Nmap Cheatsheet

Nmap Quick commands

Ping Sweep

nmap -sn <ipaddress range>-<ipaddress range>

List Scan aka reverse-dns lookup

On a corporate network this is a better choice: it enumerates hosts with reverse DNS lookups instead of ICMP requests, which might get dropped. Always be enumerating! The real value is the information you might get back: endpoint naming conventions, etc.

nmap -sL

TCP and UDP scan - Short hand

Add a UDP scan to a SYN scan by appending U

nmap -sSU

This is the same as -sS -sU

OS and Version detection

nmap -sS -A


Top Ports

Only scan the top x most commonly used ports (with -sSU this means the top x TCP ports and the top x UDP ports)

nmap -sSU -A --top-ports 10

All ports - short hand

nmap -sS -p-

Output Types

  • -oN - Normal
  • -oX - XML
  • -oS - Don’t use this one (Skript Kiddie output)
  • -oG - Greppable
  • -oA - All formats except Skript Kiddie

Greppable output with a date stamp in the file name (%D expands to the date as mmddyy)

nmap -sS -A -oG nmap-scan%D

Open Ports Only

nmap -sS --open
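To turn the greppable (-oG) output from the commands above into a quick per-host inventory of open ports, here is an added POSIX shell example; it is not part of the original cheatsheet, and the .gnmap sample it parses is constructed, with made-up hosts that were never scanned.

```shell
#!/bin/sh
# Constructed sample of nmap -oG (grepable) output; the hosts are made up.
# Fields are tab-separated, as in a real .gnmap file, so tabs are written with printf.
SAMPLE_GNMAP=$(mktemp)
{
  printf '# Nmap 7.94 scan initiated as: nmap -sS -A --open -oG nmap-scan%%D 192.0.2.0/24\n'
  printf 'Host: 192.0.2.10 (host10.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.10 (host10.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/\tOS: Windows\tIgnored State: closed (999)\n'
  printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
} > "$SAMPLE_GNMAP"

# Print one line per open port: "<ip> <port>/<proto> <service> <version>".
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/
# and entries are separated by ", "; closed and filtered ports are skipped.
open_ports() {
  awk -F'\t' '/^Host:/ {
    split($1, h, " "); ip = h[2]          # "Host: <ip> (<name>)" -> ip
    for (c = 2; c <= NF; c++) {           # find the Ports: field wherever it sits
      if ($c !~ /^Ports: /) continue
      sub(/^Ports: /, "", $c)
      n = split($c, entry, ", ")
      for (i = 1; i <= n; i++) {
        split(entry[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
      }
    }
  }' "$1"
}

# Open-port count per host, handy for diffing today's scan against yesterday's.
open_port_count() {
  open_ports "$1" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

open_ports "$SAMPLE_GNMAP"
open_port_count "$SAMPLE_GNMAP"
```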

Run a specific NSE script (here, SMB share enumeration)

nmap -sS -A -p- --script /usr/share/nmap/scripts/smb-enum-shares.nse


Run the default scripts to enumerate even more (note that -A already turns on the default script set, so this is redundant but harmless)

nmap -sSU -A --script=default

The Kitchen Sink

Enumerate reverse DNS, TCP/UDP ports, versions/OS, all ports, greppable output, using all scripts. Be aware that --script=all runs every script in the NSE database, including the intrusive ones, so it is slow and very noisy on the wire.

nmap -sL -sSU -A -p- -oG nmap-scan%D --script=all