nmap(1) -sS -sV --script=default,vuln -Pn --open --min-hostgroup 256 --min-rate 5000 --max-retries 3 --script-timeout 300 -d --stylesheet https://raw.githubusercontent.com/pentestfactory/nmap-bootstrap-xsl/stable/nmap-bootstrap.xsl -oA nmap_advanced_portscan -vvv -p
Network exploration tool and security / port scanner
-sS (TCP SYN scan)
    SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
    scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN
    scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works
    against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as
    Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
    between the open, closed, and filtered states.

    This technique is often referred to as half-open scanning, because you don't open a full TCP
    connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
    response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a
    non-listener. If no response is received after several retransmissions, the port is marked as
    filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10,
    or 13) is received.
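
The same exchange seen from the defending side: a sketch that replays packet summaries, records the state a SYN scanner would infer for each port, and reports clients that probed several ports without ever completing a handshake. This is an added example, not part of the Nmap manual; the record layout, the addresses and the min_ports threshold are assumptions made for illustration.

```python
from collections import defaultdict

SERVER = "192.0.2.10"
# Constructed packet summaries: (source, destination, server-side port, TCP flags).
PACKETS = [
    ("198.51.100.7", SERVER, 22, "S"), (SERVER, "198.51.100.7", 22, "SA"),
    ("198.51.100.7", SERVER, 23, "S"), (SERVER, "198.51.100.7", 23, "RA"),
    ("198.51.100.7", SERVER, 80, "S"), (SERVER, "198.51.100.7", 80, "SA"),
    ("198.51.100.7", SERVER, 445, "S"),                  # no reply at all
    ("203.0.113.5", SERVER, 80, "S"), (SERVER, "203.0.113.5", 80, "SA"),
    ("203.0.113.5", SERVER, 80, "A"),                    # handshake completed
]


def probed_ports(packets, server):
    """Per client, the state a SYN scan would infer for each port it never completed."""
    seen = defaultdict(dict)
    for src, dst, port, flags in packets:
        if dst == server and flags == "S":
            seen[src].setdefault(port, "filtered")       # no answer seen yet
        elif src == server and port in seen[dst]:
            if flags == "SA":
                seen[dst][port] = "open"                 # SYN/ACK: listener
            elif "R" in flags:
                seen[dst][port] = "closed"               # RST: non-listener
        elif dst == server and flags == "A" and seen[src].get(port) == "open":
            seen[src][port] = "established"              # full three-way handshake
    return {client: {p: s for p, s in ports.items() if s != "established"}
            for client, ports in seen.items()}


def half_open_scanners(packets, server, min_ports=3):
    """Clients with at least min_ports probed-but-never-connected ports (assumed threshold)."""
    return {client: ports for client, ports in probed_ports(packets, server).items()
            if len(ports) >= min_ports}
```
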
-sV (Version detection)
    Enables version detection, as discussed above. Alternatively, you can use -A, which enables version
    detection among other things.
--script filename|category|directory|expression|all[,...]
    Runs a script scan using the comma-separated list of filenames, script categories, and directories.
    Each element in the list may also be a Boolean expression describing a more complex set of scripts.
    Each element is interpreted first as an expression, then as a category, and finally as a file or
    directory name. The special argument all makes every script in Nmap's script database eligible to
    run. The all argument should be used with caution as NSE may contain dangerous scripts including
    exploits, brute force authentication crackers, and denial of service attacks.

    File and directory names may be relative or absolute. Absolute names are used directly. Relative
    paths are looked for in the following places until found:
        --datadir
        $NMAPDIR
        ~/.nmap (not searched on Windows)
        NMAPDATADIR
        the current directory
    A scripts subdirectory is also tried in each of these.

    When a directory name is given, Nmap loads every file in the directory whose name ends with .nse. All
    other files are ignored and directories are not searched recursively. When a filename is given, it
    does not have to have the .nse extension; it will be added automatically if necessary.  Nmap scripts
    are stored in a scripts subdirectory of the Nmap data directory by default (see
    http://nmap.org/book/data-files.html).

    For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the
    category or categories in which each script belongs.  When referring to scripts from script.db by
    name, you can use a shell-style ‘*’ wildcard.

    nmap --script "http-*"
        Loads all scripts whose name starts with http-, such as http-auth.nse and http-open-proxy.nse.
        The argument to --script had to be in quotes to protect the wildcard from the shell.

    More complicated script selection can be done using the and, or, and not operators to build Boolean
    expressions. The operators have the same precedence[12] as in Lua: not is the highest, followed by
    and and then or. You can alter precedence by using parentheses. Because expressions contain space
    characters it is necessary to quote them.

    nmap --script "not intrusive"
        Loads every script except for those in the intrusive category.

    nmap --script "default or safe"
        This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in
        the default category or the safe category or both.

    nmap --script "default and safe"
        Loads those scripts that are in both the default and safe categories.

    nmap --script "(default or safe or intrusive) and not http-*"
        Loads scripts in the default, safe, or intrusive categories, except for those whose names start
        with http-.
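
A way to check what a --script argument such as default,vuln would load before running it, and which of the selected scripts are tagged intrusive. This is an added example and not Nmap's own selection code: it is a simplified evaluator for the category, wildcard and Boolean rules described above (file and directory elements are not handled), and the script.db entries in it are constructed.

```python
import re
# Constructed sample in the layout of scripts/script.db; category sets are illustrative.
SAMPLE_DB = '''
Entry { filename = "http-auth.nse", categories = { "auth", "default", "safe", } }
Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "example-vuln-check.nse", categories = { "intrusive", "vuln", } }
'''

def load_db(text):
    entries = re.findall(r'filename = "([^"]+)\.nse", categories = \{([^}]*)\}', text)
    return {name: set(re.findall(r'"([^"]+)"', cats)) for name, cats in entries}

def matches(expr, name, cats):
    """Evaluate one --script element: not binds tightest, then and, then or."""
    toks, pos = re.findall(r'[()]|[^\s()]+', expr), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        tok = take()
        if tok == 'not':
            return not atom()
        if tok == '(':
            val = or_expr()
            take()  # consume the closing ')'
            return val
        # A word is "all", a category name, or a script name with * wildcards.
        pattern = re.escape(re.sub(r'\.nse$', '', tok)).replace(r'\*', '.*')
        return tok == 'all' or tok in cats or re.fullmatch(pattern, name) is not None
    def chain(operand, word, combine):
        val = operand()
        while pos < len(toks) and toks[pos] == word:
            take()
            val = combine(val, operand())
        return val
    def and_expr():
        return chain(atom, 'and', lambda a, b: a and b)
    def or_expr():
        return chain(and_expr, 'or', lambda a, b: a or b)
    return or_expr()

def select(spec, db):
    rules = [r.strip() for r in spec.split(',')]
    return sorted(n for n, c in db.items() if any(matches(r, n, c) for r in rules))

def intrusive_selected(spec, db):
    return [n for n in select(spec, db) if 'intrusive' in db[n]]
```
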
-n (No DNS resolution)
    Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be
    slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.
--open (Show only open (or possibly open) ports)
    Sometimes you only care about ports you can actually connect to (open ones), and don't want results
    cluttered with closed, filtered, and closed|filtered ports. Output customization is normally done
    after the scan using tools such as grep, awk, and Perl, but this feature was added due to
    overwhelming requests. Specify --open to only see open, open|filtered, and unfiltered ports. These
    three states are treated just as they normally are, which means that open|filtered and unfiltered may
    be condensed into counts if there are an overwhelming number of them.
nmap [Scan Type...] [Options] {target specification}
--min-rate number; --max-rate number (Directly control the scanning rate)
    Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes,
    however, you may happen to know an appropriate scanning rate for a network, or you may have to
    guarantee that a scan will be finished by a certain time. Or perhaps you must keep Nmap from scanning
    too quickly. The --min-rate and --max-rate options are designed for these situations.

    When the --min-rate option is given Nmap will do its best to send packets as fast as or faster than
    the given rate. The argument is a positive real number representing a packet rate in packets per
    second. For example, specifying --min-rate 300 means that Nmap will try to keep the sending rate at
    or above 300 packets per second. Specifying a minimum rate does not keep Nmap from going faster if
    conditions warrant.

    Likewise, --max-rate limits a scan's sending rate to a given maximum. Use --max-rate 100, for
    example, to limit sending to 100 packets per second on a fast network. Use --max-rate 0.1 for a slow
    scan of one packet every ten seconds. Use --min-rate and --max-rate together to keep the rate inside
    a certain range.

    These two options are global, affecting an entire scan, not individual hosts. They only affect port
    scans and host discovery scans. Other features like OS detection implement their own timing.

    There are two conditions when the actual scanning rate may fall below the requested minimum. The
    first is if the minimum is faster than the fastest rate at which Nmap can send, which is dependent on
    hardware. In this case Nmap will simply send packets as fast as possible, but be aware that such high
    rates are likely to cause a loss of accuracy. The second case is when Nmap has nothing to send, for
    example at the end of a scan when the last probes have been sent and Nmap is waiting for them to time
    out or be responded to. It's normal to see the scanning rate drop at the end of a scan or in between
    hostgroups. The sending rate may temporarily exceed the maximum to make up for unpredictable delays,
    but on average the rate will stay at or below the maximum.

    Specifying a minimum rate should be done with care. Scanning faster than a network can support may
    lead to a loss of accuracy. In some cases, using a faster rate can make a scan take longer than it
    would with a slower rate. This is because Nmap's adaptive retransmission algorithms will detect the
    network congestion caused by an excessive scanning
    rate and increase the number of retransmissions in order to improve accuracy. So even though packets
    are sent at a higher rate, more packets are sent overall. Cap the number of retransmissions with the
    --max-retries option if you need to set an upper limit on total scan time.
--max-retries numtries (Specify the maximum number of port scan probe retransmissions)
    When Nmap receives no response to a port scan probe, it could mean the port is filtered. Or maybe the
    probe or response was simply lost on the network. It is also possible that the target host has rate
    limiting enabled that temporarily blocked the response. So Nmap tries again by retransmitting the
    initial probe. If Nmap detects poor network reliability, it may try many more times before giving up
    on a port. While this benefits accuracy, it also lengthens scan times. When performance is critical,
    scans may be sped up by limiting the number of retransmissions allowed. You can even specify
    --max-retries 0 to prevent any retransmissions, though that is only recommended for situations such
    as informal surveys where occasional missed ports and hosts are acceptable.

    The default (with no -T template) is to allow ten retransmissions. If a network seems reliable and
    the target hosts aren't rate limiting, Nmap usually only does one retransmission. So most target
    scans aren't even affected by dropping --max-retries to a low value such as three. Such values can
    substantially speed scans of slow (rate limited) hosts. You usually lose some information when Nmap
    gives up on ports early, though that may be preferable to letting the --host-timeout expire and
    losing all information about the target.
-d [level] (Increase or set debugging level)
    When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you
    with much more! As with the verbosity option (-v), debugging is enabled with a command-line flag (-d)
    and the debug level can be increased by specifying it multiple times. Alternatively, you can set a
    debug level by giving an argument to -d. For example, -d9 sets level nine. That is the highest
    effective level and will produce thousands of lines unless you run a very simple scan with very few
    ports and targets.

    Debugging output is useful when a bug is suspected in Nmap, or if you are simply confused as to what
    Nmap is doing and why. As this feature is mostly intended for developers, debug lines aren't always
    self-explanatory. You may get something like: Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta
    14987 ==> srtt: 14987 rttvar: 14987 to: 100000. If you don't understand a line, your only recourses
    are to ignore it, look it up in the source code, or request help from the development list
    (nmap-dev). Some lines are self explanatory, but the messages become more obscure as the debug
    level is increased.
--stylesheet path or URL (Set XSL stylesheet to transform XML output)
    Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML.  The
    XML output includes an xml-stylesheet directive which points to nmap.xsl where it was initially
    installed by Nmap (or in the current working directory on Windows). Simply load Nmap's XML output in
    a modern web browser and it should retrieve nmap.xsl from the filesystem and use it to render
    results. If you wish to use a different stylesheet, specify it as the argument to --stylesheet. You
    must pass the full pathname or URL. One common invocation is --stylesheet
    http://nmap.org/data/nmap.xsl. This tells a browser to load the latest version of the stylesheet from
    Nmap.Org. The --webxml option does the same thing with less typing and memorization. Loading the XSL
    from Nmap.Org makes it easier to view results on a machine that doesn't have Nmap (and thus nmap.xsl)
    installed. So the URL is often more useful, but the local filesystem location of nmap.xsl is used by
    default for privacy reasons.
-oA basename (Output to all formats)
    As a convenience, you may specify -oA basename to store scan results in normal, XML, and grepable
    formats at once. They are stored in basename.nmap, basename.xml, and basename.gnmap, respectively. As
    with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/
    on Unix or c:\hacking\sco on Windows.
-v (Increase verbosity level)
    Increases the verbosity level, causing Nmap to print more information about the scan in progress.
    Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
    scan will take more than a few minutes. Use it twice or more for even greater verbosity.

    Most changes only affect interactive output, and some also affect normal and script kiddie output.
    The other output types are meant to be processed by machines, so Nmap can give substantial detail by
    default in those formats without fatiguing a human user. However, there are a few changes in other
    modes where output size can be reduced substantially by omitting some detail. For example, a comment
    line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
    because it can be quite long.
-p port ranges (Only scan specified ports)
    This option specifies which ports you want to scan and overrides the default. Individual port numbers
    are OK, as are ranges separated by a hyphen (e.g.  1-1023). The beginning and/or end values of a
    range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
    ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP
    protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

    When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
    numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
    argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and 137, as well as the
    listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
    scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
    to all protocol lists.  Ports can also be specified by name according to what the port is referred to
    in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
    and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
    quote the argument to -p if unsure.

    Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
    in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
    1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
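
The numeric part of the -p syntax above, expanded into explicit TCP and UDP port lists so a scan profile can be compared with an agreed scope before it runs. This is an added example, not code from Nmap: service names, wildcards and bracketed ranges are left out because they depend on nmap-services, and outside_scope with its allowed mapping is a hypothetical helper.

```python
import re


def parse_ports(spec):
    """Expand a numeric -p argument into sorted TCP and UDP port lists."""
    ports = {"T": set(), "U": set()}
    active = ("T", "U")              # no qualifier yet: add to all protocol lists
    for item in spec.split(","):
        item = item.strip()
        qualifier = re.match(r"([TU]):", item)
        if qualifier:                # T: or U: lasts until the next qualifier
            active = (qualifier.group(1),)
            item = item[2:]
        if not item:
            continue
        m = re.fullmatch(r"(\d*)(-?)(\d*)", item)
        if not m:
            raise ValueError(f"unsupported port item: {item!r}")
        lo, dash, hi = m.groups()
        start = int(lo) if lo else 1                          # omitted beginning means 1
        end = int(hi) if hi else (65535 if dash else start)   # omitted end means 65535
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"bad range: {item!r}")
        for proto in active:
            ports[proto].update(range(start, end + 1))
    return {proto: sorted(vals) for proto, vals in ports.items()}


def outside_scope(spec, allowed):
    """Ports a -p argument would probe that are not in the allowed sets (hypothetical helper)."""
    scanned = parse_ports(spec)
    return {proto: [p for p in scanned[proto] if p not in allowed.get(proto, ())]
            for proto in scanned}
```
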
source manpages: nmap