Nmap Cheat sheet

Remember

If you need help :

nmap -h

Basic scan

If you’re lazy, then :

nmap -A <ip>

Scan techniques

-sS : SYN scan, fast scan. Needs root privileges

-sV : Version scan. Will get the name and the version of the detected service.

-sC : Script scan. Runs the default set of Nmap scripts. Find more in /usr/share/nmap/scripts/

-sT : TCP connect port scan

-p : Define the ports you want to scan. By default nmap scans the top 1000. You can scan all the ports with "-p-", a single port with "-p80" or a range with "-p100-200"

--top-ports X : Scan only the X most common (well-known) ports

At the start, nmap performs a ping scan (host discovery). If the machine you're trying to scan doesn't respond to it, nmap skips the host entirely. You can overcome this with a parameter :

-Pn : Skip the ping scan at the start and treat every host as up

A simple command can then look like this :

sudo nmap -sSVC -p21,22,80,443 10.2.10.3

Going further

Not all services listen on TCP. Some ports can be open on UDP. You can scan them using :

-sU : UDP scan

When you perform a pentest, you might have a long list of IPs to scan. Nmap can help you automate the scan.

-iL <path to your file> : Scan all hosts listed in the file (one per line)

Specify an output file :

-oA <basename> : Write the scan in all three formats at once, normal (.nmap), XML (.xml) and grepable (.gnmap).

If you want specific output :

-oX / -oG / -oN <name> : X for XML, G for grepable, N for normal
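The grepable (-oG) format is the one you reach for when a scan covers a whole -iL host list and you need to triage the result. The following Python script is an added example, not part of the original cheat sheet: it parses grepable output and reports any open port that is not in a per-host allow-list, which is how a defender turns a scan into a change report. The sample output, the host addresses, the service banners and the BASELINE allow-list are all constructed for the example; only the grepable line layout (tab-separated fields, port entries written as port/state/proto/owner/service/rpcinfo/version/) follows what nmap actually writes.

```python
"""Parse Nmap grepable (-oG) output and diff open ports against a baseline.

Added example, not part of the original cheat sheet. SAMPLE_GNMAP is a
hand-constructed imitation of what `nmap -sSV -oG scan.gnmap` writes.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: two hosts, laid out the way nmap -sSV -oG writes them.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sSV -p21,22,80,443 -oG scan.gnmap 10.2.10.3 10.2.10.4
Host: 10.2.10.3 ()\tStatus: Up
Host: 10.2.10.3 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: closed (0)
Host: 10.2.10.4 ()\tStatus: Up
Host: 10.2.10.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: filtered (2)
# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical allow-list: which ports each host is *supposed* to expose.
BASELINE: Dict[str, Set[int]] = {
    "10.2.10.3": {22, 80},
    "10.2.10.4": {22, 443},
}

PortInfo = Tuple[int, str, str, str]  # (port, protocol, service, version)


def parse_gnmap(text: str) -> Dict[str, List[PortInfo]]:
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    results: Dict[str, List[PortInfo]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines carry no host data
        host = line.split()[1]
        results.setdefault(host, [])
        match = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not match:
            continue  # "Status: Up" lines have no port list
        for entry in match.group(1).split(", "):
            # Field layout: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state != "open":
                continue  # closed/filtered ports are noise for this report
            results[host].append((port, proto, fields[4], fields[6]))
    return results


def unexpected_ports(scan: Dict[str, List[PortInfo]],
                     baseline: Dict[str, Set[int]]) -> Dict[str, List[PortInfo]]:
    """Open ports not in the host's allow-list. Hosts absent from the
    baseline have every open port flagged, so new machines surface too."""
    findings: Dict[str, List[PortInfo]] = {}
    for host, ports in scan.items():
        allowed = baseline.get(host, set())
        extra = [p for p in ports if p[0] not in allowed]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extra in unexpected_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE).items():
        for port, proto, service, version in extra:
            print(f"{host}: {port}/{proto} ({service} {version}) not in baseline")
```

Run as-is it reports the unexpected FTP service on 10.2.10.3; to use it on a real scan, replace SAMPLE_GNMAP with the contents of your .gnmap file and fill BASELINE from your asset inventory. The regex stops at the next tab so the trailing "Ignored State:" field never leaks into the port list.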

Timing. By default nmap scans with the implicit -T3 template. You can increase or decrease the speed according to the asset scanned :

-T0 : Paranoid IDS evasion

-T1 : Sneaky IDS evasion

-T2 : Polite, slows down the scan to use less bandwidth

-T3 : Normal scan with default speed

-T4 : Aggressive, faster scan

-T5 : Insane, fastest scan