Online IDE
Free Mock
Events New Scaler
Improve your coding skills with our resources
Compete in popular contests with top coders
Attend free live masterclass hosted by top tech professionals
Explore Offerings by SCALER

Download Interview guide PDF

Before you leave, take this NMAP Cheat Sheet interview guide with you.
Get a Free Personalized Career Roadmap
Answer 4 simple questions about you and get a path to a lucrative career
expand-icon Expand in New Tab
/ Interview Guides / NMAP Cheat Sheet

NMAP Cheat Sheet

Last Updated: Nov 10, 2023

Download PDF

Your requested download is ready!
Click here to download.
Certificate included
About the Speaker
What will you Learn?
Register Now

Nmap("Network Mapper") is an open-source and free tool that’s widely used for network discovery purposes. It’s capable of performing both host discovery and service detection, as well as doing a content analysis of the traffic it receives. Common uses for Nmap include vulnerability discovery, system security auditing, and detecting cyber attacks. You can run Nmap on a command line or in a web browser. To get the most out of Nmap, you should familiarize yourself with its features and usage.

Nmap can be used to find open ports on a remote host or network, and check whether a host or network has been compromised. It can also be used to test your own server or network to identify weak spots. Another common use case is in vulnerability assessment: using Nmap to test the connection between your website and your users to see whether your application is open to exploitation. 

When used properly, Nmap can be a very powerful tool. However, using it incorrectly can also cause problems. For example, sending a request with a Nmap scan that includes a lot of output will likely consume a lot of network bandwidth. This type of scan is called promiscuous mode and can cause network congestion if not used properly. Sending a request with a light Nmap scan may not cause any extra traffic but is still likely to return inaccurate results. 

Nmap can also be used for malicious purposes. Connecting a vulnerable system to a large network of malicious systems can help spread infection. Using Nmap to scan networks for vulnerabilities is also a risky proposition. It is likely to return inaccurate or even misleading results. Nmap is an open-source tool and is widely used by Nessus and other security researchers. Therefore, it is likely to be well-regarded by the community.

NMAP Tutorial: Basics to Advanced

1. Nmap Scan Types

Scan Type Details
TCP SCAN A TCP scan is used to ensure that a three-way handshake has been completed between you and a selected target system. Even though it is very noisy, a TCP scan can be detected with little to no effort. This is because the services may log the sender's IP address and may trigger an intrusion detection system.
UDP SCAN The UDP scan checks whether there is any UDP port open and listens for incoming connections on the target machine. Contrary to TCP, UDP does not offer any way to cure a positive result by sending a response with a positive acknowledgment. As a result, UDP scans may sometimes produce false positives. This type of scan is usually quite slow because computers, in general, slow down their responses to this kind of traffic in order to be on the safe side.
SYN SCAN In a SYN scan, a TCP connection is established by first creating a SYN packet and sending it to the server. This is unlike a normal TCP scan, which just generates a SYN packet. The response to these specially crafted packets is also analyzed by Nmap to produce scan results.
ACK SCAN To be able to monitor whether a particular port is filtered or not, ACK scans are employed. This guarantees to be very valuable when trying to spy on firewalls or their existing protocols. Simple packet filtering allows established connections, whereas a more complex firewall might not.
FIN SCAN The FIN scan is a stealthy TCP connection scan that sends a TCP FIN packet instead of a SYN packet. The computer may either send an RST packet (reset packet) back if it receives this input or send a FIN scan (finishing process) that may falsely generate positives and negatives, but it may elude some IDS systems and other countermeasures.
NULL SCAN A null scan is exactly what it sounds like: It leaves all of the header fields blank. Null packets are usually not valid and a few targets may not be able to handle them, but it is possible for them to be. Against a specific type of windows target, also known as null packet scanning, it is possible to produce unreliable results. On the other hand, as an effective way to get through windows, it is usually possible.
XMAS SCAN XMAS scans are very covert in nature. Because of the way their TCP protocol operates, computers running Windows will not react to Xmas scans in any way. The scan's name comes from the set of flags that are turned on within the packet that is being sent out for scanning. XMAS scans are used to manipulate the PSH, URG, and FIN flags found in the TCP header.
RPC SCAN RPC scans are used to discover remote procedure calls (RPC) machines that respond to Remote Procedure Call services (RPC). RPC services can be run on a variety of ports, making it hard to identify from a normal scan whether RPC services are running or not. It is generally a good idea to conduct an RPC scan periodically to learn where they are operating.
IDLE SCAN IDLE Scan is one of the less popular types of scans because it requires the host to be controlled. The packets are bounced off an external host in order to conceal their origins. Malicious attacks are limited to only those packets that are bounced off the internal host. It is one of the more controversial choices in Nmap because it is primarily used for malicious attacks.

Category-wise diverse NMAP commands with examples are explained in the following section.

Create a free personalised study plan Create a FREE custom study plan
Get into your dream companies with expert guidance
Get into your dream companies with expert..
Real-Life Problems
Prep for Target Roles
Custom Plan Duration
Flexible Plans

2. Target Specification

Switch  Example Description
  nmap Scan a specific IP address
  nmap Scan specific IP addresses
  nmap Scan specific range of IP addresses
  nmap Scans a domain
  nmap Scans a single IP using CIDR notation
-iL nmap -iL text.txt Scans a target from a file
-iR nmap -iR 200 Scans random 200 hosts
–exclude nmap -exclude Exclude the listed hosts

3. Scan Techniques

Switch Example Description
-sS nmap -sS TCP SYN Scan
-sT nmap -sT TCP Connect Scan
-sU nmap -sU UDP scan
-sA nmap -sA TCP ACK Scan
-sW nmap -sW TCP Window scan
-sM nmap -sM TCP Maimon scan
You can download a PDF version of Nmap Cheat Sheet.

Download PDF

Your requested download is ready!
Click here to download.

4. Host Discovery

Switch Example Description
-sL nmap -sL Creates targets List only
-sn nmap -sn This disables port scans and does host discovery only.
-Pn nmap -Pn This disables host discovery and allows port scan only.
-PS nmap -PS22-25,80

TCP SYN ping on port x.

Port 80 is by default

-PA nmap -PA22-25,80

TCP ACK ping on port x.

Port 80 is by default

-PU nmap -PU53

Enables UDP ping on port x.

Port 40125 is by default

-PR nmap -PR ARP ping on the local network
-n nmap -n Disables DNS resolution

5. Port Specification

Switch Example Description
-p nmap -p 27 Scan a specific port
-p nmap -p 27-100 Scan a port range
-p nmap -p U:53,T:27-40,80 Scans multiple TCP and UDP ports
-p- nmap -p-
Scan all ports
-p nmap -p http,https Scans based on the service name
-F nmap -F Scan 100 ports in fast manner
–top-ports nmap -top-ports 1015 Scans the top “x” ports
-p-65535 nmap -p-65535 Skips the initial port in the range and starts the scan from port 1
-p0- nmap -p0- Skips end port in the range and starts the scan to go through to the port 65535

Learn via our Video Courses

6. Service and Version Detection

Switch Example Description
-sV nmap -sV Helps in determining the version of the service 
-sV –version-intensity nmap -sV -version-intensity 9 To increase the Intensity level between 0 to 9. The higher the number higher is possibility of correctness
-sV –version-light nmap -sV -version-light This enables light mode. This has a lower possibility of correctness but is faster.
-sV –version-all nmap -sV -version-all This enables an intensity level  of 9. This has a higher possibility of correctness but is slower.
-A nmap -A This enables OS detection, version detection, and script scanning.

7. OS Detection

Switch Example Description
-O nmap -O TCP/IP stack fingerprinting is used for remote OS detection.
-O –osscan-limit nmap -O -osscan-limit The TCP port scan will not attempt OS detection on those hosts that do not have at least one open and one closed port.
-O –osscan-guess nmap -O -osscan-guess Makes Nmap guess more competently
-O –max-os-tries nmap -O -max-os-tries 1
This set the maximum number “x” of OS detection attempts against a target
Advance your career with   Mock Assessments Refine your coding skills with Mock Assessments
Real-world coding challenges for top company interviews
Real-world coding challenges for top companies
Real-Life Problems
Detailed reports

8. Timing and Performance

Switch Example Description
-T0 nmap -T0 Paranoid (0) Timing
-T1 nmap -T1 Sneaky (1) Timing
-T2 nmap -T2 Polite (2) Timing
-T3 nmap -T3 Normal (3) Timing
-T4 nmap -T4 Aggressive (4) Timing
-T5 nmap -T5 Insane (5) Timing
Switch Example input Description
–host-timeout <time> 5s; 10m; 5h After this long, give up on the target.
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> 5s; 10m; 5h How long it takes to return a probe round trip.
–min-hostgroup/max-hostgroup <size<size> 20; 512 Specifies host scan group sizes for parallelization
–min-parallelism/max-parallelism <numprobes> 10; 1 This probes parallelization
–scan-delay/–max-scan-delay <time> 10ms; 5s; 10m; 3h This adjusts the delay between probes
–max-retries <tries> 5 Specifies the maximum number retries for port scan probe retransmissions
–min-rate <number> 10 This sends packets at a minimum speed of <number> per second
–max-rate <number> 250 This sends packets at a maximum speed of <number> per second

9. NSE Scripts

Switch Example Description
-sC nmap -sC Default NSE scripts are used to scan.
–script default nmap -script default This scans with default NSE scripts 
–script nmap -script=banner Single script scanning
–script nmap -script=http* Wildcard scanning
–script nmap -script=http,banner Two scripts scanning
–script nmap -script "not intrusive" Default scanning without intrusive scripts
–script-args nmap -script snmp-sysdescr -script-args snmpcommunity=admin NSE script scanning with scipts

10. Useful NSE Script Examples

Command Description
nmap -Pn -script=http-sitemap-generator  Map generator for HTTP site
nmap -n -Pn -p 80 -open -sV -vvv -script banner,http-title -iR 1000 Search random web servers
nmap -Pn -script=dns-brute This gusses sub-domains by brute forcing on DNS hostnames
nmap -n -Pn -vv -O -sV -script smb-enum*,smb-ls,smb-mbenum,smb-os-discovery,smb-s*,smb-vuln*,smbv2* -vv Run safe SMB scripts
nmap -script whois* Query for whois 
nmap -p80 -script http-unsafe-output-escaping Vulnerabilities detection on cross websites
nmap -p80 -script http-sql-injection SQL injections detection

11. Firewall / IDS Evasion and Spoofing

Switch Example Description
-f nmap -f Small fragmented IP packets are used in requested scans (including ping scans). More difficult for packet filters
–mtu nmap -mtu 32 Set the offset size yourself
-D nmap -D,,, Scans from the spoofed IPs are send via this
-S nmap -S  Scans Scaler from InterviewBit 
-g nmap -g 53 Uses the given port number
–proxies nmap -proxies, This relays connections via HTTP or SOCKS4 proxy
–data-length nmap -data-length 200 This adds random data to the sent packets

12. Output

Switch Example Description
-oN nmap -oN result.file Adds the output to the result.file that is in normal format
-oX nmap -oX result.file Adds the output to the result.file that is in XML format
-oG nmap -oG result.file Adds the output to the result.file that can be grepable
-oA nmap -oA results All three major formats are displayed via this
-oG – nmap -oG - Shows grepable output on the screen
–append-output nmap -oN file.file -append-output Adds a scan to the previous scanned file
-v nmap -v Verbosity level is increase via this
-d nmap -d Debugging level is increase via this
–reason nmap -reason Shows the reason for the given state of the port
–open nmap -open Open ports are shown
–packet-trace nmap -T4 -packet-trace Packets sent and received are shown
–iflist nmap -iflist Host interfaces and routes are shown
–resume nmap -resume scaler.file Scan is resumed

13. Other Useful NMAP Commands

Command Description
nmap -iR 10 -PS22-25,80,113,1050,35000 -v -sn Only ports x are scanned, no ports are discovered.
nmap -PR -sn -vv Only show ARP discovery on the local network, no port scan.
nmap -iR 20 -sn -traceroute No port scan - just traceroute to specific targets.
nmap -sL -dns-server Queries the Internal DNS for detecting hosts and then lists targets


In this document, we’ve covered the basics of Network Mapper (NMAP), its features and some of the important cheat sheets. NMAP is the supreme source of port scan information, the foundation for most security enumeration during the initial phases of a penetration test. It has a number of settings and when you first start out using it it may be difficult to figure out. You can follow the guide for running Nmap on a Mac OS X or Linux machine. The beauty of the Nmap tool is that it’s designed to work with text output. This means that you do not have to be an expert in Linux or Bash Scripting in order to use this amazing tool. The code examples are very easy to follow and you will be up and running with Nmap in no time. 

Now, it’s time for you to head out and try what we’ve covered here and more. More than memorizing syntax, do pay attention to practising them and solving problems.



Which of the following commands scans random hosts?


Which of the following commands is for IP Protocol Ping?


Which of the following commands create a host list?


Which of the following commands sends IP packets?


Which of the following commands perform a sequential port scan?

Excel at your interview with Masterclasses Know More
Certificate included
What will you Learn?
Free Mock Assessment
Fill up the details for personalised experience.
Phone Number *
OTP will be sent to this number for verification
+91 *
Change Number
Graduation Year *
Graduation Year *
*Enter the expected year of graduation if you're student
Current Employer
Company Name
College you graduated from
College/University Name
Job Title
Job Title
Engineering Leadership
Software Development Engineer (Backend)
Software Development Engineer (Frontend)
Software Development Engineer (Full Stack)
Data Scientist
Android Engineer
iOS Engineer
Devops Engineer
Support Engineer
Research Engineer
Engineering Intern
QA Engineer
Product Manager
Product Designer
Backend Architect
Program Manager
Release Engineer
Security Leadership
Database Administrator
Data Analyst
Data Engineer
Non Coder
Please verify your phone number
Resend OTP
By clicking on Start Test, I agree to be contacted by Scaler in the future.
Already have an account? Log in
Free Mock Assessment
Instructions from Interviewbit
Start Test