Basic usage
TCP port scan
All ports
nmap -vv -sT -p - --open IP
List scan - list targets to scan
Show target addresses to scan
nmap -sL -iL targets.txt -Pn -n
or show only IP addresses
nmap -sL -iL targets.txt -Pn -n | grep "Nmap scan report" | cut -d" " -f5
Discover services
One port
nmap -Pn -sV --version-all -sT -sC -p PORT HOST
All ports
nmap -Pn -sV --version-all -sT -sC -p - HOST
(-Pn skips host discovery; the older -P0 spelling still works but is deprecated. --version-all is the same as --version-intensity 9, which is slow when combined with all 65535 ports.)
Probe one port - no ping, no DNS lookup
nmap -vv -sT -p 443 HOST -Pn -n
Rate limit
Limit packet rate
nmap -vv -sT -p- -oA nmap_full -iL targets.txt --max-rate 500
Send probes one at a time (--max-parallelism 1 limits outstanding probes; to scan hosts one at a time instead, add --max-hostgroup 1)
nmap -vv -sT -oA nmap_short -iL targets.txt --max-parallelism 1
Enumerate services
Enumerate HTTP services
Enumerate HTTP services on the host
nmap -sV -sT --script=http-enum -p- -Pn hostname
Get titles of HTTP websites
nmap -sV --script http-title --script-args "http-title.url=/" -p80,443,8000-9000 192.168.0.0/16
(note the prefix length: nmap expands 192.168.0.0/8 to the whole of 192.0.0.0/8, about 16.7 million addresses, most of them outside the private range)
Search for specific title
nmap -sV --script http-title --script-args "http-title.url=/" -p80,443,8000-9000 192.168.0.0/16 | grep pattern
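Grepping the title lines alone loses which host and port each title belongs to. The following is an added example, not part of the original cheatsheet: a small parser over nmap's normal output that pairs every http-title result with its host and port. The function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): attribute http-title
# results to their host and port instead of grepping them out of context.
# Input is nmap normal output (stdout or -oN); filenames may be passed as
# arguments, otherwise stdin is read.

# Emit "host port title" for every http-title result.
http_titles() {
  awk '
    /^Nmap scan report for / { host = $5; next }           # new host block
    /^[0-9]+\/tcp +open/     { split($1, p, "/"); port = p[1]; next }
    /^\|[ _]http-title: /    { sub(/^\|[ _]http-title: /, ""); print host, port, $0 }
  ' "$@"
}

# Constructed sample of nmap output (not a real scan), used for the demo.
SAMPLE='Nmap scan report for 10.0.0.5
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
|_http-title: Login Portal
443/tcp  open  ssl/http nginx 1.18.0
|_http-title: Site does not have a title (text/html).
Nmap scan report for 10.0.0.9
PORT     STATE SERVICE VERSION
8080/tcp open  http-proxy Jetty 9.4
| http-title: Jenkins
|_Requested resource was /login'

# Case-insensitive title search that keeps host and port in the result.
find_title() {
  printf '%s\n' "$SAMPLE" | http_titles | grep -i -- "$1"
}

# Usage: printf '%s\n' "$SAMPLE" | http_titles
#        nmap -sV --script http-title -p80,443 192.168.1.0/24 | http_titles | grep -i login
```

Pipe a live scan into http_titles the same way; the awk state machine only depends on the "Nmap scan report for" and "PORT/tcp open" lines, so -sV banners or extra script output between them do not break it.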
Java RMI
Java RMI script
nmap -sT -p 8101 --script +rmi-dumpregistry HOST
(the + prefix forces the script to run against port 8101 even though its portrule would not select that port on its own)
nmap --script=rmi-vuln-classloader -p PORT HOST
SMB
SMB scripts
nmap -v -p 139,445 --script="smb-vuln-*" HOST
(quote the wildcard so the shell does not expand it against files in the current directory)
Other examples
Scan randomized IP range one by one
Scan the listed ports on 20 hosts from the range (192.168.1.11-30, randomized order), one host at a time. Parameters: output in all formats, no ping, no DNS lookup, only open ports, max rate 5 packets/s, append output to one set of files
for i in `seq 11 30 | sort -R`; do nmap -vv -sT -p 22,80,... -oA nmapscan -n --max-rate 5 --append-output -Pn --open "192.168.1.${i}"; done
Scan the 1000 most common ports (nmap's default when -p is omitted) on 10 hosts from the range (192.168.1.11-20, randomized order), one host at a time. Parameters: output in all formats, no ping, no DNS lookup, only open ports, max rate 5 packets/s, at most 3 retries per port, append output to one set of files
for i in `seq 11 20 | sort -R`; do nmap -vv -sT -oA nmapscan -n --max-retries 3 --max-rate 5 --append-output -Pn --open "192.168.1.${i}"; done
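The two loops above as a reusable script, added here as an example and not part of the original cheatsheet. It keeps the same parameters (connect scan, no ping, no DNS, only open ports, 5 packets/s, all output formats appended to one file set) but reads the range from arguments, falls back to sort -R where shuf is missing, and does not abort the run when one host fails. The function names, the OUT variable and the 192.168.1 prefix are illustrative; nmap is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): randomized, one-host-at-a-time
# nmap scanning with the cheatsheet's low-and-slow parameters.

# Shuffle stdin: shuf is GNU coreutils, sort -R is the portable fallback.
shuffle() {
  if command -v shuf >/dev/null 2>&1; then shuf; else sort -R; fi
}

# Print PREFIX.START .. PREFIX.END in random order, one host per line.
# Usage: randomized_hosts 192.168.1 11 30
randomized_hosts() {
  seq "$2" "$3" | shuffle | sed "s/^/$1./"
}

# Base name for -oA output (nmapscan.nmap, nmapscan.gnmap, nmapscan.xml).
OUT=${OUT:-nmapscan}

# Scan one host: TCP connect scan, no ping, no DNS, only open ports,
# 5 packets/s, 3 retries, every output format appended to $OUT.*
scan_host() {
  nmap -vv -sT -n -Pn --open --max-rate 5 --max-retries 3 \
       -oA "$OUT" --append-output "$1"
}

# Walk the randomized list one host at a time; a failing scan is reported
# on stderr and the loop continues with the next host.
scan_range() {
  randomized_hosts "$1" "$2" "$3" | while read -r host; do
    scan_host "$host" || echo "scan of $host failed" >&2
  done
}

# Run with: sh scan.sh run   (only if nmap is available)
if [ "${1:-}" = "run" ] && command -v nmap >/dev/null 2>&1; then
  scan_range 192.168.1 11 30
fi
```

To restrict the port list as in the first loop, add -p 22,80,... to scan_host; --append-output keeps the results of every host in the same three files, so one -oA base name is enough for the whole run.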