diff --git a/CHANGELOG b/CHANGELOG
index 1362d40f9..a3679881d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,8 +2,13 @@
 
 4.22SOC1
 
-o Upgraded from WinPcap 4.0 to WinPcap 4.01 and fixed a versioning
-  error [Eddie]
+o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
+  release) with the Nmap tarball distribution.  It isn't yet in the
+  RPMs or the Windows distributions.  UMIT is written with Python/GTK
+  and has many huge advantages over NmapFE.  It installs from the Nmap
+  source tarballs as part of the "make install" process unless you
+  specify --without-umit to configure.  Please give UMIT a try (the
+  executable is named umit) and let us know the results!
 
 o The port selection mechanism was overhauled.  Nmap now knows
   (roughly) how common various services are, so you can specify
@@ -62,7 +67,8 @@ o The build dependencies were dramatically reduced by removing
   This should make Nmap compilation faster and prevent some
   portability problems. [David Fifield]
 
-o Upgraded from WinPcap 3.1 to WinPcap 4.0 [Eddie]
+o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a pcap installer
+  error. [Eddie]
 
 o In verbose mode, Nmap now reports where it obtains data files (such as
   nmap-services) from. [David Fifield]
@@ -112,6 +118,8 @@ o A number of changes were made to the Windows build system to handle
   version numbers, publisher field, add/remove program support,
   etc. [Eddie]
 
+o The Nmap -A option now enables the traceroute option too [Eddie]
+
 o Improved how the Gen1 OS Detection system selects which UDP ports to
   send probes to.  [Kris]
 
diff --git a/Makefile.in b/Makefile.in
index 1c5b7af33..59ede246b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -53,6 +53,7 @@ TARGET = nmap
 TARGETNMAPFE=@TARGETNMAPFE@
 INSTALLNMAPFE=@INSTALLNMAPFE@
 INSTALLNSE=@INSTALLNSE@
+INSTALLUMIT=@INSTALLUMIT@
 
 ifneq (@LIBLUA_LIBS@,)
 NSE_SRC=nse_main.cc nse_auxiliar.cc nse_nsock.cc nse_init.cc nse_nmaplib.cc nse_debug.cc nse_pcrelib.cc nse_string.cc 
@@ -103,7 +104,7 @@ $(NSOCKDIR)/src/libnsock.a: $(NSOCKDIR)/src/Makefile FORCE
 	cd $(NSOCKDIR)/src && $(MAKE)
 
 $(LIBLUADIR)/liblua.a: $(LIBLUADIR)/Makefile FORCE
-	@echo Compiling liblua; cd $(LIBLUADIR) && $(MAKE) @LUAFLAVOR@
+	@echo Compiling liblua; cd $(LIBLUADIR) && $(MAKE) liblua.a @LUAFLAGS@
 
 #$(LIBPCAPDIR)/Makefile:
 #	@echo Configuring libpcap; cd $(LIBPCAPDIR); ./configure
@@ -197,6 +198,9 @@ install-nmapfe: $(TARGETNMAPFE)
 	@echo "If the next command fails -- you cannot use the X front end"
 	-test -f nmapfe/nmapfe && $(INSTALL) -c -m 755 -s nmapfe/nmapfe $(DESTDIR)$(bindir)/nmapfe && rm -f $(DESTDIR)$(bindir)/xnmap && $(SHTOOL) mkln -f -s $(DESTDIR)$(bindir)/nmapfe $(DESTDIR)$(bindir)/xnmap && $(INSTALL) -c -m 644 nmapfe.desktop $(DESTDIR)$(deskdir)/nmapfe.desktop && $(INSTALL) -c -m 644 docs/nmapfe.1 $(DESTDIR)$(mandir)/man1/nmapfe.1 && $(INSTALL) -c -m 644 docs/xnmap.1 $(DESTDIR)$(mandir)/man1/xnmap.1
 
+install-umit: umit/setup.py
+	cd umit && python setup.py install --prefix $(DESTDIR)$(prefix)
+
 NSE_FILES = scripts/script.db scripts/*.nse
 NSE_LIB_FILES = nselib/*lua nselib/*so
 install-nse: $(TARGET)
@@ -205,7 +209,8 @@ install-nse: $(TARGET)
 	$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(nmapdatadir)/nselib
 	cp -f $(NSE_LIB_FILES) $(DESTDIR)$(nmapdatadir)/nselib
 
-install: install-nmap $(INSTALLNMAPFE) $(INSTALLNSE)
+install: install-nmap $(INSTALLNMAPFE) $(INSTALLNSE) $(INSTALLUMIT)
+	@echo "NMAP SUCCESSFULLY INSTALLED"
 
 uninstall:
 	rm -f $(bindir)/$(TARGET) $(bindir)/nmapfe $(bindir)/xnmap
diff --git a/configure b/configure
index d8b9270bb..c6bff21d8 100755
--- a/configure
+++ b/configure
@@ -673,12 +673,13 @@ host
 host_cpu
 host_vendor
 host_os
-LUAFLAVOR
+LUAFLAGS
 CPP
 GREP
 EGREP
 TARGETNMAPFE
 INSTALLNMAPFE
+INSTALLUMIT
 OPENSSL_LIBS
 PCAP_DEPENDS
 PCAP_CLEAN
@@ -1300,7 +1301,8 @@ Optional Packages:
   --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
   --with-localdirs        Explicitly ask compiler to use
                           /usr/local/{include,libs} if they exist
-  --without-nmapfe        skip nmapfe X-window GUI
+  --without-nmapfe        Skip nmapfe X-window GUI
+  --without-umit          Skip installation of the UMIT graphical frontend
   --with-openssl=DIR      Use optional openssl libs and includes from
                           DIR/lib/ and DIR/include/openssl/)
   --with-libpcap=DIR      Look for pcap in DIR/include and DIR/libs.
@@ -3408,14 +3410,14 @@ case "$host" in
 #define DEC 1
 _ACEOF
 
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-netbsd* | *-knetbsd*-gnu)
     cat >>confdefs.h <<\_ACEOF
 #define NETBSD 1
 _ACEOF
 
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-openbsd*)
@@ -3423,7 +3425,7 @@ _ACEOF
 #define OPENBSD 1
 _ACEOF
 
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-sgi-irix5*)
@@ -3433,8 +3435,8 @@ _ACEOF
 
     if test -z "$GCC"; then
       sgi_cc=yes
-	LUAFLAVOR=posix
     fi
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-sgi-irix6*)
     cat >>confdefs.h <<\_ACEOF
@@ -3444,7 +3446,7 @@ _ACEOF
     if test -z "$GCC"; then
       sgi_cc=yes
     fi
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-hpux*)
     cat >>confdefs.h <<\_ACEOF
@@ -3524,7 +3526,7 @@ _ACEOF
 
 fi
 
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.0*)
     cat >>confdefs.h <<\_ACEOF
@@ -3535,14 +3537,14 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.[1-9][0-9]*)
     cat >>confdefs.h <<\_ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.1*)
     cat >>confdefs.h <<\_ACEOF
@@ -3553,7 +3555,7 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.2*)
     cat >>confdefs.h <<\_ACEOF
@@ -3564,7 +3566,7 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.3*)
     cat >>confdefs.h <<\_ACEOF
@@ -3575,7 +3577,7 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.4*)
     cat >>confdefs.h <<\_ACEOF
@@ -3586,7 +3588,7 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.5.1)
     cat >>confdefs.h <<\_ACEOF
@@ -3597,14 +3599,14 @@ _ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris*)
     cat >>confdefs.h <<\_ACEOF
 #define SOLARIS 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-sunos4*)
     cat >>confdefs.h <<\_ACEOF
@@ -3615,7 +3617,7 @@ _ACEOF
 #define SPRINTF_RETURNS_STRING 1
 _ACEOF
 
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-linux*)
     linux=yes
@@ -3628,7 +3630,7 @@ _ACEOF
 _ACEOF
   # libpcap doesn't even LOOK at
                                      # the timeout you give it under Linux
-	LUAFLAVOR=linux
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
@@ -3636,7 +3638,7 @@ _ACEOF
 #define FREEBSD 1
 _ACEOF
 
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-bsdi*)
@@ -3645,7 +3647,7 @@ _ACEOF
 _ACEOF
 
 	LUAFLAVOR=bsd
-	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-apple-darwin*)
     macosx=yes
@@ -3654,10 +3656,10 @@ _ACEOF
 _ACEOF
 
     needs_cpp_precomp=yes
-	LUAFLAVOR=macosx
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_MACOSX\""
     ;;
   *)
-  	LUAFLAVOR=posix
+	LUAFLAGS=MYCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN"
 esac
 
 
@@ -5426,7 +5428,23 @@ fi
 
 
 
-# First we test whether they specified openssl desires explicitly
+# Do they want UMIT?
+INSTALLUMIT=install-umit
+
+# Check whether --with-umit was given.
+if test "${with_umit+set}" = set; then
+  withval=$with_umit;  case "$with_umit" in
+   no)
+    INSTALLUMIT=""
+    ;;
+   esac
+
+fi
+
+
+
+
+# We test whether they specified openssl desires explicitly
 use_openssl="yes"
 specialssldir=""
 
@@ -7067,6 +7085,7 @@ if test "${with_liblua+set}" = set; then
     LUA_DEPENDS="$LIBLUADIR/liblua.a"
     LUA_CLEAN="lua_clean"
     LUA_DIST_CLEAN="lua_dist_clean"
+	have_lua="yes"
 
   ;;
   no)
@@ -9593,12 +9612,13 @@ host!$host$ac_delim
 host_cpu!$host_cpu$ac_delim
 host_vendor!$host_vendor$ac_delim
 host_os!$host_os$ac_delim
-LUAFLAVOR!$LUAFLAVOR$ac_delim
+LUAFLAGS!$LUAFLAGS$ac_delim
 CPP!$CPP$ac_delim
 GREP!$GREP$ac_delim
 EGREP!$EGREP$ac_delim
 TARGETNMAPFE!$TARGETNMAPFE$ac_delim
 INSTALLNMAPFE!$INSTALLNMAPFE$ac_delim
+INSTALLUMIT!$INSTALLUMIT$ac_delim
 OPENSSL_LIBS!$OPENSSL_LIBS$ac_delim
 PCAP_DEPENDS!$PCAP_DEPENDS$ac_delim
 PCAP_CLEAN!$PCAP_CLEAN$ac_delim
@@ -9629,7 +9649,6 @@ NSOCKDIR!$NSOCKDIR$ac_delim
 LIBNSOCK_LIBS!$LIBNSOCK_LIBS$ac_delim
 GTK_CONFIG!$GTK_CONFIG$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
-LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -9668,6 +9687,50 @@ CEOF$ac_eof
 _ACEOF
 
 
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+  cat >conf$$subs.sed <<_ACEOF
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 1; then
+    break
+  elif $ac_last_try; then
+    { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+   { (exit 1); exit 1; }; }
+  else
+    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+  fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+  ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+  ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
+
 # VPATH may cause trouble with some makes, so we remove $(srcdir),
 # ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
 # trailing colons and then remove the whole line if VPATH becomes empty
@@ -9906,7 +9969,7 @@ s&@builddir@&$ac_builddir&;t t
 s&@abs_builddir@&$ac_abs_builddir&;t t
 s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
 $ac_datarootdir_hack
-" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed 's/|#_!!_#|//g' >$tmp/out
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out
 
 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
   { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
diff --git a/configure.ac b/configure.ac
index 9a1a5cdd2..345430b79 100644
--- a/configure.ac
+++ b/configure.ac
@@ -136,111 +136,111 @@ needs_cpp_precomp=no
 case "$host" in
   *alpha-dec-osf*)
     AC_DEFINE(DEC)
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-netbsd* | *-knetbsd*-gnu)
     AC_DEFINE(NETBSD)
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-openbsd*)
     AC_DEFINE(OPENBSD)
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-sgi-irix5*)
     AC_DEFINE(IRIX)
     if test -z "$GCC"; then
       sgi_cc=yes
-	LUAFLAVOR=posix
     fi
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-sgi-irix6*)
     AC_DEFINE(IRIX)
     if test -z "$GCC"; then
       sgi_cc=yes
     fi
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-hpux*)
     AC_DEFINE(HPUX)
     # To link with libnet and NM (/usr/lib/libnm.sl) library
     # on HP-UX 11.11 (other versions?) Mikhail Zakharov (zmey20000@yahoo.com)
     AC_CHECK_LIB(nm, open_mib)
-	LUAFLAVOR=posix
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.0*)  
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.[[1-9]][[0-9]]*)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.1*)
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.2*)
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.3*)
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.4*)
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris2.5.1)
     AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-solaris*)
     AC_DEFINE(SOLARIS)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-sunos4*)
     AC_DEFINE(SUNOS)
     AC_DEFINE(SPRINTF_RETURNS_STRING)
-	LUAFLAVOR=solaris
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-linux*)
     linux=yes
     AC_DEFINE(LINUX)
     AC_DEFINE(PCAP_TIMEOUT_IGNORED)  # libpcap doesn't even LOOK at
                                      # the timeout you give it under Linux
-	LUAFLAVOR=linux
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*)
     AC_DEFINE(FREEBSD)
-	LUAFLAVOR=bsd
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
 	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
     ;;
   *-bsdi*)
     AC_DEFINE(BSDI)
 	LUAFLAVOR=bsd
-	LDFLAGS="-Wl,-E $LDFLAGS" # needed for nse-C-module support
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_POSIX -DLUA_USE_DLOPEN\""
     ;;
   *-apple-darwin*)
     macosx=yes
     AC_DEFINE(MACOSX)
     needs_cpp_precomp=yes
-	LUAFLAVOR=macosx
+	LUAFLAGS="MYCFLAGS=\"-DLUA_USE_MACOSX\""
     ;;
   *)
-  	LUAFLAVOR=posix
+	LUAFLAGS=MYCFLAGS="-DLUA_USE_POSIX -DLUA_USE_DLOPEN"
 esac
 
-AC_SUBST(LUAFLAVOR)
+AC_SUBST(LUAFLAGS)
 AC_SEARCH_LIBS(dlopen, dl)
 
 dnl equiv to '#define inline' to 'inline', '__inline__', '__inline' or ''
@@ -300,7 +300,7 @@ test "${with_nmapfe+set}" != "set" && with_nmapfe=yes
  
 TARGETNMAPFE=nmapfe/nmapfe
 INSTALLNMAPFE=install-nmapfe
-AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [skip nmapfe X-window GUI]),
+AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [Skip nmapfe X-window GUI]),
  [  case "$with_nmapfe" in
   no)
     TARGETNMAPFE=""; INSTALLNMAPFE=""
@@ -310,7 +310,19 @@ AC_ARG_WITH(nmapfe, AC_HELP_STRING([--without-nmapfe], [skip nmapfe X-window GUI
 AC_SUBST(TARGETNMAPFE)
 AC_SUBST(INSTALLNMAPFE)
 
-# First we test whether they specified openssl desires explicitly
+# Do they want UMIT?
+INSTALLUMIT=install-umit
+AC_ARG_WITH(umit, AC_HELP_STRING([--without-umit], [Skip installation of the UMIT graphical frontend]),
+ [ case "$with_umit" in
+   no)
+    INSTALLUMIT=""
+    ;;
+   esac]
+)
+AC_SUBST(INSTALLUMIT)
+
+
+# We test whether they specified openssl desires explicitly
 use_openssl="yes"
 specialssldir=""
 
@@ -589,6 +601,7 @@ AC_HELP_STRING([--without-liblua], [Compile without lua (this will exclude all o
     LUA_DEPENDS="$LIBLUADIR/liblua.a"
     LUA_CLEAN="lua_clean"
     LUA_DIST_CLEAN="lua_dist_clean"
+	have_lua="yes"
 	
   ;;
   no)
diff --git a/docs/leet-nmap-ascii-art.txt b/docs/leet-nmap-ascii-art.txt
index 9781c76cd..7fefcea1f 100644
--- a/docs/leet-nmap-ascii-art.txt
+++ b/docs/leet-nmap-ascii-art.txt
@@ -12,5 +12,3 @@
     /  /  _/ /    +                                      /              \/
    '  (__/                                             /                  \
              NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
-              [ Sick of the Nmap dragon? Submit your art and tag ]
-              [ lines to nmap-dev@insecure.org for next release! ]
diff --git a/docs/nmap-fingerprinting-article.txt b/docs/nmap-fingerprinting-article.txt
deleted file mode 100644
index 086ff9475..000000000
--- a/docs/nmap-fingerprinting-article.txt
+++ /dev/null
@@ -1,620 +0,0 @@
-[ NOTE -- A more up-to-date version of this paper and translations to
-  many other languages are available from
-  http://www.insecure.org/nmap/nmap-fingerprinting-article.html ]
-
-	 Remote OS detection via TCP/IP Stack FingerPrinting
-	    by Fyodor <fyodor@insecure.org> (www.insecure.org)
-			   October 18, 1998
-
-
-ABSTRACT
-
-This paper discusses how to glean precious information about a host by
-querying its TCP/IP stack.  I first present some of the "classical"
-methods of determining host OS which do not involve stack
-fingerprinting.  Then I describe the current "state of the art" in
-stack fingerprinting tools.  Next comes a description of many
-techniques for causing the remote host to leak information about
-itself.  Finally I detail my (nmap) implementation of this, followed
-by a snapshot gained from nmap which discloses what OS is running on
-many popular Internet sites.
-
-
-REASONS
-
-I think the usefulness of determining what OS a system is running is
-pretty obvious, so I'll make this section short.  One of the strongest
-examples of this usefulness is that many security holes are dependent
-on OS version.  Lets say you are doing a penetration test and you find
-port 53 open.  If this is a vulnerable version of Bind, you only get
-one chance to exploit it since a failed attempt will crash the daemon.
-With a good TCP/IP fingerprinter, you will quickly find that this
-machine is running 'Solaris 2.51' or 'Linux 2.0.35' and you can adjust
-your shellcode accordingly.
-
-A worse possibility is someone scanning 500,000 hosts in advance to
-see what OS is running and what ports are open.  Then when someone
-posts (say) a root hole in Sun's comsat daemon, our little cracker
-could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately
-has pages and pages of rootable boxes.  It should be noted that this
-is SCRIPT KIDDIE behavior.  You have demonstrated no skill and nobody
-is even remotely impressed that you were able to find some vulnerable
-.edu that had not patched the hole in time.  Also, people will be even
-_less_ impressed if you use your newfound access to deface the
-department's web site with a self-aggrandizing rant about how damn
-good you are and how stupid the sysadmins must be.
-
-Another possible use is for social engineering.  Lets say that you are
-scanning your target company and nmap reports a 'Datavoice TxPORT
-PRISM 3000 T1 CSU/DSU 6.22/2.06'.  The hacker might now call up as
-'Datavoice support' and discuss some issues about their PRISM 3000.
-"We are going to announce a security hole soon, but first we want all
-our current customers to install the patch -- I just mailed it to you
-..."  Some naive administrators might assume that only an authorized
-engineer from Datavoice would know so much about their CSU/DSU.
-
-Another potential use of this capability is evaluation of companies
-you may want to do business with.  Before you choose a new ISP, scan
-them and see what equipment is in use.  Those "$99/year" deals don't
-sound nearly so good when you find out they have crappy routers and
-offer PPP services off a bunch of Windows boxes.
-
-
-CLASSICAL TECHNIQUES
-
-Stack fingerprinting solves the problem of OS identification in a
-unique way.  I think this technique holds the most promise, but there
-are currently many other solutions.  Sadly, this is still one the most
-effective of those techniques:
-
-playground~> telnet hpux.u-aizu.ac.jp
-Trying 163.143.103.12...
-Connected to hpux.u-aizu.ac.jp.
-Escape character is '^]'.
-
-HP-UX hpux B.10.01 A 9000/715 (ttyp2)
-
-login: 
-
-There is no point going to all this trouble of fingerprinting if the
-machine will blatantly announce to the world exactly what it is
-running!  Sadly, many vendors ship _current_ systems with these kind
-of banners and many admins do not turn them off.  Just because there
-are other ways to figure out what OS is running (such as
-fingerprinting), does not mean we should just announce our OS and
-architecture to every schmuck who tries to connect.
-
-The problems with relying on this technique are that an increasing
-number of people are turning banners off, many systems don't give much
-information, and it is trivial for someone to "lie" in their banners.
-Nevertheless, banner reading is all you get for OS and OS Version
-checking if you spend $thousands on the commercial ISS scanner.
-Download nmap or queso instead and save your money :).
-
-Even if you turn off the banners, many applications will happily give
-away this kind of information when asked.  For example lets look at an
-FTP server:
-
-payfonez> telnet ftp.netscape.com 21
-Trying 207.200.74.26...
-Connected to ftp.netscape.com.
-Escape character is '^]'.
-220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
-SYST
-215 UNIX Type: L8 Version: SUNOS
-
-First of all, it gives us system details in its default banner.  Then
-if we give the 'SYST' command it happily feeds back even more information.
-
-If anon FTP is supported, we can often download /bin/ls or other
-binaries and determine what architecture it was built for.
-
-Many other applications are too free with information.  Take web
-servers for example:
-
-playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:' 
-Server: Microsoft-IIS/4.0
-playground>
-
-Hmmm ... I wonder what OS those lamers are running.
-
-Other classic techniques include DNS host info records (rarely
-effective) and social engineering.  If the machine is listening on
-161/udp (snmp), you are almost guaranteed a bunch of detailed info
-using 'snmpwalk' from the CMU SNMP tools distribution and the 'public'
-community name.
-
-
-CURRENT FINGERPRINTING PROGRAMS
-
-
-Nmap is not the first OS recognition program to use TCP/IP
-fingerprinting.  The common IRC spoofer sirc by Johan has included
-very rudimentary fingerprinting techniques since version 3 (or
-earlier).  It attempts to place a host in the classes "Linux",
-"4.4BSD", "Win95", or "Unknown" using a few simple TCP flag tests.
-
-Another such program is checkos, released publicly in January of this
-year by Shok in Confidence Remains High Issue #7.
-The fingerprinting techniques are exactly the same as SIRC, and even
-the _code_ is identical in many places.  Checkos was privately
-available for a long time prior to the public release, so I have no
-idea who swiped code from whom.  But neither seems to credit the
-other.  One thing checkos does add is telnet banner checking, which is
-useful but has the problems described earlier.  [ Update:  Shok wrote in
-to say that chekos was never intended to be public and this is why he 
-didn't bother to credit SIRC for some of the code. ]
-
-Su1d also wrote an OS checking program.  His is called SS and as of
-Version 3.11 it can identify 12 different OS types.  I am somewhat
-partial to this one since he credits my nmap program for some of the
-networking code :).
-
-Then there is queso.  This program is the newest and it is a huge leap
-forward from the other programs.  Not only do they introduce a couple
-new tests, but they were the first (that I have seen) to move the
-OS fingerprints _out_ of the code.  The other scanners included code like:
-
-/* from ss */
-if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) && 
-   (flagsthree & TH_ACK))
-       reportos(argv[2],argv[3],"Livingston Portmaster ComOS");
-
-Instead, queso moves this into a configuration file which obviously
-scales much better and makes adding an OS as easy as appending a few
-lines to a fingerprint file.
-
-Queso was written by Savage, one of the fine folks at Apostols.org .
-
-One problem with all the programs describe above is that they are very
-limited in the number of fingerprinting tests which limits the
-granularity of answers.  I want to know more than just 'this machine
-is OpenBSD, FreeBSD, or NetBSD', I wish to know exactly which of those
-it is as well as some idea of the release version number.  In the same
-way, I would rather see 'Solaris 2.6' than simply 'Solaris'.  To
-achieve this response granularity, I worked on a number of
-fingerprinting techniques which are described in the next section.
-
-FINGERPRINTING METHODOLOGY
-
-There are many, many techniques which can be used to fingerprint
-networking stacks.  Basically, you just look for things that differ
-among operating systems and write a probe for the difference.  If you
-combine enough of these, you can narrow down the OS very tightly.  For
-example nmap can reliably distinguish Solaris 2.4 vs. Solaris 2.5-2.51
-vs Solaris 2.6.  It can also tell Linux kernel 2.0.30 from 2.0.31-34
-or 2.0.35.  Here are some techniques:
-
-The FIN probe -- Here we send a FIN packet (or any packet without an
-    ACK or SYN flag) to an open port and wait for a response.  The
-    correct RFC793 behavior is to NOT respond, but many broken
-    implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and
-    IRIX send a RESET back.  Most current tools utilize this
-    technique.
-
-The BOGUS flag probe -- Queso is the first scanner I have seen to use
-    this clever test.  The idea is to set an undefined TCP "flag" ( 64
-    or 128) in the TCP header of a SYN packet.  Linux boxes prior to
-    2.0.35 keep the flag set in their response.  I have not found any
-    other OS to have this bug.  However, some operating systems seem
-    to reset the connection when they get a SYN+BOGUS packet.  This 
-    behavior could be useful in identifying them.
-			
-TCP ISN Sampling -- The idea here is to find patterns in the initial
-    sequence numbers chosen by TCP implementations when responding to
-    a connection request.  These can be categorized in to many groups
-    such as the traditional 64K (many old UNIX boxes), Random
-    increments (newer versions of Solaris, IRIX, FreeBSD, Digital
-    UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
-    newer AIX, etc).  Windows boxes (and a few others) use a "time
-    dependent" model where the ISN is incremented by a small fixed
-    amount each time period.  Needless to say, this is almost as
-    easily defeated as the old 64K behavior.  Of course my favorite
-    technique is "constant".  The machines ALWAYS use the exact same
-    ISN :).  I've seen this on some 3Com hubs (uses 0x803) and Apple
-    LaserWriter printers (uses 0xC7001).
-
-    You can also subclass groups such as random incremental by
-    computing variances, greatest common divisors, and other functions
-    on the set of sequence numbers and the differences between the
-    numbers.
-
-    It should be noted that ISN generation has important security
-    implications.  For more information on this, contact "security
-    expert" Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was
-    owned.  Nmap is the first program I have seen to use this for OS
-    identification.
-
-Don't Fragment bit -- Many operating systems are starting to set the
-    IP "Don't Fragment" bit on some of the packets they send.  This
-    gives various performance benefits (though it can also be annoying
-    -- this is why nmap fragmentation scans do not work from Solaris
-    boxes).  In any case, not all OS's do this and some do it in
-    different cases, so by paying attention to this bit we can glean
-    even more information about the target OS.  I haven't seen this
-    one before either.
-
-TCP Initial Window -- This simply involves checking the window size on
-    returned packets.  Older scanners simply used a non-zero window on
-    a RST packet to mean "BSD 4.4 derived".  Newer scanners such as
-    queso and nmap keep track of the exact window since it is actually
-    pretty constant by OS type.  This test actually gives us a lot of
-    information, since some operating systems can be uniquely
-    identified by the window alone (for example, AIX is the only OS I
-    have seen which uses 0x3F25).  In their "completely rewritten"
-    TCP stack for NT5, Microsoft uses 0x402E.  Interestingly, that is
-    exactly the number used by OpenBSD and FreeBSD.
-
-ACK Value -- Although you would think this would be completely
-    standard, implementations differ in what value they use for the
-    ACK field in some cases.  For example, lets say you send a
-    FIN|PSH|URG to a closed TCP port.  Most implementations will set
-    the ACK to be the same as your initial sequence number, though
-    Windows and some stupid printers will send your seq + 1.  If you
-    send a SYN|FIN|URG|PSH to an open port, Windows is very
-    inconsistent.  Sometimes it sends back your seq, other times it
-    sends S++, and still other times is sends back a seemingly random
-    value.  One has to wonder what kind of code MS is writing that
-    changes its mind like this.
-
-ICMP Error Message Quenching -- Some (smart) operating systems follow
-    the RFC 1812 suggestion to limit the rate at which various error
-    messages are sent.  For example, the Linux kernel (in
-    net/ipv4/icmp.h) limits destination unreachable message generation
-    to 80 per 4 seconds, with a 1/4 second penalty if that is
-    exceeded.  One way to test this is to send a bunch of packets to
-    some random high UDP port and count the number of unreachables
-    received.  I have not seen this used before, and in fact I have
-    not added this to nmap (except for use in UDP port scanning).
-    This test would make the OS detection take a bit longer since you
-    need to send a bunch of packets and wait for them to return.  Also
-    dealing with the possibility of packets dropped on the network
-    would be a pain.
-
-ICMP Message Quoting -- The RFCs specify that ICMP error messages
-    quote some small amount of an ICMP message that causes various
-    errors.  For a port unreachable message, almost all
-    implementations send only the required IP header + 8 bytes back.
-    However, Solaris sends back a bit more and Linux sends back even
-    more than that.  The beauty with this is it allows nmap to
-    recognize Linux and Solaris hosts even if they don't have any
-    ports listening.
-
-ICMP Error message echoing integrity -- I got this idea from something
-   Theo De Raadt (lead OpenBSD developer) posted to
-   comp.security.unix.  As mentioned before, machines have to send
-   back part of your original message along with a port unreachable
-   error.  Yet some machines tend to use your headers as 'scratch
-   space' during initial processing and so they are a bit warped by
-   the time you get them back.  For example, AIX and BSDI send back an
-   IP 'total length' field that is 20 bytes too high.  Some BSDI,
-   FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent
-   them.  While the checksum is going to change due to the changed
-   TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send
-   back an inconsistent or 0 checksum.  Same thing goes with the UDP
-   checksum.  All in all, nmap does nine different tests on the ICMP
-   errors to sniff out subtle differences like these.
-
-Type of Service -- For the ICMP port unreachable messages I look at
-   the type of service (TOS) value of the packet sent back.  Almost
-   all implementations use 0 for this ICMP error although Linux uses
-   0xC0.  This does not indicate one of the standard TOS values, but instead is
-   part of the unused (AFAIK) precedence field.  I do not know why
-   this is set, but if they change to 0 we will be able to keep
-   identifying the old versions _and_ we will be able to identify
-   between old and new.
-
-Fragmentation Handling -- This is a favorite technique of Thomas
-   H. Ptacek of Secure Networks, Inc (now owned by a bunch of Windows
-   users at NAI).  This takes advantage of the fact that different
-   implementations often handle overlapping IP fragments differently.
-   Some will overwrite the old portions with the new, and in other
-   cases the old stuff has precedence.  There are many different
-   probes you can use to determine how the packet was reassembled.  I
-   did not add this capability since I know of no portable way to send
-   IP fragments (in particular, it is a bitch on Solaris).  For more
-   information on overlapping fragments, you can read their IDS paper
-   (www.secnet.com).
-
-TCP Options -- These are truly a gold mine in terms of leaking
-    information.  The beauty of these options is that:
-    1) They are generally optional (duh!) :) so not all hosts implement
-       them.
-    2) You know if a host implements them by sending a query with an
-       option set. The target generally show support of the option by
-       setting it on the reply.
-    3) You can stuff a whole bunch of options on one packet to test
-       everything at once.
-    
-    Nmap sends these options along with almost every probe packet: 
-
-    Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;
-
-    When you get your response, you take a look at which options were
-    returned and thus are supported.  Some operating systems such as
-    recent FreeBSD boxes support all of the above, while others, such
-    as Linux 2.0.X support very few.  The latest Linux 2.1.x kernels
-    do support all of the above.  On the other hand, they are more
-    vulnerable to TCP sequence prediction.  Go figure.
-
-    Even if several operating systems support the same set of options,
-    you can sometimes distinguish them by the _values_ of the options.
-    For example, if you send a small MSS value to a Linux box, it will
-    generally echo that MSS back to you.  Other hosts will give you
-    different values.
-
-    And even if you get the same set of supported options AND the same
-    values, you can still differentiate via the _order_ that the
-    options are given, and where padding is applied.  For example
-    Solaris returns 'NNTNWME' which means:
-    <no op><no op><timestamp><no op><window scale><echoed MSS>
-
-    While Linux 2.1.122 returns MENNTNW.  Same options, same values,
-    but different order!
-
-    I have not seen any other OS detection tools utilizes TCP options,
-    but it is very useful.
-
-    There are a few other useful options I might probe for at some
-    point, such as those that support T/TCP and selective
-    acknowledgements.
-
-
-Exploit Chronology -- Even with all the tests above, nmap is unable to
-    distinguish between the TCP stacks of Win95, WinNT, or Win98.
-    This is rather surprising, especially since Win98 came out about 4
-    years after Win95.  You would think they would have bothered to
-    improve the stack in some way (like supporting more TCP options)
-    and so we would be able to detect the change and distinguish the
-    operating systems.  Unfortunately, this is not the case.  The NT
-    stack is apparently the same crappy stack they put into '95.  And
-    they didn't bother to upgrade it for '98.
-
-    But do not give up hope, for there is a solution.  You can simply
-    start with early Windows DOS attacks (Ping of Death, Winnuke, etc)
-    and move up a little further to attacks such as Teardrop and Land.
-    After each attack, ping them to see whether they have crashed.
-    When you finally crash them, you will likely have narrowed what
-    they are running down to one service pack or hotfix.
-
-    I have not added this functionality to nmap, although I must admit
-    it is very tempting :).
-
-
-SYN Flood Resistance -- Some operating systems will stop accepting new
-    connections if you send too many forged SYN packets at them
-    (forging the packets avoids trouble with your kernel resetting the
-    connections).  Many operating systems can only handle 8 packets.
-    Recent Linux kernels (among other operating systems) allow
-    various methods such as SYN cookies to prevent this from being a
-    serious problem.  Thus you can learn something about your target
-    OS by sending 8 packets from a forged source to an open port and
-    then testing whether you can establish a connection to that port
-    yourself.  This was not implemented in nmap since some people get
-    upset when you SYN flood them.  Even explaining that you were
-    simply trying to determine what OS they are running might not help
-    calm them.
-
-NMAP IMPLEMENTATION AND RESULTS
-
-I have created a reference implementation of the OS detection
-techniques mentioned above (except those I said were excluded).  I
-have added this to my Nmap scanner which has the advantage that it
-already _knows_ what ports are open and closed for fingerprinting so
-you do not have to tell it.  It is also portable among Linux, *BSD,
-and Solaris 2.51 and 2.6, and some other operating systems.
-
-The new version of nmap reads a file filled with Fingerprint templates
-that follow a simple grammar.  Here is an example:
-
-FingerPrint  IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
-TSeq(Class=i800)
-T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
-T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
-T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
-T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
-T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
-T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
-T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
-PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
-
-Lets look at the first line (I'm adding '>' quote markers):
-
-> FingerPrint  IRIX 6.2 - 6.3 # Thanks to Lamont Granquist
-
-This simply says that the fingerprint covers IRIX versions 6.2 through
-6.3 and the comment states that Lamont Granquist kindly sent me the IP
-addresses or fingerprints of the IRIX boxes tested.
-
-> TSeq(Class=i800)
-
-This means that ISN sampling put it in the "i800 class".  This means
-that each new sequence number is a multiple of 800 greater than the
-last one.
-
-> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
-
-The test is named T1 (for test1, clever eh?).  In this test we send a
-SYN packet with a bunch of TCP options to an open port.  DF=N means
-that the "Don't fragment" bit of the response must not be set.
-W=C000|EF2A means that the window advertisement we received must
-be 0xC000 or EF2A.  ACK=S++ means the acknowledgement we receive must
-be our initial sequence number plus 1.  Flags = AS means the ACK and
-SYN flags were sent in the response.  Ops = MNWNNT means the options
-in the response must be (in this order):
-
-<MSS (not echoed)><NOP><Window scale><NOP><NOP><Timestamp>
-
-> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
-
-Test 2 involves a NULL with the same options to an open port.  Resp=Y
-means we must get a response.  Ops= means that there must not be any
-options included in the response packet.  If we took out '%Ops='
-entirely then any options sent would match.
-
-> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)
-
-Test 3 is a SYN|FIN|URG|PSH w/options to an open port.
-
-> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
-
-This is an ACK to an open port.  Note that we do not have a Resp=
-here.  This means that lack of a response (such as the packet being
-dropped on the network or an evil firewall) will not disqualify a
-match as long as all the other tests match.  We do this because
-virtually any OS will send a response, so a lack of response is
-generally an attribute of the network conditions and not the OS
-itself.  We put the Resp tag in tests 2 and 3 because some operating
-systems _do_ drop those without responding.
-
-> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
-> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
-> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
-
-These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed
-port.  The same options as always are set.  Of course this is all
-probably obvious given the descriptive names 'T5', 'T6', and 'T7' :).
-
-> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
-
-This big sucker is the 'port unreachable' message test.  You should
-recognize the DF=N by now.  TOS=0 means that IP type of service field
-was 0.  The next two fields give the (hex) values of the IP total
-length field of the message IP header and the total length given in
-the IP header they are echoing back to us.  RID=E means the RID value
-we got back in the copy of our original UDP packet was expected (ie
-the same as we sent).  RIPCK=E means they didn't fuck up the checksum
-(if they did, it would say RIPCK=F).  UCK=E means the UDP checksum is
-also correct.  Next comes the UDP length which was 0x134 and DAT=E
-means they echoed our UDP data correctly.  Since most implementations
-(including this one) do not send any of our UDP data back, they get
-DAT=E by default.
-
-The version of nmap with this functionality is currently in the 6th
-private beta cycle.  It may be out by the time you read this in
-Phrack.  Then again, it might not.  See http://www.insecure.org/nmap/
-for the latest version.
-
-POPULAR SITE SNAPSHOTS
-
-Here is the fun result of all our effort.  We can now take random
-Internet sites and determine what OS they are using.  A lot of these
-people have eliminated telnet banners, etc. to keep this information
-private.  But this is of no use with our new fingerprinter!  Also
-this is a good way to expose the <your favorite crap OS> users as the
-lamers that they are :)!
-
-The command used in these examples was: nmap -sS -p 80 -O -v <host>
-
-Also note that most of these scans were done on 10/18/98.  Some of
-these folks may have upgraded/changed servers since then.
-
-Note that I do not like every site on here.  
-
-# "Hacker" sites or (in a couple cases) sites that think they are
-www.l0pht.com        => OpenBSD 2.2 - 2.4
-www.insecure.org     => Linux 2.0.31-34
-www.rhino9.ml.org    => Windows 95/NT     # No comment :)
-www.technotronic.com => Linux 2.0.31-34
-www.nmrc.org         => FreeBSD 2.2.6 - 3.0
-www.cultdeadcow.com  => OpenBSD 2.2 - 2.4
-www.kevinmitnick.com => Linux 2.0.31-34  # Free Kevin!
-www.2600.com         => FreeBSD 2.2.6 - 3.0 Beta
-www.antionline.com   => FreeBSD 2.2.6 - 3.0 Beta
-www.rootshell.com    => Linux 2.0.35  # Changed to OpenBSD after
-                                      # they got owned.
-
-# Security vendors, consultants, etc.
-www.repsec.com       => Linux 2.0.35
-www.iss.net          => Linux 2.0.31-34
-www.checkpoint.com   => Solaris 2.5 - 2.51
-www.infowar.com      => Win95/NT
-
-# Vendor loyalty to their OS
-www.li.org           => Linux 2.0.35 # Linux International
-www.redhat.com       => Linux 2.0.31-34 # I wonder what distribution :)
-www.debian.org       => Linux 2.0.35
-www.linux.org        => Linux 2.1.122 - 2.1.126
-www.sgi.com          => IRIX 6.2 - 6.4
-www.netbsd.org       => NetBSD 1.3X
-www.openbsd.org      => Solaris 2.6     # Ahem :)
-www.freebsd.org      => FreeBSD 2.2.6-3.0 Beta
-
-# Ivy league
-www.harvard.edu      => Solaris 2.6
-www.yale.edu         => Solaris 2.5 - 2.51
-www.caltech.edu      => SunOS 4.1.2-4.1.4  # Hello! This is the 90's :)   
-www.stanford.edu     => Solaris 2.6
-www.mit.edu          => Solaris 2.5 - 2.51 # Coincidence that so many good
-                                           # schools seem to like Sun?
-                                           # Perhaps it is the 40%
-                                           # .edu discount :)
-www.berkeley.edu     => UNIX OSF1 V 4.0,4.0B,4.0D  
-www.oxford.edu       => Linux 2.0.33-34  # Rock on!
-
-# Lamer sites
-www.aol.com          => IRIX 6.2 - 6.4  # No wonder they are so insecure :)
-www.happyhacker.org  => OpenBSD 2.2-2.4 # Sick of being owned, Carolyn?
-                                        # Even the most secure OS is
-                                        # useless in the hands of an
-                                        # incompetent admin.
-
-# Misc
-www.lwn.net          => Linux 2.0.31-34 # This Linux news site rocks!
-www.slashdot.org     => Linux 2.1.122 - 2.1.126
-www.whitehouse.gov   => IRIX 5.3
-sunsite.unc.edu      => Solaris 2.6
-
-Notes: In their security white paper, Microsoft said about their lax
-security: "this assumption has changed over the years as Windows NT
-gains popularity largely because of its security features.".  Hmm,
-from where I stand it doesn't look like Windows is very popular among
-the security community :).  I only see 2 Windows boxes from the whole
-group, and Windows is _easy_ for nmap to distinguish since it is so
-broken (standards wise).
-
-And of course, there is one more site we must check.  This is the web
-site of the ultra-secret Transmeta corporation.  Interestingly the
-company was funded largely by Paul Allen of Microsoft, but it employs
-Linus Torvalds.  So do they stick with Paul and run NT or do they side
-with the rebels and join the Linux revolution?  Let us see:
-
-We use the command:
-nmap -sS -F -o transmeta.log -v -O www.transmeta.com/24
-
-This says SYN scan for known ports (from /etc/services), log the
-results to 'transmeta.log', be verbose about it, do an OS scan, and
-scan the class 'C' where www.transmeta.com resides.  Here is the gist
-of the results:
-
-neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
-www.transmeta.com (206.184.214.11) => Linux 2.0.30
-neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
-ssl.transmeta.com (206.184.214.15) => Linux unknown version
-linux.kernel.org (206.184.214.34) => Linux 2.0.35
-www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same
-                                      machine as above )
-
-Well, I think this answers our question pretty clearly :).
-
-
-ACKNOWLEDGEMENTS
-
-The only reason Nmap is currently able to detect so many different
-operating systems is that many people on the private beta team went to
-a lot of effort to search out new and exciting boxes to fingerprint!
-In particular, Jan Koum, van Hauser, Dmess0r, David O'Brien, James
-W. Abendschan, Solar Designer, Chris Wilson, Stuart Stock, Mea Culpa,
-Lamont Granquist, Dr. Who, Jordan Ritter, Brett Eldridge, and Pluvius
-sent in tons of IP addresses of wacky boxes and/or fingerprints of
-machines not reachable through the Internet.
-
-Thanks to Richard Stallman for writing GNU Emacs.  This article would
-not be so well word-wrapped if I was using vi or cat and ^D.
-
-Questions and comments can be sent to fyodor@insecure.org (if that doesn't
-work for some reason, use fyodor@insecure.org).  Nmap can be obtained
-from http://www.insecure.org/nmap .
-
-
-
diff --git a/docs/nmap.1 b/docs/nmap.1
index e948fe859..df46d524f 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "07/04/2007" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "07/07/2007" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -40,9 +40,9 @@ In addition to the interesting ports table, Nmap can provide further information
 .PP
 A typical Nmap scan is shown in
 Example\ 14.1, \(lqA representative Nmap scan\(rq. The only Nmap arguments used in this example are
-\fB\-A\fR, to enable OS and version detection,
+\fB\-A\fR, to enable OS and version detection, script scanning, and traceroute;
 \fB\-T4\fR
-for faster execution, and then the two target hostnames.
+for faster execution; and then the two target hostnames.
 Example\ 14.1.\ A representative Nmap scan.sp
 .nf
 # nmap \-A \-T4 scanme.nmap.org playground
@@ -118,7 +118,6 @@ SCAN TECHNIQUES:
   \-sO: IP protocol scan
   \-b <ftp relay host>: FTP bounce scan
   \-\-traceroute: Trace hop path to each host
-  \-\-reason: Display the reason a port is in a particular state
 PORT SPECIFICATION AND SCAN ORDER:
   \-p <port ranges>: Only scan specified ports
     Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
@@ -180,7 +179,7 @@ OUTPUT:
   \-\-no\-stylesheet: Prevent associating of XSL stylesheet w/XML output
 MISC:
   \-6: Enable IPv6 scanning
-  \-A: Enables OS detection, Version detection, Script scanning and Traceroute
+  \-A: Enables OS detection and Version detection
   \-\-datadir <dirname>: Specify custom Nmap data file location
   \-\-send\-eth/\-\-send\-ip: Send using raw ethernet frames or IP packets
   \-\-privileged: Assume that the user is fully privileged
@@ -383,7 +382,7 @@ Traceroutes are performed post\-scan using information from the scan results to
 Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to illicit ICMP TTL_EXCCEDED messages from intermediate hops between the scanner and the target host. Standard traceroute implementation start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches 0. Doing it backwards lets nmap employ clever caching algorithms to speed up traces over multiple hosts. On average nmap sends 5\-10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) nmap may only have to send a single packet to most hosts.
 .TP
 \fB\-\-reason\fR (Host and port state reasons)
-Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\-sS and -PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\-d\fR) and the results are stored in XML log files even if this option is not specified.
+Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\\\-sS and \-PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\\\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\\\-d\fR) and the results are stored in XML log files even if this option is not specified.
 .TP
 \fB\-n\fR (No DNS resolution)
 Tells Nmap to
@@ -664,6 +663,15 @@ and at least one TCP scan type (such as
 \fB\-sS\fR,
 \fB\-sF\fR, or
 \fB\-sT\fR). If no protocol qualifier is given, the port numbers are added to all protocol lists.
+Ports can also be specified by name according to what the port is referred to in the
+\fInmap\-services\fR. You can even use the wildcards * and ? with the names. For example, to scan ftp and all ports whose names begin with http, use
+\fB\-p ftp,http*\fR. Be careful about shell expansions and quote the argument to \-p if unsure.
+.sp
+Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
+\fInmap\-services\fR. For example, the following will scan all ports in
+\fInmap\-services\fR
+equal to or below 1024:
+\fB\-p [\-1024]\fR. Be careful with shell expansions and quote the argument to \-p if unsure.
 .TP
 \fB\-F\fR (Fast (limited port) scan)
 Specifies that you only wish to scan for ports listed in the
@@ -681,6 +689,20 @@ options.
 By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify
 \fB\-r\fR
 for sequential port scanning instead.
+.TP
+\fB\-\-port\-ratio <decimal number between 0 and 1>\fR
+Scans all ports in
+\fInmap\-services\fR
+file with a ratio greater than the number specified as the argument. (new format
+\fInmap\-services\fR
+only.)
+.TP
+\fB\-\-top\-ports <integer of 1 or greater>\fR
+Scans the N highest\-ratio ports found in
+\fInmap\-services\fR
+file. (new format
+\fInmap\-services\fR
+only.)
 .SH "SERVICE AND VERSION DETECTION"
 .PP
 Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its
@@ -706,8 +728,7 @@ Version detection is enabled and controlled with the following options:
 .TP
 \fB\-sV\fR (Version detection)
 Enables version detection, as discussed above. Alternatively, you can use
-\fB\-A\fR
-to enable both OS detection and version detection.
+\fB\-A\fR, which enables version detection among other things.
 .TP
 \fB\-\-allports\fR (Don't exclude any ports from version detection)
 By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc. This behavior can be changed by modifying or removing the
@@ -766,7 +787,7 @@ OS detection is enabled and controlled with the following options:
 \fB\-O\fR (Enable OS detection)
 Enables OS detection, as discussed above. Alternatively, you can use
 \fB\-A\fR
-to enable both OS detection and version detection. 2nd generation OS detection is tried first. If that fails, Nmap will either print out the host fingerprint and ask you to submit it (if you are certain about what the target host is running), or Nmap will fall back to the 1st generation OS detection system in case its larger database has a match.
+to enable OS detection along with other things. 2nd generation OS detection is tried first. If that fails, Nmap will either print out the host fingerprint and ask you to submit it (if you are certain about what the target host is running), or Nmap will fall back to the 1st generation OS detection system in case its larger database has a match.
 .TP
 \fB\-O2\fR (2nd Generation OS Detection Only)
 Enables 2nd generation OS detection, but never falls back to the old (1st generation) system, even if it fails to find any match. This saves time and can reduce the number of packets sent to each target.
diff --git a/docs/nmap.deprecated.txt b/docs/nmap.deprecated.txt
deleted file mode 100644
index 4057687e1..000000000
--- a/docs/nmap.deprecated.txt
+++ /dev/null
@@ -1,371 +0,0 @@
-                               .oO Phrack 51 Oo.
-
-                            Volume Seven, Issue Fifty One
-                                     xx of xx                     
-
-                            The Art of Port Scanning
-                           by Fyodor (fyodor@insecure.org)
-
-
-
-[ Abstract ]
-
-This paper details many of the techniques used to determine what ports (or
-similar protocol abstraction) of a host are listening for connections.  These 
-ports represent potential communication channels.  Mapping their existence
-facilitates the exchange of information with the host, and thus it is quite 
-useful for anyone wishing to explore their networked environment, including 
-hackers.  Despite what you have heard from the media, the Internet is NOT
-all about TCP port 80.  Anyone who relies exclusively on the WWW for
-information gathering is likely to gain the same level of proficiency as your 
-average AOLer, who does the same.  This paper is also meant to serve as an
-introduction to and ancillary documentation for a coding project I have been 
-working on.  It is a full featured, robust port scanner which (I hope) solves 
-some of the problems I have encountered when dealing with other scanners and 
-when working to scan massive networks.  The tool, nmap, supports the following:
-
-    - vanilla TCP connect() scanning, 
-    - TCP SYN (half open) scanning,
-    - TCP FIN (stealth) scanning, 
-    - TCP ftp proxy (bounce attack) scanning
-    - SYN/FIN scanning using IP fragments (bypasses packet filters),
-    - UDP recvfrom() scanning, 
-    - UDP raw ICMP port unreachable scanning, 
-    - ICMP scanning (ping-sweep), and
-    - reverse-ident scanning.
-
-The freely distributable source code is appended to this paper.
-
-
-
-[ Introduction ]
-
-Scanning, as a method for discovering exploitable communication channels, has
-been around for ages.  The idea is to probe as many listeners as possible, and
-keep track of the ones which are receptive or useful to your particular need.
-Much of the field of advertising is based on this paradigm, and the "to current
-resident" brute force style of bulk mail is an almost perfect parallel to what
-we will discuss.  Just stick a message in every mailbox and wait for the
-responses to trickle back.
-
-Scanning entered the h/p world along with the phone systems.  Here we have this
-tremendous global telecommunications network, all reachable through codes on 
-our telephone.  Millions of numbers are reachable locally, yet we may only
-be interested in 0.5% of these numbers, perhaps those that answer with a 
-carrier.
-
-The logical solution to finding those numbers that interest us is to try them
-all.  Thus the field of "wardialing" arose.  Excellent programs like Toneloc
-were developed to facilitate the probing of entire exchanges and more.  The
-basic idea is simple.  If you dial a number and your modem gives you a CONNECT,
-you record it.  Otherwise the computer hangs up and tirelessly dials the next 
-one.
-
-While wardialing is still useful, we are now finding that many of the computers
-we wish to communicate with are connected through networks such as the Internet
-rather than analog phone dialups.  Scanning these machines involves the same
-brute force technique.  We send a blizzard of packets for various protocols,
-and we deduce which services are listening from the responses we receive (or
-don't receive).
-
-
-
-[ Techniques ]
-
-Over time, a number of techniques have been developed for surveying the
-protocols and ports on which a target machine is listening.  They all offer
-different benefits and problems.  Here is a line up of the most common:
-
-- TCP connect() scanning : This is the most basic form of tcp scanning.  The
-connect() system call provided by your operating system is used to open a
-connection to every interesting port on the machine.  If the port is listening,
-connect() will succeed, otherwise the port isn't reachable.  One strong
-advantage to this technique is that you don't need any special privileges.  Any
-user on most UNIX boxes is free to use this call.  Another advantage is speed.
-While making a separate connect() call for every targeted port in a linear
-fashion would take ages over a slow connection, you can hasten the scan by
-using many sockets in parallel.  Using non-blocking I/O allows you to set a low
-time-out period and watch all the sockets at once.  This is the fastest
-scanning method supported by nmap, and is available with the -t (TCP) option.
-The big downside is that this sort of scan is easily detectable and filterable.
-The target hosts logs will show a bunch of connection and error messages for
-the services which take the connection and then have it immediately shutdown.
-
-
-- TCP SYN scanning : This technique is often referred to as "half-open"
-scanning, because you don't open a full TCP connection.  You send a SYN packet,
-as if you are going to open a real connection and wait for a response.  A
-SYN|ACK indicates the port is listening.  A RST is indicative of a non-
-listener.  If a SYN|ACK is received, you immediately send a RST to tear down
-the connection (actually the kernel does this for us).  The primary advantage
-to this scanning technique is that fewer sites will log it.  Unfortunately you
-need root privileges to build these custom SYN packets.  SYN scanning is the -s
-option of nmap.
-
-
-- TCP FIN scanning : There are times when even SYN scanning isn't clandestine
-enough.  Some firewalls and packet filters watch for SYNs to an unallowed port,
-and programs like synlogger and courtney are available to detect these scans.
-FIN packets, on the other hand, may be able to pass through unmolested.  This
-scanning technique was featured in detail by Uriel Maimon in Phrack 49, article
-15.  The idea is that closed ports tend to reply to your FIN packet with the
-proper RST.  Open ports, on the other hand, tend to ignore the packet in
-question.  This is a bug in TCP implementations and so it isn't 100% reliable
-(some systems, notably Micro$oft boxes, seem to be immune).  It works well on
-most other systems I've tried.  FIN scanning is the -U (Uriel) option of nmap.
-
-
-- Fragmentation scanning : This is not a new scanning method in and of itself,
-but a modification of other techniques.  Instead of just sending the probe
-packet, you break it into a couple of small IP fragments.  You are splitting 
-up the TCP header over several packets to make it harder for packet filters 
-and so forth to detect what you are doing.  Be careful with this!  Some
-programs have trouble handling these tiny packets.  My favorite sniffer
-segmentation faulted immediately upon receiving the first 36-byte fragment.  
-After that comes a 24 byte one!  While this method won't get by packet filters
-and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG 
-option in Linux), a lot of networks can't afford the performance hit this
-causes.  This feature is rather unique to scanners (at least I haven't seen 
-any others that do this).  Thanks to daemon9 for suggesting it.  The -f
-instructs the specified SYN or FIN scan to use tiny fragmented packets.
-
-
-- TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq
-post, the ident protocol (rfc1413) allows for the disclosure of the username of
-the owner of any process connected via TCP, even if that process didn't 
-initiate the connection.  So you can, for example, connect to the http port 
-and then use identd to find out whether the server is running as root.  This 
-can only be done with a full TCP connection to the target port (ie the -t
-option).  nmap's -i option queries identd for the owner of all listen()ing
-ports.
-
-
-- FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is
-support for "proxy" ftp connections.  In other words, I should be able to
-connect from evil.com to the FTP server-PI (protocol interpreter) of target.com
-to establish the control communication connection.  Then I should be able to
-request that the server-PI initiate an active server-DTP (data transfer
-process) to send a file ANYWHERE on the internet!  Presumably to a User-DTP,
-although the rfc specifically states that asking one server to send a file to
-another is OK.  Now this may have worked well in 1985, when the rfc was
-written.  But nowadays, we can't have people hijacking ftp servers and
-requesting that data be spit out to arbitrary points on the internet.  As
-*Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually
-untraceable mail and news, hammer on servers at various sites, fill up disks,
-try to hop firewalls, and generally be annoying and hard to track down at the
-same time."  What we will exploit this for is to (surprise, surprise) scan TCP
-ports from a "proxy" ftp server.  Thus you could connect to an ftp server
-behind a firwall, and then scan ports that are more likely to be blocked (139
-is a good one).  If the ftp server allows reading from and writing to a
-directory (such as /incoming), you can send arbitrary data to ports that you do
-find open.
-
-For port scanning, our technique is to use the PORT command to declare that
-our passive "User-DTP" is listening on the target box at a certain port number.
- Then we try to LIST the current directory, and the result is sent over the
-Server-DTP channel.  If our target host is listening on the specified port, the
-transfer will be successful (generating a 150 and a 226 response).  Otherwise
-we will get "425 Can't build data connection: Connection refused."  Then we
-issue another PORT command to try the next port on the target host.  The
-advantages to this approach are obvious (harder to trace, potential to bypass
-firewalls).  The main disadvantages are that it is slow, and that some FTP
-servers have finally got a clue and disabled the proxy "feature".  For what it
-is worth, here is a list of benners from sites where it does/doesn't work:
-
-*Bounce attacks worked:*
-
-220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
-220 xxx.xxx.xxx.edu FTP server ready.
-220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
-220 lem FTP server (SunOS 4.1) ready.
-220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
-220 elios FTP server (SunOS 4.1) ready
-
-*Bounce attack failed:*
-
-220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
-220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
-220 ftp Microsoft FTP Service (Version 3.0).
-220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
-220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
-
-The 'x's are partly there to protect those guilty of running a flawed server,
-but mostly just to make the lines fit in 80 columns.  Same thing with the
-ellipse points.  The bounce attack is avalable with the -b <proxy_server>
-option of nmap.  proxy_server can be specified in standard URL format,
-username:password@server:port , with everything but server being optional.
-
-
-- UDP ICMP port unreachable scanning : This scanning method varies from the
-above in that we are using the UDP protocol instead of TCP.  While this
-protocol is simpler, scanning it is actually significantly more difficult.
-This is because open ports don't have to send an acknowledgement in response to
-our probe, and closed ports aren't even required to send an error packet.
-Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a
-packet to a closed UDP port.  Thus you can find out if a port is NOT open, and
-by exclusion determine which ports which are.  Neither UDP packets, nor the
-ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also
-implement retransmission of packets that appear to be lost (or you will get a
-bunch of false positives).  Also, this scanning technique is slow because of
-compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit
-ICMP error message rate.  For example, the Linux kernel (in net/ipv4/icmp.h)
-limits destination unreachable message generation to 80 per 4 seconds, with a
-1/4 second penalty if that is exceeded.  At some point I will add a better
-algorithm to nmap for detecting this.  Also, you will need to be root for
-access to the raw ICMP socket necessary for reading the port unreachable.  The
--u (UDP) option of nmap implements this scanning method for root users.
-
-Some people think UDP scanning is lame and pointless.  I usually remind them of
-the recent Solaris rcpbind hole.  Rcpbind can be found hiding on an
-undocumented UDP port somewhere above 32770.  So it doesn't matter that 111 is
-blocked by the firewall.  But can you find which of the more than 30,000 high
-ports it is listening on?  With a UDP scanner you can!
-
-
-- UDP recvfrom() and write() scanning : While non-root users can't read
-port unreachable errors directly, Linux is cool enough to inform the user
-indirectly when they have been received.  For example a second write()
-call to a closed port will usually fail.  A lot of scanners such as netcat
-and Pluvius' pscan.c do this.  I have also noticed that recvfrom() on
-non-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if
-the ICMP error hasn't been received, and ECONNREFUSED ("Connection refused", 
-errno 111) if it has.  This is the technique used for determining open ports 
-when non-root users use -u (UDP).  Root users can also use the -l (lamer
-UDP scan) options to force this, but it is a really dumb idea.
-
-
-- ICMP echo scanning : This isn't really port scanning, since ICMP doesn't have
-a port abstraction.  But it is sometimes useful to determine what hosts in a
-network are up by pinging them all.  the -P option does this.  Also you might
-want to adjust the PING_TIMEOUT #define if you are scanning a large
-network. nmap supports a host/bitmask notation to make this sort of thing
-easier.  For example 'nmap -P cert.org/24 152.148.0.0/16' would scan CERT's
-class C network and whatever class B entity 152.148.* represents.  Host/26 is
-useful for 6-bit subnets within an organization.
-
-
-
-[ Features ]
-
-Prior to writing nmap, I spent a lot of time with other scanners exploring the
-Internet and various private networks (note the avoidance of the "intranet"
-buzzword).  I have used many of the top scanners available today, including
-strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by
-Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by
-Wietse Venema.  These are all excellent scanners!  In fact, I ended up hacking
-most of them to support the best features of the others.  Finally I decided
-to write a whole new scanner, rather than rely on hacked versions of a dozen
-different scanners in my /usr/local/sbin.  While I wrote all the code, nmap
-uses a lot of good ideas from its predecessors.  I also incorporated some new
-stuff like fragmentation scanning and options which were on my "wish list" for
-other scanners.  Here are some of the (IMHO) useful features of nmap:
-
-- dynamic delay time calculations: Some scanners require that you supply a
-delay time between sending packets.  Well how should I know what to use?
-Sure, I can ping them, but that is a pain, and plus the response time of many
-hosts changes dramatically when they are being flooded with requests.  nmap
-tries to determine the best delay time for you.  It also tries to keep track
-of packet retransmissions, etc. so that it can modify this delay time during
-the course of the scan.  For root users, the primary technique for finding an
-initial delay is to time the internal "ping" function.  For non-root users, it
-times an attempted connect() to a closed port on the target.  It can also pick
-a reasonable default value.  Again, people who want to specify a delay
-themselves can do so with -w (wait), but you shouldn't have to.
-
-- retransmission: Some scanners just send out all the query packets, and
-collect the responses.  But this can lead to false positives or negatives in
-the case where packets are dropped.  This is especially important for
-"negative" style scans like UDP and FIN, where what you are looking for is a
-port that does NOT respond.  In most cases, nmap implements a configurable
-number of retransmissions for ports that don't respond.
-
-- parallel port scanning:  Some scanners simply scan ports linearly, one at a
-time, until they do all 65535.  This actually works for TCP on a very fast 
-local network, but the speed of this is not at all acceptable on a wide area 
-network like the Internet.  nmap uses non-blocking i/o and parallel scanning 
-in all TCP and UDP modes.  The number of scans in parallel is configurable
-with the -M (Max sockets) option.  On a very fast network you will actually 
-decrease performance if you do more than 18 or so.  On slow networks, high
-values increase performance dramatically.
-
-- Flexible port specification:  I don't always want to just scan all 65535
-ports.  Also, the scanners which only allow you to scan ports 1 - N sometimes 
-fall short of my need.  The -p option allows you to specify an arbitrary
-number of ports and ranges for scanning.  For example, '-p 21-25,80,113,
-60000-' does what you would expect (a trailing hyphen means up to 65536, a
-leading hyphen means 1 through).  You can also use the -F (fast) option, which
-scans all the ports registered in your /etc/services (a la strobe).
-
-- Flexible target specification:  I often want to scan more then one host,
-and I certainly don't want to list every single host on a large network to
-scan.  Everything that isn't an option (or option argument) in nmap is
-treated as a target host.  As mentioned before, you can optionally append
-/mask to a hostname or IP address in order to scan all hosts with the same
-initial <mask> bits of the 32 bit IP address.
-
-- detection of down hosts:  Some scanners allow you to scan large networks, but
-they waste a huge amount of time scanning 65535 ports of a dead host!  By
-default, nmap pings each host to make sure it is up before wasting time on it.
-It is also capable of bailing on hosts which seem down based on strange port
-scanning errors.  It is also meant to be tolerant of people who accidently scan
-network addresses, broadcast addresses, etc.
-
-- detection of your IP address: For some reason, a lot of scanners ask you to
-type in your IP address as one of the parameters.  Jeez, I don't want to have
-to 'ifconfig' and figure out my current address every time I scan.  Of course,
-this is better then the scanners I've seen which require recompilation every
-time you change your address!  nmap first tries to detect your address during
-the ping stage.  It uses the address that the echo response is received on, as
-that is the interface it should almost always be routed through.  If it can't
-do this (like if you don't have host pinging enabled), nmap tries to detect
-your primary interface and uses that address.  You can also use -S to specify
-it directly, but you shouldn't have to (unless you want to make it look like
-someone ELSE is SYN or FIN scanning a host.
-
-
-Some other, more minor options:
-
- -v (verbose): This is highly recommended for interactive use.  Among other
-useful messages, you will see ports come up as they are found, rather than
-having to wait for the sorted summary list.
-
- -r (randomize): This will randomize the order in which the target host's
-ports are scanned.
-
- -q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
-It also eliminates all other arguments, so you won't look too suspicious in
-'w' or 'ps' listings.
-
- -h for an options summary.
-
-Also look for http://www.insecure.org/nmap/, which is the web site I plan to
-put future versions and more information on.  In fact, you would be well
-advised to check there right now.
-
-
-[ Greets ]
-
-Of course this paper would not be complete without a shout out to all the 
-people who made it possible.
-
-* Congratulations to the people at Phrack for getting this thing going again!
-* Greets to the whole dc-stuff crew.
-* Greets to the STUPH, Turntec, L0pht, TACD, the Guild, cDc, and all the other
-  groups who help keep the scene alive.
-* Shout out to _eci for disclosing the coolest Windows bug in recent history.
-* Thanks to the Data Haven Project (dhp.com) admins for providing such great
-  service for $10/month.  
-* And a special shout out goes to all my friends.  You know who
-  you are and some of you (wisely) stay out of the spotlight, so I'll keep you
-  anonymous ... except of course for Ken and Jay, and Avenger, Grog, Cash
-  Monies, Ethernet Kid, Zos, JuICe, Mother Prednisone, and Karen.
-
-
-And finally, we get to ...
-
-
-[ The code ]
-
-This should compile fine on any Linux box with 'gcc -O6 -o nmap nmap.c -lm'.
-It is distrubuted under the terms of the GNU GENERAL PUBLIC LICENSE.  If you
-have problems or comments, feel free to mail me (fyodor@insecure.org).
diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index 2ef3d48a8..ad2f5f068 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -89,7 +89,7 @@ OUTPUT:
   --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
 MISC:
   -6: Enable IPv6 scanning
-  -A: Enables OS detection, Version detection, Script scanning and Traceroute
+  -A: Enables OS detection and Version detection, Script scanning and Traceroute
   --datadir <dirname>: Specify custom Nmap data file location
   --send-eth/--send-ip: Send using raw ethernet frames or IP packets
   --privileged: Assume that the user is fully privileged
diff --git a/docs/nmap_doc.html b/docs/nmap_doc.html
deleted file mode 100644
index 9467153bb..000000000
--- a/docs/nmap_doc.html
+++ /dev/null
@@ -1,449 +0,0 @@
-<HTML>
-<HEAD>
-<TITLE>Nmap: The Art of Port Scanning</TITLE>
-</HEAD>
-<BODY BGCOLOR="#2A0D45" TEXT="#ffffff" LINK="#ff0000" ALINK="#00ff00" VLINK="#ff0000">
-<H1><CENTER>The Art of Port Scanning</CENTER></H1>
-<CENTER><H1>by Fyodor <A HREF="mailto:fyodor@insecure.org">&lt;fyodor@insecure.org&gt;</A></H1></CENTER>
-<CENTER>(Last significant update: Sat Sep  6 03:24:53 GMT 1997)</CENTER>
-<BR><BR>
-
-<H1>Warning, the interface to nmap has changed a bit and so not all the flags and options mentioned in this paper are still accurate.  The authoritative documentation is now the man page (<A HREF="nmap_manpage.html">html version</A>).  This article still contains a lot of information on port scanning though and so I recommend that nmap users read it.</H1>
-
-<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Abstract</TH></TR></TABLE>
-
-<P>This paper details many of the techniques used to determine what ports (or
-similar protocol abstraction) of a host are listening for connections.  These 
-ports represent potential communication channels.  Mapping their existence
-facilitates the exchange of information with the host, and thus it is quite 
-useful for anyone wishing to explore their networked environment, including 
-hackers.  Despite what you have heard from the media, the Internet is NOT
-all about TCP port 80.  Anyone who relies exclusively on the WWW for
-information gathering is likely to gain the same level of proficiency as your 
-average AOLer, who does the same.  This paper is also meant to serve as an
-introduction to and ancillary documentation for a coding project I have been 
-working on.  It is a full featured, robust port scanner which (I hope) solves 
-some of the problems I have encountered when dealing with other scanners and 
-when working to scan massive networks.  The tool, nmap, supports the following:
-<BR><BR>
-<UL>
-<LI><A HREF="#connect">Vanilla TCP connect() scanning</A>,
-<LI><A HREF="#syn">TCP SYN (half open) scanning</A>,
-<LI><A HREF="#fin">TCP FIN (stealth) scanning</A>,
-<LI><A HREF="#bounce">TCP ftp proxy (bounce attack) scanning</A>,
-<LI><A HREF="#frag">SYN/FIN scanning using IP fragments (bypasses packet filters)</A>,
-<LI><A HREF="#recvfrom">UDP recvfrom() scanning</A>,
-<LI><A HREF="#port_unreach">UDP raw ICMP port unreachable scanning</A>,
-<LI><A HREF="#icmp">ICMP scanning (ping-sweep)</A>, and
-<LI><A HREF="#ident">Reverse-ident scanning</A>.
-</UL>
-<BR><BR>
-The freely distributable source code is available at <A HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap/</A>
-<BR><BR>
-
-<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH
-ALIGN="CENTER">Introduction</TH></TR></TABLE>
-
-<P>Scanning, as a method for discovering exploitable communication channels, has
-been around for ages.  The idea is to probe as many listeners as possible, and
-keep track of the ones that are receptive or useful to your particular need.
-Much of the field of advertising is based on this paradigm, and the "to current
-resident" brute force style of bulk mail is an almost perfect parallel to what
-we will discuss.  Just stick a message in every mailbox and wait for the
-responses to trickle back.
-
-<P>Scanning entered the h/p world along with the phone systems.  Here
-we have this tremendous global telecommunications network, all
-reachable through codes on our telephone.  Millions of numbers are
-reachable locally, yet we may only be interested in 0.5% of these
-numbers, perhaps those that answer with a carrier.
-
-<P>The logical solution to finding those numbers that interest us is
-to try them all.  Thus the field of "wardialing" arose.  Excellent
-programs like Toneloc were developed to facilitate the probing of
-entire exchanges and more.  The basic idea is simple.  If you dial a
-number and your modem gives you a CONNECT, you record it.  Otherwise
-the computer hangs up and tirelessly dials the next one.
-
-<P>While wardialing is still useful, we are now finding that many of
-the computers we wish to communicate with are connected through
-networks such as the Internet rather than analog phone dialups.
-Scanning these machines involves the same brute force technique.  We
-send a blizzard of packets for various protocols, and we deduce which
-services are listening from the responses we receive (or don't
-receive).
-
-<BR><BR>
-<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Techniques</TH></TR></TABLE>
-
-<P>Over time, a number of techniques have been developed for surveying the
-protocols and ports on which a target machine is listening.  They all offer
-different benefits and problems.  Here is a line up of the most common:<BR><BR>
-
-<UL>
-
-<LI><A NAME="connect">TCP connect() scanning : This is the most basic
-form of TCP scanning.  The connect() system call provided by your
-operating system is used to open a connection to every interesting
-port on the machine.  If the port is listening, connect() will
-succeed, otherwise the port isn't reachable.  One strong advantage to
-this technique is that you don't need any special privileges.  Any
-user on most UNIX boxes is free to use this call.  Another advantage
-is speed.  While making a separate connect() call for every targeted
-port in a linear fashion would take ages over a slow connection, you
-can hasten the scan by using many sockets in parallel.  Using
-non-blocking I/O allows you to set a low time-out period and watch all
-the sockets at once.  This is the fastest scanning method supported by
-nmap, and is available with the -t (TCP) option.  The big downside is
-that this sort of scan is easily detectable and filterable.  The
-target hosts logs will show a bunch of connection and error messages
-for the services which take the connection and then have it
-immediately shutdown.<BR><BR>
-
-
-<LI><A NAME="syn">TCP SYN scanning : This technique is often referred
-to as "half-open" scanning, because you don't open a full TCP
-connection.  You send a SYN packet, as if you are going to open a real
-connection and wait for a response.  A SYN|ACK indicates the port is
-listening.  A RST is indicative of a non- listener.  If a SYN|ACK is
-received, you immediately send a RST to tear down the connection
-(actually the kernel does this for us).  The primary advantage to this
-scanning technique is that fewer sites will log it.  Unfortunately you
-need root privileges to build these custom SYN packets.  SYN scanning
-is the -s option of nmap.<BR><BR>
-
-
-<LI><A NAME="fin">TCP FIN scanning : There are times when even SYN
-scanning isn't clandestine enough.  Some firewalls and packet filters
-watch for SYNs to restricted ports, and programs like synlogger and
-Courtney are available to detect these scans.  FIN packets, on the
-other hand, may be able to pass through unmolested.  This scanning
-technique was featured in detail by Uriel Maimon in Phrack 49, article
-15.  The idea is that closed ports tend to reply to your FIN packet
-with the proper RST.  Open ports, on the other hand, tend to ignore
-the packet in question.  As Alan Cox has pointed out, this is required
-TCP behavior.  However, some systems (notably Micro$oft boxes), are
-broken in this regard.  They send RST's regardless of the port state,
-and thus they aren't vulnerable to this type of scan.  It works well
-on most other systems I've tried.  Actually, it is often useful to
-discriminate between a *NIX and NT box, and this can be used to do
-that. FIN scanning is the -U (Uriel) option of nmap.<BR><BR>
-
-
-<LI><A NAME="frag">Fragmentation scanning : This is not a new scanning
-method in and of itself, but a modification of other techniques.
-Instead of just sending the probe packet, you break it into a couple
-of small IP fragments.  You are splitting up the TCP header over
-several packets to make it harder for packet filters and so forth to
-detect what you are doing.  Be careful with this!  Some programs have
-trouble handling these tiny packets.  My favorite sniffer segmentation
-faulted immediately upon receiving the first 36-byte fragment.  After
-that comes a 24 byte one!  While this method won't get by packet
-filters and firewalls that queue all IP fragments (like the
-CONFIG_IP_ALWAYS_DEFRAG option in Linux), a lot of networks can't
-afford the performance hit this causes.  This feature is rather unique
-to scanners (at least I haven't seen any others that do this).  Thanks
-to daemon9 for suggesting it.  The -f instructs the specified SYN or
-FIN scan to use tiny fragmented packets.<BR><BR>
-
-
-<LI><A NAME="ident">TCP reverse ident scanning : As noted by Dave
-Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc1413) allows
-for the disclosure of the username of the owner of any process
-connected via TCP, even if that process didn't initiate the
-connection.  So you can, for example, connect to the http port and
-then use identd to find out whether the server is running as root.
-This can only be done with a full TCP connection to the target port
-(i.e. the -t option).  nmap's -i option queries identd for the owner
-of all listen()ing ports.<BR><BR>
-
-
-<LI><A NAME="bounce">FTP bounce attack : An interesting "feature" of
-the ftp protocol (RFC 959) is support for "proxy" ftp connections.  In
-other words, I should be able to connect from evil.com to the FTP
-server-PI (protocol interpreter) of target.com to establish the
-control communication connection.  Then I should be able to request
-that the server-PI initiate an active server-DTP (data transfer
-process) to send a file ANYWHERE on the internet!  Presumably to a
-User-DTP, although the RFC specifically states that asking one server
-to send a file to another is OK.  Now this may have worked well in
-1985 when the RFC was just written.  But nowadays, we can't have
-people hijacking ftp servers and requesting that data be spit out to
-arbitrary points on the internet.  As *Hobbit* wrote back in 1995,
-this protocol flaw "can be used to post virtually untraceable mail and
-news, hammer on servers at various sites, fill up disks, try to hop
-firewalls, and generally be annoying and hard to track down at the
-same time."  What we will exploit this for is to (surprise, surprise)
-scan TCP ports from a "proxy" ftp server.  Thus you could connect to
-an ftp server behind a firewall, and then scan ports that are more
-likely to be blocked (139 is a good one).  If the ftp server allows
-reading from and writing to a directory (such as /incoming), you can
-send arbitrary data to ports that you do find open.
-
-<P>For port scanning, our technique is to use the PORT command to declare that
-our passive "User-DTP" is listening on the target box at a certain port number.
- Then we try to LIST the current directory, and the result is sent over the
-Server-DTP channel.  If our target host is listening on the specified port, the
-transfer will be successful (generating a 150 and a 226 response).  Otherwise
-we will get "425 Can't build data connection: Connection refused."  Then we
-issue another PORT command to try the next port on the target host.  The
-advantages to this approach are obvious (harder to trace, potential to bypass
-firewalls).  The main disadvantages are that it is slow, and that some FTP
-servers have finally got a clue and disabled the proxy "feature".  For what it
-is worth, here is a list of banners from sites where it does/doesn't work:
-
-<P>*Bounce attacks worked:*<BR><BR>
-<PRE>
-220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
-220 xxx.xxx.xxx.edu FTP server ready.
-220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
-220 lem FTP server (SunOS 4.1) ready.
-220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
-220 elios FTP server (SunOS 4.1) ready
-</PRE>
-
-<P>*Bounce attack failed:*<BR><BR>
-<PRE>
-220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
-220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
-220 ftp Microsoft FTP Service (Version 3.0).
-220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
-220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
-</PRE>
-
-The 'x's are partly there to protect those guilty of running a flawed server,
-but mostly just to make the lines fit in 80 columns.  Same thing with the
-ellipse points.  The bounce attack is available with the -b <proxy_server>
-option of nmap.  proxy_server can be specified in standard URL format,
-username:password@server:port , with everything but server being optional.<BR><BR>
-
-
-<LI><A NAME="port_unreach">UDP ICMP port unreachable scanning : This
-scanning method varies from the above in that we are using the UDP
-protocol instead of TCP.  While this protocol is simpler, scanning it
-is actually significantly more difficult.  This is because open ports
-don't have to send an acknowledgement in response to our probe, and
-closed ports aren't even required to send an error packet.
-Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you
-send a packet to a closed UDP port.  Thus you can find out if a port
-is NOT open, and by exclusion determine which ports which are.
-Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so
-UDP scanners of this sort must also implement retransmission of
-packets that appear to be lost (or you will get a bunch of false
-positives).  Also, this scanning technique is slow because of
-compensation for machines that took RFC 1812 section 4.3.2.8 to heart
-and limit ICMP error message rate.  For example, the Linux kernel (in
-net/ipv4/icmp.h) limits destination unreachable message generation to
-80 per 4 seconds, with a 1/4 second penalty if that is exceeded.  At
-some point I will add a better algorithm to nmap for detecting this.
-Also, you will need to be root for access to the raw ICMP socket
-necessary for reading the port unreachable.  The -u (UDP) option of
-nmap implements this scanning method for root users.
-
-<P>Some people think UDP scanning is lame and pointless.  I usually
-remind them of the recent Solaris rcpbind hole.  Rpcbind can be found
-hiding on an undocumented UDP port somewhere above 32770.  So it
-doesn't matter that 111 is blocked by the firewall.  But can you find
-which of the more than 30,000 high ports it is listening on?  With a
-UDP scanner you can!<BR><BR>
-
-
-<LI><A NAME="recvfrom">UDP recvfrom() and write() scanning : While
-non-root users can't read port unreachable errors directly, Linux is
-cool enough to inform the user indirectly when they have been
-received.  For example a second write() call to a closed port will
-usually fail.  A lot of scanners such as netcat and Pluvius' pscan.c
-does this.  I have also noticed that recvfrom() on non-blocking UDP
-sockets usually return EAGAIN ("Try Again", errno 13) if the ICMP
-error hasn't been received, and ECONNREFUSED ("Connection refused",
-errno 111) if it has.  This is the technique used for determining open
-ports when non-root users use -u (UDP).  Root users can also use the
--l (lamer UDP scan) options to force this, but it is a really dumb
-idea.<BR><BR>
-
-
-<LI><A NAME="icmp">ICMP echo scanning : This isn't really port
-scanning, since ICMP doesn't have a port abstraction.  But it is
-sometimes useful to determine what hosts in a network are up by
-pinging them all.  the -P option does this.  ICMP scanning is now in
-parallel, so it can be quite fast.  To speed things up even more, you
-can increase the number of pings in parallel with the '-L <num>'
-option.  It can also be helpful to tweek the ping timeout value with
-'-T <num_seconds>'.  nmap supports a host/bitmask notation to make
-this sort of thing easier.  For example 'nmap -P cert.org/24
-152.148.0.0/16' would scan CERT's class C network and whatever class B
-entity 152.148.* represents.  Host/26 is useful for 6-bit subnets
-within an organization.  Nmap now also offers a more powerful form.
-You can now do things like '150.12,17,71-79.7.*' and it will do what
-you expect.  For each of the four values, you can either put a single
-number, a range (with '-'), a comma-separated list of numbers and
-ranges, or a '*' which is just a short cut for 0-255.  By default,
-likely network/broadcast addresses like .0 and .255 are not scanned,
-but the '-A' option allows you to do this if you wish.
-
-</UL>
-<BR><BR>
-
-<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Features</TH></TR></TABLE>
-
-<P>Prior to writing nmap, I spent a lot of time with other scanners
-exploring the Internet and various private networks (note the
-avoidance of the "intranet" buzzword).  I have used many of the top
-scanners available today, including strobe by Julian Assange, netcat
-by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan by
-Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema.
-These are all excellent scanners!  In fact, I ended up hacking most of
-them to support the best features of the others.  Finally I decided to
-write a whole new scanner, rather than rely on hacked versions of a
-dozen different scanners in my /usr/local/sbin.  While I wrote all the
-code, nmap uses a lot of good ideas from its predecessors.  I also
-incorporated some new stuff like fragmentation scanning and options
-that were on my "wish list" for other scanners.  Here are some of the
-(IMHO) useful features of nmap:<BR><BR>
-
-<UL>
-<LI>dynamic delay time calculations: Some scanners require that you
-supply a delay time between sending packets.  Well how should I know
-what to use?  Sure, I can ping them, but that is a pain, and plus the
-response time of many hosts changes dramatically when they are being
-flooded with requests.  nmap tries to determine the best delay time
-for you.  It also tries to keep track of packet retransmissions,
-etc. so that it can modify this delay time during the course of the
-scan.  For root users, the primary technique for finding an initial
-delay is to time the internal "ping" function.  For non-root users, it
-times an attempted connect() to a closed port on the target.  It can
-also pick a reasonable default value.  Again, people who want to
-specify a delay themselves can do so with -w (wait), but you shouldn't
-have to.<BR><BR>
-
-<LI>retransmission: Some scanners just send out all the query packets,
-and collect the responses.  But this can lead to false positives or
-negatives in the case where packets are dropped.  This is especially
-important for "negative" style scans like UDP and FIN, where what you
-are looking for is a port that does NOT respond.  In most cases, nmap
-implements a configurable number of retransmissions for ports that
-don't respond.<BR><BR>
-
-<LI>parallel port scanning: Some scanners simply scan ports linearly,
-one at a time, until they do all 65535.  This actually works for TCP
-on a very fast local network, but the speed of this is not at all
-acceptable on a wide area network like the Internet.  nmap uses
-non-blocking i/o and parallel scanning in all TCP and UDP modes.  The
-number of scans in parallel is configurable with the -M (Max sockets)
-option.  On a very fast network you will actually decrease performance
-if you do more than 18 or so.  On slow networks, high values increase
-performance dramatically.<BR><BR>
-
-<LI>Flexible port specification: I don't always want to just scan all
-65535 ports.  Also, the scanners which only allow you to scan ports 1
-- N sometimes fall short of my need.  The -p option allows you to
-specify an arbitrary number of ports and ranges for scanning.  For
-example, '-p 21-25,80,113, 60000-' does what you would expect (a
-trailing hyphen means up to 65536, a leading hyphen means 1 through).
-You can also use the -F (fast) option, which scans all the ports
-registered in your /etc/services (a la strobe).<BR><BR>
-
-<LI>Flexible target specification: I often want to scan more then one
-host, and I certainly don't want to list every single host on a large
-network to scan.  Everything that isn't an option (or option argument)
-in nmap is treated as a target host.  As mentioned before, you can
-optionally append /mask to a hostname or IP address in order to scan
-all hosts with the same initial <mask> bits of the 32 bit IP
-address.  You can use the same powerful syntax as the port
-specifications to specify targets like '150.12.17.71-79.7.*'.  '*' is
-just a shortcut for 0-255, remember to escape it from your shell if
-used.<BR><BR>
-
-<LI>detection of down hosts: Some scanners allow you to scan large
-networks, but they waste a huge amount of time scanning 65535 ports of
-a dead host!  By default, nmap pings each host to make sure it is up
-before wasting time on it.  It also does thin in parallel, to speed
-things up.  You can change the parrallel ping lookahead with '-L' and
-the ping timeout with '-T'.  You can turn pinging off completely with
-the '-D' command line option.  This is useful for scanning networks
-like microsoft.com where ICMP echo requests can't get through.  Nmap
-is also capable of bailing on hosts that seem down based on strange
-port scanning errors.  It is also meant to be tolerant of people who
-accidentally scan network addresses, broadcast addresses, etc.<BR><BR>
-
-<LI>detection of your IP address: For some reason, a lot of scanners
-ask you to type in your IP address as one of the parameters.  Jeez, I
-don't want to have to 'ifconfig' and figure out my current address
-every time I scan.  Of course, this is better then the scanners I've
-seen which require recompilation every time you change your address!
-nmap first tries to detect your address during the ping stage.  It
-uses the address that the echo response is received on, as that is the
-interface it should almost always be routed through.  If it can't do
-this (like if you don't have host pinging enabled), nmap tries to
-detect your primary interface and uses that address.  You can also use
--S to specify it directly, but you shouldn't have to (unless you want
-to make it look like someone ELSE is SYN or FIN scanning a
-host.<BR><BR>
-</UL>
-
-Some other, more minor options:<BR>
-<PRE>
- -v (verbose): This is highly recommended for interactive use.  Among other
-useful messages, you will see ports come up as they are found, rather than
-having to wait for the sorted summary list.
-
- -r (randomize): This will randomize the order in which the target host's
-ports are scanned.
-
- -q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
-It also eliminates all other arguments, so you won't look too suspicious in
-'w' or 'ps' listings.
-
- -h for an options summary.
-
- -R show and resolve all hosts, even down ones.
-</PRE>
-
-Also look for <A
-HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap</A>,
-which is the web site I plan to put future versions and more
-information on.  In fact, you would be well advised to check there
-right now. (If that isn't where you are reading this).
-
-<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Example
-Usage</TH></TR></TABLE>
-<BR><BR>
-
-To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and
-166.67.0.0 for the popularly exploitable imapd daemon:<BR>
-<pre>
-# nmap -Up 143 166.66.0.0/16 166.67.0.0/16
-</pre>
-To do a standard tcp scan on the reserved ports of host
-&lt;target&gt;:<BR>
-<pre>
-&gt; nmap target
-</pre>
-To check the class 'C' network on which warez.com sits for popular
-services (via fragmented SIN scan):<BR>
-<pre>
-# nmap -fsp 21,22,23,25,80,110 warez.com/24
-</pre>
-To scan the same network for all the services in your /etc/services
-via (very fast) tcp scan:<BR>
-<pre>
-&gt; nmap -F warez.com/24
-</pre> 
-To scan secret.pathetic.net using the ftp bounce attack off of
-ftp.pathetic.net:<BR>
-<pre>
-&gt; nmap -Db ftp.pathetic.net secret.pathetic.net
-</pre>
-To find hosts that are up in the the adjacent class C's 193.14.12,
-.13, .14, .15, ... , .30:<BR>
-<pre>
-&gt; nmap -P '193.14.[12-30].*'
-</pre>
-If you don't want to have to quote it to avoid shell interpretation,
-this does the same thing:<BR>
-<pre>
-&gt; nmap -P 193.14.12-30.0-255
-</pre>
-
-</BODY>
-</HTML>
diff --git a/docs/nmap_french.1 b/docs/nmap_french.1
deleted file mode 100644
index 71a92a4ba..000000000
--- a/docs/nmap_french.1
+++ /dev/null
@@ -1,950 +0,0 @@
-.\" nmap version 3.00, August 2002
-.\" This definition swiped from the gcc(1) man page
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH NOM
-nmap \- Outil d'exploration rИseau et analyseur de sИcuritИ
-.SH SYNOPSIS
-.B nmap
-[Type(s) de scan] [Options] <hТte ou rИseau #1 ... [#N]>
-.SH DESCRIPTION
-
-.I Nmap 
-a ИtИ conГu pour que les administrateurs systХmes et les curieux 
-puissent analyser de grands rИseaux pour dИterminer les hТtes actifs et les 
-services offerts.
-.I nmap 
-supporte un grand nombre de techniques d'analyse\ : UDP, TCP
-connect(), TCP SYN (mi ouvert), ftp proxy (attaque par rebond),
-Reverse-ident, ICMP (balayage de ping), FIN, balayage de ACK, Xmas Tree, balayage 
-de SYN, Protocoles IP, et Null scan. Voir la section 
-.I Types de scans
-pour plus de dИtails. Nmap offre Иgalement des caractИristiques avancИes
-comme la dИtection du systХme d'exploitation distant via l'empreinte
-TCP/IP, l'analyse furtive, le dИlai dynamique et les calculs de retransmission,
-l'analyse parallХle, dИtection de hТtes inactifs via
-des pings parallХles, l'analyse avec leurres, la dИtection des ports filtrИs,
-analyse directe (sans portmapper) des RCP, l'analyse avec fragmentation, 
-et une notation puissante pour dИsigner les hТtes et les ports.
-.PP
-Des efforts significatifs ont ИtИ consacrИs pour que nmap soit utilisable
-par des utilisateurs non-root. Malheureusement, la plupart des interfaces 
-noyaux critiques (comme les raw sockets) requiХrent les privilХges root.
-Nmap devrait donc Йtre lancИ en tant que root autant que possible 
-(mais pas en setuid root, Иvidemment).
-.PP
-Le rИsultat de l'exИcution de nmap est habituellement une liste 
-de ports intИressants sur les machines analysИes. Nmap donne pour 
-chaque port le nom du service, le numИro, l'Иtat et le protocole.
-L'Иtat peut Йtre ╚\ open\ ╩, ╚\ filtered\ ╩ ou ╚\ unfiltered\ ╩. 
-╚\ Open\ ╩ signifie que la machine cible accepte les connexions sur ce port. 
-╚\ Filtered\ ╩ signifie qu'un pare-feu, un filtre ou un autre obstacle rИseau
-protХge le port et empЙche nmap de dИtecter si le port est ouvert. 
-╚\ Unfiltered\ ╩ signifie que le port est fermИ et qu'aucun pare-feu n'a 
-interfИrИ avec nmap.
-Les ports ╚\ Unfiltered\ ╩ sont les plus courants et ne sont affichИs
-que lorsque la majoritИ des ports analysИs sont dans l'Иtat ╚\ filtered\ ╩.
-.PP
-En fonction des options utilisИes, nmap peut aussi rapporter les caractИristiques
-suivantes du systХme d'exploitation distant\ :
-type de systХme d'exploitation, sИquencement TCP, noms des utilisateurs
-qui ont lancИ les programmes qui Иcoutent sur chaque port, le nom DNS,
-et d'autres choses encore.
-.SH OPTIONS
-Les options ayant du sens ensemble peuvent gИnИralement Йtre combinИes.
-Certaines options sont spИcifiques Ю certains modes d'analyses.
-.I nmap 
-essaye de dИtecter et de prИvenir l'utilisateur
-en cas de combinaisons d'options dИmentes ou non supportИes.
-.Sp
-Si vous Йtes impatient, vous pouvez passer directement
-Ю la section des 
-.I exemples
-Ю la fin, qui illustre l'usage courant. Vous pouvez aussi lancer
-.B nmap -h
-pour un bref rappel de toutes les options.
-.TP
-.B TYPES DE SCANS
-.TP
-.B \-sS
-TCP SYN scan\ : Cette technique est souvent appelИe scan
-╚\ mi ouvert\ ╩, parce qu'on ouvre une connexion TCP incomplХte.
-On envoie un paquet SYN, comme pour une vИritable ouverture de connexion
-et on attend une rИponse. Un SYN ou ACK indique
-que le port est sous Иcoute, en revanche un RST signifie que personne n'Иcoute
-sur ce port.
-Si un SYN ou ACK est reГu, un RST est immИdiatement envoyИ pour interrompre
-la connexion.
-Le principal avantage de cette technique est que peu de sites l'archiveront.
-dans leurs logs.
-Malheureusement vous avez besoin des privilХges root pour construire
-ces paquets SYN sur mesure. C'est le scan par dИfaut pour les utilisateurs
-qui ont les privilХges root.
-.TP
-.B \-sT 
-TCP connect() scan\ : C'est la forme la plus simple de scan TCP.
-L'appel systХme connect() fournit par votre systХme d'exploitation
-est utilisИ pour ouvrir une connexion sur tous les ports intИressants
-de la cible. Si le port est sur Иcoute, 
-connect() rИussira, sinon le port est injoignable.
-Le principal avantage de cette technique est qu'elle ne nИcessite pas
-de privilХges particuliers. Presque tous les utilisateurs de toutes les machines Unix
-sont libres d'utiliser cet appel systХme.
-.Sp
-Ce type de scan est facilement dИtectable par l'hТte cible
-puisque les logs de la cible montreront un ensemble de connexions
-et de messages d'erreurs pour les services qui ont acceptИ la connexion
-qui a ИtИ immИdiatement coupИe.
-C'est le scan par dИfaut pour les utilisateurs normaux (non root).
-.TP
-.B \-sF \-sX \-sN 
-Stealth FIN, Xmas Tree, ou Null scan modes\ : Parfois mЙme
-un SYN scan n'est pas suffisamment discret.
-Certains pare-feux et filtreurs de paquets regardent les 
-SYNs vers les ports interdits, et des programmes comme Synlogger et
-Courtney peuvent dИtecter ces scans. En revanche, ces scans avancИs
-devrait pourvoir passer sans problХmes.
-.Sp
-L'idИe est qu'un port fermИ est requis pour
-rИpondre au paquet de test par un RST, alors
-que les ports ouverts doivent ignorer les paquets en question
-(voir RFC 793 pp 64). Le FIN scan utilise
-un paquet FIN nu comme testeur, alors que le scan Xmas tree
-active les drapeaux URG et PUSH du paquet FIN. Le scan Null, dИsactive tous
-les drapeaux. Malheureusement Microsoft (comme d'habitude)
-a dИcidИ d'ignorer complХtement le standard et de faire les choses Ю sa faГon.
-C'est pourquoi ce type de scan ne fonctionne pas contre les systХmes sous
-Windows95/NT. Le cТtИ positif est que c'est un bon moyen de distinguer deux
-plates-formes.
-Si le scan trouve des ports ouverts, vous savez que la machine cible n'est 
-pas sous Windows. Si un -sF,-sX, ou -sN scan montre tous les ports
-fermИs, et qu'un scan SYN (-sS) montre tous les ports ouverts, la machine cible 
-fonctionne probablement sous
-Windows. Ceci est moins utile depuis que nmap a son propre dИtecteur de systХme
-d'exploitation intИgrИ. D'autres systХmes ont le mЙme problХme que Windows\ :
-Cisco, BSDI, HP/UX, MVS, et IRIX.
-La plupart envoient des resets depuis les ports ouverts au lieu d'ignorer 
-le paquet.
-.TP
-.B \-sP
-Ping scanning\ : Parfois vous voulez juste savoir quels sont les hТtes
-actifs d'un rИseau. 
-Nmap peut le faire pour vous en envoyant des paquets d'Иcho ICMP Ю chaque adresse IP du rИseau spИcifiИ.
-Les hТtes qui rИpondent sont actifs. Malheureusement, certains sites comme
-microsoft.com, bloquent les paquets d'Иcho.
-Toutefois nmap peut aussi envoyer un paquet TCP ack au port 80 (par dИfaut).
-Si vous recevez un RST en retour, la machine est active. Une troisiХme 
-technique consiste Ю envoyer un paquet SYN et d'attendre un RST ou un SYN/ACK. 
-Pour les utilisateurs non-root, la mИthode connect() est utilisИe.
-.Sp
-Par dИfaut (pour les utilisateurs root), nmap utilise la technique
-ICMP et ACK en parallХle. Vous pouvez changer l'option
-.B \-P 
-dИcrite plus tard.
-.Sp
-Remarquez que le ping est fait par dИfaut de toutes faГons 
-et seuls les hТtes qui rИpondent sont analysИs.
-N'utilisez cette option que si vous voulez faire un balayage de
-ping 
-.B sans
-faire d'analyse de ports.
-.TP
-.B \-sU
-UDP scans\ : Cette mИthode est utilisИe pour dИterminer les ports UDP
-(User Datagram Protocol, RFC 768) qui sont ouverts sur l'hТte
-Cette technique consiste Ю envoyer un paquet udp de 0 octet Ю chaque
-port de la machine cible. Si on reГoit un message ICMP ╚\ port unreachable\ ╩,
-alors le port est fermИ. Autrement nous supposons qu'il est ouvert.
-.Sp
-Certaines personne pensent que l'analyse UDP est inutile.
-J'ai pour habitude de leur rappeler le trou rИcent dans rcpbind sous Solaris.
-Rpcbind peut dissimuler un port UDP non documentИ quelque part au dessus
-de 32\ 770. Comme dИcouvrir un tel port sans scanner UDP\ ?
-Il y a aussi le programme
-cDc Back Orifice backdoor qui cache un port UDP configurable
-sur les machines Windows. Sans mЙme mentionner tous les services courants
-qui utilisent UDP tels que snmp, tftp, NFS, etc.
-.Sp
-Malheureusement l'analyse UDP peut Йtre particuliХrement longue puisque la plupart
-des hТtes implИmente une suggestion de la RFC 1812 (section
-4.3.2.8) pour limiter le dИbit des messages d'erreurs ICMP. Par exemple, 
-le noyau Linux (dans net/ipv4/icmp.h) limite la gИnИration de
-message ╚\ destination unreachable\ ╩ Ю 80 pour 4 secondes, avec 
-une pИnalitИ de 1/4 secondes si ce nombre est dИpassИ.
-Solaris a des limites encore plus strictes (Ю peu prХs 2 messages par
-seconde) et l'analyse nИcessite encore plus de temps.
-.I Nmap
-dИtecte cette limite de dИbit et ralentit plutТt que d'inonder inutilement
-le rИseau avec des paquets qui seront ignorИs par la machine cible.
-.Sp
-Comme d'habitude, Microsoft a ignorИ la suggestion RFC
-et n'a pas implИmentИ de limitation de taux dans les machines
-Win95 et NT. C'est pourquoi nous pouvons analyser 
-les 65K ports d'une machine Windows
-.B trХs
-rapidement. Wahoo !
-.TP
-.B \-sO
-IP protocol scans\ : Cette mИthode est utilisИe
-pour dИterminer les protocoles IP supportИs par l'hТte.
-La technique consiste Ю envoyer des paquets IP bruts sans entЙte de protocole
-Ю chaque protocole spИcifiИ sur la machine cible.
-Si nous recevons un message ICMP ╚\ protocol unreachable\ ╩,
-alors le protocole n'est pas utilisИ. Autrement nous supposons qu'il est
-ouvert. Remarquez que certains hТtes (AIX, HP-UX, Digital UNIX)
-et les pare-feux peuvent ne pas renvoyer les
-messages ╚\ protocol unreachable\ ╩, faisant apparaНtre ouverts
-tous les protocoles.
-.Sp
-Comme cette technique est trХs similaire Ю l'analyse des ports UDP, la
-limitation du dИbit ICMP peut aussi apparaНtre.
-Mais comme le champ protocole d'IP n'a que 8 bits, il y a au plus 256
-protocoles, donc la durИe restera raisonnable.
-.TP
-.B \-sI <zombie host[:probeport]>
-scan paresseux : cette mИthode de scan avancИe autorise un scan TCP 
-vИritablement aveugle de la cible (aucun paquet ne sera envoyИ Ю la cible
-depuis votre vИritable adresse IP). ю la place, une attaque unilatИrale
-exploite la prИdiction de la sИquence d'identificateur de fragmentation IP
-de l'hТte zombie pour glaner des informations sur les ports ouverts de la cible.
-Les systХmes de dИtections d'intrusion indiqueront que le scan provient de la
-machine zombie spИcifiИe (qui doit Йtre active et vИrifier un certain nombre de
-critХres). J'envisage de donner plus d'explication Ю http://www.insecure.org/nmap/nmap_documentation.html 
-dans un futur proche.
-.TP
-.Sp
-En plus d'Йtre extraordinairement furtive (grБce Ю sa nature aveugle), ce scan
-permet de s'affranchir des relations de confiance entre machines
-fondИes sur l'IP. La liste de ports montre les ports ouverts
-.I tels que les voit l'hТte zombie.
-Aussi, vous pouvez essayer de scanner une cible en utilisant diffИrents zombies
-Ю qui elle fait confiance (via les rХgles de filtrage des routeurs/paquets).
-иvidemment cette information est cruciale pour orienter l'attaque. Autrement 
-votre test de pИnИtration va consommer des ressources considИrables
-appartenant au systХme intermИdiaire, pour s'apercevoir en fin de compte
-qu'il n'y a pas de relation de confiance entre l'hТte cible 
-et l'IP de la machine zombie.
-.Sp 
-Vous pouvez ajouter un deux-point suivi par le numИro de port si vous
-voulez tester un port particulier sur l'hТte zombie pour les changement IPID.
-Autrement Nmap utilisera le port qu'il utilise par dИfaut pour les pings TCP.
-.TP
-.B \-sA
-ACK scan\ : C'est une technique avancИe qui est utilisИ pour dИcouvrir
-les rХgles des pare-feux et pour savoir si on a affaire Ю un pare-feu ou un simple
-filtreur de paquets qui bloquent les paquets SYN entrant.
-.Sp
-Ce type d'analyse envoie un paquet ACK (avec un numИro 
-d'acquittement/sИquence alИatoire) aux ports spИcifiИs.
-Si un RST vient en retour, les ports sont classИs comme
-non filtrИs. Si rien ne revient (ou alors un message ICMP
-╚\ unreachable\ ╩), les ports sont classИs comme filtrИs . Remarquez
-que
-.I nmap
-n'affiche pas les ports non filtrИs.
-Aussi, si 
-.B aucun
-port n'est affichИ dans la sortie, c'est souvent un signe que tous
-les tests ont fonctionnИ (et retournИ RSTs). Ce scan ne montrera Иvidement
-jamais de port ouvert.
-.TP
-.B \-sW
-Window scan\ : C'est une analyse avancИe trХs similaire au 
-ACK scan, sauf qu'il peut parfois dИtecter aussi bien des
-ports ouverts que filtrИs/non filtrИs grБce Ю une anomalie
-dans la taille de la fenЙtre TCP rapportИe par certains systХmes.
-Parmi les systХmes vulnИrables se trouvent certaines versions de
-AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
-UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
-OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, et
-VxWorks. Voir les archives de la liste de diffusion nmap-hackers pour une liste
-exhaustive.
-.TP
-.B \-sR 
-RPC scan. Cette mИthode fonctionne en combinaison
-avec diverses mИthodes d'analyse de port de nmap.
-Il prend tous les ports TCP/UDP ouverts et les inonde de 
-commandes SunRPC NULL pour dИterminer ceux qui sont
-des ports RPC, et si c'est le cas, le programme et son numИro de version 
-qui les servent.
-Vous pouvez obtenir la mЙme information
-que 'rpcinfo -p' mЙme si le portmapper cible est derriХre un
-pare-feu (ou protИgИ par un wrapper TCP). Les leurres ne fonctionnent pour le
-moment pas avec les scans RCP, et je dois ajouter le support pour les leurres
-dans les scans UPD RCP.
-.TP
-.B \-sL
-scan-liste. Cette mИthode gИnХre une liste d'IP/nom sans les pinger ou les 
-scanner. La rИsolution de nom DNS sera rИalisИe sauf si vous utilisez -n.
-.TP
-.B \-b <ftp relay host>
-attaque par rebond FTP\ : Une caractИristique intИressante du 
-protocole ftp (RFC 959) est le support des connexions \fBproxy\fR. 
-En d'autres termes, je dois Йtre capable de me connecter depuis
-mechant.com au serveur FTP de cible.com et demander que le serveur envoie
-un fichier N'IMPORTE Oы sur Internet. гa fonctionnait bien 
-en 1985 quand la RFC a ИtИ Иcrite. Mais dans l'Internet d'aujourd'hui
-nous ne pouvons pas nous permettre d'avoir des pirates qui dИtournent 
-des serveurs ftp et envoient des donnИes n'importe oЫ dans Internet.
-J'avais Иcrit en 1995 que ce dИfaut du protocole ╚\ peut Йtre utilisИ pour
-envoyer des courriers et nouvelles intracables, 
-matraquer des serveurs de sites, saturer les disques,
-essayer de contourner les pare-feux et gИnИralement Йtre difficile Ю repИrer\ ╩.
-On peut aussi l'exploiter pour faire un scan 
-des ports TCP depuis un serveur ftp ╚\ proxy\ ╩. Ainsi, vous pouvez vous
-connecter Ю un serveur ftp derriХre un pare-feu et scanner les ports
-sans Йtre bloquИ (139 est un bon nombre). Si le serveur ftp
-autorise la lecture et l'Иcriture dans certains rИpertoires
-(tel que /incoming), vous pouvez envoyez des donnИes arbitraires
-aux ports que vous avez trouvИ ouvert (nmap ne le fera toutefois pas pour vous)
-.Sp
-L'argument passИ Ю l'option \fB-b\fR est l'hТte que vous voulez utiliser comme
-proxy, dans la notation URL standard. Le format est\ :
-.I username:password@server:port. 
-Tout sauf
-.I server
-est optionnel. Pour dИterminer les serveurs qui sont
-vulnИrables Ю cette attaque, vous pouvez voir mon article dans
-.I Phrack
-51. Une version mise Ю jour est disponible Ю l'URL 
-http://www.insecure.org/nmap.
-.TP
-.B OPTIONS GиNиRALES
-Aucune n'est nИcessaire, mais certaines peuvent Йtre trХs utiles.
-.TP
-.B \-P0
-Ne pas essayer de ping sur les hТtes avant de les analyser.
-Cela permet l'analyse des rИseaux qui ne permettent pas les requЙtes
-ou les rИponses ICMP Ю travers leurs pare-feux.
-Microsoft.com en est un exemple, et vous devez
-toujours utiliser
-.B \-P0
-ou
-.B \-PT80
-pour faire une analyse de port sur microsoft.com.
-.TP
-.B \-PT
-Utilise TCP "ping" pour dИterminer les hТtes actifs. Au lieu
-d'envoyer une requЙte d'Иcho ICMP et d'attendre une rИponse, nous 
-envoyons des paquets TCP ACK dans le rИseau cible
-(ou contre une machine) et attendons des rИponses pour conclure.
-Les hТtes devraient rИpondre par un
-RST. Cette option prИserve l'efficacitИ des scan
-des hТtes qui sont actifs mais autorise l'analyse des
-hТtes/rИseaux qui bloquent les paquets de ping.
-Pour les utilisateurs non root,
-nous utilisons connect(). Pour spИcifier le port de destination
-du test utilisez -PT<port number>. Le port par dИfaut est
-80, car ce port n'est pas souvent filtrИ.
-.TP
-.B \-PS
-Cette option utilise des paquets SYN (demande de connexion) Ю la place
-des paquets ACK pour les utilisateurs ROOT. Les hТtes actifs devrait rИpondre
-par un RST (ou, rarement par un SYN | ACK).
-.TP
-.B \-PI
-Cette option utilise un vИritable paquet ping (requЙte d'Иcho ICMP).
-Il recherche les hТtes actifs et aussi regarde les adresses
-de diffusion des sous-rИseaux. Il y a des adresses IP
-qui sont joignable de l'extИrieur et qui sont traduites
-en une diffusion de paquet entrant dans un rИseau. 
-гa devrait Йtre supprimИ, si dИcouvert, car Гa permet un grand nombre
-d'attaques de dИni de service.
-.TP
-.B \-PP
-utilise un paquet ICMP de requЙte d'estampille temporelle (code 13) pour
-dИterminer les hТtes qui Иcoutent.
-.TP
-.B \-PM
-Fait la mЙme chose que
-.B \-PI
-et
-.B \-PP
-sauf qu'il utilise une requЙte de masque de sous-rИseau (ICMP code 17).
-.TP
-.B \-PB
-C'est le ping par dИfaut. Il utilise les balayages ACK (
-.B \-PT
-) et ICMP (
-.B \-PI
-) en parallХle. De cette maniХre, vous pouvez passer les pare-feux qui ne filtrent
-que l'un des deux types de paquets.
-.TP
-.B \-O
-Cette option active l'identification de l'hТte distant via l'empreinte
-TCP/IP. Autrement dit, nmap utilise un ensemble de techniques
-pour dИtecter les subtilitИs dans la pile rИseau du systХme d'exploitation
-de l'ordinateur que vous Йtes en train d'analyser. Il utilise ces informations
-pour crИer une ╚\ empreinte\ ╩ qui est comparИe avec sa base de donnИes
-d'empreintes connues (le fichier nmap-os-fingerprints) pour retrouver le type 
-de systХme que vous Йtes en train d'analyser.
-.Sp
-Si Nmap est incapable de deviner le systХme d'exploitation de la machine,
-et que les conditions sont bonnes (par exemple, au moins un port est ouvert)
-Nmap fournira une URL que vous pourrez utiliser pour soumettre si vous
-connaissez avec certitude le nom du systХme d'exploitation Ю qui appartient 
-cette nouvelle empreinte.
-Vous contribuerez ainsi Ю augmenter le nombre de systХmes d'exploitations
-dИtectable par nmap et la la prИcision de la dИtection. Si vous laissez 
-une adresse IP dans le formulaire, la machine pourra Йtre analysИe lorsque
-nous ajouterons l'empreinte (pour valider que Гa marche).
-.Sp
-L'option \-O active aussi plusieurs autres tests. L'un d'entre eux est la mesure
-de ╚\ uptime\ ╩ (durИe ИcoulИe depuis le dernier redИmarrage du systХme), qui utilise l'estampille TCP (RFC 1323) pour deviner la date du 
-dernier redИmarrage de la machine. Ceci n'est rapportИ que pour les machines
-qui fournissent cette information.
-.Sp 
-Un autre test activИ par \-O est la classification de la prИdiction
-de la sИquence TCP. C'est une mesure qui dИcrit approximativement la difficultИ
-d'Иtablir une connexion TCP forgИe contre l'hТte distant. C'est utile
-pour exploiter les relations de confiances fondИes sur l'IP source
-(rlogin, firewall filters, etc) ou pour cacher la source d'une attaque.
-La valeur rИelle de la difficultИ est calculИe sur un Иchantillon et peut
-fluctuer. Il est gИnИralement plus appropriИ d'utiliser une classification
-par nom tel que ╚\ worthy challenge\ ╩ ou ╚\ trivial joke\ ╩. Ceci n'est 
-rapportИ dans la sortie normale qu'avec l'option -v.
-.Sp
-Si le mode verbeux (\-v) est activИ en mЙme temps que \-O, 
-la gИnИration de sИquence IPID est aussi rapportИe. 
-La plupart des machines appartiennent Ю la classe incrИmentale, 
-ce qui signifie qu'elle incrИmente le champ ID dans l'entЙte 
-IP pour chaque paquet envoyИ. Ce qui les rend vulnИrables
-Ю la collecte d'information avancИe et aux attaques par
-usurpation.
-.TP
-.B \-I
-Active l'analyse TCP reverse ident. Dave Goldsmith 
-dans un message Ю Bugtraq en 1996, a fait remarquer que le protocole
-ident (rfc 1413) autorise la dИcouverte du nom d'utilisateur qui
-possХde un processus connectИ via TCP, mЙme si le processus n'est pas Ю
-l'instigateur de la connexion. Vous pouvez ainsi vous connecter au port
-http et utiliser identd pour dИcouvrir si le serveur tourne sous root.
-Ceci ne peut Йtre fait qu'avec une connexion TCP complХte sur le port cible
-(i.e. l'option d'analyse -sT). Quand
-.B \-I
-est utilisИ, l'identd de l'hТte distant est interrogИ pour chaque port
-ouvert trouvИ. иvidemment Гa ne fonctionne pas si l'hТte n'utilise pas identd.
-.TP
-.B \-f
-Cette option oblige les analyses FIN, XMAS, ou NULL
-Ю utiliser de petit paquets IP fragmentИs. L'idИe est de partager
-l'entЙte TCP en plusieurs paquets pour rendre leurs dИtections plus difficile
-par les filtres et les systХmes de dИtection d'intrusion, et les autres 
-enquiquineurs qui tentent de dИtecter ce que vous Йtes en train de faire.
-Faites attention avec ceci, certains programmes ont des difficultИs avec ces
-petits paquets. Mon sniffer favori plante immИdiatement lorsqu'il reГoit le
-premier fragment de 36 octets.
-Cette option est inefficace contre les filtreurs de paquets et les pare-feux
-qui rИassemblent les fragments IP
-(comme l'option CONFIG_IP_ALWAYS_DEFRAG dans le noyau Linux), 
-certains rИseaux ne peuvent pas supporter cette perte de performance 
-et ne rИassemblent pas les paquets.
-.Sp
-Remarquez que je n'ai pas encore fait fonctionner cette option sur tous les
-systХmes. гa marche parfaitement sur les machines Linux, FreeBSD et OpenBSD
-et certaines personnes m'ont rapportИ leurs succХs avec d'autres saveurs 
-d'Unix.
-.TP
-.B \-v
-Mode verbeux. C'est une option hautement recommandИe qui fournit beaucoup
-d'informations sur ce que vous Йtes en train de faire. Vous pouvez l'utiliser
-deux fois pour un effet plus important. Utiliser
-.B \-d
-une paire de fois si vous voulez vraiment devenir fou avec le dИfilement de
-l'Иcran\ !
-.TP
-.B \-h
-Cette option affiche un bref rИcapitulatif des options de nmap.
-Comme vous l'avez sans doute remarquИ, cette page de manuel n'est pas vraiment
-un ╚\ bref rИcapitulatif\ ╩. :)
-.TP
-.B \-oN <logfilename>
-Enregistre les rИsultats de vos analyses dans un 
-format 
-.B lisible par un humain
-dans le fichier spИcifiИ en argument.
-.TP
-.B \-oX <logfilename>
-Enregistre le rИsultat de vos analyses dans un format 
-.B XML
-dans le fichier spИcifiИ en argument. Ceci permet Ю des programmes
-d'interprИter facilement les rИsultats de nmap. 
-Vous pouvez donner l'argument '\fB-\fR' (sans les guillemets) pour envoyer la sortie sur la sortie standard
-(pour les pipelines shells, etc).
-Dans ce cas la sortie normale sera supprimИe.
-Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
-encore envoyИs sur la sortie d'erreur standard).
-Notez aussi que \fB-v\fR peut afficher des informations supplИmentaires.
-La dИfinition de type de document (DTD) dИfinissant la structure de la sortie
-XML est disponible Ю http://www.insecure.org/nmap/data/nmap.dtd .
-.TP
-.B \-oG <logfilename>
-Enregistre les rИsultats de vos analyses dans une forme adaptИe pour 
-.B grep.
-Ce format simple fournit toutes les informations sur une ligne. C'est le
-mИcanisme prИfИrИ des programmes qui interagissent avec nmap, mais dИsormais nous
-recommandons plutТt la sortie XML (-oX). Ce format simple ne contient pas autant d'informations
-que les autres formats. Vous pouvez donner l'argument ╚\fB-\fR╩ (sans les guillemets) pour envoyer la sortie sur la sortie standard
-(pour les pipelines shells, etc).
-Dans ce cas la sortie normale sera supprimИe.
-Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
-encore envoyИs sur la sortie d'erreur standard).
-Notez aussi que \fB-v\fR peut afficher des informations supplИmentaires.
-.TP
-.B \-oA <logfilename>
-indique Ю nmap d'enregistrer dans tous les formats majeurs (normal, grep et
-XML). Vous fournissez le prИfixe du nom de fichier et les sorties auront
-respectivement les suffixes .nmap, .gnmap et .xml .
-.TP
-.B \-oS <logfilename>
-enregistre les rИsultats de vos analyses en format 
-.B script kiddie 
-(NdT\ : C'est un langage dans lequel certaines lettres sont remplacИes par des chiffres/symboles 
-typiquement exemple A devient 4, E devient 3, etc. Cette langue est utilisИe par 
-les ╚\ cowboyz\ ╩ d'Internet.
-Cette population folklorique amuse beaucoup les autres internautes, au point qu'il existe une option pour eux dans nmap)
-V0u$ poUV3z dOnn3r l'4rgUm3nt '\fB-\fR' (s4ns l3$ guIll3m3ts) poUr 3nvoy3r l4 sOrti3 sUr l4 $orti3 $t4nd4rd.
-.TP
-.B \--resume <logfilename>
-L'analyse d'un rИseau qui a ИtИ annulИe par un Ctrl-C, problХme de rИseau, etc.
-peut Йtre reprise en utilisant cette option. 
-logfilename doit Йtre soit un log normal (-oN) soit
-un log lisible par une machine (-oM) d'une analyse avortИe. 
-Aucune autre option ne peut Йtre donnИe (ce sont obligatoirement les mЙmes que
-celles du scan avortИ).
-Nmap dИmarrera sur la machine aprХs la derniХre machine qui a ИtИ analysИe avec succХs dans le
-fichier de log.
-.TP
-.B \--append_output
-indique Ю Nmap d'Иcrire Ю la fin des fichiers de sortie au lieu de les Иcraser.
-.TP
-.B \-iL <inputfilename>
-Lit les spИcifications de la cible depuis le fichier spИcifiИ
-plutТt que depuis la ligne de commande. Le fichier doit contenir une liste
-d'hТtes, d'expressions de rИseaux sИparИes par des espaces, tabulations ou retour chariots.
-Utilisez le tiret 
-pour lire depuis stdin (comme la fin d'un pipe).
-Voyez la section \fIspИcification de cible\fR
-pour plus d'information sur les expressions que vous pouvez mettre dans le fichier.
-.TP
-.B \-iR
-Cette option indique Ю Nmap de gИnИrer ses propres hТtes
-Ю analyser par tirage alИatoire :). гa ne finit jamais.
-гa peut Йtre utile pour un Иchantillon d'Internet pour estimer diverses choses.
-Si vous vous ennuyez, essayez
-.I nmap \-sS \-iR \-p 80
-pour rechercher des serveurs web Ю regarder.
-.TP
-.B \-p <port ranges>
-Cette option spИcifie les ports que vous voulez essayer.
-Par exemple '-p 23' n'essayera que le port 23 of de l'hТte
-cible. '\-p 20-30,139,60000-' analysera les ports entre 20 et 30, le port
-139, et tous les ports supИrieurs Ю 60000. Le comportement par dИfaut est d'analyser tous
-les ports de 1 Ю 1024 ainsi que tous les ports listИs dans les fichiers de services fournis avec nmap.
-Pour l'analyse par IP (-sO), ceci spИcifie le numИro de protocole que vous voulez analyser
-.Sp
-Lorsque vous scannez les ports TCP et UPD vous pouvez spИcifier un protocole
-particulier en prИfixant les numИros de ports par ╚\ T\ ╩: ou ╚\ U:\ ╩.
-L'effet du spИcificateur dure jusqu'Ю ce que vous en spИcifiez un autre.
-Par exemple, l'argument ╚\ -p U:53,111,137,T:21-25,80,139,8080\ ╩ 
-scannera les ports UDP 53, 111 et 137 ainsi que les ports TCP mentionnИs.
-Remarquez que pour scanner UDP et TCP, vous devez spИcifier -sU et au moins une
-analyse TCP (telle que -sS, -sF ou -sT). Si aucune spИcification de 
-protocole n'est indiquИe, les numИros de ports sont ajoutИs Ю tous les
-protocoles.
-.TP
-.B \-F Fast scan mode.
-SpИcifie que vous ne voulez analyser que les ports listИs
-dans le fichier des services livrИ avec nmap (ou le fichier des protocoles pour
--sO).
-C'est Иvidemment plus rapide que d'analyser les 65535 ports d'un hТte.
-.TP
-.B \-D <decoy1 [,decoy2][,ME],...>
-rИalise un scan avec leurres. Du point de vue de l'hТte distant, les hТtes 
-leurres apparaНtront comme s'ils analysaient aussi le rИseau cible. Ainsi, 
-les systХmes de dИtection d'intrusion ne pourront pas savoir parmi l'ensemble 
-des IP qui semblent les scanner quelle est l'IP qui effectue rИellement 
-l'analyse et quelles IP ne sont en rИalitИ que d'innocent leurres.
-Bien que ceci puisse Йtre contrИ par 
-path tracing, response-dropping, et d'autres mИcanismes actifs,
-c'est gИnИralement une technique efficace pour dissimuler son adresse IP.
-.Sp
-SИparez chaque hТte-leurre par des virgules, et vous pouvez optionnellement
-utiliser '\fBME\fR' (Moi) comme l'un des leurres pour reprИsenter
-la position que vous voulez utiliser pour votre adresse.
-Si vous utilisez '\fBME\fR' au delЮ de la 6Хme position, la plupart des dИtecteurs de scan
-(mЙme l'excellent scanlogd de Solar Designer) seront incapables de voir votre adresse IP.
-Si vous n'utilisez pas '\fBME\fR', nmap choisira une position alИatoire.
-.Sp
-Remarquez que les hТtes leurres doivent Йtre actifs
-ou vous risquez accidentellement de faire une inondation SYN sur vos cibles.
-Il est aussi presque facile de dИterminer qui est en train de scanner si seul une
-seule machine est active sur le rИseau. Vous pouvez vouloir utiliser des adresses IP
-Ю la place des noms (ainsi les rИseaux leurres ne vous verront pas dans les logs du serveurs de nom).
-.Sp
-Remarquez Иgalement que quelques dИtecteurs (stupides) de scan bloqueront 
-les hТtes qui tentent des scans de ports. Aussi vous pouvez par inadvertance
-bloquer l'accХs des machines leurres Ю la machine cible.
-Ceci peut provoquer de grave problХmes aux machines cibles si le leurre s'avХre Йtre
-sa passerelle internet ou mЙme ╚\ localhost\ ╩. Il faut donc utiliser prudemment cette option.
-La vraie morale de cette histoire est que les dИtecteurs de scan ne doivent pas prendre de
-mesures contre les machines qui semblent les analyser, car il se peut que ce soit des leurres\ !
-.Sp
-Les leurres sont utilisИs pour le scan initial (en utilisant ICMP,
-SYN, ACK, ou autre chose) et pendant la vИritable phase de scan. Les leurres sont aussi
-utilisИs pendant la dИtection de l'hТte distant (
-.B \-O
-).
-.Sp 
-Il ne faut pas oublier que d'utiliser un trop grand nombre de leurres
-peut ralentir
-le scan et mЙme le rendre imprИcis. De plus certains
-fournisseurs d'accХs Ю Internet (FAI) filtreront vos paquets usurpИs, bien que la plupart
-n'applique aucune restriction sur les paquets usurpИs.
-.TP
-.B \-S <adresse_ip>
-Dans certaines circonstances,
-.I nmap
-est incapable de dИterminer l'adresse source.
-.I Nmap 
-vous avertira si c'est le cas). Dans cette situation, utilisez
-\-S avec votre adresse IP (ou l'interface depuis laquelle vous voulez envoyer les paquets).
-.Sp
-Une autre utilisation possible de ce drapeau est d'usurper le scan pour faire croire
-aux cibles que
-.B quelqu'un d'autre les scanne.
-Imaginez une entreprise qui se croit rИguliХrement scannИe par un concurrent\ !
-Ce n'est pas l'utilisation premiХre ni le but principal de ce drapeau.
-Je pense que c'est juste une possibilitИ intИressante pour les personnes qui sont au courant
-avant qu'elles n'en accusent d'autres de les scanner.
-.B \-e
-est gИnИralement requis pour ce type d'utilisation.
-.TP
-.B \-e <interface>
-indique l'interface rИseau Ю utiliser pour envoyer et recevoir les paquets.
-\fBNmap\fR devrait Йtre capable de dИtecter ceci mais il vous prИviendra s'il n'y parvient pas.
-.TP
-.B \-g <portnumber>
-SpИcifie le numИro de port source dans le scan. 
-Beaucoup de pare-feux et de filtreur de paquets naОfs
-feront une exception dans leurs rХgles pour autoriser le passage des paquets
-DNS (53) ou FTP-DATA (20) pour Иtablir une connexion.
-иvidemment Гa rИduit complХtement les avantages de sИcuritИ d'un pare-feu
-puisque les intrus n'ont qu'Ю se dИguiser en FTP ou DNS en modifiant leur
-port source. иvidemment pour un scan UDP vous devriez utiliser
-53 en premier et pour les scans TCP vous devriez utiliser
-20 avant 53.
-Remarquer que ce n'est qu'une requЙte -- nmap ne le fera que s'il y parvient.
-Par exemple, vous ne pouvez pas faire des analyse en parallХle avec un seul port.
-Aussi \fBnmap\fR changera le port source mЙme si vous utilisez \fB-g\fR.
-.Sp
-Sachez qu'il y a une petite pИnalitИ de performance sur certains scans si vous utilisez
-cette option, parce que j'enregistre parfois des informations utiles dans le numИro de port
-source.
-.TP
-.B \--data_length <nombre>
-Normalement nmap envoie des paquets minimalistes qui ne contiennent que l'en-tЙte.
-Ainsi, les paquets TCP font 40 octets et les requЙtes d'Иcho ICMP, 28 octets.
-Cette option indique Ю Nmap d'ajouter le nombre spИcifiИ d'octets initialisИs Ю 0
-Ю la plupart des paquets qu'il envoie. La dИtection de systХme d'exploitation
-(-O) n'est pas affectИe, mais la plupart des paquets de ping et de scan de port
-le sont. гa ralentit les choses, mais Гa peut Йtre un peu moins voyant.
-.TP
-.B \-n
-Dit Ю Nmap de ne 
-.B JAMAIS
-faire de rИsolution DNS inverse sur une adresse IP active. Comme DNS est
-souvent lent,
-Гa peut aider Ю accИlИrer les choses.
-.TP
-.B \-R
-Dit Ю Nmap de 
-.B TOUJOURS
-faire la rИsolution DNS inverse des adresses IP cibles. Normalement
-ceci n'est fait que pour les machines vivantes.
-.TP
-.B \-r
-Dit Ю Nmap 
-.B DE NE PAS
-changer alИatoirement l'ordre dans lequel les ports seront analysИs.
-.TP
-.B \-\-randomize_hosts
-Dit Ю nmap de mИlanger chaque groupe comprenant jusqu'Ю 2048 hТtes avant de les analyser.
-Ceci rend les scans moins Иvidents Ю de nombreux systХmes de surveillance rИseau,
-particuliХrement quand vous le combinez avec des options
-pour ralentir le timing (voir ci-dessous).
-.TP
-.B \-M <max sockets>
-SpИcifie le nombre maximum de sockets qui seront utilisИs en parallХle
-pour le scan TCP connect() (celui par dИfaut). C'est utile pour
-ralentir lИgХrement le scan et Иviter de crasher les machines cibles. Une autre
-approche consiste Ю utiliser \fB-sS\fR, qui est gИnИralement plus facile Ю gИrer
-pour les machines.
-.TP
-.B OPTIONS TIMING
-gИnИralement nmap parvient Ю s'ajuster correctement
-aux caractИristiques du rИseau et Ю analyser aussi vite que possible
-tout en minimisant la probabilitИ d'Йtre dИtectИ.
-Cependant, il y a des cas oЫ les timings par dИfaut
-de Nmap ne correspondent pas Ю vos objectifs. Les options suivantes
-permettent un contrТle fin des timings\ :
-.TP
-.B -T <Paranoid | Sneaky | Polite | Normal | Aggressive | Insane>
-Ce sont les diffИrentes politiques de timing pour communiquer de
-maniХre pratique vos prioritИs Ю nmap.
-
-.B Paranoid 
-analyse
-.B trХs lentement
-dans l'espoir d'Иviter d'Йtre repИrИ par les systХme de dИtection d'intrusion.
-Il sИrialise tous les scans (pas de scan parallХle) et attend au moins
-5 minutes entre les envois de paquets.
-
-.B Sneaky 
-c'est la mЙme chose, sauf qu'il attend 15 secondes entre les envois de paquets. 
-
-.B Polite
-essaye de minimiser la charge sur le rИseau et de rИduire la probabilitИ de
-crasher des machines. Il sИrialises les test et attend
-.B au moins
-0,4 secondes entre chaque. 
-
-.B Normal
-c'est le comportement par dИfaut de Nmap, qui essaye de s'exИcuter aussi
-vite que possible sans surcharger le rИseau ou oublier des
-hТtes/ports.
-
-.B Aggressive
-ajoute un dИcompte de 5 minutes par hТte et n'attends jamais les rИponses
-individuelles plus de 1.25 secondes.
-
-.B Insane 
-ne convient qu'aux rИseaux ultra-rapides oЫ vous ne risquez par de perdre
-d'informations. Il ajoute un dИcompte de 75
-secondes et n'attend les rИponses individuelles que pendant
-0,3 secondes. Il permet de balayer trХs rapidement les rИseaux.
-Vous pouvez aussi rИfИrencer ces modes par numИro (0-5).
-Par exemple, '-T 0' donne le mode Paranoid et '-T 5' le mode Insane.
-.Sp
-Ces modes timings NE devrait PAS Йtre utiliser en combinaison avec les contrТles
-de bas niveau donnИs ci-dessous.
-.TP
-.B --host_timeout <millisecondes>
-SpИcifie la durИe que \fBnmap\fR est autorisИe Ю consacrer
-Ю l'analyse d'un hТte unique avant d'abandonner cette IP.
-Par dИfaut il n'y a pas de temps limite pour un hТte.
-.TP
-.B --max_rtt_timeout <millisecondes>
-SpИcifie la durИe maximale que \fBnmap\fR peut laisser s'Иcouler en attendant
-une rИponse Ю ses tests avant de retransmettre ou de laisser tomber.
-La valeur par dИfaut est 9\ 000.
-.TP
-.B --min_rtt_timeout <millisecondes>
-Quand les hТtes cibles commencent Ю Иtablir un modХle de rИponse trХs
-rapidement, \fBnmap\fR diminuera la durИe accordИe par test.
-Ceci augmente la vitesse du scan, mais peut conduire Ю la perte de paquets
-quand une rИponse prend plus de temps que d'habitude.
-Avec ce paramХtre vous pouvez garantir que \fBnmap\fR attende au moins
-une certaine durИe avant de laisser tomber un test.
-.TP
-.B --initial_rtt_timeout <millisecondes>
-SpИcifie le dИcompte du test initial. Ce n'est gИnИralement utile
-que lors de l'analyse d'hТte derriХre un pare-feu avec -P0.
-Normalement \fBnmap\fR obtient de bonnes estimations Ю partir
-du ping et des premiers tests. Le mode par dИfaut est 6\ 000.
-.TP
-.B --max_parallelism <nombre>
-SpИcifie le nombre maximum de scans que \fBnmap\fR est autorisИ Ю mener en parallХle.
-Positionner ceci Ю 1 signifie que \fBnmap\fR n'essayera jamais de
-scanner plus d'un port Ю la fois. Ce nombre affecte aussi les autres scans
-parallХle comme le balayage de ping, RPC scan, etc.
-.TP
-.B --scan_delay <millisecondes>
-SpИcifie la durИe 
-.B minimum
-que \fBnmap\fR doit laisser s'Иcouler entre ses envois. C'est utile pour rИduire la
-charge du rИseau ou pour ralentir le dИbit du scan afin de ne pas atteindre
-le seuil de dИclenchement des systХmes de dИtection d'intrusion.
-
-.SH SPиCIFICATION DE CIBLE
-Tout ce qui n'est pas une option ou un argument d'option
-est traitИ par nmap comme une spИcification d'hТte.
-Le cas le plus simple et une liste de nom d'hТtes ou d'adresse IP sur la ligne
-de commande. 
-Si vous voulez analyser un sous rИseau d'adresses IP vous pouvez ajouter
-.B '/mask' 
-au nom d'hТtes
-.B mask 
-doit Йtre compris entre 0 (scanner tout internet) et 32 (scanner un seul
-hТte). Utiliser /24 pour analyser des adresses de classe 'C' 
-et /16 pour la classe 'B'.
-.Sp
-\fBNmap\fR utilise une notation puissante pour spИcifier une adresse IP
-en utilisant des listes/intervalles pour chaque ИlИment.
-Ainsi vous pouvez analyser tout un rИseau de classe B
-192.168.*.* en spИcifiant '192.168.*.*' ou '192.168.0-255.0-255' ou 
-mЙme '192.168.1-50,51-255.1,2,3,4,5-255'. Et bien sШr, vous pouvez utiliser
-la notation mask : '192.168.0.0/16'. Elles sont toutes Иquivalentes
-Si vous utilisez des astИrisques ('*'), souvenez-vous que la plupart des
-shells nИcessitent que vous les prИcИdiez par des anti-slash ou que vous les 
-protИgiez par des guillemets.
-.Sp
-Une autre chose intИressante Ю faire et de dИcouper Internet\ :
-au lieu de scanner les hТtes dans une classe 'B', 
-scanner '*.*.5.6-7' pour analyser toutes les adresses IP se terminant
-par .5.6 ou .5.7. Pour plus d'informations sur la spИcification
-des hТtes Ю analyser, voyez la section
-.I exemples.
-.SH EXEMPLES
-Voici quelques exemples d'utilisation de \fBnmap\fR du plus simple au plus compliquИ.
-Remarquez que les noms et adresses sont utilisИes pour rendre les choses
-plus concrХtes. ю leur place vous devriez substituer les noms et adresses
-de
-.B votre propre rИseau.
-Je ne pense pas que l'analyse de ports d'autres rИseaux soit illИgale, ni
-que l'analyse de ports doit Йtre considИrИe par les autres comme une attaque.
-J'ai analysИ des centaines de milliers de machines et je n'ai reГu 
-qu'une seule plainte. Mais je ne suis pas juriste et certaines personnes pourraient
-Йtre ennuyИes par les tests de
-.I nmap. 
-Aussi demandez prИalablement la permission ou utilisez \fBnmap\fR
-Ю vos risques et pИrils.
-.Sp
-.B nmap -v cible.exemple.com
-.Sp
-Cette option analyse tous les ports TCP rИservИs sur la machine
-cible.exemple.com . Le \-v signifie d'activer le mode verbeux.
-.Sp
-.B nmap -sS -O cible.exemple.com/24
-.Sp
-Envoie un scan SYN furtif contre chaque machine active parmi
-les 255 machines de classe 'C' qui sont sur cible.exemple.com.
-Il essaye aussi de dИterminer quel systХme d'exploitation fonctionne sur
-chaque hТte. Ceci nИcessite les privilХges root en raison du scan SYN et
-de la dИtection de systХme d'exploitation.
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
-.Sp
-Envoie un scan Xmas tree Ю la premiХre moitiИ
-de chacun des 255 sous-rИseaux de l'espace d'adresse de classe B
-198.116. Nous sommes en train de tester si les systХmes font fonctionner sshd,
-DNS, pop3d, imapd, ou port 4564. Remarquez que les scan Xmas 
-ne fonctionnent pas contre les machines Microsoft en raison de leur pile TCP
-dИficiente. Le mЙme problХme se produit aussi avec les machines
-CISCO, IRIX, HP/UX, et BSDI.
-.Sp
-.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
-.Sp
-PlutТt que de se concentrer sur une plage spИcifique d'IP,
-il est parfois intИressant de dИcouper l'ensemble d'Internet et 
-d'analyser un petit Иchantillon de chaque tranche. Cette commande
-trouve tous les serveurs web sur des machines dont l'adresse IP
-se termine par .2.3, .2.4 ou .2.5 .
-Si vous Йtes root, vous pouvez aussi ajouter \fB-sS\fR. 
-Vous trouverez plus de machine intИressantes en commenГant Ю 127, aussi
-vous utiliserez '127-222' Ю la place de la premiХre astИrisque
-car cette section possХde une plus grande densitИ de machine intИressantes.
-.Sp
-.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
-.Sp
-Fait un transfert DNS pour dИcouvrir les hТtes de company.com
-et utiliser leurs adresses IP pour alimenter 
-\fInmap\fR.
-Les commandes ci-dessus sont pour mon ordinateur GNU/Linux. 
-Vous pouvez avoir besoin d'autres commandes/options pour d'autres systХmes d'exploitations.
-.SH BOGUES 
-Bogues\ ? Quels bogues\ ? Envoyez-moi tout ce que vous trouverez.
-Les patchs sont les bienvenus. Souvenez-vous
-que vous pouvez aussi envoyer les empreintes de nouveaux systХmes
-d'exploitation pour enrichir la base de donnИes.
-Si une empreinte appropriИe est trouvИe, Nmap 
-affichera l'URL Ю laquelle vous pourrez l'envoyer.
-.SH AUTEUR
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH DISTRIBUTION
-La derniХre version de
-.I nmap
-peut Йtre obtenu depuis
-.I http://www.insecure.org/nmap/
-.Sp
-.I nmap 
-est (C) 1995-2001 par Insecure.Com LLC
-.Sp
-.I libpcap
-est aussi distribuИe avec nmap. Il est copyrightИ par
-Van Jacobson, Craig Leres et Steven McCanne, tous du
-Lawrence Berkeley National Laboratory, University of
-California, Berkeley, CA. La version distribuИe avec nmap
-peut Йtre modifiИe, les sources d'origine sont disponibles
-Ю ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
-.Sp
-Ce programme est un logiciel libre, vous pouvez
-le redistribuer et/ou le modifier sous les termes de la
-GNU General Public License telle que publiИe par
-par la Free Software Foundation\ ;
-Version 2. Ceci garantit votre droit d'utiliser, modifier
-et redistribuer Nmap sous certaines conditions.
-Si cette licence est inacceptable pour vous, Insecure.Org 
-pourrait Иventuellement vendre d'autres licences.
-(contacter \fBfyodor@dhp.com\fR).
-.Sp
-Les sources sont fournies avec ce logiciel
-car nous croyons que les utilisateurs ont le droit de savoir exactement ce que
-fait un programme avant de le lancer. Ceci vous permet aussi d'auditer le
-logiciel pour rechercher des trous de sИcuritИ
-(aucun n'a ИtИ trouvИ jusqu'Ю prИsent).
-.Sp
-Le code source vous permet aussi de porter Nmap vers de nouvelles plates-formes, 
-corriger des bogues et ajouter de nouvelles caractИristiques. 
-Vous Йtes vivement encouragИ Ю envoyer vos modifications
-Ю \fBfyodor@insecure.org\fR pour une Иventuelle incorporation dans
-la distribution principale. En envoyant ces modifications Ю
-Fyodor ou Ю quelqu'un de la liste de diffusion de dИveloppement
-de insecure.org, il est supposИ que vous offrez Ю 
-Fyodor le droit illimitИ et non exclusif de rИutiliser,
-modifier et relicencier le code. C'est important parce que l'impossibilitИ
-de relicencier le code a provoquИ des problХmes dИvastateurs dans d'autres
-projets de logiciel libre (comme KDE et NASM).
-Nmap sera toujours disponible en Open Source. 
-Si vous dИsirez spИcifier des conditions particuliХres de licence pour vos
-contributions, dites-le nous simplement quand vous nous les envoyez.
-.Sp
-Ce programme est distribuИ dans l'espoir d'Йtre utile, mais 
-.B SANS AUCUNE GARANTIE
-mЙme la garantie implicite relative Ю la 
-.B QUALITи MARCHANDE
-ou 
-.B D'APTITUDE ю UNE UTILISATION PARTICULIхRE.
-Voir la licence GPL (c'est le fichier COPYING de la
-distribution \fInmap\fR. 
-.Sp
-Remarque\ : Nmap a dИjЮ fait planter certaines
-applications, des piles TCP/IP et mЙme des systХmes d'exploitations mal Иcrits.
-Par consИquent
-.B Nmap ne devrait jamais Йtre utilisИ contre des systХmes qui ont une mission
-critique Ю moins que vous ne soyez prЙt Ю souffrir d'une Иventuelle
-interruption de service. Nous reconnaissons ici que \fbnmap\fR
-peut crasher vos systХmes et rИseaux mais nous ne sommes pas responsables
-des dИgБts que Nmap pourrait provoquer.
-.Sp
-En raison du lИger risque de crashs et parce que quelques personnes
-mal intentionnИes utilisent nmap pour les reconnaissances prИliminaires Ю une
-attaque, certains administrateurs deviennent furieux et se plaignent quand leurs
-systХmes sont scannИs. C'est pourquoi il est plus sage de demander la permission
-avant de lancer l'analyse d'un rИseau.
-.Sp
-Nmap ne devrait jamais Йtre lancИ avec des privilХges (par exemple suid root) 
-pour des raisons de sИcuritИ.
-.Sp
-Toutes les versions de Nmap postИrieures Ю la 2.0 sont compatibles 
-an 2000. Il n'y a aucune raison de penser que les versions antИrieures ont des
-problХmes, mais nous ne les avons pas testИes.
-.SH TRADUCTION
-SИbastien Blanchet, 2002 <sebastien.blanchet AT free.fr>
-.SH RELECTURE
-GИrard Delafond
diff --git a/docs/nmap_german.1 b/docs/nmap_german.1
deleted file mode 100644
index da4234f96..000000000
--- a/docs/nmap_german.1
+++ /dev/null
@@ -1,991 +0,0 @@
-.\" This definition swiped from the gcc(1) man page
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH NAME
-nmap - Auswertungstool fuer Netzwerke und Security Scanner
-.SH SYNTAX
-.B nmap
-[Scan-Typ(en)] [Optionen] <Host oder Netz #1 ... [#N]>
-.SH BESCHREIBUNG
-
-.I Nmap 
-wurde entwickelt, um Systemadministratoren und kuriosen Individuen die
-Moeglichkeit zu geben, ansprechbare Systeme und die durch sie bereitgestellten
-Dienste in grossen Netzwerken zu identifizieren.
-.I nmap 
-unterstuetzt eine Vielzahl verschiedener Scanning-Techniken, wie zum Beispiel
-UDP, TCP connect(), TCP SYN (half open), FTP-Proxy (bounce attack),
-Reverse-ident, ICMP (Ping-Suchlauf), FIN, ACK-Suchlauf, Xmas-Tree,
-SYN-Suchlauf, IP-Protocol und Null-Scan.
-Siehe Absatz
-.I Scan-Typen 
-fuer mehr Informationen. Ebenso ermoeglicht nmap eine Vielzahl von
-zusaetzlichen Moeglichkeiten, wie das Erkennen von Betriebssystemen mittels
-TCP/IP-Fingerprinting, Stealth-Scanning, dynamische Verzoegerungen und
-Uebertragungswiederholungs-Berechnungen, paralleles Scanning, Entdecken
-abgeschalteter Systeme mittels parallelem Scanning, Decoy-Scanning, entdecken
-von Port-Filtering, direktes RPC-Scanning (ohne Portmapper), fragmentiertes
-Scanning sowie flexible Ziel und Port Spezifizierung.
-.PP
-Ein Grossteil der Arbeit wurde in die Moeglichkeiten fuer non-root Benutzer
-investiert. Leider benoetigen viele exotische Techniken (z.B. die Kernel-nahen
-raw sockets) root-Privilegien. Aus diesem Grund sollte nmap stets als root
-genutzt werden, sofern dies moeglich ist (natuerlich kein setuid root).
-.PP
-Das Resultat eines nmap-Durchlaufs ist normalerweise eine Liste saemtlicher
-interessanter Ports der gescannten Geraete (falls vorhanden). Sofern eine
-Zuweisung stattfinden kann, benennt nmap die well-known Ports direkt mit ihrem
-Service-Namen, Portnummer, Status und Protokoll. Der Status ist
-entweder 'open', 'filtered' oder 'unfiltered'. Open (dt. offen) bedeutet, dass
-das Zielsystem auf diesem Port Verbindungen anzunehmen in der Lage ist.
-Filtered (dt. gefiltert) weist darauf hin, dass ein dediziertes
-Firewall-System, TCP/IP-Filter oder Netzwerk-Element die Arbeit von nmap
-behindert und somit keine verlaesslichen Rueckschluesse gemacht werden
-koennen. Unfiltered (dt. ungefiltert) heisst, dass nmap den Port kennt, jedoch
-beim Zugriff keinerlei Filter-Mechanismen ausgemacht werden konnten. Der
-ungefilterte Status wird in den meisten aller Faelle vorhanden sein, weshalb
-ein solcher nur immer dann ausgwiesen wird, wenn die meisten der gescannten
-Ports gefiltert (engl. filtered) sind.
-.PP
-Jenachdem, welche Optionen angewandt wurden, ist nmap in der Lage Auskunft
-ueber die folgenden Charakteristiken des Zielsystems zu geben: Genutztes
-Betriebssystem, TCP-Sequenznummern, Benutzername der an die Ports gebundene
-Software, DNS-Name, ob es sich um ein Smurf-System handelt und viele mehr.
-.SH OPTIONEN
-Das Zusammenspiel verschiedener Optionen ist immer dann moeglich, wenn dies
-auch Sinn macht. Einige Parameter koennen nur in Verbindung mit spezifischen
-Scan-Methoden genutzt werden.
-.I nmap 
-versucht unlogische und nicht unterstuetzte Kombinationen von Parametern
-abzufangen und den Benutzer entsprechend zu warnen.
-.Sp
-Falls Sie ungeduldig sind, koennen Sie den Abschnitt 
-.I Beispiele
-ueberspringen. Darin werden typische Befehlseingaben gezeigt. Ebenso kann
-.B nmap -h
-ausgefuehrt werden, um eine kurze Optionsreferenz ausgeben zu lassen.
-.TP
-.B SCAN-TYPEN
-.TP
-.B -sS
-TCP SYN-Scan: Diese Technik wird oft als "halb-offen" (engl. "half-open")
-bezeichnet, da keine volle TCP-Verbindung zustande kommt. Der Scanner schickt
-ein TCP-Datagramm mit gesetzter SYN-Flagge an das Zielsystem, so wie dies im
-Rahmen des Drei-Wege-Handschlags von TCP normalerweise auch der Fall ist. Nun
-wird auf eine positive Rueckmeldung des Zielsystems gewartet. Kommt ein Paket
-mit gesetzter SYN/ACK-Flagge zurueck, so wird der Zielport als im Status
-LISTENING (dt. abhoerend) identifiziert. Im Gegenzug deutet ein RST-Datangramm
-auf einen geschlossenen Port (engl. closed) hin. Wird ein SYN/ACK-Datagramm
-entgegengenommen, schickt nmap (bzw. der Betriebssystem-Kernel) automatisch
-ein RST zurueck, um den Verbindungsaufbau zu abzubrechen. Der primaere Vorteil
-dieser Vorgehensweise ist, dass viele Systeme solcherlei Zugriffe nicht
-protokollieren (Die meisten Applikationen interessieren sich nur fuer
-vollstaendig etablierte Verbindungen). Leider setzt diese Scan-Technik
-root-Privilegien voraus, da eine Generierung verhaeltnismaessig exotischer
-Paket-Sequenzen von Noeten ist. Dies ist die standardmaessige Scan-Methode
-fuer priviligierte Benutzer.
-.TP
-.B -sT 
-TCP connect()-Scan: Dies ist die klassische Form des TCP-Portscannings. Der
-connect()-System-Call, der das Betriebssystem zur Verfuegung stellt, wird
-immer dann genutzt, wenn eine Verbindung zum Port eines Zielsystems
-hergestellt werden soll. Befindet sich der Zielport im Status LISTENING, so
-wird der connect()-Zugriff erfolgreich ausfallen. Der entscheidende Vorteil
-dieser Methode ist, dass keine erweiterten Rechte zur Durchfuehrung
-erforderlich sind. Jeder Benutzer der meisten UNIX-Systeme ist in der Lage
-solcherlei Zugriffe durchzufuehren.
-.Sp
-Diese Scan-Technik ist einfach zu entdecken und wird mit groesster
-Wahrscheinlichkeit in den Protokoll-Dateien des Zielsystems auftauchen. Dies
-ist der standardmaessig aktivierte Scan-Typ fuer unprivilegierte Anwender.
-.TP
-.B -sF -sX -sN 
-Stealth FIN-, Xmas-Tree- oder Null-Scan-Modis: Es gibt Momente, wo SYN-Scans
-nicht heimlich genug ausfallen. Einige Firewall-Systeme (z.B. Packet-Filter)
-sind in der Lage verdaechtige SYN-Aktivitaeten zu erkennen; ebenso koennen
-Programme wie Synlogger oder Courtney die SYN-Portscans als solche ausweisen.
-Diese erweiterten Scan-Techniken koennen somit in manchen Faellen ungehindert
-die gewuenschten Resultate liefern.
-.Sp
-Die Idee ist, dass geschlossene Ports auf solcherlei Zugriffe mit einem
-RST-Datagramm antworten muessten, waehrend ansprechbare Ports die Anfragen
-ignorieren sollten (siehe RFC 793, S. 64). Der FIN-Scan nutzt ein
-TCP-Datagramm mit gesetzter FIN-Flagge, waehrend der Xmas-Tree-Scan die
-TCP-Flaggen FIN, URG und PSH aktiviert. Der Null-Scan schaltet alle optionalen
-Flags ab. Leider ignoriert einmal mehr Microsoft die gaengigen Standards und
-reagiert auf die exotischen Scan-Techniken ganz unerwartet. Dies bedeutet,
-dass diese Scanning-Methoden nicht gegen Windows 9x, ME, NT, 2000 und XP
-funktionieren. Auf der anderen Seite ist dies natuerlich hervorragend, wenn es
-um das Identifizieren der TCP/IP-Implementierung von Microsoft geht: Findet
-einer dieser Scans einen offenen Port, so kann davon ausgegangen werden, dass
-es sich beim Zielsystem nicht um ein Windows handelt - Im Gegenzug deuten
-unrealistisch viele offene Ports auf eine Windows-Maschine hin. Es gilt sich
-jedoch noch die Meinung einer klassischen Scan-Methode (z.B. SYN) einzuholen.
-Es gibt noch einige andere Betriebssysteme, die sich aehnlich demjenigen von
-Microsoft verhalten. Dies sind zum Beispiel Cisco, BSDI, HP/UX, MVS und IRIX.
-All diese retournieren ein Reset, auch wenn es sich um einen ansprechbaren
-Port handelt. Mittlerweile ist diese knifflige Unterscheidungs-Arbeit mittels
-exotischer Scanning-Techniken eher weniger wichtig, da nmap eine erweiterte
-Methode fuer das Erkennen des eingesetzten Betriebssystems mitbringt.
-.TP
-.B -sP
-Ping-Scanning: Manchmal ist es lediglich gefragt, welche Hosts in einem
-Netzwerk aktiv sind. nmap kann diese Frage beantworten, indem eine ICMP echo
-request-Anfrage an jede IP-Adresse im spezifizierten Netzwerk geschickt wird.
-Hosts, die mit einer ICMP echo reply antworten, koennen als aktiv ausgewiesen
-werden. Viele gewissenhafte Firewall- und Systemadministratoren filtern bzw.
-verwerfen unnoetigen ICMP-Verkehr. nmap greift sodann auf eine andere Technik
-zurueck. Es wird ein TCP-Datagramm mit gesetzter ACK-Flagge an einen
-potentiell offenen Port des Zielsystems geschickt (standardmaessig TCP-Port
-80). Wird ein RST zurueckgeschickt, so ist das Zielsystem vorhanden und
-ansprechbar. Eine dritte Technik greift auf ein SYN-Datagramm zurueck, das auf
-ein RST oder SYN/ACK wartet. Alle non-root Benutzer fuehren einen
-connect()-Zugriff durch.
-.Sp
-Standardmaessig (bei root-Benutzern) fuehrt nmap beides - ICMP- und
-ACK-Technik - parallel durch. Dies kann durch das Heranziehen der spaeter noch
-detaillierter beschriebenen Option
-.B -P 
-geaendert werden.
-.Sp
-Wichtig ist zu wissen, dass der Ping-Zugriff standardmaessig stets erfolgt.
-Abhaengig der Erreichbarkeit eines Systems wird ein solches dann gescannt.
-Benutzen Sie diese Option lediglich dann, wenn es um das Durchfuehren eines
-Ping-Suchlaufs (
-.B ohne
-Portscan) geht.
-.TP
-.B -sU
-UDP-Scans: Diese Methode wird stets dann herangezogen, wenn es um das
-Identifizieren der offenen UDP-Ports (siehe RFC 768) eines Systems geht. Diese
-Technik basiert darauf, dass ein UDP-Datagramm mit 0 Byte an Nutzdaten an
-jeden Port des Zielsystems geschickt wird. Erhalten wir eine ICMP port
-unreachable-Nachricht, so ist der Zielport geschlossen. Andererseits handelt
-es sich um einen offenen Port.
-.Sp
-Einige Leute denken, dass UDP-Scanning sinnlos ist. Ich moechte in diesem
-Zusammenhang auf die Luecke in Solaris' rpcbind hinweisen. rpcbind kann an
-einem undokumentierten UDP-Port ueber 32770 gefunden werden. Bei diesem
-Angriff und der vorangehenden Auswertung ist es sodann zu einem hohen Grad
-irrelevant, ob Port 111 durch eine Firewall blockiert wird oder nicht. Ebenso
-existiert das populaere, von cDc entwickelte Backdoor namens Back Orifice, das
-durch einen frei waehlbaren UDP-Port Windows-Maschinen kontrollieren laesst.
-Und nicht zu vergessen die vielen potentiell verwundbaren Dienste, die auf UDP
-zurueckgreifen: SNMP, TFTP, NFS, etc.
-.Sp
-Traurigerweise ist UDP-Scanning in den meisten Faellen schmerzhaft langsam,
-seitdem viele Betriebssystem-Entwickler der Empfehlung von RFC 1812 (Absatz
-4.3.2.8) nachgekommen sind, die Anzahl ausgehender ICMP-Fehlernachrichten zu
-limitieren. Zum Beispiel definiert der Linux-Kernel (in net/ipv4/icmp.h) die
-Anzahl ausgehender ICMP destination unreachable-Fehlermeldungen auf 80 fuer 4
-Sekunden, mit einer 1/4 Sekunde Zusatz fuer jeden Uebertritt. Solaris weist
-einiges striktere Limitierungen auf (2 Nachrichten pro Sekunde), weshalb ein
-UDP-Portscan gegen ein Solaris-System sehr lange dauert.
-.I nmap
-ist in der Lage solcherlei Limitierungen zu erkennen und mit einem dynamischen
-Verlangsamen der Geschwindigkeit zu reagieren. Dies verhindert das Verstopfen
-des Netzwerks mit unnoetigen Paketen, die sowieso vom Zielsystem ignoriert
-werden wuerden.
-.Sp
-Einmal mehr typisch, ignoriert Microsoft die Empfehlungen des RFCs, weshalb
-eine Einschraenkung ausgehender ICMP-Fehlermeldungen gaenzlich bei der
-TCP/IP-Implementierung auf Windows 9x und NT fehlt. Das scannen saemtlicher
-UDP-Ports auf einer Windows-Maschine ist somit kein groesseres Problem.
-.TP
-.B -sO
-IP protocol-Scans: Diese Methode kommt dann zum Tragen, wenn herausgefunden
-werden will, welche IP-Protokolle vom Zielsystem unterstuetzt werden. Diese
-Technik basiert darauf, dass fuer jedes IP-Protokoll ein RAW IP-Paket mit
-fehlendem Protokoll-Header an das Zielsystem geschickt wird. Erhalten wir eine
-ICMP protocol unreachable-Fehlermeldung, so koennen wir davon ausgehen, dass
-das besagte Protokoll nicht unterstuetzt wird. Faellt das Resultat anders aus,
-kann mit einer Protokoll-Unterstuetzung gerechnet werden. Es ist wichtig zu
-bemerken, dass einige Betriebssysteme (z.B. AIX, HP-UX und Digital UNIX) und
-Firewall-Loesungen auf das Versenden der ICMP protocol
-unreachable-Fehlermeldungen gaenzlich verzichten. Das Resultat eines solchen
-Verhaltens ist die durch nmap generierte Ausgabe, dass saemtliche Protokolle
-"offen" sind.
-.Sp
-Aufgrund dessen, dass diese Scan-Methode in ihren Grundzuegen auf den
-Prinzipien des UDP-Portscannings aufbaut, spielt die Rate der potentiell
-generierten ICMP-Fehlermeldungen eine beachtliche Wichtigkeit. Da das
-IP-Protokoll Feld nur 8 Bits hat, muessen lediglich 256 Protokolle gescannt
-werden, was sich in einem angemessenen Zeitrahmen erledigen laesst.
-.TP
-.B -sI <Zombie-Host[:Zielport]>
-Idlescan: Diese erweiterte Scan-Technik ermoeglicht ein blindes Scannen der
-TCP-Port eines Ziels (dies bedeutet, dass keinerlei Pakete mit der richtigen
-IP-Absenderadresse verschickt werden). Stattdessen wird eine einzigartige
-Attacke angewandt, die die Berechenbarkeit der IP Fragmentation ID eines
-Zombie-Hosts ausnutzt. Intrusion Detection-Systeme werden den Scan-Versuch
-dem spezifizierte Zombie-System zuschreiben (welches ansprechbar sein und
-bestimmte Kriterien erfuellen muss). Ich habe eine Publikation zu diesem
-Thema verfasst, die sich unter http://www.insecure.org/nmap/idlescan.html
-findet.
-.Sp
-Neben der vollkommenen Sicherheit, nicht direkt erkannt werden zu koennen,
-ermoeglicht dieser Scan-Typ das Erkennen von IP-basierenden
-Vertrauensbeziehungen zwischen Geraeten. Das Port-Listing zeigt die offenen
-Ports
-.I aus der Sicht des Zombie-Systems.
-Es ist sodann Moeglich das effektive Zielsystem durch verschiedene Zombies
-scannen zu lassen, die eine bestehende Vertrauensbeziehung haben (via Router-
-oder Packetfilter-Regeln). Ganz offensichtlich ist dies eine gewichtige
-Information, wenn es um das Priorisieren von Angriffszielen geht. Andererseits
-muessten Penetration Tester zuerst muehsam ein System kompromittieren, bis
-verlaesslich gesagt werden kann, ob ueberhaupt die erforderliche
-Vertrauensbeziehung besteht.
-.Sp
-Durch einen Doppelpunkt laesst sich die Portnummer des Zombiesystems
-definieren. Ohne diese Angabe waehlt nmap den Standardport, der auch bei
-TCP-Pings Verwendung findet (TCP-Port 80).
-.TP
-.B -sA
-ACK-Scan: Auf diese erweiterte Scan-Technik wird normalerweise immer dann
-zurueckgegriffen, wenn es um das Identifizieren eines Firewall-Regelwerks
-geht. Zusaetzlich kann diese Methode eine Determinierung des Vorhandenseins
-einer Stateful Inspection, die eingehende SYN-Pakete blockt, ermoeglichen.
-.Sp
-Dieser Scan-Typ schickt ein ACK-Paket (mit zufaellig gewaehlten
-Bestaetigungs-/Sequenznummern) an den spezifizierten Zielport. Kommt ein RST
-zurueck, wird der besagte Port als "unfiltered" (dt. ungefiltert) eingestuft.
-Erhalten wir keine Rueckantwort (oder kommt ein ICMP unreachable zurueck), so
-weist nmap den Port als "filtered" (dt. gefiltert) aus. Wichtig ist, dass
-.I nmap
-normalerweise keine "unfiltered" ausgibt. So sind
-.B keine
-Ports in der Ausgabe ein Indiz dafuer, dass alle Zugriffe durchgekommen sind
-(und ein RST verursacht haben). Dieser Scan wird die Ports nie in einem
-"open" (dt. offenen) Status zeigen.
-.TP
-.B -sW
-Window-Scan: Diese erweiterte Scan-Technik ist dem ACK-Scan sehr aehnlich.
-Ausser, dass hiermit manchmal auch offene, ungefilterte und gefilterte Ports
-durch eine Anomalie in der durch die Betriebssysteme gewaehlten TCP window
-size entdeckt werden koennen. Systeme, die gegen diese Attacke verwundbar sind,
-sind einige Versionen von AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX,
-OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
-OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. Siehe das Archiv
-der nmap-Hackers Mailingliste fuer eine vollstaendige Auflistung.
-.TP
-.B -sR  
-RPC-Scan: Diese Methode arbeitet in Kombination mit den meisten moeglichen
-Scan-Typen von nmap zusammen. Jeder als offen identifizierte TCP- und UDP-Port
-wird mit einer Vielzahl von SunRPC-Nullkommandos ueberflutet, um eine
-Identifizierung von RPC-Ports vorzunehmen. Falls ein solcher gefunden wurde,
-wird der Programmname und die Version ausgelesen, sofern diese Information zur
-Verfuegung gestellt wird. Diese Vorgehensweise ist ebenso mit dem Heranziehen
-von 'rpcinfo -p' moeglich; besonders dann, wenn des Zielsystems Portmapper
-hinter einer restriktiven Firewall steht oder durch einen TCP-Wrapper
-geschuetzt wird. Decoy-Scans arbeiten zur Zeit nicht mit RPC-Scans zusammen.
-Irgendwann wird vielleicht Decoy-Scanning im Zusammenhang mit UDP-RPC-Scans
-moeglich sein.
-.TP
-.B -sL
-List-Scan: Diese simple Methode generiert eine Liste aller IP-Adressen und
-Hostnamen, ohne die Zielsysteme direkt anzusprechen (Ping oder Portscan).
-Eine Namensaufloesung ueber DNS findet stets statt, sofern dies nicht durch
-das Heranziehen von -n unterbunden wird.
-.TP
-.B -b <FTP-Relay Host>
-FTP-Bounce Attacke: Ein interessantes "Feature" des File Transport Protocols
-(RFC 959) ist die Unterstuetzung von "Proxy"-FTP-Verbindungen. Mit anderen
-Worten ist es moeglich, sich von boese.com auf ziel.com zu verbinden und
-eine Datei ueberall hin zu schicken. Nun, dies hat wohl ausgezeichnet
-funktioniert, als 1985 das besagte RFC geschrieben wurde. In der heutigen
-Zeit ist es nicht mehr ohne weiteres Moeglich, sich auf fremde FTP-Server zu
-verbinden und nach Belieben Dateien zu versenden. *Hobbit* schrieb 1995
-folgendes zu dieser Schwachstelle: "[This protocol flaw] can be used to post
-virtually untraceable mail and news, hammer on servers at various sites, fill
-up disks, try to hop firewalls, and generally be annoying and hard to track
-down at the same time." Bei dieser Scanning-Methode wird ein als Proxy
-fungierender FTP-Server genutzt, um die offenen Ports eines Zielsystems
-ausfindig zu machen. Beispielsweise kann dadurch zu einem hinter einer
-Firewall positionierten FTP-Server verbunden werden, um danach interne, durch
-das Firewall-Element gegen externe Zugriffe geschuetzte Ports (z.B. die
-NetBIOS-Ports) anzusprechen. Falls auf dem FTP-Server ein Verzeichnis
-existiert, bei dem sowohl Lese- als auch Schreibrechte vorhanden sind (z.B.
-/incoming), kann eine semi-manuelle Uebergabe von Daten an die Zielports
-durchgefuehrt werden (nmap nimmt einem diese Arbeit nicht ab).
-.Sp
-Das mit der Option '-b' uebergebene Argument, spezifiziert den als Proxy
-gewollten Host, wobei die standard URL-Notation gilt. Das Format lautet
-.I Benutzername:Passwort@Server:Port.
-Alles, ausser
-.I Server
-ist optional. Wie eine Determinierung der gegen diese Zugriffsform verwundbare
-Server vorgenommen werden kann, kann in meinem Artikel in
-.I Phrack
-51 nachgelesen werden. Eine aktualisierte Version ist auf der
-.I nmap
-Webseite (http://www.insecure.org/nmap) verfuegbar.
-.TP
-.B GENERELLE OPTIONEN
-Keine der folgenden Optionen ist erforderlich. Einige von ihnen koennen jedoch
-nuetzlich sein.
-.TP
-.B -P0
-Verhindert das Pingen eines Hosts, bevor er gescannt wird. Dies ermoeglicht
-das Scannen von Netzwerken, die keine ICMP echo requests (oder responses)
-aufgrund einer restriktiv konfigurierten Firewall zulassen. microsoft.com ist
-ein Beispiel fuer ein solches Netzwerk, in dem diese Funktion stets genutzt
-werden sollte. Gebrauchen Sie
-.B -P0
-oder
-.B -PT80
-wenn ein Portscan gegen microsoft.com durchgefuehrt werden soll.
-.TP
-.B -PT
-Benutzt einen TCP-Ping, um die Erreichbarkeit eines Hosts zu verifizieren.
-Anstatt ICMP echo request-Abfragen zu verschicken und auf die entsprechenden
-ICMP echo reply-Rueckantworten zu warten, wird auf ein TCP-Datagramm mit
-gesetzter ACK-Flagge gesetzt. Ansprechbare Systeme sollten mit einem RST
-antworten. Diese Funktion ist immer dann anzuwenden, wenn Systeme oder
-Netzwerke gescannt werden sollen, die keine Erreichbarkeitsueberpruefung
-mittels ICMP zulassen und trotzdem zuerst die Erreichbarkeit identifiziert
-werden soll. Bei non-root Benutzern wird connect() angewandt. Um den Zielport
-des Zugriffs zu spezifizieren, kann -PT<Portnummer> herangezogen werden. Der
-Standardport ist einmal mehr TCP/80 (HTTP), da dieser eher selten durch einen
-Filter gedeckt wird.
-.TP
-.B -PS
-Diese Option benutzt fuer root-Benutzer SYN (Verbindungsanforderungen) anstatt
-ACK-Pakete. Ansprechbare Hosts sollten mit einem RST (oder in seltenen Faellen
-mit einem SYN/ACK) antworten. Das Setzen des Zielports kann auf die selbe Art
-wie beim zuvor erlaeuterten -PT umgesetzt werden.
-.TP
-.B -PI
-Diese Option nutzt einen klassischen Ping (ICMP echo request), um die
-Erreichbarkeit von Systemen und Broadcast-Adressen von Subnetzen zu
-identifizieren. Letztere sind extern erreichbare IP-Adressen, die eine
-Umwandlung zu einem internen Broadcast des Subnetzes durchfuehren. Solcherlei
-sollten verhindert werden, denn sie sind Voraussetzung fuer eine Reihe von
-Denial of Service-Attacken (Smurf ist die bekannteste Variante).
-.TP
-.B -PP
-Benutzt eine ICMP timestamp-Anfrage (Typ 13, Code 0), um ansprechbare Hosts zu
-finden.
-.TP
-.B -PM
-Das Gleiche wie
-.B -PI
-und
-.B -PP
-, ausser, dass eine ICMP address mask request (Typ 17, Code 0) zum Tragen kommt.
-.TP
-.B -PB
-Dies ist der standardmaessig gewaehlte Ping-Typus. Er benutzt beide Techniken,
-ACK (
-.B -PT
-) und ICMP echo requests (
-.B -PI
-), die jeweils parallel durchgefuehrt werden. Auf diese Weise koennen
-Firewall-Elemente ausgetrickst werden, die eine der beiden Protokolle (nicht
-beide) filtern. Der Zielport fuer den TCP-Zugriff kann auf die gleiche Weise
-gesetzt werden, wie im zuvor erklaerten -PT.
-.TP
-.B -O
-Diese Option aktiviert das Identifizieren des am Zielsystem eingesetzten
-Betriebssystems anhand des TCP/IP-Fingerabdrucks (engl. TCP/IP fingerprint).
-Es wird eine Anzahl spezifischer Tests umgesetzt, die das typische Verhalten
-der jeweiligen TCP/IP-Implementierungen erkennen koennen sollen. Die
-gegebenen Informationen stellen quasi einen 'Fingerabdruck' dar, der mit der
-Datenbank der bekannten Betriebssystem-Fingerabdrucke (die
-nmap-os-fingerprints Datei) verglichen wird.
-.Sp
-Falls nmap nicht in der Lage ist, eine mehr oder weniger eindeutige
-Identifikation des am Zielsystem eingesetzten Betriebssystems vorzunehmen und
-die gegebenen Bedingungen gut sind (mindestens ein ansprechbarer Port), gibt
-nmap eine URL aus, bei der neu gefundene Fingerprints eingesendet werden
-koennen. Dies setzt natuerlich voraus, dass Sie sich eindeutig im Klaren
-darueber sind, um was fuer ein Betriebssystem es sich handelt. Durch diesen
-Schritt koennen Sie aktiv an der Erweiterung der Datenbank mithelfen, wodurch
-sie attraktiver fuer saemtliche Benutzer wird. Falls Sie beim Einsenden des
-neuen Fingerabdrucks die IP-Adresse des Zielsystems mitangeben, muessen Sie
-damit rechnen, dass es von uns zu Ueberpruefungszwecken gescannt wird.
-.Sp
-Die Option -O aktiviert ebenso einige weitere Tests. Einer dieser ist das
-Messen der "Uptime". Hierzu wird das Timestamp-Feature von TCP genutzt (RFC
-1323), um erkennen zu koennen, wann das Zielsystem das letzte mal neu
-gestartet wurde. Diese Funktionalitaet wird natuerlich nur dann genutzt werden
-koennen, wenn das Zielsystem diese Information auch entsprechend bereitstellt.
-.Sp 
-Ein anderer Check, der durch die Option -O aktiviert wird, ist die
-Klassifizierung der Berechenbarkeit der TCP-Sequenznummer des Zielsystems.
-Das Ergebnis dieses Tests sagt aus, wie schwer es ist, eine bestehende
-Verbindung des Zielsystems zu uebernehmen. Dies ist dann nuetzlich, wenn
-auf IP-Adressen basierende Vertrauensbeziehungen (z.B. rlogin und
-Firewall-Filter) missbraucht oder die Quelle eines Angriffs versteckt werden
-sollen. Die mitgelieferte Difficulty-Number ist statistisch berechnet und kann
-jeweils leicht abweichen. Zusaetzlich wird in knappen Worten (z.B. "worthy
-challenge" or "trivial joke") der Zustand beschrieben. All dies wird nur dann
-ausgegeben, wenn der Parameter -v mitangegeben wurde.
-.Sp
-Wenn die Option -O zusammen mit dem Verbose-Modus (-v) genutzt wird, wird
-ebenso die Sequenz-Generierung der IPID ausgewiesen. Die meisten Geraete
-werden als "incremental" klassifiziert, was bedeutet, dass sie fuer jedes
-verschickte Paket eine Inkrementierung des ID-Felds im IP-Header vornehmen.
-Ein solches Verhalten macht sie verwundbar gegen eine Reihe verschiedener
-Auswertungs- und Spoofing-Attacken.
-.TP
-.B -6
-Diese Option aktiviert die IPv6-Unterstuetzung. Saemtliche Ziele muessen mit
-IPv6 zurecht kommen, sofern diese Option genutzt werden soll. Das
-Spezifizieren der Ziele kann ganz normal ueber den DNS-Namen (AAAA record)
-oder IPv6-Adresse (z.B. 3ffe:501:4819:2000:210:f3ff:fe03:4d0) geschehen.
-Momentan sind TCP connect()- und Ping-Scans von nmap unterstuetzt. Falls UDP-
-oder andere Scan-Typen genutzt werden sollen, lohnt sich ein Blick auf
-http://nmap6.sourceforge.net/ .
-.TP
-.B -I
-Hiermit wird das TCP reverse ident-Scanning aktiviert. Wie Dave Goldsmith in
-einem Bugtraq-Posting aus dem Jahre 1996 publiziert hat, ermoeglicht das
-ident-Protokoll (RFC 1413) das Identifizieren des Besitzers eines
-TCP-Dienstes. So kann zum Beispiel eine Verbindung zum HTTP-Port des
-Zielsystems hergestellt werden, um danach mittels ident herauszufinden, ob
-der Webserver als root laeuft. Dies kann nur mit der Hilfe eines full-connect
-TCP-Portscans (-sT) geschehen. Wenn
-.B -I
-aktiviert wird, wird der identd des Zielsystems fuer jeden als offen
-identifizierten Port abgefragt. Logischerweise funktioniert diese ganze
-Prozedur nicht, wenn das Zielsystem keinen identd aktiv hat.
-.TP
-.B -f
-Diese Option erreicht, dass der durchgefuehrte SYN-, FIN-, Xmas- oder
-Null-Scan mit fragmentierten IP-Paketen arbeitet. Die Idee ist, dass der
-TCP-Header ueber mehrere Pakete verteilt werden soll, wodurch eine
-Inspizierung durch Firewall- oder Intrusion Detection-Systeme erschwert wird.
-Bei dieser Funktion ist Vorsicht geboten, denn viele der verbreiteten
-Netzwerkanwendungen kommen mit derlei Datenverkehr nicht klar. Beispielsweise
-erhielt ich bei meinem liebsten Sniffer ein segemtation fault, nachdem das
-erste 36-byte Fragment eingelesen wurde. Danach kam gar ein 24-byte Paket!
-Waehrend diese Methode keinen Erfolg bei Elementen verspricht, die eine
-Warteschlange fuer IP-Fragmente haben (wie dies mittels der Option
-CONFIG_IP_ALWAYS_DEFRAG unter Linux normalerweise der Fall ist), koennen
-andere Umgebungen den enormen Aufwand fuer eine solche Analyse nicht tragen,
-verzichten darauf und koennen deshalb ausgetrickst werden.
-.Sp
-Es bleibt zu bemerken, dass diese Option nicht auf allen Betriebssystemen
-einwandfrei genutzt werden kann. Es arbeitet ohne Zwischenfaelle auf meinem
-Linux, FreeBSD und OpenBSD; einige Leute berichten gar, dass es auch auf
-anderen *NIX funktioniert.
-.TP
-.B -v
-Verbose-Modus: Diese, eine sehr zu empfehlende Option, ermoeglicht eine
-erweiterte Ausgabe von Informationen. Eine doppelte Nutzung ergibt einen
-doppelt so grossen Effekt. Ebenso kann
-.B -d
-einige Male aktiviert werden, falls Sie wirklich vor einem ueberlasteten
-Bildschirm verrueckt werden wollen!
-.TP
-.B -h
-Diese handliche Funktion zeigt eine Kurzreferenz der nmap-Parameter. Wie Sie
-vielleicht gemerkt haben, handelt es sich bei dieser man-Page nicht unbedingt
-um eine 'handliche Kurzreferenz' :)
-.TP
-.B -oN <Protokoll-Dateiname>
-Dies protokolliert die Resultate des Scans in einem normalen, fuer
-.B Menschen lesbaren
-Format in eine durch ein Argument spezifizierte Datei.
-.TP
-.B -oX <Protokoll-Dateiname>
-Dies protokolliert die Resultate des Scans als
-.B XML
-in die durch ein Argument spezifizierte Datei. Dadurch koennen andere
-Programme unkompliziert die durch nmap generierten Informationen auswerten und
-verarbeiten. Durch das Argument '-' (ohne Anfuehrungszeichen) kann die
-Ausgabe auf stdout (fuer Pipeline-Verarbeitung, etc.) umgeleitet werden. In
-diesem Fall wird die normale Bildschirmausgabe unterdrueckt. Achtung vor
-Fehlermeldungen (diese werden nach wie vor nach stderr geschickt). Ebenso ist
-wichtig, dass '-v' in den meisten Faellen einige zusaetzliche Informationen
-gewaehrleisten koennen wird. Die Dokumententypendefinition (engl. Document
-Type Definition, abk. DTD), die fuer die XML-Ausgabe genutzt wird, steht unter
-http://www.insecure.org/nmap/data/nmap.dtd bereit.
-.TP
-.B -oG <Protokoll-Dateiname>
-Dies protokolliert die Resultate des Scans in eine
-.B grepbare
-Form in eine durch ein Argument spezifizierte Datei. Dadurch wird ein simples
-Format angestrebt, welches alle Informationen auf einer Zeile ausgibt, weshalb
-ganz einfach ein grep fuer Ports, OS-Informationen oder IP-Adressen umgesetzt
-werden kann. Dieses einfache Format stellt meistens nicht so viele
-Informationen bereit, wie dies bei anderen Ausgabevarianten der Fall ist.
-Diese Form war die urspruenglich, fuer die Verarbeitung durch externe Programme
-vorgehesene Dokumentierungs-Ausgabe. Mittlerweile ist jedoch XML empfohlen
-(-oX). Einmal mehr kann die Angabe von '-' (ohne Anfuehrungszeichen) eine
-Ausgabe auf stdout erzwingen (fuer Pipeline-Verarbeitung, etc.). Auch hier
-wird die normale Ausgabe unterdrueckt. Ebenso werden Fehlermeldungen wie
-ueblich auf stderr ausgegeben. Und '-v' wird in den meisten Faellen einige
-zusaetzliche Informationen gewaehrleisten koennen.
-.TP
-.B -oA <Basisdateiname>
-Dies veranlasst nmap in der Form ALLER wichtigen Formate (normal, grepbar und
-XML) zu protokollieren. Sie geben den Dateinamen an, wobei nmap die
-Erweiterungen in Form von basis.nmap, basis.gnmap und basis.xml automatisch
-anfuegen wird.
-.TP
-.B -oS <Protokoll-Dateiname>
-Dies protokolliert die Resultate der Scans in einem fuer
-.B s|<ripT kiDd|3
-lesbaren Format in eine durch ein Argument spezifizierte Datei. Durch die
-Angabe des Arguments '-' (ohne Anfuehrungszeichen) kann die Ausgabe auf
-stdout umgeleitet werden.
-.TP
-.B --resume <Protokoll-Dateiname>
-Ein Netzwerk-Scan, der durch das Druecken von Control-C unterbrochen wurde,
-kann durch diese Option reaktiviert werden. Der Protokoll-Dateiname muss
-entweder eine normale (-oN) oder durch Maschinen verarbeitbare (-oM)
-Scan-Protokoll-Datei sein. Die Angabe abweichender oder zusaetzlicher Optionen
-ist nicht moeglich - Sie werden vom abgebrochenen Scan uebernommen. nmap wird
-mit der zuletzt in der Protokoll-Datei erfolgreich gescannt vermerkten
-Maschine starten.
-.TP
-.B --append_output
-Weist nmap an, die Scan-Resultate an die spezifizierten Protokoll-Datei
-anzuhaengen, anstatt die besagten Dateien zu ueberschreiben.
-.TP
-.B -iL <Eingabe-Dateiname>
-Liest die Ziel-Spezifizierung ZUERST von der angegebenen Datei ein, und erst
-danach von der Kommandozeileneingabe. Die Datei sollte eine Liste von Hosts
-oder Netzwerken enthalten, die jeweils durch ein Leer-, Tabulator- oder
-Neuezeile-Zeichen getrennt sind. Benutzen Sie einen Bindestrich (-) als
-.I Eingabe-Dateiname
-, falls Sie wollen, dass nmap die Zielspezifizierungen von stdin liest (wie
-im Zusammenhang mit einer Pipe). Siehe den Absatz
-.I Ziel-Definition
-fuer zusaetzliche Informationen zu der gueltigen Ausdrucksweise.
-.TP
-.B -iR
-Diese Option weist nmap an, zufaellig generierte Hosts zu scannen :). Dies hat
-kein Ende. Eine solche Funktion ist zum Beispiel fuer eine statistische
-Auswertung innerhalb des Internets nuetzlich. Falls Sie einmal wirklich sehr
-gelangweilt sein sollten, so versuchen Sie
-.I nmap -sS -iR -p 80
-um Webserver-Systeme zu finden.
-.TP
-.B -p <Port-Bereich>
-Diese Option spezifiziert, welche Ports gescannt werden sollen. Zum Beispiel
-wird '-p 23' lediglich einen Zugriff auf den Port 23 (Telnet) der Zielsysteme
-durchfuehren. '-p 20-30,139,60000-' scannt die Ports zwischen 20 und 30,
-Port 139 und alle Ports groesser als 60000. Standardmaessig werden saemtliche
-well-known Ports zwischen 1 und 1024 sowie alle in der services-Datei von nmap
-gelisteten Dienste gescannt. Fuer einen IP-Protokoll-Scan (-sO) kann mit
-dieser Option die zu scannende Protokoll-Nummer (0-255) angegeben werden.
-.Sp
-Werden gleichzeitig TCP- und UDP-Ports gescannt, so kann das jeweilige
-Protokoll durch ein vorangestelltes "T:" oder "U:" angewaehlt werden. Die
-mitgegebenen Ports gelten so lange fuer das spezifizierte
-Uebertragungsprotokoll, bis ein anderes angegeben wird. Zum Beispiel werden
-mit dem Argument "-p U:53,111,137,T:21-25,80,139,8080" die UDP-Ports 53, 111
-und 137 sowie die TCP-Ports 21 bis 25, 80, 139 und 8080 gescannt. Wichtig ist,
-dass bei einem gleichzeitigen TCP- und UDP-Scan neben der Angabe von -sU
-mindestens eine TCP-Scan-Variante mitangegeben werden muss (zum Beispiel -sS,
--sF oder -sT). Wird bei der Wahl der Zielports auf das spezifizieren eines
-Protokolls verzichtet, bezieht sich die Option auf saemtliche
-Uebertragungsprotokolle.
-.TP
-.B -F
-Schneller Scan-Modus (engl. Fast scan mode): Dies gibt an, dass Sie lediglich
-die in der services-Datei von nmap gelisteten Dienste scannen wollen (oder bei
--sO die Protokolle der protocols-Datei). Selbstverstaendlich ist dies viel
-schneller, als saemtliche 65535 Ports eines Hosts zu ueberpruefen.
-.TP
-.B -D <Decoy1 [,Decoy2][,ME],...>
-Veranlasst einen sogenannten Decoy-Scan (dt. Lockvolgel). Bei diesem sieht es
-so aus, als wuerde eine Reihe zusaetzlicher Hosts die Zielumgebung scannen.
-Ein Intrusion Detection-System wird zwischen 5 und 10 Portscans verschiedener
-IP-Adressen protokollieren, wobei ohne weiteres nicht genau festgestellt
-werden kann, welches System den Scan wirklich durchfuehrt. Waehrend diese
-Methode durch Router Path Traceing, Response-Dropping und andere "aktive"
-Mechanismen niedergeschlagen werden kann, ist es doch eine extrem effektive
-Technik, um die eigene IP-Adresse zu verstecken.
-.Sp
-Die jeweiligen Lockvoegel koennen durch ein Komma getrennt werden. Optional
-kann durch die Angabe von 'ME' (dt. mich) die eigene Position in der
-Zugriffsreihenfolge gewaehlt werden. Falls 'ME' in die sechste oder noch eine
-spaetere Position gesetzt wird, sind einige Portscan-Detektoren (z.B. Solar
-Designers scanlogd) nicht in der Lage, die richtige IP-Adresse anzuzeigen.
-Falls Sie 'ME' nicht mitangeben, wird nmap eine zufaellige Position bestimmen.
-.Sp
-Achtung, die als Decoys angegebenen Hosts sollten vom Zielsystem erreichbar
-sein. Andernfalls ist es durchaus moeglich, dass dieses durch einen SYN-Flood
-in die Knie gezwungen wird. Zudem ist es relativ einfach zu erkennen, welches
-System den Scan durchfuehrt, wenn nur dieses eine System wirklich im Netzwerk
-aktiv ist. Es lohnt sich IP-Adressen anstatt Hostnamen bei der Spezifizierung
-der Lockvogel-Systeme anzugeben (so ist keine Namensaufloesung noetig und die
-Protokoll-Eintraege in den Nameservern bleibt aus).
-.Sp
-Ebenso weisen einige (dumme) "Portscan-Detektoren" Firewalling-Funktionalitaet
-auf, und sie unterbinden die Verbindungsmoeglichkeit jeglichen Systems, das
-einen Portscan durchfuehrt. So kann es durchaus sein, dass die
-Verbindungsmoeglichkeit des Zielsystems zu den Lockvoegeln verhindert wird.
-Dies ist dann problematisch, wenn es sich um ein wichtiges System, wie zum
-Beispiel das Standard-Gateway, handelt. Also, es gilt vorsichtig im Umgang
-mit dieser Option zu sein. Die Moral dieser Geschichte ist, dass
-Portscan-Detektoren mit automatisierter Strike-Back Funktionalitaet keine gute
-Idee sind - Hinter jedem Portscan koennte sich ein Lockvogel verbergen!
-.Sp
-Die Lockvoegel werden im initialen Ping-Scan (ICMP, SYN oder ACK) und waehrend
-der eigentlichen Portscan-Phase verwendet. Ebenso finden sie beim Durchfuehren
-einer Betriebssystem-Erkennung (
-.B -O
-) Verwendung.
-.Sp 
-Es bleibt zu sagen, dass zu viele Lockvoegel einen Scan verlangsamen und
-ineffizienter machen koennen. Ebenso filtern einige ISPs gespoofte Pakete
-heraus, obwohl dies zur Zeit die wenigsten machen.
-.TP
-.B -S <IP-Adresse>
-Unter bestimmten Umstaenden ist
-.I nmap
-nicht in der Lage, Ihre Quell-IP-Adresse zu identifizieren (
-.I nmap 
-wird Ihnen dies mitteilen). In einer solchen Situation kann mit der Hilfe der
-Option -S die IP-Adresse (der gewuenschten Schnittstelle) festgelegt werden.
-.Sp
-Eine andere Moeglichkeit dieser Option ist die Quelle des Scans zu spoofen, so
-dass das Zielsystem glaubt, dass
-.B jemand anderes
-die Zugriffe durchfuehrt. Stellen Sie sich vor, dass eine Firma ploetzlich von
-ihrem Konkurrenten einen Scan verzeichnet! Dies ist nicht der Hauptnutzen
-dieser Option. Ich denke lediglich, dass diese Theorie einen guten Grund
-bereitstellt, nicht sofort jeden als Scanner zu beschimpfen, nur weil es
-scheint, dass von ihm ein Scan gestartet wurde.
-.TP
-.B -e <Schnittstelle>
-Weist nmap an, ueber welche Schnittstelle die Daten verschickt und empfangen
-werden sollen. nmap sollte in der Lage sein diesen Umstand von sich aus zu
-erkennen. Falls dem nicht so ist, kann diese Option herangezogen werden.
-.TP
-.B -g <Portnummer>
-Definiert den Quellport fuer die Scans. Einige naive
-Firewall-Implementierungen machen bei DNS (53) und FTP-DATA (20) eine Ausnahme
-und lassen solcherlei Verbindung entgegen der Bestimmungen im Regelwerk zu.
-Obschon dieser Umstand ganz einfach durch Angreifer ausgenutzt werden kann, um
-sich als FTP- oder DNS-System maskierend einen Vorteil zu verschaffen. Fuer
-einen UDP-Scan sollte 53 als erstes ausprobiert werden. Bei einem TCP-Scan
-bieten sich 20 und 53 an. Achtung, es handelt sich bei dieser Option lediglich
-um eine Anfrage, die nicht zwingend in jeder Situation von nmap umgesetzt
-werden will und kann. Zum Beispiel ist eine ISN-Analyse nicht von System:Port
-zu System:Port moeglich, so dass nmap eine dynamische Portzuweisung
-durchfuehrt, auch wenn anderes durch -g angegeben wurde.
-.Sp
-Seien Sie gewarnt, dass diese Option bei einigen Scan-Varianten
-Performance-Einbussen mit sich bringt.
-.TP
-.B --data_length <Anzahl>
-Normalerweise verschickt nmap moeglichst kleine Pakete, die lediglich aus dem
-Header bestehen. So weisen TCP-Datagramme im Normalfall eine Laenge von 40 und
-ICMP echo request-Anfragen 28 Bytes auf. Diese Option weist nmap an, die
-verschickten Pakete um Null-Bytes zu verlaengern. Pakete zur Erkennung des
-Betriebssystens (-O) sind nicht betroffen. Ganz im Gegensatz zu
-Ping-Zugriffen und Portscan-Paketen. Dies verlangsamt natuerlich die Zugriffe
-unter Umstaenden - Aber ebenso kann es die Unauffaelligkeit des Scans
-erhoehen.
-.TP
-.B -n
-Sagt nmap, dass
-.B NIE
-reverse DNS-Aufloesungen von als aktiv identifizierten IP-Adressen
-durchgefuehrt werden sollen. Da DNS oft langsam ist, kann diese Option die
-Zugriffe beschleunigen.
-.TP
-.B -R
-Sagt nmap, dass
-.B IMMER
-reverse DNS-Aufloesungen von als Ziel spezifizierten IP-Adressen durchgefuehrt
-werden sollen. Dies wird im Normalfall nur immer dann durchgefuehrt, wenn ein
-Zielsystem als aktiv identifiziert werden konnte.
-.TP
-.B -r
-Sagt nmap, dass
-.B KEINE
-zufaellige Wahl beim Scannen der Ports gewuenscht ist.
-.TP
-.B --ttl <time to live>
-Setzt den "Time to live" Wert im IPv4 Header.
-.TP
-.B --randomize_hosts (dt. zufaellige Reihenfolge der Hosts)
-Sagt nmap, dass bei einer Gruppe von bis zu 2048 Zielen eine zufaellige
-Reihenfolge gewaehlt werden soll, bevor sie gescannt werden. Dies kann den
-Scanvorgang fuer viele Netzwerk-Monitoring-Systeme schwieriger zu entdecken
-machen; ganz besonders dann, wenn langsame Timing-Optionen angewandt werden
-(siehe unten).
-.TP
-.B -M <Maximale Sockets>
-Setzt die maximale Anzahl der Sockets bei einem parallel durchgefuehrten TCP
-connect()-Scan fest. Dies ist zum Beispiel in Situationen nuetzlich, wenn der
-Scanvorgang kuenstlich verlangsamt werden soll, damit das Zielsystem nicht
-unter der Last der Zugriffe zusammenbricht. Eine andere Herangehensweise ist
-durch -sS gegeben, die durch die Geraete oft einfacher zu handhaben ist.
-.TP
-.B TIMING-OPTIONEN
-Normalerweise macht nmap hervorragende Arbeit, um waehrend eines Scans das
-Maximum an Performance herauszuholen, ohne Fehlermeldungen zu Hosts oder Ports
-zu provozieren. Trotzdem kann es Situationen geben, in denen das Timing von
-nmap nicht dem von Ihnen gewuenschten entspricht. Die folgenden Optionen
-ermoeglichen eine feine Skalierbarkeit der Kontrolle bezueglich des
-Scan-Timings:
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-Diese vordefinierten Timing-Richtlinien erlauben Ihnen nmap Ihre Prioritaeten
-mitzuteilen. Der
-.B Paranoid
--Modus scannt
-.B sehr
-langsam, in der Hoffnung, nicht von Intrusion Detection-Systemen entdeckt zu
-werden. Die Scans werden in Serie geschaltet (kein paralleles Scanning) und im
-Normalfall wird bis zu 5 Minuten zwischen dem Versand der Pakete gewartet.
-.B Sneaky
-(dt. schleichend) ist aehnlich, ausser, dass lediglich 15 Sekunden zwischen
-dem Paket-Versand gewartet wird.
-.B Polite
-(dt. hoeflich) wird dann relevant, wenn die Netzwerkbelastung niedrig gehalten
-werden will. Zum Beispiel, um Abstuerze von Systemen zu vermeiden. Die
-Zugriffe werden wiederum in Serie geschaltet und zwischen den Zugriffen wird 
-.B mindestens
-0.4 Sekunden gewartet.
-.B Normal
-spiegelt das normale Verhalten von nmap wieder, was einen Kompromiss zwischen
-maximaler Geschwindigkeit bei absoluter Zuverlaessigkeit darstellt.
-.B Aggressive
-(dt. aggressiv) fuegt eine Wartezeit von 5 Minuten zwischen den einzelnen
-Hosts hinzu. Es wird jedoch nie laenger als 1.25 Sekunden auf Antworten
-gewartet.
-.B Insane
-(dt. geisteskrank) ist lediglich in sehr schnellen Netzwerken moeglich. Oder
-ueberall dort, wo auf die Zuverlaessigkeit des Resultat nicht sonderlich viel
-gegeben wird. Zwischen den einzelnen Systemen wird 75 und zwischen den
-Zugriffen 0.3 Sekunden gewartet. Dies lohnt sich zum Beispiel fuer einen
-schnellen Netzwerk-Suchlauf :). Die einzelnen Modi koennen ebenso durch eine
-Nummer (0-5) referenziert werden. Zum Beispiel gibt '-T 0' den
-Paranoid-Modus an und '-T 5' steht fuer Insane.
-.Sp
-Diese spezifischen Timing-Modi sollten NICHT zusammen mit den nun folgend
-vorgestellten Timing-Optionen verwendet werden.
-.TP
-.B --host_timeout <Millisekunden>
-Spezifiziert den Zeitraum, der nmap gegeben wird, um ein einzelnes System zu
-scannen, bevor sich einer neuen IP-Adresse gewidmet wird. Der Standardwert hat
-kein Timeout fuer Hosts.
-.TP
-.B --max_rtt_timeout <Millisekunden>
-Spezifiziert den Zeitraum, der nmap gegeben wird, um eine Antwort zu warten,
-bevor eine Uebertragunswiederholung eingeleitet wird oder das Timeout in Kraft
-tritt. Der Standardwert ist auf 9000 gesetzt.
-.TP
-.B --min_rtt_timeout <Millisekunden>
-Antwortet ein Host sehr schnell auf unsere Anfragen, wird nmap das Zeitlimit
-fuer zukuenftige Zugriffe auf das besagte Zielsystem verkleinern. Dies bringt
-einen Geschwindigkeitsvorteil mit sich, wobei jedoch auch Pakete verloren
-gehen koennen, falls ploetzlich ein Antworten in der vorhergesehenen
-Zeitspanne nicht mehr moeglich sein sollte. Mit dieser Option kann nmap
-angewiesen werden, dass immer mindestens ein bestimmter Zeitwert gewartet
-werden soll, bevor der Vorgang abgebrochen wird.
-.TP
-.B --initial_rtt_timeout <Millisekunden>
-Spezifiziert das Timetout fuer den initialen Zugriff. Dies ist normalerweise
-nur dann sinnvoll, wenn durch Firewall-Systeme geschuetzte Hosts mit der
-Option -P0 gescannt werden sollen. Normalerweise ist nmap in der Lage den
-RTT-Wert anhand des Ping-Zugriffs und der ersten Auswertungen optimal
-festzulegen. Der Standardwert lautet 6000.
-.TP
-.B --max_parallelism <Anzahl>
-Spezifiziert die maximale Anzahl parallel von nmap durchfuehrbaren Zugriffe.
-Das Setzen dieser Option heisst fuer nmap, dass nie mehr als 1 Port auf einmal
-gescannt werden soll. Ebenso sind andere Scan-Typen betroffen, die
-normalerweise parallel durchgefuehrt werden koennen (z.B. Ping-Suchlauf,
-RPC-Scan, etc.).
-.TP
-.B --min_parallelism <Anzahl>
-Weist nmap an, beim Scan eine gewisse Anzahl von Ports parallel zu scannen.
-Dies kann unter Umstaenden den Auswertungs-Vorgang von Firewall-Systemen
-beschleunigen. Aber seien Sie vorsichtig: Die Resultate werden umso
-unzuverlaessiger, desto hoeher die Anzahl paralleler Zugriffe gesetzt wird.
-.TP
-.B --scan_delay <Millisekunden>
-Spezifiziert das
-.B Minimum
-der Zeit, die nmap zwischen den jeweiligen Zugriffen warten muss. Dies ist
-sehr nuetzlich, um das Datenaufkommen in Netzwerken zu reduzieren oder durch
-den langsameren Scanvorgang vor IDS-Tresholds verborgen zu bleiben.
-.TP
-.B --packet_trace
-Sagt nmap, dass saemtliche verschickten und empfangenen Pakete in einem
-tcpdump-aehnlichen Format dargestellt werden sollen. Dies ist ganz besonders
-fuer Debugging nuetzlich. Ausserdem kann so viel ueber die Funktionsweise
-gelernt werden.
-.SH ZIEL-SPEZIFIKATION
-Alles, das nmap nicht als Option mitgegeben wird (oder ein Argument einer
-Option darstellt) wird als Ziel-Spezifikation angesehen. Die einfachste Form
-dessen, ist das Auflisten von einzelnen Hostnamen oder IP-Adressen in der
-Kommandozeile. Falls Sie ein Subnetz scannen wollen, so koennen Sie
-.B '/Maske' 
-am Hostnamen oder der IP-Adresse anfuegen. Die
-.B Maske
-muss einen Wert zwischen 0 (das ganze Internet scannen) und 32 (den einzelnen
-Host scannen) aufweisen. Benutzen Sie /24 fuer das Scannen eines Klasse
-C-Netzwerks und /16 fuer ein Klasse B-Netzwerk.
-.Sp
-nmap greift zudem auf eine sehr maechtige Notation zurueck, die eine sehr
-komfortable Spezifikation von IP-Adressbereichen zulaesst. So kann das Klasse
-B-Netzwerk 192.168.*.* mit der Angabe von '192.168.*.*'
-oder '192.168.0-255.0-255' oder '192.168.1-50,51-255.1,2,3,4,5-255' gescannt
-werden. Und selbstverstaendlich ist auch die verbreitete Netzmasken-Notation
-zulaessig: '192.168.0.0/16'. All diese Eingaben fuehren zum gleichen Ziel.
-Falls Sie das Asteriks-Zeichen (dt. Stern, '*') benutzen wollen, denken Sie
-daran, dass einige Shells das Escapen mittels Backslashes oder das
-Auskommentieren mittels Gaensefuesschen verlangen.
-.Sp
-Eine andere Moeglichkeit ist genau durch das umgekehrte Herangehen gegeben.
-Anstatt ein ganzes Klasse B-Netzwerk zu scannen, kann mit der Angabe
-von '*.*.5.6-7' jede IP-Adresse gescannt werden, die auf .5.6 oder .5.7 endet.
-Fuer zusaetzliche Informationen, konsultieren Sie den Abschnitt
-.I Beispiele
-.SH BEISPIELE
-Hier folgen nun einige Beispiele fuer das Nutzen von nmap. Diese reichen von
-einfachen ueber normale bis hin zu komplexen Ansaetzen. Es werden existente
-IP-Adressen und Domainnamen verwendet, um die Beispiele konkreter zu
-gestalten. Anstatt ihrer Stelle sollten Sie Adressen und Namen
-.B Ihres eigenen Netzwerks
-benutzen. Ich bin der Meinung, dass Portscanning fremder Netzwerke nicht
-illegal ist; ebenso sollten Portscans nicht als Angriffe gewertet werden. Ich
-habe tausende Maschinen gescannt und bisher erst eine Rueckmeldung erfahren.
-Jedoch bin ich kein Anwalt und einige (langweilige) Leute koennten durch
-mittels
-.I nmap
-generierter Zugriffe nervoes werden. Holen Sie sich zuerst eine Erlaubnis fuer
-Ihre Aktivitaeten ein oder tragen Sie die Risiken selbst.
-.Sp
-.B nmap -v ziel.beispiel.com
-.Sp
-Diese Option scannt alle reservierten TCP-Ports am Zielsystem mit dem Namen
-ziel.beispiel.com. Das -v aktiviert den Verbose-Modus.
-.Sp
-.B nmap -sS -O ziel.beispiel.com/24
-.Sp
-Hier wird ein stealth SYN-Scan gegen jede der 255 Maschinen des Klasse
-C-Netzwerks von ziel.beispiel.com gestartet. Ebenso wird versucht das
-Betriebssystem der aktiven Systeme zu ermitteln. Dieser Vorgang erfordert
-root-Privilegien aufgrund des SYN-Scans und der Betriebssystemerkennung.
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
-.Sp
-Startet einen Xmas-Tree-Scan auf die erste Haelfte der 255 moeglichen 8
-Bit Subnetze des Klasse B-Adressraums von 198.116. Wir ueberpruefen, ob am
-Zielsystem SSHD, DNS, POP3D, IMAPD oder der Port 4564 aktiv ist. Wichtig ist,
-dass Xmas-Scans nicht gegen Microsoft-Geraete funktionieren, da einige
-Abweichungen bei der Implementierung des TCP-Stacks gemacht wurden. Das gleiche
-gilt fuer Cisco-, IRIX-, HP/UX- und BSDI-Maschinen.
-.Sp
-.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
-.Sp
-Manchmal ist es nicht erforderlich einen IP-Adressbereich zu scannen. So kann
-es durchaus sein, dass in einer Situation das Absuchen spezieller Geraete
-noetig wird. Dieses Kommando findet saemtliche Webserver, die eine IP-Adresse
-aufweisen, die auf .2.3, .2.4 oder .2.5 endet. Falls Sie root sind, so kommt
-eventuell ein Hinzufuegen von -sS in Frage. Ebenso koennten mehr interessante
-Systeme gefunden werden, wenn bei 127 gestartet wird (IMHO). In diesem Fall
-koennen die durch die Sterne gegebenen Platzhalter durch '127-222' ersetzt
-werden.
-.Sp
-.B host -l firma.com | cut '-d ' -f 4 | ./nmap -v -iL -
-.Sp
-Fuehrt einen DNS-Zonetransfer durch, um saemtliche Hosts von firma.com zu
-finden. Die Ausgabe der IP-Adressen wird sodann fuer die weitere Verarbeitung
-zu
-.I nmap
-umgeleitet. Die dokumentierte Kommandofolge funktioniert nur auf Geraeten mit
-GNU/Linux. Vielleicht muessen Sie auf anderen Betriebssystemen andere Kommandos
-und Optionen heranziehen.
-.SH FEHLER
-Fehler? Was fuer Fehler? Senden Sie sie mir, falls sie solche finden.
-Entsprechende Patches waeren auch gleich nett :) Denken Sie ausserdem daran,
-neue OS-Fingerabdruecke einzusenden, damit die Datenbank wachsen kann. nmap
-gibt eine URL zur Uebermittlung des unbekannten Fingerabdrucks aus.
-.SH AUTOR
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH UEBERSETZUNG
-.Sp
-Marc Ruef
-.I <marc.ruef@computec.ch>
-.Sp
-http://www.computec.ch
-.Sp
-Wettingen, Oktober 2002
-.SH DISTRIBUTION
-Die neueste Version von
-.I nmap
-kann jeweils von
-.I http://www.insecure.org/nmap/
-bezogen werden.
-.Sp
-.I nmap 
-is (C) 1995-2002 by Insecure.Com LLC
-.Sp
-Dieses Programm gilt als freie Software; Sie koennen sie unter den
-Lizenzbestimmungen der GNU General Public License, wie sie von der Free
-Software Foundation in der Version 2 publiziert wurde, weitergeben und/oder
-veraendern. Dies weist Ihnen das Recht zu, die Software unter den gegebenen
-Bestimmungen zu nutzen, modifizieren und weiterzugeben. Falls Sie diese
-Lizenzbestimmungen nicht akzeptieren wollen, ist Insecure.Org unter Umstaenden
-in der Lage, eine alternative Lizenzbestimmung auszuhandeln (kontaktieren Sie
-fyodor@insecure.org).
-.Sp
-Der Quelltext dieser Software wird aus diesem Grund zur Verfuegung gestellt,
-weil wir glauben, dass die Benutzer ein Recht darauf haben zu wissen, was die
-von ihnen eingesetzten Programme machen. Dies ermoeglicht zudem das
-Ueberpruefen der Software auf etwaige Sicherheitsschwachstellen (bisher wurden
-keine gefunden).
-.Sp
-Der Quelltext ermoeglicht zudem das Portieren von nmap auf neue Plattformen,
-das Beheben von Fehlern und Hinzufuegen neuer Funktionalitaeten. Ich darf Sie
-bitten entsprechende Aenderungen an fyodor@insecure.org zu schicken, um eine
-etwaige Zusammenarbeit zu besprechen. Durch das Senden von Neuerungen an
-Fyodor oder einem der Mitglieder der Entwickler-Meilingliste erlauben Sie die
-unlimitierte, nicht-exklusive Weiterverwendung, Modifizierung und
-Relizensierung. Dies ist insofern wichtig, da einige andere Free Software
-Projekte (zum Beispiel KDE und NASM) sich mit unnoetigen Lizenzproblemen
-konfrontiert sahen. nmap wird stets als open-source zur Verfuegung stehen.
-Falls Sie sich an andere Lizenzbestimmungen halten moechten, so vermerken Sie
-dies doch bitte beim Einsenden Ihres Materials.
-.Sp
-Dieses Programm wurde in der Hoffnung entwickelt, dass es nuetzlich ist;
-jedoch
-.B OHNE JEGLICHE GARANTIE.
-Siehe die GNU General Public License fuer zusaetzliche Informationen (sie ist
-in der Datei namens COPYING, die mit
-.I nmap 
-mitgeliefert wird, enthalten).
-.Sp
-Es muss zusaetzlich erwaehnt werden, dass nmap in der Lage ist, schlecht
-geschriebene Anwendungen, TCP/IP-Stacks und Betriebssysteme abstuerzen zu
-lassen.
-.B nmap sollte nie auf mission-critical Systeme angewandt werden
-, ausser, wenn ein entsprechender Ausfall (engl. downtime) verkraftet werden
-kann. Wir bestaetigen hiermit, dass nmap unter Umstaenden Systeme und Netzwerke
-negativ beeinflussen kann. Wir tragen keine Verantwortung fuer Probleme, die
-beim Nutzen von nmap entstehen koennen.
-.Sp
-Aufgrund dessen, dass das Risiko eines Absturzes besteht und einige Black Hats
-nmap fuer das Auswerten von Angriffszielen missbrauchen, koennen einige
-Administratoren allergisch auf das Scannen ihrer Systeme reagieren. Somit ist
-es stets empfehlenswert, die Erlaubnis fuer das Scannen eines Netzwerks
-einzuholen.
-.Sp
-nmap sollte aus Sicherheitsgruenden nie mit erweiterten Privilegien (z.B. suid
-root) gestartet werden.
-.Sp 
-Dieses Produkt beinhaltet Software-Teile, die von der Apache Software
-Foundation (http://www.apache.org/) entwickelt wurden. Die
-.I Libpcap
-portable Bibliothek wird als Teil von nmap mitgeliefert. Libpcap wurde
-urspruenglich durch Van Jacobson, Craig Leres und Steven McCanne,
-alle vom Lawrence Berkeley National Laboratory, Universitaet von Kalifornien,
-Berkeley, CA, entwickelt. Zur Zeit wird sie von http://www.tcpdump.org
-betreut.
diff --git a/docs/nmap_italian.1 b/docs/nmap_italian.1
deleted file mode 100644
index a58d1ade6..000000000
--- a/docs/nmap_italian.1
+++ /dev/null
@@ -1,887 +0,0 @@
-.\" This definition swiped from the gcc(1) man page
-.\" Traslated in Italian by deneb <deneb@penguin.it>
-.\" Wen Aug 30 2000
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH NOME
-nmap \- Utility di esplorazione per le rete e security scanner
-.SH SINTASSI
-.B nmap
-[Tipi Scan] [Opzioni] <host o rete #1 ... [#N]>
-.SH DESCRIZIONI
-
-.I Nmap 
-Х progettato per permettere agli ammistratori di sistema e
-alle persone curiose lo scan di grandi reti al fine di 
-determinare quali host sono attivi e quali servizi offrono.
-.I nmap 
-supporta un grande numero di tecniche per lo scanning come 
-ad esempio: UDP, TCP connect(), TCP SYN (semi aperto), 
-ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), 
-FIN, ACK sweep, Xmas Tree, SYN sweep, e scan Null.  
-Vedete la sezione 
-.I Tipi di scan 
-per ulteriori informazioni.
-nmap offre anche varie caratteristiche avanzate come per esempio
-il rilevamento del S.O. via TCP/IP fingerprinting, lo scan stealth
-(invisibile), ritardo dinamico e i calcoli delle ritrasmissioni,
-lo scan parallelo, il rilevamento degli host non attivi mediante
-i ping paralleli, lo scan mediante decoy, il rilevamento del 
-filtraggio delle porte, lo scan RPC diretto (non-portmapper),
-lo scan di frammentazione, la specifica flessibile della 
-destinazione e delle porte.
-.PP
-Sforzi significativi sono stati impiegati nel rendere decenti
-le performance per gli utenti non root. Sfortunatamente,
-molte interfacce del kernel critiche (come ad esempio i 
-socket raw) richiedono i privilegi di root.
-nmap dovrebbe essere eseguito da root ogni volta che Х
-possibile.
-.PP
-Il risultato di un'esecuzione di nmap Х di solito una lista 
-di porte interessanti sulla/e macchina/e, che sono state 
-sottoposte allo scan (se ve ne sono). Nmap da sempre
-il nome del servizio "ben noto" (se noto), il numero, lo 
-stato, e il protocollo. Lo stato puР essere 'open' (aperto),
-'filtered' (filtrato), o 'unfiltered' (non-filtrato).
-Open significa che la macchina destinazione accetterЮ (
-mediante accept()) le connessioni su quella porta. Filtered
-significa che un firewall, filtro, o un altro ostacolo di 
-rete sta coprendo la porta e impedendo a nmap di determinare
-se la porta Х aperta. Unfiltered significa che nmap ha 
-riconosciuto la porta come chiusa e nessun firewall/filtro
-sembra aver interferito con il tentativo di nmap di 
-rilevare se la porta fosse aperta o chiusa.
-Le porte unfiltered (non-filtrate) sono il caso piЫ comune e 
-sono mostrate solo quando la maggior parte delle porte 
-esaminate sono nello stato filtered (filtrate).
-.PP
-A seconda delle opzioni usate, nmap puР riportare le seguenti
-caratteristiche dell'host remoto: S.O. in uso, sequenziabilitЮ
-TCP, nomi gli utenti che hanno eseguito i programmi che sono 
-associati ad una data porta, il nome del DNS, se l'host Х un
-indirizzo smurf, e poco altro.
-.SH OPZIONI
-Le opzioni che assieme hanno senso possono essere generalmente
-combinate. Alcune opzioni sono specifiche a date modalitЮ di scan.
-.I nmap 
-prova a rilevare e avvisare l'utente su combinazioni psicotiche o
-non supportate.
-.Sp
-Se siete impazienti, potete passare direttamente alla sezioni di 
-.I esempi
-posta alla fine, che dimostra l'utilizzo comune. Potete anche 
-eseguire
-.B nmap -h
-per ottenere una pagina di riferimento rapido, che elenca tutte 
-le opzioni. 
-.TP
-.B TIPI DI SCAN
-.TP
-.B \-sT 
-Scan TCP connect(): Questa Х la forma base dello scan TCP. La 
-chiamata di sistema connect() fornita dal vostro sistema 
-operativo Х usata per aprire una connessione ad ogni porta 
-interessante sulla macchina. Se la porta Х in ascolto, la
-connect() avrЮ luogo, altrimenti la porta non Х raggiungibile.
-Ogni utente sulla maggior parte dei sistemi UNIX Х libero
-di usare questa chiamata.
-.Sp
-Questo genere di scan Х facilmente rilevabile in quanto 
-i log dell'host destinazione mostreranno un gruppo di connessioni
-e messaggi di errore per i servizi che accettano la connessione
-mediante accept() solo per chiuderla immediatamente dopo.
-.TP
-.B \-sS
-Scan TCP SYN: Questa tecnica Х spesso chiamata scan "semi-aperto",
-perchХ non aprite una completa connessione TCP. Mandate un pacchetto 
-SYN, come se aveste intenzione di aprire una vera connessione,
-e aspettate la risposta. Un SYN|ACK come risposta indica che  
-la porta Х in ascolto. Un RST Х indicativa di una porta 
-non in ascolto. Se viene ricevuto un SYN|ACK come risposta
-, viene mandato immediatamente un RST per chiudere la connessione
-( allo stato attuale il kernel del vostro S.O. lo fa per noi).
-Il vantaggio primario di questa tecnica di scanning Х che pochi 
-siti la loggeranno.
-Sfortunatamente avete bisogno dei privilegi di root per 
-poter creare questi appositi pacchetti SYN.
-.TP
-.B \-sF \-sX \-sN 
-Le modalitЮ di scan Stealth FIN, Xmas Tree, o Null: 
-Ci sono delle volte che anche lo scan SYN non Х 
-abbastanza anonimo. Alcuni firewall e packet filter
-controllano i SYN per le porte riservate, e programmi come
-Synlogger e Courtney sono disponibili per rilevare 
-questi scan. Questi scan avanzati, d'altra parte, possono
-essere in grado di passare attraverso i firewall, packet 
-filter e/o programmi loggers indisturbati.
-.Sp
-L'idea Х che le porte chiuse devono rispondere al vostro 
-pacchetto di prova con un RST, mentre le porte aperte devono
-ignorare il pacchetto in questione (vedere RFC 793 pagina 64). 
-Lo scan FIN usa (sorpresa) un semplice pacchetto FIN come prova,
-mentre lo scan Xmas attiva i flag FIN, URG, e PUSH. 
-Lo scan Null disattiva tutti i flag. Sfortunatamente Microsoft
-(come sua consuetudine) ha deciso di ignorare completamente lo
-standard e fare le cose a modo suo. CosЛ questo tipo di scan 
-non funziona contro i sistemi in cui gira Windows95/NT. Se 
-prendiamo la cosa dal punto di vista positivo, questo fatto
-Х un buon modo per distinguere tra le due piattaforme. 
-Se lo scan trova porte aperte, sapete che la macchina non Х
-un computer con Windows. Se uno scan -sF,-sX, o -sN  mostra
-tutte le porte chiuse, ma uno scan SYN (-sS) vi fa vedere
-porte aperte, probabilmente state guardando una macchina 
-Windows. Questo ora Х meno utile in quanto nmap ha un 
-proprio un rilevamento di S.O. integrato. Ci sono anche 
-alcuni altri sistemi che violano lo standard nella stessa
-maniera di Windows. Questi includono Cisco, BSDI, HP/UX, MVS,
-e IRIX.
-Tutti i sistemi operativi soprastanti mandano resets da 
-porte aperte quando invece dovrebbero solo ignorare il 
-pacchetto.
-.TP
-.B \-sP
-Ping scanning: 
-Alcune volte volete solo sapere quali host sulla rete sono 
-attivi. Nmap puР scoprire questo mandando pacchetti 
-ICMP echo request ad ogni indirizzo IP sulla rete che voi
-specificate. Gli host che rispondono sono attivi. Sfortunatamente,
-alcuni siti come ad esempio microsoft.com bloccano i pacchetti
-echo-request. CosЛ nmap puР mandare anche un pacchetto ack TCP (per 
-default) alla porta 80. Se ottenenete indietro un RST, la macchina 
-Х attiva. Una terza tecnica comporta il mandare un pacchetto 
-SYN e aspettare un RST o un SYN/ACK. Per gli uttenti non-root,
-viene usato il metodo connect().
-.Sp
-Di default (per gli utenti root), nmap usa le tecniche sia ICMP 
-che ACK in parallelo. Potete cambiare questo comportamento con
-l'opzione
-.B \-P 
-descritta successivamente.
-.Sp
-Notate che il pinging comunque viene fatto di default, e solo gli 
-host che rispondono vengono sottoposti a scan. Usate questa opzione
-solo se desiderate fare un ping sweep 
-.B senza 
-fare dei reali portscan.
-.TP
-.B \-sU
-Scan UDP: Questo metodo viene usato per determinare quali porte UDP
-(User Datagram Protocol, RFC 768) sono aprte su un host. La tecnica
-Х mandare paccheti udp di 0 byte ad ogni porta sulla macchina
-destinazione. Se riceviamo un messaggio ICMP port unreachable, allora
-la porta Х chiusa. Altrimenti presumiamo che essa sia aperta.
-.Sp
-Alcune persone pensano che lo scan UDP sia inutile. Di solito ricordo
-loro il bug recente di rcpbind in Solaris. Rpcbind puР essere trovato 
-nascosto su una porta UDP non documentata a patto che essa sia maggiore 
-di 32770. Cosi' non ha importanza se la 111 Х bloccata dal firewall.
-Ma, potete trovare quali porte alte maggiori della 30.000 siano in ascolto?
-Con uno scanner UDP potete!
-Esiste anche il programma backdoor Back Orifice del cDc, che 
-si nasconde su una porta UDP configurabile sulle macchine Windows. 
-Per non parlare i vari servizi comunemente vulnerabili che utilizzano
-UDP come ad esempio snmp, tftp, NFS, ecc.
-.Sp
-Sfortunatamente lo scan UDP Х alcune volte spaventosamente lento 
-in quanto molti host implementano la proposta di limitare il tasso 
-dei messaggi di errore ICMP fornita dalla RFC 1812 (sezione 4.3.2.8).
-Per esempio, il kernel di Linux (in net/ipv4/icmp.h) limita la generazione 
-dei messaggi di destination unreachable ad 80 per 4 secondi, con una 
-penalitЮ di 1/4 di secondo se questo limite viene sorpassato.
-Solaris ha limiti piЫ stretti (circa 2 messaggi per secondo) 
-e cosi si impiega piЫ tempo per lo scan.
-.I nmap
-rileva questo tasso limitando e rallentando lo scan di conseguenza,
-piuttosto che flooddare la rete con pacchetti inutili che saranno
-ignorati dalla macchina destinazione.
-.Sp
-Come Х tipico, Microsoft ha ignorato la proposta della RFC e
-non sembra aver imposto nessun tasso di limitazione sulle macchine
-Win95 e NT. CosЛ possiamo fare lo scan di tutte le 65K porte di una
-macchina Windows 
-.B molto
-velocemente. 
-.TP
-.B \-sA
-Scan ACK: Questo metodo avanzato viene usato solitamente per scoprire
-gli insiemi delle regole dei firewall. In particolare, puР aiutare  
-determinare se un firewall sia stateful o solo un 
-semplice filtro di pacchetti che blocca i pacchetti SYN in entrata.
-.Sp
-Questo tipo di scan manda un pacchetto ACK 
-(con acknowledgement/sequence numbers apparentemente casuali)
-alle porte specificate.
-Se si ha come ritorno un RST, le porta viene classificata come
-"unfiltered" (non-filtrata).  Se non si ritorno ( o se si ha come
-ritorno un pacchetto ICMP
-unreachable), la porta viene classificata come 
-"filtered" (filtrata).  Notate che di solito 
-.I nmap
-non stampa le porte "unfiltered",
-cosЛ se 
-.B non
-otteniamo nessuna porta mostrata nell'output Х di solito un 
-segno che tutte le prove sono state portate a termine ( e hanno
-restituito dei RST). Questo scan ovviamente non mostrerЮ mai
-porte nello stato "open" (aperto).
-.TP
-.B \-sW
-Scan window: Questo scan avanzato Х molto simile allo scan ACK,
-eccetto che alcune volte puР rilevare sia le port aperte che 
-filtrate/non filtrate a causa di un'anomalia nel TCP window size
-reporting di alcuni sistemi operativi. I sistemi vulnerabili a 
-questo problema includono almeno alcune versioni di AIX, Amiga, 
-BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
-UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
-OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, e
-VxWorks.  Vedere l'archivio della mailing list 
-.I nmap-hackers 
-per un'elenco completo.
-.TP
-.B \-sR  
-Scan RPC. Questo metodo funziona in combinazione con i diversi
-metodi di port scan di Nmap. Esso prende tutte le porte TCP/UDP 
-trovate aperte e poi le flodda con comandi NULL del programma
-SunRPC nel tentativo di determinare se sono porte RCP, e se
-le sono, quale programma e numero di versione esse servono.
-In questo modo potete effettivamente ottenere le stesse informazioni
-di 'rcpinfo -p' anche se il portmapper di destinazione Х dietro
-un firewall (o protetto da TCP wrappers). I decoy non funzionano 
-allo stato attuale con lo scan RPC, in un qualche momento posso
-aggiungere il supporto per i decoy negli scan RPC UDP.
-.TP
-.B \-b <ftp relay host>
-FTP bounce attack: Una "caratteristica" interessante del protocollo
-ftp (RFC 959) Х il supporto per le connessioni ftp "proxy".
-In altre parole, io dovrei essere in grado di connettemi da evil.com
-al server FTP di target.com e richiedere che tale server mandi un 
-file OVUNQUE su internet! Ora questo poteva andare bene nel 1985 
-quando la RFC fu scritta. Ma nell'Internet di oggi non possiamo avere
-persone che fanno l'hijacking dei server ftp e che richiedono che i dati
-siano spediti a punti arbitrari su Internet. Come *Hobbit* scrisse 
-nel 1995, questo punto debole nel protocollo "puР essere usato per 
-postare mail e news virtualmente irritracciabili, riempire i dischi,
-provare a scavalcare i firewall, e generalmente Х fastidioso e difficile
-da rintracciare allo stesso tempo."
-Noi sfrutteremo questo problema per (sorpesa,sopresa) fare lo scan delle 
-porte TCP da un server ftp "proxy". Cosi potrete collegarvi a un 
-server ftp dietro un firewall, e poi dare lo scan di porte che
-sono molto probabilmente bloccate (la 139 Х una porta buona). 
-Se il server ftp permette la lettura da e la scrittura a 
-qualche directory (come ad esempio /incoming), potete mandare 
-dati arbitrari  porte che trovate aperte (anche se 
-nmap non fa questo per voi).
-.Sp
-L'argomento passato all'opzione 'b' Х l'host che volete 
-usare come proxy, in una notazione standard URL. Il formato Х:
-.I username:password@server:porta.  
-Tutto tranne il
-.I server
-Х opzionale. Per determinare quali server siano vulenrabili a 
-questo attacco, potete vedere il mio articolo in
-.I Phrack
-51.  E una versione aggiornata Х disponibili all'URL di
-.I nmap
-(http://www.insecure.org/nmap)
-.TP
-.B OPZIONI GENERALI
-Nessuna di queste opzioni Х richiesta ma alcune possono essere abbastanza utili
-.TP
-.B \-P0
-Non provare e fare il ping degli host completo prima di fare 
-lo scan degli stessi. Queso permette lo scan di reti che non
-permettono ICMP echo request (o risposte) attraverso il loro 
-firewall.
-microsoft.com Х un esempio di tale rete, cosЛ dovreste sempre
-usare
-.B \-P0
-o
-.B \-PT80
-quando fate il portscan di microsoft.com
-.TP
-.B \-PT
-Usate il "ping" TCP per determinare quali host sono attivi.
-Invece di mandare pacchetti ICMP echo request e aspettare una 
-risposta, mandiamo pacchetti TCP ACK attraverso la rete 
-destinazione (o a una macchina singola) e poi aspettiamo 
-le risposte per ottenere informazioni sull'host. Gli host 
-che sono attivi dovrebbero rispondere con un RST. Questa 
-opzione preserva l'efficenza dell'esaminare solo host che
-sono attivi permettendovi anche di fare lo scan di reti/host
-che bloccno i pacchetti ping. Per gli utenti non root, usiamo
-la funzione connect(). Per impostare la porta di destinazione
-dei pacchetti di prova usiamo -PT<numero porta>. La porta di
-default Х la 80, in quanto questa porta spesso non Х filtrata.
-.TP
-.B \-PS
-Questa opzione usa dei pacchetti SYN (richiesta di connessione)
-invece dei pacchetti ACK per gli utenti root. Gli host che sono
-attivi dovrebbero rispondere con un RST (o, raramente con un SYN|ACK).
-.TP 
-.B \-PI
-Questa opzione usa un vero pacchetto ping (ICMP echo request).
-Esso trova gli host che sono attivi e cerca anche nella vostra
-rete indirizzi broadcast orientati alla sottorete. Questi sono
-indirizzi IP che sono esternamente raggiungibili e traduce a 
-un broadcast di pacchetti in entrata a una sottorete di computer.
-Questi dovrebbero essere eliminati se scoperti in quanto permettono
-numerosi attacchi denial of service (Smurf Х il piЫ comune).
-.TP
-.B \-PB
-Questo Х il tipo di ping di default. Esso usa gli sweep ACK (
-.B \-PT
-) e ICMP (
-.B \-PI
-) in parallelo.  In questo modo potete rilevare i firewall che filtrano 
-uno dei due (ma non entrambe).
-.TP
-.B \-O
-Questa opzione attiva l'identificazione dell'host remoto via 
-TCP/IP fingerprinting.  In altre parole, usa un'insieme di 
-tecniche per rilevare le sottigliezze nello strato sottostante 
-dello stack di rete del sistema operativo del computer sottoposto
-a scan. Usa questa informazione per creare una 'impronta'
-.I (fingerprint)
-che viene confrontata con il suo database di impronte note relative
-ai vari S.O. (il file nmap-os-fingerprints) per decidere a quale 
-tipo di sistema state facendo lo scan.
-.Sp
-Se trovate una macchina che Х mal diagnosticata e ha almeno
-una porta aperta, sarebbe utile se voi mi madate via mail i
-dettagli (per esempio il S.O pippo versione numero Х stato rilevato
-come S.O. pluto versione numero1). Se trovate una macchina 
-con almeno una porta aperta con almeno una porta aperta per
-quale nmap dice 'unknown operating system' (sistema operativo 
-sconosciuto), allora sarebbe utile se mi mandaste l'indirizzo IP
-assieme con il nome del S.O. e il numero di versione. Se non 
-potete mandarmi l'indirizzo IP, la cosa migliore da fare Х 
-di eseguire nmap con l'opzione
-.B \-d
-e mandarmi le tre fingerprint che dovreste ottenere assieme
-al nome del S.O. e il numero di versione. Facendo questo 
-voi contribuite all'elenco dei sistemi operativi conosciuti ad
-nmap e cosЛ tale elenco sarЮ piЫ accurato per tutti.
-.TP
-.B \-I
-Questa opzione abilita lo scanning TCP reverse ident. Come 
-notato da Dave Goldsmith in un post del 1996 a BugTraq, il
-protocollo ident (rfc 1413) permette di scoprire il nome
-dell'utente appartenente ad ogni processo connesso via TCP,
-anche se il processo non ha iniziato una connessione. CosЛ
-potete, per esempio collegarvi alla porta http e poi usare
-identd per scoprire se il server Х in esecuzione con i 
-diritti di root. Questo scan puР essere fatto solo con una 
-connessione TCP completa alla porta destinazione (per esempio
-con l'opzione -sT). Quando viene usata l'opzione 
-.B \-I
-l'identd dell'host remoto viene interrogato per ogni porta 
-aperta. Ovviamente questo scan non funziona se nell'host
-non Х in esecuzione identd.
-.TP
-.B \-f
-Questa opzione provoca gli scan SYN, FIN, XMAS, o  NULL
-ad usare minuscoli pacchetti IP frammentati. L'idea Х di
-suddividere l'header TCP in diversi pacchetti per rendere
-piЫ difficile ai filtri di pacchetti (packet filters), 
-ai sistemi di rilevamento delle intrusioni (IDS), e
-altre seccature rilevare quello che state facendo.
-State attenti con questa opzione! Alcuni programmi hanno 
-problemi nella gestione di questi pacchetti minuscoli.
-Il mio sniffer preferito Х andato in segmentation fault 
-immediatamente dopo aver ricevuto il primo frammento
-di 36-byte. Dopo quello ne viene mandato un'altro da 
-24 byte! Sebbene questo metodo non passerЮ i filtri di 
-pacchetto e firewall che mettono in coda tutti i frammenti
-IP (come l'opzione CONFIG_IP_ALWAYS_DEFRAG nel kernel Linux), 
-alcune reti non possono permettersi l'abbattimento 
-delle prestazioni che questa opzioni causa e cosЛ la lasciano
-disabilitata.
-.Sp
-Notate che non ho ancora questa opzione funzionante su tutti
-i sistemi. Funziona bene per le mie mcchine Linux, FreeBSD, e
-OpenBSD e alcune persone hanno r con altre varianti *NIX.
-.TP
-.B \-v
-ModalitЮ verbose. Questa Х un'opzione altamente raccomandata 
-e da molte piЫ informazioni su quello che sta accadendo. 
-Potete usarla due volte per ottendere maggiori effetti. Usate
-.B \-d
-un paio di volte se volete realmente impazzire con lo scrolling dello
-schermo!
-.TP
-.B \-h
-Questa comoda opzione mostra una schermata di riferimento 
-rapido sulle opzioni di utilizzo di nmap. Come potete aver notato,
-questa man page non Х esattamente un 'riferimento rapido' :)
-.TP
-.B \-oN <nomefiledilog>
-Questa opzione logga i risultati dei vostri scan nella normale forma
-.B  chiaramente leggibile
-nel file che specificate come argomento.
-.TP
-.B \-oM <nomefiledilog>
-Questa opzione logga i risultati dei vostri scan nella forma 
-.B analizzabile dalla macchina
-nel file che specificate come argomento. Potete dare l'argomento
-\'-\' (senza apici) per inviare l'output allo stdout 
-(per fare shell pipe, ecc.). In questo caso l'output normale 
-sarЮ sopresso. Controllate i messaggi di errore se usate 
-quest'ultima possibilitЮ (essi andranno ancora allo stderr).
-Notate anche che \'-v\' farЮ in modo che informazioni extra
-vengano stampate.
-.TP
-.B \-oS <nomefiledilog>
-QuEsT0 l0gGa | rIsUlTaT| d3i v0sTr| Scanz iN 
-UnA f0rMa
-.B s|<ipT kiDd|3  
-n3L fiL3  sPec\|fiCaT0 C0mE arGuMEnT0!  
-P0t3t3 Dar3 L'Arg0M3nt0 \'-\' (s3Nza Virg0L3Tt3) 
-p3R mAnDAr3 L'0uTput n3ll0 stDouT!@!!
-.TP
-.B \--resume <nomefiledilog>
-Uno scan di rete che Х stato cancellato a causa di un control-C,
-problemi di rete, ecc. puР essere riprestinto usando questa opzione.
-Il nomefiledilog deve essere o un log normale (-oN) o un log
-analizzabile dalla macchina (-oM) dello scan interrotto.
-Nessun'altra opzione deve essere data (le opzioni saranno le stesse
-dello scan interrotto).
-Nmap inizierЮ a fare lo scan sulla macchina posta dopo l'ultima 
-macchina di cui Х stato fatto lo scan nel file di log.
-.TP
-.B \-iL <nomedelfilediinput>
-Legge le specifiche della destinazione da un file specificato
-PIUTTOSTO che da linea di comando. Il file dovrebbe contenere
-una lista di host o espressioni di rete separate da spazi,
-caratteri di tabulazione, o newline. Usate una linea trattegiata
-(-) come 
-.I nomedelfilediinput 
-se volte che nmap legga le espressioni dell'host dallo stdin
-(come alla fine di una pipe). Vedere la sezione 
-.I specifica della destinazione
-per ulteriori informazioni sulle espressioni con le quali 
-potete riempire il file.
-.TP
-.B \-iR
-Questa opzioni dicono ad Nmap di generare i propri host da 
-esaminare prendendo semplicemente numeri casuali :). Non 
-terminerЮ main. Questa opzione puР essere utile per campionamenti
-statistici di Internet per stimare diverse cose. Se siete 
-veramente annoiati, provate
-.I nmap \-sS \-iR \-p 80
-per trovare dei web server da guardare.
-.TP
-.B \-p <intervallo di porte>
-Questa opzione specifica quali porte volete specificare. Per
-esempio con '-p 23' Nmap proverЮ la porta 23 del/degli host
-destinazione.
-Con \'\-p 20-30,139,60000-\' Nmap farЮ lo scan delle porte 
-tra 20 e 30, la porta 139, e tutte le porte maggiori di 60000.
-Di default Nmap fa lo scan sia di tutte le porte tra 1 e 1024
-che di ogni porta elencata nel file services fornito con nmap.
-.TP
-.B \-F ModalitЮ di scan veloce.
-Specifica che desiderate esaminare solo le porte elencate nel
-file servizi fornito con nmap. Questo tipo di scan Х ovviamente
-piЫ veloce di fare lo scan di tutte le 65535 porte di un host.
-.TP
-.B \-D <decoy1 [,decoy2][,ME],...>
-Causa lo svolgimento di uno scan decoy, che fa in modo che 
-all'host remoto posto sotto scan appaiano anche lo/gli host che 
-specificate come decoy (esche). CosЛ i loro IDS potrebbero
-riportare 5-10 port scan da un unico indirizzo IP, ma non sanno
-quale IP stava effettuando lo scn e quali sono innocenti decoy.
-Sebbene questo scan possa essere sconfitto attraverso il
-router path tracing, il response-dropping e altri meccanismi "attivi",
-Х generalmente una tecnica estremamente efficace per nascondere il
-vostro indirizzo IP.
-.Sp
-Separate ciascun host decoy con virgole, e potete opzionalmente
-usare 'ME' come uno dei decoy per rappresentare la posizione 
-nella quale volete il vostro indirizzo IP venga usato.
-Se mettete 'ME' nella sesta posizione o oltre, per alcuni 
-rilevatori di portscan comuni (come ad esempio l'eccellente 
-scanlogd di Solar Designer) Х molto poco probabile che 
-mostrino il vostro indirizzo IP. Se non usate 'ME', nmap
-lo porrЮ in una posizione casuale.
-.Sp
-Notate che gli host che usate come decoy dovrebbero essere
-attivi o potreste accidentalmente fare il SYN flood delle
-destinazioni. Dovrebbe essere anche abbastanza semplice 
-determinare quale host Х sottoposto a scan se uno solo Х
-allo stato attuale attivo sulla rete. Potreste voler usare
-gli indirizzi IP invece dei nomi (in questo modo le rete dei
-decoy non vi vedono nei log dei loro nameserver).
-.Sp
-Notate anche che alcuni "rilevatori di port scan" (stupidi)
-firewalleranno/negheranno il routing agli host che provano
-a fare il portscan. CosЛ potreste inavvertitamente causare
-alla macchina sottoposta a scan la perdita di connettivitЮ
-con le macchine decoy che state usando,
-Questo potrebbe causare alle macchine target maggiori problemi
-se il decoy, Х diciamo, il suo gateway internet o anche "localhost".
-CosЛ potreste voler essere prundenti con questa opzione. 
-La vera morale della storia Х che i rilevatori dei portscan 
-spoofabili non dovrebbero agire contro la macchina che a loro
-sembra stia eseguendo lo scan. Potrebbe essere solo un decoy!
-.Sp
-I decoy sono usati sia nello scan ping iniziale (usando ICMP,
-SYN, ACK, o altro) e durante la fase attuale fase di port 
-scanning. I decoy sono anche usate durante il rilevamento
-remoto del S.O. (
-.B \-O
-).
-.Sp 
-Vale la pena notare che usare troppi decoy puР rallentare il
-vostro scan e renderlo potenzialmente anche meno accurato. 
-Inoltre, alcuni ISP filtreranno i vostri pacchetti spoofati,
-sebbene molti (attualmente la maggior parte) non 
-restringono i pacchetti IP spoffati completamente.
-.TP
-.B \-S <Indirizzo_IP>
-In alcune circostanze,
-.I nmap
-puР non essere in grado di determinare il vostro indirizzo sorgente (
-.I nmap 
-vi informerЮ se questo Х il caso).  In questa situazione, usate
-\-S con il vostro indirizzo IP (dell'interfaccia mediante la quale 
-desiderate mandare i pacchetti).
-.Sp
-Un'altro possibile uso di questo flag Х di spooffare lo scan
-per fare in modo che le destinazioni pensino che
-.B qualcun altro
-le stia scannando.
-Immaginate una societЮ sulla quale un'altra rivale fa ripetutamente
-dei port scan!. Questo non Х un utilizzo supportato ( o lo scopo 
-principale) di questo flag. Ho giЮ pensato che questo flag
-avanza una interessante possibilitЮ di cui le persone dovrebbero
-essere consapevoli prima che vadano accusando altri di fare 
-lo portscanning contro di loro.
-.B \-e
-sarebbe generalmente richiesta per questo tipo di utilizzo.
-.TP
-.B \-e <interfaccia
-Dice ad nmap su quale interfaccia mandare e ricevere i pacchetti.
-Nmap dovrebbe essere ingrado di rilevare tale interfaccia, ma
-questa opzione permette di dirgliela se non Х in grado.
-.TP
-.B \-g <numeroporta>
-Imposta il numero di porta sorgente usata negli scan. Molti 
-firewall nativi e installzioni di filtri di pacchetti fanno 
-un'eccezione nel loro insieme di regole per permettere ai
-pacchetti DNS (53) o FTP-DATA (20) di passare attraverso e 
-stabilire una connessione. Ovviamente questo sovverte i 
-vantaggi di sicurezza di un firewall in quanto gli intrusi
-possono mascherarsi come FTP o DNS modificando la loro porta
-sorgente.
-Ovviamente per uno scan UDP dovreste prima provare uno scan UDP
-e gli scan TCP dovrebbero trovare 20 prima di 53.
-Notate che questa Х solo una richiesta -- nmap la onorerЮ solo
-se Х in grado di farlo. Per esempio, non potete fare il campionamento
-TCP ISN da un host:porta a un'altro host:porta, cosЛ 
-nmap cambia la porta sorgente anche se avete usato -g. 
-.Sp
-Rendetevi conto che usando questa opzione v'Х una lieve 
-penalitЮ nelle prestazione, perchХ alcune volte io memorizzo
-informazioni utili nel numero della porta sorgente.
-.TP
-.B \-r
-Dice ad Nmap
-.B DI NON 
-rendere casuale l'ordine nel quale le porte sono esaminate.
-.TP
-.B \-\-randomize_hosts
-Dice ad Nmap di mescolare ciascun gruppo di host, fino a 2048 
-host prima di farne lo scanner. Questo puР renedere gli scan 
-meno ovvi ai diversi sistemi di monitoraggio della rete, 
-specialmente quando lo combinare con opzioni di timing 
-lente (vedere sotto).
-.TP
-.B \-M <max sockets>
-Imposta il numero massimo di socket che saranno usati in 
-parallelo per uno scan TCP connect() (lo scan di default).
-Questa opzione Х utile per rallentare di poco lo scan e evitare
-il crash delle macchine remote. Un'altro approccio Х usare 
-\-sS, opzione che Х generalmente piЫ semplice da gestire le 
-le macchine.
-.TP
-.B OPZIONI DI TIMING
-Generalmente Nmap fa un ottimo lavoro nell'adattarsi alle
-caratteristiche di rete a run-time e fare lo scan tanto veloce
-quanto possibile minimizando le possibilitЮ che degli host/ delle
-porte rimangano non rilevate. Comunque, possono esservi casi lo 
-stesso in qui l politica di timing impostata di default possa
-non incontrare i vostri obiettivi. Le seguenti opzioni forniscono
-un buon livello di controllo sul timing di uno scan:
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-
-Queste sono possibili politiche di timing per esprimere 
-convenientemente le vostre prioritЮ ad Nmap.
-
-La modalitЮ 
-.B Paranoid 
-fa gli scan
-.B molto
-lentamente nella speranza di evitare il rilevamento dai sistemi IDS.
-Essa serializza tutti gli scan (nessuno scanning parallelo) e 
-generalmente aspetta almeno 5 minuti tra i pacchetti mandati.
-.B Sneaky 
-Х simile, eccetto che aspetta solo 15 secondi tra i pacchetti mandati.  
-.B Polite
-Х stato pensata per facilitare il carico sulla reta e ridurre le
-possibilitЮ di mandare in crash le macchine. Serializza le prove 
-e aspetta 
-.B almeno
-0.4 secondi tra esse.  
-.B Normal
-Х il comportamento di default di Nmap, che prova a fare gli scan
-tanto velocemente quanto gli Х possibile senza sovracaricare la
-rete o mancare degli host/delle porte.
-La modalitЮ
-.B Aggressive
-aggiunge un timeout di 5 minuti per host e non aspetta mai
-piЫ di 1.25 secondi per le risposte di prova.
-.B Insane 
-Х solo adatto per reti molto veloci o dove non vi importa
-la perditЮ di alcune informazioni. Manda in time out gli 
-host in 75 secondi e aspetta solo 0.3 per le prove individuali.
-Pero non permette sweep di rete molto veloci :). Potete anche
-fare riferimento a questi numeri. Per esempio, \'-T
-0\' vi da la modalitЮ Paranoid e \'-T 5\' Х la modalitЮ Insane.
-.Sp
-Queste possibili modalitЮ di timing NON dovrebbe essere usata con
-i controlli a basso livello dati sotto.
-.TP
-.B --host_timeout <millisecondi>
-Specifica la quantitЮ di tempo, permessa ad Nmap per
-fare lo scan di un singolo host prima di terminare lo 
-scan su quel dato IP. La modalitЮ di timing impostata 
-per default non ha host timeout.
-.TP
-.B --max_rtt_timeout <millisecondi>
-Specifica la somma massima di tempo permessa ad Nmap per
-aspettare un risultato di una prova prima di ritrasmettere 
-o mandare in time-out quella prova particolare. La modalitЮ
-di default imposta questo limite a circa 9000 ms.
-.TP
-.B --min_rtt_timeout <millisecondi>
-Quando gli host destinazione iniziano a stabilire un pattern
-di risposta molto velocemente, Nmap diminuirЮ la somma di tempo
-data per prova. Questo velocizza lo scan, ma puР condurre a 
-pacchetti mancati quando una risposta impiega di piЫ del solito.
-Con questo parametro potete garantire che Nmap aspetterЮ 
-al meno la data quantitЮ di tempo prima di terminare una prova.
-.TP
-.B --initial_rtt_timeout <millisecondi>
-Specifica il timeout iniziale di prova. Questo Х generalmente
-utile solo quando fate lo scan di host firewallati con -P0. 
-Normalmente Nmap puР ottenere buone stime RTT dal ping e dalle
-prime prove. La modalitЮ di default usa 6000.
-.TP
-.B --max_parallelism <numero>
-Specifica il massimo numero di scan da svolgere
-in parallelo, che Х permesso a Nmap. Se impostate questo a 1
-Nmap non proverЮ mai ad esaminare piЫ di una porta alla volta.
-Questa opzione ha effetto anche sugli altri scan paralleli come
-i ping sweep, lo scan RPC, ecc.
-.TP
-.B --scan_delay <millisecondi>
-Specifica la quantitЮ di tempo 
-.B minima
-nella quale Nmap deve aspettare tra le prove.  Questa opzione
-Х utile principalmente per ridurre il carico di rete o per 
-rallentare il metodo di scan per penetrare furtivamente 
-sotto le soglie degli IDS.
-
-.SH SPECIFICA DELLA DESTINAZIONE
-Tutto ciР che non Х un'opzione (o un argomenti di un'opzione) 
-viene trattato in nmap come specifica dell'host destinazione.
-Il caso piЫ semplice Х elencare hostname singoli o indirizzi IP 
-sulla linea di comando. Se volete fare lo scan di una sottorete
-di indirizzi IP, potete aggiungere
-.B '/mask' 
-al nome host 
-o all'indirizzo IP
-.B mask 
-deve essere compreso tra 0 (fai lo scan dell'intera internet)
-e 32 (fai lo scan del singolo host specificato). Usate /24 per 
-fare lo scan di un indirizzo di classe 'C' e /16 per fare lo scan
-di un indirizzo di classe 'B'.
-.Sp
-Nmap ha anche un notazione piЫ potente che vi permette di
-specificare un indirizzo IP usando liste/intervalli per ogni
-elemento. Cosi potete fare lo scan dell'intera rete classe 'B' 
-128.210.*.* specificando '128.210.*.*' o '128.210.0-255.0-255' o
-anche '128.210.1-50,51-255.1,2,3,4,5-255'.  E certamente potete 
-usare la notazione maschera: '128.210.0.0/16'. Queste sono tutte
-equivalenti. Se usate asterischi ('*'), ricordatevi che la maggior
-parte delle shell vi richiedono che voi ne facciate l'escape con 
-le backslashes o li proteggiate con gli apici.
-.Sp
-Un'altra cosa interessante da fare Х quantizzare Internet
-in un'altro modo. Invece di fare lo scan di tutti gli host 
-in una classe 'B', fate lo scan '*.*.5.6-7' per esaminare 
-ogni indirizzo IP che finisce in .5.6 o .5.7. Decidete i 
-voi i vostri numeri. Per ulteriori informazioni sulla
-specifica degli host su cui fare lo scan, vedere la sezione
-.I esempi
-.SH ESEMPI
-Ecco qui vi sono alcuni esempi di utilizzo per nmap, da quelli
-semplici e normali a quelli piЫ complessi/esoterici. Notate che
-numeri attuali e alcuni nomi di dominio attuali sono stati usati 
-per rendere le cose piЫ concrete. Al loro posto dovreste sostituire
-gli indirizzi/nome della 
-.B vostra rete.
-Non penso che fare il portscanning di altre reti sia illegale;
-i portscan non dovrebbero essere interpretati dagli altri
-come un attacco. Ho fatto lo scan di centinaia di migliaia
-di macchine e ho ricevuto solo una lamentela. Ma non sono un 
-avvocato e alcune persone (anali) protrebbero essere infastidite
-dalle prove con
-.I nmap.
-Ottete il permesso prima o usatelo a vostro rischio.
-.Sp
-.B nmap -v destinazione.esempio.com
-.Sp
-Questa opzione fa lo scan di tutte le porte riservate TCP sulla
-macchina destinazione.esempio.com. Il \-v significa aabilita 
-la modalitЮ verbose.
-.Sp
-.B nmap -sS -O destinazione.esempio.com/24
-.Sp
-Lancia uno scan SYN invisibile (stealth) contro ogni macchina 
-che Х attiva compresa nelle 255 macchine della classe 'C' dove
-destinazione.esempio.com risiede. Prova anche a determinare 
-quale sistema opertivo Х in esecuzione su ciascun host 
-che Х attivo.
-Questo scan richiede i privilegi di root a causa dello scan
-SYN ed del rilevamento del S.O.
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 "128.210.*.1-127"
-.Sp
-Manda uno scan Xmas tree alla prima meta di ciascuno delle
-possibili sottoreti a 8 bit nello spazio di indirizzo classe
-'B' 128.210.
-Stiamo testando se i sistemi hanno in esecuzione sshd, DNS,
-pop3d, imapd, o la porta 4564 aperta.  
-Notate che lo scan Xmas non funziona sulle macchine Microsoft
-a causa del loro stack TCP deficente.
-Lo stesso vale per le macchine CISCO, IRIX, HP/UX, e BSDI.
-.Sp
-.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
-.Sp
-Piuttosto che concentrarsi su un'intervallo IP specifico, 
-alcune volte Х interessante suddividere in parti l'intera Internet 
-e fare lo scan di una piccola parte. Questo comando trova 
-tutti i server web sulle macchine con gli indirizzi IP che 
-terminano in .2.3, .2.4, o .2.5. Se siete root potrete allo
-stesso modo aggiungere -sS. Potrete anche trovare macchine 
-piЫ interessanti che iniziano con 127. cosi potreste voler usare
-'127-222' invece dei primi asterischi perche quella sezione ha 
-una maggior densitЮ di macchine interessanti (IMHO).
-.Sp
-.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
-.Sp
-Fa un DNS zone tranfer per trovare gli host in company.com 
-e poi da in pasto gli indirizzi IP a
-.I nmap.
-I comandi sopra visti sono per la mia macchina GNU/Linux. 
-Potreste aver bisogno di diversi comandi/opzioni su altri
-sistemi operativi.
-.SH BUGS 
-Bugs?  Che bugs?  Mandatemeli se li trovate. Anche patch sono 
-gradite :) Ricordate anche di mandare i fingerprint per i nuovi
-S.O. cosЛ possiamo far crescere il database. Nmap vi darЮ una 
-URL di submission quando Х stata trovata un'appropriata fingerprint.
-.SH AUTORE
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH DISTRIBUZIONE
-La piЫ recente distribuzione di nmap 
-.I nmap
-puo' essere ottenuta al
-.I http://www.insecure.org/nmap/
-.Sp
-.I nmap 
-is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
-.Sp
-.I libpcap
-viene anche distribuita assieme ad nmap. Il suo copyright 
-Х detenuto da Van Jacobson, Craig Leres and Steven McCanne, 
-tutti del Lawrence Berkeley National Laboratory, UniversitЮ 
-della California, Berkeley, CA.  
-La versione distributa con nmap puР essere stata modificata
-i sorgenti originali sono disponibili al
-ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
-.Sp
-Questo programma Х software libero; potete ridistribuirlo e/o
-modificarlo rispettando i termini della GNU General Public 
-License com pubblicata dalla Free Software Foundation;
-Versione 2. Questa garantisce i vostri diritti di usare, modificare 
-e ridistribuire Nmap sotto certe condizioni. Se questa licenza
-Х per voi inaccettabile, Insecure.Org puР essere in grado di 
-vendervi licenze alternative (contattate fyodor@insecure.org).
-.Sp
-Il sorgente viene fornito con questo software perchХ crediamo
-che gli utenti abbiano il diritto di sapere cosa esattamente
-un programma ha intenzione di fare prima di eseguirlo.
-Questo potrebbe anche permettevi di correggere di testare il
-software per buchi alla sicurezza (non ne sono stati trovati 
-da molto).
-.Sp
-Il codice sorgente vi permette anche di fare il port di nmap
-a nuove architetture, fissare i bug, e aggiungere nuove
-caratteristiche. Siete fortemente incoraggiati di mandare i
-vostri cambi a Fyodor per la possibile inclusione nella
-distribuzione principale di Nmap. Mandando questi cambi
-a Fyodor, o a nmap-hackers, si assume che voi stiate offrendo
-a Fyodor il diritto illimitato, non esclusivo di riusare,
-di modificare, e porre sotto nuova licenza il codice.
-Se desiderate specificare condizioni speciali per la licenza
-dei vostri contributi, dichiarateli prima sul contributo stesso.
-.Sp
-Questo programma Х distribuito nella speranza che sia utile, ma
-.B SENZA ALCUNA GARANZIA;
-senza anche l'implicita garanzia di
-.B COMMERCIABILITA'
-o
-.B ADEGUATEZZA AD UNO SCOPO PARTICOLARE.
-Vedere la GNU Public License per ulteriori dettagli (essa Х nel file
-COPYING della distribuzione di
-.I nmap
-).  
-.Sp
-Si dovrebbe notare che Nmap puР mandare in crash determinate
-applicazioni mal progettate, stack TCP/IP, e anche 
-sistemi operativi.
-.B Nmap non dovrebbe mai essere eseguito contro sistemi, 
-che hanno compiti critici (detti anche mission critical systems) 
-a meno che non siate preparati a tollerare 
-il tempo in cui essi siano disattivi.
-Qui riconosciamo che Nmap puР mandare in crash i vostri sistemi o 
-reti e non ci assumiamo nessuna responabilitЮ per ogni danno o 
-problema che Nmap potrebbe causare.
-.Sp
-Tutte le versioni di Nmap a partire dalla 2.0 inclusa
-non presentano problemi in tutti i loro aspetti
-con il bug dell'anno 2000 (Y2K bug).
-Non esiste nessuna ragione di credere che le versioni 
-precedenti alla 2.0 siano suscettibili a tale problema,
-ma non sono state testate.
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/docs/nmap_latvian.1 b/docs/nmap_latvian.1
deleted file mode 100644
index 331336a0e..000000000
--- a/docs/nmap_latvian.1
+++ /dev/null
@@ -1,389 +0,0 @@
-.\" This definition swiped from the gcc(1) man page
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH VбRDS
-nmap \- Network exploration tool and security scanner
-.SH NOSAUKUMS
-.B nmap
-[skanГПanas metode(s)] [opcijas] <host vai tНkls#1...[#N]>
-.SH APRAKSTS
-
-.I Ar Nmap var skanГt neierobeЧotu daudzumu un lielumu tНklus, noteikt to droПНbas pakБpi, apzinБt atvГrtos portus, kБ arН atbilstoПo servisu esamНbu. пН uzdevuma НstenoПanai Nmap izmanto daudz daЧБdas skanГПanas metodes, kБ piemГram UDP, TCP connect(), TCP SYN, FTP proxy (skanГПana caur ftp), Reverse-ident, ICMP (ping) FIN, ACK, Xmas tree, SYN, NULL metodes. TuvБk tБs apskatНtas nodaОБ "SkanГПanas opcijas". 
-.I Nmap satur daudz daЧБdas papildus iespГjas, konkrГtБk: datora operГtБjsistГmas noteikПana (tБlБk tekstБ OS) izmantojot TCP/IP steka sniegto informБciju, "neredzamo" skanГПanu, dinamiski ЛenerГtas aiztures un atkБrtota pakeПu pБrraidНПana, paralГlБ skanГПana, neaktНva host`a noteikПana izmantojot paralГlo ping pieprasНjumu, skanГПana no neeksistГjoПiem hostiem, noteikt pakeПu filtru esamНbu, tieПБ (neizmantojot portmapper) RPC skanГПana, skanГПana izmantojot IP-fragmentБciju. 
-
-
-.I Kaut arН Nmap ir maksimБli optimizГts priekП parastiem lietotБjiem, daudzas tБ iespГjas ir atОautas tikai root lietotБjam. Ieteicam Nmap laist ar root tiesНbБm. 
-
-
-.PP
-Nmap rezultБti tiek izvadНti kБ interesГjoПo portu saraksts uz skanГtБ kompjШtera, protokola tips, servisa nosaukums. Portiem klБt ir apzНmГjumi "atvГrts" (open), "filtrГts" (filtered), "nefiltrГts" (unfiltered). "atvГrts" nozНmГ, ka Пim portam var pieslГgties, "filtrГts" - ugunsmШris (firewall) pakeПu filtrs , vai kБds cits apstБklis neОauj Nmap noteikt, vai ports ir atvГrts vai nГ, "nefiltrГts" - ports ir aizvГrts, lai gan nekas netraucГja Nmap to skanГt. 
-
-
-.PP
-AtkarНbБ no dotajБm komandБm, Nmap spГj noteikt ПБdas skanГjamБ host`a НpaПНbas: lietotБja OS, TCP ISN ЛenerГПanas metodi, lietotБja vБrdu (username) kam "pieder" noteikts serviss, DNS nosaukumu u.t.t. 
-
-
-.SH OPCIJAS
-Vairumu opciju ir iespГjams kombinГt savБ starpБ.Vienas opcijas paredzГtas priekП skanГПanas metoЧu izvГlГs, citas savukБrt atbild par daЧБdu papildus iespГju izmantoПanu, vai arН atbild par daЧБdiem skanГПanas parametriem. PalaiЧot programmu Nmap ar opciju '-h' vienmГr ir iespГjams iegШt informБciju par visБm tБs iespГjБm. 
-.TP
-.B SKANгпANAS VEIDI
-.TP
-.B \-sS
-(scan SYN) - Izmantot TCP SYN metodi. пo metodi sauc par "pusatverto" skanГПanu, jo pilnНgs savienojums ar attБlinБtБ datora portu nenotiek. Nmap nosШta SYN paketi, itkБ pieprasot nodibinБt savienojumu un gaida attБlinБtБs sistГmas atbildi. Atbildot sistГma nosШta paketi ar SYN|ACK marМГjumu (flag), ka ir gatava nodibinБt savienojumu. Kad Nmap saРem SYN|ACK paketi, atpakaО nekavГjoties tiek nosШtНta RST pakete liekot saprast attБlinБtajai sistГmai, ka nevГlas nodibinБt vГl neveikto savienojumu. Ne visas sistГmas fiksГ ПБda tipa skanГПanu. LietotБjam vajadzНgas root tiesНbas, lai varГtu izveidot SYN paketes. 
-.Sp
-Lai paБtrinБtu skanГПanu, skanГjot lielus tНklus, kopБ ar opciju '-sS' var lietot saНsinБjumu, kurП atОauj pieprasНt norБdНto portu visБm aktНvajБm sistГmБm jШsu skanГtajБ diapazonБ daudz БtrБk, nekБ izmantojot tikai '-p' opciju. To var izdarНt ar saНsinБjuma -PS palНdzНbu. PiemГram, ja ir nepiecieПamНba noteik, cik sistГmas noteiktБ diapazonБ ir atvГruПas 25 portu jums ieteicams lietot Пo saНsinБjumu. (piem): 
-
-nmap -n -sS -p25 -PS25 24.0.0.0/8 
-
-
-
-.TP
-.B \-sT 
-(scan TCP) - izmanto TCP connect() metodi. пН ir visizplatНtБkБ TCP portu skanГПanas metode. Funkcija connect(), ir iekОauta jebkurБ OS, tБdejБdi atОaujot Нstenot savienojumus ar vienalga kБdu attБlinБtБs sistГmas portu. Ja skanГjamais ports uz attБlinБtБs sistГmas bШs pieejams, tad funkcija connect() noritГs veiksmНgi, pretГjБ gadНjumБ ports skaitБs slГgts, vai arН aizsargБts ar ugunsmШri, vai ko tamlНdzНgu. 
-
-.Sp
-Lai izmantotu Пo skanГПanas metodi, lietotБjam nav vajadzНgas t.s. priviliЛГtБs tiesНbas. пБdu skanГПanu Оoti viegli konstatГ skanГjamБ datorБ НpБПnieks, jo viss tiek akurБti ierakstНts log failБ. 
-
-
-.TP
-.B \-sF \-sX \-sN 
-(scan FIN, scan Xmas, scan NULL) - "neredzamБ" FIN, Xmas Tree un NULL skanГПana. пo metodi lieto, ja SYN skanГПana kБdu iemeslu dГО nav iespГjama. PiemГram daЧi ugunsmШri filtrГ SYN paketes, kas tiek nosШtНtas uz viРu aizsargБtajiem portiem, un tБdas programmas kБ Synlogger spГjНgas fiksГt SYN skanГПanas mГЛinБjumu. 
-
-.Sp
-DotБs skanГПanas laikБ notiek sekojoПais. FIN skanГПanu veic ar FIN paketГm. Xmas Tree izmanto FIN|URG|PSH paketes, NULL skanГПanas gadНjumБ tiek nosШtНtas nemarМГtas paketes. Vadoties pГc RFC 973 rakstНtБ, skanГjamБs sistГmas OS ir jБatbild uz ПБda veida paketГm, no slГgtiem portiem ar RST paketi, tajБ paПБ laikБ atvГrtie porti Пo nemarМГto paketi ignorГ. 
-KБ vienmГr Microsoft Windows izstrБdБtБji nerГМinБs ar pieРemto standartu, tБdГО Пi skanГПanas metode bШs neefektНva skanГjot jebkuru sistГmu, kas izmanto Microsoft veidotБs OS. Ja FIN skanГПanas rezultБtБ, tiek izmests atvГrto portu saraksts, tad attБlinБtБs sistГmas OS nav Windows. Ja visas ПНs metodes izmet paziРojumu, ka visi porti slГgti, turpretНm SYN skanГПana atklБj atvГrtus portus, tad visticamБk attБlinБtБs sistГmas OS ir Windows. JБpiebilst, ka Windows nav vienНgБ OS, kura satur Пo nepilnНbu. Pie ПБda tipa OS var pieskaitНt arН Cisco, BSDI, IRIX, HP/UX un MVS. Visas Пis OS neatbild nemarМГtБm paketГm. 
-
-
-.TP
-.B \-sP
-scan Ping) - ping "skanГПana". DaЧreiz ir nepiecieПamНba uzzinБt tikai aktНvo hostu adreses. Nmap to spГj izdarНt, nosШtot ICMP ECHO pieprasНjumu katrai ip adresei norБdНtajБ diapazonБ. Hosts, kas atbild uz Пo pieprasНjumu ir aktНvs, t.i. ir pieslГgts tНklam. 
-
-.Sp
-DaЧi hosti (piemГram microsoft.com) bloМГ ECHO pieprasНjumus, tБdГО Nmap papildus nosШta TCP ACK paketi uz 80 portu (noklusГti). Ja hosts atbild ar RST paketi, tad viРП ir aktНvs. TreПБ metode izmanto SYN paketi, par atbildi gaidot RST vai SYN|ACK paketi. LietotБjiem, kuriem nav root privilГЛijas tiek izmantota connect() metode. 
-
-.Sp
-LietotБjiem ar root privilГЛijБm Nmap noklusГti lieto abas metodes - ICMP un ACK. пo iestБdijumu var mainНt izmantojot opciju .B \-P 
-, kur aprakstНta zemБk. Ping skanГПana tiek lietota vienmГr un tikai aktНvБs sistГmas tiek skanГtas, tБdГО Пo skanГПanas metodi izmatojiet tikai ta, ja vГlaties uzzinБt aktНvo sistГmu daudzumu, ne veikt to portu skanГПanu. 
-
-
-.TP
-.B \-sU
-(scan UDP) - пН skanГПanas metode Оauj noteikt kБdi UDP porti (RFC 768) ir atvГrti uz attБlinБtБs sistГmas. Uz katru skanГjamБs sistГmas portu tiek nosШtНta UDP pakete, kas nesatur datus. Ja sistГma atbild ar ICMP paziРojumu "port unreachable" tad ports ir aizvГrts, pretГjБ gadНjumБ tas tiek uzskatНts par atvГrtu. DaЧi uzskata, ka skanГt UDP portus nav nekБdas jГgas. пinН gadНjumБ atgБdinu par "slavenНbu" ieguvuПo gОuku iekП dГmona rpcbind OS Solaris. пis dГmons grieЧas uz jebkura no nedokumentГtajiem UDP portiem, kas ir lielБki par 32770. 
-
-.Sp
-Par noЧГloПanu jБatdzНst, ka UDP skanГПana velkas lГni, jo gandrНz visas OS seko RFC 1812 (sadaОa 4.3.2.8) rekomendБcijБm iegroЧot ICMP "port unreachable" ЛenerГПanas Бtrumu. PiemГram Linux kernelis (katalogs net/ipv4/icmp.h) ierobeЧo ПБda tipa paziРojumu ЛenerГПanu lНdz 80, 4 sekundГs ar 1/4 sekundes novГloПanu, ja ПН robeЧa tiek pБrsniegta. OS Solaris ir vГl striktБki ierobeЧojumi (2 ziРojumi sekundГ), tБdГО sistГmu skanГПana kuras grieЧas uz OS Solaris ir vГl lГnБka. 
-
-
-.Sp
-Nmap nosaka Пo ierobeЧojumu parametrus un atbilstoПi tiem samazina ЛenerГjamos pieprasНjumus, tБdejБdi atturoties no tНkla piemГsloПanas ar nevajadzНgБm paketГm, kuras ignorГ attБlinБtБ sistГma. KБ jau ierasts kompБnija Microsoft ignorГ visas rekomendБcijas un neizmanto savБs OS nekБdus ierobeЧojumus. TБdejБdi jШs varat Оoti Бtri noskanГt visus 65535 UDP portus sistГmai, kas grieЧas zem OS Windows. 
-
-
-.TP
-.B \-sO
-(scan Open protocol) - DotБ metode tiek izmantota, lai noteiktu IP protokolus, kurus uztur attБlinБtБ sistГma. AttБlinБtajai sistГmai tiek sШtНtas IP paketes, kurБm nav nekБda marМГjuma. TБs tiek sШtНtas katram protokolam. Ja par atbildi tiek saРemts paziРojums "protocol ureachable", tad doto protokolu attБlinБtБ sistГma neuztur. PretГjБ gadНjumБ Nmap uzskata, ka protokols tiek uzturГts. 
-.Sp
-DaЧas OS (AIX, HP-UX, Digital UNIX) kБ arН ugunsmШris var bloМГt ziРojumus "protocol ureachable", tБ rezultБtБ visi protokoli tiks uzskatНti par uzturГtiem.
-Par cik aprakstНtБ metode ir lНdzНga UDP skanГПanas metodei, tad ICMP ЛenerГПanas ierobeЧojumu noteikПana paliek spГkБ, taХu tБdГО ka IP paketes "header" sastБv tikai no 8 bitiem visus 256 protokolus izdodas noskanГt pieРemamБ БtrumБ. 
-.TP
-.B \-sA
-(scan ACK) - ACK skanГПanas metode. пН papildus metode Оauj noteikt ugunmШra konfigurБciju (rulesets). Izmantojot Пo metodi var noteikt, vai attБlinБtБ sistГma ir aizsargБta ar ugunsmШri vai tikai ar pakeПu filtru, kurП bloМГ ienБkoПБs SYN paketes. 
-.Sp
-SkanГjamajai sistГmai tiek nosШtНta ACK pakete (ar gadНjuma skaitОu acknowledgement number un sequence number). Ja par atbildi tiek saРemta RST pakete, ports tiek uzskatНts par nefiltrГtu. Ja atbilde nepienБk (vai arН pienБk ICMP "port unreachable") tad ports tiek uzskatНts par filtrГtu. 
-.Sp
-JБpiebilst, ka Nmap nerБda "nefiltrГtos" portus, tБpГc, ja skanГjot attБlinБtu sistГmu jums neatklБj nevienu atvГrtu portu, tas nozНmГ ka porti skaitБs nefiltrГti. пН metode nekad rezultБtos nerБdНs portus kuri skaitБs atvГrti. 
-.TP
-.B \-sW
-(scan Window) - Izmanto TCP Window metodi. пН metode lНdzinБs ACK skanГПanai, izРemot to, ka daЧreiz ar ПНs metodes palНdzНbu var noteikt kБ atvГrtos, tБ filtrГtos/nefiltrГtos portus. To iespГjams izdarНt, pБrbaudot Initial Window datus TCP paketГ, kurus nosШta attБlinБtБ sistГma par atbildi tai nosШtitajai paketei, kuru tБ nepareizi apstrБdБ. 
-SistГmas kurБs ir ПН kОuda: vairБkas AIX versijas, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX un VxWorks. TuvБku informБciju var iegШt aplШkojot Nmap-hackers listes arhНvus. 
-
-
-.TP
-.B \-sR  
-(scan RPC) - Izmantot RPC skanГПanas metodi. пo metodi izmanto kopБ ar citБm. TБ palНdz noteikt, kБda programma apkalpo RPC portu un tБs versiju. Lai to noteiktu, visi TCP/UDP porti tiek flШdoti ar SunRPC NULL pieprasНjumiem pГc tam nosakot programmu kas apkalpo RPC portu(s). Izmantojot Пo metodi jШs viegli iegШstat tБdu paПu informБciju kБ palaiЧot komandu 'rpcinfo -p', arН tБdБ gadНjumБ, ja attБlinБtБs sistГmas portmapper ir aizsargБts ar ugunsmШri vai TCP_wrapper. 
-
-.TP
-.B \-sL
-(scan List) - IegШt skanГjamo adreПu sarakstu. пН opcija Оauj jums aplШkot adreПu sarakstu, kuras TIKS skanГtas ar Nmap palНdzНbu. NoklusГti tiek noteikti to DNS nosaukumi. пo iespГju var aizliegt izmantojot -n opciju. 
-.TP
-.B \-b <ftp relay host>
-(bounce scan) - Izmantot "ftp bounce attack" uzbrukumu. пi interesantБ FTP protokola iespГja tuvБk aprakstНta RFC 959. No hosta source.com var nodibinБt savienpjumu ar target.com ftp serveri un nosШtНt failus, kas tur atrodas uz vienalga kБdu adresi. пis uzbrukums tika atklБts 1985 gadБ, kad tika uzrakstНts augПminГtais RFC. Nmap izmanto Пo kОШdu lai skanГtu portus no "uzticamБ" ftp servera. 
-.Sp
-IespГjams pieslГgties ftp serverim, kuru apsargБ ugunsmШris un noskanГt pБrГjos aizsargБtos portus. Ja ftp serveris atОauj lasНt un rakstНt datus kБdБ katalogБ (piemГram /incoming), jШs varat nosШtНt jebkБdus datus uz Пo portu. Opcija '-b', norБda ftp servera adresi, kurП tiek izmantots kБ "uzticamais" serveris. URL formБts: 
-.I login:parole@serveris:ports
-Adrese nepiecieПama obligБti, pБrГjo var neievadНt. 
-.TP
-.B PAPILDUS IESPгjAS
-пНs opcijas nav nepiecieПams lietot obligБti, taХu daЧreiz tБs var bШt diezgan noderНgas.
-.TP
-.B \-P0
-(Ping 0) - Nepingot attБlinБto sistГmu pirms skanГПanas. пН opcija atОauj skanГt tНklus kuri neatОauj ICMP ECHO pieprasНjumus, vai atbildes uz tiem. piemГram microsoft.com. Var izmantot .B \-P0
-vai 
-.B \-PT80
-kad skanГjat tБdu tiklu. 
-.TP
-.B \-PT
-(Ping TCP) - Izmantot TCP "ping". ICMP ECHO vietБ Nmap nosШta TCP ACK paketi skanГjamajai sistГmai un gaida tБs atbildi. Ja sistГma ir "aktНva" tБ atbild ar RST paketi. LietotБju, kuriem nav root privilГЛijas tiek izmantota connect() funkcija. пН opcija jums Оauj noteikt attБlinБtБs sistГmas stБvokli pat tБdБ gadНjumБ , ja ICMP pieprasНjumu tiek aizliegti ar ugunsmШra palНdzНbu. Lai norБdНtu kuram attБlinБtБs sistГmas portam sШtНt pieprasНjumu izmantojiet opciju '-PT <porta_nummurs>'. NoklusГti pieprasНjums tiek sШtНts uz 80 portu, jo tas praktiski nekad netiek filtrГts.
-.TP
-.B \-PS
- (Ping SYN) - opcija, kas arНdzan tiek izmantota ping pieprasНПanai. пinН gadНjumБ ACK paketes vietБ tiek sШtНta SYN pakete. AktНvБs sistГmas atbild ar RST paketi (retБk ar SYN|ACK). 
-.TP
-.B \-PI
-(Ping ICMP) - пН opcija ping pieprasНПanai izmanto normБlu ping paketi (ICMP ECHO). Opcija tiek izmantota, lai meklГtu aktНvas sistГmas, kБ arН nepareizi konfigurГtas sistГmas, kuras atОauj veikt DoS uzbrukumus citБm sistГmБm (piemГram Smurf). 
-.TP
-.B \-PP
-Izmanto ICMP timestamp pieprasНjuma paketi, lai atrastu aktНvus hostus. 
-.TP
-.B \-PM
-LidzНga kБ -PI un -PP, vienНgБ atПМirНba ir netmask pieprasНjums. 
-.TP
-.B \-PB
-(Ping Both) - VienlaicНgi izmantot ACK un ICMP pieprasНjumu.
-.TP
-.B \-O
-(Operating system detection) - пН opcija Оauj noteikt attБlinБtБs sistГmas OS izmantojot t.s. TCP/IP steka "pirkstu nospiedumus". Citiem vБrdiem skaidrojot, Nmap nosШta pieprasНjumus uz attБlinБto sistГmu un saРemot atbildi salНdzina to ar savu datubБzi, kura glabБjas failБ Nmap-os-fingerprinting. Ja Nmap nespГj noteikt attБlinБtБs sistГmas OS jums tiek piedБvБts nosШtНt rezultБtus Nmap autoram, ja jШs zinБt attБlinБtБs sistГmas OS un esat pБrliecinБts, ka Nmap nespГja to atpazНt. 
-.TP
-.B \-I
-(Ident scan) - Izmanto reverse-ident skanГПanu. Ident protokols (RFC 1413) atОauj uzzinБt tБ lietotБja vБrdu (username), kuram pieder process, kurП izmanto TCP, pat tБdБ gadНjumБ ja Пis process nenodibina savienojumu. PiemГram var pieslГgties http portam un izmantojot ident uzzinБt vai serveris grieЧas zem root lietotБja. Tas ir iespГjams tikai nodibinot "pilnНgu" TCP savienojumu ar skanГjamБs sistГmas portu (t.i. nepiecieПams izmantot arН opciju '-sT'). Nmap pieprasa ident`am informБciju par katru atvГrto portu. Protams ПН metode nestrБdБs ja skanГjamБ sistГma neuztur ident. 
-.TP
-.B \-f
-(use fragmentation) - ПН opcija izmantojama kopБ ar SYN, FIN, Xmas vai NULL skanГПanas metodГm un norБda uz vajadzНbu izmantot IP fragmentБciju ar mazizmГra fragmentiem. SkanГПanas laikБ TCP header tiek sadalНta pa vairБkБm paketГm, tБdejБdi apgrШtinot pakeПu filtriem, IDS, un tamlНdzНgБm aizsardzНbas metodГm noteikt ko tu vГlies darНt. Lietojiet Пo opciju piesardzНgi. DaЧas programmas uzkarБs cenПoties savБkt kopБ tik sНkus fragmentus. 
-.TP
-.B \-v
-(verbose output) - пo opciju ir ieteicams lietot, jo tБ sniedz vairБk informБciju par to kas paПreiz notiek. Nmap atskaitБs detalizГtБk par to ko viРП paПreiz dara. PriekП lielБka efekta ieteicams to lietot divreiz. KopБ ar '-d' opciju var iegШt visdetalizГtako informБciju. 
-.TP
-.B \-h
-(show help) - izmet Nmap help`u. 
-.TP
-.B \-oN <logfilename>
-(output Normal) - ieraksta skanГПanas rezultБtus lasНПanai ГrtБ formБ norБdНtБjБ failБ.
-.TP
-.B \-oX <logfilename>
-(output XML) - ПН opcija ieraksta saРemtos datus XML formБ. 
-.TP
-.B \-oG <logfilename>
-(output grepable) - ПН opcija ieraksta saРemtos datus norБdНtajБ failБ vienБ rindiРБ. 
-.TP
-.B \-oA <basefilename>
-output All) - liek Nmap logot rezultБtus izmantojot visas logoПanas metodes (normal, grepable, un XML). 
-.TP
-.B \-oS <logfilename>
-thIs l0gz th3 r3suLtS of YouR ScanZ iN a
-.B s|<ipT kiDd|3  
-f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT!  U kAn gIv3
-the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
-stDouT!@!!
-.TP
-.B \--resume <logfilename>
-ja kБda iemesla dГО esat bijis spiests pБrtraukt skanГПanu nospieЧot <Ctrl C>, jШs varat izmantot Пo opciju, ja skanГПanas rezultБti ierakstНti izmantojot opcijas '-oM' vai '-oN'. lai atjaunotu skanГПanu no tБs vietas, kur pБrtraucБt. VairБk nekБdas papildus opcijas lietot nav nepiecieПams. 
-.TP
-.B \--append_output
-liek Nmap rakstНt rezultБtus tБlБk tajБ paПБ failБ, kurП izmantots iepriekП. 
-.TP
-.B \-iL <inputfilename>
-(input List) - lasНt adreses no norБdНtБ faila. AdresГm failБ jБbur atdalНtБm ar tukПumu, ar tab, vai ar <CR><LF> kombinБciju (katrs hosts jaunБ rindБ). 
-.TP
-.B \-iR
-(input Random) - lietojot Пo opciju Nmap skanГs gadНjuma izvГlГtas adreses. пis process vilksies tik ilgi, kamГr jШs to neapturГsiet. пН opcija ir noderНga, lai veiktu Internet statistiku. 
-.TP
-.B \-p <port ranges>
-(ports) - ПН opcija norБda Nmap, kБdus portus nepiecieПams skanГt. Piem. opcija '-p23' liek tam skanГt skanГs tikai 23 portu. Ja norБdНs ko lНdzНgu Пai opcijai '-p 20-30,139,60000-', Nmap skanГs portus no 20 lНdz 30 ieskaitot, 139 portu un visus portus, kas lielБki par 60000. NoklusГti Nmap skanГ portus no 1 lНdz 1024. 
-.Sp
-SkanГjot TCP un UDP portus tu vari norБdНt '-p U:53,11,137,T:21-25,139,8080'. Lai skanГtu ПБdi tev nepiecieПams norБdНt vismaz vienu TCP skanГПanas tipu (piem. -sS, -sF, vai -sT). Ja netiek norБdНts protokols, tad dotie porti tiek skanГti visos protokolos. 
-.TP
-.B \-F (Fast scan) - 
-norБda skanГt tikai tos portus kas norБdНti servisu failБ (iekОauts kopБ ar Nmap). 
-.TP
-.B \-D <decoy1 [,decoy2][,ME],...>
-use Decoy hosts). - пajБ reЧНmБ Nmap liek attБlinБtajai sistГmai domБt, ka tБ tiek skanГta no vairБkiem hostiem.TБdejБdi ir grШtБk noteikt, no kurienes reБli tiek skanГts. пН ir Оoti efektНga metodГ, lai slГptu savu IP adresi skanГjot. 
-.Sp
-JШs varat norБdНt savu IP adresi kБ 'ME' TБ norБda, kad tiks lietota tava IP adrese. PiemГram, ja tu to ieraksti kБ sesto vai vГl tБlБk, tad daudzi skanГПanas detektori uz attБlinБtБs sistГmas var vispБr neielogot tavu IP adresi. JБpiebilst, ka norБdНtajiem attБlinБtajiem hostiem ir jБbШt pieslГgtiem pie tНkla, pretГjБ gadНjumБ jШs varat pБrslogot skanГjamo sistГmu ar SYN paketГm. JБpiebilst, ka pastБv iespГja tБdejБdi noteikt tavu IP adresi, ja tevis norБdНtie attБlinБtie hosti reБli neeksistГs. 
-.Sp
-Ja tu norБdi daudzus attБlinБtus hostus, tas var ievГrojami palГlinБt skanГПanas Бtrumu. пo iespГju var izmantot jebkurБ skanГПanas veidБ. DaЧi provaideri var filtrГt jШsu paketes, tБdejБdi Пi opcija var nedot jums vГlamos rezultБtus. 
-.TP
-.B \-S <IP_Address>
-(set Source) - Ja Nmap nespГj patstБvНgi noteikt jШsu hosta ip adresi (viРП par to jШs brНdinБs), jums ir nepiecieПams to viРam norБdНt. VГl viens pielietojums Пai opcijai var bШt - izlikties, ka skanГПana notiek no citas IP adreses. пinН gadНjumБ jШs nevarat iegШt rezultБtus, taХu attБlinБtБ sistГma domБs, ka skanГ no tevis norБdНtБs adreses. пai gasНjumБ nepiecieПams lietot opciju '-S' kopБ ar '-e'. 
-.TP
-.B \-e <interface>
-(interface) - norБda Nmap, kБds interfeiss tiks izmantots lai saРemtu/sШtНtu paketes. Nmap parasti pats nosaka, kБds interfeiss tiek lietots. 
-.TP
-.B \-g <portnumber>
- norБda porta numuru uz tava datora, kuru Nmap izmatos skanГПanai. Daudzi pakeПu filtri vai ugunsmШri laiЧ cauri DNS paketes (53 ports)un FTP-DATA (20 ports) tБdejБdi atОaujot nodibinБts savienojumu ar attБlinБtu aizsargБtu sistГmu. SkanГjot UDP portus Nmap no sБkuma izmГЛina 53 portu, pГctam 20 poru. SkanГjot TCP portus - otrБdБk. 
-.TP
-.B \--data_length <number>
-Parasti Nmap sШta maziРas paketes, kuras satur tikai header informБciju. пН opcija atОauj tБs palielinБt tБdejБdi palГlinot skanГПanas Бtrumu, taХu samazinot iespГju ka jШsu skanГПanu kБds pamanНs. 
-.TP
-.B \-n
-norБda, lai Nmap nekad nenoteiktu DNS IP adresГm, kuras tas atrod. пН opcija var paБtrinБt skanГПanu. 
-.TP
-.B \-R
-norБda, lai Nmap vienmГr noteiktu atrasto IP adreПu DNS. 
-.TP
-.B \-r
-(randomize off) - Nmap skanГ visus portus noteiktБ secНbБ katrai skanГjamai sistГmai. 
-.TP
-.B \-\-randomize_hosts
-NorБda lai Nmap skanГ attБlinБto sistГmu portus neregulБri. Piem. vienai sistГmai tas noskanГ 23 portu otrai sistГmai noskanГ 665 portu, tad atkal pirmajai sistГmai 45 utt. TБdejБdi ir iespГjams skanГt 2048 sistГmas vienlaicНgi. 
-.TP
-.B \-M <max sockets>
-(Max sockets) - norБda maksimБlo soketu skaitu, kas tiks izmantots paralГli skanГjot ar TCP connect() metodi. TБdejБdi var izvairНties no attБlinБto sistГmu nokБrПanas. Var izmantot arН '-sS' opciju, jo SYN paketes jebkura OS "pacieП" vieglБk. 
-.TP
-.B LAIKA IESTбDнпANA
-Parasti Nmap automБtiski nosaka kБdБ laika intervБlБ tiks sШtНtas paketes un notiks skanГПana. пНs opcijas paredzГtu, gan lai palielinБtu skanГПanas Бtrumu, gan lai samazinБtu kОudas, gan lai palГlinБtu Бtrumu un samazinБtu iespГju attБlinБtБs sistГmas administrБtorБm fiksГt skanГПanas mГЛinБjumu. 
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> (Timing options) - пН opcija tiek izmantota, lai regulГtu skanГПanas Бtrumu.
-.B Paranoid reЧНms tiek izmantots tad, ja ir liela iespГjamНba, ka uz attБlinБtБs sistГmas ir uzstБdНts IDS. пinН gadНjumБ skanГПana noris Оoti lГni. ParalГla skanГПana netiek izmantota. Pakete tiek izsШtНtБ kБ minimums ar 5 minШПu intervБlu.
-.B Sneaky 
- reЧНms ir lНdzНgs Paranoid reЧНmam. Tas sШta paketes ar 15 sekunЧu intervБlu.
-.B Polite
-reЧНms tiek izmantots gadНjumos, kad ir vajadzНba samazinБt tНkla noslogotНbu lНdz minimumam. пinН reЧНmБ paketes tiek sШtНtas ar minimБlo intervБlu 0,4 sekundes. 
-.B Normal
-reЧНmu Nmap izmanto noklusГti. пinН reЧНmБ tiek nodroПinБts maksimБlo iespГjamo Бtrumu, tajБ paПБ laikБ nenoslogojot tНklu un cenПoties izvairНties no kОШdБm skanГПanas gaitБ.
-.B Aggressive
-reЧНmБ tiek uzstБdНts 5 minШПu skanГПanas limits katram hostam, un Nmap nekad negaida ilgБk par 1,25 sekundi uz atbildi. 
-.B Insane 
-reЧНms ir ieteicams tikai priekП Оoti Бtriem tНkliem, vai arН tad ja tu vari samierinБties ar iespГjamБm kОШdБm skБnГПanas norisГ. Tiek uzstБdНts 75 sekunЧu limits katram hostam un tiek gaidНts tikai 0.3 sekundes uz atbildi. 
-.Sp
-Katram reЧНmam ir piesaistНts nummurs. Piem. opcija '-T0' apzНmГ paranoid reЧНmu, bet '-T5' - Insane 
-.TP
-.B --host_timeout <milliseconds>
-UzstБda laiku, norБdit Nmap cik ilgs laiks tiek atvГlГts priekП viena hosta pilnНgas noskanГПanas. NoklusГti Пis parametrs netiek izmantost. Nmap sБk skanГt nБkoПo hostu pГc tam, kad pabeidzis skanГt iepriekПГjo.
-.TP
-.B --max_rtt_timeout <milliseconds>
-(maximal round-trip time timeout) - MaksimБlais laiks, cik ilgi Nmap gaidНs uz nosШtНto pieprasНjuma atbildi, pГc tam nosШtot jaunu, vai pБrtraucot gaidНПanu. StandartБ tas ir nostБdНts uz 9000 milisekundГm.
-.TP
-.B --min_rtt_timeout <milliseconds>
-MinimБlais laiks, cik ilgi Nmap gadНs uz nosШtНtБ pieprasНjuma atbildi. пН opcija var paБtrinБt skanГПanas Бtrumu, taХu var tika pazaudГtas paketes. 
-.TP
-.B --initial_rtt_timeout <milliseconds>
-NorБda vidГjo laiku, cik ilgi Nmap gaidНs nosШtНtБ pieprasНjuma atbildi. Parasti Пo opciju izmanto, kad tiek skanГtas sistГmas kas tiek aizsargБtas ar ugunsmШri. Parasti Nmap Пo lielumu nosaka automБtiski pГc pirmo pБris pieprasНjumu noteikПanu. StandartБ tas ir 6000 milisekundes 
-.TP
-.B --max_parallelism <number>
-UzstБda skaitu cik daudz paketes tiks sШtНtas paralГli. Ja Пis parametrs tiek norБdНts kБ 1 tad tas nozНmГ, ka Nmap nekad neskanГs vairБk par vienu portu reizГ. 
-.TP
-.B --scan_delay <milliseconds>
- NorБda minimБlo laiku, cik ilgi Nmap gaidНs starp pieprasНjumu nosШtНПanu. пН opcija Оauj minimБli noslogot tНklu un/vai izvairНties no skanГПanas pamanНПanas uz attБlinБtБs sistГmas.
-.TP
-.SH SKANгJAMб MгRмA NORбDнпANAS IESPгJAS
-Visu, kas nav opcijas vai to argumenti, Nmap pieРem kБ adresi vai attБlinБtБs sistГmas DNS. ViselementБrБkais veids kБ norБdНt skanГjamo hostu, ir, norБdНt to aiz opcijБm. Ja jШs vГlaties noskanГt subnet`u, jums nepiecieПams norБdНt parametru '/<mask>' pГc skanГjamБs sistГmas DNS vai ip adreses. Subnet`a masku var norБdНt ПБdos veidos: 
-.Sp
-'/0' - skanГt visu Internetu; 
-.Sp
-'/16' - skanГt B klases adreses; 
-.Sp
-'/24' - skanГt C klases adreses; 
-.Sp
-'/32' - skanГt tikai norБdНto hostu.
-.TP
-Nmap tБdБ paПБ veidБ atОauj norБdНt ip adreses izmantojot sarakstu, vai arН diapazonu katram tБs elementam. Piem. ir vajadzНba noskanГt B klases subnetu ar adresi 128.210.*.*. To iespГjams norБdНt sekojoПos veidos: 
-.Sp
-128.210.*.* 
-.Sp
-128.210.0-255.0-255 
-.Sp
-128.210.1-50,51-255.1,2,3,4,5-255 
-.Sp
-128.210.0.0/16
-.TP
-Visas ПНs komandas ir vienБdas. Ja jШs izmantojat *, tad vairБkumБ shell`os nepiecieПams tБs atdalНt ar ' vai apostrofu. VГl viens piemГrs: Ja jШs norБdat adresi ПБdБ formБtБ '*.*.5.6-7' , tad Nmap noskanГs visas ip adreses, kas beidzas ar .5.6 vai .5.7 
-.SH PIEMгRI
-.Sp
-.B nmap -v target.example.com
-.Sp
-NorБda skanГt visus atvГrtos portus hostam target.example.com. Opcija '-v' atОauj novГrot skanГПanas procesu detalizГtБk.
-.Sp
-.B nmap -sS -O target.example.com/24
-.Sp
-Visi 255 kompji ar C klases adresГm, no kurБm viens ir target.example.com tiks noskanГti izmantojot SYN skanГПanas metodi. VГl tiks noteikta OS kas grieЧas uz ПНm sistГmБm. Lai izmantotu Пo metodi jums nepiecieПamas root tiesНbas. 
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
-.Sp
-Nmap skanГs pirmo pusi ar adresГm (0-127) katrБ no 255 B klases subnet`iem ar Xmas skanГПanas metodi ip zonБ 128.210.*.*. пajos hostos tiks konstatГta sshd (22 ports), DNS (53), pop3 (110), imapd (143) un 4564 portu pieejamНba. VГlГtos pievГrst uzmanНbu faktam, ka Xmas skanГПanas metodi nevar izmantot sistГmБm, kuras grieЧas uz WinOS, CISCO, IRIX, HP/UX un BSDI. 
-.Sp
-.B nmap -v --randomize_hosts -p 80 \'*.*.2.3-5\'
-.Sp
-Nmap meklГs visus kompjus ar IP adresГm, kuras beidzas ar .2.3, .2.4 un .2.5. Ja jums ir root tiesНbas, tad jШs varБt pie reizes arН noskanГt portus izmantojot opciju '-sS'. JШs varat atrast daudz interesantas sistГmas skanГjot diapazonu 127-222.*.* 
-.Sp
-.B host -l company.com | cut \'-d \' -f 4 | ./nmap -v -iL -
-.Sp
-Atrast eksistГjoПus hostus domГnБ company.com, nodot Nmap to adreses. пН komanda strБdБ GNU/Linux OS. Ja izmantojat citu OS jums var bШt vajadzНba rakstНt to savБdБk. 
-.SH IESPгJAMбS KошDAS 
-Ja jШs gadНjumБ konstatГjat kБdas kОШdas Nmap darbНbБ, lШdzu paziРojiet par to autoram
-.SH AUTORS
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.I http://www.insecure.org/nmap/
-.Sp
-.I nmap 
-is (C) 1995-2001 by Insecure.Com LLC
-.Sp
-This program is free software; you can redistribute it
-and/or modify it under the terms of the GNU General Public
-License as published by the Free Software Foundation;
-Version 2.  This guarantees your right to use, modify, and
-redistribute Nmap under certain conditions.  If this license
-is unacceptable to you, Insecure.Org may be willing to sell
-alternative licenses (contact fyodor@insecure.org).
-.Sp
-Source is provided to this software because we believe users
-have a right to know exactly what a program is going to do
-before they run it.  This also allows you to audit the
-software for security holes (none have been found so far).
-.Sp
-Source code also allows you to port Nmap to new platforms, fix bugs,
-and add new features.  You are highly encouraged to send your changes
-to fyodor@insecure.org for possible incorporation into the main
-distribution.  By sending these changes to Fyodor or one the
-insecure.org development mailing lists, it is assumed that you are
-offering Fyodor the unlimited, non-exclusive right to reuse, modify,
-and relicense the code.  This is important because the inability to
-relicense code has caused devastating problems for other Free Software
-projects (such as KDE and NASM).  Nmap will always be available Open
-Source.  If you wish to specify special license conditions of your
-contributions, just say so when you send them.
-.Sp
-This program is distributed in the hope that it will be useful, but
-.B WITHOUT ANY WARRANTY;
-without even the implied warranty of
-.B MERCHANTABILITY 
-or 
-.B FITNESS FOR A PARTICULAR PURPOSE.
-See the GNU
-General Public License for more details (it is in the COPYING file of
-the
-.I nmap 
-distribution).  
-.Sp
-It should also be noted that Nmap has been known to crash
-certain poorly written applications, TCP/IP stacks, and even
-operating systems.
-.B Nmap should never be run against mission critical systems 
-unless you are prepared to suffer downtime.  We acknowledge
-here that Nmap may crash your systems or networks and we
-disclaim all liability for any damage or problems Nmap could
-cause.
-.Sp
-Because of the slight risk of crashes and because a few black hats like 
-to use Nmap for reconnaissance prior to attacking systems, there are
-administrators who become upset and may complain when their system is
-scanned.  Thus, it is often advisable to request permission before
-doing even a light scan of a network.
-.Sp
-Nmap should never be run with privileges (eg suid root) for security
-reasons.
-.Sp 
-
-This product includes software developed by the Apache Software
-Foundation (http://www.apache.org/).  The
-.I Libpcap 
-portable packet capture library is distributed along with nmap.
-Libpcap was originally copyrighted by Van Jacobson, Craig Leres and
-Steven McCanne, all of the Lawrence Berkeley National Laboratory,
-University of California, Berkeley, CA.  It is now maintained by
-http://www.tcpdump.org .
-.Sp
-Latviski manuБli pБrtulkojis m|sc (misc@inbox.lv)
-(Var gadНties daЧi gОuki tekstБ, taХu ko lai dara, ja latvieПu valodБ nav normБli datortermini.) 
diff --git a/docs/nmap_lithuanian.1 b/docs/nmap_lithuanian.1
deleted file mode 100644
index a7575d949..000000000
--- a/docs/nmap_lithuanian.1
+++ /dev/null
@@ -1,436 +0,0 @@
-.\" а LietuviЬ kalbЮ iПvertК
-.\" Aurimas Mikalauskas <inner@crazy.lt>
-.\" 2001 03 17
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH PAVADINIMAS
-nmap \- tinklo tyrinКjimo Аrankis bei saugumo skeneris
-.SH SINTAKSк
-.B nmap
-[skanavimo tipas(ai)] [opcijos] <hostas/tinklas #1 ... #n>
-.SH APIBшDINIMAS
-
-.I nmap'as
-yra sukurtas tam, kad leistЬ sistemЬ
-administratoriams bei smalsiems individams skanuoti
-didelius tinklus, siekiant nustatyti kokie hostai
-yra veikiantys ir kokias paslaugas jie siШlo.
-.I nmap'as
-turi be galo daug skanavimo technologijЬ,
-tai: UDP, TCP connect(), TCP SYN (pusiau atviras),
-ftp proxy (bounce ataka), Reverse-ident,
-ICMP(ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep,
-bei Null skan'as.
-.I Skanavimo Tipai
-sekcijoje rasite apie tai smulkesnКs informacijos.
-nmap'as taip pat turi nemaЧai paЧangiЬ savybiЬ, tokiЬ
-kaip nutolusio kompiuterio (toliau vadinamo 'remote')
-(O)peracinКs (S)istemos nustatymas per TCP/IP
-fingerprintinima, stealth (vogtinis)  skanavimas,
-dinaminКs pauzКs ir retransimisijos skaiХiavimai,
-lygiagretusis skanavimas , nepasiekiamЬ host'Ь nustatymas
-skanuojant lygiagreХiu skanavimo metodu, decoy skanavimas,
-filtruojamЬ portЬ nustatymas, tiesioginis RPC skanavimas,
-fragmentinis skanavimas, bei labai lankstus taikinio
-ir portЬ nurodymas.
-.PP
-nmap'o autorius stengiasi kaip galima daugiau АvairiЬ
-nmap'o galimybiЬ suteikti ne tik root vartotojui, bet ir
-paprastam sistemos vartotojui, deja daugКlis kritiniЬ
-sistemos branduolio (kernel) interfeisЬ (tokiЬ kaip
-"raw socket'ai") reikalauja root'o privilegijЬ, todКl
-nmap'as turКtЬ bШti naudojamas root'u kai tik Аmanoma.
-.PP
-nmap'o naudojimo rezultatas daЧniausiai bШna
-paprasХiausias sЮraПas АdomiЬ portЬ, rastЬ skanuojamoje
-maПinoje(se). Nmap'as visada parodo kokiЮ paslaugЮ (service)
-teikia portas, jo numerА, bШsenЮ bei protokolЮ. BШsanЮ
-nusako vienas iП trijЬ ЧodЧiЬ: "open", "filtered", "unfiltered".
-"open" (atviras) reiПkia, kad taikinys leis prisijungti prie
-Пito porto. "filtered" (filtruojamas) reiПkia, kad firewall'as
-(ugnies siena), filtras ar dar kaЧkoks Аdomus Аrankis dengia
-portЮ, dКl to nmap'as tiklsiai negali nustatyti ar portas
-atviras. "unfiltered" (nefiltruojamas) parodo, kad portas
-yra tikrai "closed" (uЧdarytas) ir nera dengiamas jokio
-firewall'o/filtro. Nefiltruojamas portas yra gan Аprastas
-atvКjis ir yra rodomas tik tuo atveju, kai dauguma iП skanuotЬ
-portЬ yra filtruojami.
-.PP
-Priklausomai nuo to, kokios opcijos naudojamos, nmap'as
-taip pat gali parodyti ir nutolusio kompiuterio: (O)peracinФ
-(S)istemЮ, TCP susekamumЮ, vartotoju vardus, kuriems priklauso
-tam tikri procesai, DNS vardus ir dar vienЮ kitЮ.
-.SH OPCIJOS
-Prasmingos opcijos visos gali bШti raПomos kartu (t.y. vienoje
-eilutКje).
-.I nmap'as
-stengsis pasakyti, kokias klaidas esate padarФ
-(aiПku jei esate :).
-.Sp
-Jei esate nekantrus, galite iПkarto Пoktelti А sekcijЮ
-.I pavyzdЧiai
-gale dokumento, kur gan aiПkiai parodo naudojimЮ. Taip pat
-galite paleisti
-.B nmap -h
-ir pamatysite pagrindines opcijas, su trumpais apraПymais.
-.TP
-.B SKANAVIMь TIPAI
-.TP
-.B \-sT
-paprasХiausias TCP connect() skanavimas. JШs bandote prisijungti
-prie kiekvieno porto iП eilКs. Jei portas klausosi, nmap'as
-prisijungia prie jo, taigi jei host'as logina, jis matys, kad
-bandote jungtis. пis metodas yra tiksliausias, bet rekomenduoХiau
-jА naudoti tik tuo atveju, jei skanuojate savo ar draugo
-kompiuterА, t.y. tokА, dКl kurio vКliau tikrai nesusilauksite
-nemalonumЬ.
-.TP
-.B \-sS
-TCP SYN skanavimas, kitaip dar daЧnai vadinamas kaip
-"pusiau-atviras" skanavimas, nes nКra padaromas TCP prisijungimas.
-JШs paprasХiausiai nusiunХiate TCP SYN paketukЮ kaip kad norКdamas
-prisijungti ir laukiate atsakymo. Pakankamai neblogas metodas,
-bet jei yra filtruojamЬ portЬ (pvz. pastatytas firewall'as) ir
-host kompiuteris juos logina, - bШsite pastebКtas.
-.TP
-.B \-sF \-sX \-sN
-Stealth FIN, Xmas Tree bei Null skanavimo reЧimai. Tai yra Пiek
-tiek saugesni skanavimo bШdai nei TCP SYN (pastebimumo
-atЧvilgiu), bet deja nei vienas iП jЬ neveikia M$ sistemoms.
-IП kitos pusКs, tai nebloga priemonК, kurios pagalba galima
-nustatyti ar tai M$ sistema ar ne, t.y. jei -sF -sX arba -sN
-parodo, kad visi portai uЧdaryti, o -sS rodo kelis atvirus
-portus, taikinys greiХiausiai windows dКЧutК.
-.TP
-.B \-sP
-Tai paprasХiausias ping'as, kuris parodo kurie hostai tinkle
-yra gyvi. Atliekama paprasХiausiai siunХiant ICMP echo praПymЮ
-(request). Deja kai kurie saitai (kaip mail.takas.lt) blokuoja
-praПymus. Kad iП tikro Аsitikinti, ar hostas negyvas, nmap'as
-nusiunХia ir TCP ack paketukЮ А 80 (standartiПkai) portЮ. Jei
-gauname atgal RST, reiПkia hostas gyvas. Pagal standartЮ
-(r00t'ui) nmap'as naudoja abu ICMP bei ACK metodus. Pakankamai
-efektyvu, nes vienu metu galite patikrinti #n hostЬ.
-.TP
-.B \-sU
-UDP skanavimas. Naudojamas tam, kad nustatyti kokie UDP (User
-Datagram Protocol,  RFC 768) portai yra atviri.
-.Sp
-Kai kurie mano, kad UDP skanavimas yra beprasmiПkas, bet jА
-prisiminti verta vien dКl vienos Solaris rcpbind skylКs. Taip
-pat yra cDc Back Orifice trojanas, kuris atsidaro UDP portЮ ant
-window'sЬ. Gaila tik, kad UDP skanavimas kartais gali trukti
-labai ilgai.
-.TP
-.B \-SO
-IP protokolo skanavimas. пis metodas yra naudojamas tam, kad
-nustatyti kokius protokolus naudoja jШsЬ taikinys. Technika
-labai paprasta: siunХiami IP paketai be jokio protokolo header'io
-А visus nurodytus protokolus. Jeigu pvz gauname "ICMP protocol
-unreachible" (ICMP protoklolas nepasiekiamas) atsakymЮ, vadinasi
-protokolas nenaudojamas, prieПingu atveju skaitoma, kad jis
-atviras.
-.TP
-.B \-sA
-ACK skanavimas: Пitas metodas paprastai yra naudojamas tam,
-kad iПsiaiПkinti firewall'Ь (ugnies sinЬ) taisykles. Jis gali
-padКti nustatyti ar firewall'as tikras, ar paprasХiausias
-paketЬ filtras, blokuojantis АplaukianХius SYN paketukus.
-.TP
-.B \-sW
-Window skanavimas. пis skanavimo bШdas labai panaПus А ACK
-skanЮ, skirtumas tik tas, kad Пis skanavimo metodas kartais
-parodo ir atvirus portus (ACK jЬ nerodo).
-.TP
-.B \-sR
-RPC skanavimas. Praskanavus parodoma kokia programa ir jos versija
-laiko RPC portus atvirus.
-.TP
-.B \-b <ftp relay hostas>
-Dar vienas pakankamai originalus skanavimo bШdas, t.y.
-pasinaudojant ftp proxy serveriu. <ftp relay host'o> formatas
-gali bШti useris:passwordas@serveris:portas . Viskas iПskyrus
-serverА yra nebШtina.
-.TP
-.B BENDROSIOS OPCIJOS
-Nei viena iП ПiЬ nКra bШtina, bet kai kurios gali bШti pakankamai
-naudingos
-.TP
-.B \-P0
-Skanuoti iП kart, nepabandЧius iП pradЧiЬ ping'int serverio.
-Tai naudinga skanuojant tokius kaip mail.takas.lt, kurie
-neatsakinКja А ICMP echo request'us. Tokiu atveju reikКtЬ
-naudoti
-.B \-P0
-arba
-.B \-PT80.
-.TP
-.B \-PT
-Naudoti TCP "ping'Ю" vietoje standartinio ICMP ping'o. Naudinga
-tokiais atvejais, kai serveris neatsakinКja i ICMO echo
-request'us. Taip pat galima naudoti kartu su postu (-PT<portas>).
-.TP
-.B \-PS
-Naudoja SYN (prisijungimo praПymЮ) vietoje ACP
-.TP
-.B \-PI
-Paprastas ping'as + suranda subnet'o broadcast'u adresus tinkle.
-.TP
-.B \-PB
-Standartinis ping'inimo metodas: naudoja ACP bei ICMP ping'us
-kartu. Geriausia bШdas patikrinti firewall'us, kurie blokuoja
-vienЮ iП jЬ.
-.TP
-.B \-O
-Viena geriausiЬ nmap'o ypatybiЬ - serverio OS'o atpaЧinimas
-pagal jo fingerprint'us (jei atvirai, pats nelabai Чinau kas
-per biesas tie fingerprintai).
-.TP
-.B \-I
-аjungiamas TCP reverse ident skanavimas. Kaip 1996  Dave'as
-Goldsmith'as pastebКjo, ident protokolas (rfc 1413) leidЧia
-pamatyti, kokiam useriui priklauso procesas, kuris naudoja
-TCP susijungima. Taigi, tu gali pvz prisijungti prie 80 porto
-ir tada pasinaudojes inentd'u, gali pamatyti ar http serveris
-yra paleistas root'u ar kokiu kitu userium.
-.TP
-.B \-f
-Skanuojant SYN (-sS) , FIN (-sF), XMAS (-sX) arba NULL (-sN)
-metodu, naudojami labai maЧyХiai sufragmentuoti IP paketai.
-.TP
-.B \-v
-Verbose mode. Labai rekomenduojama opcija, ypaХ jei norit geriau
-suprasti kas Хia dedasi. naudodamas ПiЮ opcijЮ du kartus, efektas
-bus dar geresnis. Gali naudoti ir dvigubЮ -d, efektas - nerealus.
-NepabandФs, nesuprasi.
-.TP
-.B \-h
-Jei norite kad nedidelis langelis jums trumpai primintu kelias
-pagrindines komandas, Пi opcija - jums.
-.TP
-.B \-oN <logas>
-Viskas, kas vyksta ekrane bus loginama А "logas" failЮ.
-.TP
-.B \-oX <logas>
-Skanavimo rezultatai iПsaugomi XML formatu А failЮ, kurА nurodote
-kaip argumentЮ Пiai opcijai.
-.TP
-.B \-oG <logas>
-пi opcija iПsaugo skanavimo rezultatus taip, kad jШs juos galetumКte
-lengvai grepinti. пis gan primityvus formatas iПsaugo viskЮ vienoje
-eilutКje.
-.TP
-.B \-oS <logas>
-Loginama А failЮ "logas" "skipt kiddie" formatu.
-.TP
-.B \--resume <logas>
-Skanavimas, kuris buvo nutrauktas su ^C, gali bШti pratФstas,
-su sЮlyga, kad viskas buvo loginama su -oN opcija.
-Daugiau jokie parametrai negali bШti pateikti (jie bus tokie,
-kokie buvo naudojami loginant). nmap'as pradКs skanuoti nuo
-sekanХios maПinos, po tos, kuri paskutinК buvo sКkmingai
-nuskanuota..
-.TP
-.B \-iL <failas>
-Nuskaito hostus (IP adresus) iП failo "failas". Hostai faile turi
-bШti atskirti tarpais, TAB'ais arba atskirose linijose. deja
-opcijЬ nurodyti jokiЬ negalite tame faile, uЧtat yra galimybК jas
-nurodyti komandinКje eilutКje.
-.TP
-.B \-iR
-пita opcija priverХia nmap'Ю generuoti atsitiktinius hostus. Jei
-kada neturКsite kЮ veikti, pabandykite `nmap -sS -iR -p 80', kad
-surastumКte keletЮ www serveriЬ.
-.TP
-.B \-p <portai>
-Galite nurodyti kurА/kuriuos portus tikrinti. pvz. -p 110
-patikrins ar hostas turi pop3 serverА, taip pat galite miПriai
-nurodinКti portus:
-
-    -p 21,60-90,1243     --  21, visi nuo 60 iki 90 bei 1243 portas
-    -p 1-                --  visi portai nuo 1 iki 65535.
-.TP
-.B \-F
-Greitasis metodas. Skanuoja tik tuos portus, kurie nurodyti nmap'o
-services faile (pagal default'Ю - /usr/local/lib/nmap/nmap-services)
-.TP
-.B \-D <decoy1 [,decoy2][,decoyN][,ME]>
-Decoy skanavimas priverХia skanuojamЮ host'Ю manyti, kad jА vienu
-metu skanuoja visi nurodyti decoy'iai. HostЬ logai gali parodyti
-5-10 skanavimЬ iП unikaliЬ IP adresЬ, bet kuris iП jЬ skanuoja
-iП tikro jie pasakyti negalКs.
-.Sp
-Atskirk kiekvienЮ decoy'А kableliais (be tarpo) ir gali tarp jЬ
-Аterpti 'ME' kaip vienЮ iП decoy'iЬ. nmap'as ten Аterps tavo
-adresЮ. Jei Пito nenurodysi, nmap'as atsitiktinai iПrinks tau
-vietЮ. Tiesa, jei 'ME' АraПysi 6-oje ar dar vКlesnКje vietoje,
-kai kurie skanavimЬ detektoriai (tokie kaip Solar Designer'io
-nepakartojamas scanlog daemon'as) gali tavo IP iПviso neparodyti.
-.Sp
-NepamirПk, kad hostai, kuruos naudosi kaip decoy'ius, turi bШti
-gyvi, kitaip gali uЧ-SYN-flood'inti taikinА, o be to labai
-nesunku bus surasti skanuotojЮ, jei jis bus vienintelis gyvas
-visame tinkle.
-.Sp
-Atkreipk dКmesА ir А tai, kad kai kurie (durnesni) portЬ
-skanavimЬ detektoriai gali aplamai skanuojantiems host'ams
-uЧdrausti priКjimЮ. аsivaizduok, kas gali nutikti, jei vienЮ
-iП decoy'iЬ nurodytum "localhost'Ю" :)
-.Sp
-Decoy skanavimas gali bШti naudojamas kartu su ping (naudojant
-ICMP, SYN, ACK, ar dar kЮ nors) arba tikru portЬ skanavimu bei
-bandant surasti remote OS'Ю ( -O ).
-.TP
-.B \-S <IP_adresas>
-Kartais nmap'as gali nerasti jШsЬ adreso. Tokiu atveju galite
-naudoti -S opcijЮ su jШsЬ IP adresu bei interfeisu, kuriuo
-siШsite paketus.
-.TP
-.B \-e <interfeisas>
-Nurodo nmap'ui kokiu interfeisu siЬsti paketus.
-(lo, ppp0, eth0 ir etc.)
-.TP
-.B \-g <portas>
-Nurodo iП kokio porto skanuoti. Daugelis firewall'Ь bei filtrЬ
-padaro iПimtis DNS (53) bei FTP-DATA (20) paketams.
-.TP
-.B \-n
-Liepia nmap'ui net nemКginti rezolvinti ip adresЬ i jЬ vardus,
-nes daЧnai tai bШna labai lКtas procesas ir stabdo nmap'o darbЮ.
-.TP
-.B \-R
-PrieПingai nei -n opcija, -R liepia nmap'ui visada pamКginti
-iПrezolvinti ip adresЮ.
-.TP
-.B \-r
-Nurodo nmap'ui portus skanuoti
-.B NE
-atsitiktine tvarka.
-.TP
-.B --randomize_hosts
-Nmap'as atsitiktine tvarka iПmaiПo kiekvienЮ grupФ iП daugiau nei
-2048 hostЬ prieП pradedant juos skanuoti. Tai Пiek tiek suklaidina
-Аvairius tinklo stebejimo Аrankius.
-.TP
-.B \-M <maximalus susijungimu skaicius>
-Nustato naksimalЬ susijungimu skaiХiЬ, kuris bus naudojamas
-paralelКje su TCP(standartiПkai) skanavimu.
-.TP
-.B LAIKO APRIBOJIMAI
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-Paranoid - pats lКХiausias skanavimo bШdas, Insane - pats
-greiХiausias, deja ne toks tikslus, ypaХ jei tinklas lКtas.
-Vietoj ЧodЧiЬ galite naudoti ir -T (0-5), kur 0 == Paranoid,
-1 == Sneaky ir t.t.
-.TP
-.B --host_timeout <milisekundКs>
-Nurodo kiek laiko nmap'as gali skanuoti duotЮjА IP. Laikas turi
-bШti nemaЧiau nei 200 milisekundЧiЬ.
-.TP
-.B --max_rtt_timeout <milisekundКs>
-Kiek daugiausia laiko nmap'as gali laukti atsakymo iП skanuojamo
-IP.
-.TP
-.B --scan_delay <milisekundКs>
-Nustato minimalЬ laiko tarpЮ, kuri nmap'as turi laukti tarp
-bandymЬ. Tai naudingiausia siekiant sumaЧinti tinklo apkrovimЮ.
-
-.SH TAIKINIO NURODYMO BшDAI
-Viskas, kas nКra opcijos, nmap'e suprantama kaip taikinys.
-PaprasХiausias bШdas yra nurodyti konkreХius IP arba hostus.
-Jeigu norite nuskanuoti IP adresЬ subnet'Ю, galite pridКti
-.B /maskФ
-hostname'ui ar IP adresui.
-.B MaskК
-turi bШti tarp 0
-(norint nuskanuoti visЮ internetЮ) ir 32 (norint nuskanuoti
-konkretЬ host'Ю/IP. Naudok /24 'C' klasКs adresЬ skanavimui
-bei /16 'B' klasКs adresЬ skanavimui.
-.Sp
-nmap'as taip pat turi gan patogiЮ galimybФ nustatinКti IP
-adresus sЮraПais/atstumais. pvz. gali nuskanuoti 'B' klasФ
-uЧraПydamas 128.210.*.* arba 128.210.0-255.0-255 arba dar
-128.210.0-50,51-255.1,2,3,4,5-255 . Manau kad tai pakankamai
-patogu ir nesudКtinga.
-.SH KELETAS PAVYZDчIь
-.Sp
-.B nmap -sX -e lo -P0 -S 127.0.0.3 localhost
-.Sp
-Pasinaudodamas Xmas Tree skanavimo metodu, apsimetinКdamas,
-kad esu 127.0.0.3 Loopback protokolu skanuoju savo localhost'Ю
-пtai kaip atrodo ipchains'Ь log'as:
-.Sp
-Packet log: input DENY lo PROTO=6 127.0.0.3:37009 127.0.0.1:139
-L=40 S=0x00 I=53682 F=0x0000 T=41 (#1)
-.Sp
-kaip matote, kernelis yra АsitikinФs, kad jА skanuoja iП 127.0.0.3
-o tai ir yra vienas svarbiausiЬ uЧdaviniЬ - likti nematomiems :)
-.Sp
-.B nmap -sS -O target.example.com/24
-.Sp
-stealth SYN metodu nuskanuoja visas 255 maПinas, esanХias
-target.example.com 'C' klasКje. Taip pat bando nustatyti
-kiekvieno iП jЬ operacinФ sistemЮ.
-.Sp
-.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
-.Sp
-suranda visus *.company.com hostus ir atiduoda juos nmap'ui,
-kuris savo ruoЧtu АsijungФs verbose mode visus juos nuskanuoja.
-.Sp
-.B nmap -sN -D microsoft.com,mail.takas.lt,ME -oN /root/crazy -p 1-1024 -O crazy.com
-.Sp
-skanauoja Null skanavimo reЧimu, panaudoja du decoy adresus,
-viskЮ logina А /root/crazy failЮ, skanuoja nuo 1 iki 1024 crazy.com
-portus bei stengiasi atspКti crazy.com serverio operacinФ sistemЮ
-.SH BUGAI
-VabalКliai? Kokie dar vabalКliai? Na.. jei rasit kokiЬ, bШtinai
-siШskit autoriui: <fyodor@insecure.org> . Pachai taip pat labai
-laukiami. Taip pat nepamirПkite siШsti OS'Ь fingerprintus, kad
-nmap'o autoriai galКtЬ plКsti duom. bazФ. Apie tai smulkiau
-galite rasti docs/nmap-fingerprinting-article.txt dokumente
-arba nmap'o puslapyje: http://www.insecure.org/nmap
-.SH AUTORIUS
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH IпVERTк
-.Sp
-Aurimas Mikalauskas
-.I <inner@crazy.lt>
-.Sp
-.SH PLATINIMAS
-.Sp
-NaujausiЮ
-.I nmap'o
-versijЮ visada galite rasti Хia:
-.Sp
-.I http://www.insecure.org/nmap/
-.Sp
-.I nmap
-is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
-.Sp
-.I libpcap'as
-yra taip pat platinamas kartu su nmap'u. Autorines
-teises А jА turi Van Jacobson, Craig Leres ir Steven McCanne,
-visi iП Lawrence Berkeley nacionalinКs Laboratorijos Kalifornijos
-Universiteto,  Berkeley,  CA. Versija platinama su nmap'u gali
-bШti perraПinКjama. Sourcus galit parsisiШsti iП
-.I ftp://ftp.ee.lbl.gov/libpcap.tar.Z
-.Sp
-.SH PABAIGAI
-DЧiaugiuosi, kad pagaliau pasiekКte galЮ. Dabar jau galite skaityti
-save kvalifikuotu nmap'o guru.
-.Sp
-beje, jei norite kЮ nors pridКti ar pakeisti Пiame dokumente,
-arba (neduok Dieve) radot kokiЬ tai bug'u, raПykit man adresu,
-pateiktu sekcijoje
-.B iПvertК.
-пiaip Пitas manualas abejoju ar bus atnaujinamas,
-bet paХiЮ naujausiЮ nmap-lt-HOWTO visada galite
-rasti mano puslapyje:
-.Sp
-.I http://crazy.lt/~inner
diff --git a/docs/nmap_manpage-de.html b/docs/nmap_manpage-de.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-de.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-es.html b/docs/nmap_manpage-es.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-es.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-fr.html b/docs/nmap_manpage-fr.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-fr.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-it.html b/docs/nmap_manpage-it.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-it.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-lt.html b/docs/nmap_manpage-lt.html
deleted file mode 100644
index 3088713f5..000000000
--- a/docs/nmap_manpage-lt.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><META http-equiv="Content-Type" content="text/html; charset=windows-1257"><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-lv.html b/docs/nmap_manpage-lv.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-lv.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-pt.html b/docs/nmap_manpage-pt.html
deleted file mode 100644
index bdf5e1f2c..000000000
--- a/docs/nmap_manpage-pt.html
+++ /dev/null
@@ -1,8 +0,0 @@
-Content-type: text/html
-
-<HTML><HEAD><TITLE>man2html: bad invocation</TITLE></HEAD>
-<BODY>
-<H1>man2html: bad invocation</H1>
-Call: man2html [-l|-h host.domain:port] [-p|-q] [filename]
-or:   man2html -r [filename]
-</BODY></HTML>
diff --git a/docs/nmap_manpage-ru.html b/docs/nmap_manpage-ru.html
deleted file mode 100644
index 1ab30cce6..000000000
--- a/docs/nmap_manpage-ru.html
+++ /dev/null
@@ -1,1054 +0,0 @@
-<HTML>
-<HEAD>
-<TITLE>Nmap network security scanner man page (Russian translation)</TITLE>
-</HEAD>
-<BODY>
-<H1>Nmap network security scanner man page (Russian translation)</H1>
-<HR>
-<PRE>
-<!-- Manpage converted by man2html 3.0.1 -->
-XXX
-XXX WARNING: old character encoding and/or character set
-XXX
-<B>NMAP(1)</B>                                                                <B>NMAP(1)</B>
-
-
-
-
-</PRE>
-<H2>цц╝цц║цц╨цц╥цц║цц╝цц╘цц╔ цц╟цц╡цц╞цц╖цц╡цц║цц╜цц╜цц╧</H2><PRE>
-       nmap  - the Network Mapper - ц┴ц▌ц⌠ц■ц▓ц∙ц█ц┘ц▌ц■ ц└ц▄ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┴ ц┴ц⌠ц⌠ц▄ц┘ц└ц▐ц≈ц│ц▌ц┴ц▒
-       ц┌ц┘ц ц▐ц░ц│ц⌠ц▌ц▐ц⌠ц■ц┴ цЁц┘ц■ц┴.
-
-
-</PRE>
-<H2>цц╘ццЁцц╟цц╞цц╛цц╦цц╨цц╞цц╥цц║цц╝цц╘цц╔</H2><PRE>
-       <B>nmap</B> [ц■ц┴ц░(ц≥) ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒] [ц▐ц░ц┐ц┴ц┴] &lt;ц┬ц▐ц⌠ц■ ц┴ц▄ц┴ ц⌠ц┘ц■ц≤ #1 ... [#N]&gt;
-
-
-</PRE>
-<H2>цц╞цц╟цц╘ццЁцц║цц╝цц╘цц╔</H2><PRE>
-       Nmap ц⌠ц▐ц ц└ц│ц▌ ц└ц▄ц▒ ц⌠ц┴ц⌠ц■ц┘ц█ц▌ц≥ц┬ ц│ц└ц█ц┴ц▌ц┴ц⌠ц■ц▓ц│ц■ц▐ц▓ц▐ц≈ ц┴ ц▄ц─ц┌ц▐ц░ц≥ц■ц▌ц≥ц┬ ц┴ц▌ц└ц┴ц≈ц┴ц└ц∙ц∙ц█ц▐ц≈ ц└ц▄ц▒
-       ц■ц▐ц┤ц▐,  ц·ц■ц▐  ц┌ц≥  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤  ц⌠ц┘ц■ц┴  ц⌠  ц▄ц─ц┌ц≥ц█  ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐ц█  ц▐ц┌ц÷ц┘ц▀ц■ц▐ц≈  ц└ц▄ц▒
-       ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц└ц▐ц⌠ц■ц∙ц░ц▌ц▐ц⌠ц■ц┴ ц┬ц▐ц⌠ц■ц▐ц≈ ц┴ ц┴ц└ц┘ц▌ц■ц┴ц├ц┴ц▀ц│ц┐ц┴ц┴  ц⌠ц┘ц▓ц≈ц┴ц⌠ц▐ц≈,  ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц▐ц▌ц┴
-       ц░ц▓ц┘ц└ц▐ц⌠ц■ц│ц≈ц▄ц▒ц─ц■.
-
-       Nmap  ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц┘ц■ ц■ц│ц▀ц┴ц┘ ц≈ц┴ц└ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▀ц│ц▀: UDP, TCP connect(), TCP
-       SYN (ц░ц▐ц▄ц∙ц▐ц■ц▀ц▓ц≥ц■ц▐ц┘ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘), ftp proxy (bounce attack), ICMP  (ping),
-       FIN, ACK, Xmas Tree, SYN, IP Protocol ц┴ NULL.
-
-       цЁц█ц▐ц■ц▓ц┴ц■ц┘ ц⌠ц┘ц▀ц┐ц┴ц─ ц╢ц┴ц░ц≥ цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц└ц▄ц▒ ц┌ц▐ц▄ц┘ц┘ ц░ц▐ц└ц▓ц▐ц┌ц▌ц▐ц┼ ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц┴.
-
-       Nmap  ц■ц│ц▀ц√ц┘  ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц┘ц■  ц▓ц▒ц└  ц▓ц│ц⌠ц⌡ц┴ц▓ц┘ц▌ц▌ц≥ц┬  ц▐ц⌠ц▐ц┌ц┘ц▌ц▌ц▐ц⌠ц■ц┘ц┼,  -  ц▌ц│ц░ц▓ц┴ц█ц┘ц▓
-       ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┘ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┘ ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц▐ц┼  ц⌠ц┴ц⌠ц■ц┘ц█ц≥  ц█ц┘ц■ц▐ц└ц▐ц█  ц⌠ц▌ц▒ц■ц┴ц▒  ц▐ц■ц░ц┘ц·ц│ц■ц▀ц│
-       TCP/IP  ц⌠ц■ц┘ц▀ц│,  ц⌠ц■ц┘ц▄ц⌠-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,  ц≈ц≥ц·ц┴ц⌠ц▄ц┘ц▌ц┴ц┘ ц└ц┴ц▌ц│ц█ц┴ц·ц┘ц⌠ц▀ц▐ц┼ ц ц│ц└ц┘ц▓ц√ц▀ц┴ ц┴
-       ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄ц│ ц░ц▐ц≈ц■ц▐ц▓ц▌ц▐ц┼ ц░ц┘ц▓ц┘ц└ц│ц·ц┴,  ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┘
-       ц▌ц┘ц│ц▀ц■ц┴ц≈ц▌ц≥ц┬ ц┬ц▐ц⌠ц■ц▐ц≈ ц█ц┘ц■ц▐ц└ц▐ц█ ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐ц┤ц▐ ping-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘
-       ц⌠ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘ц█ ц▄ц▐ц√ц▌ц≥ц┬ ц┬ц▐ц⌠ц■ц▐ц≈, ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц┴ц┘ ц⌠ц┴ц⌠ц■ц┘ц█  ц├ц┴ц▄ц≤ц■ц▓ц│ц┐ц┴ц┴  ц■ц▓ц│ц├ц┴ц▀ц│
-       (port  filtering  detection),  ц░ц▓ц▒ц█ц▐ц┘  (ц┌ц┘ц   ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц▒  portmapper)
-       RPC-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,   IP-ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц│ц┐ц┴ц─   ц░ц▓ц┴   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴,    ц│    ц■ц│ц▀ц√ц┘
-       ц░ц▓ц▐ц┴ц ц≈ц▐ц▄ц≤ц▌ц▐ц┘ ц∙ц▀ц│ц ц│ц▌ц┴ц┘ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┬ ц│ц└ц▓ц┘ц⌠ц▐ц≈ ц┴ ц░ц▐ц▓ц■ц▐ц≈.
-
-       ц╜ц▌ц▐ц┤ц▐ ц▓ц│ц┌ц▐ц■ц≥ ц░ц▓ц▐ц≈ц▐ц└ц┴ц▄ц▐ц⌠ц≤ ц▌ц│ц└ ц│ц└ц│ц░ц■ц│ц┐ц┴ц┘ц┼ nmap ц└ц▄ц▒ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼ ц┌ц┘ц  ц░ц▓ц│ц≈
-       root. ц╚ ц⌠ц▐ц√ц│ц▄ц┘ц▌ц┴ц─, ц█ц▌ц▐ц┤ц▐ ц▀ц▓ц┴ц■ц┴ц·ц┘ц⌠ц▀ц┴ц┬ ц▒ц└ц┘ц▓ц▌ц≥ц┬ ц┴ц▌ц■ц┘ц▓ц├ц┘ц┼ц⌠ц▐ц≈ (ц▀ц│ц▀, ц▌ц│ц░ц▓ц┴ц█ц┘ц▓
-       raw-ц⌠ц▐ц▀ц┘ц■ц≥)  ц■ц▓ц┘ц┌ц∙ц─ц■ root-ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц┼, ц■ц│ц▀ ц·ц■ц▐ ц⌠ц■ц│ц▓ц│ц┼ц■ц┘ц⌠ц≤ ц ц│ц░ц∙ц⌠ц▀ц│ц■ц≤ nmap
-       ц┴ц█ц┘ц▌ц▌ц▐ ц⌠ ц°ц■ц┴ц█ц┴ ц░ц▓ц│ц≈ц│ц█ц┴ (ц▌ц┘ setuid root, ц▀ц▐ц▌ц┘ц·ц▌ц▐).
-
-       ц╡ц┘ц ц∙ц▄ц≤ц■ц│ц■ц▐ц█ ц▓ц│ц┌ц▐ц■ц≥ nmap ц▐ц┌ц≥ц·ц▌ц▐ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц⌠ц░ц┴ц⌠ц▐ц▀  ц▐ц■ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬  ц░ц▐ц▓ц■ц▐ц≈
-       ц▌ц│  ц∙ц└ц│ц▄ц┘ц▌ц▌ц▐ц┼  ц█ц│ц⌡ц┴ц▌ц┘(ц│ц┬)  ц⌠  ц∙ц▀ц│ц ц│ц▌ц┴ц┘ц█  ц▌ц▐ц█ц┘ц▓ц│ ц┴ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц▒ ц░ц▐ц▓ц■ц│, ц■ц┴ц░ц│
-       ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц▐ц┤ц▐ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│, ц│ ц■ц│ц▀ц√ц┘ ц▌ц│ц ц≈ц│ц▌ц┴ц▒ ц⌠ц▄ц∙ц√ц┌ц≥, ц ц│ц▀ц▓ц┘ц░ц▄ц┘ц▌ц▌ц▐ц┼ ц ц│  ц°ц■ц┴ц█
-       ц░ц▐ц▓ц■ц▐ц█.  ц╟ц▐ц▓ц■ ц┬ц│ц▓ц│ц▀ц■ц┘ц▓ц┴ц ц┴ц▓ц∙ц┘ц■ц⌠ц▒ ц≈ц▐ц ц█ц▐ц√ц▌ц≥ц█ц┴ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц▒ц█ц┴: "ц▐ц■ц▀ц▓ц≥ц■"(open),
-       "ц ц│ц▀ц▓ц≥ц■"(closed),  "ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┼"(filtered)   ц┴   "ц▌ц┘ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┼"(unfil-
-       tered).   цЁц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘  ц░ц▐ц▓ц■ц│  "open" ц▐ц ц▌ц│ц·ц│ц┘ц■, ц·ц■ц▐ ц▌ц│ ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц┘ ц ц│
-       ц°ц■ц┴ц█ ц░ц▐ц▓ц■ц▐ц█ ц ц│ц▀ц▓ц┘ц░ц▄бёц▌ ц▐ц░ц▓ц┘ц└ц┘ц▄бёц▌ц▌ц≥ц┼ ц⌠ц┘ц▓ц≈ц┴ц⌠ ц┴ ц▐ц▌ ц█ц▐ц√ц┘ц■ ц░ц▓ц┴ц▌ц▒ц■ц≤ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘
-       ц▌ц│ ц°ц■ц▐ц■ ц░ц▐ц▓ц■.  цЁц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц░ц▐ц▓ц■ц│ "close" ц▐ц ц▌ц│ц·ц│ц┘ц■, ц·ц■ц▐ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒ ц▌ц│ ц°ц■ц▐ц■
-       ц░ц▐ц▓ц■ ц▌ц┘ц≈ц▐ц ц█ц▐ц√ц▌ц≥.  цЁц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц░ц▐ц▓ц■ц│  "filtered"  ц▐ц ц▌ц│ц·ц│ц┘ц■,  ц·ц■ц▐  ц├ц│ц┘ц▓ц≈ц▐ц▄,
-       ц░ц│ц▀ц┘ц■ц▌ц≥ц┼  ц├ц┴ц▄ц≤ц■ц▓  ц┴ц▄ц┴  ц▄ц─ц┌ц│ц▒  ц└ц▓ц∙ц┤ц│ц▒ ц░ц▐ц█ц┘ц┬ц│ ц█ц┘ц⌡ц│ц┘ц■ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘
-       ц░ц▐ц▓ц■ц│. цЁц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц░ц▐ц▓ц■ц│  "unfiltered"  -  ц▐ц ц▌ц│ц·ц│ц┘ц■  ц·ц■ц▐  ц░ц▐ц▓ц■  ц ц│ц▀ц▓ц≥ц■  ц┴
-       ц⌠ц┴ц⌠ц■ц┘ц█ц│  ц ц│ц²ц┴ц■ц≥  ц▌ц┘ ц█ц┘ц⌡ц│ц┘ц■ ц°ц■ц▐ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤. ц╢ц│ц▀ц▐ц┘ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■ц⌠ц▒
-       ц┘ц⌠ц▄ц┴ ц┌ц▐ц▄ц≤ц⌡ц┴ц▌ц⌠ц■ц≈ц▐ ц░ц▐ц▓ц■ц▐ц≈ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц≥ ц▌ц│ц┬ц▐ц└ц┴ц■ц⌠ц▒ ц≈  ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴  fil-
-       tered. ц╥ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц⌠ц▄ц∙ц·ц│ц▒ц┬ nmap ц▌ц┘ ц█ц▐ц√ц┘ц■ ц■ц▐ц·ц▌ц▐ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц▓ц│ц ц▌ц┴ц┐ц∙ ц█ц┘ц√ц└ц∙
-       ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц▒ц█ц┴ ц░ц▐ц▓ц■ц│ filtered, open ц┴ц▄ц┴ closed. ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц░ц▐ц▓ц■ ц▀ц▐ц■ц▐ц▓ц≥ц┼  ц▌ц┘
-       ц▐ц■ц≈ц┘ц·ц│ц┘ц■  ц▌ц│ FIN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц█ц▐ц√ц┘ц■ ц▌ц│ц┬ц▐ц└ц┴ц■ц≤ц⌠ц▒ ц≈ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴ ц▀ц│ц▀ open ц■ц│ц▀
-       ц┴  filtered.  ц╥  ц░ц▐ц└ц▐ц┌ц▌ц≥ц┬  ц⌠ц▄ц∙ц·ц│ц▒ц┬  nmap  ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■  ц■ц│ц▀ц┴ц┘  ц░ц▐ц▓ц■ц≥  ц▀ц│ц▀
-       "open|filtered" ц┴ц▄ц┴ "closed|filtered".
-
-       ц╥ ц ц│ц≈ц┴ц⌠ц┴ц█ц▐ц⌠ц■ц┴ ц▐ц■ ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┬ ц▐ц░ц┐ц┴ц┼, nmap ц■ц│ц▀ц√ц┘ ц█ц▐ц√ц┘ц■ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц⌠ц▄ц┘ц└ц∙ц─ц²ц┴ц┘
-       ц┬ц│ц▓ц│ц▀ц■ц┘ц▓ц┴ц⌠ц■ц┴ц▀ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│: ц■ц┴ц░ ц╞цЁ, ц█ц┘ц■ц▐ц└ ц┤ц┘ц▌ц┘ц▓ц│ц┐ц┴ц┴ TCP ISN, ц┴ц█ц▒
-       ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒    (username)   ц≈ц▄ц│ц└ц┘ц▄ц≤ц┐ц│   ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц│,   ц ц│ц▓ц┘ц ц┘ц▓ц≈ц┴ц▓ц▐ц≈ц│ц≈ц⌡ц┘ц┤ц▐
-       ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц░ц▐ц▓ц■,  ц⌠ц┴ц█ц≈ц▐ц▄ц≤ц▌ц≥ц┘   ц┴ц█ц┘ц▌ц│,   ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц∙ц─ц²ц┴ц┘   ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц█
-       IP-ц│ц└ц▓ц┘ц⌠ц│ц█ ц┴ ц■.ц░.
-
-
-</PRE>
-<H2>цц╞цц╟ццёцц╘цц╘</H2><PRE>
-        ц╒ц▐ц▄ц≤ц⌡ц┴ц▌ц⌠ц■ц≈ц▐ ц▐ц░ц┐ц┴ц┼ ц█ц▐ц┤ц∙ц■ ц▀ц▐ц█ц┌ц┴ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц└ц▓ц∙ц┤ ц⌠ ц└ц▓ц∙ц┤ц▐ц█. ц╞ц└ц▌ц┴ ц▐ц░ц┐ц┴ц┴
-        ц░ц▓ц┘ц└ц▌ц│ц ц▌ц│ц·ц┘ц▌ц≥ ц└ц▄ц▒ ц≈ц≥ц┌ц▐ц▓ц│ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц▌ц▐ц┤ц▐ ц█ц┘ц■ц▐ц└ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц└ц▓ц∙ц┤ц┴ц┘
-        ц∙ц▀ц│ц ц≥ц≈ц│ц─ц■ ц▌ц│ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘ ц└ц▐ц░ц▐ц▄ц▌ц┴ц■ц┘ц▄ц≤ц▌ц≥ц┬ ц≈ц▐ц ц█ц▐ц√ц▌ц▐ц⌠ц■ц┘ц┼ ц┴ц▄ц┴ ц⌠ц▄ц∙ц√ц│ц■ ц└ц▄ц▒
-        ц▌ц│ц⌠ц■ц▓ц▐ц┼ц▀ц┴ ц▓ц│ц ц▄ц┴ц·ц▌ц≥ц┬ ц░ц│ц▓ц│ц█ц┘ц■ц▓ц▐ц≈ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒. Nmap ц░ц▓ц┘ц└ц∙ц░ц▓ц┘ц√ц└ц│ц┘ц■
-        ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒ ц▐ ц▌ц┘ц└ц▐ц░ц∙ц⌠ц■ц┴ц█ц▐ц█ ц⌠ц▐ц·ц┘ц■ц│ц▌ц┴ц┴ ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┬ ц┴ц█ ц▐ц░ц┐ц┴ц┼.
-
-        ц╔ц⌠ц▄ц┴ ц≈ц≥ ц▌ц┘ц█ц┘ц└ц▄ц┘ц▌ц▌ц▐ ц┬ц▐ц■ц┴ц■ц┘ ц▌ц│ц·ц│ц■ц≤ ц▓ц│ц┌ц▐ц■ц∙ ц⌠ nmap, ц█ц▐ц√ц┘ц■ц┘ ц░ц▓ц▐ц░ц∙ц⌠ц■ц┴ц■ц≤ ц°ц■ц▐ц■
-        ц▓ц│ц ц└ц┘ц▄ ц┴ ц░ц┘ц▓ц┘ц┼ц■ц┴ ц▀ ц┴ц ц∙ц·ц┘ц▌ц┴ц─ ц░ц▓ц┴ц█ц┘ц▓ц▐ц≈ ц≈ц≥ц ц▐ц≈ц│ nmap ц≈ ц▀ц▐ц▌ц┐ц┘ ц└ц│ц▌ц▌ц▐ц┤ц▐
-        ц▓ц∙ц▀ц▐ц≈ц▐ц└ц⌠ц■ц≈ц│. ц╥ц≥ ц█ц▐ц√ц┘ц■ц┘ ц■ц│ц▀ц√ц┘ ц ц│ц░ц∙ц⌠ц■ц┴ц■ц≤ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц∙ nmap ц⌠ ц▀ц▄ц─ц·ц▐ц█  Б─≥  <B>-h</B>Б─<B>Б</B>─≥
-       ц└ц▄ц▒ ц░ц▐ц▄ц∙ц·ц┘ц▌ц┴ц▒ ц▀ц▓ц│ц■ц▀ц▐ц┼ ц⌠ц░ц▓ц│ц≈ц▀ц┴ ц░ц▐ ц≈ц⌠ц┘ц█ ц▐ц░ц┐ц┴ц▒ц█.
-
-       ц<B>ц</B>╢ц<B>ц</B>╘ц<B>ц</B>╟ц<B>ц</B>╧ ц<B>ц</B>Ёц<B>ц</B>╚ц<B>ц</B>║ц<B>ц</B>╝ц<B>ц</B>╘ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╥ц<B>ц</B>║ц<B>ц</B>╝ц<B>ц</B>╘ц<B>ц</B>╠
-
-       <B>-sS</B>    цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц█ц┘ц■ц▐ц└ц▐ц█  SYN. ц╪ц■ц▐ц■ ц█ц┘ц■ц▐ц└ ц▌ц│ц ц≥ц≈ц│ц┘ц■ц⌠ц▒ "ц░ц▐ц▄ц∙ц▐ц■ц▀ц▓ц≥ц■ц▐ц┘"
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,   ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙   ц░ц▐ц▄ц▌ц▐ц┘   TCP-ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘   ц⌠   ц░ц▐ц▓ц■ц▐ц█
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼  ц█ц│ц⌡ц┴ц▌ц≥ ц▌ц┘ ц∙ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■ц⌠ц▒. Nmap ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ SYN-ц░ц│ц▀ц┘ц■,
-              ц▀ц│ц▀ ц┌ц≥  ц▌ц│ц█ц┘ц▓ц┘ц≈ц│ц▒ц⌠ц≤  ц▐ц■ц▀ц▓ц≥ц■ц≤  ц▌ц│ц⌠ц■ц▐ц▒ц²ц┘ц┘  ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘,  ц┴  ц▐ц√ц┴ц└ц│ц┘ц■
-              ц▐ц■ц≈ц┘ц■.  ц╕ц▄ц│ц┤ц┴  SYN|ACK  ц≈  ц▐ц■ц≈ц┘ц■ц┘  ц∙ц▀ц│ц ц≥ц≈ц│ц─ц■  ц▌ц│  ц■ц▐,  ц·ц■ц▐  ц░ц▐ц▓ц■
-              ц∙ц└ц│ц▄ц┘ц▌ц▌ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц≥ ц▐ц■ц▀ц▓ц≥ц■. ц╕ц▄ц│ц┤ RST  ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■  ц▌ц│  ц■ц▐,  ц·ц■ц▐  ц░ц▐ц▓ц■
-              ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┼  ц█ц│ц⌡ц┴ц▌ц≥  ц ц│ц▀ц▓ц≥ц■.  ц╔ц⌠ц▄ц┴ nmap ц░ц▓ц┴ц▌ц▒ц▄ ц░ц│ц▀ц┘ц■ SYN|ACK, ц■ц▐ ц≈
-              ц▐ц■ц≈ц┘ц■ ц▌ц┘ц█ц┘ц└ц▄ц┘ц▌ц▌ц▐ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц■ц⌠ц▒ (ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц▐ц┼ ц⌠ц┴ц⌠ц■ц┘ц█ц▐ц┼)  RST-ц░ц│ц▀ц┘ц■
-              ц└ц▄ц▒  ц⌠ц┌ц▓ц▐ц⌠ц│  ц┘ц²ц┘  ц▌ц┘  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц▌ц▐ц┤ц▐  ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒.  ц╞ц·ц┘ц▌ц≤ ц▌ц┘ц█ц▌ц▐ц┤ц▐
-              ц⌠ц│ц┼ц■ц▐ц≈ ц⌠ц░ц▐ц⌠ц▐ц┌ц▌ц≥ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┴ц■ц≤  ц■ц│ц▀ц▐ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,  ц▐ц└ц▌ц│ц▀ц▐  ц┬ц▐ц▓ц▐ц⌡ц▐
-              ц▌ц│ц⌠ц■ц▓ц▐ц┘ц▌ц▌ц≥ц┼  ц├ц│ц┘ц▓ц≈ц▐ц▄  ц▌ц│ ц°ц■ц▐ ц⌠ц░ц▐ц⌠ц▐ц┌ц┘ц▌. ц╟ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц≤ ц└ц▐ц▄ц√ц┘ц▌ ц┴ц█ц┘ц■ц≤
-              root-ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц┴ ц└ц▄ц▒ ц├ц▐ц▓ц█ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц▐ц┤ц▐  SYN-ц░ц│ц▀ц┘ц■ц│.  ц╪ц■ц▐ц■
-              ц■ц┴ц░    ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒   ц░ц▓ц┴ц█ц┘ц▌ц┴ц█ц≥ц█   ц░ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─   ц└ц▄ц▒
-              ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼.
-
-       <B>-sT</B>    цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц█ц┘ц■ц▐ц└ц▐ц█  TCP  connect().  ц╝ц│ц┴ц┌ц▐ц▄ц┘ц┘  ц░ц▓ц▐ц⌠ц■ц▐ц┼  ц█ц┘ц■ц▐ц└
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒     TCP-ц░ц▐ц▓ц■ц▐ц≈.    цЁц┴ц⌠ц■ц┘ц█ц▌ц≥ц┼    ц≈ц≥ц ц▐ц≈    connect(),
-              ц░ц▓ц┴ц⌠ц∙ц■ц⌠ц■ц≈ц∙ц─ц²ц┴ц┼ ц≈ ц▄ц─ц┌ц▐ц┼ ц╞цЁ, ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ ц⌠ц▐ц ц└ц│ц■ц≤ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘ ц⌠  ц▄ц─ц┌ц≥ц█
-              ц░ц▐ц▓ц■ц▐ц█   ц∙ц└ц│ц▄ц┘ц▌ц▌ц▐ц┼   ц█ц│ц⌡ц┴ц▌ц≥.   цЁц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘   ц░ц▓ц▐ц┴ц⌠ц┬ц▐ц└ц┴ц■   ц█ц┘ц■ц▐ц└ц▐ц█
-              ц⌠ц■ц│ц▌ц└ц│ц▓ц■ц▌ц▐ц┤ц▐ "tcp-ц▓ц∙ц▀ц▐ц░ц▐ц√ц│ц■ц┴ц▒", - ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц²ц│ц▒ ц█ц│ц⌡ц┴ц▌ц│  ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц■
-              ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц∙ц─ ц░ц│ц▀ц┘ц■ ц⌠ ц├ц▄ц│ц┤ц▐ц█ SYN, ц┘ц⌠ц▄ц┴ ц≈ ц▐ц■ц≈ц┘ц■ ц░ц▓ц┴ц┬ц▐ц└ц┴ц■ ц░ц│ц▀ц┘ц■ ц⌠
-              ц├ц▄ц│ц┤ц▐ц█ RST -  ц■ц▐  ц░ц▐ц▓ц■  ц ц│ц▀ц▓ц≥ц■,  ц┘ц⌠ц▄ц┴  SYN|ACK,  ц■ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц²ц│ц▒
-              ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц■ ACK ц┴ ц■ц▐ц┤ц└ц│ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘ ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц▐). ц╔ц⌠ц▄ц┴ ц░ц▐ц▓ц■ ц▐ц■ц▀ц▓ц≥ц■
-              ц┴ ц░ц▓ц▐ц⌠ц▄ц∙ц⌡ц┴ц≈ц│ц┘ц■ц⌠ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц▐ц┼,  ц■ц▐  ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■  ц≈ц≥ц░ц▐ц▄ц▌ц┘ц▌ц┴ц▒
-              connect()  ц┌ц∙ц└ц┘ц■ ц∙ц⌠ц░ц┘ц⌡ц▌ц≥ц█ (ц■.ц┘. ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘ ц┌ц∙ц└ц┘ц■ ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц▐), ц≈
-              ц░ц▓ц▐ц■ц┴ц≈ц▌ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┼ ц░ц▐ц▓ц■ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц ц│ц▀ц▓ц≥ц■ц≥ц█ ц┴ц▄ц┴  ц└ц▐ц⌠ц■ц∙ц░  ц▀
-              ц▌ц┘ц█ц∙  ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц┘ц■ц⌠ц▒.   ц╔ц└ц┴ц▌ц⌠ц■ц≈ц┘ц▌ц▌ц≥ц█  ц░ц▓ц┘ц┴ц█ц∙ц²ц┘ц⌠ц■ц≈ц▐ц█  ц└ц│ц▌ц▌ц▐ц┤ц▐ ц█ц┘ц■ц▐ц└ц│
-              ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц■ц▐, ц·ц■ц▐ ц┘ц┤ц▐ ц█ц▐ц√ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц┌ц┘ц  root-ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц┼.
-
-              ц╪ц■ц▐ц■ ц█ц┘ц■ц▐ц└ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▄ц┘ц┤ц▀ц▐ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┴ц█, ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙  ц≈  log-ц├ц│ц┼ц▄ц┘
-              ц▌ц│   ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼   ц█ц│ц⌡ц┴ц▌ц┘  ц⌠ц▐ц┬ц▓ц│ц▌ц▒ц■ц⌠ц▒  ц ц│ц░ц┴ц⌠ц┴  ц▐  ц█ц▌ц▐ц┤ц▐ц·ц┴ц⌠ц▄ц┘ц▌ц▌ц≥ц┬
-              ц░ц▐ц░ц≥ц■ц▀ц│ц┬ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒ ц┴  ц▐ц┌  ц▐ц⌡ц┴ц┌ц▀ц│ц┬  ц≈ц≥ц░ц▐ц▄ц▌ц┘ц▌ц┴ц▒  ц└ц│ц▌ц▌ц▐ц┼  ц▐ц░ц┘ц▓ц│ц┐ц┴ц┴
-              ц⌠ц▄ц∙ц√ц┌ц│ц█ц┴,   ц▀   ц▀ц▐ц■ц▐ц▓ц≥ц█   ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц▄ц▐ц⌠ц≤   ц░ц▐ц└ц▀ц▄ц─ц·ц┘ц▌ц┴ц┘,  ц│  ц ц│ц■ц┘ц█
-              ц█ц┤ц▌ц▐ц≈ц┘ц▌ц▌ц▐ц┘ ц ц│ц≈ц┘ц▓ц⌡ц┘ц▌ц┴ц┘ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒. ц╪ц■ц▐ц■ ц■ц┴ц░ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒
-              ц░ц▓ц┴ц█ц┘ц▌ц┴ц█ц≥ц█ ц░ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц└ц▄ц▒ ц▌ц┘ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼.
-
-       <B>-sF</B> <B>-sX</B> <B>-sN</B>
-              цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц█ц┘ц■ц▐ц└ц▐ц█ stealth-FIN, Xmas Tree ц┴ц▄ц┴ NULL. ц╪ц■ц┴ ц█ц┘ц■ц▐ц└ц≥
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц─ц■ц⌠ц▒  ц≈  ц⌠ц▄ц∙ц·ц│ц┘,  ц┘ц⌠ц▄ц┴  SYN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц░ц▐  ц▀ц│ц▀ц┴ц█-ц▄ц┴ц┌ц▐
-              ц░ц▓ц┴ц·ц┴ц▌ц│ц█  ц▌ц┘  ц└ц│ц▄ц▐  ц▐ц√ц┴ц└ц│ц┘ц█ц▐ц┤ц▐  ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц│. ц╝ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц├ц│ц┘ц▓ц≈ц▐ц▄ц≥ ц┴
-              ц░ц│ц▀ц┘ц■ц▌ц≥ц┘ ц├ц┴ц▄ц≤ц■ц▓ц≥ ц▐ц√ц┴ц└ц│ц─ц■ SYN-ц░ц│ц▀ц┘ц■ц≥ ц▌ц│ ц ц│ц²ц┴ц²ц│ц┘ц█ц≥ц┘ ц┴ц█ц┴  ц░ц▐ц▓ц■ц≥,  ц┴
-              ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥   ц■ц┴ц░ц│   Synlogger  ц┴ц▄ц┴  Courtney  ц⌠ц░ц▐ц⌠ц▐ц┌ц▌ц≥  ц▐ц■ц⌠ц▄ц┘ц└ц┴ц■ц≤
-              SYN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘. ц╥ц≥ц⌡ц┘ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┘ ц■ц┴ц░ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц█ц▐ц┤ц∙ц■ ц┌ц≥ц■ц≤  ц▌ц┘
-              ц ц│ц█ц┘ц·ц┘ц▌ц≥ ц⌠ц┴ц⌠ц■ц┘ц█ц│ц█ц┴ ц ц│ц²ц┴ц■ц≥.
-
-              FIN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴  ц≈  ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘  ц ц│ц░ц▓ц▐ц⌠ц│ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ FIN-ц░ц│ц▀ц┘ц■. ц╥
-              Xmas Tree ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц░ц│ц▀ц┘ц■ ц⌠  ц▌ц│ц┌ц▐ц▓ц▐ц█  ц├ц▄ц│ц┤ц▐ц≈  FIN|URG|PSH,  ц│
-              NULL-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц░ц│ц▀ц┘ц■ ц┌ц┘ц  ц├ц▄ц│ц┤ц▐ц≈. цЁц▐ц┤ц▄ц│ц⌠ц▌ц▐ RFC 793
-              ц⌠ц■ц▓.64, ц ц│ц▀ц▓ц≥ц■ц≥ц┼ ц░ц▐ц▓ц■ ц└ц▐ц▄ц√ц┘ц▌ ц▐ц■ц≈ц┘ц■ц┴ц■ц≤ ц▌ц│ ц▐ц└ц┴ц▌ ц┴ц  ц■ц│ц▀ц┴ц┬ ц░ц▐ц⌠ц▄ц│ц▌ц▌ц≥ц┬
-              ц▌ц│ц█ц┴  ц░ц│ц▀ц┘ц■  ц░ц│ц▀ц┘ц■ц▐ц█  ц⌠  ц├ц▄ц│ц┤ц▐ц█ RST. ц╕ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┘ ц░ц▐ц▓ц■ц≥ ц▐ц┌ц≥ц·ц▌ц▐ ц▌ц┘
-              ц▐ц■ц≈ц┘ц·ц│ц─ц■ ц▌ц│ ц■ц│ц▀ц┴ц┘ ц░ц│ц▀ц┘ц■ц≥, ц░ц▐ц°ц■ц▐ц█ц∙  nmap  ц▐ц┌ц▐ц ц▌ц│ц·ц│ц┘ц■  ц■ц│ц▀ц▐ц┼  ц░ц▐ц▓ц■
-              "open|filered".  ц╔ц⌠ц▄ц┴ ц└ц▐ц┌ц│ц≈ц┴ц■ц≤ ц▐ц░ц┐ц┴ц─ ц▓ц│ц⌠ц░ц▐ц ц▌ц│ц≈ц│ц▌ц┴ц▒ ц≈ц┘ц▓ц⌠ц┴ц┴ (-sV),
-              nmap ц░ц▐ц░ц≥ц■ц│ц┘ц■ц⌠ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц■ц▐ц·ц▌ц▐  ц▄ц┴  ц■ц│ц▀ц┴ц┘  ц░ц▐ц▓ц■ц≥  ц▐ц■ц▀ц▓ц≥ц■ц≥.  ц╚
-              ц▌ц┘ц⌠ц·ц│ц⌠ц■ц≤ц─,  Microsoft  ц▀ц│ц▀  ц≈ц⌠ц┘ц┤ц└ц│ ц▓ц┘ц⌡ц┴ц▄ц│ ц░ц▐ц▄ц▌ц▐ц⌠ц■ц≤ц─ ц┴ц┤ц▌ц▐ц▓ц┴ц▓ц▐ц≈ц│ц■ц≤
-              ц≈ц⌠ц┘ ц▐ц┌ц²ц┘ц░ц▓ц┴ц▌ц▒ц■ц≥ц┘ ц⌠ц■ц│ц▌ц└ц│ц▓ц■ц≥ ц┴ ц░ц▐ц┼ц■ц┴ ц⌠ц≈ц▐ц┴ц█ ц░ц∙ц■бёц█. ц╟ц▐ц°ц■ц▐ц█ц∙ ц▄ц─ц┌ц│ц▒ ц╞цЁ
-              ц⌠ц┘ц█ц┘ц┼ц⌠ц■ц≈ц│ Windows ц▌ц┘ ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ ц≈ ц▐ц■ц≈ц┘ц■ RST-ц░ц│ц▀ц┘ц■, ц┴ ц└ц│ц▌ц▌ц≥ц┘ ц█ц┘ц■ц▐ц└ц≥
-              ц▌ц┘ ц┌ц∙ц└ц∙ц■ ц▓ц│ц┌ц▐ц■ц│ц■ц≤ ц⌠ ц°ц■ц┴ц█ц┴ ц╞цЁ.  цЁ  ц└ц▓ц∙ц┤ц▐ц┼  ц⌠ц■ц▐ц▓ц▐ц▌ц≥  ц≈  nmap  ц°ц■ц▐ц■
-              ц░ц▓ц┴ц ц▌ц│ц▀  ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒  ц▐ц⌠ц▌ц▐ц≈ц▌ц≥ц█  ц└ц▄ц▒ ц▓ц│ц ц▄ц┴ц·ц┘ц▌ц┴ц▒ ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц≥ц┬ ц⌠ц┴ц⌠ц■ц┘ц█,
-              ц┘ц⌠ц▄ц┴ ц└ц│ц▌ц▌ц≥ц┘ ц■ц┴ц░ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц▌ц│ц⌡ц▄ц┴  ц▐ц■ц▀ц▓ц≥ц■ц≥ц┘  ц░ц▐ц▓ц■ц≥  -  ц⌠ц▀ц▐ц▓ц┘ц┘
-              ц≈ц⌠ц┘ц┤ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц│ц▒ ц█ц│ц⌡ц┴ц▌ц│ ц▓ц│ц┌ц▐ц■ц│ц┘ц■ ц▌ц┘ ц░ц▐ц└ ц∙ц░ц▓ц│ц≈ц▄ц┘ц▌ц┴ц┘ц█ windows. ц╚
-              ц⌠ц▐ц√ц│ц▄ц┘ц▌ц┴ц─,  Windows  ц▌ц┘   ц┘ц└ц┴ц▌ц⌠ц■ц≈ц┘ц▌ц▌ц│ц▒   ц╞цЁ,   ц▐ц┌ц▄ц│ц└ц│ц─ц²ц│ц▒   ц°ц■ц┴ц█
-              ц▌ц┘ц└ц▐ц⌠ц■ц│ц■ц▀ц▐ц█. ц╚ ц■ц│ц▀ц┴ц█ ц╞цЁ ц▐ц■ц▌ц▐ц⌠ц▒ц■ц⌠ц▒ ц■ц│ц▀ц√ц┘ Cisco, BSDI, IRIX, HP/UX
-              ц┴ MVS. ц╥ц⌠ц┘ ц°ц■ц┴ ц╞цЁ ц▌ц┘ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц─ц■ RST-ц░ц│ц▀ц┘ц■ц≥. ц╝ц▐ ц°ц■ц▐ ц▌ц┘ ц■ц│ц▀ ц≈ц│ц√ц▌ц▐,
-              ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙  nmap  ц█ц▐ц√ц┘ц■  ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц■ц≤  ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц∙ц─ ц⌠ц┴ц⌠ц■ц┘ц█ц∙ ц└ц▓ц∙ц┤ц┴ц█ц┴
-              ц█ц┘ц■ц▐ц└ц│ц█ц┴ ц│ц≈ц■ц▐ц█ц│ц■ц┴ц·ц┘ц⌠ц▀ц┴.
-
-       <B>-sP</B>    Ping-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘: ц╘ц▌ц▐ц┤ц└ц│ ц≈ц│ц█ ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ ц▄ц┴ц⌡ц≤ ц∙ц ц▌ц│ц■ц≤ ц▀ц│ц▀ц┴ц┘ ц┬ц▐ц⌠ц■ц≥
-              ц│ц▀ц■ц┴ц≈ц▌ц≥  ц≈  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼  ц⌠ц┘ц■ц┴.  Nmap  ц█ц▐ц√ц┘ц■  ц⌠ц└ц┘ц▄ц│ц■ц≤ ц°ц■ц▐, ц░ц▐ц⌠ц▄ц│ц≈
-              ICMP-ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┘ "ц°ц┬ц▐  ц ц│ц░ц▓ц▐ц⌠"  ц▌ц│  ц▀ц│ц√ц└ц≥ц┼  IP-ц│ц└ц▓ц┘ц⌠,  ц▀ц▐ц■ц▐ц▓ц≥ц┼  ц≈ц≥
-              ц∙ц▀ц│ц√ц┘ц■ц┘.   ц╗ц▐ц⌠ц■,  ц▐ц■ц░ц▓ц│ц≈ц┴ц≈ц⌡ц┴ц┼  ц▐ц■ц≈ц┘ц■  ц▌ц│ ц°ц┬ц▐, ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц│ц▀ц■ц┴ц≈ц▌ц≥ц█.
-              ц╝ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц⌠ц│ц┼ц■ц≥ (ц▌ц│ц░ц▓ц┴ц█ц┘ц▓ microsoft.com) ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц─ц■ ц░ц│ц▀ц┘ц■ц≥ ц⌠  ц°ц┬ц▐
-              ц ц│ц░ц▓ц▐ц⌠ц▐ц█. ц╟ц▐ц°ц■ц▐ц█ц∙ nmap ц■ц│ц▀ц√ц┘ ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ TCP ц║цЁц╚-ц░ц│ц▀ц┘ц■ ц▌ц│ 80-ц┼ ц░ц▐ц▓ц■
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│ (ц░ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─).  ц╔ц⌠ц▄ц┴  ц≈  ц▐ц■ц≈ц┘ц■  ц█ц≥  ц░ц▐ц▄ц∙ц·ц┴ц▄ц┴
-              RST-ц░ц│ц▀ц┘ц■,  -  ц┬ц▐ц⌠ц■  ц│ц▀ц■ц┴ц≈ц┘ц▌.  ц╢ц▓ц┘ц■ц┴ц┼ ц█ц┘ц■ц▐ц└ ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ SYN-ц░ц│ц▀ц┘ц■ ц┴
-              ц▐ц√ц┴ц└ц│ц┘ц■  ц≈  ц▐ц■ц≈ц┘ц■  RST  ц▄ц┴ц┌ц▐  SYN|ACK.  ц╓ц▄ц▒  ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼,   ц▌ц┘
-              ц▐ц┌ц▄ц│ц└ц│ц─ц²ц┴ц┬ ц⌠ц■ц│ц■ц∙ц⌠ц▐ц█ root, ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц█ц┘ц■ц▐ц└ connect().
-
-              ц╓ц▄ц▒ ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼ nmap ц░ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■
-              ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐ ц▐ц┌ц│ ц█ц┘ц■ц▐ц└ц│ - ICMP ц┴ ACK.  ц╥ц≥  ц█ц▐ц√ц┘ц■ц┘  ц┴ц ц█ц┘ц▌ц┴ц■ц≤  ц°ц■ц▐,
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц▒ ц▐ц░ц┐ц┴ц─ Б─≥ <B>-P</B>
-
-              ц╞ц┌ц▓ц│ц■ц┴ц■ц┘    ц≈ц▌ц┴ц█ц│ц▌ц┴ц┘,   ц·ц■ц▐   ping-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘   ц░ц▐   ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─
-              ц≈ц≥ц░ц▐ц▄ц▌ц▒ц┘ц■ц⌠ц▒ ц≈ ц▄ц─ц┌ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ ц┴ ц■ц▐ц▄ц≤ц▀ц▐ ц│ц▀ц■ц┴ц≈ц▌ц≥ц┘ ц┬ц▐ц⌠ц■ц≥  ц░ц▐ц└ц≈ц┘ц▓ц┤ц│ц─ц■ц⌠ц▒
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц─.   ц╘ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘  ц°ц■ц∙  ц▐ц░ц┐ц┴ц─ ц■ц▐ц▄ц≤ц▀ц▐ ц≈ ц⌠ц▄ц∙ц·ц│ц┘, ц┘ц⌠ц▄ц┴ ц≈ц≥
-              ц┬ц▐ц■ц┴ц■ц┘ ц░ц▓ц▐ц┴ц ц≈ц┘ц⌠ц■ц┴ ц■ц▐ц▄ц≤ц▀ц▐ ping-ц▐ц░ц▓ц▐ц⌠,  ц▌ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц▒  ц░ц▐ц▓ц■ц≥.   <B>-sV</B>
-              ц╥ц▀ц▄ц─ц·ц┴ц■ц≤  ц▓ц┘ц√ц┴ц█ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц≈ц┘ц▓ц⌠ц┴ц┼ ц⌠ц▄ц∙ц√ц┌, ц ц│ ц▀ц▐ц■ц▐ц▓ц≥ц█ц┴ ц ц│ц▀ц▓ц┘ц░ц▄ц┘ц▌ц≥
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┘ ц░ц▐ц▓ц■ц≥. ц╟ц▐ц⌠ц▄ц┘ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ TCP ц┴/ц┴ц▄ц┴ UDP-ц░ц▐ц▓ц■ц▐ц≈ ц▄ц─ц┌ц≥ц█
-              ц█ц┘ц■ц▐ц└ц▐ц█,  nmap ц░ц▐ц░ц≥ц■ц│ц┘ц■ц⌠ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц░ц▓ц┴ц≈ц▒ц ц│ц▌ц▌ц≥ц┼ ц▀ ц°ц■ц┴ц█ ц▐ц■ц▀ц▓ц≥ц■ц≥ц█
-              ц░ц▐ц▓ц■ц│ц█ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ ц⌠ц▄ц∙ц√ц┌ц≥ (ftp, ssh, telnet, http), ц┴ц█ц▒  ц░ц▓ц┴ц▄ц▐ц√ц┘ц▌ц┴ц▒
-              (ISC  Bind,  Apache  httpd,  Solaris  telnetd),  ц▌ц▐ц█ц┘ц▓  ц≈ц┘ц▓ц⌠ц┴ц┴ ц┴
-              ц└ц▐ц░ц▐ц▄ц▌ц┴ц■ц┘ц▄ц≤ц▌ц≥ц┘  ц└ц┘ц■ц│ц▄ц┴  (ц▌ц│ц░ц▓ц┴ц█ц┘ц▓,  ц▐ц■ц▀ц▓ц≥ц■  ц▄ц┴  ц╗   ц⌠ц┘ц▓ц≈ц┘ц▓   ц└ц▄ц▒
-              ц░ц▐ц└ц▀ц▄ц─ц·ц┘ц▌ц┴ц┼ ц┴ц▄ц┴ ц≈ц┘ц▓ц⌠ц┴ц─ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│ SSH). ц╕ц│ц┼ц▄, ц▌ц│ц ц≈ц│ц▌ц▌ц≥ц┼ nmap-ser-
-              vice-probes ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц└ц▄ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц▐ц░ц■ц┴ц█ц│ц▄ц≤ц■ц≥ц┬  ц■ц┘ц⌠ц■ц▐ц≈,  ц⌠
-              ц░ц▐ц█ц▐ц²ц≤ц─  ц▀ц▐ц■ц▐ц▓ц≥ц┬  ц█ц▐ц√ц▌ц▐ ц░ц▐ц▄ц∙ц·ц┴ц■ц≤ ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ ц■ц▐ц·ц▌ц∙ц─ ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц─ ц≈
-              ц└ц│ц▌ц▌ц≥ц┬ ц∙ц⌠ц▄ц▐ц≈ц┴ц▒ц┬. ц╔ц⌠ц▄ц┴ nmap ц⌠ц▀ц▐ц█ц░ц┴ц▄ц┴ц▓ц▐ц≈ц│ц▌ ц⌠  ц░ц▐ц└ц└ц┘ц▓ц√ц▀ц▐ц┼  OpenSSL,
-              ц▐ц▌ ц░ц▐ц└ц▀ц▄ц─ц·ц┴ц■ц⌠ц▒ ц▀ SSL-ц⌠ц┘ц▓ц≈ц┘ц▓ц∙ ц⌠ ц░ц▐ц░ц≥ц■ц▀ц▐ц┼ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤, ц▀ц│ц▀ц│ц▒ ц⌠ц▄ц∙ц√ц┌ц│
-              ц▓ц│ц┌ц▐ц■ц│ц┘ц■  ц ц│  ц⌡ц┴ц├ц▓ц▐ц≈ц│ц▌ц┴ц┘ц█.  ц╔ц⌠ц▄ц┴  ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц│  ц⌠ц▄ц∙ц√ц┌ц│  RPC,  nmap
-              ц░ц▓ц┘ц└ц░ц▓ц┴ц█ц┘ц■  ц│ц■ц│ц▀ц∙ ц▌ц│ RPC ц░ц▐ ц█ц┘ц■ц▐ц└ц∙ "ц┤ц▓ц∙ц┌ц▐ц┼ ц⌠ц┴ц▄ц≥" ц└ц▄ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒
-              ц▌ц▐ц█ц┘ц▓ц│  ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥  RPC  ц┴  ц▌ц▐ц█ц┘ц▓ц│  ц≈ц┘ц▓ц⌠ц┴ц┴.  ц╝ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘  UDP-ц░ц▐ц▓ц■ц≥
-              ц▐ц⌠ц■ц│ц─ц■ц⌠ц▒  ц≈  ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴  "open|filtered" ц┘ц⌠ц▄ц┴ UDP-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц▌ц┘
-              ц⌠ц█ц▐ц√ц┘ц■  ц■ц▐ц·ц▌ц▐  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц≈  ц▀ц│ц▀ц▐ц█  ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴  ц▌ц│ц┬ц▐ц└ц┴ц■ц⌠ц▒  ц░ц▐ц▓ц■.
-              ц╞ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц┘ц▄ц≤ ц≈ц┘ц▓ц⌠ц┴ц┴ ц░ц▐ц░ц≥ц■ц│ц┘ц■ц⌠ц▒ ц⌠ц▐ц┘ц└ц┴ц▌ц┴ц■ц≤ц⌠ц▒ ц▌ц│ ц■ц│ц▀ц▐ц┼ ц░ц▐ц▓ц■, ц┴ ц┘ц⌠ц▄ц┴
-              ц▐ц▌ ц▐ц■ц▀ц▓ц≥ц■, ц■ц▐ ц┘ц┤ц▐ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц┴ц ц█ц┘ц▌ц┴ц■ц⌠ц▒ ц▌ц│ open. ц╞ц░ц┐ц┴ц▒ Б─≥-AБ─≥  ц■ц│ц▀ц√ц┘
-              ц≈ц▀ц▄ц─ц·ц│ц┘ц■  ц°ц■ц▐ц■ ц▓ц┘ц√ц┴ц█.  ц╟ц▓ц┴ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┴ ц▐ц░ц┐ц┴ц┴ Б─≥--version_traceБ─≥
-              nmap ц┌ц∙ц└ц┘ц■ ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц■ц≤ ц≈ц⌠ц─  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц─  ц▐  ц░ц▓ц▐ц┴ц⌠ц┬ц▐ц└ц▒ц²ц┘ц█  ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц┘
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒   ц≈ц┘ц▓ц⌠ц┴ц┴  (ц°ц■ц▐  ц▌ц┘ц▀ц▐ц■ц▐ц▓ц│ц▒  ц▓ц│ц ц▌ц▐ц≈ц┴ц└ц▌ц▐ц⌠ц■ц≤  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц┴
-              ц▀ц▐ц■ц▐ц▓ц∙ц─ ц█ц▐ц√ц▌ц▐ ц░ц▐ц▄ц∙ц·ц┴ц■ц≤ ц░ц▓ц┴ ц≈ц▀ц▄ц─ц·ц┘ц▌ц┴ц┴ ц▐ц░ц┐ц┴ц┴ Б─≥--packet_traceБ─≥).
-
-       <B>-sU</B>    UDP-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘:  ц°ц■ц▐ц■  ц■ц┴ц░   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒   ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒  ц▐ц■ц▀ц▓ц≥ц■ц≥ц┬  UDP  (User  Datagram  Protocol,  RFC 768)
-              ц░ц▐ц▓ц■ц▐ц≈ ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц┘. Nmap ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ 0-ц┌ц│ц┼ц■ц▌ц≥ц┼  UDP-ц░ц│ц▀ц┘ц■
-              ц▌ц│  ц▀ц│ц√ц└ц≥ц┼  ц░ц▐ц▓ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼  ц█ц│ц⌡ц┴ц▌ц≥.  ц╔ц⌠ц▄ц┴  ц≈  ц▐ц■ц≈ц┘ц■  ц░ц▐ц▄ц∙ц·ц┘ц▌ц▐
-              ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┘ ICMP "port unreachable"  (ICMP  ц░ц▐ц▓ц■  ц▌ц┘ц└ц▐ц⌠ц■ц∙ц░ц┘ц▌),  ц■ц▐
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц░ц▐ц▓ц■  ц ц│ц▀ц▓ц≥ц■,  ц┘ц⌠ц▄ц┴ ц·ц■ц▐-ц■ц▐ ц└ц▓ц∙ц┤ц▐ц┘ - ц■ц▐ ц▐ц■ц▀ц▓ц≥ц■. ц╔ц⌠ц▄ц┴
-              ц▐ц■ц≈ц┘ц■ ц≈ц▐ц▐ц┌ц²ц┘ ц▌ц┘  ц░ц▓ц┴ц┬ц▐ц└ц┴ц■,  ц■ц▐  nmap  ц░ц▐ц█ц┘ц·ц│ц┘ц■  ц░ц▐ц▓ц■  ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ц█
-              "open|filtered",  ц┴  ц°ц■ц▐  ц ц▌ц│ц·ц┴ц■ ц·ц■ц▐ ц░ц▐ц▓ц■ ц▐ц■ц▀ц▓ц≥ц■, ц▌ц▐ ц├ц│ц┘ц▓ц≈ц▐ц▄ ц┴ц▄ц┴
-              ц└ц▓ц∙ц┤ц▐ц┼  ц░ц│ц▀ц┘ц■ц▌ц≥ц┼  ц├ц┴ц▄ц≤ц■ц▓  ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц┘ц■  ц└ц▐ц⌠ц■ц∙ц░  ц▀  ц└ц│ц▌ц▌ц▐ц█ц∙   ц░ц▐ц▓ц■ц∙.
-              ц╥ц▀ц▄ц─ц·ц┘ц▌ц┴ц┘  ц▓ц┘ц√ц┴ц█ц│  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒  ц≈ц┘ц▓ц⌠ц┴ц┼  ц⌠ц▄ц∙ц√ц┌ (-sV) ц█ц▐ц√ц┘ц■ ц░ц▐ц█ц▐ц·ц≤
-              ц■ц▐ц·ц▌ц▐ ц▓ц│ц⌠ц░ц▐ц ц▌ц│ц■ц≤ ц▐ц■ц▀ц▓ц≥ц■ц≥ц┘ ц┴ ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┘ ц░ц▐ц▓ц■ц≥.
-
-              ц╝ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘   ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┴   ц⌠ц·ц┴ц■ц│ц─ц■    ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘    UDP-ц░ц▐ц▓ц■ц▐ц≈
-              ц┌ц┘ц⌠ц░ц▐ц▄ц┘ц ц▌ц≥ц█  ц ц│ц▌ц▒ц■ц┴ц┘ц█.  ц╜ц≥  ц▐ц┌ц≥ц·ц▌ц▐  ц≈  ц°ц■ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ ц▌ц│ц░ц▐ц█ц┴ц▌ц│ц┘ц█ ц▐ц┌
-              ц┴ц ц≈ц┘ц⌠ц■ц▌ц▐ц┼ ц└ц≥ц▓ц┘ ц≈ ц└ц┘ц█ц▐ц▌ц┘ rpcbind ц╞цЁ Solaris. Rpcbind  ц█ц▐ц√ц┘ц■  ц┌ц≥ц■ц≤
-              ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌  ц▌ц│ ц▄ц─ц┌ц▐ц█ ц┴ц  ц▌ц┘ц└ц▐ц▀ц∙ц█ц┘ц▌ц■ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬ UDP-ц░ц▐ц▓ц■ц▐ц≈ ц⌠ ц▌ц▐ц█ц┘ц▓ц▐ц█,
-              ц┌ц▐ц▄ц≤ц⌡ц┘ 32770. ц╔ц⌠ц▄ц┴ ц≈ц≥ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┴ц■ц┘ ц┘ц┤ц▐, ц■ц▐  ц┌ц∙ц└ц┘ц■  ц∙ц√ц┘  ц▌ц┘  ц≈ц│ц√ц▌ц▐,
-              ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц┘ц■ц⌠ц▒  ц▄ц┴  111-ц┼  ц░ц▐ц▓ц■ ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█ ц┴ц▄ц┴ ц▌ц┘ц■. ц╝ц▐ ц▀ц│ц▀ ц≈ц≥ ц█ц▐ц√ц┘ц■ц┘
-              ц▐ц┌ц▌ц│ц▓ц∙ц√ц┴ц■ц≤ ц▌ц│ ц▀ц│ц▀ц▐ц█ ц┴ц█ц┘ц▌ц▌ц▐ ц┴ц   30,000  ц░ц▐ц▓ц■ц▐ц≈  ц ц│ц░ц∙ц²ц┘ц▌  rpcbind?
-              ц╚ц▐ц▌ц┘ц·ц▌ц▐ ц√ц┘ ц⌠ ц░ц▐ц█ц▐ц²ц≤ц─ UDP-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒. ц╢ц│ц▀ц√ц┘ ц▌ц┘ц└ц▐ц▀ц∙ц█ц┘ц▌ц■ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┘
-              (ц⌠ц≈ц≥ц⌡ц┘  1024  ц▌ц▐ц█ц┘ц▓ц│)  ц░ц▐ц▓ц■ц≥  ц·ц│ц⌠ц■ц▐  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц─ц■ц⌠ц▒  ц■ц▓ц▐ц▒ц▌ц│ц█ц┴  ц┴ц▄ц┴
-              DDoS-ц▀ц▄ц┴ц┘ц▌ц■ц│ц█ц┴.  ц╞ц·ц┘ц▌ц≤  ц·ц│ц⌠ц■ц▐  ц■ц│ц▀ц┴ц┘ UDP-ц⌠ц┘ц▓ц≈ц┴ц⌠ц≥ ц▀ц│ц▀ snmp, tftp,
-              NFS ц■ц│ц▀ц√ц┘ ц┴ц█ц┘ц─ц■ ц∙ц▒ц ц≈ц┴ц█ц▐ц⌠ц■ц┴.
-
-              ц╚ ц⌠ц▐ц√ц│ц▄ц┘ц▌ц┴ц─, ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ UDP-ц░ц▐ц▓ц■ц▐ц≈  ц▐ц·ц┘ц▌ц≤  ц█ц┘ц└ц▄ц┘ц▌ц▌ц≥ц┼  ц░ц▓ц▐ц┐ц┘ц⌠ц⌠,
-              ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙  ц░ц▓ц│ц▀ц■ц┴ц·ц┘ц⌠ц▀ц┴  ц≈ц⌠ц┘  ц╞цЁ  ц⌠ц▄ц┘ц└ц∙ц─ц■  ц▓ц┘ц▀ц▐ц█ц┘ц▌ц└ц│ц┐ц┴ц┴  RFC 1812
-              (ц▓ц│ц ц└ц┘ц▄   4.3.2.8)   ц░ц▐   ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц─   ц⌠ц▀ц▐ц▓ц▐ц⌠ц■ц┴   ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ICMP-ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┼  "ц░ц▐ц▓ц■  ц▌ц┘ц└ц▐ц⌠ц■ц∙ц░ц┘ц▌". ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц▒ц└ц▓ц▐ Linux (ц├ц│ц┼ц▄ -
-              net/ipv4/icmp.h) ц▐ц┤ц▓ц│ц▌ц┴ц·ц┴ц≈ц│ц┘ц■ ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц■ц│ц▀ц┴ц┬  ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┼  ц└ц▐
-              80  ц ц│  4  ц⌠ц┘ц▀ц∙ц▌ц└ц≥ ц⌠ ц░ц▓ц▐ц⌠ц■ц▐ц┘ц█ 0,25 ц⌠ц┘ц▀ц∙ц▌ц└ц≥, ц┘ц⌠ц▄ц┴ ц°ц■ц▐ ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц┘
-              ц┌ц≥ц▄ц▐ ц░ц▓ц┘ц≈ц≥ц⌡ц┘ц▌ц▐. ц╣ ц╞цЁ Solaris ц┘ц²ц┘ ц┌ц▐ц▄ц┘ц┘  ц√ц┘ц⌠ц■ц▀ц▐ц┘  ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц┘  (2
-              ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц▒  ц≈  ц⌠ц┘ц▀ц∙ц▌ц└ц∙),  ц┴ ц░ц▐ц°ц■ц▐ц█ц∙ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ Solaris ц░ц▓ц▐ц┬ц▐ц└ц┴ц■
-              ц┘ц²ц┘ ц┌ц▐ц▄ц┘ц┘ ц█ц┘ц└ц▄ц┘ц▌ц▌ц▐. Nmap ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц┘ц■ ц░ц│ц▓ц│ц█ц┘ц■ц▓ц≥ ц°ц■ц▐ц┤ц▐ ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц▒,
-              ц┴  ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┘ц▌ц▌ц▐  ц∙ц█ц┘ц▌ц≤ц⌡ц│ц┘ц■  ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐  ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц∙ц┘ц█ц≥ц┬ ц ц│ц░ц▓ц▐ц⌠ц▐ц≈,
-              ц░ц▓ц┘ц└ц▐ц■ц≈ц▓ц│ц²ц│ц▒  ц■ц┘ц█  ц⌠ц│ц█ц≥ц█  ц ц│ц■ц▐ц░ц▄ц┘ц▌ц┴ц┘  ц⌠ц┘ц■ц┴  ц▌ц┘ц▌ц∙ц√ц▌ц≥ц█ц┴  ц░ц│ц▀ц┘ц■ц│ц█ц┴,
-              ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц┴ц┤ц▌ц▐ц▓ц┴ц▓ц∙ц─ц■ц⌠ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц▐ц┼.
-
-              ц╚ц│ц▀  ц▐ц┌ц≥ц·ц▌ц▐,  Microsoft  ц░ц▓ц▐ц┴ц┤ц▌ц▐ц▓ц┴ц▓ц▐ц≈ц│ц▄ц│  ц▓ц┘ц▀ц▐ц█ц┘ц▌ц└ц│ц┐ц┴ц┴ RFC, ц┴ ц▌ц┘
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц≈ ц⌠ц≈ц▐ц┴ц┬ ц╞цЁ ц▌ц┴ц▀ц│ц▀ц┴ц┬ ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц┼.  ц╟ц▐ц°ц■ц▐ц█ц∙  nmap  ц█ц▐ц√ц┘ц■
-              ц▐ц·ц┘ц▌ц≤   ц┌ц≥ц⌠ц■ц▓ц▐   ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤   ц≈ц⌠ц┘  65535  UDP-ц░ц▐ц▓ц■ц▐ц≈  ц┬ц▐ц⌠ц■ц│,
-              ц▓ц│ц┌ц▐ц■ц│ц─ц²ц┘ц┤ц▐ ц░ц▐ц└ ц∙ц░ц▓ц│ц≈ц▄ц┘ц▌ц┴ц┘ц█ ц╞цЁ Windows. :-)
-
-       <B>-sO</B>    цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц▐ц≈  IP.  ц╓ц│ц▌ц▌ц≥ц┼  ц█ц┘ц■ц▐ц└  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒   ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒   IP-ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц▐ц≈,  ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц┘ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼
-              ц┬ц▐ц⌠ц■.   ц╜ц┘ц■ц▐ц└  ц ц│ц▀ц▄ц─ц·ц│ц┘ц■ц⌠ц▒  ц≈  ц▐ц■ц░ц▓ц│ц≈ц▀ц┘  ц┬ц▐ц⌠ц■ц∙  IP-ц░ц│ц▀ц┘ц■ц▐ц≈   ц┌ц┘ц 
-              ц ц│ц┤ц▐ц▄ц▐ц≈ц▀ц│  ц└ц▄ц▒  ц▀ц│ц√ц└ц▐ц┤ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐  ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│.  ц╔ц⌠ц▄ц┴ ц░ц▐ц▄ц∙ц·ц┘ц▌ц▐
-              ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┘ ICMP "protocol unreachable" (ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ ц▌ц┘ц└ц▐ц⌠ц■ц∙ц░ц┘ц▌),  ц■ц▐
-              ц└ц│ц▌ц▌ц≥ц┼  ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ ц┬ц▐ц⌠ц■ц▐ц█ ц▌ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒. ц╥ ц░ц▓ц▐ц■ц┴ц≈ц▌ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ nmap
-              ц░ц▓ц┘ц└ц░ц▐ц▄ц│ц┤ц│ц┘ц■,  ц·ц■ц▐   ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄   ц┬ц▐ц⌠ц■ц▐ц█   ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц┘ц■ц⌠ц▒.   цЁц■ц▐ц┴ц■
-              ц ц│ц█ц┘ц■ц┴ц■ц≤, ц·ц■ц▐ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц╞цЁ (AIX, HP-UX, Digital UNIX) ц┴ ц├ц│ц┘ц▓ц≈ц▐ц▄ц≥
-              ц█ц▐ц┤ц∙ц■ ц┌ц▄ц▐ц▀ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц┘ц▓ц┘ц└ц│ц·ц∙  ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┼  "ICMP  protocol  unreach-
-              able". ц╟ц▐ ц°ц■ц▐ц┼ ц░ц▓ц┴ц·ц┴ц▌ц┘ ц≈ц⌠ц┘ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┘ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц≥ nmap ц▐ц┌ц▐ц ц▌ц│ц·ц│ц┘ц■
-              ц▀ц│ц▀ "open" (ц■.ц┘.  ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц─ц■ц⌠ц▒).
-
-              ц╟ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц▐ц░ц┴ц⌠ц│ц▌ц▌ц│ц▒ ц■ц┘ц┬ц▌ц┴ц▀ц│ ц⌠ц┬ц▐ц√ц│ ц⌠ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ц█  UDP-ц░ц▐ц▓ц■ц▐ц≈,
-              ц■ц▐    ц┴    ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┘ц▌ц▌ц▐    ц┘ц⌠ц■ц≤   ц▄ц┴ц█ц┴ц■   ц⌠ц▀ц▐ц▓ц▐ц⌠ц■ц┴   ц┤ц┘ц▌ц┘ц▓ц│ц┐ц┴ц┴
-              ICMP-ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┼.   ц╞ц└ц▌ц│ц▀ц▐  ц░ц▐ц▄ц┘  "ц■ц┴ц░   ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│"   IP-ц ц│ц┤ц▐ц▄ц▐ц≈ц▀ц│
-              ц⌠ц▐ц⌠ц■ц▐ц┴ц■  ц≈ц⌠ц┘ц┤ц▐  ц▄ц┴ц⌡ц≤  ц┴ц   8  ц┌ц┴ц■,  ц░ц▐ц°ц■ц▐ц█ц∙  256 ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц▐ц≈ ц┌ц∙ц└ц∙ц■
-              ц▐ц■ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц≥ ц ц│ ц░ц▓ц┴ц┘ц█ц▄ц┘ц█ц▐ц┘ ц≈ц▓ц┘ц█ц▒.
-
-       <B>-sI</B> <B>&lt;</B>ц<B>ц</B> ц<B>ц</B>▐ц<B>ц</B>█ц<B>ц</B>┌ц<B>ц</B>┴<B>-</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>[:</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■<B>]&gt;</B>
-              Idle-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ -  ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■  ц░ц▓ц▐ц┴ц ц≈ц┘ц⌠ц■ц┴  ц│ц┌ц⌠ц▐ц▄ц─ц■ц▌ц▐  ц▌ц┘ц≈ц┴ц└ц┴ц█ц▐ц┘
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц░ц▐ц▓ц■ц▐ц≈.  ц╪ц■ц▐ ц▐ц ц▌ц│ц·ц│ц┘ц■, ц·ц■ц▐ ц▌ц┴ц▀ц│ц▀ц┴ц┘ ц░ц│ц▀ц┘ц■ц≥ ц⌠ ц≈ц│ц⌡ц┘ц┤ц▐
-              ц▓ц┘ц│ц▄ц≤ц▌ц▐ц┤ц▐ ip-aц└ц▓ц┘ц⌠ц│ ц▌ц┘ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц─ц■ц⌠ц▒ ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц∙ц─ ц█ц│ц⌡ц┴ц▌ц∙. ц╜ц┘ц■ц▐ц└
-              IdleScan  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■  ц⌠ц■ц▐ц▓ц▐ц▌ц▌ц┴ц┼  ц▀ц│ц▌ц│ц▄ ц└ц▄ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц▀ц▐ц■ц▐ц▓ц▐ц┘
-              ц░ц▓ц▐ц┬ц▐ц└ц┴ц■ ц·ц┘ц▓ц┘ц  ц┬ц▐ц⌠ц■-ц ц▐ц█ц┌ц┴, ц┴ ц▐ц⌠ц▌ц▐ц≈ц│ц▌ц▐ ц▌ц│  ц█ц┘ц■ц▐ц└ц┘  ц░ц▓ц┘ц└ц∙ц┤ц│ц└ц≥ц≈ц│ц▌ц┴ц▒
-              ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐  ц▌ц│  ц┬ц▐ц⌠ц■ц┘-ц ц▐ц█ц┌ц┴  ц ц▌ц│ц·ц┘ц▌ц┴ц▒  "IP fragmentation ID".
-              цЁц┴ц⌠ц■ц┘ц█ц≥  ц ц│ц²ц┴ц■ц≥  ц▌ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц█  ц┬ц▐ц⌠ц■ц┘   ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц■   ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀ц▐ц█
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┬ц▐ц⌠ц■-ц ц▐ц█ц┌ц┴, ц▀ц▐ц■ц▐ц▓ц≥ц┼ ц≈ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц┘.
-
-              ц╚ц▓ц▐ц█ц┘  ц│ц┌ц⌠ц▐ц▄ц─ц■ц▌ц▐ц┼  ц▌ц┘ц≈ц┴ц└ц┴ц█ц▐ц⌠ц■ц┴,  ц°ц■ц▐ц■ ц■ц┴ц░ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц░ц▐ц▄ц┴ц■ц┴ц▀ц∙  ц└ц▐ц≈ц┘ц▓ц┴ц▒  ц█ц┘ц√ц└ц∙  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц█ц┴  ц█ц│ц⌡ц┴ц▌ц│ц█ц┴  ц▌ц│
-              ц∙ц▓ц▐ц≈ц▌ц┘ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│ IP. ц╛ц┴ц⌠ц■ц┴ц▌ц┤ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц▐ц≈ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■
-              ц░ц▐ц▓ц■ц≥  ц▐ц■ц▀ц▓ц≥ц■ц≥ц┘  ц└ц▄ц▒   ц┬ц▐ц⌠ц■ц│-"ц ц▐ц█ц┌ц┴".   ц╢ц│ц▀ц┴ц█   ц▐ц┌ц▓ц│ц ц▐ц█,   ц█ц▐ц√ц▌ц▐
-              ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┐ц┘ц▄ц≤ ц⌠ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘ц█ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц┴ц┬ "ц ц▐ц█ц┌ц┴", ц▀ц▐ц■ц▐ц▓ц≥ц█
-              ц┐ц┘ц▄ц≤ ц█ц▐ц√ц┘ц■ "ц└ц▐ц≈ц┘ц▓ц▒ц■ц≤", ц≈ ц▐ц┌ц┬ц▐ц└ ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц≈  ц┴  ц░ц│ц▀ц┘ц■ц▌ц≥ц┬  ц├ц┴ц▄ц≤ц■ц▓ц▐ц≈.
-              ц╢ц│ц▀ц▐ц┤ц▐  ц▓ц▐ц└ц│  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц▒  ц█ц▐ц√ц┘ц■  ц┌ц≥ц■ц≤  ц⌠ц│ц█ц▐ц┼  ц≈ц│ц√ц▌ц▐ц┼  ц░ц▓ц┴ ц≈ц≥ц┌ц▐ц▓ц┘
-              ц░ц▓ц┴ц▐ц▓ц┴ц■ц┘ц■ц▌ц≥ц┬ ц┐ц┘ц▄ц┘ц┼ ц└ц▄ц▒ ц│ц■ц│ц▀ц┴.
-
-              ц╥ц≥ ц█ц▐ц√ц┘ц■ц┘ ц∙ц▀ц│ц ц│ц■ц≤ ц▀ц▐ц▌ц▀ц▓ц┘ц■ц▌ц≥ц┼ ц░ц▐ц▓ц■ ц└ц▄ц▒ ц░ц▓ц▐ц≈ц┘ц▓ц▀ц┴ ц┴ц ц█ц┘ц▌ц┘ц▌ц┴ц▒ IPID ц▌ц│
-              ц┬ц▐ц⌠ц■ц┘-"ц ц▐ц█ц┌ц┴". ц╥ ц┴ц▌ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ nmap ц┌ц∙ц└ц┘ц■ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▌ц▐ц█ц┘ц▓ ц░ц▐ц▓ц■ц│
-              ц░ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц└ц▄ц▒ "tcp ping".
-
-              ц╬ц■ц▐ ц┌ц≥ ц∙ц ц▌ц│ц■ц≤, ц█ц▐ц√ц▌ц▐ ц▄ц┴ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц┬ц▐ц⌠ц■ ц≈  ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘  ц ц▐ц█ц┌ц┴,  -
-              ц▌ц∙ц√ц▌ц▐ ц ц│ц░ц∙ц⌠ц■ц┴ц■ц≤ nmap c ц└ц▐ц░ц▐ц▄ц▌ц┴ц■ц┘ц▄ц≤ц▌ц≥ц█ц┴ ц▐ц░ц┐ц┴ц▒ц█ц┴ "-O -v", ц┴ ц≈ ц░ц▐ц▄ц┘
-              IPID Sequence Generation ц┌ц∙ц└ц┘ц■ ц∙ц▀ц│ц ц│ц▌  ц■ц┴ц░  ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.  ц╔ц⌠ц▄ц┴
-              "Incremental" - ц■ц▐ ц°ц■ц▐ц■ ц┬ц▐ц⌠ц■ ц█ц▐ц√ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▀ц│ц▀ ц ц▐ц█ц┌ц┴.
-
-       <B>-sA</B>    цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц█ц┘ц■ц▐ц└ц▐ц█  ACK.  ц╪ц■ц▐ц■  ц█ц┘ц■ц▐ц└ ц▐ц┌ц≥ц·ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц▌ц│ц┌ц▐ц▓ц│ ц░ц▓ц│ц≈ц┴ц▄ ц├ц│ц┘ц▓ц≈ц▐ц▄ц│.  ц╥  ц·ц│ц⌠ц■ц▌ц▐ц⌠ц■ц┴,  ц▐ц▌  ц░ц▐ц█ц▐ц┤ц│ц┘ц■
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц ц│ц²ц┴ц²ц┘ц▌  ц▄ц┴  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц┬ц▐ц⌠ц■  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█ ц┴ц▄ц┴ ц░ц▓ц▐ц⌠ц■ц▐
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц░ц│ц▀ц┘ц■ц▌ц≥ц┼ ц├ц┴ц▄ц≤ц■ц▓, ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц─ц²ц┴ц┼ ц≈ц┬ц▐ц└ц▒ц²ц┴ц┘ SYN-ц░ц│ц▀ц┘ц■ц≥.
-
-              ц╪ц■ц▐ц■ ц█ц┘ц■ц▐ц└ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц░ц▐ц└ц▓ц│ц ц∙ц█ц┘ц≈ц│ц┘ц■  ц▐ц■ц░ц▓ц│ц≈ц▀ц∙  ACK-ц░ц│ц▀ц┘ц■ц│  (ц⌠ц▐
-              ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ц┴  ц ц▌ц│ц·ц┘ц▌ц┴ц▒ц█ц┴  ц░ц▐ц▄ц┘ц┼  acknowledgement number ц┴ sequence
-              number)  ц▌ц│  ц░ц▐ц▓ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐  ц┬ц▐ц⌠ц■ц│.  ц╔ц⌠ц▄ц┴  ц≈  ц▐ц■ц≈ц┘ц■   ц░ц▓ц┴ц⌡ц┘ц▄
-              RST-ц░ц│ц▀ц┘ц■,  ц░ц▐ц▓ц■  ц▐ц┌ц▐ц ц▌ц│ц·ц│ц┘ц■ц⌠ц▒ ц▀ц│ц▀ "unfiltered" (ц▌ц┘ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┼).
-              ц╔ц⌠ц▄ц┴ ц▐ц■ц≈ц┘ц■ц│ ц▌ц┘  ц░ц▐ц⌠ц▄ц┘ц└ц▐ц≈ц│ц▄ц▐  (ц┴ц▄ц┴  ц░ц▓ц┴ц⌡ц▄ц▐  ICMP-ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┘  "port
-              unreachable"), ц░ц▐ц▓ц■ ц▐ц┌ц▐ц ц▌ц│ц·ц│ц┘ц■ц⌠ц▒ ц▀ц│ц▀ "ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┼". ц╨ц│ц█ц┘ц■ц┴ц█, ц·ц■ц▐
-              ц▐ц┌ц≥ц·ц▌ц▐ nmap ц▌ц┘ ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■  ц▌ц┘ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┘  ц░ц▐ц▓ц■ц≥  ц≈  ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц│ц┬,
-              ц░ц▐ц°ц■ц▐ц█ц∙  ц┘ц⌠ц▄ц┴  ц░ц▐ц⌠ц▄ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц█ц┘ц■ц▐ц└ц▐ц█ ц║цЁц╚ ц▌ц┘ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц▐ ц▌ц┴
-              ц▐ц└ц▌ц▐ц┤ц▐ ц▐ц■ц▀ц▓ц≥ц■ц▐ц┤ц▐ ц░ц▐ц▓ц■ц│, ц■ц▐ ц°ц■ц▐ ц▐ц ц▌ц│ц·ц│ц┘ц■, ц·ц■ц▐ ц≈ц⌠ц┘ ц░ц▐ц▓ц■ц≥  ц▒ц≈ц▄ц▒ц─ц■ц⌠ц▒
-              ц▌ц┘ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц█ц┴ (ц≈ ц▐ц■ц≈ц┘ц■ ц░ц▓ц┴ц⌡ц┘ц▄ RST-ц░ц│ц▀ц┘ц■). ц╪ц■ц▐ц■ ц█ц┘ц■ц▐ц└ ц▌ц┴ц▀ц▐ц┤ц└ц│ ц▌ц┘
-              ц░ц▐ц▀ц│ц ц≥ц≈ц│ц┘ц■ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┘ ц░ц▐ц▓ц■ц│ "open" ц≈ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц│ц┬ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.
-
-       <B>-sW</B>    Cц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц█ц┘ц■ц▐ц└ц▐ц█  TCP  Window.  ц╪ц■ц▐ц■  ц█ц┘ц■ц▐ц└  ц▐ц·ц┘ц▌ц≤  ц░ц▐ц┬ц▐ц√  ц▌ц│
-              ACK-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,  ц ц│ ц┴ц⌠ц▀ц▄ц─ц·ц┘ц▌ц┴ц┘ц█ ц■ц▐ц┤ц▐, ц·ц■ц▐ ц┴ц▌ц▐ц┤ц└ц│ ц⌠ ц┘ц┤ц▐ ц░ц▐ц█ц▐ц²ц≤ц─
-              ц█ц▐ц√ц▌ц▐  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц▐ц■ц▀ц▓ц≥ц■ц≥ц┘  ц░ц▐ц▓ц■ц≥   ц■ц▐ц·ц▌ц▐   ц■ц│ц▀   ц√ц┘,   ц▀ц│ц▀   ц┴
-              ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┘/ц▌ц┘ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┘,  ц░ц▓ц▐ц≈ц┘ц▓ц▒ц▒  ц ц▌ц│ц·ц┘ц▌ц┴ц┘  ц░ц▐ц▄ц▒ window size
-              TCP-ц░ц│ц▀ц┘ц■ц│,  ц≈ц▐ц ц≈ц▓ц│ц²ц│ц┘ц█ц▐ц┤ц▐  ц┬ц▐ц⌠ц■ц▐ц█  ц≈  ц▐ц■ц≈ц┘ц■  ц▌ц│  ц░ц▐ц⌠ц▄ц│ц▌ц▌ц≥ц┼  ц┘ц█ц∙
-              ц ц│ц░ц▓ц▐ц⌠, ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц┘ц⌠ц■ц≤ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц│ц▌ц▐ц█ц│ц▄ц┴ц┴ ц▐ц┌ц▓ц│ц┌ц▐ц■ц▀ц┴ ц└ц│ц▌ц▌ц▐ц┤ц▐ ц░ц▐ц▄ц▒
-              ц∙ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц╞цЁ. цЁц░ц┴ц⌠ц▐ц▀ ц∙ц▒ц ц≈ц┴ц█ц≥ц┬ ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц≥ц┬ ц⌠ц┴ц⌠ц■ц┘ц█  ц≈ц▀ц▄ц─ц·ц│ц┘ц■  ц≈
-              ц⌠ц┘ц┌ц▒  ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц≈ц┘ц▓ц⌠ц┴ц┼ AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX,
-              DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS,
-              NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX
-              ц┴  VxWorks.  ц╓ц▄ц▒  ц┌ц▐ц▄ц┘ц┘  ц░ц▐ц└ц▓ц▐ц┌ц▌ц▐ц┼  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц┴  ц⌠ц█ц▐ц■ц▓ц┴ц■ц┘   ц│ц▓ц┬ц┴ц≈
-              ц▀ц▐ц▌ц├ц┘ц▓ц┘ц▌ц┐ц┴ц┴ nmap-hackers.
-
-       <B>-sR</B>    RPC-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘.  ц╜ц┘ц■ц▐ц└  ц▓ц│ц┌ц▐ц■ц│ц┘ц■ ц■ц▐ц▄ц≤ц▀ц▐ ц≈ ц▀ц▐ц█ц┌ц┴ц▌ц│ц┐ц┴ц┴ ц⌠ ц└ц▓ц∙ц┤ц┴ц█ц┴
-              ц█ц┘ц■ц▐ц└ц│ц█ц┴  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.   ц╥ц⌠ц┘   ц░ц▓ц┘ц└ц≈ц│ц▓ц┴ц■ц┘ц▄ц≤ц▌ц▐   ц▐ц■ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┘
-              ц▐ц■ц▀ц▓ц≥ц■ц≥ц┘  ц░ц▐ц▓ц■ц≥ ц ц│ц■ц▐ц░ц▄ц▒ц─ц■ц⌠ц▒ NULL-ц▀ц▐ц█ц│ц▌ц└ц│ц█ц┴ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥ SunRPC, ц└ц▄ц▒
-              ц■ц▐ц┤ц▐ ц·ц■ц▐ц┌ц≥ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц▀ц│ц▀ц┴ц┘ ц┴ц  ц°ц■ц┴ц┬ ц░ц▐ц▓ц■ц▐ц≈ ц▒ц≈ц▄ц▒ц─ц■ц⌠ц▒ RPC-ц░ц▐ц▓ц■ц│ц█ц┴,
-              ц┴  ц▀ц│ц▀ц┴ц┘ ц ц│ ц▌ц┴ц█ц┴ ц ц│ц▀ц▓ц┘ц░ц▄ц┘ц▌ц▌ц≥ц┘ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥. ц╢ц│ц▀ц┴ц█ ц▐ц┌ц▓ц│ц ц▐ц█, ц≈ц≥ ц▄ц┘ц┤ц▀ц▐
-              ц░ц▐ц▄ц∙ц·ц│ц┘ц■ц┘  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц─,  ц▀ц▐ц■ц▐ц▓ц∙ц─  ц█ц▐ц┤ц▄ц┴  ц┌ц≥  ц░ц▐ц▄ц∙ц·ц┴ц■ц≤  ц⌠  ц░ц▐ц█ц▐ц²ц≤ц─
-              ц▀ц▐ц█ц│ц▌ц└ц≥  Б─≥rpcinfo  -pБ─≥,  ц└ц│ц√ц┘ ц┘ц⌠ц▄ц┴ portmapper ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│
-              ц ц│ц▀ц▓ц≥ц■  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█  ц┴ц▄ц┴  TCP-wrapperБ─≥ц▐ц█.  ц╪ц■ц▐ц■  ц■ц┴ц░  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ц≈ц▀ц▄ц─ц·ц│ц┘ц■ц⌠ц▒  ц■ц│ц▀ц√ц┘  ц░ц▓ц┴  ц≈ц≥ц┌ц▐ц▓ц┘  ц▐ц░ц┐ц┴ц┴  Б─≥-sVБ─≥  (ц▓ц┘ц√ц┴ц█ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒
-              ц≈ц┘ц▓ц⌠ц┴ц┼ ц⌠ц▄ц∙ц√ц┌).
-
-       <B>-sL</B>    Cц▐ц⌠ц■ц│ц≈ц┴ц■ц≤ ц⌠ц░ц┴ц⌠ц▐ц▀  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.  ц╪ц■ц▐ц■  ц█ц┘ц■ц▐ц└  ц░ц▓ц▐ц⌠ц■ц▐  ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц∙ц┘ц■
-              ц⌠ц░ц┴ц⌠ц▐ц▀  IP-ц│ц└ц▓ц┘ц⌠ц▐ц≈  ц┴ц▄ц┴  ц┴ц█бёц▌ ц┬ц▐ц⌠ц■ц▐ц≈ ц┌ц┘ц  ц▄ц─ц┌ц▐ц┤ц▐ ц┴ц┬ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.
-              ц╘ц█ц┘ц▌ц│ ц┬ц▐ц⌠ц■ц▐ц≈ ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц─ц■ц⌠ц▒ ц░ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─, ц▌ц▐  ц°ц■ц▐  ц█ц▐ц√ц▌ц▐  ц▐ц■ц█ц┘ц▌ц┴ц■ц≤
-              ц▐ц░ц┐ц┴ц┘ц┼ -n.
-
-       <B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
-              ц╟ц▓ц▐ц▓ц≥ц≈  ц·ц┘ц▓ц┘ц   FTP. ц╘ц▌ц■ц┘ц▓ц┘ц⌠ц▌ц▐ц┼ "ц≈ц▐ц ц█ц▐ц√ц▌ц▐ц⌠ц■ц≤ц─" ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│ FTP (RFC
-              959) ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц░ц▐ц└ц└ц┘ц▓ц√ц▀ц│ proxy ftp-ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┼. ц╓ц▓ц∙ц┤ц┴ц█ц┴ ц⌠ц▄ц▐ц≈ц│ц█ц┴, ц⌠
-              ц└ц▐ц≈ц┘ц▓ц┘ц▌ц▌ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│ evil.com ц█ц▐ц√ц▌ц▐ ц⌠ц▐ц┘ц└ц┴ц▌ц┴ц■ц≤ц⌠ц▒ ц⌠ ftp-ц⌠ц┘ц▓ц≈ц┘ц▓ц▐ц█ tar-
-              get.com ц┴ ц▐ц■ц░ц▓ц│ц≈ц┴ц■ц≤ ц├ц│ц┼ц▄, ц▌ц│ц┬ц▐ц└ц▒ц²ц┴ц┼ц⌠ц▒ ц▌ц│ ц▌ц┘ц█, ц▌ц│ ц▄ц─ц┌ц▐ц┼  ц│ц└ц▓ц┘ц⌠  ц≈
-              ц╘ц▌ц■ц┘ц▓ц▌ц┘ц■!  ц╨ц│ц█ц┘ц■ц┴ц█, ц·ц■ц▐ ц└ц│ц▌ц▌ц│ц▒ ц≈ц▐ц ц█ц▐ц√ц▌ц▐ц⌠ц■ц≤ ц┴ц ц≈ц┘ц⌠ц■ц▌ц│ ц⌠ 1985 ц┤ц▐ц└ц│,
-              ц▀ц▐ц┤ц└ц│ ц┌ц≥ц▄ ц▌ц│ц░ц┴ц⌠ц│ц▌ ц°ц■ц▐ц■ RFC. Nmap ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц°ц■ц∙  ц∙ц▒ц ц≈ц┴ц█ц▐ц⌠ц■ц≤  ц└ц▄ц▒
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц░ц▐ц▓ц■ц▐ц≈  ц⌠  proxy  ftp-ц⌠ц┘ц▓ц≈ц┘ц▓ц│.  ц╘ц■ц│ц▀,  ц≈ц≥  ц█ц▐ц√ц┘ц■ц┘
-              ц░ц▐ц└ц▀ц▄ц─ц·ц┴ц■ц≤ц⌠ц▒ ц▀ ftp-ц⌠ц┘ц▓ц≈ц┘ц▓ц∙ ц ц│ ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█ ц┴  ц ц│ц■ц┘ц█  ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤
-              ц ц│ц┌ц▄ц▐ц▀ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┘ ц░ц▐ц▓ц■ц≥, ц▌ц│ц░ц▓ц┴ц█ц┘ц▓ 139-ц┼. ц╔ц⌠ц▄ц┴ ftp-ц⌠ц┘ц▓ц≈ц┘ц▓ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■
-              ц·ц┴ц■ц│ц■ц≤  ц┴  ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц■ц≤  ц└ц│ц▌ц▌ц≥ц┘  ц≈  ц▀ц│ц▀ц▐ц┼-ц▄ц┴ц┌ц▐  ц▀ц│ц■ц│ц▄ц▐ц┤  (ц▌ц│ц░ц▓ц┴ц█ц┘ц▓
-              /incoming), ц≈ц≥ ц■ц│ц▀ц√ц┘ ц█ц▐ц√ц┘ц■ц┘ ц▐ц■ц░ц▓ц│ц≈ц┴ц■ц≤ ц▄ц─ц┌ц≥ц┘ ц└ц│ц▌ц▌ц≥ц┘ ц▌ц│ ц°ц■ц┴ ц░ц▐ц▓ц■ц≥.
-              (ц▌ц▐ nmap ц ц│ ц≈ц│ц⌠ ц°ц■ц▐ ц└ц┘ц▄ц│ц■ц≤ ц▌ц┘ ц┌ц∙ц└ц┘ц■).
-
-              ц║ц▓ц┤ц∙ц█ц┘ц▌ц■,  ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц█ц≥ц┼  ц░ц▐ц⌠ц▄ц┘  Б─≥-bБ─≥,  ц°ц■ц▐   URL   ц⌠ц┘ц▓ц≈ц┘ц▓ц│   ftp,
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц▐ц┤ц▐   ц≈   ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘   proxy.   ц╕ц▐ц▓ц█ц│ц■   URL  ц⌠ц▄ц┘ц└ц∙ц─ц²ц┴ц┼:
-              ц┴ц█ц▒_ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒:ц░ц│ц▓ц▐ц▄ц≤@ц⌠ц┘ц▓ц≈ц┘ц▓:ц░ц▐ц▓ц■. ц║ц└ц▓ц┘ц⌠ ц⌠ц┘ц▓ц≈ц┘ц▓ц│ ц▌ц∙ц√ц▌ц▐ ц∙ц▀ц│ц ц│ц■ц≤
-              ц▐ц┌ц▒ц ц│ц■ц┘ц▄ц≤ц▌ц▐,  ц▐ц⌠ц■ц│ц▄ц≤ц▌ц▐ц┘  -  ц▐ц░ц┐ц┴ц▐ц▌ц│ц▄ц≤ц▌ц▐.  ц╝ц∙ц√ц▌ц▐  ц ц│ц█ц┘ц■ц┴ц■ц≤, ц·ц■ц▐ ц≈
-              ц└ц│ц▌ц▌ц▐ц┘ ц≈ц▓ц┘ц█ц▒ ц°ц■ц▐ц■ ц≈ц┴ц└ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц▌ц┘  ц°ц├ц├ц┘ц▀ц■ц┴ц≈ц┘ц▌,  ц░ц▐ц■ц▐ц█ц∙  ц▀ц│ц▀
-              ц░ц▐ц·ц■ц┴   ц≈ц▐  ц≈ц⌠ц┘ц┬  ц░ц▓ц┴ц▄ц▐ц√ц┘ц▌ц┴ц▒ц┬  ц∙ц▒ц ц≈ц┴ц█ц▐ц⌠ц■ц≤,  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц│ц▒  ц└ц│ц▌ц▌ц≥ц█
-              ц█ц┘ц■ц▐ц└ц▐ц█, ц∙ц⌠ц■ц▓ц│ц▌ц┘ц▌ц│.
-
-       ц<B>ц</B>╝ц<B>ц</B>║ц<B>ц</B>Ёц<B>ц</B>╢ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╙ц<B>ц</B>╚ц<B>ц</B>║ ц<B>ц</B>╓ц<B>ц</B>╞ц<B>ц</B>╟ц<B>ц</B>╞ц<B>ц</B>╛ц<B>ц</B>╝ц<B>ц</B>╘ц<B>ц</B>╢ц<B>ц</B>╔ц<B>ц</B>╛ц<B>ц</B>╦ц<B>ц</B>╝ц<B>ц</B>╧ц<B>ц</B>╗ ц<B>ц</B>╟ц<B>ц</B>║ц<B>ц</B>╡ц<B>ц</B>║ц<B>ц</B>╜ц<B>ц</B>╔ц<B>ц</B>╢ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╥ ц<B>ц</B>Ёц<B>ц</B>╚ц<B>ц</B>║ц<B>ц</B>╝ц<B>ц</B>╘ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╥ц<B>ц</B>║ц<B>ц</B>╝ц<B>ц</B>╘ц<B>ц</B>╠
-              ц╝ц┴ ц▐ц└ц▌ц│ ц┴ц   ц▌ц┴ц√ц┘ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┬  ц▐ц░ц┐ц┴ц┼  ц▌ц┘  ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒  ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ц┼,  ц▌ц▐
-              ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц█ц▐ц┤ц∙ц■ ц┌ц≥ц■ц≤ ц▐ц·ц┘ц▌ц≤ ц░ц▐ц▄ц┘ц ц▌ц≥ц█ц┴.
-
-       <B>-P0</B>    ц╥ц▐ц▐ц┌ц²ц┘  ц▌ц┘ ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц≤ ping-ц▐ц░ц▓ц▐ц⌠ ц┬ц▐ц⌠ц■ц▐ц≈ ц░ц┘ц▓ц┘ц└ ц┴ц┬ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ц█.
-              ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц⌠ц┘ц■ц┴,  ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц─ц²ц┴ц┘  ц▐ц┌ц▓ц│ц┌ц▐ц■ц▀ц∙
-              ICMP-ц°ц┬ц│  ц⌠  ц░ц▐ц█ц▐ц²ц≤ц─  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц≈.  ц╟ц▓ц┴ц█ц┘ц▓ц▐ц█  ц■ц│ц▀ц▐ц┼  ц⌠ц┘ц■ц┴ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒
-              microsoft.com, ц┴ ц≈ц≥ ц≈ц⌠ц┘ц┤ц└ц│ ц└ц▐ц▄ц√ц▌ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▐ц░ц┐ц┴ц─ Б─≥ <B>-P0</B> <B>-PS80</B>
-              ц°ц■ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘ "ping" ц╞ц┌ц▐ц ц▌ц│ц·ц│ц┘ц■ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц┌ц▐ц▄ц≤ц⌡ц┘, ц·ц┘ц█ ц■ц▓ц│ц└ц┴ц┐ц┴ц▐ц▌ц▌ц≥ц┼
-              ICMP echo request ц░ц│ц▀ц┘ц■. Nmap ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц▓ц│ц ц▌ц≥ц┘ ц▀ц▐ц█ц┌ц┴ц▌ц│ц┐ц┴ц┴  TCP,
-              UDP  ц┴ ICMP ц░ц│ц▀ц┘ц■ц▐ц≈ ц└ц▄ц▒ ц■ц▐ц┤ц▐, ц·ц■ц▐ ц┌ц≥ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц│ц▀ц■ц┴ц≈ц┘ц▌ ц▄ц┴ ц┬ц▐ц⌠ц■.
-              ц╟ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ nmap ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■ ICMP echo request ц┴ TCP ACK ц░ц│ц▀ц┘ц■  ц▌ц│
-              ц░ц▐ц▓ц■ 80.
-
-       <B>-PA</B> <B>[</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■<B>(</B>ц<B>ц</B>≥<B>)]</B>
-              ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  TCP  ACK  ping ц└ц▄ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц░ц▓ц┴ц⌠ц∙ц■ц⌠ц■ц≈ц┴ц▒ ц┬ц▐ц⌠ц■ц│ ц≈
-              ц⌠ц┘ц■ц┴. ц╥ц█ц┘ц⌠ц■ц▐ ц■ц▐ц┤ц▐, ц·ц■ц▐ ц┌ц≥ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц■ц≤ ICMP echo request  ц░ц│ц▀ц┘ц■  ц┴
-              ц√ц└ц│ц■ц≤  ц▐ц■ц≈ц┘ц■ц│,  ц█ц≥ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц█ TCP ACK ц░ц│ц▀ц┘ц■ ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼ ц┬ц▐ц⌠ц■.
-              ц╔ц⌠ц▄ц┴ ц≈ ц▐ц■ц≈ц┘ц■  ц█ц≥  ц░ц▐ц▄ц∙ц·ц┴ц█  RST-ц░ц│ц▀ц┘ц■,  ц ц▌ц│ц·ц┴ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц┬ц▐ц⌠ц■
-              ц│ц▀ц■ц┴ц≈ц┘ц▌.  ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒  ц░ц▐ц█ц▐ц┤ц│ц┘ц■  ц┴ц ц┌ц┘ц√ц│ц■ц≤ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▌ц┘ц│ц▀ц■ц┴ц≈ц▌ц≥ц┬
-              ц┬ц▐ц⌠ц■ц▐ц≈ ц≈ ц⌠ц┘ц■ц┴, ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц─ц²ц┘ц┼ ICMP-ц░ц│ц▀ц┘ц■ц≥. ц╓ц▄ц▒  ц▌ц┘ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬
-              ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼   ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒   connect()   ц█ц┘ц■ц▐ц└,   ц░ц▓ц┴  ц▀ц▐ц■ц▐ц▓ц▐ц█
-              ц│ц▀ц■ц┴ц≈ц▌ц▐ц⌠ц■ц≤  ц┬ц▐ц⌠ц■ц│  ц├ц│ц▀ц■ц┴ц·ц┘ц⌠ц▀ц┴  ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц┘ц■ц⌠ц▒   ц┘ц┤ц▐   ц▐ц■ц≈ц┘ц■ц▐ц█   ц▌ц│
-              ц░ц▐ц⌠ц▄ц│ц▌ц▌ц≥ц┼  ц▌ц│ц█ц┴ SYN-ц░ц│ц▀ц┘ц■. ц╬ц■ц▐ ц┌ц≥ ц∙ц▀ц│ц ц│ц■ц≤ ц░ц▐ц▓ц■(ц≥) ц▌ц│ц ц▌ц│ц·ц┘ц▌ц┴ц▒ ц└ц▄ц▒
-              ц▌ц│ц⌡ц┘ц┤ц▐   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒    -    ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘    Б─≥-PA[,port2][...]Б─≥.
-              ц╟ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ 80-ц≥ц┼ ц░ц▐ц▓ц■, ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц·ц│ц²ц┘ ц≈ц⌠ц┘ц┤ц▐ ц▐ц▌ ц▌ц┘
-              ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц■ц⌠ц▒.
-
-       <B>-PS</B> <B>[</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■<B>(</B>ц<B>ц</B>≥<B>)]</B>
-              ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ SYN-ц░ц│ц▀ц┘ц■ (ц ц│ц░ц▓ц▐ц⌠ ц▌ц│ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘) ц≈ц█ц┘ц⌠ц■ц▐ ACK-ц░ц│ц▀ц┘ц■ц▐ц≈
-              ц└ц▄ц▒   ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┬  ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц┘ц┼.  ц║ц▀ц■ц┴ц≈ц▌ц≥ц┘  ц┬ц▐ц⌠ц■ц≥  ц└ц▐ц▄ц√ц▌ц≥
-              ц▐ц■ц≈ц┘ц■ц┴ц■ц≤ ц▌ц│ ц▌ц│ц⌡ ц░ц│ц▀ц┘ц■ RST-ц░ц│ц▀ц┘ц■ц▐ц█ (ц┴ц▄ц┴ ц·ц■ц▐ ц∙ц√ц┘ ц▓ц┘ц└ц▀ц▐ - SYN|ACK).
-              ц╜ц▐ц√ц▌ц▐ ц∙ц▀ц│ц ц│ц■ц≤ ц░ц▐ц▓ц■ц≥ ц▌ц│ц ц▌ц│ц·ц┘ц▌ц┴ц▒ ц■ц▐ц·ц▌ц▐ ц■ц│ц▀ ц√ц┘ ц▀ц│ц▀ ц┴ ц≈ Б─≥-PAБ─≥ ц▐ц░ц┐ц┴ц┴.
-
-       <B>-PR</B>    ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ raw  ethernet  ARP  ping.  ц╚ц▐ц┤ц└ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц┬ц▐ц⌠ц■
-              ц▌ц│ц┬ц▐ц└ц┴ц■ц⌠ц▒ ц≈ ц▐ц└ц▌ц▐ц█ ц├ц┴ц ц┴ц·ц┘ц⌠ц▀ц▐ц█ ц⌠ц┘ц┤ц█ц┘ц▌ц■ц┘ ц⌠ц┘ц■ц┴ ц⌠ц▐ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц²ц┴ц█, ц█ц▐ц√ц▌ц▐
-              ц┌ц▐ц▄ц┘ц┘ ц┌ц≥ц⌠ц■ц▓ц▐ ц┴ ц▌ц│ц└бёц√ц▌ц▐ (ARP-ц░ц│ц▀ц┘ц■ц≥ ц▌ц┘ ц├ц┴ц▄ц≤ц■ц▓ц∙ц─ц■ц⌠ц▒ ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█  ц┴ц▄ц┴
-              ц└ц▓ц∙ц┤ц┴ц█  IP-ц├ц┴ц▄ц≤ц■ц▓ц▐ц█)  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц│ц▀ц■ц┴ц≈ц┘ц▌  ц▄ц┴  ц▐ц▌. Nmap ц░ц▐ц⌠ц≥ц▄ц│ц┘ц■
-              IPv4-to-Ethernet ARP-ц ц│ц░ц▓ц▐ц⌠ ц└ц▄ц▒  ц▀ц│ц√ц└ц▐ц┤ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐  ц┬ц▐ц⌠ц■ц│  ц┴
-              ц⌠ц█ц▐ц■ц▓ц┴ц■   ц ц│   ц░ц▓ц┴ц┬ц▐ц└ц▒ц²ц┴ц█ц┴  ARP-ц▐ц■ц≈ц┘ц■ц│ц█ц┴.  ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒  ц▌ц┘  ц█ц▐ц√ц┘ц■
-              ц▀ц▐ц█ц┌ц┴ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц⌠ ц▐ц⌠ц■ц│ц▄ц≤ц▌ц≥ц█ц┴ ц■ц┴ц░ц│ц█ц┴ ping-ц▐ц░ц▓ц▐ц⌠ц│.  <B>-PU</B>  <B>[</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■<B>(</B>ц<B>ц</B>≥<B>)]</B>
-              ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒  ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц■  UDP-ц ц│ц░ц▓ц▐ц⌠  ц▌ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼ ц┬ц▐ц⌠ц■. ц╔ц⌠ц▄ц┴ ц≈
-              ц▐ц■ц≈ц┘ц■ ц░ц▓ц┴ц┬ц▐ц└ц┴ц■ ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц┘ "ICMP port unreachable", ц┴ц▄ц┴  UDP-ц▐ц■ц≈ц┘ц■
-              (ц░ц▐ц▓ц■  ц▐ц■ц▀ц▓ц≥ц■),  ц■ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼  ц┬ц▐ц⌠ц■ ц│ц▀ц■ц┴ц≈ц┘ц▌. ц╟ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц█ц▌ц▐ц┤ц┴ц┘
-              UDP-ц⌠ц┘ц▓ц≈ц┴ц⌠ц≥  ц▌ц┘  ц▐ц■ц≈ц┘ц·ц│ц─ц■  ц▌ц│  ц░ц∙ц⌠ц■ц▐ц┼  ц░ц│ц▀ц┘ц■,  ц▄ц∙ц·ц⌡ц┘   ц∙ц▀ц│ц ц≥ц≈ц│ц■ц≤
-              ц░ц▓ц┘ц└ц░ц▐ц▄ц▐ц√ц┴ц■ц┘ц▄ц≤ц▌ц▐ ц ц│ц▀ц▓ц≥ц■ц≥ц┼ ц░ц▐ц▓ц■.
-
-       <B>-PE</B>    ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  "ц▌ц│ц⌠ц■ц▐ц▒ц²ц┴ц┼"  ping  (ц░ц▐ц⌠ц≥ц▄ц│ц■ц≤  ц▌ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼ ц┬ц▐ц⌠ц■
-              "ICMP echo request" ц░ц│ц▀ц┘ц■).  ц╟ц▓ц┴  ц≈ц▀ц▄ц─ц·ц┘ц▌ц┴ц┴  ц°ц■ц▐ц┼  ц▐ц░ц┐ц┴ц┴  ц┴ц²ц∙ц■ц⌠ц▒
-              ц│ц▀ц■ц┴ц≈ц▌ц≥ц┘  ц┬ц▐ц⌠ц■ц≥  ц┴  broadcast-ц│ц└ц▓ц┘ц⌠ц│  (ц│ц└ц▓ц┘ц⌠ц│  ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц└ц▐ц⌠ц■ц∙ц░ц▌ц≥
-              ц≈ц▌ц┘ц⌡ц▌ц┘,  ц┴  ц■ц▓ц│ц▌ц⌠ц▄ц┴ц▓ц∙ц─ц■   ц░ц▓ц┴ц┬ц▐ц└ц▒ц²ц┴ц┘   IP-ц░ц│ц▀ц┘ц■ц≥   ц≈ц⌠ц┘ц█   ц┬ц▐ц⌠ц■ц│ц█
-              ц≈ц▌ц∙ц■ц▓ц┘ц▌ц▌ц┘ц┼   ц⌠ц┘ц■ц┴).    ц╢ц│ц▀ц┴ц┘  ц│ц└ц▓ц┘ц⌠ц│  ц█ц▐ц┤ц∙ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒  ц└ц▄ц▒
-              ц▐ц▓ц┤ц│ц▌ц┴ц ц│ц┐ц┴ц┴ DoS-ц│ц■ц│ц▀. (ц║ц■ц│ц▀ц│ ц■ц┴ц░ц│ ц▐ц■ц▀ц│ц  ц≈ ц▐ц┌ц⌠ц▄ц∙ц√ц┴ц≈ц│ц▌ц┴ц┴)
-
-       <B>-PP</B>    ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц░ц│ц▀ц┘ц■  ICMP  "timestamp  request  (type  13)"  ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц│ц▀ц■ц┴ц≈ц▌ц≥ц┬ ц┬ц▐ц⌠ц■ц▐ц≈.
-
-       <B>-PM</B>    ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤   ц░ц│ц▀ц┘ц■   ICMP  "netmask  request  (type  17)"  ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц│ц▀ц■ц┴ц≈ц▌ц≥ц┬ ц┬ц▐ц⌠ц■ц▐ц≈.
-
-       <B>-PB</B> <B>[</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■<B>(</B>ц<B>ц</B>≥<B>)]</B>
-              ц╪ц■ц▐ ц■ц┴ц░ ping-ц▐ц░ц▓ц▐ц⌠ц│ ц░ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─. ц╞ц▌ ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■  ACK
-              (  <B>-PA</B>  )  ц┴ "ICMP echo request" ц░ц│ц▀ц┘ц■ ( <B>-PE</B> ). ц╪ц■ц┴ц█ ц░ц∙ц■ц┘ц█ ц█ц▐ц√ц▌ц▐
-              ц▐ц┌ц▐ц┼ц■ц┴ ц├ц│ц┘ц▓ц≈ц▐ц▄ ц▀ц▐ц■ц▐ц▓ц≥ц┼ ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц■ ц▐ц└ц┴ц▌ ц┴ц  ц°ц■ц┴ц┬ ц░ц│ц▀ц┘ц■ц▐ц≈.
-
-       <B>-O</B>     (Operating system detection) - ц°ц■ц│  ц▐ц░ц┐ц┴ц▒  ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤
-              ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц∙ц─   ц⌠ц┴ц⌠ц■ц┘ц█ц∙   ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐  ц┬ц▐ц⌠ц■ц│  ц⌠  ц░ц▐ц█ц▐ц²ц≤ц─  ц⌠ц▌ц▒ц■ц┴ц▒
-              ц▐ц■ц░ц┘ц·ц│ц■ц▀ц▐ц≈ ц⌠ц■ц┘ц▀ц│  TCP/IP.  ц╓ц▓ц∙ц┤ц┴ц█ц┴  ц⌠ц▄ц▐ц≈ц│ц█ц┴,  nmap  ц│ц▀ц■ц┴ц≈ц┴ц ц┴ц▓ц∙ц┘ц■
-              ц█ц▐ц²ц▌ц≥ц┼  ц│ц▄ц┤ц▐ц▓ц┴ц■ц█,  ц├ц∙ц▌ц▀ц┐ц┴ц▐ц▌ц┴ц▓ц∙ц─ц²ц┴ц┼  ц▌ц│  ц▐ц⌠ц▌ц▐ц≈ц┘  ц│ц▌ц│ц▄ц┴ц ц│  ц⌠ц≈ц▐ц┼ц⌠ц■ц≈
-              ц⌠ц┘ц■ц┘ц≈ц▐ц┤ц▐  ц⌠ц■ц┘ц▀ц│  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц▌ц▐ц┼  ц▌ц│  ц┬ц▐ц⌠ц■ц┘   ц╞цЁ.   ц╥   ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц┘
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц░ц▐ц▄ц∙ц·ц│ц┘ц■ц⌠ц▒  "ц▐ц■ц░ц┘ц·ц│ц■ц▐ц▀",  ц⌠ц▐ц⌠ц■ц▐ц▒ц²ц┴ц┼ ц┴ц  ц⌠ц■ц│ц▌ц└ц│ц▓ц■ц▌ц≥ц┬
-              ц■ц┘ц⌠ц■ц▐ц≈ц≥ц┬ ц ц│ц░ц▓ц▐ц⌠ц▐ц≈ ц┴ "ц▐ц■ц≈ц┘ц■ц▐ц≈" ц┬ц▐ц⌠ц■ц│  ц▌ц│  ц▌ц┴ц┬.  ц╨ц│ц■ц┘ц█  ц░ц▐ц▄ц∙ц·ц┘ц▌ц▌ц≥ц┼
-              ц▐ц■ц░ц┘ц·ц│ц■ц▐ц▀  ц⌠ц▓ц│ц≈ц▌ц┴ц≈ц│ц┘ц■ц⌠ц▒  ц⌠  ц┴ц█ц┘ц─ц²ц┘ц┼ц⌠ц▒  ц┌ц│ц ц▐ц┼ ц⌠ц■ц│ц▌ц└ц│ц▓ц■ц▌ц≥ц┬ ц▐ц■ц≈ц┘ц■ц▐ц≈
-              ц┴ц ц≈ц┘ц⌠ц■ц▌ц≥ц┬ ц╞цЁ, ц┬ц▓ц│ц▌ц▒ц²ц┘ц┼ц⌠ц▒ ц≈ ц├ц│ц┼ц▄ц┘  nmap-os-fingerprinting,  ц┴  ц▌ц│
-              ц▐ц⌠ц▌ц▐ц≈ц│ц▌ц┴ц┴   ц°ц■ц▐ц┤ц▐   ц░ц▓ц┴ц▌ц┴ц█ц│ц┘ц■ц⌠ц▒  ц▓ц┘ц⌡ц┘ц▌ц┴ц┘  ц▐  ц■ц┴ц░ц┘  ц┴  ц≈ц┘ц▓ц⌠ц┴ц┴  ц╞цЁ
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│.
-
-              ц╔ц⌠ц▄ц┴ nmap ц▌ц┘ ц⌠ц█ц▐ц┤ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ OC ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц≥,  ц░ц▐ц■ц▐ц█ц∙  ц·ц■ц▐
-              ц■ц│ц▀ц▐ц┤ц▐   ц▐ц■ц░ц┘ц·ц│ц■ц▀ц│  ц┘ц²бё  ц▌ц┘ц■  ц≈  ц┌ц│ц ц┘,  ц▌ц▐  ц░ц▐ц▄ц∙ц·ц┘ц▌ц┴ц┘  ц▐ц■ц░ц┘ц·ц│ц■ц▀ц│
-              ц░ц▓ц┘ц└ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц≈ц▐ц ц█ц▐ц√ц▌ц≥ц█ (ц▌ц│ ц█ц│ц⌡ц┴ц▌ц┘ ц┬ц▐ц■ц▒ ц┌ц≥ ц▐ц└ц┴ц▌ ц▐ц■ц▀ц▓ц≥ц■ц≥ц┼  ц░ц▐ц▓ц■)
-              nmap  ц∙ц▀ц│ц√ц┘ц■  url, ц▌ц│ ц▀ц▐ц■ц▐ц▓ц▐ц█ ц≈ц≥ ц⌠ц█ц▐ц√ц┘ц■ц┘ ц▐ц■ц░ц▓ц│ц≈ц┴ц■ц≤ ц▐ц■ц░ц┘ц·ц│ц■ц▐ц▀ ц└ц▄ц▒
-              ц≈ц▌ц┘ц⌠ц┘ц▌ц┴ц▒ ц┘ц┤ц▐ ц▓ц│ц ц▓ц│ц┌ц▐ц■ц·ц┴ц▀ц│ц█ц┴ ц≈ ц┌ц│ц ц∙  ц▐ц■ц░ц┘ц·ц│ц■ц▀ц▐ц≈,  ц┘ц⌠ц▄ц┴  ц≈ц≥  ц■ц▐ц·ц▌ц▐
-              ц ц▌ц│ц┘ц■ц┘  ц·ц■ц▐  ц ц│  ц╞цЁ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц█ ц┬ц▐ц⌠ц■ц┘. ц╨ц│ц█ц┘ц■ц≤ц■ц┘,
-              ц┘ц⌠ц▄ц┴  ц≈ц≥  ц∙ц▀ц│ц√ц┘ц■ц┘  ip-ц│ц└ц▓ц┘ц⌠  ц█ц│ц⌡ц┴ц▌ц≥,  ц└ц▄ц▒  ц▀ц▐ц■ц▐ц▓ц▐ц┼  ц≈ц≥  ц░ц▓ц┴ц⌠ц▄ц│ц▄ц┴
-              ц▐ц■ц░ц┘ц·ц│ц■ц▐ц▀,  ц■ц▐  ц░ц▓ц┴ ц≈ц▌ц┘ц⌠ц┘ц▌ц┴ц┴ ц┘ц┤ц▐ ц≈ ц┌ц│ц ц∙ ц°ц■ц│ ц█ц│ц⌡ц┴ц▌ц│ ц┌ц∙ц└ц┘ц■ ц┘ц²бё ц▓ц│ц 
-              ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц│ ц└ц▄ц▒ ц░ц▐ц└ц■ц≈ц┘ц▓ц√ц└ц┘ц▌ц┴ц▒ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц▐ц≈.
-
-              ц╞ц░ц┐ц┴ц▒ Б─≥-ц╞Б─≥ ц■ц│ц▀ц√ц┘ ц┴ц▌ц┴ц┐ц┴ц│ц▄ц┴ц ц┴ц▓ц∙ц┘ц■ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц└ц▓ц∙ц┤ц┴ц┬ ц■ц┘ц⌠ц■ц▐ц≈. ц╞ц└ц┴ц▌ ц┴ц 
-              ц■ц│ц▀ц┴ц┬  ц▀ц│ц▀  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘  "TCP  timestamp" ц▐ц░ц┐ц┴ц┴ (RFC 1323) ц└ц▄ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц≈ц▓ц┘ц█ц┘ц▌ц┴ ц│ц▀ц■ц┴ц≈ц▌ц▐ц⌠ц■ц┴ ц┬ц▐ц⌠ц■ц│  ц⌠  ц█ц▐ц█ц┘ц▌ц■ц│  ц┘ц┤ц▐  ц░ц▐ц⌠ц▄ц┘ц└ц▌ц┘ц┼
-              ц░ц┘ц▓ц┘ц ц│ц┤ц▓ц∙ц ц▀ц┴. ц╪ц■ц│ ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц▒ ц░ц▓ц┘ц└ц▐ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц■ц▐ц▄ц≤ц▀ц▐ ц⌠ ц▓ц│ц ц▓ц┘ц⌡ц┘ц▌ц┴ц▒
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│.
-
-              ц╓ц▓ц∙ц┤ц▐ц┼ ц■ц┘ц⌠ц■, ц┴ц▌ц┴ц┐ц┴ц│ц▄ц┴ц ц┴ц▓ц∙ц┘ц█ц≥ц┘ ц▐ц░ц┐ц┴ц┘ц┼ Б─≥-OБ─≥ -  ц°ц■ц▐  "TCP  Sequence
-              Predictability  Classification"  - ц▀ц▄ц│ц⌠ц⌠ц┴ц├ц┴ц▀ц│ц┐ц┴ц▒ ц░ц▓ц┘ц└ц⌠ц▀ц│ц ц∙ц┘ц█ц▐ц⌠ц■ц┴
-              ц░ц▐ц⌠ц▄ц┘ц└ц▐ц≈ц│ц■ц┘ц▄ц≤ц▌ц▐ц⌠ц■ц┴ TCP.  ц╔ц┤ц▐  ц⌠ц∙ц■ц≤  ц≈  ц■ц▐ц█,  ц·ц■ц▐  ц┌ц≥  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤
-              ц▌ц│ц⌠ц▀ц▐ц▄ц≤ц▀ц▐  ц■ц▒ц√ц┘ц▄ц▐  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц┴ц■ц≤  ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц▐ц┘ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘ ц⌠ ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┼
-              ц█ц│ц⌡ц┴ц▌ц▐ц┼. ц╪ц■ц│ ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц▒ ц█ц▐ц√ц┘ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒  ц└ц▄ц▒  ц▐ц┌ц┬ц▐ц└ц│  ц░ц▓ц│ц≈
-              ц└ц▐ц⌠ц■ц∙ц░ц│  ц▀  ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┼  ц█ц│ц⌡ц┴ц▌ц┘  ц┴ц▄ц┴  ц⌠ц▀ц▓ц≥ц■ц┴ц▒ ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀ц│ ц│ц■ц│ц▀ц┴. ц╪ц■ц│
-              ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц▒ ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■ц⌠ц▒ ц░ц▓ц┴ ц≈ц▀ц▄ц─ц·ц┘ц▌ц▌ц▐ц┼ ц▐ц░ц┐ц┴ц┴ Б─≥-vБ─≥.
-
-              ц╚ц▐ц┤ц└ц│ ц▐ц░ц┐ц┴ц▒ Б─≥-vБ─≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц≈ц█ц┘ц⌠ц■ц┘ ц⌠ Б─≥-OБ─≥, - ц·ц│ц⌠ц■ц▐ц■ц│ ц┤ц┘ц▌ц┘ц▓ц│ц┐ц┴ц┴
-              IPID  ц■ц│ц▀ц√ц┘  ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц┘ц■ц⌠ц▒.  ц╒ц▐ц▄ц≤ц⌡ц┴ц▌ц⌠ц■ц≈ц▐  ц█ц│ц⌡ц┴ц▌  ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц─ц■ц⌠ц▒ ц▀ц│ц▀
-              "incremental", ц·ц■ц▐ ц▐ц ц▌ц│ц·ц│ц┘ц■ ц┴ц ц█ц┘ц▌ц┘ц▌ц┴ц┘ ц░ц▐ц▄ц▒ "ID" ц≈  ц ц│ц┤ц▐ц▄ц▐ц≈ц▀ц┘  IP
-              ц└ц▄ц▒  ц▀ц│ц√ц└ц▐ц┤ц▐  ц▐ц■ц░ц▓ц│ц≈ц▄ц┘ц▌ц▌ц▐ц┤ц▐  ц░ц│ц▀ц┘ц■ц│  ц▌ц│ ц▐ц└ц┴ц▌ц│ц▀ц▐ц≈ц∙ц─ ц≈ц┘ц▄ц┴ц·ц┴ц▌ц∙, ц·ц■ц▐
-              ц└ц┘ц▄ц│ц┘ц■ ц┴ц┬ ц∙ц▒ц ц≈ц┴ц█ц≥ц█ц┴  ц└ц▄ц▒  ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┬  ц∙ц┤ц▄ц∙ц┌ц▄бёц▌ц▌ц≥ц┬  ц█ц┘ц■ц▐ц└ц▐ц≈  ц⌠ц┌ц▐ц▓ц│
-              ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц┴ ц┴ spoof-ц│ц■ц│ц▀.
-
-       <B>--osscan_limit</B>
-              ц╞ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┘  ц╞цЁ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц█ц│ц⌡ц┴ц▌ц≥ ц ц▌ц│ц·ц┴ц■ц┘ц▄ц≤ц▌ц▐ ц°ц├ц├ц┘ц▀ц■ц┴ц≈ц▌ц┘ц┘, ц┘ц⌠ц▄ц┴
-              ц▌ц│ц┼ц└ц┘ц▌ц≥ ц┬ц▐ц■ц▒ ц┌ц≥ ц▐ц└ц┴ц▌ ц ц│ц▀ц▓ц≥ц■ц≥ц┼ ц┴ ц▐ц■ц▀ц▓ц≥ц■ц≥ц┼ ц░ц▐ц▓ц■.  ц╘ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘  ц°ц■ц∙
-              ц▐ц░ц┐ц┴ц─  ц┴  nmap  ц▌ц┘  ц┌ц∙ц└ц┘ц■  ц░ц▓ц▐ц┌ц▐ц≈ц│ц■ц≤ ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц■ц≤ ц╞цЁ, ц┘ц⌠ц▄ц┴ ц■ц│ц▀ц▐ц≈ц≥ц┬
-              ц░ц▐ц▓ц■ц▐ц≈ ц▌ц┘  ц▌ц│ц┼ц└ц┘ц▌ц▐.  ц╪ц■ц▐  ц█ц▐ц√ц┘ц■  ц⌠ц▐ц▀ц▓ц│ц■ц┴ц■ц≤  ц≈ц▓ц┘ц█ц▒  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒,
-              ц▌ц│ц░ц▓ц┴ц█ц┘ц▓  ц░ц▓ц┴  -P0  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴  ц█ц▌ц▐ц√ц┘ц⌠ц■ц≈ц│  ц┬ц▐ц⌠ц■ц▐ц≈.  ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц■ц▐ц▄ц≤ц▀ц▐ ц≈ц█ц┘ц⌠ц■ц┘ ц⌠ Б─≥-OБ─≥ ц┴ц▄ц┴ Б─≥-AБ─≥ ц▐ц░ц┐ц┴ц▒ц█ц┴.
-
-       <B>-A</B>     ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒  ц≈ц▀ц▄ц─ц·ц│ц┘ц■  ц▓ц┘ц√ц┴ц█  Additional  Advanced  ц┴  Aggressive,
-              ц▐ц┌ц÷ц┘ц└ц┴ц▌ц▒ц▒  ц▐ц░ц┐ц┴ц┴  Б─≥-OБ─≥  ц┴ Б─≥-sVБ─≥. ц╥ ц┌ц∙ц└ц∙ц²ц┘ц█ ц°ц■ц│ ц▐ц░ц┐ц┴ц▒ ц░ц▄ц│ц▌ц┴ц▓ц∙ц┘ц■ц⌠ц▒
-              ц└ц▄ц▒ ц▐ц┌ц÷ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒ ц█ц▌ц▐ц┤ц┴ц┬ ц▐ц░ц┐ц┴ц┼, ц└ц▄ц▒ ц■ц▐ц┤ц▐ ц·ц■ц▐ ц┌ц≥ ц█ц┘ц▌ц≤ц⌡ц┘ ц ц│ц░ц▐ц█ц┴ц▌ц│ц■ц≤.
-              ;-)
-
-       <B>-6</B>     ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒  ц≈ц▀ц▄ц─ц·ц│ц┘ц■  ц░ц▐ц└ц└ц┘ц▓ц√ц▀ц∙  ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц│ IPv6. ц╥ц⌠ц┘ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┘
-              ц┬ц▐ц⌠ц■ц≥ ц└ц▐ц▄ц√ц▌ц≥ ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц■ц≤ IPv6 ц░ц▓ц┴ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┴ ц°ц■ц▐ц┼  ц▐ц░ц┐ц┴ц┴,  ц┴
-              ц█ц▐ц┤ц∙ц■ ц┌ц≥ц■ц≤ ц∙ц▀ц│ц ц│ц▌ц≥ ц░ц∙ц■ц┘ц█ ц▌ц▐ц▓ц█ц│ц▄ц≤ц▌ц▐ц┤ц▐ ц┴ц█ц┘ц▌ц┴ DNS (ц ц│ц░ц┴ц⌠ц≤ AAAA) ц┴ц▄ц┴
-              ц▄ц┴ц■ц┘ц▓ц│ц▄ц≤ц▌ц≥ц█                 IP-ц│ц└ц▓ц┘ц⌠ц▐ц█,                 ц▌ц│ц░ц▓ц┴ц█ц┘ц▓
-              3ffe:501:4819:2000:210:f3ff:fe03:4d0.    ц╝ц│    ц└ц│ц▌ц▌ц≥ц┼    ц█ц▐ц█ц┘ц▌ц■,
-              ц░ц▐ц└ц└ц┘ц▓ц√ц┴ц≈ц│ц─ц■ц⌠ц▒ ц■ц▐ц▄ц≤ц▀ц▐ ц█ц┘ц■ц▐ц└ц≥ TCP  connect()-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц┴  TCP
-              connect()  Ping-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘. ц╔ц⌠ц▄ц┴ ц╥ц│ц⌠ ц┴ц▌ц■ц┘ц▓ц┘ц⌠ц∙ц┘ц■ UDP ц┴ц▄ц┴ ц└ц▓ц∙ц┤ц▐ц┼
-              ц■ц┴ц░ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц░ц▐ц⌠ц┘ц■ц┴ц■ц┘ http://nmap6.sourceforge.net/.
-
-       <B>--send_eth</B>
-              ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц ц│ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ nmap ц▐ц■ц⌠ц≥ц▄ц│ц■ц≤ ц░ц│ц▀ц┘ц■ц≥  ц▌ц│  ц▀ц│ц▌ц│ц▄ц≤ц▌ц▐ц█  ц∙ц▓ц▐ц≈ц▌ц┘
-              (data  link  layer)  ц≈ц█ц┘ц⌠ц■ц▐  ц⌠ц┘ц■ц┘ц≈ц▐ц┤ц▐  ц∙ц▓ц▐ц≈ц▌ц▒  (network  layer).
-              ц╟ц▐-ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ nmap ц⌠ц│ц█ ц≈ц≥ц┌ц┴ц▓ц│ц┘ц■ ц▌ц│ ц▀ц│ц▀ц▐ц█ ц∙ц▓ц▐ц≈ц▌ц┘ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц■ц≤ ц░ц│ц▀ц┘ц■ц≥
-              ц≈  ц ц│ц≈ц┴ц⌠ц┴ц█ц▐ц⌠ц■ц┴  ц▐ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц▐ц┼  ц░ц▄ц│ц■ц├ц▐ц▓ц█ц≥. Raw-ц⌠ц▐ц▀ц┘ц■ц≥ (ц⌠ц┘ц■ц┘ц≈ц▐ц┼
-              ц∙ц▓ц▐ц≈ц┘ц▌ц≤) ц┌ц▐ц▄ц┘ц┘ ц°ц├ц├ц┘ц▀ц■ц┴ц≈ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▌ц│ UNIX  ц█ц│ц⌡ц┴ц▌ц│ц┬,  ц▐ц└ц▌ц│ц▀ц▐
-              ц▌ц│  ц▀ц│ц▌ц│ц▄ц≤ц▌ц▐ц█ ц∙ц▓ц▐ц≈ц▌ц┘ ц▄ц∙ц·ц⌡ц┘ ц├ц∙ц▌ц▀ц┐ц┴ц▐ц▌ц┴ц▓ц∙ц─ц■ ц╞цЁ ц⌠ц┘ц█ц┘ц┼ц⌠ц■ц≈ц│ Windows, ц≈
-              ц▀ц▐ц■ц▐ц▓ц≥ц┬  Microsoft   ц▐ц■ц▀ц▄ц─ц·ц┴ц▄ц│   ц░ц▐ц└ц└ц┘ц▓ц√ц▀ц∙   raw-ц⌠ц▐ц▀ц┘ц■ц▐ц≈.   Nmap
-              ц▐ц└ц▌ц▐ц ц▌ц│ц·ц▌ц▐ ц┌ц∙ц└ц┘ц■ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ raw-ц⌠ц▐ц▀ц┘ц■ц≥ ц┘ц⌠ц▄ц┴ ц▌ц┘ц■ ц└ц▓ц∙ц┤ц▐ц┤ц▐ ц≈ц≥ц┌ц▐ц▓ц│
-              (ц▌ц│ц░ц▓ц┴ц█ц┘ц▓ ц≈ ц▌ц┘ ц▄ц▐ц▀ц│ц▄ц≤ц▌ц▐ц┼ ц⌠ц┘ц■ц┴).
-
-       <B>--send_ip</B>
-              ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц ц│ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ nmap  ц▐ц■ц⌠ц≥ц▄ц│ц■ц≤  ц░ц│ц▀ц┘ц■ц≥  ц▌ц│  ц⌠ц┘ц■ц┘ц≈ц▐ц█  ц∙ц▓ц▐ц≈ц▌ц┘
-              (network   layer)  ц≈ц█ц┘ц⌠ц■ц▐  ц▀ц│ц▌ц│ц▄ц≤ц▌ц▐ц┤ц▐  (data  link  layer).  ц╪ц■ц▐
-              ц░ц▓ц▐ц■ц┴ц≈ц▐ц░ц▐ц▄ц▐ц√ц▌ц│ц▒ ц▐ц░ц┐ц┴ц▒ ц▀ Б─≥--send_ethБ─≥.
-
-       <B>--spoof_mac</B> <B>[mac,</B> <B>prefix,</B> <B>or</B> <B>vendor</B> <B>substring]</B>
-              ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц ц│ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ nmap  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц ц│ц└ц│ц▌ц▌ц≥ц┼  MAC-ц│ц└ц▓ц┘ц⌠  ц≈ц▐
-              ц≈ц⌠ц┘ц┬   ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц█ц≥ц┬   ц░ц│ц▀ц┘ц■ц│ц┬  ц▀ц│ц▌ц│ц▄ц≤ц▌ц▐ц┤ц▐  ц∙ц▓ц▐ц≈ц▌ц▒.  ц║ц└ц▓ц┘ц⌠  ц█ц▐ц√ц┘ц■
-              ц ц│ц└ц│ц≈ц│ц■ц≤ц⌠ц▒ ц≈ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц┴ц┬ ц├ц▐ц▓ц█ц│ц■ц│ц┬. ц╔ц⌠ц▄ц┴ ц°ц■ц▐  ц░ц▓ц▐ц⌠ц■ц▐  ц⌠ц■ц▓ц▐ц▀ц│  "0",
-              nmap ц≈ц≥ц┌ц┘ц▓ц┘ц■ ц░ц▐ц▄ц▌ц▐ц⌠ц■ц≤ц─ ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц┼ MAC-ц│ц└ц▓ц┘ц⌠ ц└ц▄ц▒ ц°ц■ц▐ц┼ ц⌠ц┘ц⌠ц⌠ц┴ц┴. ц╔ц⌠ц▄ц┴
-              ц ц│ц└ц│ц▌ц▌ц≥ц┼ ц│ц└ц▓ц┘ц⌠ - ц▌ц│ц┌ц▐ц▓ ц⌡ц┘ц⌠ц■ц▌ц│ц└ц┐ц│ц■ц┘ц▓ц┴ц·ц▌ц≥ц┬ ц·ц┴ц⌠ц┘ц▄, ц⌠ ц▓ц│ц ц└ц┘ц▄ц┴ц■ц┘ц▄ц┘ц█ ц≈
-              ц≈ц┴ц└ц┘   ц└ц≈ц▐ц┘ц■ц▐ц·ц┴ц▒,   nmap   ц┌ц∙ц└ц┘ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц°ц■ц∙  ц⌠ц■ц▓ц▐ц▀ц∙  ц▀ц│ц▀
-              ц╜ц║цЁ-ц│ц└ц▓ц┘ц⌠. ц╔ц⌠ц▄ц┴ ц ц│ц└ц│ц▌ц▐ ц█ц┘ц▌ц≤ц⌡ц┘ 12 ц⌡ц┘ц⌠ц■ц▌ц│ц└ц┐ц│ц■ц┘ц▓ц┴ц·ц▌ц≥ц┬  ц·ц┴ц⌠ц┘ц▄,  nmap
-              ц⌠ц│ц█  ц ц│ц░ц▐ц▄ц▌ц┴ц■  ц▌ц┘ц└ц▐ц⌠ц■ц│ц─ц²ц┴ц┘  ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ц┴ ц ц▌ц│ц·ц┘ц▌ц┴ц▒ц█ц┴. ц╔ц⌠ц▄ц┴ ц ц│ц└ц│ц▌ц▌ц≥ц┼
-              ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ ц▌ц┘ 0 ц┴  ц▌ц┘  ц⌡ц┘ц⌠ц■ц▌ц│ц└ц┐ц│ц■ц┘ц▓ц┴ц·ц▌ц│ц▒  ц⌠ц■ц▓ц▐ц▀ц│,  ц■ц▐  nmap  ц┌ц∙ц└ц┘ц■
-              ц┴ц⌠ц▀ц│ц■ц≤  ц≈  ц├ц│ц┼ц▄ц┘  nmap-mac-prefixes  ц░ц▐ц┬ц▐ц√ц┘ц┘  ц ц▌ц│ц·ц┘ц▌ц┴ц┘  ц≈ ц┴ц█ц┘ц▌ц│ц┬
-              ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц┘ц▄ц┘ц┼ ц⌠ц┘ц■ц┘ц≈ц▐ц┤ц▐ ц▐ц┌ц▐ц▓ц∙ц└ц▐ц≈ц│ц▌ц┴ц▒. ц╔ц⌠ц▄ц┴  ц■ц│ц▀ц▐ц┼  ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц┘ц▄ц≤
-              ц┌ц∙ц└ц┘ц■  ц▌ц│ц┼ц└ц┘ц▌, nmap ц≈ц▐ц ц≤ц█ц┘ц■ OUI (3ц┌ц│ц┼ц■ц▌ц≥ц┼ ц░ц▓ц┘ц├ц┴ц▀ц⌠) ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц┘ц▄ц▒
-              ц┴ ц└ц▐ц░ц▐ц▄ц▌ц┴ц■ ц┘ц┤ц▐ ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ц┴  3  ц┌ц│ц┼ц■ц│ц█ц┴,  ц≈  ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц┘  ц░ц▐ц▄ц∙ц·ц┴ц■ц⌠ц▒
-              ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц≥ц┼  ц╜ц║цЁ-ц│ц└ц▓ц┘ц⌠  ц▐ц░ц▓ц┘ц└ц┘ц▄бёц▌ц▌ц▐ц┤ц▐  ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц┘ц▄ц▒. ц╟ц▓ц│ц≈ц┴ц▄ц≤ц▌ц≥ц█ц┴
-              ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│ц█ц┴   --spoof_mac   ц┌ц∙ц└ц∙ц■,   ц▌ц│ц░ц▓ц┴ц█ц┘ц▓:   "Apple",   "0",
-              "01:02:03:04:05:06", "deadbeefcafe", "0020F2", ц┴ "Cisco".
-
-       <B>-f</B>     (fragment  packets)  -  ц°ц■ц│  ц▐ц░ц┐ц┴ц▒ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц⌠ц▐ц≈ц█ц┘ц⌠ц■ц▌ц▐ ц⌠ SYN,
-              FIN, Xmas ц┴ц▄ц┴ NULL-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴  ц┴  ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■  ц▌ц│  ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ц⌠ц■ц≤
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц▒  IP-ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц│ц┐ц┴ц┴.  ц╘ц└ц┘ц▒  ц ц│ц▀ц▄ц─ц·ц│ц┘ц■ц⌠ц▒  ц≈ ц■ц▐ц█, ц·ц■ц▐ц┌ц≥
-              ц▓ц│ц ц┌ц┴ц■ц≤ TCP-ц ц│ц┤ц▐ц▄ц▐ц≈ц▐ц▀ ц┴ц⌠ц┬ц▐ц└ц▒ц²ц┘ц┤ц▐ ц░ц│ц▀ц┘ц■ц│ ц▌ц│ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц▐ц≈.
-              цЁц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼   ц┬ц▐ц⌠ц■   ц└ц┘ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц┴ц▓ц∙ц┘ц■  ц°ц■ц┴  IP-ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц≥  ц≈  ц▐ц└ц┴ц▌
-              TCP-ц░ц│ц▀ц┘ц■.  ц╕ц▓ц│ц┤ц█ц┘ц▌ц■ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц ц▌ц│ц·ц┴ц■ц┘ц▄ц≤ц▌ц▐  ц∙ц⌠ц▄ц▐ц√ц▌ц▒ц┘ц■  ц├ц┴ц▄ц≤ц■ц▓ц│ц┐ц┴ц─
-              ц░ц│ц▀ц┘ц■ц▐ц≈,  ц▓ц│ц┌ц▐ц■ц∙  ц⌠ц┴ц⌠ц■ц┘ц█  ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц┴ц▒  ц┴ ц└ц▓ц∙ц┤ц┴ц┬ ц░ц▐ц└ц▐ц┌ц▌ц≥ц┬ ц⌠ц▓ц┘ц└ц⌠ц■ц≈
-              ц ц│ц²ц┴ц■ц≥, ц┴ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ nmap ц⌠ц▀ц▓ц≥ц■ц≤ ц⌠ц≈ц▐ц┴  ц└ц┘ц┼ц⌠ц■ц≈ц┴ц▒.  ц╞ц└ц▌ц│ц▀ц▐  ц⌠ц▄ц┘ц└ц∙ц┘ц■
-              ц▐ц⌠ц■ц▐ц▓ц▐ц√ц▌ц▐  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц└ц│ц▌ц▌ц∙ц─ ц▐ц░ц┐ц┴ц─, ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц⌠ц■ц│ц▓ц≥ц┘
-              ц┴ц▄ц┴  ц▌ц┘ц░ц▓ц▐ц├ц┘ц⌠ц⌠ц┴ц▐ц▌ц│ц▄ц≤ц▌ц≥ц┘  ц▌ц▐ц≈ц≥ц┘  ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥,  ц▌ц│ц░ц▓ц┴ц█ц┘ц▓   ц⌠ц▌ц┴ц├ц├ц┘ц▓ц≥,
-              ц░ц▓ц▐ц⌠ц■ц▐  ц ц│ц≈ц┴ц⌠ц│ц─ц■  ц░ц▓ц┴ ц░ц▐ц░ц≥ц■ц▀ц┘ ц⌠ц▐ц┌ц▓ц│ц■ц≤ ц■ц│ц▀ц┴ц┘ ц█ц│ц▄ц┘ц▌ц≤ц▀ц┴ц┘ ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц≥.
-              ц╣ц▀ц│ц√ц┴ц■ц┘ ц°ц■ц∙ ц▐ц░ц┐ц┴ц─ ц▐ц└ц┴ц▌ ц▓ц│ц  ц┴  nmap  ц┌ц∙ц└ц┘ц■  ц▓ц│ц ц┌ц┴ц≈ц│ц■ц≤  ц░ц│ц▀ц┘ц■ц≥  ц▌ц│
-              8ц┌ц│ц┼ц■ц▐ц≈ц≥ц┘  ц┴ц▄ц┴  ц█ц┘ц▌ц≤ц⌡ц┘  ц░ц│ц▀ц┘ц■ц≥, ц┴ц⌠ц▀ц▄ц─ц·ц│ц▒ IP-ц ц│ц┤ц▐ц▄ц▐ц≈ц▐ц▀. ц╝ц│ц░ц▓ц┴ц█ц┘ц▓,
-              20-ц┌ц│ц┼ц■ц▐ц≈ц≥ц┼ TCP ц ц│ц┤ц▐ц▄ц▐ц≈ц▐ц▀ ц┌ц∙ц└ц┘ц■ ц▓ц│ц ц┌ц┴ц■ ц▌ц│ 3 ц░ц│ц▀ц┘ц■ц│  -  ц▌ц│  2  ц░ц▐
-              8ц┌ц│ц┼ц■   ц┴   ц▐ц└ц┴ц▌  ц▌ц│  4.   ц╚ц▐ц▌ц┘ц·ц▌ц▐  ц√ц┘,  ц▀ц│ц√ц└ц≥ц┼  ц├ц▓ц│ц┤ц█ц┘ц▌ц■  ц┴ц█ц┘ц┘ц■
-              ц⌠ц▐ц┌ц⌠ц■ц≈ц┘ц▌ц▌ц≥ц┼ IP-ц ц│ц┤ц▐ц▄ц▐ц≈ц▐ц▀.  ц╣ц▀ц│ц√ц┴ц■ц┘ ц▐ц░ц┐ц┴ц─ Б─≥-fБ─≥ ц┘ц²бё ц▓ц│ц   ц┴  ц░ц│ц▀ц┘ц■ц≥
-              ц┌ц∙ц└ц∙ц■  ц▓ц│ц ц┌ц┴ц≈ц│ц■ц≤ц⌠ц▒ ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┘ц▌ц▌ц▐ ц▌ц│ 16ц┌ц│ц┼ц■ц▌ц≥ц┘ ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц≥. ц╘ц▄ц┴ ц≈ц≥
-              ц█ц▐ц√ц┘ц■ц┘ ц∙ц▀ц│ц ц│ц■ц≤  ц⌠ц≈ц▐ц┼  ц⌠ц▐ц┌ц⌠ц■ц≈ц┘ц▌ц▌ц≥ц┼  ц▓ц│ц ц█ц┘ц▓  ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц│,  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц▒
-              ц▐ц░ц┐ц┴ц─  Б─≥--mtuБ─≥.  ц╝ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘ ц°ц■ц┴ (-f ц┴ --mtu) ц▐ц░ц┐ц┴ц┴ ц≈ц█ц┘ц⌠ц■ц┘, ц┴
-              ц▌ц┘ ц ц│ц┌ц≥ц≈ц│ц┼ц■ц┘, ц·ц■ц▐ ц▓ц│ц ц█ц┘ц▓ ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц│ ц└ц▐ц▄ц√ц┘ц▌ ц┌ц≥ц■ц≤ ц▀ц▓ц│ц■ц┘ц▌ 8.
-
-              ц╨ц│ц█ц┘ц■ц≤ц■ц┘, ц·ц■ц▐ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц╞цЁ, ц▌ц│ц░ц▓ц┴ц█ц┘ц▓ Linux c ц≈ц▀ц▄ц─ц·ц┘ц▌ц▌ц≥ц█  ц█ц▐ц└ц∙ц▄ц┘ц█
-              ip  tables connection tracking, ц└ц┘ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц┴ц▓ц∙ц─ц■ ц┴ц⌠ц┬ц▐ц└ц▒ц²ц┴ц┘ ц░ц│ц▀ц┘ц■ц≥
-              ц▌ц│ ц∙ц▓ц▐ц≈ц▌ц┘ ц▒ц└ц▓ц│. ц╟ц▓ц▐ц⌠ц█ц▐ц■ц▓ц┴ц■ц┘ ц┤ц┘ц▌ц┘ц▓ц┴ц▓ц∙ц┘ц█ц≥ц┼ nmap  ц├ц▓ц│ц┤ц█ц┘ц▌ц■ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┼
-              ц■ц▓ц│ц├ц┴ц▀ ц⌠ц▌ц┴ц├ц├ц┘ц▓ц▐ц█, ц·ц■ц▐ ц┌ц≥ ц≈ц≥ц▒ц⌠ц▌ц┴ц■ц≤ ц▓ц│ц┌ц▐ц■ц│ц┘ц■ ц▄ц┴ ц▐ц░ц┐ц┴ц▒ Б─≥-fБ─≥.
-
-       <B>-v</B>     (verbose output) - ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▓ц┘ц√ц┴ц█ ц░ц▐ц└ц▓ц▐ц┌ц▌ц▐ц┤ц▐ ц▐ц■ц·ц┘ц■ц│. ц╔ц⌠ц▄ц┴ ц≈ц≥
-              ц∙ц▀ц│ц√ц┘ц■ц┘  ц°ц■ц∙  ц▐ц░ц┐ц┴ц─,  nmap  ц┌ц∙ц└ц┘ц■  ц░ц▐ц└ц▓ц▐ц┌ц▌ц▐  ц⌠ц▐ц▐ц┌ц²ц│ц■ц≤   ц▐   ц┬ц▐ц└ц┘
-              ц≈ц≥ц░ц▐ц▄ц▌ц┘ц▌ц┴ц▒ ц■ц┘ц▀ц∙ц²ц┘ц┼ ц▐ц░ц┘ц▓ц│ц┐ц┴ц┴. ц╓ц▄ц▒ ц░ц▐ц▄ц∙ц·ц┘ц▌ц┴ц▒ ц▄ц∙ц·ц⌡ц┘ц┤ц▐ ц°ц├ц├ц┘ц▀ц■ц│ ц█ц▐ц√ц▌ц▐
-              ц∙ц▀ц│ц ц│ц■ц≤ ц┘ц┘ ц└ц≈ц│ц√ц└ц≥. ц╜ц▐ц√ц┘ц■ц┘ ц┘ц²бё ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц▓ц│ц  ц∙ц▀ц│ц ц│ц■ц≤ ц▐ц░ц┐ц┴ц─ Б─≥ <B>-d</B>
-
-       <B>-h</B>     (help) - ц░ц▐ц▀ц│ц ц≥ц≈ц│ц┘ц■ ц▀ц▓ц│ц■ц▀ц∙ц─ ц┴ц▌ц⌠ц■ц▓ц∙ц▀ц┐ц┴ц─ ц░ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц─  nmap  ц⌠
-              ц∙ц▀ц│ц ц│ц▌ц┴ц┘ц█  ц▐ц░ц┐ц┴ц┼  ц┴  ц▀ц▓ц│ц■ц▀ц▐ц┤ц▐  ц┴ц┬  ц▐ц░ц┴ц⌠ц│ц▌ц┴ц▒,  ц▌ц┘  ц ц│ц░ц∙ц⌠ц▀ц│ц▒  ц⌠ц│ц█ц∙
-              ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц∙.
-
-       <B>-oN</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              (output Normal) - ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц┘ц■ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц≈  ц∙ц└ц▐ц┌ц▌ц▐ц┼
-              ц└ц▄ц▒ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒ ц├ц▐ц▓ц█ц┘ ц≈ ц├ц│ц┼ц▄, ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┼ ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│.
-
-       <B>-oX</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              (output  XML) - ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц┘ц■ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц≈ ц├ц▐ц▓ц█ц│ц■ц┘ <B>XML</B>
-              ц≈ ц├ц│ц┼ц▄, ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┼ ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│. ц╪ц■ц▐ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц│ц█
-              ц▄ц┘ц┤ц·ц┘ ц▐ц┌ц▓ц│ц┌ц│ц■ц≥ц≈ц│ц■ц≤ ц≈ц≥ц≈ц▐ц└ nmapБ─≥ц│. ц╥ц≥ ц█ц▐ц√ц┘ц■ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■
-              ц⌠ц▄ц∙ц·ц│ц┘ ц▌ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒. ц╥ц▌ц┴ц█ц│ц■ц┘ц▄ц≤ц▌ц▐ ц⌠ц▄ц┘ц└ц┴ц■ц┘  ц ц│  ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц▒ц█ц┴  ц▐ц┌
-              ц▐ц⌡ц┴ц┌ц▀ц│ц┬, ц░ц▐ц■ц▐ц█ц∙ ц▀ц│ц▀ ц▐ц▌ц┴ ц≈ц≥ц≈ц▐ц└ц▒ц■ц⌠ц▒ ц▌ц│ stderr. Document Type Defi-
-              nition (DTD), ц▐ц┌ц÷ц▒ц⌠ц▌ц▒ц─ц²ц┴ц┼ ц⌠ц■ц▓ц∙ц▀ц■ц∙ц▓ц∙ ц≈ц≥ц≈ц▐ц└ц│  ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц▐ц≈  nmap  ц≈
-              ц├ц▐ц▓ц█ц│ц■ц┘      XML      ц└ц▐ц⌠ц■ц∙ц░ц┘ц▌      ц ц└ц┘ц⌠ц≤:      http://www.inse-
-              cure.org/nmap/nmap.dtd.
-
-       <B>--stylesheet</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              Nmap  ц▐ц┌ц▓ц│ц²ц│ц┘ц■ц⌠ц▒  ц▀  XSL  ц■ц│ц┌ц▄ц┴ц┐ц┘  ц⌠ц■ц┴ц▄ц┘ц┼,  ц▀ц▐ц■ц▐ц▓ц│ц▒   ц▌ц│ц ц≥ц≈ц│ц┘ц■ц⌠ц▒
-              nmap.xsl,  ц└ц▄ц▒  ц░ц▓ц▐ц⌠ц█ц▐ц■ц▓ц│  ц┴ц▄ц┴  ц■ц▓ц│ц▌ц⌠ц▄ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ XML ц≈ц≥ц≈ц▐ц└ц│ ц≈ HTML
-              ц├ц▐ц▓ц█ц│ц■.  ц╔ц⌠ц▄ц┴  ц≈ц≥  ц√ц┘ц▄ц│ц┘ц■ц┘  ц∙ц▀ц│ц ц│ц■ц≤  ц└ц▓ц∙ц┤ц∙ц─  ц■ц│ц┌ц▄ц┴ц┐ц∙  ц⌠ц■ц┴ц▄ц┘ц┼   -
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘  ц°ц■ц∙  ц▐ц░ц┐ц┴ц─. ц╥ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│ ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■ц⌠ц▒ ц░ц▐ц▄ц▌ц≥ц┼
-              ц░ц∙ц■ц≤   ц┴ц▄ц┴   url,   ц▌ц│ц░ц▓ц┴ц█ц┘ц▓   Б─≥--stylesheet    http://www.inse-
-              cure.org/nmap/data/nmap.xslБ─≥,   ц·ц■ц▐  ц∙ц▀ц│ц√ц┘ц■  ц┌ц▓ц│ц∙ц ц┘ц▓ц∙  ц ц│ц┤ц▓ц∙ц ц┴ц■ц≤
-              ц░ц▐ц⌠ц▄ц┘ц└ц▌ц─ц─ ц≈ц┘ц▓ц⌠ц┴ц─ ц■ц│ц┌ц▄ц┴ц┐ц≥  ц⌠ц■ц┴ц▄ц┘ц┼  ц⌠  ц⌠ц┘ц▓ц≈ц┘ц▓ц│  insecure.org.  ц╪ц■ц│
-              ц■ц│ц┌ц▄ц┴ц┐ц│  ц█ц▐ц√ц┘ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒  ц└ц▄ц▒ ц░ц▓ц▐ц⌠ц█ц▐ц■ц▓ц│ nmap XML-ц≈ц≥ц≈ц▐ц└ц│ ц▌ц│
-              ц█ц│ц⌡ц┴ц▌ц┘  ц┤ц└ц┘  nmap  ц▌ц┘  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌.   ц╟ц▐   ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─,   ц≈   ц┐ц┘ц▄ц▒ц┬
-              ц┌ц┘ц ц▐ц░ц│ц⌠ц▌ц▐ц⌠ц■ц┴, ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц▄ц▐ц▀ц│ц▄ц≤ц▌ц│ц▒ ц▀ц▐ц░ц┴ц▒ nmap.xsl.
-
-       <B>--no_stylesheet</B>
-              ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■  nmap  ц▌ц┘  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц▌ц┴ц▀ц│ц▀ц▐ц┼ XSL ц■ц│ц┌ц▄ц┴ц┐ц≥ ц⌠ц■ц┴ц▄ц┘ц┼ ц└ц▄ц▒
-              ц▐ц■ц▐ц┌ц▓ц│ц√ц┘ц▌ц┴ц▒ XML-ц≈ц≥ц≈ц▐ц└ц│.
-
-       <B>-oG</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              (output Grepable) - ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц┘ц■ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц≈ ц∙ц└ц▐ц┌ц▌ц▐ц┼
-              ц└ц▄ц▒ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц≥ grep ц├ц▐ц▓ц█ц┘ ц≈ ц├ц│ц┼ц▄, ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┼ ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│.
-              ц╥ц≥ ц█ц▐ц√ц┘ц■ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ Б─≥-Б─≥ (ц┌ц┘ц  ц▀ц│ц≈ц≥ц·ц┘ц▀) ц└ц▄ц▒ ц≈ц≥ц≈ц▐ц└ц│  ц▌ц│
-              stdout.   ц╝ц▐ц▓ц█ц│ц▄ц≤ц▌ц≥ц┼   ц≈ц≥ц≈ц▐ц└  ц≈  ц°ц■ц▐ц█  ц⌠ц▄ц∙ц·ц│ц┘  ц▌ц┘  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒.
-              ц╥ц▌ц┴ц█ц│ц■ц┘ц▄ц≤ц▌ц▐ ц⌠ц▄ц┘ц└ц┴ц■ц┘ ц ц│ ц⌠ц▐ц▐ц┌ц²ц┘ц▌ц┴ц▒ц█ц┴ ц▐ц┌ ц▐ц⌡ц┴ц┌ц▀ц│ц┬,  ц░ц▐ц■ц▐ц█ц∙  ц▀ц│ц▀  ц▐ц▌ц┴
-              ц≈ц≥ц≈ц▐ц└ц▒ц■ц⌠ц▒ ц▌ц│ stderr. ц╥ ц▌ц≥ц▌ц┘ц⌡ц▌ц┘ц┘ ц≈ц▓ц┘ц█ц▒ ц▓ц┘ц▀ц▐ц█ц┘ц▌ц└ц∙ц┘ц■ц⌠ц▒ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤
-              XML-ц≈ц≥ц≈ц▐ц└ (-oX).
-
-       <B>-oA</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>┌ц<B>ц</B>│ц<B>ц</B> ц<B>ц</B>≥<B>&gt;</B>
-              (output All) - ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц┘ц■ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц≈ц▐ ц≈ц⌠ц┘ц┬  ц▐ц⌠ц▌ц▐ц≈ц▌ц≥ц┬  ц├ц▐ц▓ц█ц│ц■ц│ц┬
-              (ц▌ц▐ц▓ц█ц│ц▄ц≤ц▌ц▐ц█,  grep  ц┴  XML). ц╥ц≥ ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■ц┘ ц┌ц│ц ц▐ц≈ц▐ц┘ ц┴ц█ц▒, ц▌ц│ц░ц▓ц┴ц█ц┘ц▓
-              base, ц┴ ц≈ц≥ц┬ц▐ц└ц▌ц≥ц┘ ц├ц│ц┼ц▄ц≥ ц┌ц∙ц└ц∙ц■ ц▌ц│ц ц≥ц≈ц│ц■ц≤ц⌠ц▒ base.nmap, base.gnmap  ц┴
-              base.xml.
-
-       <B>-oS</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              thIs l0gz th3 r3suLtS of YouR ScanZ iN a <B>s|&lt;ipT</B> <B>kiDd|3</B> f0rM iNto
-              THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3  the  4rgument  "-"
-              (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
-
-       <B>--resume</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              ц╔ц⌠ц▄ц┴  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц┌ц≥ц▄ц▐  ц░ц▓ц┘ц▓ц≈ц│ц▌ц▐ ц▌ц│ц√ц│ц■ц┴ц┘ц█ ц▀ц▐ц█ц┌ц┴ц▌ц│ц┐ц┴ц┴ [Ctrl+C],
-              ц⌠ц┘ц■ц┘ц≈ц≥ц█ ц⌠ц┌ц▐ц┘ц█ ц┴ ц■.ц░., ц■ц▐ ц▐ц▌ц▐ ц█ц▐ц√ц┘ц■  ц┌ц≥ц■ц≤  ц░ц▓ц▐ц└ц▐ц▄ц√ц┘ц▌ц▐  ц≈ц▀ц▄ц─ц·ц┘ц▌ц┴ц┘ц█
-              ц°ц■ц▐ц┼    ц▐ц░ц┐ц┴ц┴.    ц╔ц⌠ц▄ц┴   ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥   ц░ц▓ц┘ц▓ц≈ц│ц▌ц▌ц▐ц┤ц▐   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ц ц│ц░ц┴ц⌠ц≥ц≈ц│ц▄ц┴ц⌠ц≤ ц≈ ц▄ц▐ц┤-ц├ц│ц┼ц▄ ц⌠ ц░ц▐ц█ц▐ц²ц≤ц─ ц▐ц░ц┐ц┴ц┼ Б─≥-oGБ─≥ ц┴ц▄ц┴ Б─≥-oNБ─≥,  ц░ц▓ц▐ц⌠ц■ц▐
-              ц ц│ц░ц∙ц⌠ц■ц┴ц■ц┘  nmap  ц⌠  ц∙ц▀ц│ц ц│ц▌ц┴ц┘ц█  ц°ц■ц▐ц┼  ц▐ц░ц┐ц┴ц┴  ц┴ ц┴ц█ц┘ц▌ц┴ ц▄ц▐ц┤-ц├ц│ц┼ц▄ц│, ц≈
-              ц▀ц▐ц■ц▐ц▓ц≥ц┼ ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц▄ц│ц⌠ц≤ ц ц│ц░ц┴ц⌠ц≤ ц░ц▓ц┘ц└ц≥ц└ц∙ц²ц┘ц┤ц▐ ц⌠ц┘ц│ц▌ц⌠ц│.  ц╝ц┘  ц∙ц▀ц│ц ц≥ц≈ц│ц┼ц■ц┘
-              ц▌ц┴ц▀ц│ц▀ц┴ц┬  ц└ц▓ц∙ц┤ц┴ц┬  ц▐ц░ц┐ц┴ц┼, ц░ц▐ц⌠ц▀ц▐ц▄ц≤ц▀ц∙ ц░ц▓ц┴ ц≈ц▐ц ц▐ц┌ц▌ц▐ц≈ц▄ц┘ц▌ц┴ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ц┌ц∙ц└ц∙ц■ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц▐ц░ц┐ц┴ц┴, ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┘ ц≈ ц░ц▓ц┘ц└ц≥ц└ц∙ц²ц┘ц█ ц⌠ц┘ц│ц▌ц⌠ц┘.  Nmap
-              ц░ц▓ц▐ц└ц▐ц▄ц√ц┴ц■   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘   ц⌠  ц│ц└ц▓ц┘ц⌠ц│,  ц⌠ц▄ц┘ц└ц∙ц─ц²ц┘ц┤ц▐  ц ц│  ц░ц▐ц⌠ц▄ц┘ц└ц▌ц┴ц█
-              ц▐ц■ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц█.
-
-       <B>--exclude</B> <B>&lt;</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>1</B> <B>[,</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>2][,</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>3],..."&gt;</B>
-              ц╘ц⌠ц▀ц▄ц─ц·ц┴ц■ц≤  ц┴ц    ц⌠ц░ц┴ц⌠ц▀ц│   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц┐ц┘ц▄ц┴   (ц┬ц▐ц⌠ц■ц≥,   ц⌠ц┘ц■ц┘ц≈ц≥ц┘
-              ц└ц┴ц│ц░ц│ц ц▐ц▌ц≥), ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц▌ц┘ ц└ц▐ц▄ц√ц▌ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ц⌠ц▒.
-
-       <B>--excludefile</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              цЁц█ц≥ц⌠ц▄  ц°ц■ц▐ц┼  ц▐ц░ц┐ц┴ц┴  ц■ц│ц▀ц▐ц┼ ц√ц┘, ц▀ц│ц▀ ц┴ Б─≥--excludeБ─≥, ц■ц▐ц▄ц≤ц▀ц▐ ц┐ц┘ц▄ц┴ ц└ц▄ц▒
-              ц┴ц⌠ц▀ц▄ц─ц·ц┘ц▌ц┴ц▒ ц ц│ц└ц│ц─ц■ц⌠ц▒ ц├ц│ц┼ц▄ц▐ц█, ц▀ц│ц√ц└ц│ц▒ ц ц│ц░ц┴ц⌠ц≤ - ц≈ ц▐ц■ц└ц┘ц▄ц≤ц▌ц▐ц┼  ц⌠ц■ц▓ц▐ц▀ц┘.
-
-       <B>--allports</B>
-              ц╞ц░ц┐ц┴ц▒  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц≈ц█ц┘ц⌠ц■ц┘  ц⌠  ц▓ц┘ц√ц┴ц█ц▐ц█ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц▒ ц≈ц┘ц▓ц⌠ц┴ц┼ ц⌠ц▄ц∙ц√ц┌
-              (-sV)  ц┴  ц▓ц│ц ц▓ц┘ц⌡ц│ц┘ц■  ц▓ц│ц┌ц▐ц■ц│ц■ц≤  ц⌠ц▐  ц≈ц⌠ц┘ц█ц┴  ц▌ц│ц┼ц└ц┘ц▌ц▌ц≥ц█ц┴   ц▐ц■ц▀ц▓ц≥ц■ц≥ц█ц┴
-              ц░ц▐ц▓ц■ц│ц█ц┴, ц└ц│ц√ц┘ ц⌠ ц■ц┘ц█ц┴, ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц░ц▐ц█ц┘ц·ц┘ц▌ц≥ ц▀ц│ц▀ ц▐ц░ц│ц⌠ц▌ц≥ц┘ ц≈ ц├ц│ц┼ц▄ц┘ nmap-
-              service-probes.
-
-       <B>--append_output</B>
-              ц╓ц▐ц░ц┴ц⌠ц≥ц≈ц│ц■ц≤ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц≈  ц▄ц▐ц┤-ц├ц│ц┼ц▄,  ц│  ц▌ц┘  ц ц│ц■ц┴ц▓ц│ц■ц≤
-              ц░ц▓ц┘ц└ц≥ц└ц∙ц²ц∙ц─ ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц─ ц≈ ц▌бёц█.
-
-       <B>-iL</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>├ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>▄ц<B>ц</B>│<B>&gt;</B>
-              (input  List)  -  ц⌠ц·ц┴ц■ц≥ц≈ц│ц■ц≤  ц⌠ц░ц┴ц⌠ц▐ц▀  ц┬ц▐ц⌠ц■ц▐ц≈  ц└ц▄ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┴ц 
-              ц├ц│ц┼ц▄ц│, ц ц│ц└ц│ц▌ц▌ц▐ц┤ц▐ ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘  ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│.  ц╕ц│ц┼ц▄  ц└ц▐ц▄ц√ц┘ц▌  ц⌠ц▐ц└ц┘ц▓ц√ц│ц■ц≤
-              ц⌠ц░ц┴ц⌠ц▐ц▀   ц┴ц█ц┘ц▌  ц┬ц▐ц⌠ц■ц▐ц≈  ц┴ц▄ц┴  IP-ц│ц└ц▓ц┘ц⌠ц▐ц≈,  ц▓ц│ц ц└ц┘ц▄ц┘ц▌ц▌ц≥ц┬  ц░ц▓ц▐ц┌ц┘ц▄ц│ц█ц┴,
-              ц ц▌ц│ц▀ц│ц█ц┴ ц■ц│ц┌ц∙ц▄ц▒ц┐ц┴ц┴ ц┴ц▄ц┴ ц·ц■ц▐ ц┌ц≥  ц▀ц│ц√ц└ц│ц▒  ц ц│ц░ц┴ц⌠ц≤  ц┌ц≥ц▄ц│  ц≈  ц▐ц■ц└ц┘ц▄ц≤ц▌ц▐ц┼
-              ц⌠ц■ц▓ц▐ц▀ц┘. ц╬ц■ц▐ ц┌ц≥ nmap ц⌠ц·ц┴ц■ц│ц▄ ц⌠ц░ц┴ц⌠ц▐ц▀ ц┬ц▐ц⌠ц■ц▐ц≈ ц⌠ StdIn, ц∙ц▀ц│ц√ц┴ц■ц┘ ц≈ц█ц┘ц⌠ц■ц▐
-              ц┴ц█ц┘ц▌ц┴ ц├ц│ц┼ц▄ц│ ц⌠ц┴ц█ц≈ц▐ц▄ ц▓ц│ц ц└ц┘ц▄ц┘ "цЁц░ц▐ц⌠ц▐ц┌ц≥ ц ц│ц└ц│ц▌ц┴ц▒ ц┐ц┘ц▄ц┴".
-
-       <B>-iR</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>_</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>≈<B>&gt;</B>
-              ц╔ц⌠ц▄ц┴  ц∙ц▀ц│ц ц│ц■ц≤  ц°ц■ц∙  ц▐ц░ц┐ц┴ц─,  ц■ц▐  nmap  ц┌ц∙ц└ц┘ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤   ц┬ц▐ц⌠ц■ц≥
-              ц≈ц≥ц┌ц▓ц│ц▌ц▌ц≥ц┘  ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█  ц▐ц┌ц▓ц│ц ц▐ц█. ц╘ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘ 0 ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц ц│ц└ц│ц▌ц▌ц▐ц┼
-              ц┐ц┘ц▄ц┴ ц└ц▄ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц┴ nmap ц┌ц∙ц└ц┘ц■ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц▐ц▀ц│ ц≈ц≥  ц┘ц┤ц▐  ц▌ц┘
-              ц▐ц⌠ц■ц│ц▌ц▐ц≈ц┴ц■ц┘.     ц╪ц■ц│    ц▐ц░ц┐ц┴ц▒   ц█ц▐ц√ц┘ц■   ц┌ц≥ц■ц≤   ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц│   ц└ц▄ц▒
-              ц⌠ц■ц│ц■ц┴ц⌠ц■ц┴ц·ц┘ц⌠ц▀ц┴ц┬ ц┴ц⌠ц⌠ц▄ц┘ц└ц▐ц≈ц│ц▌ц┴ц┼ ц╘ц▌ц■ц┘ц▓ц▌ц┘ц■ц│.  ц╔ц⌠ц▄ц┴  ц≈ц│ц█  ц└ц┘ц┼ц⌠ц■ц≈ц┴ц■ц┘ц▄ц≤ц▌ц▐
-              ц⌠ц▀ц∙ц·ц▌ц▐  -  ц ц│ц░ц∙ц⌠ц▀ц│ц┼ц■ц┘  "nmap -sS -PS80 -iR 0 -p 80" ц·ц■ц▐ ц┌ц≥ ц▌ц│ц┼ц■ц┴
-              ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц≈ц┘ц┌-ц⌠ц┘ц▓ц≈ц┘ц▓ц│, ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц█ц▐ц┤ц∙ц■ ц≈ц│ц⌠ ц ц│ц┴ц▌ц■ц┘ц▓ц┘ц⌠ц▐ц≈ц│ц■ц≤.
-
-       <B>-p</B> <B>&lt;</B>ц<B>ц</B>└ц<B>ц</B>┴ц<B>ц</B>│ц<B>ц</B>░ц<B>ц</B>│ц<B>ц</B> ц<B>ц</B>▐ц<B>ц</B>▌<B>_</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>≈<B>&gt;</B>
-              ц╪ц■ц▐ц┼  ц▐ц░ц┐ц┴ц┘ц┼  ц≈ц≥  ц█ц▐ц√ц┘ц■ц┘  ц ц│ц└ц│ц■ц≤  ц░ц▐ц▓ц■ц≥,   ц▀ц▐ц■ц▐ц▓ц≥ц┘   ц≈ц≥   ц┬ц▐ц■ц┴ц■ц┘
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤.   ц╓ц▄ц▒  ц░ц▓ц┴ц█ц┘ц▓ц│,  ц┘ц⌠ц▄ц┴  ц ц│ц└ц│ц■ц≤  "-ц▓  23",  ц■ц▐  ц┌ц∙ц└ц┘ц■
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц■ц▐ц▄ц≤ц▀ц▐ 23 ц░ц▐ц▓ц■  ц▌ц│  ц┬ц▐ц⌠ц■ц┘.  "-ц▓  20-30,139,60000-"
-              ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц■  ц░ц▐ц▓ц■ц≥  ц▐ц■  20 ц└ц▐ 30, 139 ц░ц▐ц▓ц■, ц┴ ц≈ц⌠ц┘ ц░ц▐ц▓ц■ц≥, ц▌ц▐ц█ц┘ц▓ц│
-              ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц┌ц▐ц▄ц≤ц⌡ц┘ 60000. ц╟ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц■ц⌠ц▒  ц░ц▐ц▓ц■ц≥  ц▐ц■  1  ц└ц▐
-              1024,   ц┴   ц■ц┘,  ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц∙ц▀ц│ц ц│ц▌ц≥  ц≈  ц├ц│ц┼ц▄ц┘  nmap-services.  ц╓ц▄ц▒
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ц▐ц≈  IP  (-sO)  ц°ц■ц│  ц▐ц░ц┐ц┴ц▒  ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■  ц▀ц│ц▀ц▐ц┼
-              ц░ц▓ц▐ц■ц▐ц▀ц▐ц▄ ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ (0-255).
-
-              ц╚ц▐ц┤ц└ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц■ц⌠ц▒  ц▀ц│ц▀  TCP  ц■ц│ц▀  ц┴  UDP  ц░ц▐ц▓ц■ц≥,  ц█ц▐ц√ц▌ц▐ ц∙ц▀ц│ц ц│ц■ц≤
-              ц└ц┴ц│ц░ц│ц ц▐ц▌ ц└ц▄ц▒ ц▀ц│ц√ц└ц▐ц┤ц▐ ц■ц┴ц░ц│ ц░ц▐ц▓ц■ц▐ц≈  ц▐ц■ц└ц┘ц▄ц≤ц▌ц▐,  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц▒  ц░ц▓ц┘ц├ц┴ц▀ц⌠ц≥
-              "ц╢:"  ц┴  "U:" ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┘ц▌ц▌ц▐. ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц┘ц⌠ц▄ц┴ ц ц│ц└ц│ц■ц≤ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ "-ц▓
-              U:53,111,137,T:21-25,80,139,8080"  ц■ц▐  ц┌ц∙ц└ц∙ц■  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ц⌠ц▒  53,
-              111,  ц┴  137  UDP-ц░ц▐ц▓ц■ц≥, ц┴ ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┘ ц╢цЁц╡-ц░ц▐ц▓ц■ц≥. ц╨ц│ц█ц┘ц■ц≤ц■ц┘, ц·ц■ц▐ ц┌ц≥
-              ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ UDP ц┴ ц╢цЁц╡ ц░ц▐ц▓ц■ц≥, ц▌ц∙ц√ц▌ц▐ ц∙ц▀ц│ц ц│ц■ц≤ -sU ц┴ ц┬ц▐ц■ц▒ ц┌ц≥ ц▐ц└ц┴ц▌
-              ц┴ц  ц█ц┘ц■ц▐ц└ц▐ц≈ ц╢цЁц╡-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ (-sS, -sF, -sT).
-
-       <B>-F</B>     ц╒ц≥ц⌠ц■ц▓ц▐ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘.  ц╔ц⌠ц▄ц┴  ц∙ц▀ц│ц ц│ц■ц≤  ц°ц■ц∙  ц▐ц░ц┐ц┴ц─, ц■ц▐ nmap ц┌ц∙ц└ц┘ц■
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц▐ц▓ц■ц≥ ц■ц▐ц▄ц≤ц▀ц▐ ц■ц┘ц┬ ц⌠ц▄ц∙ц√ц┌, ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц░ц┘ц▓ц┘ц·ц┴ц⌠ц▄ц┘ц▌ц≥ ц≈  ц├ц│ц┼ц▄ц┘
-              nmap-services   (ц┴ц▄ц┴  nmap-protocols  ц└ц▄ц▒  Б─≥-sOБ─≥).  цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘
-              ц░ц▓ц▐ц┬ц▐ц└ц┴ц■ ц┤ц▐ц▓ц│ц ц└ц▐ ц┌ц≥ц⌠ц■ц▓ц┘ц┘, ц·ц┘ц█ ц┘ц⌠ц▄ц┴ ц┌ц≥ nmap ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▄ ц≈ц⌠ц┘  65535
-              ц░ц▐ц▓ц■ц▐ц≈ ц┬ц▐ц⌠ц■ц│.
-
-       <B>-D</B> <B>&lt;</B>ц<B>ц</B>▄ц<B>ц</B>▐ц<B>ц</B>√ц<B>ц</B>▌ц<B>ц</B>≥ц<B>ц</B>┼<B>_</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>1,[</B>ц<B>ц</B>▄ц<B>ц</B>▐ц<B>ц</B>√ц<B>ц</B>▌ц<B>ц</B>≥ц<B>ц</B>┼<B>_</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■<B>2],[,ME],...&gt;</B>
-              ц╪ц■ц│   ц▐ц░ц┐ц┴ц▒   ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒   ц└ц▄ц▒  ц⌠ц▐ц▀ц▓ц≥ц■ц┴ц▒  ц▓ц┘ц│ц▄ц≤ц▌ц▐ц┤ц▐  ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀ц│
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒, ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц▒ ц▄ц▐ц√ц▌ц≥ц┘ ц┬ц▐ц⌠ц■ц≥. ц╥ц█ц┘ц⌠ц■ц┘ ц⌠  ц▌ц│ц⌡ц┴ц█ц┴  ц░ц│ц▀ц┘ц■ц│ц█ц┴
-              ц▌ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼ ц┬ц▐ц⌠ц■ ц▐ц■ц⌠ц≥ц▄ц│ц─ц■ц⌠ц▒ ц■ц│ц▀ц┴ц┘ ц√ц┘ ц░ц│ц▀ц┘ц■ц≥, ц▌ц▐ ц⌠ ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц≥ц█ц┴
-              ц│ц└ц▓ц┘ц⌠ц│ц█ц┴ ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀ц│.  ц╨ц│ц²ц┴ц■ц▌ц│ц▒  ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц│  ц▌ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц█  ц┬ц▐ц⌠ц■ц┘
-              ц█ц▐ц√ц┘ц■  ц▐ц■ц▐ц┌ц▓ц│ц ц┴ц■ц≤ 5-10 ц░ц▐ц░ц≥ц■ц▐ц▀ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц⌠ ц▓ц│ц ц▌ц≥ц┬ ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀ц▐ц≈,
-              ц▌ц▐  ц∙ц ц▌ц│ц■ц≤  ц⌠  ц▀ц│ц▀ц▐ц┤ц▐   ц┴ц█ц┘ц▌ц▌ц▐   ц┬ц▐ц⌠ц■ц│   ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц⌠ц▒   ц┴ц⌠ц■ц┴ц▌ц▌ц▐ц┘
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц⌠ц▄ц▐ц√ц▌ц▐, ц▐ц⌠ц▐ц┌ц┘ц▌ц▌ц▐ ц┘ц⌠ц▄ц┴ ц∙ц▀ц│ц ц│ц■ц≤ ц█ц▌ц▐ц┤ц▐ ц▄ц▐ц√ц▌ц≥ц┬ ц┬ц▐ц⌠ц■ц▐ц≈.
-
-              ц╣ц▀ц│ц ц≥ц≈ц│ц┼ц■ц┘ ц▄ц▐ц√ц▌ц≥ц┘ ц┬ц▐ц⌠ц■ц≥ ц·ц┘ц▓ц┘ц  ц ц│ц░ц▒ц■ц∙ц─, ц┴  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘  "ц╜ц╔"  ц└ц▄ц▒
-              ц▐ц┌ц▐ц ц▌ц│ц·ц┘ц▌ц┴ц▒  ц⌠ц≈ц▐ц┘ц┤ц▐ ц┬ц▐ц⌠ц■ц│ ц≈ ц°ц■ц▐ц┼ ц┐ц┘ц░ц▐ц·ц▀ц┘. ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц┘ц⌠ц▄ц┴ ц∙ц▀ц│ц ц│ц■ц≤
-              "ц╜ц╔" ц▌ц│ 5 ц░ц▐ц ц┴ц┐ц┴ц┴, ц■ц▐ ц┴ц⌠ц■ц┴ц▌ц▌ц≥ц┘  ц░ц│ц▀ц┘ц■ц≥  ц┌ц∙ц└ц∙ц■  ц▐ц■ц░ц▓ц│ц≈ц▄ц┘ц▌ц≥  ц░ц▐ц⌠ц▄ц┘
-              ц░ц▓ц┘ц└ц≥ц└ц∙ц²ц┴ц┬  ц·ц┘ц■ц≥ц▓ц┘ц┬  ц▄ц▐ц√ц▌ц≥ц┬.  ц╔ц⌠ц▄ц┴ ц▌ц┘ ц∙ц▀ц│ц ц│ц■ц≤ "ME", nmap ц≈ц≥ц┌ц┘ц▓ц┘ц■
-              ц░ц▐ц ц┴ц┐ц┴ц─ ц└ц▄ц▒ ц≈ц│ц⌡ц┘ц┤ц▐ ц┬ц▐ц⌠ц■ц│ ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ ц▐ц┌ц▓ц│ц ц▐ц█.
-
-              ц╣ц·ц■ц┴ц■ц┘, ц·ц■ц▐ ц┬ц▐ц⌠ц■ц≥, ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц≈ц≥ ц∙ц▀ц│ц√ц┘ц■ц┘ ц▀ц│ц▀ ц▄ц▐ц√ц▌ц≥ц┘, ц└ц▐ц▄ц√ц▌ц≥ ц┌ц≥ц■ц≤  ц≈
-              ц│ц▀ц■ц┴ц≈ц▌ц▐ц█   ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴,   ц┴ц▌ц│ц·ц┘   ц≈ц≥   ц█ц▐ц√ц┘ц■ц┘   ц⌠ц▄ц∙ц·ц│ц┼ц▌ц▐  ц ц│ц■ц▐ц░ц┴ц■ц≤
-              ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц∙ц─ ц┐ц┘ц▄ц≤ SYN-ц░ц│ц▀ц┘ц■ц│ц█ц┴, ц┴ц▄ц┴ ц┌ц∙ц└ц┘ц■ ц▐ц·ц┘ц▌ц≤ ц▄ц┘ц┤ц▀ц▐  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤
-              ц┴ц⌠ц■ц▐ц·ц▌ц┴ц▀   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘,   ц┘ц⌠ц▄ц┴   ц■ц▐ц▄ц≤ц▀ц▐  ц≈ц│ц⌡ц│  ц█ц│ц⌡ц┴ц▌ц│  ц▐ц▀ц│ц√ц┘ц■ц⌠ц▒
-              ц│ц▀ц■ц┴ц≈ц▌ц▐ц┼. ц╢ц│ц▀ц√ц┘ ц░ц▓ц┘ц└ц░ц▐ц·ц■ц┴ц■ц┘ц▄ц≤ц▌ц▐  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ip-ц│ц└ц▓ц┘ц⌠ц│  ц≈ц█ц┘ц⌠ц■ц▐
-              dns-ц┴ц█бёц▌,  ц┴ц▌ц│ц·ц┘  ц▌ц│  ц⌠ц┘ц▓ц≈ц┘ц▓ц┘  ц┴ц█бёц▌  ц▄ц▐ц√ц▌ц≥ц┬  ц┬ц▐ц⌠ц■ц▐ц≈  ц≈ ц▄ц▐ц┤-ц├ц│ц┼ц▄ц┘
-              ц⌠ц▐ц┬ц▓ц│ц▌ц▒ц■ц⌠ц▒ ц ц│ц░ц┴ц⌠ц┴ ц▐ ц≈ц│ц⌡ц┴ц┬ ц▐ц┌ц▓ц│ц²ц┘ц▌ц┴ц▒ц┬ ц▀ ц▌ц┴ц█.
-
-              цЁц■ц▐ц┴ц■ ц ц│ц█ц┘ц■ц┴ц■ц≤,  ц·ц■ц▐  ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц└ц┘ц■ц┘ц▀ц■ц▐ц▓ц≥  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц░ц▐ц▓ц■ц▐ц≈
-              ц┌ц▄ц▐ц▀ц┴ц▓ц∙ц─ц■  ц└ц▐ц⌠ц■ц∙ц░  ц┬ц▐ц⌠ц■ц∙,  ц▐ц⌠ц∙ц²ц┘ц⌠ц■ц≈ц┴ц≈ц⌡ц┘ц█ц∙  ц░ц▐ц░ц≥ц■ц▀ц∙ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.
-              ц╟ц▐ц°ц■ц▐ц█ц∙ ц▄ц▐ц√ц▌ц≥ц┼ ц┬ц▐ц⌠ц■ ц█ц▐ц√ц┘ц■  ц░ц▐ц■ц┘ц▓ц▒ц■ц≤  ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц┘  ц⌠ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц█
-              ц┬ц▐ц⌠ц■ц▐ц█. ц╪ц■ц│ ц⌠ц┴ц■ц∙ц│ц┐ц┴ц▒ ц█ц▐ц√ц┘ц■ ц≈ц▐ц ц▌ц┴ц▀ц▌ц∙ц■ц≤ ц└ц│ц√ц┘ ц≈ ц■ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘, ц┘ц⌠ц▄ц┴ ц≈ц≥
-              ц∙ц▀ц│ц ц│ц▄ц┴ ц≈ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘ ц▄ц▐ц√ц▌ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│ ц│ц└ц▓ц┘ц⌠ ц⌡ц▄ц─ц ц│ ц┴ц▄ц┴  ц⌠ц┘ц▓ц≈ц┘ц▓ц│  ц┴ц█бёц▌.
-              ц╟ц▐ц°ц■ц▐ц█ц∙ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘ ц°ц■ц∙ ц▐ц░ц┐ц┴ц─ ц▐ц·ц┘ц▌ц≤ ц▐ц⌠ц■ц▐ц▓ц▐ц√ц▌ц▐.
-
-              ц╛ц▐ц√ц▌ц≥ц┘  ц┬ц▐ц⌠ц■ц≥  ц█ц▐ц√ц▌ц▐  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц≈ ц▄ц─ц┌ц▐ц█ ц█ц┘ц■ц▐ц└ц┘ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц│
-              ц■ц│ц▀ц√ц┘ ц░ц▓ц┴  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┴  ц▐ц░ц┘ц▓ц│ц┐ц┴ц▐ц▌ц▌ц▐ц┼  ц⌠ц┴ц⌠ц■ц┘ц█ц≥  ц∙ц└ц│ц▄бёц▌ц▌ц▐ц┤ц▐  ц┬ц▐ц⌠ц■ц│
-              (-O).
-
-              ц╔ц⌠ц▄ц┴  ц≈ц≥  ц∙ц▀ц│ц√ц┘ц■ц┘  ц█ц▌ц▐ц┤ц▐  ц▄ц▐ц√ц▌ц≥ц┬  ц┬ц▐ц⌠ц■ц▐ц≈,  ц░ц▓ц▐ц┐ц┘ц⌠ц⌠  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ц ц│ц█ц┘ц└ц▄ц┴ц■ц⌠ц▒  ц┴  ц⌠ц■ц│ц▌ц┘ц■  ц█ц┘ц▌ц┘ц┘  ц│ц▀ц▀ц∙ц▓ц│ц■ц▌ц≥ц█.  ц╝ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц░ц▓ц▐ц≈ц│ц┼ц└ц┘ц▓ц≥
-              ц├ц┴ц▄ц≤ц■ц▓ц∙ц─ц■  ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц≥ц┘  ц┴ц⌠ц┬ц▐ц└ц▒ц²ц┴ц┘  ц░ц│ц▀ц┘ц■ц≥,  ц■ц│ц▀  ц·ц■ц▐  ц└ц│ц▌ц▌ц≥ц┼  ц≈ц┴ц└
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц█ц▐ц√ц┘ц■ ц≈ц▐ц▐ц┌ц²ц┘ ц▌ц┘ ц└ц▐ц⌠ц■ц┴ц·ц≤ ц√ц┘ц▄ц│ц┘ц█ц▐ц┤ц▐ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц│.
-
-       <B>-S</B> <B>&lt;ip-</B>ц<B>ц</B>│ц<B>ц</B>└ц<B>ц</B>▓ц<B>ц</B>┘ц<B>ц</B>⌠<B>&gt;</B>
-              ц╟ц▓ц┴ ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц▐ц┌ц⌠ц■ц▐ц▒ц■ц┘ц▄ц≤ц⌠ц■ц≈ц│ц┬  nmap  ц▌ц┘  ц⌠ц█ц▐ц√ц┘ц■  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц≈ц│ц⌡
-              ip-ц│ц└ц▓ц┘ц⌠  (nmap  ц⌠ц▐ц▐ц┌ц²ц┴ц■  ц≈ц│ц█  ц▐ц┌  ц°ц■ц▐ц█).  ц╥ ц■ц│ц▀ц┴ц┬ ц⌠ц▄ц∙ц·ц│ц▒ц┬ ц█ц▐ц√ц▌ц▐
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц°ц■ц∙ ц▐ц░ц┐ц┴ц─ ц└ц▄ц▒ ц▒ц≈ц▌ц▐ц┤ц▐ ц∙ц▀ц│ц ц│ц▌ц┴ц▒ ц≈ц│ц⌡ц┘ц┤ц▐ ip-ц│ц└ц▓ц┘ц⌠ц│.
-
-              ц╓ц▓ц∙ц┤ц▐ц┼ ц≈ц│ц▓ц┴ц│ц▌ц■ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц▒ ц°ц■ц▐ц┼ ц▐ц░ц┐ц┴ц┴  -  ц▐ц■ц░ц▓ц│ц≈ц▀ц│  ц░ц│ц▀ц┘ц■ц▐ц≈  ц⌠
-              ц░ц▐ц└ц└ц┘ц▄ц≤ц▌ц≥ц█  ip-ц│ц└ц▓ц┘ц⌠ц▐ц█.  ц╪ц■ц▐  ц█ц▐ц√ц┘ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц└ц▄ц▒ ц⌠ц▐ц ц└ц│ц▌ц┴ц▒
-              ц≈ц┴ц└ц┴ц█ц▐ц⌠ц■ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┐ц┘ц▄ц┘ц≈ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│ ц▀ц┘ц█-ц■ц▐  ц└ц▓ц∙ц┤ц┴ц█,  ц▐ц└ц▌ц│ц▀ц▐  ц≈
-              ц■ц│ц▀ц▐ц█   ц⌠ц▄ц∙ц·ц│ц┘   ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц█ц▐ц√ц▌ц▐  ц░ц▐ц▄ц∙ц·ц┴ц■ц≤  ц▄ц┴ц⌡ц≤
-              ц░ц▓ц▐ц⌠ц▄ц∙ц⌡ц┴ц≈ц│ц▒ ц■ц▓ц│ц├ц┴ц▀, ц░ц▓ц▐ц┬ц▐ц└ц▒ц²ц┴ц┼ ц█ц┘ц√ц└ц∙ ц┐ц┘ц▄ц┘ц≈ц≥ц█  ц┬ц▐ц⌠ц■ц▐ц█  ц┴  ц┬ц▐ц⌠ц■ц▐ц█,
-              ц░ц│ц▀ц┘ц■ц≥  ц▀ц▐ц■ц▐ц▓ц▐ц┤ц▐  ц≈ц≥  ц░ц▐ц└ц└ц┘ц▄ц≥ц≈ц│ц┘ц■ц┘.  ц╬ц■ц▐  ц┌ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц└ц│ц▌ц▌ц≥ц┼
-              ц█ц┘ц■ц▐ц└, ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ ц■ц│ц▀ ц√ц┘ ц≈ц▀ц▄ц─ц·ц┴ц■ц≤ ц▐ц░ц┐ц┴ц─ Б─≥-eБ─≥.
-
-       <B>-e</B> <B>&lt;</B>ц<B>ц</B>┴ц<B>ц</B>▌ц<B>ц</B>■ц<B>ц</B>┘ц<B>ц</B>▓ц<B>ц</B>├ц<B>ц</B>┘ц<B>ц</B>┼ц<B>ц</B>⌠<B>&gt;</B>
-              ц╔ц⌠ц▄ц┴ nmap ц▌ц┘ ц█ц▐ц√ц┘ц■ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤ ц▀ц│ц▀ц▐ц┼ ц┴ц▌ц■ц┘ц▓ц├ц┘ц┼ц⌠  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц└ц▄ц▒
-              ц░ц▓ц┴бёц█ц│  ц┴  ц▐ц■ц░ц▓ц│ц≈ц▀ц┴  ц░ц│ц▀ц┘ц■ц▐ц≈,  ц■ц▐  ц°ц■ц▐ц┼ ц▐ц░ц┐ц┴ц┘ц┼ ц█ц▐ц√ц▌ц▐ ц∙ц▀ц│ц ц│ц■ц≤ ц┘ц┤ц▐
-              ц▒ц≈ц▌ц▐.
-
-       <B>--source_port</B> <B>&lt;</B>ц<B>ц</B>▌ц<B>ц</B>▐ц<B>ц</B>█ц<B>ц</B>┘ц<B>ц</B>▓<B>_</B>ц<B>ц</B>░ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>■ц<B>ц</B>│<B>&gt;</B>
-              ц╘ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц░ц▐ц▓ц■  ц▐ц■ц░ц▓ц│ц≈ц▀ц┴  ц⌠  ц▐ц░ц▓ц┘ц└ц┘ц▄бёц▌ц▌ц≥ц█   ц▌ц▐ц█ц┘ц▓ц▐ц█.   ц╜ц▌ц▐ц┤ц▐
-              ц▌ц┘ц░ц▓ц▐ц├ц┘ц⌠ц⌠ц┴ц▐ц▌ц│ц▄ц≤ц▌ц≥ц┬   ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц≈  ц┴  ц░ц│ц▀ц┘ц■ц▌ц≥ц┬  ц├ц┴ц▄ц≤ц■ц▓ц▐ц≈  ц░ц▐ц ц≈ц▐ц▄ц▒ц─ц■
-              ц░ц│ц▀ц┘ц■ц│ц█, ц▐ц■ц░ц▓ц│ц≈ц▄ц┘ц▌ц▌ц≥ц█ ц⌠ ц■ц│ц▀ц┴ц┬ ц░ц▐ц▓ц■ц▐ц≈ ц▀ц│ц▀ ц▌ц│ц░ц▓ц┴ц█ц┘ц▓ 53  (DNS)  ц┴ц▄ц┴
-              20   (FTP-DATA),   ц⌠ц≈ц▐ц┌ц▐ц└ц▌ц▐   ц┴ц▌ц┴ц┐ц┴ц│ц▄ц┴ц ц┴ц▓ц▐ц≈ц│ц■ц≤   ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒   ц▌ц│
-              ц ц│ц²ц┴ц²ц│ц┘ц█ц▐ц█ ц┬ц▐ц⌠ц■ц┘. цЁц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┘ц▌ц▌ц▐, ц┴ц ц█ц┘ц▌ц┴ц≈ ц▌ц│ц⌡ ц░ц▐ц▓ц■  ц▐ц■ц░ц▓ц│ц≈ц▀ц┴  ц▌ц│
-              ц▓ц│ц ц▓ц┘ц⌡ц┘ц▌ц▌ц≥ц┼  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█  ц░ц▐ц▓ц■ ц█ц≥ ц█ц▐ц√ц┘ц█ ц∙ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц■ц≤ ц⌠ц▐ц┘ц└ц┴ц▌ц┘ц▌ц┴ц▒ ц⌠
-              ц ц│ц²ц┴ц²бёц▌ц▌ц▐ц┼  ц°ц■ц┴ц█  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█  ц█ц│ц⌡ц┴ц▌ц▐ц┼.   ц╓ц▄ц▒   UDP   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒
-              ц░ц▐ц░ц▓ц▐ц┌ц∙ц┼ц■ц┘  ц⌠ц▌ц│ц·ц│ц▄ц│  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц┴ц■ц≤  53 ц░ц▐ц▓ц■, ц│ ц└ц▄ц▒ TCP - 20. ц╞ц└ц▌ц│ц▀ц▐
-              ц°ц■ц│  ц■ц┘ц┬ц▌ц┴ц▀ц│  ц▌ц┘  ц≈ц⌠ц┘ц┤ц└ц│  ц▓ц│ц┌ц▐ц■ц│ц┘ц■,  ц≈ц≥  ц▌ц┘  ц⌠ц█ц▐ц√ц┘ц■ц┘  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤
-              ц┬ц│ц▓ц│ц▀ц■ц┘ц▓ ц┴ц ц█ц┘ц▌ц┘ц▌ц┴ц▒ ISN, ц≈ ц⌠ц≈ц▒ц ц┴ ц⌠ ц·ц┘ц█ nmap ц⌠ц│ц█ц▐ц⌠ц■ц▐ц▒ц■ц┘ц▄ц≤ц▌ц▐ ц⌠ц█ц┘ц▌ц┴ц■
-              ц▌ц▐ц█ц┘ц▓ ц░ц▐ц▓ц■ц│ ц└ц▄ц▒ ц°ц■ц▐ц┼ ц┐ц┘ц▄ц┴, ц└ц│ц√ц┘ ц┘ц⌠ц▄ц┴ ц≈ц≥ ц∙ц▀ц│ц ц│ц▄ц┴ ц°ц■ц∙ ц▐ц░ц┐ц┴ц─.
-
-       <B>--data_length</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>_</B>ц<B>ц</B>┌ц<B>ц</B>│ц<B>ц</B>┼ц<B>ц</B>■<B>&gt;</B>
-              ц╞ц┌ц≥ц·ц▌ц▐ nmap ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц≥ц┘ ц░ц▐  ц▓ц│ц ц█ц┘ц▓ц∙  ц░ц│ц▀ц┘ц■ц≥,  ц▀ц▐ц■ц▐ц▓ц≥ц┘
-              ц⌠ц▐ц└ц┘ц▓ц√ц│ц■ ц■ц▐ц▄ц≤ц▀ц▐ ц ц│ц┤ц▐ц▄ц▐ц≈ц▐ц▀. TCP ц░ц│ц▀ц┘ц■ц≥ ц▐ц┌ц≥ц·ц▌ц▐ ц▓ц│ц ц█ц┘ц▓ц▐ц█ ц≈ 40 ц┌ц│ц┼ц■,
-              ц│ ICMP ц°ц┬ц▐ ц ц│ц░ц▓ц▐ц⌠ - ц≈ц⌠ц┘ц┤ц▐ 28. ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц∙ц▀ц│ц ц≥ц≈ц│ц┘ц■ nmap ц└ц▐ц░ц▐ц▄ц▌ц▒ц■ц≤
-              ц▐ц■ц⌠ц≥ц▄ц│ц┘ц█ц≥ц┘    ц░ц│ц▀ц┘ц■ц≥   ц ц│ц└ц│ц▌ц▌ц≥ц█   ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐ц█   ц┌ц│ц┼ц■   ц⌠ц▄ц∙ц·ц│ц┼ц▌ц▐ц┼
-              ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц┴.  ц╟ц│ц▀ц┘ц■ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц≥ц┘ ц░ц▓ц┴ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┴ ц╞цЁ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐
-              ц┬ц▐ц⌠ц■ц│ ц▌ц┘ ц┴ц ц█ц┘ц▌ц▒ц─ц■ц⌠ц▒.
-
-       <B>-n</B>     ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■  nmap  ц▌ц┴ц▀ц▐ц┤ц└ц│  ц▌ц┘  ц░ц▓ц┘ц▐ц┌ц▓ц│ц ц▐ц≈ц≥ц≈ц│ц■ц≤ ip-ц│ц└ц▓ц┘ц⌠ц│ ц│ц▀ц■ц┴ц≈ц▌ц≥ц┬
-              ц┬ц▐ц⌠ц■ц▐ц≈  ц≈  DNS-ц│ц└ц▓ц┘ц⌠a.  ц╣ц≈ц┘ц▄ц┴ц·ц┴ц≈ц│ц┘ц■  ц⌠ц▀ц▐ц▓ц▐ц⌠ц■ц≤   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц┴
-              ц░ц▓ц┘ц└ц▐ц■ц≈ц▓ц│ц²ц│ц┘ц■  ц░ц▐ц▒ц≈ц▄ц┘ц▌ц┴ц┘ ц ц│ц░ц┴ц⌠ц┘ц┼ ц▐ dns-ц ц│ц░ц▓ц▐ц⌠ц│ц┬ nmap ц≈ ц▄ц▐ц┤-ц├ц│ц┼ц▄ц┘
-              ц▌ц│ ц⌠ц┘ц▓ц≈ц┘ц▓ц┘ ц┴ц█ц┘ц▌.
-
-       <B>-R</B>     ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■  nmap  ц≈ц⌠ц┘ц┤ц└ц│  ц░ц▓ц┘ц▐ц┌ц▓ц│ц ц▐ц≈ц≥ц≈ц│ц■ц≤  ip-ц│ц└ц▓ц┘ц⌠ц│   ц┬ц▐ц⌠ц■ц▐ц≈   ц≈
-              DNS-ц│ц└ц▓ц┘ц⌠a. ц╞ц┌ц≥ц·ц▌ц▐ ц°ц■ц▐ ц░ц▓ц▐ц┴ц⌠ц┬ц▐ц└ц┴ц■ ц■ц▐ц▄ц≤ц▀ц▐ ц┘ц⌠ц▄ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┘ ц█ц│ц⌡ц┴ц▌ц≥
-              ц▌ц│ц┬ц▐ц└ц▒ц■ц⌠ц▒ ц≈ ц│ц▀ц■ц┴ц≈ц▌ц▐ц█ ц⌠ц▐ц⌠ц■ц▐ц▒ц▌ц┴ц┴.
-
-       <B>-r</B>     ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■ nmap ц▌ц┘ ц┴ц ц█ц┘ц▌ц▒ц■ц≤ ц░ц▐ц▓ц▒ц└ц▐ц▀  ц▌ц▐ц█ц┘ц▓ц▐ц≈  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┬  ц░ц▐ц▓ц■ц▐ц≈
-              ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ ц▐ц┌ц▓ц│ц ц▐ц█.
-
-       <B>--ttl</B> <B>&lt;</B>ц<B>ц</B> ц<B>ц</B>▌ц<B>ц</B>│ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>▌ц<B>ц</B>┴ц<B>ц</B>┘<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц■ц≤  ц≈  ц░ц▐ц▄ц┘  TTL  ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц┘ц█ц≥ц┬  ц░ц│ц▀ц┘ц■ц▐ц≈ IPv4 ц ц│ц└ц│ц▌ц▌ц▐ц┘
-              ц ц▌ц│ц·ц┘ц▌ц┴ц┘.
-
-       <B>--privileged</B>
-              ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■ nmap, ц·ц■ц▐ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц≤  ц┴ц█ц┘ц┘ц■  ц└ц▐ц⌠ц■ц│ц■ц▐ц·ц▌ц≥ц┘  ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц┴
-              ц└ц▄ц▒  ц■ц│ц▀ц┴ц┬ ц▐ц░ц┘ц▓ц│ц┐ц┴ц┼ ц▀ц│ц▀ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘ raw-ц⌠ц▐ц▀ц┘ц■ц▐ц≈, ц░ц▓ц▐ц⌠ц▄ц∙ц⌡ц┴ц≈ц│ц▌ц┴ц┘
-              ц■ц▓ц│ц├ц┴ц▀ц│, ц┴ ц■.ц░. ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц≈  ц■ц│ц▀ц┴ц┬  ц⌠ц┴ц⌠ц■ц┘ц█ц│ц┬,  ц┤ц└ц┘
-              ц▌ц┘ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц█  ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒ц█  ц▒ц└ц▓ц▐  ц▓ц│ц ц▓ц┘ц⌡ц│ц┘ц■ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤
-              ц├ц∙ц▌ц▀ц┐ц┴ц┴, ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц└ц▐ц⌠ц■ц∙ц░ц▌ц≥ ц■ц▐ц▄ц≤ц▀ц▐ ц░ц▓ц┴ц≈ц┴ц▄ц┘ц┤ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц█,  ц▌ц│ц░ц▓ц┴ц█ц┘ц▓  ц≈
-              ц⌠ц░ц┘ц┐ц┴ц│ц▄ц≤ц▌ц▐  ц⌠ц▀ц▐ц▌ц├ц┴ц┤ц∙ц▓ц┴ц▓ц▐ц≈ц│ц▌ц▌ц▐ц┼  ц╞цЁ  Linux.  Nmap  ц▌ц┘ ц█ц▐ц√ц┘ц■ ц°ц■ц▐ц┤ц▐
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤, ц■ц│ц▀ ц▀ц│ц▀ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ ц├ц∙ц▌ц▀ц┐ц┴ц─ getuid(), ц┴ ц≈ ц°ц■ц▐ц█ ц⌠ц▄ц∙ц·ц│ц┘
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц└ц│ц▌ц▌ц│ц▒  ц▐ц░ц┐ц┴ц▒,  ц▀ц▐ц■ц▐ц▓ц∙ц─ ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ ц∙ц▀ц│ц ц≥ц≈ц│ц■ц≤ ц░ц┘ц▓ц┘ц└
-              ц≈ц⌠ц┘ц█ц┴ ц▐ц⌠ц■ц│ц▄ц≤ц▌ц≥ц█ц┴ ц▐ц░ц┐ц┴ц▒ц█ц┴. ц╥ ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘  ц│ц▄ц≤ц■ц┘ц▓ц▌ц│ц■ц┴ц≈ц≥  --privileged
-              ц█ц▐ц√ц▌ц▐ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц░ц┘ц▓ц┘ц█ц┘ц▌ц▌ц∙ц─ NMAP_PRIVILEGED.
-
-       <B>--interactive</B>
-              ц╨ц│ц░ц∙ц⌠ц▀ц│ц┘ц■   nmap  ц≈  ц┴ц▌ц■ц┘ц▓ц│ц▀ц■ц┴ц≈ц▌ц▐ц█  ц▓ц┘ц√ц┴ц█ц┘.  ц╪ц■ц∙  ц▐ц░ц┐ц┴ц─  ц░ц▐ц▄ц┘ц ц▌ц▐
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц≈   ц█ц▌ц▐ц┤ц▐ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц≤ц⌠ц▀ц┴ц┬   ц⌠ц┴ц⌠ц■ц┘ц█ц│ц┬,   ц■ц│ц▀   ц▀ц│ц▀,
-              ц▌ц│ц░ц▓ц┴ц█ц┘ц▓,  ц≈ ц┴ц⌠ц■ц▐ц▓ц┴ц┴ ц▀ц▐ц█ц│ц▌ц└ц▌ц▐ц┼ ц⌠ц■ц▓ц▐ц▀ц┴ ц▌ц┘ ц▐ц⌠ц■ц│бёц■ц⌠ц▒ ц∙ц▀ц│ц ц│ц▌ц▌ц≥ц┬ ц≈ц│ц█ц┴
-              ц░ц│ц▓ц│ц█ц┘ц■ц▓ц▐ц≈.
-
-       <B>--randomize_hosts</B>
-              ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■ nmap ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┬ц▐ц⌠ц■ц≥ ц≈ ц⌠ц▄ц∙ц·ц│ц┼ц▌ц▐ц┼ ц░ц▐ц⌠ц▄ц┘ц└ц▐ц≈ц│ц■ц┘ц▄ц≤ц▌ц▐ц⌠ц■ц┴.
-              ц╘ц⌠ц░ц▐ц▄ц≤ц ц∙ц─ц■ц⌠ц▒   ц┤ц▓ц∙ц░ц░ц≥   ц└ц▐   2048   ц┬ц▐ц⌠ц■ц▐ц≈.   ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒  ц└ц┘ц▄ц│ц┘ц■
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц█ц┘ц▌ц┘ц┘  ц ц│ц█ц┘ц■ц▌ц≥ц█  ц└ц▄ц▒  ц▓ц│ц ц▄ц┴ц·ц▌ц≥ц┬  ц⌠ц┴ц⌠ц■ц┘ц█   ц⌠ц┘ц■ц┘ц≈ц▐ц┤ц▐
-              ц█ц▐ц▌ц┴ц■ц▐ц▓ц┴ц▌ц┤ц│, ц▐ц⌠ц▐ц┌ц┘ц▌ц▌ц▐ ц┘ц⌠ц▄ц┴ ц≈ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц┘ ц┘ц┘ ц⌠ц▐ц≈ц█ц┘ц⌠ц■ц▌ц▐ ц⌠ ц▐ц░ц┐ц┴ц▒ц█ц┴
-              ц▌ц│ц⌠ц■ц▓ц▐ц┼ц▀ц┴ ц≈ц▓ц┘ц█ц┘ц▌ц▌ц≥ц┬ ц░ц│ц▓ц│ц█ц┘ц■ц▓ц▐ц≈.
-
-       <B>-M</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>│ц<B>ц</B>▀ц<B>ц</B>⌠ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>│ц<B>ц</B>▄ц<B>ц</B>≤ц<B>ц</B>▌ц<B>ц</B>▐ц<B>ц</B>┘<B>_</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>_</B>ц<B>ц</B>⌠ц<B>ц</B>▐ц<B>ц</B>▀ц<B>ц</B>┘ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>≈<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■  ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘  ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐  ц⌠ц▐ц▀ц┘ц■ц▐ц≈,   ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц█ц≥ц┬
-              ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐ ц≈ ц█ц┘ц■ц▐ц└ц┘ TCP connect() ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒. ц╪ц■ц∙ ц▐ц░ц┐ц┴ц─ ц█ц▐ц√ц▌ц▐
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤   ц└ц▄ц▒   ц ц│ц█ц┘ц└ц▄ц┘ц▌ц┴ц▒    ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц│    ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒    ц┴
-              ц░ц▓ц┘ц└ц▐ц■ц≈ц▓ц│ц²ц┘ц▌ц┴ц▒ ц≈ц≥ц≈ц┘ц└ц┘ц▌ц┴ц▒ ц┴ц  ц⌠ц■ц▓ц▐ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│.
-
-       <B>--packet_trace</B>
-              ц╣ц▀ц│ц ц≥ц≈ц│ц┘ц■  nmap ц▐ц■ц▐ц┌ц▓ц│ц√ц│ц■ц≤ ц≈ц⌠ц┘ ц░ц▓ц┴ц▌ц┴ц█ц│ц┘ц█ц≥ц┘ ц┴ ц░ц┘ц▓ц┘ц└ц│ц≈ц│ц┘ц█ц≥ц┘ ц░ц│ц▀ц┘ц■ц≥
-              ц≈ ц├ц▐ц▓ц█ц│ц■ц┘ TCPDump. ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц█ц▐ц√ц┘ц■  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒  ц└ц▄ц▒  ц▐ц■ц▄ц│ц└ц▀ц┴
-              ц▓ц│ц┌ц▐ц■ц≥ nmap ц┴ ц⌠ц┘ц■ц┴, ц│ ц■ц│ц▀ц√ц┘ ц≈ ц▐ц┌ц∙ц·ц│ц─ц²ц┴ц┬ ц┐ц┘ц▄ц▒ц┬.
-
-       <B>--datadir</B> <B>[</B>ц<B>ц</B>┴ц<B>ц</B>█ц<B>ц</B>▒<B>_</B>ц<B>ц</B>└ц<B>ц</B>┴ц<B>ц</B>▓ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>▓ц<B>ц</B>┴ц<B>ц</B>┴<B>]</B>
-              ц╟ц▓ц┴ ц ц│ц░ц∙ц⌠ц▀ц┘ nmap ц⌠ц·ц┴ц■ц≥ц≈ц│ц┘ц■ ц└ц│ц▌ц▌ц≥ц┘ ц┴ц  ц├ц│ц┼ц▄ц▐ц≈ nmap-service-probes,
-              nmap-services,  nmap-protocols,  nmap-rpc,  nmap-mac-prefixes  ц┴
-              nmap-os-fingerprints.  цЁц▌ц│ц·ц│ц▄ц│  nmap ц┴ц²ц┘ц■ ц°ц■ц┴ ц├ц│ц┼ц▄ц≥ ц≈ ц└ц┴ц▓ц┘ц▀ц■ц▐ц▓ц┴ц┴
-              ц∙ц▀ц│ц ц│ц▌ц▌ц▐ц┼ ц≈ ц▐ц░ц┐ц┴ц┴ --nmapdir. ц╔ц⌠ц▄ц┴ ц├ц│ц┼ц▄ц≥ ц▌ц┘ ц▌ц│ц┼ц└ц┘ц▌ц≥ - ц░ц▓ц▐ц≈ц┘ц▓ц▒ц┘ц■ц⌠ц▒
-              ц░ц┘ц▓ц┘ц█ц┘ц▌ц▌ц│ц▒  ц▐ц▀ц▓ц∙ц√ц┘ц▌ц┴ц▒  NMAPDIR,  ц░ц▐ц⌠ц▄ц┘ ц·ц┘ц┤ц▐ ~/nmap, ц│ ц ц│ц■ц┘ц█ ц░ц∙ц■ц≤
-              ц▌ц│ц░ц▐ц└ц▐ц┌ц┴ц┴ /usr/local/share/nmap ц┴ц▄ц┴ /usr/share/nmap. ц╘  ц▌ц│ц▀ц▐ц▌ц┘ц┐,
-              nmap ц┴ц²ц┘ц■ ц°ц■ц┴ ц├ц│ц┼ц▄ц≥ ц≈ ц■ц┘ц▀ц∙ц²ц┘ц█ ц▀ц│ц■ц│ц▄ц▐ц┤ц┘. ц╪ц■ц▐ц┼ ц▐ц░ц┐ц┴ц┘ц┼ ц█ц▐ц√ц▌ц▐ ц ц│ц└ц│ц■ц≤
-              ц▒ц≈ц▌ц▐ц┘ ц┴ц█ц▒ ц└ц┴ц▓ц┘ц▀ц■ц▐ц▓ц┴ц┴ ц┤ц└ц┘ ц▓ц│ц⌠ц░ц▐ц▄ц▐ц√ц┘ц▌ц≥ ц°ц■ц┴ ц├ц│ц┼ц▄ц≥.
-
-       ц<B>ц</B>╝ц<B>ц</B>║ц<B>ц</B>Ёц<B>ц</B>╢ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╙ц<B>ц</B>╚ц<B>ц</B>║ ц<B>ц</B>╥ц<B>ц</B>╡ц<B>ц</B>╔ц<B>ц</B>╜ц<B>ц</B>╔ц<B>ц</B>╝ц<B>ц</B>╝ц<B>ц</B>╧ц<B>ц</B>╗ ц<B>ц</B>╟ц<B>ц</B>║ц<B>ц</B>╡ц<B>ц</B>║ц<B>ц</B>╜ц<B>ц</B>╔ц<B>ц</B>╢ц<B>ц</B>╡ц<B>ц</B>╞ц<B>ц</B>╥
-              ц╞ц┌ц≥ц·ц▌ц▐ nmap ц│ц≈ц■ц▐ц█ц│ц■ц┴ц·ц┘ц⌠ц▀ц┴ ц▌ц│ц⌠ц■ц▓ц│ц┴ц≈ц│ц┘ц■  ц≈ц▓ц┘ц█ц┘ц▌ц▌ц≥ц┘  ц░ц│ц▓ц│ц█ц┘ц■ц▓ц≥  ц░ц▓ц┴
-              ц ц│ц░ц∙ц⌠ц▀ц┘, ц≈ ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┴ц┴ ц⌠ ц┬ц│ц▓ц│ц▀ц■ц┘ц▓ц┴ц⌠ц■ц┴ц▀ц│ц█ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼ ц⌠ц┘ц■ц┴, ц·ц■ц▐
-              ц┌ц≥ ц░ц▓ц▐ц┴ц ц≈ц┘ц⌠ц■ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц▀ц│ц▀ ц█ц▐ц√ц▌ц▐ ц┌ц≥ц⌠ц■ц▓ц┘ц┘ ц┴ ц■ц▐ц·ц▌ц┘ц┘. ц╝ц▐ ц┴ц▌ц▐ц┤ц└ц│
-              ц┌ц≥ц≈ц│ц─ц■   ц⌠ц▄ц∙ц·ц│ц┴,   ц▀ц▐ц┤ц└ц│   ц⌠ц│ц█ц▐ц⌠ц■ц▐ц▒ц■ц┘ц▄ц≤ц▌ц│ц▒  ц▌ц│ц⌠ц■ц▓ц▐ц┼ц▀ц│  ц≈ц▓ц┘ц█ц┘ц▌ц▌ц≥ц┬
-              ц░ц│ц▓ц│ц█ц┘ц■ц▓ц▐ц≈ nmap ц≈ц│ц⌠ ц▌ц┘  ц∙ц⌠ц■ц▓ц│ц┴ц≈ц│ц┘ц■.  ц╥  ц°ц■ц▐ц█  ц⌠ц▄ц∙ц·ц│ц┘  ц≈ц≥  ц█ц▐ц√ц┘ц■ц┘
-              ц≈ц▐ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ц⌠ц▒ ц⌠ц▄ц┘ц└ц∙ц─ц²ц┴ц█ц┴ ц▐ц░ц┐ц┴ц▒ц█ц┴:
-
-       <B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B>
-              ц╥ц▐ц ц█ц▐ц√ц▌ц▐ц⌠ц■ц≤   ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц┴ц▒   ц▓ц┘ц√ц┴ц█ц▐ц≈   ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц⌠  ц┤ц▐ц■ц▐ц≈ц≥ц█ц┴
-              ц▌ц│ц┌ц▐ц▓ц│ц█ц┴ ц░ц▓ц│ц≈ц┴ц▄ ц░ц▐  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▀ц┘  ц≈ц▓ц┘ц█ц┘ц▌ц▌ц≥ц┬  ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄ц▐ц≈.   <B>Paranoid</B>
-              ц▓ц┘ц√ц┴ц█  -  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц░ц▓ц▐ц┴ц⌠ц┬ц▐ц└ц┴ц■ ц▐ц·ц┘ц▌ц≤ ц█ц┘ц└ц▄ц┘ц▌ц▌ц▐ ц└ц▄ц▒ ц■ц▐ц┤ц▐ ц·ц■ц▐ ц┌ц≥
-              ц⌠ц┴ц⌠ц■ц┘ц█ц≥   ц ц│ц²ц┴ц■ц≥   ц▌ц┘   ц▓ц│ц⌠ц░ц▐ц ц▌ц│ц▄ц┴   ц┘ц┤ц▐.   ц╟ц│ц▀ц┘ц■ц≥    ц░ц▐ц⌠ц≥ц▄ц│ц─ц■ц⌠ц▒
-              ц░ц▐ц⌠ц▄ц┘ц└ц▐ц≈ц│ц■ц┘ц▄ц≤ц▌ц▐,  ц⌠  ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄ц▐ц█ ц≈ 5 ц█ц┴ц▌ц∙ц■. ц╡ц┘ц√ц┴ц█ <B>Sneaky</B> ц░ц▐ц┬ц▐ц√ ц▌ц│
-              ц▓ц┘ц√ц┴ц█ Paranoid.  ц╡ц│ц ц▌ц┴ц┐ц│ ц▄ц┴ц⌡ц≤ ц≈ ц■ц▐ц█, ц·ц■ц▐ ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄ ц█ц┘ц√ц└ц∙ ц░ц▐ц⌠ц≥ц▄ц▀ц▐ц┼
-              ц░ц│ц▀ц┘ц■ц▐ц≈  ц⌠ц▐ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■  15  ц⌠ц┘ц▀ц∙ц▌ц└.  ц╡ц┘ц√ц┴ц█  <B>Polite</B>  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц≈
-              ц⌠ц▄ц∙ц·ц│ц┘,  ц▀ц▐ц┤ц└ц│  ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐  ц·ц■ц▐  ц┌ц≥  ц▌ц│ц┤ц▓ц∙ц ц▀ц│   ц▌ц│   ц⌠ц┘ц■ц≤   ц┌ц≥ц▄ц│
-              ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц▐ц┼. ц╥ ц°ц■ц▐ц█ ц▓ц┘ц√ц┴ц█ц┘ ц░ц│ц▀ц┘ц■ц≥ ц▐ц■ц░ц▓ц│ц≈ц▄ц▒ц─ц■ц⌠ц▒ ц░ц▐ц⌠ц▄ц┘ц└ц▐ц≈ц│ц■ц┘ц▄ц≤ц▌ц▐ ц⌠
-              ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄ц▐ц█ ц█ц┴ц▌ц┴ц█ц∙ц█ 0,4 ц⌠ц┘ц▀ц∙ц▌ц└ц≥.  ц╡ц┘ц√ц┴ц█ <B>Normal</B> ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  nmap
-              ц░ц▐   ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─.   ц╥  ц°ц■ц▐ц█  ц▓ц┘ц√ц┴ц█ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц░ц▓ц▐ц┴ц ц≈ц▐ц└ц┴ц■ц⌠ц▒  ц⌠
-              ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┼ ц⌠ц▀ц▐ц▓ц▐ц⌠ц■ц≤ц─, ц┴ ц░ц▐ ц≈ц▐ц ц█ц▐ц√ц▌ц▐ц⌠ц■ц┴ ц┌ц┘ц  ц░ц┘ц▓ц┘ц┤ц▓ц∙ц ц▀ц┴  ц⌠ц┘ц■ц┴  ц┴
-              ц░ц▐ц■ц┘ц▓ц┴  ц░ц│ц▀ц┘ц■ц▐ц≈.  ц╡ц┘ц√ц┴ц█  <B>Aggressive</B>  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц└ц▄ц▒  ц┌ц≥ц⌠ц■ц▓ц▐ц┤ц▐
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒   ц┬ц▐ц▓ц▐ц⌡ц▐   ц├ц┴ц▄ц≤ц■ц▓ц∙ц┘ц█ц≥ц┬   ц⌠ц┘ц■ц┘ц┼,    ц▐ц⌠ц▐ц┌ц┘ц▌ц▌ц▐    ц┘ц⌠ц▄ц┴
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒   SYN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘.   ц╡ц┘ц√ц┴ц█   <B>Insane</B>  ц▓ц┘ц▀ц▐ц█ц┘ц▌ц└ц∙ц┘ц■ц⌠ц▒
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц┴ц▄ц┴ ц≈  ц▐ц·ц┘ц▌ц≤  ц┌ц≥ц⌠ц■ц▓ц≥ц┬  ц⌠ц┘ц■ц▒ц┬,  ц┴ц▄ц┴  ц┘ц⌠ц▄ц┴  ц≈ц≥  ц■ц▐ц·ц▌ц▐
-              ц ц▌ц│ц┘ц■ц┘,  ц·ц■ц▐  ц░ц│ц▀ц┘ц■ц≥  ц▌ц┘  ц ц│ц■ц┘ц▓ц▒ц─ц■ц⌠ц▒.  ц╥ц▓ц┘ц█ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц▐ц└ц▌ц▐ц┤ц▐
-              ц┬ц▐ц⌠ц■ц│ - 15 ц█ц┴ц▌ц∙ц■, ц│ ц▐ц√ц┴ц└ц│ц▌ц┴ц┘ ц▐ц■ц≈ц┘ц■ц│ ц▌ц│ ц ц│ц░ц▓ц▐ц⌠ - 0,3 ц⌠ц┘ц▀ц∙ц▌ц└ц≥.
-
-              ц╚ц│ц√ц└ц▐ц█ц∙ ц▓ц┘ц√ц┴ц█ц∙ ц░ц▓ц┴ц⌠ц≈ц▐ц┘ц▌ ц▐ц░ц▓ц┘ц└ц┘ц▄бёц▌ц▌ц≥ц┼ ц▌ц▐ц█ц┘ц▓ ц▐ц■  0  ц└ц▐  5,  ц┴  ц┘ц┤ц▐
-              ц█ц▐ц√ц▌ц▐  ц∙ц▀ц│ц ц│ц■ц≤  ц≈ц█ц┘ц⌠ц■ц▐  ц░ц▐ц▄ц▌ц▐ц┤ц▐ ц▌ц│ц ц≈ц│ц▌ц┴ц▒ ц▓ц┘ц√ц┴ц█ц│. ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц▐ц░ц┐ц┴ц▒
-              Б─≥-T0Б─≥ ц▐ц ц▌ц│ц·ц│ц┘ц■ ц▓ц┘ц√ц┴ц█ Paranoid, ц│ Б─≥-T5Б─≥ - Insane. ц╔ц⌠ц▄ц┴ ц≈ц≥  ц┬ц▐ц■ц┴ц■ц┘
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц■ц│ц▀ц┴ц┘ ц▐ц░ц┐ц┴ц┴ ц▀ц│ц▀ --max_rtt_timeout ц┴ц▄ц┴ --host_time-
-              out, ц▓ц│ц⌠ц░ц▐ц▄ц│ц┤ц│ц┼ц■ц┘ ц┴ц┬ ц≈ ц▀ц▐ц█ц│ц▌ц└ц▌ц▐ц┼ ц⌠ц■ц▓ц▐ц▀ц┘ ц░ц▐ц⌠ц▄ц┘ ц▄ц─ц┌ц≥ц┬ Б─≥-TБ─≥  ц▐ц░ц┐ц┴ц┼.
-
-       <B>--host_timeout</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└ц<B>ц</B>≥<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■  ц≈ц▓ц┘ц█ц▒,  ц▐ц■ц≈ц▐ц└ц┴ц█ц▐ц┘  nmap  ц▌ц│  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц▐ц└ц▌ц▐ц┤ц▐
-              ц┬ц▐ц⌠ц■ц│,  ц░ц▓ц┘ц√ц└ц┘  ц·ц┘ц█  ц▐ц▌  ц░ц┘ц▓ц┘ц┼ц└ц┘ц■  ц▀  ц▐ц·ц┘ц▓ц┘ц└ц▌ц▐ц█ц∙  IP-ц│ц└ц▓ц┘ц⌠ц∙.  ц╟ц▐
-              ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц°ц■ц▐ц■ ц░ц│ц▓ц│ц█ц┘ц■ц▓ ц▌ц┘ ц┴ц█ц┘ц┘ц■ ц▐ц┤ц▓ц│ц▌ц┴ц·ц┘ц▌ц┴ц▒.
-
-       <B>--max_rtt_timeout</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■   ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘   ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐   ц≈ц▓ц┘ц█ц┘ц▌ц┴,  ц≈  ц■ц┘ц·ц┘ц▌ц┴ц┘
-              ц▀ц▐ц■ц▐ц▓ц▐ц┤ц▐ nmap ц▐ц√ц┴ц└ц│ц┘ц■ ц▐ц■ц≈ц┘ц■  ц▌ц│  ц░ц▐ц⌠ц▄ц│ц▌ц▌ц≥ц┼  ц ц│ц░ц▓ц▐ц⌠,  ц░ц▓ц┘ц√ц└ц┘  ц·ц┘ц█
-              ц░ц▐ц≈ц■ц▐ц▓ц┴ц■ц≤  ц ц│ц░ц▓ц▐ц⌠  ц┴ц▄ц┴  ц⌠ц·ц┴ц■ц│ц■ц≤  ц┘ц┤ц▐ ц∙ц■ц┘ц▓ц▒ц▌ц▌ц≥ц█. ц╟ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц°ц■ц▐
-              ц ц▌ц│ц·ц┘ц▌ц┴ц┘ ц∙ц⌠ц■ц│ц▌ц▐ц≈ц▄ц┘ц▌ц▐ ц▓ц│ц≈ц▌ц≥ц█ 9000 ц█ц┴ц▄ц▄ц┴ц⌠ц┘ц▀ц∙ц▌ц└.
-
-       <B>--min_rtt_timeout</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└<B>&gt;</B>
-              ц╔ц⌠ц▄ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┼ ц┬ц▐ц⌠ц■ ц▐ц·ц┘ц▌ц≤ ц┌ц≥ц⌠ц■ц▓ц▐  ц▐ц■ц≈ц┘ц·ц│ц┘ц■  ц▌ц│  ц ц│ц░ц▓ц▐ц⌠ц≥,  nmap
-              ц┌ц∙ц└ц┘ц■   ц│ц≈ц■ц▐ц█ц│ц■ц┴ц·ц┘ц⌠ц▀ц┴   ц∙ц█ц┘ц▌ц≤ц⌡ц│ц■ц≤   ц┴ц▌ц■ц┘ц▓ц≈ц│ц▄  ц█ц┘ц√ц└ц∙  ц░ц▐ц⌠ц≥ц▄ц│ц┘ц█ц≥ц█ц┴
-              ц ц│ц░ц▓ц▐ц⌠ц│ц█ц┴. ц╪ц■ц▐ ц∙ц⌠ц▀ц▐ц▓ц▒ц┘ц■ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘, ц▌ц▐ ц█ц▐ц√ц┘ц■ ц░ц▓ц┴ц≈ц┘ц⌠ц■ц┴ ц▀ ц░ц▐ц■ц┘ц▓ц┘
-              ц░ц│ц▀ц┘ц■ц▐ц≈  ц⌠  ц▐ц■ц≈ц┘ц■ц│ц█ц┴,  ц░ц▓ц┴ц⌡ц┘ц└ц⌡ц┴ц█ц┴  ц░ц▐ц ц√ц┘,  ц·ц┘ц█ ц▐ц┌ц≥ц·ц▌ц▐. ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒
-              ц▐ц░ц▓ц┘ц└ц┘ц▄ц▒ц┘ц■ ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц≈ц▓ц┘ц█ц┘ц▌ц┴ nmap  ц└ц▐ц▄ц√ц┘ц▌  ц√ц└ц│ц■ц≤  ц░ц┘ц▓ц┘ц└  ц▐ц■ц░ц▓ц│ц≈ц▀ц▐ц┼
-              ц▐ц·ц┘ц▓ц┘ц└ц▌ц▐ц┤ц▐ ц░ц│ц▀ц┘ц■ц│.
-
-       <B>--initial_rtt_timeout</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■  ц≈ц▓ц┘ц█ц▒, ц▐ц■ц≈ц▐ц└ц┴ц█ц▐ц┘ ц▌ц│ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┘ ц│ц▀ц■ц┴ц≈ц▌ц▐ц⌠ц■ц┴ ц┬ц▐ц⌠ц■ц│.
-              ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒  ц≈  ц▐ц⌠ц▌ц▐ц≈ц▌ц▐ц█  ц└ц▄ц▒  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц┬ц▐ц⌠ц■ц▐ц≈,
-              ц ц│ц²ц┴ц²ц┘ц▌ц▌ц≥ц┬  ц├ц│ц┘ц▓ц≈ц▐ц▄ц▐ц█,  ц⌠ц▐ц≈ц█ц┘ц⌠ц■ц▌ц▐  ц⌠  ц▐ц░ц┐ц┴ц┘ц┼  Б─≥-P0Б─≥. ц╞ц┌ц≥ц·ц▌ц▐ nmap
-              ц│ц≈ц■ц▐ц█ц│ц■ц┴ц·ц┘ц⌠ц▀ц┴  ц≈ц≥ц┌ц┴ц▓ц│ц┘ц■  ц▐ц░ц■ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘  ц ц▌ц│ц·ц┘ц▌ц┴ц┘  ц°ц■ц▐ц┤ц▐  ц░ц│ц▓ц│ц█ц┘ц■ц▓ц│
-              ц░ц▐ц⌠ц▄ц┘  ц▐ц■ц░ц▓ц│ц≈ц▀ц┴  ping  ц┴  ц░ц┘ц▓ц≈ц≥ц┬  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц²ц┴ц┬  ц░ц│ц▀ц┘ц■ц▐ц≈  ц▌ц│ ц┬ц▐ц⌠ц■.
-              ц╨ц▌ц│ц·ц┘ц▌ц┴ц┘ ц░ц▐ ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ ц⌠ц▐ц⌠ц■ц│ц≈ц▄ц▒ц┘ц■ 6000 ц█ц┴ц▄ц▄ц┴ц⌠ц┘ц▀ц∙ц▌ц└.
-
-       <B>--max_hostgroup</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>_</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>≈<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■ ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘ ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐ ц┬ц▐ц⌠ц■ц▐ц≈, ц▀ц▐ц■ц▐ц▓ц▐ц┘ nmap ц█ц▐ц√ц┘ц■
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤  ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐. ц╒ц▐ц▄ц≤ц⌡ц┴ц▌ц⌠ц■ц≈ц▐ ц■ц┘ц┬ц▌ц┴ц▀ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц░ц▐ц▓ц■ц▐ц≈
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц─ц■ ц▐ц└ц▌ц▐ц≈ц▓ц┘ц█ц┘ц▌ц▌ц▐ц┘  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц┴ц┬  ц┬ц▐ц⌠ц■ц▐ц≈,  ц·ц■ц▐
-              ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ ц▓ц│ц┌ц▐ц■ц│ц■ц≤ ц┌ц≥ц⌠ц■ц▓ц┘ц┘. ц╝ц▐ ц·ц■ц▐ ц┌ц≥ ц└ц▐ц√ц└ц│ц■ц≤ц⌠ц▒ ц≈ц⌠ц┘ц┬ ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц▐ц≈
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц≈ц│ц█ ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ц▐ ц√ц└ц│ц■ц≤, ц░ц▐ц▀ц│ ц┌ц∙ц└ц∙ц■ ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц≥ ц≈ц⌠ц┘
-              ц┬ц▐ц⌠ц■ц≥.  ц╔ц⌠ц▄ц┴  ц≈ц≥ ц┬ц▐ц■ц┴ц■ц┘, ц·ц■ц▐ ц┌ц≥ ц┬ц▐ц⌠ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▄ц┴ц⌠ц≤ ц░ц▐ц▐ц·ц┘ц▓бёц└ц▌ц▐ ц┴
-              ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц≈ц≥ц≈ц▐ц└ц┴ц▄ц┴ц⌠ц≤ ц▐ц■ц▌ц▐ц⌠ц┴ц■ц┘ц▄ц≤ц▌ц▐ ц▀ц│ц√ц└ц▐ц┤ц▐ ц┬ц▐ц⌠ц■ц│ ц┌ц┘ц  ц ц│ц└ц┘ц▓ц√ц▀ц┴  -
-              ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘   1   ц≈   ц▀ц│ц·ц┘ц⌠ц■ц≈ц┘  ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц│.  ц╨ц│ц█ц┘ц■ц≤ц■ц┘,  ц·ц■ц▐  ping
-              -ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  ц┤ц▓ц∙ц░ц░ц┴ц▓ц∙ц┘ц■  ц┬ц▐ц⌠ц■ц≥  ц░ц▐-ц⌠ц≈ц▐ц┘ц█ц∙  ц┴  ц┴ц┤ц▌ц▐ц▓ц┴ц▓ц∙ц┘ц■  ц°ц■ц▐ц■
-              ц░ц│ц▓ц│ц█ц┘ц■ц▓.
-
-       <B>--min_hostgroup</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>_</B>ц<B>ц</B>┬ц<B>ц</B>▐ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>▐ц<B>ц</B>≈<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■ ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘ ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐ ц┬ц▐ц⌠ц■ц▐ц≈, ц▀ц▐ц■ц▐ц▓ц▐ц┘ nmap ц└ц▐ц▄ц√ц┘ц▌
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц▐. (ц⌠ц█. --max_hostgroup)
-
-       <B>--max_parallelism</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■  ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘  ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐  ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц≥ц┬  ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц▐ц≈
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  nmap. ц╣ц⌠ц■ц│ц▌ц▐ц≈ц▀ц│ ц°ц■ц▐ц┤ц▐ ц░ц│ц▓ц│ц█ц┘ц■ц▓ц│ ц▓ц│ц≈ц▌ц≥ц█ 1 ц▐ц ц▌ц│ц·ц│ц┘ц■,
-              ц·ц■ц▐ nmap ц▌ц┴ц▀ц▐ц┤ц└ц│ ц▌ц┘ ц┌ц∙ц└ц┘ц■ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┌ц▐ц▄ц┘ц┘ ц▐ц└ц▌ц▐ц┤ц▐ ц░ц▐ц▓ц■ц│ ц≈  ц▐ц└ц┴ц▌
-              ц█ц▐ц█ц┘ц▌ц■    ц≈ц▓ц┘ц█ц┘ц▌ц┴.    ц╪ц■ц▐ц■    ц░ц│ц▓ц│ц█ц┘ц■ц▓   ц■ц│ц▀ц√ц┘   ц≈ц▄ц┴ц▒ц┘ц■   ц┴   ц▌ц│
-              ping-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘, RPC-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц┴ ц■.ц░.
-
-       <B>--min_parallelism</B> <B>&lt;</B>ц<B>ц</B>▀ц<B>ц</B>▐ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>·ц<B>ц</B>┘ц<B>ц</B>⌠ц<B>ц</B>■ц<B>ц</B>≈ц<B>ц</B>▐<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■  ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘  ц▀ц▐ц▄ц┴ц·ц┘ц⌠ц■ц≈ц▐  ц░ц│ц▓ц│ц▄ц▄ц┘ц▄ц≤ц▌ц≥ц┬   ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц▐ц≈
-              ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  nmap.  ц╣ц≈ц┘ц▄ц┴ц·ц┴ц≈ц│ц┘ц■  ц⌠ц▀ц▐ц▓ц▐ц⌠ц■ц≤  ц░ц▓ц▐ц┬ц▐ц√ц└ц┘ц▌ц┴ц▒  ц░ц│ц▀ц┘ц■ц▐ц≈
-              ц·ц┘ц▓ц┘ц  ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц├ц│ц┘ц▓ц≈ц▐ц▄ц≥, ц▐ц└ц▌ц│ц▀ц▐ ц┘ц⌠ц▄ц┴ ц∙ц⌠ц■ц│ц▌ц▐ц≈ц┴ц■ц≤ ц⌠ц▄ц┴ц⌡ц▀ц▐ц█ ц┌ц▐ц▄ц≤ц⌡ц▐ц┘
-              ц ц▌ц│ц·ц┘ц▌ц┴ц┘, - ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┌ц∙ц└ц∙ц■ ц▌ц┘ц▌ц│ц└бёц√ц▌ц≥ц█ц┴.
-
-       <B>--scan_delay</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└ц<B>ц</B>≥<B>&gt;</B>
-              ц╣ц⌠ц■ц│ц▌ц│ц≈ц▄ц┴ц≈ц│ц┘ц■   ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘   ц≈ц▓ц┘ц█ц▒   ц ц│ц└ц┘ц▓ц√ц▀ц┴  ц█ц┘ц√ц└ц∙  ц▐ц■ц░ц▓ц│ц≈ц▀ц▐ц┼
-              ц░ц│ц▀ц┘ц■ц▐ц≈.  ц╪ц■ц│ ц▐ц░ц┐ц┴ц▒ ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц┘ц■ц⌠ц▒ ц└ц▄ц▒ ц⌠ц▌ц┴ц√ц┘ц▌ц┴ц▒ ц▌ц│ц┤ц▓ц∙ц ц▀ц┴ ц▌ц│ ц⌠ц┘ц■ц≤ ц┴
-              ц∙ц█ц┘ц▌ц≤ц⌡ц┘ц▌ц┴ц▒  ц≈ц┘ц▓ц▐ц▒ц■ц▌ц▐ц⌠ц■ц┴  ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц┴ц▒  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.  Nmap ц┴ц▌ц▐ц┤ц└ц│
-              ц█ц▐ц√ц┘ц■ ц∙ц≈ц┘ц▄ц┴ц·ц┴ц≈ц│ц■ц≤ ц°ц■ц▐ ц ц▌ц│ц·ц┘ц▌ц┴ц┘ ц⌠ц│ц█ц▐ц⌠ц■ц▐ц▒ц■ц┘ц▄ц≤ц▌ц▐, ц┘ц⌠ц▄ц┴ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┴ц≈ц│ц┘ц■
-              ц ц▌ц│ц·ц┴ц■ц┘ц▄ц≤ц▌ц≥ц┘  ц░ц▐ц■ц┘ц▓ц┴  ц░ц│ц▀ц┘ц■ц▐ц≈.  ц╝ц│ц░ц▓ц┴ц█ц┘ц▓,  ц╞цЁ  Solaris  ц▐ц■ц≈ц┘ц·ц│ц─ц■
-              ц■ц▐ц▄ц≤ц▀ц▐  ц▐ц└ц▌ц┴ц█  ICMP  port  unreachable  ц░ц│ц▀ц┘ц■ц▐ц█  ц≈  ц⌠ц┘ц▀ц∙ц▌ц└ц∙  ц░ц▓ц┴
-              UDP-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴.  Nmap  ц⌠ц■ц│ц▓ц│ц┘ц■ц⌠ц▒  ц▐ц░ц▓ц┘ц└ц┘ц▄ц┴ц■ц≤  ц°ц■ц▐  ц┴ ц∙ц≈ц┘ц▄ц┴ц·ц┴ц■ц≤
-              ц█ц┴ц▌ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘ ц≈ц▓ц┘ц█ц▒ ц ц│ц└ц┘ц▓ц√ц▀ц┴ ц└ц▐ ц▐ц└ц▌ц▐ц┼ ц⌠ц┘ц▀ц∙ц▌ц└ц≥.
-
-       <B>--max_scan_delay</B> <B>&lt;</B>ц<B>ц</B>█ц<B>ц</B>┴ц<B>ц</B>▄ц<B>ц</B>▄ц<B>ц</B>┴ц<B>ц</B>⌠ц<B>ц</B>┘ц<B>ц</B>▀ц<B>ц</B>∙ц<B>ц</B>▌ц<B>ц</B>└ц<B>ц</B>≥<B>&gt;</B>
-              ц╚ц│ц▀ ц▐ц■ц█ц┘ц·ц┘ц▌ц▐  ц≈ц≥ц⌡ц┘,  nmap  ц█ц▐ц√ц┘ц■  ц│ц≈ц■ц▐ц█ц│ц■ц┴ц·ц┘ц⌠ц▀ц┴  ц┴ц ц█ц┘ц▌ц▒ц■ц≤  ц≈ц▓ц┘ц█ц▒
-              ц ц│ц└ц┘ц▓ц√ц▀ц┴  ц█ц┘ц√ц└ц∙  ц▐ц■ц░ц▓ц│ц≈ц▀ц▐ц┼  ц░ц│ц▀ц┘ц■ц▐ц≈.  ц╪ц■ц▐  ц█ц▐ц√ц┘ц■  ц└ц│ц≈ц│ц■ц≤  ц▄ц∙ц·ц⌡ц┴ц┘
-              ц▓ц┘ц ц∙ц▄ц≤ц■ц│ц■ц≥ ц░ц▓ц┴ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┴, ц▌ц▐ ц ц▌ц│ц·ц┴ц■ц┘ц▄ц≤ц▌ц▐  ц ц│ц█ц┘ц└ц▄ц▒ц■ц≤  ц┘ц┤ц▐.  ц╟ц▐
-              ц∙ц█ц▐ц▄ц·ц│ц▌ц┴ц─ (ц┌ц┘ц  ц≈ц▀ц▄ц─ц·ц┘ц▌ц▌ц▐ц┼ Б─≥-ц╢Б─≥ ц▐ц░ц┐ц┴ц┴), nmap ц█ц▐ц√ц┘ц■ ц┴ц ц█ц┘ц▌ц▒ц■ц≤ ц≈ц▓ц┘ц█ц▒
-              ц ц│ц└ц┘ц▓ц√ц▀ц┴ ц█ц┘ц√ц└ц∙ ц▐ц■ц░ц▓ц│ц≈ц▀ц▐ц┼ ц░ц│ц▀ц┘ц■ц▐ц≈  ц└ц▐  1  ц≈  ц⌠ц┘ц▀ц∙ц▌ц└ц∙.  ц╪ц■ц│  ц▐ц░ц┐ц┴ц▒
-              ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■  ц∙ц⌠ц■ц│ц▌ц▐ц≈ц┴ц■ц≤ ц┌ц▐ц▄ц≤ц⌡ц┘ц┘ ц┴ц▄ц┴ ц█ц┘ц▌ц≤ц⌡ц┘ц┘ ц█ц│ц▀ц⌠ц┴ц█ц│ц▄ц≤ц▌ц▐ц┘ ц ц▌ц│ц·ц┘ц▌ц┴ц┘.
-
-
-</PRE>
-<H2>ццЁцц╟цц╞ццЁцц╞цц╒цц╧ цц╨цц║цц╓цц║цц╝цц╘цц╠ ццёцц╔цц╛цц╘</H2><PRE>
-       ц╥ц⌠бё, ц·ц■ц▐ ц▌ц┘ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц▐ц░ц┐ц┴ц┘ц┼ (ц┴ц▄ц┴ ц│ц▓ц┤ц∙ц█ц┘ц▌ц■ц▐ц█ ц▐ц░ц┐ц┴ц┴) nmap  ц┴ц▌ц■ц┘ц▓ц░ц▓ц┘ц■ц┴ц▓ц∙ц┘ц■
-       ц▀ц│ц▀  ц│ц└ц▓ц┘ц⌠  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц▐ц┼  ц┐ц┘ц▄ц┴.  ц╟ц▓ц▐ц⌠ц■ц┘ц┼ц⌡ц┴ц┼  ц≈ц│ц▓ц┴ц│ц▌ц■ - ц∙ц▀ц│ц ц│ц■ц≤ ц┴ц█ц┘ц▌ц│ ц┴ц▄ц┴
-       ip-ц│ц└ц▓ц┘ц⌠ц│ ц┬ц▐ц⌠ц■ц▐ц≈ ц≈ ц▀ц▐ц█ц│ц▌ц└ц▌ц▐ц┼  ц⌠ц■ц▓ц▐ц▀ц┘.  ц╔ц⌠ц▄ц┴  ц≈ц≥  ц┬ц▐ц■ц┴ц■ц┘  ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤
-       ц░ц▐ц└ц⌠ц┘ц■ц≤  ip-ц│ц└ц▓ц┘ц⌠ц▐ц≈, ц≈ц≥ ц█ц▐ц√ц┘ц■ц┘ ц└ц▐ц░ц▐ц▄ц▌ц┴ц■ц≤ <B>/</B>ц<B>ц</B>█ц<B>ц</B>│ц<B>ц</B>⌠ц<B>ц</B>▀ц<B>ц</B>∙ ц⌠ц┘ц■ц┴ ц▀ ip-ц│ц└ц▓ц┘ц⌠ц∙. ц╜ц│ц⌠ц▀ц│
-       ц└ц▐ц▄ц√ц▌ц│ ц┌ц≥ц■ц≤  ц≈  ц└ц┴ц│ц░ц│ц ц▐ц▌ц┘  ц▐ц■  0  (ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤  ц≈ц┘ц⌠ц≤  ц╘ц▌ц■ц┘ц▓ц▌ц┘ц■)  ц└ц▐  32
-       (ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┘ц└ц┴ц▌ц⌠ц■ц≈ц┘ц▌ц▌ц≥ц┼ ц┬ц▐ц⌠ц■). ц╘ц⌠ц░ц▐ц▄ц≤ц ц∙ц┼ц■ц┘ /24 ц└ц▄ц▒ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒ ц┐ц┘ц▄ц▐ц┼
-       ц⌠ц┘ц■ц┴ ц▀ц▄ц│ц⌠ц⌠ц│ "цЁ" ц┴ /16 ц└ц▄ц▒ ц⌠ц┘ц■ц┴ ц▀ц▄ц│ц⌠ц⌠ц│ "ц╥".
-
-       Nmap ц■ц│ц▀ц√ц┘ ц░ц▐ц ц≈ц▐ц▄ц▒ц┘ц■ ц┌ц▐ц▄ц┘ц┘ ц┤ц┴ц┌ц▀ц▐ ц∙ц▀ц│ц ц│ц■ц≤ ц┐ц┘ц▄ц┘ц≈ц≥ц┘  IP-ц│ц└ц▓ц┘ц⌠ц│,  ц┴ц⌠ц░ц▐ц▄ц≤ц ц∙ц▒
-       ц⌠ц░ц┴ц⌠ц▀ц┴   ц┴   ц└ц┴ц│ц░ц│ц ц▐ц▌ц≥   ц└ц▄ц▒   ц▀ц│ц√ц└ц▐ц┤ц▐  ц┴ц┬  ц°ц▄ц┘ц█ц┘ц▌ц■ц│.  ц╝ц│ц░ц▓ц┴ц█ц┘ц▓,  ц·ц■ц▐ц┌ц≥
-       ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц▐ц└ц⌠ц┘ц■ц≤ ц▀ц▄ц│ц⌠ц⌠ц│ "B" ц⌠ ц│ц└ц▓ц┘ц⌠ц▐ц█  192.168.*.*.  ц≈  ц▀ц▐ц█ц│ц▌ц└ц▌ц▐ц┼
-       ц⌠ц■ц▓ц▐ц▀ц┘  ц≈ц≥  ц█ц▐ц√ц┘ц■ц┘ ц∙ц▀ц│ц ц│ц■ц≤ " <B>192.168.*.*</B>  " ц┴ц▄ц┴ " <B>192.168.0-255.0-255</B> "
-       ц┴ц▄ц┴ ц└ц│ц√ц┘ "  <B>192.168.1-50,51-255.1,2,3,4,5-255</B>  ".  ц╘,  ц▀ц▐ц▌ц┘ц·ц▌ц▐  ц√ц┘,  ц≈ц≥
-       ц█ц▐ц√ц┘ц■ц┘  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤  ц█ц│ц⌠ц▀ц∙  -  "  <B>192.168.0.0/16"</B>  ("*"), ц░ц▐ц█ц▌ц┴ц■ц┘, ц·ц■ц▐
-       ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘ ц▀ц▐ц█ц│ц▌ц└ц▌ц≥ц┘ ц┴ц▌ц■ц┘ц▓ц░ц▓ц┘ц■ц│ц■ц▐ц▓ц≥ ц■ц▓ц┘ц┌ц∙ц─ц■ ц∙ц▀ц│ц ц≥ц≈ц│ц■ц≤ "
-
-       ц╔ц²бё ц▐ц└ц▌ц┴ц█ ц≈ц│ц▓ц┴ц│ц▌ц■ц▐ц█ ц ц│ц└ц│ц▌ц┴ц▒ ц│ц└ц▓ц┘ц⌠ц▐ц≈  ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒  ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц┘  ц░ц▓ц┘ц├ц┴ц▀ц⌠ц│.
-       ц╝ц│ц░ц▓ц┴ц█ц┘ц▓, ц·ц■ц▐ ц┌ц≥ ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц≈ц⌠ц┘ ц│ц└ц▓ц┘ц⌠ц│ ц≈ ц⌠ц┘ц■ц┴, ц ц│ц▀ц│ц▌ц·ц┴ц≈ц│ц─ц²ц┴ц┘ц⌠ц▒ ц▌ц│
-
-
-</PRE>
-<H2>цц╟цц╡цц╘цц╜цц╔цц╡цц╧</H2><PRE>
-       ц╥  ц°ц■ц▐ц█  ц▓ц│ц ц└ц┘ц▄ц┘  ц░ц▓ц┴ц≈ц▐ц└ц▒ц■ц⌠ц▒  ц▌ц┘ц▀ц▐ц■ц▐ц▓ц≥ц┘  ц░ц▓ц┴ц█ц┘ц▓ц≥ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц▌ц┴ц▒ nmap, ц▐ц■
-       ц░ц▓ц▐ц⌠ц■ц≥ц┬ ц└ц▐ ц┌ц▐ц▄ц┘ц┘ ц⌠ц▄ц▐ц√ц▌ц≥ц┬.
-
-       <B>nmap</B> <B>-v</B> <B>target.example.com</B>
-
-       цЁц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤  ц≈ц⌠ц┘  ц ц│ц▓ц┘ц ц┘ц▓ц≈ц┴ц▓ц▐ц≈ц│ц▌ц▌ц≥ц┘  TCP-ц░ц▐ц▓ц■ц≥  ц▌ц│  ц┬ц▐ц⌠ц■ц┘  target.exam-
-       ple.com.   ц╞ц░ц┐ц┴ц▒  Б─≥-vБ─≥ ц▐ц ц▌ц│ц·ц│ц┘ц■ ц≈ц▀ц▄ц─ц·ц┴ц■ц≤ ц▓ц┘ц√ц┴ц█ ц░ц▐ц└ц▓ц▐ц┌ц▌ц▐ц┤ц▐ ц▐ц■ц·ц┘ц■ц│ ц▐ ц┬ц▐ц└ц┘
-       ц░ц▓ц▐ц┐ц┘ц⌠ц⌠ц│ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒.
-
-       <B>nmap</B> <B>-sS</B> <B>-O</B> <B>target.example.com/24</B>
-
-       ц╨ц│ц░ц∙ц⌠ц▀ц│ц┘ц■ SYN-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ (-sS) ц≈ц⌠ц┘ц┬ 255(ц█ц│ц⌠ц▀ц│ /24) ц█ц│ц⌡ц┴ц▌  ц⌠  ц│ц└ц▓ц┘ц⌠ц│ц█ц┴
-       ц▀ц▄ц│ц⌠ц⌠ц│   "C",  ц▐ц└ц▌ц▐ц┼  ц┴ц   ц▀ц▐ц■ц▐ц▓ц≥ц┬  ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒  target.example.com.  ц╢ц│ц▀ц√ц┘
-       ц▐ц⌠ц∙ц²ц┘ц⌠ц■ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц▐ц░ц▓ц┘ц└ц┘ц▄ц┘ц▌ц┴ц┘ ц╞цЁ (-O) ц▀ц│ц√ц└ц▐ц┤ц▐ ц┴ц  ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц┘ц█ц≥ц┬  ц┬ц▐ц⌠ц■ц▐ц≈.  ц╓ц▄ц▒
-       ц≈ц≥ц░ц▐ц▄ц▌ц┘ц▌ц┴ц▒ ц°ц■ц┴ц┬ ц└ц┘ц┼ц⌠ц■ц≈ц┴ц┼ ц≈ц│ц█ ц▌ц┘ц▐ц┌ц┬ц▐ц└ц┴ц█ ц⌠ц■ц│ц■ц∙ц⌠ root.
-
-       <B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.*.1-127</B>
-
-       ц╨ц│ц░ц∙ц⌠ц▀ц│ц┘ц■  Xmas-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘  (-sX)  ц░ц┘ц▓ц≈ц▐ц┼  ц░ц▐ц▄ц▐ц≈ц┴ц▌ц≥  ц│ц└ц▓ц┘ц⌠ц▐ц≈  (0-127)
-       ц▀ц│ц√ц└ц▐ц┼ ц┴ц  255 ц░ц▐ц└ц⌠ц┘ц■ц┘ц┼ ц▀ц▄ц│ц⌠ц⌠ц│ "B" ц│ц└ц▓ц┘ц⌠ц▌ц▐ц┤ц▐  ц░ц▓ц▐ц⌠ц■ц▓ц│ц▌ц⌠ц■ц≈ц│  128.210.*.*.
-       ц╝ц│ ц°ц■ц┴ц┬ ц┬ц▐ц⌠ц■ц│ц┬ ц⌠ц▀ц│ц▌ц┴ц▓ц∙ц─ц■ц⌠ц▒ 22, 53, 110, 143 ц┴ 4564 ц░ц▐ц▓ц■ц≥. ц╨ц│ц█ц┘ц■ц≤ц■ц┘, ц·ц■ц▐
-       Xmas-ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц┘ ц▓ц│ц┌ц▐ц■ц│ц┘ц■ ц⌠ ц╞цЁ Windows,  CISCO,  IRIX,  HP/UX  ц┴  BSDI
-       ц█ц│ц⌡ц┴ц▌ц│ц█ц┴.
-
-       <B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
-
-       ц╥ц█ц┘ц⌠ц■ц▐  ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц▌ц┴ц▒  ц▀ц▐ц▌ц▀ц▓ц┘ц■ц▌ц≥ц┬  ц│ц└ц▓ц┘ц⌠ц▌ц≥ц┬  ц└ц┴ц│ц░ц│ц ц▐ц▌ц▐ц≈,  ц┴ц▌ц▐ц┤ц└ц│  ц┌ц≥ц≈ц│ц┘ц■
-       ц┴ц▌ц■ц┘ц▓ц┘ц⌠ц▌ц▐ ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┬ц▐ц⌠ц■ц≥, ц≈ц≥ц┌ц▓ц│ц▌ц▌ц≥ц┘ ц⌠ц▄ц∙ц·ц│ц┼ц▌ц≥ц█ ц▐ц┌ц▓ц│ц ц▐ц█.  ц╪ц■ц│  ц▀ц▐ц█ц│ц▌ц└ц│
-       ц┴ц²ц┘ц■  ц≈ц┘ц┌-ц⌠ц┘ц▓ц≈ц┘ц▓ц│,  ip-ц│ц└ц▓ц┘ц⌠ ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц▐ц▀ц│ц▌ц·ц┴ц≈ц│ц┘ц■ц⌠ц▒ ц▌ц│ .2.3, .2.4 ц┴ .2.5.
-       ц╔ц⌠ц▄ц┴ ц≈ц│ц⌡ ц⌠ц■ц│ц■ц∙ц⌠ root, ц≈ц≥ ц■ц│ц▀ц√ц┘ ц█ц▐ц√ц┘ц■ц┘ ц░ц▓ц▐ц⌠ц▀ц│ц▌ц┴ц▓ц▐ц≈ц│ц■ц≤ ц░ц▐ц▓ц■ц≥ ц▐ц┌ц▌ц│ц▓ц∙ц√ц┘ц▌ц▌ц≥ц┬
-       ц┬ц▐ц⌠ц■ц▐ц≈,  ц∙ц▀ц│ц ц│ц≈  ц▐ц░ц┐ц┴ц─  Б─≥-sSБ─≥.  ц╥ц≥ ц█ц▐ц√ц┘ц■ц┘ ц▌ц│ц┼ц■ц┴ ц█ц▌ц▐ц┤ц▐ ц┴ц▌ц■ц┘ц▓ц┘ц⌠ц▌ц≥ц┬ ц█ц│ц⌡ц┴ц▌,
-       ц│ц└ц▓ц┘ц⌠ц│ ц▀ц▐ц■ц▐ц▓ц≥ц┬ ц▌ц│ц·ц┴ц▌ц│ц─ц■ц⌠ц▒ ц▌ц│ 127.  ц╓ц▄ц▒  ц°ц■ц▐ц┤ц▐  ц∙ц▀ц│ц√ц┴ц■ц┘  ц≈ц█ц┘ц⌠ц■ц▐  ц░ц┘ц▓ц≈ц▐ц┤ц▐
-       ц│ц⌠ц■ц┘ц▓ц┴ц⌠ц▀ц│ Б─≥127-222Б─≥.
-
-       <B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
-
-       ц╟ц▓ц▐ц⌠ц█ц▐ц■ц▓ц┘ц■ц≤  ц⌠ц┘ц▓ц≈ц┘ц▓ц≥  DNS  ц ц▐ц▌ц≥  ц┴  ц▌ц│ц┼ц■ц┴  ц┬ц▐ц⌠ц■ц≥  ц≈ ц└ц▐ц█ц┘ц▌ц┘ company.com,
-       ц░ц┘ц▓ц┘ц└ц│ц≈ ц ц│ц■ц┘ц█ ц≈ nmap ц┴ц┬ ц│ц└ц▓ц┘ц⌠ц│. ц╢ц│ц▀ ц≈ц≥ц┤ц▄ц▒ц└ц┴ц■ ц▀ц▐ц█ц│ц▌ц└ц│ ц└ц▄ц▒ GNU/Linux,  ц▌ц▐
-       ц└ц▄ц▒ ц└ц▓ц∙ц┤ц┴ц┬ ц╞цЁ ц▐ц▌ц│ ц█ц▐ц√ц┘ц■ ц≈ц≥ц┤ц▄ц▒ц└ц┘ц■ц≤ ц▌ц┘ц⌠ц▀ц▐ц▄ц≤ц▀ц▐ ц┴ц▌ц│ц·ц┘.
-
-
-</PRE>
-<H2>цц╞цц╩цц╘цц╒цц╚цц╘</H2><PRE>
-       ц╞ц⌡ц┴ц┌ц▀ц┴?  ц╚ц│ц▀ц┴ц┘  ц▐ц⌡ц┴ц┌ц▀ц┴?  ц╔ц⌠ц▄ц┴ ц≈ц≥ ц▌ц│ц⌡ц▄ц┴ ц▐ц⌡ц┴ц┌ц▀ц┴ - ц░ц▓ц▐ц⌠ц≤ц┌ц│ ц▌ц┘ц ц│ц█ц┘ц└ц▄ц┴ц■ц┘ц▄ц≤ц▌ц▐
-       ц⌠ц▐ц▐ц┌ц²ц┴ц■ц≤ ц▐ ц▌ц┴ц┬. (ц√ц┘ц▄ц│ц■ц┘ц▄ц≤ц▌ц▐ ц░ц▓ц┴ц⌠ц≥ц▄ц│ц■ц≤ ц┴ ц┴ц⌠ц░ц▓ц│ц≈ц▄ц┘ц▌ц┴ц▒ :-) ). ц╝ц┘ ц ц│ц┌ц≥ц≈ц│ц┼ц■ц┘
-       ц■ц│ц▀ц√ц┘   ц░ц▓ц┴ц⌠ц≥ц▄ц│ц■ц≤   ц▌ц▐ц≈ц≥ц┘  ц▐ц■ц░ц┘ц·ц│ц■ц▀ц┴  ц╞цЁ  ц└ц▄ц▒  ц░ц▐ц░ц▐ц▄ц▌ц┘ц▌ц┴ц▒  ц▐ц┌ц²ц┘ц┼  ц┌ц│ц ц≥.
-       ц╞ц■ц░ц▓ц│ц≈ц▄ц▒ц┼ц■ц┘  ц┴ц▌ц├ц▐ц▓ц█ц│ц┐ц┴ц─   ц▌ц│   e-mail   fyodor[@]insecure.org   ц┴ц▄ц┴   ц≈
-       ц▀ц▐ц▌ц├ц┘ц▓ц┘ц▌ц┐ц┴ц─ http://seclists.org/#nmap-dev.
-
-
-</PRE>
-<H2>цц║цц╥цц╢цц╞цц╡</H2><PRE>
-       Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
-
-
-</PRE>
-<H2>цц╡цц║ццЁцц╟цц╡цц╞ццЁцц╢цц╡цц║цц╝цц╔цц╝цц╘цц╔</H2><PRE>
-       ц╝ц▐ц≈ц┘ц┼ц⌡ц∙ц─  ц≈ц┘ц▓ц⌠ц┴ц─  nmap  ц≈ц≥  ц█ц▐ц√ц┘ц■ц┘  ц⌠ц▀ц│ц·ц│ц■ц≤  ц░ц▐ ц│ц└ц▓ц┘ц⌠ц∙ http://www.inse-
-       cure.org/nmap/
-
-       ц╟ц▓ц│ц≈ц│ ц▌ц│ Nmap Security Scanner ц░ц▓ц┴ц▌ц│ц└ц▄ц┘ц√ц│ц■ 1996-2004 Insecure.Com  LLC.
-       Nmap  ц■ц│ц▀ц√ц┘  ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒  ц ц│ц▓ц┘ц┤ц┴ц⌠ц■ц▓ц┴ц▓ц▐ц≈ц│ц▌ц▌ц▐ц┼  ц■ц▐ц▓ц┤ц▐ц≈ц▐ц┼ ц█ц│ц▓ц▀ц▐ц┼ Insecure.Com
-       LLC.  ц╪ц■ц│ ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц│ ц▒ц≈ц▄ц▒ц┘ц■ц⌠ц▒ ц┌ц┘ц⌠ц░ц▄ц│ц■ц▌ц≥ц█  ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц▌ц≥ц█  ц▐ц┌ц┘ц⌠ц░ц┘ц·ц┘ц▌ц┴ц┘ц█.  ц╥ц≥
-       ц█ц▐ц√ц┘ц■ц┘ ц⌠ц≈ц▐ц┌ц▐ц└ц▌ц▐ ц▓ц│ц⌠ц░ц▓ц▐ц⌠ц■ц▓ц│ц▌ц▒ц■ц≤ ц┴/ц┴ц▄ц┴ ц█ц▐ц└ц┴ц├ц┴ц┐ц┴ц▓ц▐ц≈ц│ц■ц≤ ц┘ц┘ ц≈ ц⌠ц▐ц▐ц■ц≈ц┘ц■ц⌠ц■ц≈ц┴ц┴ ц⌠
-       ц■ц▓ц┘ц┌ц▐ц≈ц│ц▌ц┴ц▒ц█ц┴ GNU General Public License, ц▐ц░ц∙ц┌ц▄ц┴ц▀ц▐ц≈ц│ц▌ц▌ц▐ц┼  Free  Software
-       Foundation;  ц╥ц┘ц▓ц⌠ц┴ц▒  2.  ц╔ц⌠ц▄ц┴  ц≈ц≥ ц┬ц▐ц■ц┴ц■ц┘ ц┴ц⌠ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц≤ ц■ц┘ц┬ц▌ц▐ц▄ц▐ц┤ц┴ц┴ nmap ц≈
-       ц·ц│ц⌠ц■ц▌ц≥ц┬  ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц▌ц≥ц┬  ц░ц▓ц▐ц└ц∙ц▀ц■ц│ц┬  -  ц█ц≥  ц█ц▐ц√ц┘ц█  ц░ц▓ц▐ц└ц│ц■ц≤   ц│ц▄ц≤ц■ц┘ц▓ц▌ц│ц■ц┴ц≈ц▌ц≥ц┘
-       ц▄ц┴ц┐ц┘ц▌ц ц┴ц┴.  ц╞ц┌ц▓ц│ц²ц│ц┼ц■ц┘ц⌠ц≤ ц▌ц│ sales@insecure.com
-
-       ц╪ц╢ц║ ц╟ц╡ц╞ц╖ц╡ц║ц╜ц╜ц║ ц╟ц╞цЁц╢ц║ц╥ц╛ц╠ц╔ц╢цЁц╠ ц╒ц╔ц╨ ц╟ц╡ц╔ц╓ц╞цЁц╢ц║ц╥ц╛ц╔ц╝ц╘ц╠ ц╚ц║ц╚ц╘ц╗-ц╛ц╘ц╒ц╞ ц╖ц║ц╡ц║ц╝ц╢ц╘ц╙.
-
-       ц╪ц■ц▐ц■   ц░ц▓ц▐ц└ц∙ц▀ц■   ц■ц│ц▀ц√ц┘   ц≈ц▀ц▄ц─ц·ц│ц┘ц■   ц≈   ц⌠ц┘ц┌ц▒   ц░ц▓ц▐ц┤ц▓ц│ц█ц█ц▌ц▐ц┘  ц▐ц┌ц┘ц⌠ц░ц┘ц·ц┘ц▌ц┴ц┘
-       ц░ц▓ц▐ц┴ц ц≈ц┘ц└бёц▌ц▌ц▐ц┘ Apache Software Foundation (http://www.apache.org/)
-
-       ц║ц≈ц■ц▐ц▓ц⌠ц▀ц┴ц┘ ц░ц▓ц│ц≈ц│ ц▌ц│ ц┌ц┴ц┌ц▄ц┴ц▐ц■ц┘ц▀ц∙ PCRE  (Perl  Compatible  Regular  Expres-
-       sions), ц⌠ц▐ц ц└ц│ц▌ц▌ц∙ц─ Philip Hazel, ц░ц▓ц┴ц▌ц│ц└ц▄ц┘ц√ц│ц■ ц╚ц°ц█ц┌ц▓ц┴ц└ц√ц⌠ц▀ц▐ц█ц∙ ц╣ц▌ц┴ц≈ц┘ц▓ц⌠ц┴ц■ц┘ц■ц∙.
-       ц╟ц▐ц└ц▓ц▐ц┌ц▌ц┘ц┘ - http://www.pcre.org/
-
-       ц╒ц┴ц┌ц▄ц┴ц▐ц■ц┘ц▀ц│ Libpcap ц▓ц│ц⌠ц░ц▓ц▐ц⌠ц■ц▓ц│ц▌ц▒ц┘ц■ц⌠ц▒ ц≈ц█ц┘ц⌠ц■ц┘ ц⌠ nmap ц┴ ц│ц≈ц■ц▐ц▓ц⌠ц▀ц┴ц┘ ц░ц▓ц│ц≈ц│  ц▌ц│
-       ц▌ц┘бё   ц░ц▓ц┴ц▌ц│ц└ц▄ц┘ц√ц│ц■   Van   Jacobson,   Craig  Leres  ц┴  Steven  McCanne,
-       ц╝ц│ц┐ц┴ц▐ц▌ц│ц▄ц≤ц▌ц│ц▒ ц▄ц│ц┌ц▐ц▓ц│ц■ц▐ц▓ц┴ц▒ Lawrence Berkley ц╚ц│ц▄ц┴ц├ц▐ц▓ц▌ц┴ц┼ц⌠ц▀ц▐ц┤ц▐ ц∙ц▌ц┴ц≈ц┘ц▓ц⌠ц┴ц■ц┘ц■ц│,
-       ц╒ц┘ц▓ц▀ц▄ц┴,    ц╚ц│ц▄ц┴ц├ц▐ц▓ц▌ц┴ц▒.    цЁц┘ц┼ц·ц│ц⌠    ц°ц■ц│    ц┌ц┴ц┌ц▄ц┴ц▐ц■ц┘ц▀ц│    ц⌠ц▐ц░ц▓ц▐ц≈ц▐ц√ц└ц│ц┘ц■ц⌠ц▒
-       http://www.tcpdump.org.
-
-       Nmap  ц▐ц░ц┐ц┴ц▐ц▌ц│ц▄ц≤ц▌ц▐  ц█ц▐ц√ц┘ц■  ц┌ц≥ц■ц≤  ц⌠ц▀ц▐ц█ц░ц┴ц▄ц┴ц▓ц▐ц≈ц│ц▌  ц⌠  ц░ц▐ц└ц└ц┘ц▓ц√ц▀ц▐ц┼   OpenSSL.
-       ц╟ц▐ц└ц▓ц▐ц┌ц▌ц┘ц┘ - http://www.openssl.org/.
-
-       ц╟ц┘ц▓ц┘ц≈ц▐ц└ ц▓ц∙ц▀ц▐ц≈ц▐ц└ц⌠ц■ц≈ц│ ц░ц▐ц▄ц≤ц ц▐ц≈ц│ц■ц┘ц▄ц▒ ц▌ц│ ц▓ц∙ц⌠ц⌠ц▀ц┴ц┼ : ц║ц┼ц≈ц┴ ц╡ц┴ц ц  5B43694E5D
-
-
-
-                                                                       <B>NMAP(1)</B>
-</PRE>
-<HR>
-<ADDRESS>
-Man(1) output converted with
-<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
-</ADDRESS>
-</BODY>
-</HTML>
diff --git a/docs/nmap_manpage.html b/docs/nmap_manpage.html
deleted file mode 100644
index e810e67a1..000000000
--- a/docs/nmap_manpage.html
+++ /dev/null
@@ -1,2356 +0,0 @@
-<HTML>
-<HEAD>
-<TITLE>Nmap network security scanner man page</TITLE>
-</HEAD>
-<BODY>
-<H1>Nmap network security scanner man page</H1>
-<HR>
-<PRE>
-<!-- Manpage converted by man2html 3.0.1 -->
-<B>NMAP(1)</B>                      Nmap Reference Guide                      <B>NMAP(1)</B>
-
-
-
-
-</PRE>
-<H2>NAME</H2><PRE>
-       nmap - Network exploration tool and security / port scanner
-
-
-</PRE>
-<H2>SYNOPSIS</H2><PRE>
-       <B>nmap</B> [<I>Scan</I> <I>Type</I>...] [<I>Options</I>] {<I>target</I> <I>specification</I>}
-
-
-</PRE>
-<H2>DESCRIPTION</H2><PRE>
-       Nmap (Б─°Network MapperБ─²) is an open source tool for network exploration
-       and security auditing. It was designed to rapidly scan large networks,
-       although it works fine against single hosts. Nmap uses raw IP packets
-       in novel ways to determine what hosts are available on the network,
-       what services (application name and version) those hosts are offering,
-       what operating systems (and OS versions) they are running, what type of
-       packet filters/firewalls are in use, and dozens of other
-       characteristics. While Nmap is commonly used for security audits, many
-       systems and network administrators find it useful for routine tasks
-       such as network inventory, managing service upgrade schedules, and
-       monitoring host or service uptime.
-
-       The output from Nmap is a list of scanned targets, with supplemental
-       information on each depending on the options used. Key among that
-       information is the Б─°interesting ports tableБ─². That table lists the port
-       number and protocol, service name, and state. The state is either open,
-       filtered, closed, or unfiltered. Open means that an application on the
-       target machine is listening for connections/packets on that port.
-       Filtered means that a firewall, filter, or other network obstacle is
-       blocking the port so that Nmap cannot tell whether it is open or
-       closed.  Closed ports have no application listening on them, though
-       they could open up at any time. Ports are classified as unfiltered when
-       they are responsive to NmapБ─≥s probes, but Nmap cannot determine whether
-       they are open or closed. Nmap reports the state combinations
-       open|filtered and closed|filtered when it cannot determine which of the
-       two states describe a port. The port table may also include software
-       version details when version detection has been requested. When an IP
-       protocol scan is requested (<B>-sO</B>), Nmap provides information on
-       supported IP protocols rather than listening ports.
-
-       In addition to the interesting ports table, Nmap can provide further
-       information on targets, including reverse DNS names, operating system
-       guesses, device types, and MAC addresses.
-
-       A typical Nmap scan is shown in Example 15.1, Б─°A representative Nmap
-       scanБ─². The only Nmap arguments used in this example are <B>-A</B>, to enable
-       OS and version detection, <B>-T4</B> for faster execution, and then the two
-       target hostnames.  Example 15.1. A representative Nmap scan.sp
-       # nmap -A -T4 scanme.nmap.org playground
-
-       Starting nmap ( http://www.insecure.org/nmap/ )
-       Interesting ports on scanme.nmap.org (205.217.153.62):
-       (The 1663 ports scanned but not shown below are in state: filtered)
-       PORT    STATE  SERVICE VERSION
-       22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
-       53/tcp  open   domain
-       70/tcp  closed gopher
-       80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
-       113/tcp closed auth
-       Device type: general purpose
-       Running: Linux 2.4.X|2.5.X|2.6.X
-       OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
-       Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)
-
-       Interesting ports on playground.nmap.org (192.168.0.40):
-       (The 1659 ports scanned but not shown below are in state: closed)
-       PORT     STATE SERVICE       VERSION
-       135/tcp  open  msrpc         Microsoft Windows RPC
-       139/tcp  open  netbios-ssn
-       389/tcp  open  ldap?
-       445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
-       1002/tcp open  windows-icfw?
-       1025/tcp open  msrpc         Microsoft Windows RPC
-       1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
-       5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
-       5900/tcp open  vnc           VNC (protocol 3.8)
-       MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
-       Device type: general purpose
-       Running: Microsoft Windows NT/2K/XP
-       OS details: Microsoft Windows XP Pro RC1+ through final release
-       Service Info: OSs: Windows, Windows XP
-
-       Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
-
-
-</PRE>
-<H2>OPTIONS SUMMARY</H2><PRE>
-       This options summary is printed when Nmap is run with no arguments, and
-       the latest version is always available at
-       <I>http://www.insecure.org/nmap/data/nmap.usage.txt</I>. It helps people
-       remember the most common options, but is no substitute for the in-depth
-       documentation in the rest of this manual. Some obscure options arenБ─≥t
-       even included here.
-
-       Usage: nmap [Scan Type(s)] [Options] {target specification}
-       TARGET SPECIFICATION:
-         Can pass hostnames, IP addresses, networks, etc.
-         Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254
-         -iL &lt;inputfilename&gt;: Input from list of hosts/networks
-         -iR &lt;num hosts&gt;: Choose random targets
-         --exclude &lt;host1[,host2][,host3],...&gt;: Exclude hosts/networks
-         --excludefile &lt;exclude_file&gt;: Exclude list from file
-       HOST DISCOVERY:
-         -sL: List Scan - simply list targets to scan
-         -sP: Ping Scan - go no further than determining if host is online
-         -P0: Treat all hosts as online -- skip host discovery
-         -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports
-         -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-         -n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve]
-       SCAN TECHNIQUES:
-         -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-         -sN/sF/sX: TCP Null, FIN, and Xmas scans
-         --scanflags &lt;flags&gt;: Customize TCP scan flags
-         -sI &lt;zombie host[:probeport]&gt;: Idlescan
-         -sO: IP protocol scan
-         -b &lt;ftp relay host&gt;: FTP bounce scan
-       PORT SPECIFICATION AND SCAN ORDER:
-         -p &lt;port ranges&gt;: Only scan specified ports
-           Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-         -F: Fast - Scan only the ports listed in the nmap-services file)
-         -r: Scan ports consecutively - donБ─≥t randomize
-       SERVICE/VERSION DETECTION:
-         -sV: Probe open ports to determine service/version info
-         --version_light: Limit to most likely probes for faster identification
-         --version_all: Try every single probe for version detection
-         --version_trace: Show detailed version scan activity (for debugging)
-       OS DETECTION:
-         -O: Enable OS detection
-         --osscan_limit: Limit OS detection to promising targets
-         --osscan_guess: Guess OS more aggressively
-       TIMING AND PERFORMANCE:
-         -T[0-6]: Set timing template (higher is faster)
-         --min_hostgroup/max_hostgroup &lt;msec&gt;: Parallel host scan group sizes
-         --min_parallelism/max_parallelism &lt;msec&gt;: Probe parallelization
-         --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout &lt;msec&gt;: Specifies
-             probe round trip time.
-         --host_timeout &lt;msec&gt;: Give up on target after this long
-         --scan_delay/--max_scan_delay &lt;msec&gt;: Adjust delay between probes
-       FIREWALL/IDS EVASION AND SPOOFING:
-         -f; --mtu &lt;val&gt;: fragment packets (optionally w/given MTU)
-         -D &lt;decoy1,decoy2[,ME],...&gt;: Cloak a scan with decoys
-         -S &lt;IP_Address&gt;: Spoof source address
-         -e &lt;iface&gt;: Use specified interface
-         -g/--source_port &lt;portnum&gt;: Use given port number
-         --data_length &lt;num&gt;: Append random data to sent packets
-         --ttl &lt;val&gt;: Set IP time-to-live field
-         --spoof_mac &lt;mac address, prefix, or vendor name&gt;: Spoof your MAC address
-       OUTPUT:
-         -oN/-oX/-oS/-oG &lt;file&gt;: Output scan results in normal, XML, s|&lt;rIpt kIddi3,
-            and Grepable format, respectively, to the given filename.
-         -oA &lt;basename&gt;: Output in the three major formats at once
-         -v: Increase verbosity level (use twice for more effect)
-         -d[level]: Set or increase debugging level (Up to 9 is meaningful)
-         --packet_trace: Show all packets sent and received
-         --iflist: Print host interfaces and routes (for debugging)
-         --append_output: Append to rather than clobber specified output files
-         --resume &lt;filename&gt;: Resume an aborted scan
-         --stylesheet &lt;path/URL&gt;: XSL stylesheet to transform XML output to HTML
-         --no_stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output
-       MISC:
-         -6: Enable IPv6 scanning
-         -A: Enables OS detection and Version detection
-         --datadir &lt;dirname&gt;: Specify custom Nmap data file location
-         --send_eth/--send_ip: Send packets using raw ethernet frames or IP packets
-         --privileged: Assume that the user is fully privileged
-         -V: Print version number
-         -h: Print this help summary page.
-       EXAMPLES:
-         nmap -v -A scanme.nmap.org
-         nmap -v -sP 192.168.0.0/16 10.0.0.0/8
-         nmap -v -iR 10000 -P0 -p 80
-
-
-
-</PRE>
-<H2>TARGET SPECIFICATION</H2><PRE>
-       Everything on the Nmap command-line that isnБ─≥t an option (or option
-       argument) is treated as a target host specification. The simplest case
-       is to specify a target IP address or hostname for scanning.
-
-       Sometimes you wish to scan a whole network of adjacent hosts. For this,
-       Nmap supports CIDR-style addressing. You can append /<I>numbits</I> to an IP
-       address or hostname and Nmap will scan every IP address for which the
-       first <I>numbits</I> are the same as for the reference IP or hostname given.
-       For example, 192.168.10.0/24 would scan the 256 hosts between
-       192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and
-       192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
-       inclusive. 192.168.10.40/24 would do exactly the same thing. Given that
-       the host scanme.nmap.org is at the IP address 205.217.153.62, the
-       specification scanme.nmap.org/16 would scan the 65,536 IP addresses
-       between 205.217.0.0 and 205.217.255.255. The smallest allowed value is
-       /1, which scans half the Internet. The largest value is 32, which scans
-       just the named host or IP address because all address bits are fixed.
-
-       CIDR notation is short but not always flexible enough. For example, you
-       might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or
-       .255 because they are commonly broadcast addresses. Nmap supports this
-       through octet range addressing. Rather than specify a normal IP
-       address, you can specify a comma separated list of numbers or ranges
-       for each octet. For example, 192.168.0-255.1-254 will skip all
-       addresses in the range that end in .0 and or .255. Ranges need not be
-       limited to the final octects: the specifier 0-255.0-255.13.37 will
-       perform an Internet-wide scan for all IP addresses ending in 13.37.
-       This sort of broad sampling can be useful for Internet surveys and
-       research.
-
-       IPv6 addresses can only be specified by their fully qualified IPv6
-       address or hostname. CIDR and octet ranges arenБ─≥t supported for IPv6
-       because they are rarely useful.
-
-       Nmap accepts multiple host specifications on the command line, and they
-       donБ─≥t need to be the same type. The command <B>nmap</B> <B>scanme.nmap.org</B>
-       <B>192.168.0.0/8</B> <B>10.0.0,1,3-7.0-255</B> does what you would expect.
-
-       While targets are usually specified on the command lines, the following
-       options are also available to control target selection:
-
-       <B>-iL</B> <B>&lt;inputfilename&gt;</B> (Input from list)
-              Reads target specifications from <I>inputfilename</I>. Passing a huge
-              list of hosts is often awkward on the command line, yet it is a
-              common desire. For example, your DHCP server might export a list
-              of 10,000 current leases that you wish to scan. Or maybe you
-              want to scan all IP addresses <I>except</I> for those to locate hosts
-              using unauthorized static IP addresses. Simply generate the list
-              of hosts to scan and pass that filename to Nmap as an argument
-              to the <B>-iL</B> option. Entries can be in any of the formats accepted
-              by Nmap on the command line (IP address, hostname, CIDR, IPv6,
-              or octet ranges). Each entry must be separated by one or more
-              spaces, tabs, or newlines. You can specify a hyphen (-) as the
-              filename if you want Nmap to read hosts from standard input
-              rather than an actual file.
-
-       <B>-iR</B> <B>&lt;num</B> <B>hosts&gt;</B> (Choose random targets)
-              For Internet-wide surveys and other research, you may want to
-              choose targets at random. The <I>num</I> <I>hosts</I> argument tells Nmap how
-              many IPs to generate. Undesirable IPs such as those in certain
-              private, multicast, or unallocated address ranges are
-              automatically skipped. The argument 0 can be specified for a
-              never-ending scan. Keep in mind that some network administrators
-              bristle at unauthorized scans of their networks and may
-              complain. Use this option at your own risk! If you find yourself
-              really bored one rainy afternoon, try the command <B>nmap</B> <B>-sS</B> <B>-PS80</B>
-              <B>-iR</B> <B>0</B> <B>-p</B> <B>80</B> to locate random web servers for browsing.
-
-       <B>--exclude</B> <B>&lt;host1[,host2][,host3],...&gt;</B> (Exclude hosts/networks)
-              Specifies a comma-separated list of targets to be excluded from
-              the scan even if they are part of the overall network range you
-              specify. The list you pass in uses normal Nmap syntax, so it can
-              include hostnames, CIDR netblocks, octet ranges, etc. This can
-              be useful when the network you wish to scan includes untouchable
-              mission-critical servers, systems that are known to react
-              adversely to port scans, or subnetworks administered by other
-              people.
-
-       <B>--excludefile</B> <B>&lt;exclude_file&gt;</B> (Exclude list from file)
-              This offers the same functionality as the <B>--exclude</B> option,
-              except that the excluded targets are provided in a newline,
-              space, or tab delimited <I>exclude</I><B>_</B><I>file</I> rather than on the command
-              line.
-
-
-</PRE>
-<H2>HOST DISCOVERY</H2><PRE>
-       One of the very first steps in any network reconnaissance mission is to
-       reduce a (sometimes huge) set of IP ranges into a list of active or
-       interesting hosts. Scanning every port of every single IP address is
-       slow and usually unnecessary. Of course what makes a host interesting
-       depends greatly on the scan purposes. Network administrators may only
-       be interested in hosts running a certain service, while security
-       auditors may care about every single device with an IP address. An
-       administrator may be comfortable using just an ICMP ping to locate
-       hosts on his internal network, while an external penetration tester may
-       use a diverse set of dozens of probes in an attempt to evade firewall
-       restrictions.
-
-       Because host discovery needs are so diverse, Nmap offers a wide variety
-       of options for customizing the techniques used. Host discovery is
-       sometimes called ping scan, but it goes well beyond the simple ICMP
-       echo request packets associated with the ubiquitous ping tool. Users
-       can skip the ping step entirely with a list scan (<B>-sL</B>) or by disabling
-       ping (<B>-P0</B>), or engage the network with arbitrary combinations of
-       multi-port TCP SYN/ACK, UDP, and ICMP probes. The goal of these probes
-       is to solicit responses which demonstrate that an IP address is
-       actually active (is being used by a host or network device). On many
-       networks, only a small percentage of IP addresses are active at any
-       given time. This is particularly common with RFC1918-blessed private
-       address space such as 10.0.0.0/8. That network has 16 million IPs, but
-       I have seen it used by companies with less than a thousand machines.
-       Host discovery can find those machines in a sparsely allocated sea of
-       IP addresses.
-
-       If no host discovery options are given, Nmap sends a TCP ACK packet
-       destined for port 80 and an ICMP Echo Request query to each target
-       machine. An exception to this is that an ARP scan is used for any
-       targets which are on a local ethernet network. For unprivileged UNIX
-       shell users, a SYN packet is sent instead of the ack using the
-       <B>connect()</B> system call. These defaults are equivalent to the <B>-PA</B> <B>-PE</B>
-       options. This host discovery is often sufficent when scanning local
-       networks, but a more comprehensive set of discovery probes is
-       recommended for security auditing.
-
-       The <B>-P*</B> options (which select ping types) can be combined. You can
-       increase your odds of penetrating strict firewalls by sending many
-       probe types using different TCP ports/flags and ICMP codes. Also note
-       that ARP discovery (<B>-PR</B>) is done by default against targets on a local
-       ethernet network even if you specify other <B>-P*</B> options, because it is
-       almost always faster and more effective.
-
-       The following options control host discovery.
-
-       <B>-sL</B> (List Scan)
-              The list scan is a degenerate form of host discovery that simply
-              lists each host of the network(s) specified, without sending any
-              packets to the target hosts. By default, Nmap still does
-              reverse-DNS resolution on the hosts to learn their names. It is
-              often surprising how much useful information simple hostnames
-              give out. For example, fw.chi.playboy.com is the firewall for
-              the Chicago office of Playboy Enterprises. Nmap also reports the
-              total number of IP addresses at the end. The list scan is a good
-              sanity check to ensure that you have proper IP addresses for
-              your targets. If the hosts sport domain names you do not
-              recognize, it is worth investigating further to prevent scanning
-              the wrong companyБ─≥s network.
-
-              Since the idea is to simply print a list of target hosts,
-              options for higher level functionality such as port scanning, OS
-              detection, or ping scanning cannot be combined with this. If you
-              wish to disable ping scanning while still performing such higher
-              level functionality, read up on the <B>-P0</B> option.
-
-       <B>-sP</B> (Ping Scan)
-              This option tells Nmap to <I>only</I> perform a ping scan (host
-              discovery), then print out the available hosts that responded to
-              the scan. No further testing (such as port scanning or OS
-              detection) is performed. This is one step more intrusive than
-              the list scan, and can often be used for the same purposes. It
-              allows light reconnaissance of a target network without
-              attracting much attention. Knowing how many hosts are up is more
-              valuable to attackers than the list provided by list scan of
-              every single IP and host name.
-
-              Systems administrators often find this option valuable as well.
-              It can easily be used to count available machines on a network
-              or monitor server availability. This is often called a ping
-              sweep, and is more reliable than pinging the broadcast address
-              because many hosts do not reply to broadcast queries.
-
-              The <B>-sP</B> option sends an ICMP echo request and a TCP packet to
-              port 80 by default. When executed by an unprivileged user, a SYN
-              packet is sent (using a <B>connect()</B> call) to port 80 on the
-              target. When a privileged user tries to scan targets on a local
-              ethernet network, ARP requests (<B>-PR</B>) are used unless <B>--send_ip</B>
-              was specified. The <B>-sP</B> option can be combined with any of the
-              discovery probe types (the <B>-P*</B> options, excluding <B>-P0</B>) for
-              greater flexibility. If any of those probe type and port number
-              options are used, the default probes (ACK and echo request) are
-              overridden. When strict firewalls are in place between the
-              source host running Nmap and the target network, using those
-              advanced techniques is recommended. Otherwise hosts could be
-              missed when the firewall drops probes or their responses.
-
-       <B>-P0</B> (No ping)
-              This option skips the Nmap discovery stage altogether. Normally,
-              Nmap uses this stage to determine active machines for heavier
-              scanning. By default, Nmap only performs heavy probing such as
-              port scans, version detection, or OS detection against hosts
-              that are found to be up. Disabling host discovery with <B>-P0</B>
-              causes Nmap to attempt the requested scanning functions against
-              <I>every</I> target IP address specified. So if a class B sized target
-              address space (/16) is specified on the command line, all 65,536
-              IP addresses are scanned. That second option character in <B>-P0</B> is
-              a zero and not the letter O. Proper host discovery is skipped as
-              with the list scan, but instead of stopping and printing the
-              target list, Nmap continues to perform requested functions as if
-              each target IP is active.
-
-       <B>-PS</B> <B>[portlist]</B> (TCP SYN Ping)
-              This option sends an empty TCP packet with the SYN flag set. The
-              default destination port is 80 (configurable at compile time by
-              changing DEFAULT_TCP_PROBE_PORT in <I>nmap.h</I>), but an alternate
-              port can be specified as a parameter. A comma separated list of
-              ports can even be specified (e.g.
-              <B>-PS22,23,25,80,113,1050,35000</B>), in which case probes will be
-              attempted against each port in parallel.
-
-              The SYN flag suggests to the remote system that you are
-              attempting to establish a connection. Normally the destination
-              port will be closed, and a RST (reset) packet sent back. If the
-              port happens to be open, the target will take the second step of
-              a TCP 3-way-handshake by responding with a SYN/ACK TCP packet.
-              The machine running Nmap then tears down the nascent connection
-              by responding with a RST rather than sending an ACK packet which
-              would complete the 3-way-handshake and establish a full
-              connection. The RST packet is sent by the kernel of the machine
-              running Nmap in response to the unexpected SYN/ACK, not by Nmap
-              itself.
-
-              Nmap does not care whether the port is open or closed. Either
-              the RST or SYN/ACK response discussed previously tell Nmap that
-              the host is available and responsive.
-
-              On UNIX boxes, only the privileged user root is generally able
-              to send and receive raw TCP packets. For unprivileged users, a
-              workaround is automatically employed whereby the connect()
-              system call is initiated against each target port. This has the
-              effect of sending a SYN packet to the target host, in an attempt
-              to establish a connection. If connect() returns with a quick
-              success or an ECONNREFUSED failure, the underlying TCP stack
-              must have received a SYN/ACK or RST and the host is marked
-              available. If the connection attempt is left hanging until a
-              timeout is reached, the host is marked as down. This workaround
-              is also used for IPv6 connections, as raw IPv6 packet building
-              support is not yet available in Nmap.
-
-       <B>-PA</B> <B>[portlist]</B> (TCP ACK Ping)
-              The TCP ACK ping is quite similar to the just-discussed SYN
-              ping. The difference, as you could likely guess, is that the TCP
-              ACK flag is set instead of the SYN flag. Such an ACK packet
-              purports to be acknowledging data over an established TCP
-              connection, but no such connection exists. So remote hosts
-              should always respond with a RST packet, disclosing their
-              existence in the process.
-
-              The <B>-PA</B> option uses the same default port as the SYN probe (80)
-              and can also take a list of destination ports in the same
-              format. If an unprivileged user tries this, or an IPv6 target is
-              specified, the connect() workaround discussed previously is
-              used. This workaround is imperfect because connect() is actually
-              sending a SYN packet rather than an ACK.
-
-              The reason for offering both SYN and ACK ping probes is to
-              maximize the chances of bypassing firewalls. Many administrators
-              configure routers and other simple firewalls to block incoming
-              SYN packets except for those destined for public services like
-              the company web site or mail server. This prevents other
-              incoming connections to the organization, while allowing users
-              to make unobstructed outgoing connections to the Internet. This
-              non-stateful approach takes up few resources on the
-              firewall/router and is widely supported by hardware and software
-              filters. The Linux Netfilter/iptables firewall software offers
-              the <B>--syn</B> convenience option to implement this stateless
-              approach. When stateless firewall rules such as this are in
-              place, SYN ping probes (<B>-PS</B>) are likely to be blocked when sent
-              to closed target ports. In such cases, the ACK probe shines as
-              it cuts right through these rules.
-
-              Another common type of firewall uses stateful rules that drop
-              unexpected packets. This feature was initially found mostly on
-              high-end firewalls, though it has become much more common over
-              the years. The Linux Netfilter/iptables system supports this
-              through the <B>--state</B> option, which categorizes packets based on
-              connection state. A SYN probe is more likely to work against
-              such a system, as unexpected ACK packets are generally
-              recognized as bogus and dropped. A solution to this quandary is
-              to send both SYN and ACK probes by specifying <B>-PS</B> and <B>-PA</B>.
-
-       <B>-PU</B> <B>[portlist]</B> (UDP Ping)
-              Another host discovery option is the UDP ping, which sends an
-              empty (unless <B>--data_length</B> is specified) UDP packet to the
-              given ports. The portlist takes the same format as with the
-              previously discussed <B>-PS</B> and <B>-PA</B> options. If no ports are
-              specified, the default is 31338. This default can be configured
-              at compile-time by changing DEFAULT_UDP_PROBE_PORT in <I>nmap.h</I>. A
-              highly uncommon port is used by default because sending to open
-              ports is often undesirable for this particular scan type.
-
-              Upon hitting a closed port on the target machine, the UDP probe
-              should elicit an ICMP port unreachable packet in return. This
-              signifies to Nmap that the machine is up and available. Many
-              other types of ICMP errors, such as host/network unreachables or
-              TTL exceeded are indicative of a down or unreachable host. A
-              lack of response is also interpreted this way. If an open port
-              is reached, most services simply ignore the empty packet and
-              fail to return any response. This is why the default probe port
-              is 31338, which is highly unlikely to be in use. A few services,
-              such as chargen, will respond to an empty UDP packet, and thus
-              disclose to Nmap that the machine is available.
-
-              The primary advantage of this scan type is that it bypasses
-              firewalls and filters that only screen TCP. For example, I once
-              owned a Linksys BEFW11S4 wireless broadband router. The external
-              interface of this device filtered all TCP ports by default, but
-              UDP probes would still elicit port unreachable messages and thus
-              give away the device.
-
-       <B>-PE</B>; <B>-PP</B>; <B>-PM</B> (ICMP Ping Types)
-              In addition to the unusual TCP and UDP host discovery types
-              discussed previously, Nmap can send the standard packets sent by
-              the ubiquitous ping program. Nmap sends an ICMP type 8 (echo
-              request) packet to the target IP addresses, expecting a type 0
-              (Echo Reply) in return from available hosts. Unfortunately for
-              network explorers, many hosts and firewalls now block these
-              packets, rather than responding as required by [1]<I>RFC</I> <I>1122</I>. For
-              this reason, ICMP-only scans are rarely reliable enough against
-              unknown targets over the Internet. But for system administrators
-              monitoring an internal network, they can be a practical and
-              efficient approach. Use the <B>-PE</B> option to enable this echo
-              request behavior.
-
-              While echo request is the standard ICMP ping query, Nmap does
-              not stop there. The ICMP standard ([2]<I>RFC</I> <I>792</I>) also specifies
-              timestamp request, information request, and address mask request
-              packets as codes 13, 15, and 17, respectively. While the
-              ostensible purpose for these queries is to learn information
-              such as address masks and current times, they can easily be used
-              for host discovery. A system that replies is up and available.
-              Nmap does not currently implement information request packets,
-              as they are not widely supported. RFC 1122 insists that Б─°a host
-              SHOULD NOT implement these messagesБ─². Timestamp and address mask
-              queries can be sent with the <B>-PP</B> and <B>-PM</B> options, respectively.
-              A timestamp reply (ICMP code 14) or address mask reply (code 18)
-              discloses that the host is available. These two queries can be
-              valuable when admins specifically block echo request packets
-              while forgetting that other ICMP queries can be used for the
-              same purpose.
-
-       <B>-PR</B> (ARP Ping)
-              One of the most common Nmap usage scenarios is to scan an
-              ethernet LAN. On most LANs, especially those using
-              RFC1918-blessed private address ranges, the vast majority of IP
-              addresses are unused at any given time. When Nmap tries to send
-              a raw IP packet such as an ICMP echo request, the operating
-              system must determine the destination hardware (ARP) address
-              corresponding to the target IP so that it can properly address
-              the ethernet frame. This is often slow and problematic, since
-              operating systems werenБ─≥t written with the expectation that they
-              would need to do millions of ARP requests against unavailable
-              hosts in a short time period.
-
-              ARP scan puts Nmap and its optimized algorithms in charge of ARP
-              requests. And if it gets a response back, Nmap doesnБ─≥t even need
-              to worry about the IP-based ping packets since it already knows
-              the host is up. This makes ARP scan much faster and more
-              reliable than IP-based scans. So it is done by default when
-              scanning ethernet hosts that Nmap detects are on a local
-              ethernet network. Even if different ping types (such as <B>-PE</B> or
-              <B>-PS</B>) are specified, Nmap uses ARP instead for any of the targets
-              which are on the same LAN. If you absolutely donБ─≥t want to do an
-              ARP scan, specify <B>--send_ip</B>.
-
-       <B>-n</B> (No DNS resolution)
-              Tells Nmap to <I>never</I> do reverse DNS resolution on the active IP
-              addresses it finds. Since DNS is often slow, this speeds things
-              up.
-
-       <B>-R</B> (DNS resolution for all targets)
-              Tells Nmap to <I>always</I> do reverse DNS resolution on the target IP
-              addresses. Normally this is only performed when a machine is
-              found to be alive.
-
-       <B>--system_dns</B> (Use system DNS resolver)
-              By default, Nmap resolves IP addresses by sending queries
-              directly to the name servers configured on your host and then
-              listening for responses. Many requests (often dozens) are
-              performed in parallel for performance. Specify this option if
-              you wish to use your system resolver instead (one IP at a time
-              via the getnameinfo() call). This is slower and rarely useful
-              unless there is a bug in the Nmap DNS code -- please contact us
-              if that is the case. The system resolver is always used for IPv6
-              scans.
-
-
-</PRE>
-<H2>PORT SCANNING BASICS</H2><PRE>
-       While Nmap has grown in functionality over the years, it began as an
-       efficient port scanner, and that remains its core function. The simple
-       command <B>nmap</B> <I>target</I> scans more than 1660 TCP ports on the host <I>target</I>.
-       While many port scanners have traditionally lumped all ports into the
-       open or closed states, Nmap is much more granular. It divides ports
-       into six states: open, closed, filtered, unfiltered, open|filtered, or
-       closed|filtered.
-
-       These states are not intrinsic properties of the port itself, but
-       describe how Nmap sees them. For example, an Nmap scan from the same
-       network as the target may show port 135/tcp as open, while a scan at
-       the same time with the same options from across the Internet might show
-       that port as filtered.
-
-       <B>The</B> <B>six</B> <B>port</B> <B>states</B> <B>recognized</B> <B>by</B> <B>Nmap</B>
-
-       open   An application is actively accepting TCP connections or UDP
-              packets on this port. Finding these is often the primary goal of
-              port scanning. Security-minded people know that each open port
-              is an avenue for attack. Attackers and pen-testers want to
-              exploit the open ports, while administrators try to close or
-              protect them with firewalls without thwarting legitimate users.
-              Open ports are also interesting for non-security scans because
-              they show services available for use on the network.
-
-       closed A closed port is accessible (it receives and responds to Nmap
-              probe packets), but there is no application listening on it.
-              They can be helpful in showing that a host is up on an IP
-              address (host discovery, or ping scanning), and as part of OS
-              detection. Because closed ports are reachable, it may be worth
-              scanning later in case some open up. Administrators may want to
-              consider blocking such ports with a firewall. Then they would
-              appear in the filtered state, discussed next.
-
-       filtered
-              Nmap cannot determine whether the port is open because packet
-              filtering prevents its probes from reaching the port. The
-              filtering could be from a dedicated firewall device, router
-              rules, or host-based firewall software. These ports frustrate
-              attackers because they provide so little information. Sometimes
-              they respond with ICMP error messages such as type 3 code 13
-              (destination unreachable: communication administratively
-              prohibited), but filters that simply drop probes without
-              responding are far more common. This forces Nmap to retry
-              several times just in case the probe was dropped due to network
-              congestion rather than filtering. This slows down the scan
-              dramatically.
-
-       unfiltered
-              The unfiltered state means that a port is accessible, but Nmap
-              is unable to determine whether it is open or closed. Only the
-              ACK scan, which is used to map firewall rulesets, classifies
-              ports into this state. Scanning unfiltered ports with other scan
-              types such as Window scan, SYN scan, or FIN scan, may help
-              resolve whether the port is open.
-
-       open|filtered
-              Nmap places ports in this state when it is unable to determine
-              whether a port is open or filtered. This occurs for scan types
-              in which open ports give no response. The lack of response could
-              also mean that a packet filter dropped the probe or any response
-              it elicited. So Nmap does not know for sure whether the port is
-              open or being filtered. The UDP, IP Protocol, FIN, Null, and
-              Xmas scans classify ports this way.
-
-       closed|filtered
-              This state is used when Nmap is unable to determine whether a
-              port is closed or filtered. It is only used for the IPID Idle
-              scan.
-
-
-</PRE>
-<H2>PORT SCANNING TECHNIQUES</H2><PRE>
-       As a novice performing automotive repair, I can struggle for hours
-       trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to
-       the task at hand. When I fail miserably and tow my jalopy to a real
-       mechanic, he invariably fishes around in a huge tool chest until
-       pulling out the perfect gizmo which makes the job seem effortless. The
-       art of port scanning is similar. Experts understand the dozens of scan
-       techniques and choose the appropriate one (or combination) for a given
-       task. Inexperienced users and script kiddies, on the other hand, try to
-       solve every problem with the default SYN scan. Since Nmap is free, the
-       only barrier to port scanning mastery is knowledge. That certainly
-       beats the automotive world, where it may take great skill to determine
-       that you need a strut spring compressor, then you still have to pay
-       thousands of dollars for it.
-
-       Most of the scan types are only available to privileged users. This is
-       because they send and receive raw packets, which requires root access
-       on UNIX systems. Using an administrator account on Windows is
-       recommended, though Nmap sometimes works for unprivileged users on that
-       platform when WinPcap has already been loaded into the OS. Requiring
-       root privileges was a serious limitation when Nmap was released in
-       1997, as many users only had access to shared shell accounts. Now, the
-       world is different. Computers are cheaper, far more people have
-       always-on direct Internet access, and desktop UNIX systems (including
-       Linux and MAC OS X) are prevalent. A Windows version of Nmap is now
-       available, allowing it to run on even more desktops. For all these
-       reasons, users have less need to run Nmap from limited shared shell
-       accounts. This is fortunate, as the privileged options make Nmap far
-       more powerful and flexible.
-
-       While Nmap attempts to produce accurate results, keep in mind that all
-       of its insights are based on packets returned by the target machines
-       (or firewalls in front of them). Such hosts may be untrustworthy and
-       send responses intended to confuse or mislead Nmap. Much more common
-       are non-RFC-compliant hosts that do not respond as they should to Nmap
-       probes. FIN, Null, and Xmas scans are particularly susceptible to this
-       problem. Such issues are specific to certain scan types and so are
-       discussed in the individual scan type entries.
-
-       This section documents the dozen or so port scan techniques supported
-       by Nmap. Only one method may be used at a time, except that UDP scan
-       (<B>-sU</B>) may be combined with any one of the TCP scan types. As a memory
-       aid, port scan type options are of the form <B>-s</B><I>C</I>, where <I>C</I> is a prominent
-       character in the scan name, usually the first. The one exception to
-       this is the deprecated FTP bounce scan (<B>-b</B>). By default, Nmap performs
-       a SYN Scan, though it substitutes a Connect() scan if the user does not
-       have proper privileges to send raw packets (requires root access on
-       UNIX) or if IPv6 targets were specified. Of the scans listed in this
-       section, unprivileged users can only execute connect() and ftp bounce
-       scans.
-
-       <B>-sS</B> (TCP SYN scan)
-              SYN scan is the default and most popular scan option for good
-              reasons. It can be performed quickly, scanning thousands of
-              ports per second on a fast network not hampered by intrusive
-              firewalls. SYN scan is relatively unobtrusive and stealthy,
-              since it never completes TCP connections. It also works against
-              any compliant TCP stack rather than depending on idiosyncrasies
-              of specific platforms as NmapБ─≥s Fin/Null/Xmas, Maimon and Idle
-              scans do. It also allows clear, reliable differentiation between
-              the open, closed, and filtered states.
-
-              This technique is often referred to as half-open scanning,
-              because you donБ─≥t open a full TCP connection. You send a SYN
-              packet, as if you are going to open a real connection and then
-              wait for a response. A SYN/ACK indicates the port is listening
-              (open), while a RST (reset) is indicative of a non-listener. If
-              no response is received after several retransmissions, the port
-              is marked as filtered. The port is also marked filtered if an
-              ICMP unreachable error (type 3, code 1,2, 3, 9, 10, or 13) is
-              received.
-
-       <B>-sT</B> (TCP connect() scan)
-              TCP Connect() scan is the default TCP scan type when SYN scan is
-              not an option. This is the case when a user does not have raw
-              packet privileges or is scanning IPv6 networks. Instead of
-              writing raw packets as most other scan types do, Nmap asks the
-              underlying operating system to establish a connection with the
-              target machine and port by issuing the connect() system call.
-              This is the same high-level system call that web browsers, P2P
-              clients, and most other network-enabled applications use to
-              establish a connection. It is part of a programming interface
-              known as the Berkeley Sockets API. Rather than read raw packet
-              responses off the wire, Nmap uses this API to obtain status
-              information on each connection attempt.
-
-              When SYN scan is available, it is usually a better choice. Nmap
-              has less control over the high level connect() call than with
-              raw packets, making it less efficient. The system call completes
-              connections to open target ports rather than performing the
-              half-open reset that SYN scan does. Not only does this take
-              longer and require more packets to obtain the same information,
-              but target machines are more likely to log the connection. A
-              decent IDS will catch either, but most machines have no such
-              alarm system. Many services on your average UNIX system will add
-              a note to syslog, and sometimes a cryptic error message, when
-              Nmap connects and then closes the connection without sending
-              data. Truly pathetic services crash when this happens, though
-              that is uncommon. An administrator who sees a bunch of
-              connection attempts in her logs from a single system should know
-              that she has been connect scanned.
-
-       <B>-sU</B> (UDP scans)
-              While most popular services on the Internet run over the TCP
-              protocol, [3]<I>UDP</I> services are widely deployed. DNS, SNMP, and
-              DHCP (registered ports 53, 161/162, and 67/68) are three of the
-              most common. Because UDP scanning is generally slower and more
-              difficult than TCP, some security auditors ignore these ports.
-              This is a mistake, as exploitable UDP services are quite common
-              and attackers certainly donБ─≥t ignore the whole protocol.
-              Fortunately, Nmap can help inventory UDP ports.
-
-              UDP scan is activated with the <B>-sU</B> option. It can be combined
-              with a TCP scan type such as SYN scan (<B>-sS</B>) to check both
-              protocols during the same run.
-
-              UDP scan works by sending an empty (no data) UDP header to every
-              targeted port. If an ICMP port unreachable error (type 3, code
-              3) is returned, the port is closed. Other ICMP unreachable
-              errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as
-              filtered. Occasionally, a service will respond with a UDP
-              packet, proving that it is open. If no response is received
-              after retransmissions, the port is classified as open|filtered.
-              This means that the port could be open, or perhaps packet
-              filters are blocking the communication. Versions scan (<B>-sV</B>) can
-              be used to help differentiate the truly open ports from the
-              filtered ones.
-
-              A big challenge with UDP scanning is doing it quickly. Open and
-              filtered ports rarely send any response, leaving Nmap to time
-              out and then conduct retransmissions just in case the probe or
-              response were lost. Closed ports are often an even bigger
-              problem. They usually send back an ICMP port unreachable error.
-              But unlike the RST packets sent by closed TCP ports in response
-              to a SYN or Connect scan, many hosts rate limit ICMP port
-              unreachable messages by default. Linux and Solaris are
-              particularly strict about this. For example, the Linux 2.4.20
-              kernel limits destination unreachable messages to one per second
-              (in <I>net/ipv4/icmp.c</I>).
-
-              Nmap detects rate limiting and slows down accordingly to avoid
-              flooding the network with useless packets that the target
-              machine will drop. Unfortunately, a Linux-style limit of one
-              packet per second makes a 65,536-port scan take more than 18
-              hours. Ideas for speeding your UDP scans up include scanning
-              more hosts in parallel, doing a quick scan of just the popular
-              ports first, scanning from behind the firewall, and using
-              <B>--host_timeout</B> to skip slow hosts.
-
-       <B>-sN</B>; <B>-sF</B>; <B>-sX</B> (TCP Null, FIN, and Xmas scans)
-              These three scan types (even more are possible with the
-              <B>--scanflags</B> option described in the next section) exploit a
-              subtle loophole in the [4]<I>TCP</I> <I>RFC</I> to differentiate between open
-              and closed ports. Page 65 says that Б─°if the [destination] port
-              state is CLOSED .... an incoming segment not containing a RST
-              causes a RST to be sent in response.Б─²  Then the next page
-              discusses packets sent to open ports without the SYN, RST, or
-              ACK bits set, stating that: Б─°you are unlikely to get here, but
-              if you do, drop the segment, and return.Б─²
-
-              When scanning systems compliant with this RFC text, any packet
-              not containing SYN, RST, or ACK bits will result in a returned
-              RST if the port is closed and no response at all if the port is
-              open. As long as none of those three bits are included, any
-              combination of the other three (FIN, PSH, and URG) are OK. Nmap
-              exploits this with three scan types:
-
-              Null scan (<B>-sN</B>)
-                     Does not set any bits (tcp flag header is 0)
-
-              FIN scan (<B>-sF</B>)
-                     Sets just the TCP FIN bit.
-
-              Xmas scan (<B>-sX</B>)
-                     Sets the FIN, PSH, and URG flags, lighting the packet up
-                     like a Christmas tree.
-
-              These three scan types are exactly the same in behavior except
-              for the TCP flags set in probe packets. If a RST packet is
-              received, the port is considered closed, while no response means
-              it is open|filtered. The port is marked filtered if an ICMP
-              unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is
-              received.
-
-              The key advantage to these scan types is that they can sneak
-              through certain non-stateful firewalls and packet filtering
-              routers. Another advantage is that these scan types are a little
-              more stealthy than even a SYN scan. DonБ─≥t count on this though
-              -- most modern IDS products can be configured to detect them.
-              The big downside is that not all systems follow RFC 793 to the
-              letter. A number of systems send RST responses to the probes
-              regardless of whether the port is open or not. This causes all
-              of the ports to be labeled closed. Major operating systems that
-              do this are Microsoft Windows, many Cisco devices, BSDI, and IBM
-              OS/400. This scan does work against most UNIX-based systems
-              though. Another downside of these scans is that they canБ─≥t
-              distinguish open ports from certain filtered ones, leaving you
-              with the response open|filtered.
-
-       <B>-sA</B> (TCP ACK scan)
-              This scan is different than the others discussed so far in that
-              it never determines open (or even open|filtered) ports. It is
-              used to map out firewall rulesets, determining whether they are
-              stateful or not and which ports are filtered.
-
-              The ACK scan probe packet has only the ACK flag set (unless you
-              use <B>--scanflags</B>). When scanning unfiltered systems, open and
-              closed ports will both return a RST packet. Nmap then labels
-              them as unfiltered, meaning that they are reachable by the ACK
-              packet, but whether they are open or closed is undetermined.
-              Ports that donБ─≥t respond, or send certain ICMP error messages
-              back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.
-
-       <B>-sW</B> (TCP Window scan)
-              Window scan is exactly the same as ACK scan except that it
-              exploits an implementation detail of certain systems to
-              differentiate open ports from closed ones, rather than always
-              printing unfiltered when a RST is returned. It does this by
-              examining the TCP Window field of the RST packets returned. On
-              some systems, open ports use a positive window size (even for
-              RST packets) while closed ones have a zero window. So instead of
-              always listing a port as unfiltered when it receives a RST back,
-              Window scan lists the port as open or closed if the TCP Window
-              value in that reset is positive or zero, respectively.
-
-              This scan relies on an implementation detail of a minority of
-              systems out on the Internet, so you canБ─≥t always trust it.
-              Systems that donБ─≥t support it will usually return all ports
-              closed. Of course, it is possible that the machine really has no
-              open ports. If most scanned ports are closed but a few common
-              port numbers (such as 22, 25, 53) are filtered, the system is
-              most likely susceptible. Occasionally, systems will even show
-              the exact opposite behavior. If your scan shows 1000 open ports
-              and 3 closed or filtered ports, then those three may very well
-              be the truly open ones.
-
-       <B>-sM</B> (TCP Maimon scan)
-              The Maimon scan is named after its discoverer, Uriel Maimon. He
-              described the technique in Phrack Magazine issue #49 (November
-              1996). Nmap, which included this technique, was released two
-              issues later. This technique is exactly the same as Null, FIN,
-              and Xmas scans, except that the probe is FIN/ACK. According to
-              RFC 793 (TCP), a RST packet should be generated in response to
-              such a probe whether the port is open or closed. However, Uriel
-              noticed that many BSD-derived systems simply drop the packet if
-              the port is open.
-
-       <B>--scanflags</B> (Custom TCP scan)
-              Truly advanced Nmap users need not limit themselves to the
-              canned scan types offered. The <B>--scanflags</B> option allows you to
-              design your own scan by specifying arbitrary TCP flags. Let your
-              creative juices flow, while evading intrusion detection systems
-              whose vendors simply paged through the Nmap man page adding
-              specific rules!
-
-              The <B>--scanflags</B> argument can be a numerical flag value such as 9
-              (PSH and FIN), but using symbolic names is easier. Just mash
-              together any combination of URG, ACK, PSH, RST, SYN, and FIN.
-              For example, <B>--scanflags</B> <B>URGACKPSHRSTSYNFIN</B> sets everything,
-              though itБ─≥s not very useful for scanning. The order these are
-              specified in is irrelevant.
-
-              In addition to specifying the desired flags, you can specify a
-              TCP scan type (such as <B>-sA</B> or <B>-sF</B>). That base type tells Nmap
-              how to interpret responses. For example, a SYN scan considers
-              no-response to indicate a filtered port, while a FIN scan treats
-              the same as open|filtered. Nmap will behave the same way it does
-              for the base scan type, except that it will use the TCP flags
-              you specify instead. If you donБ─≥t specify a base type, SYN scan
-              is used.
-
-       <B>-sI</B> <B>&lt;zombie</B> <B>host[:probeport]&gt;</B> (Idlescan)
-              This advanced scan method allows for a truly blind TCP port scan
-              of the target (meaning no packets are sent to the target from
-              your real IP address). Instead, a unique side-channel attack
-              exploits predictable IP fragmentation ID sequence generation on
-              the zombie host to glean information about the open ports on the
-              target. IDS systems will display the scan as coming from the
-              zombie machine you specify (which must be up and meet certain
-              criteria). This fascinating scan type is too complex to fully
-              describe in this reference guide, so I wrote and posted an
-              informal paper with full details at
-              <I>http://www.insecure.org/nmap/idlescan.html</I>.
-
-              Besides being extraordinarily stealthy (due to its blind
-              nature), this scan type permits mapping out IP-based trust
-              relationships between machines. The port listing shows open
-              ports <I>from</I> <I>the</I> <I>perspective</I> <I>of</I> <I>the</I> <I>zombie</I> <I>host.</I>  So you can try
-              scanning a target using various zombies that you think might be
-              trusted (via router/packet filter rules).
-
-              You can add a colon followed by a port number to the zombie host
-              if you wish to probe a particular port on the zombie for IPID
-              changes. Otherwise Nmap will use the port it uses by default for
-              tcp pings (80).
-
-       <B>-sO</B> (IP protocol scan)
-              IP Protocol scan allows you to determine which IP protocols
-              (TCP, ICMP, IGMP, etc.) are supported by target machines. This
-              isnБ─≥t technically a port scan, since it cycles through IP
-              protocol numbers rather than TCP or UDP port numbers. Yet it
-              still uses the <B>-p</B> option to select scanned protocol numbers,
-              reports its results within the normal port table format, and
-              even uses the same underlying scan engine as the true port
-              scanning methods. So it is close enough to a port scan that it
-              belongs here.
-
-              Besides being useful in its own right, protocol scan
-              demonstrates the power of open source software. While the
-              fundamental idea is pretty simple, I had not thought to add it
-              nor received any requests for such functionality. Then in the
-              summer of 2000, Gerhard Rieger conceived the idea, wrote an
-              excellent patch implementing it, and sent it to the nmap-hackers
-              mailing list. I incorporated that patch into the Nmap tree and
-              released a new version the next day. Few pieces of commercial
-              software have users enthusiastic enough to design and contribute
-              their own improvements!
-
-              Protocol scan works in a similar fashion to UDP scan. Instead of
-              iterating through the port number field of a UDP packet, it
-              sends IP packet headers and iterates through the 8-bit IP
-              protocol field. The headers are usually empty, containing no
-              data and not even the proper header for the claimed protocol.
-              The three exceptions are TCP, UDP, and ICMP. A proper protocol
-              header for those is included since some systems wonБ─≥t send them
-              otherwise and because Nmap already has functions to create them.
-              Instead of watching for ICMP port unreachable messages, protocol
-              scan is on the lookout for ICMP <I>protocol</I> unreachable messages.
-              If Nmap receives any response in any protocol from the target
-              host, Nmap marks that protocol as open. An ICMP protocol
-              unreachable error (type 3, code 2) causes the protocol to be
-              marked as closed Other ICMP unreachable errors (type 3, code 1,
-              3, 9, 10, or 13) cause the protocol to be marked filtered
-              (though they prove that ICMP is open at the same time). If no
-              response is received after retransmissions, the protocol is
-              marked open|filtered
-
-       <B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B> (FTP bounce scan)
-              An interesting feature of the FTP protocol ([5]<I>RFC</I> <I>959</I>) is
-              support for so-called proxy ftp connections. This allows a user
-              to connect to one FTP server, then ask that files be sent to a
-              third-party server. Such a feature is ripe for abuse on many
-              levels, so most servers have ceased supporting it. One of the
-              abuses this feature allows is causing the FTP server to port
-              scan other hosts. Simply ask the FTP server to send a file to
-              each interesting port of a target host in turn. The error
-              message will describe whether the port is open or not. This is a
-              good way to bypass firewalls because organizational FTP servers
-              are often placed where they have more access to other internal
-              hosts than any old Internet host would. Nmap supports ftp bounce
-              scan with the <B>-b</B> option. It takes an argument of the form
-              <I>username</I>:<I>password</I>@<I>server</I>:<I>port</I>.  <I>Server</I> is the name or IP address
-              of a vulnerable FTP server. As with a normal URL, you may omit
-              <I>username</I>:<I>password</I>, in which case anonymous login credentials
-              (user: anonymous password:-wwwuser@) are used. The port number
-              (and preceding colon) may be omitted as well, in which case the
-              default FTP port (21) on <I>server</I> is used.
-
-              This vulnerability was widespread in 1997 when Nmap was
-              released, but has largely been fixed. Vulnerable servers are
-              still around, so it is worth trying when all else fails. If
-              bypassing a firewall is your goal, scan the target network for
-              open port 21 (or even for any ftp services if you scan all ports
-              with version detection), then try a bounce scan using each. Nmap
-              will tell you whether the host is vulnerable or not. If you are
-              just trying to cover your tracks, you donБ─≥t need to (and, in
-              fact, shouldnБ─≥t) limit yourself to hosts on the target network.
-              Before you go scanning random Internet addresses for vulnerable
-              FTP servers, consider that sysadmins may not appreciate you
-              abusing their servers in this way.
-
-
-</PRE>
-<H2>PORT SPECIFICATION AND SCAN ORDER</H2><PRE>
-       In addition to all of the scan methods discussed previously, Nmap
-       offers options for specifying which ports are scanned and whether the
-       scan order is randomized or sequential. By default, Nmap scans all
-       ports up to and including 1024 as well as higher numbered ports listed
-       in the <I>nmap-services</I> file for the protocol(s) being scanned.
-
-       <B>-p</B> <B>&lt;port</B> <B>ranges&gt;</B> (Only scan specified ports)
-              This option specifies which ports you want to scan and overrides
-              the default. Individual port numbers are OK, as are ranges
-              separated by a hyphen (e.g. 1-1023). The beginning and/or end
-              values of a range may be omitted, causing Nmap to use 1 and
-              65535, respectively. So you can specify <B>-p-</B> to scan ports from 1
-              through 65535. Scanning port zero is allowed if you specify it
-              explicitly. For IP protocol scanning (<B>-sO</B>), this option
-              specifies the protocol numbers you wish to scan for (0-255).
-
-              When scanning both TCP and UDP ports, you can specify a
-              particular protocol by preceding the port numbers by T: or U:.
-              The qualifier lasts until you specify another qualifier. For
-              example, the argument <B>-p</B> <B>U:53,111,137,T:21-25,80,139,8080</B> would
-              scan UDP ports 53,111,and 137, as well as the listed TCP ports.
-              Note that to scan both UDP &amp; TCP, you have to specify <B>-sU</B> and at
-              least one TCP scan type (such as <B>-sS</B>, <B>-sF</B>, or <B>-sT</B>). If no
-              protocol qualifier is given, the port numbers are added to all
-              protocol lists.
-
-       <B>-F</B> (Fast (limited port) scan)
-              Specifies that you only wish to scan for ports listed in the
-              <I>nmap-services</I> file which comes with nmap (or the protocols file
-              for <B>-sO</B>). This is much faster than scanning all 65535 ports on a
-              host. Because this list contains so many TCP ports (more than
-              1200), the speed difference from a default TCP scan (about 1650
-              ports) isnБ─≥t dramatic. The difference can be enormous if you
-              specify your own tiny <I>nmap-services</I> file using the <B>--datadir</B>
-              option.
-
-       <B>-r</B> (DonБ─≥t randomize ports)
-              By default, Nmap randomizes the scanned port order (except that
-              certain commonly accessible ports are moved near the beginning
-              for efficiency reasons). This randomization is normally
-              desirable, but you can specify <B>-r</B> for sequential port scanning
-              instead.
-
-
-</PRE>
-<H2>SERVICE AND VERSION DETECTION</H2><PRE>
-       Point Nmap at a remote machine and it might tell you that ports 25/tcp,
-       80/tcp, and 53/udp are open. Using its <I>nmap-services</I> database of about
-       2,200 well-known services, Nmap would report that those ports probably
-       correspond to a mail server (SMTP), web server (HTTP), and name server
-       (DNS) respectively. This lookup is usually accurate -- the vast
-       majority of daemons listening on TCP port 25 are, in fact, mail
-       servers. However, you should not bet your security on this! People can
-       and do run services on strange ports.
-
-       Even if Nmap is right, and the hypothetical server above is running
-       SMTP, HTTP, and DNS servers, that is not a lot of information. When
-       doing vulnerability assessments (or even simple network inventories) of
-       your companies or clients, you really want to know which mail and DNS
-       servers and versions are running. Having an accurate version number
-       helps dramatically in determining which exploits a server is vulnerable
-       to. Version detection helps you obtain this information.
-
-       After TCP and/or UDP ports are discovered using one of the other scan
-       methods, version detection interrogates those ports to determine more
-       about what is actually running. The <I>nmap-service-probes</I> database
-       contains probes for querying various services and match expressions to
-       recognize and parse responses. Nmap tries to determine the service
-       protocol (e.g. ftp, ssh, telnet, http), the application name (e.g. ISC
-       Bind, Apache httpd, Solaris telnetd), the version number, hostname,
-       device type (e.g. printer, router), the OS family (e.g. Windows, Linux)
-       and sometimes miscellaneous details like whether an X server is open to
-       connections, the SSH protocol version, or the KaZaA user name). Of
-       course, most services donБ─≥t provide all of this information. If Nmap
-       was compiled with OpenSSL support, it will connect to SSL servers to
-       deduce the service listening behind that encryption layer. When RPC
-       services are discovered, the Nmap RPC grinder (<B>-sR</B>) is automatically
-       used to determine the RPC program and version numbers. Some UDP ports
-       are left in the open|filtered state after a UDP port scan is unable to
-       determine whether the port is open or filtered. Version detection will
-       try to elicit a response from these ports (just as it does with open
-       ports), and change the state to open if it succeeds.  open|filtered TCP
-       ports are treaded the same way. Note that the Nmap <B>-A</B> option enables
-       version detection among other things. A paper documenting the workings,
-       usage, and customization of version detection is available at
-       <I>http://www.insecure.org/nmap/vscan/</I>.
-
-       When Nmap receives responses from a service but cannot match them to
-       its database, it prints out a special fingerprint and a URL for you to
-       submit if to if you know for sure what is running on the port. Please
-       take a couple minutes to make the submission so that your find can
-       benefit everyone. Thanks to these submissions, Nmap has about 3,000
-       pattern matches for more than 350 protocols such as smtp, ftp, http,
-       etc.
-
-       Version detection is enabled and controlled with the following options:
-
-       <B>-sV</B> (Version detection)
-              Enables version detection, as discussed above. Alternatively,
-              you can use <B>-A</B> to enable both OS detection and version
-              detection.
-
-       <B>--allports</B> (DonБ─≥t exclude any ports from version detection)
-              By default, Nmap version detection skips TCP port 9100 because
-              some printers simply print anything sent to that port, leading
-              to dozens of pages of HTTP get requests, binary SSL session
-              requests, etc. This behavior can be changed by modifying or
-              removing the Exclude directive in <I>nmap-service-probes</I>, or you
-              can specify <B>--allports</B> to scan all ports regardless of any
-              Exclude directive.
-
-       <B>--version_intensity</B> <B>&lt;intensity&gt;</B> (Set version scan intensity)
-              When performing a version scan (<B>-sV</B>), nmap sends a series of
-              probes, each of which is assigned a rarity value between 1 and
-              9. The lower-numbered probes are effective against a wide
-              variety of common services, while the higher numbered ones are
-              rarely useful. The intensity level specifies which probes should
-              be applied. The higher the number, the more likely it is the
-              service will be correctly identified. However, high intensity
-              scans take longer. The intensity must be between 0 and 9. The
-              default is 7. When a probe is registered to the target port via
-              the <I>nmap-service-probes</I>ports directive, that probe is tried
-              regardless of intensity level. This ensures that the DNS probes
-              will always be attempted against any open port 53, the SSL probe
-              will be done against 443, etc.
-
-       <B>--version_light</B> (Enablie light mode)
-              This is a convenience alias for <B>--version_intensity</B> <B>2</B>. This
-              light mode makes version scanning much faster, but it is
-              slightly less likely to identify services.
-
-       <B>--version_all</B> (Try every single probe)
-              An alias for <B>--version_intensity</B> <B>9</B>, ensuring that every single
-              probe is attempted against each port.
-
-       <B>--version_trace</B> (Trace version scan activity)
-              This causes Nmap to print out extensive debugging info about
-              what version scanning is doing. It is a subset of what you get
-              with <B>--packet_trace</B>.
-
-       <B>-sR</B> (RPC scan)
-              This method works in conjunction with the various port scan
-              methods of Nmap. It takes all the TCP/UDP ports found open and
-              floods them with SunRPC program NULL commands in an attempt to
-              determine whether they are RPC ports, and if so, what program
-              and version number they serve up. Thus you can effectively
-              obtain the same info as <B>rpcinfo</B> <B>-p</B> even if the targetБ─≥s
-              portmapper is behind a firewall (or protected by TCP wrappers).
-              Decoys do not currently work with RPC scan. This is
-              automatically enabled as part of version scan (<B>-sV</B>) if you
-              request that. As version detection includes this and is much
-              more comprehensive, <B>-sR</B> is rarely needed.
-
-
-</PRE>
-<H2>OS DETECTION</H2><PRE>
-       One of NmapБ─≥s best-known features is remote OS detection using TCP/IP
-       stack fingerprinting. Nmap sends a series of TCP and UDP packets to the
-       remote host and examines practically every bit in the responses. After
-       performing dozens of tests such as TCP ISN sampling, TCP options
-       support and ordering, IPID sampling, and the initial window size check,
-       Nmap compares the results to its <I>nmap-os-fingerprints</I> database of more
-       than 1500 known OS fingerprints and prints out the OS details if there
-       is a match. Each fingerprint includes a freeform textual description of
-       the OS, and a classification which provides the vendor name (e.g. Sun),
-       underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type
-       (general purpose, router, switch, game console, etc).
-
-       If Nmap is unable to guess the OS of a machine, and conditions are good
-       (e.g. at least one open port and one closed port were found), Nmap will
-       provide a URL you can use to submit the fingerprint if you know (for
-       sure) the OS running on the machine. By doing this you contribute to
-       the pool of operating systems known to Nmap and thus it will be more
-       accurate for everyone.
-
-       OS detection enables several other tests which make use of information
-       that is gathered during the process anyway. One of these is uptime
-       measurement, which uses the TCP timestamp option (RFC 1323) to guess
-       when a machine was last rebooted. This is only reported for machines
-       which provide this information. Another is TCP Sequence Predictability
-       Classification. This measures approximately how hard it is to establish
-       a forged TCP connection against the remote host. It is useful for
-       exploiting source-IP based trust relationships (rlogin, firewall
-       filters, etc) or for hiding the source of an attack. This sort of
-       spoofing is rarely performed any more, but many machines are still
-       vulnerable to it. The actual difficulty number is based on statistical
-       sampling and may fluctuate. It is generally better to use the English
-       classification such as Б─°worthy challengeБ─² or Б─°trivial jokeБ─². This is
-       only reported in normal output in verbose (<B>-v</B>) mode. When verbose mode
-       is enabled along with <B>-O</B>, IPID Sequence Generation is also reported.
-       Most machines are in the Б─°incrementalБ─² class, which means that they
-       increment the ID field in the IP header for each packet they send. This
-       makes them vulnerable to several advanced information gathering and
-       spoofing attacks.
-
-       A paper documenting the workings, usage, and customization of version
-       detection is available in more than a dozen languages at
-       <I>http://www.insecure.org/nmap/nmap-fingerprinting-article.html</I>.
-
-       OS detection is enabled and controlled with the following options:
-
-       <B>-O</B> (Enable OS detection)
-              Enables OS detection, as discussed above. Alternatively, you can
-              use <B>-A</B> to enable both OS detection and version detection.
-
-       <B>--osscan_limit</B> (Limit OS detection to promising targets)
-              OS detection is far more effective if at least one open and one
-              closed TCP port are found. Set this option and Nmap will not
-              even try OS detection against hosts that do not meet this
-              criteria. This can save substantial time, particularly on <B>-P0</B>
-              scans against many hosts. It only matters when OS detection is
-              requested with <B>-O</B> or <B>-A</B>.
-
-       <B>--osscan_guess</B>; <B>--fuzzy</B> (Guess OS detection results)
-              When Nmap is unable to detect a perfect OS match, it sometimes
-              offers up near-matches as possibilities. The match has to be
-              very close for Nmap to do this by default. Either of these
-              (equivalent) options make Nmap guess more aggressively.
-
-
-</PRE>
-<H2>TIMING AND PERFORMANCE</H2><PRE>
-       One of my highest Nmap development priorities has always been
-       performance. A default scan (<B>nmap</B> <I>hostname</I>) of a host on my local
-       network takes a fifth of a second. That is barely enough time to blink,
-       but adds up when you are scanning tens or hundreds of thousands of
-       hosts. Moreover, certain scan options such as UDP scanning and version
-       detection can increase scan times substantially. So can certain
-       firewall configurations, particularly response rate limiting. While
-       Nmap utilizes parallelism and many advanced algorithms to accelerate
-       these scans, the user has ultimate control over how Nmap runs. Expert
-       users carefully craft Nmap commands to obtain only the information they
-       care about while meeting their time constraints.
-
-       Techniques for improving scan times include omitting non-critical
-       tests, and upgrading to the latest version of Nmap (performance
-       enhancements are made frequently). Optimizing timing parameters can
-       also make a substantial difference. Those options are listed below.
-
-       <B>--min_hostgroup</B> <B>&lt;milliseconds&gt;</B>; <B>--max_hostgroup</B> <B>&lt;milliseconds&gt;</B> (Adjust
-       parallel scan group sizes)
-              Nmap has the ability to port scan or version scan multiple hosts
-              in parallel. Nmap does this by dividing the target IP space into
-              groups and then scanning one group at a time. In general, larger
-              groups are more efficient. The downside is that host results
-              canБ─≥t be provided until the whole group is finished. So if Nmap
-              started out with a group size of 50, the user would not receive
-              any reports (except for the updates offered in verbose mode)
-              until the first 50 hosts are completed.
-
-              By default, Nmap takes a compromise approach to this conflict.
-              It starts out with a group size as low as five so the first
-              results come quickly and then increases the groupsize to as high
-              as 1024. The exact default numbers depend on the options given.
-              For efficiency reasons, Nmap uses larger group sizes for UDP or
-              few-port TCP scans.
-
-              When a maximum group size is specified with <B>--max_hostgroup</B>,
-              Nmap will never exceed that size. Specify a minimum size with
-              <B>--min_hostgroup</B> and Nmap will try to keep group sizes above that
-              level. Nmap may have to use smaller groups than you specify if
-              there are not enough target hosts left on a given interface to
-              fulfill the specified minimum. Both may be set to keep the group
-              size within a specific range, though this is rarely desired.
-
-              The primary use of these options is to specify a large minimum
-              group size so that the full scan runs more quickly. A common
-              choice is 256 to scan a network in Class C sized chunks. For a
-              scan with many ports, exceeding that number is unlikely to help
-              much. For scans of just a few port numbers, host group sizes of
-              2048 or more may be helpful.
-
-       <B>--min_parallelism</B> <B>&lt;milliseconds&gt;</B>; <B>--max_parallelism</B> <B>&lt;milliseconds&gt;</B>
-       (Adjust probe parallelization)
-              These options control the total number of probes that may be
-              outstanding for a host group. They are used for port scanning
-              and host discovery. By default, Nmap calculates an ever-changing
-              ideal parallelism based on network performance. If packets are
-              being dropped, Nmap slows down and allows fewer outstanding
-              probes. The ideal probe number slowly rises as the network
-              proves itself worthy. These options place minimum or maximum
-              bounds on that variable. By default, the ideal parallelism can
-              drop to 1 if the network proves unreliable and rise to several
-              hundred in perfect conditions.
-
-              The most common usage is to set <B>--min_parallelism</B> to a number
-              higher than one to speed up scans of poorly performing hosts or
-              networks. This is a risky option to play with, as setting it too
-              high may affect accuracy. Setting this also reduces NmapБ─≥s
-              ability to control parallelism dynamically based on network
-              conditions. A value of ten might be reasonable, though I only
-              adjust this value as a last resort.
-
-              The <B>--max_parallelism</B> option is sometimes set to one to prevent
-              Nmap from sending more than one probe at a time to hosts. This
-              can be useful in combination with <B>--scan_delay</B> (discussed
-              later), although the latter usually serves the purpose well
-              enough by itself.
-
-       <B>--min_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>, <B>--max_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>,
-       <B>--initial_rtt_timeout</B> <B>&lt;milliseconds&gt;</B> (Adjust probe timeouts)
-              Nmap maintains a running timeout value for determining how long
-              it will wait for a probe response before giving up or
-              retransmitting the probe. This is calculated based on the
-              response times of previous probes. If the network latency shows
-              itself to be significant and variable, this timeout can grow to
-              several seconds. It also starts at a conservative (high) level
-              and may stay that way for a while when Nmap scans unresponsive
-              hosts.
-
-              These options take a value in milliseconds. Specifying a lower
-              <B>--max_rtt_timeout</B> and <B>--initial_rtt_timeout</B> than the defaults
-              can cut scan times significantly. This is particularly true for
-              pingless (<B>-P0</B>) scans, and those against heavily filtered
-              networks. DonБ─≥t get too aggressive though. The scan can end up
-              taking longer if you specify such a low value that many probes
-              are timing out and retransmitting while the response is in
-              transit.
-
-              If all the hosts are on a local network, 100 milliseconds is a
-              reasonable aggressive <B>--max_rtt_timeout</B> value. If routing is
-              involved, ping a host on the network first with the ICMP ping
-              utility, or with a custom packet crafter such as hping2 that is
-              more likely to get through a firewall. Look at the maximum round
-              trip time out of ten packets or so. You might want to double
-              that for the <B>--initial_rtt_timeout</B> and triple or quadruple it
-              for the <B>--max_rtt_timeout</B>. I generally do not set the maximum
-              rtt below 100ms, no matter what the ping times are. Nor do I
-              exceed 1000ms.
-
-              <B>--min_rtt_timeout</B> is a rarely used option that could be useful
-              when a network is so unreliable that even NmapБ─≥s default is too
-              aggressive. Since Nmap only reduces the timeout down to the
-              minimum when the network seems to be reliable, this need is
-              unusual and should be reported as a bug to the nmap-dev mailing
-              list.
-
-       <B>--host_timeout</B> <B>&lt;milliseconds&gt;</B> (Give up on slow target hosts)
-              Some hosts simply take a <I>long</I> time to scan. This may be due to
-              poorly performing or unreliable networking hardware or software,
-              packet rate limiting, or a restrictive firewall. The slowest few
-              percent of the scanned hosts can eat up a majority of the scan
-              time. Sometimes it is best to cut your losses and skip those
-              hosts initially. This can be done by specifying <B>--host_timeout</B>
-              with the number of milliseconds you are willing to wait. I often
-              specify 1800000 to ensure that Nmap doesnБ─≥t waste more than half
-              an hour on a single host. Note that Nmap may be scanning other
-              hosts at the same time during that half an hour as well, so it
-              isnБ─≥t a complete loss. A host that times out is skipped. No port
-              table, OS detection, or version detection results are printed
-              for that host.
-
-       <B>--scan_delay</B> <B>&lt;milliseconds&gt;</B>; <B>--max_scan_delay</B> <B>&lt;milliseconds&gt;</B> (Adjust
-       delay between probes)
-              This option causes Nmap to wait at least the given number of
-              milliseconds between each probe it sends to a given host. This
-              is particularly useful in the case of rate limiting. Solaris
-              machines (among many others) will usually respond to UDP scan
-              probe packets with only one ICMP message per second. Any more
-              than that sent by Nmap will be wasteful. A <B>--scan_delay</B> of 1000
-              will keep Nmap at that slow rate. Nmap tries to detect rate
-              limiting and adjust the scan delay accordingly, but it doesnБ─≥t
-              hurt to specify it explicitly if you already know what rate
-              works best.
-
-              Another use of <B>--scan_delay</B> is to evade threshold based
-              intrusion detection and prevention systems (IDS/IPS).
-
-       <B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B> (Set a timing
-       template)
-              While the fine grained timing controls discussed in the previous
-              section are powerful and effective, some people find them
-              confusing. Moreover, choosing the appropriate values can
-              sometimes take more time than the scan you are trying to
-              optimize. So Nmap offers a simpler approach, with six timing
-              templates. You can specify them with the <B>-T</B> option and their
-              number (0 - 5) or their name. The template names are paranoid
-              (0), sneaky (1), polite (2), normal (3), aggressive (4), and
-              insane (5). The first two are for IDS evasion. Polite mode slows
-              down the scan to use less bandwidth and target machine
-              resources. Normal mode is the default and so <B>-T3</B> does nothing.
-              Aggressive mode speeds scans up by making the assumption that
-              you are on a reasonably fast and reliable network. Finally
-              Insane mode assumes that you are on an extraordinarily fast
-              network or are willing to sacrifice some accuracy for speed.
-
-              These templates allow the user to specify how aggressive they
-              wish to be, while leaving Nmap to pick the exact timing values.
-              The templates also make some minor speed adjustments for which
-              fine grained control options do not currently exist. For
-              example, <B>-T4</B> prohibits the dynamic scan delay from exceeding
-              10ms for TCP ports and <B>-T5</B> caps that value at 5 milliseconds.
-              Templates can be used in combination with fine grained controls,
-              as long as the template is specified first. Otherwise the
-              standard values for the template may override the values you
-              specify. I recommend using <B>-T4</B> when scanning reasonably modern
-              and reliable networks. Keep that option (at the beginning of the
-              command line) even when you add fine grained controls so that
-              you benefit from those extra minor optimizations that it
-              enables.
-
-              If you are on a decent broadband or ethernet connection, I would
-              recommend always using <B>-T4</B>. Some people love <B>-T5</B> though it is
-              too aggressive for my taste. People sometimes specify <B>-T2</B>
-              because they think it is less likely to crash hosts or because
-              they consider themselves to be polite in general. They often
-              donБ─≥t realize just how slow <B>-T</B> <B>Polite</B> really is. Their scan may
-              take ten times longer than a default scan. Machine crashes and
-              bandwidth problems are rare with the default timing options
-              (<B>-T3</B>) and so I normally recommend that for cautious scanners.
-              Omitting version detection is far more effective than playing
-              with timing values at reducing these problems.
-
-              While <B>-T0</B> and <B>-T1</B> may be useful for avoiding IDS alerts, they
-              will take an extraordinarily long time to scan thousands of
-              machines or ports. For such a long scan, you may prefer to set
-              the exact timing values you need rather than rely on the canned
-              <B>-T0</B> and <B>-T1</B> values.
-
-              The main effects of <B>T0</B> are serializing the scan so only one port
-              is scanned at a time, and waiting five minutes between sending
-              each probe.  <B>T1</B> and <B>T2</B> are similar but they only wait 15 seconds
-              and 0.4 seconds, respectively, between probes.  <B>T3</B> is NmapБ─≥s
-              default behavior, which includes parallelization.  <B>T4</B> does the
-              equivalent of <B>--max_rtt_timeout</B> <B>1250</B> <B>--initial_rtt_timeout</B> <B>500</B>
-              and sets the maximum TCP scan delay to 10 milliseconds.  <B>T5</B> does
-              the equivalent of <B>--max_rtt_timeout</B> <B>300</B> <B>--min_rtt_timeout</B> <B>50</B>
-              <B>--initial_rtt_timeout</B> <B>250</B> <B>--host_timeout</B> <B>900000</B> as well as
-              setting the maximum TCP scan delay to 5ms.
-
-
-</PRE>
-<H2>FIREWALL/IDS EVASION AND SPOOFING</H2><PRE>
-       Many Internet pioneers envisioned a global open network with a
-       universal IP address space allowing virtual connections between any two
-       nodes. This allows hosts to act as true peers, serving and retrieving
-       information from each other. People could access all of their home
-       systems from work, changing the climate control settings or unlocking
-       the doors for early guests. This vision of universal connectivity has
-       been stifled by address space shortages and security concerns. In the
-       early 1990s, organizations began deploying firewalls for the express
-       purpose of reducing connectivity. Huge networks were cordoned off from
-       the unfiltered Internet by application proxies, network address
-       translation, and packet filters. The unrestricted flow of information
-       gave way to tight regulation of approved communication channels and the
-       content that passes over them.
-
-       Network obstructions such as firewalls can make mapping a network
-       exceedingly difficult. It will not get any easier, as stifling casual
-       reconnaissance is often a key goal of implementing the devices.
-       Nevertheless, Nmap offers many features to help understand these
-       complex networks, and to verify that filters are working as intended.
-       It even supports mechanisms for bypassing poorly implemented defenses.
-       One of the best methods of understanding your network security posture
-       is to try to defeat it. Place yourself in the mindset of an attacker,
-       and deploy techniques from this section against your networks. Launch
-       an FTP bounce scan, Idle scan, fragmentation attack, or try to tunnel
-       through one of your own proxies.
-
-       In addition to restricting network activity, companies are increasingly
-       monitoring traffic with intrusion detection systems (IDS). All of the
-       major IDSs ship with rules designed to detect Nmap scans because scans
-       are sometimes a precursor to attacks. Many of these products have
-       recently morphed into intrusion <I>prevention</I> systems (IPS) that actively
-       block traffic deemed malicious. Unfortunately for network
-       administrators and IDS vendors, reliably detecting bad intentions by
-       analyzing packet data is a tough problem. Attackers with patience,
-       skill, and the help of certain Nmap options can usually pass by IDSs
-       undetected. Meanwhile, administrators must cope with large numbers of
-       false positive results where innocent activity is misdiagnosed and
-       alerted on or blocked.
-
-       Occasionally people suggest that Nmap should not offer features for
-       evading firewall rules or sneaking past IDSs. They argue that these
-       features are just as likely to be misused by attackers as used by
-       administrators to enhance security. The problem with this logic is that
-       these methods would still be used by attackers, who would just find
-       other tools or patch the functionality into Nmap. Meanwhile,
-       administrators would find it that much harder to do their jobs.
-       Deploying only modern, patched FTP servers is a far more powerful
-       defense than trying to prevent the distribution of tools implementing
-       the FTP bounce attack.
-
-       There is no magic bullet (or Nmap option) for detecting and subverting
-       firewalls and IDS systems. It takes skill and experience. A tutorial is
-       beyond the scope of this reference guide, which only lists the relevant
-       options and describes what they do.
-
-       <B>-f</B> (fragment packets); <B>--mtu</B> (using the specified MTU)
-              The <B>-f</B> option causes the requested scan (including ping scans)
-              to use tiny fragmented IP packets. The idea is to split up the
-              TCP header over several packets to make it harder for packet
-              filters, intrusion detection systems, and other annoyances to
-              detect what you are doing. Be careful with this! Some programs
-              have trouble handling these tiny packets. The old-school sniffer
-              named Sniffit segmentation faulted immediately upon receiving
-              the first fragment. Specify this option once, and Nmap splits
-              the packets into 8 bytes or less after the IP header. So a
-              20-byte TCP header would be split into 3 packets. Two with eight
-              bytes of the TCP header, and one with the final four. Of course
-              each fragment also has an IP header. Specify <B>-f</B> again to use 16
-              bytes per fragment (reducing the number of fragments). Or you
-              can specify your own offset size with the <B>--mtu</B> option. DonБ─≥t
-              also specify <B>-f</B> if you use <B>--mtu</B>. The offset must be a multiple
-              of 8. While fragmented packets wonБ─≥t get by packet filters and
-              firewalls that queue all IP fragments, such as the
-              CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some
-              networks canБ─≥t afford the performance hit this causes and thus
-              leave it disabled. Others canБ─≥t enable this because fragments
-              may take different routes into their networks. Some source
-              systems defragment outgoing packets in the kernel. Linux with
-              the iptables connection tracking module is one such example. Do
-              a scan while a sniffer such as Ethereal is running to ensure
-              that sent packets are fragmented. If your host OS is causing
-              problems, try the <B>--send_eth</B> option to bypass the IP layer and
-              send raw ethernet frames.
-
-       <B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,ME],...&gt;</B> (Cloak a scan with decoys)
-              Causes a decoy scan to be performed, which makes it appear to
-              the remote host that the host(s) you specify as decoys are
-              scanning the target network too. Thus their IDS might report
-              5-10 port scans from unique IP addresses, but they wonБ─≥t know
-              which IP was scanning them and which were innocent decoys. While
-              this can be defeated through router path tracing,
-              response-dropping, and other active mechanisms, it is generally
-              an effective technique for hiding your IP address.
-
-              Separate each decoy host with commas, and you can optionally use
-              ME as one of the decoys to represent the position for your real
-              IP address. If you put ME in the 6th position or later, some
-              common port scan detectors (such as Solar DesignerБ─≥s excellent
-              scanlogd) are unlikely to show your IP address at all. If you
-              donБ─≥t use ME, nmap will put you in a random position.
-
-              Note that the hosts you use as decoys should be up or you might
-              accidentally SYN flood your targets. Also it will be pretty easy
-              to determine which host is scanning if only one is actually up
-              on the network. You might want to use IP addresses instead of
-              names (so the decoy networks donБ─≥t see you in their nameserver
-              logs).
-
-              Decoys are used both in the initial ping scan (using ICMP, SYN,
-              ACK, or whatever) and during the actual port scanning phase.
-              Decoys are also used during remote OS detection (<B>-O</B>). Decoys do
-              not work with version detection or TCP connect() scan.
-
-              It is worth noting that using too many decoys may slow your scan
-              and potentially even make it less accurate. Also, some ISPs will
-              filter out your spoofed packets, but many do not restrict
-              spoofed IP packets at all.
-
-       <B>-S</B> <B>&lt;IP_Address&gt;</B> (Spoof source address)
-              In some circumstances, Nmap may not be able to determine your
-              source address ( Nmap will tell you if this is the case). In
-              this situation, use <B>-S</B> with the IP address of the interface you
-              wish to send packets through.
-
-              Another possible use of this flag is to spoof the scan to make
-              the targets think that <I>someone</I> <I>else</I> is scanning them. Imagine a
-              company being repeatedly port scanned by a competitor! The <B>-e</B>
-              option would generally be required for this sort of usage, and
-              <B>-P0</B> would normally be advisable as well.
-
-       <B>-e</B> <B>&lt;interface&gt;</B> (Use specified interface)
-              Tells Nmap what interface to send and receive packets on. Nmap
-              should be able to detect this automatically, but it will tell
-              you if it cannot.
-
-       <B>--source_port</B> <B>&lt;portnumber&gt;;</B> <B>-g</B> <B>&lt;portnumber&gt;</B> (Spoof source port number)
-              One surprisingly common misconfiguration is to trust traffic
-              based only on the source port number. It is easy to understand
-              how this comes about. An administrator will set up a shiny new
-              firewall, only to be flooded with complains from ungrateful
-              users whose applications stopped working. In particular, DNS may
-              be broken because the UDP DNS replies from external servers can
-              no longer enter the network. FTP is another common example. In
-              active FTP transfers, the remote server tries to establish a
-              connection back to the client to transfer the requested file.
-
-              Secure solutions to these problems exist, often in the form of
-              application-level proxies or protocol-parsing firewall modules.
-              Unfortunately there are also easier, insecure solutions. Noting
-              that DNS replies come from port 53 and active ftp from port 20,
-              many admins have fallen into the trap of simply allowing
-              incoming traffic from those ports. They often assume that no
-              attacker would notice and exploit such firewall holes. In other
-              cases, admins consider this a short-term stop-gap measure until
-              they can implement a more secure solution. Then they forget the
-              security upgrade.
-
-              Overworked network administrators are not the only ones to fall
-              into this trap. Numerous products have shipped with these
-              insecure rules. Even Microsoft has been guilty. The IPsec
-              filters that shipped with Windows 2000 and Windows XP contain an
-              implicit rule that allows all TCP or UDP traffic from port 88
-              (Kerberos). In another well-known case, versions of the Zone
-              Alarm personal firewall up to 2.1.25 allowed any incoming UDP
-              packets with the source port 53 (DNS) or 67 (DHCP).
-
-              Nmap offers the <B>-g</B> and <B>--source_port</B> options (they are
-              equivalent) to exploit these weaknesses. Simply provide a port
-              number and Nmap will send packets from that port where possible.
-              Nmap must use different port numbers for certain OS detection
-              tests to work properly, and DNS requests ignore the
-              <B>--source_port</B> flag because Nmap relies on system libraries to
-              handle those. Most TCP scans, including SYN scan, support the
-              option completely, as does UDP scan.
-
-       <B>--data_length</B> <B>&lt;number&gt;</B> (Append random data to sent packets)
-              Normally Nmap sends minimalist packets containing only a header.
-              So its TCP packets are generally 40 bytes and ICMP echo requests
-              are just 28. This option tells Nmap to append the given number
-              of random bytes to most of the packets it sends. OS detection
-              (<B>-O</B>) packets are not affected, but most pinging and portscan
-              packets are. This slows things down, but can make a scan
-              slightly less conspicuous.
-
-       <B>--ttl</B> <B>&lt;value&gt;</B> (Set IP time-to-live field)
-              Sets the IPv4 time-to-live field in sent packets to the given
-              value.
-
-       <B>--randomize_hosts</B> (Randomize target host order)
-              Tells Nmap to shuffle each group of up to 8096 hosts before it
-              scans them. This can make the scans less obvious to various
-              network monitoring systems, especially when you combine it with
-              slow timing options. If you want to randomize over larger group
-              sizes, increase PING_GROUP_SZ in <I>nmap.h</I> and recompile. An
-              alternative solution is to generate the target IP list with a
-              list scan (<B>-sL</B> <B>-n</B> <B>-oN</B> <I>filename</I>), randomize it with a Perl
-              script, then provide the whole list to Nmap with <B>-iL</B>.
-
-       <B>--spoof_mac</B> <B>&lt;mac</B> <B>address,</B> <B>prefix,</B> <B>or</B> <B>vendor</B> <B>name&gt;</B> (Spoof MAC address)
-              Asks Nmap to use the given MAC address for all of the raw
-              ethernet frames it sends. This option implies <B>--send_eth</B> to
-              ensure that Nmap actually sends ethernet-level packets. The MAC
-              given can take several formats. If it is simply the string Б─°0Б─²,
-              Nmap chooses a completely random MAC for the session. If the
-              given string is an even number of hex digits (with the pairs
-              optionally separated by a colon), Nmap will use those as the
-              MAC. If less than 12 hex digits are provided, Nmap fills in the
-              remainder of the 6 bytes with random values. If the argument
-              isnБ─≥t a 0 or hex string, Nmap looks through <I>nmap-mac-prefixes</I> to
-              find a vendor name containing the given string (it is case
-              insensitive). If a match is found, Nmap uses the vendorБ─≥s OUI
-              (3-byte prefix) and fills out the remaining 3 bytes randomly.
-              Valid <B>--spoof_mac</B> argument examples are Apple, 0,
-              01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.
-
-
-</PRE>
-<H2>OUTPUT</H2><PRE>
-       Any security tools is only as useful as the output it generates.
-       Complex tests and algorithms are of little value if they arenБ─≥t
-       presented in an organized and comprehensible fashion. Given the number
-       of ways Nmap is used by people and other software, no single format can
-       please everyone. So Nmap offers several formats, including the
-       interactive mode for humans to read directly and XML for easy parsing
-       by software.
-
-       In addition to offering different output formats, Nmap provides options
-       for controlling the verbosity of output as well as debugging messages.
-       Output types may be sent to standard output or to named files, which
-       Nmap can append to or clobber. Output files may also be used to resume
-       aborted scans.
-
-       Nmap makes output available in five different formats. The default is
-       called interactive output, and it is sent to standard output (stdout).
-       There is also normal output, which is similar to interactive except
-       that it displays less runtime information and warnings since it is
-       expected to be analyzed after the scan completes rather than
-       interactively.
-
-       XML output is one of the most important output types, as it can be
-       converted to HTML, easily parsed by programs such as Nmap graphical
-       user interfaces, or imported into databases.
-
-       The two remaining output types are the simple grepable output which
-       includes most information for a target host on a single line, and
-       sCRiPt KiDDi3 0utPUt for users who consider themselves |&lt;-r4d.
-
-       While interactive output is the default and has no associated
-       command-line options, the other four format options use the same
-       syntax. They take one argument, which is the filename that results
-       should be stored in. Multiple formats may be specified, but each format
-       may only be specified once. For example, you may wish to save normal
-       output for your own review while saving XML of the same scan for
-       programmatic analysis. You might do this with the options <B>-oX</B>
-       <B>myscan.xml</B> <B>-oN</B> <B>myscan.nmap</B>. While this chapter uses the simple names
-       like myscan.xml for brevity, more descriptive names are generally
-       recommended. The names chosen are a matter of personal preference,
-       though I use long ones that incorporate the scan date and a word or two
-       describing the scan, placed in a directory named after the company IБ─≥m
-       scanning.
-
-       While these options save results to files, Nmap still prints
-       interactive output to stdout as usual. For example, the command <B>nmap</B>
-       <B>-oX</B> <B>myscan.xml</B> <B>target</B> prints XML to <I>myscan.xml</I> and fills standard
-       output with the same interactive results it would have printed if <B>-oX</B>
-       wasnБ─≥t specified at all. You can change this by passing a hyphen
-       character as the argument to one of the format types. This causes Nmap
-       to deactivate interactive output, and instead print results in the
-       format you specified to the standard output stream. So the command <B>nmap</B>
-       <B>-oX</B> <B>-</B> <B>target</B> will send only XML output to stdout. Serious errors may
-       still be printed to the normal error stream, stderr.
-
-       Unlike some Nmap arguments, the space between the logfile option flag
-       (such as <B>-oX</B>) and the filename or hyphen is mandatory. If you omit the
-       flags and give arguments such as <B>-oG-</B> or <B>-oXscan.xml</B>, a backwards
-       compatibility feature of Nmap will cause the creation of <I>normal</I> <I>format</I>
-       output files named <I>G-</I> and <I>Xscan.xml</I> respectively.
-
-       Nmap also offers options to control scan verbosity and to append to
-       output files rather than clobbering them. All of these options are
-       described belowe.
-
-       <B>Nmap</B> <B>Output</B> <B>Formats</B>
-
-       <B>-oN</B> <B>&lt;filespec&gt;</B> (Normal output)
-              Requests that normal output be directed to the given filename.
-              As discussed above, this differs slightly from interactive
-              output.
-
-       <B>-oX</B> <B>&lt;filespec&gt;</B> (XML output)
-              Requests that XML output be directed to the given filename. Nmap
-              includes a document type definition (DTD) which allows XML
-              parsers to validate Nmap XML output. While it is primarily
-              intended for programmatic use, it can also help humans interpret
-              Nmap XML output. The DTD defines the legal elements of the
-              format, and often enumerates the attributes and values they can
-              take on. The latest version is always available from
-              <I>http://www.insecure.org/nmap/data/nmap.dtd</I>.
-
-              XML offers a stable format that is easily parsed by software.
-              Free XML parsers are available for all major computer languages,
-              including C/C++, Perl, Python, and Java. People have even
-              written bindings for most of these languages to handle Nmap
-              output and execution specifically. Examples are [6]<I>Nmap::Scanner</I>
-              and [7]<I>Nmap::Parser</I> in Perl CPAN. In almost all cases that a
-              non-trivial application interfaces with Nmap, XML is the
-              preferred format.
-
-              The XML output references an XSL stylesheet which can be used to
-              format the results as HTML. The easiest way to use this is
-              simply to load the XML output in a web browser such as Firefox
-              or IE. By default, this will only work on the machine you ran
-              Nmap on (or a similarly configured one) due to the hard-coded
-              <I>nmap.xsl</I> filesystem path. See the <B>--stylesheet</B> option for a way
-              to create a portable XML file that renders as HTML on any
-              web-connected machine.
-
-       <B>-oS</B> <B>&lt;filespec&gt;</B> (ScRipT KIdd|3 oUTpuT)
-              Script kiddie output is like interactive output, except that it
-              is post-processed to better suit the Б─≥l33t HaXXorZ who
-              previously looked down on Nmap due to its consistent
-              capitalization and spelling. Humor impaired people should note
-              that this option is making fun of the script kiddies before
-              flaming me for supposedly Б─°helping themБ─².
-
-       <B>-oG</B> <B>&lt;filespec&gt;</B> (Grepable output)
-              This output format is covered last because it is deprecated. The
-              XML output format is far more powerful, and is nearly as
-              convenient for experienced users. XML is a standard for which
-              dozens of excellent parsers are available, while grepable output
-              is my own simple hack. XML is extensible to support new Nmap
-              features as they are released, while I often must omit those
-              features from grepable output for lack of a place to put them.
-
-              Nevertheless, grepable output is still quite popular. It is a
-              simple format that lists each host on one line and can be
-              trivially searched and parsed with standard UNIX tools such as
-              grep, awk, cut, sed, diff, and Perl. Even I usually use it for
-              one-off tests done at the command line. Finding all the hosts
-              with the ssh port open or that are running Solaris takes only a
-              simple grep to identify the hosts, piped to an awk or cut
-              command to print the desired fields.
-
-              Grepable output consists of comments (lines starting with a
-              pound (#)) and target lines. A target line includes a
-              combination of 6 labeled fields, separated by tabs and followed
-              with a colon. The fields are Host, Ports, Protocols, Ignored
-              State, OS, Seq Index, IPID, and Status.
-
-              The most important of these fields is generally Ports, which
-              gives details on each interesting port. It is a comma separated
-              list of port entries. Each port entry represents one interesting
-              port, and takes the form of seven slash (/) separated subfields.
-              Those subfields are: Port number, State, Protocol, Owner,
-              Service, SunRPC info, and Version info.
-
-              As with XML output, this man page does not allow for documenting
-              the entire format. A more detailed look at the Nmap grepable
-              output format is available from
-              <I>http://www.unspecific.com/nmap-oG-output</I>.
-
-       <B>-oA</B> <B>&lt;basename&gt;</B> (Output to all formats)
-              As a convenience, you may specify <B>-oA</B> <I>basename</I> to store scan
-              results in normal, XML, and grepable formats at once. They are
-              stored in <I>basename</I>.nmap, <I>basename</I>.xml, and <I>basename</I>.gnmap,
-              respectively. As with most programs, you can prefix the
-              filenames with a directory path, such as <I>~/nmaplogs/foocorp/</I> on
-              UNIX or <I>c:\hacking\sco</I> on Windows.
-
-       <B>Verbosity</B> <B>and</B> <B>debugging</B> <B>options</B>
-
-       <B>-v</B> (Increase verbosity level)
-              Increases the verbosity level, causing Nmap to print more
-              information about the scan in progress. Open ports are shown as
-              they are found and completion time estimates are provided when
-              Nmap thinks a scan will take more than a few minutes. Use it
-              twice for even greater verbosity. Using it more than twice has
-              no effect.
-
-              Most changes only affect interactive output, and some also
-              affect normal and script kiddie output. The other output types
-              are meant to be processed by machines, so Nmap can give
-              substantial detail by default in those formats without fatiguing
-              a human user. However, there are a few changes in other modes
-              where output size can be reduced substantially by omitting some
-              detail. For example, a comment line in the grepable output that
-              provides a list of all ports scanned is only printed in verbose
-              mode because it can be quite long.
-
-       <B>-d</B> <B>[level]</B> (Increase or set debugging level)
-              When even verbose mode doesnБ─≥t provide sufficient data for you,
-              debugging is available to flood you with much more! As with the
-              verbosity option (<B>-v</B>), debugging is enabled with a command-line
-              flag (<B>-d</B>) and the debug level can be increased by specifying it
-              multiple times. Alternatively, you can set a debug level by
-              giving an argument to <B>-d</B>. For example, <B>-d9</B> sets level nine. That
-              is the highest effective level and will produce thousands of
-              lines unless you run a very simple scan with very few ports and
-              targets.
-
-              Debugging output is useful when a bug is suspected in Nmap, or
-              if you are simply confused as to what Nmap is doing and why. As
-              this feature is mostly intended for developers, debug lines
-              arenБ─≥t always self-explanatory. You may get something like:
-              Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==&gt;
-              srtt: 14987 rttvar: 14987 to: 100000. If you donБ─≥t understand a
-              line, your only recourses are to ignore it, look it up in the
-              source code, or request help from the development list
-              (nmap-dev). Some lines are self explanatory, but the messages
-              become more obscure as the debug level is increased.
-
-       <B>--packet_trace</B> (Trace packets and data sent and received)
-              Causes Nmap to print a summary of every packet sent or received.
-              This is often used for debugging, but is also a valuable way for
-              new users to understand exactly what Nmap is doing under the
-              covers. To avoid printing thousands of lines, you may want to
-              specify a limited number of ports to scan, such as <B>-p20-30</B>. If
-              you only care about the goings on of the version detection
-              subsystem, use <B>--version_trace</B> instead.
-
-       <B>--iflist</B> (List interfaces and routes)
-              Prints the interface list and system routes as detected by Nmap.
-              This is useful for debugging routing problems or device
-              mischaracterization (such as Nmap treating a PPP connection as
-              Ethernet).
-
-       <B>Miscellaneous</B> <B>output</B> <B>options</B>
-
-       <B>--append_output</B> (Append to rather than clobber output files)
-              When you specify a filename to an output format flag such as <B>-oX</B>
-              or <B>-oN</B>, that file is overwritten by default. If you prefer to
-              keep the existing content of the file and append the new
-              results, specify the <B>--append_output</B> option. All output
-              filenames specified in that Nmap execution will then be appended
-              to rather than clobbered. This doesnБ─≥t work well for XML (<B>-oX</B>)
-              scan data as the resultant file generally wonБ─≥t parse properly
-              until you fix it up by hand.
-
-       <B>--resume</B> <B>&lt;filename&gt;</B> (Resume aborted scan)
-              Some extensive Nmap runs take a very long time -- on the order
-              of days. Such scans donБ─≥t always run to completion. Restrictions
-              may prevent Nmap from being run during working hours, the
-              network could go down, the machine Nmap is running on might
-              suffer a planned or unplanned reboot, or Nmap itself could
-              crash. The admin running Nmap could cancel it for any other
-              reason as well, by pressing ctrl-C. Restarting the whole scan
-              from the beginning may be undesirable. Fortunately, if normal
-              (<B>-oN</B>) or grepable (<B>-oG</B>) logs were kept, the user can ask Nmap to
-              resume scanning with the target it was working on when execution
-              ceased. Simply specify the <B>--resume</B> option and pass the
-              normal/grepable output file as its argument. No other arguments
-              are permitted, as Nmap parses the output file to use the same
-              ones specified previously. Simply call Nmap as <B>nmap</B> <B>--resume</B>
-              <I>logfilename</I>. Nmap will append new results to the data files
-              specified in the previous execution. Resumption does not support
-              the XML output format because combining the two runs into one
-              valid XML file would be difficult.
-
-       <B>--stylesheet</B> <B>&lt;path</B> <B>or</B> <B>URL&gt;</B> (Set XSL stylesheet to transform XML output)
-              Nmap ships with an XSL stylesheet named <I>nmap.xsl</I> for viewing or
-              translating XML output to HTML. The XML output includes an
-              xml-stylesheet directive which points to <I>nmap.xml</I> where it was
-              initially installed by Nmap (or in the current working directory
-              on Windows). Simply load NmapБ─≥s XML output in a modern web
-              browser and it should retrieve <I>nmap.xsl</I> from the filesystem and
-              use it to render results. If you wish to use a different
-              stylesheet, specify it as the argument to <B>--stylesheet</B>. You must
-              pass the full pathname or URL. One common invocation is
-              <B>--stylesheet</B> <B>http://www.insecure.org/nmap/data/nmap.xsl</B>
-              <I>nmap.xsl</I>) installed. So the URL is often more useful, but the
-              local filesystem location of nmap.xsl is used by default for
-              privacy reasons.
-
-       <B>--no_stylesheet</B> (Omit XSL stylesheet declaration from XML)
-              Specify this option to prevent Nmap from associating any XSL
-              stylesheet with its XML output. The xml-stylesheet directive is
-              omitted.
-
-
-</PRE>
-<H2>MISCELLANEOUS OPTIONS</H2><PRE>
-       This section describes some important (and not-so-important) options
-       that donБ─≥t really fit anywhere else.
-
-       <B>-6</B> (Enable IPv6 scanning)
-              Since 2002, Nmap has offered IPv6 support for its most popular
-              features. In particular, ping scanning (TCP-only), connect()
-              scanning, and version detection all support IPv6. The command
-              syntax is the same as usual except that you also add the <B>-6</B>
-              option. Of course, you must use IPv6 syntax if you specify an
-              address rather than a hostname. An address might look like
-              3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
-              recommended. The output looks the same as usual, with the IPv6
-              address on the Б─°interesting portsБ─² line being the only IPv6 give
-              away.
-
-              While IPv6 hasnБ─≥t exactly taken the world by storm, it gets
-              significant use in some (usually Asian) countries and most
-              modern operating systems support it. To use Nmap with IPv6, both
-              the source and target of your scan must be configured for IPv6.
-              If your ISP (like most of them) does not allocate IPv6 addresses
-              to you, free tunnel brokers are widely available and work fine
-              with Nmap. One of the better ones is run by BT Exact at
-              <I>https://tb.ipv6.btexact.com/</I>. I have also used one that
-              Hurricane Electric provides at <I>http://ipv6tb.he.net/</I>. 6to4
-              tunnels are another popular, free approach.
-
-       <B>-A</B> (Aggressive scan options)
-              This option enables additional advanced and aggressive options.
-              I havenБ─≥t decided exactly which it stands for yet. Presently
-              this enables OS Detection (<B>-O</B>) and version scanning (<B>-sV</B>). More
-              features may be added in the future. The point is to enable a
-              comprehensive set of scan options without people having to
-              remember a large set of flags. This option only enables
-              features, and not timing options (such as <B>-T4</B>) or verbosity
-              options (<B>-v</B>) that you might want as well.
-
-       <B>--datadir</B> <B>&lt;directoryname&gt;</B> (Specify custom Nmap data file location)
-              Nmap obtains some special data at runtime in files named
-              <I>nmap-service-probes</I>, <I>nmap-services</I>, <I>nmap-protocols</I>, <I>nmap-rpc</I>,
-              <I>nmap-mac-prefixes</I>, and <I>nmap-os-fingerprints</I>. Nmap first searches
-              these files in the directory specified with the <B>--datadir</B> option
-              (if any). Any files not found there, are searched for in the
-              directory specified by the NMAPDIR environmental variable. Next
-              comes <I>~/.nmap</I> for real and effective UIDs (POSIX systems only)
-              or location of the Nmap executable (Win32 only), and then a
-              compiled-in location such as <I>/usr/local/share/nmap</I> or
-              <I>/usr/share/nmap</I>
-
-       <B>--send_eth</B> (Use raw ethernet sending)
-              Asks Nmap to send packets at the raw ethernet (data link) layer
-              rather than the higher IP (network) layer. By default, Nmap
-              chooses the one which is generally best for the platform it is
-              running on. Raw sockets (IP layer) are generally most efficient
-              for UNIX machines, while ethernet frames are required for
-              Windows operation since Microsoft disabled raw socket support.
-              Nmap still uses raw IP packets on UNIX despite this option when
-              there is no other choice (such as non-ethernet connections).
-
-       <B>--send_ip</B> (Send at raw IP level)
-              Asks Nmap to send packets via raw IP sockets rather than sending
-              lower level ethernet frames. It is the complement to the
-              <B>--send-eth</B> option discussed previously.
-
-       <B>--privileged</B> (Assume that the user is fully privileged)
-              Tells Nmap to simply assume that it is privileged enough to
-              perform raw socket sends, packet sniffing, and similar
-              operations that usually require root privileges on UNIX systems.
-              By default Nmap quits if such operations are requested but
-              geteuid() is not zero.  <B>--privileged</B> is useful with Linux kernel
-              capabilities and similar systems that may be configured to allow
-              unprivileged users to perform raw-packet scans. Be sure to
-              provide this option flag before any flags for options that
-              require privileges (SYN scan, OS detection, etc.). The
-              NMAP_PRIVILEGED variable may be set as an equivalent alternative
-              to <B>--privileged</B>.
-
-       <B>--interactive</B> (Start in interactive mode)
-              Starts Nmap in interactive mode, which offers an interactive
-              Nmap prompt allowing easy launching of multiple scans (either
-              synchronously or in the background). This is useful for people
-              who scan from multi-user systems as they often want to test
-              their security without letting everyone else on the system know
-              exactly which systems they are scanning. Use <B>--interactive</B> to
-              activate this mode and then type h for help. This option is
-              rarely used because proper shells are usually more familiar and
-              feature-complete. This option includes a bang (!) operator for
-              executing shell commands, which is one of many reasons not to
-              install Nmap setuid root.
-
-       <B>-V</B>; <B>--version</B> (Print version number)
-              Prints the Nmap version number and exits.
-
-       <B>-h</B>; <B>--help</B> (Print help summary page)
-              Prints a short help screen with the most common command flags.
-              Running Nmap without any arguments does the same thing.
-
-
-</PRE>
-<H2>RUNTIME INTERACTION</H2><PRE>
-       This feature does not yet exist in Nmap. I need to either add it or
-       remove this section
-
-       During the execution of nmap, all key presses are captured. This allows
-       you to interact with the program without aborting and restarting it.
-       Certain special keys will change options, while any other keys will
-       print out a status message telling you about the scan. The convention
-       is that <I>lowercase</I> <I>letters</I> <I>increase</I> the amount of printing, and
-       <I>uppercase</I> <I>letters</I> <I>decrease</I> the printing.
-
-       <B>v</B> / <B>V</B>  Increase / Decrease the Verbosity
-
-       <B>d</B> / <B>D</B>  Increase / Decrease the Debugging Level
-
-       <B>p</B> / <B>P</B>  Turn on / off Packet Tracing
-
-       Anything else
-              Print out a status message like this:
-
-              Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing
-              Service Scan
-
-              Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15
-              remaining)
-
-
-</PRE>
-<H2>EXAMPLES</H2><PRE>
-       Here are some Nmap usage examples, from the simple and routine to a
-       little more complex and esoteric. Some actual IP addresses and domain
-       names are used to make things more concrete. In their place you should
-       substitute addresses/names from <I>your</I> <I>own</I> <I>network.</I>. While I donБ─≥t think
-       port scanning other networks is or should be illegal, some network
-       administrators donБ─≥t appreciate unsolicited scanning of their networks
-       and may complain. Getting permission first is the best approach.
-
-       For testing purposes, you have permission to scan the host
-       scanme.nmap.org. This permission only includes scanning via Nmap and
-       not testing exploits or denial of service attacks. To conserve
-       bandwidth, please do not initiate more than a dozen scans against that
-       host per day. If this free scanning target service is abused, it will
-       be taken down and Nmap will report Failed to resolve given hostname/IP:
-       scanme.nmap.org. These permissions also apply to the hosts
-       scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do
-       not currently exist.
-
-       <B>nmap</B> <B>-v</B> <B>scanme.nmap.org</B>
-
-       This option scans all reserved TCP ports on the machine scanme.nmap.org
-       <B>-v</B> option enables verbose mode.
-
-       <B>nmap</B> <B>-sS</B> <B>-O</B> <B>scanme.nmap.org/24</B>
-
-       Launches a stealth SYN scan against each machine that is up out of the
-       255 machines on Б─°class CБ─² network where Scanme resides. It also tries
-       to determine what operating system is running on each host that is up
-       and running. This requires root privileges because of the SYN scan and
-       OS detection.
-
-       <B>nmap</B> <B>-sV</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.0-255.1-127</B>
-
-       Launches host enumeration and a TCP scan at the first half of each of
-       the 255 possible 8 bit subnets in the 198.116 class B address space.
-       This tests whether the systems run sshd, DNS, pop3d, imapd, or port
-       4564. For any of these ports found open, version detection is used to
-       determine what application is running.
-
-       <B>nmap</B> <B>-v</B> <B>-iR</B> <B>100000</B> <B>-P0</B> <B>-p</B> <B>80</B>
-
-       Asks Nmap to choose 100,000 hosts at random and scan them for web
-       servers (port 80). Host enumeration is disabled with <B>-P0</B> since first
-       sending a couple probes to determine whether a host is up is wasteful
-       when you are only probing one port on each target host anyway.
-
-       <B>nmap</B> <B>-P0</B> <B>-p80</B> <B>-oX</B> <B>logs/pb-port80scan.xml</B> <B>-oG</B> <B>logs/pb-port80scan.gnmap</B>
-       <B>216.163.128.20/20</B>
-
-       This scans 4096 IPs for any webservers (without pinging them) and saves
-       the output in grepable and XML formats.
-
-       <B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B>-f</B> <B>4</B> <B>|</B> <B>nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
-
-       Do a DNS zone transfer to find the hosts in company.com and then feed
-       the IP addresses to nmap. The above commands are for my GNU/Linux box
-       -- other systems have different commands for performing a zone
-       transfer.
-
-
-</PRE>
-<H2>BUGS</H2><PRE>
-       Like its author, Nmap isnБ─≥t perfect. But you can help make it better by
-       sending bug reports or even writing patches. If Nmap doesnБ─≥t behave the
-       way you expect, first upgrade to the latest version available from
-       <I>http://www.insecure.org/nmap/</I>. If the problem persists, do some
-       research to determine whether it has already been discovered and
-       addressed. Try Googling the error message or browsing the Nmap-dev
-       archives at <I>http://seclists.org/</I>. Read this full munaual page as well.
-       If nothing comes of this, mail a bug report to &lt;nmap-dev@insecure.org&gt;.
-       Please include everything you have learned about the problem, as well
-       as what version of Nmap you are running and what operating system
-       version it is running on. Problem reports and Nmap usage questions sent
-       to nmap-dev@insecure.org are far more likely to be answered than those
-       sent to Fyodor directly.
-
-       Code patches to fix bugs are even better than bug reports. Basic
-       instructions for creating patch files with your changes are available
-       at <I>http://www.insecure.org/nmap/data/HACKING</I>. Patches may be sent to
-       nmap-dev (recommended) or to Fyodor directly.
-
-
-</PRE>
-<H2>AUTHOR</H2><PRE>
-       Fyodor &lt;fyodor@insecure.org&gt; (<I>http://www.insecure.org</I>)
-
-       Hundreds of people have made valuable contributions to Nmap over the
-       years. These are detailed in the <I>CHANGELOG</I> file which is distributed
-       with Nmap and also available from
-       <I>http://www.insecure.org/nmap/nmap</I><B>_</B><I>changelog.html</I>.
-
-
-</PRE>
-<H2>LEGAL NOTICES</H2><PRE>
-       The newest version of Nmap can be obtained from
-       <I>http://www.insecure.org/nmap/</I>
-
-   <B>Copyright</B> <B>and</B> <B>Licensing</B>
-       The Nmap Security Scanner is (C) 1996-2005 Insecure.Com LLC. Nmap is
-       also a registered trademark of Insecure.Com LLC. This program is free
-       software; you may redistribute and/or modify it under the terms of the
-       GNU General Public License as published by the Free Software
-       Foundation; Version 2. This guarantees your right to use, modify, and
-       redistribute this software under certain conditions. If you wish to
-       embed Nmap technology into proprietary software, we may be willing to
-       sell alternative licenses (contact &lt;sales@insecure.com&gt;). Many security
-       scanner vendors already license Nmap technology such as host discovery,
-       port scanning, OS detection, and service/version detection.
-
-       Note that the GPL places important restrictions on Б─°derived worksБ─², yet
-       it does not provide a detailed definition of that term. To avoid
-       misunderstandings, we consider an application to constitute a
-       Б─°derivative workБ─² for the purpose of this license if it does any of the
-       following:
-
-       б╥  Integrates source code from Nmap
-
-       б╥  Reads or includes Nmap copyrighted data files, such as
-          <I>nmap-os-fingerprints</I> or <I>nmap-service-probes</I>.
-
-       б╥  Executes Nmap and parses the results (as opposed to typical shell or
-          execution-menu apps, which simply display raw Nmap output and so are
-          not derivative works.)
-
-       б╥  Integrates/includes/aggregates Nmap into a proprietary executable
-          installer, such as those produced by InstallShield.
-
-       б╥  Links to a library or executes a program that does any of the above.
-
-       The term Б─°NmapБ─² should be taken to also include any portions or derived
-       works of Nmap. This list is not exclusive, but is just meant to clarify
-       our interpretation of derived works with some common examples. These
-       restrictions only apply when you actually redistribute Nmap. For
-       example, nothing stops you from writing and selling a proprietary
-       front-end to Nmap. Just distribute it by itself, and point people to
-       <I>http://www.insecure.org/nmap/</I> to download Nmap.
-
-       We donБ─≥t consider these to be added restrictions on top of the GPL, but
-       just a clarification of how we interpret Б─°derived worksБ─² as it applies
-       to our GPL-licensed Nmap product. This is similar to the way Linus
-       Torvalds has announced his interpretation of how Б─°derived worksБ─²
-       applies to Linux kernel modules. Our interpretation refers only to Nmap
-       - we donБ─≥t speak for any other GPL products.
-
-       If you have any questions about the GPL licensing restrictions on using
-       Nmap in non-GPL works, we would be happy to help. As mentioned above,
-       we also offer alternative license to integrate Nmap into proprietary
-       applications and appliances. These contracts have been sold to many
-       security vendors, and generally include a perpetual license as well as
-       providing for priority support and updates as well as helping to fund
-       the continued development of Nmap technology. Please email
-       &lt;sales@insecure.com&gt; for further information.
-
-       As a special exception to the GPL terms, Insecure.Com LLC grants
-       permission to link the code of this program with any version of the
-       OpenSSL library which is distributed under a license identical to that
-       listed in the included Copying.OpenSSL file, and distribute linked
-       combinations including the two. You must obey the GNU GPL in all
-       respects for all of the code used other than OpenSSL. If you modify
-       this file, you may extend this exception to your version of the file,
-       but you are not obligated to do so.
-
-       If you received these files with a written license agreement or
-       contract stating terms other than the terms above, then that
-       alternative license agreement takes precedence over these comments.
-
-   <B>Source</B> <B>code</B> <B>availability</B> <B>and</B> <B>community</B> <B>contributions</B>
-       Source is provided to this software because we believe users have a
-       right to know exactly what a program is going to do before they run it.
-       This also allows you to audit the software for security holes (none
-       have been found so far).
-
-       Source code also allows you to port Nmap to new platforms, fix bugs,
-       and add new features. You are highly encouraged to send your changes to
-       &lt;fyodor@insecure.org&gt; for possible incorporation into the main
-       distribution. By sending these changes to Fyodor or one of the
-       Insecure.Org development mailing lists, it is assumed that you are
-       offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right
-       to reuse, modify, and relicense the code. Nmap will always be available
-       Open Source, but this is important because the inability to relicense
-       code has caused devastating problems for other Free Software projects
-       (such as KDE and NASM). We also occasionally relicense the code to
-       third parties as discussed above. If you wish to specify special
-       license conditions of your contributions, just say so when you send
-       them.
-
-   <B>No</B> <B>Warranty</B>
-       This program is distributed in the hope that it will be useful, but
-       WITHOUT ANY WARRANTY; without even the implied warranty of
-       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-       General Public License for more details at
-       <I>http://www.gnu.org/copyleft/gpl.html</I>, or in the COPYING file included
-       with Nmap.
-
-       It should also be noted that Nmap has occasionally been known to crash
-       poorly written applications, TCP/IP stacks, and even operating systems.
-       While this is extremely rare, it is important to keep in mind.  <I>Nmap</I>
-       <I>should</I> <I>never</I> <I>be</I> <I>run</I> <I>against</I> <I>mission</I> <I>critical</I> <I>systems</I> unless you are
-       prepared to suffer downtime. We acknowledge here that Nmap may crash
-       your systems or networks and we disclaim all liability for any damage
-       or problems Nmap could cause.
-
-   <B>Inappropriate</B> <B>Usage</B>
-       Because of the slight risk of crashes and because a few black hats like
-       to use Nmap for reconnaissance prior to attacking systems, there are
-       administrators who become upset and may complain when their system is
-       scanned. Thus, it is often advisable to request permission before doing
-       even a light scan of a network.
-
-       Nmap should never be installed with special privileges (e.g. suid root)
-       for security reasons.
-
-   <B>Third-Party</B> <B>Software</B>
-       This product includes software developed by the [8]<I>Apache</I> <I>Software</I>
-       <I>Foundation</I>. A modified version of the [9]<I>Libpcap</I> <I>portable</I> <I>packet</I>
-       <I>capture</I> <I>library</I> is distributed along with nmap. The Windows version of
-       Nmap utilized the libpcap-derived [10]<I>WinPcap</I> <I>library</I> instead. Regular
-       expression support is provided by the [11]<I>PCRE</I> <I>library</I>, which is open
-       source software, written by Philip Hazel. Certain raw networking
-       functions use the [12]<I>Libdnet</I> networking library, which was written by
-       Dug Song. A modified version is distributed with Nmap. Nmap can
-       optionally link with the [13]<I>OpenSSL</I> <I>cryptography</I> <I>toolkit</I> for SSL
-       version detection support. All of the third-party software described in
-       this paragraph is freely redistributable under BSD-style software
-       licenses.
-
-   <B>US</B> <B>Export</B> <B>Control</B> <B>Classification</B>
-       US Export Control: Insecure.Com LLC believes that Nmap falls under US
-       ECCN (export control classification number) 5D992. This category is
-       called Б─°Information Security software not controlled by 5D002Б─². The
-       only restriction of this classification is AT (anti-terrorism), which
-       applies to almost all goods and denies export to a handful of rogue
-       nations such as Iran and North Korea. Thus exporting Nmap does not
-       require any special license, permit, or other governmental
-       authorization.
-
-
-</PRE>
-<H2>REFERENCES</H2><PRE>
-        1. RFC 1122
-           http://www.rfc-editor.org/rfc/rfc1122.txt
-
-        2. RFC 792
-           http://www.rfc-editor.org/rfc/rfc792.txt
-
-        3. UDP
-           http://www.rfc-editor.org/rfc/rfc768.txt
-
-        4. TCP RFC
-           http://www.rfc-editor.org/rfc/rfc793.txt
-
-        5. RFC 959
-           http://www.rfc-editor.org/rfc/rfc959.txt
-
-        6. Nmap::Scanner
-           http://sourceforge.net/projects/nmap-scanner/
-
-        7. Nmap::Parser
-           http://www.nmapparser.com
-
-        8. Apache Software Foundation
-           http://www.apache.org
-
-        9. Libpcap portable packet capture library
-           http://www.tcpdump.org
-
-       10. WinPcap library
-           http://www.winpcap.org
-
-       11. PCRE library
-           http://www.pcre.org
-
-       12. Libdnet
-           http://libdnet.sourceforge.net
-
-       13. OpenSSL cryptography toolkit
-           http://www.openssl.org
-
-
-
-                                  11/17/2005                           <B>NMAP(1)</B>
-</PRE>
-<HR>
-<ADDRESS>
-Man(1) output converted with
-<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
-</ADDRESS>
-</BODY>
-</HTML>
diff --git a/docs/nmap_portuguese.1 b/docs/nmap_portuguese.1
deleted file mode 100644
index 541e7151f..000000000
--- a/docs/nmap_portuguese.1
+++ /dev/null
@@ -1,412 +0,0 @@
-.\"Traduzido para a lingua Portuguesa
-.\"AntТnio Pires de Castro Jr. <apcastro@ic.unicamp.br>
-.\"<apcastro@cultura.com.br>, <apcastro@ondefor.com.br>
-.\"em 17/10/2000
-.\"This definition swiped from the gcc(1) man page
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH NOME
-nmap \- Ferramenta de exploraГЦo de rede e scanner de seguranГa.
-.SH SYNOPSIS
-.B nmap
-[Tipo(s) de Scan] [OpГУes] <computador ou rede #1 ... [#N]>
-.SH DESCRICAO
-
-.I Nmap
-И projetado para permitir aos administradores de sistemas e indivМduos curiosos explorar grandes redes para determinar quais computadores estЦo ativos e quais serviГos sЦo fornecidos.
-.I Nmap
-suporta um grande nЗmero de tИcnicas de scan, como: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. Veja as seГУes de
-.I Tipos de Scan
-para maiores detalhes. Nmap, tambИm, oferece um nЗmero de avanГadas caracterМsticas, como: detecГЦo remota do SO via TCP/IP fingerprinting, stealth scanning, dynamic delay e retransmission calculations, scanning paralelo, detecГЦo de hosts inativos atravИs de pings paralelos, decoy scanning, detecГЦo de portas filtradas, scanning direto de RPC (nЦo-portmapper), fragmentation scanning e flexibilidade do alvo e especificaГЦo de porta.
-.PP
-EsforГos significantes tem sido gastos na performance do nmap para usuАrios comuns, usuАrios nЦo-root. Infelizmente, vАrias interfaces crМticas do kernel (como os sockets raw) requerem privilИgios de root. Nmap deve ser executado como root sempre que possМvel.
-.PP
-O resultado da execuГЦo do nmap И usualmente uma lista de portas
-interessantes na(s) mАquina(s) sendo explorada(s). Nmap sempre fornece o nome do serviГo, o nЗmero, o estado, e o protocolo das portas "bem conhecidas". O estado pode ser tanto 'aberto' (open), 'filtrado'(filtered) ou nЦo filtrado (unfiltered). Aberto significa que a mАquina alvo aceitarА (accept()) conexУes na porta. Filtrado significa que o firewall, filtro ou outro obstАculo da rede estА cobrindo a porta e prevenindo o nmap de determinar quando a porta estА aberta. NЦo filtrado significa que a porta И conhecida pelo nmap para estar fechada e nenhum firewall/filtro parece estar interferindo com a tentativa de determina-lА pelo nmap. Portas nЦo filtradas sЦo um caso comum e sЦo mostradas, somente, quando a maioria das portas exploradas estЦo no estado filtrado.
-.PP
-Dependendo da opГЦo usada, o nmap pode, tambИm, reportar as seguintes caracterМsticas do host remoto: SO em uso, sequenciabilidade do TCP, os nomes dos usuАrios executando os programas em determinadas portas, o nome DNS, quando um host tem um endereco de smurf, e vАrias outras.
-.SH OPгуES
-OpГУes que juntamente fazem sentido podem geralmente ser combinadas. VАrias opГУes sЦo especМficas para certos modos de scan.
-.I Nmap 
-tenta capturar e avisar o usuАrio sobre erros ou combinaГУes nЦo suportadas de opГУes.
-.Sp
-Se vocЙ estА impaciente, vocЙ pode ir direto para a seГЦo de 
-.I exemplos
-no final, os quais demonstram o uso comum do nmap. VocЙ pode, tambИm, executar
-.B nmap -h
-para uma rАpida pАgina de referЙncia, a qual lista todas as opГУes.
-.TP
-.B TIPOS DE SCAN
-.TP
-.B \-sT 
-TCP connect() scan: Esta И a mais bАsica forma de TCP scanning. A chamada de sistema, connect(), provida pelo seu sistema operacional И usada para abrir uma conexЦo para toda porta interessante na mАquina. Se a porta estА no estado listening, connect() irА ter sucesso, por outro lado a porta nЦo serА alcanГada. Uma grande vantagem desta tИcnica И que vocЙ nЦo precisa de nenhum privilИgio especial. Qualquer usuАrio em UNIX estА livre para usar esta chamada.
-.Sp
-Este tipo de scan И facilmente detectАvel pelo log do host alvo, o qual mostrarА o grupo de conexУes e mensagens de erro para os serviГos os quais aceitam, accept(), a conexЦo somente para tЙ-la imediatamente desligada.
-.TP
-.B \-sS
-TCP SYN scan: Esta tИcnica И muito conhecida como "half-open" scanning,
-porque nЦo abre uma conexЦo TCP completa. и enviado um pacote com o flag SYN
-setado, como se fosse abrir uma conexЦo real e И esperado pela resposta. Uma
-resposta SYN/ACK indica que a porta estА no estado listening. O flag RST И
-uma indicaГЦo de estado nЦo listening. Se o flag SYN/ACK И recebido, o flag
-RST И imediatamente enviado para encerrar a conexЦo (atualmente o nЗcleo do SO faz isso por nСs). A principal vantagem desta tИcnica de scanning И que poucos sites irЦo registra-lА no arquivo de log. Desafortunadamente И necessАrio privilИgios de super usuАrio (root) para construir estes pacotes SYN customizados.
-.TP
-.B \-sF \-sX \-sN 
-Modos Stealth FIN, Xmas Tree, ou Null scan: Algumas vezes nem mesmo a
-tИcnica SYN scanning И clandestina suficiente. VАrios firewalls e filtros de pacotes observam por SYNs para portas restritas, e programas como Synlogger e Courtney estЦo disponМveis para detectar este tipo de scan. Por outro lado, scans avanГados (stealth FIN, Xmas Tree, ou Null scan), podem ser capazes de passar atravИs destes filtros sem serem molestados.
-.Sp
-A idИia И que portas fechadas sЦo exigidas por responder aos pacotes de teste com um RST, enquanto portas abertas precisam ignorar os pacotes em questЦo (veja RFC 793 pp 64). A tИcnica de scan FIN utiliza o limitado pacote FIN como teste, enquanto a tИcnica de scan Xmas Tree seta os flags FIN, URG e PUSH. A tИcnica de scan Null nЦo seta nenhum flag. Desafortunadamente a Microsoft (como usual) decidiu completamente ignorar o padrЦo e faz as coisas do seu prСprio jeito. EntЦo este tipo de scan nЦo funcionarА contra sistemas executando Windows95/NT. Do lado positivo, estА И uma Сtima maneira de distinguir entre duas plataformas. Se o scan encontrar portas abertas, И possМvel saber que a mАquina nЦo utiliza o Windows. Se as tИcnicas de scan -sF, -sX ou -sN mostram todas as portas fechadas, mesmo assim a tИcnica de scan SYN (-sS) mostra portas sendo abertas, vocЙ poderА estar olhando para uma mАquina Windows. Esta И a maneira menos usada pelo nmap para testar a detecГЦo do SO. Exitem, tambИm, alguns outros sistemas que sЦo descobertos da mesma maneira que descobrimos o windows. Estes incluem Cisco, BSDI, HP/UX, MVS, and IRIX. Todos acima enviam resets (RST) de portas abertas quando estes devem, somente, descartar o pacote.
-.TP
-.B \-sP
-Ping scanning: Algumas vezes vocЙ somente quer saber quais os hosts da rede
-estЦo ativos. O Nmap pode fazer isso enviando um pacote de requisiГЦo ICMP
-(ICMP echo request) para todo endereГo IP especificado da rede. Os hosts que
-respondem estЦo vivos. Desafortunadamente, vАrios sites, como a
-microsoft.com, bloqueiam pacotes de requisiГЦo ICMP (echo request). EntЦo, o
-nmap pode, tambИm, enviar um pacote ACK TCP para (por definiГЦo) a porta 80.
-Se nСs pegarmos o flag RST novamente, a mАquina esta viva. A terceira tИcnica envolve o envio de pacotes SYN e a espera pelo pacote com o flag RST ou os flags SYN/ACK. O mИtodo connect() И usado por usuАrios comuns (nЦo root).
-.Sp
-Por definiГЦo (para super usuАrios), o nmap usa tanto as tИcnicas do ICMP e a do flag ACK em paralelo. VocЙ pode mudar as
-.B \-P
-opГУes descritas mais a frente.
-.Sp
-Note que o ping, por definiГЦo, И feito de qualquer forma, e somente os hosts que respondem sЦo scanneados. Somente use esta opГЦo se vocЙ desejar vasculhar
-.B sem
-fazer qualquer scan real de portas.
-.TP
-.B \-sU
-UDP scans: Este mИtodo И usado para determinar quais portas UDP (User Datagram Protocol, RFC 768) estЦo abertas no host. A tИcnica implica em enviar 0 bytes de dados de pacotes UDP para cada porta da mАquina alvo. Se nСs recebermos uma mensagem de ICMP port unreachable (porta ICMP nЦo alcanГada), entЦo a porta estА fechada. Por outro lado nСs assumimos que a porta estА aberta.
-.Sp
-VАrias pessoas pensam que a tИcnica UDP scanning И supИrfluo. Eu, usualmente, lembro desta como uma recente falha no rpcbind do Solaris. O Rpcbind pode ser encontrado escondido em uma porta UDP nЦo documentada em algum lugar acima de 32770. EntЦo nЦo importa que a porta 111 esteja bloqueada por um firewall. PorИm, vocЙ pode encontrar quais as portas altas, maiores de 30.000, que estЦo no estado listening? Com o scanner UDP vocЙ pode! Existe, tambИm, o programa cDc Back Orifice backdoor o qual se oculta em uma porta UDP configurАvel em mАquinas Windows. Alguns serviГos comumente vulnerАveis que utilizam o UDP sЦo: snmp, tftp, NFS, etc.
-.Sp
-Desafortunadamente UDP scanning И algumas vezes, dolorosamente, vagarosa desde que a maioria dos hosts implementam a sugestЦo da RFC 1812 (seГЦo 4.3.2.8) de limitar a taxa de mensagens de erro ICMP. Por exemplo, o nЗcleo do Linux (em net/ipv4/icmp.h) limita a geraГЦo de mensagens de destination unreachable para 80 por 4 segundos, com 1/4 segundos de penalidade se esta for excedida. O Solaris tem um limite muito mais restrito (mais ou menos 2 mensagens por segundo) e assim gasta um tempo maior para realizar o scan.
-.I Nmap
-detecta esta taxa limitante e reduz conformemente, por outro lado inunda a rede com pacotes sem uso que irЦo ser ignorados pela mАquina alvo.
-.Sp
-Como И tМpico, a Microsoft ignorou a sugestЦo da RFC e nЦo parece ter feito nenhuma taxa limitante por completo no Win95 e no NT. EntЦo И possМvel scannear, 
-.B rapidamente
-, todas as portas de 64K das mАquinas windows. Beleza!
-.TP
-.B \-sO
-Scan do Protocolo IP: Este mИtodo И usado para determinar quais protocolos IPs sЦo usados no host. A tИcnica consiste em enviar pacotes IP raw sem promover nenhum cabeГalho para cada protocolo especМfico na mАquina alvo. Se nСs recebermos uma mensagem do protocolo ICMP unreachable, entЦo o protocolo nЦo estА sendo usado. Por outro lado nСs assumimos que estА aberto. Note que vАrios hosts (AIX, HP-UX, Digital UNIX) e firewalls podem nЦo enviar mensagens de protocolo unreachable. Assim faz parecer que todos os protocolos estЦo "abertos".
-.Sp
-Isso porque a tИcnica implementada И muito similar ao scanning da porta UDP, onde a taxa limite de ICMP pode ser aplicada tambИm. PorИm o campo do protocolo IP tem somente 8 bits, entЦo no mАximo 256 protocolos podem ser testados, os quais devem ser possМveis de serem testados em tempo razoАvel.
-.TP
-.B \-sA
-ACK scan: Este mИtodo avanГado И usualmente usado para mapear o conjunto de regras de um firewall. Em particular, esta pode ajudar a determinar quando um firewall И stateful ou somente um filtro de pacotes simples que bloqueia pacotes SYN de chegada.
-.Sp
-Este tipo de scan envia pacotes com o flag ACK setado para uma porta especМfica. Se um RST voltar, a porta И classificada como "nЦo filtrada". Se nЦo voltar nada ou um ICMP unreachable voltar, a porta И classificada como "filtrada". Note que o 
-.I nmap
-usualmente nЦo imprime portas "nЦo filtradas", obtendo, assim, 
-.B nenhuma
-porta mostrada na saМda И usualmente um sinal que todos os testes foram suscedidos (e retornado RSTs). Esta tИcnica de scan nunca irА, obviamente, mostrar portas no estado "aberto".
-.TP
-.B \-sW
-Window scan: Este scan avanГado И muito similar ao ACK scan, exceto que as vezes pode ser possМvel detectar portas abertas mesmo sendo filtradas, isso devido a anomalia do tamanho da janela TCP reportado por vАrios sistemas operacionais. Sistemas vulnerАveis para isso incluem no mМnimo vАrias versУes do AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. Vejam no arquivo, na lista de discussЦo nmap-hackers, a lista completa.
-.TP
-.B \-sR  
-RPC scan.  Este mИtodo trabalha em combinaГЦo com vАrias tИcnicas de scan de portas do Nmap. Ele pega todas as portas TCP/UDP encontradas abertas e inunda elas com comandos NULL de programas SunRPC numa tentativa de determinar quando elas sЦo portas RPC, e se sЦo, qual programa e versЦo dos serviГos. Com este mИtodo vocЙ pode efetivamente obter a mesma informaГЦo como se usasse 'rpcinfo -p' mesmo se o portmapper alvo estiver atrАs de um firewall (ou protegido pelo TCP wrappers). Decoy nЦo trabalha correntemente com RPC scan, em algum ponto eu posso adicionar o suporte decoy para UDP RPC scans.
-.TP
-.B \-b <ftp relay host>
-FTP bounce attack: Uma interessante "caracterМstica" do protocolo ftp (RFC 959) И sustentada para conexУes ftp "proxy". Em outras palavras, eu devo ser capaz de conectar do evil.com para um servidor FTP, target.com, e requerer que o servidor envie um arquivo para qualquer lugar na internet! Isto pode ter sido explorado bem em 1985 quando a RFC foi escrita. PorИm na internet hoje, nСs nЦo podemos ter pessoas hijacking servidores ftp e requisitando que os dados sejam jogados para arbitrАrios pontos na internet. Como *Hobbit* escreveu em 1995, este protocolo torna inЗtil "pode ser usado para portar virtualmente nЦo determinАveis emails ou news, forjando em servidores vАrios sites, preenchendo discos, tentando saltar firewalls, e geralmente sendo aborrecido, ficando, assim, difМcil seguir a pista ao mesmo tempo." O que nСs iremos explorar disto И o scan de portas TCP do servidor "proxy" de ftp. EntЦo vocЙ pode conectar a um servidor ftp atrАs do firewall, e entЦo scannear portas que estЦo mais provАvelmente bloqueadas (139 И uma boa). Se o servidor ftp permitir ler de e escrever para algum diretСrio (como /incoming), vocЙ pode enviar dados arbitrАrios para portas que vocЙ achar abertas (nmap nЦo faz isso por vocЙ).
-.Sp
-Os argumentos passados para a opГЦo 'b' И o host que vocЙ quer usar como proxy, na notaГЦo de padrЦo URL. O formato И:
-.I username:password@server:port.  
-Tudo, menos o
-.I server
-И opcional.  Para determinar quais servidores sЦo vulnerАveis para este ataque, vocЙ pode ver meu artigo em 
-.I Phrack
-51. A versЦo atualizada estА disponМvel em
-.I nmap
-URL (http://www.insecure.org/nmap).
-.TP
-.B OPгуES GERAIS
-Nenhuma destas sЦo requeridas, porИm algumas podem ser absolutamente proveitosas.
-.TP
-.B \-P0
-Pinga os hosts antes de scanneА-los. Isto permite scannear as redes que nЦo permitem ICMP echo requests (ou responses) atravИs dos seus firewalls. microsoft.com И um exemplo desta rede, e entЦo vocЙ deve sempre usar
-.B \-P0
-ou
-.B \-PT80
-quando portscanning microsoft.com.
-.TP
-.B \-PT
-Use TCP "ping" para determinar quais hosts estЦo ativos. Ao invez de enviar pacotes ICMP echo request e esperar pelas respostas, nСs enviamos pacotes TCP ACK por toda parte na rede alvo (ou para uma simples mАquina) e entЦo esperamos por respostas. Hosts que estЦo ativos devem responder com um RST. Esta opГЦo preserva a eficiЙncia de somente scannear hosts que estЦo ativos, enquanto ainda permite scannear redes/hosts que bloquearam pacotes ping. Para usuАrios nЦo root, И usado o connect(). Para setar a porta destino dos pacotes de teste usem -PT<nЗmero da porta>. A porta default И 80, desde que estА porta И muitas vezes nЦo filtrada.
-.TP
-.B \-PS
-EstА opГЦo usa pacotes com SYN (connection request) ao invez de pacotes com ACK para usuАrios root. Hosts que estЦo ativos devem responder com RST (ou, raramente, um SYN|ACK).
-.TP
-.B \-PI
-EstА opГЦo usa um pacote ping verdadeiro (ICMP echo request). Esta encontra os hosts que estЦo ativos e tambИm procura por um endereГo de broadcast para a subrede da sua rede. Estes sЦo endereГos IPs que sЦo externamente alcanГАveis e traduzidos para broadcast de pacotes IP de chegada para uma subrede de computadores. Estes devem ser eliminados se encontrado, como ele permitem por numerosos ataques de negaГЦo de serviГo (DoS) (Smurf И o mais comum).
-.TP
-.B \-PB
-Este И o tipo de ping default. Ele usa tanto pacotes com ACK (
-.B \-PT
-) e pacotes ICMP (
-.B \-PI
-) sweeps em paralelo.  Desta maneira vocЙ pode obter os firewalls que
-filtram cada uma (porИm nЦo ambas).
-.TP
-.B \-O
-Esta opГЦo ativa a identificaГЦo de hosts remotos via TCP/IP fingerprinting. Em outras palavras, ela usa uma grande quantidade de tИcnicas para detectar sutilezas na pilha de rede do sistema operacional do computador que vocЙ estА scanneando. Ele usa estas informaГУes para criar a 'fingerprint' a qual И comparada com sua base de dados de conhecidos fingerprints de SOs (o arquivo nmap-os-fingerprints) para decidir qual o tipo de sistema que vocЙ estА escanneando.
-.Sp
-Se o Nmap estА desabilitado para resolver o SO da mАquina, e as condiГУes sЦo boas (ex. ao menos uma porta aberta), Nmap irА prover a URL que vocЙ pode usar para submeter a fingerprint se vocЙ conhecer (com certeza) o SO sendo executado na mАquina. Por fazer isso vocЙ contribui para o conjunto de sistemas operacionais conhecidos pelo nmap e entЦo serА mais correto para todos.
-.Sp
-A opГЦo \-O tambИm possibilita classificar e fazer o prognostico da
-sequЙncia TCP. Esta И uma medida que descreve aproximadamente qual a
-dificuldade em estabelecer uma conexЦo TCP forjada contra um host remoto.
-Esta И Зtil para explorar o IP de origem baseado na relaГЦo de confianГa
-(rlogin, firewall filters, etc) ou por esconder a origem do ataque. O nЗmero
-difficulty mostrado И baseado em uma simples amostra estatМstica e pode
-variar. Este nЗmero И geralmente melhor apresentado como uma frase em InglЙs como "worthy challenge" ou "trivial joke".
-.TP
-.B \-I
-Esta ativa o scanning do ident reverso TCP. Como notado por Dave Goldsmith em 1996 na mensagem para a Bugtraq, o protocolo ident (rfc 1413) permite revelar o username dos donos dos processos conectados via TCP, mesmo se estes processos nЦo iniciaram a conexЦo. EntЦo vocЙ pode, por exemplo, conectar a porta http e entЦo usar o identd para encontrar quando o servidor estА sendo executado como root. Isto pode somente ser feito com uma conexЦo TCP completa para a porta alvo (ex.: a opГЦo de scanning -sT). Quando
-.B \-I
-И usada, o identd do host remoto И pesquisado para cada porta aberta encontrada. Obviamente isso nЦo funciona se o host nЦo estiver rodando o identd.
-.TP
-.B \-f
-Esta opГЦo requere os flags SYN, FIN, XMAS, ou NULL scan para usar cuidadosos pacotes IP fragmentados. A idИia И dividir o cabeГalho TCP sobre vАrios pacotes para ficar difМcil para o filtro de pacotes, sistemas de detecГЦo de intrusЦo, e outros aborrecimentos para detectar o que vocЙ estА fazendo. Seja cuidadoso com isso! VАrios programas tem preocupaГУes lidando com estes cuidadosos pacotes. Enquanto este mИtodo nЦo obtem pacotes filtrados e firewalls que enfileram todos os fragmentos IP (como a opГЦo CONFIG_IP_ALWAYS_DEFRAG no kernel do linux), vАrias redes nЦo conseguem assegurar o golpe de performance que este fato causa, entЦo И melhor deixar este desabilitado.
-.Sp
-Note que esta opГЦo, ainda, nЦo esta funcionando em todos os sistemas. Esta
-funciona bem para o Linux, FreeBSD, e OpenBSD e outras pessoas tem reportado
-sucessos com outras variaГУes  *NIX.
-.TP
-.B \-v
-Modo Verbose. Esta И uma opГЦo altamente recomendada e fornece mais informaГУes sobre o que esta acontecendo. VocЙ pode usА-la duas vezes para um melhor efeito. Use
-.B \-d
-em conjunto se vocЙ realmente quiser ficar louco com a quantidade de informaГУes na tela!
-.TP
-.B \-h
-Esta cТmoda opГЦo mostra uma rАpida tela de referЙncia das opГУes usadas no nmap. Como vocЙ deve ter notado, estА man page nЦo И exatamente uma 'rАpida referЙncia' :o)
-.TP
-.B \-oN <logfilename>
-Este log mostra o resultado do seu scan em uma forma
-.B humanamente legМvel
-no arquivo que vocЙ especificou como argumento.
-.TP
-.B \-oX <logfilename>
-Este log mostra o resultado do seu scan na forma de 
-.B XML
-no arquivo que vocЙ especificou como argumento. Isto permite aos programas facilmente capturar e interpretar os resultados do Nmap. VocЙ pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma saМda normal serА suprimida. Tomar cuidado para as mensagem de erro se vocЙ esta usando esta (elas, ainda, irЦo para stderr). TambИm, note que \'-v\' pode causar algumas informaГУes extras para ser impressas.
-.TP
-.B \-oG <logfilename>
-Este log mostra o resultado do seu scan na forma do
-.B grepable
-no arquivo que vocЙ especificou como argumento. Este simples formato provЙ todas as informaГУes em uma linha (entЦo vocЙ pode facilmente usar o grep para portas ou obter informaГУes de SOs e ver todos os endereГos IPs). Este И o mecanismo preferido pelos programas para interagir com o Nmap, porИm agora И recomendado usar a saМda em XML (-oX). Este simples formato pode nЦo conter tantas informaГУes quanto os outros formatos. VocЙ pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma saМda normal serА suprimida. Tomar cuidado para as mensagem de erro se vocЙ esta usando esta (elas, ainda, irЦo para stderr). TambИm, note que \'-v\' irА fornecer vАrias informaГУes extras para ser impressas.
-.TP
-.B \-oS <logfilename>
-thIs l0gz th3 r3suLtS of YouR ScanZ iN a
-.B s|<ipT kiDd|3  
-f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT!  U kAn gIv3
-the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
-stDouT!@!!
-.TP
-.B \--resume <logfilename>
-O scan de rede que И cancelado devido a um control-C, interrupГЦo da rede, etc. pode ser resumido usando esta opГЦo. O logfilename precisa ser normal (-oN) ou parsable na mАquina (-oM) para registrar o scan abortado. Nenhuma outra opГЦo pode ser usada. Nmap comeГarА na mАquina depois que a Зltima foi scanneada com sucesso e armazenada no arquivo de log.
-.TP
-.B \-iL <inputfilename>
-и feita a leitura de um arquivo alvo especificado na linha de comando. O arquivo deve conter uma lista de hosts ou expressУes de rede separados por espaГos, tabs, ou novas linhas. Use o hМfen  (-) como 
-.I inputfilename 
-se vocЙ quisesse que o nmap leia expressУes do hosts de stdin (como no final do pipe). Veja a seГЦo
-.I especificaГЦo do alvo
-para maiores informaГУes nas expressУes que vocЙ preencherА no arquivo.
-.TP
-.B \-iR
-Esta opГЦo fala para o Nmap para gerar seus prСprios hosts para scannear, usando simplesmente nЗmeros randomicos :o). Isso nunca irА terminar. Isso pode ser muito Зtil para tirar amostras estatМsticas da internet para estimar vАrias coisas. Se vocЙ nunca estiver realmente entediado, tente
-.I nmap \-sS \-iR \-p 80
-para encontrar vАrios servidores web para observar.
-.TP
-.B \-p <port ranges>
-Esta opГЦo especifica quais portas vocЙ quer para descrever. Por exemplo '-p 23' irА tentar somente a porta 23 do host(s) alvo. \'\-p 20-30,139,60000-\' irА scannear portas entre 20 e 30, porta 139, e todas as portas maiores que 60000. Por definiГЦo И para scannear todas as portas entre 1 e 1024 tЦo bem quanto qualquer porta listada no arquivo de serviГos o qual vem com o nmap. Para o scan de protocolos IP (-sO), especifica o nЗmero do protocolo que vocЙ deseja para (0-255).
-.TP
-.B \-F Modo de scan rАpido.
-Especifica que vocЙ somente deseja scannear por portas catalogadas no arquivo services o qual vem com o nmap (ou o arquivo de protocolos para -sO). Este И obviamente muito mais rАpido do que scannear todas 65535 portas no host.
-.TP
-.B \-D <decoy1 [,decoy2][,ME],...>
-O processo de decoy scan serА executado fazendo ele mostrar-se para o host
-remoto que o(s) host(s) que vocЙ especificou como decoys estЦo scanneando a rede alvo tambИm. EntЦo seus IDS precisarЦo reportar 5-10 scan de portas de um Зnico endereГo IP, porИm eles nЦo saberЦo qual o endereГo IP que os estava scanneando e quais eram os decoys inocentes. Enquanto isto pode ser descoberto atravИs de uma rota, respostas soltas, e outras mecanismos ativos, este И geralmente uma tИcnica extremamente efetiva para esconder seu endereГo IP.
-.Sp
-Separando cada decoy host com vМrgulas, vocЙ pode usar opcionalmente 'ME' como um dos decoys para representar a posiГЦo que vocЙ quer seu endereГo IP para ser usado. Se vocЙ colocar 'ME' na sexta posiГЦo ou outra maior, vАrias detectores comuns de scan de portas nЦo serЦo razoАveis para mostrar seu endereГo IP por completo. Se vocЙ nЦo usar 'ME', o nmap irА colocar vocЙ em uma posiГЦo randomica.
-.Sp
-Note que os hosts que vocЙ usa como decoys devem estar ativos ou vocЙ precisarА acidentalmente inundar com pacotes SYN seu alvo. TambИm, ele serА muito fАcil para determinar quais hosts estЦo scanneando se somente um estА atualmente ativo na rede. VocЙ deverА querer usar o endereГo IP ao invez de nomes (entЦo redes decoy nЦo irЦo ver vocЙ em seus nameserver logs).
-.Sp
-TambИm, note que vАrios (estЗpidos) "detectores de scan de portas" irЦo firewall/deny roteamento para hosts que tentam fazer o scan de portas. EntЦo vocЙ precisa descuidadosamente causar a perda de conexЦo da mАquina que vocЙ estА scanneando com a mАquina decoy que vocЙ esta usando. Isto pode causar maiores problemas para a mАquina alvo se o decoy estА sendo usado, digo, seu internet gateway ou atИ "localhost". EntЦo vocЙ pode querer ser cuidadoso com esta opГЦo. A real moral da histСria И que os detectores de scan de portas spoofable nЦo devem gastar aГУes contra a mАquina que parece estar scanneando suas portas. Este pode ser somente um decoy, ou seja, uma isca, uma armadilha!
-.Sp
-Decoys sЦo usados tanto em ping scan inicial (usando ICMP, SYN, ACK, ou o que seja) e durante a fase de atual scanneamento de porta. Decoy sЦo tambИm usados durante a detecГЦo remota de SO (
-.B \-O
-).
-.Sp
-Este И um digno registrador que usa vАrios decoys que podem atrasar seu scan e potencialmente atИ fazer este menos preciso. TambИm, vАrios ISPs filtram pacotes spoofed, embora vАrios (correntemente a maioria) nЦo restrigem pacotes IP spoofed por inteiro.
-.TP
-.B \-S <IP_Address>
-Em vАrias circunstБncias, 
-.I nmap
-pode nЦo ser capaz de determinar seu endereГo de origem (
-.I nmap 
-irА avisА-lo se este И o caso). Nesta situaГЦo, use
-\-S com seu endereГo IP (atravИs da interface que vocЙ deseja enviar pacotes).
-.Sp
-Outro possМvel uso deste flag И para spoofar o scan para fazer o alvo pensar que 
-.B alguИm mais
-estА scanneando. Imagine uma companhia sendo repetidamente port scanned pelo seu competidor! Este nЦo И um uso suportado (ou o principal propСsito) deste flag. Eu penso somente que isso levanta uma interessante discussЦo, em que as pessoas devem estar cientes antes que elas acusem outras pessoas de estar scanneando suas portas.
-.B \-e
-geralmente serА requerida para este tipo de uso.
-.TP
-.B \-e <interface>
-Fala para o nmap qual interface enviar e receber pacotes. Nmap deve ser capaz de detectar isto, porИm este contarА para vocЙ se nЦo puder.
-.TP
-.B \-g <portnumber>
-Conjunto de nЗmeros de portas de origens usadas no scan. VАrios ingЙnuos firewalls e filtros de pacotes instalados fazem uma exceГЦo em seus conjuntos de regras para permitir pacotes DNS (53) ou FTP-DATA (20) para entrar e estabelecer a conexЦo. Obviamente isto contesta completamente as vantagens de seguranГa do firewall desde que intrusos podem somente mascarar como FTP ou DNS por modificar suas portas de origem. Obviamente para UDP scan vocЙ deve tentar 53 primeiro e TCP scans devem tentar 20 antes da porta 53. Note que isso И somente uma requisiГЦo -- nmap honrarА isso somente quando esta estiver hАbil para. Por exemplo, vocЙ nЦo pode amostrar todo TCP ISN de um host:porta para um host:porta, entЦo nmap muda a porta de origem mesmo que seja usado -g.
-.Sp
-Seja ciente que existe uma penalidade na performance em vАrios scans por usar esta opГЦo, porque eu algumas vezes armazeno informaГУes Зteis no nЗmero da porta de origem.
-.TP
-.B \-r
-Fala para o Nmap para
-.B NцO
-randomizar a ordem na qual as portas serЦo scanneada.
-.TP
-.B \-\-randomize_hosts
-Fala para o Nmap para embaralhar cada grupo acima de 2048 hosts antes de scanneА-los. Isto pode fazer o scan menos evidente para vАrios sistemas de monitoraГЦo de rede, especialmente quando vocЙ combina estes com as opГУes de baixo tempo (slow timing) (veja abaixo).
-.TP
-.B \-M <max sockets>
-Conjunto mАximo de nЗmeros de sockets que serА usado em paralelo pelo TCP connect() scan (por definiГЦo). Esta И Зtil para diminuir um pouco o scan e anular a possibilidade de travar a mАquina remota. Outra aproximaГЦo И para usar \-sS, a qual И geralmente fАcil para as mАquinas descreverem.
-.TP
-.B OPгуES DE TEMPO
-Geralmente o Nmap faz um bom trabalho em ajustar para as caracterМsticas da rede um tempo de execuГЦo e scanning tЦo rАpido quanto possМvel enquanto minimiza as chances do hosts/portas serem nЦo detectadas. Entretanto, existem vАrios casos onde a polМtica de tempo default do Nmap pode nЦo encontrar seus objetivos. As seguintes opГУes provЙem um fino nМvel de controle sobre o tempo de scan:
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-Estas sЦo polМticas de tempo preservados para convenientemente expressar suas prioridades para o Nmap.
-.B Paranoid 
-modo de scan
-.B muito
-lento na esperanГa de prevenir a detecГЦo pelo sistema IDS. Este serializa todos os scans (scanning nЦo paralelo) e geralmente espera no mМnimo 5 minutos entre o envio de pacotes.
-.B Sneaky 
-И similar, exceto que somente espera 15 segundos entre o envio de pacotes.
-.B Polite
-tem o significado para facilitar a carga na rede e reduzir as chances de travar a mАquina. Ele serializa os testes e espera 
-.B no mМnimo 
-0.4 segundos entre eles.  
-.B Normal
-И o comportamento default do Nmap, o qual tenta executar tЦo rАpido quanto possМvel sem sobrecarregar a rede ou perder hosts/portas.
-.B Aggressive
-esse modo adiciona um timeout de 5 minutos por host e nunca espera mais que 1.25 segundos para testar as respostas.
-.B Insane 
-И somente adequando para redes muito rАpidas ou onde vocЙ nЦo se importa em perder algumas informaГУes. Nesta opГЦo o timeout dos hosts acontecem em 75 segundos e espera somente 0.3 segundos por teste individual. Esta possibilita, de qualquer forma, uma varredura extremamente rАpida na rede :o). VocЙ pode tambИm referenciar isso por nЗmeros (0-5). Por exemplo, \'-T 0\' fornece para vocЙ o modo Paranoid e \'-T 5\' И o modo Insane.
-.Sp
-Estes modos, para preservar o tempo, NцO devem ser usados em combinaГЦo com controles de baixo nМvel, como os fornecidos abaixo.
-.TP
-.B --host_timeout <milliseconds>
-Especifica a soma de tempo que o Nmap permite para gastar scanneando um simples host antes de desistir daquele IP. O modo de tempo default nЦo tem o timeout do host.
-.TP
-.B --max_rtt_timeout <milliseconds>
-Especifica a soma mАxima de tempo do Nmap tem permitido para esperar pela resposta de teste antes de retransmitir ou ocorrer um timeout de um particular teste. O modo default seta este valor em 9000.
-.TP
-.B --min_rtt_timeout <milliseconds>
-Quando um host alvo comeГa a estabelecer um padrЦo de resposta muito rАpido, Nmap irА contrair a soma de tempo fornecida por teste. Isto aumenta a velocidade do scan, porИm pode levar a perder pacotes quando a resposta gasta mais tempo que o usual. Com este parБmetro vocЙ pode garantir que o Nmap irА esperar ao menos a soma de tempo fornecida antes de abrir mЦo do teste.
-.TP
-.B --initial_rtt_timeout <milliseconds>
-Especifica o timeout do teste inicial. Isto И geralmente Зtil quando scanning firewalled hosts com -P0. Normalmente o Nmap pode obter boas estimativas RTT do ping e dos primeiros testes. O modo default usa 6000.
-.TP
-.B --max_parallelism <number>
-Especifica o nЗmero mАximo de Nmap scans permitidos para serem performados em paralelo. Ajustando este para 1 significa que o Nmap nunca irА tentar scannear mais que uma porta por vez. Este, tambИm, afeta outros scans paralelos como o ping sweep, RPC scan, etc.
-.TP
-.B --scan_delay <milliseconds>
-Especifica a 
-.B mМnima
-soma de tempo que o Nmap precisa esperar entre testes. Este И, na maioria das vezes, Зtil para reduzir a carga da rede ou para diminuir a maneira de scan para esquivar-se do IDS.
-
-.SH ESPECIFICAгцO DO ALVO
-Tudo que nЦo И uma opГЦo (ou argumento de opГЦo) no nmap И tratado como especificaГЦo do host alvo. No caso mais simples sЦo registrados simples hostnames ou endereГos IPs na linha de comando. Se vocЙ quiser scannear uma subrede de endereГos IPs, vocЙ pode anexar
-.B '/mask' 
-para o hostname ou endereГo IP.
-.B mask 
-precisa estar entre 0 (faz o scan de toda internet) e 32 (faz o scan de um simples host especificado). Use /24 para scannear a classe de endereГo 'C' e /16 para a classe de endereГo 'B'.
-.Sp
-Nmap, tambИm, tem a mais poderosa notaГЦo a qual permite vocЙ especificar um
-endereГo IP usando uma lista/fileira para cada elemento. EntЦo vocЙ pode scannear todo o endereГo classe 'B' da rede 192.168.*.* especificando '192.168.*.*' ou '192.168.0-255.0-255' ou atИ '192.168.1-50,51-255.1,2,3,4,5-255'. E И claro, vocЙ pode usar a notaГЦo de mАscara: '192.168.0.0/16'. Estes todos sЦo equivalentes.
-.Sp
-Outra coisa interessante para fazer И dividir em pedaГos a Internet de outra maneira. Ao invez de scannear todos os hosts da classe 'B', scan '*.*.5.6-7' com o objetivo de explorar todos os endereГos IPs que terminam em .5.6 ou .5.7 escolhendo seus prСprios nЗmeros. Para mais informaГУes dos hosts especМficos para scannear, veja a seГЦo de 
-.I exemplos.
-.SH EXEMPLOS
-Aqui existem vАrios exemplos de uso do nmap, do simples e normal para um pouco mais complexo/esotИrico. Note que nЗmeros atuais e vАrios nomes de domМnios atuais sЦo usados para tornar as coisas mais concretas. Em seus lugares vocЙ deve substituir por endereГos/nomes da 
-.B sua prСpria rede.
-Eu nЦo penso que scannear portas de outras rede И ilegal; nem deve o scanneamento de portas ser feito por outros como um ataque. Eu tenho scanneado centenas de milhares de mАquinas e tenho recebido somente uma reclamaГЦo. PorИm eu nЦo sou advogado e alguma pessoa pode estar irritado pelos testes do 
-.I nmap 
-.  Primeiramente, obtenha permissЦo ou use sobre seu prСprio risco.
-.Sp
-.B nmap -v target.example.com
-.Sp
-Esta opГЦo faz o scan de todas as portas TCP reservadas na mАquina target.example.com. A opГЦo \-v significa ligar o modo verbose.
-.Sp
-.B nmap -sS -O target.example.com/24
-.Sp
-LanГa um stealth SYN scan contra cada mАquina que estА ativa, abrangendo todas as 255 mАquinas de classe 'C' onde target.example.com reside. Este exemplo, tambИm, tenta determinar o sistema operacional que esta executando em cada host que esta ativo. Este requere privilИgios de root (super usuАrio) por causa da tИcnica SYN scan e da detecГЦo de SOs.
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
-.Sp
-Envia um Xmas tree scan para a primeira metade de cada uma das 255 possibilidades de subredes de 8 bit no espaГo de endereГos classe 'B' em 198.116. NСs estamos testando quando o sistema executa sshd, DNS, pop3d, imapd, ou a porta 4564. Note que o Xmas scan nЦo trabalha com a Microsoft devido a sua deficiente pilha TCP. O mesmo acontece com CISCO, IRIX, HP/UX, e BSDI.
-.Sp
-.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
-.Sp
-Em lugar de focar somente um especМfico IP, И interessante, algumas vezes, abranger um fatia de toda a internet e fazer o scan de um pequena amostra de cada fatia. Este comando encontra todos os servidores web em mАquinas com endereГos IPs terminando em .2.3, .2.4, ou .2.5. Se vocЙ И super usuАrio (root) vocЙ pode adicionar -sS. TambИm, vocЙ irА encontrar mais mАquinas interessantes comeГando com 127., entЦo vocЙ pode querer usar '127-222' ao invez dos primeiros asterМsticos porque essa parte tem uma alta densidade de mАquinas interessantes
-(IMHO).
-.Sp
-.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
-.Sp
-Fazer uma transferЙncia de zona de DNS para encontrar hosts em company.com e entЦo alimentar os endereГos IPs para o 
-.I nmap.
-Os comandos acima sЦo para minha caixa GNU/Linux. VocЙ pode precisar de diferentes comandos/opГУes em outros sistemas operacionais.
-.SH BUGS 
-Bugs? O que И bugs? Envie-me os bugs que vocЙ encontrar. Patches sЦo uma boa tambИm :o) Lembrem-se de, tambИm, enviar novos SO fingerprints para que possamos aumentar nossa base de dados. O Nmap irА fornecer para vocЙ uma URL de submissЦo quando um apropriado fingerprint for encontrado.
-.SH AUTOR
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH TRADUTOR
-.Sp
-AntТnio Pires de Castro Jr
-.I <apcastro@ic.unicamp.br>; <apcastro@ondefor.com.br>
-Texto traduzido em 17 de Outubro de 2000.
-.SH NOTA DO TRADUTOR
-.Sp
-Esta traduГЦo foi realizada usando a man page oficial do nmap (NMAP 2.54BETA7), e nЦo possui nenhum compromisso com www.insecure.org. Este trabalho foi realizado pela livre e expontБnea vontade do tradutor. Qualquer correГЦo desta pode ser feita enviando um email para o tradutor.
-.SH DISTRIBUIгцO
-A mais nova versЦo do 
-.I nmap
-pode ser obtida em
-.I http://www.insecure.org/nmap/
-.Sp
-.I nmap 
- (C) 1997,1998,1999,2000 por Fyodor (fyodor@insecure.org)
-.Sp
-.I libpcap
-И, tambИm, distribuМda junto com nmap. Esta И uma copyrighted por Van Jacobson, Craig Leres and Steven McCanne, todos do LaboratСrio Nacional de Lawrence em Berkeley, University of California, Berkeley, CA.  A versЦo distribuМda com o nmap pode ser modificada, a fonte original estА disponМvel em ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
-.Sp
-Este programa И um software livre; vocЙ pode redistribuМ-lo e/ou modificА-lo sobre os termos da LicenГa PЗblica Geral GNU como publicado pelo Free Software Foundation; VersЦo 2. Esta garante seu direito de usar, modificar e redistribuir o Nmap sobre certas condiГУes. Se esta licenГa for inaceitАvel para vocЙ, o Insecure.Org pode estar querendo negociar alternativas licenГas (entre em contato com fyodor@insecure.org).
-.Sp
-O cСdigo de origem И fornecido para este software porque nСs acreditamos que os usuАrios tem o direito de conhecer exatamente qual o programa ele irА usar antes de executА-lo. Isto, tambИm, permite vocЙ auditar o software para furos de seguranГa (nenhum foi encontrado).
-.Sp
-O cСdigo de origem tambИm permite vocЙ portar o Nmap para novas plataformas, consertar bugs, e adicionar novas caracterМsticas. VocЙ esta altamente encorajado para enviar suas mudanГas para fyodor@insecure.org para possМveis encorporaГУes em sua principal distribuiГЦo. Por enviar estas mudanГas para Fyodor ou uma das listas de discussЦo dos desenvolvedores insecure.org, serА assumido que vocЙ estА oferecendo nenhum limite a Fyodor, nЦo-exclusivo direito de reusar, modificar, e relicenciar o cСdigo. Isto И importante por causa da incapacidade para relicenciar cСdigos, isso tem causado devastadores problemas para outros projetos de software livres (como KDE e NASM). O cСdigo fonte do Nmap sempre estarА disponМvel. Se vocЙ desejar especificar especiais condiГУes de licenГa das suas contribuiГУes, somente diga quando vocЙ as enviar.
-.Sp
-Este programa И distribuМdo na esperanГa de ser Зtil, porИm
-.B SEM NENHUMA GARANTIA;
-sem mesmo implicar garantia de 
-.B COMERCIABILIDADE 
-ou 
-.B ADAPTAгцO PARA UM PROPсSITO PARTICULAR.
-Veja a LicenГa PЗblica Geral GNU por mais detalhes (esta estА no arquivo COPYING da distribuiГЦo do
-.I nmap 
-). 
-.Sp
-TambИm deve ser notado que o Nmap tem sido conhecido por travar certas aplicaГУes pobremente escritas, pilhas TCP/IP, e mesmo certos sistemas operacionais.
-.B O Nmap nunca deve ser executado contra sistemas crМticos de missЦo ao menos que vocЙ esteja preparado para sofrer com o tempo ocioso. NСs reconhecemos aqui que o Nmap pode travar seu sistema ou rede e nСs renunciamos todas responsabilidades por qualquer dano ou problemas que o Nmap possa causar.
-.Sp
-Por menosprezar os riscos de travar e por causa de vАrios usuАrios malМciosos gostarem de usar o Nmap para fazer o levantamento topolСgico da rede antes de atacar o sistema, existem administradores que estЦo preocupados e podem reclamar quando seus sistemas sЦo scanneados. Por isso, И muitas vezes conveniente requerer permissЦo antes de fazer, mesmo que seja, um simples scan na rede.
-.Sp
-O Nmap nunca deve ser executado com privilИgios (ex.: suid root) por razУes de seguranГa.
-.Sp
-Todas as versУes do Nmap igual А ou maiores que 2.0 sЦo acreditadas nЦo ter problemas, em todos os aspectos, com o bug do ano 2000 (Y2K). PorИm, nЦo existe razЦo para acreditar que versУes anteriores a 2.0 sЦo susceptМveis a problemas, porИm nСs nЦo as testamos.
diff --git a/docs/nmap_russian.1 b/docs/nmap_russian.1
deleted file mode 100644
index 1ee0fa09b..000000000
--- a/docs/nmap_russian.1
+++ /dev/null
@@ -1,1020 +0,0 @@
-.\" This definition swiped from the gcc(1) man page
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH НАЗВАНИЕ ПРОГРАММЫ
-nmap \- the Network Mapper \- инструмент для сканирования и исследования безопасности Сети.
-.SH ИСПОЛЬЗОВАНИЕ
-.B nmap
-[тип(ы) сканирования] [опции] <хост или сеть #1 ... [#N]>
-.SH ОПИСАНИЕ
-Nmap создан для системных администраторов и любопытных индивидуумов для
-того, что бы сканировать сети с любым количеством объектов для
-определения доступности хостов и идентификации сервисов, которые они
-предоставляют.
-.PP
-Nmap поддерживает такие виды сканирования как: UDP, TCP connect(), TCP
-SYN (полуоткрытое соединение), ftp proxy (bounce attack), ICMP (ping),
-FIN, ACK, Xmas Tree, SYN, IP Protocol и NULL.
-.PP
-Смотрите секцию Типы Сканирования для более подробной информации.
-.PP
-Nmap также поддерживает ряд расширенных особенностей, - например
-удалённое определение операционной системы методом снятия отпечатка
-TCP/IP стека, стелс-сканирование, вычисление динамической задержки и
-интервала повторной передачи, параллельное сканирование, определение 
-неактивных хостов методом параллельного ping-сканирования, сканирование с
-использованием ложных хостов, обнаружение систем фильтрации трафика (port
-filtering detection), прямое (без использования portmapper) RPC-сканирование, IP-фрагментацию при сканировании, а также произвольное
-указание сканируемых адресов и портов.
-.PP
-Много работы проводилось над адаптацией nmap для пользователей без прав
-root. К сожалению, много критических ядерных интерфейсов (как, например
-raw-сокеты) требуют root-привилегий, так что старайтесь запускать nmap
-именно с этими правами (не setuid root, конечно).
-.PP
-Результатом работы nmap обычно является список отсканированных портов на
-удаленной машине(ах) с указанием номера и состояния порта, типа
-используемого протокола, а также названия службы, закрепленной за этим
-портом. Порт характеризируется возможными состояниями: "открыт"(open),
-"закрыт"(closed), "фильтруемый"(filtered) и "нефильтруемый"(unfiltered).
-Состояние порта "open" означает, что на удалённой машине за этим портом
-закреплён определённый сервис и он может принять соединение на этот порт.
-Состояние порта "close" означает, что соединения на этот порт невозможны.
-Состояние порта "filtered" означает, что фаервол, пакетный фильтр или
-любая другая помеха мешает определить состояние порта. Состояние порта
-"unfiltered" - означает что порт закрыт и система защиты не мешает это
-определить. Такое состояние отображается если большинство портов
-сканируемой машины находится в состоянии filtered. В некоторых случаях
-nmap не может точно определить разницу между состояниями порта filtered,
-open или closed. Например, порт который не отвечает на FIN-сканирование
-может находиться в состоянии как open так и filtered. В подобных случаях
-nmap отображает такие порты как "open|filtered" или "closed|filtered".
-.PP
-В зависимости от указанных опций, nmap также может определить следующие
-характеристики сканируемого хоста: тип ОС, метод генерации TCP ISN, имя
-пользователя (username) владельца процесса, зарезервировавшего
-сканируемый порт, символьные имена, соответствующие сканируемым IP-адресам и т.п.
-.SH ОПЦИИ
- Большинство опций могут комбинироваться друг с другом. Одни опции
- предназначены для выбора определенного метода сканирования, другие
- указывают на использование дополнительных возможностей или служат для
- настройки различных параметров сканирования. Nmap предупреждает
- пользователя о недопустимом сочетании указанных им опций.
-.Sp
- Если вы немедленно хотите начать работу с nmap, можете пропустить этот
- раздел и перейти к изучению примеров вызова nmap в конце данного
- руководства. Вы можете также запустить программу nmap с ключом '
-.B -h'
-для получения краткой справки по всем опциям.
-.TP
-.B ТИПЫ СКАНИРОВАНИЯ
-.TP
-.B \-sS
-Сканирование методом SYN. Этот метод называется "полуоткрытое"
-сканирование, поскольку полное TCP-соединение с портом сканируемой
-машины не устанавливается. Nmap посылает SYN-пакет, как бы
-намереваясь открыть настоящее соединение, и ожидает ответ. Флаги
-SYN|ACK в ответе указывают на то, что порт удаленной машины
-открыт. Флаг RST указывает на то, что порт удалённой машины
-закрыт. Если nmap принял пакет SYN|ACK, то в ответ немедленно
-отправляется (операционной системой) RST-пакет для сброса еще не
-установленного соединения. Очень немного сайтов способны
-обнаружить такое сканирование, однако хорошо настроенный фаервол
-на это способен. Пользователь должен иметь root-привилегии
-для формирования поддельного SYN-пакета. Этот тип сканирования
-является применимым по-умолчанию для привилегированных
-пользователей.
-.TP
-.B \-sT 
-Сканирование методом TCP connect(). Наиболее простой метод
-сканирования TCP-портов. Системный вызов connect(), присутствующий
-в любой ОС, позволяет создать соединение с любым портом удаленной
-машины. Соединение происходит методом стандартного "tcp-рукопожатия", - сканирующая машина отправляет на сканируемую
-пакет с флагом SYN, если в ответ приходит пакет с флагом RST - то
-порт закрыт, если SYN|ACK, то сканирующая отправляет ACK и тогда
-соединение установлено). Если порт открыт и прослушивается
-сканируемой машиной, то результат выполнения connect() будет
-успешным (т.е. соединение будет установлено), в противном случае
-указанный порт является закрытым или доступ к нему блокируется.
-Единственным преимуществом данного метода является то, что его
-можно использовать без root-привилегий.
-.Sp
-Этот метод сканирования легко обнаружим, поскольку в log-файле на
-сканируемой машине сохранятся записи о многочисленных попытках
-соединения и об ошибках выполнения данной операции службами, к
-которым производилось подключение, а затем мгновенное завершение
-соединения. Этот тип сканирования является применимым по-умолчанию
-для непривилегированных пользователей.
-.TP
-.B \-sF \-sX \-sN 
-Сканирование методом stealth-FIN, Xmas Tree или NULL. Эти методы
-используются в случае, если SYN-сканирование по каким-либо
-причинам не дало ожидаемого результата. Некоторые фаерволы и
-пакетные фильтры ожидают SYN-пакеты на защищаемые ими порты, и
-программы типа Synlogger или Courtney способны отследить SYN-сканирование. Вышеуказанные типы сканирования могут быть не
-замечены системами защиты.
-.Sp
-FIN-сканировании в качестве запроса используется FIN-пакет. В Xmas
-Tree используется пакет с набором флагов FIN|URG|PSH, а NULL-сканирование использует пакет без флагов. Согласно RFC 793
-стр.64, закрытый порт должен ответить на один из таких посланных
-нами пакет пакетом с флагом RST. Фильтруемые порты обычно не
-отвечают на такие пакеты, поэтому nmap обозначает такой порт
-"open|filered". Если добавить опцию распознавания версии (-sV),
-nmap попытается определить точно ли такие порты открыты. К
-несчастью, Microsoft как всегда решила полностью игнорировать все
-общепринятые стандарты и пойти своим путём. Поэтому любая ОС
-семейства Windows не посылает в ответ RST-пакет, и данные методы
-не будут работать с этими ОС. С другой стороны в nmap этот признак
-является основным для различения операционных систем, если данные
-типы сканирования нашли открытые порты - скорее всего сканируемая
-машина работает не под управлением windows. К сожалению, Windows
-не единственная ОС, обладающая этим недостатком. К таким ОС
-относятся также Cisco, BSDI, IRIX, HP/UX и MVS. Все эти ОС не
-отправляют RST-пакеты. Но это не так важно, поскольку nmap может
-определять операционную систему другими методами автоматически.
-.TP
-.B \-sP
-Ping-сканирование: Иногда вам необходимо лишь узнать какие хосты
-активны в сканируемой сети. Nmap может сделать это, послав ICMP-сообщение "эхо запрос" на каждый IP-адрес, который вы укажете.
-Хост, отправивший ответ на эхо, является активным. Некоторые сайты
-(например microsoft.com) блокируют пакеты с эхо запросом. Поэтому
-nmap также посылает TCP АСК-пакет на 80-й порт сканируемого хоста
-(по умолчанию). Если в ответ мы получили RST-пакет, - хост
-активен. Третий метод посылает SYN-пакет и ожидает в ответ RST
-либо SYN|ACK. Для пользователей, не обладающих статусом
-root, используется метод connect().
-.Sp
-Для привилегированных пользователей nmap по умолчанию использует
-параллельно оба метода - ICMP и ACK. Вы можете изменить это,
-используя опцию '
-.B \-P
-', описанную ниже.
-.Sp
-Обратите внимание, что ping-сканирование по умолчанию выполняется
-в любом случае и только активные хосты подвергаются сканированию.
-Используйте эту опцию только в случае, если вы хотите произвести
-только ping-опрос, не сканируя порты.
-.B \-sV
-Включить режим определения версий служб, за которыми закреплены
-сканируемые порты. После сканирования TCP и/или UDP-портов любым
-методом, nmap попытается определить привязанный к этим открытым
-портам протокол службы (ftp, ssh, telnet, http), имя приложения
-(ISC Bind, Apache httpd, Solaris telnetd), номер версии и
-дополнительные детали (например, открыт ли Х сервер для
-подключений или версию протокола SSH). Файл, названный nmap-service-probes используется для определения оптимальтых тестов, с
-помощью которых можно получить максимально точную информацию в
-данных условиях. Если nmap скомпилирован с поддержкой OpenSSL, он
-подключится к SSL-серверу с попыткой определить, какая служба
-работает за шифрованием. Если обнаружена служба RPC, nmap
-предпримет атаку на RPC по методу "грубой силы" для определения
-номера программы RPC и номера версии. Некоторые UDP-порты остаются
-в состоянии "open|filtered" если UDP-сканирование не сможет точно
-определить в каком состоянии находится порт. Определитель версии
-попытается соединиться на такой порт, и если он открыт, то его
-состояние изменится на open. Опция '-A' также включает этот режим.
-При использовании опции '--version_trace' nmap будет отображать
-всю информацию о происходящем процессе определения версии (это
-некоторая разновидность информации которую можно получить при
-включении опции '--packet_trace').
-.TP
-.B \-sU
-UDP-сканирование: этот тип сканирования используется для
-определения открытых UDP (User Datagram Protocol, RFC 768) портов
-на сканируемой машине. Nmap посылает 0-байтный UDP-пакет на каждый
-порт сканируемой машины. Если в ответ получено сообщение ICMP
-"port unreachable" (ICMP порт недоступен), то сканируемый порт
-закрыт, если что-то другое - то открыт. Если ответ вообще не 
-приходит, то nmap помечает порт состоянием "open|filtered", и это
-значит что порт открыт, но фаервол или другой пакетный фильтр
-блокирует доступ к данному порту. Включение режима определения
-версий служб (-sV) может помочь точно распознать открытые и
-фильтруемые порты.
-.Sp
-Некоторые пользователи считают сканирование UDP-портов бесполезным
-занятием. Мы обычно в этом случае напоминаем об известной дыре в
-демоне rpcbind ОС Solaris. Rpcbind может быть обнаружен на любом
-из недокументированных UDP-портов с номером, больше 32770. Если вы
-обнаружите его, то будет уже не важно, блокируется ли 111-й порт
-фаерволом или нет. Но как вы можете обнаружить на каком именно из
-30,000 портов запущен rpcbind? Конечно же с помощью UDP-сканирования. Также недокументированные (свыше 1024 номера) порты
-часто используются троянами или DDoS-клиентами. Очень часто такие
-UDP-сервисы как snmp, tftp, NFS также имеют уязвимости.
-.Sp
-К сожалению, сканирование UDP-портов очень медленный процесс,
-поскольку практически все ОС следуют рекомендации RFC 1812 (раздел
-4.3.2.8) по ограничению скорости генерирования ICMP-сообщений
-"порт недоступен". Например, ядро Linux (файл - net/ipv4/icmp.h)
-ограничивает генерирование таких сообщений до 80 за 4 секунды с
-простоем 0,25 секунды, если это ограничение было превышено. У ОС
-Solaris еще более жесткое ограничение (2 сообщения в секунду), и
-поэтому сканирование Solaris проходит еще более медленно. Nmap
-определяет параметры этого ограничения, и соответственно уменьшает
-количество генерируемых запросов, предотвращая тем самым
-затопление сети ненужными пакетами, которые игнорируются
-сканируемой машиной.
-.Sp
-Как обычно, Microsoft проигнорировала рекомендации RFC, и не
-использует в своих ОС никаких ограничений. Поэтому nmap может
-очень быстро просканировать все 65535 UDP-портов хоста,
-работающего под управлением ОС Windows. :-)
-.TP
-.B \-sO
-Сканирование протоколов IP. Данный метод используется для
-определения IP-протоколов, которые поддерживает сканируемый хост.
-Метод заключается в отправке хосту IP-пакетов без заголовка для
-каждого сканируемого протокола. Если получено сообщение ICMP
-"protocol unreachable" (протокол недоступен), то данный протокол
-хостом не используется. В противном случае nmap предполагает, что
-протокол хостом поддерживается. Стоит заметить, что некоторые ОС
-(AIX, HP-UX, Digital UNIX) и фаерволы могут блокировать передачу
-сообщений "ICMP protocol unreachable". По этой причине все
-сканируемые протоколы nmap обозначает как "open" (т.е.
-поддерживаются).
-.Sp
-Поскольку описанная техника схожа со сканированием UDP-портов, то
-и соответственно есть лимит скорости генерации ICMP-сообщений.
-Однако поле "тип протокола" IP-заголовка состоит всего лишь из 8
-бит, поэтому 256 протоколов будут отсканированы за приемлемое
-время.
-.TP
-.B \-sI <зомби-хост[:порт]>
-Idle-сканирование - позволяет произвести абсолютно невидимое
-сканирование портов. Это означает, что никакие пакеты с вашего
-реального ip-aдреса не отправляются на сканируемую машину. Метод
-IdleScan использует сторонний канал для сканирования, которое
-проходит через хост-зомби, и основано на методе предугадывания
-генерируемого на хосте-зомби значения "IP fragmentation ID".
-Системы защиты на сканируемом хосте определят источником
-сканирования хост-зомби, который вы используете.
-.Sp
-Кроме абсолютной невидимости, этот тип сканирования позволяет
-определить политику доверия между сканируемыми машинами на уровне
-протокола IP. Листинг результатов сканирования отображает порты
-открытые для хоста-"зомби". Таким образом, можно просканировать
-цель с использованием нескольких "зомби", которым цель может
-"доверять", в обход фаерволов и пакетных фильтров. Такого рода
-информация может быть самой важной при выборе приоритетных целей
-для атаки.
-.Sp
-Вы можете указать конкретный порт для проверки изменения IPID на
-хосте-"зомби". В ином случае nmap будет использовать номер порта
-по умолчанию для "tcp ping".
-.Sp
-Что бы узнать, можно ли использовать хост в качестве зомби, 
-- нужно запустить nmap c дополнительными опциями "-O -v", и в поле
-IPID Sequence Generation будет указан тип генерирования. Если
-"Incremental" - то этот хост можно использовать как зомби.
-.TP
-.B \-sA
-Сканирование методом ACK. Этот метод обычно используется для
-определения набора правил фаервола. В частности, он помогает
-определить защищен ли сканируемый хост фаерволом или просто
-используется пакетный фильтр, блокирующий входящие SYN-пакеты.
-.Sp
-Этот метод сканирования подразумевает отправку ACK-пакета (со
-случайными значениями полей acknowledgement number и sequence
-number) на порт сканируемого хоста. Если в ответ пришел RST-пакет,
-порт обозначается как "unfiltered" (нефильтруемый). Если ответа не
-последовало (или пришло ICMP-сообщение "port unreachable"), порт
-обозначается как "фильтруемый". Заметим, что обычно nmap не
-отображает нефильтруемые порты в результатах, поэтому если после
-сканирования методом АСК не обнаружено ни одного открытого порта,
-то это означает, что все порты являются нефильтруемыми (в ответ
-пришел RST-пакет). Этот метод никогда не показывает состояние
-порта "open" в результатах сканирования. 
-.TP
-.B \-sW
-Cканировать методом TCP Window. Этот метод очень похож на ACK-сканирование, за исключением того, что иногда с его помощью можно
-определить открытые порты точно так же, как и
-фильтруемые/нефильтруемые, проверяя значение поля window size TCP-пакета, возвращаемого хостом в ответ на посланный ему запрос,
-поскольку есть некоторые аномалии обработки данного поля у
-некоторых ОС. Список уязвимых операционных систем включает в себя
-несколько версий AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX,
-OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD,
-OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX и
-VxWorks. Для более подробной информации смотрите архив конференции
-nmap-hackers.
-.TP
-.B \-sR 
-RPC-сканирование. Метод работает только в комбинации с другими
-методами сканирования. Все предварительно отсканированные открытые
-порты затопляются NULL-командами программы SunRPC, для того чтобы
-определить какие из этих портов являются RPC-портами, и какие за
-ними закрепленные программы. Таким образом, вы легко получаете
-информацию, которую могли бы получить с помощью команды 'rpcinfo 
--p', даже если portmapper сканируемого хоста закрыт фаерволом или
-TCP-wrapper'ом. Этот тип сканирования включается также при выборе
-опции '-sV' (режим определения версий служб).
-.TP
-.B \-sL
-Cоставить список сканирования. Этот метод просто генерирует список
-IP-адресов или имён хостов без любого их сканирования. Имена
-хостов определяются по-умолчанию, но это можно отменить опцией -n.
-.TP
-.B \-b <ftp relay host>
-Прорыв через FTP. Интересной "возможностью" протокола FTP (RFC
-959) является поддержка proxy ftp-соединений. Другими словами, с
-доверенного хоста evil.com можно соединиться с ftp-сервером
-target.com и отправить файл, находящийся на нем, на любой адрес в
-Интернет! Заметим, что данная возможность известна с 1985 года,
-когда был написан этот RFC. Nmap использует эту уязвимость для
-сканирования портов с proxy ftp-сервера. Итак, вы можете
-подключиться к ftp-серверу за фаерволом и затем просканировать
-заблокированные порты, например 139-й. Если ftp-сервер
-позволяет читать и записывать данные в какой-либо каталог
-(например /incoming), вы также можете отправить любые данные на
-эти порты. (но nmap за вас это делать не будет).
-.Sp
-Аргумент, указываемый после '-b', это URL сервера ftp,
-используемого в качестве proxy. Формат URL следующий:
-имя_пользователя:пароль@сервер:порт. Адрес сервера нужно указать
-обязательно, остальное - опционально. Нужно заметить, что в данное
-время этот вид сканирования не эффективен, потому как почти во
-всех приложениях уязвимость, используемая данным методом,
-устранена.
-.TP
-.B НАСТРОЙКА ДОПОЛНИТЕЛЬНЫХ ПАРАМЕТРОВ СКАНИРОВАНИЯ
-Ни одна из нижеуказанных опций не является необходимой, но некоторые могут быть очень полезными.
-.TP
-.B \-P0
-Вообще не производить ping-опрос хостов перед их сканированием.
-Эта опция позволяет просканировать сети, блокирующие обработку
-ICMP-эха с помощью фаерволов. Примером такой сети является
-microsoft.com, и вы всегда должны использовать опцию '
-.B \-P0
-' или '
-.B \-PS80
-' (см. ниже), когда сканируете такую сеть. Заметьте, что в
-этом случае "ping" Обозначает несколько больше, чем традиционный
-ICMP echo request пакет. Nmap использует разные комбинации TCP,
-UDP и ICMP пакетов для того, что бы определить активен ли хост.
-По-умолчанию nmap посылает ICMP echo request и TCP ACK пакет на
-порт 80.
-.TP
-.B \-PA [порт(ы)]
-Использовать TCP ACK ping для определения присутствия хоста в
-сети. Вместо того, что бы отправлять ICMP echo request пакет и
-ждать ответа, мы отправляем TCP ACK пакет на сканируемый хост.
-Если в ответ мы получим RST-пакет, значит сканируемый хост
-активен. Эта опция помогает избежать сканирования неактивных
-хостов в сети, блокирующей ICMP-пакеты. Для непривилегированных
-пользователей используется connect() метод, при котором активность
-хоста фактически определяется его ответом на посланный нами SYN-пакет. Что бы указать порт(ы) назначения для нашего сканирования
-- используйте '-PA[,port2][...]'. По-умолчанию используется
-80-ый порт, поскольку чаще всего он не фильтруется.
-.TP
-.B \-PS [порт(ы)]
-Использовать SYN-пакет (запрос на соединение) вместо ACK-пакетов
-для привилегированных пользователей. Активные хосты должны
-ответить на наш пакет RST-пакетом (или что уже редко - SYN|ACK).
-Можно указать порты назначения точно так же как и в '-PA' опции.
-.TP
-.B \-PR
-Использовать raw ethernet ARP ping. Когда сканируемый хост
-находится в одном физическом сегменте сети со сканирующим, можно
-более быстро и надёжно (ARP-пакеты не фильтруются фаерволом или
-другим IP-фильтром) определить активен ли он. Nmap посылает IPv4-to-Ethernet ARP-запрос для каждого сканируемого хоста и смотрит
-за приходящими ARP-ответами. Эта опция не может комбинироваться с
-остальными типами ping-опроса. 
-.B \-PU [порт(ы)]
-Эта опция отправляет UDP-запрос на сканируемый хост. Если в ответ
-приходит сообщение "ICMP port unreachable", или UDP-ответ (порт
-открыт), то сканируемый хост активен. Поскольку многие UDP-сервисы
-не отвечают на пустой пакет, лучше указывать предположительно
-закрытый порт.
-.TP
-.B \-PE
-Использовать "настоящий" ping (посылать на сканируемый хост "ICMP
-echo request" пакет). При включении этой опции ищутся активные
-хосты и broadcast-адреса (адреса которые доступны внешне, и
-транслируют приходящие IP-пакеты всем хостам внутренней сети).
-Такие адреса могут использоваться для организации DoS-атак. (Атака
-типа отказ в обслуживании)
-.TP
-.B \-PP
-Использовать пакет ICMP "timestamp request (type 13)" для определения активных хостов.
-.TP
-.B \-PM
-Использовать пакет ICMP "netmask request (type 17)" для определения активных хостов.
-.TP
-.B \-PB [порт(ы)]
-Это тип ping-опроса по-умолчанию. Он параллельно использует ACK 
-(
-.B -PA
-) и "ICMP echo request" пакет (
-.B -PE
-). Этим путем можно обойти
-фаервол который фильтрует один из этих пакетов.
-.TP
-.B \-O
-(Operating system detection) - эта опция позволяет определить
-операционную систему сканируемого хоста с помощью снятия
-отпечатков стека TCP/IP. Другими словами, nmap активизирует мощный
-алгоритм, функционирующий на основе анализа свойств сетевого стека
-установленной на хосте ОС. В результате сканирования получается
-"отпечаток", состоящий из стандартных тестовых запросов и
-"ответов" хоста на них. Затем полученный отпечаток сравнивается с
-имеющейся базой стандартных ответов известных ОС, хранящейся в
-файле nmap-os-fingerprinting, и на основании этого принимается
-решение о типе и версии ОС сканируемого хоста.
-.Sp
-Если nmap не смог определить OC сканируемой машины, потому что
-такого отпечатка ещё нет в базе, но получение отпечатка
-представляется возможным (на машине хотя бы один открытый порт)
-nmap укажет url, на котором вы сможете отправить отпечаток для
-внесения его разработчиками в базу отпечатков, если вы точно
-знаете что за ОС используется на сканируемом хосте. Заметьте, если
-вы укажете ip-адрес машины, для которой вы прислали отпечаток, то
-при внесении его в базу эта машина будет ещё раз просканирована
-для подтверждения результатов.
-.Sp
-Опция '-О' также инициализирует несколько других тестов. Один из
-таких как использование "TCP timestamp" опции (RFC 1323) для
-определения времени активности хоста с момента его последней
-перезагрузки. Эта информация предоставляется только с разрешения
-сканируемого хоста.
-.Sp
-Другой тест, инициализируемые опцией '-O' - это "TCP Sequence
-Predictability Classification" - классификация предсказуемости
-последовательности TCP. Его суть в том, что бы определить
-насколько тяжело установить поддельное соединение с удалённой
-машиной. Эта информация может использоваться для обхода прав
-доступа к удалённой машине или скрытия источника атаки. Эта
-информация отображается при включенной опции '-v'.
-.Sp
-Когда опция '-v' используется вместе с '-O', - частота генерации
-IPID также отображается. Большинство машин отображаются как
-"incremental", что означает изменение поля "ID" в заголовке IP для
-каждого отправленного пакета на одинаковую величину, что делает их
-уязвимыми для некоторых углублённых методов сбора информации и
-spoof-атак.
-.TP
-.B \--osscan_limit
-Определение ОС сканируемой машины значительно эффективнее, если
-найдены хотя бы один закрытый и открытый порт. Используйте эту
-опцию и nmap не будет пробовать определять ОС, если таковых портов
-не найдено. Это может сократить время сканирования, например при 
--P0 сканировании множества хостов. Эта опция используется только
-вместе с '-O' или '-A' опциями.
-.TP
-.B \-A
-Эта опция включает режим Additional Advanced и Aggressive,
-объединяя опции '-O' и '-sV'. В будущем эта опция планируется для
-объединения многих опций, для того что бы меньше запоминать. ;-)
-.TP
-.B \-6
-Эта опция включает поддержку протокола IPv6. Все сканируемые хосты
-должны поддерживать IPv6 при использовании этой опции, и могут
-быть указаны путем нормального имени DNS (запись AAAA) или
-литеральным IP-адресом, например
-3ffe:501:4819:2000:210:f3ff:fe03:4d0. На данный момент,
-поддерживаются только методы TCP connect()-сканирование и TCP
-connect() Ping-сканирование. Если Вас интересует UDP или другой
-тип сканирования, посетите http://nmap6.sourceforge.net/.
-.TP
-.B \--send_eth
-Эта опция заставляет nmap отсылать пакеты на канальном уровне
-(data link layer) вместо сетевого уровня (network layer). По-умолчанию nmap сам выбирает на каком уровне отправлять пакеты в
-зависимости от используемой платформы. Raw-сокеты (сетевой
-уровень) более эффективно использовать на UNIX машинах, однако на
-канальном уровне лучше функционируют ОС семейства Windows, в
-которых Microsoft отключила поддержку raw-сокетов. Nmap однозначно
-будет использовать raw-сокеты если нет другого выбора (например в
-не локальной сети).
-.TP
-.B --send_ip
-Эта опция заставляет nmap отсылать пакеты на сетевом уровне
-(network layer) вместо канального (data link layer). Это
-противоположная опция к '--send_eth'.
-.TP
-.B \--spoof_mac [mac, prefix, or vendor substring]
-Эта опция заставляет nmap использовать заданный MAC-адрес во всех
-отправляемых пакетах канального уровня. Адрес может задаваться в
-нескольких форматах. Если это просто строка "0", nmap выберет
-полностью случайный MAC-адрес для этой сессии. Если заданный адрес
-- набор шестнадцатеричных чисел, с разделителем в виде двоеточия,
-nmap будет использовать эту строку как МАС-адрес. Если задано
-меньше 12 шестнадцатеричных чисел, nmap сам заполнит недостающие
-случайными значениями. Если заданный аргумент не 0 и не
-шестнадцатеричная строка, то nmap будет искать в файле nmap-mac-prefixes похожее значение в именах производителей сетевого
-оборудования. Если такой производитель будет найден, nmap возьмет
-OUI (3байтный префикс) производителя и дополнит его случайными 3
-байтами, в результате получится поддельный МАС-адрес определённого
-производителя. Правильными аргументами --spoof_mac будут, например: "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", и "Cisco".
-.TP
-.B \-f
-(fragment packets) - эта опция используется совместно с SYN, FIN,
-Xmas или NULL-сканировании и указывает на необходимость
-использования IP-фрагментации. Идея заключается в том, чтобы
-разбить TCP-заголовок исходящего пакета на несколько фрагментов.
-Сканируемый хост дефрагментирует эти IP-фрагменты в один TCP-пакет. Фрагментирование значительно усложняет фильтрацию пакетов,
-работу систем обнаружения и других подобных средств защиты, и
-позволяет nmap скрыть свои действия. Однако следует осторожно
-использовать данную опцию, поскольку некоторые старые или
-непрофессиональные новые программы, например снифферы, просто
-зависают при попытке собрать такие маленькие фрагменты. Укажите
-эту опцию один раз и nmap будет разбивать пакеты на 8байтовые или
-меньше пакеты, исключая IP-заголовок. Например, 20-байтовый TCP
-заголовок будет разбит на 3 пакета - на 2 по 8байт и один на 4.
-Конечно же, каждый фрагмент имеет собственный IP-заголовок.
-Укажите опцию '-f' ещё раз и пакеты будут разбиваться
-соответственно на 16байтные фрагменты. Или вы можете указать свой
-собственный размер фрагмента, используя опцию '--mtu'. Не
-используйте эти (-f и --mtu) опции вместе, и не забывайте, что
-размер фрагмента должен быть кратен 8.
-.Sp
-Заметьте, что некоторые ОС, например Linux c включенным модулем ip
-tables connection tracking, дефрагментируют исходящие пакеты на
-уровне ядра. Просмотрите генерируемый nmap фрагментированный
-трафик сниффером, что бы выяснить работает ли опция '-f'.
-.TP
-.B \-v
-(verbose output) - использовать режим подробного отчета. Если вы
-укажете эту опцию, nmap будет подробно сообщать о ходе выполнения
-текущей операции. Для получения лучшего эффекта можно указать ее
-дважды. Можете ещё несколько раз указать опцию '
-.B \-d
-', но в таком случае от скроллинга экрана вам может поплохеть. ;-)
-.TP
-.B \-h
-(help) - показывает краткую инструкцию по использованию nmap
-с указанием опций и краткого их описания, не запуская саму
-программу.
-.TP
-.B \-oN <имя_файла>
-(output Normal) - записывает результаты сканирования в удобной для
-пользователя форме в файл, указанный в качестве аргумента. 
-.TP
-.B \-oX <имя_файла>
-(output XML) - записывает результаты сканирования в формате 
-.B XML
-в файл, указанный в качестве аргумента. Это позволяет программам
-легче обрабатывать вывод nmap'а. Вы можете использовать аргумент
-'-' (без кавычек) для вывода на stdout. Нормальный вывод в этом
-случае не используется. Внимательно следите за сообщениями об
-ошибках, потому как они выводятся на stderr. Document Type
-Definition (DTD), объясняющий структуру вывода результатов nmap в
-формате XML доступен здесь: http://www.insecure.org/nmap/nmap.dtd.
-.TP
-.B \--stylesheet <имя_файла>
-Nmap обращается к XSL таблице стилей, которая называется nmap.xsl,
-для просмотра или транслирования XML вывода в HTML формат. Если вы
-желаете указать другую таблицу стилей - используйте эту опцию. В
-качестве аргумента указывается полный путь или url, например '--stylesheet http://www.insecure.org/nmap/data/nmap.xsl', что
-укажет браузеру загрузить последнюю версию таблицы стилей с
-сервера insecure.org. Эта таблица может использоваться для
-просмотра nmap XML-вывода на машине где nmap не установлен. По
-умолчанию, в целях безопасности, используется локальная копия
-nmap.xsl.
-.TP
-.B \--no_stylesheet
-Указывает nmap не использовать никакой XSL таблицы стилей для
-отображения XML-вывода.
-.TP
-.B \-oG <имя_файла>
-(output Grepable) - записывает результаты сканирования в удобной
-для программы grep форме в файл, указанный в качестве аргумента.
-Вы можете использовать аргумент '-' (без кавычек) для вывода на
-stdout. Нормальный вывод в этом случае не используется.
-Внимательно следите за сообщениями об ошибках, потому как они
-выводятся на stderr. В нынешнее время рекомендуется использовать
-XML-вывод (-oX).
-.TP
-.B \-oA <имя_базы>
-(output All) - записывает результаты во всех основных форматах
-(нормальном, grep и XML). Вы указываете базовое имя, например
-base, и выходные файлы будут называться base.nmap, base.gnmap и
-base.xml.
-.TP
-.B \-oS <имя_файла>
-thIs l0gz th3 r3suLtS of YouR ScanZ iN a
-.B s|<ipT kiDd|3 
-f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
-the 4rgument "-" (wItHOUt qUOteZ) to sh00t output iNT0
-stDouT!@!!
-.TP
-.B \--resume <имя_файла>
-Если сканирование было прервано нажатием комбинации [Ctrl+C],
-сетевым сбоем и т.п., то оно может быть продолжено включением этой
-опции. Если результаты прерванного сканирования записывались в
-лог-файл с помощью опций '-oG' или '-oN', просто запустите nmap с
-указанием этой опции и имени лог-файла, в который производилась
-запись предыдущего сеанса. Не указывайте никаких других опций,
-поскольку при возобновлении сканирования будут использоваться
-опции, указанные в предыдущем сеансе. Nmap продолжит сканирование
-с адреса, следующего за последним отсканированным.
-.TP
-.B \--exclude <хост1 [,хост2][,хост3],...">
-Исключить из списка сканирования цели (хосты, сетевые диапазоны),
-которые не должны сканироваться.
-.TP
-.B \--excludefile <имя_файла>
-Смысл этой опции такой же, как и '--exclude', только цели для
-исключения задаются файлом, каждая запись - в отдельной строке.
-.TP
-.B \--allports
-Опция используется вместе с режимом определения версий служб (-sV)
-и разрешает работать со всеми найденными открытыми портами, даже с
-теми, которые помечены как опасные в файле nmap-service-probes.
-.TP
-.B \--append_output
-Дописывать результаты сканирования в лог-файл, а не затирать
-предыдущую информацию в нём.
-.TP
-.B \-iL <имя_файла>
-(input List) - считывать список хостов для сканирования из файла,
-заданного в качестве аргумента. Файл должен содержать список имен
-хостов или IP-адресов, разделенных пробелами, знаками табуляции
-или что бы каждая запись была в отдельной строке. Что бы nmap
-считал список хостов с StdIn, укажите вместо имени файла символ
-'-'. Более подробная информация о форматах выражений приведены в
-разделе "Способы задания цели". 
-.TP
-.B \-iR <количество_хостов>
-Если указать эту опцию, то nmap будет сканировать хосты выбранные
-случайным образом. Используйте 0 в качестве заданной цели для
-сканирования, и nmap будет сканировать пока вы его не остановите.
-Эта опция может быть использована для статистических исследований
-Интернета. Если вам действительно скучно - запускайте "nmap -sS -PS80 -iR 0 -p 80" что бы найти некоторые веб-сервера, которые
-могут вас заинтересовать.
-.TP
-.B \-p <диапазон_портов>
-Этой опцией вы можете задать порты, которые вы хотите сканировать.
-Для примера, если задать "-р 23", то будет сканироваться только 23
-порт на хосте. "-р 20-30,139,60000-" просканирует порты от 20 до
-30, 139 порт, и все порты, номера которых больше 60000. По
-умолчанию сканируются порты от 1 до 1024, и те, которые указаны в
-файле nmap-services. Для сканирования протоколов IP (-sO) эта
-опция указывает какой протокол просканировать (0-255).
-.Sp
-Когда сканируются как TCP так и UDP порты, можно указать диапазон
-для каждого типа портов отдельно, используя префиксы "Т:" и "U:"
-соответственно. Например, если задать аргумент "-р
-U:53,111,137,T:21-25,80,139,8080" то будут сканироваться 53, 111,
-и 137 UDP-порты, и указанные ТСР-порты. Заметьте, что бы
-просканировать UDP и ТСР порты, нужно указать -sU и хотя бы один
-из методов ТСР-сканирования (-sS, -sF, -sT).
-.TP
-.B \-F
-Быстрое сканирование. Если указать эту опцию, то nmap будет
-сканировать порты только тех служб, которые перечислены в файле
-nmap-services (или nmap-protocols для '-sO'). Сканирование
-проходит гораздо быстрее, чем если бы nmap сканировал все 65535
-портов хоста.
-.TP
-.B \-D <ложный_хост1,[ложный_хост2],[,ME],...>
-Эта опция используется для сокрытия реального источника
-сканирования, используя ложные хосты. Вместе с нашими пакетами на
-сканируемый хост отсылаются такие же пакеты, но с поддельными
-адресами источника. Защитная программа на сканируемом хосте может
-отобразить 5-10 попыток сканирования с разных источников, но
-узнать с какого именно хоста производится истинное сканирование
-сложно, особенно если указать много ложных хостов.
-.Sp
-Указывайте ложные хосты через запятую, и используйте "МЕ" для
-обозначения своего хоста в этой цепочке. Например, если указать
-"МЕ" на 5 позиции, то истинные пакеты будут отправлены после
-предыдущих четырех ложных. Если не указать "ME", nmap выберет
-позицию для вашего хоста случайным образом.
-.Sp
-Учтите, что хосты, которые вы укажете как ложные, должны быть в
-активном состоянии, иначе вы можете случайно затопить сканируемую
-цель SYN-пакетами, или будет очень легко определить источник
-сканирование, если только ваша машина окажется активной. Также
-предпочтительно использовать ip-адреса вместо dns-имён, иначе на
-сервере имён ложных хостов в лог-файле сохранятся записи о ваших
-обращениях к ним.
-.Sp
-Стоит заметить, что некоторые детекторы сканирования портов
-блокируют доступ хосту, осуществившему попытку сканирования.
-Поэтому ложный хост может потерять соединение со сканируемым
-хостом. Эта ситуация может возникнуть даже в том случае, если вы
-указали в качестве ложного хоста адрес шлюза или сервера имён.
-Поэтому используйте эту опцию очень осторожно.
-.Sp
-Ложные хосты можно использовать в любом методе сканирования а
-также при определении операционной системы удалённого хоста (-O).
-.Sp
-Если вы укажете много ложных хостов, процесс сканирования
-замедлится и станет менее аккуратным. Некоторые провайдеры
-фильтруют поддельные исходящие пакеты, так что данный вид
-сканирования может вообще не достичь желаемого результата.
-.TP
-.B \-S <ip-адрес>
-При некоторых обстоятельствах nmap не сможет определить ваш ip-адрес (nmap сообщит вам об этом). В таких случаях можно
-использовать эту опцию для явного указания вашего ip-адреса.
-.Sp
-Другой вариант использования этой опции - отправка пакетов с
-поддельным ip-адресом. Это может использоваться для создания
-видимости сканирования целевого хоста кем-то другим, однако в
-таком случае результат сканирования можно получить лишь
-прослушивая трафик, проходящий между целевым хостом и хостом,
-пакеты которого вы подделываете. Что бы использовать данный метод,
-необходимо так же включить опцию '-e'.
-.TP
-.B \-e <интерфейс>
-Если nmap не может определить какой интерфейс использовать для
-приёма и отправки пакетов, то этой опцией можно указать его явно.
-.TP
-.B \--source_port <номер_порта>
-Использовать порт отправки с определённым номером. Много
-непрофессиональных фаерволов и пакетных фильтров позволяют
-пакетам, отправленным с таких портов как например 53 (DNS) или 20
-(FTP-DATA), свободно инициализировать соединения на защищаемом
-хосте. Соответственно, изменив наш порт отправки на разрешенный
-фаерволом порт мы можем устанавливать соединения с защищённой этим
-фаерволом машиной. Для UDP сканирования попробуйте сначала
-установить 53 порт, а для TCP - 20. Однако эта техника не всегда
-работает, вы не сможете определить характер изменения ISN, в связи
-с чем nmap самостоятельно сменит номер порта для этой цели, даже
-если вы указали эту опцию.
-.TP
-.B \--data_length <количество_байт>
-Обычно nmap использует минимальные по размеру пакеты, которые
-содержат только заголовок. TCP пакеты обычно размером в 40 байт, а
-ICMP эхо запрос - всего 28. Эта опция указывает nmap дополнять
-отсылаемые пакеты заданным количеством байт случайной информации.
-Пакеты используемые при определении ОС сканируемого хоста не
-изменяются.
-.TP
-.B \-n
-Указывает nmap никогда не преобразовывать ip-адреса активных
-хостов в DNS-адресa. Увеличивает скорость сканирования и
-предотвращает появление записей о dns-запросах nmap в лог-файле
-на сервере имен.
-.TP
-.B \-R
-Указывает nmap всегда преобразовывать ip-адреса хостов в DNS-адресa. Обычно это происходит только если сканируемые машины
-находятся в активном состоянии.
-.TP
-.B \-r
-Указывает nmap не изменять порядок номеров сканируемых портов случайным образом.
-.TP
-.B \-\-ttl <значение>
-Устанавливать в поле TTL отправляемых пакетов IPv4 заданное значение.
-.TP
-.B \-\-privileged
-Указывает nmap, что пользователь имеет достаточные привилегии для
-таких операций как использование raw-сокетов, прослушивание
-трафика, и т.п. Эта опция используется в таких системах, где
-непривилегированным пользователям ядро разрешает использовать
-функции, которые доступны только привилегированным, например в
-специально сконфигурированной ОС Linux. Nmap не может этого
-определить, так как использует функцию getuid(), и в этом случае
-используется данная опция, которую необходимо указывать перед
-всеми остальными опциями. В качестве альтернативы --privileged
-можно использовать переменную NMAP_PRIVILEGED.
-.TP
-.B \-\-interactive
-Запускает nmap в интерактивном режиме. Эту опцию полезно
-использовать в многопользовательских системах, так как, например,
-в истории командной строки не остаётся указанных вами параметров.
-.TP
-.B \-\-randomize_hosts
-Указывает nmap сканировать хосты в случайной последовательности.
-Используются группы до 2048 хостов. Эта опция делает сканирование
-менее заметным для различных систем сетевого мониторинга, особенно
-если вы используете ее совместно с опциями настройки временных
-параметров.
-.TP
-.B \-M <максимальное_количество_сокетов>
-Устанавливает максимальное количество сокетов, используемых
-параллельно в методе TCP connect() сканирования. Эту опцию можно
-использовать для замедления процесса сканирования и предотвращения
-выведения из строя сканируемого хоста.
-.TP
-.B --packet_trace
-Указывает nmap отображать все принимаемые и передаваемые пакеты в
-формате TCPDump. Эта опция может использоваться для отладки работы
-nmap и сети, а также в обучающих целях.
-.TP
-.B --datadir [имя_директории]
-При запуске nmap считывает данные из файлов nmap-service-probes,
-nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes и nmap-os-fingerprints. Сначала nmap ищет эти файлы в директории
-указанной в опции --nmapdir. Если файлы не найдены - проверяется
-переменная окружения NMAPDIR, после чего ~/nmap, а затем путь
-наподобии /usr/local/share/nmap или /usr/share/nmap. И наконец,
-nmap ищет эти файлы в текущем каталоге. Этой опцией можно задать
-явное имя директории где расположены эти файлы.
-.TP
-.B НАСТРОЙКА ВРЕМЕННЫХ ПАРАМЕТРОВ
-Обычно nmap автоматически настраивает временные параметры при
-запуске, в соответствии с характеристиками сканируемой сети, что
-бы произвести сканирование как можно быстрее и точнее. Но иногда
-бывают случаи, когда самостоятельная настройка временных
-параметров nmap вас не устраивает. В этом случае вы можете
-воспользоваться следующими опциями:
-.TP
-.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
-Возможность установления режимов сканирования с готовыми наборами
-правил по установке временных интервалов. 
-.B Paranoid
-режим - сканирование происходит очень медленно для того что бы системы
-защиты не распознали его. Пакеты посылаются последовательно, с
-интервалом в 5 минут. Режим 
-.B Sneaky
-похож на режим Paranoid.
-Разница лишь в том, что интервал между посылкой пакетов составляет
-15 секунд. Режим 
-.B Polite
-используется в случае, когда необходимо
-что бы нагрузка на сеть была минимальной. В этом режиме пакеты
-отправляются последовательно с интервалом минимум 0,4 секунды.
-Режим 
-.B Normal
-используется nmap по умолчанию. В этом режиме
-сканирование производится с максимальной скоростью, и по
-возможности без перегрузки сети и потери пакетов. Режим 
-.B Aggressive
-используется для быстрого сканирования хорошо фильтруемых сетей,
-особенно если используется SYN-сканирование. Режим 
-.B Insane
-рекомендуется использовать или в очень быстрых сетях, или если вы
-точно знаете, что пакеты не затеряются. Время сканирования одного
-хоста - 15 минут, а ожидание ответа на запрос - 0,3 секунды.
-.Sp
-Каждому режиму присвоен определённый номер от 0 до 5, и его можно
-указать вместо полного названия режима. Например, опция '-T0'
-означает режим Paranoid, а '-T5' - Insane. Если вы хотите
-использовать такие опции как --max_rtt_timeout или --host_timeout,
-располагайте их в командной строке после любых '-T' опций.
-.TP
-.B --host_timeout <миллисекунды>
-Устанавливает время, отводимое nmap на сканирование одного хоста,
-прежде чем он перейдет к очередному IP-адресу. По умолчанию этот
-параметр не имеет ограничения.
-.TP
-.B --max_rtt_timeout <миллисекунд>
-Устанавливает максимальное количество времени, в течение которого
-nmap ожидает ответ на посланный запрос, прежде чем повторить
-запрос или считать его утерянным. По умолчанию это значение
-установлено равным 9000 миллисекунд.
-.TP
-.B --min_rtt_timeout <миллисекунд>
-Если сканируемый хост очень быстро отвечает на запросы, nmap будет
-автоматически уменьшать интервал между посылаемыми запросами. Это
-ускоряет сканирование, но может привести к потере пакетов с
-ответами, пришедшими позже, чем обычно. Эта опция определяет
-сколько времени nmap должен ждать перед отправкой очередного
-пакета.
-.TP
-.B --initial_rtt_timeout <миллисекунд>
-Устанавливает время, отводимое на определение активности хоста.
-Эта опция используется в основном для сканирования хостов,
-защищенных фаерволом, совместно с опцией '-P0'. Обычно nmap
-автоматически выбирает оптимальное значение этого параметра после
-отправки ping и первых сканирующих пакетов на хост. Значение по
-умолчанию составляет 6000 миллисекунд.
-.TP
-.B --max_hostgroup <количество_хостов>
-Устанавливает максимальное количество хостов, которое nmap может
-сканировать параллельно. Большинство техник сканирования портов
-используют одновременное сканирование нескольких хостов, что
-позволяет работать быстрее. Но что бы дождаться всех результатов
-сканирования вам необходимо ждать, пока будут просканированы все
-хосты. Если вы хотите, что бы хосты сканировались поочерёдно и
-результаты выводились относительно каждого хоста без задержки 
-- используйте 1 в качестве аргумента. Заметьте, что ping
--сканирование группирует хосты по-своему и игнорирует этот
-параметр.
-.TP
-.B --min_hostgroup <количество_хостов>
-Устанавливает минимальное количество хостов, которое nmap должен
-сканировать параллельно. (см. --max_hostgroup)
-.TP
-.B --max_parallelism <количество>
-Устанавливает максимальное количество параллельных процессов
-сканирования nmap. Установка этого параметра равным 1 означает,
-что nmap никогда не будет сканировать более одного порта в один
-момент времени. Этот параметр также влияет и на ping-сканирование,
-RPC-сканирование и т.п.
-.TP
-.B --min_parallelism <количество>
-Устанавливает минимальное количество параллельных процессов
-сканирования nmap. Увеличивает скорость прохождения пакетов через
-некоторые фаерволы, однако если установить слишком большое
-значение, - результаты сканирования будут ненадёжными.
-.TP
-.B --scan_delay <миллисекунды>
-Устанавливает минимальное время задержки между отправкой пакетов.
-Эта опция используется для снижения нагрузки на сеть и уменьшения
-вероятности обнаружения сканирования. Nmap иногда может
-увеличивать это значение самостоятельно, если обнаруживает
-значительные потери пакетов. Например, ОС Solaris отвечают только
-одним ICMP port unreachable пакетом в секунду при UDP-сканировании. Nmap старается определить это и увеличить
-минимальное время задержки до одной секунды.
-.TP
-.B --max_scan_delay <миллисекунды>
-Как отмечено выше, nmap может автоматически изменять время
-задержки между отправкой пакетов. Это может давать лучшие
-результаты при сканировании, но значительно замедлять его. По
-умолчанию (без включенной '-Т' опции), nmap может изменять время
-задержки между отправкой пакетов до 1 в секунду. Эта опция
-позволяет установить большее или меньшее максимальное значение.
-.SH СПОСОБЫ ЗАДАНИЯ ЦЕЛИ
-Всё, что не является опцией (или аргументом опции) nmap интерпретирует
-как адрес сканируемой цели. Простейший вариант - указать имена или ip-адреса хостов в командной строке. Если вы хотите просканировать подсеть
-ip-адресов, вы можете дополнить 
-.B /маску
-сети к ip-адресу. Маска должна
-быть в диапазоне от 0 (сканировать весь Интернет) до 32 (сканировать
-единственный хост). Используйте /24 для сканирования целой сети класса
-"С" и /16 для сети класса "В".
-.Sp
-Nmap также позволяет более гибко указать целевые IP-адреса, используя
-списки и диапазоны для каждого их элемента. Например, чтобы
-просканировать подсеть класса "B" с адресом 192.168.*.*. в командной
-строке вы можете указать "
-.B 192.168.*.*
-" или "
-.B 192.168.0-255.0-255
-" или даже "
-.B 192.168.1-50,51-255.1,2,3,4,5-255
-". И, конечно же, вы можете
-использовать маску - "
-.B 192.168.0.0/16"
-. Если вы используете астериск
-("*"), помните, что некоторые командные интерпретаторы требуют указывать
-"\" перед этим символом, или другие спецсимволы.
-.Sp
-Ещё одним вариантом задания адресов является использование префикса.
-Например, что бы просканировать все адреса в сети, заканчивающиеся на
-.6.7 можно задать "*.*.6.7".
-.SH ПРИМЕРЫ
-В этом разделе приводятся некоторые примеры использования nmap, от
-простых до более сложных.
-.Sp
-.B nmap -v target.example.com
-.Sp
-Сканировать все зарезервированные TCP-порты на хосте target.example.com.
-Опция '-v' означает включить режим подробного отчета о ходе процесса
-сканирования.
-.Sp
-.B nmap -sS -O target.example.com/24
-.Sp
-Запускает SYN-сканирование (-sS) всех 255(маска /24) машин с адресами
-класса "C", одной из которых является target.example.com. Также
-осуществляется определение ОС (-O) каждого из сканируемых хостов. Для
-выполнения этих действий вам необходим статус root.
-.Sp
-.B nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
-.Sp
-Запускает Xmas-сканирование (-sX) первой половины адресов (0-127) каждой
-из 255 подсетей класса "B" адресного пространства 128.210.*.*. На этих
-хостах сканируются 22, 53, 110, 143 и 4564 порты. Заметьте, что Xmas-сканирование работает с ОС Windows, CISCO, IRIX, HP/UX и BSDI машинами.
-.Sp
-.B nmap -v --randomize_hosts -p 80 *.*.2.3-5
-.Sp
-Вместо сканирования конкретных адресных диапазонов, иногда бывает
-интересно сканировать хосты, выбранные случайным образом. Эта команда
-ищет веб-сервера, ip-адрес которых оканчивается на .2.3, .2.4 и .2.5.
-Если ваш статус root, вы также можете просканировать порты обнаруженных
-хостов, указав опцию '-sS'. Вы можете найти много интересных машин,
-адреса которых начинаются на 127. Для этого укажите вместо первого
-астериска '127-222'.
-.Sp
-.B host -l company.com | cut -d -f 4 | ./nmap -v -iL -
-.Sp
-Просмотреть серверы DNS зоны и найти хосты в домене company.com, передав
-затем в nmap их адреса. Так выглядит команда для GNU/Linux, но для других
-ОС она может выглядеть несколько иначе.
-.SH ОШИБКИ
-Ошибки? Какие ошибки? Если вы нашли ошибки - просьба незамедлительно
-сообщить о них. (желательно присылать и исправления :-) ). Не забывайте
-также присылать новые отпечатки ОС для пополнения общей базы. Отправляйте
-информацию на e-mail fyodor[@]insecure.org или в конференцию http://seclists.org/#nmap-dev.
-.SH АВТОР
-.Sp
-Fyodor
-.I <fyodor@insecure.org>
-.SH РАСПРОСТРАНЕНИЕ
-Новейшую версию nmap вы можете скачать по адресу http://www.insecure.org/nmap/
-.Sp
-Права на Nmap Security Scanner принадлежат 1996-2004 Insecure.Com LLC.
-Nmap также является зарегистрированной торговой маркой Insecure.Com LLC.
-Эта программа является бесплатным программным обеспечением. Вы можете
-свободно распространять и/или модифицировать ее в соответствии с
-требованиями GNU General Public License, опубликованной Free Software
-Foundation; Версия 2. Если вы хотите использовать технологии nmap в
-частных программных продуктах - мы можем продать альтернативные лицензии.
-Обращайтесь на sales@insecure.com
-.Sp
-ЭТА ПРОГРАММА ПОСТАВЛЯЕТСЯ БЕЗ ПРЕДОСТАВЛЕНИЯ КАКИХ-ЛИБО ГАРАНТИЙ.
-.Sp
-Этот продукт также включает в себя программное обеспечение произведённое
-Apache Software Foundation (http://www.apache.org/)
-.Sp
-Авторские права на библиотеку PCRE (Perl Compatible Regular Expressions),
-созданную Philip Hazel, принадлежат Кэмбриджскому Университету. Подробнее - http://www.pcre.org/
-.Sp
-Библиотека Libpcap распространяется вместе с nmap и авторские права на
-неё принадлежат Van Jacobson, Craig Leres и Steven McCanne, Национальная
-лаборатория Lawrence Berkley Калифорнийского университета, Беркли,
-Калифорния. Сейчас эта библиотека сопровождается http://www.tcpdump.org.
-.Sp
-Nmap опционально может быть скомпилирован с поддержкой OpenSSL. Подробнее - http://www.openssl.org/.
-.Sp
-Перевод руководства пользователя на русский : Айви Ризз 5B43694E5D
\ No newline at end of file
diff --git a/docs/nmap_spanish.1 b/docs/nmap_spanish.1
deleted file mode 100644
index ed1b370df..000000000
--- a/docs/nmap_spanish.1
+++ /dev/null
@@ -1,549 +0,0 @@
-.\"Traducido al espaЯol por
-.\"Antonio Aneiros <aneiros@ctv.es>
-.\"el 04-08-1999
-.de Sp
-.if n .sp
-.if t .sp 0.4
-..
-.TH NMAP 1
-.SH NOMBRE
-nmap \- Herramienta de exploraciСn de red y escАner de seguridad.
-.SH SINOPSIS
-.B nmap
-[Tipos(s)de escaneo] [Opciones] <servidor o red #1 ... [#N]>
-.SH DESCRIPCIсN
-.I Nmap
-ha sido diseЯado para permitir a administradores de sistemas y gente curiosa
-en general el escaneo de grandes redes para determinar quИ servidores se
-encuentran activos y quИ servicios ofrecen.
-.I nmap
-es compatible con un gran nЗmero de tИcnicas de escaneo como: UDP, TCP connect(),
-TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping
-sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. VИase la secciСn
-.I Tipos de Escaneo
-para mАs detalles.
-.I nmap
-proporciona tambiИn caracterМsticas avanzadas como la detecciСn remota del
-sistema operativo por medio de huellas TCP/IP , escaneo tipo stealth (oculto),
-retraso dinАmico y cАlculos de retransmisiСn, escaneo paralelo, detecciСn de
-servidores inactivos por medio de pings paralelos, escaneo con seЯuelos,
-detecciСn de filtrado de puertos, escaneo por fragmentaciСn y especificaciСn
-flexible de destino y puerto.
-.PP
-Se han hecho grandes esfuerzos encaminados a proporcionar un rendimiento
-decente para usuarios normales (no root). Por desgracia, muchos de los
-interfaces crМticos del kernel ( tales como los raw sockets) requieren
-privilegios de root.
-DeberМa ejecutarse
-.I nmap
-como root siempre que sea posible.
-
-.SH OPCIONES
-
-En general, pueden combinarse aquellas opciones que tengan sentido en conjunto.
-Algunas de ellas son especМficas para ciertos modos de escaneo.
-.I nmap
-trata de detectar y advertir al usuario sobre el uso de combinaciones de
-opciones sicСticas o no permitidas.
-.Sp
-Si usted es una persona impaciente, puede pasar directamente a la secciСn 
-.I ejemplos
-al final de este documento, donde encontrarА ejemplos de los usos mАs
-corrientes. TambiИn puede ejecutar el comando
-.B nmap -h
-para una pАgina de referencia rАpida con un listado de todas las opciones.
-.TP
-.B Tipos de Escaneo
-.TP
-.B \-sT
-Escaneo TCP connect(): Es la forma mАs bАsica de escaneo TCP. La llamada de
-sistema connect() proporcionada por nuestro sistema operativo se usa para
-establecer una conexiСn con todos los puertos interesantes de la mАquina. Si
-el puerto estА a la escucha, connect() tendrА Иxito, de otro modo, el puerto
-resulta inalcanzable. Una ventaja importante de esta tИcnica es que no resulta
-necesario tener privilegios especiales. Cualquier usuario en la mayorМa de los
-sistemas UNIX tiene permiso para usar esta llamada.
-.Sp
-Este tipo de escaneo resulta fАcilmente detectable dado que los registros del
-servidor de destino muestran un montСn de conexiones y mensajes de error para
-aquellos servicios que accept() (aceptan) la conexiСn para luego cerrarla
-inmediatamente.
-.TP
-.B \-sS
-Escaneo TCP SYN: A menudo se denomina a esta tИcnica escaneo "half open" (medio
-abierto), porque no se abre una conexiСn TCP completa. Se envМa un paquete
-SYN, como si se fuese a abrir una conexiСn real y se espera que llegue una
-respuesta. Un SYN|ACK indica que el puerto estА a la escucha. Un RST es
-indicativo de que el puerto no estА a la escucha. Si se recibe un SYN|ACK, se
-envМa un RST inmediatamente para cortar la conexiСn (en realidad es el kernel
-de nuestro sistema operativo el que hace esto por nosotros). La ventaja
-principal de esta tИcnica de escaneo es que serА registrada por muchos menos
-servidores que la anterior. Por desgracia se necesitan privilegios de root
-para construir estos paquetes SYN modificados.
-.TP
-.B \-sF \-sX \-sN 
-Modos Stealth FIN, Xmas Tree o Nul scan: A veces ni siquiera el escaneo SYN
-resulta lo suficientemente clandestino. Algunas firewalls y filtros de
-paquetes vigilan el envМo de paquetes SYN a puertos restringidos, y programas
-disponibles como Synlogger y Courtney detectan este tipo de escaneo. Estos
-tipos de escaneo avanzado, sin embargo, pueden cruzar estas barreras sin ser
-detectados.
-.Sp
-La idea es que se requiere que los puertos cerrados respondan a nuestro
-paquete de prueba con un RST, mientras que los puertos abiertos deben ignorar
-los paquetes en cuestiСn (vИase RFC 794 pp 64). El escaneo FIN utiliza un
-paquete FIN vacМo (sorpresa) como prueba, mientras que el escaneo Xmas tree
-activa las flags FIN, URG y PUSH. El escaneo NULL desactiva todas las flags.
-Por desgracia Microsoft (como de costumbre) decidiС ignorar el estАndar
-completamente y hacer las cosas a su manera. Debido a esto, este tipo de
-escaneo no funcionarА con sistemas basados en Windows95/NT. En el lado
-positivo, esta es una buena manera de distinguir entre las dos plataformas. Si
-el escaneo encuentra puertos cerrados, probablemente se trate de una mАquina
-UNIX, mientras que todos los puertos abiertos es indicativo de Windows.
-Excepcionalmente, Cisco, BSDI, HP/UX, MVS, y IRIX tambiИn envМan RSTs en vez
-de desechar el paquete.
-.TP
-.B \-sP
-Escaneo ping: A veces Зnicamente se necesita saber quИ servidores en una red
-se encuentran activos. Nmap puede hacer esto enviando peticiones de respuesta
-ICMP a cada direcciСn IP de la red que se especifica. Aquellos servidores que
-responden se encuentran activos. Desafortunadamente, algunos sitios web como
-microsoft.com bloquean este tipo de paquetes. Nmap puede enviar
-tambiИn un paquete TCP ack al puerto 80 (por defecto). Si se obtiene por
-respuesta un RST, esa mАquina estА activa. Una tercera tИcnica implica el
-envМo de  un paquete SYN y la espera de de un RST o un SYN/ACK. Para usuarios
-no root se usa un mИtodo connect().
-.Sp
-Por defecto (para usuarios no root), nmap usa las tИcnicas ICMP y ACK en
-paralelo. Se puede cambiar la opciСn
-.B \-p
-descrita mАs adelante.
-.Sp
-NСtese que el envio de pings se realiza por defecto de todas maneras y que
-sСlamente se escanean aquellos servidores de los que se obtiene respuesta. Use
-esta opciСn sСlamente en el caso de que desee un ping sweep (barrido ping)
-.B sin
-hacer ningЗn tipo de escaneo de puertos.
-.TP
-.B \-sU
-Escaneo Udp: Este mИtodo se usa para saber quИ puertos UDP (Protocolo de
-Datagrama de Usuario, RFC 768) estАn abiertos en un servidor. La tИcnica
-consiste en enviar paquetes UCP de 0 bytes a cada puerto de la mАquina
-objetivo. Si se recibe un mensaje ICMP de puerto no alcanzable, entonces el
-puerto estА cerrado. De lo contrario, asumimos que estА abierto.
-.Sp
-Alguna gente piensa que el escaneo UDP no tiene sentido. Normalmente les
-recuerdo el reciente agujero Solaris rcpbind. Puede encontrarse a rcpbind
-escondido en un puerto UDP no documentado en algЗn lugar por encima del 32770.
-Por lo tanto, no importa que el 111 estИ bloqueado por la firewall.
-Pero, ©quiИn puede decir en cual de los mАs de 30000 puertos altos se
-encuentra a la escucha el programa? ║Con un escАner UDP se puede! Tenemos
-tambiИn el programa de puerta trasera cDc Back Orifice que se oculta en un
-puerto UDP configurable en las mАquinas Windows, por no mencionar los muchos
-servicios frecuentemente vulnerables que usan UDP como snmp, tftp, NFS, etc.
-.Sp
-Por desgracia, el escaneo UDP resulta a veces tremendamente lento debido a que
-la mayorМa de los servidores implementan una sugerencia recogida en el RFC
-1812 (secciСn 4.3.2.8) acerca de la limitaciСn de la frecuencia de mensajes de
-error ICMP. Por ejemplo, el kernel de Linux (en /ipv4/icmp.h) limita la
-generaciСn de mensajes de destino inalcanzable a 80 cada cuatro segundos, con
-una penalizaciСn de 1/4 de segundo si se rebasa dicha cantidad. Solaris tiene
-unos lМmites mucho mАs estrictos (mАs o menos 2 mensajes por segundo) y por lo
-tanto lleva mАs tiempo hacerle un escaneo.
-.I nmap
-detecta este lМmite de frecuencia y se ralentiza en consecuencia, en vez de
-desbordar la red con paquetes inЗtiles que la mАquina destino ignorarА.
-.Sp
-Como de costumbre, Microsoft ignorС esta sugerencia del RFC y no parece que
-haya previsto ningЗn tipo de lМmite de frecuencia para las mАquinas Windows.
-Debido a esto resulta posible escanear los 65K puertos de una mАquina Windows
-.B muy
-rАpidamente. ║Woop!
-.TP
-.B \-b <ftp relay host>
-Ataque de rebote FTP: Una caracterМstica "interesante" del protocolo FTP (FRC
-959) es la posibilidad de realizar conexiones ftp tipo "proxy". En otras
-palabras, ║me resultarМa posible conectarme desde malvado.com al servidor ftp
-de destino.com y pedirle a ese servidor que enviase un archivo a CUALQUIER
-PARTE de Internet! Aun asМ, esto podrМa haber funcionado bien en 1985 cuando
-se escribiС el RFC, pero en la Internet actual, no podemos permitir que la
-gente vaya por ahМ asaltando servidores ftp y pidiИndoles que escupan sus
-datos a puntos arbitrarios de Internet. Tal y como escribiС *Hobbit* en 1985,
-este defecto del protocolo "puede usarse para enviar mensajes de correo y
-noticias cuyo rastro serА virtualmente imposible de seguir, machacar
-servidores en varios sitios web, llenar discos, tratar de saltarse firewalls y
-, en general, resultar molesto y difМcil de detectar al mismo tiempo." Nosotros
-explotaremos este defecto para (sorpresa, sorpresa) escanear puertos TCP desde
-un servidor ftp "proxy". De este modo nos podrМamos conectar a un servidor ftp
-tras una firewall, y luego escanear aquellos puertos que con mАs probabilidad
-se encuentren bloqueados (el 139 es uno bueno). Si el servidor ftp permite la
-lectura y escritura en algЗn directorio (como por ejemplo /incoming), se
-pueden enviar datos arbitrarios a puertos que se encuentren abiertos (aunque
-nmap no realiza esta funciСn por sМ mismo).
-.Sp
-El argumento que se pasa a la opciСn 'b' es el host que se pretende usar como
-proxy, en notaciСn URL estАndar. El formato es:
-.I nombre_de_usuario:password@servidor:puerto.
-Todo excepto
-.I servidor
-es opcional. Para determinar quИ servidores son vulnerables a este ataque,
-vИase mi artМculo en
-.I Phrack
-51. Se encuentra disponible una versiСn actualizada en la URL de
-.I nmap
-(http://www.insecure.org/nmap).
-.TP
-.B Opciones Generales
-No se requiere ninguna pero algunas de ellas pueden resultar de gran utilidad.
-.TP
-.B \-p0
-No intenta hacer ping a un servidor antes de escanearlo. Esto permite el
-escaneo de redes que no permiten que pasen peticiones (o respuestas)de ecos
-ICMP a travИs de su firewall. microsoft.com es un ejemplo de una red de este
-tipo, y, por lo tanto, deberМa usarse siempre
-.B \-p0
-o
-.B \-PT80
-al escanear microsoft.com.
-.TP
-.B \-PT
-Usa el ping TCP para determinar quИ servidores estАn activos. En vez de enviar
-paquetes de peticiСn de ecos ICMP y esperar una respuesta, se lanzan paquetes
-TCP ACK a travИs de la red de destino (o a una sola mАquina) y luego se espera
-a que lleguen las respuestas. Los servidores activos responden con un RST.
-Esta opciСn mantiene la eficiencia de escanear Зnicamente aquellos servidores
-que se encuentran activos y la combina con la posibilidad de escanear
-redes/servidores que bloquean los paquetes ping. Para los usuarios no root 
-se usa connect(). Para establecer el puerto de destino de los paquetes de
-prueba use -PT <nЗmero de puerto). El puerto por defecto es el 80, dado que
-normalmente este puerto no es un puerto filtrado.
-.TP
-.B \-PS
-Esta opciСn usa paquetes SYN (peticiСn de conexiСn) en vez de los paquetes ACK
-para usuarios root. Los servidores activos deberМan responder con un RST (o,
-en raras ocasiones, un SYN|ACK).
-.TP
-.B \-PI
-Esta opciСn usa un paquete ping (peticiСn de eco ICMP) verdadero. Encuentra
-servidores que estАn activos y tambiИn busca direcciones de broadcast
-dirigidas a subredes en una red. Se trata de direcciones IP 
-alcanzables desde el exterior que envМan los paquetes IP entrantes a una subred
-de servidores. Estas direcciones deberМan eliminarse, si se encontrase alguna,
-dado que suponen un riesgo elevado ante numerosos ataques de denegaciСn de
-servicio (el mАs corriente es Smurf).
-.TP
-.B \-PB
-Este es el tipo de ping por defecto. Usa los barridos ACK (
-.B \-PT
-) e ICMP (
-.B \-PI
-) en paralelo. De este modo se pueden alcanzar firewalls que filtren uno de los
-dos (pero no ambos).
-.TP
-.B \-O
-Esta opciСn activa la detecciСn remota del sistema operativo por medio de la
-huella TCP/IP. En otras palabras, usa un puЯado de tИcnicas para detectar
-sutilezas en la pila de red subyacente del sistema operativo de los servidores
-que se escanean. Usa esta informaciСn para crear una 'huella' que luego
-compara con una base de datos de huellas de sistemas operativos conocidas (el
-archivo nmap-os-fingerprints) para decidir quИ tipo de sistema se estА
-escaneando.
-.Sp
-Si encuentra una mАquina diagnosticada errСneamente que tenga por lo menos un
-puerto abierto, me serМa de gran utilidad que me enviase los detalles en un
-email (es decir, se encontrС la versiСn xxx de tal cosa y se detectС este u
-otro sistema operativo..). Si encuentra una mАquina con al menos un puerto
-abierto de la cual nmap le informe "sistema operativo desconocido", 
-le estarМa agradecido si me enviase la direcciСn IP junto con el nombre del
-sistema operativo y el nЗmero de su versiСn. Si no me puede enviar la
-direcciСn IP, una alternativa serМa ejecutar nmap con la opciСn
-.B \-d
-y enviarme las tres huellas que obtendrМa como resultado junto con el nombre
-del sistema operativo y el nЗmero de versiСn. Al hacer esto, estА 
-contribuyendo a aumentar el nЗmero importante de sistemas operativos conocidos
-por namp y de este modo el programa resultarА mАs exacto para todo el mundo.
-.TP
-.B \-I
-Esta opciСn activa el escaneo TCP de identificaciСn contraria. Tal y como
-comenta Dave Goldsmith en un correo Bugtrat de 1996, el protocolo ident (rfc
-1413) permite la revelaciСn del nombre del usuario propietario de cualquier
-proceso conectado vМa TCP, incluso aunque ese proceso no haya iniciado la
-conexiСn. De este modo se puede, por ejemplo, conectar con el puerto http y
-luego usar identd para descubrir si el servidor estА ejecutАndose como root.
-Esto sСlo se puede hacer con una conexiСn TCP completa con el puerto de
-destino (o sea, la opciСn de escaneo -sT).
-Cuando se usa
-.B \-I,
-se consulta al identd del servidor remoto sobre cada uno de los puertos
-abiertos encontrados en el sistema. Por supuesto, esto no funcionarА si el
-servidor en cuestiСn no estА ejecutando identd.
-.TP
-.B \-f
-Esta opciСn hace que el escaneo solicitado de tipo SYN, FIN, XMAS, o NULL use
-pequeЯos paquetes IP fragmentados. La idea consiste en dividir la cabecera TCP
-en varios paquetes para ponИrselo mАs difМcil a los filtros de paquetes,
-sistemas de detecciСn de intrusiСn y otras inconveniencias por el estilo que
-tratan de saber lo uno estА haciendo. ║Tenga cuidado con esto! Algunos
-programas tienen problemas a la hora de manejar estos paquetes tan pequeЯos.
-Mi sniffer favorito produjo un error de segmentaciСn inmediatamente despuИs de
-recibir el primer fragmento de 36 bytes. ║DespuИs de este viene uno de 24
-bytes! Mientras que este mИtodo no podrА con filtros de paquetes y firewalls
-que ponen en cola todos los fragmentos IP (como en el caso de la opciСn
-CONFIG_IP_ALWAYS_DEFRAG en la configuraciСn del kernel de Linux), tambiИn
-es verdad que algunas redes no pueden permitirse el efecto negativo que esta
-opciСn causa sobre su rendimiento y por lo tanto la dejan desactivada.
-.Sp
-NСtese que no he coseguido que esta opciСn funcione con todos los sistemas.
-Funciona bien con mis sistemas Linux, FreeBSD y OpenBSD y algunas personas
-han informado de Иxitos con otras variantes *NIX.
-.TP
-.B \-v
-Modo de informaciСn ampliada. Esta opciСn resulta muy recomendable y
-proporciona gran cantidad de informaciСn sobre lo que estА sucediendo. Puede
-usarla dos veces para un efecto mayor. ║Use
-.B \-d
-un par veces si lo que quiere es volverse loco haciendo scroll en su pantalla!
-.TP
-.B \-h
-Esta opciСn tan prАctica muestra una pantalla de referencia rАpida sobre las
-opciones de uso de nmap. QuizАs haya notado que esta pАgina de manual no es
-precisamente una "referencia rАpida" :)
-.TP
-.B \-o <nombre_de_archivo_de_registro>
-Esta opciСn guarda los resultados de sus escaneos en forma
-.B humanamente inteligible
-en el archivo especificado como argumento.
-.TP
-.B \-m <nombre_de_archivo_de_registro>
-Esta opciСn guarda los resultados de sus escaneos en un formato
-.B comprensible para una mАquina
-en el archivo especificado como argumento.
-.TP
-.B \-i <nombre_de_archivo_de_entrada>
-Lee especificaciones de servidores o redes de destino a partir del archivo
-especificado en vez de hacerlo de la lМnea de comandos. El archivo debe
-contener una lista de expresiones de servidores o redes separadas por
-espacios, tabuladores o nuevas lМneas. Use un guiСn (-) como
-.I nombre_de_archivo_de_entrada
-si desea que nmap tome las expresiones de servidores de stdin. VИase la secciСn
-.I EspecificaciСn de Objetivo
-para mАs informaciСn sobre expresiones con las que poder completar este
-archivo.
-.TP
-.B \-p <rango de puertos>
-Esta opciСn determina los puertos que se quieren especificar. Por ejemplo, '-p
-23' probarА solo el puerto 23 del servidor(es) objetivo. '-p
-20-30,139,60000-' escanea los puertos del 20 al 30, el puerto 139 y todos los
-puertos por encima de 60000. Por defecto se escanean todos los puertos entre
-el 1 y el 1024 asМ como los que figuran en el archivo /etc/services. 
-.TP
-.B \-F Modo de escaneo rАpido.
-Implica que sСlo se desean escanear aquellos puertos que figuran en
-/etc/services. Obviamente esto resulta mucho mАs rАpido que escanear cada uno
-de los 65535 puertos de un servidor.
-.TP
-.B \-D <seЯuelo1 [,seЯuelo2][,ME],...>
-Especifica que se desea efectuar un escaneo con seЯuelos, el cual hace que el
-servidor escaneado piense que la red destino del escaneo estА siendo escaneada
-tambiИn por el servidor(es) especificados como seЯuelos. AsМ, sus IDs pueden
-informar de entre 5 y 10 escaneos procedentes de direcciСnes IP Зnicas, pero
-no sabrАn que direcciСn IP les estaba escaneando realmente y cЗales eran
-seЯuelos inocentes.
-.Sp 
-Separe cada servidor seЯuelo con comas, y puede usar opcionalmente 'ME' como
-seЯuelo que representa la posiciСn que quiere que ocupe su direcciСn IP. Si
-coloca 'ME' en la sexta posiciСn o superior, es muy poco probable que algunos
-escАneres de puertos comunes (como el excelente scanlogd de Solar Designer)
-lleguen incluso a mostrar su direcciСn IP. Si no se usa 'ME', nmap le colocarА
-a usted en una posiciСn aleatoria.
-.Sp
-NСtese que aquellos servidores usados como seЯuelos deben escontrarse activos,
-o, de lo contrario podrМa provocar un desbordamiento (flood) SYN en su
-objetivo. Por otra parte, resultarА bastante fАcil saber quИ servidor estА
-escaneando si Зnicamente hay uno activo en la red.
-.Sp
-NСtese tambiИn que algunos (estЗpidos) "detectores de escАneres de puertos"
-opondrАn una firewall o bien denegarАn el rutaje a aquellos servidores que
-intenten escanear sus puertos. De este modo se podrМa provocar
-inadvertidamente que la mАquina que se estА intentando escanear perdiese
-contacto con los servidores usados como seЯuelos. Esto podrМa causarles a los
-servidores escaneados verdaderos problemas si los servidores seЯuelo fuesen,
-por ejemplo, su gateway a internet o incluso "localhost". DeberМa usarse esta
-opciСn con extremo cuidado. La verdadera moraleja de este asunto es que un
-detector de escaneos de puertos que aparenten tener intenciones poco
-amistosas no deberМa llevar a cabo acciСn alguna contra la mАquina que
-aparentemente le estА escaneando. ║PodrМa no ser mАs que un seЯuelo!
-.Sp
-Los seЯuelos se usan tanto en el escaneo ping inicial (usando ICMP, SYN, ACK,
-o lo que sea) como en la fase de escaneo de puertos propiamente dicha. TambiИn
-se usan los seЯuelos en la fase de detecciСn remota del sistema operativo (
-.B \-O
-).
-.Sp
-Vale la pena destacar que el uso de demasiados seЯuelos puede ralentizar el
-proceso de escaneo y, potencialmente, hacer que sea menos exacto. Por otra
-parte, algunos ISPs filtrarАn los paquetes manipulados y los desecharАn,
-aunque muchos (actualmente la mayorМa) no ponen restricciones a este tipo de
-paquetes.
-.TP
-.B \-S <DirecciСn_IP>
-En determinadas circunstancias, es posible que 
-.I nmap
-no sea capaz de determinar su (de usted) direcciСn IP de origen (
-.I nmap
-se lo harА saber si este es el caso). En este caso, use -S con su direcciСn IP
-(del interfaz a travИs del cual desea enviar los paquetes).
-.Sp
-Otro posible uso de esta opciСn es el de manipular el escaneo para hacer creer
-a los servidores de destino que
-.B alguien mАs
-les estА escaneando. ║ImagМnese a una compaЯМa escaneada repetidamente por una
-compaЯМa rival! Esta no es la funciСn para la que se ha diseЯado esta opciСn
-(ni su propСsito principal). Simplemente pienso que revela una posibilidad que
-la gente deberМa tener en cuenta antes de acusar a los demАs de escanear sus
-puertos.
-La opciСn
-.B \-e
-serА necesaria en general para este tipo de uso.
-.TP
-.B \-e <interfaz>
-Le dice a nmap quИ interfaz ha de usar para enviar y recibir paquetes. El
-programa deberМa detectar esto por sМ mismo, pero le informarА si no es asМ.
-.TP
-.B \-g <nЗmero_de_puerto>
-Establece el nЗmero de puerto de origen a usar en los escaneos. Muchas
-instalaciones de firewalls y filtros de paquetes inocentes hacen una excepciСn
-en sus reglas para permitir que las atraviesen y establezcan una conexiСn
-paquetes DNS (53) o FTP-DATA (20). Evidentemente esto contraviene
-completamente las ventajas en materia de seguridad que comporta una firewall
-dado que los intrusos pueden enmascararse como DNS o FTP con una simple
-modificaciСn de su puerto de origen. Por supuesto, deberМa probarse primero
-con el puerto 53 para un escaneo UDP y los escaneos TCP deberМan probar el 20
-antes del 53.
-.Sp
-NСtese que el uso de esta opciСn penaliza levemente el rendimiento del
-escaneo, porque a veces se almacena informaciСn Зtil en el nЗmero de puerto
-de origen.
-.TP
-.B \-M <max sockets>
-Establece el nЗmero mАximo de sockets que se usarАn en paralelo para un
-escaneo TCP connect() (escaneo por defecto). Resulta Зtil a la hora de
-ralentizar ligeramente el proceso de escaneo con el fin de evitar que
-la mАquina de destino se cuelgue. Otra manera de hacerlo es usar \-sS, que
-normalmente les resulta mАs fАcil de asumir a las mАquinas de destino.
-.TP
-.B EspecificaciСn de Objetivo
-Cualquier cosa que no es una opciСn (o el argumento de una opciСn) en namp se
-trata como una especificaciСn de servidor de destino. El caso mАs simple
-consiste en especificar servidores aislados o direcciones IP en la lМnea de
-comandos. Si pretende escanear una subred de direcciones IP, entonces se puede
-aЯadir
-.B '/mask'
-a la direcciСn IP o al nombre del servidor.
-.B mask
-debe estar entre 0 (escanea toda Internet) y 32 (escanea Зnicamente el
-servidor especificado). Use /24 para escanear una direcciСn de clase 'C' y /16
-para la clase 'B'.
-.Sp
-Nmap dispone tambiИn de una notaciСn mucho mАs potente que permite la
-especificaciСn de direcciones IP usando listas/rangos para cada elemento. De
-este modo, se puede escanear la red de clase 'B' completa 128.210.*.* 
-especificando '128.210.*.*' o '128.210.0-255.0-255' o incluso
-'128.210.1-50,51-255.1,2,3,4,5-255'. Y, por supuesto, se puede usar la
-notaciСn de mАscara: '128.210.0.0/16'. Todas ellas son equivalentes. Si se
-usan asteriscos ('*'), ha de tenerse en cuenta que la mayorМa de los shells
-requieren que se salga de ellos con caracteres / o que se les proteja con
-comillas.
-.Sp
-Otra posibilidad interesante consiste en dividir Internet en el otro sentido.
-En vez de escanear todos los servidores en una clase 'B', se puede 
-escanear '*.*.5.6-7' para escanear todas las direcciones IP terminadas en .5.6 o .5.7
-Escoja sus propios nЗmeros. Para mАs informaciСn sobre la especificaciСn de
-servidores a escanear, vИase la secciСn
-.I ejemplos
-a continuaciСn.
-
-.SH EJEMPLOS
-A continuaciСn se muestran algunos ejemplos del uso de nmap que abarcan desde
-los usos mАs normales y frecuentes a los mАs complejos o incluso esotИricos.
-NСtese que se han incluido direciones IP y nombres de dominio reales para hacer
-las cosas mАs concretas. Usted deberМa sustituirlos por nЗmeros y direcciones
-de su
-.B propia red.
-No creo que escanear otras redes sea ilegal; ni se deberМan considerar los
-escaneos de puertos como ataques. He escaneado cientos de miles de mАquinas y
-tan sСlo he recibido una queja. Pero no soy abogado y es posible que los
-intentos de
-.I nmap
-lleguen a molestar a alguna gente. Obtenga primero el permiso para hacerlo o
-hАgalo bajo su propia responsabilidad.
-.Sp
-.B nmap -v objetivo.ejemplo.com
-.Sp
-Esta opciСn escanea todos los puertos TCP reservados en la mАquina
-objetivo.ejemplo.com. La \-v implica la activaciСn del modo de informaciСn
-ampliada.
-.Sp
-.B nmap -sS -O objetivo.ejemplo.com/24
-.Sp
-Lanza un escaneo SYN oculto contra cada una de las mАquinas activas de las 255
-mАquinas de la classe 'C' donde se aloja objetivo.ejemplo.com. TambiИn trata
-de determinar el sistema operativo usado en cada una de las mАquinas activas.
-Este escaneo requiere privilegios de roor a causa del escaneo SYN y la
-detecciСn del sistema operativo.
-.Sp
-.B nmap -sX -p 22,53,110,143 "128.210.*.1-127"
-.Sp
-EnvМa un escaneo Xmas tree a la primera mitad de cada una de las 255 posibles
-subredes de 8 bits en el espacio de direcciones clase 'B' 128.210 . Se trata
-de comprobar si los sistemas ejecutan sshd, DNS, pop3d, imapd o el puerto
-4564. NСtese que el escaneo Xmas no funciona contra servidores ejecutando
-cualquier sistema operativo de Microsoft debido a una pila TCP deficiente. Lo
-mismo se aplica a los sistemas CISCO, IRIX, HP/UX, y BSDI.
-.Sp
-.B nmap -v -p 80 '*.*.2.3-5'
-.Sp
-En vez de centrarse en un rango especМfico de direcciones IP, resulta a veces
-interesante dividir Internet en porciones y escanear una pequeЯa muestra de
-cada porciСn. Este comando encuentra todos los servidores web en mАquinas
-cuyas direcciones IP terminen en .2.3, .2.4, o .2.5 . Si usted es root podrМa
-aЯadir tambiИn -sS. TambiИn encontrarА mАquinas mucho mАs interesantes
-si empieza en 127. asМ que es posible que desee usar '127-222' en vez de el
-primer asterisco dado que esa secciСn tiene una densidad mucho mayor de
-mАquinas interesantes (IMHO).
-.Sp
-.B host -l compaЯМa.com | cut '-d ' -f 4 | ./nmap -v -i -
-.Sp
-Hace una transferencia de DNS de zona para descubrir los servidores en
-compaЯМa.com y luego pasar las direcciones IP a 
-.I nmap.
-Los comandos arriba indicados son para mi sistema Linux. Es posible que se
-necesiten comandos/opciones diferentes para otros sistemas operativos.
-.SH BUGS
-©Bugs? ©QuИ bugs? Por favor, envМeme cualquier bug que descubra. Los parches
-tampoco estarМan mal :) Recuerde enviar tambiИn nuevas huellas de sistemas
-operativos para que podamos ampliar nuestra base de datos.
-.SH AUTOR
-.Sp
-Fyodor
-.I <fyodor@insecure.org>Tipos de Escaneo
-.SH DISTRIBUCIсN
-La Зltima versiСn de
-.I nmap
-se puede obtener en
-.I http://www.insecure.org/nmap
-.Sp
-.I nmap 
-es (C) 1997,1998 de Fyodor (fyodor@insecure.org, fyodor@insecure.org)
-.Sp
-Este programa es software libre; puede redistribuirse y/o modificarse bajo los
-tИrminos de la Licencia PЗblica General GNU tal y como la publica la FundaciСn
-de Software Libre; VersiСn 2.
-.Sp
-Este programa se distribuye con la esperanza de que pueda resultar de
-utilidad, pero SIN NINGзN TIPO DE GARANTмA; sin tan siquiera la garantМa e ser
-apto para su COMECIALIZACIсN o ADECUADO PARA UN PROPсSITO EN PARTICULAR. VИase
-la Licencia PЗblica General GNU para mАs detalles (estА en el archivo COPYING
-de la distribuciСn de
-.I nmap
-).
diff --git a/nmap.spec.in b/nmap.spec.in
index 96e79c3c3..23003cf82 100644
--- a/nmap.spec.in
+++ b/nmap.spec.in
@@ -55,7 +55,7 @@ be installed before installing nmap-frontend.
 %build
 export CFLAGS="$RPM_OPT_FLAGS"
 export CXXFLAGS="$RPM_OPT_FLAGS"
-./configure --prefix=%{prefix} --mandir=%{prefix}/share/man --without-openssl
+./configure --prefix=%{prefix} --mandir=%{prefix}/share/man --without-openssl --without-umit
 %if "%{static}" == "1"
 make static
 %else
diff --git a/nse_nmaplib.cc b/nse_nmaplib.cc
index 1ffd44065..5737c19e0 100644
--- a/nse_nmaplib.cc
+++ b/nse_nmaplib.cc
@@ -399,18 +399,18 @@ static int l_set_port_version(lua_State* l, Target* target, Port* port) {
 }
 
 static int l_print_debug_unformatted(lua_State *l) {
-	int verbosity=1, stack_counter(1);
-	const char *out;
-
-	if (lua_gettop(l) != 2) return luaL_error(l, "Incorrect number of arguments\n");
-
-	verbosity = luaL_checkinteger(l, 1);
-	if (verbosity > o.verbose) return 0;
-	out = luaL_checkstring(l, 2);
-
-	log_write(LOG_STDOUT, "%s DEBUG: %s\n", SCRIPT_ENGINE, out);
-
-	return 0;
+  int verbosity=1;
+  const char *out;
+  
+  if (lua_gettop(l) != 2) return luaL_error(l, "Incorrect number of arguments\n");
+  
+  verbosity = luaL_checkinteger(l, 1);
+  if (verbosity > o.verbose) return 0;
+  out = luaL_checkstring(l, 2);
+  
+  log_write(LOG_STDOUT, "%s DEBUG: %s\n", SCRIPT_ENGINE, out);
+  
+  return 0;
 }
 
 static int l_exc_finalize(lua_State *l) {
diff --git a/nselib/Makefile.in b/nselib/Makefile.in
index 35de048b8..30ce5b83b 100644
--- a/nselib/Makefile.in
+++ b/nselib/Makefile.in
@@ -1,16 +1,10 @@
 PLATFORM=@host@
 
-#ugly hack to get the includes right
-ifeq ($(LIBLUA_LIBS),$(LIBLUADIR)/liblua.a)
-LIBLUA_INCLUDE= -I../$(LIBLUADIR)
-endif
-LIBSUFFIX=@LIBSUFFIX@
 CC = @CC@
 CXX = @CXX@
 CCOPT = 
 DBGFLAGS = 
 
-# LIBPCREDIR = @LIBPCREDIR@
 
 SHTOOL = ../shtool
 INSTALL = $(SHTOOL) install 
@@ -21,7 +15,7 @@ LTFLAGS = --tag=CC --silent
 all: bit.so
 
 bit.so: bit.c @LIBTOOL_DEPS@
-	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) $(LIBLUA_INCLUDE) $(CFLAGS) -c bit.c
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) @LUAINCLUDE@ $(CFLAGS) -c bit.c
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -avoid-version -module -rpath /usr/local/lib -o bit.la bit.lo
 	mv .libs/bit.so bit.so
 
diff --git a/nselib/configure b/nselib/configure
index 0ef4dfa5f..ab5d01b34 100755
--- a/nselib/configure
+++ b/nselib/configure
@@ -836,6 +836,7 @@ FFLAGS
 ac_ct_F77
 LIBTOOL
 LIBTOOL_DEPS
+LUAINCLUDE
 LIBOBJS
 LTLIBOBJS'
 ac_subst_files=''
@@ -3630,7 +3631,7 @@ ia64-*-hpux*)
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 3633 "configure"' > conftest.$ac_ext
+  echo '#line 3634 "configure"' > conftest.$ac_ext
   if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -6252,11 +6253,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6255: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6256: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6259: \$? = $ac_status" >&5
+   echo "$as_me:6260: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -6520,11 +6521,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6523: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6524: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:6527: \$? = $ac_status" >&5
+   echo "$as_me:6528: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -6624,11 +6625,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:6627: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:6628: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:6631: \$? = $ac_status" >&5
+   echo "$as_me:6632: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -8921,7 +8922,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 8924 "configure"
+#line 8925 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -9021,7 +9022,7 @@ else
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<EOF
-#line 9024 "configure"
+#line 9025 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -11361,11 +11362,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11364: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:11365: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:11368: \$? = $ac_status" >&5
+   echo "$as_me:11369: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -11465,11 +11466,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:11468: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:11469: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:11472: \$? = $ac_status" >&5
+   echo "$as_me:11473: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -13026,11 +13027,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13029: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13030: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:13033: \$? = $ac_status" >&5
+   echo "$as_me:13034: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -13130,11 +13131,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:13133: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:13134: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:13137: \$? = $ac_status" >&5
+   echo "$as_me:13138: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -15321,11 +15322,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15324: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15325: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15328: \$? = $ac_status" >&5
+   echo "$as_me:15329: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -15589,11 +15590,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15592: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15593: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:15596: \$? = $ac_status" >&5
+   echo "$as_me:15597: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -15693,11 +15694,11 @@ else
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:15696: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:15697: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:15700: \$? = $ac_status" >&5
+   echo "$as_me:15701: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -18386,6 +18387,141 @@ case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
 
 
 
+# needed for lua-includes
+if test "${ac_cv_header_lua_h+set}" = set; then
+  { echo "$as_me:$LINENO: checking for lua.h" >&5
+echo $ECHO_N "checking for lua.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_lua_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_lua_h" >&5
+echo "${ECHO_T}$ac_cv_header_lua_h" >&6; }
+else
+  # Is the header compilable?
+{ echo "$as_me:$LINENO: checking lua.h usability" >&5
+echo $ECHO_N "checking lua.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+$ac_includes_default
+#include <lua.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_header_compiler=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking lua.h presence" >&5
+echo $ECHO_N "checking lua.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+#include <lua.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } >/dev/null && {
+	 test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       }; then
+  ac_header_preproc=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+  ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So?  What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+  yes:no: )
+    { echo "$as_me:$LINENO: WARNING: lua.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: lua.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: lua.h: proceeding with the compiler's result" >&2;}
+    ac_header_preproc=yes
+    ;;
+  no:yes:* )
+    { echo "$as_me:$LINENO: WARNING: lua.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: lua.h: present but cannot be compiled" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h:     check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: lua.h:     check for missing prerequisite headers?" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: lua.h: see the Autoconf documentation" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h:     section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: lua.h:     section \"Present But Cannot Be Compiled\"" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: lua.h: proceeding with the preprocessor's result" >&2;}
+    { echo "$as_me:$LINENO: WARNING: lua.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: lua.h: in the future, the compiler will take precedence" >&2;}
+
+    ;;
+esac
+{ echo "$as_me:$LINENO: checking for lua.h" >&5
+echo $ECHO_N "checking for lua.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_lua_h+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  ac_cv_header_lua_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_lua_h" >&5
+echo "${ECHO_T}$ac_cv_header_lua_h" >&6; }
+
+fi
+if test $ac_cv_header_lua_h = yes; then
+  :
+else
+  { echo "$as_me:$LINENO: using lua-includefiles provided with nmap" >&5
+echo "$as_me: using lua-includefiles provided with nmap" >&6;};LUAINCLUDE=-I../liblua/
+fi
+
+
+
 
 ac_config_files="$ac_config_files Makefile"
 
@@ -19086,11 +19222,12 @@ FFLAGS!$FFLAGS$ac_delim
 ac_ct_F77!$ac_ct_F77$ac_delim
 LIBTOOL!$LIBTOOL$ac_delim
 LIBTOOL_DEPS!$LIBTOOL_DEPS$ac_delim
+LUAINCLUDE!$LUAINCLUDE$ac_delim
 LIBOBJS!$LIBOBJS$ac_delim
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 71; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 72; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
diff --git a/nselib/configure.ac b/nselib/configure.ac
index 4ced0c671..e97d1ac15 100644
--- a/nselib/configure.ac
+++ b/nselib/configure.ac
@@ -15,6 +15,9 @@ AC_SUBST(LIBTOOL_DEPS)
 
 AC_CANONICAL_HOST
 
+# needed for lua-includes
+AC_CHECK_HEADER([lua.h],,[AC_MSG_NOTICE(using lua-includefiles provided with nmap);[LUAINCLUDE=-I../liblua/]],)
+AC_SUBST(LUAINCLUDE)
 
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT
diff --git a/osscan.cc b/osscan.cc
index ecff3c454..ea4ff71b5 100644
--- a/osscan.cc
+++ b/osscan.cc
@@ -120,6 +120,8 @@
 # endif
 #endif
 
+#include <list>
+
 extern NmapOps o;
 
 /* Note that a sport of 0 really will (try to) use zero as the source
diff --git a/output.cc b/output.cc
index 45deb3305..da0f17c43 100644
--- a/output.cc
+++ b/output.cc
@@ -115,6 +115,8 @@
 #include "utils.h"
 
 #include <string>
+#include <vector>
+#include <list>
 
 /* Workaround for lack of namespace std on HP-UX 11.00 */
 namespace std {};
diff --git a/traceroute.h b/traceroute.h
index 2ec5637b4..2661d2904 100644
--- a/traceroute.h
+++ b/traceroute.h
@@ -101,6 +101,8 @@
 
 #include "Target.h"
 
+#include <vector>
+
 /* Probe types */
 #define PROBE_TRACE 0
 #define PROBE_TTL 1