Nmap cheatsheet

Super Administrator
#nmap#network-security#cheatsheet

Nmap Basics

Host Discovery

```bash
-sL    nmap 192.168.1.1-3 -sL                 # List scan: resolve names only, send no probes
-sn    nmap 192.168.1.1/24 -sn                # Ping scan: host discovery only, no port scan
-Pn    nmap 192.168.1.1-5 -Pn                 # Skip host discovery; treat every target as up and port scan it
-PS    nmap 192.168.1.1-5 -PS22-25,80         # TCP SYN discovery on ports 22-25,80 (port 80 if no list is given)
-PA    nmap 192.168.1.1-5 -PA22-25,80         # TCP ACK discovery on ports 22-25,80
-PU    nmap 192.168.1.1-5 -PU53               # UDP discovery on port 53
-PR    nmap 192.168.1.0/24 -PR                # ARP discovery (already the default on a local Ethernet segment)
-n     nmap 192.168.1.1 -n                    # Never do reverse-DNS resolution
```

Target Specification

```bash
nmap 192.168.1.1                                     # Scan a single IP
nmap 192.168.1.1 192.168.2.1                         # Scan specific IPs
nmap 192.168.1.1-254                                 # Scan a range
nmap scanme.nmap.org                                 # Scan a hostname
nmap 192.168.1.0/24                                  # Scan using CIDR notation
-iL     nmap -iL targets.txt                         # Scan targets from a file (one per line)
-iR     nmap -iR 100                                 # Scan 100 random Internet hosts
--exclude  nmap 192.168.1.0/24 --exclude 192.168.1.1 # Exclude listed hosts from the target set
```

Scan Techniques

```bash
-sS     nmap 192.168.1.1 -sS                         # TCP SYN (half-open) scan; default when running as root
-sT     nmap 192.168.1.1 -sT                         # TCP connect scan; default without raw-socket privileges
-sU     nmap 192.168.1.1 -sU                         # UDP port scan (slow; combine with -sS to do both)
-sA     nmap 192.168.1.1 -sA                         # TCP ACK scan: maps firewall rules, does not find open ports
-sW     nmap 192.168.1.1 -sW                         # TCP Window scan
-sM     nmap 192.168.1.1 -sM                         # TCP Maimon scan
```

Port Specification

```bash
-p      nmap 192.168.1.1 -p 21                       # Port scan for port 21
-p      nmap 192.168.1.1 -p 21-100                   # Port range
-p      nmap 192.168.1.1 -p U:53,T:21-25,80          # TCP and UDP ports (needs -sU -sS to scan both)
-p-     nmap 192.168.1.1 -p-                         # All 65535 ports (1-65535; use -p0- to include port 0)
-p      nmap 192.168.1.1 -p http,https               # Port scan using service names from nmap-services
-F      nmap 192.168.1.1 -F                          # Fast scan: top 100 ports instead of the default 1000
--top-ports nmap 192.168.1.1 --top-ports 2000        # The 2000 most common ports
```

Timing and Performance

```bash
nmap -T0 <target>            # T0 = Paranoid (serialised probes, 5 min apart; IDS evasion)
nmap -T1 <target>            # T1 = Sneaky (slow)
nmap -T2 <target>            # T2 = Polite (slower, uses less bandwidth)
nmap -T3 <target>            # T3 = Normal (default)
nmap -T4 <target>            # T4 = Aggressive (faster, good on reliable LANs)
nmap -T5 <target>            # T5 = Insane (very fast, may miss ports on lossy links)
--host-timeout <time>        # Give up on a host after this long (e.g., 30m, 1h)
--min-rtt-timeout <time>     # Floor for the per-probe timeout Nmap derives from observed RTT
--max-rtt-timeout <time>     # Ceiling for the per-probe timeout
--min-hostgroup <size>       # Minimum number of hosts to scan in parallel
--max-hostgroup <size>       # Maximum number of hosts to scan in parallel
--min-parallelism <num>      # Minimum number of outstanding probes per host group
--max-parallelism <num>      # Maximum number of outstanding probes per host group
--scan-delay <time>          # Wait at least this long between probes (e.g., 1s, 500ms)
--max-scan-delay <time>      # Cap on the delay Nmap adds itself when it detects rate limiting
--max-retries <tries>        # Max number of probe retransmissions per port
--min-rate <number>          # Send at least this many packets per second
--max-rate <number>          # Send at most this many packets per second
```

Service and Version Detection

```bash
-sV                                # Probe open ports to detect service and version
--version-intensity <0-9>          # Number of probes tried per port (default 7)
--version-light                    # Same as --version-intensity 2: faster, fewer probes
--version-all                      # Same as --version-intensity 9: try every probe
-A                                 # Aggressive: -O, -sV, -sC (default scripts) and --traceroute together
```

OS Detection

```bash
-O                                 # Enable OS detection (needs at least one open and one closed port for good results)
--osscan-limit                     # Skip OS detection on hosts that do not meet that condition
--osscan-guess                     # Guess more aggressively when no exact match is found
--max-os-tries <x>                 # Set max OS detection tries
```

Firewall / IDS Evasion and Spoofing

```bash
-f                                # Fragment packets (8-byte fragments; -ff for 16)
--mtu <val>                       # Set fragment size (multiple of 8)
-D decoy1,decoy2,ME               # Decoy scan: mix your probes with probes from spoofed addresses; ME is your real address
-S <ip>                           # Spoof source IP (you will not see replies; usually needs -e <iface> and -Pn)
-g <port>                         # Set source port (same as --source-port), e.g. 53 or 88 to pass sloppy firewall rules
--proxies <url,...>               # Relay TCP connections via HTTP/SOCKS4 proxies (experimental, connect-style scans only)
--data-length <bytes>             # Append random data to each probe to change its signature
```

NSE Scripts

```bash
-sC                                # Default scripts (same as --script default)
--script default                   # Run the "default" category
--script=banner                    # Run one named script
--script "http-*"                  # Wildcard match; quote it so the shell does not expand the glob
--script=http-title,banner         # Several scripts or categories, comma-separated
--script "not intrusive"           # Boolean expression over categories: exclude intrusive scripts
--script-args key=value,...        # Pass arguments to scripts (see --script-help <script> for the names)
```

Example NSE Scripts

```bash
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000   # 1000 random Internet hosts
nmap -Pn --script=dns-brute domain.com
nmap -n -Pn -vv -O -sV --script "smb-*" 192.168.1.1
nmap --script "whois-*" domain.com                                     # whois-domain and whois-ip query external registries
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
nmap -p80 --script http-sql-injection scanme.nmap.org
```

Web App Specific NSE Scripts

```bash
nmap -p80 --script http-methods --script-args http-methods.test-all <target>
nmap -p80 --script http-headers <target>
nmap -p80 --script http-auth,http-auth-finder <target>
nmap -p80 --script http-enum <target>
nmap -p80 --script http-config-backup <target>
nmap -p80 --script http-userdir-enum <target>
nmap -p80 --script http-vhosts,http-iis-short-name-brute <target>
nmap -p80 --script http-dombased-xss,http-xssed,http-stored-xss,http-csrf 192.168.1.1
```

Advanced NSE Script Usage

```bash
nmap -p21 --script ftp-brute --script-args "userdb=users.txt,passdb=passlist.txt" ftp.target.com
nmap -p445 --script smb-enum-users,smb-enum-shares --script-args smbusername=admin,smbpassword=password 192.168.1.100
nmap -p80 --script http-form-brute --script-args "http-form-brute.hostname=target.com,http-form-brute.path=/login,http-form-brute.uservar=username,http-form-brute.passvar=password,http-form-brute.onfailure='invalid login'" 192.168.1.1
```

Vulnerability Scanning Scripts

```bash
nmap --script vuln 192.168.1.1                       # Every script in the "vuln" category
nmap -sV --script vulners 192.168.1.1                # Looks up -sV results at vulners.com (external query)
nmap -p80 --script http-vuln-cve2015-1635 192.168.1.1   # MS15-034, HTTP.sys
nmap -p80 --script http-vuln-cve2017-5638 192.168.1.1   # Apache Struts 2
nmap -p80 --script http-vuln-cve2017-1001000 192.168.1.1   # WordPress REST API
```

Output Options

```bash
-oN <file>                           # Normal output
-oX <file>                           # XML output (the format to feed other tools)
-oG <file>                           # Grepable output
-oA <prefix>                         # All three formats: prefix.nmap, prefix.xml, prefix.gnmap
--append-output                      # Append to the output files instead of overwriting
-oG -                                # Write to stdout instead of a file (also -oN -, -oX -)
```

Scan Output Analysis & Tips

- Look for open ports running services you can enumerate further (HTTP, SMB, FTP, databases).
- `closed` means the host answered with a RST and nothing listens there; `filtered` means no answer or an ICMP error, usually a firewall in the path.
- `-A` already implies `-sV`, `-O`, `-sC` and `--traceroute`; use `-sV` on its own when you only want banners.
- Use `--reason` to see which packet (SYN/ACK, RST, ICMP, no-response) led to each port state.
- Save every scan with `-oA` so you keep normal, XML and grepable output for later parsing.
- Filter grepable output with `grep open` on the `.gnmap` file, or convert the XML with `xsltproc` or `nmaptocsv`.
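The workflow the Host Discovery section and the tips above describe (discover live hosts with `-sn -oG`, port-scan only those, then compare the grepable output against an earlier baseline to spot newly opened ports) as a shell script. This is an added example written for this page, not code from the original cheatsheet or from the Nmap project; the three `.gnmap` samples inside it are constructed by hand, the function names (`live_hosts`, `open_ports`, `new_open_ports`, `stage_two_command`) are this example's own, and the follow-up nmap command is only printed, not executed, so the script runs without nmap installed or any network access.

```shell
#!/bin/sh
# Added example (not from the original page): parse Nmap grepable (-oG) output
# to drive a two-stage scan and to diff open ports against a baseline.
# All three samples below are hand-constructed to look like real -oG files.
# Real files separate the fields with tabs; the patterns here accept both.

# Constructed output of: nmap -sn -oG discovery.gnmap 192.168.1.0/24
DISCOVERY_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -oG discovery.gnmap 192.168.1.0/24
Host: 192.168.1.10 () Status: Up
Host: 192.168.1.20 () Status: Up
# Nmap done at Mon Jan  1 09:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds'

# Constructed output of yesterday's full port scan of the live hosts
BASELINE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -p- -oG baseline.gnmap 192.168.1.10 192.168.1.20
Host: 192.168.1.10 () Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https/// Ignored State: filtered (65532)
Host: 192.168.1.20 () Ports: 445/open/tcp//microsoft-ds/// Ignored State: closed (65534)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds'

# Constructed output of today's scan: two new services and one new host
CURRENT_GNMAP='# Nmap 7.94 scan initiated Tue Jan  2 10:00:00 2024 as: nmap -sS -sV -p- -oG current.gnmap 192.168.1.0/24
Host: 192.168.1.10 () Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 3306/open/tcp//mysql/// Ignored State: filtered (65532)
Host: 192.168.1.20 () Ports: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server/// Ignored State: closed (65533)
Host: 192.168.1.30 () Ports: 6379/open/tcp//redis/// Ignored State: closed (65534)
# Nmap done at Tue Jan  2 10:05:00 2024 -- 256 IP addresses (3 hosts up) scanned in 300.00 seconds'

# live_hosts: read -sn grepable output on stdin, print one IP per line for hosts reported Up
live_hosts() {
  awk '/^Host: / && /Status: Up/ { print $2 }'
}

# stage_two_command FILE: build the follow-up port scan for the hosts found Up in FILE
# (printed rather than executed so the example runs offline)
stage_two_command() {
  printf 'nmap -sS -sV -p- -T4 -n -oA portscan %s\n' "$(live_hosts < "$1" | paste -s -d ' ' -)"
}

# open_ports: read port-scan grepable output on stdin, print "host port/proto service"
# for every open port. Each entry of the Ports: field has the form
#   port/state/proto/owner/service/rpcinfo/version/
# and nmap writes any '/' inside a version string as '|', so splitting on '/' is safe.
open_ports() {
  awk '
    /^Host: / && /Ports: / {
      host = $2
      line = $0
      sub(/^.*Ports: /, "", line)                  # drop everything before the port list
      sub(/[ \t]*Ignored State:.*$/, "", line)     # drop the trailing ignored-state summary
      n = split(line, entries, "/, ")              # entries are separated by "/, "
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
      }
    }'
}

# new_open_ports BASELINE CURRENT: open ports in CURRENT that were not open in BASELINE
new_open_ports() {
  base=$(mktemp)
  open_ports < "$1" > "$base"
  # -F fixed strings, -x whole line, -v invert: keep lines absent from the baseline.
  # grep exits 1 when nothing is new, which is not an error here.
  open_ports < "$2" | grep -v -x -F -f "$base" || true
  rm -f "$base"
}

# Stand-alone demo: write the constructed samples to temp files and run both checks
main() {
  dir=$(mktemp -d)
  printf '%s\n' "$DISCOVERY_GNMAP" > "$dir/discovery.gnmap"
  printf '%s\n' "$BASELINE_GNMAP" > "$dir/baseline.gnmap"
  printf '%s\n' "$CURRENT_GNMAP" > "$dir/current.gnmap"
  echo "Stage two:"; stage_two_command "$dir/discovery.gnmap"
  echo "Newly open since baseline:"; new_open_ports "$dir/baseline.gnmap" "$dir/current.gnmap"
  rm -rf "$dir"
}
main
```

Run it against real files by replacing the three constructed samples with `-oG` output from your own scans; the diff step is the one worth scheduling, because a port that was filtered yesterday and is open today is exactly what a cheatsheet's one-off scan will not tell you.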

Protocol Scan

🔐 Authentication & Identity

LDAP (389, 636)

```bash
nmap -p 389,636 --script "ldap-*" <target>
nmap --script "(ldap-*) and not brute" -p 389 <target>
nmap -p 636 --script=ldap-search,ldap-rootdse <target>   # rootdse needs no credentials; ldap-search returns more with ldap.username/ldap.password
```

Kerberos (88)

```bash
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" <target>
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL',userdb=users.txt" <target>   # your own username list
```

SMB (139, 445)

```bash
nmap -p 139,445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb2-capabilities,smb2-security-mode <target>
nmap --script "smb-vuln-*" -p 445 <target>
nmap -p 445 --script=smb-protocols <target>   # negotiated dialects; SMBv1 still offered is a finding. Null-session access shows as "Anonymous access" in smb-enum-shares
```

RDP (3389)

```bash
nmap -p 3389 --script=rdp-enum-encryption <target>
nmap -p 3389 --script=rdp-vuln-ms12-020 <target>
nmap -p 3389 --script=rdp-ntlm-info <target>
```

WinRM (5985, 5986)

```bash
nmap -p 5985,5986 -sV --script=http-auth,http-ntlm-info --script-args "http-auth.path=/wsman,http-ntlm-info.root=/wsman" <target>   # NTLM challenge leaks hostname/domain
```

📱 Network Services

FTP (21)

```bash
nmap -p 21 --script=ftp-anon,ftp-bounce,ftp-syst,ftp-vsftpd-backdoor,ftp-proftpd-backdoor,ftp-libopie <target>
```

SSH (22)

```bash
nmap -p 22 --script=ssh-hostkey,ssh-auth-methods,sshv1,ssh2-enum-algos,ssh-brute <target>   # ssh-brute is intrusive; drop it for a quiet audit
```

Telnet (23)

```bash
nmap -p 23 --script=telnet-encryption,telnet-ntlm-info <target>
```

SMTP (25, 465, 587)

```bash
nmap -p 25,465,587 --script=smtp-commands,smtp-enum-users,smtp-open-relay,smtp-ntlm-info <target>
```

DNS (53)

```bash
nmap -p 53 --script=dns-zone-transfer,dns-nsid,dns-service-discovery,dns-recursion,dns-cache-snoop,dns-random-srcport --script-args dns-zone-transfer.domain=example.com <target>   # zone transfer needs the domain name
```

TFTP (69)

```bash
nmap -sU -p 69 --script=tftp-enum <target>
```

POP3 (110, 995)

```bash
nmap -p 110,995 --script=pop3-capabilities,pop3-brute <target>
```

IMAP (143, 993)

```bash
nmap -p 143,993 --script=imap-capabilities,imap-brute <target>
```

SNMP (161, 162)

```bash
nmap -sU -p 161 --script=snmp-info,snmp-interfaces,snmp-processes,snmp-win32-services,snmp-brute,snmp-sysdescr <target>   # 162/udp only receives traps; the scripts query 161
```

R-Services (512, 513, 514)

```bash
nmap -p 512,513,514 -sV <target>                              # rexec/rlogin/rsh banners (rpcinfo belongs to 111, not here)
nmap -p 512,513 --script=rexec-brute,rlogin-brute <target>    # password guessing, intrusive
```

IPMI (623)

```bash
nmap -sU -p 623 --script=ipmi-version,ipmi-cipher-zero <target>   # IPMI is UDP
```

RSync (873)

```bash
nmap -p 873 --script=rsync-list-modules <target>
```

MSSQL (1433, 1434, 2433)

```bash
nmap -p 1433,1434,2433 --script=ms-sql-info,ms-sql-empty-password,ms-sql-dump-hashes,ms-sql-brute,ms-sql-config <target>   # 1434/udp is the SQL Browser; add -sU to hit it
```

Oracle TNS (1521)

```bash
nmap -p 1521 --script=oracle-tns-version,oracle-sid-brute <target>
```

NFS (2049)

```bash
nmap -p 111,2049 --script=nfs-ls,nfs-statfs,nfs-showmount <target>   # the nfs-* scripts go through rpcbind on 111
```

MySQL (3306)

```bash
nmap -p 3306 --script=mysql-info,mysql-users,mysql-databases,mysql-empty-password,mysql-query,mysql-brute,mysql-dump-hashes <target>   # mysql-query needs mysql-query.query plus credentials
```

PostgreSQL (5432, 5433)

```bash
nmap -p 5432,5433 -sV <target>                                                              # banner; 5433 is just a second instance, not a "secure" port
nmap -p 5432,5433 --script=pgsql-brute --script-args userdb=users.txt,passdb=passwords.txt <target>
```

NetBIOS (137, 138)

```bash
nmap -sU -sS -p U:137,T:139,445 --script=nbstat,smb-os-discovery,smb-enum-shares,smb-enum-users <target>   # nbstat is 137/udp; the smb-* scripts need 139/445
```

VNC (5900)

```bash
nmap -p 5900 --script=vnc-info,vnc-title,vnc-brute <target>
```

Redis (6379)

```bash
nmap -p 6379 --script=redis-info,redis-brute <target>
```

Elasticsearch (9200)

```bash
nmap -p 9200 -sV --script=http-title,http-methods,http-headers <target>   # an unauthenticated node answers GET / with cluster name and version
```

Memcached (11211)

```bash
nmap -p 11211 --script=memcached-info <target>
```

RPCBind (111)

```bash
nmap -sU -sT -p 111 --script=rpcinfo <target>
```

SIP (5060)

```bash
nmap -sU -p 5060 --script=sip-methods,sip-enum-users <target>
```

MQTT (1883)

```bash
nmap -p 1883 --script=mqtt-subscribe <target>   # connects anonymously and lists the topics it receives
```

RMI (1099)

```bash
nmap -p 1099 --script=rmi-dumpregistry,rmi-vuln-classloader <target>
```

NTP (123)

```bash
nmap -sU -p 123 --script=ntp-info,ntp-monlist <target>
```

Docker (2375)

```bash
nmap -p 2375 --script=docker-version <target>   # an answer here means an unauthenticated Docker API
```

RabbitMQ (5672)

```bash
nmap -p 5672 --script=amqp-info <target>
```

Jenkins (8080)

```bash
nmap -p 8080 -sV --script=http-title,http-headers,http-enum <target>
# Common Vulnerabilities: Anonymous Access, Script Console Exposure
```

AJP (Apache JServ Protocol - 8009)

```bash
nmap -p 8009 --script=ajp-methods,ajp-headers,ajp-auth <target>
# Common Exploit: Ghostcat CVE-2020-1938 (file read / inclusion via AJP)
```

Kubernetes API Server (6443)

```bash
nmap -p 6443 -sV --script=http-title,http-headers,http-auth <target>
# Check for: Unauthorized access, misconfigured kubelet (10250), exposed dashboard
```

CouchDB (5984)

```bash
nmap -p 5984 --script=couchdb-databases,couchdb-stats,http-title,http-headers <target>
# Common Exploits: CVE-2017-12635 & CVE-2017-12636 (Remote Code Execution)
```

VMware (902, 903, 443)

```bash
nmap -p 902,903,443 --script=vmware-version <target>
```

TeamViewer (5938)

```bash
nmap -p 5938 -sV <target>   # no dedicated NSE script; rely on version detection
```

Bacula (9101)

```bash
nmap -p 9101 -sV <target>   # no dedicated NSE script; rely on version detection
```

X11 (6000)

```bash
nmap -p 6000 --script=x11-access <target>
```

Web Services (80, 443, 8080, 8443)

```bash
nmap -p 80,443,8080,8443 --script "http-title,http-methods,http-enum,http-headers,http-server-header,http-auth-finder,http-vuln-*" <target>
```

WebDAV (80, 443, 8080)

```bash
nmap -p 80,443,8080 --script=http-webdav-scan <target>
```

Apache Hadoop (50070)

```bash
nmap -p 50070 --script=hadoop-namenode-info <target>
```

Tomcat (8080, 8443)

```bash
nmap -p 8080,8443 --script=http-enum,http-default-accounts <target>   # finds /manager and tries the stock tomcat credentials
```

Zookeeper (2181)

```bash
nmap -p 2181 -sV <target>   # no dedicated NSE script; rely on version detection
```

Kafka (9092)

```bash
nmap -p 9092 -sV <target>   # no dedicated NSE script; rely on version detection
```

Varnish (6081)

```bash
nmap -p 6081 --script=http-headers,http-title <target>
```

🧰 Other Useful Nmap Scripts

Common Nmap Automation & Misc Scripts

```bash
nmap --script=default,safe <target>
nmap -p- --min-rate=10000 -T4 <target>      # Fast full port scan (noisy; may miss ports on lossy links)
nmap -sV --version-all -p <port> <target>   # Aggressive service detection
nmap -sC -sV <target>                       # Default scripts and version detection
nmap -Pn -n -sS -p- -T4 <target>            # SYN scan of all ports, no host discovery, no DNS resolution
```

Brute Force

```bash
nmap -p 21,22,23,25,80,110,143,443,3306,5432,6379,8080 --script brute <target>
```

Vulnerability Detection

```bash
nmap --script vuln <target>
nmap -p 80,443 --script "http-vuln-*" <target>
nmap -p 445 --script "smb-vuln-*" <target>
```

Web Technologies & Frameworks

```bash
nmap -p 80,443 --script=http-headers,http-title,http-methods,http-enum,http-php-version,http-aspnet-debug,http-wordpress-enum,http-drupal-enum <target>
```

Network Scan

```sh
nmap -sn $ip
```

Disable port scanning (only host discovery)
Use this to check if hosts are up without scanning their ports.

```sh
nmap -sn -PS $ip
```

SYN Ping
Sends a SYN packet to check if the host responds.

```sh
nmap -sn -PA $ip
```

TCP ACK Ping
Useful for detecting hosts behind firewalls that block ICMP.

```sh
nmap -T4 -sS -p- $ip
```

Full SYN scan with aggressive timing
Scans all ports using a SYN scan with a faster timing template (T4).

```sh
nmap -sC -sV --script={name_of_script} -p- -T4 $ip
```

Run script with version detection
Runs a specific Nmap script while detecting versions of services.

```sh
nmap -Pn -sA -p- $ip
```

ACK scan for firewall analysis
Determines which ports are filtered or unfiltered by firewalls.

```sh
nmap -Pn -sS -sV -p- --data-length 200 -D $decoy1,$decoy2,ME $ip
```

Decoy scan with packet padding
Mixes your SYN probes with probes from the decoy addresses (ME keeps your real address in the list) and pads each packet with 200 bytes of random data. Decoys should be live hosts, and they only cover the SYN phase: -sV and -sC complete real TCP connections from your own address.

🔹 Flags for Better Results

🚀 Scan Types

  • -sA → TCP ACK scan
  • -sS → TCP SYN scan
  • -sT → TCP connect scan

🔍 Host & Network Discovery

  • -PE → Ping scan using ICMP ECHO request
  • --disable-arp-ping → Disable ARP ping on local networks

📡 Packet Handling & Output

  • --packet-trace → Show all packets sent and received
  • --reason → Display the reason for specific results

🔢 Port Scanning

  • --top-ports=10 → Scan the top 10 most frequent ports
  • -p22 → Scan a specific port (e.g., port 22)
  • -F → Scan the top 100 ports

🛡️ Spoofing & Stealth Techniques

  • -D RND:5 → Generate 5 random decoy IP addresses
  • -S <IP> → Set a specific source IP address
  • -e tun0 → Send requests through a specific network interface
  • --source-port 53 → Scan using a specific source port (e.g., 53)

🎯 Optimizing Nmap Scans

Slowing a scan down (-T0/-T1, --scan-delay) lowers the chance of tripping IDS rate thresholds; speeding it up (-T4/-T5, --min-rate) finishes sooner but generates traffic that stands out and can drop results on a lossy link.

🕒 Timing & Performance Tweaks

  • --host-timeout 5s → Give up on a host after the given time (e.g., 5 seconds)
  • --scan-delay 5s → Wait this long between probes (e.g., 5 seconds)
  • --initial-rtt-timeout 50ms → Set the initial RTT timeout
  • --max-rtt-timeout 100ms → Set the max RTT timeout

📂 Nmap Output Formats

  • -oN <filename> → Save as normal text file
  • -oX <filename> → Save as XML file
  • -oS <filename> → Save in "script kiddie" format (a joke format; for Metasploit use -oX and import it with db_import)
  • -oA <basename> → Save in all formats (.nmap, .xml, .gnmap)
