-v (Increase verbosity level) .
Increases the verbosity level, causing Nmap to print more information about the scan in progress.
Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a
scan will take more than a few minutes. Use it twice or more for even greater verbosity.
Most changes only affect interactive output, and some also affect normal and script kiddie output.
The other output types are meant to be processed by machines, so Nmap can give substantial detail by
default in those formats without fatiguing a human user. However, there are a few changes in other
modes where output size can be reduced substantially by omitting some detail. For example, a comment
line in the grepable output that provides a list of all ports scanned is only printed in verbose mode
because it can be quite long.
|
-sS (TCP SYN scan) .
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN
scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works
against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as
Nmap´s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation
between the open, closed, and filtered states.
This technique is often referred to as half-open scanning, because you don´t open a full TCP
connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a
non-listener. If no response is received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10,
or 13) is received.
|
-p port ranges (Only scan specified ports) .
This option specifies which ports you want to scan and overrides the default. Individual port numbers
are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a
range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan
ports from 1 through 65535. Scanning port zero. is allowed if you specify it explicitly. For IP
protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port
numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the
argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111,and 137, as well as the
listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one TCP
scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added
to all protocol lists. Ports can also be specified by name according to what the port is referred to
in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP
and all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and
quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear
in nmap-services. For example, the following will scan all ports in nmap-services equal to or below
1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.
|
--max-retries numtries (Specify the maximum number of port scan probe retransmissions) .
When Nmap receives no response to a port scan probe, it could mean the port is filtered. Or maybe the
probe or response was simply lost on the network. It is also possible that the target host has rate
limiting enabled that temporarily blocked the response. So Nmap tries again by retransmitting the
initial probe. If Nmap detects poor network reliability, it may try many more times before giving up
on a port. While this benefits accuracy, it also lengthen scan times. When performance is critical,
scans may be sped up by limiting the number of retransmissions allowed. You can even specify
--max-retries 0 to prevent any retransmissions, though that is only recommended for situations such
as informal surveys where occasional missed ports and hosts are acceptable.
The default (with no -T template) is to allow ten retransmissions. If a network seems reliable and
the target hosts aren´t rate limiting, Nmap usually only does one retransmission. So most target
scans aren´t even affected by dropping --max-retries to a low value such as three. Such values can
substantially speed scans of slow (rate limited) hosts. You usually lose some information when Nmap
gives up on ports early, though that may be preferable to letting the --host-timeout expire and
losing all information about the target.
|