Nmap Cheat Sheet: Top 10 Scan Techiques

June 19, 2025

15 min read

A practical cheat sheet explaining the top 10 Nmap scan techniques — how they work, when to use them, and how to configure scan scope, speed, and output.

Arthur Kotylevskiy CEO @ Netlas.io

Tags:

Nmap is a widely used open-source tool in cybersecurity, known for its powerful network scanning and analysis capabilities. It’s free, supports a wide range of scan techniques, and is versatile enough for many use cases.

That said, if you don’t use it every day, you probably forget most of the options — I certainly do. I tend to remember just a few basic flags and end up checking the man page every time I need something more advanced. So, I’ve put together this cheat sheet of the most commonly used commands. Hopefully, it helps you find the right option faster — or even discover something new.

Additional options for controlling scan scope, speed, and output are covered in the sections below. A short FAQ is included at the end of this post for readers new to Nmap or unfamiliar with its basics.

TOP 10 Most Practical Nmap Scanning Methods

Option	Name	Description
`-sn`	Ping Scan	Discovers live hosts without performing a port scan.
`-sT`	TCP Connect Scan	Full TCP handshake — used when SYN scan is unavailable (e.g., non-root).
`-sS`	SYN Scan	Stealthy TCP scan that sends SYN packets without completing connections.
`-sU`	UDP Scan	Sends UDP packets to identify open UDP ports.
`-sA`	ACK Scan	Sends ACK packets to detect firewall rules and filtering behavior.
`-sV`	Version Detection	Attempts to determine service versions on open ports.
`-O`	OS Detection	Tries to identify the target’s operating system based on network behavior.
`-sC`	Default Script Scan	Runs a default set of NSE scripts for extended service enumeration.
`-D`	Decoy Scan	Sends packets from decoy IPs to mask the real source of the scan.
`-sI`	Idle Scan	Stealthy scan using a zombie host to hide the scanner’s IP.

I skip¹ several rarely used or situational scan techniques to maintain clarity and focus on the most practical methods.

Let’s take a closer look at how to use these methods effectively in practice.

Root Privileges Required

Most Nmap scan methods — especially those that send raw packets — require root privileges to work properly. Only a few methods, such as TCP Connect Scan, and Version Detection, can be performed without elevated access.

0. Default Scan

If you run nmap with no scan options, just a target, Nmap performs the default scan, which includes the following:

Host Discovery: Uses ICMP and TCP probes to check if the host is up.
DNS Resolution: Performs forward or reverse DNS lookup, depending on whether a hostname or IP address is provided.
Scan Type: TCP Connect (-sT) if not run as root, or SYN Scan (-sS) if run as root.
Port Range: Scans the 1,000 most common TCP ports, as defined in the nmap-services database².

So running Nmap with no options is roughly equivalent to:

nmap -sT -T3 [target]   # if run as user or
nmap -sS -T3 [target]   # if run as root

1. Ping Scan

To check which hosts are online without scanning their ports — ideal for network inventory or reachability checks.

Before scanning ports, Nmap typically performs host discovery — a ping sweep to identify which targets are online. By default, it sends a combination of ICMP echo, TCP SYN (to port 443), and TCP ACK (to port 80) probes. You can limit the scan to this phase only by using the -sn option.

You can customize the probes Nmap uses by explicitly setting them with these options:

-PE — ICMP Echo Request
-PP — ICMP Timestamp Request
-PM — ICMP Netmask Request
-PS — TCP SYN to specific ports
-PA — TCP ACK to specific ports
-PU — UDP packets to specific ports

Examples:

Use the default probe set to check which hosts are online:
```
nmap -sn 192.168.1.0/24
```
Send only TCP SYN probes to ports 22 and 80:
```
nmap -sn -PS22,80 192.168.1.0/24
```
Skip host discovery and assume all hosts are online:
```
nmap -Pn 192.168.1.0/24
```

2. TCP Connect Scan

To confirm if a service fully accepts TCP connections by completing the full three-way handshake — more accurate in detecting responsive services.

This method performs a full three-way TCP handshake with each target port by calling the operating system’s standard connect() system call. It sends a SYN, waits for a SYN-ACK, and responds with an ACK, thereby fully establishing the connection. If the handshake completes, the port is marked open. If a RST is received instead, the port is considered closed.

Because it uses the OS networking stack, -sT does not require root privileges. However, it is more easily detected and logged by firewalls and intrusion detection systems (IDS), since it completes real TCP sessions. It’s also generally slower and less stealthy than a SYN scan (-sS).

Example:

nmap -sT 192.168.1.1

This runs a TCP Connect scan on the target, testing each port by completing an actual connection.

3. SYN Scan

To quickly and stealthily identify open TCP ports by sending SYN packets without completing full connections.

SYN Scan, also known as half-open scan, is Nmap’s default and most commonly used scanning technique. It sends a TCP SYN packet to each target port and analyzes the response:

If a SYN-ACK is received, the port is open.
If a RST is received, the port is closed.
If no response or an ICMP error is returned, the port is likely filtered.

Unlike -sT, SYN scan does not complete the TCP handshake — after receiving SYN-ACK, it immediately sends a RST to tear down the connection. This makes it stealthier, faster, and harder to detect by standard logging tools, though many IDS/IPS systems still flag it today.

Example:

nmap -sS 192.168.1.1

Performs a SYN scan, testing which ports respond with SYN-ACK and appear open.

4. UDP Scan

To detect open UDP ports by sending UDP packets and analyzing the presence or absence of ICMP errors.

UDP scan sends empty UDP packets to target ports and interprets responses to determine port state. If an ICMP Port Unreachable (Type 3, Code 3) message is received, the port is considered closed. If there’s no response, the port is marked as open|filtered, meaning it could be open, silently dropped, or blocked by a firewall. Some ports may return application-layer replies (like DNS or SNMP), confirming they are open.

UDP scanning is slower and less reliable than TCP scanning because of the lack of acknowledgments in the protocol and widespread rate-limiting of ICMP responses. However, it’s a good way to discover UDP services.

Example:

nmap -sU 192.168.1.1

Performs a basic UDP scan across the default top 1,000 ports.

5. ACK Scan

To probe firewall behavior by checking whether ACK packets are filtered or pass through to the target.

ACK scan is used primarily for firewall rule analysis, not port discovery. It sends TCP packets with only the ACK flag set. Because these packets do not initiate a connection, they don’t elicit the usual SYN-ACK or RST responses. Instead:

If a RST is returned, the port is unfiltered — the packet was allowed through.
If there is no response, or an ICMP unreachable error, the port is likely filtered by a firewall.

This scan is useful for mapping out firewall rules and understanding whether traffic to a port is being silently dropped or explicitly rejected.

Example:

nmap -sA 192.168.1.1

Scans the target using ACK probes to analyze firewall filtering behavior.

6. Version Detection

To identify the software and version running on open ports by analyzing responses to probe messages.

This method connects to open ports and interacts with the running services to determine their type and version. Nmap sends a set of predefined probes and compares the responses against its internal nmap-service-probes database³.

By default, Nmap uses --version-intensity 9, which means it tries all available probes to maximize detection accuracy. This produces thorough results but can increase scan duration and network noise. You can reduce the intensity to speed up scans or be less intrusive:

--version-intensity 0: Fastest — only tries the most likely probes.
--version-intensity 1–8: Adds more probes progressively.
--version-intensity 9: Default — tries all probes for maximum accuracy.

Example:

nmap -sV --version-intensity 5 192.168.1.1

Use lower values if you want quicker scans or are working in stealth-sensitive environments.

7. OS Detection

To determine the target system’s operating system based on TCP/IP stack fingerprinting.

OS Detection uses TCP/IP stack fingerprinting to identify the target’s operating system. Nmap sends a series of crafted TCP, UDP, and ICMP probes to the target and observes subtle differences in how the system responds — such as TTL values, TCP window sizes, TCP options, ICMP codes, and fragmentation behavior. These response patterns are compared against Nmap’s internal fingerprint database, nmap-os-db⁴, to find the closest match.

This method works best when multiple open and closed ports are available, as it needs diverse response contexts for reliable fingerprinting.

Use the --osscan-guess option to instruct Nmap to make an educated guess about the OS even when confidence is low or when multiple matches exist. This is useful in uncertain situations where you’d still like to get the most probable OS information.

Example:

nmap -O --osscan-guess 192.168.1.1

8. Default Script Scan

To perform basic reconnaissance using standard Nmap scripts for service info, SSL details, DNS lookups, and more.

The Default Script Scan uses Nmap’s Scripting Engine (NSE) to run a curated set of scripts classified as safe and default. These scripts are designed to extract additional information from services running on open ports — such as banner data, SSL/TLS certificate details, HTTP headers, DNS info, and basic vulnerabilities.

9. Decoy Scan

To hide the source of a scan by mixing the attacker’s IP with several decoy addresses.

Decoy scan uses spoofed IP addresses to hide the true source of a scan, making it harder for intrusion detection systems (IDS) and firewalls to identify the attacker. Nmap sends packets that appear to come from multiple IP addresses, only one of which is the actual scanner. This technique is useful for evasion, especially when scanning monitored or sensitive networks. You can provide a list of decoy IPs manually, using ME to indicate your real IP.

Example:

nmap -D 10.0.0.1,10.0.0.2,ME 192.168.1.1

This command sends packets that appear to originate from three sources — 10.0.0.1, 10.0.0.2, and your actual host — making it difficult to determine which IP is performing the scan.

10. Idle Scan

To conduct a completely stealthy port scan by using a third-party zombie host to interact with the target.

Idle scan is an advanced and stealthy scanning technique that allows you to probe a target without revealing your own IP address. It leverages a third-party machine, known as a zombie, to send packets on your behalf. The technique exploits predictable IP identification (IPID) sequence numbers in the zombie’s IP stack.

The scan works as follows:

Nmap first checks the zombie’s IPID behavior to ensure it’s incremental and predictable.
Nmap then sends a spoofed SYN packet to the target, pretending it came from the zombie.
If the target port is open, it replies to the zombie with a SYN-ACK, prompting the zombie to send back an RST — increasing its IPID by 1.
If the port is closed, the target replies with a RST directly to the zombie — but the zombie does not respond, so its IPID remains unchanged.
Nmap probes the zombie before and after to detect these IPID changes and infer the target port’s status.

Since the target believes the zombie is initiating the connection, the actual scanner’s IP never appears in any traffic reaching the target — making this one of the most covert methods available. However, it requires finding a suitable zombie: an idle host with no firewall and a globally incrementing IPID counter, which is rare on modern systems.

Example:

nmap -sI 192.168.1.50 192.168.1.1

This command scans 192.168.1.1 using 192.168.1.50 as the zombie. If the zombie meets the requirements, the scan can be conducted with complete anonymity from the scanner’s perspective.

    sequenceDiagram
	    participant Scanner
	    participant Zombie as Zombie<br>192.168.1.50
	    participant Target as Target<br>192.168.1.1
	
	    Scanner->>Zombie: Probe for IPID
	    Zombie-->>Scanner: Baseline IPID
	
	    Scanner->>Target: SYN spoofed from Zombie
	
	    alt Port opened
	          Target->>Zombie: SYN-ACK
	          Zombie-->>Target: RST, IPID incremented
	    else Port closed
	          Target->>Zombie: RST
	    end
	
	    Scanner->>Zombie: Probe IPID again
	    Zombie-->>Scanner: Return updated IPID
	
	    alt IPID incremented
	        Scanner->>Scanner: OPENED
	    else IPID not changed
	        Scanner->>Scanner: CLOSED / FILTERED
	    end

Important Notes

Zombie selection is critical — Nmap will abort if the chosen zombie is not idle or does not have predictable IPID behavior.
Idle scan only works on IPv4 (not IPv6).

Scan Configuration Options

Now that we’ve covered the main scanning methods, let’s explore the range of options Nmap provides to control how a scan is performed, what it targets, and how the results are displayed.

Defining Scan Scope

This performs a basic port scan on a single IP:

nmap 192.168.1.1

To scan multiple hosts, list the target IPs separated by spaces:

nmap 192.168.1.1 192.168.1.2

Scanning a Range of IPs

nmap 192.168.1.1-254

nmap 192.168.1.0/24

Excluding Specific Hosts

To exclude certain hosts from a scan, use the --exclude or --excludefile option.

nmap 192.168.1.0/24 --exclude 192.168.1.10,192.168.1.20

This command will run a basic scan of the subnet while excluding two IPs.

Scanning from a File

In practice, target lists are often stored in a file. Just format it with one IP address or hostname per line, and use the -iL option to scan it:

nmap -iL targets.txt

Specifying Ports

By default, Nmap scans the top 1000 most commonly used TCP ports. To narrow or customize the scan scope, use the -p option to specify exactly which ports to scan. You can list individual ports, ranges, or combinations.

nmap -p 22,80,443 192.168.1.1

nmap -p 1-1024 192.168.1.1

nmap -p U:53,T:80 192.168.1.1   # Scan UDP port 53 and TCP port 80

Controlling Scan Speed

Nmap provides detailed options for controlling scan speed, packet rate, and parallelism. These parameters help balance performance, accuracy, stealth, and network impact — especially useful when scanning large networks or working in sensitive environments.

To perform a scan with different timing profiles:

nmap -T1 192.168.1.0/24   # Slow, stealthy scan

nmap -T4 192.168.1.0/24   # Fast, noisy scan

By default, Nmap uses the -T3 timing template, which offers a moderate balance between speed and accuracy.

Timing Templates

Timing templates are the most straightforward way to adjust scan speed and aggressiveness:

-T0: Paranoid — extremely slow, minimizes detection risk.
-T1: Sneaky — very slow and cautious.
-T2: Polite — slower than default, reduces network impact.
-T3: Normal — default setting, balanced performance.
-T4: Aggressive — faster, suitable for stable networks.
-T5: Insane — maximum speed, likely to trigger alarms.

Probe Delay

These options introduce or limit delays between probes:

nmap --scan-delay 500ms 192.168.1.1   # Fixed 500ms delay between probes

nmap --max-scan-delay 1s 192.168.1.1   # Cap adaptive delay at 1 second

Packet Rate

Control how many packets Nmap sends per second:

nmap --min-rate 100 192.168.1.1   # Send at least 100 packets per second

nmap --max-rate 50 192.168.1.1    # Send no more than 50 packets per second

Probe Parallelism

Control how many probes are sent simultaneously:

nmap --min-parallelism 10 192.168.1.1

nmap --max-parallelism 50 192.168.1.1

Host Group Size

Adjust how many hosts are scanned in parallel:

nmap --min-hostgroup 20 -iL targets.txt   # Scan at least 20 hosts at a time

nmap --max-hostgroup 100 -iL targets.txt  # Scan no more than 100 hosts at a time

Host Timeout

Abort scanning of any host that takes too long to respond:

nmap --host-timeout 2m 192.168.1.0/24   # Skip hosts that take longer than 2 minutes

This option ensures Nmap doesn’t get stuck on slow or unresponsive hosts, which is especially useful in large network scans. Without --host-timeout, Nmap uses adaptive timing based on network conditions — there is no fixed timeout by default, so scans may take significantly longer on unstable or firewalled hosts.

Randomizing Target Order

By default, Nmap scans hosts in the order listed. Use this option to shuffle the order — useful for evasion or load distribution:

nmap --randomize-hosts -iL targets.txt

Controlling Nmap Output

Nmap offers several options to adjust the level of detail in its output and to export scan results in different formats. These options are useful for debugging, scripting, reporting, or simply staying informed during long-running scans.

Verbosity and Debugging

Use -v or -vv to increase the verbosity of output. This provides more information during the scan process, such as probe stages, host discovery, and port analysis progress. Use it when you want more real-time feedback.

nmap -v 192.168.1.1     # Verbose output
nmap -vv 192.168.1.1    # Very verbose output

For even more insight into Nmap’s behavior, use -d, -d2, or higher debug levels. This shows internal logic and probe details — helpful for troubleshooting or understanding how a scan works.

nmap -d2 192.168.1.1    # Detailed debug output

Saving Output to Files

Nmap supports multiple output formats:

nmap -oN results.txt 192.168.1.1   # Saves standard output to results.txt

nmap -oX results.xml 192.168.1.1   # XML format

nmap -oG results.grep 192.168.1.1   # Grep-friendly output

nmap -oA scan 192.168.1.1   # All at once - scan.nmap, scan.xml, and scan.gnmap

Real-Time Scan Statistics

For monitoring long scans or large target lists, use --stats-every to get periodic updates during a scan.

nmap --stats-every 10s -iL targets.txt

Nmap Usage FAQ

If you’re new to Nmap, you’ll find answers to a few frequently asked questions below to help you get started.

What Is Nmap Used For?

Nmap (Network Mapper) is a powerful network scanning tool primarily used for port scanning, host discovery, and vulnerability assessment. Over the years, Nmap has continuously evolved with new features and updates, but its core purpose remains the same — to serve as an essential network scanner.

Key Uses of Nmap:

Network Exploration: Identifying live hosts and mapping network topologies.
Service Enumeration: Detecting services running on open ports and their versions.
Security Auditing: Assessing potential vulnerabilities in your network.

Nmap is widely used by organizations of all sizes, from small businesses to large enterprises, for tasks like semi-automated and manual port audits, host monitoring, penetration testing, and more.

At its core, Nmap works by analyzing IP packets to identify remote hosts, detect operating systems, and uncover running services. It sends specially crafted packets and waits for responses, which it then analyzes. The type of packet sent and the analysis methods depend on the user’s input — specifically, the options chosen when running the scan.

What are the basic Nmap functions?

Nmap is primarily employed to scan networks and gather comprehensive details about hosts. It is indispensable for penetration testers and network administrators who need to identify active devices, reveal open ports, detect running services, and deduce operating systems. By leveraging its extensive range of command options, Nmap can perform rapid scans for a quick overview or detailed investigations for deeper security insights.

Key Functions Include:

Host Discovery: Locating active devices on a network.
Port Enumeration: Identifying open, closed, and filtered ports.
Service Detection: Determining what applications and services are running on each port.
OS Fingerprinting: Inferring the operating systems in use.
Scripted Assessments: Utilizing NSE scripts to automate vulnerability detection and other custom checks.

Is Nmap Free?

Yes, Nmap is free for personal and most commercial uses. It is released as open source under a permissive license, allowing anyone to download, modify, and use it for network mapping and security assessments. However, Nmap uses a dual licensing model — while it’s free under the GPL for general use, a paid commercial license is required for proprietary redistribution or embedding it into closed-source software or commercial products. This model helps support ongoing development while keeping Nmap accessible to the security community.

Is Nmap Legal?

Yes, Nmap is legal to use — when used responsibly and with proper authorization. The legality depends entirely on your intent and whether you have explicit permission to scan the target systems. Scanning your own infrastructure or systems where you have been clearly authorized is fully legal and a common practice in security assessments.

Important Points to Remember:

Always Get Permission: Never scan networks or systems that you don’t own or administer without documented consent.
Check Local Laws: Cybersecurity laws vary by country and region. When in doubt, consult legal guidance and obtain written authorization.
Act Ethically: Even if scanning is technically possible, ethical use ensures you avoid legal trouble and unintended consequences.

How to install Nmap?

Nmap is available on most platforms and can be easily installed using native package managers. Some Linux distributions, especially those tailored for penetration testing — like Kali Linux, Parrot OS, and BackBox — come with Nmap preinstalled.

Linux

For most general-purpose distributions, Nmap can be installed via the system’s package manager:

Debian/Ubuntu
```
sudo apt update
sudo apt install nmap
```

CentOS/RHEL (with EPEL)

sudo dnf install epel-release
sudo dnf install nmap

Fedora
```
sudo dnf install nmap
```
Arch Linux
```
sudo pacman -S nmap
```

macOS

On macOS, the easiest way to install Nmap is via Homebrew:

brew install nmap

Windows

On Windows, it is recommended to download the official installer from the Nmap download page. It includes the Nmap command-line tool, the Npcap packet capture driver (required for raw packet scanning), and optional components like Zenmap, Ncat, and Ndiff.

Nmap Graphical Interface

While the most common way to use Nmap is through the command-line interface (CLI), a graphical interface is also available. It’s called Zenmap, and it can be installed on most systems using the same method as installing Nmap itself.

Do Firewalls Block Nmap?

Yes — firewalls are designed to filter or block suspicious traffic and can interfere with Nmap scans by dropping probe packets, limiting responses, or making ports appear filtered. This can affect both host discovery and port scanning accuracy.

However, many of Nmap’s options allow users to bypass or analyze firewall behavior. Techniques such as adjusting probe types (-PS, -PA, -PU), using decoy addresses (-D), or tuning timing parameters (-T, --scan-delay) were already covered in earlier sections.

For more advanced evasion, Nmap also supports packet fragmentation (-f) and other stealth techniques.

Are there any easier-to-use Nmap alternatives?

Yes, several tools offer simpler or more user-friendly interfaces than Nmap.

Nmap Cheat Sheet: Top 10 Scan Techiques

TOP 10 Most Practical Nmap Scanning Methods

0. Default Scan

1. Ping Scan

2. TCP Connect Scan

3. SYN Scan

4. UDP Scan

5. ACK Scan

6. Version Detection

7. OS Detection

8. Default Script Scan

9. Decoy Scan

10. Idle Scan

Scan Configuration Options

Defining Scan Scope

Scanning a Range of IPs

Excluding Specific Hosts

Specifying Ports

Controlling Scan Speed

Probe Delay

Packet Rate

Probe Parallelism

Host Group Size

Host Timeout

Controlling Nmap Output

Verbosity and Debugging

Saving Output to Files

Nmap Usage FAQ

What Is Nmap Used For?

What are the basic Nmap functions?

Is Nmap Free?

Is Nmap Legal?

How to install Nmap?

Do Firewalls Block Nmap?

Are there any easier-to-use Nmap alternatives?

Related Posts