Nmap — Network Scanning & Enumeration

Complete Nmap reference for host discovery, port scanning, service detection, and NSE scripting.

Apr 2026 lazyhackers
Host Discovery (6)
nmap -sn 192.168.1.0/24
Ping sweep — discover live hosts (no port scan)
discovery ping
nmap -sn -PS22,80,443 192.168.1.0/24
TCP SYN ping on specific ports
discovery
nmap -sn -PA80,443 192.168.1.0/24
TCP ACK ping sweep
discovery
nmap -sn -PU53,161 192.168.1.0/24
UDP ping sweep
discovery udp
nmap -sn -PR 192.168.1.0/24
ARP ping (local network)
discovery arp
nmap -iL targets.txt -sn
Ping sweep from target list file
discovery
Port Scanning (9)
nmap -p- 10.10.10.1
Scan all 65535 ports
ports full
nmap -p 22,80,443,8080 10.10.10.1
Scan specific ports
ports
nmap -p 1-1000 10.10.10.1
Scan port range
ports
nmap -F 10.10.10.1
Fast scan — top 100 ports
ports fast
nmap --top-ports 1000 10.10.10.1
Scan top 1000 most common ports
ports
nmap -sS 10.10.10.1
SYN (stealth) scan — requires root
stealth syn
nmap -sT 10.10.10.1
TCP connect scan (no root needed)
tcp
nmap -sU -p 53,67,68,69,123,161 10.10.10.1
UDP scan common ports
udp
nmap -sA 10.10.10.1
ACK scan — map firewall rules
firewall ack
Service & Version Detection (5)
nmap -sV 10.10.10.1
Service/version detection
version service
nmap -sV --version-intensity 9 10.10.10.1
Aggressive version detection
version
nmap -O 10.10.10.1
OS detection
os fingerprint
nmap -A 10.10.10.1
Aggressive scan: OS+version+scripts+traceroute
aggressive full
nmap -sV -sC 10.10.10.1
Version + default NSE scripts
version scripts
NSE Scripts (12)
nmap -sC 10.10.10.1
Run default scripts
nse scripts
nmap --script=http-title 10.10.10.1
Get HTTP page titles
nse http
nmap --script=vuln 10.10.10.1
Run all vulnerability scripts
nse vuln
nmap --script=smb-vuln-ms17-010 10.10.10.1
Check EternalBlue (MS17-010)
nse smb eternalblue
nmap --script=smb-enum-shares,smb-enum-users -p 445 10.10.10.1
SMB enumeration
nse smb enum
nmap --script=ftp-anon -p 21 10.10.10.1
Check FTP anonymous login
nse ftp
nmap --script=ssh-auth-methods -p 22 10.10.10.1
SSH authentication methods
nse ssh
nmap --script=dns-zone-transfer -p 53 --script-args dns-zone-transfer.domain=target.com 10.10.10.1
DNS zone transfer attempt
nse dns
nmap --script=http-enum -p 80,443 10.10.10.1
Enumerate web directories
nse http enum
nmap --script=ssl-heartbleed -p 443 10.10.10.1
Check Heartbleed vulnerability
nse ssl vuln
nmap --script=mysql-info,mysql-empty-password -p 3306 10.10.10.1
MySQL enumeration
nse mysql
nmap -p 1433 --script=ms-sql-info,ms-sql-empty-password 10.10.10.1
MSSQL enumeration
nse mssql
Output & Timing (7)
nmap -oN output.txt 10.10.10.1
Save normal output to file
output
nmap -oX output.xml 10.10.10.1
Save XML output
output xml
nmap -oG output.gnmap 10.10.10.1
Greppable output
output grep
nmap -oA scan_results 10.10.10.1
Save all formats (normal+xml+grep)
output all
nmap -T4 -p- -sV 10.10.10.1
T4 timing (faster, less stealthy)
timing speed
nmap -T1 10.10.10.1
T1 timing (very slow, stealthy)
timing stealth
nmap --min-rate 5000 -p- 10.10.10.1
Set minimum packet rate for speed
timing speed
Evasion & Firewall Bypass (7)
nmap -f 10.10.10.1
Fragment packets to evade IDS
evasion firewall
nmap -D RND:10 10.10.10.1
Decoy scan with 10 random IPs
evasion decoy
nmap -D 192.168.1.5,192.168.1.6,ME 10.10.10.1
Decoy scan with specific IPs
evasion decoy
nmap --source-port 53 10.10.10.1
Spoof source port (bypass firewall rules)
evasion firewall
nmap --data-length 25 10.10.10.1
Append random data to packets
evasion
nmap --randomize-hosts -iL targets.txt
Randomize target scan order
evasion
nmap --proxies socks4://127.0.0.1:9050 10.10.10.1
Scan through SOCKS proxy/Tor
evasion proxy tor