Nmap
Complete Nmap flag reference, grouped by function.
Target Specification
-iL — Read targets from a file.
-iR — Pick random targets.
--exclude — Exclude hosts / networks.
--excludefile — Exclude a list from a file.
Host Discovery
-sL — List scan: just list targets.
-sn — Ping scan: skip port scan.
-Pn — Skip host discovery (treat all hosts as online).
-PS / -PA / -PU / -PY — TCP SYN/ACK, UDP or SCTP discovery.
-PE / -PP / -PM — ICMP echo, timestamp, netmask probes.
-PO[protocol list] — IP protocol ping.
-n / -R — Never / always resolve DNS.
--dns-servers — Use custom DNS servers.
--system-dns — Use the OS DNS resolver.
--traceroute — Trace the hop path per host.
Scan Techniques
-sS / -sT / -sA / -sW / -sM — TCP SYN/Connect/ACK/Window/Maimon.
-sU — UDP scan.
-sN / -sF / -sX — TCP Null, FIN and Xmas scans.
--scanflags — Customize TCP scan flags.
-sI — Idle (zombie) scan.
-sY / -sZ — SCTP INIT / COOKIE-ECHO scans.
-sO — IP protocol scan.
-b — FTP bounce scan.
Port Specification & Scan Order
-p — Scan only these ports.
--exclude-ports — Exclude these ports.
-F — Fast mode (fewer ports).
-r — Scan ports sequentially (no randomization).
--top-ports — Scan the N most common ports.
--port-ratio — Scan ports above a frequency ratio.
Service/Version Detection
-sV — Detect service / version on open ports.
--version-intensity — Probe intensity 0–9.
--version-light — Lightweight probing (intensity 2).
--version-all — Try every probe (intensity 9).
--version-trace — Verbose version-scan activity.
OS Detection
-O — Enable OS detection.
--osscan-limit — Limit to promising targets.
--osscan-guess — Guess OS more aggressively.
Timing & Performance
-T<0-5> — Timing template (higher = faster).
--min-hostgroup / --max-hostgroup — Parallel host group sizes.
--min-parallelism / --max-parallelism — Probe parallelization.
--min-rtt-timeout / --max-rtt-timeout / --initial-rtt-timeout — Probe round-trip timing.
--max-retries — Cap probe retransmissions.
--host-timeout — Give up on a target after this.
--scan-delay / --max-scan-delay — Delay between probes.
--min-rate — Send no slower than N/sec.
--max-rate — Send no faster than N/sec.
Firewall/IDS Evasion & Spoofing
-f ; --mtu — Fragment packets (optional MTU).
-D — Cloak the scan with decoys.
-S — Spoof the source address.
-e — Use a specific interface.
-g / --source-port — Use a fixed source port.
--proxies — Relay via HTTP / SOCKS4 proxies.
--data — Append a hex payload.
--data-string — Append an ASCII string.
--data-length — Append random data.
--ip-options — Set custom IP options.
--ttl — Set the IP TTL field.
--spoof-mac — Spoof the MAC address.
--badsum — Send a bogus checksum.
Output
-oN / -oX / -oS / -oG — Normal / XML / script-kiddie / grepable output.
-oA — Output all three major formats.
-v — Increase verbosity (-vv for more).
-d — Increase debugging (-dd for more).
--reason — Show why a port is in its state.
--open — Only show open ports.
--packet-trace — Show all packets sent / received.
--iflist — Show host interfaces & routes.
--append-output — Append instead of overwriting.
--resume — Resume an aborted scan.
--noninteractive — Disable runtime keyboard input.
--stylesheet — XSL stylesheet for XML→HTML.
--webxml — Use Nmap.Org's stylesheet.
--no-stylesheet — No XSL stylesheet in XML.
Script Scan (NSE)
-sC — Same as --script=default.
--script= — Run scripts / categories / dirs.
--script-args= — Pass script arguments.
--script-args-file=filename — Script args from a file.
--script-trace — Show all script I/O.
--script-updatedb — Update the script database.
--script-help= — Show help for scripts.
Misc
-6 — Enable IPv6 scanning.
-A — OS, version, scripts & traceroute.
--datadir — Custom data-file location.
--send-eth / --send-ip — Send raw ethernet or IP packets.
--privileged — Assume full privileges.
--unprivileged — Assume no raw-socket privileges.
-V — Print version number.
-h — Print help summary.
Compiled from the “Nmap” chart by Hacking Articles (Ignite Technologies); descriptions condensed.