
Nmap Cheatsheet: Essential Flags for Pentesters

The Nmap flags I actually use on engagements — from quick discovery sweeps to slow OS-fingerprinting scans that don't trip the IDS.

By Javier Hernández, Pentester @ Accenture | OSCP (in progress). 4 min read

Every pentester has their own nmap muscle memory. Mine is built from years of finding out the hard way which flags are worth the wait and which ones look impressive in books but never show up on a real engagement. Below is the short list I actually type. No -A against production. No --script=vuln on the entire scope. Just the flags that earn their keep.

The Daily Driver Scans

For initial discovery on a /24, I want to know which hosts are alive without hammering every port. A ping sweep is the right tool:

nmap -sn -PE -PP -PS80,443,22 -PA80,443 10.10.10.0/24 -oA discover

-sn disables port scanning. -PE is ICMP echo, -PP is ICMP timestamp (sometimes the only thing a Windows host responds to), and the -PS / -PA probes add SYN and ACK pings against common ports for hosts that drop ICMP. The -oA flag writes three output formats at once (nmap, gnmap, xml) so I never have to re-run a scan just to grep for a different field.


Once I have a host list, the fast TCP top-1000 sweep follows:

nmap -sS -T4 --top-ports 1000 -iL alive.txt -oA tcp-top1000

-sS is the half-open SYN scan, faster and stealthier than -sT. -T4 is the right timing on a lab or an internal engagement; never use -T5 on a real target — you'll miss ports because the scanner gives up too quickly. For external engagements where the client has asked me to be polite, -T2 and a small --max-rate keep me under most blue-team thresholds.

For the full port range — and you should always do this once per host, on top of the top-1000 — I separate it out into its own pass:

nmap -sS -p- --min-rate 5000 -T4 10.10.10.42 -oA fullports

-p- means ports 1 through 65535. --min-rate 5000 keeps the scan moving when the host is silent. The cost is accuracy on unstable networks, so I always re-scan the discovered ports with default settings before drawing conclusions.
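The payoff of -oA is that the .gnmap files feed the next pass without re-scanning. The shell helpers below are an added example, not part of the original cheatsheet: they turn the discovery sweep's .gnmap into the alive.txt host list, pull the open TCP ports of one host out of the full-port .gnmap into a comma-separated list for -p, and assemble the narrow -sV -sC confirmation command for that host. The function names, the service-<host> output prefix and the embedded scan output are constructed for this example; the sample text mimics gnmap's "Host: ... Status:" and "Host: ... Ports:" lines rather than being a real scan.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet). Helpers that turn the
# grepable (.gnmap) output of the discovery sweep and the full-port scan into
# input for the next nmap pass. Function names are this example's own.

# Print one alive IP per line from a discovery .gnmap read on stdin.
# gnmap writes "Host: <ip> (<name>)<TAB>Status: Up" for each responding host.
alive_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print the open TCP ports of one host ($1) as a comma-separated list, ready
# for nmap -p, from a port-scan .gnmap read on stdin. Fields are tab-separated
# and each entry in the "Ports:" field looks like "22/open/tcp//ssh///".
open_tcp_ports() {
    awk -v host="$1" -F '\t' '
        /^Host:/ {
            split($1, h, " ")                # h[2] is the IP address
            if (h[2] != host) next
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")  # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open" && f[3] == "tcp")
                        out = ((out == "") ? f[1] : (out "," f[1]))
                }
            }
        }
        END { print out }'
}

# Build (but do not run) the narrow follow-up command for one host, using the
# cheatsheet's -sV -sC pattern against only the ports the full sweep found.
# Returns 1 when the host has no open TCP ports in the file.
rescan_command() {
    ports=$(open_tcp_ports "$1")
    [ -n "$ports" ] || return 1
    printf 'nmap -sV -sC -p %s -oA service-%s %s\n' "$ports" "$1" "$1"
}

# Constructed sample standing in for discover.gnmap (not a real scan).
sample_discover_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sn -PE -PP -PS80,443,22 -PA80,443 10.10.10.0/24 -oA discover\n'
    printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.7 ()\tStatus: Down\n'
    printf 'Host: 10.10.10.42 (db01.lab.local)\tStatus: Up\n'
    printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.12 seconds\n'
}

# Constructed sample standing in for fullports.gnmap (not a real scan).
sample_fullports_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -sS -p- --min-rate 5000 -T4 10.10.10.42 -oA fullports\n'
    printf 'Host: 10.10.10.42 (db01.lab.local)\tStatus: Up\n'
    printf 'Host: 10.10.10.42 (db01.lab.local)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (65530)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned in 14.80 seconds\n'
}

# Usage on real files:
#   alive_hosts < discover.gnmap > alive.txt
#   rescan_command 10.10.10.42 < fullports.gnmap
# Demonstration on the constructed samples:
sample_discover_gnmap | alive_hosts
sample_fullports_gnmap | rescan_command 10.10.10.42
```

The port extractor keeps only entries whose state is exactly "open", so the filtered 8443 in the sample is dropped; that is deliberate, since the point of the confirmation pass is to re-check ports the fast --min-rate sweep reported as open, not to chase every timeout.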

Service Detection Without the Foot-Cannons

Once I know the open ports, version detection on just those ports is dramatically cheaper than scanning everything from scratch:

nmap -sV -sC -p 22,80,443,3306 -oA service 10.10.10.42

-sV runs version detection, -sC runs the default NSE script category — the safe ones that probe banners, grab certificates, enumerate Samba shares, list HTTP titles, and so on. Together they give you 80 % of what -A gives you, without the OS fingerprint that often gives away your IP to the IDS.

When I want OS detection separately and I know the target can handle it:

nmap -O --osscan-guess 10.10.10.42

--osscan-guess makes nmap return its best guess even when the fingerprint is ambiguous. It is very noisy, so save this for boxes you have already loudly touched, not for the first packet you send.

UDP — The Step Everyone Skips

UDP scanning is slow, unreliable, and absolutely essential. Domain controllers, SNMP services, IPSec, IKE, DNS, and TFTP all live on UDP and all of them have produced findings in my reports. The minimum acceptable UDP scan is the top-100:

nmap -sU --top-ports 100 -T4 --max-retries 1 10.10.10.42 -oA udp

--max-retries 1 cuts the timeout in half. You will miss the occasional filtered port, but the alternative is a 6-hour scan you cancel.

Scripts, but Surgical

The NSE library is huge and dangerous. Running --script=vuln blindly will crash printers, lock out AD accounts, and trip every SIEM rule the client has. Use it surgically. A few I trust:

# SMB — version, signing, null sessions
nmap -p445 --script smb-protocols,smb-security-mode,smb2-security-mode 10.10.10.42

# TLS — ciphers, certs, expiry
nmap -p443 --script ssl-enum-ciphers,ssl-cert 10.10.10.42

# HTTP — auth methods, robots, common dirs
nmap -p80,443 --script http-methods,http-headers,http-robots.txt 10.10.10.42

These are read-only, well-behaved, and rarely flagged. Anything in the intrusive or dos script categories should be opt-in, per host, in writing.
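A cheap way to enforce the opt-in rule is to check a script's categories before it ever touches a host: nmap --script-help <scripts> prints a "Categories:" line for each script, and that text can be gated. The snippet below is an added example, not part of the original cheatsheet: it parses --script-help output from stdin and refuses the run if any requested script carries a denied category. The function names and the embedded help text are constructed for this example (the sample mimics --script-help's name / Categories / URL / description layout, with short made-up descriptions); the category list for each named script is given as the example's assumption rather than quoted from nmap.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a pre-flight gate that
# reads `nmap --script-help <scripts>` output and refuses any script tagged
# with a category the engagement has not explicitly approved.
# Function names are this example's own.

# Categories that need written, per-host opt-in (the cheatsheet's rule).
DENIED_CATEGORIES="intrusive dos"

# Parse --script-help text on stdin into "name<TAB>categories" lines. Each
# script's help begins with its name alone on a line, followed by a
# "Categories: a b c" line; the banner, the nsedoc URL and the indented
# description are skipped.
script_categories() {
    awk '
        /^Categories: / { sub(/^Categories: /, ""); print name "\t" $0; next }
        /^[a-z0-9.-]+$/ { name = $0 }
    '
}

# Print each script whose categories intersect DENIED_CATEGORIES (one per
# line, with the offending category) and return 1; return 0 when all pass.
gate_scripts() {
    script_categories | awk -v denied="$DENIED_CATEGORIES" -F '\t' '
        BEGIN { n = split(denied, d, " "); for (i = 1; i <= n; i++) deny[d[i]] = 1 }
        {
            m = split($2, cats, " ")
            for (i = 1; i <= m; i++)
                if (cats[i] in deny) { print $1 " (" cats[i] ")"; bad = 1; break }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample standing in for `nmap --script-help` output (not real
# nmap output; categories are this example's assumption).
sample_script_help() {
    printf 'Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 00:00 UTC\n\n'
    printf 'smb-protocols\nCategories: safe discovery\n'
    printf 'https://nmap.org/nsedoc/scripts/smb-protocols.html\n'
    printf '  Constructed description: lists SMB dialects the server offers.\n\n'
    printf 'http-robots.txt\nCategories: default discovery safe\n'
    printf 'https://nmap.org/nsedoc/scripts/http-robots.txt.html\n'
    printf '  Constructed description: reads disallowed paths from robots.txt.\n\n'
    printf 'smb-brute\nCategories: intrusive brute\n'
    printf 'https://nmap.org/nsedoc/scripts/smb-brute.html\n'
    printf '  Constructed description: guesses credentials over SMB.\n'
}

# Usage against a real nmap, gating the cheatsheet's SMB line:
#   nmap --script-help smb-protocols,smb-security-mode,smb2-security-mode | gate_scripts \
#     && nmap -p445 --script smb-protocols,smb-security-mode,smb2-security-mode 10.10.10.42
# Demonstration on the constructed sample (the third script is refused):
sample_script_help | gate_scripts || echo "refused: needs written opt-in"
```

Wire it into whatever wrapper you launch scans from and the "is this script safe?" question gets answered from nmap's own metadata instead of from memory; widen DENIED_CATEGORIES to taste if the client's rules of engagement exclude more than intrusive and dos.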

Practical Takeaways

The pattern is always: discover broadly, enumerate narrowly, exploit specifically. A noisy -A against everything you can ping is a great way to look busy and learn nothing. A discovery sweep + top-1000 + targeted version detection on real ports + targeted UDP gets you to a working attack surface map in under an hour, with output files you can grep against for the rest of the engagement. Pair the output with a quick visual recon pass — for example our favicon grabber or the subdomain finder — and you have a starting point that doesn't waste anyone's time.

Print this cheatsheet. Tape it to your monitor. Stop typing -A. Future you will thank you.
