Nmap (Network Mapper) is a free tool that helps you find devices on a network, discover open ports, and identify services running on those ports. This Nmap cheat sheet uses simple language and lots of practical examples so beginners can learn by doing. Only scan systems you own or have permission to test.
Choosing what to scan
Before running Nmap you must tell it which addresses to check. You can give one IP, a range, many specific IPs, or a whole network. Pick the right target list so you only scan what you mean to scan.
| Example | Explanation |
|---|---|
| nmap 10.0.0.5 | Scan one device to find open ports and services. |
| nmap 10.0.1.6-9 | Scan a small consecutive range of addresses. |
| nmap 172.16.0.0/28 | Scan an entire small subnet (16 hosts). |
| nmap 192.0.2.10,192.0.2.12 | Scan specific IPs listed together. |
| nmap -iL targets.txt | Read targets from a file named targets.txt. |
| nmap –exclude 10.10.10.8 10.10.10.0/29 | Scan a subnet but skip the excluded address. |
Basic scan methods
Nmap has different scanning techniques. Some are quick, some are stealthy, and some work without special privileges. Choose a method depending on speed, stealth, and access level.
| Example | Explanation |
|---|---|
| nmap -sS 192.168.2.20 | TCP SYN scan – fast and common; sends half-open connections. |
| nmap -sT 192.168.3.8 | TCP Connect scan – completes full connections; works without admin. |
| nmap -sU 10.1.1.7 | UDP scan – finds UDP services (DNS, SNMP); usually slower. |
| nmap -sA 172.16.5.9 | ACK scan – useful to inspect firewall behavior. |
| nmap -sN 203.0.113.5 | Null scan – sends no TCP flags and can be stealthy in some cases. |
| nmap -sX 198.51.100.6 | Xmas scan – uses unusual flags to test responses from some systems. |
Finding active devices
Before probing ports, it helps to know which hosts are actually online. Host discovery tells you which addresses reply and saves time by avoiding offline hosts.
| Example | Explanation |
|---|---|
| nmap -sn 10.0.2.15/28 | Ping sweep: list hosts that are up; no port scan performed. |
| nmap -Pn 192.168.50.60 | Skip discovery and assume hosts are up (useful if ping is blocked). |
| nmap -PR 10.10.10.11/24 | ARP discovery for local networks; very accurate on LANs. |
| nmap -PS22,80 203.0.113.21 | Send TCP SYN probes to ports 22 and 80 to detect live hosts. |
| nmap -PU161 198.18.0.25 | Send UDP probe on port 161 to find SNMP-capable devices. |
Scanning ports
Ports are “doors” to services. Scanning specific ports is faster; scanning all ports is thorough but slower. Choose based on what you want to check.
| Example | Explanation |
|---|---|
| nmap -p22 10.5.5.5 | Scan only SSH port (22). |
| nmap -p 80,443 10.6.6.6 | Scan common web ports (HTTP and HTTPS). |
| nmap -p 1-100 192.168.3.14 | Scan the first 100 ports, a good quick range. |
| nmap -p 5900-5905 203.0.113.30 | Scan a small high range (example: VNC ports). |
| nmap -F 172.31.1.21 | Fast scan: only most common ports for speed. |
| nmap -p- 10.2.3.9 | Full TCP port scan (1–65535) for complete coverage. |
Detecting services and versions
Once you find open ports, Nmap can probe them to determine what software is running and its version. This helps identify services and known vulnerabilities.
| Example | Explanation |
|---|---|
| nmap -sV 203.0.113.7 | Probe services to display names and versions (e.g., Apache 2.4). |
| nmap -sV -p22,80 198.51.100.18 | Detect versions only on specified ports to save time. |
| nmap –version-intensity 2 192.0.2.40 | Lighter probing to reduce noise and speed up scan. |
| nmap –version-all 10.11.11.5 | More aggressive version checks for thorough results. |
| nmap -A 10.11.11.13 | Advanced scan: versions, OS detection, scripts and traceroute. |
Identifying operating systems
Nmap can guess which operating system a device uses by looking at how it responds to network probes. This is called OS fingerprinting.
| Example | Explanation |
|---|---|
| nmap -O 192.0.2.21 | Try to identify the OS (Windows, Linux, etc.). |
| nmap –osscan-guess 198.18.0.9 | Allow Nmap to make its best guess when unsure. |
| nmap -O –max-os-tries 2 10.100.1.2 | Limit OS detection attempts to finish faster or be quieter. |
Adjusting speed and stealth
You can control how fast Nmap sends packets. Faster scans finish quicker but are more noticeable; slower scans are quieter and less likely to trigger alerts.
| Example | Explanation |
|---|---|
| nmap -T4 203.0.113.11 | Faster scanning template for quick results. |
| nmap -T1 198.51.100.22 | Slow and stealthy scan to limit noise. |
| nmap –min-rate 100 172.16.10.18 | Ensure at least 100 packets per second for speed. |
| nmap –max-retries 1 198.51.100.250 | Try fewer retries to finish faster on unreliable links. |
| nmap –scan-delay 50ms 192.0.2.240 | Add a delay between probes to reduce bursts of traffic. |
Nmap scripts (NSE)
The Nmap Scripting Engine runs small scripts to automate extra checks: gathering info, testing for common problems, or checking known vulnerabilities. Scripts range from safe to intrusive — pick with care.
| Example | Explanation |
|---|---|
| nmap -sC 192.0.2.33 | Run a basic set of safe scripts for common info. |
| nmap –script http-title -p80 10.3.3.7 | Show the title of a web page on port 80. |
| nmap –script ssl-cert -p443 203.0.113.50 | Retrieve SSL certificate details from HTTPS. |
| nmap –script smb-enum-shares -p445 10.4.4.8 | List SMB shares on a Windows host (with permission). |
| nmap –script vuln 198.51.100.65 | Run vulnerability category scripts (may be intrusive). |
Evasion and spoofing (advanced)
Evasion features change how packets look or where they appear to come from. These are advanced techniques and can be illegal or disruptive if used without permission — use only in controlled environments.
| Example | Explanation |
|---|---|
| nmap -D RND:3 172.31.50.7 | Use random decoys to hide the real scan source. |
| nmap -S 10.99.99.9 192.168.200.8 | Spoof source IP address (requires privileges and may break routing). |
| nmap -f 203.0.113.55 | Fragment packets to try to avoid simple filters. |
| nmap –data-length 50 192.0.2.75 | Add junk bytes to change packet fingerprint. |
| nmap –ttl 40 198.51.100.75 | Set packet TTL to make packets appear from farther away. |
Saving output
Save scan results so you can review them, share with others, or use automated tools to process them later.
| Example | Explanation |
|---|---|
| nmap -oN results.txt 10.200.1.5 | Save human-readable output to a text file. |
| nmap -oX results.xml 192.0.2.44 | Save XML output for tools to parse. |
| nmap -oG results.gnmap 172.20.20.30 | Save in a grepable format for quick text searches. |
| nmap -oA fullscan 198.18.1.17 | Save in all formats (text, XML, grepable) with one base name. |
Combined examples
Combine options to match real tasks — discover live hosts, probe services, and save results. These examples are practical and safe to try on your own network.
| Example | Explanation |
|---|---|
| nmap -sn 192.168.1.0/24 | List live devices on your local network. |
| nmap -sS -p 22,80 10.0.0.20 | Quick SYN check of SSH and web ports on one host. |
| nmap -sV -p 80,443 203.0.113.70 | Detect service names and versions for web ports. |
| nmap -A -p 80 198.51.100.80 | Detailed scan on port 80: versions, OS, and scripts. |
| nmap -sU -p 53 10.0.0.40 | Check if DNS responds over UDP. |
| nmap -p- –min-rate 200 -oN allports.txt 192.0.2.100 | Aggressive full-port scan and save results to a file. |
Quick tips
A few best practices to keep your scans useful and safe.
- Only scan systems you own or have explicit permission to test.
- Start with simple, non-intrusive scans like
nmap -snornmap -sV. - Save results to compare scans over time with
-oNor-oA. - Use the right scan type for the job: quick checks with
-F, deep checks with-p-and-A. - Be careful with NSE scripts and evasion options — some scripts are intrusive and evasion can be illegal.
