Nmap stands for Network Mapper. It comes in free and is an open-source tool that is used for vulnerability scanning and network discovery. It is used by all the network administrators to identify which devices are running on the system, discover available hosts and services provided by them, find open ports as well as to detect security risks.
It can also be used to monitor single hosts and vast networks which encompass many devices and multitudes of subsets.
Over time it has evolved and is flexible but is a port-scan tool that is used to gather information by sending raw packets towards the system ports. It listens to all the responses sees whether the ports are open, closed, or filtered like a firewall. Port discovery or enumerations are other words that are used for port scanning.
Recommended: Download Nmap for Windows 10 & 11.
How Nmap Commands Work
Packets that are sent out by Nmap return with IP addresses and other data thus allowing the user to identify different attributes of the network giving the user a profile or network map and allowing the creation of an inventory of the software and hardware.
Now, different protocols use different kinds of packet structures. It is used to employ transport layer protocols including TCP (Transmission Control Protocol), UDP (User Datagram Protocol), SCTP (Stream Control Transmission Protocol) and other supporting protocols like ICMP (Internet Control Message Transmission Protocol) which is used to send error messages.
Different protocols are used for various purposes and system ports like low resource overhead of UDP is good if you want real-time-streaming video but in this, some packets are lost in return for speed whereas non-real time streaming videos in Youtube is buffered and used much slower, albeit and reliable TCP.
Its fundamental port scanning and packet capture capabilities are being enhanced constantly.
100+ Nmap Commands Cheat Sheet – Massive List
Nmap Ping Scan
This one is quite famous as it is used to perform Nmap ping sweeps. Moreover, this is one of the easiest ways to detect hosts on any network.
Its only drawback is that at times it blocks IP-based ping packets so if you are not able to get solid results we suggest that you switch to ARP-based requests for the scan.
Basic Nmap Scan against IP or Host
You need to simply replace IP for the host if you wish to scan hostname:
These kinds of scans are set perfect when you begin with Nmap.
- Scan IP Ranges
It can be used to scan complete CIDR IP ranges such as:
This is used to scan consecutive 14 IP ranges starting from 18.104.22.168 to 22.214.171.124.
As an alternate the following kind of range can be used:
Wildcards can also be used to scan complete C class IP range like:
This shall scan 256 IP addresses ranging from 126.96.36.199 to 188.8.131.526
If you wish to exclude specific IPs from the IP range scan then use the “-exclude” option:
Nmap –p 1.1.1.* --exclude 184.108.40.206
Scanning Most Popular Ports
By using “-top-ports” parameter with specified number one can scan top X most common ports for that particular host like:
Nmap –top-ports 20 172.168.762
Now, we can replace “20” with the desired number, output example is shown below:
Nmap –top-ports 20 220.127.116.11 [[email protected]:~]nmap --top-ports 20 localhost 21/tcp - For ftp 22/tcp - For ssh 23/tcp - For telnet 25/tcp - For smtp 53/tcp - For domain 80/tcp - For http 110/tcp - For pop3 111/tcp - For rpcbind 135/tcp - For msrpc 139/tcp - For netbios-ssn 143/tcp - For imap 443/tcp - For https 445/tcp - For microsoft-ds 993/tcp - For imaps 995/tcp - For pop3s 1723/tcp - For pptp 3306/tcp - For mysql 3389/tcp - For ms-wbt-server 5900/tcp - For vnc 8080/tcp - For http-proxy
Disabling DNS Name Resolution
If you wish to speed up your scan then you can select disable reverse DNS resolution for all the scans, for this all you need to do is add “-n” parameter. This can also be achieved with Wireshark.
[[email protected]:~]nmap -p 80 -n 18.104.22.168 Normal vs port based DNS scan, the difference is clear: [[email protected]:~]nmap -p 80 22.214.171.124
Detect Service/Daemon Versions
For this you need to use –sV parameters:
It is as followed:
[[email protected]:~]nmap –sV localhost
Scan Specific Ports or Scan Entire port ranges on Local or Remote server
Nmap –p 1-5000 localhost
In this we scanned all 65535 ports for the localhost system, this is able to scan all the possible ports but we can also able to scan particular ports which are reported to give out faster results such as:
Nmap –p 80,443 126.96.36.199
- Scan Multiple IP Addresses
For this the following syntax needs to be used:
Nmap 188.8.131.52 184.108.40.206
Moreover, consecutive IP addresses can also be scanned:
This shall scan 220.127.116.11 , 18.104.22.168 , 22.214.171.124 and 126.96.36.199
ALSO CHECK: Download Nmap APK for Android 10, 11 and 12.
Scan Using TCP or UDP Protocols
The best thing about this one is that it works both with TCP and UDP protocols. While many services run on TCP users can get a lot of benefits by scanning services based on UDP. Following are some examples:
Standard TCP scanning output:
[[email protected]:~]nmap -sT 192.168.7.11
UDP scanning results by using the “-sU” parameter
[[email protected]:~]nmap -sU localhost
Nmap Cheat Sheet PDF Download
Below are the above commands and instructions saved in PDF file format.
How To Use Nmap Commands in the terminal
Now for network administrators and security auditors, many free network monitoring utilities and free open-source vulnerability scanners are available. What makes this tool different is that along with port scanning it offers other functions as well:
- OS Detection: With this users can determine OP which is running on the device. Moreover, we can get other details like the name of the vendor, underlying OS, software version and the estimated uptime of the device.
- Network Mapping: This is used to identify devices on the network which is also known as host discovery including routers, switches, servers and how they are connected physically.
- Security Auditing: Once we know the OS version and apps running on network hosts then it helps network managers determine their vulnerability to particular flaws. Now, whenever a vulnerability alert is received by the admin in a particular version of the app like she can scan her network to see either version of the software is running on the network and takes a few steps to patch or even update specific hosts. Scripts are also used to automate tasks like detecting specific vulnerabilities.
- Service Discovery: It is not only able to identify network hosts but acts as mail, name, or web servers and specific app and versions of related software they run.
Recommended Cheat Sheets and Commands
- Google Dorks Cheat Sheet – SQL Injections and Credit Cards.
- Best Secure Coding Tips Cheat Sheet from OWASP.
- Kali Linux Wifi and Network Hacking Commands.
- Meterpreter Commands Full List.
Conclusion: Nmap Commands Cheat Sheet
Nmap is the best overall tool for network and host discovery, period. There is no question about this. However, it is not easy to use, complex and requires some command-line knowledge to be used. This is why we put together a detailed Nmap commands list that can be used by anyone as it contains 100+ commands that you can use for a variety of tasks.