Mastering Network Scanning: An Ultimate Nmap Cheat Sheet

Hey there! Welcome to our Nmap cheat sheet, which provides a comprehensive guide to Nmap commands and flags. Nmap, also known as Network Mapper, is an open-source tool used to explore networks and audit security. It lets you discover hosts and services on a computer network and uncover valuable network information and security vulnerabilities.

Key Features of Nmap

  1. Host Discovery: Nmap can identify active hosts on a network using various techniques such as TCP, ICMP, and ARP ping scans.
  2. OS Detection: Nmap can identify the operating systems of target hosts.
  3. Service Version Detection: Nmap can determine the versions of services running on open ports, providing valuable insight into potential vulnerabilities.
  4. Port Scanning: Nmap can scan for open ports on target hosts, revealing the services running on those ports and their associated protocols.
  5. Scripting Engine: Nmap’s scripting engine (Nmap Scripting Engine or NSE) allows automation and customization of tasks, such as exploitation and vulnerability scanning.

Basic Nmap Scanning Techniques

Before we dive into the various Nmap commands and flags, let’s start with some basic commands that will help you get started:

The most basic Nmap command is nmap <target>. Replace <target> with the IP address or hostname of the target you want to scan. For example, nmap example.com or nmap 192.168.1.0.

nmap <target>

Scanning multiple targets, nmap <target1> <target2>: This command scans several hosts in one run. Replace <target1> <target2> with the IP addresses or hostnames of the targets you want to scan. For example, nmap 192.168.1.1 192.168.1.0 or nmap example.com example.net.

nmap <target1> <target2>

Scanning an entire subnet, nmap <subnet>: This command scans every address in a subnet given in CIDR notation. For example, nmap 192.168.1.1/24.

nmap <subnet>

Scanning an IP address range, nmap <startIP-endIP>: This command scans a range of IP addresses. For example, nmap 192.168.1.1-192.168.1.100.

nmap <startIP-endIP>

Scanning specific ports, nmap -p <port1,port2,...> <target>: The -p flag selects which ports to scan on a target host; list them separated by commas. For example, nmap -p 80,53 192.168.1.1.

nmap -p <port1,port2,...> <target>

Scanning a range of ports, nmap -p <port>-<port> <target>: This command scans a contiguous range of ports on a target. Replace <port>-<port> with the desired port range (no spaces around the hyphen) and <target> with the IP address or hostname. For example, nmap -p 53-80 example.com or nmap -p 53-80 192.168.1.1.

nmap -p <port>-<port> <target>

Scanning a specific port, nmap -p <port> <target>: This command allows you to scan a specific port on a target. Replace <port> with the desired port number and <target> with the IP address or hostname. For example, nmap -p 80 example.com or nmap -p 80 192.168.1.1.

nmap -p <port> <target>

Aggressive scanning, nmap -A <target>: The -A flag enables aggressive scanning, which includes OS detection and service version detection; it scans the target using the -sS, -sV, and -O flags together, so it provides more detailed information about the target. For example, nmap -A 192.168.1.1.

nmap -A <target>

Fast scan mode, nmap -F <target>: The -F flag enables a fast scan mode, which scans only the most common ports. This is useful when you want to quickly identify open ports on a target. For example, nmap -F example.com.

nmap -F <target>
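The target and port notations above (CIDR subnets, octet ranges, comma lists and port ranges) decide how many hosts and ports a single command line touches, which is easy to underestimate. The following added example (our own code, not part of Nmap) expands those specifications the way Nmap interprets them so you can see the scope before scanning. It handles single IPv4 addresses, CIDR notation such as 192.168.1.1/24, Nmap's octet-range form such as 192.168.1.1-100, and -p arguments such as 80,53, 53-80 or - (all ports); hostnames are passed through unresolved. The sample specifications in the final block are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Added example (not Nmap's own code): expand Nmap-style target and port
# specifications so the scope of a command line is visible before it runs.
# Target forms handled: a single IPv4 address, CIDR notation such as
# 192.168.1.1/24, and Nmap's octet-range form such as 192.168.1.1-100 or
# 10.0.0-3.1-254. Anything else (e.g. a hostname) is passed through
# unchanged; no DNS lookups are performed here.

OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def expand_target(spec: str) -> List[str]:
    """Return every address an Nmap target spec denotes."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, including the
        # network and broadcast addresses, so a /24 is 256 hosts.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) == 4 and all(OCTET.match(p) for p in parts):
        ranges = []
        for p in parts:
            lo_s, hi_s = OCTET.match(p).groups()
            lo = int(lo_s)
            hi = int(hi_s) if hi_s is not None else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range in {spec!r}")
            ranges.append(range(lo, hi + 1))
        return [
            f"{a}.{b}.{c}.{d}"
            for a in ranges[0] for b in ranges[1] for c in ranges[2] for d in ranges[3]
        ]
    return [spec]


def expand_ports(spec: str) -> Set[int]:
    """Expand a -p argument: '80,53', '53-80', '1-1024,8080', or '-' (1-65535)."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if item == "-":
            lo, hi = 1, 65535          # nmap -p- means every port from 1 to 65535
        elif "-" in item:
            a, b = item.split("-", 1)  # open-ended forms like '1024-' are allowed
            lo, hi = int(a or 1), int(b or 65535)
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def scan_scope(targets: List[str], port_spec: str) -> Dict[str, int]:
    """Count hosts, ports and resulting probes for a target list and -p spec."""
    hosts = [h for t in targets for h in expand_target(t)]
    ports = expand_ports(port_spec)
    return {"hosts": len(hosts), "ports": len(ports), "probes": len(hosts) * len(ports)}


if __name__ == "__main__":
    # Constructed example, equivalent in scope to:
    #   nmap -p 53-80 192.168.1.1/24 192.168.1.1-100
    print(scan_scope(["192.168.1.1/24", "192.168.1.1-100"], "53-80"))
```

Running the script shows that a /24 plus a 100-address octet range with ports 53-80 amounts to 356 hosts and 28 ports, i.e. 9968 port probes, before any version detection or scripts add traffic on top. Note that -p- is expanded as 1-65535, which is what Nmap means by it; port 0 is only included when you write it explicitly (for example 0-1024).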

Commonly Used Nmap Flags

Nmap offers a wide range of flags that allow you to customize your scans and obtain specific information about the target. Here are some commonly used Nmap flags:

-sS: This flag enables a TCP SYN scan, also known as a stealth scan, which is the default and most commonly used scan type according to nmap.org. It is quiet and stealthy, and it is considered a half-open scan because it never completes the full TCP handshake: it sends a SYN packet to each of the target's ports and analyzes the response to determine whether the port is open, closed, or filtered.

nmap -sS <target>

-sT: This flag enables a TCP connect scan, which establishes a full TCP connection with each of the target's ports. It is slower than a SYN scan but provides more accurate results.

nmap -sT <target>

-sU: This flag enables UDP scan, which is used to scan for open UDP ports. UDP scans are generally slower than TCP scans, according to nmap.org.

nmap -sU <target>

-O: This flag enables OS detection, which attempts to determine the operating system running on the target. It analyzes various network characteristics and compares them to a database of known operating system signatures.

nmap -O <target>

-sV: This flag enables service version detection, which attempts to determine the version of the services running on the target’s ports. It sends probes to the target’s ports and compares the responses to a database of known service signatures.

nmap -sV <target>

-T<0-5>: This flag sets the timing template for the scan. The higher the number, the faster the scan, but also the higher the risk of detection. The default timing template is 3.

nmap <target> -T<0-5>

-p-: This flag scans all 65535 ports on the target. By default, Nmap only scans the top 1000 most common ports.

nmap -p- <target>

Advanced Nmap Commands

Now that you are familiar with the basic commands and commonly used flags let’s explore some advanced Nmap commands that provide additional functionality:

Nmap Scripting Engine (NSE)

The -sC flag enables script scanning, which allows you to run Nmap scripts against the target. Nmap scripts are written in the Lua programming language and provide additional functionality, such as vulnerability detection and service enumeration.

nmap -sC <target>

This command allows you to run a specific Nmap script against the target. Replace <script> with the name of the script you want to run. For example, nmap --script http-enum example.com.

nmap --script <script> <target>

This command enables you to run the default set of Nmap scripts against the target.

nmap --script=default <target>

This command allows you to run scripts against specific ports.

nmap --script=<script> -p <port> <target>

Nmap Output

The -oX flag saves the scan results in XML format. This is useful when you want to parse the results programmatically or import them into other tools for further analysis.

nmap -oX <output.xml> <target>

The -oN flag saves the scan results in normal (human-readable) format. This is the default output format if no other format is specified.

nmap -oN <output.txt> <target>

The -oA flag saves scan results in all three major formats simultaneously (normal, XML, and grepable). According to nmap.org it is the convenient choice: the results are stored in <basename>.nmap, <basename>.xml, and <basename>.gnmap, respectively.

nmap -oA <basename> <target>

The -v flag enables verbose output, which provides more detailed information about the scan progress and results. It can be useful for troubleshooting or when you need more visibility into the scanning process.

nmap -v <target>

Conclusion

In this Nmap cheat sheet, we have covered the basic Nmap commands, commonly used flags, and advanced commands that provide additional functionality. Nmap is a powerful tool that can help you discover hosts and services on a network, identify open ports, and gather valuable information for network exploration and security auditing.

Remember to always use Nmap responsibly and with proper authorization. Unauthorized scanning of networks or hosts is illegal and can lead to severe consequences. Use Nmap to enhance your network security and gain valuable insights into your network infrastructure.

We hope this cheat sheet has provided you with a solid foundation for using Nmap effectively. Happy scanning!
