Nmap Cheat Sheet 2022 (PDF) - 100+ Nmap Commands List

Nmap stands for Network Mapper. It comes in free and is an open-source tool that is used for vulnerability scanning and network discovery. It is used by all the network administrators to identify which devices are running on the system, discover available hosts and services provided by them, find open ports as well as to detect security risks.

It can also be used to monitor single hosts and vast networks which encompass many devices and multitudes of subsets.

Over time it has evolved and is flexible but is a port-scan tool that is used to gather information by sending raw packets towards the system ports. It listens to all the responses sees whether the ports are open, closed, or filtered like a firewall. Port discovery or enumerations are other words that are used for port scanning.

Recommended: Download Nmap for Windows 10 & 11.


How Nmap Commands Work

How Nmap Commands Work

Packets that are sent out by Nmap return with IP addresses and other data thus allowing the user to identify different attributes of the network giving the user a profile or network map and allowing the creation of an inventory of the software and hardware.

Now, different protocols use different kinds of packet structures. It is used to employ transport layer protocols including TCP (Transmission Control Protocol), UDP (User Datagram Protocol), SCTP (Stream Control Transmission Protocol) and other supporting protocols like ICMP (Internet Control Message Transmission Protocol) which is used to send error messages.

Different protocols are used for various purposes and system ports like low resource overhead of UDP is good if you want real-time-streaming video but in this, some packets are lost in return for speed whereas non-real time streaming videos in Youtube is buffered and used much slower, albeit and reliable TCP.

Its fundamental port scanning and packet capture capabilities are being enhanced constantly.

100+ Nmap Commands Cheat Sheet – Massive List

Nmap Commands Cheat Sheet PDF

Nmap Ping Scan

Nmap –sp 

This one is quite famous as it is used to perform Nmap ping sweeps. Moreover, this is one of the easiest ways to detect hosts on any network.

Its only drawback is that at times it blocks IP-based ping packets so if you are not able to get solid results we suggest that you switch to ARP-based requests for the scan.

Basic Nmap Scan against IP or Host


You need to simply replace IP for the host if you wish to scan hostname:

Nmap securedyou.com

These kinds of scans are set perfect when you begin with Nmap.

  1. Scan IP Ranges
Recommended:  24 Useful Termux Commands List 2022 - PDF Download

It can be used to scan complete CIDR IP ranges such as:


This is used to scan consecutive 14 IP ranges starting from to

As an alternate the following kind of range can be used:


Wildcards can also be used to scan complete C class IP range like:

Nmap 1.1.1*

This shall scan 256 IP addresses ranging from to

If you wish to exclude specific IPs from the IP range scan then use the “-exclude” option:

Nmap –p 1.1.1.* --exclude

Scanning Most Popular Ports

OSCP Nmap Cheat Sheet

By using “-top-ports” parameter with specified number one can scan top X most common ports for that particular host like:

Nmap –top-ports 20 172.168.762

Now, we can replace “20” with the desired number, output example is shown below:

Nmap –top-ports 20

[root@securedyoushaheer:~]nmap --top-ports 20 localhost

21/tcp - For ftp

22/tcp - For ssh

23/tcp - For telnet

25/tcp - For smtp

53/tcp - For domain

80/tcp - For http

110/tcp - For pop3

111/tcp - For rpcbind

135/tcp - For msrpc

139/tcp - For netbios-ssn

143/tcp - For imap

443/tcp - For https

445/tcp - For microsoft-ds

993/tcp - For imaps

995/tcp - For pop3s

1723/tcp - For pptp

3306/tcp - For mysql

3389/tcp - For ms-wbt-server

5900/tcp - For vnc

8080/tcp - For http-proxy

Disabling DNS Name Resolution

If you wish to speed up your scan then you can select disable reverse DNS resolution for all the scans, for this all you need to do is add “-n” parameter. This can also be achieved with Wireshark.

[root@securedyoushaheer:~]nmap -p 80 -n
Normal vs port based DNS scan, the difference is clear:
[root@securitytrails:~]nmap -p 80

Detect Service/Daemon Versions

For this you need to use –sV parameters:

It is as followed:

[root@securedyoushaheer:~]nmap –sV localhost

Scan Specific Ports or Scan Entire port ranges on Local or Remote server

Nmap –p 1-5000 localhost

In this we scanned all 65535 ports for the localhost system, this is able to scan all the possible ports but we can also able to scan particular ports which are reported to give out faster results such as:

Nmap –p 80,443
  1. Scan Multiple IP Addresses

For this the following syntax needs to be used:


Moreover, consecutive IP addresses can also be scanned:


This shall scan , , and

ALSO CHECK: Download Nmap APK for Android 10, 11 and 12.

Scan Using TCP or UDP Protocols

The best thing about this one is that it works both with TCP and UDP protocols. While many services run on TCP users can get a lot of benefits by scanning services based on UDP. Following are some examples:

Recommended:  13 Types of Ethical Hackers and Hacking Groups To Watch in 2022

Standard TCP scanning output:

[root@securedyoushaheer:~]nmap -sT

UDP scanning results by using the “-sU” parameter

[root@securedyoushaheer:~]nmap -sU localhost

Nmap Cheat Sheet PDF Download

Below are the above commands and instructions saved in PDF file format.

Nmap Cheat Sheet (Latest)

How To Use Nmap Commands in the terminal

How to use Nmap Commands

Now for network administrators and security auditors, many free network monitoring utilities and free open-source vulnerability scanners are available. What makes this tool different is that along with port scanning it offers other functions as well:

  1. OS Detection: With this users can determine OP which is running on the device. Moreover, we can get other details like the name of the vendor, underlying OS, software version and the estimated uptime of the device.
  2. Network Mapping: This is used to identify devices on the network which is also known as host discovery including routers, switches, servers and how they are connected physically.
  3. Security Auditing: Once we know the OS version and apps running on network hosts then it helps network managers determine their vulnerability to particular flaws. Now, whenever a vulnerability alert is received by the admin in a particular version of the app like she can scan her network to see either version of the software is running on the network and takes a few steps to patch or even update specific hosts. Scripts are also used to automate tasks like detecting specific vulnerabilities.
  4. Service Discovery: It is not only able to identify network hosts but acts as mail, name, or web servers and specific app and versions of related software they run.

Recommended Cheat Sheets and Commands

  1. Google Dorks Cheat Sheet – SQL Injections and Credit Cards.
  2. Best Secure Coding Tips Cheat Sheet from OWASP.
  3. Kali Linux Wifi and Network Hacking Commands.
  4. Meterpreter Commands Full List.

Conclusion: Nmap Commands Cheat Sheet

Nmap is the best overall tool for network and host discovery, period. There is no question about this. However, it is not easy to use, complex and requires some command-line knowledge to be used. This is why we put together a detailed Nmap commands list that can be used by anyone as it contains 100+ commands that you can use for a variety of tasks.

Shaheer is the founder of SecuredYou. He is a cybersecurity freak and loves anything related to Computers and Technology. Apart from being a tech geek, he loves listening to music and going to the gym.


Please enter your comment!
Please enter your name here