Nmap Scanning Cheatsheet

Complete nmap command reference for host discovery, port scanning, service enumeration, OS detection, NSE scripts, and IDS evasion. (46 payloads)

Host Discovery

(6)

nmap -sn 192.168.1.0/24

Ping sweep — discover live hosts without port scanning

nmap -sn -PE -PP -PM 192.168.1.0/24

ICMP echo, timestamp, and netmask ping sweep

nmap -Pn 10.10.10.10

Skip host discovery — treat target as online (useful when ICMP is blocked)

nmap -PS22,80,443 192.168.1.0/24

TCP SYN ping on specific ports

nmap -PA80,443 192.168.1.0/24

TCP ACK ping — good for bypassing stateful firewalls

nmap -sn --dns-servers 8.8.8.8 192.168.1.0/24

Ping sweep using specific DNS server

Port Scanning

(10)

nmap -sS 10.10.10.10

SYN (stealth) scan — default when run as root, half-open connection

nmap -sT 10.10.10.10

TCP connect scan — full connection, no root required

nmap -sU -p 53,161,500 10.10.10.10

UDP scan on common ports (DNS, SNMP, IKE)

nmap -sA 10.10.10.10

ACK scan — map firewall rules, determine filtered vs unfiltered

nmap -p- 10.10.10.10

Scan all 65535 ports

nmap -p 22,80,443,8080,8443 10.10.10.10

Scan specific ports

nmap --top-ports 100 10.10.10.10

Scan top 100 most common ports

nmap -sN 10.10.10.10

Null scan — no flags set, may bypass some firewalls

nmap -sF 10.10.10.10

FIN scan — FIN flag only, may bypass stateless packet filters

nmap -sX 10.10.10.10

Xmas scan — FIN, PSH, URG flags set

Service & Version Detection

(5)

nmap -sV 10.10.10.10

Service/version detection on open ports

nmap -sV --version-intensity 9 10.10.10.10

Aggressive version detection (0-9 scale, higher = more probes)

nmap -O 10.10.10.10

OS detection (requires root)

nmap -A 10.10.10.10

Aggressive scan: OS, version, scripts, traceroute (-O -sV -sC --traceroute)

nmap -sV -sC 10.10.10.10

Service version + default NSE scripts

NSE Scripts

(8)

nmap --script vuln 10.10.10.10

Run all vulnerability detection scripts

nmap --script default 10.10.10.10

Run default script set (same as -sC)

nmap --script safe 10.10.10.10

Run safe scripts only — minimal impact on target

nmap --script auth 10.10.10.10

Check for default/weak credentials across services

nmap --script http-enum 10.10.10.10

Enumerate web server directories and files

nmap --script smb-vuln-ms17-010 -p 445 10.10.10.10

Check for EternalBlue (MS17-010) — WannaCry vulnerability

nmap --script ssl-heartbleed -p 443 10.10.10.10

Check for Heartbleed vulnerability

nmap --script=http-title -p 80,443,8080,8443 192.168.1.0/24

Grab HTTP page titles across subnet

Timing & Performance

(6)

nmap -T0 10.10.10.10

Paranoid — very slow, IDS evasion

nmap -T1 10.10.10.10

Sneaky — slow, IDS evasion

nmap -T3 10.10.10.10

Normal — default timing

nmap -T4 10.10.10.10

Aggressive — fast, assumes reliable network

nmap -T5 10.10.10.10

Insane — very fast, may miss ports on unreliable networks

nmap --min-rate 1000 -p- 10.10.10.10

Minimum 1000 packets/sec — fast full port scan

IDS Evasion

(6)

nmap -D RND:10 10.10.10.10

Decoy scan — 10 random decoys mask the real scanner IP

nmap -D 192.168.1.100,192.168.1.101,ME 10.10.10.10

Decoy scan with specific decoy IPs

nmap -f 10.10.10.10

Fragment packets — may bypass simple packet filters

nmap --source-port 53 10.10.10.10

Spoof source port 53 (DNS) — may bypass firewalls allowing DNS traffic

nmap --randomize-hosts 192.168.1.0/24

Randomize host scanning order — reduces detection signatures

nmap -sI zombie_host 10.10.10.10

Idle/zombie scan — completely blind, uses zombie host IP

Output

(5)

nmap -oN output.txt 10.10.10.10

Normal output to file

nmap -oX output.xml 10.10.10.10

XML output (parseable by Metasploit, etc.)

nmap -oG output.gnmap 10.10.10.10

Grepable output

nmap -oA output 10.10.10.10

All formats simultaneously (.nmap, .xml, .gnmap)

nmap -v 10.10.10.10

Verbose output — see progress in real time

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Reverse Shell

Related Cheat Sheets

Linux Privilege Escalation Cheat Sheet Post-Exploitation Cheat Sheet Active Directory & Kerberos Cheat Sheet

$loading...