nmap
Network Scanning
Network exploration tool and security / port scanner
Much of the original documentation includes philosophy and reasoning for using particular options. Read that at nmap.org
This version is terse, with minimal description. (DGG)
nmap [Scan Type…] [options] target specification
"Network Mapper" is a tool for network exploration and security auditing.
Commonly used for security audits; also useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Uses specially crafted packets to determine host availability, services (applications) offered, the OS running, the type of filters/firewalls in use, etc.
Example options:
-A: enables OS and version detection, script scanning
--traceroute: traceroute
Key presses while running (echo is suppressed; it may take several seconds to acknowledge):
- ↵ (enter): display status / progress, e.g.
  Stats: 0:00:22 elapsed; 248 hosts completed (7 up), 7 undergoing SYN Stealth Scan
  SYN Stealth Scan Timing: About 63.99% done; ETC: 11:26 (0:00:11 remaining)
- v / V: increase / decrease verbosity
- d / D: increase / decrease debugging
- p / P: enable / disable packet tracing
Aborted scans (^C) can be resumed if a proper output option was used.
A representative scan: aggressive detection (with traceroute) and timing, TCP SYN, checking only the most popular ports, starting with level 2 verbosity, output to a normal file called scan-<date>-<time>, for hosts within a small subnet:
sudo nmap -A -T aggressive -sS --top-ports 10 -v -oN scan-%D-%T 192.168.1.1/28 # .0-.7
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 07:39
Scanning 8 hosts [2 ports/host]
Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
Initiating Parallel DNS resolution of 8 hosts. at 07:39
Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
Nmap scan report for 192.168.1.0 [host down]
Nmap scan report for 192.168.1.5 [host down]
Nmap scan report for 192.168.1.7 [host down]
Initiating Connect Scan at 07:39
Scanning 5 hosts [1000 ports/host]
Discovered open port 80/tcp on 192.168.1.4
Discovered open port 3306/tcp on 192.168.1.4
Discovered open port 21/tcp on 192.168.1.4
Discovered open port 80/tcp on 192.168.1.1
…
sudo nmap -A -T normal scanme.nmap.org playground #scan 2 specific hosts
Starting Nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (64.13.134.52):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
53/tcp open domain
70/tcp closed gopher
80/tcp open http Apache httpd 2.0.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
Interesting ports on playground.nmap.org (192.168.0.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1002/tcp open windows-icfw?
1025/tcp open msrpc Microsoft Windows RPC
1720/tcp open H.323/Q.931 CompTek AquaGateKeeper
5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open vnc VNC (protocol 3.8)
MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP
Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
nmap -sP `hostname`/24 |sed "/Nmap sc/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"
Everything on the command line that isn't an option or option argument is treated as a target specification (nmap.org).
The simplest case is to specify a single target:
- hostname
- CIDR-style addressing: consecutive addresses; append /numbits to a target. Every address whose first numbits match those of the given address is a target.
Examples:
- 192.168.10.0/25 scans the 64 hosts with the same 25 high-order bits and all combinations of the lower 7 bits, i.e. 192.168.10.0 (11000000 10101000 00001010 00000000) through 192.168.10.127 (11000000 10101000 00001010 01111111), inclusive.
- 192.168.10.40/25 specifies the same range (the .40 is masked out).
- 192.168.10.130/24 specifies the 128 hosts 192.168.10.128-255.
- scanMe.nmap.org/28: given that scanMe.nmap.org is 64.13.134.52, scan the 16 addresses 64.13.134.48 through 64.13.134.63.
Note that scan time grows geometrically with the size of the host part: each additional host bit doubles the number of addresses.
CIDR notation is not always flexible enough, for example to skip IPs ending in .0 or .255 because they are commonly broadcast addresses.
- Range addressing: a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-127.1-254 specifies a range for the 3rd octet and skips all addresses that end in .0 or .255.
- IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname.
Multiple formats may be mixed on one command line: nmap scanMe.nmap.org 192.168.3.0/24 10.0.0,1,17-63.0-255
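To check what a target specification expands to before anything is sent (the same sanity check -sL performs, but offline), here is an added Python example, not nmap's own code, implementing the CIDR and per-octet range rules above; scanMe.nmap.org is resolved from a constructed table holding the address this page quotes.

```python
# Added example (not nmap's own code): expands nmap target specifications
# into the IPv4 addresses they cover, the offline equivalent of the -sL
# sanity check, so a spec can be verified before anything is sent.
import ipaddress
import itertools
import re
from typing import Iterator, List

# Hypothetical resolver table so the example runs offline; the address is
# the one this page quotes for scanme.nmap.org.
HOSTS = {"scanme.nmap.org": "64.13.134.52"}

OCTET_SPEC = re.compile(r"[0-9,\-]+(\.[0-9,\-]+){3}")


def _octet_values(field: str) -> List[int]:
    """Expand one octet field: '5', '1-254', '0,1,17-63' or '-' (0-255)."""
    values: List[int] = []
    for part in field.split(","):
        lo_s, dash, hi_s = part.partition("-")
        lo = int(lo_s) if lo_s else 0
        hi = (int(hi_s) if hi_s else 255) if dash else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one nmap target spec.

    Handles a hostname or dotted address, an optional /numbits suffix on
    either, and per-octet comma/range lists such as 10.0.0,1,17-63.0-255.
    """
    base, _, bits = spec.partition("/")
    if OCTET_SPEC.fullmatch(base):
        fields = [_octet_values(f) for f in base.split(".")]
        if bits and any(len(f) != 1 for f in fields):
            raise ValueError("a /numbits suffix needs a single address")
        hosts = (".".join(map(str, combo)) for combo in itertools.product(*fields))
    else:
        ip = HOSTS.get(base.lower())
        if ip is None:
            raise ValueError(f"cannot resolve {base!r} (offline example)")
        hosts = iter([ip])
    if not bits:
        yield from hosts
        return
    # /numbits keeps the first numbits of the given address and enumerates
    # the rest, so 192.168.10.40/25 covers the same range as 192.168.10.0/25.
    network = ipaddress.ip_network(f"{next(hosts)}/{bits}", strict=False)
    for addr in network:
        yield str(addr)


def expand_targets(specs: List[str]) -> List[str]:
    """Expand a whole command line's worth of specs, in the order given."""
    addresses: List[str] = []
    for spec in specs:
        addresses.extend(expand_target(spec))
    return addresses
```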
-iL tfile  Input List: reads targets from tfile.
Example uses:
- A DHCP server exports a list of its 837 current leases.
- Scanning the addresses not leased locates hosts using unauthorized addresses.
-iL=- reads hosts from STDIN, e.g. piped from filters such as grep or grep -v.
Entries are separated by spaces, tabs, or newlines.
-iR num_hosts  Include num_hosts random targets.
Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are not generated.
Specify 0 for a continuing scan.
--exclude host1[,host2[,…]], net1[,net2[,…]]  Comma-separated list of targets to exclude: hostnames, CIDR netblocks, octet ranges, etc.
Useful when the network includes untouchable mission-critical servers, systems known to react adversely to port scans, or subnets administered by others.
--excludefile file  As --exclude, but the targets are read from file, delimited by newlines, spaces, or tabs.
Host Discovery
Develop a list of interesting hosts (nmap.org).
Security auditors should care about every single device on a network.
An external penetration tester may use a diverse set of probes in an attempt to locate possible exploits.
ARP discovery (-PR) is done on a local ethernet network.
For non-local targets, a TCP ACK packet to port 80 and an ICMP echo request are sent
(unprivileged users send a SYN packet using the connect system call).
The defaults are equivalent to -PA -PE.
Host discovery is followed by a port scan.
Port states
- open: an application is listening for connections/packets
- unfiltered: responsive to probes, but it cannot be determined whether they are open
- filtered: a firewall, filter, etc. is restricting access
- closed: no application is listening on the port right now
State combinations open|filtered and closed|filtered: it cannot be determined which state describes the port best.
For an IP protocol scan (-sO), information on supported protocols is provided instead.
See the discussion of probe effectiveness at nmap.org.
-sL  List Scan: lists each host of the network(s) without sending any packets to the target hosts!
Does reverse-DNS resolution on the hosts to look up their names.
A good sanity check to validate the target address specification.
Example: list all hosts within the same subnet as this host (sed suppresses titles and addresses without hostnames):
>nmap -sL cccu.us
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 07:33 EDT
cccu.us (50.63.202.17)
rDNS record for 50.63.202.17: ip-50-63-202-17.ip.secureserver.net
Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds
> nmap -sL `hostname`/24 |sed "s/^Nmap scan report for//; /^ [[:digit:]]\{1,3\}./d"
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-13 18:26 EDT
rtr.germans (192.168.1.1)
pi-0-roof.germans (192.168.1.3)
o4-etc-hosts (192.168.1.4)
smacpro (192.168.1.5)
rDNS record for 192.168.1.5: smacpro.germans (running host)
Denniss-iPhone.germans (192.168.1.6)
tammy-PC.germans (192.168.1.7)
sligiga.germans (192.168.1.8)
MarilynSsiPhone.germans (192.168.1.10)
dlinkap.germans (192.168.1.11)
raspberrypi.germans (192.168.1.14)
IP-STB1.germans (192.168.1.100)
Nmap done: 256 IP addresses (0 hosts up) scanned in 13.53 seconds
> nmap -sL 172.17.54.110/27 |sed "s/Nmap scan report for// ; /^ [[:digit:]]/d "| column
Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-22 08:52 EDT   (not the best example: nothing resolved)
Nmap done: 32 IP addresses (0 hosts up) scanned in 0.24 seconds
-sP / -sn  Ping Scan (no port scan), a.k.a. ping sweep; -sP is the older spelling of -sn.
- Privileged user: sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
On a local ethernet network, ARP requests are used unless --send-ip was specified.
- Unprivileged user: only a SYN packet is sent (using a connect call) to ports 80 and 443.
When combined with other discovery probe types (-P*, except -Pn), the default probes (ACK and echo request) are overridden.
Recommended when strict firewalls are in use, otherwise hosts will be missed if the firewall drops probes or responses.
Only slightly intrusive; allows light reconnaissance of a target network without attracting much attention.
Valuable for counting available machines and checking server availability.
More reliable than pinging the broadcast address because many hosts do not reply to that.
Traceroute and NSE host scripts may also be requested, but no further testing (such as port scanning or OS detection) is performed.
sudo nmap -sP `hostname`/24 |sed "/Nmap/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"
Starting Nmap 7.00 ( http://nmap.org ) at 2012-09-23 20:49 EDT
192.168.1.1 .0059s
kitchen.germans (192.168.1.2) .0073s
192.168.1.3 .0080s
smackerPro (192.168.1.6) .00022s
rDNS record for 192.168.1.6: smackerPro.germans
192.168.1.7 .016s
IP-STB1.germans (192.168.1.101) .015s
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.37 seconds
sudo nmap -sP `hostname`/24 |sed "s/Nmap scan report for/\n/"
Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 19:17 EDT
192.168.1.1
Host is up (0.0038s latency).
MAC Address: 00:18:01:8F:23:ED (Actiontec Electronics)
kitchen.germans (192.168.1.2)
Host is up (0.013s latency).
MAC Address: 00:1B:21:A4:32:BD (Intel Corporate)
192.168.1.3
Host is up (0.013s latency).
MAC Address: 00:50:FC:9C:E0:18 (Edimax Technology CO.)
smackerPro (192.168.1.4)
Host is up.
192.168.1.5
Host is up (0.0036s latency).
MAC Address: 18:20:32:9F:54:75 (Apple)
IP-STB1.germans (192.168.1.101)
Host is up (0.0047s latency).
MAC Address: 00:1F:C4:EF:5D:F1 (Motorola Mobility)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.71 seconds
-Pn  Ping Not: skip the discovery ping.
Warning: causes the scanning functions to be performed against every target specified.
Normally, heavier probing such as port scans is only performed against hosts found to be up.
For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because MAC addresses are needed to scan the targets further.
-PR  ARP Ping: any response means the host is up. Fastest.
Used when scanning hosts on a local ethernet network, even if different ping types are specified.
To avoid an ARP scan, specify --send-ip.
-PS ports  TCP SYN Ping: sends an empty packet with the SYN flag set, as if attempting to establish a connection.
Default port 80.
Syntax is as for -p, except that port type specifiers like T: are not allowed.
Examples: -PS22 and -PS22-25,80,113,1050,35000 (no space between -PS and the ports).
Multiple probes are sent in parallel.
Additional information at nmap.org.
Use together with the TCP ACK ping probe to maximize the chances of bypassing firewalls.
-PA ports  TCP ACK Ping: like the SYN ping, but the ACK flag is set instead.
An ACK purports to acknowledge data over an established TCP connection; since no such connection exists, remote hosts should always respond with a RST packet, disclosing their existence.
Default port 80 (nmap.org).
Use together with the TCP SYN ping probe to maximize the chances of bypassing firewalls.
-PU ports  UDP Ping: sends an empty (unless --data-length is specified) UDP packet. Default port 31338 (nmap.org).
-PY ports  SCTP INIT Ping: an SCTP (Stream Control Transmission Protocol) packet containing a minimal INIT chunk. Default port 80.
-PE  ICMP echo request, type 8 (frequently blocked)
-PP  ICMP timestamp request, type 13
-PM  ICMP address mask request, type 17
-PO protos  IP Protocol Ping: sends packets with the specified protocol numbers.
protos is in the same format as port lists.
Default: send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).
For ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), packets are sent with the proper protocol headers, while other protocols are sent with no additional data (unless --data-length is specified).
Looks for either responses using the same protocol as the probe, or ICMP protocol unreachable messages signifying that the protocol isn't supported on the destination host. Either response signifies that the target is alive.
Additional options useful with discovery and scan options.
--traceroute  Trace the path to each host; performed post-scan. Works with all scan types except -sT and -sI.
--reason  Host and port state reasons: displays the type of packet that determined a port's or host's state.
For example, a RST packet from a closed port or an echo reply from an alive host. The information provided depends on the type of scan or ping: the SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited.
Also enabled by the debug option (-d); the reasons are always stored in the XML log.
-n  No DNS resolution; improves performance.
-R  Reverse DNS resolution for ALL targets; normally it is only done against responsive hosts.
--system-dns  Use the system DNS resolver.
Default: nmap queries the name servers configured on your host directly.
--dns-servers server1[,server2[,…]]  Servers for reverse DNS.
Default: determine DNS servers from your host. Ignored with --system-dns or an IPv6 scan.
Multiple servers is faster and improves stealth.
Scan for port 53 (DNS), then try list scans (-sL) specifying each name server one at a time with --dns-servers to find one which works correctly.
Port Scanning
nmap target  scans more than 1,660 TCP ports on target.
Port states are not intrinsic properties of the port itself, but describe how Nmap sees them.
For example, a scan from within the same network as the target may show port 135/tcp as open, while a scan with the same options from across the Internet might show that port as filtered.
The port states defined by Nmap:
- open: an application is actively accepting TCP connections or UDP packets.
The security goal is to close these or protect them with a firewall without thwarting legitimate users.
Also interesting for non-security scans because they show services available for use on the network.
- closed: accessible (receives and responds to packets), but no application is listening.
May become open if a daemon starts and begins fielding queries.
Can be blocked with a firewall, causing it to appear filtered.
- filtered: Nmap cannot determine whether the port is open because packet filtering prevents probes from reaching it. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software.
Filters sometimes respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
Nmap retries the probe several times in case it was dropped by network congestion rather than filtering, which slows the scan down dramatically.
- unfiltered: the port is accessible, but Nmap is unable to determine whether it is open or closed.
Only the ACK scan, used to map firewall rulesets, classifies ports into this state.
Scanning unfiltered ports with other scan types such as Window, SYN, or FIN scans may resolve the port as open.
- open|filtered: Nmap is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response, which could also mean that a packet filter dropped the probe or any response it elicited.
UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
- closed|filtered: Nmap is unable to determine whether a port is closed or filtered. Only the IP ID idle scan classifies ports this way.
Port Scanning Techniques
Most are only available to privileged users. Nmap sometimes works for unprivileged users on Windows when WinPcap has been loaded.
Unprivileged users can execute connect and FTP bounce scans.
Only one method may be used at a time, except that a UDP scan (-sU) may be combined with any one of the TCP scan types.
Scan types take the form -s followed by a letter.
Default: SYN (or connect if the user does not have proper privileges to send raw packets, or if IPv6 targets were specified).
-sS  TCP SYN (fast)
Default.
Quick, scanning thousands of ports per second; not hampered by restrictive firewalls.
Relatively unobtrusive and stealthy.
Does not depend on idiosyncrasies of the target's TCP implementation.
Allows clear, reliable differentiation between the open, closed, and filtered states.
Sends a SYN packet, as if about to open a connection.
A response of SYN/ACK indicates the port is listening (open); a RST (reset) is indicative of a non-listener (closed).
If no response is received after several retransmissions, or if an ICMP unreachable error is received, the port is marked filtered.
-sT  TCP connect (not fast)
Default when a SYN scan is not available: no raw packet privileges, or scanning IPv6 networks.
Does not write raw packets; rather, it asks the operating system to establish a connection with the target by issuing the connect system call, the same high-level call that web browsers and other applications use to establish a connection.
Less efficient than SYN, which is usually a better choice.
Target machines are more likely to log the connection; Unix systems may add a note to syslog for connects that send no data.
-sU  UDP (slow)
Sends a UDP header only (empty payload).
A service responding with a UDP packet: open.
If an ICMP port unreachable error is returned, it is closed or filtered.
If no response is received, the port is classified as open|filtered.
Open and filtered ports rarely send any response, so Nmap times out and then retransmits in case the probe or response was lost.
Closed ports may send back an ICMP port unreachable error, but hosts rate-limit ICMP port unreachable messages by default.
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop.
A limit of one packet per second makes a 65,536-port scan take more than 18 hours!
Speed-ups include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.
Version detection (-sV) can differentiate the truly open ports from the filtered ones.
Combining with a TCP scan type such as SYN (-sS) checks both during the same run.
-sN / -sF / -sX  TCP NULL / FIN / Xmas
NULL does not set any bits (header flags are 0).
FIN sets only the FIN bit.
Xmas sets FIN, PSH, and URG, lighting the packet up like a Christmas tree.
(More combinations are possible with --scanflags.)
Can differentiate between open and closed ports. See nmap.org.
-sA  TCP ACK
May map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Never determines open or open|filtered ports.
See nmap.org.
-sW  TCP Window
Like ACK, but may differentiate open from closed ports: rather than always displaying unfiltered when a RST is returned, it examines the TCP Window field of the returned RST packets.
-sM  TCP Maimon: as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
--scanflags flags  Custom TCP scan. The argument can be a numerical flag value such as 9 (PSH and FIN), or any combination of the symbolic names URG, ACK, PSH, RST, SYN, and FIN.
Example: --scanflags URGACKPSHRSTSYNFIN
Specify a TCP scan type (such as -sA or -sF) to go with it; default: SYN.
-sI zombie host[:probeport]  Idle scan
Advanced scan method: no packets are sent to the target from your IP.
Too complex to fully describe here; see nmap.org/book/idlescan.html
-sO  IP protocol scan
Determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports.
Uses -p to select the protocols scanned. Example:
>sudo nmap -sO kitchen
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 12:44 EDT
kitchen (192.168.1.6)
rDNS record for 192.168.1.6: kitchen
1 open icmp
17 open udp
Nmap done: 1 IP address (1 host up) scanned in 19.16 seconds
-b [user:pass]@server[:port]  FTP relay host (FTP bounce scan)
Uses an FTP server to port scan other hosts: the FTP server is asked to send a file to each interesting port, and its error message describes whether the port is open or not.
May bypass firewalls because organizational FTP servers often have access to other internal hosts.
The -b argument takes the form [username:password]@server[:port]; server is the name or IP address of a vulnerable FTP server.
If username:password is omitted, anonymous login credentials (user: anonymous, password: -wwwuser@) are used.
Port defaults to 21.
Port Specification and Scan Order
Default: all ports up to and including 1024 (privileged ports) as well as higher-numbered ports listed in nmap-services.
--top-ports n  Scans the n highest-ratio ports from nmap-services.
-sS --top-ports 20 selects:
21 ftp, 22 ssh, 23 telnet, 25 smtp, 53 domain, 80 http, 110 pop3, 111 rpcbind, 135 msrpc, 139 netbios-ssn, 143 imap, 443 https, 445 microsoft-ds, 993 imaps, 995 pop3s, 1723 pptp, 3306 mysql, 3389 ms-wbt-server, 5900 vnc, 8080 http-proxy
--top-ports 5000 (on a LAN: 139.74 seconds)
Gibson Research Corp. has a great port reference.
-F  Fast (limited port scan)
Only scans ports listed in /usr/local/share/nmap/nmap-services (or the protocols file for -sO).
That file contains a great many ports (more than 27,000!).
Fastest is with --top-ports 4.
--port-ratio r  Scans all ports in nmap-services with a ratio greater than r.
Selected nmap-services entries (service, port/proto, ratio):
domain    53/udp    .213496
dhcps     67/udp    .228010
dhcpc     68/udp    .140118
finger    79/tcp    .006022
ftp       21/tcp    .197667 (control)
http      80/tcp    .484143
https     443/tcp   .208669
ntp       123/udp   .330879
pop3      110/tcp   .077142
route     520/udp   .139376
smtp      25/tcp    .131314
ssh       22/tcp    .182286
syslog    514/udp   .119804
telnet    23/tcp    .221265
tftp      69/udp    .102835
zeroconf  5353/udp  .100166
ipp       631/udp   .450281   # Internet Printing Protocol
--port-ratio .001 selects 217 ports (on a LAN: 8.28 seconds)
-p port ranges  Only scan the specified ports.
Individual ports and ranges; an omitted range bound defaults to 1 or 65535.
Port zero is allowed if specified explicitly.
For IP protocol scanning (-sO), specifies the protocol numbers (0-255).
When scanning both TCP and UDP ports, select a protocol by preceding the port numbers with T: or U:. The qualifier lasts until the next qualifier.
For example: -p U:53,111,137,T:21-25,80,139,8080
To scan both UDP and TCP, specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added to all protocol lists.
Ports can also be specified by the name they are given in /usr/local/share/nmap/nmap-services, including the wildcards * and ?. For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
Ranges of ports can be enclosed in square brackets to select only the ports in /usr/local/share/nmap/nmap-services that fall within the range. For example, to scan all nmap-services ports up to 1024: "-p [-1024]".
Be careful about shell expansions and quote the argument if unsure.
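As an added Python example (not nmap's own code), the following parses a -p argument by the rules just described, against a constructed stand-in for nmap-services holding only rows this page mentions; the S: qualifier for SCTP is included alongside T: and U:.

```python
# Added example (not nmap's own code): parses a -p port specification using
# the rules described above: numbers, ranges, T:/U:/S: qualifiers that last
# until the next qualifier, service names with * and ? wildcards, and the
# [range] form that keeps only ports listed in nmap-services.
import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed stand-in for /usr/local/share/nmap/nmap-services:
# (name, port, protocol), limited to rows this page mentions.
NMAP_SERVICES: List[Tuple[str, int, str]] = [
    ("ftp", 21, "tcp"), ("ssh", 22, "tcp"), ("telnet", 23, "tcp"),
    ("smtp", 25, "tcp"), ("domain", 53, "udp"), ("http", 80, "tcp"),
    ("pop3", 110, "tcp"), ("ntp", 123, "udp"), ("https", 443, "tcp"),
    ("syslog", 514, "udp"), ("vnc", 5900, "tcp"), ("http-proxy", 8080, "tcp"),
]

PROTOS = ("tcp", "udp", "sctp")
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp"}


def _parse_range(item: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '21-25' -> (21, 25); '-1024' -> (1, 1024);
    '1024-' -> (1024, 65535); '-' -> (1, 65535). Port 0 only if explicit."""
    lo_s, dash, hi_s = item.partition("-")
    if not dash:
        lo = hi = int(item)
    else:
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {item!r}")
    return lo, hi


def _service_ports(proto: str, pattern: str = "*",
                   lo: int = 0, hi: int = 65535) -> Set[int]:
    """nmap-services ports of one protocol whose name matches pattern and
    whose number lies within lo..hi."""
    return {port for name, port, pr in NMAP_SERVICES
            if pr == proto and lo <= port <= hi
            and fnmatch.fnmatchcase(name, pattern)}


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}, 'sctp': {...}} for one -p argument."""
    ports: Dict[str, Set[int]] = {p: set() for p in PROTOS}
    current: Tuple[str, ...] = PROTOS      # unqualified items go to every list
    for raw in spec.split(","):
        item = raw.strip()
        if len(item) > 1 and item[1] == ":" and item[0] in QUALIFIERS:
            current = (QUALIFIERS[item[0]],)   # lasts until the next qualifier
            item = item[2:]
        if not item:
            continue
        if item.startswith("[") and item.endswith("]"):
            lo, hi = _parse_range(item[1:-1])  # only nmap-services ports in range
            for proto in current:
                ports[proto] |= _service_ports(proto, lo=lo, hi=hi)
        elif item[0].isdigit() or item[0] == "-":
            lo, hi = _parse_range(item)
            for proto in current:
                ports[proto].update(range(lo, hi + 1))
        else:                                   # service name, may use * and ?
            for proto in current:
                ports[proto] |= _service_ports(proto, pattern=item)
    return ports
```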
-r  Don't randomize port order, i.e. scan sequentially.
Service and Version Detection
After ports are discovered, version detection interrogates them (nmap.org).
Some UDP ports are reported as open|filtered; version detection elicits a response from these and changes them to open if successful. TCP open|filtered ports are treated the same way.
-sV  Version detection (-A also enables version detection, among other things).
--allports  Don't exclude any ports from version detection.
--version-intensity 0..9  Higher values are more accurate but take longer. Default: 7.
--version-light  Same as --version-intensity 2: faster, but slightly less likely to identify services.
--version-all  Same as --version-intensity 9.
--version-trace  Output debugging info about version scanning, a subset of --packet-trace.
additional output:
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
mass_rdns: Using DNS server 192.168.1.1
mass_rdns: 0.01s 0/15 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 11]
DNS resolution of 15 IPs took 0.04s. Mode: Async [#: 1, OK: 9, NX: 6, DR: 0, SF: 0, TR: 15, CN: 0]
No data files read.
-sR  RPC scan
When RPC services are discovered, additional interrogation is automatically performed in conjunction with the various port scans.
Takes all ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and what program and version number they serve.
Obtains the same information as rpcinfo -p, even if the target's portmapper is behind a firewall (or protected by TCP wrappers).
Decoys do not currently work with RPC scan.
Enabled as part of version scan (-sV), which includes this and is more comprehensive, so -sR is rarely needed.
OS Detection
See nmap.org.
-O  Enable OS detection.
Use Aggressive (-A) to also include version detection (-sV), script scanning (-sC) and traceroute (--traceroute).
--osscan-limit  Limit OS detection to promising targets; faster. Only with -O or -A.
--osscan-guess / --fuzzy  Guess the OS when unable to detect a perfect match.
Sometimes displays near-matches as possibilities; an imperfect-match notice is output with a confidence level.
--max-os-tries n  Maximum number of detection tries when failing to find a perfect match.
Default: 5 if conditions are favorable, 2 when they aren't. A lower value (1) speeds up; higher values are rarely used.
Timing and Performance
A default scan (nmap hostname) on the local network takes about 200 milliseconds.
UDP scanning and version detection can increase scan times substantially.
time is in milliseconds; append s, m, or h to the value to specify seconds, minutes, or hours.
The --host-timeout arguments 900000, 900s, and 15m are equivalent.
--min-hostgroup numhosts / --max-hostgroup numhosts  Parallel scan group size.
--min-parallelism np / --max-parallelism np  Probe parallelization.
--max-rtt-timeout time / --initial-rtt-timeout time / --min-rtt-timeout time  Probe timeouts.
--max-retries numtries  Port scan probe retransmissions.
--host-timeout time  Give up on slow target hosts.
--scan-delay time / --max-scan-delay time  Delay between probes.
--min-rate n  Packets per second. Greater than 300 means try to keep the sending rate at or above 300 packets per second.
--max-rate n  Packets per second. 100 limits sending to 100 packets per second on a fast network; 0.1 gives a slow scan of one packet every ten seconds.
--defeat-rst-ratelimit  Can reduce accuracy: with a SYN scan, a non-response results in the port being labeled filtered rather than the closed state seen when RST packets are received.
-T template  Timing template:
paranoid (0): serializes the scan, only one port at a time, waiting 5 minutes between probes to avoid intrusion detection systems.
sneaky (1): waits 15 seconds to avoid IDS; uses less bandwidth and target machine resources.
polite (2): waits .4 seconds.
normal (3): the default; sends probes in parallel.
aggressive (4): speeds scans up, expecting a reasonably fast and reliable network.
insane (5): expects an extraordinarily fast network, or that you are willing to sacrifice some accuracy for speed.
See nmap.org.
Firewall/IDS Evasion and Spoofing
Network obstructions such as firewalls make mapping a network exceedingly difficult.
IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks; Intrusion Prevention Systems (IPS) go further and block traffic deemed malicious.
Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.
Too funky to describe here.
See nmap.org
-e interface  Use the specified interface.
-f / --mtu m  Fragment packets (using the specified MTU).
-D decoy1[,decoy2][,ME][,…]  Cloak a scan with decoys: makes it appear to the remote host that the decoys are scanning the target too.
-S IP_Address  Spoof the source address.
--source-port p / -g p  Spoof the source port number. A common misconception is to trust traffic based only on the source port number.
--data-length n  Append random data to sent packets. Normally minimalist packets containing only a header are sent.
--ip-options S | T | U | R [hop hop …] | L [hop hop …] | hex string  Send packets with the specified IP options.
IP protocol options are rarely seen and can be useful in some cases.
Use record route (R) to determine a path to a target when traceroute-style approaches fail.
Use record timestamp (T), or both (U), if packets are being dropped by a certain firewall.
Loose or strict source routing, specified with L or S followed by a space and then a space-separated list of IP addresses, specifies a different route.
Use the \xdd hexadecimal format to specify option bits explicitly.
Repeat characters by following them with an asterisk and a repeat count.
Example: \x01\x07\x04\x00*36\x01 includes 36 NULLs.
To display the options in packets, specify --packet-trace.
See seclists.org/nmap-dev/2006/q3/0052.html
--ttl value  Set the IP time-to-live field.
--randomize-hosts  May make the scans less obvious to network monitoring systems. Combine it with slow timing options. See nmap.org
--spoof-mac MAC address, prefix, or vendor name  An address of 0 uses a random MAC. See nmap.org
Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.
Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection. Implies --send-eth.
--badsum  Send packets with invalid checksums. Any responses then come from a firewall or IDS that didn't validate the checksum. See nmap.org/p60-12
Nmap Scripting Engine (NSE)
Automates a wide variety of networking tasks. Scripts are executed in parallel.
Too funky to describe here.
See nmap.org/book/nse-usage.html#nse-categories.
Scripting details at nmap.org/book/nse.html
-sC  Performs a script scan using the default set of scripts, equivalent to --script=default.
Scripts in this category are considered intrusive and should not be run against a target without permission.
--script script-categories | directory | filename | all
--script-args name1=value1,name2={name3=value3},name4=value4
--script-trace  All incoming and outgoing communication performed by a script is output.
--script-updatedb  Updates the script database.
OUTPUT
Output files may be used to resume aborted scans.
- Interactive output, to standard output (stdout): the default.
- Normal output: displays less runtime information and warnings; interactive output is displayed in addition to file output.
Filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y, and %Y; %T is %H%M%S, %R is %H%M and %D is %m%d%y.
Example: -oX 'scan-%D-%T.xml' will output to scan-144840-121307.xml.
-oN fileNormal
| -oX file XML
| -oS file | Script output, like interactive output, except it is post-processed
| -oG file | grepable output Deprecated.
Consists of comments and target lines wich include labeled fields, separated by tabs and followed with a colon:
Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status
Ports is a comma separated list of port entries. and of the form of seven slash (/) separated subfields.
Port number, State, Protocol, Owner, Service, SunRPC info, and Version # Nmap 7.00 scan initiated Tue Mar 1 12:14:37 2016 as: nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23
# Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.56.104.1 () Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/closed/tcp//smtp///,
80/open/tcp//http//lighttpd/, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///,
3389/closed/tcp//ms-wbt-server/// Seq Index: 195 IP ID Seq: All zeros
Host: 10.56.104.24 () Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///,
80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///,
3389/closed/tcp//ms-wbt-server///
Host: 10.56.104.25 () Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///,
80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///,
3389/closed/tcp//ms-wbt-server///
See nmap.org/book/output-formats-grepable-output.html.
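As an added example (not code from this page or from the Nmap project), a small parser for the grepable format described above. The sample input is constructed from the excerpt, with real tab characters between the labeled fields; the `open_ports` helper is hypothetical and mirrors what --open filters.

```python
"""Parse Nmap grepable (-oG) output into per-host port records.
Added example, not part of the page or of Nmap. Host-line fields are
tab-separated; each Ports entry is port/state/protocol/owner/service/rpcinfo/version/
(seven subfields, trailing slash)."""
import re

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")

# Constructed sample modelled on the page's -oG excerpt (real tabs between fields).
SAMPLE_GNMAP = (
    "# Nmap 7.00 scan initiated Tue Mar 1 12:14:37 2016 as: nmap -sS --top-ports 10 -oG -\n"
    "Host: 10.56.104.25 (printer.local)\tStatus: Up\n"
    "Host: 10.56.104.1 ()\tPorts: 21/filtered/tcp//ftp///, 80/open/tcp//http//lighttpd/, "
    "110/closed/tcp//pop3///\tSeq Index: 195\tIP ID Seq: All zeros\n"
    "Host: 10.56.104.25 (printer.local)\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///\n"
    "# Nmap done at Tue Mar 1 12:15:02 2016 -- 2 IP addresses (2 hosts up) scanned\n"
)


def parse_port_entry(entry):
    """Split one port entry; the trailing '/' yields an empty 8th piece, which is dropped."""
    parts = entry.strip().split("/")[:7]
    if len(parts) != 7:
        raise ValueError("malformed port entry: %r" % entry)
    rec = dict(zip(PORT_FIELDS, parts))
    rec["port"] = int(rec["port"])
    return rec


def parse_gnmap(text):
    """Return {ip: {"hostname", "fields": {label: value}, "ports": [rec, ...]}}.
    A host can appear on several Host lines (Status, then Ports); they are merged."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines carry only scan metadata
        fields = dict(chunk.partition(": ")[::2] for chunk in line.split("\t"))
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])
        rec = hosts.setdefault(m.group(1), {"hostname": m.group(2), "fields": {}, "ports": []})
        rec["fields"].update(fields)
        rec["ports"] += [parse_port_entry(p) for p in fields.get("Ports", "").split(",") if p.strip()]
    return hosts


def open_ports(hosts):
    """Reduce to {ip: [(port, service), ...]} for open ports, like --open does."""
    return {ip: [(p["port"], p["service"]) for p in h["ports"] if p["state"] == "open"]
            for ip, h in hosts.items()}
```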
-oA basename | all formats
to: basename.nmap, basename.xml, and basename.gnmap.
Verbosity and debugging options
-v | verbosity.
Open ports are shown as they are found and completion time estimates are provided.
Use it twice or more for more.
While running, v increases verbosity, V decreases. See nmap.org
-d [level] | debug output
While running, d increases, D decreases. See nmap.org
--packet-trace | Trace packets and data
output summary of every packet sent or received. Used for debugging. See nmap.org
Packet Tracing enabled.
SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811 S ttl=49 id=11069 iplen=44 seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44 seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40 seq=0 win=0
SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139 S ttl=40 id=14479 iplen=44 seq=4237873418 win=1024 <mss 1460>
SENT (4.8244s) TCP 192.168.1.8:52616 > 192.168.1.3:443 S ttl=49 id=23356 iplen=44 seq=4254715915 win=1024 <mss 1460>
RCVD (4.8258s) TCP 192.168.1.5:139 > 192.168.1.8:52626 SA ttl=128 id=22102 iplen=44 seq=2168289427 win=8192 <mss 1460>
RCVD (4.8266s) TCP 192.168.1.6:139 > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44 seq=2599483217 win=8192 <mss 1460>
SENT (4.8462s) TCP 192.168.1.8:52616 > 192.168.1.3:8888 S ttl=47 id=39457 iplen=44 seq=4254715915 win=1024 <mss 1460>
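An added example (not Nmap's own code) that reads lines in the --packet-trace format shown above and recovers the port state a SYN scan would report from them. The sample lines are taken from the excerpt; the scanner address 192.168.1.8 is assumed from those lines, and `summarize` is a hypothetical helper.

```python
"""Reconstruct SYN-scan port states from Nmap --packet-trace lines.
Added example, not part of the page or of Nmap. Each SENT SYN probe is
paired with the RCVD reply for the same target ip:port and classified as
a SYN scan does: SYN/ACK -> open, RST -> closed, no reply -> filtered
(Nmap retries before concluding 'filtered'; this toy does not)."""
import re

LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) "
)

# Sample lines taken from the trace excerpt on the page; 192.168.1.8 is the scanner.
SAMPLE_TRACE = """\
Packet Tracing enabled.
SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811 S ttl=49 id=11069 iplen=44 seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44 seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40 seq=0 win=0
SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139 S ttl=40 id=14479 iplen=44 seq=4237873418 win=1024 <mss 1460>
RCVD (4.8266s) TCP 192.168.1.6:139 > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44 seq=2599483217 win=8192 <mss 1460>
"""


def parse_trace(text, scanner):
    """Return {(target_ip, port): state} for every SYN probe `scanner` sent."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP trace line
        f = m.groupdict()
        if f["dir"] == "SENT" and f["src"] == scanner and f["flags"] == "S":
            states.setdefault((f["dst"], int(f["dport"])), "filtered")
        elif f["dir"] == "RCVD" and f["dst"] == scanner:
            key = (f["src"], int(f["sport"]))
            if key not in states:
                continue  # reply to something we never probed: ignore
            if "S" in f["flags"] and "A" in f["flags"]:
                states[key] = "open"
            elif "R" in f["flags"]:
                states[key] = "closed"
    return states


def summarize(states):
    """Count ports per state, e.g. {'open': 1, 'closed': 1, 'filtered': 1}."""
    counts = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts
```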
--open | Show only open (or possibly open) ports. See nmap.org
--iflist | (List interfaces and routes)
outputs interface list and system routes, useful for debugging. See nmap.org
--log-errors | Log errors/warnings to normal mode output file
Errors and warnings usually go only to the screen (interactive output), leaving
any normal-format output files (usually specified with -oN) uncluttered.
With this option the messages still appear in interactive mode too.
An alternative to --log-errors is redirecting interactive output (including the standard error
stream) to a file. See nmap.org
Miscellaneous output options
--resume filename | Resume an aborted scan, provided normal (-oN) logs were kept.
No other arguments are permitted.
--append-output | Append to, rather than clobber, the specified output files.
--stylesheet path or URL | XSL stylesheet to transform XML output. See nmap.org
--webxml | Load stylesheet from Nmap.Org
--no-stylesheet | Omit XSL stylesheet declaration from XML
MISCELLANEOUS OPTIONS
-6 | Enable IPv6 scanning
Supports ping scanning (TCP-only), connect scanning, and version detection.
Use IPv6 syntax to specify an address like
3ffe:7501:4819:2000:210:f3ff:fe03:14d0.
Hostnames are recommended.
Output includes the IPv6 address on the "interesting ports" line. See nmap.org
-A | Aggressive scan
enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute).
Do not use against target networks without permission, as it is considered intrusive.
Does not set aggressive timing options (such as -T4) or verbosity (-v).
--datadir ddir | custom data file location
for: nmap-service-probes, nmap-services,
nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db.
Files not found in ddir are searched for in
$NMAPDIR, then ~/.nmap, the location of the Nmap executable and then a compiled-in location
such as /usr/local/share/nmap or /usr/share/nmap.
Individual files may be overridden with --servicedb or --versiondb.
--servicedb services file | (Specify custom services file); causes a fast scan (-F) to be used.
--versiondb service probes file | (Specify custom service probes file)
--send-eth | send raw ethernet
Send at the link layer rather than the network layer. By default Nmap chooses the layer best for the platform it is
on. See nmap.org
--send-ip | Send at raw IP level
rather than lower-level ethernet frames; the complement of --send-eth
--privileged | Assume the user is privileged enough to perform raw socket sends and packet
sniffing, which require root privileges on *nix.
Must precede flags requiring privileges.
Setting $NMAP_PRIVILEGED is equivalent.
--unprivileged | Assume the user lacks raw socket privileges; the opposite of --privileged.
Setting $NMAP_UNPRIVILEGED is an alternative.
--release-memory | Release memory before quitting; only useful for memory-leak debugging.
--interactive | Start in interactive mode, which offers a prompt allowing multiple scans to be launched. See nmap.org
-V --version | output version number and exit.
Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-apple-darwin13.4.0
Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
-h --help | help summary page
Nmap 4.76 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
--traceroute: Trace hop path to each host
--reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <time>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice or more for greater effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection, Script scanning and Traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -PN -p 80
RUNTIME INTERACTION
Keys pressed during execution change options or output a status message.
Lowercase increases the amount of output, uppercase decreases it.
v verbosity
d debugging
p packet tracing
? Output a runtime interaction help screen
Anything else outputs a status message like:
Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan
Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining)
Examples
Some actual addresses and names are used to make things more concrete.
For testing purposes, you have permission to scan scanme.nmap.org, only via Nmap.
- Scan all reserved TCP ports verbosely.
nmap -v scanme.nmap.org
- Stealth SYN scan against each of the 255 machines on the "class C"
network where Scanme resides, with OS detection.
Requires root privileges because of the SYN scan and OS detection.
sudo nmap -sS -O scanme.nmap.org/24
- Host enumeration and a TCP scan on the first half of each of the 255 possible 8-bit subnets
in the 198.116 class B address space. Tests whether the systems run SSH, DNS, POP3, or IMAP on
their standard ports, or anything on port 4564, with version detection
to determine what application is running on the open ports.
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
- Pick 100,000 hosts at random and scan them for web servers (port 80). Host enumeration
is disabled with -PN
(first sending a couple of probes to determine whether a host is up is
a waste of time when probing only one port on each target host anyway).
nmap -v -iR 100000 -PN -p 80
- Scan 4096 IPs for web servers (without pinging) and save the output in XML and grepable format.
nmap -PN -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
Version 7.60 includes: brute force SSH password cracking, querying servers about what
auth methods and public keys they accept, and even logging in using known or
discovered credentials to execute arbitrary commands.
LEGAL NOTICES
The Nmap Security Scanner is © Insecure.Com LLC. Nmap is also a registered trademark of
Insecure.Com LLC.
AUTHOR
Gordon "Fyodor" Lyon, Insecure.Org. Copyright (C) 2008 Nmap Project
NOTES
- wikipedia article on nmap
- RFC 1122 Requirements for Internet Hosts -- Communication Layers
- RFC 792 ICMP - Internet Control Message Protocol
- RFC 1918
- UDP
- TCP RFC
- RFC 959
- RFC 1323
- IP protocol
- Nmap::Scanner
- Nmap::Parser
- tunnel brokers
- Creative Commons Attribution License
- Apache Software Foundation
- Libpcap portable packet capture library
- WinPcap library
- PCRE library
- Libdnet
- OpenSSL cryptography toolkit
- Lua programming language
Nmap can be obtained from nmap.org; man page: http://nmap.org/book/man.html.