Comprehensive Nmap Cheat Sheet

⚠️ Disclaimer: This article is intended for educational purposes only. Unauthorized scanning of networks that you do not own or have explicit permission to test may be illegal and unethical. Always ensure you have proper authorization before performing any network reconnaissance activities.

Basics#

Installing Nmap#

🖥️ Windows Installation#

  1. Go to the official Nmap download page:
    https://nmap.org/download.html

  2. Download the Microsoft Windows Installer (.exe)

  3. Run the installer and follow these steps:

    • Accept the license agreement
    • Choose default options
    • ✅ Ensure the following are checked:
      • Nmap
      • Npcap (the packet capture driver; without it raw-packet scans such as SYN scan and OS detection fall back to connect scans or fail)
      • Zenmap (GUI)
      • Add to PATH (the installer calls this "Register Nmap Path")
  4. Verify the installation from a new terminal so the updated PATH is picked up. Note that nmap -v only raises verbosity; the version flag is -V / --version:

    nmap --version

🐧 Linux Installation (Debian/Ubuntu)#

  1. Run the following commands in your terminal.

    sudo apt update
    sudo apt install nmap -y
  2. Verify (nmap -v is the verbosity flag, not the version flag)

    nmap --version

🍎 macOS Installation#

Option 1: Install via Homebrew#

If you have Homebrew installed:

brew install nmap

Option 2: Manual Installer#

Download the macOS installer (.dmg) from https://nmap.org/download.html, open it, run the installer package it contains, and verify with nmap --version.

Standard Scan#

With no options Nmap first performs host discovery and then scans the 1,000 most common TCP ports. When run with raw-socket privileges (root on Linux/macOS, or Administrator with Npcap on Windows) the default port scan is a TCP SYN scan (-sS); as an unprivileged user it silently falls back to a TCP connect scan (-sT). A host that does not answer the discovery probes is reported as down and is not port-scanned at all; add -Pn to skip discovery and scan it anyway.

nmap <IP-address>

Scan Multiple Targets#

Scans several targets in one run. Hostnames, single IPs, dash ranges and CIDR blocks can be mixed freely on the command line, and a list of targets can be read from a file with -iL targets.txt (one target per line).

nmap <IP1> <IP2>
nmap 192.168.1.1-20
nmap 192.168.1.0/24

Scan a Range of Ports#

Restricts the scan to a specific set or range of ports. -p- is shorthand for all 65,535 ports; by default -p applies to the protocol being scanned, so for a combined TCP/UDP scan (-sS -sU) prefix the lists with T: and U:, e.g. -p T:22,80,U:53,161.

nmap -p 1-65535 <IP-address>
nmap -p 80,443,8080 <IP-address>

Host Discovery Only (Ping Scan)#

Determines which hosts are online without scanning any ports. With raw-socket privileges the default probes are an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request; an unprivileged user only gets TCP connect attempts to ports 80 and 443, so hosts behind a firewall that drops those may be missed.

nmap -sn <IP-address>

Scan Techniques#

TCP SYN Scan (Stealth Scan)#

Sends a TCP SYN to each port and classifies it from the reply (SYN/ACK = open, RST = closed, nothing or ICMP unreachable = filtered) without ever completing the handshake, so the target application never sees a connection and usually does not log one. It requires raw-socket privileges (root, or Administrator with Npcap), and "stealth" is relative: firewalls and IDS sensors see the SYN packets just fine.

nmap -sS <IP-address>

TCP Connect Scan#

Uses the operating system's connect() call, so the full TCP three-way handshake completes for every open port. It needs no special privileges (it is what Nmap uses automatically when run unprivileged), but the target service receives a real connection that it may log, and the scan is slower than -sS.

nmap -sT <IP-address>

UDP Scan#

Checks for open UDP ports. UDP scanning is slow because many hosts rate-limit the ICMP port-unreachable replies Nmap relies on, and a port that simply does not answer is reported as open|filtered rather than open. Adding -sV makes Nmap send protocol-specific payloads that coax real services into replying, which resolves most open|filtered results; it can be combined with a TCP scan in one run (-sS -sU).

nmap -sU <IP-address>

TCP ACK Scan (Firewall Detection)#

Maps firewall rules rather than finding open ports. Nmap sends bare ACK packets; a port that answers with RST is reported as unfiltered (reachable, whether open or closed) and one that stays silent or returns an ICMP error as filtered. An ACK scan therefore never reports a port as open; its value is in telling a stateful firewall (drops unsolicited ACKs) from a stateless packet filter or no filter at all.

nmap -sA <IP-address>

Service and Version Detection#

Aggressive Scan (OS, Services, Scripts, Traceroute)#

-A is a bundle: it enables OS detection (-O), version detection (-sV), the default script set (-sC) and --traceroute in one run. It is the quickest way to get a detailed picture of a host, and also the noisiest: it needs raw-socket privileges for the OS and traceroute parts and generates many extra probes.

nmap -A <IP-address>

Version Detection#

Connects to each open port and sends service probes to identify the application and its version (for example "OpenSSH 9.2p1" rather than just "ssh"). Because it talks to the services, it is not stealthy, but the version strings are what most vulnerability lookups and NSE scripts key on.

nmap -sV <IP-address>

OS Detection#

Identifies the operating system of the target from TCP/IP stack fingerprinting. It requires raw-socket privileges, and a reliable fingerprint needs at least one open and one closed TCP port on the target; otherwise Nmap warns that the result may be inaccurate.

nmap -O <IP-address>

Script Scanning (NSE)#

Default Script Scan#

Runs the scripts in the default NSE category (equivalent to --script=default) to gather additional details such as SSH host keys, HTTP titles and TLS certificates. Default scripts are chosen to be safe and fast, but they still interact with the services and are visible to the target.

nmap -sC <IP-address>

Vulnerability Detection#

Runs every script in the vuln category. Pair it with -sV so scripts that trigger on a detected service name fire on non-standard ports, expect the run to be slow and noisy (some vuln scripts are also in the intrusive category), and treat the output as leads to verify rather than confirmed findings.

nmap --script=vuln <IP-address>

HTTP Enumeration#

Probes detected HTTP services for common application paths (admin consoles, backup files, well-known frameworks). It only runs against ports Nmap recognises as HTTP, so scope it with -p 80,443,8080 or -p- when web services live on unusual ports.

nmap --script=http-enum <IP-address>

Heartbleed Detection#

Checks whether a TLS service is vulnerable to Heartbleed (CVE-2014-0160). -sV is included so the script also runs against TLS services on non-standard ports; the script category is safe, but it does send a malformed heartbeat request.

nmap -sV --script=ssl-heartbleed <IP-address>

Timing Options#

Set Scan Speed (0 slowest, 5 fastest)#

Adjusts probe timing and parallelism to trade stealth and reliability against speed. -T4 is the usual choice on a reasonably fast, reliable network; -T5 can drop results because it gives up on slow-responding ports; -T0 and -T1 can take hours per host and exist mainly to stay under IDS rate thresholds.

nmap -T0 <IP-address>   # paranoid
nmap -T1 <IP-address>   # sneaky
nmap -T2 <IP-address>   # polite
nmap -T3 <IP-address>   # normal (default)
nmap -T4 <IP-address>   # aggressive
nmap -T5 <IP-address>   # insane

Firewall and IDS Evasion#

Fragment Packets#

Splits the TCP header across several tiny IP fragments (8 bytes of payload each; -ff gives 16) so that a packet filter inspecting only the first fragment cannot see the full TCP header. It needs raw-socket privileges, cannot be combined with connect scans (-sT) or version detection, and most modern firewalls and IDS sensors reassemble fragments before inspection, so it is of limited value against current defences.

nmap -f <IP-address>

Specify MTU#

Sets a custom fragment size instead of the 8-byte default. The value must be a multiple of 8; the same privilege and reassembly caveats as -f apply.

nmap --mtu 24 <IP-address>

Decoy Scan#

Sends each probe from a set of decoy addresses as well as your own, so the target's logs show several apparent sources. RND:10 generates ten random decoys; you can also list specific IPs and use ME to control where your real address appears in the sequence. Decoys should be hosts that are actually up, otherwise the target may treat the scan as a SYN flood, and decoys do not work with connect scans (-sT) or version detection, because those require a real connection from your address.

nmap -D RND:10 <IP-address>

Idle Zombie Scan#

Bounces the scan off a third-party "zombie" host so that the target only ever sees packets from the zombie's address. The zombie must be idle and must use a predictable, incrementing IP ID sequence (Nmap checks this before scanning); run the scan with -Pn as well, otherwise Nmap's own host-discovery probes go out from your real address and defeat the purpose.

nmap -sI <zombie-ip> <target-ip>

Output Formats#

Save Output to File#

Saves the results in normal (human-readable) format, the same text shown on screen. -oA basename writes all three formats (basename.nmap, basename.xml, basename.gnmap) at once, which is usually what you want on an engagement.

nmap -oN output.txt <IP-address>

XML Output#

Exports results in XML, the format to use when another tool needs to consume the scan (Metasploit's db_import, ndiff for comparing two runs, custom scripts).

nmap -oX output.xml <IP-address>

Greppable Output#

Writes one line per host with all of its ports, which makes the file easy to process with grep, awk and cut. Use -oG - to send it to standard output for piping into other commands.

nmap -oG output.grep <IP-address>
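The greppable format is easiest to use once you have a couple of parsing helpers. The following POSIX shell script is an added example, not code from the original post: it serves both the "Host Discovery Only" section above (turn the hosts that answered a -sn scan into a target list for -iL) and this output section (list the open ports per host). The file contents in sample_gnmap are a constructed imitation of -oG output rather than a real scan, and the function names are my own.

```shell
#!/bin/sh
# Added example: parse Nmap greppable (-oG) output with POSIX awk.
# Host: lines are tab-separated fields; each port entry has the shape
#   port/state/proto/owner/service/rpcinfo/version/

sample_gnmap() {
    # Constructed sample (not a real scan). printf expands \t to a tab.
    printf '# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,443,3306 -oG - 192.168.1.10-12\n'
    printf 'Host: 192.168.1.10 (web01.example.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 (web01.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///\n'
    printf 'Host: 192.168.1.11 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: filtered (3)\n'
    printf 'Host: 192.168.1.12 ()\tStatus: Down\n'
    printf '# Nmap done -- 3 IP addresses (2 hosts up) scanned in 12.34 seconds\n'
}

# Hosts that answered host discovery, one IP per line: feed the result to `nmap -iL`.
up_hosts() {
    awk -F'\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# Open ports per host as tab-separated lines: ip  port/proto  service  version
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " ")                   # h[2] is the IP address
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    entries = substr($i, 8)     # drop the "Ports: " prefix
                    n = split(entries, p, ", ")
                    for (j = 1; j <= n; j++) {
                        split(p[j], f, "/")     # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                        if (f[2] == "open")
                            printf "%s\t%s/%s\t%s\t%s\n", h[2], f[1], f[3], f[5], f[7]
                    }
                }
            }
        }' "$1"
}

# Hosts exposing a given open port number, e.g. `hosts_with_port scan.gnmap 3306`.
hosts_with_port() {
    open_ports "$1" | awk -F'\t' -v want="$2" 'index($2, want "/") == 1 { print $1 }' | sort -u
}

# Stand-alone demo over the constructed sample.
tmp=$(mktemp)
sample_gnmap > "$tmp"
echo "== hosts that are up (targets for -iL) =="; up_hosts "$tmp"
echo "== open ports =="; open_ports "$tmp"
echo "== hosts with 3306 open =="; hosts_with_port "$tmp" 3306
rm -f "$tmp"
```

In practice the first stage is `nmap -sn -oG discovery.gnmap 192.168.1.0/24` followed by `up_hosts discovery.gnmap > targets.txt`, and the port scan then reads that file with `nmap -sS -sV -p- -iL targets.txt -oA full`. Keep the XML output alongside the greppable file; the -oG format carries less detail (no script output, for instance) and is the one to parse only when a one-line-per-host view is all you need.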

Miscellaneous#

Disable DNS Resolution (Speeds up Scan)#

Skips reverse DNS lookups for every target, which noticeably speeds up large scans and avoids sending PTR queries to the local resolver. The opposite, -R, forces resolution even for hosts that appear down.

nmap -n <IP-address>

Show Only Open Ports#

Shows only hosts with at least one open port and suppresses closed and filtered ports from the output, which keeps the report readable on large ranges.

nmap --open <IP-address>

Aggressive Host Discovery#

Combines several discovery probe types so that a host filtering one of them is still found: -PE sends ICMP echo requests, -PP ICMP timestamp requests, -PS80,443 TCP SYN packets to ports 80 and 443 and -PA3389 a TCP ACK to port 3389. These flags only change the discovery phase; add -sn if you want discovery without a port scan.

nmap -PE -PP -PS80,443 -PA3389 <IP-address>

Verbose Output#

Provides additional detail about the scan’s process.

nmap -v <IP-address>
nmap -vv <IP-address>   # very verbose

Master these commands to build your foundational skills in penetration testing and cybersecurity assessments.

Source: Comprehensive Nmap Cheat Sheet, by Spicy Stromboli, published 2025-04-18, https://strombolisecurity.io/posts/comprehensive-nmap-cheat-sheet/