NMAP CheatSheet

| Scan Type | Command |
|---|---|
| ARP Scan | sudo nmap -PR -sn /24 |
| ICMP Echo Scan | sudo nmap -PE -sn /24 |
| ICMP Timestamp Scan | sudo nmap -PP -sn /24 |
| ICMP Address Mask Scan | sudo nmap -PM -sn /24 |
| TCP SYN Ping Scan | sudo nmap -PS22,80,443 -sn /30 |
| TCP ACK Ping Scan | sudo nmap -PA22,80,443 -sn /30 |
| UDP Ping Scan | sudo nmap -PU53,161,162 -sn /30 |
| TCP Connect Scan | nmap -sT |
| TCP SYN Scan | sudo nmap -sS |
| UDP Scan | sudo nmap -sU |
| TCP Null Scan | sudo nmap -sN |
| TCP FIN Scan | sudo nmap -sF |
| TCP Xmas Scan | sudo nmap -sX |
| TCP Maimon Scan | sudo nmap -sM |
| TCP ACK Scan | sudo nmap -sA |
| TCP Window Scan | sudo nmap -sW |
| Custom TCP Scan | sudo nmap --scanflags URGACKPSHRSTSYNFIN |
| Spoofed Source IP | sudo nmap -S SPOOFED_IP |
| Spoofed MAC Address | --spoof-mac SPOOFED_MAC |
| Decoy Scan | nmap -D DECOY_IP,ME |
| Idle (Zombie) Scan | sudo nmap -sI ZOMBIE_IP |

| Flag | Purpose |
|---|---|
| -f | Fragment IP data into 8 bytes |
| -ff | Fragment IP data into 16 bytes |
| -p- | All Ports |
| -p1-1023 | Scan Ports 1 to 1023 |
| -F | 100 Most Common Ports |
| -r | Scan Ports in Consecutive Order |
| -T<0-5> | -T0 being the Slowest and -T5 the Fastest |
| --max-rate 50 | Rate <= 50 packets/sec |
| --min-rate 15 | Rate >= 15 packets/sec |
| --min-parallelism 100 | At least 100 Probes in Parallel |
| --source-port PORT_NUM | Specify source port number |
| --data-length NUM | Append random data to reach given length |
| --traceroute | Run traceroute to target |
| --reason | Explains how Nmap made its conclusion |
| -v | Verbose |
| -vv | Very verbose |
| -d | Debugging |
| -dd | More details for debugging |