Nmap cheat sheet for netadmins/sysadmins

The ultimate reference for network exploration, security auditing, and system enumeration—tailored for netadmins and sysadmins to map networks, discover services, and assess vulnerabilities efficiently.

This cheat sheet covers:

  • Nmap installation & setup
  • Host discovery techniques
  • Port scanning & service detection
  • OS fingerprinting & script automation
  • Stealth & evasion tactics


Active Host Discovery, Port Scanning, and Enumeration


1. Nmap Installation & Setup

bash

# Install on Ubuntu/Debian
sudo apt install nmap

# Install on CentOS/RHEL
sudo yum install nmap
# or for newer versions:
sudo dnf install nmap

# Install on macOS
brew install nmap

# Install on Windows
# Download from: https://nmap.org/download.html

# Check installation and version
nmap --version

# Update Nmap (on Kali/Ubuntu/Debian)
sudo apt update && sudo apt upgrade nmap

# Rebuild the NSE script index (scripts/script.db) after adding or editing
# scripts by hand. This does not download new scripts; those ship with releases.
nmap --script-updatedb

2. Host Discovery

Find live hosts in a network without port scanning.

Basic Ping Scan

sh

nmap -sn 192.168.1.0/24

  • -sn: Disables port scanning (host discovery only). On a local Ethernet segment Nmap discovers with ARP. For remote targets it sends, as root, an ICMP echo, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request; unprivileged it falls back to connect() attempts on ports 80 and 443.

ARP Scan (Local Network)

sh

nmap -sn -PR 192.168.1.0/24

  • -PR: ARP discovery. Works only on the local subnet, but there it is the fastest and most reliable probe: a host must answer ARP to talk on the segment at all, even if it drops ICMP. Nmap already uses ARP by default for local Ethernet targets; --send-ip forces IP-level probes instead.

No Ping Scan (Skip Host Discovery)

sh

nmap -Pn 192.168.1.100

  • -Pn: Skips host discovery and treats every target as online, so ports are scanned even when ICMP and the default probe ports are filtered. Against a large range this is slow, because every unused address gets port-scanned too.

TCP SYN Ping Discovery

sh

nmap -sn -PS22,80,443 192.168.1.0/24

  • -PS: Sends a TCP SYN to the listed ports (default: 80). Either a SYN/ACK or a RST proves the host is up; no reply means down or filtered. Write the port list directly after -PS, with no space.

UDP Ping Discovery

sh

nmap -sn -PU53,161 192.168.1.0/24

  • -PU: Sends an empty UDP datagram to the listed ports (default: 40125). An ICMP port unreachable reply marks the host up, so pick ports that are probably closed; useful where TCP and ICMP echo are filtered but the UDP unreachable path is not.

ICMP Echo & Timestamp Ping

sh

nmap -sn -PE -PP 192.168.1.0/24

  • -PE: ICMP Echo Request (type 8); the probe most often filtered at a perimeter.

  • -PP: ICMP Timestamp Request (type 13); some firewalls that drop echo still pass it. -PM (address mask request, type 17) is the third variant.

List Scan (DNS Resolution Only)

sh

nmap -sL 192.168.1.0/24

  • -sL: Lists the targets and does reverse DNS lookups only; no packets go to the targets themselves (the DNS server still sees the queries; add -n to suppress them). Handy for checking how a range or target expression expands before you scan it.


3. Port Scanning

Identify open ports and services.

Basic TCP SYN Scan (Stealthy)

sh

sudo nmap -sS 192.168.1.100

  • -sS: Half-open SYN scan, the default when run as root (it needs raw sockets). Fast, and the application never sees a completed connection, but every SYN is still visible to firewalls and IDS, so "stealthy" only means it stays out of application logs.

TCP Connect Scan (Full Handshake)

sh

nmap -sT 192.168.1.100

  • -sT: Completes the three-way handshake via connect(); the default for unprivileged users. Noisier, since the service itself logs the connection, and slower than -sS.

UDP Scan (Slower but Essential)

sh

sudo nmap -sU --top-ports 50 192.168.1.100

  • -sU: Scans UDP ports. Slow because open ports often give no reply (reported as open|filtered) and most hosts rate-limit ICMP port unreachable replies to about one per second, so a full 65535-port UDP scan can take many hours. -T4 helps a little; limiting the port list (--top-ports, -p) and adding -sV, which sends protocol-specific payloads, help more.

Aggressive Scan (OS, Version, Scripts)

sh

nmap -A 192.168.1.100

  • -A: Enables OS detection (-O), version detection (-sV), default script scanning (-sC) and --traceroute. Thorough but noisy, and the -O and traceroute parts need root.

Fast Scan (Top 100 Ports)

sh

nmap -F 192.168.1.100

  • -F: Scans the 100 most common ports instead of the default 1000. --top-ports N picks any other count.

Scan Specific Ports

sh

nmap -p 22,80,443 192.168.1.100
nmap -p 1-1024 192.168.1.100
nmap -p- 192.168.1.100

  • -p: Port list, ranges, or both; -p- means all 65535 ports. Protocol prefixes assign ports per scan type, e.g. -sS -sU -p T:22,80,U:53,161.

Service Version Detection

sh

nmap -sV 192.168.1.100

  • -sV: Probes open ports to identify the service and version (banner grabbing plus the protocol-specific probes in nmap-service-probes). --version-intensity 0-9 (default 7) trades accuracy for time; --version-all is the same as 9.

OS Detection

sh

sudo nmap -O 192.168.1.100

  • -O: TCP/IP stack fingerprinting. Needs raw sockets and works best with at least one open and one closed TCP port on the target; --osscan-guess prints the nearest match when there is no exact one.


4. Enumeration & Scripting

Gather detailed info using NSE (Nmap Scripting Engine).

Default Safe Scripts

sh

nmap -sC 192.168.1.100

  • -sC: Equivalent to --script=default. The default category is chosen for speed and usefulness and is not the same as the safe category, so check --script-help default before pointing it at production services.

Run Specific Scripts

sh

nmap --script=ssh-hostkey,http-title 192.168.1.100
nmap --script "smb-*" -p 445 192.168.1.100
nmap --script "default and not intrusive" 192.168.1.100
nmap --script-help ssh-hostkey

  • --script accepts script names, wildcards, categories or boolean expressions (quote wildcards and expressions so the shell leaves them alone). --script-args passes arguments; --script-help shows what a script does before you run it.

Vulnerability Scanning

sh

nmap --script=vuln 192.168.1.100

  • Runs every script in the vuln category. Several are intrusive, many only match versions and therefore report false positives, and a few do nothing without --script-args. Read --script-help vuln first, and restrict ports with -p so the scripts only touch the services you mean.

SMB Enumeration

sh

nmap -p 445 --script=smb-os-discovery,smb-protocols,smb-enum-shares 192.168.1.100
nmap -p 445 --script=smb-enum-users --script-args smbusername=audit,smbpassword=ChangeMe 192.168.1.100

  • Share and user enumeration usually need a valid (even low-privilege) account; smbusername and smbpassword are the smbauth library arguments, and the values above are placeholders.

HTTP Enumeration

sh

nmap -p 80,443 --script=http-title,http-headers,http-methods,http-enum 192.168.1.100

  • http-title and http-headers are one request each; http-enum probes a list of common paths (it is in the intrusive category) and shows up clearly in web server logs.

DNS Enumeration

sh

nmap -p 53 --script=dns-zone-transfer --script-args dns-zone-transfer.domain=example.com 192.168.1.100
nmap -p 53 --script=dns-brute --script-args dns-brute.domain=example.com 192.168.1.100

  • example.com is a placeholder for the zone you are authorized to test. A refused zone transfer (AXFR) is the expected result for a correctly configured server; a successful one hands you the whole zone.


5. Performance & Output

Adjust Timing (Speed)

sh

nmap -T4 192.168.1.0/24
nmap -T2 --max-retries 2 192.168.1.0/24
nmap --min-rate 300 --max-rtt-timeout 500ms 192.168.1.0/24

  • -T0 (paranoid) through -T5 (insane); -T3 is the default and -T4 is the usual choice on a reliable LAN. -T5 sacrifices accuracy, and -T0/-T1 exist for IDS evasion, not speed. --min-rate, --max-retries and --max-rtt-timeout set the individual knobs the templates bundle.

Save Output

sh

nmap -oN scan.txt 192.168.1.100     # normal (what you see on screen)
nmap -oX scan.xml 192.168.1.100     # XML, for tooling, Zenmap and ndiff
nmap -oG scan.gnmap 192.168.1.100   # grepable, one line per host
nmap -oA scan 192.168.1.100         # all three: scan.nmap, scan.xml, scan.gnmap
nmap -oX - 192.168.1.100            # "-" sends the chosen format to stdout

  • Prefer -oA for anything you may need later: -oG is the quickest to grep and awk, -oX is what other tools parse, and normal output is for humans. --append-output adds to an existing file instead of overwriting it, and -v/-vv increase what every format records.

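The grepable format above is the one you end up parsing in scripts, so here is an added example (not code from the original page) that reads `-oG` output with POSIX sh and awk and builds the usual two-phase workflow on top of it: a `-sn` sweep to find live hosts, then a targeted port scan of only those hosts. The sample output embedded in `sample_gnmap` is constructed by hand, not captured from a real scan, and the file names `live_hosts.txt` and `targeted.*` are this example's own choices.

```shell
#!/bin/sh
# Added example: parse Nmap grepable (-oG) output and drive a sweep-then-scan
# workflow from it. Not part of the original cheat sheet.

sample_gnmap() {
    # Constructed sample shaped like `nmap -sS -sV -oG -`: tab-separated
    # fields, one "Host:" line for status and one for ports; each port entry is
    # port/state/proto/owner/service/rpcinfo/version/
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open/tcp//domain//dnsmasq 2.86/, 80/closed/tcp//http///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.100 (web01)\tStatus: Up\n'
    printf 'Host: 192.168.1.100 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx 1.18/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.200 ()\tStatus: Down\n'
    printf '# Nmap done (constructed sample)\n'
}

# live_hosts: read -oG output on stdin, print one IP per host reported Up.
live_hosts() {
    awk -F'\t' '$2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports IP: print "port/proto service version" for each open port of IP.
open_ports() {
    awk -F'\t' -v want="Host: $1 " '
        index($1, want) == 1 && $2 ~ /^Ports: / {
            n = split(substr($2, 8), entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
            }
        }'
}

# hosts_with_open PORT: print every host that has PORT open (any protocol).
hosts_with_open() {
    awk -F'\t' -v port="$1" '
        $2 ~ /^Ports: / {
            split($1, h, " ")
            n = split(substr($2, 8), entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[1] == port && f[2] == "open") print h[2]
            }
        }'
}

# two_phase_scan RANGE: sweep RANGE for live hosts, then port-scan only those,
# keeping all three output formats as targeted.nmap/.xml/.gnmap.
# Only runs when nmap is installed; RANGE must be one you are authorized to scan.
two_phase_scan() {
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
    nmap -sn -oG - "$1" | live_hosts > live_hosts.txt
    [ -s live_hosts.txt ] || { echo "no live hosts in $1" >&2; return 1; }
    sudo nmap -sS -sV -T4 -oA targeted -iL live_hosts.txt >/dev/null
    echo "hosts with SSH open:"
    hosts_with_open 22 < targeted.gnmap
}

# Demo on the constructed sample (no packets sent).
echo "live hosts:";                 sample_gnmap | live_hosts
echo "open on 192.168.1.100:";      sample_gnmap | open_ports 192.168.1.100
echo "hosts with 22/tcp open:";     sample_gnmap | hosts_with_open 22
```

Run it as-is to see the parsers work on the sample; call `two_phase_scan 192.168.1.0/24` from the same file once you have authorization and nmap installed. The awk splits on tabs first because service version strings may contain spaces, and on `", "` second because that is how the grepable format separates port entries.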

6. Advanced Techniques

Decoy Scan (Cloak the Source IP)

sh

sudo nmap -sS -D 192.168.1.50,192.168.1.51,ME 192.168.1.100
sudo nmap -sS -D RND:5 192.168.1.100

  • -D: Interleaves your real probes with identical ones whose source address is forged to each decoy, so the target's logs show several scanners and cannot tell which is real. ME fixes where your own address sits in the order (put it late); RND:n picks random decoys. Decoys should be live hosts, otherwise the target's SYN/ACKs to them go unanswered and you may effectively SYN-flood it, and an upstream router with egress filtering drops the forged packets, leaving only your real source in the logs. Decoys do not work with version detection or connect scans. -S spoofs the source address outright, but then the replies never reach you.

Fragment Packets (Evasion)

sh

sudo nmap -sS -f 192.168.1.100
sudo nmap -sS --mtu 16 192.168.1.100

  • -f: Splits the TCP header across 8-byte IP fragments (-ff uses 16; --mtu sets any multiple of 8) so a filter that only inspects the first fragment never sees the port numbers. Needs raw sockets, and a Linux sender with connection tracking loaded may reassemble the packet before it leaves, so confirm with a sniffer that fragments actually go out. Most current firewalls and IDS reassemble fragments and some hosts drop them outright, so treat this as an old trick that occasionally still works.

Idle (Zombie) Scan

sh

sudo nmap -sI 192.168.1.20 -Pn -p 22,80,443 192.168.1.100
sudo nmap --script=ipidseq -p 80 192.168.1.0/24    # find a candidate zombie

  • -sI: Bounces the scan off a zombie host whose IP ID counter increments predictably (class "Incremental" in ipidseq output), so the target only ever sees packets from the zombie. Nmap reads the zombie's IP ID, forges a SYN from the zombie to each target port, then reads it again: a jump of two means the target answered SYN/ACK (open). Slow, needs a truly idle zombie with a non-randomised IP ID (rare on modern OSes, more common on printers and embedded devices), and -Pn keeps your own address out of the discovery phase.


Quick Reference Table

Command                             Description
nmap -sn 192.168.1.0/24             Ping sweep (host discovery only)
sudo nmap -sS 192.168.1.100         SYN (half-open) scan; needs root
nmap -sV -sC 192.168.1.100          Version detection + default scripts
nmap -A 192.168.1.100               Aggressive scan (OS, version, scripts, traceroute)
nmap -p 80,443 192.168.1.100        Scan specific ports
nmap --script=vuln 192.168.1.100    Vulnerability scripts (vuln category)


Pro Tip: Always ensure you have proper authorization before scanning networks. For more: man nmap or visit nmap.org
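Authorization is worth enforcing mechanically, since a typo in a CIDR is the usual way an audit ends up touching someone else's network. Nmap has --exclude and --excludefile for a deny list but nothing that enforces an allow list, so here is an added example (this page's own, not part of Nmap) of a POSIX sh wrapper that runs nmap only when the target lies entirely inside one of the ranges in a scope file. IPv4 only; hostnames are refused on purpose so you resolve them and check the address; the scope-file format and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: allow-list scope guard around nmap. IPv4 only.

# ip_to_int A.B.C.D -> 32-bit integer (assumes the 64-bit shell long that
# bash/dash/sh have on 64-bit systems). Rejects anything but four octets.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IPv4 address" >&2; return 1; }
    for o in "$@"; do [ "$o" -le 255 ] || { echo "bad octet $o" >&2; return 1; }; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# target_range IP|CIDR -> "first last" as integers covering the whole block.
target_range() {
    case $1 in *[!0-9./]*|"") echo "not an IPv4 address or CIDR: $1" >&2; return 1 ;; esac
    ip=$(ip_to_int "${1%/*}") || return 1
    bits=${1#*/}; [ "$bits" = "$1" ] && bits=32
    case $bits in ''|*[!0-9]*) bits=99 ;; esac
    [ "$bits" -le 32 ] || { echo "bad prefix length in $1" >&2; return 1; }
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( ip & mask ))
    echo "$first $(( first | (~mask & 0xFFFFFFFF) ))"
}

# in_scope TARGET ALLOWED... -> 0 only if TARGET fits inside one ALLOWED block.
# Deliberately conservative: a target straddling two adjacent allowed blocks
# is refused rather than merged.
in_scope() {
    target=$1; shift
    t_range=$(target_range "$target") || return 1
    t_first=${t_range% *}; t_last=${t_range#* }
    for allowed in "$@"; do
        a_range=$(target_range "$allowed") || continue
        a_first=${a_range% *}; a_last=${a_range#* }
        [ "$t_first" -ge "$a_first" ] && [ "$t_last" -le "$a_last" ] && return 0
    done
    return 1
}

# authorized_nmap SCOPE_FILE TARGET [nmap options...]
# SCOPE_FILE holds one IP or CIDR per line; '#' starts a comment.
authorized_nmap() {
    scope_file=$1; target=$2; shift 2
    allowed=$(sed 's/#.*//' "$scope_file")
    # shellcheck disable=SC2086  # word-splitting $allowed into a list is intended
    if in_scope "$target" $allowed; then
        nmap "$@" "$target"
    else
        echo "refusing to scan $target: not inside an authorized range in $scope_file" >&2
        return 2
    fi
}

# Demo with a constructed scope file. The target is outside it, so nmap is
# never invoked here; the wrapper just prints the refusal and exits 2.
scope=$(mktemp)
printf '%s\n' '# authorized ranges (constructed example)' 192.168.1.0/24 10.10.0.0/16 > "$scope"
authorized_nmap "$scope" 203.0.113.7 -sS -p 22 || echo "exit status $?"
rm -f "$scope"
```

Use it as `authorized_nmap scope.txt 192.168.1.0/24 -sS -sV -oA audit`: the scope file is the thing your authorization letter actually lists, and the wrapper makes the scan refuse rather than drift outside it. The in_scope check compares integer ranges rather than string prefixes, so 192.168.10.0/24 is correctly rejected against an allow list of 192.168.1.0/24.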
