Nmap Cheatsheet

Live Host Discovery

Option	Purpose
`-n`	no DNS lookup
`-R`	reverse-DNS lookup for all hosts
`-sn`	host discovery only

Option	Purpose
`-p-`	all ports
`-p1-1023`	scan ports 1 to 1023
`-F`	100 most common ports
`-r`	scan ports in consecutive order
`-T<0-5>`	-T0 being the slowest and T5 the fastest
`--max-rate 50`	rate <= 50 packets/sec
`--min-rate 15`	rate >= 15 packets/sec
`--min-parallelism 100`	at least 100 probes in parallel


Port Scan Type	Example Command
TCP Null Scan	`sudo nmap -sN MACHINE_IP`
TCP FIN Scan	`sudo nmap -sF MACHINE_IP`
TCP Xmas Scan	`sudo nmap -sX MACHINE_IP`
TCP Maimon Scan	`sudo nmap -sM MACHINE_IP`
TCP ACK Scan	`sudo nmap -sA MACHINE_IP`
TCP Window Scan	`sudo nmap -sW MACHINE_IP`
Custom TCP Scan	`sudo nmap --scanflags URGACKPSHRSTSYNFIN MACHINE_IP`
Spoofed Source IP	`sudo nmap -S SPOOFED_IP MACHINE_IP`
Spoofed MAC Address	`--spoof-mac SPOOFED_MAC`
Decoy Scan	`nmap -D DECOY_IP,ME MACHINE_IP`
Idle (Zombie) Scan	`sudo nmap -sI ZOMBIE_IP MACHINE_IP`
Fragment IP data into 8 bytes	`-f`
Fragment IP data into 16 bytes	`-ff`

Option	Purpose
`--source-port PORT_NUM`	specify source port number
`--data-length NUM`	append random data to reach given length

Option	Purpose
`--reason`	explains how Nmap made its conclusion
`-v`	verbose
`-vv`	very verbose
`-d`	debugging
`-dd`	more details for debugging


Option	Meaning
`-sV`	determine service/version info on open ports
`-sV --version-light`	try the most likely probes (2)
`-sV --version-all`	try all available probes (9)
`-O`	detect OS
`--traceroute`	run traceroute to target
`--script=SCRIPTS`	Nmap scripts to run
`-sC` or `--script=default`	run default scripts
`-A`	equivalent to `-sV -O -sC --traceroute`
`-oN`	save output in normal format
`-oG`	save output in grepable format
`-oX`	save output in XML format
`-oA`	save output in normal, XML and Grepable formats