Target Specification
-iL INPUTFILE  Input from list of hosts/networks
-iR NUMHOSTS  Choose random targets
--exclude host1[,host2][,host3],...  Exclude hosts/networks
--excludefile EXCLUDE_FILE  Exclude list from file
Host Discovery
-sL List Scan - simply list targets to scan
-sn Ping Scan - disable port scan
-Pn Treat all hosts as online - skip host discovery
-PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list] IP Protocol Ping
-n/-R Never do DNS resolution / Always resolve [default: sometimes]
Nmap Scripts
Nmap Scripts location: /usr/share/nmap/scripts
Scripts are written in Lua and can be edited using vim
--script="http*" 1.2.3.4  Run every script whose name starts with http against the target (quote the pattern so the shell does not expand it as a file glob)
-sC 1.2.3.4  Run the default script set against the target; this uses the most commonly used scripts from the script library
--script="Lua scripts"  "Lua scripts" is a comma-separated list of directories, script files or script categories
--script-args=n1=v1,[n2=v2,...]  Provide arguments to scripts
--script-args-file=filename  Provide NSE script args in a file
--script-trace  Show all data sent and received
--script-updatedb  Update the script database
--script-help="Lua scripts"  Show help about scripts
Timing and Performance
-T0 to -T5  Set timing template - higher is faster (and less accurate)
Parallel host scan group sizes:
--min-hostgroup SIZE
--max-hostgroup SIZE
Probe parallelization:
--min-parallelism NUMPROBES
--max-parallelism NUMPROBES
Probe round-trip timeout bounds:
--min-rtt-timeout TIME
--max-rtt-timeout TIME
--initial-rtt-timeout TIME
--max-retries TRIES  Cap the number of port scan probe retransmissions
--host-timeout TIME  Give up on a target after this long
Adjust delay between probes:
--scan-delay TIME
--max-scan-delay TIME
--min-rate NUMBER  Send packets no slower than NUMBER per second
--max-rate NUMBER  Send packets no faster than NUMBER per second
Port Specification
-p PORTS  Specify ports, e.g. -p80,443 or -p1-65535
-p U:PORT  Scan UDP ports, e.g. -p U:53
-F  Fast mode, scans fewer ports than the default scan
-r  Scan ports consecutively - don't randomize
--top-ports NUMBER  Scan the NUMBER most common ports
--port-ratio RATIO  Scan ports more common than RATIO
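The -p syntax above (comma-separated ports and ranges, with an optional T:/U:/S: protocol prefix that sticks until the next prefix) is easy to get wrong when building scan jobs from a config file. The following is an added example, not code from this page or from the Nmap project: a small Python expander for that subset of the -p grammar that returns the explicit port sets per protocol, so a job can be validated (or compared against an allowed-scope policy) before Nmap is ever invoked. It deliberately does not handle service names or the -F/--top-ports shortcuts.

```python
"""Expand an Nmap-style -p port specification into explicit per-protocol sets.

Added example (not Nmap's own parser). Assumed subset of the -p grammar:
  - comma-separated items, each a single port or a lo-hi range
  - open-ended ranges "lo-" and "-hi", and "-" alone meaning 1-65535
  - optional T:/U:/S: prefix that applies until the next prefix appears
Service names and wildcard patterns are not supported here.
"""
from typing import Dict, Set

PROTO_NAMES = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535


def expand_port_spec(spec: str, default_proto: str = "tcp") -> Dict[str, Set[int]]:
    """Return {"tcp": {...}, "udp": {...}, "sctp": {...}} for a -p argument.

    Raises ValueError for malformed items or ports outside 0-65535
    (Nmap itself accepts port 0 when it is named explicitly).
    """
    if default_proto not in PROTO_NAMES.values():
        raise ValueError(f"unknown protocol {default_proto!r}")
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set(), "sctp": set()}
    proto = default_proto

    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        # A protocol prefix such as "U:" switches the protocol for this and
        # every following item until another prefix is seen.
        if len(item) > 2 and item[1] == ":" and item[0].upper() in PROTO_NAMES:
            proto = PROTO_NAMES[item[0].upper()]
            item = item[2:]

        if item == "-":
            lo, hi = 1, MAX_PORT          # "-p-" means all ports 1-65535
        elif "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)           # int() raises ValueError on junk

        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"port range out of bounds: {item!r}")
        result[proto].update(range(lo, hi + 1))
    return result


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs a spec would scan."""
    return sum(len(ports) for ports in expand_port_spec(spec).values())


if __name__ == "__main__":
    for example in ("80,443", "1-65535", "U:53", "U:53,111,T:21-25,80"):
        expanded = expand_port_spec(example)
        summary = {p: sorted(v)[:5] for p, v in expanded.items() if v}
        print(f"-p {example!r}: {port_count(example)} ports, first few: {summary}")
```

A practical use is a pre-flight check: refuse to launch a job whose expanded set exceeds an agreed size, or whose protocols are not covered by the scanning authorisation for that network.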
Service Version Detection
-sV Probe open ports to determine service/version info
--version-intensity LEVEL  Set from 0 (light) to 9 (try all probes)
--version-light  Limit to most likely probes (intensity 2)
--version-all  Try every single probe (intensity 9)
--version-trace  Show detailed version scan activity (for debugging)
Firewall /IDS Evasion and Spoofing
-D decoy1,decoy2,ME  Cloak a scan with decoy addresses, e.g. -D 1.2.3.4,1.2.3.5,ME (ME stands for your own address)
-f; --mtu VALUE  Fragment packets (optionally with the given MTU)
-S IP-ADDRESS  Spoof source address
-e IFACE  Use specified interface
-g PORTNUM / --source-port PORTNUM  Use given source port number
--proxies url1,[url2],...  Relay connections through HTTP / SOCKS4 proxies
--data-length NUM  Append random data to sent packets
--ip-options OPTIONS  Send packets with specified IP options
--ttl VALUE  Set IP time-to-live field
--spoof-mac ADDR/PREFIX/VENDOR  Spoof MAC address
--badsum  Send packets with a bogus TCP/UDP/SCTP checksum
OS Detection
-O Enable OS Detection
--osscan-limit  Limit OS detection to promising targets
Scan Techniques
-sS TCP SYN scan (stealth scan; the default when run as root)
-sT TCP Connect scan
-sA ACK scan
-sW Window scan
-sM Maimon scan
-sU UDP scan
-sN TCP Null scan
-sF FIN scan
-sX Xmas scan
--scanflags FLAGS  Customize TCP scan flags
-sI ZOMBIE-HOST[:PROBEPORT]  Idle scan
-sY SCTP INIT scan
-sZ SCTP COOKIE-ECHO scan
-sO IP protocol scan
-b FTP-RELAY-HOST  FTP bounce scan
Nmap Output Options
-oN FILE  Normal output
-oX FILE  XML output
-oS FILE  Script kiddie / 1337-speak output... sigh
-oG FILE  Greppable output - easy to grep Nmap output
-oA BASENAME  Output in the three major formats at once
-v  Increase verbosity level (use -vv or more for greater effect)
-d  Increase debugging level (use -dd or more for greater effect)
--reason  Display the reason a port is in a particular state
--open  Only show open (or possibly open) ports
--packet-trace  Show all packets sent / received
--iflist  Print host interfaces and routes (for debugging)
--log-errors  Log errors/warnings to the normal-format output file
--append-output  Append to rather than clobber specified output files
--resume FILENAME  Resume an aborted scan
--stylesheet PATH/URL  XSL stylesheet to transform XML output to HTML
--webxml  Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet  Prevent associating an XSL stylesheet with XML output
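The -oG format is the one most often fed to shell pipelines, but "easy to grep" turns into fragile one-liners once you need per-port fields. As an added example that is not part of this page or of the Nmap project, here is a Python parser for greppable output that turns each Host: line into structured port records and then applies the same filter --open would, keeping the -sV version strings so an inventory can be diffed over time. The sample scan text embedded below is constructed for the example (no real hosts); the Host/Ports/Ignored State layout and the port/state/protocol/owner/service/rpcinfo/version/ field order follow the -oG format.

```python
"""Parse Nmap greppable (-oG) output into per-host port records.

Added example, not Nmap code. Assumes the -oG layout: one 'Host:' line per
event, tab-separated 'Key: value' fields, and 'Ports:' entries of the form
port/state/protocol/owner/service/rpcinfo/version/ separated by ', '.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (-sV scan of a made-up /29); not output from a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example.test)\tStatus: Up\n"
    "Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.2 ()\tStatus: Down\n"
    "Host: 10.0.0.3 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/, "
    "3389/open|filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "# Nmap done at ... -- 8 IP addresses (3 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each host address to the port records found on its Ports: lines.

    Hosts that only have a Status: line (e.g. down hosts) get an empty list,
    so the caller can still tell they were part of the scan.
    """
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # runtime banner / footer lines
        m = HOST_RE.match(line)
        if not m:
            continue
        addr, hostname = m.group(1), m.group(2)
        # Split tab-separated fields into {"Host": ..., "Ports": ..., ...}
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        records = hosts.setdefault(addr, [])
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")
            if len(parts) < 7:
                continue                  # malformed entry; skip rather than guess
            records.append({
                "hostname": hostname,
                "port": int(parts[0]),
                "state": parts[1],        # open, closed, filtered, open|filtered
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],      # populated by -sV, empty otherwise
            })
    return hosts


def open_services(hosts: Dict[str, List[dict]]) -> List[Tuple[str, str, int, str, str]]:
    """Flatten to (addr, proto, port, service, version) for ports in state
    'open' only, which mirrors what --open leaves in the report."""
    return sorted(
        (addr, r["proto"], r["port"], r["service"], r["version"])
        for addr, recs in hosts.items()
        for r in recs
        if r["state"] == "open"
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for addr, proto, port, service, version in open_services(parsed):
        print(f"{addr:<12} {proto}/{port:<5} {service:<14} {version}")
```

Pointing parse_gnmap at two scans of the same range and comparing the open_services() lists is a cheap way to spot services that appeared or changed version between runs.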