Nmap
Scan Network Range
--reason (host and port state reasons). Shows why Nmap placed each port in its state (for example syn-ack, reset or no-response) and why it marked each host as up or down; the same reason strings are recorded in the XML output.
ARP ping scan
Basic IP range scan
Scanning IP list
ICMP reply scan
Service discovery
By default, Nmap scans the top 1000 TCP ports with a SYN scan (-sS). The SYN scan is only the default when Nmap runs as root, because raw sockets are needed to craft the TCP packets itself; otherwise the TCP connect scan (-sT), which uses the operating system's normal connect() call, is performed by default.
In the examples on this page we skip host discovery (-Pn, which also suppresses the ICMP echo request and treats every target as up), disable DNS resolution (-n), and disable the ARP ping (--disable-arp-ping). The last option is needed separately because Nmap still ARP-pings targets on the local Ethernet segment even when -Pn is set.
Cheat sheet
Scanning Options

Nmap Option             Description
10.10.10.0/24           Target network range (CIDR notation).
-sn                     Disables port scanning; host discovery only.
-Pn                     Skips host discovery and treats all targets as online (no ICMP echo request is sent).
-n                      Disables DNS resolution.
-PE                     Performs the ping scan using ICMP echo requests against the target.
--packet-trace          Shows all packets sent and received.
--reason                Displays the reason for a specific result (for example syn-ack, reset, no-response).
--disable-arp-ping      Disables the ARP ping, which Nmap otherwise sends to local Ethernet targets even with -Pn.
--top-ports=<num>       Scans the <num> ports that Nmap's frequency table ranks as most common.
-p-                     Scans all 65535 ports.
-p22-110                Scans all ports between 22 and 110.
-p22,25                 Scans only the specified ports 22 and 25.
-F                      Fast scan: the top 100 ports.
-sS                     Performs a TCP SYN scan (requires root for raw sockets).
-sA                     Performs a TCP ACK scan; it only reports ports as filtered or unfiltered, which maps firewall rules.
-sU                     Performs a UDP scan.
-sV                     Probes the discovered open ports to identify the service and its version.
-sC                     Performs a script scan with the NSE scripts categorized as "default".
--script <script>       Performs a script scan using the specified scripts or categories.
-O                      Performs OS detection to determine the operating system of the target.
-A                      Enables OS detection, version detection, default script scan and traceroute (like -O -sV -sC --traceroute).
-D RND:5                Scans using 5 randomly generated decoy source addresses alongside the real one.
-e                      Specifies the network interface that is used for the scan.
-S 10.10.10.200         Spoofs the source IP address; replies go to that address, so they are only visible if its traffic can be sniffed.
-g                      Specifies the source port for the scan (long form --source-port).
--dns-server <ns>       DNS resolution is performed using the specified name server.
Output Options

Nmap Option             Description
-oA filename            Stores the results in all three formats at once: filename.nmap, filename.gnmap and filename.xml.
-oN filename            Stores the results in normal (human-readable) format in "filename".
-oG filename            Stores the results in "grepable" format in "filename".
-oX filename            Stores the results in XML format in "filename" (the format to parse programmatically).
Performance Options

Nmap Option                 Description
--max-retries <num>         Caps the number of probe retransmissions per port (0 means no retries).
--stats-every=5s            Displays the scan's status every 5 seconds.
-v/-vv                      Displays verbose (or very verbose) output during the scan.
--initial-rtt-timeout 50ms  Sets the initial round-trip timeout for probe responses.
--max-rtt-timeout 100ms     Sets the maximum round-trip timeout; responses slower than this count as no response, so set it too low and open ports show as filtered.
--min-rate 300              Sends packets no slower than 300 per second (a minimum sending rate, not a batch size).
-T <0-5>                    Selects a timing template from 0 (paranoid) to 5 (insane); -T3 is the default.
Firewall and IDS/IPS Evasion
Decoys
sudo nmap 10.129.2.28 -p 80 -sS -Pn -n --disable-arp-ping --packet-trace -D RND:5
The real source address is mixed in with 5 random decoy addresses so the IDS sees six apparent scanners. Spoofed packets are frequently dropped by upstream filtering, so this works best on the local segment; --packet-trace shows the decoy packets being sent.
Scan by Using Different Source IP
sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0
Replies go to the spoofed address 10.129.2.200 rather than to the scanner, so the results are only usable if that traffic can be observed on the interface given with -e (for example with tcpdump).
DNS Proxying
sudo nmap 10.129.2.28 -p 50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
The SYN probes leave from source port 53 so they resemble DNS traffic; a firewall that permits inbound traffic from port 53 may then let the probe through and report the port as open instead of filtered.
Connect to the Filtered Port