NMap Cheat Sheet Discovery

Question 1

Skip host discovery (no ping)

Answer 1

nmap -Pn

Disables host discovery; same as nmap -P0

Question 2

Skip port scan

Answer 2

nmap -sn

Question 3

List targets to scan

Answer 3

nmap -sL

Question 4

TCP SYN ping

Answer 4

nmap -PS

Question 5

TCP ACK ping

Answer 5

nmap -PA

Question 6

UDP ping

Answer 6

nmap -PU

Question 7

ICMP echo ping

Answer 7

nmap -PE

Question 8

ICMP timestamp ping

Answer 8

nmap -PP

Question 9

ICMP netmask ping

Answer 9

nmap -PM

Question 10

IP protocol ping

Answer 10

nmap -PO

Question 11

OS fingerprinting and port scanning

Answer 11

nmap -O

Send packets to remote OS and analyze the response. This is ACTIVE scanning.

Question 12

Aggressive

Answer 12

nmap -A

OS fingerprinting and port scanning with VULNERABILITY scanning

Also includes a TRACEROUTE and lists possible problems with each scanned port number. Do a -O and -A to see the difference!

Question 13

IP Protocol Scan

Answer 13

nmap -sO

Major protocols like ICMP, TCP, UDP, IGMP, etc

Question 14

TCP Connect

Answer 14

nmap -sT

This does leave a record of your activities in target system, but it’s very reliable.

Question 15

SYN Scanning, Stealth Scan

Answer 15

nmap -sS

Also known as HALF-OPEN scanning. This is the default scan and the most common.

Question 16

FIN Scan

Answer 16

nmap -sF

Question 17

Null Scan

Answer 17

nmap -sN

Question 18

Xmas Scan

Answer 18

nmap -sX

Xmas scan sets Fin, Urg, and Psh, although some utilities turn ALL 6 flags on!

Question 19

Ping Scan

Answer 19

nmap -sP or -sn

Determines active hosts

Ex: nmap -sP 192.168.3.1-20 will scan 3.1 through 3.20 to see which are up (which reply).

Question 20

UDP Scan

Answer 20

nmap -sU

Looks for open UDP ports.

Question 21

ACK Scan

Answer 21

nmap -sA

Used to test your firewall rules.