
# Nmap Cheatsheet

## Scanning Options

| Option               | What It Does                                  | Example Command                           |
| -------------------- | --------------------------------------------- | ----------------------------------------- |
| `10.10.10.0/24`      | Specifies the target network range.           | `nmap 10.10.10.0/24`                      |
| `-sn`                | Skips port scanning.                          | `nmap -sn 10.10.10.0/24`                  |
| `-Pn`                | Skips host discovery and treats every target as online (no ping). | `nmap -Pn 10.10.10.0/24`                  |
| `-n`                 | Avoids DNS resolution.                        | `nmap -n 10.10.10.0/24`                   |
| `-PE`                | Ping scan using ICMP Echo Requests.           | `nmap -PE 10.10.10.0/24`                  |
| `--packet-trace`     | Shows detailed packet sending/receiving logs. | `nmap --packet-trace 10.10.10.0/24`       |
| `--reason`           | Displays the reason for a result.             | `nmap --reason 10.10.10.0/24`             |
| `--disable-arp-ping` | Disables ARP Ping.                            | `nmap --disable-arp-ping 10.10.10.0/24`   |
| `--top-ports=<num>`  | Scans the most common ports.                  | `nmap --top-ports=100 10.10.10.0/24`      |
| `-p-`                | Scans all ports.                              | `nmap -p- 10.10.10.0/24`                  |
| `-p22-110`           | Scans ports between 22 and 110.               | `nmap -p22-110 10.10.10.0/24`             |
| `-p22,25`            | Scans only ports 22 and 25.                   | `nmap -p22,25 10.10.10.0/24`              |
| `-F`                 | Scans top 100 most common ports.              | `nmap -F 10.10.10.0/24`                   |
| `-sS`                | Performs a TCP SYN scan.                      | `nmap -sS 10.10.10.0/24`                  |
| `-sA`                | Conducts a TCP ACK scan.                      | `nmap -sA 10.10.10.0/24`                  |
| `-sU`                | Runs a UDP scan.                              | `nmap -sU 10.10.10.0/24`                  |
| `-sV`                | Scans service versions.                       | `nmap -sV 10.10.10.0/24`                  |
| `-sC`                | Uses default scripts for scanning.            | `nmap -sC 10.10.10.0/24`                  |
| `--script <script>`  | Runs specified scripts during the scan.       | `nmap --script http-title 10.10.10.0/24`  |
| `-O`                 | Identifies the target’s operating system.     | `nmap -O 10.10.10.0/24`                   |
| `-A`                 | Enables OS detection, version detection, default scripts, and traceroute. | `nmap -A 10.10.10.0/24`                   |
| `-D RND:5`           | Uses 5 random decoys for the scan.            | `nmap -D RND:5 10.10.10.0/24`             |
| `-e`                 | Specifies the network interface for scanning. | `nmap -e eth0 10.10.10.0/24`              |
| `-S 10.10.10.200`    | Sets the source IP address.                   | `nmap -S 10.10.10.200 10.10.10.0/24`      |
| `-g`                 | Specifies the source port.                    | `nmap -g 80 10.10.10.0/24`                |
| `--dns-server <ns>`  | Uses a custom DNS server for resolution.      | `nmap --dns-server 8.8.8.8 10.10.10.0/24` |

## Output Options

| Option         | What It Does                                           | Example Command                       |
| -------------- | ------------------------------------------------------ | ------------------------------------- |
| `-oA filename` | Saves results in all formats under the given filename. | `nmap -oA scan_results 10.10.10.0/24` |
| `-oN filename` | Saves results in a normal text format.                 | `nmap -oN scan.txt 10.10.10.0/24`     |
| `-oG filename` | Saves results in a grepable format.                    | `nmap -oG scan.grep 10.10.10.0/24`    |
| `-oX filename` | Saves results in XML format.                           | `nmap -oX scan.xml 10.10.10.0/24`     |

## Performance Options

| Option                       | What It Does                                                 | Example Command                                 |
| ---------------------------- | ------------------------------------------------------------ | ----------------------------------------------- |
| `--max-retries <num>`        | Caps the number of times a port-scan probe is retransmitted.  | `nmap --max-retries 3 10.10.10.0/24`            |
| `--stats-every=5s`           | Displays scan progress every 5 seconds.                      | `nmap --stats-every=5s 10.10.10.0/24`           |
| `-v/-vv`                     | Increases verbosity during the scan.                         | `nmap -vv 10.10.10.0/24`                        |
| `--initial-rtt-timeout 50ms` | Sets the initial round-trip timeout value.                   | `nmap --initial-rtt-timeout 50ms 10.10.10.0/24` |
| `--max-rtt-timeout 100ms`    | Sets the maximum round-trip timeout value.                   | `nmap --max-rtt-timeout 100ms 10.10.10.0/24`    |
| `--min-rate 300`             | Sends packets at no less than the given rate per second.     | `nmap --min-rate 300 10.10.10.0/24`             |
| `-T <0-5>`                   | Chooses the scan timing template (0 = slowest, 5 = fastest). | `nmap -T4 10.10.10.0/24`                        |

## Script Categories

| Category    | What It Does                                             | Example Command                         |
| ----------- | -------------------------------------------------------- | --------------------------------------- |
| `auth`      | Tests for authentication weaknesses.                     | `nmap --script auth 10.10.10.0/24`      |
| `broadcast` | Discovers hosts via broadcasting.                        | `nmap --script broadcast 10.10.10.0/24` |
| `brute`     | Brute-forces logins with common credentials.             | `nmap --script brute 10.10.10.0/24`     |
| `default`   | Runs default scripts with the `-sC` option.              | `nmap -sC 10.10.10.0/24`                |
| `discovery` | Identifies available services.                           | `nmap --script discovery 10.10.10.0/24` |
| `dos`       | Tests for Denial of Service vulnerabilities (risky).     | `nmap --script dos 10.10.10.0/24`       |
| `exploit`   | Attempts to exploit known vulnerabilities.               | `nmap --script exploit 10.10.10.0/24`   |
| `external`  | Scripts that contact third-party services and may send target data to them. | `nmap --script external 10.10.10.0/24`  |
| `fuzzer`    | Identifies vulnerabilities by sending malformed packets. | `nmap --script fuzzer 10.10.10.0/24`    |
| `intrusive` | Performs potentially damaging tests.                     | `nmap --script intrusive 10.10.10.0/24` |
| `malware`   | Scans for signs of malware infections.                   | `nmap --script malware 10.10.10.0/24`   |
| `safe`      | Scripts considered safe: not designed to crash services or use excessive resources. | `nmap --script safe 10.10.10.0/24`      |
| `version`   | Detects service versions.                                | `nmap --script version 10.10.10.0/24`   |
| `vuln`      | Scans for specific vulnerabilities.                      | `nmap --script vuln 10.10.10.0/24`      |

ARP, ICMP, TCP, and UDP probes can all be used to detect live hosts: any response from a host is an indication that it is online. Below is a quick summary of the Nmap host-discovery options covered.

| Scan Type              | Example Command                             |
| ---------------------- | ------------------------------------------- |
| ARP Scan               | `sudo nmap -PR -sn MACHINE_IP/24`           |
| ICMP Echo Scan         | `sudo nmap -PE -sn MACHINE_IP/24`           |
| ICMP Timestamp Scan    | `sudo nmap -PP -sn MACHINE_IP/24`           |
| ICMP Address Mask Scan | `sudo nmap -PM -sn MACHINE_IP/24`           |
| TCP SYN Ping Scan      | `sudo nmap -PS22,80,443 -sn MACHINE_IP/30`  |
| TCP ACK Ping Scan      | `sudo nmap -PA22,80,443 -sn MACHINE_IP/30`  |
| UDP Ping Scan          | `sudo nmap -PU53,161,162 -sn MACHINE_IP/30` |

Remember to add `-sn` if you are only interested in host discovery without port-scanning. Omitting `-sn` will let Nmap default to port-scanning the live hosts.

| Option | Purpose                          |
| ------ | -------------------------------- |
| `-n`   | no DNS lookup                    |
| `-R`   | reverse-DNS lookup for all hosts |
| `-sn`  | host discovery only              |
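The `-oG` output listed under Output Options is the easiest format to post-process. As an added example (not part of the original cheatsheet), the Python parser below reads grepable output from both a `-sn` host-discovery sweep (`Status: Up` lines) and a `-sV` port scan (`Ports:` lines) and builds a simple inventory of live hosts and their open ports; the sample output is constructed, not captured from a real scan.

```python
import re

# Constructed sample of `nmap -sV -oG` output (not from a real scan).
SAMPLE = """# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oG scan.grep 10.10.10.0/24
Host: 10.10.10.1 ()\tStatus: Up
Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 10.10.10.7 (printer.lab.local)\tStatus: Up
Host: 10.10.10.7 (printer.lab.local)\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)
Host: 10.10.10.9 ()\tStatus: Up
# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# Every data line looks like: "Host: <ip> (<hostname>)<TAB>Key: value<TAB>Key: value..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines ("# Nmap ...") carry no host data
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for spec in value.split(", "):
                    # Field order in grepable output: port/state/proto/owner/service/rpc/version/
                    parts = spec.split("/")
                    port, state, proto, service, version = parts[0], parts[1], parts[2], parts[4], parts[6]
                    if state == "open":  # keep only confirmed open ports in the inventory
                        entry["ports"].append((int(port), proto, service, version))
    return hosts


def live_hosts(text):
    """IPs that answered a discovery probe, sorted for stable reporting."""
    return sorted(ip for ip, h in parse_grepable(text).items() if h["up"])


def open_ports(text, ip):
    """Open ports recorded for one host (empty for hosts seen only during -sn discovery)."""
    return parse_grepable(text)[ip]["ports"]


if __name__ == "__main__":
    for ip in live_hosts(SAMPLE):
        print(ip, open_ports(SAMPLE, ip))
```

Nmap only lists hosts that responded unless `-v` is given, so a host missing from the output was either down or filtered, not marked `Down`.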
