nmap -sS 192.168.1.50
The original "stealth" (half-open) scan, and Nmap's default when it has raw-packet privileges. Send a TCP SYN. If the target responds with a SYN/ACK, the port is open; Nmap does not complete the handshake but sends a RST instead. A RST reply means closed; no reply (or an ICMP unreachable) means filtered. Because no connection is ever established, the probe is less likely to show up in application logs, but firewalls and IDS see and log it like any other SYN.
nmap -sA 192.168.1.0/24
Send a TCP ACK with no connection behind it. An ACK scan never reports a port as open: a RST reply (from an open or closed port alike) means "unfiltered," while no reply or an ICMP unreachable means "filtered." Used to map out firewall rulesets, determine which ports are filtered, and whether a firewall is stateful (a stateful firewall drops the unsolicited ACK; a stateless one lets it through).
nmap -sN 192.168.1.2-10
Send a TCP segment with no flags raised (a "NULL" scan). This is not a normal state for TCP, which always has at least one flag (usually ACK) raised. Used to sneak through a non-stateful firewall that only blocks SYNs. Per RFC 793, a closed port answers with a RST and an open port stays silent, so results come back as open|filtered, closed, or filtered. Stacks that send RST regardless of port state (Microsoft Windows and many Cisco devices, among others) make every port look closed.
nmap -sF www.company.tld
Send a TCP FIN with no connection behind it. Used to sneak through a non-stateful firewall. Interpreted the same way as the NULL scan (RST means closed, silence means open|filtered), with the same caveat about stacks that RST everything.
nmap -sX 192.168.1.0/24
Send a TCP segment with the FIN, PSH, and URG flags raised, thus lighting up the packet "like a Christmas tree." This is an illogical combination that no real connection produces. Used to sneak through a non-stateful firewall; interpreted like the NULL and FIN scans, and trivially spotted by any IDS that checks flag combinations.
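The five scan types above differ only in the six-bit flag field of the TCP header. The following is an added example (not Nmap's code) that builds each probe at the byte level with a valid checksum, models how an RFC 793 stack versus a Windows-style stack answers it, and labels each probe the way a scan detector does. The addresses and ports are made up.

```python
# Added example (not Nmap's code): build the TCP probes behind -sS, -sA, -sN,
# -sF and -sX at the byte level, model how a target stack answers them, and
# classify them the way a scan detector does. Addresses and ports are made up.
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag byte each scan type puts in its probe (from the descriptions above).
PROBES = {"-sS": SYN, "-sA": ACK, "-sN": 0, "-sF": FIN, "-sX": FIN | PSH | URG}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, segment):
    """The TCP checksum covers an IPv4 pseudo-header plus the segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return checksum(pseudo + segment)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024):
    """20-byte TCP header (no options) with the given flag byte and a valid checksum."""
    offset_flags = (5 << 12) | (flags & 0x3F)      # data offset = 5 words
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def tcp_flags(segment):
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def stack_response(flags, port_open, stack="rfc793"):
    """What the target sends back to a probe that belongs to no connection.
    stack="rfc793": closed port -> RST, open port ignores NULL/FIN/Xmas.
    stack="windows": RST to NULL/FIN/Xmas regardless of state (also true of
    many Cisco devices), which is why those scans show every port as closed."""
    if flags & SYN:
        return "SYN/ACK" if port_open else "RST"
    if flags & ACK or stack == "windows":
        return "RST"                       # ACK probe: RST either way (unfiltered)
    return None if port_open else "RST"    # NULL/FIN/Xmas: silence means open|filtered


def classify(segment):
    """Label a probe by its flag combination, as an IDS rule would."""
    f = tcp_flags(segment)
    if f == 0:
        return "NULL scan"
    if f == FIN:
        return "FIN scan"
    if f == FIN | PSH | URG:
        return "Xmas scan"
    if f & SYN and f & FIN:
        return "SYN+FIN (invalid)"
    if f == SYN:
        return "SYN (handshake start, indistinguishable from a real client)"
    if f & ACK:
        return "looks established"         # why -sA slips past stateless filters
    return "unusual"


if __name__ == "__main__":
    for opt, flags in PROBES.items():
        seg = build_tcp("192.168.1.10", "192.168.1.50", 40000, 80, flags)
        print(opt, classify(seg), "| open port ->", stack_response(flags, True),
              "| closed port ->", stack_response(flags, False))
```

Two things the run makes visible: a lone SYN cannot be told apart from a legitimate client by its flags, so SYN scans get detected by rate and spread rather than by signature, while NULL, FIN and Xmas probes are unambiguous signatures that only slip past filters which never look at the flag byte.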
nmap -Pn -p- 192.168.1.0/24
Skip host discovery (-Pn) and scan all 65,535 TCP ports (-p-) instead of the default top 1,000. Every address is treated as online, so Nmap port-scans hosts that would otherwise be skipped for not answering its discovery probes. Useful if targets have their firewall up and only offer services on unusual ports, at the cost of a much slower scan on a /24, since dead addresses get the full port sweep too.
-sI <zombie[:probeport]> <target>
nmap -Pn -p- -sI zombie.middle.tld www.company.tld
Conduct a blind TCP port scan (idle scan). No packets are sent directly from your attacker machine to the target. Uses a "zombie" (middle man) host to obtain information about open ports on the target: Nmap probes the zombie to read its IP ID counter, sends the target a SYN forged with the zombie's source address, then probes the zombie again. An open port makes the target send a SYN/ACK to the zombie, which answers with a RST and so advances its IP ID by one extra step; a closed or filtered port leaves the counter alone. The zombie must be idle and use a single, globally incrementing IP ID counter (Nmap checks this before scanning; many modern stacks randomize the IP ID or keep it zero), so you have to spend some time identifying a machine that can act as a zombie. Once you locate a good zombie, you can reuse it for more scans. The zombie host name comes right after -sI (it is that option's argument), and keep -Pn: without it, the host-discovery probes go straight from your machine to the target and give you away.
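The IP ID arithmetic behind the idle scan is easy to get wrong, so here is the whole exchange simulated end to end. This is an added example, not Nmap's implementation; the zombie, target, port states and starting IP ID are constructed for illustration, and the "noise" and "constant" modes model the two most common reasons a candidate zombie fails Nmap's suitability check.

```python
# Added example (not Nmap's code): the idle-scan decision logic, simulated end
# to end. The zombie, target and IP ID values are constructed for illustration.


class Zombie:
    """Third-party host. Every packet it sends consumes one IP ID.
    mode="incremental": global +1 counter, which is what -sI needs.
    mode="constant":    never changes (e.g. a stack that fixes IP ID at 0), useless.
    noise: packets it sends to other hosts between our probes (a busy zombie)."""

    def __init__(self, start_ipid, mode="incremental", noise=0):
        self.ipid = start_ipid
        self.mode = mode
        self.noise = noise

    def _send(self):
        if self.mode == "incremental":
            self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

    def probe(self):
        """Attacker -> zombie: SYN/ACK for a connection that does not exist.
        Zombie -> attacker: RST, whose IP ID field is the value we read."""
        for _ in range(self.noise):
            self._send()                # unrelated traffic also burns IP IDs
        return self._send()

    def receive(self, segment):
        """Traffic the target sends to the zombie, believing the zombie scanned it."""
        if segment == "SYN/ACK":
            self._send()                # unsolicited SYN/ACK -> zombie replies RST
        # a RST from the target is dropped silently: no packet, no IP ID used


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open = set(open_ports)
        self.filtered = set(filtered_ports)

    def receive_syn(self, port):
        """Reply to a SYN whose source address was forged as the zombie's."""
        if port in self.filtered:
            return None                 # firewall drops it, nobody hears anything
        return "SYN/ACK" if port in self.open else "RST"


def is_good_zombie(zombie, samples=6):
    """What Nmap checks before scanning: consecutive probes must return IP IDs
    that differ by exactly one."""
    ids = [zombie.probe() for _ in range(samples)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(zombie, target, port):
    """One port of an idle scan. The attacker never sends a packet to the
    target from its own address."""
    before = zombie.probe()                     # 1. read the zombie's IP ID
    reply = target.receive_syn(port)            # 2. SYN to target, source = zombie
    if reply is not None:
        zombie.receive(reply)                   #    target answers the zombie, not us
    after = zombie.probe()                      # 3. read the zombie's IP ID again
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"                           # zombie sent one extra RST
    if delta == 1:
        return "closed|filtered"                # only our own probe advanced it
    return "inconclusive"                       # zombie busy or not incremental


if __name__ == "__main__":
    zombie = Zombie(start_ipid=1000)
    target = Target(open_ports={80, 443}, filtered_ports={22})
    print("usable zombie:", is_good_zombie(zombie))
    for port in (22, 80, 8080):
        print(port, idle_scan_port(zombie, target, port))
    print("busy zombie:", idle_scan_port(Zombie(1000, noise=3), target, 80))
```

Note that a closed port and a filtered port produce the same delta of one, which is why Nmap reports them together as closed|filtered, and that any other traffic the zombie sends between the two probes turns the result into noise; the real scan repeats probes and uses statistics to cope, but a genuinely idle host is what makes it reliable.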
-b <username>:<password>@<FTP relay>:<port> <FTP target>
nmap -v -b username:password@ftp-relay.company.tld ftp-target-server.company.tld -Pn
Conduct an FTP bounce scan. Exploits the FTP PORT command, through which a client asks a "middle man" FTP server to open a data connection to an arbitrary host and port; the relay's success or error reply tells you whether that port on the target is open, and the target only ever sees the relay's address. Username and password default to anonymous if omitted. Because of widespread abuse, the FTP relay feature has been disabled by most vendors, so this mostly works only against old or misconfigured servers.
-T <0-5> (or -T paranoid|sneaky|polite|normal|aggressive|insane)
nmap 192.168.1.0/24 -T 2
Use timing templates to throttle the speed of your probes and make the scan less noticeable. Choose from T0 (slowest) to T5 (fastest). Nmap also accepts the names paranoid, sneaky, polite, normal, aggressive, and insane, respectively. T0 and T1 are best for IDS evasion but are VERY slow: they send probes one at a time, waiting 5 minutes (T0) or 15 seconds (T1) between them, so a full port scan takes days. T5 assumes a very fast, reliable network and trades accuracy for speed, so results may be incomplete. T4 is the recommended choice for a fast scan on a decent network that is still accurate. T3 is the default. A template only sets defaults; finer-grained options such as --scan-delay or --max-rate override it.
nmap -f 192.168.1.50
Split the IP packets of raw scans (including the ping probes) into 8-byte fragments so that a packet filter or IDS inspecting individual fragments cannot see the whole TCP header: with 8-byte fragments the ports land in the first fragment and the TCP flags in the second. -ff uses 16-byte fragments, and --mtu <size> picks any other size, which must be a multiple of 8. Only raw-packet scans can be fragmented (not -sT, which goes through the OS socket API), most modern firewalls and IDS reassemble fragments before inspecting them, and some sending kernels (Linux with the iptables connection tracking module loaded, for one) reassemble outgoing fragments before they ever leave the host.
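To make the fragment-offset rule and the "flags in the second fragment" effect concrete, here is an added example (not Nmap's code) that fragments a SYN probe the way -f and --mtu do, shows what a filter looking at single fragments can see, and reassembles the fragments the way a stateful firewall or IDS does before matching. Addresses and the IP ID are made up, and the TCP checksum is left at zero because the point is the IP layer.

```python
# Added example (not Nmap's code): fragment a raw TCP probe the way -f/--mtu
# does, show what a filter that inspects single fragments can and cannot see,
# and reassemble it the way a stateful firewall or IDS does. Addresses are made up.
import socket
import struct

IP_MF = 0x2000            # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, ident, offset_units=0, more=False):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      (IP_MF if more else 0) | offset_units, 64, socket.IPPROTO_TCP,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def is_valid_fragment_size(size):
    """Nmap's rule for --mtu: a positive multiple of 8, because the IP
    fragment offset field counts 8-byte units."""
    return size > 0 and size % 8 == 0


def fragment(src, dst, ident, tcp_segment, size=8):
    """Split one TCP segment into IP fragments of `size` payload bytes (8 = -f, 16 = -ff)."""
    if not is_valid_fragment_size(size):
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(tcp_segment), size):
        chunk = tcp_segment[off:off + size]
        more = off + size < len(tcp_segment)
        frags.append(ipv4_header(src, dst, len(chunk), ident, off // 8, more) + chunk)
    return frags


def fragment_fields(frag):
    """(IP ID, more-fragments flag, offset in 8-byte units) of one fragment."""
    ident, flags_frag = struct.unpack("!HH", frag[4:8])
    return ident, bool(flags_frag & IP_MF), flags_frag & IP_OFFSET_MASK


def flags_visible_to_stateless_filter(frag):
    """A filter that judges each fragment alone sees the TCP flags only if the
    first fragment is long enough to carry TCP header byte 13. None otherwise."""
    _, _, units = fragment_fields(frag)
    payload = frag[(frag[0] & 0x0F) * 4:]
    if units != 0 or len(payload) < 14:
        return None
    return payload[13] & 0x3F


def reassemble(frags):
    """Rebuild segments per IP ID; reject gaps, overlaps and a missing tail."""
    pieces = {}
    for frag in frags:
        ident, more, units = fragment_fields(frag)
        pieces.setdefault(ident, []).append((units * 8, more, frag[(frag[0] & 0x0F) * 4:]))
    result = {}
    for ident, parts in pieces.items():
        buf, expected, complete = b"", 0, False
        for offset, more, data in sorted(parts):
            if offset != expected:
                raise ValueError("gap or overlap at offset %d in id %d" % (offset, ident))
            buf += data
            expected += len(data)
            complete = not more
        if not complete:
            raise ValueError("last fragment of id %d missing" % ident)
        result[ident] = buf
    return result


def syn_segment(sport, dport):
    """Minimal 20-byte SYN header; TCP checksum left zero, this example is about IP."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 1024, 0, 0)


if __name__ == "__main__":
    syn = syn_segment(40000, 80)
    for size in (8, 16):
        frags = fragment("192.168.1.10", "192.168.1.50", 0x1234, syn, size)
        print(size, "byte fragments:", len(frags), "| flags visible in first:",
              flags_visible_to_stateless_filter(frags[0]),
              "| reassembled ok:", reassemble(frags)[0x1234] == syn)
```

With -f (8 bytes) the filter sees ports but no flags, with -ff (16 bytes) the flags are back in the first fragment, and anything that reassembles first sees the complete SYN either way; the rejection of gaps and overlaps in `reassemble` is also where evasion tricks that send overlapping fragments get caught by a careful inspector.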
-D <decoy1,decoy2,decoy3,...> <target>
nmap -D 192.168.1.10,192.168.1.15,192.168.1.30 192.168.1.50
Used to mask a port scan by using decoys. Creates bogus packets "from" the decoys so the actual attacker "blends in" with the crowd: the target sees the decoys and the actual attacker all scanning it. The decoys are one comma-separated argument with no spaces (separate words would be parsed as additional targets). In this example, 192.168.1.50 is the target. The other IPs are the decoys. ME in the list stands for your own address and controls where in the sequence it appears (put it sixth or later and some scan detectors will not report you at all); RND:<n> generates n random decoys. Decoys should be live hosts, or you may SYN-flood the target with replies it cannot deliver; they have no effect on connect scans (-sT) or version detection, and an ISP that filters spoofed source addresses will silently drop them.
nmap -e eth0 192.168.1.50
Specify the interface Nmap should send and receive on. Normally autodetected; needed on multi-homed hosts and whenever the source address is spoofed, because Nmap can no longer work out the route on its own.
-S <spoofed source address>
nmap -e eth0 -S www.google.com 192.168.1.50
Spoofs the source IP address of the scan packets. Expect no results back: the target responds to the fake address, not to you. Used to confuse an IDS or the target's administrator about who is scanning. Since Nmap cannot pick the interface from a spoofed address, -S is normally combined with -e, and with -Pn because host discovery would be answered to the spoofed address too; expect binding errors if the address cannot be used. Validate the spoof with a packet capture (Wireshark or tcpdump) on the target. This example makes it appear to target 192.168.1.50 that www.google.com is trying to scan it.
--spoof-mac <vendor name | MAC address | 0>
- nmap -sS -Pn --spoof-mac apple 192.168.1.50
- nmap -sS -Pn --spoof-mac B7:B1:F9:BC:D4:56 192.168.1.50
Use a bogus source hardware address (also known as Media Access Control or MAC address) in the Ethernet frames Nmap sends; implies --send-eth. You can specify a vendor name (a random address with that vendor's OUI prefix), an explicit MAC address, or 0 for a completely random one. The first example creates a random Apple hardware address. This only changes the frames on the local segment (nothing past the first router ever sees a MAC) and only applies to raw-packet scans; a connect scan (-sT) goes through the OS socket API and would send with the real hardware address, which is why the examples use -sS.
Note: Do not mistake "MAC" for Macintosh.
nmap --source-port 53 192.168.1.36
Use a specific source port number (spoof the source port) to fool packet filters configured to trust traffic from that port, such as rules that wave through DNS replies from port 53 or FTP data from port 20. Same as the -g <portnumber> option. Only raw-packet scans honor it; connect scans (-sT) and version detection let the OS pick an ephemeral port.
nmap --randomize-hosts 192.168.1.1-100
Randomize the order of the hosts being scanned (Nmap shuffles each group of up to 16,384 targets), so a sweep is less obvious to a network monitor than a neat walk up the subnet. Port order within a host is already randomized unless -r is given.
--proxies <proxy URL,proxy URL,...>
nmap --proxies http://192.168.1.30:8080,http://192.168.1.90:8008 192.168.1.50
Relay TCP connections through a chain of one or more HTTP or SOCKS4 proxies, each given as a URL (http://host:port or socks4://host:port). Especially useful on the Internet, where it keeps your address off the target. This example sends the proxied connections against target 192.168.1.50 through two proxies, 192.168.1.30 and 192.168.1.90. The option is implemented in Nmap's connection library, so only NSE scripts and version detection (-sV, -sC, --script) go through the chain; the ping, port-scan, and OS-detection phases still talk to the target directly from your machine, so add -Pn and rely on script-based checks if the goal is to stay hidden.