
nmap Cheat Sheet: Commands you should know


Basic Nmap commands

Basic nmap scan

Scans the 1,000 most common TCP ports on the target. Run as root this is a SYN scan (-sS); without raw-socket privileges Nmap silently falls back to a TCP connect scan (-sT).

Command
nmap <target>
Example
nmap 192.168.1.1

Scan of a specific port

Scans a single port on the specified target. Several ports can be given as a comma-separated list, and protocols can be mixed, e.g. -p U:53,T:22,80.

Command
nmap -p <port> <target>
Example
nmap -p 80 192.168.1.1

Scan of port range

Scans every port in the specified range. Ranges and single ports can be combined, e.g. -p 22,80,443,8000-8100.

Command
nmap -p <start port>-<end port> <target>
Example
nmap -p 80-100 192.168.1.1

Scan of all 65535 Ports

Scans all 65,535 TCP ports (1-65535). Port 0 is not included; use -p0- if you want it. Expect this to take far longer than the default scan, especially against filtered hosts.

Command
nmap -p- <target>
Example
nmap -p- 192.168.1.1

Advanced scanning techniques

TCP SYN Scan

Sends a SYN and never completes the handshake (a "half-open" scan), so it is fast and the connection never reaches the application on the target, which makes it less likely to be logged there. Requires raw-socket privileges (root) and is the default scan type when you have them.

Command
nmap -sS <target>
Example
nmap -sS 192.168.1.1

TCP Connect Scan

Completes the full three-way handshake through the operating system's socket API. Works without root privileges, but is slower and the connection is visible to the application on the target, so it is more likely to be logged.

Command
nmap -sT <target>
Example
nmap -sT 192.168.1.1

UDP Scan

Scans UDP ports. This is slow: closed ports answer with an ICMP port-unreachable message that most systems rate-limit, and open ports often do not answer at all, so Nmap reports them as open|filtered. Combine with -sV to confirm suspected open ports by sending protocol-specific payloads. Requires root.

Command
nmap -sU <target>
Example
nmap -sU 192.168.1.1

ACK Scan

Sends bare ACK packets to classify ports as filtered or unfiltered. It never tells you whether a port is open; its purpose is to map firewall rules and to distinguish a stateful firewall (ACKs dropped) from a stateless packet filter. Requires root.

Command
nmap -sA <target>
Example
nmap -sA 192.168.1.1

Window Scan

Identical to the ACK scan on the wire, but inspects the TCP window field of the RST replies to infer open versus closed ports. Only a minority of TCP stacks expose this quirk, so treat the results with caution. Requires root.

Command
nmap -sW <target>
Example
nmap -sW 192.168.1.1

FIN Scan

Sends bare FIN packets: closed ports reply with RST, open ports stay silent. Can slip past stateless packet filters that only look for SYNs, but Windows and several other stacks answer every port with RST, so all ports then appear closed. Requires root.

Command
nmap -sF <target>
Example
nmap -sF 192.168.1.1

Identification and Detection

OS Detection

Fingerprints the operating system of the target host from its TCP/IP stack behaviour. Requires root and works best when at least one open and one closed TCP port are found.

Command
nmap -O <target>
Example
nmap -O 192.168.1.1

Version detection

Probes the open ports to identify the service and version running behind them (banner grabbing plus Nmap's probe database).

Command
nmap -sV <target>
Example
nmap -sV 192.168.1.1

Aggressive Scan

Performs a comprehensive scan: OS detection (-O), version detection (-sV), default script scan (-sC) and traceroute (--traceroute) in one go. Noisy and easy to detect; use it when stealth does not matter.

Command
nmap -A <target>
Example
nmap -A 192.168.1.1

Traceroute

Determines the path from your computer to the target host.

Command
nmap --traceroute <target>
Example
nmap --traceroute 192.168.1.1

Network Exploration

Ping Scan

Host discovery only: checks which hosts are up without scanning ports. As root Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; unprivileged it falls back to TCP connect attempts to ports 80 and 443.

Command
nmap -sn <network>
Example
nmap -sn 192.168.1.0/24

List Scan

Lists the targets that would be scanned and performs reverse-DNS lookups for them, but sends no packets to the targets themselves. Useful for checking a target specification (or reviewing a target file) before a real scan.

Command
nmap -sL <network>
Example
nmap -sL 192.168.1.0/24

Scan multiple targets

Scans multiple targets in a single command.

Command
nmap <target 1> <target 2> ...
Example
nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scan list of targets

Scans every target listed in the file, one per line. Entries can be IP addresses, hostnames or CIDR ranges, i.e. anything accepted on the command line.

Command
nmap -iL <path to file>
Example
nmap -iL targets.txt

Stealth techniques and bypassing firewalls

Fragmented packet scan

Splits the TCP header over several tiny IP fragments to confuse packet filters and IDS that do not reassemble fragments. -ff uses 16-byte fragments instead of 8. Some hosts and intermediate devices drop fragmented packets altogether, so results can differ from an unfragmented scan.

Command
nmap -f <target>
Example
nmap -f 192.168.1.1

Decoy scan

Mixes the real probes with probes spoofed from decoy addresses, so an observer cannot easily tell which source is the real scanner. Use ME in the list to position your own address, or RND:<n> for n random decoys. Only works with raw-packet scans (not -sT or version detection), and the decoy hosts should be up, otherwise the target may effectively be SYN-flooded.

Command
nmap -D <decoy1,decoy2,ME,...> <target>
Example
nmap -D RND:10 192.168.1.1
nmap -D 192.168.1.5,192.168.1.6,ME 192.168.1.1

Spoofing of source IP

Sends the probes with a spoofed source address. Replies go to that address, not to you, so you will see nothing unless you can sniff the traffic on the path; this is mainly useful for testing how a firewall treats a given source. Nmap cannot determine routing for an address it does not own, so you usually also need -e <interface> and -Pn.

Command
nmap -S <fake IP> <target>
Example
nmap -S 192.168.1.100 192.168.1.1

Output and Reporting

Normal Output

Saves the scan results in Nmap's normal, human-readable format to a file. Output to the screen continues as usual.

Command
nmap -oN <filename> <target>
Example
nmap -oN scan_results.txt 192.168.1.1

XML Output

Saves the scan results as XML. This is the format to use when feeding results into other tools or scripts, since it is the only one that carries every detail of the scan in a stable structure.

Command
nmap -oX <filename> <target>
Example
nmap -oX scan_results.xml 192.168.1.1

Grep-able Output

Saves the scan results in grepable format: one line per host with tab-separated fields, convenient for quick processing with grep, awk or cut.

Command
nmap -oG <filename> <target>
Example
nmap -oG scan_results.gnmap 192.168.1.1

All Output Formats

Saves the scan results in all three formats at once (normal, XML, grepable), writing <filename>.nmap, <filename>.xml and <filename>.gnmap.

Command
nmap -oA <filename> <target>
Example
nmap -oA scan_results 192.168.1.1
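As an added example that is not part of the original cheat sheet, the bash script below ties the Network Exploration and Output sections together: it reads the grepable file of a host-discovery scan (-sn -oG) to build a targets file for -iL, and reduces the grepable output of the follow-up port scan to a list of open ports. The two .gnmap sample files are constructed inline to mimic Nmap 7.x grepable layout (not real scan data), the IP addresses and service versions are placeholders, and the real nmap invocation only runs when nmap is installed and RUN_NMAP=1 is set, because the port scan needs root and a network.

```shell
#!/usr/bin/env bash
# Added example: post-processing Nmap grepable (-oG) output with awk.
# Not part of the original cheat sheet. Assumes the Nmap 7.x grepable layout:
# tab-separated fields "Host: <ip> (<rdns>)", "Status: Up|Down" and
# "Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...".
set -eu

# Print the IP of every host reported as up (input: a -sn -oG file),
# one per line, ready to be consumed by "nmap -iL".
live_hosts() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) if ($i == "Status: Up") print ip
        }' "$1"
}

# Print "ip,port,proto,service,version" for every open port (input: a port-scan -oG file).
# UDP ports that Nmap can only call open|filtered are deliberately left out.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    m = split(entry[j], f, "/")
                    # f[1]=port f[2]=state f[3]=proto f[4]=owner f[5]=service f[6]=rpc
                    # f[7..m-1]=version (rejoined in case the version text itself had a slash)
                    version = f[7]
                    for (k = 8; k < m; k++) version = version "/" f[k]
                    if (f[2] == "open") printf "%s,%s,%s,%s,%s\n", ip, f[1], f[3], f[5], version
                }
            }
        }' "$1"
}

# Write constructed sample files (placeholder data, not a real scan) into directory $1.
make_samples() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -oG ping.gnmap 192.168.1.0/24\n' > "$1/ping.gnmap"
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n' >> "$1/ping.gnmap"
    printf 'Host: 192.168.1.7 ()\tStatus: Down\n' >> "$1/ping.gnmap"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$1/ping.gnmap"
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds\n' >> "$1/ping.gnmap"

    printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -iL targets.txt -oA ports\n' > "$1/ports.gnmap"
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n' >> "$1/ports.gnmap"
    printf 'Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n' >> "$1/ports.gnmap"
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n' >> "$1/ports.gnmap"
    printf 'Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (999)\n' >> "$1/ports.gnmap"
}

# The two-stage workflow: discovery file -> targets.txt -> port scan -> open-port list.
# Stage 1 is assumed to have run already:  nmap -sn -oG "$dir/ping.gnmap" 192.168.1.0/24
scan_pipeline() {
    dir=$1
    live_hosts "$dir/ping.gnmap" > "$dir/targets.txt"
    # Stage 2: port-scan only the live hosts; -oA also yields ports.nmap and ports.xml.
    # Only executed when nmap is installed and RUN_NMAP=1 (needs root for -sS);
    # otherwise the constructed ports.gnmap stands in for the scan output.
    if [ "${RUN_NMAP:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
        nmap -sS -sV -iL "$dir/targets.txt" -oA "$dir/ports" >/dev/null
    fi
    # Stage 3: reduce the grepable output to ip,port,proto,service,version
    open_ports "$dir/ports.gnmap"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_pipeline "$demo_dir"
rm -r "$demo_dir"
```

The parser relies on two properties of the grepable format: fields are tab-separated, and port entries are separated by a comma and a space with each sub-field separated by a slash. For anything more involved than a quick triage list, parse the XML output (-oX) instead, since the grepable format carries neither script results nor OS details.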

Scripting and Expandability

Script Scanning

Runs the default set of Nmap Scripting Engine (NSE) scripts; equivalent to --script=default.

Command
nmap -sC <target>
Example
nmap -sC 192.168.1.1

Execute specific scripts

Runs one or more named NSE scripts (comma-separated; wildcards such as http-* are allowed). Script arguments are passed with --script-args, and --script-help <name> shows what a script does before you run it.

Command
nmap --script <script name> <target>
Example
nmap --script http-title 192.168.1.1

Execute script categories

Runs every script in a category (e.g. --script vuln for vulnerability checks). Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln. Categories can be combined with boolean expressions, e.g. --script "vuln and safe". Note that brute, dos, exploit and intrusive scripts can crash or lock out services, and external scripts send data to third-party services.

Command
nmap --script <category> <target>
Example
nmap --script vuln 192.168.1.1

Timing and Performance

Timing Template

Sets the speed of the scan: -T0 (paranoid) is the slowest, -T5 (insane) the fastest, -T3 is the default. -T4 is the usual choice on reliable networks; -T5 may drop results because of too-short timeouts.

Command
nmap -T<0-5> <target>
Example
nmap -T4 192.168.1.1

Maximum parallel probes

Caps the number of probes outstanding at once against a host group (Nmap normally adjusts this dynamically based on network conditions) to limit network load. --min-parallelism is the counterpart for forcing a floor.

Command
nmap --max-parallelism <amount> <target>
Example
nmap --max-parallelism 10 192.168.1.1

Minimum host group

Sets the minimum number of hosts scanned in parallel as one group. Larger groups speed up scans of big networks, but results for any single host only appear once the whole group is done. --max-hostgroup sets the upper bound.

Command
nmap --min-hostgroup <amount> <network>
Example
nmap --min-hostgroup 50 192.168.1.0/24

Further nmap Options

IPv6 Scan

Scans an IPv6 target; hostnames resolving to AAAA records also work. Not every raw-packet feature is available for IPv6, so check the Nmap documentation for the option you need.

Command
nmap -6 <target>
Example
nmap -6 2001:db8::ff00:42:8329

Silent Execution

Runs the scan without any normal output on the screen. Combine with -oN, -oX or -oA so the results still land in a file.

Command
nmap -v0 <target>
Example
nmap -v0 192.168.1.1

Scan delay

Waits at least the given time between probes sent to a host (e.g. 5s, 500ms). This slows the scan drastically, but helps stay below the rate thresholds of IDS/IPS and of hosts that rate-limit replies. --max-rate <packets per second> is the alternative when you want to cap the overall rate instead.

Command
nmap --scan-delay <time> <target>
Example
nmap --scan-delay 5s 192.168.1.1

Nmap is an extremely powerful tool and the commands listed here are only a fraction of the options available. Each command can be further customized and combined to meet specific requirements and scenarios.

#HappyHacking
