NMAP Cheat Sheet
© Copyright by Interviewbit
Contents
NMAP Tutorial: Basics to Advanced
1. Nmap Scan Types
2. Target Specification
3. Scan Techniques
4. Host Discovery
5. Port Specification
6. Service and Version Detection
7. OS Detection
8. Timing and Performance
9. NSE Scripts
10. Useful NSE Script Examples
11. Firewall / IDS Evasion and Spoofing
12. Output
13. Other Useful NMAP Commands
Let's get Started
Nmap ("Network Mapper") is an open-source and free tool that's widely used for
network discovery purposes. It’s capable of performing both host discovery and
service detection, as well as doing a content analysis of the traffic it receives.
Common uses for Nmap include vulnerability discovery, system security auditing, and
detecting cyber attacks. You can run Nmap on a command line or in a web browser.
To get the most out of Nmap, you should familiarize yourself with its features and
usage.
Nmap can be used to find open ports on a remote host or network, and check
whether a host or network has been compromised. It can also be used to test your
own server or network to identify weak spots. Another common use case is in
vulnerability assessment: using Nmap to test the connection between your website
and your users to see whether your application is open to exploitation.
When used properly, Nmap can be a very powerful tool. However, using it incorrectly
can also cause problems. For example, sending a request with an Nmap scan that
includes a lot of output will likely consume a lot of network bandwidth. This type of
scan is called promiscuous mode and can cause network congestion if not used
properly. Sending a request with a light Nmap scan may not cause any extra traffic
but is still likely to return inaccurate results.
Nmap can also be used for malicious purposes. Connecting a vulnerable system to a
large network of malicious systems can help spread infection. Using Nmap to scan
networks for vulnerabilities is also a risky proposition. It is likely to return inaccurate
or even misleading results. Nmap is an open-source tool and is widely used by Nessus
and other security researchers. Therefore, it is likely to be well-regarded by the
community.
NMAP Tutorial: Basics to Advanced
1. Nmap Scan Types
Scan Type | Details
TCP SCAN  | A TCP scan is used to ensure that a three-way handshake has been completed between you and a selected target system. It is very noisy, and a TCP scan can be detected with little to no effort, because the services may log the sender's IP address and may trigger an intrusion detection system.
UDP SCAN  | The UDP scan checks whether there is any UDP port open and listening for incoming connections on the target machine. Contrary to TCP, UDP does not offer any way to confirm a positive result by sending a response with a positive acknowledgment. As a result, UDP scans may sometimes produce false positives. This type of scan is usually quite slow because computers, in general, slow down their responses to this kind of traffic in order to be on the safe side.
SYN SCAN  | In a SYN scan, a TCP connection is established by first creating a SYN packet and sending it to the server. This is unlike a normal TCP scan, which just generates a SYN packet. The response to these specially crafted packets is also analyzed by Nmap to produce scan results.
ACK SCAN  | ACK scans are employed to monitor whether a particular port is filtered or not. This proves very valuable when trying to probe firewalls and their existing rule sets. Simple packet filtering allows established connections, whereas a more complex firewall might not.
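The "noisy" side of a TCP or SYN scan described above is what a defender sees in a firewall log: one source sending bare SYNs to many distinct ports in a short window. The script below is an added example, not from the cheat sheet; it reads iptables-style LOG lines and flags any source whose SYN-only packets reached more than a threshold of distinct ports. The function name and the log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): detect a SYN / connect sweep
# from firewall logs. A scanner sends SYNs (no ACK) to many distinct ports;
# a normal client talks to one or two. Log lines below are constructed in
# iptables LOG style.
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:01 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=143 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.9 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: IN=eth0 SRC=192.168.1.9 DST=192.168.1.50 PROTO=TCP SPT=22 DPT=40001 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.9 PROTO=TCP SPT=51002 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.9 PROTO=TCP SPT=51003 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.9 PROTO=TCP SPT=51004 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 fw kernel: IN=eth0 SRC=192.168.1.77 DST=192.168.1.9 PROTO=UDP SPT=51005 DPT=53 LEN=40'

# Read log lines on stdin; print "SRC distinct_ports" for every source whose
# bare SYNs (SYN set, ACK clear) reached more than $1 distinct ports (default 5).
syn_sweep_sources() {
    awk -v threshold="${1:-5}" '
        / PROTO=TCP / && / SYN / && !/ ACK / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (!seen[src, dpt]++) ports[src]++   # count each port once per source
        }
        END { for (s in ports) if (ports[s] > threshold) print s, ports[s] }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | syn_sweep_sources 5    # prints: 192.168.1.50 8
```

The SYN-ACK reply from 192.168.1.9 and the UDP line are ignored, so only the sweeping source is reported; the same function works on a live `journalctl -k` or `/var/log/kern.log` stream.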
Category-wise diverse NMAP commands with examples are explained in the following
section.
2. Target Specification
Switch    | Example                        | Description
(none)    | nmap 192.168.1.3               | Scan a specific IP address
(none)    | nmap 192.168.1.2 192.168.2.3   | Scan specific IP addresses
(none)    | nmap 192.168.1.7-254           | Scan a specific range of IP addresses
(none)    | nmap ramdom.doman.org          | Scans a domain
(none)    | nmap 192.168.1.1/29            | Scans a single IP using CIDR notation
-iL       | nmap -iL text.txt              | Scans targets from a file
-iR       | nmap -iR 200                   | Scans 200 random hosts
--exclude | nmap --exclude 192.168.1.2     | Excludes the listed hosts
3. Scan Techniques
Switch | Example               | Description
-sS    | nmap 192.167.1.2 -sS  | TCP SYN scan
-sT    | nmap 192.168.1.1 -sT  | TCP connect scan
-sU    | nmap 192.168.1.1 -sU  | UDP scan
-sA    | nmap 192.168.1.1 -sA  | TCP ACK scan
-sW    | nmap 192.168.1.1 -sW  | TCP Window scan
-sM    | nmap 192.168.1.1 -sM  | TCP Maimon scan
4. Host Discovery
Switch | Example                          | Description
-sL    | nmap 192.168.1.6-9 -sL           | Creates a list of targets only (list scan)
-sn    | nmap 192.168.1.2/29 -sn          | Disables port scans and does host discovery only
-Pn    | nmap 192.168.1.2-5 -Pn           | Disables host discovery and performs the port scan only
-PS    | nmap 192.168.1.2-5 -PS22-25,80   | TCP SYN ping on port x. Port 80 is the default
-PA    | nmap 192.168.1.2-5 -PA22-25,80   | TCP ACK ping on port x. Port 80 is the default
-PU    | nmap 192.168.1.3-7 -PU53         | Enables UDP ping on port x. Port 40125 is the default
-PR    | nmap 192.168.1.2-3/24 -PR        | ARP ping on the local network
-n     | nmap 192.168.1.2 -n              | Disables DNS resolution
5. Port Specification
Switch      | Example                              | Description
-p          | nmap 192.168.1.9 -p 27               | Scan a specific port
-p          | nmap 192.168.1.9 -p 27-100           | Scan a port range
-p          | nmap 192.168.1.9 -p U:53,T:27-40,80  | Scans multiple TCP and UDP ports
-p-         | nmap 192.168.1.9 -p-                 | Scan all ports
-p          | nmap 192.168.1.9 -p http,https       | Scans based on the service name
-F          | nmap 192.168.1.9 -F                  | Fast scan of 100 ports
--top-ports | nmap 192.168.1.9 --top-ports 1015    | Scans the top "x" ports
-p-65535    | nmap 192.168.1.8 -p-65535            | Skips the initial port in the range and starts the scan from port 1
6. Service and Version Detection
Switch                  | Example                                     | Description
-sV                     | nmap 192.168.1.9 -sV                        | Helps in determining the version of the service
-sV --version-intensity | nmap 192.168.1.9 -sV --version-intensity 9  | Sets the intensity level, between 0 and 9. The higher the number, the higher the possibility of correctness
-sV --version-light     | nmap 192.168.1.9 -sV --version-light        | Enables light mode. This has a lower possibility of correctness but is faster
-sV --version-all       | nmap 192.168.1.9 -sV --version-all          | Enables an intensity level of 9. This has a higher possibility of correctness but is slower
-A                      | nmap 192.168.1.8 -A                         | Enables OS detection, version detection, and script scanning
7. OS Detection
Switch            | Example                               | Description
-O                | nmap 192.168.1.8 -O                   | TCP/IP stack fingerprinting is used for remote OS detection
-O --osscan-limit | nmap 192.168.1.8 -O --osscan-limit    | The TCP port scan will not attempt OS detection on hosts that do not have at least one open and one closed port
-O --osscan-guess | nmap 192.168.1.8 -O --osscan-guess    | Makes Nmap guess more aggressively
-O --max-os-tries | nmap 192.168.1.8 -O --max-os-tries 1  | Sets the maximum number "x" of OS detection attempts against a target
8. Timing and Performance
Switch | Example               | Description
-T0    | nmap 192.168.1.8 -T0  | Paranoid (0) timing
-T1    | nmap 192.168.1.8 -T1  | Sneaky (1) timing
-T2    | nmap 192.168.1.8 -T2  | Polite (2) timing
-T3    | nmap 192.168.1.8 -T3  | Normal (3) timing
-T4    | nmap 192.168.1.8 -T4  | Aggressive (4) timing
-T5    | nmap 192.168.1.8 -T5  | Insane (5) timing
Switch                                                           | Example input      | Description
--host-timeout <time>                                            | 5s; 10m; 5h        | After this long, give up on the target
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 5s; 10m; 5h        | Specifies the probe round-trip time
--min-hostgroup/--max-hostgroup <size>                           | 20; 512            | Specifies host scan group sizes for parallelization
--min-parallelism/--max-parallelism <numprobes>                  | 10; 1              | Specifies probe parallelization
--scan-delay/--max-scan-delay <time>                             | 10ms; 5s; 10m; 3h  | Adjusts the delay between probes
--max-retries <tries>                                            | 5                  | Specifies the maximum number of retries for port scan probe retransmissions
9. NSE Scripts
Switch        | Example                                                                    | Description
-sC           | nmap 192.168.1.9 -sC                                                       | Scans with the default NSE scripts
--script      | nmap 192.168.1.9 --script default                                          | Scans with the default NSE scripts
--script      | nmap 192.168.1.9 --script=banner                                           | Single script scanning
--script      | nmap 192.168.1.9 --script="http*"                                          | Wildcard scanning (quoted so the shell does not expand the *)
--script      | nmap 192.168.1.9 --script=http,banner                                      | Two scripts scanning
--script      | nmap 192.168.1.9 --script "not intrusive"                                  | Default scanning without intrusive scripts
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.9  | NSE script scanning with script arguments
10. Useful NSE Script Examples
Command                                                                                                                 | Description
nmap -Pn --script=http-sitemap-generator interviewbit.com                                                               | Map generator for an HTTP site
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000                                                   | Search random web servers
nmap -Pn --script=dns-brute interviewbit.com                                                                            | Guesses sub-domains by brute forcing DNS hostnames
nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" -vv 192.168.1.1  | Run safe SMB scripts
nmap --script "whois*" interviewbit.com                                                                                 | Query for whois
nmap -p80 --script http-unsafe-output-escaping interviewbit.com                                                         | Cross-site vulnerability detection on websites
nmap -p80 --script http-sql-injection interviewbit.com                                                                  | SQL injection detection
11. Firewall / IDS Evasion and Spoofing
Switch        | Example                                                                    | Description
-f            | nmap 192.168.1.9 -f                                                        | Small fragmented IP packets are used in the requested scans (including ping scans). More difficult for packet filters
--mtu         | nmap 192.168.1.9 --mtu 32                                                  | Set the offset size yourself
-D            | nmap -D 192.168.9.102,192.168.9.103,192.168.9.104,192.168.9.523            | Scans from the spoofed (decoy) IPs are sent via this
-S            | nmap -S www.interviewbit.com www.scaler.com                                | Scans Scaler from InterviewBit (spoofed source address)
-g            | nmap -g 53 192.168.1.9                                                     | Uses the given source port number
--proxies     | nmap --proxies http://192.168.1.9:8080,http://192.168.9.2:8080 192.168.1.9 | Relays connections via HTTP or SOCKS4 proxies
--data-length | nmap --data-length 200 192.168.1.9                                         | Adds random data to the sent packets
12. Output
Switch          | Example                                        | Description
-oN             | nmap 192.168.1.9 -oN result.file               | Writes the output to result.file in normal format
-oX             | nmap 192.168.1.9 -oX result.file               | Writes the output to result.file in XML format
-oG             | nmap 192.168.1.9 -oG result.file               | Writes the output to result.file in grepable format
-oA             | nmap 192.168.1.9 -oA results                   | Writes all three major formats
-oG -           | nmap 192.168.1.9 -oG -                         | Shows grepable output on the screen
--append-output | nmap 192.168.1.9 -oN file.file --append-output | Appends the scan to the previously written file
-v              | nmap 192.168.1.9 -v                            | Increases the verbosity level
-d              | nmap 192.168.1.9 -d                            | Increases the debugging level
--reason        | nmap 192.168.1.9 --reason                      | Shows the reason for the given state of the port
--open          | nmap 192.168.1.9 --open                        | Only open ports are shown
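The grepable (-oG) format above is the one most shell post-processing is built on. As an added example, not from the cheat sheet, the script below parses grepable output into a host/port/service inventory of open ports, dropping closed and filtered entries; the function name and the sample scan result are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): parse nmap -oG output.
# Grepable lines are tab-separated fields: "Host: <ip> (<name>)", then
# "Ports: <entry>, <entry>, ..." where each entry is
# port/state/proto/owner/service/rpcinfo/version/. The sample is constructed.
SAMPLE_GNMAP=$(
  printf '# Nmap 7.93 scan initiated as: nmap -sV -oG - 192.168.1.9-10\n'
  printf 'Host: 192.168.1.9 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, '
  printf '80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///'
  printf '\tIgnored State: filtered (997)\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/, '
  printf '3389/filtered/tcp//ms-wbt-server///\n'
)

# Read grepable output on stdin; print "host port/proto service version"
# for every open port ("-" when no version was detected).
grepable_open_ports() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                    if (f[2] == "open")
                        print host, f[1] "/" f[3], f[5], (f[7] == "" ? "-" : f[7])
                }
            }
        }'
}

printf '%s\n' "$SAMPLE_GNMAP" | grepable_open_ports
# Live use, with the -oG - form from the table: nmap -sV -oG - 192.168.1.9 | grepable_open_ports
```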
13. Other Useful NMAP Commands
Command                                           | Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn     | Host discovery only on the listed ports, no port scan
nmap 192.168.1.9-1/25 -PR -sn -vv                 | Only show ARP discovery on the local network, no port scan
nmap -iR 20 -sn --traceroute                      | No port scan, just traceroute to specific targets
nmap 192.168.1.9-40 -sL --dns-server 192.168.1.9  | Queries the internal DNS for detecting hosts and then lists targets
Conclusion
In this document, we’ve covered the basics of Network Mapper (NMAP), its features
and some of the important cheat sheets. NMAP is the supreme source of port scan
information, the foundation for most security enumeration during the initial phases
of a penetration test. It has a number of settings, and when you first start out using it,
it may be difficult to figure out. You can follow the guide for running Nmap on a Mac
OS X or Linux machine. The beauty of the Nmap tool is that it’s designed to work with
text output. This means that you do not have to be an expert in Linux or Bash
Scripting in order to use this amazing tool. The code examples are very easy to follow
and you will be up and running with Nmap in no time.
Now, it’s time for you to head out and try what we’ve covered here and more. More
than memorizing syntax, do pay attention to practising them and solving problems.