The nmap command example I run first against any host is nmap -sV -T4 192.0.2.10: a default TCP scan with service/version detection at a brisk timing template. That single line tells me which of the top 1000 ports are open and what is listening on each. Everything else on this page is a variation on that theme: change the discovery, change the port set, change how loud or careful the scan is. Below are the nmap command examples I actually use, in the order I usually reach for them, with honest notes on which need root and which behave differently from what the man page implies.
One ground rule before the commands: only scan hosts and networks you own or have explicit written permission to test. Port scanning a network you do not control is, in many jurisdictions, the kind of thing that gets logged and reported.
What does nmap do?
Nmap (Network Mapper) is a free, open-source tool that sends crafted packets to hosts and interprets the responses to discover which hosts are up, which ports are open, what services and versions are listening, and often what operating system the host is running. It is the de facto standard for network discovery and security auditing. The typical workflow is: discover live hosts on a subnet (-sn), scan their ports (the default TCP scan, or -p for a specific set), identify the services behind open ports (-sV), and optionally fingerprint the OS (-O) or run deeper probes through the Nmap Scripting Engine (--script). Most scan types that craft raw packets (SYN scan, OS detection, UDP scan) require root privileges; the connect scan (-sT) is the unprivileged fallback.
Host discovery: who is alive on this subnet
Find live hosts without scanning any ports. This is the ping sweep:
nmap -sn 192.168.1.0/24
-sn (formerly -sP) disables the port scan entirely. Nmap sends a mix of ICMP echo, TCP SYN to 443, TCP ACK to 80, and an ICMP timestamp request, then lists the hosts that answer. Run as root it also does ARP requests on the local segment, which is both faster and harder to block than ICMP.
If you only want the list of IPs and nothing else, skip discovery and just enumerate the targets nmap would scan:
nmap -sL 192.168.1.0/24-sL (list scan) sends no packets to the hosts at all. It does do reverse-DNS lookups by default, so it is not perfectly silent; add -n to skip DNS and make it fully passive.
The default scan: top 1000 TCP ports
With no scan-type flag, nmap scans the 1000 most common TCP ports:
nmap 192.0.2.10What it actually runs depends on your privileges. As root, the default is a SYN scan (-sS): nmap sends a SYN, watches for SYN/ACK (open) or RST (closed), and never completes the handshake. As an unprivileged user it falls back to a full TCP connect scan (-sT), which completes the three-way handshake and is therefore more likely to be logged by the target.
To be explicit about the SYN scan (and remember it needs root):
sudo nmap -sS 192.0.2.10The 1000 ports are not 1-1000. They are the 1000 statistically most common ports from nmap's nmap-services frequency data. To scan a specific port or range, use -p:
nmap -p 22,80,443 192.0.2.10
nmap -p 1-1024 192.0.2.10
nmap -p- 192.0.2.10-p- scans all 65535 ports. It is thorough and slow; do not run it as your first pass against a large range.
Service and version detection
Open is not enough. -sV probes each open port to identify the service and its version:
nmap -sV 192.0.2.10A typical slice of output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.24.0 (Ubuntu)
443/tcp open ssl/http nginx 1.24.0 (Ubuntu)
Version detection works by matching service banners and probe responses against the nmap-service-probes database. Tune how hard it tries with --version-intensity 0 (light, fast) to 9 (try every probe). -sV --version-all is shorthand for intensity 9.
OS fingerprinting
-O guesses the operating system from TCP/IP stack quirks:
sudo nmap -O 192.0.2.10OS detection needs root because it crafts and reads raw packets, and it needs at least one open and one closed port to fingerprint reliably. The result is a probability-ranked guess, not a fact: nmap will print something like OS details: Linux 5.4 - 5.15 with an accuracy percentage. Treat it as a hint, not gospel, especially across NAT or behind a load balancer.
A common combination is the "aggressive" scan, which bundles version detection, OS detection, default scripts, and traceroute:
sudo nmap -A 192.0.2.10-A is loud. It is fine for a host you own; it is exactly the wrong choice when you are trying to stay quiet.
Choosing a scan type
| Flag | Scan type | Needs root | Notes |
|---|---|---|---|
-sS | TCP SYN ("half-open") | Yes | Default when privileged. Fast, relatively quiet. |
-sT | TCP connect | No | Default when unprivileged. Completes handshake, more likely logged. |
-sU | UDP | Yes | Slow; UDP gives no SYN/ACK so nmap infers state from timeouts and ICMP. |
-sn | No port scan (host discovery) | No (ARP needs root) | Ping sweep only. |
-sV | Service/version detection | No | Layers on top of a port scan; not a scan type by itself. |
-O | OS detection | Yes | Needs one open and one closed port. |
-A | Aggressive (-sV -O + scripts + traceroute) | Yes | Convenient and noisy. |
Timing, scope, and staying out of trouble
Timing templates trade speed for stealth and reliability. -T4 is my default for networks I own:
nmap -sV -T4 192.0.2.10The templates run -T0 (paranoid, one probe every five minutes, for IDS evasion) through -T5 (insane, for fast LANs where you do not care about dropped results). -T3 is the implicit default; -T4 is faster and fine on modern links; -T0 and -T1 are genuinely for evading detection and will take hours.
Scope a scan by feeding targets from a file rather than the command line:
nmap -iL targets.txt -p 80,443 -oA web-scan-iL reads one target per line. -oA web-scan writes all three output formats at once: normal (.nmap), grepable (.gnmap), and XML (.xml). The XML is the one to keep; it feeds into reporting tools and into ndiff for comparing two scans over time.
A couple of flags worth knowing for accuracy and politeness:
-Pnskips host discovery and treats every target as up. Use it when a host blocks ping but you know it is there; without it nmap may skip a live-but-silent host entirely.-nskips reverse-DNS, which speeds up large scans and avoids hammering the DNS server with PTR lookups.--top-ports 100scans the 100 most common ports instead of 1000, for a faster first pass.
Firewall and IDS evasion flags
When a firewall or intrusion-detection system sits between you and the target, the default scan stands out. Nmap has a handful of options that make a scan harder to attribute or fingerprint. They are not magic (the Nmap reference guide is blunt that there is no silver bullet), and on an authorized engagement you usually want the opposite of stealth so the blue team can correlate your traffic. But these are the flags the evasion intent is built on:
sudo nmap -f 192.0.2.10
sudo nmap -D 198.51.100.5,198.51.100.6,ME 192.0.2.10
sudo nmap -g 53 192.0.2.10
sudo nmap --data-length 25 192.0.2.10-ffragments the probe packets, splitting the TCP header across several tiny IP packets (8 bytes or less after the IP header) so a simple packet filter cannot read it in one go. A second-fraises the fragment size to 16 bytes. Many modern firewalls reassemble fragments before inspecting, so this is far less effective than it was in 2005.-Druns a decoy scan: the target sees probes that appear to come from each decoy IP as well as your real address, so your scan hides in the noise.MEmarks your real position in the list. Decoys must be live hosts, or you risk SYN-flooding the target.-g(long form--source-port) sends from a fixed source port. Picking a commonly-allowed port like 53 (DNS) or 80 can slip past a firewall that trusts traffic from those ports.--data-lengthappends that many random bytes to each packet, changing the packet size signature some detection rules key on.
All four craft raw packets, so they need root. Decoys and source-port spoofing are exactly the techniques an IDS is tuned to catch, and on a real network they are as likely to raise an alert as avoid one. The same stealth-versus-detection tradeoff shows up at the application layer; I walk through it for injection testing in the sqlmap evasion and anti-detection guide.
The Nmap Scripting Engine
NSE runs Lua scripts for deeper enumeration and vuln checks. The default category runs with -sC (or as part of -A):
nmap -sC -sV 192.0.2.10Run a specific script or category by name:
nmap --script http-title 192.0.2.10
nmap --script "ssl-*" -p 443 192.0.2.10
nmap --script vuln 192.0.2.10The vuln category probes for known vulnerabilities. It is genuinely useful and genuinely intrusive; some scripts in it can crash fragile services. Read what a script does (nmap --script-help http-title) before pointing it at production. Scripts live in nmap's scripts/ directory; --script-updatedb rebuilds the index after you add your own.
When nmap is the wrong tool
Nmap maps reachable network surface. It does not test web-application logic, SQL injection, or authentication flaws behind an open port; that is a different layer. If port 443 is open and you need to probe the app behind it, nmap hands off to tools like sqlmap (covered in my sqlmap cheat sheet) for injection testing. Nmap also will not enumerate a local filesystem; for that the right tool is the shell, and the find command cheat sheet is the reference I keep open there.
Two more honest limits. A SYN scan against a stateful firewall can report ports as filtered rather than open or closed, which tells you a firewall is dropping packets, not whether the service exists. And UDP scans (-sU) are slow and unreliable by design, because a closed UDP port often simply does not answer, so nmap waits out the retransmission timeout on every silent port; budget the time, and add -sV (which sends protocol-specific payloads) if open ports come back as open|filtered.
FAQ
See also
- sqlmap cheat sheet: once nmap finds an open web port, this is the reference for probing the application behind it for SQL injection.
- sqlmap evasion and anti-detection: the application-layer version of the firewall/IDS evasion tradeoff covered above.
- The best SQL injection tools in 2026: where nmap fits in a wider offensive toolkit once a service is identified.
- Web application security vulnerabilities: the classes of flaw that live behind the open ports nmap surfaces.
- find command cheat sheet: the local-filesystem counterpart to network reconnaissance, for the post-access enumeration nmap does not do.
- External: Nmap Reference Guide, the Firewall/IDS Evasion and Spoofing section, and the nmap source repository.
Sources
Authoritative references this article was fact-checked against.
