Network exploration tool and security / port scanner
|
-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN
scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works
against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as
Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
between the open, closed, and filtered states.
This technique is often referred to as half-open scanning, because you don't open a full TCP
connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a
non-listener. If no response is received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10,
or 13) is received.
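As an added illustration of the open/closed/filtered decision described above (not Nmap's own code), the following Python function applies those rules to a constructed sequence of replies for one probe and its retransmissions; the reply dictionary format and the max_retries default are assumptions of the example:

```python
"""Classify one TCP SYN probe the way the -sS description does.
Added illustration, not Nmap source. A reply is a dict such as
{"kind": "tcp", "flags": "SA"} or {"kind": "icmp", "type": 3, "code": 1};
None means that attempt timed out."""

# ICMP destination-unreachable (type 3) codes listed for the filtered state.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def classify_syn_probe(replies, max_retries=2):
    """Return "open", "closed" or "filtered" for a SYN probe.

    `replies` holds what came back for the initial SYN and each
    retransmission, in order; at most max_retries + 1 attempts count.
    """
    for reply in replies[: max_retries + 1]:
        if reply is None:
            continue                  # timed out; the probe is retransmitted
        if reply["kind"] == "tcp":
            flags = set(reply["flags"])
            if {"S", "A"} <= flags:
                return "open"         # SYN/ACK: a listener (Nmap replies RST, never completing the handshake)
            if "R" in flags:
                return "closed"       # RST: nothing listening
        elif (reply["kind"] == "icmp" and reply["type"] == 3
              and reply["code"] in FILTERED_ICMP_CODES):
            return "filtered"         # unreachable error from a firewall or router
        # any other reply is ignored and the probe is retried
    return "filtered"                 # nothing usable after all retransmissions


# Constructed sample probes keyed by port (not captured traffic).
SAMPLE_PROBES = {
    22: [{"kind": "tcp", "flags": "SA"}],
    23: [{"kind": "tcp", "flags": "RA"}],
    80: [None, None, {"kind": "icmp", "type": 3, "code": 13}],
    443: [None, None, None],
}


def classify_all(probes, max_retries=2):
    """Classify every port in a probes mapping."""
    return {port: classify_syn_probe(r, max_retries) for port, r in probes.items()}
```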
|
-n (No DNS resolution)
Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
|
--open (Show only open (or possibly open) ports)
Sometimes you only care about ports you can actually connect to (open ones), and don't want results
cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done
after the scan using tools such as grep, awk, and Perl, but this feature was added due to
overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These
three ports are treated just as they normally are, which means that open|filtered and unfiltered may
be condensed into counts if there are an overwhelming number of them.
|
--min-hostgroup numhosts; --max-hostgroup numhosts (Adjust parallel scan group sizes)
Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by
dividing the target IP space into groups and then scanning one group at a time. In general, larger
groups are more efficient. The downside is that host results can't be provided until the whole group
is finished. So if Nmap started out with a group size of 50, the user would not receive any reports
(except for the updates offered in verbose mode) until the first 50 hosts are completed.
By default, Nmap takes a compromise approach to this conflict. It starts out with a group size as low
as five so the first results come quickly and then increases the group size to as high as 1024. The
exact default numbers depend on the options given. For efficiency reasons, Nmap uses larger group
sizes for UDP or few-port TCP scans.
When a maximum group size is specified with --max-hostgroup, Nmap will never exceed that size.
Specify a minimum size with --min-hostgroup and Nmap will try to keep group sizes above that level.
Nmap may have to use smaller groups than you specify if there are not enough target hosts left on a
given interface to fulfill the specified minimum. Both may be set to keep the group size within a
specific range, though this is rarely desired.
These options do not have an effect during the host discovery phase of a scan. This includes plain
ping scans (-sP). Host discovery always works in large groups of hosts to improve speed and accuracy.
The primary use of these options is to specify a large minimum group size so that the full scan runs
more quickly. A common choice is 256 to scan a network in Class C sized chunks. For a scan with many
ports, exceeding that number is unlikely to help much. For scans of just a few port numbers, host
group sizes of 2048 or more may be helpful.
|
--min-parallelism numprobes; --max-parallelism numprobes (Adjust probe parallelization)
These options control the total number of probes that may be outstanding for a host group. They are
used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal
parallelism based on network performance. If packets are being dropped, Nmap slows down and allows
fewer outstanding probes. The ideal probe number slowly rises as the network proves itself worthy.
These options place minimum or maximum bounds on that variable. By default, the ideal parallelism can
drop to one if the network proves unreliable and rise to several hundred in perfect conditions.
The most common usage is to set --min-parallelism to a number higher than one to speed up scans of
poorly performing hosts or networks. This is a risky option to play with, as setting it too high may
affect accuracy. Setting this also reduces Nmap's ability to control parallelism dynamically based on
network conditions. A value of ten might be reasonable, though I only adjust this value as a last
resort.
The --max-parallelism option is sometimes set to one to prevent Nmap from sending more than one probe
at a time to hosts. The --scan-delay option, discussed later, is another way to do this.
|
--host-timeout time (Give up on slow target hosts)
Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable
networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few
percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your
losses and skip those hosts initially. Specify --host-timeout with the maximum amount of time you are
willing to wait. For example, specify 30m to ensure that Nmap doesn't waste more than half an hour on
a single host. Note that Nmap may be scanning other hosts at the same time during that half an hour,
so it isn't a complete loss. A host that times out is skipped. No port table, OS detection, or
version detection results are printed for that host.
|
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
While the fine-grained timing controls discussed in the previous section are powerful and effective,
some people find them confusing. Moreover, choosing the appropriate values can sometimes take more
time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing
templates. You can specify them with the -T option and their number (0–5) or their name. The template
names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first
two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine
resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by
making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode
assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for
speed.
These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick
the exact timing values. The templates also make some minor speed adjustments for which fine-grained
control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from
exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination
with fine-grained controls, and the fine-grained controls you specify will take precedence over
the timing template default for that parameter. I recommend using -T4 when scanning reasonably modern
and reliable networks. Keep that option even when you add fine-grained controls so that you benefit
from those extra minor optimizations that it enables.
If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some
people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they
think it is less likely to crash hosts or because they consider themselves to be polite in general.
They often don't realize just how slow -T polite really is. Their scan may take ten times longer
than a default scan. Machine crashes and bandwidth problems are rare with the default timing options
(-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more
effective than playing with timing values at reducing these problems.
While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long
time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact
timing values you need rather than rely on the canned -T0 and -T1 values.
The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting
five minutes between sending each probe. T1 and T2 are similar but they only wait 15 seconds and 0.4
seconds, respectively, between probes. T3 is Nmap's default behavior, which includes
parallelization. -T4 does the equivalent of --max-rtt-timeout 1250 --initial-rtt-timeout 500
--max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds. T5 does the equivalent of
--max-rtt-timeout 300 --min-rtt-timeout 50 --initial-rtt-timeout 250 --max-retries 2 --host-timeout
15m as well as setting the maximum TCP scan delay to 5 ms.
|
-v (Increase verbosity level)
Increases the verbosity level, causing Nmap to print more information about the scan in progress.
Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
scan will take more than a few minutes. Use it twice or more for even greater verbosity.
Most changes only affect interactive output, and some also affect normal and script kiddie output.
The other output types are meant to be processed by machines, so Nmap can give substantial detail by
default in those formats without fatiguing a human user. However, there are a few changes in other
modes where output size can be reduced substantially by omitting some detail. For example, a comment
line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
because it can be quite long.
|
-p port ranges (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by the name they are given in nmap-services.
You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
|
-iL inputfilename (Input from list)
Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the
command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000
current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those to
locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and
pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats
accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry
must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the
filename if you want Nmap to read hosts from standard input rather than an actual file.
The input file may contain comments that start with # and extend to the end of the line.
|
-oX filespec (XML output)
Requests that XML output be directed to the given filename. Nmap includes a document type definition
(DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for
programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal
elements of the format, and often enumerates the attributes and values they can take on. The latest
version is always available from http://nmap.org/data/nmap.dtd.
XML offers a stable format that is easily parsed by software. Free XML parsers are available for all
major computer languages, including C/C++, Perl, Python, and Java. People have even written bindings
for most of these languages to handle Nmap output and execution specifically. Examples are
Nmap::Scanner[15] and Nmap::Parser[16] in Perl CPAN. In almost all cases that a non-trivial
application interfaces with Nmap, XML is the preferred format.
The XML output references an XSL stylesheet which can be used to format the results as HTML. The
easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By
default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to
the hard-coded nmap.xsl filesystem path. Use the --webxml or --stylesheet options to create portable
XML files that render as HTML on any web-connected machine.
|