Quick Guide on “nmap : Cheat Sheet”


Information gathering needs a set of basic commands, and a single tool can have many of them. Anyone who has played video games on PC or PlayStation knows that nearly every game has a cheat sheet (GTA on PC, for example, has cheats such as leavemealone and seaways). Our main information-gathering tools have cheat sheets in the same sense: a short list of the commands worth remembering.

Also read: Information Gathering Online Tools

Here we cover the well-known tool nmap.

Most people already know a few of these commands, perhaps two in ten; this page collects the full set.

Before proceeding, please read the warning below.

Warning: Scanning any website, web application or organization without the owner's permission is illegal, and depending on the country it may be a criminal offence. This material is for educational purposes only; #TeamKnowledgeSuttra neither encourages nor advises you to scan systems you are not authorized to test. Do this at your own risk.


Target Specification

nmap <ip>  Scan a single IP
nmap <ip1> <ip2>  Scan specific IPs
nmap <ip>-<last-octet>  Scan a range (the last octet written as first-last)
nmap scanme.nmap.org  Scan a domain
nmap <network>/<prefix>  Scan using CIDR notation
nmap -iL targets.txt  Scan targets from a file
nmap -iR 100  Scan 100 random hosts
nmap --exclude <host1>,<host2>  Exclude listed hosts (--excludefile <file> reads them from a file)

Scan Techniques

nmap -sS  TCP SYN port scan (default when run as root, since it needs raw sockets)
nmap -sT  TCP connect port scan (default for unprivileged users)
nmap -sU  UDP port scan
nmap -sA  TCP ACK port scan (maps firewall rules; does not tell open from closed)
nmap -sW  TCP Window port scan
nmap -sM  TCP Maimon port scan



Host Discovery

nmap -sL  No scan. List targets only
nmap -sn  Disable port scanning. Host discovery only
nmap -Pn  Disable host discovery. Port scan only (treats every host as up)
nmap -PS22-25,80  TCP SYN discovery on port x. Port 80 by default
nmap -PA22-25,80  TCP ACK discovery on port x. Port 80 by default
nmap -PU53  UDP discovery on port x. Port 40125 by default
nmap -PR  ARP discovery on local network (used automatically for targets on the local Ethernet segment)
nmap -n  Never do DNS resolution


Port Specification

nmap -p 21  Port scan for port x
nmap -p 21-100  Port range
nmap -p U:53,T:21-25,80  Port scan multiple TCP and UDP ports (a T:/U: qualifier applies until the next qualifier, so 80 here is TCP)
nmap -p-  Port scan all ports
nmap -p http,https  Port scan by service name (looked up in nmap-services)
nmap -F  Fast port scan (the 100 most common ports)
nmap --top-ports 2000  Port scan the top x ports (by frequency in nmap-services)
nmap -p-65535  Leaving off the initial port in a range makes the scan start at port 1
nmap -p0-  Leaving off the end port in a range makes the scan go through to port 65535
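As an added example (not part of the original cheat sheet, and not nmap's own code), the following POSIX shell functions expand a -p port specification using exactly the rules in the table above: an omitted start means port 1, an omitted end means 65535, and a T:/U:/S: qualifier applies to every item after it until the next qualifier, with TCP assumed before any qualifier. Service names such as -p http are deliberately rejected, since resolving them needs nmap's nmap-services file. The function names are my own.

```shell
#!/bin/sh
# Added example: expand an nmap -p port specification into "proto port" lines.
# Rules implemented (from the cheat sheet): "-65535" starts at 1, "0-" ends at
# 65535, "-" is 1-65535, and a T:/U:/S: qualifier sticks until the next one.
# Function names are hypothetical; this is not nmap's own parser.

nmap_portspec_expand() {
    spec=$1
    proto=tcp                       # nmap treats unqualified ports as TCP
    oldifs=$IFS
    IFS=','
    for item in $spec; do           # split the spec on commas
        IFS=$oldifs
        [ -z "$item" ] && continue
        case $item in               # a qualifier changes the protocol for the rest of the spec
            T:*) proto=tcp;  item=${item#T:} ;;
            U:*) proto=udp;  item=${item#U:} ;;
            S:*) proto=sctp; item=${item#S:} ;;
        esac
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        [ -z "$lo" ] && lo=1        # "-65535": missing start means port 1
        [ -z "$hi" ] && hi=65535    # "0-": missing end means port 65535
        case "$lo$hi" in
            *[!0-9]*)
                echo "unsupported port item (service names need nmap-services): $item" >&2
                return 1 ;;
        esac
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            echo "bad port range: $item" >&2
            return 1
        fi
        seq "$lo" "$hi" | sed "s/^/$proto /"
    done
    IFS=$oldifs
}

# Count how many (proto, port) pairs a spec covers; handy for estimating scan time.
nmap_portspec_count() {
    nmap_portspec_expand "$1" | wc -l | tr -d ' '
}
```

Calling `nmap_portspec_count 'U:53,T:21-25,80'` gives 7, and `nmap_portspec_expand 'U:53,80'` ends with `udp 80`, which is the qualifier-persistence rule that trips people up when they mix protocols in one -p argument.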

Service and Version Detection

nmap -sV  Attempts to determine the version of the service running on each open port
nmap -sV --version-intensity 8  Intensity level 0 to 9. Higher number increases possibility of correctness
nmap -sV --version-light  Enable light mode (intensity 2). Lower possibility of correctness. Faster
nmap -sV --version-all  Enable intensity level 9. Higher possibility of correctness. Slower
nmap -A  Enables OS detection, version detection, script scanning, and traceroute
nmap -O  Remote OS detection using TCP/IP stack fingerprinting (needs raw packets, so root)
nmap -O --osscan-limit  Skip OS detection against hosts without at least one open and one closed TCP port
nmap -O --osscan-guess  Makes Nmap guess more aggressively when no exact match is found
nmap -O --max-os-tries 1  Set the maximum number x of OS detection tries against a target

Timing and Performance

nmap -T0 Paranoid (0) Intrusion Detection System evasion
nmap -T1  Sneaky (1) Intrusion Detection System evasion
nmap -T2  Polite (2) slows down the scan to use less bandwidth and use less target machine resources
nmap -T3  Normal (3) which is default speed
nmap -T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
nmap -T5  Insane (5) speeds scan; assumes you are on an extraordinarily fast network

NSE Scripts

nmap -sC  Scan with default NSE scripts. Considered useful for discovery and safe
nmap --script default  Same as -sC
nmap --script=banner  Scan with a single script. Example: banner
nmap --script=http*  Scan with a wildcard. Example: every script whose name starts with http
nmap --script=http,banner  Scan with two scripts. Example: http and banner
nmap --script "default and not intrusive"  Scan with the default scripts, minus any also tagged intrusive (a plain "not intrusive" expression would run every non-intrusive script, far more than the default set)
nmap --script snmp-sysdescr --script-args snmpcommunity=admin  NSE script with arguments

Firewall / IDS Evasion and Spoofing

nmap -f  Requested scan (including ping scans) uses tiny fragmented IP packets. Harder for packet filters. Applies only to raw-packet scans such as -sS, not to -sT
nmap --mtu 32  Set your own fragment size (must be a multiple of 8)
nmap -D <decoy1>,<decoy2>,ME,<decoy3>  Send scans from spoofed decoy IPs alongside your own (ME marks your real address in the list)
nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip  Above example explained
nmap -S www.microsoft.com www.facebook.com  Scan Facebook with the source address spoofed as Microsoft (-e eth0 -Pn may be required). Replies go to the spoofed address, so you only see results if you can sniff them
nmap -g 53  Use given source port number (also --source-port)
nmap --proxies <url1>,<url2>  Relay connections through a chain of HTTP/SOCKS4 proxies. Only NSE and version detection use the proxy; ping, port scanning and OS detection are unaffected
nmap --data-length 200  Appends random data to sent packets


Output

nmap -oN normal.file  Normal output to the file normal.file
nmap -oX xml.file  XML output to the file xml.file
nmap -oG grep.file  Grepable output to the file grep.file
nmap -oA results  Output in the three major formats at once (results.nmap, results.xml, results.gnmap)
nmap -oG -  Grepable output to screen. -oN -, -oX - also usable
nmap -oN file.file --append-output  Append a scan to a previous scan file
nmap -v  Increase the verbosity level (use -vv or more for greater effect)
nmap -d  Increase debugging level (use -dd or more for greater effect)
nmap --reason  Display the reason a port is in a particular state (turned on automatically by -d)
nmap --open  Only show open (or possibly open) ports
nmap -T4 --packet-trace  Show all packets sent and received
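Grepable output exists so that results can be post-processed with awk, grep and sort, which the table above does not show. As an added example (not nmap's own code; the function names are mine and the two scan files are constructed, not real results), the shell functions below extract every open or open|filtered port from a -oG file and then diff a baseline scan against a later one to list ports that have newly opened. A -oG host line is tab-separated: a "Host: <ip> (<name>)" field, a "Ports: " field whose entries are "port/state/proto/owner/service/rpc/version/" separated by ", ", and an "Ignored State:" field; lines starting with # are headers.

```shell
#!/bin/sh
# Added example: pull open ports out of nmap grepable (-oG) output and diff two
# scans of the same targets to find newly exposed ports. Not nmap's own code;
# the function names are hypothetical, and the sample scan lines are constructed.

# Print "host proto port state service" for every open or open|filtered port in a -oG file.
nmap_grepable_open() {
    awk 'BEGIN { FS = "\t" }
        /^#/ { next }                              # "# Nmap ... scan initiated" header lines
        {
            host = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Host: /) { split($i, h, " "); host = h[2] }
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")   # one entry per port
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")  # port/state/proto/owner/service/rpc/version/
                        if (f[2] ~ /^open/)        # "open" and "open|filtered" (UDP)
                            print host, f[3], f[1], f[2], (f[5] == "" ? "-" : f[5])
                    }
                }
            }
        }' "$1"
}

# Lines present in the second scan but not the first: ports that opened since the baseline.
nmap_grepable_new_open() {
    old=$(mktemp); new=$(mktemp)
    nmap_grepable_open "$1" | LC_ALL=C sort > "$old"
    nmap_grepable_open "$2" | LC_ALL=C sort > "$new"
    LC_ALL=C comm -13 "$old" "$new"                # comm needs both inputs sorted the same way
    rm -f "$old" "$new"
}

# Constructed sample -oG files (not real scan results): a baseline and a later scan
# in which 3306/tcp on the first host and 443/tcp on the second have opened up.
write_sample_scans() {
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.10 (srv1.lab)\tPorts: %s\tIgnored State: closed (998)\n' \
            '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/'
        printf 'Host: 192.168.1.20 ()\tPorts: %s\tIgnored State: filtered (998)\n' \
            '53/open|filtered/udp//domain///, 443/closed/tcp//https///'
    } > "$1"
    {
        printf '# Nmap 7.94 scan initiated (constructed sample)\n'
        printf 'Host: 192.168.1.10 (srv1.lab)\tPorts: %s\tIgnored State: closed (997)\n' \
            '22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 8.0.33/'
        printf 'Host: 192.168.1.20 ()\tPorts: %s\tIgnored State: filtered (998)\n' \
            '53/open|filtered/udp//domain///, 443/open/tcp//https//nginx 1.18.0/'
    } > "$2"
}

# Run the diff over the constructed samples; swap in two real -oG files for actual use.
nmap_grepable_demo() {
    base=$(mktemp); later=$(mktemp)
    write_sample_scans "$base" "$later"
    nmap_grepable_new_open "$base" "$later"
    rm -f "$base" "$later"
}
```

Calling `nmap_grepable_demo` prints the two newly opened ports, one per line. For a real baseline check, write both scans with -oA (the .gnmap file is the grepable one) and pass those paths to `nmap_grepable_new_open`; the filter treats UDP open|filtered as open, so expect those lines to need manual confirmation.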

Miscellaneous Options

nmap --iflist  Shows the host interfaces and routes
nmap --resume results.file  Resume an aborted scan from its output file
nmap -6 2607:f0d0:1002:51::4  Enable IPv6 scanning
nmap -h  nmap help screen
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn  Discovery only on ports x, no port scan
nmap -PR -sn -vv  ARP discovery only on local network, no port scan
nmap -iR 10 -sn --traceroute  Traceroute to random targets, no port scan
nmap -sL --dns-server <dns-ip> <targets>  Query the internal DNS server for host names, list targets only








