Back to all tools

Nmap Cheatsheet

Network discovery and security auditing tool.

Star on GitHub Follow on X Connect on LinkedIn Join Discord

## Scanning Techniques & Types

## Basic Scanning Techniques

Command	Description
`nmap 192.168.1.1`	Scan a single IP.
`nmap 192.168.1.1 192.168.2.1`	Scan multiple IPs.
`nmap 192.168.1.1-254`	Scan a range of hosts (1.1 to 1.254).
`nmap domiso.com`	Scan a domain.
`nmap 192.168.1.0/24`	Scan an entire subnet (Class C network, 192.168.1.0 to 192.168.1.255).
`nmap -iL targets.txt`	Scan multiple targets listed in a file (`targets.txt`).
`nmap -iR 100`	Scan 100 random hosts.
`nmap --exclude 192.168.1.1`	Exclude a specific host from the scan (192.168.1.1 in this case).
`nmap -A 192.168.1.1`	Perform an aggressive scan that includes OS detection, version detection, script scanning, and traceroute.
`nmap -6 target`	Scan an IPv6 address (example).

## Scanning Types

Syntax	Command	Description
`-sS`	`nmap -sS 192.168.1.1`	TCP SYN Scan - Stealthy, doesn’t complete the handshake.
`-sT`	`nmap -sT 192.168.1.1`	TCP Connect Scan - Completes the handshake.
`-sA`	`nmap -sA 192.168.1.1`	TCP ACK Scan - Maps firewalls, no connection.
`-sU`	`nmap -sU 192.168.1.1`	UDP Scan - Scans UDP ports.
`-Sf`	`nmap -Sf 192.168.1.1`	TCP SYN FIN Scan - Stealthy, bypasses some firewalls.
`-sX`	`nmap -sX 192.168.1.1`	TCP Xmas Scan - Flags used to evade detection.
`-Sp`	`nmap -Sp 192.168.1.1`	Ping Scan - Checks if host is online.
`-SL`	`nmap -SL 192.168.1.1`	TCP Maimon Scan - Uses FIN, PSH, ACK flags.
`-sW`	`nmap -sW 192.168.1.1`	TCP Window Scan - Detects ports using window size.
`-sM`	`nmap -sM 192.168.1.1`	TCP Maimon Scan - Similar to Xmas with different flags.

## Discovery and Enumeration

## Host Discovery

Syntax	Command	Description
`-sL`	`nmap -sL 192.168.1.1`	List Scan - Lists targets only.
`-sn`	`nmap -sn 192.168.1.1`	Ping Scan - Checks if hosts are up.
`-Pn`	`nmap -Pn 192.168.1.1`	No Ping - Skips host discovery.
`-PS`	`nmap -PS 192.168.1.1`	TCP SYN Ping - Sends SYN to check if up.
`-PA`	`nmap -PA 192.168.1.1`	TCP ACK Ping - Sends ACK to check if up.
`-PU`	`nmap -PU 192.168.1.1`	UDP Ping - Sends UDP to check if up.
`-PR`	`nmap -PR 192.168.1.1`	ARP Ping - ARP request for local networks.
`-n`	`nmap -n 192.168.1.1`	No DNS - Disables DNS resolution.
`-sP`	`nmap -sP 192.168.1.1`	Ping Scan - Same as `-sn`, checks online.
`-PN`	`nmap -PN 192.168.1.1`	No Host Discovery - Assumes host is up.
`-PY`	`nmap -PY 192.168.1.1`	SCTP Ping - Checks with SCTP INIT.
`-PE`	`nmap -PE 192.168.1.1`	ICMP Echo Ping - Sends ICMP Echo to check if up.
`-PP`	`nmap -PP 192.168.1.1`	ICMP Timestamp Ping - Uses ICMP Timestamp.
`-PM`	`nmap -PM 192.168.1.1`	ICMP Mask Ping - Uses ICMP Mask request.
`-PO`	`nmap -PO 192.168.1.1`	IP Protocol Ping - Checks with IP protocol.
`--traceroute`	`nmap --traceroute 192.168.1.1`	Traceroute - Traces the path to the target.
`-R`	`nmap -R 192.168.1.1`	DNS Resolution - Forces reverse DNS lookup.

## Port Specification

Syntax	Command	Description
`-p`	`nmap -p 192.168.1.1`	Port Scan - Scans the specified ports.
`-p 21-100`	`nmap -p 21-100 192.168.1.1`	Range of Ports - Scans ports 21 to 100.
`-p U:53,T:21-25,80`	`nmap -p U:53,T:21-25,80 192.168.1.1`	UDP and TCP Ports - Scans specific UDP and TCP ports.
`-p-`	`nmap -p- 192.168.1.1`	All Ports - Scans all 65535 ports.
`-p http,https,smtp`	`nmap -p http,https,smtp 192.168.1.1`	Service Ports - Scans ports for specific services.
`-F`	`nmap -F 192.168.1.1`	Fast Scan - Scans fewer ports quickly.
`-p- 65535`	`nmap -p- 65535 192.168.1.1`	All Ports (65535) - Scans all 65535 ports.
`-p0`	`nmap -p0 192.168.1.1`	Zero Port Scan - Invalid, error if used.
`-r`	`nmap -r 192.168.1.1`	Scan Ports in Order - Scans ports sequentially.
`-p "*" ftp`	`nmap -p "*" ftp 192.168.1.1`	Wildcard Port Scan - Invalid syntax, use specific ports.

## Service and Version Detection

Syntax	Command	Description
`-sV`	`nmap -sV 192.168.1.1`	Service Version Detection - Detects service versions.
`-sV --version-intensity`	`nmap -sV --version-intensity 5 192.168.1.1`	Version Intensity - Adjusts version scan intensity.
`-sV --version-all`	`nmap -sV --version-all 192.168.1.1`	All Version Detection - Tries all possible probes for version info.
`-A`	`nmap -A 192.168.1.1`	Aggressive Scan - Enables OS, version, script scanning, and traceroute.

## OS Detection

Syntax	Command	Description
`-O`	`nmap -O 192.168.1.1`	OS Detection - Tries to identify the OS.
`-O --osscan-limit`	`nmap -O --osscan-limit 192.168.1.1`	Limit OS Scan - Limits OS scan to a smaller set of tests.
`-O --osscan-guess`	`nmap -O --osscan-guess 192.168.1.1`	OS Scan Guess - Makes a guess when OS detection is uncertain.
`-O --max-os-tries`	`nmap -O --max-os-tries 3 192.168.1.1`	Max OS Tries - Limits the number of attempts for OS detection.
`-A`	`nmap -A 192.168.1.1`	Aggressive Scan - Includes OS, version, script scanning, and traceroute.

## Output and Reporting

## Output Options

Syntax	Command	Description
`-oN`	`nmap -oN output.txt 192.168.1.1`	Normal Output - Saves results in a human-readable format.
`-oX`	`nmap -oX output.xml 192.168.1.1`	XML Output - Saves results in XML format.
`-oG`	`nmap -oG output.gnmap 192.168.1.1`	Grepable Output - Saves results in a format suitable for grep.
`-oA`	`nmap -oA output 192.168.1.1`	All Output - Saves results in Normal, XML, and Grepable formats.
`--append-output`	`nmap --append-output -oN output.txt 192.168.1.1`