# 🔍 Nmap Cheat Sheet

Quick reference for the most useful Nmap commands in penetration testing and network auditing.
## Basic Scans

| Command | Description |
|---|---|
| `nmap <target>` | Default scan (top 1000 TCP ports) |
| `nmap -sn <target>` | Ping sweep — host discovery only |
| `nmap -p- <target>` | Scan all 65535 TCP ports |
| `nmap -sU <target>` | UDP scan |
| `nmap -sV <target>` | Service version detection |
| `nmap -O <target>` | OS detection |
| `nmap -A <target>` | Aggressive scan (OS + version + scripts + traceroute) |
## Scan Types

| Flag | Type | Notes |
|---|---|---|
| `-sS` | SYN (Stealth) | Default for root; half-open — fast & quiet |
| `-sT` | TCP Connect | Full 3-way handshake; default for non-root |
| `-sU` | UDP | Slower; essential for DNS, SNMP, DHCP |
| `-sN` | Null | No flags set — bypasses some firewalls |
| `-sF` | FIN | FIN flag only |
| `-sX` | Xmas | FIN + PSH + URG flags |
## NSE Scripts

```bash
# Run default scripts (equivalent to --script=default)
nmap -sC <target>
# Run a specific script
nmap --script=http-enum <target>
# Run scripts in the "vuln" category
nmap --script=vuln <target>
# Run all SMB scripts (quote the wildcard so the shell does not expand it)
nmap --script="smb*" <target>
# Safe scripts only
nmap --script=safe <target>
```
## Timing Templates

| Flag | Name | Use Case |
|---|---|---|
| `-T0` | Paranoid | IDS evasion (very slow) |
| `-T1` | Sneaky | IDS evasion |
| `-T2` | Polite | Reduced bandwidth |
| `-T3` | Normal | Default |
| `-T4` | Aggressive | CTFs and fast networks |
| `-T5` | Insane | Very fast; may miss ports |
## Output Formats

```bash
# Normal output
nmap -oN output.txt <target>
# XML output
nmap -oX output.xml <target>
# Grepable output
nmap -oG output.gnmap <target>
# All three formats at once (output_basename.nmap / .xml / .gnmap)
nmap -oA output_basename <target>
```
## My Go-To Pentest Scan

```bash
nmap -sC -sV -O -oA nmap/initial <target>
nmap -p- -T4 -oA nmap/allports <target>
nmap -sU --top-ports 50 -oA nmap/udp <target>
```