nmap
Network exploration tool and security / port scanner
Usage
Usage: nmap [Scan Type(s)] [Options] {target specification}
Options
TARGET SPECIFICATION
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254

| Option | Description |
|---|---|
| `-iL <inputfilename>` | Input from list of hosts/networks |
| `--exclude <host1[,host2][,host3],...>` | Exclude hosts/networks |
| `--excludefile <exclude_file>` | Exclude list from file |
HOST DISCOVERY

| Option | Description |
|---|---|
| `-sL` | List Scan - simply list targets to scan |
| `-sn` | Ping Scan - disable port scan |
| `-PS/PA/PU/PY[portlist]` | TCP SYN/ACK, UDP or SCTP discovery to given ports |
| `-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
| `-n/-R` | Never do DNS resolution/Always resolve [default: sometimes] |
| `--dns-servers <serv1[,serv2],...>` | Specify custom DNS servers |
| `--traceroute` | Trace hop path to each host |
SCAN TECHNIQUES

| Option | Description |
|---|---|
| `-sS/sT/sA/sW/sM` | TCP SYN/Connect()/ACK/Window/Maimon scans |
| `-sU` | UDP Scan |
| `-sN/sF/sX` | TCP Null, FIN, and Xmas scans |
| `--scanflags <flags>` | Customize TCP scan flags |
| `-sO` | IP protocol scan |
PORT SPECIFICATION AND SCAN ORDER

| Option | Description |
|---|---|
| `-p <port ranges>` | Only scan specified ports. Ex: `-p22`; `-p1-65535`; `-p U:53,111,137,T:21-25,80,139,8080,S:9` |
| `--exclude-ports <port ranges>` | Exclude the specified ports from scanning |
| `-F` | Fast mode - Scan fewer ports than the default scan |
| `-r` | Scan ports sequentially - don't randomize |
| `--top-ports <number>` | Scan `<number>` most common ports |
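The `-p` grammar from the table above (protocol qualifiers `T:`/`U:`/`S:`/`P:` that stay in effect until the next qualifier, single ports, and `lo-hi` ranges with either end omitted), worked through as an added Python example that is not part of this page or of nmap itself. The function names `parse_port_spec` and `port_count` are this example's own; unqualified tokens are collected under the key `""` because nmap applies them to every protocol being scanned, and port names or wildcards are deliberately rejected rather than modelled.

```python
"""Expand an nmap -p port specification into per-protocol port sets.

Added example (not nmap code): useful when reviewing scan scope, e.g. to
check a scheduled scan's -p argument against an approved port policy.
"""
import re

# One range token: "1-1024", "-100" (1-100), "1000-" (1000-65535), "-" (all)
_RANGE = re.compile(r"^(\d*)-(\d*)$")
_QUALIFIERS = "TUSP"  # TCP, UDP, SCTP, IP protocol numbers (-sO)


def _expand(token: str) -> set[int]:
    """Expand a single port or range token into a set of port numbers."""
    m = _RANGE.match(token)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else 65535
    elif token.isdigit():
        lo = hi = int(token)
    else:
        # Port names and wildcards (e.g. "http*") exist in nmap but are not
        # handled here; refuse rather than silently guess.
        raise ValueError(f"unsupported port token: {token!r}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {token!r}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {qualifier: ports}; qualifier "" means 'no prefix given'.

    A qualifier persists across following comma-separated items until the
    next qualifier appears, matching the -p example in the nmap help text.
    """
    result: dict[str, set[int]] = {}
    current = ""
    for raw in spec.split(","):
        token = raw.strip()
        if len(token) >= 2 and token[1] == ":" and token[0].upper() in _QUALIFIERS:
            current, token = token[0].upper(), token[2:]
        if not token:
            raise ValueError(f"empty port item in spec: {spec!r}")
        result.setdefault(current, set()).update(_expand(token))
    return result


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs the spec expands to."""
    return sum(len(ports) for ports in parse_port_spec(spec).values())
```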
SERVICE/VERSION DETECTION

| Option | Description |
|---|---|
| `-sV` | Probe open ports to determine service/version info |
| `--version-intensity <level>` | Set from 0 (light) to 9 (try all probes) |
| `--version-light` | Limit to most likely probes (intensity 2) |
| `--version-all` | Try every single probe (intensity 9) |
SCRIPT SCAN

| Option | Description |
|---|---|
| `-sC` | Equivalent to `--script=default` |
| `--script=<Lua scripts>` | `<Lua scripts>` is a comma-separated list of directories, script files or script categories. The scripts are commonly found at /usr/share/nmap/scripts |
| `--script-updatedb` | Update the script database |
OS DETECTION

| Option | Description |
|---|---|
| `-O` | Enable OS detection |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess OS more aggressively |
TIMING AND PERFORMANCE
Options which take `<time>` are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

| Option | Description |
|---|---|
| `-T<0-5>` | Set timing template (higher is faster) |
| `--min-hostgroup/max-hostgroup <size>` | Parallel host scan group sizes |
| `--min-parallelism/max-parallelism <numprobes>` | Probe parallelization |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | Specifies probe round trip time |
| `--max-retries <tries>` | Caps number of port scan probe retransmissions |
| `--host-timeout <time>` | Give up on target after this long |
| `--scan-delay/--max-scan-delay <time>` | Adjust delay between probes |
| `--min-rate <number>` | Send packets no slower than `<number>` per second |
| `--max-rate <number>` | Send packets no faster than `<number>` per second |
FIREWALL/IDS EVASION AND SPOOFING

| Option | Description |
|---|---|
| `-f; --mtu <val>` | Fragment packets (optionally w/given MTU) |
| `-D <decoy1,decoy2[,ME],...>` | Cloak a scan with IP decoys |
| `-S <IP_Address>` | Spoof source address |
| `-e <iface>` | Use specified interface |
| `-g/--source-port <portnum>` | Use given port number |
| `--proxies <url1,[url2],...>` | Relay connections through HTTP/SOCKS4 proxies |
| `--data <hex string>` | Append a custom payload to sent packets |
| `--data-string <string>` | Append a custom ASCII string to sent packets |
| `--data-length <num>` | Append random data to sent packets |
| `--ip-options <options>` | Send packets with specified IP options |
| `--ttl <val>` | Set IP time-to-live field |
| `--spoof-mac <mac address/prefix/vendor name>` | Spoof your MAC address |
| `--badsum` | Send packets with a bogus TCP/UDP/SCTP checksum |
OUTPUT

| Option | Description |
|---|---|
| `-oN/-oX/-oS/-oG <file>` | Output scan in normal, XML, scrIpt kIddi3, and Grepable format, respectively, to the given filename |
| `-oA <basename>` | Output in the three major formats at once |
| `-v` | Increase verbosity level (use `-vv` or more for greater effect) |
| `--open` | Only show open (or possibly open) ports |
| `--append-output` | Append to rather than clobber specified output files |
| `--resume <filename>` | Resume an aborted scan |
| `--stylesheet <path/URL>` | XSL stylesheet to transform XML output to HTML |
| `--webxml` | Reference stylesheet from Nmap.Org for more portable XML |
| `--no-stylesheet` | Prevent associating of XSL stylesheet w/XML output |