Where can you find instructions on this thing?

On a Linux box there are three places you can find more information about a command-line application:

  • The Help page: Almost all Unix and Linux applications have a help file that you can access by typing the application name and -h on the command line, for example, root@kali-01: ~# nmap -h.
  • The Man page: This is a full manual for most modern command-line applications, which you can access by typing man and the application name on the command line. For example, root@kali-01: ~# man rsync gets you a pretty good explanation of how to use Rsync, the secure and logged file transfer protocol. Man pages are of varying quality, and many of them are actually written by rocket scientists, so a newbie may have to research how to read a manual page before it can be useful. The Nmap man page is clearly written, with understandable examples to try out.
  • Info pages: For BASH shell built-ins, there is a group of info pages instead of man pages. To get at the info pages, type the word info and the application name. For example, root@kali-01: ~# info ls presents you with the info page for the command ls, which is the Linux version of the DOS command DIR.

The -h command option presents you with in-line text in the terminal window, so you are returned to the command prompt immediately after the information scrolls past. The man and info commands launch the text reader, Less, so you can scroll up and down on the document, even though you are still in the terminal window. To exit from Less, just press the q key.

The Shift key is your friend in the Linux Terminal Emulator. If you want to scroll up and down in the terminal window, for instance, if the -h help file is longer than a single screen, just hold Shift + the up or down cursor key. The hot-key sequence for copy and paste is Shift + Ctrl + C and Shift + Ctrl + V, respectively. Ctrl + C closes the running application in the Bash shell, and Ctrl + V does nothing at all.

The following table is a truncated list of the options in Nmap. It is the same information you get from the manual page for Nmap, which is already installed on your Kali Linux installation:

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, and so on.

Example: atlantacloudtech.com, aarrrggh.com/26, 192.168.3.111; 10.1-16.0-255.1-254

  • -iL "inputfilename": Input from list of hosts/networks.
  • -iR "num hosts": Choose random targets.
  • --exclude "host1[,host2][,host3],...": Exclude hosts/networks.
  • --excludefile "exclude_file": Exclude list from file.

HOST DISCOVERY:

  • -sL: List scan; simply list targets to scan.
  • -sn: Ping scan; disable port scan.
  • -Pn: Treat all hosts as online; skip the ping for host discovery.
  • -PS [portlist]: TCP SYN discovery to given ports.
  • -PA [portlist]: TCP ACK discovery to given ports.
  • -PU [portlist]: UDP discovery to given ports.
  • -PY [portlist]: SCTP discovery to given ports.
  • -PE: ICMP echo discovery probe.
  • -PP: ICMP timestamp discovery probe.
  • -PM: ICMP netmask request discovery probe.
  • -PO [protocol list]: IP protocol ping, as opposed to an ICMP ping.
  • -n: Never do DNS resolution [default: sometimes].
  • -R: Always resolve [default: sometimes].

Hacker Tip:

Resolving DNS gives you more information about the network, but it creates DNS request traffic, which can alert a sysadmin that something not entirely normal is going on, especially if they are not using DNS in the network.

  • --dns-servers "serv1[,serv2],...": Specify custom DNS servers.
  • --system-dns: Use the OS's DNS resolver. This is the default behavior.
  • --traceroute: Trace the hop path to each host. This would only make sense in large, complicated, segmented networks.
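The Hacker Tip above says that DNS resolution during a scan produces DNS request traffic a sysadmin can notice. The following script is an added example, not from the book or from the Nmap project, showing what that looks like from the defender's side: it counts reverse (PTR) lookups per client in a DNS query log and flags any client whose count exceeds a threshold. The log lines are constructed for the example (layout modelled on BIND's query log; every address and name is invented), and the threshold of 5 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example: flag clients issuing an unusual number of reverse (PTR) lookups,
# the DNS footprint a scanner leaves behind when it resolves every host it touches.

# Constructed DNS query-log sample (layout modelled on BIND's query log; all hosts invented).
# 192.168.3.50 resolves six consecutive addresses within a second; 192.168.3.20 is ordinary traffic.
sample_dns_log() {
cat <<'EOF'
01-Jan-2024 09:00:01.101 client @0x1 192.168.3.20#51234 (intranet.example): query: intranet.example IN A + (192.168.3.1)
01-Jan-2024 09:00:02.005 client @0x1 192.168.3.50#41000 (1.3.168.192.in-addr.arpa): query: 1.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:02.006 client @0x1 192.168.3.50#41001 (2.3.168.192.in-addr.arpa): query: 2.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:02.007 client @0x1 192.168.3.50#41002 (3.3.168.192.in-addr.arpa): query: 3.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:02.110 client @0x1 192.168.3.20#51235 (mail.example): query: mail.example IN MX + (192.168.3.1)
01-Jan-2024 09:00:02.208 client @0x1 192.168.3.50#41003 (4.3.168.192.in-addr.arpa): query: 4.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:02.209 client @0x1 192.168.3.50#41004 (5.3.168.192.in-addr.arpa): query: 5.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:02.210 client @0x1 192.168.3.50#41005 (6.3.168.192.in-addr.arpa): query: 6.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
01-Jan-2024 09:00:03.500 client @0x1 192.168.3.20#51236 (1.3.168.192.in-addr.arpa): query: 1.3.168.192.in-addr.arpa IN PTR + (192.168.3.1)
EOF
}

# ptr_lookups_over: read query-log lines on stdin and print "client count" for every
# client whose number of PTR queries exceeds $1 (default 5, an assumed threshold).
ptr_lookups_over() {
    awk -v thresh="${1:-5}" '
        / IN PTR / {
            # The client address follows the literal word "client", optionally after an
            # "@0x..." token, and carries a "#port" suffix that we strip.
            for (i = 1; i <= NF; i++) {
                if ($i == "client") {
                    c = $(i + 1)
                    if (c ~ /^@/) c = $(i + 2)
                    sub(/#.*/, "", c)
                    count[c]++
                    break
                }
            }
        }
        END { for (c in count) if (count[c] > thresh) print c, count[c] }
    '
}

# Stand-alone run: which clients crossed the threshold in the sample log?
sample_dns_log | ptr_lookups_over 5
```

On a real server you would bucket the counts by time window rather than over the whole file, and a client that legitimately does reverse lookups (a mail server, a log analyser) needs an allow-list; the point here is only that a sweep with DNS resolution enabled is visible in the resolver's own log, which is why the -n option exists.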

SCAN TECHNIQUES:

  • -sS: TCP SYN scan (you will use this one often).
  • -sT: TCP Connect() scan (you will use this one often).
  • -sA: TCP ACK scan.
  • -sW: TCP Window scan.
  • -sM: TCP Maimon scan.
  • -sU: UDP scan.
  • -sN: TCP Null scan.
  • -sF: TCP FIN scan.
  • -sX: TCP Xmas scan. All flags set. Confuses the target machine.
  • --scanflags "flags": Customize TCP scan flags, including the nine listed below.
      • NS: ECN-nonce concealment protection (experimental: see RFC 3540).
      • CWR: Congestion Window Reduced. Used to indicate that packets are being reduced in size to maintain traffic under congested network conditions.
      • ECE: ECN-Echo has a dual role, depending on the value of the SYN flag. If the SYN flag is set (1), it indicates that the TCP peer is ECN capable. If the SYN flag is clear (0), it indicates that a packet with the Congestion Experienced flag set in the IP header was received during normal transmission (added to the header by RFC 3168).
      • URG: Indicates that the Urgent pointer field is significant.
      • ACK: Indicates that the Acknowledgment field is significant.
      • PSH: Push function. Asks to push the buffered data to the receiving application.
      • RST: Reset the connection.
      • SYN: Synchronize sequence numbers.
      • FIN: No more data from sender.
  • -sI "zombie host[:probeport]": Idle scan.
  • -sO: IP protocol scan.
  • -b "FTP relay host": FTP bounce scan.

PORT SPECIFICATION AND SCAN ORDER:

  • -p "port ranges": Only scan specified ports, for example -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9.
  • -F: Fast mode; scan fewer ports than the default scan.
  • -r: Scan ports consecutively; don't randomize.
  • --top-ports "number": Scan the "number" most common ports.
  • --port-ratio "ratio": Scan ports more common than "ratio".
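The -p syntax packs three protocols and mixed ranges into one argument, and it is easy to misread which prefix a port falls under. The following added example, which is not code from the book or from Nmap, expands a -p argument into one "protocol port" line per port using the rules Nmap documents: a T:, U: or S: prefix applies to every following port until the next prefix, and ports listed before any prefix apply to all protocols the scan uses (printed as "any" here). The function name expand_ports and the handling of stray spaces are my own choices; the sample spec is the one from the table above.

```shell
#!/bin/sh
# Added example: expand an Nmap -p argument into "protocol port" lines so you can
# see exactly what a spec such as U:53,111,137,T:21-25,80,139,8080,S:9 covers.
# T:, U: and S: apply until the next prefix; unprefixed ports before the first
# prefix apply to every protocol in the scan and are shown as "any".
expand_ports() {
    # Spaces are removed first, so the spaced form printed in some books still parses.
    printf '%s' "$1" | tr -d ' ' | awk -v RS=',' '
        $0 == "" { next }                       # tolerate a trailing comma
        {
            if (sub(/^T:/, ""))      proto = "tcp"
            else if (sub(/^U:/, "")) proto = "udp"
            else if (sub(/^S:/, "")) proto = "sctp"
            here = (proto == "") ? "any" : proto
            if ($0 ~ /^[0-9]+-[0-9]+$/) {       # a range such as 21-25
                split($0, r, "-")
                if (r[2] + 0 > 65535 || r[1] + 0 > r[2] + 0) { print "bad range: " $0 > "/dev/stderr"; exit 2 }
                for (p = r[1] + 0; p <= r[2] + 0; p++) print here, p
            } else if ($0 ~ /^[0-9]+$/) {       # a single port
                if ($0 + 0 > 65535) { print "bad port: " $0 > "/dev/stderr"; exit 2 }
                print here, $0 + 0
            } else {
                print "bad port spec: " $0 > "/dev/stderr"
                exit 2
            }
        }'
}

# count_ports: how many (protocol, port) pairs a spec expands to.
count_ports() {
    expand_ports "$1" | wc -l | tr -d ' '
}

# Stand-alone run with the example spec from the table above.
expand_ports 'U:53, 111, 137 ,T:21-25 ,80, 139 ,8080, S:9'
```

Running it on the table's example shows that 80, 139 and 8080 are TCP ports because they follow the T: prefix, not because TCP is the default, and that the whole spec covers 12 ports rather than the 9 tokens it contains.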

SERVICE/VERSION DETECTION:

  • -sV: Probe open ports to determine service/version info.
  • --version-intensity "level": Set from 0 (light) to 9 (try all probes).
  • --version-light: Limit to most likely probes (intensity 2).
  • --version-all: Try every single probe (intensity 9).
  • --version-trace: Show detailed version scan activity (for debugging).

SCRIPT SCAN:

  • -sC: Equivalent to --script=default.
  • --script="Lua scripts": "Lua scripts" is a comma-separated list of directories, script files, or script categories that you enter here.
  • --script-args="n1=v1,[n2=v2,...]": Provide arguments (or parameters) to scripts.
  • --script-args-file=filename: Provide NSE script arguments from a file.
  • --script-trace: Show all data sent and received.
  • --script-updatedb: Update the script database.
  • --script-help="Lua scripts": Show help about scripts. "Lua scripts" is a comma-separated list of script files or script categories.

OS DETECTION:

  • -O: Enable OS detection.
  • --osscan-limit: Limit OS detection to promising targets.
  • --osscan-guess: Guess OS more aggressively.

TIMING AND PERFORMANCE:

Options specifying time intervals are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value, for example 23ms.

  • -T"0-5": Set timing template (higher is faster, and also noisier).
  • --min-hostgroup "size"; --max-hostgroup "size": Parallel host scan group sizes.
  • --min-parallelism "numprobes"; --max-parallelism "numprobes": Probe parallelization.
  • --min-rtt-timeout "time"; --max-rtt-timeout "time"; --initial-rtt-timeout "time": Specifies probe round trip time.
  • --max-retries "tries": Caps the number of port scan probe retransmissions.
  • --host-timeout "time": Give up on target after this time interval.
  • --scan-delay "time"; --max-scan-delay "time": Adjust delay between probes.
  • --min-rate "number": Send packets no slower than "number" per second.
  • --max-rate "number": Send packets no faster than "number" per second.

FIREWALL/IDS EVASION AND SPOOFING:

  • -f; --mtu "value": Fragment packets (optionally with given MTU).
  • -D "decoy1,decoy2[,ME],...": Cloak a scan with decoys.
  • -S "IP_Address": Spoof source address.
  • -e "iface": Use specified interface.
  • -g/--source-port "portnum": Use given port number.
  • --proxies "url1,[url2],...": Relay connections through HTTP/SOCKS4 proxies.
  • --data-length "number": Append random data to sent packets.
  • --ip-options "options": Send packets with specified IP options.
  • --ttl "value": Set the IP time-to-live field.
  • --spoof-mac "mac address/prefix/vendor name": Spoof your MAC address.
  • --badsum: Send packets with a bogus TCP/UDP/SCTP checksum.

OUTPUT:

  • -oN "file": Output scan to the given filename in normal format.
  • -oX "file": Output scan to the given filename in XML format.
  • -oS "file": Output scan to the given filename in s|<rIpt kIddi3 format. This one is just for fun.
  • -oG "file": Output scan to the given filename in grepable format.
  • -oA "basename": Output in the three major formats at once.
  • -v: Increase verbosity level from 1-5. Use -vv (verbosity 2), -vvv (verbosity 3), and so on for greater effect.
  • -d: Increase debugging level 0-6. You can repeat the "d" like verbosity levels, or use -d5 to save space in your command line. The default is -d0.
  • --reason: Display the reason a port is in a particular state.
  • --open: Only show open (or possibly open) ports.
  • --packet-trace: Show all packets sent and received.
  • --iflist: Print host interfaces and routes (for debugging).
  • --log-errors: Log errors/warnings to the normal-format output file.
  • --append-output: Append to rather than clobber specified output files.
  • --resume "filename": Resume an aborted scan.
  • --stylesheet "path/URL": XSL stylesheet to transform XML output to HTML.
  • --webxml: Reference stylesheet from Nmap.org for more portable XML.
  • --no-stylesheet: Prevent associating XSL stylesheet with XML output.
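The grepable format written by -oG (and as one of the three files from -oA) is the one you reach for when a scan has to feed a shell pipeline, and its layout rewards a closer look: every "Host:" line is tab-separated, and the "Ports:" field is a comma-separated list of port/state/protocol/owner/service/rpcinfo/version/ entries. The following added example, not code from the book or from Nmap, parses that layout and lists only the open ports. The scan output is constructed for the example (hosts, service names and versions are invented); the function names are my own.

```shell
#!/bin/sh
# Added example: pull host, port, service and version out of Nmap grepable (-oG) output.
# "Host:" lines are tab-separated; the "Ports:" field holds comma-separated entries of
# the form port/state/protocol/owner/service/rpcinfo/version/.

# Constructed sample of what "nmap -sV -oG scan.gnmap <targets>" writes (hosts, services
# and versions invented). printf is used so the tabs between fields are explicit.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 192.168.3.111 192.168.3.112'
    printf 'Host: 192.168.3.111 ()\tStatus: Up\n'
    printf 'Host: 192.168.3.111 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.3.112 (files.example)\tStatus: Up\n'
    printf 'Host: 192.168.3.112 (files.example)\tPorts: 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    printf '%s\n' '# Nmap done at Mon Jan  1 00:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.02 seconds'
}

# open_ports: read -oG text on stdin; print "host port/proto service [version]"
# for every entry whose state is exactly "open".
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # keep the address, drop "(name)"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue                 # skip Status: and Ignored State:
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    # f[1]=port f[2]=state f[3]=protocol f[5]=service f[7]=version
                    if (f[2] != "open") continue
                    line = host " " f[1] "/" f[3] " " f[5]
                    if (f[7] != "") line = line " " f[7]
                    print line
                }
            }
        }'
}

# Stand-alone run over the constructed sample.
sample_gnmap | open_ports
```

The filtered and closed entries are dropped by the state check rather than by pattern-matching the word "open" anywhere on the line, which matters because service names and version strings can contain arbitrary text; splitting on the field separators first is what makes the result reliable.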

MISC:

  • -6: Enable IPv6 scanning.
  • -A: Enable OS detection, version detection, script scanning, and traceroute. This is a shortcut for -sS -sV --traceroute -O. Wolf's favorite scanning option.
  • --datadir "dirname": Specify custom Nmap data file location.
  • --send-eth: Send using raw Ethernet frames.
  • --send-ip: Send using raw IP packets.
  • --privileged: Assume that the user is fully privileged.
  • --unprivileged: Assume the user lacks raw socket privileges.
  • -V: Print Nmap version number. Doesn't work in conjunction with other options.
  • -h: Print the help summary page.

EXAMPLES:

nmap -v -A boweaver.com

nmap -v -sn 192.168.0.0/16 10.0.0.0/8

nmap -v -iR 10000 -Pn -p 80

Hacker Tip:

You can construct custom Nmap scanning strings and copy them into Zenmap so you get the benefits of the Zenmap interface.
