Nmap Cheat Sheet

Updated 2026-04-30

Nmap (Network Mapper) is the industry-standard open-source tool for network discovery and security auditing, trusted by penetration testers, system administrators, and security professionals worldwide since its 1997 release by Gordon Lyon (Fyodor). Nmap excels at host discovery, port scanning, service version detection, OS fingerprinting, and executing custom security scripts through the Nmap Scripting Engine (NSE)—all while offering sophisticated firewall evasion techniques and flexible timing controls to balance speed against stealth. One key insight: Nmap's power multiplies when you combine scan types, timing templates, and NSE scripts strategically—a basic SYN scan paired with version detection and the right timing template can reveal far more than the sum of its parts, making every flag choice a tactical decision in how loud or quiet you want your reconnaissance to be.

What This Cheat Sheet Covers

This topic spans 18 focused tables and 142 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

• Table 1: Host Discovery Techniques
• Table 2: TCP Port Scanning Methods
• Table 3: UDP and Other Protocol Scans
• Table 4: Service and Version Detection
• Table 5: Operating System Detection
• Table 6: Nmap Scripting Engine (NSE) Categories
• Table 7: NSE Script Usage and Arguments
• Table 8: Timing Templates
• Table 9: Performance and Timing Options
• Table 10: Port Specification
• Table 11: Target Specification
• Table 12: Firewall Evasion Techniques
• Table 13: Output Format Options
• Table 14: Verbosity and Debugging
• Table 15: Network Interface Options
• Table 16: Miscellaneous Options
• Table 17: Common Scan Recipes
• Table 18: Port State Meanings

Table 1: Host Discovery Techniques

Before scanning ports, Nmap needs to know which hosts are actually alive — and the trick is that no single probe works everywhere. These techniques give you a probe for every situation: TCP SYN/ACK pings slip past ICMP-blocking firewalls, ARP is fastest on a local subnet, and -Pn skips discovery entirely for hosts that drop every ping but are really up.

| Technique | Example | Description |
| --- | --- | --- |
| TCP SYN Ping | nmap -PS80,443 192.168.1.0/24 | Sends TCP SYN packets to specified ports (default 80); open/closed responses indicate host is up; effective against ICMP-filtering firewalls |
| TCP ACK Ping | nmap -PA80,443 192.168.1.0/24 | Sends TCP ACK packets to specified ports (default 80); any RST response confirms host is alive; bypasses stateless firewalls blocking SYN |
| UDP Ping | nmap -PU53,161 192.168.1.0/24 | Sends UDP packets to specified ports (default 40125); ICMP port unreachable = host up; useful when TCP is heavily filtered |
| ICMP Echo Ping | nmap -PE 192.168.1.0/24 | Sends ICMP Type 8 echo request; expects Type 0 reply; traditional ping method but widely blocked by firewalls |
| ICMP Timestamp Ping | nmap -PP 192.168.1.0/24 | Sends ICMP Type 13 timestamp request; expects Type 14 reply; alternative when echo requests are blocked |
| ICMP Netmask Ping | nmap -PM 192.168.1.0/24 | Sends ICMP Type 17 address mask request; expects Type 18 reply; rarely used but can bypass specific ICMP filters |
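
Seen from the defending side, each technique in Table 1 has a recognisable packet shape. The following is an added example, not part of the original cheat sheet: it classifies packets by those shapes and flags sources that fan out across many hosts. The record fields, sample addresses, the min_hosts threshold, and the assumption that the sensor only logs packets with no existing connection state are all illustrative.

```python
from collections import defaultdict

# ICMP request types listed in Table 1, mapped to the matching Nmap option.
ICMP_PROBES = {8: "ICMP Echo Ping (-PE)",
               13: "ICMP Timestamp Ping (-PP)",
               17: "ICMP Netmask Ping (-PM)"}
TCP_PROBES = {"S": "TCP SYN Ping (-PS)", "A": "TCP ACK Ping (-PA)"}


def classify(pkt):
    """Return the Table 1 technique an unsolicited packet resembles, or None."""
    if pkt["proto"] == "icmp":
        return ICMP_PROBES.get(pkt["icmp_type"])   # replies (0, 14, 18) -> None
    if pkt["proto"] == "tcp":
        return TCP_PROBES.get(pkt["flags"])        # bare SYN or bare ACK only
    if pkt["proto"] == "udp":
        return "UDP Ping (-PU)"
    return None


def find_sweeps(packets, min_hosts=4):
    """Map (source, technique) -> distinct hosts probed, keeping only fan-outs
    of at least min_hosts. One SYN or echo is normal; a spread is a sweep."""
    targets = defaultdict(set)
    for pkt in packets:
        technique = classify(pkt)
        if technique:
            targets[(pkt["src"], technique)].add(pkt["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_hosts}


def record(src, dst, proto, **fields):
    """Build one hypothetical sensor record (field names are assumptions)."""
    return {"src": src, "dst": dst, "proto": proto, **fields}


# Constructed sample: 10.0.0.99 sweeps six hosts two ways; 10.0.0.5 is a client.
SAMPLE = (
    [record("10.0.0.99", f"192.168.1.{i}", "icmp", icmp_type=13) for i in range(1, 7)]
    + [record("10.0.0.99", f"192.168.1.{i}", "tcp", flags="A", dport=80) for i in range(1, 7)]
    + [record("10.0.0.5", "192.168.1.10", "tcp", flags="S", dport=443),
       record("10.0.0.5", "192.168.1.10", "icmp", icmp_type=8),
       record("10.0.0.5", "192.168.1.1", "icmp", icmp_type=0)]
)

if __name__ == "__main__":
    for (src, technique), hosts in sorted(find_sweeps(SAMPLE).items()):
        print(f"{src}: {technique} against {hosts} hosts")
```

Counting distinct destinations per technique is what separates a sweep from ordinary traffic: the single SYN and echo request from 10.0.0.5 match a probe shape but never reach the threshold.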
