
Nmap Cheat Sheet

Host Discovery

# Ping scan (no port scan): host discovery only, lists which hosts respond
nmap -sn 192.168.1.0/24

# Treat all hosts as online (skip host discovery)
# Use when ICMP/discovery probes are filtered; every target is port-scanned, so it is slower on large ranges
nmap -Pn 192.168.1.1

# ARP ping scan (local network only)
# Only meaningful on the same L2 segment; nmap already uses ARP for local Ethernet targets when run as root
nmap -PR 192.168.1.0/24

# TCP SYN discovery: a host counts as up if any listed port answers (SYN/ACK or RST)
nmap -PS22,80,443 192.168.1.0/24

# Combine: no DNS resolution (-n) + treat all online (-Pn)
# -n skips reverse-DNS lookups, which slow the scan and are visible to the resolver
nmap -Pn -n 192.168.1.1

Port Scanning

# SYN scan (default when root; requires raw-socket privileges)
# Half-open: the handshake is never completed, but firewalls and IDS still log the SYN probes
nmap -sS 192.168.1.1

# TCP connect scan (no root needed; the default for unprivileged users)
# Completes the handshake, so the target application sees and may log each connection
nmap -sT 192.168.1.1

# UDP scan (slow: open|filtered ports send no reply and need retransmits; ICMP rate limiting slows it further)
nmap -sU 192.168.1.1

# Scan specific ports
nmap -p 22,80,443 192.168.1.1

# Scan port range
nmap -p 1-1000 192.168.1.1

# Scan all 65535 ports (TCP only unless combined with -sU)
nmap -p- 192.168.1.1

# Top 100 ports (ranked by frequency in nmap-services; a plain scan covers the top 1000)
nmap --top-ports 100 192.168.1.1

Service & Version Detection

# Service version detection: sends protocol probes to each open port, so it is far noisier than a bare port scan
nmap -sV 192.168.1.1

# OS detection (requires root; most reliable when at least one open and one closed TCP port are found)
nmap -O 192.168.1.1

# Aggressive scan (OS + version + scripts + traceroute) = -O -sV -sC --traceroute
# Loud and intrusive: the default NSE scripts connect to and interact with every detected service
nmap -A 192.168.1.1

# Version intensity (0-9, default 7): higher tries more probes per port, slower but identifies more obscure services
nmap -sV --version-intensity 9 192.168.1.1

NSE Scripts

# Run default scripts (same as --script=default; chosen to be low-impact, but not silent)
nmap -sC 192.168.1.1

# Run specific script
nmap --script=http-title 192.168.1.1

# Run script category
# vuln: checks for known vulnerabilities; several vuln scripts are also in the intrusive category and
# can disrupt fragile services, so review what will run first (--script-help vuln)
nmap --script=vuln 192.168.1.1
# auth: authentication-related checks, including anonymous/default credential tests
nmap --script=auth 192.168.1.1
# discovery: active enumeration of services and directories; not passive
nmap --script=discovery 192.168.1.1

# Multiple scripts (comma-separated; boolean expressions and wildcards such as "http-*" are also accepted)
nmap --script=http-headers,http-methods 192.168.1.1

# SMB enumeration
# smb-enum-users usually needs valid credentials (--script-args smbusername=...,smbpassword=...);
# unauthenticated results depend on whether the target still allows null sessions
nmap --script=smb-enum-shares,smb-enum-users 192.168.1.1

# HTTP enumeration (-p restricts the scan to web ports; http-enum requests many well-known paths, so it is very visible in web server logs)
nmap --script=http-enum 192.168.1.1 -p 80,443

Output Formats

# Normal output to file (human-readable, same as the terminal output)
nmap -oN output.txt 192.168.1.1

# XML output (the stable, machine-parseable format; use it for tooling and for comparing runs with ndiff)
nmap -oX output.xml 192.168.1.1

# Grepable output (one line per host; deprecated in favour of XML but convenient for grep/awk)
nmap -oG output.gnmap 192.168.1.1

# All formats at once: writes output.nmap, output.xml and output.gnmap
# Scan output lists reachable hosts, open ports and service versions, so store it with restricted permissions
nmap -oA output 192.168.1.1

Timing & Evasion

# Timing templates (0=paranoid, 5=insane); they change probe spacing, parallelism and timeouts, not what is scanned
# The lines below show only the flag; add a target as in the other examples
nmap -T0  # Paranoid (IDS evasion: serial probes spaced ~5 minutes apart, i.e. hours per host)
nmap -T1  # Sneaky (serial probes, ~15 s apart)
nmap -T2  # Polite (serial, throttled to reduce load on the target)
nmap -T3  # Normal (default)
nmap -T4  # Aggressive (assumes a fast, reliable network; usual choice for internal networks)
nmap -T5  # Insane (very short timeouts; can drop results and misreport ports as filtered)

# Fragment packets (splits the TCP header across small IP fragments; requires raw sockets, and IDS that reassemble fragments are not affected)
nmap -f 192.168.1.1

# Decoy scan (5 random decoy addresses; works with SYN scan and -O only, not with -sT or -sV)
nmap -D RND:5 192.168.1.1

# Spoof source IP
# Replies go to the spoofed address, so nmap gets no results back; also needs -e <iface> (and usually -Pn)
# because the interface cannot be inferred from a spoofed source
nmap -S 10.0.0.1 192.168.1.1

# Randomize host order (spreads probes across the range instead of sweeping it sequentially)
nmap --randomize-hosts 192.168.1.0/24

Common Scan Combos

# Quick recon (top 1000 TCP ports, version + default scripts, aggressive timing, all output formats to scan.*)
nmap -sV -sC -T4 -oA scan 192.168.1.1

# Full port + version + scripts (all 65535 TCP ports; -sV/-sC then probe every open port, so this is slow and noisy)
nmap -p- -sV -sC -T4 -oA full_scan 192.168.1.1

# Stealth scan, no DNS, OS detection
# "Stealth" only means no completed handshakes: the SYN probes and -O fingerprint packets are still logged by most IDS
# -Pn skips discovery probes, -n skips reverse DNS, -T2 throttles probes; -sS and -O both require root
nmap -sS -Pn -n -O -T2 192.168.1.1

# UDP top ports (20 most common UDP ports; UDP is still slow, -T4 only shortens the timeouts)
nmap -sU --top-ports 20 -T4 192.168.1.1