November 22, 2023

Nmap Cheat Sheet Tutorial

By Ovais Mirza

Nmap is a free, open-source tool for discovering hosts and services on a computer network by sending packets and analyzing the responses. Nmap includes features such as host discovery, service detection, and operating system detection that are useful for probing computer networks.

  • Nmap can give you more information about your targets, such as reverse DNS names, device types, and MAC addresses.
  • Host discovery is the process of locating hosts on a network, for example listing the hosts that respond to TCP and/or ICMP requests or have a specific port open.
  • Port scanning is the process of identifying all open ports on a target host.
  • OS detection is the process of determining the operating system and hardware characteristics of network devices.
  • Version detection is the process of interrogating network services on remote devices to determine the application name and version number.
  • You can interact with the target in a scripted manner by using the Nmap Scripting Engine (NSE).


The application of Nmap

  • To assess a device’s or firewall’s security, identify the network connections that can be made to or through it.
  • Identifying open ports on a target host as part of audit preparation.
  • Network inventory, network mapping, and asset and maintenance management.
  • Identifying new servers as part of assessing a network’s security.
  • Generating traffic to hosts on a network, analyzing the responses, and measuring response times.
  • Discovering and exploiting a network’s vulnerabilities.
  • DNS requests and subdomain lookups


Commands for NMAP Cheat sheet

The following section lists the different Nmap commands grouped by type, each with an example:

Common Scanning Commands

| Goal | Command | Example |
|---|---|---|
| Scan a single target | nmap [target] | nmap 192.168.0.1 |
| Scan multiple targets at a time | nmap [target1 target2 target3 ...] | nmap 192.168.0.1 192.168.0.2 |
| Scan a range of hosts | nmap [range of IP addresses] | nmap 192.168.0.1-10 |
| Scan an entire subnet | nmap [ip address/cidr] | nmap 192.168.0.1/24 |
| Scan a set of random hosts | nmap -iR [number] | nmap -iR |
| Exclude targets from a scan | nmap [targets] --exclude [targets] | nmap 192.168.0.1/24 --exclude 192.168.0.100,192.168.0.20 |
| Exclude targets from a scan using a list | nmap [targets] --excludefile [list.txt] | nmap 192.168.0.1/24 --excludefile notargets.tx |
| Perform an aggressive scan | nmap -A [target] | nmap -A 192.168.0. |
| Scan an IPv6 target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2af |

Host Discovery Options

| Goal | Command | Example |
|---|---|---|
| Conduct a ping-only scan | nmap -sP [target] | nmap -sP 192.168.0.1 |
| Don't ping | nmap -PN [target] | nmap -PN 192.168.0. |
| TCP SYN ping | nmap -PS [target] | nmap -PS 192.168.0. |
| TCP ACK ping | nmap -PA [target] | nmap -PA 192.168.0. |
| UDP ping | nmap -PU [target] | nmap -PU 192.168.0. |
| SCTP ping | nmap -PY [target] | nmap -PY 192.168.0. |
| ICMP echo ping | nmap -PE [target] | nmap -PE 192.168.0. |
| ICMP timestamp ping | nmap -PP [target] | nmap -PP 192.168.0. |
| ICMP address mask ping | nmap -PM [target] | nmap -PM 192.168.0. |
| IP protocol ping | nmap -PO [target] | nmap -PO 192.168.0.1 |

Options for Advanced Scanning

| Goal | Command | Example |
|---|---|---|
| ARP ping | nmap -PR [target] | nmap -PR 192.168.0.1 |
| Traceroute | nmap --traceroute [target] | nmap --traceroute 192.168.0.1 |
| Force reverse DNS resolution | nmap -R [target] | nmap -R 192.168.0.1 |
| Disable reverse DNS resolution | nmap -n [target] | nmap -n 192.168.0.1 |
| Alternative DNS lookup (system resolver) | nmap --system-dns [target] | nmap --system-dns 192.168.0.1 |
| Manually specify DNS server(s) | nmap --dns-servers [servers] [target] | nmap --dns-servers 201.56.212.54 192.168.0.1 |
| Create a host list | nmap -sL [targets] | nmap -sL 192.168.0.1/24 |

Options for Port Scanning

| Goal | Command | Example |
|---|---|---|
| Perform a fast scan | nmap -F [target] | nmap -F 192.168.0.1 |
| Scan specific ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080 192.168.1.1 |
| Scan ports by name | nmap -p [port name(s)] [target] | nmap -p ftp,http* 192.168.0.1 |
| Scan ports by protocol | nmap -sU -sT -p U:[ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.0.1 |
| Scan all ports | nmap -p '*' [target] | nmap -p '*' 192.168.0. |
| Scan top ports | nmap --top-ports [number] [target] | nmap --top-ports 10 192.168.0. |
| Scan ports in sequential order | nmap -r [target] | nmap -r 192.168.0. |

Detecting Versions

| Goal | Command | Example |
|---|---|---|
| Detect operating system | nmap -O [target] | nmap -O 192.168.0.1 |
| Attempt to guess an unknown OS | nmap -O --osscan-guess [target] | nmap -O --osscan-guess 192.168.0.1 |
| Detect service version | nmap -sV [target] | nmap -sV 192.168.0.1 |
| Troubleshoot version detection | nmap -sV --version-trace [target] | nmap -sV --version-trace 192.168.0.1 |
| Perform an RPC scan | nmap -sR [target] | nmap -sR 192.168.0.1 |

Techniques for Getting Through Firewalls

| Goal | Command | Example |
|---|---|---|
| Fragment packets | nmap -f [target] | nmap -f 192.168.0.1 |
| Specify a particular MTU | nmap --mtu [MTU] [target] | nmap --mtu 32 192.168.0 |
| Use decoys | nmap -D RND:[number] [target] | nmap -D RND:10 192.168.0.1 |
| Zombie (idle) scan | nmap -sI [zombie] [target] | nmap -sI 192.168.0.38 |
| Specify a source port manually | nmap --source-port [port] [target] | nmap --source-port 10 192.168.0.1 |
| Append random data | nmap --data-length [size] [target] | nmap --data-length [size] [target] |
| Randomize target scanning order | nmap --randomize-hosts [target] | nmap --randomize-hosts 192.168.0.1-20 |
| Spoof MAC address | nmap --spoof-mac [MAC|0|vendor] [target] | nmap --spoof-mac Cis 192.168.0.1 |
| Send invalid checksums | nmap --badsum [target] | nmap --badsum 192.168.0.1 |