NMAP Command-Line Cheat Sheet

This cheat sheet is a quick reference for the most commonly used Nmap commands, each with a short description and a practical example. Whether you are a seasoned professional brushing up on command-line skills or a newcomer exploring what Nmap can tell you about a network, you will find useful shortcuts here.

Installation

Distribution           | Command
Debian/Ubuntu          | sudo apt-get install nmap
CentOS/Fedora/Red Hat  | sudo yum install nmap  (or: sudo dnf install nmap)
NixOS                  | nix-env -iA nixos.nmap

Usage

Basic Scans

Task                  | Command
Scan a single IP      | nmap 192.168.1.1
Scan a range of IPs   | nmap 192.168.1.1-20
Scan all ports        | nmap -p "-" 192.168.1.1
Avoid DNS resolution  | nmap -n 192.168.1.1

Port Specification and Scans

Switch       | Example                                      | Description
-p           | nmap 192.168.1.1 -p 21                       | Port scan for port x
-p           | nmap 192.168.1.1 -p 21-100                   | Port range
-p           | nmap 192.168.1.1 -p U:53,T:21-25,80          | Port scan multiple TCP and UDP ports
-p           | nmap 192.168.1.1 -p-                         | Port scan all ports
-p           | nmap 192.168.1.1 -p http,https               | Port scan from service name
-F           | nmap 192.168.1.1 -F                          | Fast port scan (100 ports)
--top-ports  | nmap 192.168.1.1 --top-ports 2000            | Port scan the top x ports
-p           | nmap -p T:80,T:8080,U:80,U:8080 192.168.1.1  | Scan specific TCP and UDP ports

Advanced Scans

Task                       | Command
OS detection               | nmap -O 192.168.1.1
Service version detection  | nmap -sV 192.168.1.1
Aggressive scan            | nmap -A 192.168.1.1

Service and Version Detection

Switch                   | Example                                         | Description
-sV                      | nmap 192.168.1.1 -sV                            | Enable intensity level 9. There is a higher possibility of correctness. Slower
-sV --version-intensity  | nmap 192.168.1.1 -sV --version-intensity 8      | Intensity level 0 to 9. A higher number increases the possibility of correctness
-sV --version-light      | nmap 192.168.1.1 -sV --version-light            | Enable light mode. Lower possibility of correctness. Faster
-sV --version-all        | nmap 192.168.1.1 -sV --version-all              | Enable intensity level 9. Higher possibility of correctness. Slower
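
The port and version tables above produce the most value when their output is kept and compared, not just read once. The following added example (not from the cheat sheet) parses Nmap's grepable output format (`-oG`) with plain POSIX sh and awk, lists every port Nmap reported, filters to those whose state is exactly `open`, and flags open ports that are not in an approved baseline, which is the check a defender runs against their own hosts after a `-sV` scan. The sample scan text is constructed inline so the script runs without Nmap; with Nmap present the same functions take real input via `nmap -sV -oG - 192.168.1.1 | parse_grepable`.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): parse nmap grepable output (-oG)
# into one "host port/proto state service version" line per port, then check
# the open ports against an approved baseline.
# Real use:  nmap -sV -oG - 192.168.1.1 | unexpected_ports "22/tcp 443/tcp"
# SAMPLE_GREPABLE is constructed for illustration; it is not real scan output.

SAMPLE_GREPABLE=$(printf '%s\n' \
  '# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.1' \
  "$(printf 'Host: 192.168.1.1 ()\tStatus: Up')" \
  "$(printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 53/open|filtered/udp//domain///\tIgnored State: closed (997)')" \
  '# Nmap done -- 1 IP address (1 host up) scanned in 5.00 seconds')

# Grepable host lines are tab-separated fields. The "Ports:" field holds
# comma-separated entries of the form port/state/proto/owner/service/rpcinfo/version/
# Empty service or version fields are printed as "-" so columns stay aligned.
parse_grepable() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*/, "", host)   # drop the "(hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          printf "%s %s/%s %s %s %s\n", host, f[1], f[3], f[2],
                 (f[5] == "" ? "-" : f[5]), (f[7] == "" ? "-" : f[7])
        }
      }
    }'
}

# Keep only ports whose state is exactly "open" (open|filtered is ambiguous
# and is reported separately by parse_grepable, not treated as confirmed open).
list_open() { parse_grepable | awk '$3 == "open"'; }

# Print open ports missing from a whitespace-separated "port/proto" baseline.
# Exit status is 1 when at least one unexpected open port was found.
unexpected_ports() {   # unexpected_ports "22/tcp 443/tcp"
  list_open | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
    !($2 in ok) { print; found = 1 }
    END { exit found ? 1 : 0 }'
}

# Demonstration on the constructed sample: 80/tcp is open but not approved.
printf '%s\n' "$SAMPLE_GREPABLE" | parse_grepable
printf '%s\n' "$SAMPLE_GREPABLE" | unexpected_ports "22/tcp" \
  || echo "unexpected open ports listed above"
```

Note that the script keys the baseline on `port/proto`, so `80/tcp` and `80/udp` are separate entries, matching the way the `-p T:...,U:...` syntax distinguishes them, and that `open|filtered` results (typical for UDP) are never counted as confirmed open.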

OS Detection

Switch              | Example                                  | Description
-O                  | nmap 192.168.1.1 -O                      | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit   | nmap 192.168.1.1 -O --osscan-limit       | Limits OS detection to hosts with at least one open and one closed port
-O --osscan-guess   | nmap 192.168.1.1 -O --osscan-guess       | Makes Nmap guess more aggressively about the OS
-O --max-os-tries   | nmap 192.168.1.1 -O --max-os-tries 1     | Set the maximum number of OS detection tries against a target

Timing and Performance

Switch          | Example                                       | Description
-T0 to -T5      | nmap 192.168.1.1 -T0 / nmap 192.168.1.1 -T5   | Varies from paranoid (IDS evasion) to insane speeds
--host-timeout  | nmap --host-timeout 1s 192.168.1.1            | Give up on a target after this long

NSE Scripts and Their Uses

Command                                                                         | Description
nmap -Pn --script=http-sitemap-generator scanme.nmap.org                        | HTTP site map generator
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000           | Fast search for random web servers
nmap -Pn --script=dns-brute domain.com                                          | Brute-forces DNS hostnames, guessing subdomains

Firewall / IDS Evasion and Spoofing

Switch  | Example                              | Description
-f      | nmap 192.168.1.1 -f                  | Use tiny fragmented IP packets to evade filters
--mtu   | nmap 192.168.1.1 --mtu 32            | Set your own offset size
-D      | nmap -D 192.168.1.101,... 192.168.1.1 | Send scans from spoofed IPs

Script Installation

nmap-vulners

git clone https://github.com/vulnersCom/nmap-vulners.git

scipag_vulscan

git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s "$(pwd)/scipag_vulscan" /usr/share/nmap/scripts/vulscan
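
The two clone commands above assume you know where Nmap keeps its scripts and that the symlink target is an absolute path. The following added example (not part of the cheat sheet, nor of the nmap-vulners or vulscan projects) wraps that procedure: it resolves the scripts directory Nmap will actually search, honouring the `NMAPDIR` environment variable before the usual system locations, clones or fast-forwards a script repository into it, and rebuilds Nmap's script index with `--script-updatedb` so the new scripts can be referenced by name. The candidate system paths and the assumption that `git` is installed are mine; writing under `/usr/share/nmap` normally needs root.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet or either script project.
# Resolve nmap's scripts directory ($NMAPDIR first, then common system paths),
# install a third-party NSE repository there, and refresh the script index.
# Assumptions: git is installed; the fallback paths below are the usual ones
# for Linux distributions and Homebrew, adjust them for other installs.

# Print the scripts directory nmap will search, or fail with a hint.
nse_scripts_dir() {
  for cand in "${NMAPDIR:-}" /usr/share/nmap /usr/local/share/nmap /opt/homebrew/share/nmap; do
    if [ -n "$cand" ] && [ -d "$cand/scripts" ]; then
      printf '%s\n' "$cand/scripts"
      return 0
    fi
  done
  echo "no nmap scripts directory found; set NMAPDIR to nmap's data directory" >&2
  return 1
}

# Clone (or fast-forward an existing clone of) a script repository into
# <scripts dir>/<name>, then rebuild script.db so nmap indexes the new files.
# Example: install_nse_repo https://github.com/scipag/vulscan vulscan
install_nse_repo() {
  url=$1 name=$2
  dir=$(nse_scripts_dir) || return 1
  if [ -d "$dir/$name/.git" ]; then
    git -C "$dir/$name" pull --ff-only
  else
    git clone "$url" "$dir/$name"
  fi || return 1
  nmap --script-updatedb
}

# Succeed only if the named script file is present where nmap will look,
# e.g. verify_nse_script vulscan/vulscan.nse
verify_nse_script() {
  dir=$(nse_scripts_dir) || return 1
  [ -f "$dir/$1" ]
}
```

After installation, `nmap --script-help vulscan/vulscan.nse` (or the vulners script name from that project's README) confirms that Nmap can load the script before you use it in a scan.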

Wrapping Up

This NMAP Command-Line Cheat Sheet concisely references the most commonly used commands in the powerful NMAP suite. Designed for beginners and experienced network administrators, it includes essential commands for various tasks—from simple IP scans to detailed service detection and security auditing.

References

Nmap Documentation (https://nmap.org/docs.html): the official Nmap documentation, the place to go for in-depth information on commands and functionality.

Nmap Vulnerability Scan: How to Find Weak Systems Easily (StationX): explains how to use Nmap to perform vulnerability scans and quickly find weaknesses on target machines.

About Anto Online

Anto, a seasoned technologist with over two decades of experience, has traversed the tech landscape from Desktop Support Engineer to enterprise application consultant, specializing in AWS serverless technologies. He guides clients in leveraging serverless solutions while passionately exploring cutting-edge cloud concepts beyond his daily work. Anto's dedication to continuous learning, experimentation, and collaboration makes him a true inspiration, igniting others' interest in the transformative power of cloud computing.
