πŸ›‘οΈ A handy Nmap cheat sheet for ethical hackers and cybersecurity enthusiasts. Includes common scan types, flags, and usage examples for quick reference.

Daxxtropezz/nmap-cheatsheet

🚀 Ultimate Nmap Cheat Sheet by Daxxtropezz

The most comprehensive Nmap reference guide for network reconnaissance and security testing


🎯 Introduction

This comprehensive cheat sheet provides an extensive reference for Nmap (Network Mapper), the industry-standard tool for network discovery, security auditing, and vulnerability assessment. From basic reconnaissance to advanced evasion techniques, this guide covers it all.


🔧 Installation & Setup

Windows

# Via winget (or download the installer from nmap.org)
winget install Nmap.Nmap
# Or via Chocolatey
choco install nmap

Linux (Debian/Ubuntu)

sudo apt update && sudo apt install nmap

Verify Installation

nmap --version
nmap --script-updatedb  # Update script database

🏁 Quick Start

| Command | Description |
|---------|-------------|
| `nmap target` | Basic scan |
| `nmap 192.168.1.0/24` | Scan entire subnet |
| `nmap -F target` | Fast scan (100 most common ports) |
| `nmap -A target` | Aggressive scan (OS, version, scripts, traceroute) |

πŸ” Host Discovery

Basic Discovery

# Ping sweep (no port scan)
nmap -sn 192.168.1.0/24

# List scan (list targets and resolve them via reverse DNS; no packets are sent to the hosts)
nmap -sL 192.168.1.0/24

# ARP scan (local network)
nmap -PR 192.168.1.0/24

Advanced Discovery Techniques

# TCP SYN ping on multiple ports
nmap -PS21,22,25,53,80,110,443,993,995 target

# TCP ACK ping
nmap -PA80,443 target

# UDP ping
nmap -PU53,67,68,123,161 target

# ICMP ping types
nmap -PE target           # Echo request
nmap -PP target           # Timestamp request
nmap -PM target           # Netmask request

# Skip host discovery (treat all as online)
nmap -Pn target

# Combine multiple ping types
nmap -PS80 -PA3389 -PU40125 target

🔌 Port Scanning Techniques

Basic Port Scans

# TCP SYN scan (half-open; the default when Nmap has raw-socket privileges)
nmap -sS target

# TCP Connect scan (complete handshake; the default for unprivileged users)
nmap -sT target

# UDP scan
nmap -sU target

# Combined TCP/UDP scan
nmap -sS -sU target

Advanced Port Scanning

# TCP FIN scan (bypass simple firewalls)
nmap -sF target

# TCP Xmas scan (FIN, PSH, URG flags)
nmap -sX target

# TCP Null scan (no flags set)
nmap -sN target

# TCP ACK scan (firewall rules detection)
nmap -sA target

# TCP Window scan
nmap -sW target

# TCP Maimon scan
nmap -sM target

# SCTP INIT scan
nmap -sY target

# IP Protocol scan
nmap -sO target
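The flag combinations above are also what a defender can key detection on. As an added example that is not part of the cheat sheet, the Python below classifies TCP probes by flag set into the scan types listed in this section and reports source hosts that sweep many ports; the record format and the sample traffic are constructed assumptions, not output from any real sensor.

```python
from collections import defaultdict

# Nmap probe flag patterns for the scan types listed above (sets of TCP flag letters).
PROBE_TYPES = {
    frozenset(): "null (-sN)",
    frozenset("FPU"): "xmas (-sX)",
    frozenset("F"): "fin (-sF)",
    frozenset("FA"): "maimon (-sM)",
    frozenset("S"): "syn (-sS/-sT)",
    frozenset("A"): "ack (-sA/-sW)",
}
# Flag sets a real TCP stack never sends to a port with no connection: one hit is enough.
ALWAYS_ANOMALOUS = {"null (-sN)", "xmas (-sX)", "fin (-sF)"}

def classify_probe(flags):
    """Map a flag string such as 'S' or 'FPU' to the matching Nmap scan type, else None."""
    return PROBE_TYPES.get(frozenset(flags.upper()))

def detect_scanners(records, min_ports=5):
    """records: (src_ip, dst_ip, dst_port, flags) for segments that belong to no established
    connection (constructed here; a real feed would come from a sensor or firewall log).
    Returns {(src, dst): {scan_type: distinct_port_count}} for pairs that look like a scan.
    SYN/ACK/Maimon probes are legitimate on their own, so they need >= min_ports to count."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind is not None:
            seen[(src, dst)][kind].add(dport)
    hits = {}
    for pair, by_kind in seen.items():
        flagged = {k: len(v) for k, v in by_kind.items()
                   if k in ALWAYS_ANOMALOUS or len(v) >= min_ports}
        if flagged:
            hits[pair] = flagged
    return hits

# Constructed sample: a Null/Xmas sweep from one host, a SYN sweep from another,
# and a single SYN from an ordinary client that must not be flagged.
SAMPLE_RECORDS = [
    ("198.51.100.7", "192.0.2.10", 22, ""),
    ("198.51.100.7", "192.0.2.10", 80, "FPU"),
    ("198.51.100.7", "192.0.2.10", 443, "FPU"),
    ("203.0.113.5", "192.0.2.10", 21, "S"),
    ("203.0.113.5", "192.0.2.10", 22, "S"),
    ("203.0.113.5", "192.0.2.10", 23, "S"),
    ("203.0.113.5", "192.0.2.10", 25, "S"),
    ("203.0.113.5", "192.0.2.10", 80, "S"),
    ("203.0.113.9", "192.0.2.10", 443, "S"),
]
```

A Maimon probe (FIN/ACK) has the same flags as a normal connection close, so it is only suspicious without connection context, which is why the record set is restricted to segments with no established connection.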

Port Specification

# Specific ports
nmap -p 21,22,23,25,53,80,110,443,993,995 target

# Port ranges
nmap -p 1-65535 target
nmap -p- target                    # All ports (same as above)

# Top ports
nmap --top-ports 1000 target

# Exclude ports
nmap -p 1-100 --exclude-ports 80,443 target

# Scan ports sequentially instead of in random order (random order is the default)
nmap -r target

🔬 Service & Version Detection

# Version detection
nmap -sV target

# Intensity levels (0-9)
nmap -sV --version-intensity 9 target

# Light version detection
nmap -sV --version-light target

# Version detection with scripts
nmap -sV -sC target

# Aggressive detection
nmap -A target

# RPC scan (-sR is deprecated and is now just an alias for -sV)
nmap -sR target

🖥️ OS Fingerprinting

# Basic OS detection
nmap -O target

# Aggressive OS detection
nmap -O --osscan-guess target

# Limit OS detection to promising targets
nmap -O --osscan-limit target

# Maximum retries for OS detection
nmap -O --max-os-tries 2 target

📜 NSE Scripting Engine

Script Categories

# Default scripts
nmap -sC target
nmap --script default target

# Vulnerability scripts
nmap --script vuln target

# Malware detection
nmap --script malware target

# Discovery scripts
nmap --script discovery target

# Brute force scripts
nmap --script brute target

# Exploitation scripts
nmap --script exploit target

Specific Scripts

# HTTP enumeration
nmap --script http-enum target

# SMB enumeration
nmap --script smb-enum-shares,smb-enum-users target

# DNS enumeration
nmap --script dns-brute target

# SSL/TLS analysis
nmap --script ssl-enum-ciphers -p 443 target

# Database enumeration
nmap --script mysql-enum,oracle-enum,ms-sql-enum target

# FTP enumeration
nmap --script ftp-anon,ftp-bounce target

Script Arguments

# Pass arguments to scripts
nmap --script http-enum --script-args http-enum.basepath=/admin/ target

# Multiple script arguments
nmap --script smb-brute --script-args userdb=users.txt,passdb=pass.txt target

πŸ›‘οΈ Vulnerability Assessment

Comprehensive Vulnerability Scans

# All vulnerability scripts
nmap --script vuln target

# Specific vulnerability categories
nmap --script "vuln and safe" target
nmap --script "vuln and not dos" target

# CVE-specific scans
nmap --script "cve-2017-*" target

# Web application vulnerabilities
nmap --script http-vuln-* target

# SSL vulnerabilities
nmap --script ssl-heartbleed,ssl-poodle,ssl-dh-params target

Database Vulnerabilities

# MySQL vulnerabilities
nmap --script mysql-vuln-cve2012-2122 target

# MS-SQL vulnerabilities
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell target

# Oracle vulnerabilities
nmap --script oracle-enum-users,oracle-sid-brute target

🥷 Stealth & Evasion

Timing Templates

# Paranoid (very slow, IDS evasion)
nmap -T0 target

# Sneaky (slow, IDS evasion)
nmap -T1 target

# Polite (slower, less bandwidth)
nmap -T2 target

# Normal (default)
nmap -T3 target

# Aggressive (faster, assumes fast network)
nmap -T4 target

# Insane (very fast, may miss results)
nmap -T5 target

Firewall Evasion

# Fragment packets (harder for simple, non-reassembling packet filters to inspect)
nmap -f target                     # 8-byte fragments
nmap -ff target                    # 16-byte fragments

# MTU specification
nmap --mtu 24 target

# Decoy scans
nmap -D RND:10 target              # 10 random decoys
nmap -D decoy1,decoy2,ME,decoy3 target

# Source port spoofing
nmap --source-port 53 target
nmap -g 53 target                  # Same as above

# Spoof MAC address
nmap --spoof-mac 0 target          # Random MAC
nmap --spoof-mac Apple target      # Apple MAC
nmap --spoof-mac 00:01:02:03:04:05 target

# Idle zombie scan
nmap -sI zombie_host target

# Data length
nmap --data-length 25 target

# Randomize target order
nmap --randomize-hosts target1 target2 target3

Advanced Evasion

# Bad checksum (bypass some firewalls)
nmap --badsum target

# Append a custom string to sent packets (--data-length appends random bytes instead)
nmap --data-string "random_string" target

# Custom IP options (here: loose source routing through two hops)
nmap --ip-options "L 192.168.1.1 192.168.1.2" target

# Send packets with specific TTL
nmap --ttl 64 target

⚡ Performance Optimization

Parallelization

# Probe parallelization (outstanding probes per host group; host parallelism is set by the hostgroup options below)
nmap --min-parallelism 100 --max-parallelism 256 target

# Host group sizes
nmap --min-hostgroup 50 --max-hostgroup 100 target

# Scan delay
nmap --scan-delay 1s target
nmap --max-scan-delay 10s target

# Rate limiting
nmap --min-rate 1000 target
nmap --max-rate 5000 target

Timeout Controls

# Host timeout
nmap --host-timeout 5m target

# Round-trip timeout
nmap --min-rtt-timeout 100ms --max-rtt-timeout 1s target

# Retries
nmap --max-retries 3 target

📊 Output & Reporting

Output Formats

# Normal output
nmap -oN scan_results.txt target

# XML output
nmap -oX scan_results.xml target

# Grepable output
nmap -oG scan_results.grep target

# Script kiddie output
nmap -oS scan_results.skid target

# All formats
nmap -oA scan_results target

# Append to file
nmap -oN scan_results.txt --append-output target
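Once results are written as XML (`-oX`), they can be processed programmatically. As an added example that is not the cheat sheet's own code, the Python below parses a constructed, abridged Nmap XML document into open ports with service details and the port-state reason, and diffs two parsed runs to surface newly opened ports; the sample XML and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample of nmap -oX output (not from a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sU -oX scan.xml 192.0.2.10" version="7.94">
 <host><status state="up" reason="syn-ack"/>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
    <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
    <service name="http" product="nginx" version="1.18.0"/></port>
   <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
   <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
    <service name="snmp"/></port>
  </ports></host>
</nmaprun>"""

def open_ports(xml_text, include_open_filtered=False):
    """Return {address: [port dicts]} for ports reported open (optionally open|filtered too)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                      # fall back to an IPv6 or MAC address entry
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None:
                continue
            st = state.get("state")
            if st != "open" and not (include_open_filtered and st == "open|filtered"):
                continue
            svc = port.find("service")           # absent when -sV found nothing
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            entries.append({"proto": port.get("protocol"), "port": int(port.get("portid")),
                            "state": st, "reason": state.get("reason"),
                            "service": get("name"), "product": get("product"),
                            "version": get("version")})
        results[addr] = entries
    return results

def new_open_ports(baseline, current):
    """Set of (address, proto, port) open in `current` but not in `baseline`, i.e. the
    change a defender wants to see from a scheduled rescan against a known baseline."""
    def keys(res):
        return {(a, p["proto"], p["port"]) for a, ports in res.items() for p in ports}
    return keys(current) - keys(baseline)
```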

Verbose Output

# Verbose mode
nmap -v target

# Very verbose
nmap -vv target

# Debug mode
nmap -d target
nmap -dd target                    # More debug info

# Show only open ports
nmap --open target

# Show packet trace
nmap --packet-trace target

# Show reason for port state
nmap --reason target

🎭 Advanced Techniques

IPv6 Scanning

# IPv6 scan
nmap -6 target

# IPv6 ping sweep
nmap -6 -sn 2001:db8::/32

Proxy Chains

# SOCKS4 proxy
nmap --proxies socks4://proxy:1080 target

# HTTP proxy
nmap --proxies http://proxy:8080 target

# Chain multiple proxies
nmap --proxies socks4://proxy1:1080,http://proxy2:8080 target

Advanced NSE Usage

# Update script database
nmap --script-updatedb

# Show help for scripts (here: every script in the vuln category)
nmap --script-help vuln

# Trace script traffic (shows all data NSE scripts send and receive)
nmap --script vuln --script-trace target

# Script categories
nmap --script "not intrusive" target
nmap --script "default or safe" target
nmap --script "default and safe" target

🔥 One-Liners for Pros

Network Reconnaissance

# Complete network discovery and service enumeration
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 192.168.1.0/24

# Stealth scan with vulnerability assessment
nmap -sS -T2 -f --source-port 53 --script "vuln and not dos" target

# Fast web service enumeration
nmap -p 80,443,8080,8443 --script http-enum,http-headers,http-methods,http-title target

# Comprehensive SMB enumeration
nmap -p 445 --script smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery target

# Database service discovery
nmap -sV --script "mysql-* or oracle-* or ms-sql-*" -p 1433,1521,3306,5432 target

Penetration Testing

# Full vulnerability assessment
nmap -sS -sU -T4 -A -v --script "default or (vuln and safe)" --script-args=unsafe=1 target

# Exploit validation scan
nmap --script "exploit" --script-args=unsafe=1 target

# Brute force common services
nmap --script "brute" --script-args userdb=users.txt,passdb=passwords.txt target

# Advanced evasion scan
nmap -sS -T1 -f -D RND:10 --source-port 53 --data-length 32 --spoof-mac 0 target

⚠️ Legal Disclaimer

WARNING: Only use these commands on networks you own or have explicit permission to test. Unauthorized network scanning may be illegal in your jurisdiction. Always follow responsible disclosure practices.


🤝 Contributing

Found a cool Nmap technique? Have suggestions for improvement?


📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


Made with ❤️ for the InfoSec Community
