Nmap (Network Mapper) is a powerful, free, and open-source tool designed for network discovery, security auditing, and troubleshooting. Developed by Gordon Lyon (also known as Fyodor), Nmap has become a go-to utility for network administrators, penetration testers, and cybersecurity professionals around the world.
Originally released in 1997, Nmap is renowned for its flexibility and effectiveness in both small internal networks and large-scale enterprise environments. Whether you’re mapping out your local network or identifying open ports on remote servers, Nmap offers the tools needed for accurate and detailed analysis.
What You Can Do With Nmap:
- Detect live hosts on a network
- Identify open ports and running services
- Discover operating systems and software versions
- Detect misconfigurations or potential vulnerabilities
- Bypass firewalls and evade intrusion detection systems (with advanced options)
- Automate scanning tasks with the Nmap Scripting Engine (NSE)
Platforms Supported:
- Windows
- Linux
- macOS
- FreeBSD and other Unix-like systems
Nmap also comes with a graphical interface called Zenmap, which simplifies usage for beginners while still offering the power of command-line features.
Key Features
Nmap offers a comprehensive set of features that make it one of the most versatile tools for network exploration and security assessment. Below are some of its core capabilities:
Host Discovery and Network Mapping
Identify live systems on a network and build a map of the connected devices.
Port Scanning and Service Detection
Determine which ports are open on a host and detect the services running on them, including their versions.
Operating System Detection
Use TCP/IP stack fingerprinting to guess the target system’s operating system and hardware characteristics.
Vulnerability Assessment
Detect potential vulnerabilities and misconfigurations by using Nmap’s scripting engine and custom scan options.
Scriptable Interaction with Network Services
Leverage the Nmap Scripting Engine (NSE) to automate tasks such as brute-force attacks, service discovery, and vulnerability scanning.
Support for IPv4 and IPv6
Fully supports scanning over both IPv4 and IPv6, ensuring compatibility with modern networks.
Cross-Platform Compatibility
Available on all major operating systems, including Windows, Linux, macOS, and BSD variants.
Use Cases
Nmap is a versatile tool used in a wide range of network and security-related scenarios. Its powerful scanning and detection capabilities make it an essential utility in both offensive and defensive security operations. Below are some of the most common use cases:
Network Inventory and Asset Discovery
Scan entire networks to identify active hosts, connected devices, and their open ports—helpful for building or updating a network inventory.
Security Auditing and Penetration Testing
Evaluate the security of a system or network by detecting open ports, exposed services, outdated software, and possible misconfigurations.
Network Troubleshooting
Diagnose connectivity issues, service availability, and configuration errors by probing hosts and analyzing responses.
Monitoring Host and Service Uptime
Use regular scans or scripting to track whether hosts and services are online and responsive over time.
Firewall Rule Testing
Assess firewall rules and configurations by sending different types of probes to verify which ports are filtered, blocked, or open.
Installation Guide
Installing Nmap is straightforward across most platforms. Below is the installation process for common operating systems.
Linux (Ubuntu/Debian)
To install Nmap on Ubuntu or Debian-based systems, open a terminal and run the following commands:
This will install the latest version available in your distribution’s repository.
Linux (CentOS/RHEL/Fedora)
CentOS / RHEL:
Fedora:
These commands install Nmap using the respective package managers. Make sure your system has internet access and appropriate privileges.
macOS
There are two common ways to install Nmap on macOS: using Homebrew or MacPorts.
Using Homebrew:
Using MacPorts:
Ensure that either Homebrew or MacPorts is installed on your system before using the above commands.
Windows
- Download from official site: https://nmap.org/download.html
- Run the installer as Administrator
- Choose installation options (include Zenmap GUI if needed)
From Source
To build and install Nmap from source (Linux/Unix systems):
This method provides the latest version directly from the Nmap developers, which may include features not yet available in package managers.
Verification
After installation, you can verify that Nmap is properly installed and check its version using the following command:
This will display the installed version along with supported features and libraries.
Basic Syntax
The general syntax for using Nmap is:
Parameters Explained:
- `[scan type]` – Defines the type of scan (e.g., `-sS` for SYN scan, `-sU` for UDP scan).
- `[options]` – Additional parameters to customize the scan (e.g., `-p` for ports, `-T4` for speed).
- `[target specification]` – IP address, domain name, range, or file containing a list of targets.
Example:
This runs a SYN scan (`-sS`) on ports 22, 80, and 443 with increased speed (`-T4`) against the target `192.168.1.1`.
Target Specification
Nmap supports flexible ways to specify targets, allowing you to scan individual hosts, ranges, entire subnets, or even lists of IPs. Below are commonly used target specification formats:
Single IP Address
IP Range
Scans all addresses from `192.168.1.1` to `192.168.1.254`.
Subnet (CIDR Notation)
Scans the entire subnet (256 addresses).
Multiple IPs
Scan specific IP addresses listed in sequence.
Hostname
DNS is resolved automatically to scan the IP behind the domain.
File Input (List of Targets)
Scans all targets listed line-by-line in the `targets.txt` file.
Exclude Specific Targets
Scans the entire subnet but excludes `192.168.1.1`.
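The range, CIDR and exclude forms above can be expanded programmatically, which is useful for checking a planned scan against an authorized scope before anything is sent. The following Python is an added example, not code from this cheat sheet or from the Nmap project; `expand_target`, `build_scope` and `out_of_scope` are constructed helpers, all addresses are sample values, and hostnames are not resolved.

```python
"""Expand Nmap-style IPv4 target specs and check them against an
authorized scope. Added example (not Nmap code); the helpers and all
sample addresses are constructed for illustration."""
import ipaddress
import itertools
from typing import Iterable, Iterator, List, Set


def _octet_values(spec: str) -> List[int]:
    """Expand one octet of an Nmap range: '5', '1-254', '1,3,5' or '*'."""
    if spec == "*":
        return list(range(256))
    values: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        start, end = int(lo), int(hi or lo)
        if not 0 <= start <= end <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.extend(range(start, end + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one target spec.

    Handles CIDR (192.168.1.0/24 covers all 256 addresses, as Nmap does),
    octet ranges (192.168.1.1-254, 10.0.0-1.*) and single addresses.
    Hostnames are deliberately not resolved here.
    """
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    for combo in itertools.product(*(_octet_values(o) for o in octets)):
        yield ".".join(str(v) for v in combo)


def _expand_all(specs: Iterable[str]) -> Set[str]:
    return set(itertools.chain.from_iterable(expand_target(s) for s in specs))


def build_scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> Set[str]:
    """Addresses a scan would touch: the union of targets minus --exclude."""
    return _expand_all(targets) - _expand_all(exclude)


def out_of_scope(targets: Iterable[str], exclude: Iterable[str],
                 authorized_networks: Iterable[str]) -> List[str]:
    """Addresses the scan would touch that lie outside the authorized CIDRs.

    An empty list means the planned scan stays within permission; anything
    returned should be dropped or added to --exclude before scanning.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in authorized_networks]
    stray = [ip for ip in build_scope(targets, exclude)
             if not any(ipaddress.ip_address(ip) in net for net in nets)]
    return sorted(stray, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Constructed scenario: a /24 plus one stray host, authorized for the /24 only.
    print(out_of_scope(["192.168.1.0/24", "10.0.0.5"], ["192.168.1.1"], ["192.168.1.0/24"]))
```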
Common Scan Types
Nmap provides a variety of scan techniques to suit different network environments and purposes. Below are some of the most commonly used scan types:
TCP SYN Scan (Default)
Performs a stealthy SYN scan (also called half-open scan). Fast and less likely to be logged.
TCP Connect Scan
Uses the full TCP connection (three-way handshake). Useful when SYN scan is not permitted (e.g., without raw socket privileges).
UDP Scan
Scans for open UDP ports. Slower than TCP scans but essential for identifying services like DNS, SNMP, etc.
Comprehensive Scan
Performs TCP SYN and UDP scans, OS detection (`-O`), and aggressive scan (`-A`), which includes service/version detection, script scanning, and traceroute.
Ping Scan (Host Discovery)
Detects which hosts are up without scanning ports.
TCP ACK Scan
Used for firewall rule testing. It doesn’t determine open ports but can identify whether a firewall is blocking traffic.
TCP Window Scan
Advanced scan based on TCP window size. Can sometimes detect open ports when ACK scan fails.
TCP Maimon Scan
An obscure scan that sends FIN/ACK probes. Useful for certain firewall and packet filter configurations.
Port Specification
Nmap allows flexible control over which ports to scan. This is useful for narrowing down scan time or focusing on specific services.
Specific Ports
Scans only the listed ports — in this case, SSH (22), HTTP (80), and HTTPS (443).
Port Range
Scans ports from 1 to 1000.
All Ports
Scans all 65,535 TCP ports.
Top Ports
Scans the 1,000 most commonly used ports based on frequency data from large-scale scans.
Fast Scan
Scans the top 100 ports only. Useful for quick checks or large network sweeps.
Host Discovery Options
Host discovery helps determine which hosts are online before running detailed scans. Nmap provides several options to customize this process:
Ping Scan Only
Checks which hosts are up without scanning any ports.
Skip Ping
Skips host discovery and treats all hosts as online. Useful when ping is blocked by firewalls.
ICMP Echo Request
Sends ICMP echo requests (standard “ping”) to discover hosts.
ICMP Timestamp Request
Sends ICMP timestamp requests to identify live hosts.
ICMP Netmask Request
Sends ICMP netmask requests for host discovery.
TCP SYN Ping
Sends TCP SYN packets to specified ports (e.g., 22, 80, 443) to check if hosts respond.
TCP ACK Ping
Sends TCP ACK packets to specified ports for host discovery.
UDP Ping
Sends UDP packets to check if hosts respond.
Service and Version Detection
Nmap can probe open ports to determine what service is running and its version. This helps identify software, detect outdated services, and find potential vulnerabilities.
Version Detection
Performs standard version detection to identify services and versions running on open ports.
Aggressive Version Detection
Uses the highest of the intensity levels (0–9) for deeper probing. May be slower but more accurate.
Light Version Detection
Performs minimal probing to avoid disrupting services or triggering alerts.
Default Service Detection (with Scripts)
Runs a set of default scripts (equivalent to `--script=default`), which includes basic service and version detection.
Note: `-sC` is often used with `-sV` in comprehensive scans like `nmap -sC -sV target`.
Operating System Detection
Nmap uses TCP/IP stack fingerprinting to determine the operating system and hardware characteristics of a target. This helps identify not only the OS type but also its version and other details.
OS Fingerprinting
Enables OS detection. Requires root or administrator privileges.
Aggressive OS Detection
Attempts to guess the OS more aggressively, even when confidence is low.
OS Detection with Version and More (Aggressive Scan)
Performs an aggressive scan that includes OS detection, version detection, script scanning, and traceroute.
Note: `-A` combines several powerful features and is often used in thorough scans, but may be noisy or trigger security systems.
NSE (Nmap Scripting Engine)
The Nmap Scripting Engine (NSE) allows users to automate a wide range of scanning tasks using custom or built-in scripts. NSE scripts can perform service detection, brute forcing, vulnerability scanning, and more.
Default Scripts
Runs the default set of scripts (same as `--script=default`). Useful for quick service and vulnerability checks.
Specific Script
Executes a single script, such as `http-title` or `ssh-hostkey`.
Script Categories
Runs all scripts in the specified category. Common categories include:
- `default`
- `vuln`
- `auth`
- `discovery`
- `safe`
- `intrusive`
Multiple Scripts Using Wildcards
Runs all scripts that match the wildcard pattern (e.g., all HTTP-related scripts).
Script Help
Displays detailed information about a specific script, including usage and categories.
Tip: You can find all available scripts in the `/scripts/` directory of your Nmap installation or view them online at nmap.org/nsedoc.
Popular NSE Script Categories
Nmap scripts are organized into categories based on their functionality. These categories help users select scripts suited to specific tasks, such as vulnerability scanning or brute-force testing.
`vuln` – Vulnerability Detection
Detects known vulnerabilities in services, software, or configurations.
`exploit` – Exploitation Scripts
Attempts to exploit identified vulnerabilities (use with caution).
`auth` – Authentication Scripts
Tests or bypasses authentication mechanisms on services like SSH, FTP, or databases.
`brute` – Brute Force Scripts
Performs brute-force attacks to guess passwords or authentication tokens.
`discovery` – Network Discovery
Helps map network infrastructure and gather information about hosts, services, and users.
`dos` – Denial of Service
Launches DoS attacks (for testing purposes only; often disabled by default).
`fuzzer` – Fuzzing Scripts
Sends unexpected or malformed input to identify potential software crashes or vulnerabilities.
`malware` – Malware Detection
Scans for signs of malware infections or backdoors on the target system.
`safe` – Safe Scripts
Considered non-intrusive and unlikely to crash or disrupt services. Used in `-sC` scans by default.
`intrusive` – Intrusive Scripts
More aggressive or disruptive. May trigger alerts or affect service availability.
To list all scripts in a category:
Timing and Performance
Nmap provides various options to control scan speed, timing precision, and system load. These settings are essential when scanning large networks, avoiding detection, or fine-tuning performance.
Timing Templates
Use `-T<0-5>` to quickly set predefined timing profiles:
| Template | Name | Description |
|---|---|---|
| `-T0` | Paranoid | Very slow, used to avoid detection by IDS |
| `-T1` | Sneaky | Slow, less detectable |
| `-T2` | Polite | Slower, reduces bandwidth and CPU usage |
| `-T3` | Normal | Default scan speed |
| `-T4` | Aggressive | Faster, may trigger detection |
| `-T5` | Insane | Very fast, suitable for reliable and responsive targets |
Parallel Scanning
Forces a minimum of 10 parallel probes. Helps speed up scans on fast and stable networks.
Rate Limiting
Limits the number of packets sent per second. Useful for avoiding overloading the network or avoiding detection.
Host Timeout
Sets a maximum time (e.g., 5 minutes) to scan a single host. Prevents Nmap from hanging on unresponsive targets.
Firewall/IDS Evasion
Nmap offers several options to evade firewalls, intrusion detection systems (IDS), and logging mechanisms. These techniques can help bypass security filters or perform stealthy scans, but they should be used ethically and legally.
Fragment Packets
Sends fragmented IP packets to bypass some packet filters or firewalls.
Decoy Scan
Generates traffic from decoy IPs along with your own, making it harder for IDS to identify the real source. Replace `ME` with your scanner’s IP position.
Idle Scan
Performs a completely stealthy scan using a “zombie” host. The attacker never directly interacts with the target.
Source Port Spoofing
Spoofs the source port (e.g., 53 for DNS) to possibly bypass firewalls that allow specific port-based traffic.
Random Data Payload
Appends random data to packets, which may help evade some detection systems or avoid signature-based filtering.
MAC Address Spoofing
Sends packets using a spoofed MAC address. You can also use keywords like `0`, `RANDOM`, or `Apple` for automatic generation.
Output Options
Nmap provides several output formats to help you record, analyze, or parse scan results efficiently. These can be used for documentation, automation, or integration with other tools.
Normal Output
Saves results in human-readable format. This is the default view you see in the terminal.
XML Output
Generates machine-readable XML output, useful for importing into other tools or parsing with scripts.
Grepable Output
Saves scan data in a format suitable for `grep`, `awk`, or other command-line filters.
All Formats Simultaneously
Creates normal (`.nmap`), XML (`.xml`), and grepable (`.gnmap`) outputs with the same base filename (`output` in this case).
Verbose Output
Increases the amount of information displayed during and after the scan.
Debug Output
Enables debug messages for troubleshooting and analysis. Multiple `-d` flags increase the level of detail (e.g., `-d2`, `-d3`).
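Parsing the XML output with a script, as mentioned under XML Output, looks like this in Python. This is an added example rather than code from the page or from the Nmap project; `parse_nmap_xml` and `summarize` are constructed helpers, and the embedded report is a constructed sample that mimics the structure `-oX` writes (two hosts, one of them down).

```python
"""Parse Nmap -oX reports into flat per-port records. Added example, not
code from the page or from Nmap; the embedded report is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample of what `nmap -sV -oX scan.xml` writes, trimmed to the
# elements this parser reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.10-11">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="web01.lab.example" type="PTR"/></hostnames>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.11" addrtype="ipv4"/></host>
<runstats><finished elapsed="21.3"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""


@dataclass(frozen=True)
class PortRecord:
    host: str
    hostname: str
    proto: str
    port: int
    state: str
    service: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str, states: Iterable[str] = ("open",)) -> List[PortRecord]:
    """One record per port whose state is in `states`, for hosts that are up.

    The stdlib parser does not fetch external entities, but for reports from
    untrusted sources defusedxml is the safer drop-in.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report")
    wanted = set(states)
    records: List[PortRecord] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # Nmap reported the host as down: nothing to inventory
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name", "") if name_el is not None else ""
        for port in host.iterfind("ports/port"):
            state_el = port.find("state")
            if state_el is None or state_el.get("state") not in wanted:
                continue
            svc = port.find("service")
            svc_attrs = svc.attrib if svc is not None else {}  # absent without -sV
            records.append(PortRecord(
                host=addr.get("addr", ""), hostname=hostname,
                proto=port.get("protocol", ""), port=int(port.get("portid", "0")),
                state=state_el.get("state", ""), service=svc_attrs.get("name", ""),
                product=svc_attrs.get("product", ""), version=svc_attrs.get("version", ""),
            ))
    return records


def summarize(records: Iterable[PortRecord]) -> Dict[str, List[str]]:
    """Group records as {ip: ["22/tcp ssh OpenSSH 8.9p1", ...]} for inventory output."""
    summary: Dict[str, List[str]] = {}
    for r in records:
        detail = " ".join(p for p in (r.service, r.product, r.version) if p)
        summary.setdefault(r.host, []).append(f"{r.port}/{r.proto} {detail}".rstrip())
    return summary


if __name__ == "__main__":
    for ip, services in summarize(parse_nmap_xml(SAMPLE_XML)).items():
        print(ip, *services, sep="\n  ")
```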
Common Useful Commands
Below are practical Nmap commands grouped by common tasks such as network discovery, web scanning, vulnerability checks, and stealth operations.
Basic Network Discovery
Web Server Scanning
Vulnerability Scanning
Stealth Scanning
Advanced Techniques
For experienced users, Nmap offers powerful ways to combine scan types, target-specific vulnerabilities, and use automation scripts for deep network assessments.
Custom Scan Combinations
These commands combine multiple scan options to perform in-depth audits:
Scripting Examples
Use Nmap’s scripting engine (NSE) for targeted automation and protocol-specific enumeration:
These techniques are especially useful for penetration testing, red teaming, and automating security checks against commonly exposed services.
Nmap Switches Quick Reference
Scan Types
| Switch | Description |
|---|---|
| `-sS` | TCP SYN scan (default, stealthy) |
| `-sT` | TCP connect scan (full handshake) |
| `-sU` | UDP scan |
| `-sn` | Ping scan (host discovery only) |
| `-sA` | TCP ACK scan (firewall rule testing) |
| `-sW` | TCP Window scan |
| `-sM` | TCP Maimon scan (FIN/ACK probes) |
Host Discovery
| Switch | Description |
|---|---|
| `-sn` | Ping scan only (no port scan) |
| `-Pn` | Skip host discovery (treat all as online) |
| `-PE` | Send ICMP echo request |
| `-PS` | Send TCP SYN ping to specified ports |
| `-PA` | Send TCP ACK ping to specified ports |
| `-PU` | Send UDP ping to specified ports |
Port Specification
| Switch | Description |
|---|---|
| `-p` | Specify individual ports or port ranges (e.g., `-p 22,80,443` or `-p 1-1000`) |
| `-F` | Fast scan (top 100 most common ports) |
| `--top-ports` | Scan top N ports based on frequency data (e.g., `--top-ports 1000`) |
| `-p-` | Scan all 65,535 ports |
Service Detection
| Switch | Description |
|---|---|
| `-sV` | Detect service versions on open ports |
| `-sC` | Run default NSE scripts (equivalent to `--script=default`) |
| `-A` | Aggressive scan (includes `-sV`, `-sC`, `-O`, and traceroute) |
| `-O` | Detect operating system using TCP/IP fingerprinting |
Output
| Switch | Description |
|---|---|
| `-oN` | Save output in normal (human-readable) format |
| `-oX` | Save output in XML format |
| `-oG` | Save output in grepable format |
| `-oA` | Save in all formats (`.nmap`, `.xml`, `.gnmap`) with shared filename prefix |
| `-v` | Enable verbose mode (add `-v`, `-vv` for more detail) |
| `-d` | Enable debug mode (add `-d`, `-d2`, etc. for more levels) |
Performance
| Switch | Description |
|---|---|
| `-T0` to `-T5` | Timing templates (from Paranoid to Insane) for scan speed and stealth balance |
| `--min-rate` | Set minimum number of packets per second (e.g., `--min-rate 100`) |
| `--max-rate` | Limit packet sending rate per second (e.g., `--max-rate 1000`) |
| `--min-parallelism` | Minimum number of parallel scan probes (e.g., `--min-parallelism 10`) |
Best Practices
Legal and Ethical Usage
Using Nmap responsibly is critical to avoid legal consequences and unintentional disruption. Follow these guidelines:
- Scan only with permission: Always obtain explicit authorization before scanning any network, system, or IP range that you do not own.
- Practice responsible disclosure: If you discover a vulnerability, report it to the appropriate administrator or organization through official channels.
- Know the law: Understand and comply with local laws, industry regulations, and your organization’s security policies.
- Scan carefully: Use appropriate timing and rate-limiting options (e.g., `-T2`, `--max-rate`) to avoid impacting production systems or triggering alerts.
Note: Unauthorized scanning can result in legal action, blocked IP addresses, or service disruptions. Always act ethically and within legal boundaries.
Performance Optimization
Efficient Nmap usage helps reduce scan time, network load, and detection risk. Follow these tips to optimize performance:
- Use appropriate timing templates: Adjust scan speed using `-T` options (`-T3` for balanced, `-T4` for faster scans on stable networks).
- Limit scan scope when possible: Target only necessary hosts, ports, or services to avoid scanning unused assets.
- Use parallel scanning for large networks: Increase scan concurrency using options like `--min-parallelism` to speed up scans on responsive networks.
- Save results for later analysis: Use output options (`-oN`, `-oA`) to log scan results for documentation, auditing, or further processing.
Effective Scanning Strategy
A well-planned scanning approach improves efficiency and ensures comprehensive coverage. Follow these key phases:
- Discovery Phase: Begin with host discovery (e.g., `nmap -sn`) to identify which systems are online before scanning ports.
- Port Scanning: Start with common ports using fast scans (`-F` or `--top-ports`), then expand to the full range (`-p-`) if needed.
- Service Detection: Use version detection (`-sV`) and default scripts (`-sC`) to determine active services and software details.
- Vulnerability Assessment: Run relevant NSE scripts (`--script=vuln`) to identify known security issues.
- Documentation: Save all scan results (`-oN`, `-oA`) with timestamps for future reference, audit trails, and reporting.
Common Nmap Errors and Solutions
Troubleshooting common issues can help you get accurate results faster and avoid frustration during scans.
Permission Issues
- Problem: `Operation not permitted` or similar errors.
- Solution: Run Nmap with elevated privileges (e.g., `sudo`) or use `-sT` (TCP Connect) instead of `-sS` (SYN scan), which requires raw socket access.
Slow Scans
- Problem: Scans are taking an unusually long time to complete.
- Solution:
  - Use a faster timing template (e.g., `-T4`).
  - Limit the number of scanned ports (e.g., `-p 1-1000`).
  - Increase scan speed with `--min-rate` or `--min-parallelism`.
Firewall Blocking
- Problem: Target appears offline or unresponsive; no results returned.
- Solution:
  - Use `-Pn` to skip host discovery and treat the host as up.
  - Try alternate scan types like `-sT`, `-sA`, or `-sU`.
  - Use packet fragmentation with `-f` to bypass basic filtering.
GUI Alternatives to Nmap
Zenmap (Official GUI)
Zenmap is the official graphical user interface for Nmap, designed to make scanning and analysis more accessible—especially for users who prefer a visual approach.
Key Features:
- Point-and-click interface: Easily configure and run scans without needing to memorize command-line options.
- Network topology visualization: See scanned hosts and services on an interactive map.
- Scan result comparison: Compare past and current scans to detect changes in the network.
- Profile management: Save and reuse custom scan profiles for repeatable testing.
- Real-time scan progress: View live updates during scanning, including host and port discovery.
Zenmap is cross-platform and available for Linux, Windows, and macOS. It’s especially useful for beginners or for documenting scans in a visual format.
Installation
You can install Zenmap on various platforms depending on your OS:
- Windows: Zenmap is included in the official Nmap installer from nmap.org. Just select Zenmap during installation.
- macOS: Zenmap is no longer officially maintained for macOS, but older builds may be available on nmap.org. Use with caution or consider running it via a Linux VM.
Other GUI Tools
In addition to Zenmap, several other GUI-based tools offer scanning, discovery, and analysis features—some built on top of Nmap, others as independent utilities.
Nmap GUI
A lightweight, web-based interface for Nmap. Useful for quick scans via browser on local or remote systems.
NetworkMiner
A network forensic analysis tool that passively captures and analyzes packets. Excellent for extracting metadata and reconstructing sessions.
Angry IP Scanner
A fast, open-source IP scanner with a clean interface. Supports plugin-based extensions and works on Windows, macOS, and Linux.
Advanced IP Scanner
Windows-only network scanner known for its ease of use. Useful for discovering shared folders, MAC addresses, and remote access.
Fing
A mobile-friendly network scanner app for iOS and Android. Great for quick device discovery and basic diagnostics on local networks.
Web-based Interfaces
These platforms offer network scanning, device discovery, and reconnaissance tools through a web interface—ideal for quick checks or remote access.
Nmap Online
A browser-based frontend for Nmap. It allows you to run basic scans without installing anything locally. Limited in features compared to full Nmap.
- Website: https://nmap.online
- Use case: Lightweight, quick scans for reachable hosts.
Shodan
A powerful search engine for discovering internet-connected devices and services (e.g., webcams, servers, routers).
- Website: https://www.shodan.io
- Use case: Passive reconnaissance, finding exposed ports and banners globally.
Censys
Another search engine for Internet-facing hosts, with a focus on security research and compliance.
- Website: https://censys.io
- Use case: Analyzing global exposure of services like HTTPS, SSH, and databases.
Note: These tools don’t replace Nmap but can complement it by offering global context and passive intelligence.
Frequently Asked Questions
Is Nmap legal to use?
Yes, Nmap is legal when used on networks you own or are authorized to scan. Always ensure proper permission before conducting any scan.
Can Nmap be detected by firewalls?
Yes. Most firewalls and intrusion detection systems (IDS) can detect Nmap activity. Using stealth options like `-sS`, `-Pn`, and timing templates (e.g., `-T2`) may help reduce detection.
What’s the difference between TCP and UDP scanning?
TCP scans use reliable, connection-oriented protocols. UDP scans are connectionless and less predictable, making them slower and harder to detect but useful for discovering services like DNS or SNMP.
Why does Nmap require root privileges?
Features like SYN scanning (`-sS`), OS detection (`-O`), and low-level packet control require raw socket access, which typically needs root or administrator privileges. Use `-sT` for scans without elevated access.
How accurate is Nmap’s OS detection?
OS detection is usually 85–95% accurate but can vary depending on network conditions and the target’s TCP/IP stack behavior.
Can I scan IPv6 addresses?
Yes. Use the `-6` flag like so: `nmap -6 target`
How can I speed up Nmap scans?
Try using faster timing templates (`-T4`), limiting port ranges (`-p 1-1000`), increasing `--min-rate`, or scanning multiple hosts in parallel.
Why is UDP scanning so slow?
UDP doesn’t acknowledge packets, so Nmap must wait for timeouts or ICMP responses. This slows down scans. Use `--max-rate` to help increase speed.
What’s the fastest way to scan a large network?
First, use a ping sweep (`-sn`) to identify live hosts. Then scan only those hosts for ports and services.
How do I find available NSE scripts?
Use `nmap --script-help all`, or browse the script directory, typically `/usr/share/nmap/scripts/`.
Can I write custom NSE scripts?
Yes. NSE scripts are written in Lua. Refer to the NSE documentation for details and examples.
Are NSE scripts safe to use?
Most default scripts are safe. However, scripts in categories like `intrusive`, `brute`, or `dos` may disrupt target systems and should be used with caution.