Nmap6 Cheatsheet Eng v1 PDF

This document provides an overview of Nmap scanning techniques and options for target specification, service/version detection, host discovery, port scanning, timing and performance, firewall/IDS evasion, verbosity and debugging, interactive options, output options, and examples of common Nmap scans. Key scanning techniques covered include TCP SYN scanning, TCP connect scanning, UDP scanning, ping scanning, version detection, and OS detection. The document also lists timing options, port specification methods, output formats, and evasion techniques such as fragmentation and spoofing.
SecurityByDefault.com

Target specification
  IP address, hostnames, networks, etc.
  Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL file                       input from list
  -iR n                          choose random targets, 0 never ending
  --exclude, --excludefile file  exclude host or list from file

Service and version detection
  -sV                 version detection
  --all-ports         don't exclude ports
  --version-all       try every single probe
  --version-trace     trace version scan activity
  -O                  enable OS detection
  --fuzzy             guess OS detection
  --max-os-tries      set the maximum number of tries against a target

Host discovery
  -PS n               tcp syn ping
  -PA n               tcp ack ping
  -PU n               udp ping
  -PM                 netmask req
  -PP                 timestamp req
  -PE                 echo req
  -sL                 list scan
  -PO                 protocol ping
  -Pn                 no ping
  -n                  no DNS
  -R                  DNS resolution for all targets
  --traceroute        trace path to host (for topology map)
  -sn                 ping scan, same as -PP -PM -PS443 -PA80

Firewall/IDS evasion
  -f                  fragment packets
  -D d1,d2            cloak scan with decoys
  -S ip               spoof source address
  -g source           spoof source port
  --randomize-hosts   randomize host order
  --spoof-mac mac     change the src mac

Port scanning techniques
  -sS                 tcp syn scan
  -sT                 tcp connect scan
  -sU                 udp scan
  -sY                 sctp init scan
  -sZ                 sctp cookie echo scan
  -sO                 ip protocol scan
  -sW                 tcp window scan
  -sN, -sF, -sX       null, fin, xmas scans
  -sA                 tcp ack scan

Verbosity and debugging options
  -v                  increase verbosity level
  --reason            host and port reason
  -d (1-9)            set debugging level
  --packet-trace      trace packets

Interactive options
  v/V                 increase/decrease verbosity level
  d/D                 increase/decrease debugging level
  p/P                 turn on/off packet tracing

Port specification and scan order
  -p [n-m]            range
  -p-                 all ports
  -p n,m,z            individual ports
  -p U:n-m,z T:n,m    U for udp, T for tcp
  -F                  fast, common 100 ports
  --top-ports n       scan the n highest-ratio ports
  -r                  don't randomize port order

Miscellaneous options
  --resume file       resume aborted scan (from -oN or -oG output)
  -6                  enable ipv6 scanning
  -A                  aggressive, same as -O -sV -sC --traceroute

Timing and performance
  -T0 paranoid, -T1 sneaky, -T2 polite, -T3 normal, -T4 aggressive, -T5 insane
  --min-hostgroup / --max-hostgroup
  --min-rate / --max-rate
  --min-parallelism / --max-parallelism
  --min-rtt-timeout / --max-rtt-timeout / --initial-rtt-timeout
  --max-retries, --host-timeout, --scan-delay

Scripts
  -sC                 perform scan with default scripts
  --script file       run script (or all)
  --script-args n=v   provide arguments
  --script-updatedb   update the script db
  --script-trace      print in/out communication

Output
  -oN                 normal
  -oX                 xml
  -oG                 grepable
  -oA                 all of the others
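The -oG format listed above is line-oriented (one tab-separated record per host), which makes it easy to turn a scan into an inventory of what is actually exposed. The parser below is an added example, not part of the original cheatsheet; the scan output it reads is constructed, not from a real scan, and it deliberately does not count UDP's "open|filtered" as open.

```python
import re

# Constructed sample of Nmap grepable (-oG) output (not from a real scan); one
# tab-separated record per line: "Host: ip (name)\tPorts: ...\tIgnored State: ...".
SAMPLE_GNMAP = (
    "# Nmap 6.40 scan initiated as: nmap -sS -sU -sV -oG lab.gnmap 192.168.0.0/30\n"
    "Host: 192.168.0.1 (gw.lab)\tStatus: Up\n"
    "Host: 192.168.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 6.2 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.4.6/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.0.2 ()\tStatus: Up\n"
    "Host: 192.168.0.2 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (999)\n"
    "# Nmap done -- 4 IP addresses (2 hosts up) scanned in 9.02 seconds\n"
)

# A port entry has seven slash-separated fields and a trailing slash:
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
HOST_RE = re.compile(r"^(\S+) \((.*)\)$")

def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, state, proto, service, version), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." banner and footer lines carry no host data
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        ip, hostname = HOST_RE.match(fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for item in filter(None, fields.get("Ports", "").split(", ")):
            m = PORT_RE.match(item)
            if m is None:
                raise ValueError("malformed port entry: %r" % item)
            port, state, proto, _owner, service, _rpc, version = m.groups()
            entry["ports"].append((int(port), state, proto, service, version))
    return hosts

def open_ports(hosts):
    """Map ip -> sorted [(port, proto), ...] with state exactly 'open'; 'open|filtered' is not counted."""
    return {
        ip: sorted((p, proto) for p, state, proto, _s, _v in e["ports"] if state == "open")
        for ip, e in hosts.items()
    }

if __name__ == "__main__":
    for ip, ports in open_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        print(ip, ", ".join("%d/%s" % pp for pp in ports) or "no open ports")
```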

Examples
  Quick scan:           nmap -T4 -F
  Fast scan (port 80):  nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 --max_retries 0 -n -P0 -p80
  Ping scan:            nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4
  Slow comprehensive:   nmap -sS -sU -T4 -A -v -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 -PO --script all
  Quick traceroute:     nmap -sP -PE -PS22,25,80 -PA21,23,80,3389 -PU -PO --traceroute