Sandbox99 Chronicles

Nmap Cheat Sheet: Essential Scans for Ethical Hackers and Network Admins


Written by Jose Mendez

Hi, I’m Jose Mendez, the creator of sandbox99.cc. With a passion for technology and a hands-on approach to learning, I’ve spent more than fifteen years navigating the ever-evolving world of IT.

Published Jul 16, 2025 | Last updated on Jul 16, 2025 at 1:14PM


🧹 Introduction

Nmap (Network Mapper) is a powerful open-source tool used by ethical hackers, network administrators, and security professionals for network discovery and security auditing. Whether you’re scanning for open ports, fingerprinting services, or detecting operating systems, Nmap offers a flexible and scriptable environment to gain critical insights into your network. This cheat sheet is designed to serve as a quick reference for some of the most common and useful Nmap commands.

🔧 Basic Usage

Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}

# Examples:
nmap 192.168.1.1                    # Scan a single IP
nmap 192.168.1.1 192.168.1.2        # Scan multiple IPs

🚀 Common Nmap Scans

sudo nmap -sn <target>              # Ping Scan
sudo nmap -sS <target>              # TCP SYN Scan
sudo nmap -sT <target>              # Connect Scan
sudo nmap -sU <target>              # UDP Scan
sudo nmap -A  <target>              # Aggressive Scan
sudo nmap -T4 -F <target>           # Quick Scan

🔖 Port Specification

sudo nmap -p 22,80,443 <target>     # Scan Specific Ports
sudo nmap -p 1-1000 <target>        # Scan Port Ranges
sudo nmap -p- <target>              # Scan All Ports
sudo nmap -F  <target>              # Fast port scan (100 ports)
sudo nmap --top-ports 1000 <target> # Port scan the top x most common ports

🧠 OS and Service Detection

sudo nmap -O <target>               # Operating System Detection
sudo nmap -sV <target>              # Service Version Detection
sudo nmap -A <target>               # Enable OS detection, version detection, script scanning, and traceroute
sudo nmap -sV --version-all <target> # Intensity level 9; most thorough but slower

sudo nmap -sV --version-intensity 8 <target>
# Intensity level 0 to 9; higher values try more probes, so they are more accurate but slower

sudo nmap -sV --version-light <target>
# Enable light mode (intensity 2). Faster, but less likely to identify services correctly

🔍 Host Discovery

sudo nmap -n <target>               # No DNS Resolution
sudo nmap -sL <target>              # List Target Only
sudo nmap -PR <target>              # ARP Scan (Local Network)
sudo nmap -Pn <target>              # Disable host discovery, Port scan only
sudo nmap -PS<ports> <target>       # TCP SYN discovery on the given ports (default 80)
sudo nmap -PA<ports> <target>       # TCP ACK discovery on the given ports (default 80)
sudo nmap -PU<ports> <target>       # UDP discovery on the given ports (default 40125)

🎯 Target Specification

sudo nmap 192.168.1.1-254                         # IP Ranges
sudo nmap 192.168.1.0/24                          # CIDR Notation
sudo nmap -iL target.txt                          # Input From File
sudo nmap 192.168.1.0/24 --exclude 192.168.1.5    # Exclude Hosts

⏱ Timing and Performance

# Timing Templates
sudo nmap -T0 <target>          # Paranoid (0) Intrusion Detection System evasion
sudo nmap -T1 <target>          # Sneaky (1) Intrusion Detection System evasion
sudo nmap -T2 <target>          # Polite (2) slows down the scan to use less bandwidth
sudo nmap -T3 <target>          # Normal (3) which is default speed
sudo nmap -T4 <target>          # Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
sudo nmap -T5 <target>          # Insane (5) speeds scans; assumes you are on an extraordinarily fast network
sudo nmap --max-retries <num> <target>   # Max Retries
sudo nmap --scan-delay <time> <target>   # Scan Delay

🛠 NSE Scripts (Nmap Scripting Engine)

sudo nmap -sC <target>                     # Default Scripts
sudo nmap --script=http-title <target>     # Specific Script
sudo nmap --script=vuln <target>           # By Categories
sudo nmap -sV --script=vuln <target>       # Combine with Version Detection
sudo nmap --script=banner <target>         # Grabbing banner
sudo nmap --script="http*" <target>        # Scan with wildcard http (quoted so the shell does not expand it)
sudo nmap --script=http-sql-injection <target> # Check for SQL injections

sudo nmap -p3306 --script=mysql-empty-password <target>
# Checking Empty password

sudo nmap -p80 --script=http-unsafe-output-escaping <target>
# Detect cross site scripting vulnerabilities

sudo nmap -n -Pn -vv -O -sV --script "smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2*" <target>
# Safe SMB scripts to run

sudo nmap -n -Pn -p80 --open -sV -vvv --script=banner,http-title -iR 1000 <target>
# Fast search for random web servers

📁 Output Formats and Examples

sudo nmap -oN output.txt <target>          # Normal Output
sudo nmap -oG output.txt <target>          # Grepable Output
sudo nmap -oX output.xml <target>          # XML Output
sudo nmap -oA output <target>              # All Formats (writes output.nmap, output.gnmap, output.xml)

sudo nmap -p80 -sV -oG - --open <CIDR IPs> | grep open
# Scan for web servers and grep to show which IPs are running web servers

sudo nmap -n -oX out.xml <CIDR IPs> | grep "Nmap scan report" | cut -d " " -f5 > live-hosts.txt
# Generate a list of the IPs of live hosts (only the "Nmap scan report for <IP>" lines carry an address in field 5)
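
The grepable output above is usually filtered with a plain grep, which also matches lines whose only hit is "open|filtered" and says nothing about which port on the line is open. The following added example (not from the original post) parses each port field instead and reports confirmed-open ports that are missing from an approved baseline; the sample lines, the baseline and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `nmap -oG -` output against an approved-exposure baseline.
# All data is constructed (RFC 5737 documentation addresses), not real scan output.

sample_gnmap() {   # hypothetical helper: emits constructed grepable-output lines
  printf 'Host: 192.0.2.1 (gw.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/closed/tcp//http///, 443/open/tcp//https//nginx 1.18.0/\n'
  printf 'Host: 192.0.2.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//Apache httpd 2.4.41/\n'
  printf 'Host: 192.0.2.3 ()\tPorts: 22/closed/tcp//ssh///, 53/open|filtered/udp//domain///\n'
}

# Read grepable output on stdin; print "ip port/proto service" for ports whose
# state is exactly "open" (closed, filtered and open|filtered are skipped).
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        p = $i; sub(/^Ports: /, "", p)
        n = split(p, entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")   # port/state/proto/owner/service/rpc/version/
          if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
      }
    }'
}

approved_baseline() {   # hypothetical allowlist of expected exposures
  printf '192.0.2.1 22/tcp\n192.0.2.1 443/tcp\n'
}

# Read open_ports output on stdin; print every ip/port pair not in the baseline.
unexpected_exposures() {
  baseline=$(approved_baseline)
  while read -r ip port svc; do
    printf '%s\n' "$baseline" | grep -qxF "$ip $port" || printf '%s %s\n' "$ip" "$port"
  done
}

sample_gnmap | open_ports | unexpected_exposures
```

In practice, replace sample_gnmap with the scan's saved .gnmap file and keep the baseline under version control so changes in exposure show up as a diff.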

📌 Useful Examples

sudo nmap -p 80,443 --open <target>        # Find Open Web Ports
sudo nmap -sn 10.0.0.0/24                  # Find Live Hosts in Subnet
sudo nmap -Pn -p 80,443 <target>           # Firewall Evasion Check
sudo nmap -T4 -F <target> -oA initial      # Initial Scan (writes initial.nmap, initial.gnmap, initial.xml)
sudo nmap -Pn -sV -sC -pxx,xxx,xxx <target> -oA moderate-scan

🚡 Legal & Ethical Reminder

Always scan responsibly. Make sure you have explicit permission to scan any network or host. Unauthorized scanning can be illegal and unethical. Refer to local laws such as the Computer Fraud and Abuse Act (CFAA) in the U.S. or similar laws in your jurisdiction.

🧠 Final Thoughts

Nmap is a cornerstone tool in the world of ethical hacking and network troubleshooting. Mastering its essential scans can dramatically improve your situational awareness and operational efficiency. Use this cheat sheet as a launchpad for your Nmap learning and incorporate it into your daily toolkit. And remember—with great scanning power comes great responsibility.
