Nmap Cheat Sheet
Nmap is the de-facto standard for network reconnaissance. This is the subset of flags you’ll actually reach for on engagements or CTFs — not an exhaustive man page dump.
Quick-reference table
| Goal | Command |
|---|---|
| Fast TCP scan (top 1000 ports) | nmap -T4 <target> |
| All 65535 TCP ports | nmap -p- -T4 <target> |
| Service + version detection | nmap -sV <target> |
| OS detection | nmap -O <target> |
| Aggressive (OS + version + scripts + traceroute) | nmap -A <target> |
| Stealth SYN scan | nmap -sS <target> |
| UDP scan (top 100 ports) | nmap -sU --top-ports 100 <target> |
| Default NSE scripts | nmap -sC <target> |
| Output all formats | nmap -oA scan_results <target> |
The go-to recon one-liner
nmap -sV -sC -p- -T4 --min-rate 5000 -oA full_scan <target>
- -sV — detect service versions
- -sC — run default safe scripts
- -p- — all ports
- --min-rate 5000 — push throughput on non-prod targets
- -oA — save .nmap, .gnmap, and .xml simultaneously
Useful NSE scripts
# Enumerate SMB shares and check for common vulns
nmap -p 445 --script smb-enum-shares,smb-vuln-ms17-010 <target>
# HTTP title grab across a subnet
nmap -p 80,443,8080 --script http-title 192.168.1.0/24
# Check for anonymous FTP login
nmap -p 21 --script ftp-anon <target>
Firewall / IDS evasion basics
# Fragment packets (bypasses naive packet filters)
nmap -f <target>
# Spoof source port to 53 (DNS) — often allowed through firewalls
nmap --source-port 53 <target>
# Randomise host order across a target list (port order is already randomised by default; -r forces sequential)
nmap --randomize-hosts -iL targets.txt