Nmap Cheat Sheet: Beginner-Friendly Guide with Examples
Nmap (Network Mapper) is a free tool that helps you find devices on a network, discover open ports, and identify services running on those ports. This Nmap cheat sheet uses simple language and lots of practical examples so beginners can learn by doing. Only scan systems you own or have permission to test.
Before running Nmap you must tell it which addresses to check. You can give one IP, a range, many specific IPs, or a whole network. Pick the right target list so you only scan what you mean to scan.
| Example | Explanation |
|---|---|
| nmap 10.0.0.5 | Scan one device to find open ports and services. |
| nmap 10.0.1.6-9 | Scan a small consecutive range of addresses (10.0.1.6 through 10.0.1.9). |
| nmap 172.16.0.0/28 | Scan an entire small subnet (16 addresses). |
| nmap 192.0.2.10,192.0.2.12 | Scan specific IPs listed together. |
| nmap -iL targets.txt | Read targets from a file named targets.txt, one per line. |
| nmap --exclude 10.10.10.8 10.10.10.0/28 | Scan a subnet but skip the excluded address (10.10.10.8 is inside 10.10.10.0/28). |
Nmap has different scanning techniques. Some are quick, some are stealthy, and some work without special privileges. Choose a method depending on speed, stealth, and access level.
| Example | Explanation |
|---|---|
| nmap -sS 192.168.2.20 | TCP SYN scan – fast and common; sends half-open connections (never completes the handshake). Needs root/admin. |
| nmap -sT 192.168.3.8 | TCP Connect scan – completes full connections; works without admin. |
| nmap -sU 10.1.1.7 | UDP scan – finds UDP services (DNS, SNMP); usually slower. |
| nmap -sA 172.16.5.9 | ACK scan – useful to inspect firewall behavior (filtered vs. unfiltered), not to find open ports. |
| nmap -sN 203.0.113.5 | Null scan – sends no TCP flags and can be stealthy in some cases. |
| nmap -sX 198.51.100.6 | Xmas scan – uses unusual flags (FIN, PSH, URG) to test responses from some systems. |
Before probing ports, it helps to know which hosts are actually online. Host discovery tells you which addresses reply and saves time by avoiding offline hosts.
| Example | Explanation |
|---|---|
| nmap -sn 10.0.2.15/28 | Ping sweep: list hosts that are up; no port scan performed. |
| nmap -Pn 192.168.50.60 | Skip discovery and assume hosts are up (useful if ping is blocked). |
| nmap -PR 10.10.10.11/24 | ARP discovery for local networks; very accurate on LANs. |
| nmap -PS22,80 203.0.113.21 | Send TCP SYN probes to ports 22 and 80 to detect live hosts. |
| nmap -PU161 198.18.0.25 | Send a UDP probe to port 161 to find SNMP-capable devices. |
Ports are “doors” to services. Scanning specific ports is faster; scanning all ports is thorough but slower. Choose based on what you want to check.
| Example | Explanation |
|---|---|
| nmap -p22 10.5.5.5 | Scan only the SSH port (22). |
| nmap -p 80,443 10.6.6.6 | Scan common web ports (HTTP and HTTPS). |
| nmap -p 1-100 192.168.3.14 | Scan the first 100 ports, a good quick range. |
| nmap -p 5900-5905 203.0.113.30 | Scan a small high range (example: VNC ports). |
| nmap -F 172.31.1.21 | Fast scan: only the 100 most common ports for speed. |
| nmap -p- 10.2.3.9 | Full TCP port scan (1–65535) for complete coverage. |
Once you find open ports, Nmap can probe them to determine what software is running and its version. This helps identify services and known vulnerabilities.
| Example | Explanation |
|---|---|
| nmap -sV 203.0.113.7 | Probe services to display names and versions (e.g., Apache 2.4). |
| nmap -sV -p22,80 198.51.100.18 | Detect versions only on specified ports to save time. |
| nmap --version-intensity 2 192.0.2.40 | Lighter probing (0–9 scale, default 7) to reduce noise and speed up the scan. |
| nmap --version-all 10.11.11.5 | Try every probe (intensity 9) for thorough results. |
| nmap -A 10.11.11.13 | Aggressive scan: versions, OS detection, default scripts and traceroute. |
Nmap can guess which operating system a device uses by looking at how it responds to network probes. This is called OS fingerprinting.
| Example | Explanation |
|---|---|
| nmap -O 192.0.2.21 | Try to identify the OS (Windows, Linux, etc.). |
| nmap --osscan-guess 198.18.0.9 | Allow Nmap to make its best guess when unsure. |
| nmap -O --max-os-tries 2 10.100.1.2 | Limit OS detection attempts to finish faster or be quieter. |
You can control how fast Nmap sends packets. Faster scans finish quicker but are more noticeable; slower scans are quieter and less likely to trigger alerts.
| Example | Explanation |
|---|---|
| nmap -T4 203.0.113.11 | Faster timing template (0–5 scale) for quick results. |
| nmap -T1 198.51.100.22 | Slow and stealthy scan to limit noise. |
| nmap --min-rate 100 172.16.10.18 | Send at least 100 packets per second for speed. |
| nmap --max-retries 1 198.51.100.250 | Allow fewer retransmissions to finish faster on unreliable links. |
| nmap --scan-delay 50ms 192.0.2.240 | Add a delay between probes to reduce bursts of traffic. |
The Nmap Scripting Engine runs small scripts to automate extra checks: gathering info, testing for common problems, or checking known vulnerabilities. Scripts range from safe to intrusive — pick with care.
| Example | Explanation |
|---|---|
| nmap -sC 192.0.2.33 | Run the default set of safe scripts for common info. |
| nmap --script http-title -p80 10.3.3.7 | Show the title of a web page on port 80. |
| nmap --script ssl-cert -p443 203.0.113.50 | Retrieve SSL certificate details from HTTPS. |
| nmap --script smb-enum-shares -p445 10.4.4.8 | List SMB shares on a Windows host (with permission). |
| nmap --script vuln 198.51.100.65 | Run vulnerability category scripts (may be intrusive). |
Evasion features change how packets look or where they appear to come from. These are advanced techniques and can be illegal or disruptive if used without permission — use only in controlled environments.
| Example | Explanation |
|---|---|
| nmap -D RND:3 172.31.50.7 | Use three random decoys to hide the real scan source. |
| nmap -S 10.99.99.9 192.168.200.8 | Spoof the source IP address (requires privileges; replies go to the spoofed address, so you may see no results). |
| nmap -f 203.0.113.55 | Fragment packets to try to avoid simple filters. |
| nmap --data-length 50 192.0.2.75 | Append 50 random bytes to change the packet fingerprint. |
| nmap --ttl 40 198.51.100.75 | Set the packet TTL to make packets appear to come from farther away. |
Save scan results so you can review them, share with others, or use automated tools to process them later.
| Example | Explanation |
|---|---|
| nmap -oN results.txt 10.200.1.5 | Save human-readable output to a text file. |
| nmap -oX results.xml 192.0.2.44 | Save XML output for tools to parse. |
| nmap -oG results.gnmap 172.20.20.30 | Save in a grepable format for quick text searches. |
| nmap -oA fullscan 198.18.1.17 | Save in all formats (fullscan.nmap, fullscan.xml, fullscan.gnmap) with one base name. |
Combine options to match real tasks — discover live hosts, probe services, and save results. These examples are practical and safe to try on your own network.
| Example | Explanation |
|---|---|
| nmap -sn 192.168.1.0/24 | List live devices on your local network. |
| nmap -sS -p 22,80 10.0.0.20 | Quick SYN check of SSH and web ports on one host. |
| nmap -sV -p 80,443 203.0.113.70 | Detect service names and versions for web ports. |
| nmap -A -p 80 198.51.100.80 | Detailed scan on port 80: versions, OS, and scripts. |
| nmap -sU -p 53 10.0.0.40 | Check if DNS responds over UDP. |
| nmap -p- --min-rate 200 -oN allports.txt 192.0.2.100 | Aggressive full-port scan, saving results to a file. |
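The output-format and combined-workflow sections above both come down to the same habit: save machine-readable output and feed one scan into the next. The following POSIX shell script is an added example, not part of the original cheat sheet: it parses grepable (-oG) output with awk to extract live hosts and open ports, and chains a host-discovery sweep into a version scan of only the hosts that answered. The two -oG samples are constructed to look like real Nmap grepable output (the IPs, hostnames and versions are made up), and the function names `live_hosts`, `open_ports` and `scan_live_hosts` are mine.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): post-process Nmap's
# grepable (-oG) output with awk and chain discovery into a targeted scan.

TAB=$(printf '\t')

# Constructed sample of what `nmap -sn -oG - 192.168.1.0/24` prints.
# Grepable output puts one host per line, with tab-separated fields.
DISCOVERY_GNMAP="# Nmap 7.94 scan initiated as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 ()${TAB}Status: Up
Host: 192.168.1.20 (printer.lan)${TAB}Status: Up
Host: 192.168.1.37 ()${TAB}Status: Down
Host: 192.168.1.50 ()${TAB}Status: Up
# Nmap done at ...: 256 IP addresses (3 hosts up) scanned"

# Constructed sample of what `nmap -sV -p 22,80,443 -oG - <hosts>` prints.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/.
PORTS_GNMAP="# Nmap 7.94 scan initiated as: nmap -sV -p 22,80,443 -oG - ...
Host: 192.168.1.1 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/closed/tcp//http///, 443/open/tcp//ssl|http//nginx 1.18/${TAB}Ignored State: filtered (0)
Host: 192.168.1.20 (printer.lan)${TAB}Ports: 22/filtered/tcp//ssh///, 80/open/tcp//http//Embedded web server/, 443/closed/tcp//ssl|http///
# Nmap done at ...: 2 IP addresses (2 hosts up) scanned"

# live_hosts: read -sn grepable output on stdin, print one IP per line for
# every host whose Status field is "Up".  Comment lines (#) are skipped.
live_hosts() {
    awk -F'\t' '/^Host:/ && $2 ~ /Status: Up/ { split($1, h, " "); print h[2] }'
}

# open_ports: read port-scan grepable output on stdin and print
# "ip port proto service version" for each port in state "open".
# Caveat: version strings containing ", " would confuse the split; for
# anything beyond quick triage, parse the XML (-oX) output instead.
open_ports() {
    awk -F'\t' '
    /^Host:/ && $2 ~ /^Ports:/ {
        split($1, h, " "); ip = h[2]
        sub(/^Ports: /, "", $2)
        n = split($2, entries, /, /)
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open")
                printf "%s %s %s %s %s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "-" : f[7])
        }
    }'
}

# scan_live_hosts NET PORTS BASENAME: two-stage workflow.  Stage 1 is a ping
# sweep; only hosts that replied go into stage 2, a version scan saved in
# all three formats (-oA).  Not called below, because it really scans.
scan_live_hosts() {
    net="$1"; ports="$2"; out="$3"
    targets=$(mktemp) || return 1
    nmap -sn -oG - "$net" | live_hosts > "$targets"
    echo "$(wc -l < "$targets") live host(s); scanning ports $ports"
    nmap -sV -p "$ports" -iL "$targets" -oA "$out"
    rm -f "$targets"
}

# Demonstration on the constructed samples (runs offline, no nmap needed).
echo "== live hosts from discovery sweep =="
printf '%s\n' "$DISCOVERY_GNMAP" | live_hosts
echo "== open ports from version scan =="
printf '%s\n' "$PORTS_GNMAP" | open_ports
```

Usage on a real network would be `scan_live_hosts 192.168.1.0/24 22,80,443 stage2`, which leaves stage2.nmap, stage2.xml and stage2.gnmap behind. The grepable format is convenient for a quick pipeline like this, but its fields are positional and loosely delimited, so anything that feeds results into other tooling should consume the XML output instead.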
A few best practices to keep your scans useful and safe:

- Begin with a simple scan such as nmap -sn or nmap -sV.
- Save your results with -oN or -oA.
- Use -F for quick checks, and -p- with -A for deep checks.