diff --git a/docs/nmap-install.xml b/docs/nmap-install.xml
index f64de23ce..743ff0a50 100644
--- a/docs/nmap-install.xml
+++ b/docs/nmap-install.xml
@@ -21,7 +21,7 @@ have it. Many free operating system distributions (including most
Linux and BSD systems) come with Nmap, although it may not be
installed by default. On Unix systems, open a terminal window and try executing the command
nmap .
-If Nmap exists and is in your $PATH,
+If Nmap exists and is in your PATH,
PATH environment variable
you should see output similar to .
@@ -38,7 +38,7 @@ felix~>
If Nmap does not
-exist on the system (or if your $PATH is incorrectly
+exist on the system (or if your PATH is incorrectly
set), an error message such as
nmap: Command not found is reported. As the
example above shows, Nmap responds to the command by printing its
diff --git a/docs/refguide.xml b/docs/refguide.xml
index 1211aaa45..f5db48e18 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -58,7 +58,7 @@
open, filtered,
closed, or unfiltered.
open port state
- Open means that an application on the target machine is listening for
+ Open means that an application on the target machine is listening for
connections/packets on that port.
filtered port stateFiltered means that a firewall, filter, or other network
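Review bot: the removed and added "Open means that an application..." lines are identical once rendered, so this is a markup-only change; check that the element now wrapping "Open" is the same one used for "filtered", "closed" and "unfiltered" in the list just above it, so the four port-state names render the same way throughout the section.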
@@ -334,7 +334,7 @@ you would expect.
to each target machine. An exception to this is that an ARP scan is
used for any targets which are on a local ethernet network.
For unprivileged Unix shell users, a SYN packet is sent
- instead of the ack using the connect()
+ instead of the ACK using the connect()
system call.
unprivileged userslimitations of
These defaults are equivalent to the
@@ -778,7 +778,7 @@ you would expect.
-Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel.
+Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans () and idle scans (). All traces use Nmap's dynamic timing model and are performed in parallel.
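Review bot: the added line renders "connect scans ()" and "idle scans ()" with empty parentheses where the removed line had the literal -sT and -sI; confirm the option elements that replaced them actually contain -sT and -sI, since the sentence is only useful to the reader if the flag names survive rendering.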
@@ -985,7 +985,7 @@ options from across the Internet might show that port as filtered
@@ -1039,7 +1039,7 @@ that all of its insights are based on packets returned by the target
machines (or firewalls in front of them). Such hosts may be
untrustworthy and send responses intended to confuse or mislead Nmap.
Much more common are non-RFC-compliant hosts that do not respond as
-they should to Nmap probes. FIN, null, and Xmas scans are
+they should to Nmap probes. FIN, NULL, and Xmas scans are
particularly susceptible to this problem. Such issues are specific to
certain scan types and so are
discussed in the individual scan type entries.
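Review bot: capitalizing "NULL" here is the right call, since the scan type is named that way in its own entry, and the same edit is made in the SYN-scan paragraph (FIN/NULL/Xmas) and the Maimon paragraph later in this patch; grep the two XML files for any remaining lowercase "null scan" / "null, FIN" so the spelling does not stay mixed.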
@@ -1073,7 +1073,7 @@ second on a fast network not hampered by restrictive firewalls. SYN scan
is relatively unobtrusive and stealthy, since it never completes TCP
connections. It also works against any compliant TCP stack rather
than depending on idiosyncrasies of specific platforms as Nmap's
-FIN/null/Xmas, Maimon and idle scans do. It also allows clear,
+FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear,
reliable differentiation between the open,
closed, and filtered
states.
@@ -1159,7 +1159,7 @@ codes 1, 2, 9, 10, or 13) mark the port as filtered. Occasio
service will respond with a UDP packet, proving that it is open. If
no response is received after retransmissions, the port is classified
as open|filtered. This means that the port could be open, or perhaps
-packet filters are blocking the communication. Versions scan
+packet filters are blocking the communication. Version detection
() can be used to help differentiate the truly
open ports from the filtered ones.
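Review bot: "Versions scan" to "Version detection" fixes both the grammar and the feature name, but the parentheses after it now render empty; make sure the option element inside them carries -sV, otherwise the reader is told to use a feature without being told the flag.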
@@ -1329,7 +1329,7 @@ ports, then those three may very well be the truly open ones.
He described the technique in Phrack Magazine issue #49 (November 1996).
Phrack
Nmap, which included this technique, was released two issues later.
-This technique is exactly the same as null, FIN, and Xmas scans, except
+This technique is exactly the same as NULL, FIN, and Xmas scans, except
that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet
should be generated in response to such a probe whether the port is
open or closed. However, Uriel noticed that many BSD-derived systems
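Review bot: while touching this sentence, the unchanged context "a RST packet" should read "an RST packet" (RST is read letter by letter, so it takes "an"); the rest of the paragraph, a FIN/ACK probe that should draw an RST whether the port is open or closed per RFC 793, is stated correctly.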
@@ -1551,7 +1551,7 @@ way.
This option specifies which ports you want to scan and
overrides the default. Individual port numbers are OK, as
- are ranges separated by a hyphen (e.g. 1-1023). The
+ are ranges separated by a hyphen (e.g. 1-1023). The
beginning and/or end values of a range may be omitted,
causing Nmap to use 1 and 65535, respectively. So you can
specify to scan ports from 1 through
@@ -1638,7 +1638,7 @@ way.nmap-servicesnmap-services
database of about 2,200 well-known services,
- well known ports
+ well-known ports
Nmap would report that those ports probably correspond to a
mail server (SMTP), web server (HTTP), and name server (DNS)
respectively. This lookup is usually accurate—the vast
@@ -1860,7 +1860,7 @@ way.
the initial window size check, Nmap compares the results to its
nmap-os-dbnmap-os-db
- database of more than 800 known
+ database of more than a thousand known
OS fingerprints and prints out the OS details if there is a match.
Each fingerprint includes a freeform textual description of the
OS, and a classification which provides the vendor name
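Review bot: replacing "more than 800" with "more than a thousand" will go stale again exactly the way 800 did, since nmap-os-db grows every release; either phrase it so it does not need maintenance (e.g. "a database of thousands of known OS fingerprints" once that is true, or simply "its database of known OS fingerprints") or add a comment in the XML noting which release the figure was taken from.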
@@ -2014,9 +2014,9 @@ way.
version)—While Nmap already offers its Service and
Version detection system, which is unmatched in terms of efficiency and
scope, this power has its downside when it comes to services requiring more
- complex probes. The Skype-Protocol version 2 for instance can be identified
+ complex probes. The Skype Protocol version 2 for instance can be identified
by sending 2 independent probes to it, which the built-in system is not laid
- out for: a simple NSE-script can do the job and update the port's service
+ out for: a simple NSE script can do the job and update the port's service
information.
@@ -2079,7 +2079,7 @@ way.
- A NSE-script basically is a chunk of Lua-code which has (among some
+ An NSE script basically is a chunk of Lua-code which has (among some
informational fields, like name, id and categories) 2 functions: a test
whether the particular script should be run against a certain host or port
(called a hostrule
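Review bot: "A NSE-script" to "An NSE script" is correct, but the same line still has "Lua-code", which is the same unnecessary hyphenation this patch removes elsewhere ("NSE-script", "Skype-Protocol"); change it to "Lua code" in the same hunk, and consider "two functions" instead of "2 functions", matching "2 independent probes" in the earlier hunk, which should also be spelled out.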
@@ -2128,10 +2128,11 @@ way.--datadir/;
NMAPDIR environment variable
-$(NMAPDIR)/;
-~user/nmap/ (not searched on Windows);
-NMAPDATADIR
-NMAPDATADIR/ or
+$NMAPDIR/;
+~/.nmap/ (not searched on Windows);
+.nmap directory
+NMAPDATADIR
+NMAPDATADIR/ or
./. A scripts/ subdirectory is also tried in each of these. Give the argument all to execute all scripts in the Nmap script database.
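Review bot: "$(NMAPDIR)" to "$NMAPDIR" is the right fix, since the removed form is Makefile syntax and the text is describing a shell environment variable, and "~/.nmap/" matches the path documented in the data-files section later in this patch; two things to check: first, in this hunk the ".nmap directory" index term is added after the "~/.nmap/" line, while the identical list in scripting.xml in this same patch adds it before that line, so pick one order for both copies; second, since the list ends with "./" and "A scripts/ subdirectory is also tried in each of these", it is worth a sentence saying that the current working directory is searched too, so that running a script by bare name from an untrusted directory can pick up a scripts/ subdirectory there.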
@@ -2157,7 +2158,7 @@ categories.
script arguments
-lets you provide arguments to NSE-scripts. Arguments are passed
+lets you provide arguments to NSE scripts. Arguments are passed
as name=value pairs. The provided argument is
processed and stored inside a Lua table, to which all scripts have
access. The names are taken as strings (which must be alphanumeric
@@ -2368,7 +2369,7 @@ timing out and retransmitting while the response is in transit.If all the hosts are on a local network, 100 milliseconds is a
reasonable aggressive value. If
routing is involved, ping a host on the network first with the ICMP
-ping utility, or with a custom packet crafter such as hping2
+ping utility, or with a custom packet crafter such as hping2hping2
that is
more likely to get through a firewall. Look at the maximum round trip
@@ -2505,7 +2506,7 @@ that a scan will be finished by a certain time. When the
option is given Nmap will do its best to
send packets as fast or faster than the given rate. The argument is a
positive real number representing a packet rate in packets per second.
-For example, specifying --min-rate 300 means that
+For example, specifying means that
Nmap will try to keep the sending rate at or above 300 packets per
second. Specifying a minimum rate does not keep Nmap from going faster
if conditions warrant.
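Review bot: the added line renders as "specifying  means that", with the literal "--min-rate 300" gone; the rest of the sentence still refers to "300 packets per second", so the option element that replaced the literal must contain both the flag and the value 300, not just --min-rate.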
@@ -2580,12 +2581,12 @@ worth the extra time.timing templatesparanoid, sneaky, polite, normal, aggressive, and insane
-paranoid timing template
-sneaky timing template
-polite timing template
-normal timing template
-aggressive timing template
-insane timing template
+paranoid timing template
+sneaky timing template
+polite timing template
+normal timing template
+aggressive timing template
+insane timing templateWhile the fine-grained timing controls discussed in the previous
@@ -2594,17 +2595,17 @@ Moreover, choosing the appropriate values can sometimes take more time
than the scan you are trying to optimize. So Nmap offers a simpler
approach, with six timing templates. You can specify them with the
option and their number (0–5) or their name.
-The template names are (),
+The template names are (),
paranoid () timing template
- (),
+ (),
sneaky () timing template
- (),
+ (),
polite () timing template
- (),
+ (),
normal () timing template
- (), and
+ (), and
aggressive () timing template
- ().
+ ().
insane () timing template
The first two are for IDS evasion.
intrusion detection systemsavoiding
@@ -2621,10 +2622,10 @@ wish to be, while leaving Nmap to pick the exact timing values. The
templates also make some minor speed adjustments for which
fine-grained control options do not currently exist. For example,
-aggressive () timing templage
+aggressive () timing template
prohibits the dynamic scan delay from exceeding
10 ms for TCP ports and caps that value at 5 ms.
-insane () timing templage
+insane () timing template
Templates can be used in combination with fine-grained
controls, and the fine-grained controls will you specify will take
precedence over the timing template default for that parameter. I
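Review bot: the "templage" to "template" fixes are fine, but the unchanged context two lines below them reads "the fine-grained controls will you specify will take precedence", which has a stray "will"; since the hunk already touches this paragraph, change it to "the fine-grained controls you specify will take precedence over the timing template default for that parameter".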
@@ -2640,7 +2641,7 @@ sometimes specify because they think it is less
likely to crash hosts or because they consider themselves to be polite
in general. They often don't realize just how slow
-polite () timing templage
+polite () timing template
really is. Their scan may take ten times longer than a
default scan.
Machine crashes and bandwidth problems are rare with the
@@ -2650,9 +2651,9 @@ far more effective than playing with timing values at reducing these
problems.While
-paranoid () timing templage
+paranoid () timing template
and
-sneaky () timing templage
+sneaky () timing template
may be
useful for avoiding IDS alerts, they will take an extraordinarily long
time to scan thousands of machines or ports. For such a long scan,
@@ -2666,11 +2667,14 @@ between sending each probe. and
are similar but they only wait 15 seconds and 0.4
seconds, respectively, between probes. is Nmap's
default behavior, which includes parallelization.
-normal () timing templage
-
+normal () timing template
+
+aggressive () timing template
does the equivalent of and sets the maximum TCP scan delay
-to 10 milliseconds. does the equivalent of
+to 10 milliseconds.
+insane () timing template
+does the equivalent of
as well as
setting the maximum TCP scan delay to 5 ms.
@@ -2777,7 +2781,7 @@ lists the relevant options and describes what they do.
specify if you use . The offset must be a
multiple of 8. While fragmented packets won't get by
packet filters and firewalls that queue all IP fragments,
- such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux
+ such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux
kernel, some networks can't afford the performance hit
this causes and thus leave it disabled. Others can't enable
this because fragments may take different routes into their
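Review bot: the removed and added CONFIG_IP_ALWAYS_DEFRAG lines render identically, so this is a markup change (presumably wrapping the option name); while the line is being edited, confirm that CONFIG_IP_ALWAYS_DEFRAG is still the current name of the Linux kernel option being described, as kernel config symbols for forced defragmentation have changed over time and the sentence will mislead readers if it names one that no longer exists. The surrounding statement that the fragment offset must be a multiple of 8 is correct.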
@@ -2824,12 +2828,12 @@ lists the relevant options and describes what they do.
excellent Scanlogd)
Scanlogd
are unlikely to show your IP address at
- all. If you don't use ME, nmap will put
- you in a random position. You can also use RND
+ all. If you don't use ME, Nmap will put
+ you in a random position. You can also use RNDRND (decoy address)
to generate
- a random, non-reserved IP address, or RND:<number> to
- generate <number> addresses. Note that the hosts
+ a random, non-reserved IP address, or RND:number to
+ generate number addresses.Note that the hosts
you use as decoys should be up or you might accidentally SYN
flood your targets. Also it will be pretty easy to determine
which host is scanning if only one is actually up on the
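Review bot: the added "generate number addresses.Note that the hosts" has no space after the period; if "Note that..." is now a new paragraph element this is only a rendering artifact, but if it is still the same paragraph the space must be restored. The "RND:<number>" to "RND:number" change is presumably a replaceable-element wrap; keep the angle brackets out of the text as done here, since a literal "<number>" would not be well-formed XML.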
@@ -2865,8 +2869,7 @@ lists the relevant options and describes what they do.In some circumstances,
Nmap may not be able to determine your
- source address (
- Nmap will tell you if this is the
+ source address (Nmap will tell you if this is the
case). In this situation, use with the IP address of
the interface you wish to send packets through.
@@ -3087,6 +3090,7 @@ support the option completely, as does UDP scan.
(it is case insensitive). If a match is found, Nmap uses the
vendor's OUI (3-byte prefix)
organizationally unique identifier (OUI)
+ organizationally unique identifier (OUI)nmap-max-prefixes
and fills out the remaining 3 bytes
randomly. Valid argument examples are Apple, 0,
01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. This option only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection or the Nmap Scripting Engine.
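Review bot: the new index term on the added line reads "nmap-max-prefixes", but the data file that holds the OUI table is nmap-mac-prefixes (MAC, not max); fix the spelling or the index entry will point at a file that does not exist. The rest of the paragraph, three-byte OUI from the vendor match plus three random bytes, and the caveat that the option only affects raw-packet scans, is accurate.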
@@ -3138,28 +3142,28 @@ files, which Nmap can append to or clobber. Output files may also be
used to resume aborted scans.
Nmap makes output available in five different formats.
-The default is called interactive output,
+The default is called interactive output,
interactive output
and it is sent to standard output (stdout).
stdoutstandard output
-There is also normal output,
+There is also normal output,
normal output
-which is similar to interactive except that it
+which is similar to interactive except that it
displays less runtime information and warnings since it is expected to
be analyzed after the scan completes rather than interactively.
-XML output
+XML outputXML output
is one of the most important output types, as it can
be converted to HTML, easily parsed by programs such as Nmap graphical
user interfaces, or imported into databases.
-The two remaining output types are the simple grepable
-output
+The two remaining output types are the simple grepable
+outputgrepable output
which includes most information for a target host on
-a single line, and sCRiPt KiDDi3 0utPUt
+a single line, and sCRiPt KiDDi3 0utPUtscR1pT kIddI3 output
for users
who consider themselves |<-r4d.
@@ -3739,8 +3743,9 @@ overwhelming requests. Specify to only see
option (if any). Any files not
found there, are searched for in the directory specified by
the NMAPDIR environmental variableNMAPDIR environment variable.
- Next comes ~/.nmap for
- real and effective UIDs (POSIX systems only) or location of
+ Next comes ~/.nmap
+ .nmap directory
+ for real and effective UIDs (POSIX systems only) or location of
the Nmap executable (Win32 only), and then a compiled-in
location such as /usr/local/share/nmap or /usr/share/nmap
. As a last resort, Nmap will look in the current
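Review bot: the ".nmap directory" index term is placed sensibly, but the sentence it is inserted into, "~/.nmap for real and effective UIDs (POSIX systems only)", is ambiguous: say explicitly that the ~/.nmap directories of both the real user and the effective user are searched, since that is what matters when Nmap runs under sudo or setuid. Also, the unchanged context just above has a stray comma in "Any files not found there, are searched for"; drop the comma while the paragraph is being edited.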
@@ -3833,7 +3838,7 @@ overwhelming requests. Specify to only see
configured to allow unprivileged users to perform raw-packet
scans. Be sure to provide this option flag before any flags
for options that require privileges (SYN scan, OS detection,
- etc.). The NMAP_PRIVILEGED environmental variable
+ etc.). The NMAP_PRIVILEGED environmental variable
NMAP_PRIVILEGED
may be set as an equivalent alternative to
.
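Review bot: the added line keeps "environmental variable" although the index term on the next line and the NMAPDIR entry earlier in this section both say "environment variable"; change it to "environment variable" here, in the identical NMAP_UNPRIVILEGED hunk that follows, and in the unchanged "NMAPDIR environmental variable" context of the previous hunk, so the term is consistent everywhere the patch touches it.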
@@ -3854,7 +3859,7 @@ overwhelming requests. Specify to only see
unprivileged users
This is useful for testing, debugging, or when the raw
network functionality of your operating system is somehow
- broken. The NMAP_UNPRIVILEGED environmental variable
+ broken. The NMAP_UNPRIVILEGED environmental variable
NMAP_UNPRIVILEGED
may be set as an equivalent alternative to
.
diff --git a/docs/scripting.xml b/docs/scripting.xml
index 15b1db172..ceb693a17 100644
--- a/docs/scripting.xml
+++ b/docs/scripting.xml
@@ -413,10 +413,11 @@ searched in the following places until found:
scriptslocation of--datadir/;
NMAPDIR environment variable
-$(NMAPDIR)/;
-~user/nmap/ (not searched on Windows);
-NMAPDATADIR
-NMAPDATADIR/ or
+$NMAPDIR/;
+.nmap directory
+~/.nmap/ (not searched on Windows);
+NMAPDATADIR
+NMAPDATADIR/ or
./. A scripts/ subdirectory
is also tried in each of these. Give the argument all to execute all scripts in the Nmap script database.
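Review bot: this is the same search-path list as the refguide.xml hunk earlier in the patch, and the two copies now differ in where the ".nmap directory" index term sits (before "~/.nmap/" here, after it there); align them, and since the list is duplicated verbatim in both files, consider moving it into a shared entity or included fragment so the next path change does not have to be made twice.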
@@ -732,7 +733,7 @@ that.
use, small in size, compatible with the Nmap license,
scalable, fast and parallelizable. There have been several
efforts to design a security auditing language from scratch
- which have resulted in well known awkward solutions. It was
+ which have resulted in well-known awkward solutions. It was
clear from the beginning that we would not go down this
road. For a while the Guile scheme interpreter was considered
but the preference drifted towards Elk in favor of its more
@@ -740,7 +741,7 @@ that.
difficult. In addition, the subset of Nmap users familiar with
functional programming is regarded too small to consider
Scheme as an option. Larger interpreters like Perl, Python or
- Ruby are well known and loved, but are difficult to embed
+ Ruby are well-known and loved, but are difficult to embed
efficiently. In the end, Lua exceeded in all criteria for
NSE. It is small, distributed under the MIT license, has
coroutines for efficient parallel script
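Review bot: the hyphen is wrong in this hunk's position: "Ruby are well known and loved" uses the phrase predicatively (after the verb), where it is conventionally left unhyphenated, while the earlier "well-known awkward solutions" and the later "well-known ports" are attributive and correctly hyphenated; revert this one line to "well known and loved".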
@@ -1179,7 +1180,7 @@ if(s) code_to_be_done_on_match end
checks whether an IP address, provided as a string in
dotted-quad notation, is part of the non-routed private IP address
- space, as described in RFC 1918. These addresses are the well known
+ space, as described in RFC 1918. These addresses are the well-known
10.0.0.0/8, 192.168.0.0/16 and
172.16.0.0/12 networks.
@@ -1251,7 +1252,7 @@ if(s) code_to_be_done_on_match end
This is a combination of the above functions, since many scripts
- explicitly try to run against the well known ports, but want
+ explicitly try to run against the well-known ports, but want
also to run against any other port which was discovered to run the
named service. A typical example for this function is:
portrule = shortport.port_or_service(22,"ssh").
@@ -3536,7 +3537,7 @@ require "shortport"
We want to check whether the service behind the port is finger,
-or whether it runs on finger's well known port 79. Through this we can
+or whether it runs on finger's well-known port 79. Through this we can
use the information gathered during the version scan (if finger runs
on a non-standard port) or still run against at least the port we
expect it, should the version detection information not be available.