
nmap Cheat Sheet

Shenzhen, China

Installation

sudo pacman -S nmap

Nmap Commands

Syntax for Nmap Commands

The Nmap launch command is simple: pass it the destination IP address or network as a parameter, together with any options you need. Let's now look at the main options used in this article.

  • -vv: Increase verbosity
  • -n: No DNS resolution. This speeds up the scan!
  • -sn: No port scan (host discovery only)
  • -PE: Use ICMP echo request probes for host discovery
  • -T4: prohibits the dynamic scan delay from exceeding 10 ms for TCP ports. See man nmap
  • --packet-trace: Trace sent and received packets
  • -sL: list scan: only list the target hosts, do not port scan them
  • -sP: only check whether the host is reachable with a ping
  • -Pn: treat all hosts as up, even if they do not respond to ping
  • -sS / -sT / -sA / -sW / -sM: TCP scan types (SYN, connect, ACK, Window, Maimon)
  • -sU: UDP scan
  • -sN / -sF / -sX: TCP NULL, FIN and Xmas scans
  • -sC: run the default NSE script set
  • -sI: idle scan (via a zombie host)
  • -p: specify the port range to check
  • -sV: probe open ports to determine service versions
  • -O: determine the operating system
  • -T[0-5]: timing template; the higher, the faster
  • -D: decoy scan (hide the scan among decoy source addresses)
  • -S: spoof the source IP address
  • -e: use a specific interface
  • --spoof-mac: spoof the source MAC address

Network Scans

nmap IP or Host Scan

nmap 192.168.2.117
nmap debian11

Scan a Range of IPs

nmap 192.168.2.100-120

nmap Scan Subnet

nmap 192.168.2.0/24

Scan a List of Targets

nmap -iL list.txt

Fast Scan, Host Discovery Only (no port scan, no service listing)

nmap -sn 192.168.2.0/24

Port Scans

Scan Single Port

nmap -p 8080 192.168.2.117

Scan a Range of Ports

nmap -p 80-8080 192.168.2.117

Specified Ports

nmap -sV -p 22,53,110,143,4564 192.168.2.117

Scan the 100 most Common Ports

nmap -F 192.168.2.117

Scan all Ports

nmap -p- 192.168.2.117

Scan TCP Ports

nmap -sT 192.168.2.117

SYN Scan TCP Ports

sudo nmap -sS 192.168.2.117

Scan specific UDP Ports

sudo nmap -sU -p 53 192.168.2.117

Scan Ports of Hosts that don't respond to Pings

nmap -Pn -F 192.168.2.117

Operating System and Services

nmap -A 192.168.2.117

Aggressive Service Detection

nmap -sV -T5 192.168.2.110

Lightweight Service Detection

nmap -sV -T0 192.168.2.110

Check Firewall Rules (ACK scan)

sudo nmap -sA 192.168.2.110

Scan IPv6 Addresses

nmap -6 240e:3b5:3011:1580:7dd7:91ed:c0b6:5a0d

Find the Open Port

nmap --open 192.168.2.117
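Turning the scan output into a check, as an added example that is not part of the original cheat sheet: this Python parses the normal output that the -sV and --open commands above print, then flags open (or open|filtered) ports that are not on a per-host allowlist, which is the review a defender does after an inventory scan. The sample output and the allowlist are constructed, not from a real scan.

```python
import re

# Constructed sample of nmap's normal output for two hosts (not a real scan).
SAMPLE_OUTPUT = """\
Nmap scan report for debian11 (192.168.2.117)
Host is up (0.00042s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp   open  http       nginx 1.18.0
8080/tcp open  http-proxy
Nmap scan report for 192.168.2.110
Host is up (0.0011s latency).
PORT    STATE         SERVICE VERSION
23/tcp  open          telnet
53/udp  open|filtered domain
Nmap done: 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
# "22/tcp   open  ssh   OpenSSH ..." (version column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Return {ip: {"port/proto": (state, service, version)}}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current]["%s/%s" % (port, proto)] = (state, service, version or "")
    return hosts


def unexpected_open_ports(hosts, allowlist):
    """List (ip, port/proto, service) for ports nmap reports as open (or
    open|filtered, which a defender must still verify) that the allowlist omits."""
    findings = []
    for ip, ports in hosts.items():
        allowed = allowlist.get(ip, set())
        for key, (state, service, _) in sorted(
                ports.items(), key=lambda kv: (int(kv[0].split("/")[0]), kv[0])):
            if state.startswith("open") and key not in allowed:
                findings.append((ip, key, service))
    return findings
```

Feed it real output with `nmap -sV --open <targets> | python3 this_script.py` style piping, or save the scan with -oN and read the file; only the two hosts in the constructed sample are shown here.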

Trace Packets Sent and Received

nmap --packet-trace 192.168.2.117

Specific MAC Address Spoofing

nmap --spoof-mac 28:ad:3e:75:e0:28 192.168.2.117

Random MAC Address Spoofing

nmap -v -sT -Pn --spoof-mac 0 192.168.2.117

Scanning with NSE Scripts

Available scripts:

ls /usr/share/nmap/scripts
nmap --script-help=whois-domain.nse

WHOIS

nmap --script whois-domain.nse www.instar.com

HTTP Title

nmap --script=http-title 192.168.2.0/24

HTTP Headers

nmap --script=http-headers 192.168.2.117

Discover Hosts using DNS Service Discovery (mDNS/Avahi; this script also sends the Avahi NULL UDP packet DoS check to each host it finds)

nmap --script=broadcast-avahi-dos 192.168.2.0/24

Brute Force

nmap --script http-brute -p 80 192.168.2.110
nmap --script http-form-brute -p 80 192.168.2.110
nmap --script ftp-brute -p 21 192.168.2.110
nmap -p 5432 --script pgsql-brute 192.168.2.110
nmap --script rtsp-url-brute -p 554 192.168.2.117
nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s 192.168.2.110

DoS

nmap --script http-slowloris-check 192.168.2.110
nmap --script http-slowloris --max-parallelism 400 192.168.2.110

Host Interfaces, Routes and Packets

nmap --iflist
nmap --packet-trace
nmap -vv -n -sn -PE -T4 --packet-trace 192.168.2.117

Stealth List Scan

nmap --dns-servers 8.8.4.4,8.8.8.8 -sL 49.12.0.118/24