Nmap Cheat Sheet

Scans

| Type | Flag | Description |
|---|---|---|
| Default Scan | N/A | TCP/SYN scan with host discovery and service-version detection. |
| Fast Scan | -F | Scans the most common ports quickly. |
| Disable Host Discovery | -Pn | Skips the ping scan and treats every target as up. |
| OS Scan | -O | Identifies the target's operating system. |
| Service-Version Scan | -sV | Identifies the service and version running on each open port. |
| Vuln Assessment Scan | -sC | Runs the default script set to find common vulnerabilities and misconfigurations. |
| Aggressive Scan | -A | Comprehensive scan on all ports. |
| UDP Scan | -sU | Identifies open UDP ports. |
| TCP/SYN Scan | -sS | Half-open TCP/SYN scan. |
| TCP Connect Scan | -sT | Completes the full TCP handshake on every probed port. Really loud [!] |
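
The "really loud" remark is the defender's angle on the table above: a connect scan (and, at the SYN level, a SYN scan too) leaves one event per probed port on the target's firewall or connection log. The following added example (Python, written for this page, not part of Nmap or the original cheat sheet) shows the detection side: it reads constructed, simplified connection log lines and flags any source that touches many distinct ports on one host within a short window. The log format, the IPs and the thresholds are all assumptions for the example.

```python
"""Flag sources that behave like port scanners in constructed connection log lines.

Added example, not part of the original cheat sheet. The log format is a made-up,
simplified one (timestamp, source, destination, port, TCP flags), not the output
of any particular firewall. A TCP connect scan (-sT) completes the handshake, so
every probed port shows up as a full connection; a SYN scan (-sS) leaves only
half-open connections, but each probe still produces a SYN event, so the same
"many distinct ports from one source in a short window" logic applies to both.
"""

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 sweeps ten ports in three seconds,
# 10.0.0.7 is a normal client talking to port 443 twice.
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.10 dport=22 flags=S
2024-01-01T10:00:00 src=10.0.0.5 dst=10.0.0.10 dport=23 flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=25 flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=80 flags=S
2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=110 flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.10 dport=143 flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.10 dport=443 flags=S
2024-01-01T10:00:02 src=10.0.0.5 dst=10.0.0.10 dport=445 flags=S
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.10 dport=3389 flags=S
2024-01-01T10:00:03 src=10.0.0.5 dst=10.0.0.10 dport=8080 flags=S
2024-01-01T10:00:05 src=10.0.0.7 dst=10.0.0.10 dport=443 flags=S
2024-01-01T10:00:06 src=10.0.0.7 dst=10.0.0.10 dport=443 flags=S
"""

# Hypothetical line layout for the constructed format above.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)")


def parse_events(log_text):
    """Yield (timestamp, src, dst, dport) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection event in our format; skip it
        ts, src, dst, dport, _flags = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def suspected_scanners(log_text, threshold=8, window_seconds=60):
    """Return sorted source IPs that probed at least `threshold` distinct
    destination ports on a single host within any `window_seconds` window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_events(log_text):
        by_pair[(src, dst)].append((ts, dport))

    flagged = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the window spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct_ports = {port for _, port in events[start:end + 1]}
            if len(distinct_ports) >= threshold:
                flagged.add(src)
                break  # one hit is enough to flag this source
    return sorted(flagged)


if __name__ == "__main__":
    print("suspected scanners:", suspected_scanners(SAMPLE_LOG))
```

The threshold and window are tuning knobs: a Fast Scan (-F) or a slow timing template (-T0/-T1) spreads the same number of probes over a much longer period, which is exactly why the window matters as much as the count.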

Outputs

| Type | Description | Command |
|---|---|---|
| Normal Output | Normal, human-readable format. | nmap <target> -oN output.txt |
| Greppable Output | Greppable format, suitable for use with tools like grep, awk and sed. | nmap <target> -oG output.gnmap |
| XML Output | XML format, providing a structured and machine-readable output. | nmap <target> -oX output.xml |
| All Formats | Saves all three formats at once. | nmap <target> -oA output_all |
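
The greppable and XML formats above carry the same per-host, per-port information; the point of saving them is to feed a tool rather than read them by eye. Below is an added example (Python, written for this page; it is neither Nmap's own code nor part of the original cheat sheet) that parses a constructed -oG line and a constructed -oX document into one open-port inventory, then diffs that inventory against a baseline so newly exposed services stand out. The sample outputs are constructed to mirror the real field layout of both formats, but they are not captured from a real scan, and the hosts and versions in them are assumptions.

```python
"""Turn nmap -oG and -oX output into the same open-port inventory and diff it.

Added example, not part of the original cheat sheet or of Nmap. Both samples
below are constructed (they follow the real field layout but come from no real
scan); the hosts, services and versions in them are assumptions.
"""

import re
import xml.etree.ElementTree as ET

# Constructed greppable (-oG) output. A port entry has seven slash-separated
# fields: port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done (constructed sample)
"""

# Constructed XML (-oX) output describing the same host.
SAMPLE_XML = """\
<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Matches the "Ports:" line of greppable output; the field ends at the next tab.
GNMAP_PORTS_RE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)", re.MULTILINE)


def open_ports_from_gnmap(text):
    """Map host -> [(port, proto, service, version)] for open ports in -oG output."""
    inventory = {}
    for host, ports_field in GNMAP_PORTS_RE.findall(text):
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            port, state, proto, service, version = (
                fields[0], fields[1], fields[2], fields[4], fields[6])
            if state == "open":
                inventory.setdefault(host, []).append((int(port), proto, service, version))
    return inventory


def open_ports_from_xml(text):
    """Map host -> [(port, proto, service, version)] for open ports in -oX output."""
    inventory = {}
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # XML splits what -oG stores as one version string into product + version.
            version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) \
                if svc is not None else ""
            inventory.setdefault(addr, []).append(
                (int(port.get("portid")), port.get("protocol"), name, version))
    return inventory


def new_exposures(baseline, current):
    """Return open ports present in `current` but absent from `baseline`, per host."""
    diff = {}
    for host, entries in current.items():
        known = set(baseline.get(host, []))
        added = [e for e in entries if e not in known]
        if added:
            diff[host] = added
    return diff


if __name__ == "__main__":
    print("from -oG:", open_ports_from_gnmap(SAMPLE_GNMAP))
    print("from -oX:", open_ports_from_xml(SAMPLE_XML))
```

Running both parsers over a real pair of files from one -oA run should yield identical inventories; keeping yesterday's inventory as the baseline and feeding today's into new_exposures turns a scan into a change alert.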

Scripts

| Action | Command |
|---|---|
| Check available scripts | ls -al /usr/share/nmap/scripts |
| Search for scripts matching a word | ls -al /usr/share/nmap/scripts \| grep -e "<word>" |
| Check script information | nmap --script-help=<script_name> |
| Run a specific script | nmap --script=<script_name> <target> |

Firewall/IDS evasion & Spoofing Options

| Option | Flag | Description |
|---|---|---|
| Fragmentation | -f | Fragments packets to evade packet filters. |
| Decoy | -D | Uses decoy IPs to obscure the scan's true source. |
| Interface | -e | Specifies the network interface used to send packets. |
| Random Data | --data-length | Appends random data to probes to evade signature-based IDS. |
| Bad Checksum | --badsum | Sends packets with invalid checksums to bypass simple filters. |

Scan Timing & Performance

| Option | Flag | Description |
|---|---|---|
| Set timing template | -T<0-5> | Specifies scan aggressiveness from 0 (Paranoid) to 5 (Insane). |
| Set the scan rate | --min-rate / --max-rate | Controls packets per second, trading speed against stealthiness. |
| Set the maximum number of port scan probe retransmissions | --max-retries | Limits retries for port scan probes, which affects scan thoroughness. |
| Specify maximum time allowed for host discovery | --host-timeout | Sets the maximum time spent discovering hosts; useful on slow networks. |
| Set maximum and minimum round-trip time | --max-rtt-timeout / --min-rtt-timeout | Bounds probe timeouts by setting the maximum and minimum round-trip time estimates. |