diff --git a/docs/refguide.xml b/docs/refguide.xml index 762154b3c..1211aaa45 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -1,3 +1,5 @@ +man pagereference guide +reference guide (man page) nmap 
@@ -24,6 +26,7 @@ Description + Nmapdescription of This document describes the very latest version of Nmap available from The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the interesting ports - table. That table lists the port number and protocol, + table. + portsinteresting + That table lists the port number and protocol, service name, and state. The state is either open, filtered, - closed, or unfiltered. Open - means that an application on the target machine is listening for - connections/packets on that port. Filtered means that a firewall, - filter, or other network obstacle is blocking the port so that - Nmap cannot tell whether it is open or closed. Closed ports have - no application listening on them, though they could open up at any - time. Ports are classified as unfiltered when they are responsive - to Nmap's probes, but Nmap cannot determine whether they are open - or closed. Nmap reports the state combinations - open|filtered and + closed, or unfiltered. + open port state + Open means that an application on the target machine is listening for + connections/packets on that port. + filtered port state + Filtered means that a firewall, filter, or other network + obstacle is blocking the port so that Nmap cannot tell whether it is + open or closed. + closed port state + Closed ports have no application listening on them, + though they could open up at any time. + unfiltered port state + Ports are classified as unfiltered when they are + responsive to Nmap's probes, but Nmap cannot determine whether they are + open or closed. + open|filtered port state + closed|filtered port state + Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been 
@@ -79,6 +92,7 @@ faster execution; and then the two target hostnames. A representative Nmap scan +example of # nmap -A -T4 scanme.nmap.org playground @@ -136,20 +150,25 @@ substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here. +summary of options &nmap-usage; + Target Specification + target specification Everything on the Nmap command-line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning. Sometimes you wish to scan a whole network of adjacent hosts. -For this, Nmap supports CIDR-style addressing. You can appendCIDR addressing +For this, Nmap supports CIDR-style addressing. +Classless Inter-Domain Routing (CIDR) +You can appendCIDR addressing /numbits to an IP address or hostname and Nmap will scan every IP address for which the first numbits are the same as for the reference @@ -164,6 +183,7 @@ scanme.nmap.org/16 would scan the 65,536 IP addresses between which scans the whole Internet. The largest value is /32, which scans just the named host or IP address because all address bits are fixed. +address ranges CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they are commonly broadcast addresses. Nmap supports @@ -191,7 +211,8 @@ you would expect. (Input from list) - -iL + + target specificationfrom list Reads target specifications from @@ -216,7 +237,9 @@ you would expect. (Choose random targets) - -iR + + random targets + target specificationat random For Internet-wide surveys @@ -239,7 +262,8 @@ you would expect. (Exclude hosts/networks) - --exclude + + excluding targets Specifies a comma-separated list of targets to be @@ -256,7 +280,7 @@ you would expect. (Exclude list from file) - --excludefile + This offers the same functionality as the 
@@ -271,6 +295,7 @@ you would expect. Host Discovery + host discovery One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a @@ -310,7 +335,9 @@ you would expect. used for any targets which are on a local ethernet network. For unprivileged Unix shell users, a SYN packet is sent instead of the ack using the connect() - system call. These defaults are equivalent to the + system call. + unprivileged userslimitations of + These defaults are equivalent to the options. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for @@ -340,7 +367,7 @@ you would expect. (List Scan) - -sL + List scan @@ -351,6 +378,7 @@ you would expect. to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. + DNSrecords as source of information Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your @@ -369,9 +397,12 @@ you would expect. - (Ping Scan) + (Ping Scan) + + ping scan + - This option tells Nmap to only-sPping scan + This option tells Nmap to only perform a ping scan (host discovery), then print out the available hosts that responded to the scan. No further testing (such as port scanning or OS detection) is performed. This is one @@ -414,7 +445,8 @@ you would expect. (No ping) - -PN + + host discoverydisabling This option skips the Nmap discovery stage altogether. 
@@ -440,15 +472,18 @@ you would expect. (TCP SYN Ping) - -PS + SYN ping This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable - at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in - nmap.h). Alternate ports can be + at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC + DEFAULT_TCP_PROBE_PORT_SPEC + in nmap.h). + nmap.h + Alternate ports can be specified as a parameter. The syntax is the same as for the except that port type specifiers like T: are not allowed. Examples are @@ -462,7 +497,9 @@ you would expect. are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will - take the second step of a TCP 3-way-handshake by responding + take the second step of a TCP 3-way-handshake + three-way handshake + by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet which would complete the @@ -476,10 +513,16 @@ you would expect. Nmap that the host is available and responsive. On Unix boxes, only the privileged user - root is generally able to send and - receive raw TCP packets. For unprivileged users, a + root + authorized (root) user + is generally able to send and + receive raw TCP packets. + raw packets + For unprivileged users, a workaround is automatically employed whereby the connect() - system call is initiated against each target port. This has + system call is initiated against each target port. + unprivileged userslimitations on + This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. If connect() returns with a quick success or an ECONNREFUSED failure, the 
@@ -488,7 +531,9 @@ you would expect. is left hanging until a timeout is reached, the host is marked as down. This workaround is also used for IPv6 connections, as raw IPv6 packet building support is not yet - available in Nmap. + available in Nmap. + IPv6limitations of + @@ -496,7 +541,7 @@ you would expect. (TCP ACK Ping) - -PA + ACK ping @@ -527,7 +572,10 @@ you would expect. outgoing connections to the Internet. This non-stateful approach takes up few resources on the firewall/router and is widely supported by hardware and software filters. The - Linux Netfilter/iptables firewall software offers the + Linux Netfilter/iptables + Netfilter + iptables + firewall software offers the convenience option to implement this stateless approach. When stateless firewall rules such as this are in place, SYN ping probes () @@ -552,7 +600,7 @@ you would expect. (UDP Ping) - -PU + UDP ping @@ -564,7 +612,10 @@ you would expect. and options. If no ports are specified, the default is 31338. This default can be configured at compile-time by changing - DEFAULT_UDP_PROBE_PORT_SPEC in nmap.h. + DEFAULT_UDP_PROBE_PORT_SPEC + DEFAULT_UDP_PROBE_PORT_SPEC + in nmap.h. + nmap.h A highly uncommon port is used by default because sending to open ports is often undesirable for this particular scan type. @@ -597,9 +648,9 @@ you would expect. ; ; (ICMP Ping Types) - -PE - -PP - -PM + + + ICMP ping @@ -610,7 +661,9 @@ you would expect. ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available - hosts. Unfortunately for network explorers, many hosts and + hosts. + ICMP echo + Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC @@ -647,7 +700,7 @@ you would expect. (IP Protocol Ping) - -PO + IP Protocol ping 
@@ -661,7 +714,10 @@ you would expect. IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4). The default protocols can be configured at compile-time by changing - DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. + DEFAULT_PROTO_PROBE_PORT_SPEC + DEFAULT_PROTO_PROBE_PORT_SPEC + in nmap.h. + nmap.h Note that for the ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), the packets are sent with the proper protocol headers while other protocols are sent with no additional data @@ -679,7 +735,7 @@ you would expect. (ARP Ping) - -PR + ARP ping @@ -716,8 +772,8 @@ you would expect. (Trace path to host) - --traceroute - Trace path to host + + traceroute @@ -734,8 +790,7 @@ Traceroute works by sending packets with a low TTL (time-to-live) in an attempt (Host and port state reasons) - --reason - Host and port state reasons + @@ -748,7 +803,9 @@ Nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping ( and ) are very detailed, but the TCP connect scan () is limited by the implementation of the connect system call. This feature is automatically enabled by -the debug option () and the results are stored in XML log files +the debug option () +implied by +and the results are stored in XML log files even if this option is not specified. @@ -758,12 +815,14 @@ even if this option is not specified. (No DNS resolution) - -n + Tells Nmap to never do reverse - DNS resolution on the active IP addresses it finds. Since + DNS + reverse DNSdisabling with + resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times. @@ -772,7 +831,7 @@ even if this option is not specified. (DNS resolution for all targets) - -R + Tells Nmap to @@ -785,7 +844,7 @@ even if this option is not specified. (Use system DNS resolver) - --system-dns + 
@@ -797,7 +856,9 @@ even if this option is not specified. IP at a time via the getnameinfo() call). This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do). The system - resolver is always used for IPv6 scans. + resolver is always used for IPv6 scans. + IPv6limitations of + @@ -805,7 +866,7 @@ even if this option is not specified. (Servers to use for reverse DNS queries) - --dns-servers + @@ -833,6 +894,7 @@ even if this option is not specified. + @@ -860,7 +922,9 @@ options from across the Internet might show that port as filteredThe six port states recognized by Nmap - open + + open port state + open An application is actively accepting TCP connections or UDP packets on this port. Finding these is often the primary goal of port scanning. Security-minded people know that @@ -871,7 +935,9 @@ options from across the Internet might show that port as filtered - closed + + closed port state + closed A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application @@ -883,7 +949,9 @@ options from across the Internet might show that port as filtered - filtered + + filtered port state + filtered Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. @@ -897,7 +965,9 @@ options from across the Internet might show that port as filtered - unfiltered + + unfiltered port state + unfiltered The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies @@ -906,7 +976,9 @@ options from across the Internet might show that port as filtered - open|filtered + + open|filtered port state + open|filtered Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of 
@@ -916,7 +988,9 @@ options from across the Internet might show that port as filtered - closed|filtered + + closed|filtered port state + closed|filtered This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan. @@ -933,7 +1007,9 @@ jalopy to a real mechanic, he invariably fishes around in a huge tool chest unti pulling out the perfect gizmo which makes the job seem effortless. The art of port scanning is similar. Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a -given task. Inexperienced users and script kiddies, on the other +given task. Inexperienced users and script kiddies, +script kiddies +on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to @@ -941,7 +1017,10 @@ determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it. Most of the scan types are only available to privileged users. -This is because they send and receive raw packets, which requires root +authorized (root) users +This is because they send and receive raw packets, +raw packets +which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring @@ -983,7 +1062,7 @@ scans. (TCP SYN scan) - -sS + SYN scan @@ -1014,7 +1093,7 @@ error (type 3, code 1,2, 3, 9, 10, or 13) is received. (TCP connect scan) - -sT + connect() scan 
@@ -1091,6 +1170,7 @@ response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. +rate limiting Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c). @@ -1110,10 +1190,10 @@ hosts. ; ; (TCP Null, FIN, and Xmas scans) --sN --sF --sX -null scan + + + +NULL scan FIN scan Xmas scan @@ -1178,7 +1258,7 @@ certain filtered ones, leaving you with the response (TCP ACK scan) - -sA + ACK scan @@ -1205,7 +1285,7 @@ or 13), are labeled filtered. (TCP Window scan) --sW + Window scan @@ -1239,13 +1319,14 @@ ports, then those three may very well be the truly open ones. (TCP Maimon scan) --sM + Maimon scan -The Maimon scan is named after its discoverer, Uriel Maimon. He -described the technique in Phrack Magazine issue #49 (November 1996). +The Maimon scan is named after its discoverer, Uriel Maimon. +Maimon, Uriel +He described the technique in Phrack Magazine issue #49 (November 1996). Phrack Nmap, which included this technique, was released two issues later. This technique is exactly the same as null, FIN, and Xmas scans, except 
@@ -1260,14 +1341,17 @@ simply drop the packet if the port is open. (Custom TCP scan) - --scanflags + Truly advanced Nmap users need not limit themselves to the canned scan types offered. The option allows -you to design your own scan by specifying arbitrary TCP flags. Let -your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules! +you to design your own scan by specifying arbitrary TCP flags. +TCP flags +Let your creative juices flow, while evading intrusion detection systems +intrusion detection systemsavoiding +whose vendors simply paged through the Nmap man page adding specific rules! The argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is @@ -1296,7 +1380,7 @@ used. (idle scan) - -sI + idle scan @@ -1328,7 +1412,9 @@ used. from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via - router/packet filter rules). + router/packet filter rules). + trust relationships + You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the @@ -1341,8 +1427,8 @@ used. (IP protocol scan) - -sO - Protocol scan + + IP protocol scan @@ -1359,8 +1445,11 @@ close enough to a port scan that it belongs here. demonstrates the power of open source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality. Then in the summer of 2000, Gerhard -Rieger conceived the idea, wrote an excellent patch implementing it, +Rieger +Rieger, Gerhard +conceived the idea, wrote an excellent patch implementing it, and sent it to the nmap-hackers mailing list. +nmap-hackers mailing list I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute their own 
@@ -1394,7 +1483,7 @@ after retransmissions, the protocol is marked (FTP bounce scan) - -b + FTP bounce scan @@ -1443,16 +1532,19 @@ way. Port Specification and Scan Order + port specification In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and - whether the scan order is randomized or sequential. By default, Nmap scans all ports up to and including 1024 as well as higher numbered ports listed in the nmap-services file for the protocol(s) being scanned. + whether the scan order is randomized or sequential. By default, Nmap scans all ports up to and including 1024 as well as higher numbered ports listed in the nmap-services file for the protocol(s) being scanned. + default ports + (Only scan specified ports) - -p + @@ -1463,7 +1555,9 @@ way. beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify to scan ports from 1 through - 65535. Scanning port zero is allowed if you specify it + 65535. Scanning port zero + port zero + is allowed if you specify it explicitly. For IP protocol scanning (), this option specifies the protocol numbers you wish to scan for (0-255). @@ -1481,7 +1575,7 @@ way. the port numbers are added to all protocol lists. - wildcardPorts can also be specified by name according to what the + wildcards in port specificationsPorts can also be specified by name according to what the port is referred to in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with http, use . @@ -1498,7 +1592,7 @@ way. (Fast (limited port) scan) - -F + Specifies that you only wish to scan @@ -1517,7 +1611,8 @@ way. (Don't randomize ports) - -r + + randomization of ports By default, Nmap randomizes the scanned port order 
@@ -1534,18 +1629,24 @@ way. - Service and Version Detection<indexterm><primary>version scan</primary></indexterm> + Service and Version Detection + version detection Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its - nmap-services database of about 2,200 well-known services, + nmap-services + nmap-services + database of about 2,200 well-known services, + well known ports Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate—the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! - People can and do run services on strange ports. + People can and do run services on strange ports. + non-standard ports + Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of @@ -1560,7 +1661,9 @@ way. After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The - nmap-service-probes database contains probes + nmap-service-probes + nmap-service-probes + database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, telnet, HTTP), the application name (e.g. ISC 
@@ -1571,9 +1674,13 @@ way. version, or the KaZaA user name). Of course, most services don't provide all of this information. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the - service listening behind that encryption layer. When RPC services are - discovered, the Nmap RPC grinder () is - automatically used to determine the RPC program and version + service listening behind that encryption layer. + SSLin version detection + When RPC services are + discovered, the Nmap RPC grinder () + RPC grinder + + is automatically used to determine the RPC program and version numbers. Some UDP ports are left in the open|filtered state after a UDP port scan is unable to determine whether the port is open or filtered. Version @@ -1598,7 +1705,9 @@ way. on the port. Please take a couple minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 3,000 pattern matches for more than - 350 protocols such as SMTP, FTP, HTTP, etc. + 350 protocols such as SMTP, FTP, HTTP, etc. + submission of service fingerprints + Version detection is enabled and controlled with the following options: @@ -1609,7 +1718,7 @@ way. (Version detection) - -sV + @@ -1624,7 +1733,7 @@ way. (Don't exclude any ports from version detection) - --allports + @@ -1636,7 +1745,9 @@ way. directive in nmap-service-probes, or you can specify to scan all ports regardless of any Exclude - directive. + directive. + Exclude directive (nmap-service-probes) + @@ -1644,7 +1755,7 @@ way. (Set version scan intensity) - --version-intensity + 
@@ -1657,8 +1768,11 @@ way. specifies which probes should be applied. The higher the number, the more likely it is the service will be correctly identified. However, high intensity scans take longer. The - intensity must be between 0 and 9. The default is 7. When a - probe is registered to the target port via the + intensity must be between 0 and 9. + version detectionintensity + The default is 7. + version detectiondefault intensity + When a probe is registered to the target port via the nmap-service-probes ports directive, that probe is tried regardless of intensity level. This ensures that the DNS probes will always be attempted against any open port 53, @@ -1670,7 +1784,7 @@ way. (Enable light mode) - --version-light + @@ -1684,7 +1798,7 @@ way. (Try every single probe) - --version-all + @@ -1697,7 +1811,7 @@ way. (Trace version scan activity) - --version-trace + This causes Nmap to print out extensive debugging info @@ -1709,7 +1823,8 @@ way. (RPC scan) - -sR + + RPC scan This method works in conjunction with the various port @@ -1720,6 +1835,7 @@ way. effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. + decoyswhich scans use This is automatically enabled as part of version scan () if you request that. As version detection includes this and is much more comprehensive, @@ -1728,11 +1844,13 @@ way. + - OS Detection<indexterm><primary>OS detection</primary></indexterm> + OS Detection + OS detection One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and 
@@ -1740,7 +1858,9 @@ way. in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its - nmap-os-db database of more than 800 known + nmap-os-db + nmap-os-db + database of more than 800 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name @@ -1795,7 +1915,7 @@ way. (Enable OS detection) - -O + @@ -1811,7 +1931,7 @@ way. (Limit OS detection to promising targets) - --osscan-limit + @@ -1827,7 +1947,8 @@ way. ; (Guess OS detection results) - --osscan-guess + + --osscan-guess @@ -1844,7 +1965,7 @@ way. (Set the maximum number of OS detection tries against a target) - --max-os-tries + @@ -1866,13 +1987,17 @@ way. + - Nmap Scripting Engine (NSE)<indexterm><primary>NSE</primary></indexterm> + Nmap Scripting Engine (NSE) + Nmap Scripting Engine (NSE) The Nmap Scripting Engine (NSE) combines the efficiency of Nmap's network handling with the versatility of the lightweight scripting language - Lua, thus providing innumerable + Lua, + Lua programming language + thus providing innumerable opportunities. A more extensive documentation of the NSE (including its API) can be found at . @@ -1882,7 +2007,9 @@ way. creating customized tests. Uses for the NSE include (but definitely are not limited to): + Nmap Scripting Engine (NSE)uses of + version script category Enhanced version detection (category version)—While Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and @@ -1894,6 +2021,8 @@ way. + malware script category + backdoor script category Malware-detection (category malware)—Both attackers and worms often leave backdoors—be it in form of SMTP-servers listening on uncommon ports mostly used by spammers for mail relay, or in form of an 
@@ -1902,6 +2031,7 @@ way. + vulnerability script category Vulnerability Detection (category vuln)—NSE's capacity in detecting risks ranges from testing whether an SMTP server supports relaying mail from arbitrary @@ -1910,6 +2040,7 @@ way. + auth script category Determination of Authentication Credentials (category auth)—NSE can be used for determining authentication credentials on the target's services, with a common method being brute-force @@ -1917,6 +2048,9 @@ way. + safe script category + intrusive script category + discovery script category Network Discovery and Information Gathering (categories safe, intrusive and discovery)—By providing you with a scripting language @@ -1932,7 +2066,9 @@ way. To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more of the above mentioned categories. To maintain the matching from scripts to - categories a file called script.db is installed along + categories a file called script.db + script.db + is installed along with the distributed scripts. Therefore, if you, for example, want to see if a machine is infected by any worm Nmap provides a script for you can simply run nmap --script=malware target-ip and check the output 
@@ -1946,8 +2082,13 @@ way. A NSE-script basically is a chunk of Lua-code which has (among some informational fields, like name, id and categories) 2 functions: a test whether the particular script should be run against a certain host or port - (called a hostrule or portrule - respectively) and an action to be carried out if the test + (called a hostrule + hostrule script variable + or portrule + portrule script variable + respectively) and an action + action script variable + to be carried out if the test returns true. Scripts have access to most information gathered by Nmap during earlier stages. For each host this includes the IP address, hostname and (if available) operating system. If a script is targeted at a port it has access @@ -1966,7 +2107,7 @@ way. - -sC + @@ -1980,10 +2121,11 @@ way. - --script + Runs a script scan (like ) with the scripts you have chosen rather than the defaults. Arguments can be script categories, single scripts or directories with scripts which are to be run against the target hosts instead of the default set. Nmap will try to interpret the arguments at first as categories and afterwards as files or directories. Absolute paths are used as is, relative paths are searched in the following places until found: + --datadir/; NMAPDIR environment variable $(NMAPDIR)/; @@ -2012,7 +2154,7 @@ categories. - --script-args + script arguments lets you provide arguments to NSE-scripts. Arguments are passed @@ -2038,7 +2180,7 @@ script knows about its special argument. - --script-trace + @@ -2055,7 +2197,7 @@ script knows about its special argument. - --script-updatedb + @@ -2072,10 +2214,13 @@ script knows about its special argument. + Timing and Performance + timing + performance One of my highest Nmap development priorities has always been performance. A default scan (nmap hostname) of a host on my local 
@@ -2109,8 +2254,8 @@ or ‘h’ to the value to specify seconds, minutes, or hours. So the ; (Adjust parallel scan group sizes) - --min-hostgroup - --max-hostgroup + + Nmap has the ability to port scan or version scan multiple hosts @@ -2158,8 +2303,8 @@ helpful. ; (Adjust probe parallelization) - --min-parallelism - --max-parallelism + + @@ -2196,9 +2341,9 @@ enough by itself. , (Adjust probe timeouts) - --min-rtt-timeout - --max-rtt-timeout - --initial-rtt-timeout + + + @@ -2223,7 +2368,9 @@ timing out and retransmitting while the response is in transit. If all the hosts are on a local network, 100 milliseconds is a reasonable aggressive value. If routing is involved, ping a host on the network first with the ICMP -ping utility, or with a custom packet crafter such as hping2 that is +ping utility, or with a custom packet crafter such as hping2 +hping2 +that is more likely to get through a firewall. Look at the maximum round trip time out of ten packets or so. You might want to double that for the and triple or quadruple it for @@ -2248,7 +2395,7 @@ list. (Specify the maximum number of port scan probe retransmissions) - --max-retries + @@ -2284,7 +2431,7 @@ about the target. (Give up on slow target hosts) - --host-timeout + @@ -2312,8 +2459,8 @@ for that host. ; (Adjust delay between probes) - --scan-delay - --max-scan-delay + + @@ -2336,7 +2483,9 @@ packet retransmissions and possible missed ports when the target implements strict rate limiting. Another use of is to evade -threshold based intrusion detection and prevention systems (IDS/IPS). +threshold based intrusion detection and prevention systems (IDS/IPS). +intrusion detection systemsavoiding + @@ -2345,7 +2494,7 @@ threshold based intrusion detection and prevention systems (IDS/IPS). (Specify a minimum scanning rate) - --min-rate + 
@@ -2395,11 +2544,12 @@ timing. - --defeat-rst-ratelimit + Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as port-unreachable errors) they send. +rate limiting Some systems now apply similar rate limits to the RST (reset) packets they generate. This can slow Nmap down dramatically as it adjusts its timing to reflect those rate limits. You can tell Nmap to @@ -2425,9 +2575,17 @@ worth the extra time. (Set a timing template) - -T + + timing templates + timing templatesparanoid, sneaky, polite, normal, aggressive, and insane +paranoid timing template +sneaky timing template +polite timing template +normal timing template +aggressive timing template +insane timing template While the fine-grained timing controls discussed in the previous @@ -2437,11 +2595,20 @@ than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the option and their number (0–5) or their name. The template names are (), - (), -(), (), +paranoid () timing template + (), +sneaky () timing template + (), +polite () timing template + (), +normal () timing template (), and - (). The first two are for -IDS evasion. Polite mode slows down the scan to use less bandwidth +aggressive () timing template + (). +insane () timing template +The first two are for IDS evasion. +intrusion detection systemsavoiding +Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable 
@@ -2453,8 +2620,11 @@ for speed. wish to be, while leaving Nmap to pick the exact timing values. The templates also make some minor speed adjustments for which fine-grained control options do not currently exist. For example, - prohibits the dynamic scan delay from exceeding + +aggressive () timing templage +prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and caps that value at 5 ms. +insane () timing templage Templates can be used in combination with fine-grained controls, and the fine-grained controls will you specify will take precedence over the timing template default for that parameter. I @@ -2469,7 +2639,9 @@ recommend always using . Some people love sometimes specify because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow really is. Their scan may take ten times longer than a +polite +polite () timing templage +really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options () and so I normally @@ -2477,7 +2649,11 @@ recommend that for cautious scanners. Omitting version detection is far more effective than playing with timing values at reducing these problems. -While and may be +While +paranoid () timing templage +and +sneaky () timing templage +may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact timing values you need rather than 
@@ -2489,7 +2665,9 @@ so only one port is scanned at a time, and waiting five minutes between sending each probe. and are similar but they only wait 15 seconds and 0.4 seconds, respectively, between probes. is Nmap's -default behavior, which includes parallelization. +default behavior, which includes parallelization. +normal () timing templage + does the equivalent of and sets the maximum TCP scan delay to 10 milliseconds. does the equivalent of @@ -2500,10 +2678,14 @@ setting the maximum TCP scan delay to 5 ms. + + Firewall/IDS Evasion and Spoofing + firewallsbypassing + intrusion detection systemsavoiding Many Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any @@ -2538,7 +2720,9 @@ increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Many of these products have recently morphed into intrusion -prevention systems (IPS) that actively block +prevention systems (IPS) +intrusion prevention systemsintrusion detection systems +that actively block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help @@ -2569,8 +2753,8 @@ lists the relevant options and describes what they do. (fragment packets); (using the specified MTU) - -f - --mtu + + 
@@ -2599,10 +2783,15 @@ lists the relevant options and describes what they do. this because fragments may take different routes into their networks. Some source systems defragment outgoing packets in the kernel. Linux - with the iptables connection tracking module is one such + with the iptables + iptables + connection tracking module is one such example. Do a scan while a sniffer such as Wireshark - is running to ensure that sent packets are - fragmented. If your host OS is causing problems, try the option to bypass the IP layer and send raw ethernet frames. + Wireshark + is running to ensure that sent packets are fragmented. If your host + OS is causing problems, try the + + option to bypass the IP layer and send raw ethernet frames. @@ -2610,7 +2799,8 @@ lists the relevant options and describes what they do. (Cloak a scan with decoys) - -D + + decoys Causes a decoy scan to be performed, which makes it @@ -2624,13 +2814,20 @@ lists the relevant options and describes what they do. hiding your IP address. Separate each decoy host with commas, and you can - optionally use ME as one of the decoys to + optionally use ME + ME (decoy address) + as one of the decoys to represent the position for your real IP address. If you put ME in the 6th position or later, some common port scan detectors (such as Solar Designer's - excellent Scanlogd) are unlikely to show your IP address at + Solar Designer + excellent Scanlogd) + Scanlogd + are unlikely to show your IP address at all. If you don't use ME, nmap will put - you in a random position. You can also use RND to generate + you in a random position. You can also use RND + RND (decoy address) + to generate a random, non-reserved IP address, or RND:<number> to generate <number> addresses. Note that the hosts you use as decoys should be up or you might accidentally SYN @@ -2661,7 +2858,8 @@ lists the relevant options and describes what they do. (Spoof source address) - -S + + spoofing source address 
@@ -2688,7 +2886,8 @@ lists the relevant options and describes what they do. (Use specified interface) - -e + + interface @@ -2703,8 +2902,9 @@ lists the relevant options and describes what they do. (Spoof source port number) - --source-port - -g + + + source port number @@ -2754,7 +2954,7 @@ support the option completely, as does UDP scan. (Append random data to sent packets) - --data-length + Normally Nmap sends minimalist packets containing only @@ -2772,7 +2972,8 @@ support the option completely, as does UDP scan. (Send packets with specified ip options) - --ip-options + + IP options The IP @@ -2801,8 +3002,14 @@ support the option completely, as does UDP scan. Nmap also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request - record-route, record-timestamp, or both options together, - respectively. Loose or strict source routing may be specified + record-route, + record-route IP option + record-timestamp, + record-timestamp IP option + or both options together, + respectively. Loose or strict source routing + source routing + may be specified with an L or S followed by a space and then a space-separated list of IP addresses. @@ -2818,7 +3025,8 @@ support the option completely, as does UDP scan. (Set IP time-to-live field) - --ttl + + time to live (TTL) @@ -2830,7 +3038,8 @@ support the option completely, as does UDP scan. (Randomize target host order) - --randomize-hosts + + randomization of hosts @@ -2839,7 +3048,11 @@ support the option completely, as does UDP scan. to various network monitoring systems, especially when you combine it with slow timing options. If you want to randomize over larger group sizes, increase - PING_GROUP_SZ in nmap.h and recompile. + PING_GROUP_SZ + PING_GROUP_SZ + in nmap.h + nmap.h + and recompile. An alternative solution is to generate the target IP list with a list scan (), randomize it 
@@ -2852,13 +3065,17 @@ support the option completely, as does UDP scan. (Spoof MAC address) - --spoof-mac + + spoofing MAC address - Asks Nmap to use the given MAC address for all of the - raw ethernet frames it sends. This option implies - to ensure that Nmap actually sends + Asks Nmap to use the given MAC address + MAC address + for all of the raw ethernet frames it sends. This option implies + + implied by + to ensure that Nmap actually sends ethernet-level packets. The MAC given can take several formats. If it is simply the number 0, Nmap chooses a completely random MAC address for the session. If the given string is an even number of hex @@ -2868,7 +3085,9 @@ support the option completely, as does UDP scan. argument isn't a 0 or hex string, Nmap looks through nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the - vendor's OUI (3-byte prefix) and fills out the remaining 3 bytes + vendor's OUI (3-byte prefix) + organizationally unique identifier (OUI) + and fills out the remaining 3 bytes randomly. Valid argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. This option only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection or the Nmap Scripting Engine. @@ -2878,7 +3097,9 @@ support the option completely, as does UDP scan. (Send packets with bogus TCP/UDP checksums) - --badsum + + TCP checksum + checksums @@ -2894,10 +3115,13 @@ support the option completely, as does UDP scan. + + Output + output formats Any security tools is only as useful as the output it generates. Complex tests and algorithms are of little value if 
@@ -2914,22 +3138,30 @@ files, which Nmap can append to or clobber. Output files may also be used to resume aborted scans. Nmap makes output available in five different formats. -The default is called interactive output, and it is sent to standard -output (stdout). +The default is called interactive output, +interactive output +and it is sent to standard output (stdout). stdout standard output There is also normal output, +normal output which is similar to interactive except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively. -XML output is one of the most important output types, as it can +XML output +XML output +is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases. The two remaining output types are the simple grepable -output which includes most information for a target host on -a single line, and sCRiPt KiDDi3 0utPUt for users +output +grepable output +which includes most information for a target host on +a single line, and sCRiPt KiDDi3 0utPUt +scR1pT kIddI3 output +for users who consider themselves |<-r4d. While interactive output is the default and has no associated @@ -2958,8 +3190,12 @@ command nmap -oX - target will send only XML output to stdout. stdout standard output +outputto stdout with - Serious errors may still be printed to the normal error -stream, stderr. +stream, stderr. +standard error +stderr + Unlike some Nmap arguments, the space between the logfile option flag (such as ) and the filename or hyphen is @@ -2971,6 +3207,7 @@ compatibility feature of Nmap will cause the creation of respectively. All of these arguments support strftime()-like +strftime conversions in filenames conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same 
@@ -2990,7 +3227,8 @@ described below. (normal output) - -oN + + normal output Requests that normal output be @@ -3002,7 +3240,8 @@ described below. (XML output) - -oX + + XML output @@ -3023,8 +3262,11 @@ described below. languages to handle Nmap output and execution specifically. Examples are Nmap::Scanner + Nmap::Scanner and Nmap::Parser in Perl + url="http://www.nmapparser.com">Nmap::Parser + Nmap::Parser + in Perl CPAN. In almost all cases that a non-trivial application interfaces with Nmap, XML is the preferred format. @@ -3045,7 +3287,8 @@ described below. (ScRipT KIdd|3 oUTpuT) - -oS + + scR1pT kIddI3 output Script kiddie output is like interactive output, except that @@ -3060,7 +3303,8 @@ described below. (grepable output) - -oG + + grepable output @@ -3081,7 +3325,9 @@ are running Solaris takes only a simple grep to identify the hosts, piped to an awk or cut command to print the desired fields. Grepable output consists of comments (lines starting with a -pound (#)) and target lines. A target line includes a combination +pound (#)) +grepable outputcomments in +and target lines. A target line includes a combination of 6 labeled fields, separated by tabs and followed with a colon. The fields are Host, Ports, Protocols, Ignored State, @@ -3109,7 +3355,7 @@ format is available (Output to all formats) - -oA + As a convenience, you may specify + verbosity. + giving more than once + Most changes only affect interactive output, and some also affect normal and script kiddie output. The other @@ -3159,7 +3408,8 @@ format is available (Increase or set debugging level) - -d + + debugging 
@@ -3168,7 +3418,9 @@ format is available debugging is available to flood you with much more! As with the verbosity option (), debugging is enabled with a command-line flag () and the debug level can be -increased by specifying it multiple times. Alternatively, you can set +increased by specifying it multiple times. +giving more than once +Alternatively, you can set a debug level by giving an argument to . For example, sets level nine. That is the highest effective level and will produce thousands of lines unless you run a @@ -3193,7 +3445,7 @@ increased. (Trace packets and data sent and received) - --packet-trace + @@ -3211,7 +3463,7 @@ increased. (Show only open (or possibly open) ports) - --open + @@ -3235,7 +3487,7 @@ overwhelming requests. Specify to only see (List interfaces and routes) - --iflist + Prints the interface list and system routes as detected by Nmap. This is useful for debugging routing problems or @@ -3245,7 +3497,7 @@ overwhelming requests. Specify to only see (Log errors/warnings to normal mode output file) - --log-errors + @@ -3278,7 +3530,7 @@ overwhelming requests. Specify to only see (Append to rather than clobber output files) - --append-output + @@ -3298,7 +3550,8 @@ overwhelming requests. Specify to only see (Resume aborted scan) - --resume + + resuming scans @@ -3331,13 +3584,19 @@ overwhelming requests. Specify to only see (Set XSL stylesheet to transform XML output) - --stylesheet + - Nmap ships with an XSL stylesheet named - nmap.xsl for viewing or translating XML - output to HTML. The XML output includes an xml-stylesheet + Nmap ships with an XSL + XSL + stylesheet + stylesheet + named nmap.xsl + nmap.xsl + for viewing or translating XML output to HTML. + HTMLfrom XML output + The XML output includes an xml-stylesheet directive which points to nmap.xml where it was initially installed by Nmap (or in the current working directory on Windows). Simply load Nmap's XML 
@@ -3363,7 +3622,7 @@ overwhelming requests. Specify to only see (Load stylesheet from Nmap.Org) - --webxml + @@ -3375,7 +3634,7 @@ overwhelming requests. Specify to only see (Omit XSL stylesheet declaration from XML) - --no-stylesheet + @@ -3388,6 +3647,7 @@ overwhelming requests. Specify to only see + @@ -3399,7 +3659,7 @@ overwhelming requests. Specify to only see (Enable IPv6 scanning) - -6 + IPv6 @@ -3437,7 +3697,7 @@ overwhelming requests. Specify to only see (Aggressive scan options) - -A + @@ -3461,7 +3721,7 @@ overwhelming requests. Specify to only see (Specify custom Nmap data file location) - --datadir + @@ -3478,7 +3738,7 @@ overwhelming requests. Specify to only see searches these files in the directory specified with the option (if any). Any files not found there, are searched for in the directory specified by - the NMAPDIR environmental variableNMAPDIR environment variable. + the NMAPDIR environmental variableNMAPDIR environment variable. Next comes ~/.nmap for real and effective UIDs (POSIX systems only) or location of the Nmap executable (Win32 only), and then a compiled-in @@ -3491,7 +3751,7 @@ overwhelming requests. Specify to only see (Specify custom services file) - --servicedb + @@ -3507,7 +3767,7 @@ overwhelming requests. Specify to only see (Specify custom service probes file) - --versiondb + @@ -3522,14 +3782,16 @@ overwhelming requests. Specify to only see (Use raw ethernet sending) - --send-eth + Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for - the platform it is running on. Raw sockets (IP layer) are + the platform it is running on. Raw sockets (IP layer) + raw sockets + are generally most efficient for Unix machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nmap still uses raw IP packets 
@@ -3542,7 +3804,7 @@ overwhelming requests. Specify to only see (Send at raw IP level) - --send-ip + @@ -3556,22 +3818,24 @@ overwhelming requests. Specify to only see (Assume that the user is fully privileged) - --privileged + Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and - similar operations that usually require root privileges on - Unix systems. By default Nmap quits if such operations are + similar operations that usually require root privileges + authorized (root) users + on Unix systems. By default Nmap quits if such operations are requested but geteuid() is not zero. is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, - etc.). The NMAP_PRIVILEGED environmental variable may be set as an - equivalent alternative to + etc.). The NMAP_PRIVILEGED environmental variable + NMAP_PRIVILEGED + may be set as an equivalent alternative to . @@ -3579,7 +3843,7 @@ overwhelming requests. Specify to only see (Assume that the user lacks raw socket privileges) - --unprivileged + @@ -3587,10 +3851,12 @@ overwhelming requests. Specify to only see This option is the opposite of . It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. + unprivileged users This is useful for testing, debugging, or when the raw network functionality of your operating system is somehow - broken. The NMAP_UNPRIVILEGED environmental variable may be set as an - equivalent alternative to + broken. The NMAP_UNPRIVILEGED environmental variable + NMAP_UNPRIVILEGED + may be set as an equivalent alternative to . @@ -3600,7 +3866,7 @@ overwhelming requests. Specify to only see (Release memory before quitting) - --release-memory + 
@@ -3616,7 +3882,7 @@ overwhelming requests. Specify to only see (Start in interactive mode) - --interactive + @@ -3631,15 +3897,17 @@ overwhelming requests. Specify to only see help. This option is rarely used because proper shells are usually more familiar and feature-complete. This option includes a bang (!) operator for executing shell commands, - which is one of many reasons not to install Nmap setuid root. + which is one of many reasons not to install Nmap setuid root. + setuid + ; (Print version number) - -V - --version + + Prints the Nmap version number and exits. @@ -3649,8 +3917,8 @@ overwhelming requests. Specify to only see ; (Print help summary page) - -h - --help + + Prints a short help screen with the most common @@ -3748,12 +4016,15 @@ overwhelming requests. Specify to only see do not currently exist. + example of nmap -v scanme.nmap.org This option scans all reserved TCP ports on the machine scanme.nmap.org . The option enables verbose mode. + example of + example of nmap -sS -O scanme.nmap.org/24 Launches a stealth SYN scan against each machine that is @@ -3763,6 +4034,8 @@ overwhelming requests. Specify to only see running. This requires root privileges because of the SYN scan and OS detection. + example of + example of nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127 @@ -3775,7 +4048,10 @@ overwhelming requests. Specify to only see what application is running. - nmap -v -iR 100000 -PN -p 80 + example of + example of + example of + nmap -v -iR 100000 -PN -p 80 Asks Nmap to choose 100,000 hosts at random and scan them @@ -3785,6 +4061,10 @@ overwhelming requests. Specify to only see probing one port on each target host anyway. + example of + example of + example of + example of nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20 
@@ -3795,6 +4075,7 @@ overwhelming requests. Specify to only see Bugs + bugs Like its author, Nmap isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Nmap @@ -3831,7 +4112,9 @@ overwhelming requests. Specify to only see Hundreds of people have made valuable contributions to Nmap over the years. These are detailed in the - CHANGELOG file which is distributed with Nmap + CHANGELOG + changelog + file which is distributed with Nmap and also available from . @@ -3841,3 +4124,4 @@ overwhelming requests. Specify to only see &legal-notices; +reference guide (man page)
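Review bot: the new index entries in the @@ -2453,8 +2620,11 @@ hunk misspell "template" as "templage" ("aggressive () timing templage", "insane () timing templage"), and the same misspelling is repeated in the entries added by the -2469, -2477 and -2489 hunks ("polite () timing templage", "paranoid () timing templage", "sneaky () timing templage", "normal () timing templage"); since these strings end up in the printed index, fix all of them to "timing template" in one pass. While touching this hunk, the unchanged context line "and the fine-grained controls will you specify will take precedence" has a stray "will"; dropping it to "the fine-grained controls you specify will take precedence" would be a cheap drive-by fix.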
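Review bot: the rewritten line in the @@ -3478,7 +3738,7 @@ hunk still reads "the NMAPDIR environmental variableNMAPDIR environment variable", so the body text says "environmental variable" while the index entry on the same line says "environment variable"; normalize the body to "environment variable". The -3556 and -3587 hunks add "NMAP_PRIVILEGED environmental variable" and "NMAP_UNPRIVILEGED environmental variable" with the same wording and should be corrected together so the text and the index agree.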
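Review bot: in the @@ -2336,7 +2483,9 @@ hunk the sentence is rewritten to attach the "intrusion detection systems, avoiding" index entry but keeps "threshold based intrusion detection and prevention systems"; since the line is being replaced anyway, hyphenate the compound modifier to "threshold-based intrusion detection and prevention systems (IDS/IPS)".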
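Review bot: the index entry added in the @@ -2914,22 +3138,30 @@ hunk uses the spelling "scR1pT kIddI3 output" while the body text beside it reads "sCRiPt KiDDi3 0utPUt" and the -oS option heading in the -3045 hunk reads "ScRipT KIdd|3 oUTpuT", so the same output format now appears under three different stylizations. The two index entries (-2914 and -3045) do agree with each other, which is what matters for collation, but consider indexing it under a plain "script kiddie output" primary term (with the stylized form as the secondary) so a reader scanning the index alphabetically can actually find it.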