diff --git a/docs/refguide.xml b/docs/refguide.xml index 6c2baa535..9fddad865 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -395,22 +395,23 @@ you would expect. scanning, OS detection, or ping scanning cannot be combined with this. If you wish to disable ping scanning while still performing such higher level functionality, read up on the - option. + (skip ping) option. - (Ping Scan) + (Skip port scan) ping scan + port scandisabling with - This option tells Nmap to only perform a ping scan - (host discovery), then print out the available hosts that - responded to the scan. Traceroute and NSE host scripts are - also run if requested, but no further testing (such as port - scanning or OS detection) is performed. This is by default + This option tells Nmap not to do a port scan after host + discovery, and only print out the available hosts that + responded to the scan. This is often known as a ping + scan, but you can also request that traceroute and + NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much @@ -469,7 +470,11 @@ you would expect. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target - IP is active. For machines on a local ethernet network, ARP + IP is active. To skip ping scan and port + scan, while still allowing NSE to run, use the two options + together. + + For machines on a local ethernet network, ARP scanning will still be performed (unless is specified) because Nmap needs MAC addresses to further scan target hosts. This option flag used to be (uses zero), but was renamed to avoid confusion with protocol ping's (uses the letter O) flag. diff --git a/docs/scripting.xml b/docs/scripting.xml index 3febac7eb..bc4e3292b 100644 --- a/docs/scripting.xml 
+++ b/docs/scripting.xml @@ -194,6 +194,22 @@ Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds are generally only used for script debugging and development. Script scanning is also included as part of the (aggressive scan) option. + + Script scanning is normally done in combination with a port scan, + because scripts may be run or not run depending on the port states + found by the scan. With the option it is + possible to run a script scan without a port scan, only host + discovery. In this case only host scripts will be eligible to run. + To run a script scan with neither a host discovery nor a port scan, + use the options together with + or . Every host will + be assumed up and still only host scripts will be run. This + technique is useful for scripts like + whois.nsewhois.nse + that only use the remote system's address and don't require it to be + up. + + Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run @@ -766,6 +782,21 @@ local username = nmap.registry.args.user scripts. + + nmap -sP -sC example.com + + A script scan without a port scan; only host scripts are + eligible to run. + + + + nmap -PN -sP -sC example.com + + A script scan without host discovery or a port scan. All + hosts are assumed up and only host scripts are eligible to + run. + + example of nmap --script smb-os-discovery --script-trace example.com
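Review bot: in the first docs/refguide.xml hunk (the renamed "Skip port scan" entry), the rewritten paragraph loses the removed text's explicit statement that no port scanning or OS detection is performed, and the new wording "only print out the available hosts that responded to the scan" followed by "you can also request that traceroute and NSE host scripts be run" reads as self-contradictory. Suggest keeping one sentence of the old description, e.g. "no port scanning or OS detection is performed", so the reader still knows what the option switches off and what can still be requested on top of it.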
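Review bot: in the second docs/refguide.xml hunk, the added sentence "To skip ping scan and port scan, while still allowing NSE to run, use the two options together" does not name the two options; only the skip-ping option is under discussion in this paragraph. Name both (the skip-ping and skip-port-scan options, i.e. the -PN -sP pairing used in the docs/scripting.xml example) and repeat the caveat that the scripting.xml hunk states, that only host scripts are eligible in that mode, otherwise a reader of this section will expect port scripts to run as well. Splitting the ARP sentence into its own paragraph is fine; that sentence already covers the fact that skipping ping on a local ethernet segment is not traffic-free.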
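Review bot: in the first docs/scripting.xml hunk, "With the -sP option it is possible to run a script scan without a port scan" can be read as if -sP by itself triggers scripts; state that -sC or --script is still required, as the examples added in the later hunk show. The paragraph should also say what the -PN -sP combination costs: every address in the target list is treated as up, so any host script that contacts the target itself (unlike whois.nse, which only asks an external service about the address) will send traffic to, and wait on, every listed address, including ones that are down; a sentence advising a tight target list in that mode would help.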
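Review bot: in the second docs/scripting.xml hunk, both new examples use -sC, but the default script set is mostly port-rule scripts, so with no port scan these commands will typically produce no script output and will not demonstrate the feature they illustrate. Suggest pairing them with a host script instead, e.g. "nmap -sP --script whois.nse example.com" and "nmap -PN -sP --script whois.nse example.com" (suggested commands, mirroring the whois.nse mention in the earlier hunk); the descriptions can stay as written. Also, "All hosts are assumed up" in the second description sits under a single-hostname example; either "the host is assumed up" or a range target would read more naturally.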