diff --git a/docs/refguide.xml b/docs/refguide.xml index 9c89a7944..b9486f455 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -192,9 +192,9 @@ you would expect. (Input from list) + -iL - -iL Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the command line, yet it @@ -217,9 +217,9 @@ you would expect. (Choose random targets) + -iR - -iR For Internet-wide surveys and other research, you may want to choose targets at random. The num hosts argument @@ -240,9 +240,9 @@ you would expect. (Exclude hosts/networks) + --exclude - --exclude Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal @@ -257,9 +257,9 @@ you would expect. (Exclude list from file) + --excludefile - --excludefile This offers the same functionality as the option, except that the excluded targets are provided in a newline, space, or tab delimited @@ -340,10 +340,11 @@ you would expect. - (List Scan) - + (List Scan) -sL List scan + + The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By @@ -371,7 +372,6 @@ you would expect. (Ping Scan) - This option tells Nmap to only -sP Ping scan @@ -417,9 +417,9 @@ you would expect. (No ping) + -P0 - -P0 This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy @@ -440,11 +440,12 @@ you would expect. - (TCP SYN Ping) - - + (TCP SYN Ping) -PS SYN ping + + + This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT in 
@@ -492,10 +493,11 @@ you would expect. - (TCP ACK Ping) - + (TCP ACK Ping) -PA ACK ping + + The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the @@ -547,11 +549,12 @@ you would expect. - (UDP Ping) - - + (UDP Ping) -PU UDP ping + + + Another host discovery option is the UDP ping, which sends an empty (unless is specified) UDP packet to the given ports. The portlist @@ -591,13 +594,14 @@ you would expect. ; ; - (ICMP Ping Types) - - + (ICMP Ping Types) -PE -PP -PM ICMP ping + + + In addition to the unusual TCP and UDP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous @@ -640,11 +644,12 @@ you would expect. - (ARP Ping) - - + (ARP Ping) -PR ARP ping + + + One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, especially those using RFC1918-blessed private address ranges, the vast majority of @@ -677,10 +682,10 @@ you would expect. (Trace path to host) - - --traceroute Trace path to host + + Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use nmap's dynamic timing model and are performed in parallel. 
@@ -695,10 +700,10 @@ Traceroute works by sending packets with a low TTL (time-to-live) in an attempt (Host and port state reasons) - - --reason Host and port state reasons + + Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\-sS and -PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\-d\fR) and the results are stored in XML log files even if this option is not specified. @@ -709,9 +714,10 @@ Shows the reason each port is set to a specific state and the reason each host i (No DNS resolution) + -n - -n + Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub @@ -722,9 +728,9 @@ Shows the reason each port is set to a specific state and the reason each host i (DNS resolution for all targets) + -R - -R Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is @@ -735,9 +741,10 @@ Shows the reason each port is set to a specific state and the reason each host i (Use system DNS resolver) + --system-dns - --system-dns + By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often 
@@ -754,9 +761,10 @@ Shows the reason each port is set to a specific state and the reason each host i (Servers to use for reverse DNS queries) + --dns-servers - --dns-servers + By default Nmap will try to determine your DNS servers (for rDNS resolution) from your resolv.conf file (UNIX) or the registry (Win32). Alternatively, you may use this @@ -930,11 +938,12 @@ scans. - (TCP SYN scan) + (TCP SYN scan) + -sS + SYN scan + --sS -SYN scan SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan @@ -960,10 +969,11 @@ error (type 3, code 1,2, 3, 9, 10, or 13) is received. - (TCP connect scan) + (TCP connect scan) + -sT + connect() scan + --sT -connect() scan TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw @@ -997,11 +1007,12 @@ know that she has been connect scanned. - (UDP scans) - - + (UDP scans) -sU UDP scan + + + While most popular services on the Internet run over the TCP protocol, UDP services @@ -1054,15 +1065,16 @@ hosts. - ; ; (TCP Null, FIN, and Xmas scans) - - + ; ; (TCP Null, FIN, and Xmas scans) -sN -sF -sX NULL scan FIN scan Xmas scan + + + These three scan types (even more are possible with the option described in the next section) exploit a subtle loophole in the filtered ones, leaving you with the response - (TCP ACK scan) + (TCP ACK scan) + -sA + ACK scan + --sA -ACK scan This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out 
@@ -1147,11 +1160,12 @@ or 13), are labeled filtered. - (TCP Window scan) - - + (TCP Window scan) -sW Window scan + + + Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing @@ -1180,11 +1194,12 @@ ports, then those three may very well be the truly open ones. - (TCP Maimon scan) - - + (TCP Maimon scan) -sM Maimon scan + + + The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. @@ -1199,10 +1214,11 @@ simply drop the packet if the port is open. - (Custom TCP scan) + (Custom TCP scan) + --scanflags ---scanflags + Truly advanced Nmap users need not limit themselves to the canned scan types offered. The option allows you to design your own scan by specifying arbitrary TCP flags. Let @@ -1234,12 +1250,13 @@ used. (Idlescan) + host[:probeport]> (Idlescan) + -sI + Idle scan + - -sI - Idle scan This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique @@ -1271,11 +1288,12 @@ used. - (IP protocol scan) - - + (IP protocol scan) -sO Protocol scan + + + IP Protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers @@ -1322,11 +1340,12 @@ after retransmissions, the protocol is marked - (FTP bounce scan) - - + (FTP bounce scan) -b FTP bounce scan + + + An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy ftp connections. This allows a user to 
@@ -1380,10 +1399,11 @@ way. (Only scan specified ports) + -p - -p + This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The @@ -1407,8 +1427,8 @@ way. ). If no protocol qualifier is given, the port numbers are added to all protocol lists. - wildcard - Ports can also be specified by name according to what the + + wildcardPorts can also be specified by name according to what the port is referred to in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan ftp and all ports whose names begin with http, use . @@ -1425,10 +1445,9 @@ way. (Fast (limited port) scan) + -F - - -F Specifies that you only wish to scan for ports listed in the nmap-services file which comes with nmap (or the protocols file for @@ -1445,9 +1464,9 @@ way. (Don't randomize ports) + -r - -r By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This @@ -1462,9 +1481,10 @@ way. - Service and Version Detection + Service and Version Detection + <indexterm><primary>version scan</primary></indexterm> + - version scan Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of about 2,200 well-known services, @@ -1530,10 +1550,11 @@ way. - (Version detection) + (Version detection) + -sV - -sV + Enables version detection, as discussed above. Alternatively, you can use , which enables version detection among other things. @@ -1545,9 +1566,10 @@ way. (Don't exclude any ports from version detection) + --allports - --allports + By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of http get requests, binary 
@@ -1564,10 +1586,11 @@ way. (Set version scan intensity) + --version-intensity - --version-intensity + When performing a version scan (), nmap sends a series of probes, each of which is assigned a rarity value between 1 and 9. The lower-numbered probes are effective @@ -1589,9 +1612,10 @@ way. (Enable light mode) + --version-light - --version-light + This is a convenience alias for . This light mode makes version scanning much faster, but it is slightly less @@ -1602,9 +1626,10 @@ way. (Try every single probe) + --version-all - --version-all + An alias for , ensuring that every single probe is attempted against each port. @@ -1614,9 +1639,9 @@ way. (Trace version scan activity) + --version-trace - --version-trace This causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with . @@ -1625,9 +1650,10 @@ way. - (RPC scan) + (RPC scan) + --sR + - --sR This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an @@ -1648,9 +1674,9 @@ way. - OS Detection + OS Detection + <indexterm><primary>OS detection</primary></indexterm> - OS detection One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit @@ -1706,9 +1732,10 @@ way. (Enable OS detection) + -O - -O + Enables OS detection, as discussed above. Alternatively, you can use to enable @@ -1725,9 +1752,10 @@ way. (2nd Generation OS Detection Only) + -O2 - -O2 + Enables 2nd generation OS detection, but never falls back to the old (1st generation) system, even if it fails to @@ -1740,9 +1768,10 @@ way. (1nd Generation OS Detection Only) + -O1 - -O1 + Tells Nmap to only use the old OS detection system. If just gives you a fingerprint to 
@@ -1763,9 +1792,10 @@ way. (Limit OS detection to promising targets) + --osscan-limit - --osscan-limit + OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts @@ -1778,9 +1808,10 @@ way. ; (Guess OS detection results) + --osscan-guess - --osscan-guess + When Nmap is unable to detect a perfect OS match, it sometimes offers up near-matches as possibilities. The match has to be very close for Nmap to do this by default. @@ -1794,9 +1825,10 @@ way. (Set the maximum number of OS detection tries against a target) + --max-os-tries - --max-os-tries + When Nmap performs OS detection against a target and fails to find a perfect match, it usually repeats the @@ -1819,10 +1851,8 @@ way. - NSE—Scripting extension to the Nmap network scanner - - NSE - + NSE—Scripting extension to the Nmap network scanner + <indexterm><primary>NSE</primary></indexterm> The Nmap Scripting Engine (NSE) combines the efficiency of Nmap's network handling with the versatility of the lightweight scripting language @@ -1906,12 +1936,13 @@ way. - - - + -sC + + + performs a script scan using the default set of scripts. it is equivalent to --script=safe,intrusive @@ -1919,12 +1950,11 @@ way. - + + --script - - --script - + gives you the opportunity to choose from a custom set of scripts. You can specify script-categories, single scripts and/or @@ -1943,12 +1973,10 @@ way. - + + --script-args - - --script-args - lets you provide arguments to NSE-scripts. Arguments are passed as name=value pairs. The provided argument is processed and stored @@ -1972,12 +2000,10 @@ way. - + + --script-trace - - --script-trace - This option does what does, just one ISO layer higher. If this option is specified all incoming @@ -1991,12 +2017,11 @@ way. - + + --script-updatedb - - --script-updatedb - + updates the script database which stores a mapping from category tags to filenames. The database is a Lua script which is 
@@ -2046,10 +2071,11 @@ or ‘h’ to the value to specify seconds, minutes, or hours. So the ; (Adjust parallel scan group sizes) + <numhosts> (Adjust parallel scan group sizes) + --min-hostgroup + --max-hostgroup + ---min-hostgroup ---max-hostgroup Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger @@ -2089,11 +2115,12 @@ helpful. ; (Adjust probe parallelization) + <numprobes> (Adjust probe parallelization) + --min-parallelism + --max-parallelism + ---min-parallelism ---max-parallelism These options control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal @@ -2126,12 +2153,13 @@ enough by itself. , , (Adjust probe timeouts) + <time> (Adjust probe timeouts) + --min-rtt-timeout + --max-rtt-timeout + --initial-rtt-timeout + ---min-rtt-timeout ---max-rtt-timeout ---initial-rtt-timeout Nmap maintains a running timeout value for determining how long it will wait for a probe response before giving up or retransmitting the probe. This is @@ -2176,10 +2204,11 @@ list. (Specify the maximum number of port scan probe retransmissions) + --max-retries ---max-retries + When Nmap receives no response to a port scan probe, it could mean the port is filtered. Or maybe the probe or response was simply lost on the network. It is also possible that the target host has @@ -2211,10 +2240,11 @@ about the target. (Give up on slow target hosts) + --host-timeout ---host-timeout + Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The 
@@ -2237,11 +2267,12 @@ for that host. ; (Adjust delay between probes) + <time> (Adjust delay between probes) + --scan-delay + --max-scan-delay + ---scan-delay ---max-scan-delay This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting. Solaris machines @@ -2267,11 +2298,10 @@ threshold based intrusion detection and prevention systems (IDS/IPS). - + + --defeat-rst-ratelimit ---defeat-rst-ratelimit - Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as port-unreachable errors) they send. Some systems now apply similar rate limits to the RST (reset) @@ -2299,10 +2329,11 @@ worth the extra time. (Set a timing template) + --T ---T + While the fine grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time @@ -2439,11 +2470,11 @@ lists the relevant options and describes what they do. (fragment packets); (using the specified MTU) + -f + --mtu - -f - --mtu The option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to @@ -2480,10 +2511,9 @@ lists the relevant options and describes what they do. (Cloak a scan with decoys) + -D - - -D Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS @@ -2526,9 +2556,10 @@ lists the relevant options and describes what they do. (Spoof source address) + -S - -S + In some circumstances, Nmap may not be able to determine your source address ( 
@@ -2552,9 +2583,10 @@ lists the relevant options and describes what they do. (Use specified interface) + -e - -e + Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it @@ -2566,11 +2598,11 @@ lists the relevant options and describes what they do. (Spoof source port number) + --source-port + --g ---source-port ---g One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, @@ -2617,9 +2649,9 @@ support the option completely, as does UDP scan. (Append random data to sent packets) + --data-length - --data-length Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. This option @@ -2635,10 +2667,9 @@ support the option completely, as does UDP scan. (Send packets with specified ip options) + --ip-options - --ip-options - The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options @@ -2682,9 +2713,10 @@ support the option completely, as does UDP scan. (Set IP time-to-live field) + --ttl - --ttl + Sets the IPv4 time-to-live field in sent packets to the given value. @@ -2693,9 +2725,10 @@ support the option completely, as does UDP scan. (Randomize target host order) + --randomize-hosts - --randomize-hosts + Tells Nmap to shuffle each group of up to 8096 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you @@ -2714,10 +2747,10 @@ support the option completely, as does UDP scan. (Spoof MAC address) + --spoof-mac - --spoof-mac Asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. This option implies to ensure that Nmap actually sends 
@@ -2740,10 +2773,11 @@ support the option completely, as does UDP scan. (Send packets with bogus TCP/UDP checksums) + --badsum - --badsum + Asks Nmap to use an invalid TCP or UDP checksum for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received @@ -2832,9 +2866,10 @@ described below. Nmap Output Formats - (Normal output) + (Normal output) + -oN - -oN + Requests that normal output be directed to the given filename. As discussed above, this differs slightly from interactive output. @@ -2843,10 +2878,11 @@ described below. - (XML output) + (XML output) + -oX - -oX + Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate @@ -2885,9 +2921,10 @@ described below. - (ScRipT KIdd|3 oUTpuT) + (ScRipT KIdd|3 oUTpuT) + -oS - -oS + Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization @@ -2899,10 +2936,11 @@ described below. - (Grepable output) + (Grepable output) + -oG - -oG + This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens @@ -2945,9 +2983,10 @@ url="http://www.unspecific.com/nmap-oG-output" />. - (Output to all formats) + (Output to all formats) + -oA - -oA + As a convenience, you may specify to store scan results in normal, XML, and grepable formats at once. They @@ -2967,9 +3006,10 @@ url="http://www.unspecific.com/nmap-oG-output" />. (Increase verbosity level) + -v - -v + Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time 
@@ -2994,10 +3034,11 @@ url="http://www.unspecific.com/nmap-oG-output" />. (Increase or set debugging level) + -d - -d + When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (), debugging is enabled with a @@ -3025,9 +3066,10 @@ increased. (Trace packets and data sent and received) + --packet-trace - --packet-trace + Causes Nmap to print a summary of every packet sent or received. This is often used for debugging, but is also a valuable way for new users to understand exactly @@ -3042,10 +3084,11 @@ increased. (Show only open (or possibly open) ports) + --open - --open + Sometimes you only care about ports you can actually connect to (open ones), and don't want results cluttered with @@ -3065,19 +3108,20 @@ overwhelming requests. Specify to only see (List interfaces and routes) - --iflist + Prints the interface list and system routes as detected by Nmap. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP - connection as Ethernet). + connection as ethernet). (Log errors/warnings to normal mode output file) + --log-errors - --log-errors + Warnings and errors printed by Nmap usually go only to the screen (interactive output), leaving any specified normal-fomat output files uncluttered. But when you do want @@ -3103,9 +3147,10 @@ overwhelming requests. Specify to only see (Append to rather than clobber output files) + --append-output - --append-output + When you specify a filename to an output format flag such as or , that file is overwritten by default. If you prefer to keep the @@ -3122,10 +3167,11 @@ overwhelming requests. Specify to only see (Resume aborted scan) + --resume - --resume + Some extensive Nmap runs take a very long time—on the order of days. Such scans don't always run to completion. Restrictions may prevent Nmap from being run 
@@ -3154,9 +3200,10 @@ overwhelming requests. Specify to only see (Set XSL stylesheet to transform XML output) + --stylesheet - --stylesheet + Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML. The XML output includes an xml-stylesheet @@ -3185,9 +3232,10 @@ overwhelming requests. Specify to only see (Load stylesheet from Insecure.Org) + --webxml - --webxml + This convenience option is simply an alias for . @@ -3196,9 +3244,10 @@ overwhelming requests. Specify to only see (Omit XSL stylesheet declaration from XML) + --no_stylesheet - --no_stylesheet + Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The xml-stylesheet directive is omitted. @@ -3219,11 +3268,11 @@ overwhelming requests. Specify to only see (Enable IPv6 scanning) + -6 + IPv6 - -6 - IPv6 Since 2002, Nmap has offered IPv6 support for its most popular features. In particular, ping scanning (TCP-only), connect scanning, and version detection all support IPv6. @@ -3254,9 +3303,10 @@ overwhelming requests. Specify to only see (Aggressive scan options) + -A - -A + This option enables additional advanced and aggressive options. I haven't decided exactly which it stands for yet. Presently this enables OS Detection @@ -3275,9 +3325,10 @@ overwhelming requests. Specify to only see (Specify custom Nmap data file location) + --datadir - --datadir + Nmap obtains some special data at runtime in files named nmap-service-probes, nmap-services, @@ -3303,9 +3354,10 @@ overwhelming requests. Specify to only see (Specify custom services file) + --servicedb - --servicedb + Asks Nmap to use the specified services file rather than the nmap-services data file that comes with Nmap. Using this option also causes a fast scan 
@@ -3318,9 +3370,10 @@ overwhelming requests. Specify to only see (Specify custom service probes file) + --versiondb - --versiondb + Asks Nmap to use the specified service probes file rather than the nmap-service-probes data file that comes with Nmap. See the description for @@ -3332,9 +3385,10 @@ overwhelming requests. Specify to only see (Use raw ethernet sending) + --send-eth - --send-eth + Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for @@ -3351,9 +3405,10 @@ overwhelming requests. Specify to only see (Send at raw IP level) + --send-ip - --send-ip + Asks Nmap to send packets via raw IP sockets rather than sending lower level ethernet frames. It is the complement to the option discussed @@ -3364,9 +3419,10 @@ overwhelming requests. Specify to only see (Assume that the user is fully privileged) + --privileged - --privileged + Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on @@ -3386,9 +3442,10 @@ overwhelming requests. Specify to only see (Assume that the user lacks raw socket privileges) + --unprivileged - --unprivileged + This option is the opposite of . It tells Nmap to treat the @@ -3406,9 +3463,10 @@ overwhelming requests. Specify to only see (Release memory before quitting) + --release-memory - --release-memory + This option is only useful for memory-leak debugging. It causes Nmap to release allocated memory just before it quits so that actual memory leaks are easier to spot. @@ -3421,9 +3479,10 @@ overwhelming requests. Specify to only see (Start in interactive mode) + --interactive - --interactive + Starts Nmap in interactive mode, which offers an interactive Nmap prompt allowing easy launching of multiple scans (either synchronously or in the 
@@ -3442,10 +3501,10 @@ overwhelming requests. Specify to only see ; (Print version number) - - -V --version + + Prints the Nmap version number and exits. @@ -3453,10 +3512,10 @@ overwhelming requests. Specify to only see ; (Print help summary page) - - -h --help + + Prints a short help screen with the most common command flags. Running Nmap without any arguments does the same thing. @@ -3467,9 +3526,10 @@ overwhelming requests. Specify to only see - Runtime Interaction + Runtime Interaction + <indexterm><primary>runtime interaction</primary></indexterm> - runtime interaction + During the execution of nmap, all key presses are captured. This allows you to interact with the program without aborting and restarting it. Certain special
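Review bot: The --reason paragraph in the hunk at @@ -695,10 +700,10 @@ still carries raw roff escapes inside the DocBook source ("\fB\-sS and -PT\fR", "\fB\-sT\fR", "\fB\-d\fR"), and it names the SYN ping as -PT while the SYN ping entry earlier in this same patch indexes it as -PS. Since the index terms around this paragraph are being touched anyway, replace the escapes with the option markup used by the other entries and make the SYN ping option agree with the -PS entry. The same paragraph also has "a port or hosts state" (should read "host's") and "For example, A RST packet".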
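Review bot: In the -p hunk at @@ -1407,8 +1427,8 @@ the "wildcard" index term is now on the same line as the paragraph text ("wildcardPorts can also be specified by name ..."), whereas every other hunk in this patch gives the index term a line of its own. Keep the index term on a separate line here as well so the file stays consistent and later diffs of this paragraph stay readable.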
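Review bot: The entry title in the hunk at @@ -1740,9 +1768,10 @@ reads "(1nd Generation OS Detection Only)"; the ordinal should be "1st", matching the "old (1st generation) system" wording in the -O2 entry just above it. The patch adds the -O1 index term directly under that title, so this is a good place to fix it.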
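Review bot: The hunk at @@ -3065,19 +3108,20 @@ changes prose as well as index term placement: "connection as Ethernet)." becomes "connection as ethernet)." in the --iflist description. Every other hunk only moves index terms or adjusts blank lines, so either drop this wording change or mention it in the commit message. If prose fixes are in scope for this hunk, the --log-errors paragraph a few lines below still has "normal-fomat output files", which should be "normal-format".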