# nmap — Scan and Analyse Networks

> Practical guide to nmap — discover hosts, scan ports, detect services and operating systems, and find security issues on networks you are authorised to test.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/nmap/

<!-- PROSE:intro -->
nmap is the go-to tool for network inventory and security auditing: scan individual hosts or entire subnets, discover open ports and running services, fingerprint operating systems, and run Nmap Scripting Engine checks for known vulnerabilities – all from a single command. This cheat sheet covers the options you need daily, from a quick ping sweep to a comprehensive audit scan, always on systems you are authorised to test.
<!-- PROSE:intro:end -->

## Basic Scans

`nmap TARGET` — Scan the 1000 most common ports on a target host. TARGET can be an IP, hostname, or CIDR range.

```bash
nmap 192.168.1.1
```

`nmap HOST1 HOST2 HOST3` — Scan multiple hosts separated by spaces.

```bash
nmap 192.168.1.1 192.168.1.2 192.168.1.3
```

`nmap NETWORK/CIDR` — Scan an entire subnet.

```bash
nmap 192.168.1.0/24
```

`nmap START-END` — Scan a range of IP addresses.

```bash
nmap 192.168.1.1-50
```

`nmap -iL FILE` — Read targets from a file (one per line).

```bash
nmap -iL targets.txt
```

`nmap --exclude HOST1,HOST2` — Exclude specific hosts from a scan.

```bash
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
```

`nmap --excludefile FILE` — Exclude hosts listed in a file.

```bash
nmap 192.168.1.0/24 --excludefile exclude.txt
```

`nmap -6 TARGET` — Scan an IPv6 target.

```bash
nmap -6 2001:db8::1
```

## Host Discovery

`nmap -sn NETWORK/CIDR` — Ping scan only — discover live hosts without port scanning.

```bash
nmap -sn 192.168.1.0/24
```

`nmap -Pn TARGET` — Skip host discovery. Treat all hosts as online. Useful when ICMP is blocked.

```bash
nmap -Pn 192.168.1.1
```

`nmap -PS PORT(S) TARGET` — TCP SYN discovery on specified ports.

```bash
nmap -PS22,80,443 192.168.1.0/24
```

`nmap -PA PORT(S) TARGET` — TCP ACK discovery on specified ports.

```bash
nmap -PA80,443 192.168.1.0/24
```

`nmap -PU PORT(S) TARGET` — UDP discovery on specified ports.

```bash
nmap -PU53,161 192.168.1.0/24
```

`nmap -PE TARGET` — ICMP echo request discovery (traditional ping).

```bash
nmap -PE 192.168.1.0/24
```

`nmap -PP TARGET` — ICMP timestamp request discovery.

```bash
nmap -PP 192.168.1.0/24
```

`nmap -PM TARGET` — ICMP address mask request discovery.

```bash
nmap -PM 192.168.1.0/24
```

`nmap -PR TARGET` — ARP discovery on local network. Fast and reliable on LAN.

```bash
nmap -PR 192.168.1.0/24
```

`nmap -sn -n NETWORK/CIDR` — Fast ping sweep without DNS resolution.

```bash
nmap -sn -n 10.0.0.0/24
```

## Port Specification

`nmap -p PORT TARGET` — Scan a specific port.

```bash
nmap -p 80 192.168.1.1
```

`nmap -p PORT1,PORT2,PORT3 TARGET` — Scan a list of specific ports.

```bash
nmap -p 22,80,443,8080 192.168.1.1
```

`nmap -p START-END TARGET` — Scan a range of ports.

```bash
nmap -p 1-1024 192.168.1.1
```

`nmap -p- TARGET` — Scan all 65535 ports.

```bash
nmap -p- 192.168.1.1
```

`nmap -p U:PORT,T:PORT TARGET` — Specify UDP (U:) and TCP (T:) ports separately.

```bash
nmap -p U:53,161,T:22,80,443 192.168.1.1
```

`nmap --top-ports N TARGET` — Scan the N most common ports.

```bash
nmap --top-ports 100 192.168.1.1
```

`nmap -F TARGET` — Fast scan — only the 100 most common ports (instead of 1000).

```bash
nmap -F 192.168.1.0/24
```

`nmap -r TARGET` — Scan ports sequentially instead of randomized order.

```bash
nmap -r -p 1-1024 192.168.1.1
```

## Scan Techniques

`nmap -sS TARGET` — TCP SYN scan (stealth/half-open). Default for privileged users. Fast and reliable.

```bash
sudo nmap -sS 192.168.1.1
```

`nmap -sT TARGET` — TCP connect scan. Uses full TCP handshake. Default for unprivileged users.

```bash
nmap -sT 192.168.1.1
```

`nmap -sU TARGET` — UDP scan. Slower than TCP scans, but essential for finding UDP services.

```bash
sudo nmap -sU -p 53,67,68,123,161,500 192.168.1.1
```

`nmap -sA TARGET` — TCP ACK scan. Used to map firewall rulesets and determine filtered/unfiltered ports.

```bash
sudo nmap -sA 192.168.1.1
```

`nmap -sW TARGET` — TCP Window scan. Like the ACK scan, but examines the TCP window size of the RST packets that come back, which on some systems reveals whether a port is open or closed.

```bash
sudo nmap -sW 192.168.1.1
```

`nmap -sN TARGET` — TCP Null scan. Sends packets with no TCP flags set.

```bash
sudo nmap -sN 192.168.1.1
```

`nmap -sF TARGET` — TCP FIN scan. Sends packets with only the FIN flag.

```bash
sudo nmap -sF 192.168.1.1
```

`nmap -sX TARGET` — TCP Xmas scan. Sends packets with FIN, PSH, and URG flags set.

```bash
sudo nmap -sX 192.168.1.1
```

`nmap -sM TARGET` — TCP Maimon scan. Sends FIN/ACK probe. Works on some BSD-derived systems.

```bash
sudo nmap -sM 192.168.1.1
```

`nmap -sO TARGET` — IP protocol scan. Determines which IP protocols are supported.

```bash
sudo nmap -sO 192.168.1.1
```

`nmap -sS -sU TARGET` — Combined TCP SYN and UDP scan for comprehensive results.

```bash
sudo nmap -sS -sU -p T:22,80,443,U:53,161 192.168.1.1
```

## Service & Version Detection

`nmap -sV TARGET` — Probe open ports to determine service name and version.

```bash
nmap -sV 192.168.1.1
```

`nmap -sV --version-intensity N TARGET` — Set version detection intensity (0=light, 9=all probes). Default: 7.

```bash
nmap -sV --version-intensity 5 192.168.1.1
```

`nmap -sV --version-light TARGET` — Light version scan (intensity 2). Faster but less accurate.

```bash
nmap -sV --version-light 192.168.1.1
```

`nmap -sV --version-all TARGET` — Try every single probe for version detection (intensity 9).

```bash
nmap -sV --version-all 192.168.1.1
```

`nmap -A TARGET` — Aggressive scan. Enables OS detection, version detection, script scanning, and traceroute.

```bash
sudo nmap -A 192.168.1.1
```

`nmap -sC TARGET` — Run default NSE scripts. Equivalent to --script=default.

```bash
nmap -sC 192.168.1.1
```

`nmap -sV -sC TARGET` — Version detection combined with default scripts. A common combination.

```bash
nmap -sV -sC 192.168.1.1
```

## OS Detection

`nmap -O TARGET` — Enable OS detection using TCP/IP stack fingerprinting.

```bash
sudo nmap -O 192.168.1.1
```

`nmap -O --osscan-limit TARGET` — Only attempt OS detection if at least one open and one closed TCP port is found.

```bash
sudo nmap -O --osscan-limit 192.168.1.0/24
```

`nmap -O --osscan-guess TARGET` — Guess OS more aggressively when detection is uncertain.

```bash
sudo nmap -O --osscan-guess 192.168.1.1
```

`nmap -O --max-os-tries N TARGET` — Limit the number of OS detection attempts (default: 5).

```bash
sudo nmap -O --max-os-tries 2 192.168.1.1
```

## Timing & Performance

`nmap -T0 TARGET` — Paranoid timing. Extremely slow, for IDS evasion. Serial scan, 5 min between probes.

```bash
nmap -T0 192.168.1.1
```

`nmap -T1 TARGET` — Sneaky timing. Slow, 15 seconds between probes.

```bash
nmap -T1 192.168.1.1
```

`nmap -T2 TARGET` — Polite timing. Slows scan to use less bandwidth. 0.4 seconds between probes.

```bash
nmap -T2 192.168.1.1
```

`nmap -T3 TARGET` — Normal timing. The default. Balances speed and accuracy.

```bash
nmap -T3 192.168.1.1
```

`nmap -T4 TARGET` — Aggressive timing. Faster, assumes a reasonably fast and reliable network.

```bash
nmap -T4 192.168.1.1
```

`nmap -T5 TARGET` — Insane timing. Very fast but may sacrifice accuracy. Can overwhelm targets.

```bash
nmap -T5 192.168.1.1
```

`nmap --min-rate N TARGET` — Send at least N packets per second.

```bash
nmap --min-rate 1000 192.168.1.0/24
```

`nmap --max-rate N TARGET` — Send at most N packets per second.

```bash
nmap --max-rate 100 192.168.1.1
```

`nmap --min-parallelism N TARGET` — Set minimum number of parallel probes.

```bash
nmap --min-parallelism 10 192.168.1.0/24
```

`nmap --max-retries N TARGET` — Limit the number of port scan probe retransmissions.

```bash
nmap --max-retries 2 192.168.1.1
```

`nmap --host-timeout TIME TARGET` — Give up on a target after this time (e.g., 30s, 5m, 1h).

```bash
nmap --host-timeout 5m 192.168.1.0/24
```

`nmap --scan-delay TIME TARGET` — Wait at least TIME between probes.

```bash
nmap --scan-delay 1s 192.168.1.1
```

## NSE Scripts (Nmap Scripting Engine)

`nmap --script SCRIPT TARGET` — Run a specific NSE script.

```bash
nmap --script http-title 192.168.1.1
```

`nmap --script CATEGORY TARGET` — Run all scripts in a category: auth, broadcast, default, discovery, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.

```bash
nmap --script safe 192.168.1.1
```

`nmap --script "SCRIPT1,SCRIPT2" TARGET` — Run multiple scripts.

```bash
nmap --script "http-title,http-headers" 192.168.1.1
```

`nmap --script "http-*" TARGET` — Run all scripts matching a wildcard pattern.

```bash
nmap --script "http-*" -p 80,443 192.168.1.1
```

`nmap --script "not intrusive" TARGET` — Run all scripts except those in a category.

```bash
nmap --script "not intrusive" 192.168.1.1
```

`nmap --script "default and safe" TARGET` — Run scripts that are in both categories (boolean AND).

```bash
nmap --script "default and safe" 192.168.1.1
```

`nmap --script SCRIPT --script-args KEY=VAL TARGET` — Pass arguments to NSE scripts.

```bash
nmap --script http-brute --script-args http-brute.path=/admin 192.168.1.1
```

`nmap --script-updatedb` — Update the NSE script database after adding custom scripts.

```bash
sudo nmap --script-updatedb
```

`nmap --script-help SCRIPT` — Show help and documentation for a specific script.

```bash
nmap --script-help http-enum
```

## Useful NSE Scripts

`nmap --script http-enum TARGET` — Enumerate common web directories and files (robots.txt, admin panels, etc.).

```bash
nmap --script http-enum -p 80,443 192.168.1.1
```

`nmap --script http-title TARGET` — Show the title of web pages on open HTTP ports.

```bash
nmap --script http-title -p 80,443,8080 192.168.1.0/24
```

`nmap --script http-headers TARGET` — Show HTTP response headers.

```bash
nmap --script http-headers -p 80 192.168.1.1
```

`nmap --script ssl-enum-ciphers TARGET` — Enumerate SSL/TLS cipher suites and grade them.

```bash
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
```

`nmap --script ssl-cert TARGET` — Retrieve and display SSL/TLS certificate details.

```bash
nmap --script ssl-cert -p 443 192.168.1.1
```

`nmap --script dns-brute TARGET` — Brute-force DNS hostnames for a domain.

```bash
nmap --script dns-brute example.com
```

`nmap --script smb-os-discovery TARGET` — Discover OS information via SMB protocol.

```bash
nmap --script smb-os-discovery -p 445 192.168.1.1
```

`nmap --script banner TARGET` — Grab service banners from open ports.

```bash
nmap --script banner -p 21,22,25,80 192.168.1.1
```

`nmap --script vuln TARGET` — Run all vulnerability detection scripts.

```bash
sudo nmap --script vuln 192.168.1.1
```

`nmap --script whois-ip TARGET` — Look up WHOIS information for the target IP.

```bash
nmap --script whois-ip 8.8.8.8
```

`nmap --script traceroute-geolocation TARGET` — Geolocate each hop in a traceroute.

```bash
sudo nmap --traceroute --script traceroute-geolocation 8.8.8.8
```

`nmap --script mysql-info TARGET` — Retrieve MySQL server information.

```bash
nmap --script mysql-info -p 3306 192.168.1.1
```

## Output Formats

`nmap -oN FILE TARGET` — Normal output to a file (human-readable).

```bash
nmap -oN scan.txt 192.168.1.1
```

`nmap -oX FILE TARGET` — XML output to a file. Useful for importing into other tools.

```bash
nmap -oX scan.xml 192.168.1.1
```

`nmap -oG FILE TARGET` — Grepable output to a file. Easy to parse with grep/awk.

```bash
nmap -oG scan.gnmap 192.168.1.1
```

`nmap -oS FILE TARGET` — Script kiddie output (leet speak). Mostly a joke.

```bash
nmap -oS scan.txt 192.168.1.1
```

`nmap -oA BASENAME TARGET` — Output in all three major formats (.nmap, .xml, .gnmap).

```bash
nmap -oA scan_results 192.168.1.1
```

`nmap -v TARGET` — Increase verbosity. Shows open ports as they are found.

```bash
nmap -v 192.168.1.1
```

`nmap -vv TARGET` — Double verbosity for even more detail.

```bash
nmap -vv 192.168.1.1
```

`nmap -d TARGET` — Enable debugging output.

```bash
nmap -d 192.168.1.1
```

`nmap --reason TARGET` — Show the reason each port is set to a particular state.

```bash
nmap --reason 192.168.1.1
```

`nmap --open TARGET` — Only show open (or possibly open) ports in output.

```bash
nmap --open 192.168.1.1
```

`nmap --packet-trace TARGET` — Show all packets sent and received. Very verbose.

```bash
nmap --packet-trace -p 80 192.168.1.1
```

`nmap --resume FILE` — Resume an aborted scan from a normal output file.

```bash
nmap --resume scan.txt
```

## Firewall & IDS Evasion

`nmap -f TARGET` — Fragment packets into 8-byte chunks to bypass packet filters.

```bash
sudo nmap -f 192.168.1.1
```

`nmap --mtu N TARGET` — Set a custom MTU for fragmented packets (must be a multiple of 8).

```bash
sudo nmap --mtu 24 192.168.1.1
```

`nmap -D DECOY1,DECOY2,ME TARGET` — Cloak scan with decoy IP addresses. ME inserts your real IP.

```bash
sudo nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1
```

`nmap -D RND:N TARGET` — Use N random decoy addresses.

```bash
sudo nmap -D RND:5 192.168.1.1
```

`nmap -S SOURCE_IP TARGET` — Spoof the source IP address.

```bash
sudo nmap -S 10.0.0.1 -e eth0 192.168.1.1
```

`nmap -e INTERFACE TARGET` — Specify the network interface to use.

```bash
nmap -e eth0 192.168.1.1
```

`nmap --source-port PORT TARGET` — Use a specific source port number. Some firewalls allow traffic from port 53 or 80.

```bash
sudo nmap --source-port 53 192.168.1.1
```

`nmap --data-length N TARGET` — Append N random bytes to packets to avoid signature detection.

```bash
nmap --data-length 25 192.168.1.1
```

`nmap --spoof-mac MAC TARGET` — Spoof the MAC address. Use 0 for random, or a vendor name.

```bash
sudo nmap --spoof-mac Apple 192.168.1.1
```

`nmap --badsum TARGET` — Send packets with an invalid TCP/UDP checksum. Real hosts silently drop such packets, so any response comes from a firewall or IDS that does not verify checksums.

```bash
nmap --badsum 192.168.1.1
```

`nmap --ttl N TARGET` — Set a custom IP time-to-live value.

```bash
nmap --ttl 64 192.168.1.1
```

## DNS & Reverse Lookup

`nmap -n TARGET` — Never do DNS resolution. Speeds up scans significantly.

```bash
nmap -n 192.168.1.0/24
```

`nmap -R TARGET` — Always do reverse DNS resolution (even for offline hosts).

```bash
nmap -R 192.168.1.0/24
```

`nmap --dns-servers DNS1,DNS2 TARGET` — Use custom DNS servers for resolution.

```bash
nmap --dns-servers 8.8.8.8,1.1.1.1 192.168.1.0/24
```

`nmap --system-dns TARGET` — Use the OS DNS resolver instead of nmap's built-in resolver.

```bash
nmap --system-dns 192.168.1.1
```

`nmap -sL NETWORK/CIDR` — List scan — list each target together with its reverse DNS name. Only DNS lookups are performed; no probes are sent to the targets.

```bash
nmap -sL 192.168.1.0/24
```

## Miscellaneous Options

`nmap --traceroute TARGET` — Trace the network path to the target.

```bash
sudo nmap --traceroute 8.8.8.8
```

`nmap --iflist` — Show local network interfaces and routes as seen by nmap.

```bash
nmap --iflist
```

`nmap -sV --version-trace TARGET` — Show detailed version scan activity for debugging.

```bash
nmap -sV --version-trace -p 80 192.168.1.1
```

`nmap --privileged TARGET` — Assume the user is fully privileged (bypass privilege checks).

```bash
nmap --privileged 192.168.1.1
```

`nmap --send-eth TARGET` — Send raw ethernet frames instead of IP packets.

```bash
sudo nmap --send-eth 192.168.1.1
```

`nmap -V` — Show the nmap version.

```bash
nmap -V
```

## Common Scan Combinations

`nmap -sS -sV -O -p- TARGET` — Comprehensive scan: SYN scan all ports, detect versions and OS.

```bash
sudo nmap -sS -sV -O -p- 192.168.1.1
```

`nmap -sn -n NETWORK/CIDR -oG - | grep 'Up'` — Quick host discovery: list all live hosts on a network.

```bash
nmap -sn -n 192.168.1.0/24 -oG - | grep 'Up'
```

`nmap -T4 -F -sV TARGET` — Fast scan with version detection on the top 100 ports.

```bash
nmap -T4 -F -sV 192.168.1.1
```

`nmap -sS -sU -T4 -A -v TARGET` — Full TCP+UDP aggressive scan with all detection features.

```bash
sudo nmap -sS -sU -T4 -A -v 192.168.1.1
```

`nmap -sV -sC --open -p 80,443 NETWORK/CIDR` — Find all web servers on a network with scripts and version info.

```bash
nmap -sV -sC --open -p 80,443 192.168.1.0/24
```

`nmap -Pn -sS -p 22 --open NETWORK/CIDR -oG - | grep open` — Find all SSH servers on a network.

```bash
sudo nmap -Pn -sS -p 22 --open 192.168.1.0/24 -oG - | grep open
```

`nmap -sV --script ssl-cert -p 443 NETWORK/CIDR` — Scan for SSL certificates on a network.

```bash
nmap -sV --script ssl-cert -p 443 192.168.1.0/24
```

`nmap -sU -p 161 --script snmp-info NETWORK/CIDR` — Find SNMP-enabled devices and retrieve system info.

```bash
sudo nmap -sU -p 161 --script snmp-info 192.168.1.0/24
```

`nmap --script http-enum,http-title,http-methods -p 80,443,8080,8443 TARGET` — Web reconnaissance: directories, titles, and allowed HTTP methods.

```bash
nmap --script http-enum,http-title,http-methods -p 80,443,8080,8443 192.168.1.1
```

## Port States Explained

`open` — An application is actively listening on this port and accepting connections.

`closed` — The port is accessible (responds to probes) but no application is listening.

`filtered` — A firewall or filter is blocking probes. Nmap cannot determine if the port is open.

`unfiltered` — The port is accessible but nmap cannot determine if it is open or closed (ACK scan).

`open|filtered` — Nmap cannot determine whether the port is open or filtered (common in UDP scans).

`closed|filtered` — Nmap cannot determine whether the port is closed or filtered.

<!-- PROSE:outro -->
## Conclusion

nmap belongs in every administrator's toolkit: whether you are taking stock of your network, preparing a penetration test, or simply checking which services are reachable, no other tool provides as much insight in a single command. Use `-oA` for reproducible results and NSE scripts for targeted security checks.

## Further Reading

- [nmap – official documentation](https://nmap.org/docs.html) – reference and NSE script library
- [nmap(1) – manual page](https://nmap.org/book/man.html) – every option at a glance
- [Nmap – Wikipedia](https://en.wikipedia.org/wiki/Nmap) – background and history
<!-- PROSE:outro:end -->

## Related Commands

- [nc](https://www.jpkc.com/db/en/cheatsheets/networking/nc/) – open and test TCP/UDP connections
- [ping](https://www.jpkc.com/db/en/cheatsheets/networking/ping/) – check host reachability
- [traceroute](https://www.jpkc.com/db/en/cheatsheets/networking/traceroute/) – trace network paths to a target

