
Nmap Cheat Sheet

Essential nmap commands for network discovery, port scanning, service enumeration, and firewall evasion. Covers everything from basic host discovery to advanced NSE scripting.


Host Discovery

Ping sweep to discover live hosts without port scanning

$ nmap -sn 192.168.1.0/24

Skip host discovery and scan specific ports on all hosts (-Pn treats every address as up, so probes are sent even to hosts that are down; use it when ICMP and the default ping probes are filtered)

$ nmap -Pn -p 80,443 192.168.1.0/24

ARP discovery on local network segment

$ nmap -sn -PR 10.0.0.0/24

List scan with reverse DNS through a specific resolver (-sL sends nothing to the targets themselves; the only traffic is the reverse-DNS lookups)

$ nmap -sL --dns-servers 8.8.8.8 192.168.1.0/24

ICMP echo, timestamp, and netmask discovery combined

$ nmap -sn -PE -PP -PM 10.0.0.0/16

Scan Types

SYN stealth scan on all 65535 ports

$ nmap -sS -p- 192.168.1.1

UDP scan on the top 100 common UDP ports

$ nmap -sU --top-ports 100 192.168.1.1

Version detection with default scripts on specific ports

$ nmap -sV -sC -p 22,80,443 192.168.1.1

ACK scan to map firewall rulesets (never reports open ports; a RST means the port is unfiltered, no reply or an ICMP unreachable means a stateful filter is in the way)

$ nmap -sA -p 80 192.168.1.1

NULL, FIN, and Xmas scans for firewall evasion (nmap accepts only one TCP scan type per run, so run them separately; they rely on RFC 793 behaviour, and stacks such as Windows answer all three with a RST, so every port looks closed)

$ nmap -sN -p 80 192.168.1.1
$ nmap -sF -p 80 192.168.1.1
$ nmap -sX -p 80 192.168.1.1

NSE Scripts

Run all vulnerability detection scripts against a target (the vuln category includes intrusive scripts that can crash fragile services; list them first with nmap --script-help vuln)

$ nmap --script=vuln 192.168.1.1

Enumerate directories and files on a web server

$ nmap --script=http-enum -p 80 192.168.1.1

Enumerate SMB shares and detect OS via SMB

$ nmap --script=smb-enum-shares,smb-os-discovery -p 445 192.168.1.1

Test for Heartbleed vulnerability on HTTPS services

$ nmap --script=ssl-heartbleed -p 443 192.168.1.1

Run only scripts tagged as both default and safe

$ nmap --script="default and safe" 192.168.1.1

Output Formats

Output in all three formats: normal, XML, and grepable

$ nmap -oA scan_results 192.168.1.0/24

Generate XML output and convert it to an HTML report (xsltproc takes the stylesheet path from the xml-stylesheet declaration nmap writes into the file; add --webxml to the nmap command if the report will be rendered on a host without nmap installed)

$ nmap -oX scan.xml 192.168.1.1 && xsltproc scan.xml -o report.html

Grepable output piped to extract hosts with open ports (matching /open/ restricts the hit to port-state fields; the second field is the address, the resolved hostname follows it in parentheses)

$ nmap -oG - 192.168.1.0/24 | grep '/open/' | awk '{print $2}'
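The one-liner above only yields addresses. The following added example (not part of the cheat sheet, and not nmap's own tooling) parses -oG output properly: it splits each Ports: field into its port/state/proto/owner/service entries, prints one line per open port, and lets you select hosts by port number. The scan output inside sample_grepable is constructed to match the -oG format; it is not a real scan.

```shell
#!/bin/sh
# Added example: parse nmap grepable (-oG) output into "host port/proto service"
# lines for open ports, then select hosts by port. Not code from the cheat sheet.

# Constructed sample in -oG format (not a real scan). Fields are tab-separated,
# and printf keeps the tabs intact.
sample_grepable() {
  printf '# Nmap 7.94 scan initiated as: nmap -oG - -p 22,80,443 192.168.1.0/24\n'
  printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
  printf 'Host: 192.168.1.10 (fileserver)\tStatus: Up\n'
  printf 'Host: 192.168.1.10 (fileserver)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (0)\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///\n'
  printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds\n'
}

# open_ports: read -oG output on stdin; print one "host port/proto service"
# line per open port. A Ports entry is port/state/proto/owner/service/rpc/version.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # drop the "(hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
        }
      }
    }'
}

# hosts_with_open PORT: deduplicated addresses that have PORT open (any protocol)
hosts_with_open() {
  open_ports | awk -v want="$1" '$2 ~ ("^" want "/") { print $1 }' | sort -u
}

# Demo on the constructed sample. With a live scan, feed nmap directly:
#   nmap -oG - -p 22,80,443 192.168.1.0/24 | open_ports
#   nmap -oG - -p 443 192.168.1.0/24 | hosts_with_open 443
sample_grepable | open_ports
```

Because the parser keys on the tab-separated Ports: field rather than on the word "open" anywhere in the line, a hostname or comment containing "open" cannot produce a false hit, and filtered or closed entries are dropped before the port list is printed.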

Append results to an existing output file

$ nmap --append-output -oN ongoing_scan.txt 192.168.1.1

Timing & Performance

Aggressive timing with a minimum packet rate of 1000/sec (--min-rate overrides nmap's congestion control, so on a lossy link it can drop probes and miss open ports)

$ nmap -T4 --min-rate 1000 -p- 192.168.1.1

Polite timing (-T2) spaces probes out to stay under rate thresholds; --max-retries 2 caps retransmissions so the scan finishes sooner, at some cost to accuracy on lossy links

$ nmap -T2 --max-retries 2 192.168.1.1

Control probe parallelism for large network scans

$ nmap --min-parallelism 50 --max-parallelism 100 192.168.1.0/24

Skip hosts that take longer than 5 minutes to scan

$ nmap --host-timeout 5m -p- 192.168.1.0/24

Firewall Evasion

Use 10 random decoy IP addresses to obscure the scan origin (your real address is still one of the senders; decoys only apply to raw-packet scans, not to -sT or version detection, and the scan is still attributable by the host that receives the replies)

$ nmap -D RND:10 -p 80 192.168.1.1

Fragment packets to get past simple packet filters: -f splits probes into 8-byte fragments, --mtu sets a custom fragment size that must be a multiple of 8; use one or the other, not both. Fragmentation only applies to raw-packet scans, and many filters and IDSs reassemble before inspecting.

$ nmap -f -p 80 192.168.1.1
$ nmap --mtu 24 -p 80 192.168.1.1

Spoof the source port as DNS to bypass poorly configured firewalls that trust port 53 (-g is the short form; it is only honoured for raw-packet scans, not for -sT, version detection, or NSE, which use the OS socket layer)

$ nmap --source-port 53 -p 80 192.168.1.1

Append random data to packets to avoid signature-based detection

$ nmap --data-length 50 -p 80 192.168.1.1

Introduce delays between probes to evade rate-based IDS

$ nmap -sS --scan-delay 5s --max-scan-delay 10s 192.168.1.1
