TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO [protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  --traceroute: Trace hop path to each host
  --reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
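The -p grammar above (single ports, ranges, open-ended ranges, and sticky T:/U: protocol qualifiers) is small enough to parse exactly, which is useful when a scan request has to be validated against an authorized scope before Nmap is ever run. The following Python parser is an added example for this summary; it is not Nmap's own port-parsing code. It assumes only the T and U qualifiers shown here, keeps unqualified ports under a separate "any" key (Nmap applies those to every protocol being scanned), and treats an open lower bound as 1 and an open upper bound as 65535, as in -p- for all ports.

```python
import re
from typing import Dict, Set

# Protocol qualifiers from the help summary: T = TCP, U = UDP (assumption:
# later Nmap releases add S: and P:, which this example does not model).
QUALIFIERS = {"T", "U"}

# "22", "1-1024", "-100" (1..100), "1000-" (1000..65535), "-" (1..65535)
_RANGE = re.compile(r"^(\d*)-(\d*)$")


def _expand_range(token: str) -> range:
    """Turn one comma-separated element into an inclusive range of ports."""
    m = _RANGE.match(token)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1       # open lower bound -> 1
        hi = int(m.group(2)) if m.group(2) else 65535   # open upper bound -> 65535
    elif token.isdigit():
        lo = hi = int(token)
    else:
        raise ValueError(f"bad port element: {token!r}")
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of bounds: {token!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand an Nmap -p style specification into per-protocol port sets.

    A qualifier (T: or U:) stays in effect for every following element until
    another qualifier appears; elements seen before any qualifier land in "any".
    """
    result: Dict[str, Set[int]] = {"any": set(), "T": set(), "U": set()}
    current = "any"
    spec = spec.strip()
    if spec.startswith("-p"):        # tolerate a pasted "-p22" / "-p 22" / "-p-"
        spec = spec[2:].strip()
    if not spec:
        raise ValueError("empty port specification")
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in port list")
        if len(token) >= 2 and token[1] == ":" and token[0].upper() in QUALIFIERS:
            current = token[0].upper()
            token = token[2:]
            if not token:
                raise ValueError("protocol qualifier without ports")
        result[current].update(_expand_range(token))
    return result


def ports_for(parsed: Dict[str, Set[int]], proto: str) -> list:
    """Ports that apply to one protocol: its own list plus the unqualified ones."""
    return sorted(parsed["any"] | parsed[proto])


if __name__ == "__main__":
    # Constructed input: the example spec from the help summary.
    parsed = parse_port_spec("U:53,111,137,T:21-25,80,139,8080")
    print("TCP:", ports_for(parsed, "T"))
    print("UDP:", ports_for(parsed, "U"))
```

Because the qualifier is sticky, "U:53,111,137" puts all three ports under UDP, and "T:21-25,80,139,8080" switches to TCP for the rest; a scope checker can then compare each protocol's list against what was authorized, and reject a spec such as "70000" or "T:" before it reaches the scanner.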
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=safe,intrusive
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append 's'
  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <time>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection, Script scanning and Traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -PN -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES