Nmap Cheatsheet 2026

100+ Nmap commands from basics to advanced. Host discovery, scan types, NSE scripts, firewall evasion, output formats — the only Nmap reference you need.


# Host Discovery

Find live hosts before scanning ports. By default (running as root) Nmap sends an ARP request to hosts on the local Ethernet segment and, to remote hosts, an ICMP echo request plus a TCP SYN to port 443 and a TCP ACK to port 80.

nmap -sn 192.168.1.0/24
Ping sweep — find all live hosts on the subnet (no port scan)
nmap -sn -PR 192.168.1.0/24
ARP discovery only — fastest on local networks, bypasses host firewalls
nmap -sn -PE -PP -PM TARGET
ICMP discovery: Echo + Timestamp + Address Mask — bypass ICMP-echo-only filters
nmap -sn -PS22,80,443 -PA80,443 TARGET
TCP SYN probes to 22/80/443 plus TCP ACK probes to 80/443 — works when ICMP is blocked
nmap -sn -PU53,161 TARGET
UDP discovery on DNS + SNMP ports
nmap -Pn TARGET
Skip discovery — treat all hosts as online (use when ping is blocked)
nmap -sL 10.0.0.0/24
List scan — reverse-DNS lookup of each address only; nothing is sent to the targets themselves (the queries go to your resolver), so this is passive recon

# Scan Types

Different TCP/UDP scan techniques. SYN scan is the default and most popular.

| Flag | Scan type | When to use |
|------|-----------|-------------|
| -sS | TCP SYN (stealth) | Default, fast, doesn't complete the handshake |
| -sT | TCP Connect | When you don't have raw socket privileges |
| -sU | UDP Scan | Discover DNS, SNMP, DHCP, TFTP services |
| -sA | TCP ACK | Map firewall rules (filtered vs unfiltered) |
| -sW | Window Scan | Like ACK but detects open ports on some systems |
| -sN | TCP Null | No flags set — evades some firewalls |
| -sF | FIN Scan | FIN flag only — stealthy against some IDS |
| -sX | Xmas Scan | FIN+PSH+URG — another firewall evasion technique |
| -sM | Maimon Scan | FIN+ACK — works on some BSD systems |
| -sI | Idle/Zombie Scan | Ultimate stealth — use a zombie host as proxy |

nmap -sS TARGET
SYN stealth scan — the most common and recommended scan type (requires root)
nmap -sU --top-ports 200 TARGET
UDP scan on top 200 ports — slow but essential (SNMP, DNS, TFTP are UDP)
nmap -sS -sU -p T:1-1000,U:53,111,161,500 TARGET
Combined TCP+UDP scan — TCP ports 1-1000 plus the listed UDP ports in a single run
nmap -sI zombie_ip TARGET
Idle scan — completely blind scan bounced through a zombie host; the target never sees a packet from your IP (only the zombie does)

# Port Specification

Control exactly which ports to scan. By default Nmap scans the top 1000 ports.

nmap -p- TARGET
Scan all 65535 TCP ports — never skip this in a pentest
nmap -p 80,443,8080,8443 TARGET
Scan specific ports only
nmap -p 1-1024 TARGET
Scan a port range (all privileged ports)
nmap --top-ports 100 TARGET
Scan only the 100 most common ports (fast recon)
nmap -p- --min-rate=1000 TARGET
Full port scan at 1000+ packets/sec — fast full scan strategy
nmap -p T:80,443,U:53,161 TARGET
Mix TCP and UDP ports in one command

# Service & Version Detection

Don't just find open ports — identify what's running and what version. Critical for finding exploits.

nmap -sV TARGET
Version detection — probe open ports to determine service and version
nmap -sV --version-intensity 9 TARGET
Maximum version detection — try all probes (slower but more accurate)
nmap -sV --version-light TARGET
Light version scan — intensity 2, much faster (less accurate)
nmap -sC TARGET
Default scripts — equivalent to --script=default (safe, useful info)
nmap -sC -sV -p 22,80,443 TARGET
The classic combo: version detection + default scripts on specific ports
nmap -A TARGET
Aggressive scan: -sV + -sC + -O + --traceroute (noisy but comprehensive)

# OS Detection

Fingerprint the operating system by analyzing TCP/IP stack behavior.

nmap -O TARGET
OS detection — needs at least 1 open + 1 closed port for accuracy
nmap -O --osscan-guess TARGET
Aggressive OS guessing — print best guess even when uncertain
nmap -O --osscan-limit TARGET
Only attempt OS detection on hosts with 1 open + 1 closed port (skip uncertain)

# NSE Scripts

The Nmap Scripting Engine is incredibly powerful. 600+ scripts for vuln scanning, brute-force, enumeration, and more.

💡 Tip: Count the scripts installed on your system with ls /usr/share/nmap/scripts/ | wc -l (drop the wc -l to list them by name)

Script Categories

nmap --script=default TARGET
Run default scripts (same as -sC) — safe and informative
nmap --script=vuln TARGET
Run all vulnerability detection scripts — finds CVEs, misconfigs
nmap --script=safe TARGET
Run all scripts marked safe — designed not to crash services, hog bandwidth, or exploit vulnerabilities (not a guarantee of staying under IDS thresholds)
nmap --script="vuln and safe" TARGET
Boolean logic — scripts that are both vuln AND safe

Most Useful Scripts

nmap -p 445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery TARGET
SMB enumeration — shares, users, OS version
nmap -p 80,443 --script=http-enum,http-headers,http-methods,http-title TARGET
HTTP enumeration — directories, headers, allowed methods, page titles
nmap -p 53 --script=dns-zone-transfer --script-args dns-zone-transfer.domain=DOMAIN TARGET
DNS zone transfer attempt
nmap -p 21 --script=ftp-anon,ftp-bounce,ftp-syst TARGET
FTP enumeration — anonymous login, bounce attack, system info
nmap -p 25 --script=smtp-enum-users,smtp-open-relay TARGET
SMTP enumeration — valid users + open relay check
nmap -p 3306 --script=mysql-enum,mysql-info,mysql-empty-password TARGET
MySQL enumeration — info, empty passwords, user enumeration
nmap -p 443 --script=ssl-enum-ciphers,ssl-cert,ssl-heartbleed TARGET
SSL/TLS audit — cipher suites, certificate info, Heartbleed check
nmap --script=smb-vuln-ms17-010 -p 445 TARGET
Check for EternalBlue (MS17-010) — still found in the wild

Script Arguments

nmap --script=http-brute --script-args http-brute.path=/admin,userdb=users.txt,passdb=pass.txt -p 80 TARGET
HTTP brute-force with custom wordlists and target path
nmap --script=http-put --script-args http-put.url=/uploads/shell.php,http-put.file=shell.php -p 80 TARGET
HTTP PUT upload — test if PUT method allows file upload

# Firewall & IDS Evasion

Techniques to bypass firewalls, IDS/IPS, and avoid detection during scans.

nmap -f TARGET
Fragment packets — split into 8-byte fragments to evade packet inspection
nmap --mtu 16 TARGET
Custom MTU — must be a multiple of 8 (16, 24, 32...)
nmap -D RND:10 TARGET
Decoy scan — generate 10 random decoy IPs to hide your real source
nmap -D decoy1,decoy2,decoy3,ME TARGET
Decoy scan with specific IPs — ME marks your position in the list
nmap -S SPOOFED_IP -e eth0 -Pn TARGET
IP spoofing — won't see results but useful with idle scan
nmap -g 53 TARGET
Source port 53 — some firewalls trust traffic from DNS port
nmap --data-length 25 TARGET
Append random data to packets — defeat signatures matching packet size
nmap --scan-delay 5s TARGET
Wait 5 seconds between probes — evade rate-based IDS detection
nmap --badsum TARGET
Send bad checksums — real hosts drop these, firewalls/proxies may respond

# Timing & Performance

Control scan speed. T0-T1 for stealth, T3 is default, T4-T5 for speed.

| Flag | Template | Use case |
|------|----------|----------|
| -T0 | Paranoid | IDS evasion — 5 min between probes |
| -T1 | Sneaky | IDS evasion — 15 sec between probes |
| -T2 | Polite | Reduce bandwidth usage |
| -T3 | Normal | Default — balanced speed |
| -T4 | Aggressive | Fast scans on reliable networks |
| -T5 | Insane | Fastest — may miss ports on slow networks |

nmap -T4 --min-rate=1000 -p- TARGET
Fast full scan — aggressive timing + minimum 1000 packets/sec
nmap --min-parallelism 100 TARGET
At least 100 probes in parallel — speed up scans on large networks
nmap --max-retries 1 TARGET
Maximum 1 retransmission — faster but might miss filtered ports
nmap --host-timeout 30s TARGET
Skip hosts that take more than 30s — useful for large scan ranges

# Output Formats

Save your results. Always use -oA to save all 3 formats at once.

nmap -oN scan.txt TARGET
Normal output — human-readable text file
nmap -oX scan.xml TARGET
XML output — for parsing, importing into tools (Metasploit, etc.)
nmap -oG scan.gnmap TARGET
Grepable output — easy to parse with grep/awk/cut
nmap -oA scan TARGET
All 3 formats at once — creates scan.nmap, scan.xml, scan.gnmap
nmap -oG - TARGET | grep "open" | awk '{print $2}'
One-liner: extract only IPs with open ports from grepable output
nmap -v --reason TARGET
Verbose + reason — show why each port is open/closed/filtered

# Real-World Combos

Copy-paste ready combinations for common pentesting scenarios.

💡 Pro Workflow: Step 1: Fast port discovery. Step 2: Targeted deep scan on open ports only.

Initial Recon (Pentest / OSCP)

nmap -p- --min-rate=1000 -T4 TARGET -oN allports.txt
Step 1: Fast full port scan
nmap -p OPEN_PORTS -sC -sV -oA detailed TARGET
Step 2: Deep scan on discovered ports only (scripts + version)

Web Server Audit

nmap -p 80,443,8080,8443 -sV --script="http-*" TARGET
Full HTTP enumeration — all http-* scripts on web ports

Active Directory / Domain Controller

nmap -p 53,88,135,139,389,445,464,636,3268,3269 -sV -sC TARGET
DC port scan — DNS, Kerberos, RPC, SMB, LDAP, Global Catalog

Vulnerability Scan

nmap -sV --script=vuln -p OPEN_PORTS TARGET -oA vulnscan
Run all vuln scripts on open ports — find CVEs and misconfigurations

Stealthy Scan

nmap -sS -T1 -f -D RND:5 -g 53 --data-length 25 TARGET
Maximum stealth: SYN + slow timing + fragment + decoys + source port 53 + padding

Network Sweep

nmap -sn 10.0.0.0/24 -oG - | grep "Up" | awk '{print $2}' > live_hosts.txt
Discover live hosts and save to file for further scanning
nmap -iL live_hosts.txt -p- --min-rate=1000 -oA full_scan
Full port scan on all discovered live hosts from file
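The two-stage workflow above (fast full-port scan, then -sC -sV on the open ports only), the grepable-output one-liner from Output Formats, and the live-host sweep, as one added shell example that is not part of the original cheatsheet. The function names, the sample .gnmap content, and the assumption that TARGET is an IP address are mine; the nmap flags are the page's own.

```shell
# Added helpers for the two-stage workflow (not from the original page).
# Both parsers read Nmap's grepable (-oG / .gnmap) output, so they can be
# checked on a sample file without running nmap at all.

# Print the IP of every host recorded as "Status: Up" (sweep or port scan).
live_hosts_from_gnmap() {
    awk '/\tStatus: Up/ { print $2 }' "$1"
}

# Print the sorted, comma-separated ports in state "open" for one host
# (given as the IP Nmap prints). A gnmap port entry looks like
#   22/open/tcp//ssh///   (port/state/proto/owner/service/rpc/version/)
open_ports_from_gnmap() {
    awk -F'\t' -v host="$2" '
        index($1, "Host: " host " ") == 1 {
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
                n = split(substr($i, 8), entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print f[1]
                }
            }
        }' "$1" | sort -n -u | paste -s -d ',' -
}

# Stage 1: fast full-port scan saved with -oA; stage 2: -sC -sV on the open
# ports only. Needs nmap on PATH (root for the default -sS); the target must
# be an IP so the gnmap "Host:" line can be matched (assumption).
two_stage_scan() {
    target=$1
    nmap -p- --min-rate=1000 -T4 -oA allports "$target" > /dev/null || return 1
    ports=$(open_ports_from_gnmap allports.gnmap "$target")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    nmap -p "$ports" -sC -sV -oA detailed "$target"
}

# Constructed sample .gnmap (not real scan output): one host with three open
# ports and one closed, a second host that only answered discovery.
SAMPLE_GNMAP=$(mktemp)
printf 'Host: 10.0.0.5 ()\tStatus: Up\n' > "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)\n' >> "$SAMPLE_GNMAP"
printf 'Host: 10.0.0.7 ()\tStatus: Up\n' >> "$SAMPLE_GNMAP"
# Self-check on the sample: two live hosts, and 22,80,8080 open on 10.0.0.5.
live_hosts_from_gnmap "$SAMPLE_GNMAP"
open_ports_from_gnmap "$SAMPLE_GNMAP" 10.0.0.5
```

Run `two_stage_scan 10.0.0.5` after sourcing the file to get allports.* and detailed.* in the current directory.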
