×
Create a new article
Write your page title here:
We currently have 3,185 articles on s23. Type your article name above or create one of the articles listed here!



    s23
    3,185Articles

    A very popular port scanner.

    The freely distributable source code is available at

    US President George W. Bush visited the NSA headquarters at Fort Meade in January 2006. A wall-sized status screen in the background displays the latest versions of Nmap and some of our other favorite open source tools.

    Nmap in the News - Bush

    NAME
    
           nmap - Network exploration tool and security scanner
    
    
    
    SYNOPSIS
    
           nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
    
    
    DESCRIPTION
    
           Nmap  is designed to allow system administrators and curi¡
           ous individuals to scan large networks to determine  which
           hosts  are  up  and what services they are offering.  nmap
           supports a large number of scanning  techniques  such  as:
           UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce
           attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep,
           Xmas  Tree,  SYN sweep, and Null scan.  See the Scan Types
           section for more details.  nmap also offers  a  number  of
           advanced  features  such as remote OS detection via TCP/IP
           fingerprinting,  stealth  scanning,  dynamic   delay   and
           retransmission  calculations, parallel scanning, detection
           of down hosts via parallel  pings,  decoy  scanning,  port
           filtering detection, direct (non-portmapper) RPC scanning,
           fragmentation scanning, and flexible target and port spec¡
           ification.
    
           Significant  effort  has been put into decent nmap perfor¡
           mance for non-root users.   Unfortunately,  many  critical
           kernel interfaces (such as raw sockets) require root priv¡
           ileges.  nmap should be run as root whenever possible.
    
           The result of running nmap is usually a list of  interest¡
           ing  ports on the machine(s) being scanned (if any).  Nmap
           always gives the port's  "well  known"  service  name  (if
           any),  number,  state,  and protocol.  The state is either
           'open', ┤filtered┤, or ┤unfiltered┤.  Open means that  the
           target  machine  will  accept()  connections on that port.
           Filtered means that a firewall, filter, or  other  network
           obstacle  is  covering  the  port and preventing nmap from
           determining whether the port is  open.   Unfiltered  means
           that  the  port is known by nmap to be closed and no fire¡
           wall/filter seems to be interfering with  nmap's  attempts
           to  determine  this.  Unfiltered ports are the common case
           and are only shown when most of the scanned ports  are  in
           the filtered state.
    
           Depending  on  options used, nmap may also report the fol¡
           lowing characteristics of the remote host: OS in use,  TCP
           sequencability,  usernames running the programs which have
           bound to each port, the DNS name, whether the  host  is  a
           smurf address, and a few others.
    
    
    
    OPTIONS
    
           Options  that  make  sense  together can generally be com¡
           bined.  Some options are specific to certain  scan  modes.
           nmap  tries  to catch and warn the user about psychotic or
           unsupported option combinations.
           If you are impatient, you can skip to the examples section
           at the end, which demonstrates common usage.  You can also
           run nmap -h for a quick reference  page  listing  all  the
           options.
    
           SCAN TYPES
    
           -sT    TCP  connect() scan: This is the most basic form of
                  TCP scanning. The connect() system call provided by
                  your  operating system is used to open a connection
                  to every interesting port on the  machine.  If  the
                  port  is  listening, connect() will succeed, other¡
                  wise the port isn't reachable. One strong advantage
                  to  this  technique is that you don't need any spe¡
                  cial privileges. Any user on  most  UNIX  boxes  is
                  free to use this call.
    
                  This  sort  of  scan is easily detectable as target
                  host logs will show a bunch of connection and error
                  messages  for  the services which accept() the con¡
                  nection just to have it immediately shutdown.
    
           -sS    TCP SYN scan: This technique is often  referred  to
                  as  "half-open"  scanning, because you don't open a
                  full TCP connection. You send a SYN packet,  as  if
                  you  are  going  to  open a real connection and you
                  wait for a response. A SYN|ACK indicates  the  port
                  is  listening.  A  RST  is indicative of a non-lis¡
                  tener.  If a SYN|ACK is received, a RST is  immedi¡
                  ately  sent  to  tear down the connection (actually
                  our OS kernel does this for us). The primary advan¡
                  tage to this scanning technique is that fewer sites
                  will log it.  Unfortunately you  need  root  privi¡
                  leges to build these custom SYN packets.
    
           -sF -sX -sN
                  Stealth  FIN,  Xmas Tree, or Null scan modes: There
                  are times when even SYN scanning isn't  clandestine
                  enough. Some firewalls and packet filters watch for
                  SYNs to restricted ports, and programs like Synlog¡
                  ger  and  Courtney  are  available  to detect these
                  scans. These advanced scans, on the other hand, may
                  be able to pass through unmolested.
    
                  The idea is that closed ports are required to reply
                  to your probe packet with an RST, while open  ports
                  must ignore the packets in question (see RFC 793 pp
                  64).  The FIN  scan  uses  a  bare  (surprise)  FIN
                  packet as the probe, while the Xmas tree scan turns
                  on the FIN, URG, and PUSH  flags.   The  Null  scan
                  turns off all flags.  Unfortunately Microsoft (like
                  usual) decided to completely  ignore  the  standard
                  and  do  things their own way.  Thus this scan type
                  will not work against systems running Windows95/NT.
                  On the positive side, this is a good way to distin¡
                  guish between the two platforms.  If the scan finds
                  open  ports,  you know the machine is not a Windows
                  box.  If a -sF,-sX,or  -sN  scan  shows  all  ports
                  closed,  yet  a  SYN  (-sS)  scan shows ports being
                  opened, you are probably looking at a Windows  box.
                  This  is  less  useful  now that nmap has proper OS
                  detection built in.  There are  also  a  few  other
                  systems that are broken in the same way Windows is.
                  They include Cisco, BSDI,  HP/UX,  MVS,  and  IRIX.
                  All  of  the  above send resets from the open ports
                  when they should just drop the packet.
    
           -sP    Ping scanning: Sometimes  you  only  want  to  know
                  which  hosts on a network are up.  Nmap can do this
                  by sending ICMP echo request packets  to  every  IP
                  address  on  the  networks you specify.  Hosts that
                  respond are up.  Unfortunately, some sites such  as
                  microsoft.com  block  echo  request  packets.  Thus
                  nmap can also send a TCP ack packet to (by default)
                  port  80.   If  we get an RST back, that machine is
                  up.  A  third  technique  involves  sending  a  SYN
                  packet  and  waiting  for  a RST or a SYN/ACK.  For
                  non-root users, a connect() method is used.
    
                  By default (for root users),  nmap  uses  both  the
                  ICMP  and  ACK  techniques  in  parallel.   You can
                  change the -P option described later.
    
                  Note that pinging is done by  default  anyway,  and
                  only hosts that respond are scanned.  Only use this
                  option if you wish to ping sweep without doing  any
                  actual port scans.
    
           -sU    UDP  scans:  This method is used to determine which
                  UDP (User Datagram Protocol,  RFC  768)  ports  are
                  open  on  a  host.  The technique is to send 0 byte
                  udp packets to each port on the target machine.  If
                  we  receive  an ICMP port unreachable message, then
                  the port is closed.   Otherwise  we  assume  it  is
                  open.
    
                  Some people think UDP scanning is pointless. I usu¡
                  ally remind them  of  the  recent  Solaris  rcpbind
                  hole.  Rpcbind  can  be  found hiding on an undocu¡
                  mented  UDP  port  somewhere  above  32770.  So  it
                  doesn't matter that 111 is blocked by the firewall.
                  But can you find which of the more than 30,000 high
                  ports  it  is  listening on? With a UDP scanner you
                  can!  There is also the cDc Back  Orifice  backdoor
                  program  which  hides on a configurable UDP port on
                  Windows machines.  Not to mention the many commonly
                  vulnerable  services that utilize UDP such as snmp,
                  tftp, NFS, etc.
                  Unfortunately UDP scanning is  sometimes  painfully
                  slow since most hosts impliment a suggestion in RFC
                  1812 (section 4.3.2.8) of limiting the  ICMP  error
                  message  rate.   For  example, the Linux kernel (in
                  net/ipv4/icmp.h)  limits  destination   unreachable
                  message  generation to 80 per 4 seconds, with a 1/4
                  second penalty if that is  exceeded.   Solaris  has
                  much  more strict limits (about 2 messages per sec¡
                  ond) and thus takes  even  longer  to  scan.   nmap
                  detects  this  rate limiting and slows down accord¡
                  ingly, rather than flood the network  with  useless
                  packets that will be ignored by the target machine.
    
                  As is typical, Microsoft ignored the suggestion  of
                  the  RFC  and does not seem to do any rate limiting
                  at all on Win95 and NT machines.  Thus we can  scan
                  all  65K  ports  of a Windows machine very quickly.
                  Woop!
    
           -sA    ACK scan: This advanced method is usually  used  to
                  map  out  firewall rulesets.  In particular, it can
                  help determine whether a firewall  is  stateful  or
                  just  a  simple  packet filter that blocks incoming
                  SYN packets.
    
                  This scan type sends an  ACK  packet  (with  random
                  looking  acknowledgement/sequence  numbers)  to the
                  ports specified.  If a RST comes back, the ports is
                  classified  as "unfiltered".  If nothing comes back
                  (or if an ICMP unreachable is returned),  the  port
                  is  classified  as "filtered".  Note that nmap usu¡
                  ally doesn't print "unfiltered" ports,  so  getting
                  no ports shown in the output is usually a sign that
                  all the probes got  through  (and  returned  RSTs).
                  This  scan  will  obviously never show ports in the
                  "open" state.
    
           -sW    Window scan: This advanced scan is very similar  to
                  the  ACK  scan, except that it can sometimes detect
                  open ports as well as filtered/nonfiltered  due  to
                  an anomaly in the TCP window size reporting by some
                  operating  systems.   Systems  vulnerable  to  this
                  include at least some versions of AIX, Amiga, BeOS,
                  BSDI, Cray, Tru64  UNIX,  DG/UX,  OpenVMS,  Digital
                  UNIX,  FreeBSD,  HP-UX,  OS/2, IRIX, MacOS, NetBSD,
                  OpenBSD,  OpenStep,  QNX,  Rhapsody,   SunOS   4.X,
                  Ultrix,  VAX,  and  VxWorks.   See the nmap-hackers
                  mailing list archive for a full list.
    
           -sR    RPC scan.  This method works  in  combination  with
                  the  various  port  scan methods of Nmap.  It takes
                  all the TCP/UDP ports found open  and  then  floods
                  them  with  SunRPC  program  NULL  commands  in  an
                  attempt to determine whether they  are  RPC  ports,
                  and  if  so,  what  program and version number they
                  serve up.  Thus you can effectively obtain the same
                  info  as  firewall  (or protected by TCP wrappers).
                  Decoys do not currently work with RPC scan, at some
                  point I may add decoy support for UDP RPC scans.
    
           -b <ftp relay host>
                  FTP  bounce attack: An interesting "feature" of the
                  ftp protocol (RFC 959) is support for  "proxy"  ftp
                  connections.  In  other  words, I should be able to
                  connect from evil.com to the  FTP  server  of  tar¡
                  get.com  and  request  that  the server send a file
                  ANYWHERE on the internet!  Now this may have worked
                  well  in  1985  when  the  RFC  was written. But in
                  today's Internet, we can't  have  people  hijacking
                  ftp servers and requesting that data be spit out to
                  arbitrary points on the internet. As *Hobbit* wrote
                  back  in  1995,  this protocol flaw "can be used to
                  post virtually untraceable mail and news, hammer on
                  servers at various sites, fill up disks, try to hop
                  firewalls, and generally be annoying  and  hard  to
                  track  down at the same time." What we will exploit
                  this for is to (surprise, surprise) scan TCP  ports
                  from  a  "proxy" ftp server. Thus you could connect
                  to an ftp server behind a firewall, and  then  scan
                  ports  that are more likely to be blocked (139 is a
                  good one). If the ftp server  allows  reading  from
                  and  writing to some directory (such as /incoming),
                  you can send arbitrary data to ports  that  you  do
                  find open (nmap doesn't do this for you though).
    
                  The  argument  passed to the 'b' option is the host
                  you want to use as a proxy, in standard  URL  nota¡
                  tion.      The     format     is:    username:pass¡
                  word@server:port.    Everything   but   server   is
                  optional.  To determine what servers are vulnerable
                  to this attack, you can see my  article  in  Phrack
                  51.   And  updated version is available at the nmap
                  URL (http://www.insecure.org/nmap).
    
           GENERAL OPTIONS
                  None of these are required but some  can  be  quite
                  useful.
    
           -P0    Do  not  try  and ping hosts at all before scanning
                  them.  This allows the scanning  of  networks  that
                  don't  allow  ICMP  echo  requests  (or  responses)
                  through their firewall.  microsoft.com is an  exam¡
                  ple  of  such a network, and thus you should always
                  use -P0 or -PT80 when portscanning microsoft.com.
    
           -PT    Use TCP "ping" to  determine  what  hosts  are  up.
                  Instead  of  sending  ICMP echo request packets and
                  waiting for a response, we spew out TCP ACK packets
                  throughout  the  target  network  (or  to  a single
                  machine) and then wait  for  responses  to  trickle
                  back.  Hosts that are up should respond with a RST.
                  This option preserves the efficiency of only  scan¡
                  ning  hosts that are up while still allowing you to
                  scan networks/hosts that block ping  packets.   For
                  non  root users, we use connect().  To set the des¡
                  tination port of the  probe  packets  use  -PT<port
                  number>.   The  default port is 80, since this port
                  is often not filtered out.
    
           -PS    This option uses SYN (connection  request)  packets
                  instead  of ACK packets for root users.  Hosts that
                  are up should respond with a  RST  (or,  rarely,  a
                  SYN|ACK).
    
           -PI    This  option  uses  a true ping (ICMP echo request)
                  packet.  It finds hosts that are up and also  looks
                  for  subnet-directed  broadcast  addresses  on your
                  network.  These are IP addresses which  are  exter¡
                  nally  reachable  and  translate  to a broadcast of
                  incomming IP packets  to  a  subnet  of  computers.
                  These  should  be eliminated if found as they allow
                  for numerous denial of service  attacks  (Smurf  is
                  the most common).
    
           -PB    This  is  the  default ping type.  It uses both the
                  ACK ( -PT ) and ICMP ( -PI )  sweeps  in  parallel.
                  This  way  you can get firewalls that filter either
                  one (but not both).
    
           -O     This option activates  remote  host  identification
                  via TCP/IP fingerprinting.  In other words, it uses
                  a bunch of techniques to detect subtleties  in  the
                  underlying  operating  system  network stack of the
                  computers you are scanning.  It uses this  informa¡
                  tion  to  create  a 'fingerprint' which it compares
                  with its database of  known  OS  fingerprints  (the
                  nmap-os-fingerprints  file)  to decide what type of
                  system you are scanning.
    
                  If you find a machine that is misdiagnosed and  has
                  at  least  one port open, it would be useful if you
                  mail me the details (ie OS  blah  version  foo  was
                  detected  as  OS  blah version bar).  If you find a
                  machine with at least one port open for which  nmap
                  says  'unknown  operating system', then it would be
                  useful if you send me the IP address along with the
                  OS  name and version number.  If you can't send the
                  IP address, the next best thing is to run nmap with
                  the  -d  option  and send me the three fingerprints
                  that should result along with the OS name and  ver¡
                  sion  number.   By doing this you contribute to the
                  pool of operating systems known to nmap and thus it
                  will be more accurate for everyone.
    
           -I     This  turns on TCP reverse ident scanning. As noted
                  by Dave Goldsmith in a 1996 Bugtraq post, the ident
                  protocol  (rfc  1413)  allows for the disclosure of
                  the username that owns any  process  connected  via
                  TCP,  even if that process didn't initiate the con¡
                  nection. So you can, for example,  connect  to  the
                  http  port  and then use identd to find out whether
                  the server is running as root.  This  can  only  be
                  done  with a full TCP connection to the target port
                  (i.e. the -sT scanning option).  When -I  is  used,
                  the  remote  host's identd is queried for each open
                  port found.  Obviously this won't work if the  host
                  is not running identd.
    
           -f     This option causes the requested SYN, FIN, XMAS, or
                  NULL scan to use tiny fragmented IP  packets.   The
                  idea  is  to  split  up the TCP header over several
                  packets to  make  it  harder  for  packet  filters,
                  intrusion  detection  systems, and other annoyances
                  to detect what you are doing. Be careful with this!
                  Some  programs  have  trouble  handling  these tiny
                  packets. My favorite sniffer  segmentation  faulted
                  immediately  upon receiving the first 36-byte frag¡
                  ment. After that comes a 24 byte  one!  While  this
                  method  won't  get  by packet filters and firewalls
                  that  queue  all  IP  fragments  (like   the   CON¡
                  FIG_IP_ALWAYS_DEFRAG  option  in the Linux kernel),
                  some networks can't afford the performance hit this
                  causes and thus leave it disabled.
    
                  Note  that I do not yet have this option working on
                  all systems.  It works fine for my Linux,  FreeBSD,
                  and  OpenBSD  boxes  and  some people have reported
                  success with other *NIX variants.
    
           -v     Verbose mode.  This is a highly recommended  option
                  and  it  gives  out  more information about what is
                  going on.  You can use it twice for greater effect.
                  Use  -d a couple of times if you really want to get
                  crazy with scrolling the screen!
    
           -h     This handy option display a quick reference  screen
                  of  nmap  usage  options.  As you may have noticed,
                  this man page is not exactly a 'quick reference' :)
    
           -oN <logfilename>
                  This  logs  the  results  of your scans in a normal
                  human readable form into the file you specify as an
                  argument.
    
           -oM <logfilename>
                  This  logs  the  results of your scans in a machine
                  parseable form into the  file  you  specify  as  an
                  argument.   You  can give the argument ┤-┤ (without
                  quotes) to shoot  output  into  stdout  (for  shell
                  pipelines,  etc).   In this case normal output will
                  be suppressed.  Watch out for error messages if you
                  use this (they will still go to stderr).  Also note
                  that ┤-v┤ will cause some extra information  to  be
                  printed.
    
           -oS <logfilename>
                  thIs  l0gz  th3  r3suLtS  of YouR ScanZ iN a s|<ipT
                  kiDd|3 f0rM iNto THe fiL3 U sPecfy 4s an  arGuMEnT!
                  U  kAn  gIv3  the  4rgument ┤-┤ (wItHOUt qUOteZ) to
                  sh00t output iNT0 stDouT!@!!
    
           --resume <logfilename>
                  A network scan that is cancelled due to  control-C,
                  network  outage,  etc.  can  be  resumed using this
                  option.  The logfilename must be  either  a  normal
                  (-oN)  or  machine  parsable  (-oM)  log  from  the
                  aborted scan.  No other options can be given  (they
                  will  be  the same as the aborted scan).  Nmap will
                  start on the machine after the  last  one  success¡
                  fully scanned in the log file.
    
           -iL <inputfilename>
                  Reads target specifications from the file specified
                  RATHER than from the command line.  The file should
                  contain  a  list  of  host  or  network expressions
                  seperated by spaces,  tabs,  or  newlines.   Use  a
                  hyphen  (-)  as  inputfilename  if you want nmap to
                  read host expressions from stdin (like at  the  end
                  of  a  pipe).  See the section target specification
                  for more information on the  expressions  you  fill
                  the file with.
    
           -iR    This option tells Nmap to generate its own hosts to
                  scan by simply picking random numbers :).  It  will
                  never end.  This can be useful for statistical sam¡
                  pling of the Internet to estimate  various  things.
                  If  you  are ever really bored, try nmap -sS -iR -p
                  80 to find some web servers to look at.
    
           -p <port ranges>
                  This option specifies what ports you want to  spec¡
                  ify.  For  example '-p 23' will only try port 23 of
                  the target host(s).   ┤-p  20-30,139,60000-┤  scans
                  ports  between  20  and 30, port 139, and all ports
                  greater than 60000.  The default  is  to  scan  all
                  ports  between  1  and  1024  as  well as any ports
                  listed in the services file which comes with  nmap.
    
           -F Fast scan mode.
                  Specifies  that  you  only  wish  to scan for ports
                  listed in the services file which comes with  nmap.
                  This  is  obviously  much  faster than scanning all
                  65535 ports on a host.
    
           -D <decoy1 [,decoy2][,ME],...>
                  Causes a decoy scan to be performed which makes  it
                  appear  to  the  remote  host  that the host(s) you
                  specify as decoys are scanning the  target  network
                  too.   Thus  their IDS might report 5-10 port scans
                  from unique IP addresses, but they won't know which
                  IP  was  scanning  them  and  which  were  innocent
                  decoys.  While this can be defeated through  router
                  path tracing, response-dropping, and other "active"
                  mechanisms, it is generally an extremely  effective
                  technique for hiding your IP address.
    
                  Separate  each  decoy host with commas, and you can
                  optionally use 'ME' as one of the decoys to  repre¡
                  sent  the  position  you want your IP address to be
                  used.  If your put 'ME'  in  the  6th  position  or
                  later,  some  common  port  scan detectors (such as
                  Solar Designer's excellent scanlogd) are  unlikeley
                  to  show  your IP address at all.  If you don't use
                  'ME', nmap will put you in a random position.
    
                  Note that the hosts you use as decoys should be  up
                  or  you  might  accidently  SYN flood your targets.
                  Also it will be pretty easy to determine which host
                  is  scanning if only one is actually up on the net¡
                  work.  You might want to use IP  addresses  instead
                  of  names  (so  the decoy networks don't see you in
                  their nameserver logs).
    
                  Also note that some (stupid) "port scan  detectors"
                  will  firewall/deny  routing  to hosts that attempt
                  port scans.  Thus you might inadvertantly cause the
                  machine  you  scan  to  lose  connectivity with the
                  decoy machines you are using.  This could cause the
                  target  machines  major  problems  if the decoy is,
                  say, its  internet  gateway  or  even  "localhost".
                  Thus  you  might want to be careful of this option.
                  The real moral of the story is  that  detectors  of
                  spoofable port scans should not take action against
                  the machine that seems like  it  is  port  scanning
                  them.  It could just be a decoy!
    
                  Decoys  are  used  both  in  the  initial ping scan
                  (using ICMP, SYN, ACK, or whatever) and during  the
                  actual  port  scanning phase.  Decoys are also used
                  during remote OS detection ( -O ).
    
                  It is worth noting that using too many  decoys  may
                  slow  your  scan  and potentially even make it less
                  accurate.  Also, some ISPs  will  filter  out  your
                  spoofed  packets, although many (currently most) do
                  not restrict spoofed IP packets at all.
    
           -S <IP_Address>
                  In some circumstances, nmap  may  not  be  able  to
                  determine  your source address ( nmap will tell you
                  if this is the case).  In this  situation,  use  -S
                  with  your IP address (of the interface you wish to
                  send packets through).
    
                  Another possible use of this flag is to  spoof  the
                  scan to make the targets think that someone else is
                  scanning them.  Imagine a company being  repeatedly
                  port  scanned  by a competitor!  This is not a sup¡
                  ported usage (or the main purpose) of this flag.  I
                  just  think  it  raises  an interesting possibility
                  that people should  be  aware  of  before  they  go
                  accusing  others  of  port scanning them.  -e would
                  generally be required for this sort of usage.
    
           -e <interface>
                  Tells nmap what interface to send and receive pack¡
                  ets  on.  Nmap should be able to detect this but it
                  will tell you if it cannot.
    
           -g <portnumber>
                  Sets the source port number used  in  scans.   Many
                  naive firewall and packet filter installations make
                  an exception in their ruleset to allow DNS (53)  or
                  FTP-DATA (20) packets to come through and establish
                  a connection.  Obviously this  completely  subverts
                  the  security  advantages  of  the  firewall  since
                  intruders can just masquerade as FTP or DNS by mod¡
                  ifying their source port.  Obviously for a UDP scan
                  you should try 53 first and TCP scans should try 20
                  before  53.   Note  that  this is only a request --
                  nmap will honor it only if and when it is able  to.
                  For example, you can't do TCP ISN sampling all from
                  one host:port to one host:port, so nmap changes the
                  source port even if you used -g.
    
                  Be  aware that there is a small performance penalty
                  on some scans for  using  this  option,  because  I
                  sometimes  store  useful  information in the source
                  port number.
    
           -r     Tells Nmap NOT to  randomize  the  order  in  which
                  ports are scanned.
    
           --randomize_hosts
                  Tells  Nmap  to  shuffle  each  group of up to 2048
                  hosts before it scans  them.   This  can  make  the
                  scans  less  obvious  to various network monitoring
                  systems, especially when you combine it  with  slow
                  timing options (see below).
    
           -M <max sockets>
                  Sets  the  maximum  number  of sockets that will be
                  used in parallel for  a  TCP  connect()  scan  (the
                  default).   This  is useful to slow down the scan a
                  little bit  and  avoid  crashing  remote  machines.
                  Another  approach is to use -sS, which is generally
                  easier for machines to handle.
    
           TIMING OPTIONS
                  Generally Nmap does a good  job  at  adjusting  for
                  Network  characteristics at runtime and scanning as
                  fast as possible while minimizing that  chances  of
                  hosts/ports  going  undetected.  However, there are
                  same cases where Nmap's default timing  policy  may
                  not  meet  your  objectives.  The following options
                  provide a fine level of control over the scan  tim¡
                  ing:
    
           -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
                  These  are  canned timing policies for conveniently
                  expressing your priorities to Nmap.  Paranoid  mode
                  scans  very  slowly in the hopes of avoiding detec¡
                  tion by IDS systems.  It serializes all  scans  (no
                  parallel  scanning)  and generally waits at least 5
                  minutes between sending packets.  Sneaky  is  simi¡
                  lar,  except it only waits 15 seconds between send¡
                  ing packets.  Polite is meant to ease load  on  the
                  network   and   reduce   the  chances  of  crashing
                  machines.  It serializes the probes  and  waits  at
                  least  0.4  seconds  between  them.   Normal is the
                  default Nmap  behaviour,  which  tries  to  run  as
                  quickly as possible without overloading the network
                  or missing hosts/ports.  Aggressive mode adds  a  5
                  minute  timeout  per  host  and it never waits more
                  than 1.25 seconds for probe responses.   Insane  is
                  only  suitable  for very fast networks or where you
                  don't mind losing some information.  It  times  out
                  hosts  in 75 seconds and only waits 0.3 seconds for
                  individual probes.  It does allow  for  very  quick
                  network  sweeps  though :).  You can also reference
                  these by number (0-5).  For example, ┤-T  0┤  gives
                  you Paranoid mode and ┤-T 5┤ is Insane mode.
    
                  These  canned  timing  modes  should NOT be used in
                  combination with the  lower  level  controls  given
                  below.
    
           --host_timeout <milliseconds>
                  Specifies  the  amount  of  time Nmap is allowed to
                  spend scanning a single host before  giving  up  on
                  that IP.  The default timing mode has no host time¡
                  out.
    
           --max_rtt_timeout <milliseconds>
                  Specifies  the  maximum  amount  of  time  Nmap  is
                  allowed   to  wait  for  a  probe  response  before
                  retransmitting or timing out that particular probe.
                  The default mode sets this to about 9000.
    
           --min_rtt_timeout <milliseconds>
                  When  the target hosts start to establish a pattern
                  of responding very quickly, Nmap  will  shrink  the
                  amount of time given per probe.  This speeds up the
                  scan,  but  can  lead  to  missed  packets  when  a
                  response takes longer than usual.  With this param¡
                  eter you can guarantee that Nmap will wait at least
                  the  given  amount  of  time  before giving up on a
                  probe.
    
           --initial_rtt_timeout <milliseconds>
                  Specifies the initial probe timeout.  This is  gen¡
                  erally  only  useful  when scanning firwalled hosts
                  with -P0.  Normally Nmap can obtain good RTT  esti¡
                  mates  from the ping and the first few probes.  The
                  default mode uses 6000.
    
           --max_parallelism <number>
                  Specifies the  maximum  number  of  scans  Nmap  is
                  allowed  to  perform  in parallel.  Setting this to
                  one means Nmap will never try to scan more  than  1
                  port  at  a  time.   It also effects other parallel
                  scans such as ping sweep, RPC scan, etc.
    
           --scan_delay <milliseconds>
                  Specifies the minimum amount of time Nmap must wait
                  between  probes.   This  is mostly useful to reduce
                  network load or to slow the scan way down to  sneak
                  under IDS thresholds.
    
    
    
    TARGET SPECIFICATION
    
           Everything  that  isn't  an option (or option argument) in
           nmap is treated as a target host specification.  The  sim¡
           plest  case is listing single hostnames or IP addresses on
           the command line.  If you want to  scan  a  subnet  of  IP
           addresses,  you  can  append '/mask' to the hostname or IP
           address.  mask must be between 0 (scan the whole internet)
           and  32 (scan the single host specified).  Use /24 to scan
           a class 'C' address and /16 for a class 'B'.
    
           Nmap also has a more  powerful  notation  which  lets  you
           specify an IP address using lists/ranges for each element.
           Thus you can scan the whole class 'B' network  128.210.*.*
           by  specifying  '128.210.*.*'  or '128.210.0-255.0-255' or
           even use the mask notation: '128.210.0.0/16'.   These  are
           all equivalent.  If you use asterisks ('*'), remember that
           most shells require you to escape them with  back  slashes
           or protect them with quotes.
    
           Another  interesting thing to do is slice the Internet the
           other way.  Instead of scanning all the hosts in  a  class
           specifying hosts to scan, see the examples section.
    
    
    
    EXAMPLES
    
           Here are some examples of using nmap, from simple and nor¡
           mal to a little more complex/esoteric.  Note  that  actual
           numbers  and  some  actual  domain  names are used to make
           things more concrete.  In their place you  should  substi¡
           tute  addresses/names  from  your  own  network.  I do not
           think portscanning other networks is illegal;  nor  should
           portscans  be  construed  by  others as an attack.  I have
           scanned  hundreds  of  thousands  of  machines  and   have
           received  only  one  complaint.  But I am not a lawyer and
           some (anal) people may be annoyed  by  nmap  probes.   Get
           permission first or use at your own risk.
    
           nmap -v target.example.com
    
           This  option  scans  all reserved TCP ports on the machine
           target.example.com .  The -v means turn on verbose mode.
    
           nmap -sS -O target.example.com/24
    
           Launches a stealth SYN scan against each machine  that  is
           up out of the 255 machines on class 'C' where target.exam¡
           ple.com resides.  It also tries to determine what  operat¡
           ing system is running on each host that is up and running.
           This requires root privileges because of the SYN scan  and
           the OS detection.
    
           nmap -sX -p 22,53,110,143,4564 128.210.*.1-127
    
           Sends  an  Xmas tree scan to the first half of each of the
           255 possible 8  bit  subnets  in  the  128.210  class  'B'
           address  space.   We  are  testing whether the systems run
           sshd, DNS, pop3d, imapd, or port  4564.   Note  that  Xmas
           scan  doesn't  work  on Microsoft boxes due to their defi¡
           cient TCP stack.  Same goes with CISCO, IRIX,  HP/UX,  and
           BSDI boxes.
    
           nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
    
           Rather  than focus on a specific IP range, it is sometimes
           interesting to slice up the entire  Internet  and  scan  a
           small  sample from each slice.  This command finds all web
           servers on machines with  IP  addresses  ending  in  .2.3,
           .2.4,  or  .2.5 find more interesting machines starting at
           127. so you might want to use  '127-222'  instead  of  the
           first asterisks because that section has a greater density
           of interesting machines (IMHO).
    
           host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
    
           Do a DNS zone transfer to find the  hosts  in  company.com
           and  then  feed  the IP addresses to nmap.  The above com¡
           mands are for my GNU/Linux box.  You  may  need  different
           commands/options on other operating systems.
    
    
    
    BUGS
    
           Bugs?  What bugs?  Send me any that you find.  Patches are
           nice too :) Remember to also send in new  OS  fingerprints
           so we can grow the database.  Nmap will give you a submis¡
           sion URL when an appropriate fingerprint is found.
    
    
    
    AUTHOR
    
           Fyodor <fyodor@dhp.com>
    
    
    DISTRIBUTION
    
           The  newest  version  of  nmap  can   be   obtained   from
           http://www.insecure.org/nmap/
    
           nmap  is  (C)  1997,1998,1999,2000 by Fyodor (fyodor@inse¡
           cure.org)
    
           libpcap is also distributed along with nmap.  It is  copy¡
           righted  by  Van Jacobson, Craig Leres and Steven McCanne,
           all of the Lawrence Berkeley National Laboratory,  Univer¡
           sity of California, Berkeley, CA.  The version distributed
           with nmap may be modified, pristine sources are  available
           from ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
    
           This  program  is  free  software; you can redistribute it
           and/or modify it under the terms of the GNU General Public
           License as published by the Free Software Foundation; Ver¡
           sion 2.  This guarantees your right to  use,  modify,  and
           redistribute  Nmap  under  certain  conditions.   If  this
           license is unacceptable to you, Insecure.Org may be  will¡
           ing to sell alternative licenses (contact fyodor@dhp.com).
    
           Source is provided to this  software  because  we  believe
           users have a right to know exactly what a program is going
           to do before they run it.  This also allows you  to  audit
           the  software  for security holes (none have been found so
           far).
    
           Source code also allows you to port nmap to new platforms,
           fix bugs, and add new features.  You are highly encouraged
           to send your changes to Fyodor for possible  incorporation
           into the main Nmap distribution.  By sending these changes
           to Fyodor or nmap-hackers, it  is  assumed  that  you  are
           offering  Fyodor  the  unlimited,  non-exclusive  right to
           reuse, modify, and relicense the code.   If  you  wish  to
           specify  special license conditions of your contributions,
           please state them up front.
    
           This program is distributed in the hope that  it  will  be
           useful, but WITHOUT ANY WARRANTY; without even the implied
           warranty of MERCHANTABILITY or FITNESS  FOR  A  PARTICULAR
           PURPOSE.   See  the  GNU  General  Public License for more
           details (it is in the COPYING file of the  nmap  distribu¡
           tion).
    
           It  should also be noted that Nmap has been known to crash
           certain poorly written applications,  TCP/IP  stacks,  and
           even  operating systems.  Nmap should never be run against
           mission critical systems unless you are prepared to suffer
           downtime.   We  acknowledge  here that Nmap may crash your
           systems or networks and we disclaim all liability for  any
           damage or problems Nmap could cause.
    
           All  versions  of  Nmap  equal  to or greater than 2.0 are
           believed to be Year 2000 (Y2K) compliant in all  respects.
           There  is  no  reason to believe versions earlier than 2.0
           are susceptible to problems, but we have not tested  them.
    
    
    Cookies help us deliver our services. By using our services, you agree to our use of cookies.
    Cookies help us deliver our services. By using our services, you agree to our use of cookies.