Much of the original documentation includes the philosophy and reasoning behind particular options. Read that at nmap.org.
This version is terse, with minimal description. (DGG)
nmap [Scan Type…] [options] target specification
Nmap ("Network Mapper") is a tool for network exploration and security auditing.
Commonly used for security audits; also useful for network inventory, managing service upgrade
schedules, and monitoring host or service uptime.
Uses specially crafted packets to determine host availability, services (applications) offered, OS running, type of packet filters/firewalls in use, etc.
Example:
-A
: enables OS detection, version detection, script scanning and traceroute
--traceroute
: traceroute only (there is no -t option; -A already includes traceroute)
Pressing any key while a scan runs prints a status line (the same lines appear periodically with --stats-every):
Stats: 0:00:22 elapsed; 248 hosts completed (7 up), 7 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 63.99% done; ETC: 11:26 (0:00:11 remaining)
Runtime interaction keys:
v / V increase / decrease verbosity
d / D increase / decrease debugging
p / P enable / disable packet tracing
Aborted scans (^C) can be resumed with --resume if a normal (-oN) or grepable (-oG) output file was being written.
A representative scan: aggressive detection (with traceroute) and aggressive timing, SYN scan of the 10 most common ports, verbose, normal output to a time-stamped file:
sudo /usr/local/bin/nmap -A -T aggressive -sS --top-ports 10 -v -oN scan-%D-%T 192.168.1.1/28 # .0-.15
Note: a /28 covers 16 addresses (.0-.15), not .0-.7. The output that follows is as captured on the original page; it reports 8 hosts, 1000 ports per host and a Connect Scan, so it evidently came from an unprivileged run over a different (8-address) range than the command line shown.
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 07:39
Scanning 8 hosts [2 ports/host]
Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
Initiating Parallel DNS resolution of 8 hosts. at 07:39
Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.5 [host down]
Nmap scan report for 192.168.1.7 [host down]
Initiating Connect Scan at 07:39
Scanning 5 hosts [1000 ports/host]
Discovered open port 80/tcp on 192.168.1.4
Discovered open port 3306/tcp on 192.168.1.4
Discovered open port 21/tcp on 192.168.1.4
Discovered open port 80/tcp on 192.168.1.1
…
Target Specification
CIDR notation: append /numbits to a hostname or IP address. Every address whose first numbits bits match those of the given address is a target.
192.168.10.0/25 scans the 128 hosts with the same 25 high-order bits (192.168.10.0-127). 192.168.10.40/25 specifies the same range (the .40 is masked out). 192.168.10.130/25 specifies the 128 hosts 192.168.10.128-255.
scanMe.nmap.org/28: given scanMe.nmap.org is 64.13.134.52, scan the 16 addresses 64.13.134.48 through 64.13.134.63.
Note that decreasing numbits makes the scan geometrically larger: each bit removed from the prefix doubles the number of addresses (a /24 is 256 addresses, a /16 is 65,536).
CIDR notation is not always flexible enough, for example when skipping IPs ending in .0 or .255 because they are commonly network and broadcast addresses. Nmap also accepts, for each octet, a comma-separated list of values or a lo-hi range (or both):
192.168.0-127.1-254 specifies a range for the 3rd and 4th octets and so skips every address that ends in .0 or .255.
Multiple formats may be mixed on one command line: nmap scanMe.nmap.org 192.168.3.0/24 10.0.0,1,17-63.0-255
-iL targetsFile | read targets from a file, one or more per line in any of the formats above; a filename of - reads standard input |
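Added example, not from nmap or the original page: a small POSIX shell script that expands a target specification offline so the address count is known before a scan starts. It covers both forms above, CIDR (/numbits) and per-octet lists and ranges; the function names (cidr_hosts, cidr_range, expand_octet, expand_range) are this example's own. The same check can be had from nmap itself with nmap -sL -n, which lists targets without sending packets.

```shell
#!/bin/sh
# Added example (not nmap's code): expand an Nmap target specification offline.

# cidr_hosts N -> number of IPv4 addresses in a /N block; each bit taken off
# the prefix doubles the count, which is why a /16 is 256 times a /24.
cidr_hosts() {
    echo $(( 1 << (32 - $1) ))
}

# cidr_range A.B.C.D/N -> "first last" of the block. Host bits are masked
# out, so 192.168.10.40/25 and 192.168.10.0/25 name the same 128 addresses.
cidr_range() {
    ip=${1%/*}; n=${1#*/}
    IFS=.; set -- $ip; unset IFS
    num=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - n)) & 4294967295 ))
    first=$(( num & mask ))
    last=$(( first | (~mask & 4294967295) ))
    printf '%d.%d.%d.%d %d.%d.%d.%d\n' \
        $(( (first >> 24) & 255 )) $(( (first >> 16) & 255 )) $(( (first >> 8) & 255 )) $(( first & 255 )) \
        $(( (last >> 24) & 255 ))  $(( (last >> 16) & 255 ))  $(( (last >> 8) & 255 ))  $(( last & 255 ))
}

# expand_octet "0,1,17-63" -> one value per line (comma list, lo-hi ranges, or both)
expand_octet() {
    IFS=,; set -- $1; unset IFS
    for part in "$@"; do
        case $part in
            *-*) i=${part%-*}; hi=${part#*-}
                 while [ "$i" -le "$hi" ]; do echo "$i"; i=$((i + 1)); done ;;
            *)   echo "$part" ;;
        esac
    done
}

# expand_range 192.168.0-127.1-254 -> every address, one per line. Octet
# ranges are how to leave out .0 and .255, which CIDR cannot express.
expand_range() {
    IFS=.; set -- $1; unset IFS
    o1=$1; o2=$2; o3=$3; o4=$4
    for a in $(expand_octet "$o1"); do
        for b in $(expand_octet "$o2"); do
            for c in $(expand_octet "$o3"); do
                for d in $(expand_octet "$o4"); do
                    echo "$a.$b.$c.$d"
                done
            done
        done
    done
}

# Count before you scan:
cidr_hosts 25                              # 128
cidr_range 192.168.10.130/25               # 192.168.10.128 192.168.10.255
expand_range 192.168.0-1.1-254 | wc -l     # 508
```

cidr_range 216.163.128.20/20 gives 216.163.128.0 216.163.143.255, the 4096 addresses the last example on this page scans.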
Host Discovery
ARP discovery (-PR) is used automatically for targets on the local Ethernet network; it is faster and more reliable than IP-level probes.
For non-local targets the privileged default sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, equivalent to -PE -PS443 -PA80 -PP. Unprivileged users instead get a TCP SYN to ports 80 and 443 via the connect system call. (Older releases defaulted to -PA -PE only: ACK to port 80 plus ICMP echo.)
-Pn skips discovery and port-scans every address; -sn does discovery only.
Host discovery is followed by a port scan.
open, closed, filtered, unfiltered, open|filtered, closed|filtered | Port states. The combined states open|filtered and closed|filtered are reported when Nmap cannot determine which of the two describes the port, because the probe type used cannot tell them apart. |
For IP protocol scan (-sO), the same states describe which IP protocols the host supports rather than ports.
Discussion of probe effectiveness: see nmap.org.
-sL | List scan: list (and reverse-resolve) every target without sending a packet to it. Run it first to confirm a target specification expands to what was intended. |
Additional options usable with any scan type:
--traceroute | trace the path to each target after the port scan |
nmap target
scans the 1,000 most common TCP ports on target (older releases scanned 1,660).
Port states are not intrinsic properties of the port itself, but describe how Nmap sees them from where it runs.
For example, a scan from within the same network as the target may show port 135/tcp as open,
while a scan with the same options from across the Internet might show that port as filtered.
The port states defined by Nmap:
unfiltered ports (the result of an ACK scan) can often be resolved to open or closed by re-scanning with a different type such as Window, SYN or FIN scan.
Most scan types require raw-packet privileges; the exceptions are connect (-sT) and FTP bounce (-b) scans, which use the ordinary socket API.
Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types.
Scan type options take the form -sC, where C is a single letter.
Default: SYN (-sS), or connect (-sT) if the user does not have the privileges to send raw packets. Older releases also fell back to connect for IPv6 targets; since Nmap 6, raw-packet scans work over IPv6 as well.
-sS | TCP SYN scan. Default when privileged. Fast: scans thousands of ports per second on a network not hampered by restrictive firewalls. Relatively unobtrusive and stealthy, since it never completes TCP connections. Works against any compliant TCP stack rather than depending on implementation idiosyncrasies (as FIN/NULL/Xmas scans do). Allows clear, reliable differentiation between the open, closed and filtered states.
Sends a SYN packet as if opening a connection: a SYN/ACK reply means open, a RST means closed, no reply (or an ICMP unreachable error) means filtered. |
-sT | TCP connect scan. Default when raw packets cannot be sent (unprivileged user). Uses the OS connect() call, so connections complete and are more likely to be logged by the target. |
--top-ports n | scan the n most common ports (frequency ratios from nmap-services) |
Service and Version Detection
After ports are discovered, version detection (-sV) interrogates them to identify the application and version listening.
Some UDP ports are reported open|filtered because the probe drew no response. Version detection sends protocol-specific probes to elicit a response from these and changes them to open if successful. TCP open|filtered ports are treated the same way.
-sV | probe open ports to determine service and version information |
-O | OS detection (TCP/IP stack fingerprinting; needs raw packets and at least one open and one closed TCP port for a reliable match) |
Timing and Performance
Options that take a time value interpret it in milliseconds by default; append s, m or h to the value to specify seconds, minutes or hours. The --host-timeout arguments 900000, 900s and 15m are equivalent.
--min-hostgroup numhosts, --max-hostgroup numhosts | parallel host scan group size |
--min-parallelism np, --max-parallelism np | probe parallelization: number of probes outstanding at once |
--max-rtt-timeout time, --min-rtt-timeout time, --initial-rtt-timeout time | bounds on how long Nmap waits for a probe response before retransmitting or giving up; lower --max-rtt-timeout on fast, reliable networks |
-e interface | Use specified interface |
-f m --mtu m | fragment packets using the specified MTU |
-D decoy1[,decoy2][,ME][,…] | Cloak a scan with decoys. Makes it appear to the remote host that the decoys are scanning the target too. |
-S IP_Address | Spoof source address. Replies go to the spoofed address, so this confuses the target or an IDS rather than returning results; normally needs -e and -Pn as well. |
--source-port p, -g p | Spoof source port number. Exploits the common misconfiguration of trusting traffic based only on its source port (e.g. allowing DNS replies from 53 or FTP-data from 20 through a firewall). |
--data-length n | Append n bytes of random data to sent packets. Normally minimalist packets containing only a header are sent. |
--ip-options options | Send packets with the specified IP options. IP options are rarely seen and can be useful in some cases. Record route (R) records the path to a target when traceroute-style approaches fail; record timestamp (T), or both (U), can show where packets are being dropped by a certain firewall. Loose or strict source routing, specified with L or S followed by a space and a space-separated list of IP addresses, forces a different route. |
--ttl value | Set the IP time-to-live field of sent packets |
--randomize-hosts | May make the scans less obvious to network monitoring systems. Combine it with slow timing options . See nmap.org |
--spoof-mac MAC address, prefix, or vendor name | Spoof the source MAC address. An address of 0 uses a random MAC; a prefix or vendor name picks a random address with that OUI. Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2 and Cisco. Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection. Implies --send-eth. See nmap.org |
--badsum | Send packets with an invalid TCP/UDP/SCTP checksum. Real stacks drop them silently, so any response comes from a firewall or IDS that did not validate the checksum. See nmap.org/p60-12 |
-sC | run the default script set (equivalent to --script=default) |
Output
Output filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y and %Y. %T is %H%M%S, %R is %H%M and %D is %m%d%y.
Example: -oX 'scan-%T-%D.xml' writes to scan-144840-121307.xml (14:48:40 on 12/13/07).
-oN file | normal (human-readable) output to file. -oX file writes XML, -oG file grepable output, -oA basename all three at once. |
-v | verbosity. Open ports are shown as they are found and completion time estimates are provided. Use it twice or more (-vv) for still more. While running, v increases verbosity, V decreases. See nmap.org |
-d [level] | debug output, level 1-9. While running, d increases, D decreases. See nmap.org |
--packet-trace | Trace packets: print a summary of every packet sent or received. Used for debugging. See nmap.org
Packet Tracing enabled.
SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811 S ttl=49 id=11069 iplen=44 seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44 seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40 seq=0 win=0
SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139 S ttl=40 id=14479 iplen=44 seq=4237873418 win=1024 <mss 1460>
SENT (4.8244s) TCP 192.168.1.8:52616 > 192.168.1.3:443 S ttl=49 id=23356 iplen=44 seq=4254715915 win=1024 <mss 1460>
RCVD (4.8258s) TCP 192.168.1.5:139 > 192.168.1.8:52626 SA ttl=128 id=22102 iplen=44 seq=2168289427 win=8192 <mss 1460>
RCVD (4.8266s) TCP 192.168.1.6:139 > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44 seq=2599483217 win=8192 <mss 1460>
SENT (4.8462s) TCP 192.168.1.8:52616 > 192.168.1.3:8888 S ttl=47 id=39457 iplen=44 seq=4254715915 win=1024 <mss 1460> |
--open | Show only open (or possibly open) ports. See nmap.org |
--iflist | (List interfaces and routes) outputs interface list and system routes, useful for debugging. See nmap.org |
--log-errors | Log errors/warnings to the normal-mode output file. They usually go only to the screen (interactive output), leaving normal-format files (-oN) uncluttered. Alternatively redirect interactive output, including stderr, to a file with 2>&1. |
Miscellaneous output options | |
--resume filename | Resume an aborted scan from its normal (-oN) or grepable (-oG) output file; no other arguments are permitted, the original options are read from the file. |
--append-output | Append to rather than clobber the specified output file(s) |
--stylesheet path or URL | XSL stylesheet to transform XML output. See nmap.org |
--webxml | Load stylesheet from Nmap.Org |
--no-stylesheet | Omit XSL stylesheet declaration from XML |
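Added example (not nmap's code and not from the original page): a POSIX shell function that reads --packet-trace lines like the ones shown above and applies the SYN-scan rules from the -sS entry (SYN/ACK back means open, RST back means closed, silence means filtered). The trace lines it is fed are constructed for the example, and the names SAMPLE_TRACE, classify_trace and count_state are its own. Real Nmap retransmits a probe before declaring a port filtered, so a short excerpt may simply still be waiting on replies; the probe count in the output is there to make that visible.

```shell
#!/bin/sh
# Added example (not nmap's own code): turn a --packet-trace excerpt into the
# per-port verdicts a SYN scan derives from it. Rules, from how -sS works:
#   SYN sent, SYN/ACK (SA) back  -> open
#   SYN sent, RST/ACK  (RA) back -> closed
#   SYN sent, nothing back       -> filtered (nmap only concludes this after
#                                   retransmitting; an excerpt may be too early)

# Constructed sample in the --packet-trace line format; not a real capture.
SAMPLE_TRACE='SENT (0.1000s) TCP 192.168.1.8:52616 > 192.168.1.6:139 S ttl=49 id=11069 iplen=44 seq=4254715915 win=1024 <mss 1460>
SENT (0.1010s) TCP 192.168.1.8:52616 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44 seq=4254650378 win=1024 <mss 1460>
SENT (0.1020s) TCP 192.168.1.8:52616 > 192.168.1.3:443 S ttl=47 id=39457 iplen=44 seq=4254715915 win=1024 <mss 1460>
RCVD (0.1050s) TCP 192.168.1.11:1218 > 192.168.1.8:52616 RA ttl=64 id=15801 iplen=40 seq=0 win=0
RCVD (0.1060s) TCP 192.168.1.6:139 > 192.168.1.8:52616 SA ttl=128 id=2213 iplen=44 seq=2599483217 win=8192 <mss 1460>
SENT (1.1020s) TCP 192.168.1.8:52617 > 192.168.1.3:443 S ttl=47 id=39458 iplen=44 seq=4254715916 win=1024 <mss 1460>'

# classify_trace: read trace lines on stdin, print "host:port state (n probes)" sorted.
# Field layout: $1 SENT|RCVD, $2 (time), $3 proto, $4 src, $5 ">", $6 dst, $7 TCP flags
classify_trace() {
    awk '
        $1 == "SENT" && $3 == "TCP" && $7 == "S" { probes[$6]++ }
        $1 == "RCVD" && $3 == "TCP" {
            if ($7 == "SA")      state[$4] = "open"
            else if ($7 == "RA") state[$4] = "closed"
        }
        END {
            for (p in probes)
                printf "%s %s (%d probe%s)\n", p, (p in state) ? state[p] : "filtered",
                       probes[p], (probes[p] > 1 ? "s" : "")
        }' | LC_ALL=C sort
}

# count_state STATE: how many probed ports of the sample ended up in STATE
count_state() {
    printf '%s\n' "$SAMPLE_TRACE" | classify_trace | grep -c " $1 "
}

printf '%s\n' "$SAMPLE_TRACE" | classify_trace
```

For the sample this prints one closed (RST from 192.168.1.11:1218), one open (SYN/ACK from 192.168.1.6:139) and one filtered port (192.168.1.3:443, probed twice with no reply), which is exactly the distinction the -sS entry above says a SYN scan can make and a connect scan cannot make as cheaply.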
-6 | Enable IPv6 scanning. Early releases supported only ping (TCP-only), connect scanning and version detection over IPv6; since Nmap 6, raw-packet scans, OS detection and traceroute work as well. IPv6 syntax example: 3ffe:7501:4819:2000:210:f3ff:fe03:14d0. Hostnames are recommended. |
-A | Aggressive. Enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). Since script scanning is considered intrusive, do not use -A against networks without permission. It does not enable aggressive timing (such as -T4) or verbosity (-v); add those separately. |
--datadir ddir | custom data file location for nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes and nmap-os-db (--servicedb or --versiondb may override individual files). Files not found in ddir are searched for in $NMAPDIR, then ~/.nmap, the location of the Nmap executable and then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap. |
-F | Fast (limited port) scan: scan the 100 most common ports instead of the default 1,000. |
--versiondb service probes file | specify a custom service probes file |
--send-eth | Send at the raw Ethernet (data link) layer rather than the raw IP layer. Nmap normally chooses the best layer automatically; raw Ethernet is required for ARP and on Windows. See nmap.org |
--send-ip | Send at the raw IP level rather than as lower-level Ethernet frames; complement of --send-eth |
--privileged | Assume the user is privileged enough to perform raw socket sends and packet sniffing. Must precede flags requiring privileges. Setting $NMAP_PRIVILEGED is equivalent. |
--unprivileged | Assume the user lacks raw socket privileges; opposite of --privileged. Setting $NMAP_UNPRIVILEGED is equivalent. |
--release-memory | Release memory before quitting; only useful for memory-leak debugging. |
--interactive | Start in interactive mode, which offers a prompt allowing launching multiple scans. See nmap.org |
-V | output version number and exit, e.g.
Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-apple-darwin13.4.0
Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select |
-h | help summary page, e.g.
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL
…
RUNTIME INTERACTION: keys pressed during execution change options and print a status message; lowercase increases the amount of output, uppercase decreases. |
Examples
sudo /usr/local/bin/nmap -v scanme.nmap.org
Verbose scan of the default ports on scanme.nmap.org.
sudo /usr/local/bin/nmap -sS -O scanme.nmap.org/24
SYN scan plus OS detection of every host that is up in the 256-address /24 around scanme.nmap.org.
sudo /usr/local/bin/nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Version detection on five ports across the first half of every /24 in 198.116.0.0/16.
-PN (-Pn in current releases) skips host discovery: first sending a couple of probes to determine whether a host is up is a waste of time when probing only one port on each target host anyway.
sudo /usr/local/bin/nmap -v -iR 100000 -PN -p 80
Scan 4096 IPs for web servers (without pinging) and save the output in XML and grepable format:
sudo /usr/local/bin/nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
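Added example (not from the original page or from nmap): parsing the grepable file the last command writes to list which of the 4096 addresses actually answered on port 80. Grepable output is one tab-separated line per host: Host: <ip> (<hostname>), then Ports: with <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/ entries separated by ", ". The sample lines here are constructed, not real scan results, and sample_gnmap and hosts_with_port are this example's own names.

```shell
#!/bin/sh
# Added example (not nmap's code): find the web servers in a -oG file.

# sample_gnmap: constructed stand-in for logs/pb-port80scan.gnmap (not real data).
# Real files put a tab between the Host: field and the Status:/Ports: field, as here.
sample_gnmap() {
    printf '%s\n' '# Nmap 7.93 scan initiated as: nmap -Pn -p80 -oG logs/pb-port80scan.gnmap 216.163.128.20/20'
    printf 'Host: %s (%s)\tStatus: Up\nHost: %s (%s)\tPorts: %s/%s/tcp//http///\n' \
        216.163.128.20 ''              216.163.128.20 ''              80 open \
        216.163.128.21 ''              216.163.128.21 ''              80 closed \
        216.163.128.22 www.example.net 216.163.128.22 www.example.net 80 filtered \
        216.163.129.7  ''              216.163.129.7  ''              80 open
    printf '%s\n' '# Nmap done -- 4096 IP addresses (4096 hosts up) scanned'
}

# hosts_with_port PORT STATE: read grepable output on stdin, print the address
# (and hostname, if reverse DNS gave one) of every host whose PORT is in STATE.
hosts_with_port() {
    awk -F'\t' -v want_port="$1" -v want_state="$2" '
        $1 ~ /^Host: / {
            split($1, h, " ")                     # h[2] = ip, h[3] = "(hostname)" or "()"
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entries, ", *")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")     # port/state/proto/owner/service/rpc/version/
                    if (f[1] == want_port && f[2] == want_state)
                        print h[2] (h[3] == "()" ? "" : " " h[3])
                }
            }
        }'
}

# Web servers found by the scan; the filtered host had its probe dropped somewhere
# between scanner and target, so it is an unknown rather than a non-server.
sample_gnmap | hosts_with_port 80 open
sample_gnmap | hosts_with_port 80 filtered
```

Against a real file, replace sample_gnmap with cat logs/pb-port80scan.gnmap; because the scan used -Pn, every address appears as Status: Up and only the port state separates live servers from unreachable hosts.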