We created this Nmap Cheat Sheet initially for students of the Complete Ethical Hacking Bootcamp 2021: Zero to Mastery, but we're now sharing it with any ethical hackers and penetration testers to help you learn and remember common Nmap syntax and to use as a handy reference.
In this Nmap cheat sheet, you will find both Nmap command examples as well as explanations of when and why you would use certain options and arguments.
We also provide you with an overview of which commands require root/sudo privileges and compare the noise levels of various commands (how likely a command is to alert the target that it is being scanned).
There are a lot of Nmap options that are very detailed and advanced. But the chances that the majority of users/students will ever need them are quite low, so we've kept this Nmap Cheat Sheet focused on the most important commands that you need to know and will use most often.
If you’ve stumbled across this page and are just starting to learn about Ethical Hacking, Penetration Testing and Nmap, welcome! Ethical Hacking is becoming a very popular and important field. In the coming years, cybercrime might become the greatest threat to every person, place and thing in the world. The best defense is to be prepared.
Still not convinced it's really worth it to learn these skills? If these stats from Cybint don't convince you, we don't know what will:
However, if you're stuck in an endless cycle of YouTube tutorials and want to start learning how hacking works by actually using and practicing the techniques and methods used by hackers today, then come join us at the Zero To Mastery Academy and learn Ethical Hacking alongside hundreds of other students who are in your exact shoes.
Enough chit-chat from us, please enjoy this guide and if you'd like to submit any corrections or suggestions, please feel free to email us at firstname.lastname@example.org.
Nmap is an essential open-source tool for Ethical Hackers and Penetration testers. It was initially created by Gordon Lyon (aka Fyodor). The Nmap project itself does a great job describing the tool and what it does (see below), so why re-invent the wheel?
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Want to see what an actual Nmap scan looks like and how to perform an NMAP scan? Watch this free lesson from the Zero To Mastery Ethical Hacking Bootcamp.
We can use nmap -h to display an extended help menu of Nmap. In this extended help menu, you can find an overview of all possible options, and which arguments some of them require in order to work. Note that you can also use man nmap for the in-depth manual, and nmap --version to check which version you are running.
Nmap is an interesting tool that can be used in various ways. You can scan one single target or multiple targets. Here is a list of examples, showing the ways you can target something (the addresses are placeholders; substitute your own targets):
|Command|Description|
|---|---|
|nmap 192.168.1.1|Scanning a single IP|
|nmap example.com|Scanning a hostname (Nmap resolves it first; add -n to skip DNS resolution entirely)|
|nmap 192.168.1.1-20|Scanning an IP range (the range applies to the last octet here, but any octet can be given as a range)|
|nmap 192.168.1.0/24|Scanning a subnet in CIDR notation|
|nmap -iL targets.txt|Scanning from a predefined list, one target per line in the file|
Besides the basic nmap <target>, we can also use various scan types in Nmap. Each of them has its own unique capabilities, but they also often come with the downside of one being noisier than the other. Let us see which types we have:
|Command|Description|Root/Sudo required|Noise level|
|---|---|---|---|
|nmap -sS <target>|This is a TCP SYN scan, also known as a half-open or "stealth" scan. Nmap sends a SYN packet and waits for the response: a SYN/ACK means the port is open, a RST means it is closed, and no response (or an ICMP unreachable error) means it is filtered. Nmap answers a SYN/ACK with a RST instead of completing the handshake, so the application behind the port never sees a connection. This is a fast and pretty accurate scan, which you will use most of the time, and it is the default when you run Nmap as root.|Required|Very Low|
|nmap -sT <target>|The -sT scan is the TCP connect scan. It uses the operating system's connect() call, so it completes the full three-way handshake with every probed port. That makes it slower, noisier and easier to detect by well set-up firewalls and by the service's own logs, but it needs no raw-socket privileges. This is what Nmap falls back to when you are not root.|Not Required|Medium|
|nmap -sU <target>|This scan is used to scan for UDP ports. This is typically a slower and more difficult scan: UDP has no handshake, so a port that does not answer is reported as open|filtered, and many hosts rate-limit the ICMP port-unreachable replies that Nmap uses to mark ports closed. Though most services use TCP, there are also services that use UDP, such as DNS, SNMP and DHCP. So this scan is still useful as there are still exploitable UDP services. Don't make the mistake of skipping this scan, you might find something! Combine it with -sV to get a much more accurate open/closed answer for the ports that matter.|Required|Medium|
|nmap -sn <target>|This is a host discovery (ping) scan that skips the port scan and only reports which hosts are up. Older versions of Nmap call it -sP. As root on the local subnet it uses ARP requests; as root against remote targets it sends ICMP echo and timestamp requests plus a TCP SYN to 443 and a TCP ACK to 80; without root it falls back to TCP connect() to ports 80 and 443. This is useful if you are on the same (sub)network as the IP range you are scanning and only want to know which devices are live. Do not confuse it with -Pn, which does the opposite: -Pn skips host discovery and treats every target as up.|Not Required|Very Low|
|nmap -sV <target>|This is a service version scan. In order to know what exploits will work, it is very helpful to know the service version behind an open port. It might be that a certain exploit only works in one specific version of a certain service, as it might be patched in a newer version. Nmap connects to each open port and sends probes to elicit a banner, which is why the service can log it.|Not Required|Medium|
|nmap -O <target>|This is a remote OS detection scan. We use this scan to learn what OS the target runs on. This is very useful as it gives an idea of what kind of exploits might work on the target, and which exploits won't work. Note that OS detection is only reliable if there is at least 1 open port and 1 closed port; Nmap will warn you and the guess will be less accurate otherwise.|Required|Medium|
|nmap -A <target>|This is an aggressive scan. It is a shortcut for OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute). Though it returns a lot of information, you will be alerting the target as this is probably the noisiest scan.|Required|Very High|
Sometimes you want to know if a certain port is open on a target, or perhaps you want to know ALL open ports on the target. By default Nmap scans the 1,000 most common ports. Luckily, Nmap provides its users with ways to change this:
|Command|Description|
|---|---|
|nmap -p 80 <target>|Use -p <port> to scan for one specific port on the target.|
|nmap -p 1-20 <target>|You can also use -p to scan for a range of ports; -p 1-20 <target> would scan ports 1 to 20 on the target.|
|nmap -p 22,80,443 <target>|There is also the possibility to specify multiple specific ports by separating them with a comma. Ranges and single ports can be mixed, e.g. -p 22,80-90,443.|
|nmap -sU -sS -p U:53,T:22,80 <target>|If you want to scan for both UDP and TCP ports, you can prefix the list with U: for UDP ports and T: for TCP ports, separated by a comma. You still need to enable both scan types (-sU and -sS or -sT), otherwise Nmap ignores the ports of the protocol you did not request.|
|nmap -F <target>|The -F ("fast") option tells Nmap to scan only the 100 most common ports instead of the default 1,000.|
|nmap --top-ports <number> <target>|With this option, you scan the top <number> ports according to Nmap's frequency data, depending on what amount you provide.|
|nmap -p- <target>|This option tells Nmap to scan all 65,535 TCP ports (it is shorthand for -p 1-65535; port 0 is only scanned if you ask for it explicitly with -p 0-65535). This will clearly make the scan take longer to finish.|
Nmap allows for the use of "timing templates", which let the user specify how aggressive they wish to be with their scans, while leaving Nmap to pick the exact timing values (probe parallelism, timeouts and delays). There are 6 timing templates, selected with -T0 through -T5:
|Command|Description|
|---|---|
|nmap -T0 <target>|-T0 is the slowest template, also referred to as "Paranoid". It sends one probe at a time with a long wait (minutes) between probes. This option is good for IDS evasion, at the cost of scans that can take days.|
|nmap -T1 <target>|-T1 is faster than -T0, but is still referred to as the "Sneaky" template. This timing option is also a good choice for IDS evasion.|
|nmap -T2 <target>|-T2 is the "Polite" template. It slows the scan down, which results in less bandwidth usage and fewer target machine resources being consumed.|
|nmap -T3 <target>|-T3 is the "Normal" template, the default. Using this template is the same as not specifying one at all.|
|nmap -T4 <target>|-T4 speeds up scans by assuming that you are on a reasonably fast and reliable network. This template is also referred to as "Aggressive" and is a sensible choice on a local lab network.|
|nmap -T5 <target>|-T5 is an insanely fast mode, assuming that you are on an extraordinarily fast network, or that you are willing to sacrifice some accuracy for speed (probes that time out are simply reported as filtered). That is why it is also referred to as the "Insane" mode.|
Last but not least... Nmap provides us with scripts through the Nmap Scripting Engine (NSE). Every script belongs to one or more of these categories: auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version and vuln.
We run a script, a category, or a boolean combination of categories in the following way:
nmap --script <script or category> <target>
For example, nmap --script "default and safe" <target> runs only the scripts that are in both categories, and nmap -sC <target> is shorthand for nmap --script default <target>. Use nmap --script-help <script or category> to read what a script does before running it.
Some scripts are very noisy, some not at all (the brute, dos, exploit and intrusive categories in particular may crash services or trip alarms). Therefore, it is important to read what each script does and whether it is easily detectable by the target or not.
Do note that the scripts run on top of a normal port scan, so the privilege requirement comes from the scan type: as root the underlying scan is -sS, without root it is -sT. A few scripts that send raw packets themselves (for example some of the broadcast scripts) also need root.
When you are doing a pentest, it is useful to use the -oN option to output your scan to a text file in the same "normal" format you see on screen. This way, you can copy-paste it later into your pentest report. Here is how to do it:
nmap -oN <filename.txt> <target>
Nmap can also write XML (-oX) and grepable (-oG) output, which are easier to process with tools and scripts, or all three formats at once with -oA <basename>.
You can also use multiple options in one scan. For example, this is probably the most common scan you will perform:
sudo nmap -sS <target> -oN <filename.txt>
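A common way to chain these options on an engagement is a two-stage scan: first a fast SYN scan of all ports saved in grepable format, then a targeted -sV scan of only the ports that came back open. The script below is an added example written for this cheat sheet, not code from the original page or from the Nmap project. It assumes nothing about your network: the grepable (-oG) output it parses is constructed inline to stand in for a real stage1.gnmap file, and the stage-two commands are printed rather than executed so you can review them before running them as root.

```shell
#!/bin/sh
# Added example for the cheat sheet (not Nmap's own code): parse Nmap
# grepable output (-oG) and build one targeted version scan per host.

# CONSTRUCTED sample of what "sudo nmap -sS -p- -oG stage1.gnmap 192.168.0.0/28"
# writes. Fields on a Host: line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ separated by ", ".
sample_gnmap() {
  printf '# Nmap 7.x scan initiated as: nmap -sS -p- -oG stage1.gnmap 192.168.0.0/28\n'
  printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
  printf 'Host: 192.168.0.5 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n'
  printf 'Host: 192.168.0.9 ()\tStatus: Up\n'
  printf 'Host: 192.168.0.9 ()\tIgnored State: closed (65535)\n'
  printf '# Nmap done -- 16 IP addresses (3 hosts up) scanned in 120.00 seconds\n'
}

# open_ports [file]: read -oG output (file or stdin) and print
# "<host> <comma-separated open ports>" for every host with at least one
# open port. Only state "open" is taken; "open|filtered" (typical for UDP)
# and "closed" are ignored so the follow-up scan stays small.
open_ports() {
  awk '
    BEGIN { FS = "\t" }
    /^Host:/ {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") == 1) {
          n = split(substr($i, 8), ports, ", ")
          list = ""
          for (j = 1; j <= n; j++) {
            split(ports[j], f, "/")
            if (f[2] == "open") list = (list == "" ? f[1] : list "," f[1])
          }
          if (list != "") print host " " list
        }
      }
    }' "$@"
}

# stage2_commands [file]: emit the second-stage scan for each host. -sS needs
# root, hence sudo; -sV only probes the ports found open, and -oN keeps a
# per-host report file.
stage2_commands() {
  open_ports "$@" | while read -r host ports; do
    printf 'sudo nmap -sS -sV -p %s -oN %s-versions.txt %s\n' "$ports" "$host" "$host"
  done
}

# Stand-alone run against the constructed sample. With a real file you would
# instead run: stage2_commands stage1.gnmap
sample_gnmap | stage2_commands
```

Against the constructed sample this prints one command for 192.168.0.1 (ports 22,80) and one for 192.168.0.5 (ports 445,3389), and nothing for 192.168.0.9, which had no open ports. Pipe the output into sh once you have read it, or keep it as the list of commands you ran for the report.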
Lastly, we've added some screenshots of various commands below (each one was run against a lab host at 192.168.0.239):
|Command|What it shows|
|---|---|
|nmap -p 80 192.168.0.239|Scanning a single port|
|nmap -p- 192.168.0.239|Scanning all 65,535 TCP ports|
|sudo nmap -sV 192.168.0.239|Service version detection (run with sudo so the underlying port scan is a SYN scan)|
|nmap -T4 192.168.0.239|Default scan with the "Aggressive" timing template|
|sudo nmap -sS 192.168.0.239|TCP SYN scan|
|nmap -sn 192.168.0.239|Host discovery only, no port scan|
A huge thanks and credit goes to Zero To Mastery Star Mentor and Ethical Hacker, Thomas. This cheat sheet was created in part from his notes while taking and completing the Ethical Hacking Bootcamp course.