CEH • Reconnaissance • Practical scanning

Nmap Recon Cheat Sheet (CEH-style)

The goal isn’t “scan everything.” The goal is: discover → validate → reduce attack surface.

$ nmap -sn 10.10.0.0/24
Host discovery → decide what is in scope
$ nmap -sV -sC -oN scan.txt target
Service detection + default scripts → evidence

Safety first (professional rule)

  • Only scan what you own or have written permission to test.
  • Start small: discovery → top ports → expand only if needed.
  • Document: scope, time window, commands, results, and remediation notes.

Phase 1: Discovery

nmap -sn 10.10.0.0/24
nmap -sn -PS80,443 -PA80,443 10.10.0.0/24
nmap -Pn 10.10.0.15

Use discovery to build an accurate target list. If ICMP is blocked, try TCP SYN/ACK probes on ports the host is likely to answer on (80/443 in the example above). -Pn skips host discovery entirely and treats the target as up (use it when discovery fails for a host you know exists; every listed address is then port-scanned, so keep the target list tight).

Phase 2: Port scanning

# Quick top ports (fast signal)
nmap --top-ports 200 -T3 target

# Full TCP ports (slower, thorough)
nmap -p- -T3 target

# UDP (use carefully; UDP can be noisy/slow)
nmap -sU --top-ports 50 -T3 target

Real-world tip: start with top ports, then go full only for systems that matter (servers, gateways, exposed apps).

Phase 3: Identify services & versions

nmap -sV target
nmap -sV --version-intensity 7 target
nmap -sC -sV -p 22,80,443,445 target

Version detection is where recon becomes actionable: a port number alone is not a risk. Service + version + exposure is risk.

Phase 4: Scripted validation (NSE)

# Default safe scripts
nmap -sC -sV target

# Targeted scripts (examples)
nmap --script vuln -sV target
nmap --script http-enum -p80,443 target
nmap --script smb-os-discovery,smb2-security-mode -p445 target

Use scripts for validation, not for drama. In professional environments, the output must translate to remediation.

Output you should keep (for evidence)

nmap -sC -sV -oN nmap.txt -oX nmap.xml target
nmap -p- -sV -oN full-tcp.txt target

  • nmap.txt: human-readable notes
  • nmap.xml: machine-readable; import to tools/reporting later

How to read results like a cybersecurity professional

  • Exposure: Is it internal-only or internet-facing?
  • Privilege: Does compromise lead to admin/domain impact?
  • Exploitability: Is there a known CVE and realistic path?
  • Compensating controls: MFA, segmentation, EDR, monitoring.
  • Decision: patch / disable / restrict / monitor / accept (with approval).
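As an added example (not part of the cheat sheet, and not Nmap's own tooling), a small Python parser for the nmap.xml evidence file that turns each open port into the service + version + exposure row the checklist above asks for. It assumes a constructed XML sample (SAMPLE_NMAP_XML, lab/documentation addresses) and a hypothetical engagement-scope list of internal ranges (INTERNAL_NETS) as the exposure rule; open ports that -sV could not fingerprint are listed separately as the gap to validate before reporting.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Internal ranges from the engagement scope (constructed; the page's 10.10.0.0/24 lab range).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed stand-in for what `nmap -sV -oX nmap.xml ...` writes, trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 10.10.0.15 203.0.113.7">
<host><status state="up"/><address addr="10.10.0.15" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="closed"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
</ports></host>
</nmaprun>"""

def exposure(addr):
    """Scope-based label: inside an internal range -> internal-only, else internet-facing."""
    ip = ipaddress.ip_address(addr)
    return "internal-only" if any(ip in net for net in INTERNAL_NETS) else "internet-facing"

def parse_findings(xml_text):
    """One row per open port: host, port, proto, service, version evidence, exposure."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                # empty when -sV could not fingerprint the service: needs manual validation
                "version": (attrs.get("product", "") + " " + attrs.get("version", "")).strip(),
                "exposure": exposure(addr),
            })
    return rows

def needs_validation(rows):
    # Open ports with no version evidence: the gap to close before reporting.
    return [r for r in rows if not r["version"]]
```

Point it at a real nmap.xml by reading the file into parse_findings; the XML produced by -oX carries the same host/ports/port/state/service elements used here.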