Ultimate Nmap Cheat Sheet: Over 50 Commands and Flags

Nmap (Network Mapper) remains the industry-standard tool for network discovery and auditing. Whether you’re a beginner looking to map a simple network or a professional pen tester needing advanced scanning techniques, Nmap is an essential part of your toolkit.
Nmap has been a go-to network mapping tool for years. Nothing else quite matches its capabilities. While newer tools have emerged, Nmap’s combination of power and flexibility keeps it essential for everything from basic network enumeration to advanced penetration testing.
One thing that makes Nmap challenging, especially for newcomers, is its vast array of commands and options. With that in mind, we’ve put together a practical reference guide that covers both common tasks and advanced techniques.
Cyberkraft’s comprehensive Nmap Cheat Sheet provides the most current commands for both beginners and advanced users. You can even download our PDF version for quick reference.
What is Nmap and Why Use It?
Nmap (Network Mapper) is an open-source tool designed for network discovery and security auditing. Created by Gordon Lyon in 1997, Nmap has become a cornerstone of cybersecurity, used by IT professionals, system administrators, and penetration testers worldwide.
Nmap’s versatility lies in its ability to scan networks, discover devices, identify open ports, detect operating systems, and even pinpoint vulnerabilities using its robust scripting engine. Whether you need to troubleshoot a network, assess security risks, or map out infrastructure, Nmap delivers efficient and actionable insights.
Why use Nmap?
- Powerful and Flexible: It works on various systems (Windows, Linux, macOS) and supports multiple protocols (TCP, UDP, ICMP).
- Security-Focused: Provides detailed information about vulnerabilities and misconfigurations.
- Free and Open-Source: Completely free to use, with an active community contributing updates and scripts.
Nmap is essential for tasks ranging from simple host discovery to complex penetration testing, making it indispensable for anyone working with networks.
Let’s look at Cyberkraft’s ultimate Nmap cheat sheet:
Nmap Basic Scans
| Switch | Syntax | Description |
|---|---|---|
| -sS | nmap -sS [target] | TCP SYN scan (half-open; the default scan when Nmap has raw-packet privileges) |
| -sT | nmap -sT [target] | TCP Connect scan (completes the full handshake, so it works without privileges but is easier to log on the target) |
| -sU | nmap -sU [target] | UDP scan |
| -sP | nmap -sP [target] | Ping scan – find which hosts are up (older alias of -sn) |
| -sL | nmap -sL [target] | List scan – simply list targets to scan (only reverse DNS, no packets to the targets) |
| -sn | nmap -sn [target] | Ping scan – host discovery only, port scan disabled |
Nmap OS Detection
| Switch | Syntax | Description |
|---|---|---|
| -O | nmap -O [target] | Enables OS detection (requires raw-packet privileges) |
| --osscan-limit | nmap -O --osscan-limit [target] | Limit OS detection to promising hosts (at least one open and one closed TCP port) |
| --osscan-guess | nmap -O --osscan-guess [target] | Guess OS aggressively when there is no exact fingerprint match |
| --max-os-tries | nmap -O --max-os-tries [num] [target] | Set the maximum number of OS detection tries against a target |
Nmap Honeypots and Honeynets
| Switch | Syntax | Description |
|---|---|---|
| --script http-honeypot | nmap --script http-honeypot [target] | Detect HTTP honeypots |
| --script ftp-proftpd-backdoor | nmap --script ftp-proftpd-backdoor [target] | Detect FTP honeypots running with the ProFTPD backdoor |
Nmap Firewalls/IDS Evasion Spoofing
| Switch | Syntax | Description |
|---|---|---|
| -f | nmap -f [target] | Use fragmentation to split packets |
| -D | nmap -D [decoy1,decoy2,…] [target] | Cloak the scan with decoy source addresses |
| -S | nmap -S [IP_Address] [target] | Spoof source IP address |
| -e | nmap -e [interface] [target] | Use the specified network interface |
| -g/--source-port | nmap -g [port] [target] or nmap --source-port [port] [target] | Use given source port |
| --proxies | nmap --proxies [url1,url2,…] [target] | Relay connections through HTTP/SOCKS4 proxies |
| --data-length | nmap --data-length [num] [target] | Append [num] random bytes to sent packets |
| --ip-options | nmap --ip-options [options] [target] | Send packets with the specified IP options |
| --ttl | nmap --ttl [value] [target] | Set the IP time-to-live field |
| --spoof-mac | nmap --spoof-mac [MAC address/prefix/vendor name] [target] | Spoof your MAC address |
Nmap Port Specifications and Scan Order
| Switch | Syntax | Description |
|---|---|---|
| -p | nmap -p [port] [target] | Specify ports to scan (single ports, comma lists, and ranges such as 1-1024) |
| -F | nmap -F [target] | Fast scan – scan fewer ports than the default scan |
| -r | nmap -r [target] | Scan ports consecutively instead of in random order |
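The -p switch accepts a small grammar of its own: comma-separated ports, a-b ranges, open-ended ranges (-1024, 60000-, or a bare - for every port) and T:/U:/S: prefixes that switch the protocol for the items that follow. The parser below, an added example that is not part of Nmap or of this cheat sheet's original code, expands such a specification into explicit per-protocol port sets, which is handy when you need to check how many probes a scan will send or validate a port list before putting it in a scan policy. Service names (-p http) and wildcard syntax are deliberately rejected rather than guessed at.

```python
"""Parse Nmap-style port specifications (the argument to -p) into
explicit per-protocol port sets.

Added example for this cheat sheet; it is not Nmap's code. It covers the
numeric grammar documented for -p: single ports, a-b ranges, open-ended
ranges (-1024, 60000-, or a bare - for every port) and T:/U:/S: protocol
prefixes that stay in effect for the items that follow them. Service names
and [...] wildcards are not resolved and raise ValueError.
"""
from typing import Dict, Set

MAX_PORT = 65535
# Protocol letters Nmap accepts in -p; with no prefix the default is TCP.
PROTO_LETTERS = {"T": "tcp", "U": "udp", "S": "sctp"}


def _expand_item(item: str) -> Set[int]:
    """Expand one comma-separated element into a set of port numbers."""
    if item == "-":
        return set(range(1, MAX_PORT + 1))
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1        # "-1024" means 1-1024
        hi = int(hi_s) if hi_s else MAX_PORT  # "60000-" means 60000-65535
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"port range out of bounds: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}, 'sctp': {...}} for a -p argument."""
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set(), "sctp": set()}
    proto = "tcp"
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty element in port specification")
        # A prefix such as U:53 switches the protocol for this item and
        # every following item until another prefix appears.
        if len(item) > 1 and item[1] == ":":
            letter = item[0].upper()
            if letter not in PROTO_LETTERS:
                raise ValueError(f"unknown protocol prefix in {item!r}")
            proto = PROTO_LETTERS[letter]
            item = item[2:]
            if not item:
                raise ValueError(f"protocol prefix without ports: {raw!r}")
        # Anything other than digits and dashes is a service name or a
        # wildcard, which this parser does not resolve.
        if not all(c.isdigit() or c == "-" for c in item):
            raise ValueError(f"unsupported port element: {item!r}")
        result[proto] |= _expand_item(item)
    return result


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs a specification expands to."""
    return sum(len(ports) for ports in parse_port_spec(spec).values())


if __name__ == "__main__":
    for spec in ("22,80,443", "U:53,111,T:21-25,80", "-1024", "-"):
        print(f"{spec:>24} -> {port_count(spec)} ports")
```

Note that U:53,111 puts both 53 and 111 in the UDP set: the prefix is sticky until the next one, which is the behaviour that most often surprises people writing combined TCP/UDP scan lists.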
Nmap Service and Version Detection
| Switch | Syntax | Description |
|---|---|---|
| -sV | nmap -sV [target] | Detect services & their versions on open ports |
| --version-intensity | nmap -sV --version-intensity [level] [target] | Set version scan intensity from 0 (light) to 9 (try all probes) |
| --version-all | nmap -sV --version-all [target] | Try every single probe (intensity 9) |
| --version-trace | nmap -sV --version-trace [target] | Show detailed version scan activity (for debugging) |
Nmap Tar Pits
| Switch | Syntax | Description |
|---|---|---|
| --script ipidseq | nmap --script ipidseq [target] | Detect tar pits by analyzing the target’s IP ID sequence generation |
Nmap Advanced Scanning Techniques
| Switch | Syntax | Description |
|---|---|---|
| -6 | nmap -6 [target] | Enable IPv6 scanning |
| -A | nmap -A [target] | Enable OS detection, version detection, script scanning, & traceroute |
| --script | nmap --script=[script] [target] | Scan with a specific NSE script |
| --script-args | nmap --script-args=[args] [target] | Provide arguments to NSE scripts |
| --script-help | nmap --script-help=[script] | Show help about a specific script |
| --script-updatedb | nmap --script-updatedb | Update the script database |
| -sY | nmap -sY [target] | SCTP INIT scan |
| -sZ | nmap -sZ [target] | SCTP COOKIE-ECHO scan |
| -sO | nmap -sO [target] | IP protocol scan |
| --traceroute | nmap --traceroute [target] | Trace hop path to each host |
| --reason | nmap --reason [target] | Display the reason a port is in a particular state |
| --badsum | nmap --badsum [target] | Send packets with a bad checksum |
| -PR | nmap -PR [target] | ARP ping scan |
| --top-ports | nmap --top-ports [number] [target] | Scan the top [number] most common ports |
| --open | nmap --open [target] | Only show open (or possibly open) ports |
Nmap Output Options
| Switch | Syntax | Description |
|---|---|---|
| -oN | nmap -oN [file] [target] | Normal output to file |
| -oX | nmap -oX [file] [target] | XML output to file |
| -oS | nmap -oS [file] [target] | Script kiddie output to file |
| -oG | nmap -oG [file] [target] | Grepable output to file |
| -oA | nmap -oA [basename] [target] | Output in the three major formats at once |
| -v | nmap -v [target] | Increase verbosity level |
| -d | nmap -d [target] | Increase debugging level |
| --packet-trace | nmap --packet-trace [target] | Show all packets sent and received |
| --iflist | nmap --iflist | Show host interfaces and routes |
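The XML format (-oX, also produced by -oA) is the one to feed into tooling, because it keeps host status, port state and service detection results in a stable structure. The script below is an added example, not code from this cheat sheet or from the Nmap project: it parses a constructed sample in the element layout Nmap writes (nmaprun > host > address/ports/port > state/service) and compares the open ports it finds against a per-host baseline of expected ports, which is the typical defender's use of a scheduled scan (spotting a service that appeared where the inventory says none should be). The addresses, service strings and the baseline are all made up for the example.

```python
"""Parse Nmap XML output (-oX) and flag open ports a host is not expected
to expose.

Added example for this cheat sheet, not Nmap's code. SAMPLE_XML is a
constructed scan result in Nmap's element layout; EXPECTED is an assumed
baseline standing in for an asset inventory.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="9.6"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed baseline: (protocol, port) pairs each host is allowed to expose.
EXPECTED: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.0.6": set(),
}

PortEntry = Tuple[str, int, str]          # (proto, port, service name)
Finding = Tuple[str, str, int, str]       # (addr, proto, port, service name)


def parse_open_ports(xml_text: str) -> Dict[str, List[PortEntry]]:
    """Map each up host's IPv4 address to its open (proto, port, service) tuples."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, List[PortEntry]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries: List[PortEntry] = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed and filtered ports
            service = port.find("service")
            name = service.get("name", "unknown") if service is not None else "unknown"
            entries.append((port.get("protocol"), int(port.get("portid")), name))
        hosts[addr_el.get("addr")] = entries
    return hosts


def unexpected_ports(hosts: Dict[str, List[PortEntry]],
                     expected: Dict[str, Set[Tuple[str, int]]]) -> List[Finding]:
    """Return open ports absent from the host's baseline.

    A host that is up but has no baseline entry is reported in full, since
    it is unknown to the inventory.
    """
    findings: List[Finding] = []
    for addr, entries in hosts.items():
        allowed = expected.get(addr, set())
        for proto, portid, name in entries:
            if (proto, portid) not in allowed:
                findings.append((addr, proto, portid, name))
    return findings


if __name__ == "__main__":
    scan = parse_open_ports(SAMPLE_XML)
    for addr, proto, portid, name in unexpected_ports(scan, EXPECTED):
        print(f"{addr}: unexpected {proto}/{portid} ({name})")
```

Against the sample the report lists tcp/3306 on 10.0.0.5 (MySQL is not in that host's baseline) and udp/161 on 10.0.0.6, whose baseline allows nothing; the closed 443 is ignored because only ports in state open are collected. To run it on a real scan, read the file written by -oX and pass its contents in place of SAMPLE_XML.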
Nmap Additional Useful Commands
| Switch | Syntax | Description |
|---|---|---|
| -f | nmap -f [target] | Use fragmentation to split packets |
| -D | nmap -D RND:10 [target] | Randomize decoys (ten random decoy addresses) |
| -S | nmap -S [source_ip] [target] | Spoof source IP address |
| -g | nmap -g [port] [target] | Use given source port |
| -iL | nmap -iL [file] | Input from list of hosts/networks |
| -iR | nmap -iR [number] | Scan [number] random targets |
Upskill with Our CEH and PenTest+ Bootcamps
Mastering Nmap is just the beginning of your journey toward becoming a cybersecurity expert. If you’re ready to take your skills to the next level and build a solid foundation for your career, check out our Certified Ethical Hacker (CEH) Bootcamp and CompTIA PenTest+ Bootcamp.
Cyberkraft’s CEH Bootcamp
Earn the world’s most popular penetration testing certification. As an EC-Council Accredited Training Center, Cyberkraft offers instructor-led Bootcamps for the Certified Ethical Hacker v13 exam. C|EH is trusted by the U.S. Pentagon, Fortune 500 companies, and top organizations. Once certified, you will be in high demand with companies in both the public and private sectors. The skills you gain apply to more than 20 roles across 25+ industries, with the 5th highest salaries of all cybersecurity certifications over the last 10 years.
Our CEH Bootcamp includes:
- 40 hours of instruction with our EC-Council trained and certified instructors
- Official EC-Council CEH v13 eCourseware
- 6 months access to official EC-Council CEH labs
- Access to CEH Engage
- Full access to the Official EC-Council ethical hacking video library
- One on one study sessions before and after the bootcamp
- Fully paid exam voucher ($1,199 value)
- Job placement, resume writing, and career assistance
- First Time Pass Guarantee – free retake if you don’t pass on your first attempt
Cyberkraft’s PenTest+ Bootcamp
The CompTIA PenTest+ is the perfect certification for cybersecurity professionals seeking to enter the penetration testing career field. In Cyberkraft’s PenTest+ bootcamp you’ll work directly with the tools used by real-world pentesters. Learn the world’s most popular penetration testing toolkit, Kali Linux. Our bootcamp will teach you everything you need to pass your exam on the first attempt, guaranteed!
Our CompTIA PenTest+ PT0-003 Bootcamp includes:
- 40 hours of instruction with our CompTIA trained and certified instructors
- Access to the Official CompTIA Learn+Labs training environment
- Live instructor led study sessions
- $381 exam fee included. The full cost of the exam ($405) is included in the price of the bootcamp – you won’t have to pay for the exam separately
- Practice quizzes for each domain
- Fully immersive tests that simulate the actual exam
- Practice Performance Based Questions developed by CompTIA
- Lifetime access to recorded bootcamp sessions so you don’t need to worry if you miss a day of class!
- Exam preparation Masterclass and exam scheduling assistance
- Job placement, resume writing, and career assistance
- First Time Pass Guarantee – free retake if you don’t pass on your first attempt
Want to Learn at Your Own Pace? Explore Cyberkraft’s Self-Paced PenTest+ Course
Explore our self-paced PenTest+ course, designed for professionals who want the flexibility to learn on their own schedule. With comprehensive video modules, hands-on labs, and practice exams, this course offers everything you need to master penetration testing concepts and ace the certification exam.
You can earn Your PenTest+ PT0-002 Certification with 40 Hours of Elite Training and become an expert penetration tester with the industry’s best penetration testing certification.
CompTIA PenTest+ Course includes:
- One Year Access to the Official CompTIA PenTest+ Learn+Labs training environment
- Self-paced lessons
- Video lessons
- Study guides
- Practice questions
- Performance-based questions
- Flash cards
- Games
- Simulation exams
- Personalized weekly study sessions
- Customized to meet your training goals and schedule
- Taught by our expert CompTIA trained and certified instructors
- Full access to the Cyberkraft Training Community
- Free training resources
- Certification updates and news
- Free training sessions on YouTube and Discord
- Enrollment in the Cyberkraft Alumni Program
- Discounts with resume writers
- Career coaching
- Access to our extensive recruiter network
- Bonus course on how to build your own penetration testing toolkit
- Create a fully functioning test environment to use at your next penetration testing role
- Includes all tools needed to perform a full penetration test (over 350 tools included)
- The lab is connected with Windows Server, Windows 10, Linux, and other devices in a fully functional virtual network
- 7 Day Full Money Back Guarantee
- If you are not completely satisfied with the course, you will receive a full refund within 7 days of enrollment
Bookmark Your Nmap Cheat Sheet
Nmap remains one of the most versatile and powerful tools in cybersecurity, and now you have a reliable cheat sheet that ensures you’re ready for any network scanning task. From basic host discovery to advanced vulnerability assessments, this Nmap cheat sheet has all your essential commands in one place to improve your efficiency and effectiveness.
Bookmark this Nmap cheat sheet as your go-to reference, and consider downloading a PDF version for offline access HERE. By mastering these commands, you’ll have a competitive edge in network scanning and security auditing.
Don’t just stop at mastering Nmap—join our bootcamps or self-paced courses and become a certified cybersecurity professional. If you’re eager to level up further, explore the cybersecurity certifications and resources at Cyberkraft.
Through our Bootcamps and self-paced programs, we help cybersecurity professionals prepare for a variety of certification exams, including PenTest+ and CEH. Our in-depth training courses give you all you need to feel confident in your knowledge of the material so you can pass your certification exam on the first try. Contact us today and advance your cybersecurity career.