top of page

Mastering Network Exploration: Unveiling the Secrets of Nmap with Our Ultimate Cheat Sheet

If you are starting in your ethical hacking career you probably heard of nmap. Nmap is short for Network Mapper, and it has a variety of functions from port discovery to host discovery. Below I am going to explore the history of nmap and its different function.

Nmap was first invented in 1997 by Gordon Lyon, also known by his pseudonym Fyodor. It has gone through numerous updates, and remains one of the most respect network mapping tools.

below are the functions and features that Nmap has. But, before we start I have to give a disclaimer. This is for educational purposes only, use the below information below to only scan, and pertest devices and services you have permissions to test. Security Reaper is not responsible for any illegal actions you do with the informations provided.

Now that the disclaimer is out the way lets get to the point.

Host Discovery:

nmap will perform passive or active scan based on your choice to discover host within a network with techniques such as ICMP, TCP, UDP, ARP scans.

Port Scanning:

Nmap will scan and identify open ports on a target host to see what services are available and accessible. This is done through a variety of scans such as NULL scans, TCP connect scans, SYN scans, and UDP scans.

Firewall Evasion Techniques:

Nmap can evade and bypass firewalls, as well as Intrusion Detection systems using a variety of techniques such as source port randomization, Decoy scanning, and fragmentation.

Output Formats:

Nmap supports and outputs many formats as XML, plain text, etc allowing you to customize the output and use it with other tools that fits your requirements.

Service and Version Detections:

Nmap has the the ability to detect a wide range services and versions running on the network you scan. this is helpful to map out vulnerabilities associated with the a specific version of a service running on the network scanned. For example, let's say that a network is running Postgresql version 7.5. When you search this version up you find out it is potentially vulnerable to an SQL injection attack.

Nmap Scripting Engine(NSE):

Nmap has a powerful scripting engine that uses scripts written in LUA programming language with a multitude of enhanced functions such as, vulnerability scanning, host discovery, and operating system detection. Not satisfied with the pre-installed scripts you can write your own scripts, and integrate them into Nmap. Furthermore, Nmap scripts can be integrated with other tools to enhance your security assessments.

Operating System Detection:

Not only is Nmap capable of detecting services and version running on a network, but also operating systems. For example, let say you scan a network you find a multitude of ports, and it has an operating system for one of the systems running on network Windows. Knowing this information you find out it's windows 7 after running a deep scan. Armed with this information you find out it's vulnerable to Windows Eternal Blue potentially exploitable.

Now that you know what Nmap is cable of below is a cheat sheet for Nmap.

Basic Scanning Techniques:

TCP SYN Scan: nmap -sS <target>

TCP Connect Scan: nmap -sT <target>

UDP Scan: nmap -sU <target>

Ping Scan: nmap -sn <target>

Service and Version Detection:

Version Detection: nmap -sV <target>

Aggressive Scan: nmap -A <target>

Operating System Detection:

OS Detection: nmap -O <target>

Aggressive OS Detection: nmap -A -O <target>

Output Formats:

Normal Output: nmap -oN output.txt <target>

XML Output: nmap -oX output.xml <target>

Grepable Output: nmap -oG output.grep <target>

Timing and Performance:

Timing Template: nmap -T<0-5> <target>

Aggressive Timing: nmap -T4 <target>

Insane Timing: nmap -T5 <target>

Scripting Engine:

Default Scripts: nmap -sC <target>

Individual Script: nmap --script <script> <target>

Script Categories: nmap --script <category> <target>

Firewall Evasion Techniques:

Fragmentation: nmap -f <target>

Decoy Scan: nmap -D RND:<number of decoys> <target>

Idle Scan: nmap -sI <zombie host> <target>

Port Specification:

Scan Specific Ports: nmap -p <port1,port2,...> <target>

Scan Port Range: nmap -p <start-end> <target>

Scan All Ports: nmap -p- <target>

Output Filtering:

Filter by Port State: nmap --open <target>

Filter by Host State: nmap --unprivileged <target>

Exclude Hosts: nmap --exclude <excluded hosts> <target>


Verbose Output: nmap -v <target>

Aggressive Scan with Traceroute: nmap -A -traceroute <target>

IPv6 Scan: nmap -6 <target>

8 views0 comments


bottom of page