Nmap Cheat Sheet

Nmap is one of the most popular network mappers in the infosec world. It’s utilized by cybersecurity professionals and newbies alike to audit and discover local and remote open ports, as well as hosts and network information. Here is a quick cheat sheet that you can use while working with Nmap. 

Scanning command syntax

Scanning Command Syntax
nmap [scan types] [options] { specification}

Port Specification options

-Pnmap –p 23 scanning port specific port
-Pnmap –p 23-100 scanning port specific port range
-pnmap -pU:110,T:23-25,443,T-TCP different port types scan
-p-nmap -p- scan for all ports
-pnmap -smtp,https scan from specified protocols
-Fnmap –F port scan for speed up
-P "*"namp -p "*" ftp scan using name
-rnmap -r port scan


Host / discovery

-sLnmap -sLList without scanning
-snnmap -snDisable port scanning
-Pnnmap -PnPort scans only and no host discovery
-PSnmap -PS22-25,80TCP SYN discovery on specified port
-PAnmap -PA22-25,80TCP ACK discovery on specified port
-PUnmap -PU53UDP discovery on specified port
-PR nmap -PRARP discovery within local network
-n nmap -nno DNS resolution


Nmap Port Scan types

-sSnmap -sSTCP SYN port scan
-sTnmap -sTTCP connect port scan
-sAnmap -sATCP ACK port scan
-sUnmap -sUUDP port scan
-Sfnmap -Sf FIN scan
-sXnmap -SX scan
-Sp nmap -Sp scan
-sU nmap -Su scan
-sAnmap -Sa ACK scan
-SLnmap -Sl scan


Nmap Port Selection

nmap IP scan
nmap specific IPs
nmap a range of IPs
nmap xyz.orgscan a domain
nmap using CIDR notation
nmap -iL scan.txtscan from a file
nmap --exclude IP s exclude from scan


Use of NMAP scripts NSE

nmap --script= test script thee listed script against target IP address
nmap --script-update-dbadding new scripts
nmap -sV -sCuse of safe default scripts for scan
nmap --script-help="Test Script"get help for script

Firewall proofing

nmap -f []scan fragment packets
nmap –mtu [MTU] []specify MTU
nmap -sI [zombie] []scan idle zoombie
nmap –source-port [port] []manual source port - specify
nmap –data-length [size] []randomly append data
nmap –randomize-hosts [] scan order randomization
nmap –badsum []bad checksum


NMAP output formats

Default/normal outputnmap -oN scan.txt
XMLnmap -oX scanr.xml
Grepable formatsnmap -oG grep.txt
All formatsnmap -oA

Scan options

nmap -sP scan only
nmap -PU ping scan
nmap -PE echo ping
nmap -PO protocol ping
nmap -PR ping
nmap -Pn without pinging
nmap –traceroute

NMAP Timing options

nmap -T0 scan
nmap -T1 scan to avoid IDS
nmap -T2 scan
nmap -T3 scan timer
nmap -T4 scan
nmap -T5 aggressive scan


September 20, 2019
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013