Quick Reference
Nmap Quick Reference
Hackers Manifest - hackersmanifest.com
🔧 Try the Interactive Builder
Don't want to memorize syntax? Use our Interactive Nmap Command Builder to visually configure scans and generate commands.
Comprehensive quick reference for Nmap - the essential network discovery and security auditing tool.
🔍 Host Discovery
| Ping scan (no port scan) | nmap -sn 192.168.1.0/24 |
| Skip host discovery | nmap -Pn target |
| TCP SYN ping | nmap -PS22,80,443 target |
| TCP ACK ping | nmap -PA22,80,443 target |
| UDP ping | nmap -PU53,161 target |
| ICMP echo ping | nmap -PE target |
| ICMP timestamp ping | nmap -PP target |
| ARP ping (local network) | nmap -PR 192.168.1.0/24 |
| List targets only | nmap -sL 192.168.1.0/24 |
🚪 Port Scanning
| TCP SYN scan (stealth) | nmap -sS target |
| TCP connect scan | nmap -sT target |
| UDP scan | nmap -sU target |
| Specific ports | nmap -p 22,80,443 target |
| Port range | nmap -p 1-1000 target |
| All ports | nmap -p- target |
| Top 100 ports | nmap --top-ports 100 target |
| FIN scan | nmap -sF target |
| Xmas scan | nmap -sX target |
| Null scan | nmap -sN target |
🔬 Service & Version Detection
| Service version detection | nmap -sV target |
| Light version scan | nmap -sV --version-light target |
| Aggressive version scan | nmap -sV --version-all target |
| Version intensity (0-9) | nmap -sV --version-intensity 5 |
| OS detection | nmap -O target |
| Aggressive OS detection | nmap -O --osscan-guess target |
| Service + OS + Script | nmap -A target |
| Traceroute | nmap --traceroute target |
📜 NSE Scripts
| Default scripts | nmap -sC target |
| Specific script | nmap --script=http-headers target |
| Script category | nmap --script=vuln target |
| Multiple scripts | nmap --script=smb*,vuln target |
| Script with args | nmap --script-args=user=admin |
| Update script database | nmap --script-updatedb |
| Script help | nmap --script-help=http-* |
| Safe scripts only | nmap --script=safe target |
⚠️ Vulnerability Scanning
| All vuln scripts | nmap --script=vuln target |
| SMB vulnerabilities | nmap --script=smb-vuln* target |
| EternalBlue check | nmap --script=smb-vuln-ms17-010 |
| HTTP vulnerabilities | nmap --script=http-vuln* target |
| SSL vulnerabilities | nmap --script=ssl-* target |
| Heartbleed check | nmap --script=ssl-heartbleed |
| Shellshock check | nmap --script=http-shellshock |
| Vulscan (CVE database) | nmap --script=vulscan target |
⏱️ Timing & Performance
| Paranoid (IDS evasion) | nmap -T0 target |
| Sneaky | nmap -T1 target |
| Polite (less bandwidth) | nmap -T2 target |
| Normal (default) | nmap -T3 target |
| Aggressive | nmap -T4 target |
| Insane (fastest) | nmap -T5 target |
| Min parallelism | nmap --min-parallelism 100 |
| Max retries | nmap --max-retries 2 target |
| Host timeout | nmap --host-timeout 30m |
📄 Output Formats
| Normal output | nmap -oN scan.txt target |
| XML output | nmap -oX scan.xml target |
| Grepable output | nmap -oG scan.gnmap target |
| All formats | nmap -oA scan target |
| Verbose output | nmap -v target |
| Extra verbose | nmap -vv target |
| Debugging | nmap -d target |
| Reason for port state | nmap --reason target |
| Resume scan | nmap --resume scan.gnmap |
🥷 Evasion Techniques
| Fragment packets | nmap -f target |
| Custom MTU | nmap --mtu 24 target |
| Decoy scan | nmap -D decoy1,decoy2,ME target |
| Spoof source IP | nmap -S spoofed_ip target |
| Spoof source port | nmap --source-port 53 target |
| Spoof MAC address | nmap --spoof-mac 0 target |
| Append random data | nmap --data-length 25 target |
| Bad checksum | nmap --badsum target |
| Idle/zombie scan | nmap -sI zombie target |
🎯 Common Scan Profiles
Quick Discovery
nmap -sn -T4 192.168.1.0/24 Fast host discovery on local network
Standard Scan
nmap -sS -sV -sC -T4 target SYN scan with version detection and scripts
Full Comprehensive
nmap -sS -sV -sC -O -p- -T4 -oA full target Complete scan with all ports, OS detection, output
Aggressive Scan
nmap -A -T4 target OS detection, version, scripts, traceroute
Stealth Scan
nmap -sS -T2 -f --data-length 25 target Slow, fragmented packets for IDS evasion
Vulnerability Scan
nmap -sV --script=vuln -T4 target Version detection with vulnerability scripts
UDP Services
nmap -sU -sV --top-ports 20 target Top UDP ports with service detection
Web Server Scan
nmap -sV -p 80,443 --script=http-* target HTTP/HTTPS enumeration with all HTTP scripts
📚 NSE Script Categories
auth - Authenticationbroadcast - Network discoverybrute - Brute forcedefault - Safe defaultdiscovery - Informationdos - Denial of serviceexploit - Exploitsexternal - Third-partyfuzzer - Fuzzingintrusive - May crashmalware - Malware detectionsafe - Non-intrusiveversion - Version detectvuln - VulnerabilitiesGenerated from Hackers Manifest | For authorized security testing only | hackersmanifest.com