
Nmap Cheat Sheet for Cybersecurity Professionals

Nmap is an essential tool for any cybersecurity professional. Whether you’re conducting a vulnerability assessment or a penetration test, Nmap allows you to discover hosts, services, and vulnerabilities on a network. Here is a comprehensive list of Nmap commands, organized by functionality, to help you use Nmap more efficiently.

Basic Scan Commands

These are the essential commands used for basic network scanning. They help identify live hosts, scan specific IPs, and scan entire networks.

Command                                     Description
nmap 192.168.1.1                            Scan a single IP address.
nmap 192.168.1.1 192.168.2.1                Scan multiple specific IP addresses.
nmap 192.168.1.1-254                        Scan a range of IP addresses.
nmap scanme.nmap.org                        Scan a domain name.
nmap 192.168.1.0/24                         Scan a subnet using CIDR notation.
nmap -iL targets.txt                        Scan targets listed in a file.
nmap -iR 100                                Scan 100 random hosts.
nmap 192.168.1.0/24 --exclude 192.168.1.1   Exclude specific hosts from the scan.

Scan Types (TCP, UDP, ACK, etc.)

These scan types allow you to adjust the scan methodology based on your network and what you’re testing for.

Command                  Description
nmap 192.168.1.1 -sS     TCP SYN scan (default scan type for speed and stealth).
nmap 192.168.1.1 -sT     TCP connect scan (useful when you don’t have root privileges).
nmap 192.168.1.1 -sU     UDP port scan.
nmap 192.168.1.1 -sA     TCP ACK scan to map firewall rules.
nmap 192.168.1.1 -sW     TCP Window scan to analyze traffic characteristics.
nmap 192.168.1.1 -sM     TCP Maimon scan (rarely used but effective for evading detection).

Host Discovery and Ping Scanning

These switches control how Nmap identifies which hosts are up and available in the network.

Command                            Description
nmap 192.168.1.1-3 -sL             List the target hosts without scanning them.
nmap 192.168.1.1/24 -sn            Disable port scanning; only perform host discovery.
nmap 192.168.1.1-5 -Pn             Disable host discovery; only perform a port scan.
nmap 192.168.1.1-5 -PS22-25,80     TCP SYN discovery on specific ports.
nmap 192.168.1.1-5 -PA22-25,80     TCP ACK discovery on specific ports.
nmap 192.168.1.1-5 -PU53           UDP discovery on a specific port (53 for DNS).
nmap 192.168.1.1/24 -PR            ARP discovery on a local network.
nmap 192.168.1.1 -n                Disable DNS resolution during the scan.

Port Scanning and Range

These switches allow you to define which ports you wish to scan, and customize port ranges for more focused scans.

Command                                Description
nmap 192.168.1.1 -p 21                 Scan port 21 (FTP) on the target IP address.
nmap 192.168.1.1 -p 21-100             Scan ports 21 through 100.
nmap 192.168.1.1 -p U:53,T:21-25,80    Scan a mix of UDP and TCP ports (a U: or T: prefix applies to every item that follows it).
nmap 192.168.1.1 -p-                   Scan all 65535 ports on the target.
nmap 192.168.1.1 -p http,https         Scan ports by service name, such as HTTP and HTTPS.
nmap 192.168.1.1 -F                    Fast scan of the top 100 ports.
nmap 192.168.1.1 --top-ports 2000      Scan the top 2000 most common ports.
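To make the -p grammar in the table concrete, here is an added parser (not code from the original post or from the Nmap project) that expands the numeric forms shown above, including the sticky U:/T: prefixes and the all-ports shorthand; service names such as http are deliberately not resolved, since Nmap looks those up in its own nmap-services file.

```python
import re

MAX_PORT = 65535


def parse_port_spec(spec):
    """Expand an Nmap -p port specification into {'T': set, 'U': set}.

    Handles single ports (21), ranges (21-100), the all-ports shorthand
    (- or 1-), and protocol prefixes (U:53,T:21-25,80). As in Nmap, a
    prefix stays in effect for the items after it until another prefix
    appears, and items with no prefix default to TCP.
    """
    ports = {"T": set(), "U": set()}
    proto = "T"  # Nmap's default protocol when no prefix has been given
    for item in spec.split(","):
        item = item.strip()
        m = re.fullmatch(r"(?:([TU]):)?(.*)", item)
        if m.group(1):
            proto = m.group(1)
        rng = m.group(2)
        if rng == "-":  # "-p-" means every port
            lo, hi = 1, MAX_PORT
        elif "-" in rng:  # open-ended ranges like "1000-" or "-1024"
            lo_s, hi_s = rng.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        elif rng.isdigit():
            lo = hi = int(rng)
        else:
            raise ValueError(f"unsupported port item: {item!r}")
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range: {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports
```

Useful for sanity-checking a port list before a long scan, since a reversed range such as 100-21 is rejected instead of silently scanning nothing.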

Version Detection and OS Fingerprinting

This section includes commands that enable Nmap to determine the versions of services running on a host and perform OS fingerprinting.

Command                                         Description
nmap 192.168.1.1 -sV                            Detect versions of services running on open ports.
nmap 192.168.1.1 -sV --version-intensity 8      Service version detection at intensity level 8 (higher values are more thorough but slower).
nmap 192.168.1.1 -sV --version-light            Light version detection (faster but less accurate).
nmap 192.168.1.1 -O                             Perform OS detection on the target machine.
nmap 192.168.1.1 -A                             Enable OS detection, version detection, script scanning, and traceroute.

Conclusion

Nmap is a versatile tool for cybersecurity professionals. Whether you’re scanning a few hosts or performing a detailed audit on an entire network, these Nmap commands will help you gather critical information to identify vulnerabilities and assess your network’s security posture.

With these commands at your disposal, you’re well-equipped to conduct network discovery, version detection, OS fingerprinting, vulnerability scanning, and more. Always remember that network scanning without authorization may be illegal, so ensure you have proper consent before using Nmap on networks you don’t own.

0xSnow

0xSnow is a cybersecurity researcher with a focus on both offensive and defensive security. Working with ethical hacking, threat detection, Linux tools, and adversary simulation, 0xSnow explores vulnerabilities, attack chains, and mitigation strategies. Passionate about OSINT, malware analysis, and red/blue team tactics, 0xSnow shares detailed research, technical walkthroughs, and security tool insights to support the infosec community.
