# Nmap Cheat Sheet ## Scanning Options

Nmap Option	Description
`-sn`	Disables port scanning
`-Pn`	Disables ICMP Echo requests
`-n`	Disabled DNS resolution
`-PE`	performs the pings scan by using ICMP echo requests
`--packet-trace`	shows all packets sent and received
`--reason`	display the reason for a specific result
`--disable-arp-ping`	disables ARP Ping request
`--top-ports=<int>`	scans the specified number of top ports
`-p-`	scan all ports
`-p22-110`	scan all ports between 22 and 110
`-p22,110`	scan only ports 22 and 110
`-F`	scan top 100 ports
`-sS`	perform TCP SYN-Scan
`-sA`	perform TCP ACK-Scan
`-sU`	perform UDP scan
`-sV`	scans the discovered services for their versions
`-sC`	perform a script scan with scripts that are categorized as "default"
`--script <script>`	performs a script scan by using the specified scripts
`-O`	perform an OS detection scan
`-A`	performs OS detection, service detection, and traceroute scans
`-D RND:5`	sets the number of random decoys that will be used to scan the target
`-e`	specifies the network interface that is used for the scan
`-S 10.10.10.200`	specifies the source IP address for the scan
`-g`	specifies the source port for the scan
`--dns-server`	DNS resolution is performed by using a specified name server

## Output Options

Nmap Option	Description
`-oA filename`	Stores the results in all available formats starting with the name of "filename"
`-oN filename`	Stores the results in normal format with the name "filename"
`-oG filename`	Stores the results in "grepable" format with the name of "filename"
`-oX filename`	Stores the results in XML format with the name of "filename"

**Convert XML file to HTML:** `xsltproc target.xml -o target.html` ## Performance Options | Nmap Option | Description | | ---------------------------- | ----------------------------------------------------------- | | `--max-retries ` | Sets the number of retries for scans of specific ports | | `--stats-every=5s` | Displays scan's status every 5 seconds | | `-v/-vv` | Displays verbose output during the scan | | `--initial-rtt-timeout 50ms` | Sets the specified time value as initial RTT timeout | | `--max-rtt-timeout 100ms` | Sets the specified time value as maximum RTT timeout | | `--min-rate 300` | Sets the number of packets that will be sent simultaneously | | `-T <0-5>` | Specifies the specific timing template | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.drngd0tter.red/cheat-sheets/nmap-cheat-sheet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.