Nmap Cheat Sheet in 2023 – A Beginner’s Guide to Nmap


Nmap is an effective network scanning tool used by security professionals for various purposes.

For optimal use of Nmap, it’s essential to be familiar with its syntax and command structure. This cheat sheet covers some of the key commands and examples to assist in effectively using Nmap.

Target Specification

Nmap (Network Mapper) is one of the most well-known and frequently utilized network scanners available today, used both by cybersecurity professionals as well as novice users to scan local and remote ports, hosts, and networks in order to audit and discover information such as open ports.

nmap a single IP
nmap specific IPs
nmap a range
nmap scanme.nmap.orgScan a domain
nmap using CIDR notation
-iLnmap -iL targets.txtScan targets from a file
-iRnmap -iR 100Scan 100 random hosts
–excludenmap –exclude listed hosts

Nmap’s Target Specification is an integral element of its scanning process, as it determines which targets to scan as part of its scanning process and provides useful data about each target such as service version detection and OS detection as well as traceroute information.

Target specifications can include hostname or IP addresses, or ranges separated by commas, as well as port ranges such as 1-20 (e.g. “-p 1-20 “target>”, which causes Nmap to scan for 20 available ports on that host).

The port table provides information on open, filtered and closed ports as well as any ports Nmap cannot identify. Security engineers often find this data valuable because it reveals services running on targets.

Nmap Scan Techniques

Nmap is a network discovery and security auditing tool that uses raw IP packets to detect hosts and services on a network, along with operating systems, application versions, packet filters/firewalls used and network security policies in place.

-sSnmap -sSTCP SYN port scan (Default)
-sTnmap -sTTCP connect port scan (Default without root privilege)
-sUnmap -sUUDP port scan
-sAnmap -sATCP ACK port scan
-sWnmap -sWTCP Window port scan
-sMnmap -sMTCP Maimon port scan

Nmap offers several customizable scanning options to help tailor the scan. For instance, using timing templates to control speed or OS detection to identify targets can help make the most out of a scan.

Port Scanning

One of the key techniques offered by Nmap is port scanning, which uses Nmap’s distributed database of services names to assess whether any ports on a target host have opened or closed states and service names from those ports. Nmap returns open/closed states as well as service name information when performing this scan.

Nmap can make port scanning more efficient by using small fragmented IP packets that make it harder for packet filters and intrusion detection systems to recognize its scans, as well as decoys that make it appear that other hosts are scanning the target network.

Host Discovery

Nmap is an advanced network scanning tool used by security professionals to identify hosts and services on computer networks. It offers many features that help users enumerate services and versions, test for known vulnerabilities, brute force credentials and discover operating system information.

-sLnmap -sLNo Scan. List targets only
-snnmap -snDisable port scanning. Host discovery only.
-Pnnmap -PnDisable host discovery. Port scan only.
-PSnmap -PS22-25,80TCP SYN discovery on port x.
Port 80 by default
-PAnmap -PA22-25,80TCP ACK discovery on port x.
Port 80 by default
-PUnmap -PU53UDP discovery on port x.
Port 40125 by default
-PRnmap -PRARP discovery on local network
-nnmap -nNever do DNS resolution

Nmap can execute scripts to gather additional information about targets. This process, known as host discovery, marks the initial stage in any Nmap scan.

Nmap can send pings to various IP addresses and evaluate the response, scan for open ports, identify OS and hardware characteristics of network devices and identify open ports.

Nmap allows you to specify how many hosts to scan simultaneously, and set a timeout that lets it wait for each host in its target network to complete scanning before stopping; this feature provides the optimal balance of speed and stealth when conducting network scans.

Port Specification

Nmap is the go-to port scanner and offers plenty of options, but can be challenging to use for those unfamiliar with its commands and features.

An Nmap cheat sheet can help you learn about its functions and capabilities so that you can optimize your scans using Nmap. This cheat sheet covers the essentials of this tool with practical examples.

-pnmap -p 21Port scan for port x
-pnmap -p 21-100Port range
-pnmap -p U:53,T:21-25,80Port scan multiple TCP and UDP ports
-pnmap -p-Port scan all ports
-pnmap -p http,httpsPort scan from service name
-Fnmap -FFast port scan (100 ports)
–top-portsnmap –top-ports 2000Port scan the top x ports
-p-65535nmap -p-65535Leaving off initial port in range makes the scan start at port 1
-p0-nmap -p0-Leaving off end port in range
makes the scan go through to port 65535

Nmap offers several useful command line options to configure datagram transmission using its port scanning service, with one being -p, which specifies a port to which datagrams should be sent. You may specify a single port, comma-separated list of ports or any range from 1-1023 as you see fit.

Nmap command-line options such as -g, which sets the source port; -b, which adjusts bad sum; and -f enable grepable output for targets located on an XML file. Nping offers another useful feature allowing you to specify TCP window size which specifies how many bytes of traffic it accepts per time – this option may prove particularly helpful when scanning large networks that allocate an extensive buffer space.

Service and Version Detection

Nmap is an invaluable tool used for network discovery and security auditing, making it invaluable for network administrators looking to monitor servers, service upgrade schedules and more.

Nmap provides many features to detect hosts and services on a computer network by sending packets out and analyzing their responses, such as host discovery (list of hosts that respond to TCP/ICMP requests with specific port open), port scanning and operating system detection.

-sVnmap -sVAttempts to determine the version of the service running on port
-sV –version-intensitynmap -sV –version-intensity 8Intensity level 0 to 9. Higher number increases possibility of correctness
-sV –version-lightnmap -sV –version-lightEnable light mode. Lower possibility of correctness. Faster
-sV –version-allnmap -sV –version-allEnable intensity level 9. Higher possibility of correctness. Slower
-Anmap -AEnables OS detection, version detection, script scanning, and traceroute

OS detection refers to the process of identifying operating system and hardware characteristics on network devices. It can help identify vulnerabilities or misconfigurations which could be exploited during cyber attacks.

Nmap Cheat Sheet is an organized compilation of Nmap commands designed as a cheat sheet style documentation format, featuring some of the more important ones used by Ethical Hackers and Penetration Testers.

OS Detection

Nmap Cheat Sheet’s most potent feature is OS detection, which can identify both the operating system and version running on a host by analysing network traffic and other sources of data.

-Onmap -ORemote OS detection using TCP/IP stack fingerprinting
-O –osscan-limitnmap -O –osscan-limitIf at least one open and one closed TCP port are not found it will not try OS detection against host
-O –osscan-guessnmap -O –osscan-guessMakes Nmap guess more aggressively
-O –max-os-triesnmap -O –max-os-tries 1Set the maximum number x of OS detection tries against a target
-Anmap -AEnables OS detection, version detection, script scanning, and traceroute

This feature can assist in quickly and effectively conducting penetration tests by providing information about the operating system running on a target, making the testing more accurate and identifying vulnerable services and security holes on networks more readily.

Add the -O flag to your Nmap command in order to enable this. This will instruct Nmap to use both OS and version detection techniques when scanning targets.

Additionally, you can configure Nmap to run up to five OS detection attempts by default; you may reduce this value in order to speed up its scans.

The output generated from using the -o and -o-v options will provide more details about scanned targets, including whether they’re up or down, what port type was open for them and how long their scan took. Developers may find using this debugging output useful.

Timing and Performance

Timing can have a significant impact on how quickly a scan completes. Nmap uses an advanced dynamic timing algorithm to select optimal speeds at which to send probes out; this can significantly decrease scanning times.

However, this system is far from perfect and can lead to errors if the network is unreliable or slow. That is where the -host-timeout option comes into play.

-T0nmap -T0Paranoid (0) Intrusion Detection System evasion
-T1nmap -T1Sneaky (1) Intrusion Detection System evasion
-T2nmap -T2Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3nmap -T3Normal (3) which is default speed
-T4nmap -T4Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5nmap -T5Insane (5) speeds scan; assumes you are on an extraordinarily fast network

This option instructs Nmap to terminate its probe on an inactive port after the specified amount of time if it doesn’t receive any response to its probe, saving time on unreliable networks and decreasing retransmissions necessary to distinguish open ports that have been blocked or closed off.

This option should only be selected when your network is relatively fast and reliable; otherwise, it could cause Nmap to scan slower than anticipated.

Timing and Performance Switches

Nmap provides various timing and performance switches that can make scanning faster, as well as fine-grained controls to further increase performance. You can combine these options for optimal results.

The –defeat-rst-ratelimit option trades accuracy for speed by increasing UDP scanning speed against hosts that rate-limit ICMP error messages such as port unreachability errors. Nmap will also bypass RST packets it generates to reset those rates, which may prove especially helpful in networks known for being unstable.

–host-timeout <time>1s; 4m; 2hGive up on target after this long
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>1s; 4m; 2hSpecifies probe round trip time
–min-hostgroup/max-hostgroup <size<size>50; 1024Parallel host scan group sizes
–min-parallelism/max-parallelism <numprobes>10; 1Probe parallelization
–max-retries <tries>3Specify the maximum number of port scan probe retransmissions
–min-rate <number>100Send packets no slower than <number> per second
–max-rate <number>100Send packets no faster than <number> per second

–scan-delay allows you to set a delay between each probe Nmap sends to a target computer, helping speed up scan times on Solaris machines which only respond to single ICMP messages per second.

Finally, –min-rtt-timeout limits the maximum time Nmap will wait for network responses for any specific request. While this feature is rarely employed in practice, it can be extremely useful when scanning networks that are highly unreliable.

Nmap offers six timing templates that correspond to each scanning mode: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.