NMap KungFu (Nmap option reference mind map, ©Prawez Samani)

Firewall/IDS Evasion and Spoofing
  -f/-ff (Use Fragmented IP Packets): maximum fragmentation, 8-byte (-f) and 16-byte (-ff) fragments
  --mtu <databytes> (Maximum Transmission Unit): set your own fragment size instead of 8/16 bytes
  -D <decoy1,decoy2[,ME],...> (Create Decoys): cloak a scan with decoys
  -S <IP_Address> (Source Address): spoof source address
  -e <iface> (Packet Interface): use specified interface
  -g/--source-port (Source Port Scan): use given port number
  --data (Custom Binary Data): append custom binary data to sent packets
  --data-string (Custom String Data): append a custom string to sent packets
  --data-length <databytes> (Random Data Length): append random data to sent packets
  --ip-options (Specify IP Option): send packets with specified IP options
  --ttl <value> (Time To Live)
  --randomize_hosts/-rH (Randomize Hosts): 2,048 hosts at a time are randomly chosen
  --spoof-mac <mac address/prefix/vendor name> (MAC Spoofing)
  --proxies <url1,[url2],...> (Chain Of Proxies): relay connections through HTTP/SOCKS4 proxies
  --badsum (Bogus Packet): send packets with a bogus TCP/UDP/SCTP checksum

Discovery Options
  -sL (List Scan): simply list targets to scan
  -sn (Ping Scan): disable port scan
  -Pn/-P0/-PD/-PN (Don't Ping): treat all hosts as online, skip host discovery
  -PS (TCP SYN Ping)
  -PA/-PT (TCP ACK Ping)
  -PU (UDP Ping)
  -PY (SCTP Ping)
  -PE/-PI (ICMP Echo Request Ping): ICMP type 8, expecting a type 0 (Echo reply)
  -PP (ICMP Timestamp Ping): ICMP type 13, expecting a type 14 (Timestamp reply)
  -PM (ICMP Address Mask Ping): ICMP type 17, expecting a type 18 (Address Mask reply)
  -PO (IP Protocol Ping): DEFAULT_PROTO_PROBE_PORT_SPEC is ICMP (proto 1), IGMP (proto 2), and IP-in-IP (proto 4)
  --disable-arp-ping (No ARP or ND Ping)
  --discovery-ignore-rst: ignore RST replies, in case firewalls spoof TCP reset (RST) replies
  --traceroute (Trace Path To Host)
  -n (No DNS Resolution)
  -R (DNS Resolution)
  --resolve-all (Scan Each Resolved Address)
  --system-dns (System DNS Resolver)
  --dns-servers (Specify DNS Servers)

Timing and Performance
  Parallel Host Scan Group Sizes
    --min-hostgroup <numbers> (Min Parallel Hosts Per Scan): default group size ramps from 5 up to 1024
    --max-hostgroup <numbers> (Max Parallel Hosts Per Scan): a common choice is 256
  Probe Parallelization
    --min-parallelism <numprobes> (Min Parallel Probes): default is based on network performance
    --max-parallelism <numprobes> (Max Parallel Probes): 10 might be reasonable
    --initial-rtt-timeout <milliseconds> (Initial Probe Round Trip Timeout): 100ms is reasonably aggressive
    --min-rtt-timeout <milliseconds> (Min Probe Round Trip Timeout): specifies the probe round trip time; rarely used option
    --max-rtt-timeout <milliseconds> (Max Probe Round Trip Timeout): should not exceed 1000ms
    --max-retries <numtries> (Max Port Probe Retransmissions): 3 is reasonable, 0 prevents any retransmissions; the default -T profile uses 10
    --host-timeout <milliseconds> (Slow Hosts Timeout): maximum amount of time you are willing to wait for a host
    --script-timeout (Slow Scripts Timeout): scripts that exceed the time are terminated and produce no output
  Tuning Options
    --scan-delay <milliseconds> (Min Delay Between Probes): delay time between probes; evades threshold-based IDS/IPS
    --max-scan-delay <milliseconds> (Max Delay Between Probes): too low can lead to wasteful packet retransmissions and possibly missed ports
    --min-rate <number> (Min Packet Send Rate): send packets no slower than <number> per second
    --max-rate <number> (Max Packet Send Rate): send packets no faster than <number> per second
    --defeat-rst-ratelimit (Ignore RST Packet Rate Limits): reduces accuracy; useful when you only care about open ports
    --defeat-icmp-ratelimit (Ignore ICMP Error Message Rate Limits): the chance for inaccuracy is greater
    --nsock-engine epoll | kqueue | poll | select (Use nsock IO Multiplexing Engine): the select(2)-based fallback engine is guaranteed to be available
    --timing/-T<0 | 1 | 2 | 3 | 4 | 5> (Timing Template): Paranoid (T0) | Sneaky (T1) | Polite (T2) | Normal (T3) | Aggressive (T4) | Insane (T5); -T0 and -T1 may be useful for avoiding IDS alerts; please refer to the Timing Templates & Their Effects table

OS Detection
  -O (OS Fingerprinting)
  --osscan-limit (Limit OS Scanning)
  --osscan-guess, --fuzzy (Guess OS More Aggressively)
  --max-os-tries (Max OS Detection Tries): default 5 times
  -A (Aggressive, Additional & Advanced Detection): enables OS detection, version detection, script scanning, and traceroute

Version Detection
  -sV/-sR (Version Detection)
  --allports (Don't Exclude Any Ports)
  --version-intensity <Level> (Set Version Intensity): set from 0 to 9 (try all probes); default is 7
  --version-light (Enable Light Mode Probes): intensity 2
  --version-all (Enable All Probes): intensity 9
  --version-trace (Extensive Debugging): show detailed version detection scan activity; version trace is a subset of --packet-trace

Scan Techniques
  -sS (TCP SYN Scan): half-open scan | stealth scan; SYN/ACK - Open, RST - Closed
  -sT (TCP Connect() Scan): vanilla scan; SYN/ACK - Open, RST - Closed
  -sA (ACK Scan): ACK flag; RST - Unfiltered, No Response + ICMP Error - Filtered
  -sW (Window Scan): ACK flag & check window size; RST + WIN=4096 - Open, RST + WIN=0 - Closed
  -sM (Maimon Scan, after Uriel Maimon): FIN/ACK flags; RST - Open, No Response - Closed
  -sU (UDP Scan): UDP Data - Open, No Response - Open | Filtered, ICMP Port Unreachable - Closed
  -sY (SCTP Init Scan)
  -sN (Null Scan): 0 flags; No Response - Open, RST - Closed
  -sF (FIN Scan): F flag; stealth scan
  -sX (Xmas Scan): F/P/U flags
  --scanflags <Flags> (Customize TCP Flags Scan)
  -sZ (Cookie-Echo Scan)
  -sI (Idle Scan): zombie scan
  -sO (IP Protocol Scan)
  -b (FTP Bounce Attack)
  -sP (Ping Scan): quickest scan; no actual ports are queried

Scripting Engine Options (NSE)
  -sC/--script <Lua Script> (Using Script): -sC is equivalent to --script=default
  --script-args <n1=v1,[n2=v2,...]> (Script Arguments)
  --script-args-file=filename (Script Arguments From File)
  --datadir <directory_name> (Custom Data Directory)
  --script-trace (Data Status): show all data sent and received by scripts; a subset of --packet-trace, and specifying that enables script tracing too
  --script-updatedb (Update Script Database)
  --script-help <Lua Script> (Show Help About Script)

Output
  -oA (All Formats): output in the three major formats at once
  -oN <filename> (Normal Format)
  -oX <filename> (XML Format)
  -oS <filename> (Script Kiddie Format)
  -oG <filename> (Grepable Format)
  --append-output (Append Output To Files)
  --resume <filename> (Resume An Aborted Scan): append new results to the data files if the scan was interrupted
  --stylesheet <path/URL> (Style Sheet): XSL style sheet to transform XML output to HTML
  --webxml (Reference Style Sheet): convenience option; references the style sheet from nmap.org
  --no-stylesheet (No Style Sheet): prevent associating an XSL style sheet with XML output
  --log-errors (Log Status): log errors/warnings to the normal-format output file
  --noninteractive (Noninteractive Mode)

Verbosity & Debugging, Run Time Interaction & Reporting Options
  -v/-vv/-v3/--verbose (Increase Verbosity Level): verbose mode
  -d/-dd/-d9/--debug (Increase Debugging Level): debug mode
  --reason (Host & Port State Reason): displays the packet that determined a port's or host's state
  --open (Open Ports): only show open (or possibly open) ports
  --stats-every <time> (Print Periodic Timing Stats): prints a timing status message after each interval
  --packet-trace (Packet Status): print a summary of every packet sent or received (includes all 3 traces)
  -iflist (List Interfaces): print host interfaces and routes (for debugging)

Host & Port Orders
  -iL (Read Targets From File): input from a list of hosts/networks (manual scanning)
  -iR (Random Targets)
  --exclude (Exclude Targets): exclude hosts/networks
  --excludefile (Exclude Targets From File)
  -p <Port Range> (Only Scan Specified Ports)
  --exclude-ports (Exclude Specified Ports)
  -6 (IPv6 Support)
  -F (Fast Scan): limited to 100 ports; the "nmap-services" file needs to be modified to change those 100 ports
  -r (Scan Ports Consecutively): don't randomize
  --port-ratio (Scan Ports More Common Than Ratio)
  --top-ports (Scan Most Common Ports)

Miscellaneous Options
  --servicedb <services file>
  --versiondb <service probes file>
  --send-eth/--send-ip (Send Using Raw Ethernet Frames Or IP Packets)
  --privileged (Fully Privileged)
  --unprivileged (Lacks Raw Socket Privileges)
  --release-memory (Release Memory Before Quitting): useful for memory-leak debugging
  -V/--version (Nmap Version)
  -h/--help (Quick Reference Screen)
  -q (Quash Argument Vector): modifies its argument vector to appear as another process