
Nmap Cheat Sheet: Every Scan Type and Technique Explained

bolt | April 2, 2026 | 4 min read
Tags: nmap, port-scanning, network-security, cheat-sheet, pentesting

What Is Nmap?

Nmap (Network Mapper) is the world's most popular network scanning tool. It discovers hosts, open ports, running services and operating systems on a network, and with its scripting engine it can also check for known vulnerabilities. It is usually the first tool a penetration tester reaches for.

# Install Nmap
sudo apt install nmap    # Debian/Ubuntu
brew install nmap        # macOS
nmap --version           # Verify installation

Host Discovery

# Ping scan — find live hosts (no port scan)
nmap -sn 192.168.1.0/24

# Skip host discovery: treat every address as up and port-scan it (useful when ICMP is blocked)
nmap -Pn 192.168.1.0/24

# ARP scan (local network only — most reliable)
nmap -PR 192.168.1.0/24

# TCP SYN ping on specific ports
nmap -PS80,443 192.168.1.0/24

# List targets without scanning
nmap -sL 192.168.1.0/24

Port Scanning Techniques

TCP SYN Scan (Stealth Scan) — Default

# Most common scan type (requires root). Sends SYN, reads SYN-ACK, sends RST.
# Never completes the TCP handshake — harder to detect in logs.
sudo nmap -sS target.com

TCP Connect Scan

# Completes the full TCP handshake. No root required.
# Slower and more detectable, but works without raw packet access.
nmap -sT target.com

UDP Scan

# Scan UDP ports (DNS, SNMP, DHCP). Much slower than TCP scans.
sudo nmap -sU target.com

# Combine TCP and UDP
sudo nmap -sS -sU target.com

Scan Specific Ports

nmap -p 80 target.com           # Single port
nmap -p 80,443,8080 target.com  # Multiple ports
nmap -p 1-1000 target.com       # Port range
nmap -p- target.com             # ALL 65535 ports
nmap --top-ports 100 target.com # Top 100 most common ports

Service and Version Detection

# Detect service versions
nmap -sV target.com

# Aggressive version detection (intensity 9 tries every probe; the default is 7)
nmap -sV --version-intensity 9 target.com

# OS detection
sudo nmap -O target.com

# Aggressive scan (OS + version + scripts + traceroute); root needed for the OS part
sudo nmap -A target.com

NSE Scripts (Nmap Scripting Engine)

# Run default scripts (safe, useful)
nmap -sC target.com

# Run a specific script
nmap --script http-title target.com

# Run multiple scripts
nmap --script "http-title,http-headers" target.com

# Vulnerability scanning
nmap --script vuln target.com

# Run all scripts in a category
nmap --script "auth" target.com

Most Useful NSE Scripts

Script              Purpose
http-title          Get web page title
http-headers        Show HTTP response headers
ssl-enum-ciphers    List SSL/TLS cipher suites
ssh-brute           SSH brute-force (with permission)
smb-enum-shares     List SMB shares
dns-brute           DNS subdomain enumeration
vuln                Run all vulnerability scripts
http-enum           Enumerate web directories
ftp-anon            Check for anonymous FTP access

Output Formats

# Normal output to file
nmap -oN scan.txt target.com

# XML output (for parsing)
nmap -oX scan.xml target.com

# Grepable output
nmap -oG scan.grep target.com

# All formats at once
nmap -oA scan target.com

# Verbose output
nmap -v target.com
nmap -vv target.com      # Extra verbose

Timing and Performance

# Timing templates (T0=slowest/stealthiest, T5=fastest/noisiest)
nmap -T0 target.com   # Paranoid (IDS evasion)
nmap -T1 target.com   # Sneaky
nmap -T2 target.com   # Polite
nmap -T3 target.com   # Normal (default)
nmap -T4 target.com   # Aggressive (recommended for CTFs)
nmap -T5 target.com   # Insane (may miss ports)

# Custom timing
nmap --min-rate 1000 target.com    # Send at least 1000 packets/sec
nmap --max-retries 1 target.com    # Faster, but may miss ports whose probes are dropped

Firewall/IDS Evasion

# Fragment packets
nmap -f target.com

# Cloak the scan with 10 random decoy source addresses (your real address is still among them)
nmap -D RND:10 target.com

# Use a specific source port
nmap --source-port 53 target.com

# Randomize target order
nmap --randomize-hosts 192.168.1.0/24

Common Scan Profiles

# Quick reconnaissance
nmap -sV -sC -T4 target.com

# Full comprehensive scan
sudo nmap -sS -sV -sC -O -p- -T4 -oA full_scan target.com

# Stealth scan for pentests
sudo nmap -sS -T2 -f --source-port 53 -oA stealth_scan target.com

# Web server scan
nmap -sV -p 80,443,8080,8443 --script "http-*" target.com

# Quick subnet discovery
nmap -sn -T4 192.168.1.0/24 -oG - | grep "Up"

Key Takeaways

  • Always get written authorization before scanning networks you don't own
  • Start with nmap -sC -sV -T4 target — covers 90% of use cases
  • Use -p- for full port scans — default only scans top 1000 ports
  • Save output with -oA — you'll always want to reference results later
  • NSE scripts turn Nmap from a port scanner into a vulnerability scanner
