Nmap Cheatsheet
Written by Alireza Liaghat || Reviewed by Dale Hobbs

This blog is part of Offensive Tooling Cheatsheets: An Infosec Survival Guide Resource. You can learn more and find all of the cheatsheets HERE: https://www.blackhillsinfosec.com/offensive-tooling-cheatsheets/
Nmap Cheatsheet: PRINT-FRIENDLY PDF
Find the tool here: https://nmap.org/
Nmap is a powerful open-source tool commonly used by system/network administrators and security professionals to perform network discovery, security auditing, and basic vulnerability assessment. Nmap allows you to quickly identify live hosts, open ports, running services, operating systems, and potential security risks within a network. This cheatsheet provides a reference to essential Nmap commands, scanning techniques, and common use cases to help streamline your network reconnaissance and troubleshooting tasks.
The Nmap Formula
Nmap + Target + Type + Port + Detection + Timing + Scripts + Evasion
TARGET
What do you want to scan?
| Example | Description | Use Case |
|---|---|---|
| 192.168.x.x | Scan the specified IP address | Used when there is only one target IP address. |
| 192.168.1.0/24 | Scan a CIDR range (ranges like 192.168.1.1-50 also work) | Used when sweeping a subnet. |
| domain.com | Scan the specified domain (resolved to an IP first) | Used when there is only one target domain. |
| -iL target.txt | Scan from a list of hosts, one target per line (IPs, ranges or names) | Used when the target list is already known. |
| --unique | Scan each address only once | Used with -iL; avoids rescanning a host that appears under several names or in several lists. |
| -n | No DNS resolution | Speeds up scanning by skipping reverse DNS lookups, and avoids sending DNS queries that reveal which addresses you are interested in. |
TYPE
How do you want to scan?
| Example | Description | Use Case |
|---|---|---|
| -sT | TCP connect scan (completes the full 3-way handshake) | Works without root/raw-packet privileges (it is the default when unprivileged) and gives the most reliable results, but every open port sees a completed connection, so the application and its logs will record the scan. |
| -sS | SYN ("stealth", half-open) scan: partial 3-way handshake | Default when running as root. Sends a SYN and resets the connection on SYN/ACK instead of completing the handshake, so the application never gets a connection; simple packet filters see only an incomplete connection attempt, but stateful firewalls and IDS still see the SYN. Requires raw-packet privileges. |
| -sU | UDP scan | Needed for UDP-only services such as DNS (53), SNMP (161), DHCP (67), TFTP (69). Slow, and ports that do not answer come back as open\|filtered, so combine with -sV to confirm what is really listening. |
PORT
What port do you want to scan?
| Example | Description | Use Case |
|---|---|---|
| -p 80,443 | Scans only the comma-separated ports | Useful when scanning a host for a specific attack surface. |
| -p 1-65535 | Scans all 65535 ports (-p- is shorthand); without -p, Nmap only scans its 1000 most common ports | Useful when you need every listening service, including ones on ephemeral (temporary) or non-standard ports. |
DETECTION
What do you want to detect?
| Example | Description | Use Case |
|---|---|---|
| -sV | Probe open ports for the service name and version | Useful when mapping and identifying a network; also required by scripts that key off version information (e.g. vulners). |
| --version-light | Try only the most likely probes (intensity 2) | Used with -sV to speed up identification; may miss less common services. |
| --version-all | Try every available probe (intensity 9, the maximum) | Used with -sV when a service stays unidentified; the slowest option. |
| -O | OS detection by TCP/IP stack fingerprinting | Useful when mapping and identifying a network. Needs raw-packet privileges, and works best when the host has at least one open and one closed port. |
TIMING
How fast do you want to scan?
| Example | Description | Use Case |
|---|---|---|
| -T0 to -T5 | Timing template, from paranoid (-T0) to insane (-T5); the default is -T3 | -T4 is the usual choice on a fast LAN; -T0/-T1 spread the scan out to avoid time-based IDS alerts at the cost of very long run times. |
| --max-rate 5 | Sends at most 5 probes per second | Limits network traffic to avoid disrupting fragile devices or tripping rate-based alerts. |
| --scan-delay 1 | Waits at least 1 second between probes to each host (a bare number means seconds; append ms, s, m or h to be explicit) | Limits network traffic; also helps against hosts that rate-limit their responses. |
| --host-timeout 1 | Gives up on a host that takes longer than 1 second in total; that host's results are discarded | Skips slow or unresponsive hosts in a large scan. 1 second is far too short for a real host; values such as 30m are more typical. |
SCRIPTS
What additional scripts do you want?
| Example | Description | Use Case |
|---|---|---|
| -sC | Runs the default script set (same as --script=default) | Quick enrichment of open ports with the most commonly useful checks. |
| --script=whois-ip | Looks up the owner of the target's IP range in the regional registries (ARIN, RIPE, APNIC, etc.) | Used when mapping who owns a network. |
| --script=smb-enum-shares | Enumerates SMB shares on the target | Identifies SMB shares that might be exposed. |
| --script=vulners | Looks up detected service versions in the Vulners CVE database | Identifies known/unpatched vulnerabilities. Requires -sV and Internet access; matches are based on version banners, so confirm them before reporting. |
EVASION
How sneaky do you want to be?
| Example | Description | Use Case |
|---|---|---|
| --spoof-mac 00:0C:29:6F:F3:6B | Spoofs the source MAC address (0 picks a random one; a vendor name or prefix also works) | Only affects the local Ethernet segment; useful when a switch or NAC filters on MAC addresses. Needs raw-packet privileges. |
| -S 192.168.1.1 | Spoofs the source IP address | Useful for testing IP-based filters or making the target think another host is scanning it. Replies go to the spoofed address, so you will not see results unless you can sniff them; usually needs -e <interface> and -Pn, and does not work with -sT. |
| -D RND:5 | Mixes the real scan in with 5 random decoy source addresses | Makes it harder to tell which address is the real scanner. Needs raw packets, so it does not work with -sT or -sV. |
| -f | Splits probes into 8-byte IP fragments | Bypasses naive filters that only inspect the first fragment; not available with -sT. |
| --data-length 5 | Appends 5 random bytes to each probe packet | Changes the packet size so the scan no longer matches signatures written for Nmap's default probes. |
| --proxies socks4://192.168.5.5:1080 | Relays connections through an HTTP CONNECT or SOCKS4 proxy chain (proxies are given as URLs) | Useful for reaching a target behind an IP-based filter. Experimental: only NSE scripts and -sV go through the proxy; host discovery and the port scan itself do not. |
Example formula for a slow and thorough scan:
nmap 192.168.10.50 -sT -p1-65535 -sV --version-light --max-rate 5 --script=vulners
-sV is included because vulners matches on detected versions and --version-light only tunes how hard -sV tries. A spoofed source (-S) is deliberately left out: with a spoofed address the replies go to that address, so the connect scan would never complete and there would be nothing for -sV or vulners to work on. Note the cost: at 5 probes per second, 65535 ports take at least 65535/5 ≈ 13,100 seconds (about 3.6 hours) before retransmissions and version probes.
Common Port States
| State | Meaning |
|---|---|
| open | An application is actively accepting TCP connections or UDP datagrams on this port. |
| closed | The port is reachable (the probe got a response, e.g. a TCP RST), but no application is listening on it. |
| filtered | Nmap cannot determine whether the port is open because something (a firewall, router ACL or host-based filter) dropped the probe. Heavy packet loss or rate limiting produces the same result, so filtered ports are worth re-checking with a slower scan. |
| open\|filtered | Nmap cannot tell open from filtered because an open port would give no response either; typical of UDP scans (-sU) and of some stealth TCP scan types. |
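As an added example that is not part of the cheatsheet (and not Nmap project code), the script below puts the formula into practice: build_argv() assembles the command line in the formula's order and refuses two combinations that silently produce nothing (-S with -sT, vulners without -sV), and summarize() parses Nmap's XML output into a per-host count of port states. It assumes Nmap's -oX XML format, which the tables above do not cover; the XML is a hand-constructed sample shaped like -sS -sV output, not a real scan. The counts include the ports Nmap collapses into <extraports>, so they add up to the scanned range.

```python
# Added example, not part of the BHIS cheatsheet or of Nmap itself.
# Assumes Nmap's -oX (XML) output format; SAMPLE_XML is a hand-constructed
# sample shaped like -sS -sV output, not a real scan result.
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX - -sS -p 1-65535 -sV 192.168.10.50">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.10.50" addrtype="ipv4"/>
    <ports>
      <!-- Nmap collapses ports that all share one state into extraports -->
      <extraports state="filtered" count="65531"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql"/></port>
    </ports>
  </host>
</nmaprun>"""


def build_argv(target, scan_type="-sS", ports="1-65535", detection=("-sV",),
               timing=("--max-rate", "5"), scripts=(), evasion=()):
    """Assemble argv in the cheatsheet's order:
    Nmap + Target + Type + Port + Detection + Timing + Scripts + Evasion.
    -oX - makes Nmap write XML to stdout so no temp file is needed."""
    if "-S" in evasion and scan_type == "-sT":
        # A spoofed source IP sends the replies elsewhere; a connect scan
        # needs a completed handshake, so nothing would ever come back.
        raise ValueError("-S cannot be combined with -sT")
    if "vulners" in scripts and "-sV" not in detection:
        raise ValueError("vulners matches on version banners; add -sV")
    argv = ["nmap", "-oX", "-", scan_type, "-p", ports]
    argv += list(detection) + list(timing)
    for script in scripts:
        argv += ["--script", script]
    argv += list(evasion)
    argv.append(target)
    return argv


def summarize(xml_text):
    """Parse -oX output into one record per host: the listed ports with
    their state and service banner, plus a Counter of port states that
    includes the collapsed <extraports>, so the counts add up to the range."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = next(a.get("addr") for a in host.iter("address")
                    if a.get("addrtype") == "ipv4")
        states = Counter()
        ports = []
        for extra in host.iter("extraports"):
            states[extra.get("state")] += int(extra.get("count"))
        for port in host.iter("port"):
            state = port.find("state").get("state")
            states[state] += 1
            svc = port.find("service")
            banner = ""
            if svc is not None:  # -sV fills product/version; plain scans only have name
                banner = " ".join(v for v in (svc.get("name"), svc.get("product"),
                                              svc.get("version")) if v)
            ports.append((port.get("protocol"), int(port.get("portid")), state, banner))
        hosts.append({"host": addr, "ports": ports, "states": states})
    return hosts


def run_scan(argv):
    """Run Nmap and parse its XML. Needs nmap installed and, for -sS,
    raw-packet privileges; not exercised by the sample below."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return summarize(proc.stdout)


if __name__ == "__main__":
    print(" ".join(build_argv("192.168.10.50", scripts=("vulners",))))
    for h in summarize(SAMPLE_XML):
        print(h["host"], dict(h["states"]))
        for proto, num, state, banner in h["ports"]:
            if state == "open":
                print(f"  {num}/{proto} {banner}")
```

The extraports handling is the part worth copying: Nmap only lists ports individually when they differ from the bulk state, so a parser that ignores <extraports> reports 4 ports for a 65535-port scan and loses the fact that 65531 of them were filtered, which is exactly the signal that a firewall is in the way.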

Explore the Infosec Survival Guide and more… for FREE!
Get instant access to all issues of the Infosec Survival Guide, as well as content like our self-published infosec zine, PROMPT#, and exclusive Darknet Diaries comics—all available at no cost.
You can check out all current and upcoming issues here: https://www.blackhillsinfosec.com/prompt-zine/
