Nmap Cheat Sheet

Network Discovery. Port Scanning. Security Assessment.

Master network reconnaissance with Nmap (Network Mapper). Your complete reference guide to port scanning, service detection, OS fingerprinting, and vulnerability assessment. From basic discovery to advanced stealth techniques.

🔍 What is Nmap?

Nmap is a powerful network discovery and security auditing tool used to discover hosts, services, and vulnerabilities across networks. It's essential for network administrators, security professionals, and ethical hackers.

650+ NSE scripts · 15+ scan types · expert-level tool

🎯 Basic Discovery & Host Detection

Essential commands for network discovery and host enumeration

Basic
nmap 192.168.1.1
Basic scan of a single host
Basic
nmap 192.168.1.0/24
Scan entire subnet (CIDR notation)
Basic
nmap 192.168.1.1-50
Scan IP range (1 through 50)
Basic
nmap -sn 192.168.1.0/24
Ping sweep - discover live hosts only (no port scan)
Basic
nmap -Pn 192.168.1.1
Skip host discovery - assume host is online

🔍 Port Scanning Techniques

Different scanning methods for various scenarios

Scanning
nmap -sS 192.168.1.1
TCP SYN scan (half-open "stealth" scan) - the default scan type when Nmap runs with raw-socket privileges (root); without them Nmap falls back to -sT
Scanning
nmap -sT 192.168.1.1
TCP connect scan (full connection)
Scanning
nmap -sU 192.168.1.1
UDP scan (slower but important for UDP services)
Stealth
nmap -sF 192.168.1.1
FIN scan - send FIN packets
Stealth
nmap -sN 192.168.1.1
NULL scan - send packets with no flags
Stealth
nmap -sX 192.168.1.1
XMAS scan - send FIN, PSH, and URG flags

🎯 Port Specification & Timing

Control which ports to scan and scan timing

Basic
nmap -p 22,80,443 192.168.1.1
Scan specific ports
Basic
nmap -p 1-1000 192.168.1.1
Scan port range 1-1000
Basic
nmap -p- 192.168.1.1
Scan all 65535 ports
Advanced
nmap -T4 192.168.1.1
Aggressive timing (T0=Paranoid, T5=Insane)
Basic
nmap --top-ports 100 192.168.1.1
Scan top 100 most common ports
Basic
nmap -F 192.168.1.1
Fast scan - top 100 ports only

🔧 Service & Version Detection

Identify services and their versions

Advanced
nmap -sV 192.168.1.1
Service version detection
Advanced
nmap -O 192.168.1.1
OS detection
Advanced
nmap -A 192.168.1.1
Aggressive scan (OS, version, script, traceroute)
Advanced
nmap --version-intensity 9 192.168.1.1
Maximum version detection intensity (0-9)
Advanced
nmap --osscan-guess 192.168.1.1
Guess OS more aggressively

📜 NSE Scripts & Vulnerability Detection

Leverage Nmap Scripting Engine for advanced testing

Scripts
nmap -sC 192.168.1.1
Run default NSE scripts
Scripts
nmap --script vuln 192.168.1.1
Run vulnerability detection scripts
Scripts
nmap --script safe 192.168.1.1
Run safe scripts only
Scripts
nmap --script http-enum 192.168.1.1
HTTP directory enumeration
Scripts
nmap --script "smb-vuln*" 192.168.1.1
All SMB vulnerability scripts
Scripts
nmap --script ssl-cert,ssl-enum-ciphers 192.168.1.1
SSL certificate and cipher information
💡 Popular NSE Script Categories:
auth - Authentication credentials and bypass checks
brute - Brute-force credential guessing
discovery - Network and service discovery
dos - Denial of Service (may crash the target)
exploit - Vulnerability exploitation
intrusive - May impact or crash the target
malware - Malware and backdoor detection
safe - Safe to run (not intrusive)
vuln - Vulnerability detection

🥷 Stealth & Evasion Techniques

Avoid detection and bypass firewalls

Stealth
nmap -D RND:10 192.168.1.1
Decoy scan with 10 random IP addresses
Stealth
nmap -S 10.0.0.5 192.168.1.1
Spoof source IP address
Stealth
nmap --source-port 53 192.168.1.1
Use specific source port (DNS port 53)
Stealth
nmap --data-length 25 192.168.1.1
Append random data to packets
Stealth
nmap --scan-delay 5s 192.168.1.1
Add delay between packets
Stealth
nmap -f 192.168.1.1
Fragment packets to avoid detection

📄 Output & Reporting

Save and format scan results

Output
nmap -oN scan.txt 192.168.1.1
Save normal output to file
Output
nmap -oX scan.xml 192.168.1.1
Save XML output to file
Output
nmap -oG scan.gnmap 192.168.1.1
Save grepable output
Output
nmap -oA scan 192.168.1.1
Save all output formats
Output
nmap -v 192.168.1.1
Verbose output (use -vv for more verbose)
Output
nmap --reason 192.168.1.1
Display reason for port state
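The XML (-oX) and grepable (-oG) formats above are the ones you feed into other tooling. The following is an added example, not part of the original cheat sheet, showing how a defender can parse both formats into one list of open ports and flag anything not on an expected-exposure baseline (a simple change-detection check for an asset inventory). Both SAMPLE_XML and SAMPLE_GNMAP are constructed sample outputs, not real scan results, and the baseline dictionary format is this example's own assumption:

```python
"""Parse Nmap -oX (XML) and -oG (grepable) output and compare the open ports
against an expected baseline. Added example; the samples below are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oX scan.xml 192.168.1.1` might write.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample of the same scan saved with -oG: one host per line,
# tab-separated fields, each port entry as port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 23/closed/tcp//telnet///\t"
    "Ignored State: filtered (997)\n"
)


@dataclass(frozen=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str
    product: str  # product + version string, empty if -sV was not used


def parse_xml(xml_text):
    """Return every open port in an Nmap XML report."""
    open_ports = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            open_ports.append(OpenPort(addr.get("addr"), port.get("protocol"),
                                       int(port.get("portid")), name, product))
    return open_ports


def parse_gnmap(text):
    """Return every open port in an Nmap grepable (-oG) report."""
    open_ports = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Entries are comma-separated; a version string containing a comma
            # would need smarter splitting than this example does.
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                open_ports.append(OpenPort(ip, parts[2], int(parts[0]), parts[4], parts[6]))
    return open_ports


def unexpected_ports(open_ports, baseline):
    """baseline: {host_ip: {(proto, port), ...}} of services that are meant to be exposed.
    Anything open that is not in the baseline is returned for review."""
    return [p for p in open_ports if (p.proto, p.port) not in baseline.get(p.host, set())]


if __name__ == "__main__":
    found = parse_xml(SAMPLE_XML)
    for p in unexpected_ports(found, {"192.168.1.1": {("tcp", 22)}}):
        print(f"UNEXPECTED {p.host} {p.proto}/{p.port} {p.service} {p.product}")
```

Both parsers deliberately keep only ports whose state is "open"; "closed" and "filtered" entries are dropped, and for a real workflow you would schedule the scan, run `unexpected_ports` against yesterday's result rather than a hand-written baseline, and alert on the difference.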

🚀 Quick Reference & Common Combinations

Ready-to-use command combinations for common scenarios

🎯 Quick Network Discovery
nmap -sn -T4 192.168.1.0/24
Fast ping sweep of entire subnet
⚡ Fast Port Scan
nmap -T4 -F 192.168.1.1
Quick scan of top 100 ports
🔍 Comprehensive Scan
nmap -A -T4 -oA scan 192.168.1.1
Aggressive scan with all output formats
🛡️ Stealth Scan
nmap -sS -T2 -f -D RND:10 192.168.1.1
Stealthy SYN scan with decoys and fragmentation
🔒 Web App Testing
nmap -p 80,443 --script "http-enum,http-vuln*" 192.168.1.1
Web application vulnerability scan
📊 UDP Service Discovery
nmap -sU -T4 --top-ports 1000 192.168.1.1
UDP scan of top 1000 ports
💡 Pro Tips:
• Use -Pn if hosts don't respond to ping
• Combine -sS -sU for TCP and UDP scanning
• Use --script-help=script-name for script documentation
• Run nmap --script-updatedb to update script database
• Use --min-rate and --max-rate to control scan speed

🔢 Common Ports Reference

Essential ports and their services

21 FTP
22 SSH
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
143 IMAP
443 HTTPS
445 SMB
993 IMAPS
995 POP3S
1433 MSSQL
3306 MySQL
3389 RDP
5432 PostgreSQL