nmap

Network Scanning

Network exploration tool and security / port scanner

Much of the original documentation includes philosophy and reasoning for using particular options. Read that at nmap.org
This version is terse with minial description.(DGG)

nmap [Scan Type] [options] target specification

"Network Mapper" is an tool for network exploration and security auditing.
Commonly used for security audits, useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Uses special packets to determine host availablity, services (applications) offered, OS running, type of filters/firewalls , etc.

Example:
-A: enables OS and version detection, script scanning
-t: traceroute

Aborted scans ( ^C) can be resumed with proper output option.

A representative scan

agressive detection (with traceroute) and timing,
TCP SYN, only checking most popular ports, starting with level 2 verbosity,
outputting to a normal file called scan… hosts within a small subnet: 

sudo nmap -A -T aggressive  -sS --top-ports 10  -v -oN scan-%D-%T  192.168.1.1/28  # .0-.7 

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 07:39
    Scanning 8 hosts [2 ports/host]
    Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
    Initiating Parallel DNS resolution of 8 hosts. at 07:39
    Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
    Nmap scan report for 192.168.1.0 [host down]
    Nmap scan report for 192.168.1.5 [host down]
    Nmap scan report for 192.168.1.7 [host down]
    Initiating Connect Scan at 07:39
    Scanning 5 hosts [1000 ports/host]
    Discovered open port 80/tcp on 192.168.1.4
    Discovered open port 3306/tcp on 192.168.1.4
    Discovered open port 21/tcp on 192.168.1.4
    Discovered open port 80/tcp on 192.168.1.1
    …
    
full file


 sudo nmap -A -T normal scanme.nmap.org playground #scan 2 specific hosts

Starting Nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (64.13.134.52):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
1002/tcp open  windows-icfw?
1025/tcp open  msrpc         Microsoft Windows RPC
1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open  vnc           VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds 





nmap -sP   `hostname`/24 |sed "/Nmap sc/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"

Target Specification

next: Host Discovery
Everything on the command-line that isn't an option or option argument is treated as a target specification (nmap.org).
The simplest case is to specify a single target .

Multiple formats are permitted: nmap scanMe.nmap.org   192.168.3.0/24   10.0.0,1,17-63.0-255

-iL tfile Include List, Reads targets from tfile.
    Example uses:
  • A DHCP server exports various 837 current leases.
  • Scan addresses not leased locates hosts using unauthorized addresses.

-iL=- reads hosts from STDIN, like piped from some filters (ex: grep, grep -v).
Entries separated by spaces, tabs, or newlines.
-iR num_hosts include num_hosts Random targets.
Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are not generated.
Specify 0 for a continuing scan.

--exclude host1[,host2[,…]],           net1[,net2[,…]] Comma-separated list of targets, hostnames, CIDR netblocks, octet ranges, etc.
When network includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by others.
--excludefile file targets are newline, space, or tab delimited

Host Discovery

 next:Ports
Develop a list of interesting hosts. nmap.org

Security auditors should care about every single device with an nerwork.
An external penetration tester may use a diverse set of probes in an attempt to locate possible exploits.

ARP discovery (-PR) is done on a local ethernet network.
For non-local targets, TCP ACK packet for port 80 and an ICMP echo request query is sent
(unprivileged users use a SYN packet using the connect system call ) Defaults are equivalent to -PA -PE.

Host discovery is followed by a port scan.

Port states

open An application is actively accepting TCP connections, UDP datagrams or SCTP associations.
closed accessible (it receives and responds to probe packets), but there is no application listening on it, now.
filtered packet filtering prevents probes from reaching the port by a dedicated firewall , router rules, or host-based firewall.
It may be only the host sending the packets is having a problem. Try from another host.
unfiltered
ACK scan 		port is accessible, cannot determine if it is open. Scanning with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve if the port is open.
open|filtered
UDP, IP protocol,
FIN, NULL, and Xmas 		unable to determine whether a port is open or filtered. Occurs for scan types in which open ports give no response.
The lack of response could mean that a packet filter dropped the probe or any response it elicited.
closed|filtered
IP ID idle scan 		unable to determine whether a port is closed or filtered.

State combinations open.filtered and closed.filtered: it cannot be determined which describe a port best.
For IP protocol scan (-sO), information on supported protocols is provided.

Discussin on probe effectivness
-sL ScanList

Lists hosts of the network(s), without sending any packets to the target hosts!
FAST! Does reverse-DNS resolution to look up names.
Good sanity check to validate addresses specification for targets.

Example: List all hosts within the subnet as this host (and use sed to supress titles & addresses without hostnames): style=background-color:cornsilk 

 > nmap -sL   `hostname`/24 |sed "s/^Nmap scan report for//; /^ [[:digit:]]\{1,3\}./d"

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-13 18:26 EDT
 rtr.germans (192.168.1.1)
 pi-0-roof.germans (192.168.1.3)
 o4-etc-hosts (192.168.1.4)
 smacpro (192.168.1.5)
rDNS record for 192.168.1.5: smacpro.germans  (running host)
 Denniss-iPhone.germans (192.168.1.6)
 tammy-PC.germans (192.168.1.7)
 sligiga.germans (192.168.1.8)
 MarilynSsiPhone.germans (192.168.1.10)
 dlinkap.germans (192.168.1.11)
 raspberrypi.germans (192.168.1.14)
 IP-STB1.germans (192.168.1.100)
Nmap done: 256 IP addresses (0 hosts up) scanned in 13.53 seconds


 >nmap -sL cccu.us

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 07:33 EDT
 cccu.us (50.63.202.17)
rDNS record for 50.63.202.17: ip-50-63-202-17.ip.secureserver.net
Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds


> nmap -sL 172.17.54.110/27 |sed "s/Nmap scan report for// ; /^ [[:digit:]]/d "| column 

Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-22 08:52 EDT      (not best example      (_)  )
Nmap done: 32 IP addresses (0 hosts up) scanned in 0.24 seconds
-sP
-sn 		Scan Ping
Scan no Port, ping scan aka ping sweep (supresses port scan).

  • Privileged user: sends an icmp ECHO request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
    On a local ethernet network, ARP requests are used unless --send-ip was specified.
  • Unprivileged user: a SYN packet is sent to port 80 and 443.
With other discovery probe types (-P*, except -PN (pingNot) ), default probes are overridden.

Recommended when strict firewalls are in use, otherwise hosts will be missed if the firewall drops probes or responses.
Slightly intrusive, Counts available machines and checks server availability.
More reliable than pinging the broadcast address because many hosts do not reply to that.

Traceroute and NSE host scripts may be also requested, but no further testing (such as port scanning or OS detection) is performed. 

sudo nmap -sP   `hostname`/24 |\
sed "/Nmap/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"

Starting Nmap 7.00 ( http://nmap.org ) at 2012-09-23 20:49 EDT

192.168.1.1                   .0059s
kitchen.germans (192.168.1.2) .0073s 
192.168.1.3                   .0080s
smackerPro (192.168.1.6)      .00022s
rDNS record for 192.168.1.6: smackerPro.germans

192.168.1.7                   .016s 
IP-STB1.germans (192.168.1.101) .015s 
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.37 seconds



sudo nmap -sP   `hostname`/24 |sed "s/Nmap scan report for/\n/"

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 19:17 EDT

 192.168.1.1
Host is up (0.0038s latency).
MAC Address: 00:18:01:8F:23:ED (Actiontec Electronics)

 kitchen.germans (192.168.1.2)
Host is up (0.013s latency).
MAC Address: 00:1B:21:A4:32:BD (Intel Corporate)

 192.168.1.3
Host is up (0.013s latency).
MAC Address: 00:50:FC:9C:E0:18 (Edimax Technology CO.)

 smackerPro (192.168.1.4)
Host is up.

 192.168.1.5
Host is up (0.0036s latency).
MAC Address: 18:20:32:9F:54:75 (Apple)

 IP-STB1.germans (192.168.1.101)
Host is up (0.0047s latency).
MAC Address: 00:1F:C4:EF:5D:F1 (Motorola Mobility)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.71 seconds
-Pn Ping Not: skip discovery ping.
Warning: Causes scanning functions to be performed against every target specified. Normally, heavier probing such as port scans are only performed against hosts that were found to be up.

For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because MAC addresses are needed to further scan targets .

-PR ARP Ping Any response means the host is up. Fastest.
Used when scanning ethernet hosts on a local ethernet network, even if different ping types are specified.
To avoid an ARP scan, specify --send-ip.
-PS ports TCP SYN Ping Sends an empty packet with the SYN flag set as if attempting to establish a connection.
Default port 80

Syntax is as for the -p except that port type specifiers like T: are not allowed.
Examples: -PS22 and -PS22-25,80,113,1050,35000 (No space between -PS and the ports )
Multiple probes are sent in parallel.

additional information at nmap.org
Use with TCP ACK ping probe to maximize the chances of bypassing firewalls.

-PA ports TCP ACK Ping Similar to SYN ping, ACK flag is set instead.
This acknowledges data over an established TCP connection, since no such connection exists, remote hosts should always respond with a RST packet, disclosing their existence.
Default 80. nmap.org
Use with TCP SYN Ping probe to maximize the chances of bypassing firewalls.
-PU ports UDP Ping Sends an empty (unless --data-length is specified) UDP packet. Default:31338, nmap.org
-PY ports SCTP INIT Ping SCTP ( Stream Control Transmission Protocol) packet containing a minimal INIT chunk. Default: 80
-PE ICMP echo request type 8 (frequently blocked)
-PP ICMP timestamp request code 13,
-PM ICMP address mask request code 17
-PO protos IP Protocol Ping Send packets with the specified protocol number .
The protos is in the format as port lists
Default: send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).
For the ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), packets are sent with the proper protocol headers while other protocols are sent with no additional data (unless --data-length is specified).

Looks for either responses using the same protocol as a probe, or ICMP protocol unreachable message's signifing the protocol isn't supported on the destination host. Either response signifies the target is alive.

Additional options useful with scan options.
--traceroute Trace path to host performed post-scan. Works with all scan types except -sT and -sI.
--reason Host and port state reasons
Displays the type of the packet that determined a port or hosts state.
For example, A RST packet from a closed port or an echo reply from an alive host. The information provided is determined by the type of scan or ping. The SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited.
Enabled by the debug option (-d) and results are always stored in XML log.
-n No DNS resolution improve performance
-R Reverse DNS resolution for ALL targets Normally only against responsive hosts.
--system-dns Use system DNS resolver
Default: queries name servers configured on your host.
--dns-servers server1[,server2[,…]] Servers for reverse DNS
Default : determine DNS servers from the your host. Ignored with --system-dns or an IPv6 scan.
Multiple servers is faster, improves stealth.

Scan for port 53( DNS) then try list scans (-sL) specifying each name server one at a time with --dns-servers to find one which works correctly.

back to host discoverey, output control

Port Scanning

next:Service and Version

nmap target scans more than 1,660 TCP ports on target.

Port states are not intrinsic properties of the port itself, but describe how Nmap sees them.
For example, a scan from within the same network as the target may show port 135/tcp as open,
a scan with the same options from across the Internet might show that port as filtered.

The port states defined by Nmap:

  1. open An application is actively accepting TCP connections or UDP packets. Close or protect with firewall without thwarting legitimate users. also interesting for non-security scans because they show services available for use on the network.

  2. closed Accessible (receives and responds to packets), but no application is listening .
    May become open if a daemon starts and begins fielding queries.
    Control with a firewall causing it to appear filtered

  3. filtered Cannot determine if the port is open because packet filtering prevents probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. Sometimes respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
    Several probes are sent in case the probe was dropped due to network congestion rather than filtering. slowing down the scan dramatically.
  4. unfiltered port is accessible, but Nmap is unable to determine whether it is open or closed.
    Only the ACK scan, used to map firewall rulesets, classifies ports into this state.
    Scanning unfiltered ports with other scan types such as Window , SYN , or FIN scans, may resolve the port as open.
  5. open.filtered unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response which could also mean that a packet filter dropped the probe or any response it elicited. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
  6. closed|filtered Nmap is unable to determine whether a port is closed or filtered. It is only by the IP ID idle scan.

Port Scanning Techniques


Most are only available to privileged users. Nmap sometimes works for unprivileged users when WinPcap has been loaded.
Unprivileged users can execute connect and FTP bounce .

Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types.
Form -sC.
Default: SYN, (or connect if the user does not have proper privileges to send raw packets or if IPv6 targets were specified.

-sS TCP SYN fast
Default.
Quickly, scanning thousands of ports per second, not hampered by restrictive firewalls.
Relatively unobtrusive and stealthy
Does not depend on idiosyncrasies of implementation.
Allows clear, reliable differentiation between the open, closed, and filtered

Sends SYN packet, as if going to open a connection.
A response of SYN/ACK indicates the port is listening (open), RST (reset) is indicative of a non-listener.
If no response is received after several retransmissions or if an ICMP unreachable error is received marked filtered .

-sT TCP connect not fast
Default when SYN is not specified, when no raw packet privileges or scanning IPv6 networks.
Does not write raw packets, rather asks the operating system to establish a connection with the target by issuing the connect system call. The same high-level system call that web browsers and other applications use to establish a connection.

Less efficient than SYN which is usually a better choice. Target machines are more likely to log the connection. Unix systems will add a note to syslog, for connects without sending data.

-sU UDP slow
Sends a UDP header only.
A service responng with a UDP packet: open.
If ICMP port unreachable is returned, it is closed or filtered.
If no response is received the port is classified as open.filtered.

Open and filtered ports rarely send any response, leaving time out and then conduct retransmissions just in case the probe or response were lost.
Closed ports may send back an ICMP port unreachable error. But hosts rate limit ICMP port unreachable messages by default.

Detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop.
A limit of one packet per second makes a 65,536-port scan take more than 18 hours!.

To speed up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

Version detection (-sV) can differentiate the truly open ports from the filtered ones.
Combine with a scan type such as SYN (-sS) checks both during the same run.

-sN
-sF
-sX 		TCP NULL Does not set any bits (header flags are 0)
FIN Sets only the FIN .
Xmas Sets FIN, PSH, and URG , lighting the packet up like a Christmas tree.
(more are possible with --scanflags

Differentiate between open and closed ports.
See nmap.org.

-sA TCP ACK
May map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Never determines open or open.filtered ports.
See nmap.org.
-sW TCP Window
Like ACK. May differentiate open from closed.
Rather than always displaying unfiltered when RST is returned.
Examines the TCP Window field of the RST packets returned.
-sM TCP Maimon As NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
--scanflags n |
FFFUUUAAA		 Argument can be a numerical flag value such as 9 (PSH and FIN), or
symbolic name URG, ACK, PSH, RST, SYN, and FIN combinations .
Example: --scanflags URGACKPSHRSTSYNFIN

Specify a TCP scan type (such as -sA or -sF) default: SYN.

-sI zombie host[:probeport] idle
Advanced scan method , no packets are sent to the target from your IP ).
Too complex to fully describe here, see nmap.org/book/idlescan.html
-sO IP protocol Determines protocols (TCP, ICMP, IGMP, etc.) supported
Uses -p to select scanned protocol.
 >sudo nmap -sO kitchen

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 12:44 EDT
 kitchen (192.168.1.6)
rDNS record for 192.168.1.6: kitchen
1        open  icmp
17       open  udp

Nmap done: 1 IP address (1 host up) scanned in 19.16 seconds
-b [u:p]@server[:p] FTP relay host (FTP bounce scan) FTP server to port scan other hosts. Have FTP server to send a file to each interesting port . The error message will describe whether the port is open or not.
May bypass firewalls because organizational FTP servers often have access to other internal hosts.
FTP bounce scan with -b argument of the form [username:password]@server[:port].
Server is the name or IP address of a vulnerable FTP server.
Omit username:password anonymous login credentials (user: anonymous password:-wwwuser@) are used.
Port defaults to 21.

Port Specification and Scan Order

Default: all ports up to and including 1024(priveledge ports) as well as higher numbered ports listed in nmap-services

--top-ports n Scans the n highest-ratio ports from nmap-services 
-sS -top-ports 20
1 21   ftp           2  22   ssh           3 23   telnet          4 25  smtp          
5 53   domain           80   http           110   pop3             111  rpcbind       
 135   msrpc           139   netbios-ssn    143   imap             443  https         
 445   microsoft-ds    993   imaps          995   pop3s           1723  pptp          
3306   mysql           3389   ms-wbt-srvr   5900   vnc             8080  http-proxy    

 --top-ports 5000 (on LAN 139.74 seconds)
Gibson Research Corp great port reference.
-F Fast (limited port)
Only scan ports in /usr/local/share/nmap/nmap-services (or the protocols file for -sO).
Contains so many ports (more than 27,000!)
Fastest is with --top-ports 4
--port-ratio r Scans all ports in nmap-services with a ratio greater r
Selected examples:
domain  53/udp  .213496    dhcps   67/udp  .228010    dhcpc   68/udp  .140118    
finger  79/tcp  .006022    ftp     21/tcp  .197667 (control)    
http    80/tcp  .484143    https   443/tcp .208669    
ntp     123/udp .330879    pop3    110/tcp .077142    
route   520/udp .139376    smtp    25/tcp  .131314    ssh     22/tcp  .182286     
syslog  514/udp .119804    telnet  23/tcp  .221265    tftp    69/udp  .102835    
zeroconf 5353/udp.100166    
ipp     631/udp .450281    # Internet Printing Protocol   
--port-ratio .001     217 ports,( on LAN 8.28 seconds)
-p port ranges Only scan specified ports
Individual ports , ranges (Default 1-65535). port zero is allowed if specifed explicitly.
For IP protocol scanning (-sO), specifies the protocol numbers (0-255).

When scanning both TCP and UDP ports, specify a particular protocol by preceding the port numbers by T: or U:. The qualifier lasts until another qualifier.
For example:
-p U:53,111,137,T:21-25,80,139,8080
To scan both UDP and TCP, specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added to all protocol lists.

Ports can also be specified by name according to what the port is referred to in the /usr/local/share/nmap/nmap-services including wildcards * and ? . For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
Ranges of ports can be enclosed in square brackets .
For example, scan all ports in /usr/local/share/nmap/nmap-services up to 1024:
"-p [-1024]".
Be careful about shell expansions and quote the argument if unsure.

-r Don't randomize, i.e. scan sequentially

Back to ports

Service and Version Detection

Next timing
After ports are discovered, nmap.org target=nmap>version detection interrogates them interrogates them

Some UDP ports are open.filtered . Version detection elicits a response from these and changes them to open if successful. TCP open.filtered ports are treated the same way.

-sV Version detection, (-A also enables version detection, among other things).
--allports Don't exclude any ports
--version-intensity 0..9 Higher values are more accurate but take longer.
Default: 7.
--version-light --version-intensity 2. faster, but it is slightly less likely to identify services.
--version-all --version-intensity 9
--version-trace Output debugging info about version scanning, a subset of --packet-trace. additional output: 
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 192.168.1.1
mass_rdns: 0.01s 0/15 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 11]
DNS resolution of 15 IPs took 0.04s. Mode: Async [#: 1, OK: 9, NX: 6, DR: 0, SF: 0, TR: 15, CN: 0]
No data files read.
-sR RPC scan When RPC services are discovered, addition interragation is automatically performed
in conjunction with the various port scans.
Takes all ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and what program and version number they serve up.
obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers).
Decoys do not currently work with RPC scan.
Enabled as part of version scan (-sV) . Version detection includes this and is more comprehensive, -sR
is rarely needed.

OS Detection

See nmap.org.

-O Enable OS detection
Use Agressive( -A) to include version (-sV) and script scanning (-sC) and traceroute (--traceroute) .
--osscan-limit Limit OS detection to promising targets, Faster Only with -O or -A.
--osscan-guess
--fuzzy 		Guess OS when unable to detect a perfect match.
Sometimes displays near-matches as possibilities, imperfect match notice is output with confidence level .
--max-os-tries nmaximum number of detection tries when failing to find a perfect match.
Default:5 if conditions are favorable , 2 when conditions aren't good.
A lower value (1) speeds up, higher value rarely used.

Timing and Performance

A default scan (nmap hostname) on the local network takes a 200 milliseconds.
UDP scanning and version detection can increase scan times substantially.
time is in milliseconds, append s, m, or h to the value to specify seconds, minutes, or hours.
--host-timeout arguments 900000, 900s, and 15m are equivalent.
--min-hostgroup numhosts
--max-hostgroup numhosts 		parallel scan group size.
--min-parallelism np
--max-parallelism np 		probe parallelization
--max-rtt-timeout time
--initial-rtt-timeout time
--min-rtt-timeout time 		probe timeouts
--max-retries numtries  
--host-timeout time Give up on slow target hosts
--scan-delay time
--max-scan-delay time		delay between probes
--min-rate nper second. Greater than 300 means try to keep the sending rate at or above 300 packets per second.
--max-rate nper second.
100 limits sending to 100 packets per second on a fast network.
0.1 for a slow scan of one packet every ten seconds.
--defeat-rst-ratelimit Using this option can reduce accuracy. With a SYN scan, the non-response results in the port being labeled filtered rather than the closed state we see when RST packets are received.


-T approach

Timing template
  • paranoid (0) serialize the scan, only one port at a time,
                   waits 5 minutes between probes avoiding IntrusionDetectionSystem.
  • sneaky (1) waits 15 seconds to avoid IDS, use less bandwidth and target machine resources.
  • polite (2) waits .4 seconds
  • normal (3) is the default sends scans in parallel.
  • aggressive (4) mode speeds scans up expecting a reasonably fast and reliable network.
  • insane (5) expects extraordinarily fast network or are willing to sacrifice some accuracy for speed.
    nmap.org

    • Firewall/IDS Evasion and Spoofing

    Network obstructions such as firewalls make mapping a network exceedingly difficult.
    IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks.
    Intrusion Prevention Systems (IPS) that block traffic deemed malicious.
    Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.

    Too funky to describe here.

    See nmap.org

    -e interface Use specified interface
    -f m
    --mtu m    		fragment packets using the specified MTU
    -D decoy1[,decoy2][,ME][,…] Cloak a scan with decoys. Makes it appear to the remote host that the decoys are scanning the target too.
    -S IP_Address Spoof source address
    --source-port p
    -g p     		Spoof source port number
    A common misconception is to trust traffic based only on the source port number.
    --data-length n Append random data to sent packets
    Normally minimalist packets containing only a header are sent.
    --ip-options
       S |
       T |
       U |
       R [hop hop …] |
       L [hop hop …]
        …

    --ip-options hex string

    		Send packets with specified IP options
    IP protocol options are rarely seen and can be useful in some cases.
    Use record route (R) to determine a path to a target when traceroute-style approaches fail.
    Record-timestamp (T) or both (U)if packets are being dropped by a certain firewall.
    Loose or strict source routing specified with an
    L or S followed by a space and then a space-separated list of IP addresses, specify a different route.

    --ip-options use \xdd hexadecimal format to specify option bits explicitly.
    Repeat characters by following them with an asterisk and a repeat count.
    Example: \x01\x07\x04\x00*36\x01 includes 36 NULLs.
    Display options in packets specify --packet-trace.
    see seclists.org/nmap-dev/2006/q3/0052.htm.l

    --ttl value
    --randomize-hosts May make the scans less obvious to network monitoring systems.
    Combine it with slow timing options . See nmap.org
    --spoof-mac MAC address, prefix, or vendor name Address of 0 uses random MAC. See nmap.org
    Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection
    Implies --send-eth
    --badsum Send packets with invalid checksums
    Responses come from a firewall or IDS that didn't validate the checksum. See nmap.org/p60-12

    NMAP Scripting engine (NSE)

    Automate a wide variety of networking tasks. The scripts are executed in parallel.

    Too funky to describe here.

    See nmap.org/book/nse-usage.html#nse-categories.
    Scripting details at nmap.org/book/nse.html

    -sC Performs a script scan using the default set of scripts, equivalent to --script=default.
    Scripts in this category are considered
    intrusive and should not be run against a target without permission.
    --script script-categories | directory | filename | all
    --script-args name1=value1,name2={name3=value3},name4=value4
    --script-trace all incoming and outgoing communication performed by a script is output.
    --script-updatedb updates the script database

    OUTPUT

    Output files may be used to resume aborted scans.

    1. interactive output, to standard output (stdout), default .
    2. Normal output, displays less runtime information and warnings

    interactive output is displayed in addition to file output.

    filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y, and %Y. %T is %H%M%S, %R is %H%M and %D is %m%d%y.
    Example: -oX 'scan-%D-%T.xml' will output to scan-144840-121307.xml.

    -oN fileNormal
    -oX file XML
    -oS file Script output, like interactive output, except it is post-processed
    -oG file grepable output Deprecated.

    Consists of comments and target lines wich include labeled fields, separated by tabs and followed with a colon:
    Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status

    Ports is a comma separated list of port entries. and of the form of seven slash (/) separated subfields.
    Port number, State, Protocol, Owner, Service, SunRPC info, and Version 

    # Nmap 7.00 scan initiated Tue Mar  1 12:14:37 2016 as: nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23
# Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.56.104.1 ()    Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/open/tcp//http//lighttpd/, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
        3389/closed/tcp//ms-wbt-server///    Seq Index: 195  IP I+D Seq: All zeros
Host: 10.56.104.24 ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
        3389/closed/tcp//ms-wbt-server///
Host: 10.56.104.25 ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
        3389/closed/tcp//ms-wbt-server///

    See nmap.org/book/output-formats-grepable-output.html.

    -oA basename all formats to: basename.nmap, basename.xml, and basename.gnmap.

    Verbosity and debugging options

    -v verbosity.
    Open ports shown as found and completion time estimates are provided.
    Use it twice or more for more. While running, v increases verbosity, V decreases. See nmap.org
    -d [level] debug output
    While running, d increases, D decreases. See nmap.org
    --packet-trace Trace packets and data
    output summary of every packet sent or received. Used for debugging. See nmap.org 
    
Packet Tracing enabled.
SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811  S ttl=49 id=11069 iplen=44  seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44  seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40  seq=0 win=0
SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139   S ttl=40 id=14479 iplen=44  seq=4237873418 win=1024 <mss 1460>
SENT (4.8244s) TCP 192.168.1.8:52616 > 192.168.1.3:443   S ttl=49 id=23356 iplen=44  seq=4254715915 win=1024 <mss 1460>
RCVD (4.8258s) TCP 192.168.1.5:139   > 192.168.1.8:52626 SA ttl=128 id=22102 iplen=44  seq=2168289427 win=8192 <mss 1460>
RCVD (4.8266s) TCP 192.168.1.6:139   > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44  seq=2599483217 win=8192 <mss 1460>
SENT (4.8462s) TCP 192.168.1.8:52616 > 192.168.1.3:8888  S ttl=47 id=39457 iplen=44  seq=4254715915 win=1024 <mss 1460>
    --open Show only open (or possibly open) ports. See nmap.org
    --iflist (List interfaces and routes)
    outputs interface list and system routes, useful for debugging. See nmap.org
    --log-errors Log errors/warnings to normal mode output file
    Usually go only to the screen (interactive output), leaving any normal-format output files (usually specified with -oN) uncluttered.
    messages will appear in interactive mode too.
    An alternative to --log-errors is redirecting interactive output (including the standard error stream) to a file. See nmap.org

    Miscellaneous output options

    --resume filename Resume aborted scan if normal (-oN) logs were kept, resume scanning.
    No other arguments are permitted
    --append-output
    --stylesheet path or URL XSL stylesheet to transform XML output. See nmap.org
    --webxml Load stylesheet from Nmap.Org
    --no-stylesheet Omit XSL stylesheet declaration from XML

    MISCELLANEOUS OPTIONS

    -6 Enable IPv6 scanning
    Ping scanning (TCP-only), connect scanning, and version detection .
    Use IPv6 syntax to specify an address like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0.
    Hostnames are recommended.
    Output includes the IPv6 address on the "interesting ports" line
    see nmap.org
    -A Aggressive scan
    enables OS detection (-O), version and (-sV) script scanning (-sC) and traceroute (--traceroute).
    Do not use against target networks as it is considered intrusive.
    Does not set agresive timing options (such as -T4) or verbosity (-v) .

    --datadir ddircustom data file location for: nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db.
    --servicedb or --versiondb may be used.
    Files not found in ddir, are searched for in $NMAPDIR, then ~/.nmap, location of the Nmap executable and then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap

    Causes a fast scan (-F) to be used.

    --versiondb service probes file (Specify custom service probes file)
    --send-eth send raw ethernet
    Send data at link layeri rather then network layer. default, chooses the layer best for the platform it is on. See nmap.org
    --send-ip Send at raw IP level
    rather than lower level ethernet frames. complement of --send-eth
    --privileged enough to perform raw socket sends, packet sniffing which require root privileges on *nix .
    Must preceed flags requiring privileges
    $NMAP_PRIVILEGED set as an equivalent
    --unprivileged user lacks raw socket privileges, opposite of --privileged.
    $NMAP_UNPRIVILEGED set as an alternative
    --release-memory before quitting only useful for memory-leak debugging.
    --interactive Start in interactive mode offers a prompt allowing launching multiple scans see nmap.org
    -V
    --version     		output version number and exit.
    Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-apple-darwin13.4.0
Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
    -h
    --help     		help summary page 
     Nmap 4.76 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iL <inputfilename>: Input from list of hosts/networks
             -iR <num hosts>: Choose random targets
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sP: Ping Scan - go no further than determining if host is online
             -PN: Treat all hosts as online -- skip host discovery
             -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO [protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
           SCAN TECHNIQUES:
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags <flags>: Customize TCP scan flags
             -sI <zombie host[:probeport]>: Idle scan
             -sO: IP protocol scan
             -b <FTP relay host>: FTP bounce scan
             --traceroute: Trace hop path to each host
             --reason: Display the reason a port is in a particular state
           PORT SPECIFICATION AND SCAN ORDER:
             -p <port ranges>: Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports <number>: Scan <number> most common ports
             --port-ratio <ratio>: Scan ports more common than <ratio>
           SERVICE/VERSION DETECTION:
             -sV: Probe open ports to determine service/version info
             --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=: <Lua scripts> is a comma separated list of
                      directories, script-files or script-categories
             --script-args=: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
           TIMING AND PERFORMANCE:
             Options which take <time> are in milliseconds, unless you append 's'
             (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
             -T[0-5]: Set timing template (higher is faster)
             --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
             --min-parallelism/max-parallelism <time>: Probe parallelization
             --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
                 probe round trip time.
             --max-retries <tries>: Caps number of port scan probe retransmissions.
             --host-timeout <time>: Give up on target after this long
             --scan-delay/--max-scan-delay <time>: Adjust delay between probes
             --min-rate <number>: Send packets no slower than <number> per second
             --max-rate <number>: Send packets no faster than <number> per second
           FIREWALL/IDS EVASION AND SPOOFING:
             -f; --mtu <val>: fragment packets (optionally w/given MTU)
             -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
             -S <IP_Address>: Spoof source address
             -e <iface>: Use specified interface
             -g/--source-port <portnum>: Use given port number
             --data-length <num>: Append random data to sent packets
             --ip-options <options>: Send packets with specified ip options
             --ttl <val>: Set IP time-to-live field
             --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
             --badsum: Send packets with a bogus TCP/UDP checksum
           OUTPUT:
             -oN/-oX/-oS <file>: Output scan in normal, XML, s|: Output in the three major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 9 is meaningful)
             --open: Only show open (or possibly open) ports
             --packet-trace: Show all packets sent and received
             --iflist: Print host interfaces and routes (for debugging)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
             --resume <filename>: Resume an aborted scan
             --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
             --webxml: Reference stylesheet from Nmap.Org for more portable XML
             --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
           MISC:
             -6: Enable IPv6 scanning
             -A: Enables OS detection and Version detection, Script scanning and Traceroute
             --datadir <dirname>: Specify custom Nmap data file location
             --send-eth/--send-ip: Send using raw ethernet frames or IP packets
             --privileged: Assume that the user is fully privileged
             --unprivileged: Assume the user lacks raw socket privileges
             -V: Print version number
             -h: Print this help summary page.
           EXAMPLES:
             nmap -v -A scanme.nmap.org
             nmap -v -sP 192.168.0.0/16 10.0.0.0/8
             nmap -v -iR 10000 -PN -p 80
           </pre>

    RUNTIME INTERACTION

    Keys pressed during execution change options, output status message .
    lowercase increase the amount of output , Uppercase Decrease
    v verbosity
    d debugging
    p packet tracing
    ? Output a runtime interaction help screen
    Anything else, outputs a status message like :
       Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan
      Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining)

    Examples

    Some actual addresses and names are used to make things more concrete.
    For testing purposes, you have permission to scan ScanMen.nmap.org, only via Nmap.
    Version 7.60 includes:brute force SSH password cracking, query servers about what auth methods and public keys they accept, and even log in using known or discovered credentials to execute arbitrary commands

    LEGAL NOTICES

    The Nmap Security Scanner is © Insecure.Com LLC. Nmap is also a registered trademark of Insecure.Com LLC.

    AUTHOR

    Gordon "Fyodor" Lyon Insecure.Org Author. Copyright (C) 2008 Nmap Project

    NOTES

    1. wikipedia article on nmap
    2. RFC 1122 Requirements for Internet Hosts -- Communication Layers
    3. RFC 792 IMCP -internet control message protocoL
    4. RFC 1918
    5. UDP
    6. TCP RFC
    7. RFC 959
    8. RFC 1323
    9. IP protocol
    10. Nmap::Scanner
    11. Nmap::Parser
    12. tunnel brokers
    13. Creative Commons Attribution License
    14. Apache Software Foundation
    15. Libpcap portable packet capture library
    16. WinPcap library
    17. PCRE library
    18. Libdnet
    19. OpenSSL cryptography toolkit
    20. Lua programming language
    Nmap can be obtained from nmap.org., man page http://nmap.org/book/man.html.