NMAP — Cheatsheet

Yesterday, I put an article on The Network Mapper i.e. how nmap works, how it is really useful on a recon trip to networking and scanning for open ports and services. Today I want to actually provide you a cheat sheet on NMAP, that should also be a handy in your arsenal, coz it’s like you don’t have to focus on remembering the commands, rather than focus on the crux of enumeration.

In my personal experience, I created this cheatsheet in the early days of my learning. If you like such cheatsheets… let me know of any other tool you want to have in your arsenal (with the cheatsheet).

Note: Due to regular updates in nmap I will try to keep this cheatsheet updated for your preferred use.

Nmap Target Selection

  • Scan a single IP: nmap
  • Scan a host: nmap www.testhostname.com
  • Scan a range of IPs: nmap–20
  • Scan a subnet: nmap
  • Scan targets from a text file: nmap -iL list-of-ips.txt

These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.

Nmap Port Selection

  • Scan a single Port: nmap -p 22
  • Scan a range of ports: nmap -p 1–100
  • Scan 100 most common ports (Fast): nmap -F
  • Scan all 65535 ports: nmap -p-

Nmap Port Scan types

  • Scan using TCP connect: nmap -sT
  • Scan using TCP SYN scan (default): nmap -sS
  • Scan UDP ports: nmap -sU -p 123,161,162
  • Scan selected ports — ignore discovery: nmap -Pn -F

Privileged access is required to perform the default SYN scans. If privileges are insufficient a TCP connect scan will be used. A TCP connect requires a full TCP connection to be established and therefore is a slower scan. Ignoring discovery is often required as many firewalls or hosts will not respond to PING, so could be missed unless you select the -Pn parameter. Of course this can make scan times much longer as you could end up sending scan probes to hosts that are not there.

Service and OS Detection

  • Detect OS and Services: nmap -A
  • Standard service detection: nmap -sV
  • More aggressive Service Detection: nmap -sV — version-intensity 5
  • Lighter banner grabbing detection: nmap -sV — version-intensity 0

Service and OS detection rely on different methods to determine the operating system or service running on a particular port. The more aggressive service detection is often helpful if there are services running on unusual ports. On the other hand the lighter version of the service will be much faster as it does not really attempt to detect the service simply grabbing the banner of the open service.

Nmap Output Formats

  • Save default output to file: nmap -oN outputfile.txt
  • Save results as XML: nmap -oX outputfile.xml
  • Save results in a format for grep: nmap -oG outputfile.txt
  • Save in all formats: nmap -oA outputfile

The default format could also be saved to a file using a simple file redirect command > file. Using the -oN option allows the results to be saved but also can be monitored in the terminal as the scan is under way.

Digging deeper with NSE Scripts

  • Scan using default safe scripts: nmap -sV -sC
  • Get help for a script: nmap — script-help=ssl-heartbleed
  • Scan using a specific NSE script: nmap -sV -p 443 –script=ssl-heartbleed.nse
  • Scan with a set of scripts: nmap -sV — script=smb*

Nehh, just a n00b

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store