nmap Cheat Sheet

A quick Nmap cheat sheet for your reference, covering essential commands and options:

Basic Nmap Scanning Commands

  1. Scan a single IP:
    nmap <IP address>
  2. Scan a range of IPs:
    nmap <IP range>

    Example: nmap 192.168.1.1-10

  3. Scan an entire subnet:
    nmap 192.168.1.0/24
  4. Scan a list of IPs from a file:
    nmap -iL <file>

Common Scan Types

  1. TCP SYN scan (the default when run with root privileges; stealthier than a connect scan):
    nmap -sS <target>
  2. TCP Connect scan:
    nmap -sT <target>
  3. UDP scan:
    nmap -sU <target>
  4. Aggressive scan (includes OS detection, version detection, script scanning, and traceroute):
    nmap -A <target>
  5. OS detection:
    nmap -O <target>
  6. Service version detection:
    nmap -sV <target>

Specifying Ports

  1. Scan a specific port:
    nmap -p <port> <target>
  2. Scan a range of ports:
    nmap -p <start-end> <target>
  3. Scan top 1000 common ports (default):
    nmap <target>
  4. Scan all 65535 ports:
    nmap -p- <target>

Output Options

  1. Save output to a text file:
    nmap -oN <filename> <target>
  2. Save output in XML format:
    nmap -oX <filename> <target>
  3. Save output in all formats:
    nmap -oA <basename> <target>

Advanced Techniques

  1. Scan using a specific timing template (0–5; 5 is the fastest):
    nmap -T<0-5> <target>

    Example: nmap -T4 <target>

  2. Scan with a spoofed IP:
    nmap -S <spoofed IP> <target>
  3. Disable DNS resolution:
    nmap -n <target>
  4. Traceroute to detect network paths:
    nmap --traceroute <target>
  5. Run NSE scripts (e.g., --script=vuln for vulnerability checks):
    nmap --script=<script name> <target>

    Example: nmap --script=vuln <target>


Example Commands

  1. Full TCP SYN scan on all ports with OS detection:
    nmap -sS -O -p- <target>
  2. Fast scan of top 100 ports and output to a file:
    nmap -F -oN fast_scan_results.txt <target>

Helpful Tips

  • Use -v or -vv for verbose mode.
  • Combine multiple options to customize scans, e.g., nmap -sS -p 80,443 -A -T4 <target>

Learn more about nmap.
