Ping scans the network, listing machines that respond to ping.
Full TCP port scan with service version detection - usually my first scan, I find T4 more accurate than T5 and still "pretty quick".
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + traceroute and scripts against target services.
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + traceroute and scripts against target services.
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection.
Prints verbose output, runs stealth syn scan, T4 timing, OS and version detection + full port range scan.
Prints verbose output, runs stealth syn scan, T5 timing, OS and version detection + full port range scan.
T5 uses very aggressive scan timings and could lead to missed ports; T4 is a better compromise if you need fast results.
Scans a list of IP addresses; you can add options before / after.
Outputs "grepable" output to a file, in this example Netbios servers.
E.g., the output file could be grepped for "Open".
Export nmap output to HTML report.
Find all Netbios servers on subnet
Nmap display Netbios name
Nmap check if Netbios servers are vulnerable to MS08-067
Be careful when running this command.
Scans for http servers on port 80 and pipes into Nikto for scanning.
Scans for http/https servers on port 80, 443 and pipes into Nikto for scanning.
inputfilename: Input from list of hosts/networks
num hosts: Choose random targets
host1[,host2][,host3],... : Exclude hosts/networks
exclude_file: Exclude list from file
List Scan - simply list targets to scan
Ping Scan - disable port scan
Treat all hosts as online -- skip host discovery
TCP SYN/ACK, UDP or SCTP discovery to given ports
ICMP echo, timestamp, and netmask request discovery probes
IP Protocol Ping
Never do DNS resolution/Always resolve [default: sometimes]
TCP SYN scan
TCP Null scan
Customize TCP scan flags
SCTP INIT scan
IP protocol scan
FTP bounce scan
Specify ports, e.g. -p80,443 or -p1-65535
Scan UDP ports with Nmap, e.g. -p U:53
Fast mode, scans fewer ports than the default scan
Scan ports consecutively - don't randomize
Scan "number" most common ports
Scan ports more common than "ratio"
Probe open ports to determine service/version info
Set from 0 (light) to 9 (try all probes)
Limit to most likely probes (intensity 2)
Try every single probe (intensity 9)
Show detailed version scan activity (for debugging)
Equivalent to --script=default
"Lua scripts" is a comma-separated list of directories, script-files or script-categories
Provide arguments to scripts
Provide NSE script args in a file
Show all data sent and received
Update script database
Show help about scripts
Enable OS Detection
Limit OS detection to promising targets
Guess OS more aggressively
Options which take TIME are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
Set timing template - higher is faster (less accurate)
Parallel host scan group sizes
Specifies probe round trip time
Caps number of port scan probe retransmissions
Give up on target after this long
Adjust delay between probes
Send packets no slower than NUMBER per second
Send packets no faster than NUMBER per second
Fragment packets (optionally w/given MTU)
Cloak a scan with decoys
Spoof source address
Use specified interface
Use given port number
Relay connections through HTTP / SOCKS4 proxies
Append random data to sent packets
Send packets with specified ip options
Set IP time to live field
Spoof NMAP MAC address
Send packets with a bogus TCP/UDP/SCTP checksum
Output to XML
Script Kiddie / 1337 speak... sigh
Output greppable - easy to grep nmap output
Output in the three major formats at once
Increase verbosity level; use -vv or more for greater effect
Increase debugging level; use -dd or more for greater effect
Display the reason a port is in a particular state
Only show open or possibly open ports
Show all packets sent / received
Print host interfaces and routes for debugging
Log errors/warnings to the normal-format output file
Append to rather than clobber specified output files
Resume an aborted scan
XSL stylesheet to transform XML output to HTML
Reference stylesheet from Nmap.Org for more portable XML
Prevent associating of XSL stylesheet w/XML output
Enable IPv6 scanning
Enable OS detection, version detection, script scanning, and traceroute
Specify custom Nmap data file location
Send using raw ethernet frames or IP packets
Assume that the user is fully privileged
Assume the user lacks raw socket privileges
Show nmap version number
Show nmap help screen