NMAP Cheat Sheet

By Jon Robinson | Published February 22, 2021 | Updated January 26, 2024

Two core tenets of network security are knowing what assets you need to protect and exposing only the minimal set of services those assets need to function. NMAP helps with both. Knowing which assets are reachable on the network is the first step in securing them, and NMAP can find those hosts and determine what services they are running.

As always, make sure you are on the vendor notification lists for new vulnerabilities, limit access to the services to those who need it, and place firewalls at the network perimeter and between network segments.

Download NMAP

NMAP Syntax

Command Line: nmap <options> <targets>

Your targets can be in any of the following formats:

  • Domain or IP: scanme.nmap.org, scanme.nmap.org/32, 64.13.134.52
  • Ranges: scanme.nmap.org/24, 64.13.134.52/24, 64.13.134.0-255, 64.13.134-135.1/24
  • Exclude: nmap 64.13.134.52/24 --exclude scanme.nmap.org,insecure.org

Use -iL to read targets from a file. Use a hyphen in place of the filename to read the list from standard input.

Command line example: sudo nmap -sL -iL /Users/jon/io.txt

In Zenmap, the input file needs to be in /usr/local/share/nmap on OS X or C:\Program Files\Nmap\share\zenmap on Windows.

Note: To see hidden files in Finder: defaults write com.apple.Finder AppleShowAllFiles YES

Command/Option Description
-sn (older spelling -sP) Ping scan: host discovery only, no port scan
-sL List scan: a dry run that only lists (and reverse-resolves) the targets without sending them any probes
-Pn (older spelling -PN) Skip host discovery and treat every target as up. Normally NMAP only port scans hosts that answered the discovery probes; use this to scan everything in the range regardless, or when the targets drop ping.
-iL <file> Read targets from a file; use a hyphen in place of the file name to read from standard input
-PS<port list> TCP SYN ping: sends a SYN to the listed ports (default 80) as a host-discovery probe, not a port scan
-PA<port list> TCP ACK ping (default port 80)
-PU<port list> UDP ping (default port 40125)
-PE, -PP, -PM ICMP echo request (type 8), timestamp request and address mask request
-v, -vv Level one and level two verbosity
-n Disable all DNS resolution
-R Do reverse DNS for every target, even hosts that appear down
-T4 Recommended timing template on reliable networks
-oA <basename> Output in the three major formats at once: normal (.nmap), XML (.xml) and greppable (.gnmap)
-oN <file> Normal output; pair with -v for more detail
-oG <file> Greppable output; %T and %D in any output file name insert the time and date
-oX <file> XML output
-iR <number> Choose <number> random targets
--append-output Append to an existing output file instead of overwriting it
--source-port <portnum> or -g <portnum> Set the source port, to take advantage of firewalls that trust traffic from a port such as 53
-O OS fingerprinting
--data-length <length> Append <length> random bytes to TCP, UDP and ICMP probe packets so they look less like bare NMAP probes
--randomize-hosts Scan hosts in random order to make the scan less obvious
-F Fast mode: scan only the top 100 most common ports instead of the default top 1000
-A Aggressive scan, which enables -O, -sV, -sC and --traceroute
-sS TCP SYN (stealth) scan. The default and most popular scan type; needs raw-socket privileges (root or sudo)
-sU UDP scan
--top-ports <integer> Scan the <integer> most common ports
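
As an added example (not from the original cheat sheet), the following POSIX shell script chains the options above into a two-stage scan: a host-discovery sweep (-sn) written as greppable output to standard output (-oG -), whose live hosts are read back by a second NMAP run through -iL -. The sample discovery output embedded in the script is constructed so that the parsing step runs offline; the target range, output basename and probe ports used in two_stage_scan are assumptions to adapt, and that function is defined but not invoked because it needs nmap, root and a network.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Stage 1: host discovery only (-sn), greppable output to stdout (-oG -).
# Stage 2: read the live hosts from stdin (-iL -) and port scan just those.

# Print the IP of every host that stage 1 reported as up.
# A -sn -oG line is tab-separated:  Host: 192.0.2.10 ()<TAB>Status: Up
# "# Nmap ..." comment lines and hosts reported Down are skipped.
live_hosts() {
    awk -F'\t' '
        /^#/ { next }
        $2 ~ /^Status: Up/ { split($1, h, " "); print h[2] }
    '
}

# Run both stages. The discovery probes mix ICMP echo/timestamp (-PE -PP),
# TCP SYN to 22/80/443 (-PS), TCP ACK to 3389 (-PA) and UDP to 40125 (-PU)
# so hosts that drop ICMP but run a web server or RDP still show up.
# Stage 2 uses -Pn because every host it receives is already known to be up.
# %D and %T in the -oA basename expand to the date and time of the scan.
# Not invoked below: needs nmap, root and a network. Ports are assumptions.
two_stage_scan() {
    targets="$1"   # target spec, e.g. 192.0.2.0/24 (assumed)
    out="$2"       # basename for -oA, e.g. inventory (assumed)
    sudo nmap -sn -n -T4 -PE -PP -PS22,80,443 -PA3389 -PU40125 -oG - "$targets" \
      | live_hosts \
      | sudo nmap -sS -sV -T4 -Pn -n -iL - -oA "${out}_%D_%T"
}

# Constructed sample of stage-1 output (what `nmap -sn -oG -` prints),
# embedded here so the parsing step can be exercised offline.
tab=$(printf '\t')
sample_discovery() {
    printf '%s\n' \
      '# Nmap 7.94 scan initiated Fri Jan 26 10:00:00 2024 as: nmap -sn -oG - 192.0.2.0/28' \
      "Host: 192.0.2.10 ()${tab}Status: Up" \
      "Host: 192.0.2.11 ()${tab}Status: Down" \
      "Host: 192.0.2.12 (web.example.test)${tab}Status: Up" \
      '# Nmap done at Fri Jan 26 10:00:02 2024 -- 16 IP addresses (2 hosts up) scanned in 2.10 seconds'
}

# The host list stage 2 would receive on stdin from the sample.
hosts_from_sample() {
    sample_discovery | live_hosts
}

hosts_from_sample
```

Run the real thing as two_stage_scan 192.0.2.0/24 inventory; the -oA option leaves inventory_<date>_<time>.nmap, .xml and .gnmap behind, and the .gnmap file is what the greppable parsing in live_hosts is built around.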

Finding targets

DNS

Action Command
Find name servers host -t ns <domain>
Find IP of A record host -t a <domain>
Find MX record host -t mx <domain>
Find SOA record host -t soa <domain>

WHOIS

Action Command
Find the owner and their allocated IPs whois <ip address>
Enumerate ARIN contact emails whois -h whois.arin.net @target.com
List target netblock handles whois -h whois.arin.net "n target*"
List org names starting with 'target' whois -h whois.arin.net "o target*"

Scanning Modes

Intense scan

nmap -T4 -A -v <targets>

Using the -T4 timing template (recommended in most cases) and verbose output (-v), run an aggressive scan. -A is a shortcut for -O (OS fingerprinting), -sV (version detection), -sC (the default script set) and --traceroute (trace the path to each host).

Intense scan plus UDP

nmap -sS -sU -T4 -A -v <targets>

Same as the intense scan with a UDP port scan (-sU) added. -sS is the SYN stealth scan: the fastest way to scan TCP ports, and quieter than a connect scan (-sT) because it never completes the handshake, so the application behind the port usually does not log a connection. Both -sS and -sU need raw-socket privileges (root or sudo).

Intense scan, all TCP ports

nmap -p 1-65535 -T4 -A -v

-p 1-65535 means scan all TCP ports using the -T4 -A and -v options as opposed to just the top 1000 ports

Intense scan, no ping

nmap -T4 -A -v -Pn

-Pn disables host discovery (ping) and port scans every target as if it were up. Use it if you already know the targets are up, or if they drop the discovery probes and would otherwise be skipped.

Ping scan

nmap -sn

Host discovery only: reports which targets are up without port scanning them.

Quick Scan

nmap -T4 -F

-F for fast. Nmap normally scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Quick Scan Plus

nmap -sV -T4 -O -F --version-light

Do a fast scan with light version detection (-sV --version-light; faster but less likely to identify services) and OS fingerprinting.

Quick Traceroute

nmap -sn --traceroute

Do a ping scan and traceroute.

Regular Scan

nmap

Use the defaults: SYN scan the most common 1000 TCP ports in random order (does a connect scan if you don’t have root access to send raw IP packets)

Slow comprehensive scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"

Same as the intense scan plus UDP, but adds a broader set of host-discovery probes and more scripts:

  • -PE sends ICMP echo requests (type 8)
  • -PP sends ICMP timestamp requests
  • -PS80,443 sends TCP SYN probes to ports 80 and 443
  • -PA3389 sends a TCP ACK probe to port 3389
  • -PU40125 sends a UDP probe to port 40125
  • -PY sends an SCTP INIT probe
  • -g 53 sets the source port to 53 (same as --source-port), which some firewalls let through as DNS
  • --script "default or (discovery and safe)" runs every NSE script in the default category plus those tagged both discovery and safe

Scanned Port States

There are six port states recognized by NMAP.

State Description
open An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. These are the ports that matter for exposure.
closed The port is reachable (it answers probes) but no application is listening on it. Closed ports still show that the host is online and responding.
filtered NMAP cannot tell whether the port is open because packet filtering (a firewall, router rules or a host-based filter) stops its probes from reaching it.
unfiltered The port is reachable, but NMAP cannot determine whether it is open or closed. Only the ACK scan (-sA) classifies ports this way; a SYN, FIN or Window scan may resolve the state.
open|filtered NMAP cannot tell whether the port is open or filtered, because open ports give no response to these probes. UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way.
closed|filtered NMAP cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) produces this state.
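
The port states above decide what counts as exposure: only open and open|filtered ports may have something listening. As an added example (not from the original cheat sheet), this POSIX shell script reads greppable (-oG) output, keeps just those ports as an "ip port/proto state service" inventory, and compares two scans to flag ports that are open now but were not in a baseline scan, which is the concrete form of the "know what is exposed" tenet from the introduction. The two .gnmap samples are constructed inline so the script runs offline; the addresses, host names and services in them are made up.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# Turns greppable output (-oG) into an inventory of listening services and
# diffs two scans so newly exposed ports stand out. POSIX sh + awk only.

# Print "ip port/proto state service" for each port whose state is open or
# open|filtered; closed, filtered and unfiltered ports are dropped.
# A -oG port line is tab-separated:
#   Host: 192.0.2.10 (name)<TAB>Ports: 22/open/tcp//ssh//OpenSSH 8.9/, ...<TAB>Ignored State: closed (997)
# and each port entry is port/state/protocol/owner/service/rpcinfo/version.
exposed_services() {
    awk -F'\t' '
        /^#/ { next }                          # "# Nmap ..." header and footer
        {
            ip = ""; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Host: /)  { split($i, h, " "); ip = h[2] }
                if ($i ~ /^Ports: /) { ports = substr($i, 8) }
            }
            if (ip == "" || ports == "") next  # "Status: Up" lines carry no ports
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open" || f[2] == "open|filtered")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[2], (f[5] == "" ? "-" : f[5])
            }
        }' | LC_ALL=C sort
}

# Report "ip port/proto" pairs that are exposed in the current scan ($2)
# but were not exposed in the baseline scan ($1).
new_exposure() {
    baseline=$(exposed_services < "$1" | cut -d' ' -f1,2)
    exposed_services < "$2" | cut -d' ' -f1,2 | while IFS= read -r svc; do
        printf '%s\n' "$baseline" | grep -qxF -- "$svc" || printf 'NEW: %s\n' "$svc"
    done
}

# Constructed .gnmap samples (the shape nmap -sS -sU -sV -oG writes), so the
# script runs offline. Addresses come from the 192.0.2.0/24 documentation range.
tab=$(printf '\t')
sample_baseline() {
    printf '%s\n' \
      '# Nmap 7.94 scan initiated Mon Jan 22 09:00:00 2024 as: nmap -sS -sU -sV -oG baseline.gnmap 192.0.2.0/28' \
      "Host: 192.0.2.10 (web.example.test)${tab}Status: Up" \
      "Host: 192.0.2.10 (web.example.test)${tab}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 445/filtered/tcp//microsoft-ds///${tab}Ignored State: closed (1997)" \
      '# Nmap done at Mon Jan 22 09:01:10 2024 -- 16 IP addresses (1 host up) scanned in 70.00 seconds'
}
sample_current() {
    printf '%s\n' \
      '# Nmap 7.94 scan initiated Fri Jan 26 09:00:00 2024 as: nmap -sS -sU -sV -oG current.gnmap 192.0.2.0/28' \
      "Host: 192.0.2.10 (web.example.test)${tab}Status: Up" \
      "Host: 192.0.2.10 (web.example.test)${tab}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.24/, 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///${tab}Ignored State: closed (1996)" \
      "Host: 192.0.2.12 ()${tab}Status: Up" \
      "Host: 192.0.2.12 ()${tab}Ports: 161/open|filtered/udp//snmp///${tab}Ignored State: closed (1999)" \
      '# Nmap done at Fri Jan 26 09:01:15 2024 -- 16 IP addresses (2 hosts up) scanned in 75.00 seconds'
}

# Write the samples to files and diff them, exactly as you would with two
# real .gnmap files produced by -oG or -oA.
demo() {
    d=$(mktemp -d)
    sample_baseline > "$d/baseline.gnmap"
    sample_current  > "$d/current.gnmap"
    new_exposure "$d/baseline.gnmap" "$d/current.gnmap"
    rm -rf "$d"
}

demo
```

The filtered 445/tcp entry never appears in the inventory, and the 161/udp port is reported because open|filtered is the best a UDP scan can say about a port that did not answer; treat those as exposures to confirm, not to dismiss. Against real files, new_exposure baseline.gnmap current.gnmap is the whole check, which makes it easy to run after every scheduled scan.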