Nmap Cheat Sheet in 2023 – A Beginner’s Guide to Nmap


Nmap is an effective network scanning tool used by security professionals for various purposes.

For optimal use of Nmap, it’s essential to be familiar with its syntax and command structure. This cheat sheet covers some of the key commands and examples to assist in effectively using Nmap.

Target Specification

Nmap (Network Mapper) is one of the best-known and most widely used network scanners. Security professionals and newcomers alike use it to enumerate hosts, ports and services on local and remote networks, for example to audit which ports are open and what is listening on them.

nmap 192.168.1.1 Scan a single IP
nmap 192.168.1.1 192.168.2.1 Scan specific IPs
nmap 192.168.1.1-254 Scan a range
nmap scanme.nmap.org Scan a domain
nmap 192.168.1.0/24 Scan using CIDR notation
-iL nmap -iL targets.txt Scan targets from a file
-iR nmap -iR 100 Scan 100 random hosts
--exclude nmap --exclude 192.168.1.1 Exclude listed hosts

Target specification tells Nmap which hosts to scan. It does not by itself produce version, OS or traceroute data; those come from the detection options (-sV, -O, --traceroute) applied to the hosts selected here.

Targets may be given as hostnames, IP addresses, CIDR blocks or octet ranges, separated by spaces on the command line. Ports are chosen separately with -p; for example "-p 1-20 target" scans ports 1 through 20 on that host.

For each scanned host Nmap prints a port table listing the port number and protocol, its state and the service name. The states are open, closed, filtered, unfiltered, open|filtered and closed|filtered; the last three mean Nmap could not determine the exact state, usually because a firewall dropped the probes. Security engineers rely on this table because it shows which services are reachable on each target.
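The target forms in the table above follow a small grammar (single address, octet ranges such as 192.168.1.1-254 or 192.168.3-5,7.1, the * wildcard, CIDR blocks, and --exclude applied afterwards). The following Python is an added example written for this cheat sheet, not Nmap's own code; it expands those IPv4 forms into the address list Nmap would scan. Hostnames are passed through unresolved so it runs offline, whereas real Nmap would resolve them through DNS.

```python
"""Expand Nmap-style IPv4 target specifications into individual addresses.

Added example for this cheat sheet, not Nmap's own code. Hostnames are
passed through unresolved (an assumption for this offline demo; Nmap would
resolve them via DNS).
"""
import ipaddress
import itertools
from typing import Iterable, List


def _octet_values(field: str) -> List[int]:
    """One dotted-quad field: '7', '1-254', '*', or a comma list such as '3-5,7'."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        lo, dash, hi = part.partition("-")
        start = int(lo)
        end = int(hi) if dash else start
        if not 0 <= start <= end <= 255:
            raise ValueError(f"octet range out of bounds: {field!r}")
        values.extend(range(start, end + 1))
    return sorted(set(values))


def expand_target(spec: str) -> List[str]:
    """Expand a single target argument as nmap receives it on the command line."""
    if "/" in spec:
        # CIDR: Nmap scans every address in the block, including the network
        # and broadcast addresses, so 192.168.1.0/24 yields 256 targets.
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) == 4:
        try:
            octets = [_octet_values(f) for f in fields]
        except ValueError:
            pass  # not numeric; fall through and treat it as a hostname
        else:
            # product() varies the last octet fastest: 192.168.3-5.1 -> .3.1, .4.1, .5.1
            return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    return [spec]  # hostname such as scanme.nmap.org; left unresolved here


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every target spec, then drop anything matched by the --exclude specs."""
    excluded = set(itertools.chain.from_iterable(expand_target(e) for e in exclude))
    return [addr for spec in specs for addr in expand_target(spec) if addr not in excluded]


if __name__ == "__main__":
    # Equivalent of: nmap 192.168.1.1-4 10.0.0.0/30 --exclude 192.168.1.2-3
    for addr in expand_targets(["192.168.1.1-4", "10.0.0.0/30"], exclude=["192.168.1.2-3"]):
        print(addr)
```

Running the block prints the six addresses that command would actually probe; the exclusion is applied after expansion, exactly as with --exclude, so a range can be carved out of a larger range.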

Nmap Scan Techniques

Nmap is a network discovery and security auditing tool that uses raw IP packets to detect hosts and services on a network, along with operating systems, application versions, packet filters/firewalls used and network security policies in place.

-sS nmap -sS TCP SYN port scan (Default)
-sT nmap -sT TCP connect port scan (Default without root privilege)
-sU nmap -sU UDP port scan
-sA nmap -sA TCP ACK port scan
-sW nmap -sW TCP Window port scan
-sM nmap -sM TCP Maimon port scan

Nmap offers several customizable scanning options to help tailor the scan. For instance, using timing templates to control speed or OS detection to identify targets can help make the most out of a scan.

Port Scanning

Port scanning is Nmap's core function. The state of each port (open, closed, filtered, and so on) is determined from how the target answers Nmap's probes; the service name printed beside it comes from the nmap-services database, which maps well-known port numbers to service names, unless -sV is used to probe the listening service directly.

Nmap also offers evasion options: -f splits probes into small fragmented IP packets that some packet filters and intrusion detection systems fail to reassemble, and -D lists decoy addresses so the target sees the scan apparently coming from several hosts at once. These options do not make a scan faster; they trade speed and reliability for a lower chance of detection.
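The port table is easiest to work with programmatically from grepable output (-oG). The following Python is an added example written for this cheat sheet, not Nmap's own code: it parses the Host:/Status:/Ports: lines that "nmap -oG -" emits, splits each port entry into its seven slash-separated fields (port/state/protocol/owner/service/rpc info/version) and separates ports that are confirmed open from open|filtered and filtered ones, which is the distinction that matters when reviewing the table. SAMPLE_GNMAP is constructed for the example and is not a real scan.

```python
"""Parse Nmap grepable (-oG) output into per-host port tables.

Added example for this cheat sheet, not Nmap's own code. SAMPLE_GNMAP is a
constructed sample shaped like `nmap -sS -sU -sV -oG -` output, not a real scan.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  2 09:00:00 2023 as: nmap -sS -sU -sV -oG - 192.168.1.10 192.168.1.11
Host: 192.168.1.10 (db.lab.internal)\tStatus: Up
Host: 192.168.1.10 (db.lab.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/closed/tcp//https///, 3306/open/tcp//mysql//MySQL 8.0.33/, 161/open|filtered/udp//snmp///\tIgnored State: filtered (996)
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//nginx 1.24.0/\tIgnored State: closed (998)
# Nmap done at Mon Jan  2 09:00:09 2023 -- 2 IP addresses (2 hosts up) scanned in 9.13 seconds
"""

# Every state Nmap prints; the '|' forms mean Nmap could not decide between the two.
PORT_STATES = {"open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str      # tcp, udp or sctp
    state: str      # one of PORT_STATES
    service: str    # nmap-services name, or the -sV identified service
    version: str    # empty unless -sV identified the product


def parse_gnmap(text: str) -> Dict[str, List[PortResult]]:
    """Return {ip: [PortResult, ...]} for every host that appears in the output."""
    results: Dict[str, List[PortResult]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:                      # '# Nmap ...' comment lines and blanks
            continue
        ip = match.group(1)
        results.setdefault(ip, [])         # a 'Status: Up' line registers the host
        # The remaining tab-separated fields look like 'Ports: ...' or 'Ignored State: ...'
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state not in PORT_STATES:
                raise ValueError(f"unexpected port state {state!r} in {entry!r}")
            results[ip].append(PortResult(int(port), proto, state, service, version))
    return results


def open_ports(results: Dict[str, List[PortResult]], ip: str) -> List[str]:
    """Ports confirmed open on one host, e.g. ['22/tcp', '3306/tcp']; open|filtered is excluded."""
    ordered = sorted(results.get(ip, []), key=lambda r: (r.proto, r.port))
    return [f"{r.port}/{r.proto}" for r in ordered if r.state == "open"]


def hosts_exposing(results: Dict[str, List[PortResult]], service: str) -> List[str]:
    """Hosts on which the named service is open; filtered or closed instances do not count."""
    return sorted(ip for ip, ports in results.items()
                  if any(r.service == service and r.state == "open" for r in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip in scan:
        print(ip, open_ports(scan, ip))
    print("ssh reachable on:", hosts_exposing(scan, "ssh"))
```

Note that 22/tcp on 192.168.1.11 is filtered and 161/udp on 192.168.1.10 is only open|filtered, so neither is reported as exposed; treating those states as open is a common mistake when post-processing scan output.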

Host Discovery

Nmap is an advanced network scanning tool used by security professionals to identify hosts and services on computer networks. It offers many features that help users enumerate services and versions, test for known vulnerabilities, brute force credentials and discover operating system information.

-sL nmap -sL No scan; list targets only
-sn nmap -sn Disable port scanning; host discovery only
-Pn nmap -Pn Disable host discovery; port scan only (treat every host as up)
-PS nmap -PS22-25,80 TCP SYN discovery on the given ports (port 80 by default)
-PA nmap -PA22-25,80 TCP ACK discovery on the given ports (port 80 by default)
-PU nmap -PU53 UDP discovery on the given ports (port 40125 by default)
-PR nmap -PR ARP discovery on the local network
-n nmap -n Never do DNS resolution

Host discovery is the first stage of any Nmap scan: it decides which of the specified targets are up before any ports are scanned. By default a privileged user sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; on a local Ethernet segment Nmap uses ARP requests instead, because they are faster and more reliable. An unprivileged user falls back to TCP connect() attempts to ports 80 and 443. Hosts that do not answer are skipped unless -Pn is given.

The -PS, -PA, -PU and -PR options above replace that default probe set, and -n skips reverse DNS lookups, which both speeds up the scan and avoids revealing the target list to a DNS server.

The --min-hostgroup/--max-hostgroup options control how many hosts are scanned in parallel, and --host-timeout makes Nmap give up on a host that takes too long. These trade speed against completeness; they are not stealth features.

Port Specification

Nmap is the go-to port scanner and offers plenty of options, but can be challenging to use for those unfamiliar with its commands and features.

An Nmap cheat sheet can help you learn about its functions and capabilities so that you can optimize your scans using Nmap. This cheat sheet covers the essentials of this tool with practical examples.

-p nmap -p 21 Port scan a single port
-p nmap -p 21-100 Port range
-p nmap -p U:53,T:21-25,80 Scan a mix of TCP and UDP ports
-p nmap -p- Scan all ports (1-65535)
-p nmap -p http,https Scan ports by service name
-F nmap -F Fast scan (100 most common ports)
--top-ports nmap --top-ports 2000 Scan the x most common ports
-p-65535 nmap -p-65535 Leaving off the initial port makes the range start at port 1
-p0- nmap -p0- Leaving off the end port makes the range run through port 65535

The -p option selects which ports to scan. It accepts a single port, a comma-separated list, ranges such as 1-1023 or 1-65535, protocol qualifiers (T: for TCP, U: for UDP, S: for SCTP) and service names from nmap-services. Without -p, Nmap scans the 1,000 most common ports for each requested protocol.

Related options include -g/--source-port, which sets the source port of outgoing probes (useful against filters that trust traffic from ports such as 53 or 20); --badsum, which sends probes with bogus checksums to spot devices that answer without validating them; -f, which fragments probes; and the output selectors -oN, -oX and -oG for normal, XML and grepable output. Nping, the packet generator shipped with Nmap, lets you craft packets field by field, including the TCP window size with --win, something the Nmap port scanner itself does not expose.
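The -p grammar above has a few corners that catch people (open-ended ranges, qualifiers that apply to everything after them, service names resolved through nmap-services). The following Python is an added example written for this cheat sheet, not Nmap's own code; it expands a -p argument into per-protocol port sets the way Nmap interprets it. It resolves service names against a small constructed excerpt of nmap-services (the real file has thousands of rows), and it does not model -F or --top-ports, which rank ports by that file's frequency column.

```python
"""Expand an Nmap -p port specification into per-protocol port sets.

Added example for this cheat sheet, not Nmap's own code. NMAP_SERVICES is a
constructed excerpt of the real nmap-services file, which has thousands of rows.
"""
import re
from typing import Dict, Iterable, Set

# Constructed excerpt of nmap-services: (service name, protocol) -> port.
NMAP_SERVICES = {
    ("ftp", "tcp"): 21, ("ssh", "tcp"): 22, ("domain", "tcp"): 53, ("domain", "udp"): 53,
    ("http", "tcp"): 80, ("https", "tcp"): 443, ("snmp", "udp"): 161, ("http-alt", "tcp"): 8080,
}
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp"}
NUMERIC = re.compile(r"\d*-?\d*$")      # matches '80', '21-25', '-', '-65535', '0-'


def _port_range(item: str) -> range:
    """Turn one numeric item into a range, filling in omitted ends the way -p does."""
    lo, dash, hi = item.partition("-")
    if not dash:
        port = int(lo)
        return range(port, port + 1)
    start = int(lo) if lo else 1          # leading port omitted -> start at 1, so '-' is 1-65535
    end = int(hi) if hi else 65535        # trailing port omitted -> run through 65535
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"port range out of bounds: {item!r}")
    return range(start, end + 1)


def parse_port_spec(spec: str, scanned: Iterable[str] = ("tcp",)) -> Dict[str, Set[int]]:
    """Return {protocol: ports}.

    `scanned` lists the protocols the scan covers (e.g. ("tcp", "udp") for -sS -sU);
    items that appear before any T:/U:/S: qualifier apply to all of them, and a
    qualifier sticks until the next one, so 'U:53,T:21-25,80' puts 80 in TCP.
    """
    ports: Dict[str, Set[int]] = {proto: set() for proto in QUALIFIERS.values()}
    current = None                        # protocol set by the most recent qualifier
    for item in spec.split(","):
        if ":" in item:
            qualifier, _, item = item.partition(":")
            current = QUALIFIERS[qualifier.upper()]
        targets = [current] if current else list(scanned)
        if not item:
            continue
        if NUMERIC.match(item):
            for proto in targets:
                ports[proto].update(_port_range(item))
            continue
        # Service name: match against nmap-services; a trailing '*' acts as a wildcard.
        pattern = re.compile(re.escape(item).replace(r"\*", ".*") + "$")
        for (name, proto), port in NMAP_SERVICES.items():
            if proto in targets and pattern.match(name):
                ports[proto].add(port)
    return {proto: found for proto, found in ports.items() if found}


if __name__ == "__main__":
    for spec in ("21", "U:53,T:21-25,80", "-", "0-", "http*"):
        expanded = parse_port_spec(spec)
        print(spec, {proto: f"{len(s)} ports" for proto, s in expanded.items()})
```

Two details worth noticing: "-p-" and "-p-65535" both start at 1 and skip port 0, while "-p0-" includes it; and a service name with no qualifier is looked up for every protocol in the scan, so "-sS -sU -p domain" yields 53/tcp and 53/udp.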

Service and Version Detection

Nmap is an invaluable tool used for network discovery and security auditing, making it invaluable for network administrators looking to monitor servers, service upgrade schedules and more.

Nmap discovers hosts and services by sending crafted packets and analysing the responses. Host discovery finds the hosts that answer its probes, port scanning determines the state of each port, and version detection (-sV) then talks to the open ports to identify the service and, where possible, its version.

-sV nmap -sV Attempts to determine the version of the service running on port
-sV --version-intensity nmap -sV --version-intensity 8 Intensity level 0 to 9 (default 7). Higher levels try more probes: more accurate, slower
-sV --version-light nmap -sV --version-light Light mode (intensity 2). Faster, less accurate
-sV --version-all nmap -sV --version-all Intensity level 9. Most accurate, slowest
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

OS detection refers to the process of identifying operating system and hardware characteristics on network devices. It can help identify vulnerabilities or misconfigurations which could be exploited during cyber attacks.

Nmap Cheat Sheet is an organized compilation of Nmap commands designed as a cheat sheet style documentation format, featuring some of the more important ones used by Ethical Hackers and Penetration Testers.

OS Detection

One of Nmap's most powerful features is OS detection, which identifies the operating system, and often its version, running on a host by fingerprinting how its TCP/IP stack responds to a series of crafted probes.

-O nmap -O Remote OS detection using TCP/IP stack fingerprinting
-O --osscan-limit nmap -O --osscan-limit Skip OS detection against hosts without at least one open and one closed TCP port
-O --osscan-guess nmap -O --osscan-guess Make Nmap guess more aggressively when no exact match is found
-O --max-os-tries nmap -O --max-os-tries 1 Set the maximum number x of OS detection tries against a target
-A nmap -A Enables OS detection, version detection, script scanning, and traceroute

This feature can assist in quickly and effectively conducting penetration tests by providing information about the operating system running on a target, making the testing more accurate and identifying vulnerable services and security holes on networks more readily.

Add the -O flag to your Nmap command to enable it. -O alone performs OS detection only; combine it with -sV (or use -A, which enables both together with script scanning and traceroute) to get service versions as well. OS detection needs raw packet access, so run it as root or with equivalent privileges.

By default Nmap makes up to five OS detection attempts against a host when conditions are favourable (--max-os-tries 5); lowering that value speeds up the scan at some cost to accuracy.

Increasing verbosity with -v (or -vv) adds detail to the output, such as hosts found down, the reason each port was given its state (also available with --reason) and how long each phase took, while -d enables debugging output aimed at developers. Results are saved with -oN (normal), -oX (XML), -oG (grepable) or -oA (all three at once).

Timing and Performance

Timing has a large effect on how long a scan takes. Nmap adapts its probe timing dynamically to the round-trip times and packet loss it observes, which keeps scans fast on healthy networks.

On unreliable or slow networks that adaptation can still leave Nmap waiting a long time on a single host, which is what --host-timeout and the other timing controls below are for.

-T0 nmap -T0 Paranoid (0) Intrusion Detection System evasion
-T1 nmap -T1 Sneaky (1) Intrusion Detection System evasion
-T2 nmap -T2 Polite (2) slows down the scan to use less bandwidth and use less target machine resources
-T3 nmap -T3 Normal (3) which is default speed
-T4 nmap -T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network
-T5 nmap -T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network

--host-timeout makes Nmap give up on a host entirely once it has spent longer than the specified time on it, so one heavily filtered host cannot stall the whole scan; the host is reported as skipped rather than with partial results.

The aggressive templates (-T4 and -T5) shorten the RTT timeouts and retry counts. Use them only on fast, reliable networks: on a lossy link the reduced retries cause Nmap to miss open ports rather than finish sooner.

Timing and Performance Switches

Nmap provides various timing and performance switches that can make scanning faster, as well as fine-grained controls to further increase performance. You can combine these options for optimal results.

The --defeat-rst-ratelimit option trades accuracy for speed on TCP scans against hosts that rate-limit the RST packets they send for closed ports: Nmap stops waiting for them, so rate-limited closed ports may be reported as filtered. The UDP counterpart is --defeat-icmp-ratelimit, which ignores a host's rate-limiting of ICMP port-unreachable messages; unresponsive ports are then reported as closed|filtered instead of open|filtered.

--host-timeout <time> 1s; 4m; 2h Give up on a target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> 1s; 4m; 2h Floor, ceiling and starting value for the probe round-trip timeout
--min-hostgroup/--max-hostgroup <size> 50; 1024 Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> 10; 1 Probe parallelization
--max-retries <tries> 3 Maximum number of port scan probe retransmissions
--min-rate <number> 100 Send packets no slower than <number> per second
--max-rate <number> 100 Send packets no faster than <number> per second

--scan-delay inserts a pause between successive probes to a target. It slows the scan, but it avoids wasted retransmissions against hosts that rate-limit their responses; the Nmap documentation cites Solaris systems, which answer UDP probes with only one ICMP message per second, as a common case.

Finally, --max-rtt-timeout caps how long Nmap waits for a response to any single probe, --min-rtt-timeout sets the floor so that Nmap does not give up too early on slow links, and --initial-rtt-timeout seeds the estimate before any real round-trip times have been measured. Lowering the maximum is one of the most effective ways to speed up scans of heavily filtered networks, at the risk of missing slow responders.

Nmap offers six timing templates that correspond to each scanning mode: paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5).

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.