An Nmap cheat sheet is an essential reference for any security professional looking to map attack surfaces and identify vulnerabilities with precision. Nmap (Network Mapper) functions by sending specially crafted raw IP packets to a target and analyzing the responses to determine host availability, open ports, running services, and operating system versions. By using specific flags and the Nmap Scripting Engine (NSE), you can transform a simple port scan into a powerful vulnerability assessment tool.
TL;DR: Essential Nmap Takeaways
- Speed vs. Stealth: Use -sS (TCP SYN Scan) for a balance of speed and stealth. It never completes the three-way handshake, so the probe rarely reaches application logs, though any IDS watching the wire still sees the SYNs.
- Automation: Use the Nmap Scripting Engine (NSE) with --script to automate tasks like banner grabbing and vulnerability detection.
- Evasion: Use fragmentation (-f) and decoys (-D) to bypass basic firewalls and Intrusion Detection Systems (IDS).
- Output Persistence: Always use -oA to save results in all formats (XML, Grepable, and Normal) for future analysis and reporting.
Core Scanning Techniques and Flag Reference
Understanding the fundamental scan types is the difference between a noisy, failed engagement and a successful reconnaissance phase. Nmap offers various methods to interact with the TCP/IP stack of a target. Most professionals start with a basic ping sweep to identify live hosts before moving into more aggressive port scanning. If you are working on an external engagement, using an online port scanner can provide a quick perspective of your perimeter from an external viewpoint.
TCP SYN vs. Connect Scans
The TCP SYN Scan (-sS) is the default scan whenever Nmap has raw-packet privileges (root on Unix-like systems, Administrator with Npcap on Windows). It sends a SYN and watches the reply: a SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) after retransmissions means filtered. Because the scanning host answers the SYN/ACK with a RST instead of an ACK, the handshake never completes and the connection is never handed to the listening application, so it is usually absent from application-layer logs. In contrast, the TCP Connect Scan (-sT) uses the operating system's connect() call and completes the three-way handshake. It is slower and noisier, but it is the only option when the user lacks raw socket permissions, for example in restricted environments or when scanning through certain proxies.
UDP Scanning Challenges
Scanning UDP ports (-sU) is notoriously slow and unreliable compared to TCP. UDP is connectionless, so there is no handshake to confirm a listener. An open port often does not respond at all unless the probe carries a payload the service expects (Nmap ships protocol-specific payloads for common ports such as DNS and SNMP, which is why those are identified more reliably than arbitrary ports). A closed port normally triggers an ICMP Port Unreachable message, but many firewalls drop those ICMP errors, and Nmap then has to report the port as open|filtered. Hosts also rate-limit ICMP errors (Linux defaults to roughly one per second), so a full 65,535-port UDP scan of a single host can take hours. When following a network penetration testing methodology, prioritise common UDP ports like 53 (DNS), 161 (SNMP), and 123 (NTP), or combine -sU with --top-ports, rather than scanning the entire range.
| Flag | Scan Type | Description |
|---|---|---|
| -sS | TCP SYN Scan | Half-open scan; fast and relatively stealthy. |
| -sT | TCP Connect Scan | Completes the handshake; used when raw sockets are unavailable. |
| -sU | UDP Scan | Identifies open UDP services; slow, and a silent port can only be reported as open\|filtered. |
| -sA | ACK Scan | Used to map out firewall rulesets rather than find open ports. |
| -sV | Version Detection | Probes open ports to determine service and version info. |
Key Takeaway: Always prioritize -sS for internal network discovery. If you encounter significant packet loss or rate-limiting, adjust your timing templates rather than switching to a Connect scan.
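The decision rules described above, written out as code. This is an added example and not Nmap's source: it reproduces how the documented SYN and UDP scan logic turns a single response (or its absence) into a port state and the one-word cause that --reason prints. The Response dataclass is this example's own modelling; the ICMP type-3 codes that count as filtered (1, 2, 3, 9, 10, 13) and the UDP open|filtered fallback are Nmap's documented behaviour, and the reason labels follow the vocabulary --reason uses. Real Nmap retransmits a probe before settling on "no-response"; that retry loop is omitted here.

```python
"""Port-state logic behind -sS and -sU, with the reason --reason would show.

Added example, not Nmap source. The ICMP codes and the open|filtered
fallback are Nmap's documented rules; the Response type is ours.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


# Constructed model of what the scanner got back for one probe.
@dataclass
class Response:
    kind: str                        # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""              # TCP flag letters, e.g. "SA" or "RA"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


# ICMP destination-unreachable (type 3) codes that Nmap treats as filtering,
# keyed to the label --reason prints for them.
ICMP_FILTERED = {
    1: "host-unreach",
    2: "proto-unreach",
    3: "port-unreach",       # for a TCP probe this means filtered, not closed
    9: "net-prohibited",
    10: "host-prohibited",
    13: "admin-prohibited",
}


def classify_syn(resp: Response) -> Tuple[str, str]:
    """State and reason for one -sS probe."""
    if resp.kind == "tcp":
        if "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open", "syn-ack"            # listener accepted the SYN
        if "R" in resp.tcp_flags:
            return "closed", "reset"            # nothing listening
    if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code in ICMP_FILTERED:
        return "filtered", ICMP_FILTERED[resp.icmp_code]
    return "filtered", "no-response"            # dropped somewhere in the path


def classify_udp(resp: Response) -> Tuple[str, str]:
    """State and reason for one -sU probe; note the ambiguous fallback."""
    if resp.kind == "udp":
        return "open", "udp-response"           # only happens if the payload made sense
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == 3:
            return "closed", "port-unreach"     # the only definitive 'closed' signal
        if resp.icmp_code in ICMP_FILTERED:
            return "filtered", ICMP_FILTERED[resp.icmp_code]
    # Silence is either an open service that ignored the payload or a firewall
    # eating the probe or the ICMP error: Nmap cannot tell, so it reports both.
    return "open|filtered", "no-response"


def summarise(results):
    """Count states for {(proto, port): Response}, like the end-of-scan summary."""
    counts = {}
    for (proto, _number), resp in results.items():
        state, _reason = classify_udp(resp) if proto == "udp" else classify_syn(resp)
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    sample = {                                  # constructed probe outcomes
        ("tcp", 22): Response("tcp", tcp_flags="SA"),
        ("tcp", 23): Response("tcp", tcp_flags="RA"),
        ("tcp", 135): Response("icmp", icmp_type=3, icmp_code=13),
        ("udp", 53): Response("udp"),
        ("udp", 161): Response("none"),
        ("udp", 162): Response("icmp", icmp_type=3, icmp_code=3),
    }
    for port, resp in sample.items():
        fn = classify_udp if port[0] == "udp" else classify_syn
        print(port, *fn(resp))
    print(summarise(sample))
```

The asymmetry is the whole UDP story: a TCP SYN that goes unanswered is simply filtered, but a UDP probe that goes unanswered cannot be distinguished from an open service that ignored the payload, which is why -sU results are only definitive for closed ports and for the handful of services Nmap has payloads for.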
Host Discovery and Port Selection Strategies
In large-scale environments, scanning every port on every IP address is inefficient. A /24 (the old Class C) has 254 usable hosts, and scanning all 65,535 TCP ports on each, let alone UDP, would take hours. Effective reconnaissance requires narrowing the scope: find the live hosts first with a discovery-only scan, then port scan only those. Using a network scanner or Nmap's discovery flags allows you to find live targets in seconds.
Bypassing Host Discovery
By default, a privileged Nmap run discovers hosts with an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request (an unprivileged run falls back to TCP connect() attempts to ports 80 and 443). If a target blocks all of these, Nmap assumes it is down and never port scans it. Use the -Pn flag to treat every address as online. This is standard practice in bug bounty hunting, where hosts are often hardened against pings, but be aware of the cost: with -Pn every address in the range is port scanned, dead or not, so use it on curated target lists rather than large CIDR blocks. For internal discovery, -sn (Ping Scan, formerly -sP) runs only host discovery and no port scan, which is the fastest way to build a target list for a subnet.
Targeting Specific Port Ranges
Nmap scans the 1,000 most common ports by default. You can modify this behavior using the following flags:
- -p-: Scans all 65,535 ports. Essential for deep dives but very slow.
- -p 80,443,8080: Scans only the specified ports. Ranges and protocols can be mixed, e.g. -p U:53,T:21-25,80.
- --top-ports 100: Scans the 100 ports most frequently found open, ranked by the frequency data in Nmap's nmap-services file.
- -r: Scans ports sequentially instead of in random order.
During initial reconnaissance, --top-ports 2000 usually captures the large majority of reachable services in a fraction of the time a full -p- scan needs; Nmap's port-frequency data is what makes that shortcut defensible. It fits well into a pentest checklist for a time-boxed engagement, with the full port range reserved for the hosts that turn out to matter.
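A two-phase pipeline that puts the advice in this section together, as an added example (not from the original page): sweep a range with -sn and grepable output, keep only the hosts reported Up, write them to a target file, and build the follow-up --top-ports scan over that file. The grepable sample is constructed; with dry_run=False the same function runs the real sweep via subprocess, which needs root for the raw-packet probes.

```python
"""Two-phase discovery: ping sweep, then port scan only the live hosts.

Added example, not from the original page. Parses the grepable output of
`nmap -sn -oG -`, writes the Up hosts to a target file and builds the
follow-up scan command. SAMPLE_SWEEP is constructed; nothing is executed
unless dry_run=False.
"""
import re
import subprocess
from pathlib import Path

# Constructed sample of `nmap -sn -oG - 192.168.1.0/28` output.
SAMPLE_SWEEP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sn -oG - 192.168.1.0/28
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.9 ()\tStatus: Down
Host: 192.168.1.12 (printer.lan)\tStatus: Up
# Nmap done at Mon Jan  1 12:00:02 2024 -- 16 IP addresses (3 hosts up) scanned in 2.01 seconds
"""

# One grepable host line: "Host: <addr> (<name>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)", re.M)


def live_hosts(grepable_text):
    """Addresses the sweep reported as Up, in scan order."""
    return [addr for addr, _name, status in HOST_LINE.findall(grepable_text)
            if status == "Up"]


def sweep_command(cidr):
    """Phase 1: host discovery only, grepable output on stdout."""
    return ["nmap", "-sn", "-oG", "-", cidr]


def port_scan_command(targets_file, top_ports=1000, basename="phase2"):
    """Phase 2: SYN scan + version detection of the top N ports, all output formats."""
    return ["nmap", "-sS", "-sV", "--top-ports", str(top_ports),
            "-iL", str(targets_file), "-oA", basename]


def two_phase(cidr, workdir, top_ports=1000, dry_run=True, sweep_output=SAMPLE_SWEEP):
    """Run (or, with dry_run, simulate) the sweep; return (hosts, phase-2 command).

    Phase 2 is built but not executed so it can be reviewed before running as root.
    """
    if not dry_run:
        sweep_output = subprocess.run(sweep_command(cidr), capture_output=True,
                                      text=True, check=True).stdout
    hosts = live_hosts(sweep_output)
    targets = Path(workdir) / "targets.txt"
    targets.write_text("\n".join(hosts) + "\n")
    return hosts, port_scan_command(targets, top_ports)


if __name__ == "__main__":
    import tempfile
    hosts, cmd = two_phase("192.168.1.0/28", tempfile.mkdtemp(), top_ports=2000)
    print(hosts)
    print(" ".join(cmd))
```

Keeping the two phases separate also keeps -Pn out of the picture: the target file already contains only hosts that answered, so the expensive port scan never wastes retransmissions on dead addresses.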
Service and OS Fingerprinting for Vulnerability Research
Identifying that port 80 is open is only the first step. To find exploitable vulnerabilities, you must know what is running behind that port. Nmap’s -sV flag enables version detection, which sends a series of probes to the open ports and matches the responses against a database of thousands of service signatures.
Increasing Version Intensity
You can control how hard Nmap tries to identify a service with the --version-intensity flag, ranging from 0 (light) to 9 (all probes); --version-light and --version-all are shorthands for 2 and 9. A higher intensity raises the chance of identifying obscure services but adds scan time. Combining this with -O for operating system detection gives a clear picture of the target's stack. Nmap fingerprints the OS by analysing subtle differences in how the target's TCP/IP stack handles specific packets, such as initial window size, TTL, IP ID generation and TCP option ordering. OS detection is far more reliable when Nmap can see at least one open and one closed TCP port on the host; --osscan-limit skips hosts that do not meet that condition instead of emitting low-confidence guesses.
The Importance of the --reason Flag
One of the most underused yet vital flags is --reason. It tells you exactly why Nmap categorized a port as open, closed, or filtered. For example, if a port is filtered, --reason might show "no-response" or "admin-prohibited." This information is crucial when trying to determine if a firewall is actively blocking you or if the service is simply not responding. This level of detail is necessary when following a web application security testing guide to ensure no hidden entry points are missed.
Key Takeaway: Version detection (-sV) is the foundation of vulnerability research. Without it, you are guessing versions, which leads to failed exploits and wasted time.
Mastering the Nmap Scripting Engine (NSE)
The NSE is what makes Nmap a world-class security tool. It allows users to write and share scripts to automate a wide variety of networking tasks. These scripts are written in Lua and can perform everything from advanced service discovery to brute-forcing credentials and even exploiting known vulnerabilities.
NSE Script Categories
Scripts are organized into categories, which can be invoked using --script <category>. Common categories include:
- default: The set run by -sC (equivalent to --script default). These are chosen for speed, usefulness and low noise, but "default" is not a synonym for the "safe" category; check a script's categories before pointing it at fragile hosts.
- vuln: Checks for specific known vulnerabilities (for example smb-vuln-ms17-010 for MS17-010).
- auth: Tests or bypasses authentication on services like FTP, SSH, or MySQL, such as checking for anonymous FTP logins.
- brute: Performs brute-force attacks against common services; intrusive, slow, and liable to lock out accounts where lockout policies exist.
- discovery: Gathers more information about the network, such as SNMP queries or directory listing.
Practical NSE Examples for Bug Bounties
For bug bounty hunters, specific scripts can save hours of manual work. For instance, http-enum probes for directories and files used by popular web applications, effectively a quick directory brute-force, while ssl-cert prints the certificate's subject and Subject Alternative Name entries, which often reveal internal hostnames or extra subdomains. If you are focused on identifying targets, combining Nmap with subdomain enumeration tools creates a comprehensive view of the target's infrastructure.
Example command for a focused web discovery:
nmap -p80,443 --script http-enum,http-title,ssl-cert <target>
This command identifies the page title, common directories, and certificate details in a single pass. It is much more efficient than running three separate tools. When you find an interesting directory, you can then pivot to more specialized tools.
Timing, Performance, and Evasion Strategies
In a real-world scenario, you will often face firewalls, rate-limiters, and IDSs that attempt to block or slow down your scans. Nmap provides several mechanisms to tune performance and hide your activity.
Timing Templates (-T)
Nmap offers six timing templates, -T0 through -T5: Paranoid, Sneaky, Polite, Normal, Aggressive and Insane. -T0 and -T1 are extremely slow (five minutes and fifteen seconds between probes respectively) and exist to stay under IDS thresholds, while -T2 merely throttles bandwidth use. -T3 is the default. -T4 and -T5 are for fast, reliable networks where speed matters more than noise; -T5 also caps retries and timeouts aggressively enough to miss ports on lossy links. In most professional assessments, -T4 is the standard balance of speed and reliability.
Advanced Firewall Evasion
If a simple scan is being dropped, you might need to use evasion techniques.
Fragmentation (-f) splits each probe into 8-byte IP fragments after the IP header (-ff uses 16 bytes), so the 20-byte TCP header arrives in three pieces and the fragment carrying the TCP flags is not the first one. A packet filter that inspects only the first fragment, or cannot reassemble at all, never sees the SYN. Modern firewalls and IDSs, and often the netfilter stack on the scanning host itself, reassemble fragments, so this rarely works against current equipment; it also applies only to raw-packet scans, not to -sT, -sV probes or NSE scripts, which use the OS socket API.
Decoys (-D) make the scan appear to come from several source addresses at once: Nmap sends the same probes spoofed from each decoy, and the target's logs show multiple scanners, making it hard to tell which one is real. Use -D decoy1,decoy2,ME,decoy3 to place your own address in the list, or -D RND:5 for random decoys. Choose decoys that are actually up, because a burst of probes from dead hosts is itself a tell, and remember that many ISPs and cloud providers drop spoofed source addresses at the edge, and that -sV and NSE traffic still comes from your real address.
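Where the TCP header ends up under -f, -ff and --mtu, as an added example (not Nmap code). The fragment sizes are the documented ones (8 bytes for -f, 16 for -ff, a multiple of 8 for --mtu) and the field offsets are the standard TCP header layout; the functions and their names are this example's own.

```python
"""Which fragment carries which TCP header field under -f / -ff / --mtu.

Added example, not Nmap code. Fragment sizes follow Nmap's documented
behaviour (8 bytes for -f, 16 for -ff, --mtu must be a multiple of 8);
the byte offsets are the standard TCP header layout.
"""
TCP_HEADER_LEN = 20          # header without options, as in a bare SYN probe

# Byte offset of each field inside the TCP header.
TCP_FIELDS = {
    "src_port": 0, "dst_port": 2, "seq": 4, "ack": 8,
    "data_offset": 12, "flags": 13, "window": 14, "checksum": 16, "urgent": 18,
}


def fragment_size(f_count=1, mtu=None):
    """Bytes of IP payload per fragment for -f (1), -ff (2) or --mtu N."""
    if mtu is not None:
        if mtu <= 0 or mtu % 8:
            raise ValueError("--mtu must be a positive multiple of 8")
        return mtu
    return {1: 8, 2: 16}[f_count]


def fragments(payload_len, frag_size):
    """(start, end) byte ranges of the IP payload carried by each fragment."""
    return [(s, min(s + frag_size, payload_len))
            for s in range(0, payload_len, frag_size)]


def field_fragment(field, frag_size, payload_len=TCP_HEADER_LEN):
    """0-based index of the fragment holding the first byte of `field`."""
    offset = TCP_FIELDS[field]
    for i, (start, end) in enumerate(fragments(payload_len, frag_size)):
        if start <= offset < end:
            return i
    raise ValueError(f"{field} lies beyond the {payload_len}-byte payload")


def first_fragment_sees_flags(frag_size):
    """True if a filter inspecting only fragment 0 can read the SYN/ACK/RST bits."""
    return field_fragment("flags", frag_size) == 0


if __name__ == "__main__":
    for label, size in (("-f", fragment_size(1)),
                        ("-ff", fragment_size(2)),
                        ("--mtu 24", fragment_size(mtu=24))):
        print(label, fragments(TCP_HEADER_LEN, size),
              "flags in fragment", field_fragment("flags", size))
```

The output makes the trade-off visible: only -f moves the flags byte (offset 13) out of the first fragment; with -ff or --mtu 24 the whole header rides in fragment 0, so those settings mainly change the packet's shape rather than hide the SYN from a first-fragment-only filter.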
| Technique | Flag | Use Case |
|---|---|---|
| Source Port Spoofing | --source-port 53 (or -g 53) | Bypass stateless filters that allow anything from DNS/NTP ports; raw-packet scans only, since -sV and NSE use OS-chosen ports. |
| MTU Manipulation | --mtu 24 | Set a custom fragment size instead of the 8 bytes -f uses; the value must be a multiple of 8. |
| Data Append | --data-length 25 | Add random data to packets to change their signature. |
| MAC Spoofing | --spoof-mac 0 | Generate a random MAC address for local network scans. |
Key Takeaway: Evasion is not just about staying hidden; it is about getting accurate results. If a firewall is dropping your packets, your scan results are incomplete. Use evasion to "talk" to the service.
Output Management and Post-Scan Analysis
A scan is only as good as the data you can extract from it. Nmap provides three main output formats. The Normal output (-oN) is what you see on the screen, minus runtime messages. The XML output (-oX) is the most powerful, as it can be parsed by other tools like Metasploit, Zenmap, or custom Python scripts. The Grepable output (-oG, note the capital G) is designed for quick command-line manipulation with grep, cut, and awk; it is officially deprecated in favour of XML but still fully functional. -oA <basename> writes all three at once, which is why it should be the habit.
Parsing XML for Reporting
Most senior testers use the XML output to generate reports. Each -oX file references Nmap's nmap.xsl stylesheet, so xsltproc can render it into a readable HTML document (xsltproc -o report.html scan.xml, or pass the stylesheet explicitly, e.g. xsltproc -o report.html /usr/share/nmap/nmap.xsl scan.xml, if the reference in the file does not resolve; the path depends on your install). This is helpful when presenting findings to a client who does not want to read a terminal. The same XML can be loaded into the Metasploit Framework with db_import scan.xml, or the scan can be run from inside msfconsole with db_nmap so the results land in the database directly; either way the discovered hosts and services then feed module targeting, though choosing and validating the exploits is still your job.
Comparing Scans with Ndiff
For long-term monitoring of a network, ndiff is an invaluable tool. It compares two Nmap XML files and highlights the differences, such as newly opened ports or changed service versions. This is a primary method for detecting "shadow IT" or unauthorized changes in a network environment over time. If you are managing a large infrastructure, regularly scheduled scans compared with ndiff provide a clear audit trail of your external exposure.
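Parsing -oX output and diffing two scans, as an added example that covers both the reporting and the ndiff use cases in this section (it is not Nmap's parser or ndiff itself). The two XML documents are constructed and trimmed to the elements this code reads; real -oX files carry many more attributes but the same host/address/ports/port/state/service structure.

```python
"""Parse Nmap XML (-oX) and report what changed between two scans.

Added example, not Nmap's parser or ndiff. BASELINE_XML and CURRENT_XML
are constructed, trimmed to the elements read here.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -oX base.xml 203.0.113.0/29" start="1704067200">
  <host><status state="up" reason="echo-reply"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
    </ports>
  </host>
</nmaprun>
"""

CURRENT_XML = """\
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 203.0.113.0/29" start="1706745600">
  <host><status state="up" reason="echo-reply"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http" product="Jetty" version="9.4.51"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_scan(xml_text):
    """Return {addr: {(proto, port): (state, service_label)}} for hosts that were up."""
    scan = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for p in host.findall("ports/port"):
            svc = p.find("service")
            label = "" if svc is None else " ".join(
                x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
            ports[(p.get("protocol"), int(p.get("portid")))] = (p.find("state").get("state"), label)
        scan[addr] = ports
    return scan


def diff_scans(old, new):
    """ndiff-style report: hosts and open ports that appeared, vanished or changed."""
    report = {"new_hosts": sorted(set(new) - set(old)),
              "gone_hosts": sorted(set(old) - set(new)),
              "new_open": [], "closed_since": [], "changed": []}
    for addr in sorted(set(old) | set(new)):
        o, n = old.get(addr, {}), new.get(addr, {})
        for key in sorted(set(o) | set(n)):
            o_state, o_label = o.get(key, ("closed", ""))   # absent port = not open
            n_state, n_label = n.get(key, ("closed", ""))
            if o_state != "open" and n_state == "open":
                report["new_open"].append((addr, *key))
            elif o_state == "open" and n_state != "open":
                report["closed_since"].append((addr, *key))
            elif o_state == "open" and o_label != n_label:
                report["changed"].append((addr, *key, o_label, n_label))
    return report


def report_for_samples():
    """Diff the two constructed scans above."""
    return diff_scans(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML))


if __name__ == "__main__":
    for section, items in report_for_samples().items():
        print(section, items)
```

Run against real files, replace the two constants with open("base.xml").read() and open("current.xml").read(); everything a reviewer wants for a periodic exposure check (new host, new listener, changed banner) is in the returned dict, and the service label is what makes a silent version bump on port 22 visible rather than just "still open".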
Practical Scenarios and Command Examples
To wrap up this Nmap cheat sheet, let's look at some real-world command combinations used by professionals.
The "I'm in a Hurry" Scan
nmap -sS -T4 -F <target>
This command uses a SYN scan, aggressive timing, and the -F flag to scan only the top 100 ports. It provides results in seconds for a single host.
The Full Perimeter Audit
nmap -sS -sV -Pn -p- -iL targets.txt -oA perimeter_scan
This command scans all 65,535 ports on a list of targets (-iL), identifies versions, skips host discovery (-Pn), and saves everything to files named perimeter_scan. This is the "gold standard" for a comprehensive external audit.
The Local Network Discovery
nmap -sn 192.168.1.0/24
A simple ping sweep to see who is online on the local subnet. Once you have this list, you can move to more detailed port scanning of the active IPs.
Frequently Asked Questions
Is Nmap legal to use?
Nmap is a tool, and its legality depends on how you use it. Scanning a network you own or have explicit permission to test is legal and a standard part of security auditing. However, scanning networks without permission can be interpreted as a precursor to an attack and may violate the Computer Fraud and Abuse Act (CFAA) in the US or similar laws globally. Always obtain written consent before scanning third-party infrastructure.
What is the difference between -sS and -sT?
-sS (SYN scan) is a half-open scan that does not complete the TCP handshake, making it faster and less likely to be logged by the application. -sT (Connect scan) completes the handshake and is used when the user does not have administrative privileges to create raw packets or when scanning through certain proxies.
Why does Nmap say a port is "filtered"?
A "filtered" state means Nmap cannot tell whether the port is open or closed because its probes are being blocked. Either nothing comes back at all, even after retransmissions, or the scanner receives an ICMP unreachable error such as admin-prohibited; run with --reason to see which. The usual cause is a dedicated firewall, router ACLs, or host-based security software (like Windows Firewall) dropping the packets without sending a response back to the scanner. This is also what the -sA ACK scan is for: it maps which ports a stateless filter lets through without claiming anything about the service behind them.
How can I scan a large network faster?
To increase speed, you can use the --min-rate flag to force Nmap to send a minimum number of packets per second (e.g., --min-rate 5000). You can also limit the port range with --top-ports and use the -T4 or -T5 timing templates. However, be careful as very high rates can crash older network equipment or trigger security alerts.
