Nmap Cheat Sheet
Navigate the world of network scanning with precision using this comprehensive Nmap cheat sheet. Discover essential commands, options, and best practices for performing efficient network scans.
Nmap Cheat Sheet
nmap <target>
Perform a basic scan on the target
nmap -p <ports> <target>
Scan specific ports on the target
nmap -p- <target>
Scan all 65535 ports on the target
nmap -sS <target>
Stealth SYN scan (default if not root)
nmap -sT <target>
TCP connect scan
nmap -sU <target>
UDP scan
nmap -sA <target>
TCP ACK scan
nmap -sN <target>
TCP NULL scan
nmap -sF <target>
TCP FIN scan
nmap -O <target>
OS detection
nmap -A <target>
Aggressive scan
nmap -T<0-5> <target>
Set timing template (0=paranoid, 5=insane)
nmap -v <target>
Increase verbosity
nmap -vv <target>
Very verbose output
nmap -oN <output.txt> <target>
Save results in normal format to a file
nmap -oX <output.xml> <target>
Save results in XML format to a file
nmap -oG <output.grep> <target>
Save results in grepable format to a file
nmap --script <script> <target>
Run Nmap script against target
nmap -p- --script vuln <target>
Run vulnerability scan against all ports
nmap -sV <target>
Version detection
nmap -sC <target>
Default script scan
nmap --traceroute <target>
Perform a traceroute
Note: Replace <target>, <ports>, <script>, etc., with actual values.
Nmap Best Practice Examples
Basic Scan on Target
Command: nmap target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:00
UTC Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
Scan Specific Ports on Target
Command: nmap -p 80,443 target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:05 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Aggressive Scan with Version Detection
Command: nmap -A target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:10 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
Nmap done: 1 IP address (1 host up) scanned in 5.78 seconds
Run Script Against Target
Command: nmap --script http-enum target.com
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:15 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /: Potentially interesting files found
| /admin/: Potentially interesting files found
| /images/: Potentially interesting files found
|_ /backup/: Potentially interesting files found
Comprehensive Scan with Script Execution and Version Detection
Execute a comprehensive scan on the specified target using Nmap. This command combines the -sV flag for version detection and the -sC flag for script execution. The -sV flag helps identify the versions of services running on open ports, while the -sC flag runs default scripts to perform basic vulnerability and service enumeration.
This approach provides a well-rounded view of the target system, allowing you to gain insights into both the services and potential vulnerabilities present. The combination of version detection and script execution enhances your ability to assess the security posture of the target network or host.
Command: nmap -sV -sC target
Output:
Starting Nmap 7.91 ( https://nmap.org ) at 2023-08-31 12:20 UTC
Nmap scan report for target.com (192.168.1.1)
Host is up (0.05s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain 443/tcp open ssl/http Apache httpd 2.4.39 ((Unix))
|_http-server-header: Apache/2.4.39 (Unix)
|_http-title: Example Domain
| ssl-cert: Subject: commonName=target.com
| Subject Alternative Name: DNS:target.com
| Issuer: organizationName=Let's Encrypt, countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-08-01T00:00:00Z
| Not valid after: 2023-09-01T23:59:59Z
| MD5: aaabbbcccddddeeeeffff11112222
|_SHA-1: 112233445566778899aabbccddee
|_SHA-256: 1234567890abcdef
Remember to replace target.com with the actual target IP address or domain name when executing these commands. These examples showcase different scenarios and how to interpret Nmap's output. You can use these as templates and adjust them based on your specific needs.
Last updated
Was this helpful?