
nmap Cheatsheet

nmap-chacho

Default Scanning as Non-root with no Flags/Options

nmap 192.168.1.0/24 = nmap -sT 192.168.1.0/24
(a full TCP connect scan; noisy)

Default Scanning as Root with no Flags/Options

nmap 192.168.1.0/24 = nmap -sS 192.168.1.0/24
(a half-open SYN scan; quiet)

Process

The Noisy Way

When to use: When you need detailed information quickly and stealth is not a concern.
Consideration: This method generates a lot of traffic and is likely to be detected by IDS/IPS systems.

nmap -sT -vv -oA network-topology <ip.addr/24>
Grab our list of IPs with open ports from the greppable output:
grep open network-topology.gnmap | cut -d" " -f 2 > device_list.txt
Rescan the network aggressively for additional IPs, excluding the hosts already on our list:
nmap -A --excludefile device_list.txt <ip.addr/24>
Add any additional IPs found to the list:
echo "<IP_ADDRESS>" >> device_list.txt
Now rescan the found IPs aggressively, skipping host discovery (-Pn) since we already know they are up:
nmap -Pn -A -iL device_list.txt
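As an added example that is not part of the original cheatsheet, a small Python parser for the .gnmap file the grep/cut step above consumes. It separates ports reported as open from open|filtered (a plain grep for "open" matches both) and produces the same device_list.txt content; the sample .gnmap text is constructed.

```python
import ipaddress

# Constructed sample of nmap greppable output (what -oA network-topology writes
# to network-topology.gnmap). Fields are tab-separated; port entries are
# comma-separated and each is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sT -vv -oA network-topology 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.7 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)
Host: 192.168.1.9 ()\tStatus: Up
Host: 192.168.1.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (999)
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service), ...]} for every Host line carrying a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header and footer comments
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<hostname>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue  # malformed or truncated entry
                port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                hosts.setdefault(ip, []).append((int(port), proto, state, service))
    return hosts


def open_hosts(text):
    """IPs with at least one port whose state is exactly 'open', sorted numerically."""
    hits = [ip for ip, ports in parse_gnmap(text).items() if any(p[2] == "open" for p in ports)]
    return sorted(hits, key=ipaddress.ip_address)


def device_list(text):
    """Content for device_list.txt: one IP per line, usable with --excludefile / -iL."""
    return "".join(ip + "\n" for ip in open_hosts(text))


if __name__ == "__main__":
    print(device_list(SAMPLE_GNMAP), end="")
```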

The Quiet Way

When to use: When stealth is important, such as during a penetration test to avoid detection by IDS/IPS.
Consideration: While quieter, stealth scans can still be detected by advanced IDS systems, especially if not properly configured.

Never run a SYN stealth scan against an entire network - first identify which hosts are up.

Running the scan against an entire network is resource-intensive, time-consuming, and may trigger intrusion detection systems (IDS) or intrusion prevention systems (IPS) across the network; an IPS may also block your source IP.

Who is Up

When to use: To find out which hosts are up using ICMP ping.
Consideration: ICMP pings can be blocked by firewalls, making this method less effective.

nmap -sn -PE -T2 <IP_ADDRESS/24>

Alternatively, use an ARP ping if ICMP is not available:
Note: You must already be on the local network segment to do this.

When to use: When ICMP pings are blocked or filtered.
Consideration: Only works on the local network and can be noisy.

nmap -sn -PR -T2 <IP_ADDRESS/24>
Or, a TCP ACK ping (-PA), which is not limited to the local segment:
nmap -sn -PA -T2 <IP_ADDRESS/24>

Stealth Scan

When to use: To perform a stealthy scan on specific hosts identified as up.
Consideration: Though quieter than full connect scans, stealth scans can still be detected by IDS if not properly configured.

nmap -sS -Pn -T4 192.168.0.1,5,10
(Use whichever IP addresses were up.)

FIN Scan

When to use: Useful for bypassing stateless firewalls and packet filtering.
Consideration: May not work effectively against stateful firewalls and can be detected by IDS.

nmap -sF 192.168.0.1-254

Save Noted IPs to a File

nano scan_targets.txt

Fragment the Scan to Avoid Detection and Change Source-Port

When to use: To evade detection by breaking the scan into smaller packets and using a common port.
Consideration: Some IDS/IPS systems can reassemble fragmented packets and detect the scan, and it may cause network issues.

nmap -f --source-port 53 192.168.0.1-254

Scan with Decoys

When to use: To mask your IP address with decoys.
Consideration: Using too many decoys can increase scan time and complexity, and some IDS/IPS systems can detect decoy usage.

nmap -D RND:15 192.168.0.182
Uses 15 random decoy IP addresses rather than your own IP. You can also select exactly which IP addresses you'd like to be your decoys. Here is a website that goes into a bit more detail on that.

UDP Scan

When to use: For scanning UDP ports, typically when assessing services like DNS.
Consideration: UDP scans can be slow and unreliable due to the lack of a connection handshake, and many firewalls block UDP traffic.

nmap -sU -iL scan_targets.txt -oA target_data
(-oA takes a base name and writes target_data.nmap, target_data.gnmap and target_data.xml)

Avoid IDS with XMAS Scan

When to use: When you want to evade IDS that detect stealth scans.
Consideration: XMAS scans may still be detected by some IDS and might not work on all targets, especially those with modern firewalls.

nmap -sX -iL scan_targets.txt -oA XMAS_data
(-oA takes a base name and writes XMAS_data.nmap, XMAS_data.gnmap and XMAS_data.xml)

Identifying a Windows Box

When to use: To determine if hosts are running Windows by checking for specific Windows responses.
Consideration: This scan can be noisy and detectable by IDS/IPS systems.

nmap -sA -oA ACK_results 192.168.0.1-254
(-oA takes a base name and writes ACK_results.nmap, ACK_results.gnmap and ACK_results.xml)

Vulnerability Scan

When to use: When you want to check for known vulnerabilities.
Consideration: This scan can be very noisy and is likely to trigger IDS/IPS alerts.

nmap --script vuln 192.168.0.1-245

Malware Scan

When to use: To check for malware.
Consideration: This scan can also be noisy and might not detect all types of malware, especially custom or advanced threats.

nmap --script malware 192.168.0.1-245

OS Fingerprinting

When to use: To determine the operating system running on the target hosts.
Consideration: OS fingerprinting can be noisy and is likely to be detected by IDS/IPS systems, as it involves sending a variety of probes to elicit responses that reveal OS characteristics.

nmap -O <ip.addr>

For more details on how these scans might be detected, see the NMAP OS Discovery Filters section of the Malicious Traffic Analysis post.