Nmap Cheat Sheet, plus bonus Nmap + Nessus Cheat Sheet JPG & PDF (2024)

We’ve put together a comprehensive Nmap Cheat Sheet. If you also use Nessus with Nmap, keep reading. At the end of the post we have also included the Nmap + Nessus Cheat Sheet so you have all the useful commands at your fingertips.

All the tables in the cheat sheets are also reproduced below in a form that is easy to copy and paste.

The Nmap cheat sheet covers:

  • Different usage options of Nmap
  • Scanning command syntax
  • Port Specification options
  • Host/target discovery
  • Scanning types
  • Version detection
  • Target specification
  • Use of Nmap scripts (NSE)
  • Firewall proofing
  • Nmap output formats
  • Scan options
  • Nmap timing options
  • Miscellaneous commands

What’s included in the Cheat Sheet

The following categories and items have been included in the cheat sheet:

Different usage options of Nmap

  • Port discovery and specification
  • Host discovery and specification
  • Vulnerability scanning
  • Application and service version detection
  • Software version detection against the ports
  • Firewall / IDS Spoofing

Scanning command syntax

nmap [scan types] [options] {target specification}

Port Specification options

| Syntax | Example | Description |
|---|---|---|
| -p | nmap -p 23 172.16.1.1 | Scan a specific port |
| -p | nmap -p 23-100 172.16.1.1 | Scan a specific port range |
| -p | nmap -pU:110,T:23-25,443 172.16.1.1 | Scan different port types (U = UDP, T = TCP) |
| -p- | nmap -p- 172.16.1.1 | Port scan for all ports |
| -p | nmap -p smtp,https 172.16.1.1 | Port scan from specified protocols |
| -F | nmap -F 172.16.1.1 | Fast port scan to speed up scanning |
| -p "*" | nmap -p "ftp*" 172.16.1.1 | Port scan using name |
| -r | nmap -r 172.16.1.1 | Sequential port scan |

Host/target discovery

| Switch/Syntax | Example | Description |
|---|---|---|
| -sL | nmap 172.16.1.1-5 -sL | List targets without scanning |
| -sn | nmap 172.16.1.1/8 -sn | Disable port scanning |
| -Pn | nmap 172.16.1.1-8 -Pn | Port scans only and no host discovery |
| -PS | nmap 172.16.1.185 -PS22-25,80 | TCP SYN discovery on specified port |
| -PA | nmap 172.16.1.185 -PA22-25,80 | TCP ACK discovery on specified port |
| -PU | nmap 172.16.1.1-8 -PU53 | UDP discovery on specified port |
| -PR | nmap 172.16.1.1-1/8 -PR | ARP discovery within local network |
| -n | nmap 172.16.1.1 -n | No DNS resolution |

Scanning types

| Switch/Syntax | Example | Description |
|---|---|---|
| -sS | nmap 172.16.1.1 -sS | TCP SYN port scan |
| -sT | nmap 172.16.1.1 -sT | TCP connect port scan |
| -sA | nmap 172.16.1.1 -sA | TCP ACK port scan |
| -sU | nmap 172.16.1.1 -sU | UDP port scan |
| -sF | nmap -sF 172.16.1.1 | TCP FIN scan |
| -sX | nmap -sX 172.16.1.1 | XMAS scan |
| -sP | nmap -sP 172.16.1.1 | Ping scan |
| -sU | nmap -sU 172.16.1.1 | UDP scan |
| -sA | nmap -sA 172.16.1.1 | TCP ACK scan |
| -sL | nmap -sL 172.16.1.1 | List scan |

Version detection

| Switch/Syntax | Example | Description |
|---|---|---|
| -sV | nmap 172.16.1.1 -sV | Try to find the version of the service running on port |
| -sV --version-intensity | nmap 172.16.1.1 -sV --version-intensity 6 | Intensity level range 0 to 9 |
| -sV --version-all | nmap 172.16.1.1 -sV --version-all | Set intensity level to 9 |
| -sV --version-light | nmap 172.16.1.1 -sV --version-light | Enable light mode |
| -A | nmap 172.16.1.1 -A | Enables OS detection, version detection, script scanning, and traceroute |
| -O | nmap 172.16.1.1 -O | Remote OS detection |

Target specification

| Syntax | Description |
|---|---|
| nmap 172.16.1.1 | Single IP scan |
| nmap 172.16.1.1 172.16.100.1 | Scan specific IPs |
| nmap 172.16.1.1-254 | Scan a range of IPs |
| nmap xyz.org | Scan a domain |
| nmap 10.1.1.0/8 | Scan using CIDR notation |
| nmap -iL scan.txt | Scan targets from a file |
| nmap --exclude 172.16.1.1 | Exclude the specified IPs from the scan |

Use of NMAP scripts NSE

| Syntax | Description |
|---|---|
| nmap --script="test script" 172.16.1.0/24 | Execute the listed script against the target IP address |
| nmap --script-updatedb | Update the script database after adding new scripts |
| nmap -sV -sC | Use the safe default scripts for the scan |
| nmap --script-help="Test Script" | Get help for a script |

Firewall proofing

| Syntax | Description |
|---|---|
| nmap -f [target] | Scan using fragmented packets |
| nmap --mtu [MTU] [target] | Specify the MTU |
| nmap -sI [zombie] [target] | Idle zombie scan |
| nmap --source-port [port] [target] | Manually specify the source port |
| nmap --data-length [size] [target] | Append random data |
| nmap --randomize-hosts [target] | Randomize target scan order |
| nmap --badsum [target] | Bad checksum |

NMAP output formats

| Format | Command |
|---|---|
| Default/normal output | nmap -oN scan.txt 172.16.1.1 |
| XML | nmap -oX scanr.xml 172.16.1.1 |
| Grepable format | nmap -oG grep.txt 172.16.1.1 |
| All formats | nmap -oA scan 172.16.1.1 |

Scan options

| Syntax | Description |
|---|---|
| nmap -sP 172.16.1.1 | Ping scan only |
| nmap -PU 172.16.1.1 | UDP ping scan |
| nmap -PE 172.16.1.1 | ICMP echo ping |
| nmap -PO 172.16.1.1 | IP protocol ping |
| nmap -PR 172.16.1.1 | ARP ping |
| nmap -Pn 172.16.1.1 | Scan without pinging |
| nmap --traceroute 172.16.1.1 | Traceroute |

NMAP Timing options

| Syntax | Description |
|---|---|
| nmap -T0 172.16.1.1 | Slowest scan |
| nmap -T1 172.16.1.1 | Tricky scan to avoid IDS |
| nmap -T2 172.16.1.1 | Timely scan |
| nmap -T3 172.16.1.1 | Default scan timer |
| nmap -T4 172.16.1.1 | Aggressive scan |
| nmap -T5 172.16.1.1 | Very aggressive scan |

Miscellaneous commands

| Syntax | Description |
|---|---|
| nmap -6 | Scan IPv6 targets |
| nmap --proxies <proxy 1 URL>,<proxy 2 URL> | Run against targets through proxies |
| nmap --open | Show open ports only |

Nmap + Nessus Cheat Sheet

If you also use Nessus with Nmap, download this cheat sheet instead as it has all the tables included in the Nmap cheat sheet plus three extra Nessus tables.

Nessus install and use

| Task | Command |
|---|---|
| Installation | # apt-get install nessus |
| Add administrator for the application | # nessus-adduser |
| Update components | # nessus-update-plugins |
| Start nessus | # /etc/init.d/nessusd start |
| Check nessus port | # netstat -luntp or # netstat -landtp |

Nessuscli

| Syntax | Description |
|---|---|
| nessus -h | Display help |
| nessus -q | Run in batch mode |
| nessus --list-policies | List policies included in .nessus configuration file |
| nessus --list-reports | List report names included in .nessus configuration file |
| nessus -p | List available plugins in the server |
| nessus --policy-name (policy name) | Specify the policy to use when a scan is initiated from the command line |
| nessus -T (format) | Specify output report format (html, text, nbe, nessus) |
| nessus --target-file (file name) | Use scan targets specified in the file instead of default .nessus file |
| nessus -x | Do not check for SSL certificates |

Nessus server commands

| Syntax | Description |
|---|---|
| nessus-service -a (IP address) | Listen on the specified IP address only |
| nessus-service -c (config file name) | Use the given server-side configuration file instead of the default configuration file |
| nessus-service -D | Set server mode to background run |
| nessus-service -h | List summary of nessus commands |
| nessus-service --ipv4-only | Listen on IPv4 only |
| nessus-service --ipv6-only | Listen on IPv6 only |
| nessus-service -K | Configure master password for nessus scanner |
| nessus-service -p | Set server to listen on the client-specified port rather than default port 1241 |
| nessus-service -q | Run in quiet mode |

Article information

Author: Tyson Zemlak
