Nmap Cheat Sheet
Cheat Sheets

Nmap Cheat Sheet

parrotassassin15 October 8, 2024 2 min read 24 views

Basic Scan Types

CommandDescription
nmap <target>Simple scan, default is a TCP connect scan
nmap -sS <target>Stealth SYN scan (default for privileged users)
nmap -sT <target>TCP connect scan (used if SYN scan isn’t an option)
nmap -sU <target>UDP scan
nmap -sP <target>Ping scan, lists live hosts (no port scan)
nmap -sV <target>Version detection (finds version of services)
nmap -O <target>OS detection

Port Scanning

CommandDescription
nmap -p <port> <target>Scan specific port
nmap -p- <target>Scan all 65535 TCP ports
nmap --top-ports <N> <target>Scan N most common ports
nmap -F <target>Fast scan (100 most common ports)
nmap --reason <target>Show why a port is reported as open/closed

Aggressive Scanning

CommandDescription
nmap -A <target>Aggressive scan (includes OS detection, version detection, script scanning, traceroute)
nmap -T4 <target>Faster scan with aggressive timing (T0-T5, higher is faster)

Host Discovery

CommandDescription
nmap -sn <target>Ping scan (host discovery, no port scan)
nmap -Pn <target>Disable ping (treats all hosts as up)
nmap -PS/PA <target>TCP SYN/ACK ping (port selection: -PS22,80 for 22, 80)
nmap -PU <target>UDP ping (port selection: -PU53 for port 53)

Service & Version Detection

CommandDescription
nmap -sV <target>Detect service version on open ports
nmap --version-all <target>Attempt to detect version on all ports

Output Formats

CommandDescription
nmap -oN output.txt <target>Normal text output
nmap -oX output.xml <target>XML output
nmap -oG output.gnmap <target>Grepable output
nmap -oA output <target>Output in all formats (normal, XML, grepable)

Scan Specific IP Range

CommandDescription
nmap <IP1>-<IP2>Scan a range of IP addresses (e.g., nmap 192.168.1.1-20)
nmap <IP>/CIDRScan a subnet (e.g., nmap 192.168.1.0/24)

Excluding Hosts

CommandDescription
nmap <target> --exclude <host>Exclude specific hosts from scan
nmap <target> --excludefile <file>Exclude hosts listed in a file

Nmap Scripting Engine (NSE)

CommandDescription
nmap --script <script-name> <target>Run specific script
nmap --script-help <script-name>Get help for a specific script
nmap --script vuln <target>Scan target for vulnerabilities using NSE
nmap --script safe <target>Only run non-intrusive scripts

Advanced Options

CommandDescription
nmap -6 <target>Enable IPv6 scanning
nmap -D RND:10 <target>Use decoys to hide the real scanning source
nmap --data-length <num> <target>Send packets with additional padding
nmap --spoof-mac <mac address>Spoof MAC address
nmap -S <source_ip> <target>Use specific source IP address
Written by

parrotassassin15

Cybersecurity professional and contributor at Lorikeet Security.

Share this article
Back to Blog

Related Articles

Jan 13, 2025

The Ultimate Wireshark Cheat Sheet: Master Network Analysis Like a Pro

Wireshark is the go-to tool for anyone diving into the world of network analysis, cybersecurity, or ...
Dec 26, 2024

The Ultimate Guide to Nuclei Enumeration Scanner

What is Nuclei? Nuclei is an open-source tool developed by ProjectDiscovery, designed to streamline ...
Oct 13, 2024

Comprehensive Burp Suite Cheat Sheet for Web Application Security Testing

Burp Suite is one of the most powerful tools for web application security testing, used widely by pe...
Lory waving

Hi, I'm Lory! Need help finding the right service? Click to chat!