Nmap Cheat Sheet

Nmap is one of the most popular network mappers in the infosec world. It’s utilized by cybersecurity professionals and newbies alike to audit and discover local and remote open ports, as well as hosts and network information. Here is a quick cheat sheet that you can use while working with Nmap. 

Scanning command syntax

nmap [scan types] [options] {target specification}

Port specification options

Switch   Example                      Description
-p       nmap -p 23                   Scan a single port
-p       nmap -p 23-100               Scan a port range
-p       nmap -pU:110,T:23-25,443     Scan mixed port types (U = UDP, T = TCP)
-p-      nmap -p-                     Scan all ports
-p       nmap -p smtp,https           Scan ports by service name
-F       nmap -F                      Fast scan: fewer ports than the default
-p "*"   nmap -p "ftp*"               Scan ports whose service name matches a wildcard
-r       nmap -r                      Scan ports sequentially instead of in random order


Host discovery

Switch   Example              Description
-sL      nmap -sL             List scan: list targets without scanning them
-sn      nmap -sn             Ping scan: host discovery only, no port scan
-Pn      nmap -Pn             Skip host discovery; port scan every target
-PS      nmap -PS22-25,80     TCP SYN discovery on the specified ports
-PA      nmap -PA22-25,80     TCP ACK discovery on the specified ports
-PU      nmap -PU53           UDP discovery on the specified port
-PR      nmap -PR             ARP discovery on the local network
-n       nmap -n              No DNS resolution


Nmap port scan types

Switch   Example       Description
-sS      nmap -sS      TCP SYN port scan
-sT      nmap -sT      TCP connect port scan
-sA      nmap -sA      TCP ACK port scan
-sU      nmap -sU      UDP port scan
-sF      nmap -sF      TCP FIN scan
-sX      nmap -sX      Xmas scan
-sP      nmap -sP      Ping scan (older alias of -sn)
-sL      nmap -sL      List scan


Nmap target selection

nmap [ip]                       Scan a single IP
nmap [ip1] [ip2]                Scan specific IPs
nmap [ip-range]                 Scan a range of IPs
nmap xyz.org                    Scan a domain
nmap [ip]/[prefix]              Scan a network in CIDR notation
nmap -iL scan.txt               Scan targets listed in a file
nmap --exclude [ip] [target]    Exclude the specified IPs from the scan


Using Nmap scripts (NSE)

nmap --script=[script] [target]     Run the listed script(s) against the target
nmap --script-updatedb              Update the script database after adding new scripts
nmap -sV -sC [target]               Version detection plus the default script set
nmap --script-help=[script]         Show help for a script

Firewall / IDS evasion

nmap -f [target]                       Fragment packets
nmap --mtu [MTU] [target]              Use a specific MTU
nmap -sI [zombie] [target]             Idle (zombie) scan
nmap --source-port [port] [target]     Use a specific source port
nmap --data-length [size] [target]     Append random data to sent packets
nmap --randomize-hosts [target]        Randomize target host order
nmap --badsum [target]                 Send packets with a bad checksum


Nmap output formats

Normal output        nmap -oN scan.txt
XML                  nmap -oX scan.xml
Grepable             nmap -oG grep.txt
All three at once    nmap -oA [basename]
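As an added example (not part of the original cheat sheet), a small Python parser for the grepable (-oG) output listed above: it extracts the open ports per host and flags any that are not on an expected-services baseline, which is how a defender turns a routine scan into a drift check. The sample output and the EXPECTED baseline are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG grep.txt` output (not a real scan).
# Host lines are tab-separated "Key: value" fields, e.g. "Host: <ip> (<name>)<TAB>Ports: ...",
# and each port entry is port/state/proto/owner/service/rpcinfo/version/
SAMPLE_OG = """# Nmap 7.80 scan initiated Fri Sep 20 10:00:00 2019 as: nmap -sV -oG grep.txt 10.0.0.0/29
Host: 10.0.0.1 (gw.lab.internal)\tStatus: Up
Host: 10.0.0.1 (gw.lab.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/\tIgnored State: closed (998)
Host: 10.0.0.5 (files.lab.internal)\tStatus: Up
Host: 10.0.0.5 (files.lab.internal)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
# Nmap done at Fri Sep 20 10:02:11 2019 -- 8 IP addresses (2 hosts up) scanned in 131.04 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(")

def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.
    Comment lines and Status-only host lines carry no port data and are skipped."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        # Split the tab-separated "Key: value" fields; only Ports is needed here.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue  # malformed entry: leave it out rather than guess
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts[m.group(1)].append((int(port), proto, state, service, version))
    return dict(hosts)

# Constructed baseline of (ip, proto, port) tuples expected to be open.
EXPECTED = {("10.0.0.1", "tcp", 22), ("10.0.0.1", "tcp", 443), ("10.0.0.5", "tcp", 445)}

def unexpected_open_ports(hosts, expected):
    """Open or open|filtered ports missing from the baseline, sorted for stable diffs."""
    findings = []
    for ip, entries in hosts.items():
        for port, proto, state, service, _version in entries:
            if state.startswith("open") and (ip, proto, port) not in expected:
                findings.append((ip, proto, port, service))
    return sorted(findings)
```

Run it against a real file with `unexpected_open_ports(parse_grepable(open("grep.txt").read()), EXPECTED)`; on the sample above it reports the RDP and SNMP ports on 10.0.0.5 as not in the baseline.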

Scan options

Syntax              Description
nmap -sP            Ping scan only
nmap -PU            UDP ping
nmap -PE            ICMP echo ping
nmap -PO            IP protocol ping
nmap -PR            ARP ping
nmap -Pn            Scan without pinging (skip host discovery)
nmap --traceroute   Trace the route to each host

Nmap timing options

Syntax       Description
nmap -T0     Paranoid: slowest scan
nmap -T1     Sneaky: slow scan intended to avoid IDS alerts
nmap -T2     Polite: slow scan
nmap -T3     Normal: the default timing
nmap -T4     Aggressive: fast scan
nmap -T5     Insane: very aggressive, fastest scan


September 20, 2019
