NMAP Cheat Sheet

Scan an IPv4 host/address

nmap 192.168.1.1

Scan an IPv6 host/address

nmap -6 2607:f8b0:4007:804::1009
nmap -v A -6 2607:f8b0:4007:804::1009

Scan FQDN

nmap server1.cyberciti.biz

Scan a host name with more info

nmap -v server1.cyberciti.biz

Scan a range of IP address

nmap 192.168.1.1-20
nmap 192.168.1.*
nmap 192.168.1.0/24
nmap 192.168.1.1,2,3
nmap 192.168.1.1 192.168.1.2

Read list of hosts/networks from a file

nmap -iL /tmp/test.txt

Excluding hosts/networks (IPv4)

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt

Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254

Scan a host when protected by the firewall

nmap -PN 192.168.1.1

Scan a network and find out which servers and devices are up and running

nmap -sP 192.168.1.0/24

Perform a fast scan

nmap -F 192.168.1.1

Display the reason a port is in a particular state

nmap --reason 192.168.1.1

Only show open (or possibly open) ports

nmap --open 192.168.1.1

Show all packets sent and received

nmap --packet-trace 192.168.1.1

Show host interfaces and routes (netsat -nr)

nmap --iflist

Scan specific ports

nmap -p 80 192.168.1.1
nmap -p 80,443 192.168.1.1
nmap -p 80-200 192.168.1.1
nmap -p T:80 192.168.1.1
nmap -p U:53 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
nmap --top-ports 5 192.168.1.1

Fastest way to scan all your devices/computers for open ports

nmap -T5 192.168.1.0/24

Detect remote operating system

nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Detect remote services (server / daemon) version numbers

nmap -sV 192.168.1.1

Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1

Scan a host using IP protocol ping

nmap -PO 192.168.1.1

Scan a host using UDP ping

nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1

Stealthy scan

nmap -sS 192.168.1.1

Find out the most commonly used TCP ports using TCP ACK scan

nmap -sA 192.168.1.1

Find out the most commonly used TCP ports using TCP Window scan

nmap -sW 192.168.1.1

Find out the most commonly used TCP ports using TCP Maimon scan

nmap -sM 192.168.1.1

Find out the most commonly used TCP ports using TCP connect scan

nmap -sT 192.168.1.1

Scan a host for UDP services (UDP scan)

nmap -sU 192.168.1.1

Scan for IP protocol

nmap -sO 192.168.1.1

Scan a firewall for security weakness. TCP Null Scan to fool a firewall to generate a response
Does not set any bits (TCP flag header is 0)

nmap -sN 192.168.1.254

TCP Fin scan to check firewall. Sets just the TCP FIN bit

nmap -sF 192.168.1.254

TCP Xmas scan to check firewall. Sets the FIN, PSH, & URG flags, lighting the packet up like a Christmas tree

nmap -sX 192.168.1.254

Scan a firewall for packets fragments

nmap -f 192.168.1.1

Set your own offset size with the –mtu option

nmap --mtu 32 192.168.1.1

Cloak a scan with decoys

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

Spoof your MAC address

nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

Add other options

nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

Use a random MAC address. The number 0, means nmap chooses a completely random MAC address

nmap -v -sT -PN --spoof-mac 0 192.168.1.1

Save output to a text file

nmap 192.168.1.1 > output.txt
nmap -oN /tmp/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1

Find host MAC address (can only be done on same LAN segment)

sudo nmap -sP -n 192.168.0.1
sudo nmap -sP -n 192.168.0.0/24