Scan/Parameter | Description
-------------- | -----------
-sP (newer nmap: -sn) | ping scan, host discovery only, no port scan; if the targets do not answer discovery probes, skip discovery with -Pn (older spelling -P0) instead
-PS/-PA/-PU/-PY | discovery probes: TCP SYN, TCP ACK, UDP or SCTP INIT ping; append the port list directly (-PS80,443)
-PR | ARP ping; the default on a local Ethernet segment and only works on the same subnet
--traceroute | run traceroute after the scan; not supported with -sT and -sI
-PE/-PP/-PM | ICMP discovery probes: Echo request, Timestamp request, Address mask request
-PN/-P0 (newer nmap: -Pn) | skip host discovery and treat every target as up; not to be confused with -PO, the IP protocol ping
-sO | IP protocol scan: determines which IP protocols (ICMP, TCP, UDP, IGMP, ...) the host accepts; an ICMP protocol unreachable reply means closed
-sS | TCP SYN scan, the default when run as root; "half-open" or "stealth" because the 3-way handshake is never completed (SYN, SYN/ACK, then RST)
-sT | TCP connect scan, the default without raw-socket privileges; uses the connect() syscall and completes the 3-way handshake, so it is reliable but more likely to be logged by the service
-sU | UDP scan; slow because closed ports are inferred from rate-limited ICMP port unreachables. Use --host-timeout, add a payload (--data-length X) and reduce the port range when ICMP is blocked
-sN | null scan (no TCP flags set); "sneaky", works against RFC 793-compliant stacks (Unix) and through some packet filters, not against Windows
-sF | FIN scan; same targets and caveats as -sN, sends FIN only
-sX | Xmas scan; same targets and caveats as -sN, sets FIN, PSH and URG (not every flag)
-sA | ACK scan; maps firewall rules: reports ports as filtered or unfiltered, cannot tell open from closed
-sW | window scan; ACK scan variant that uses the TCP window size of the RST reply to infer open/closed on some systems
-sM | Maimon scan; FIN/ACK probe, works against some BSD-derived stacks
-sI zombie[:probeport] | idle scan, fully blind: the target never sees the scanner's IP; use with -Pn, relies on the zombie's predictable IP ID increments
-D decoy1,decoy2,ME | decoy scan; put ME in the 6th position or later so common port scan detectors are less likely to list your address
-sC | NSE script scan with the default category (same as --script=default); scripts are written in Lua. --script=all runs every script (very noisy and intrusive), --script "http-*" selects by wildcard, --script-updatedb rebuilds the script index
--script=vulscan | third-party NSE script (not shipped with nmap) that matches -sV banners against offline CVE databases
-sV/--allports | service/version detection by banner grabbing and probe fingerprinting (compare amap); --allports also probes the ports excluded by default (9100, because printers print whatever they receive)
-sR | RPC scan, resolves RPC program names/numbers like rpcinfo -p; now folded into -sV
-sY/-sZ/--adler32 | SCTP INIT scan and COOKIE ECHO scan (SCTP is the transport of the SS7/SIGTRAN world); INIT is "stealthy" because the association is never completed; --adler32 uses the obsolete Adler32 checksum instead of CRC32C (Castagnoli)
-b | FTP bounce scan, -b username:password@server:port; rarely works against modern FTP servers
--scanflags | set arbitrary TCP flags on the probes, e.g. --scanflags URGACKPSHRSTSYNFIN
-p/-p-/-F/--top-ports | port selection: -p 21-23,80 (list or range), -p- (all 65535 ports), -F (the 100 most common), --top-ports 10 (the N most common)
--reason/--open/-r | show why each host/port got its state; show only open ports; scan ports in sequential instead of random order
-O | OS detection by TCP/IP stack fingerprinting; prints a guess with a probability when there is no exact match (--osscan-guess)
-vvvvv (-d) | raise verbosity (each extra v adds more, -d adds debug output); with -O the verbose output includes the TCP sequence and IP ID generation classes
-n/-R | never do reverse DNS resolution / always resolve, even for hosts that are down
-T<0-5> | timing template: 0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane
-T4 | aggressive = --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6, maximum TCP scan delay 10 ms
-T5 | insane = --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m, maximum TCP scan delay 5 ms
--min-parallelism/--max-parallelism | lower/upper bound on the number of probes in flight at once
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout | lower bound, upper bound and starting value for the probe round-trip timeout; rule of thumb: keep them between roughly 100 ms and 1000 ms
--max-retries | maximum number of retransmissions of a port scan probe
--host-timeout | give up on a host after this long (e.g. 15m)
--scan-delay/--max-scan-delay | fixed / upper-bound delay between probes sent to one host (for rate-limited targets or IDS evasion)
--min-rate/--max-rate | direct control of the send rate in packets per second, overriding the dynamic timing
--defeat-rst-ratelimit | ignore RST rate limiting: unanswered probes are marked closed instead of being retried; faster, but ports that are really filtered may then show up as closed, so use it only when open vs. not-open is all you need
-f/--mtu | split probes into 8-byte IP fragments / choose the fragment size yourself (must be a multiple of 8)
-S/-g | spoof the source IP (replies will not reach you; usually needs -e and -Pn) / spoof the source port (e.g. -g 53 against filters that trust DNS)
--spoof-mac/--send-eth | spoof the source MAC (0 = random, or a vendor name) / send raw Ethernet frames instead of IP packets
-e | select the interface to send on (-e eth1)
--data-length | append random data of the given length to each probe (gets rid of the empty-payload signature)
--ip-options | set IP options by letter shortcut (R record route, T timestamp, S/L strict/loose source route) or as a hex string where *N repeats the preceding byte: \x01\x07\x04\x00*36\x01 contains 36 null bytes
--ttl | set the IP time-to-live of the probes
--badsum | send packets with bogus TCP/UDP/SCTP checksums; a real host drops them, so any reply comes from a firewall or IDS that answers without checking
--randomize-hosts | randomize the target host order
-oN/-oX/-oG/-oS/-oA basename | output as normal text / XML / grepable / script kiddie text / all of normal, XML and grepable (.nmap, .xml, .gnmap)
--packet-trace/--script-trace | print every packet sent and received (like a live tcpdump) / print every NSE script interaction
--append-output/--resume | append to existing output files (the XML file is then no longer well-formed and must be fixed by hand) / resume an aborted scan from a normal or grepable output file
--webxml/--no-stylesheet | reference the latest stylesheet at http://nmap.org/data/nmap.xsl from the XML / omit the stylesheet reference
-A | aggressive scan = -O -sV -sC --traceroute
-6 | scan over IPv6 (nmap -6 3ffe:7501:4819:2000:210:f3ff:fe03:14d0)
-iR | pick random Internet targets (-iR 100; -iR 0 never stops)
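The options above are usually chained: discovery first (-sn with ARP/ICMP/SYN probes), then a SYN + version scan of the hosts that answered, written with -oA so the grepable file can be post-processed. The script below is an added example for this cheat sheet, not code from the nmap project. The function names (staged_scan, gnmap_ports, gnmap_count, sample_gnmap) are made up here, and the hosts and banners in sample_gnmap are constructed data, not from a real scan; staged_scan needs nmap installed and root for -sS and -PR, while the parser runs on the sample without nmap.

```shell
#!/bin/sh
# Added example (not part of nmap): a staged scan plus a parser for the grepable
# .gnmap file written by -oG/-oA. All function names are hypothetical;
# the data in sample_gnmap is constructed for illustration.

# gnmap_ports STATE [FILE...]
# Print "ip port/proto service version" for every port in STATE
# (open, closed, filtered, unfiltered, ...). Reads stdin when no FILE is given.
gnmap_ports() {
  want="$1"; shift
  # A grepable "Host:" line is tab-separated:
  #   Host: <ip> (<name>)  Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...  Ignored State: ...
  awk -F'\t' -v want="$want" '
    /^Host: / {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entries, ", ")          # port entries are joined by ", "
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")           # nmap rewrites "/" inside banners as "|"
          if (f[2] == want)
            printf "%s %s/%s %s%s\n", ip, f[1], f[3], f[5], (f[7] == "" ? "" : " " f[7])
        }
      }
    }' "$@"
}

# gnmap_count STATE [FILE...]: number of ports in STATE across all hosts.
gnmap_count() {
  gnmap_ports "$@" | awk 'END { print NR }'
}

# sample_gnmap: constructed -oG output for two hosts (illustrative data only).
sample_gnmap() {
  t="$(printf '\t')"
  printf '%s\n' \
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.0.2.10 192.0.2.11" \
    "Host: 192.0.2.10 ()${t}Status: Up" \
    "Host: 192.0.2.10 ()${t}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 9100/open/tcp//jetdirect///${t}Ignored State: closed (996)" \
    "Host: 192.0.2.11 ()${t}Status: Up" \
    "Host: 192.0.2.11 ()${t}Ports: 25/filtered/tcp//smtp///${t}Ignored State: closed (999)" \
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 3.00 seconds"
}

# staged_scan TARGETS [OUTBASE]
# 1. discovery only: ARP on the local segment, ICMP echo and TCP SYN to 22/80/443 elsewhere
# 2. SYN + version scan of the hosts that answered, written as OUTBASE.nmap/.xml/.gnmap
# 3. list the open ports from the .gnmap file. Needs root for -sS and -PR.
staged_scan() {
  targets="$1"; out="${2:-scan}"
  command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
  nmap -sn -PR -PE -PS22,80,443 -n -oG "$out-discovery.gnmap" "$targets" >/dev/null
  live="$(awk '/Status: Up/ { print $2 }' "$out-discovery.gnmap")"
  [ -n "$live" ] || { echo "no live hosts" >&2; return 1; }
  # $live is intentionally unquoted: one host per word
  nmap -sS -sV --reason -T4 -oA "$out" $live >/dev/null
  gnmap_ports open "$out.gnmap"
}

# Without nmap installed, exercise the parser on the constructed sample:
#   sample_gnmap | gnmap_ports open
#   sample_gnmap | gnmap_count filtered
```

The parser splits on the tab-separated Host/Ports/Ignored State fields rather than on commas alone, because version banners may themselves contain commas between entries is the only reliable delimiter nmap uses. Note that -oG is the only format --resume accepts besides -oN, which is another reason to keep the .gnmap file around.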