
Nmap Cheat Sheet (Basics to Advanced Nmap Cheat Sheet)

Last Updated: 23rd December, 2024

Jay Abhani

Senior Web Development Instructor at almaBetter

Master Nmap with this ultimate Nmap cheat sheet! Learn essential commands, flags, options, and scanning techniques to elevate your network security skills

Nmap (Network Mapper) is a powerful, open-source tool for network discovery and security auditing. Whether you're a network administrator, cybersecurity enthusiast, or ethical hacker, this Nmap Cheat Sheet will guide you through the essential commands, switches, and options to maximize your efficiency with Nmap.

What is Nmap?

Nmap is a versatile tool that scans networks and hosts to gather information like open ports, services running, and system details. It is widely used for:

  • Network inventory
  • Vulnerability assessment
  • Host and service discovery
  • Security auditing

Setting Up Nmap

Before diving into the commands, make sure Nmap is installed (see Installing Nmap below). Builds for Windows, Linux and macOS are available from the official Nmap website, nmap.org.

Basic Syntax

All Nmap commands follow a basic syntax:

nmap [options] [target]
  • Target: an IP address, hostname, address range or CIDR block (e.g., 192.168.1.1, example.com, 192.168.1.1-50, 192.168.0.0/24). Several targets can be listed on one command line.
  • Options: define the scan type, which ports to probe, timing, scripts, output format and so on. Options and targets can appear in any order.

Installing Nmap

You can install Nmap on various platforms:

  • Linux: sudo apt install nmap (Ubuntu/Debian)
  • macOS: brew install nmap
  • Windows: Download the installer from nmap.org.

Once installed, you can run Nmap from a terminal or command prompt. Note that many of the scans below (-sS, -sU, -O, decoys, source-port spoofing) build raw packets and therefore need root (sudo) on Linux/macOS or an Administrator prompt with Npcap on Windows; without those privileges Nmap silently falls back to less capable scan types.

Host Discovery

Host discovery helps you identify which systems are live on a network. This is often the first step in any network scan.

Ping Scan (No Port Scan)

A ping scan lists live hosts without scanning any ports. Despite the name it is not limited to ICMP: on the local Ethernet segment Nmap uses ARP requests, and for remote targets (when run as root) it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that blocks ping can still be found:

nmap -sn 192.168.1.0/24
  • -sn: host discovery only, no port scan (older Nmap versions called this -sP).

Treat Hosts as Up

If a host drops all of the discovery probes, Nmap reports it as down and skips it entirely. -Pn disables host discovery and scans every target as if it were up:

nmap -Pn 192.168.1.1
  • -Pn: skip host discovery. The cost is that every address you give is port-scanned, dead ones included, which is slow and produces pages of "filtered" ports, so use it against specific hosts you know exist rather than whole subnets.

Port Scanning

Port scanning identifies open and closed ports on a host. Here’s an Nmap scan cheat sheet for common scans:

Scan Specific Ports

To scan specific ports, give -p a comma-separated list, a range such as 1-1024, or a mix of both:

nmap -p 22,80 192.168.1.1
  • -p: scan only the listed ports (here 22 and 80). Without -p, Nmap scans the 1,000 most common ports.

Scan All Ports

You can scan every TCP port (1 through 65535) with the following command:

nmap -p- 192.168.1.1
  • -p-: scan all 65,535 ports (port 0 is excluded unless requested explicitly). Expect this to take far longer than a default scan; use it when you need to find services hidden on non-standard ports.

Fast Scan

To scan only the 100 most common ports instead of the default 1,000, use the -F flag for a quicker first look:

nmap -F 192.168.1.1
  • -F: fast mode (top 100 ports).

Service and Version Detection

Identify the services running on open ports and their versions:

Service Version Detection

To detect the services and their versions, use the -sV flag:

nmap -sV 192.168.1.1
  • -sV: probe each open port to identify the service and its version.

Nmap grabs banners and sends protocol-specific probes to every open port, so -sV is slower and noisier than a plain port scan, but the product and version strings are what you match against advisories. Treat them as indicative rather than proof: a distribution that backports security fixes can leave the banner version unchanged.

Aggressive Scan

You can run an aggressive scan to gather detailed information about the host in one go. This enables OS detection, version detection, the default script set and traceroute:

nmap -A 192.168.1.1
  • -A: aggressive scan (equivalent to -O -sV -sC --traceroute). It is convenient but loud, and the default scripts connect to services and may leave log entries.

OS Detection

Nmap fingerprints the target's TCP/IP stack and compares it against its database to guess the operating system, which helps you prioritise findings in a vulnerability assessment. OS detection needs raw packets (root) and gives its most reliable results when the target exposes at least one open and one closed TCP port.

To detect the operating system of the target:

nmap -O 192.168.1.1
  • -O: Enable OS detection.
nmap -A 192.168.1.1
  • -A: Aggressive scan also includes OS detection.

Nmap Vulnerability Scanning

Nmap's Scripting Engine (NSE) ships with scripts that check for known security issues, which makes it a quick first pass for penetration testers before a dedicated vulnerability scanner is run.

Running Vulnerability Scans

You can use the --script option to select scripts by name or by category. The vuln category groups the scripts that test for specific vulnerabilities:

nmap --script vuln 192.168.1.1
  • --script vuln: run every script in the vuln category (not a curated "default" set). Several of them are slow or intrusive, and a clean result only means that no script for that issue fired, not that the host is patched.

Specific Script Example

You can also run a single script by name; restricting the ports to the service it targets keeps the scan short:

nmap -p 445 --script smb-vuln-ms17-010 192.168.1.1
  • Checks whether the SMB service is missing the MS17-010 patch (the flaw exploited by EternalBlue) by looking at how the server responds, without exploiting it.

Advanced Scans

Stealth Scans

The SYN scan is Nmap's default when run as root. It sends a SYN, notes whether a SYN/ACK (open) or RST (closed) comes back, and answers with a RST instead of completing the handshake, so the application on the target never sees a connection and usually does not log one:

nmap -sS 192.168.1.1
  • -sS: SYN (half-open) scan. It is fast, but "stealthy" is relative: any firewall or intrusion detection system (IDS) that counts half-open connections will flag it, and it needs raw-socket privileges. Without root, Nmap falls back to the connect scan (-sT), which completes the handshake and is visible to the service.

UDP Scans

Services such as DNS, SNMP and NTP live on UDP, which a default scan skips entirely:

nmap -sU 192.168.1.1
  • -sU: UDP scan. It is slow, because closed ports answer with ICMP port-unreachable messages that most systems rate-limit, and a probe that gets no reply is reported as open|filtered rather than open. Limit the port list with -p and add -sV to get definite answers for the ports that matter.

Firewall Evasion

These options can get a scan past simple packet filters and muddy the picture in the target's logs. They are not a bypass for a stateful firewall or a modern IDS, so test their effect rather than assume it:

nmap -D RND:10 192.168.1.1
  • -D RND:10: interleave the scan with identical probes from 10 random, spoofed source addresses, so your real address is one of eleven candidates in the target's logs. It is still in there, decoys that are obviously unreachable are easy to discount, and an ISP that does egress filtering will drop the spoofed packets.
nmap --source-port 53 192.168.1.1
  • --source-port 53: send probes from source port 53 so that a stateless filter which blindly allows "DNS replies" lets them through. It only works against filters that make that mistake, and only with raw-packet scans such as -sS (with -sT the operating system picks the source port).

Saving Output

Save results for analysis; Nmap writes the file while it scans, so a long run that is interrupted still leaves partial output:

nmap -oN output.txt 192.168.1.1
  • -oN: normal format, the same human-readable text you see on screen.
nmap -oX output.xml 192.168.1.1
  • -oX: XML format, the one to use when the results will be parsed, diffed or fed to another tool.
nmap -oG output.gnmap 192.168.1.1
  • -oG: grepable format, one line per host. Nmap marks it as deprecated in favour of XML, but it is still handy with grep and awk.
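The XML format is the one worth building on. The following Python script is an added example, not code from the original article or from the Nmap project: it parses a constructed -oX document (the hosts, banners and the vulnerable machine in SAMPLE_XML are invented, and the vuln-script table layout approximates what Nmap's vulns library emits) into per-host open ports and service versions, the inventory use listed under "What is Nmap?", and pulls out the ports an NSE script such as smb-vuln-ms17-010 marked VULNERABLE, the check from the Nmap Vulnerability Scanning section. The function and class names (parse_nmap_xml, open_ports, vulnerable_findings, run_and_parse, Host, Port) are this example's own; the element and attribute names are Nmap's.

```python
"""Added example: turn Nmap's XML output (-oX) into an inventory and flag NSE findings."""
import subprocess                                  # only used by run_and_parse()
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample shaped like the XML from
#   nmap -sV -p 22,80,445 --script smb-vuln-ms17-010 -oX - 192.168.1.0/24
# Hosts, banners and the vulnerable host are invented; the vuln-script table
# layout approximates what Nmap's vulns library emits.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -p 22,80,445 --script smb-vuln-ms17-010 -oX - 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.10" addrtype="ipv4"/>
  <hostnames><hostname name="web01" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
      <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="445"><state state="closed" reason="reset"/>
      <service name="microsoft-ds" method="table" conf="3"/></port>
  </ports></host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.20" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds" method="probed" conf="10"/>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script></port>
  </ports></host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

@dataclass
class Port:
    number: int
    protocol: str
    state: str
    service: str
    product: str                                    # "product version" from -sV, or ""
    vulnerable: list = field(default_factory=list)  # NSE script ids that reported VULNERABLE

@dataclass
class Host:
    address: str
    hostname: str
    ports: list = field(default_factory=list)

def _vulnerable_script_ids(port_elem):
    """Ids of <script> results whose structured state (or raw output) says VULNERABLE."""
    ids = []
    for script in port_elem.findall("script"):
        states = [e.text for e in script.iter("elem") if e.get("key") == "state"]
        if "VULNERABLE" in states or "VULNERABLE" in (script.get("output") or ""):
            ids.append(script.get("id"))
    return ids

def parse_nmap_xml(xml_text):
    """Return the hosts Nmap considered up, with their ports, services and findings."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                                # down hosts carry no port data
        addr = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") in ("ipv4", "ipv6"))
        name = h.find("hostnames/hostname")
        host = Host(addr, name.get("name") if name is not None else "")
        for p in h.findall("ports/port"):
            svc = p.find("service")
            product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            host.ports.append(Port(int(p.get("portid")), p.get("protocol"), p.find("state").get("state"),
                                   svc.get("name", "") if svc is not None else "", product,
                                   _vulnerable_script_ids(p)))
        hosts.append(host)
    return hosts

def open_ports(hosts):
    """Inventory view: {address: [open port numbers]}."""
    return {h.address: sorted(p.number for p in h.ports if p.state == "open") for h in hosts}

def vulnerable_findings(hosts):
    """{(address, port, script id)} for every port a vuln script flagged."""
    return {(h.address, p.number, sid) for h in hosts for p in h.ports for sid in p.vulnerable}

def run_and_parse(targets, extra_args=()):
    """Run nmap with XML on stdout and parse it (needs nmap installed; not exercised offline)."""
    cmd = ["nmap", "-oX", "-", *extra_args, *targets]   # argv list: no shell, so targets cannot inject commands
    return parse_nmap_xml(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    for addr, ports in open_ports(hosts).items():
        print(addr, ports)
    for addr, port, sid in sorted(vulnerable_findings(hosts)):
        print(f"VULNERABLE {addr}:{port} ({sid})")
```

run_and_parse shells out to nmap with -oX - and the same argv-list approach covers a staged scan: a -sn discovery pass, then -p- against the addresses it returned, then -sV on just the open ports, which is much faster than running -A across a whole subnet. If you also want the human-readable files, -oA basename writes normal, XML and grepable output in one run.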

Combining Flags and Switches

Flags combine freely, so a single command can cover the whole workflow:

nmap -sS -p 80,443 -A -oN scan_report.txt 192.168.1.1
  • Combines a SYN scan, a specific port list, aggressive scanning and saved output.
  • This performs a SYN scan on ports 80 (HTTP) and 443 (HTTPS) only, runs version detection, OS detection, the default scripts and traceroute against what it finds, and writes the normal-format report to scan_report.txt.

Example: Fast SYN Scan with Vulnerability Scripts

nmap -T4 -sS --script vuln 192.168.1.1

This runs a SYN scan with aggressive timing and then the vuln category of scripts against the open ports. -T4 makes the scan faster, not stealthier, and the vuln scripts generate plenty of traffic of their own, so do not expect this combination to go unnoticed.

Nmap Performance Optimization

Nmap provides several options for trading accuracy against speed. They matter most when scanning large networks or when time is limited.

nmap -T4 192.168.1.0/24
  • -T4: timing template. The templates run from -T0 (paranoid, one probe every few minutes) to -T5 (insane). -T4 is the usual choice on a fast, reliable network; -T5 is likely to miss ports when the network or target drops packets.

Setting Minimum Send Rate

If you want to control the number of packets Nmap sends per second, use the --min-rate option:

nmap --min-rate 1000 192.168.1.1
  • --min-rate: send at least this many packets per second, overriding Nmap's congestion control when it would slow down. Set it too high for the link or the target and probes are dropped, which shows up as ports wrongly reported filtered, so compare results with a slower run before trusting them.


Popular Nmap Cheat Sheets

Explore these handy references:

  • StationX Nmap Cheat Sheet: A concise resource for essential commands.
  • Nmap Scan Cheat Sheet: Focuses on scan types and their uses.
  • Nmap Vulnerability Scan Cheat Sheet: Specialized commands for security testing.

Conclusion

This Nmap Cheat Sheet is a comprehensive resource to help you master network scanning. From simple host discovery to advanced vulnerability assessments, these commands and options empower you to effectively analyze and secure networks. Remember to use Nmap ethically and with permission when exploring networks.
