mirror of
https://github.com/nmap/nmap.git
synced 2025-12-09 14:11:29 +00:00
This commit is contained in:
fyodor
129
docs/nmap.1
129
docs/nmap.1
@@ -1,12 +1,12 @@
|
||||
.\" Title: nmap
|
||||
.\" Author: [see the "Author" section]
|
||||
.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
|
||||
.\" Date: 05/14/2009
|
||||
.\" Date: 06/02/2009
|
||||
.\" Manual: Nmap Reference Guide
|
||||
.\" Source: Nmap
|
||||
.\" Language: English
|
||||
.\"
|
||||
.TH "NMAP" "1" "05/14/2009" "Nmap" "Nmap Reference Guide"
|
||||
.TH "NMAP" "1" "06/02/2009" "Nmap" "Nmap Reference Guide"
|
||||
.\" -----------------------------------------------------------------
|
||||
.\" * (re)Define some macros
|
||||
.\" -----------------------------------------------------------------
|
||||
@@ -467,12 +467,12 @@ Because host discovery needs are so diverse, Nmap offers a wide variety of optio
|
||||
ping
|
||||
tool\&. Users can skip the ping step entirely with a list scan (\fB\-sL\fR) or by disabling ping (\fB\-PN\fR), or engage the network with arbitrary combinations of multi\-port TCP SYN/ACK, UDP, and ICMP probes\&. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device)\&. On many networks, only a small percentage of IP addresses are active at any given time\&. This is particularly common with private address space such as 10\&.0\&.0\&.0/8\&. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines\&. Host discovery can find those machines in a sparsely allocated sea of IP addresses\&.
|
||||
.PP
|
||||
If no host discovery options are given, Nmap sends a TCP ACK packet destined for port 80 and an ICMP echo request query to each target machine\&. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network\&. For unprivileged Unix shell users, a SYN packet is sent instead of the ACK using the
|
||||
If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, and TCP ACK packet to port 80, and an ICMP timestamp request\&. These defaults are equivalent to the
|
||||
\fB\-PE \-PS443 \-PA80 \-PP\fR
|
||||
options\&. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network\&. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the
|
||||
\fBconnect\fR
|
||||
system call\&..\" unprivileged users: limitations of
|
||||
These defaults are equivalent to the
|
||||
\fB\-PA \-PE\fR
|
||||
options\&. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing\&.
|
||||
This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing\&.
|
||||
.PP
|
||||
The
|
||||
\fB\-P*\fR
|
||||
@@ -508,16 +508,16 @@ Systems administrators often find this option valuable as well\&. It can easily
|
||||
.sp
|
||||
The
|
||||
\fB\-sP\fR
|
||||
option sends an ICMP echo request and a TCP ACK packet to port 80 by default\&. When executed by an unprivileged user, only a SYN packet is sent (using a
|
||||
option sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default\&. When executed by an unprivileged user, only SYN packets are sent (using a
|
||||
\fBconnect\fR
|
||||
call) to port 80 on the target\&. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless
|
||||
call) to ports 80 and 443 on the target\&. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless
|
||||
\fB\-\-send\-ip\fR
|
||||
was specified\&. The
|
||||
\fB\-sP\fR
|
||||
option can be combined with any of the discovery probe types (the
|
||||
\fB\-P*\fR
|
||||
options, excluding
|
||||
\fB\-PN\fR) for greater flexibility\&. If any of those probe type and port number options are used, the default probes (ACK and echo request) are overridden\&. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended\&. Otherwise hosts could be missed when the firewall drops probes or their responses\&.
|
||||
\fB\-PN\fR) for greater flexibility\&. If any of those probe type and port number options are used, the default probes are overridden\&. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended\&. Otherwise hosts could be missed when the firewall drops probes or their responses\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-PN\fR (No ping) .\" -PN .\" host discovery: disabling
|
||||
@@ -624,7 +624,9 @@ Unfortunately for network explorers, many hosts and firewalls now block these pa
|
||||
\fB\-PE\fR
|
||||
option to enable this echo request behavior\&.
|
||||
.sp
|
||||
While echo request is the standard ICMP ping query, Nmap does not stop there\&. The ICMP standard (\m[blue]\fBRFC 792\fR\m[]\&\s-2\u[3]\d\s+2) also specifies timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively\&. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery\&. A system that replies is up and available\&. Nmap does not currently implement information request packets, as they are not widely supported\&. RFC 1122 insists that
|
||||
While echo request is the standard ICMP ping query, Nmap does not stop there\&. The ICMP standards (\m[blue]\fBRFC 792\fR\m[]\&\s-2\u[3]\d\s+2.\" RFC 792
|
||||
and
|
||||
\m[blue]\fBRFC 950\fR\m[]\&\s-2\u[4]\d\s+2.\" RFC 950) also specify timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively\&. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery\&. A system that replies is up and available\&. Nmap does not currently implement information request packets, as they are not widely supported\&. RFC 1122 insists that
|
||||
\(lqa host SHOULD NOT implement these messages\(rq\&. Timestamp and address mask queries can be sent with the
|
||||
\fB\-PP\fR
|
||||
and
|
||||
@@ -647,7 +649,7 @@ This host discovery method looks for either responses using the same protocol as
|
||||
\fB\-PR\fR (ARP Ping) .\" -PR .\" ARP ping
|
||||
.RS 4
|
||||
One of the most common Nmap usage scenarios is to scan an ethernet LAN\&. On most LANs, especially those using private address ranges specified by
|
||||
\m[blue]\fBRFC 1918\fR\m[]\&\s-2\u[4]\d\s+2, the vast majority of IP addresses are unused at any given time\&. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame\&. This is often slow and problematic, since operating systems weren\'t written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period\&.
|
||||
\m[blue]\fBRFC 1918\fR\m[]\&\s-2\u[5]\d\s+2, the vast majority of IP addresses are unused at any given time\&. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame\&. This is often slow and problematic, since operating systems weren\'t written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period\&.
|
||||
.sp
|
||||
ARP scan puts Nmap and its optimized algorithms in charge of ARP requests\&. And if it gets a response back, Nmap doesn\'t even need to worry about the IP\-based ping packets since it already knows the host is up\&. This makes ARP scan much faster and more reliable than IP\-based scans\&. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network\&. Even if different ping types (such as
|
||||
\fB\-PE\fR
|
||||
@@ -788,7 +790,7 @@ call than with raw packets, making it less efficient\&. The system call complete
|
||||
\fB\-sU\fR (UDP scans) .\" -sU .\" UDP scan
|
||||
.RS 4
|
||||
While most popular services on the Internet run over the TCP protocol,
|
||||
\m[blue]\fBUDP\fR\m[]\&\s-2\u[5]\d\s+2
|
||||
\m[blue]\fBUDP\fR\m[]\&\s-2\u[6]\d\s+2
|
||||
services are widely deployed\&. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common\&. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports\&. This is a mistake, as exploitable UDP services are quite common and attackers certainly don\'t ignore the whole protocol\&. Fortunately, Nmap can help inventory UDP ports\&.
|
||||
.sp
|
||||
UDP scan is activated with the
|
||||
@@ -815,7 +817,7 @@ to skip slow hosts\&.
|
||||
These three scan types (even more are possible with the
|
||||
\fB\-\-scanflags\fR
|
||||
option described in the next section) exploit a subtle loophole in the
|
||||
\m[blue]\fBTCP RFC\fR\m[]\&\s-2\u[6]\d\s+2
|
||||
\m[blue]\fBTCP RFC\fR\m[]\&\s-2\u[7]\d\s+2
|
||||
to differentiate between
|
||||
\FCopen\F[]
|
||||
and
|
||||
@@ -904,7 +906,7 @@ He described the technique in
|
||||
Phrack
|
||||
Magazine issue #49 (November 1996)\&..\" Phrack
|
||||
Nmap, which included this technique, was released two issues later\&. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK\&. According to
|
||||
\m[blue]\fBRFC 793\fR\m[]\&\s-2\u[6]\d\s+2
|
||||
\m[blue]\fBRFC 793\fR\m[]\&\s-2\u[7]\d\s+2
|
||||
(TCP), a RST packet should be generated in response to such a probe whether the port is open or closed\&. However, Uriel noticed that many BSD\-derived systems simply drop the packet if the port is open\&.
|
||||
.RE
|
||||
.PP
|
||||
@@ -977,7 +979,7 @@ at the same time)\&. If no response is received after retransmissions, the proto
|
||||
.PP
|
||||
\fB\-b \fR\fB\fIFTP relay host\fR\fR (FTP bounce scan) .\" -b .\" FTP bounce scan
|
||||
.RS 4
|
||||
An interesting feature of the FTP protocol (\m[blue]\fBRFC 959\fR\m[]\&\s-2\u[7]\d\s+2) is support for so\-called proxy FTP connections\&. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server\&. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it\&. One of the abuses this feature allows is causing the FTP server to port scan other hosts\&. Simply ask the FTP server to send a file to each interesting port of a target host in turn\&. The error message will describe whether the port is open or not\&. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would\&. Nmap supports FTP bounce scan with the
|
||||
An interesting feature of the FTP protocol (\m[blue]\fBRFC 959\fR\m[]\&\s-2\u[8]\d\s+2) is support for so\-called proxy FTP connections\&. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server\&. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it\&. One of the abuses this feature allows is causing the FTP server to port scan other hosts\&. Simply ask the FTP server to send a file to each interesting port of a target host in turn\&. The error message will describe whether the port is open or not\&. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would\&. Nmap supports FTP bounce scan with the
|
||||
\fB\-b\fR
|
||||
option\&. It takes an argument of the form
|
||||
\fIusername\fR:\fIpassword\fR@\fIserver\fR:\fIport\fR\&.
|
||||
@@ -1179,7 +1181,7 @@ or
|
||||
class, which means that they increment the ID field in the IP header for each packet they send\&. This makes them vulnerable to several advanced information gathering and spoofing attacks\&.
|
||||
.\" uptime guess
|
||||
.PP
|
||||
Another bit of extra information enabled by OS detection is a guess at a target\'s uptime\&. This uses the TCP timestamp option (\m[blue]\fBRFC 1323\fR\m[]\&\s-2\u[8]\d\s+2) to guess when a machine was last rebooted\&. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode\&.
|
||||
Another bit of extra information enabled by OS detection is a guess at a target\'s uptime\&. This uses the TCP timestamp option (\m[blue]\fBRFC 1323\fR\m[]\&\s-2\u[9]\d\s+2) to guess when a machine was last rebooted\&. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode\&.
|
||||
.PP
|
||||
|
||||
A paper documenting the workings, usage, and customization of OS detection is available at \m[blue]\fB\%http://nmap.org/book/osdetect.html\fR\m[]\&.
|
||||
@@ -1219,7 +1221,7 @@ value (such as 1) speeds Nmap up, though you miss out on retries which could pot
|
||||
.\" Nmap Scripting Engine (NSE)
|
||||
.PP
|
||||
The Nmap Scripting Engine (NSE) is one of Nmap\'s most powerful and flexible features\&. It allows users to write (and share) simple scripts (using the
|
||||
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[9]\d\s+2,
|
||||
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[10]\d\s+2,
|
||||
.\" Lua programming language) to automate a wide variety of networking tasks\&. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap\&. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs\&.
|
||||
.PP
|
||||
Tasks we had in mind when creating the system include network discovery, more sophisticated version detection, vulnerability detection\&. NSE can even be used for vulnerability exploitation\&.
|
||||
@@ -1311,7 +1313,7 @@ More complicated script selection can be done using the
|
||||
\FCor\F[], and
|
||||
\FCnot\F[]
|
||||
operators to build Boolean expressions\&. The operators have the same
|
||||
\m[blue]\fBprecedence\fR\m[]\&\s-2\u[10]\d\s+2
|
||||
\m[blue]\fBprecedence\fR\m[]\&\s-2\u[11]\d\s+2
|
||||
as in Lua:
|
||||
\FCnot\F[]
|
||||
is the highest, followed by
|
||||
@@ -1358,15 +1360,15 @@ categories, except for those whose names start with
|
||||
.RE
|
||||
.RE
|
||||
.PP
|
||||
\fB\-\-script\-args \fR\fB\fIname1\fR\fR\fB=\fR\fB\fIvalue1\fR\fR\fB,\fR\fB\fIname2\fR\fR\fB={\fR\fB\fIname3\fR\fR\fB=\fR\fB\fIvalue3\fR\fR\fB},\fR\fB\fIname4\fR\fR\fB=\fR\fB\fIvalue4\fR\fR .\" --script-args .\" script arguments
|
||||
\fB\-\-script\-args \fR\fB\fIname1\fR\fR\fB=\fR\fB\fIvalue1\fR\fR\fB,\fR\fB\fIname2\fR\fR\fB={\fR\fB\fIname3\fR\fR\fB=\fR\fB\fIvalue3\fR\fR\fB},\fR\fB\fIname4\fR\fR\fB={\fR\fB\fIvalue4\fR\fR\fB,\fR\fB\fIvalue5\fR\fR\fB}\fR .\" --script-args .\" script arguments
|
||||
.RS 4
|
||||
Lets you provide arguments to NSE scripts\&. Arguments are passed as
|
||||
Lets you provide arguments to NSE scripts\&. Arguments are a comma\-separated list of
|
||||
\FCname=value\F[]
|
||||
pairs\&. The provided argument is processed and stored inside a Lua table, to which all scripts have access\&. The names are taken as strings (which must be alphanumeric values) and used as keys inside the
|
||||
\FCargument\-table\F[]\&. Values are either strings or tables themselves (surrounded by \(oq\FC{\F[]\(cq and \(oq\FC}\F[]\(cq)\&. For example, you could pass the comma\-separated arguments:
|
||||
\FCuser=bar,pass=foo,whois={whodb=nofollow+ripe}\F[]\&. String arguments are potentially used by several scripts; subtables are normally used by only one script\&. In scripts that take a subtable, the subtable is usually named after the script (like
|
||||
\FCwhois\F[]
|
||||
in this example)\&.
|
||||
pairs\&. Names and values may be strings not containing whitespace or the characters \(oq\FC{\F[]\(cq, \(oq\FC}\F[]\(cq, \(oq\FC=\F[]\(cq, or \(oq\FC,\F[]\(cq\&. To include one of these characters in a string, enclose the string in single or double quotes\&. Within a quoted string, \(oq\FC\e\F[]\(cq escapes a quote\&. A backslash is only used to escape quotation marks in this special case; in all other cases a backslash is interpreted literally\&. Values may also be tables enclosed in
|
||||
\FC{}\F[], just as in Lua\&. A table may contain simple string values or more name\-value pairs, including nested tables\&. An example of script arguments:
|
||||
\fB\-\-script\-args auth={user=foo,pass=\',{}=bar\'},userdb=C:\ePath\eTo\eFile\fR\&. The online NSE Documentation Portal at
|
||||
\m[blue]\fB\%http://nmap.org/nsedoc/\fR\m[]
|
||||
lists the arguments that each script accepts\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-\-script\-trace\fR .\" --script-trace
|
||||
@@ -1750,7 +1752,7 @@ because accuracy there requires probe consistency, but most pinging and portscan
|
||||
\fB\-\-ip\-options \fR\fB\fIS|R [route]|L [route]|T|U \&.\&.\&. \fR\fR\fB;\fR \fB\-\-ip\-options \fR\fB\fIhex string\fR\fR (Send packets with specified ip options) .\" --ip-options .\" IP options
|
||||
.RS 4
|
||||
The
|
||||
\m[blue]\fBIP protocol\fR\m[]\&\s-2\u[11]\d\s+2
|
||||
\m[blue]\fBIP protocol\fR\m[]\&\s-2\u[12]\d\s+2
|
||||
offers several options which may be placed in packet headers\&. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns\&. In fact, many Internet routers block the most dangerous options such as source routing\&. Yet options can still be useful in some cases for determining and manipulating the network route to target machines\&. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute\-style approaches fail\&. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options\&.
|
||||
.sp
|
||||
The most powerful way to specify IP options is to simply pass in values as the argument to
|
||||
@@ -1920,10 +1922,10 @@ be directed to the given filename\&. Nmap includes a document type definition (D
|
||||
\m[blue]\fB\%http://nmap.org/data/nmap.dtd\fR\m[]\&.
|
||||
.sp
|
||||
XML offers a stable format that is easily parsed by software\&. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java\&. People have even written bindings for most of these languages to handle Nmap output and execution specifically\&. Examples are
|
||||
\m[blue]\fBNmap::Scanner\fR\m[]\&\s-2\u[12]\d\s+2
|
||||
\m[blue]\fBNmap::Scanner\fR\m[]\&\s-2\u[13]\d\s+2
|
||||
.\" Nmap::Scanner
|
||||
and
|
||||
\m[blue]\fBNmap::Parser\fR\m[]\&\s-2\u[13]\d\s+2
|
||||
\m[blue]\fBNmap::Parser\fR\m[]\&\s-2\u[14]\d\s+2
|
||||
.\" Nmap::Parser
|
||||
in Perl CPAN\&. In almost all cases that a non\-trivial application interfaces with Nmap, XML is the preferred format\&.
|
||||
.sp
|
||||
@@ -2158,7 +2160,7 @@ line being the only IPv6 give away\&.
|
||||
While IPv6 hasn\'t exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it\&. To use Nmap with IPv6, both the source and target of your scan must be configured for IPv6\&. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap\&. I use the free IPv6 tunnel broker.\" IPv6 tunnel broker
|
||||
service at
|
||||
\m[blue]\fB\%http://www.tunnelbroker.net\fR\m[]\&. Other tunnel brokers are
|
||||
\m[blue]\fBlisted at Wikipedia\fR\m[]\&\s-2\u[14]\d\s+2\&. 6to4 tunnels are another popular, free approach\&.
|
||||
\m[blue]\fBlisted at Wikipedia\fR\m[]\&\s-2\u[15]\d\s+2\&. 6to4 tunnels are another popular, free approach\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-A\fR (Aggressive scan options) .\" -A
|
||||
@@ -2481,7 +2483,7 @@ If you received these files with a written license agreement or contract stating
|
||||
This
|
||||
Nmap Reference Guide
|
||||
is (C) 2005\(en2009 Insecure\&.Com LLC\&. It is hereby placed under version 2\&.5 of the
|
||||
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[15]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
|
||||
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[16]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
|
||||
.SS "Source Code Availability and Community Contributions"
|
||||
.PP
|
||||
Source is provided to this software because we believe users have a right to know exactly what a program is going to do before they run it\&. This also allows you to audit the software for security holes (none have been found so far)\&.
|
||||
@@ -2509,31 +2511,31 @@ Nmap should never be installed with special privileges (e\&.g\&. suid root) for
|
||||
.SS "Third\-Party Software"
|
||||
.PP
|
||||
This product includes software developed by the
|
||||
\m[blue]\fBApache Software Foundation\fR\m[]\&\s-2\u[16]\d\s+2\&. A modified version of the
|
||||
\m[blue]\fBLibpcap portable packet capture library\fR\m[]\&\s-2\u[17]\d\s+2.\" libpcap
|
||||
\m[blue]\fBApache Software Foundation\fR\m[]\&\s-2\u[17]\d\s+2\&. A modified version of the
|
||||
\m[blue]\fBLibpcap portable packet capture library\fR\m[]\&\s-2\u[18]\d\s+2.\" libpcap
|
||||
is distributed along with Nmap\&. The Windows version of Nmap utilized the Libpcap\-derived
|
||||
\m[blue]\fBWinPcap library\fR\m[]\&\s-2\u[18]\d\s+2.\" WinPcap
|
||||
\m[blue]\fBWinPcap library\fR\m[]\&\s-2\u[19]\d\s+2.\" WinPcap
|
||||
instead\&. Regular expression support is provided by the
|
||||
\m[blue]\fBPCRE library\fR\m[]\&\s-2\u[19]\d\s+2,.\" Perl Compatible Regular Expressions (PCRE)
|
||||
\m[blue]\fBPCRE library\fR\m[]\&\s-2\u[20]\d\s+2,.\" Perl Compatible Regular Expressions (PCRE)
|
||||
which is open\-source software, written by Philip Hazel\&..\" Hazel, Philip
|
||||
Certain raw networking functions use the
|
||||
\m[blue]\fBLibdnet\fR\m[]\&\s-2\u[20]\d\s+2.\" libdnet
|
||||
\m[blue]\fBLibdnet\fR\m[]\&\s-2\u[21]\d\s+2.\" libdnet
|
||||
networking library, which was written by Dug Song\&..\" Song, Dug
|
||||
A modified version is distributed with Nmap\&. Nmap can optionally link with the
|
||||
\m[blue]\fBOpenSSL cryptography toolkit\fR\m[]\&\s-2\u[21]\d\s+2.\" OpenSSL
|
||||
\m[blue]\fBOpenSSL cryptography toolkit\fR\m[]\&\s-2\u[22]\d\s+2.\" OpenSSL
|
||||
for SSL version detection support\&. The Nmap Scripting Engine uses an embedded version of the
|
||||
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[22]\d\s+2\&..\" Lua programming language
|
||||
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[23]\d\s+2\&..\" Lua programming language
|
||||
All of the third\-party software described in this paragraph is freely redistributable under BSD\-style software licenses\&.
|
||||
.SS "United States Export Control.\" export control"
|
||||
.PP
|
||||
Nmap only uses encryption when compiled with the optional OpenSSL support and linked with OpenSSL\&. When compiled without OpenSSL support, Insecure\&.Com LLC believes that Nmap is not subject to U\&.S\&.
|
||||
\m[blue]\fBExport Administration Regulations (EAR)\fR\m[]\&\s-2\u[23]\d\s+2
|
||||
\m[blue]\fBExport Administration Regulations (EAR)\fR\m[]\&\s-2\u[24]\d\s+2
|
||||
export control\&. As such, there is no applicable ECCN (explort control classification number) and exportation does not require any special license, permit, or other governmental authorization\&.
|
||||
.PP
|
||||
When compiled with OpenSSL support or distributed as source code, Insecure\&.Com LLC believes that Nmap falls under U\&.S\&. ECCN
|
||||
\m[blue]\fB5D002\fR\m[]\&\s-2\u[24]\d\s+2
|
||||
\m[blue]\fB5D002\fR\m[]\&\s-2\u[25]\d\s+2
|
||||
(\(lqInformation Security Software\(rq)\&. We distribute Nmap under the TSU exception for publicly available encryption software defined in
|
||||
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[25]\d\s+2\&.
|
||||
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[26]\d\s+2\&.
|
||||
.SH "Notes"
|
||||
.IP " 1." 4
|
||||
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
|
||||
@@ -2551,111 +2553,116 @@ RFC 792
|
||||
\%http://www.rfc-editor.org/rfc/rfc792.txt
|
||||
.RE
|
||||
.IP " 4." 4
|
||||
RFC 950
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc950.txt
|
||||
.RE
|
||||
.IP " 5." 4
|
||||
RFC 1918
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc1918.txt
|
||||
.RE
|
||||
.IP " 5." 4
|
||||
.IP " 6." 4
|
||||
UDP
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc768.txt
|
||||
.RE
|
||||
.IP " 6." 4
|
||||
.IP " 7." 4
|
||||
TCP RFC
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc793.txt
|
||||
.RE
|
||||
.IP " 7." 4
|
||||
.IP " 8." 4
|
||||
RFC 959
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc959.txt
|
||||
.RE
|
||||
.IP " 8." 4
|
||||
.IP " 9." 4
|
||||
RFC 1323
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc1323.txt
|
||||
.RE
|
||||
.IP " 9." 4
|
||||
.IP "10." 4
|
||||
Lua programming language
|
||||
.RS 4
|
||||
\%http://lua.org
|
||||
.RE
|
||||
.IP "10." 4
|
||||
.IP "11." 4
|
||||
precedence
|
||||
.RS 4
|
||||
\%http://www.lua.org/manual/5.1/manual.html#2.5.3
|
||||
.RE
|
||||
.IP "11." 4
|
||||
.IP "12." 4
|
||||
IP protocol
|
||||
.RS 4
|
||||
\%http://www.rfc-editor.org/rfc/rfc791.txt
|
||||
.RE
|
||||
.IP "12." 4
|
||||
.IP "13." 4
|
||||
Nmap::Scanner
|
||||
.RS 4
|
||||
\%http://sourceforge.net/projects/nmap-scanner/
|
||||
.RE
|
||||
.IP "13." 4
|
||||
.IP "14." 4
|
||||
Nmap::Parser
|
||||
.RS 4
|
||||
\%http://nmapparser.wordpress.com/
|
||||
.RE
|
||||
.IP "14." 4
|
||||
.IP "15." 4
|
||||
listed at Wikipedia
|
||||
.RS 4
|
||||
\%http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
|
||||
.RE
|
||||
.IP "15." 4
|
||||
.IP "16." 4
|
||||
Creative Commons Attribution License
|
||||
.RS 4
|
||||
\%http://creativecommons.org/licenses/by/2.5/
|
||||
.RE
|
||||
.IP "16." 4
|
||||
.IP "17." 4
|
||||
Apache Software Foundation
|
||||
.RS 4
|
||||
\%http://www.apache.org
|
||||
.RE
|
||||
.IP "17." 4
|
||||
.IP "18." 4
|
||||
Libpcap portable packet capture library
|
||||
.RS 4
|
||||
\%http://www.tcpdump.org
|
||||
.RE
|
||||
.IP "18." 4
|
||||
.IP "19." 4
|
||||
WinPcap library
|
||||
.RS 4
|
||||
\%http://www.winpcap.org
|
||||
.RE
|
||||
.IP "19." 4
|
||||
.IP "20." 4
|
||||
PCRE library
|
||||
.RS 4
|
||||
\%http://www.pcre.org
|
||||
.RE
|
||||
.IP "20." 4
|
||||
.IP "21." 4
|
||||
Libdnet
|
||||
.RS 4
|
||||
\%http://libdnet.sourceforge.net
|
||||
.RE
|
||||
.IP "21." 4
|
||||
.IP "22." 4
|
||||
OpenSSL cryptography toolkit
|
||||
.RS 4
|
||||
\%http://www.openssl.org
|
||||
.RE
|
||||
.IP "22." 4
|
||||
.IP "23." 4
|
||||
Lua programming language
|
||||
.RS 4
|
||||
\%http://www.lua.org
|
||||
.RE
|
||||
.IP "23." 4
|
||||
.IP "24." 4
|
||||
Export Administration Regulations (EAR)
|
||||
.RS 4
|
||||
\%http://www.access.gpo.gov/bis/ear/ear_data.html
|
||||
.RE
|
||||
.IP "24." 4
|
||||
.IP "25." 4
|
||||
5D002
|
||||
.RS 4
|
||||
\%http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf
|
||||
.RE
|
||||
.IP "25." 4
|
||||
.IP "26." 4
|
||||
EAR 740.13(e)
|
||||
.RS 4
|
||||
\%http://www.access.gpo.gov/bis/ear/pdf/740.pdf
|
||||
|
||||
Reference in New Issue
Block a user