Nmap is the ultimate tool for hackers and penetration testers in 2025, offering unmatched versatility for network reconnaissance, vulnerability scanning, and stealth operations. This article delivers a comprehensive list of the top 100 Nmap commands, alongside bonus cheat sheets for other hacker tools to round out your arsenal.
Why Nmap Dominates in 2025
Nmap (Network Mapper) excels at host discovery, port scanning, OS detection, and scripting, making it a must-have for red teamers, blue teamers, and ethical hackers. As of March 31, 2025, its continuous updates keep it a step ahead of modern cyber defenses.
Top 100 Nmap Commands
Basic Scanning
| Command | Description |
| --- | --- |
| `nmap target` | Default scan |
| `nmap -sS target` | Stealth SYN scan |
| `nmap -sT target` | TCP connect scan |
| `nmap -sU target` | UDP scan |
| `nmap -sN target` | TCP NULL scan |
| `nmap -sF target` | FIN scan |
| `nmap -sX target` | Xmas scan |
Host Discovery
| Command | Description |
| --- | --- |
| `nmap -sn target` | Ping scan only |
| `nmap -Pn target` | No host discovery |
| `nmap -PR target` | ARP ping |
| `nmap -PS80,443 target` | TCP SYN ping |
| `nmap -PA80 target` | TCP ACK ping |
| `nmap -PU53 target` | UDP ping |
| `nmap -PE target` | ICMP echo ping |
Port Scanning
| Command | Description |
| --- | --- |
| `nmap -p 22 target` | Single port scan |
| `nmap -p 1-1000 target` | Port range scan |
| `nmap -p- target` | All 65,535 ports |
| `nmap -F target` | Top 100 ports |
| `nmap --top-ports 10 target` | Top 10 ports |
| `nmap -p http* target` | Scan by service name |
| `nmap -sO target` | Protocol scan |
Service & OS Detection
| Command | Description |
| --- | --- |
| `nmap -sV target` | Service version detection |
| `nmap -O target` | OS detection |
| `nmap -A target` | Aggressive scan |
| `nmap --osscan-guess target` | Aggressive OS guess |
| `nmap --version-intensity 9 target` | Max version probe intensity |
| `nmap -sR target` | RPC scan |
| `nmap --version-all target` | Exhaustive version scan |
Nmap Scripting Engine (NSE)
| Command | Description |
| --- | --- |
| `nmap --script http-enum target` | Web directory enumeration |
| `nmap --script dns-brute target` | DNS subdomain brute-force |
| `nmap --script vulners target` | Vulnerability detection |
| `nmap --script smb-os-discovery target` | SMB OS info |
| `nmap --script ftp-anon target` | Anonymous FTP check |
| `nmap --script ssh-brute target` | SSH brute-force |
| `nmap --script http-vuln-cve2017-5638 target` | Specific CVE check |
| `nmap --script smtp-enum-users target` | SMTP user enumeration |
| `nmap --script snmp-info target` | SNMP details |
| `nmap --script http-title target` | Grab web page titles |
| `nmap --script ssl-enum-ciphers target` | SSL/TLS cipher check |
| `nmap --script mysql-info target` | MySQL server info |
Evasion & Stealth
| Command | Description |
| --- | --- |
| `nmap -f target` | Fragment packets |
| `nmap -D RND:10 target` | 10 random decoys |
| `nmap -sI zombie_host target` | Idle scan |
| `nmap --badsum target` | Invalid checksum packets |
| `nmap --spoof-mac 0 target` | Spoof random MAC |
| `nmap -g 53 target` | Source port spoofing |
| `nmap --data-length 50 target` | Append random data |
| `nmap --mtu 16 target` | Set MTU for fragmentation |
Timing & Performance
| Command | Description |
| --- | --- |
| `nmap -T0 target` | Paranoid timing |
| `nmap -T4 target` | Aggressive timing |
| `nmap --min-rate 1000 target` | Min packet rate |
| `nmap --max-rate 500 target` | Max packet rate |
| `nmap --min-parallelism 10 target` | Min parallel scans |
| `nmap --max-parallelism 1 target` | Sequential scans |
| `nmap --host-timeout 10m target` | Timeout per host |
| `nmap --scan-delay 1s target` | Delay between probes |
Output Options
| Command | Description |
| --- | --- |
| `nmap -oN file target` | Normal output to file |
| `nmap -oX file target` | XML output |
| `nmap -oG file target` | Grepable output |
| `nmap -v target` | Verbose mode |
| `nmap -d target` | Debugging output |
| `nmap --packet-trace target` | Show sent/received packets |
| `nmap --append-output file target` | Append to file |
Target Specification
| Command | Description |
| --- | --- |
| `nmap 192.168.1.0/24` | CIDR range scan |
| `nmap -iL targets.txt` | Scan from file |
| `nmap -iR 10 target` | Random 10 targets |
| `nmap --exclude 192.168.1.1 target` | Exclude host |
| `nmap -n target` | No DNS resolution |
| `nmap -R target` | Force DNS resolution |
Advanced Features
| Command | Description |
| --- | --- |
| `nmap --traceroute target` | Trace route to target |
| `nmap --reason target` | Show port state reasons |
| `nmap --allports target` | Scan all ports, no exclusions |
| `nmap --privileged target` | Assume root privileges |
| `nmap --unprivileged target` | Non-root mode |
| `nmap --script-args 'user=admin' target` | Pass script args |
| `nmap --script-timeout 30s target` | Script timeout |
| `nmap --max-retries 1 target` | Limit retries |
| `nmap --stats-every 5s target` | Progress updates |
| `nmap --ttl 32 target` | Set TTL |
| `nmap --proxies http://proxy:8080 target` | Use proxy |
Extra Power Moves
| Command | Description |
| --- | --- |
| `nmap --script-updatedb` | Update NSE database |
| `nmap --script-help http-enum` | Script documentation |
| `nmap --iflist` | List interfaces |
| `nmap --resume file` | Resume aborted scan |
| `nmap --min-hostgroup 50 target` | Min group size |
| `nmap --max-hostgroup 100 target` | Max group size |
| `nmap --initial-rtt-timeout 500ms target` | Initial RTT |
| `nmap --max-rtt-timeout 1s target` | Max RTT |
| `nmap --min-rtt-timeout 100ms target` | Min RTT |
| `nmap --defeat-rst-ratelimit target` | Bypass RST limits |
| `nmap --defeat-icmp-ratelimit target` | Bypass ICMP limits |
| `nmap --nsock-engine epoll target` | Optimize engine |
| `nmap --version-trace target` | Trace version probes |
| `nmap --webxml target` | XML with web styling |
| `nmap --open target` | Show only open ports |
| `nmap --port-ratio 0.9 target` | Scan high-ratio ports |
| `nmap --exclude-ports 22 target` | Skip specific ports |
| `nmap --randomize-hosts target` | Randomize target order |
| `nmap --scanflags URG target` | Custom TCP flags |
| `nmap --system-dns target` | Use system DNS |
Real-World Applications
Recon: `nmap -sn -PE 10.0.0.0/24` finds live hosts with ICMP.
Vuln Scanning: `nmap -sV --script vulners -p- target` hunts exploits.
Stealth: `nmap -sS -T2 -f -D RND:5 target` slips past basic defenses.
Web Hacking: `nmap --script http-enum,http-vuln-* -p80,443 target` targets web apps.
Firewall Detection: `nmap -sA 192.168.1.1` identifies firewall presence via ACK scan.
Quick Network Map: `nmap -sn 10.0.0.0/24 -oG map.txt` generates a grepable host list.
Service Fingerprinting: `nmap -sV -p 22,80,443 target` pinpoints exact service versions.
DNS Recon: `nmap --script dns-zone-transfer -p 53 target` attempts zone transfer.
SMB Enumeration: `nmap --script smb-enum-shares -p 445 target` lists SMB shares.
HTTP Method Check: `nmap --script http-methods -p 80 target` reveals allowed HTTP methods.
SSL Cert Analysis: `nmap --script ssl-cert -p 443 target` extracts SSL certificate details.
Brute-Forcing SNMP: `nmap --script snmp-brute -p 161 target` guesses SNMP community strings.
Ping Sweep: `nmap -PE -sn 172.16.0.0/16` finds live hosts with ICMP echo.
Stealthy Port Scan: `nmap -sS -T3 -Pn target` avoids ping for quieter scanning.
Vuln Exploit Check: `nmap --script vuln -p- target` scans for common vulnerabilities.
MySQL Dumping: `nmap --script mysql-dump -p 3306 target` attempts MySQL data extraction.
Web Spidering: `nmap --script http-crawl -p 80 target` maps website structure.
IP Spoofing: `nmap -S 10.0.0.99 target` fakes source IP for evasion.
OS Fingerprinting: `nmap -O --osscan-limit target` focuses on OS detection only.
Slow Scan Evasion: `nmap -T1 -f --data-length 200 target` minimizes detection risk.
Proxy Enumeration: `nmap --script http-open-proxy -p 8080 target` tests for open proxies.
Email Harvesting: `nmap --script http-email-harvest -p 80 target` grabs emails from web pages.
UDP Service Scan: `nmap -sU -p 123,161 target` probes common UDP services.
Custom Output: `nmap -A -oX scan.xml target` saves detailed results in XML.
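The grepable output from the Output Options table (`-oG`) is easy to audit against an approved-exposure list. The script below is an added example, not part of the original article: `unexpected_ports`, `make_sample`, the allowlist format (`ip port/proto` per line) and the sample scan lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: report open ports in Nmap grepable (-oG) output that are
# not on an allowlist. Allowlist format is an assumption of this example:
# one "ip port/proto" per line, "#" starts a comment line.

# unexpected_ports GREPABLE_FILE ALLOWLIST_FILE
# Prints "ip port/proto service" for every open port missing from the allowlist.
unexpected_ports() {
  awk -F'\t' '
    # First file on the command line is the allowlist.
    FILENAME == ARGV[1] {
      if ($0 != "" && $0 !~ /^#/) allowed[$0] = 1
      next
    }
    # Grepable records: "Host: ip (name)<TAB>Ports: ...<TAB>Ignored State: ..."
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        list = $i; sub(/^Ports: /, "", list)
        n = split(list, entry, ", ")
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/proto/owner/service/rpcinfo/version/
          split(entry[j], p, "/")
          key = ip " " p[1] "/" p[3]
          # Only the exact state "open" counts; "open|filtered" is skipped.
          if (p[2] == "open" && !(key in allowed))
            print key " " (p[5] == "" ? "unknown" : p[5])
        }
      }
    }
  ' "$2" "$1"
}

# Constructed sample of -oG output (tab-separated fields), not a real scan.
make_sample() {
  printf 'Host: 10.0.0.5 (web01)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 10.0.0.9 ()\tPorts: 3306/open/tcp//mysql///, 161/open|filtered/udp//snmp///\n'
}

scan_file=$(mktemp); allow_file=$(mktemp)
make_sample > "$scan_file"
printf '# approved exposure\n10.0.0.5 22/tcp\n' > "$allow_file"
unexpected_ports "$scan_file" "$allow_file"
rm -f "$scan_file" "$allow_file"
```

Run against the output of a scheduled scan of your own ranges, any line it prints is a service that was not approved and is worth a ticket.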
Bonus Hacker Tool Cheat Sheets
Expand your skills with these 2025-ready cheat sheets from external sources:
Pro Tips
Test on legal labs (e.g., Hack The Box).
Combine Nmap with Metasploit for full attack chains.
Stay ethical—skills are for authorized use only.
Conclusion
These 100 Nmap commands, paired with top-tier cheat sheets, arm you for any hacking challenge in 2025. Keep learning, stay sharp, and follow SquidHacker.com for more.