
Nmap Cheatsheet

Feb 14, 2024
4 min read
lawbyte

Nmap is the foundation of every network engagement. This cheatsheet covers every scan type, timing option, NSE category, and evasion technique you’ll need — organized for quick lookup during pentests and CTF challenges.

Target Specification

nmap 192.168.1.1                           # single IP
nmap 192.168.1.1-254                       # IP range
nmap 192.168.1.0/24                        # CIDR
nmap 10.0.0.0/8                            # entire class A
nmap -iL targets.txt                       # from file
nmap --exclude 192.168.1.5 192.168.1.0/24  # exclude one host from the range
nmap 192.168.1.1 192.168.1.2               # multiple targets

# Random targets
nmap -iR 100 --open                        # 100 random internet hosts

Scan Types

# TCP SYN scan (default, requires root)
nmap -sS 192.168.1.1

# TCP connect scan (no root needed, slower, noisier)
nmap -sT 192.168.1.1

# UDP scan (slow, requires root)
nmap -sU 192.168.1.1

# Combine TCP SYN + UDP
nmap -sS -sU 192.168.1.1

# ACK scan (firewall mapping — see what's filtered vs unfiltered)
nmap -sA 192.168.1.1

# Window scan (like ACK scan, but reads the TCP window field of RST replies to tell open from closed)
nmap -sW 192.168.1.1

# FIN scan (IDS evasion — RFC 793 compliant)
nmap -sF 192.168.1.1

# Xmas scan (FIN + PSH + URG — IDS evasion)
nmap -sX 192.168.1.1

# Null scan (no flags set; per RFC 793 closed ports reply RST while open ports stay silent)
nmap -sN 192.168.1.1

# SCTP INIT scan
nmap -sY 192.168.1.1

# IP protocol scan
nmap -sO 192.168.1.1

# Ping scan only (no port scan)
nmap -sn 192.168.1.0/24
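
The scan types above leave characteristic traces on the target side: a bare SYN that is never followed by an ACK from the same source (what -sS leaves behind), or flag combinations no real client sends (-sN, -sX, -sF). The block below is an added example, not part of the original cheatsheet, of detection logic run over a constructed, simplified connection log. The log format, the thresholds, the addresses and the finding names are all assumptions. It also covers the destination-side view of a decoy scan (-D, from the Firewall / IDS Evasion section further down), where the per-source count is spread over several apparent sources.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Format, one probe per line:
#   <epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>
# <tcp_flags> lists the set flags as letters (S, A, F, P, U, R), "-" for none.
# 10.0.0.7 behaves like -sS, 10.0.0.8 like -sX, 10.0.0.9 like -sN, and
# 10.0.0.20 is a normal client that completes the handshake to one port.
SAMPLE_LOG = """\
1700000000 10.0.0.7 192.168.1.10 21 S
1700000000 10.0.0.7 192.168.1.10 22 S
1700000000 10.0.0.7 192.168.1.10 23 S
1700000001 10.0.0.7 192.168.1.10 80 S
1700000001 10.0.0.7 192.168.1.10 443 S
1700000001 10.0.0.7 192.168.1.10 3389 S
1700000002 10.0.0.8 192.168.1.10 22 FPU
1700000002 10.0.0.8 192.168.1.10 80 FPU
1700000003 10.0.0.9 192.168.1.10 22 -
1700000004 10.0.0.20 192.168.1.10 443 S
1700000004 10.0.0.20 192.168.1.10 443 A
1700000005 10.0.0.20 192.168.1.10 443 PA
"""

# Constructed decoy-style log: six apparent sources (as with -D RND:5 plus ME)
# each send a single bare SYN to the same host, so no single source crosses
# the per-source threshold.
DECOY_LOG = """\
1700000100 10.0.0.31 192.168.1.20 22 S
1700000100 10.0.0.32 192.168.1.20 25 S
1700000100 10.0.0.33 192.168.1.20 80 S
1700000101 10.0.0.34 192.168.1.20 110 S
1700000101 10.0.0.35 192.168.1.20 143 S
1700000101 10.0.0.36 192.168.1.20 443 S
"""


def parse_line(line):
    """Split one log line into (ts, src, dst, dport, flag_set)."""
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), set() if flags == "-" else set(flags)


def classify_flags(flags):
    """Name the flag combinations sent by the flag-based scans (-sN, -sX, -sF)."""
    if not flags:
        return "null-scan"
    if flags == {"F", "P", "U"}:
        return "xmas-scan"
    if flags == {"F"}:
        return "fin-scan"
    return None


def detect_scans(log_text, syn_threshold=5, decoy_threshold=5):
    """Return sorted (src, kind, dst, count) findings for the log text.

    One source leaving half-open SYNs on many ports of one host is reported as
    a SYN scan; many sources leaving half-open SYNs on one host is reported as
    multi-source, which is how a decoy scan looks from the destination.
    """
    syn_ports = defaultdict(set)    # (src, dst) -> ports probed with a bare SYN
    acked_ports = defaultdict(set)  # (src, dst) -> ports the source later ACKed
    odd_flags = defaultdict(set)    # (src, dst, kind) -> ports hit by odd flag sets
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, flags = parse_line(line)
        if flags == {"S"}:
            syn_ports[(src, dst)].add(dport)
        elif "A" in flags:
            acked_ports[(src, dst)].add(dport)
        kind = classify_flags(flags)
        if kind:
            odd_flags[(src, dst, kind)].add(dport)

    findings = []
    sources_per_dst = defaultdict(set)
    for (src, dst), ports in syn_ports.items():
        half_open = ports - acked_ports.get((src, dst), set())
        if not half_open:
            continue  # handshake completed: ordinary client traffic
        sources_per_dst[dst].add(src)
        if len(half_open) >= syn_threshold:
            findings.append((src, "syn-scan", dst, len(half_open)))
    for dst, sources in sources_per_dst.items():
        if len(sources) >= decoy_threshold:
            findings.append(("*", "multi-source-syn", dst, len(sources)))
    for (src, dst, kind), ports in odd_flags.items():
        findings.append((src, kind, dst, len(ports)))
    return sorted(findings)


if __name__ == "__main__":
    for log in (SAMPLE_LOG, DECOY_LOG):
        for src, kind, dst, count in detect_scans(log):
            print(f"{kind:17} src={src:10} dst={dst} count={count}")
```

Two limits worth knowing before relying on this: a connect scan (-sT) completes the handshake, so the half-open heuristic never sees it and only a distinct-port count per source over a long window catches it; and a slow scan (-T0 with --scan-delay) only shows up if the log window you feed in is long enough to hold the whole scan.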

Port Specification

nmap -p 22 192.168.1.1                # single port
nmap -p 22,80,443 192.168.1.1         # multiple ports
nmap -p 1-1024 192.168.1.1            # port range
nmap -p- 192.168.1.1                  # all 65535 ports
nmap -p U:53,T:80,443 192.168.1.1     # mixed UDP/TCP
nmap -p http,ftp 192.168.1.1          # by service name
nmap --top-ports 1000 192.168.1.1     # most common 1000
nmap --top-ports 100 192.168.1.1      # most common 100
nmap -F 192.168.1.1                   # fast — top 100

Service & Version Detection

# Version detection
nmap -sV 192.168.1.1

# Intensity (0-9, higher = more probes)
nmap -sV --version-intensity 9 192.168.1.1

# Aggressive version detection
nmap -sV --version-all 192.168.1.1

# OS detection (requires root)
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1 # aggressive guess

Timing Templates

-T0   # Paranoid — IDS evasion, very slow
-T1   # Sneaky — slow, lower risk of detection
-T2   # Polite — slows to avoid bandwidth issues
-T3   # Normal — default
-T4   # Aggressive — faster, assumes reliable network
-T5   # Insane — very fast, may miss open ports

Fine-grained timing:

--min-rate 1000          # at least 1000 packets/sec
--max-rate 500           # at most 500 packets/sec
--min-parallelism 100    # minimum parallel probes
--max-retries 2          # fewer retries = faster
--host-timeout 5m        # give up on host after 5 min
--scan-delay 200ms       # wait 200ms between probes

Host Discovery

# ICMP echo ping
nmap -PE 192.168.1.0/24

# TCP SYN ping (no ICMP)
nmap -PS22,80,443 192.168.1.0/24

# TCP ACK ping
nmap -PA80 192.168.1.0/24

# UDP ping
nmap -PU53 192.168.1.0/24

# ARP ping (fast, layer 2, LAN only)
nmap -PR 192.168.1.0/24

# No ping — treat all hosts as up (for firewalled hosts)
nmap -Pn 192.168.1.1

# ICMP timestamp ping
nmap -PP 192.168.1.0/24

NSE — Nmap Scripting Engine

# Run default scripts
nmap -sC 192.168.1.1

# Run specific script
nmap --script=http-title 192.168.1.1

# Run multiple scripts
nmap --script=http-title,http-headers 192.168.1.1

# Run script category
nmap --script=vuln 192.168.1.1         # vulnerability checks
nmap --script=auth 192.168.1.1         # authentication credentials and bypass checks
nmap --script=brute 192.168.1.1        # brute force
nmap --script=exploit 192.168.1.1      # exploitation
nmap --script=safe 192.168.1.1         # non-intrusive
nmap --script=discovery 192.168.1.1    # service discovery
nmap --script=intrusive 192.168.1.1    # may crash services

# With script arguments
nmap --script=http-brute \
--script-args=http-brute.path=/admin,http-brute.method=POST \
192.168.1.1

# Update NSE database
nmap --script-updatedb

Useful NSE scripts

# Web
nmap --script=http-enum -p 80,443 target.com # directory enum
nmap --script=http-shellshock -p 80 target.com # shellshock
nmap --script=http-sql-injection target.com # SQLi detection
nmap --script=http-auth-finder target.com # auth methods
nmap --script=http-vuln-cve2017-5638 target.com # Struts RCE

# SMB
nmap --script=smb-vuln-ms17-010 -p 445 target.com # EternalBlue
nmap --script=smb-enum-shares -p 445 target.com # list shares
nmap --script=smb-brute -p 445 target.com # brute credentials
nmap --script=smb-os-discovery target.com # OS via SMB

# SSH
nmap --script=ssh-auth-methods -p 22 target.com
nmap --script=ssh-brute -p 22 target.com

# DNS
nmap --script=dns-zone-transfer -p 53 target.com
nmap --script=dns-brute target.com

# SSL/TLS
nmap --script=ssl-enum-ciphers -p 443 target.com
nmap --script=ssl-heartbleed -p 443 target.com # Heartbleed
nmap --script=ssl-poodle -p 443 target.com

# FTP
nmap --script=ftp-anon -p 21 target.com # anonymous login
nmap --script=ftp-bounce -p 21 target.com # FTP bounce

# MySQL / MSSQL / PostgreSQL
nmap --script=mysql-empty-password -p 3306 target.com
nmap --script=ms-sql-info -p 1433 target.com
nmap --script=pgsql-brute -p 5432 target.com

Firewall / IDS Evasion

# Fragment packets
nmap -f 192.168.1.1 # 8-byte fragments
nmap -ff 192.168.1.1 # 16-byte fragments
nmap --mtu 24 192.168.1.1 # custom MTU

# Decoy scan (hide among fake IPs)
nmap -D RND:10 192.168.1.1 # 10 random decoys
nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1 # specific decoys

# Spoof source IP (only works if routable back)
nmap -S 10.0.0.5 192.168.1.1

# Spoof source port
nmap --source-port 53 192.168.1.1
nmap -g 53 192.168.1.1 # same thing

# Slow scan (evade threshold-based detection)
nmap -T0 --scan-delay 10s 192.168.1.1

# Randomize host order (port order is already randomized by default; -r scans ports sequentially)
nmap --randomize-hosts 192.168.1.0/24

# Append random data to packets
nmap --data-length 25 192.168.1.1

# Use specific interface
nmap -e eth0 192.168.1.1

# IPv6
nmap -6 fe80::1

Output Formats

nmap -oN output.txt 192.168.1.1     # normal (human readable)
nmap -oX output.xml 192.168.1.1     # XML (the format to parse programmatically)
nmap -oG output.gnmap 192.168.1.1   # grepable
nmap -oA output 192.168.1.1         # all three formats
nmap -oS output.txt 192.168.1.1     # "script kiddie" joke format (Nmap has no native JSON output; convert the XML)
nmap -v 192.168.1.1                 # verbose
nmap -vv 192.168.1.1                # more verbose
nmap -d 192.168.1.1                 # debug

Parse grepable output:

# Extract host IP and open ports (port/proto) from grepable output
grep "/open/" output.gnmap | awk '{for (i = 3; i <= NF; i++) if ($i ~ /\/open\//) {split($i, p, "/"); print $2, p[1] "/" p[3]}}'

# List all IPs with port 80 open (the leading space keeps 8080 from matching)
grep " 80/open/" output.gnmap | awk '{print $2}'
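
Grepable output is fine for one-liners, but the XML from -oX (or -oA) is what to feed a script, for instance to diff today's scan against a baseline and alert on newly exposed services. The block below is an added example, not part of the original cheatsheet, using only the standard library. The element and attribute names (nmaprun, host, status, address, ports, port, state, service, portid, addrtype) are those Nmap writes in its XML output; the two scan documents, the addresses and the services in them are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed baseline scan in Nmap's -oX format, trimmed to the elements this
# parser reads: one host up with 22 and 80 open and 3306 filtered, one host down.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed later scan: 80 has gone away, 443 and 3306 are now open, and
# 192.168.1.11 has come up with SMB exposed.
TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Map each host that is up to {(proto, port): service description} for its open ports."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts carry no port data worth diffing
        services = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            key = (port.get("protocol"), int(port.get("portid")))
            services[key] = " ".join(p for p in parts if p) or "unknown"
        inventory[addr.get("addr")] = services
    return inventory


def diff_scans(before, after):
    """Return (newly_open, newly_closed) as sorted lists of (ip, proto, port)."""
    newly_open, newly_closed = [], []
    for ip in set(before) | set(after):
        old = set(before.get(ip, {}))
        new = set(after.get(ip, {}))
        newly_open += [(ip, proto, port) for proto, port in new - old]
        newly_closed += [(ip, proto, port) for proto, port in old - new]
    return sorted(newly_open), sorted(newly_closed)


if __name__ == "__main__":
    opened, closed = diff_scans(open_ports(BASELINE_XML), open_ports(TODAY_XML))
    for ip, proto, port in opened:
        print(f"NEW    {ip} {port}/{proto}")
    for ip, proto, port in closed:
        print(f"CLOSED {ip} {port}/{proto}")
```

Run it against real files with `open_ports(open("baseline.xml").read())`; the diff treats a host that has gone from down to up as entirely new exposure, which is usually what an inventory alert should say.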

Common One-Liners

# Full recon on single host
nmap -sV -sC -O -p- --min-rate 5000 -oA full_scan 192.168.1.1

# Quick discovery sweep (-n skips reverse DNS so the last field is always the bare IP)
nmap -sn -n -T4 192.168.1.0/24 | grep "Nmap scan report" | awk '{print $NF}'

# Find all web servers on a range
nmap -p 80,443,8080,8443 --open -T4 192.168.1.0/24

# EternalBlue check across subnet
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.0/24

# UDP top 100
nmap -sU --top-ports 100 -T4 192.168.1.1

# Stealth scan through firewall
nmap -sS -T2 -f --source-port 53 --data-length 20 -D RND:5 192.168.1.1

# CTF box
nmap -sV -sC -p- --min-rate 10000 10.10.10.1
