@aw-junaid
Created December 17, 2025 15:27
The core scanning engine that performs network discovery, port scanning, version detection, and OS fingerprinting. It's a command-line tool that sends specially crafted packets to target hosts and analyzes the responses.

Nmap Cheat Sheet

Table of Contents

  1. What is Nmap?
  2. How to Use Nmap
    1. Command Line
    2. Zenmap GUI
    3. Python Nmap Module
  3. Basic Scanning Techniques
    1. Scan a Single Target
    2. Scan Multiple Targets
    3. Scan a List of Targets
    4. Scan a Range of Hosts
    5. Scan an Entire Subnet
    6. Scan Random Hosts
    7. Exclude Targets From a Scan
    8. Exclude Targets Using a List
    9. Perform an Aggressive Scan
    10. Scan an IPv6 Target
  4. Port Scanning Options
    1. Perform a Fast Scan
    2. Scan Specific Ports
    3. Scan Ports by Name
    4. Scan Ports by Protocol
    5. Scan All Ports
    6. Scan Top Ports
    7. Perform a Sequential Port Scan
    8. Attempt to Guess an Unknown OS
    9. Service Version Detection
    10. Troubleshoot Version Scan
    11. Perform a RPC Scan
  5. Discovery Options
    1. Perform a Ping Only Scan
    2. Do Not Ping
    3. TCP SYN Ping
    4. TCP ACK Ping
    5. UDP Ping
    6. SCTP INIT Ping
    7. ICMP Echo Ping
    8. ICMP Timestamp Ping
    9. ICMP Address Mask Ping
    10. IP Protocol Ping
    11. ARP Ping
    12. Traceroute
    13. Force Reverse DNS Resolution
    14. Disable Reverse DNS Resolution
    15. Alternative DNS Lookup
    16. Manually Specify DNS Server
    17. Create a Host List
  6. Firewall Evasion Techniques
    1. Fragment Packets
    2. Specify a Specific MTU
    3. Use a Decoy
    4. Idle Zombie Scan
    5. Manually Specify a Source Port
    6. Append Random Data
    7. Randomize Target Scan Order
    8. Spoof MAC Address
    9. Send Bad Checksums
    10. Spoof Source Address
    11. Use Proxies for Scanning
  7. Advanced Scanning Functions
    1. TCP SYN Scan
    2. TCP Connect Scan
    3. UDP Scan
    4. TCP NULL Scan
    5. TCP FIN Scan
    6. Xmas Scan
    7. TCP ACK Scan
    8. Custom TCP Scan
    9. IP Protocol Scan
    10. Send Raw Ethernet Packets
    11. Send IP Packets
  8. Timing Options
    1. Timing Templates
    2. Set the Packet TTL
    3. Minimum Number of Parallel Operations
    4. Maximum Number of Parallel Operations
    5. Minimum Host Group Size
    6. Maximum Host Group Size
    7. Maximum RTT Timeout
    8. Initial RTT Timeout
    9. Maximum Number of Retries
    10. Host Timeout
    11. Minimum Scan Delay
    12. Maximum Scan Delay
    13. Minimum Packet Rate
    14. Maximum Packet Rate
    15. Defeat Reset Rate Limits
  9. Output Options
    1. Save Output to a Text File
    2. Save Output to a XML File
    3. Grepable Output
    4. Output All Supported File Types
    5. Periodically Display Statistics
    6. 1337 Output
    7. Interactive Output
    8. Display Reason for Port States
  10. Compare Scans
    1. Comparison Using Ndiff
    2. Ndiff Verbose Mode
    3. XML Output Mode
  11. Troubleshooting and Debugging
    1. Get Help
    2. Display Nmap Version
    3. Verbose Output
    4. Debugging
    5. Display Port State Reason
    6. Only Display Open Ports
    7. Trace Packets
    8. Display Host Networking
    9. Specify a Network Interface
    10. Check for Root Privileges
  12. Nmap Scripting Engine (NSE)
    1. Execute Individual Scripts
    2. Execute Multiple Scripts
    3. Execute Scripts by Category
    4. Execute Multiple Script Categories
    5. Troubleshoot Scripts
    6. Update the Script Database
    7. Script Categories Overview
    8. Script Arguments
    9. Script Timing and Safety
  13. OS Detection Techniques
    1. Basic OS Detection
    2. Aggressive OS Detection
    3. OS Detection with Version Detection
    4. OS Detection Limits
  14. Performance Optimization
    1. Adjusting Timing Parameters
    2. Network Configuration
    3. Memory Management
  15. Real-World Scan Examples
    1. Basic Network Inventory Scan
    2. Comprehensive Security Audit
    3. Stealthy Penetration Test Scan
    4. Web Server Enumeration
    5. Database Server Discovery
  16. Nmap in Scripts and Automation
    1. Bash Scripting with Nmap
    2. Python Integration
    3. Scheduled Scans
  17. Common Mistakes and Best Practices
    1. Legal Considerations
    2. Ethical Scanning Guidelines
    3. Performance Best Practices
    4. Security Best Practices

What is Nmap?

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich), it has become the de facto standard for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Key Features:

  • Host Discovery: Identify hosts on a network
  • Port Scanning: Enumerate open ports on target systems
  • Version Detection: Determine service/application name and version numbers
  • OS Detection: Determine operating system and hardware characteristics
  • Scriptable Interaction: Nmap Scripting Engine (NSE) for advanced detection and vulnerability checks
  • Flexible: Supports dozens of advanced techniques for mapping out networks
  • Cross-Platform: Runs on Linux, Windows, macOS, and other platforms

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

How to Use Nmap

Nmap can be used in a variety of ways depending on the user's level of technical expertise and specific requirements.

Command Line

nmap [Scan Type(s)] [Options] {target specification}

Target Specification:

  • Can pass hostnames, IP addresses, networks, etc.
  • Ex: scanme.nmap.org, 192.168.1.1, 192.168.1.0/24, 10.0.0-255.1-254

Basic Structure:

nmap [target]

Zenmap GUI

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application that makes Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

Features:

  • Interactive and graphical results viewing
  • Profile editor for scan configurations
  • Topology mapping
  • Results comparison
  • Saved scan results
  • Built-in command creator

Installation:

# Debian/Ubuntu
sudo apt-get install zenmap

# Windows
# Download from https://nmap.org/download.html

Python Nmap Module

For integration with Python scripts and automation.

Installation:

pip install python-nmap

Basic Usage:

import nmap
nm = nmap.PortScanner()
nm.scan('127.0.0.1', '22-443')
print(nm.all_hosts())
print(nm['127.0.0.1'].all_protocols())

Basic Scanning Techniques

Scan a Single Target

nmap [target]

Examples:

nmap 192.168.1.1
nmap scanme.nmap.org
nmap localhost

Scan Multiple Targets

nmap [target1 target2 target3]

Examples:

nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3
nmap 192.168.1.1-3

Scan a List of Targets

nmap -iL [input file]

Examples:

nmap -iL targets.txt
# File format: one target per line
# 192.168.1.1
# 192.168.1.2
# example.com

Scan a Range of Hosts

nmap [start IP]-[end IP]

Examples:

nmap 192.168.1.1-100
nmap 10.0.0.1-254

Scan an Entire Subnet

nmap [network address]/[prefix]

Examples:

nmap 192.168.1.0/24
nmap 10.0.0.0/16
nmap 172.16.0.0/12

Scan Random Hosts

nmap -iR [number of hosts]

Examples:

nmap -iR 10        # Scan 10 random hosts
nmap -iR 100       # Scan 100 random hosts
nmap -iR 0         # Continuous random scanning (use with caution!)

Exclude Targets From a Scan

nmap [target range] --exclude [hosts to exclude]

Examples:

nmap 192.168.1.0/24 --exclude 192.168.1.100
nmap 192.168.1.1-100 --exclude 192.168.1.50,192.168.1.60

Exclude Targets Using a List

nmap [targets] --excludefile [exclude file]

Examples:

nmap 192.168.1.0/24 --excludefile exclude.txt
# exclude.txt contains:
# 192.168.1.100
# 192.168.1.200
# printer.local
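A mistyped range in any of the target forms above can pull hosts outside the authorized scope into a scan. As an added example (not part of this gist or of Nmap), the Python below expands Nmap's IPv4 target notation (single addresses, CIDR blocks, per-octet ranges and comma lists such as 192.168.1.1-100 or 10.0.0-255.1-254) the way Nmap interprets it, then checks every resulting address against an authorized scope and an exclude list, so a targets.txt can be validated before it is handed to -iL. It handles literal IPv4 specs only (hostnames are not resolved); `expand_target`, `check_scope` and the sample scope values are this example's own.

```python
"""Expand Nmap IPv4 target notation and check it against an authorized scope.

Added example for this cheat sheet; not Nmap or python-nmap code.
"""
import ipaddress
import itertools
from typing import Iterable, List, Set, Tuple


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet field: '5', '1-100', '1,2,3', '-' (0-255), '200-' (200-255)."""
    values: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo_v = int(lo) if lo else 0      # Nmap treats a missing bound as 0 / 255
            hi_v = int(hi) if hi else 255
        else:
            lo_v = hi_v = int(part)
        if not 0 <= lo_v <= hi_v <= 255:
            raise ValueError(f"bad octet range: {spec!r}")
        values.update(range(lo_v, hi_v + 1))
    return sorted(values)


def expand_target(spec: str) -> List[str]:
    """Return every IPv4 address an Nmap target spec covers.

    CIDR blocks expand as Nmap scans them: every address in the block,
    network and broadcast addresses included.
    """
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec (hostnames unsupported): {spec!r}")
    octets = [_expand_octet(f) for f in fields]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def check_scope(specs: Iterable[str], authorized: Iterable[str],
                excluded: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split the expanded targets into (in_scope, out_of_scope).

    `authorized` and `excluded` are CIDR strings. Excluded addresses are
    dropped entirely, which is what --excludefile would do at scan time.
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in authorized]
    denied = [ipaddress.ip_network(n, strict=False) for n in excluded]
    in_scope: List[str] = []
    out_of_scope: List[str] = []
    for spec in specs:
        for addr_s in expand_target(spec):
            addr = ipaddress.ip_address(addr_s)
            if any(addr in d for d in denied):
                continue
            bucket = in_scope if any(addr in a for a in allowed) else out_of_scope
            bucket.append(addr_s)
    return in_scope, out_of_scope


if __name__ == "__main__":
    # Constructed sample: a targets.txt-style list checked against an authorized scope.
    targets = ["192.168.1.1-3", "10.0.0.5", "192.168.2.0/30"]
    ok, bad = check_scope(targets,
                          authorized=["192.168.1.0/24", "192.168.2.0/24"],
                          excluded=["192.168.1.2/32"])
    print("in scope:", ok)
    print("OUT OF SCOPE, do not scan:", bad)
```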

Perform an Aggressive Scan

nmap -A [target]

The -A option enables:

  • OS detection (-O)
  • Version detection (-sV)
  • Script scanning (-sC)
  • Traceroute (--traceroute)

Examples:

nmap -A 192.168.1.1
nmap -A -T4 192.168.1.0/24

Scan an IPv6 Target

nmap -6 [target]

Examples:

nmap -6 2001:db8::1
nmap -6 fe80::a00:27ff:fe4e:66a1
nmap -6 2001:db8::/64

Port Scanning Options

Perform a Fast Scan

nmap -F [target]

Scans the 100 most common ports (instead of the default 1000).

Examples:

nmap -F 192.168.1.1
nmap --top-ports 50 192.168.1.1     # Customize the number of top ports (-F is fixed at 100)

Scan Specific Ports

nmap -p [port(s)] [target]

Examples:

nmap -p 80 192.168.1.1
nmap -p 80,443 192.168.1.1
nmap -p 1-100 192.168.1.1
nmap -p 22,80,443,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,443,8080 192.168.1.1

Scan Ports by Name

nmap -p [service name(s)] [target]

Examples:

nmap -p http 192.168.1.1
nmap -p http,https 192.168.1.1
nmap -p smtp,pop3,imap 192.168.1.1

Scan Ports by Protocol

nmap -sU -sT -p U:[ports],T:[ports] [target]

Examples:

nmap -sU -sT -p U:53,67-69,111,161,T:21-25,80,443 192.168.1.1
nmap -sU -sT -p T:80,U:53 192.168.1.1  # U: ports are only probed when -sU is also given

Scan All Ports

nmap -p- [target]

or

nmap -p 1-65535 [target]

Note: Scanning all ports can be very time-consuming.

Examples:

nmap -p- 192.168.1.1
nmap -p 1-65535 --max-rate 1000 192.168.1.1  # Rate limited

Scan Top Ports

nmap --top-ports [number] [target]

Examples:

nmap --top-ports 10 192.168.1.1
nmap --top-ports 100 192.168.1.0/24
nmap --top-ports 1000 192.168.1.1

Perform a Sequential Port Scan

nmap -r [target]

Scans ports in numerical order rather than random order.

Examples:

nmap -r 192.168.1.1
nmap -r -p 1-100 192.168.1.1

Attempt to Guess an Unknown OS

nmap -O --osscan-guess [target]

When Nmap cannot determine the OS exactly, it will make guesses.

Examples:

nmap -O --osscan-guess 192.168.1.1
nmap -O --osscan-guess --max-os-tries 1 192.168.1.1

Service Version Detection

nmap -sV [target]

Examples:

nmap -sV 192.168.1.1
nmap -sV --version-intensity 9 192.168.1.1  # Most intense
nmap -sV --version-light 192.168.1.1        # Lighter/faster
nmap -sV --version-all 192.168.1.1          # Try every single probe

Version Intensity Levels:

  • 0: No version detection
  • 1-9: Increasing intensity (9 is most comprehensive)
  • light: Equivalent to intensity 2
  • all: Equivalent to intensity 9

Troubleshoot Version Scan

nmap -sV --version-trace [target]

Shows detailed information about the version detection process.

Examples:

nmap -sV --version-trace 192.168.1.1
nmap -sV -d --version-trace 192.168.1.1  # With debug output

Perform a RPC Scan

nmap -sR [target]

RPC (Remote Procedure Call) scan. Note: -sR is now deprecated in favor of NSE scripts.

Examples:

nmap -sR 192.168.1.1
nmap --script rpc-grind 192.168.1.1  # Modern alternative

Discovery Options

Perform a Ping Only Scan

nmap -sn [target]

Host discovery only - no port scan.

Examples:

nmap -sn 192.168.1.0/24
nmap -sn 192.168.1.1-100
nmap -sn -PE -PS22,80,443 192.168.1.0/24  # Custom ping types

Do Not Ping

nmap -Pn [target]

Treat all hosts as online - skip host discovery.

Examples:

nmap -Pn 192.168.1.1
nmap -Pn -p 80,443 192.168.1.0/24

TCP SYN Ping

nmap -PS[port list] [target]

Sends TCP SYN packet to specified ports.

Examples:

nmap -PS 192.168.1.1                    # Default port 80
nmap -PS22,80,443 192.168.1.1          # Specific ports
nmap -PS22-25,80,110,143 192.168.1.1   # Port range
nmap -PS 192.168.1.0/24                # Network scan

TCP ACK Ping

nmap -PA[port list] [target]

Sends TCP ACK packet to specified ports.

Examples:

nmap -PA 192.168.1.1
nmap -PA80,443 192.168.1.1
nmap -PA 192.168.1.0/24

UDP Ping

nmap -PU[port list] [target]

Sends UDP packet to specified ports.

Examples:

nmap -PU 192.168.1.1                    # Default port 40125
nmap -PU53,111,137 192.168.1.1         # Specific ports
nmap -PU53-59 192.168.1.1              # Port range

SCTP INIT Ping

nmap -PY[port list] [target]

Sends SCTP INIT chunk to specified ports.

Examples:

nmap -PY 192.168.1.1
nmap -PY80,443 192.168.1.1

ICMP Echo Ping

nmap -PE [target]

Sends ICMP echo request (ping).

Examples:

nmap -PE 192.168.1.1
nmap -PE 192.168.1.0/24

ICMP Timestamp Ping

nmap -PP [target]

Sends ICMP timestamp request.

Examples:

nmap -PP 192.168.1.1
nmap -PP 192.168.1.0/24

ICMP Address Mask Ping

nmap -PM [target]

Sends ICMP address mask request.

Examples:

nmap -PM 192.168.1.1
nmap -PM 192.168.1.0/24

IP Protocol Ping

nmap -PO[protocol list] [target]

Sends IP protocol packets.

Examples:

nmap -PO 192.168.1.1                    # Default protocols 1 (ICMP), 2 (IGMP), 4 (IPIP)
nmap -PO1,6,17 192.168.1.1             # Protocols 1 (ICMP), 6 (TCP), 17 (UDP)

ARP Ping

nmap -PR [target]

ARP ping for local network discovery.

Examples:

nmap -PR 192.168.1.0/24
nmap -PR 192.168.1.1-100

Traceroute

nmap --traceroute [target]

Perform traceroute to target.

Examples:

nmap --traceroute 192.168.1.1
nmap --traceroute -p 80 google.com
nmap --traceroute --max-ttl 30 192.168.1.1

Force Reverse DNS Resolution

nmap -R [target]

Always do reverse DNS resolution.

Examples:

nmap -R 192.168.1.0/24
nmap -R -sn 192.168.1.1-100

Disable Reverse DNS Resolution

nmap -n [target]

Never do reverse DNS resolution (by default Nmap resolves names only for hosts found to be online).

Examples:

nmap -n 192.168.1.0/24
nmap -n -sn 192.168.1.1-100

Alternative DNS Lookup

nmap --system-dns [target]

Use system DNS resolver instead of built-in parallel resolver.

Examples:

nmap --system-dns 192.168.1.0/24
nmap --system-dns -R 192.168.1.1

Manually Specify DNS Server

nmap --dns-servers [server1,server2,...] [target]

Examples:

nmap --dns-servers 8.8.8.8 192.168.1.0/24
nmap --dns-servers 8.8.8.8,8.8.4.4 192.168.1.0/24
nmap --dns-servers 192.168.1.1 192.168.1.0/24

Create a Host List

nmap -sL [targets]

List scan - simply list targets to scan.

Examples:

nmap -sL 192.168.1.0/24
nmap -sL -n 192.168.1.0/24  # Without DNS resolution
nmap -sL -R 192.168.1.0/24  # With DNS resolution

Firewall Evasion Techniques

Fragment Packets

nmap -f [target]

Fragment packets (splits the TCP header across several small IP fragments).

Examples:

nmap -f 192.168.1.1
nmap --mtu 16 192.168.1.1    # Specify fragment size (must be a multiple of 8)
nmap -f --data-length 200 192.168.1.1

Specify a Specific MTU

nmap --mtu [MTU] [target]

Set maximum transmission unit size.

Examples:

nmap --mtu 8 192.168.1.1
nmap --mtu 16 192.168.1.1
nmap --mtu 24 192.168.1.1

Use a Decoy

nmap -D [decoy1,decoy2,ME,...] [target]

Examples:

nmap -D RND:10 192.168.1.1          # 10 random decoys
nmap -D decoy1,decoy2,decoy3,ME 192.168.1.1
nmap -D 192.168.1.101,192.168.1.102,ME 192.168.1.1
nmap -D RND:5,192.168.1.101,ME 192.168.1.1  # Mix of random and specific

Idle Zombie Scan

nmap -sI [zombie host] [target]

Idle scan using another host as a "zombie".

Examples:

nmap -sI 192.168.1.100 192.168.1.1
nmap -sI zombie.example.com 192.168.1.1

Manually Specify a Source Port

nmap --source-port [port] [target]

or

nmap -g [port] [target]

Examples:

nmap --source-port 53 192.168.1.1      # DNS source port
nmap --source-port 20 192.168.1.1      # FTP-data source port
nmap -g 80 192.168.1.1                 # Alternative syntax

Append Random Data

nmap --data-length [number] [target]

Append random data to sent packets.

Examples:

nmap --data-length 25 192.168.1.1
nmap --data-length 100 192.168.1.1
nmap --data-length 300 192.168.1.1

Randomize Target Scan Order

nmap --randomize-hosts [target]

Examples:

nmap --randomize-hosts 192.168.1.0/24
nmap --randomize-hosts -p 80,443 192.168.1.1-100

Spoof MAC Address

nmap --spoof-mac [MAC|0|vendor] [target]

Examples:

nmap --spoof-mac 0 192.168.1.1                    # Random MAC
nmap --spoof-mac Cisco 192.168.1.1               # Vendor MAC
nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1   # Specific MAC

Send Bad Checksums

nmap --badsum [target]

Send packets with bogus TCP/UDP checksums.

Examples:

nmap --badsum 192.168.1.1
nmap -sS --badsum 192.168.1.1

Spoof Source Address

nmap -S [spoofed IP] [target]

Examples:

nmap -S 192.168.1.100 192.168.1.1
nmap -e eth0 -S 10.0.0.1 192.168.1.1

Use Proxies for Scanning

nmap --proxies [proxy1,proxy2,...] [target]

Examples:

nmap --proxies http://192.168.1.100:8080 192.168.1.1
nmap --proxies socks4://192.168.1.100:1080 192.168.1.1

Advanced Scanning Functions

TCP SYN Scan

nmap -sS [target]

Default scan type for root users. Half-open scan.

Examples:

nmap -sS 192.168.1.1
nmap -sS -p 1-1000 192.168.1.0/24

TCP Connect Scan

nmap -sT [target]

Default scan type for non-root users. Full TCP connection.

Examples:

nmap -sT 192.168.1.1
nmap -sT -p 80,443 192.168.1.0/24

UDP Scan

nmap -sU [target]

UDP port scan.

Examples:

nmap -sU 192.168.1.1
nmap -sU -p 53,67-69,161 192.168.1.1
nmap -sU --max-retries 1 192.168.1.0/24  # Faster UDP scan

TCP NULL Scan

nmap -sN [target]

Null scan - sets no bits (TCP flag header is 0).

Examples:

nmap -sN 192.168.1.1
nmap -sN -p 1-100 192.168.1.1

TCP FIN Scan

nmap -sF [target]

FIN scan - sets just the TCP FIN bit.

Examples:

nmap -sF 192.168.1.1
nmap -sF -p 22,80,443 192.168.1.1

Xmas Scan

nmap -sX [target]

Xmas scan - sets FIN, PSH, and URG flags.

Examples:

nmap -sX 192.168.1.1
nmap -sX -p 1-100 192.168.1.1

TCP ACK Scan

nmap -sA [target]

ACK scan - determines if ports are filtered.

Examples:

nmap -sA 192.168.1.1
nmap -sA -p 80,443 192.168.1.1

Custom TCP Scan

nmap --scanflags [flags] [target]

Custom TCP scan with specified flags.

Examples:

nmap --scanflags URGACKPSHRSTSYNFIN 192.168.1.1
nmap --scanflags SYNURG 192.168.1.1

IP Protocol Scan

nmap -sO [target]

Determine which IP protocols are supported.

Examples:

nmap -sO 192.168.1.1
nmap -sO -p 1,6,17 192.168.1.1  # Protocols: ICMP, TCP, UDP

Send Raw Ethernet Packets

nmap --send-eth [target]

Use raw Ethernet sending.

Examples:

nmap --send-eth 192.168.1.1

Send IP Packets

nmap --send-ip [target]

Send at raw IP level.

Examples:

nmap --send-ip 192.168.1.1

Timing Options

Timing Templates

nmap -T[0-5] [target]

Timing Templates:

  • T0 (Paranoid): 5 min wait between probes, IDS evasion
  • T1 (Sneaky): 15 sec wait, IDS evasion
  • T2 (Polite): 0.4 sec wait, slows scan to use less bandwidth
  • T3 (Normal): Default, parallel scans
  • T4 (Aggressive): Assumes fast network, may miss some ports
  • T5 (Insane): Very aggressive, may overwhelm networks

Examples:

nmap -T0 192.168.1.1      # Very slow, stealthy
nmap -T1 192.168.1.1      # Slow, stealthy
nmap -T2 192.168.1.1      # Polite
nmap -T3 192.168.1.1      # Normal (default)
nmap -T4 192.168.1.1      # Aggressive
nmap -T5 192.168.1.1      # Insane

Set the Packet TTL

nmap --ttl [value] [target]

Set IP time-to-live field.

Examples:

nmap --ttl 32 192.168.1.1
nmap --ttl 64 192.168.1.1
nmap --ttl 128 192.168.1.1

Minimum Number of Parallel Operations

nmap --min-parallelism [number] [target]

Set minimum number of parallel operations.

Examples:

nmap --min-parallelism 10 192.168.1.0/24
nmap --min-parallelism 100 192.168.1.0/24

Maximum Number of Parallel Operations

nmap --max-parallelism [number] [target]

Set maximum number of parallel operations.

Examples:

nmap --max-parallelism 1 192.168.1.0/24    # Serial scan
nmap --max-parallelism 10 192.168.1.0/24

Minimum Host Group Size

nmap --min-hostgroup [size] [targets]

Set minimum host group size for parallel scan.

Examples:

nmap --min-hostgroup 64 192.168.1.0/24
nmap --min-hostgroup 256 10.0.0.0/16

Maximum Host Group Size

nmap --max-hostgroup [size] [targets]

Set maximum host group size for parallel scan.

Examples:

nmap --max-hostgroup 16 192.168.1.0/24
nmap --max-hostgroup 1 192.168.1.0/24     # Scan hosts one by one

Maximum RTT Timeout

nmap --max-rtt-timeout [time] [target]

Set maximum round trip time timeout.

Examples:

nmap --max-rtt-timeout 100ms 192.168.1.1
nmap --max-rtt-timeout 500ms 192.168.1.0/24
nmap --max-rtt-timeout 2s 192.168.1.1

Initial RTT Timeout

nmap --initial-rtt-timeout [time] [target]

Set initial round trip time timeout.

Examples:

nmap --initial-rtt-timeout 100ms 192.168.1.1
nmap --initial-rtt-timeout 500ms 192.168.1.0/24

Maximum Number of Retries

nmap --max-retries [number] [target]

Set maximum number of port scan probe retransmissions.

Examples:

nmap --max-retries 0 192.168.1.0/24      # No retries
nmap --max-retries 1 192.168.1.0/24      # One retry
nmap --max-retries 10 192.168.1.1        # Ten retries

Host Timeout

nmap --host-timeout [time] [target]

Give up on slow targets.

Examples:

nmap --host-timeout 30m 192.168.1.0/24      # 30 minutes
nmap --host-timeout 2h 192.168.1.0/24       # 2 hours
nmap --host-timeout 15m 10.0.0.0/16         # 15 minutes

Minimum Scan Delay

nmap --scan-delay [time] [target]

Set minimum time between probes.

Examples:

nmap --scan-delay 1s 192.168.1.1
nmap --scan-delay 100ms 192.168.1.0/24
nmap --scan-delay 5s 192.168.1.1           # Very slow

Maximum Scan Delay

nmap --max-scan-delay [time] [target]

Set maximum time between probes.

Examples:

nmap --max-scan-delay 10ms 192.168.1.1
nmap --max-scan-delay 100ms 192.168.1.0/24

Minimum Packet Rate

nmap --min-rate [number] [target]

Send packets no slower than specified per second.

Examples:

nmap --min-rate 100 192.168.1.0/24      # 100 packets/sec minimum
nmap --min-rate 1000 192.168.1.0/24     # 1000 packets/sec minimum

Maximum Packet Rate

nmap --max-rate [number] [target]

Send packets no faster than specified per second.

Examples:

nmap --max-rate 100 192.168.1.0/24      # 100 packets/sec maximum
nmap --max-rate 10 192.168.1.1          # 10 packets/sec maximum (slow)
nmap --max-rate 1 192.168.1.1           # 1 packet/sec (very slow)

Defeat Reset Rate Limits

nmap --defeat-rst-ratelimit [target]

Do not slow the scan down when a target rate-limits its RST responses. This saves time, but unanswered probes may then be reported as filtered rather than closed.

Examples:

nmap --defeat-rst-ratelimit 192.168.1.1
nmap -sS --defeat-rst-ratelimit 192.168.1.0/24

Output Options

Save Output to a Text File

nmap -oN [filename] [target]

Examples:

nmap -oN scan.txt 192.168.1.1
nmap -oN /tmp/results.txt 192.168.1.0/24
nmap -oN myscan.txt -p 80,443 192.168.1.1

Save Output to a XML File

nmap -oX [filename] [target]

Examples:

nmap -oX scan.xml 192.168.1.1
nmap -oX results.xml 192.168.1.0/24

Grepable Output

nmap -oG [filename] [target]

Examples:

nmap -oG scan.gnmap 192.168.1.1
nmap -oG results.gnmap 192.168.1.0/24
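Grepable output exists to be processed by other tools. As an added example that is not part of this gist or of Nmap, the Python below parses the .gnmap Ports field (entries of the form port/state/protocol/owner/service/rpc-info/version/) from a constructed sample and lists open ports that are not on an allow-list, which is the check an inventory scan is usually fed into. `parse_gnmap`, `unexpected_open_ports` and the sample hosts, services and versions are this example's own.

```python
"""Parse Nmap grepable output (-oG / .gnmap) and flag off-policy open ports.

Added example for this cheat sheet; not Nmap project code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample .gnmap excerpt (hosts, services and versions are invented).
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.1 (router.local)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, "
    "3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 252.10 seconds\n"
)


@dataclass(frozen=True)
class PortRecord:
    host: str
    hostname: str
    port: int
    protocol: str
    state: str
    service: str
    version: str


# "Host: <addr> (<hostname or empty>)<TAB>Key: value<TAB>Key: value..."
HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str) -> List[PortRecord]:
    """Return one PortRecord per port entry; Status-only lines carry no ports."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue                      # '#' comment lines and anything else
        host, hostname, rest = m.groups()
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            p = entry.split("/")
            if len(p) < 7:
                continue                  # malformed entry: skip rather than guess
            # p = [port, state, protocol, owner, service, rpc-info, version, ""]
            records.append(PortRecord(host, hostname, int(p[0]), p[2], p[1], p[4], p[6]))
    return records


def unexpected_open_ports(records: Iterable[PortRecord],
                          allowed: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Open ports whose (protocol, port) is not on the allow-list, sorted by host then port."""
    hits = [(r.host, r.port, r.service) for r in records
            if r.state == "open" and (r.protocol, r.port) not in allowed]
    return sorted(hits, key=lambda h: (h[0], h[1]))


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    policy = {("tcp", 22), ("tcp", 80), ("tcp", 443)}   # what should be reachable
    for host, port, svc in unexpected_open_ports(recs, policy):
        print(f"{host}:{port} ({svc}) is open but not in policy")
```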

Output All Supported File Types

nmap -oA [basename] [target]

Creates three files: .nmap, .gnmap, and .xml.

Examples:

nmap -oA scan 192.168.1.1
# Creates: scan.nmap, scan.gnmap, scan.xml
nmap -oA /tmp/myscan 192.168.1.0/24

Periodically Display Statistics

nmap --stats-every [time] [target]

Examples:

nmap --stats-every 10s 192.168.1.0/24
nmap --stats-every 1m 10.0.0.0/16

1337 Output

nmap -oS [filename] [target]

Script Kiddie output format.

Examples:

nmap -oS leet.txt 192.168.1.1

Interactive Output

nmap --interactive

Start in interactive mode. Note: --interactive was removed from Nmap after version 5.21 and is rejected by current releases.

Examples:

nmap --interactive

Display Reason for Port States

nmap --reason [target]

Show reason for port state determination.

Examples:

nmap --reason 192.168.1.1
nmap -sS --reason 192.168.1.0/24

Compare Scans

Comparison Using Ndiff

ndiff [scan1.xml] [scan2.xml]

Examples:

ndiff scan1.xml scan2.xml
ndiff /tmp/scan1.xml /tmp/scan2.xml

Ndiff Verbose Mode

ndiff -v [scan1.xml] [scan2.xml]

Examples:

ndiff -v scan1.xml scan2.xml

XML Output Mode

ndiff --xml [scan1.xml] [scan2.xml]

Examples:

ndiff --xml scan1.xml scan2.xml > diff.xml

Troubleshooting and Debugging

Get Help

nmap -h

or

nmap --help

Display Nmap Version

nmap -V

or

nmap --version

Verbose Output

nmap -v [target]

Increase verbosity level (can be used multiple times).

Examples:

nmap -v 192.168.1.1
nmap -vv 192.168.1.1       # More verbose
nmap -vvv 192.168.1.1      # Even more verbose

Debugging

nmap -d [target]

Increase debugging level (can be used multiple times).

Examples:

nmap -d 192.168.1.1
nmap -dd 192.168.1.1       # More debug info
nmap -ddd 192.168.1.1      # Even more debug info

Display Port State Reason

nmap --reason [target]

Examples:

nmap --reason 192.168.1.1
nmap -sS --reason 192.168.1.0/24

Only Display Open Ports

nmap --open [target]

Examples:

nmap --open 192.168.1.1
nmap -p 1-1000 --open 192.168.1.0/24

Trace Packets

nmap --packet-trace [target]

Show all packets sent and received.

Examples:

nmap --packet-trace 192.168.1.1
nmap -sS --packet-trace 192.168.1.1

Display Host Networking

nmap --iflist

Show host interfaces and routes.

Examples:

nmap --iflist

Specify a Network Interface

nmap -e [interface] [target]

Examples:

nmap -e eth0 192.168.1.1
nmap -e wlan0 192.168.1.1
nmap -e tun0 10.0.0.1

Check for Root Privileges

sudo nmap [target]

Many scan types require root privileges.

Examples:

sudo nmap -sS 192.168.1.1      # SYN scan requires root
sudo nmap -sU 192.168.1.1      # UDP scan requires root

Nmap Scripting Engine (NSE)

Execute Individual Scripts

nmap --script [script.nse] [target]

Examples:

nmap --script http-title 192.168.1.1
nmap --script ssh-hostkey 192.168.1.1
nmap --script smb-os-discovery 192.168.1.1

Execute Multiple Scripts

nmap --script [script1,script2,...] [target]

Examples:

nmap --script http-title,http-headers 192.168.1.1
nmap --script "ssh-*,ftp-*" 192.168.1.1  # Quote wildcards so the shell does not expand them

Execute Scripts by Category

nmap --script [category] [target]

Common Categories:

  • auth - Authentication credentials
  • broadcast - Network discovery
  • brute - Brute force attacks
  • default - Default scripts (safe and useful)
  • discovery - Service discovery
  • dos - Denial of service checks
  • exploit - Exploit scripts
  • external - May send data to third parties
  • fuzzer - Fuzzing modules
  • intrusive - Intrusive scripts
  • malware - Malware detection
  • safe - Safe scripts
  • version - Version detection enhancement
  • vuln - Vulnerability detection

Examples:

nmap --script safe 192.168.1.1
nmap --script vuln 192.168.1.1
nmap --script discovery 192.168.1.0/24

Execute Multiple Script Categories

nmap --script [category1,category2,...] [target]

Examples:

nmap --script default,safe 192.168.1.1
nmap --script vuln,exploit 192.168.1.1

Troubleshoot Scripts

nmap --script-trace [target]

Examples:

nmap --script http-title --script-trace 192.168.1.1
nmap --script vuln --script-trace 192.168.1.1

Update the Script Database

nmap --script-updatedb

Examples:

sudo nmap --script-updatedb

Script Categories Overview

nmap --script-help [category or script]

Examples:

nmap --script-help vuln
nmap --script-help "http-*"
nmap --script-help "ssh-*"

Script Arguments

nmap --script-args [args] [target]

Examples:

nmap --script http-headers --script-args http.useragent="Mozilla/5.0" 192.168.1.1
nmap --script smb-os-discovery --script-args smbusername=admin,smbpassword=password 192.168.1.1
nmap --script http-sql-injection --script-args httpspider.maxpagecount=200 192.168.1.1

Script Timing and Safety

nmap --script-timeout [time] [target]

Examples:

nmap --script-timeout 30s 192.168.1.1
nmap --script-timeout 2m 192.168.1.0/24

OS Detection Techniques

Basic OS Detection

nmap -O [target]

Examples:

nmap -O 192.168.1.1
nmap -O --osscan-limit 192.168.1.1     # Only detect if open ports found

Aggressive OS Detection

nmap -O --osscan-guess --fuzzy [target]

Examples:

nmap -O --osscan-guess 192.168.1.1
nmap -O --max-os-tries 1 192.168.1.1   # Limit OS detection attempts

OS Detection with Version Detection

nmap -A [target]

Examples:

nmap -A 192.168.1.1
nmap -A -T4 192.168.1.0/24

OS Detection Limits

nmap -O --osscan-limit [target]

Examples:

nmap -O --osscan-limit 192.168.1.1

Performance Optimization

Adjusting Timing Parameters

nmap -T[0-5] --min-rate [rate] --max-rate [rate] [target]

Examples:

nmap -T4 --min-rate 1000 192.168.1.0/24
nmap -T5 --max-rate 100 192.168.1.1

Network Configuration

nmap --min-parallelism [num] --max-parallelism [num] [target]

Examples:

nmap --min-parallelism 100 --max-parallelism 256 192.168.1.0/24

Memory Management

nmap --min-rate [rate] --max-retries [num] [target]

Examples:

nmap --min-rate 500 --max-retries 2 192.168.1.0/24

Real-World Scan Examples

Basic Network Inventory Scan

nmap -sn 192.168.1.0/24

Purpose: Discover live hosts on network.

Comprehensive Security Audit

nmap -sS -sU -T4 -A -v -p- 192.168.1.1

Purpose: Full port scan with OS and version detection.

Stealthy Penetration Test Scan

nmap -sS -sV -T2 -f --data-length 200 -D RND:5 --source-port 53 --max-hostgroup 1 --max-retries 2 192.168.1.1

Purpose: Evade IDS/IPS detection.

Web Server Enumeration

nmap -sV --script=http-enum,http-title,http-headers -p 80,443,8080,8443 192.168.1.1

Purpose: Discover web applications and services.

Database Server Discovery

nmap -sV --script=ms-sql-info,mysql-info,pgsql-info,oracle-sid-brute -p 1433,3306,5432,1521 192.168.1.1

Purpose: Identify database services and versions.

Nmap in Scripts and Automation

Bash Scripting with Nmap

#!/bin/bash
# Daily inventory scan. -sS and -O need raw-socket privileges, so run as root or via sudo.
TARGETS="192.168.1.0/24"
OUTPUT_DIR="/tmp/nmap_scans"
DATE=$(date +%Y%m%d)

mkdir -p "$OUTPUT_DIR"
# -oA writes scan_YYYYMMDD.nmap, .gnmap and .xml into the output directory.
# $TARGETS is intentionally unquoted so several space-separated targets work.
nmap -sS -sV -O -oA "$OUTPUT_DIR/scan_$DATE" $TARGETS

Python Integration

import nmap

# -sS and -O require root privileges; run the script with sudo.
nm = nmap.PortScanner()
target = '192.168.1.0/24'

nm.scan(hosts=target, arguments='-sS -sV -O')
for host in nm.all_hosts():
    print(f"Host: {host}")
    print(f"State: {nm[host].state()}")
    for proto in nm[host].all_protocols():
        # Ports are keyed by number; sort them for readable output.
        for port in sorted(nm[host][proto].keys()):
            info = nm[host][proto][port]
            print(f"Port: {port}\tState: {info['state']}\tService: {info['name']}")
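The loop above prints the live state of each host; for a scheduled scan, what matters is what changed since the previous run, which is what ndiff (Compare Scans, above) reports from two -oX files. As an added example that is not part of this gist, python-nmap or Ndiff, the script below parses two constructed Nmap XML results with the standard library and emits an ndiff-style change list; `parse_nmap_xml`, `diff_scans` and the sample hosts are this example's own.

```python
"""Compare two Nmap XML (-oX) results and report what changed, ndiff-style.

Added example for this cheat sheet; not Ndiff itself. Only these elements
of Nmap's XML are used: <host>, <status state>, <address addr addrtype>,
<port protocol portid>, <state state>, <service name product version>.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PortKey = Tuple[str, int]                    # (protocol, port)
HostPorts = Dict[PortKey, Tuple[str, str]]   # -> (state, service summary)

# Constructed baseline and follow-up scans of the same /24 (all values invented).
DAY1_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX day1.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  </ports></host>
</nmaprun>"""

DAY2_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -oX day2.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
    <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.20.1"/></port>
  </ports></host>
  <host><status state="down"/><address addr="192.168.1.20" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.168.1.30" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> Dict[str, HostPorts]:
    """Map each host that was up to its {(proto, port): (state, service)} table."""
    hosts: Dict[str, HostPorts] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue                          # down hosts carry no port data
        table: HostPorts = {}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            summary = "" if svc is None else " ".join(
                v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
            table[(port.get("protocol"), int(port.get("portid")))] = (state, summary)
        hosts[addr.get("addr")] = table
    return hosts


def diff_scans(old: Dict[str, HostPorts], new: Dict[str, HostPorts]) -> List[str]:
    """Change list: '+' appeared, '-' disappeared, '~' state or service changed."""
    changes: List[str] = []
    for addr in sorted(set(old) | set(new), key=ipaddress.ip_address):
        before, after = old.get(addr), new.get(addr)
        if before is None:
            changes.append(f"+ host {addr} is now up")
        if after is None:
            changes.append(f"- host {addr} is no longer up")
        before, after = before or {}, after or {}
        for key in sorted(set(before) | set(after)):
            label = f"{addr} {key[1]}/{key[0]}"
            if key not in before:
                changes.append(f"+ {label} {' '.join(after[key])}")
            elif key not in after:
                changes.append(f"- {label} {' '.join(before[key])}")
            elif before[key] != after[key]:
                changes.append(f"~ {label} {' '.join(before[key])} -> {' '.join(after[key])}")
    return changes


if __name__ == "__main__":
    for line in diff_scans(parse_nmap_xml(DAY1_XML), parse_nmap_xml(DAY2_XML)):
        print(line)
```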

Scheduled Scans

# Add to crontab
0 2 * * * /usr/bin/nmap -sS -sV -oA /var/log/nmap/daily_scan 192.168.1.0/24

Common Mistakes and Best Practices

Legal Considerations

Always:

  1. Obtain written permission before scanning
  2. Scan only networks you own or have authorization to test
  3. Respect privacy and data protection laws
  4. Document authorization for audit purposes

Ethical Scanning Guidelines

  1. Do not scan without explicit permission
  2. Limit scan intensity to avoid disrupting services
  3. Respect rate limits and network policies
  4. Secure scan results - they contain sensitive information
  5. Report findings responsibly to appropriate parties

Performance Best Practices

  1. Use appropriate timing (-T3 is usually optimal)
  2. Limit parallel operations on slow networks
  3. Use --max-retries to avoid hanging scans
  4. Set --host-timeout for unresponsive hosts
  5. Save results regularly with -oA during long scans

Security Best Practices

  1. Run as non-root when possible
  2. Use VPNs for external scans
  3. Encrypt stored results
  4. Regularly update Nmap and scripts
  5. Validate targets before scanning


License: Creative Commons Attribution-ShareAlike
Note: Always use Nmap responsibly and only on networks you own or have permission to scan.
