Nmap Commands Cheat Sheet: Every Command You Need
Nmap is the most widely used network scanning tool in the world. Whether you are a penetration tester mapping an attack surface, a system administrator auditing your network, or a security student learning the fundamentals, Nmap is a tool you need to know cold. This cheat sheet covers every major Nmap capability with the exact command syntax and clear explanations of what each flag does.
All commands assume you have proper authorization to scan the target. Scanning networks you do not own or have permission to test is illegal in most jurisdictions.
Host Discovery
Host discovery determines which hosts on a network are online before you begin port scanning.
| Command | Description |
|---|---|
| nmap -sn 192.168.1.0/24 | Ping scan: find live hosts without port scanning |
| nmap -Pn 10.0.0.1 | Skip host discovery: treat every target as online and go straight to port scanning |
| nmap -PS22,80,443 10.0.0.1 | TCP SYN discovery probes to the listed ports |
| nmap -PA80,443 10.0.0.1 | TCP ACK discovery probes to the listed ports |
| nmap -PU53,161 10.0.0.1 | UDP discovery probes to the listed ports |
| nmap -PE 10.0.0.0/24 | ICMP echo request discovery |
| nmap -PP 10.0.0.0/24 | ICMP timestamp request discovery |
| nmap -PM 10.0.0.0/24 | ICMP address mask request discovery |
| nmap -PR 192.168.1.0/24 | ARP discovery (local Ethernet segment only; Nmap uses it there automatically, and it is very reliable because hosts cannot filter ARP and still talk) |
# Discover all live hosts on a subnet
nmap -sn 192.168.1.0/24
# Discover hosts when ICMP is blocked — use TCP SYN on common ports
nmap -sn -PS22,80,443,8080 10.0.0.0/24
# Scan a host that blocks ping (skip discovery entirely)
nmap -Pn 10.0.0.1
# List targets without scanning (DNS resolution only)
nmap -sL 192.168.1.0/24
Port Scanning Techniques
The scan type determines how Nmap probes each port and which of the six states it can report: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.
| Flag | Scan Type | Description |
|---|---|---|
| -sS | TCP SYN (stealth) | Sends a SYN and reads the reply without completing the handshake. Default when running as root. |
| -sT | TCP connect | Completes the full handshake through the OS socket API. Default for non-root users, and the only TCP scan type available to them. Slower, and the connection is visible to the service's own logs. |
| -sU | UDP scan | Sends UDP packets. Slow, but the only way to find DNS, SNMP, DHCP and other UDP services. Closed ports answer with ICMP port unreachable; silence is reported as open|filtered. |
| -sA | TCP ACK | Maps firewall rules (filtered vs. unfiltered). Does not distinguish open from closed. |
| -sN | TCP null | Sends no flags. Can slip past some stateless packet filters. Relies on RFC 793 behavior, so Windows, Cisco and many other stacks report every port closed. |
| -sF | TCP FIN | Sends only the FIN flag. Same use and same caveat as the null scan. |
| -sX | TCP Xmas | Sends FIN, PSH and URG together. Named for the lit-up flag bits. Same caveat as the null scan. |
| -sW | Window scan | Like an ACK scan, but also inspects the TCP window size of the RST replies to infer open vs. closed on some systems. |
| -sM | Maimon scan | FIN/ACK probe. Works against some BSD-derived stacks that drop the probe when the port is open. |
# Default SYN scan (requires root/admin)
sudo nmap -sS 10.0.0.1
# TCP connect scan (no root required)
nmap -sT 10.0.0.1
# UDP scan (slow — combine with version detection for accuracy)
sudo nmap -sU --top-ports 100 10.0.0.1
# Combined TCP and UDP scan
sudo nmap -sS -sU 10.0.0.1
Port Specification
By default, Nmap scans the 1,000 most common TCP ports. You almost always want to customize this.
| Flag | Description | Example |
|---|---|---|
| -p 80 | Scan a single port | nmap -p 80 10.0.0.1 |
| -p 80,443,8080 | Scan specific ports | nmap -p 80,443,8080 10.0.0.1 |
| -p 1-1024 | Scan a range | nmap -p 1-1024 10.0.0.1 |
| -p- | Scan all 65,535 ports (1-65535; port 0 is only included if you ask for -p0-) | nmap -p- 10.0.0.1 |
| -p U:53,T:80 | Mix UDP and TCP ports (the UDP list is ignored unless -sU is also given) | sudo nmap -sU -sS -p U:53,161,T:80,443 10.0.0.1 |
| --top-ports 100 | Scan the N most common ports | nmap --top-ports 100 10.0.0.1 |
| -F | Fast scan (top 100 ports) | nmap -F 10.0.0.1 |
| --exclude-ports | Skip specific ports | nmap --exclude-ports 22 10.0.0.1 |
# Scan all ports — the most thorough option
nmap -p- 10.0.0.1
# Scan common web ports
nmap -p 80,443,8080,8443 10.0.0.1
# Scan all ports below 1024 (privileged ports)
nmap -p 1-1023 10.0.0.1
Service and Version Detection
Knowing a port is open is useful. Knowing what software and version is running on that port is far more valuable.
| Flag | Description |
|---|---|
| -sV | Probe open ports to determine the service and version |
| --version-intensity 0-9 | Set probe intensity (0 = lightest, 9 = try every probe; the default is 7) |
| --version-light | Shortcut for --version-intensity 2 |
| --version-all | Shortcut for --version-intensity 9 |
# Standard version detection
nmap -sV 10.0.0.1
# Aggressive version detection — more accurate, slower
nmap -sV --version-intensity 9 10.0.0.1
# Light version detection — faster, may miss some services
nmap -sV --version-light 10.0.0.1
# Version detection on specific ports
nmap -sV -p 22,80,443,3306 10.0.0.1
OS Detection
Nmap can fingerprint the operating system of a target by analyzing TCP/IP stack behavior.
| Flag | Description |
|---|---|
| -O | Enable OS detection |
| --osscan-limit | Only attempt OS detection when at least one open and one closed TCP port were found |
| --osscan-guess | Guess more aggressively when the fingerprint is not a confident match |
| --max-os-tries N | Limit OS detection retries |
# Basic OS detection
sudo nmap -O 10.0.0.1
# OS detection with aggressive guessing
sudo nmap -O --osscan-guess 10.0.0.1
# Combined: OS detection + version detection + default scripts
sudo nmap -A 10.0.0.1
The -A flag is a shortcut that enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute).
Timing and Performance
Nmap's timing templates control how fast and aggressively it scans. Higher numbers are faster but noisier and less reliable on congested networks.
| Template | Name | Description |
|---|---|---|
| -T0 | Paranoid | Extremely slow. IDS evasion. Serializes probes and waits 5 minutes between them. |
| -T1 | Sneaky | Very slow. IDS evasion. Waits 15 seconds between probes. |
| -T2 | Polite | Slower than default. Reduces bandwidth use and target load. |
| -T3 | Normal | Default timing. Balanced. |
| -T4 | Aggressive | Faster. Assumes a fast, reliable network. |
| -T5 | Insane | Very fast. Trades accuracy for speed; misses results on lossy links. |
Fine-grained timing controls:
| Flag | Description |
|---|---|
| --min-rate 1000 | Send at least 1000 packets per second |
| --max-rate 500 | Send no more than 500 packets per second |
| --max-retries 2 | Limit probe retransmissions |
| --host-timeout 30m | Give up on any host that takes longer than this |
| --scan-delay 1s | Wait at least this long between probes |
| --min-parallelism 10 | Minimum number of probes in flight at once |
# Fast scan on a reliable local network
nmap -T4 -F 192.168.1.0/24
# Slow and quiet scan for IDS evasion
sudo nmap -T1 -sS -p 80,443 10.0.0.1
# Rate-limited scan
nmap --min-rate 300 --max-rate 500 -p- 10.0.0.1
NSE Scripts (Nmap Scripting Engine)
The Nmap Scripting Engine extends Nmap with hundreds of scripts for vulnerability detection, brute forcing, discovery, and more.
| Flag | Description |
|---|---|
| -sC | Run the default script set (same as --script=default) |
| --script <name> | Run a specific script |
| --script <category> | Run every script in a category |
| --script-args | Pass arguments to scripts |
| --script-help <name> | Show help for a specific script |
Script categories:
| Category | Purpose |
|---|---|
| auth | Authentication handling and credential checks (brute forcing is its own category) |
| broadcast | Discover hosts via broadcast messages |
| brute | Brute-force credential attacks |
| default | The set run by -sC: fast, useful, and not too intrusive |
| discovery | Gather more information about the network |
| dos | Denial of service tests (may take the target down) |
| exploit | Attempt to exploit vulnerabilities |
| external | Send data to third-party services (for example, whois or geolocation lookups) |
| fuzzer | Send unexpected data to test for bugs |
| intrusive | May crash the target, consume heavy resources, or be perceived as an attack |
| malware | Detect malware infections and backdoors |
| safe | Considered safe to run against production systems |
| version | Extensions to version detection |
| vuln | Check for specific known vulnerabilities |
# Run default scripts
nmap -sC 10.0.0.1
# Run vulnerability scan scripts
nmap --script vuln 10.0.0.1
# Run a specific script
nmap --script http-title -p 80 10.0.0.1
# Run multiple specific scripts
nmap --script "http-title,http-headers,http-methods" -p 80 10.0.0.1
# Run scripts matching a pattern
nmap --script "http-*" -p 80,443 10.0.0.1
# Boolean expressions: discovery scripts, restricted to those also tagged safe
# (every script is either safe or intrusive, so "and not intrusive" would add nothing)
nmap --script "discovery and safe" 10.0.0.1
# Script with arguments
nmap --script http-brute --script-args http-brute.path=/admin -p 80 10.0.0.1
# Check for a specific vulnerability
nmap --script smb-vuln-ms17-010 -p 445 10.0.0.1
Output Formats
Save your scan results, every time. You will regret it if you do not, and a saved scan is the baseline you diff the next one against.
| Flag | Format | Description |
|---|---|---|
| -oN scan.txt | Normal | Human-readable text, the same as the terminal output |
| -oX scan.xml | XML | Machine-parseable. Imports into tools like Metasploit (db_import). |
| -oG scan.gnmap | Grepable | One host per line. Easy to parse with grep/awk, though officially deprecated in favor of XML. |
| -oA scan | All formats | Writes scan.nmap, scan.xml and scan.gnmap at once |
| -oS scan.txt | Script kiddie | Replaces letters with symbols. Do not use this. |
# Save in all formats at once (best practice)
nmap -oA /path/to/results 10.0.0.1
# Normal output for quick review
nmap -oN scan_results.txt 10.0.0.1
# XML output for importing into other tools
nmap -oX scan_results.xml 10.0.0.1
# Verbose output to terminal while saving
nmap -v -oA results 10.0.0.1
# Append to an existing file
nmap --append-output -oN ongoing_scan.txt 10.0.0.1
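The grepable format earns its name: a few lines of awk turn a saved .gnmap file into a host/port/service list, and two saved snapshots diff into a change report, which is the real reason to keep the baseline (a listener that appeared on a host you believed was hardened is exactly what you want to catch). The script below is an added example written for this page, not code from the Nmap project; the two .gnmap files it writes are constructed sample data in Nmap's grepable layout, and the helper names gnmap_open_ports and gnmap_diff are this example's own.

```shell
#!/bin/sh
# Added example: parse Nmap -oG output and diff two snapshots.
# The .gnmap contents below are constructed for this example, not real scans.
set -eu

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Grepable layout: tab-separated "Host:" / "Ports:" / "Ignored State:" fields;
# port entries are separated by ", " and their sub-fields by "/"
# (port/state/proto/owner/service/rpc info/version/).
{
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sV -oG baseline.gnmap 10.0.0.0/29\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.0.2 (db.corp.example)\tStatus: Up\n'
  printf 'Host: 10.0.0.2 (db.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: filtered (998)\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 61.02 seconds\n'
} > "$SAMPLE_DIR/baseline.gnmap"

# Current snapshot (constructed): 443 gone and 8080 new on .1, a brand-new RDP
# host .5, and a UDP port on .2 in the ambiguous open|filtered state.
{
  printf '# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG current.gnmap 10.0.0.0/29\n'
  printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy//Squid http proxy 5.7/\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.0.2 (db.corp.example)\tStatus: Up\n'
  printf 'Host: 10.0.0.2 (db.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 53/open|filtered/udp//domain///, 3306/open/tcp//mysql//MySQL 8.0.33/\tIgnored State: filtered (997)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: filtered (999)\n'
  printf '# Nmap done -- 8 IP addresses (3 hosts up) scanned in 74.40 seconds\n'
} > "$SAMPLE_DIR/current.gnmap"

# Print one "host port/proto service" line per definitively open port, sorted.
# open|filtered entries are skipped on purpose: they are not findings until a
# -sV probe or a follow-up scan settles them.
gnmap_open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host)
      sub(/ .*$/, "", host)            # drop the " (hostname)" part
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i
        sub(/^Ports: /, "", ports)
        n = split(ports, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")      # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == "open") {
            print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
          }
        }
      }
    }' "$1" | LC_ALL=C sort
}

# NEW: open now but absent from the baseline. CLOSED: open in the baseline,
# gone now. Both lists come from comm, so both inputs must be sorted the same
# way (hence LC_ALL=C in both places).
gnmap_diff() {
  old=$(mktemp)
  new=$(mktemp)
  gnmap_open_ports "$1" > "$old"
  gnmap_open_ports "$2" > "$new"
  LC_ALL=C comm -13 "$old" "$new" | sed 's/^/NEW     /'
  LC_ALL=C comm -23 "$old" "$new" | sed 's/^/CLOSED  /'
  rm -f "$old" "$new"
}

gnmap_diff "$SAMPLE_DIR/baseline.gnmap" "$SAMPLE_DIR/current.gnmap"
```

Against the sample data this reports the new proxy on 10.0.0.1, the new RDP host, and the HTTPS listener that disappeared. Point gnmap_diff at two of your own -oA runs (the .gnmap pair) to get the same report for a real network. For anything more elaborate than this, parse the .xml file instead: Nmap documents grepable output as deprecated, and XML carries script output and version details that the one-line format cannot.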
Firewall Evasion and Stealth
These techniques help bypass firewalls and intrusion detection systems during authorized penetration tests.
| Flag | Description |
|---|---|
| -f | Split probes into IP fragments carrying 8 bytes of payload each |
| -f -f (or -ff) | Fragment into 16-byte payloads |
| --mtu N | Set a custom fragment payload size (must be a multiple of 8) |
| -D decoy1,decoy2,ME | Scan from decoy addresses alongside your own so the target cannot tell which source is real (RND:N generates N random decoys) |
| -S <ip> | Spoof the source IP address. Replies go to the spoofed address, so you learn nothing unless you can sniff on the return path; usually needs -e <iface> and -Pn as well. |
| --source-port N (or -g N) | Use a fixed source port; 53 or 20 sometimes pass naive filters that trust "DNS" or "FTP-data" traffic |
| --data-length N | Append N bytes of random data to each probe |
| --randomize-hosts | Scan hosts in random order |
| --spoof-mac <mac> | Spoof the source MAC address (Ethernet only; 0 picks a random one) |
| --badsum | Send probes with bad TCP/UDP checksums. Real hosts silently drop them, so any reply comes from a firewall or IDS that did not verify the checksum. |
# Fragment packets to bypass simple packet filters
sudo nmap -f -sS 10.0.0.1
# Use decoy addresses
sudo nmap -D 10.0.0.2,10.0.0.3,ME -sS 10.0.0.1
# Spoof source port as DNS (53) — some firewalls allow this
sudo nmap --source-port 53 -sS 10.0.0.1
# Randomize scan order and add data padding
sudo nmap --randomize-hosts --data-length 50 -sS 192.168.1.0/24
# Spoof MAC address (use 0 for random)
sudo nmap --spoof-mac 0 -sS 10.0.0.1
Target Specification
Nmap accepts targets in multiple formats:
# Single IP
nmap 10.0.0.1
# Hostname
nmap scanme.nmap.org
# CIDR range
nmap 192.168.1.0/24
# IP range
nmap 192.168.1.1-254
# Octet range
nmap 192.168.1,2,3.0/24
# From a file (one target per line)
nmap -iL targets.txt
# Exclude hosts
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
# Exclude from file
nmap 192.168.1.0/24 --excludefile exclusions.txt
Useful Real-World Scan Combinations
These are the scans you will actually run on engagements and audits.
# Quick network sweep — find live hosts fast
nmap -sn -T4 192.168.1.0/24
# Standard initial scan — SYN scan, top 1000 ports, version detection
sudo nmap -sS -sV -T4 10.0.0.1
# Comprehensive scan — all ports, version, OS, scripts
sudo nmap -sS -sV -O -sC -p- -T4 10.0.0.1
# Full audit — everything, save all formats
sudo nmap -A -p- -T4 -oA full_audit 10.0.0.1
# Web server scan (the bare http-* wildcard also matches brute, dos and fuzzer scripts; restrict it to safe ones)
nmap -sV --script "http-* and safe" -p 80,443,8080,8443 10.0.0.1
# Vulnerability assessment
nmap -sV --script vuln -p- 10.0.0.1
# Quick UDP scan of common services
sudo nmap -sU --top-ports 20 -sV 10.0.0.1
# Slow, low-profile scan for red team engagements (decoys hide which source is real, but your own address is still among them)
sudo nmap -sS -T1 -f --source-port 53 -D RND:5 -p 22,80,443 10.0.0.1
# Scan a /16 for a specific open port (fast, and correspondingly noisy)
sudo nmap -sS -p 443 --open --min-rate 10000 10.0.0.0/16
# Detect firewall rules with ACK scan
sudo nmap -sA -p 80,443 10.0.0.1
# Banner grabbing
nmap -sV --script banner -p 21,22,25,80,110,143,443 10.0.0.1
# SMB enumeration
nmap --script "smb-enum-*" -p 139,445 10.0.0.1
Quick Reference Table
| Goal | Command |
|---|---|
| Find live hosts | nmap -sn 192.168.1.0/24 |
| Fast port scan | nmap -F 10.0.0.1 |
| All ports | nmap -p- 10.0.0.1 |
| Version detection | nmap -sV 10.0.0.1 |
| OS detection | sudo nmap -O 10.0.0.1 |
| Everything | sudo nmap -A -p- -T4 10.0.0.1 |
| Vulnerability scan | nmap --script vuln 10.0.0.1 |
| Save results | nmap -oA results 10.0.0.1 |
| Stealth scan | sudo nmap -sS -T2 10.0.0.1 |
| UDP scan | sudo nmap -sU --top-ports 50 10.0.0.1 |
This cheat sheet covers the commands you will reach for on virtually every engagement. Keep it bookmarked, and remember: always get written authorization before scanning any network.