Nmap Cheat Sheet 2026: Complete Command Reference

Default scan: TCP SYN against the 1,000 most common ports (requires root) or TCP connect otherwise.

TCP SYN (half-open) scan — fast and stealthier; never completes the 3-way handshake. Requires root.

Full TCP connect() scan — completes the handshake. Slower and more visible, but works without root.

UDP scan — much slower than TCP; useful for finding DNS, SNMP, NTP, and other UDP services.

Ping sweep — discover live hosts in a subnet without scanning ports.

Skip host discovery — treat all hosts as online (use when ICMP is blocked).

Scan a single port (here, port 80).

Scan a port range (here, ports 1 through 1000).

Scan all 65,535 TCP ports — the most thorough TCP scan.

Scan the 100 most commonly open ports as ranked by Nmap's frequency database.

Fast scan — only the 100 most common ports (equivalent to --top-ports 100 with quicker timing).

Probe open ports to identify the service name and version (e.g., Apache 2.4.58, OpenSSH 9.6).

Set probe intensity 0-9 — higher means more probes and better accuracy at the cost of speed.

Aggressive scan: enables OS detection (-O), version detection (-sV), default scripts (-sC), and traceroute.

OS detection via TCP/IP fingerprinting. Requires root and at least one open and one closed port.

Run the default script category (safe, useful info-gathering scripts) — same as -sC.

Run all vulnerability-detection scripts against the target.

Enumerate common web app paths and admin interfaces on HTTP services.

Identify the OS, computer name, NetBIOS name, and domain over SMB.

Refresh the local NSE script database after installing or updating scripts.

Show usage, arguments, and examples for any specific NSE script.

Save normal human-readable output to a file.

Save XML output — best for parsing into other tools (Metasploit, Faraday, custom scripts).

Save grepable output — easy to slice with grep/awk/cut for one-liners.

Save in all three formats at once (.nmap, .xml, .gnmap with the same base filename).

Increase verbosity (-v once, -vv twice) — see open ports as soon as they are discovered.

Paranoid timing — extremely slow, used to evade IDS detection.

Normal timing (default) — balanced speed and reliability.

Insane timing — fastest possible; may miss results on slow networks.

Send at least 1,000 packets per second regardless of timing template.

Limit retransmissions per probe — speeds up scans on reliable networks.

Fragment packets into 8-byte fragments to evade simple packet filters.

Use 10 random decoy source IPs alongside your real IP to obscure the scan origin.

Spoof the source port (here, DNS/53) — bypasses some egress filters that whitelist DNS.

Append 25 random bytes of payload to each probe to confuse signature-based detection.

Spoof a source IP address (requires raw sockets and a working route back to the spoofed IP).

Quick web audit — version-detect web ports and enumerate paths/titles in one shot.

Full TCP + selected UDP scan — covers the most actionable services in one run.

Stealth scan — slow timing, fragmented packets, padding, and 5 decoys to avoid IDS triggers.

Vulnerability scan — version-detect plus all vuln NSE scripts; saves output in all formats.

Subnet discovery — ICMP echo plus TCP SYN pings on common ports to find live hosts even when ICMP is blocked.