- `-A` — “Aggressive” scan; alias for `-O -sC -sV --traceroute`.
- `-D` — Send multiple scan requests using decoys, specified as a list of arbitrary IP addresses. The special “addresses” `ME` and `RND` represent the attacker (you!) and a random IP address, respectively. If `ME` isn’t included in the list, it will be inserted at a random position. Trades stealth for “chaff”. Maybe only useful as a diversion?
- `-e` — Specify the network interface to use during scanning.
- `-f` — Fragment (TCP) packets into chunks of 8 bytes or less. Can help evade some next-gen firewall / IDS alarms.
- `-ff` — Fragment (TCP) packets into chunks of 16 bytes or less. Can help evade some next-gen firewall / IDS alarms.
- `-F` — “Fast” scan. Alias for `--top-ports 100`.
- `-g` — Use the specified source port number rather than a random source port. Useful for bypassing some stateless firewalls.
- `-iL` — Read Nmap’s scan targets from a file.
- `-n` — Don’t resolve host names using DNS (no reverse DNS resolution).
- `-O` — OS detection. Generally requires at least one open and one closed port to work, and results will be distorted if the target is virtualized. The OS type is detected much more reliably than the OS version.
- `-p-` — Scan all ports. (The beginning/end of a port range can be omitted to represent 1/65535, so `-p-` is equivalent to `-p1-65535`.) If omitted, the 1000 most common ports are scanned by default.
- `-Pn` — Scan the host even if it doesn’t respond to an initial ping. Necessary for scanning/discovering modern Windows systems, since the Windows Firewall blocks ICMP by default.
- `-r` — Scan ports in sequential order (rather than randomly). Can make for more accurate scans of targets that have only recently been brought online.
- `-R` — Perform reverse DNS resolution even for offline hosts.
- `-sC` — Scan with the “default” script set; equivalent to `--script default`. Mostly provides basic intelligence.
- `-sV` — Service detection. The same as `-sT` (because a full TCP connection is required to gather the necessary information), but probes listening services for additional information.
- `-S` — Use a spoofed IP address for the scan. Only useful if you can actually capture incoming packets at that IP address! Generally must be combined with the `-e` and `-Pn` flags.
- `-T` — Specify timing, from 0 to 5. `-T0` will wait 5 minutes between ports. `-T1` is typical on engagements. `-T3` is the default. `-T4` is typical on CTFs. `-T5` is not recommended, as it is so fast that it may lead to packet loss.
- `-v` — Increase Nmap’s verbosity. There are four verbosity levels for Nmap: `-v` < `-vv` < `-d` < `-dd`. In practice, I’ve found anything above `-v` too noisy for general use.
There’s more, but these are the big ones.
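As an added example (not code from the original post or from the Nmap project), here is a small Python parser for the `-p` port syntax described above: an omitted start or end of a range stands for 1 or 65535, so `-` and `1-65535` expand to the same set. It generalises slightly by also accepting comma-separated lists, which Nmap supports but the post does not cover; the `T:`/`U:` protocol prefixes are left out, and the function names are my own.

```python
# Added example: expand and validate an Nmap-style -p port specification.
# Handy for checking the port list in a scan policy before it reaches the
# scanner, or for measuring how much of the port space a given spec covers.

MIN_PORT, MAX_PORT = 1, 65535


def parse_port_spec(spec: str) -> set[int]:
    """Expand an Nmap -p argument into the set of ports it denotes."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port spec")
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            # An omitted bound means the edge of the port space: "-" is 1-65535.
            start = int(start_s) if start_s else MIN_PORT
            end = int(end_s) if end_s else MAX_PORT
        else:
            start = end = int(item)
        if not (MIN_PORT <= start <= end <= MAX_PORT):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """True if spec parses cleanly (no empty items, bad numbers or reversed ranges)."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def coverage(spec: str) -> float:
    """Fraction of the 65535-port space that spec covers."""
    return len(parse_port_spec(spec)) / MAX_PORT


if __name__ == "__main__":
    # Constructed sample specs; "-" and "1-65535" must give the same result.
    for s in ("-", "1-65535", "22,80,443", "-1024", "8000-"):
        print(f"{s:>10}: {len(parse_port_spec(s)):5d} ports, {coverage(s):.1%}")
```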