Nmap was first released in 1997 and is still the network scanner most penetration testers open first. Most testers use a small fraction of its capability and miss the rest. This cheatsheet covers the flags we actually use across BFSI and government engagements, grouped by what you're trying to accomplish.
Discovery — what's alive
# Host discovery only. As root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp; ARP requests instead on a local Ethernet segment. Unprivileged: TCP connect to 80 and 443 only
nmap -sn 10.0.0.0/24
# Skip discovery and treat every address as up (needed when ICMP and the probe ports are filtered; -p- on a /24 is slow)
nmap -Pn -p- 10.0.0.0/24
# List scan: reverse-DNS lookups only, no packets to the targets (the DNS queries still go to your resolver)
nmap -sL 10.0.0.0/24

Port scans you'll actually use
# Fast SYN scan, top 1000 ports
sudo nmap -sS -T4 <target>
# All TCP ports, version detection, default scripts, OS guess
sudo nmap -sS -sV -sC -O -p- -T4 <target>
# UDP scan (slow but mandatory)
sudo nmap -sU --top-ports 100 -T4 <target>
# Both TCP and UDP in one go
sudo nmap -sS -sU -p T:1-65535,U:53,67,68,123,161,500 <target>
# Service version + script scan against a single port
sudo nmap -sV -sC -p 443 <target>
# Aggressive: -sV -sC -O --traceroute in one flag (do not use against production without approval)
sudo nmap -A -T4 <target>
# IPv6
sudo nmap -6 -sS -p- <target>
# From a list of targets; -oA writes .nmap/.gnmap/.xml with this prefix and the outputs/ directory must already exist
sudo nmap -iL targets.txt -oA outputs/scan-2026-04

Timing templates demystified
| Template | Speed | When to use |
|---|---|---|
| -T0 (paranoid) | One probe every 5 minutes, days per host | IDS evasion in an active red team; serializes probes, which only defeats time-window thresholds |
| -T1 (sneaky) | One probe every 15 seconds, hours per host | Same, slightly faster |
| -T2 (polite) | Slow, probes serialized with a 0.4 s gap | Production where stability matters |
| -T3 (default) | Normal, parallel probes | Most engagements |
| -T4 (aggressive) | Fast, shorter timeouts | Authorized internal scanning on reliable networks |
| -T5 (insane) | Very fast, gives up on slow responders | CTFs and lab environments only; expect missed ports |
NSE — the scripts that find vulnerabilities
# Default safe scripts
nmap -sC <target>
# Vulnerability scripts (loud, run with care)
nmap --script vuln <target>
# Specific script
nmap --script smb-vuln-ms17-010 -p 445 <target>
# All HTTP-related scripts on 80/443
nmap --script "http-*" -p 80,443 <target>
# Rebuild the local script index after adding scripts to the scripts directory (this does not download new scripts)
sudo nmap --script-updatedb

NSE scripts our consultants run on every engagement
| Script | Finds |
|---|---|
| smb-os-discovery | OS, hostname and domain via SMB negotiation |
| smb-enum-shares | SMB shares and access level (anonymous, or authenticated via the smbusername/smbpassword script args) |
| smb-vuln-ms17-010 | MS17-010 (EternalBlue, the bug WannaCry spread through) |
| smb2-security-mode | SMB2/3 message signing: required, enabled-but-not-required, or disabled |
| ssl-enum-ciphers | Offered protocols and ciphers, graded A to F |
| ssl-cert | Certificate subject, issuer, SANs and validity dates |
| http-title / http-headers | Page title and response headers |
| http-enum | Common paths (admin panels, .git, backups) |
| dns-zone-transfer | Whether AXFR is allowed |
| snmp-info | SNMP engine details (enterprise, boots, uptime) via an SNMPv3 probe |
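The scripts in this table produce text that still has to be turned into findings. The following is an added example, not code from the original cheatsheet: a shell triage pass over normal-format (-oN) output from ssl-enum-ciphers and smb2-security-mode that emits one finding per line. The nmap output it parses is constructed here to mirror the scripts' layout (the host 10.0.0.5, the nginx and Windows banners and the cipher list are placeholders; nothing was scanned), and the function names are our own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheatsheet: turn ssl-enum-ciphers and
# smb2-security-mode output (-oN) into one finding per line. The nmap output
# below is constructed to mirror the scripts' format; no host was scanned.
set -eu

# Constructed sample of:
#   sudo nmap -sV --script ssl-enum-ciphers,smb2-security-mode -p 443,445 -oN nse.nmap 10.0.0.5
sample_nse() {
cat <<'EOF'
Nmap scan report for 10.0.0.5
Host is up (0.0021s latency).

PORT    STATE SERVICE       VERSION
443/tcp open  ssl/http      nginx 1.18.0
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
445/tcp open  microsoft-ds  Windows Server 2019 microsoft-ds
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
EOF
}

# Reads -oN output on stdin and prints "host<TAB>finding" lines for:
#  - any SSLv2/SSLv3/TLSv1.0/TLSv1.1 section (the protocol itself is a finding)
#  - any cipher the script graded below A
#  - SMB signing enabled-but-not-required or disabled (relayable)
# The host is whatever nmap printed first on the "Nmap scan report for" line
# (the IP, or the reverse-DNS name when nmap resolved one).
nse_triage() {
  awk '
    /^Nmap scan report for / { host = $5 }
    /^[|]   (SSLv[23]|TLSv1\.[01]):/ {
      p = $2; sub(/:$/, "", p)
      print host "\tdeprecated protocol offered: " p
    }
    /^[|]   (SSLv|TLSv)/ { proto = $2; sub(/:$/, "", proto) }
    /^[|]       (TLS|SSL)_/ && $NF != "A" {
      print host "\t" proto " " $2 " graded " $NF
    }
    /Message signing (enabled but not required|disabled)/ {
      print host "\tSMB signing not enforced"
    }
  '
}

# Number of findings, so a wrapper or CI gate can fail on non-zero.
finding_count() {
  nse_triage | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample
sample_nse | nse_triage
echo "findings: $(sample_nse | finding_count)"
```

Feed real output with `nse_triage < nse.nmap`. The protocol rule fires on the section header, so a TLSv1.0 section with only A-grade ciphers is still reported, which matches how most client policies treat it; widen the cipher threshold to `$NF !~ /^[AB]$/` if B grades are acceptable in the scope.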
Output — feed your other tools
# All formats at once with the same prefix
nmap -sS -p- -oA prefix <target>
# Produces prefix.nmap (text), prefix.gnmap (greppable), prefix.xml
# Greppable extraction: hosts with at least one open port ($2 is the IP on every gnmap Host: line)
grep "/open/" prefix.gnmap | awk '{print $2}'
# Convert XML to HTML with the nmap.xsl stylesheet referenced inside the XML (run nmap with --webxml to reference the online copy instead)
xsltproc prefix.xml -o prefix.html

Stealth and evasion
# Decoys: your real address is mixed with 10 random ones (explicit decoys as in -D d1,ME,d2 should be hosts that are up; the route and any egress NAT still identify you)
sudo nmap -D RND:10 -sS <target>
# Fixed source port; some stateless filters allow anything from 53 or 20 (raw-packet scans only, ignored by -sT and -sV connections)
sudo nmap --source-port 53 -sS <target>
# Split the TCP header across small IP fragments (defeats naive signature matching; most hosts and many filters reassemble first)
sudo nmap -f -sS <target>
# Random target order instead of a sequential sweep
sudo nmap --randomize-hosts -iL targets.txt

Common errors and fixes
| Error | Fix |
|---|---|
| dnet: Failed to open device eth0 | Raw-packet scans need root: run with sudo (on Windows, install Npcap) |
| WARNING: No targets were specified | You forgot the target argument |
| Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn | Add -Pn |
| UDP scan returns everything as open\|filtered | Add -sV so nmap sends protocol-specific payloads; ports that still do not answer stay ambiguous |
| Scan takes far longer than expected | Drop -T4 to -T3, split the scope, or bound each host with --host-timeout |
| RTTVAR has grown to over 2.3 seconds, decreasing to 2.0 | Lossy or high-latency path: slow down (-T2/-T3) or cap retries with --max-rtt-timeout and --max-retries |
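Putting the discovery and output sections together, the following is an added example and not code from the original cheatsheet: a two-phase workflow that turns a -sn sweep into the targets.txt used by the full scan, and then turns the full scan's greppable output into host,port,proto,service,version rows for other tools. Both .gnmap samples are constructed here to match nmap's -oG layout (the 10.0.0.x hosts, the banners and the port set are placeholders; nothing was scanned), and the function names are our own.

```bash
#!/usr/bin/env bash
# Added example, not part of the original cheatsheet: -sn sweep -> target list
# -> full scan -> CSV of open ports. Both .gnmap samples are constructed to
# match nmap's greppable layout; no hosts were scanned.
set -eu

# Constructed phase-1 output of:  nmap -sn -v -oG sweep.gnmap 10.0.0.0/24
# (down hosts appear in the file only because of -v)
sample_sweep() {
  printf '# Nmap 7.94 scan initiated as: nmap -sn -v -oG sweep.gnmap 10.0.0.0/24\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (fileserver.corp.local)\tStatus: Up\n'
  printf 'Host: 10.0.0.9 ()\tStatus: Down\n'
  printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 4.80 seconds\n'
}

# Constructed phase-2 output of:
#   sudo nmap -sS -sU -sV -p T:1-65535,U:161 -iL targets.txt -oG full.gnmap
sample_full() {
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (65534)\n'
  printf 'Host: 10.0.0.5 (fileserver.corp.local)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (fileserver.corp.local)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 161/open|filtered/udp//snmp///\tIgnored State: filtered (65533)\n'
}

# Phase 1 -> target list: the IP of every "Status: Up" line ($2 is the IP even
# when a reverse-DNS name sits in the parentheses).
up_hosts() {
  awk '/Status: Up/ { print $2 }'
}

# The phase-2 command line for a target list and -oA prefix. -oA will not
# create the prefix's directory, so the caller must mkdir -p it first.
full_scan_cmd() {
  printf 'sudo nmap -sS -sV -sC -O -p- -T4 -iL %s -oA %s\n' "$1" "$2"
}

# Phase 2 -> CSV: one row per port in state "open". Each entry in the Ports:
# field is port/state/proto/owner/service/rpc/version/ and entries are joined
# with ", "; a version string that itself contains ", " would be cut, so
# eyeball odd rows. open|filtered UDP ports are dropped: re-probe them with -sV.
open_ports() {
  awk '
    /Ports:/ {
      host = $2
      s = $0
      sub(/^.*Ports: /, "", s)
      sub(/[ \t]+Ignored State:.*$/, "", s)
      n = split(s, e, ", ")
      for (i = 1; i <= n; i++) {
        split(e[i], f, "/")
        if (f[2] == "open") print host "," f[1] "," f[3] "," f[5] "," f[7]
      }
    }
  '
}

# Stand-alone run on the constructed samples
work=$(mktemp -d)
sample_sweep | up_hosts > "$work/targets.txt"
echo "live hosts:"; cat "$work/targets.txt"
mkdir -p "$work/outputs"
echo "phase 2: $(full_scan_cmd "$work/targets.txt" "$work/outputs/full")"
echo "host,port,proto,service,version"
sample_full | open_ports
rm -rf "$work"
```

On a real engagement the two samples are replaced by `up_hosts < sweep.gnmap` and `open_ports < outputs/full.gnmap`; the CSV drops straight into a spreadsheet or a loop that hands each host:port to the service-specific tool.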
Our network pentesting track is one of several hands-on tracks Macksofy delivers across India and the UAE: CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
