Nmap Cheat Sheet for Ethical Hacking: Top Commands for Scanning, Enumeration & VAPT
The Nmap commands for ethical hacking covered in this guide are the ones that appear most in CEH v13 exams, VAPT engagements, and junior penetration testing interviews in India. This is not a comprehensive manual of every Nmap flag. It is a practical cheat sheet of the commands you will actually use.
Nmap (Network Mapper) is the standard starting point for almost every network security assessment. Before you can test for vulnerabilities, you need to know which hosts are live, which ports are open, which services are running, and which versions those services are. Nmap answers all four questions.
This Nmap tutorial for beginners covers host discovery, port scanning, version and OS detection, NSE scripting, enumeration, and output formatting. Every command here is intended for use in authorised lab environments only: your own machines, intentionally vulnerable practice targets, or platforms like TryHackMe and Hack The Box where testing is explicitly permitted.
What Is Nmap and Why Do Ethical Hackers and VAPT Professionals Use It in India?
Nmap is a free, open-source network scanning tool used to discover hosts, identify open ports, detect running services, and fingerprint operating systems on a network, and it is the most widely used reconnaissance tool in ethical hacking and VAPT engagements globally.
For students in India preparing for cybersecurity careers, Nmap is not optional knowledge. It appears directly in CEH v13 scanning and enumeration modules, in OSCP lab requirements, and in technical interview questions at Indian IT security firms and MSSPs. Employers hiring for VAPT roles in India consistently list Nmap as a required hands-on skill alongside tools like Burp Suite and Metasploit.
Why Nmap is the standard starting tool for ethical hackers:
- It works across all major operating systems and comes pre-installed on Kali Linux
- It covers the full reconnaissance phase: from finding live hosts to identifying specific service versions
- It integrates with other tools like Metasploit through XML output, making it part of a larger VAPT workflow
- It is actively maintained and updated, with an extensive scripting engine for advanced use
Understanding network scanning for ethical hacking begins with Nmap, and for most penetration testers and VAPT professionals, it never stops being part of their toolkit regardless of experience level.

What Are the Most Essential Nmap Commands Every Ethical Hacker Should Know?
The most essential Nmap commands for ethical hacking cover six core functions: host discovery, basic port scanning, version detection, OS detection, aggressive scanning, and NSE scripting.
These commands form the baseline every student should practice before attempting CEH labs, VAPT assignments, or technical interviews. Knowing what each flag does and when to use it is more important than memorising syntax, because interviewers ask about reasoning, not just command names.
Core Nmap Commands Cheat Sheet:
| Command | Syntax | What It Does | When to Use |
|---|---|---|---|
| Ping Scan (Host Discovery) | nmap -sn 192.168.1.0/24 | Finds live hosts without port scanning | First step of any network assessment |
| SYN Scan (Stealth) | nmap -sS <target> | Half-open TCP scan, less detectable | Default choice for port scanning in most assessments |
| TCP Connect Scan | nmap -sT <target> | Full TCP connection scan | When SYN scan requires root/admin privileges |
| UDP Scan | nmap -sU <target> | Scans UDP ports | Finding services like DNS, SNMP, DHCP |
| Version Detection | nmap -sV <target> | Identifies service versions on open ports | After initial port scan to gather service details |
| OS Detection | nmap -O <target> | Fingerprints the target operating system | Identifying OS for CVE research |
| Aggressive Scan | nmap -A <target> | Runs OS detection, version detection, scripts, and traceroute | Comprehensive single-pass scan in lab environments |
| Specific Port Scan | nmap -p 80,443,22 <target> | Scans only specified ports | When you know which ports to investigate |
| All Ports Scan | nmap -p- <target> | Scans all 65,535 ports | Full coverage when default port range is not enough |
| Scan with Verbosity | nmap -v <target> | Shows real-time output as scan runs | Monitoring progress on longer scans |
These Nmap commands for ethical hacking are the ones that appear most frequently in penetration testing reconnaissance tasks and CEH lab exercises. Practice each one in your Kali Linux lab environment until the syntax and purpose of every flag become second nature.
How Do You Use Nmap for Host Discovery to Find Live Systems on a Network?
Host discovery is always the first phase of a network security assessment, and Nmap provides several techniques for finding live systems depending on the network environment and whether ICMP is blocked.
Running a full port scan against an entire subnet is slow and noisy. Host discovery lets you first identify which IP addresses are actually active, then focus your detailed scanning on those specific targets. This is standard practice in both VAPT engagements and CEH lab exercises.
Nmap Host Discovery Commands:
```bash
nmap -sn 192.168.1.0/24      # Ping scan, no port scan, finds live hosts in subnet
nmap -sn -PS 192.168.1.0/24  # TCP SYN ping, useful when ICMP is blocked
nmap -sn -PA 192.168.1.0/24  # TCP ACK ping, bypasses some firewalls
nmap -sn -PR 192.168.1.0/24  # ARP scan, fastest and most reliable on local networks
nmap -Pn 192.168.1.100       # Skip host discovery, treat target as live (use when ping is blocked)
```
The -sn flag (no port scan) combined with a subnet range is the most common starting command for network scanning in ethical hacking assessments. On local networks, -PR (ARP scan) is faster and more reliable than ICMP-based discovery because ARP requests cannot be blocked by host firewalls the way pings can.
Ethical hacking tools on Kali Linux include Nmap pre-installed, so no setup is required beyond opening a terminal and running these commands against your own lab network or a practice target on TryHackMe.
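As an added example (not code from the original post), the short Python script below parses the grepable output of `nmap -sn -oG -`, keeps only hosts reported Up, writes them as a targets file for `-iL`, and builds the argv of the follow-up SYN/version scan; the sample scan text, the `live.txt` path and the `targeted` output base name are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sn -oG -` output (grepable format); not real scan data.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.37 (printer.lan)\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

# "Host: <ip> (<hostname>)<tab>Status: <Up|Down>" is the per-host line of -oG ping-scan output
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def live_hosts(gnmap_text: str) -> Dict[str, str]:
    """Return {ip: hostname} for every host reported Up; comment lines and repeats are skipped."""
    hosts: Dict[str, str] = {}
    for line in gnmap_text.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.setdefault(m.group(1), m.group(2))
    return hosts


def targets_file(hosts: Dict[str, str]) -> str:
    """Contents of a targets file for `nmap -iL`: one IP per line, in numeric address order."""
    ordered = sorted(hosts, key=lambda ip: tuple(int(octet) for octet in ip.split(".")))
    return "".join(ip + "\n" for ip in ordered)


def followup_command(targets_path: str, output_base: str) -> List[str]:
    """argv for the detailed scan that follows discovery: SYN + version scan, saved with -oA.
    -Pn is appropriate here because every address in the file was already confirmed live."""
    return ["nmap", "-Pn", "-sS", "-sV", "-iL", targets_path, "-oA", output_base]
```

Write `targets_file(live_hosts(text))` to disk, then run the list returned by `followup_command` with `subprocess.run` to scan only the confirmed hosts.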
How Do You Use Nmap Port Scanning Commands to Identify Open Ports and Running Services?
Nmap port scanning is the phase that produces the most actionable information in a penetration test, identifying which ports are open, closed, or filtered on a target system.
Different scan types work differently at the TCP level and have different implications for speed, accuracy, and how detectable they are to intrusion detection systems. Choosing the right scan type for the right situation is a skill CEH v13 and VAPT professionals are expected to demonstrate.
Nmap Port Scanning Commands by Scan Type:
| Scan Type | Command | How It Works | Best Used When |
|---|---|---|---|
| SYN Scan (Half-Open) | nmap -sS <target> | Sends SYN, receives SYN/ACK, never completes handshake | Default port scan, requires root/sudo |
| TCP Connect Scan | nmap -sT <target> | Completes full TCP handshake | No root access available |
| UDP Scan | nmap -sU <target> | Sends UDP packets, waits for ICMP unreachable response | Finding UDP services like DNS (53), SNMP (161) |
| FIN Scan | nmap -sF <target> | Sends FIN packet, open ports do not respond | Evading basic packet filters |
| NULL Scan | nmap -sN <target> | Sends packet with no flags set | Firewall evasion testing |
| XMAS Scan | nmap -sX <target> | Sends FIN, PSH, URG flags set | Firewall evasion testing |
| Top 1000 Ports | nmap <target> | Default scan of 1000 most common ports | Quick first assessment |
| All Ports | nmap -p- <target> | Scans all 65,535 ports | Comprehensive coverage |
| Custom Port Range | nmap -p 1-1024 <target> | Scans specified range only | Focused assessment |
Nmap port scanning commands with the -sS flag (SYN scan) require root or sudo privileges on Linux systems. If you receive a permission error, either run with sudo nmap -sS or switch to -sT which does not require elevated privileges.
All port scanning should only be performed on systems you own or have explicit written authorisation to test. Running Nmap against unauthorised networks is illegal regardless of intent.
How Do You Use Nmap for Service Version Detection and OS Fingerprinting in a VAPT Engagement?
Nmap service version detection (-sV) and OS fingerprinting (-O) go beyond identifying open ports to tell you exactly what software and operating system version is running on the target, which is essential for identifying specific CVEs in a VAPT engagement.
Knowing that port 22 is open tells you SSH is likely running. Knowing it is OpenSSH 7.4 on CentOS 7 tells you which known vulnerabilities apply to that exact configuration and whether the system is running an unpatched version. This is the information that makes a VAPT report actionable rather than generic.
Version Detection and OS Fingerprinting Commands:
```bash
nmap -sV <target>                        # Detects service versions on all open ports
nmap -sV --version-intensity 9 <target>  # Maximum version detection accuracy (slower)
nmap -O <target>                         # OS fingerprinting (requires root/sudo)
nmap -O --osscan-guess <target>          # Forces OS guess even with limited information
nmap -A <target>                         # Aggressive: runs -sV, -O, scripts, and traceroute together
nmap -sV -O -p 22,80,443 <target>        # Version + OS detection on specific ports only
```
Important note on the -A flag: The aggressive scan (-A) is the most comprehensive single command but also the noisiest. It generates significantly more traffic than individual flag combinations and will trigger most intrusion detection systems. Use -A in lab environments and authorised VAPT engagements only, not in sensitive production assessments where stealth is required.
How Do You Use the Nmap Scripting Engine (NSE) for Vulnerability Scanning and Enumeration?
The Nmap Scripting Engine (NSE) extends Nmap’s capabilities from basic scanning into active vulnerability detection and service enumeration by running pre-written scripts against target systems during a scan.
NSE scripts are organised into categories. For ethical hackers and VAPT professionals, the most useful categories are auth (testing authentication bypass), vuln (checking for known vulnerabilities), discovery (gathering additional service information), and exploit (verifying exploitability in authorised tests). Students preparing for CEH v13 should be familiar with at least the vuln and discovery categories.
NSE Commands by Category:
| Category | Command | What It Does |
|---|---|---|
| Run all default scripts | nmap -sC <target> | Runs the default NSE script set, covers most common checks |
| Vulnerability scanning | nmap --script vuln <target> | Checks for known vulnerabilities across all open services |
| Authentication testing | nmap --script auth <target> | Tests for default or empty credentials on services |
| Discovery scripts | nmap --script discovery <target> | Gathers additional information about services and network |
| Specific script by name | nmap --script smb-vuln-ms17-010 <target> | Tests for EternalBlue (MS17-010) vulnerability specifically |
| HTTP enumeration | nmap --script http-enum <target> | Enumerates directories and files on web servers |
| SMB enumeration | nmap --script smb-enum-shares <target> | Lists accessible SMB shares on Windows targets |
| FTP anonymous login | nmap --script ftp-anon <target> | Checks whether FTP allows anonymous login |
Nmap NSE scripts for vulnerability scanning should always be run against targets in authorised environments. The --script vuln category in particular sends active probes that may trigger security alerts on monitored systems.
To see all available scripts and their descriptions, run nmap --script-help all or browse the full list at nmap.org/nsedoc.
What Are the Most Useful Nmap Commands for Enumeration in Ethical Hacking Assessments?
Nmap enumeration commands go beyond port scanning to actively gather detailed information about specific services running on open ports, using NSE scripts tailored to each service type.
Enumeration is the phase where attackers and ethical hackers gather actionable intelligence: user accounts, file shares, directory structures, DNS records, and SNMP data. CEH v13 dedicates an entire module to scanning and enumeration, and Nmap with NSE scripts covers the practical tool component of that module directly.
Nmap Enumeration Commands by Service:
```bash
# SMB Enumeration (Windows file sharing)
nmap --script smb-enum-shares -p 445 <target>
nmap --script smb-enum-users -p 445 <target>
nmap --script smb-os-discovery -p 445 <target>

# HTTP Enumeration (Web servers)
nmap --script http-enum -p 80,443 <target>
nmap --script http-methods -p 80,443 <target>
nmap --script http-title -p 80,443 <target>

# FTP Enumeration
nmap --script ftp-anon,ftp-bounce -p 21 <target>

# DNS Enumeration
nmap --script dns-brute <target>
nmap --script dns-zone-transfer -p 53 <target>

# SNMP Enumeration
nmap -sU --script snmp-info -p 161 <target>
nmap -sU --script snmp-sysdescr -p 161 <target>

# SSH Enumeration
nmap --script ssh-auth-methods -p 22 <target>
nmap --script ssh-hostkey -p 22 <target>
```
These Nmap enumeration commands represent the practical content of the CEH scanning and enumeration module. Practicing each service category against intentionally vulnerable machines like Metasploitable on your local lab gives you both the command familiarity and the conceptual understanding of what each enumeration result means for a VAPT report.

How Do You Save and Format Nmap Scan Output for VAPT Reports in Professional Engagements?
Nmap supports four output formats and saving scan results correctly is a professional requirement in every VAPT engagement because raw scan data must be included in reports and often imported into other tools.
Running a scan without saving the output means repeating the scan to get the data back. In professional VAPT engagements, re-scanning is often not permitted after the agreed assessment window closes. Building the habit of saving output in every lab session prepares you for this reality.
Nmap Output Format Commands:
```bash
nmap -oN scan_results.txt <target>    # Normal output, human-readable text file
nmap -oX scan_results.xml <target>    # XML output, importable into Metasploit and reporting tools
nmap -oG scan_results.gnmap <target>  # Grepable output, useful for parsing with grep/awk
nmap -oA scan_results <target>        # All three formats simultaneously (recommended for VAPT)
```
When to use each format:
- -oN (Normal): For quick reference and reading scan results directly
- -oX (XML): For importing into Metasploit (db_import) or professional VAPT reporting tools like Dradis and Serpico
- -oG (Grepable): For parsing specific information from large scans using command line tools
- -oA (All formats): The recommended default for any VAPT work because it generates all three simultaneously
Nmap output formats for VAPT reports are among the practical skills VAPT professionals in India use daily. Practicing with -oA by default in every lab session builds this habit before you need it in a professional context.
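As an added example (not code from the original post), the Python script below reads the XML produced by `-oX` or `-oA`, keeps only open ports on hosts that are up, and renders the host/port/service/version rows as a Markdown table for the findings section of a report; the embedded XML is a constructed stand-in for a real scan file, trimmed to the elements the parser uses.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed stand-in for a `nmap -sS -sV -oX scan_results.xml` file; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan_results.xml 192.168.1.20" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <hostnames><hostname name="web.lan" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_services(xml_text: str) -> List[Dict[str, str]]:
    """One row per open port: the host/port/service/version data a report table needs.
    ElementTree is fine for scan files you produced yourself; use defusedxml for third-party XML."""
    rows: List[Dict[str, str]] = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed and filtered ports are not findings for the table
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": ip,
                "hostname": hn.get("name") if hn is not None else "",
                "port": f"{port.get('portid')}/{port.get('protocol')}",
                "service": attrs.get("name", ""),
                # -sV fills product/version; a table-only guess leaves them empty
                "version": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v),
            })
    return rows

def report_table(rows: List[Dict[str, str]]) -> str:
    """Render rows as a Markdown table ready to paste into the findings section."""
    cols = ["host", "hostname", "port", "service", "version"]
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    lines += ["| " + " | ".join(r[c] for c in cols) + " |" for r in rows]
    return "\n".join(lines)
```

For a real engagement, replace `SAMPLE_XML` with the contents of the `.xml` file written by `-oA` and print `report_table(open_services(...))`.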
Which Nmap Commands Appear Most Often in CEH v13 Exams and Penetration Testing Interviews in India?
The Nmap commands that appear most frequently in CEH v13 exam questions and Indian cybersecurity technical interviews are SYN scan (-sS), version detection (-sV), OS detection (-O), aggressive scan (-A), ping scan (-sn), and NSE script execution (--script).
CEH v13 scanning and enumeration modules test both the syntax of these commands and the reasoning behind choosing one scan type over another in a given scenario. Interviewers at Indian cybersecurity companies ask questions that require you to apply this knowledge to a specific situation, not just recall a command.
Highest-Priority Nmap Commands for CEH v13 and Interviews:
| Command | Flag | Why It Is Commonly Tested |
|---|---|---|
| SYN Scan | -sS | Most common stealth scan, requires root, CEH scanning module staple |
| Version Detection | -sV | Core VAPT step, service fingerprinting for CVE research |
| OS Detection | -O | OS fingerprinting, required for targeted exploitation in theory |
| Aggressive Scan | -A | Combines multiple flags, tests understanding of composite commands |
| Ping Scan | -sn | Host discovery without port scan, first step of network assessment |
| Skip Ping | -Pn | Testing against firewalled hosts, common scenario question |
| All Ports | -p- | Understanding port range options and coverage trade-offs |
| NSE Vuln Scripts | --script vuln | Vulnerability scanning phase of VAPT workflow |
Cybersecurity interview questions about Nmap in India most commonly ask: “What is the difference between -sS and -sT?”, “When would you use -Pn?”, and “What does -A do and when should you avoid it?” Practicing these commands in a lab environment, rather than just memorising the answers, is the most reliable way to answer confidently.
If you want structured training that covers Nmap, scanning, enumeration, and the complete CEH v13 curriculum with hands-on lab access, explore Appin’s CEH v13 AI-powered course to check batch schedules and course details in Indore.
Conclusion
Nmap is the tool that starts almost every penetration test and VAPT engagement. The commands in this cheat sheet cover the full workflow from host discovery to enumeration and output formatting, giving you a ready reference for lab practice, CEH preparation, and technical interviews.
The most important thing is not to read this guide once and move on. Bookmark it, open a Kali Linux terminal, and practice each command against Metasploitable, DVWA, or a TryHackMe room until every flag and its purpose is something you can explain without looking it up.
If you want structured CEH preparation with lab-based Nmap practice and placement support, enquire with Appin Indore to check the next available batch.