Cyber Security | Nmap Cheat Sheet

Akash Ranjan Patel
4 min readDec 7, 2020


Nmap is a network scanner tool

Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.!

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.

Setup Nmap /Zenmap

1.Windows Zenmap Setup:-


2.Linux:- Nmap Setup :-

git clone

make install

Cheat sheet

1.Intense Scan:-

Command: nmap -T4 -A -v

Should be reasonable quick, scan the most common TCP ports. It will make an effort in determining the OS type and what services and their versions are running.

This comes from having a pretty fast timing template (-T4) and for using the -A option which will try determine services, versions and OS. With the verbose output (-v) it will also give us a lot of feedback as Nmap makes progress in the scan.

> nmap -T4 -A -v

2.Intense scan plus UDP :-

Command: nmap -sS -sU -T4 -A -v

Same as the regular Intense scan, just that we will also scan UDP ports (-sU).

The -sS option is telling Nmap that it should also scan TCP ports using SYN packets. Because this scan includes UDP ports this explicit definition of -sS is necessary.

>nmap -sS -sU -T4 -A -v

3.Intense scan, all TCP ports:-

Command: nmap -p 1–65535 -T4 -A -v

Leave no TCP ports unchecked.

Normally Nmap scans a list of 1000 most common protocols, but instead we will in this example scan everything from port 1 to 65535 (max). The 1000 most common protocols listing can be found in the file called nmap-services.

>nmap -p 1–65535 -T4 -A -v

4.Intense scan, no ping:-

Command: nmap -T4 -A -v -Pn

Just like the other intense scans, however this will assume the host is up. Usefull if the target is blocking ping request and you already know the target is up.

>nmap -T4 -A -v -Pn

5.Ping scan:-

Command: nmap -sn

Do only a ping only on the target, no port scan.

>nmap -sn

6.Quick scan:-

Command: nmap -T4 -F

Scan faster than the intense scan by limiting the number of TCP ports scanned to only the top 100 most common TCP ports.

>nmap -T4 -F

7.Quick scan plus:-

Command: nmap -sV -T4 -O -F –version-light

Add a little bit of version and OS detection and you got the Quick scan plus.

>nmap -sV -T4 -O -F — version-light

8.Quick traceroute :-

Command: nmap -sn –traceroute

Use this option when you need to determine hosts and routers in a network scan. It will traceroute and ping all hosts defined in the target.

>nmap -sn — traceroute

9.Regular scan:-

Command: nmap

Default everything. This means it will issue a TCP SYN scan for the most common 1000 TCP ports, using ICMP Echo request (ping) for host detection.


10.Slow comprehensive scan:-

Command: nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)”

This scan has a whole bunch of options in it and it may seem daunting to understand at first. It is however not so complicated once you take a closer look at the options. The scan can be said to be a “Intense scan plus UDP” plus some extras features.

It will put a whole lot of effort into host detection, not giving up if the initial ping request fails. It uses three different protocols in order to detect the hosts; TCP, UDP and SCTP.

If a host is detected it will do its best in determining what OS, services and versions the host are running based on the most common TCP and UDP services. Also the scan camouflages itself as source port 53 (DNS)

>nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 — script “default or (discovery and safe)”



Akash Ranjan Patel

InfoSec Writer/Instructor/Custom Course Creator Bug Bounty Hunter Penetration Tester