Nmap (Network Mapper) remains the undisputed king of network reconnaissance tools in 2026. Created by Gordon Lyon (Fyodor) in 1997, it has evolved into the most powerful open-source scanner available, used by penetration testers, system administrators, and security researchers worldwide.
This Nmap cheat sheet covers every command you need for effective network scanning, from basic host discovery to advanced NSE scripting. Whether you're preparing for OSCP, competing in CTFs, or conducting authorized security assessments, bookmark this page as your go-to reference.
Updated for Nmap 7.98+ with all current flags and techniques.
What is Nmap?
Nmap is a free, open-source network scanner used for host discovery, port scanning, service detection, and security auditing. It sends specially crafted packets to target hosts and analyzes responses to determine what ports are open, what services are running, and what operating systems are in use.
Every penetration test starts with reconnaissance, and Nmap is the go-to tool for that phase. Security professionals use it to map network topology, identify potential attack vectors, and gather intelligence before attempting exploitation. System administrators rely on it for network inventory and monitoring unauthorized services.
Nmap is essential for the reconnaissance phase of penetration testing. Learn the complete methodology in our Reconnaissance Course.
Installation Commands
Nmap is available on all major platforms. Install it with your package manager:
| Platform | Command |
|---|---|
| Debian/Ubuntu/Kali | sudo apt install nmap |
| RHEL/CentOS/Fedora | sudo dnf install nmap |
| macOS (Homebrew) | brew install nmap |
| Windows | Download from nmap.org |
Verify the installation with nmap --version. You should see version 7.98 or higher for all features in this cheat sheet.
Basic Nmap Scanning Commands
These fundamental nmap commands form the foundation of network reconnaissance. Start here if you're learning how to use nmap.
| Command | Description |
|---|---|
| nmap <target> | Scan a single host (top 1000 TCP ports) |
| nmap 192.168.1.1-254 | Scan an IP range |
| nmap 192.168.1.0/24 | Scan an entire subnet (CIDR notation) |
| nmap -iL targets.txt | Scan targets listed in a file (one per line) |
| nmap --exclude 192.168.1.1 <target> | Exclude specific hosts from the target set |
| nmap --excludefile exclude.txt <target> | Exclude hosts listed in a file |
Pro Tip: Start with -sn for host discovery before running full port scans. This reduces noise and dramatically cuts scan time on large networks.
Host Discovery and Ping Scanning
Before scanning ports, determine which hosts are alive. The nmap ping sweep identifies live systems without generating excessive traffic.
| Flag | Description | Use Case |
|---|---|---|
| -sn | Ping scan only (no port scan) | Quick network sweep |
| -Pn | Skip host discovery and treat every target as up | Hosts that drop all ping probes |
| -PS22,80,443 | TCP SYN ping to the listed ports | Discover hosts through specific services when ICMP is filtered |
| -PA | TCP ACK ping | Get past stateless filters that drop SYN but pass ACK |
| -PU | UDP ping | When TCP is blocked |
| -PE | ICMP echo ping | Traditional ping |
| -PR | ARP ping | Local network only (fastest; Nmap already uses it by default on a local Ethernet segment) |
Practical Examples
```bash
# Quick network sweep to find live hosts
nmap -sn 192.168.1.0/24
# For hosts that block ICMP: keep host discovery (-sn) but probe with TCP SYN.
# Do not combine -Pn with -PS here: -Pn disables discovery, which defeats the purpose.
nmap -sn -PS22,80,443 192.168.1.0/24
# ARP scan on local network (requires root)
sudo nmap -PR -sn 192.168.1.0/24
```
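As an added example that is not part of the original page, here is the two-phase approach the Pro Tip describes (sweep first, then port-scan only the hosts that answered) as a small shell script. The function names live_hosts and two_phase_scan and the sample sweep output are my own and constructed; nmap is only called inside two_phase_scan, which you run yourself on an authorized range.

```sh
#!/bin/sh
# Added example (not from the original page): two-phase reconnaissance.
# Phase 1 sweeps the subnet with -sn and saves grepable output; phase 2
# port-scans only the hosts that answered, fed back in with -iL.
set -eu

# Print the address of every host that grepable (-oG) output marks
# "Status: Up". Reads the files given as arguments, or stdin if none.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$@"
}

# The real pipeline (hypothetical helper; needs nmap, and root for ARP/SYN
# probes and -sS). Not run automatically: call it as
#   two_phase_scan 192.168.1.0/24 recon
two_phase_scan() {
  subnet=$1
  prefix=${2:-recon}
  # ARP on the local segment; elsewhere TCP SYN to common ports plus ICMP echo.
  sudo nmap -sn -PR -PS22,80,443 -PE "$subnet" -oG "${prefix}_sweep.gnmap" >/dev/null
  live_hosts "${prefix}_sweep.gnmap" > "${prefix}_live.txt"
  printf '%s live host(s) found, starting port scan\n' "$(wc -l < "${prefix}_live.txt")"
  sudo nmap -sS -sV -T4 -iL "${prefix}_live.txt" -oA "${prefix}_ports"
}

# Constructed sample of "nmap -sn -oG -" output (not a real scan) so the
# parser can be exercised offline.
sample_sweep() {
  printf '# Nmap 7.98 scan initiated as: nmap -sn -oG - 192.0.2.0/29\n'
  printf 'Host: 192.0.2.1 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.2 ()\tStatus: Down\n'
  printf 'Host: 192.0.2.3 (printer.example)\tStatus: Up\n'
  printf '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds\n'
}

# Offline demonstration: only 192.0.2.1 and 192.0.2.3 should be printed.
sample_sweep | live_hosts
```

The point of saving the sweep with -oG rather than reading the screen is that the live-host list becomes an artifact you can diff between runs and hand to -iL, so the expensive port scan never touches addresses that did not answer.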
Practice host discovery techniques in our Nmap Lab, a beginner-friendly environment to master network scanning.
Port Scanning Techniques
Port scanning is the core of Nmap functionality. Different scan types have different use cases, stealth levels, and accuracy tradeoffs.
Scan Types
| Flag | Scan Type | When to Use |
|---|---|---|
| -sS | TCP SYN (half-open, often called "stealth") | Default when running as root: fast and never completes the handshake |
| -sT | TCP Connect | When you don't have root access (completes the handshake, so the target application can log it) |
| -sU | UDP Scan | Check UDP services (DNS, SNMP, DHCP) |
| -sA | TCP ACK | Map firewall rules (reports filtered/unfiltered, never open) |
| -sN / -sF / -sX | Null / FIN / Xmas | Evade simple stateless packet filters; unreliable against Windows and other stacks that RST every probe |
Port Specification - Nmap Scan All Ports
| Syntax | Selection | Description |
|---|---|---|
| -p 80 | Single port | Scan one specific port |
| -p 80,443,8080 | Multiple ports | Comma-separated list |
| -p 1-1000 | Port range | Scan ports 1 through 1000 |
| -p- | All ports | Scan all 65535 ports (shorthand for -p 1-65535) |
| --top-ports 100 | Top N ports | The N most common ports by frequency in nmap-services |
| -F | Fast | Top 100 ports only |
Pro Tip: Always use -p- for thorough assessments. Many services hide on non-standard ports. Finding SSH on port 2222 or a web app on port 8443 can be the difference between a successful test and a missed finding.
Master port scanning techniques in our Scanning Course with hands-on exercises.
Service and Version Detection
Identifying what services run on open ports is crucial for vulnerability assessment. Nmap probes services to determine software names and versions.
| Flag | Description |
|---|---|
| -sV | Detect service versions |
| --version-intensity 0-9 | Probe intensity (0 = lightest, 9 = all probes) |
| --version-light | Quick version scan (intensity 2) |
| --version-all | Try all probes (intensity 9) |
| -A | Aggressive: OS detection + version detection + default scripts + traceroute |
Examples
```bash
# Standard service detection
nmap -sV -p 22,80,443,3306,8080 target.example
# Aggressive full scan
nmap -A -T4 target.example
# Light version scan for speed
nmap -sV --version-light -p- target.example
```
OS Detection
Nmap fingerprints TCP/IP stack implementations to identify operating systems. This requires root/admin privileges and works best with at least one open and one closed port.
| Flag | Description |
|---|---|
| -O | Enable OS detection |
| --osscan-limit | Only fingerprint hosts with at least one open and one closed port |
| --osscan-guess | Report near-matches when no exact fingerprint matches |
```bash
# OS detection with aggressive guessing
sudo nmap -O --osscan-guess target.example
# Combined OS and version detection
sudo nmap -O -sV target.example
```
Nmap Scripting Engine (NSE) - Vulnerability Scanning
The Nmap Scripting Engine transforms Nmap from a simple scanner into a full vulnerability assessment tool. NSE scripts automate discovery, enumeration, and nmap vulnerability scan tasks that would otherwise require multiple specialized tools.
NSE contains over 600 scripts written in Lua, covering everything from basic banner grabbing to complex vulnerability detection. Scripts are organized into categories based on their purpose and intrusiveness level.
Script Categories
| Category | Purpose | Usage |
|---|---|---|
| vuln | Vulnerability detection | --script vuln |
| exploit | Active exploitation | --script exploit |
| brute | Password attacks | --script brute |
| discovery | Service enumeration | --script discovery |
| safe | Non-intrusive scripts | --script safe |
| default | The scripts -sC runs (same as --script default; not every default script is in the safe category) | -sC |
Most Useful NSE Scripts
```bash
# Comprehensive vulnerability scanning
nmap --script vuln target.example
# HTTP enumeration (directories, methods, headers)
nmap --script http-enum -p 80,443 target.example
# SMB vulnerabilities (MS17-010/EternalBlue, etc.)
# Quote wildcards so the shell does not expand them against files in the current directory
nmap --script "smb-vuln*" -p 445 target.example
# SSL/TLS analysis (weak ciphers, expired certs)
nmap --script ssl-enum-ciphers -p 443 target.example
# DNS zone transfer check
nmap --script dns-zone-transfer -p 53 target.example
# FTP anonymous login
nmap --script ftp-anon -p 21 target.example
# MySQL info gathering
nmap --script mysql-info -p 3306 target.example
# SSH brute force (use responsibly on authorized targets)
nmap --script ssh-brute -p 22 target.example
# HTTP vulnerability scan
nmap --script "http-vuln*" -p 80,443 target.example
```
Pro Tip: Run nmap --script-help vuln to list every script in a category (it also accepts script names and wildcards). Note that nmap --script-updatedb only rebuilds the local script index (script.db); run it after dropping new .nse files into the scripts directory. It does not download anything, so upgrade Nmap itself to get new and updated scripts.
After discovering vulnerabilities with Nmap, practice exploiting them safely in HackerDNA's SQL Injection Lab or NoSQL Injection Lab.
Timing and Performance
Nmap's timing templates balance speed against accuracy and stealth. Choose based on your environment and goals.
Timing Templates
| Template | Name | Use Case |
|---|---|---|
| -T0 | Paranoid | IDS evasion (extremely slow) |
| -T1 | Sneaky | IDS evasion |
| -T2 | Polite | Reduce bandwidth usage |
| -T3 | Normal | Default |
| -T4 | Aggressive | Fast, reliable networks |
| -T5 | Insane | Very fast, may miss ports |
Fine-Grained Controls
| Flag | Description |
|---|---|
| --min-rate 100 | Send at least this many packets per second |
| --max-rate 500 | Send at most this many packets per second |
| --max-retries 2 | Limit probe retransmissions |
| --host-timeout 30m | Give up on a host after this much time |
Pro Tip: For CTFs and lab environments, use -T4 for speed. For real penetration tests, stick with -T3 or lower to avoid detection and ensure accuracy.
Output Formats
Save scan results for later analysis, reporting, and tool integration.
| Flag | Format | Best For |
|---|---|---|
| -oN file.txt | Normal | Human reading |
| -oX file.xml | XML | Tool parsing, Metasploit import |
| -oG file.gnmap | Grepable | Quick grep/awk searches |
| -oA basename | All three (.nmap, .xml, .gnmap) | Always use this |
Pro Tip: Always use -oA to save in all formats simultaneously. You'll thank yourself later when you need to parse results with different tools or generate reports.
Additional Output Flags
| Flag | Purpose |
|---|---|
| -v / -vv | Increase verbosity (see progress) |
| --open | Only show open (or possibly open) ports |
| --reason | Show the response, or lack of one, that led to each port state |
Firewall and IDS Evasion
These techniques help bypass security controls during authorized penetration tests. Use responsibly and only on systems you have permission to test.
| Flag | Technique | Description |
|---|---|---|
| -f | Fragmentation | Split TCP/UDP headers into 8-byte fragments |
| --mtu 24 | Custom MTU | Set fragment size (must be a multiple of 8) |
| -D decoy1,decoy2,ME | Decoys | Mix your probes with spoofed ones; ME marks your real address's position |
| -S <ip> | Spoof source | Fake source IP (limited use: replies go to the spoofed address, so you need to sniff them) |
| -g 53 | Source port | Use a port that badly written filters trust (DNS 53, HTTP 80) |
| --data-length 50 | Padding | Append 50 random bytes to each probe |
| --randomize-hosts | Order | Randomize target scan order |
| --spoof-mac 0 | MAC spoofing | Random MAC address (also accepts a vendor name or a full MAC) |
Evasion Example
```bash
# Stealthy scan with multiple evasion techniques
sudo nmap -sS -T2 -f -D RND:5 --source-port 53 --data-length 50 target.example
```
Warning: Evasion techniques are for authorized penetration tests only. Using these against systems you don't own or have explicit permission to test is illegal.
Common Scan Combinations
Copy-paste ready commands for common scanning scenarios. These combine multiple flags for practical use cases. Each command is tested and optimized for its specific purpose.
Host Discovery
```bash
# Quick host discovery on a subnet
nmap -sn 192.168.1.0/24
# ARP discovery on local network (fastest, requires root)
sudo nmap -PR -sn 192.168.1.0/24
# Discovery when ICMP is blocked: TCP SYN probes instead of echo requests
# (-Pn would skip discovery altogether, so it does not belong here)
nmap -sn -PS22,80,443 192.168.1.0/24
```
Standard Reconnaissance
```bash
# Quick scan for CTF initial foothold
nmap -sC -sV -T4 -oA initial target.example
# Standard service scan with all ports
nmap -sV -sC -p- target.example -oA standard_scan
# Fast top ports scan for quick overview
nmap -F -T4 target.example
```
Comprehensive Scanning
```bash
# Comprehensive scan (great for CTFs and labs)
nmap -A -T4 -p- target.example -oA comprehensive
# Stealth scan with service and OS detection
sudo nmap -sS -sV -O -T4 target.example
# Full TCP + UDP on all ports (thorough but slow: -p- applies to UDP too, and
# 65535 UDP ports can take many hours per host because targets rate-limit the
# ICMP unreachable replies that mark ports closed; -p T:-,U:1-1024 is a common compromise)
sudo nmap -sS -sU -sV -O -sC -p- -T4 -oA fullscan target.example
```
Specialized Scans
```bash
# UDP scan (common services only - UDP is slow)
sudo nmap -sU --top-ports 20 target.example
# Vulnerability assessment
nmap --script vuln -sV target.example -oA vuln_scan
# Web server enumeration
nmap -sV --script=http-enum,http-headers,http-methods -p 80,443,8080 target.example
# SMB enumeration and vulnerability check (wildcard quoted to stop shell expansion)
nmap --script "smb-enum-shares,smb-vuln*" -p 445 target.example
# Database service enumeration
nmap -sV --script=mysql-info,ms-sql-info -p 3306,1433 target.example
```
Pro Tip: For CTF competitions, start with nmap -sC -sV -T4 -oA initial target to get quick results while you read the challenge description. Run a full port scan nmap -p- -T4 target in a second terminal to catch services on non-standard ports.
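Two of the workflows above, saving scan output for later use (the Output Formats section) and the tip of running a full -p- scan alongside a quick one and then chasing what it finds, both come down to parsing the .gnmap file that -oA writes. The following is an added example, not part of the original page or of Nmap itself: the sample scan output is constructed, and the function names open_ports, hosts_with_port and port_list are my own. It turns saved grepable output into an open-port inventory, a per-port host list ready for -iL, and a comma-separated port list ready for -p.

```sh
#!/bin/sh
# Added example (not from the original page): mine the .gnmap file that -oA
# writes for follow-up target lists instead of re-reading the terminal.
set -eu

# Print one tab-separated line "host  port/proto  service  version" for every
# open port in grepable output ("-" when -sV reported no version).
# Reads the files given as arguments, or stdin if none.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")
        for (j = 1; j <= n; j++) {
          # grepable entry layout: port/state/proto/owner/service/rpc/version/
          split(entry[j], f, "/")
          if (f[2] != "open") continue
          printf "%s\t%s/%s\t%s\t%s\n", host, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
        }
      }
    }' "$@"
}

# Hosts with a given port open, one per line: feed the result to -iL.
hosts_with_port() {
  want=$1; shift
  open_ports "$@" | awk -F'\t' -v want="$want" '
    { split($2, pp, "/"); if (pp[1] == want) print $1 }' | sort -u
}

# Every open port on one host as "22,80,...": feed the result to -p.
port_list() {
  host=$1; shift
  open_ports "$@" | awk -F'\t' -v host="$host" '
    $1 == host { split($2, pp, "/"); printf "%s%s", sep, pp[1]; sep = "," }
    END { print "" }'
}

# Constructed sample of "nmap -sV -oG -" output (not a real scan).
sample_scan() {
  printf '# Nmap 7.98 scan initiated as: nmap -sV -oG - 192.0.2.10-11\n'
  printf 'Host: 192.0.2.10 (web.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6p1/, 80/open/tcp//http//nginx 1.24.0/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.0.2.11 (files.example)\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 42.00 seconds\n'
}

# Offline demonstration on the constructed sample.
sample_scan | open_ports
sample_scan | hosts_with_port 445      # only 192.0.2.11 (445 is closed on .10)
sample_scan | port_list 192.0.2.10     # 22,80

# On a real engagement the same functions read your saved file instead, e.g.:
#   hosts_with_port 445 standard_scan.gnmap > smb_hosts.txt
#   nmap --script "smb-vuln*" -p 445 -iL smb_hosts.txt -oA smb_vuln
#   nmap -sC -sV -p "$(port_list 10.10.10.5 full.gnmap)" 10.10.10.5 -oA targeted
```

The second commented follow-up is the CTF pattern in practice: the quick -sC -sV scan gives you something to read immediately, the -p- scan finds the odd ports, and port_list hands exactly those ports to a targeted -sC -sV run so you never re-scan the whole range with scripts enabled.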
Ready to put these commands into practice? Try our Hack the Box Lab where you'll use Nmap for real reconnaissance against a hardened target.
Understanding Port States
Nmap reports ports in six possible states. Understanding these helps interpret scan results accurately and avoid false conclusions about target security posture.
| State | Meaning |
|---|---|
| open | An application is actively accepting connections |
| closed | Reachable, but no service is listening |
| filtered | A firewall or filter is dropping probes, so the state can't be determined |
| unfiltered | Reachable, but open/closed unknown (only reported by ACK scans) |
| open\|filtered | Open or filtered, Nmap can't tell which (common in UDP scans) |
| closed\|filtered | Closed or filtered, Nmap can't tell which (IP ID idle scan only) |
The filtered state usually indicates a firewall is present. Try different scan types (-sA, -sN, -sF) to gather more information about the firewall rules. The open|filtered state is common with nmap UDP scan results because an open UDP service often sends nothing back, which looks identical to a silently dropped packet; only an ICMP port unreachable reply proves a port closed.
Quick Reference Card
The most essential Nmap commands in one place. Perfect for quick reference during assessments. Download the printable PDF version to keep at your desk.
Essential Commands
| Command | Purpose |
|---|---|
| nmap -sn <subnet> | Host discovery |
| nmap -sC -sV -T4 <target> | Quick service scan |
| nmap -p- <target> | All ports |
| nmap -A -T4 <target> | Aggressive scan |
| nmap --script vuln <target> | Vulnerability scan |
| nmap -sU --top-ports 20 <target> | UDP scan |
| nmap -oA <basename> <target> | Save all formats |
Key Flags
| Flag | Meaning | Flag | Meaning |
|---|---|---|---|
| -sS | SYN stealth scan | -sV | Version detection |
| -sC | Default scripts | -O | OS detection |
| -Pn | Skip ping | -T4 | Fast timing |
| -p- | All 65535 ports | -v | Verbose output |
Practice Your Nmap Skills
Knowing nmap commands is one thing. Using them effectively against real targets is another. Reading cheat sheets builds knowledge, but hands-on practice builds expertise. The difference between a competent penetration tester and a beginner often comes down to hours spent practicing reconnaissance against diverse targets.
HackerDNA Labs provides dedicated vulnerable machines to practice reconnaissance, scanning, and exploitation in a safe, legal environment. Each lab simulates real-world scenarios where you'll apply the commands from this nmap cheat sheet to discover services, identify vulnerabilities, and practice your methodology.
Recommended Labs for Nmap Practice
- Nmap Lab 102 Master the basics of network scanning in a guided environment
- Hack the Box Lab Full penetration test from reconnaissance to root access
- Secrets in Source Combine scanning with web exploitation techniques
Structured Learning Path
For comprehensive training, our Nmap Mastery Course covers everything from basics to advanced techniques with interactive exercises. For a quick interactive reference, try our Nmap Cheat Sheet Course with knowledge validation exercises.
Ready to start scanning? Create your free HackerDNA account and access beginner-friendly labs where you can practice every command in this cheat sheet legally.
Frequently Asked Questions
What is an Nmap cheat sheet?
An Nmap cheat sheet is a quick reference guide containing the most commonly used Nmap commands and flags. It helps security professionals quickly find the right syntax during penetration tests, CTF competitions, or network assessments without memorizing every option.
Is it legal to use Nmap?
Nmap itself is completely legal to install and use. However, scanning networks or systems you don't own without explicit written permission is illegal in most countries. Always get authorization before scanning any target. Practice on your own networks, authorized platforms like HackerDNA Labs, or dedicated practice environments.
What is the most common Nmap command?
The most commonly used command is nmap -sC -sV -T4 target. This runs default scripts (-sC), detects service versions (-sV), and uses aggressive timing (-T4). It provides a good balance of information and speed for initial reconnaissance.
How do I scan all ports with Nmap?
Use nmap -p- target to scan all 65535 TCP ports. By default, Nmap only scans the top 1000 most common ports. Scanning all ports takes longer but catches services running on non-standard ports, which is often where interesting vulnerabilities hide.
Why does my Nmap scan require root/sudo?
The default SYN scan (-sS) sends raw packets, which requires root privileges. OS detection (-O), UDP scans (-sU) and most evasion techniques also need raw sockets. Without root, Nmap falls back to -sT, a TCP connect scan that uses the operating system's normal connect() call: it completes the full handshake, so it is slower and far more likely to be logged by the target application.
Related Resources
Expand your penetration testing toolkit with these related guides and courses:
- CTF for Beginners Guide - Learn how to apply Nmap in CTF competitions
- Network Penetration Testing Course - Complete network pentest methodology
- Nmap Mastery Course - In-depth Nmap training with hands-on exercises
- Nmap Cheat Sheet Course - Interactive cheat sheet with knowledge validation
- Official Nmap Documentation - Reference manual from the creators
Conclusion
This Nmap cheat sheet covers the essential commands for network reconnaissance in 2026. From basic host discovery to advanced NSE scripting, these techniques form the foundation of effective penetration testing.
Remember: scanning skills improve with practice, not memorization. Use this reference while working through real scenarios in lab environments. Each scan teaches you something new about how networks respond and where vulnerabilities hide.
Legal Reminder: Only scan networks and systems you own or have explicit written authorization to test. Unauthorized scanning is illegal in most jurisdictions regardless of intent.
Bookmark this page, start practicing, and build the reconnaissance skills that separate competent penetration testers from script kiddies.