Target Specification
Nmap is able to use hostnames, IP addresses and subnets.
nmap www.corp.domain.com
nmap 10.10.0.1
nmap 10.10.0.1/24
Target Specification options
-iL inputfilename: Input from list of hosts/networks
-iR NUM: Choose NUM random targets
--exclude host1[,host2][,host3],... : Exclude hosts/networks
--excludefile exclude_file: Exclude list from file
Host Discovery
-sL List Scan - simply list targets to scan
-sn Ping Scan - disable port scan
-Pn Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist] TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list] IP Protocol Ping
-n/-R Never do DNS resolution/Always resolve [default: sometimes]
Scan Techniques
-sS TCP SYN scan
-sT Connect scan
-sA ACK scan
-sW Window scan
-sM Maimon scan
-sU UDP Scan
-sN TCP Null scan
-sF FIN scan
-sX Xmas scan
--scanflags Customize TCP scan flags
-sI zombie host[:probeport] Idle scan
-sY SCTP INIT scan
-sZ COOKIE-ECHO scan
-sO IP protocol scan
-b "FTP relay host" FTP bounce scan
Port Specification and Scan Order
-p Specify ports, e.g. -p80,443 or -p1-65535
-p U:PORT Scan UDP ports with Nmap, e.g. -p U:53
-F Fast mode, scans fewer ports than the default scan
-r Scan ports consecutively - don't randomize
--top-ports "number" Scan "number" most common ports
--port-ratio "ratio" Scan ports more common than "ratio"
Service Version Detection
-sV Probe open ports to determine service/version info
--version-intensity "level" Set from 0 (light) to 9 (try all probes)
--version-light Limit to most likely probes (intensity 2)
--version-all Try every single probe (intensity 9)
--version-trace Show detailed version scan activity (for debugging)
Script Scan
-sC equivalent to --script=default
--script="ssl-heartbleed" Run the named script(s); here "ssl-heartbleed" is the selected script
--script-args=n1=v1,[n2=v2,...] provide arguments to scripts
--script-args-file=filename provide NSE script args in a file
--script-trace Show all data sent and received
--script-updatedb Update script database
--script-help="ssl-heartbleed" Show help about scripts
OS Detection
-O Enable OS Detection
--osscan-limit Limit OS detection to promising targets
--osscan-guess Guess OS more aggressively
Firewalls IDS Evasion and Spoofing
-f; --mtu VALUE Fragment packets (optionally w/given MTU)
-D decoy1,decoy2,ME Cloak a scan with decoys
-S IP-ADDRESS Spoof source address
-e IFACE Use specified interface
-g/--source-port PORTNUM Use given source port number
--proxies url1,[url2],... Relay connections through HTTP / SOCKS4 proxies
--data-length NUM Append random data to sent packets
--ip-options OPTIONS Send packets with specified ip options
--ttl VALUE Set IP time to live field
--spoof-mac ADDR/PREFIX/VENDOR Spoof the MAC address Nmap sends from
--badsum Send packets with a bogus TCP/UDP/SCTP checksum
Nmap Nikto Scan
Scans for http (Web) servers on port 80 and pipes into Nikto for scanning.
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
Scans for http/https servers on port 80 & 443 and pipes into Nikto.
nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h -
Nmap Output Options
-oN Output Normal
-oX Output to XML
-oS Script Kiddie / 1337 speak... sigh
-oG Output greppable - easy to grep nmap output
-oA BASENAME Output in the three major formats at once
-v Increase verbosity level (use -vv or more for greater effect)
-d Increase debugging level (use -dd or more for greater effect)
--reason Display the reason a port is in a particular state
--open Only show open or possibly open ports
--packet-trace Show all packets sent / received
--iflist Print host interfaces and routes for debugging
--log-errors Log errors/warnings to the normal-format output file
--append-output Append to rather than clobber specified output files
--resume FILENAME Resume an aborted scan
--stylesheet PATH/URL XSL stylesheet to transform XML output to HTML
--webxml Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet Prevent associating of XSL stylesheet w/XML output
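The -oG format above is what the Nikto pipe in the "Nmap Nikto Scan" section consumes and what -oG is meant for: one tab-separated line per host, with each port entry as slash-delimited fields (port/state/protocol/owner/service/rpcinfo/version; slashes inside a field are shown as "|"). The parser below is an added example, not part of this cheat sheet or of Nmap; it reads a constructed greppable scan, pulls out hosts and ports, and compares open ports against a per-host allow-list so a defender can spot exposure that an asset inventory does not expect. The allow-list contents and the sample hosts are made up for illustration.

```python
"""Parse Nmap greppable (-oG) output and flag unexpected open ports.

Added example, not code from the original cheat sheet or from Nmap.
The scan text below is constructed to look like `nmap -p- -sV -oG -`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: comment header, one tab-separated line per host,
# a host seen only by host discovery (Status: Up), and a trailing comment.
SAMPLE_GREPPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- -sV -oG - 10.0.1.0/24
Host: 10.0.1.5 (web01.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (65532)
Host: 10.0.1.9 (db01.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 3306/open/tcp//mysql//MySQL 8.0.32/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
Host: 10.0.1.20 ()\tStatus: Up
# Nmap done at Mon Jan  1 10:05:00 2024 -- 256 IP addresses (3 hosts up) scanned in 300.12 seconds
"""


@dataclass
class Port:
    number: int
    state: str
    protocol: str
    service: str
    version: str


@dataclass
class Host:
    address: str
    hostname: str
    ports: List[Port] = field(default_factory=list)


def parse_greppable(text: str) -> List[Host]:
    """Return one Host per 'Host:' line, in the order first seen."""
    hosts: Dict[str, Host] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else are skipped
        fields = line.split("\t")
        # First field looks like "Host: 10.0.1.5 (web01.example)".
        address, _, rest = fields[0][len("Host:"):].strip().partition(" ")
        hostname = rest.strip("() ")
        host = hosts.setdefault(address, Host(address, hostname))
        for f in fields[1:]:
            if not f.startswith("Ports:"):
                continue  # "Status:", "Ignored State:", "OS:" etc.
            for entry in f[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                # port/state/proto/owner/service/rpcinfo/version (+ trailing "/")
                if len(parts) < 7:
                    continue
                host.ports.append(
                    Port(int(parts[0]), parts[1], parts[2], parts[4], parts[6])
                )
    return list(hosts.values())


def unexpected_open_ports(
    hosts: List[Host], allowed: Dict[str, Set[int]]
) -> List[Tuple[str, int, str]]:
    """(address, port, service) for every open port not on the host's allow-list."""
    findings = []
    for h in hosts:
        permitted = allowed.get(h.address, set())
        for p in h.ports:
            if p.state == "open" and p.number not in permitted:
                findings.append((h.address, p.number, p.service))
    return findings


def web_hosts(hosts: List[Host]) -> List[str]:
    """Addresses with 80 or 443 open: the set the Nikto pipe would scan."""
    return [h.address for h in hosts
            if any(p.state == "open" and p.number in (80, 443) for p in h.ports)]


if __name__ == "__main__":
    # Allow-list is constructed for the example: what inventory says should be open.
    allowlist = {"10.0.1.5": {22, 80, 443}, "10.0.1.9": {22}}
    scan = parse_greppable(SAMPLE_GREPPABLE)
    for addr, port, svc in unexpected_open_ports(scan, allowlist):
        print(f"UNEXPECTED {addr}:{port} ({svc})")
    print("web hosts:", web_hosts(scan))
```

Run it against a real capture with `nmap ... -oG scan.gnmap` and `parse_greppable(open("scan.gnmap").read())`; the allow-list would normally come from your asset inventory rather than a literal dict.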