Nmap is an effective network scanning tool used by security professionals for various purposes.
For optimal use of Nmap, it’s essential to be familiar with its syntax and command structure. This cheat sheet covers some of the key commands and examples to assist in effectively using Nmap.
Target Specification
Nmap (Network Mapper) is one of the best-known and most widely used network scanners, used by security professionals and novices alike to scan local and remote ports, hosts and networks in order to find live hosts, open ports and the services behind them.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
 | nmap 192.168.1.1 | Scan a single IP |
 | nmap 192.168.1.1 192.168.2.1 | Scan specific IPs |
 | nmap 192.168.1.1-254 | Scan a range |
 | nmap scanme.nmap.org | Scan a domain |
 | nmap 192.168.1.0/24 | Scan using CIDR notation |
-iL | nmap -iL targets.txt | Scan targets from a file |
-iR | nmap -iR 100 | Scan 100 random hosts |
--exclude | nmap --exclude 192.168.1.1 | Exclude listed hosts |
Target specification determines which hosts Nmap scans. It does not by itself produce service versions, OS guesses or traceroute data; those come from the options described in later sections and are gathered per target after the target list has been expanded.
Target specifications can be hostnames, IP addresses, CIDR blocks (192.168.1.0/24) or per-octet ranges and lists (192.168.0-1.1-254, 10.0.0.1,3,5), separated by spaces or read from a file with -iL. Ports are specified separately with -p: "nmap -p 1-20 <target>" probes ports 1 through 20 on that host.
For each target the port table lists a state per port: open, closed, filtered (a firewall or filter dropped the probe, so Nmap cannot tell), unfiltered (reachable but state unknown, seen with ACK scans), and the combined states open|filtered and closed|filtered when the scan type cannot distinguish them. Security engineers value this output because it reveals which services are exposed on each target.
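The following is an added example, not code from the original cheat sheet or from the Nmap project, that expands target specifications the way the table above describes them: CIDR blocks, per-octet ranges and lists, and --exclude style exclusions. Function names and the sample inputs are assumptions made for illustration; hostnames are passed through untouched because expanding them requires DNS.

```python
import ipaddress
from typing import Iterable, List


def _octet_values(part: str) -> List[int]:
    """Expand one octet of an Nmap-style address: '5', '1-10', '-', '3,7,9-12'."""
    values = set()
    for piece in part.split(","):
        if "-" in piece:
            lo, _, hi = piece.partition("-")
            lo_v = int(lo) if lo else 0      # Nmap: omitted start means 0
            hi_v = int(hi) if hi else 255    # Nmap: omitted end means 255
        else:
            lo_v = hi_v = int(piece)
        if not 0 <= lo_v <= hi_v <= 255:
            raise ValueError(f"bad octet range {piece!r}")
        values.update(range(lo_v, hi_v + 1))
    return sorted(values)


def expand_target(spec: str) -> List[str]:
    """Expand a single target spec as Nmap interprets it (hypothetical helper).

    Supports CIDR (192.168.1.0/24, network and broadcast addresses included,
    as Nmap does), per-octet ranges and lists (192.168.0-1.1-5, 10.0.0.1,3,5)
    and a plain address. Hostnames are returned untouched.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(ip) for ip in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(p and set(p) <= set("0123456789,-") for p in parts):
        octets = [_octet_values(p) for p in parts]
        return [f"{a}.{b}.{c}.{d}"
                for a in octets[0] for b in octets[1]
                for c in octets[2] for d in octets[3]]
    return [spec]  # hostname: left for DNS resolution


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs in order, dropping duplicates and --exclude matches."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    result, seen = [], set()
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed inputs mirroring the table above.
    print(len(expand_target("192.168.1.0/24")))          # 256 addresses
    print(expand_targets(["192.168.1.1-3"], exclude=["192.168.1.2"]))
```

Note that a /24 expands to 256 addresses including .0 and .255, which is what Nmap sends probes to; if you only want usable hosts, exclude them explicitly rather than assuming the scanner will.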
Nmap Scan Techniques
Nmap is a network discovery and security auditing tool that uses raw IP packets to detect hosts and services on a network, along with operating systems, application versions, packet filters/firewalls used and network security policies in place.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-sS | nmap 192.168.1.1 -sS | TCP SYN port scan (default when Nmap has raw-socket privileges, i.e. root) |
-sT | nmap 192.168.1.1 -sT | TCP connect port scan (default without root privilege; completes the handshake, so the target application logs the connection) |
-sU | nmap 192.168.1.1 -sU | UDP port scan |
-sA | nmap 192.168.1.1 -sA | TCP ACK port scan |
-sW | nmap 192.168.1.1 -sW | TCP Window port scan |
-sM | nmap 192.168.1.1 -sM | TCP Maimon port scan |
The scan type decides what packet Nmap sends and how it reads the answer. SYN and connect scans find open TCP ports; UDP scans are slow because closed ports answer only with rate-limited ICMP errors and open ones often do not answer at all, so many ports come back open|filtered; ACK scans cannot tell open from closed (both answer with RST) but show whether a stateful firewall sits in front of the target, and Window and Maimon scans exploit implementation quirks of particular TCP stacks. Combine the scan type with the timing templates and detection options below to tailor the scan.
Port Scanning
Port scanning is Nmap's core function. For each probed port it reports a state (open, closed, filtered, or one of the ambiguous combinations) together with a service name taken from its bundled nmap-services table, which maps port numbers to the service most commonly found there. Without -sV that name is only a table lookup, not an observation of what is actually listening, so a non-standard service on port 80 will still be labelled "http".
Nmap also offers evasion options that change how probes look on the wire rather than making scans faster: -f splits probes into small IP fragments, which some packet filters and intrusion detection systems fail to reassemble before applying their rules, and -D makes the scan appear to originate from additional decoy addresses as well as your own. Both are easy to spot for an IDS that does reassemble and correlate, can break against stateful devices, and should be used deliberately rather than by default.
Host Discovery
Before any port is probed, Nmap decides which of the specified addresses are actually up; this stage is host discovery. As root the default probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; without root it falls back to TCP connects to ports 80 and 443; on a directly attached Ethernet segment it uses ARP requests instead, which a host firewall cannot filter. Later stages (service and version enumeration, OS detection, and NSE scripts for vulnerability checks or credential brute forcing) run only against hosts that pass this stage.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-sL | nmap 192.168.1.1-3 -sL | No Scan. List targets only |
-sn | nmap 192.168.1.1/24 -sn | Disable port scanning. Host discovery only. |
-Pn | nmap 192.168.1.1-5 -Pn | Disable host discovery. Port scan only. |
-PS | nmap 192.168.1.1-5 -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default |
-PA | nmap 192.168.1.1-5 -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default |
-PU | nmap 192.168.1.1-5 -PU53 | UDP discovery on port x. Port 40125 by default |
-PR | nmap 192.168.1.0/24 -PR | ARP discovery on local network |
-n | nmap 192.168.1.1 -n | Never do DNS resolution |
Host discovery is the first stage of any Nmap run; it exists so that time is not spent port-scanning addresses that are not in use. Script execution is not part of it: NSE scripts (-sC or --script) run as a later stage against hosts and ports that discovery and port scanning have already found.
The -P options choose the probes, and each asks the target a different question: -PS expects a SYN/ACK or RST from a TCP port, -PA tests whether bare ACKs pass a stateless filter, -PU provokes an ICMP port-unreachable from a closed UDP port, and -PE sends a plain ICMP echo request; several can be combined in one command. Hosts that answer none of the probes are reported as down and skipped, which is exactly what a host that drops ICMP and unsolicited TCP looks like. When you know a target exists, -Pn skips discovery and port-scans it regardless, at the cost of a full scan against every dead address in the range.
How many hosts are scanned in parallel (--min-hostgroup/--max-hostgroup) and how long Nmap waits on a single host (--host-timeout) are timing controls, covered under Timing and Performance; they trade speed for completeness, not stealth.
Port Specification
Port specification controls which ports each live target is probed on. By default Nmap scans the 1,000 most common ports for each protocol in use, ranked by how often they were found open in the nmap-services frequency data; the options below narrow or widen that set. A default scan therefore misses services on uncommon ports, which is why -p- (ports 1 through 65535) is standard practice for a thorough assessment.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-p | nmap 192.168.1.1 -p 21 | Port scan for port x |
-p | nmap 192.168.1.1 -p 21-100 | Port range |
-p | nmap 192.168.1.1 -p U:53,T:21-25,80 | Port scan multiple TCP and UDP ports |
-p | nmap 192.168.1.1 -p- | Port scan all ports |
-p | nmap 192.168.1.1 -p http,https | Port scan from service name |
-F | nmap 192.168.1.1 -F | Fast port scan (100 ports) |
--top-ports | nmap 192.168.1.1 --top-ports 2000 | Port scan the top x ports |
-p-65535 | nmap 192.168.1.1 -p-65535 | Leaving off initial port in range makes the scan start at port 1 |
-p0- | nmap 192.168.1.1 -p0- | Leaving off end port in range makes the scan go through to port 65535 |
The -p option selects the ports to probe. It accepts a single port, a comma-separated list, ranges anywhere in 0-65535 (not just the privileged 1-1023 range), service names from nmap-services, and the T: and U: prefixes to give TCP and UDP different port sets in the same scan.
Related options are easy to confuse. -g (or --source-port) sets the source port of Nmap's probes, which can slip past filters that blindly trust traffic from ports such as 53 or 20; --badsum sends probes with invalid checksums, so anything that answers is a firewall or IDS rather than a real host stack; -f fragments probes into small IP fragments; -b is the FTP bounce scan and has nothing to do with checksums. Output formats are separate options (-oN normal, -oG grepable, -oX XML, -oA all three at once). Setting the TCP window size of crafted packets is a feature of the companion tool Nping (--win), not of Nmap's port scanner.
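As an added example (not code from the original page or from Nmap itself), the parser below expands a -p argument into per-protocol port sets, covering every form in the table above: ranges, the open-ended "-", "-65535" and "0-" forms, T:/U: prefixes and service names. The small SERVICE_TABLE stands in for Nmap's nmap-services file and is constructed here with a few entries; the function name is hypothetical.

```python
import re
from typing import Dict, Set

# Constructed stand-in for Nmap's nmap-services table, which maps service
# names to port/protocol pairs. Only a handful of entries, for illustration.
SERVICE_TABLE = {
    "http":   {("tcp", 80)},
    "https":  {("tcp", 443)},
    "ssh":    {("tcp", 22)},
    "domain": {("tcp", 53), ("udp", 53)},
    "snmp":   {("udp", 161)},
}


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand an Nmap -p argument into {'tcp': {...}, 'udp': {...}}.

    Handles single ports, ranges (21-25), open-ended ranges ('-1024', '1024-'
    and a bare '-' meaning 1-65535; port 0 must be asked for as '0-'),
    service names (http,https) and protocol prefixes (U:53,T:21-25,80).
    A prefix applies to everything after it until the next prefix; items with
    no prefix apply to every protocol, as they do in Nmap when both -sS and
    -sU are in use.
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    current = None  # no explicit protocol prefix seen yet
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item[:2] in ("T:", "U:"):
            current = "tcp" if item[0] == "T" else "udp"
            item = item[2:]
        targets = [current] if current else ["tcp", "udp"]
        if re.fullmatch(r"\d*-\d*", item):      # range, possibly open-ended
            lo, _, hi = item.partition("-")
            lo_v = int(lo) if lo else 1          # omitted start means port 1
            hi_v = int(hi) if hi else 65535      # omitted end means port 65535
        elif item.isdigit():
            lo_v = hi_v = int(item)
        else:                                    # service name lookup
            entries = SERVICE_TABLE.get(item)
            if entries is None:
                raise ValueError(f"unknown service {item!r}")
            for proto, port in entries:
                if proto in targets:
                    ports[proto].add(port)
            continue
        if not 0 <= lo_v <= hi_v <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        for proto in targets:
            ports[proto].update(range(lo_v, hi_v + 1))
    return ports


if __name__ == "__main__":
    # Constructed inputs taken from the forms in the table above.
    for example in ("U:53,T:21-25,80", "-", "0-", "-65535", "http,https"):
        r = parse_port_spec(example)
        print(f"{example:18} tcp={len(r['tcp'])} udp={len(r['udp'])}")
```

The useful check this gives you is the size of each set before a scan runs: a UDP set of 65,536 ports against a /24 is a multi-day job at default timing, and seeing that number up front is cheaper than discovering it after the fact.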
Service and Version Detection
Version detection (-sV) goes beyond the port-to-service lookup that a plain port scan gives you. For each open port Nmap connects, sends protocol-specific probes from its nmap-service-probes database and matches the responses to identify the application, its version number and sometimes the hostname, device type and operating system behind it.
This is what distinguishes OpenSSH 8.9 on port 22 from a honeypot or an HTTP server someone bound to 22, and it is the information that script selection and vulnerability lookups are matched against; network administrators use the same output to track which servers are due for an upgrade.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-sV | nmap 192.168.1.1 -sV | Attempts to determine the version of the service running on port |
-sV --version-intensity | nmap 192.168.1.1 -sV --version-intensity 8 | Intensity level 0 to 9 (default 7). Higher number increases possibility of correctness |
-sV --version-light | nmap 192.168.1.1 -sV --version-light | Enable light mode (intensity 2). Lower possibility of correctness. Faster |
-sV --version-all | nmap 192.168.1.1 -sV --version-all | Enable intensity level 9. Higher possibility of correctness. Slower |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
-A is a convenience that bundles OS detection (-O), version detection (-sV), the default script set (-sC) and traceroute (--traceroute). It is the noisiest option on this page, so on an engagement where stealth matters enable the pieces individually. OS detection, the process of identifying the operating system and hardware characteristics of a device from its network behaviour, is covered in the next section. A service whose name came only from the port table rather than from a probe has not really been identified, and deserves a higher --version-intensity or a manual look before its supposed identity is trusted.
OS Detection
OS detection (-O) identifies the operating system, and often the version and device type, of a host by TCP/IP stack fingerprinting: Nmap sends a series of TCP, UDP and ICMP probes to open and closed ports and compares details of the replies such as initial TTL, window size, TCP option ordering and IP ID generation against the fingerprints in its nmap-os-db database.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-O | nmap 192.168.1.1 -O | Remote OS detection using TCP/IP stack fingerprinting |
-O --osscan-limit | nmap 192.168.1.1 -O --osscan-limit | If at least one open and one closed TCP port are not found it will not try OS detection against host |
-O --osscan-guess | nmap 192.168.1.1 -O --osscan-guess | Makes Nmap guess more aggressively |
-O --max-os-tries | nmap 192.168.1.1 -O --max-os-tries 1 | Set the maximum number x of OS detection tries against a target |
-A | nmap 192.168.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
Knowing the operating system narrows what a port is likely to be running, which exploits and misconfigurations are relevant, and whether an odd TTL or window size points at a firewall rather than the host itself, which makes a penetration test both faster and more accurate.
Add -O to enable it. -O performs OS detection only; version detection is a separate option (-sV), and -A enables both along with scripts and traceroute. OS detection needs raw-socket privileges and works best when the target has at least one open and one closed TCP port, which is what --osscan-limit checks for before spending probes.
By default Nmap makes up to five fingerprinting attempts per host when conditions are favourable (and two when they are not); --max-os-tries lowers that to speed up large scans at the cost of fewer matches.
For more detail on what Nmap saw, raise verbosity with -v (host up/down, ports as they are found, timing estimates), use -d for debugging output, and add --reason to print why each port got its state (for example syn-ack, reset or no-response), which is the quickest way to tell a filtered port from one that simply timed out.
Timing and Performance
Timing has a large effect on how long a scan takes. Nmap adapts its probe rate and timeouts dynamically from the round-trip times it measures, which keeps scans fast on good networks without flooding slow ones.
That adaptation is not perfect: on an unreliable or rate-limited network it can stall on a single host for a long time, which is where --host-timeout and the other options below come in.
SWITCH | EXAMPLE | DESCRIPTION |
---|---|---|
-T0 | nmap 192.168.1.1 -T0 | Paranoid (0) Intrusion Detection System evasion |
-T1 | nmap 192.168.1.1 -T1 | Sneaky (1) Intrusion Detection System evasion |
-T2 | nmap 192.168.1.1 -T2 | Polite (2) slows down the scan to use less bandwidth and use less target machine resources |
-T3 | nmap 192.168.1.1 -T3 | Normal (3) which is default speed |
-T4 | nmap 192.168.1.1 -T4 | Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network |
-T5 | nmap 192.168.1.1 -T5 | Insane (5) speeds scan; assumes you are on an extraordinarily fast network |
--host-timeout tells Nmap to give up on an entire host after the specified time, keeping whatever results it has so far. It caps the time a slow or heavily filtered target can consume, but it also means a valuable host can be dropped with a partial port list, so check the output for hosts that hit the limit.
The faster templates, -T4 and -T5, assume a fast, reliable network; on a slow or lossy link their short timeouts and low retry counts cause ports to be missed or misreported as filtered rather than making the scan faster.
Timing and Performance Switches
Nmap provides various timing and performance switches that can make scanning faster, as well as fine-grained controls to further increase performance. You can combine these options for optimal results.
The --defeat-rst-ratelimit option trades accuracy for speed. When a host rate-limits the RST packets it sends in reply to probes of closed ports, Nmap normally slows down so it can still tell closed ports from filtered ones; with this option it ignores the rate limit, so some closed ports may be reported as filtered instead. The UDP counterpart is --defeat-icmp-ratelimit, for hosts that rate-limit ICMP port-unreachable errors; it speeds the scan up at the price of labelling unresponsive ports closed|filtered rather than resolving them.
SWITCH | EXAMPLE INPUT | DESCRIPTION |
---|---|---|
--host-timeout <time> | 1s; 4m; 2h | Give up on target after this long |
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Lower bound, upper bound and starting value for the probe round-trip timeout |
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes |
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization |
--max-retries <tries> | 3 | Specify the maximum number of port scan probe retransmissions |
--min-rate <number> | 100 | Send packets no slower than <number> per second |
--max-rate <number> | 100 | Send packets no faster than <number> per second |
--scan-delay inserts a pause between consecutive probes to the same host. It slows the scan rather than speeding it up, but it avoids wasting probes against hosts that rate-limit their replies (Nmap's documentation cites Solaris, which sends only one ICMP port-unreachable per second, so UDP probes sent faster than that get no answer and are misclassified) and it helps stay under an IDS's probes-per-second threshold.
The three RTT options bound Nmap's adaptive timeout: --initial-rtt-timeout is the starting value, --min-rtt-timeout the floor it will not drop below, and --max-rtt-timeout the ceiling, which is the one that limits how long Nmap waits for a response before retrying. Lowering the maximum speeds scans on fast links; raising it is what you want on highly unreliable networks, where the default can cause responsive ports to be missed.
Nmap's six timing templates, -T0 to -T5, are named paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5). Each is a preset bundle of the fine-grained values above, and any option given explicitly overrides the template's value for it.