Nmap Cheat Sheet - Reference Guide
Reading time: 11 minutes
If the Nmap project had a motto, it would be Scanning Done Right.
Since its inception more than two decades ago, Nmap, short for Network Mapper, has been repeatedly acclaimed as the de facto network discovery and security auditing platform, combining a scaffold of novel scanning techniques and a steady influx of advanced tools, all backed by a vibrant community of developers and supporters.
Newcomers to the tool are immediately entranced by the ease and flexibility by which customized scans can be performed—another unfailing testimony to the tool's very fabric when it comes to general reconnaissance and its potential to optimize every single phase of the asset-discovery process. For more advanced users, Nmap has no shortage of templates, scripting libraries supported by its NSE backend, as well as automation opportunities that extend the product's usability well into the realm of threat intelligence and vulnerability detection.
To get you up and running with Nmap, we've compiled a handful of the best use cases for the tool in the form of simple, easy-to-follow commands and arguments.
This Nmap Cheat Sheet entails everything from basic host-scanning techniques to more advanced scenarios requiring careful examination of the circumstances surrounding your target(s) of choice, and possibly some additional scanning tools, before choosing a specific path.
Once again, the idea is to catch a whiff of the tool's almost limitless abilities without incurring a penalty for excessive content: a rewarding labor that we leave in the hands of the reader.
Click on the cheat sheet diagram below to get the PNG version, or alternatively download the Nmap Cheat Sheet PDF from here.
- Host discovery and identification
- Version detection
- Network and port scanning
- Timing and performance
- Nmap Scripting Engine (NSE)
- Scanning web servers
- Scanning mail servers
- Scanning databases
- ICS/SCADA systems
- Generating reports
Host discovery and identification
Host discovery, sometimes referred to as ping scanning, is a common task among system administrators and pentesters alike. Unlike its more traditional counterparts, Nmap can offer a wide arrangement of ping sweep options using scanning techniques and protocols simply not available in other tools.
| Basic scanning | nmap <target> |
| Launch a ping scan (subnet) | nmap -sn <target> Ex: nmap -sn 192.168.1.0/24 |
| Scan a list of targets | nmap -iL [targets.txt] |
| Ping scan with traceroute | nmap -sn --traceroute acme.org example.org |
| TCP SYN ping | nmap -PS <target> |
| UDP ping | nmap -PU <target> |
| Scan IPv6 target | nmap -6 <target> |
| Specify NSE script | nmap -sn --script dns-brute example.org |
| Manually assign DNS servers | nmap --dns-servers <servers> <target> |
| ARP discovery | nmap -PR <target> Ex: nmap -PR 192.168.1.0/24 |
| UDP discovery on specified port | nmap -PU53 <target> |
| No DNS resolution | nmap -n <target> |
| Select network interface | nmap -e <interface> <target> |
| Skip host discovery | nmap -Pn <target> |
Version detection
Version detection is directly related to OS fingerprinting, or the active identification of a target's running platform and corresponding applications. Knowing the exact version of a specific software or service running on the endpoint can prove extremely valuable in identifying potential vulnerabilities and even unsuspected or unauthorized changes.
| Service detection | nmap -sV <target> Ex: nmap -sV scanme.nmap.org |
| OS detection | nmap -O <target> |
| Attempt OS guessing | nmap -O --osscan-guess <target> |
| Increasing version detection | nmap -sV --version-intensity <0-9> <target> |
| Troubleshoot version scans | nmap -sV --version-trace <target> |
| Aggressive detection mode | nmap -A <target> |
| Verbose mode | nmap -O -v <target> |
Network and port scanning
By combining some of the above switches and techniques, we are able to obtain better visibility into hosts potentially protected by defense mechanisms such as firewalls or intrusion prevention systems. System administrators can also benefit from this type of subversion ability by understanding how and where to apply any required filtering rules or hardening standards. In addition, spoofing certain network conditions, like an origin IP or MAC address via Nmap, can be helpful in detecting unauthorized uses of system resources and certain attacks on availability.
| TCP SYN ping scan | nmap -sn -PS <target> or nmap -sS |
| Scanning multiple ports | nmap -sn -PS80,100-1000 <target> |
| TCP ACK ping scan | nmap -sn -PA <target> or nmap -sA |
| UDP ping scan | nmap -sn -PU <target> |
| ICMP ping scan | nmap -sn -PE <target> |
| SCTP INIT ping scan | nmap -sn -PY <target> or nmap -sY |
| IP protocol ping scan (tracing) | nmap -sn -PO --packet-trace <target> |
| Scan random number of hosts | nmap -iR [number] |
| Broadcast ping scan | nmap --script broadcast-ping --packet-trace |
| Xmas scan (Sets the FIN, PSH, and URG flags) | nmap -sX <target> |
| UDP scan (with verbosity) | nmap -sU -v <target> |
| Scan a firewall (split TCP header into tiny fragments) | nmap -f <target> |
| Cloak a scan with decoys | nmap -D <decoy1>[,<decoy2>] <target>Ex: nmap -D 192.168.1.101,192.168.1.102 <target> |
| Spoof source IP address | nmap -S <IP_Address> <target> |
| Spoof MAC address) | nmap --spoof-mac [MAD_ADDRESS] <target> |
| Scan using a random MAC address | nmap -v -sT -PN --spoof-mac 0 <target> |
Timing and performance
Performance is at the heart of everything Nmap does right. Therefore, optimizing scanning via specific timing configurations and parameters can drastically improve both performance and accuracy should network congestion, slow host responses, and/or similar probable scenarios hinder your results.
| Rate limiting | nmap --scan-delay <time> |
| Adjust delay between probes | nmap --scan-delay <time>; --max-scan-delay <time> |
| Paranoid timing template | nmap -T0 <target> |
| Sneaky – ID evasion (also T0) | nmap -T1 <target> |
| Polite – Slower than normal scan | nmap -T2 <target> |
| Normal – Default speed | nmap -T3 <target> |
| Aggressive – Recommended mode | nmap -T4 -n -Pn -p- <target> |
| Insane – Very fast networks | nmap -T5 <target> |
| Host timeouts – Give up on hosts | nmap -sV -A -p- --host-timeout 5m <target> |
Nmap Scripting Engine (NSE)
Introduced during Google's 2007 Summer of Code, the scripting platform collectively known as NSE has extended Nmap's capabilities and granularity well beyond the scope of service and host detection. In fact, fourteen defined categories (at the time of this writing) underscore the vital role the Nmap community has played in embossing such an unprecedented amount of flexibility when it comes to scanning. These include names like auth, discovery, exploit or fuzzer, and command-line arguments that are flexible and easy to learn.
| Safe category – Default | nmap -sC <host> Ex: nmap -sC scanme.nmap.org |
| Execute (multiple) scripts by name | nmap --script default,safe |
| Select script by category | nmap --script exploit <target> |
| Execute NSE script file | nmap --script /path/to/script.nse <target> |
| Exclude a specific category | nmap -sV --script "not exploit" <target> |
| Include two different categories | nmap --script "broadcast and discovery" <target> |
| Combining wildcards | nmap --script "http-*” <target> |
| Set arguments | nmap -sV --script http-title --script-args http.useragent="Mozilla 1337"<target> |
| Load arguments from a file | nmap --script "discovery" --script-args-file nmap-args.txt<target> |
Scanning web servers
It is safe to assume that, despite the advent of cipher suites such as SSL/TLS to secure communications at large, a good portion of the visible internet remains cryptographically weak. Thus, it is not unreasonable to assume that HTTP-only endpoints can potentially become a trove of information, even if the level of exposure is not imminent. To this effect, Nmap is uniquely positioned to help us automate configuration checks that seek vulnerable web applications or even harvest default credentials. Here are some of the most common recipes:
| List supported HTTP methods | nmap -p80,443 --script http-methods --script-args httpmethods.test-all=true <target> |
| Discover interesting paths/folders | nmap --script http-enum -sV <target> |
| Brute-forcing HTTP basic auth | nmap -p80 --script http-brute <target> |
| Provide own user/password list | nmap -sV --script http-brute --script-args userdb=~/usernames.txt,passdb=~/passwords.txt <target> |
| Brute-forcing common web platforms (e.g., WordPress) | nmap -sV --script http-wordpress-brute <target> |
| Detect a web application firewall | nmap -sV --script http-waf-detect,http-waf-fingerprint<target> |
| Detect XST vulnerabilities (via HTTP TRACE method) | nmap -sV --script http-methods,http-trace --script-argshttp-methods.retest <target> |
| Detect XSS vulnerabilities | nmap -sV --script http-unsafe-output-escaping <target> |
| Detect SQL injection vulnerabilities | nmap -sV --script http-sql-injection <target> |
| Finding default credentials | nmap -sV --script http-default-accounts <target> |
| Finding exposed Git repos | nmap -sV --script http-git <target> |
Scanning mail servers
Just as visible and obvious as web platforms have become, email constitutes an integral part of any modern organization. Its exponential trajectory since the onset of the internet has turned email, and its derivatives, into a multifaceted product that touches almost every single aspect of the enterprise, integrating users, services, and technologies in a manner only conceived not too long ago. This widespread use, however, comes at a price. Email presents its own set of cyber risks and vulnerabilities, a situation compounded by misconfigurations and overall poor understanding of intricate ecosystems such as the cloud. Here are some Nmap capabilities when it comes to it.
| Brute-force SMTP | nmap -p25 --script smtp-brute <target> |
| Brute-force IMAP | nmap -p143 --script imap-brute <target> |
| Brute-force POP3 | nmap -p110 --script pop3-brute <target> |
| Enumerate users | nmap -p 25 --script=smtp-enum-users <target> |
| SMTP running on alternate port(s) | nmap -sV --script smtp-strangeport <target> |
| Discovering open relays | nmap -sV --script smtp-open-relay -v <target> |
| Find available SMTP commands | nmap -p 25 --script=smtp-commands <target> |
Scanning databases
If tampered with, databases can expose a plethora of sensitive information. In fact, almost every major cybersecurity incident or data leak in recent years has presupposed some sort of database compromise. The key factor here is the unprecedented degree to which trust is established across the dizzying array of both static and mobile platforms, and how these technologies introduce (or not) strict gatekeeping strategies around third-party implementations.
Consequently, Nmap has added support for systematically scanning numerous database technologies, allowing you to stitch together a handful of useful techniques.
| Identify MS SQL servers | nmap -p1433 --script ms-sql-info <target> |
| Brute-force MS SQL passwords | nmap -p1433 --script ms-sql-brute <target> |
| Dump password hashes (MS SQL) | nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes<target> |
| List databases (MySQL) | nmap -p3306 --script mysql-databases --script-args mysqluser=[user],mysqlpass=[password] <target> |
| Brute-force MySQL passwords | nmap -p3306 --script mysql-brute <target> |
| Root/Anonymous accounts with empty passwords | nmap -p3306 --script mysql-empty-password <target> |
| Brute-force Oracle SIDs | nmap -sV --script oracle-sid-brute <target> |
| Identify MongoDB servers | nmap -p27017 --script mongodb-info <target> |
| Listing CouchDB databases | nmap -p5984 --script couchdb-databases <target> |
| Identify Cassandra databases | nmap -p9160 --script cassandra-brute <target> |
| Brute-force Redis passwords | nmap -p6379 --script redis-brute <target> |
ICS/SCADA systems
An industrial control system (ICS) is a general term used to describe a conglomerate of control components that preside over hardware and software aspects of large infrastructure sectors such as power or other discrete manufacturing industries (e.g., automotive). Control in ICS infrastructure can be fully automated or may include a human in the loop (NIST)—this also includes the insertion of additional IT capabilities to supplement aging analog devices and similar mechanical alternatives.
ICSs are extremely vulnerable and carry an enormous risk, so using options like -sT (full connection TCP probe) to limit the intensity of scans is always advisable. If you're someone in charge of managing or protecting an ICS network, the below commands may prove quite useful.
| Detect standard (open) ports | nmap -Pn -sT --scan-delay 1s --max-parallelism 1-p80,102,443,502,1089, 1091,2222,4000,4840, 20000,34962,34964, 34980,44818,47808, 55000,55003 <target> |
| Control system ports (BACnet/IP) | nmap -Pn -sU -p47808 --script bacnet-info <target> |
| Ethernet/IP | nmap -Pn -sU -p44818 --script enip-info <target> |
| Discover a Modbus device | nmap -Pn -sT -p502 --script modbus-discover <target> |
| Discover a Niagara Fox device | nmap -Pn -sT -p1911,4911 --script fox-info <target> |
| Discover a PCWorx device | nmap -Pn -sT -p1962 --script pcworx-info <target> |
Generating reports
Lastly, saving scans into a report-like format is certainly an advantage considering the somewhat sinuous nature of scanning results; quite often, these can become difficult to understand even if you're attentive or know exactly what you're looking for. To this effect, Nmap can easily pair any host or port scanning technique, set the verbosity level, or generate debugging messages, with the output of your choice to facilitate further consumption and analysis. Here are a handful of examples in no particular order.
| Normal output to filename | nmap -oN [filename] <target> |
| Send results to XML format | nmap -oN [filename] -oX <filename.xml> <target> |
| Output to all formats (Normal, XML & grep) | nmap -oA [filename] <target> |
| Increase verbosity and debugging levels | nmap -v3 -d2 -oN [filename] <target> |
| Display host and port state reasons | nmap --reason <target> |
| Print periodic timing stats | nmap -Pn <target> --stats-every 10s |
| Trace packets and data sent and received | nmap -T4 --packet-trace <target> |
| Show open ports only | nmap --open <target> |
| List interfaces and routes | nmap --iflist |
It's hard to fathom a more complete scanning tool than Nmap. After so many years of operational prowess, thousands of papers and supporting literature, countless workshops, and proofs of concept, the tool remains as relevant as it's ever been.
It is important to recognize that the combination of any of the above techniques and corresponding arguments showcased in this Nmap cheat sheet is nowhere near exhaustive, as Nmap continues to exhibit the sort of canonical growth we would expect from a mature application. Notwithstanding, its core features remain accessible to all, and the possibilities of becoming proficient at what is considered an essential cyber skill remain enticing to everyone who ventures forth.
For a more in-depth look at Nmap, you can always read the Nmap documentation, or grab the official book which covers all these topics and much more!
