Nmap

Comprehensive Nmap Guide & Cheat Sheet

Nmap (Network Mapper) is a powerful, open-source tool for network discovery, security auditing, and vulnerability assessment. It is widely used by network administrators, penetration testers, and security professionals to map networks, discover hosts and services, and identify vulnerabilities.


1. What is Nmap?

Nmap is a command-line tool designed for network reconnaissance. It sends packets to target hosts and analyzes the responses to determine which hosts are up, what services they offer, what operating systems they run, and more. Over its 25+ year history, Nmap has evolved from a simple port scanner into a comprehensive network security tool with advanced scripting capabilities.


2. Real-World Use Cases

  • Network Discovery & Inventory: Identify devices, services, and operating systems on a network.

  • Port Scanning: Detect open, closed, and filtered ports to assess potential entry points.

  • Vulnerability Scanning: Use scripts to find known vulnerabilities in services and configurations.

  • Security Auditing & Compliance: Ensure only authorized devices and services are present.

  • Penetration Testing: Simulate attacks to identify and fix vulnerabilities.

  • Firewall Testing: Evaluate firewall rules and responses to simulated attacks.

  • Network Security Monitoring: Detect changes in network topology or exposed services by comparing scans over time.


3. Common Nmap Scan Types & Syntax

Scan Type               | Description                                              | Command Syntax
------------------------|----------------------------------------------------------|---------------------------
TCP SYN (Stealth) Scan  | Half-open scan; default when run with raw-socket privileges | nmap -sS <target>
TCP Connect Scan        | Full TCP handshake, less stealthy; default when unprivileged | nmap -sT <target>
UDP Scan                | Scans UDP ports                                          | nmap -sU <target>
SCTP INIT Scan          | For the SCTP protocol (telecom networks)                 | nmap -sY <target>
TCP NULL/FIN/Xmas Scans | Stealth scans using unusual TCP flag combinations        | nmap -sN/-sF/-sX <target>
ACK Scan                | Maps firewall rules (filtered/unfiltered), not port state | nmap -sA <target>
Idle Scan               | Stealthy, bounces probes off a third-party "zombie" host | nmap -sI <zombie> <target>
Version Detection       | Detects service versions                                 | nmap -sV <target>
OS Detection            | Identifies target OS                                     | nmap -O <target>
Ping Scan               | Host discovery only, no port scan                        | nmap -sn <target>
List Scan               | Lists targets (with reverse-DNS names); sends no probes to them | nmap -sL <target>


4. Essential Nmap Switches, Flags, and Options

Host Discovery

  • -sn : Ping scan (host discovery only)

  • -Pn : Treat all hosts as online (skip host discovery)

  • -PS/-PA/-PU <ports> : TCP SYN, TCP ACK, or UDP discovery probes to the specified ports; -PR : ARP ping (used automatically on local Ethernet segments)

Port Specification

  • -p <ports> : Specify ports (e.g., -p 80,443 or -p 1-65535)

  • -F : Fast scan (fewer ports)

  • --top-ports <n> : Scan top n most common ports

Service & Version Detection

  • -sV : Detect service versions

  • --version-intensity <0-9> : Set version detection intensity

OS Detection

  • -O : Enable OS detection

  • --osscan-limit : Only attempt OS detection on promising hosts (at least one open and one closed TCP port found)

  • --osscan-guess : Aggressive OS guessing

Timing & Performance

  • -T0 to -T5 : Timing templates (T0=slowest/stealthiest, T5=fastest)

  • --min-rate <n>/--max-rate <n> : Control the packet sending rate (packets per second)

Output Formats

  • -oN <file> : Normal output

  • -oX <file> : XML output

  • -oG <file> : Grepable output

  • -oA <basename> : All formats at once

Firewall/IDS Evasion

  • -f : Fragment packets

  • -D <decoy1,decoy2,...> : Use decoys

  • -S <IP> : Spoof source address

  • -g <port> : Use given source port

Nmap Scripting Engine (NSE)

  • -sC : Run default scripts

  • --script <name/category> : Run specific scripts (e.g., --script=http-enum)

  • --script-args <args> : Pass arguments to scripts


5. Nmap Scripting Engine (NSE)

NSE allows automation and advanced scanning using scripts written in Lua. Scripts are grouped into categories such as discovery, brute, vuln, exploit, safe, and intrusive, and a category name can be passed to --script to run every script in it.

Popular Scripts:

  • http-enum : Enumerate web server directories/files

  • smb-os-discovery : Identify OS via SMB

  • dns-brute : Brute-force DNS subdomains

  • ftp-anon : Check for anonymous FTP access

  • vulners : Detect known vulnerabilities by looking up detected service versions (requires -sV)

  • snmp-brute : Brute-force SNMP community strings

  • http-vuln-* : Detect web application vulnerabilities

Usage Example:

nmap --script=http-enum <target>
nmap --script=vulners -p 80,443 <target>

Script Help:

nmap --script-help=<scriptname>

Script Arguments:

nmap --script=<script> --script-args=<args> <target>

Best Practices: Only run scripts you understand, especially those in the intrusive, exploit, or vuln categories, as they may disrupt services.


6. Timing Options

  • -T0 : Paranoid (very slow, stealthy)

  • -T1 : Sneaky

  • -T2 : Polite

  • -T3 : Normal (default)

  • -T4 : Aggressive (faster, less stealthy)

  • -T5 : Insane (fastest, most detectable)

Other Timing Controls:

  • --host-timeout <time> : Max time per host

  • --scan-delay <time> : Delay between probes


7. Output Formats

  • Normal: -oN <file>

  • XML: -oX <file>

  • Grepable: -oG <file>

  • All at once: -oA <basename>

  • Script Kiddie: -oS <file> (fun, not practical)
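The XML format (-oX) is the one meant for programmatic use. As an added example that is not part of the original cheat sheet, the Python script below parses -oX output and compares two scans of the same host to flag ports that were newly opened or closed, which is how the change-detection use case from section 2 is usually automated. The two XML snippets are constructed samples trimmed to the elements the parser reads; 192.0.2.10 is a documentation address.

```python
import xml.etree.ElementTree as ET

# Constructed sample -oX output for one host scanned twice (not real scan data).
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 192.0.2.10">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text):
    """Map (addr, protocol, port) -> service name for every open port in -oX output."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:          # e.g. a host block with only a MAC address
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue             # closed/filtered ports are not inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found[(addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))] = name
    return found


def diff_scans(baseline_xml, current_xml):
    """Return (newly_open, no_longer_open) keys between a baseline and a later scan."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


if __name__ == "__main__":
    opened, closed = diff_scans(BASELINE_XML, CURRENT_XML)
    for key in opened:
        print("NEW OPEN PORT  :", key)   # (192.0.2.10, tcp, 3389) in the sample
    for key in closed:
        print("NO LONGER OPEN :", key)   # (192.0.2.10, tcp, 443) in the sample
```

Against real files, read the -oX output with open(path).read() in place of the embedded strings; a new open port on a host that should not have changed is the event worth alerting on.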


8. Best Practices & Security Considerations

  • Always obtain explicit permission before scanning any network you do not own or control. Unauthorized scanning is illegal and unethical.

  • Define clear objectives and scope for your scans.

  • Communicate with stakeholders to avoid disruptions.

  • Document and analyze scan results for future reference.

  • Be aware of network impact: Aggressive scans can disrupt services.

  • Understand legal and ethical constraints: Unauthorized use can result in legal action.

  • Use NSE scripts responsibly: Some scripts can be intrusive or disruptive.


9. Limitations

  • Detection by IDS/IPS: Even stealth scans can be detected by modern security systems.

  • Network Impact: Large or aggressive scans may slow down or disrupt networks.

  • Legal Risks: Unauthorized scanning can lead to lawsuits or criminal charges.

  • Not a Vulnerability Scanner: Nmap can identify potential vulnerabilities, but it is not a full vulnerability management solution.


10. Quick Reference Cheat Sheet

# Basic host discovery (ping scan)
nmap -sn 192.168.1.0/24

# Stealth SYN scan of top 1000 ports
nmap -sS <target>

# Full TCP connect scan of all ports
nmap -sT -p 1-65535 <target>

# UDP scan of top 100 ports
nmap -sU --top-ports 100 <target>

# Service and version detection
nmap -sV <target>

# OS detection
nmap -O <target>

# Run default scripts
nmap -sC <target>

# Run specific NSE script
nmap --script=http-enum <target>

# Aggressive scan (OS, version, script, traceroute)
nmap -A <target>

# Output in all formats
nmap -oA scan_results <target>

11. Further Resources


12. Summary Table: Common Nmap Options

Option           | Description
-----------------|---------------------------------------
-sS              | TCP SYN (stealth) scan
-sT              | TCP connect scan
-sU              | UDP scan
-p               | Specify ports
-F               | Fast scan
-A               | Aggressive scan (OS, version, scripts, traceroute)
-O               | OS detection
-sV              | Service/version detection
-T0 to -T5       | Timing templates
-oN/-oX/-oG/-oA  | Output formats
-sC              | Default scripts
--script         | Specify NSE scripts
-D               | Decoy scan
-f               | Fragment packets
-Pn              | Treat all hosts as online


13. Final Notes

Nmap is a versatile and indispensable tool for network security. Mastery of its options, scan types, and scripting capabilities can greatly enhance your ability to assess and secure networks. Always use Nmap responsibly, ethically, and legally.

