Reference

Nmap Cheat Sheet

30+ essential Nmap commands organized by use case. Bookmark this page for quick reference.

Target Specification Scan Types Port Selection Output Formats Timing & Performance NSE Scripts Practical Combinations Try These Scans

Target Specification

`nmap 192.168.1.1`	Scan a single IP
`nmap 192.168.1.1-100`	Scan a range of IPs
`nmap 192.168.1.0/24`	Scan an entire subnet (CIDR)
`nmap scanme.nmap.org`	Scan a hostname
`nmap -iL targets.txt`	Scan targets from a file
`nmap 192.168.1.1 --exclude 192.168.1.10`	Exclude specific hosts

Scan Types

`nmap -sS 192.168.1.1`	SYN stealth scan (default, needs raw sockets)
`nmap -sT 192.168.1.1`	TCP connect scan (works without raw sockets)
`nmap -sU 192.168.1.1`	UDP scan (slower, use with -p for specific ports)
`nmap -sV 192.168.1.1`	Service/version detection
`nmap -O 192.168.1.1`	OS fingerprinting
`nmap -A 192.168.1.1`	Aggressive: OS + version + script + traceroute

Port Selection

`nmap -p 80 192.168.1.1`	Scan a single port
`nmap -p 22,80,443 192.168.1.1`	Scan specific ports
`nmap -p 1-1000 192.168.1.1`	Scan a range of ports
`nmap -p- 192.168.1.1`	Scan all 65,535 ports
`nmap -F 192.168.1.1`	Fast scan (top 100 ports)
`nmap --top-ports 200 192.168.1.1`	Scan top N ports

Output Formats

`nmap -oN scan.txt 192.168.1.1`	Normal output to file
`nmap -oX scan.xml 192.168.1.1`	XML output (machine-readable)
`nmap -oG scan.gnmap 192.168.1.1`	Grepable output
`nmap -oA scan 192.168.1.1`	All formats at once
`nmap -v 192.168.1.1`	Verbose output (use -vv for more detail)

Timing & Performance

`nmap -T0 192.168.1.1`	Paranoid — extremely slow, evades IDS
`nmap -T2 192.168.1.1`	Polite — slows down to reduce bandwidth
`nmap -T3 192.168.1.1`	Normal — default timing
`nmap -T4 192.168.1.1`	Aggressive — fast, assumes good network
`nmap -T5 192.168.1.1`	Insane — very fast, may miss ports
`nmap --max-retries 1 192.168.1.1`	Limit retries to speed up scan

NSE Scripts

`nmap --script vuln 192.168.1.1`	Run vulnerability detection scripts
`nmap --script safe 192.168.1.1`	Run safe (non-disruptive) scripts
`nmap --script http-headers 192.168.1.1`	Check HTTP security headers
`nmap --script ssh-auth-methods 192.168.1.1`	Enumerate SSH auth methods
`nmap --script ssl-enum-ciphers -p 443 192.168.1.1`	Check SSL/TLS cipher strength
`nmap --script-updatedb`	Update NSE script database

Practical Combinations

`nmap -sT -Pn -F -sV --version-light -T4 192.168.1.1`	Quick scan (NetAudit AI fast profile)
`nmap -sT -Pn -sV -p 1-1000 -T4 192.168.1.1`	Deep scan (NetAudit AI detailed profile)
`nmap -sn 192.168.1.0/24`	Ping sweep — discover live hosts without port scan
`sudo nmap -sS -sV -O -T4 192.168.1.1`	Full recon: stealth SYN + version + OS

Try These Scans in NetAudit AI

NetAudit AI runs these Nmap scans for you — no terminal needed. The Quick Audit profile uses -sT -Pn -F -sV --version-light -T4 and the Deep Inspection uses -sT -Pn -sV -p 1-1000 -T4. Both include AI analysis and remediation.