Tech, Gadgets, Photography, Social Media and Poor Spelling

Linux Tip: Getting more out of NMAP


Nmap is a great tool for finding which ports are open on local or remote servers and has saved my bacon a few times; used properly, however, it can tell you a lot more about those remote machines. This cheat sheet is one of the better ones I have found.


All of you are aware of Nmap (Network Mapper). It is a well-known port scanner, available for free.
It is not only a port scanner: it also does jobs like banner grabbing, OS fingerprinting, running scripts, and so on.
So I'm going to show you some important Nmap commands.

Requirements: Nmap

Step 1: Open up the console and type:
It will print the full list of nmap options.
But we are here to understand the commands, so let's go ahead.

Here is the Nmap cheat sheet.


Target specification

| Goal | Command | Example |
| --- | --- | --- |
| Scan a Single Target | nmap [target] | nmap |
| Scan Multiple Targets | nmap [target1 target2 ...] | nmap |
| Scan a List of Targets | nmap -iL [list.txt] | nmap -iL targets.txt |
| Scan a Range of Hosts | nmap [range of IP addresses] | nmap |
| Scan an Entire Subnet | nmap [ip address/cidr] | nmap |
| Scan Random Hosts | nmap -iR [number] | nmap -iR 0 |
| Exclude Targets from a Scan | nmap [targets] --exclude [targets] | nmap --exclude |
| Exclude Targets Using a List | nmap [targets] --excludefile [list.txt] | nmap --excludefile notargets.txt |
| Perform an Aggressive Scan | nmap -A [target] | nmap -A |
| Scan an IPv6 Target | nmap -6 [target] | nmap -6 1aff:3c21:47b1:0000:0000:0000:0000:2afe |


Host discovery

| Goal | Command | Example |
| --- | --- | --- |
| Perform a Ping Only Scan | nmap -sn [target] (older releases: -sP) | nmap -sn |
| Don't Ping (treat every host as up) | nmap -Pn [target] (older releases: -PN) | nmap -Pn |
| TCP SYN Ping | nmap -PS [target] | nmap -PS |
| TCP ACK Ping | nmap -PA [target] | nmap -PA |
| UDP Ping | nmap -PU [target] | nmap -PU |
| SCTP INIT Ping | nmap -PY [target] | nmap -PY |
| ICMP Echo Ping | nmap -PE [target] | nmap -PE |
| ICMP Timestamp Ping | nmap -PP [target] | nmap -PP |
| ICMP Address Mask Ping | nmap -PM [target] | nmap -PM |
| IP Protocol Ping | nmap -PO [target] | nmap -PO |
| ARP Ping | nmap -PR [target] | nmap -PR |
| Traceroute | nmap --traceroute [target] | nmap --traceroute |
| Force Reverse DNS Resolution | nmap -R [target] | nmap -R |
| Disable Reverse DNS Resolution | nmap -n [target] | nmap -n |
| Alternative DNS Lookup | nmap --system-dns [target] | nmap --system-dns |
| Manually Specify DNS Server(s) | nmap --dns-servers [servers] [target] | nmap --dns-servers |
| Create a Host List | nmap -sL [targets] | nmap -sL |



Scan techniques

| Goal | Command | Example |
| --- | --- | --- |
| TCP SYN Scan | nmap -sS [target] | nmap -sS |
| TCP Connect Scan | nmap -sT [target] | nmap -sT |
| UDP Scan | nmap -sU [target] | nmap -sU |
| TCP NULL Scan | nmap -sN [target] | nmap -sN |
| TCP FIN Scan | nmap -sF [target] | nmap -sF |
| Xmas Scan | nmap -sX [target] | nmap -sX |
| TCP ACK Scan | nmap -sA [target] | nmap -sA |
| Custom TCP Scan | nmap --scanflags [flags] [target] | nmap --scanflags SYNFIN |
| IP Protocol Scan | nmap -sO [target] | nmap -sO |
| Send Raw Ethernet Packets | nmap --send-eth [target] | nmap --send-eth |
| Send IP Packets | nmap --send-ip [target] | nmap --send-ip |



Port specification

| Goal | Command | Example |
| --- | --- | --- |
| Perform a Fast Scan | nmap -F [target] | nmap -F |
| Scan Specific Ports | nmap -p [port(s)] [target] | nmap -p 21-25,80,139,8080 |
| Scan Ports by Name | nmap -p [port name(s)] [target] | nmap -p ftp,http* |
| Scan Ports by Protocol | nmap -sU -sT -p U:[ports],T:[ports] [target] | nmap -sU -sT -p U:53,111,137,T:21-25,80,139,8080 |
| Scan All Ports | nmap -p '*' [target] | nmap -p '*' |
| Scan Top Ports | nmap --top-ports [number] [target] | nmap --top-ports 10 |
| Perform a Sequential Port Scan | nmap -r [target] | nmap -r |



OS and service detection

| Goal | Command | Example |
| --- | --- | --- |
| Operating System Detection | nmap -O [target] | nmap -O |
| Submit TCP/IP Fingerprints | | |
| Attempt to Guess an Unknown OS | nmap -O --osscan-guess [target] | nmap -O --osscan-guess |
| Service Version Detection | nmap -sV [target] | nmap -sV |
| Troubleshooting Version Scans | nmap -sV --version-trace [target] | nmap -sV --version-trace |
| Perform a RPC Scan (now an alias for -sV) | nmap -sR [target] | nmap -sR |



Timing and performance

| Goal | Command | Example |
| --- | --- | --- |
| Timing Templates | nmap -T[0-5] [target] | nmap -T3 |
| Set the Packet TTL | nmap --ttl [value] [target] | nmap --ttl 64 |
| Minimum # of Parallel Operations | nmap --min-parallelism [number] [target] | nmap --min-parallelism 10 |
| Maximum # of Parallel Operations | nmap --max-parallelism [number] [target] | nmap --max-parallelism 1 |
| Minimum Host Group Size | nmap --min-hostgroup [number] [targets] | nmap --min-hostgroup 50 |
| Maximum Host Group Size | nmap --max-hostgroup [number] [targets] | nmap --max-hostgroup 1 |
| Initial RTT Timeout | nmap --initial-rtt-timeout [time] [target] | nmap --initial-rtt-timeout 100ms |
| Maximum RTT Timeout | nmap --max-rtt-timeout [time] [target] | nmap --max-rtt-timeout 100ms |
| Maximum Retries | nmap --max-retries [number] [target] | nmap --max-retries 10 |
| Host Timeout | nmap --host-timeout [time] [target] | nmap --host-timeout 30m |
| Minimum Scan Delay | nmap --scan-delay [time] [target] | nmap --scan-delay 1s |
| Maximum Scan Delay | nmap --max-scan-delay [time] [target] | nmap --max-scan-delay 10s |
| Minimum Packet Rate | nmap --min-rate [number] [target] | nmap --min-rate 50 |
| Maximum Packet Rate | nmap --max-rate [number] [target] | nmap --max-rate 100 |
| Defeat Reset Rate Limits | nmap --defeat-rst-ratelimit [target] | nmap --defeat-rst-ratelimit |



Firewall and IDS evasion

| Goal | Command | Example |
| --- | --- | --- |
| Fragment Packets | nmap -f [target] | nmap -f |
| Specify a Specific MTU | nmap --mtu [MTU] [target] | nmap --mtu 32 |
| Use a Decoy | nmap -D RND:[number] [target] | nmap -D RND:10 |
| Idle Zombie Scan | nmap -sI [zombie] [target] | nmap -sI |
| Manually Specify a Source Port | nmap --source-port [port] [target] | nmap --source-port 1025 |
| Append Random Data | nmap --data-length [size] [target] | nmap --data-length 20 |
| Randomize Target Scan Order | nmap --randomize-hosts [target] | nmap --randomize-hosts |
| Spoof MAC Address | nmap --spoof-mac [MAC|0|vendor] [target] | nmap --spoof-mac Cisco |
| Send Bad Checksums | nmap --badsum [target] | nmap --badsum |



Output options

| Goal | Command | Example |
| --- | --- | --- |
| Save Output to a Text File | nmap -oN [scan.txt] [target] | nmap -oN scan.txt |
| Save Output to an XML File | nmap -oX [scan.xml] [target] | nmap -oX scan.xml |
| Grepable Output | nmap -oG [scan.txt] [targets] | nmap -oG scan.txt |
| Output All Supported File Types | nmap -oA [path/filename] [target] | nmap -oA ./scan |
| Periodically Display Statistics | nmap --stats-every [time] [target] | nmap --stats-every 10s |
| Script Kiddie (l33t) Output | nmap -oS [scan.txt] [target] | nmap -oS scan.txt |
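As an added example, not part of this cheat sheet: a small Python parser for the -oX XML output listed above that collects each live host's open ports and flags any that are missing from an allow-list, which is how a defender turns a periodic scan into an exposure check. The sample XML and the baseline allow-list are constructed for the example (documentation-range addresses, made-up services).

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements the parser reads; addresses come from the documentation range 192.0.2.0/24.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>"""

def open_ports(xml_text):
    """Return {ip: {(proto, port): service}} for every host nmap reported up."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[ip] = ports
    return result

def unexpected_ports(scan, baseline):
    """Open ports absent from the per-host allow-list; unknown hosts allow nothing."""
    findings = []
    for ip, ports in sorted(scan.items()):
        for key in sorted(ports):
            if key not in baseline.get(ip, set()):
                findings.append((ip, key[0], key[1], ports[key]))
    return findings

BASELINE = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}  # constructed allow-list
```

Run it against a real `nmap -oX scan.xml` file by reading the file into `open_ports`; every finding is a port that is open but not on the host's approved list.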



Troubleshooting and help

| Goal | Command | Example |
| --- | --- | --- |
| Getting Help | nmap -h | nmap -h |
| Display Nmap Version | nmap -V | nmap -V |
| Verbose Output | nmap -v [target] | nmap -v |
| Debugging | nmap -d [target] | nmap -d |
| Display Port State Reason | nmap --reason [target] | nmap --reason |
| Only Display Open Ports | nmap --open [target] | nmap --open |
| Trace Packets | nmap --packet-trace [target] | nmap --packet-trace |
| Display Host Networking | nmap --iflist | nmap --iflist |
| Specify a Network Interface | nmap -e [interface] [target] | nmap -e eth0 |



Nmap Scripting Engine (NSE)

| Goal | Command | Example |
| --- | --- | --- |
| Execute Individual Scripts | nmap --script [script.nse] [target] | nmap --script banner.nse |
| Execute Multiple Scripts | nmap --script [expression] [target] | nmap --script 'http-*' |
| Script Categories | all, auth, default, discovery, external, intrusive, malware, safe, vuln | |
| Execute Scripts by Category | nmap --script [category] [target] | nmap --script 'not intrusive' |
| Execute Multiple Script Categories | nmap --script [category1,category2,...] [target] | nmap --script 'default or safe' |
| Troubleshoot Scripts | nmap --script [script] --script-trace [target] | nmap --script banner.nse --script-trace |
| Update the Script Database | nmap --script-updatedb | nmap --script-updatedb |

This entry was posted on March 14, 2013 in Linux, tip, Ubuntu.