Nmap Cheatsheet

Default Ports: N/A (scanner tool)


Scan Types

Flag   Description
-sS    SYN scan (stealth, default with root)
-sT    TCP connect scan (no root needed)
-sU    UDP scan
-sV    Service/version detection
-sC    Default scripts
-sA    ACK scan (firewall mapping)
-sN    NULL scan
-sF    FIN scan
-sX    Xmas scan
-sn    Ping sweep (no port scan)
-O     OS detection
-A     Aggressive (OS + version + scripts + traceroute)

Port Specification

nmap -p 22               # Single port
nmap -p 22,80,443        # Multiple ports
nmap -p 1-1024           # Port range
nmap -p-                 # All 65535 ports
nmap --top-ports 1000    # Top 1000 ports
nmap -F                  # Fast scan (top 100)

Timing Templates

Flag   Name         Description
-T0    Paranoid     IDS evasion, very slow
-T1    Sneaky       Slow, IDS evasion
-T2    Polite       Slower, less bandwidth
-T3    Normal       Default
-T4    Aggressive   Faster, reliable network
-T5    Insane       Very fast, may miss results

Output Formats

nmap -oN output.txt      # Normal output
nmap -oX output.xml      # XML output
nmap -oG output.gnmap    # Grepable output
nmap -oA output          # All formats at once

Host Discovery

nmap -sn 192.168.1.0/24               # Ping sweep
nmap -PS22,80,443 192.168.1.0/24      # TCP SYN ping
nmap -PA80 192.168.1.0/24             # TCP ACK ping
nmap -PU53 192.168.1.0/24             # UDP ping
nmap -PE 192.168.1.0/24               # ICMP echo ping
nmap --disable-arp-ping 192.168.1.1   # Skip ARP discovery

Evasion & Spoofing

nmap -D RND:5 <target>              # Decoy scan (5 random decoys)
nmap -D decoy1,decoy2 <target>      # Named decoys
nmap -S <spoof-ip> <target>         # Spoof source IP
nmap --spoof-mac 0 <target>         # Random MAC spoof
nmap -f <target>                    # Fragment packets
nmap --mtu 24 <target>              # Custom MTU (must be multiple of 8)
nmap --data-length 25 <target>      # Append random data to packets
nmap --scan-delay 5s <target>       # Delay between probes
nmap -sI <zombie> <target>          # Idle/zombie scan
nmap --proxies socks4://host:port   # Route through proxy

NSE Scripts

nmap --script=<name> <target>              # Run specific script
nmap --script=<category> <target>          # Run entire category
nmap --script-help=<name>                  # Get help for a script
nmap --script-updatedb                     # Update script database

# Script categories:
# auth, broadcast, brute, default, discovery,
# dos, exploit, external, fuzzer, intrusive,
# malware, safe, version, vuln

Common Scan Combos

# Quick full port scan
nmap -p- --min-rate 5000 -T4 <target>

# Detailed enum after port discovery
nmap -p <ports> -sV -sC -O <target>

# Aggressive all-in-one
nmap -A -p- <target>

# Stealth SYN + version detection
nmap -sS -sV -p- -T4 <target>

# UDP top ports
nmap -sU --top-ports 100 <target>

# Vulnerability scan
nmap --script vuln <target>

# Banner grabbing
nmap -sV --script banner <target>