Nmap Cheat Sheet: Essential Scans for Ethical Hackers

Introduction

In the vast expanse of the digital world, where every packet tells a story, Nmap is the hacker’s reconnaissance tool of choice. Whether mapping networks, identifying vulnerabilities, or conducting stealth scans, Nmap is a must-have for ethical hackers and security pros alike.

This cheat sheet covers the most effective Nmap commands for network discovery, vulnerability assessment, and stealth operations.

Basic Scanning

Discover Live Hosts (Ping Scan)

nmap -sn 192.168.1.0/24

Scans an entire subnet and lists active devices without probing ports.

Quick Port Scan (Top 1000 Ports)

nmap 192.168.1.1

Performs a fast scan of the most common 1000 TCP ports.

Full Port Scan (All 65,535 Ports)

nmap -p- 192.168.1.1

Scans all possible TCP ports.

Scan Specific Ports

nmap -p 22,80,443 192.168.1.1

Targets specific ports like SSH, HTTP, and HTTPS.

Detect Services & Versions

nmap -sV 192.168.1.1

Identifies running services and their versions.

Detect Operating System

nmap -O 192.168.1.1

Attempts OS detection using TCP/IP fingerprinting.

Advanced Scanning Techniques

Stealth Scan (SYN Scan)

nmap -sS 192.168.1.1

A quieter scan that sends SYN packets and monitors responses without completing connections.

UDP Scan

nmap -sU -p 53,161 192.168.1.1

Scans UDP ports like DNS (53) and SNMP (161), often overlooked attack surfaces.

Aggressive Scan (Comprehensive Information Gathering)

nmap -A 192.168.1.1

Combines OS detection, version detection, script scanning, and traceroute.

Scan an Entire Subnet

nmap 192.168.1.0/24

Scans all devices on a given subnet.

Scan Multiple Targets

nmap 192.168.1.1 192.168.1.2 192.168.1.3

Scans multiple specific IP addresses.

Vulnerability Scanning & Firewall Evasion

Scan for Known Vulnerabilities

nmap --script=vuln 192.168.1.1

Runs vulnerability detection scripts against the target.

Evade Firewalls with Fragmented Packets

nmap -f 192.168.1.1

Breaks up packets to bypass basic firewall filtering.

Use Decoys to Mask Your Scan

nmap -D RND:10 192.168.1.1

Generates fake scan sources to obfuscate your real IP.

Detect Firewalls & IDS Presence

nmap -sA 192.168.1.1

Sends TCP ACK packets to determine if a firewall is blocking requests.

Automating Scans with Nmap Scripting Engine (NSE)

Run a Specific Security Script

nmap --script=ssl-heartbleed 192.168.1.1

Checks for Heartbleed vulnerability on SSL-enabled servers.

Run Default Security Scripts

nmap --script=default 192.168.1.1

Executes Nmap’s built-in default scripts for common security checks.

Brute Force Passwords (Example: FTP)

nmap --script=ftp-brute -p 21 192.168.1.1

Attempts brute-force authentication against an FTP server.

Conclusion

Nmap is an essential tool for ethical hackers, red teamers, and security researchers. From basic host discovery to advanced evasion techniques, mastering Nmap is a game-changer in reconnaissance and penetration testing.

Nmap is an essential tool for ethical hackers, red teamers, and security researchers. From basic host discovery to advanced evasion techniques, mastering Nmap is a game-changer in reconnaissance and penetration testing.

If you want to take your Nmap skills further, I cover everything from advanced scanning techniques to firewall evasion in my Nmap Masterclass. Whether you’re a beginner or looking to refine your recon game, this course will get you there.

Master Nmap Now
Find this helpful? Share it with others!
Leave a Reply

Filed under: Ethical Hacking - @ March 23, 2025 1:44 am

Tags: , , , , ,