Nmap Cheat Sheet
Network mapper for host discovery, port scanning, service/version detection, and NSE scripting.
Overview
Nmap discovers live hosts, open ports, running services, OS fingerprints, and runs the Nmap Scripting Engine (NSE) for vulnerability checks and protocol-specific enumeration. It is the default first-pass scanner in most internal and external assessments.
Authorized testing only. Scan only networks and hosts within your engagement scope and rules of engagement. Aggressive scans can disrupt services and trigger IDS/IPS.
Install
Debian/Ubuntu/Kali
```shell
sudo apt update && sudo apt install -y nmap
```
macOS
```shell
brew install nmap
```
Verify
```shell
nmap --version
```
Essential commands
Ping sweep (no port scan)
```shell
nmap -sn 10.10.10.0/24
```
Top 1000 TCP ports, default scripts
```shell
nmap -sC -sV -oA nmap_initial 10.10.10.5
```
All TCP ports (slower)
```shell
nmap -p- --min-rate 1000 -oA nmap_alltcp 10.10.10.5
```
UDP top ports
```shell
sudo nmap -sU --top-ports 100 -sV 10.10.10.5
```
Single port / service check
```shell
nmap -sV -p 445 10.10.10.5
```
Quick one-liners
Find live hosts on a /24 without port scan
```shell
nmap -sn 10.10.10.0/24
```
-sn skips port scanning and does host discovery only (ARP on the local subnet; ICMP and TCP probes for remote ranges). Faster and quieter than a full scan. Replace the CIDR with your lab range.
Fast service scan on one host (scripts + versions)
```shell
nmap -sC -sV -oA quick 10.10.10.5
```
-sC runs the default NSE script set (--script=default); -sV fingerprints services. -oA writes .nmap, .xml, and .gnmap files with basename quick.
Scan all TCP ports quickly
```shell
nmap -p- --min-rate 5000 -oA alltcp 10.10.10.5
```
Enumerate SMB shares and users
```shell
nmap -p 445 --script smb-enum-shares,smb-enum-users 10.10.10.5
```
Treat host as up when ICMP is blocked
```shell
sudo nmap -Pn -sS -sV 10.10.10.5
```
-sS is a raw SYN scan and needs root (or CAP_NET_RAW); without privileges drop it and nmap falls back to a connect scan (-sT).
Common workflows
External / quick triage
```shell
sudo nmap -Pn -sS -sC -sV --open -oA ext_quick target.example.com
```
Full TCP then targeted scripts
```shell
nmap -p- --min-rate 5000 -oA fulltcp 10.10.10.5
nmap -sC -sV -p 22,80,443,3306,8080 -oA scripts 10.10.10.5
```
Take the port list for the second command from the open ports the first one found.
SMB / Windows enumeration (NSE)
```shell
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery 10.10.10.5
nmap -p 445 --script "smb-vuln*" 10.10.10.5
```
Quote the wildcard so the shell passes it to nmap unexpanded.
Vulnerability-oriented NSE
```shell
nmap -sV --script vuln -oA nmap_vuln 10.10.10.5
nmap -p 80,443 --script http-enum,http-headers,http-title target.example.com
```
Through proxy / decoy (when RoE allows)
```shell
nmap -sS -Pn --proxies socks4://127.0.0.1:9050 target.example.com
```
Caveat: --proxies is implemented in nmap's nsock library, so it applies only to NSE scripts and version detection (-sV). Host discovery, the port scan itself (including a raw -sS scan) and OS detection still leave your host directly; confirm with a packet capture before relying on it.
Flags reference
| Flag | Description |
|---|---|
| -sn | Host discovery only (no port scan). Ping/ARP discovery, no port probes. Faster and quieter; use to map live hosts before a full scan. |
| -Pn | Treat host as up (skip host discovery). Skips the discovery phase when firewalls block ICMP. Required for many external targets that drop ping. |
| -sS | SYN stealth scan (requires root). Half-open TCP scan; needs root or CAP_NET_RAW. Default choice on Linux when you have privileges. |
| -sT | Connect scan (no root) |
| -sU | UDP scan |
| -sV | Service/version detection |
| -sC | Default safe scripts (--script=default) |
| -p | Ports (-p- = all 65535). -p 22,80,443 for a list; -p- scans every TCP port (slow). Pair with --min-rate on CTF/lab ranges. |
| -O | OS detection |
| -A | Aggressive: OS, version, scripts, traceroute |
| -oA | Output all formats with basename |
| -oN / -oX / -oG | Normal / XML / grepable |
| --open | Show only open ports |
| --min-rate | Minimum packet send rate |
| --script | Run NSE scripts or categories |
| -iL | Input list of targets |
| -6 | IPv6 |
Tips
- Save with -oA early; XML feeds tools like xsltproc, Metasploit, and reporting pipelines.
- UDP scans are slow and often need sudo; prioritize ports suggested by TCP services.
- -sC runs scripts that can be noisy or intrusive on some services; confirm with the client before scanning production.
- Combine with masscan/rustscan for fast port discovery, then nmap -p <ports> -sC -sV for depth.
- Tune --min-rate and --max-retries on large ranges to balance speed vs. accuracy.
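The XML that -oA writes is what most pipelines consume. The following is an added example, not part of this cheat sheet or of nmap itself: a standard-library Python script that parses nmap XML into an open-port inventory, produces the comma-separated port list for the targeted -sC -sV pass that follows a -p- scan (the "Full TCP then targeted scripts" workflow above), and diffs a baseline scan against a newer one so that newly exposed ports show up as findings rather than being read off by hand. The two XML documents embedded below are constructed for the example in the shape of real `nmap -sV -oX` output; the host, ports and version strings are made up.

```python
"""Turn Nmap XML output (-oX, or the .xml from -oA) into an open-port inventory,
build the -p list for a targeted follow-up scan, and diff two scans to spot
newly exposed ports. Standard library only (added example, not nmap's own code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample documents shaped like real `nmap -sV -oX` output.
# Host, ports and versions are made up for this example.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.10.10.5" version="7.94">
 <host><status state="up" reason="syn-ack"/>
  <address addr="10.10.10.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="nginx" version="1.18.0"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/></port>
  </ports></host></nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.10.10.5" version="7.94">
 <host><status state="up" reason="syn-ack"/>
  <address addr="10.10.10.5" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
   <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
   <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
    <service name="mysql" product="MySQL" version="8.0.33"/></port>
   <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
    <service name="http-proxy"/></port>
  </ports></host></nmaprun>"""


@dataclass(frozen=True, order=True)
class OpenPort:
    host: str
    proto: str
    port: int
    service: str = ""
    product: str = ""


def parse_open_ports(xml_text: str) -> list[OpenPort]:
    """Return every open port of every host that nmap marked as up."""
    root = ET.fromstring(xml_text)
    found: list[OpenPort] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        # Prefer the IPv4 address element; fall back to any address element.
        # Explicit None checks: an Element without children is falsy, so `or` is unsafe.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered; only open ports are exposure
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            found.append(OpenPort(addr, port.get("protocol", "tcp"),
                                  int(port.get("portid", "0")), name, product))
    return found


def port_list(ports: list[OpenPort], host: str | None = None, proto: str = "tcp") -> str:
    """Comma-separated list for `nmap -p`, i.e. the targeted -sC -sV pass after -p-."""
    selected = sorted({p.port for p in ports
                       if p.proto == proto and (host is None or p.host == host)})
    return ",".join(str(p) for p in selected)


def diff_scans(baseline: list[OpenPort], current: list[OpenPort]):
    """(newly open, no longer open) as sorted (host, proto, port) tuples.
    Service text is ignored, so a version bump alone is not reported as a change."""
    def key(p: OpenPort):
        return (p.host, p.proto, p.port)
    base, cur = {key(p) for p in baseline}, {key(p) for p in current}
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    before, after = parse_open_ports(BASELINE_XML), parse_open_ports(CURRENT_XML)
    print("follow-up scan ports:", port_list(after))
    opened, closed = diff_scans(before, after)
    for h, proto, port in opened:
        print(f"NEW  {h} {port}/{proto}")
    for h, proto, port in closed:
        print(f"GONE {h} {port}/{proto}")
```

For real scans, replace the embedded strings with `open("fulltcp.xml").read()` and the like. Keeping the baseline XML under version control and running the diff after each periodic scan turns nmap into a cheap exposure-drift check; the diff key deliberately excludes service banners so only changes in which ports answer are flagged.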