Nmap Scan Cheat Sheet

Here are my go-to Nmap commands:

Nmap Host Discovery (Ping Scan) Basic Options

The first step in vulnerability testing is to identify which host(s) are “up” on the network. To do this you use the Nmap Ping or “Sweep” Scan (-sP). By default, against a remote target, a privileged (root) Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and treats any reply as proof the host is up; an unprivileged user only gets TCP connect probes to ports 80 and 443. To speed up the scan, you can use Nmap’s -n option to disable DNS reverse resolution (“Host,” n.d.) and the -T4 “Aggressive” timing option (“Timing,” n.d.). There are additional host discovery techniques, ranging from quick ARP requests on the local Ethernet segment to elaborate combinations of TCP, ICMP and other probes, a discussion of which is outside the scope of this post (“The Phases,” n.d.):

Scan an entire subnet
    Command: nmap -sP <subnet_address>
    Example: nmap -sP 10.0.2.0/24

Scan a range of IP addresses on a subnet
    Command: nmap -sP <subnet_ip_address_range>
    Example: nmap -sP 10.0.2.10-25

Scan the IP addresses listed in a file
    Command: nmap -sP -iL <scan_list.txt>
    Example: nmap -sP -iL scan_list.txt

Exclude targets from a subnet scan
    Command: nmap -sP <subnet> --exclude <target(s)>
    Example: nmap -sP 10.0.2.0/24 --exclude 10.0.2.1,10.0.2.5

Exclude targets from a subnet scan using a list
    Command: nmap -sP <subnet> --excludefile <do_not_scan_list.txt>
    Example: nmap -sP 10.0.2.0/24 --excludefile do_not_scan_list.txt

* -sP is the older spelling; current Nmap releases call this option -sn and keep -sP as an alias, so the two are interchangeable. This is commonly known as a “ping scan.” Either form tells Nmap not to run a port scan after host discovery and only to print the hosts that responded to the discovery probes (“Host,” n.d.).

Nmap Host Discovery (Ping Scan) Advanced Options

TCP SYN Ping (-PS[portlist])
    Usage: May work on systems that do not respond to ICMP echo requests. An open port answers with SYN/ACK and a closed one with RST; either proves the host is up. Default port is 80; a port list may be appended, e.g. -PS22,443.
    Command: nmap -sP -PS 10.0.2.0/24

TCP ACK Ping (-PA[portlist])
    Usage: May work on systems that do not respond to ICMP echo requests or that filter unsolicited SYNs. Host responds with RST whether the port is open or closed. Default port is 80.
    Command: nmap -sP -PA 10.0.2.0/24

UDP Ping (-PU[portlist])
    Usage: May work on systems that do not respond to ICMP echo requests. A closed port responds with ICMP port unreachable. Default port is 40125, chosen because it is unlikely to be open.
    Command: nmap -sP -PU 10.0.2.0/24

Note: when a privileged Nmap scans hosts on its own Ethernet segment it uses ARP requests for discovery regardless of the probe types you select, because ARP is faster and more reliable there; these TCP and UDP probes matter for routed targets (use --disable-arp-ping to force IP probes locally) (“Host,” n.d.).

Nmap Port Scanning Basic Options

The second step in most vulnerability testing is to identify which ports and services are open on the host(s) you have discovered. Nmap offers a variety of port scanning options. By default, when you ask Nmap to perform a port scan it first conducts a ping scan. But since you already determined which host(s) are up in the host discovery step, you can tell Nmap to skip discovery with -Pn, which further speeds up your scan. In addition, you can use Nmap’s -n option to disable DNS reverse resolution (“Host,” n.d.) and the -T4 “Aggressive” timing option (“Timing,” n.d.) discussed above.

You invoke Nmap’s default port scan with the command “nmap” followed by the target(s) (see below). First, Nmap pings the host(s) to make sure they are up, unless you disable host discovery with -Pn (spelled -PN in older releases). Next, Nmap uses the TCP SYN Scan (-sS) to identify open ports and services if the user has root (raw packet) privileges; otherwise it falls back to the TCP Connect Scan (-sT), which is slower and more visible to the target because it completes the three-way handshake. Finally, by default Nmap scans the 1,000 most common ports for each protocol, ranked by the frequencies recorded in the nmap-services file (“Well Known,” n.d.). You have to ask Nmap explicitly if you want it to scan additional ports or UDP:

Scan well-known TCP ports (top 1,000)
    Command: nmap <target(s)>
    Example: nmap 10.0.2.4

Scan well-known UDP ports (top 1,000)
    Command: nmap -sU <target(s)>
    Example: nmap -sU 10.0.2.4

Scan top 100 TCP ports (fast scan)
    Command: nmap -F <target(s)>
    Example: nmap -F 10.0.2.4

Scan top 100 UDP ports
    Command: nmap -sU -F <target(s)>
    Example: nmap -sU -F 10.0.2.4

Scan all 65,535 TCP ports
    Command: nmap -p- <target(s)>
    Example: nmap -p- 10.0.2.4

Scan all 65,535 UDP ports
    Command: nmap -sU -p- <target(s)>
    Example: nmap -sU -p- 10.0.2.4

Note: UDP scans require root privileges and are much slower than TCP scans, because an open or filtered UDP port usually sends no reply and Nmap must wait for each probe to time out (most hosts also rate-limit the ICMP port unreachable replies that mark closed ports). Expect -sU -p- against a single host to take hours; prefer -sU -F or an explicit port list.
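The two-stage workflow described above (discover the live hosts first, then port scan only those hosts with discovery disabled), as an added shell script that is not part of the original post. It assumes nmap is on the PATH and that you run it as root so -sS is used (an unprivileged run falls back to -sT automatically). Stage 1 writes grepable output (-oG -) because that format is easy to parse; the sample .gnmap lines embedded in the script are constructed, not from a real scan, so the parsers can be exercised offline.

```shell
#!/bin/sh
# Two-stage Nmap workflow: host discovery, then a port scan of only the live hosts.
# Added example, not from the original post. Assumes nmap is on PATH.
set -eu

# Stage 1: ping scan (-sn), no reverse DNS (-n), aggressive timing (-T4),
# grepable output to stdout (-oG -) so it can be piped into a parser.
discover_hosts() {   # $1 = target spec, e.g. 10.0.2.0/24
  nmap -sn -n -T4 -oG - "$1"
}

# Grepable lines are tab-separated: "Host: <ip> (<name>)\tStatus: Up".
# Print the address of every host Nmap reported as Up.
live_hosts_from_grepable() {
  awk -F'\t' '$1 ~ /^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Stage 2: scan the live list (-iL), skip discovery (-Pn) because stage 1 already
# proved the hosts are up, and write all three output formats (-oA <basename>).
scan_ports() {   # $1 = file with one address per line, $2 = output basename
  nmap -Pn -n -T4 -iL "$1" -oA "$2"
}

# Port field layout in .gnmap: "Ports: port/state/proto/owner/service/rpc/version/, ..."
# Print "ip port/proto service" for every port whose state is exactly "open".
open_ports_from_grepable() {
  awk -F'\t' '$1 ~ /^Host:/ && $2 ~ /^Ports: / {
    split($1, h, " "); ip = h[2]
    sub(/^Ports: /, "", $2)
    n = split($2, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")
      if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
    }
  }'
}

# Constructed sample output (not from a real scan) so the parsers can run offline.
# A "Down" line is included only to show that the filter ignores it.
sample_discovery_output() {
  printf '# Nmap 7.94 scan initiated as: nmap -sn -n -T4 -oG - 10.0.2.0/24\n'
  printf 'Host: 10.0.2.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.4 ()\tStatus: Up\n'
  printf 'Host: 10.0.2.9 ()\tStatus: Down\n'
  printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 2.53 seconds\n'
}
sample_portscan_output() {
  printf '# Nmap 7.94 scan initiated as: nmap -Pn -n -T4 -iL live_hosts.txt -oA portscan\n'
  printf 'Host: 10.0.2.1 ()\tPorts: 53/closed/tcp//domain///, 80/open/tcp//http///\tIgnored State: filtered (998)\n'
  printf 'Host: 10.0.2.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 4.10 seconds\n'
}

# Real run, only when a target is given:  ./nmap_two_stage.sh 10.0.2.0/24 [basename]
main() {
  target=$1; outbase=${2:-portscan}
  discover_hosts "$target" | live_hosts_from_grepable > live_hosts.txt
  echo "$(wc -l < live_hosts.txt) live host(s) written to live_hosts.txt" >&2
  scan_ports live_hosts.txt "$outbase"
  open_ports_from_grepable < "$outbase.gnmap"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Against the constructed sample the first parser yields 10.0.2.1 and 10.0.2.4 only, and the second yields the three open TCP ports (22 and 80 on 10.0.2.4, 80 on 10.0.2.1); closed ports and the Down host are dropped. Because the port-scan output is kept with -oA, an interrupted stage 2 can be picked up again with nmap --resume <basename>.gnmap, as described in the advanced options below.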

Nmap Port Selection Options

You can select specific ports with -p. Ports are listed comma-separated with no spaces, ranges use a hyphen (e.g. -p 1-1024), and the T: and U: prefixes select TCP and UDP ports separately when -sU is combined with a TCP scan type (“Port,” n.d.). Below are some examples:

Scan a single port
    Command: nmap -p <port_number> <target(s)>
    Example: nmap -p 21 10.0.2.4

Scan a port by service name (looked up in nmap-services)
    Command: nmap -p <service> <target(s)>
    Example: nmap -p ftp 10.0.2.4

Scan multiple ports
    Command: nmap -p <port1>,<port2>,<port3> <target(s)>
    Example: nmap -p 21,22,23,25,80 10.0.2.4

Nmap Operating System (OS) Fingerprinting

Identify the operating system
    Command: nmap -O <target(s)>
    Example: nmap -O 10.0.2.4

OS detection needs raw packet (root) privileges and is most reliable when the target has at least one open and one closed TCP port; otherwise Nmap reports low-confidence matches or none at all, and --osscan-guess makes it print its best guess anyway.

Nmap Version Scanning

Identify the versions of services running on open ports
    Command: nmap -sV <target(s)>
    Example: nmap -sV 10.0.2.4

Aggressive scan*
    Command: nmap -A <target(s)>
    Example: nmap -A 10.0.2.4

* Note: the version scan option itself is -sV. The -A option turns it on together with OS detection (-O), the default NSE script set (-sC) and --traceroute, so it is slower and noisier than -sV alone.

Nmap Vulnerability Scanning

Identify vulnerabilities with the NSE vuln script category
    Command: nmap --script vuln <target(s)>
    Example: nmap --script vuln 10.0.2.2

--script vuln runs every script in the vuln category; some of them are intrusive, so only point them at hosts you are authorised to test. Adding -sV helps, because many scripts select their targets by the detected service rather than by port number alone.

Nmap Advanced Scanning Options

Print periodic timing stats*
    Command: nmap --stats-every <time> <target(s)>
    Example: nmap --stats-every 10s 10.0.2.4

Show the reason each port is in a given state and each host is up or down
    Command: nmap --reason <target(s)>
    Example: nmap --reason 10.0.2.4

Output in all three formats at once (normal .nmap, grepable .gnmap, XML .xml)
    Command: nmap -oA <basename> <target(s)>
    Example: nmap -oA scan1 10.0.2.4

Resume an aborted scan**
    Command: nmap --resume <logfilename>
    Example: nmap --resume scan1.gnmap

Scan more hosts in parallel (raise the minimum host-group size)
    Command: nmap --min-hostgroup <numhosts> <target(s)>
    Example: nmap --min-hostgroup 100 10.0.2.0/24

* Periodically prints a timing status message after each interval of <time>; the example uses 10s.
** If normal (-oN) or grepable (-oG) logs were kept, including the ones -oA writes, Nmap can resume scanning from the target it was working on when execution ceased. Specify the --resume option and pass the normal or grepable output file as its argument. No other arguments are permitted, because Nmap parses the output file to recover the options used previously (“Output,” n.d.). Nmap already scans hosts in parallel groups; --min-hostgroup only raises the minimum number of hosts per group (“Timing,” n.d.).

Resources

Host discovery. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/man-host-discovery.html

Port specification and scan order. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/man-port-specification.html

Output. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/man-output.html

Timing and performance. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/man-performance.html

The phases of an nmap scan. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/nmap-phases.html

Well known port list. (n.d.). Retrieved October 3, 2015 from https://nmap.org/book/nmap-services.html