Nmap Cheat Sheet 2025: Complete Guide
Here is the Cheat Sheet For Nmap Commands which also include Advance Level, So enjoy!
Usage:
nmap [Scan Type(s)] [Options] {target}
Host Discovery
| Commands | Description |
|---|
| -sn | Ping Scan (It will disable Port Scanning) |
| -Pn | Treat all hosts as online |
| -PS | Uses TCP SYN Packet |
| -PA | Uses TCP ACK Packet |
| -PU | Uses UDP Packet |
| -PY | Uses SCTP Packet |
| -PE | Uses ICMP echo Packet |
| -PP | Uses ICMP timestamp Packet |
| -PM | Uses ICMP netmask request discovery Packet |
| -PR | Uses ARP Protocol for Ping |
| -R | Do reverse DNS lookup |
| -n | Do not do reverse DNS lookup |
| –dns-servers <IP> | Use Specified DNS server |
| –system-dns | Use System (OS) DNS resolver |
| –traceroute | Trace hop path to the target host |
NOTE: Here is a complete Nmap Tutorial for beginners!
Port Scanning
| Commands | Description |
|---|
| -sS | Uses only SYN Flag in TCP Packet, also known as Stealth Scan |
| -sA | Uses only ACK Flag in TCP Packet |
| -sT | Makes a Full handshake, also known as TCP Connect Scan |
| -sW | Same as -sA But analyzes the window size of the target host and then differentiates between closed or open ports |
| -sM | It uses FIN and ACK Flag, If the target system drops the Packet then it may indicate that the port is open |
| -sU | You can use Customize flags like SYN, ACK, FIN, URG, PUSH or RESET |
| -sN | Null scan, it does not use any TCP Flag |
| -sF | Only uses FIN Flag |
| -sX | Uses FIN, PUSH, and URG Flag at once |
| -sI <IP:port> | Idle Scan, Uses a Zombie Host |
| -sO | Uses IP Protocol instead of TCP Protocol |
| -sY | Uses SCTP INIT Protocol |
| -sZ | Uses SCTP COOKIE_ECHO Protocol |
| –scanflags <flag> | You can use Customize flags like SYN, ACK,FIN, URG, PUSH or RESET |
| -6 <IPv6> | Enable IPv6 scanning |
NOTE: Nmap stealth Scan is not stealthy anymore, Here are Five Reasons!
Port Specifications
| Commands | Description |
|---|
| -p <port-number> | To specify scanning ports |
| -p- | Scan all 65535 Ports |
| –exclude-ports <port-number> | To exclude specified port |
| -F | Scan fewer ports, also known as Fast mode |
| -r | Scan port in sequence not in random order |
Service/Version Detection
| Commands | Description |
|---|
| -sV | Determine Version Information of the open Ports |
| –version-intensity <0-9> | Determine Version Information with accuracy (0 means lightest and 9 means highest) |
| –version-light | Uses normal intensity i.e: 2 |
| –version-all | Uses the highest accuracy 9 |
| –version-trace | Shows detailed scan activity (for debugging) |
OS Detection
| Commands | Description |
|---|
| -O | Detect OS running on the target |
| –osscan-guess | Used to Guess OS |
| –osscan-limit | Limits OS detection |
| -A | Aggressive scan, it detects OS running, versions detection, and more! |
Timing and Performance
| Commands | Description |
|---|
| -T <0-5> | Timing Template (0 is slowest, 5 is fastest) |
| –scan-delay <time> | Used to adjust delay Between Packets sent |
| –min-rate <time> | Send packets no slower than <time> per second |
| –max-rate <time> | Send packets no faster than <time> per second |
FIREWALL/IDS EVASION AND SPOOFING
| Commands | Description |
|---|
| -f | Fragment sending packets |
| –mtu <value> | Use specified MTU size (in bytes) |
| -D RND: | Decoy scan (scan the target host with random IP address) |
| -S <ip-address> | Spoof Source address |
| e <interface> | Use specified Interface |
| –source-port <number> | Use specified source port |
| –proxies <IP> | relay on specified proxies |
| –data-length <number> | Append random data to the sending packets |
| –ttl <number> | Use to specify TTL value |
| –spoof-mac <mac-address or vendor name> | Use specified mac address to spoof |
| –badsum | Send packets with fake checksum |
| –data <hex string> | Append a custom payload to the sending packets |
| –data-string <string> | Append a custom ASCII string to the sending packets |
