Nmap Cheatsheet: Commands, Examples & Tutorials
Information
Section titled “Information”Nmap (“Network Mapper”) is an open-source utility for host discovery, port scanning, service detection, OS fingerprinting and scriptable probes via the Nmap Scripting Engine (NSE). It’s the default tool in every pentest playbook and the first thing oncall reaches for when “is the firewall actually doing what we think.”
Install
Section titled “Install”sudo apt update && sudo apt install -y nmapsudo dnf install -y nmapsudo pacman -S nmapbrew install nmap# Official installer ships Nmap + Zenmap GUI + Ncat + Npingwinget install -e --id Insecure.NmapConfirm the version + NSE script database location:
nmap --versionnmap --script-help all | headTarget Specification
Section titled “Target Specification”Across every command below, replace TARGET with one or more of:
- A single host:
10.0.0.5orscanme.nmap.org - A CIDR block:
10.0.0.0/24 - A range:
10.0.0.1-50or10.0.0,1,2.1-10 - A file of targets:
-iL targets.txt - Exclusions:
--exclude 10.0.0.1or--excludefile skip.txt
# Random 100 hosts on the public internet (research only).sudo nmap -sn -iR 100Host Discovery
Section titled “Host Discovery”Find live hosts without doing a port scan first.
| Flag | What it does |
|---|---|
-sn | ”ping scan” — host discovery, skip port scan |
-Pn | skip discovery, treat every host as up |
-PE | ICMP echo (requires root) |
-PS22,80,443 | TCP SYN ping on listed ports |
-PA22,80,443 | TCP ACK ping |
-PU53,161 | UDP ping on listed ports |
-PR | ARP ping (LAN-only, fastest + most reliable on the local subnet) |
-n | skip reverse-DNS for every hit (a lot faster on /16+) |
# Ping sweep of a /24, no port scan, no DNS.sudo nmap -sn -n 10.0.0.0/24
# ARP sweep on a local subnet — bypasses host firewall ICMP filters.sudo nmap -PR -sn 192.168.1.0/24
# Assume the host is up (some hosts block all ICMP / TCP probes).sudo nmap -Pn TARGETPort Scanning
Section titled “Port Scanning”The shape of the scan is what makes Nmap fast or slow.
| Flag | Scan type | When to use |
|---|---|---|
-sS | TCP SYN (half-open) | default, fast, root only |
-sT | TCP connect() | unprivileged or when SYN drops are noisy |
-sU | UDP | DNS / SNMP / NTP / VoIP gear |
-sA | TCP ACK | map firewall rule sets (stateful vs stateless) |
-sN -sF -sX | TCP Null / FIN / Xmas | bypass naïve stateless firewalls |
-sY | SCTP INIT | telecom / SS7 gear |
Port specifications:
# Top 1000 TCP ports (default).sudo nmap TARGET
# Top 100 — fastest useful pass.sudo nmap --top-ports 100 TARGET
# Every TCP port.sudo nmap -p- TARGET
# Specific ports / ranges / names.sudo nmap -p 22,80,443,1000-2000,http* TARGET
# Both TCP and UDP, every port.sudo nmap -sU -sS -p0-65535 TARGET
# Only show open ports in the output (great for diff'ing scans).sudo nmap --open TARGETUnderstanding Scan Results
Section titled “Understanding Scan Results”Nmap reports one of six states per port. Knowing the difference between
closed and filtered is the single most useful skill when reading output.
| State | Meaning |
|---|---|
open | An application is actively accepting connections on the port |
closed | Port is reachable (host replied) but no application is listening |
filtered | A firewall/filter dropped the probe — Nmap can’t tell open vs closed |
unfiltered | Port is reachable but Nmap can’t tell open vs closed (ACK scan) |
| `open | filtered` |
| `closed | filtered` |
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.680/tcp open http nginx 1.18.0443/tcp filtered https3306/tcp closed mysqlService & Version Detection
Section titled “Service & Version Detection”# -sV probes open ports and labels them with banner + version.sudo nmap -sV TARGET
# Stack version detection with default NSE scripts and OS guess.sudo nmap -A TARGET # = -sV -sC -O --traceroute
# Tighter probe (faster, less accurate) vs aggressive (slower, more accurate).sudo nmap -sV --version-intensity 0 TARGET # light banner onlysudo nmap -sV --version-intensity 9 TARGET # every probesudo nmap -sV --version-all TARGET # same as intensity 9OS Detection
Section titled “OS Detection”# Active OS fingerprint (root only, needs at least one open + one closed port).sudo nmap -O TARGET
# Be conservative — only print a guess when confidence is high.sudo nmap -O --osscan-limit TARGET
# Guess aggressively (useful for filtered hosts).sudo nmap -O --osscan-guess TARGETNSE — Nmap Scripting Engine
Section titled “NSE — Nmap Scripting Engine”NSE scripts live in /usr/share/nmap/scripts/ (Linux) or
/opt/homebrew/share/nmap/scripts/ (macOS, Apple Silicon). Categories:
auth, broadcast, brute, default, discovery, dos, exploit,
external, fuzzer, intrusive, malware, safe, version, vuln.
# Run all "default" scripts — same as the -sC in -A.sudo nmap -sC TARGET
# Run every "safe" script.sudo nmap --script "safe" TARGET
# All vuln-detection scripts.sudo nmap --script "vuln" TARGET
# A specific script with arguments.sudo nmap --script http-title --script-args http.useragent="kbve-scanner" TARGET
# Glob multiple categories, exclude one.sudo nmap --script "default,vuln and not intrusive" TARGET
# Update the local script database (after every nmap upgrade).sudo nmap --script-updatedb
# Show what a script does before running it.nmap --script-help http-shellshockHigh-value recipes:
# SSL/TLS posture: cipher list, cert expiry, known weak suites.sudo nmap -sV --script ssl-enum-ciphers,ssl-cert,sslv2,ssl-poodle -p 443 TARGET
# SMB share enumeration on a Windows host / file server.sudo nmap -p 139,445 --script "smb-enum-shares,smb-os-discovery,smb-vuln-*" TARGET
# HTTP fingerprint pack — title, headers, common dirs, robots, CSP.sudo nmap -sV --script "http-title,http-headers,http-enum,http-robots.txt,http-security-headers" -p 80,443,8080,8443 TARGET
# DNS recon — zone transfer, NSEC walk, brute subdomains.sudo nmap -sn --script "dns-zone-transfer,dns-nsec-enum,dns-brute" --script-args dns-brute.domain=example.com TARGET
# Vulnerability sweep (noisy, run only on owned systems).sudo nmap -sV --script "vuln" TARGETOutput & Reporting
Section titled “Output & Reporting”# Normal stdout + grepable + XML in one go.sudo nmap -oA scan-baseline TARGET# produces scan-baseline.nmap, scan-baseline.gnmap, scan-baseline.xml
# Save XML for ndiff or downstream tooling.sudo nmap -oX scan.xml TARGET
# Live progress on a long scan.sudo nmap -v --stats-every 30s TARGET
# Diff two scans (great for "what changed since last week").ndiff scan-baseline.xml scan-new.xmlConvert the XML to HTML for sharing:
xsltproc scan.xml -o scan.htmlTiming & Performance
Section titled “Timing & Performance”-T0 (paranoid) through -T5 (insane). Default is -T3.
| Profile | Use |
|---|---|
-T0 | IDS evasion, hours-per-port |
-T1 | sneaky, IDS evasion |
-T2 | polite, low bandwidth |
-T3 | normal (default) |
-T4 | aggressive — assume a fast, reliable network |
-T5 | insane — local LAN or willing-to-lose-accuracy |
Tunables when -T* isn’t precise enough:
sudo nmap \ --min-rate 1000 --max-rate 5000 \ --min-parallelism 64 --max-parallelism 256 \ --max-retries 2 \ --host-timeout 30m \ --max-rtt-timeout 200ms \ -T4 TARGETFirewall & IDS Evasion
Section titled “Firewall & IDS Evasion”# Source-port spoof — many firewalls trust 53 / 80 / 443 outbound.sudo nmap --source-port 53 TARGETsudo nmap -g 53 TARGET
# Fragmented packets — split TCP header across multiple IP fragments.sudo nmap -f TARGETsudo nmap --mtu 16 TARGET
# Decoys — N decoy IPs appear to scan alongside your real one.sudo nmap -D 10.0.0.1,10.0.0.2,ME,10.0.0.4 TARGET
# Proxy chain (limited support — works for TCP connect scans).sudo nmap --proxies socks4://127.0.0.1:9050 -sT TARGET
# Randomize host order + spoof MAC vendor on the LAN.sudo nmap --randomize-hosts --spoof-mac Apple TARGET
# Slow IDS-evasion scan (be patient).sudo nmap -T1 -sS -f --data-length 24 TARGETCommon Recipes
Section titled “Common Recipes”Internal subnet inventory
Section titled “Internal subnet inventory”# 1. Find live hosts.sudo nmap -sn -PR -oA inv-live 10.0.0.0/24
# 2. Fast TCP top-1000 against live hosts only.grep "Status: Up" inv-live.gnmap | awk '{print $2}' > live-hosts.txtsudo nmap -sS --top-ports 1000 -iL live-hosts.txt -oA inv-tcp
# 3. UDP focus on the usual suspects.sudo nmap -sU -p 53,67,68,69,123,137,138,161,162,500,514,520,1900,5353 -iL live-hosts.txt -oA inv-udpWeb-server triage
Section titled “Web-server triage”sudo nmap -p 80,443,8080,8443,8000,8888,3000,5000,9000 \ -sV -sC \ --script "http-title,http-headers,http-methods,http-enum,http-security-headers,ssl-cert,ssl-enum-ciphers" \ -oA web-triage TARGETCTF / HackTheBox first contact
Section titled “CTF / HackTheBox first contact”# Stage 1: every TCP port, fast, just to see what's open.sudo nmap -p- --min-rate 5000 -T4 -oN stage1.txt TARGET
# Stage 2: focus on the open ports from stage 1.PORTS=$(grep ^[0-9] stage1.txt | cut -d/ -f1 | paste -sd,)sudo nmap -p "$PORTS" -sC -sV -O -oA stage2 TARGETEgress-firewall test from inside the network
Section titled “Egress-firewall test from inside the network”# Which outbound ports actually reach the internet from this host?sudo nmap -Pn -sS -p- --min-rate 1000 scanme.nmap.orgContinuous monitoring (cron + ndiff)
Section titled “Continuous monitoring (cron + ndiff)”# Save a daily baseline, alert on drift.sudo nmap -sS --top-ports 1000 -oX /var/log/nmap/$(date +%F).xml 10.0.0.0/24ndiff /var/log/nmap/yesterday.xml /var/log/nmap/$(date +%F).xml | tee /var/log/nmap/diff-$(date +%F).txtQuick Reference
Section titled “Quick Reference”nmap -h # built-in helpsudo nmap -sn 10.0.0.0/24 # who's upsudo nmap -p- TARGET # every TCP portsudo nmap -sU TARGET # UDPsudo nmap -sV -sC -O TARGET # service + default NSE + OSsudo nmap -A TARGET # aggressive (= -sV -sC -O --traceroute)sudo nmap --script vuln TARGET # known-CVE checkssudo nmap -oA scan TARGET # save all formatssudo nmap -T4 --min-rate 1000 TARGET # fast passTroubleshooting
Section titled “Troubleshooting”Common failures and the fix.
| Symptom | Cause | Fix |
|---|---|---|
You requested a scan type which requires root privileges | -sS, -sU, -O, -PE need raw sockets | Run with sudo, or fall back to -sT (unprivileged connect scan) |
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn | Host blocks ICMP/TCP discovery probes | Add -Pn to skip discovery and treat the host as up |
All ports show filtered | A firewall is dropping probes | Try -Pn, a trusted source port (-g 53), or an ACK scan (-sA) to map rules |
| UDP scan crawls / takes forever | UDP is rate-limited and retransmit-heavy | Limit ports (-p 53,161,500), raise --min-rate, add --host-timeout |
dnet: Failed to open device ethX / no results on LAN | Wrong interface or no L2 access | Pin the interface with -e eth0, or use -Pn to avoid ARP |
Failed to resolve "TARGET" | DNS lookup failed | Check the hostname, or scan the IP directly and add -n to skip DNS |
| Scan is accurate but extremely slow | Default timing too polite for the link | Raise to -T4 and set --min-rate; drop -A/-O if you don’t need them |
NSE: 'X' did not match a category, filename, or directory | Script DB is stale or the name is wrong | Run sudo nmap --script-updatedb; verify with nmap --script-help X |
Nmap vs Other Scanners
Section titled “Nmap vs Other Scanners”Nmap is the most accurate all-rounder, but it’s not the fastest at internet scale. Pick the right tool, then hand off to Nmap for the deep pass.
| Tool | Strength | Trade-off |
|---|---|---|
| Nmap | Accuracy, NSE scripts, version + OS detection | Slower on huge ranges |
| masscan | Asynchronous, scans the whole IPv4 internet in minutes | No version detection, accuracy drops at high rates |
| RustScan | Fast port discovery, then auto-pipes into Nmap | Just a front-end; still needs Nmap for depth |
| ZMap | Single-port internet-wide research scanning | Built for one port at a time, not host audits |
| naabu | Fast SYN/CONNECT discovery, scriptable pipelines | Discovery only, no service fingerprinting |
A common pattern: discover open ports fast, then deep-scan only those.
# masscan finds open ports fast, Nmap fingerprints them accurately.sudo masscan -p1-65535 TARGET --rate 10000 -oG masscan.gnmapPORTS=$(grep -oP 'Ports: \K[0-9]+' masscan.gnmap | sort -un | paste -sd,)sudo nmap -p "$PORTS" -sC -sV -O TARGETIs it legal to use Nmap?
Nmap itself is legal, but scanning networks you don’t own or lack written
permission to scan is illegal in most jurisdictions. Stick to your own
infrastructure, CTF ranges (HackTheBox / TryHackMe), scanme.nmap.org, and
engagements with a signed scope.
What is the difference between an -sS and -sT scan?
-sS is a TCP SYN (half-open) scan that never finishes the handshake — fast
and stealthier, but root-only. -sT is a full TCP connect() scan that
completes the handshake; it works unprivileged but is slower and noisier.
How do I scan all 65535 ports?
Use -p-, e.g. sudo nmap -p- TARGET. For speed, add a rate floor and timing
template: sudo nmap -p- --min-rate 5000 -T4 TARGET.
What is the Nmap Scripting Engine (NSE)?
NSE runs Lua scripts for advanced discovery, version detection, vulnerability
checks and brute forcing. Scripts are grouped into categories (default,
safe, vuln, intrusive, …) and run via --script, e.g.
sudo nmap --script vuln TARGET.
What does filtered mean, and how is it different from closed?
closed means the port is reachable but nothing is listening. filtered
means a firewall dropped the probe, so Nmap can’t tell open from closed.
Filtered almost always means a firewall — re-probe with -Pn, a trusted
source port (-g 53), or an ACK scan (-sA).
How do I detect service versions and the OS?
Use -sV for service/version detection and -O for OS fingerprinting. The
-A flag bundles both with default scripts and traceroute
(-sV -sC -O --traceroute).
Related Companions
Section titled “Related Companions”- Ncat ships with Nmap — TCP/UDP swiss army knife, replaces
nc.Terminal window ncat -lvnp 4444 # listen on TCP/4444ncat --ssl example.com 443 # TLS client - Nping — packet crafter, for ad-hoc ICMP/TCP/UDP/ARP probes.
Terminal window sudo nping --tcp -p 443 --flags syn -c 5 TARGET - Ndiff — compare two XML scans (already shown under Output).
- Zenmap — official GUI; useful for first-time users + saved scan profiles.
