nmap

Network Scanning

Network exploration tool and security / port scanner

Much of the original documentation includes philosophy and reasoning for using particular options. Read that at nmap.org.
This version is terse, with minimal description. (DGG)

nmap [Scan Type] [options] target specification

Nmap ("Network Mapper") is a tool for network exploration and security auditing.
Commonly used for security audits; also useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Uses specially crafted packets to determine host availability, the services (applications) offered, the OS running, the type of packet filters/firewalls in use, etc.

Example:
-A: enables OS detection, version detection and script scanning
--traceroute: trace the path to each host

Aborted scans (^C) can be resumed if an output file was written (see the output options).

A representative scan

Aggressive detection (with traceroute) and aggressive timing,
TCP SYN scan of only the 10 most popular ports, increased verbosity,
normal output to a file named scan-<date>-<time>, against the hosts of a small subnet:

sudo /usr/local/bin/nmap -A -T aggressive  -sS --top-ports 10  -v -oN scan-%D-%T  192.168.1.1/28  # .0-.7 

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 07:39
    Scanning 8 hosts [2 ports/host]
    Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
    Initiating Parallel DNS resolution of 8 hosts. at 07:39
    Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
    Nmap scan report for 192.168.1.0 [host down]
    Nmap scan report for 192.168.1.5 [host down]
    Nmap scan report for 192.168.1.7 [host down]
    Initiating Connect Scan at 07:39
    Scanning 5 hosts [1000 ports/host]
    Discovered open port 80/tcp on 192.168.1.4
    Discovered open port 3306/tcp on 192.168.1.4
    Discovered open port 21/tcp on 192.168.1.4
    Discovered open port 80/tcp on 192.168.1.1
    …
    

sudo /usr/local/bin/nmap -A -T normal scanme.nmap.org playground   # scan 2 specific hosts

    Starting Nmap ( http://nmap.org )
    Interesting ports on scanme.nmap.org (64.13.134.52):
    (The 1663 ports scanned but not shown below are in state: filtered)
    PORT    STATE  SERVICE VERSION
    22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
    53/tcp  open   domain
    70/tcp  closed gopher
    80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
    113/tcp closed auth
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X|2.6.X
    OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11

    Interesting ports on playground.nmap.org (192.168.0.40):
    (The 1659 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE       VERSION
    135/tcp  open  msrpc         Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    389/tcp  open  ldap?
    445/tcp  open  microsoft-ds  Microsoft Windows XP microsoft-ds
    1002/tcp open  windows-icfw?
    1025/tcp open  msrpc         Microsoft Windows RPC
    1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
    5800/tcp open  vnc-http      RealVNC 4.0 (Resolution 400x250; VNC port: 5900)
    5900/tcp open  vnc           VNC (protocol 3.8)
    MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    OS details: Microsoft Windows XP Pro RC1+ through final release
    Service Info: OSs: Windows, Windows XP

    Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

Ping sweep (-sn) of the local /24, with sed folding each host report onto one line:

/usr/local/bin/nmap -sn `hostname`/24 |sed "/Nmap sc/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"

Target Specification

Everything on the command line that isn't an option or option argument is treated as a target specification (nmap.org).
The simplest case is to specify a single target.

Multiple formats are permitted: nmap scanMe.nmap.org   192.168.3.0/24   10.0.0,1,17-63.0-255

-iL targetsFile  Read targets from targetsFile.
    Example use:
  • A DHCP server exports its current leases (837 of them in this case).
  • Scanning the addresses that are not leased locates hosts using unauthorized addresses.

-iL=- reads hosts from STDIN, e.g. piped from filters such as grep or grep -v.
Entries are separated by spaces, tabs, or newlines.
-iR num_hosts  Choose num_hosts random targets.
Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are not generated.
Specify 0 for a never-ending scan.

--exclude host1[,host2[,…]],net1[,net2[,…]]  Exclude a list of targets: hostnames, CIDR netblocks, octet ranges, etc.
For example: untouchable mission-critical servers, systems known to react adversely to port scans, or subnets administered by others.
--excludefile file  Excluded targets read from file, newline, space, or tab delimited.

Host Discovery

Develop a list of interesting hosts (nmap.org).

ARP discovery (-PR) is done on a local ethernet network.
For non-local targets, a TCP ACK packet to port 80 and an ICMP echo request are sent
(unprivileged users send a SYN packet via the connect system call). These defaults are equivalent to -PA -PE.

Host discovery is followed by a port scan.

Port states

open  An application is accepting TCP connections, UDP datagrams or SCTP associations on that port.
closed  Accessible: receives and responds to probe packets, but no application is listening.
filtered  Packet filtering prevents probes from reaching the host:port, by a dedicated firewall, router rules, or a host-based firewall.
    It may also be that the host sending the packets is having a problem; try from another host.
unfiltered  (ACK scan) Accessible, but Nmap cannot determine if it is open.
    Scanning with other scan types such as Window scan, SYN scan, or FIN scan may resolve whether the port is open.
open|filtered  (UDP, IP protocol, FIN, NULL, and Xmas scans) Unable to determine whether it is open or filtered.
    Occurs for scan types in which open ports give no response; the silence could mean that a packet filter dropped the probe or any response it elicited.
closed|filtered  (IP ID idle scan) Unable to determine whether a port is closed or filtered.

The state combinations open|filtered and closed|filtered mean Nmap cannot determine which of the two states describes the port.
For an IP protocol scan (-sO), information on supported protocols is provided instead of port states.

Discussion of probe effectiveness at nmap.org.
-sL  List Scan

Lists the hosts of the network(s) without sending any packets to the target hosts!
Fast. Does reverse-DNS resolution to look up names.
Good sanity check to validate the target address specification.

Example: list all hosts within the same subnet as this host (sed suppresses the titles and the addresses without hostnames):

 > /usr/local/bin/nmap -sL   `hostname`/24 |sed "s/^Nmap scan report for//; /^ [[:digit:]]\{1,3\}./d"|column -t | sort
Starting             Nmap             7.93  (   https://nmap.org  )   at     2023-09-11  17:03    EDT
CR1000A.germans.com  (192.168.1.1)
RuuviGatewayFCC3     (192.168.1.2)
pycom                (192.168.1.3)
RuuviGatewayD828     (192.168.1.6)
ESP_5290F7           (192.168.1.7)
ESP-2116B0           (192.168.1.8)
pi93graf             (192.168.1.9)
jebh                 (192.168.1.10)
smac14               (192.168.1.12)
answer               (192.168.1.13)
slammer              (192.168.1.15)
host19               (192.168.1.19)
host22               (192.168.1.22)
dapi2                (192.168.1.26)
LGwebOSTV            (192.168.1.27)
AmbientWS            (192.168.1.37)
vz-stb               (192.168.1.100)
hp                   (192.168.1.233)
Nmap                 done:            256   IP  addresses         (0  hosts  up)         scanned  in   2.59  seconds

 > /usr/local/bin/nmap -sL cccu.us

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 07:33 EDT
    cccu.us (50.63.202.17)
    rDNS record for 50.63.202.17: ip-50-63-202-17.ip.secureserver.net
    Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds

 > /usr/local/bin/nmap -sL 172.17.54.110/27 |sed "s/Nmap scan report for// ; /^ [[:digit:]]/d "| column

    Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-22 08:52 EDT
    (not the best example: nothing resolved, so sed removed every host line)
    Nmap done: 32 IP addresses (0 hosts up) scanned in 0.24 seconds
-sn  No port scan: ping scan, aka ping sweep (suppresses the port scan).

  • Privileged user: sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
    On a local ethernet network, ARP requests are used unless --send-ip was specified.
  • Unprivileged user: a SYN packet is sent to ports 80 and 443.
Other discovery probe types (-P*, except -Pn, ping not) override the default probes.

Recommended when strict firewalls are in use; otherwise hosts will be missed if the firewall drops probes or responses.
Slightly intrusive. Counts available machines and checks server availability.
More reliable than pinging the broadcast address, because many hosts do not reply to that.

Traceroute and NSE host scripts may also be requested, but no further testing (such as port scanning or OS detection) is performed.

/usr/local/bin/nmap -sn   "$HOST"/24 |\
sed --unbuffered "N;s/\n//;s/Host is up (0\.0\{1,3\}/ /;  s/s latency)/ms/; s/Nmap scan report for //"  # subnet I am on.

Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-09 21:11 ESTInitiating Ping Scan at 21:11
Scanning 256 hosts [2 ports/host]Completed Ping Scan at 21:11, 5.71s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 11 hosts. at 21:11Completed Parallel DNS resolution of 11 hosts. at 21:11, 0.01s elapsed

JEBHO (192.168.1.2) 69ms.
dapi2 (192.168.1.14) 29ms.
RuuviGateway (192.168.1.15) 28ms.
192.168.1.17 84ms.
192.168.1.20 87ms.
pi93graf (192.168.1.23) 11ms.
smac14 (192.168.1.31) 17ms.
ESP_5290F7 (192.168.1.47) 12ms.
kitchen (192.168.1.56) 63ms.
RuuviGatewayD828 (192.168.1.60) 87ms.
ruuvcollector (192.168.1.61) 16ms.
192.168.1.62 20ms.
RuuviGatewayD828 (192.168.1.63) 91ms.
vz-stb (192.168.1.100) 94ms.
hp (192.168.1.233) 11ms.

Nmap done: 256 IP addresses (6 hosts up) scanned in 5.37 seconds

-Pn  Ping Not: skip host discovery.
Warning: causes scanning functions to be performed against every target specified. Normally, heavier probing such as port scans is only performed against hosts that were found to be up.

For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because MAC addresses are needed to scan the targets further.

-PR  ARP Ping. Any response means the host is up. Fastest.
Used when scanning hosts on a local ethernet network, even if different ping types are specified.
To avoid an ARP scan, specify --send-ip.
-PS ports  TCP SYN Ping. Sends an empty packet with the SYN flag set, as if attempting to establish a connection.
Default port: 80.

Syntax is as for -p, except that port type specifiers like T: are not allowed.
Examples: -PS22 and -PS22-25,80,113,1050,35000 (no space between -PS and the ports).
Multiple probes are sent in parallel.

Additional information at nmap.org.
Use together with the TCP ACK ping probe to maximize the chances of bypassing firewalls.

-PA ports  TCP ACK Ping. Similar to SYN ping, but the ACK flag is set instead.
An ACK acknowledges data over an established TCP connection; since no such connection exists, remote hosts should always respond with a RST packet, disclosing their existence.
Default port: 80 (nmap.org).
Use together with the TCP SYN ping probe to maximize the chances of bypassing firewalls.
-PU ports  UDP Ping. Sends an empty (unless --data-length is specified) UDP packet. Default port: 31338 (nmap.org).
-PY ports  SCTP INIT Ping. Sends an SCTP (Stream Control Transmission Protocol) packet containing a minimal INIT chunk. Default port: 80.
-PE  ICMP echo request, type 8 (frequently blocked).
-PP  ICMP timestamp request, type 13.
-PM  ICMP address mask request, type 17.
-PO protos  IP Protocol Ping. Sends packets with the specified protocol numbers.
protos uses the same format as port lists.
Default: send multiple IP packets, for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).
For ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), packets are sent with the proper protocol headers; other protocols are sent with no additional data (unless --data-length is specified).

Looks for either a response using the same protocol as the probe, or an ICMP protocol unreachable message signifying the protocol isn't supported on the destination host. Either response signifies the target is alive.

Additional options useful with host discovery.
--traceroute  Trace the path to each host, performed post-scan. Not with -sT or -sI.
--reason  Host and port state reasons.
Displays the type of packet that determined a port's or host's state.
For example, a RST packet from a closed port or an echo reply from an alive host. The information provided depends on the type of scan or ping: the SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited.
Enabled automatically by the debug option (-d); the reasons are always stored in the XML output.
-n  No DNS resolution; improves performance.
-R  Reverse DNS resolution for ALL targets. Normally it is done only against responsive hosts.
--system-dns  Use the system DNS resolver.
Default: Nmap queries the name servers configured on your host directly.
--dns-servers server1[,server2[,…]]  Servers to use for reverse DNS.
Default: determine the DNS servers from your host. Ignored with --system-dns or an IPv6 scan.
Multiple servers is faster and improves stealth.

Scan for port 53 (DNS), then try list scans (-sL) specifying each name server one at a time with --dns-servers to find one which works correctly.

Port Scanning

nmap target  scans more than 1,660 TCP ports on the target.

Port states are not intrinsic properties of the port itself, but describe how Nmap sees them.
For example, a scan from within the same network as the target may show port 135/tcp as open,
while a scan with the same options from across the Internet might show that port as filtered.

The port states defined by Nmap:

  1. open  An application is actively accepting TCP connections or UDP packets. Close it, or protect it with a firewall, without thwarting legitimate users. Also interesting for non-security scans because open ports show the services available for use on the network.

  2. closed  Accessible (receives and responds to packets), but no application is listening.
    May become open if a daemon starts and begins fielding queries.
    Control it with a firewall, causing it to appear filtered.

  3. filtered  Cannot determine if the port is open because packet filtering prevents probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. Filters sometimes respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
    Several probes are sent in case the probe was dropped due to network congestion rather than filtering, slowing down the scan dramatically.
  4. unfiltered  The port is accessible, but Nmap is unable to determine whether it is open or closed.
    Only the ACK scan, used to map firewall rulesets, classifies ports into this state.
    Scanning unfiltered ports with other scan types such as Window, SYN, or FIN scans may resolve the port as open.
  5. open|filtered  Unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response, which could also mean that a packet filter dropped the probe or any response it elicited. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
  6. closed|filtered  Nmap is unable to determine whether a port is closed or filtered. Only the IP ID idle scan classifies ports this way.

Port Scanning Techniques


Most are only available to privileged users. Nmap sometimes works for unprivileged users when WinPcap has been loaded.
Unprivileged users can execute connect and FTP bounce scans.

Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types.
Options take the form -s<C>, where C is a prominent character in the scan name.
Default: SYN (or connect if the user does not have the privileges to send raw packets, or if IPv6 targets were specified).

-sS  TCP SYN, fast.
Default.
Quick, scanning thousands of ports per second, and not hampered by restrictive firewalls.
Relatively unobtrusive and stealthy.
Does not depend on idiosyncrasies of the TCP implementation.
Allows clear, reliable differentiation between the open, closed, and filtered states.

Sends a SYN packet, as if going to open a connection.
A response of SYN/ACK indicates the port is listening (open); a RST (reset) indicates a non-listener.
If no response is received after several retransmissions, or if an ICMP unreachable error is received, the port is marked filtered.

-sT  TCP connect, not fast.
Default when SYN is not available: no raw packet privileges, or scanning IPv6 networks.
Does not write raw packets; rather asks the operating system to establish a connection with the target by issuing the connect system call, the same high-level system call that web browsers and other applications use to establish a connection.

Less efficient than SYN, which is usually a better choice. Target machines are more likely to log the connection: Unix services will add a note to syslog for connects that send no data.

-sU  UDP, slow.
Sends a UDP header only.
A service responding with a UDP packet: open.
If an ICMP port unreachable is returned: closed or filtered.
If no response is received, the port is classified as open|filtered.

Open and filtered ports rarely send any response, leaving Nmap to time out and then retransmit in case the probe or response was lost.
Closed ports may send back an ICMP port unreachable error, but hosts rate-limit ICMP port unreachable messages by default.

Nmap detects rate limiting and slows down accordingly, to avoid flooding the network with useless packets that the target machine will drop.
A limit of one packet per second makes a 65,536-port scan take more than 18 hours!

To speed up: scan more hosts in parallel, do a quick scan of just the popular ports first, scan from behind the firewall, and use --host-timeout to skip slow hosts.

Version detection (-sV) can differentiate the truly open ports from the filtered ones.
Combine with a TCP scan type such as SYN (-sS) to check both during the same run.

-sN  TCP NULL: does not set any bits (header flags are 0).
-sF  FIN: sets only the FIN bit.
-sX  Xmas: sets FIN, PSH, and URG, lighting the packet up like a Christmas tree.
(More combinations are possible with --scanflags.)

These differentiate between open and closed ports.
See nmap.org.

-sA  TCP ACK.
May map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Never determines open or open|filtered ports.
See nmap.org.
-sW  TCP Window.
Like ACK, but may differentiate open from closed.
Rather than always displaying unfiltered when a RST is returned, it examines the TCP Window field of the RST packets returned.
-sM  TCP Maimon. As NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
--scanflags n | FFFUUUAAA
The argument can be a numerical flag value such as 9 (PSH and FIN), or
a combination of the symbolic names URG, ACK, PSH, RST, SYN, and FIN.
Example: --scanflags URGACKPSHRSTSYNFIN

Also specify a TCP scan type (such as -sA or -sF); default: SYN.

-sI zombie host[:probeport]  Idle scan.
Advanced scan method: no packets are sent to the target from your own IP address.
Too complex to fully describe here; see nmap.org/book/idlescan.html.
-sO  IP protocol scan. Determines which protocols (TCP, ICMP, IGMP, etc.) are supported.
Uses -p to select the protocols scanned.
 > sudo /usr/local/bin/nmap -sO kitchen

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 12:44 EDT
    kitchen (192.168.1.6)
    rDNS record for 192.168.1.6: kitchen
    1        open  icmp
    17       open  udp

    Nmap done: 1 IP address (1 host up) scanned in 19.16 seconds
-b [u:p]@server[:p]  FTP relay host (FTP bounce scan). Uses an FTP server to port scan other hosts: has the FTP server send a file to each interesting port, and the error message describes whether the port is open or not.
May bypass firewalls because organizational FTP servers often have access to other internal hosts.
The -b argument has the form [username:password]@server[:port].
server is the name or IP address of a vulnerable FTP server.
If username:password is omitted, anonymous login credentials (user: anonymous, password: -wwwuser@) are used.
port defaults to 21.

Port Specification and Scan Order

Default: all ports up to and including 1024 (privileged ports), as well as higher-numbered ports listed in nmap-services.

--top-ports n  Scans the n highest-ratio ports from nmap-services.
-sS --top-ports 20 gives:
      21 ftp            22 ssh             23 telnet         25 smtp
      53 domain         80 http           110 pop3          111 rpcbind
     135 msrpc         139 netbios-ssn    143 imap          443 https
     445 microsoft-ds  993 imaps          995 pop3s        1723 pptp
    3306 mysql        3389 ms-wbt-server 5900 vnc          8080 http-proxy

--top-ports 5000 (on a LAN: 139.74 seconds)
Gibson Research Corp has a great port reference.
-F  Fast (limited ports).
Only scan ports listed in /usr/local/share/nmap/nmap-services (or the protocols file for -sO).
That file lists a great many ports (more than 27,000!).
Fastest is with --top-ports 4.
--port-ratio r  Scans all ports in nmap-services with a ratio greater than r.
Selected examples:
    domain      53/udp  .213496
    dhcps       67/udp  .228010
    dhcpc       68/udp  .140118
    finger      79/tcp  .006022
    ftp         21/tcp  .197667  (control)
    http        80/tcp  .484143
    https      443/tcp  .208669
    ntp        123/udp  .330879
    pop3       110/tcp  .077142
    route      520/udp  .139376
    smtp        25/tcp  .131314
    ssh         22/tcp  .182286
    syslog     514/udp  .119804
    telnet      23/tcp  .221265
    tftp        69/udp  .102835
    zeroconf  5353/udp  .100166
    ipp        631/udp  .450281  # Internet Printing Protocol
--port-ratio .001  selects 217 ports (on a LAN: 8.28 seconds)
-p port ranges  Only scan the specified ports.
Individual ports and ranges (default 1-65535). Port zero is allowed if specified explicitly.
For IP protocol scanning (-sO), specifies the protocol numbers (0-255).

When scanning both TCP and UDP ports, specify a particular protocol by preceding the port numbers with T: or U:. The qualifier lasts until another qualifier is given.
For example:
-p U:53,111,137,T:21-25,80,139,8080
To scan both UDP and TCP, specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added to all protocol lists.

Ports can also be specified by the name they have in /usr/local/share/nmap/nmap-services, including the wildcards * and ?. For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
Ranges of ports can be enclosed in square brackets to select only the ports of that range listed in nmap-services.
For example, to scan all ports in /usr/local/share/nmap/nmap-services up to 1024:
-p "[-1024]"
Be careful about shell expansions and quote the argument if unsure.

-r  Don't randomize the port order, i.e. scan ports sequentially.

Service and Version Detection

After ports are discovered, version detection interrogates them (nmap.org).

Some UDP ports are reported open|filtered. Version detection elicits a response from these and changes them to open if successful. TCP open|filtered ports are treated the same way.

-sV  Version detection (-A also enables version detection, among other things).
--allports  Don't exclude any ports from version detection.
--version-intensity 0..9  Higher values are more accurate but take longer.
Default: 7.
--version-light  Same as --version-intensity 2: faster, slightly less likely to identify services.
--version-all  Same as --version-intensity 9.
--version-trace  Output debugging info about version scanning, a subset of --packet-trace.

    --------------- Timing report ---------------
      hostgroups: min 1, max 100000
      rtt-timeouts: init 1000, min 100, max 10000
      max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
      parallelism: min 0, max 0
      max-retries: 10, host-timeout: 0
      min-rate: 0, max-rate: 0
    ---------------------------------------------
    mass_rdns: Using DNS server 192.168.1.1
    mass_rdns: 0.01s 0/15 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 11]
    DNS resolution of 15 IPs took 0.04s. Mode: Async [#: 1, OK: 9, NX: 6, DR: 0, SF: 0, TR: 15, CN: 0]
    No data files read.
-sR  RPC scan, 600 RPC programs.
Same as rpcinfo -p; part of the version scan (-sV).

OS Detection

See nmap.org.

-O  Enable OS detection.
Use Aggressive (-A) to include version detection (-sV), script scanning (-sC) and traceroute (--traceroute).
--osscan-limit  Limit OS detection to promising targets. Faster. Only with -O or -A.
--osscan-guess
--fuzzy
Guess the OS when unable to detect a perfect match.
Nmap sometimes displays near-matches as possibilities; the imperfect-match notice is output with a confidence level.
--max-os-tries n  Maximum number of detection tries when failing to find a perfect match.
Default: 5 if conditions are favorable, 2 when conditions aren't good.
A lower value (1) speeds up; higher values are rarely used.

Timing and Performance

A default scan (nmap hostname) on the local network takes about 200 milliseconds.
UDP scanning and version detection can increase scan times substantially.
Times are in milliseconds; append s, m, or h to the value to specify seconds, minutes, or hours.
The --host-timeout arguments 900000, 900s, and 15m are equivalent.
--min-hostgroup numhosts
--max-hostgroup numhosts
    Parallel scan group size.
--min-parallelism np
--max-parallelism np
    Probe parallelization.
--max-rtt-timeout time
--initial-rtt-timeout time
--min-rtt-timeout time
    Probe timeouts.
--max-retries numtries
--host-timeout time  Give up on slow target hosts.
--scan-delay time
--max-scan-delay time
    Delay between probes.
--min-rate n  Packets per second. Greater than 300 means try to keep the sending rate at or above 300 packets per second.
--max-rate n  Packets per second.
100 limits sending to 100 packets per second on a fast network.
0.1 gives a slow scan of one packet every ten seconds.
--defeat-rst-ratelimit  Using this option can reduce accuracy. With a SYN scan, a non-response results in the port being labeled filtered rather than the closed state seen when RST packets are received.


-T template

Timing templates:
  • paranoid (0) serializes the scan, only one port at a time,
                 and waits 5 minutes between probes to avoid intrusion detection systems.
  • sneaky (1) waits 15 seconds to avoid IDS, using less bandwidth and fewer target machine resources.
  • polite (2) waits .4 seconds.
  • normal (3) is the default; sends probes in parallel.
  • aggressive (4) speeds scans up, expecting a reasonably fast and reliable network.
  • insane (5) expects an extraordinarily fast network, or that you are willing to sacrifice some accuracy for speed.
    nmap.org

Firewall/IDS Evasion and Spoofing

Network obstructions such as firewalls make mapping a network exceedingly difficult.
IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks.
Intrusion Prevention Systems (IPS) block traffic deemed malicious.
Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.

Too funky to describe here.

See nmap.org

-e interface  Use the specified interface.
-f
--mtu m
    Fragment packets, using the specified MTU with --mtu.
-D decoy1[,decoy2][,ME][,…]  Cloak a scan with decoys. Makes it appear to the remote host that the decoys are scanning the target too.
-S IP_Address  Spoof the source address.
--source-port p
-g p
    Spoof the source port number.
    A common misconception is to trust traffic based only on the source port number.
--data-length n  Append random data to sent packets.
    Normally minimalist packets containing only a header are sent.
--ip-options S | T | U | R [hop hop …] | L [hop hop …] | …
--ip-options hex string

Send packets with the specified IP options.
IP protocol options are rarely seen and can be useful in some cases.
Use record route (R) to determine a path to a target when traceroute-style approaches fail.
Use record timestamp (T), or both (U), if packets are being dropped by a certain firewall.
Loose or strict source routing, specified with an L or S followed by a space and then a space-separated list of IP addresses, specifies a different route.

--ip-options also accepts \xdd hexadecimal format to specify the option bytes explicitly.
Repeat characters by following them with an asterisk and a repeat count.
Example: \x01\x07\x04\x00*36\x01 includes 36 NULLs.
To display the options in packets, specify --packet-trace.
See seclists.org/nmap-dev/2006/q3/0052.html

--ttl value  Set the IP time-to-live field of sent packets.
--randomize-hosts  May make the scans less obvious to network monitoring systems.
Combine it with slow timing options. See nmap.org
--spoof-mac MAC address, prefix, or vendor name  An address of 0 uses a random MAC. See nmap.org
Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection.
Implies --send-eth.
--badsum  Send packets with invalid checksums.
Any responses then come from a firewall or IDS that didn't validate the checksum. See nmap.org/p60-12

Nmap Scripting Engine (NSE)

Automates a wide variety of networking tasks. The scripts are executed in parallel.

Too funky to describe here.

See nmap.org/book/nse-usage.html#nse-categories.
Scripting details at nmap.org/book/nse.html

-sC  Performs a script scan using the default set of scripts, equivalent to --script=default.
Scripts in this category are considered intrusive and should not be run against a target without permission.
--script script-categories | directory | filename | all
--script-args name1=value1,name2={name3=value3},name4=value4
--script-trace  All incoming and outgoing communication performed by a script is output.
--script-updatedb  Updates the script database.

OUTPUT

Output files may be used to resume aborted scans.

1. Interactive output, to standard output (stdout), the default.
2. Normal output, displays less runtime information and fewer warnings.

Filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y, and %Y. %T is %H%M%S, %R is %H%M and %D is %m%d%y.
Example: -oX 'scan-%T-%D.xml' will output to scan-144840-121307.xml.

-oN file  Normal output.
-oX file  XML output.
-oS file  Script output, like interactive output except that it is post-processed.
-oG file  Grepable output. Deprecated.

Consists of comments and target lines which include labeled fields, separated by tabs and followed with a colon:
Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status

Ports is a comma-separated list of port entries, each of the form of seven slash (/) separated subfields:
Port number, State, Protocol, Owner, Service, SunRPC info, and Version

    # Nmap 7.00 scan initiated Tue Mar  1 12:14:37 2016 as: nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23
    # Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
    Host: 10.56.104.1 ()    Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/closed/tcp//smtp///, 
            80/open/tcp//http//lighttpd/, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
            3389/closed/tcp//ms-wbt-server///    Seq Index: 195  IP I+D Seq: All zeros
    Host: 10.56.104.24 ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
            80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
            3389/closed/tcp//ms-wbt-server///
    Host: 10.56.104.25 ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
            80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
            3389/closed/tcp//ms-wbt-server///

See nmap.org/book/output-formats-grepable-output.html.

    -oA basename all formats to: basename.nmap, basename.xml, and basename.gnmap.
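    A parser for the grepable format described above, added here as an example; it is not part of nmap or its documentation. It takes the page's own -oG excerpt (re-joined so that each Host record is one tab-separated line, which is how nmap writes a .gnmap file; the page shows the lines wrapped for display), names the seven subfields of each Ports entry, and pulls out what a defender usually wants from the file: the open services per host and a count of ports per state.

```python
"""Parse nmap grepable (-oG / .gnmap) output.

Added example for this page; it is not part of nmap or its documentation.
Each "Host:" record is one line of tab-separated "Label: value" fields, and
each Ports entry has seven slash-separated subfields followed by a trailing
slash.
"""
import re

# Sample input constructed from the page's own -oG excerpt. A real .gnmap file
# keeps each Host record on a single line with a tab between labelled fields.
SAMPLE_GNMAP = (
    "# Nmap 7.00 scan initiated Tue Mar  1 12:14:37 2016 as: "
    "nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23\n"
    "# Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)\n"
    "Host: 10.56.104.1 ()\tPorts: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, "
    "23/filtered/tcp//telnet///, 25/closed/tcp//smtp///, 80/open/tcp//http//lighttpd/, "
    "110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, "
    "445/closed/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///"
    "\tSeq Index: 195\tIP ID Seq: All zeros\n"
    "Host: 10.56.104.24 ()\tPorts: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, "
    "23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 80/closed/tcp//http///, "
    "110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, "
    "445/closed/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///\n"
)

# The seven subfields of a Ports entry, in the order the page lists them.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")

HOST_RE = re.compile(r"^(\S+) \((.*)\)$")   # "10.56.104.1 ()" -> address, reverse-DNS name


def parse_port_entry(entry):
    """'80/open/tcp//http//lighttpd/' -> dict of the seven named subfields."""
    parts = entry.strip().split("/")
    # seven subfields plus the empty string left after the trailing slash
    if len(parts) != len(PORT_FIELDS) + 1 or parts[-1] != "":
        raise ValueError(f"malformed port entry: {entry!r}")
    rec = dict(zip(PORT_FIELDS, parts[:-1]))
    rec["port"] = int(rec["port"])
    return rec


def parse_gnmap(text):
    """Return a list of host records; '#' comment lines are skipped."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for chunk in line.split("\t"):
            label, _, value = chunk.partition(": ")
            fields[label] = value
        addr, name = HOST_RE.match(fields["Host"]).groups()
        ports = [parse_port_entry(e) for e in fields.get("Ports", "").split(",") if e.strip()]
        extra = {k: v for k, v in fields.items() if k not in ("Host", "Ports")}
        hosts.append({"addr": addr, "name": name, "ports": ports, "extra": extra})
    return hosts


def open_ports(hosts):
    """(addr, port, protocol, service, version) for every port in state 'open'."""
    return [(h["addr"], p["port"], p["protocol"], p["service"], p["version"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def state_summary(host):
    """Count ports per state for one host, e.g. {'filtered': 3, 'closed': 6, 'open': 1}."""
    counts = {}
    for p in host["ports"]:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for h in parsed:
        print(h["addr"], state_summary(h))
    print(open_ports(parsed))
```

    The entry check is deliberately strict: an entry that does not split into exactly seven subfields plus the trailing slash raises instead of being silently mis-assigned, which is the failure mode to watch for when a wrapped or hand-edited .gnmap file is fed back into a script.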

    Verbosity and debugging options

    -v Verbosity.
    Open ports are shown as they are found and completion-time estimates are provided.
    Use it twice or more for even more output. While running, v increases verbosity, V decreases it. See nmap.org
    -d [level] Debug output.
    While running, d increases debugging, D decreases it. See nmap.org
    --packet-trace Trace packets and data.
    Outputs a summary of every packet sent or received. Used for debugging. See nmap.org
    
    Packet Tracing enabled.
    SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811  S ttl=49 id=11069 iplen=44  seq=4254715915 win=1024 <mss 1460>
    SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44  seq=4254650378 win=1024 <mss 1460>
    RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40  seq=0 win=0
    SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139   S ttl=40 id=14479 iplen=44  seq=4237873418 win=1024 <mss 1460>
    SENT (4.8244s) TCP 192.168.1.8:52616 > 192.168.1.3:443   S ttl=49 id=23356 iplen=44  seq=4254715915 win=1024 <mss 1460>
    RCVD (4.8258s) TCP 192.168.1.5:139   > 192.168.1.8:52626 SA ttl=128 id=22102 iplen=44  seq=2168289427 win=8192 <mss 1460>
    RCVD (4.8266s) TCP 192.168.1.6:139   > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44  seq=2599483217 win=8192 <mss 1460>
    SENT (4.8462s) TCP 192.168.1.8:52616 > 192.168.1.3:8888  S ttl=47 id=39457 iplen=44  seq=4254715915 win=1024 <mss 1460>
    --open Show only open (or possibly open) ports. See nmap.org
    --iflist List interfaces and routes.
    Outputs the interface list and system routes; useful for debugging. See nmap.org
    --log-errors Log errors/warnings to the normal-mode output file.
    Errors and warnings usually go only to the screen (interactive output), leaving normal-format files (-oN) uncluttered.
    Alternatively, redirect interactive output, including stderr (2>&1), to a file.
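    How the --packet-trace lines above are read for a TCP SYN scan (-sS), as an added example that is not part of nmap or its documentation: it pairs each SENT SYN with the reply to the same target, port and source port, and classifies the port the way the scan does (SYN/ACK means open, RST means closed, nothing back is recorded as no response, which nmap reports as filtered once its retries are exhausted). The sample is the page's own trace excerpt; the SYN/ACK from 192.168.1.5, whose probe is not in the excerpt, is reported as unmatched rather than being credited to the wrong probe.

```python
"""Read nmap --packet-trace output for a TCP SYN scan (-sS).

Added example for this page; it is not part of nmap or its documentation.
A SYN scan sends one SYN per port and judges the port by what comes back:
SYN/ACK -> open, RST -> closed, nothing -> filtered (after nmap's retries).
"""
import re

# Sample input: the page's own --packet-trace excerpt, embedded verbatim.
SAMPLE_TRACE = """\
Packet Tracing enabled.
SENT (4.6944s) TCP 192.168.1.8:52616 > 192.168.1.6:2811  S ttl=49 id=11069 iplen=44  seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP 192.168.1.8:52615 > 192.168.1.11:1218 S ttl=41 id=53597 iplen=44  seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP 192.168.1.11:1218 > 192.168.1.8:52615 RA ttl=64 id=15801 iplen=40  seq=0 win=0
SENT (4.8243s) TCP 192.168.1.8:52626 > 192.168.1.6:139   S ttl=40 id=14479 iplen=44  seq=4237873418 win=1024 <mss 1460>
SENT (4.8244s) TCP 192.168.1.8:52616 > 192.168.1.3:443   S ttl=49 id=23356 iplen=44  seq=4254715915 win=1024 <mss 1460>
RCVD (4.8258s) TCP 192.168.1.5:139   > 192.168.1.8:52626 SA ttl=128 id=22102 iplen=44  seq=2168289427 win=8192 <mss 1460>
RCVD (4.8266s) TCP 192.168.1.6:139   > 192.168.1.8:52626 SA ttl=128 id=2213 iplen=44  seq=2599483217 win=8192 <mss 1460>
SENT (4.8462s) TCP 192.168.1.8:52616 > 192.168.1.3:8888  S ttl=47 id=39457 iplen=44  seq=4254715915 win=1024 <mss 1460>
"""

# Direction, timestamp, endpoints, TCP flag letters and the first IP fields.
LINE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+) id=(?P<id>\d+)"
)


def parse_trace(text):
    """Return one dict per SENT/RCVD TCP line; non-matching lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = m.groupdict()
        for k in ("sport", "dport", "ttl", "id"):
            pkt[k] = int(pkt[k])
        pkt["t"] = float(pkt["t"])
        packets.append(pkt)
    return packets


def classify_reply(flags):
    """SYN-scan interpretation of the TCP flags on a reply to our SYN."""
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "unexpected"          # keep it visible rather than guessing


def infer_states(text):
    """Map (target, port) -> state and collect replies with no matching probe.

    Probes are keyed by (target, port, our source port) so that a reply is
    only credited to the SYN that actually provoked it.
    """
    probes = set()
    states = {}
    unmatched = []
    for pkt in parse_trace(text):
        if pkt["dir"] == "SENT" and pkt["flags"] == "S":
            probes.add((pkt["dst"], pkt["dport"], pkt["sport"]))
            states.setdefault((pkt["dst"], pkt["dport"]), "no-response")
        elif pkt["dir"] == "RCVD":
            key = (pkt["src"], pkt["sport"], pkt["dport"])
            if key in probes:
                states[(pkt["src"], pkt["sport"])] = classify_reply(pkt["flags"])
            else:
                unmatched.append(pkt)   # its probe is not in this excerpt: do not guess
    return states, unmatched


if __name__ == "__main__":
    states, unmatched = infer_states(SAMPLE_TRACE)
    for (host, port), state in sorted(states.items()):
        print(f"{host}:{port:<5} {state}")
    for pkt in unmatched:
        print(f"unmatched reply from {pkt['src']}:{pkt['sport']} flags={pkt['flags']}")
```

    On the excerpt this yields 192.168.1.6:139 open, 192.168.1.11:1218 closed, and no response yet for 192.168.1.6:2811, 192.168.1.3:443 and 192.168.1.3:8888; over a complete trace, a port that stays at no response after nmap's retransmissions is the one it finally reports as filtered.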

    Miscellaneous output options

    --resume filename Resume an aborted scan if normal (-oN) logs were kept.
    No other arguments are permitted.
    --append-output Append to, rather than overwrite, the specified output files.
    --stylesheet path or URL XSL stylesheet to transform XML output. See nmap.org
    --webxml Load stylesheet from Nmap.Org
    --no-stylesheet Omit XSL stylesheet declaration from XML

    MISCELLANEOUS OPTIONS

    -6 Enable IPv6 scanning
    Ping (TCP-only) & connect scanning, and version detection.
    IPv6 syntax example: 3ffe:7501:4819:2000:210:f3ff:fe03:14d0.
    Hostnames are recommended.
    -A Aggressive
    Enables OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute).
    Do not use against networks without permission; it is considered intrusive.
    Does not turn on aggressive timing (such as -T4) or verbosity (-v); add those separately if wanted.

    --datadir ddir Custom data file location for: nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db.
    --servicedb or --versiondb may be used to point at individual files.
    Files not found in ddir are searched for in $NMAPDIR, then ~/.nmap, then the location of the Nmap executable, and then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap.

    --servicedb services file Specify a custom services file. Causes a fast scan (-F) to be used.

    --versiondb service probes file Specify a custom service probes file.
    --send-eth Send at the raw ethernet (link) layer rather than the network layer. Default. See nmap.org
    --send-ip Send at the raw IP level rather than lower-level ethernet frames; complement of --send-eth.
    --privileged Assume the user is privileged enough to perform raw socket sends and packet sniffing. Must precede flags requiring privileges.
    $NMAP_PRIVILEGED may be set as an equivalent.
    --unprivileged Assume the user lacks raw socket privileges; opposite of --privileged.
    $NMAP_UNPRIVILEGED may be set as an alternative.
    --release-memory Release memory before quitting; only useful for memory-leak debugging.
    --interactive Start in interactive mode, which offers a prompt allowing multiple scans to be launched. See nmap.org
    -V
    --version
    output version number and exit.
    Nmap version 7.40 ( https://nmap.org )
    Platform: x86_64-apple-darwin13.4.0
    Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
    Compiled without:
    Available nsock engines: kqueue poll select
    
    -h
    --help
    help summary page
    Nmap 7.93 ( https://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
      Can pass hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
      -iL <inputfilename>: Input from list of hosts/networks
      -iR <num hosts>: Choose random targets
      --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
      --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
      -sL: List Scan - simply list targets to scan
      -sn: Ping Scan - disable port scan
      -Pn: Treat all hosts as online -- skip host discovery
      -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
      -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
      -PO[protocol list]: IP Protocol Ping
      -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
      --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
      --system-dns: Use OS's DNS resolver
      --traceroute: Trace hop path to each host
    SCAN TECHNIQUES:
      -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
      -sU: UDP Scan
      -sN/sF/sX: TCP Null, FIN, and Xmas scans
      --scanflags <flags>: Customize TCP scan flags
      -sI <zombie host[:probeport]>: Idle scan
      -sY/sZ: SCTP INIT/COOKIE-ECHO scans
      -sO: IP protocol scan
      -b <FTP relay host>: FTP bounce scan
    PORT SPECIFICATION AND SCAN ORDER:
      -p <port ranges>: Only scan specified ports
        Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
      --exclude-ports <port ranges>: Exclude the specified ports from scanning
      -F: Fast mode - Scan fewer ports than the default scan
      -r: Scan ports sequentially - don't randomize
      --top-ports <number>: Scan <number> most common ports
      --port-ratio <ratio>: Scan ports more common than <ratio>
    SERVICE/VERSION DETECTION:
      -sV: Probe open ports to determine service/version info
      --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
      --version-light: Limit to most likely probes (intensity 2)
      --version-all: Try every single probe (intensity 9)
      --version-trace: Show detailed version scan activity (for debugging)
    SCRIPT SCAN:
      -sC: equivalent to --script=default
      --script=<Lua scripts>: <Lua scripts> is a comma separated list of
               directories, script-files or script-categories
      --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
      --script-args-file=filename: provide NSE script args in a file
      --script-trace: Show all data sent and received
      --script-updatedb: Update the script database.
      --script-help=<Lua scripts>: Show help about scripts.
               <Lua scripts> is a comma-separated list of script-files or
               script-categories.
    OS DETECTION:
      -O: Enable OS detection
      --osscan-limit: Limit OS detection to promising targets
      --osscan-guess: Guess OS more aggressively
    TIMING AND PERFORMANCE:
      Options which take 

    RUNTIME INTERACTION

    Keys pressed during execution change options or output a status message.
    Lowercase increases the amount of output, uppercase decreases it.
    v verbosity
    d debugging
    p packet tracing
    ? Output a runtime interaction help screen
    Anything else outputs a status message like:
       Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan
      Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining)

    Examples

    Some actual addresses and names are used to make things more concrete.
    For testing purposes, you have permission to scan scanme.nmap.org, only via Nmap.
    Version 7.60 includes: brute-force SSH password cracking, querying servers about what auth methods and public keys they accept, and even logging in using known or discovered credentials to execute arbitrary commands.

    LEGAL NOTICES

    The Nmap Security Scanner is © Insecure.Com LLC. Nmap is also a registered trademark of Insecure.Com LLC.

    AUTHOR

    Gordon "Fyodor" Lyon (Insecure.Org), author. Copyright (C) 2008 Nmap Project

    NOTES

    1. wikipedia article on nmap
    2. RFC 1122 Requirements for Internet Hosts -- Communication Layers
    3. RFC 792 ICMP - Internet Control Message Protocol
    4. RFC 1918
    5. UDP
    6. TCP RFC
    7. RFC 959
    8. RFC 1323
    9. IP protocol
    10. Nmap::Scanner
    11. Nmap::Parser
    12. tunnel brokers
    13. Creative Commons Attribution License
    14. Apache Software Foundation
    15. Libpcap portable packet capture library
    16. WinPcap library
    17. PCRE library
    18. Libdnet
    19. OpenSSL cryptography toolkit
    20. Lua programming language
    Nmap can be obtained from nmap.org; man page: http://nmap.org/book/man.html.