Nmap cheat sheet

List of content you will read in this article:

Nmap, which stands for Network Mapper, is a free and open-source vulnerability assessment and network discovery application. Nmap is used by network administrators to determine what devices are operating on their systems, debug networks, locate available hosts, find open ports, detect security issues in the network and determine network device operating systems and hardware characteristics.

Nmap may be used to monitor single hosts as well as large networks with hundreds of thousands of devices and subnets.

Below is the cheat sheet for Nmap that can be used for quick reference for the commands.

Scanning commands

Scan a single target

nmap [IP address]

Scan multiple hosts within the same network

nmap [IP address1] [IP address2]

Scan a subnet

nmap [IP address/cidr]

Example: 

nmap 192.168.1.1/24

Scanning an IPv6 address

nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe

Scanning a particular link or domain

nmap scan.nmap.com

Perform UDP power scan

nmap [IP address] -sU

Perform TCP window port scan

nmap [IP address] -sW

Perform TCP SYN port scan (default)

nmap [IP address] -sS

Scan by excluding few hosts

nmap --exclude [IP address]

Implement TCP SYN scan

nmap -sS [IP address]

Implement TCP ACK scan

nmap -sA [IP address]

Implement UDP scan

nmap -sU [IP address]

Implement IP protocol scan

nmap -sO [IP address]

Send IP packets to some host

nmap -send-ip [IP address]

Host discovery and ARP ping commands

Ping on scan 

nmap -sP [IP address]

Discover ARP in the local network

nmap 192.168.1.1-1/24 -PR

Implement TCP SYN ping

nmap -PS [IP address]

Implement TCP ACK ping

nmap -PA [IP address]

Implement UDP ping

nmap -PU [IP address]

Implement ICMP echo ping

nmap -PE [IP address]

Implement IP protocol ping

nmap -PO [IP address]

Implementing tracerouting

nmap -traceroute [IP address]

Enforce reverse DNS resolution

nmap -R [IP address]

To disable reverse DNS resolution

nmap -n [IP address]

Port Scanning

Fast scan

nmap -F [IP address]

Specific ports’ scanning

nmap -p [port(s)] [IP address]

Implement scan on all the ports

nmap -p '*' [IP address]

Scan top k ports

nmap [IP address] --top-ports 10

Port scan a range

nmap [IP address] -p 1-100

Implement sequential port scanning

nmap -r [IP address]

Version and OS detection

OS detection

nmap -O [IP address]

Detect service version

nmap -sV [IP address]

OS detection, version detection, script scanning, and tracerouting

nmap 192.168.1.1 -A

Guess an unknown OS

nmap -O -osscan guess [IP address]

Implement Remote Procedure Call scan

nmap -sR [IP address]

Firewall/IDS Evasion techniques

Spoofing a MAC-address

nmap -spoof-mac [MAC|0|vendor] [IP address]

Append some random data to delivered packets

nmap --data-length 100 [IP address]

Induce an invalid TCP/UDP checksum for delivered packets

nmap --badsum [IP address]

Implement idle zombie scan

nmap -sI [zombie] [IP address]

Troubleshooting and debugging using outputs in Nmap

Implement packet tracing

nmap -packet-trace [IP address]

Enhance debugging level

nmap -d [IP address]

Show open ports

nmap --open [IP address]

Give normal output of some file

nmap [IP address] -oN file.ext

Give XML output of the file

nmap [IP address] -oX file.ext

Display host interfaces and routes

nmap -iflist

Get Nmap version

nmap -V

To resume a scan

nmap --resume file.extension

Scripts

Run individual scripts

nmap -script [file.nse] [IP address]

To check for SQL injection attack

nmap -p80 --script http-sql-injection scan.domain.com

To update script database

nmap -script-updatedb

Run multiple scripts using a wildcard

nmap -script [expression] [IP address]

Example

nmap -script 'http-*' 192.168.1.1

Terms discussed in the above commands

Ports

A port is a location in your computer where network services interact with your computer. Ports are software-based tools that are handled by the operating system of a computer. Each port corresponds to a certain activity or service. Ports allow computers to readily distinguish between different types of traffic: emails, for example, travel to a different port than websites, even when both arrive at a computer over the same connection. 

Ports are standardised across all network-connected devices, with a unique number allocated to each port. For instance, Standard Mail Transfer Protocol (SMTP) has port number 25 and HTTP has port number 80. Search for more port numbers and services at your end.

IP address

An IP address is a one-of-a-kind identifier for a device on the internet or a local network. IP is an abbreviation for "Internet Protocol," which is a collection of rules that governs the format of data delivered over the internet or a local network. The two different types of IPs are IPv4 and IPv6.

TCP

TCP/IP allows you to specify how a certain computer should be linked to the internet and how data should be sent between them. When numerous computer networks are linked, it aids in the creation of a virtual network. It is a connection-oriented protocol meaning it first establishes a connection between server and client and then transfers data.

UDP

The Datagram oriented protocol is UDP. This is due to the fact that there is no overhead for initiating, maintaining, or ending a connection. UDP is a good choice for broadcast and multicast network communication.