Best NMAP Pentest Tutorial / Cheat Sheet

What is NMAP ?


Nmap (Network Mapper) is an open-source tool that specializes in network exploration and security auditing, originally published by Gordon “Fyodor” Lyon. The official website is ( Nmap is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Beginner Commands


This page is for 3-year-old girls or anyone who is just starting out with Nmap.

Basic Scanning Techniques


Here I will show the basic techniques for scanning a network or host. Before that, you should know how Nmap reports port states after a scan.

Port Status: After a scan, each port is reported with a state such as open, closed or filtered. Let me explain what these mean.


Open: This indicates that an application is listening for connections on this port.

Closed: This indicates that the probes were received but there is no application listening on this port.

Filtered: This indicates that the probes did not reach the port and no state could be established, typically because they are being dropped by some kind of filtering.

Unfiltered: This indicates that the probes were received but Nmap could not determine whether the port is open or closed.

Open/Filtered: This indicates that the port is either open or filtered, but Nmap could not determine which.

Closed/Filtered: This indicates that the port is either closed or filtered, but Nmap could not determine which.



  1. Let’s say our target is

Open command prompt and type


Scan Multiple Network/Targets

Nmap can scan multiple targets in a single run for host discovery and information gathering.

Command: nmap host1 host2 host3 ... This works for whole subnets as well as for a list of individual IP addresses.

Scan a Range Of IP address



Nmap can also be used to scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation.

Usage syntax: nmap [Network/CIDR]



Scan a list of targets


If you have a large number of systems to scan, you can enter the IP address (or host names) in a text file and use that file as input for Nmap on the command line.

syntax: nmap -iL [list.txt]

Scan Random Targets


The -iR parameter can be used to select random Internet hosts to scan. Nmap will randomly generate the specified number of targets and attempt to scan them.


syntax: nmap -iR [number of hosts]

Scanning random Internet hosts is not a good habit unless you have been engaged for a specific project.

The --exclude option is used to leave certain hosts out of a scan.

syntax: nmap [targets] --exclude [host(s)]

ex: nmap --exclude


Aggressive Scan


The aggressive scan (-A) bundles the most commonly used Nmap options as a simpler alternative to typing out a long option string; it includes traceroute as well.


Command: nmap -A host


Discovery With Nmap


Discovery with Nmap is very interesting and very helpful for penetration testers. During discovery one can learn about services, port numbers, firewall presence, protocols, the operating system, etc. We will discuss these one by one. See the image below from SANS, which lists the different probing options and scan types; go through it completely.


Service Version Detection

-sV Probe open ports to determine service/version info
--version-intensity LEVEL Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)
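The port states explained above and the service/version fields produced by -sV both appear in Nmap's grepable (-oG) report. The parser below is an added example, not part of this tutorial or of Nmap itself: it reads a constructed -oG sample (the hosts, names and version strings are made up) and summarises ports per state and the open services found.

```python
import re
from collections import Counter

# Constructed sample of `nmap -sV -oG - <targets>` output (not a real scan).
# Each "Ports:" entry is port/state/proto/owner/service/rpc/version/, and the
# state is one of: open, closed, filtered, unfiltered, open|filtered, closed|filtered.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (web.example)\tStatus: Up
Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.20 ()\tPorts: 53/open|filtered/udp//domain///, 161/filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [dict, ...]}} parsed from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # "Status:" and "Ignored State:" fields are not needed here
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({"port": int(port), "proto": proto, "state": state,
                                       "service": service, "version": version})
    return hosts


def state_summary(hosts):
    """Count ports per reported state across all hosts."""
    # -> {'open': 2, 'closed': 1, 'open|filtered': 1, 'filtered': 1} for SAMPLE_GNMAP
    return dict(Counter(p["state"] for e in hosts.values() for p in e["ports"]))


def open_services(hosts):
    """(ip, port, proto, service, version) for every port reported plain 'open'."""
    return [(ip, p["port"], p["proto"], p["service"], p["version"])
            for ip, e in sorted(hosts.items()) for p in e["ports"] if p["state"] == "open"]
```

Feed it a real report with `nmap -sV -oG scan.gnmap <targets>` and `parse_gnmap(open("scan.gnmap").read())`; the summary makes it easy to spot which hosts answered with filtered states versus real listeners.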


Firewall/IDS Evasion and Spoofing

-f; --mtu VALUE Fragment packets (optionally with the given MTU)
-D decoy1,decoy2,ME Cloak a scan with decoys
-S IP-ADDRESS Spoof source address
-e IFACE Use specified interface
--source-port PORTNUM Use given source port number
--proxies url1,[url2],... Relay connections through HTTP / SOCKS4 proxies
--data-length NUM Append random data to sent packets
--ip-options OPTIONS Send packets with specified IP options
--ttl VALUE Set IP time-to-live field
--spoof-mac ADDR/PREFIX/VENDOR Spoof MAC address
--badsum Send packets with a bogus TCP/UDP/SCTP checksum


Now get up and get some coffee, because the next part will be intense (hopefully)...
