
Target specification

IP address, hostnames, networks, etc. Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL file  input from list
-iR n  choose random targets, 0 never ending
--exclude, --excludefile file  exclude host or list from file

Service and version detection

-sV  version detection
--version-all  try every single probe
--version-trace  trace version scan activity
--all-ports  don't exclude ports

Host discovery

-PS n  tcp syn ping
-PA n  tcp ack ping
-PU n  udp ping
-PM  netmask req
-PP  timestamp req
-PE  echo req
-PO  protocol ping
-Pn  no ping
-sL  list scan
-sn  ping, same as PP PM PS443 PA80
-n  no DNS
-R  DNS resolution for all targets
--traceroute  trace path to host (for topology map)

SecurityByDefault.com

OS detection

-O  enable OS detection
--fuzzy  guess OS detection
--max-os-tries  set the maximum number of tries against a target

Firewall/IDS evasion

-f  fragment packets
-S ip  spoof source address
-D d1,d2  cloak scan with decoys
-g source  spoof source port
--spoof-mac mac  change the src mac
--randomize-hosts  randomize target order

Verbosity and debugging options

-v  increase verbosity level
-d (1-9)  set debugging level
--reason  host and port reason
--packet-trace  trace packets

Port scanning techniques

-sS  tcp syn scan
-sT  tcp connect scan
-sA  tcp ack
-sW  tcp window
-sN, -sF, -sX  null, fin, xmas
-sU  udp scan
-sY  sctp init scan
-sZ  sctp cookie echo
-sO  ip protocol

Interactive options

v/V  increase/decrease verbosity level
d/D  increase/decrease debugging level
p/P  turn on/off packet tracing

Port specification and scan order

-p n-m  range
-p n,m,z  individual
-p-  all ports
-p U:n-m,z T:n,m  U for udp, T for tcp
--top-ports n  scan the n highest-ratio ports
-F  fast, common 100
-r  don't randomize
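The -p syntax above (ranges, individual ports, the bare "-" for all ports, and the U:/T: protocol prefixes) is small enough to parse completely. The following parser is an added example written for this page, not code from the cheat sheet or from the Nmap project; it follows nmap's conventions as far as they are listed here (a prefix applies to every following item until another prefix appears, unprefixed items apply to both protocols, "-p-" means 1-65535 so port 0 is only included when written out) and accepts items separated by commas or whitespace. Only the T: and U: prefixes shown on the sheet are handled.

```python
"""Parser for nmap -p port specifications.

Added example, not part of the original cheat sheet.  Assumptions: ranges may be
open-ended ("-100" is 1-100, "1000-" is 1000-65535), "-" alone is 1-65535, and
a T:/U: prefix stays in force until the next prefix, as nmap does.
"""
import re

MAX_PORT = 65535


def _expand_item(item: str) -> set[int]:
    """Expand a single item (n, n-m, -m, n-, or -) into a set of port numbers."""
    if not item:
        raise ValueError("empty port item")
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # "-m" and "-": start at 1, port 0 excluded
        hi = int(hi_s) if hi_s else MAX_PORT   # "n-" and "-": run to 65535
    else:
        lo = hi = int(item)
    if not (0 <= lo <= hi <= MAX_PORT):
        raise ValueError(f"invalid port range: {item!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {"tcp": {...}, "udp": {...}} for an nmap -p argument.

    Items may be separated by commas or whitespace ("U:53,137 T:21-25,80" and
    "U:53,137,T:21-25,80" are equivalent).  Items without a prefix go to both
    protocols; "T:" or "U:" switches every following item to one protocol.
    """
    ports: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")
    for item in re.split(r"[,\s]+", spec.strip()):
        if ":" in item:
            prefix, item = item.split(":", 1)
            prefix = prefix.strip().upper()
            if prefix == "T":
                current = ("tcp",)
            elif prefix == "U":
                current = ("udp",)
            else:
                raise ValueError(f"unknown protocol prefix: {prefix!r}")
        expanded = _expand_item(item.strip())
        for proto in current:
            ports[proto] |= expanded
    return ports


def port_counts(spec: str) -> tuple[int, int]:
    """Convenience: (number of tcp ports, number of udp ports) a spec would scan."""
    parsed = parse_port_spec(spec)
    return len(parsed["tcp"]), len(parsed["udp"])


if __name__ == "__main__":
    for example in ("-", "22,80,443", "-100", "U:53-55,137 T:21-23,80"):
        tcp_n, udp_n = port_counts(example)
        print(f"{example!r:32} tcp={tcp_n:5d} udp={udp_n:5d}")
```

A practical use is sanity-checking a scan plan before it runs: a spec such as "U:53-55,137 T:21-23,80" parses to four UDP and four TCP ports, while a stray "-" expands to all 65535 ports per protocol, which changes scan time by orders of magnitude.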

Miscellaneous options

--resume file  resume aborted scan (from oN or oG output)
-6  enable ipv6 scanning
-A  aggressive, same as -O -sV -sC --traceroute

Timing and performance

-T0 paranoid
-T1 sneaky
-T2 polite
-T3 normal
-T4 aggressive
-T5 insane
--min-hostgroup / --max-hostgroup
--min-rate / --max-rate
--min-parallelism / --max-parallelism
--min-rtt-timeout / --max-rtt-timeout
--initial-rtt-timeout
--max-retries
--host-timeout
--scan-delay

Scripts

-sC  perform scan with default scripts
--script file  run script (or all)
--script-args n=v  provide arguments
--script-updatedb  update the script db
--script-trace  print in/out communication

Output

-oN  normal
-oX  xml
-oG  grepable
-oA  all others

Examples

Quick scan: nmap -T4 -F
Fast scan (port80): nmap -T4 --max-rtt-timeout 200 --initial-rtt-timeout 150 --min-hostgroup 512 --max-retries 0 -n -P0 -p80
Ping scan: nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
Slow comprehensive: nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
Quick traceroute: nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute
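The grepable format from the Output section (-oG) is the one most often fed to scripts, and the typical defensive job is turning a scan of your own network into an inventory of open services and diffing it against what should be there. The following is an added example written for this page, not code from the cheat sheet or from the Nmap project. It parses -oG text (tab-separated fields; each port entry has seven slash-separated fields: port/state/protocol/owner/service/rpc info/version) and reports open ports that are absent from an allow-list. The sample output, host names and addresses are constructed for the example.

```python
"""Inventory and allow-list check over nmap grepable (-oG) output.

Added example, not part of the original cheat sheet.  SAMPLE_OG below is a
constructed sample in nmap's -oG layout; the addresses and names are made up.
"""
import re
from collections import defaultdict

SAMPLE_OG = """# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -oG - 192.168.0.0/30
Host: 192.168.0.1 (gw.example.test)\tStatus: Up
Host: 192.168.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu (protocol 2.0)/, 53/open/udp//domain//dnsmasq 2.80/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.0.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 4 IP addresses (2 hosts up) scanned in 5.02 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port entries are comma-separated; split only at commas followed by "<port>/"
# so a comma inside a version string does not break an entry apart.
ENTRY_SPLIT = re.compile(r",\s*(?=\d+/)")


def parse_grepable(text: str) -> dict[str, list[dict]]:
    """Return {ip: [{port, proto, state, service, version}, ...]} from -oG text."""
    hosts: dict[str, list[dict]] = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                          # "# Nmap ..." comment lines
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        # Remaining tab-separated fields look like "Ports: ..." / "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        ports_field = fields.get("Ports")
        if ports_field is None:
            continue                          # "Status: Up/Down" line carries no ports
        for entry in ENTRY_SPLIT.split(ports_field):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue                      # malformed entry: skip, do not crash
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts[ip].append({"port": int(port), "proto": proto, "state": state,
                              "service": service, "version": version})
    return dict(hosts)


def open_services(hosts: dict[str, list[dict]]) -> dict[str, set[tuple[int, str]]]:
    """Reduce the inventory to {ip: {(port, proto), ...}} of open ports only."""
    return {ip: {(e["port"], e["proto"]) for e in entries if e["state"] == "open"}
            for ip, entries in hosts.items()}


def unexpected_services(hosts: dict[str, list[dict]],
                        allowlist: dict[str, set[tuple[int, str]]]) -> dict[str, set[tuple[int, str]]]:
    """Open ports not covered by the allow-list; a host missing from the
    allow-list is treated as allowing nothing, so everything on it is reported."""
    unexpected = {}
    for ip, opened in open_services(hosts).items():
        extra = opened - allowlist.get(ip, set())
        if extra:
            unexpected[ip] = extra
    return unexpected


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_OG)
    allowed = {"192.168.0.1": {(22, "tcp"), (53, "udp")},
               "192.168.0.2": {(80, "tcp")}}
    for ip, extra in sorted(unexpected_services(inventory, allowed).items()):
        print(ip, "unexpected open ports:", sorted(extra))
```

Run against real output the same code works on a file written with -oG (or on stdin from -oG -); the allow-list would normally come from a CMDB or a previous baseline scan rather than being typed inline. Note that the "Status" and "Ports" lines for a host are separate records, which is why the parser keys everything by address and skips lines without a Ports field.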