Network exploration tool and security / port scanner
|
-n (No DNS resolution)
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
|
-p port ranges (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by name according to what the port is referred to
as in nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
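The qualifier and range rules above are easy to misread when checking what a scan will actually touch. The function below is an added example (not part of Nmap or its documentation) that expands a -p argument into a per-protocol port count, following those rules: hyphen ranges, omitted range ends defaulting to 1 and 65535, T:/U: qualifiers that persist until the next qualifier, and unqualified entries going to every protocol list. Service names and the [bracket] form are not handled, since they need nmap-services.

```bash
#!/bin/bash
# Added example, not part of the Nmap documentation: expands an nmap -p argument
# into a port count per protocol so a scan's scope can be checked before it runs.

# port_count SPEC PROTO  -> prints how many PROTO ports (T or U) SPEC selects.
# Overlapping entries are counted twice; the point here is the qualifier logic.
port_count() {
    local spec=$1 want=$2 proto=both item lo hi total=0
    local IFS=,                                   # entries are comma-separated
    for item in $spec; do
        # A qualifier changes the protocol for this and all following entries.
        case $item in
            T:*) proto=T; item=${item#T:} ;;
            U:*) proto=U; item=${item#U:} ;;
        esac
        # Unqualified entries count for every protocol; qualified ones only for theirs.
        [ "$proto" = both ] || [ "$proto" = "$want" ] || continue
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-}    # "a-b", "a-", "-b" or plain "-"
                 lo=${lo:-1}; hi=${hi:-65535} ;;  # omitted ends default to 1 / 65535
            *)   lo=$item; hi=$item ;;            # a single port number
        esac
        case "$lo$hi" in
            *[!0-9]*) echo "unsupported entry (names need nmap-services): $item" >&2
                      return 1 ;;
        esac
        [ "$lo" -le "$hi" ] || { echo "bad range: $item" >&2; return 1; }
        total=$((total + hi - lo + 1))
    done
    echo "$total"
}

# The manual's own example, split per protocol:
# port_count "U:53,111,137,T:21-25,80,139,8080" T   -> 8
# port_count "U:53,111,137,T:21-25,80,139,8080" U   -> 3
# port_count - T                                    -> 65535
```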
|
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN
scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works
against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as
Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
between the open, closed, and filtered states.
This technique is often referred to as half-open scanning, because you don't open a full TCP
connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a
non-listener. If no response is received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10,
or 13) is received.
|
-PN (No ping)
This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine
active machines for heavier scanning. By default, Nmap only performs heavy probing such as port
scans, version detection, or OS detection against hosts that are found to be up. Disabling host
discovery with -PN causes Nmap to attempt the requested scanning functions against every target IP
address specified. So if a class B sized target address space (/16) is specified on the command line,
all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but
instead of stopping and printing the target list, Nmap continues to perform requested functions as if
each target IP is active. To skip ping scan and port scan, while still allowing NSE to run, use the
two options -PN -sP together.
For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is
specified) because Nmap needs MAC addresses to further scan target hosts. This option flag used to be
P0 (uses zero), but was renamed to avoid confusion with protocol ping's PO (uses the letter O) flag.
|
--open (Show only open (or possibly open) ports)
Sometimes you only care about ports you can actually connect to (open ones), and don't want results
cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done
after the scan using tools such as grep, awk, and Perl, but this feature was added due to
overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These
three ports are treated just as they normally are, which means that open|filtered and unfiltered may
be condensed into counts if there are an overwhelming number of them.
|
nmap [Scan Type...] [Options] {target specification}
|
Pipelines
A pipeline is a sequence of one or more commands separated by one of the control operators | or |&. The
format for a pipeline is:
[time [-p]] [ ! ] command [ [| or |&] command2 ... ]
The standard output of command is connected via a pipe to the standard input of command2. This
connection is performed before any redirections specified by the command (see REDIRECTION below). If |&
is used, the standard error of command is connected to command2's standard input through the pipe; it is
shorthand for 2>&1 |. This implicit redirection of the standard error is performed after any
redirections specified by the command.
The return status of a pipeline is the exit status of the last command, unless the pipefail option is
enabled. If pipefail is enabled, the pipeline's return status is the value of the last (rightmost)
command to exit with a non-zero status, or zero if all commands exit successfully. If the reserved word
! precedes a pipeline, the exit status of that pipeline is the logical negation of the exit status as
described above. The shell waits for all commands in the pipeline to terminate before returning a value.
If the time reserved word precedes a pipeline, the elapsed as well as user and system time consumed by
its execution are reported when the pipeline terminates. The -p option changes the output format to that
specified by POSIX. When the shell is in posix mode, it does not recognize time as a reserved word if
the next token begins with a `-'. The TIMEFORMAT variable may be set to a format string that specifies
how the timing information should be displayed; see the description of TIMEFORMAT under Shell Variables
below.
When the shell is in posix mode, time may be followed by a newline. In this case, the shell displays the
total user and system time consumed by the shell and its children. The TIMEFORMAT variable may be used
to specify the format of the time information.
Each command in a pipeline is executed as a separate process (i.e., in a subshell).
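The return-status rules above matter when a script pipes a scan into grep or awk and then acts on the result: without pipefail, a failed first stage is hidden behind a successful last stage. The following is an added example, not from the bash manual, that reproduces those rules with subshells exiting with chosen codes instead of real commands.

```bash
#!/bin/bash
# Added example, not from the bash manual: how the pipefail option and the `!`
# reserved word decide a pipeline's return status.

# run_pipeline MODE A B C
#   Runs  (exit A) | (exit B) | (exit C)  with pipefail on or off (MODE = on|off)
#   and prints the pipeline's return status. The `|| status=$?` idiom records the
#   status without tripping `set -e` in a calling script.
run_pipeline() {
    local mode=$1 a=$2 b=$3 c=$4 status=0
    if [ "$mode" = on ]; then set -o pipefail; else set +o pipefail; fi
    (exit "$a") | (exit "$b") | (exit "$c") || status=$?
    set +o pipefail          # restore the shell default (pipefail off)
    echo "$status"
}

# negated_pipeline A B: prints the status of  ! (exit A) | (exit B)  with pipefail off,
# i.e. the logical negation of the last command's status.
negated_pipeline() {
    local status=0
    set +o pipefail
    ! (exit "$1") | (exit "$2") || status=$?
    echo "$status"
}

# run_pipeline off 1 0 0   -> 0   (only the last command's status counts)
# run_pipeline on  1 0 0   -> 1   (a failed first stage is no longer masked)
# run_pipeline on  2 5 0   -> 5   (rightmost non-zero stage wins)
# negated_pipeline 0 0     -> 1
```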
|
search a file for a pattern
|
pattern scanning and processing language
|
program
If no -f option is specified, the first operand to awk shall be the text of the awk program. The
application shall supply the program operand as a single argument to awk. If the text does not end
in a <newline>, awk shall interpret the text as if it did.
argument
Either of the following two types of argument can be intermixed:
file
A pathname of a file that contains the input to be read, which is matched against the set of
patterns in the program. If no file operands are specified, or if a file operand is '-' , the
standard input shall be used.
assignment
An operand that begins with an underscore or alphabetic character from the portable character set
(see the table in the Base Definitions volume of IEEE Std 1003.1-2001, Section 6.1, Portable
Character Set), followed by a sequence of underscores, digits, and alphabetics from the portable
character set, followed by the '=' character, shall specify a variable assignment rather than a
pathname. The characters before the '=' represent the name of an awk variable; if that name is an
awk reserved word (see Grammar), the behavior is undefined. The characters following the equal
sign shall be interpreted as if they appeared in the awk program preceded and followed by a
double-quote ( '"' ) character, as a STRING token (see Grammar), except that if the last character
is an unescaped backslash, it shall be interpreted as a literal backslash rather than as the first
character of the sequence "\"" . The variable shall be assigned the value of that STRING token
and, if appropriate, shall be considered a numeric string (see Expressions in awk); the variable
shall also be assigned its numeric value. Each such variable assignment shall occur just prior to
the processing of the following file, if any. Thus, an assignment before the first file argument
shall be executed after the BEGIN actions (if any), while an assignment after the last file
argument shall occur before the END actions (if any). If there are no file arguments, assignments
shall be executed before processing the standard input.
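The timing of assignment operands relative to BEGIN, each file, and END is the part of this rule people get wrong. The shell function below is an added example, not from the awk specification; it writes two constructed one-line files, puts an assignment operand before each, and prints what awk sees at every stage.

```bash
#!/bin/bash
# Added example, not from the awk specification: when `var=value` operands take
# effect. The two input files are constructed here, not taken from anywhere.

# awk_assignment_demo: prints one line for BEGIN, one per input record, one for END,
# each showing the current value of the variable `tag` (a hypothetical name).
awk_assignment_demo() {
    local dir
    dir=$(mktemp -d) || return 1
    printf 'alpha\n' > "$dir/a.txt"
    printf 'beta\n'  > "$dir/b.txt"
    # tag=first is applied after BEGIN but before a.txt is read;
    # tag=second is applied before b.txt and is therefore what END sees.
    awk 'BEGIN { printf "BEGIN tag=[%s]\n", tag }
         { printf "%s tag=[%s]\n", $0, tag }
         END { printf "END tag=[%s]\n", tag }' \
        tag=first "$dir/a.txt" tag=second "$dir/b.txt"
    rm -r "$dir"
}

# awk_assignment_demo prints:
#   BEGIN tag=[]
#   alpha tag=[first]
#   beta tag=[second]
#   END tag=[second]
```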
|
while list-1; do list-2; done
until list-1; do list-2; done
The while command continuously executes the list list-2 as long as the last command in the list
list-1 returns an exit status of zero. The until command is identical to the while command,
except that the test is negated; list-2 is executed as long as the last command in list-1 returns
a non-zero exit status. The exit status of the while and until commands is the exit status of the
last command executed in list-2, or zero if none was executed.
|
catenate files
|
send ICMP ECHO_REQUEST packets to network hosts
|
-c count
Stop after sending (and receiving) count ECHO_RESPONSE packets.
|
AND and OR lists are sequences of one or more pipelines separated by the && and || control operators,
respectively. AND and OR lists are executed with left associativity. An AND list has the form
command1 && command2
command2 is executed if, and only if, command1 returns an exit status of zero.
An OR list has the form
command1 || command2
command2 is executed if and only if command1 returns a non-zero exit status. The return status of AND
and OR lists is the exit status of the last command executed in the list.
|
echo arguments
|