Professor Messer’s Quick Reference Guide to

NMAP
SCAN OPTION SUMMARY PING OPTIONS
Requires Identifies Identifies ICMP Echo Request Ping -PE, -PI
Command
Scan Name Privileged TCP UDP -PA[portlist], -PT[portlist]
Syntax TCP ACK Ping
Access Ports Ports
TCP SYN Ping -PS[portlist]
TCP SYN Scan -sS YES YES NO
UDP Ping -PU[portlist]
TCP connect() Scan -sT NO YES NO
ICMP Timestamp Ping -PP
FIN Stealth Scan -sF YES YES NO
ICMP Address Mask Ping -PM
Xmas Tree Stealth Scan -sX YES YES NO
Don’t Ping -P0, -PN, -PD
Null Stealth Scan -sN YES YES NO
Require Reverse -R
Ping Scan -sP NO NO NO
Disable Reverse DNS -n
Version Detection -sV NO NO NO
Specify DNS Servers --dns-servers
UDP Scan -sU YES NO YES
REAL-TIME INFORMATION OPTIONS
IP Protocol Scan -sO YES NO NO
Verbose Mode --verbose, -v
ACK Scan -sA YES YES NO
Version Trace --version-trace
Window Scan -sW YES YES NO
Packet Trace --packet-trace
RPC Scan -sR NO NO NO
Debug Mode --debug, -d
List Scan -sL NO NO NO
Interactive Mode --interactive
Idlescan -sI YES YES NO
Noninteractive Mode --noninteractive
FTP Bounce Attack -b NO YES NO
OPERATING SYSTEM FINGERPRINTING
HOST AND PORT OPTIONS
OS Fingerprinting -O
Exclude Targets --exclude <host1 [,host2],...>
Limit System Scanning --osscan-limit
Exclude Targets in File --excludefile <exclude_file>
More Guessing Flexibility --osscan-guess, --fuzzy
Read Targets from File -iL <inputfilename>
Additional, Advanced, and Aggressive -A
Pick Random Numbers for Targets -iR <num_hosts>
VERSION DETECTION
Randomize Hosts --randomize_hosts, -rH
Version Scan -sV
No Random Ports -r --allports
Don’t Exclude Any Ports
Source Port --source-port <portnumber> Set Version Intensity --version-intensity
Specify Protocol or Port Numbers -p <port_range> Enable Version Scanning Light --version-light
Fast Scan Mode -F Enable Version Scan All --version-all
Create Decoys -D <decoy1 [,decoy2][,ME],...> RUN-TIME INTERACTIONS
Source Address -S <IP_address> Display Run-Time Help ?
Interface -e <interface> Increase / Decrease Verbosity v / V

List Interfaces --iflist Increase / Decrease Debugging d / D

Increase / Decrease Packet Tracing p / P
TUNING AND TIMING OPTIONS
Any Other Key Print Status
Time to Live --ttl
LOGGING OPTIONS
Use Fragmented IP Packets -f, -ff Normal Format -oN <logfilename>
Maximum Transmission Unit --mtu <databytes> XML Format -oX <logfilename>
Data Length --data-length <databytes> Grepable Format -oG <logfilename>
All Formats -oA <basefilename>
Host Timeout --host-timeout <milliseconds>
Script Kiddie Format -oS <logfilename>
Initial Round Trip Timeout --initial-rtt-timeout <milliseconds>
Resume Scan --resume <logfilename>
Minimum Round Trip Timeout --min-rtt-timeout <milliseconds>
Append Output --append-output
Maximum Round Trip Timeout --max-rtt-timeout <milliseconds>
MISCELLANEOUS OPTIONS
Maximum Parallel Hosts per Scan --max-hostgroup <number> Quick Reference Screen --help, -h
Minimum Parallel Hosts per Scan --min-hostgroup <number> Nmap Version --version, -V

Maximum Parallel Port Scans
Minimum Parallel Port Scans
Minimum Delay Between Probes
Maximum Delay Between Probes
Timing Policies
--max-parallelism <number> Data Directory --datadir <directory_name>
Quash Argument Vector -q
--min-parallelism <number>
Define Custom Scan Flags --scanflags <flagval>
--scan-delay <milliseconds>
(Uriel) Maimon Scan -sM
--max-scan-delay -6
IPv6 Support
--timing, -T<0|1|2|3|4|5> Send Bad TCP or UDP Checksum --badsum

http://www.ProfessorMesser.com SNC-201 Copyright © 2007 Professor Messer, LLC, All Rights Reserved
 Professor Messer’s Quick Reference Guide to

NMAP
Identifying Open Ports with Nmap

TCP SYN SCAN (-sS) TCP connect() SCAN (-sT) TCP FIN SCAN (-sF)

TCP XMAS TREE SCAN (-sX) TCP NULL SCAN (-sN) TCP PING SCAN (-sP)

VERSION DETECTION SCAN (-sV) UDP SCAN (-sU) IP PROTOCOL SCAN (-sO)
Version scan identifies open ports with a TCP SYN scan...

...and then queries the port with a customized signature. TCP ACK SCAN (-sA) TCP WINDOW SCAN (-sW)

IDLESCAN (-sI <zombie host:[probeport]>)

Step 1: Nmap sends a SYN/ACK to the zombie workstation to Step 2: Nmap sends a SYN frame to the destination address, Step 3: Nmap repeats the original SYN/ACK probe of the zom-
induce a RST in return. This RST frame contains the initial IPID but nmap spoofs the IP address to make it seem as if the SYN bie station. If the IPID has incremented, then the port that was
that nmap will remember for later. frame was sent from the zombie workstation. spoofed in the original SYN frame is open on the destination
device.

FTP BOUNCE ATTACK (-b <ftp_relay_host>)

A closed port will result with the FTP server informing the source station that the FTP server can’t build the connection.

An open port completes the transfer over the specified connection.

http://www.ProfessorMesser.com SNC-201 Copyright © 2007 Professor Messer, LLC, All Rights Reserved