Scan Types
SYN Scan
Fast, stealthy scan
TCP Connect
Full TCP connection
ACK Scan
ACK flag probe scan
FIN Scan
FIN flag set only
XMAS Scan
FIN, PSH, URG flags
Maimon Scan
FIN/ACK probe
Zombie scan
Abuse third-party hosts.
IP Protocol
IP protocol scan
Port Selection
All Ports
Scan all 65535 ports
Top 1000
Most common ports
Common Services
SSH, HTTP, HTTPS, RDP
Extended Common
More services
Mixed TCP/UDP
Common for both
Fast Scan
100 most common
Exclude ports
Exclude scanning certain ports.
Host Discovery
No Ping
Skip host discovery
ARP Scan
Local network only
TCP SYN Ping
To common ports
TCP ACK Ping
May bypass firewalls
ICMP Timestamp
Timestamp request
ICMP Netmask
Address mask request
Timing & Performance
Paranoid
Very slow, stealthy
Insane
Fastest, inaccurate
Custom Timing
Minimum packet rate
Increase the packets/sec that get sent.
Maximum packet rate
Limit the packets/sec that get sent.
Increase hostgroups
Increase the minimum number of concurrent hosts scanned.
Limit hostgroups
Limit the number of concurrent hosts scanned.
Minimum parallelism
Speed up scanning (min limit)
Maximum parallelism
Speed up scanning (max limit)
Host timeout
Set a timeout for hosts that don't respond.
Output Format
Normal Output
Human readable
Grepable Output
Easy to parse
XML Output
Structured data
All Formats
Save in all formats
Very Verbose
Even more info
Show Reason
Port state reasons
Open Ports Only
Skip closed ports
Service Detection
Version Detection
Identify services
Light Version
Fast service detection
Aggressive Version
Thorough but slow
All Version Tests
Try every probe
Trace Version
Show detection details
All Ports
Don't exclude any ports
OS Detection
OS Detection
Identify operating system
Aggressive OS
Guess OS aggressively
Limit OS Scan
Only promising targets
Aggressive Scan
OS, version, scripts
Script Scanning
Default Scripts
Safe scripts
Default Scripts
Equivalent to -sC
Vulnerability Scan
Find vulnerabilities
Safe Scripts
Non-intrusive only
Auth Scripts
Authentication checks
Discovery
Network discovery
Version Scripts
Better service detection
Exploit Scripts
Attempt exploitation
SSL Ciphers
Check SSL/TLS
HTTP Enum
Enumerate web files
SMB OS Discovery
Windows system info
Banner Grabbing
Get service banners
Advanced Options
Privileged
Assume root/admin
Send Ethernet
Use raw Ethernet
Data length
Add random data
Bad Checksum
Send invalid checksums
Traceroute
Trace path to host
System DNS
Use system resolver
Firewall/IDS Evasion
Fragment Packets
Split IP packets
Custom MTU
Fragment at given size
Spoof Source IP
Fake source address
Spoof MAC
Fake MAC address
Use Proxy
HTTP/SOCKS4 proxy
Decoy Scan
Hide among decoys
Source Port
Appear as specific traffic
Random Order
Shuffle target order