Nmap: A Comprehensive Guide and Cheat Sheet

Introduction to Nmap

Nmap (Network Mapper) is a powerful and versatile open-source tool used for network exploration, port scanning, service and version detection, security auditing, and network performance assessment. It caters to a broad spectrum of users, ranging from ethical hackers to network administrators. In this comprehensive guide, we’ll explore the fundamentals of Nmap and provide you with a handy cheat sheet to get started.

Understanding Nmap

Nmap operates by sending packets to the target hosts and analyzing their responses. It can discover hosts available on the network, find open ports, identify services running on those ports, and even determine the operating system of the target.

Target Specification

Switch | Example | Description
--- | --- | ---
 | nmap | Scan a single IP
 | nmap | Scan specific IPs
 | nmap | Scan a range
 | nmap scanme.nmap.org | Scan a domain
 | nmap | Scan using CIDR notation
-iL | nmap -iL targets.txt | Scan targets from a file
-iR | nmap -iR 100 | Scan 100 random hosts
--exclude | nmap --exclude | Exclude listed hosts

Scan Techniques

Switch | Example | Description
--- | --- | ---
-sS | nmap -sS | TCP SYN port scan (default)
-sT | nmap -sT | TCP connect port scan (default without root privilege)
-sU | nmap -sU | UDP port scan
-sA | nmap -sA | TCP ACK port scan
-sW | nmap -sW | TCP Window port scan
-sM | nmap -sM | TCP Maimon port scan

Host Discovery

Switch | Example | Description
--- | --- | ---
-sL | nmap -sL | No scan. List targets only.
-sn | nmap -sn | Disable port scanning. Host discovery only.
-Pn | nmap -Pn | Disable host discovery. Port scan only.
-PS | nmap -PS22-25,80 | TCP SYN discovery on port x. Port 80 by default.
-PA | nmap -PA22-25,80 | TCP ACK discovery on port x. Port 80 by default.
-PU | nmap -PU53 | UDP discovery on port x. Port 40125 by default.
-PR | nmap -PR | ARP discovery on the local network.
-n | nmap -n | Never do DNS resolution.

Port Specification

Switch | Example | Description
--- | --- | ---
-p | nmap -p 21 | Port scan for a specific port (e.g., port 21)
-p | nmap -p 21-100 | Port range scan (e.g., ports 21 to 100)
-p | nmap -p U:53,T:21-25,80 | Scan multiple TCP and UDP ports
-p- | nmap -p- | Scan all ports (1 to 65535)
-p | nmap -p http,https | Port scan using service names (e.g., http, https)
-F | nmap -F | Fast port scan (scan the 100 most common ports)
--top-ports | nmap --top-ports 2000 | Port scan the top x most common ports
-p-65535 | nmap -p-65535 | Scan all ports starting from port 1
-p0- | nmap -p0- | Scan all ports up to port 65535

Service and Version Detection

Switch | Example | Description
--- | --- | ---
-sV | nmap -sV | Attempts to determine the version of the service running on each port
-sV --version-intensity | nmap -sV --version-intensity 8 | Specifies the version detection intensity level from 0 to 9, with higher values increasing the possibility of correctness
-sV --version-light | nmap -sV --version-light | Enables light mode for version detection, providing faster results with a lower possibility of correctness
-sV --version-all | nmap -sV --version-all | Enables intensity level 9 for version detection, offering a higher possibility of correctness at the cost of slower scanning
-A | nmap -A | Enables comprehensive scanning, including OS detection, version detection, script scanning, and traceroute

OS Detection

Switch | Example | Description
--- | --- | ---
-O | nmap -O | Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit | nmap -O --osscan-limit | If at least one open and one closed TCP port are not found, it will not try OS detection against the host
-O --osscan-guess | nmap -O --osscan-guess | Makes Nmap guess more aggressively during OS detection
-O --max-os-tries | nmap -O --max-os-tries 1 | Sets the maximum number of OS detection tries (x) against a target
-A | nmap -A | Enables comprehensive scanning, including OS detection, version detection, script scanning, and traceroute

Timing and Performance

Switch | Example | Description
--- | --- | ---
-T0 | nmap -T0 | Paranoid (0): Intrusion Detection System evasion
-T1 | nmap -T1 | Sneaky (1): Intrusion Detection System evasion
-T2 | nmap -T2 | Polite (2): slows down the scan to use less bandwidth and target machine resources
-T3 | nmap -T3 | Normal (3): the default speed for scans
-T4 | nmap -T4 | Aggressive (4): speeds up scans; assumes you are on a reasonably fast and reliable network
-T5 | nmap -T5 | Insane (5): speeds up scans; assumes you are on an extraordinarily fast network

Switch | Example input | Description
--- | --- | ---
--host-timeout <time> | 1s; 4m; 2h | Give up on a target after the specified time
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> | 1s; 4m; 2h | Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> | 50; 1024 | Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> | 10; 1 | Probe parallelization
--scan-delay/--max-scan-delay <time> | 20ms; 2s; 4m; 5h | Adjusts the delay between probes
--max-retries <tries> | 3 | Specifies the maximum number of port scan probe retransmissions
--min-rate <number> | 100 | Sends packets no slower than the specified rate per second
--max-rate <number> | 100 | Sends packets no faster than the specified rate per second

NSE Scripts

Switch | Example | Description
--- | --- | ---
-sC | nmap -sC | Scan with default NSE scripts. Considered useful for discovery and safe.
--script default | nmap --script default | Scan with default NSE scripts. Considered useful for discovery and safe.
--script | nmap --script=banner | Scan with a single script. Example: banner
--script | nmap --script "http*" | Scan with a wildcard (quoted so the shell does not expand it). Example: http*
--script | nmap --script=http,banner | Scan with two scripts. Example: http and banner
--script | nmap --script "not intrusive" | Scan with default scripts but remove intrusive ones
--script-args | nmap --script snmp-sysdescr --script-args snmpcommunity=admin | NSE script with arguments

Useful NSE Script Examples

Command | Description
--- | ---
nmap -Pn --script=http-sitemap-generator scanme.nmap.org | Run the HTTP site map generator script to create a sitemap for a website.
nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 | Conduct a fast search for random web servers on port 80, retrieving banners and titles for discovered web services.
nmap -Pn --script=dns-brute domain.com | Use DNS brute-force to guess DNS hostnames, attempting to discover subdomains of the specified domain.
nmap -n -Pn -vv -O -sV --script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv | Run a set of safe SMB (Server Message Block) scripts to gather information about Windows systems on the network, including shares and vulnerabilities.
nmap --script whois* domain.com | Perform a WHOIS query for the specified domain, providing information about domain registration.
nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org | Detect cross-site scripting (XSS) vulnerabilities on web servers running on port 80.
nmap -p80 --script http-sql-injection scanme.nmap.org | Check for SQL injection vulnerabilities in web applications hosted on port 80.

Firewall/IDS Evasion and Spoofing

Switch | Example | Description
--- | --- | ---
-f | nmap -f | Requested scans (including ping scans) use tiny fragmented IP packets, which can be harder for packet filters to detect.
--mtu | nmap --mtu 32 | Set your own maximum transmission unit (MTU) offset size for packet fragmentation.
-D | nmap -D,,, | Send scans from spoofed IP addresses. This can help hide your identity during scans.
-D | nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip | An explanation of the -D switch, allowing you to send scans from multiple decoy IP addresses.
-S | nmap -S www.facebook.com | Scan a target (e.g., Facebook) from a different source (e.g., Microsoft). Use with caution, as this involves IP address spoofing. Additional options like -e eth0 -Pn may be required.
-g | nmap -g 53 | Use a given source port number (e.g., source port 53).
--proxies | nmap --proxies, | Relay connections through HTTP/SOCKS4 proxies. Useful for hiding your true source IP address.
--data-length | nmap --data-length 200 | Append random data to sent packets, which can help obfuscate traffic and evade certain filters.

Output and Display Options

Switch | Example | Description
--- | --- | ---
-oN | nmap -oN normal.file | Save normal output to the file normal.file.
-oX | nmap -oX xml.file | Save XML output to the file xml.file.
-oG | nmap -oG grep.file | Save grepable output to the file grep.file.
-oA | nmap -oA results | Output in all major formats (normal, XML, and grepable) at once, with the base name results.
-oG - | nmap -oG - | Send grepable output to the screen. -oN - and -oX - are also usable for this purpose.
--append-output | nmap -oN file.file --append-output | Append the results of a scan to a previous scan file.
-v | nmap -v | Increase the verbosity level (use -vv or more for greater detail).
-d | nmap -d | Increase the debugging level (use -dd or more for greater detail).
--reason | nmap --reason | Display the reason a port is in a particular state, providing the same output as -vv.
--open | nmap --open | Only show open (or possibly open) ports in the output.
--packet-trace | nmap -T4 --packet-trace | Show all packets sent and received during the scan for debugging purposes.
--iflist | nmap --iflist | Display information about host interfaces and routes.
--resume | nmap --resume results.file | Resume a scan using the information from a previous scan stored in results.file.

Helpful Nmap Output Examples

Command | Description
--- | ---
nmap -p80 -sV -oG - --open \| grep open | Scan for web servers and use grep to show which IPs are running web servers.
nmap -iR 10 -n -oX out.xml \| grep "Nmap" \| cut -d " " -f5 > live-hosts.txt | Generate a list of the IP addresses of live hosts.
nmap -iR 10 -n -oX out2.xml \| grep "Nmap" \| cut -d " " -f5 >> live-hosts.txt | Append IP addresses to the list of live hosts.
ndiff scan1.xml scan2.xml | Compare output from Nmap scans using the ndiff tool.
xsltproc nmap.xml -o nmap.html | Convert Nmap XML files to HTML format.
grep " open " results.nmap \| sed -r 's/ +/ /g' \| sort \| uniq -c \| sort -rn \| less | Generate a reverse-sorted list showing how often ports turn up as open in the Nmap results.
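The grep-based pipelines above work on normal output; the grepable (-oG) format described earlier is easier to process reliably because each host's ports sit on one tab-separated line. The following is an added example, not part of the original cheat sheet: it parses a constructed -oG sample and reports open ports that fall outside an allowlist of expected exposure (the sample hosts, services and the allowlist are all assumptions made up for the example).

```shell
#!/bin/sh
# Parse Nmap grepable (-oG) output and flag open ports that are not on an
# allowlist of expected exposure. Added example; the sample scan below is
# constructed by hand, not captured from a real scan.

# Constructed sample of -oG output (fields are tab-separated, as Nmap writes them).
sample_og() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.0.2.20 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd/, 8080/open/tcp//http-proxy///\n'
  printf '# Nmap done at ... -- 2 IP addresses (2 hosts up) scanned\n'
}

# open_ports: stdin = -oG output; prints "host port/proto service" for every open port.
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entries, /, /)
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open")
            print host, f[1] "/" f[3], (f[5] == "" ? "unknown" : f[5])
        }
      }
    }'
}

# unexpected_exposure ALLOWLIST: stdin = -oG output; ALLOWLIST is a
# space-separated list such as "22/tcp 80/tcp". Prints open ports outside it,
# which is the list a defender wants to review after each scan.
unexpected_exposure() {
  open_ports | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok) { print }'
}

# Usage with a real scan: nmap -oG - -p- <hosts> | unexpected_exposure "22/tcp 80/tcp"
# Usage with the constructed sample: sample_og | unexpected_exposure "22/tcp 80/tcp"
```

With the sample input, only the two open ports on 192.0.2.20 (445/tcp and 8080/tcp) are reported, since the allowlist covers 22/tcp and 80/tcp.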

Miscellaneous Options

Switch | Example | Description
--- | --- | ---
-6 | nmap -6 2607:f0d0:1002:51::4 | Enable IPv6 scanning.
-h | nmap -h | Display the Nmap help screen.

Other Useful Nmap Commands

Command | Description
--- | ---
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn | Discovery only on specified ports, no port scan.
nmap -PR -sn -vv | ARP discovery only on the local network, no port scan.
nmap -iR 10 -sn --traceroute | Perform a traceroute to random targets, no port scan.
nmap -sL --dns-server | Use the internal DNS server for hosts and list targets only.

Thank you for this great resource: stationx


This Nmap cheat sheet provides you with essential commands to start using Nmap effectively. However, Nmap offers a plethora of advanced and complex scanning options for various scenarios. To delve deeper into Nmap’s capabilities, consider exploring the official documentation.

Remember to use Nmap responsibly and ethically, respecting legal boundaries and permissions when scanning networks or systems.

Nmap is a valuable tool in the world of network security and administration. By mastering its usage, you can enhance your ability to assess network vulnerabilities, identify security risks, and maintain robust network infrastructure.

