
Nmap cheat sheet

Nmap complete cheat sheet

Nmap cheat sheet – We covered Nmap scanning in the previous post; if you have not read it yet, read that post first. In this post I divide the commands available in Nmap into sections so that they are easier to understand.

What is Nmap?

Nmap stands for Network Mapper. With Nmap you can gather detailed information about a network and about the security posture of the hosts on it. Simply put, Nmap is an information-gathering tool.

How to use Nmap?

Nmap can be used in a variety of ways depending on the user’s level of technical expertise.

Beginner – Zenmap, the graphical user interface for Nmap

Intermediate – Command Line

Advanced – Python scripting with the Python-Nmap package

Nmap cheat sheet

Basic Scanning Techniques

The -s switch determines the type of scan to perform.

-sA – ACK scan
-sF – FIN scan
-sI – IDLE scan
-sL – DNS scan (a.k.a. list scan)
-sN – NULL scan
-sO – Protocol scan
-sP – Ping scan
-sR – RPC scan
-sS – SYN scan
-sT – TCP connect scan
-sW – Window scan (TCP window scan)
-sX – XMAS scan

Scan a Single Target >> nmap [target]
Scan Multiple Targets >> nmap [target1] [target2] [etc]
Scan a List of Targets >> nmap -iL [list.txt]
Scan a Range of Hosts >> nmap [range of IP addresses]
Scan an Entire Subnet >> nmap [ip address/cidr]
Scan Random Hosts >> nmap -iR [number]
Exclude Targets From a Scan >> nmap [targets] --exclude [targets]
Exclude Targets Using a List >> nmap [targets] --excludefile [list.txt]
Perform an Aggressive Scan >> nmap -A [target]
Scan an IPv6 Target >> nmap -6 [target]

Port Scanning Options

By default, Nmap scans only the most common TCP ports and reports which of them are open. If you want to scan other ports (UDP ports, a specific range, or every port), you have to ask for them explicitly. The port scanning commands are given below.

Perform a Fast Scan >> nmap -F [target]
Scan Specific Ports >> nmap -p [port(s)] [target]
Scan Ports by Name >> nmap -p [port name(s)] [target]
Scan Ports by Protocol >> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan All Ports >> nmap -p 1-65535 [target]
Scan Top Ports >> nmap --top-ports [number] [target]
Perform a Sequential Port Scan >> nmap -r [target]
Attempt to Guess an Unknown OS >> nmap -O --osscan-guess [target]
Service Version Detection >> nmap -sV [target]
Troubleshoot Version Scan >> nmap -sV --version-trace [target]
Perform an RPC Scan >> nmap -sR [target]

Discovery options

Host Discovery: the -P switch determines the type of ping to perform.

-PI – ICMP ping
-P0 – No ping
-PS – SYN ping
-PT – TCP ping

Perform a Ping Only Scan >> nmap -sn [target]
Do Not Ping >> nmap -Pn [target]
TCP SYN Ping >> nmap -PS [target]
TCP ACK Ping >> nmap -PA [target]
UDP Ping >> nmap -PU [target]
SCTP INIT Ping >> nmap -PY [target]
ICMP Echo Ping >> nmap -PE [target]
ICMP Timestamp Ping >> nmap -PP [target]
ICMP Address Mask Ping >> nmap -PM [target]
IP Protocol Ping >> nmap -PO [target]
ARP Ping >> nmap -PR [target]
Traceroute >> nmap --traceroute [target]
Force Reverse DNS Resolution >> nmap -R [target]
Disable Reverse DNS Resolution >> nmap -n [target]
Alternative DNS Lookup >> nmap --system-dns [target]
Manually Specify DNS Server >> nmap --dns-servers [servers] [target]
Create a Host List >> nmap -sL [targets]

Timing and Performance

Timing templates (-T0 to -T5) trade scan speed against stealth and load on the network and target:

nmap -T0 – Paranoid (0): Intrusion Detection System evasion
nmap -T1 – Sneaky (1): Intrusion Detection System evasion
nmap -T2 – Polite (2): slows down the scan to use less bandwidth and fewer target machine resources
nmap -T3 – Normal (3): the default speed
nmap -T4 – Aggressive (4): speeds scans; assumes you are on a reasonably fast and reliable network
nmap -T5 – Insane (5): speeds scans; assumes you are on an extraordinarily fast network

Fine-grained timing options (option, example input, effect):

--host-timeout <time> (e.g. 1s; 4m; 2h) – Give up on target after this long
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time> (e.g. 1s; 4m; 2h) – Specifies probe round trip time
--min-hostgroup/--max-hostgroup <size> (e.g. 50; 1024) – Parallel host scan group sizes
--min-parallelism/--max-parallelism <numprobes> (e.g. 10; 1) – Probe parallelization
--scan-delay/--max-scan-delay <time> (e.g. 20ms; 2s; 4m; 5h) – Adjust delay between probes
--max-retries <tries> – Specify the maximum number of port scan probe retransmissions
--min-rate <number> – Send packets no slower than <number> per second
--max-rate <number> – Send packets no faster than <number> per second

OS Detection

nmap -O – Remote OS detection using TCP/IP stack fingerprinting
nmap -O --osscan-limit – If at least one open and one closed TCP port are not found, it will not try OS detection against the host
nmap -O --osscan-guess – Makes Nmap guess more aggressively
nmap -O --max-os-tries 1 – Set the maximum number of OS detection tries against a target
nmap -A – Enables OS detection, version detection, script scanning, and traceroute

Output Options

nmap -oN normal.file – Normal output to the file normal.file
nmap -oX xml.file – XML output to the file xml.file
nmap -oG grep.file – Grepable output to the file grep.file
nmap -oA results – Output in the three major formats at once
nmap -oG - – Grepable output to screen (-oN - and -oX - are also usable)
nmap -oN file.file --append-output – Append a scan to a previous scan file
nmap -v – Increase the verbosity level (use -vv or more for greater effect)
nmap -d – Increase the debugging level (use -dd or more for greater effect)
nmap --reason – Display the reason a port is in a particular state, same output as -vv
nmap --open – Only show open (or possibly open) ports
nmap -T4 --packet-trace – Show all packets sent and received
nmap --iflist – Show the host interfaces and routes
nmap --resume results.file – Resume a scan
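The grepable (-oG) format exists to be post-processed, which is how a defender turns a periodic scan of their own network into a drift check. As an added example (not code from the original post), the following Python parses a constructed -oG scan result and compares each host's open TCP ports against a hypothetical approved baseline; `parse_grepable`, `unexpected_open_ports`, `SAMPLE_GREPABLE` and `BASELINE` are all constructed for this illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of Nmap grepable (-oG) output, not a real scan. Non-comment lines are
# tab-separated "Key: value" fields; each Ports entry is port/state/protocol/owner/service/
# rpcinfo/version/ (Nmap turns '/' inside a version string into '|', so splitting on '/' is safe).
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sS -sV -p 22,80,443,3389 -oG - 192.0.2.0/30\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.24.0/, "
    "443/open/tcp//https//nginx 1.24.0/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (996)\n"
    "Host: 192.0.2.2 (db01.example.internal)\tStatus: Up\n"
    "Host: 192.0.2.2 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
    "Host: 192.0.2.3 ()\tStatus: Down\n"
    "# Nmap done at Mon Jan  1 12:00:09 2024 -- 4 IP addresses (2 hosts up) scanned in 9.12 seconds\n"
)

# Constructed baseline (hypothetical): the TCP ports each host is approved to expose.
BASELINE: Dict[str, Set[int]] = {"192.0.2.1": {22, 80, 443}, "192.0.2.2": {22}}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
PortRecord = Tuple[int, str, str, str]  # (port, protocol, state, service)


def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Parse -oG output into {ip: [(port, protocol, state, service), ...]}."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip the "# Nmap ..." header and footer comments
        records = hosts.setdefault(m.group(1), [])
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, _version = entry.split("/")[:7]
            records.append((int(port), proto, state, service))
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[PortRecord]],
                          baseline: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """Open TCP ports outside a host's approved set; hosts missing from the baseline allow none."""
    findings: Dict[str, List[int]] = {}
    for ip, records in hosts.items():
        allowed = baseline.get(ip, set())
        extra = sorted(p for p, proto, state, _svc in records
                       if proto == "tcp" and state == "open" and p not in allowed)
        if extra:
            findings[ip] = extra
    return findings  # for the sample: {'192.0.2.2': [3389]}
```

Feeding a real `nmap -oG` file into `parse_grepable` and diffing against a maintained baseline is what makes a recurring scan useful as a change detector rather than a one-off inventory.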


I hope this post covers every kind of Nmap command; let me know in the comment section if you know of any that are missing.

I hope you find this Nmap cheat sheet useful, and please share this post with your friends.
