
NMAP CHEAT SHEET

Tips for conducting an Nmap scan.

Basic Scanning Techniques

Scan a single target                nmap [target]
Scan multiple targets               nmap [target1,target2,etc]
Scan a list of targets              nmap -iL [list.txt]
Scan a range of hosts               nmap [range of IP addresses]
Scan an entire subnet               nmap [IP address/cidr]
Scan random hosts                   nmap -iR [number]
Excluding targets from a scan       nmap [targets] --exclude [targets]
Excluding targets using a list      nmap [targets] --excludefile [list.txt]
Perform an aggressive scan          nmap -A [target]
Scan an IPv6 target                 nmap -6 [target]

Discovery Options

Perform a ping scan only            nmap -sP [target]
Don't ping                          nmap -PN [target]
TCP SYN ping                        nmap -PS [target]
TCP ACK ping                        nmap -PA [target]
UDP ping                            nmap -PU [target]
SCTP Init ping                      nmap -PY [target]
ICMP echo ping                      nmap -PE [target]
ICMP timestamp ping                 nmap -PP [target]
ICMP address mask ping              nmap -PM [target]
IP protocol ping                    nmap -PO [target]
ARP ping                            nmap -PR [target]
Traceroute                          nmap --traceroute [target]
Force reverse DNS resolution        nmap -R [target]
Disable reverse DNS resolution      nmap -n [target]

Advanced Scanning Options

TCP SYN scan                        nmap -sS [target]
TCP connect scan                    nmap -sT [target]
UDP scan                            nmap -sU [target]
TCP Null scan                       nmap -sN [target]
TCP Fin scan                        nmap -sF [target]
Xmas scan                           nmap -sX [target]
TCP ACK scan                        nmap -sA [target]
Custom TCP scan                     nmap --scanflags [flags] [target]
IP protocol scan                    nmap -sO [target]
Send raw Ethernet packets           nmap --send-eth [target]
Send IP packets                     nmap --send-ip [target]

Port Scanning Options

Perform a fast scan                 nmap -F [target]
Scan specific ports                 nmap -p [ports] [target]
Scan ports by name                  nmap -p [port name] [target]
Scan ports by protocol              nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan all ports                      nmap -p "*" [target]
Scan top ports                      nmap --top-ports [number] [target]
Perform a sequential port scan      nmap -r [target]

Version Detection

Operating system detection          nmap -O [target]
Attempt to guess an unknown         nmap -O --osscan-guess [target]
Service version detection           nmap -sV [target]
Troubleshooting version scans       nmap -sV --version-trace [target]
Perform an RPC scan                 nmap -sR [target]

Timing Options

Timing templates                    nmap -T [0-5] [target]
Set the packet TTL                  nmap --ttl [time] [target]
Minimum of parallel connections     nmap --min-parallelism [number] [target]
Maximum of parallel connections     nmap --max-parallelism [number] [target]
Minimum host group size             nmap --min-hostgroup [number] [targets]
Maximum host group size             nmap --max-hostgroup [number] [targets]
Initial RTT timeout                 nmap --initial-rtt-timeout [time] [target]
Maximum RTT timeout                 nmap --max-rtt-timeout [TTL] [target]
Maximum retries                     nmap --max-retries [number] [target]
Host timeout                        nmap --host-timeout [time] [target]
Minimum scan delay                  nmap --scan-delay [time] [target]
Maximum scan delay                  nmap --max-scan-delay [time] [target]
Minimum packet rate                 nmap --min-rate [number] [target]
Maximum packet rate                 nmap --max-rate [number] [target]
Defeat reset rate limits            nmap --defeat-rst-ratelimit [target]

This cheat sheet was compiled by Steven M. Swafford, and is distributed according to the Creative Commons v3 Attribution License. File version 1.0.
