Nmap

# Nmap Cheatsheet

**Default Ports:** N/A (scanner tool)

## Scan Types

| Flag | Description |
| --- | --- |
| `-sS` | SYN scan (stealth, default with root) |
| `-sT` | TCP connect scan (no root needed) |
| `-sU` | UDP scan |
| `-sV` | Service/version detection |
| `-sC` | Default scripts |
| `-sA` | ACK scan (firewall mapping) |
| `-sN` | NULL scan |
| `-sF` | FIN scan |
| `-sX` | Xmas scan |
| `-sn` | Ping sweep (no port scan) |
| `-O` | OS detection |
| `-A` | Aggressive (OS + version + scripts + traceroute) |

## Port Specification

```bash
nmap -p 22              # Single port
nmap -p 22,80,443       # Multiple ports
nmap -p 1-1024          # Port range
nmap -p-                # All 65535 ports
nmap --top-ports 1000   # Top 1000 ports
nmap -F                 # Fast scan (top 100)
```

## Timing Templates

| Flag | Name | Description |
| --- | --- | --- |
| `-T0` | Paranoid | IDS evasion, very slow |
| `-T1` | Sneaky | Slow, IDS evasion |
| `-T2` | Polite | Slower, less bandwidth |
| `-T3` | Normal | Default |
| `-T4` | Aggressive | Faster, reliable network |
| `-T5` | Insane | Very fast, may miss results |

## Output Formats

```bash
nmap -oN output.txt     # Normal output
nmap -oX output.xml     # XML output
nmap -oG output.gnmap   # Grepable output
nmap -oA output         # All formats at once
```

## Host Discovery

```bash
nmap -sn 192.168.1.0/24                 # Ping sweep
nmap -PS22,80,443 192.168.1.0/24        # TCP SYN ping
nmap -PA80 192.168.1.0/24               # TCP ACK ping
nmap -PU53 192.168.1.0/24               # UDP ping
nmap -PE 192.168.1.0/24                 # ICMP echo ping
nmap --disable-arp-ping 192.168.1.1     # Skip ARP discovery
```

## Evasion & Spoofing

```bash
nmap -D RND:5 <target>              # Decoy scan (5 random decoys)
nmap -D decoy1,decoy2 <target>      # Named decoys
nmap -S <spoof-ip> <target>         # Spoof source IP
nmap --spoof-mac 0 <target>         # Random MAC spoof
nmap -f <target>                    # Fragment packets
nmap --mtu 24 <target>              # Custom MTU (must be multiple of 8)
nmap --data-length 25 <target>      # Append random data to packets
nmap --scan-delay 5s <target>       # Delay between probes
nmap -sI <zombie> <target>          # Idle/zombie scan
nmap --proxies socks4://host:port   # Route through proxy
```

## NSE Scripts

```bash
nmap --script=<name> <target>       # Run specific script
nmap --script=<category> <target>   # Run entire category
nmap --script-help=<name>           # Get help for a script
nmap --script-updatedb              # Update script database

# Script categories:
#   auth, broadcast, brute, default, discovery,
#   dos, exploit, external, fuzzer, intrusive,
#   malware, safe, version, vuln
```

## Common Scan Combos

```bash
# Quick full port scan
nmap -p- --min-rate 5000 -T4 <target>

# Detailed enum after port discovery
nmap -p <ports> -sV -sC -O <target>

# Aggressive all-in-one
nmap -A -p- <target>

# Stealth SYN + version detection
nmap -sS -sV -p- -T4 <target>

# UDP top ports
nmap -sU --top-ports 100 <target>

# Vulnerability scan
nmap --script vuln <target>

# Banner grabbing
nmap -sV --script banner <target>
```

2 min · d3vilsec