Nmap Cheat Sheet V1.0


Scripting Engine
Notable Scripts
Cheat Sheet
-sC Run default scripts
A full list of Nmap Scripting Engine scripts is
available at
Run individual or groups of scripts
SANS Institute
Some particularly useful scripts include:
Use the list of script arguments
dns-zone-transfer: Attempts to pull a zone file
Base Syntax
(AXFR) from a DNS server.
Update script database
# nmap [ScanType] [Options] {targets}
$ nmap --script dns-zone-
transfer.nse --script-args dns-zone-
transfer.domain=<domain> -p53
Target Specification
Script Categories
: :
IPv4 address:
Nmap's script categories include, but are not limited to, the
IPv6 address: AABB:CCDD::FF%eth0
http-robots.txt: Harvests robots.txt files from
Host name:
discovered web servers.
auth: Utilize credentials or bypass authentication on target
IP address range: 192.168.0-255.0-255
$ nmap --script http-robots.txt
CIDR block:
broadcast: Discover hosts not included on command line by
Use file with lists of targets: -iL <filename>
broadcasting on local network.
brute: Attempt to guess passwords on target systems, for a
smb-brute: Attempts to determine valid
variety of protocols, including http, SNMP, IAX, MySQL, VNC,
username and password combinations via
Target Ports
automated guessing.
default: Scripts run automatically when -sC or -A are used.
discovery: Try to learn more information about target hosts
No port range specified scans 1,000 most popular
$ nmap --script smb-brute.nse -p445
through public sources of information, SNMP, directory services,
and more.
dos: May cause denial of service conditions in target hosts.
-F Scan 100 most popular ports
smb-psexec: Attempts to run a series of
exploit: Attempt to exploit target systems.
external: Interact with third-party systems not included in
Port range
programs on the target machine, using
target list.
-p<port1>,<port2>,... Port List
credentials provided as scriptargs.
fuzzer: Send unexpected input in network protocol fields.
Mix TCP and UDP
$ nmap --script smb-psexec.nse –
intrusive: May crash target, consume excessive resources, or
Scan linearly (do not randomize ports)
otherwise impact target machines in a malicious fashion.
malware: Look for signs of malware infection on the target
Scan n most popular ports
--top-ports <n>
-p445 <hosts>
Leaving off initial port in range makes
safe: Designed not to impact target in a negative fashion.
Nmap scan start at port 1
version: Measure the version of software or protocol spoken
by target hosts.
Leaving off end port in range makes
vul: Measure whether target systems have a known
Nmap scan through port 65535
Scan ports 1-65535


00 votes

Related Articles

Related forms

Related Categories

Parent category: Education
Page of 2