Nmap Cheat Sheet: The Complete Command Reference

Nmap is the standard tool for network discovery and security auditing. Whether you are mapping a small home lab or scanning a class B network, the same core commands apply. This nmap cheat sheet is a structured reference covering the commands and options I use most frequently, organized by task rather than alphabetically. Keep it bookmarked.

Host Discovery with Nmap

Before scanning ports, you need to know which hosts are alive. The default nmap host discovery sends ICMP echo, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp. For this nmap cheat sheet, here are the key discovery options.

Ping scan - host discovery only, no port scan:

nmap -sn 192.168.1.0/24

Skip host discovery and treat all hosts as online:

nmap -Pn 10.0.0.1

Use -Pn when scanning through firewalls that block ICMP. Without it, a host that answers none of the discovery probes is reported as down and its ports are never scanned.

ARP discovery for local networks only - very fast:

nmap -PR 192.168.1.0/24

Port Scanning Techniques

Port scanning is the core function of nmap. The default scan type depends on your privileges - root gets SYN scan, unprivileged users get connect scan.

SYN scan - default for root, fast and stealthy:

nmap -sS 10.0.0.1

TCP connect scan - no root required:

nmap -sT 10.0.0.1

UDP scan - slow but necessary for DNS, SNMP, DHCP:

nmap -sU 10.0.0.1

Scan specific ports:

nmap -p 22,80,443 10.0.0.1

nmap -p 1-1024 10.0.0.1

nmap -p- 10.0.0.1

The -p- form scans all 65535 ports.

Top ports scan - faster than full range:

nmap --top-ports 100 10.0.0.1

Service and Version Detection

Knowing a port is open is only half the story. Service detection tells you what is actually running on that port and what version it is. This is essential for vulnerability assessment and is a key section of any nmap cheat sheet.

Service version detection:

nmap -sV 10.0.0.1

Tune version detection intensity - the scale runs from 0 to 9, the default is 7, and higher values send more probes at the cost of scan time:

nmap -sV --version-intensity 5 10.0.0.1

OS fingerprinting - requires root:

nmap -O 10.0.0.1

Combined service detection, OS detection, scripts, and traceroute:

nmap -A 10.0.0.1

The -A flag is the aggressive option and a solid default for thorough scanning. It enables OS detection, version detection, script scanning, and traceroute in a single pass.

NSE Script Scanning

The Nmap Scripting Engine extends nmap from a port scanner into a full network assessment tool. Scripts are organized into categories: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln.

Run default scripts:

nmap -sC 10.0.0.1

Run a specific script:

nmap --script=http-title 10.0.0.1

Run all vulnerability scripts:

nmap --script=vuln 10.0.0.1

Useful individual scripts worth including in any nmap cheat sheet:

nmap --script=smb-os-discovery 10.0.0.1

nmap --script=dns-brute example.com

nmap --script=http-enum 10.0.0.1

nmap --script=ssl-enum-ciphers -p 443 10.0.0.1

nmap --script=ftp-anon -p 21 10.0.0.1

Timing and Performance

Nmap timing templates control scan speed. Lower numbers are slower and stealthier, higher numbers are faster and noisier.

T0 (paranoid) - IDS evasion, extremely slow
T1 (sneaky) - IDS evasion
T2 (polite) - slower, less bandwidth
T3 (normal) - default
T4 (aggressive) - fast, assumes reliable network
T5 (insane) - fastest, may miss results

For most internal network scanning, T4 is appropriate:

nmap -T4 -A 10.0.0.0/24

For external scanning or when stealth matters, use T2 or T1. For quick sweeps where accuracy is less critical, T5 works but expect some missed ports on congested networks.

Output Formats

Always save your scan results. Nmap supports multiple output formats that can be generated simultaneously.

Normal output - human readable:

nmap -oN scan_results.txt 10.0.0.1

XML output - for tool integration:

nmap -oX scan_results.xml 10.0.0.1

Grepable output - for parsing with grep and awk:

nmap -oG scan_results.gnmap 10.0.0.1

All formats at once:

nmap -oA scan_results 10.0.0.1

The -oA flag is the most practical option. It generates .nmap, .xml, and .gnmap files simultaneously. The XML output integrates with tools like Metasploit, Nessus, and custom scripts.
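Saving grepable output is only useful if something reads it. The following parser is an added example written for this page, not a script from the article or from the Nmap project: it turns -oG output into a per-host structure, lists open ports per live host, finds every host with a given service open, and compares two saved scans to report ports that have opened since a baseline. Both input snapshots are constructed sample lines in the -oG layout, not real scan results, and the function names are this example's own.

```python
import re

# Constructed sample of nmap -oG (grepable) output for a small /29 sweep.
# These lines are made up for the example; they are not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG scan_results.gnmap 10.0.0.0/29
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:10 2024 -- 8 IP addresses (2 hosts up) scanned in 10.12 seconds
"""

# A second constructed snapshot of the same network taken later, used to show
# drift detection: 10.0.0.1 now exposes 8080 and 10.0.0.3 has come up.
SAMPLE_GNMAP_LATER = """\
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/\tIgnored State: closed (999)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

# Host: <ip> (<hostname>)<TAB><tab-separated fields>
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Parse grepable output into {ip: {"hostname", "status", "ports": [...]}}.

    Each Host: line carries tab-separated fields. The Ports: field lists
    entries of the form port/state/proto/owner/service/rpcinfo/version/.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and blanks
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                for spec in value.split(", "):
                    parts = spec.strip().split("/")
                    if len(parts) < 7:
                        continue  # malformed entry: skip it rather than crash
                    entry["ports"].append({
                        "port": int(parts[0]),
                        "state": parts[1],
                        "proto": parts[2],
                        "service": parts[4],
                        "version": parts[6],
                    })
    return hosts


def open_ports(hosts):
    """Map each host reported Up to its open (port, proto, service) tuples."""
    return {
        ip: [(p["port"], p["proto"], p["service"]) for p in h["ports"] if p["state"] == "open"]
        for ip, h in hosts.items()
        if h["status"] == "Up"
    }


def hosts_running(hosts, service):
    """Sorted IPs with the named service open, e.g. every host answering on SMB."""
    return sorted(
        ip for ip, h in hosts.items()
        if any(p["service"] == service and p["state"] == "open" for p in h["ports"])
    )


def new_exposures(baseline, current):
    """Open (ip, port, proto) tuples present in current but absent from baseline.

    Running this between a saved -oG file and a fresh scan surfaces ports that
    opened since the last audit, including on hosts that were down before.
    """
    def exposed(hosts):
        return {(ip, port, proto)
                for ip, ports in open_ports(hosts).items()
                for port, proto, _ in ports}
    return sorted(exposed(current) - exposed(baseline))


if __name__ == "__main__":
    base = parse_gnmap(SAMPLE_GNMAP)
    later = parse_gnmap(SAMPLE_GNMAP_LATER)
    for ip, ports in open_ports(base).items():
        print(ip, ports)
    print("SMB hosts:", hosts_running(base, "microsoft-ds"))
    print("new since baseline:", new_exposures(base, later))
```

Point parse_gnmap at the .gnmap file written by -oA and keep the result of the first audit as the baseline; the new_exposures output is the short list worth a ticket after each re-scan. The XML file from the same -oA run carries the same data in a form that xml.etree can read if a stricter schema is preferred over the tab-and-slash layout.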

Firewall Evasion Techniques

When scanning through firewalls or IDS/IPS systems, these techniques can help avoid detection or bypass filtering.

Fragment packets:

nmap -f 10.0.0.1

Use decoys - mix your IP with decoy IPs:

nmap -D RND:5 10.0.0.1

Spoof source port - some firewalls allow DNS or HTTP source ports through:

nmap --source-port 53 10.0.0.1

Use a specific MTU:

nmap --mtu 24 10.0.0.1

Note: these techniques are for authorized penetration testing and network assessment. Using them against systems you do not own or have permission to scan is illegal in most jurisdictions.

Common Nmap Scan Combinations

These are the commands I find myself running most often. Consider this the practical core of the nmap cheat sheet.

Quick network sweep:

nmap -sn -T4 192.168.1.0/24

Full TCP scan with service detection:

nmap -sS -sV -p- -T4 10.0.0.1

Comprehensive scan - the do everything command:

nmap -A -T4 -p- 10.0.0.1

Quick vulnerability check:

nmap --script=vuln -sV 10.0.0.1

Web server enumeration:

nmap -sV --script=http-enum,http-title,http-methods -p 80,443,8080,8443 10.0.0.1

SMB enumeration for Windows networks:

nmap --script=smb-os-discovery,smb-enum-shares,smb-enum-users -p 445 10.0.0.1

Keep this nmap cheat sheet accessible during engagements. The commands here cover the vast majority of scanning scenarios you will encounter during network assessments, penetration tests, and routine infrastructure auditing. Nmap's documentation is comprehensive, but having the most-used commands in a single reference saves time when it matters.