Nmap Full Flag
Nmap Cheat Sheet
Host Discovery
-sL nmap 192.168.1.1-3 -sL # No Scan. List targets only
-sn nmap 192.168.1.1/24 -sn # Disable port scanning
-Pn nmap 192.168.1.1-5 -Pn # Disable host discovery. Port scan only
-PS nmap 192.168.1.1-5 -PS22-25,80 # TCP SYN discovery on ports 22-25,80
-PA nmap 192.168.1.1-5 -PA22-25,80 # TCP ACK discovery on ports 22-25,80
-PU nmap 192.168.1.1-5 -PU53 # UDP discovery on port 53
-PR nmap 192.168.1.0/24 -PR # ARP discovery on local network
-n nmap 192.168.1.1 -n # Never do DNS resolutionTarget Specification
nmap 192.168.1.1 # Scan a single IP
nmap 192.168.1.1 192.168.2.1 # Scan specific IPs
nmap 192.168.1.1-254 # Scan a range
nmap scanme.nmap.org # Scan a domain
nmap 192.168.1.0/24 # Scan using CIDR notation
-iL nmap -iL targets.txt # Scan targets from a file
-iR nmap -iR 100 # Scan 100 random hosts
--exclude nmap --exclude 192.168.1.1 # Exclude listed hostsScan Techniques
-sS nmap 192.168.1.1 -sS # TCP SYN port scan (Default)
-sT nmap 192.168.1.1 -sT # TCP connect port scan
-sU nmap 192.168.1.1 -sU # UDP port scan
-sA nmap 192.168.1.1 -sA # TCP ACK port scan
-sW nmap 192.168.1.1 -sW # TCP Window port scan
-sM nmap 192.168.1.1 -sM # TCP Maimon port scanPort Specification
-p nmap 192.168.1.1 -p 21 # Port scan for port 21
-p nmap 192.168.1.1 -p 21-100 # Port range
-p nmap 192.168.1.1 -p U:53,T:21-25,80 # TCP and UDP ports
-p- nmap 192.168.1.1 -p- # All 65535 ports
-p nmap 192.168.1.1 -p http,https # Port scan using service names
-F nmap 192.168.1.1 -F # Fast port scan (100 ports)
--top-ports nmap 192.168.1.1 --top-ports 2000 # Top 2000 portsTiming and Performance
nmap -T0 <target> # T0 = Paranoid (very slow, for IDS evasion)
nmap -T1 <target> # T1 = Sneaky (slow)
nmap -T2 <target> # T2 = Polite (slower, uses less bandwidth)
nmap -T3 <target> # T3 = Normal (default)
nmap -T4 <target> # T4 = Aggressive (faster, good for LANs)
nmap -T5 <target> # T5 = Insane (very fast, risk of inaccuracy)
--host-timeout <time> # Maximum time allowed for one host scan (e.g., 30m, 1h)
--min-rtt-timeout <time> # Minimum probe timeout based on round-trip time
--max-rtt-timeout <time> # Maximum probe timeout based on round-trip time
--min-hostgroup <size> # Minimum number of hosts to scan in parallel
--max-hostgroup <size> # Maximum number of hosts to scan in parallel
--min-parallelism <num> # Minimum number of probes to send in parallel
--max-parallelism <num> # Maximum number of probes to send in parallel
--scan-delay <time> # Delay between probes (e.g., 1s, 500ms)
--max-scan-delay <time> # Max allowed delay between probes
--max-retries <tries> # Max number of probe retransmissions per port
--min-rate <number> # Minimum number of packets per second
--max-rate <number> # Maximum number of packets per secondService and Version Detection
-sV # Detect service versions
--version-intensity <0-9> # Intensity of detection
--version-light # Light and fast scan
--version-all # Aggressive detection
-A # OS detection, version detection, scripts, tracerouteOS Detection
-O # Enable OS detection
--osscan-limit # Skip OS scan if conditions not met
--osscan-guess # Guess aggressively
--max-os-tries <x> # Set max OS detection triesFirewall / IDS Evasion and Spoofing
-f # Fragment packets
--mtu <val> # Set MTU
-D # Decoy scan
-S # Spoof source IP
-g # Set source port
--proxies # Relay via proxies
--data-length <bytes> # Append dataNSE Scripts
-sC # Default scripts
--script default # Same as -sC
--script=banner # Run specific script
--script=http* # Wildcard match
--script=http,banner # Multiple scripts
--script "not intrusive" # Exclude intrusive scripts
--script-args # Script argumentsExample NSE Scripts
nmap -Pn --script=http-sitemap-generator scanme.nmap.org
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000
nmap -Pn --script=dns-brute domain.com
nmap -n -Pn -vv -O -sV --script smb-* 192.168.1.1
nmap --script whois* domain.com
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org
nmap -p80 --script http-sql-injection scanme.nmap.orgWeb App Specific NSE Scripts
nmap -p80 --script http-methods --script-args http-methods.test-all http://target
nmap -p80 --script http-headers http://target
nmap -p80 --script http-auth,http-auth-finder,http-auth-guess http://target
nmap -p80 --script http-enum http://target
nmap -p80 --script http-config-backup http://target
nmap -p80 --script http-userdir-enum http://target
nmap -p80 --script http-vhosts,http-iis-short-name-brute http://target
nmap -p80 --script http-dombased-xss,http-xssed,http-stored-xss,http-csrf 192.168.1.1Advanced NSE Script Usage
nmap --script-args "userdb=users.txt,passdb=passlist.txt" -p21 ftp.target.com --script ftp-brute
nmap -p445 --script smb-enum-users,smb-enum-shares --script-args smbuser=admin,smbpass=password 192.168.1.100
nmap -p80 --script http-form-brute --script-args http-form-brute.hostname=target.com,http-form-brute.path=/login,http-form-brute.uservar=username,http-form-brute.passvar=password,http-form-brute.failmsg="invalid login" 192.168.1.1Vulnerability Scanning Scripts
nmap --script vuln 192.168.1.1
nmap -sV --script vulners 192.168.1.1
nmap -p80 --script http-vuln-cve2015-1635 192.168.1.1
nmap -p80 --script http-vuln-cve2017-5638 192.168.1.1
nmap -p80 --script http-vuln-cve2017-1001000 192.168.1.1Output Options
-oN <file> # Normal output
-oX <file> # XML output
-oG <file> # Grepable output
-oA <prefix> # All formats
--append-output # Append to file
-oG - # Output to screen (also -oN -, -oX -)Scan Output Analysis & Tips
- Look for open ports with services you can enumerate (e.g., HTTP, SMB, FTP).
- Closed ports still respond; filtered ports are likely firewalled.
- Combine `-sV` and `-A` to gather banners and OS info.
- Use `--reason` to understand why a port is marked as open/closed.
- Save all scans using `-oA` for later grep/parse.
- Use `grep open` or tools like `grepable`, `xsltproc`, or `nmaptocsv` to filter output.Last updated