Network exploration tool and security / port scanner
|
-sS (TCP SYN scan) .
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN
scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works
against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as
Nmap´s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
between the open, closed, and filtered states.
This technique is often referred to as half-open scanning, because you don´t open a full TCP
connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a
non-listener. If no response is received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10,
or 13) is received.
|
-sU (UDP scans) .
While most popular services on the Internet run over the TCP protocol, UDP[6] services are widely
deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common.
Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore
these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly
don´t ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan
(-sS) to check both protocols during the same run.
UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and
161, a protocol-specific payload is sent, but for most ports the packet is empty.. The --data-length
option can be used to send a fixed-length random payload to every port. If an ICMP port unreachable
error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes
1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP
packet, proving that it is open. If no response is received after retransmissions, the port is
classified as open|filtered. This means that the port could be open, or perhaps packet filters are
blocking the communication. Version detection (-sV) can be used to help differentiate the truly open
ports from the filtered ones.
A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any
response, leaving Nmap to time out and then conduct retransmissions just in case the probe or
response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP
port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or
connect scan, many hosts rate limit. ICMP port unreachable messages by default. Linux and Solaris
are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination
unreachable messages to one per second (in net/ipv4/icmp.c).
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless
packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per
second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include
scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from
behind the firewall, and using --host-timeout to skip slow hosts.
|
-p port ranges (Only scan specified ports) .
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero. is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111,and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by name according to what the port is referred to
in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
|
-O (Enable OS detection) .
Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS detection along
with other things.
|
--script filename|category|directory|expression|all[,...] .
Runs a script scan using the comma-separated list of filenames, script categories, and directories.
Each element in the list may also be a Boolean expression describing a more complex set of scripts.
Each element is interpreted first as an expression, then as a category, and finally as a file or
directory name. The special argument all makes every script in Nmap´s script database eligible to
run. The all argument should be used with caution as NSE may contain dangerous scripts including
exploits, brute force authentication crackers, and denial of service attacks.
File and directory names may be relative or absolute. Absolute names are used directly. Relative
paths are looked for in the following places until found:
--datadir
$NMAPDIR
~/.nmap (not searched on Windows)
NMAPDATADIR
the current directory
A scripts subdirectory is also tried in each of these.
When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
other files are ignored and directories are not searched recursively. When a filename is given, it
does not have to have the .nse extension; it will be added automatically if necessary. Nmap scripts
are stored in a scripts subdirectory of the Nmap data directory by default (see
http://nmap.org/book/data-files.html).
For efficiency, scripts are indexed in a database stored in scripts/script.db,. which lists the
category or categories in which each script belongs. When referring to scripts from script.db by
name, you can use a shell-style ‘*’ wildcard.
nmap --script "http-*"
Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
The argument to --script had to be in quotes to protect the wildcard from the shell.
More complicated script selection can be done using the and, or, and not operators to build Boolean
expressions. The operators have the same precedence[12] as in Lua: not is the highest, followed by
and and then or. You can alter precedence by using parentheses. Because expressions contain space
characters it is necessary to quote them.
nmap --script "not intrusive"
Loads every script except for those in the intrusive category.
nmap --script "default or safe"
This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
the default category or the safe category or both.
nmap --script "default and safe"
Loads those scripts that are in both the default and safe categories.
nmap --script "(default or safe or intrusive) and not http-*"
Loads scripts in the default, safe, or intrusive categories, except for those whose names start
with http-.
|
-sV (Version detection) .
Enables version detection, as discussed above. Alternatively, you can use -A, which enables version
detection among other things.
|
--allports (Don´t exclude any ports from version detection) .
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything
sent to that port, leading to dozens of pages of HTTP GET requests, binary SSL session requests, etc.
This behavior can be changed by modifying or removing the Exclude directive in nmap-service-probes,
or you can specify --allports to scan all ports regardless of any Exclude directive.
|
--version-all (Try every single probe) .
An alias for --version-intensity 9, ensuring that every single probe is attempted against each port.
|
-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template) .
While the fine-grained timing controls discussed in the previous section are powerful and effective,
some people find them confusing. Moreover, choosing the appropriate values can sometimes take more
time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing
templates. You can specify them with the -T option and their number (0–5) or their name. The template
names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first
two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine
resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by
making the assumption that you are on a reasonably fast and reliable network. Finally insane mode.
assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for
speed.
These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick
the exact timing values. The templates also make some minor speed adjustments for which fine-grained
control options do not currently exist. For example, -T4. prohibits the dynamic scan delay from
exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used in combination
with fine-grained controls, and the fine-grained controls will you specify will take precedence over
the timing template default for that parameter. I recommend using -T4 when scanning reasonably modern
and reliable networks. Keep that option even when you add fine-grained controls so that you benefit
from those extra minor optimizations that it enables.
If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some
people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because they
think it is less likely to crash hosts or because they consider themselves to be polite in general.
They often don´t realize just how slow -T polite. really is. Their scan may take ten times longer
than a default scan. Machine crashes and bandwidth problems are rare with the default timing options
(-T3) and so I normally recommend that for cautious scanners. Omitting version detection is far more
effective than playing with timing values at reducing these problems.
While -T0. and -T1. may be useful for avoiding IDS alerts, they will take an extraordinarily long
time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact
timing values you need rather than rely on the canned -T0 and -T1 values.
The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting
five minutes between sending each probe. T1 and T2 are similar but they only wait 15 seconds and 0.4
seconds, respectively, between probes. T3 is Nmap´s default behavior, which includes
parallelization.. -T4 does the equivalent of --max-rtt-timeout 1250 --initial-rtt-timeout 500
--max-retries 6 and sets the maximum TCP scan delay to 10 milliseconds. T5 does the equivalent of
--max-rtt-timeout 300 --min-rtt-timeout 50 --initial-rtt-timeout 250 --max-retries 2 --host-timeout
15m as well as setting the maximum TCP scan delay to 5 ms.
|