Part of series: cheatsheet
Nmap Cheatsheet
I’ve compiled a cheatsheet to list some useful nmap commands.
Full scan of all ports, enumerate services and use default scripts
nmap -sC -sV -p- -v <TARGET_IP> -T5 -oN <OUTPUT_FILE> --open
TCP ports
nmap -p- <TARGET_IP> -oN all_tcp.txt
UDP ports
nmap -p- <TARGET_IP> -sU -oN all_udp.txt
Top ports
nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
Stealth scan
nmap -sS 192.168.50.149
Connect scan
nmap -sT 192.168.50.149
Note: Useful when sudo is not available (a SYN scan needs raw sockets, a connect scan does not) or when scanning through proxychains, which only relays full TCP connections
Network sweep
nmap -sn 192.168.50.1-253 -oG ping-sweep.txt
- check which machines are up on the network
grep Up ping-sweep.txt | cut -d " " -f 2
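Both the top-ports sweep and the ping sweep above write grepable (-oG) output. The following is an added shell example, not part of the original cheatsheet, that extracts the hosts nmap reported as Up and the open ports per host from such a file; the sample data in sample_grepable is constructed for illustration and is not a real scan.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output. Fields are tab-separated;
# each Ports: entry is port/state/proto/owner/service/rpcinfo/version/.
sample_grepable() {
    printf '%b\n' \
        '# Nmap scan initiated as: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt' \
        'Host: 192.168.50.1 ()\tStatus: Up' \
        'Host: 192.168.50.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (17)' \
        'Host: 192.168.50.7 ()\tStatus: Up' \
        'Host: 192.168.50.7 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (19)' \
        'Host: 192.168.50.9 ()\tStatus: Down' \
        '# Nmap done -- 253 IP addresses (2 hosts up) scanned in 60.00 seconds'
}

# IPs of hosts reported Up (same idea as the grep/cut one-liner above).
up_hosts() {
    sample_grepable | awk '/Status: Up/ { print $2 }'
}

# One line per open port: "ip port/proto service (version)".
open_ports() {
    sample_grepable | awk -F'\t' '
        $2 ~ /^Ports: / {
            split($1, h, " "); ip = h[2]          # "Host: 192.168.50.1 ()" -> IP
            sub(/^Ports: /, "", $2)
            n = split($2, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")        # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                if (f[2] != "open") continue
                ver = (f[7] != "") ? " (" f[7] ")" : ""
                printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], ver
            }
        }'
}

echo "Hosts up:";   up_hosts
echo "Open ports:"; open_ports
```

Point sample_grepable at a real file (for example `cat top-port-sweep.txt`) to use the same parsing on your own sweep results.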
Use --script option
nmap --script vuln,safe,discovery -oN scan.txt <TARGET_IP>
To list all NSE scripts:
ls -lh /usr/share/nmap/scripts/
Via SOCKS4 proxy
nmap --proxies socks4://proxy-ip:1080 <TARGET_IP>
Ideally, we use proxychains or ligolo-ng instead of nmap’s --proxies feature as the latter can be unreliable.