Nmap Cheat Sheet

Network security is a critical aspect of modern IT infrastructure, and one of the most powerful tools in a security professional's arsenal is Nmap. Nmap, which stands for Network Mapper, is an open-source tool used for network discovery and security auditing. Whether you're a seasoned network administrator or a beginner in the field, having a comprehensive Nmap Cheat Sheet can significantly enhance your efficiency and effectiveness. This guide will walk you through the essentials of Nmap, from basic commands to advanced techniques, ensuring you have a solid foundation to build upon.

Understanding Nmap

Nmap is a versatile tool that can be used for a variety of tasks, including:

• Network discovery
• Service and operating system detection
• Port scanning
• Vulnerability detection
• Network mapping

Nmap operates by sending packets to the target host and analyzing the responses. This allows it to determine which hosts are available on the network, what services they are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and more.

Basic Nmap Commands

To get started with Nmap, it’s essential to understand the basic commands. These commands form the foundation of more complex scans and are crucial for everyday network tasks.

Basic Syntax

The basic syntax for Nmap is straightforward:

nmap [Scan Type(s)] [Options] {target specification}

Here are some fundamental commands:

• nmap 192.168.1.1: This command scans the host at IP address 192.168.1.1.
• nmap 192.168.1.1-254: This command scans the range of IP addresses from 192.168.1.1 to 192.168.1.254.
• nmap example.com: This command scans the host at the domain name example.com.

Scan Types

Nmap offers several types of scans, each serving a different purpose:

• -sP: Ping scan. This scan is used to determine which hosts are up on the network.
• -sS: TCP SYN scan. This scan is used to determine which ports are open on a host.
• -sU: UDP scan. This scan is used to determine which UDP ports are open on a host.
• -sA: ACK scan. This scan is used to determine which ports are filtered or unfiltered.
• -sV: Version detection. This scan is used to determine the version of services running on open ports.
• -O: OS detection. This scan is used to determine the operating system of the target host.

Advanced Nmap Techniques

Once you’re comfortable with the basics, you can explore more advanced Nmap techniques to gain deeper insights into your network.

Service and Version Detection

Service and version detection can help you identify the specific services and their versions running on open ports. This information is crucial for vulnerability assessment and patch management.

nmap -sV 192.168.1.1

This command will scan the host at 192.168.1.1 and attempt to identify the services and their versions running on open ports.

Operating System Detection

Operating system detection can help you determine the operating system of the target host. This information is useful for tailoring your security measures to the specific OS.

nmap -O 192.168.1.1

This command will scan the host at 192.168.1.1 and attempt to identify the operating system.

Firewall and IDS Evasion

Nmap includes several options for evading firewalls and intrusion detection systems (IDS). These options can help you perform stealthier scans and avoid detection.

• -f: Fragment packets. This option can help evade simple packet filters.
• -D: Decoy scan. This option can help confuse IDS by sending packets from multiple decoy IP addresses.
• -S: Spoof source address. This option can help evade IDS by spoofing the source address of the scan.

Nmap Scripting Engine (NSE)

The Nmap Scripting Engine (NSE) allows you to extend Nmap’s functionality with custom scripts. These scripts can perform a wide range of tasks, from vulnerability detection to data extraction.

To use NSE, you can specify the script name with the -sC option:

nmap -sC 192.168.1.1

This command will scan the host at 192.168.1.1 using the default set of NSE scripts.

You can also specify a custom script with the –script option:

nmap –script vuln 192.168.1.1

This command will scan the host at 192.168.1.1 using the vuln script, which is designed to detect vulnerabilities.

Nmap Output and Reporting

Nmap provides several options for outputting scan results, making it easy to analyze and report on your findings.

Output Formats

Nmap supports various output formats, including:

• -oN: Normal output. This format saves the scan results in a plain text file.
• -oX: XML output. This format saves the scan results in an XML file, which can be easily parsed by other tools.
• -oG: Grepable output. This format saves the scan results in a format that can be easily parsed by grep.
• -oS: Script kiddie output. This format saves the scan results in a format that can be easily parsed by script kiddies.

Example Output Command

To save the scan results in a plain text file, you can use the following command:

nmap -oN scan_results.txt 192.168.1.1

This command will scan the host at 192.168.1.1 and save the results in a file named scan_results.txt.

Nmap Cheat Sheet

To help you quickly reference the most commonly used Nmap commands, here is a comprehensive Nmap Cheat Sheet:

📝 Note: This cheat sheet covers the most commonly used Nmap commands. For a more comprehensive list, refer to the official Nmap documentation.

Practical Examples

To illustrate the practical use of Nmap, let’s go through a few examples that demonstrate how to use Nmap in real-world scenarios.

Example 1: Basic Network Scan

Suppose you want to perform a basic network scan to identify all active hosts on your network. You can use the following command:

nmap -sP 192.168.1.0/24

This command will scan the entire 192.168.1.0/24 subnet and list all active hosts.

Example 2: Port Scanning

If you want to scan a specific host for open ports, you can use the following command:

nmap -sS 192.168.1.1

This command will perform a TCP SYN scan on the host at 192.168.1.1 and list all open ports.

Example 3: Service and Version Detection

To identify the services and their versions running on open ports, you can use the following command:

nmap -sV 192.168.1.1

This command will scan the host at 192.168.1.1 and attempt to identify the services and their versions running on open ports.

Example 4: Operating System Detection

To determine the operating system of a target host, you can use the following command:

nmap -O 192.168.1.1

This command will scan the host at 192.168.1.1 and attempt to identify the operating system.

Example 5: Firewall and IDS Evasion

To perform a stealthier scan and evade detection by firewalls and IDS, you can use the following command:

nmap -f -D 192.168.1.2,192.168.1.3 192.168.1.1

This command will fragment packets and use decoy IP addresses to confuse IDS while scanning the host at 192.168.1.1.

Example 6: Nmap Scripting Engine

To use the Nmap Scripting Engine (NSE) for vulnerability detection, you can use the following command:

nmap –script vuln 192.168.1.1

This command will scan the host at 192.168.1.1 using the vuln script, which is designed to detect vulnerabilities.

📝 Note: Always ensure you have permission to scan the target network or host. Unauthorized scanning can be illegal and unethical.

Nmap is a powerful tool that can significantly enhance your network security capabilities. By mastering the essential commands and techniques outlined in this Nmap Cheat Sheet, you can perform comprehensive network scans, identify vulnerabilities, and take proactive measures to secure your network. Whether you’re a seasoned professional or just starting out, Nmap is an invaluable asset in your toolkit.

Related Terms:

• sans nmap cheat sheet
• nmap scripts
• nmap f
• stationx nmap cheat sheet
• nmap deep scan
• nmap cheat sheet 2025