Nmap Commands: The Practical Cheat Sheet (2026)
June 22, 2001 · by Pentevo
Nmap ("Network Mapper") is the most widely used network-scanning tool in security. It answers three questions fast: what's online, what ports are open, and what's running on them. This is a practical reference for the commands you'll reach for most.
⚠️ Only scan networks and hosts you own or have explicit written permission to test. Unauthorized scanning can be illegal.
Host discovery (who's alive?)
nmap -sn 192.168.1.0/24
-sn does a "ping sweep" — it finds live hosts without port-scanning them. Great first step on a network.
Basic port scans
nmap 192.168.1.10 # top 1000 TCP ports
nmap -p 80,443,8080 host # specific ports
nmap -p- host # all 65,535 TCP ports
nmap -F host # fast: top 100 ports
By default Nmap runs a SYN scan (-sS) when privileged — fast and relatively quiet. Without privileges it falls back to a full TCP connect scan (-sT).
Service and version detection
nmap -sV host # identify service versions
nmap -O host # OS fingerprinting
nmap -A host # aggressive: -sV, -O, scripts, traceroute
-sV is one of the most useful flags — knowing exactly which version of a service is running is the difference between a guess and a finding.
Timing and performance
nmap -T4 host # faster timing (good default on LANs)
nmap -T2 host # slower / stealthier
-T0 to -T5 trade speed for noise. -T4 is a sensible everyday default.
The Nmap Scripting Engine (NSE)
NSE is what turns Nmap from a port scanner into a lightweight assessment tool:
nmap -sC host # default safe scripts
nmap --script vuln host # known-vuln checks
nmap --script http-title -p 80,443 host
Scripts live in categories like safe, default, discovery, and vuln. Stick to safe/default unless you understand what an intrusive script does.
Saving output
nmap -oN scan.txt host # human-readable
nmap -oX scan.xml host # XML (feed into other tools)
nmap -oA scan host # all formats at once
A solid "first look" command
nmap -sV -sC -T4 -p- -oA fulltcp <target>
Full TCP port sweep, version detection, default scripts, reasonable speed, all output formats saved. From there you dig into whatever looks interesting.
Where to go next
Nmap tells you what's exposed; the next step is understanding what the exposed service is doing wrong — which is where web tools like Burp Suite and frameworks like the OWASP Top 10 come in.
Want guided, hands-on practice? Our free Academy covers scanning and enumeration as part of the full CEH syllabus.
Related reading
Best Penetration Testing Tools in 2026
The essential penetration testing tools every ethical hacker should know — scanners, proxies, exploitation frameworks and more, with what each is best for.
ToolsBest Vulnerability Scanners in 2026
A practical comparison of the best vulnerability scanners — what they do, free vs commercial options, and how scanning fits into real security.
ToolsMetasploit Tutorial for Beginners (2026)
Understand the Metasploit Framework — what it is, its core concepts (modules, payloads, sessions), and how to use it for authorized learning.
ToolsKali Linux for Beginners: Getting Started in 2026
What Kali Linux is, who it's for, how to install it safely, and the essential commands and tools to begin your ethical-hacking journey.
Practice this hands-on
Pentevo Academy turns these concepts into guided lessons, videos and quizzes — free.
Start learning free