Nmap Cheat Sheet (original) (raw)
Last Updated : 23 Jul, 2025
**Nmap (Network Mapper) is a free and open-source network detection and security scanning utility. Many network and system administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring server or service availability. Nmap uses raw IP packets in a novel way to determine the hosts available on the network, the services they offer (application name and version), and the operating systems they are running (and operating systems). version). It's designed to scan large networks quickly but works well with a single host.
In this **Nmap Cheat Sheet, you'll learn all the basics to advanced like basic scanning techniques, discovery options in Nmap, Firewall evasion techniques, version detection, output options, scripting engines and more.
Usage of Nmap
- Auditing the security of a device or firewall by identifying the network connections that can be made to or through it.
- In preparation for auditing, identify open ports on a target host.
- Network inventory, network mapping, asset and maintenance management are all examples of network services.
- Identifying additional servers to test the network's security.
- Creating network traffic, analysing responses, and measuring response time.
- Used to Finding and exploiting vulnerabilities in a network.
- DNS queries and subdomain search
Usage:
nmap [] [] {}
NMAP Commands Cheat Sheet 2024
Basic Scanning Techniques
| Nmap Query | Nmap Command |
|---|---|
| Scan a single target | nmap [target] |
| Scan multiple targets | nmap [target1,target2,etc] |
| Scan a list of targets | nmap -iL [list.txt] |
| Scan a range of hosts | nmap [range of IP addresses] |
| Scan an entire subnet | nmap [IP address/cdir] |
| Scan random hosts | nmap -iR [number] |
| Excluding targets from a scan | nmap [targets] –exclude [targets] |
| Excluding targets using a list | nmap [targets] –excludefile [list.txt] |
| Perform an aggressive scan | nmap -A [target] |
| Scan an IPv6 target | nmap -6 [target] |
Discovery Options
| Nmap Query | Nmap Command |
|---|---|
| Perform a ping scan only | nmap -sP [target] |
| Don’t ping | nmap -PN [target] |
| TCP SYN Ping | nmap -PS [target] |
| TCP ACK ping | nmap -PA [target] |
| UDP ping | nmap -PU [target] |
| SCTP Init Ping | nmap -PY [target] |
| ICMP echo ping | nmap -PE [target] |
| ICMP Timestamp ping | nmap -PP [target] |
| ICMP address mask ping | nmap -PM [target] |
| IP protocol ping | nmap -PO [target] |
| ARP ping | nmap -PR [target] |
| Traceroute | nmap –traceroute [target] |
| Force reverse DNS resolution | nmap -R [target] |
| Disable reverse DNS resolution | nmap -n [target] |
| Alternative DNS lookup | nmap –system-dns [target] |
| Manually specify DNS servers | nmap –dns-servers [servers] [target] |
| Create a host list | nmap -sL [targets] |
Firewall Evasion Techniques
| Nmap Query | Nmap Command |
|---|---|
| Fragment packets | nmap -f [target] |
| Specify a specific MTU | nmap –mtu [MTU] [target] |
| Use a decoy | nmap -D RND: [number] [target] |
| Idle zombie scan | nmap -sI [zombie] [target] |
| Manually specify a source port | nmap –source-port [port] [target] |
| Append random data | nmap –data-length [size] [target] |
| Randomize target scan order | nmap –randomize-hosts [target] |
| Spoof MAC Address | nmap –spoof-mac [MAC|0 |
| Send bad checksums | nmap –badsum [target] |
Version Detection
| Nmap Query | Nmap Command |
|---|---|
| Operating system detection | nmap -O [target] |
| Attempt to guess an unknown | nmap -O –osscan-guess [target] |
| Service version detection | nmap -sV [target] |
| Troubleshooting version scans | nmap -sV –version-trace [target] |
| Perform a RPC scan | nmap -sR [target] |
Output Options
| Nmap Query | Nmap Command |
|---|---|
| Save output to a text file | nmap -oN [scan.txt] [target] |
| Save output to a xml file | nmap -oX [scan.xml] [target] |
| Grepable output | nmap -oG [scan.txt] [target] |
| Output all supported file types | nmap -oA [path/filename] [target] |
| Periodically display statistics | nmap –stats-every [time] [target] |
| 133t output | nmap -oS [scan.txt] [target] |
Scripting Engine
| Nmap Query | Nmap Command |
|---|---|
| Execute individual scripts | nmap –script [script.nse] [target] |
| Execute multiple scripts | nmap –script [expression] [target] |
| Execute scripts by category | nmap –script [cat] [target] |
| Execute multiple scripts categories | nmap –script [cat1,cat2, etc] |
| Troubleshoot scripts | nmap –script [script] –script-trace [target] |
| Update the script database | nmap –script-updatedb |