In cybersecurity, Nmap (Network Mapper) is the heart of network scanning and reconnaissance. Featured in films like The Matrix Reloaded and Mr. Robot, it is also the industry standard for network discovery and security auditing.

This guide covers everything from your first scan to sophisticated firewall evasion, and it closes with a comprehensive cheat sheet for everyday use, whether you are an IT professional or a student.

Part 1: Start With The Basics

Fundamentally, Nmap sends specially constructed packets to a target host and analyzes the responses.

1. Basic Scan (Scans Top 1000 Ports)

The simplest command scans the 1000 most common ports on a target.

nmap 192.168.1.1

2. Specify Targets As per Your Needs

You aren't limited to single IPs. Nmap is flexible:

  • Single IP: nmap 192.168.1.1
  • Hostname: nmap scanme.nmap.org
  • Range: nmap 192.168.1.1-50
  • Subnet (CIDR): nmap 192.168.1.0/24
  • Input from List: nmap -iL targets.txt (Scans list of IPs in a file)
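The target notations above can be expanded offline, which is useful for checking a scan list against the scope you are actually authorised to test before Nmap ever sends a packet. The following is an added example, not code from the guide or from the Nmap project; the targets file contents and the authorised scope are constructed, and the handling of `#` comments is this example's own convention.

```python
"""Expand the Nmap target notations listed above and check the result
against an authorised scope. Added example, not from the original guide;
the scope list and the -iL file contents below are constructed."""
import ipaddress
from typing import Iterator, List


def expand_target(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every IPv4 address covered by one Nmap target spec.

    Handles the forms the guide lists that can be expanded offline: a
    single IP, a CIDR block and a last-octet range such as
    192.168.1.1-50. Hostnames would need DNS, so they are not accepted.
    """
    if "/" in spec:
        # Nmap scans every address in a CIDR block, including the network
        # and broadcast addresses, so iterate the whole network.
        # strict=False lets 192.168.1.5/24 mean 192.168.1.0/24, as Nmap does.
        yield from ipaddress.ip_network(spec, strict=False)
        return
    if "-" in spec:
        # Last-octet range a.b.c.X-Y (Nmap also allows ranges in other
        # octets; that general form is not needed for this example).
        base, last = spec.rsplit(".", 1)
        start, end = (int(x) for x in last.split("-", 1))
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range in {spec!r}")
        for octet in range(start, end + 1):
            yield ipaddress.IPv4Address(f"{base}.{octet}")
        return
    yield ipaddress.IPv4Address(spec)


def read_target_list(text: str) -> List[str]:
    """Parse -iL file contents: specs separated by whitespace or newlines.
    Blank lines are skipped and '#' comments are stripped (the comment
    handling is this example's convention, not a guarantee about Nmap)."""
    specs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.extend(line.split())
    return specs


def out_of_scope(specs: List[str], authorised_cidrs: List[str]) -> List[str]:
    """Return, as sorted strings, every address the specs would scan that is
    not inside one of the authorised networks."""
    nets = [ipaddress.ip_network(c) for c in authorised_cidrs]
    bad = set()
    for spec in specs:
        for addr in expand_target(spec):
            if not any(addr in net for net in nets):
                bad.add(addr)
    return [str(a) for a in sorted(bad)]


# Constructed stand-in for a targets.txt file and for the scope the
# engagement letter authorises.
CONSTRUCTED_TARGETS = """\
192.168.1.1
192.168.1.1-50      # first fifty hosts
# whole lab subnet, plus a host that is NOT in scope:
192.168.1.0/24 10.0.0.7
"""
AUTHORISED_SCOPE = ["192.168.1.0/24"]

if __name__ == "__main__":
    specs = read_target_list(CONSTRUCTED_TARGETS)
    print("specs:", specs)
    print("out of scope:", out_of_scope(specs, AUTHORISED_SCOPE))
```

Run it against your real targets file before an engagement: an empty "out of scope" list is the check you want to see, and the one stray host in the constructed input shows how easily a /24 plus a pasted address can drift outside the authorised range.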

Section 2: Methods of Port Scanning

Not every scan is made equally. Different strategies are required depending on the target's firewall and your privileges.

1. Stealth Scan (TCP SYN Scan)

Flag: -sS. If you run Nmap as root (sudo), this is the default scan. Because it sends a SYN packet, waits for a SYN/ACK, and never completes the connection, it is frequently referred to as "half-open" scanning. Compared to a full connect scan, it is quicker and more covert.

sudo nmap -sS 192.168.1.1

2. TCP Connect Scan

Flag: -sT. The default scan for users without sudo privileges. It completes the full three-way TCP handshake, so the connection is more likely to appear in the target's system logs.

nmap -sT 192.168.1.1

3. UDP Scan

Flag: -sU. Remember that UDP is used by services like DNS (53), SNMP (161) and DHCP (67/68). Because UDP is connectionless, these scans take longer.

sudo nmap -sU 192.168.1.1

Section 3: Reconnaissance (OS & Service Detection)

It's not enough to know that a port is "open." You must know what is running there and who built it.

1. Identification of Service Versions

Flag: -sV. Queries open ports to find the service name and version number (for example, it finds "Apache httpd 2.4.41" rather than just "80/tcp open").

nmap -sV 192.168.1.1

2. OS Detection

Flag: -O. Analyzes TCP/IP stack behavior (TTL, window size and more) to guess the operating system (Windows, Linux, iOS, etc.). It needs raw packets, so run it as root.

sudo nmap -O 192.168.1.1

3. Aggressive Scan (The "Do It All" Switch)

Flag: -A. Enables traceroute, script scanning, OS detection, and version detection simultaneously.

nmap -A 192.168.1.1

THE NMAP SCRIPTING ENGINE (NSE)

This is Nmap's superpower. NSE runs Lua scripts that automate networking tasks, vulnerability detection, and more.

nmap -sC <target> runs the default script set (equivalent to --script=default).

nmap --script=http-title <target> runs one specific script.

To check for known vulnerabilities such as Heartbleed or SMBGhost, use nmap --script=vuln <target> (the vuln category).

Example (Brute forcing SSH):

nmap -p 22 --script ssh-brute --script-args userdb=users.txt,passdb=pass.txt <target>

Section 5: Complex Firewall Avoidance

Both aggressive scans and standard ping sweeps are blocked by modern firewalls. Here's how to get around them.

Skip Ping: -Pn (assume every host is online and skip host discovery). Vital when the target blocks ICMP echo requests.

Packet Fragmentation — the -f option splits the scan probes into tiny IP fragments, which makes it harder for packet filters and intrusion detection systems to match the signature.

# Splits packets into 8-byte chunks (or 16-byte with double -f)
nmap -f -f 192.168.1.5

The "Zombie" Decoy Scan — Decoys: -D RND:10 (hides your identity in the noise by flooding the target with scans from ten randomly selected fictitious IPs in addition to yours).

# Sends scans from 10 random IP addresses + your IP
nmap -D RND:10 192.168.1.5

Source Port Manipulation (--source-port, or -g): Many firewalls are configured to allow traffic from specific trusted ports, such as DNS (port 53) or Web (port 80), so that return traffic works. Sometimes you can get around such a rule by making Nmap send its packets from port 53.

# Pretend all your traffic is originating from a DNS server
nmap --source-port 53 192.168.1.5
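Seen from the other side of the firewall, the scan types from Section 2 and the evasion options above each leave a pattern in connection logs: one source touching many distinct ports in a short window, bare SYNs arriving from source port 53 (a DNS server answers from 53 but never initiates connections from it), and, with -D, several "scanners" hitting the same host at once. The following detector is an added example, not code from the guide or from Nmap; the netfilter-style log format and every log line are constructed, and the window and port threshold are tunables you would set for your own environment.

```python
"""Spot scan behaviour in firewall-style logs, including two of the evasion
options above: --source-port 53 and -D decoys. Added example, not from the
original guide; the log format and every line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed log format: ISO timestamp, then netfilter-style key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) (?P<flags>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return one parsed event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"], "dst": m["dst"],
        "spt": int(m["spt"]), "dpt": int(m["dpt"]),
        "flags": m["flags"].split(","),
    }


def detect_scans(lines: Iterable[str], window: timedelta = timedelta(seconds=10),
                 port_threshold: int = 5) -> Dict[str, dict]:
    """Three findings:
    fanout           src -> most distinct destination ports it hit inside one
                     window (SYN and connect scans both look like this; only
                     whether the handshake completes differs)
    source_port_53   src -> number of bare SYNs it sent FROM port 53, the
                     fingerprint of --source-port 53 (a SYN/ACK from 53 is a
                     normal TCP DNS reply and is deliberately not counted)
    decoy_candidates dst -> sorted sources that scanned it in the same window;
                     with -D the real scanner is one of them and the log
                     alone cannot say which
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent: Dict[str, List[tuple]] = defaultdict(list)  # src -> [(ts, dpt)]
    fanout: Dict[str, int] = {}
    sp53: Dict[str, int] = defaultdict(int)
    scanners: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["flags"] == ["SYN"] and e["spt"] == 53:
            sp53[e["src"]] += 1
        # Keep only this source's events inside the sliding window.
        cutoff = e["ts"] - window
        q = [(t, p) for t, p in recent[e["src"]] if t >= cutoff]
        q.append((e["ts"], e["dpt"]))
        recent[e["src"]] = q
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            fanout[e["src"]] = max(fanout.get(e["src"], 0), distinct)
            scanners[e["dst"]].add(e["src"])
    return {
        "fanout": fanout,
        "source_port_53": dict(sp53),
        "decoy_candidates": {d: sorted(s) for d, s in scanners.items() if len(s) > 1},
    }


# Constructed sample: one scanner using --source-port 53, two decoys (-D),
# one legitimate HTTPS client, one DNS server replying over TCP, one bad line.
CONSTRUCTED_LOG = """\
2024-05-01T10:00:00Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=22 SYN
2024-05-01T10:00:01Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=80 SYN
2024-05-01T10:00:01Z SRC=10.9.9.1 DST=192.168.1.5 SPT=40001 DPT=22 SYN
2024-05-01T10:00:01Z SRC=10.9.9.2 DST=192.168.1.5 SPT=40002 DPT=22 SYN
2024-05-01T10:00:02Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=443 SYN
2024-05-01T10:00:02Z SRC=10.9.9.1 DST=192.168.1.5 SPT=40001 DPT=80 SYN
2024-05-01T10:00:02Z SRC=10.9.9.2 DST=192.168.1.5 SPT=40002 DPT=80 SYN
2024-05-01T10:00:03Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=445 SYN
2024-05-01T10:00:03Z SRC=10.9.9.1 DST=192.168.1.5 SPT=40001 DPT=443 SYN
2024-05-01T10:00:03Z SRC=10.9.9.2 DST=192.168.1.5 SPT=40002 DPT=443 SYN
2024-05-01T10:00:04Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=3389 SYN
2024-05-01T10:00:04Z SRC=10.9.9.1 DST=192.168.1.5 SPT=40001 DPT=445 SYN
2024-05-01T10:00:04Z SRC=10.9.9.2 DST=192.168.1.5 SPT=40002 DPT=445 SYN
2024-05-01T10:00:05Z SRC=192.168.1.20 DST=192.168.1.5 SPT=53 DPT=8080 SYN
2024-05-01T10:00:05Z SRC=10.9.9.1 DST=192.168.1.5 SPT=40001 DPT=3389 SYN
2024-05-01T10:00:05Z SRC=10.9.9.2 DST=192.168.1.5 SPT=40002 DPT=3389 SYN
2024-05-01T10:00:06Z SRC=192.168.1.30 DST=192.168.1.5 SPT=51000 DPT=443 SYN
2024-05-01T10:00:07Z SRC=192.168.1.30 DST=192.168.1.5 SPT=51001 DPT=443 SYN
2024-05-01T10:00:08Z SRC=192.168.1.53 DST=192.168.1.30 SPT=53 DPT=51234 ACK,PSH
garbage line that does not match the format
"""

if __name__ == "__main__":
    for name, finding in detect_scans(CONSTRUCTED_LOG.splitlines()).items():
        print(f"{name}: {finding}")
```

The fan-out rule catches -sS and -sT alike, since the firewall sees the initial SYN either way; -f does not hide it either, because the fragments are reassembled before the log entry is written. The decoy output is the honest limit of log-based detection: it names every address that scanned the host, and the analyst must use other evidence to find the real one.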

Part 6: Output & Logging

Always save your work.

Normal Output: -oN scan.txt (Text file)

XML Output: -oX scan.xml (Best for importing into other tools)

Grepable Output: -oG scan.grep (Easy to search with grep)

All Formats: -oA my_scan (Saves all three formats named my_scan.nmap, .xml, .gnmap)
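The XML format is the one to feed into your own tooling. As an added example (not code from the guide or from the Nmap project), the script below parses the -oX layout with the standard library and compares the open ports Nmap found against a baseline of what the inventory says should be listening, which is the everyday defender use of a scan file. The XML document is a constructed sample that follows the real -oX element and attribute names, not a real scan, and the baseline is constructed too.

```python
"""Parse Nmap's -oX output and compare open ports with an expected
baseline. Added example, not from the original guide; the XML below is a
constructed sample in the real -oX layout, not a real scan."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

CONSTRUCTED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.1" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <hostnames><hostname name="gateway.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_bytes: bytes) -> List[dict]:
    """Return one dict per host that was up: address, PTR names and the
    ports Nmap reported, each with its state and a banner assembled from
    the <service> attributes that -sV fills in."""
    root = ET.fromstring(xml_bytes)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6-only hosts (-6) carry addrtype="ipv6"
            addr = h.find("address")
        ports = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            banner = " ".join(
                v for v in (svc.get(k) for k in ("name", "product", "version")) if v
            ) if svc is not None else ""
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": banner,
            })
        hosts.append({
            "addr": addr.get("addr"),
            "hostnames": [hn.get("name") for hn in h.findall("hostnames/hostname")],
            "ports": ports,
        })
    return hosts


def open_ports(host: dict) -> Set[str]:
    """Set of 'proto/port' strings that are open on one parsed host."""
    return {f"{p['proto']}/{p['port']}" for p in host["ports"] if p["state"] == "open"}


def unexpected_open_ports(hosts: List[dict],
                          baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Open ports missing from the baseline for that address (every open port
    on a host the baseline does not know), as (addr, proto/port, service)."""
    findings = []
    for host in hosts:
        expected = baseline.get(host["addr"], set())
        for p in sorted(host["ports"], key=lambda p: (p["proto"], p["port"])):
            key = f"{p['proto']}/{p['port']}"
            if p["state"] == "open" and key not in expected:
                findings.append((host["addr"], key, p["service"]))
    return findings


# Constructed baseline: what the inventory says should be listening.
BASELINE = {"192.168.1.1": {"tcp/22", "tcp/80"}}

if __name__ == "__main__":
    hosts = parse_nmap_xml(CONSTRUCTED_XML)
    for h in hosts:
        print(h["addr"], h["hostnames"], sorted(open_ports(h)))
    print("unexpected:", unexpected_open_ports(hosts, BASELINE))
```

Point it at a real file with `parse_nmap_xml(open("scan.xml", "rb").read())`. Scheduling such a diff after each -oA run turns the scan from a one-off into a change detector, and the 8080 finding in the sample is exactly the kind of forgotten listener it is meant to surface.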

Cheat Sheet File:

NMAP ULTIMATE CHEATSHEET (EXTENDED EDITION)
ADDITIONAL ADVANCED COMMANDS & EXPLANATIONS

--- ADVANCED PORT SCANNING ---
nmap -sW <target>              # TCP Window Scan (detect open ports via TCP window size)
nmap -sM <target>              # Maimon Scan (FIN/ACK variant, rare but useful)
nmap --scanflags URGACKPSH <target>  # Custom TCP flag scan
nmap -sI <zombie> <target>     # Idle/Zombie Scan (highly stealthy, requires an idle host)

--- IPV6 SCANNING ---
nmap -6 <target>               # Scan IPv6 target
nmap -6 -sV <target>           # IPv6 with version detection

--- DNS ENUMERATION ---
nmap --script dns-brute <target>      # DNS subdomain brute force
nmap --script dns-zone-transfer <target>  # Attempt zone transfer

--- SMB ENUMERATION ---
nmap -p 445 --script smb-os-discovery <target>
nmap -p 445 --script smb-enum-shares <target>
nmap -p 445 --script smb-vuln* <target>

--- DATABASE ENUMERATION ---
nmap -p 3306 --script mysql-info <target>
nmap -p 1433 --script ms-sql-info <target>
nmap -p 6379 --script redis-info <target>

--- SSL/TLS ANALYSIS ---
nmap -p 443 --script ssl-cert <target>
nmap -p 443 --script ssl-enum-ciphers <target>
nmap --script ssl-heartbleed <target>

--- BRUTE FORCE MODULES ---
nmap --script ftp-brute -p 21 <target>
nmap --script rdp-brute -p 3389 <target>
nmap --script http-brute -p 80 <target>

--- VULNERABILITY & EXPLOIT DISCOVERY ---
nmap --script vuln <target>
nmap --script exploit <target>
nmap --script auth <target>

--- PERFORMANCE TUNING ---
nmap --min-rate 1000 <target>        # Minimum packets per second
nmap --max-rate 5000 <target>        # Maximum packets per second
nmap --max-retries 2 <target>        # Reduce retransmissions
nmap --host-timeout 30m <target>     # Stop scanning a host after 30 minutes

--- OUTPUT & AUTOMATION ---
nmap -oA scan_results <target>       # Output all formats
nmap -oX scan.xml <target>           # XML for automation tools
nmap --append-output <target>        # Append to an existing output file (use with -oN/-oX/-oG/-oA)

--- USEFUL PROFESSIONAL COMBINATIONS ---
Full Enterprise Audit:
nmap -sS -sV -O -sC -p- -T4 --min-rate 1000 -oA enterprise_audit <target>

Stealth External Recon:
nmap -sS -Pn -T2 -f --data-length 50 -D RND:5 <target>

Internal Network Mapping:
nmap -sn -PR 192.168.0.0/24 -oA lan_inventory

Web Application Deep Scan:
nmap -p 80,443 --script "http-enum,http-title,http-vuln*" -sV <target>

IMPORTANT NOTES:
- Always have written authorization before scanning.
- Use -T4 for LAN, -T2 for stealth internet scans.
- Combine -sV with -sC for effective enumeration.