|
|
|
|
@@ -2,12 +2,12 @@
|
|
|
|
|
.\" Title: nmap
|
|
|
|
|
.\" Author: [see the "Authors" section]
|
|
|
|
|
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
|
|
|
|
|
.\" Date: 08/06/2021
|
|
|
|
|
.\" Date: 02/18/2022
|
|
|
|
|
.\" Manual: Nmap Reference Guide
|
|
|
|
|
.\" Source: Nmap
|
|
|
|
|
.\" Language: English
|
|
|
|
|
.\"
|
|
|
|
|
.TH "NMAP" "1" "08/06/2021" "Nmap" "Nmap Reference Guide"
|
|
|
|
|
.TH "NMAP" "1" "02/18/2022" "Nmap" "Nmap Reference Guide"
|
|
|
|
|
.\" -----------------------------------------------------------------
|
|
|
|
|
.\" * Define some portability stuff
|
|
|
|
|
.\" -----------------------------------------------------------------
|
|
|
|
|
@@ -119,7 +119,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
|
|
|
|
|
.RS 4
|
|
|
|
|
.\}
|
|
|
|
|
.nf
|
|
|
|
|
Nmap 7\&.92 ( https://nmap\&.org )
|
|
|
|
|
Nmap 7\&.92SVN ( https://nmap\&.org )
|
|
|
|
|
Usage: nmap [Scan Type(s)] [Options] {target specification}
|
|
|
|
|
TARGET SPECIFICATION:
|
|
|
|
|
Can pass hostnames, IP addresses, networks, etc\&.
|
|
|
|
|
@@ -335,6 +335,51 @@ The exclude file may contain comments that start with
|
|
|
|
|
#
|
|
|
|
|
and extend to the end of the line\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-n\fR (No DNS resolution)
|
|
|
|
|
.RS 4
|
|
|
|
|
|
|
|
|
|
Tells Nmap to
|
|
|
|
|
\fInever\fR
|
|
|
|
|
do reverse DNS resolution on the active IP addresses it finds\&. Since DNS can be slow even with Nmap\*(Aqs built\-in parallel stub resolver, this option can slash scanning times\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-R\fR (DNS resolution for all targets)
|
|
|
|
|
.RS 4
|
|
|
|
|
Tells Nmap to
|
|
|
|
|
\fIalways\fR
|
|
|
|
|
do reverse DNS resolution on the target IP addresses\&. Normally reverse DNS is only performed against responsive (online) hosts\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-resolve\-all\fR (Scan each resolved address)
|
|
|
|
|
.RS 4
|
|
|
|
|
If a hostname target resolves to more than one address, scan all of them\&. The default behavior is to only scan the first resolved address\&. Regardless, only addresses in the appropriate address family will be scanned: IPv4 by default, IPv6 with
|
|
|
|
|
\fB\-6\fR\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-unique\fR (Scan each address only once)
|
|
|
|
|
.RS 4
|
|
|
|
|
Scan each IP address only once\&. The default behavior is to scan each address as many times as it is specified in the target list, such as when network ranges overlap or different hostnames resolve to the same address\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-system\-dns\fR (Use system DNS resolver)
|
|
|
|
|
.RS 4
|
|
|
|
|
By default, Nmap reverse\-resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses\&. Many requests (often dozens) are performed in parallel to improve performance\&. Specify this option to use your system resolver instead (one IP at a time via the
|
|
|
|
|
\fBgetnameinfo\fR
|
|
|
|
|
call)\&. This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do)\&. The system resolver is always used for forward lookups (getting an IP address from a hostname)\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-dns\-servers \fR\fB\fIserver1\fR\fR\fB[,\fIserver2\fR[,\&.\&.\&.]]\fR\fB \fR (Servers to use for reverse DNS queries)
|
|
|
|
|
.RS 4
|
|
|
|
|
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv\&.conf file (Unix) or the Registry (Win32)\&. Alternatively, you may use this option to specify alternate servers\&. This option is not honored if you are using
|
|
|
|
|
\fB\-\-system\-dns\fR\&. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space\&. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet\&.
|
|
|
|
|
.sp
|
|
|
|
|
This option also comes in handy when scanning private networks\&. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are\&. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (\fB\-sL\fR) specifying each name server one at a time with
|
|
|
|
|
\fB\-\-dns\-servers\fR
|
|
|
|
|
until you find one which works\&.
|
|
|
|
|
.sp
|
|
|
|
|
This option might not be honored if the DNS response exceeds the size of a UDP packet\&. In such a situation our DNS resolver will make the best effort to extract a response from the truncated packet, and if not successful it will fall back to using the system resolver\&. Also, responses that contain CNAME aliases will fall back to the system resolver\&.
|
|
|
|
|
.RE
|
|
|
|
|
.SH "HOST DISCOVERY"
|
|
|
|
|
.PP
|
|
|
|
|
One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts\&. Scanning every port of every single IP address is slow and usually unnecessary\&. Of course what makes a host interesting depends greatly on the scan purposes\&. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address\&. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions\&.
|
|
|
|
|
@@ -602,46 +647,6 @@ Traceroutes are performed post\-scan using information from the scan results to
|
|
|
|
|
.sp
|
|
|
|
|
Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host\&. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached\&. Nmap\*(Aqs traceroute starts with a high TTL and then decrements the TTL until it reaches zero\&. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts\&. On average Nmap sends 5\(en10 fewer packets per host, depending on network conditions\&. If a single subnet is being scanned (i\&.e\&. 192\&.168\&.0\&.0/24) Nmap may only have to send two packets to most hosts\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-n\fR (No DNS resolution)
|
|
|
|
|
.RS 4
|
|
|
|
|
|
|
|
|
|
Tells Nmap to
|
|
|
|
|
\fInever\fR
|
|
|
|
|
do reverse DNS resolution on the active IP addresses it finds\&. Since DNS can be slow even with Nmap\*(Aqs built\-in parallel stub resolver, this option can slash scanning times\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-R\fR (DNS resolution for all targets)
|
|
|
|
|
.RS 4
|
|
|
|
|
Tells Nmap to
|
|
|
|
|
\fIalways\fR
|
|
|
|
|
do reverse DNS resolution on the target IP addresses\&. Normally reverse DNS is only performed against responsive (online) hosts\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-resolve\-all\fR (Scan each resolved address)
|
|
|
|
|
.RS 4
|
|
|
|
|
If a hostname target resolves to more than one address, scan all of them\&. The default behavior is to only scan the first resolved address\&. Regardless, only addresses in the appropriate address family will be scanned: IPv4 by default, IPv6 with
|
|
|
|
|
\fB\-6\fR\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-system\-dns\fR (Use system DNS resolver)
|
|
|
|
|
.RS 4
|
|
|
|
|
By default, Nmap reverse\-resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses\&. Many requests (often dozens) are performed in parallel to improve performance\&. Specify this option to use your system resolver instead (one IP at a time via the
|
|
|
|
|
\fBgetnameinfo\fR
|
|
|
|
|
call)\&. This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do)\&. The system resolver is always used for forward lookups (getting an IP address from a hostname)\&.
|
|
|
|
|
.RE
|
|
|
|
|
.PP
|
|
|
|
|
\fB\-\-dns\-servers \fR\fB\fIserver1\fR\fR\fB[,\fIserver2\fR[,\&.\&.\&.]]\fR\fB \fR (Servers to use for reverse DNS queries)
|
|
|
|
|
.RS 4
|
|
|
|
|
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv\&.conf file (Unix) or the Registry (Win32)\&. Alternatively, you may use this option to specify alternate servers\&. This option is not honored if you are using
|
|
|
|
|
\fB\-\-system\-dns\fR\&. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space\&. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet\&.
|
|
|
|
|
.sp
|
|
|
|
|
This option also comes in handy when scanning private networks\&. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are\&. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (\fB\-sL\fR) specifying each name server one at a time with
|
|
|
|
|
\fB\-\-dns\-servers\fR
|
|
|
|
|
until you find one which works\&.
|
|
|
|
|
.sp
|
|
|
|
|
This option might not be honored if the DNS response exceeds the size of a UDP packet\&. In such a situation our DNS resolver will make the best effort to extract a response from the truncated packet, and if not successful it will fall back to using the system resolver\&. Also, responses that contain CNAME aliases will fall back to the system resolver\&.
|
|
|
|
|
.RE
|
|
|
|
|
.SH "PORT SCANNING BASICS"
|
|
|
|
|
.PP
|
|
|
|
|
While Nmap has grown in functionality over the years, it began as an efficient port scanner, and that remains its core function\&. The simple command
|
|
|
|
|
@@ -2499,7 +2504,7 @@ file distributed with Nmap and also available from
|
|
|
|
|
.SH "LEGAL NOTICES"
|
|
|
|
|
.SS "Nmap Copyright and Licensing"
|
|
|
|
|
.PP
|
|
|
|
|
The Nmap Security Scanner is (C) 1996\(en2020 Insecure\&.Com LLC ("The Nmap Project")\&. Nmap is also a registered trademark of the Nmap Project\&. It is published under the
|
|
|
|
|
The Nmap Security Scanner is (C) 1996\(en2021 Nmap Software LLC ("The Nmap Project")\&. Nmap is also a registered trademark of the Nmap Project\&. It is published under the
|
|
|
|
|
\m[blue]\fBNmap Public Source License\fR\m[]\&\s-2\u[18]\d\s+2\&. This generally allows end users to download and use Nmap for free\&. It doesn\*(Aqt not allow Nmap to be used and redistributed within commercial software or hardware products (including appliances, virtual machines, and traditional applications)\&. We fund the project by selling a special Nmap OEM Edition for this purpose, as described at
|
|
|
|
|
\m[blue]\fB\%https://nmap.org/oem\fR\m[]\&. Hundreds of large and small software vendors have already purchased OEM licenses to embed Nmap technology such as host discovery, port scanning, OS detection, version detection, and the Nmap Scripting Engine within their products\&.
|
|
|
|
|
.PP
|
|
|
|
|
@@ -2512,7 +2517,7 @@ If you have received a written license agreement or contract for Nmap stating te
|
|
|
|
|
.PP
|
|
|
|
|
This
|
|
|
|
|
Nmap Reference Guide
|
|
|
|
|
is (C) 2005\(en2020 Insecure\&.Com LLC\&. It is hereby placed under version 3\&.0 of the
|
|
|
|
|
is (C) 2005\(en2021 Nmap Software LLC\&. It is hereby placed under version 3\&.0 of the
|
|
|
|
|
\m[blue]\fBCreative Commons Attribution License\fR\m[]\&\s-2\u[19]\d\s+2\&. This allows you redistribute and modify the work as you desire, as long as you credit the original source\&. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously)\&.
|
|
|
|
|
.SS "Source Code Availability and Community Contributions"
|
|
|
|
|
.PP
|
|
|
|
|
@@ -2695,7 +2700,7 @@ Libpcap portable packet capture library
|
|
|
|
|
.IP "23." 4
|
|
|
|
|
Ncap library
|
|
|
|
|
.RS 4
|
|
|
|
|
\%https://npcap.org
|
|
|
|
|
\%https://npcap.com
|
|
|
|
|
.RE
|
|
|
|
|
.IP "24." 4
|
|
|
|
|
PCRE library
|
|
|
|
|
|
dmiller