~/toolsnmap-cheat-sheet

Nmap Cheat Sheet & Command Builder

Pick your scan options to build a ready Nmap command, and browse the flag reference - in your browser.

Apenas para testes de segurança autorizados e fins educacionais. Use somente em sistemas que você possui ou tem permissão explícita para testar.
nmap-cheat-sheet Local · sem envio
  1. Pick a scan type in the builder, such as a SYN scan or a ping sweep, to form the base of the command.
  2. Toggle options like service detection, script scanning, timing, and port selection to add the right flags.
  3. Copy the assembled nmap command, and use the flag reference table to look up anything unfamiliar.
  4. Only run the command against hosts and networks you own or have written permission to scan.

Nmap, the Network Mapper, is the standard tool for discovering what is on a network and what those hosts are running. In the reconnaissance phase of any assessment it answers the first questions you need: which machines are alive, which ports are open, and what services sit behind them. This command builder assembles the right nmap invocation from the options you choose, and the reference table explains each flag so you learn the tool rather than just copying commands. A firm rule applies throughout: scan only networks you own or are explicitly authorised to test, because port-scanning systems without permission can itself be unlawful.

Common scan types

The scan type decides how Nmap probes each port. The default for a privileged user is the SYN scan, -sS, which sends a SYN packet and reads the reply without completing the handshake - fast and relatively quiet. Without root you fall back to the TCP connect scan, -sT, which finishes the full three-way handshake and is therefore noisier and more likely to be logged. UDP services need -sU, which is slower because UDP has no handshake to lean on. When you only want to know which hosts are up without touching ports at all, a ping sweep with -sn discovers live hosts across a range.

Service, OS, and script detection

Knowing a port is open is rarely enough - you want to know what is listening. Version detection, -sV, interrogates each open port to fingerprint the service and its version. OS detection, -O, guesses the operating system from subtle differences in how the stack responds. The Nmap Scripting Engine adds deeper checks: -sC runs the default script set, while --script lets you name specific scripts or categories, for example --script vuln to look for known issues. The aggressive option -A bundles version detection, OS detection, default scripts, and traceroute into one convenient (but loud) flag.

Ports, timing, and host discovery

By default Nmap checks the 1000 most common ports. You narrow or widen that with -p: use -p 80,443 for specific ports, -p 1-1000 for a range, -p- to scan all 65535 ports, or --top-ports 100 to focus on the hundred most likely. Timing templates from -T0 (paranoid and slow) to -T5 (insanely fast) trade stealth against speed; -T4 is a common, reasonably brisk choice for a lab or an authorised engagement. Finally, -Pn tells Nmap to skip host discovery and treat every target as online, which is essential when a firewall drops the ping probes Nmap would otherwise use to decide a host is down.

A worked example

Suppose you want a solid all-round scan of an authorised target. You might build up nmap -sV -sC -T4 -Pn 10.10.10.5. Reading it flag by flag: -sV fingerprints the service and version on each open port; -sC runs the default scripts to pull banners and catch common misconfigurations; -T4 keeps the scan moving at a brisk pace; and -Pn skips the initial ping so a firewall that blocks ICMP does not make Nmap wrongly conclude the host is offline. The trailing 10.10.10.5 is the target you are permitted to test. That single command gives you an open port list, the software behind each port, and a first pass of script findings - a strong foundation for the rest of an assessment, and a good habit to practise in a lab before you ever touch a live engagement.

Perguntas frequentes

What is Nmap?
Nmap (Network Mapper) is the standard open-source tool for network discovery and port scanning. It finds live hosts, open ports, running services and versions, and can run scripts to probe for vulnerabilities - the foundation of the recon phase.
Is it legal to run Nmap?
Scan only networks you own or are authorized to assess, such as HackerDNA's labs. Unauthorized scanning can violate computer-misuse laws and acceptable-use policies. Use this builder to learn the flags and practice on legal targets.
What is the difference between -sS and -sT?
-sS is a SYN (half-open) scan that is fast and stealthier because it never completes the TCP handshake; -sT is a full connect scan that is more detectable but needs no special privileges. The builder shows which flags a scan combines.
How do I scan for service versions?
Add -sV to fingerprint service versions and -O to guess the operating system; -sC runs the default NSE scripts. Combining them (nmap -sVC) is a common thorough first pass - the builder assembles it for you.
Does this tool scan for me?
No. It builds the command text in your browser for you to run in your own authorized terminal. HackerDNA never performs a scan on your behalf.

Pratique de verdade

Pratique em alvos reais

Transforme essas ferramentas em habilidades com labs práticos e cursos guiados na HackerDNA.

Criar uma conta gratuita
15.000+ Hackers 100+ Labs & Cursos Grátis
Comece Grátis