SecurityOwned Nmap Target Specification command-line options

| Option | Description |
| --- | --- |
| -iL (filename) | Specify an input file with a list of tab-, space-, or newline-delimited targets. |
| -iR (number of targets) | Scan a specified number of random targets. |
| --exclude (host1[,host2][,host3],…) | Specify comma-separated targets to not scan. |
| --excludefile (filename) | Specify an input file with a list of tab-, space-, or newline-delimited targets to not scan. |

SecurityOwned Nmap Discovering Hosts command-line options

| Option | Description |
| --- | --- |
| -sL | Print a list of targets and their DNS names |
| -sP | Perform a ping scan |
| -PN | Disable host discovery (this option used to be -P0) |
| -PS/PA/PU[portlist] | Advanced host discovery techniques using TCP SYN, TCP ACK, or UDP packets |
| -PE/PP/PM | ICMP host discovery techniques using echo request, timestamp request, and address mask request |
| -PO[protocol list] | Perform an IP protocol ping |
| -PR | Perform an ARP ping |
| -n | Disables DNS name resolution (also increases scan speed) |
| -R | Enables DNS name resolution on all targets, even non-active targets |
| --dns-servers (serv1[,serv2],…) | Specify DNS servers for Nmap to use |
| --system-dns | Use the system DNS resolver instead of Nmap to perform DNS lookups (slower and rarely needed) |
| --send-ip | Disables the default ARP ping for local Ethernet networks |

SecurityOwned Nmap Port State

| Port State | Description |
| --- | --- |
| Open | Open ports have an active application accepting TCP connections or UDP packets. |
| Closed | Closed ports are accessible, but they do not have a listening application. |
| Filtered | Responses are blocked by a packet filter, therefore Nmap cannot determine if the port is open. |
| Unfiltered | Unfiltered ports are accessible, but Nmap is unable to determine if they are open or closed. (ACK scan only) |
| Open\|filtered | Nmap is unable to determine if the port is open or filtered for scan types where open ports do not respond. (UDP, IP Proto, FIN, Null, Xmas scans) |
| Closed\|filtered | Nmap is unable to determine if a port is closed or filtered. (IP ID idle scan only) |

SecurityOwned Nmap Scan Options

| Scan Options | Description |
| --- | --- |
| TCP Null scan | The TCP Null scan (-sN) does not set any flag bits in the TCP header |
| TCP FIN scan | The TCP FIN scan (-sF) sets only the FIN flag |
| Xmas scan | The Xmas scan (-sX) sets the FIN, PSH, and URG flags |

SecurityOwned Nmap port scanning command-line options

| Option | Description |
| --- | --- |
| -sS | TCP SYN scan |
| -sT | TCP connect scan |
| -sU | UDP port scan |
| -sN | TCP null scan |
| -sF | TCP FIN scan |
| -sX | TCP Xmas scan |
| -sA | TCP ACK scan |
| -sW | TCP Window scan |
| -sM | TCP Maimon scan |
| -sI (zombie host[:probeport]) | TCP Idle scan |
| -sO | IP Protocol scan |
| -b (FTP relay host) | FTP Bounce scan |
| --scanflags (flags) | Set the TCP flags of your choice |
| --traceroute | Trace the path to the target host |
| --reason | Provide host and port state reasons |
| -p (port range) | Specify ports to scan |
| -F | Fast scan |
| -r | Don’t randomize ports |
| --servicedb (filename) | Specify a file to use other than the default nmap-services file |

SecurityOwned Nmap OS detection command-line options

| Option | Description |
| --- | --- |
| -O | Enable OS detection |
| --osscan-limit | Only perform OS detection against targets with at least one open and one closed port |
| --osscan-guess | Guess near-matches aggressively |
| --max-os-tries (number) | Sets the number of OS detection retries |

SecurityOwned Nmap service and application version detection command-line options

| Option | Description |
| --- | --- |
| -sV | Enable version detection for services and applications |
| -sR | Enable RPC version detection (enabled by default with -sV option) |
| --allports | Don’t exclude any ports from version detection |
| --version-intensity (intensity) | Set version scan intensity from 0 to 9 |
| --version-light | Set version intensity to level 2 for quick version scanning |
| --version-all | Set version intensity to level 9 to attempt all probes |
| --version-trace | Print debugging information during version detection |
| --versiondb (service probes file) | Specify a customized service probes file |

SecurityOwned Nmap NSE command-line options

| Option | Description |
| --- | --- |
| -sC | Execute safe and intrusive scripts |
| --script (script-categories\|directory\|filename\|all) | Execute specified scripts and categories |
| --script-args=(n1=v1[,n2=v2,…]) | Provide arguments to override script values |
| --script-trace | Print all incoming and outgoing script communication |
| --script-updatedb | Update the script database name/category mapping |

SecurityOwned Nmap timing and performance command-line options

| Option | Description |
| --- | --- |
| -T (paranoid\|sneaky\|polite\|normal\|aggressive\|insane) or -T (0–5) | Sets the timing template |
| --min-hostgroup/max-hostgroup (size) | Specify the parallel scan group size |
| --min-parallelism/max-parallelism (number) | Specify the number of probes to execute in parallel |
| --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout (time) | Specify the probe round trip timeout before giving up or retransmitting a probe |
| --scan-delay/--max-scan-delay (time) | Specify the delay between probes |
| --max-retries (tries) | Specify the number of probe retransmissions |
| --host-timeout (time) | Specify a maximum amount of time to spend scanning a host before moving on to the next target |
| --defeat-rst-ratelimit | Ignore RST rate limiting |

SecurityOwned Nmap and spoofing command-line options

| Option | Description |
| --- | --- |
| -f | Fragment packets to a maximum of 8 bytes (can be used twice for 16 bytes) |
| --mtu | Specify the maximum packet size in multiples of 8 for packet fragmentation |
| -D (decoy1,decoy2[,ME],…) | Specify decoys to perform scanning in conjunction with your system |
| -S (IP address) | Specify a source IP address, either your own or another system |
| -e (iface) | Specify an interface to use for scanning |
| -g/--source-port (portnum) | Specify a source port to use for scanning |
| --data-length (num) | Specify a number of bytes of random data to append to packets |
| --ip-options (R\|T\|U\|S [IP IP2…]\|L [IP IP2 …]) or --ip-options (hex string) | Specify IP options to include in packets |
| --ttl (val) | Specify a TTL value |
| --randomize-hosts | Randomize the target hosts list before scanning |
| --spoof-mac (mac address/prefix/vendor name) | Specify a MAC address to use for scanning |
| --badsum | Send packets with bad TCP or UDP checksums |

SecurityOwned Nmap output logging command-line options

| Option | Description |
| --- | --- |
| -oN/-oX/-oS/-oG (filename) | Report output to normal, XML, s\| |
| -oA (file name) | Report output to normal, XML, and grepable format all at once |
| -v or -vv or -vvv | Specify a verbosity level for more information |
| -d[level] | Specify a debugging level for even more information |
| --packet-trace | Show all packets sent and received |
| --open | Display only open, open\|filtered, and unfiltered ports |
| --iflist | Display scanning host interfaces and network routes |
| --log-errors | Logs errors to normal output |
| --append-output | Append instead of overwrite output files |
| --resume (filename) | Resume an aborted scan |
| --stylesheet (path/URL) | Specify a stylesheet path or URL |
| --webxml | Reference the latest stylesheet at Insecure.org |
| --no-stylesheet | Don’t use an XSL stylesheet |

SecurityOwned Nmap miscellaneous command-line options

| Option | Description |
| --- | --- |
| -6 | Enable IPv6 scanning |
| -A | Enable OS detection, version detection, script scanning, and traceroute |
| --datadir | Specify a location that contains Nmap data files |
| --send-ip | Send data using packets at the IP layer |
| --send-eth | Send data using raw Ethernet frames at the data link layer |
| --privileged | Assume that the user is fully privileged |
| --unprivileged | Assume that the user is not a privileged user |
| -V | Print the Nmap version number |
| -h | Print the Nmap usage |