nmap — Scan and Analyse Networks
Practical guide to nmap — discover hosts, scan ports, detect services and operating systems, and find security issues on networks you are authorised to test.
nmap is the go-to tool for network inventory and security auditing: scan individual hosts or entire subnets, discover open ports and running services, fingerprint operating systems, and run Nmap Scripting Engine checks for known vulnerabilities – all from a single command. This cheat sheet covers the options you need daily, from a quick ping sweep to a comprehensive audit scan, always on systems you are authorised to test.
Basic Scans
nmap TARGET — Scan the 1000 most common ports on a target host. TARGET can be an IP, hostname, or CIDR range.
nmap 192.168.1.1
nmap HOST1 HOST2 HOST3 — Scan multiple hosts separated by spaces.
nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap NETWORK/CIDR — Scan an entire subnet.
nmap 192.168.1.0/24
nmap START-END — Scan a range of IP addresses.
nmap 192.168.1.1-50
nmap -iL FILE — Read targets from a file (one per line).
nmap -iL targets.txt
nmap --exclude HOST1,HOST2 — Exclude specific hosts from a scan.
nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254
nmap --excludefile FILE — Exclude hosts listed in a file.
nmap 192.168.1.0/24 --excludefile exclude.txt
nmap -6 TARGET — Scan an IPv6 target.
nmap -6 2001:db8::1
Host Discovery
nmap -sn NETWORK/CIDR — Ping scan only — discover live hosts without port scanning.
nmap -sn 192.168.1.0/24
nmap -Pn TARGET — Skip host discovery. Treat all hosts as online. Useful when ICMP is blocked.
nmap -Pn 192.168.1.1
nmap -PS PORT(S) TARGET — TCP SYN discovery on specified ports.
nmap -PS22,80,443 192.168.1.0/24
nmap -PA PORT(S) TARGET — TCP ACK discovery on specified ports.
nmap -PA80,443 192.168.1.0/24
nmap -PU PORT(S) TARGET — UDP discovery on specified ports.
nmap -PU53,161 192.168.1.0/24
nmap -PE TARGET — ICMP echo request discovery (traditional ping).
nmap -PE 192.168.1.0/24
nmap -PP TARGET — ICMP timestamp request discovery.
nmap -PP 192.168.1.0/24
nmap -PM TARGET — ICMP address mask request discovery.
nmap -PM 192.168.1.0/24
nmap -PR TARGET — ARP discovery on local network. Fast and reliable on LAN.
nmap -PR 192.168.1.0/24
nmap -sn -n NETWORK/CIDR — Fast ping sweep without DNS resolution.
nmap -sn -n 10.0.0.0/24
Port Specification
nmap -p PORT TARGET — Scan a specific port.
nmap -p 80 192.168.1.1
nmap -p PORT1,PORT2,PORT3 TARGET — Scan a list of specific ports.
nmap -p 22,80,443,8080 192.168.1.1
nmap -p START-END TARGET — Scan a range of ports.
nmap -p 1-1024 192.168.1.1
nmap -p- TARGET — Scan all 65535 ports.
nmap -p- 192.168.1.1
nmap -p U:PORT,T:PORT TARGET — Specify UDP (U:) and TCP (T:) ports separately.
nmap -p U:53,161,T:22,80,443 192.168.1.1
nmap --top-ports N TARGET — Scan the N most common ports.
nmap --top-ports 100 192.168.1.1
nmap -F TARGET — Fast scan — only the 100 most common ports (instead of 1000).
nmap -F 192.168.1.0/24
nmap -r TARGET — Scan ports sequentially instead of randomized order.
nmap -r -p 1-1024 192.168.1.1
Scan Techniques
nmap -sS TARGET — TCP SYN scan (stealth/half-open). Default for privileged users. Fast and reliable.
sudo nmap -sS 192.168.1.1
nmap -sT TARGET — TCP connect scan. Uses full TCP handshake. Default for unprivileged users.
nmap -sT 192.168.1.1
nmap -sU TARGET — UDP scan. Slower than TCP scans, but essential for finding UDP services.
sudo nmap -sU -p 53,67,68,123,161,500 192.168.1.1
nmap -sA TARGET — TCP ACK scan. Used to map firewall rulesets and determine filtered/unfiltered ports.
sudo nmap -sA 192.168.1.1
nmap -sW TARGET — TCP Window scan. Like ACK scan, but can detect open ports on some systems.
sudo nmap -sW 192.168.1.1
nmap -sN TARGET — TCP Null scan. Sends packets with no TCP flags set.
sudo nmap -sN 192.168.1.1
nmap -sF TARGET — TCP FIN scan. Sends packets with only the FIN flag.
sudo nmap -sF 192.168.1.1
nmap -sX TARGET — TCP Xmas scan. Sends packets with FIN, PSH, and URG flags set.
sudo nmap -sX 192.168.1.1
nmap -sM TARGET — TCP Maimon scan. Sends FIN/ACK probe. Works on some BSD-derived systems.
sudo nmap -sM 192.168.1.1
nmap -sO TARGET — IP protocol scan. Determines which IP protocols are supported.
sudo nmap -sO 192.168.1.1
nmap -sS -sU TARGET — Combined TCP SYN and UDP scan for comprehensive results.
sudo nmap -sS -sU -p T:22,80,443,U:53,161 192.168.1.1
Service & Version Detection
nmap -sV TARGET — Probe open ports to determine service name and version.
nmap -sV 192.168.1.1
nmap -sV --version-intensity N TARGET — Set version detection intensity (0=light, 9=all probes). Default: 7.
nmap -sV --version-intensity 5 192.168.1.1
nmap -sV --version-light TARGET — Light version scan (intensity 2). Faster but less accurate.
nmap -sV --version-light 192.168.1.1
nmap -sV --version-all TARGET — Try every single probe for version detection (intensity 9).
nmap -sV --version-all 192.168.1.1
nmap -A TARGET — Aggressive scan. Enables OS detection, version detection, script scanning, and traceroute.
sudo nmap -A 192.168.1.1
nmap -sC TARGET — Run default NSE scripts. Equivalent to --script=default.
nmap -sC 192.168.1.1
nmap -sV -sC TARGET — Version detection combined with default scripts. A common combination.
nmap -sV -sC 192.168.1.1
OS Detection
nmap -O TARGET — Enable OS detection using TCP/IP stack fingerprinting.
sudo nmap -O 192.168.1.1
nmap -O --osscan-limit TARGET — Only attempt OS detection if at least one open and one closed TCP port is found.
sudo nmap -O --osscan-limit 192.168.1.0/24
nmap -O --osscan-guess TARGET — Guess OS more aggressively when detection is uncertain.
sudo nmap -O --osscan-guess 192.168.1.1
nmap -O --max-os-tries N TARGET — Limit the number of OS detection attempts (default: 5).
sudo nmap -O --max-os-tries 2 192.168.1.1
Timing & Performance
nmap -T0 TARGET — Paranoid timing. Extremely slow, for IDS evasion. Serial scan, 5 min between probes.
nmap -T0 192.168.1.1
nmap -T1 TARGET — Sneaky timing. Slow, 15 seconds between probes.
nmap -T1 192.168.1.1
nmap -T2 TARGET — Polite timing. Slows scan to use less bandwidth. 0.4 seconds between probes.
nmap -T2 192.168.1.1
nmap -T3 TARGET — Normal timing. The default. Balances speed and accuracy.
nmap -T3 192.168.1.1
nmap -T4 TARGET — Aggressive timing. Faster, assumes a reasonably fast and reliable network.
nmap -T4 192.168.1.1
nmap -T5 TARGET — Insane timing. Very fast but may sacrifice accuracy. Can overwhelm targets.
nmap -T5 192.168.1.1
nmap --min-rate N TARGET — Send at least N packets per second.
nmap --min-rate 1000 192.168.1.0/24
nmap --max-rate N TARGET — Send at most N packets per second.
nmap --max-rate 100 192.168.1.1
nmap --min-parallelism N TARGET — Set minimum number of parallel probes.
nmap --min-parallelism 10 192.168.1.0/24
nmap --max-retries N TARGET — Limit the number of port scan probe retransmissions.
nmap --max-retries 2 192.168.1.1
nmap --host-timeout TIME TARGET — Give up on a target after this time (e.g., 30s, 5m, 1h).
nmap --host-timeout 5m 192.168.1.0/24
nmap --scan-delay TIME TARGET — Wait at least TIME between probes.
nmap --scan-delay 1s 192.168.1.1
NSE Scripts (Nmap Scripting Engine)
nmap --script SCRIPT TARGET — Run a specific NSE script.
nmap --script http-title 192.168.1.1
nmap --script CATEGORY TARGET — Run all scripts in a category: auth, broadcast, default, discovery, exploit, external, fuzzer, intrusive, malware, safe, version, vuln.
nmap --script safe 192.168.1.1
nmap --script "SCRIPT1,SCRIPT2" TARGET — Run multiple scripts.
nmap --script "http-title,http-headers" 192.168.1.1
nmap --script "http-*" TARGET — Run all scripts matching a wildcard pattern.
nmap --script "http-*" -p 80,443 192.168.1.1
nmap --script "not intrusive" TARGET — Run all scripts except those in a category.
nmap --script "not intrusive" 192.168.1.1
nmap --script "default and safe" TARGET — Run scripts that are in both categories (boolean AND).
nmap --script "default and safe" 192.168.1.1
nmap --script SCRIPT --script-args KEY=VAL TARGET — Pass arguments to NSE scripts.
nmap --script http-brute --script-args http-brute.path=/admin 192.168.1.1
nmap --script-updatedb — Update the NSE script database after adding custom scripts.
sudo nmap --script-updatedb
nmap --script-help SCRIPT — Show help and documentation for a specific script.
nmap --script-help http-enum
Useful NSE Scripts
nmap --script http-enum TARGET — Enumerate common web directories and files (robots.txt, admin panels, etc.).
nmap --script http-enum -p 80,443 192.168.1.1
nmap --script http-title TARGET — Show the title of web pages on open HTTP ports.
nmap --script http-title -p 80,443,8080 192.168.1.0/24
nmap --script http-headers TARGET — Show HTTP response headers.
nmap --script http-headers -p 80 192.168.1.1
nmap --script ssl-enum-ciphers TARGET — Enumerate SSL/TLS cipher suites and grade them.
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
nmap --script ssl-cert TARGET — Retrieve and display SSL/TLS certificate details.
nmap --script ssl-cert -p 443 192.168.1.1
nmap --script dns-brute TARGET — Brute-force DNS hostnames for a domain.
nmap --script dns-brute example.com
nmap --script smb-os-discovery TARGET — Discover OS information via SMB protocol.
nmap --script smb-os-discovery -p 445 192.168.1.1
nmap --script banner TARGET — Grab service banners from open ports.
nmap --script banner -p 21,22,25,80 192.168.1.1
nmap --script vuln TARGET — Run all vulnerability detection scripts.
sudo nmap --script vuln 192.168.1.1
nmap --script whois-ip TARGET — Look up WHOIS information for the target IP.
nmap --script whois-ip 8.8.8.8
nmap --script traceroute-geolocation TARGET — Geolocate each hop in a traceroute.
sudo nmap --traceroute --script traceroute-geolocation 8.8.8.8
nmap --script mysql-info TARGET — Retrieve MySQL server information.
nmap --script mysql-info -p 3306 192.168.1.1
Output Formats
nmap -oN FILE TARGET — Normal output to a file (human-readable).
nmap -oN scan.txt 192.168.1.1
nmap -oX FILE TARGET — XML output to a file. Useful for importing into other tools.
nmap -oX scan.xml 192.168.1.1
nmap -oG FILE TARGET — Grepable output to a file. Easy to parse with grep/awk.
nmap -oG scan.gnmap 192.168.1.1
nmap -oS FILE TARGET — Script kiddie output (leet speak). Mostly a joke.
nmap -oS scan.txt 192.168.1.1
nmap -oA BASENAME TARGET — Output in all three major formats (.nmap, .xml, .gnmap).
nmap -oA scan_results 192.168.1.1
nmap -v TARGET — Increase verbosity. Shows open ports as they are found.
nmap -v 192.168.1.1
nmap -vv TARGET — Double verbosity for even more detail.
nmap -vv 192.168.1.1
nmap -d TARGET — Enable debugging output.
nmap -d 192.168.1.1
nmap --reason TARGET — Show the reason each port is set to a particular state.
nmap --reason 192.168.1.1
nmap --open TARGET — Only show open (or possibly open) ports in output.
nmap --open 192.168.1.1
nmap --packet-trace TARGET — Show all packets sent and received. Very verbose.
nmap --packet-trace -p 80 192.168.1.1
nmap --resume FILE — Resume an aborted scan from a normal output file.
nmap --resume scan.txt
Firewall & IDS Evasion
nmap -f TARGET — Fragment packets into 8-byte chunks to bypass packet filters.
sudo nmap -f 192.168.1.1
nmap --mtu N TARGET — Set a custom MTU for fragmented packets (must be a multiple of 8).
sudo nmap --mtu 24 192.168.1.1
nmap -D DECOY1,DECOY2,ME TARGET — Cloak scan with decoy IP addresses. ME inserts your real IP.
sudo nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1
nmap -D RND:N TARGET — Use N random decoy addresses.
sudo nmap -D RND:5 192.168.1.1
nmap -S SOURCE_IP TARGET — Spoof the source IP address.
sudo nmap -S 10.0.0.1 -e eth0 192.168.1.1
nmap -e INTERFACE TARGET — Specify the network interface to use.
nmap -e eth0 192.168.1.1
nmap --source-port PORT TARGET — Use a specific source port number. Some firewalls allow traffic from port 53 or 80.
sudo nmap --source-port 53 192.168.1.1
nmap --data-length N TARGET — Append N random bytes to packets to avoid signature detection.
nmap --data-length 25 192.168.1.1
nmap --spoof-mac MAC TARGET — Spoof the MAC address. Use 0 for random, or a vendor name.
sudo nmap --spoof-mac Apple 192.168.1.1
nmap --badsum TARGET — Send packets with an invalid TCP/UDP checksum. Responses indicate a firewall not verifying checksums.
nmap --badsum 192.168.1.1
nmap --ttl N TARGET — Set a custom IP time-to-live value.
nmap --ttl 64 192.168.1.1
DNS & Reverse Lookup
nmap -n TARGET — Never do DNS resolution. Speeds up scans significantly.
nmap -n 192.168.1.0/24
nmap -R TARGET — Always do reverse DNS resolution (even for offline hosts).
nmap -R 192.168.1.0/24
nmap --dns-servers DNS1,DNS2 TARGET — Use custom DNS servers for resolution.
nmap --dns-servers 8.8.8.8,1.1.1.1 192.168.1.0/24
nmap --system-dns TARGET — Use the OS DNS resolver instead of nmap's built-in resolver.
nmap --system-dns 192.168.1.1
nmap -sL NETWORK/CIDR — List scan — only list targets with reverse DNS. No actual scanning.
nmap -sL 192.168.1.0/24
Miscellaneous Options
nmap --traceroute TARGET — Trace the network path to the target.
sudo nmap --traceroute 8.8.8.8
nmap --iflist — Show local network interfaces and routes as seen by nmap.
nmap --iflist
nmap -sV --version-trace TARGET — Show detailed version scan activity for debugging.
nmap -sV --version-trace -p 80 192.168.1.1
nmap --privileged TARGET — Assume the user is fully privileged (bypass privilege checks).
nmap --privileged 192.168.1.1
nmap --send-eth TARGET — Send raw ethernet frames instead of IP packets.
sudo nmap --send-eth 192.168.1.1
nmap -V — Show the nmap version.
nmap -V
Common Scan Combinations
nmap -sS -sV -O -p- TARGET — Comprehensive scan: SYN scan all ports, detect versions and OS.
sudo nmap -sS -sV -O -p- 192.168.1.1
nmap -sn -n NETWORK/CIDR -oG - | grep 'Up' — Quick host discovery: list all live hosts on a network.
nmap -sn -n 192.168.1.0/24 -oG - | grep 'Up'
nmap -T4 -F -sV TARGET — Fast scan with version detection on the top 100 ports.
nmap -T4 -F -sV 192.168.1.1
nmap -sS -sU -T4 -A -v TARGET — Full TCP+UDP aggressive scan with all detection features.
sudo nmap -sS -sU -T4 -A -v 192.168.1.1
nmap -sV -sC --open -p 80,443 NETWORK/CIDR — Find all web servers on a network with scripts and version info.
nmap -sV -sC --open -p 80,443 192.168.1.0/24
nmap -Pn -sS -p 22 --open NETWORK/CIDR -oG - | grep open — Find all SSH servers on a network.
sudo nmap -Pn -sS -p 22 --open 192.168.1.0/24 -oG - | grep open
nmap -sV --script ssl-cert -p 443 NETWORK/CIDR — Scan for SSL certificates on a network.
nmap -sV --script ssl-cert -p 443 192.168.1.0/24
nmap -sU -p 161 --script snmp-info NETWORK/CIDR — Find SNMP-enabled devices and retrieve system info.
sudo nmap -sU -p 161 --script snmp-info 192.168.1.0/24
nmap --script http-enum,http-title,http-methods -p 80,443,8080,8443 TARGET — Web reconnaissance: directories, titles, and allowed HTTP methods.
nmap --script http-enum,http-title,http-methods -p 80,443,8080,8443 192.168.1.1
Port States Explained
open — An application is actively listening on this port and accepting connections.
closed — The port is accessible (responds to probes) but no application is listening.
filtered — A firewall or filter is blocking probes. Nmap cannot determine if the port is open.
unfiltered — The port is accessible but nmap cannot determine if it is open or closed (ACK scan).
open|filtered — Nmap cannot determine whether the port is open or filtered (common in UDP scans).
closed|filtered — Nmap cannot determine whether the port is closed or filtered.
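The grepable (-oG) output used in the Output Formats and Common Scan Combinations sections goes further than grep 'Up': the Python script below is an added example (not code from the nmap project) that parses constructed -oG lines into a per-host inventory, keeps the port states listed above, and reports open or open|filtered ports missing from a hypothetical expected-services baseline, which is a quick way to spot unexpected listeners after a scheduled scan of your own network. The sample output, the baseline and the field layout comments are assumptions made for this example.

```python
"""Parse nmap grepable (-oG) output and flag listeners outside an expected baseline."""
import re
from collections import defaultdict

# Constructed sample in the form written by: nmap -sV -oG - 192.168.1.0/24
# Fields are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.local)\tStatus: Up
Host: 192.168.1.1 (gateway.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/open/tcp//https//nginx 1.18/\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///\tIgnored State: filtered (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")  # owner, rpc skipped

# Hypothetical allowlist of expected (port, proto) pairs per host; not an nmap feature.
BASELINE = {
    "192.168.1.1": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.168.1.20": {(445, "tcp")},
}

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from 'Ports:' lines."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and 'Nmap done' lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port data
        host = fields["Host"].split()[0]  # drop the '(hostname)' part
        for port, state, proto, service, version in PORT_RE.findall(fields["Ports"]):
            hosts[host].append((int(port), proto, state, service, version))
    return dict(hosts)

def unexpected_ports(hosts, baseline):
    """List (host, port, proto, state, service) for open or open|filtered ports not in the
    host's baseline. open|filtered UDP ports are kept: that state often hides a live service."""
    findings = []
    for host, entries in hosts.items():
        allowed = baseline.get(host, set())
        for port, proto, state, service, _version in entries:
            if state.startswith("open") and (port, proto) not in allowed:
                findings.append((host, port, proto, state, service))
    return sorted(findings)

if __name__ == "__main__":
    for host, port, proto, state, service in unexpected_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{host}: {port}/{proto} {state} ({service}) is not in the baseline")
```

Feed it a real file from nmap -oG scan.gnmap (or the -oA .gnmap member) in place of the sample to compare a scheduled scan against your own inventory.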
Conclusion
nmap belongs in every administrator's toolkit: whether you are taking stock of your network, preparing a penetration test, or simply checking which services are reachable, no other tool provides as much insight in a single command. Use -oA for reproducible results and NSE scripts for targeted security checks.
Further Reading
- nmap – official documentation – reference and NSE script library
- nmap(1) – manual page – every option at a glance
- Nmap – Wikipedia – background and history
Related Commands
- nc – open and test TCP/UDP connections
- ping – check host reachability
- traceroute – trace network paths to a target