Nmap cheat sheet

Nmap Cheat Sheet: From Beginner to Expert Pentesters

Basic Scanning #

• Scan a single host:bashCopyEditnmap 192.168.1.1
• Scan multiple hosts:bashCopyEditnmap 192.168.1.1 192.168.1.2 192.168.1.3
• Scan a subnet:bashCopyEditnmap 192.168.1.0/24
• Scan a range of IPs:bashCopyEditnmap 192.168.1.1-100
• Scan a domain:bashCopyEditnmap example.com

Port Scanning #

• Scan common ports (default):bashCopyEditnmap -F 192.168.1.1
• Scan specific ports:bashCopyEditnmap -p 22,80,443 192.168.1.1
• Scan all 65,535 ports:bashCopyEditnmap -p- 192.168.1.1
• Scan UDP ports:bashCopyEditnmap -sU -p 53,161 192.168.1.1
• Scan top 1000 ports faster:bashCopyEditnmap --top-ports 100 192.168.1.1

Advanced Scanning #

• Service and version detection:bashCopyEditnmap -sV 192.168.1.1
• OS detection:bashCopyEditnmap -O 192.168.1.1
• Aggressive scan (OS, version, scripts, traceroute):bashCopyEditnmap -A 192.168.1.1
• Scan with NSE (Nmap Scripting Engine):bashCopyEditnmap --script=vuln 192.168.1.1

Firewall Evasion & Stealth Scanning #

• Fragment packets to bypass IDS/IPS:bashCopyEditnmap -f 192.168.1.1
• Randomize scan order:bashCopyEditnmap -r 192.168.1.1
• Decoy scan (confuses IDS):bashCopyEditnmap -D RND:10 192.168.1.1
• Scan with spoofed source IP:bashCopyEditnmap -S 192.168.1.100 192.168.1.1
• Scan using a fake MAC address:bashCopyEditnmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
• Idle scan (completely stealthy):bashCopyEditnmap -sI zombie_host 192.168.1.1

Bypassing Firewalls #

• Use NULL scan (no TCP flags):bashCopyEditnmap -sN 192.168.1.1
• Use FIN scan:bashCopyEditnmap -sF 192.168.1.1
• Use XMAS scan:bashCopyEditnmap -sX 192.168.1.1
• Use slow scan to avoid detection:bashCopyEditnmap -T2 192.168.1.1
• Use an HTTP proxy to scan:bashCopyEditnmap --proxies http://proxy:8080 192.168.1.1

NSE (Nmap Scripting Engine) #

• Detect vulnerabilities:bashCopyEditnmap --script=vuln 192.168.1.1
• Check for SMB vulnerabilities:bashCopyEditnmap --script=smb-vuln* 192.168.1.1
• Run multiple scripts:bashCopyEditnmap --script=http-enum,ftp-anon 192.168.1.1
• Scan for CVE exploits:bashCopyEditnmap --script=vulners 192.168.1.1

Network Mapping & Host Discovery #

• List live hosts (no port scan):bashCopyEditnmap -sn 192.168.1.0/24
• Find open ports without pinging first:bashCopyEditnmap -Pn 192.168.1.1
• Traceroute with Nmap:bashCopyEditnmap --traceroute 192.168.1.1

Saving and Exporting Results #

• Save output in normal format:bashCopyEditnmap -oN output.txt 192.168.1.1
• Save output in XML format:bashCopyEditnmap -oX output.xml 192.168.1.1
• Save output in all formats:bashCopyEditnmap -oA scan_results 192.168.1.1
• View Nmap XML output in a readable format:bashCopyEditcat output.xml | xsltproc -o output.html

Scan Timing and Performance #

• Scan as fast as possible:bashCopyEditnmap -T5 192.168.1.1
• Paranoid scan (avoiding detection):bashCopyEditnmap -T0 192.168.1.1
• Aggressive scan (faster but noisy):bashCopyEditnmap -T4 192.168.1.1

Evading Intrusion Detection Systems (IDS) #

• Use random port scanning:bashCopyEditnmap -p- -T2 --randomize-hosts 192.168.1.1
• Scan with minimum packets per second:bashCopyEditnmap --min-rate 10 192.168.1.1

Detecting Honeypots #

• Check for honeypots:bashCopyEditnmap --script=honeypot-detect 192.168.1.1

Brute-Forcing with NSE #

• Brute force SSH login:bashCopyEditnmap --script=ssh-brute -p 22 192.168.1.1
• Brute force HTTP authentication:bashCopyEditnmap --script=http-brute -p 80 192.168.1.1
• Brute force MySQL login:bashCopyEditnmap --script=mysql-brute -p 3306 192.168.1.1