🔍 Nmap Command Cheat Sheet
Complete reference for Nmap network scanning commands with examples, techniques, and practical security testing tips
Basic scan of a single host or IP address
Syntax:
nmap [target]
Examples:
nmap 192.168.1.1
Scan a single IP address
nmap example.com
Scan a hostname
nmap scanme.nmap.org
Scan Nmap's test server
Notes:
Default scan checks the 1000 most common TCP ports; it uses a SYN scan when run with root privileges and falls back to a TCP connect scan otherwise
Scan multiple hosts or IP ranges
Syntax:
nmap [target-range]
Examples:
nmap 192.168.1.1-254
Scan IP range
nmap 192.168.1.0/24
Scan entire subnet using CIDR notation
nmap 192.168.1.1 192.168.1.5 192.168.1.10
Scan specific multiple IPs
nmap 192.168.1.*
Scan using wildcard
Notes:
Multiple targeting methods: ranges, CIDR, wildcards, or space-separated IPs
Specify which ports to scan
Syntax:
nmap -p [port-range] [target]
Examples:
nmap -p 80 192.168.1.1
Scan specific port
nmap -p 80,443,22 192.168.1.1
Scan multiple specific ports
nmap -p 1-1000 192.168.1.1
Scan port range
nmap -p- 192.168.1.1
Scan all 65535 ports
Notes:
Use -p- for all ports, comma-separated for specific ports, hyphen for ranges
Ping scan - discover hosts without port scanning
Syntax:
nmap -sn [target]
Examples:
nmap -sn 192.168.1.0/24
Discover hosts in subnet
nmap -sn 192.168.1.1-20
Ping scan IP range
Notes:
Also known as ping sweep, skips port scanning for faster host discovery
Skip host discovery - treat all hosts as online
Syntax:
nmap -Pn [target]
Examples:
nmap -Pn 192.168.1.1
Scan without ping
nmap -Pn -p 80,443 192.168.1.0/24
Scan web ports without host discovery
Notes:
Useful when hosts don't respond to ping but have open ports
ARP discovery scan for local networks
Syntax:
nmap -PR [target]
Examples:
nmap -PR 192.168.1.0/24
ARP ping scan of local subnet
Notes:
Most reliable method for discovering hosts on local network
Skip DNS resolution for faster scanning
Syntax:
nmap -n [target]
Examples:
nmap -n 192.168.1.0/24
Scan without DNS lookups
nmap -R 192.168.1.1
Force DNS resolution even for IP addresses
Notes:
Use -n to speed up scans, -R to force DNS resolution
TCP SYN scan (stealth scan)
Syntax:
nmap -sS [target]
Examples:
nmap -sS 192.168.1.1
Perform SYN scan
nmap -sS -p 1-1000 192.168.1.1
SYN scan on first 1000 ports
Notes:
Default scan type when run with root privileges and the most widely used; fast and relatively unobtrusive because it never completes the TCP handshake
TCP connect scan
Syntax:
nmap -sT [target]
Examples:
nmap -sT 192.168.1.1
Perform TCP connect scan
nmap -sT -p 22,80,443 192.168.1.1
Connect scan on common ports
Notes:
Completes full TCP connection, more detectable but works without privileges
UDP scan
Syntax:
nmap -sU [target]
Examples:
nmap -sU 192.168.1.1
Scan UDP ports
nmap -sU -p 53,67,68,123,161 192.168.1.1
Scan common UDP ports
nmap -sS -sU -p T:80,443,U:53,161 192.168.1.1
Combined TCP and UDP scan
Notes:
UDP scans are slower but important for discovering UDP services
TCP ACK scan - firewall rule detection
Syntax:
nmap -sA [target]
Examples:
nmap -sA 192.168.1.1
ACK scan to detect firewall rules
Notes:
Helps determine firewall rules and port filtering
TCP FIN scan - stealth scan
Syntax:
nmap -sF [target]
Examples:
nmap -sF 192.168.1.1
FIN scan for stealth scanning
Notes:
Stealthier than SYN scan, may bypass simple firewalls
TCP NULL scan - no flags set
Syntax:
nmap -sN [target]
Examples:
nmap -sN 192.168.1.1
NULL scan with no TCP flags
Notes:
Very stealthy; works against older firewalls and IDSs that only inspect SYN packets
TCP Xmas scan - FIN, PSH, and URG flags
Syntax:
nmap -sX [target]
Examples:
nmap -sX 192.168.1.1
Xmas scan with multiple flags set
Notes:
Named for 'lighting up like a Christmas tree', good for firewall testing
Version detection - identify service versions
Syntax:
nmap -sV [target]
Examples:
nmap -sV 192.168.1.1
Detect service versions
nmap -sV --version-intensity 5 192.168.1.1
Intensive version detection
nmap -sV --version-light 192.168.1.1
Light version detection for speed
Notes:
Intensity levels 0-9, higher numbers are more accurate but slower
Operating system detection
Syntax:
nmap -O [target]
Examples:
nmap -O 192.168.1.1
Detect operating system
nmap -O --osscan-guess 192.168.1.1
Aggressive OS guessing
Notes:
Requires root privileges and at least one open and one closed port
Aggressive scan - OS detection, version detection, scripts
Syntax:
nmap -A [target]
Examples:
nmap -A 192.168.1.1
Comprehensive aggressive scan
nmap -A -p 22,80,443 192.168.1.1
Aggressive scan on specific ports
Notes:
Combines -O, -sV, -sC, and --traceroute for maximum information
Run default NSE scripts
Syntax:
nmap -sC [target]
Examples:
nmap -sC 192.168.1.1
Run default safe scripts
nmap -sC -sV 192.168.1.1
Combine scripts with version detection
Notes:
Runs safe, useful scripts that provide additional information
Run specific script categories
Syntax:
nmap --script [category] [target]
Examples:
nmap --script vuln 192.168.1.1
Run vulnerability detection scripts
nmap --script auth 192.168.1.1
Run authentication scripts
nmap --script discovery 192.168.1.1
Run discovery scripts
nmap --script safe 192.168.1.1
Run only safe scripts
Notes:
Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
Run specific NSE scripts
Syntax:
nmap --script [script-name] [target]
Examples:
nmap --script http-title 192.168.1.1
Get HTTP page titles
nmap --script smb-vuln-ms17-010 192.168.1.1
Check for EternalBlue vulnerability
nmap --script http-enum 192.168.1.1
Enumerate web directories
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
Enumerate SSL ciphers
Notes:
Use --script-help [script] for usage information
Pass arguments to NSE scripts
Syntax:
nmap --script [script] --script-args [args] [target]
Examples:
nmap --script http-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.1
HTTP brute force with custom wordlists
nmap --script smb-brute --script-args userdb=/usr/share/nmap/nselib/data/usernames.lst 192.168.1.1
SMB brute force
Notes:
Arguments are script-specific, check documentation for each script
Timing templates for scan speed
Syntax:
nmap -T[0-5] [target]
Examples:
nmap -T0 192.168.1.1
Paranoid - very slow, IDS evasion
nmap -T1 192.168.1.1
Sneaky - slow, IDS evasion
nmap -T2 192.168.1.1
Polite - slower to use less bandwidth
nmap -T3 192.168.1.1
Normal - default timing
nmap -T4 192.168.1.1
Aggressive - faster scan
nmap -T5 192.168.1.1
Insane - very fast, may miss results
Notes:
T3 is default, T4 recommended for modern networks, T0-T2 for IDS evasion
Control parallel probe groups
Syntax:
nmap --min-parallelism [num] [target]
Examples:
nmap --min-parallelism 100 192.168.1.0/24
Minimum 100 parallel probes
nmap --max-parallelism 1 192.168.1.1
Serial scanning (one probe at a time)
Notes:
Higher values = faster scans but more resource intensive
Set maximum time spent on each host
Syntax:
nmap --host-timeout [time] [target]
Examples:
nmap --host-timeout 300s 192.168.1.0/24
5 minute timeout per host
nmap --host-timeout 30m 192.168.1.1
30 minute timeout
Notes:
Use s for seconds, m for minutes, h for hours
Save output in normal format
Syntax:
nmap -oN [filename] [target]
Examples:
nmap -oN scan_results.txt 192.168.1.1
Save normal output to file
nmap -oN - 192.168.1.1
Output to stdout
Notes:
Human-readable format, good for reports
Save output in XML format
Syntax:
nmap -oX [filename] [target]
Examples:
nmap -oX scan_results.xml 192.168.1.1
Save XML output to file
nmap -oX - 192.168.1.1
Output XML to stdout
Notes:
Machine-readable format, good for parsing with other tools
Save output in grepable format
Syntax:
nmap -oG [filename] [target]
Examples:
nmap -oG scan_results.gnmap 192.168.1.1
Save grepable output
grep 'open' scan_results.gnmap
Grep for open ports
Notes:
Single line per host, easy to grep and parse
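Because the grepable format is one line per host, it is easy to parse and to compare across runs. The following Python script is an added example, not part of the original cheat sheet: it parses -oG output into a per-host structure and compares two snapshots of the same subnet, reporting ports that are open now but were not open in the baseline, which is how a defender turns periodic scans into an exposure alert. Both scan snapshots are constructed inline for the example; the IPs, hostnames and service banners are made up.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in Nmap's grepable (-oG) format; not output from a real scan.
# Layout: one line per host, tab-separated "Key: value" fields; each entry in the
# "Ports:" field is port/state/protocol/owner/service/rpc-info/version/ and
# entries are separated by ", ".
BASELINE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG - -p 22,80,443,3306 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (997)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, 3306/closed/tcp//mysql///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.21 seconds
"""

# Second constructed snapshot of the same subnet: the database port on .5 is now open.
CURRENT_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  8 00:00:00 2024 as: nmap -sV -oG - -p 22,80,443,3306 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (997)
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, 3306/open/tcp//mysql//MySQL 8.0.36/\tIgnored State: closed (998)
# Nmap done at Mon Jan  8 00:00:10 2024 -- 256 IP addresses (2 hosts up) scanned in 9.87 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# Seven slash-separated fields per port entry; the version field may contain spaces.
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname", "status", "ports": [...]}} built from every Host: line."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # "# Nmap ... initiated/done" header and footer lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for pm in PORT_RE.finditer(value):
                    port, state, proto, _owner, service, _rpc, version = pm.groups()
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version})
            # "Ignored State" only summarizes the ports Nmap did not list, so it is skipped.
    return hosts


def open_ports(hosts: Dict[str, dict]) -> Set[Tuple[str, str, int]]:
    """Set of (ip, protocol, port) for every port reported as open."""
    return {(ip, p["proto"], p["port"])
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"}


def new_exposures(baseline_text: str, current_text: str) -> List[Tuple[str, str, int, str]]:
    """Open ports in the current scan that were not open in the baseline scan."""
    baseline = open_ports(parse_gnmap(baseline_text))
    findings = []
    for ip, host in sorted(parse_gnmap(current_text).items()):
        for p in host["ports"]:
            if p["state"] == "open" and (ip, p["proto"], p["port"]) not in baseline:
                findings.append((ip, p["proto"], p["port"], p["service"]))
    return findings


if __name__ == "__main__":
    for ip, proto, port, service in new_exposures(BASELINE_GNMAP, CURRENT_GNMAP):
        print(f"NEW OPEN PORT {ip} {port}/{proto} ({service}) - not in baseline")
```

With real data, read the two .gnmap files into the string constants (or pass their contents to new_exposures directly). Matching port entries with a regex rather than splitting on ", " keeps the parser correct when a version banner itself contains a comma.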
Save output in all major formats
Syntax:
nmap -oA [basename] [target]
Examples:
nmap -oA full_scan 192.168.1.1
Creates .nmap, .xml, and .gnmap files
Notes:
Creates three files: basename.nmap, basename.xml, basename.gnmap
Verbose output - show more details
Syntax:
nmap -v [target]
Examples:
nmap -v 192.168.1.1
Verbose output
nmap -vv 192.168.1.1
Very verbose output
nmap -d 192.168.1.1
Debug mode
Notes:
Use -vv for very verbose, -d for debugging information
Fragment packets to avoid detection
Syntax:
nmap -f [target]
Examples:
nmap -f 192.168.1.1
Fragment packets
nmap -ff 192.168.1.1
Use smaller fragments
Notes:
May help bypass some firewalls and packet filters
Use decoy addresses to hide scan source
Syntax:
nmap -D [decoy1,decoy2,ME] [target]
Examples:
nmap -D 192.168.1.10,192.168.1.11,ME 192.168.1.1
Use decoy IPs
nmap -D RND:10 192.168.1.1
Use 10 random decoy IPs
Notes:
ME represents your real IP, use multiple decoys for better hiding
Spoof source IP address
Syntax:
nmap -S [spoofed-IP] [target]
Examples:
nmap -S 192.168.1.100 192.168.1.1
Spoof source IP
Notes:
May not work due to routing issues, requires -Pn usually
Use specific source port
Syntax:
nmap --source-port [port] [target]
Examples:
nmap --source-port 53 192.168.1.1
Use source port 53 (DNS)
nmap --source-port 20 192.168.1.1
Use source port 20 (FTP data)
Notes:
Some firewalls allow specific source ports like 53, 20, or 80
Append random data to packets
Syntax:
nmap --data-length [num] [target]
Examples:
nmap --data-length 25 192.168.1.1
Add 25 bytes of random data
Notes:
Changes packet size to evade signature-based detection
Randomize order of host scanning
Syntax:
nmap --randomize-hosts [target]
Examples:
nmap --randomize-hosts 192.168.1.0/24
Random host order
Notes:
Makes scanning pattern less predictable
Show reason for port state
Syntax:
nmap --reason [target]
Examples:
nmap --reason 192.168.1.1
Show why port is in specific state
Notes:
Helpful for understanding scan results and troubleshooting
Show all packets sent and received
Syntax:
nmap --packet-trace [target]
Examples:
nmap --packet-trace -p 80 192.168.1.1
Trace packets for port 80
Notes:
Very verbose, shows exactly what Nmap is doing
Use specific network interface
Syntax:
nmap -e [interface] [target]
Examples:
nmap -e eth0 192.168.1.1
Use eth0 interface
nmap -e wlan0 192.168.1.1
Use wireless interface
Notes:
Useful when you have multiple network interfaces
Resume interrupted scan
Syntax:
nmap --resume [logfile]
Examples:
nmap --resume scan_results.gnmap
Resume from grepable output file
Notes:
Can resume from normal, XML, or grepable output formats
🚀 Nmap Pro Tips
Essential Scan Types
nmap -sS
SYN scan (default, fast)
nmap -sU
UDP scan (slower but important)
nmap -A
Aggressive scan (OS + version + scripts)
nmap -sn
Ping sweep (host discovery only)
nmap -Pn
No ping (skip host discovery)
nmap -p-
All ports (65535 ports)
Performance & Stealth
-T4
Aggressive timing (faster scans)
-T2
Polite timing (slower, stealthier)
-f
Fragment packets
-D RND:10
Use 10 decoy IPs
--randomize-hosts
Random host order
-oA basename
Save all output formats
Common Command Combinations
🎯 Quick Network Survey
nmap -sn 192.168.1.0/24
Discover live hosts without port scanning
🔍 Comprehensive Scan
nmap -A -T4 192.168.1.1
Aggressive scan with OS/service detection
🛡️ Stealth Scan
nmap -sS -T2 -f 192.168.1.1
Slow, fragmented SYN scan for evasion
🚨 Vulnerability Scan
nmap --script vuln 192.168.1.1
Run vulnerability detection scripts
⚠️ Legal & Ethical Guidelines
• Only scan networks you own or have explicit permission to test
• Unauthorized network scanning can be illegal and may violate terms of service
• Use scanme.nmap.org for practice and testing Nmap features
• Be aware that aggressive scans can impact network performance
• Always follow responsible disclosure for any vulnerabilities found
• Consider using -T2 or slower timing to be more polite
📚 Popular NSE Script Categories
Nmap Scripting Engine (NSE) provides powerful automation capabilities:
🔐 Security Scripts
auth, brute, vuln - Authentication testing and vulnerability detection
🔍 Discovery Scripts
discovery, version - Service and version enumeration
🌐 Network Scripts
broadcast, external - Network topology and external resources