1NMAP(1)                      Nmap Reference Guide                      NMAP(1)
2
3
4

NAME

6       nmap - Network exploration tool and security / port scanner
7

SYNOPSIS

9       nmap [Scan Type...] [Options] {target specification}
10

DESCRIPTION

12       Nmap (“Network Mapper”) is an open source tool for network exploration
13       and security auditing. It was designed to rapidly scan large networks,
14       although it works fine against single hosts. Nmap uses raw IP packets
15       in novel ways to determine what hosts are available on the network,
16       what services (application name and version) those hosts are offering,
17       what operating systems (and OS versions) they are running, what type of
18       packet filters/firewalls are in use, and dozens of other
19       characteristics. While Nmap is commonly used for security audits, many
20       systems and network administrators find it useful for routine tasks
21       such as network inventory, managing service upgrade schedules, and
22       monitoring host or service uptime.
23
24       The output from Nmap is a list of scanned targets, with supplemental
25       information on each depending on the options used. Key among that
26       information is the “interesting ports table”..  That table lists the
27       port number and protocol, service name, and state. The state is either
28       open, filtered, closed, or unfiltered.  Open.  means that an
29       application on the target machine is listening for connections/packets
30       on that port.  Filtered.  means that a firewall, filter, or other
31       network obstacle is blocking the port so that Nmap cannot tell whether
32       it is open or closed.  Closed.  ports have no application listening on
33       them, though they could open up at any time. Ports are classified as
34       unfiltered.  when they are responsive to Nmap's probes, but Nmap cannot
35       determine whether they are open or closed. Nmap reports the state
36       combinations open|filtered.  and closed|filtered.  when it cannot
37       determine which of the two states describe a port. The port table may
38       also include software version details when version detection has been
39       requested. When an IP protocol scan is requested (-sO), Nmap provides
40       information on supported IP protocols rather than listening ports.
41
42       In addition to the interesting ports table, Nmap can provide further
43       information on targets, including reverse DNS names, operating system
44       guesses, device types, and MAC addresses.
45
46       A typical Nmap scan is shown in Example 1. The only Nmap arguments used
47       in this example are -A, to enable OS and version detection, script
48       scanning, and traceroute; -T4 for faster execution; and then the two
49       target hostnames.
50
51       Example 1. A representative Nmap scan
52
53           # nmap -A -T4 scanme.nmap.org
54
55           Nmap scan report for scanme.nmap.org (74.207.244.221)
56           Host is up (0.029s latency).
57           rDNS record for 74.207.244.221: li86-221.members.linode.com
58           Not shown: 995 closed ports
59           PORT     STATE    SERVICE     VERSION
60           22/tcp   open     ssh         OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
61           | ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
62           |_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
63           80/tcp   open     http        Apache httpd 2.2.14 ((Ubuntu))
64           |_http-title: Go ahead and ScanMe!
65           646/tcp  filtered ldp
66           1720/tcp filtered H.323/Q.931
67           9929/tcp open     nping-echo  Nping echo
68           Device type: general purpose
69           Running: Linux 2.6.X
70           OS CPE: cpe:/o:linux:linux_kernel:2.6.39
71           OS details: Linux 2.6.39
72           Network Distance: 11 hops
73           Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
74
75           TRACEROUTE (using port 53/tcp)
76           HOP RTT      ADDRESS
77           [Cut first 10 hops for brevity]
78           11  17.65 ms li86-221.members.linode.com (74.207.244.221)
79
80           Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
81
82       The newest version of Nmap can be obtained from http://nmap.org. The
83       newest version of this man page is available at
84       http://nmap.org/book/man.html.  It is also included as a chapter of
85       Nmap Network Scanning: The Official Nmap Project Guide to Network
86       Discovery and Security Scanning (see http://nmap.org/book/).
87

OPTIONS SUMMARY

89       This options summary is printed when Nmap is run with no arguments, and
90       the latest version is always available at
91       https://svn.nmap.org/nmap/docs/nmap.usage.txt. It helps people remember
92       the most common options, but is no substitute for the in-depth
93       documentation in the rest of this manual. Some obscure options aren't
94       even included here.
95
96           Nmap 6.40 ( http://nmap.org )
97           Usage: nmap [Scan Type(s)] [Options] {target specification}
98           TARGET SPECIFICATION:
99             Can pass hostnames, IP addresses, networks, etc.
100             Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254
101             -iL <inputfilename>: Input from list of hosts/networks
102             -iR <num hosts>: Choose random targets
103             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
104             --excludefile <exclude_file>: Exclude list from file
105           HOST DISCOVERY:
106             -sL: List Scan - simply list targets to scan
107             -sn: Ping Scan - disable port scan
108             -Pn: Treat all hosts as online -- skip host discovery
109             -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
110             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
111             -PO[protocol list]: IP Protocol Ping
112             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
113             --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
114             --system-dns: Use OS's DNS resolver
115             --traceroute: Trace hop path to each host
116           SCAN TECHNIQUES:
117             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
118             -sU: UDP Scan
119             -sN/sF/sX: TCP Null, FIN, and Xmas scans
120             --scanflags <flags>: Customize TCP scan flags
121             -sI <zombie host[:probeport]>: Idle scan
122             -sY/sZ: SCTP INIT/COOKIE-ECHO scans
123             -sO: IP protocol scan
124             -b <FTP relay host>: FTP bounce scan
125           PORT SPECIFICATION AND SCAN ORDER:
126             -p <port ranges>: Only scan specified ports
127               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
128             -F: Fast mode - Scan fewer ports than the default scan
129             -r: Scan ports consecutively - don't randomize
130             --top-ports <number>: Scan <number> most common ports
131             --port-ratio <ratio>: Scan ports more common than <ratio>
132           SERVICE/VERSION DETECTION:
133             -sV: Probe open ports to determine service/version info
134             --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
135             --version-light: Limit to most likely probes (intensity 2)
136             --version-all: Try every single probe (intensity 9)
137             --version-trace: Show detailed version scan activity (for debugging)
138           SCRIPT SCAN:
139             -sC: equivalent to --script=default
140             --script=<Lua scripts>: <Lua scripts> is a comma separated list of
141                      directories, script-files or script-categories
142             --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
143             --script-args-file=filename: provide NSE script args in a file
144             --script-trace: Show all data sent and received
145             --script-updatedb: Update the script database.
146             --script-help=<Lua scripts>: Show help about scripts.
147                      <Lua scripts> is a comma separated list of script-files or
148                      script-categories.
149           OS DETECTION:
150             -O: Enable OS detection
151             --osscan-limit: Limit OS detection to promising targets
152             --osscan-guess: Guess OS more aggressively
153           TIMING AND PERFORMANCE:
154             Options which take <time> are in seconds, or append 'ms' (milliseconds),
155             's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
156             -T<0-5>: Set timing template (higher is faster)
157             --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
158             --min-parallelism/max-parallelism <numprobes>: Probe parallelization
159             --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
160                 probe round trip time.
161             --max-retries <tries>: Caps number of port scan probe retransmissions.
162             --host-timeout <time>: Give up on target after this long
163             --scan-delay/--max-scan-delay <time>: Adjust delay between probes
164             --min-rate <number>: Send packets no slower than <number> per second
165             --max-rate <number>: Send packets no faster than <number> per second
166           FIREWALL/IDS EVASION AND SPOOFING:
167             -f; --mtu <val>: fragment packets (optionally w/given MTU)
168             -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
169             -S <IP_Address>: Spoof source address
170             -e <iface>: Use specified interface
171             -g/--source-port <portnum>: Use given port number
172             --data-length <num>: Append random data to sent packets
173             --ip-options <options>: Send packets with specified ip options
174             --ttl <val>: Set IP time-to-live field
175             --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
176             --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
177           OUTPUT:
178             -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
179                and Grepable format, respectively, to the given filename.
180             -oA <basename>: Output in the three major formats at once
181             -v: Increase verbosity level (use -vv or more for greater effect)
182             -d: Increase debugging level (use -dd or more for greater effect)
183             --reason: Display the reason a port is in a particular state
184             --open: Only show open (or possibly open) ports
185             --packet-trace: Show all packets sent and received
186             --iflist: Print host interfaces and routes (for debugging)
187             --log-errors: Log errors/warnings to the normal-format output file
188             --append-output: Append to rather than clobber specified output files
189             --resume <filename>: Resume an aborted scan
190             --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
191             --webxml: Reference stylesheet from Nmap.Org for more portable XML
192             --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
193           MISC:
194             -6: Enable IPv6 scanning
195             -A: Enable OS detection, version detection, script scanning, and traceroute
196             --datadir <dirname>: Specify custom Nmap data file location
197             --send-eth/--send-ip: Send using raw ethernet frames or IP packets
198             --privileged: Assume that the user is fully privileged
199             --unprivileged: Assume the user lacks raw socket privileges
200             -V: Print version number
201             -h: Print this help summary page.
202           EXAMPLES:
203             nmap -v -A scanme.nmap.org
204             nmap -v -sn 192.168.0.0/16 10.0.0.0/8
205             nmap -v -iR 10000 -Pn -p 80
206           SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
207

TARGET SPECIFICATION

209       Everything on the Nmap command-line that isn't an option (or option
210       argument) is treated as a target host specification. The simplest case
211       is to specify a target IP address or hostname for scanning.
212
213       Sometimes you wish to scan a whole network of adjacent hosts. For this,
214       Nmap supports CIDR-style.  addressing. You can append /numbits to an
215       IPv4 address or hostname and Nmap will scan every IP address for which
216       the first numbits are the same as for the reference IP or hostname
217       given. For example, 192.168.10.0/24 would scan the 256 hosts between
218       192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and
219       192.168.10.255 (binary: 11000000 10101000 00001010 11111111),
220       inclusive.  192.168.10.40/24 would scan exactly the same targets. Given
221       that the host scanme.nmap.org.  is at the IP address 64.13.134.52, the
222       specification scanme.nmap.org/16 would scan the 65,536 IP addresses
223       between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0,
224       which targets the whole Internet. The largest value is /32, which scans
225       just the named host or IP address because all address bits are fixed.
226
227       CIDR notation is short but not always flexible enough. For example, you
228       might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or
229       .255 because they may be used as subnet network and broadcast
230       addresses. Nmap supports this through octet range addressing. Rather
231       than specify a normal IP address, you can specify a comma-separated
232       list of numbers or ranges for each octet. For example,
233       192.168.0-255.1-254 will skip all addresses in the range that end in .0
234       or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1,
235       192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may
236       be omitted; the default values are 0 on the left and 255 on the right.
237       Using - by itself is the same as 0-255, but remember to use 0- in the
238       first octet so the target specification doesn't look like a
239       command-line option. Ranges need not be limited to the final octets:
240       the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for
241       all IP addresses ending in 13.37. This sort of broad sampling can be
242       useful for Internet surveys and research.
243
244       IPv6 addresses can only be specified by their fully qualified IPv6
245       address or hostname. CIDR and octet ranges aren't yet supported for
246       IPv6.
247
248       IPv6 addresses with non-global scope need to have a zone ID suffix. On
249       Unix systems, this is a percent sign followed by an interface name; a
250       complete address might be fe80::a8bb:ccff:fedd:eeff%eth0. On Windows,
251       use an interface index number in place of an interface name:
252       fe80::a8bb:ccff:fedd:eeff%1. You can see a list of interface indexes by
253       running the command netsh.exe interface ipv6 show interface.
254
255       Nmap accepts multiple host specifications on the command line, and they
256       don't need to be the same type. The command nmap scanme.nmap.org
257       192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.
258
259       While targets are usually specified on the command lines, the following
260       options are also available to control target selection:
261
262       -iL inputfilename (Input from list) .
263           Reads target specifications from inputfilename. Passing a huge list
264           of hosts is often awkward on the command line, yet it is a common
265           desire. For example, your DHCP server might export a list of 10,000
266           current leases that you wish to scan. Or maybe you want to scan all
267           IP addresses except for those to locate hosts using unauthorized
268           static IP addresses. Simply generate the list of hosts to scan and
269           pass that filename to Nmap as an argument to the -iL option.
270           Entries can be in any of the formats accepted by Nmap on the
271           command line (IP address, hostname, CIDR, IPv6, or octet ranges).
272           Each entry must be separated by one or more spaces, tabs, or
273           newlines. You can specify a hyphen (-) as the filename if you want
274           Nmap to read hosts from standard input rather than an actual file.
275
276           The input file may contain comments that start with # and extend to
277           the end of the line.
278
279       -iR num hosts (Choose random targets) .
280           For Internet-wide surveys and other research, you may want to
281           choose targets at random. The num hosts argument tells Nmap how
282           many IPs to generate. Undesirable IPs such as those in certain
283           private, multicast, or unallocated address ranges are automatically
284           skipped. The argument 0 can be specified for a never-ending scan.
285           Keep in mind that some network administrators bristle at
286           unauthorized scans of their networks and may complain. Use this
287           option at your own risk! If you find yourself really bored one
288           rainy afternoon, try the command nmap -Pn -sS -p 80 -iR 0 --open.
289           to locate random web servers for browsing.
290
291       --exclude host1[,host2[,...]] (Exclude hosts/networks) .
292           Specifies a comma-separated list of targets to be excluded from the
293           scan even if they are part of the overall network range you
294           specify. The list you pass in uses normal Nmap syntax, so it can
295           include hostnames, CIDR netblocks, octet ranges, etc. This can be
296           useful when the network you wish to scan includes untouchable
297           mission-critical servers, systems that are known to react adversely
298           to port scans, or subnets administered by other people.
299
300       --excludefile exclude_file (Exclude list from file) .
301           This offers the same functionality as the --exclude option, except
302           that the excluded targets are provided in a newline-, space-, or
303           tab-delimited exclude_file rather than on the command line.
304
305           The exclude file may contain comments that start with # and extend
306           to the end of the line.
307

HOST DISCOVERY

309       One of the very first steps in any network reconnaissance mission is to
310       reduce a (sometimes huge) set of IP ranges into a list of active or
311       interesting hosts. Scanning every port of every single IP address is
312       slow and usually unnecessary. Of course what makes a host interesting
313       depends greatly on the scan purposes. Network administrators may only
314       be interested in hosts running a certain service, while security
315       auditors may care about every single device with an IP address. An
316       administrator may be comfortable using just an ICMP ping to locate
317       hosts on his internal network, while an external penetration tester may
318       use a diverse set of dozens of probes in an attempt to evade firewall
319       restrictions.
320
321       Because host discovery needs are so diverse, Nmap offers a wide variety
322       of options for customizing the techniques used. Host discovery is
323       sometimes called ping scan, but it goes well beyond the simple ICMP
324       echo request packets associated with the ubiquitous ping tool. Users
325       can skip the ping step entirely with a list scan (-sL) or by disabling
326       ping (-Pn), or engage the network with arbitrary combinations of
327       multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of
328       these probes is to solicit responses which demonstrate that an IP
329       address is actually active (is being used by a host or network device).
330       On many networks, only a small percentage of IP addresses are active at
331       any given time. This is particularly common with private address space
332       such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it
333       used by companies with less than a thousand machines. Host discovery
334       can find those machines in a sparsely allocated sea of IP addresses.
335
336       If no host discovery options are given, Nmap sends an ICMP echo
337       request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and
338       an ICMP timestamp request. (For IPv6, the ICMP timestamp request is
339       omitted because it is not part of ICMPv6.) These defaults are
340       equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this
341       are the ARP (for IPv4) and Neighbor Discovery.  (for IPv6) scans which
342       are used for any targets on a local ethernet network. For unprivileged
343       Unix shell users, the default probes are a SYN packet to ports 80 and
344       443 using the connect system call..  This host discovery is often
345       sufficient when scanning local networks, but a more comprehensive set
346       of discovery probes is recommended for security auditing.
347
348       The -P* options (which select ping types) can be combined. You can
349       increase your odds of penetrating strict firewalls by sending many
350       probe types using different TCP ports/flags and ICMP codes. Also note
351       that ARP/Neighbor Discovery (-PR).  is done by default against targets
352       on a local ethernet network even if you specify other -P* options,
353       because it is almost always faster and more effective.
354
355       By default, Nmap does host discovery and then performs a port scan
356       against each host it determines is online. This is true even if you
357       specify non-default host discovery types such as UDP probes (-PU). Read
358       about the -sn option to learn how to perform only host discovery, or
359       use -Pn to skip host discovery and port scan all target hosts. The
360       following options control host discovery:
361
362       -sL (List Scan) .
363           The list scan is a degenerate form of host discovery that simply
364           lists each host of the network(s) specified, without sending any
365           packets to the target hosts. By default, Nmap still does
366           reverse-DNS resolution on the hosts to learn their names. It is
367           often surprising how much useful information simple hostnames give
368           out. For example, fw.chi is the name of one company's Chicago
369           firewall.  Nmap also reports the total number of IP addresses at
370           the end. The list scan is a good sanity check to ensure that you
371           have proper IP addresses for your targets. If the hosts sport
372           domain names you do not recognize, it is worth investigating
373           further to prevent scanning the wrong company's network.
374
375           Since the idea is to simply print a list of target hosts, options
376           for higher level functionality such as port scanning, OS detection,
377           or ping scanning cannot be combined with this. If you wish to
378           disable ping scanning while still performing such higher level
379           functionality, read up on the -Pn (skip ping) option.
380
381       -sn (No port scan) .
382           This option tells Nmap not to do a port scan after host discovery,
383           and only print out the available hosts that responded to the scan.
384           This is often known as a “ping scan”, but you can also request that
385           traceroute and NSE host scripts be run. This is by default one step
386           more intrusive than the list scan, and can often be used for the
387           same purposes. It allows light reconnaissance of a target network
388           without attracting much attention. Knowing how many hosts are up is
389           more valuable to attackers than the list provided by list scan of
390           every single IP and host name.
391
392           Systems administrators often find this option valuable as well. It
393           can easily be used to count available machines on a network or
394           monitor server availability. This is often called a ping sweep, and
395           is more reliable than pinging the broadcast address because many
396           hosts do not reply to broadcast queries.
397
398           The default host discovery done with -sn consists of an ICMP echo
399           request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
400           timestamp request by default. When executed by an unprivileged
401           user, only SYN packets are sent (using a connect call) to ports 80
402           and 443 on the target. When a privileged user tries to scan targets
403           on a local ethernet network, ARP requests are used unless --send-ip
404           was specified. The -sn option can be combined with any of the
405           discovery probe types (the -P* options, excluding -Pn) for greater
406           flexibility. If any of those probe type and port number options are
407           used, the default probes are overridden. When strict firewalls are
408           in place between the source host running Nmap and the target
409           network, using those advanced techniques is recommended. Otherwise
410           hosts could be missed when the firewall drops probes or their
411           responses.
412
413           In previous releases of Nmap, -sn was known as -sP..
414
415       -Pn (No ping) .
416           This option skips the Nmap discovery stage altogether. Normally,
417           Nmap uses this stage to determine active machines for heavier
418           scanning. By default, Nmap only performs heavy probing such as port
419           scans, version detection, or OS detection against hosts that are
420           found to be up. Disabling host discovery with -Pn causes Nmap to
421           attempt the requested scanning functions against every target IP
422           address specified. So if a class B target address space (/16) is
423           specified on the command line, all 65,536 IP addresses are scanned.
424           Proper host discovery is skipped as with the list scan, but instead
425           of stopping and printing the target list, Nmap continues to perform
426           requested functions as if each target IP is active. To skip ping
427           scan and port scan, while still allowing NSE to run, use the two
428           options -Pn -sn together.
429
430           For machines on a local ethernet network, ARP scanning will still
431           be performed (unless --disable-arp-ping or --send-ip is specified)
432           because Nmap needs MAC addresses to further scan target hosts. In
433           previous versions of Nmap, -Pn was -P0.  and -PN..
434
435       -PS port list (TCP SYN Ping) .
436           This option sends an empty TCP packet with the SYN flag set. The
437           default destination port is 80 (configurable at compile time by
438           changing DEFAULT_TCP_PROBE_PORT_SPEC.  in nmap.h)..  Alternate
439           ports can be specified as a parameter. The syntax is the same as
440           for the -p except that port type specifiers like T: are not
441           allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note
442           that there can be no space between -PS and the port list. If
443           multiple probes are specified they will be sent in parallel.
444
445           The SYN flag suggests to the remote system that you are attempting
446           to establish a connection. Normally the destination port will be
447           closed, and a RST (reset) packet sent back. If the port happens to
448           be open, the target will take the second step of a TCP
449           three-way-handshake.  by responding with a SYN/ACK TCP packet. The
450           machine running Nmap then tears down the nascent connection by
451           responding with a RST rather than sending an ACK packet which would
452           complete the three-way-handshake and establish a full connection.
453           The RST packet is sent by the kernel of the machine running Nmap in
454           response to the unexpected SYN/ACK, not by Nmap itself.
455
456           Nmap does not care whether the port is open or closed. Either the
457           RST or SYN/ACK response discussed previously tell Nmap that the
458           host is available and responsive.
459
460           On Unix boxes, only the privileged user root.  is generally able to
461           send and receive raw TCP packets..  For unprivileged users, a
462           workaround is automatically employed.  whereby the connect system
463           call is initiated against each target port. This has the effect of
464           sending a SYN packet to the target host, in an attempt to establish
465           a connection. If connect returns with a quick success or an
466           ECONNREFUSED failure, the underlying TCP stack must have received a
467           SYN/ACK or RST and the host is marked available. If the connection
468           attempt is left hanging until a timeout is reached, the host is
469           marked as down.
470
471       -PA port list (TCP ACK Ping) .
472           The TCP ACK ping is quite similar to the just-discussed SYN ping.
473           The difference, as you could likely guess, is that the TCP ACK flag
474           is set instead of the SYN flag. Such an ACK packet purports to be
475           acknowledging data over an established TCP connection, but no such
476           connection exists. So remote hosts should always respond with a RST
477           packet, disclosing their existence in the process.
478
479           The -PA option uses the same default port as the SYN probe (80) and
480           can also take a list of destination ports in the same format. If an
481           unprivileged user tries this, the connect workaround discussed
482           previously is used. This workaround is imperfect because connect is
483           actually sending a SYN packet rather than an ACK.
484
485           The reason for offering both SYN and ACK ping probes is to maximize
486           the chances of bypassing firewalls. Many administrators configure
487           routers and other simple firewalls to block incoming SYN packets
488           except for those destined for public services like the company web
489           site or mail server. This prevents other incoming connections to
490           the organization, while allowing users to make unobstructed
491           outgoing connections to the Internet. This non-stateful approach
492           takes up few resources on the firewall/router and is widely
493           supported by hardware and software filters. The Linux
494           Netfilter/iptables.  firewall software offers the --syn convenience
495           option to implement this stateless approach. When stateless
496           firewall rules such as this are in place, SYN ping probes (-PS) are
497           likely to be blocked when sent to closed target ports. In such
498           cases, the ACK probe shines as it cuts right through these rules.
499
500           Another common type of firewall uses stateful rules that drop
501           unexpected packets. This feature was initially found mostly on
502           high-end firewalls, though it has become much more common over the
503           years. The Linux Netfilter/iptables system supports this through
504           the --state option, which categorizes packets based on connection
505           state. A SYN probe is more likely to work against such a system, as
506           unexpected ACK packets are generally recognized as bogus and
507           dropped. A solution to this quandary is to send both SYN and ACK
508           probes by specifying -PS and -PA.
509
510       -PU port list (UDP Ping) .
511           Another host discovery option is the UDP ping, which sends a UDP
512           packet to the given ports. For most ports, the packet will be
513           empty, though for a few a protocol-specific payload will be sent
514           that is more likely to get a response..  The --data-length.  option
515           can be used to send a fixed-length random payload to every port or
516           (if you specify a value of 0) to disable payloads. You can also
517           disable payloads by specifying --data-length 0.
518
519           The port list takes the same format as with the previously
520           discussed -PS and -PA options. If no ports are specified, the
521           default is 40125..  This default can be configured at compile-time
522           by changing DEFAULT_UDP_PROBE_PORT_SPEC.  in nmap.h..  A highly
523           uncommon port is used by default because sending to open ports is
524           often undesirable for this particular scan type.
525
526           Upon hitting a closed port on the target machine, the UDP probe
527           should elicit an ICMP port unreachable packet in return. This
528           signifies to Nmap that the machine is up and available. Many other
529           types of ICMP errors, such as host/network unreachables or TTL
530           exceeded are indicative of a down or unreachable host. A lack of
531           response is also interpreted this way. If an open port is reached,
532           most services simply ignore the empty packet and fail to return any
533           response. This is why the default probe port is 40125, which is
534           highly unlikely to be in use. A few services, such as the Character
535           Generator (chargen) protocol, will respond to an empty UDP packet,
536           and thus disclose to Nmap that the machine is available.
537
538           The primary advantage of this scan type is that it bypasses
539           firewalls and filters that only screen TCP. For example, I once
540           owned a Linksys BEFW11S4 wireless broadband router. The external
541           interface of this device filtered all TCP ports by default, but UDP
542           probes would still elicit port unreachable messages and thus give
543           away the device.
544
545       -PY port list (SCTP INIT Ping) .
546           This option sends an SCTP packet containing a minimal INIT chunk.
547           The default destination port is 80 (configurable at compile time by
548           changing DEFAULT_SCTP_PROBE_PORT_SPEC.  in nmap.h). Alternate ports
549           can be specified as a parameter. The syntax is the same as for the
550           -p except that port type specifiers like S: are not allowed.
551           Examples are -PY22 and -PY22,80,179,5060. Note that there can be no
552           space between -PY and the port list. If multiple probes are
553           specified they will be sent in parallel.
554
555           The INIT chunk suggests to the remote system that you are
556           attempting to establish an association. Normally the destination
557           port will be closed, and an ABORT chunk will be sent back. If the
558           port happens to be open, the target will take the second step of an
559           SCTP four-way-handshake.  by responding with an INIT-ACK chunk. If
560           the machine running Nmap has a functional SCTP stack, then it tears
561           down the nascent association by responding with an ABORT chunk
562           rather than sending a COOKIE-ECHO chunk which would be the next
563           step in the four-way-handshake. The ABORT packet is sent by the
564           kernel of the machine running Nmap in response to the unexpected
565           INIT-ACK, not by Nmap itself.
566
567           Nmap does not care whether the port is open or closed. Either the
568           ABORT or INIT-ACK response discussed previously tell Nmap that the
569           host is available and responsive.
570
571           On Unix boxes, only the privileged user root.  is generally able to
572           send and receive raw SCTP packets..  Using SCTP INIT Pings is
573           currently not possible for unprivileged users..
574
575       -PE; -PP; -PM (ICMP Ping Types) .
576           In addition to the unusual TCP, UDP and SCTP host discovery types
577           discussed previously, Nmap can send the standard packets sent by
578           the ubiquitous ping program. Nmap sends an ICMP type 8 (echo
579           request) packet to the target IP addresses, expecting a type 0
580           (echo reply) in return from available hosts..  Unfortunately for
581           network explorers, many hosts and firewalls now block these
582           packets, rather than responding as required by RFC 1122[2]..  For
583           this reason, ICMP-only scans are rarely reliable enough against
584           unknown targets over the Internet. But for system administrators
585           monitoring an internal network, they can be a practical and
586           efficient approach. Use the -PE option to enable this echo request
587           behavior.
588
589           While echo request is the standard ICMP ping query, Nmap does not
590           stop there. The ICMP standards (RFC 792[3].  and RFC 950[4].  “a
591           host SHOULD NOT implement these messages”. Timestamp and address
592           mask queries can be sent with the -PP and -PM options,
593           respectively. A timestamp reply (ICMP code 14) or address mask
594           reply (code 18) discloses that the host is available. These two
595           queries can be valuable when administrators specifically block echo
596           request packets while forgetting that other ICMP queries can be
597           used for the same purpose.
598
599       -PO protocol list (IP Protocol Ping) .
600           One of the newer host discovery options is the IP protocol ping,
601           which sends IP packets with the specified protocol number set in
602           their IP header. The protocol list takes the same format as do port
603           lists in the previously discussed TCP, UDP and SCTP host discovery
604           options. If no protocols are specified, the default is to send
605           multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and
606           IP-in-IP (protocol 4). The default protocols can be configured at
607           compile-time by changing DEFAULT_PROTO_PROBE_PORT_SPEC.  in nmap.h.
608           Note that for the ICMP, IGMP, TCP (protocol 6), UDP (protocol 17)
609           and SCTP (protocol 132), the packets are sent with the proper
610           protocol headers.  while other protocols are sent with no
611           additional data beyond the IP header (unless the --data-length.
612           option is specified).
613
614           This host discovery method looks for either responses using the
615           same protocol as a probe, or ICMP protocol unreachable messages
616           which signify that the given protocol isn't supported on the
617           destination host. Either type of response signifies that the target
618           host is alive.
619
620       -PR (ARP Ping) .
621           One of the most common Nmap usage scenarios is to scan an ethernet
622           LAN. On most LANs, especially those using private address ranges
623           specified by RFC 1918[5], the vast majority of IP addresses are
624           unused at any given time. When Nmap tries to send a raw IP packet
625           such as an ICMP echo request, the operating system must determine
626           the destination hardware (ARP) address corresponding to the target
627           IP so that it can properly address the ethernet frame. This is
628           often slow and problematic, since operating systems weren't written
629           with the expectation that they would need to do millions of ARP
630           requests against unavailable hosts in a short time period.
631
632           ARP scan puts Nmap and its optimized algorithms in charge of ARP
633           requests. And if it gets a response back, Nmap doesn't even need to
634           worry about the IP-based ping packets since it already knows the
635           host is up. This makes ARP scan much faster and more reliable than
636           IP-based scans. So it is done by default when scanning ethernet
637           hosts that Nmap detects are on a local ethernet network. Even if
638           different ping types (such as -PE or -PS) are specified, Nmap uses
639           ARP instead for any of the targets which are on the same LAN. If
640           you absolutely don't want to do an ARP scan, specify
641           --disable-arp-ping.
642
643           For IPv6 (-6 option), -PR uses ICMPv6 Neighbor Discovery instead of
644           ARP. Neighbor Discovery, defined in RFC 4861, can be seen as the
645           IPv6 equivalent of ARP.
646
647       --disable-arp-ping (No ARP or ND Ping) .
648           Nmap normally does ARP or IPv6 Neighbor Discovery (ND) discovery of
649           locally connected ethernet hosts, even if other host discovery
650           options such as -Pn or -PE are used. To disable this implicit
651           behavior, use the --disable-arp-ping option.
652
653           The default behavior is normally faster, but this option is useful
654           on networks using proxy ARP, in which a router speculatively
655           replies to all ARP requests, making every target appear to be up
656           according to ARP scan.
657
658       --traceroute (Trace path to host) .
659           Traceroutes are performed post-scan using information from the scan
660           results to determine the port and protocol most likely to reach the
661           target. It works with all scan types except connect scans (-sT) and
662           idle scans (-sI). All traces use Nmap's dynamic timing model and
663           are performed in parallel.
664
665           Traceroute works by sending packets with a low TTL (time-to-live)
666           in an attempt to elicit ICMP Time Exceeded messages from
667           intermediate hops between the scanner and the target host. Standard
668           traceroute implementations start with a TTL of 1 and increment the
669           TTL until the destination host is reached. Nmap's traceroute starts
670           with a high TTL and then decrements the TTL until it reaches zero.
671           Doing it backwards lets Nmap employ clever caching algorithms to
672           speed up traces over multiple hosts. On average Nmap sends 5–10
673           fewer packets per host, depending on network conditions. If a
674           single subnet is being scanned (i.e. 192.168.0.0/24) Nmap may only
675           have to send two packets to most hosts.
676
677       -n (No DNS resolution) .
678           Tells Nmap to never do reverse DNS resolution on the active IP
679           addresses it finds. Since DNS can be slow even with Nmap's built-in
680           parallel stub resolver, this option can slash scanning times.
681
682       -R (DNS resolution for all targets) .
683           Tells Nmap to always do reverse DNS resolution on the target IP
684           addresses. Normally reverse DNS is only performed against
685           responsive (online) hosts.
686
687       --system-dns (Use system DNS resolver) .
688           By default, Nmap resolves IP addresses by sending queries directly
689           to the name servers configured on your host and then listening for
690           responses. Many requests (often dozens) are performed in parallel
691           to improve performance. Specify this option to use your system
692           resolver instead (one IP at a time via the getnameinfo call). This
693           is slower and rarely useful unless you find a bug in the Nmap
694           parallel resolver (please let us know if you do). The system
695           resolver is always used for IPv6 scans.
696
697       --dns-servers server1[,server2[,...]]  (Servers to use for reverse DNS
698       queries) .
699           By default, Nmap determines your DNS servers (for rDNS resolution)
700           from your resolv.conf file (Unix) or the Registry (Win32).
701           Alternatively, you may use this option to specify alternate
702           servers. This option is not honored if you are using --system-dns
703           or an IPv6 scan. Using multiple DNS servers is often faster,
704           especially if you choose authoritative servers for your target IP
705           space. This option can also improve stealth, as your requests can
706           be bounced off just about any recursive DNS server on the Internet.
707
708           This option also comes in handy when scanning private networks.
709           Sometimes only a few name servers provide proper rDNS information,
710           and you may not even know where they are. You can scan the network
711           for port 53 (perhaps with version detection), then try Nmap list
712           scans (-sL) specifying each name server one at a time with
713           --dns-servers until you find one which works.
714

PORT SCANNING BASICS

716       While Nmap has grown in functionality over the years, it began as an
717       efficient port scanner, and that remains its core function. The simple
718       command nmap target scans 1,000 TCP ports on the host target. While
719       many port scanners have traditionally lumped all ports into the open or
720       closed states, Nmap is much more granular. It divides ports into six
721       states: open, closed, filtered, unfiltered, open|filtered, or
722       closed|filtered.
723
724       These states are not intrinsic properties of the port itself, but
725       describe how Nmap sees them. For example, an Nmap scan from the same
726       network as the target may show port 135/tcp as open, while a scan at
727       the same time with the same options from across the Internet might show
728       that port as filtered.
729
730       The six port states recognized by Nmap
731
732           An application is actively accepting TCP connections, UDP datagrams
733           or SCTP associations on this port. Finding these is often the
734           primary goal of port scanning. Security-minded people know that
735           each open port is an avenue for attack. Attackers and pen-testers
736           want to exploit the open ports, while administrators try to close
737           or protect them with firewalls without thwarting legitimate users.
738           Open ports are also interesting for non-security scans because they
739           show services available for use on the network.
740
741           A closed port is accessible (it receives and responds to Nmap probe
742           packets), but there is no application listening on it. They can be
743           helpful in showing that a host is up on an IP address (host
744           discovery, or ping scanning), and as part of OS detection. Because
745           closed ports are reachable, it may be worth scanning later in case
746           some open up. Administrators may want to consider blocking such
747           ports with a firewall. Then they would appear in the filtered
748           state, discussed next.
749
750           Nmap cannot determine whether the port is open because packet
751           filtering prevents its probes from reaching the port. The filtering
752           could be from a dedicated firewall device, router rules, or
753           host-based firewall software. These ports frustrate attackers
754           because they provide so little information. Sometimes they respond
755           with ICMP error messages such as type 3 code 13 (destination
756           unreachable: communication administratively prohibited), but
757           filters that simply drop probes without responding are far more
758           common. This forces Nmap to retry several times just in case the
759           probe was dropped due to network congestion rather than filtering.
760           This slows down the scan dramatically.
761
762           The unfiltered state means that a port is accessible, but Nmap is
763           unable to determine whether it is open or closed. Only the ACK
764           scan, which is used to map firewall rulesets, classifies ports into
765           this state. Scanning unfiltered ports with other scan types such as
766           Window scan, SYN scan, or FIN scan, may help resolve whether the
767           port is open.
768
769           Nmap places ports in this state when it is unable to determine
770           whether a port is open or filtered. This occurs for scan types in
771           which open ports give no response. The lack of response could also
772           mean that a packet filter dropped the probe or any response it
773           elicited. So Nmap does not know for sure whether the port is open
774           or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans
775           classify ports this way.
776
777           This state is used when Nmap is unable to determine whether a port
778           is closed or filtered. It is only used for the IP ID idle scan.
779

PORT SCANNING TECHNIQUES

781       As a novice performing automotive repair, I can struggle for hours
782       trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to
783       the task at hand. When I fail miserably and tow my jalopy to a real
784       mechanic, he invariably fishes around in a huge tool chest until
785       pulling out the perfect gizmo which makes the job seem effortless. The
786       art of port scanning is similar. Experts understand the dozens of scan
787       techniques and choose the appropriate one (or combination) for a given
788       task. Inexperienced users and script kiddies,.  on the other hand, try
789       to solve every problem with the default SYN scan. Since Nmap is free,
790       the only barrier to port scanning mastery is knowledge. That certainly
791       beats the automotive world, where it may take great skill to determine
792       that you need a strut spring compressor, then you still have to pay
793       thousands of dollars for it.
794
795       Most of the scan types are only available to privileged users..  This
796       is because they send and receive raw packets,.  which requires root
797       access on Unix systems. Using an administrator account on Windows is
798       recommended, though Nmap sometimes works for unprivileged users on that
799       platform when WinPcap has already been loaded into the OS. Requiring
800       root privileges was a serious limitation when Nmap was released in
801       1997, as many users only had access to shared shell accounts. Now, the
802       world is different. Computers are cheaper, far more people have
803       always-on direct Internet access, and desktop Unix systems (including
804       Linux and Mac OS X) are prevalent. A Windows version of Nmap is now
805       available, allowing it to run on even more desktops. For all these
806       reasons, users have less need to run Nmap from limited shared shell
807       accounts. This is fortunate, as the privileged options make Nmap far
808       more powerful and flexible.
809
810       While Nmap attempts to produce accurate results, keep in mind that all
811       of its insights are based on packets returned by the target machines
812       (or firewalls in front of them). Such hosts may be untrustworthy and
813       send responses intended to confuse or mislead Nmap. Much more common
814       are non-RFC-compliant hosts that do not respond as they should to Nmap
815       probes. FIN, NULL, and Xmas scans are particularly susceptible to this
816       problem. Such issues are specific to certain scan types and so are
817       discussed in the individual scan type entries.
818
819       This section documents the dozen or so port scan techniques supported
820       by Nmap. Only one method may be used at a time, except that UDP scan
821       (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined
822       with any one of the TCP scan types. As a memory aid, port scan type
823       options are of the form -sC, where C is a prominent character in the
824       scan name, usually the first. The one exception to this is the
825       deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan,
826       though it substitutes a connect scan if the user does not have proper
827       privileges to send raw packets (requires root access on Unix). Of the
828       scans listed in this section, unprivileged users can only execute
829       connect and FTP bounce scans.
830
831       -sS (TCP SYN scan) .
832           SYN scan is the default and most popular scan option for good
833           reasons. It can be performed quickly, scanning thousands of ports
834           per second on a fast network not hampered by restrictive firewalls.
835           It is also relatively unobtrusive and stealthy since it never
836           completes TCP connections. SYN scan works against any compliant TCP
837           stack rather than depending on idiosyncrasies of specific platforms
838           as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows
839           clear, reliable differentiation between the open, closed, and
840           filtered states.
841
842           This technique is often referred to as half-open scanning, because
843           you don't open a full TCP connection. You send a SYN packet, as if
844           you are going to open a real connection and then wait for a
845           response. A SYN/ACK indicates the port is listening (open), while a
846           RST (reset) is indicative of a non-listener. If no response is
847           received after several retransmissions, the port is marked as
848           filtered. The port is also marked filtered if an ICMP unreachable
849           error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is
850           also considered open if a SYN packet (without the ACK flag) is
851           received in response. This can be due to an extremely rare TCP
852           feature known as a simultaneous open or split handshake connection
853           (see http://nmap.org/misc/split-handshake.pdf).
854
855       -sT (TCP connect scan) .
856           TCP connect scan is the default TCP scan type when SYN scan is not
857           an option. This is the case when a user does not have raw packet
858           privileges. Instead of writing raw packets as most other scan types
859           do, Nmap asks the underlying operating system to establish a
860           connection with the target machine and port by issuing the connect
861           system call. This is the same high-level system call that web
862           browsers, P2P clients, and most other network-enabled applications
863           use to establish a connection. It is part of a programming
864           interface known as the Berkeley Sockets API. Rather than read raw
865           packet responses off the wire, Nmap uses this API to obtain status
866           information on each connection attempt.
867
868           When SYN scan is available, it is usually a better choice. Nmap has
869           less control over the high level connect call than with raw
870           packets, making it less efficient. The system call completes
871           connections to open target ports rather than performing the
872           half-open reset that SYN scan does. Not only does this take longer
873           and require more packets to obtain the same information, but target
874           machines are more likely to log the connection. A decent IDS will
875           catch either, but most machines have no such alarm system. Many
876           services on your average Unix system will add a note to syslog, and
877           sometimes a cryptic error message, when Nmap connects and then
878           closes the connection without sending data. Truly pathetic services
879           crash when this happens, though that is uncommon. An administrator
880           who sees a bunch of connection attempts in her logs from a single
881           system should know that she has been connect scanned.
882
883       -sU (UDP scans) .
884           While most popular services on the Internet run over the TCP
885           protocol, UDP[6] services are widely deployed. DNS, SNMP, and DHCP
886           (registered ports 53, 161/162, and 67/68) are three of the most
887           common. Because UDP scanning is generally slower and more difficult
888           than TCP, some security auditors ignore these ports. This is a
889           mistake, as exploitable UDP services are quite common and attackers
890           certainly don't ignore the whole protocol. Fortunately, Nmap can
891           help inventory UDP ports.
892
893           UDP scan is activated with the -sU option. It can be combined with
894           a TCP scan type such as SYN scan (-sS) to check both protocols
895           during the same run.
896
897           UDP scan works by sending a UDP packet to every targeted port. For
898           some common ports such as 53 and 161, a protocol-specific payload
899           is sent, but for most ports the packet is empty..  The
900           --data-length option can be used to send a fixed-length random
901           payload to every port or (if you specify a value of 0) to disable
902           payloads. If an ICMP port unreachable error (type 3, code 3) is
903           returned, the port is closed. Other ICMP unreachable errors (type
904           3, codes 1, 2, 9, 10, or 13) mark the port as filtered.
905           Occasionally, a service will respond with a UDP packet, proving
906           that it is open. If no response is received after retransmissions,
907           the port is classified as open|filtered. This means that the port
908           could be open, or perhaps packet filters are blocking the
909           communication. Version detection (-sV) can be used to help
910           differentiate the truly open ports from the filtered ones.
911
912           A big challenge with UDP scanning is doing it quickly. Open and
913           filtered ports rarely send any response, leaving Nmap to time out
914           and then conduct retransmissions just in case the probe or response
915           were lost. Closed ports are often an even bigger problem. They
916           usually send back an ICMP port unreachable error. But unlike the
917           RST packets sent by closed TCP ports in response to a SYN or
918           connect scan, many hosts rate limit.  ICMP port unreachable
919           messages by default. Linux and Solaris are particularly strict
920           about this. For example, the Linux 2.4.20 kernel limits destination
921           unreachable messages to one per second (in net/ipv4/icmp.c).
922
923           Nmap detects rate limiting and slows down accordingly to avoid
924           flooding the network with useless packets that the target machine
925           will drop. Unfortunately, a Linux-style limit of one packet per
926           second makes a 65,536-port scan take more than 18 hours. Ideas for
927           speeding your UDP scans up include scanning more hosts in parallel,
928           doing a quick scan of just the popular ports first, scanning from
929           behind the firewall, and using --host-timeout to skip slow hosts.
930
931       -sY (SCTP INIT scan) .
932           SCTP[7] is a relatively new alternative to the TCP and UDP
933           protocols, combining most characteristics of TCP and UDP, and also
934           adding new features like multi-homing and multi-streaming. It is
935           mostly being used for SS7/SIGTRAN related services but has the
936           potential to be used for other applications as well. SCTP INIT scan
937           is the SCTP equivalent of a TCP SYN scan. It can be performed
938           quickly, scanning thousands of ports per second on a fast network
939           not hampered by restrictive firewalls. Like SYN scan, INIT scan is
940           relatively unobtrusive and stealthy, since it never completes SCTP
941           associations. It also allows clear, reliable differentiation
942           between the open, closed, and filtered states.
943
944           This technique is often referred to as half-open scanning, because
945           you don't open a full SCTP association. You send an INIT chunk, as
946           if you are going to open a real association and then wait for a
947           response. An INIT-ACK chunk indicates the port is listening (open),
948           while an ABORT chunk is indicative of a non-listener. If no
949           response is received after several retransmissions, the port is
950           marked as filtered. The port is also marked filtered if an ICMP
951           unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
952
953       -sN; -sF; -sX (TCP NULL, FIN, and Xmas scans) .
954           These three scan types (even more are possible with the --scanflags
955           option described in the next section) exploit a subtle loophole in
956           the TCP RFC[8] to differentiate between open and closed ports. Page
957           65 of RFC 793 says that “if the [destination] port state is CLOSED
958           .... an incoming segment not containing a RST causes a RST to be
959           sent in response.”  Then the next page discusses packets sent to
960           open ports without the SYN, RST, or ACK bits set, stating that:
961           “you are unlikely to get here, but if you do, drop the segment, and
962           return.”
963
964           When scanning systems compliant with this RFC text, any packet not
965           containing SYN, RST, or ACK bits will result in a returned RST if
966           the port is closed and no response at all if the port is open. As
967           long as none of those three bits are included, any combination of
968           the other three (FIN, PSH, and URG) are OK. Nmap exploits this with
969           three scan types:
970
971           Null scan (-sN)
972               Does not set any bits (TCP flag header is 0)
973
974           FIN scan (-sF)
975               Sets just the TCP FIN bit.
976
977           Xmas scan (-sX)
978               Sets the FIN, PSH, and URG flags, lighting the packet up like a
979               Christmas tree.
980
981           These three scan types are exactly the same in behavior except for
982           the TCP flags set in probe packets. If a RST packet is received,
983           the port is considered closed, while no response means it is
984           open|filtered. The port is marked filtered if an ICMP unreachable
985           error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
986
987           The key advantage to these scan types is that they can sneak
988           through certain non-stateful firewalls and packet filtering
989           routers. Another advantage is that these scan types are a little
990           more stealthy than even a SYN scan. Don't count on this though—most
991           modern IDS products can be configured to detect them. The big
992           downside is that not all systems follow RFC 793 to the letter. A
993           number of systems send RST responses to the probes regardless of
994           whether the port is open or not. This causes all of the ports to be
995           labeled closed. Major operating systems that do this are Microsoft
996           Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does
997           work against most Unix-based systems though. Another downside of
998           these scans is that they can't distinguish open ports from certain
999           filtered ones, leaving you with the response open|filtered.
1000
1001       -sA (TCP ACK scan) .
1002           This scan is different than the others discussed so far in that it
1003           never determines open (or even open|filtered) ports. It is used to
1004           map out firewall rulesets, determining whether they are stateful or
1005           not and which ports are filtered.
1006
1007           The ACK scan probe packet has only the ACK flag set (unless you use
1008           --scanflags). When scanning unfiltered systems, open and closed
1009           ports will both return a RST packet. Nmap then labels them as
1010           unfiltered, meaning that they are reachable by the ACK packet, but
1011           whether they are open or closed is undetermined. Ports that don't
1012           respond, or send certain ICMP error messages back (type 3, code 1,
1013           2, 3, 9, 10, or 13), are labeled filtered.
1014
1015       -sW (TCP Window scan) .
1016           Window scan is exactly the same as ACK scan except that it exploits
1017           an implementation detail of certain systems to differentiate open
1018           ports from closed ones, rather than always printing unfiltered when
1019           a RST is returned. It does this by examining the TCP Window field
1020           of the RST packets returned. On some systems, open ports use a
1021           positive window size (even for RST packets) while closed ones have
1022           a zero window. So instead of always listing a port as unfiltered
1023           when it receives a RST back, Window scan lists the port as open or
1024           closed if the TCP Window value in that reset is positive or zero,
1025           respectively.
1026
1027           This scan relies on an implementation detail of a minority of
1028           systems out on the Internet, so you can't always trust it. Systems
1029           that don't support it will usually return all ports closed. Of
1030           course, it is possible that the machine really has no open ports.
1031           If most scanned ports are closed but a few common port numbers
1032           (such as 22, 25, 53) are filtered, the system is most likely
1033           susceptible. Occasionally, systems will even show the exact
1034           opposite behavior. If your scan shows 1,000 open ports and three
1035           closed or filtered ports, then those three may very well be the
1036           truly open ones.
1037
1038       -sM (TCP Maimon scan) .
1039           The Maimon scan is named after its discoverer, Uriel Maimon..  He
1040           described the technique in Phrack Magazine issue #49 (November
1041           1996)..  Nmap, which included this technique, was released two
1042           issues later. This technique is exactly the same as NULL, FIN, and
1043           Xmas scans, except that the probe is FIN/ACK. According to RFC
1044           793[8] (TCP), a RST packet should be generated in response to such
1045           a probe whether the port is open or closed. However, Uriel noticed
1046           that many BSD-derived systems simply drop the packet if the port is
1047           open.
1048
1049       --scanflags (Custom TCP scan) .
1050           Truly advanced Nmap users need not limit themselves to the canned
1051           scan types offered. The --scanflags option allows you to design
1052           your own scan by specifying arbitrary TCP flags..  Let your
1053           creative juices flow, while evading intrusion detection systems.
1054           whose vendors simply paged through the Nmap man page adding
1055           specific rules!
1056
1057           The --scanflags argument can be a numerical flag value such as 9
1058           (PSH and FIN), but using symbolic names is easier. Just mash
1059           together any combination of URG, ACK, PSH, RST, SYN, and FIN. For
1060           example, --scanflags URGACKPSHRSTSYNFIN sets everything, though
1061           it's not very useful for scanning. The order these are specified in
1062           is irrelevant.
1063
1064           In addition to specifying the desired flags, you can specify a TCP
1065           scan type (such as -sA or -sF). That base type tells Nmap how to
1066           interpret responses. For example, a SYN scan considers no-response
1067           to indicate a filtered port, while a FIN scan treats the same as
1068           open|filtered. Nmap will behave the same way it does for the base
1069           scan type, except that it will use the TCP flags you specify
1070           instead. If you don't specify a base type, SYN scan is used.
1071
1072       -sZ (SCTP COOKIE ECHO scan) .
1073           SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes
1074           advantage of the fact that SCTP implementations should silently
1075           drop packets containing COOKIE ECHO chunks on open ports, but send
1076           an ABORT if the port is closed. The advantage of this scan type is
1077           that it is not as obvious a port scan than an INIT scan. Also,
1078           there may be non-stateful firewall rulesets blocking INIT chunks,
1079           but not COOKIE ECHO chunks. Don't be fooled into thinking that this
1080           will make a port scan invisible; a good IDS will be able to detect
1081           SCTP COOKIE ECHO scans too. The downside is that SCTP COOKIE ECHO
1082           scans cannot differentiate between open and filtered ports, leaving
1083           you with the state open|filtered in both cases.
1084
1085       -sI zombie host[:probeport] (idle scan) .
1086           This advanced scan method allows for a truly blind TCP port scan of
1087           the target (meaning no packets are sent to the target from your
1088           real IP address). Instead, a unique side-channel attack exploits
1089           predictable IP fragmentation ID sequence generation on the zombie
1090           host to glean information about the open ports on the target. IDS
1091           systems will display the scan as coming from the zombie machine you
1092           specify (which must be up and meet certain criteria).  This
1093           fascinating scan type is too complex to fully describe in this
1094           reference guide, so I wrote and posted an informal paper with full
1095           details at http://nmap.org/book/idlescan.html.
1096
1097           Besides being extraordinarily stealthy (due to its blind nature),
1098           this scan type permits mapping out IP-based trust relationships
1099           between machines. The port listing shows open ports from the
1100           perspective of the zombie host.  So you can try scanning a target
1101           using various zombies that you think might be trusted.  (via
1102           router/packet filter rules).
1103
1104           You can add a colon followed by a port number to the zombie host if
1105           you wish to probe a particular port on the zombie for IP ID
1106           changes. Otherwise Nmap will use the port it uses by default for
1107           TCP pings (80).
1108
1109       -sO (IP protocol scan) .
1110           IP protocol scan allows you to determine which IP protocols (TCP,
1111           ICMP, IGMP, etc.) are supported by target machines. This isn't
1112           technically a port scan, since it cycles through IP protocol
1113           numbers rather than TCP or UDP port numbers. Yet it still uses the
1114           -p option to select scanned protocol numbers, reports its results
1115           within the normal port table format, and even uses the same
1116           underlying scan engine as the true port scanning methods. So it is
1117           close enough to a port scan that it belongs here.
1118
1119           Besides being useful in its own right, protocol scan demonstrates
1120           the power of open-source software. While the fundamental idea is
1121           pretty simple, I had not thought to add it nor received any
1122           requests for such functionality. Then in the summer of 2000,
1123           Gerhard Rieger.  conceived the idea, wrote an excellent patch
1124           implementing it, and sent it to the announce mailing list.  (then
1125           called nmap-hackers)..  I incorporated that patch into the Nmap
1126           tree and released a new version the next day. Few pieces of
1127           commercial software have users enthusiastic enough to design and
1128           contribute their own improvements!
1129
1130           Protocol scan works in a similar fashion to UDP scan. Instead of
1131           iterating through the port number field of a UDP packet, it sends
1132           IP packet headers and iterates through the eight-bit IP protocol
1133           field. The headers are usually empty, containing no data and not
1134           even the proper header for the claimed protocol. The exceptions are
1135           TCP, UDP, ICMP, SCTP, and IGMP. A proper protocol header for those
1136           is included since some systems won't send them otherwise and
1137           because Nmap already has functions to create them. Instead of
1138           watching for ICMP port unreachable messages, protocol scan is on
1139           the lookout for ICMP protocol unreachable messages. If Nmap
1140           receives any response in any protocol from the target host, Nmap
1141           marks that protocol as open. An ICMP protocol unreachable error
1142           (type 3, code 2) causes the protocol to be marked as closed Other
1143           ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the
1144           protocol to be marked filtered (though they prove that ICMP is open
1145           at the same time). If no response is received after
1146           retransmissions, the protocol is marked open|filtered
1147
1148       -b FTP relay host (FTP bounce scan) .
1149           An interesting feature of the FTP protocol (RFC 959[9]) is support
1150           for so-called proxy FTP connections. This allows a user to connect
1151           to one FTP server, then ask that files be sent to a third-party
1152           server. Such a feature is ripe for abuse on many levels, so most
1153           servers have ceased supporting it. One of the abuses this feature
1154           allows is causing the FTP server to port scan other hosts. Simply
1155           ask the FTP server to send a file to each interesting port of a
1156           target host in turn. The error message will describe whether the
1157           port is open or not. This is a good way to bypass firewalls because
1158           organizational FTP servers are often placed where they have more
1159           access to other internal hosts than any old Internet host would.
1160           Nmap supports FTP bounce scan with the -b option. It takes an
1161           argument of the form username:password@server:port.  Server is the
1162           name or IP address of a vulnerable FTP server. As with a normal
1163           URL, you may omit username:password, in which case anonymous login
1164           credentials (user: anonymous password:-wwwuser@) are used. The port
1165           number (and preceding colon) may be omitted as well, in which case
1166           the default FTP port (21) on server is used.
1167
1168           This vulnerability was widespread in 1997 when Nmap was released,
1169           but has largely been fixed. Vulnerable servers are still around, so
1170           it is worth trying when all else fails. If bypassing a firewall is
1171           your goal, scan the target network for port 21 (or even for any FTP
1172           services if you scan all ports with version detection) and use the
1173           ftp-bounce.  NSE script. Nmap will tell you whether the host is
1174           vulnerable or not. If you are just trying to cover your tracks, you
1175           don't need to (and, in fact, shouldn't) limit yourself to hosts on
1176           the target network. Before you go scanning random Internet
1177           addresses for vulnerable FTP servers, consider that sysadmins may
1178           not appreciate you abusing their servers in this way.
1179

PORT SPECIFICATION AND SCAN ORDER

1181       In addition to all of the scan methods discussed previously, Nmap
1182       offers options for specifying which ports are scanned and whether the
1183       scan order is randomized or sequential. By default, Nmap scans the most
1184       common 1,000 ports for each protocol.
1185
1186       -p port ranges (Only scan specified ports) .
1187           This option specifies which ports you want to scan and overrides
1188           the default. Individual port numbers are OK, as are ranges
1189           separated by a hyphen (e.g.  1-1023). The beginning and/or end
1190           values of a range may be omitted, causing Nmap to use 1 and 65535,
1191           respectively. So you can specify -p- to scan ports from 1 through
1192           65535. Scanning port zero.  is allowed if you specify it
1193           explicitly. For IP protocol scanning (-sO), this option specifies
1194           the protocol numbers you wish to scan for (0–255).
1195
1196           When scanning a combination of protocols (e.g. TCP and UDP), you
1197           can specify a particular protocol by preceding the port numbers by
1198           T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol. The
1199           qualifier lasts until you specify another qualifier. For example,
1200           the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP
1201           ports 53, 111,and 137, as well as the listed TCP ports. Note that
1202           to scan both UDP and TCP, you have to specify -sU and at least one
1203           TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier
1204           is given, the port numbers are added to all protocol lists.  Ports
1205           can also be specified by name according to what the port is
1206           referred to in the nmap-services. You can even use the wildcards *
1207           and ?  with the names. For example, to scan FTP and all ports whose
1208           names begin with “http”, use -p ftp,http*. Be careful about shell
1209           expansions and quote the argument to -p if unsure.
1210
1211           Ranges of ports can be surrounded by square brackets to indicate
1212           ports inside that range that appear in nmap-services. For example,
1213           the following will scan all ports in nmap-services equal to or
1214           below 1024: -p [-1024]. Be careful with shell expansions and quote
1215           the argument to -p if unsure.
1216
1217       -F (Fast (limited port) scan) .
1218           Specifies that you wish to scan fewer ports than the default.
1219           Normally Nmap scans the most common 1,000 ports for each scanned
1220           protocol. With -F, this is reduced to 100.
1221
1222           Nmap needs an nmap-services file with frequency information in
1223           order to know which ports are the most common. If port frequency
1224           information isn't available, perhaps because of the use of a custom
1225           nmap-services file, Nmap scans all named ports plus ports 1-1024.
1226           In that case, -F means to scan only ports that are named in the
1227           services file.
1228
1229       -r (Don't randomize ports) .
1230           By default, Nmap randomizes the scanned port order (except that
1231           certain commonly accessible ports are moved near the beginning for
1232           efficiency reasons). This randomization is normally desirable, but
1233           you can specify -r for sequential (sorted from lowest to highest)
1234           port scanning instead.
1235
1236       --port-ratio ratio<decimal number between 0 and 1>
1237           Scans all ports in nmap-services file with a ratio greater than the
1238           one given.  ratio must be between 0.0 and 1.1.
1239
1240       --top-ports n
1241           Scans the n highest-ratio ports found in nmap-services file.  n
1242           must be 1 or greater.
1243

SERVICE AND VERSION DETECTION

1245       Point Nmap at a remote machine and it might tell you that ports 25/tcp,
1246       80/tcp, and 53/udp are open. Using its nmap-services.  database of
1247       about 2,200 well-known services,.  Nmap would report that those ports
1248       probably correspond to a mail server (SMTP), web server (HTTP), and
1249       name server (DNS) respectively. This lookup is usually accurate—the
1250       vast majority of daemons listening on TCP port 25 are, in fact, mail
1251       servers. However, you should not bet your security on this! People can
1252       and do run services on strange ports..
1253
1254       Even if Nmap is right, and the hypothetical server above is running
1255       SMTP, HTTP, and DNS servers, that is not a lot of information. When
1256       doing vulnerability assessments (or even simple network inventories) of
1257       your companies or clients, you really want to know which mail and DNS
1258       servers and versions are running. Having an accurate version number
1259       helps dramatically in determining which exploits a server is vulnerable
1260       to. Version detection helps you obtain this information.
1261
1262       After TCP and/or UDP ports are discovered using one of the other scan
1263       methods, version detection interrogates those ports to determine more
1264       about what is actually running. The nmap-service-probes.  database
1265       contains probes for querying various services and match expressions to
1266       recognize and parse responses. Nmap tries to determine the service
1267       protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC
1268       BIND, Apache httpd, Solaris telnetd), the version number, hostname,
1269       device type (e.g. printer, router), the OS family (e.g. Windows,
1270       Linux). When possible, Nmap also gets the Common Platform Enumeration
1271       (CPE).  representation of this information. Sometimes miscellaneous
1272       details like whether an X server is open to connections, the SSH
1273       protocol version, or the KaZaA user name, are available. Of course,
1274       most services don't provide all of this information. If Nmap was
1275       compiled with OpenSSL support, it will connect to SSL servers to deduce
1276       the service listening behind that encryption layer..  Some UDP ports
1277       are left in the open|filtered state after a UDP port scan is unable to
1278       determine whether the port is open or filtered. Version detection will
1279       try to elicit a response from these ports (just as it does with open
1280       ports), and change the state to open if it succeeds.  open|filtered TCP
1281       ports are treated the same way. Note that the Nmap -A option enables
1282       version detection among other things.  A paper documenting the
1283       workings, usage, and customization of version detection is available at
1284       http://nmap.org/book/vscan.html.
1285
1286       When RPC services are discovered, the Nmap RPC grinder.  is
1287       automatically used to determine the RPC program and version numbers. It
1288       takes all the TCP/UDP ports detected as RPC and floods them with SunRPC
1289       program NULL commands in an attempt to determine whether they are RPC
1290       ports, and if so, what program and version number they serve up. Thus
1291       you can effectively obtain the same info as rpcinfo -p even if the
1292       target's portmapper is behind a firewall (or protected by TCP
1293       wrappers). Decoys do not currently work with RPC scan..
1294
1295       When Nmap receives responses from a service but cannot match them to
1296       its database, it prints out a special fingerprint and a URL for you to
1297       submit if to if you know for sure what is running on the port. Please
1298       take a couple minutes to make the submission so that your find can
1299       benefit everyone. Thanks to these submissions, Nmap has about 6,500
1300       pattern matches for more than 650 protocols such as SMTP, FTP, HTTP,
1301       etc..
1302
1303       Version detection is enabled and controlled with the following options:
1304
1305       -sV (Version detection) .
1306           Enables version detection, as discussed above. Alternatively, you
1307           can use -A, which enables version detection among other things.
1308
1309           -sR.  is an alias for -sV. Prior to March 2011, it was used to
1310           active the RPC grinder separately from version detection, but now
1311           these options are always combined.
1312
1313       --allports (Don't exclude any ports from version detection) .
1314           By default, Nmap version detection skips TCP port 9100 because some
1315           printers simply print anything sent to that port, leading to dozens
1316           of pages of HTTP GET requests, binary SSL session requests, etc.
1317           This behavior can be changed by modifying or removing the Exclude
1318           directive in nmap-service-probes, or you can specify --allports to
1319           scan all ports regardless of any Exclude directive.
1320
1321       --version-intensity intensity (Set version scan intensity) .
1322           When performing a version scan (-sV), Nmap sends a series of
1323           probes, each of which is assigned a rarity value between one and
1324           nine. The lower-numbered probes are effective against a wide
1325           variety of common services, while the higher-numbered ones are
1326           rarely useful. The intensity level specifies which probes should be
1327           applied. The higher the number, the more likely it is the service
1328           will be correctly identified. However, high intensity scans take
1329           longer. The intensity must be between 0 and 9..  The default is 7..
1330           When a probe is registered to the target port via the
1331           nmap-service-probesports directive, that probe is tried regardless
1332           of intensity level. This ensures that the DNS probes will always be
1333           attempted against any open port 53, the SSL probe will be done
1334           against 443, etc.
1335
1336       --version-light (Enable light mode) .
1337           This is a convenience alias for --version-intensity 2. This light
1338           mode makes version scanning much faster, but it is slightly less
1339           likely to identify services.
1340
1341       --version-all (Try every single probe) .
1342           An alias for --version-intensity 9, ensuring that every single
1343           probe is attempted against each port.
1344
1345       --version-trace (Trace version scan activity) .
1346           This causes Nmap to print out extensive debugging info about what
1347           version scanning is doing. It is a subset of what you get with
1348           --packet-trace.
1349

OS DETECTION

1351       One of Nmap's best-known features is remote OS detection using TCP/IP
1352       stack fingerprinting. Nmap sends a series of TCP and UDP packets to the
1353       remote host and examines practically every bit in the responses. After
1354       performing dozens of tests such as TCP ISN sampling, TCP options
1355       support and ordering, IP ID sampling, and the initial window size
1356       check, Nmap compares the results to its nmap-os-db.  database of more
1357       than 2,600 known OS fingerprints and prints out the OS details if there
1358       is a match. Each fingerprint includes a freeform textual description of
1359       the OS, and a classification which provides the vendor name (e.g. Sun),
1360       underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type
1361       (general purpose, router, switch, game console, etc). Most fingerprints
1362       also have a Common Platform Enumeration (CPE).  representation, like
1363       cpe:/o:linux:linux_kernel:2.6.
1364
1365       If Nmap is unable to guess the OS of a machine, and conditions are good
1366       (e.g. at least one open port and one closed port were found), Nmap will
1367       provide a URL you can use to submit the fingerprint if you know (for
1368       sure) the OS running on the machine. By doing this you contribute to
1369       the pool of operating systems known to Nmap and thus it will be more
1370       accurate for everyone.
1371
1372       OS detection enables some other tests which make use of information
1373       that is gathered during the process anyway. One of these is TCP
1374       Sequence Predictability Classification. This measures approximately how
1375       hard it is to establish a forged TCP connection against the remote
1376       host. It is useful for exploiting source-IP based trust relationships
1377       (rlogin, firewall filters, etc) or for hiding the source of an attack.
1378       This sort of spoofing is rarely performed any more, but many machines
1379       are still vulnerable to it. The actual difficulty number is based on
1380       statistical sampling and may fluctuate. It is generally better to use
1381       the English classification such as “worthy challenge” or “trivial
1382       joke”. This is only reported in normal output in verbose (-v) mode.
1383       When verbose mode is enabled along with -O, IP ID sequence generation
1384       is also reported. Most machines are in the “incremental” class, which
1385       means that they increment the ID field in the IP header for each packet
1386       they send. This makes them vulnerable to several advanced information
1387       gathering and spoofing attacks.
1388
1389       Another bit of extra information enabled by OS detection is a guess at
1390       a target's uptime. This uses the TCP timestamp option (RFC 1323[10]) to
1391       guess when a machine was last rebooted. The guess can be inaccurate due
1392       to the timestamp counter not being initialized to zero or the counter
1393       overflowing and wrapping around, so it is printed only in verbose mode.
1394
1395       A paper documenting the workings, usage, and customization of OS
1396       detection is available at http://nmap.org/book/osdetect.html.
1397
1398       OS detection is enabled and controlled with the following options:
1399
1400       -O (Enable OS detection) .
1401           Enables OS detection, as discussed above. Alternatively, you can
1402           use -A to enable OS detection along with other things.
1403
1404       --osscan-limit (Limit OS detection to promising targets) .
1405           OS detection is far more effective if at least one open and one
1406           closed TCP port are found. Set this option and Nmap will not even
1407           try OS detection against hosts that do not meet this criteria. This
1408           can save substantial time, particularly on -Pn scans against many
1409           hosts. It only matters when OS detection is requested with -O or
1410           -A.
1411
1412       --osscan-guess; --fuzzy (Guess OS detection results) .
1413           When Nmap is unable to detect a perfect OS match, it sometimes
1414           offers up near-matches as possibilities. The match has to be very
1415           close for Nmap to do this by default. Either of these (equivalent)
1416           options make Nmap guess more aggressively. Nmap will still tell you
1417           when an imperfect match is printed and display its confidence level
1418           (percentage) for each guess.
1419
1420       --max-os-tries (Set the maximum number of OS detection tries against a
1421       target) .
1422           When Nmap performs OS detection against a target and fails to find
1423           a perfect match, it usually repeats the attempt. By default, Nmap
1424           tries five times if conditions are favorable for OS fingerprint
1425           submission, and twice when conditions aren't so good. Specifying a
1426           lower --max-os-tries value (such as 1) speeds Nmap up, though you
1427           miss out on retries which could potentially identify the OS.
1428           Alternatively, a high value may be set to allow even more retries
1429           when conditions are favorable. This is rarely done, except to
1430           generate better fingerprints for submission and integration into
1431           the Nmap OS database.
1432

NMAP SCRIPTING ENGINE (NSE)

1434       The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and
1435       flexible features. It allows users to write (and share) simple scripts
1436       (using the Lua programming language[11],
1437
1438       Tasks we had in mind when creating the system include network
1439       discovery, more sophisticated version detection, vulnerability
1440       detection. NSE can even be used for vulnerability exploitation.
1441
1442       To reflect those different uses and to simplify the choice of which
1443       scripts to run, each script contains a field associating it with one or
1444       more categories. Currently defined categories are auth, broadcast,
1445       default.  discovery, dos, exploit, external, fuzzer, intrusive,
1446       malware, safe, version, and vuln. These are all described at
1447       http://nmap.org/book/nse-usage.html#nse-categories.
1448
1449       Scripts are not run in a sandbox and thus could accidentally or
1450       maliciously damage your system or invade your privacy. Never run
1451       scripts from third parties unless you trust the authors or have
1452       carefully audited the scripts yourself.
1453
1454       The Nmap Scripting Engine is described in detail at
1455       http://nmap.org/book/nse.html and is controlled by the following
1456       options:
1457
1458       -sC .
1459           Performs a script scan using the default set of scripts. It is
1460           equivalent to --script=default. Some of the scripts in this
1461           category are considered intrusive and should not be run against a
1462           target network without permission.
1463
1464       --script filename|category|directory|expression[,...] .
1465           Runs a script scan using the comma-separated list of filenames,
1466           script categories, and directories. Each element in the list may
1467           also be a Boolean expression describing a more complex set of
1468           scripts. Each element is interpreted first as an expression, then
1469           as a category, and finally as a file or directory name.
1470
1471           There are two special features for advanced users only. One is to
1472           prefix script names and expressions with + to force them to run
1473           even if they normally wouldn't (e.g. the relevant service wasn't
1474           detected on the target port). The other is that the argument all
1475           may be used to specify every script in Nmap's database. Be cautious
1476           with this because NSE contains dangerous scripts such as exploits,
1477           brute force authentication crackers, and denial of service attacks.
1478
1479           File and directory names may be relative or absolute. Absolute
1480           names are used directly. Relative paths are looked for in the
1481           scripts of each of the following places until found: --datadir
1482           $NMAPDIR.
1483           ~/.nmap (not searched on Windows).
1484           HOME\AppData\Roaming\nmap (only on Windows).
1485           the directory containing the nmap executable
1486           the directory containing the nmap executable, followed by
1487           ../share/nmap
1488           NMAPDATADIR.
1489           the current directory.
1490
1491       When a directory name is given, Nmap loads every file in the directory
1492       whose name ends with .nse. All other files are ignored and directories
1493       are not searched recursively. When a filename is given, it does not
1494       have to have the .nse extension; it will be added automatically if
1495       necessary.  Nmap scripts are stored in a scripts subdirectory of the
1496       Nmap data directory by default (see
1497       http://nmap.org/book/data-files.html).  For efficiency, scripts are
1498       indexed in a database stored in scripts/script.db,.  which lists the
1499       category or categories in which each script belongs.  When referring to
1500       scripts from script.db by name, you can use a shell-style ‘*’ wildcard.
1501
1502       nmap --script "http-*"
1503           Loads all scripts whose name starts with http-, such as http-auth
1504           and http-open-proxy. The argument to --script had to be in quotes
1505           to protect the wildcard from the shell.
1506
1507       More complicated script selection can be done using the and, or, and
1508       not operators to build Boolean expressions. The operators have the same
1509       precedence[12] as in Lua: not is the highest, followed by and and then
1510       or. You can alter precedence by using parentheses. Because expressions
1511       contain space characters it is necessary to quote them.
1512
1513       nmap --script "not intrusive"
1514           Loads every script except for those in the intrusive category.
1515
1516       nmap --script "default or safe"
1517           This is functionally equivalent to nmap --script "default,safe". It
1518           loads all scripts that are in the default category or the safe
1519           category or both.
1520
1521       nmap --script "default and safe"
1522           Loads those scripts that are in both the default and safe
1523           categories.
1524
1525       nmap --script "(default or safe or intrusive) and not http-*"
1526           Loads scripts in the default, safe, or intrusive categories, except
1527           for those whose names start with http-.
1528
1529       --script-args n1=v1,n2={n3=v3},n4={v4,v5} .
1530           Lets you provide arguments to NSE scripts. Arguments are a
1531           comma-separated list of name=value pairs. Names and values may be
1532           strings not containing whitespace or the characters ‘{’, ‘}’, ‘=’,
1533           or ‘,’. To include one of these characters in a string, enclose the
1534           string in single or double quotes. Within a quoted string, ‘\’
1535           escapes a quote. A backslash is only used to escape quotation marks
1536           in this special case; in all other cases a backslash is interpreted
1537           literally. Values may also be tables enclosed in {}, just as in
1538           Lua. A table may contain simple string values or more name-value
1539           pairs, including nested tables. Many scripts qualify their
1540           arguments with the script name, as in xmpp-info.server_name. You
1541           may use that full qualified version to affect just the specified
1542           script, or you may pass the unqualified version (server_name in
1543           this case) to affect all scripts using that argument name. A script
1544           will first check for its fully qualified argument name (the name
1545           specified in its documentation) before it accepts an unqualified
1546           argument name. A complex example of script arguments is
1547           --script-args
1548           'user=foo,pass=",{}=bar",whois={whodb=nofollow+ripe},xmpp-info.server_name=localhost'.
1549           The online NSE Documentation Portal at http://nmap.org/nsedoc/
1550           lists the arguments that each script accepts.
1551
1552       --script-args-file filename .
1553           Lets you load arguments to NSE scripts from a file. Any arguments
1554           on the command line supersede ones in the file. The file can be an
1555           absolute path, or a path relative to Nmap's usual search path
1556           (NMAPDIR, etc.) Arguments can be comma-separated or
1557           newline-separated, but otherwise follow the same rules as for
1558           --script-args, without requiring special quoting and escaping,
1559           since they are not parsed by the shell.
1560
1561       --script-help filename|category|directory|expression|all[,...] .
1562           Shows help about scripts. For each script matching the given
1563           specification, Nmap prints the script name, its categories, and its
1564           description. The specifications are the same as those accepted by
1565           --script; so for example if you want help about the ftp-anon
1566           script, you would run nmap --script-help ftp-anon. In addition to
1567           getting help for individual scripts, you can use this as a preview
1568           of what scripts will be run for a specification, for example with
1569           nmap --script-help default.
1570
1571       --script-trace .
1572           This option does what --packet-trace does, just one ISO layer
1573           higher. If this option is specified all incoming and outgoing
1574           communication performed by a script is printed. The displayed
1575           information includes the communication protocol, the source, the
1576           target and the transmitted data. If more than 5% of all transmitted
1577           data is not printable, then the trace output is in a hex dump
1578           format. Specifying --packet-trace enables script tracing too.
1579
1580       --script-updatedb .
1581           This option updates the script database found in scripts/script.db
1582           which is used by Nmap to determine the available default scripts
1583           and categories. It is only necessary to update the database if you
1584           have added or removed NSE scripts from the default scripts
1585           directory or if you have changed the categories of any script. This
1586           option is generally used by itself: nmap --script-updatedb.
1587

TIMING AND PERFORMANCE

1589       One of my highest Nmap development priorities has always been
1590       performance. A default scan (nmap hostname) of a host on my local
1591       network takes a fifth of a second. That is barely enough time to blink,
1592       but adds up when you are scanning hundreds or thousands of hosts.
1593       Moreover, certain scan options such as UDP scanning and version
1594       detection can increase scan times substantially. So can certain
1595       firewall configurations, particularly response rate limiting. While
1596       Nmap utilizes parallelism and many advanced algorithms to accelerate
1597       these scans, the user has ultimate control over how Nmap runs. Expert
1598       users carefully craft Nmap commands to obtain only the information they
1599       care about while meeting their time constraints.
1600
1601       Techniques for improving scan times include omitting non-critical
1602       tests, and upgrading to the latest version of Nmap (performance
1603       enhancements are made frequently). Optimizing timing parameters can
1604       also make a substantial difference. Those options are listed below.
1605
1606       Some options accept a time parameter. This is specified in seconds by
1607       default, though you can append ‘ms’, ‘s’, ‘m’, or ‘h’ to the value to
1608       specify milliseconds, seconds, minutes, or hours. So the --host-timeout
1609       arguments 900000ms, 900, 900s, and 15m all do the same thing.
1610
1611       --min-hostgroup numhosts; --max-hostgroup numhosts (Adjust parallel
1612       scan group sizes) .
1613           Nmap has the ability to port scan or version scan multiple hosts in
1614           parallel. Nmap does this by dividing the target IP space into
1615           groups and then scanning one group at a time. In general, larger
1616           groups are more efficient. The downside is that host results can't
1617           be provided until the whole group is finished. So if Nmap started
1618           out with a group size of 50, the user would not receive any reports
1619           (except for the updates offered in verbose mode) until the first 50
1620           hosts are completed.
1621
1622           By default, Nmap takes a compromise approach to this conflict. It
1623           starts out with a group size as low as five so the first results
1624           come quickly and then increases the groupsize to as high as 1024.
1625           The exact default numbers depend on the options given. For
1626           efficiency reasons, Nmap uses larger group sizes for UDP or
1627           few-port TCP scans.
1628
1629           When a maximum group size is specified with --max-hostgroup, Nmap
1630           will never exceed that size. Specify a minimum size with
1631           --min-hostgroup and Nmap will try to keep group sizes above that
1632           level. Nmap may have to use smaller groups than you specify if
1633           there are not enough target hosts left on a given interface to
1634           fulfill the specified minimum. Both may be set to keep the group
1635           size within a specific range, though this is rarely desired.
1636
1637           These options do not have an effect during the host discovery phase
1638           of a scan. This includes plain ping scans (-sn). Host discovery
1639           always works in large groups of hosts to improve speed and
1640           accuracy.
1641
1642           The primary use of these options is to specify a large minimum
1643           group size so that the full scan runs more quickly. A common choice
1644           is 256 to scan a network in Class C sized chunks. For a scan with
1645           many ports, exceeding that number is unlikely to help much. For
1646           scans of just a few port numbers, host group sizes of 2048 or more
1647           may be helpful.
1648
1649       --min-parallelism numprobes; --max-parallelism numprobes (Adjust probe
1650       parallelization) .
1651           These options control the total number of probes that may be
1652           outstanding for a host group. They are used for port scanning and
1653           host discovery. By default, Nmap calculates an ever-changing ideal
1654           parallelism based on network performance. If packets are being
1655           dropped, Nmap slows down and allows fewer outstanding probes. The
1656           ideal probe number slowly rises as the network proves itself
1657           worthy. These options place minimum or maximum bounds on that
1658           variable. By default, the ideal parallelism can drop to one if the
1659           network proves unreliable and rise to several hundred in perfect
1660           conditions.
1661
1662           The most common usage is to set --min-parallelism to a number
1663           higher than one to speed up scans of poorly performing hosts or
1664           networks. This is a risky option to play with, as setting it too
1665           high may affect accuracy. Setting this also reduces Nmap's ability
1666           to control parallelism dynamically based on network conditions. A
1667           value of 10 might be reasonable, though I only adjust this value as
1668           a last resort.
1669
1670           The --max-parallelism option is sometimes set to one to prevent
1671           Nmap from sending more than one probe at a time to hosts. The
1672           --scan-delay option, discussed later, is another way to do this.
1673
1674       --min-rtt-timeout time, --max-rtt-timeout time, --initial-rtt-timeout
1675       time (Adjust probe timeouts) .
1676           Nmap maintains a running timeout value for determining how long it
1677           will wait for a probe response before giving up or retransmitting
1678           the probe. This is calculated based on the response times of
1679           previous probes.
1680
1681           If the network latency shows itself to be significant and variable,
1682           this timeout can grow to several seconds. It also starts at a
1683           conservative (high) level and may stay that way for a while when
1684           Nmap scans unresponsive hosts.
1685
1686           Specifying a lower --max-rtt-timeout and --initial-rtt-timeout than
1687           the defaults can cut scan times significantly. This is particularly
1688           true for pingless (-Pn) scans, and those against heavily filtered
1689           networks. Don't get too aggressive though. The scan can end up
1690           taking longer if you specify such a low value that many probes are
1691           timing out and retransmitting while the response is in transit.
1692
1693           If all the hosts are on a local network, 100 milliseconds
1694           (--max-rtt-timeout 100ms) is a reasonable aggressive value. If
1695           routing is involved, ping a host on the network first with the ICMP
1696           ping utility, or with a custom packet crafter such as Nping.  that
1697           is more likely to get through a firewall. Look at the maximum round
1698           trip time out of ten packets or so. You might want to double that
1699           for the --initial-rtt-timeout and triple or quadruple it for the
1700           --max-rtt-timeout. I generally do not set the maximum RTT below
1701           100 ms, no matter what the ping times are. Nor do I exceed 1000 ms.
1702
1703           --min-rtt-timeout is a rarely used option that could be useful when
1704           a network is so unreliable that even Nmap's default is too
1705           aggressive. Since Nmap only reduces the timeout down to the minimum
1706           when the network seems to be reliable, this need is unusual and
1707           should be reported as a bug to the nmap-dev mailing list..
1708
1709       --max-retries numtries (Specify the maximum number of port scan probe
1710       retransmissions) .
1711           When Nmap receives no response to a port scan probe, it could mean
1712           the port is filtered. Or maybe the probe or response was simply
1713           lost on the network. It is also possible that the target host has
1714           rate limiting enabled that temporarily blocked the response. So
1715           Nmap tries again by retransmitting the initial probe. If Nmap
1716           detects poor network reliability, it may try many more times before
1717           giving up on a port. While this benefits accuracy, it also lengthen
1718           scan times. When performance is critical, scans may be sped up by
1719           limiting the number of retransmissions allowed. You can even
1720           specify --max-retries 0 to prevent any retransmissions, though that
1721           is only recommended for situations such as informal surveys where
1722           occasional missed ports and hosts are acceptable.
1723
1724           The default (with no -T template) is to allow ten retransmissions.
1725           If a network seems reliable and the target hosts aren't rate
1726           limiting, Nmap usually only does one retransmission. So most target
1727           scans aren't even affected by dropping --max-retries to a low value
1728           such as three. Such values can substantially speed scans of slow
1729           (rate limited) hosts. You usually lose some information when Nmap
1730           gives up on ports early, though that may be preferable to letting
1731           the --host-timeout expire and losing all information about the
1732           target.
1733
1734       --host-timeout time (Give up on slow target hosts) .
1735           Some hosts simply take a long time to scan. This may be due to
1736           poorly performing or unreliable networking hardware or software,
1737           packet rate limiting, or a restrictive firewall. The slowest few
1738           percent of the scanned hosts can eat up a majority of the scan
1739           time. Sometimes it is best to cut your losses and skip those hosts
1740           initially. Specify --host-timeout with the maximum amount of time
1741           you are willing to wait. For example, specify 30m to ensure that
1742           Nmap doesn't waste more than half an hour on a single host. Note
1743           that Nmap may be scanning other hosts at the same time during that
1744           half an hour, so it isn't a complete loss. A host that times out is
1745           skipped. No port table, OS detection, or version detection results
1746           are printed for that host.
1747
1748       --scan-delay time; --max-scan-delay time (Adjust delay between probes)
1749       .
1750           This option causes Nmap to wait at least the given amount of time
1751           between each probe it sends to a given host. This is particularly
1752           useful in the case of rate limiting..  Solaris machines (among many
1753           others) will usually respond to UDP scan probe packets with only
1754           one ICMP message per second. Any more than that sent by Nmap will
1755           be wasteful. A --scan-delay of 1s will keep Nmap at that slow rate.
1756           Nmap tries to detect rate limiting and adjust the scan delay
1757           accordingly, but it doesn't hurt to specify it explicitly if you
1758           already know what rate works best.
1759
1760           When Nmap adjusts the scan delay upward to cope with rate limiting,
1761           the scan slows down dramatically. The --max-scan-delay option
1762           specifies the largest delay that Nmap will allow. A low
1763           --max-scan-delay can speed up Nmap, but it is risky. Setting this
1764           value too low can lead to wasteful packet retransmissions and
1765           possible missed ports when the target implements strict rate
1766           limiting.
1767
1768           Another use of --scan-delay is to evade threshold based intrusion
1769           detection and prevention systems (IDS/IPS)..
1770
1771       --min-rate number; --max-rate number (Directly control the scanning
1772       rate) .
1773           Nmap's dynamic timing does a good job of finding an appropriate
1774           speed at which to scan. Sometimes, however, you may happen to know
1775           an appropriate scanning rate for a network, or you may have to
1776           guarantee that a scan will be finished by a certain time. Or
1777           perhaps you must keep Nmap from scanning too quickly. The
1778           --min-rate and --max-rate options are designed for these
1779           situations.
1780
1781           When the --min-rate option is given Nmap will do its best to send
1782           packets as fast as or faster than the given rate. The argument is a
1783           positive real number representing a packet rate in packets per
1784           second. For example, specifying --min-rate 300 means that Nmap will
1785           try to keep the sending rate at or above 300 packets per second.
1786           Specifying a minimum rate does not keep Nmap from going faster if
1787           conditions warrant.
1788
1789           Likewise, --max-rate limits a scan's sending rate to a given
1790           maximum. Use --max-rate 100, for example, to limit sending to 100
1791           packets per second on a fast network. Use --max-rate 0.1 for a slow
1792           scan of one packet every ten seconds. Use --min-rate and --max-rate
1793           together to keep the rate inside a certain range.
1794
1795           These two options are global, affecting an entire scan, not
1796           individual hosts. They only affect port scans and host discovery
1797           scans. Other features like OS detection implement their own timing.
1798
1799           There are two conditions when the actual scanning rate may fall
1800           below the requested minimum. The first is if the minimum is faster
1801           than the fastest rate at which Nmap can send, which is dependent on
1802           hardware. In this case Nmap will simply send packets as fast as
1803           possible, but be aware that such high rates are likely to cause a
1804           loss of accuracy. The second case is when Nmap has nothing to send,
1805           for example at the end of a scan when the last probes have been
1806           sent and Nmap is waiting for them to time out or be responded to.
1807           It's normal to see the scanning rate drop at the end of a scan or
1808           in between hostgroups. The sending rate may temporarily exceed the
1809           maximum to make up for unpredictable delays, but on average the
1810           rate will stay at or below the maximum.
1811
1812           Specifying a minimum rate should be done with care. Scanning faster
1813           than a network can support may lead to a loss of accuracy. In some
1814           cases, using a faster rate can make a scan take longer than it
1815           would with a slower rate. This is because Nmap's adaptive
1816           retransmission algorithms will detect the network congestion caused
1817           by an excessive scanning rate and increase the number of
1818           retransmissions in order to improve accuracy. So even though
1819           packets are sent at a higher rate, more packets are sent overall.
1820           Cap the number of retransmissions with the --max-retries option if
1821           you need to set an upper limit on total scan time.
1822
1823       --defeat-rst-ratelimit .
1824           Many hosts have long used rate limiting.  to reduce the number of
1825           ICMP error messages (such as port-unreachable errors) they send.
1826           Some systems now apply similar rate limits to the RST (reset)
1827           packets they generate. This can slow Nmap down dramatically as it
1828           adjusts its timing to reflect those rate limits. You can tell Nmap
1829           to ignore those rate limits (for port scans such as SYN scan which
1830           don't treat non-responsive ports as open) by specifying
1831           --defeat-rst-ratelimit.
1832
1833           Using this option can reduce accuracy, as some ports will appear
1834           non-responsive because Nmap didn't wait long enough for a
1835           rate-limited RST response. With a SYN scan, the non-response
1836           results in the port being labeled filtered rather than the closed
1837           state we see when RST packets are received. This option is useful
1838           when you only care about open ports, and distinguishing between
1839           closed and filtered ports isn't worth the extra time.
1840
1841       --nsock-engine epoll|kqueue|poll|select .
1842           Enforce use of a given nsock IO multiplexing engine. Only the
1843           select(2)-based fallback engine is guaranteed to be available on
1844           your system. Engines are named after the name of the IO management
1845           facility they leverage. Engines currenty implemented are epoll,
1846           kqueue, poll, and select, but not all will be present on any
1847           platform. Use nmap -V to see which engines are supported.
1848
1849       -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing
1850       template) .
1851           While the fine-grained timing controls discussed in the previous
1852           section are powerful and effective, some people find them
1853           confusing. Moreover, choosing the appropriate values can sometimes
1854           take more time than the scan you are trying to optimize. So Nmap
1855           offers a simpler approach, with six timing templates. You can
1856           specify them with the -T option and their number (0–5) or their
1857           name. The template names are paranoid (0), sneaky (1), polite (2),
1858           normal (3), aggressive (4), and insane (5). The first two are for
1859           IDS evasion. Polite mode slows down the scan to use less bandwidth
1860           and target machine resources. Normal mode is the default and so -T3
1861           does nothing. Aggressive mode speeds scans up by making the
1862           assumption that you are on a reasonably fast and reliable network.
1863           Finally insane mode.  assumes that you are on an extraordinarily
1864           fast network or are willing to sacrifice some accuracy for speed.
1865
1866           These templates allow the user to specify how aggressive they wish
1867           to be, while leaving Nmap to pick the exact timing values. The
1868           templates also make some minor speed adjustments for which
1869           fine-grained control options do not currently exist. For example,
1870           -T4.  prohibits the dynamic scan delay from exceeding 10 ms for TCP
1871           ports and -T5 caps that value at 5 ms. Templates can be used in
1872           combination with fine-grained controls, and the fine-grained
1873           controls will you specify will take precedence over the timing
1874           template default for that parameter. I recommend using -T4 when
1875           scanning reasonably modern and reliable networks. Keep that option
1876           even when you add fine-grained controls so that you benefit from
1877           those extra minor optimizations that it enables.
1878
1879           If you are on a decent broadband or ethernet connection, I would
1880           recommend always using -T4. Some people love -T5 though it is too
1881           aggressive for my taste. People sometimes specify -T2 because they
1882           think it is less likely to crash hosts or because they consider
1883           themselves to be polite in general. They often don't realize just
1884           how slow -T polite.  really is. Their scan may take ten times
1885           longer than a default scan. Machine crashes and bandwidth problems
1886           are rare with the default timing options (-T3) and so I normally
1887           recommend that for cautious scanners. Omitting version detection is
1888           far more effective than playing with timing values at reducing
1889           these problems.
1890
1891           While -T0.  and -T1.  may be useful for avoiding IDS alerts, they
1892           will take an extraordinarily long time to scan thousands of
1893           machines or ports. For such a long scan, you may prefer to set the
1894           exact timing values you need rather than rely on the canned -T0 and
1895           -T1 values.
1896
1897           The main effects of T0 are serializing the scan so only one port is
1898           scanned at a time, and waiting five minutes between sending each
1899           probe.  T1 and T2 are similar but they only wait 15 seconds and 0.4
1900           seconds, respectively, between probes.  T3 is Nmap's default
1901           behavior, which includes parallelization..  does the equivalent of
1902           --max-rtt-timeout 1250ms --initial-rtt-timeout 500ms --max-retries
1903           6 and sets the maximum TCP scan delay to 10 milliseconds.  T5 does
1904           the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms
1905           --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m as
1906           well as setting the maximum TCP scan delay to 5 ms.
1907

FIREWALL/IDS EVASION AND SPOOFING

1909       Many Internet pioneers envisioned a global open network with a
1910       universal IP address space allowing virtual connections between any two
1911       nodes. This allows hosts to act as true peers, serving and retrieving
1912       information from each other. People could access all of their home
1913       systems from work, changing the climate control settings or unlocking
1914       the doors for early guests. This vision of universal connectivity has
1915       been stifled by address space shortages and security concerns. In the
1916       early 1990s, organizations began deploying firewalls for the express
1917       purpose of reducing connectivity. Huge networks were cordoned off from
1918       the unfiltered Internet by application proxies, network address
1919       translation, and packet filters. The unrestricted flow of information
1920       gave way to tight regulation of approved communication channels and the
1921       content that passes over them.
1922
1923       Network obstructions such as firewalls can make mapping a network
1924       exceedingly difficult. It will not get any easier, as stifling casual
1925       reconnaissance is often a key goal of implementing the devices.
1926       Nevertheless, Nmap offers many features to help understand these
1927       complex networks, and to verify that filters are working as intended.
1928       It even supports mechanisms for bypassing poorly implemented defenses.
1929       One of the best methods of understanding your network security posture
1930       is to try to defeat it. Place yourself in the mind-set of an attacker,
1931       and deploy techniques from this section against your networks. Launch
1932       an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel
1933       through one of your own proxies.
1934
1935       In addition to restricting network activity, companies are increasingly
1936       monitoring traffic with intrusion detection systems (IDS). All of the
1937       major IDSs ship with rules designed to detect Nmap scans because scans
1938       are sometimes a precursor to attacks. Many of these products have
1939       recently morphed into intrusion prevention systems (IPS).  that
1940       actively block traffic deemed malicious. Unfortunately for network
1941       administrators and IDS vendors, reliably detecting bad intentions by
1942       analyzing packet data is a tough problem. Attackers with patience,
1943       skill, and the help of certain Nmap options can usually pass by IDSs
1944       undetected. Meanwhile, administrators must cope with large numbers of
1945       false positive results where innocent activity is misdiagnosed and
1946       alerted on or blocked.
1947
1948       Occasionally people suggest that Nmap should not offer features for
1949       evading firewall rules or sneaking past IDSs. They argue that these
1950       features are just as likely to be misused by attackers as used by
1951       administrators to enhance security. The problem with this logic is that
1952       these methods would still be used by attackers, who would just find
1953       other tools or patch the functionality into Nmap. Meanwhile,
1954       administrators would find it that much harder to do their jobs.
1955       Deploying only modern, patched FTP servers is a far more powerful
1956       defense than trying to prevent the distribution of tools implementing
1957       the FTP bounce attack.
1958
1959       There is no magic bullet (or Nmap option) for detecting and subverting
1960       firewalls and IDS systems. It takes skill and experience. A tutorial is
1961       beyond the scope of this reference guide, which only lists the relevant
1962       options and describes what they do.
1963
1964       -f (fragment packets); --mtu (using the specified MTU) .
1965           The -f option causes the requested scan (including ping scans) to
1966           use tiny fragmented IP packets. The idea is to split up the TCP
1967           header over several packets to make it harder for packet filters,
1968           intrusion detection systems, and other annoyances to detect what
1969           you are doing. Be careful with this! Some programs have trouble
1970           handling these tiny packets. The old-school sniffer named Sniffit
1971           segmentation faulted immediately upon receiving the first fragment.
1972           Specify this option once, and Nmap splits the packets into eight
1973           bytes or less after the IP header. So a 20-byte TCP header would be
1974           split into three packets. Two with eight bytes of the TCP header,
1975           and one with the final four. Of course each fragment also has an IP
1976           header. Specify -f again to use 16 bytes per fragment (reducing the
1977           number of fragments)..  Or you can specify your own offset size
1978           with the --mtu option. Don't also specify -f if you use --mtu. The
1979           offset must be a multiple of eight. While fragmented packets won't
1980           get by packet filters and firewalls that queue all IP fragments,
1981           such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel,
1982           some networks can't afford the performance hit this causes and thus
1983           leave it disabled. Others can't enable this because fragments may
1984           take different routes into their networks. Some source systems
1985           defragment outgoing packets in the kernel. Linux with the iptables.
1986           connection tracking module is one such example. Do a scan while a
1987           sniffer such as Wireshark.  is running to ensure that sent packets
1988           are fragmented. If your host OS is causing problems, try the
1989           --send-eth.  option to bypass the IP layer and send raw ethernet
1990           frames.
1991
1992           Fragmentation is only supported for Nmap's raw packet features,
1993           which includes TCP and UDP port scans (except connect scan and FTP
1994           bounce scan) and OS detection. Features such as version detection
1995           and the Nmap Scripting Engine generally don't support fragmentation
1996           because they rely on your host's TCP stack to communicate with
1997           target services.
1998
1999       -D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys) .
2000           Causes a decoy scan to be performed, which makes it appear to the
2001           remote host that the host(s) you specify as decoys are scanning the
2002           target network too. Thus their IDS might report 5–10 port scans
2003           from unique IP addresses, but they won't know which IP was scanning
2004           them and which were innocent decoys. While this can be defeated
2005           through router path tracing, response-dropping, and other active
2006           mechanisms, it is generally an effective technique for hiding your
2007           IP address.
2008
2009           Separate each decoy host with commas, and you can optionally use
2010           ME.  as one of the decoys to represent the position for your real
2011           IP address. If you put ME in the sixth position or later, some
2012           common port scan detectors (such as Solar Designer's.  excellent
2013           Scanlogd).  are unlikely to show your IP address at all. If you
2014           don't use ME, Nmap will put you in a random position. You can also
2015           use RND.  to generate a random, non-reserved IP address, or
2016           RND:number to generate number addresses.
2017
2018           Note that the hosts you use as decoys should be up or you might
2019           accidentally SYN flood your targets. Also it will be pretty easy to
2020           determine which host is scanning if only one is actually up on the
2021           network. You might want to use IP addresses instead of names (so
2022           the decoy networks don't see you in their nameserver logs).
2023
2024           Decoys are used both in the initial ping scan (using ICMP, SYN,
2025           ACK, or whatever) and during the actual port scanning phase. Decoys
2026           are also used during remote OS detection (-O). Decoys do not work
2027           with version detection or TCP connect scan. When a scan delay is in
2028           effect, the delay is enforced between each batch of spoofed probes,
2029           not between each individual probe. Because decoys are sent as a
2030           batch all at once, they may temporarily violate congestion control
2031           limits.
2032
2033           It is worth noting that using too many decoys may slow your scan
2034           and potentially even make it less accurate. Also, some ISPs will
2035           filter out your spoofed packets, but many do not restrict spoofed
2036           IP packets at all.
2037
2038       -S IP_Address (Spoof source address) .
2039           In some circumstances, Nmap may not be able to determine your
2040           source address (Nmap will tell you if this is the case). In this
2041           situation, use -S with the IP address of the interface you wish to
2042           send packets through.
2043
2044           Another possible use of this flag is to spoof the scan to make the
2045           targets think that someone else is scanning them. Imagine a company
2046           being repeatedly port scanned by a competitor! The -e option and
2047           -Pn are generally required for this sort of usage. Note that you
2048           usually won't receive reply packets back (they will be addressed to
2049           the IP you are spoofing), so Nmap won't produce useful reports.
2050
2051       -e interface (Use specified interface) .
2052           Tells Nmap what interface to send and receive packets on. Nmap
2053           should be able to detect this automatically, but it will tell you
2054           if it cannot.
2055
2056       --source-port portnumber; -g portnumber (Spoof source port number) .
2057           One surprisingly common misconfiguration is to trust traffic based
2058           only on the source port number. It is easy to understand how this
2059           comes about. An administrator will set up a shiny new firewall,
2060           only to be flooded with complaints from ungrateful users whose
2061           applications stopped working. In particular, DNS may be broken
2062           because the UDP DNS replies from external servers can no longer
2063           enter the network. FTP is another common example. In active FTP
2064           transfers, the remote server tries to establish a connection back
2065           to the client to transfer the requested file.
2066
2067           Secure solutions to these problems exist, often in the form of
2068           application-level proxies or protocol-parsing firewall modules.
2069           Unfortunately there are also easier, insecure solutions. Noting
2070           that DNS replies come from port 53 and active FTP from port 20,
2071           many administrators have fallen into the trap of simply allowing
2072           incoming traffic from those ports. They often assume that no
2073           attacker would notice and exploit such firewall holes. In other
2074           cases, administrators consider this a short-term stop-gap measure
2075           until they can implement a more secure solution. Then they forget
2076           the security upgrade.
2077
2078           Overworked network administrators are not the only ones to fall
2079           into this trap. Numerous products have shipped with these insecure
2080           rules. Even Microsoft has been guilty. The IPsec filters that
2081           shipped with Windows 2000 and Windows XP contain an implicit rule
2082           that allows all TCP or UDP traffic from port 88 (Kerberos). In
2083           another well-known case, versions of the Zone Alarm personal
2084           firewall up to 2.1.25 allowed any incoming UDP packets with the
2085           source port 53 (DNS) or 67 (DHCP).
2086
2087           Nmap offers the -g and --source-port options (they are equivalent)
2088           to exploit these weaknesses. Simply provide a port number and Nmap
2089           will send packets from that port where possible. Most scanning
2090           operations that use raw sockets, including SYN and UDP scans,
2091           support the option completely. The option notably doesn't have an
2092           effect for any operations that use normal operating system sockets,
2093           including DNS requests, TCP connect scan,.  version detection, and
2094           script scanning. Setting the source port also doesn't work for OS
2095           detection, because Nmap must use different port numbers for certain
2096           OS detection tests to work properly.
2097
2098       --data-length number (Append random data to sent packets) .
2099           Normally Nmap sends minimalist packets containing only a header. So
2100           its TCP packets are generally 40 bytes and ICMP echo requests are
2101           just 28. Some UDP ports.  and IP protocols.  get a custom payload
2102           by default. This option tells Nmap to append the given number of
2103           random bytes to most of the packets it sends, and not to use any
2104           protocol-specific payloads. (Use --data-length 0 for no random or
2105           protocol-specific payloads..  OS detection (-O) packets are not
2106           affected.  because accuracy there requires probe consistency, but
2107           most pinging and portscan packets support this. It slows things
2108           down a little, but can make a scan slightly less conspicuous.
2109
2110       --ip-options S|R [route]|L [route]|T|U ... ; --ip-options hex string
2111       (Send packets with specified ip options) .
2112           The IP protocol[13] offers several options which may be placed in
2113           packet headers. Unlike the ubiquitous TCP options, IP options are
2114           rarely seen due to practicality and security concerns. In fact,
2115           many Internet routers block the most dangerous options such as
2116           source routing. Yet options can still be useful in some cases for
2117           determining and manipulating the network route to target machines.
2118           For example, you may be able to use the record route option to
2119           determine a path to a target even when more traditional
2120           traceroute-style approaches fail. Or if your packets are being
2121           dropped by a certain firewall, you may be able to specify a
2122           different route with the strict or loose source routing options.
2123
2124           The most powerful way to specify IP options is to simply pass in
2125           values as the argument to --ip-options. Precede each hex number
2126           with \x then the two digits. You may repeat certain characters by
2127           following them with an asterisk and then the number of times you
2128           wish them to repeat. For example, \x01\x07\x04\x00*36\x01 is a hex
2129           string containing 36 NUL bytes.
2130
2131           Nmap also offers a shortcut mechanism for specifying options.
2132           Simply pass the letter R, T, or U to request record-route,.
2133           record-timestamp,.  or both options together, respectively. Loose
2134           or strict source routing.  may be specified with an L or S followed
2135           by a space and then a space-separated list of IP addresses.
2136
2137           If you wish to see the options in packets sent and received,
2138           specify --packet-trace. For more information and examples of using
2139           IP options with Nmap, see http://seclists.org/nmap-dev/2006/q3/52.
2140
2141       --ttl value (Set IP time-to-live field) .
2142           Sets the IPv4 time-to-live field in sent packets to the given
2143           value.
2144
2145       --randomize-hosts (Randomize target host order) .
2146           Tells Nmap to shuffle each group of up to 16384 hosts before it
2147           scans them. This can make the scans less obvious to various network
2148           monitoring systems, especially when you combine it with slow timing
2149           options. If you want to randomize over larger group sizes, increase
2150           PING_GROUP_SZ.  in nmap.h.  and recompile. An alternative solution
2151           is to generate the target IP list with a list scan (-sL -n -oN
2152           filename), randomize it with a Perl script, then provide the whole
2153           list to Nmap with -iL..
2154
2155       --spoof-mac MAC address, prefix, or vendor name (Spoof MAC address) .
2156           Asks Nmap to use the given MAC address for all of the raw ethernet
2157           frames it sends. This option implies --send-eth.  to ensure that
2158           Nmap actually sends ethernet-level packets. The MAC given can take
2159           several formats. If it is simply the number 0, Nmap chooses a
2160           completely random MAC address for the session. If the given string
2161           is an even number of hex digits (with the pairs optionally
2162           separated by a colon), Nmap will use those as the MAC. If fewer
2163           than 12 hex digits are provided, Nmap fills in the remainder of the
2164           six bytes with random values. If the argument isn't a zero or hex
2165           string, Nmap looks through nmap-mac-prefixes to find a vendor name
2166           containing the given string (it is case insensitive). If a match is
2167           found, Nmap uses the vendor's OUI (three-byte prefix).  and fills
2168           out the remaining three bytes randomly. Valid --spoof-mac argument
2169           examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and
2170           Cisco. This option only affects raw packet scans such as SYN scan
2171           or OS detection, not connection-oriented features such as version
2172           detection or the Nmap Scripting Engine.
2173
2174       --badsum (Send packets with bogus TCP/UDP checksums) .
2175           Asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets
2176           sent to target hosts. Since virtually all host IP stacks properly
2177           drop these packets, any responses received are likely coming from a
2178           firewall or IDS that didn't bother to verify the checksum. For more
2179           details on this technique, see http://nmap.org/p60-12.html
2180
2181       --adler32 (Use deprecated Adler32 instead of CRC32C for SCTP checksums)
2182       .
2183           Asks Nmap to use the deprecated Adler32 algorithm for calculating
2184           the SCTP checksum. If --adler32 is not given, CRC-32C (Castagnoli)
2185           is used.  RFC 2960[14] originally defined Adler32 as checksum
2186           algorithm for SCTP; RFC 4960[7] later redefined the SCTP checksums
2187           to use CRC-32C. Current SCTP implementations should be using
2188           CRC-32C, but in order to elicit responses from old, legacy SCTP
2189           implementations, it may be preferable to use Adler32.
2190

OUTPUT

2192       Any security tool is only as useful as the output it generates. Complex
2193       tests and algorithms are of little value if they aren't presented in an
2194       organized and comprehensible fashion. Given the number of ways Nmap is
2195       used by people and other software, no single format can please
2196       everyone. So Nmap offers several formats, including the interactive
2197       mode for humans to read directly and XML for easy parsing by software.
2198
2199       In addition to offering different output formats, Nmap provides options
2200       for controlling the verbosity of output as well as debugging messages.
2201       Output types may be sent to standard output or to named files, which
2202       Nmap can append to or clobber. Output files may also be used to resume
2203       aborted scans.
2204
2205       Nmap makes output available in five different formats. The default is
2206       called interactive output,.  and it is sent to standard output
2207       (stdout)..  There is also normal output,.  which is similar to
2208       interactive except that it displays less runtime information and
2209       warnings since it is expected to be analyzed after the scan completes
2210       rather than interactively.
2211
2212       XML output.  is one of the most important output types, as it can be
2213       converted to HTML, easily parsed by programs such as Nmap graphical
2214       user interfaces, or imported into databases.
2215
2216       The two remaining output types are the simple grepable output.  which
2217       includes most information for a target host on a single line, and
2218       sCRiPt KiDDi3 0utPUt.  for users who consider themselves |<-r4d.
2219
2220       While interactive output is the default and has no associated
2221       command-line options, the other four format options use the same
2222       syntax. They take one argument, which is the filename that results
2223       should be stored in. Multiple formats may be specified, but each format
2224       may only be specified once. For example, you may wish to save normal
2225       output for your own review while saving XML of the same scan for
2226       programmatic analysis. You might do this with the options -oX
2227       myscan.xml -oN myscan.nmap. While this chapter uses the simple names
2228       like myscan.xml for brevity, more descriptive names are generally
2229       recommended. The names chosen are a matter of personal preference,
2230       though I use long ones that incorporate the scan date and a word or two
2231       describing the scan, placed in a directory named after the company I'm
2232       scanning.
2233
2234       While these options save results to files, Nmap still prints
2235       interactive output to stdout as usual. For example, the command nmap
2236       -oX myscan.xml target prints XML to myscan.xml and fills standard
2237       output with the same interactive results it would have printed if -oX
2238       wasn't specified at all. You can change this by passing a hyphen
2239       character as the argument to one of the format types. This causes Nmap
2240       to deactivate interactive output, and instead print results in the
2241       format you specified to the standard output stream. So the command nmap
2242       -oX - target will send only XML output to stdout..  Serious errors may
2243       still be printed to the normal error stream, stderr..
2244
2245       Unlike some Nmap arguments, the space between the logfile option flag
2246       (such as -oX) and the filename or hyphen is mandatory. If you omit the
2247       flags and give arguments such as -oG- or -oXscan.xml, a backwards
2248       compatibility feature of Nmap will cause the creation of normal format
2249       output files named G- and Xscan.xml respectively.
2250
2251       All of these arguments support strftime-like.  conversions in the
2252       filename.  %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as
2253       in strftime.  %T is the same as %H%M%S, %R is the same as %H%M, and %D
2254       is the same as %m%d%y. A % followed by any other character just yields
2255       that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml'
2256       will use an XML file with a name in the form of scan-144840-121307.xml.
2257
2258       Nmap also offers options to control scan verbosity and to append to
2259       output files rather than clobbering them. All of these options are
2260       described below.
2261
2262       Nmap Output Formats
2263
2264       -oN filespec (normal output) .
2265           Requests that normal output be directed to the given filename. As
2266           discussed above, this differs slightly from interactive output.
2267
2268       -oX filespec (XML output) .
2269           Requests that XML output be directed to the given filename. Nmap
2270           includes a document type definition (DTD) which allows XML parsers
2271           to validate Nmap XML output. While it is primarily intended for
2272           programmatic use, it can also help humans interpret Nmap XML
2273           output. The DTD defines the legal elements of the format, and often
2274           enumerates the attributes and values they can take on. The latest
2275           version is always available from
2276           https://svn.nmap.org/nmap/docs/nmap.dtd.
2277
2278           XML offers a stable format that is easily parsed by software. Free
2279           XML parsers are available for all major computer languages,
2280           including C/C++, Perl, Python, and Java. People have even written
2281           bindings for most of these languages to handle Nmap output and
2282           execution specifically. Examples are Nmap::Scanner[15].  and
2283           Nmap::Parser[16].  in Perl CPAN. In almost all cases that a
2284           non-trivial application interfaces with Nmap, XML is the preferred
2285           format.
2286
2287           The XML output references an XSL stylesheet which can be used to
2288           format the results as HTML. The easiest way to use this is simply
2289           to load the XML output in a web browser such as Firefox or IE. By
2290           default, this will only work on the machine you ran Nmap on (or a
2291           similarly configured one) due to the hard-coded nmap.xsl filesystem
2292           path. Use the --webxml or --stylesheet options to create portable
2293           XML files that render as HTML on any web-connected machine.
2294
2295       -oS filespec (ScRipT KIdd|3 oUTpuT) .
2296           Script kiddie output is like interactive output, except that it is
2297           post-processed to better suit the l33t HaXXorZ who previously
2298           looked down on Nmap due to its consistent capitalization and
2299           spelling. Humor impaired people should note that this option is
2300           making fun of the script kiddies before flaming me for supposedly
2301           “helping them”.
2302
2303       -oG filespec (grepable output) .
2304           This output format is covered last because it is deprecated. The
2305           XML output format is far more powerful, and is nearly as convenient
2306           for experienced users. XML is a standard for which dozens of
2307           excellent parsers are available, while grepable output is my own
2308           simple hack. XML is extensible to support new Nmap features as they
2309           are released, while I often must omit those features from grepable
2310           output for lack of a place to put them.
2311
2312           Nevertheless, grepable output is still quite popular. It is a
2313           simple format that lists each host on one line and can be trivially
2314           searched and parsed with standard Unix tools such as grep, awk,
2315           cut, sed, diff, and Perl. Even I usually use it for one-off tests
2316           done at the command line. Finding all the hosts with the SSH port
2317           open or that are running Solaris takes only a simple grep to
2318           identify the hosts, piped to an awk or cut command to print the
2319           desired fields.
2320
2321           Grepable output consists of comments (lines starting with a pound
2322           (#)).  and target lines. A target line includes a combination of
2323           six labeled fields, separated by tabs and followed with a colon.
2324           The fields are Host, Ports, Protocols, Ignored State, OS, Seq
2325           Index, IP ID, and Status.
2326
2327           The most important of these fields is generally Ports, which gives
2328           details on each interesting port. It is a comma separated list of
2329           port entries. Each port entry represents one interesting port, and
2330           takes the form of seven slash (/) separated subfields. Those
2331           subfields are: Port number, State, Protocol, Owner, Service, SunRPC
2332           info, and Version info.
2333
2334           As with XML output, this man page does not allow for documenting
2335           the entire format. A more detailed look at the Nmap grepable output
2336           format is available from
2337           http://nmap.org/book/output-formats-grepable-output.html.
2338
2339       -oA basename (Output to all formats) .
2340           As a convenience, you may specify -oA basename to store scan
2341           results in normal, XML, and grepable formats at once. They are
2342           stored in basename.nmap, basename.xml, and basename.gnmap,
2343           respectively. As with most programs, you can prefix the filenames
2344           with a directory path, such as ~/nmaplogs/foocorp/ on Unix or
2345           c:\hacking\sco on Windows.
2346
2347       Verbosity and debugging options
2348
2349       -v (Increase verbosity level) .
2350           Increases the verbosity level, causing Nmap to print more
2351           information about the scan in progress. Open ports are shown as
2352           they are found and completion time estimates are provided when Nmap
2353           thinks a scan will take more than a few minutes. Use it twice or
2354           more for even greater verbosity: -vv, or give a verbosity level
2355           directly, for example -v3..
2356
2357           Most changes only affect interactive output, and some also affect
2358           normal and script kiddie output. The other output types are meant
2359           to be processed by machines, so Nmap can give substantial detail by
2360           default in those formats without fatiguing a human user. However,
2361           there are a few changes in other modes where output size can be
2362           reduced substantially by omitting some detail. For example, a
2363           comment line in the grepable output that provides a list of all
2364           ports scanned is only printed in verbose mode because it can be
2365           quite long.
2366
2367       -d (Increase debugging level) .
2368           When even verbose mode doesn't provide sufficient data for you,
2369           debugging is available to flood you with much more! As with the
2370           verbosity option (-v), debugging is enabled with a command-line
2371           flag (-d) and the debug level can be increased by specifying it
2372           multiple times,.  as in -dd, or by setting a level directly. For
2373           example, -d9 sets level nine. That is the highest effective level
2374           and will produce thousands of lines unless you run a very simple
2375           scan with very few ports and targets.
2376
2377           Debugging output is useful when a bug is suspected in Nmap, or if
2378           you are simply confused as to what Nmap is doing and why. As this
2379           feature is mostly intended for developers, debug lines aren't
2380           always self-explanatory. You may get something like: Timeout vals:
2381           srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==> srtt: 14987 rttvar:
2382           14987 to: 100000. If you don't understand a line, your only
2383           recourses are to ignore it, look it up in the source code, or
2384           request help from the development list (nmap-dev)..  Some lines are
2385           self explanatory, but the messages become more obscure as the debug
2386           level is increased.
2387
2388       --reason (Host and port state reasons) .
2389           Shows the reason each port is set to a specific state and the
2390           reason each host is up or down. This option displays the type of
2391           the packet that determined a port or hosts state. For example, A
2392           RST packet from a closed port or an echo reply from an alive host.
2393           The information Nmap can provide is determined by the type of scan
2394           or ping. The SYN scan and SYN ping (-sS and -PS) are very detailed,
2395           but the TCP connect scan (-sT) is limited by the implementation of
2396           the connect system call. This feature is automatically enabled by
2397           the debug option (-d).  and the results are stored in XML log files
2398           even if this option is not specified.
2399
2400       --stats-every time (Print periodic timing stats) .
2401           Periodically prints a timing status message after each interval of
2402           time. The time is a specification of the kind described in the
2403           section called “TIMING AND PERFORMANCE”; so for example, use
2404           --stats-every 10s to get a status update every 10 seconds. Updates
2405           are printed to interactive output (the screen) and XML output.
2406
2407       --packet-trace (Trace packets and data sent and received) .
2408           Causes Nmap to print a summary of every packet sent or received.
2409           This is often used for debugging, but is also a valuable way for
2410           new users to understand exactly what Nmap is doing under the
2411           covers. To avoid printing thousands of lines, you may want to
2412           specify a limited number of ports to scan, such as -p20-30. If you
2413           only care about the goings on of the version detection subsystem,
2414           use --version-trace instead. If you only care about script tracing,
2415           specify --script-trace. With --packet-trace, you get all of the
2416           above.
2417
2418       --open (Show only open (or possibly open) ports) .
2419           Sometimes you only care about ports you can actually connect to
2420           (open ones), and don't want results cluttered with closed,
2421           filtered, and closed|filtered ports. Output customization is
2422           normally done after the scan using tools such as grep, awk, and
2423           Perl, but this feature was added due to overwhelming requests.
2424           Specify --open to only see hosts with at least one open,
2425           open|filtered, or unfiltered port, and only see ports in those
2426           states. These three states are treated just as they normally are,
2427           which means that open|filtered and unfiltered may be condensed into
2428           counts if there are an overwhelming number of them.
2429
2430       --iflist (List interfaces and routes) .
2431           Prints the interface list and system routes as detected by Nmap.
2432           This is useful for debugging routing problems or device
2433           mischaracterization (such as Nmap treating a PPP connection as
2434           ethernet).
2435
2436       Miscellaneous output options
2437
2438       --append-output (Append to rather than clobber output files) .
2439           When you specify a filename to an output format flag such as -oX or
2440           -oN, that file is overwritten by default. If you prefer to keep the
2441           existing content of the file and append the new results, specify
2442           the --append-output option. All output filenames specified in that
2443           Nmap execution will then be appended to rather than clobbered. This
2444           doesn't work well for XML (-oX) scan data as the resultant file
2445           generally won't parse properly until you fix it up by hand.
2446
2447       --resume filename (Resume aborted scan) .
2448           Some extensive Nmap runs take a very long time—on the order of
2449           days. Such scans don't always run to completion. Restrictions may
2450           prevent Nmap from being run during working hours, the network could
2451           go down, the machine Nmap is running on might suffer a planned or
2452           unplanned reboot, or Nmap itself could crash. The administrator
2453           running Nmap could cancel it for any other reason as well, by
2454           pressing ctrl-C. Restarting the whole scan from the beginning may
2455           be undesirable. Fortunately, if normal (-oN) or grepable (-oG) logs
2456           were kept, the user can ask Nmap to resume scanning with the target
2457           it was working on when execution ceased. Simply specify the
2458           --resume option and pass the normal/grepable output file as its
2459           argument. No other arguments are permitted, as Nmap parses the
2460           output file to use the same ones specified previously. Simply call
2461           Nmap as nmap --resume logfilename. Nmap will append new results to
2462           the data files specified in the previous execution. Resumption does
2463           not support the XML output format because combining the two runs
2464           into one valid XML file would be difficult.
2465
2466       --stylesheet path or URL (Set XSL stylesheet to transform XML output) .
2467           Nmap ships with an XSL.  stylesheet.  named nmap.xsl.  for viewing
2468           or translating XML output to HTML..  The XML output includes an
2469           xml-stylesheet directive which points to nmap.xml where it was
2470           initially installed by Nmap. Run the XML file through an XSLT
2471           processor such as xsltproc[17].  to produce an HTML file. Directly
2472           opening the XML file in a browser no longer works well because
2473           modern browsers limit the locations a stylesheet may be loaded
2474           from. If you wish to use a different stylesheet, specify it as the
2475           argument to --stylesheet. You must pass the full pathname or URL.
2476           One common invocation is --stylesheet
2477           http://nmap.org/svn/docs/nmap.xsl. This tells an XSLT processor to
2478           load the latest version of the stylesheet from Nmap.Org. The
2479           --webxml option does the same thing with less typing and
2480           memorization. Loading the XSL from Nmap.Org makes it easier to view
2481           results on a machine that doesn't have Nmap (and thus nmap.xsl)
2482           installed. So the URL is often more useful, but the local
2483           filesystem location of nmap.xsl is used by default for privacy
2484           reasons.
2485
2486       --webxml (Load stylesheet from Nmap.Org) .
2487           This is a convenience option, nothing more than an alias for
2488           --stylesheet http://nmap.org/svn/docs/nmap.xsl.
2489
2490       --no-stylesheet (Omit XSL stylesheet declaration from XML) .
2491           Specify this option to prevent Nmap from associating any XSL
2492           stylesheet with its XML output. The xml-stylesheet directive is
2493           omitted.
2494

MISCELLANEOUS OPTIONS

2496       This section describes some important (and not-so-important) options
2497       that don't really fit anywhere else.
2498
2499       -6 (Enable IPv6 scanning) .
2500           Nmap has IPv6 support for its most popular features. Ping scanning,
2501           port scanning, version detection, and the Nmap Scripting Engine all
2502           support IPv6. The command syntax is the same as usual except that
2503           you also add the -6 option. Of course, you must use IPv6 syntax if
2504           you specify an address rather than a hostname. An address might
2505           look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are
2506           recommended. The output looks the same as usual, with the IPv6
2507           address on the “interesting ports” line being the only IPv6
2508           giveaway.
2509
2510           While IPv6 hasn't exactly taken the world by storm, it gets
2511           significant use in some (usually Asian) countries and most modern
2512           operating systems support it. To use Nmap with IPv6, both the
2513           source and target of your scan must be configured for IPv6. If your
2514           ISP (like most of them) does not allocate IPv6 addresses to you,
2515           free tunnel brokers are widely available and work fine with Nmap. I
2516           use the free IPv6 tunnel broker.  service at
2517           http://www.tunnelbroker.net. Other tunnel brokers are listed at
2518           Wikipedia[18]. 6to4 tunnels are another popular, free approach.
2519
2520           On Windows, raw-socket IPv6 scans are supported only on ethernet
2521           devices (not tunnels), and only on Windows Vista.  and later. Use
2522           the --unprivileged.  option in other situations.
2523
2524       -A (Aggressive scan options) .
2525           This option enables additional advanced and aggressive options. I
2526           haven't decided exactly which it stands for yet. Presently this
2527           enables OS detection (-O), version scanning (-sV), script scanning
2528           (-sC) and traceroute (--traceroute)..  More features may be added
2529           in the future. The point is to enable a comprehensive set of scan
2530           options without people having to remember a large set of flags.
2531           However, because script scanning with the default set is considered
2532           intrusive, you should not use -A against target networks without
2533           permission. This option only enables features, and not timing
2534           options (such as -T4) or verbosity options (-v) that you might want
2535           as well.
2536
2537       --datadir directoryname (Specify custom Nmap data file location) .
2538           Nmap obtains some special data at runtime in files named
2539           nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc,
2540           nmap-mac-prefixes, and nmap-os-db. If the location of any of these
2541           files has been specified (using the --servicedb or --versiondb
2542           options), that location is used for that file. After that, Nmap
2543           searches these files in the directory specified with the --datadir
2544           option (if any). Any files not found there, are searched for in the
2545           directory specified by the NMAPDIR.  environment variable. Next
2546           comes ~/.nmap.  for real and effective UIDs; or on Windows,
2547           HOME\AppData\Roaming\nmap (where HOME is the user's home directory,
2548           like C:\Users\user). This is followed by the location of the nmap
2549           executable and the same location with ../share/nmap appended. Then
2550           a compiled-in location such as /usr/local/share/nmap or
2551           /usr/share/nmap.
2552
2553       --servicedb services file (Specify custom services file) .
2554           Asks Nmap to use the specified services file rather than the
2555           nmap-services data file that comes with Nmap. Using this option
2556           also causes a fast scan (-F) to be used. See the description for
2557           --datadir for more information on Nmap's data files.
2558
2559       --versiondb service probes file (Specify custom service probes file) .
2560           Asks Nmap to use the specified service probes file rather than the
2561           nmap-service-probes data file that comes with Nmap. See the
2562           description for --datadir for more information on Nmap's data
2563           files.
2564
2565       --send-eth (Use raw ethernet sending) .
2566           Asks Nmap to send packets at the raw ethernet (data link) layer
2567           rather than the higher IP (network) layer. By default, Nmap chooses
2568           the one which is generally best for the platform it is running on.
2569           Raw sockets (IP layer).  are generally most efficient for Unix
2570           machines, while ethernet frames are required for Windows operation
2571           since Microsoft disabled raw socket support. Nmap still uses raw IP
2572           packets on Unix despite this option when there is no other choice
2573           (such as non-ethernet connections).
2574
2575       --send-ip (Send at raw IP level) .
2576           Asks Nmap to send packets via raw IP sockets rather than sending
2577           lower level ethernet frames. It is the complement to the --send-eth
2578           option discussed previously.
2579
2580       --privileged (Assume that the user is fully privileged) .
2581           Tells Nmap to simply assume that it is privileged enough to perform
2582           raw socket sends, packet sniffing, and similar operations that
2583           usually require root privileges.  on Unix systems. By default Nmap
2584           quits if such operations are requested but geteuid is not zero.
2585           --privileged is useful with Linux kernel capabilities and similar
2586           systems that may be configured to allow unprivileged users to
2587           perform raw-packet scans. Be sure to provide this option flag
2588           before any flags for options that require privileges (SYN scan, OS
2589           detection, etc.). The NMAP_PRIVILEGED.  environment variable may be
2590           set as an equivalent alternative to --privileged.
2591
2592       --unprivileged (Assume that the user lacks raw socket privileges) .
2593           This option is the opposite of --privileged. It tells Nmap to treat
2594           the user as lacking network raw socket and sniffing privileges.
2595           This is useful for testing, debugging, or when the raw network
2596           functionality of your operating system is somehow broken. The
2597           NMAP_UNPRIVILEGED.  environment variable may be set as an
2598           equivalent alternative to --unprivileged.
2599
2600       --release-memory (Release memory before quitting) .
2601           This option is only useful for memory-leak debugging. It causes
2602           Nmap to release allocated memory just before it quits so that
2603           actual memory leaks are easier to spot. Normally Nmap skips this as
2604           the OS does this anyway upon process termination.
2605
2606       -V; --version (Print version number) .
2607           Prints the Nmap version number and exits.
2608
2609       -h; --help (Print help summary page) .
2610           Prints a short help screen with the most common command flags.
2611           Running Nmap without any arguments does the same thing.
2612

RUNTIME INTERACTION

2614       During the execution of Nmap, all key presses are captured. This allows
2615       you to interact with the program without aborting and restarting it.
2616       Certain special keys will change options, while any other keys will
2617       print out a status message telling you about the scan. The convention
2618       is that lowercase letters increase the amount of printing, and
2619       uppercase letters decrease the printing. You may also press ‘?’ for
2620       help.
2621
2622       v / V
2623           Increase / decrease the verbosity level
2624
2625       d / D
2626           Increase / decrease the debugging Level
2627
2628       p / P
2629           Turn on / off packet tracing
2630
2631       ?
2632           Print a runtime interaction help screen
2633
2634       Anything else
2635           Print out a status message like this:
2636
2637               Stats: 0:00:07 elapsed; 20 hosts completed (1 up), 1 undergoing Service Scan
2638               Service scan Timing: About 33.33% done; ETC: 20:57 (0:00:12 remaining)
2639

EXAMPLES

2641       Here are some Nmap usage examples, from the simple and routine to a
2642       little more complex and esoteric. Some actual IP addresses and domain
2643       names are used to make things more concrete. In their place you should
2644       substitute addresses/names from your own network. While I don't think
2645       port scanning other networks is or should be illegal, some network
2646       administrators don't appreciate unsolicited scanning of their networks
2647       and may complain. Getting permission first is the best approach.
2648
2649       For testing purposes, you have permission to scan the host
2650       scanme.nmap.org..  This permission only includes scanning via Nmap and
2651       not testing exploits or denial of service attacks. To conserve
2652       bandwidth, please do not initiate more than a dozen scans against that
2653       host per day. If this free scanning target service is abused, it will
2654       be taken down and Nmap will report Failed to resolve given hostname/IP:
2655       scanme.nmap.org. These permissions also apply to the hosts
2656       scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do
2657       not currently exist.
2658
2659       This option scans all reserved TCP ports on the machine scanme.nmap.org
2660       . The -v option enables verbose mode.
2661
2662       Launches a stealth SYN scan against each machine that is up out of the
2663       256 IPs on the class C sized network where Scanme resides. It also
2664       tries to determine what operating system is running on each host that
2665       is up and running. This requires root privileges because of the SYN
2666       scan and OS detection.
2667
2668       Launches host enumeration and a TCP scan at the first half of each of
2669       the 255 possible eight-bit subnets in the 198.116 class B address
2670       space. This tests whether the systems run SSH, DNS, POP3, or IMAP on
2671       their standard ports, or anything on port 4564. For any of these ports
2672       found open, version detection is used to determine what application is
2673       running.
2674
2675       Asks Nmap to choose 100,000 hosts at random and scan them for web
2676       servers (port 80). Host enumeration is disabled with -Pn since first
2677       sending a couple probes to determine whether a host is up is wasteful
2678       when you are only probing one port on each target host anyway.
2679
2680       This scans 4096 IPs for any web servers (without pinging them) and
2681       saves the output in grepable and XML formats.
2682

NMAP BOOK

2684       While this reference guide details all material Nmap options, it can't
2685       fully demonstrate how to apply those features to quickly solve
2686       real-world tasks. For that, we released Nmap Network Scanning: The
2687       Official Nmap Project Guide to Network Discovery and Security Scanning.
2688       Topics include subverting firewalls and intrusion detection systems,
2689       optimizing Nmap performance, and automating common networking tasks
2690       with the Nmap Scripting Engine. Hints and instructions are provided for
2691       common Nmap tasks such as taking network inventory, penetration
2692       testing, detecting rogue wireless access points, and quashing network
2693       worm outbreaks. Examples and diagrams show actual communication on the
2694       wire. More than half of the book is available free online. See
2695       http://nmap.org/book for more information.
2696

BUGS

2698       Like its author, Nmap isn't perfect. But you can help make it better by
2699       sending bug reports or even writing patches. If Nmap doesn't behave the
2700       way you expect, first upgrade to the latest version available from
2701       http://nmap.org. If the problem persists, do some research to determine
2702       whether it has already been discovered and addressed. Try searching for
2703       the error message on our search page at http://insecure.org/search.html
2704       or at Google. Also try browsing the nmap-dev archives at
2705       http://seclists.org/..  Read this full manual page as well. If nothing
2706       comes of this, mail a bug report to <dev@nmap.org>. Please include
2707       everything you have learned about the problem, as well as what version
2708       of Nmap you are running and what operating system version it is running
2709       on. Problem reports and Nmap usage questions sent to <dev@nmap.org> are
2710       far more likely to be answered than those sent to Fyodor directly. If
2711       you subscribe to the nmap-dev list before posting, your message will
2712       bypass moderation and get through more quickly. Subscribe at
2713       http://nmap.org/mailman/listinfo/dev.
2714
2715       Code patches to fix bugs are even better than bug reports. Basic
2716       instructions for creating patch files with your changes are available
2717       at https://svn.nmap.org/nmap/HACKING. Patches may be sent to nmap-dev
2718       (recommended) or to Fyodor directly.
2719

AUTHOR

2721       Gordon “Fyodor” Lyon <fyodor@nmap.org> (http://insecure.org)
2722
2723       Hundreds of people have made valuable contributions to Nmap over the
2724       years. These are detailed in the CHANGELOG.  file which is distributed
2725       with Nmap and also available from http://nmap.org/changelog.html.
2726
2728   Nmap Copyright and Licensing
2729       The Nmap Security Scanner is (C) 1996–2012 Insecure.Com LLC. Nmap is
2730       also a registered trademark of Insecure.Com LLC. This program is free
2731       software; you may redistribute and/or modify it under the terms of the
2732       GNU General Public License as published by the Free Software
2733       Foundation; Version 2 with the clarifications and exceptions described
2734       below. This guarantees your right to use, modify, and redistribute this
2735       software under certain conditions. If you wish to embed Nmap technology
2736       into proprietary software, we sell alternative licenses (contact
2737       <sales@insecure.com>). Dozens of software vendors already license Nmap
2738       technology such as host discovery, port scanning, OS detection, and
2739       version detection.
2740
2741       Note that the GPL places important restrictions on “derived works”, yet
2742       it does not provide a detailed definition of that term. To avoid
2743       misunderstandings, we consider an application to constitute a
2744       “derivative work” for the purpose of this license if it does any of the
2745       following:
2746
2747       ·   Integrates source code from Nmap
2748
2749       ·   Reads or includes Nmap copyrighted data files, such as nmap-os-db
2750           or nmap-service-probes.
2751
2752       ·   Executes Nmap and parses the results (as opposed to typical shell
2753           or execution-menu apps, which simply display raw Nmap output and so
2754           are not derivative works.)
2755
2756       ·   Integrates/includes/aggregates Nmap into a proprietary executable
2757           installer, such as those produced by InstallShield.
2758
2759       ·   Links to a library or executes a program that does any of the
2760           above.
2761
2762       The term “Nmap” should be taken to also include any portions or derived
2763       works of Nmap. This list is not exclusive, but is meant to clarify our
2764       interpretation of derived works with some common examples. Our
2765       interpretation applies only to Nmap—we don't speak for other people's
2766       GPL works.
2767
2768       If you have any questions about the GPL licensing restrictions on using
2769       Nmap in non-GPL works, we would be happy to help. As mentioned above,
2770       we also offer alternative license to integrate Nmap into proprietary
2771       applications and appliances. These contracts have been sold to many
2772       security vendors, and generally include a perpetual license as well as
2773       providing for priority support and updates as well as helping to fund
2774       the continued development of Nmap technology. Please email
2775       <sales@insecure.com> for further information.
2776
2777       As a special exception to the GPL terms, Insecure.Com LLC grants
2778       permission to link the code of this program with any version of the
2779       OpenSSL library which is distributed under a license identical to that
2780       listed in the included COPYING.OpenSSL file, and distribute linked
2781       combinations including the two..  You must obey the GNU GPL in all
2782       respects for all of the code used other than OpenSSL. If you modify
2783       this file, you may extend this exception to your version of the file,
2784       but you are not obligated to do so.
2785
2786       If you received these files with a written license agreement or
2787       contract stating terms other than the terms above, then that
2788       alternative license agreement takes precedence over these comments.
2789
2790   Creative Commons License for this Nmap Guide
2791       This Nmap Reference Guide is (C) 2005–2012 Insecure.Com LLC. It is
2792       hereby placed under version 3.0 of the Creative Commons Attribution
2793       License[19]. This allows you redistribute and modify the work as you
2794       desire, as long as you credit the original source. Alternatively, you
2795       may choose to treat this document as falling under the same license as
2796       Nmap itself (discussed previously).
2797
2798   Source Code Availability and Community Contributions
2799       Source is provided to this software because we believe users have a
2800       right to know exactly what a program is going to do before they run it.
2801       This also allows you to audit the software for security holes (none
2802       have been found so far).
2803
2804       Source code also allows you to port Nmap to new platforms, fix bugs,
2805       and add new features. You are highly encouraged to send your changes to
2806       <dev@nmap.org> for possible incorporation into the main distribution.
2807       By sending these changes to Fyodor or one of the Insecure.Org
2808       development mailing lists, it is assumed that you are offering the Nmap
2809       Project (Insecure.Com LLC) the unlimited, non-exclusive right to reuse,
2810       modify, and relicense the code. Nmap will always be available open
2811       source,.  but this is important because the inability to relicense code
2812       has caused devastating problems for other Free Software projects (such
2813       as KDE and NASM). We also occasionally relicense the code to third
2814       parties as discussed above. If you wish to specify special license
2815       conditions of your contributions, just say so when you send them.
2816
2817   No Warranty.
2818       This program is distributed in the hope that it will be useful, but
2819       WITHOUT ANY WARRANTY; without even the implied warranty of
2820       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2821       General Public License v2.0 for more details at
2822       http://www.gnu.org/licenses/gpl-2.0.html, or in the COPYING file
2823       included with Nmap.
2824
2825       It should also be noted that Nmap has occasionally been known to crash
2826       poorly written applications, TCP/IP stacks, and even operating
2827       systems..  While this is extremely rare, it is important to keep in
2828       mind.  Nmap should never be run against mission critical systems unless
2829       you are prepared to suffer downtime. We acknowledge here that Nmap may
2830       crash your systems or networks and we disclaim all liability for any
2831       damage or problems Nmap could cause.
2832
2833   Inappropriate Usage
2834       Because of the slight risk of crashes and because a few black hats like
2835       to use Nmap for reconnaissance prior to attacking systems, there are
2836       administrators who become upset and may complain when their system is
2837       scanned. Thus, it is often advisable to request permission before doing
2838       even a light scan of a network.
2839
2840       Nmap should never be installed with special privileges (e.g. suid
2841       root)..  That would open up a major security vulnerability as other
2842       users on the system (or attackers) could use it for privilege
2843       escalation.
2844
2845   Third-Party Software and Funding Notices
2846       This product includes software developed by the Apache Software
2847       Foundation[20]. A modified version of the Libpcap portable packet
2848       capture library[21].  is distributed along with Nmap. The Windows
2849       version of Nmap utilized the Libpcap-derived WinPcap library[22].
2850       instead. Regular expression support is provided by the PCRE
2851       library[23],.  which is open-source software, written by Philip Hazel..
2852       Certain raw networking functions use the Libdnet[24].  networking
2853       library, which was written by Dug Song..  A modified version is
2854       distributed with Nma.p Nmap can optionally link with the OpenSSL
2855       cryptography toolkit[25].  for SSL version detection support. The Nmap
2856       Scripting Engine uses an embedded version of the Lua programming
2857       language[26]..  The Liblinear linear classification library[27] is used
2858       for our IPv6 OS detection machine learning techniques[28].  All of the
2859       third-party software described in this paragraph is freely
2860       redistributable under BSD-style software licenses.
2861
2862       Binary packages for Windows and Mac OS X include support libraries
2863       necessary to run Zenmap and Ndiff with Python and PyGTK. (Unix
2864       platforms commonly make these libraries easy to install, so they are
2865       not part of the packages.) A listing of these support libraries and
2866       their licenses is included in the LICENSES files.
2867
2868       This software was supported in part through the Google Summer of
2869       Code[29] and the DARPA CINDER program[30] (DARPA-BAA-10-84).
2870
2871   United States Export Control.
2872       Nmap only uses encryption when compiled with the optional OpenSSL
2873       support and linked with OpenSSL. When compiled without OpenSSL support,
2874       Insecure.Com LLC believes that Nmap is not subject to U.S.  Export
2875       Administration Regulations (EAR)[31] export control. As such, there is
2876       no applicable ECCN (export control classification number) and
2877       exportation does not require any special license, permit, or other
2878       governmental authorization.
2879
2880       When compiled with OpenSSL support or distributed as source code,
2881       Insecure.Com LLC believes that Nmap falls under U.S. ECCN 5D002[32]
2882       (“Information Security Software”). We distribute Nmap under the TSU
2883       exception for publicly available encryption software defined in EAR
2884       740.13(e)[33].
2885

NOTES

2887        1. Nmap Network Scanning: The Official Nmap Project Guide to Network
2888           Discovery and Security Scanning
2889           http://nmap.org/book/
2890
2891        2. RFC 1122
2892           http://www.rfc-editor.org/rfc/rfc1122.txt
2893
2894        3. RFC 792
2895           http://www.rfc-editor.org/rfc/rfc792.txt
2896
2897        4. RFC 950
2898           http://www.rfc-editor.org/rfc/rfc950.txt
2899
2900        5. RFC 1918
2901           http://www.rfc-editor.org/rfc/rfc1918.txt
2902
2903        6. UDP
2904           http://www.rfc-editor.org/rfc/rfc768.txt
2905
2906        7. SCTP
2907           http://www.rfc-editor.org/rfc/rfc4960.txt
2908
2909        8. TCP RFC
2910           http://www.rfc-editor.org/rfc/rfc793.txt
2911
2912        9. RFC 959
2913           http://www.rfc-editor.org/rfc/rfc959.txt
2914
2915       10. RFC 1323
2916           http://www.rfc-editor.org/rfc/rfc1323.txt
2917
2918       11. Lua programming language
2919           http://lua.org
2920
2921       12. precedence
2922           http://www.lua.org/manual/5.1/manual.html#2.5.3
2923
2924       13. IP protocol
2925           http://www.rfc-editor.org/rfc/rfc791.txt
2926
2927       14. RFC 2960
2928           http://www.rfc-editor.org/rfc/rfc2960.txt
2929
2930       15. Nmap::Scanner
2931           http://sourceforge.net/projects/nmap-scanner/
2932
2933       16. Nmap::Parser
2934           http://nmapparser.wordpress.com/
2935
2936       17. xsltproc
2937           http://xmlsoft.org/XSLT/
2938
2939       18. listed at Wikipedia
2940           http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
2941
2942       19. Creative Commons Attribution License
2943           http://creativecommons.org/licenses/by/3.0/
2944
2945       20. Apache Software Foundation
2946           http://www.apache.org
2947
2948       21. Libpcap portable packet capture library
2949           http://www.tcpdump.org
2950
2951       22. WinPcap library
2952           http://www.winpcap.org
2953
2954       23. PCRE library
2955           http://www.pcre.org
2956
2957       24. Libdnet
2958           http://libdnet.sourceforge.net
2959
2960       25. OpenSSL cryptography toolkit
2961           http://www.openssl.org
2962
2963       26. Lua programming language
2964           http://www.lua.org
2965
2966       27. Liblinear linear classification library
2967           http://www.csie.ntu.edu.tw/~cjlin/liblinear/
2968
2969       28. IPv6 OS detection machine learning techniques
2970           http://nmap.org/book/osdetect-guess.html#osdetect-guess-ipv6
2971
2972       29. Google Summer of Code
2973           http://nmap.org/soc/
2974
2975       30. DARPA CINDER program
2976           https://www.fbo.gov/index?s=opportunity&mode=form&id=585e02a51f77af5cb3c9e06b9cc82c48&tab=core&_cview=1
2977
2978       31. Export Administration Regulations (EAR)
2979           http://www.access.gpo.gov/bis/ear/ear_data.html
2980
2981       32. 5D002
2982           http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf
2983
2984       33. EAR 740.13(e)
2985           http://www.access.gpo.gov/bis/ear/pdf/740.pdf
2986
2987
2988
2989Nmap                              07/28/2013                           NMAP(1)
Impressum