@@ -2,12 +2,12 @@
|
|
|
|
|
.\" Title: nmap
|
|
|
|
|
.\" Author: [see the "Authors" section]
|
|
|
|
|
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
|
|
|
|
|
.\" Date: 09/28/2018
|
|
|
|
|
.\" Date: 08/12/2019
|
|
|
|
|
.\" Manual: Nmap Reference Guide
|
|
|
|
|
.\" Source: Nmap
|
|
|
|
|
.\" Language: English
|
|
|
|
|
.\"
|
|
|
|
|
.TH "NMAP" "1" "09/28/2018" "Nmap" "Nmap Reference Guide"
|
|
|
|
|
.TH "NMAP" "1" "08/12/2019" "Nmap" "Nmap Reference Guide"
|
|
|
|
|
.\" -----------------------------------------------------------------
|
|
|
|
|
.\" * Define some portability stuff
|
|
|
|
|
.\" -----------------------------------------------------------------
|
|
|
|
|
@@ -119,7 +119,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
|
|
|
|
|
.RS 4
|
|
|
|
|
.\}
|
|
|
|
|
.nf
|
|
|
|
|
Nmap 7\&.70SVN ( https://nmap\&.org )
|
|
|
|
|
Nmap 7\&.80 ( https://nmap\&.org )
|
|
|
|
|
Usage: nmap [Scan Type(s)] [Options] {target specification}
|
|
|
|
|
TARGET SPECIFICATION:
|
|
|
|
|
Can pass hostnames, IP addresses, networks, etc\&.
|
|
|
|
|
@@ -344,7 +344,8 @@ tool\&. Users can skip the ping step entirely with a list scan (\fB\-sL\fR) or b
|
|
|
|
|
.PP
|
|
|
|
|
If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request\&. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6\&.) These defaults are equivalent to the
|
|
|
|
|
\fB\-PE \-PS443 \-PA80 \-PP\fR
|
|
|
|
|
options\&. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery
|
|
|
|
|
options\&. The exceptions to this are the ARP
|
|
|
|
|
(for IPv4) and Neighbor Discovery
|
|
|
|
|
(for IPv6) scans which are used for any targets on a local ethernet network\&. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the
|
|
|
|
|
\fBconnect\fR
|
|
|
|
|
system call\&.
|
|
|
|
|
@@ -352,8 +353,9 @@ This host discovery is often sufficient when scanning local networks, but a more
|
|
|
|
|
.PP
|
|
|
|
|
The
|
|
|
|
|
\fB\-P*\fR
|
|
|
|
|
options (which select ping types) can be combined\&. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes\&. Also note that ARP/Neighbor Discovery (\fB\-PR\fR)
|
|
|
|
|
is done by default against targets on a local ethernet network even if you specify other
|
|
|
|
|
options (which select ping types) can be combined\&. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes\&. Also note that ARP/Neighbor Discovery
|
|
|
|
|
|
|
|
|
|
is done by default against targets on a local Ethernet network even if you specify other
|
|
|
|
|
\fB\-P*\fR
|
|
|
|
|
options, because it is almost always faster and more effective\&.
|
|
|
|
|
.PP
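Review bot: Dropping the `(\fB\-PR\fR)` cross-reference from "ARP/Neighbor Discovery" leaves this paragraph with no pointer to the option that actually performs the ARP/ND ping, and the `-PR` entry itself is deleted in a later hunk of this patch, so a reader of the rendered page can no longer find the flag from here; keep the parenthetical unless the option is documented elsewhere. The same hunk capitalizes "local Ethernet network" while the preceding hunk keeps "local ethernet network" and the `--disable-arp-ping` and IPv6 context lines keep "ethernet"; pick one spelling for the whole page.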
|
|
|
|
|
@@ -489,7 +491,7 @@ and
|
|
|
|
|
Another host discovery option is the UDP ping, which sends a UDP packet to the given ports\&. For most ports, the packet will be empty, though some use a protocol\-specific payload that is more likely to elicit a response\&.
|
|
|
|
|
The payload database is described at \m[blue]\fB\%https://nmap.org/book/nmap-payloads.html\fR\m[]\&.
|
|
|
|
|
|
|
|
|
|
\&. Packet content can also be affected with the
|
|
|
|
|
Packet content can also be affected with the
|
|
|
|
|
\fB\-\-data\fR,
|
|
|
|
|
\fB\-\-data\-string\fR, and
|
|
|
|
|
\fB\-\-data\-length\fR
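Review bot: The removed line began with a stray `\&.`, which rendered as an orphan period ahead of "Packet content can also be affected", so dropping it is the right fix; the empty input line shown just above it should be checked in the same pass, since a blank line in roff input forces a break and an empty output line between the payload-database sentence and this one.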
|
|
|
|
|
@@ -575,22 +577,6 @@ options are specified)\&.
|
|
|
|
|
This host discovery method looks for either responses using the same protocol as a probe, or ICMP protocol unreachable messages which signify that the given protocol isn\*(Aqt supported on the destination host\&. Either type of response signifies that the target host is alive\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-PR\fR (ARP Ping)
|
|
|
|
|
.RS 4
|
|
|
|
|
One of the most common Nmap usage scenarios is to scan an ethernet LAN\&. On most LANs, especially those using private address ranges specified by
|
|
|
|
|
\m[blue]\fBRFC 1918\fR\m[]\&\s-2\u[5]\d\s+2, the vast majority of IP addresses are unused at any given time\&. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame\&. This is often slow and problematic, since operating systems weren\*(Aqt written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period\&.
|
|
|
|
|
.sp
|
|
|
|
|
ARP scan puts Nmap and its optimized algorithms in charge of ARP requests\&. And if it gets a response back, Nmap doesn\*(Aqt even need to worry about the IP\-based ping packets since it already knows the host is up\&. This makes ARP scan much faster and more reliable than IP\-based scans\&. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network\&. Even if different ping types (such as
|
|
|
|
|
\fB\-PE\fR
|
|
|
|
|
or
|
|
|
|
|
\fB\-PS\fR) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN\&. If you absolutely don\*(Aqt want to do an ARP scan, specify
|
|
|
|
|
\fB\-\-disable\-arp\-ping\fR\&.
|
|
|
|
|
.sp
|
|
|
|
|
For IPv6 (\-6 option),
|
|
|
|
|
\fB\-PR\fR
|
|
|
|
|
uses ICMPv6 Neighbor Discovery instead of ARP\&. Neighbor Discovery, defined in RFC 4861, can be seen as the IPv6 equivalent of ARP\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-disable\-arp\-ping\fR (No ARP or ND Ping)
|
|
|
|
|
.RS 4
|
|
|
|
|
Nmap normally does ARP or IPv6 Neighbor Discovery (ND) discovery of locally connected ethernet hosts, even if other host discovery options such as
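Review bot: The entire `\fB\-PR\fR (ARP Ping)` entry is deleted here and no hunk in this patch re-adds it, while the `--disable-arp-ping` description kept as context still describes turning that behaviour off; if the entry was moved to another position in the file, that hunk is missing from the patch, and if it was dropped deliberately the `--disable-arp-ping` text needs rewording so it does not describe an undocumented option. The deleted block was also the only visible reference to note 5 (RFC 1918), which is what the footnote renumbering in the later hunks relies on.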
|
|
|
|
|
@@ -613,11 +599,10 @@ Traceroute works by sending packets with a low TTL (time\-to\-live) in an attemp
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-n\fR (No DNS resolution)
|
|
|
|
|
.RS 4
|
|
|
|
|
|
|
|
|
|
Tells Nmap to
|
|
|
|
|
\fInever\fR
|
|
|
|
|
do reverse DNS
|
|
|
|
|
|
|
|
|
|
resolution on the active IP addresses it finds\&. Since DNS can be slow even with Nmap\*(Aqs built\-in parallel stub resolver, this option can slash scanning times\&.
|
|
|
|
|
do reverse DNS resolution on the active IP addresses it finds\&. Since DNS can be slow even with Nmap\*(Aqs built\-in parallel stub resolver, this option can slash scanning times\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-R\fR (DNS resolution for all targets)
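Review bot: The empty input line that split "do reverse DNS" from "resolution" forced a break and an empty output line in the middle of the sentence, so joining the two lines is the right fix; the blank line shown between `.RS 4` and "Tells Nmap to" has the same effect and, if it survives this hunk, should be removed as well.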
|
|
|
|
|
@@ -743,7 +728,7 @@ call than with raw packets, making it less efficient\&. The system call complete
|
|
|
|
|
\fB\-sU\fR (UDP scans)
|
|
|
|
|
.RS 4
|
|
|
|
|
While most popular services on the Internet run over the TCP protocol,
|
|
|
|
|
\m[blue]\fBUDP\fR\m[]\&\s-2\u[6]\d\s+2
|
|
|
|
|
\m[blue]\fBUDP\fR\m[]\&\s-2\u[5]\d\s+2
|
|
|
|
|
services are widely deployed\&. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common\&. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports\&. This is a mistake, as exploitable UDP services are quite common and attackers certainly don\*(Aqt ignore the whole protocol\&. Fortunately, Nmap can help inventory UDP ports\&.
|
|
|
|
|
.sp
|
|
|
|
|
UDP scan is activated with the
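Review bot: The `\u[6]` to `\u[5]` change here is consistent with the RFC 1918 note disappearing (its only visible reference was in the deleted `-PR` block); every later `\u[n]` reference in this patch shifts down by one in the same way, so the remaining footnote hunks are mechanical and only need to be checked against the renumbered NOTES section at the end.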
|
|
|
|
|
@@ -771,7 +756,7 @@ to skip slow hosts\&.
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-sY\fR (SCTP INIT scan)
|
|
|
|
|
.RS 4
|
|
|
|
|
\m[blue]\fBSCTP\fR\m[]\&\s-2\u[7]\d\s+2
|
|
|
|
|
\m[blue]\fBSCTP\fR\m[]\&\s-2\u[6]\d\s+2
|
|
|
|
|
is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi\-homing and multi\-streaming\&. It is mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well\&. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan\&. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls\&. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations\&. It also allows clear, reliable differentiation between the
|
|
|
|
|
open,
|
|
|
|
|
closed, and
|
|
|
|
|
@@ -786,7 +771,7 @@ This technique is often referred to as half\-open scanning, because you don\*(Aq
|
|
|
|
|
These three scan types (even more are possible with the
|
|
|
|
|
\fB\-\-scanflags\fR
|
|
|
|
|
option described in the next section) exploit a subtle loophole in the
|
|
|
|
|
\m[blue]\fBTCP RFC\fR\m[]\&\s-2\u[8]\d\s+2
|
|
|
|
|
\m[blue]\fBTCP RFC\fR\m[]\&\s-2\u[7]\d\s+2
|
|
|
|
|
to differentiate between
|
|
|
|
|
open
|
|
|
|
|
and
|
|
|
|
|
@@ -875,7 +860,7 @@ He described the technique in
|
|
|
|
|
Phrack
|
|
|
|
|
Magazine issue #49 (November 1996)\&.
|
|
|
|
|
Nmap, which included this technique, was released two issues later\&. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK\&. According to
|
|
|
|
|
\m[blue]\fBRFC 793\fR\m[]\&\s-2\u[8]\d\s+2
|
|
|
|
|
\m[blue]\fBRFC 793\fR\m[]\&\s-2\u[7]\d\s+2
|
|
|
|
|
(TCP), a RST packet should be generated in response to such a probe whether the port is open or closed\&. However, Uriel noticed that many BSD\-derived systems simply drop the packet if the port is open\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
@@ -962,7 +947,7 @@ open|filtered
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-b \fR\fB\fIFTP relay host\fR\fR (FTP bounce scan)
|
|
|
|
|
.RS 4
|
|
|
|
|
An interesting feature of the FTP protocol (\m[blue]\fBRFC 959\fR\m[]\&\s-2\u[9]\d\s+2) is support for so\-called proxy FTP connections\&. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server\&. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it\&. One of the abuses this feature allows is causing the FTP server to port scan other hosts\&. Simply ask the FTP server to send a file to each interesting port of a target host in turn\&. The error message will describe whether the port is open or not\&. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would\&. Nmap supports FTP bounce scan with the
|
|
|
|
|
An interesting feature of the FTP protocol (\m[blue]\fBRFC 959\fR\m[]\&\s-2\u[8]\d\s+2) is support for so\-called proxy FTP connections\&. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server\&. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it\&. One of the abuses this feature allows is causing the FTP server to port scan other hosts\&. Simply ask the FTP server to send a file to each interesting port of a target host in turn\&. The error message will describe whether the port is open or not\&. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would\&. Nmap supports FTP bounce scan with the
|
|
|
|
|
\fB\-b\fR
|
|
|
|
|
option\&. It takes an argument of the form
|
|
|
|
|
\fIusername\fR:\fIpassword\fR@\fIserver\fR:\fIport\fR\&.
|
|
|
|
|
@@ -1180,7 +1165,7 @@ or
|
|
|
|
|
\(lqincremental\(rq
|
|
|
|
|
class, which means that they increment the ID field in the IP header for each packet they send\&. This makes them vulnerable to several advanced information gathering and spoofing attacks\&.
|
|
|
|
|
.PP
|
|
|
|
|
Another bit of extra information enabled by OS detection is a guess at a target\*(Aqs uptime\&. This uses the TCP timestamp option (\m[blue]\fBRFC 1323\fR\m[]\&\s-2\u[10]\d\s+2) to guess when a machine was last rebooted\&. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode\&.
|
|
|
|
|
Another bit of extra information enabled by OS detection is a guess at a target\*(Aqs uptime\&. This uses the TCP timestamp option (\m[blue]\fBRFC 1323\fR\m[]\&\s-2\u[9]\d\s+2) to guess when a machine was last rebooted\&. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode\&.
|
|
|
|
|
.PP
|
|
|
|
|
A paper documenting the workings, usage, and customization of OS detection is available at \m[blue]\fB\%https://nmap.org/book/osdetect.html\fR\m[]\&.
|
|
|
|
|
.PP
|
|
|
|
|
@@ -1217,7 +1202,7 @@ value (such as 1) speeds Nmap up, though you miss out on retries which could pot
|
|
|
|
|
.SH "NMAP SCRIPTING ENGINE (NSE)"
|
|
|
|
|
.PP
|
|
|
|
|
The Nmap Scripting Engine (NSE) is one of Nmap\*(Aqs most powerful and flexible features\&. It allows users to write (and share) simple scripts (using the
|
|
|
|
|
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[11]\d\s+2
|
|
|
|
|
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[10]\d\s+2
|
|
|
|
|
|
|
|
|
|
) to automate a wide variety of networking tasks\&. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap\&. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs\&.
|
|
|
|
|
.PP
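Review bot: The empty input line between the Lua link and ") to automate a wide variety of networking tasks" is kept as context here; as with the `-n` hunk above and the `--min-rate` hunk below, a blank line in roff input forces a break and an empty output line inside the sentence, so it should be removed together with this footnote renumber.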
|
|
|
|
|
@@ -1324,7 +1309,7 @@ and,
|
|
|
|
|
or, and
|
|
|
|
|
not
|
|
|
|
|
operators to build Boolean expressions\&. The operators have the same
|
|
|
|
|
\m[blue]\fBprecedence\fR\m[]\&\s-2\u[12]\d\s+2
|
|
|
|
|
\m[blue]\fBprecedence\fR\m[]\&\s-2\u[11]\d\s+2
|
|
|
|
|
as in Lua:
|
|
|
|
|
not
|
|
|
|
|
is the highest, followed by
|
|
|
|
|
@@ -1575,7 +1560,6 @@ There are two conditions when the actual scanning rate may fall below the reques
|
|
|
|
|
Specifying a minimum rate should be done with care\&. Scanning faster than a network can support may lead to a loss of accuracy\&. In some cases, using a faster rate can make a scan take
|
|
|
|
|
\fIlonger\fR
|
|
|
|
|
than it would with a slower rate\&. This is because Nmap\*(Aqs
|
|
|
|
|
|
|
|
|
|
adaptive retransmission
|
|
|
|
|
algorithms will detect the network congestion caused by an excessive scanning rate and increase the number of retransmissions in order to improve accuracy\&. So even though packets are sent at a higher rate, more packets are sent overall\&. Cap the number of retransmissions with the
|
|
|
|
|
\fB\-\-max\-retries\fR
|
|
|
|
|
@@ -1830,7 +1814,7 @@ because accuracy there requires probe consistency, but most pinging and portscan
|
|
|
|
|
\fB\-\-ip\-options \fR\fB\fIS|R [route]|L [route]|T|U \&.\&.\&. \fR\fR\fB;\fR \fB\-\-ip\-options \fR\fB\fIhex string\fR\fR (Send packets with specified ip options)
|
|
|
|
|
.RS 4
|
|
|
|
|
The
|
|
|
|
|
\m[blue]\fBIP protocol\fR\m[]\&\s-2\u[13]\d\s+2
|
|
|
|
|
\m[blue]\fBIP protocol\fR\m[]\&\s-2\u[12]\d\s+2
|
|
|
|
|
offers several options which may be placed in packet headers\&. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns\&. In fact, many Internet routers block the most dangerous options such as source routing\&. Yet options can still be useful in some cases for determining and manipulating the network route to target machines\&. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute\-style approaches fail\&. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options\&.
|
|
|
|
|
.sp
|
|
|
|
|
The most powerful way to specify IP options is to simply pass in values as the argument to
|
|
|
|
|
@@ -1922,9 +1906,9 @@ Asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets sent to target
|
|
|
|
|
Asks Nmap to use the deprecated Adler32 algorithm for calculating the SCTP checksum\&. If
|
|
|
|
|
\fB\-\-adler32\fR
|
|
|
|
|
is not given, CRC\-32C (Castagnoli) is used\&.
|
|
|
|
|
\m[blue]\fBRFC 2960\fR\m[]\&\s-2\u[14]\d\s+2
|
|
|
|
|
\m[blue]\fBRFC 2960\fR\m[]\&\s-2\u[13]\d\s+2
|
|
|
|
|
originally defined Adler32 as checksum algorithm for SCTP;
|
|
|
|
|
\m[blue]\fBRFC 4960\fR\m[]\&\s-2\u[7]\d\s+2
|
|
|
|
|
\m[blue]\fBRFC 4960\fR\m[]\&\s-2\u[6]\d\s+2
|
|
|
|
|
later redefined the SCTP checksums to use CRC\-32C\&. Current SCTP implementations should be using CRC\-32C, but in order to elicit responses from old, legacy SCTP implementations, it may be preferable to use Adler32\&.
|
|
|
|
|
.RE
|
|
|
|
|
.SH "OUTPUT"
|
|
|
|
|
@@ -2021,9 +2005,9 @@ Requests that XML output be directed to the given filename\&. Nmap includes a do
|
|
|
|
|
\m[blue]\fB\%https://svn.nmap.org/nmap/docs/nmap.dtd\fR\m[]\&.
|
|
|
|
|
.sp
|
|
|
|
|
XML offers a stable format that is easily parsed by software\&. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java\&. People have even written bindings for most of these languages to handle Nmap output and execution specifically\&. Examples are
|
|
|
|
|
\m[blue]\fBNmap::Scanner\fR\m[]\&\s-2\u[15]\d\s+2
|
|
|
|
|
\m[blue]\fBNmap::Scanner\fR\m[]\&\s-2\u[14]\d\s+2
|
|
|
|
|
and
|
|
|
|
|
\m[blue]\fBNmap::Parser\fR\m[]\&\s-2\u[16]\d\s+2
|
|
|
|
|
\m[blue]\fBNmap::Parser\fR\m[]\&\s-2\u[15]\d\s+2
|
|
|
|
|
in Perl CPAN\&. In almost all cases that a non\-trivial application interfaces with Nmap, XML is the preferred format\&.
|
|
|
|
|
.sp
|
|
|
|
|
The XML output references an XSL stylesheet which can be used to format the results as HTML\&. The easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE\&. By default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to the hard\-coded
|
|
|
|
|
@@ -2184,10 +2168,10 @@ option\&. All output filenames specified in that Nmap execution will then be app
|
|
|
|
|
\fB\-\-resume \fR\fB\fIfilename\fR\fR (Resume aborted scan)
|
|
|
|
|
.RS 4
|
|
|
|
|
Some extensive Nmap runs take a very long time\(emon the order of days\&. Such scans don\*(Aqt always run to completion\&. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash\&. The administrator running Nmap could cancel it for any other reason as well, by pressing
|
|
|
|
|
ctrl\-C\&. Restarting the whole scan from the beginning may be undesirable\&. Fortunately, if normal (\fB\-oN\fR) or grepable (\fB\-oG\fR) logs were kept, the user can ask Nmap to resume scanning with the target it was working on when execution ceased\&. Simply specify the
|
|
|
|
|
ctrl\-C\&. Restarting the whole scan from the beginning may be undesirable\&. Fortunately, if scan output files were kept, the user can ask Nmap to resume scanning with the target it was working on when execution ceased\&. Simply specify the
|
|
|
|
|
\fB\-\-resume\fR
|
|
|
|
|
option and pass the normal/grepable output file as its argument\&. No other arguments are permitted, as Nmap parses the output file to use the same ones specified previously\&. Simply call Nmap as
|
|
|
|
|
\fBnmap \-\-resume \fR\fB\fIlogfilename\fR\fR\&. Nmap will append new results to the data files specified in the previous execution\&. Resumption does not support the XML output format because combining the two runs into one valid XML file would be difficult\&.
|
|
|
|
|
option and pass the output file as its argument\&. No other arguments are permitted, as Nmap parses the output file to use the same ones specified previously\&. Simply call Nmap as
|
|
|
|
|
\fBnmap \-\-resume \fR\fB\fIlogfilename\fR\fR\&. Nmap will append new results to the data files specified in the previous execution\&. Scans can be resumed from any of the 3 major output formats: Normal, Grepable, or XML
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-stylesheet \fR\fB\fIpath or URL\fR\fR (Set XSL stylesheet to transform XML output)
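Review bot: The new closing line "Scans can be resumed from any of the 3 major output formats: Normal, Grepable, or XML" has no terminating `\&.`, and spelling out "three" matches the rest of the page. The removed sentence also explained why XML resumption was not supported (combining two runs into one valid XML file), and the kept sentence still says new results are appended to the data files of the previous run; a short clause on what resuming does to the XML file (whether it is appended in place and how the document stays well-formed) would close the gap that deletion opens.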
|
|
|
|
|
@@ -2202,7 +2186,7 @@ xml\-stylesheet
|
|
|
|
|
directive which points to
|
|
|
|
|
nmap\&.xml
|
|
|
|
|
where it was initially installed by Nmap\&. Run the XML file through an XSLT processor such as
|
|
|
|
|
\m[blue]\fBxsltproc\fR\m[]\&\s-2\u[17]\d\s+2
|
|
|
|
|
\m[blue]\fBxsltproc\fR\m[]\&\s-2\u[16]\d\s+2
|
|
|
|
|
to produce an HTML file\&. Directly opening the XML file in a browser no longer works well because modern browsers limit the locations a stylesheet may be loaded from\&. If you wish to use a different stylesheet, specify it as the argument to
|
|
|
|
|
\fB\-\-stylesheet\fR\&. You must pass the full pathname or URL\&. One common invocation is
|
|
|
|
|
\fB\-\-stylesheet https://nmap\&.org/svn/docs/nmap\&.xsl\fR\&. This tells an XSLT processor to load the latest version of the stylesheet from Nmap\&.Org\&. The
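Review bot: This context states that directly opening the XML file in a browser "no longer works well because modern browsers limit the locations a stylesheet may be loaded from", yet the unchanged `-oX` paragraph in the hunk above still recommends loading the XML output in Firefox or IE as "the easiest way"; update that earlier paragraph to point at an XSLT processor such as xsltproc so the two do not contradict each other.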
|
|
|
|
|
@@ -2241,7 +2225,7 @@ line being the only IPv6 giveaway\&.
|
|
|
|
|
While IPv6 hasn\*(Aqt exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it\&. To use Nmap with IPv6, both the source and target of your scan must be configured for IPv6\&. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap\&. I use the free IPv6 tunnel broker
|
|
|
|
|
service at
|
|
|
|
|
\m[blue]\fB\%http://www.tunnelbroker.net\fR\m[]\&. Other tunnel brokers are
|
|
|
|
|
\m[blue]\fBlisted at Wikipedia\fR\m[]\&\s-2\u[18]\d\s+2\&. 6to4 tunnels are another popular, free approach\&.
|
|
|
|
|
\m[blue]\fBlisted at Wikipedia\fR\m[]\&\s-2\u[17]\d\s+2\&. 6to4 tunnels are another popular, free approach\&.
|
|
|
|
|
.sp
|
|
|
|
|
On Windows, raw\-socket IPv6 scans are supported only on ethernet devices (not tunnels), and only on Windows Vista
|
|
|
|
|
and later\&. Use the
|
|
|
|
|
@@ -2567,7 +2551,7 @@ If you have received a written license agreement or contract for Covered Softwar
|
|
|
|
|
This
|
|
|
|
|
Nmap Reference Guide
|
|
|
|
|
is (C) 2005\(en2018 Insecure\&.Com LLC\&. It is hereby placed under version 3\&.0 of the
|
|
|
|
|
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[19]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
|
|
|
|
|
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[18]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
|
|
|
|
|
.SS "Source Code Availability and Community Contributions"
|
|
|
|
|
.PP
|
|
|
|
|
Source is provided to this software because we believe users have a right to know exactly what a program is going to do before they run it\&. This also allows you to audit the software for security holes\&.
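Review bot: The copyright line `(C) 2005\(en2018` in this hunk's context is left unchanged while the header hunk moves the page date to 08/12/2019; extend the year range in the same pass.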
|
|
|
|
|
@@ -2596,24 +2580,24 @@ That would open up a major security vulnerability as other users on the system (
|
|
|
|
|
.SS "Third\-Party Software and Funding Notices"
|
|
|
|
|
.PP
|
|
|
|
|
This product includes software developed by the
|
|
|
|
|
\m[blue]\fBApache Software Foundation\fR\m[]\&\s-2\u[20]\d\s+2\&. A modified version of the
|
|
|
|
|
\m[blue]\fBLibpcap portable packet capture library\fR\m[]\&\s-2\u[21]\d\s+2
|
|
|
|
|
\m[blue]\fBApache Software Foundation\fR\m[]\&\s-2\u[19]\d\s+2\&. A modified version of the
|
|
|
|
|
\m[blue]\fBLibpcap portable packet capture library\fR\m[]\&\s-2\u[20]\d\s+2
|
|
|
|
|
is distributed along with Nmap\&. The Windows version of Nmap utilizes the Libpcap\-derived
|
|
|
|
|
\m[blue]\fBNcap library\fR\m[]\&\s-2\u[22]\d\s+2
|
|
|
|
|
\m[blue]\fBNcap library\fR\m[]\&\s-2\u[21]\d\s+2
|
|
|
|
|
instead\&. Regular expression support is provided by the
|
|
|
|
|
\m[blue]\fBPCRE library\fR\m[]\&\s-2\u[23]\d\s+2,
|
|
|
|
|
\m[blue]\fBPCRE library\fR\m[]\&\s-2\u[22]\d\s+2,
|
|
|
|
|
which is open\-source software, written by Philip Hazel\&.
|
|
|
|
|
Certain raw networking functions use the
|
|
|
|
|
\m[blue]\fBLibdnet\fR\m[]\&\s-2\u[24]\d\s+2
|
|
|
|
|
\m[blue]\fBLibdnet\fR\m[]\&\s-2\u[23]\d\s+2
|
|
|
|
|
networking library, which was written by Dug Song\&.
|
|
|
|
|
A modified version is distributed with Nmap\&. Nmap can optionally link with the
|
|
|
|
|
\m[blue]\fBOpenSSL cryptography toolkit\fR\m[]\&\s-2\u[25]\d\s+2
|
|
|
|
|
\m[blue]\fBOpenSSL cryptography toolkit\fR\m[]\&\s-2\u[24]\d\s+2
|
|
|
|
|
for SSL version detection support\&. The Nmap Scripting Engine uses an embedded version of the
|
|
|
|
|
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[26]\d\s+2\&.
|
|
|
|
|
\m[blue]\fBLua programming language\fR\m[]\&\s-2\u[25]\d\s+2\&.
|
|
|
|
|
The
|
|
|
|
|
\m[blue]\fBLiblinear linear classification library\fR\m[]\&\s-2\u[27]\d\s+2
|
|
|
|
|
\m[blue]\fBLiblinear linear classification library\fR\m[]\&\s-2\u[26]\d\s+2
|
|
|
|
|
is used for our
|
|
|
|
|
\m[blue]\fBIPv6 OS detection machine learning techniques\fR\m[]\&\s-2\u[28]\d\s+2\&.
|
|
|
|
|
\m[blue]\fBIPv6 OS detection machine learning techniques\fR\m[]\&\s-2\u[27]\d\s+2\&.
|
|
|
|
|
|
|
|
|
|
All of the third\-party software described in this paragraph is freely redistributable under BSD\-style software licenses\&.
|
|
|
|
|
.PP
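Review bot: "Ncap library" on the renumbered line should read "Npcap library"; the matching NOTES entry points at https://npcap.org, and since the footnote renumber already touches this line the name can be corrected here.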
|
|
|
|
|
@@ -2622,20 +2606,20 @@ LICENSES
|
|
|
|
|
files\&.
|
|
|
|
|
.PP
|
|
|
|
|
This software was supported in part through the
|
|
|
|
|
\m[blue]\fBGoogle Summer of Code\fR\m[]\&\s-2\u[29]\d\s+2
|
|
|
|
|
\m[blue]\fBGoogle Summer of Code\fR\m[]\&\s-2\u[28]\d\s+2
|
|
|
|
|
and the
|
|
|
|
|
\m[blue]\fBDARPA CINDER program\fR\m[]\&\s-2\u[30]\d\s+2
|
|
|
|
|
\m[blue]\fBDARPA CINDER program\fR\m[]\&\s-2\u[29]\d\s+2
|
|
|
|
|
(DARPA\-BAA\-10\-84)\&.
|
|
|
|
|
.SS "United States Export Control"
|
|
|
|
|
.PP
|
|
|
|
|
Nmap only uses encryption when compiled with the optional OpenSSL support and linked with OpenSSL\&. When compiled without OpenSSL support, the Nmap Project believes that Nmap is not subject to U\&.S\&.
|
|
|
|
|
\m[blue]\fBExport Administration Regulations (EAR)\fR\m[]\&\s-2\u[31]\d\s+2
|
|
|
|
|
\m[blue]\fBExport Administration Regulations (EAR)\fR\m[]\&\s-2\u[30]\d\s+2
|
|
|
|
|
export control\&. As such, there is no applicable ECCN (export control classification number) and exportation does not require any special license, permit, or other governmental authorization\&.
|
|
|
|
|
.PP
|
|
|
|
|
When compiled with OpenSSL support or distributed as source code, the Nmap Project believes that Nmap falls under U\&.S\&. ECCN
|
|
|
|
|
\m[blue]\fB5D002\fR\m[]\&\s-2\u[32]\d\s+2
|
|
|
|
|
\m[blue]\fB5D002\fR\m[]\&\s-2\u[31]\d\s+2
|
|
|
|
|
(\(lqInformation Security Software\(rq)\&. We distribute Nmap under the TSU exception for publicly available encryption software defined in
|
|
|
|
|
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[33]\d\s+2\&.
|
|
|
|
|
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[32]\d\s+2\&.
|
|
|
|
|
.SH "NOTES"
|
|
|
|
|
.IP " 1." 4
|
|
|
|
|
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
|
|
|
|
|
@@ -2658,146 +2642,141 @@ RFC 950
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc950.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP " 5." 4
|
|
|
|
|
RFC 1918
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc1918.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP " 6." 4
|
|
|
|
|
UDP
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc768.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP " 7." 4
|
|
|
|
|
.IP " 6." 4
|
|
|
|
|
SCTP
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc4960.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP " 8." 4
|
|
|
|
|
.IP " 7." 4
|
|
|
|
|
TCP RFC
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc793.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP " 9." 4
|
|
|
|
|
.IP " 8." 4
|
|
|
|
|
RFC 959
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc959.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP "10." 4
|
|
|
|
|
.IP " 9." 4
|
|
|
|
|
RFC 1323
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc1323.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP "11." 4
|
|
|
|
|
.IP "10." 4
|
|
|
|
|
Lua programming language
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://lua.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "12." 4
|
|
|
|
|
.IP "11." 4
|
|
|
|
|
precedence
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.lua.org/manual/5.1/manual.html#2.5.3
|
|
|
|
|
.RE
|
|
|
|
|
.IP "13." 4
|
|
|
|
|
.IP "12." 4
|
|
|
|
|
IP protocol
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc791.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP "14." 4
|
|
|
|
|
.IP "13." 4
|
|
|
|
|
RFC 2960
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.rfc-editor.org/rfc/rfc2960.txt
|
|
|
|
|
.RE
|
|
|
|
|
.IP "15." 4
|
|
|
|
|
.IP "14." 4
|
|
|
|
|
Nmap::Scanner
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://sourceforge.net/projects/nmap-scanner/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "16." 4
|
|
|
|
|
.IP "15." 4
|
|
|
|
|
Nmap::Parser
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://nmapparser.wordpress.com/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "17." 4
|
|
|
|
|
.IP "16." 4
|
|
|
|
|
xsltproc
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://xmlsoft.org/XSLT/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "18." 4
|
|
|
|
|
.IP "17." 4
|
|
|
|
|
listed at Wikipedia
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
|
|
|
|
|
.RE
|
|
|
|
|
.IP "19." 4
|
|
|
|
|
.IP "18." 4
|
|
|
|
|
Creative Commons Attribution License
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://creativecommons.org/licenses/by/3.0/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "20." 4
|
|
|
|
|
.IP "19." 4
|
|
|
|
|
Apache Software Foundation
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.apache.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "21." 4
|
|
|
|
|
.IP "20." 4
|
|
|
|
|
Libpcap portable packet capture library
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.tcpdump.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "22." 4
|
|
|
|
|
.IP "21." 4
|
|
|
|
|
Ncap library
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://npcap.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "23." 4
|
|
|
|
|
.IP "22." 4
|
|
|
|
|
PCRE library
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.pcre.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "24." 4
|
|
|
|
|
.IP "23." 4
|
|
|
|
|
Libdnet
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://libdnet.sourceforge.net
|
|
|
|
|
.RE
|
|
|
|
|
.IP "25." 4
|
|
|
|
|
.IP "24." 4
|
|
|
|
|
OpenSSL cryptography toolkit
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.openssl.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "26." 4
|
|
|
|
|
.IP "25." 4
|
|
|
|
|
Lua programming language
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.lua.org
|
|
|
|
|
.RE
|
|
|
|
|
.IP "27." 4
|
|
|
|
|
.IP "26." 4
|
|
|
|
|
Liblinear linear classification library
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.csie.ntu.edu.tw/~cjlin/liblinear/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "28." 4
|
|
|
|
|
.IP "27." 4
|
|
|
|
|
IPv6 OS detection machine learning techniques
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://nmap.org/book/osdetect-guess.html#osdetect-guess-ipv6
|
|
|
|
|
.RE
|
|
|
|
|
.IP "29." 4
|
|
|
|
|
.IP "28." 4
|
|
|
|
|
Google Summer of Code
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://nmap.org/soc/
|
|
|
|
|
.RE
|
|
|
|
|
.IP "30." 4
|
|
|
|
|
.IP "29." 4
|
|
|
|
|
DARPA CINDER program
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://www.fbo.gov/index?s=opportunity&mode=form&id=585e02a51f77af5cb3c9e06b9cc82c48&tab=core&_cview=1
|
|
|
|
|
.RE
|
|
|
|
|
.IP "31." 4
|
|
|
|
|
.IP "30." 4
|
|
|
|
|
Export Administration Regulations (EAR)
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.access.gpo.gov/bis/ear/ear_data.html
|
|
|
|
|
.RE
|
|
|
|
|
.IP "32." 4
|
|
|
|
|
.IP "31." 4
|
|
|
|
|
5D002
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://www.bis.doc.gov/index.php/documents/regulations-docs/federal-register-notices/federal-register-2014/951-ccl5-pt2/file
|
|
|
|
|
.RE
|
|
|
|
|
.IP "33." 4
|
|
|
|
|
.IP "32." 4
|
|
|
|
|
EAR 740.13(e)
|
|
|
|
|
.RS 4
|
|
|
|
|
\%http://www.access.gpo.gov/bis/ear/pdf/740.pdf
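Review bot: The `-sU` hunk changes the UDP body reference to `\u[5]`, but the only `.IP` line shown for the UDP entry here is `.IP " 6." 4`, with no `.IP " 5." 4` beside it the way every other renumbered entry has; confirm the UDP entry is renumbered to 5 after the RFC 1918 entry is dropped, otherwise the rendered footnote numbers will be off by one from that point on.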