Basic Nmap Flags

| Flag | What Does it Do? | Purpose | Notes |
|---|---|---|---|
| | Service Versioning | Host Discovery | |
| | Service and OS Versioning | Host Discovery | |
| | Add Verbosity | Quality of Life | You 'can' add extra verbosity with -vv, but I find that to be useless |
| | Specify Port(s) | Host Discovery | |
| | Read Targets from List | Quality of Life | |
| | Output Results to a File (.txt, .xml) | Quality of Life | I always output to .xml so you can upload to Zenmap or Legion |
| | Only Display Open Ports | Quality of Life | |
| | Load an NSE Script | Host Discovery, Quality of Life, Vulnerability Analysis | |
| | Specify a UDP Port Scan | Host Discovery | |
| | Enable IPv6 Scanning | Host Discovery | |
| | Set Speed | Obfuscation | You likely do not need to go slower than T2, and should never go faster than T4. |
| | Fragment the Packets: the idea is to split the TCP packet up over several tiny fragmented packets | Obfuscation | Does not work with Windows, NSE scripts, or service versioning |
| | Scan the Target Range in a Random Order | Obfuscation | No good reason not to use this one |
| | Append Bytes of Random Data on Each Packet | Obfuscation | A typical TCP packet is 40 bytes; I find appending 5 bytes (12.5% variance) is a good amount |
| | Disable ICMP Ping | Obfuscation | A lot of networks block ICMP |
| | Disable ARP Ping | Obfuscation | |
| | Ignore RST Responses from the Host | Obfuscation | |
| | Specifies a Time for the Scan to Move On | Obfuscation | |
| | Specifies How Many Times a Host Should Be Attempted Before Moving On | Obfuscation | |
| | Adds a Delay Between Hosts Scanned | Obfuscation | 1075ms seems to work well and is plenty of delay |
| | Excludes Specific Port(s) From the Scan | Obfuscation | |