Nmap Cheatsheet

Common Snippets

nmap -sn $ipAddress | grep -oP '(?<=Nmap scan report for )[^ ]*' # Ping sweep; prints the first token after "Nmap scan report for", i.e. the hostname when reverse DNS resolved it, otherwise the IP (add -n to always get the IP)
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn $ipAddress # Full TCP port sweep: SYN scan, all 65535 ports, open ports only, no DNS, no ping
nmap -sCV --min-rate=5000 $ipAddress -Pn -vvv -oN targeted # Version detection plus default scripts, saved as normal output to "targeted"; add -p <open ports from the previous scan>, otherwise only the top 1000 ports are probed
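The grep in the first snippet keeps whatever follows "Nmap scan report for", which is the hostname whenever reverse DNS succeeded, so the resulting list cannot be fed straight back into -iL. The following is an added example, not part of the original cheatsheet, that extracts the address in both the "name (address)" and bare-address forms; the sample output and the addresses and names in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): pull the IP address out of
# nmap's normal output whether or not reverse DNS produced a name.
#
# nmap prints either  "Nmap scan report for 192.168.1.7"
#                or   "Nmap scan report for gateway.lan (192.168.1.1)"
# Keeping the first token after "for" (as the grep snippet does) returns the
# name in the second case; these functions always return the address.

# Constructed sample of nmap normal output (hosts and names are made up).
sample_normal_output() {
  printf '%s\n' \
    'Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC' \
    'Nmap scan report for gateway.lan (192.168.1.1)' \
    'Host is up (0.0010s latency).' \
    'Nmap scan report for 192.168.1.7' \
    'Host is up (0.0023s latency).' \
    'Nmap scan report for printer.lan (192.168.1.20)' \
    'Host is up (0.0051s latency).' \
    'Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'
}

# Usage: nmap_hosts [file ...]   (reads stdin when no file is given)
# Prints one IP address per "Nmap scan report for" line.
nmap_hosts() {
  awk '/^Nmap scan report for / {
    host = $5                            # bare address when there is no DNS name
    if (NF >= 6 && $6 ~ /^\(.*\)$/) {    # "name (address)" form: take the address
      host = $6
      gsub(/[()]/, "", host)
    }
    print host
  }' "$@"
}

# Usage: nmap_hosts_with_names [file ...]
# Same, but keeps the name beside the address (tab separated, "-" when none).
nmap_hosts_with_names() {
  awk '/^Nmap scan report for / {
    if (NF >= 6 && $6 ~ /^\(.*\)$/) {
      addr = $6
      gsub(/[()]/, "", addr)
      printf "%s\t%s\n", addr, $5
    } else {
      printf "%s\t-\n", $5
    }
  }' "$@"
}

# Demo: the address list is what a follow-up "nmap -iL live-hosts.txt" wants.
sample_normal_output | nmap_hosts
```

In real use replace the sample with `nmap -sn 192.168.1.0/24 | nmap_hosts > live-hosts.txt`, or with `nmap_hosts scan.nmap` on output saved with -oN.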

Target Specification

nmap 192.168.1.1 # Scan single IP
nmap 192.168.1.1 192.168.2.1 # Scan specific IPs
nmap 192.168.1.1-254 # Scan a range
nmap scanme.nmap.org # Scan a domain
nmap 192.168.1.0/24 # Scan using CIDR
nmap -iL targets.txt # Scan targets from file
nmap -iR 100 # Scan 100 random hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1 # Exclude listed hosts (--excludefile <file> reads them from a file)

Basic Scanning

# Simple Scans
nmap target # Basic scan of a target
nmap 192.168.1.1/24 # Scan entire subnet
nmap 192.168.1.1-50 # IP range

Port Scanning

# Scan Types
nmap -sS target # TCP SYN scan (default when run as root; needs raw sockets)
nmap -sT target # TCP connect scan (default without root; completes the handshake, so the service sees and may log the connection)
nmap -sU target # UDP scan
nmap -sA target # TCP ACK scan
nmap -sW target # TCP Window scan
nmap -sM target # TCP Maimon scan
# Port Selection
nmap -p 80 target # Scan specific port
nmap -p 80-443 target # Port range
nmap -p- target # All ports (1-65535)
nmap -F target # Fast scan (top 100 ports)
nmap --top-ports 1000 target # Top 1000 ports
nmap -p http,https target # Scan by service name
nmap -p U:53,T:21-25,80 target # Mixed TCP/UDP scan (the U: ports are only probed when -sU is given alongside a TCP scan type)
nmap -p-65535 target # Start from port 1
nmap -p0- target # Scan through port 65535, including port 0

Host Discovery

nmap -sL 192.168.1.1-3 # No Scan, list targets only
nmap -sn target # Ping scan (disable port scan)
nmap -Pn target # Skip ping (assume host is up)
nmap -PS22-25,80 target # TCP SYN discovery on ports
nmap -PA22-25,80 target # TCP ACK discovery on ports
nmap -PU53 target # UDP discovery on port
nmap -PR 192.168.1.1/24 # ARP discovery on local network
nmap -n target # Never do DNS resolution

Service Detection

# Version Detection
nmap -sV target # Detect service versions
nmap -sV --version-light target # Faster version detection
nmap -sV --version-all target # Try all probes
nmap -sV --version-intensity 8 target # Set intensity (0-9; --version-light is 2, the default is 7, --version-all is 9)
nmap -A target # Aggressive scan
# Script Scanning
nmap -sC target # Default script scan
nmap --script=vuln target # Vulnerability scripts (the category includes intrusive checks)
nmap --script=safe target # Safe scripts only
nmap --script=auth target # Authentication scripts

OS Detection

nmap -O target # OS detection
nmap -O --osscan-guess target # Aggressive OS guess
nmap -O --osscan-limit target # Limit OS detection to promising targets
nmap -O --max-os-tries 1 target # Set maximum OS detection tries
nmap -A target # Enable OS detection, version detection, scripts, and traceroute

Timing and Performance

# Timing Templates
nmap -T0 target # Paranoid - IDS evasion
nmap -T1 target # Sneaky - IDS evasion
nmap -T2 target # Polite - slower, resource friendly
nmap -T3 target # Normal - default speed
nmap -T4 target # Aggressive - fast, reliable networks
nmap -T5 target # Insane - very aggressive
# Performance Controls
--host-timeout <time> # Give up after specified time
--min-rate <number> # Send packets no slower than <number>/sec
--max-rate <number> # Send packets no faster than <number>/sec
--min-parallelism <numprobes> # Probe parallelization minimum
--max-parallelism <numprobes> # Probe parallelization maximum
--min-hostgroup <size> / --max-hostgroup <size> # Parallel host scan group sizes

Output Formats

nmap -oN output.txt target # Normal output
nmap -oG output.txt target # Grepable output
nmap -oX output.xml target # XML output
nmap -oA output target # Output in all formats
nmap -v target # Verbose output
nmap -vv target # Very verbose output
nmap --reason target # Show port state reasons
nmap -d target # Debugging
nmap --packet-trace target # Show all packets

NSE Scripts

# Basic Script Usage
nmap --script=default target # Default script set (same as -sC)
nmap --script=banner target # Single script scan
nmap --script "http-*" target # Wildcard script scan (quote it so the shell does not expand the *)
nmap --script "not intrusive" target # Exclude intrusive scripts
# Useful Script Examples
nmap --script=http-sitemap-generator scanme.nmap.org # Generate HTTP site map
nmap --script=dns-brute domain.com # DNS subdomain brute force
nmap --script "whois-*" domain.com # Whois queries (whois-domain, whois-ip)
nmap --script=http-sql-injection target # SQL injection test (intrusive; spiders the site and submits test payloads)
nmap -p 445 --script "smb-enum*,smb-ls,smb-vuln*" target # SMB enumeration and checks

Firewall/IDS Evasion

nmap -f target # Fragment packets (8-byte fragments after the IP header)
nmap --mtu 32 target # Set specific MTU size (must be a multiple of 8)
nmap -D decoy1,decoy2,ME target # Cloak scan with decoys (ME = your own address; RND:5 picks 5 random decoys)
nmap -S spoofed-IP -e iface -Pn target # Spoof source address (replies go to the spoofed host, so you get no results back; needs -e <interface> and usually -Pn)
nmap -g 53 target # Use specific source port (same as --source-port)
nmap --proxies proxy-url target # Relay through HTTP/SOCKS4 proxies (only affects NSE and version detection, not the port scan itself)
nmap --data-length 200 target # Append random data to sent packets
# Combined Evasion Example (-T0 is the paranoid timing template; the "-t 0" found in some copies of this list is not a valid option)
nmap -f -T0 -n -Pn --data-length 200 -D 192.168.1.101,192.168.1.102 target

Helpful Examples

# Web Server Discovery
nmap -p80 -sV -oG - --open 192.168.1.0/24 | grep open
# Live Host Discovery (ping sweep, no DNS; in grepable output every "Host:" line for a responding host carries "Status: Up")
nmap -sn -n 192.168.1.0/24 -oG - | awk '/Status: Up/{print $2}' > live-hosts.txt
# Compare Scan Results
ndiff scan1.xml scan2.xml
# Convert to HTML (uses the nmap.xsl path embedded in the XML; scan with --webxml to reference the online stylesheet instead)
xsltproc nmap.xml -o nmap.html
# Local Network ARP Scan
nmap -PR -sn 192.168.1.0/24 -vv
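The Output Formats section lists -oG, and the web-server example above pipes it through "grep open". That grep also matches the "open|filtered" state that UDP scans report and the "Ignored State: open" trailer, and it returns whole lines rather than host and port fields. The following is an added example, not part of the original cheatsheet, that parses grepable output field by field into a live-host list and an open-port list; the sample output, hosts and service banners in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): parse nmap grepable
# output (-oG) with awk instead of "grep open".
#
# In -oG every host is one line of tab-separated fields. The "Ports:" field is
# a ", "-separated list whose entries look like
#   port/state/proto/owner/service/rpc/version/
# so state and service can be picked out exactly.

# Constructed sample of "nmap -sS -sU -sV -p T:22,80,443,U:53 -v -oG -" (made-up hosts).
sample_grepable() {
  printf '# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sU -sV -p T:22,80,443,U:53 -v -oG - 192.168.1.0/29\n'
  printf 'Host: 192.168.1.1 (gateway.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//nginx 1.18.0/, 53/open|filtered/udp//domain///\tIgnored State: closed (1)\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Down\n'
  printf 'Host: 192.168.1.7 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.7 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///\n'
  printf '# Nmap done at Mon Jan  1 12:00:03 2024 -- 8 IP addresses (2 hosts up) scanned in 3.00 seconds\n'
}

# Usage: nmap_live_hosts [file ...]   (reads stdin when no file is given)
# Prints one address per host whose status is Up.
nmap_live_hosts() {
  awk 'BEGIN { FS = "\t" }
  /^Host: / {
    for (i = 2; i <= NF; i++)
      if ($i == "Status: Up") { split($1, h, " "); print h[2] }
  }' "$@"
}

# Usage: nmap_open_ports [file ...]
# Prints: address<TAB>port/proto<TAB>service[<TAB>version]
# Only state "open" is reported; "open|filtered", "filtered" and "closed" are skipped.
nmap_open_ports() {
  awk 'BEGIN { FS = "\t" }
  /^Host: / {
    split($1, h, " "); addr = h[2]
    for (i = 2; i <= NF; i++) {
      if (substr($i, 1, 7) != "Ports: ") continue
      # entries are separated by ", "; assumes no ", " inside a version string
      n = split(substr($i, 8), entries, ", ")
      for (j = 1; j <= n; j++) {
        split(entries[j], f, "/")      # f: port state proto owner service rpc version
        if (f[2] != "open") continue
        line = addr "\t" f[1] "/" f[3] "\t" f[5]
        if (f[7] != "") line = line "\t" f[7]   # version is only filled in by -sV
        print line
      }
    }
  }' "$@"
}

# Demo on the constructed sample.
echo "== live hosts =="
sample_grepable | nmap_live_hosts
echo "== open ports =="
sample_grepable | nmap_open_ports
```

With real output the pipeline is `nmap -sS -sV -oG - 192.168.1.0/24 | nmap_open_ports`, or `nmap_open_ports scan.gnmap` on a file written with -oG; the tab-separated result sorts and diffs cleanly between scans.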