Scanning

Nmap

What I do most of the time when scanning

Some of the most frequent nmap commands I use

Command	Description
nmap -sn 192.168.1.1/24 -oA initialScan	Scan the subnet and output to all formats with the name initialScan
grep "Up" initialScan.gnmap | awk {'print $2'} >> hostsAlive.txt	Look for hosts that are UP within our initialScan.gnmap and print just the IP to hostsAlive.txt
nmap -A -T4 -iL hostsAlive.txt	Aggressive Scan from hostsAlive list

Common switches

Some common nmap switches

Switch	Example	Description
-sS	nmap 192.168.1.1 -sS	TCP SYN port scan (Default)
-sT	nmap 192.168.1.1 -sT	TCP connect port scan (Default without root privilege)
-sU	nmap 192.168.1.1 -sU	UDP port scan
-sn	nmap 192.168.1.1/24 -sn	Disable port scanning. Host discovery only.
-Pn	nmap 192.168.1.1-5 -Pn	Disable host discovery. Port scan only.

Port Specification

Switches for scanning different ports

Switch	Example	Description
-p	nmap 192.168.1.1 -p 21-100	Port scan for port x
-p-	nmap 192.168.1.1 -p-	Port scan all ports
--top-ports	nmap 192.168.1.1 --top-ports 2000	Port scan the top 2000 ports

Service and Version Detection

Switches for scanning for different services and version detection

Switch	Example	Description
-sV	nmap 192.168.1.1	Attempts to determine the version of the service running on port
-A	nmap 192.168.1.1 -A	Enables OS detection, version detection, script scanning, and traceroute
-O	nmap 192.168.1.1 -O	Remote OS detection using TCP/IP stack fingerprinting

Enumeration

To be continued

fping

Scan subnet for alive hosts

fping -a -q -g 172.16.33.108/24

Resources

NMAP Cheat Sheetwww.tutorialspoint.com

Nmap Cheat Sheet 2026: All the Commands & FlagsStationX

Nmap: the Network Mapper - Free Security Scannernmap.org