Nmap Network Scanner

Nmap cheatsheet — scan ports, detect services and OS, run scripts. nmap -sV -sC, nmap -p 1-1000, nmap -A, nmap --script vuln. Full network scanning reference.


What it is

Nmap (Network Mapper) is a free and open-source utility for network discovery and security auditing. You reach for it when you need to understand what hosts are on a network, what services they are running, and what operating systems they are using.

Installation

Linux

sudo apt update && sudo apt install nmap # Debian/Ubuntu
sudo yum install nmap                 # Fedora/CentOS/RHEL
sudo pacman -S nmap                   # Arch Linux

macOS

brew install nmap

Windows

Download the installer from the official Nmap website: https://nmap.org/download.html

Core Concepts

  • Targets: The hosts or networks you want to scan. These can be IP addresses, hostnames, or network ranges.
  • Ports: Network communication endpoints on a host, identified by numbers (e.g., 80 for HTTP, 22 for SSH). Nmap scans ports to see if they are open, closed, or filtered.
  • Scan Types: Different methods Nmap uses to probe ports and gather information, each with trade-offs in speed, stealth, and accuracy.
  • NSE (Nmap Scripting Engine): A powerful feature that allows users to write and use scripts to automate a wide variety of networking tasks, including advanced vulnerability detection.

Commands / Usage

Basic Host Discovery

  • Ping scan a single IP address:

    nmap -sn 192.168.1.1
    

    Discovers if a host at 192.168.1.1 is online without scanning its ports.

  • Ping scan a range of IP addresses:

    nmap -sn 192.168.1.1-100
    

    Discovers if any hosts in the range 192.168.1.1 to 192.168.1.100 are online.

  • Ping scan a subnet using CIDR notation:

    nmap -sn 192.168.1.0/24
    

    Discovers if any hosts in the 192.168.1.0/24 subnet are online.

  • Ping scan and resolve hostnames:

    nmap -sn -R 192.168.1.0/24
    

    Discovers online hosts in the 192.168.1.0/24 subnet and attempts to resolve their hostnames.

Port Scanning

  • Scan default ports on a single IP address:

    nmap 192.168.1.1
    

    Scans the most common 1000 TCP ports on 192.168.1.1.

  • Scan default ports on a hostname:

    nmap example.com
    

    Scans the most common 1000 TCP ports on example.com.

  • Scan all TCP ports on a single IP address:

    nmap -p- 192.168.1.1
    

    Scans all 65535 TCP ports on 192.168.1.1.

  • Scan specific TCP ports on a single IP address:

    nmap -p 22,80,443 192.168.1.1
    

    Scans TCP ports 22, 80, and 443 on 192.168.1.1.

  • Scan a range of TCP ports on a single IP address:

    nmap -p 1-1024 192.168.1.1
    

    Scans TCP ports from 1 to 1024 on 192.168.1.1.

  • Scan UDP ports on a single IP address:

    nmap -sU 192.168.1.1
    

    Scans the most common 1000 UDP ports on 192.168.1.1.

  • Scan specific UDP ports on a single IP address:

    nmap -sU -p 53,161 192.168.1.1
    

    Scans UDP ports 53 and 161 on 192.168.1.1.

  • Scan both TCP and UDP ports:

    nmap -sS -sU -p T:22,U:53 192.168.1.1
    

    Scans TCP port 22 and UDP port 53 on 192.168.1.1.

Scan Types

  • SYN scan (stealth scan):

    nmap -sS 192.168.1.1
    

    Performs a TCP SYN scan, which is faster and stealthier than a full connect scan. Requires root privileges.

  • Connect scan:

    nmap -sT 192.168.1.1
    

    Performs a full TCP connect scan. Does not require root privileges but is noisier.

  • FIN scan:

    nmap -sF 192.168.1.1
    

    Sends a packet with only the FIN flag set. Effective against some firewalls and intrusion detection systems. Requires root privileges.

  • Xmas scan:

    nmap -sX 192.168.1.1
    

    Sends a packet with the FIN, PSH, and URG flags set. Requires root privileges.

  • Null scan:

    nmap -sN 192.168.1.1
    

    Sends a packet with no TCP flags set. Requires root privileges.

  • UDP scan:

    nmap -sU 192.168.1.1
    

    Scans UDP ports. Slower than TCP scans.

  • ACK scan (for firewall rule testing):

    nmap -sA 192.168.1.1
    

    Reports ports as filtered or unfiltered (it cannot tell open from closed), which is used to map firewall rules.

  • Window scan:

    nmap -sW 192.168.1.1
    

    Like the ACK scan, but also examines the TCP window field of the RST replies, which on some systems distinguishes open from closed ports.

  • Maimon scan:

    nmap -sM 192.168.1.1
    

    Sends a FIN/ACK packet. Requires root privileges.

Service and Version Detection

  • Enable service and version detection:

    nmap -sV 192.168.1.1
    

    Tries to determine the service and version running on open ports.

  • Aggressive service and version detection:

    nmap -sV -A 192.168.1.1
    

    Enables OS detection, version detection, script scanning, and traceroute.

OS Detection

  • Enable OS detection:

    nmap -O 192.168.1.1
    

    Attempts to determine the operating system of the target. Requires root privileges.

Timing and Performance

  • Set timing template (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane):

    nmap -T4 192.168.1.1
    

    Uses the aggressive timing template for faster scanning.

  • Set minimum and maximum parallelism:

    nmap --min-parallelism 100 --max-parallelism 500 192.168.1.1
    

    Sets the number of probes sent concurrently.

  • Set initial and maximum retransmission timeouts:

    nmap --initial-rtt-timeout 500ms --max-rtt-timeout 2s 192.168.1.1
    

    Configures how Nmap handles packet retransmissions.

  • Fast scan:

    nmap -F 192.168.1.1
    

    Scans fewer ports than the default scan (top 100 instead of 1000).

Nmap Scripting Engine (NSE)

  • Run default scripts:

    nmap -sC 192.168.1.1
    

    Runs the scripts in the default category (equivalent to --script=default).

  • Run scripts from a specific category:

    nmap --script "vuln" 192.168.1.1
    

    Runs all NSE scripts in the "vuln" category.

  • Run a specific script:

    nmap --script "http-enum" 192.168.1.1
    

    Runs the http-enum.nse script on 192.168.1.1.

  • Select scripts with a boolean expression:

    nmap --script "default or discovery or safe" 192.168.1.1
    

    Runs scripts categorized as "default", "discovery", or "safe".

  • Run scripts with arguments:

    nmap --script "http-title" --script-args "http-title.url=/login" 192.168.1.1
    

    Runs the http-title script with a specific URL argument.

Output Options

  • Normal output:

    nmap 192.168.1.1
    

    Prints scan results to the console.

  • Save output to a normal file:

    nmap -oN output.txt 192.168.1.1
    

    Saves scan results to output.txt in a human-readable format.

  • Save output to an XML file:

    nmap -oX output.xml 192.168.1.1
    

    Saves scan results to output.xml in XML format.

  • Save output to a "grepable" file:

    nmap -oG output.grep 192.168.1.1
    

    Saves scan results to output.grep in a format easily parsable with grep.

  • Save output in all formats:

    nmap -oA output_prefix 192.168.1.1
    

    Saves output to output_prefix.nmap (normal), output_prefix.xml (XML), and output_prefix.gnmap (grepable).

  • Verbosity level (0-5):

    nmap -v 192.168.1.1
    nmap -vv 192.168.1.1
    

    Increases the level of detail displayed during the scan. -v for verbose, -vv for very verbose.

Other Useful Options

  • Specify a target list file:

    nmap -iL targets.txt
    

    Reads target IP addresses or hostnames from the targets.txt file.

  • Exclude hosts:

    nmap -iL targets.txt --exclude 192.168.1.10
    

    Scans targets from targets.txt but excludes 192.168.1.10.

  • Set the packet rate:

    nmap --min-rate 1000 192.168.1.1
    

    Sends at least 1000 packets per second; use --max-rate to cap the rate instead.

  • Don’t ping hosts (assume they are up):

    nmap -Pn 192.168.1.1
    

    Skips the host discovery phase and scans all specified ports, even if the host appears offline. Useful for hosts that block ping requests.

  • Trace route:

    nmap --traceroute 192.168.1.1
    

    Performs a traceroute to the target host.

  • Scan for open ports only:

    nmap --open 192.168.1.1
    

    Shows only open (or possibly open) ports, so only hosts with at least one open port appear in the output.

  • Limit the scan to the most common ports:

    nmap --top-ports 100 192.168.1.1
    

    Scans the top 100 most common ports.

  • Disable DNS resolution:

    nmap -n 192.168.1.1
    

    Disables reverse DNS resolution for all scanned IPs.

Common Patterns

  • Discover all hosts and open web servers on a subnet:

    nmap -sn -oG - 192.168.1.0/24 | awk '/Status: Up/{print $2}' | nmap -iL - -p 80,443 --open -oG -
    

    First, find all live hosts (grepable output lists each as "Host: <ip> ... Status: Up"), then feed those addresses to a second scan via -iL - and report only hosts with port 80 or 443 open.

  • Aggressively scan a host for OS, services, and vulnerabilities:

    nmap -A -T4 -oA full_scan_report 192.168.1.10
    

    Performs an aggressive scan, enabling OS detection, version detection, script scanning, and traceroute, using a fast timing template, and saves output in all formats.

  • Find all hosts running SSH and attempt to identify their OS:

    nmap -p 22 --open -sV -O 192.168.1.0/24 -oG ssh_hosts.txt
    

    Scans a subnet for hosts with port 22 open, identifies the service version, attempts OS detection, and saves the output in grepable format.

  • Scan for common web vulnerabilities using NSE scripts:

    nmap -p 80,443 --script "http-vuln*" 192.168.1.0/24 -oN web_vulns.txt
    

    Scans all hosts on the subnet for web vulnerabilities using scripts starting with http-vuln.

  • Find open web ports on hosts that block ping requests:

    nmap -Pn -p 80 192.168.1.0/24 -oG - | grep "/open/"
    

    Scans all hosts on the subnet for port 80, assuming they are up (-Pn), and filters the grepable output (-oG -) for lines that contain an open port.

  • Scan a list of IPs from a file, saving detailed output:

    nmap -iL ip_list.txt -sV -O -T4 -oA detailed_scan
    

    Scans IPs from ip_list.txt, performing version and OS detection with aggressive timing, and saving all output formats.
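Added example, not part of the original cheatsheet: shell functions that turn the grepable (-oG) output from the Output Options section into a host/port inventory, pull live hosts out of a -sn sweep for the discover-then-scan pattern above, and diff two inventories to surface newly exposed services. The sample records, addresses and version strings are constructed.

```shell
# Added example: parse Nmap grepable (-oG) output and diff scan inventories.
# Sample lines below are constructed; they mimic real -oG records (tab-separated
# "Host: <ip> (<name>)", "Ports: ...", "Ignored State: ..." fields).

# Live hosts from a ping sweep (nmap -sn -oG -), one IP per line.
gnmap_up_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# "ip port/proto service" for every open port in a port-scan -oG record.
# Each Ports: entry is port/state/proto/owner/service/rpcinfo/version/.
# Only state "open" is kept; UDP "open|filtered" is deliberately excluded.
gnmap_open_ports() {
  awk '/^Host:/ && /Ports:/ {
    ip = $2; line = $0
    sub(/^.*Ports: /, "", line)
    sub(/[ \t]+(Ignored State|OS|Seq Index|IP ID Seq):.*$/, "", line)
    n = split(line, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")
      if (f[2] == "open") printf "%s %s/%s %s\n", ip, f[1], f[3], f[5]
    }
  }'
}

# Lines in the new inventory ($2) that were absent from the baseline ($1):
# newly opened ports or newly seen hosts.
new_exposures() {
  old=$(mktemp); new=$(mktemp)
  printf '%s\n' "$1" | sort > "$old"
  printf '%s\n' "$2" | sort > "$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Constructed sample records (not real scan output).
SWEEP_SAMPLE=$(printf 'Host: 192.168.1.1 (gw.lan)\tStatus: Up\nHost: 192.168.1.10 ()\tStatus: Up\n')
BASELINE_SAMPLE=$(printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: closed (999)\n')
TODAY_SAMPLE=$(printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 3306/open/tcp//mysql//MySQL 8.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n')

# Real-world pipeline (needs nmap and a network; not executed here):
#   nmap -sn -oG - 192.168.1.0/24 | gnmap_up_hosts \
#     | nmap -iL - -p 22,80,443,3306 -sV -oG - | gnmap_open_ports > today.txt
#   new_exposures "$(cat baseline.txt)" "$(cat today.txt)"
```

Running the inventory on a schedule and alerting on non-empty new_exposures output is a cheap way to catch services that appear on a segment without a change ticket.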

Gotchas

  • Root Privileges: Many of Nmap’s most effective and stealthy scan types (like SYN scans, FIN scans, Xmas scans, and OS detection) require root or administrator privileges. If you get errors about raw socket permissions, you likely need to run Nmap with sudo.
  • Firewalls and IDS: Aggressive scanning, especially with certain scan types or high timing templates (-T4, -T5), can be detected by Intrusion Detection Systems (IDS) or blocked by firewalls. Stealthier scans (-T2, -T3) or specific techniques might be necessary.
  • UDP Scan Speed: UDP scanning is significantly slower than TCP scanning because UDP is a connectionless protocol, and Nmap has to rely on timing and retransmissions to determine port states.
  • "Filtered" Port State: A "filtered" state means Nmap cannot determine if a port is open or closed, usually because a firewall or network filtering device is blocking the probes. This is a common and often frustrating result.
  • NSE Script Output: NSE scripts can produce a lot of varied output. Understanding the output of specific scripts is key to interpreting their results. Some scripts require specific arguments (--script-args) to function correctly or provide useful information.
  • Target Specification: Be careful with CIDR notation (/24) and IP ranges (1-100). Misinterpreting them can lead to scanning unintended networks or hosts.
  • -Pn Flag: While useful for bypassing ping blocks, using -Pn on a large network without specifying ports can lead to extremely long scan times, as Nmap will probe its full default port set on every IP address in the range, including hosts that are actually down, and wait for each probe to time out.
  • Race Conditions: In very fast scans or complex network environments, Nmap might occasionally misinterpret port states due to network latency or packet loss.