Nmap Cheat Sheet & Command Builder
Pick your scan options to build a ready Nmap command, and browse the flag reference - in your browser.
- Pick a scan type in the builder, such as a SYN scan or a ping sweep, to form the base of the command.
- Toggle options like service detection, script scanning, timing, and port selection to add the right flags.
- Copy the assembled
nmapcommand, and use the flag reference table to look up anything unfamiliar. - Only run the command against hosts and networks you own or have written permission to scan.
Nmap, the Network Mapper, is the standard tool for discovering what is on a network and what those hosts are
running. In the reconnaissance phase of any assessment it answers the first questions you need: which machines
are alive, which ports are open, and what services sit behind them. This command builder assembles the right
nmap invocation from the options you choose, and the reference table explains each flag so you learn
the tool rather than just copying commands. A firm rule applies throughout: scan only networks you own or are
explicitly authorised to test, because port-scanning systems without permission can itself be unlawful.
Common scan types
The scan type decides how Nmap probes each port. The default for a privileged user is the SYN scan,
-sS, which sends a SYN packet and reads the reply without completing the handshake - fast and
relatively quiet. Without root you fall back to the TCP connect scan, -sT, which finishes the full
three-way handshake and is therefore noisier and more likely to be logged. UDP services need -sU,
which is slower because UDP has no handshake to lean on. When you only want to know which hosts are up without
touching ports at all, a ping sweep with -sn discovers live hosts across a range.
Service, OS, and script detection
Knowing a port is open is rarely enough - you want to know what is listening. Version detection,
-sV, interrogates each open port to fingerprint the service and its version. OS detection,
-O, guesses the operating system from subtle differences in how the stack responds. The Nmap
Scripting Engine adds deeper checks: -sC runs the default script set, while --script
lets you name specific scripts or categories, for example --script vuln to look for known issues.
The aggressive option -A bundles version detection, OS detection, default scripts, and traceroute
into one convenient (but loud) flag.
Ports, timing, and host discovery
By default Nmap checks the 1000 most common ports. You narrow or widen that with -p: use
-p 80,443 for specific ports, -p 1-1000 for a range, -p- to scan all
65535 ports, or --top-ports 100 to focus on the hundred most likely. Timing templates from
-T0 (paranoid and slow) to -T5 (insanely fast) trade stealth against speed;
-T4 is a common, reasonably brisk choice for a lab or an authorised engagement. Finally,
-Pn tells Nmap to skip host discovery and treat every target as online, which is essential when a
firewall drops the ping probes Nmap would otherwise use to decide a host is down.
A worked example
Suppose you want a solid all-round scan of an authorised target. You might build up
nmap -sV -sC -T4 -Pn 10.10.10.5. Reading it flag by flag: -sV fingerprints the
service and version on each open port; -sC runs the default scripts to pull banners and catch
common misconfigurations; -T4 keeps the scan moving at a brisk pace; and -Pn skips
the initial ping so a firewall that blocks ICMP does not make Nmap wrongly conclude the host is offline. The
trailing 10.10.10.5 is the target you are permitted to test. That single command gives you an open
port list, the software behind each port, and a first pass of script findings - a strong foundation for the
rest of an assessment, and a good habit to practise in a lab before you ever touch a live engagement.
Perguntas frequentes
What is Nmap?
Is it legal to run Nmap?
What is the difference between -sS and -sT?
How do I scan for service versions?
Does this tool scan for me?
Pratique de verdade
Pratique em alvos reais
Transforme essas ferramentas em habilidades com labs práticos e cursos guiados na HackerDNA.
Criar uma conta gratuita