Quick Start: Essential Nmap Commands (Cheat Sheet)
The following twelve commands cover 90% of day-to-day Nmap operations. Each entry lists exact syntax, purpose, and practical judgment on when to deploy or avoid it. Flags requiring root privileges or generating significant network noise are marked.
| Symbol | Meaning |
|---|---|
| [root] | Requires root / elevated privileges |
| [noisy] | Generates significant noise; likely to trigger IDS/IPS alerts |
Host Discovery & Network Mapping
nmap -sn 192.0.2.0/24
What it does: As root, sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request to every address and reports the ones that answer; no port scan follows. Without root, Nmap can only open TCP connections (via connect()) to ports 80 and 443, so the ICMP and ACK probes are never sent. When to use it: Initial network inventory, asset discovery, or before a maintenance window to identify responding systems. Risks: ICMP is often blocked at perimeter firewalls, and a host that drops all four probes but exposes other services is reported as down. Expected output: One `Host is up (latency)` line per responding address; no port data.
| When to avoid | Alternative |
|---|---|
| You need port state data to confirm service exposure | Drop -sn and run -sS directly; accept that you'll scan some dead IPs |
Stealth TCP Scanning with OS Detection
sudo nmap -sS -O 198.51.100.42
[root]
What it does: `-sS` sends a SYN to each port and answers any SYN/ACK with a RST instead of completing the handshake (half-open scan), so the target application never sees a connection; `-O` then sends a series of crafted TCP, UDP and ICMP probes and matches the stack's responses against Nmap's OS fingerprint database. When to use it: Reconnaissance where you want to avoid application-level log entries on the target (packet-level logging still records every SYN); OS data helps prioritize vulnerability checks. Risks: Both `-sS` and `-O` require root (raw sockets); `-O` adds probe traffic, and its accuracy degrades behind firewalls, NAT or load balancers, which rewrite the TCP/IP fields it fingerprints. Expected output: Port table plus `Device type`, `Running:` and `OS details` lines; when no exact match is found Nmap prints `Aggressive OS guesses:` with a percentage for each candidate.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:50:56:C0:00:08 (VMware)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.15
OS details: Linux 5.15
A port marked `filtered` is not a clean result; it is an unanswered question. Nmap reports it when the probe drew no reply at all (even after retries) or an ICMP unreachable error, rather than the SYN/ACK or RST that would mean `open` or `closed`, so a firewall, host-based filter, or rate limiter sat in the path. Log these separately; they often indicate segmentation boundaries worth mapping.
Service Version Detection with Default Scripts
sudo nmap -sV -sC 198.51.100.42
[noisy]
What it does: `-sV` sends protocol-specific probes to each open port to determine the service name and version banner; `-sC` runs the NSE scripts in the `default` category. Note that `default` is not the same as the `safe` category: scripts are admitted to `default` when they are fast, useful and non-destructive, but a few of them are also classed `intrusive`. When to use it: Baseline documentation, vulnerability correlation, or before patch cycles. Risks: Version probes can crash fragile embedded services; `-sC` scripts are conservative but not zero-risk. Expected output: Enhanced port table with a `VERSION` column and indented script output blocks under each port.
Full Port Range Scan
sudo nmap -p- 198.51.100.42
[noisy]
What it does: Scans all 65,535 TCP ports (`-p-` expands to 1-65535; port 0 is only included with `-p0-`). When to use it: Thorough compromise assessment, CTF environments, or when you suspect non-standard services above port 1024. Risks: Duration scales with the number of ports; a single host can take 15-60+ minutes depending on latency and rate limits, and hosts that rate-limit their RST replies slow the closed-port sweep further. Expected output: Complete port inventory; most ports will be `closed` or `filtered`, and Nmap folds those into a single `Not shown:` line.
Lab: `nmap -p- -T4 198.51.100.42` (faster, noisier)
Production: `nmap -p- -T2 --max-retries 1 198.51.100.42` (slower, gentler on WAN links; with a single retry, one dropped probe is enough for a port to show as `filtered`)
Aggressive Scan
sudo nmap -A 198.51.100.42
[root] [noisy]
What it does: Equivalent to `-sV -sC -O --traceroute`; enables version detection, default scripts, OS fingerprinting, and path tracing in one invocation (it does not change the port list or the timing template). When to use it: Single-host deep inspection when you need maximum data and noise is acceptable. Risks: Very verbose; `-O` and `--traceroute` need root, and the traceroute probes with incrementing TTLs are seen by every router between you and the target. Expected output: Consolidated report suitable for documentation or ticket attachment.
Output in All Formats
nmap -oA scan_20250715_198.51.100.42 -sV 198.51.100.42
What it does: Writes `.nmap` (human-readable), `.xml` (parser-friendly), and `.gnmap` (grep-friendly) files simultaneously, all sharing the given basename. When to use it: Any scripted workflow or when downstream tools consume XML. Risks: None operational; ensure the target directory exists, and note that existing files with the same basename are overwritten unless you add `--append-output`. Expected output: Three files with a consistent basename; the XML file records the exact command line in the `args` attribute of its `nmaprun` element, which is worth keeping for reproducibility.
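The point of `-oA` is that the `.xml` file is the one downstream tooling should read. The following is an added example, not code from the original page or from the Nmap project: a small parser over the `nmaprun/host/ports/port` structure that nmap's XML output uses, plus a diff between two runs, which is what "baseline documentation" turns into in practice. `SAMPLE_XML` is a constructed, trimmed document in that shape, not the output of a real scan, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap -oX writes; trimmed, and not the output of a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oA scan_20250715_198.51.100.42 -sV 198.51.100.42" start="1752573600" version="7.94">
<host starttime="1752573600" endtime="1752573640"><status state="up" reason="syn-ack"/>
<address addr="198.51.100.42" addrtype="ipv4"/><hostnames/>
<ports><extraports state="closed" count="997"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
<runstats><finished time="1752573640" elapsed="40.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return (scan_args, {addr: [port_record, ...]}) for every host in a nmap XML run."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        # nmap emits one <address> per address type; prefer the IPv4 one, fall back to IPv6
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        records = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")   # absent when no service guess was made
            records.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": None if svc is None else svc.get("name"),
                "product": None if svc is None else svc.get("product"),
                "version": None if svc is None else svc.get("version"),
            })
        hosts[addr_el.get("addr")] = records
    # the args attribute is the exact command line: keep it with the findings
    return root.get("args"), hosts


def ports_in_state(hosts, wanted):
    """{addr: sorted [(proto, port), ...]} restricted to one state, e.g. 'open' or 'filtered'."""
    return {addr: sorted((r["proto"], r["port"]) for r in recs if r["state"] == wanted)
            for addr, recs in hosts.items()}


def diff_open(baseline, current):
    """Compare two ports_in_state(..., 'open') results from different runs.
    Returns (newly_open, no_longer_open) as sorted (addr, proto, port) tuples."""
    base = {(a, p, n) for a, ports in baseline.items() for p, n in ports}
    cur = {(a, p, n) for a, ports in current.items() for p, n in ports}
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    args, hosts = parse_nmap_xml(SAMPLE_XML)
    print("scan command:", args)
    print("open:", ports_in_state(hosts, "open"))
    print("filtered (follow up separately):", ports_in_state(hosts, "filtered"))
```

Feed it `open(path).read()` of a real `.xml` file instead of `SAMPLE_XML`; keeping the `filtered` set apart from the `open` set is deliberate, since the two need different follow-up.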
Balanced Speed for Common Ports
nmap -T4 --top-ports 1000 192.0.2.0/24
[noisy]
What it does: Uses timing template 4 (aggressive) against the 1,000 most frequently open ports per Fyodor's port-frequency research. Note that the top 1,000 ports is already Nmap's default port set, so `--top-ports 1000` only makes that choice explicit; `--top-ports 100` or `--top-ports 5000` actually changes it. When to use it: Quick health checks on internal networks with good bandwidth and no IDS concerns. Risks: `-T4` assumes a fast, reliable network; on slow targets or congested, lossy links its shorter timeouts turn dropped probes into false `filtered` or `closed` results. Expected output: Fast results for responsive hosts; false negatives on uncommon services.
Skip Host Discovery
nmap -Pn 198.51.100.42
What it does: Treats target as online regardless of ping response; proceeds directly to port scan. When to use it: Targets block ICMP, or you're scanning through proxies/forwarders where host discovery probes fail differently than port probes. Risks: You will wait full timeout cycles against truly dead IPs. Expected output: Port results for hosts that would otherwise be skipped.
Fast UDP Scanning
sudo nmap -sU -F 198.51.100.42
[root]
What it does: `-sU` sends a UDP datagram to each port (empty, or a protocol-specific payload for well-known ports such as 53 and 161) and classifies the reply: a UDP answer means `open`, an ICMP port unreachable means `closed`, and silence means `open|filtered`; `-F` limits the scan to the top 100 ports instead of the default 1,000. Raw UDP probing requires root. When to use it: DNS, SNMP, NTP, or VoIP infrastructure checks where UDP services are expected. Risks: UDP scanning is inherently slow (no handshake to confirm state, and many hosts rate-limit ICMP errors to about one per second, so a full 1,000-port sweep of closed ports takes many minutes); many ports return `open|filtered` due to silence. Expected output: Sparse but critical findings; plan for long runtimes if expanding beyond `-F`, and add `-sV` to resolve `open|filtered` ports whose service answers protocol probes.
Vulnerability Detection with NSE
nmap --script vuln 198.51.100.42
[noisy]
What it does: Runs every NSE script in the `vuln` category: checks for specific known vulnerabilities (most reference a CVE or advisory) and dangerous misconfigurations. Credential guessing is not part of `vuln`; that lives in the `auth` and `brute` categories. When to use it: Scheduled security assessments, pre-patch validation, or incident response triage. Risks: Several `vuln` scripts are also in the `intrusive` category and can crash or destabilize the service they test; findings are heuristic, so false positives require manual verification. Expected output: Structured vulnerability findings with references and, for scripts built on the `vulns` library, a risk factor and CVSS score where available.
Decoy Scan
sudo nmap -D RND:10 198.51.100.42
[root] [noisy]
What it does: Sends every probe from 10 random decoy source addresses as well as from your real address, so target logs and an IDS see 11 apparent scanners hitting the same ports with near-identical timing. Your real address is still among them: decoys obscure attribution, they do not reduce the per-source probe count or prevent detection. They only work with raw-packet scans (`-sS`, `-sU`, `-sA` and similar); `-sT`, `-sV` probes and NSE scripts complete real connections from your address and are never decoyed. Nmap's documentation also warns that decoy addresses should belong to live hosts, otherwise the SYN/ACKs the target sends to unreachable decoys can pile up as half-open connections and amount to a SYN flood of the target. When to use it: Authorized, defensive use only. Use in lab environments or in explicitly authorized detection-validation exercises to test SIEM correlation rules and source-based alerting.
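What "testing SIEM correlation rules" looks like on the defender's side, as an added example (not code from the original page or from Nmap): a per-source port-scan rule fires on every decoy as well as the real address, so a second rule that groups sources hitting the same destination port within a few milliseconds of each other is what separates one decoy scan from several independent scanners. The log lines are constructed by `constructed_log` in a simple `key=value` format assumed for this example; the function names, thresholds and the three-source decoy scan are this example's own choices, not anything on the page.

```python
from collections import defaultdict


def constructed_log(sources, dst, ports, t0, jitter):
    """Constructed firewall-style lines (one SYN per source and port), not real captures."""
    lines = []
    for i, port in enumerate(ports):
        for j, src in enumerate(sources):
            ts = t0 + 0.1 * i + jitter * j      # probes 100 ms apart; decoys a few ms behind each other
            lines.append(f"ts={ts:.3f} src={src} dst={dst} dport={port} proto=tcp flags=S")
    return lines


PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
TARGET = "198.51.100.42"
# One ordinary scan, then the same probe set sent from a real address plus two decoys
LOG = (constructed_log(["203.0.113.5"], TARGET, PORTS, 100.0, 0.0)
       + constructed_log(["203.0.113.9", "192.0.2.77", "198.18.0.3"], TARGET, PORTS, 200.0, 0.001))


def parse(lines):
    """Turn key=value lines into (ts, src, dst, dport) tuples."""
    events = []
    for line in lines:
        kv = dict(field.split("=", 1) for field in line.split())
        events.append((float(kv["ts"]), kv["src"], kv["dst"], int(kv["dport"])))
    return events


def flag_scanners(events, min_ports=10, window=60.0):
    """Sources that touch >= min_ports distinct ports on one destination within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    hits = set()
    for (src, dst), probes in by_pair.items():
        probes.sort()
        lo = 0
        for hi in range(len(probes)):              # sliding time window over this source's probes
            while probes[hi][0] - probes[lo][0] > window:
                lo += 1
            if len({p for _, p in probes[lo:hi + 1]}) >= min_ports:
                hits.add(src)
                break
    return hits


def decoy_groups(events, tolerance=0.01, min_shared=5):
    """Sets of sources that hit the same (dst, port) within `tolerance` seconds on >= min_shared
    ports: the fingerprint of one scanner emitting each probe from its real and decoy addresses."""
    by_probe = defaultdict(list)
    for ts, src, dst, dport in events:
        by_probe[(dst, dport)].append((ts, src))
    counts = defaultdict(int)
    for probes in by_probe.values():
        probes.sort()
        cluster, start = [], None
        for ts, src in probes + [(float("inf"), None)]:   # sentinel flushes the last cluster
            if start is not None and ts - start <= tolerance:
                cluster.append(src)
                continue
            if len(cluster) > 1:
                counts[frozenset(cluster)] += 1
            cluster, start = [src], ts
    return {group for group, n in counts.items() if n >= min_shared}


if __name__ == "__main__":
    ev = parse(LOG)
    print("port-scan rule fires on:", sorted(flag_scanners(ev)))
    print("sources moving in lockstep (decoy set):", [sorted(g) for g in decoy_groups(ev)])
```

The first rule lists all four addresses, which is exactly the attribution problem decoys create; the second collapses the three lockstep sources into one group, and the real address is one of its members. The tolerance depends on how precisely your log source timestamps events.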
Fragmentation Evasion
sudo nmap -sS --mtu 16 198.51.100.42
[root] [noisy]
What it does: `-f` splits each raw probe so the transport header travels as 8-byte IP fragments (`-ff` uses 16-byte fragments); `--mtu` sets an explicit fragment size, which must be a multiple of 8, and is the alternative to `-f`, so specify one or the other rather than `-f --mtu 16` together. Fragmentation only applies to raw-packet scans; `-sT`, `-sV` probes and NSE scripts go through the OS socket API and are sent unfragmented. It bypasses packet filters that evaluate only the first fragment without reassembling: with 8-byte fragments the TCP ports are in the first fragment but the flags byte is not, so such a filter cannot even tell it is looking at a SYN. Stateful firewalls and modern IDS reassemble before inspection, and some hosts and middleboxes drop tiny fragments outright, which shows up as `filtered`. When to use it: Authorized, defensive use only. IDS/IPS testing in controlled environments, or validating that your own edge devices properly reassemble before ACL evaluation.
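To see which TCP header fields a non-reassembling filter can actually read at each fragment size, here is an added example (not code from the original page or from Nmap) that builds a bare 20-byte SYN header, fragments it the way IP does, and then shows both the first-fragment-only view and the reassembled view. The header is built with a zero checksum purely for illustration and is never put on the wire; the function names are this example's own.

```python
import struct


def build_tcp_syn(src_port, dst_port, seq=0x12345678):
    """Minimal 20-byte TCP header with only SYN set (checksum 0: illustration, not a sendable packet)."""
    data_offset = 5 << 4                 # 5 x 32-bit words, no options
    flags = 0x02                         # SYN
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, data_offset, flags, 64240, 0, 0)


def fragment(transport, frag_size):
    """Split a transport segment as IP fragmentation does: frag_size is a multiple of 8,
    offsets are counted in 8-byte units, and MF (more fragments) is set on all but the last piece."""
    if frag_size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(transport), frag_size):
        chunk = transport[start:start + frag_size]
        frags.append({"offset": start // 8, "mf": start + frag_size < len(transport), "data": chunk})
    return frags


def first_fragment_view(frags):
    """What a filter that inspects only the offset-0 fragment can read:
    the ports are always there, the flags byte (offset 13) only if the fragment is long enough."""
    first = next(f for f in frags if f["offset"] == 0)
    src, dst = struct.unpack("!HH", first["data"][:4])
    flags = first["data"][13] if len(first["data"]) > 13 else None
    return {"src_port": src, "dst_port": dst,
            "syn_visible": None if flags is None else bool(flags & 0x02)}


def reassemble(frags):
    """What a stateful device does before evaluating an ACL: order by offset, check for gaps,
    overlaps and a missing final fragment, then join."""
    ordered = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in ordered:
        if f["offset"] * 8 != expected:
            raise ValueError("gap or overlap in fragment set")
        expected += len(f["data"])
    if ordered[-1]["mf"]:
        raise ValueError("last fragment missing")
    return b"".join(f["data"] for f in ordered)


if __name__ == "__main__":
    syn = build_tcp_syn(40000, 443)
    for size in (8, 16):                 # -f / --mtu 8 versus --mtu 16
        frags = fragment(syn, size)
        print(f"{size}-byte fragments: {len(frags)} pieces, first-fragment view:", first_fragment_view(frags))
    print("reassembled equals original:", reassemble(fragment(syn, 8)) == syn)
```

With 8-byte fragments `syn_visible` is `None`: the filter sees ports 40000 and 443 but cannot tell whether this is a SYN. With `--mtu 16` the flags byte is still in the first fragment, so that setting only troubles filters that mishandle any fragmentation at all, not ones that read the first fragment's header. Either way, anything that reassembles gets the original segment back, which is why this is a test of your own devices rather than a reliable bypass.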
Flag Category Quick Reference
| Category | Common Flags | Purpose |
|---|---|---|
| Scan type | -sS, -sT, -sU, -sV, -A, -sn | TCP SYN, connect, UDP, version, aggressive, ping sweep |
| Timing | -T0 to -T5, --min-rate, --max-retries | Speed vs. stealth trade-off; -T0/-T1 for IDS evasion, -T3 default, -T4/-T5 for internal networks |
| Output | -oN, -oX, -oG, -oA | Normal, XML, grepable, all formats |
| Evasion | -f, --mtu, -D, --source-port, --data-length | Fragmentation, explicit fragment size, decoys, chosen source port (not a spoofed origin; that is -S), payload padding |
Common Mistakes
| Mistake | Why it bites you |
|---|---|
| Running -A by default on every target | Roughly doubles scan time and noise; -sV alone suffices for most inventories |
| Forgetting -Pn against cloud hosts | AWS, GCP and Azure security groups often drop ICMP, and the default TCP discovery probes to 80/443 only get an answer if those ports are open; Nmap then marks the host down and skips it entirely |
| Using -T5 across WAN links | Packet loss causes false filtered or closed states; -T4 is usually the ceiling |
| Ignoring UDP (-sU) entirely | SNMP, DNS, IPMI, and various IoT protocols expose attack surface only over UDP |
| Trusting version banners blindly | Services can be honeypots, misreported, or backport-patched without a banner update |
Pre-Scan Checklist
- [ ] Confirm authorization scope (IP ranges, ports, timing constraints)
- [ ] Verify `nmap` version matches expected features (`nmap --version`)
- [ ] Test connectivity: `ping` or `nc` to one target to confirm path
- [ ] Select output format for downstream consumption
- [ ] For production: start with `-T3` or `-T2`, escalate only if performance permits
- [ ] Log scan parameters for reproducibility and incident correlation