NMAP Cheatsheet


This is just a little cheatsheet I created for myself about NMAP. It will be updated as I learn more about this tool.

1 Scan Types

1.1 TCP Connect Scans

Command: nmap -sN

  • performs three-way handshake with each target port -> depending on response, determines if the port is open
  • Responses are either
    • RST: Port is closed
    • SYN/ACK: Port is open (sends ACK back)
    • No response: Port is filtered (firewall drops packets -> could be set to reject packets with tcp-reset, which makes a scan less effective)

1.2 TCP SYN Scans

Command: sudo nmap -sN

  • Similar to TCP Scan, but sends a RST back instead of ACK
  • aka. stealth scans


  • Can bypass older IDS’s that look for 3-way handhsake
  • Often not logged by applications listening on open ports (they usually log only fully established connections)
  • faster than TCP scans


  • require sudo
  • might crash unstable services

1.3 UDP Scans

Command: nmap -sU

  • stateless -> send packages and hope that it works

1.4 Firewall Evasion

  • Windows systems drop ICMP packages per default -> Ping doesn’t work
  • We can use -Pn flag to not bother pinging the host -> inefficient if host really is not alive
  • -f can be used to break up packets -> less likely to be detected by firewall or IDS
  • --scan-delay <time>ms to add a delay
  • --badsum generates an invalid Checksup for the packet -> Used to detect presence of firewall or IDS