Skip to content

Nmap Cheatsheet: Commands, Examples & Tutorials

Nmap (“Network Mapper”) is an open-source utility for host discovery, port scanning, service detection, OS fingerprinting and scriptable probes via the Nmap Scripting Engine (NSE). It’s the default tool in every pentest playbook and the first thing oncall reaches for when “is the firewall actually doing what we think.”

Terminal window
sudo apt update && sudo apt install -y nmap

Confirm the version + NSE script database location:

Terminal window
nmap --version
nmap --script-help all | head

Across every command below, replace TARGET with one or more of:

  • A single host: 10.0.0.5 or scanme.nmap.org
  • A CIDR block: 10.0.0.0/24
  • A range: 10.0.0.1-50 or 10.0.0,1,2.1-10
  • A file of targets: -iL targets.txt
  • Exclusions: --exclude 10.0.0.1 or --excludefile skip.txt
Terminal window
# Random 100 hosts on the public internet (research only).
sudo nmap -sn -iR 100

Find live hosts without doing a port scan first.

FlagWhat it does
-sn”ping scan” — host discovery, skip port scan
-Pnskip discovery, treat every host as up
-PEICMP echo (requires root)
-PS22,80,443TCP SYN ping on listed ports
-PA22,80,443TCP ACK ping
-PU53,161UDP ping on listed ports
-PRARP ping (LAN-only, fastest + most reliable on the local subnet)
-nskip reverse-DNS for every hit (a lot faster on /16+)
Terminal window
# Ping sweep of a /24, no port scan, no DNS.
sudo nmap -sn -n 10.0.0.0/24
# ARP sweep on a local subnet — bypasses host firewall ICMP filters.
sudo nmap -PR -sn 192.168.1.0/24
# Assume the host is up (some hosts block all ICMP / TCP probes).
sudo nmap -Pn TARGET

The shape of the scan is what makes Nmap fast or slow.

FlagScan typeWhen to use
-sSTCP SYN (half-open)default, fast, root only
-sTTCP connect()unprivileged or when SYN drops are noisy
-sUUDPDNS / SNMP / NTP / VoIP gear
-sATCP ACKmap firewall rule sets (stateful vs stateless)
-sN -sF -sXTCP Null / FIN / Xmasbypass naïve stateless firewalls
-sYSCTP INITtelecom / SS7 gear

Port specifications:

Terminal window
# Top 1000 TCP ports (default).
sudo nmap TARGET
# Top 100 — fastest useful pass.
sudo nmap --top-ports 100 TARGET
# Every TCP port.
sudo nmap -p- TARGET
# Specific ports / ranges / names.
sudo nmap -p 22,80,443,1000-2000,http* TARGET
# Both TCP and UDP, every port.
sudo nmap -sU -sS -p0-65535 TARGET
# Only show open ports in the output (great for diff'ing scans).
sudo nmap --open TARGET

Nmap reports one of six states per port. Knowing the difference between closed and filtered is the single most useful skill when reading output.

StateMeaning
openAn application is actively accepting connections on the port
closedPort is reachable (host replied) but no application is listening
filteredA firewall/filter dropped the probe — Nmap can’t tell open vs closed
unfilteredPort is reachable but Nmap can’t tell open vs closed (ACK scan)
`openfiltered`
`closedfiltered`
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
80/tcp open http nginx 1.18.0
443/tcp filtered https
3306/tcp closed mysql
Terminal window
# -sV probes open ports and labels them with banner + version.
sudo nmap -sV TARGET
# Stack version detection with default NSE scripts and OS guess.
sudo nmap -A TARGET # = -sV -sC -O --traceroute
# Tighter probe (faster, less accurate) vs aggressive (slower, more accurate).
sudo nmap -sV --version-intensity 0 TARGET # light banner only
sudo nmap -sV --version-intensity 9 TARGET # every probe
sudo nmap -sV --version-all TARGET # same as intensity 9
Terminal window
# Active OS fingerprint (root only, needs at least one open + one closed port).
sudo nmap -O TARGET
# Be conservative — only print a guess when confidence is high.
sudo nmap -O --osscan-limit TARGET
# Guess aggressively (useful for filtered hosts).
sudo nmap -O --osscan-guess TARGET

NSE scripts live in /usr/share/nmap/scripts/ (Linux) or /opt/homebrew/share/nmap/scripts/ (macOS, Apple Silicon). Categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.

Terminal window
# Run all "default" scripts — same as the -sC in -A.
sudo nmap -sC TARGET
# Run every "safe" script.
sudo nmap --script "safe" TARGET
# All vuln-detection scripts.
sudo nmap --script "vuln" TARGET
# A specific script with arguments.
sudo nmap --script http-title --script-args http.useragent="kbve-scanner" TARGET
# Glob multiple categories, exclude one.
sudo nmap --script "default,vuln and not intrusive" TARGET
# Update the local script database (after every nmap upgrade).
sudo nmap --script-updatedb
# Show what a script does before running it.
nmap --script-help http-shellshock

High-value recipes:

Terminal window
# SSL/TLS posture: cipher list, cert expiry, known weak suites.
sudo nmap -sV --script ssl-enum-ciphers,ssl-cert,sslv2,ssl-poodle -p 443 TARGET
# SMB share enumeration on a Windows host / file server.
sudo nmap -p 139,445 --script "smb-enum-shares,smb-os-discovery,smb-vuln-*" TARGET
# HTTP fingerprint pack — title, headers, common dirs, robots, CSP.
sudo nmap -sV --script "http-title,http-headers,http-enum,http-robots.txt,http-security-headers" -p 80,443,8080,8443 TARGET
# DNS recon — zone transfer, NSEC walk, brute subdomains.
sudo nmap -sn --script "dns-zone-transfer,dns-nsec-enum,dns-brute" --script-args dns-brute.domain=example.com TARGET
# Vulnerability sweep (noisy, run only on owned systems).
sudo nmap -sV --script "vuln" TARGET
Terminal window
# Normal stdout + grepable + XML in one go.
sudo nmap -oA scan-baseline TARGET
# produces scan-baseline.nmap, scan-baseline.gnmap, scan-baseline.xml
# Save XML for ndiff or downstream tooling.
sudo nmap -oX scan.xml TARGET
# Live progress on a long scan.
sudo nmap -v --stats-every 30s TARGET
# Diff two scans (great for "what changed since last week").
ndiff scan-baseline.xml scan-new.xml

Convert the XML to HTML for sharing:

Terminal window
xsltproc scan.xml -o scan.html

-T0 (paranoid) through -T5 (insane). Default is -T3.

ProfileUse
-T0IDS evasion, hours-per-port
-T1sneaky, IDS evasion
-T2polite, low bandwidth
-T3normal (default)
-T4aggressive — assume a fast, reliable network
-T5insane — local LAN or willing-to-lose-accuracy

Tunables when -T* isn’t precise enough:

Terminal window
sudo nmap \
--min-rate 1000 --max-rate 5000 \
--min-parallelism 64 --max-parallelism 256 \
--max-retries 2 \
--host-timeout 30m \
--max-rtt-timeout 200ms \
-T4 TARGET
Terminal window
# Source-port spoof — many firewalls trust 53 / 80 / 443 outbound.
sudo nmap --source-port 53 TARGET
sudo nmap -g 53 TARGET
# Fragmented packets — split TCP header across multiple IP fragments.
sudo nmap -f TARGET
sudo nmap --mtu 16 TARGET
# Decoys — N decoy IPs appear to scan alongside your real one.
sudo nmap -D 10.0.0.1,10.0.0.2,ME,10.0.0.4 TARGET
# Proxy chain (limited support — works for TCP connect scans).
sudo nmap --proxies socks4://127.0.0.1:9050 -sT TARGET
# Randomize host order + spoof MAC vendor on the LAN.
sudo nmap --randomize-hosts --spoof-mac Apple TARGET
# Slow IDS-evasion scan (be patient).
sudo nmap -T1 -sS -f --data-length 24 TARGET
Terminal window
# 1. Find live hosts.
sudo nmap -sn -PR -oA inv-live 10.0.0.0/24
# 2. Fast TCP top-1000 against live hosts only.
grep "Status: Up" inv-live.gnmap | awk '{print $2}' > live-hosts.txt
sudo nmap -sS --top-ports 1000 -iL live-hosts.txt -oA inv-tcp
# 3. UDP focus on the usual suspects.
sudo nmap -sU -p 53,67,68,69,123,137,138,161,162,500,514,520,1900,5353 -iL live-hosts.txt -oA inv-udp
Terminal window
sudo nmap -p 80,443,8080,8443,8000,8888,3000,5000,9000 \
-sV -sC \
--script "http-title,http-headers,http-methods,http-enum,http-security-headers,ssl-cert,ssl-enum-ciphers" \
-oA web-triage TARGET
Terminal window
# Stage 1: every TCP port, fast, just to see what's open.
sudo nmap -p- --min-rate 5000 -T4 -oN stage1.txt TARGET
# Stage 2: focus on the open ports from stage 1.
PORTS=$(grep ^[0-9] stage1.txt | cut -d/ -f1 | paste -sd,)
sudo nmap -p "$PORTS" -sC -sV -O -oA stage2 TARGET

Egress-firewall test from inside the network

Section titled “Egress-firewall test from inside the network”
Terminal window
# Which outbound ports actually reach the internet from this host?
sudo nmap -Pn -sS -p- --min-rate 1000 scanme.nmap.org
Terminal window
# Save a daily baseline, alert on drift.
sudo nmap -sS --top-ports 1000 -oX /var/log/nmap/$(date +%F).xml 10.0.0.0/24
ndiff /var/log/nmap/yesterday.xml /var/log/nmap/$(date +%F).xml | tee /var/log/nmap/diff-$(date +%F).txt
Terminal window
nmap -h # built-in help
sudo nmap -sn 10.0.0.0/24 # who's up
sudo nmap -p- TARGET # every TCP port
sudo nmap -sU TARGET # UDP
sudo nmap -sV -sC -O TARGET # service + default NSE + OS
sudo nmap -A TARGET # aggressive (= -sV -sC -O --traceroute)
sudo nmap --script vuln TARGET # known-CVE checks
sudo nmap -oA scan TARGET # save all formats
sudo nmap -T4 --min-rate 1000 TARGET # fast pass

Common failures and the fix.

SymptomCauseFix
You requested a scan type which requires root privileges-sS, -sU, -O, -PE need raw socketsRun with sudo, or fall back to -sT (unprivileged connect scan)
Note: Host seems down. If it is really up, but blocking our ping probes, try -PnHost blocks ICMP/TCP discovery probesAdd -Pn to skip discovery and treat the host as up
All ports show filteredA firewall is dropping probesTry -Pn, a trusted source port (-g 53), or an ACK scan (-sA) to map rules
UDP scan crawls / takes foreverUDP is rate-limited and retransmit-heavyLimit ports (-p 53,161,500), raise --min-rate, add --host-timeout
dnet: Failed to open device ethX / no results on LANWrong interface or no L2 accessPin the interface with -e eth0, or use -Pn to avoid ARP
Failed to resolve "TARGET"DNS lookup failedCheck the hostname, or scan the IP directly and add -n to skip DNS
Scan is accurate but extremely slowDefault timing too polite for the linkRaise to -T4 and set --min-rate; drop -A/-O if you don’t need them
NSE: 'X' did not match a category, filename, or directoryScript DB is stale or the name is wrongRun sudo nmap --script-updatedb; verify with nmap --script-help X

Nmap is the most accurate all-rounder, but it’s not the fastest at internet scale. Pick the right tool, then hand off to Nmap for the deep pass.

ToolStrengthTrade-off
NmapAccuracy, NSE scripts, version + OS detectionSlower on huge ranges
masscanAsynchronous, scans the whole IPv4 internet in minutesNo version detection, accuracy drops at high rates
RustScanFast port discovery, then auto-pipes into NmapJust a front-end; still needs Nmap for depth
ZMapSingle-port internet-wide research scanningBuilt for one port at a time, not host audits
naabuFast SYN/CONNECT discovery, scriptable pipelinesDiscovery only, no service fingerprinting

A common pattern: discover open ports fast, then deep-scan only those.

Terminal window
# masscan finds open ports fast, Nmap fingerprints them accurately.
sudo masscan -p1-65535 TARGET --rate 10000 -oG masscan.gnmap
PORTS=$(grep -oP 'Ports: \K[0-9]+' masscan.gnmap | sort -un | paste -sd,)
sudo nmap -p "$PORTS" -sC -sV -O TARGET

Is it legal to use Nmap? Nmap itself is legal, but scanning networks you don’t own or lack written permission to scan is illegal in most jurisdictions. Stick to your own infrastructure, CTF ranges (HackTheBox / TryHackMe), scanme.nmap.org, and engagements with a signed scope.

What is the difference between an -sS and -sT scan? -sS is a TCP SYN (half-open) scan that never finishes the handshake — fast and stealthier, but root-only. -sT is a full TCP connect() scan that completes the handshake; it works unprivileged but is slower and noisier.

How do I scan all 65535 ports? Use -p-, e.g. sudo nmap -p- TARGET. For speed, add a rate floor and timing template: sudo nmap -p- --min-rate 5000 -T4 TARGET.

What is the Nmap Scripting Engine (NSE)? NSE runs Lua scripts for advanced discovery, version detection, vulnerability checks and brute forcing. Scripts are grouped into categories (default, safe, vuln, intrusive, …) and run via --script, e.g. sudo nmap --script vuln TARGET.

What does filtered mean, and how is it different from closed? closed means the port is reachable but nothing is listening. filtered means a firewall dropped the probe, so Nmap can’t tell open from closed. Filtered almost always means a firewall — re-probe with -Pn, a trusted source port (-g 53), or an ACK scan (-sA).

How do I detect service versions and the OS? Use -sV for service/version detection and -O for OS fingerprinting. The -A flag bundles both with default scripts and traceroute (-sV -sC -O --traceroute).

  • Ncat ships with Nmap — TCP/UDP swiss army knife, replaces nc.
    Terminal window
    ncat -lvnp 4444 # listen on TCP/4444
    ncat --ssl example.com 443 # TLS client
  • Nping — packet crafter, for ad-hoc ICMP/TCP/UDP/ARP probes.
    Terminal window
    sudo nping --tcp -p 443 --flags syn -c 5 TARGET
  • Ndiff — compare two XML scans (already shown under Output).
  • Zenmap — official GUI; useful for first-time users + saved scan profiles.