diff --git a/docs/refguide.xml b/docs/refguide.xml
index 90f2d0b0f..b3b2b68ed 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -98,29 +98,35 @@
# nmap -A -T4 scanme.nmap.org
-Starting Nmap ( http://nmap.org )
-Interesting ports on scanme.nmap.org (64.13.134.52):
-Not shown: 994 filtered ports
-PORT STATE SERVICE VERSION
-22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
-25/tcp closed smtp
-53/tcp open domain ISC BIND 9.3.4
-70/tcp closed gopher
-80/tcp open http Apache httpd 2.2.2 ((Fedora))
-|_ HTML title: Go ahead and ScanMe!
-113/tcp closed auth
+Nmap scan report for scanme.nmap.org (64.13.134.52)
+Host is up (0.045s latency).
+Not shown: 993 filtered ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
+| ssh-hostkey: 1024 60:ac:4d:51:b1:cd:85:09:12:16:92:76:1d:5d:27:6e (DSA)
+|_2048 2c:22:75:60:4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
+25/tcp closed smtp
+53/tcp open domain
+70/tcp closed gopher
+80/tcp open http Apache httpd 2.2.3 ((CentOS))
+|_html-title: Go ahead and ScanMe!
+| http-methods: Potentially risky methods: TRACE
+|_See http://nmap.org/nsedoc/scripts/http-methods.html
+113/tcp closed auth
+31337/tcp closed Elite
Device type: general purpose
Running: Linux 2.6.X
-OS details: Linux 2.6.20-1 (Fedora Core 5)
+OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18
+Network Distance: 13 hops
TRACEROUTE (using port 80/tcp)
-HOP RTT ADDRESS
-[Cut first seven hops for brevity]
-8 10.59 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
-9 11.00 metro0.sv.svcolo.com (208.185.168.173)
-10 9.93 scanme.nmap.org (64.13.134.52)
+HOP RTT ADDRESS
+[Cut first 10 hops for brevity]
+11 80.33 ms layer42.car2.sanjose2.level3.net (4.59.4.78)
+12 137.52 ms xe6-2.core1.svk.layer42.net (69.36.239.221)
+13 44.15 ms scanme.nmap.org (64.13.134.52)
-Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds
+Nmap done: 1 IP address (1 host up) scanned in 22.19 seconds
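Review bot: the `53/tcp open domain` line lost its version column (the old output had `ISC BIND 9.3.4`), which weakens an example whose purpose is to show what `-A` adds on top of a plain port scan; if this is verbatim output keep it, otherwise capture a run where BIND identifies itself. The rest of the replacement is internally consistent: seven ports listed plus "Not shown: 993 filtered ports" is the default 1,000, "Network Distance: 13 hops" matches the last traceroute hop, and the renamed `html-title` script output and the added `ssh-hostkey` fingerprints match current NSE naming.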
@@ -161,24 +167,27 @@ manual. Some obscure options aren't even included here.
option argument) is treated as a target host specification. The
simplest case is to specify a target IP address or hostname for scanning.
-Sometimes you wish to scan a whole network of adjacent hosts.
-For this, Nmap supports
-CIDR-styleCIDR (Classless Inter-Domain Routing)
-addressing. You can append
-/numbits to an IPv4 address or hostname and
-Nmap will scan every IP address for which the first
-numbits are the same as for the reference
-IP or hostname given. For example, 192.168.10.0/24 would scan the 256
-hosts between 192.168.10.0 (binary: 11000000 10101000
-00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000
-00001010 11111111), inclusive.
-192.168.10.40/24 would scan exactly the same targets. Given that the host
-scanme.nmap.orgscanme.nmap.org
+Sometimes you wish to scan a whole network of adjacent hosts. For
+this, Nmap supports CIDR-styleCIDR (Classless
+Inter-Domain Routing) addressing. You can append
+/numbits to an IPv4
+address or hostname and Nmap will scan every IP address for which the
+first numbits are the same as for the
+reference IP or hostname given. For example,
+192.168.10.0/24 would would scan the 256 hosts
+between 192.168.10.0
+(binary: 11000000 10101000 00001010 00000000)
+and 192.168.10.255
+(binary: 11000000 10101000 00001010 11111111),
+inclusive. 192.168.10.40/24 would scan exactly the same targets. Given
+that the host
+scanme.nmap.orgscanme.nmap.org
is at the IP address 64.13.134.52, the specification
-scanme.nmap.org/16 would scan the 65,536 IP addresses between
-64.13.0.0 and 64.13.255.255. The smallest allowed value is /0,
-which scans the whole Internet. The largest value is /32, which scans
-just the named host or IP address because all address bits are fixed.
+scanme.nmap.org/16 would scan the 65,536 IP addresses
+between 64.13.0.0 and 64.13.255.255. The smallest allowed value is
+/0, which targets the whole Internet. The largest
+value is /32, which scans just the named host or IP
+address because all address bits are fixed.address rangesCIDR notation is short but not always flexible enough. For example, you
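Review bot: duplicated word in the new text, "192.168.10.0/24 would would scan the 256 hosts"; drop one "would". The rewording of /0 from "scans the whole Internet" to "targets the whole Internet" is an improvement, since the value describes the target space rather than a scan Nmap will actually finish.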
@@ -186,15 +195,16 @@ might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or
.255 because they may be used as subnet network and broadcast addresses. Nmap supports
this through octet range addressing. Rather than specify a normal IP
address, you can specify a comma-separated list of numbers or ranges
-for each octet. For example, 192.168.0-255.1-254 will skip all
-addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will
+for each octet. For example, 192.168.0-255.1-254 will skip all
+addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will
scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and
192.168.7.1. Either side of a range may be omitted; the default values
are 0 on the left and 255 on the right. Using - by
-itself is the same as 0-255, but remember to use 0- in the first octet
+itself is the same as 0-255, but remember to use
+0- in the first octet
so the target specification doesn't look like a command-line option.
Ranges need not be limited to the final octets: the specifier
-0-255.0-255.13.37 will perform an Internet-wide scan for all IP
+0-255.0-255.13.37 will perform an Internet-wide scan for all IP
addresses ending in 13.37. This sort of broad sampling can be useful
for Internet surveys and research.
@@ -257,10 +267,7 @@ you would expect.
their networks and may complain. Use this option at your
own risk! If you find yourself really bored one rainy
afternoon, try the command
- nmap -sS -PS80 -iR 0 -p 80
- example of
- example of
- example of
+ nmap -Pn -sS -p 80 -iR 0 --openexample ofexample ofexample ofexample of
to locate random web servers for browsing.
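Review bot: replacing `-PS80` with `-Pn` changes behaviour and the prose around the command does not say so. With `-Pn` no host-discovery probe is sent and every random address goes straight to the `-p 80 -sS` port scan, and `--open` hides the closed and filtered results; the SYN ping to port 80 was redundant with a SYN scan of port 80, so the new form is cheaper, but a half sentence noting that the port scan now doubles as discovery would make the example self-explanatory. The "example of" index residue on the same line suggests the indexterm markup was collapsed onto the command line; check that it still renders outside the `<option>`/`<screen>` element.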
@@ -292,7 +299,7 @@ you would expect.
This offers the same functionality as the
option, except that the excluded targets are provided in a
- newline, space, or tab delimited
+ newline-, space-, or tab-delimited
exclude_file rather than on the
command line.The exclude file may contain comments that start with
@@ -473,7 +480,7 @@ you would expect.
host discovery with causes Nmap to
attempt the requested scanning functions against
every target IP address specified. So
- if a class B sized target address space (/16) is specified
+ if a class B target address space (/16) is specified
on the command line, all 65,536 IP addresses are scanned.
Proper host discovery is skipped as with the list scan, but
instead of stopping and printing the target list, Nmap
@@ -504,10 +511,8 @@ you would expect.
This option sends an empty TCP packet with the SYN
flag set. The default destination port is 80 (configurable
- at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC
- DEFAULT_TCP_PROBE_PORT_SPEC
- in nmap.h).
- nmap.h
+ at compile time by changing DEFAULT_TCP_PROBE_PORT_SPECDEFAULT_TCP_PROBE_PORT_SPEC
+ in nmap.h).nmap.h
Alternate ports can be
specified as a parameter. The syntax is the same as for the
except that port type specifiers like
@@ -638,7 +643,9 @@ you would expect.The port list
takes the same format as with the previously discussed
and options. If
- no ports are specified, the default is 40125. This default
+ no ports are specified, the default is
+ 40125.UDP scandefault port of
+ This default
can be configured at compile-time by changing
DEFAULT_UDP_PROBE_PORT_SPECDEFAULT_UDP_PROBE_PORT_SPEC
in nmap.h.nmap.h
@@ -680,10 +687,8 @@ you would expect.This option sends an SCTP packet containing a minimal
INIT chunk. The default destination port is 80 (configurable
at compile time by changing
- DEFAULT_SCTP_PROBE_PORT_SPEC
- DEFAULT_SCTP_PROBE_PORT_SPEC
- in nmap.h).
- nmap.h
+ DEFAULT_SCTP_PROBE_PORT_SPECDEFAULT_SCTP_PROBE_PORT_SPEC
+ in nmap.h).nmap.h
Alternate ports can be specified as a parameter. The syntax
is the same as for the
except that port type specifiers like
@@ -749,7 +754,8 @@ you would expect.
firewalls now block these packets, rather than responding as
required by RFC
- 1122. For this reason, ICMP-only scans are rarely
+ 1122.RFC 1122
+ For this reason, ICMP-only scans are rarely
reliable enough against unknown targets over the Internet.
But for system administrators monitoring an internal
network, they can be a practical and efficient approach.
@@ -789,7 +795,7 @@ you would expect.
- The newest host discovery option is the IP protocol ping,
+ One of the newer host discovery options is the IP protocol ping,
which sends IP packets with the specified protocol number
set in their IP header. The protocol list
takes the same format as do port lists in the
@@ -867,7 +873,7 @@ Traceroutes are performed post-scan using information from the scan results to d
-Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches zero. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts. On average Nmap sends 5–10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) Nmap may only have to send a single packet to most hosts.
+Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches zero. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts. On average Nmap sends 5–10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) Nmap may only have to send two packets to most hosts.
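Review bot: the only change is a factual correction ("a single packet" becomes "two packets") with no reason given; a short clause on why two probes are the floor for a host on an already-traced subnet would stop the next reader from "fixing" it back. In the same sentence, "i.e. 192.168.0.0/24" should be "e.g. 192.168.0.0/24", since the /24 is an example of a single subnet, not a definition of one.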
@@ -963,8 +969,8 @@ Traceroute works by sending packets with a low TTL (time-to-live) in an attempt
While Nmap has grown in functionality over the years,
it began as an efficient port scanner, and that remains its
core function. The simple command nmap
- target scans more than
- 1660 TCP ports on the host
+ target scans
+ 1,000 TCP ports on the host
target. While many port scanners
have traditionally lumped all ports into the open or closed
states, Nmap is much more granular. It divides ports into
@@ -1416,7 +1422,7 @@ really has no open ports. If most scanned ports are
closed but a few common port numbers (such as 22,
25, 53) are filtered, the system is most likely
susceptible. Occasionally, systems will even show the exact opposite
-behavior. If your scan shows 1000 open ports and three closed or filtered
+behavior. If your scan shows 1,000 open ports and three closed or filtered
ports, then those three may very well be the truly open ones.
@@ -1647,9 +1653,11 @@ well, in which case the default FTP port (21) on
This vulnerability was widespread in 1997 when Nmap was
released, but has largely been fixed. Vulnerable servers are still
around, so it is worth trying when all else fails. If bypassing a
-firewall is your goal, scan the target network for open port 21 (or
+firewall is your goal, scan the target network for port 21 (or
even for any FTP services if you scan all ports with version
-detection), then try a bounce scan using each. Nmap will tell you
+detection) and use the
+ftp-bounceftp-bounce script
+NSE script. Nmap will tell you
whether the host is vulnerable or not. If you are just trying to
cover your tracks, you don't need to (and, in fact, shouldn't) limit
yourself to hosts on the target network. Before you go scanning
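Review bot: dropping "open" from "scan the target network for open port 21" loses the point of the sentence; a bounce attempt is only meaningful against hosts where 21 is open, and that is the set the `ftp-bounce` script is run against, so keep "scan the target network for open port 21 (or even for any FTP services ...)". Pointing readers at the NSE script instead of a manual `-b` attempt per server is the right change, since the script reports the vulnerable/not vulnerable result the next sentence promises.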
@@ -1712,7 +1720,8 @@ way.
Ports can also be specified by name according to what the
port is referred to in the nmap-services. You
- can even use the wildcards * and ? with the names. For example, to scan
+ can even use the wildcards * and
+ ? with the names. For example, to scan
FTP and all ports whose names begin with http, use .
Be careful about shell expansions and quote the argument to if unsure.
@@ -1767,21 +1776,25 @@ way.
-
+
--port-ratio
- Scans all ports in nmap-services file with a ratio greater than the number specified as the argument.
+ Scans all ports in nmap-services file
+ with a ratio greater than the one given.
+ ratio must be between 0.0 and 1.1.
-
+
--top-ports
- Scans the N highest-ratio ports found in nmap-services file.
+ Scans the n highest-ratio ports
+ found in nmap-services file.
+ n must be 1 or greater.
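Review bot: "ratio must be between 0.0 and 1.1" looks like a typo for 1.0. The frequency in nmap-services is the fraction of scans on which the port was found open, so no entry can exceed 1.0 and a bound of 1.1 admits nothing extra; if 1.1 really is what the argument parser enforces, say so explicitly, otherwise write 1.0. Both entries also want an article: "in the nmap-services file".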
@@ -1862,8 +1875,8 @@ way.
a URL for you to submit if to if you know for sure what is running
on the port. Please take a couple minutes to make the submission
so that your find can benefit everyone. Thanks to these
- submissions, Nmap has about 3,000 pattern matches for more than
- 350 protocols such as SMTP, FTP, HTTP, etc.submission of service fingerprints
+ submissions, Nmap has about 6,500 pattern matches for more than
+ 650 protocols such as SMTP, FTP, HTTP, etc.submission of service fingerprintsVersion detection is enabled and controlled with the
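Review bot: the unchanged context line at the top of this hunk still reads "a URL for you to submit if to if you know for sure", a pre-existing typo for "a URL for you to submit to if you know for sure"; since the paragraph is being touched anyway, fix it in the same commit. The updated counts (about 6,500 matches, more than 650 protocols) are fine as long as they were taken from the current nmap-service-probes rather than estimated.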
@@ -1920,15 +1933,13 @@ way.When performing a version scan (), Nmap sends a
series of probes, each of which is assigned a rarity value
between one and nine. The lower-numbered probes are effective
- against a wide variety of common services, while the higher
- numbered ones are rarely useful. The intensity level
+ against a wide variety of common services, while the higher-numbered
+ ones are rarely useful. The intensity level
specifies which probes should be applied. The higher the
number, the more likely it is the service will be correctly
identified. However, high intensity scans take longer. The
- intensity must be between 0 and 9.
- version detectionintensity
- The default is 7.
- version detectiondefault intensity
+ intensity must be between 0 and 9.version detectionintensity
+ The default is 7.version detectiondefault intensity
When a probe is registered to the target port via the
nmap-service-probesports directive, that probe is tried
regardless of intensity level. This ensures that the DNS
@@ -2018,7 +2029,7 @@ way.
ISN sampling, TCP options support and ordering, IP ID sampling, and
the initial window size check, Nmap compares the results to its
nmap-os-dbnmap-os-db
- database of more than a thousand known
+ database of more than 2,600 known
OS fingerprints and prints out the OS details if there is a match.
Each fingerprint includes a freeform textual description of the
OS, and a classification which provides the vendor name
@@ -2175,7 +2186,19 @@ way.
To reflect those different uses and to simplify the choice of which
scripts to run, each script contains a field associating it with one or more categories. Currently defined categories are
-safe, intrusive, malware, version, discovery, vuln, auth, and default. These are all described
+ auth,
+ default.
+ discovery,
+ dos,
+ exploit,
+ external,
+ fuzzer,
+ intrusive,
+ malware,
+ safe,
+ version, and
+ vuln,
+ These are all described
at .in .
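Review bot: punctuation in the new category list: "default." should be "default," and the closing "vuln," should be "vuln." so the sentence ends before "These are all described". Sorting the list alphabetically is good; also confirm that the section this sentence points to describes all twelve categories, since dos, exploit, external and fuzzer are new to this list.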
@@ -2336,7 +2359,7 @@ which lists the category or categories in which each script belongs.
-
+ script arguments
@@ -2355,8 +2378,13 @@ escapes a quote. A backslash is only used to escape quotation marks in this
special case; in all other cases a backslash is interpreted literally. Values
may also be tables enclosed in {}, just as in Lua. A table
may contain simple string values or more name-value pairs, including nested
-tables. An example of script arguments:
-.
+tables. A complex example of script arguments is
+
+example of
+
+--script-args 'user=foo,pass=",{}=bar",whois={whodb=nofollow+ripe},userdb=custom'
+
+
The online NSE Documentation Portal at
lists the arguments that each script accepts.
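Review bot: the added `--script-args` example covers the quoted value with a comma and braces inside it (`pass=",{}=bar"`) and a nested table (`whois={whodb=nofollow+ripe}`), but not the backslash-escaped-quote rule the paragraph above just explained. Either include a value containing an escaped quote or say the example shows only the quoting and table cases; as written a reader may assume the backslash rule is exercised somewhere in it.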
@@ -2512,7 +2540,7 @@ and rise to several hundred in perfect conditions.
speed up scans of poorly performing hosts or networks. This is a
risky option to play with, as setting it too high may affect accuracy.
Setting this also reduces Nmap's ability to control parallelism
-dynamically based on network conditions. A value of ten might be
+dynamically based on network conditions. A value of 10 might be
reasonable, though I only adjust this value as a last resort.
The option is sometimes set to one
@@ -3448,7 +3476,7 @@ as %H%M%S, %R is the same as
%m%d%y. A % followed by any other
character just yields that character (%% gives you a
percent symbol). So will use an XML
-file in the form of scan-144840-121307.xml.
+file with a name in the form of scan-144840-121307.xml.
Nmap also offers options to control scan verbosity and to append
to output files rather than clobbering them. All of these options are
@@ -3462,7 +3490,7 @@ described below.normal output
- Requests that normal output be
+ Requests that normal output be
directed to the given filename. As discussed above, this
differs slightly from interactive output.
@@ -3476,7 +3504,7 @@ described below.
- Requests that XML output be
+ Requests that XML output be
directed to the given filename. Nmap includes a document
type definition (DTD) which allows XML parsers to validate
Nmap XML output. While it is primarily intended for
@@ -3491,12 +3519,10 @@ described below.
computer languages, including C/C++, Perl, Python, and
Java. People have even written bindings for most of these
languages to handle Nmap output and execution specifically.
- Examples are Nmap::Scanner
- Nmap::Scanner
- and Nmap::Parser
- Nmap::Parser
+ Examples are
+ Nmap::ScannerNmap::Scanner
+ and
+ Nmap::ParserNmap::Parser
in Perl
CPAN. In almost all cases that a non-trivial application
interfaces with Nmap, XML is the preferred format.
@@ -3622,8 +3648,7 @@ format is available
estimates are provided when Nmap thinks a scan will take
more than a few minutes. Use it twice or more for even greater
verbosity: , or give a verbosity level
- directly, for example .
- giving more than once
+ directly, for example .giving more than onceMost changes only affect interactive output, and some
@@ -3716,7 +3741,7 @@ even if this option is not specified.
interval of time. The time is a
specification of the kind described in
; so for example, use
- --stats-every 10s to get a status update
+ to get a status update
every 10 seconds. Updates are printed to interactive output
(the screen) and XML output.
@@ -3872,27 +3897,25 @@ hosts with at least one
- Nmap ships with an XSL
- XSL
- stylesheet
- stylesheet
- named nmap.xsl
- nmap.xsl
- for viewing or translating XML output to HTML.
- HTML from XML output
+ Nmap ships with an XSLXSL
+ stylesheetstylesheet
+ named nmap.xslnmap.xsl
+ for viewing or translating XML output to HTML.HTML from XML output
The XML output includes an xml-stylesheet
directive which points to nmap.xml
- where it was initially installed by Nmap (or in the current
- working directory on Windows). Simply load Nmap's XML
- output in a modern web browser and it should retrieve
- nmap.xsl from the filesystem and use it
- to render results. If you wish to use a different
+ where it was initially installed by Nmap. Run the XML file
+ through an XSLT processor such as
+ xsltprocxsltproc
+ to produce an HTML file. Directly opening the XML file in a
+ browser no longer works well because modern browsers limit the
+ locations a stylesheet may be loaded from.
+ If you wish to use a different
stylesheet, specify it as the argument to
. You must pass the full
pathname or URL. One common invocation is
. This
- tells a browser to load the latest version of the stylesheet
+ tells an XSLT processor to load the latest version of the stylesheet
from Nmap.Org. The option
does the same thing with less typing and memorization.
Loading the XSL from Nmap.Org makes it easier to view results on
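Review bot: the unchanged context line "directive which points to nmap.xml" looks like a pre-existing typo for nmap.xsl, the stylesheet named two sentences earlier; since this hunk rewrites the sentences around it, correct it here. The new text tells the reader to run the XML "through an XSLT processor such as xsltproc" without showing the command; one line such as `xsltproc -o scan.html nmap.xsl scan.xml` would do. Finally, with the browser path gone, the "load the latest version of the stylesheet from Nmap.Org" advice now means the XSLT processor fetches a stylesheet over plain HTTP and applies it to local scan output; a caveat that the fetched stylesheet is unauthenticated, and that `xsltproc --nonet` refuses such fetches for anyone who wants a purely local render, would serve practitioners.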
@@ -3910,7 +3933,7 @@ hosts with at least one
- This convenience option is simply an alias for
+ This is a convenience option, nothing more than an alias for
.
@@ -3958,7 +3981,7 @@ hosts with at least one
3ffe:7501:4819:2000:210:f3ff:fe03:14d0,
so hostnames are recommended. The output looks the same as
usual, with the IPv6 address on the interesting
- ports line being the only IPv6 give away.
+ ports line being the only IPv6 giveaway.
While IPv6 hasn't exactly taken the world by storm, it
gets significant use in some (usually Asian) countries and
@@ -3989,8 +4012,7 @@ hosts with at least one
stands for yet. Presently this enables OS detection
(), version scanning (),
script scanning () and
- traceroute ().
- features enabled by
+ traceroute ().features enabled by
More features may be
added in the future. The point is to enable a
comprehensive set of scan options without people having
@@ -4023,7 +4045,9 @@ hosts with at least one
searches these files in the directory specified with the
option (if any). Any files not
found there, are searched for in the directory specified by
- the NMAPDIR environmental variableNMAPDIR environment variable.
+ the
+ NMAPDIRNMAPDIR environment variable
+ environment variable.
Next comes
~/.nmap.nmap directory
for real and effective UIDs (POSIX systems only) or location of
@@ -4121,7 +4145,7 @@ hosts with at least one
for options that require privileges (SYN scan, OS detection,
etc.). The
NMAP_PRIVILEGEDNMAP_PRIVILEGED environment variable
- environmental variable
+ environment variable
may be set as an equivalent alternative to
.
@@ -4143,7 +4167,7 @@ hosts with at least one
network functionality of your operating system is somehow
broken. The
NMAP_UNPRIVILEGEDNMAP_UNPRIVILEGED environment variable
- environmental variable
+ environment variable
may be set as an equivalent alternative to
.
@@ -4246,10 +4270,10 @@ hosts with at least one
Print out a status message like this:
- Stats: 0:00:08 elapsed; 111 hosts completed (5 up),
- 5 undergoing Service Scan
- Service scan Timing: About 28.00% done; ETC: 16:18
- (0:00:15 remaining)
+
+Stats: 0:00:07 elapsed; 20 hosts completed (1 up), 1 undergoing Service Scan
+Service scan Timing: About 33.33% done; ETC: 20:57 (0:00:12 remaining)
+
@@ -4262,21 +4286,22 @@ hosts with at least one
IP addresses and domain names are used to make things
more concrete. In their place you should substitute
addresses/names from
- your own network.. While I don't think
+ your own network. While I don't think
port scanning other networks is or should be illegal, some network
administrators don't appreciate unsolicited scanning of their networks and may
complain. Getting permission first is the best approach.
For testing purposes, you have permission to scan the host
- scanme.nmap.org. This permission only includes
+ scanme.nmap.org.scanme.nmap.org
+ This permission only includes
scanning via Nmap and not testing exploits or denial of service
attacks. To conserve bandwidth, please do not initiate more than
a dozen scans against that host per day. If this free scanning
target service is abused, it will be taken down and Nmap will
report Failed to resolve given hostname/IP:
scanme.nmap.org. These permissions also apply to
- the hosts scanme2.nmap.org,
- scanme3.nmap.org, and so on, though those hosts
+ the hosts scanme2.nmap.org,
+ scanme3.nmap.org, and so on, though those hosts
do not currently exist.
@@ -4292,7 +4317,7 @@ hosts with at least one
nmap -sS -O scanme.nmap.org/24Launches a stealth SYN scan against each machine that is
- up out of the 256 IPs on class C sized network where
+ up out of the 256 IPs on the class C sized network where
Scanme resides. It also tries to determine what
operating system is running on each host that is up and
running. This requires root privileges because of the SYN scan