Nmap (Network Mapper) was published by Gordon Lyon in September 1997 in Phrack Magazine, source code included. Since then its development has continued with contributions from across the computer security community. Nmap discovers hosts and services by sending packets and analysing the responses. It is designed to scan large networks efficiently, but it works just as well against a single host.
Nmap's Features
- Host discovery and identification
- Version detection
- Network and port scanning
- Timing and performance
- Nmap Scripting Engine (NSE)
- Scanning web servers
- Scanning mail servers
- Scanning databases
- ICS/SCADA systems
- Generating reports
Nmap Cheat Sheet
As software engineers, we always search for the best tools and guides to be more productive. Having all this information as a quick reference is also more convenient.
This is why we've provided you with this Nmap cheat sheet — to make you the master of Nmap. Or as close to it as possible. The following paragraphs explain the use of each command with examples.
Target Specification
The options below cover target host specification. Everything on the Nmap command line that is not an option or an option argument is treated as a target specification: a single IP, a hostname, a range, a CIDR block, or a file of targets.
Function: Scan a single IP.
Example: nmap 192.168.1.1
Function: Scan specific IPs.
Example: nmap 192.168.1.1 192.168.2.1
Function: Scan a range.
Example: nmap 192.168.1.1-254
Function: Scan a domain.
Example: nmap scanme.nmap.org
Function: Scan using CIDR notation.
Example: nmap 192.168.1.0/24
Function: Scan targets from a file.
Example: nmap -iL targets.txt
Switch: -iL
Function: Scan 100 random hosts.
Example: nmap -iR 100
Switch: -iR
Function: Exclude listed hosts.
Example: nmap --exclude 192.168.1.1
Switch: --exclude
Nmap Scan Techniques
Nmap supports many scanning techniques for finding available hosts and the state of their ports. All of the raw-packet techniques below (everything except -sT) require root or equivalent raw-socket privileges; without them Nmap silently falls back to a connect scan.
Function: TCP SYN port scan (Default).
Example: nmap 192.168.1.1 -sS
Switch: -sS
Function: TCP connect port scan (default without root privileges).
Example: nmap 192.168.1.1 -sT
Switch: -sT
Function: UDP port scan.
Example: nmap 192.168.1.1 -sU
Switch: -sU
Function: TCP ACK port scan.
Example: nmap 192.168.1.1 -sA
Switch: -sA
Function: TCP Window port scan.
Example: nmap 192.168.1.1 -sW
Switch: -sW
Function: TCP Maimon port scan.
Example: nmap 192.168.1.1 -sM
Switch: -sM
Host Discovery
Host discovery is a common task among administrators and is sometimes called ping scanning. Nmap provides a wide array of ping-sweep options using different probe types and protocols, so you can pick the probes most likely to get through the filtering in front of a given target.
Function: No Scan. List targets only.
Example: nmap 192.168.1.1-3 -sL
Switch: -sL
Function: Disable port scanning. Host discovery only.
Example: nmap 192.168.1.1/24 -sn
Switch: -sn
Function: Disable host discovery. Port scan only.
Example: nmap 192.168.1.1-5 -Pn
Switch: -Pn
Function: TCP SYN discovery on port x. Port 80 by default.
Example: nmap 192.168.1.1-5 -PS22-25,80
Switch: -PS
Function: TCP ACK discovery on port x. Port 80 by default.
Example: nmap 192.168.1.1-5 -PA22-25,80
Switch: -PA
Function: UDP discovery on port x. Port 40125 by default.
Example: nmap 192.168.1.1-5 -PU53
Switch: -PU
Function: ARP discovery on the local network.
Example: nmap 192.168.1.0/24 -PR
Switch: -PR
Function: Never perform a DNS resolution.
Example: nmap 192.168.1.1 -n
Switch: -n
Port Specification
Port specification controls which ports Nmap probes. By default it scans the 1,000 most common ports for each requested protocol; the switches below narrow or widen that list, and combining them with the scan techniques above gives a better picture of hosts sitting behind filtering devices.
Function: Port scan for port x
Example: nmap 192.168.1.1 -p 21
Switch: -p
Function: Port range
Example: nmap 192.168.1.1 -p 21-100
Switch: -p
Function: Port scan multiple TCP and UDP ports
Example: nmap 192.168.1.1 -p U:53,T:21-25,80
Switch: -p
Function: Port scan all ports
Example: nmap 192.168.1.1 -p-
Switch: -p
Function: Port scan from service name
Example: nmap 192.168.1.1 -p http,https
Switch: -p
Function: Fast port scan (100 ports)
Example: nmap 192.168.1.1 -F
Switch: -F
Function: Port scan the top x ports
Example: nmap 192.168.1.1 --top-ports 2000
Switch: --top-ports
Function: Leaving off the initial port in range makes the scan start at port 1
Example: nmap 192.168.1.1 -p-65535
Switch: -p-65535
Function: Leaving off end port in range makes the scan go through to port 65535
Example: nmap 192.168.1.1 -p0-
Switch: -p0-
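-F and --top-ports do not pick ports arbitrarily: Nmap's nmap-services file carries an open-frequency column for every port, and the top-N list is simply the N highest entries for the requested protocol. The following shell example (added here, not from the original page or the Nmap project) reproduces that selection with awk so you can inspect the list, or append your own ports to it, before handing it to -p. The nmap-services excerpt is constructed in the real file's format (service, port/proto, frequency, optional comment) and the frequency values are illustrative; on a real system point the function at your own copy, usually /usr/share/nmap/nmap-services.

```shell
#!/bin/sh
# How --top-ports and -F choose ports: nmap-services ranks every port by how
# often it was found open. top_ports reproduces that ranking with awk.
# Added example; the excerpt below is constructed in the nmap-services
# format and its frequencies are illustrative, not authoritative.
SERVICES='# Fields: service name, port/protocol, open frequency, optional comment
http 80/tcp 0.484143 # World Wide Web HTTP
telnet 23/tcp 0.221265
https 443/tcp 0.208669 # secure http (SSL)
ftp 21/tcp 0.197667 # File Transfer [Control]
ssh 22/tcp 0.182286 # Secure Shell Login
smtp 25/tcp 0.131314 # Simple Mail Transfer
microsoft-ds 445/tcp 0.056944 # SMB directly over IP
snmp 161/udp 0.433467 # Simple Net Mgmt Proto
ntp 123/udp 0.330879 # Network Time Protocol
domain 53/udp 0.213496 # Domain Name Server'

# top_ports N PROTO [file...]: the N PROTO ports with the highest open
# frequency, most common first, joined with commas ready for "-p".
# Reads nmap-services from the given file(s), or from stdin if none.
top_ports() {
    n=$1
    proto=$2
    shift 2
    awk -v proto="$proto" '
        $1 !~ /^#/ && $2 ~ ("/" proto "$") {
            split($2, pp, "/")          # "80/tcp" -> port 80
            print $3, pp[1]             # frequency first so sort can rank it
        }' "$@" |
    sort -k1,1 -rn |
    head -n "$n" |
    awk '{ printf "%s%s", (NR > 1 ? "," : ""), $2 } END { print "" }'
}

# Equivalent of "--top-ports 5" for TCP and "--top-ports 2" for UDP on the
# constructed excerpt; real use: top_ports 20 tcp /usr/share/nmap/nmap-services
printf '%s\n' "$SERVICES" | top_ports 5 tcp
printf '%s\n' "$SERVICES" | top_ports 2 udp
```

The output of the first call can be spliced straight into a port specification, for example -p "$(top_ports 20 tcp /usr/share/nmap/nmap-services),8080,8443", which is how you get "the top 20 plus the ports I care about" in one scan. Note that --top-ports applies to every protocol you request, so -sSU --top-ports 100 scans the 100 most common TCP ports and the 100 most common UDP ports.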
Service and Version Detection
Knowing the exact version of a specific software or service running on the endpoint can prove extremely valuable in identifying potential vulnerabilities.
Function: Attempts to determine the version of the service running on the port.
Example: nmap 192.168.1.1 -sV
Switch: -sV
Function: Intensity level 0 to 9. Higher levels send more probes, which improves the chance of a correct match but slows the scan (the default is 7).
Example: nmap 192.168.1.1 -sV --version-intensity 8
Switch: -sV --version-intensity
Function: Enable light mode (intensity 2). Faster, with a lower chance of a correct match.
Example: nmap 192.168.1.1 -sV --version-light
Switch: -sV --version-light
Function: Enable intensity level 9. Higher chance of a correct match, slower.
Example: nmap 192.168.1.1 -sV --version-all
Switch: -sV --version-all
Function: Enables OS detection, version detection, script scanning, and traceroute.
Example: nmap 192.168.1.1 -A
Switch: -A
OS Detection
One of Nmap's well-known features is remote OS detection using TCP/IP stack fingerprinting.
Function: Remote OS detection using TCP/IP stack fingerprinting.
Example: nmap 192.168.1.1 -O
Switch: -O
Function: Only attempt OS detection against hosts with at least one open and one closed TCP port; fingerprints taken without both are unreliable, so this skips hosts that would only yield poor guesses.
Example: nmap 192.168.1.1 -O --osscan-limit
Switch: -O --osscan-limit
Function: Make Nmap guess more aggressively when no perfect match is found.
Example: nmap 192.168.1.1 -O --osscan-guess
Switch: -O --osscan-guess
Function: Set the maximum number x of OS detection tries against a target.
Example: nmap 192.168.1.1 -O --max-os-tries 1
Switch: -O --max-os-tries
Function: Enables OS detection, version detection, script scanning, and traceroute.
Example: nmap 192.168.1.1 -A
Switch: -A
Timing and Performance
Timing matters: scanning too fast on a congested or rate-limited network drops probes and produces wrong results, while scanning too slowly wastes time. The timing templates and switches below let you trade speed against accuracy for the network you are on.
Function: Paranoid (0) Intrusion Detection System evasion.
Example: nmap 192.168.1.1 -T0
Switch: -T0
Function: Sneaky (1) Intrusion Detection System evasion.
Example: nmap 192.168.1.1 -T1
Switch: -T1
Function: Polite (2) slows the scan to use less bandwidth and fewer target machine resources.
Example: nmap 192.168.1.1 -T2
Switch: -T2
Function: Normal (3), which is the default speed.
Example: nmap 192.168.1.1 -T3
Switch: -T3
Function: Aggressive (4) speed scans; assumes you are on a reasonably fast and reliable network.
Example: nmap 192.168.1.1 -T4
Switch: -T4
Function: Insane (5) speed scan; assumes you are on an extraordinarily fast network.
Example: nmap 192.168.1.1 -T5
Switch: -T5
Timing and Performance Switches
Function: Give up on a target after this long.
Example input: 1s; 4m; 2h
Switch: --host-timeout <time>
Function: Adjust the probe round-trip timeouts (initial, minimum and maximum).
Example input: 1s; 4m; 2h
Switch: --min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>
Function: Parallel host scan group sizes.
Example input: 50; 1024
Switch: --min-hostgroup/--max-hostgroup <size>
Function: Probe parallelization.
Example input: 10; 1
Switch: --min-parallelism/--max-parallelism <numprobes>
Function: Specify the maximum number of port scan probe retransmissions.
Example input: 3
Switch: --max-retries <tries>
Function: Send packets no slower than <number> per second.
Example input: 100
Switch: --min-rate <number>
Function: Send packets no faster than <number> per second.
Example input: 100
Switch: --max-rate <number>
NSE Scripts
NSE stands for Nmap Scripting Engine. It was developed through Google's Summer of Code and first shipped in a stable release with Nmap 4.50 in December 2007. NSE lets you write Lua scripts to automate a wide range of networking tasks, from banner grabbing to vulnerability checks.
Function: Scan with default NSE scripts. Considered useful for discovery and safe.
Example: nmap 192.168.1.1 -sC
Switch: -sC
Function: Scan with the default NSE scripts (equivalent to -sC). Considered useful for discovery and safe.
Example: nmap 192.168.1.1 --script default
Switch: --script default
Function: Scan with a single script, for example banner.
Example: nmap 192.168.1.1 --script=banner
Switch: --script
Function: Scan with a wildcard, for example every http-* script. Quote the pattern so the shell does not expand it against files in the current directory.
Example: nmap 192.168.1.1 --script "http*"
Switch: --script
Function: Scan with two scripts, for example http-title and banner.
Example: nmap 192.168.1.1 --script "http-title,banner"
Switch: --script
Function: Scan with the default scripts but drop the intrusive ones. Note that --script "not intrusive" on its own selects every non-intrusive script, far more than the default set; --script-help with the same expression lists what would run before you commit.
Example: nmap 192.168.1.1 --script "default and not intrusive"
Switch: --script
Function: NSE script with arguments.
Example: nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1
Switch: --script-args
Useful NSE Script Examples
Function: HTTP site map generator.
Command: nmap -Pn --script=http-sitemap-generator scanme.nmap.org
Function: Fast search for random web servers.
Command: nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
Function: Brute-force DNS hostnames to guess subdomains.
Command: nmap -Pn --script=dns-brute domain.com
Function: Common SMB enumeration scripts. Not all of these are safe: the smb-vuln* scripts are in the intrusive category and some are also categorised dos and can crash a vulnerable host, so drop them when availability matters.
Command: nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" 192.168.1.1
Function: Whois query.
Command: nmap --script "whois*" domain.com
Function: Detect reflected, unescaped input that may indicate cross-site scripting.
Command: nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
Function: Check for SQL injection.
Command: nmap -p80 --script http-sql-injection scanme.nmap.org
Firewall / IDS Evasion and Spoofing
As a penetration tester, you need to know how to avoid firewall rules that are in place and identify information about a host.
Function: Requested scans (including ping scans) use tiny fragmented IP packets, which are harder for simple packet filters to inspect.
Example: nmap 192.168.1.1 -f
Switch: -f
Function: Set your own fragment size; the value must be a multiple of 8.
Example: nmap 192.168.1.1 --mtu 32
Switch: --mtu
Function: Cloak the scan with decoys: probes appear to come from each decoy address as well as your own, so the target sees several sources. Your real address still sends and receives, so this hides you in a crowd rather than removing you from it; put ME in the list to choose where your address appears.
Example: nmap -D 192.168.1.101,192.168.1.102,192.168.1.103,192.168.1.23 192.168.1.1
Switch: -D
Function: Spoof the source address (-e eth0 and -Pn are usually required). Replies go to the spoofed address, not to you, so this tests how a target reacts rather than producing scan results.
Example: nmap -S www.microsoft.com www.facebook.com
Switch: -S
Function: Use the given source port number, for example 53 to pass filters that trust DNS traffic.
Example: nmap -g 53 192.168.1.1
Switch: -g
Function: Relay connections through HTTP or SOCKS4 proxies, given as a comma-separated list without spaces. Only the parts of Nmap built on its nsock library (NSE and version detection) use the proxies; ping, port scan and OS detection packets still go direct.
Example: nmap --proxies http://192.168.1.1:8080,http://192.168.1.2:8080 192.168.1.1
Switch: --proxies
Function: Append the given number of random bytes to most sent packets so they no longer match default-size signatures.
Example: nmap --data-length 200 192.168.1.1
Switch: --data-length
Output
Function: Normal (human-readable) output to the file normal.file.
Example: nmap 192.168.1.1 -oN normal.file
Switch: -oN
Function: XML output to the file xml.file.
Example: nmap 192.168.1.1 -oX xml.file
Switch: -oX
Function: Grepable output to the file grep.file.
Example: nmap 192.168.1.1 -oG grep.file
Switch: -oG
Function: Output in the three major formats at once (results.nmap, results.xml and results.gnmap).
Example: nmap 192.168.1.1 -oA results
Switch: -oA
Function: Grepable output to the screen (standard output). -oN - and -oX - work the same way.
Example: nmap 192.168.1.1 -oG -
Switch: -oG -
Function: Append a scan to a previous output file instead of overwriting it.
Example: nmap 192.168.1.1 -oN file.file --append-output
Switch: --append-output
Function: Increase verbosity (use -vv or more for greater effect).
Example: nmap 192.168.1.1 -v
Switch: -v
Function: Increase debugging level (use -dd or more for greater effect).
Example: nmap 192.168.1.1 -d
Switch: -d
Function: Display the reason a port or host is in a particular state (also turned on automatically by -d).
Example: nmap 192.168.1.1 --reason
Switch: --reason
Function: Only show open (or possibly open) ports.
Example: nmap 192.168.1.1 --open
Switch: --open
Function: Show all packets sent and received.
Example: nmap 192.168.1.1 -T4 --packet-trace
Switch: --packet-trace
Function: Show the host's interfaces and routes.
Example: nmap --iflist
Switch: --iflist
Function: Resume an aborted scan from its normal (-oN) or grepable (-oG) output file.
Example: nmap --resume results.file
Switch: --resume
Helpful Nmap Output examples
Function: Scan for web servers and grep for hosts with port 80 open. Grepping for "/open/" matches port entries only; a bare "grep open" also matches the header line, which echoes the --open option.
Command: nmap -p80 -sV -oG - --open 192.168.1.1/24 | grep "/open/"
Function: Generate a list of the IPs of live hosts. The XML goes to out.xml; the "Nmap scan report for" lines on standard output carry the address in the fifth field because -n suppresses hostname lookups.
Command: nmap -iR 10 -n -oX out.xml | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt
Function: Append IPs to the list of live hosts.
Command: nmap -iR 10 -n -oX out2.xml | grep "Nmap scan report" | cut -d " " -f5 >> live-hosts.txt
Function: Compare two XML scan results with ndiff (ships with Nmap).
Command: ndiff scan1.xml scan2.xml
Function: Convert Nmap XML output to HTML with its bundled stylesheet.
Command: xsltproc nmap.xml -o nmap.html
Function: Reverse-sorted list of how often each port turns up in normal output.
Command: grep " open " results.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
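The grep pipelines above are fine for a one-off, but they break in quiet ways: "grep open" over -oG output also matches the header comment (the scan's own command line, including --open, is echoed there), and "cut -f5" only works on the normal-output report lines when -n is set. The grepable format itself is regular enough to parse properly with POSIX tools. The following example is added here and is not code from the original page or from the Nmap project; it parses -oG output into live hosts, open ports with service and version, a port-frequency table, and a diff of two scans in the spirit of ndiff. The two scans are constructed; addresses, services and versions are invented. Real -oG output separates the Host/Status/Ports/Ignored fields with tabs; the parser accepts tabs or spaces.

```shell
#!/bin/sh
# Parse Nmap grepable (-oG) output with POSIX tools: live hosts, open ports per
# host, port frequency, and a diff of two scans (a small stand-in for ndiff).
# Added example, not from the original page or the Nmap project. The two scans
# below are constructed; addresses, services and versions are invented. Real
# -oG output separates the Host/Status/Ports/Ignored fields with tabs; the
# parser accepts tabs or spaces.
export LC_ALL=C

SCAN_OLD='# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -v -sV -p22,80,443,8080 --open -oG old.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/    Ignored State: closed (2)
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 443/open/tcp//https//Apache httpd 2.4.57/    Ignored State: filtered (3)
Host: 192.168.1.30 ()   Status: Down
# Nmap done at Mon Jan  1 09:03:12 2024 -- 256 IP addresses (2 hosts up) scanned in 192.11 seconds'

SCAN_NEW='# Nmap 7.94 scan initiated Tue Jan  2 09:00:00 2024 as: nmap -v -sV -p22,80,443,8080 --open -oG new.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/    Ignored State: closed (3)
Host: 192.168.1.20 ()   Status: Up
Host: 192.168.1.20 ()   Ports: 443/open/tcp//https//Apache httpd 2.4.57/, 8080/open/tcp//http-proxy//Squid http proxy 5.7/    Ignored State: filtered (2)
Host: 192.168.1.30 ()   Status: Down
# Nmap done at Tue Jan  2 09:03:40 2024 -- 256 IP addresses (2 hosts up) scanned in 220.04 seconds'

# live_hosts [file...]: one IP per line for every host reported as up.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$@" | sort -u
}

# open_ports [file...]: "ip port proto service [version]" per open port.
# Only "Host:" lines carrying a "Ports:" field are parsed, so the "--open"
# echoed in the header comment can never produce a false match the way a
# bare "grep open" does.
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2
            list = $0
            sub(/.*Ports: /, "", list)               # keep the port list
            sub(/[ \t]+Ignored State:.*/, "", list)  # drop the trailer
            n = split(list, entry, /, /)
            for (i = 1; i <= n; i++) {
                # each entry: port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] != "open") continue
                ver = (f[7] == "") ? "" : " " f[7]
                print ip, f[1], f[3], f[5] ver
            }
        }' "$@"
}

# port_frequency [file...]: how often each port/proto is open, most common
# first (the structured version of the "grep open | sort | uniq -c" pipeline).
port_frequency() {
    open_ports "$@" | awk '{ print $2 "/" $3 }' | sort | uniq -c | sort -rn
}

# scan_diff OLD NEW: "+ ip port/proto" for ports open now but not before and
# "- ip port/proto" for ports that were open and no longer are.
scan_diff() {
    t=$(mktemp -d) || return 1
    open_ports "$1" | awk '{ print $1, $2 "/" $3 }' | sort -u > "$t/old"
    open_ports "$2" | awk '{ print $1, $2 "/" $3 }' | sort -u > "$t/new"
    comm -13 "$t/old" "$t/new" | sed 's/^/+ /'
    comm -23 "$t/old" "$t/new" | sed 's/^/- /'
    rm -rf "$t"
}

# Demo on the constructed scans.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SCAN_OLD" > "$d/old.gnmap"
    printf '%s\n' "$SCAN_NEW" > "$d/new.gnmap"
    echo "live hosts:";          live_hosts "$d/new.gnmap"
    echo "web servers:";         open_ports "$d/new.gnmap" | awk '$4 ~ /^http/'
    echo "port frequency:";      port_frequency "$d/old.gnmap" "$d/new.gnmap"
    echo "changes old -> new:";  scan_diff "$d/old.gnmap" "$d/new.gnmap"
    rm -rf "$d"
}
demo
```

In practice you would feed the functions the .gnmap file written by -oA, for example open_ports results.gnmap | awk '$4 ~ /^http/' to list web servers, and keep dated copies so scan_diff can flag a port that opened overnight. For anything beyond this, prefer the XML output: it is the only format that preserves everything Nmap learned, and ndiff consumes it directly.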
Miscellaneous Nmap Flags
Function: Enable IPv6 scanning.
Example: nmap -6 2607:f0d0:1002:51::4
Switch: -6
Function: Nmap help screen.
Example: nmap -h
Switch: -h
Other Useful Nmap Commands
Function: Discovery only on ports x, no port scan.
Command: nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn
Function: ARP discovery only on the local network, no port scan.
Command: nmap 192.168.1.0/24 -PR -sn -vv
Function: Traceroute to random targets, no port scan.
Command: nmap -iR 10 -sn --traceroute
Function: Query the internal DNS for hosts, list targets only.
Command: nmap 192.168.1.1-50 -sL --dns-server 192.168.1.1
Conclusion
Network Mapper, commonly known as Nmap, is Gordon Lyon's creation, first published in 1997. Its efficiency at scanning large networks attracted contributions from across the security community.
Nmap's features include host discovery, port scanning, version and OS detection, NSE scripting, and report generation. The sections above cover target and port specification, scan techniques, timing and performance, evasion, and output handling.