🔍 Basic Port Scanning

Quick TCP Scan

nmap 192.168.1.1
Scans the 1000 most common TCP ports using a SYN scan. Fastest basic scan.
Default: -sS --top-ports 1000 -Pn

All TCP Ports

nmap -p- 192.168.1.1
Scans ALL 65535 TCP ports. Takes ~2-10 minutes per host.
💡 Pro Tip: Use -p 1-1000,8000-9000 for custom ranges
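The -p- and -p 1-1000,8000-9000 forms above are nmap port specifications. The helper below, added here as an illustration and not taken from nmap itself, expands such a specification into the concrete port list and rejects out-of-range or reversed ranges, which is the validation you want in any wrapper that passes a user-supplied range to the scanner. It also accepts the general forms nmap allows (open-ended ranges like "-1000" and "60000-"); the T:/U: protocol prefixes are deliberately not handled.

```python
"""Expand an nmap-style -p port specification into a sorted port list.

Added example for the cheat sheet; this is not nmap's own parser.
Supported forms: single port, a-b range, comma lists, open-ended ranges
("-1000", "60000-"), and the bare "-" that -p- uses for all 65535 ports.
"""

ALL_PORTS = "-"


def expand_port_spec(spec):
    """Return the sorted, de-duplicated list of ports named by `spec`.

    Raises ValueError for malformed tokens or ports outside 1-65535, so a
    bad range is caught before a scan is launched.
    """
    spec = spec.replace(" ", "")
    if spec == ALL_PORTS:                 # nmap's -p- : every TCP port
        return list(range(1, 65536))
    ports = set()
    for token in spec.split(","):
        if not token:
            raise ValueError("empty port token in %r" % spec)
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo = int(lo_s) if lo_s else 1        # "-1000" means 1..1000
            hi = int(hi_s) if hi_s else 65535    # "60000-" means 60000..65535
        else:
            lo = hi = int(token)                 # int() rejects junk like "abc"
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("port range %r out of bounds or reversed" % token)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_count(spec):
    """Number of distinct ports a specification covers (useful for ETA math)."""
    return len(expand_port_spec(spec))


if __name__ == "__main__":
    for s in ("-", "1-1000,8000-9000", "22,80,443", "60000-"):
        print("%-20s -> %d ports" % (s, port_count(s)))
```

The count is handy for the timing note above: 65535 ports at one host per -p- scan is why the full scan takes minutes, while -p 1-1000,8000-9000 is only 2001 ports.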

UDP Scanning

nmap -sU --top-ports 100 192.168.1.1
Scans UDP ports. Much slower because there is no handshake to confirm a closed port. Use -sSU for TCP+UDP.
Combine: nmap -sS -sU -p 1-1000 192.168.1.1

Host Discovery

nmap -sn 192.168.1.0/24
Ping sweep only. Finds live hosts, no port scanning.
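A ping sweep is only useful once its result is compared with what you expect to be on the subnet. The script below is an added example (not part of the cheat sheet) that parses the grepable output of `nmap -sn -oG - 192.168.1.0/24`, lists the hosts reported Up, and flags any address missing from a known-asset list. The sample output is constructed for the example; real -oG files carry the same "Host: ... Status: ..." layout.

```python
"""Extract live hosts from nmap -sn grepable (-oG) output and compare them
with an asset inventory.  Added example; not nmap project code."""
import re

# Constructed sample of `nmap -sn -oG - 192.168.1.0/24`, not a real capture.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.23 (printer.lan)\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 3.12 seconds
"""

# gnmap host lines look like: Host: <ip> (<name or empty>)<tab>Status: Up
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Status:\s+(?P<status>\w+)"
)


def live_hosts(gnmap_text):
    """Return [(ip, hostname_or_None), ...] for every host with Status: Up."""
    hosts = []
    for line in gnmap_text.splitlines():
        if line.startswith("#"):          # header/footer comment lines
            continue
        m = HOST_LINE.match(line)
        if m and m.group("status") == "Up":
            hosts.append((m.group("ip"), m.group("name") or None))
    return hosts


def unexpected_hosts(gnmap_text, known_ips):
    """IPs that answered the sweep but are not in the inventory `known_ips`."""
    return sorted(ip for ip, _ in live_hosts(gnmap_text) if ip not in known_ips)


if __name__ == "__main__":
    inventory = {"192.168.1.1", "192.168.1.23"}     # constructed asset list
    for ip, name in live_hosts(SAMPLE_GNMAP):
        print("up:", ip, name or "")
    print("not in inventory:", unexpected_hosts(SAMPLE_GNMAP, inventory))
```

For a port scan rather than -sn, the same Host: lines gain a "Ports:" field; the regex above ignores it, so the function still works on those files.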

🛡️ Stealth & Firewall Evasion

SYN Stealth Scan

nmap -sS 192.168.1.1
Half-open connections. Stealthiest & fastest. Requires root.
💡 Never completes the TCP handshake, so the target application never logs a connection (firewalls and IDS still see the SYN packets)

Packet Fragmentation

nmap -f -f 192.168.1.1
Splits packets into 8-byte (-f) or 4-byte (-f -f) fragments. Bypasses simple firewalls & IDS.
-f = 8 bytes | -f -f = 4 bytes | --mtu 24 = Custom MTU

MAC Address Spoofing

nmap --spoof-mac 0 192.168.1.1
Spoofs the MAC address. Works only on the local network. --spoof-mac takes one argument:
0=Random | 1=Own MAC | X:X:X:X:X:X=Specific (e.g. DE:AD:BE:EF:01:23)

IP Address Spoofing

nmap -e eth0 -S 10.0.0.100 192.168.1.1
Spoofs the source IP. You won't see responses!
⚠️ Use with: -Pn -f --spoof-mac 0 + Idle scan

Idle/Zombie Scan

nmap -sI <zombie_ip> 192.168.1.1
Uses a zombie host. Your IP is completely invisible to the target.
💡 Find zombie: nmap -O --osscan-guess (predictable IPID)

🔥 Advanced Firewall Bypass

Source Port Spoof

nmap -sS -p 80,443 --source-port 53 192.168.1.1
--source-port takes a single port. Trusted ports bypass rules: 53=DNS, 20=FTP, 88=Kerberos.

Decoy Attack

nmap -D RND:10,ME,10.1.1.1,decoy1.com 192.168.1.1
Mixes your scan with 10+ decoy IPs. Hides the real scanning host.
ME=Your IP | RND:20=20 random IPs

Bad Checksums

nmap --badsum -sS 192.168.1.1
Invalid checksums crash bad IDS/firewalls.

FTOS Mismatch

nmap --fuzzy -sS 192.168.1.1
Violates RFC specs. Some firewalls drop packets.

📡 Service & Version Detection

Command        | What it does               | Example
-sV            | Detects service versions   | Apache 2.4.41
-sC            | Default NSE scripts        | http-title, ssl-cert
--script vuln  | Vulnerability checks       | Heartbleed, SMB vulns
-A             | OS+Version+Scripts+Trace   | Complete scan

Golden Combo

nmap -sC -sV -O -p- 192.168.1.1
Scripts + Version + OS + All ports. Most comprehensive scan.

Vuln Scanning

nmap --script vuln,exploit 192.168.1.1
Checks 200+ common vulnerabilities.

⚡ Performance & Output

Timing Templates

nmap -T0 192.168.1.1 ... nmap -T5 192.168.1.1
-T0 Paranoid (0.5s/packet) | -T5 Insane (5ms/packet)
Default: -T3

All Outputs

nmap -oA fullscan 192.168.1.1
Creates: fullscan.nmap, fullscan.xml, fullscan.gnmap
-oN=Normal | -oX=XML | -oG=Grepable
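The XML output (-oX, or the .xml file from -oA) is the format to keep for automation. The script below is an added example, not part of the cheat sheet or of nmap, that parses two -oX documents of the same host (a baseline and a later scan) and reports ports that opened or closed in between, which is how a defender turns recurring scans into a change alert. Both XML documents are constructed for the example and trimmed to the elements the diff reads (host, address, port, state, service); real output has the same element names.

```python
"""Diff two nmap -oX scans and report newly opened / closed ports.
Added example; the XML below is constructed, not a real scan."""
import xml.etree.ElementTree as ET

BASELINE_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline 192.168.1.1" start="1704103200">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current 192.168.1.1" start="1704189600">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy" product="Squid http proxy" version="5.7"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text):
    """Map (ip, protocol, port) -> service label for every port in state 'open'."""
    found = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                       # skip hosts without an IPv4 address
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                       # closed/filtered ports are not inventory
            svc = port.find("service")
            label = "unknown"
            if svc is not None:                # -sV fills product/version when it can
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                label = " ".join(p for p in parts if p)
            found[(ip, port.get("protocol"), int(port.get("portid")))] = label
    return found


def diff_scans(baseline_xml, current_xml):
    """Return {'opened': [...], 'closed': [...]} keyed by (ip, proto, port)."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    return {
        "opened": sorted(k for k in after if k not in before),
        "closed": sorted(k for k in before if k not in after),
    }


if __name__ == "__main__":
    now = open_ports(CURRENT_XML)
    delta = diff_scans(BASELINE_XML, CURRENT_XML)
    for ip, proto, port in delta["opened"]:
        print(f"NEW   {ip} {port}/{proto}: {now[(ip, proto, port)]}")
    for ip, proto, port in delta["closed"]:
        print(f"GONE  {ip} {port}/{proto}")
```

Only ports in state "open" count as inventory here, so a port that moves from open to filtered (443 in the sample) shows up as closed; if your policy treats open|filtered UDP results as open, extend the state check accordingly.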

No Ping

nmap -Pn -n 192.168.1.1
-Pn Skip host discovery | -n No DNS

Scan Type      | Stealth     | Speed       | Root?
SYN (-sS)      | ⭐⭐⭐⭐⭐  | ⭐⭐⭐⭐⭐  | Yes
UDP (-sU)      | ⭐⭐⭐       |             | No
Connect (-sT)  | ⭐⭐⭐       |             | No