Nmap Options
Target Specification
Option ( Switch / Syntax ) | Description |
---|---|
| Input from list of hosts/networks |
| Choose random targets/ Scan random hosts |
| Exclude single or multiple hosts/networks |
| Exclude list from file |
Host Discovery
Option ( Switch / Syntax ) | Description |
---|---|
| List Scan - simply lists targets |
| Ping Scan - disable port scan for discovering host |
| Treat all hosts as online -- skip host discovery |
| TCP SYN/ACK, UDP or SCTP INIT discovery to given ports |
| ICMP echo, timestamp, and netmask request discovery probes |
| Use ICMP timestamp request |
| IP Protocol Ping |
| Never do DNS resolution/Always resolve [default: sometimes] |
| Immediate mode, display things as we find them |
| A string representing the intended sequence ignorance level |
| Path to a file where flat text will be dumped that normally would go to the users terminal |
| Numeric value representing the number of seconds to wait before declaring the scan over |
Scan Techniques
Option ( Switch / Syntax ) | Description |
---|---|
| TCP SYN/Connect()/ACK/Window/Maimon scans |
| UDP Scan |
| TCP Null, FIN, and Xmas scans |
| TCP ACK scan |
| TCP scan flags |
| Ping scan |
| Customize TCP scan flags |
| Idle zombie scan |
| SCTP INIT scan |
| IP protocol scan |
| FTP bounce scan |
| Send raw ethernet packets |
| Send IP packets |
Port Specification and Scan Order
Option ( Switch / Syntax ) | Description |
---|---|
| Only scan specified range ports |
| Port scans all 1-65535 ports |
| Port scan from specified protocols |
| Fast mode - Scan fewer ports than the default scan (scan 100 most common ports) |
| Scan ports consecutively – do not randomize |
| Randomize target host order |
| Port list |
| Port range |
| Scan port using name |
| Mix TCP and UDP |
| Scan most common ports |
| Scan ports more common than |
| Leaving off initial port in range makes Nmap scan start at port 1 |
| Leaving off end port in range makes Nmap scan through port 65535 |
Service / Version Detection
Option ( Switch / Syntax ) | Description |
---|---|
| Probe open ports to determine service/version info |
| Set from 0 (light) to 9 (try all probes) |
| Limit to most likely probes (intensity 2) |
| Try every single probe (intensity 9) |
| Show detailed version scan activity (for debugging) |
Script Scan
Option ( Switch / Syntax ) | Description |
---|---|
| Run individual or group of scripts |
| is a comma separated list of directories, script-files or script-categories |
| Show all data sent and received |
| Update the script database. |
| “Lua scripts” = Show help about scripts |
OS Detection
Option ( Switch / Syntax ) | Description |
---|---|
| Enable OS detection/ OS Discovery using Nmap and Unicornscan/ Remote OS Detection using TCP/IP stack fingerprinting |
| Limit OS detection to promising targets |
| Guess OS more aggressively |
| Set the maximum number x of OS detection tries against a target |
Timing and Performance
Option ( Switch / Syntax ) | Description |
---|---|
| Set timing template (higher is faster) |
| Set the packet TTL |
| Parallel host scan group sizes |
| Probe parallelization |
| Specifies probe round trip time |
| Caps number of port scan probe retransmissions |
| Give up on target after this long |
| Adjust delay between probes |
| Send packets no slower than per second |
| Send packets no faster than per second |
| Defeat reset rate limits |
Firewall / IDS Evasion and Spoofing
Option ( Switch / Syntax ) | Description |
---|---|
| Fragment packets (optionally w/given MTU) |
| Cloak a scan with decoys |
| Spoof source address |
| Use given port number |
| Append random data to send packets |
| Send packets with specified IP options |
| Set IP time-to-live field |
| Spoof your MAC address |
| Idle zombie scan |
| Send packets with a bogus TCP/UDP/SCTP checksum |
| Relay connections through HTTP/SOCKS4 proxies |
Output
Option ( Switch / Syntax ) | Description |
---|---|
| Output scan in normal, XML, s\|<rIpt kIddi3, and Grepable format, respectively, to the given filename |
| Output in the three major formats at once |
| Increase verbosity level (use -vv or more for greater effect) |
| Increase debugging level (use -dd or more for greater effect) |
| Display the reason a port is in a particular state |
| Only show open (or possibly open) ports |
| Show all packets sent and received |
| Print host interfaces and routes (for debugging) |
| Log errors/warnings to the normal-format output file |
| Append to rather than clobber specified output files |
| Resume an aborted scan |
| XSL stylesheet to transform XML output to HTML |
| Reference stylesheet from http://nmap.org/ for more portable XML |
| Prevent associating of XSL stylesheet w/XML output |
| Periodically display statistics |
Miscellaneous Options
Option ( Switch / Syntax ) | Description |
---|---|
| Nmap help screen |
| IPv6 Scanning by using -6 option in Zenmap |
| Enables OS detection, version detection, script scanning, and traceroute, also known as Aggressive scan |
| Disable reverse IP address lookups |
| Specify custom Nmap data file location |
| Send using raw ethernet frames or IP packets |
| Assume that the user is fully privileged |
| Display Nmap version |
| Assume the user lacks raw socket privileges |