Cheat sheet — Scanning & Enumeration with nmap¶
Companion to Module 02 — Scanning & Enumeration · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Only scan hosts you own or have explicit written permission to test. A scan is trivially logged and, unauthorized, can be illegal.
Host discovery (what's alive)¶
nmap -sn 10.0.0.0/24 # ping sweep only — no port scan
nmap -sn -PR 10.0.0.0/24 # ARP scan (fast + reliable on a local subnet)
nmap -Pn 10.0.0.5 # skip discovery, treat host as up (when ICMP is blocked)
nmap -sL 10.0.0.0/24 # list targets, no packets sent (sanity-check your range)
Port scanning (what's listening)¶
nmap 10.0.0.5 # default: top 1000 TCP ports, SYN scan if root
nmap -p- 10.0.0.5 # all 65535 TCP ports
nmap -p 22,80,443 10.0.0.5 # specific ports
nmap --top-ports 100 10.0.0.5 # the 100 most common ports (fast first look)
nmap -sS 10.0.0.5 # SYN / half-open scan (default as root — stealthier, faster)
nmap -sT 10.0.0.5 # full TCP connect (no root; noisier — logs a full connection)
nmap -sU --top-ports 20 10.0.0.5 # UDP scan (slow — scope it tightly)
Service & version detection (what software)¶
nmap -sV 10.0.0.5 # probe open ports for service + version
nmap -sV --version-intensity 9 10.0.0.5 # try harder (slower)
nmap -O 10.0.0.5 # OS fingerprint (needs root)
nmap -A 10.0.0.5 # aggressive: -sV -O --script=default --traceroute
NSE — the Nmap Scripting Engine (enumeration)¶
nmap -sC 10.0.0.5 # run the "default" safe script category
nmap --script=vuln 10.0.0.5 # known-vuln checks (category)
nmap --script=http-enum -p80 10.0.0.5 # enumerate web paths
nmap --script=smb-enum-shares,smb-os-discovery -p445 10.0.0.5
nmap --script-help=http-enum # read what a script does before firing it
ls /usr/share/nmap/scripts/ # browse installed scripts
Timing, output, and being kind¶
nmap -T4 10.0.0.5 # faster timing (-T0 paranoid … -T5 insane)
nmap --max-rate 100 10.0.0.5 # cap packets/sec (protect fragile targets)
nmap -oA scan 10.0.0.5 # save all 3 formats: .nmap / .gnmap / .xml
nmap -oN scan.txt 10.0.0.5 # human-readable only
nmap -v 10.0.0.5 # verbose progress (-vv for more)
Gotchas worth remembering¶
- A port number is a hypothesis, not an answer. "443 open" means something is listening — only
-sVand NSE turn that into "nginx 1.18 serving an admin panel." Never report a service from the port number alone. - Scanning is the loudest thing you'll do. One source IP touching a fan of ports in a tight window is exactly the T1595 telemetry a SOC hunts.
-T4/-T5and-p-trade stealth for speed — that's an engagement decision, not a default. -Pnis a double-edged sword. It stops nmap giving up on hosts that block ping, but it also makes nmap scan every target as if up — huge, slow scans if your range is mostly dead. Discover first, then-Pnthe survivors.- UDP is slow and lies. Open|filtered is the usual result because there's no handshake. Scope UDP to the ports you actually care about (53, 161, 500) rather than sweeping.
- Save every scan (
-oA). You'll re-reference it, diff it against a later scan, and feed the.xmlto other tools. Re-running a scan to recover output you didn't save is wasted noise on the target.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).