The following Nmap cheat sheet aims to explain what Nmap is, what it does, and how to use it by providing Nmap command examples in a cheat sheet style documentation format.
Original Published Date: 11th December 2014
What is Nmap?
Nmap (Network Mapper), the god of port scanners, is used for network discovery and is the basis for most security enumeration during the initial stages of a penetration test. The tool was written and is maintained by Fyodor, AKA Gordon Lyon.
Nmap displays exposed services on a target machine along with other useful information such as service version and OS detection.
Nmap has made twelve movie appearances, including The Matrix Reloaded, Die Hard 4, The Girl with the Dragon Tattoo, and The Bourne Ultimatum.
- What is Nmap?
- What does Nmap do:
- Download & Install Nmap
- Nmap Commands
- Nmap Cheatsheet
- Nmap Enumeration Command Examples
- Nmap Scan Tuning & Optimisation
- Nmap FAQ
- Document Changelog
What does Nmap do:
- Host discovery
- Port discovery / enumeration
- Service discovery
- Operating system version detection
- Hardware (MAC) address detection
- Service version detection
- Vulnerability / exploit detection, using Nmap scripts (NSE)
- Nmap IDS / Portscan Detection & Scan Time Optimisation
Download & Install Nmap
Nmap can be downloaded from nmap.org, however Nmap is commonly installed via your Linux distribution's package manager:
Debian / Ubuntu / Kali
How to install Nmap on Ubuntu, Debian, Kali or other Linux systems using the APT package manager: `sudo apt install nmap`
Nmap RHEL / Fedora
How to install Nmap on RHEL, Fedora, CentOS, Rocky Linux or other Linux systems using the DNF package manager: `sudo dnf install nmap`
Nmap Windows
Download the Windows installer from https://nmap.org/download (Nmap for Windows); the installer bundles Npcap, which Nmap needs for raw packet capture and injection on Windows.
Nmap MacOS
How to install Nmap on macOS using Homebrew: `brew install nmap`
Nmap Commands
Basic Nmap scanning command examples, often used at the first stage of enumeration.
Command | Description |
---|---|
`nmap -sn 10.0.0.0/24` | Nmap scan the network, listing machines that respond to ping (host discovery only, no port scan; `-sP` is the older spelling of `-sn`). |
`nmap -p 1-65535 -sV -sS -T4 target` | A full TCP port scan with service version detection. |
`nmap -v -sS -A -T4 target` | Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + traceroute and scripts against target services. |
`nmap -v -sS -A -T5 target` | Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + traceroute and scripts against target services. |
`nmap -v -sV -O -sS -T5 target` | Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection. |
`nmap -v -p 1-65535 -sV -O -sS -T4 target` | Prints verbose output, runs stealth SYN scan, T4 timing, OS and version detection + full port range scan. |
`nmap -v -p 1-65535 -sV -O -sS -T5 target` | Prints verbose output, runs stealth SYN scan, T5 timing, OS and version detection + full port range scan. |
Aggressive scan timings are faster, but could yield inaccurate results!
T5 uses very aggressive timings and can miss ports (probes are given up on before slow hosts answer); T3 or T4 is a better compromise if you need fast results, depending on whether the target is on the local network or remote. SYN scan (`-sS`) and OS detection (`-O`) need raw sockets, so run these as root.
Nmap scan from file
Command | Description |
---|---|
`nmap -iL list-of-ips.txt` | Scans a list of IP addresses / networks read from a file (one per line); other options can be added before or after `-iL`. |
Nmap Scan all Ports
Command | Description |
---|---|
`nmap -p 1-65535 target` | Nmap scan all ports, a full scan of all 65535 TCP ports on a target (`-p-` is the shorthand for the same range). |
Nmap output formats
Command | Description |
---|---|
`nmap -oA output_basename target` | nmap output to all formats at once: output_basename.nmap (normal), output_basename.xml and output_basename.gnmap (grepable). |
`nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24` | Outputs "grepable" output to a file, in this example Netbios servers. The output file can then be grepped for "open"; each port entry has the form `445/open/tcp//microsoft-ds///`. |
`nmap -sS -sV -T5 10.0.1.99 --webxml -oX - \| xsltproc --output file.html -` | Export nmap output to an HTML report: `-oX -` writes XML to stdout, `--webxml` references the nmap.org stylesheet, and xsltproc applies it to produce file.html. |
Nmap Netbios Examples
Command | Description |
---|---|
`nmap -sV -v -p 139,445 10.0.1.0/24` | Find all Netbios servers on subnet |
`nmap -sU --script nbstat.nse -p 137 target` | Nmap display Netbios name (nbstat talks to the NetBIOS name service on UDP 137) |
`nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target` | Nmap check if Netbios servers are vulnerable to MS08-067 |
`--script-args=unsafe=1` has the potential to crash servers / services.
Be careful when running this command.
Nmap Nikto Scan
Nmap + Nikto scanning for specific discovered HTTP ports. Nikto reads the greppable output from stdin when given `-h -`; on distributions that package Nikto the binary is usually `nikto` rather than `nikto.pl`.
Command | Description |
---|---|
`nmap -p 80 10.0.1.0/24 -oG - \| nikto.pl -h -` | Scans for http servers on port 80 and pipes the greppable output into Nikto for scanning. |
`nmap -p 80,443 10.0.1.0/24 -oG - \| nikto.pl -h -` | Scans for http/https servers on ports 80 and 443 and pipes the greppable output into Nikto for scanning. |
Nmap Cheatsheet
Target Specification
Nmap accepts hostnames, IP addresses, CIDR subnets and octet ranges, e.g. `nmap nas.decepticons 10.0.1.12 10.0.1.0/24 10.0.1.1-50`.
Command | Description |
---|---|
`-iL inputfilename` | Input from list of hosts/networks |
`-iR num_hosts` | Choose the given number of random Internet targets (not read from the input file) |
`--exclude host1[,host2][,host3],...` | Exclude hosts/networks |
`--excludefile exclude_file` | nmap exclude hosts list from file |
Host Discovery
Command | Description |
---|---|
`-sL` | List Scan - simply list targets to scan |
`-sn` | Nmap ping scan / sweep - runs a nmap network scan with port scanning disabled (`-sP` in older versions) |
`-Pn` | Treat all hosts as online -- skip host discovery |
`-PS/PA/PU/PY[portlist]` | TCP SYN/ACK, UDP or SCTP discovery to given ports. Allows you to specify a specific port nmap uses to verify a host is up, e.g. `-PS22` (by default nmap sends to a bunch of common ports, this allows you to be specific) |
`-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
`-PO[protocol list]` | IP Protocol Ping |
`-n` / `-R` | Never do DNS resolution / Always resolve [default: sometimes] |
Scan Techniques
Command | Description |
---|---|
`-sS` | TCP SYN scan (`-sT` connect(), `-sA` ACK, `-sW` Window, `-sM` Maimon) |
`-sU` | UDP Scan |
`-sN` | TCP Null scan (`-sF` FIN, `-sX` Xmas) |
`--scanflags flags` | Customize TCP scan flags |
`-sI zombie_host[:probeport]` | Idle scan |
`-sY` | SCTP INIT scan (`-sZ` COOKIE-ECHO) |
`-sO` | IP protocol scan |
`-b FTP_relay_host` | FTP bounce scan |
Port Specification and Scan Order
Command | Description |
---|---|
`-p port_ranges` | Specify ports, e.g. `-p80,443` or `-p1-65535` (`-p-` is shorthand for all ports) |
`-p U:53,T:80` | Scan UDP ports with Nmap, prefixing U: for UDP and T: for TCP, e.g. `-p U:53` (combine with `-sU` or the UDP ports are ignored) |
`-F` | Fast mode, scans fewer ports than the default scan |
`-r` | Scan ports consecutively - don't randomize |
`--top-ports number` | Scan "number" most common ports |
`--port-ratio ratio` | Scan ports more common than "ratio" |
Service Version Detection
Command | Description |
---|---|
`-sV` | Probe open ports to determine service/version info |
`--version-intensity level` | Set from 0 (light) to 9 (try all probes) |
`--version-light` | Limit to most likely probes (intensity 2) |
`--version-all` | Try every single probe (intensity 9) |
`--version-trace` | Show detailed version scan activity (for debugging) |
Script Scan
Command | Description |
---|---|
`-sC` | equivalent to `--script=default` |
`--script=Lua_scripts` | "Lua scripts" is a comma separated list of directories, script-files or script-categories |
`--script-args=n1=v1,[n2=v2,...]` | provide arguments to scripts |
`--script-args-file=filename` | provide NSE script args in a file |
`--script-trace` | Show all data sent and received |
`--script-updatedb` | Update script database |
`--script-help=Lua_scripts` | Show help about scripts |
OS Detection
Command | Description |
---|---|
`-O` | Enable OS Detection |
`--osscan-limit` | Limit OS detection to promising targets |
`--osscan-guess` | Guess OS more aggressively |
Timing and Performance
Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
Command | Description |
---|---|
`-T0` to `-T5` | Set timing template - higher is faster (less accurate) |
`--min-hostgroup/--max-hostgroup size` | Parallel host scan group sizes |
`--min-parallelism/--max-parallelism numprobes` | Probe parallelization |
`--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout time` | Specifies probe round trip time |
`--max-retries tries` | Caps number of port scan probe retransmissions |
`--host-timeout time` | Give up on target after this long |
`--scan-delay/--max-scan-delay time` | Adjust delay between probes |
`--min-rate number` | Send packets no slower than NUMBER per second |
`--max-rate number` | Send packets no faster than NUMBER per second |
Firewalls IDS Evasion and Spoofing
Command | Description |
---|---|
`-f` / `--mtu val` | Fragment packets (optionally w/given MTU) |
`-D decoy1,decoy2[,ME],...` | Cloak a scan with decoys |
`-S IP_Address` | Spoof source address |
`-e iface` | Use specified interface |
`-g portnum` / `--source-port portnum` | Use given port number |
`--proxies url1,[url2],...` | Relay connections through HTTP / SOCKS4 proxies |
`--data-length num` | Append random data to sent packets |
`--ip-options options` | Send packets with specified ip options |
`--ttl val` | Set IP time to live field |
`--spoof-mac mac_address/prefix/vendor_name` | Spoof Nmap MAC address |
`--badsum` | Send packets with a bogus TCP/UDP/SCTP checksum |
Nmap Scan Output File Options
Command | Description |
---|---|
`-oN file` | Output Normal |
`-oX file` | Output to XML |
`-oS file` | Script Kiddie / 1337 speak... sigh |
`-oG file` | Output greppable - easy to grep nmap output |
`-oA basename` | Output in the three major formats at once |
`-v` | Increase verbosity level, use -vv or more for greater effect |
`-d` | Increase debugging level, use -dd or more for greater effect |
`--reason` | Display the reason a port is in a particular state |
`--open` | Only show open or possibly open ports |
`--packet-trace` | Show all packets sent / received |
`--iflist` | Print host interfaces and routes for debugging |
`--log-errors` | Log errors/warnings to the normal-format output file (older releases; current Nmap does this by default) |
`--append-output` | Append to rather than clobber specified output files |
`--resume filename` | Resume an aborted scan |
`--stylesheet path/URL` | XSL stylesheet to transform XML output to HTML |
`--webxml` | Reference stylesheet from Nmap.Org for more portable XML |
`--no-stylesheet` | Prevent associating of XSL stylesheet w/XML output |
Misc Nmap Options
Command | Description |
---|---|
`-6` | Enable IPv6 scanning |
`-A` | Enable OS detection, version detection, script scanning, and traceroute |
`--datadir dirname` | Specify custom Nmap data file location |
`--send-eth` / `--send-ip` | Send using raw ethernet frames or IP packets |
`--privileged` | Assume that the user is fully privileged |
`--unprivileged` | Assume the user lacks raw socket privileges |
`-V` | Show nmap version number |
`-h` | Show nmap help screen |
Nmap Enumeration Command Examples
The following are real world examples of Nmap enumeration.
Enumerating Netbios
The following example enumerates Netbios on the target networks, the same process can be applied to other services by modifying ports / NSE scripts.
Detect all exposed Netbios servers on the subnet.
Nmap find exposed Netbios servers
```
root:~# nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
```
Nmap find Netbios name (the NetBIOS name service is UDP 137, hence `-sU`).
```
root:~# nmap -sU --script nbstat.nse -p 137 10.0.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
137/udp open netbios-ns
Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
```
Nmap Netbios MS08-067
How to scan a target and identify if it is vulnerable to MS08-067
Nmap check MS08-067
```
root:~# nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.1.1
Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.00026s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
```
The information gathered during enumeration indicates the target is vulnerable to MS08-067; only exploitation will confirm it. Note that smb-check-vulns.nse has since been removed from Nmap and split into separate smb-vuln-* scripts, so on a current release the equivalent check is `nmap --script smb-vuln-ms08-067 --script-args=unsafe=1 -p 445 target`; the unsafe=1 argument (and the crash risk) still applies.
Nmap Scan Tuning & Optimisation
Nmap Rate
To speed up your scan increase the rate: `--min-rate <number>` sends no slower than that many packets per second and `--max-rate <number>` caps it. Be aware that a high rate value will result in a less accurate scan, as responses from slow hosts and links are lost.
Nmap Parallelism
The maximum or minimum number of probes outstanding at the same time (in parallel): `--min-parallelism <numprobes>` / `--max-parallelism <numprobes>`.
TIP: If a basic IDS / portscan detection is blocking your scans you can cap `--max-parallelism` (for example `--max-parallelism 1`) to reduce the number of concurrent connections; raising `--min-parallelism` does the opposite.
Nmap Host Group Sizes
The number of hosts scanned at the same time: `--min-hostgroup <size>` / `--max-hostgroup <size>`. Note: if you are writing output to a file (e.g. `-oA`) you will need to wait for the whole host group to complete scanning before its results are written to the file. Therefore a single lagging host may make you wait a while for the output file, which brings us on to... host timeout.
Nmap Host Timeout
Nmap allows you to specify a timeout, the length of time it waits before giving up on a target. Be careful setting this very low, as you may end up with inaccurate results: a host that hits the timeout is skipped and reported with no port results at all.
The following example would give up on each host after 50 seconds: `--host-timeout 50s`
Nmap Scan Delay
An extremely useful option to defeat basic port scan detection (SOHO devices and some IDS) that monitors and blocks more than X connections per second (SYN flood protection etc.). In short, the scan timing can be tuned to keep nmap under the firewall's detection threshold.
For example, if you know you can get away with 2 requests/sec without getting blacklisted then you could use `--scan-delay 700ms`: 500 ms gives 2 requests per second, with 200 ms added as a buffer. `--scan-delay` spaces the probes sent to each host; if the limit applies to the scanner's total packet rate across all hosts, add `--max-rate 2` as well.
Nmap Disable DNS Lookups
Assuming you do not want domain names being looked up, use the `-n` flag to disable reverse DNS resolution and speed up the scan.
Nmap Black List Detection?
- It usually takes an extremely long time to complete
- As probes get dropped nmap will increase the timeout, but it's likely you are already blacklisted
- To confirm, recheck a port that you know was open before
As far as I know there is no way of detecting blacklisting within nmap natively.
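The following shell functions are an added example and are not code from the original cheat sheet. They serve two passages above: the output formats section, which suggests writing `-oG` output and grepping it for "open", and the blacklist check just described, which re-reads a port known to be open. The functions parse Nmap greppable output with awk (each port entry is `port/state/proto/owner/service/rpc/version/`, sections separated by tabs), list every host with a given port open so the list can be fed to a follow-up tool, list open services with their version strings, and compare the state of a canary port between a baseline scan and a later re-scan. The two scan listings are constructed to mimic `-oG` output and are not real scans; the names and addresses reuse the page's examples.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Parses Nmap -oG output
# with awk. The two scan listings below are CONSTRUCTED, not real scans.

# Constructed baseline: "nmap -sV -p 139,445,3389 -oG - 10.0.1.0/24".
# Nmap separates the Host:/Ports: sections with tabs, so printf is used
# to guarantee real tab characters in the sample.
baseline_scan() {
  printf '# Nmap 7.94 scan initiated as: nmap -sV -p 139,445,3389 -oG - 10.0.1.0/24\n'
  printf 'Host: 10.0.1.12 (nas.decepticons)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/, 3389/closed/tcp//ms-wbt-server///\n'
  printf 'Host: 10.0.1.1 (ie6winxp.decepticons)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\n'
  printf 'Host: 10.0.1.20 ()\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\n'
  printf '# Nmap done at -- 256 IP addresses (3 hosts up) scanned in 30.12 seconds\n'
}

# Constructed re-check run later in the engagement: the SMB ports on
# 10.0.1.12 now show "filtered", the symptom of the scanner having been
# blacklisted by a firewall / IDS rather than of the service going away.
recheck_scan() {
  printf 'Host: 10.0.1.12 (nas.decepticons)\tPorts: 139/filtered/tcp//netbios-ssn///, 445/filtered/tcp//netbios-ssn///, 3389/closed/tcp//ms-wbt-server///\n'
  printf 'Host: 10.0.1.1 (ie6winxp.decepticons)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\n'
}

# Core parser: reads -oG lines from the given files (or stdin) and prints
# one record per port entry:  <ip> <port> <proto> <state> <service> <version>
port_records() {
  awk -F'\t' '
    /^Host:/ {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          print ip, f[1], f[3], f[2], f[5], f[7]
        }
      }
    }' "$@"
}

# Hosts where a given port is open, e.g. to feed Nikto or a targeted scan:
#   baseline_scan | hosts_with_open_port 445   -> 10.0.1.12 and 10.0.1.1
hosts_with_open_port() {
  port=$1; shift
  port_records "$@" | awk -v port="$port" '$2 == port && $4 == "open" { print $1 }'
}

# All open services with the version string -sV found (empty if none).
open_services() {
  port_records "$@" | awk '$4 == "open"'
}

# State of one host:port in a scan, or "absent" if the host was not reported.
#   port_state <ip> <port> [file]
port_state() {
  ip=$1; port=$2; shift 2
  port_records "$@" | awk -v ip="$ip" -v port="$port" \
    'BEGIN { s = "absent" } $1 == ip && $2 == port { s = $4 } END { print s }'
}

# Canary check: compare a port known to be open in the baseline with a later
# re-scan. "ok" = still open, "blocked" = open became filtered (the blacklist
# signature), anything else is reported as "changed".
#   canary_check <baseline.gnmap> <recheck.gnmap> <ip> <port>
canary_check() {
  before=$(port_state "$3" "$4" "$1")
  after=$(port_state "$3" "$4" "$2")
  if [ "$before" = "open" ] && [ "$after" = "open" ]; then
    echo ok
  elif [ "$before" = "open" ] && [ "$after" = "filtered" ]; then
    echo blocked
  else
    echo "changed ($before -> $after)"
  fi
}
```

With real scans, save the baseline with `-oG baseline.gnmap`, re-scan only the canary host and port (`nmap -p 445 -oG recheck.gnmap 10.0.1.12`) and run `canary_check baseline.gnmap recheck.gnmap 10.0.1.12 445`; a result of "blocked" means the open port now times out, so back off the scan delay or rate before trusting any further results.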
Nmap Optimising Portscans for Targets
Once you have identified the target's firewall / IDS product, look up its default portscan blacklist thresholds in the vendor manual and use the nmap switches above (scan delay, rate, parallelism and host timeout) to get the best performance without getting blacklisted.
Nmap FAQ
What is Nmap Used for?
Nmap (Network Mapper) is a free and open source tool for discovering and auditing networks. Many system and network administrators use Nmap for network inventory, asset management, managing service upgrade schedules, and monitoring host or service availability.
Is Nmap Illegal?
When used properly, Nmap could help you protect your network from intruders. But used inappropriately (e.g., maliciously, and/or without permission from the target), Nmap could (in rare cases) get you sued, fired, expelled, jailed, or banned by your ISP.
Is Nmap a Vulnerability Scanner
Nmap is a port scanner / network mapper: the tool identifies whether a system exists on the network or IP address you provide and which ports it exposes. NSE scripts then extend Nmap with additional host checks that add vulnerability scanning functionality to the tool.
Why do hackers use Nmap?
Attackers may use Nmap to identify targets and the exposed ports on a target, in an effort to identify the potential attack surface to perform additional security testing against.
Nmap Download
You can download nmap from https://nmap.org/download or a common option would be to install via your Linux distributions package manager or Brew on macos.
Nmap Scripts List
You can find a lot of the current Nmap scripts list at https://nmap.org/nsedoc/scripts/ this list is actively updated by the Nmap project.
Document Changelog
- Original Post Date: 13/12/2014
- Last Updated: 10/06/2024 (10th of June 2024)
- Author: Arr0way
- Notes: Checked syntax was current for latest version of Nmap + added additional content.