diff --git a/CHANGELOG b/CHANGELOG index 6d89c2089..96a3786b0 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,36 @@ # Nmap Changelog ($Id$) +UNRELEASED + +o Wrote a new man page from scratch. It is much more comprehensive + (more than twice as long) and (IMHO) better organized than the + previous one. Read it online at http://www.insecure.org/nmap/man/ + or docs/nmap.1 from the Nmap distribution. Let me know if you have + any ideas for improving it. I am also looking for translations. If + you are interested in translating to a language not already found at + http://www.insecure.org/nmap/nmap_documentation.html , please mail + Fyodor for the DocBook XML source to translate. + +o Removed foreign translations of the old man page from the + distribution. Included the following contributed translations + (nroff format) of the new man page: + Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br) + +o Wrote a new "help screen", which you get when running Nmap without + arguments. It is also reproduced in the man page and at + http://www.insecure.org/nmap/data/nmap.usage.txt . I gave up trying + to fit it within a 25-line, 80-column terminal window. It is now 78 + lines and summarizes all but the most obscure Nmap options. + +o Fixed a problem which caused UDP version scanning to fail to print + the matched service. Thanks to Martin Macok + (martin.macok(a)underground.cz) for reporting the problem and Doug + Hoyte (doug(a)hcsw.org) for fixing it. + +o Fixed a crash occured when the --exclude option was used with + netmasks on certain platforms. Thanks to Adam + (nmapuser(a)globalmegahost.com) for reporting the problem. + o Version detection softmatches (when Nmap determines the service protocol such as smtp but isn't able to determine the app name such as Postfix) can now parse out the normal match line fields such as @@ -20,6 +51,11 @@ o Fixed a bunch of typos and misspellings throughout the Nmap source code (mostly in comments). This was a 625-line patch by Saint Xavier (skyxav(a)skynet.be). +o Nmap now accepts target list files in Windows end-of-line format (\r\n) + as well as standard UNIX format (\n) on all platforms. Passing a + Windows style file to Nmap on UNIX didn't work before unless you ran + dos2unix first. + o Removed Identd scan support from NmapFE since Nmap no longer supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the patch. @@ -38,6 +74,10 @@ o Fixed a divide-by-zero crash when you specify rather bogus Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and sending a patch. +o Fixed a minor syntax error in tcpip.h that was causing problems with + GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting + the problem and sending a fix. + Nmap 3.93 o Modified Libpcap's configure.ac to compile with the diff --git a/Makefile.in b/Makefile.in index dcb61bb22..a7364bc43 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,5 +1,5 @@ export NMAP_VERSION = 3.94 -NMAP_NAME= nmap +NMAP_NAME= Nmap NMAP_URL= http://www.insecure.org/nmap/ NMAP_PLATFORM=@host@ prefix = @prefix@ diff --git a/docs/nmap.1 b/docs/nmap.1 index 1a5eb6190..65a5c3683 100644 --- a/docs/nmap.1 +++ b/docs/nmap.1 @@ -1,1237 +1,1403 @@ -.\" This definition swiped from the gcc(1) man page -.de Sp -.if n .sp -.if t .sp 0.4 -.. -.TH NMAP 1 -.SH NAME -nmap \- Network exploration tool and security scanner -.SH SYNOPSIS -.B nmap -[Scan Type(s)] [Options] -.SH DESCRIPTION - -.I Nmap -is designed to allow system administrators and curious -individuals to scan large networks to determine which hosts -are up and what services they are offering. -.I nmap -supports a large number of scanning techniques such as: UDP, TCP -connect(), TCP SYN (half open), ftp proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN -sweep, IP Protocol, and Null scan. See the -.I Scan Types -section for more details. nmap also offers a number of -advanced features such as remote OS detection via TCP/IP -fingerprinting, stealth scanning, dynamic delay and -retransmission calculations, parallel scanning, detection of -down hosts via parallel pings, decoy scanning, port -filtering detection, direct (non-portmapper) RPC scanning, -fragmentation scanning, and flexible target and port -specification. +.\" ** You probably do not want to edit this file directly ** +.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). +.\" Instead of manually editing it, you probably should edit the DocBook XML +.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. +.TH "NMAP" "1" "11/17/2005" "" "Nmap Reference Guide" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +nmap \- Network exploration tool and security / port scanner +.SH "SYNOPSIS" +.HP 5 +\fBnmap\fR [\fIScan\ Type\fR...] [\fIOptions\fR] {\fItarget\ specification\fR} +.SH "DESCRIPTION" .PP -Significant effort has been put into decent nmap performance -for non-root users. Unfortunately, many critical kernel -interfaces (such as raw sockets) require root privileges. -nmap should be run as root whenever possible (not setuid root, -of course). +Nmap (\(lqNetwork Mapper\(rq) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. .PP -The result of running nmap is usually a list of interesting ports on -the machine(s) being scanned (if any). Nmap always gives the port's -"well known" service name (if any), number, state, and protocol. The -state is either "open", "closed" "filtered", or "unfiltered". Open -means that the target machine will accept() connections on that port. -Closed ports are not listening for connections (they have no -application associated with them). Filtered means that a firewall, -filter, or other network obstacle is covering the port and preventing -nmap from determining whether the port is open. Unfiltered means that -the port is known by nmap to be closed and no firewall/filter seems to -be interfering with nmap's attempts to determine this. Unfiltered -ports are the common case and are only shown when most of the scanned -ports are in the filtered state. In some cases, Nmap cannot -distinguish between filtered ports and those that are either open or -closed. For example, a port that does not respond to a FIN Scan could -be either open or filtered. In these cases, Nmap lists ports as -"open|filtered" or "closed|filtered". -.PP -Depending on options used, nmap may also report the -following characteristics of the remote host: OS in use, TCP -sequentiality, usernames running the programs which have -bound to each port, the DNS name, whether the host is a -smurf address, and a few others. -.SH OPTIONS -Options that make sense together can generally be combined. -Some options are specific to certain scan modes. -.I nmap -tries to catch and warn the user about psychotic or -unsupported option combinations. -.Sp -If you are impatient, you can skip to the -.I examples -section at the end, which demonstrates common usage. You -can also run -.B nmap -h -for a quick reference page listing all the options. -.TP -.B SCAN TYPES -.TP -.B \-sS -TCP SYN scan: This technique is often referred to as "half-open" -scanning, because you don't open a full TCP connection. You send a SYN -packet, as if you are going to open a real connection and you wait for -a response. A SYN|ACK indicates the port is listening. A RST is -indicative of a non\-listener. If a SYN|ACK is received, a RST is -immediately sent to tear down the connection (actually our OS kernel -does this for us). The primary advantage to this scanning technique is -that fewer sites will log it. Unfortunately you need root privileges -to build these custom SYN packets. This is the default scan type for -privileged users. -.TP -.B \-sT -TCP connect() scan: This is the most basic form of TCP -scanning. The connect() system call provided by your -operating system is used to open a connection to every -interesting port on the machine. If the port is listening, -connect() will succeed, otherwise the port isn't -reachable. One strong advantage to this technique is that -you don't need any special privileges. Any user on most UNIX -boxes is free to use this call. -.Sp -This sort of scan is easily detectable as target host logs will show a -bunch of connection and error messages for the services which accept() -the connection just to have it immediately shutdown. This is the -default scan type for unprivileged users. -.TP -.B \-sF \-sX \-sN -Stealth FIN, Xmas Tree, or Null scan modes: There are times -when even SYN scanning isn't clandestine enough. Some -firewalls and packet filters watch for SYNs to restricted -ports, and programs like Synlogger and Courtney are -available to detect these scans. These advanced scans, on -the other hand, may be able to pass through unmolested. -.Sp -The idea is that closed ports are required to reply to your probe -packet with an RST, while open ports must ignore the packets in -question (see RFC 793 pp 64). Filered ports also tend to drop probes -without a response, so Nmap considers ports "open|filtered" when it -fails to elicit any response. If you add version detection (-sV), it -will try to verify whether the ports are actually open and change the -state as appropriate. The FIN scan uses a bare (surprise) FIN packet -as the probe, while the Xmas tree scan turns on the FIN, URG, and PUSH -flags. The Null scan turns off all flags. Unfortunately Microsoft -(like usual) decided to completely ignore the standard and do things -their own way. Thus this scan type will not work against systems -running Windows95/NT. On the positive side, this is a good way to -distinguish between the two platforms. If the scan finds open ports, -you know the machine is not a Windows box. If a -sF,-sX,or -sN scan -shows all ports closed, yet a SYN (-sS) scan shows ports being opened, -you are probably looking at a Windows box. This is less useful now -that nmap has proper OS detection built in. There are also a few -other systems that are broken in the same way Windows is. They -include Cisco, BSDI, HP/UX, MVS, and IRIX. All of the above send -resets from the open ports when they should just drop the packet. -.TP -.B \-sP -Ping scanning: Sometimes you only want to know which hosts -on a network are up. Nmap can do this by sending ICMP echo -request packets to every IP address on the networks you -specify. Hosts that respond are up. Unfortunately, some -sites such as microsoft.com block echo request packets. -Thus nmap can also send a TCP ack packet to (by default) -port 80. If we get an RST back, that machine is up. A -third technique involves sending a SYN packet and waiting -for a RST or a SYN/ACK. For non-root users, a connect() -method is used. -.Sp -By default (for root users), nmap uses both the ICMP and ACK -techniques in parallel. You can change these with the -.B \-P -options described later. -.Sp -Note that pinging is done by default anyway, and only hosts -that respond are scanned. Only use this option if you wish -to ping sweep -.B without -doing any actual port scans. -.TP -.B \-sV -Version detection: After TCP and/or UDP ports are discovered using one -of the other scan methods, version detection communicates with those -ports to try and determine more about what is actually running. A -file called nmap-service-probes is used to determine the best probes -for detecting various services and the match strings to expect. Nmap -tries to determine the service protocol (e.g. ftp, ssh, telnet, http), -the application name (e.g. ISC Bind, Apache httpd, Solaris telnetd), -the version number, and sometimes miscellaneous details like whether -an X server is open to connections or the SSH protocol version). If -Nmap was compiled with OpenSSL support, it will connect to SSL servers -to deduce the service listening behind the encryption. When RPC -services are discovered, the Nmap RPC grinder is used to determine the -RPC program and version numbers. Some UDP ports are left in the -"open|filtered" state after a UDP scan is unable to determine whether -the port is open or filtered. Version detection will try to elicit a -response from these ports (just as it does with open ports), and -change the state to open if it succeeds. Note that the Nmap -A option -also enables this feature. For a much more detailed description of -Nmap service detection, read our paper at -http://www.insecure.org/nmap/versionscan.html . There is a related ---version_trace option which causes Nmap to print out extensive -debugging info about what version scanning is doing (this is a subset -of what you would get with --packet_trace). -.TP -.B \-sU -UDP scans: This method is used to determine which UDP (User Datagram -Protocol, RFC 768) ports are open on a host. The technique is to send -0 byte UDP packets to each port on the target machine. If we receive -an ICMP port unreachable message, then the port is closed. If a UDP -response is received to the probe (unusual), the port is open. If we -get no response at all, the state is "open|filtered", meaning that the -port is either open or packet filters are blocking the communication. -Versions scan (-sV) can be used to help differentiate the truly open -ports from the filtered ones. -.Sp -Some people think UDP scanning is pointless. I usually -remind them of the Solaris rpcbind hole. Rpcbind can -be found hiding on an undocumented UDP port somewhere above -32770. So it doesn't matter that 111 is blocked by the -firewall. But can you find which of the more than 30,000 -high ports it is listening on? With a UDP scanner you can! -There is also the cDc Back Orifice backdoor program which -hides on a configurable UDP port on Windows machines. Not -to mention the many commonly vulnerable services that -utilize UDP such as snmp, tftp, NFS, etc. -.Sp -Unfortunately UDP scanning is sometimes painfully slow since -most hosts implement a suggestion in RFC 1812 (section -4.3.2.8) of limiting the ICMP error message rate. For -example, the Linux kernel (in net/ipv4/icmp.h) limits -destination unreachable message generation to 80 per 4 -seconds, with a 1/4 second penalty if that is exceeded. -Solaris has much more strict limits (about 2 messages per -second) and thus takes even longer to scan. -.I nmap -detects this rate limiting and slows down accordingly, -rather than flood the network with useless packets that will -be ignored by the target machine. -.Sp -As is typical, Microsoft ignored the suggestion of the RFC -and does not seem to do any rate limiting at all on Win95 -and NT machines. Thus we can scan all 65K ports of a -Windows machine -.B very -quickly. Whoop! -.Sp -.TP -.B \-sO -IP protocol scans: This method is used to determine which IP protocols -are supported on a host. The technique is to send raw IP packets -without any further protocol header to each specified protocol on the -target machine. If we receive an ICMP protocol unreachable message, -then the protocol is not in use. Otherwise we assume it is open. -Note that some hosts (AIX, HP-UX, Digital UNIX) and firewalls may not -send protocol unreachable messages. This causes all of the protocols -to appear "open". -.Sp -Because the implemented technique is very similar to UDP port scanning, -ICMP rate limit might apply too. But the IP -protocol field has only 8 bits, so at most 256 protocols can be -probed which should be possible in reasonable time anyway. -.TP -.B \-sI -Idlescan: This advanced scan method allows for a truly blind TCP -port scan of the target (meaning no packets are sent to the target from -your real IP address). Instead, a unique side-channel attack exploits -predictable "IP fragmentation ID" sequence generation on the zombie host -to glean information about the open ports on the target. IDS systems -will display the scan as coming from the zombie machine you specify -(which must be up and meet certain criteria). I wrote an informal -paper about this technique at -http://www.insecure.org/nmap/idlescan.html . -.Sp -Besides being extraordinarily stealthy (due to its blind nature), this -scan type permits mapping out IP-based trust relationships between machines. -The port listing shows open ports -.I from the perspective of the zombie host. -So you can try scanning a target using various zombies that you think -might be trusted (via router/packet filter rules). Obviously this is -crucial information when prioritizing attack targets. Otherwise, you -penetration testers might have to expend considerable resources "owning" an -intermediate system, only to find out that its IP isn't even trusted -by the target host/network you are ultimately after. -.Sp -You can add a colon followed by a port number if you wish to probe -a particular port on the zombie host for IPID changes. Otherwise Nmap -will use the port it uses by default for "tcp pings". -.TP -.B \-sA -ACK scan: This advanced method is usually used to map out -firewall rulesets. In particular, it can help determine -whether a firewall is stateful or just a simple packet -filter that blocks incoming SYN packets. -.Sp -This scan type sends an ACK packet (with random looking -acknowledgment/sequence numbers) to the ports specified. -If a RST comes back, the ports is classified as -"unfiltered". If nothing comes back (or if an ICMP -unreachable is returned), the port is classified as -"filtered". Note that -.I nmap -usually doesn't print "unfiltered" -ports, so getting -.B no -ports shown in the output is usually a sign that all the -probes got through (and returned RSTs). This scan will -obviously never show ports in the "open" state. -.TP -.B \-sW -Window scan: This advanced scan is very similar to the ACK -scan, except that it can sometimes detect open ports as well -as filtered/unfiltered due to an anomaly in the TCP window -size reporting by some operating systems. Systems -vulnerable to this include at least some versions of AIX, -Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital -UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, -OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and -VxWorks. See the nmap-hackers mailing list archive for a -full list. -.TP -.B \-sR -RPC scan. This method works in combination with the various -port scan methods of Nmap. It takes all the TCP/UDP ports -found open and then floods them with SunRPC program NULL -commands in an attempt to determine whether they are RPC -ports, and if so, what program and version number they serve -up. Thus you can effectively obtain the same info as -"rpcinfo -p" even if the target's portmapper is behind a -firewall (or protected by TCP wrappers). Decoys do not -currently work with RPC scan, at some point I may add decoy -support for UDP RPC scans. This is automatically enabled as part of -version scan (-sV) if you request that. -.TP -.B \-sL -List scan. This method simply generates and prints a list of -IP addresses or hostnames without actually pinging or port scanning -them. DNS name resolution will be performed unless you use -n. -.TP -.B \-b -FTP bounce attack: An interesting "feature" of the ftp -protocol (RFC 959) is support for "proxy" ftp -connections. In other words, I should be able to connect -from evil.com to the FTP server of target.com and request -that the server send a file ANYWHERE on the Internet! Now -this may have worked well in 1985 when the RFC was -written. But in today's Internet, we can't have people -hijacking ftp servers and requesting that data be spit out -to arbitrary points on the Internet. As *Hobbit* wrote back -in 1995, this protocol flaw "can be used to post virtually -untraceable mail and news, hammer on servers at various -sites, fill up disks, try to hop firewalls, and generally be -annoying and hard to track down at the same time." What we -will exploit this for is to (surprise, surprise) scan TCP -ports from a "proxy" ftp server. Thus you could connect to -an ftp server behind a firewall, and then scan ports that -are more likely to be blocked (139 is a good one). If the -ftp server allows reading from and writing to some directory -(such as /incoming), you can send arbitrary data to ports -that you do find open (nmap doesn't do this for you though). -.Sp -The argument passed to the "b" option is the host you want -to use as a proxy, in standard URL notation. The format is: -.I username:password@server:port. -Everything but -.I server -is optional. To determine what servers are vulnerable to -this attack, you can see my article in -.I Phrack -51. An updated version is available at the -.I nmap -URL (http://www.insecure.org/nmap). -.TP -.B GENERAL OPTIONS -None of these are required but some can be quite useful. Note that -the -P options can now be combined -- you can increase your odds of -penetrating strict firewalls by sending many probe types using -different TCP ports/flags and ICMP codes. -.TP -.B \-P0 -Do not try to ping hosts at all before scanning them. This -allows the scanning of networks that don't allow ICMP echo -requests (or responses) through their firewall. -microsoft.com is an example of such a network, and thus you -should always use -.B \-P0 +The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the +\(lqinteresting ports table\(rq. That table lists the port number and protocol, service name, and state. The state is either +open, +filtered, +closed, or +unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. +Filtered +means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is +open or -.B \-PS80 -when portscanning microsoft.com. Note that "ping" in this context may -involve more than the traditional ICMP echo request packet. Nmap -supports many such probes, including arbitrary combinations of TCP, -UDP, and ICMP probes. By default, Nmap sends an ICMP echo request and -a TCP ACK packet to port 80. -.TP -.B \-PA [portlist] -Use TCP ACK "ping" to determine what hosts are up. Instead of sending -ICMP echo request packets and waiting for a response, we spew out TCP -ACK packets throughout the target network (or to a single machine) and -then wait for responses to trickle back. Hosts that are up should -respond with a RST. This option preserves the efficiency of only -scanning hosts that are up while still allowing you to scan -networks/hosts that block ping packets. For non root UNIX users, we -use connect() and thus a SYN is actually being sent. To set the -destination ports of the probe packets use -PA[,port2][...]. -The default port is 80, since this port is often not filtered out. -Note that this option now accepts multiple, comma-separated port -numbers. -.TP -.B \-PS [portlist] -This option uses SYN (connection request) packets instead of -ACK packets for root users. Hosts that are up should -respond with a RST (or, rarely, a SYN|ACK). You can set the -destination ports in the same manner as \-PA above. -.TP -.B \-PR -This option specifies a raw ethernet ARP ping. It cannot be used in -combination with any of the other ping types. When the target -machines are on the same network you are scanning from, this is the -fastest and most reliable (because it goes below IP-level filters) -ping method. Nmap sends an IPv4-to-Ethernet ARP request for each -target IP, and watches for any ARP response. -.B \-PU [portlist] -This option sends UDP probes to the specified hosts, expecting an ICMP -port unreachable packet (or possibly a UDP response if the port is -open) if the host is up. Since many UDP services won't reply to an -empty packet, your best bet might be to send this to expected-closed -ports rather than open ones. -.TP -.B \-PE -This option uses a true ping (ICMP echo request) packet. It -finds hosts that are up and also looks for subnet-directed -broadcast addresses on your network. These are IP addresses -which are externally reachable and translate to a broadcast -of incoming IP packets to a subnet of computers. These -should be eliminated if found as they allow for numerous -denial of service attacks (Smurf is the most common). -.TP -.B \-PP -Uses an ICMP timestamp request (type 13) packet to find listening hosts. -.TP -.B \-PM -Same as -.B \-PE -and -.B \-PP -except uses a netmask request (ICMP type 17). -.TP -.B \-PB -This is the default ping type. It uses both the ACK ( -.B \-PA -) and ICMP echo request ( -.B \-PE -) sweeps in parallel. This way you can get firewalls that filter -either one (but not both). The TCP probe destination port can be set -in the same manner as with \-PA above. Note that this flag is now deprecated -as pingtype flags can now be used in combination. So you should use both "PE" -and "PA" (or rely on the default behavior) to achieve this same effect. -.TP -.B \-O -This option activates remote host identification via TCP/IP -fingerprinting. In other words, it uses a bunch of -techniques to detect subtleties in the underlying operating -system network stack of the computers you are scanning. It -uses this information to create a "fingerprint" which it -compares with its database of known OS fingerprints (the -nmap-os-fingerprints file) to decide what type of system you -are scanning. -.Sp -If Nmap is unable to guess the OS of a machine, and conditions are -good (e.g. at least one open port), Nmap will provide a URL you can use -to submit the fingerprint if you know (for sure) the OS running on the -machine. By doing this you contribute to the pool of operating -systems known to nmap and thus it will be more accurate for everyone. -Note that if you leave an IP address on the form, the machine may be -scanned when we add the fingerprint (to validate that it works). -.Sp -The \-O option also enables several other tests. One is the "Uptime" -measurement, which uses the TCP timestamp option (RFC 1323) to guess -when a machine was last rebooted. This is only reported for machines -which provide this information. -.Sp -Another test enabled by \-O is TCP Sequence Predictability -Classification. This is a measure that describes approximately how -hard it is to establish a forged TCP connection against the remote -host. This is useful for exploiting source-IP based trust -relationships (rlogin, firewall filters, etc) or for hiding the source -of an attack. The actual difficulty number is based on statistical -sampling and may fluctuate. It is generally better to use the English -classification such as "worthy challenge" or "trivial joke". This is -only reported in normal output with -v. -.Sp -When verbose mode (\-v) is on with \-O, IPID Sequence Generation is also reported. Most machines are in the "incremental" class, which means that they increment the "ID" field in the IP header for each packet they send. This makes them vulnerable to several advanced information gathering and spoofing attacks. -.TP -.B \--osscan_limit -OS detection is far more effective if at least one open and one closed -TCP port are found. Set this option and Nmap will not even try OS -detection against hosts that do not meet this criteria. This can save -substantial time, particularly on -P0 scans against many hosts. It -only matters when OS detection is requested (-O or -A options). -.TP -.B \-A -This option enables _a_dditional _a_dvanced and _a_ggressive options. -I haven't decided exactly which it stands for yet :). Presently -this enables OS Detection (-O) and version scanning (-sV). More -features may be added in the future. The point is to enable a -comprehensive set of scan options without people having to remember a -large set of flags. This option only enables features, and not timing -options (such as -T4) or verbosity options (-v) that you might wan't -as well. -.TP -.B \-6 -This options enables IPv6 support. All targets must be IPv6 if this -option is used, and they can be specified via normal DNS name (AAAA -record) or as a literal IP address such as -3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect() TCP scan -and TCP connect() Ping scan are supported. If you need UDP or other -scan types, have a look at http://nmap6.sourceforge.net/ . -.TP -.B \--send_eth -Asks Nmap to send packets at the raw ethernet (data link) layer rather -than the higher IP (network) layer. By default, Nmap chooses the one -which is generally best for the platform it is running on. Raw -sockets (IP layer) are generally most efficient for UNIX machines, -while ethernet frames work best on the many Windows versions where -Microsoft has disabled raw sockets support. Nmap still uses raw IP -packets when there is no other choice (such as non-ethernet -connections). -.TP -.B --send_ip -Asks Nmap to send packets via raw IP sockets rather than sending lower -level ethernet frames. It is the complement to the --send-eth -option.discussed previously. -.TP -.B \--spoof_mac [mac, prefix, or vendor substring] -Ask Nmap to use the given MAC address for all of the raw ethernet -frames it sends. The MAC given can take several formats. If it is -simply the string "0", Nmap chooses a completely random MAC for the -session. If the given string is an even number of hex digits (with -the pairs optionally separated by a colon), Nmap will use those as the -MAC. If less than 12 hex digits are provided, Nmap fills in the -remainder of the 6 bytes with random values. If the argument isn't a -0 or hex string, Nmap looks through the nmap-mac-prefixes to find a -vendor name containing the given string (it is case insensitive). If -a match is found, Nmap uses the vendor's OUI (3-byte prefix) and fills -out the remaining 3 bytes randomly. Valid --spoof_mac argument -examples are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", -"0020F2", and "Cisco". -.TP -.B \-f -This option causes the requested scan (including ping scans) to use -tiny fragmented IP packets. The idea is to split up the TCP header -over several packets to make it harder for packet filters, intrusion -detection systems, and other annoyances to detect what you are -doing. Be careful with this! Some programs have trouble handling these -tiny packets. The old-school sniffer named Sniffit segmentation -faulted immediately upon receiving the first fragment. Specify this -option once, and Nmap splits the packets into 8 bytes or less after -the IP header. So a 20-byte TCP header would be split into 3 packets. - Two with eight bytes of the TCP header, and one with the final four. -Of course each fragment also has an IP header. Specify -f again to -use 16 bytes per fragment (reducing the number of fragments). Or you -can specify your own offset size with the --mtu option. Don't also -specify -f if you use --mtu. The offset must be a multiple of 8. -While fragmented packets won't get by packet filters and firewalls -that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG -option in the Linux kernel, some networks can't afford the performance -hit this causes and thus leave it disabled. Some source systems -defragment outgoing packets in the kernel. Linux with the ip tables -connection tracking module is one such example. Do a scan with a -sniffer such as ethereal running to ensure that sent packets are -fragmented. -.Sp -Note that I do not yet have this option working on all -systems. It works fine for my Linux, FreeBSD, and OpenBSD -boxes and some people have reported success with other *NIX -variants. -.TP -.B \-v -Verbose mode. This is a highly recommended option and it -gives out more information about what is going on. You can -use it twice for greater effect. You can also use -.B \-d -a few times if you really want to get crazy with -scrolling the screen! -.TP -.B \-h -This handy option display a quick reference screen of nmap -usage options. As you may have noticed, this man page is -not exactly a "quick reference" :) -.TP -.B \-oN -This logs the results of your scans in a normal -.B human readable -form into the file you specify as an argument. -.TP -.B \-oX -This logs the results of your scans in -.B XML -form into the file you specify as an argument. This allows programs -to easily capture and interpret Nmap results. You can give the -argument "-" (without quotes) to shoot output into stdout (for shell -pipelines, etc). In this case normal output will be suppressed. -Watch out for error messages if you use this (they will still go to -stderr). Also note that "-v" may cause some extra information to be -printed. The Document Type Definition (DTD) defining the XML output -structure is available at http://www.insecure.org/nmap/data/nmap.dtd . -.TP -.B \--stylesheet -Nmap ships with an XSL stylesheet named nmap.xsl for viewing or -translating XML output to HTML. The XML output includes an -xml-stylesheet directive which points to nmap.xml where it was -initially installed by Nmap (or in the current working directory on -Windows). Simply load Nmap's XML output in a modern web browser and -it should retrieve nmap.xsl from the filesystem and use it to render -results. If you wish to use a different stylesheet, specify it as the -argument to --stylesheet. You must pass the full pathname or URL. -One common invocation is --stylesheet -http://www.insecure.org/nmap/data/nmap.xsl . This tells a browser to -load the latest version of the stylesheet from Insecure.Org. This -makes it easier to view results on a machine that doesn't have Nmap -(and thus nmap.xsl) installed. So the URL is often more useful, but -the local filesystem locaton of nmap.xsl is used by default for -privacy reasons. -.TP -.B \--no_stylesheet -Specify this option to prevent Nmap from associating any XSL -stylesheet with its XML output. The xml-stylesheet directive is -omitted. -.TP -.B \-oG -This logs the results of your scans in a -.B grepable -form into the file you specify as an argument. This simple format -provides all the information on one line (so you can easily grep for -port or OS information and see all the IPs. This used to be the -preferred mechanism for programs to interact with Nmap, but now we -recommend XML output (-oX instead). This simple format may not -contain as much information as the other formats. You can give the -argument "-" (without quotes) to shoot output into stdout (for shell -pipelines, etc). In this case normal output will be suppressed. -Watch out for error messages if you use this (they will still go to -stderr). Also note that "-v" will cause some extra information to -be printed. -.TP -.B \-oA -This tells Nmap to log in ALL the major formats (normal, grepable, -and XML). You give a base for the filename, and the output files will -be base.nmap, base.gnmap, and base.xml. -.TP -.B \-oS -thIs l0gz th3 r3suLtS of YouR ScanZ iN a -.B s| -A network scan that is canceled due to control-C, network -outage, etc. can be resumed using this option. The -logfilename must be either a normal (-oN) or grepable (-oG) -log from the aborted scan. No other options -can be given (they will be the same as the aborted scan). -Nmap will start on the machine after the last one -successfully scanned in the log file. -.TP -.B \--exclude -Specifies a list of targets (hosts, ranges, netblocks) that should be -excluded from a scan. Useful to keep from scanning yourself, your ISP, -particularly sensitive hosts, etc. -.TP -.B \--excludefile -Same functionality as the --exclude option, only the excluded targets -are provided in an newline-delimited exclude_file rather than on the -command line. -.TP -.B \--allports -Causes version detection (-sV) to scan all open ports found, including -those excluded as dangerous (likely to cause crashes or other -problems) in nmap-service-probes. -.TP -.B \--append_output -Tells Nmap to append scan results to any output files you have specified -rather than overwriting those files. -.TP -.B \-iL -Reads target specifications from the file specified RATHER -than from the command line. The file should contain a list -of host or network expressions separated by spaces, tabs, or -newlines. Use a hyphen (-) as -.I inputfilename -if you want nmap to read host expressions from -stdin (like at the end of a pipe). See the section -.I target specification -for more information on the expressions you fill the file with. -.TP -.B \-iR -This option tells Nmap to generate its own hosts to scan by -simply picking random numbers :). It will never end after the given -number of IPs has been scanned -- use 0 for a never-ending scan. This -option can be useful for statistical sampling of the Internet to -estimate various things. If you are ever really bored, try -.I nmap \-sS \-PS80 \-iR 0 \-p 80 -to find some web servers to look at. -.TP -.B \-p -This option specifies what ports you want to specify. For -example "-p 23" will only try port 23 of the target host(s). -"\-p 20-30,139,60000-" scans ports between 20 and 30, port -139, and all ports greater than 60000. The default is to -scan all ports between 1 and 1024 as well as any ports -listed in the services file which comes with nmap. For IP protocol -scanning (-sO), this specifies the protocol number you wish to scan -for (0-255). -.Sp -When scanning both TCP and UDP ports, you can specify a particular -protocol by preceding the port numbers by "T:" or "U:". The qualifier -lasts until you specify another qualifier. For example, the argument -"-p U:53,111,137,T:21-25,80,139,8080" would scan UDP ports 53,111,and -137, as well as the listed TCP ports. Note that to scan both UDP & -TCP, you have to specify -sU and at least one TCP scan type (such as --sS, -sF, or -sT). If no protocol qualifier is given, the port -numbers are added to all protocol lists. -.TP -.B \-F Fast scan mode. -Specifies that you only wish to scan for ports listed in the services -file which comes with nmap (or the protocols file for -sO). This is -obviously much faster than scanning all 65535 ports on a host. -.TP -.B \-D -Causes a decoy scan to be performed which makes it appear to -the remote host that the host(s) you specify as decoys are -scanning the target network too. Thus their IDS might -report 5-10 port scans from unique IP addresses, but they -won't know which IP was scanning them and which were -innocent decoys. While this can be defeated through router -path tracing, response-dropping, and other "active" -mechanisms, it is generally an extremely effective technique -for hiding your IP address. -.Sp -Separate each decoy host with commas, and you can optionally -use "ME" as one of the decoys to represent the position you -want your IP address to be used. If you put "ME" in the -6th position or later, some common port scan detectors (such -as Solar Designer's excellent scanlogd) are unlikely to -show your IP address at all. If you don't use "ME", nmap -will put you in a random position. -.Sp -Note that the hosts you use as decoys should be up or you -might accidentally SYN flood your targets. Also it will be -pretty easy to determine which host is scanning if only one -is actually up on the network. You might want to use IP -addresses instead of names (so the decoy networks don't see -you in their nameserver logs). -.Sp -Also note that some "port scan detectors" will -firewall/deny routing to hosts that attempt port scans. The problem -is that many scan types can be forged (as this option demonstrates). -So attackers can cause such a machine to sever connectivity with -important hosts such as its internet gateway, DNS TLD servers, sites -like Windows Update, etc. Most such software offers whitelist -capabilities, but you are unlikely to enumerate all of the critical -machines. For this reason we never recommend taking -action against port scans that can be forged, including SYN scans, UDP -scans, etc. The machine you block could just be a decoy. -.Sp -Decoys are used both in the initial ping scan (using ICMP, -SYN, ACK, or whatever) and during the actual port scanning -phase. Decoys are also used during remote OS detection ( -.B \-O -). -.Sp -It is worth noting that using too many decoys may slow your -scan and potentially even make it less accurate. Also, some -ISPs will filter out your spoofed packets, although many -(currently most) do not restrict spoofed IP packets at all. -.TP -.B \-S -In some circumstances, -.I nmap -may not be able to determine your source address ( -.I nmap -will tell you if this is the case). In this situation, use -\-S with your IP address (of the interface you wish to send -packets through). -.Sp -Another possible use of this flag is to spoof the scan to -make the targets think that -.B someone else -is scanning them. Imagine a company being repeatedly port -scanned by a competitor! This is not a supported usage (or -the main purpose) of this flag. I just think it raises an -interesting possibility that people should be aware of -before they go accusing others of port scanning them. -.B \-e -would generally be required for this sort of usage. -.TP -.B \-e -Tells nmap what interface to send and receive packets on. -Nmap should be able to detect this but it will tell you if -it cannot. -.TP -.B \--source_port -Sets the source port number used in scans. Many naive firewall and -packet filter installations make an exception in their ruleset to -allow DNS (53) or FTP-DATA (20) packets to come through and establish -a connection. Obviously this completely subverts the security -advantages of the firewall since intruders can just masquerade as FTP -or DNS by modifying their source port. Obviously for a UDP scan you -should try 53 first and TCP scans should try 20 before 53. Note that -this is only a request -- nmap will honor it only if and when it is -able to. For example, you can't do TCP ISN sampling all from one -host:port to one host:port, so nmap changes the source port even if -you used this option. This is an alias for the shorter, but harder to -remember, -g option. -.Sp -Be aware that there is a small performance penalty on some -scans for using this option, because I sometimes store -useful information in the source port number. -.TP -.B \--data_length -Normally Nmap sends minimalistic packets that only contain a header. -So its TCP packets are generally 40 bytes and ICMP echo requests are -just 28. This option tells Nmap to append the given number of -random bytes to most of the packets it sends. OS detection (\-O) -packets are not affected, but most pinging and portscan packets are. -This slows things down, but can be slightly less conspicuous. -.TP -.B \-n -Tells Nmap to -.B NEVER -do reverse DNS resolution on the active IP addresses it finds. Since DNS is often slow, this can help speed things up. -.TP -.B \-R -Tells Nmap to -.B ALWAYS -do reverse DNS resolution on the target IP addresses. Normally -this is only done when a machine is found to be alive. -.TP -.B \-r -Tells Nmap -.B NOT -to randomize the order in which ports are scanned. -.TP -.B \-\-ttl -Sets the IPv4 time to live field in sent packets to the given value. -.TP -.B \-\-privileged -Tells Nmap to simply assume that it is privileged enough to perform -raw socket sends, packet sniffing, and similar operations that usually -require root privileges on UNIX systems. By default Nmap bails if -such operations are requested but geteuid() is not zero. --privileged -is useful with Linux kernel capabilities and similar systems that may -be configured to allow unprivileged users to perform raw-packet -scans. Be sure to provide this option flag before any flags for -options that require privileges (SYN scan, OS detection, etc.). The -NMAP_PRIVILEGED variable may be set as an equivalent alternative ---privileged. -.TP -.B \-\-interactive -Starts Nmap in interactive mode, which offers an interactive Nmap -prompt allowing easy launching of multiple scans (either synchronously -or in the background). This is useful for people who scan from -multi-user systems -- they often want to test their security without -letting everyone else on the system know exactly which systems they -are scanning. Use --interactive to activate this mode and then type -'h' for help. This option is rarely used because proper shells are -usually more familiar and feature-complete. -.TP -.B \-\-randomize_hosts -Tells Nmap to shuffle each group of up to 2048 hosts before -it scans them. This can make the scans less obvious to -various network monitoring systems, especially when you -combine it with slow timing options (see below). -.TP -.B \-M -Sets the maximum number of sockets that will be used in -parallel for a TCP connect() scan (the default). This is -useful to slow down the scan a little bit and avoid crashing -remote machines. Another approach is to use \-sS, which is -generally easier for machines to handle. -.TP -.B --packet_trace -Tells Nmap to show all the packets it sends and receives in a -tcpdump-like format. This can be tremendously useful for debugging, -and is also a good learning tool. -.TP -.B --datadir [directoryname] -Nmap obtains some special data at runtime in files named -nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, -nmap-mac-prefixes, and nmap-os-fingerprints. Nmap first searches -these files in the directory option to --datadir. Any files not found -there, are searched for in the directory specified by the NMAPDIR -environmental variable. Next comes ~/.nmap for real and effective -UIDs (POSIX systems only) or location of the Nmap executable (Win32 -only), and then a compiled-in location such as /usr/local/share/nmap -or /usr/share/nmap . As a last resort, Nmap will look in the current -directory. -.TP -.B TIMING OPTIONS -Generally Nmap does a good job at adjusting for Network -characteristics at runtime and scanning as fast as possible -while minimizing that chances of hosts/ports going -undetected. However, there are same cases where Nmap's -default timing policy may not meet your objectives. The -following options provide a fine level of control over the -scan timing: -.TP -.B -T -These are canned timing policies for conveniently expressing -your priorities to Nmap. -.B Paranoid -mode scans -.B very -slowly in the hopes of avoiding detection by IDS systems. -It serializes all scans (no parallel scanning) and generally -waits at least 5 minutes between sending packets. -.B Sneaky -is similar, except it -only waits 15 seconds between sending packets. -.B Polite -is meant to ease load on the network and reduce the chances -of crashing machines. It serializes the probes and waits -.B at least -0.4 seconds between them. Note that this is generally at least an -order of magnitude slower than default scans, so only use it when you -need to. -.B Normal -is the default Nmap behavior, which tries to run as quickly -as possible without overloading the network or missing -hosts/ports. -.B Aggressive -This option can make certain scans (especially SYN scans against -heavily filtered hosts) much faster. It is recommended for impatient -folks with a fast net connection. -.B Insane -is only suitable for very fast networks or where you don't -mind losing some information. It times out hosts in 15 -minutes and won't wait more than 0.3 seconds for individual probes. -It does allow for very quick network sweeps though :). -.Sp -You can also reference these by number (0-5). For example, "-T0" -gives you Paranoid mode and "-T5" is Insane mode. If you wish to set -specific timing values such as --max_rtt_timeout or --host_timeout, -place them after any -T option on the command line. Otherwise the -defaults for the selected timing mode will override your choices. -.TP -.B --host_timeout -Specifies the amount of time Nmap is allowed to spend -scanning a single host before giving up on that IP. The -default timing mode has no host timeout. -.TP -.B --max_rtt_timeout -Specifies the maximum amount of time Nmap is allowed to wait -for a probe response before retransmitting or timing out -that particular probe. The default mode sets this to about -9000. -.TP -.B --min_rtt_timeout -When the target hosts start to establish a pattern of -responding very quickly, Nmap will shrink the amount of time -given per probe. This speeds up the scan, but can lead to -missed packets when a response takes longer than usual. -With this parameter you can guarantee that Nmap will wait at -least the given amount of time before giving up on a probe. -.TP -.B --initial_rtt_timeout -Specifies the initial probe timeout. This is generally only -useful when scanning firewalled hosts with -P0. Normally -Nmap can obtain good RTT estimates from the ping and the -first few probes. The default mode uses 6000. -.TP -.B --max_hostgroup -Specifies the maximum number of hosts that Nmap is allowed to scan in -parallel. Most of the port scan techniques support multi-host -operation, which makes them much quicker. Spreading the load among -multiple target hosts makes the scans gentler. The downside is -increased results latency. You need to wait for all hosts in a group -to finish, rather than having them pop up one by one. Specify an -argument of one for old-style (one host at a time) Nmap behavior. -Note that the ping scanner handles its own grouping, and ignores this -value. -.TP -.B --min_hostgroup -Specifies the minimum host group size (see previous entry). Large -values (such as 50) are often beneficial for unattended scans, though they do -take up more memory. Nmap may override this preference when it needs -to, because a group must all use the same network interface, and some -scan types can only handle one host at a time. -.TP -.B --max_parallelism -Specifies the maximum number of scans Nmap is allowed to -perform in parallel. Setting this to one means Nmap will -never try to scan more than 1 port at a time. It also -effects other parallel scans such as ping sweep, RPC scan, -etc. -.TP -.B --min_parallelism -Tells Nmap to scan at least the given number of ports in parallel. -This can speed up scans against certain firewalled hosts by an order -of magnitude. But be careful -- results will become unreliable if you -push it too far. -.TP -.B --scan_delay -Specifies the -.B minimum -amount of time Nmap must wait between probes. This is -mostly useful to reduce network load or to slow the scan way -down to sneak under IDS thresholds. Nmap will sometimes increase the -delay itself when it detects many dropped packets. For example, -Solaris systems tend to respond with only one ICMP port unreachable -packet per second during a UDP scan. So Nmap will try to detect this -and lower its rate of UDP probes to one per second. -.TP -.B --max_scan_delay -As noted above, Nmap will sometimes enforce a special delay between -sending packets. This can provide more accurate results while -reducing network congestion, but it can slow the scans down -substantially. By default (with no -T options specified), Nmap allows -this delay to grow to one second per probe. This option allows you to -set a lower or higher maximum. Even if you set it to zero, Nmap will -have some delay between packet sends so that it can wait for responses -and avoid having too many outstanding probes in parallel. +closed. +Closed +ports have no application listening on them, though they could open up at any time. Ports are classified as +unfiltered +when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations +open|filtered +and +closed|filtered +when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (\fB\-sO\fR), Nmap provides information on supported IP protocols rather than listening ports. +.PP +In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. +.PP +A typical Nmap scan is shown in +Example\ 15.1, \(lqA representative Nmap scan\(rq. The only Nmap arguments used in this example are +\fB\-A\fR, to enable OS and version detection, +\fB\-T4\fR +for faster execution, and then the two target hostnames. +Example\ 15.1.\ A representative Nmap scan.sp +.nf +# nmap \-A \-T4 scanme.nmap.org playground -.SH TARGET SPECIFICATION -Everything that isn't an option (or option argument) in nmap -is treated as a target host specification. The simplest -case is listing single hostnames or IP addresses on the -command line. If you want to scan a subnet of IP addresses, -you can append -.B "/mask" -to the hostname -or IP address. -.B mask -must be between 0 (scan the whole Internet) and 32 (scan the -single host specified). Use /24 to scan a class "C" address -and /16 for a class "B". -.Sp -Nmap also has a more powerful notation which lets you -specify an IP address using lists/ranges for each element. -Thus you can scan the whole class "B" network 192.168.*.* by -specifying "192.168.*.*" or "192.168.0-255.0-255" or even -"192.168.1-50,51-255.1,2,3,4,5-255". And of course you can -use the mask notation: "192.168.0.0/16". These are all -equivalent. If you use asterisks ("*"), remember that most -shells require you to escape them with back slashes or -protect them with quotes. -.Sp -Another interesting thing to do is slice the Internet the -other way. Instead of scanning all the hosts in a class -"B", scan "*.*.5.6-7" to scan every IP address that ends in -\&.5.6 or .5.7 Pick your own numbers. For more information on -specifying hosts to scan, see the -.I examples -section. -.SH EXAMPLES -Here are some examples of using nmap, from simple and normal -to a little more complex/esoteric. Note that actual numbers -and some actual domain names are used to make things more -concrete. In their place you should substitute -addresses/names from -.B your own network. -I do not think portscanning other networks is illegal; nor -should portscans be construed by others as an attack. I -have scanned hundreds of thousands of machines and have -received only one complaint. But I am not a lawyer and some -(anal) people may be annoyed by -.I nmap -probes. Get permission first or use at your own risk. -.Sp -.B nmap -v target.example.com -.Sp +Starting nmap ( http://www.insecure.org/nmap/ ) +Interesting ports on scanme.nmap.org (205.217.153.62): +(The 1663 ports scanned but not shown below are in state: filtered) +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) +53/tcp open domain +70/tcp closed gopher +80/tcp open http Apache httpd 2.0.52 ((Fedora)) +113/tcp closed auth +Device type: general purpose +Running: Linux 2.4.X|2.5.X|2.6.X +OS details: Linux 2.4.7 \- 2.6.11, Linux 2.6.0 \- 2.6.11 +Uptime 33.908 days (since Thu Jul 21 03:38:03 2005) + +Interesting ports on playground.nmap.org (192.168.0.40): +(The 1659 ports scanned but not shown below are in state: closed) +PORT STATE SERVICE VERSION +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios\-ssn +389/tcp open ldap? +445/tcp open microsoft\-ds Microsoft Windows XP microsoft\-ds +1002/tcp open windows\-icfw? +1025/tcp open msrpc Microsoft Windows RPC +1720/tcp open H.323/Q.931 CompTek AquaGateKeeper +5800/tcp open vnc\-http RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900) +5900/tcp open vnc VNC (protocol 3.8) +MAC Address: 00:A0:CC:63:85:4B (Lite\-on Communications) +Device type: general purpose +Running: Microsoft Windows NT/2K/XP +OS details: Microsoft Windows XP Pro RC1+ through final release +Service Info: OSs: Windows, Windows XP + +Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds +.fi +.PP +The newest version of Nmap can be obtained from +\fI\%http://www.insecure.org/nmap/\fR. The newest version of the man page is available from +\fI\%http://www.insecure.org/nmap/man/\fR. +.SH "OPTIONS SUMMARY" +.PP +This options summary is printed when Nmap is run with no arguments, and the latest version is always available at +\fI\%http://www.insecure.org/nmap/data/nmap.usage.txt\fR. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual. Some obscure options aren't even included here. +.PP +.nf +Usage: nmap [Scan Type(s)] [Options] {target specification} +TARGET SPECIFICATION: + Can pass hostnames, IP addresses, networks, etc. + Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0\-255.1\-254 + \-iL : Input from list of hosts/networks + \-iR : Choose random targets + \-\-exclude : Exclude hosts/networks + \-\-excludefile : Exclude list from file +HOST DISCOVERY: + \-sL: List Scan \- simply list targets to scan + \-sP: Ping Scan \- go no further than determining if host is online + \-P0: Treat all hosts as online \-\- skip host discovery + \-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports + \-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes + \-n/\-R: Never do DNS resolution/Always resolve [default: sometimes] +SCAN TECHNIQUES: + \-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans + \-sN/sF/sX: TCP Null, FIN, and Xmas scans + \-\-scanflags : Customize TCP scan flags + \-sI : Idlescan + \-sO: IP protocol scan + \-b : FTP bounce scan +PORT SPECIFICATION AND SCAN ORDER: + \-p : Only scan specified ports + Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080 + \-F: Fast \- Scan only the ports listed in the nmap\-services file) + \-r: Scan ports consecutively \- don't randomize +SERVICE/VERSION DETECTION: + \-sV: Probe open ports to determine service/version info + \-\-version_light: Limit to most likely probes for faster identification + \-\-version_all: Try every single probe for version detection + \-\-version_trace: Show detailed version scan activity (for debugging) +OS DETECTION: + \-O: Enable OS detection + \-\-osscan_limit: Limit OS detection to promising targets + \-\-osscan_guess: Guess OS more aggressively +TIMING AND PERFORMANCE: + \-T[0\-6]: Set timing template (higher is faster) + \-\-min_hostgroup/max_hostgroup : Parallel host scan group sizes + \-\-min_parallelism/max_parallelism : Probe parallelization + \-\-min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies + probe round trip time. + \-\-host_timeout : Give up on target after this long + \-\-scan_delay/\-\-max_scan_delay : Adjust delay between probes +FIREWALL/IDS EVASION AND SPOOFING: + \-f; \-\-mtu : fragment packets (optionally w/given MTU) + \-D : Cloak a scan with decoys + \-S : Spoof source address + \-e : Use specified interface + \-g/\-\-source_port : Use given port number + \-\-data_length : Append random data to sent packets + \-\-ttl : Set IP time\-to\-live field + \-\-spoof_mac : Spoof your MAC address +OUTPUT: + \-oN/\-oX/\-oS/\-oG : Output scan in normal, XML, s|: Output in the three major formats at once + \-v: Increase verbosity level (use twice for more effect) + \-d[level]: Set or increase debugging level (Up to 9 is meaningful) + \-\-packet_trace: Show all packets sent and received + \-\-iflist: Print host interfaces and routes (for debugging) + \-\-append_output: Append to rather than clobber specified output files + \-\-resume : Resume an aborted scan + \-\-stylesheet : XSL stylesheet to transform XML output to HTML + \-\-no_stylesheet: Prevent associating of XSL stylesheet w/XML output +MISC: + \-6: Enable IPv6 scanning + \-A: Enables OS detection and Version detection + \-\-datadir : Specify custom Nmap data file location + \-\-send_eth/\-\-send_ip: Send using raw ethernet frames or IP packets + \-\-privileged: Assume that the user is fully privileged + \-V: Print version number + \-h: Print this help summary page. +EXAMPLES: + nmap \-v \-A scanme.nmap.org + nmap \-v \-sP 192.168.0.0/16 10.0.0.0/8 + nmap \-v \-iR 10000 \-P0 \-p 80 +.fi +.sp +.SH "TARGET SPECIFICATION" +.PP +Everything on the Nmap command\-line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning. +.PP +Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR\-style addressing. You can append /\fInumbits\fR +to an IP address or hostname and Nmap will scan every IP address for which the first +\fInumbits\fR +are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0 (binary: +11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: +11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would do exactly the same thing. Given that the host scanme.nmap.org is at the IP address 205.217.153.62, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 205.217.0.0 and 205.217.255.255. The smallest allowed value is /1, which scans half the Internet. The largest value is 32, which scans just the named host or IP address because all address bits are fixed. +.PP +CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they are commonly broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma separated list of numbers or ranges for each octet. For example, 192.168.0\-255.1\-254 will skip all addresses in the range that end in .0 and or .255. Ranges need not be limited to the final octects: the specifier 0\-255.0\-255.13.37 will perform an Internet\-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research. +.PP +IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful. +.PP +Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command +\fBnmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3\-7.0\-255\fR +does what you would expect. +.PP +While targets are usually specified on the command lines, the following options are also available to control target selection: +.TP +\fB\-iL \fR (Input from list) +Reads target specifications from +\fIinputfilename\fR. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses +\fIexcept\fR +for those to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the +\fB\-iL\fR +option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (\-) as the filename if you want Nmap to read hosts from standard input rather than an actual file. +.TP +\fB\-iR \fR (Choose random targets) +For Internet\-wide surveys and other research, you may want to choose targets at random. The +\fInum hosts\fR +argument tells Nmap how many IPs to generate. Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are automatically skipped. The argument +0 +can be specified for a never\-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command +\fBnmap \-sS \-PS80 \-iR 0 \-p 80\fR +to locate random web servers for browsing. +.TP +\fB\-\-exclude \fR (Exclude hosts/networks) +Specifies a comma\-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission\-critical servers, systems that are known to react adversely to port scans, or subnetworks administered by other people. +.TP +\fB\-\-excludefile \fR (Exclude list from file) +This offers the same functionality as the +\fB\-\-exclude\fR +option, except that the excluded targets are provided in a newline, space, or tab delimited +\fIexclude_file\fR +rather than on the command line. +.SH "HOST DISCOVERY" +.PP +One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions. +.PP +Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous +ping +tool. Users can skip the ping step entirely with a list scan (\fB\-sL\fR) or by disabling ping (\fB\-P0\fR), or engage the network with arbitrary combinations of multi\-port TCP SYN/ACK, UDP, and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with RFC1918\-blessed private address space such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of IP addresses. +.PP +If no host discovery options are given, Nmap sends a TCP ACK packet destined for port 80 and an ICMP Echo Request query to each target machine. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network. For unprivileged UNIX shell users, a SYN packet is sent instead of the ack using the +\fBconnect()\fR +system call. These defaults are equivalent to the +\fB\-PA \-PE\fR +options. This host discovery is often sufficent when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing. +.PP +The +\fB\-P*\fR +options (which select ping types) can be combined. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes. Also note that ARP discovery (\fB\-PR\fR) is done by default against targets on a local ethernet network even if you specify other +\fB\-P*\fR +options, because it is almost always faster and more effective. +.PP +The following options control host discovery. +.TP +\fB\-sL\fR (List Scan) +The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse\-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, +fw.chi.playboy.com +is the firewall for the Chicago office of Playboy Enterprises. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network. +.sp +Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or ping scanning cannot be combined with this. If you wish to disable ping scanning while still performing such higher level functionality, read up on the +\fB\-P0\fR +option. +.TP +\fB\-sP\fR (Ping Scan) +This option tells Nmap to +\fIonly\fR +perform a ping scan (host discovery), then print out the available hosts that responded to the scan. No further testing (such as port scanning or OS detection) is performed. This is one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name. +.sp +Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries. +.sp +The +\fB\-sP\fR +option sends an ICMP echo request and a TCP packet to port 80 by default. When executed by an unprivileged user, a SYN packet is sent (using a +\fBconnect()\fR +call) to port 80 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests (\fB\-PR\fR) are used unless +\fB\-\-send_ip\fR +was specified. The +\fB\-sP\fR +option can be combined with any of the discovery probe types (the +\fB\-P*\fR +options, excluding +\fB\-P0\fR) for greater flexibility. If any of those probe type and port number options are used, the default probes (ACK and echo request) are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses. +.TP +\fB\-P0\fR (No ping) +This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with +\fB\-P0\fR +causes Nmap to attempt the requested scanning functions against +\fIevery\fR +target IP address specified. So if a class B sized target address space (/16) is specified on the command line, all 65,536 IP addresses are scanned. That second option character in +\fB\-P0\fR +is a zero and not the letter O. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. +.TP +\fB\-PS [portlist]\fR (TCP SYN Ping) +This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT in +\fInmap.h\fR), but an alternate port can be specified as a parameter. A comma separated list of ports can even be specified (e.g. +\fB\-PS22,23,25,80,113,1050,35000\fR), in which case probes will be attempted against each port in parallel. +.sp +The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of a TCP 3\-way\-handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet which would complete the 3\-way\-handshake and establish a full connection. The RST packet is sent by the kernel of the machine running Nmap in response to the unexpected SYN/ACK, not by Nmap itself. +.sp +Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive. +.sp +On UNIX boxes, only the privileged user +root +is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the connect() system call is initiated against each target port. This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. If connect() returns with a quick success or an ECONNREFUSED failure, the underlying TCP stack must have received a SYN/ACK or RST and the host is marked available. If the connection attempt is left hanging until a timeout is reached, the host is marked as down. This workaround is also used for IPv6 connections, as raw IPv6 packet building support is not yet available in Nmap. +.TP +\fB\-PA [portlist]\fR (TCP ACK Ping) +The TCP ACK ping is quite similar to the just\-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process. +.sp +The +\fB\-PA\fR +option uses the same default port as the SYN probe (80) and can also take a list of destination ports in the same format. If an unprivileged user tries this, or an IPv6 target is specified, the connect() workaround discussed previously is used. This workaround is imperfect because connect() is actually sending a SYN packet rather than an ACK. +.sp +The reason for offering both SYN and ACK ping probes is to maximize the chances of bypassing firewalls. Many administrators configure routers and other simple firewalls to block incoming SYN packets except for those destined for public services like the company web site or mail server. This prevents other incoming connections to the organization, while allowing users to make unobstructed outgoing connections to the Internet. This non\-stateful approach takes up few resources on the firewall/router and is widely supported by hardware and software filters. The Linux Netfilter/iptables firewall software offers the +\fB\-\-syn\fR +convenience option to implement this stateless approach. When stateless firewall rules such as this are in place, SYN ping probes (\fB\-PS\fR) are likely to be blocked when sent to closed target ports. In such cases, the ACK probe shines as it cuts right through these rules. +.sp +Another common type of firewall uses stateful rules that drop unexpected packets. This feature was initially found mostly on high\-end firewalls, though it has become much more common over the years. The Linux Netfilter/iptables system supports this through the +\fB\-\-state\fR +option, which categorizes packets based on connection state. A SYN probe is more likely to work against such a system, as unexpected ACK packets are generally recognized as bogus and dropped. A solution to this quandary is to send both SYN and ACK probes by specifying +\fB\-PS\fR +and +\fB\-PA\fR. +.TP +\fB\-PU [portlist]\fR (UDP Ping) +Another host discovery option is the UDP ping, which sends an empty (unless +\fB\-\-data_length\fR +is specified) UDP packet to the given ports. The portlist takes the same format as with the previously discussed +\fB\-PS\fR +and +\fB\-PA\fR +options. If no ports are specified, the default is 31338. This default can be configured at compile\-time by changing DEFAULT_UDP_PROBE_PORT in +\fInmap.h\fR. A highly uncommon port is used by default because sending to open ports is often undesirable for this particular scan type. +.sp +Upon hitting a closed port on the target machine, the UDP probe should elicit an ICMP port unreachable packet in return. This signifies to Nmap that the machine is up and available. Many other types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a down or unreachable host. A lack of response is also interpreted this way. If an open port is reached, most services simply ignore the empty packet and fail to return any response. This is why the default probe port is 31338, which is highly unlikely to be in use. A few services, such as chargen, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is available. +.sp +The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP. For example, I once owned a Linksys BEFW11S4 wireless broadband router. The external interface of this device filtered all TCP ports by default, but UDP probes would still elicit port unreachable messages and thus give away the device. +.TP +\fB\-PE\fR; \fB\-PP\fR; \fB\-PM\fR (ICMP Ping Types) +In addition to the unusual TCP and UDP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous +ping +program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (Echo Reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by +[1]\&\fIRFC 1122\fR. For this reason, ICMP\-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the +\fB\-PE\fR +option to enable this echo request behavior. +.sp +While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standard ([2]\&\fIRFC 792\fR) also specifies timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery. A system that replies is up and available. Nmap does not currently implement information request packets, as they are not widely supported. RFC 1122 insists that +\(lqa host SHOULD NOT implement these messages\(rq. Timestamp and address mask queries can be sent with the +\fB\-PP\fR +and +\fB\-PM\fR +options, respectively. A timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available. These two queries can be valuable when admins specifically block echo request packets while forgetting that other ICMP queries can be used for the same purpose. +.TP +\fB\-PR\fR (ARP Ping) +One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, especially those using RFC1918\-blessed private address ranges, the vast majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame. This is often slow and problematic, since operating systems weren't written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period. +.sp +ARP scan puts Nmap and its optimized algorithms in charge of ARP requests. And if it gets a response back, Nmap doesn't even need to worry about the IP\-based ping packets since it already knows the host is up. This makes ARP scan much faster and more reliable than IP\-based scans. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network. Even if different ping types (such as +\fB\-PE\fR +or +\fB\-PS\fR) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don't want to do an ARP scan, specify +\fB\-\-send_ip\fR. +.TP +\fB\-n\fR (No DNS resolution) +Tells Nmap to +\fInever\fR +do reverse DNS resolution on the active IP addresses it finds. Since DNS is often slow, this speeds things up. +.TP +\fB\-R\fR (DNS resolution for all targets) +Tells Nmap to +\fIalways\fR +do reverse DNS resolution on the target IP addresses. Normally this is only performed when a machine is found to be alive. +.TP +\fB\-\-system_dns\fR (Use system DNS resolver) +By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel for performance. Specify this option if you wish to use your system resolver instead (one IP at a time via the getnameinfo() call). This is slower and rarely useful unless there is a bug in the Nmap DNS code \-\- please contact us if that is the case. The system resolver is always used for IPv6 scans. +.SH "PORT SCANNING BASICS" +.PP +While Nmap has grown in functionality over the years, it began as an efficient port scanner, and that remains its core function. The simple command +\fBnmap \fR\fB\fItarget\fR\fR +scans more than 1660 TCP ports on the host +\fItarget\fR. While many port scanners have traditionally lumped all ports into the open or closed states, Nmap is much more granular. It divides ports into six states: +open, +closed, +filtered, +unfiltered, +open|filtered, or +closed|filtered. +.PP +These states are not intrinsic properties of the port itself, but describe how Nmap sees them. For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a scan at the same time with the same options from across the Internet might show that port as +filtered. +.PP +\fBThe six port states recognized by Nmap\fR +.TP +open +An application is actively accepting TCP connections or UDP packets on this port. Finding these is often the primary goal of port scanning. Security\-minded people know that each open port is an avenue for attack. Attackers and pen\-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non\-security scans because they show services available for use on the network. +.TP +closed +A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next. +.TP +filtered +Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host\-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically. +.TP +unfiltered +The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open. +.TP +open|filtered +Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP Protocol, FIN, Null, and Xmas scans classify ports this way. +.TP +closed|filtered +This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IPID Idle scan. +.SH "PORT SCANNING TECHNIQUES" +.PP +As a novice performing automotive repair, I can struggle for hours trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to the task at hand. When I fail miserably and tow my jalopy to a real mechanic, he invariably fishes around in a huge tool chest until pulling out the perfect gizmo which makes the job seem effortless. The art of port scanning is similar. Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a given task. Inexperienced users and script kiddies, on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it. +.PP +Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on UNIX systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always\-on direct Internet access, and desktop UNIX systems (including Linux and MAC OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible. +.PP +While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non\-RFC\-compliant hosts that do not respond as they should to Nmap probes. FIN, Null, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries. +.PP +This section documents the dozen or so port scan techniques supported by Nmap. Only one method may be used at a time, except that UDP scan (\fB\-sU\fR) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form +\fB\-s\fR\fB\fIC\fR\fR, where +\fIC\fR +is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (\fB\-b\fR). By default, Nmap performs a SYN Scan, though it substitutes a Connect() scan if the user does not have proper privileges to send raw packets (requires root access on UNIX) or if IPv6 targets were specified. Of the scans listed in this section, unprivileged users can only execute connect() and ftp bounce scans. +.TP +\fB\-sS\fR (TCP SYN scan) +SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's Fin/Null/Xmas, Maimon and Idle scans do. It also allows clear, reliable differentiation between the +open, +closed, and +filtered +states. +.sp +This technique is often referred to as half\-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non\-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is received. +.TP +\fB\-sT\fR (TCP connect() scan) +TCP Connect() scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the +connect() +system call. This is the same high\-level system call that web browsers, P2P clients, and most other network\-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt. +.sp +When SYN scan is available, it is usually a better choice. Nmap has less control over the high level +connect() +call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half\-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average UNIX system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned. +.TP +\fB\-sU\fR (UDP scans) +While most popular services on the Internet run over the TCP protocol, +[3]\&\fIUDP\fR +services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports. +.sp +UDP scan is activated with the +\fB\-sU\fR +option. It can be combined with a TCP scan type such as SYN scan (\fB\-sS\fR) to check both protocols during the same run. +.sp +UDP scan works by sending an empty (no data) UDP header to every targeted port. If an ICMP port unreachable error (type 3, code 3) is returned, the port is +closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as +filtered. Occasionally, a service will respond with a UDP packet, proving that it is +open. If no response is received after retransmissions, the port is classified as +open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Versions scan (\fB\-sV\fR) can be used to help differentiate the truly open ports from the filtered ones. +.sp +A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or Connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in +\fInet/ipv4/icmp.c\fR). +.sp +Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux\-style limit of one packet per second makes a 65,536\-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using +\fB\-\-host_timeout\fR +to skip slow hosts. +.TP +\fB\-sN\fR; \fB\-sF\fR; \fB\-sX\fR (TCP Null, FIN, and Xmas scans) +These three scan types (even more are possible with the +\fB\-\-scanflags\fR +option described in the next section) exploit a subtle loophole in the +[4]\&\fITCP RFC\fR +to differentiate between +open +and +closed +ports. Page 65 says that +\(lqif the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.\(rq +Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: +\(lqyou are unlikely to get here, but if you do, drop the segment, and return.\(rq +.sp +When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types: +.RS +.TP +Null scan (\fB\-sN\fR) +Does not set any bits (tcp flag header is 0) +.TP +FIN scan (\fB\-sF\fR) +Sets just the TCP FIN bit. +.TP +Xmas scan (\fB\-sX\fR) +Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree. +.RE +.IP +These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered +closed, while no response means it is +open|filtered. The port is marked +filtered +if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. +.sp +The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though \-\- most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled +closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most UNIX\-based systems though. Another downside of these scans is that they can't distinguish +open +ports from certain +filtered +ones, leaving you with the response +open|filtered. +.TP +\fB\-sA\fR (TCP ACK scan) +This scan is different than the others discussed so far in that it never determines +open +(or even +open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered. +.sp +The ACK scan probe packet has only the ACK flag set (unless you use +\fB\-\-scanflags\fR). When scanning unfiltered systems, +open +and +closed +ports will both return a RST packet. Nmap then labels them as +unfiltered, meaning that they are reachable by the ACK packet, but whether they are +open +or +closed +is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled +filtered. +.TP +\fB\-sW\fR (TCP Window scan) +Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing +unfiltered +when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as +unfiltered +when it receives a RST back, Window scan lists the port as +open +or +closed +if the TCP Window value in that reset is positive or zero, respectively. +.sp +This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Systems that don't support it will usually return all ports +closed. Of course, it is possible that the machine really has no open ports. If most scanned ports are +closed +but a few common port numbers (such as 22, 25, 53) are +filtered, the system is most likely susceptible. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1000 open ports and 3 closed or filtered ports, then those three may very well be the truly open ones. +.TP +\fB\-sM\fR (TCP Maimon scan) +The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as Null, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD\-derived systems simply drop the packet if the port is open. +.TP +\fB\-\-scanflags\fR (Custom TCP scan) +Truly advanced Nmap users need not limit themselves to the canned scan types offered. The +\fB\-\-scanflags\fR +option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules! +.sp +The +\fB\-\-scanflags\fR +argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of +URG, +ACK, +PSH, +RST, +SYN, and +FIN. For example, +\fB\-\-scanflags URGACKPSHRSTSYNFIN\fR +sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant. +.sp +In addition to specifying the desired flags, you can specify a TCP scan type (such as +\fB\-sA\fR +or +\fB\-sF\fR). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no\-response to indicate a +filtered +port, while a FIN scan treats the same as +open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used. +.TP +\fB\-sI \fR (Idlescan) +This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side\-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). This fascinating scan type is too complex to fully describe in this reference guide, so I wrote and posted an informal paper with full details at +\fI\%http://www.insecure.org/nmap/idlescan.html\fR. +.sp +Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP\-based trust relationships between machines. The port listing shows open ports +\fIfrom the perspective of the zombie host.\fR +So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules). +.sp +You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IPID changes. Otherwise Nmap will use the port it uses by default for tcp pings (80). +.TP +\fB\-sO\fR (IP protocol scan) +IP Protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the +\fB\-p\fR +option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here. +.sp +Besides being useful in its own right, protocol scan demonstrates the power of open source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an excellent patch implementing it, and sent it to the nmap\-hackers mailing list. I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute their own improvements! +.sp +Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the 8\-bit IP protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The three exceptions are TCP, UDP, and ICMP. A proper protocol header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them. Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP +\fIprotocol\fR +unreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as +open. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as +closed +Other ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the protocol to be marked +filtered +(though they prove that ICMP is +open +at the same time). If no response is received after retransmissions, the protocol is marked +open|filtered +.TP +\fB\-b \fR (FTP bounce scan) +An interesting feature of the FTP protocol ([5]\&\fIRFC 959\fR) is support for so\-called proxy ftp connections. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports ftp bounce scan with the +\fB\-b\fR +option. It takes an argument of the form +\fIusername\fR:\fIpassword\fR@\fIserver\fR:\fIport\fR. +\fIServer\fR +is the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit +\fIusername\fR:\fIpassword\fR, in which case anonymous login credentials (user: +anonymous +password:\-wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on +\fIserver\fR +is used. +.sp +This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed. Vulnerable servers are still around, so it is worth trying when all else fails. If bypassing a firewall is your goal, scan the target network for open port 21 (or even for any ftp services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target network. Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way. +.SH "PORT SPECIFICATION AND SCAN ORDER" +.PP +In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. By default, Nmap scans all ports up to and including 1024 as well as higher numbered ports listed in the +\fInmap\-services\fR +file for the protocol(s) being scanned. +.TP +\fB\-p \fR (Only scan specified ports) +This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1\-1023). The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify +\fB\-p\-\fR +to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning (\fB\-sO\fR), this option specifies the protocol numbers you wish to scan for (0\-255). +.sp +When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port numbers by +T: +or +U:. The qualifier lasts until you specify another qualifier. For example, the argument +\fB\-p U:53,111,137,T:21\-25,80,139,8080\fR +would scan UDP ports 53,111,and 137, as well as the listed TCP ports. Note that to scan both UDP & TCP, you have to specify +\fB\-sU\fR +and at least one TCP scan type (such as +\fB\-sS\fR, +\fB\-sF\fR, or +\fB\-sT\fR). If no protocol qualifier is given, the port numbers are added to all protocol lists. +.TP +\fB\-F\fR (Fast (limited port) scan) +Specifies that you only wish to scan for ports listed in the +\fInmap\-services\fR +file which comes with nmap (or the protocols file for +\fB\-sO\fR). This is much faster than scanning all 65535 ports on a host. Because this list contains so many TCP ports (more than 1200), the speed difference from a default TCP scan (about 1650 ports) isn't dramatic. The difference can be enormous if you specify your own tiny +\fInmap\-services\fR +file using the +\fB\-\-datadir\fR +option. +.TP +\fB\-r\fR (Don't randomize ports) +By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify +\fB\-r\fR +for sequential port scanning instead. +.SH "SERVICE AND VERSION DETECTION" +.PP +Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its +\fInmap\-services\fR +database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate \-\- the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports. +.PP +Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection helps you obtain this information. +.PP +After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The +\fInmap\-service\-probes\fR +database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. ftp, ssh, telnet, http), the application name (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name). Of course, most services don't provide all of this information. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer. When RPC services are discovered, the Nmap RPC grinder (\fB\-sR\fR) is automatically used to determine the RPC program and version numbers. Some UDP ports are left in the +open|filtered +state after a UDP port scan is unable to determine whether the port is open or filtered. Version detection will try to elicit a response from these ports (just as it does with open ports), and change the state to open if it succeeds. +open|filtered +TCP ports are treaded the same way. Note that the Nmap +\fB\-A\fR +option enables version detection among other things. A paper documenting the workings, usage, and customization of version detection is available at +\fI\%http://www.insecure.org/nmap/vscan/\fR. +.PP +When Nmap receives responses from a service but cannot match them to its database, it prints out a special fingerprint and a URL for you to submit if to if you know for sure what is running on the port. Please take a couple minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 3,000 pattern matches for more than 350 protocols such as smtp, ftp, http, etc. +.PP +Version detection is enabled and controlled with the following options: +.TP +\fB\-sV\fR (Version detection) +Enables version detection, as discussed above. Alternatively, you can use +\fB\-A\fR +to enable both OS detection and version detection. +.TP +\fB\-\-allports\fR (Don't exclude any ports from version detection) +By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc. This behavior can be changed by modifying or removing the +Exclude +directive in +\fInmap\-service\-probes\fR, or you can specify +\fB\-\-allports\fR +to scan all ports regardless of any +Exclude +directive. +.TP +\fB\-\-version_intensity \fR (Set version scan intensity) +When performing a version scan (\fB\-sV\fR), nmap sends a series of probes, each of which is assigned a rarity value between 1 and 9. The lower\-numbered probes are effective against a wide variety of common services, while the higher numbered ones are rarely useful. The intensity level specifies which probes should be applied. The higher the number, the more likely it is the service will be correctly identified. However, high intensity scans take longer. The intensity must be between 0 and 9. The default is 7. When a probe is registered to the target port via the +\fInmap\-service\-probes\fRports +directive, that probe is tried regardless of intensity level. This ensures that the DNS probes will always be attempted against any open port 53, the SSL probe will be done against 443, etc. +.TP +\fB\-\-version_light\fR (Enablie light mode) +This is a convenience alias for +\fB\-\-version_intensity 2\fR. This light mode makes version scanning much faster, but it is slightly less likely to identify services. +.TP +\fB\-\-version_all\fR (Try every single probe) +An alias for +\fB\-\-version_intensity 9\fR, ensuring that every single probe is attempted against each port. +.TP +\fB\-\-version_trace\fR (Trace version scan activity) +This causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with +\fB\-\-packet_trace\fR. +.TP +\fB\-sR\fR (RPC scan) +This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as +\fBrpcinfo \-p\fR +even if the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. This is automatically enabled as part of version scan (\fB\-sV\fR) if you request that. As version detection includes this and is much more comprehensive, +\fB\-sR\fR +is rarely needed. +.SH "OS DETECTION" +.PP +One of Nmap's best\-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IPID sampling, and the initial window size check, Nmap compares the results to its +\fInmap\-os\-fingerprints\fR +database of more than 1500 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). +.PP +If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone. +.PP +OS detection enables several other tests which make use of information that is gathered during the process anyway. One of these is uptime measurement, which uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted. This is only reported for machines which provide this information. Another is TCP Sequence Predictability Classification. This measures approximately how hard it is to establish a forged TCP connection against the remote host. It is useful for exploiting source\-IP based trust relationships (rlogin, firewall filters, etc) or for hiding the source of an attack. This sort of spoofing is rarely performed any more, but many machines are still vulnerable to it. The actual difficulty number is based on statistical sampling and may fluctuate. It is generally better to use the English classification such as +\(lqworthy challenge\(rq +or +\(lqtrivial joke\(rq. This is only reported in normal output in verbose (\fB\-v\fR) mode. When verbose mode is enabled along with +\fB\-O\fR, IPID Sequence Generation is also reported. Most machines are in the +\(lqincremental\(rq +class, which means that they increment the ID field in the IP header for each packet they send. This makes them vulnerable to several advanced information gathering and spoofing attacks. +.PP +A paper documenting the workings, usage, and customization of version detection is available in more than a dozen languages at +\fI\%http://www.insecure.org/nmap/nmap\-fingerprinting\-article.html\fR. +.PP +OS detection is enabled and controlled with the following options: +.TP +\fB\-O\fR (Enable OS detection) +Enables OS detection, as discussed above. Alternatively, you can use +\fB\-A\fR +to enable both OS detection and version detection. +.TP +\fB\-\-osscan_limit\fR (Limit OS detection to promising targets) +OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet this criteria. This can save substantial time, particularly on +\fB\-P0\fR +scans against many hosts. It only matters when OS detection is requested with +\fB\-O\fR +or +\fB\-A\fR. +.TP +\fB\-\-osscan_guess\fR; \fB\-\-fuzzy\fR (Guess OS detection results) +When Nmap is unable to detect a perfect OS match, it sometimes offers up near\-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these (equivalent) options make Nmap guess more aggressively. +.SH "TIMING AND PERFORMANCE" +.PP +One of my highest Nmap development priorities has always been performance. A default scan (\fBnmap \fR\fB\fIhostname\fR\fR) of a host on my local network takes a fifth of a second. That is barely enough time to blink, but adds up when you are scanning tens or hundreds of thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints. +.PP +Techniques for improving scan times include omitting non\-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). Optimizing timing parameters can also make a substantial difference. Those options are listed below. +.TP +\fB\-\-min_hostgroup \fR; \fB\-\-max_hostgroup \fR (Adjust parallel scan group sizes) +Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger groups are more efficient. The downside is that host results can't be provided until the whole group is finished. So if Nmap started out with a group size of 50, the user would not receive any reports (except for the updates offered in verbose mode) until the first 50 hosts are completed. +.sp +By default, Nmap takes a compromise approach to this conflict. It starts out with a group size as low as five so the first results come quickly and then increases the groupsize to as high as 1024. The exact default numbers depend on the options given. For efficiency reasons, Nmap uses larger group sizes for UDP or few\-port TCP scans. +.sp +When a maximum group size is specified with +\fB\-\-max_hostgroup\fR, Nmap will never exceed that size. Specify a minimum size with +\fB\-\-min_hostgroup\fR +and Nmap will try to keep group sizes above that level. Nmap may have to use smaller groups than you specify if there are not enough target hosts left on a given interface to fulfill the specified minimum. Both may be set to keep the group size within a specific range, though this is rarely desired. +.sp +The primary use of these options is to specify a large minimum group size so that the full scan runs more quickly. A common choice is 256 to scan a network in Class C sized chunks. For a scan with many ports, exceeding that number is unlikely to help much. For scans of just a few port numbers, host group sizes of 2048 or more may be helpful. +.TP +\fB\-\-min_parallelism \fR; \fB\-\-max_parallelism \fR (Adjust probe parallelization) +These options control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever\-changing ideal parallelism based on network performance. If packets are being dropped, Nmap slows down and allows fewer outstanding probes. The ideal probe number slowly rises as the network proves itself worthy. These options place minimum or maximum bounds on that variable. By default, the ideal parallelism can drop to 1 if the network proves unreliable and rise to several hundred in perfect conditions. +.sp +The most common usage is to set +\fB\-\-min_parallelism\fR +to a number higher than one to speed up scans of poorly performing hosts or networks. This is a risky option to play with, as setting it too high may affect accuracy. Setting this also reduces Nmap's ability to control parallelism dynamically based on network conditions. A value of ten might be reasonable, though I only adjust this value as a last resort. +.sp +The +\fB\-\-max_parallelism\fR +option is sometimes set to one to prevent Nmap from sending more than one probe at a time to hosts. This can be useful in combination with +\fB\-\-scan_delay\fR +(discussed later), although the latter usually serves the purpose well enough by itself. +.TP +\fB\-\-min_rtt_timeout \fR, \fB\-\-max_rtt_timeout \fR, \fB\-\-initial_rtt_timeout \fR (Adjust probe timeouts) +Nmap maintains a running timeout value for determining how long it will wait for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes. If the network latency shows itself to be significant and variable, this timeout can grow to several seconds. It also starts at a conservative (high) level and may stay that way for a while when Nmap scans unresponsive hosts. +.sp +These options take a value in milliseconds. Specifying a lower +\fB\-\-max_rtt_timeout\fR +and +\fB\-\-initial_rtt_timeout\fR +than the defaults can cut scan times significantly. This is particularly true for pingless (\fB\-P0\fR) scans, and those against heavily filtered networks. Don't get too aggressive though. The scan can end up taking longer if you specify such a low value that many probes are timing out and retransmitting while the response is in transit. +.sp +If all the hosts are on a local network, 100 milliseconds is a reasonable aggressive +\fB\-\-max_rtt_timeout\fR +value. If routing is involved, ping a host on the network first with the ICMP ping utility, or with a custom packet crafter such as hping2 that is more likely to get through a firewall. Look at the maximum round trip time out of ten packets or so. You might want to double that for the +\fB\-\-initial_rtt_timeout\fR +and triple or quadruple it for the +\fB\-\-max_rtt_timeout\fR. I generally do not set the maximum rtt below 100ms, no matter what the ping times are. Nor do I exceed 1000ms. +.sp +\fB\-\-min_rtt_timeout\fR +is a rarely used option that could be useful when a network is so unreliable that even Nmap's default is too aggressive. Since Nmap only reduces the timeout down to the minimum when the network seems to be reliable, this need is unusual and should be reported as a bug to the nmap\-dev mailing list. +.TP +\fB\-\-host_timeout \fR (Give up on slow target hosts) +Some hosts simply take a +\fIlong\fR +time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. This can be done by specifying +\fB\-\-host_timeout\fR +with the number of milliseconds you are willing to wait. I often specify 1800000 to ensure that Nmap doesn't waste more than half an hour on a single host. Note that Nmap may be scanning other hosts at the same time during that half an hour as well, so it isn't a complete loss. A host that times out is skipped. No port table, OS detection, or version detection results are printed for that host. +.TP +\fB\-\-scan_delay \fR; \fB\-\-max_scan_delay \fR (Adjust delay between probes) +This option causes Nmap to wait at least the given number of milliseconds between each probe it sends to a given host. This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A +\fB\-\-scan_delay\fR +of 1000 will keep Nmap at that slow rate. Nmap tries to detect rate limiting and adjust the scan delay accordingly, but it doesn't hurt to specify it explicitly if you already know what rate works best. +.sp +Another use of +\fB\-\-scan_delay\fR +is to evade threshold based intrusion detection and prevention systems (IDS/IPS). +.TP +\fB\-T \fR (Set a timing template) +While the fine grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the +\fB\-T\fR +option and their number (0 \- 5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so +\fB\-T3\fR +does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. +.sp +These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values. The templates also make some minor speed adjustments for which fine grained control options do not currently exist. For example, +\fB\-T4\fR +prohibits the dynamic scan delay from exceeding 10ms for TCP ports and +\fB\-T5\fR +caps that value at 5 milliseconds. Templates can be used in combination with fine grained controls, as long as the template is specified first. Otherwise the standard values for the template may override the values you specify. I recommend using +\fB\-T4\fR +when scanning reasonably modern and reliable networks. Keep that option (at the beginning of the command line) even when you add fine grained controls so that you benefit from those extra minor optimizations that it enables. +.sp +If you are on a decent broadband or ethernet connection, I would recommend always using +\fB\-T4\fR. Some people love +\fB\-T5\fR +though it is too aggressive for my taste. People sometimes specify +\fB\-T2\fR +because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow +\fB\-T Polite\fR +really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (\fB\-T3\fR) and so I normally recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems. +.sp +While +\fB\-T0\fR +and +\fB\-T1\fR +may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned +\fB\-T0\fR +and +\fB\-T1\fR +values. +.sp +The main effects of +\fBT0\fR +are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe. +\fBT1\fR +and +\fBT2\fR +are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes. +\fBT3\fR +is Nmap's default behavior, which includes parallelization. +\fBT4\fR +does the equivalent of +\fB\-\-max_rtt_timeout 1250 \-\-initial_rtt_timeout 500\fR +and sets the maximum TCP scan delay to 10 milliseconds. +\fBT5\fR +does the equivalent of +\fB\-\-max_rtt_timeout 300 \-\-min_rtt_timeout 50 \-\-initial_rtt_timeout 250 \-\-host_timeout 900000\fR +as well as setting the maximum TCP scan delay to 5ms. +.SH "FIREWALL/IDS EVASION AND SPOOFING" +.PP +Many Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any two nodes. This allows hosts to act as true peers, serving and retrieving information from each other. People could access all of their home systems from work, changing the climate control settings or unlocking the doors for early guests. This vision of universal connectivity has been stifled by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls for the express purpose of reducing connectivity. Huge networks were cordoned off from the unfiltered Internet by application proxies, network address translation, and packet filters. The unrestricted flow of information gave way to tight regulation of approved communication channels and the content that passes over them. +.PP +Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mindset of an attacker, and deploy techniques from this section against your networks. Launch an FTP bounce scan, Idle scan, fragmentation attack, or try to tunnel through one of your own proxies. +.PP +In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Many of these products have recently morphed into intrusion +\fIprevention\fR +systems (IPS) that actively block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help of certain Nmap options can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positive results where innocent activity is misdiagnosed and alerted on or blocked. +.PP +Occasionally people suggest that Nmap should not offer features for evading firewall rules or sneaking past IDSs. They argue that these features are just as likely to be misused by attackers as used by administrators to enhance security. The problem with this logic is that these methods would still be used by attackers, who would just find other tools or patch the functionality into Nmap. Meanwhile, administrators would find it that much harder to do their jobs. Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack. +.PP +There is no magic bullet (or Nmap option) for detecting and subverting firewalls and IDS systems. It takes skill and experience. A tutorial is beyond the scope of this reference guide, which only lists the relevant options and describes what they do. +.TP +\fB\-f\fR (fragment packets); \fB\-\-mtu\fR (using the specified MTU) +The +\fB\-f\fR +option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old\-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into 8 bytes or less after the IP header. So a 20\-byte TCP header would be split into 3 packets. Two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify +\fB\-f\fR +again to use 16 bytes per fragment (reducing the number of fragments). Or you can specify your own offset size with the +\fB\-\-mtu\fR +option. Don't also specify +\fB\-f\fR +if you use +\fB\-\-mtu\fR. The offset must be a multiple of 8. While fragmented packets won't get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some networks can't afford the performance hit this causes and thus leave it disabled. Others can't enable this because fragments may take different routes into their networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while a sniffer such as Ethereal is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the +\fB\-\-send_eth\fR +option to bypass the IP layer and send raw ethernet frames. +.TP +\fB\-D \fR (Cloak a scan with decoys) +Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5\-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response\-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address. +.sp +Separate each decoy host with commas, and you can optionally use +ME +as one of the decoys to represent the position for your real IP address. If you put +ME +in the 6th position or later, some common port scan detectors (such as Solar Designer's excellent scanlogd) are unlikely to show your IP address at all. If you don't use +ME, nmap will put you in a random position. +.sp +Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network. You might want to use IP addresses instead of names (so the decoy networks don't see you in their nameserver logs). +.sp +Decoys are used both in the initial ping scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (\fB\-O\fR). Decoys do not work with version detection or TCP connect() scan. +.sp +It is worth noting that using too many decoys may slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, but many do not restrict spoofed IP packets at all. +.TP +\fB\-S \fR (Spoof source address) +In some circumstances, Nmap may not be able to determine your source address ( Nmap will tell you if this is the case). In this situation, use +\fB\-S\fR +with the IP address of the interface you wish to send packets through. +.sp +Another possible use of this flag is to spoof the scan to make the targets think that +\fIsomeone else\fR +is scanning them. Imagine a company being repeatedly port scanned by a competitor! The +\fB\-e\fR +option would generally be required for this sort of usage, and +\fB\-P0\fR +would normally be advisable as well. +.TP +\fB\-e \fR (Use specified interface) +Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot. +.TP +\fB\-\-source_port ;\fR \fB\-g \fR (Spoof source port number) +One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, only to be flooded with complains from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file. +.sp +Secure solutions to these problems exist, often in the form of application\-level proxies or protocol\-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active ftp from port 20, many admins have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, admins consider this a short\-term stop\-gap measure until they can implement a more secure solution. Then they forget the security upgrade. +.sp +Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). In another well\-known case, versions of the Zone Alarm personal firewall up to 2.1.25 allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP). +.sp +Nmap offers the +\fB\-g\fR +and +\fB\-\-source_port\fR +options (they are equivalent) to exploit these weaknesses. Simply provide a port number and Nmap will send packets from that port where possible. Nmap must use different port numbers for certain OS detection tests to work properly, and DNS requests ignore the +\fB\-\-source_port\fR +flag because Nmap relies on system libraries to handle those. Most TCP scans, including SYN scan, support the option completely, as does UDP scan. +.TP +\fB\-\-data_length \fR (Append random data to sent packets) +Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. This option tells Nmap to append the given number of random bytes to most of the packets it sends. OS detection (\fB\-O\fR) packets are not affected, but most pinging and portscan packets are. This slows things down, but can make a scan slightly less conspicuous. +.TP +\fB\-\-ttl \fR (Set IP time\-to\-live field) +Sets the IPv4 time\-to\-live field in sent packets to the given value. +.TP +\fB\-\-randomize_hosts\fR (Randomize target host order) +Tells Nmap to shuffle each group of up to 8096 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. If you want to randomize over larger group sizes, increase PING_GROUP_SZ in +\fInmap.h\fR +and recompile. An alternative solution is to generate the target IP list with a list scan (\fB\-sL \-n \-oN \fR\fB\fIfilename\fR\fR), randomize it with a Perl script, then provide the whole list to Nmap with +\fB\-iL\fR. +.TP +\fB\-\-spoof_mac \fR (Spoof MAC address) +Asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. This option implies +\fB\-\-send_eth\fR +to ensure that Nmap actually sends ethernet\-level packets. The MAC given can take several formats. If it is simply the string +\(lq0\(rq, Nmap chooses a completely random MAC for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If less than 12 hex digits are provided, Nmap fills in the remainder of the 6 bytes with random values. If the argument isn't a 0 or hex string, Nmap looks through +\fInmap\-mac\-prefixes\fR +to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI (3\-byte prefix) and fills out the remaining 3 bytes randomly. Valid +\fB\-\-spoof_mac\fR +argument examples are +Apple, +0, +01:02:03:04:05:06, +deadbeefcafe, +0020F2, and +Cisco. +.SH "OUTPUT" +.PP +Any security tools is only as useful as the output it generates. Complex tests and algorithms are of little value if they aren't presented in an organized and comprehensible fashion. Given the number of ways Nmap is used by people and other software, no single format can please everyone. So Nmap offers several formats, including the interactive mode for humans to read directly and XML for easy parsing by software. +.PP +In addition to offering different output formats, Nmap provides options for controlling the verbosity of output as well as debugging messages. Output types may be sent to standard output or to named files, which Nmap can append to or clobber. Output files may also be used to resume aborted scans. +.PP +Nmap makes output available in five different formats. The default is called +interactive output, and it is sent to standard output (stdout). There is also +normal output, which is similar to +interactive +except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively. +.PP +XML output is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases. +.PP +The two remaining output types are the simple +grepable output +which includes most information for a target host on a single line, and +sCRiPt KiDDi3 0utPUt +for users who consider themselves |<\-r4d. +.PP +While interactive output is the default and has no associated command\-line options, the other four format options use the same syntax. They take one argument, which is the filename that results should be stored in. Multiple formats may be specified, but each format may only be specified once. For example, you may wish to save normal output for your own review while saving XML of the same scan for programmatic analysis. You might do this with the options +\fB\-oX myscan.xml \-oN myscan.nmap\fR. While this chapter uses the simple names like +myscan.xml +for brevity, more descriptive names are generally recommended. The names chosen are a matter of personal preference, though I use long ones that incorporate the scan date and a word or two describing the scan, placed in a directory named after the company I'm scanning. +.PP +While these options save results to files, Nmap still prints interactive output to stdout as usual. For example, the command +\fBnmap \-oX myscan.xml target\fR +prints XML to +\fImyscan.xml\fR +and fills standard output with the same interactive results it would have printed if +\fB\-oX\fR +wasn't specified at all. You can change this by passing a hyphen character as the argument to one of the format types. This causes Nmap to deactivate interactive output, and instead print results in the format you specified to the standard output stream. So the command +\fBnmap \-oX \- target\fR +will send only XML output to stdout. Serious errors may still be printed to the normal error stream, stderr. +.PP +Unlike some Nmap arguments, the space between the logfile option flag (such as +\fB\-oX\fR) and the filename or hyphen is mandatory. If you omit the flags and give arguments such as +\fB\-oG\-\fR +or +\fB\-oXscan.xml\fR, a backwards compatibility feature of Nmap will cause the creation of +\fInormal format\fR +output files named +\fIG\-\fR +and +\fIXscan.xml\fR +respectively. +.PP +Nmap also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described belowe. +.PP +\fBNmap Output Formats\fR +.TP +\fB\-oN \fR (Normal output) +Requests that +normal output +be directed to the given filename. As discussed above, this differs slightly from +interactive output. +.TP +\fB\-oX \fR (XML output) +Requests that +XML output +be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. The latest version is always available from +\fI\%http://www.insecure.org/nmap/data/nmap.dtd\fR. +.sp +XML offers a stable format that is easily parsed by software. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings for most of these languages to handle Nmap output and execution specifically. Examples are +[6]\&\fINmap::Scanner\fR +and +[7]\&\fINmap::Parser\fR +in Perl CPAN. In almost all cases that a non\-trivial application interfaces with Nmap, XML is the preferred format. +.sp +The XML output references an XSL stylesheet which can be used to format the results as HTML. The easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to the hard\-coded +\fInmap.xsl\fR +filesystem path. See the +\fB\-\-stylesheet\fR +option for a way to create a portable XML file that renders as HTML on any web\-connected machine. +.TP +\fB\-oS \fR (ScRipT KIdd|3 oUTpuT) +Script kiddie output is like interactive output, except that it is post\-processed to better suit the 'l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization and spelling. Humor impaired people should note that this option is making fun of the script kiddies before flaming me for supposedly +\(lqhelping them\(rq. +.TP +\fB\-oG \fR (Grepable output) +This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of excellent parsers are available, while grepable output is my own simple hack. XML is extensible to support new Nmap features as they are released, while I often must omit those features from grepable output for lack of a place to put them. +.sp +Nevertheless, grepable output is still quite popular. It is a simple format that lists each host on one line and can be trivially searched and parsed with standard UNIX tools such as grep, awk, cut, sed, diff, and Perl. Even I usually use it for one\-off tests done at the command line. Finding all the hosts with the ssh port open or that are running Solaris takes only a simple grep to identify the hosts, piped to an awk or cut command to print the desired fields. +.sp +Grepable output consists of comments (lines starting with a pound (#)) and target lines. A target line includes a combination of 6 labeled fields, separated by tabs and followed with a colon. The fields are +Host, +Ports, +Protocols, +Ignored State, +OS, +Seq Index, +IPID, and +Status. +.sp +The most important of these fields is generally +Ports, which gives details on each interesting port. It is a comma separated list of port entries. Each port entry represents one interesting port, and takes the form of seven slash (/) separated subfields. Those subfields are: +Port number, +State, +Protocol, +Owner, +Service, +SunRPC info, and +Version info. +.sp +As with XML output, this man page does not allow for documenting the entire format. A more detailed look at the Nmap grepable output format is available from +\fI\%http://www.unspecific.com/nmap\-oG\-output\fR. +.TP +\fB\-oA \fR (Output to all formats) +As a convenience, you may specify +\fB\-oA \fR\fB\fIbasename\fR\fR +to store scan results in normal, XML, and grepable formats at once. They are stored in +\fIbasename\fR.nmap, +\fIbasename\fR.xml, and +\fIbasename\fR.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as +\fI~/nmaplogs/foocorp/\fR +on UNIX or +\fIc:\\hacking\\sco\fR +on Windows. +.PP +\fBVerbosity and debugging options\fR +.TP +\fB\-v\fR (Increase verbosity level) +Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice for even greater verbosity. Using it more than twice has no effect. +.sp +Most changes only affect interactive output, and some also affect normal and script kiddie output. The other output types are meant to be processed by machines, so Nmap can give substantial detail by default in those formats without fatiguing a human user. However, there are a few changes in other modes where output size can be reduced substantially by omitting some detail. For example, a comment line in the grepable output that provides a list of all ports scanned is only printed in verbose mode because it can be quite long. +.TP +\fB\-d [level]\fR (Increase or set debugging level) +When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (\fB\-v\fR), debugging is enabled with a command\-line flag (\fB\-d\fR) and the debug level can be increased by specifying it multiple times. Alternatively, you can set a debug level by giving an argument to +\fB\-d\fR. For example, +\fB\-d9\fR +sets level nine. That is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets. +.sp +Debugging output is useful when a bug is suspected in Nmap, or if you are simply confused as to what Nmap is doing and why. As this feature is mostly intended for developers, debug lines aren't always self\-explanatory. You may get something like: +Timeout vals: srtt: \-1 rttvar: \-1 to: 1000000 delta 14987 ==> srtt: 14987 rttvar: 14987 to: 100000. If you don't understand a line, your only recourses are to ignore it, look it up in the source code, or request help from the development list (nmap\-dev). Some lines are self explanatory, but the messages become more obscure as the debug level is increased. +.TP +\fB\-\-packet_trace\fR (Trace packets and data sent and received) +Causes Nmap to print a summary of every packet sent or received. This is often used for debugging, but is also a valuable way for new users to understand exactly what Nmap is doing under the covers. To avoid printing thousands of lines, you may want to specify a limited number of ports to scan, such as +\fB\-p20\-30\fR. If you only care about the goings on of the version detection subsystem, use +\fB\-\-version_trace\fR +instead. +.TP +\fB\-\-iflist\fR (List interfaces and routes) +Prints the interface list and system routes as detected by Nmap. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as Ethernet). +.PP +\fBMiscellaneous output options\fR +.TP +\fB\-\-append_output\fR (Append to rather than clobber output files) +When you specify a filename to an output format flag such as +\fB\-oX\fR +or +\fB\-oN\fR, that file is overwritten by default. If you prefer to keep the existing content of the file and append the new results, specify the +\fB\-\-append_output\fR +option. All output filenames specified in that Nmap execution will then be appended to rather than clobbered. This doesn't work well for XML (\fB\-oX\fR) scan data as the resultant file generally won't parse properly until you fix it up by hand. +.TP +\fB\-\-resume \fR (Resume aborted scan) +Some extensive Nmap runs take a very long time \-\- on the order of days. Such scans don't always run to completion. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash. The admin running Nmap could cancel it for any other reason as well, by pressing +ctrl\-C. Restarting the whole scan from the beginning may be undesirable. Fortunately, if normal (\fB\-oN\fR) or grepable (\fB\-oG\fR) logs were kept, the user can ask Nmap to resume scanning with the target it was working on when execution ceased. Simply specify the +\fB\-\-resume\fR +option and pass the normal/grepable output file as its argument. No other arguments are permitted, as Nmap parses the output file to use the same ones specified previously. Simply call Nmap as +\fBnmap \-\-resume \fR\fB\fIlogfilename\fR\fR. Nmap will append new results to the data files specified in the previous execution. Resumption does not support the XML output format because combining the two runs into one valid XML file would be difficult. +.TP +\fB\-\-stylesheet \fR (Set XSL stylesheet to transform XML output) +Nmap ships with an XSL stylesheet named +\fInmap.xsl\fR +for viewing or translating XML output to HTML. The XML output includes an +xml\-stylesheet +directive which points to +\fInmap.xml\fR +where it was initially installed by Nmap (or in the current working directory on Windows). Simply load Nmap's XML output in a modern web browser and it should retrieve +\fInmap.xsl\fR +from the filesystem and use it to render results. If you wish to use a different stylesheet, specify it as the argument to +\fB\-\-stylesheet\fR. You must pass the full pathname or URL. One common invocation is +\fB\-\-stylesheet http://www.insecure.org/nmap/data/nmap.xsl\fR +. This tells a browser to load the latest version of the stylesheet from Insecure.Org. This makes it easier to view results on a machine that doesn't have Nmap (and thus +\fInmap.xsl\fR) installed. So the URL is often more useful, but the local filesystem location of nmap.xsl is used by default for privacy reasons. +.TP +\fB\-\-no_stylesheet\fR (Omit XSL stylesheet declaration from XML) +Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The +xml\-stylesheet +directive is omitted. +.SH "MISCELLANEOUS OPTIONS" +.PP +This section describes some important (and not\-so\-important) options that don't really fit anywhere else. +.TP +\fB\-6\fR (Enable IPv6 scanning) +Since 2002, Nmap has offered IPv6 support for its most popular features. In particular, ping scanning (TCP\-only), connect() scanning, and version detection all support IPv6. The command syntax is the same as usual except that you also add the +\fB\-6\fR +option. Of course, you must use IPv6 syntax if you specify an address rather than a hostname. An address might look like +3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended. The output looks the same as usual, with the IPv6 address on the +\(lqinteresting ports\(rq +line being the only IPv6 give away. +.sp +While IPv6 hasn't exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it. To use Nmap with IPv6, both the source and target of your scan must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap. One of the better ones is run by BT Exact at +\fI\%https://tb.ipv6.btexact.com/\fR. I have also used one that Hurricane Electric provides at +\fI\%http://ipv6tb.he.net/\fR. 6to4 tunnels are another popular, free approach. +.TP +\fB\-A\fR (Aggressive scan options) +This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS Detection (\fB\-O\fR) and version scanning (\fB\-sV\fR). More features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. This option only enables features, and not timing options (such as +\fB\-T4\fR) or verbosity options (\fB\-v\fR) that you might want as well. +.TP +\fB\-\-datadir \fR (Specify custom Nmap data file location) +Nmap obtains some special data at runtime in files named +\fInmap\-service\-probes\fR, +\fInmap\-services\fR, +\fInmap\-protocols\fR, +\fInmap\-rpc\fR, +\fInmap\-mac\-prefixes\fR, and +\fInmap\-os\-fingerprints\fR. Nmap first searches these files in the directory specified with the +\fB\-\-datadir\fR +option (if any). Any files not found there, are searched for in the directory specified by the NMAPDIR environmental variable. Next comes +\fI~/.nmap\fR +for real and effective UIDs (POSIX systems only) or location of the Nmap executable (Win32 only), and then a compiled\-in location such as +\fI/usr/local/share/nmap\fR +or +\fI/usr/share/nmap\fR +. As a last resort, Nmap will look in the current directory. +.TP +\fB\-\-send_eth\fR (Use raw ethernet sending) +Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for the platform it is running on. Raw sockets (IP layer) are generally most efficient for UNIX machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nmap still uses raw IP packets on UNIX despite this option when there is no other choice (such as non\-ethernet connections). +.TP +\fB\-\-send_ip\fR (Send at raw IP level) +Asks Nmap to send packets via raw IP sockets rather than sending lower level ethernet frames. It is the complement to the +\fB\-\-send\-eth\fR +option discussed previously. +.TP +\fB\-\-privileged\fR (Assume that the user is fully privileged) +Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on UNIX systems. By default Nmap quits if such operations are requested but geteuid() is not zero. +\fB\-\-privileged\fR +is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw\-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED variable may be set as an equivalent alternative to +\fB\-\-privileged\fR. +.TP +\fB\-\-interactive\fR (Start in interactive mode) +Starts Nmap in interactive mode, which offers an interactive Nmap prompt allowing easy launching of multiple scans (either synchronously or in the background). This is useful for people who scan from multi\-user systems as they often want to test their security without letting everyone else on the system know exactly which systems they are scanning. Use +\fB\-\-interactive\fR +to activate this mode and then type +h +for help. This option is rarely used because proper shells are usually more familiar and feature\-complete. This option includes a bang (!) operator for executing shell commands, which is one of many reasons not to install Nmap setuid root. +.TP +\fB\-V\fR; \fB\-\-version\fR (Print version number) +Prints the Nmap version number and exits. +.TP +\fB\-h\fR; \fB\-\-help\fR (Print help summary page) +Prints a short help screen with the most common command flags. Running Nmap without any arguments does the same thing. +.SH "RUNTIME INTERACTION" +.PP +This feature does not yet exist in Nmap. I need to either add it or remove this section +.PP +During the execution of nmap, all key presses are captured. This allows you to interact with the program without aborting and restarting it. Certain special keys will change options, while any other keys will print out a status message telling you about the scan. The convention is that +\fIlowercase letters increase\fR +the amount of printing, and +\fIuppercase letters decrease\fR +the printing. +.TP +\fBv\fR / \fBV\fR +Increase / Decrease the Verbosity +.TP +\fBd\fR / \fBD\fR +Increase / Decrease the Debugging Level +.TP +\fBp\fR / \fBP\fR +Turn on / off Packet Tracing +.TP +Anything else +Print out a status message like this: +.sp +Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan +.sp +Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining) +.SH "EXAMPLES" +.PP +Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place you should substitute addresses/names from +\fIyour own network.\fR. While I don't think port scanning other networks is or should be illegal, some network administrators don't appreciate unsolicited scanning of their networks and may complain. Getting permission first is the best approach. +.PP +For testing purposes, you have permission to scan the host +scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report +Failed to resolve given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts +scanme2.nmap.org, +scanme3.nmap.org, and so on, though those hosts do not currently exist. +.PP +\fBnmap \-v scanme.nmap.org\fR +.PP This option scans all reserved TCP ports on the machine -target.example.com . The \-v means turn on verbose mode. -.Sp -.B nmap -sS -O target.example.com/24 -.Sp -Launches a stealth SYN scan against each machine that is up -out of the 255 machines on class "C" where -target.example.com resides. It also tries to determine what -operating system is running on each host that is up and -running. This requires root privileges because of the SYN -scan and the OS detection. -.Sp -.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127" -.Sp -Sends an Xmas tree scan to the first half of each of the 255 -possible 8 bit subnets in the 198.116 class "B" address -space. We are testing whether the systems run sshd, DNS, -pop3d, imapd, or port 4564. Note that Xmas scan doesn't -work on Microsoft boxes due to their deficient TCP stack. -Same goes with CISCO, IRIX, HP/UX, and BSDI boxes. -.Sp -.B nmap -v --randomize_hosts -p 80 "*.*.2.3-5" -.Sp -Rather than focus on a specific IP range, it is sometimes -interesting to slice up the entire Internet and scan a small -sample from each slice. This command finds all web servers -on machines with IP addresses ending in .2.3, .2.4, or .2.5. -If you are root you might as well add -sS. Also you will -find more interesting machines starting at 127. so you might -want to use "127-222" instead of the first asterisks because -that section has a greater density of interesting machines -(IMHO). -.Sp -.B "host -l company.com | cut "-d " -f 4 | ./nmap -v -iL -" -.Sp -Do a DNS zone transfer to find the hosts in company.com and -then feed the IP addresses to -.I nmap. -The above commands are for my GNU/Linux box. You may need -different commands/options on other operating systems. -.SH BUGS -Bugs? What bugs? Send me any that you find. Patches are -nice too :) Remember to also send in new OS fingerprints so -we can grow the database. Nmap will give you a submission -URL when an appropriate fingerprint is found. -.SH AUTHOR -.Sp +scanme.nmap.org +. The +\fB\-v\fR +option enables verbose mode. +.PP +\fBnmap \-sS \-O scanme.nmap.org/24\fR +.PP +Launches a stealth SYN scan against each machine that is up out of the 255 machines on +\(lqclass C\(rq +network where Scanme resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and OS detection. +.PP +\fBnmap \-sV \-p 22,53,110,143,4564 198.116.0\-255.1\-127\fR +.PP +Launches host enumeration and a TCP scan at the first half of each of the 255 possible 8 bit subnets in the 198.116 class B address space. This tests whether the systems run sshd, DNS, pop3d, imapd, or port 4564. For any of these ports found open, version detection is used to determine what application is running. +.PP +\fBnmap \-v \-iR 100000 \-P0 \-p 80\fR +.PP +Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with +\fB\-P0\fR +since first sending a couple probes to determine whether a host is up is wasteful when you are only probing one port on each target host anyway. +.PP +\fBnmap \-P0 \-p80 \-oX logs/pb\-port80scan.xml \-oG logs/pb\-port80scan.gnmap 216.163.128.20/20\fR +.PP +This scans 4096 IPs for any webservers (without pinging them) and saves the output in grepable and XML formats. +.PP +\fBhost \-l company.com | cut \-d \-f 4 | nmap \-v \-iL \-\fR +.PP +Do a DNS zone transfer to find the hosts in company.com and then feed the IP addresses to nmap. The above commands are for my GNU/Linux box \-\- other systems have different commands for performing a zone transfer. +.SH "BUGS" +.PP +Like its author, Nmap isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Nmap doesn't behave the way you expect, first upgrade to the latest version available from +\fI\%http://www.insecure.org/nmap/\fR. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try Googling the error message or browsing the Nmap\-dev archives at +\fI\%http://seclists.org/\fR. Read this full munaual page as well. If nothing comes of this, mail a bug report to +. Please include everything you have learned about the problem, as well as what version of Nmap you are running and what operating system version it is running on. Problem reports and Nmap usage questions sent to nmap\-dev@insecure.org are far more likely to be answered than those sent to Fyodor directly. +.PP +Code patches to fix bugs are even better than bug reports. Basic instructions for creating patch files with your changes are available at +\fI\%http://www.insecure.org/nmap/data/HACKING\fR. Patches may be sent to nmap\-dev (recommended) or to Fyodor directly. +.SH "AUTHOR" +.PP Fyodor -.I -.SH DISTRIBUTION -The newest version of -.I nmap -can be obtained from -.I http://www.insecure.org/nmap/ -.Sp -The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap is -also a registered trademark of Insecure.Com LLC. This program is free -software; you may redistribute and/or modify it under the terms of the -GNU General Public License as published by the Free Software -Foundation; Version 2. This guarantees your right to use, modify, and -redistribute this software under certain conditions. If you wish to -embed Nmap technology into proprietary software, we may be willing to -sell alternative licenses (contact sales@insecure.com). Many security -scanner vendors already license Nmap technology such as our remote OS -fingerprinting database and code, service/version detection system, -and port scanning code. -.Sp -Note that the GPL places important restrictions on "derived works", yet -it does not provide a detailed definition of that term. To avoid -misunderstandings, we consider an application to constitute a -"derivative work" for the purpose of this license if it does any of the -following: -.Sp -o Integrates source code from Nmap -.Sp -o Reads or includes Nmap copyrighted data files, such as -nmap-os-fingerprints or nmap-service-probes. -.Sp -o Executes Nmap and parses the results (as opposed to typical shell or -execution-menu apps, which simply display raw Nmap output and so are -not derivative works.) -.Sp -o Integrates/includes/aggregates Nmap into a proprietary executable -installer, such as those produced by InstallShield. -.Sp -o Links to a library or executes a program that does any of the above -.Sp -The term "Nmap" should be taken to also include any portions or derived -works of Nmap. This list is not exclusive, but is just meant to -clarify our interpretation of derived works with some common examples. -These restrictions only apply when you actually redistribute Nmap. For -example, nothing stops you from writing and selling a proprietary -front-end to Nmap. Just distribute it by itself, and point people to -http://www.insecure.org/nmap/ to download Nmap. -.Sp -We don't consider these to be added restrictions on top of the GPL, but -just a clarification of how we interpret "derived works" as it applies -to our GPL-licensed Nmap product. This is similar to the way Linus -Torvalds has announced his interpretation of how "derived works" -applies to Linux kernel modules. Our interpretation refers only to -Nmap - we don't speak for any other GPL products. -.Sp -If you have any questions about the GPL licensing restrictions on using -Nmap in non-GPL works, we would be happy to help. As mentioned above, -we also offer alternative license to integrate Nmap into proprietary -applications and appliances. These contracts have been sold to many -security vendors, and generally include a perpetual license as well as -providing for priority support and updates as well as helping to fund -the continued development of Nmap technology. Please email -sales@insecure.com for further information. -.Sp -As a special exception to the GPL terms, Insecure.Com LLC grants -permission to link the code of this program with any version of the -OpenSSL library which is distributed under a license identical to that -listed in the included Copying.OpenSSL file, and distribute linked -combinations including the two. You must obey the GNU GPL in all -respects for all of the code used other than OpenSSL. If you modify -this file, you may extend this exception to your version of the file, -but you are not obligated to do so. -.Sp -If you received these files with a written license agreement or -contract stating terms other than the terms above, then that -alternative license agreement takes precedence over these comments. -.Sp -Source is provided to this software because we believe users have a -right to know exactly what a program is going to do before they run it. -This also allows you to audit the software for security holes (none -have been found so far). -.Sp -Source code also allows you to port Nmap to new platforms, fix bugs, -and add new features. You are highly encouraged to send your changes -to fyodor@insecure.org for possible incorporation into the main -distribution. By sending these changes to Fyodor or one the -Insecure.Org development mailing lists, it is assumed that you are -offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right -to reuse, modify, and relicense the code. Nmap will always be -available Open Source, but this is important because the inability to -relicense code has caused devastating problems for other Free Software -projects (such as KDE and NASM). We also occasionally relicense the -code to third parties as discussed above. If you wish to specify -special license conditions of your contributions, just say so when you -send them. -.Sp -This program is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -General Public License for more details at -http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included -with Nmap. -.Sp -It should also be noted that Nmap has been known to crash -certain poorly written applications, TCP/IP stacks, and even -operating systems. -.B Nmap should never be run against mission critical systems -unless you are prepared to suffer downtime. We acknowledge -here that Nmap may crash your systems or networks and we -disclaim all liability for any damage or problems Nmap could -cause. -.Sp -Because of the slight risk of crashes and because a few black hats like -to use Nmap for reconnaissance prior to attacking systems, there are -administrators who become upset and may complain when their system is -scanned. Thus, it is often advisable to request permission before -doing even a light scan of a network. -.Sp -Nmap should never be installed with special privileges (eg suid root) for security reasons. -.Sp -This product includes software developed by the Apache Software -Foundation (http://www.apache.org/). The -.I Libpcap -portable packet capture library is distributed along with nmap. -Libpcap was originally copyrighted by Van Jacobson, Craig Leres and -Steven McCanne, all of the Lawrence Berkeley National Laboratory, -University of California, Berkeley, CA. It is now maintained by -http://www.tcpdump.org . -.Sp -Regular expression support is provided by the PCRE library package, -which is open source software, written by Philip Hazel, and copyright -by the University of Cambridge, England. See http://www.pcre.org/ . -.Sp -Nmap can optionally link to the OpenSSL cryptography toolkit, which is -available from http://www.openssl.org/ . -.Sp -US Export Control: Insecure.Com LLC believes that Nmap falls under US -ECCN (export control classification number) 5D992. This category is -called '"Information Security" "software" not controlled by 5D002'. -The only restriction of this classification is AT (anti-terrorism), -which applies to almost all goods and denies export to a handful of -rogue nations such as Iran and North Korea. Thus exporting Nmap does -not require any special license, permit, or other governmental -authorization. + +(\fI\%http://www.insecure.org\fR) +.PP +Hundreds of people have made valuable contributions to Nmap over the years. These are detailed in the +\fICHANGELOG\fR +file which is distributed with Nmap and also available from +\fI\%http://www.insecure.org/nmap/nmap_changelog.html\fR. +.SH "LEGAL NOTICES" +.SS "Copyright and Licensing" +.PP +The Nmap Security Scanner is (C) 1996\-2005 Insecure.Com LLC. Nmap is also a registered trademark of Insecure.Com LLC. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2. This guarantees your right to use, modify, and redistribute this software under certain conditions. If you wish to embed Nmap technology into proprietary software, we may be willing to sell alternative licenses (contact +). Many security scanner vendors already license Nmap technology such as host discovery, port scanning, OS detection, and service/version detection. +.PP +Note that the GPL places important restrictions on +\(lqderived works\(rq, yet it does not provide a detailed definition of that term. To avoid misunderstandings, we consider an application to constitute a +\(lqderivative work\(rq +for the purpose of this license if it does any of the following: +.TP 3 +\(bu +Integrates source code from Nmap +.TP +\(bu +Reads or includes Nmap copyrighted data files, such as +\fInmap\-os\-fingerprints\fR +or +\fInmap\-service\-probes\fR. +.TP +\(bu +Executes Nmap and parses the results (as opposed to typical shell or execution\-menu apps, which simply display raw Nmap output and so are not derivative works.) +.TP +\(bu +Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield. +.TP +\(bu +Links to a library or executes a program that does any of the above. +.PP +The term +\(lqNmap\(rq +should be taken to also include any portions or derived works of Nmap. This list is not exclusive, but is just meant to clarify our interpretation of derived works with some common examples. These restrictions only apply when you actually redistribute Nmap. For example, nothing stops you from writing and selling a proprietary front\-end to Nmap. Just distribute it by itself, and point people to +\fI\%http://www.insecure.org/nmap/\fR +to download Nmap. +.PP +We don't consider these to be added restrictions on top of the GPL, but just a clarification of how we interpret +\(lqderived works\(rq +as it applies to our GPL\-licensed Nmap product. This is similar to the way Linus Torvalds has announced his interpretation of how +\(lqderived works\(rq +applies to Linux kernel modules. Our interpretation refers only to Nmap \- we don't speak for any other GPL products. +.PP +If you have any questions about the GPL licensing restrictions on using Nmap in non\-GPL works, we would be happy to help. As mentioned above, we also offer alternative license to integrate Nmap into proprietary applications and appliances. These contracts have been sold to many security vendors, and generally include a perpetual license as well as providing for priority support and updates as well as helping to fund the continued development of Nmap technology. Please email + +for further information. +.PP +As a special exception to the GPL terms, Insecure.Com LLC grants permission to link the code of this program with any version of the OpenSSL library which is distributed under a license identical to that listed in the included Copying.OpenSSL file, and distribute linked combinations including the two. You must obey the GNU GPL in all respects for all of the code used other than OpenSSL. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. +.PP +If you received these files with a written license agreement or contract stating terms other than the terms above, then that alternative license agreement takes precedence over these comments. +.SS "Source code availability and community contributions" +.PP +Source is provided to this software because we believe users have a right to know exactly what a program is going to do before they run it. This also allows you to audit the software for security holes (none have been found so far). +.PP +Source code also allows you to port Nmap to new platforms, fix bugs, and add new features. You are highly encouraged to send your changes to + +for possible incorporation into the main distribution. By sending these changes to Fyodor or one of the Insecure.Org development mailing lists, it is assumed that you are offering Fyodor and Insecure.Com LLC the unlimited, non\-exclusive right to reuse, modify, and relicense the code. Nmap will always be available Open Source, but this is important because the inability to relicense code has caused devastating problems for other Free Software projects (such as KDE and NASM). We also occasionally relicense the code to third parties as discussed above. If you wish to specify special license conditions of your contributions, just say so when you send them. +.SS "No Warranty" +.PP +This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details at +\fI\%http://www.gnu.org/copyleft/gpl.html\fR, or in the COPYING file included with Nmap. +.PP +It should also be noted that Nmap has occasionally been known to crash poorly written applications, TCP/IP stacks, and even operating systems. While this is extremely rare, it is important to keep in mind. +\fINmap should never be run against mission critical systems\fR +unless you are prepared to suffer downtime. We acknowledge here that Nmap may crash your systems or networks and we disclaim all liability for any damage or problems Nmap could cause. +.SS "Inappropriate Usage" +.PP +Because of the slight risk of crashes and because a few black hats like to use Nmap for reconnaissance prior to attacking systems, there are administrators who become upset and may complain when their system is scanned. Thus, it is often advisable to request permission before doing even a light scan of a network. +.PP +Nmap should never be installed with special privileges (e.g. suid root) for security reasons. +.SS "Third\-Party Software" +.PP +This product includes software developed by the +[8]\&\fIApache Software Foundation\fR. A modified version of the +[9]\&\fILibpcap portable packet capture library\fR +is distributed along with nmap. The Windows version of Nmap utilized the libpcap\-derived +[10]\&\fIWinPcap library\fR +instead. Regular expression support is provided by the +[11]\&\fIPCRE library\fR, which is open source software, written by Philip Hazel. Certain raw networking functions use the +[12]\&\fILibdnet\fR +networking library, which was written by Dug Song. A modified version is distributed with Nmap. Nmap can optionally link with the +[13]\&\fIOpenSSL cryptography toolkit\fR +for SSL version detection support. All of the third\-party software described in this paragraph is freely redistributable under BSD\-style software licenses. +.SS "US Export Control Classification" +.PP +US Export Control: Insecure.Com LLC believes that Nmap falls under US ECCN (export control classification number) 5D992. This category is called +\(lqInformation Security software not controlled by 5D002\(rq. The only restriction of this classification is AT (anti\-terrorism), which applies to almost all goods and denies export to a handful of rogue nations such as Iran and North Korea. Thus exporting Nmap does not require any special license, permit, or other governmental authorization. +.SH "REFERENCES" +.TP 4 + 1.\ RFC 1122 +\%http://www.rfc\-editor.org/rfc/rfc1122.txt +.TP 4 + 2.\ RFC 792 +\%http://www.rfc\-editor.org/rfc/rfc792.txt +.TP 4 + 3.\ UDP +\%http://www.rfc\-editor.org/rfc/rfc768.txt +.TP 4 + 4.\ TCP RFC +\%http://www.rfc\-editor.org/rfc/rfc793.txt +.TP 4 + 5.\ RFC 959 +\%http://www.rfc\-editor.org/rfc/rfc959.txt +.TP 4 + 6.\ Nmap::Scanner +\%http://sourceforge.net/projects/nmap\-scanner/ +.TP 4 + 7.\ Nmap::Parser +\%http://www.nmapparser.com +.TP 4 + 8.\ Apache Software Foundation +\%http://www.apache.org +.TP 4 + 9.\ Libpcap portable packet capture library +\%http://www.tcpdump.org +.TP 4 +10.\ WinPcap library +\%http://www.winpcap.org +.TP 4 +11.\ PCRE library +\%http://www.pcre.org +.TP 4 +12.\ Libdnet +\%http://libdnet.sourceforge.net +.TP 4 +13.\ OpenSSL cryptography toolkit +\%http://www.openssl.org diff --git a/docs/nmap.dtd b/docs/nmap.dtd index 5e148d71b..0282b68c6 100644 --- a/docs/nmap.dtd +++ b/docs/nmap.dtd @@ -1,50 +1,44 @@ - diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt index 53aa308b8..e8e960920 100644 --- a/docs/nmap.usage.txt +++ b/docs/nmap.usage.txt @@ -1,25 +1,79 @@ -Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] -Some Common Scan Types ('*' options require root privileges) -* -sS TCP SYN stealth port scan (default if privileged (root)) - -sT TCP connect() port scan (default for unprivileged users) -* -sU UDP port scan - -sP ping scan (Find any reachable machines) -* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only) - -sV Version scan probes open ports determining service & app names/versions - -sR RPC scan (use with other scan types) -Some Common Options (none are required, most can be combined): -* -O Use TCP/IP fingerprinting to guess remote operating system - -p ports to scan. Example range: 1-1024,1080,6666,31337 - -F Only scans ports listed in nmap-services - -v Verbose. Its use is recommended. Use twice for greater effect. - -P0 Don't ping hosts (needed to scan www.microsoft.com and others) -* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys - -6 scans via IPv6 rather than IPv4 - -T General timing policy - -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve] - -oN/-oX/-oG Output normal/XML/grepable scan logs to - -iL Get targets from file; Use '-' for stdin -* -S /-e Specify source address or network interface - --interactive Go into interactive mode (then press h for help) -Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*' -SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES +Nmap 3.94 ( http://www.insecure.org/nmap/ ) +Usage: nmap [Scan Type(s)] [Options] {target specification} +TARGET SPECIFICATION: + Can pass hostnames, IP addresses, networks, etc. + Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 + -iL : Input from list of hosts/networks + -iR : Choose random targets + --exclude : Exclude hosts/networks + --excludefile : Exclude list from file +HOST DISCOVERY: + -sL: List Scan - simply list targets to scan + -sP: Ping Scan - go no further than determining if host is online + -P0: Treat all hosts as online -- skip host discovery + -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports + -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes + -n/-R: Never do DNS resolution/Always resolve [default: sometimes] +SCAN TECHNIQUES: + -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans + -sN/sF/sX: TCP Null, FIN, and Xmas scans + --scanflags : Customize TCP scan flags + -sI : Idlescan + -sO: IP protocol scan + -b : FTP bounce scan +PORT SPECIFICATION AND SCAN ORDER: + -p : Only scan specified ports + Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 + -F: Fast - Scan only the ports listed in the nmap-services file) + -r: Scan ports consecutively - don't randomize +SERVICE/VERSION DETECTION: + -sV: Probe open ports to determine service/version info + --version_light: Limit to most likely probes for faster identification + --version_all: Try every single probe for version detection + --version_trace: Show detailed version scan activity (for debugging) +OS DETECTION: + -O: Enable OS detection + --osscan_limit: Limit OS detection to promising targets + --osscan_guess: Guess OS more aggressively +TIMING AND PERFORMANCE: + -T[0-6]: Set timing template (higher is faster) + --min_hostgroup/max_hostgroup : Parallel host scan group sizes + --min_parallelism/max_parallelism : Probe parallelization + --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies + probe round trip time. + --host_timeout : Give up on target after this long + --scan_delay/--max_scan_delay : Adjust delay between probes +FIREWALL/IDS EVASION AND SPOOFING: + -f; --mtu : fragment packets (optionally w/given MTU) + -D : Cloak a scan with decoys + -S : Spoof source address + -e : Use specified interface + -g/--source_port : Use given port number + --data_length : Append random data to sent packets + --ttl : Set IP time-to-live field + --spoof_mac : Spoof your MAC address +OUTPUT: + -oN/-oX/-oS/-oG : Output scan in normal, XML, s|: Output in the three major formats at once + -v: Increase verbosity level (use twice for more effect) + -d[level]: Set or increase debugging level (Up to 9 is meaningful) + --packet_trace: Show all packets sent and received + --iflist: Print host interfaces and routes (for debugging) + --append_output: Append to rather than clobber specified output files + --resume : Resume an aborted scan + --stylesheet : XSL stylesheet to transform XML output to HTML + --no_stylesheet: Prevent associating of XSL stylesheet w/XML output +MISC: + -6: Enable IPv6 scanning + -A: Enables OS detection and Version detection + --datadir : Specify custom Nmap data file location + --send_eth/--send_ip: Send using raw ethernet frames or IP packets + --privileged: Assume that the user is fully privileged + -V: Print version number + -h: Print this help summary page. +EXAMPLES: + nmap -v -A scanme.nmap.org + nmap -v -sP 192.168.0.0/16 10.0.0.0/8 + nmap -v -iR 10000 -P0 -p 80 +SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES diff --git a/docs/nmap_manpage.html b/docs/nmap_manpage.html index 3e34abb68..e810e67a1 100644 --- a/docs/nmap_manpage.html +++ b/docs/nmap_manpage.html @@ -7,1165 +7,2345 @@ 
 
-NMAP(1)                                                                NMAP(1)
+NMAP(1)                      Nmap Reference Guide                      NMAP(1)

NAME

-       nmap - Network exploration tool and security scanner
+       nmap - Network exploration tool and security / port scanner

SYNOPSIS

-       nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
+       nmap [Scan Type...] [Options] {target specification}

DESCRIPTION

-       Nmap is designed to allow system administrators and curious individuals
-       to scan large networks to determine which hosts are up  and  what  ser-
-       vices  they  are  offering.   nmap  supports a large number of scanning
-       techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp  proxy
-       (bounce  attack),  ICMP  (ping  sweep),  FIN, ACK sweep, Xmas Tree, SYN
-       sweep, IP Protocol, and Null scan.  See the Scan Types section for more
-       details.  nmap also offers a number of advanced features such as remote
-       OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay
-       and  retransmission  calculations, parallel scanning, detection of down
-       hosts via parallel pings, decoy  scanning,  port  filtering  detection,
-       direct (non-portmapper) RPC scanning, fragmentation scanning, and flex-
-       ible target and port specification.
+       Nmap (“Network Mapper”) is an open source tool for network exploration
+       and security auditing. It was designed to rapidly scan large networks,
+       although it works fine against single hosts. Nmap uses raw IP packets
+       in novel ways to determine what hosts are available on the network,
+       what services (application name and version) those hosts are offering,
+       what operating systems (and OS versions) they are running, what type of
+       packet filters/firewalls are in use, and dozens of other
+       characteristics. While Nmap is commonly used for security audits, many
+       systems and network administrators find it useful for routine tasks
+       such as network inventory, managing service upgrade schedules, and
+       monitoring host or service uptime.
 
-       Significant effort has been put into decent nmap performance  for  non-
-       root  users.   Unfortunately,  many critical kernel interfaces (such as
-       raw sockets) require root privileges.  nmap should be run as root when-
-       ever possible (not setuid root, of course).
+       The output from Nmap is a list of scanned targets, with supplemental
+       information on each depending on the options used. Key among that
+       information is the “interesting ports table”. That table lists the port
+       number and protocol, service name, and state. The state is either open,
+       filtered, closed, or unfiltered. Open means that an application on the
+       target machine is listening for connections/packets on that port.
+       Filtered means that a firewall, filter, or other network obstacle is
+       blocking the port so that Nmap cannot tell whether it is open or
+       closed.  Closed ports have no application listening on them, though
+       they could open up at any time. Ports are classified as unfiltered when
+       they are responsive to Nmap’s probes, but Nmap cannot determine whether
+       they are open or closed. Nmap reports the state combinations
+       open|filtered and closed|filtered when it cannot determine which of the
+       two states describe a port. The port table may also include software
+       version details when version detection has been requested. When an IP
+       protocol scan is requested (-sO), Nmap provides information on
+       supported IP protocols rather than listening ports.
 
-       The  result  of  running nmap is usually a list of interesting ports on
-       the machine(s) being scanned (if any).  Nmap always  gives  the  port’s
-       "well  known"  service name (if any), number, state, and protocol.  The
-       state is either "open", "closed"  "filtered",  or  "unfiltered".   Open
-       means  that  the target machine will accept() connections on that port.
-       Closed ports are not listening for connections (they have  no  applica-
-       tion associated with them).  Filtered means that a firewall, filter, or
-       other network obstacle is covering the port and  preventing  nmap  from
-       determining  whether  the port is open.  Unfiltered means that the port
-       is known by nmap to be closed and no firewall/filter seems to be inter-
-       fering  with  nmap’s  attempts to determine this.  Unfiltered ports are
-       the common case and are only shown when most of the scanned  ports  are
-       in  the filtered state.  In some cases, Nmap cannot distinguish between
-       filtered ports and those that are either open or closed.  For  example,
-       a port that does not respond to a FIN Scan could be either open or fil-
-       tered.   In  these  cases,  Nmap  lists  ports  as  "open|filtered"  or
-       "closed|filtered".
+       In addition to the interesting ports table, Nmap can provide further
+       information on targets, including reverse DNS names, operating system
+       guesses, device types, and MAC addresses.
 
-       Depending  on  options used, nmap may also report the following charac-
-       teristics of the remote host: OS in use, TCP  sequentiality,  usernames
-       running  the  programs  which  have  bound  to each port, the DNS name,
-       whether the host is a smurf address, and a few others.
+       A typical Nmap scan is shown in Example 15.1, “A representative Nmap
+       scan”. The only Nmap arguments used in this example are -A, to enable
+       OS and version detection, -T4 for faster execution, and then the two
+       target hostnames.  Example 15.1. A representative Nmap scan.sp
+       # nmap -A -T4 scanme.nmap.org playground
+
+       Starting nmap ( http://www.insecure.org/nmap/ )
+       Interesting ports on scanme.nmap.org (205.217.153.62):
+       (The 1663 ports scanned but not shown below are in state: filtered)
+       PORT    STATE  SERVICE VERSION
+       22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
+       53/tcp  open   domain
+       70/tcp  closed gopher
+       80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
+       113/tcp closed auth
+       Device type: general purpose
+       Running: Linux 2.4.X|2.5.X|2.6.X
+       OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
+       Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)
+
+       Interesting ports on playground.nmap.org (192.168.0.40):
+       (The 1659 ports scanned but not shown below are in state: closed)
+       PORT     STATE SERVICE       VERSION
+       135/tcp  open  msrpc         Microsoft Windows RPC
+       139/tcp  open  netbios-ssn
+       389/tcp  open  ldap?
+       445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
+       1002/tcp open  windows-icfw?
+       1025/tcp open  msrpc         Microsoft Windows RPC
+       1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
+       5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
+       5900/tcp open  vnc           VNC (protocol 3.8)
+       MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
+       Device type: general purpose
+       Running: Microsoft Windows NT/2K/XP
+       OS details: Microsoft Windows XP Pro RC1+ through final release
+       Service Info: OSs: Windows, Windows XP
+
+       Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
-

OPTIONS

-       Options that make sense  together  can  generally  be  combined.   Some
-       options  are  specific  to certain scan modes.  nmap tries to catch and
-       warn the user about psychotic or unsupported option combinations.
-
-       If you are impatient, you can skip to the examples section at the  end,
-       which  demonstrates common usage.  You can also run nmap -h for a quick
-       reference page listing all the options.
-
-       SCAN TYPES
-
-       -sS    TCP SYN scan: This technique is often referred to as "half-open"
-              scanning, because you don’t open a full TCP connection. You send
-              a SYN packet, as if you are going to open a real connection  and
-              you wait for a response. A SYN|ACK indicates the port is listen-
-              ing. A RST is indicative of a non-listener.   If  a  SYN|ACK  is
-              received,  a RST is immediately sent to tear down the connection
-              (actually our OS kernel does this for us). The primary advantage
-              to  this  scanning  technique  is  that fewer sites will log it.
-              Unfortunately you need root privileges to build these custom SYN
-              packets.  This is the default scan type for privileged users.
-
-       -sT    TCP connect() scan: This is the most basic form of TCP scanning.
-              The connect() system call provided by your operating  system  is
-              used  to  open  a  connection  to  every interesting port on the
-              machine. If the port is listening, connect() will succeed,  oth-
-              erwise  the  port  isn’t reachable. One strong advantage to this
-              technique is that you don’t need  any  special  privileges.  Any
-              user on most UNIX boxes is free to use this call.
-
-              This  sort of scan is easily detectable as target host logs will
-              show a bunch of connection and error messages for  the  services
-              which  accept() the connection just to have it immediately shut-
-              down.  This is the default scan type for unprivileged users.
-
-       -sF -sX -sN
-              Stealth FIN, Xmas Tree, or Null scan modes: There are times when
-              even  SYN  scanning isn’t clandestine enough. Some firewalls and
-              packet filters watch for SYNs to restricted ports, and  programs
-              like Synlogger and Courtney are available to detect these scans.
-              These advanced scans, on the other hand, may  be  able  to  pass
-              through unmolested.
-
-              The  idea  is  that  closed  ports are required to reply to your
-              probe packet with an RST, while open ports must ignore the pack-
-              ets in question (see RFC 793 pp 64).  Filered ports also tend to
-              drop  probes  without  a  response,  so  Nmap  considers   ports
-              "open|filtered"  when  it  fails to elicit any response.  If you
-              add version detection (-sV), it will try to verify  whether  the
-              ports  are  actually  open  and change the state as appropriate.
-              The FIN scan uses a bare (surprise) FIN  packet  as  the  probe,
-              while  the Xmas tree scan turns on the FIN, URG, and PUSH flags.
-              The Null scan turns  off  all  flags.   Unfortunately  Microsoft
-              (like  usual)  decided  to completely ignore the standard and do
-              things their own way.  Thus this scan type will not work against
-              systems  running  Windows95/NT.  On the positive side, this is a
-              good way to distinguish between the two platforms.  If the  scan
-              finds open ports, you know the machine is not a Windows box.  If
-              a -sF,-sX,or -sN scan shows all ports closed, yet  a  SYN  (-sS)
-              scan  shows  ports  being  opened, you are probably looking at a
-              Windows box.  This is less useful now that nmap  has  proper  OS
-              detection built in.  There are also a few other systems that are
-              broken in the same way Windows is.  They  include  Cisco,  BSDI,
-              HP/UX,  MVS,  and  IRIX.   All of the above send resets from the
-              open ports when they should just drop the packet.
-
-       -sP    Ping scanning: Sometimes you only want to know which hosts on  a
-              network  are  up.  Nmap can do this by sending ICMP echo request
-              packets to every IP address on the networks you specify.   Hosts
-              that   respond  are  up.   Unfortunately,  some  sites  such  as
-              microsoft.com block echo request packets.  Thus  nmap  can  also
-              send a TCP ack packet to (by default) port 80.  If we get an RST
-              back, that machine is up.  A third technique involves sending  a
-              SYN  packet  and  waiting  for a RST or a SYN/ACK.  For non-root
-              users, a connect() method is used.
-
-              By default (for root users), nmap uses both  the  ICMP  and  ACK
-              techniques  in  parallel.   You  can  change  these  with the -P
-              options described later.
-
-              Note that pinging is done by default anyway, and only hosts that
-              respond  are  scanned.  Only use this option if you wish to ping
-              sweep without doing any actual port scans.
-
-       -sV    Version detection: After TCP and/or  UDP  ports  are  discovered
-              using  one of the other scan methods, version detection communi-
-              cates with those ports to try and determine more about  what  is
-              actually  running.  A file called nmap-service-probes is used to
-              determine the best probes for detecting various services and the
-              match  strings  to  expect.  Nmap tries to determine the service
-              protocol (e.g. ftp, ssh, telnet,  http),  the  application  name
-              (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version num-
-              ber, and sometimes  miscellaneous  details  like  whether  an  X
-              server  is open to connections or the SSH protocol version).  If
-              Nmap was compiled with OpenSSL support, it will connect  to  SSL
-              servers  to  deduce the service listening behind the encryption.
-              When RPC services are discovered, the Nmap RPC grinder  is  used
-              to  determine  the  RPC  program  and version numbers.  Some UDP
-              ports are left in the "open|filtered" state after a UDP scan  is
-              unable  to determine whether the port is open or filtered.  Ver-
-              sion detection will try to elicit a response  from  these  ports
-              (just  as it does with open ports), and change the state to open
-              if it succeeds. Note that the Nmap -A option also  enables  this
-              feature.   For  a much more detailed description of Nmap service
-              detection, read our paper  at  http://www.insecure.org/nmap/ver-
-              sionscan.html .  There is a related --version_trace option which
-              causes Nmap to print out extensive  debugging  info  about  what
-              version  scanning  is  doing (this is a subset of what you would
-              get with --packet_trace).
-
-       -sU    UDP scans: This method is used  to  determine  which  UDP  (User
-              Datagram Protocol, RFC 768) ports are open on a host.  The tech-
-              nique is to send 0 byte UDP packets to each port on  the  target
-              machine.   If  we receive an ICMP port unreachable message, then
-              the port is closed.  If a UDP response is received to the  probe
-              (unusual),  the port is open.  If we get no response at all, the
-              state is "open|filtered", meaning that the port is  either  open
-              or packet filters are blocking the communication.  Versions scan
-              (-sV) can be used to help differentiate  the  truly  open  ports
-              from the filtered ones.
-
-              Some  people  think  UDP scanning is pointless. I usually remind
-              them of the Solaris rpcbind hole. Rpcbind can be found hiding on
-              an  undocumented  UDP  port somewhere above 32770. So it doesn’t
-              matter that 111 is blocked by the firewall.  But  can  you  find
-              which  of  the  more  than 30,000 high ports it is listening on?
-              With a UDP scanner you can!  There is also the cDc Back  Orifice
-              backdoor  program which hides on a configurable UDP port on Win-
-              dows machines.  Not to mention the many commonly vulnerable ser-
-              vices that utilize UDP such as snmp, tftp, NFS, etc.
-
-              Unfortunately  UDP  scanning  is  sometimes painfully slow since
-              most hosts implement a suggestion in RFC 1812 (section  4.3.2.8)
-              of limiting the ICMP error message rate.  For example, the Linux
-              kernel (in net/ipv4/icmp.h) limits destination unreachable  mes-
-              sage  generation  to 80 per 4 seconds, with a 1/4 second penalty
-              if that is exceeded.  Solaris has much more strict limits (about
-              2 messages per second) and thus takes even longer to scan.  nmap
-              detects this rate limiting and slows  down  accordingly,  rather
-              than flood the network with useless packets that will be ignored
-              by the target machine.
-
-              As is typical, Microsoft ignored the suggestion of the  RFC  and
-              does  not  seem  to  do any rate limiting at all on Win95 and NT
-              machines.  Thus we can scan all 65K ports of a  Windows  machine
-              very quickly.  Whoop!
-
-
-       -sO    IP  protocol  scans:  This  method is used to determine which IP
-              protocols are supported on a host.  The technique is to send raw
-              IP packets without any further protocol header to each specified
-              protocol on the target machine.  If we receive an ICMP  protocol
-              unreachable message, then the protocol is not in use.  Otherwise
-              we assume it is open.  Note that some hosts (AIX, HP-UX, Digital
-              UNIX)  and firewalls may not send protocol unreachable messages.
-              This causes all of the protocols to appear "open".
-
-              Because the implemented technique is very similar  to  UDP  port
-              scanning,  ICMP  rate limit might apply too. But the IP protocol
-              field has only 8 bits, so at most 256 protocols  can  be  probed
-              which should be possible in reasonable time anyway.
-
-       -sI <zombie host[:probeport]>
-              Idlescan: This advanced scan method allows for a truly blind TCP
-              port scan of the target (meaning no packets are sent to the tar-
-              get  from your real IP address).  Instead, a unique side-channel
-              attack exploits predictable "IP fragmentation ID" sequence  gen-
-              eration  on  the zombie host to glean information about the open
-              ports on the target.  IDS systems will display the scan as  com-
-              ing  from  the  zombie machine you specify (which must be up and
-              meet certain criteria).  I wrote an informal  paper  about  this
-              technique at http://www.insecure.org/nmap/idlescan.html .
-
-              Besides   being  extraordinarily  stealthy  (due  to  its  blind
-              nature), this scan type permits mapping out IP-based trust rela-
-              tionships  between  machines.  The port listing shows open ports
-              from the perspective of the zombie host.  So you can  try  scan-
-              ning  a  target  using  various  zombies that you think might be
-              trusted (via router/packet filter  rules).   Obviously  this  is
-              crucial  information  when  prioritizing attack targets.  Other-
-              wise, you penetration testers might have to expend  considerable
-              resources "owning" an intermediate system, only to find out that
-              its IP isn’t even trusted by the  target  host/network  you  are
-              ultimately after.
-
-              You  can  add  a  colon followed by a port number if you wish to
-              probe a particular port on the zombie  host  for  IPID  changes.
-              Otherwise  Nmap  will  use  the port it uses by default for "tcp
-              pings".
-
-       -sA    ACK scan: This advanced method is usually used to map out  fire-
-              wall  rulesets.   In particular, it can help determine whether a
-              firewall is stateful or just a simple packet filter that  blocks
-              incoming SYN packets.
-
-              This scan type sends an ACK packet (with random looking acknowl-
-              edgment/sequence numbers) to the  ports  specified.   If  a  RST
-              comes back, the ports is classified as "unfiltered".  If nothing
-              comes back (or if an ICMP unreachable is returned), the port  is
-              classified  as "filtered".  Note that nmap usually doesn’t print
-              "unfiltered" ports, so getting no ports shown in the  output  is
-              usually  a  sign  that  all the probes got through (and returned
-              RSTs). This scan will obviously never show ports in  the  "open"
-              state.
-
-       -sW    Window scan: This advanced scan is very similar to the ACK scan,
-              except that it can sometimes detect open ports as well  as  fil-
-              tered/unfiltered  due  to  an  anomaly  in  the  TCP window size
-              reporting by some operating systems.  Systems vulnerable to this
-              include  at least some versions of AIX, Amiga, BeOS, BSDI, Cray,
-              Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX,  OS/2,
-              IRIX,  MacOS,  NetBSD,  OpenBSD,  OpenStep, QNX, Rhapsody, SunOS
-              4.X, Ultrix, VAX, and VxWorks.   See  the  nmap-hackers  mailing
-              list archive for a full list.
-
-       -sR    RPC  scan.   This  method  works in combination with the various
-              port scan methods of Nmap.  It takes all the TCP/UDP ports found
-              open  and  then floods them with SunRPC program NULL commands in
-              an attempt to determine whether they are RPC ports, and  if  so,
-              what  program  and  version  number they serve up.  Thus you can
-              effectively obtain the same info as "rpcinfo  -p"  even  if  the
-              target’s  portmapper  is  behind a firewall (or protected by TCP
-              wrappers).  Decoys do not currently work with RPC scan, at  some
-              point  I may add decoy support for UDP RPC scans.  This is auto-
-              matically enabled as part of version scan (-sV) if  you  request
-              that.
-
-       -sL    List scan.  This method simply generates and prints a list of IP
-              addresses or hostnames without actually pinging or port scanning
-              them.   DNS name resolution will be performed unless you use -n.
-
-       -b <ftp relay host>
-              FTP bounce attack: An interesting "feature" of the ftp  protocol
-              (RFC  959)  is  support  for  "proxy"  ftp connections. In other
-              words, I should be able to connect  from  evil.com  to  the  FTP
-              server  of  target.com  and  request that the server send a file
-              ANYWHERE on the Internet!  Now this may have worked well in 1985
-              when the RFC was written. But in today’s Internet, we can’t have
-              people hijacking ftp servers and requesting that  data  be  spit
-              out  to arbitrary points on the Internet. As *Hobbit* wrote back
-              in 1995, this protocol flaw  "can  be  used  to  post  virtually
-              untraceable  mail  and news, hammer on servers at various sites,
-              fill up disks, try to hop firewalls, and generally  be  annoying
-              and  hard  to track down at the same time." What we will exploit
-              this for is to  (surprise,  surprise)  scan  TCP  ports  from  a
-              "proxy"  ftp  server.  Thus  you  could connect to an ftp server
-              behind a firewall, and then scan ports that are more  likely  to
-              be blocked (139 is a good one). If the ftp server allows reading
-              from and writing to some directory (such as /incoming), you  can
-              send arbitrary data to ports that you do find open (nmap doesn’t
-              do this for you though).
-
-              The argument passed to the "b" option is the host  you  want  to
-              use  as a proxy, in standard URL notation.  The format is: user-
-              name:password@server:port.  Everything but server  is  optional.
-              To determine what servers are vulnerable to this attack, you can
-              see my article in Phrack 51.  An updated version is available at
-              the nmap URL (http://www.insecure.org/nmap).
-
-       GENERAL OPTIONS
-              None  of  these are required but some can be quite useful.  Note
-              that the -P options can now be combined -- you can increase your
-              odds of penetrating strict firewalls by sending many probe types
-              using different TCP ports/flags and ICMP codes.
-
-       -P0    Do not try to ping hosts at  all  before  scanning  them.   This
-              allows  the  scanning  of  networks  that  don’t allow ICMP echo
-              requests (or responses) through their  firewall.   microsoft.com
-              is  an example of such a network, and thus you should always use
-              -P0 or -PS80 when portscanning microsoft.com.  Note that  "ping"
-              in  this context may involve more than the traditional ICMP echo
-              request packet.  Nmap supports many such probes, including arbi-
-              trary  combinations  of  TCP, UDP, and ICMP probes.  By default,
-              Nmap sends an ICMP echo request and a TCP ACK packet to port 80.
-
-       -PA [portlist]
-              Use  TCP  ACK "ping" to determine what hosts are up.  Instead of
-              sending ICMP echo request packets and waiting for a response, we
-              spew  out TCP ACK packets throughout the target network (or to a
-              single machine) and then wait for  responses  to  trickle  back.
-              Hosts  that  are up should respond with a RST.  This option pre-
-              serves the efficiency of only scanning hosts that are  up  while
-              still  allowing you to scan networks/hosts that block ping pack-
-              ets.  For non root UNIX users, we use connect() and thus  a  SYN
-              is  actually  being  sent.   To set the destination ports of the
-              probe packets use -PA<port1>[,port2][...].  The default port  is
-              80,  since  this port is often not filtered out.  Note that this
-              option now accepts multiple, comma-separated port numbers.
-
-       -PS [portlist]
-              This option uses SYN (connection request) packets instead of ACK
-              packets for root users.  Hosts that are up should respond with a
-              RST (or, rarely, a SYN|ACK).  You can set the destination  ports
-              in the same manner as -PA above.
-
-       -PR    This  option  specifies  a  raw ethernet ARP ping.  It cannot be
-              used in combination with any of the other ping types.  When  the
-              target  machines  are on the same network you are scanning from,
-              this is the fastest and most reliable (because it goes below IP-
-              level  filters) ping method.  Nmap sends an IPv4-to-Ethernet ARP
-              request for each target IP, and watches for  any  ARP  response.
-              -PU  [portlist]  This  option  sends UDP probes to the specified
-              hosts, expecting an ICMP port unreachable packet (or possibly  a
-              UDP response if the port is open) if the host is up.  Since many
-              UDP services won’t reply to an empty packet, your best bet might
-              be  to send this to expected-closed ports rather than open ones.
-
-       -PE    This option uses a true ping (ICMP  echo  request)  packet.   It
-              finds  hosts  that  are  up  and  also looks for subnet-directed
-              broadcast addresses on your network.   These  are  IP  addresses
-              which  are  externally reachable and translate to a broadcast of
-              incoming IP packets to a subnet of computers.  These  should  be
-              eliminated if found as they allow for numerous denial of service
-              attacks (Smurf is the most common).
-
-       -PP    Uses an ICMP timestamp request (type 13) packet to find  listen-
-              ing hosts.
-
-       -PM    Same  as  -PE  and  -PP except uses a netmask request (ICMP type
-              17).
-
-       -PB    This is the default ping type.  It uses both the ACK ( -PA ) and
-              ICMP  echo request ( -PE ) sweeps in parallel.  This way you can
-              get firewalls that filter either one (but not  both).   The  TCP
-              probe destination port can be set in the same manner as with -PA
-              above.  Note that this flag is now deprecated as pingtype  flags
-              can now be used in combination.  So you should use both "PE" and
-              "PA" (or rely on the default  behavior)  to  achieve  this  same
-              effect.
-
-       -O     This option activates remote host identification via TCP/IP fin-
-              gerprinting.  In other words, it uses a bunch of  techniques  to
-              detect  subtleties  in  the  underlying operating system network
-              stack of the computers you are scanning.  It uses this  informa-
-              tion  to  create  a  "fingerprint"  which  it  compares with its
-              database of  known  OS  fingerprints  (the  nmap-os-fingerprints
-              file) to decide what type of system you are scanning.
-
-              If  Nmap  is unable to guess the OS of a machine, and conditions
-              are good (e.g. at least one open port), Nmap will provide a  URL
-              you can use to submit the fingerprint if you know (for sure) the
-              OS running on the machine.  By doing this you contribute to  the
-              pool of operating systems known to nmap and thus it will be more
-              accurate for everyone.  Note that if you leave an IP address  on
-              the form, the machine may be scanned when we add the fingerprint
-              (to validate that it works).
-
-              The -O option also enables several  other  tests.   One  is  the
-              "Uptime"  measurement,  which uses the TCP timestamp option (RFC
-              1323) to guess when a machine was last rebooted.  This  is  only
-              reported for machines which provide this information.
-
-              Another  test enabled by -O is TCP Sequence Predictability Clas-
-              sification.  This is a measure that describes approximately  how
-              hard  it  is  to  establish  a forged TCP connection against the
-              remote host.  This is  useful  for  exploiting  source-IP  based
-              trust  relationships (rlogin, firewall filters, etc) or for hid-
-              ing the source of an attack.  The actual  difficulty  number  is
-              based  on  statistical sampling and may fluctuate.  It is gener-
-              ally better to use the English classification  such  as  "worthy
-              challenge"  or  "trivial joke".  This is only reported in normal
-              output with -v.
-
-              When verbose mode (-v) is on with -O, IPID  Sequence  Generation
-              is also reported.  Most machines are in the "incremental" class,
-              which means that they increment the "ID" field in the IP  header
-              for  each  packet they send.  This makes them vulnerable to sev-
-              eral advanced information gathering and spoofing attacks.
-
-       --osscan_limit
-              OS detection is far more effective if at least one open and  one
-              closed  TCP  port  are found.  Set this option and Nmap will not
-              even try OS detection against hosts that do not meet this crite-
-              ria.   This can save substantial time, particularly on -P0 scans
-              against many hosts.   It  only  matters  when  OS  detection  is
-              requested (-O or -A options).
-
-       -A     This  option  enables  _a_dditional  _a_dvanced and _a_ggressive
-              options.  I haven’t decided exactly which it stands for yet  :).
-              Presently  this  enables  OS Detection (-O) and version scanning
-              (-sV).  More features may be added in the future.  The point  is
-              to  enable  a  comprehensive  set of scan options without people
-              having to remember a large  set  of  flags.   This  option  only
-              enables  features,  and not timing options (such as -T4) or ver-
-              bosity options (-v) that you might wan’t as well.
-
-       -6     This options enables IPv6 support.  All targets must be IPv6  if
-              this  option  is  used, and they can be specified via normal DNS
-              name  (AAAA  record)  or  as  a  literal  IP  address  such   as
-              3ffe:501:4819:2000:210:f3ff:fe03:4d0 .  Currently, connect() TCP
-              scan and TCP connect() Ping scan are supported.  If you need UDP
-              or  other  scan  types,  have  a  look  at  http://nmap6.source-
-              forge.net/ .
-
-       --send_eth
-              Asks Nmap to send packets at the raw ethernet (data link)  layer
-              rather  than  the  higher  IP (network) layer.  By default, Nmap
-              chooses the one which is generally best for the platform  it  is
-              running on.  Raw sockets (IP layer) are generally most efficient
-              for UNIX machines, while ethernet frames work best on  the  many
-              Windows  versions  where Microsoft has disabled raw sockets sup-
-              port.  Nmap still uses raw IP packets when  there  is  no  other
-              choice (such as non-ethernet connections).
-
-       --send_ip
-              Asks Nmap to send packets via raw IP sockets rather than sending
-              lower level ethernet  frames.   It  is  the  complement  to  the
-              --send-eth option.discussed previously.
-
-       --spoof_mac [mac, prefix, or vendor substring]
-              Ask  Nmap to use the given MAC address for all of the raw ether-
-              net frames it sends.  The MAC given can  take  several  formats.
-              If it is simply the string "0", Nmap chooses a completely random
-              MAC for the session.  If the given string is an even  number  of
-              hex  digits  (with  the  pairs optionally separated by a colon),
-              Nmap will use those as the MAC.  If less than 12 hex digits  are
-              provided, Nmap fills in the remainder of the 6 bytes with random
-              values.  If the argument isn’t a 0 or  hex  string,  Nmap  looks
-              through  the  nmap-mac-prefixes to find a vendor name containing
-              the given string (it is case insensitive).  If a match is found,
-              Nmap  uses  the  vendor’s  OUI (3-byte prefix) and fills out the
-              remaining 3 bytes randomly.  Valid --spoof_mac argument examples
-              are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2",
-              and "Cisco".
-
-       -f     This option causes the requested scan (including ping scans)  to
-              use tiny fragmented IP packets.  The idea is to split up the TCP
-              header over several packets to make it harder  for  packet  fil-
-              ters,  intrusion  detection  systems,  and  other  annoyances to
-              detect what you are doing. Be careful with this!  Some  programs
-              have trouble handling these tiny packets. The old-school sniffer
-              named Sniffit segmentation faulted  immediately  upon  receiving
-              the  first  fragment.  Specify this option once, and Nmap splits
-              the packets into 8 bytes or less after  the  IP  header.   So  a
-              20-byte TCP header would be split into 3 packets.
-               Two  with eight bytes of the TCP header, and one with the final
-              four.  Of course each fragment also has an IP  header.   Specify
-              -f  again  to  use 16 bytes per fragment (reducing the number of
-              fragments).  Or you can specify your own offset  size  with  the
-              --mtu option.  Don’t also specify -f if you use --mtu.  The off-
-              set must be a multiple of 8.  While fragmented packets won’t get
-              by  packet  filters  and  firewalls that queue all IP fragments,
-              such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux  kernel,
-              some  networks  can’t afford the performance hit this causes and
-              thus leave it disabled.  Some source systems defragment outgoing
-              packets  in  the  kernel.   Linux  with the ip tables connection
-              tracking module is one such example.  Do a scan with  a  sniffer
-              such  as  ethereal running to ensure that sent packets are frag-
-              mented.
-
-              Note that I do not yet have this option working on all  systems.
-              It  works fine for my Linux, FreeBSD, and OpenBSD boxes and some
-              people have reported success with other *NIX variants.
-
-       -v     Verbose mode.  This is a highly recommended option and it  gives
-              out  more  information  about  what is going on.  You can use it
-              twice for greater effect.  You can also use -d a  few  times  if
-              you really want to get crazy with scrolling the screen!
-
-       -h     This handy option display a quick reference screen of nmap usage
-              options.  As you may have noticed, this man page is not  exactly
-              a "quick reference" :)
-
-       -oN <logfilename>
-              This  logs  the results of your scans in a normal human readable
-              form into the file you specify as an argument.
-
-       -oX <logfilename>
-              This logs the results of your scans in XML form  into  the  file
-              you specify as an argument.  This allows programs to easily cap-
-              ture and interpret Nmap results.  You can give the argument  "-"
-              (without   quotes)  to  shoot  output  into  stdout  (for  shell
-              pipelines, etc).  In this case normal output will be suppressed.
-              Watch out for error messages if you use this (they will still go
-              to stderr).  Also note that "-v" may cause some  extra  informa-
-              tion to be printed.  The Document Type Definition (DTD) defining
-              the  XML  output  structure  is  available  at  http://www.inse-
-              cure.org/nmap/data/nmap.dtd .
-
-       --stylesheet <filename>
-              Nmap  ships with an XSL stylesheet named nmap.xsl for viewing or
-              translating XML output to HTML.  The XML output includes an xml-
-              stylesheet  directive which points to nmap.xml where it was ini-
-              tially installed by Nmap (or in the current working directory on
-              Windows).  Simply load Nmap’s XML output in a modern web browser
-              and it should retrieve nmap.xsl from the filesystem and  use  it
-              to  render  results.  If you wish to use a different stylesheet,
-              specify it as the argument to --stylesheet.  You must  pass  the
-              full  pathname  or  URL.   One common invocation is --stylesheet
-              http://www.insecure.org/nmap/data/nmap.xsl  .   This   tells   a
-              browser  to load the latest version of the stylesheet from Inse-
-              cure.Org.  This makes it easier to view  results  on  a  machine
-              that  doesn’t  have  Nmap (and thus nmap.xsl) installed.  So the
-              URL is often more useful, but the local  filesystem  locaton  of
-              nmap.xsl is used by default for privacy reasons.
-
-       --no_stylesheet
-              Specify  this  option  to  prevent Nmap from associating any XSL
-              stylesheet with its XML output.  The xml-stylesheet directive is
-              omitted.
-
-       -oG <logfilename>
-              This  logs the results of your scans in a grepable form into the
-              file you specify as an argument.  This  simple  format  provides
-              all the information on one line (so you can easily grep for port
-              or OS information and see all the IPs.  This used to be the pre-
-              ferred  mechanism for programs to interact with Nmap, but now we
-              recommend XML output (-oX instead).  This simple format may  not
-              contain  as much information as the other formats.  You can give
-              the argument "-" (without quotes) to shoot  output  into  stdout
-              (for  shell pipelines, etc).  In this case normal output will be
-              suppressed.  Watch out for error messages if you use this  (they
-              will  still  go to stderr).  Also note that "-v" will cause some
-              extra information to be printed.
-
-       -oA <basefilename>
-              This tells Nmap  to  log  in  ALL  the  major  formats  (normal,
-              grepable,  and  XML).  You give a base for the filename, and the
-              output files will be base.nmap, base.gnmap, and base.xml.
-
-       -oS <logfilename>
-              thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto
-              THe  fiL3  U sPecfy 4s an arGuMEnT!  U kAn gIv3 the 4rgument "-"
-              (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
-
-       --resume <logfilename>
-              A network scan that is canceled due to control-C,  network  out-
-              age,  etc.  can  be  resumed using this option.  The logfilename
-              must be either a normal (-oN) or grepable  (-oG)  log  from  the
-              aborted  scan.   No other options can be given (they will be the
-              same as the aborted scan).  Nmap will start on the machine after
-              the last one successfully scanned in the log file.
-
-       --exclude <host1 [,host2][,host3],...">
-              Specifies  a  list  of  targets  (hosts, ranges, netblocks) that
-              should be excluded from a scan. Useful  to  keep  from  scanning
-              yourself, your ISP, particularly sensitive hosts, etc.
-
-       --excludefile <exclude_file>
-              Same  functionality  as  the --exclude option, only the excluded
-              targets are provided in an newline-delimited exclude_file rather
-              than on the command line.
-
-       --allports
-              Causes  version  detection  (-sV)  to scan all open ports found,
-              including those excluded as dangerous (likely to  cause  crashes
-              or other problems) in nmap-service-probes.
-
-       --append_output
-              Tells  Nmap  to append scan results to any output files you have
-              specified rather than overwriting those files.
-
-       -iL <inputfilename>
-              Reads target specifications from the file specified RATHER  than
-              from  the  command line.  The file should contain a list of host
-              or network expressions separated by spaces, tabs,  or  newlines.
-              Use  a hyphen (-) as inputfilename if you want nmap to read host
-              expressions from stdin (like at the end of  a  pipe).   See  the
-              section target specification for more information on the expres-
-              sions you fill the file with.
-
-       -iR <num hosts>
-              This option tells Nmap to generate its own hosts to scan by sim-
-              ply  picking  random  numbers  :).   It will never end after the
-              given number of IPs has been scanned -- use 0 for a never-ending
-              scan.  This option can be useful for statistical sampling of the
-              Internet to estimate various things.  If  you  are  ever  really
-              bored,  try  nmap -sS -PS80 -iR 0 -p 80 to find some web servers
-              to look at.
-
-       -p <port ranges>
-              This option specifies what ports you want to specify. For  exam-
-              ple  "-p  23"  will only try port 23 of the target host(s).  "-p
-              20-30,139,60000-" scans ports between 20 and 30, port  139,  and
-              all  ports greater than 60000.  The default is to scan all ports
-              between 1 and 1024 as well as any ports listed in  the  services
-              file  which  comes  with  nmap.  For IP protocol scanning (-sO),
-              this specifies the protocol number you wish to scan for (0-255).
-
-              When scanning both TCP and UDP ports, you can specify a particu-
-              lar protocol by preceding the port numbers by "T:" or "U:".  The
-              qualifier  lasts until you specify another qualifier.  For exam-
-              ple, the argument  "-p  U:53,111,137,T:21-25,80,139,8080"  would
-              scan  UDP ports 53,111,and 137, as well as the listed TCP ports.
-              Note that to scan both UDP & TCP, you have to specify -sU and at
-              least  one TCP scan type (such as -sS, -sF, or -sT).  If no pro-
-              tocol qualifier is given, the port numbers are added to all pro-
-              tocol lists.
-
-       -F Fast scan mode.
-              Specifies  that  you  only  wish to scan for ports listed in the
-              services file which comes with nmap (or the protocols  file  for
-              -sO).   This  is  obviously  much faster than scanning all 65535
-              ports on a host.
-
-       -D <decoy1 [,decoy2][,ME],...>
-              Causes a decoy scan to be performed which makes it appear to the
-              remote  host that the host(s) you specify as decoys are scanning
-              the target network too.  Thus their IDS might report  5-10  port
-              scans from unique IP addresses, but they won’t know which IP was
-              scanning them and which were innocent decoys.  While this can be
-              defeated  through  router  path  tracing, response-dropping, and
-              other "active" mechanisms, it is generally an  extremely  effec-
-              tive technique for hiding your IP address.
-
-              Separate each decoy host with commas, and you can optionally use
-              "ME" as one of the decoys to represent  the  position  you  want
-              your IP address to be used.  If you put "ME" in the 6th position
-              or later,  some  common  port  scan  detectors  (such  as  Solar
-              Designer’s  excellent  scanlogd)  are  unlikely  to show your IP
-              address at all.  If you don’t use "ME", nmap will put you  in  a
-              random position.
-
-              Note  that the hosts you use as decoys should be up or you might
-              accidentally SYN flood your targets.  Also  it  will  be  pretty
-              easy to determine which host is scanning if only one is actually
-              up on the network.  You might want to use IP  addresses  instead
-              of  names  (so  the  decoy networks don’t see you in their name-
-              server logs).
-
-              Also note that some "port  scan  detectors"  will  firewall/deny
-              routing  to  hosts that attempt port scans.  The problem is that
-              many scan types can be forged (as this option demonstrates).  So
-              attackers  can  cause  such a machine to sever connectivity with
-              important hosts such as its internet gateway, DNS  TLD  servers,
-              sites  like  Windows  Update,  etc.   Most  such software offers
-              whitelist capabilities, but you are unlikely to enumerate all of
-              the  critical machines.  For this reason we never recommend tak-
-              ing action against port scans that can be forged, including  SYN
-              scans,  UDP  scans,  etc.  The machine you block could just be a
-              decoy.
-
-              Decoys are used both in the initial ping scan (using ICMP,  SYN,
-              ACK,  or  whatever)  and  during the actual port scanning phase.
-              Decoys are also used during remote OS detection ( -O ).
-
-              It is worth noting that using too many decoys may slow your scan
-              and  potentially  even  make  it less accurate.  Also, some ISPs
-              will filter out your spoofed packets, although  many  (currently
-              most) do not restrict spoofed IP packets at all.
-
-       -S <IP_Address>
-              In  some  circumstances,  nmap may not be able to determine your
-              source address ( nmap will tell you if this is  the  case).   In
-              this  situation,  use  -S with your IP address (of the interface
-              you wish to send packets through).
-
-              Another possible use of this flag is to spoof the scan  to  make
-              the targets think that someone else is scanning them.  Imagine a
-              company being repeatedly port scanned by a competitor!  This  is
-              not  a  supported  usage  (or the main purpose) of this flag.  I
-              just think it raises  an  interesting  possibility  that  people
-              should  be aware of before they go accusing others of port scan-
-              ning them.  -e would generally be  required  for  this  sort  of
-              usage.
-
-       -e <interface>
-              Tells  nmap what interface to send and receive packets on.  Nmap
-              should be able to detect this but it will tell you if it cannot.
-
-       --source_port <portnumber>
-              Sets  the source port number used in scans.  Many naive firewall
-              and packet filter installations make an exception in their rule-
-              set  to  allow DNS (53) or FTP-DATA (20) packets to come through
-              and establish a connection.  Obviously this completely  subverts
-              the security advantages of the firewall since intruders can just
-              masquerade as FTP or DNS by modifying their source port.   Obvi-
-              ously  for  a  UDP  scan  you  should try 53 first and TCP scans
-              should try 20 before 53.  Note that this is only  a  request  --
-              nmap will honor it only if and when it is able to.  For example,
-              you can’t do TCP ISN sampling all  from  one  host:port  to  one
-              host:port, so nmap changes the source port even if you used this
-              option.  This is an alias for the shorter, but harder to  remem-
-              ber, -g option.
-
-              Be aware that there is a small performance penalty on some scans
-              for using this option, because I sometimes store useful informa-
-              tion in the source port number.
-
-       --data_length <number>
-              Normally  Nmap  sends  minimalistic  packets that only contain a
-              header.  So its TCP packets are generally 40 bytes and ICMP echo
-              requests  are  just  28.   This  option tells Nmap to append the
-              given number of random bytes to most of the  packets  it  sends.
-              OS detection (-O) packets are not affected, but most pinging and
-              portscan packets are.   This  slows  things  down,  but  can  be
-              slightly less conspicuous.
-
-       -n     Tells  Nmap  to NEVER do reverse DNS resolution on the active IP
-              addresses it finds.  Since DNS is  often  slow,  this  can  help
-              speed things up.
-
-       -R     Tells  Nmap to ALWAYS do reverse DNS resolution on the target IP
-              addresses.  Normally this is only done when a machine  is  found
-              to be alive.
-
-       -r     Tells  Nmap  NOT  to  randomize  the  order  in  which ports are
-              scanned.
-
-       --ttl <value>
-              Sets the IPv4 time to live field in sent packets  to  the  given
-              value.
-
-       --privileged
-              Tells Nmap to simply assume that it is privileged enough to per-
-              form raw socket sends, packet sniffing, and  similar  operations
-              that  usually  require  root  privileges  on  UNIX  systems.  By
-              default  Nmap  bails  if  such  operations  are  requested   but
-              geteuid() is not zero.  --privileged is useful with Linux kernel
-              capabilities and similar systems that may be configured to allow
-              unprivileged users to perform raw-packet scans.  Be sure to pro-
-              vide this option flag before any flags for options that  require
-              privileges  (SYN scan, OS detection, etc.).  The NMAP_PRIVILEGED
-              variable may be set as an equivalent alternative --privileged.
-
-       --interactive
-              Starts Nmap in interactive mode,  which  offers  an  interactive
-              Nmap  prompt  allowing  easy launching of multiple scans (either
-              synchronously or in the background). This is useful  for  people
-              who  scan  from  multi-user  systems  -- they often want to test
-              their security without letting everyone else on the system  know
-              exactly  which  systems  they are scanning. Use --interactive to
-              activate this mode and then type usually more familiar and  fea-
-              ture-complete.
-
-       --randomize_hosts
-              Tells  Nmap  to shuffle each group of up to 2048 hosts before it
-              scans them.  This can make the scans  less  obvious  to  various
-              network  monitoring systems, especially when you combine it with
-              slow timing options (see below).
-
-       -M <max sockets>
-              Sets the maximum number of sockets that will be used in parallel
-              for  a TCP connect() scan (the default).  This is useful to slow
-              down the scan a little bit and avoid crashing  remote  machines.
-              Another  approach  is  to use -sS, which is generally easier for
-              machines to handle.
-
-       --packet_trace
-              Tells Nmap to show all the packets it sends and  receives  in  a
-              tcpdump-like format.  This can be tremendously useful for debug-
-              ging, and is also a good learning tool.
-
-       --datadir [directoryname]
-              Nmap obtains some special data at runtime in files  named  nmap-
-              service-probes,  nmap-services,  nmap-protocols, nmap-rpc, nmap-
-              mac-prefixes, and  nmap-os-fingerprints.   Nmap  first  searches
-              these files in the directory option to --datadir.  Any files not
-              found there, are searched for in the directory specified by  the
-              NMAPDIR environmental variable.  Next comes ~/.nmap for real and
-              effective UIDs (POSIX systems only) or location of the Nmap exe-
-              cutable  (Win32  only),  and then a compiled-in location such as
-              /usr/local/share/nmap or /usr/share/nmap .  As  a  last  resort,
-              Nmap will look in the current directory.
-
-       TIMING OPTIONS
-              Generally  Nmap does a good job at adjusting for Network charac-
-              teristics at runtime and scanning as fast as possible while min-
-              imizing  that chances of hosts/ports going undetected.  However,
-              there are same cases where Nmap’s default timing policy may  not
-              meet  your  objectives.   The  following  options provide a fine
-              level of control over the scan timing:
-
-       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-              These are canned timing  policies  for  conveniently  expressing
-              your priorities to Nmap.  Paranoid mode scans very slowly in the
-              hopes of avoiding detection by IDS systems.  It  serializes  all
-              scans (no parallel scanning) and generally waits at least 5 min-
-              utes between sending packets.  Sneaky is similar, except it only
-              waits  15  seconds  between sending packets.  Polite is meant to
-              ease load on the network and  reduce  the  chances  of  crashing
-              machines.   It serializes the probes and waits at least 0.4 sec-
-              onds between them.  Note that this  is  generally  at  least  an
-              order  of  magnitude  slower  than default scans, so only use it
-              when you need to.  Normal is the default  Nmap  behavior,  which
-              tries to run as quickly as possible without overloading the net-
-              work or missing hosts/ports.  Aggressive This  option  can  make
-              certain  scans  (especially  SYN  scans against heavily filtered
-              hosts) much faster.  It is recommended for impatient folks  with
-              a  fast  net  connection.  Insane is only suitable for very fast
-              networks or where you don’t mind losing  some  information.   It
-              times  out hosts in 15 minutes and won’t wait more than 0.3 sec-
-              onds for individual probes.  It does allow for very  quick  net-
-              work sweeps though :).
-
-              You  can  also  reference  these  by number (0-5).  For example,
-              "-T0" gives you Paranoid mode and "-T5" is Insane mode.  If  you
-              wish  to set specific timing values such as --max_rtt_timeout or
-              --host_timeout, place them after any -T option  on  the  command
-              line.   Otherwise the defaults for the selected timing mode will
-              override your choices.
-
-       --host_timeout <milliseconds>
-              Specifies the amount of time Nmap is allowed to spend scanning a
-              single  host  before  giving  up on that IP.  The default timing
-              mode has no host timeout.
-
-       --max_rtt_timeout <milliseconds>
-              Specifies the maximum amount of time Nmap is allowed to wait for
-              a  probe  response before retransmitting or timing out that par-
-              ticular probe.  The default mode sets this to about 9000.
-
-       --min_rtt_timeout <milliseconds>
-              When the target hosts start to establish a pattern of responding
-              very  quickly,  Nmap  will  shrink  the amount of time given per
-              probe.  This speeds up the scan, but can lead to missed  packets
-              when  a  response  takes longer than usual.  With this parameter
-              you can guarantee that Nmap will wait at least the given  amount
-              of time before giving up on a probe.
-
-       --initial_rtt_timeout <milliseconds>
-              Specifies  the  initial  probe  timeout.  This is generally only
-              useful when scanning firewalled hosts with -P0.   Normally  Nmap
-              can  obtain  good  RTT estimates from the ping and the first few
-              probes.  The default mode uses 6000.
-
-       --max_hostgroup <numhosts>
-              Specifies the maximum number of hosts that Nmap  is  allowed  to
-              scan  in  parallel.   Most  of  the port scan techniques support
-              multi-host operation, which makes them much quicker.   Spreading
-              the  load  among  multiple target hosts makes the scans gentler.
-              The downside is increased results latency.  You need to wait for
-              all  hosts  in a group to finish, rather than having them pop up
-              one by one.  Specify an argument of one for old-style (one  host
-              at  a  time)  Nmap behavior.  Note that the ping scanner handles
-              its own grouping, and ignores this value.
-
-       --min_hostgroup <numhosts>
-              Specifies the minimum host  group  size  (see  previous  entry).
-              Large  values  (such  as 50) are often beneficial for unattended
-              scans, though they do take up more memory.   Nmap  may  override
-              this  preference  when it needs to, because a group must all use
-              the same network interface, and some scan types can only  handle
-              one host at a time.
-
-       --max_parallelism <number>
-              Specifies the maximum number of scans Nmap is allowed to perform
-              in parallel.  Setting this to one means Nmap will never  try  to
-              scan more than 1 port at a time.  It also effects other parallel
-              scans such as ping sweep, RPC scan, etc.
-
-       --min_parallelism <number>
-              Tells Nmap to scan at least the given number of ports in  paral-
-              lel.   This  can speed up scans against certain firewalled hosts
-              by an order of magnitude.  But be careful -- results will become
-              unreliable if you push it too far.
-
-       --scan_delay <milliseconds>
-              Specifies  the  minimum  amount  of  time Nmap must wait between
-              probes.  This is mostly useful to reduce network load or to slow
-              the  scan  way  down  to  sneak under IDS thresholds.  Nmap will
-              sometimes increase the delay itself when it detects many dropped
-              packets.  For example, Solaris systems tend to respond with only
-              one ICMP port unreachable packet per second during a  UDP  scan.
-              So Nmap will try to detect this and lower its rate of UDP probes
-              to one per second.
-
-       --max_scan_delay <milliseconds>
-              As noted above, Nmap will  sometimes  enforce  a  special  delay
-              between sending packets.  This can provide more accurate results
-              while reducing network congestion, but it  can  slow  the  scans
-              down  substantially.  By default (with no -T options specified),
-              Nmap allows this delay to grow to one second  per  probe.   This
-              option allows you to set a lower or higher maximum.  Even if you
-              set it to zero, Nmap will have some delay between  packet  sends
-              so that it can wait for responses and avoid having too many out-
-              standing probes in parallel.
+
OPTIONS SUMMARY
+       This options summary is printed when Nmap is run with no arguments, and
+       the latest version is always available at
+       http://www.insecure.org/nmap/data/nmap.usage.txt. It helps people
+       remember the most common options, but is no substitute for the in-depth
+       documentation in the rest of this manual. Some obscure options aren’t
+       even included here.
+
+       Usage: nmap [Scan Type(s)] [Options] {target specification}
+       TARGET SPECIFICATION:
+         Can pass hostnames, IP addresses, networks, etc.
+         Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254
+         -iL <inputfilename>: Input from list of hosts/networks
+         -iR <num hosts>: Choose random targets
+         --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
+         --excludefile <exclude_file>: Exclude list from file
+       HOST DISCOVERY:
+         -sL: List Scan - simply list targets to scan
+         -sP: Ping Scan - go no further than determining if host is online
+         -P0: Treat all hosts as online -- skip host discovery
+         -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports
+         -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
+         -n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve]
+       SCAN TECHNIQUES:
+         -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
+         -sN/sF/sX: TCP Null, FIN, and Xmas scans
+         --scanflags <flags>: Customize TCP scan flags
+         -sI <zombie host[:probeport]>: Idlescan
+         -sO: IP protocol scan
+         -b <ftp relay host>: FTP bounce scan
+       PORT SPECIFICATION AND SCAN ORDER:
+         -p <port ranges>: Only scan specified ports
+           Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
+         -F: Fast - Scan only the ports listed in the nmap-services file)
+         -r: Scan ports consecutively - don’t randomize
+       SERVICE/VERSION DETECTION:
+         -sV: Probe open ports to determine service/version info
+         --version_light: Limit to most likely probes for faster identification
+         --version_all: Try every single probe for version detection
+         --version_trace: Show detailed version scan activity (for debugging)
+       OS DETECTION:
+         -O: Enable OS detection
+         --osscan_limit: Limit OS detection to promising targets
+         --osscan_guess: Guess OS more aggressively
+       TIMING AND PERFORMANCE:
+         -T[0-6]: Set timing template (higher is faster)
+         --min_hostgroup/max_hostgroup <msec>: Parallel host scan group sizes
+         --min_parallelism/max_parallelism <msec>: Probe parallelization
+         --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout <msec>: Specifies
+             probe round trip time.
+         --host_timeout <msec>: Give up on target after this long
+         --scan_delay/--max_scan_delay <msec>: Adjust delay between probes
+       FIREWALL/IDS EVASION AND SPOOFING:
+         -f; --mtu <val>: fragment packets (optionally w/given MTU)
+         -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
+         -S <IP_Address>: Spoof source address
+         -e <iface>: Use specified interface
+         -g/--source_port <portnum>: Use given port number
+         --data_length <num>: Append random data to sent packets
+         --ttl <val>: Set IP time-to-live field
+         --spoof_mac <mac address, prefix, or vendor name>: Spoof your MAC address
+       OUTPUT:
+         -oN/-oX/-oS/-oG <file>: Output scan results in normal, XML, s|<rIpt kIddi3,
+            and Grepable format, respectively, to the given filename.
+         -oA <basename>: Output in the three major formats at once
+         -v: Increase verbosity level (use twice for more effect)
+         -d[level]: Set or increase debugging level (Up to 9 is meaningful)
+         --packet_trace: Show all packets sent and received
+         --iflist: Print host interfaces and routes (for debugging)
+         --append_output: Append to rather than clobber specified output files
+         --resume <filename>: Resume an aborted scan
+         --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
+         --no_stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output
+       MISC:
+         -6: Enable IPv6 scanning
+         -A: Enables OS detection and Version detection
+         --datadir <dirname>: Specify custom Nmap data file location
+         --send_eth/--send_ip: Send packets using raw ethernet frames or IP packets
+         --privileged: Assume that the user is fully privileged
+         -V: Print version number
+         -h: Print this help summary page.
+       EXAMPLES:
+         nmap -v -A scanme.nmap.org
+         nmap -v -sP 192.168.0.0/16 10.0.0.0/8
+         nmap -v -iR 10000 -P0 -p 80
 
 
 
 

 
TARGET SPECIFICATION
-       Everything that isn’t an option (or option argument) in nmap is treated
-       as  a  target  host specification.  The simplest case is listing single
-       hostnames or IP addresses on the command line.  If you want to  scan  a
-       subnet  of  IP  addresses,  you  can append /mask to the hostname or IP
-       address.  mask must be between 0 (scan the whole Internet) and 32 (scan
-       the  single  host  specified).  Use /24 to scan a class "C" address and
-       /16 for a class "B".
+       Everything on the Nmap command-line that isn’t an option (or option
+       argument) is treated as a target host specification. The simplest case
+       is to specify a target IP address or hostname for scanning.
 
-       Nmap also has a more powerful notation which lets  you  specify  an  IP
-       address  using  lists/ranges  for  each element.  Thus you can scan the
-       whole class "B" network  192.168.*.*  by  specifying  "192.168.*.*"  or
-       "192.168.0-255.0-255" or even "192.168.1-50,51-255.1,2,3,4,5-255".  And
-       of course you can use the mask notation: "192.168.0.0/16".   These  are
-       all  equivalent.  If you use asterisks ("*"), remember that most shells
-       require you to escape them with  back  slashes  or  protect  them  with
-       quotes.
+       Sometimes you wish to scan a whole network of adjacent hosts. For this,
+       Nmap supports CIDR-style addressing. You can append /numbits to an IP
+       address or hostname and Nmap will scan every IP address for which the
+       first numbits are the same as for the reference IP or hostname given.
+       For example, 192.168.10.0/24 would scan the 256 hosts between
+       192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and
+       192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
+       inclusive. 192.168.10.40/24 would do exactly the same thing. Given that
+       the host scanme.nmap.org is at the IP address 205.217.153.62, the
+       specification scanme.nmap.org/16 would scan the 65,536 IP addresses
+       between 205.217.0.0 and 205.217.255.255. The smallest allowed value is
+       /1, which scans half the Internet. The largest value is 32, which scans
+       just the named host or IP address because all address bits are fixed.
 
-       Another  interesting  thing  to do is slice the Internet the other way.
-       Instead of scanning all the hosts in a class "B", scan  "*.*.5.6-7"  to
-       scan  every IP address that ends in .5.6 or .5.7 Pick your own numbers.
-       For more information on specifying hosts to scan, see the examples sec-
-       tion.
+       CIDR notation is short but not always flexible enough. For example, you
+       might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or
+       .255 because they are commonly broadcast addresses. Nmap supports this
+       through octet range addressing. Rather than specify a normal IP
+       address, you can specify a comma separated list of numbers or ranges
+       for each octet. For example, 192.168.0-255.1-254 will skip all
+       addresses in the range that end in .0 and or .255. Ranges need not be
+       limited to the final octects: the specifier 0-255.0-255.13.37 will
+       perform an Internet-wide scan for all IP addresses ending in 13.37.
+       This sort of broad sampling can be useful for Internet surveys and
+       research.
+
+       IPv6 addresses can only be specified by their fully qualified IPv6
+       address or hostname. CIDR and octet ranges aren’t supported for IPv6
+       because they are rarely useful.
+
+       Nmap accepts multiple host specifications on the command line, and they
+       don’t need to be the same type. The command nmap scanme.nmap.org
+       192.168.0.0/8 10.0.0,1,3-7.0-255 does what you would expect.
+
+       While targets are usually specified on the command lines, the following
+       options are also available to control target selection:
+
+       -iL <inputfilename> (Input from list)
+              Reads target specifications from inputfilename. Passing a huge
+              list of hosts is often awkward on the command line, yet it is a
+              common desire. For example, your DHCP server might export a list
+              of 10,000 current leases that you wish to scan. Or maybe you
+              want to scan all IP addresses except for those to locate hosts
+              using unauthorized static IP addresses. Simply generate the list
+              of hosts to scan and pass that filename to Nmap as an argument
+              to the -iL option. Entries can be in any of the formats accepted
+              by Nmap on the command line (IP address, hostname, CIDR, IPv6,
+              or octet ranges). Each entry must be separated by one or more
+              spaces, tabs, or newlines. You can specify a hyphen (-) as the
+              filename if you want Nmap to read hosts from standard input
+              rather than an actual file.
+
+       -iR <num hosts> (Choose random targets)
+              For Internet-wide surveys and other research, you may want to
+              choose targets at random. The num hosts argument tells Nmap how
+              many IPs to generate. Undesirable IPs such as those in certain
+              private, multicast, or unallocated address ranges are
+              automatically skipped. The argument 0 can be specified for a
+              never-ending scan. Keep in mind that some network administrators
+              bristle at unauthorized scans of their networks and may
+              complain. Use this option at your own risk! If you find yourself
+              really bored one rainy afternoon, try the command nmap -sS -PS80
+              -iR 0 -p 80 to locate random web servers for browsing.
+
+       --exclude <host1[,host2][,host3],...> (Exclude hosts/networks)
+              Specifies a comma-separated list of targets to be excluded from
+              the scan even if they are part of the overall network range you
+              specify. The list you pass in uses normal Nmap syntax, so it can
+              include hostnames, CIDR netblocks, octet ranges, etc. This can
+              be useful when the network you wish to scan includes untouchable
+              mission-critical servers, systems that are known to react
+              adversely to port scans, or subnetworks administered by other
+              people.
+
+       --excludefile <exclude_file> (Exclude list from file)
+              This offers the same functionality as the --exclude option,
+              except that the excluded targets are provided in a newline,
+              space, or tab delimited exclude_file rather than on the command
+              line.
+
+
+

+
HOST DISCOVERY
+       One of the very first steps in any network reconnaissance mission is to
+       reduce a (sometimes huge) set of IP ranges into a list of active or
+       interesting hosts. Scanning every port of every single IP address is
+       slow and usually unnecessary. Of course what makes a host interesting
+       depends greatly on the scan purposes. Network administrators may only
+       be interested in hosts running a certain service, while security
+       auditors may care about every single device with an IP address. An
+       administrator may be comfortable using just an ICMP ping to locate
+       hosts on his internal network, while an external penetration tester may
+       use a diverse set of dozens of probes in an attempt to evade firewall
+       restrictions.
+
+       Because host discovery needs are so diverse, Nmap offers a wide variety
+       of options for customizing the techniques used. Host discovery is
+       sometimes called ping scan, but it goes well beyond the simple ICMP
+       echo request packets associated with the ubiquitous ping tool. Users
+       can skip the ping step entirely with a list scan (-sL) or by disabling
+       ping (-P0), or engage the network with arbitrary combinations of
+       multi-port TCP SYN/ACK, UDP, and ICMP probes. The goal of these probes
+       is to solicit responses which demonstrate that an IP address is
+       actually active (is being used by a host or network device). On many
+       networks, only a small percentage of IP addresses are active at any
+       given time. This is particularly common with RFC1918-blessed private
+       address space such as 10.0.0.0/8. That network has 16 million IPs, but
+       I have seen it used by companies with less than a thousand machines.
+       Host discovery can find those machines in a sparsely allocated sea of
+       IP addresses.
+
+       If no host discovery options are given, Nmap sends a TCP ACK packet
+       destined for port 80 and an ICMP Echo Request query to each target
+       machine. An exception to this is that an ARP scan is used for any
+       targets which are on a local ethernet network. For unprivileged UNIX
+       shell users, a SYN packet is sent instead of the ack using the
+       connect() system call. These defaults are equivalent to the -PA -PE
+       options. This host discovery is often sufficent when scanning local
+       networks, but a more comprehensive set of discovery probes is
+       recommended for security auditing.
+
+       The -P* options (which select ping types) can be combined. You can
+       increase your odds of penetrating strict firewalls by sending many
+       probe types using different TCP ports/flags and ICMP codes. Also note
+       that ARP discovery (-PR) is done by default against targets on a local
+       ethernet network even if you specify other -P* options, because it is
+       almost always faster and more effective.
+
+       The following options control host discovery.
+
+       -sL (List Scan)
+              The list scan is a degenerate form of host discovery that simply
+              lists each host of the network(s) specified, without sending any
+              packets to the target hosts. By default, Nmap still does
+              reverse-DNS resolution on the hosts to learn their names. It is
+              often surprising how much useful information simple hostnames
+              give out. For example, fw.chi.playboy.com is the firewall for
+              the Chicago office of Playboy Enterprises. Nmap also reports the
+              total number of IP addresses at the end. The list scan is a good
+              sanity check to ensure that you have proper IP addresses for
+              your targets. If the hosts sport domain names you do not
+              recognize, it is worth investigating further to prevent scanning
+              the wrong company’s network.
+
+              Since the idea is to simply print a list of target hosts,
+              options for higher level functionality such as port scanning, OS
+              detection, or ping scanning cannot be combined with this. If you
+              wish to disable ping scanning while still performing such higher
+              level functionality, read up on the -P0 option.
+
+       -sP (Ping Scan)
+              This option tells Nmap to only perform a ping scan (host
+              discovery), then print out the available hosts that responded to
+              the scan. No further testing (such as port scanning or OS
+              detection) is performed. This is one step more intrusive than
+              the list scan, and can often be used for the same purposes. It
+              allows light reconnaissance of a target network without
+              attracting much attention. Knowing how many hosts are up is more
+              valuable to attackers than the list provided by list scan of
+              every single IP and host name.
+
+              Systems administrators often find this option valuable as well.
+              It can easily be used to count available machines on a network
+              or monitor server availability. This is often called a ping
+              sweep, and is more reliable than pinging the broadcast address
+              because many hosts do not reply to broadcast queries.
+
+              The -sP option sends an ICMP echo request and a TCP packet to
+              port 80 by default. When executed by an unprivileged user, a SYN
+              packet is sent (using a connect() call) to port 80 on the
+              target. When a privileged user tries to scan targets on a local
+              ethernet network, ARP requests (-PR) are used unless --send_ip
+              was specified. The -sP option can be combined with any of the
+              discovery probe types (the -P* options, excluding -P0) for
+              greater flexibility. If any of those probe type and port number
+              options are used, the default probes (ACK and echo request) are
+              overridden. When strict firewalls are in place between the
+              source host running Nmap and the target network, using those
+              advanced techniques is recommended. Otherwise hosts could be
+              missed when the firewall drops probes or their responses.
+
+       -P0 (No ping)
+              This option skips the Nmap discovery stage altogether. Normally,
+              Nmap uses this stage to determine active machines for heavier
+              scanning. By default, Nmap only performs heavy probing such as
+              port scans, version detection, or OS detection against hosts
+              that are found to be up. Disabling host discovery with -P0
+              causes Nmap to attempt the requested scanning functions against
+              every target IP address specified. So if a class B sized target
+              address space (/16) is specified on the command line, all 65,536
+              IP addresses are scanned. That second option character in -P0 is
+              a zero and not the letter O. Proper host discovery is skipped as
+              with the list scan, but instead of stopping and printing the
+              target list, Nmap continues to perform requested functions as if
+              each target IP is active.
+
+       -PS [portlist] (TCP SYN Ping)
+              This option sends an empty TCP packet with the SYN flag set. The
+              default destination port is 80 (configurable at compile time by
+              changing DEFAULT_TCP_PROBE_PORT in nmap.h), but an alternate
+              port can be specified as a parameter. A comma separated list of
+              ports can even be specified (e.g.
+              -PS22,23,25,80,113,1050,35000), in which case probes will be
+              attempted against each port in parallel.
+
+              The SYN flag suggests to the remote system that you are
+              attempting to establish a connection. Normally the destination
+              port will be closed, and a RST (reset) packet sent back. If the
+              port happens to be open, the target will take the second step of
+              a TCP 3-way-handshake by responding with a SYN/ACK TCP packet.
+              The machine running Nmap then tears down the nascent connection
+              by responding with a RST rather than sending an ACK packet which
+              would complete the 3-way-handshake and establish a full
+              connection. The RST packet is sent by the kernel of the machine
+              running Nmap in response to the unexpected SYN/ACK, not by Nmap
+              itself.
+
+              Nmap does not care whether the port is open or closed. Either
+              the RST or SYN/ACK response discussed previously tell Nmap that
+              the host is available and responsive.
+
+              On UNIX boxes, only the privileged user root is generally able
+              to send and receive raw TCP packets. For unprivileged users, a
+              workaround is automatically employed whereby the connect()
+              system call is initiated against each target port. This has the
+              effect of sending a SYN packet to the target host, in an attempt
+              to establish a connection. If connect() returns with a quick
+              success or an ECONNREFUSED failure, the underlying TCP stack
+              must have received a SYN/ACK or RST and the host is marked
+              available. If the connection attempt is left hanging until a
+              timeout is reached, the host is marked as down. This workaround
+              is also used for IPv6 connections, as raw IPv6 packet building
+              support is not yet available in Nmap.
+
+       -PA [portlist] (TCP ACK Ping)
+              The TCP ACK ping is quite similar to the just-discussed SYN
+              ping. The difference, as you could likely guess, is that the TCP
+              ACK flag is set instead of the SYN flag. Such an ACK packet
+              purports to be acknowledging data over an established TCP
+              connection, but no such connection exists. So remote hosts
+              should always respond with a RST packet, disclosing their
+              existence in the process.
+
+              The -PA option uses the same default port as the SYN probe (80)
+              and can also take a list of destination ports in the same
+              format. If an unprivileged user tries this, or an IPv6 target is
+              specified, the connect() workaround discussed previously is
+              used. This workaround is imperfect because connect() is actually
+              sending a SYN packet rather than an ACK.
+
+              The reason for offering both SYN and ACK ping probes is to
+              maximize the chances of bypassing firewalls. Many administrators
+              configure routers and other simple firewalls to block incoming
+              SYN packets except for those destined for public services like
+              the company web site or mail server. This prevents other
+              incoming connections to the organization, while allowing users
+              to make unobstructed outgoing connections to the Internet. This
+              non-stateful approach takes up few resources on the
+              firewall/router and is widely supported by hardware and software
+              filters. The Linux Netfilter/iptables firewall software offers
+              the --syn convenience option to implement this stateless
+              approach. When stateless firewall rules such as this are in
+              place, SYN ping probes (-PS) are likely to be blocked when sent
+              to closed target ports. In such cases, the ACK probe shines as
+              it cuts right through these rules.
+
+              Another common type of firewall uses stateful rules that drop
+              unexpected packets. This feature was initially found mostly on
+              high-end firewalls, though it has become much more common over
+              the years. The Linux Netfilter/iptables system supports this
+              through the --state option, which categorizes packets based on
+              connection state. A SYN probe is more likely to work against
+              such a system, as unexpected ACK packets are generally
+              recognized as bogus and dropped. A solution to this quandary is
+              to send both SYN and ACK probes by specifying -PS and -PA.
+
+       -PU [portlist] (UDP Ping)
+              Another host discovery option is the UDP ping, which sends an
+              empty (unless --data_length is specified) UDP packet to the
+              given ports. The portlist takes the same format as with the
+              previously discussed -PS and -PA options. If no ports are
+              specified, the default is 31338. This default can be configured
+              at compile-time by changing DEFAULT_UDP_PROBE_PORT in nmap.h. A
+              highly uncommon port is used by default because sending to open
+              ports is often undesirable for this particular scan type.
+
+              Upon hitting a closed port on the target machine, the UDP probe
+              should elicit an ICMP port unreachable packet in return. This
+              signifies to Nmap that the machine is up and available. Many
+              other types of ICMP errors, such as host/network unreachables or
+              TTL exceeded are indicative of a down or unreachable host. A
+              lack of response is also interpreted this way. If an open port
+              is reached, most services simply ignore the empty packet and
+              fail to return any response. This is why the default probe port
+              is 31338, which is highly unlikely to be in use. A few services,
+              such as chargen, will respond to an empty UDP packet, and thus
+              disclose to Nmap that the machine is available.
+
+              The primary advantage of this scan type is that it bypasses
+              firewalls and filters that only screen TCP. For example, I once
+              owned a Linksys BEFW11S4 wireless broadband router. The external
+              interface of this device filtered all TCP ports by default, but
+              UDP probes would still elicit port unreachable messages and thus
+              give away the device.
+
+       -PE; -PP; -PM (ICMP Ping Types)
+              In addition to the unusual TCP and UDP host discovery types
+              discussed previously, Nmap can send the standard packets sent by
+              the ubiquitous ping program. Nmap sends an ICMP type 8 (echo
+              request) packet to the target IP addresses, expecting a type 0
+              (Echo Reply) in return from available hosts. Unfortunately for
+              network explorers, many hosts and firewalls now block these
+              packets, rather than responding as required by [1]RFC 1122. For
+              this reason, ICMP-only scans are rarely reliable enough against
+              unknown targets over the Internet. But for system administrators
+              monitoring an internal network, they can be a practical and
+              efficient approach. Use the -PE option to enable this echo
+              request behavior.
+
+              While echo request is the standard ICMP ping query, Nmap does
+              not stop there. The ICMP standard ([2]RFC 792) also specifies
+              timestamp request, information request, and address mask request
+              packets as codes 13, 15, and 17, respectively. While the
+              ostensible purpose for these queries is to learn information
+              such as address masks and current times, they can easily be used
+              for host discovery. A system that replies is up and available.
+              Nmap does not currently implement information request packets,
+              as they are not widely supported. RFC 1122 insists that “a host
+              SHOULD NOT implement these messages”. Timestamp and address mask
+              queries can be sent with the -PP and -PM options, respectively.
+              A timestamp reply (ICMP code 14) or address mask reply (code 18)
+              discloses that the host is available. These two queries can be
+              valuable when admins specifically block echo request packets
+              while forgetting that other ICMP queries can be used for the
+              same purpose.
+
+       -PR (ARP Ping)
+              One of the most common Nmap usage scenarios is to scan an
+              ethernet LAN. On most LANs, especially those using
+              RFC1918-blessed private address ranges, the vast majority of IP
+              addresses are unused at any given time. When Nmap tries to send
+              a raw IP packet such as an ICMP echo request, the operating
+              system must determine the destination hardware (ARP) address
+              corresponding to the target IP so that it can properly address
+              the ethernet frame. This is often slow and problematic, since
+              operating systems weren’t written with the expectation that they
+              would need to do millions of ARP requests against unavailable
+              hosts in a short time period.
+
+              ARP scan puts Nmap and its optimized algorithms in charge of ARP
+              requests. And if it gets a response back, Nmap doesn’t even need
+              to worry about the IP-based ping packets since it already knows
+              the host is up. This makes ARP scan much faster and more
+              reliable than IP-based scans. So it is done by default when
+              scanning ethernet hosts that Nmap detects are on a local
+              ethernet network. Even if different ping types (such as -PE or
+              -PS) are specified, Nmap uses ARP instead for any of the targets
+              which are on the same LAN. If you absolutely don’t want to do an
+              ARP scan, specify --send_ip.
+
+       -n (No DNS resolution)
+              Tells Nmap to never do reverse DNS resolution on the active IP
+              addresses it finds. Since DNS is often slow, this speeds things
+              up.
+
+       -R (DNS resolution for all targets)
+              Tells Nmap to always do reverse DNS resolution on the target IP
+              addresses. Normally this is only performed when a machine is
+              found to be alive.
+
+       --system_dns (Use system DNS resolver)
+              By default, Nmap resolves IP addresses by sending queries
+              directly to the name servers configured on your host and then
+              listening for responses. Many requests (often dozens) are
+              performed in parallel for performance. Specify this option if
+              you wish to use your system resolver instead (one IP at a time
+              via the getnameinfo() call). This is slower and rarely useful
+              unless there is a bug in the Nmap DNS code -- please contact us
+              if that is the case. The system resolver is always used for IPv6
+              scans.
+
+
+

+
PORT SCANNING BASICS
+       While Nmap has grown in functionality over the years, it began as an
+       efficient port scanner, and that remains its core function. The simple
+       command nmap target scans more than 1660 TCP ports on the host target.
+       While many port scanners have traditionally lumped all ports into the
+       open or closed states, Nmap is much more granular. It divides ports
+       into six states: open, closed, filtered, unfiltered, open|filtered, or
+       closed|filtered.
+
+       These states are not intrinsic properties of the port itself, but
+       describe how Nmap sees them. For example, an Nmap scan from the same
+       network as the target may show port 135/tcp as open, while a scan at
+       the same time with the same options from across the Internet might show
+       that port as filtered.
+
+       The six port states recognized by Nmap
+
+       open   An application is actively accepting TCP connections or UDP
+              packets on this port. Finding these is often the primary goal of
+              port scanning. Security-minded people know that each open port
+              is an avenue for attack. Attackers and pen-testers want to
+              exploit the open ports, while administrators try to close or
+              protect them with firewalls without thwarting legitimate users.
+              Open ports are also interesting for non-security scans because
+              they show services available for use on the network.
+
+       closed A closed port is accessible (it receives and responds to Nmap
+              probe packets), but there is no application listening on it.
+              They can be helpful in showing that a host is up on an IP
+              address (host discovery, or ping scanning), and as part of OS
+              detection. Because closed ports are reachable, it may be worth
+              scanning later in case some open up. Administrators may want to
+              consider blocking such ports with a firewall. Then they would
+              appear in the filtered state, discussed next.
+
+       filtered
+              Nmap cannot determine whether the port is open because packet
+              filtering prevents its probes from reaching the port. The
+              filtering could be from a dedicated firewall device, router
+              rules, or host-based firewall software. These ports frustrate
+              attackers because they provide so little information. Sometimes
+              they respond with ICMP error messages such as type 3 code 13
+              (destination unreachable: communication administratively
+              prohibited), but filters that simply drop probes without
+              responding are far more common. This forces Nmap to retry
+              several times just in case the probe was dropped due to network
+              congestion rather than filtering. This slows down the scan
+              dramatically.
+
+       unfiltered
+              The unfiltered state means that a port is accessible, but Nmap
+              is unable to determine whether it is open or closed. Only the
+              ACK scan, which is used to map firewall rulesets, classifies
+              ports into this state. Scanning unfiltered ports with other scan
+              types such as Window scan, SYN scan, or FIN scan, may help
+              resolve whether the port is open.
+
+       open|filtered
+              Nmap places ports in this state when it is unable to determine
+              whether a port is open or filtered. This occurs for scan types
+              in which open ports give no response. The lack of response could
+              also mean that a packet filter dropped the probe or any response
+              it elicited. So Nmap does not know for sure whether the port is
+              open or being filtered. The UDP, IP Protocol, FIN, Null, and
+              Xmas scans classify ports this way.
+
+       closed|filtered
+              This state is used when Nmap is unable to determine whether a
+              port is closed or filtered. It is only used for the IPID Idle
+              scan.
+
+
+

+
PORT SCANNING TECHNIQUES
+       As a novice performing automotive repair, I can struggle for hours
+       trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to
+       the task at hand. When I fail miserably and tow my jalopy to a real
+       mechanic, he invariably fishes around in a huge tool chest until
+       pulling out the perfect gizmo which makes the job seem effortless. The
+       art of port scanning is similar. Experts understand the dozens of scan
+       techniques and choose the appropriate one (or combination) for a given
+       task. Inexperienced users and script kiddies, on the other hand, try to
+       solve every problem with the default SYN scan. Since Nmap is free, the
+       only barrier to port scanning mastery is knowledge. That certainly
+       beats the automotive world, where it may take great skill to determine
+       that you need a strut spring compressor, then you still have to pay
+       thousands of dollars for it.
+
+       Most of the scan types are only available to privileged users. This is
+       because they send and receive raw packets, which requires root access
+       on UNIX systems. Using an administrator account on Windows is
+       recommended, though Nmap sometimes works for unprivileged users on that
+       platform when WinPcap has already been loaded into the OS. Requiring
+       root privileges was a serious limitation when Nmap was released in
+       1997, as many users only had access to shared shell accounts. Now, the
+       world is different. Computers are cheaper, far more people have
+       always-on direct Internet access, and desktop UNIX systems (including
+       Linux and MAC OS X) are prevalent. A Windows version of Nmap is now
+       available, allowing it to run on even more desktops. For all these
+       reasons, users have less need to run Nmap from limited shared shell
+       accounts. This is fortunate, as the privileged options make Nmap far
+       more powerful and flexible.
+
+       While Nmap attempts to produce accurate results, keep in mind that all
+       of its insights are based on packets returned by the target machines
+       (or firewalls in front of them). Such hosts may be untrustworthy and
+       send responses intended to confuse or mislead Nmap. Much more common
+       are non-RFC-compliant hosts that do not respond as they should to Nmap
+       probes. FIN, Null, and Xmas scans are particularly susceptible to this
+       problem. Such issues are specific to certain scan types and so are
+       discussed in the individual scan type entries.
+
+       This section documents the dozen or so port scan techniques supported
+       by Nmap. Only one method may be used at a time, except that UDP scan
+       (-sU) may be combined with any one of the TCP scan types. As a memory
+       aid, port scan type options are of the form -sC, where C is a prominent
+       character in the scan name, usually the first. The one exception to
+       this is the deprecated FTP bounce scan (-b). By default, Nmap performs
+       a SYN Scan, though it substitutes a Connect() scan if the user does not
+       have proper privileges to send raw packets (requires root access on
+       UNIX) or if IPv6 targets were specified. Of the scans listed in this
+       section, unprivileged users can only execute connect() and ftp bounce
+       scans.
+
+       -sS (TCP SYN scan)
+              SYN scan is the default and most popular scan option for good
+              reasons. It can be performed quickly, scanning thousands of
+              ports per second on a fast network not hampered by intrusive
+              firewalls. SYN scan is relatively unobtrusive and stealthy,
+              since it never completes TCP connections. It also works against
+              any compliant TCP stack rather than depending on idiosyncrasies
+              of specific platforms as Nmap’s Fin/Null/Xmas, Maimon and Idle
+              scans do. It also allows clear, reliable differentiation between
+              the open, closed, and filtered states.
+
+              This technique is often referred to as half-open scanning,
+              because you don’t open a full TCP connection. You send a SYN
+              packet, as if you are going to open a real connection and then
+              wait for a response. A SYN/ACK indicates the port is listening
+              (open), while a RST (reset) is indicative of a non-listener. If
+              no response is received after several retransmissions, the port
+              is marked as filtered. The port is also marked filtered if an
+              ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is
+              received.
+
+       -sT (TCP connect() scan)
+              TCP Connect() scan is the default TCP scan type when SYN scan is
+              not an option. This is the case when a user does not have raw
+              packet privileges or is scanning IPv6 networks. Instead of
+              writing raw packets as most other scan types do, Nmap asks the
+              underlying operating system to establish a connection with the
+              target machine and port by issuing the connect() system call.
+              This is the same high-level system call that web browsers, P2P
+              clients, and most other network-enabled applications use to
+              establish a connection. It is part of a programming interface
+              known as the Berkeley Sockets API. Rather than read raw packet
+              responses off the wire, Nmap uses this API to obtain status
+              information on each connection attempt.
+
+              When SYN scan is available, it is usually a better choice. Nmap
+              has less control over the high level connect() call than with
+              raw packets, making it less efficient. The system call completes
+              connections to open target ports rather than performing the
+              half-open reset that SYN scan does. Not only does this take
+              longer and require more packets to obtain the same information,
+              but target machines are more likely to log the connection. A
+              decent IDS will catch either, but most machines have no such
+              alarm system. Many services on your average UNIX system will add
+              a note to syslog, and sometimes a cryptic error message, when
+              Nmap connects and then closes the connection without sending
+              data. Truly pathetic services crash when this happens, though
+              that is uncommon. An administrator who sees a bunch of
+              connection attempts in her logs from a single system should know
+              that she has been connect scanned.
+
+       -sU (UDP scans)
+              While most popular services on the Internet run over the TCP
+              protocol, [3]UDP services are widely deployed. DNS, SNMP, and
+              DHCP (registered ports 53, 161/162, and 67/68) are three of the
+              most common. Because UDP scanning is generally slower and more
+              difficult than TCP, some security auditors ignore these ports.
+              This is a mistake, as exploitable UDP services are quite common
+              and attackers certainly don’t ignore the whole protocol.
+              Fortunately, Nmap can help inventory UDP ports.
+
+              UDP scan is activated with the -sU option. It can be combined
+              with a TCP scan type such as SYN scan (-sS) to check both
+              protocols during the same run.
+
+              UDP scan works by sending an empty (no data) UDP header to every
+              targeted port. If an ICMP port unreachable error (type 3, code
+              3) is returned, the port is closed. Other ICMP unreachable
+              errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as
+              filtered. Occasionally, a service will respond with a UDP
+              packet, proving that it is open. If no response is received
+              after retransmissions, the port is classified as open|filtered.
+              This means that the port could be open, or perhaps packet
+              filters are blocking the communication. Versions scan (-sV) can
+              be used to help differentiate the truly open ports from the
+              filtered ones.
+
+              A big challenge with UDP scanning is doing it quickly. Open and
+              filtered ports rarely send any response, leaving Nmap to time
+              out and then conduct retransmissions just in case the probe or
+              response were lost. Closed ports are often an even bigger
+              problem. They usually send back an ICMP port unreachable error.
+              But unlike the RST packets sent by closed TCP ports in response
+              to a SYN or Connect scan, many hosts rate limit ICMP port
+              unreachable messages by default. Linux and Solaris are
+              particularly strict about this. For example, the Linux 2.4.20
+              kernel limits destination unreachable messages to one per second
+              (in net/ipv4/icmp.c).
+
+              Nmap detects rate limiting and slows down accordingly to avoid
+              flooding the network with useless packets that the target
+              machine will drop. Unfortunately, a Linux-style limit of one
+              packet per second makes a 65,536-port scan take more than 18
+              hours. Ideas for speeding your UDP scans up include scanning
+              more hosts in parallel, doing a quick scan of just the popular
+              ports first, scanning from behind the firewall, and using
+              --host_timeout to skip slow hosts.
+
+       -sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
+              These three scan types (even more are possible with the
+              --scanflags option described in the next section) exploit a
+              subtle loophole in the [4]TCP RFC to differentiate between open
+              and closed ports. Page 65 says that “if the [destination] port
+              state is CLOSED .... an incoming segment not containing a RST
+              causes a RST to be sent in response.”  Then the next page
+              discusses packets sent to open ports without the SYN, RST, or
+              ACK bits set, stating that: “you are unlikely to get here, but
+              if you do, drop the segment, and return.”
+
+              When scanning systems compliant with this RFC text, any packet
+              not containing SYN, RST, or ACK bits will result in a returned
+              RST if the port is closed and no response at all if the port is
+              open. As long as none of those three bits are included, any
+              combination of the other three (FIN, PSH, and URG) are OK. Nmap
+              exploits this with three scan types:
+
+              Null scan (-sN)
+                     Does not set any bits (tcp flag header is 0)
+
+              FIN scan (-sF)
+                     Sets just the TCP FIN bit.
+
+              Xmas scan (-sX)
+                     Sets the FIN, PSH, and URG flags, lighting the packet up
+                     like a Christmas tree.
+
+              These three scan types are exactly the same in behavior except
+              for the TCP flags set in probe packets. If a RST packet is
+              received, the port is considered closed, while no response means
+              it is open|filtered. The port is marked filtered if an ICMP
+              unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is
+              received.
+
+              The key advantage to these scan types is that they can sneak
+              through certain non-stateful firewalls and packet filtering
+              routers. Another advantage is that these scan types are a little
+              more stealthy than even a SYN scan. Don’t count on this though
+              -- most modern IDS products can be configured to detect them.
+              The big downside is that not all systems follow RFC 793 to the
+              letter. A number of systems send RST responses to the probes
+              regardless of whether the port is open or not. This causes all
+              of the ports to be labeled closed. Major operating systems that
+              do this are Microsoft Windows, many Cisco devices, BSDI, and IBM
+              OS/400. This scan does work against most UNIX-based systems
+              though. Another downside of these scans is that they can’t
+              distinguish open ports from certain filtered ones, leaving you
+              with the response open|filtered.
+
+       -sA (TCP ACK scan)
+              This scan is different than the others discussed so far in that
+              it never determines open (or even open|filtered) ports. It is
+              used to map out firewall rulesets, determining whether they are
+              stateful or not and which ports are filtered.
+
+              The ACK scan probe packet has only the ACK flag set (unless you
+              use --scanflags). When scanning unfiltered systems, open and
+              closed ports will both return a RST packet. Nmap then labels
+              them as unfiltered, meaning that they are reachable by the ACK
+              packet, but whether they are open or closed is undetermined.
+              Ports that don’t respond, or send certain ICMP error messages
+              back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
+
+       -sW (TCP Window scan)
+              Window scan is exactly the same as ACK scan except that it
+              exploits an implementation detail of certain systems to
+              differentiate open ports from closed ones, rather than always
+              printing unfiltered when a RST is returned. It does this by
+              examining the TCP Window field of the RST packets returned. On
+              some systems, open ports use a positive window size (even for
+              RST packets) while closed ones have a zero window. So instead of
+              always listing a port as unfiltered when it receives a RST back,
+              Window scan lists the port as open or closed if the TCP Window
+              value in that reset is positive or zero, respectively.
+
+              This scan relies on an implementation detail of a minority of
+              systems out on the Internet, so you can’t always trust it.
+              Systems that don’t support it will usually return all ports
+              closed. Of course, it is possible that the machine really has no
+              open ports. If most scanned ports are closed but a few common
+              port numbers (such as 22, 25, 53) are filtered, the system is
+              most likely susceptible. Occasionally, systems will even show
+              the exact opposite behavior. If your scan shows 1000 open ports
+              and 3 closed or filtered ports, then those three may very well
+              be the truly open ones.
+
+       -sM (TCP Maimon scan)
+              The Maimon scan is named after its discoverer, Uriel Maimon. He
+              described the technique in Phrack Magazine issue #49 (November
+              1996). Nmap, which included this technique, was released two
+              issues later. This technique is exactly the same as Null, FIN,
+              and Xmas scans, except that the probe is FIN/ACK. According to
+              RFC 793 (TCP), a RST packet should be generated in response to
+              such a probe whether the port is open or closed. However, Uriel
+              noticed that many BSD-derived systems simply drop the packet if
+              the port is open.
+
+       --scanflags (Custom TCP scan)
+              Truly advanced Nmap users need not limit themselves to the
+              canned scan types offered. The --scanflags option allows you to
+              design your own scan by specifying arbitrary TCP flags. Let your
+              creative juices flow, while evading intrusion detection systems
+              whose vendors simply paged through the Nmap man page adding
+              specific rules!
+
+              The --scanflags argument can be a numerical flag value such as 9
+              (PSH and FIN), but using symbolic names is easier. Just mash
+              together any combination of URG, ACK, PSH, RST, SYN, and FIN.
+              For example, --scanflags URGACKPSHRSTSYNFIN sets everything,
+              though it’s not very useful for scanning. The order these are
+              specified in is irrelevant.
+
+              In addition to specifying the desired flags, you can specify a
+              TCP scan type (such as -sA or -sF). That base type tells Nmap
+              how to interpret responses. For example, a SYN scan considers
+              no-response to indicate a filtered port, while a FIN scan treats
+              the same as open|filtered. Nmap will behave the same way it does
+              for the base scan type, except that it will use the TCP flags
+              you specify instead. If you don’t specify a base type, SYN scan
+              is used.
+
+       -sI <zombie host[:probeport]> (Idlescan)
+              This advanced scan method allows for a truly blind TCP port scan
+              of the target (meaning no packets are sent to the target from
+              your real IP address). Instead, a unique side-channel attack
+              exploits predictable IP fragmentation ID sequence generation on
+              the zombie host to glean information about the open ports on the
+              target. IDS systems will display the scan as coming from the
+              zombie machine you specify (which must be up and meet certain
+              criteria). This fascinating scan type is too complex to fully
+              describe in this reference guide, so I wrote and posted an
+              informal paper with full details at
+              http://www.insecure.org/nmap/idlescan.html.
+
+              Besides being extraordinarily stealthy (due to its blind
+              nature), this scan type permits mapping out IP-based trust
+              relationships between machines. The port listing shows open
+              ports from the perspective of the zombie host.  So you can try
+              scanning a target using various zombies that you think might be
+              trusted (via router/packet filter rules).
+
+              You can add a colon followed by a port number to the zombie host
+              if you wish to probe a particular port on the zombie for IPID
+              changes. Otherwise Nmap will use the port it uses by default for
+              tcp pings (80).
+
+       -sO (IP protocol scan)
+              IP Protocol scan allows you to determine which IP protocols
+              (TCP, ICMP, IGMP, etc.) are supported by target machines. This
+              isn’t technically a port scan, since it cycles through IP
+              protocol numbers rather than TCP or UDP port numbers. Yet it
+              still uses the -p option to select scanned protocol numbers,
+              reports its results within the normal port table format, and
+              even uses the same underlying scan engine as the true port
+              scanning methods. So it is close enough to a port scan that it
+              belongs here.
+
+              Besides being useful in its own right, protocol scan
+              demonstrates the power of open source software. While the
+              fundamental idea is pretty simple, I had not thought to add it
+              nor received any requests for such functionality. Then in the
+              summer of 2000, Gerhard Rieger conceived the idea, wrote an
+              excellent patch implementing it, and sent it to the nmap-hackers
+              mailing list. I incorporated that patch into the Nmap tree and
+              released a new version the next day. Few pieces of commercial
+              software have users enthusiastic enough to design and contribute
+              their own improvements!
+
+              Protocol scan works in a similar fashion to UDP scan. Instead of
+              iterating through the port number field of a UDP packet, it
+              sends IP packet headers and iterates through the 8-bit IP
+              protocol field. The headers are usually empty, containing no
+              data and not even the proper header for the claimed protocol.
+              The three exceptions are TCP, UDP, and ICMP. A proper protocol
+              header for those is included since some systems won’t send them
+              otherwise and because Nmap already has functions to create them.
+              Instead of watching for ICMP port unreachable messages, protocol
+              scan is on the lookout for ICMP protocol unreachable messages.
+              If Nmap receives any response in any protocol from the target
+              host, Nmap marks that protocol as open. An ICMP protocol
+              unreachable error (type 3, code 2) causes the protocol to be
+              marked as closed Other ICMP unreachable errors (type 3, code 1,
+              3, 9, 10, or 13) cause the protocol to be marked filtered
+              (though they prove that ICMP is open at the same time). If no
+              response is received after retransmissions, the protocol is
+              marked open|filtered
+
+       -b <ftp relay host> (FTP bounce scan)
+              An interesting feature of the FTP protocol ([5]RFC 959) is
+              support for so-called proxy ftp connections. This allows a user
+              to connect to one FTP server, then ask that files be sent to a
+              third-party server. Such a feature is ripe for abuse on many
+              levels, so most servers have ceased supporting it. One of the
+              abuses this feature allows is causing the FTP server to port
+              scan other hosts. Simply ask the FTP server to send a file to
+              each interesting port of a target host in turn. The error
+              message will describe whether the port is open or not. This is a
+              good way to bypass firewalls because organizational FTP servers
+              are often placed where they have more access to other internal
+              hosts than any old Internet host would. Nmap supports ftp bounce
+              scan with the -b option. It takes an argument of the form
+              username:password@server:port.  Server is the name or IP address
+              of a vulnerable FTP server. As with a normal URL, you may omit
+              username:password, in which case anonymous login credentials
+              (user: anonymous password:-wwwuser@) are used. The port number
+              (and preceding colon) may be omitted as well, in which case the
+              default FTP port (21) on server is used.
+
+              This vulnerability was widespread in 1997 when Nmap was
+              released, but has largely been fixed. Vulnerable servers are
+              still around, so it is worth trying when all else fails. If
+              bypassing a firewall is your goal, scan the target network for
+              open port 21 (or even for any ftp services if you scan all ports
+              with version detection), then try a bounce scan using each. Nmap
+              will tell you whether the host is vulnerable or not. If you are
+              just trying to cover your tracks, you don’t need to (and, in
+              fact, shouldn’t) limit yourself to hosts on the target network.
+              Before you go scanning random Internet addresses for vulnerable
+              FTP servers, consider that sysadmins may not appreciate you
+              abusing their servers in this way.
+
+
+

+
PORT SPECIFICATION AND SCAN ORDER
+       In addition to all of the scan methods discussed previously, Nmap
+       offers options for specifying which ports are scanned and whether the
+       scan order is randomized or sequential. By default, Nmap scans all
+       ports up to and including 1024 as well as higher numbered ports listed
+       in the nmap-services file for the protocol(s) being scanned.
+
+       -p <port ranges> (Only scan specified ports)
+              This option specifies which ports you want to scan and overrides
+              the default. Individual port numbers are OK, as are ranges
+              separated by a hyphen (e.g. 1-1023). The beginning and/or end
+              values of a range may be omitted, causing Nmap to use 1 and
+              65535, respectively. So you can specify -p- to scan ports from 1
+              through 65535. Scanning port zero is allowed if you specify it
+              explicitly. For IP protocol scanning (-sO), this option
+              specifies the protocol numbers you wish to scan for (0-255).
+
+              When scanning both TCP and UDP ports, you can specify a
+              particular protocol by preceding the port numbers by T: or U:.
+              The qualifier lasts until you specify another qualifier. For
+              example, the argument -p U:53,111,137,T:21-25,80,139,8080 would
+              scan UDP ports 53,111,and 137, as well as the listed TCP ports.
+              Note that to scan both UDP & TCP, you have to specify -sU and at
+              least one TCP scan type (such as -sS, -sF, or -sT). If no
+              protocol qualifier is given, the port numbers are added to all
+              protocol lists.
+
+       -F (Fast (limited port) scan)
+              Specifies that you only wish to scan for ports listed in the
+              nmap-services file which comes with nmap (or the protocols file
+              for -sO). This is much faster than scanning all 65535 ports on a
+              host. Because this list contains so many TCP ports (more than
+              1200), the speed difference from a default TCP scan (about 1650
+              ports) isn’t dramatic. The difference can be enormous if you
+              specify your own tiny nmap-services file using the --datadir
+              option.
+
+       -r (Don’t randomize ports)
+              By default, Nmap randomizes the scanned port order (except that
+              certain commonly accessible ports are moved near the beginning
+              for efficiency reasons). This randomization is normally
+              desirable, but you can specify -r for sequential port scanning
+              instead.
+
+
+

+
SERVICE AND VERSION DETECTION
+       Point Nmap at a remote machine and it might tell you that ports 25/tcp,
+       80/tcp, and 53/udp are open. Using its nmap-services database of about
+       2,200 well-known services, Nmap would report that those ports probably
+       correspond to a mail server (SMTP), web server (HTTP), and name server
+       (DNS) respectively. This lookup is usually accurate -- the vast
+       majority of daemons listening on TCP port 25 are, in fact, mail
+       servers. However, you should not bet your security on this! People can
+       and do run services on strange ports.
+
+       Even if Nmap is right, and the hypothetical server above is running
+       SMTP, HTTP, and DNS servers, that is not a lot of information. When
+       doing vulnerability assessments (or even simple network inventories) of
+       your companies or clients, you really want to know which mail and DNS
+       servers and versions are running. Having an accurate version number
+       helps dramatically in determining which exploits a server is vulnerable
+       to. Version detection helps you obtain this information.
+
+       After TCP and/or UDP ports are discovered using one of the other scan
+       methods, version detection interrogates those ports to determine more
+       about what is actually running. The nmap-service-probes database
+       contains probes for querying various services and match expressions to
+       recognize and parse responses. Nmap tries to determine the service
+       protocol (e.g. ftp, ssh, telnet, http), the application name (e.g. ISC
+       Bind, Apache httpd, Solaris telnetd), the version number, hostname,
+       device type (e.g. printer, router), the OS family (e.g. Windows, Linux)
+       and sometimes miscellaneous details like whether an X server is open to
+       connections, the SSH protocol version, or the KaZaA user name). Of
+       course, most services don’t provide all of this information. If Nmap
+       was compiled with OpenSSL support, it will connect to SSL servers to
+       deduce the service listening behind that encryption layer. When RPC
+       services are discovered, the Nmap RPC grinder (-sR) is automatically
+       used to determine the RPC program and version numbers. Some UDP ports
+       are left in the open|filtered state after a UDP port scan is unable to
+       determine whether the port is open or filtered. Version detection will
+       try to elicit a response from these ports (just as it does with open
+       ports), and change the state to open if it succeeds.  open|filtered TCP
+       ports are treaded the same way. Note that the Nmap -A option enables
+       version detection among other things. A paper documenting the workings,
+       usage, and customization of version detection is available at
+       http://www.insecure.org/nmap/vscan/.
+
+       When Nmap receives responses from a service but cannot match them to
+       its database, it prints out a special fingerprint and a URL for you to
+       submit if to if you know for sure what is running on the port. Please
+       take a couple minutes to make the submission so that your find can
+       benefit everyone. Thanks to these submissions, Nmap has about 3,000
+       pattern matches for more than 350 protocols such as smtp, ftp, http,
+       etc.
+
+       Version detection is enabled and controlled with the following options:
+
+       -sV (Version detection)
+              Enables version detection, as discussed above. Alternatively,
+              you can use -A to enable both OS detection and version
+              detection.
+
+       --allports (Don’t exclude any ports from version detection)
+              By default, Nmap version detection skips TCP port 9100 because
+              some printers simply print anything sent to that port, leading
+              to dozens of pages of HTTP get requests, binary SSL session
+              requests, etc. This behavior can be changed by modifying or
+              removing the Exclude directive in nmap-service-probes, or you
+              can specify --allports to scan all ports regardless of any
+              Exclude directive.
+
+       --version_intensity <intensity> (Set version scan intensity)
+              When performing a version scan (-sV), nmap sends a series of
+              probes, each of which is assigned a rarity value between 1 and
+              9. The lower-numbered probes are effective against a wide
+              variety of common services, while the higher numbered ones are
+              rarely useful. The intensity level specifies which probes should
+              be applied. The higher the number, the more likely it is the
+              service will be correctly identified. However, high intensity
+              scans take longer. The intensity must be between 0 and 9. The
+              default is 7. When a probe is registered to the target port via
+              the nmap-service-probesports directive, that probe is tried
+              regardless of intensity level. This ensures that the DNS probes
+              will always be attempted against any open port 53, the SSL probe
+              will be done against 443, etc.
+
+       --version_light (Enablie light mode)
+              This is a convenience alias for --version_intensity 2. This
+              light mode makes version scanning much faster, but it is
+              slightly less likely to identify services.
+
+       --version_all (Try every single probe)
+              An alias for --version_intensity 9, ensuring that every single
+              probe is attempted against each port.
+
+       --version_trace (Trace version scan activity)
+              This causes Nmap to print out extensive debugging info about
+              what version scanning is doing. It is a subset of what you get
+              with --packet_trace.
+
+       -sR (RPC scan)
+              This method works in conjunction with the various port scan
+              methods of Nmap. It takes all the TCP/UDP ports found open and
+              floods them with SunRPC program NULL commands in an attempt to
+              determine whether they are RPC ports, and if so, what program
+              and version number they serve up. Thus you can effectively
+              obtain the same info as rpcinfo -p even if the target’s
+              portmapper is behind a firewall (or protected by TCP wrappers).
+              Decoys do not currently work with RPC scan. This is
+              automatically enabled as part of version scan (-sV) if you
+              request that. As version detection includes this and is much
+              more comprehensive, -sR is rarely needed.
+
+
+

+
OS DETECTION
+       One of Nmap’s best-known features is remote OS detection using TCP/IP
+       stack fingerprinting. Nmap sends a series of TCP and UDP packets to the
+       remote host and examines practically every bit in the responses. After
+       performing dozens of tests such as TCP ISN sampling, TCP options
+       support and ordering, IPID sampling, and the initial window size check,
+       Nmap compares the results to its nmap-os-fingerprints database of more
+       than 1500 known OS fingerprints and prints out the OS details if there
+       is a match. Each fingerprint includes a freeform textual description of
+       the OS, and a classification which provides the vendor name (e.g. Sun),
+       underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type
+       (general purpose, router, switch, game console, etc).
+
+       If Nmap is unable to guess the OS of a machine, and conditions are good
+       (e.g. at least one open port and one closed port were found), Nmap will
+       provide a URL you can use to submit the fingerprint if you know (for
+       sure) the OS running on the machine. By doing this you contribute to
+       the pool of operating systems known to Nmap and thus it will be more
+       accurate for everyone.
+
+       OS detection enables several other tests which make use of information
+       that is gathered during the process anyway. One of these is uptime
+       measurement, which uses the TCP timestamp option (RFC 1323) to guess
+       when a machine was last rebooted. This is only reported for machines
+       which provide this information. Another is TCP Sequence Predictability
+       Classification. This measures approximately how hard it is to establish
+       a forged TCP connection against the remote host. It is useful for
+       exploiting source-IP based trust relationships (rlogin, firewall
+       filters, etc) or for hiding the source of an attack. This sort of
+       spoofing is rarely performed any more, but many machines are still
+       vulnerable to it. The actual difficulty number is based on statistical
+       sampling and may fluctuate. It is generally better to use the English
+       classification such as “worthy challenge” or “trivial joke”. This is
+       only reported in normal output in verbose (-v) mode. When verbose mode
+       is enabled along with -O, IPID Sequence Generation is also reported.
+       Most machines are in the “incremental” class, which means that they
+       increment the ID field in the IP header for each packet they send. This
+       makes them vulnerable to several advanced information gathering and
+       spoofing attacks.
+
+       A paper documenting the workings, usage, and customization of version
+       detection is available in more than a dozen languages at
+       http://www.insecure.org/nmap/nmap-fingerprinting-article.html.
+
+       OS detection is enabled and controlled with the following options:
+
+       -O (Enable OS detection)
+              Enables OS detection, as discussed above. Alternatively, you can
+              use -A to enable both OS detection and version detection.
+
+       --osscan_limit (Limit OS detection to promising targets)
+              OS detection is far more effective if at least one open and one
+              closed TCP port are found. Set this option and Nmap will not
+              even try OS detection against hosts that do not meet this
+              criteria. This can save substantial time, particularly on -P0
+              scans against many hosts. It only matters when OS detection is
+              requested with -O or -A.
+
+       --osscan_guess; --fuzzy (Guess OS detection results)
+              When Nmap is unable to detect a perfect OS match, it sometimes
+              offers up near-matches as possibilities. The match has to be
+              very close for Nmap to do this by default. Either of these
+              (equivalent) options make Nmap guess more aggressively.
+
+
+

+
TIMING AND PERFORMANCE
+       One of my highest Nmap development priorities has always been
+       performance. A default scan (nmap hostname) of a host on my local
+       network takes a fifth of a second. That is barely enough time to blink,
+       but adds up when you are scanning tens or hundreds of thousands of
+       hosts. Moreover, certain scan options such as UDP scanning and version
+       detection can increase scan times substantially. So can certain
+       firewall configurations, particularly response rate limiting. While
+       Nmap utilizes parallelism and many advanced algorithms to accelerate
+       these scans, the user has ultimate control over how Nmap runs. Expert
+       users carefully craft Nmap commands to obtain only the information they
+       care about while meeting their time constraints.
+
+       Techniques for improving scan times include omitting non-critical
+       tests, and upgrading to the latest version of Nmap (performance
+       enhancements are made frequently). Optimizing timing parameters can
+       also make a substantial difference. Those options are listed below.
+
+       --min_hostgroup <milliseconds>; --max_hostgroup <milliseconds> (Adjust
+       parallel scan group sizes)
+              Nmap has the ability to port scan or version scan multiple hosts
+              in parallel. Nmap does this by dividing the target IP space into
+              groups and then scanning one group at a time. In general, larger
+              groups are more efficient. The downside is that host results
+              can’t be provided until the whole group is finished. So if Nmap
+              started out with a group size of 50, the user would not receive
+              any reports (except for the updates offered in verbose mode)
+              until the first 50 hosts are completed.
+
+              By default, Nmap takes a compromise approach to this conflict.
+              It starts out with a group size as low as five so the first
+              results come quickly and then increases the groupsize to as high
+              as 1024. The exact default numbers depend on the options given.
+              For efficiency reasons, Nmap uses larger group sizes for UDP or
+              few-port TCP scans.
+
+              When a maximum group size is specified with --max_hostgroup,
+              Nmap will never exceed that size. Specify a minimum size with
+              --min_hostgroup and Nmap will try to keep group sizes above that
+              level. Nmap may have to use smaller groups than you specify if
+              there are not enough target hosts left on a given interface to
+              fulfill the specified minimum. Both may be set to keep the group
+              size within a specific range, though this is rarely desired.
+
+              The primary use of these options is to specify a large minimum
+              group size so that the full scan runs more quickly. A common
+              choice is 256 to scan a network in Class C sized chunks. For a
+              scan with many ports, exceeding that number is unlikely to help
+              much. For scans of just a few port numbers, host group sizes of
+              2048 or more may be helpful.
+
+       --min_parallelism <milliseconds>; --max_parallelism <milliseconds>
+       (Adjust probe parallelization)
+              These options control the total number of probes that may be
+              outstanding for a host group. They are used for port scanning
+              and host discovery. By default, Nmap calculates an ever-changing
+              ideal parallelism based on network performance. If packets are
+              being dropped, Nmap slows down and allows fewer outstanding
+              probes. The ideal probe number slowly rises as the network
+              proves itself worthy. These options place minimum or maximum
+              bounds on that variable. By default, the ideal parallelism can
+              drop to 1 if the network proves unreliable and rise to several
+              hundred in perfect conditions.
+
+              The most common usage is to set --min_parallelism to a number
+              higher than one to speed up scans of poorly performing hosts or
+              networks. This is a risky option to play with, as setting it too
+              high may affect accuracy. Setting this also reduces Nmap’s
+              ability to control parallelism dynamically based on network
+              conditions. A value of ten might be reasonable, though I only
+              adjust this value as a last resort.
+
+              The --max_parallelism option is sometimes set to one to prevent
+              Nmap from sending more than one probe at a time to hosts. This
+              can be useful in combination with --scan_delay (discussed
+              later), although the latter usually serves the purpose well
+              enough by itself.
+
+       --min_rtt_timeout <milliseconds>, --max_rtt_timeout <milliseconds>,
+       --initial_rtt_timeout <milliseconds> (Adjust probe timeouts)
+              Nmap maintains a running timeout value for determining how long
+              it will wait for a probe response before giving up or
+              retransmitting the probe. This is calculated based on the
+              response times of previous probes. If the network latency shows
+              itself to be significant and variable, this timeout can grow to
+              several seconds. It also starts at a conservative (high) level
+              and may stay that way for a while when Nmap scans unresponsive
+              hosts.
+
+              These options take a value in milliseconds. Specifying a lower
+              --max_rtt_timeout and --initial_rtt_timeout than the defaults
+              can cut scan times significantly. This is particularly true for
+              pingless (-P0) scans, and those against heavily filtered
+              networks. Don’t get too aggressive though. The scan can end up
+              taking longer if you specify such a low value that many probes
+              are timing out and retransmitting while the response is in
+              transit.
+
+              If all the hosts are on a local network, 100 milliseconds is a
+              reasonable aggressive --max_rtt_timeout value. If routing is
+              involved, ping a host on the network first with the ICMP ping
+              utility, or with a custom packet crafter such as hping2 that is
+              more likely to get through a firewall. Look at the maximum round
+              trip time out of ten packets or so. You might want to double
+              that for the --initial_rtt_timeout and triple or quadruple it
+              for the --max_rtt_timeout. I generally do not set the maximum
+              rtt below 100ms, no matter what the ping times are. Nor do I
+              exceed 1000ms.
+
+              --min_rtt_timeout is a rarely used option that could be useful
+              when a network is so unreliable that even Nmap’s default is too
+              aggressive. Since Nmap only reduces the timeout down to the
+              minimum when the network seems to be reliable, this need is
+              unusual and should be reported as a bug to the nmap-dev mailing
+              list.
+
+       --host_timeout <milliseconds> (Give up on slow target hosts)
+              Some hosts simply take a long time to scan. This may be due to
+              poorly performing or unreliable networking hardware or software,
+              packet rate limiting, or a restrictive firewall. The slowest few
+              percent of the scanned hosts can eat up a majority of the scan
+              time. Sometimes it is best to cut your losses and skip those
+              hosts initially. This can be done by specifying --host_timeout
+              with the number of milliseconds you are willing to wait. I often
+              specify 1800000 to ensure that Nmap doesn’t waste more than half
+              an hour on a single host. Note that Nmap may be scanning other
+              hosts at the same time during that half an hour as well, so it
+              isn’t a complete loss. A host that times out is skipped. No port
+              table, OS detection, or version detection results are printed
+              for that host.
+
+       --scan_delay <milliseconds>; --max_scan_delay <milliseconds> (Adjust
+       delay between probes)
+              This option causes Nmap to wait at least the given number of
+              milliseconds between each probe it sends to a given host. This
+              is particularly useful in the case of rate limiting. Solaris
+              machines (among many others) will usually respond to UDP scan
+              probe packets with only one ICMP message per second. Any more
+              than that sent by Nmap will be wasteful. A --scan_delay of 1000
+              will keep Nmap at that slow rate. Nmap tries to detect rate
+              limiting and adjust the scan delay accordingly, but it doesn’t
+              hurt to specify it explicitly if you already know what rate
+              works best.
+
+              Another use of --scan_delay is to evade threshold based
+              intrusion detection and prevention systems (IDS/IPS).
+
+       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> (Set a timing
+       template)
+              While the fine grained timing controls discussed in the previous
+              section are powerful and effective, some people find them
+              confusing. Moreover, choosing the appropriate values can
+              sometimes take more time than the scan you are trying to
+              optimize. So Nmap offers a simpler approach, with six timing
+              templates. You can specify them with the -T option and their
+              number (0 - 5) or their name. The template names are paranoid
+              (0), sneaky (1), polite (2), normal (3), aggressive (4), and
+              insane (5). The first two are for IDS evasion. Polite mode slows
+              down the scan to use less bandwidth and target machine
+              resources. Normal mode is the default and so -T3 does nothing.
+              Aggressive mode speeds scans up by making the assumption that
+              you are on a reasonably fast and reliable network. Finally
+              Insane mode assumes that you are on an extraordinarily fast
+              network or are willing to sacrifice some accuracy for speed.
+
+              These templates allow the user to specify how aggressive they
+              wish to be, while leaving Nmap to pick the exact timing values.
+              The templates also make some minor speed adjustments for which
+              fine grained control options do not currently exist. For
+              example, -T4 prohibits the dynamic scan delay from exceeding
+              10ms for TCP ports and -T5 caps that value at 5 milliseconds.
+              Templates can be used in combination with fine grained controls,
+              as long as the template is specified first. Otherwise the
+              standard values for the template may override the values you
+              specify. I recommend using -T4 when scanning reasonably modern
+              and reliable networks. Keep that option (at the beginning of the
+              command line) even when you add fine grained controls so that
+              you benefit from those extra minor optimizations that it
+              enables.
+
+              If you are on a decent broadband or ethernet connection, I would
+              recommend always using -T4. Some people love -T5 though it is
+              too aggressive for my taste. People sometimes specify -T2
+              because they think it is less likely to crash hosts or because
+              they consider themselves to be polite in general. They often
+              don’t realize just how slow -T Polite really is. Their scan may
+              take ten times longer than a default scan. Machine crashes and
+              bandwidth problems are rare with the default timing options
+              (-T3) and so I normally recommend that for cautious scanners.
+              Omitting version detection is far more effective than playing
+              with timing values at reducing these problems.
+
+              While -T0 and -T1 may be useful for avoiding IDS alerts, they
+              will take an extraordinarily long time to scan thousands of
+              machines or ports. For such a long scan, you may prefer to set
+              the exact timing values you need rather than rely on the canned
+              -T0 and -T1 values.
+
+              The main effects of T0 are serializing the scan so only one port
+              is scanned at a time, and waiting five minutes between sending
+              each probe.  T1 and T2 are similar but they only wait 15 seconds
+              and 0.4 seconds, respectively, between probes.  T3 is Nmap’s
+              default behavior, which includes parallelization.  T4 does the
+              equivalent of --max_rtt_timeout 1250 --initial_rtt_timeout 500
+              and sets the maximum TCP scan delay to 10 milliseconds.  T5 does
+              the equivalent of --max_rtt_timeout 300 --min_rtt_timeout 50
+              --initial_rtt_timeout 250 --host_timeout 900000 as well as
+              setting the maximum TCP scan delay to 5ms.
+
+
+

+
FIREWALL/IDS EVASION AND SPOOFING
+       Many Internet pioneers envisioned a global open network with a
+       universal IP address space allowing virtual connections between any two
+       nodes. This allows hosts to act as true peers, serving and retrieving
+       information from each other. People could access all of their home
+       systems from work, changing the climate control settings or unlocking
+       the doors for early guests. This vision of universal connectivity has
+       been stifled by address space shortages and security concerns. In the
+       early 1990s, organizations began deploying firewalls for the express
+       purpose of reducing connectivity. Huge networks were cordoned off from
+       the unfiltered Internet by application proxies, network address
+       translation, and packet filters. The unrestricted flow of information
+       gave way to tight regulation of approved communication channels and the
+       content that passes over them.
+
+       Network obstructions such as firewalls can make mapping a network
+       exceedingly difficult. It will not get any easier, as stifling casual
+       reconnaissance is often a key goal of implementing the devices.
+       Nevertheless, Nmap offers many features to help understand these
+       complex networks, and to verify that filters are working as intended.
+       It even supports mechanisms for bypassing poorly implemented defenses.
+       One of the best methods of understanding your network security posture
+       is to try to defeat it. Place yourself in the mindset of an attacker,
+       and deploy techniques from this section against your networks. Launch
+       an FTP bounce scan, Idle scan, fragmentation attack, or try to tunnel
+       through one of your own proxies.
+
+       In addition to restricting network activity, companies are increasingly
+       monitoring traffic with intrusion detection systems (IDS). All of the
+       major IDSs ship with rules designed to detect Nmap scans because scans
+       are sometimes a precursor to attacks. Many of these products have
+       recently morphed into intrusion prevention systems (IPS) that actively
+       block traffic deemed malicious. Unfortunately for network
+       administrators and IDS vendors, reliably detecting bad intentions by
+       analyzing packet data is a tough problem. Attackers with patience,
+       skill, and the help of certain Nmap options can usually pass by IDSs
+       undetected. Meanwhile, administrators must cope with large numbers of
+       false positive results where innocent activity is misdiagnosed and
+       alerted on or blocked.
+
+       Occasionally people suggest that Nmap should not offer features for
+       evading firewall rules or sneaking past IDSs. They argue that these
+       features are just as likely to be misused by attackers as used by
+       administrators to enhance security. The problem with this logic is that
+       these methods would still be used by attackers, who would just find
+       other tools or patch the functionality into Nmap. Meanwhile,
+       administrators would find it that much harder to do their jobs.
+       Deploying only modern, patched FTP servers is a far more powerful
+       defense than trying to prevent the distribution of tools implementing
+       the FTP bounce attack.
+
+       There is no magic bullet (or Nmap option) for detecting and subverting
+       firewalls and IDS systems. It takes skill and experience. A tutorial is
+       beyond the scope of this reference guide, which only lists the relevant
+       options and describes what they do.
+
+       -f (fragment packets); --mtu (using the specified MTU)
+              The -f option causes the requested scan (including ping scans)
+              to use tiny fragmented IP packets. The idea is to split up the
+              TCP header over several packets to make it harder for packet
+              filters, intrusion detection systems, and other annoyances to
+              detect what you are doing. Be careful with this! Some programs
+              have trouble handling these tiny packets. The old-school sniffer
+              named Sniffit segmentation faulted immediately upon receiving
+              the first fragment. Specify this option once, and Nmap splits
+              the packets into 8 bytes or less after the IP header. So a
+              20-byte TCP header would be split into 3 packets. Two with eight
+              bytes of the TCP header, and one with the final four. Of course
+              each fragment also has an IP header. Specify -f again to use 16
+              bytes per fragment (reducing the number of fragments). Or you
+              can specify your own offset size with the --mtu option. Don’t
+              also specify -f if you use --mtu. The offset must be a multiple
+              of 8. While fragmented packets won’t get by packet filters and
+              firewalls that queue all IP fragments, such as the
+              CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some
+              networks can’t afford the performance hit this causes and thus
+              leave it disabled. Others can’t enable this because fragments
+              may take different routes into their networks. Some source
+              systems defragment outgoing packets in the kernel. Linux with
+              the iptables connection tracking module is one such example. Do
+              a scan while a sniffer such as Ethereal is running to ensure
+              that sent packets are fragmented. If your host OS is causing
+              problems, try the --send_eth option to bypass the IP layer and
+              send raw ethernet frames.
+
+       -D <decoy1 [,decoy2][,ME],...> (Cloak a scan with decoys)
+              Causes a decoy scan to be performed, which makes it appear to
+              the remote host that the host(s) you specify as decoys are
+              scanning the target network too. Thus their IDS might report
+              5-10 port scans from unique IP addresses, but they won’t know
+              which IP was scanning them and which were innocent decoys. While
+              this can be defeated through router path tracing,
+              response-dropping, and other active mechanisms, it is generally
+              an effective technique for hiding your IP address.
+
+              Separate each decoy host with commas, and you can optionally use
+              ME as one of the decoys to represent the position for your real
+              IP address. If you put ME in the 6th position or later, some
+              common port scan detectors (such as Solar Designer’s excellent
+              scanlogd) are unlikely to show your IP address at all. If you
+              don’t use ME, nmap will put you in a random position.
+
+              Note that the hosts you use as decoys should be up or you might
+              accidentally SYN flood your targets. Also it will be pretty easy
+              to determine which host is scanning if only one is actually up
+              on the network. You might want to use IP addresses instead of
+              names (so the decoy networks don’t see you in their nameserver
+              logs).
+
+              Decoys are used both in the initial ping scan (using ICMP, SYN,
+              ACK, or whatever) and during the actual port scanning phase.
+              Decoys are also used during remote OS detection (-O). Decoys do
+              not work with version detection or TCP connect() scan.
+
+              It is worth noting that using too many decoys may slow your scan
+              and potentially even make it less accurate. Also, some ISPs will
+              filter out your spoofed packets, but many do not restrict
+              spoofed IP packets at all.
+
+       -S <IP_Address> (Spoof source address)
+              In some circumstances, Nmap may not be able to determine your
+              source address ( Nmap will tell you if this is the case). In
+              this situation, use -S with the IP address of the interface you
+              wish to send packets through.
+
+              Another possible use of this flag is to spoof the scan to make
+              the targets think that someone else is scanning them. Imagine a
+              company being repeatedly port scanned by a competitor! The -e
+              option would generally be required for this sort of usage, and
+              -P0 would normally be advisable as well.
+
+       -e <interface> (Use specified interface)
+              Tells Nmap what interface to send and receive packets on. Nmap
+              should be able to detect this automatically, but it will tell
+              you if it cannot.
+
+       --source_port <portnumber>; -g <portnumber> (Spoof source port number)
+              One surprisingly common misconfiguration is to trust traffic
+              based only on the source port number. It is easy to understand
+              how this comes about. An administrator will set up a shiny new
+              firewall, only to be flooded with complains from ungrateful
+              users whose applications stopped working. In particular, DNS may
+              be broken because the UDP DNS replies from external servers can
+              no longer enter the network. FTP is another common example. In
+              active FTP transfers, the remote server tries to establish a
+              connection back to the client to transfer the requested file.
+
+              Secure solutions to these problems exist, often in the form of
+              application-level proxies or protocol-parsing firewall modules.
+              Unfortunately there are also easier, insecure solutions. Noting
+              that DNS replies come from port 53 and active ftp from port 20,
+              many admins have fallen into the trap of simply allowing
+              incoming traffic from those ports. They often assume that no
+              attacker would notice and exploit such firewall holes. In other
+              cases, admins consider this a short-term stop-gap measure until
+              they can implement a more secure solution. Then they forget the
+              security upgrade.
+
+              Overworked network administrators are not the only ones to fall
+              into this trap. Numerous products have shipped with these
+              insecure rules. Even Microsoft has been guilty. The IPsec
+              filters that shipped with Windows 2000 and Windows XP contain an
+              implicit rule that allows all TCP or UDP traffic from port 88
+              (Kerberos). In another well-known case, versions of the Zone
+              Alarm personal firewall up to 2.1.25 allowed any incoming UDP
+              packets with the source port 53 (DNS) or 67 (DHCP).
+
+              Nmap offers the -g and --source_port options (they are
+              equivalent) to exploit these weaknesses. Simply provide a port
+              number and Nmap will send packets from that port where possible.
+              Nmap must use different port numbers for certain OS detection
+              tests to work properly, and DNS requests ignore the
+              --source_port flag because Nmap relies on system libraries to
+              handle those. Most TCP scans, including SYN scan, support the
+              option completely, as does UDP scan.
+
+       --data_length <number> (Append random data to sent packets)
+              Normally Nmap sends minimalist packets containing only a header.
+              So its TCP packets are generally 40 bytes and ICMP echo requests
+              are just 28. This option tells Nmap to append the given number
+              of random bytes to most of the packets it sends. OS detection
+              (-O) packets are not affected, but most pinging and portscan
+              packets are. This slows things down, but can make a scan
+              slightly less conspicuous.
+
+       --ttl <value> (Set IP time-to-live field)
+              Sets the IPv4 time-to-live field in sent packets to the given
+              value.
+
+       --randomize_hosts (Randomize target host order)
+              Tells Nmap to shuffle each group of up to 8096 hosts before it
+              scans them. This can make the scans less obvious to various
+              network monitoring systems, especially when you combine it with
+              slow timing options. If you want to randomize over larger group
+              sizes, increase PING_GROUP_SZ in nmap.h and recompile. An
+              alternative solution is to generate the target IP list with a
+              list scan (-sL -n -oN filename), randomize it with a Perl
+              script, then provide the whole list to Nmap with -iL.
+
+       --spoof_mac <mac address, prefix, or vendor name> (Spoof MAC address)
+              Asks Nmap to use the given MAC address for all of the raw
+              ethernet frames it sends. This option implies --send_eth to
+              ensure that Nmap actually sends ethernet-level packets. The MAC
+              given can take several formats. If it is simply the string “0”,
+              Nmap chooses a completely random MAC for the session. If the
+              given string is an even number of hex digits (with the pairs
+              optionally separated by a colon), Nmap will use those as the
+              MAC. If less than 12 hex digits are provided, Nmap fills in the
+              remainder of the 6 bytes with random values. If the argument
+              isn’t a 0 or hex string, Nmap looks through nmap-mac-prefixes to
+              find a vendor name containing the given string (it is case
+              insensitive). If a match is found, Nmap uses the vendor’s OUI
+              (3-byte prefix) and fills out the remaining 3 bytes randomly.
+              Valid --spoof_mac argument examples are Apple, 0,
+              01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.
+
+
+

+
OUTPUT
+       Any security tools is only as useful as the output it generates.
+       Complex tests and algorithms are of little value if they aren’t
+       presented in an organized and comprehensible fashion. Given the number
+       of ways Nmap is used by people and other software, no single format can
+       please everyone. So Nmap offers several formats, including the
+       interactive mode for humans to read directly and XML for easy parsing
+       by software.
+
+       In addition to offering different output formats, Nmap provides options
+       for controlling the verbosity of output as well as debugging messages.
+       Output types may be sent to standard output or to named files, which
+       Nmap can append to or clobber. Output files may also be used to resume
+       aborted scans.
+
+       Nmap makes output available in five different formats. The default is
+       called interactive output, and it is sent to standard output (stdout).
+       There is also normal output, which is similar to interactive except
+       that it displays less runtime information and warnings since it is
+       expected to be analyzed after the scan completes rather than
+       interactively.
+
+       XML output is one of the most important output types, as it can be
+       converted to HTML, easily parsed by programs such as Nmap graphical
+       user interfaces, or imported into databases.
+
+       The two remaining output types are the simple grepable output which
+       includes most information for a target host on a single line, and
+       sCRiPt KiDDi3 0utPUt for users who consider themselves |<-r4d.
+
+       While interactive output is the default and has no associated
+       command-line options, the other four format options use the same
+       syntax. They take one argument, which is the filename that results
+       should be stored in. Multiple formats may be specified, but each format
+       may only be specified once. For example, you may wish to save normal
+       output for your own review while saving XML of the same scan for
+       programmatic analysis. You might do this with the options -oX
+       myscan.xml -oN myscan.nmap. While this chapter uses the simple names
+       like myscan.xml for brevity, more descriptive names are generally
+       recommended. The names chosen are a matter of personal preference,
+       though I use long ones that incorporate the scan date and a word or two
+       describing the scan, placed in a directory named after the company I’m
+       scanning.
+
+       While these options save results to files, Nmap still prints
+       interactive output to stdout as usual. For example, the command nmap
+       -oX myscan.xml target prints XML to myscan.xml and fills standard
+       output with the same interactive results it would have printed if -oX
+       wasn’t specified at all. You can change this by passing a hyphen
+       character as the argument to one of the format types. This causes Nmap
+       to deactivate interactive output, and instead print results in the
+       format you specified to the standard output stream. So the command nmap
+       -oX - target will send only XML output to stdout. Serious errors may
+       still be printed to the normal error stream, stderr.
+
+       Unlike some Nmap arguments, the space between the logfile option flag
+       (such as -oX) and the filename or hyphen is mandatory. If you omit the
+       flags and give arguments such as -oG- or -oXscan.xml, a backwards
+       compatibility feature of Nmap will cause the creation of normal format
+       output files named G- and Xscan.xml respectively.
+
+       Nmap also offers options to control scan verbosity and to append to
+       output files rather than clobbering them. All of these options are
+       described belowe.
+
+       Nmap Output Formats
+
+       -oN <filespec> (Normal output)
+              Requests that normal output be directed to the given filename.
+              As discussed above, this differs slightly from interactive
+              output.
+
+       -oX <filespec> (XML output)
+              Requests that XML output be directed to the given filename. Nmap
+              includes a document type definition (DTD) which allows XML
+              parsers to validate Nmap XML output. While it is primarily
+              intended for programmatic use, it can also help humans interpret
+              Nmap XML output. The DTD defines the legal elements of the
+              format, and often enumerates the attributes and values they can
+              take on. The latest version is always available from
+              http://www.insecure.org/nmap/data/nmap.dtd.
+
+              XML offers a stable format that is easily parsed by software.
+              Free XML parsers are available for all major computer languages,
+              including C/C++, Perl, Python, and Java. People have even
+              written bindings for most of these languages to handle Nmap
+              output and execution specifically. Examples are [6]Nmap::Scanner
+              and [7]Nmap::Parser in Perl CPAN. In almost all cases that a
+              non-trivial application interfaces with Nmap, XML is the
+              preferred format.
+
+              The XML output references an XSL stylesheet which can be used to
+              format the results as HTML. The easiest way to use this is
+              simply to load the XML output in a web browser such as Firefox
+              or IE. By default, this will only work on the machine you ran
+              Nmap on (or a similarly configured one) due to the hard-coded
+              nmap.xsl filesystem path. See the --stylesheet option for a way
+              to create a portable XML file that renders as HTML on any
+              web-connected machine.
+
+       -oS <filespec> (ScRipT KIdd|3 oUTpuT)
+              Script kiddie output is like interactive output, except that it
+              is post-processed to better suit the ’l33t HaXXorZ who
+              previously looked down on Nmap due to its consistent
+              capitalization and spelling. Humor impaired people should note
+              that this option is making fun of the script kiddies before
+              flaming me for supposedly “helping them”.
+
+       -oG <filespec> (Grepable output)
+              This output format is covered last because it is deprecated. The
+              XML output format is far more powerful, and is nearly as
+              convenient for experienced users. XML is a standard for which
+              dozens of excellent parsers are available, while grepable output
+              is my own simple hack. XML is extensible to support new Nmap
+              features as they are released, while I often must omit those
+              features from grepable output for lack of a place to put them.
+
+              Nevertheless, grepable output is still quite popular. It is a
+              simple format that lists each host on one line and can be
+              trivially searched and parsed with standard UNIX tools such as
+              grep, awk, cut, sed, diff, and Perl. Even I usually use it for
+              one-off tests done at the command line. Finding all the hosts
+              with the ssh port open or that are running Solaris takes only a
+              simple grep to identify the hosts, piped to an awk or cut
+              command to print the desired fields.
+
+              Grepable output consists of comments (lines starting with a
+              pound (#)) and target lines. A target line includes a
+              combination of 6 labeled fields, separated by tabs and followed
+              with a colon. The fields are Host, Ports, Protocols, Ignored
+              State, OS, Seq Index, IPID, and Status.
+
+              The most important of these fields is generally Ports, which
+              gives details on each interesting port. It is a comma separated
+              list of port entries. Each port entry represents one interesting
+              port, and takes the form of seven slash (/) separated subfields.
+              Those subfields are: Port number, State, Protocol, Owner,
+              Service, SunRPC info, and Version info.
+
+              As with XML output, this man page does not allow for documenting
+              the entire format. A more detailed look at the Nmap grepable
+              output format is available from
+              http://www.unspecific.com/nmap-oG-output.
+
+       -oA <basename> (Output to all formats)
+              As a convenience, you may specify -oA basename to store scan
+              results in normal, XML, and grepable formats at once. They are
+              stored in basename.nmap, basename.xml, and basename.gnmap,
+              respectively. As with most programs, you can prefix the
+              filenames with a directory path, such as ~/nmaplogs/foocorp/ on
+              UNIX or c:\hacking\sco on Windows.
+
+       Verbosity and debugging options
+
+       -v (Increase verbosity level)
+              Increases the verbosity level, causing Nmap to print more
+              information about the scan in progress. Open ports are shown as
+              they are found and completion time estimates are provided when
+              Nmap thinks a scan will take more than a few minutes. Use it
+              twice for even greater verbosity. Using it more than twice has
+              no effect.
+
+              Most changes only affect interactive output, and some also
+              affect normal and script kiddie output. The other output types
+              are meant to be processed by machines, so Nmap can give
+              substantial detail by default in those formats without fatiguing
+              a human user. However, there are a few changes in other modes
+              where output size can be reduced substantially by omitting some
+              detail. For example, a comment line in the grepable output that
+              provides a list of all ports scanned is only printed in verbose
+              mode because it can be quite long.
+
+       -d [level] (Increase or set debugging level)
+              When even verbose mode doesn’t provide sufficient data for you,
+              debugging is available to flood you with much more! As with the
+              verbosity option (-v), debugging is enabled with a command-line
+              flag (-d) and the debug level can be increased by specifying it
+              multiple times. Alternatively, you can set a debug level by
+              giving an argument to -d. For example, -d9 sets level nine. That
+              is the highest effective level and will produce thousands of
+              lines unless you run a very simple scan with very few ports and
+              targets.
+
+              Debugging output is useful when a bug is suspected in Nmap, or
+              if you are simply confused as to what Nmap is doing and why. As
+              this feature is mostly intended for developers, debug lines
+              aren’t always self-explanatory. You may get something like:
+              Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==>
+              srtt: 14987 rttvar: 14987 to: 100000. If you don’t understand a
+              line, your only recourses are to ignore it, look it up in the
+              source code, or request help from the development list
+              (nmap-dev). Some lines are self explanatory, but the messages
+              become more obscure as the debug level is increased.
+
+       --packet_trace (Trace packets and data sent and received)
+              Causes Nmap to print a summary of every packet sent or received.
+              This is often used for debugging, but is also a valuable way for
+              new users to understand exactly what Nmap is doing under the
+              covers. To avoid printing thousands of lines, you may want to
+              specify a limited number of ports to scan, such as -p20-30. If
+              you only care about the goings on of the version detection
+              subsystem, use --version_trace instead.
+
+       --iflist (List interfaces and routes)
+              Prints the interface list and system routes as detected by Nmap.
+              This is useful for debugging routing problems or device
+              mischaracterization (such as Nmap treating a PPP connection as
+              Ethernet).
+
+       Miscellaneous output options
+
+       --append_output (Append to rather than clobber output files)
+              When you specify a filename to an output format flag such as -oX
+              or -oN, that file is overwritten by default. If you prefer to
+              keep the existing content of the file and append the new
+              results, specify the --append_output option. All output
+              filenames specified in that Nmap execution will then be appended
+              to rather than clobbered. This doesn’t work well for XML (-oX)
+              scan data as the resultant file generally won’t parse properly
+              until you fix it up by hand.
+
+       --resume <filename> (Resume aborted scan)
+              Some extensive Nmap runs take a very long time -- on the order
+              of days. Such scans don’t always run to completion. Restrictions
+              may prevent Nmap from being run during working hours, the
+              network could go down, the machine Nmap is running on might
+              suffer a planned or unplanned reboot, or Nmap itself could
+              crash. The admin running Nmap could cancel it for any other
+              reason as well, by pressing ctrl-C. Restarting the whole scan
+              from the beginning may be undesirable. Fortunately, if normal
+              (-oN) or grepable (-oG) logs were kept, the user can ask Nmap to
+              resume scanning with the target it was working on when execution
+              ceased. Simply specify the --resume option and pass the
+              normal/grepable output file as its argument. No other arguments
+              are permitted, as Nmap parses the output file to use the same
+              ones specified previously. Simply call Nmap as nmap --resume
+              logfilename. Nmap will append new results to the data files
+              specified in the previous execution. Resumption does not support
+              the XML output format because combining the two runs into one
+              valid XML file would be difficult.
+
+       --stylesheet <path or URL> (Set XSL stylesheet to transform XML output)
+              Nmap ships with an XSL stylesheet named nmap.xsl for viewing or
+              translating XML output to HTML. The XML output includes an
+              xml-stylesheet directive which points to nmap.xml where it was
+              initially installed by Nmap (or in the current working directory
+              on Windows). Simply load Nmap’s XML output in a modern web
+              browser and it should retrieve nmap.xsl from the filesystem and
+              use it to render results. If you wish to use a different
+              stylesheet, specify it as the argument to --stylesheet. You must
+              pass the full pathname or URL. One common invocation is
+              --stylesheet http://www.insecure.org/nmap/data/nmap.xsl
+              nmap.xsl) installed. So the URL is often more useful, but the
+              local filesystem location of nmap.xsl is used by default for
+              privacy reasons.
+
+       --no_stylesheet (Omit XSL stylesheet declaration from XML)
+              Specify this option to prevent Nmap from associating any XSL
+              stylesheet with its XML output. The xml-stylesheet directive is
+              omitted.
+
+
+

+
MISCELLANEOUS OPTIONS
+       This section describes some important (and not-so-important) options
+       that don’t really fit anywhere else.
+
+       -6 (Enable IPv6 scanning)
+              Since 2002, Nmap has offered IPv6 support for its most popular
+              features. In particular, ping scanning (TCP-only), connect()
+              scanning, and version detection all support IPv6. The command
+              syntax is the same as usual except that you also add the -6
+              option. Of course, you must use IPv6 syntax if you specify an
+              address rather than a hostname. An address might look like
+              3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
+              recommended. The output looks the same as usual, with the IPv6
+              address on the “interesting ports” line being the only IPv6 give
+              away.
+
+              While IPv6 hasn’t exactly taken the world by storm, it gets
+              significant use in some (usually Asian) countries and most
+              modern operating systems support it. To use Nmap with IPv6, both
+              the source and target of your scan must be configured for IPv6.
+              If your ISP (like most of them) does not allocate IPv6 addresses
+              to you, free tunnel brokers are widely available and work fine
+              with Nmap. One of the better ones is run by BT Exact at
+              https://tb.ipv6.btexact.com/. I have also used one that
+              Hurricane Electric provides at http://ipv6tb.he.net/. 6to4
+              tunnels are another popular, free approach.
+
+       -A (Aggressive scan options)
+              This option enables additional advanced and aggressive options.
+              I haven’t decided exactly which it stands for yet. Presently
+              this enables OS Detection (-O) and version scanning (-sV). More
+              features may be added in the future. The point is to enable a
+              comprehensive set of scan options without people having to
+              remember a large set of flags. This option only enables
+              features, and not timing options (such as -T4) or verbosity
+              options (-v) that you might want as well.
+
+       --datadir <directoryname> (Specify custom Nmap data file location)
+              Nmap obtains some special data at runtime in files named
+              nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc,
+              nmap-mac-prefixes, and nmap-os-fingerprints. Nmap first searches
+              these files in the directory specified with the --datadir option
+              (if any). Any files not found there, are searched for in the
+              directory specified by the NMAPDIR environmental variable. Next
+              comes ~/.nmap for real and effective UIDs (POSIX systems only)
+              or location of the Nmap executable (Win32 only), and then a
+              compiled-in location such as /usr/local/share/nmap or
+              /usr/share/nmap
+
+       --send_eth (Use raw ethernet sending)
+              Asks Nmap to send packets at the raw ethernet (data link) layer
+              rather than the higher IP (network) layer. By default, Nmap
+              chooses the one which is generally best for the platform it is
+              running on. Raw sockets (IP layer) are generally most efficient
+              for UNIX machines, while ethernet frames are required for
+              Windows operation since Microsoft disabled raw socket support.
+              Nmap still uses raw IP packets on UNIX despite this option when
+              there is no other choice (such as non-ethernet connections).
+
+       --send_ip (Send at raw IP level)
+              Asks Nmap to send packets via raw IP sockets rather than sending
+              lower level ethernet frames. It is the complement to the
+              --send-eth option discussed previously.
+
+       --privileged (Assume that the user is fully privileged)
+              Tells Nmap to simply assume that it is privileged enough to
+              perform raw socket sends, packet sniffing, and similar
+              operations that usually require root privileges on UNIX systems.
+              By default Nmap quits if such operations are requested but
+              geteuid() is not zero.  --privileged is useful with Linux kernel
+              capabilities and similar systems that may be configured to allow
+              unprivileged users to perform raw-packet scans. Be sure to
+              provide this option flag before any flags for options that
+              require privileges (SYN scan, OS detection, etc.). The
+              NMAP_PRIVILEGED variable may be set as an equivalent alternative
+              to --privileged.
+
+       --interactive (Start in interactive mode)
+              Starts Nmap in interactive mode, which offers an interactive
+              Nmap prompt allowing easy launching of multiple scans (either
+              synchronously or in the background). This is useful for people
+              who scan from multi-user systems as they often want to test
+              their security without letting everyone else on the system know
+              exactly which systems they are scanning. Use --interactive to
+              activate this mode and then type h for help. This option is
+              rarely used because proper shells are usually more familiar and
+              feature-complete. This option includes a bang (!) operator for
+              executing shell commands, which is one of many reasons not to
+              install Nmap setuid root.
+
+       -V; --version (Print version number)
+              Prints the Nmap version number and exits.
+
+       -h; --help (Print help summary page)
+              Prints a short help screen with the most common command flags.
+              Running Nmap without any arguments does the same thing.
+
+
+

+
RUNTIME INTERACTION
+       This feature does not yet exist in Nmap. I need to either add it or
+       remove this section
+
+       During the execution of nmap, all key presses are captured. This allows
+       you to interact with the program without aborting and restarting it.
+       Certain special keys will change options, while any other keys will
+       print out a status message telling you about the scan. The convention
+       is that lowercase letters increase the amount of printing, and
+       uppercase letters decrease the printing.
+
+       v / V  Increase / Decrease the Verbosity
+
+       d / D  Increase / Decrease the Debugging Level
+
+       p / P  Turn on / off Packet Tracing
+
+       Anything else
+              Print out a status message like this:
+
+              Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing
+              Service Scan
+
+              Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15
+              remaining)
 
 
 

 
EXAMPLES
-       Here  are some examples of using nmap, from simple and normal to a lit-
-       tle more complex/esoteric.  Note that actual numbers  and  some  actual
-       domain names are used to make things more concrete.  In their place you
-       should substitute addresses/names from your  own  network.   I  do  not
-       think  portscanning  other networks is illegal; nor should portscans be
-       construed by others as an attack.  I have scanned hundreds of thousands
-       of  machines  and  have  received  only  one complaint.  But I am not a
-       lawyer and some (anal) people may  be  annoyed  by  nmap  probes.   Get
-       permission first or use at your own risk.
+       Here are some Nmap usage examples, from the simple and routine to a
+       little more complex and esoteric. Some actual IP addresses and domain
+       names are used to make things more concrete. In their place you should
+       substitute addresses/names from your own network.. While I don’t think
+       port scanning other networks is or should be illegal, some network
+       administrators don’t appreciate unsolicited scanning of their networks
+       and may complain. Getting permission first is the best approach.
 
-       nmap -v target.example.com
+       For testing purposes, you have permission to scan the host
+       scanme.nmap.org. This permission only includes scanning via Nmap and
+       not testing exploits or denial of service attacks. To conserve
+       bandwidth, please do not initiate more than a dozen scans against that
+       host per day. If this free scanning target service is abused, it will
+       be taken down and Nmap will report Failed to resolve given hostname/IP:
+       scanme.nmap.org. These permissions also apply to the hosts
+       scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do
+       not currently exist.
 
-       This  option  scans  all reserved TCP ports on the machine target.exam-
-       ple.com .  The -v means turn on verbose mode.
+       nmap -v scanme.nmap.org
 
-       nmap -sS -O target.example.com/24
+       This option scans all reserved TCP ports on the machine scanme.nmap.org
+       -v option enables verbose mode.
 
-       Launches a stealth SYN scan against each machine that is up out of  the
-       255  machines  on  class "C" where target.example.com resides.  It also
-       tries to determine what operating system is running on each  host  that
-       is  up  and  running.  This requires root privileges because of the SYN
-       scan and the OS detection.
+       nmap -sS -O scanme.nmap.org/24
 
-       nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
+       Launches a stealth SYN scan against each machine that is up out of the
+       255 machines on “class C” network where Scanme resides. It also tries
+       to determine what operating system is running on each host that is up
+       and running. This requires root privileges because of the SYN scan and
+       OS detection.
 
-       Sends an Xmas tree scan to the first half of each of the 255 possible 8
-       bit  subnets  in  the  198.116 class "B" address space.  We are testing
-       whether the systems run sshd, DNS, pop3d, imapd, or  port  4564.   Note
-       that  Xmas  scan doesn’t work on Microsoft boxes due to their deficient
-       TCP stack.  Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.
+       nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
 
-       nmap -v --randomize_hosts -p 80 *.*.2.3-5
+       Launches host enumeration and a TCP scan at the first half of each of
+       the 255 possible 8 bit subnets in the 198.116 class B address space.
+       This tests whether the systems run sshd, DNS, pop3d, imapd, or port
+       4564. For any of these ports found open, version detection is used to
+       determine what application is running.
 
-       Rather than focus on a specific IP range, it is  sometimes  interesting
-       to  slice  up  the  entire  Internet  and scan a small sample from each
-       slice.  This  command  finds  all  web  servers  on  machines  with  IP
-       addresses  ending in .2.3, .2.4, or .2.5.  If you are root you might as
-       well add -sS.  Also you will find more interesting machines starting at
-       127.  so you might want to use "127-222" instead of the first asterisks
-       because that section has a  greater  density  of  interesting  machines
-       (IMHO).
+       nmap -v -iR 100000 -P0 -p 80
 
-       host -l company.com | cut  -d  -f 4 | ./nmap -v -iL -
+       Asks Nmap to choose 100,000 hosts at random and scan them for web
+       servers (port 80). Host enumeration is disabled with -P0 since first
+       sending a couple probes to determine whether a host is up is wasteful
+       when you are only probing one port on each target host anyway.
 
-       Do  a  DNS zone transfer to find the hosts in company.com and then feed
-       the IP addresses to nmap.  The above commands are for my GNU/Linux box.
-       You may need different commands/options on other operating systems.
+       nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap
+       216.163.128.20/20
+
+       This scans 4096 IPs for any webservers (without pinging them) and saves
+       the output in grepable and XML formats.
+
+       host -l company.com | cut -d -f 4 | nmap -v -iL -
+
+       Do a DNS zone transfer to find the hosts in company.com and then feed
+       the IP addresses to nmap. The above commands are for my GNU/Linux box
+       -- other systems have different commands for performing a zone
+       transfer.
 
 
 

 
BUGS
-       Bugs?   What bugs?  Send me any that you find.  Patches are nice too :)
-       Remember to also send in  new  OS  fingerprints  so  we  can  grow  the
-       database.  Nmap will give you a submission URL when an appropriate fin-
-       gerprint is found.
+       Like its author, Nmap isn’t perfect. But you can help make it better by
+       sending bug reports or even writing patches. If Nmap doesn’t behave the
+       way you expect, first upgrade to the latest version available from
+       http://www.insecure.org/nmap/. If the problem persists, do some
+       research to determine whether it has already been discovered and
+       addressed. Try Googling the error message or browsing the Nmap-dev
+       archives at http://seclists.org/. Read this full munaual page as well.
+       If nothing comes of this, mail a bug report to <nmap-dev@insecure.org>.
+       Please include everything you have learned about the problem, as well
+       as what version of Nmap you are running and what operating system
+       version it is running on. Problem reports and Nmap usage questions sent
+       to nmap-dev@insecure.org are far more likely to be answered than those
+       sent to Fyodor directly.
+
+       Code patches to fix bugs are even better than bug reports. Basic
+       instructions for creating patch files with your changes are available
+       at http://www.insecure.org/nmap/data/HACKING. Patches may be sent to
+       nmap-dev (recommended) or to Fyodor directly.
 
 
 

 
AUTHOR
-       Fyodor <fyodor@insecure.org>
+       Fyodor <fyodor@insecure.org> (http://www.insecure.org)
+
+       Hundreds of people have made valuable contributions to Nmap over the
+       years. These are detailed in the CHANGELOG file which is distributed
+       with Nmap and also available from
+       http://www.insecure.org/nmap/nmap_changelog.html.
 
 
 

-
DISTRIBUTION
-       The newest version  of  nmap  can  be  obtained  from  http://www.inse-
-       cure.org/nmap/
+
LEGAL NOTICES
+       The newest version of Nmap can be obtained from
+       http://www.insecure.org/nmap/
 
-       The  Nmap  Security  Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap is
-       also a registered trademark of Insecure.Com LLC.  This program is  free
-       software;  you may redistribute and/or modify it under the terms of the
-       GNU General Public License as published by the  Free  Software  Founda-
-       tion; Version 2.  This guarantees your right to use, modify, and redis-
-       tribute this software under certain conditions.  If you wish  to  embed
-       Nmap  technology  into  proprietary software, we may be willing to sell
-       alternative licenses (contact sales@insecure.com).  Many security scan-
-       ner  vendors already license Nmap technology such as our remote OS fin-
-       gerprinting database and code, service/version  detection  system,  and
-       port scanning code.
+   Copyright and Licensing
+       The Nmap Security Scanner is (C) 1996-2005 Insecure.Com LLC. Nmap is
+       also a registered trademark of Insecure.Com LLC. This program is free
+       software; you may redistribute and/or modify it under the terms of the
+       GNU General Public License as published by the Free Software
+       Foundation; Version 2. This guarantees your right to use, modify, and
+       redistribute this software under certain conditions. If you wish to
+       embed Nmap technology into proprietary software, we may be willing to
+       sell alternative licenses (contact <sales@insecure.com>). Many security
+       scanner vendors already license Nmap technology such as host discovery,
+       port scanning, OS detection, and service/version detection.
 
-       Note that the GPL places important restrictions on "derived works", yet
-       it does not provide a detailed definition of that term.  To avoid  mis-
-       understandings,  we consider an application to constitute a "derivative
-       work" for the purpose of this license if it does any of the following:
+       Note that the GPL places important restrictions on “derived works”, yet
+       it does not provide a detailed definition of that term. To avoid
+       misunderstandings, we consider an application to constitute a
+       “derivative work” for the purpose of this license if it does any of the
+       following:
 
-       o Integrates source code from Nmap
+       ·  Integrates source code from Nmap
 
-       o Reads or includes Nmap copyrighted data files, such  as  nmap-os-fin-
-       gerprints or nmap-service-probes.
+       ·  Reads or includes Nmap copyrighted data files, such as
+          nmap-os-fingerprints or nmap-service-probes.
 
-       o  Executes Nmap and parses the results (as opposed to typical shell or
-       execution-menu apps, which simply display raw Nmap output  and  so  are
-       not derivative works.)
+       ·  Executes Nmap and parses the results (as opposed to typical shell or
+          execution-menu apps, which simply display raw Nmap output and so are
+          not derivative works.)
 
-       o  Integrates/includes/aggregates  Nmap  into  a proprietary executable
-       installer, such as those produced by InstallShield.
+       ·  Integrates/includes/aggregates Nmap into a proprietary executable
+          installer, such as those produced by InstallShield.
 
-       o Links to a library or executes a program that does any of the above
+       ·  Links to a library or executes a program that does any of the above.
 
-       The term "Nmap" should be taken to also include any portions or derived
-       works  of Nmap.  This list is not exclusive, but is just meant to clar-
-       ify our interpretation of derived  works  with  some  common  examples.
-       These restrictions only apply when you actually redistribute Nmap.  For
-       example, nothing stops you  from  writing  and  selling  a  proprietary
-       front-end  to  Nmap.  Just distribute it by itself, and point people to
-       http://www.insecure.org/nmap/ to download Nmap.
+       The term “Nmap” should be taken to also include any portions or derived
+       works of Nmap. This list is not exclusive, but is just meant to clarify
+       our interpretation of derived works with some common examples. These
+       restrictions only apply when you actually redistribute Nmap. For
+       example, nothing stops you from writing and selling a proprietary
+       front-end to Nmap. Just distribute it by itself, and point people to
+       http://www.insecure.org/nmap/ to download Nmap.
 
        We don’t consider these to be added restrictions on top of the GPL, but
-       just  a clarification of how we interpret "derived works" as it applies
-       to our GPL-licensed Nmap product.  This is similar  to  the  way  Linus
-       Torvalds  has  announced  his  interpretation  of  how  "derived works"
-       applies to Linux kernel modules.  Our  interpretation  refers  only  to
-       Nmap - we don’t speak for any other GPL products.
+       just a clarification of how we interpret “derived works” as it applies
+       to our GPL-licensed Nmap product. This is similar to the way Linus
+       Torvalds has announced his interpretation of how “derived works”
+       applies to Linux kernel modules. Our interpretation refers only to Nmap
+       - we don’t speak for any other GPL products.
 
        If you have any questions about the GPL licensing restrictions on using
-       Nmap in non-GPL works, we would be happy to help.  As mentioned  above,
-       we  also  offer  alternative license to integrate Nmap into proprietary
-       applications and appliances.  These contracts have been  sold  to  many
-       security  vendors, and generally include a perpetual license as well as
-       providing for priority support and updates as well as helping  to  fund
-       the continued development of Nmap technology.  Please email sales@inse-
-       cure.com for further information.
+       Nmap in non-GPL works, we would be happy to help. As mentioned above,
+       we also offer alternative license to integrate Nmap into proprietary
+       applications and appliances. These contracts have been sold to many
+       security vendors, and generally include a perpetual license as well as
+       providing for priority support and updates as well as helping to fund
+       the continued development of Nmap technology. Please email
+       <sales@insecure.com> for further information.
 
-       As a special exception to the GPL terms, Insecure.Com LLC  grants  per-
-       mission  to  link  the  code  of  this  program with any version of the
-       OpenSSL library which is distributed under a license identical to  that
-       listed in the included Copying.OpenSSL file, and distribute linked com-
-       binations including the two. You must obey the GNU GPL in all  respects
-       for  all of the code used other than OpenSSL.  If you modify this file,
-       you may extend this exception to your version of the file, but you  are
-       not obligated to do so.
+       As a special exception to the GPL terms, Insecure.Com LLC grants
+       permission to link the code of this program with any version of the
+       OpenSSL library which is distributed under a license identical to that
+       listed in the included Copying.OpenSSL file, and distribute linked
+       combinations including the two. You must obey the GNU GPL in all
+       respects for all of the code used other than OpenSSL. If you modify
+       this file, you may extend this exception to your version of the file,
+       but you are not obligated to do so.
 
-       If  you  received  these files with a written license agreement or con-
-       tract stating terms other than the terms above, then  that  alternative
-       license agreement takes precedence over these comments.
+       If you received these files with a written license agreement or
+       contract stating terms other than the terms above, then that
+       alternative license agreement takes precedence over these comments.
 
-       Source  is  provided  to  this software because we believe users have a
+   Source code availability and community contributions
+       Source is provided to this software because we believe users have a
        right to know exactly what a program is going to do before they run it.
-       This  also  allows  you  to audit the software for security holes (none
+       This also allows you to audit the software for security holes (none
        have been found so far).
 
-       Source code also allows you to port Nmap to new  platforms,  fix  bugs,
-       and  add  new features.  You are highly encouraged to send your changes
-       to fyodor@insecure.org for possible incorporation into the main distri-
-       bution.   By  sending  these  changes to Fyodor or one the Insecure.Org
-       development mailing lists, it is assumed that you are  offering  Fyodor
-       and  Insecure.Com LLC the unlimited, non-exclusive right to reuse, mod-
-       ify, and relicense the  code.   Nmap  will  always  be  available  Open
-       Source,  but  this is important because the inability to relicense code
-       has caused devastating problems for other Free Software projects  (such
-       as  KDE  and  NASM).   We also occasionally relicense the code to third
-       parties as discussed above.  If you wish  to  specify  special  license
-       conditions of your contributions, just say so when you send them.
+       Source code also allows you to port Nmap to new platforms, fix bugs,
+       and add new features. You are highly encouraged to send your changes to
+       <fyodor@insecure.org> for possible incorporation into the main
+       distribution. By sending these changes to Fyodor or one of the
+       Insecure.Org development mailing lists, it is assumed that you are
+       offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right
+       to reuse, modify, and relicense the code. Nmap will always be available
+       Open Source, but this is important because the inability to relicense
+       code has caused devastating problems for other Free Software projects
+       (such as KDE and NASM). We also occasionally relicense the code to
+       third parties as discussed above. If you wish to specify special
+       license conditions of your contributions, just say so when you send
+       them.
 
-       This  program  is  distributed  in the hope that it will be useful, but
-       WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
-       CHANTABILITY  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-       Public License for more details at http://www.gnu.org/copyleft/gpl.html
-       , or in the COPYING file included with Nmap.
+   No Warranty
+       This program is distributed in the hope that it will be useful, but
+       WITHOUT ANY WARRANTY; without even the implied warranty of
+       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+       General Public License for more details at
+       http://www.gnu.org/copyleft/gpl.html, or in the COPYING file included
+       with Nmap.
 
-       It  should  also  be  noted  that  Nmap has been known to crash certain
+       It should also be noted that Nmap has occasionally been known to crash
        poorly written applications, TCP/IP stacks, and even operating systems.
-       Nmap  should  never  be run against mission critical systems unless you
-       are prepared to suffer downtime.  We acknowledge  here  that  Nmap  may
-       crash  your  systems  or networks and we disclaim all liability for any
-       damage or problems Nmap could cause.
+       While this is extremely rare, it is important to keep in mind.  Nmap
+       should never be run against mission critical systems unless you are
+       prepared to suffer downtime. We acknowledge here that Nmap may crash
+       your systems or networks and we disclaim all liability for any damage
+       or problems Nmap could cause.
 
+   Inappropriate Usage
        Because of the slight risk of crashes and because a few black hats like
-       to  use  Nmap  for reconnaissance prior to attacking systems, there are
-       administrators who become upset and may complain when their  system  is
-       scanned.   Thus,  it  is  often  advisable to request permission before
-       doing even a light scan of a network.
+       to use Nmap for reconnaissance prior to attacking systems, there are
+       administrators who become upset and may complain when their system is
+       scanned. Thus, it is often advisable to request permission before doing
+       even a light scan of a network.
 
-       Nmap should never be installed with special privileges (eg  suid  root)
+       Nmap should never be installed with special privileges (e.g. suid root)
        for security reasons.
 
-       This product includes software developed by the Apache Software Founda-
-       tion (http://www.apache.org/).  The  Libpcap  portable  packet  capture
-       library  is  distributed along with nmap.  Libpcap was originally copy-
-       righted by Van Jacobson, Craig Leres and Steven  McCanne,  all  of  the
-       Lawrence Berkeley National Laboratory, University of California, Berke-
-       ley, CA.  It is now maintained by http://www.tcpdump.org .
+   Third-Party Software
+       This product includes software developed by the [8]Apache Software
+       Foundation. A modified version of the [9]Libpcap portable packet
+       capture library is distributed along with nmap. The Windows version of
+       Nmap utilized the libpcap-derived [10]WinPcap library instead. Regular
+       expression support is provided by the [11]PCRE library, which is open
+       source software, written by Philip Hazel. Certain raw networking
+       functions use the [12]Libdnet networking library, which was written by
+       Dug Song. A modified version is distributed with Nmap. Nmap can
+       optionally link with the [13]OpenSSL cryptography toolkit for SSL
+       version detection support. All of the third-party software described in
+       this paragraph is freely redistributable under BSD-style software
+       licenses.
 
-       Regular expression support is provided by  the  PCRE  library  package,
-       which  is  open source software, written by Philip Hazel, and copyright
-       by the University of Cambridge, England.  See http://www.pcre.org/ .
+   US Export Control Classification
+       US Export Control: Insecure.Com LLC believes that Nmap falls under US
+       ECCN (export control classification number) 5D992. This category is
+       called “Information Security software not controlled by 5D002”. The
+       only restriction of this classification is AT (anti-terrorism), which
+       applies to almost all goods and denies export to a handful of rogue
+       nations such as Iran and North Korea. Thus exporting Nmap does not
+       require any special license, permit, or other governmental
+       authorization.
 
-       Nmap can optionally link to the OpenSSL cryptography toolkit, which  is
-       available from http://www.openssl.org/ .
 
-       US  Export  Control: Insecure.Com LLC believes that Nmap falls under US
-       ECCN (export control classification number) 5D992.   This  category  is
-       called  ’"Information  Security"  "software"  not controlled by 5D002’.
-       The only restriction of this  classification  is  AT  (anti-terrorism),
-       which  applies  to  almost  all goods and denies export to a handful of
-       rogue nations such as Iran and North Korea.  Thus exporting  Nmap  does
-       not  require  any special license, permit, or other governmental autho-
-       rization.
+

+
REFERENCES
+        1. RFC 1122
+           http://www.rfc-editor.org/rfc/rfc1122.txt
+
+        2. RFC 792
+           http://www.rfc-editor.org/rfc/rfc792.txt
+
+        3. UDP
+           http://www.rfc-editor.org/rfc/rfc768.txt
+
+        4. TCP RFC
+           http://www.rfc-editor.org/rfc/rfc793.txt
+
+        5. RFC 959
+           http://www.rfc-editor.org/rfc/rfc959.txt
+
+        6. Nmap::Scanner
+           http://sourceforge.net/projects/nmap-scanner/
+
+        7. Nmap::Parser
+           http://www.nmapparser.com
+
+        8. Apache Software Foundation
+           http://www.apache.org
+
+        9. Libpcap portable packet capture library
+           http://www.tcpdump.org
+
+       10. WinPcap library
+           http://www.winpcap.org
+
+       11. PCRE library
+           http://www.pcre.org
+
+       12. Libdnet
+           http://libdnet.sourceforge.net
+
+       13. OpenSSL cryptography toolkit
+           http://www.openssl.org
 
 
 
-                                                                       NMAP(1)
+                                  11/17/2005                           NMAP(1)
 

 

 

diff --git a/libpcre/pcre.h b/libpcre/pcre.h
index bb66522ee..b2596a83d 100644
--- a/libpcre/pcre.h
+++ b/libpcre/pcre.h
@@ -48,7 +48,17 @@ make changes to pcre.in. */
 
 /* Win32 uses DLL by default; it needs special stuff for exported functions. */
 
-/* Removed -- Fyodor */
+#ifdef _WIN32
+#  ifdef PCRE_DEFINITION
+#    ifdef DLL_EXPORT
+#      define PCRE_DATA_SCOPE __declspec(dllexport)
+#    endif
+#  else
+#    ifndef PCRE_STATIC
+#      define PCRE_DATA_SCOPE extern __declspec(dllimport)
+#    endif
+#  endif
+#endif
 
 /* For other operating systems, we use the standard "extern". */
 
diff --git a/nmap-services b/nmap-services
index 3fc032ed5..bc1ef8c6f 100644
--- a/nmap-services
+++ b/nmap-services
@@ -1183,6 +1183,7 @@ supfiledbg        1127/tcp   # SUP debugging
 cce3x             1139/tcp   # ClearCommerce Engine 3.x ( www.clearcommerce.com)
 nfa               1155/tcp   # Network File Access
 nfa               1155/udp   # Network File Access
+lsnr              1158/tcp   # Oracle DB listener
 phone             1167/udp   # conference calling
 skkserv           1178/tcp   # SKK (kanji input)
 lupa              1212/tcp   # 
@@ -1977,6 +1978,7 @@ sdxauthd          5540/udp   # ACE/Server services
 sdadmind          5550/tcp   # ACE/Server services
 freeciv           5555/tcp   #
 rplay             5555/udp   # 
+isqlplus          5560/tcp   # Oracle web enabled SQL interface (version 10g+)
 pcanywheredata    5631/tcp   # 
 pcanywherestat    5632/tcp   # 
 pcanywherestat    5632/udp   # 
diff --git a/nmap.cc b/nmap.cc
index 64231f77c..648ae4c94 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -1558,32 +1558,86 @@ struct scan_lists *getpts(char *origexpr) {
 }
 
 void printusage(char *name, int rc) {
-  printf(
-	 "Nmap %s Usage: nmap [Scan Type(s)] [Options] \n"
-	 "Some Common Scan Types ('*' options require root privileges)\n"
-	 "* -sS TCP SYN stealth port scan (default if privileged (root))\n"
-	 "  -sT TCP connect() port scan (default for unprivileged users)\n"
-	 "* -sU UDP port scan\n"
-	 "  -sP ping scan (Find any reachable machines)\n"
-	 "* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)\n"
-         "  -sV Version scan probes open ports determining service & app names/versions\n"
-	 "  -sR RPC scan (use with other scan types)\n"
-	 "Some Common Options (none are required, most can be combined):\n"
-	 "* -O Use TCP/IP fingerprinting to guess remote operating system\n"
-	 "  -p  ports to scan.  Example range: 1-1024,1080,6666,31337\n"
-	 "  -F Only scans ports listed in nmap-services\n"
-	 "  -v Verbose. Its use is recommended.  Use twice for greater effect.\n"
-	 "  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)\n"
-	 "* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys\n"
-         "  -6 scans via IPv6 rather than IPv4\n"
-	 "  -T  General timing policy\n"
-	 "  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]\n"
-	 "  -oN/-oX/-oG  Output normal/XML/grepable scan logs to \n"
-	 "  -iL  Get targets from file; Use '-' for stdin\n"
-	 "* -S /-e  Specify source address or network interface\n"
-	 "  --interactive Go into interactive mode (then press h for help)\n"
-	 "Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'\n"
-	 "SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES \n", NMAP_VERSION);
+
+printf("%s %s ( %s )\n"
+       "Usage: nmap [Scan Type(s)] [Options] {target specification}\n"
+       "TARGET SPECIFICATION:\n"
+       "  Can pass hostnames, IP addresses, networks, etc.\n"
+       "  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254\n"
+       "  -iL : Input from list of hosts/networks\n"
+       "  -iR : Choose random targets\n"
+       "  --exclude : Exclude hosts/networks\n"
+       "  --excludefile : Exclude list from file\n"
+       "HOST DISCOVERY:\n"
+       "  -sL: List Scan - simply list targets to scan\n"
+       "  -sP: Ping Scan - go no further than determining if host is online\n"
+       "  -P0: Treat all hosts as online -- skip host discovery\n"
+       "  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports\n"
+       "  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n"
+       "  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n"
+       "SCAN TECHNIQUES:\n"
+       "  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans\n"
+       "  -sN/sF/sX: TCP Null, FIN, and Xmas scans\n"
+       "  --scanflags : Customize TCP scan flags\n"
+       "  -sI : Idlescan\n"
+       "  -sO: IP protocol scan\n"
+       "  -b : FTP bounce scan\n"
+       "PORT SPECIFICATION AND SCAN ORDER:\n"
+       "  -p : Only scan specified ports\n"
+       "    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080\n"
+       "  -F: Fast - Scan only the ports listed in the nmap-services file)\n"
+       "  -r: Scan ports consecutively - don't randomize\n"
+       "SERVICE/VERSION DETECTION:\n"
+       "  -sV: Probe open ports to determine service/version info\n"
+       "  --version_light: Limit to most likely probes for faster identification\n"
+       "  --version_all: Try every single probe for version detection\n"
+       "  --version_trace: Show detailed version scan activity (for debugging)\n"
+       "OS DETECTION:\n"
+       "  -O: Enable OS detection\n"
+       "  --osscan_limit: Limit OS detection to promising targets\n"
+       "  --osscan_guess: Guess OS more aggressively\n"
+       "TIMING AND PERFORMANCE:\n"
+       "  -T[0-5]: Set timing template (higher is faster)\n"
+       "  --min_hostgroup/max_hostgroup : Parallel host scan group sizes\n"
+       "  --min_parallelism/max_parallelism : Probe parallelization\n"
+       "  --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies\n"
+       "      probe round trip time.\n"
+       "  --host_timeout : Give up on target after this long\n"
+       "  --scan_delay/--max_scan_delay : Adjust delay between probes\n"
+       "FIREWALL/IDS EVASION AND SPOOFING:\n"
+       "  -f; --mtu : fragment packets (optionally w/given MTU)\n"
+       "  -D : Cloak a scan with decoys\n"
+       "  -S : Spoof source address\n"
+       "  -e : Use specified interface\n"
+       "  -g/--source_port : Use given port number\n"
+       "  --data_length : Append random data to sent packets\n"
+       "  --ttl : Set IP time-to-live field\n"
+       "  --spoof_mac : Spoof your MAC address\n"
+       "OUTPUT:\n"
+       "  -oN/-oX/-oS/-oG : Output scan in normal, XML, s|: Output in the three major formats at once\n"
+       "  -v: Increase verbosity level (use twice for more effect)\n"
+       "  -d[level]: Set or increase debugging level (Up to 9 is meaningful)\n"
+       "  --packet_trace: Show all packets sent and received\n"
+       "  --iflist: Print host interfaces and routes (for debugging)\n"
+       "  --append_output: Append to rather than clobber specified output files\n"
+       "  --resume : Resume an aborted scan\n"
+       "  --stylesheet : XSL stylesheet to transform XML output to HTML\n"
+       "  --no_stylesheet: Prevent associating of XSL stylesheet w/XML output\n"
+       "MISC:\n"
+       "  -6: Enable IPv6 scanning\n"
+       "  -A: Enables OS detection and Version detection\n"
+       "  --datadir : Specify custom Nmap data file location\n"
+       "  --send_eth/--send_ip: Send using raw ethernet frames or IP packets\n"
+       "  --privileged: Assume that the user is fully privileged\n"
+       "  -V: Print version number\n"
+       "  -h: Print this help summary page.\n"
+       "EXAMPLES:\n"
+       "  nmap -v -A scanme.nmap.org\n"
+       "  nmap -v -sP 192.168.0.0/16 10.0.0.0/8\n"
+       "  nmap -v -iR 10000 -P0 -p 80\n"
+       "SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES\n", NMAP_NAME, NMAP_VERSION, NMAP_URL);
   exit(rc);
 }
 
@@ -1828,7 +1882,7 @@ char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv) {
   } else { 
     host_spec_index = 0;
     while((ch = getc(inputfd)) != EOF) {
-      if (ch == ' ' || ch == '\n' || ch == '\t' || ch == '\0') {
+      if (ch == ' ' || ch == '\r' || ch == '\n' || ch == '\t' || ch == '\0') {
 	if (host_spec_index == 0) continue;
 	host_spec[host_spec_index] = '\0';
 	return host_spec;
diff --git a/nmap_winconfig.h b/nmap_winconfig.h
index 19afab4f8..b59455889 100644
--- a/nmap_winconfig.h
+++ b/nmap_winconfig.h
@@ -105,7 +105,7 @@
 #define NMAP_WINCONFIG_H
 
 #define NMAP_VERSION "3.93"
-#define NMAP_NAME "nmap"
+#define NMAP_NAME "Nmap"
 #define NMAP_URL "http://www.insecure.org/nmap"
 #define NMAP_PLATFORM "i686-pc-windows-windows"
 #define NMAPDATADIR "c:\nmap" /* FIXME: I really need to make this dynamic */
diff --git a/scripts/Makefile b/scripts/Makefile
index 9c1f54314..9b6676cdd 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -25,9 +25,12 @@ servicematch: dummy
 
 web:
 	test x$(wroot) != x
-	cd ../docs && cp -a nmap_gpgkeys.txt nmap_manpage*.html nmap*.1 \
+	make -C $(wroot)/nmapguide manhtml manxml man manxlate
+	cp $(wroot)/nmapguide/nmap.1 ../docs
+	cd ../docs && cp -a nmap_gpgkeys.txt nmap_manpage-*.html nmap*.1 \
                             xnmap.1 nmap.usage.txt nmap.dtd nmap.xsl \
                             leet-nmap-ascii-art.txt $(wroot)/nmap/data/
+	cp $(wroot)/nmapguide/build/man-built.xml $(wroot)/nmap/data/
 	./sort-prints.pl ../nmap-os-fingerprints > nos && mv nos ../nmap-os-fingerprints
 	./produceosclasschoosebox.pl ../nmap-os-fingerprints > $(wroot)/nmap/data/os-classes.txt
 	cd .. && cp -a CHANGELOG HACKING COPYING COPYING.OpenSSL INSTALL \
@@ -48,20 +51,8 @@ distro:
 	../nmap -h > /dev/null    #Make sure nmap exists
 	rm -f ../docs/nmap.usage.txt	
 	../nmap -h > ../docs/nmap.usage.txt 
-	rm -f ../docs/nmap_manpage.html
-# nodepage option is included in man2html because of bug in that program which causes it to
-# drop lines if you let it try to delete page breaks
-	nroff -man ../docs/nmap.1 | man2html -nodepage -title 'Nmap network security scanner man page' > ../docs/nmap_manpage.html
-	nroff -man ../docs/nmap_french.1 | man2html -nodepage -title 'Nmap network security scanner man page (French translation)' > ../docs/nmap_manpage-fr.html
-	nroff -man ../docs/nmap_german.1 | man2html -nodepage -title 'Nmap network security scanner man page (German translation)' > ../docs/nmap_manpage-de.html
-	nroff -man ../docs/nmap_italian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Italian translation)' > ../docs/nmap_manpage-it.html
-	nroff -man ../docs/nmap_latvian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Latvian translation)' > ../docs/nmap_manpage-lv.html
-	nroff -Tlatin1 -man ../docs/nmap_lithuanian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Lithuanian translation)' > ../docs/nmap_manpage-lt.html
-	nroff -man ../docs/nmap_russian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Russian translation)' > ../docs/nmap_manpage-ru.html
-# We need a content-type for the Lithuanian version
-	sr '' '' ../docs/nmap_manpage-lt.html
-	nroff -man ../docs/nmap_portuguese.1 | man2html -nodepage -title 'Nmap network security scanner man page (Portuguese translation)' > ../docs/nmap_manpage-pt.html
-	nroff -man ../docs/nmap_spanish.1 | man2html -nodepage -title 'Nmap network security scanner man page (Spanish translation)' > ../docs/nmap_manpage-es.html
+	make -C $(wroot)/nmapguide man manxlate
+	cp $(wroot)/nmapguide/nmap.1 ../docs
 	rm -rf /usr/tmp/nmap-$(NMAP_VERSION)
 	mkdir /usr/tmp/nmap-$(NMAP_VERSION)
 # Make the RPM .spec file
@@ -137,15 +128,11 @@ distro:
 	$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/docs
 	cd ../docs; cp -a README nmap_gpgkeys.txt \
                     nmap-fingerprinting-article.txt \
-                    nmap.deprecated.txt nmap.usage.txt nmap_doc.html \
-                    nmap_manpage-de.html nmap_manpage-es.html \
-                    nmap_manpage-fr.html nmap_manpage-it.html \
-                    nmap_manpage-lt.html nmap_manpage-pt.html \
-                    nmap_manpage-ru.html nmap_manpage.html \
-                    nmap.1 nmapfe.1 nmap_french.1 nmap_german.1 \
-                    nmap_italian.1 nmap_lithuanian.1 nmap_portuguese.1 \
-                    nmap_spanish.1 nmap_russian.1 xnmap.1 nmap.dtd nmap.xsl \
-                    leet-nmap-ascii-art.txt /usr/tmp/nmap-$(NMAP_VERSION)/docs
+                    nmap.deprecated.txt nmap.usage.txt  \
+                    nmap.1 nmapfe.1 xnmap.1 nmap.dtd nmap.xsl \
+                    leet-nmap-ascii-art.txt \
+                    $(wroot)/nmap/data/man-xlate/man-*.1 \
+                    /usr/tmp/nmap-$(NMAP_VERSION)/docs
 	$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nmapfe
 	cd ../nmapfe; cp -a Makefile.in aclocal.m4 configure configure.ac \
 	              nmapfe.c nmapfe.h nmapfe_sig.c nmapfe_sig.h \
diff --git a/service_scan.cc b/service_scan.cc
index f05160a78..8bb1dd7a0 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -1652,8 +1652,18 @@ ServiceGroup::~ServiceGroup() {
    PORT_OPEN. */
 static void adjustPortStateIfNeccessary(ServiceNFO *svc) {
 
+  char host[128];
+
   if (svc->port->state == PORT_OPENFILTERED) {
-    svc->target->ports.addPort(svc->portno, svc->proto, NULL, PORT_OPEN);
+    svc->port->state = PORT_OPEN;
+
+    if (o.verbose || o.debugging > 1) {
+      svc->target->NameIP(host, sizeof(host));
+
+      log_write(LOG_STDOUT, "Discovered open|filtered port %hu/%s on %s is actually open\n",
+         svc->portno, proto2ascii(svc->proto), host);
+      log_flush(LOG_STDOUT);
+    }
   }
 
   return;
diff --git a/targets.cc b/targets.cc
index 64e76f21f..9f2f83fee 100644
--- a/targets.cc
+++ b/targets.cc
@@ -1733,7 +1733,7 @@ int hostInExclude(struct sockaddr *checksock, size_t checksocklen,
         }
 	else {
 	  exclude_group[i++].rewind();
-	  continue;
+	  break;
 	}
       } 
       /* For ranges we need to be a little more slick, if we don't find a match
diff --git a/tcpip.h b/tcpip.h
index e6e921627..5a4bf477d 100644
--- a/tcpip.h
+++ b/tcpip.h
@@ -286,7 +286,7 @@ class PacketTrace {
      direction must be PacketTrace::SENT or PacketTrace::RCVD .
      Optional 'now' argument makes this function slightly more
      efficient by avoiding a gettimeofday() call. */
-  static void PacketTrace::traceArp(pdirection pdir, const u8 *frame, u32 len,
+  static void traceArp(pdirection pdir, const u8 *frame, u32 len,
 				    struct timeval *now);
 };