SecurityTrails Blog · Nov 02 · by Gianni Perez

Nmap Cheat Sheet - Reference Guide


If the Nmap project had a motto, it would be Scanning Done Right.

Since its inception more than two decades ago, Nmap, short for Network Mapper, has been the de facto network discovery and security auditing tool, combining a wide range of scanning techniques with a steady influx of supporting tools, all backed by a vibrant community of developers and supporters.

Newcomers are quickly won over by the ease and flexibility with which customized scans can be performed, which makes Nmap a natural fit for general reconnaissance and for every phase of the asset-discovery process. More advanced users get timing templates, the scripting libraries behind the NSE backend, and automation opportunities (machine-readable output, for instance) that extend the tool's usefulness into threat intelligence and vulnerability detection.

To get you up and running with Nmap, we’ve compiled a handful of the best use cases for the tool in the form of simple, easy-to-follow commands and arguments.

This Nmap cheat sheet covers everything from basic host-scanning techniques to more advanced scenarios that require a careful look at the circumstances surrounding your target(s), and possibly some additional tools, before choosing a specific path.


The idea is to give a taste of the tool's almost limitless abilities without drowning you in detail; exploring the rest is a rewarding labor we leave in the reader's hands.


Host discovery and identification

Host discovery, sometimes referred to as ping scanning, is a common task for system administrators and pentesters alike. Where a traditional ping sweep relies on ICMP echo alone, Nmap can discover hosts with probes over several protocols (ICMP, TCP SYN and ACK, UDP, SCTP and ARP), which matters when ICMP is filtered. Note that a plain `nmap <target>` performs host discovery and then a port scan of the most common 1,000 TCP ports; add -sn to stop after discovery.

Basic scan (host discovery plus a default port scan): nmap <target>
Ping scan only, no port scan: nmap -sn <target>  Ex: nmap -sn 192.168.1.0/24
Scan a list of targets from a file: nmap -iL targets.txt
Ping scan with traceroute: nmap -sn --traceroute acme.org example.org
TCP SYN ping: nmap -PS <target>
UDP ping: nmap -PU <target>
Scan an IPv6 target: nmap -6 <target>
Run a specific NSE script during discovery: nmap -sn --script dns-brute example.org
Use specific DNS servers for reverse lookups: nmap --dns-servers <server1>[,<server2>] <target>
ARP discovery (the default on a local Ethernet segment): nmap -PR <target>  Ex: nmap -PR 192.168.1.0/24
UDP ping to a specific port: nmap -PU53 <target>
No DNS resolution: nmap -n <target>
Select the network interface: nmap -e <interface> <target>
Skip host discovery and treat every target as up: nmap -Pn <target>

Version detection

Version detection (-sV) probes open ports to identify the application and version behind them, while OS detection (-O) fingerprints the target's TCP/IP stack to identify the operating system; the two are related but separate steps. Knowing the exact version of the software running on an endpoint is extremely valuable when looking for known vulnerabilities, and it also surfaces unexpected or unauthorized changes. Both send additional probes, so they are noisier than a plain port scan, and -O needs raw-packet privileges (root or Administrator).

Service and version detection: nmap -sV <target>  Ex: nmap -sV scanme.nmap.org
OS detection: nmap -O <target>
Guess the OS aggressively when there is no exact match: nmap -O --osscan-guess <target>
Set version-probe intensity (0 = lightest, 9 = try every probe; the default is 7): nmap -sV --version-intensity <0-9> <target>
Troubleshoot version scans: nmap -sV --version-trace <target>
Aggressive detection (enables -O, -sV, -sC and --traceroute): nmap -A <target>
Verbose OS detection: nmap -O -v <target>

Network and port scanning

By combining the switches above, you gain visibility into hosts protected by firewalls or intrusion prevention systems; an ACK scan, for example, tells filtered ports from unfiltered ones even when it cannot tell open from closed. System administrators benefit from the same techniques by learning where filtering rules or hardening standards are missing. Spoofing an origin IP or MAC address, or hiding a scan among decoys, tests whether defenses detect and attribute scans correctly. Keep in mind that when the source address is spoofed, replies go to the spoofed host rather than to you, and that decoy and spoofing options require raw-packet scans (-sS, -sA and the like), not the connect scan (-sT).

TCP SYN ping (host discovery): nmap -sn -PS <target>; TCP SYN port scan: nmap -sS <target>
TCP SYN ping against several ports: nmap -sn -PS80,100-1000 <target>
TCP ACK ping: nmap -sn -PA <target>; TCP ACK port scan (maps firewall rules): nmap -sA <target>
UDP ping: nmap -sn -PU <target>
ICMP echo ping: nmap -sn -PE <target>
SCTP INIT ping: nmap -sn -PY <target>; SCTP INIT port scan: nmap -sY <target>
IP protocol ping, with packet tracing: nmap -sn -PO --packet-trace <target>
Scan a given number of random Internet hosts: nmap -iR <number>
Broadcast ping (a prerule script, so no target is needed): nmap --script broadcast-ping --packet-trace
Xmas scan (sets the FIN, PSH and URG flags): nmap -sX <target>
UDP port scan, verbose: nmap -sU -v <target>
Split probes into tiny IP fragments (firewall testing): nmap -f <target>
Cloak a scan with decoys: nmap -D <decoy1>[,<decoy2>,...] <target>  Ex: nmap -D 192.168.1.101,192.168.1.102 <target>
Spoof the source IP address (replies go to the spoofed address, so pair it with -e and -Pn): nmap -S <IP_address> -e <interface> -Pn <target>
Spoof the MAC address (raw-packet scans only): nmap --spoof-mac <MAC_address> <target>
Scan with a random MAC address (0 means random): nmap -v -sS -Pn --spoof-mac 0 <target>

Timing and performance

Performance is at the heart of everything Nmap does. Tuning timing parameters can improve both speed and accuracy when network congestion, rate limiting or slow host responses would otherwise skew results. The -T templates set several parameters at once; the individual options below override whatever the template chose.

Cap (or force) the packet rate: nmap --max-rate <packets per second> <target>; nmap --min-rate <packets per second> <target>
Add a delay between probes, and cap how far Nmap may grow it: nmap --scan-delay <time> --max-scan-delay <time> <target>
Paranoid (IDS evasion, one probe every 5 minutes): nmap -T0 <target>
Sneaky (IDS evasion, one probe every 15 seconds): nmap -T1 <target>
Polite (slower than normal, uses less bandwidth): nmap -T2 <target>
Normal (the default): nmap -T3 <target>
Aggressive (recommended on fast, reliable networks): nmap -T4 -n -Pn -p- <target>
Insane (very fast networks; trades accuracy for speed): nmap -T5 <target>
Give up on hosts that take too long: nmap -sV -A -p- --host-timeout 5m <target>

Nmap Scripting Engine (NSE)

Introduced during Google's 2007 Summer of Code, the Nmap Scripting Engine (NSE) extends Nmap well beyond service and host detection with scripts written in Lua. Fourteen categories (at the time of writing), with names such as auth, discovery, exploit and fuzzer, group the scripts, and the --script option selects them by name, category, wildcard or boolean expression. Categories such as exploit, brute, dos and intrusive can disrupt or compromise targets, so check what a category contains (nmap --script-help <category>) before running it against anything you care about.

Default scripts (the same as --script default): nmap -sC <target>  Ex: nmap -sC scanme.nmap.org
Several categories or scripts by name, comma-separated: nmap --script default,safe <target>
Select a category: nmap --script exploit <target>
Run a script file by path: nmap --script /path/to/script.nse <target>
Exclude a category: nmap -sV --script "not exploit" <target>
Scripts that belong to both categories: nmap --script "broadcast and discovery" <target>
Wildcards: nmap --script "http-*" <target>
Pass script arguments: nmap -sV --script http-title --script-args http.useragent="Mozilla 1337" <target>
Load script arguments from a file: nmap --script discovery --script-args-file nmap-args.txt <target>

Scanning web servers

It is safe to assume that, despite the wide availability of TLS, a good portion of the visible Internet remains weakly protected, so HTTP-only endpoints can be a trove of information even when the exposure is not immediately critical. Nmap's http-* scripts automate configuration checks, look for vulnerable web applications and even test for default credentials. The brute-force and injection scripts below generate a lot of traffic and can lock accounts out, so run them only against systems you are authorized to test. Here are some of the most common recipes:

List supported HTTP methods: nmap -p80,443 --script http-methods --script-args http-methods.test-all=true <target>
Discover interesting paths and folders: nmap -sV --script http-enum <target>
Brute-force HTTP basic auth: nmap -p80 --script http-brute <target>
Use your own user and password lists: nmap -sV --script http-brute --script-args userdb=/path/to/users.txt,passdb=/path/to/passwords.txt <target>
Brute-force common web platforms (e.g., WordPress): nmap -sV --script http-wordpress-brute <target>
Detect a web application firewall: nmap -sV --script http-waf-detect,http-waf-fingerprint <target>
Detect XST (cross-site tracing) via the HTTP TRACE method: nmap -sV --script http-methods,http-trace --script-args http-methods.retest <target>
Detect reflected XSS: nmap -sV --script http-unsafe-output-escaping <target>
Detect SQL injection: nmap -sV --script http-sql-injection <target>
Find default credentials: nmap -sV --script http-default-accounts <target>
Find exposed Git repositories: nmap -sV --script http-git <target>

Scanning mail servers

Just as visible and obvious as web platforms have become, email constitutes an integral part of any modern organization. Since the early days of the Internet it has grown into a multifaceted product that touches almost every aspect of the enterprise, integrating users, services and technologies. This widespread use comes at a price: email brings its own set of risks and vulnerabilities, compounded by misconfigurations and a poor understanding of intricate ecosystems such as the cloud. Here is what Nmap can do about it; as with the web scripts, the brute-force scripts are noisy and can trigger lockouts, so use them only with authorization.

Brute-force SMTP: nmap -p25 --script smtp-brute <target>
Brute-force IMAP: nmap -p143 --script imap-brute <target>
Brute-force POP3: nmap -p110 --script pop3-brute <target>
Enumerate users (via VRFY, EXPN and RCPT TO): nmap -p25 --script smtp-enum-users <target>
Find SMTP running on non-standard ports: nmap -sV --script smtp-strangeport <target>
Test for open relays: nmap -sV --script smtp-open-relay -v <target>
List available SMTP commands: nmap -p25 --script smtp-commands <target>

Scanning databases

If compromised, databases expose a plethora of sensitive information; almost every major data breach in recent years has involved a database in some way. The key factor is the degree of trust extended to the many static and mobile platforms that connect to them, and whether strict gatekeeping is applied around third-party integrations.

Nmap supports scanning numerous database technologies, letting you stitch together a handful of useful techniques. The -p values below are the default ports; use -sV to find instances running elsewhere.

Identify MS SQL servers: nmap -p1433 --script ms-sql-info <target>
Brute-force MS SQL passwords: nmap -p1433 --script ms-sql-brute <target>
Check for an empty sa password and dump hashes (MS SQL): nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
List databases (MySQL, with known credentials): nmap -p3306 --script mysql-databases --script-args mysqluser=<user>,mysqlpass=<password> <target>
Brute-force MySQL passwords: nmap -p3306 --script mysql-brute <target>
Root/anonymous MySQL accounts with empty passwords: nmap -p3306 --script mysql-empty-password <target>
Brute-force Oracle SIDs: nmap -sV --script oracle-sid-brute <target>
Identify MongoDB servers: nmap -p27017 --script mongodb-info <target>
List CouchDB databases: nmap -p5984 --script couchdb-databases <target>
Brute-force Cassandra credentials (use cassandra-info to identify the server first): nmap -p9160 --script cassandra-brute <target>
Brute-force Redis passwords: nmap -p6379 --script redis-brute <target>

ICS/SCADA systems

An industrial control system (ICS) is a general term for the collection of control components that preside over the hardware and software of large infrastructure sectors such as power, or of discrete manufacturing industries such as automotive. Control in ICS infrastructure can be fully automated or may include a human in the loop (NIST); increasingly it also includes IT components bolted on to supplement aging analog devices and similar mechanical alternatives.

ICS devices are often fragile and the risk of disrupting them is enormous: half-open SYN scans, bursts of parallel probes and version-detection payloads have been known to crash PLCs or lock up controllers. Using -sT (a full TCP connect, which looks like an ordinary client connection) together with --scan-delay and --max-parallelism 1 keeps a scan gentle, and -Pn avoids extra discovery probes; avoid -sV and -O against production control systems unless you have tested them on identical hardware first, and prefer the protocol-aware scripts below over generic probing. If you manage or protect an ICS network, the following commands may prove useful.

Detect standard ICS ports, one probe at a time: nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p80,102,443,502,1089,1091,2222,4000,4840,20000,34962,34964,34980,44818,47808,55000,55003 <target>
BACnet/IP: nmap -Pn -sU -p47808 --script bacnet-info <target>
EtherNet/IP: nmap -Pn -sU -p44818 --script enip-info <target>
Discover a Modbus device: nmap -Pn -sT -p502 --script modbus-discover <target>
Discover a Niagara Fox device: nmap -Pn -sT -p1911,4911 --script fox-info <target>
Discover a PCWorx device: nmap -Pn -sT -p1962 --script pcworx-info <target>
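To make the "gentle probing" point concrete, here is what a Modbus discovery probe actually puts on the wire, as an added example in Python (not code from Nmap or from the original post): a Read Device Identification request (function 43, MEI type 14), the kind of single, well-formed request that scripts such as modbus-discover rely on, together with a decoder for the reply. The sample reply, the vendor and product strings and the imaginary PLC are all constructed for this example; the function and MEI codes come from the Modbus specification.

```python
"""Modbus/TCP Read Device Identification (function 43, MEI type 14).

Added example, not code from Nmap or the original post. It builds the one
request a discovery probe sends to port 502 and decodes the reply, so you can
see exactly what reaches a controller. The sample reply is constructed."""
import socket
import struct

MODBUS_PORT = 502
FC_ENCAPSULATED = 0x2B        # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E     # Read Device Identification
BASIC_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def build_read_device_id(transaction_id: int, unit_id: int = 0xFF) -> bytes:
    """MBAP header + PDU asking for the basic (read code 1) identification objects."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED, MEI_READ_DEVICE_ID, 1, 0)
    # MBAP: transaction id, protocol id (0 = Modbus), remaining length, unit id.
    # 0xFF is the conventional unit id for a device reached directly over TCP.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id(frame: bytes) -> dict:
    """Decode a reply; a Modbus exception comes back as {'exception': code}."""
    if len(frame) < 7:
        raise ValueError("frame shorter than the MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if proto != 0 or len(pdu) != length - 1 or not pdu:
        raise ValueError("bad protocol id or truncated frame")
    if pdu[0] == FC_ENCAPSULATED | 0x80:    # exception: function code with high bit set
        return {"transaction_id": tid, "exception": pdu[1]}
    if pdu[0] != FC_ENCAPSULATED or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("not a Read Device Identification response")
    _read_code, conformity, more_follows, _next_obj, count = pdu[2:7]
    objects = {}
    offset = 7
    for _ in range(count):
        if offset + 2 > len(pdu):
            raise ValueError("object header truncated")
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value truncated")
        objects[BASIC_OBJECTS.get(obj_id, f"object_{obj_id}")] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit, "conformity_level": conformity,
            "more_follows": bool(more_follows), "objects": objects}


def build_sample_response(transaction_id: int = 1) -> bytes:
    """Constructed reply from an imaginary PLC: vendor 'Acme', product 'PLC-100', revision 'v2.1'."""
    objects = b"".join(struct.pack(">BB", i, len(v)) + v
                       for i, v in enumerate((b"Acme", b"PLC-100", b"v2.1")))
    # read code 1, conformity level 0x01 (basic), more_follows 0, next object 0, 3 objects
    pdu = struct.pack(">BBBBBBB", FC_ENCAPSULATED, MEI_READ_DEVICE_ID, 1, 0x01, 0, 0, 3) + objects
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, 0xFF) + pdu


def query_device(host: str, port: int = MODBUS_PORT, timeout: float = 3.0) -> dict:
    """Send one request and decode the reply. Only against devices you are authorized to probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(1))
        return parse_read_device_id(sock.recv(260))


if __name__ == "__main__":
    print("request:", build_read_device_id(1).hex())
    print("decoded:", parse_read_device_id(build_sample_response()))
```

The request is 12 bytes and asks for three short strings; that is the entire footprint of the probe, which is why a targeted script against port 502 is so much kinder to a controller than a SYN sweep with version detection. The decoder checks every length field before indexing, because a malformed or truncated reply from a flaky device is the normal case, not the exception.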

Generating reports

Lastly, saving scans in a report-like format is a real advantage given how sprawling scan results can become; they are often hard to read even when you know exactly what you are looking for. Nmap pairs any host or port scanning technique, verbosity level or debugging setting with the output format of your choice, and the XML and grepable formats are the ones to feed into other tools. Here are a handful of examples in no particular order.

Normal output to a file: nmap -oN <filename> <target>
XML output (machine-readable, for further processing): nmap -oX <filename.xml> <target>
All formats at once (normal, XML and grepable, written as <basename>.nmap, .xml and .gnmap): nmap -oA <basename> <target>
Increase verbosity and debugging levels: nmap -v3 -d2 -oN <filename> <target>
Show why each host or port is in its state: nmap --reason <target>
Print periodic timing stats: nmap -Pn --stats-every 10s <target>
Trace every packet sent and received: nmap -T4 --packet-trace <target>
Show only open (or possibly open) ports: nmap --open <target>
List interfaces and routes: nmap --iflist
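The XML format is the one to build on: it carries the -sV banners, the --reason states and the NSE script output from the section above in one machine-readable tree. As an added example, not code from Nmap or from this post, here is a small Python parser that turns an -oX file into records and pulls out the open ports and the risky HTTP methods reported by http-methods. The embedded XML is a constructed sample in the shape Nmap writes, not a real scan.

```python
"""Parse Nmap XML output (-oX) into plain Python records. Added example, not code
from the Nmap project or the original post: it walks the <host>/<port>/<service>/
<script> elements Nmap writes, so one pass also recovers NSE script results."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the shape of `nmap -sV -sC -oX report.xml <target>`;
# the host, ports and banners are made up for the example.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX report.xml 192.0.2.10" version="7.94">
<host>
  <status state="up" reason="syn-ack" reason_ttl="64"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="22">
      <state state="open" reason="syn-ack" reason_ttl="64"/>
      <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
    </port>
    <port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack" reason_ttl="64"/>
      <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      <script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE&#xa;  Potentially risky methods: TRACE"/>
    </port>
    <port protocol="tcp" portid="443">
      <state state="filtered" reason="no-response" reason_ttl="0"/>
    </port>
  </ports>
</host>
</nmaprun>"""


@dataclass
class Port:
    protocol: str
    number: int
    state: str
    reason: str
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: dict[str, str] = field(default_factory=dict)


@dataclass
class Host:
    address: str
    ports: list[Port] = field(default_factory=list)


def _attr(el: ET.Element | None, key: str) -> str:
    return el.get(key, "") if el is not None else ""


def parse_nmap_xml(xml_text: str) -> list[Host]:
    """One Host per host Nmap reported as up (down hosts only appear with -v)."""
    hosts: list[Host] = []
    for h in ET.fromstring(xml_text).iter("host"):
        if _attr(h.find("status"), "state") != "up":
            continue
        # An Element with no children is falsy, so test `is None`, never `or`.
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        host = Host(addr.get("addr", ""))
        for p in h.iter("port"):
            st, svc = p.find("state"), p.find("service")
            host.ports.append(Port(
                p.get("protocol", ""), int(p.get("portid", "0")),
                _attr(st, "state"), _attr(st, "reason"), _attr(svc, "name"),
                _attr(svc, "product"), _attr(svc, "version"),
                {s.get("id", ""): s.get("output", "") for s in p.findall("script")}))
        hosts.append(host)
    return hosts


def open_ports(hosts: list[Host]) -> list[tuple[str, str, int, str]]:
    """(address, protocol, port, service) for every open port, like --open."""
    return [(h.address, p.protocol, p.number, p.service)
            for h in hosts for p in h.ports if p.state == "open"]


def risky_http_methods(hosts: list[Host]) -> dict[tuple[str, int], list[str]]:
    """Methods the http-methods script flagged as risky, keyed by (address, port)."""
    found: dict[tuple[str, int], list[str]] = {}
    for h in hosts:
        for p in h.ports:
            for line in p.scripts.get("http-methods", "").splitlines():
                if line.strip().startswith("Potentially risky methods:"):
                    found[(h.address, p.number)] = line.split(":", 1)[1].split()
    return found


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    print(open_ports(scan), risky_http_methods(scan))
```

Point parse_nmap_xml at the contents of a real -oX file (or the .xml written by -oA) and the same functions apply; the `reason` field is what --reason prints, so "filtered"/"no-response" versus "closed"/"reset" is available to your tooling without re-scanning.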

It’s hard to fathom a more complete scanning tool than Nmap. After so many years of operational prowess, thousands of papers and supporting literature, countless workshops, and proofs of concept, the tool remains as relevant as it’s ever been.

The techniques and arguments showcased in this Nmap cheat sheet are nowhere near exhaustive, as Nmap continues to grow the way a mature application should. Its core features nonetheless remain accessible to all, and the prospect of becoming proficient at what is considered an essential cyber skill remains enticing to everyone who ventures forth.

For a more in-depth look at Nmap, you can always read the Nmap documentation, or grab the official book which covers all these topics and much more!

Gianni Perez

Gianni is a technical writer at SecurityTrails and an adjunct college cybersecurity instructor with over two decades of infosec experience. He knows firsthand the demands security professionals face, and draws upon his knowledge of IT systems, from administration and software development to automation, to provide security insights that make a real difference.