Nmap Cheat Sheet header

We’ve put together a comprehensive Nmap Cheat Sheet. If you also use Nessus with Nmap, keep reading. At the end of the post we have also included the Nmap + Nessus Cheat Sheet so you have all the useful commands at your fingertips.

All the tables provided in the cheat sheets are also presented in tables below which are easy to copy and paste.

The Nmap cheat sheet covers:

  • Different usage options of Nmap
  • Scanning command syntax
  • Port Specification options
  • Host / discovery
  • Scanning types
  • Version detection
  • specification
  • Use of NMAP scripts NSE
  • Firewall proofing
  • NMAP output formats
  • Scan options
  • NMAP Timing options
  • Miscellaneous commands

View or Download the Cheat Sheet JPG image

Right-click on the image below to save the JPG file (1945 width x 2470 height in pixels), or click here to open it in a new browser tab. Once the image opens in a new window, you may need to click on the image to zoom in and view the full-sized jpeg.

Nmap Cheat Sheet JPG

View or Download the cheat sheet PDF file

You can download the cheat sheet PDF file here. If it opens in a new browser tab, simply right click on the PDF and navigate to the download selection.

What’s included in the Cheat Sheet

The following categories and items have been included in the cheat sheet:

Different usage options of Nmap

Different usage options
Port discovery and specification
Host discovery and specification
Vulnerability scanning
Application and service version detection
Software version detection against the ports
Firewall / IDS Spoofing

Scanning command syntax

Scanning Command Syntax

nmap [scan types] [options] { specification}

Port Specification options

Port Specification Options





nmap –p 23

Port scanning port specific port


nmap –p 23-100

Port scanning port specific port range


nmap -pU:110,T:23-25,443

U-UDP,T-TCP different port types scan


nmap -p-

Port scan for all ports


nmap -smtp,https

Port scan from specified protocols


nmap –F

Fast port scan for speed up

-P "*"

namp -p "*" ftp

Port scan using name


nmap -r

Sequential port scan

Host / discovery

Host / Discovery





nmap -sL

List without scanning


nmap -sn

Disable port scanning


nmap -Pn

Port scans only and no host discovery


nmap -PS22-25,80

TCP SYN discovery on specified port


nmap -PA22-25,80

TCP ACK discovery on specified port


nmap -PU53

UDP discovery on specified port


nmap -PR

ARP discovery within local network


nmap -n

no DNS resolution

Scanning types

Scanning Types





nmap -sS

TCP SYN port scan


nmap -sT

TCP connect port scan


nmap -sA

TCP ACK port scan


nmap -sU

UDP port scan


nmap -Sf

TCP FIN scan


nmap -SX

XMAS scan


nmap -Sp

Ping scan


nmap -Su

UDP scan


nmap -Sa

TCP ACK scan


nmap -Sl

list scan

Version detection

Version Detection





nmap -sV

Try to find the version of the service running on port

-sV --version-intensity

nmap -sV --version-intensity 6

Intensity level range 0 to 9.

-sV --version-all

nmap -sV --version-all

Set intensity level to 9

-sV --version-light

nmap -sV --version-light

Enable light mode


nmap -A

Enables OS detection, version detection, script scanning, and traceroute


nmap -O

Remote OS detection specification Specification


single IP scan


scan specific IPs


scan a range of IPs

nmap xyz.org

scan a domain


scan using CIDR notation

nmap -iL scan.txt

scan from a file

nmap --exclude

specified IP s exclude from scan

Use of NMAP scripts NSE

Use of Nmap Scripts NSE

nmap --script= test script

execute thee listed script against target IP address

nmap --script-update-db

adding new scripts

nmap -sV -sC

use of safe default scripts for scan

nmap --script-help="Test Script"

get help for script

Firewall proofing

Firewall Proofing

nmap -f []

scan fragment packets

nmap –mtu [MTU] []

specify MTU

nmap -sI [zombie] []

scan idle zoombie

nmap –source-port [port] []

manual source port - specify

nmap –data-length [size] []

randomly append data

nmap –randomize-hosts [] scan order randomization

nmap –badsum []

bad checksum

NMAP output formats

Nmap output Formats

Default/normal output

nmap -oN scan.txt


nmap -oX scanr.xml

Grepable format

snmap -oG grep.txt

All formats

nmap -oA

Scan options

Scan Options



nmap -sP

Ping scan only

nmap -PU

UDP ping scan

nmap -PE

ICMP echo ping

nmap -PO

IP protocol ping

nmap -PR

ARP ping

nmap -Pn

Scan without pinging

nmap –traceroute


NMAP Timing options

Nmap Timing Options



nmap -T0

Slowest scan

nmap -T1

Tricky scan to avoid IDS

nmap -T2

Timely scan

nmap -T3

Default scan timer

nmap -T4

Aggressive scan

nmap -T5

Very aggressive scan

Miscellaneous commands

Miscellaneous Commands

nmap -6

scan IPV6 targets

nmap –proxies proxy 1 URL, proxy 2 URL

Run in targets with proxies

nmap –open

Show open ports only

Nmap + Nessus Cheat Sheet

If you also use Nessus with Nmap, download this cheat sheet instead as it has all the tables included in the Nmap cheat sheet plus three extra Nessus tables. Click on the image below to open the JPG in a new window where you can save it. Alternatively you can download the PDF file here.

Nmap + Nessus Cheat Sheet

Nessus install and use

Nessus Installation and Usage


# apt-get install nessus

Add administrator for the application

# nessus-adduser

Update components

# nessus-update-plugins

Start nessus

# /etc/init.d/nessusd start

Check nessus port

# netstat -luntp or # netstat –landtp



nessus –h

Display help

nessus –q

Run in batch mode

nessus --list-policies

List policies included in .nessus configuration file

nessus --list-reports

List report names included in .nessus configuration file

nessus –p

List available plugins in the server

nessus --policy-name (policy name)

Specify policy to use when a scan initiate in command line

nessus -T (format)

Specify output report format (html, text, nbe, nessus)

nessus --target-file (file name)

Use scan targets specified in the file instead of default .nessus file

nessus –x

Do not check for SSL certificates

Nessus server commands

Nessus Server Commands

nessus-service -a ( ip address )

Listens to specified IP address only

nessus-service -c (Config file name )

Set to use server side configuration file instead of default configuration file

nessus-service -D

Set server mode to background run

nessus-service -h

List summary of nessus commands

nessus-service --ipv4-only

Listen to IPV4 only

nessus-service --ipv6-only

Listen to IPV6 only

nessus-service -K

Configure master password for nessus scanner

nessus-service -p

Set server to listen to client specified port rather than default port 1241

nessus-service -q

Run in quiet mode

Related: Nmap Scanning Tutorial