Comprehensive Nmap Cheatsheet for Security Analysts and Penetration Testers

🛠 Security Tool Cheatsheet

Alex Morgan — Senior Penetration Tester

What is Nmap?

Nmap (Network Mapper) is a powerful open-source tool used for network discovery and security auditing. Common uses include network inventory, managing service upgrade schedules, and monitoring host or service uptime. It offers advanced features for probing computer networks, including detecting hosts and services, identifying operating systems, and executing scripts for vulnerability scanning.

Installation

Nmap can be installed on various platforms. Here’s how to install it:

  • On Debian-based systems: sudo apt install nmap
  • On Red Hat-based systems: sudo yum install nmap
  • On macOS: brew install nmap

Basic Syntax

The basic syntax for Nmap is:

nmap [options] [targets]

Network Discovery

Ping Scan

To find live hosts on a network:

nmap -sn 192.168.1.0/24

Service Version Detection

To find service versions on detected ports:

nmap -sV 192.168.1.1

Scanning

TCP Connect Scan

To perform a full TCP connection scan:

nmap -sT 192.168.1.0/24

Stealth SYN Scan

To perform a SYN scan:

nmap -sS -p 1-65535 192.168.1.1

Exploitation

Script Scanning

To run Nmap scripts for deeper analysis:

nmap --script=http-enum 192.168.1.1

Analysis

OS Detection

To detect the operating system:

nmap -O 192.168.1.1

Aggressive Scan

To perform an aggressive scan that combines various techniques:

nmap -A 192.168.1.1

Evasion

Fragmenting Packets

To evade firewalls by fragmenting packets:

nmap -f 192.168.1.1

Changing the Source Port

To specify a different source port:

nmap -g 53 192.168.1.1

Reporting

Output Formats

To save results in various formats:

nmap -oN output.txt 192.168.1.1
nmap -oX output.xml 192.168.1.1
nmap -oG output.gnmap 192.168.1.1

Quick Reference Table

Flag  Description
-sT   TCP connect scan
-sS   SYN scan (stealth)
-sV   Service version detection
-O    Operating system detection
-A    Aggressive scan (OS detection, version detection, script scanning, traceroute)

Pro Tips

  • Use nmap -sS -p- target to scan all 65535 ports.
  • Combine -Pn with scans to skip host discovery.
  • Use --script with a named or custom script to limit a scan to the checks you actually need.

Real-World Examples

Here are some practical examples that experienced analysts might use:

Identifying Vulnerable Services

nmap -sV --script=vuln 192.168.1.1

Comprehensive Network Audit

nmap -sS -sV -O -A 192.168.1.0/24