Nmap cheat sheet for vulnerability assessment and penetration testing

This cheat sheet covers the essential Nmap commands for comprehensive penetration testing and vulnerability assessment workflows.

Nmap Installation & Setup

Installing the Nmap tool on various operating systems and performing initial configuration, including updating the script database.

bash

# Install on Kali Linux (pre-installed) or update
sudo apt update && sudo apt install nmap

# Install on Ubuntu/Debian
sudo apt install nmap

# Install on CentOS/RHEL
sudo yum install nmap
# or for newer versions:
sudo dnf install nmap

# Install on macOS
brew install nmap

# Install on Windows
# Download from: https://nmap.org/download.html

# Check installation and version
nmap --version

# Update Nmap (on Kali/Ubuntu/Debian)
sudo apt update && sudo apt upgrade nmap

# Update NSE scripts
nmap --script-updatedb

Host Discovery

Finding live hosts and active devices on a network.

bash

# Basic network sweep
nmap -sn 192.168.1.0/24

# Skip host discovery (treat all hosts as online)
nmap -Pn 192.168.1.1/24

# ARP discovery on local network
nmap -PR 192.168.1.1/24

# ICMP echo discovery
nmap -PE 192.168.1.1/24

Port Scanning Techniques

Identifying open ports and the associated protocols (TCP/UDP) on a target.

bash

# TCP SYN scan (stealth, default)
nmap -sS 192.168.1.1

# TCP Connect scan (completes 3-way handshake)
nmap -sT 192.168.1.1

# UDP scan (slower)
nmap -sU 192.168.1.1

# TCP ACK scan (firewall mapping)
nmap -sA 192.168.1.1

# Window scan (obscure)
nmap -sW 192.168.1.1

# Scan specific ports
nmap -p 22,80,443,8080 192.168.1.1

# Scan port ranges
nmap -p 1-1000 192.168.1.1

# Scan all ports (aggressive)
nmap -p- 192.168.1.1

# Scan top N most common ports
nmap --top-ports 100 192.168.1.1

Service & Version Detection

Determining the specific application name and version number running on an open port.

bash

# Service version detection
nmap -sV 192.168.1.1

# Aggressive service detection
nmap -A 192.168.1.1

# OS fingerprinting
nmap -O 192.168.1.1

# Version detection intensity (0-9)
nmap -sV --version-intensity 8 192.168.1.1

# Light version detection (faster)
nmap -sV --version-light 192.168.1.1

Vulnerability Scanning with NSE

Using the Nmap Scripting Engine to probe for known vulnerabilities and misconfigurations.

bash

# Scan with all vulnerability scripts
nmap --script vuln 192.168.1.1

# Safe scripts (non-intrusive)
nmap --script "safe" 192.168.1.1

# Specific vulnerability categories
nmap --script "exploit*" 192.168.1.1
nmap --script "auth*" 192.168.1.1
nmap --script "http-*" 192.168.1.1

# Multiple script categories
nmap --script "vuln and safe" 192.168.1.1

# Common vulnerability scripts
nmap --script http-sql-injection 192.168.1.1
nmap --script ssl-heartbleed 192.168.1.1
nmap --script smb-vuln-ms17-010 192.168.1.1

# Update NSE scripts
nmap --script-updatedb

Authentication & Credential Testing

Attempting to brute-force or test login credentials for various services.

bash

# SMB brute force
nmap --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt 192.168.1.1

# SSH brute force
nmap --script ssh-brute --script-args userdb=users.txt 192.168.1.1

# HTTP authentication testing
nmap --script http-auth-finder 192.168.1.1

# Check for anonymous FTP
nmap --script ftp-anon 192.168.1.1

Firewall Evasion & Stealth

Using techniques to avoid detection by firewalls and Intrusion Detection Systems (IDS).

bash

# Fragment packets
nmap -f 192.168.1.1

# Use decoy IPs
nmap -D 192.168.1.50,192.168.1.51,ME 192.168.1.1

# Spoof source IP
nmap -S 192.168.1.99 -e eth0 192.168.1.1

# Use specific source port
nmap --source-port 53 192.168.1.1

# Randomize target order
nmap --randomize-hosts 192.168.1.1/24

# Slow scan to avoid detection
nmap -T1 192.168.1.1

# Maximum stealth (very slow)
nmap -T0 192.168.1.1

Timing & Performance

Controlling the speed and aggressiveness of the scan to balance speed and stealth.

bash

# Paranoid (0) - Very slow, stealth
nmap -T0 192.168.1.1

# Sneaky (1) - Slow, stealth
nmap -T1 192.168.1.1

# Polite (2) - Slower, less intrusive
nmap -T2 192.168.1.1

# Normal (3) - Default
nmap -T3 192.168.1.1

# Aggressive (4) - Faster, may be detected
nmap -T4 192.168.1.1

# Insane (5) - Very fast, likely detected
nmap -T5 192.168.1.1

# Custom timing template
nmap --min-parallelism 100 --max-rtt-timeout 500 192.168.1.1

Output Formats

Saving scan results in different file formats for reporting and integration with other tools.

bash

# Normal output to file
nmap -oN output.txt 192.168.1.1

# XML output (for tools like Metasploit)
nmap -oX output.xml 192.168.1.1

# Grepable output
nmap -oG output.gnmap 192.168.1.1

# All formats at once
nmap -oA output 192.168.1.1

# Append to output file
nmap -oN output.txt --append-output 192.168.1.1

Common PT Workflow Commands

Pre-built command sequences for typical penetration testing stages.

bash

# Initial reconnaissance
nmap -sn 192.168.1.0/24 -oN network_sweep.txt

# Quick TCP scan on found hosts
nmap -sS --top-ports 100 -T4 -iL live_hosts.txt -oN quick_scan.txt

# Comprehensive scan
nmap -sS -sV -O -A -p- -T4 target_ip -oA comprehensive_scan

# Vulnerability assessment
nmap --script vuln,safe -sV target_ip -oN vuln_scan.txt

# Service-specific deep scan
nmap -sV --script "http-*,ssl-*,ssh-*" -p 80,443,22 target_ip

# UDP top ports (common services)
nmap -sU --top-ports 50 -T4 target_ip -oN udp_scan.txt

Integration with Other Tools

Using Nmap's output to feed into other security tools like Metasploit.

bash

# Export for Metasploit
nmap -sS -sV -O -oX metasploit_scan.xml 192.168.1.0/24

# Import into Metasploit
db_import metasploit_scan.xml

# Grepable output for parsing
nmap -oG - 192.168.1.1 | grep "80/open"

# Pipe to other tools
nmap -sV -p 80,443 192.168.1.0/24 | grep -B2 -A2 "Apache"

Useful Script Arguments

Advanced options for controlling and debugging NSE scripts.

bash

# Set script timeout
nmap --script-timeout 5m 192.168.1.1

# Update script database
nmap --script-updatedb

# Debug scripts
nmap --script-trace --script http-headers 192.168.1.1

# Custom script arguments
nmap --script http-enum --script-args http-enum.displayall=true 192.168.1.1

Quick Reference

-sS: TCP SYN Stealth Scan
-sT: TCP Connect Scan
-sU: UDP Scan
-sV: Service Version Detection
-O: OS Fingerprinting
-A: Aggressive Scan (OS, version, script, traceroute)
-T[0-5]: Timing Template (0=slowest, 5=fastest)
-p: Port specification
-oA: Output all formats
--script: NSE script execution

PreviousNmap and OpenVAS NextOpenVAS cheat sheet for vulnerability assessment and penetration testing

Last updated 2 months ago