mirror of https://github.com/nmap/nmap.git synced 2025-12-09 06:01:28 +00:00

Merge 7.70 release branch into trunk

This commit is contained in:
dmiller
2018-03-20 18:08:25 +00:00
parent 67f828ca12
commit cadb66231f
32 changed files with 1376 additions and 1362 deletions


@@ -2,12 +2,12 @@
.\" Title: nmap
.\" Author: [see the "Author" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 08/07/2017
.\" Date: 03/15/2018
.\" Manual: Nmap Reference Guide
.\" Source: Nmap
.\" Language: English
.\"
.TH "NMAP" "1" "08/07/2017" "Nmap" "Nmap Reference Guide"
.TH "NMAP" "1" "03/15/2018" "Nmap" "Nmap Reference Guide"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -119,7 +119,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
.RS 4
.\}
.nf
Nmap 7\&.60SVN ( https://nmap\&.org )
Nmap 7\&.70 ( https://nmap\&.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc\&.
@@ -243,11 +243,9 @@ Everything on the Nmap command\-line that isn\*(Aqt an option (or option argumen
.PP
When a hostname is given as a target, it is
resolved
via the Domain Name System (DNS) to determine the IP address to scan\&. If the name resolves to more than one IP address, only the first one will be scanned\&. To make Nmap scan all the resolved addresses instead of only the first one, append
*all
to the hostname like so:
example\&.com*all
via the Domain Name System (DNS) to determine the IP address to scan\&. If the name resolves to more than one IP address, only the first one will be scanned\&. To make Nmap scan all the resolved addresses instead of only the first one, use the
\fB\-\-resolve\-all\fR
option\&.
.PP
Sometimes you wish to scan a whole network of adjacent hosts\&. For this, Nmap supports CIDR\-style
addressing\&. You can append
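Review bot: the replacement text drops the `example\&.com*all` hostname suffix and tells the reader to use `\fB\-\-resolve\-all\fR` instead, but nothing in this paragraph says where that option is documented; since the `*all` form is being removed from the target-specification section, consider adding a short pointer such as "(see the `\-\-resolve\-all` entry below)" so users of the old syntax can find the replacement.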
@@ -629,6 +627,12 @@ Tells Nmap to
do reverse DNS resolution on the target IP addresses\&. Normally reverse DNS is only performed against responsive (online) hosts\&.
.RE
.PP
\fB\-\-resolve\-all\fR (Scan each resolved address)
.RS 4
If a hostname target resolves to more than one address, scan all of them\&. The default behavior is to only scan the first resolved address\&. Regardless, only addresses in the appropriate address family will be scanned: IPv4 by default, IPv6 with
\fB\-6\fR\&.
.RE
.PP
\fB\-\-system\-dns\fR (Use system DNS resolver)
.RS 4
By default, Nmap reverse\-resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses\&. Many requests (often dozens) are performed in parallel to improve performance\&. Specify this option to use your system resolver instead (one IP at a time via the
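Review bot: the new `\fB\-\-resolve\-all\fR` entry is well placed between `-R` and `\-\-system\-dns` and its `.RS 4`/`.RE` pair is balanced, but the sentence "Regardless, only addresses in the appropriate address family will be scanned: IPv4 by default, IPv6 with `\-6`" leaves open whether a name resolving only to the other family produces a warning or a silent skip; a clause stating what the user sees in that case would make the entry complete.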
@@ -703,7 +707,7 @@ on the other hand, try to solve every problem with the default SYN scan\&. Since
.PP
Most of the scan types are only available to privileged users\&.
This is because they send and receive raw packets,
which requires root access on Unix systems\&. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS\&. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts\&. Now, the world is different\&. Computers are cheaper, far more people have always\-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent\&. A Windows version of Nmap is now available, allowing it to run on even more desktops\&. For all these reasons, users have less need to run Nmap from limited shared shell accounts\&. This is fortunate, as the privileged options make Nmap far more powerful and flexible\&.
which requires root access on Unix systems\&. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when Npcap has already been loaded into the OS\&. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts\&. Now, the world is different\&. Computers are cheaper, far more people have always\-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent\&. A Windows version of Nmap is now available, allowing it to run on even more desktops\&. For all these reasons, users have less need to run Nmap from limited shared shell accounts\&. This is fortunate, as the privileged options make Nmap far more powerful and flexible\&.
.PP
While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them)\&. Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap\&. Much more common are non\-RFC\-compliant hosts that do not respond as they should to Nmap probes\&. FIN, NULL, and Xmas scans are particularly susceptible to this problem\&. Such issues are specific to certain scan types and so are discussed in the individual scan type entries\&.
.PP
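Review bot: the only change in this hunk is the substitution of "Npcap" for "WinPcap" in "Nmap sometimes works for unprivileged users on that platform when Npcap has already been loaded into the OS"; that claim was written for WinPcap's behaviour, so it should be verified against Npcap's install-time driver access options rather than carried over by a word swap, and if Npcap's access rules differ the sentence should say so.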
@@ -1488,7 +1492,7 @@ mailing list\&.
.PP
\fB\-\-max\-retries \fR\fB\fInumtries\fR\fR (Specify the maximum number of port scan probe retransmissions)
.RS 4
When Nmap receives no response to a port scan probe, it could mean the port is filtered\&. Or maybe the probe or response was simply lost on the network\&. It is also possible that the target host has rate limiting enabled that temporarily blocked the response\&. So Nmap tries again by retransmitting the initial probe\&. If Nmap detects poor network reliability, it may try many more times before giving up on a port\&. While this benefits accuracy, it also lengthen scan times\&. When performance is critical, scans may be sped up by limiting the number of retransmissions allowed\&. You can even specify
When Nmap receives no response to a port scan probe, it could mean the port is filtered\&. Or maybe the probe or response was simply lost on the network\&. It is also possible that the target host has rate limiting enabled that temporarily blocked the response\&. So Nmap tries again by retransmitting the initial probe\&. If Nmap detects poor network reliability, it may try many more times before giving up on a port\&. While this benefits accuracy, it also lengthens scan times\&. When performance is critical, scans may be sped up by limiting the number of retransmissions allowed\&. You can even specify
\fB\-\-max\-retries 0\fR
to prevent any retransmissions, though that is only recommended for situations such as informal surveys where occasional missed ports and hosts are acceptable\&.
.sp
@@ -1514,11 +1518,9 @@ to ensure that Nmap doesn\*(Aqt waste more than half an hour on a single host\&.
.PP
\fB\-\-script\-timeout \fR\fB\fItime\fR\fR
.RS 4
Some scripts take
\fIlong\fR
time before they complete their execution, this can happen due to many reasons maybe some bug in script, delay in the network or nature of the script itself(example:http\-slowloris)\&. If you want to keep some limit on time for which script should run then you need to specify
While some scripts complete in fractions of a second, others can take hours or more depending on the nature of the script, arguments passed in, network and application conditions, and more\&. The
\fB\-\-script\-timeout\fR
with the maximum amount of time for which script should be run\&. Note that all scripts will have same timeout\&. Once script gets timed out no output for that script will be shown\&. Whether a script has timed out or not, can be seen in debug output\&.
option sets a ceiling on script execution time\&. Any script instance which exceeds that time will be terminated and no output will be shown\&. If debugging (\fB\-d\fR) is enabled, Nmap will report on each timeout\&. For host and service scripts, a script instance only scans a single target host or port and the timeout period will be reset for the next instance\&.
.RE
.PP
\fB\-\-scan\-delay \fR\fB\fItime\fR\fR; \fB\-\-max\-scan\-delay \fR\fB\fItime\fR\fR (Adjust delay between probes)
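Review bot: the rewritten `\fB\-\-script\-timeout\fR` text says the timeout is reset per instance "for host and service scripts" but says nothing about prerule and postrule scripts, which run once per scan rather than per target; a sentence stating whether the same ceiling applies to them would close the gap. Minor: the old wording's example of a long-running script (`http\-slowloris`) was dropped; keeping one concrete example helps readers judge when the option is worth setting.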
@@ -1627,7 +1629,7 @@ to see which engines are supported\&.
.PP
\fB\-T paranoid|sneaky|polite|normal|aggressive|insane\fR (Set a timing template)
.RS 4
While the fine\-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing\&. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize\&. So Nmap offers a simpler approach, with six timing templates\&. You can specify them with the
While the fine\-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing\&. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize\&. Fortunately, Nmap offers a simpler approach, with six timing templates\&. You can specify them with the
\fB\-T\fR
option and their number (0\(en5) or their name\&. The template names are
\fBparanoid\fR\ \&(\fB0\fR),
@@ -1644,7 +1646,7 @@ These templates allow the user to specify how aggressive they wish to be, while
\fB\-T4\fR
prohibits the dynamic scan delay from exceeding 10\ \&ms for TCP ports and
\fB\-T5\fR
caps that value at 5\ \&ms\&. Templates can be used in combination with fine\-grained controls, and the fine\-grained controls will you specify will take precedence over the timing template default for that parameter\&. I recommend using
caps that value at 5\ \&ms\&. Templates can be used in combination with fine\-grained controls, and the fine\-grained controls that you specify will take precedence over the timing template default for that parameter\&. I recommend using
\fB\-T4\fR
when scanning reasonably modern and reliable networks\&. Keep that option even when you add fine\-grained controls so that you benefit from those extra minor optimizations that it enables\&.
.sp
@@ -2446,22 +2448,15 @@ for more information\&.
.SH "BUGS"
.PP
Like its author, Nmap isn\*(Aqt perfect\&. But you can help make it better by sending bug reports or even writing patches\&. If Nmap doesn\*(Aqt behave the way you expect, first upgrade to the latest version available from
\m[blue]\fB\%https://nmap.org\fR\m[]\&. If the problem persists, do some research to determine whether it has already been discovered and addressed\&. Try searching for the error message on our search page at
\m[blue]\fB\%http://insecure.org/search.html\fR\m[]
or at Google\&. Also try browsing the
nmap\-dev
archives at
\m[blue]\fB\%http://seclists.org/\fR\m[]\&.
Read this full manual page as well\&. If nothing comes of this, mail a bug report to
<dev@nmap\&.org>\&. Please include everything you have learned about the problem, as well as what version of Nmap you are running and what operating system version it is running on\&. Problem reports and Nmap usage questions sent to
<dev@nmap\&.org>
are far more likely to be answered than those sent to Fyodor directly\&. If you subscribe to the nmap\-dev list before posting, your message will bypass moderation and get through more quickly\&. Subscribe at
\m[blue]\fB\%https://nmap.org/mailman/listinfo/dev\fR\m[]\&.
\m[blue]\fB\%https://nmap.org\fR\m[]\&. If the problem persists, do some research to determine whether it has already been discovered and addressed\&. Try searching for the problem or error message on Google since that aggregates so many forums\&. If nothing comes of this, create an Issue on our tracker (\m[blue]\fB\%http://issues.nmap.org\fR\m[]) and/or mail a bug report to
<dev@nmap\&.org>\&. If you subscribe to the nmap\-dev list before posting, your message will bypass moderation and get through more quickly\&. Subscribe at
\m[blue]\fB\%https://nmap.org/mailman/listinfo/dev\fR\m[]\&. Please include everything you have learned about the problem, as well as what version of Nmap you are using and what operating system version it is running on\&. Other suggestions for improving Nmap may be sent to the Nmap dev mailing list as well\&.
.PP
Code patches to fix bugs are even better than bug reports\&. Basic instructions for creating patch files with your changes are available at
\m[blue]\fB\%https://svn.nmap.org/nmap/HACKING\fR\m[]\&. Patches may be sent to
nmap\-dev
(recommended) or to Fyodor directly\&.
If you are able to write a patch improving Nmap or fixing a bug, that is even better! Instructions for submitting patches or git pull requests are available from
\m[blue]\fB\%https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md\fR\m[]
.PP
Particularly sensitive issues such as a security reports may be sent directly to Nmap\*(Aqs author Fyodor directly at
<fyodor@nmap\&.org>\&. All other reports and comments should use the dev list or issue tracker instead because more people read, follow, and respond to those\&.
.SH "AUTHOR"
.PP
Gordon
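Review bot: several wording and formatting problems in the rewritten BUGS text. "Particularly sensitive issues such as a security reports may be sent directly to Nmap\*(Aqs author Fyodor directly at" has a number-agreement error ("a security reports") and repeats "directly"; suggest "Particularly sensitive issues such as security reports may be sent directly to Nmap\*(Aqs author Fyodor at". The CONTRIBUTING.md link line `\m[blue]\fB\%https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md\fR\m[]` lacks the trailing `\&.` that ends every other sentence in this section. The issue tracker is linked as `http://issues.nmap.org` while the adjacent nmap.org links use `https://`; use `https://` for consistency.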
@@ -2477,7 +2472,7 @@ file which is distributed with Nmap and also available from
.SH "LEGAL NOTICES"
.SS "Nmap Copyright and Licensing"
.PP
The Nmap Security Scanner is (C) 1996\(en2016 Insecure\&.Com LLC ("The Nmap Project")\&. Nmap is also a registered trademark of the Nmap Project\&. This program free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2 (\(lqGPL\(rq), BUT ONLY WITH ALL OF THE CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN\&. This guarantees your right to use, modify, and redistribute this software under certain conditions\&. If you wish to embed Nmap technology into proprietary software, we sell alternative licenses (contact
The Nmap Security Scanner is (C) 1996\(en2018 Insecure\&.Com LLC ("The Nmap Project")\&. Nmap is also a registered trademark of the Nmap Project\&. This program free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2 (\(lqGPL\(rq), BUT ONLY WITH ALL OF THE CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN\&. This guarantees your right to use, modify, and redistribute this software under certain conditions\&. If you wish to embed Nmap technology into proprietary software, we sell alternative licenses (contact
<sales@nmap\&.com>)\&. Dozens of software vendors already license Nmap technology such as host discovery, port scanning, OS detection, version detection, and the Nmap Scripting Engine\&.
.PP
Note that the GPL places important restrictions on
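Review bot: since this line is being touched for the copyright year, fix the pre-existing grammatical error carried over from the old line: "This program free software; you may redistribute" should read "This program is free software; you may redistribute".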
@@ -2564,7 +2559,7 @@ Any redistribution of Covered Software, including any derived works, must obey a
.PP
Because this license imposes special exceptions to the GPL, Covered Work may not be combined (even as part of a larger work) with plain GPL software\&. The terms, conditions, and exceptions of this license must be included as well\&. This license is incompatible with some other open source licenses as well\&. In some cases we can relicense portions of Nmap or grant special permissions to use it in other open source software\&. Please contact fyodor@nmap\&.org with any such requests\&. Similarly, we don\*(Aqt incorporate incompatible open source software into Covered Software without special permission from the copyright holders\&.
.PP
If you have any questions about the licensing restrictions on using Nmap in other works, are happy to help\&. As mentioned above, we also offer alternative license to integrate Nmap into proprietary applications and appliances\&. These contracts have been sold to dozens of software vendors, and generally include a perpetual license as well as providing for priority support and updates\&. They also fund the continued development of Nmap\&. Please email
If you have any questions about the licensing restrictions on using Nmap in other works, we are happy to help\&. As mentioned above, we also offer an alternative license to integrate Nmap into proprietary applications and appliances\&. These contracts have been sold to dozens of software vendors, and generally include a perpetual license as well as providing support and updates\&. They also fund the continued development of Nmap\&. Please email
<sales@nmap\&.com>
for further information\&.
.PP
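Review bot: besides the grammar fixes ("we are happy to help", "an alternative license"), this hunk quietly changes "providing for priority support and updates" to "providing support and updates", which alters what the commercial license is said to include; if that change is intentional it deserves its own commit message line, otherwise restore "priority".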
@@ -2573,7 +2568,7 @@ If you have received a written license agreement or contract for Covered Softwar
.PP
This
Nmap Reference Guide
is (C) 2005\(en2016 Insecure\&.Com LLC\&. It is hereby placed under version 3\&.0 of the
is (C) 2005\(en2018 Insecure\&.Com LLC\&. It is hereby placed under version 3\&.0 of the
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[19]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
.SS "Source Code Availability and Community Contributions"
.PP
@@ -2605,8 +2600,8 @@ That would open up a major security vulnerability as other users on the system (
This product includes software developed by the
\m[blue]\fBApache Software Foundation\fR\m[]\&\s-2\u[20]\d\s+2\&. A modified version of the
\m[blue]\fBLibpcap portable packet capture library\fR\m[]\&\s-2\u[21]\d\s+2
is distributed along with Nmap\&. The Windows version of Nmap utilized the Libpcap\-derived
\m[blue]\fBWinPcap library\fR\m[]\&\s-2\u[22]\d\s+2
is distributed along with Nmap\&. The Windows version of Nmap utilizes the Libpcap\-derived
\m[blue]\fBNcap library\fR\m[]\&\s-2\u[22]\d\s+2
instead\&. Regular expression support is provided by the
\m[blue]\fBPCRE library\fR\m[]\&\s-2\u[23]\d\s+2,
which is open\-source software, written by Philip Hazel\&.
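Review bot: the replacement line `\m[blue]\fBNcap library\fR\m[]\&\s-2\u[22]\d\s+2` misspells the library name; the URL added to note 22 later in this patch is `http://www.npcap.org`, so this should read "Npcap library".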
@@ -2637,12 +2632,14 @@ and the
.PP
Nmap only uses encryption when compiled with the optional OpenSSL support and linked with OpenSSL\&. When compiled without OpenSSL support, the Nmap Project believes that Nmap is not subject to U\&.S\&.
\m[blue]\fBExport Administration Regulations (EAR)\fR\m[]\&\s-2\u[31]\d\s+2
export control\&. As such, there is no applicable ECCN (export control classification number) and exportation does not require any special license, permit, or other governmental authorization\&.
export control\&. It is exempt in accordance with
\m[blue]\fBScope of the Export Administration Regulations\fR\m[]\&\s-2\u[32]\d\s+2
per \(sc734\&.2(b)(3)(i) and \(sc734\&.7(a)(4)\&. As such, there is no applicable ECCN (export control classification number) and exportation does not require any special license, permit, or other governmental authorization\&.
.PP
When compiled with OpenSSL support or distributed as source code, the Nmap Project believes that Nmap falls under U\&.S\&. ECCN
\m[blue]\fB5D002\fR\m[]\&\s-2\u[32]\d\s+2
\m[blue]\fB5D002\fR\m[]\&\s-2\u[33]\d\s+2
(\(lqInformation Security Software\(rq)\&. We distribute Nmap under the TSU exception for publicly available encryption software defined in
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[33]\d\s+2\&.
\m[blue]\fBEAR 740\&.13(e)\fR\m[]\&\s-2\u[34]\d\s+2\&.
.SH "NOTES"
.IP " 1." 4
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
@@ -2750,9 +2747,9 @@ Libpcap portable packet capture library
\%http://www.tcpdump.org
.RE
.IP "22." 4
WinPcap library
Ncap library
.RS 4
\%http://www.winpcap.org
\%http://www.npcap.org
.RE
.IP "23." 4
PCRE library
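Review bot: same typo as in the LEGAL NOTICES text: the note-22 title line "Ncap library" should be "Npcap library" to match the `http://www.npcap.org` URL directly below it; consider `https://npcap.org` as well, since the other project links in this patch were moved to https.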
@@ -2800,11 +2797,16 @@ Export Administration Regulations (EAR)
\%http://www.access.gpo.gov/bis/ear/ear_data.html
.RE
.IP "32." 4
5D002
Scope of the Export Administration Regulations
.RS 4
\%http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf
\%https://bis.doc.gov/index.php/forms-documents/doc_view/412-part-734-scope-of-the-export-administration-regulations
.RE
.IP "33." 4
5D002
.RS 4
\%https://www.bis.doc.gov/index.php/documents/regulations-docs/federal-register-notices/federal-register-2014/951-ccl5-pt2/file
.RE
.IP "34." 4
EAR 740.13(e)
.RS 4
\%http://www.access.gpo.gov/bis/ear/pdf/740.pdf
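Review bot: the renumbering of notes 32 to 34 is consistent with the `\u[32]`, `\u[33]` and `\u[34]` references changed in the export-control paragraph, but the new entries are uneven: notes 32 and 33 now point at bis.doc.gov while note 34 (EAR 740.13(e)) still points at `http://www.access.gpo.gov/bis/ear/pdf/740.pdf`, the same host the other two were moved away from; check that this link still resolves and, if bis.doc.gov hosts Part 740, update it in the same way.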