Scanning Options

Option What It Does Example Command
10.10.10.0/24 Specifies the target network range. nmap 10.10.10.0/24
-sn Skips port scanning. nmap -sn 10.10.10.0/24
-Pn Disables ICMP Echo Requests (no ping). nmap -Pn 10.10.10.0/24
-n Avoids DNS resolution. nmap -n 10.10.10.0/24
-PE Ping scan using ICMP Echo Requests. nmap -PE 10.10.10.0/24
--packet-trace Shows detailed packet sending/receiving logs. nmap --packet-trace 10.10.10.0/24
--reason Displays the reason for a result. nmap --reason 10.10.10.0/24
--disable-arp-ping Disables ARP Ping. nmap --disable-arp-ping 10.10.10.0/24
--top-ports=<num> Scans the most common ports. nmap --top-ports=100 10.10.10.0/24
-p- Scans all ports. nmap -p- 10.10.10.0/24
-p22-110 Scans ports between 22 and 110. nmap -p22-110 10.10.10.0/24
-p22,25 Scans only ports 22 and 25. nmap -p22,25 10.10.10.0/24
-F Scans top 100 most common ports. nmap -F 10.10.10.0/24
-sS Performs a TCP SYN scan. nmap -sS 10.10.10.0/24
-sA Conducts a TCP ACK scan. nmap -sA 10.10.10.0/24
-sU Runs a UDP scan. nmap -sU 10.10.10.0/24
-sV Scans service versions. nmap -sV 10.10.10.0/24
-sC Uses default scripts for scanning. nmap -sC 10.10.10.0/24
--script <script> Runs specified scripts during the scan. nmap --script http-title 10.10.10.0/24
-O Identifies the target’s operating system. nmap -O 10.10.10.0/24
-A OS, service, and traceroute detection. nmap -A 10.10.10.0/24
-D RND:5 Uses 5 random decoys for the scan. nmap -D RND:5 10.10.10.0/24
-e Specifies the network interface for scanning. nmap -e eth0 10.10.10.0/24
-S 10.10.10.200 Sets the source IP address. nmap -S 10.10.10.200 10.10.10.0/24
-g Specifies the source port. nmap -g 80 10.10.10.0/24
--dns-server <ns> Uses a custom DNS server for resolution. nmap --dns-server 8.8.8.8 10.10.10.0/24

Output Options
Option What It Does Example Command
-oA filename Saves results in all formats under the given filename. nmap -oA scan_results 10.10.10.0/24
-oN filename Saves results in a normal text format. nmap -oN scan.txt 10.10.10.0/24
-oG filename Saves results in a grepable format. nmap -oG scan.grep 10.10.10.0/24
-oX filename Saves results in XML format. nmap -oX scan.xml 10.10.10.0/24

Performance Options
Option What It Does Example Command
--max-retries <num> Sets the number of retries for failed scans. nmap --max-retries 3 10.10.10.0/24
--stats-every=5s Displays scan progress every 5 seconds. nmap --stats-every=5s 10.10.10.0/24
-v/-vv Increases verbosity during the scan. nmap -vv 10.10.10.0/24
--initial-rtt-timeout 50ms Sets the initial round-trip timeout value. nmap --initial-rtt-timeout 50ms 10.10.10.0/24
--max-rtt-timeout 100ms Sets the maximum round-trip timeout value. nmap --max-rtt-timeout 100ms 10.10.10.0/24
--min-rate 300 Sets the rate of packets sent per second. nmap --min-rate 300 10.10.10.0/24
-T <0-5> Chooses the scan timing template (0 = slowest, 5 = fastest). nmap -T4 10.10.10.0/24

Script Categories
Category What It Does Example Command
auth Tests for authentication weaknesses. nmap --script auth 10.10.10.0/24
broadcast Discovers hosts via broadcasting. nmap --script broadcast 10.10.10.0/24
brute Brute-forces logins with common credentials. nmap --script brute 10.10.10.0/24
default Runs default scripts with the -sC option. nmap -sC 10.10.10.0/24
discovery Identifies available services. nmap --script discovery 10.10.10.0/24
dos Tests for Denial of Service vulnerabilities (risky). nmap --script dos 10.10.10.0/24
exploit Attempts to exploit known vulnerabilities. nmap --script exploit 10.10.10.0/24
external Uses external services for data processing. nmap --script external 10.10.10.0/24
fuzzer Identifies vulnerabilities by sending malformed packets. nmap --script fuzzer 10.10.10.0/24
intrusive Performs potentially damaging tests. nmap --script intrusive 10.10.10.0/24
malware Scans for signs of malware infections. nmap --script malware 10.10.10.0/24
safe Safe, non-intrusive defensive scans. nmap --script safe 10.10.10.0/24
version Detects service versions. nmap --script version 10.10.10.0/24
vuln Scans for specific vulnerabilities. nmap --script vuln 10.10.10.0/24