Nmap Cheat Sheet: Randomized & Stealth Scanning
| Technique | Command | Purpose |
|---|---|---|
| Random Port Scan | `nmap -p- scanme.nmap.org` | Scans all 65535 ports. Nmap already randomizes port order by default (`-r` forces sequential order); `--randomize-hosts` shuffles host order, not port order. |
| Random Host Scan | `nmap -iL targets.txt --randomize-hosts` | Scans multiple hosts from a file in random order. |
| Decoy Scan | `nmap -D 192.168.1.100,10.0.0.5,ME scanme.nmap.org` | Masks your IP among spoofed decoy sources (`ME` marks the position of your real address). |
| Fragmented Packets | `nmap -f scanme.nmap.org` | Splits probe packets into small IP fragments to evade deep packet inspection. |
| Slow Timing Scan | `nmap -T2 scanme.nmap.org` | Uses the "polite" timing template to slow the scan and reduce detection risk. |
| Spoof MAC Address | `nmap --spoof-mac 00:11:22:33:44:55 scanme.nmap.org` | Bypasses MAC-based filters; only effective on the local Ethernet segment, since MAC addresses do not cross routers. |
| ACK Scan | `nmap -sA scanme.nmap.org` | Maps firewall rules (filtered vs. unfiltered) without completing a connection. |
| Idle Zombie Scan | `nmap -sI zombie_host scanme.nmap.org` | Uses a third-party idle host (the zombie) so probes appear to originate from it. |
| IP Protocol Scan | `nmap -sO scanme.nmap.org` | Determines which IP protocols (TCP, UDP, ICMP, etc.) the host responds to. |
| Fixed Source Port | `nmap --source-port 53 scanme.nmap.org` | Sends probes from source port 53 (DNS) to bypass firewalls that filter by source port. |
| Random port using shell | `nmap -p $(shuf -i 1-65535 -n 5 \| paste -sd, -) scanme.nmap.org` | See notes below. |
| Service Version Detection | `nmap -sV scanme.nmap.org` | Probes open ports to determine the service and version running on them. Useful for vulnerability assessments, patch management, and understanding a target's software stack. |
Random port using shell:
- `shuf -i 1-65535 -n 5` randomly selects 5 ports between 1 and 65535.
- `paste -sd, -` formats them as a comma-separated list.
- Nmap then scans those random ports on scanme.nmap.org.
Combined Nmap Command: Stealth + Service Detection
nmap -sS -sV -T2 -f --spoof-mac 00:11:22:33:44:55 scanme.nmap.org
What Each Flag Does:
- -sS: SYN scan (stealthy, doesn’t complete the TCP handshake)
- -sV: Enables service version detection
- -T2: Slows down the scan to reduce detection risk
- -f: Fragments packets to evade deep packet inspection
- --spoof-mac: Masks your MAC address to bypass MAC-based filters
Why This Combo Works:
This command allows you to:
- Identify open ports and the services running on them
- Detect service versions (e.g., Apache 2.4.41, SSH 8.2)
- Avoid triggering basic IDS/IPS systems
- Mask your identity and scan more discreetly
Note that -sV opens full TCP connections to each open port through the normal OS stack, so the version probes are neither fragmented nor half-open; the -sS and -f evasion applies only to the port-discovery phase, and a sensor watching completed connections will still see the service probes.
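From the defender's side, the techniques in this sheet leave distinct traces in firewall logs. The following added example (not part of the original cheat sheet) parses constructed netfilter-style log lines and flags three of them: a port sweep (randomized port order does not change how many distinct ports one source touches), TCP SYNs arriving from source port 53 to non-DNS ports (`--source-port 53`), and IP fragments (`-f`). The log format, field names and threshold are assumptions for this example.

```python
import re
from collections import defaultdict
# Constructed netfilter-style log lines (sample data, not from a real host).
SAMPLE_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 ID=1001 DF PROTO=TCP SPT=53 DPT=22 SYN
IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 ID=2001 DF PROTO=UDP SPT=40122 DPT=53
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3001 DF PROTO=TCP SPT=41000 DPT=445 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3002 DF PROTO=TCP SPT=41001 DPT=21 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3003 DF PROTO=TCP SPT=41002 DPT=3389 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3004 DF PROTO=TCP SPT=41003 DPT=25 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3005 DF PROTO=TCP SPT=41004 DPT=110 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3006 MF PROTO=TCP SPT=41005 DPT=80 SYN
IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 ID=3006 FRAG:20 PROTO=TCP
"""

KV_RE = re.compile(r"(\w+)[=:](\S*)")
PORT_SWEEP_THRESHOLD = 5  # distinct destination ports from one source (assumed)

def parse_line(line):
    """Return KEY=VALUE / KEY:VALUE fields plus bare flags (DF, MF, SYN) as booleans."""
    fields = dict(KV_RE.findall(line))
    for flag in ("DF", "MF", "SYN"):
        fields[flag] = f" {flag} " in f" {line} "
    return fields

def analyze(log_text):
    """Return {source IP: sorted list of finding tags} for the given log text."""
    ports_by_src = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        src = f.get("SRC")
        if src is None:
            continue
        # -f: first fragment carries MF; later ones carry FRAG:<offset> and no TCP ports.
        if f["MF"] or "FRAG" in f:
            findings[src].add("fragmented")
        dpt = f.get("DPT")
        if dpt is None:
            continue
        # --source-port 53: a TCP SYN from port 53 to a non-DNS port is not a DNS reply.
        if f.get("PROTO") == "TCP" and f["SYN"] and f.get("SPT") == "53" and dpt != "53":
            findings[src].add("source-port-53")
        ports_by_src[src].add(dpt)
    # Randomized port order does not change how many distinct ports one source hits.
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SWEEP_THRESHOLD:
            findings[src].add("port-sweep")
    return {src: sorted(tags) for src, tags in findings.items()}
```

Running `analyze(SAMPLE_LOG)` tags 198.51.100.7 as `source-port-53` and 203.0.113.9 as both `fragmented` and `port-sweep`, while the ordinary DNS query from 203.0.113.5 produces no finding.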