nmap
Network exploration tool and security / port scanner
Usage
Usage: nmap [Scan Type(s)] [Options] {target specification}
Options
TARGET SPECIFICATION
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, 192.168.0.1; 10.0.0-255.1-254
| Option | Description |
| --- | --- |
| `-iL <inputfilename>` | Input from list of hosts/networks |
| `--exclude <host1[,host2][,host3],...>` | Exclude hosts/networks |
| `--excludefile <exclude_file>` | Exclude list from file |
HOST DISCOVERY
| Option | Description |
| --- | --- |
| `-sL` | List Scan - simply list targets to scan |
| `-sn` | Ping Scan - disable port scan |
| `-PS/PA/PU/PY[portlist]` | TCP SYN/ACK, UDP or SCTP discovery to given ports |
| `-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
| `-n/-R` | Never do DNS resolution/Always resolve [default: sometimes] |
| `--dns-servers <serv1[,serv2],...>` | Specify custom DNS servers |
| `--traceroute` | Trace hop path to each host |
SCAN TECHNIQUES
| Option | Description |
| --- | --- |
| `-sS/sT/sA/sW/sM` | TCP SYN/Connect()/ACK/Window/Maimon scans |
| `-sU` | UDP Scan |
| `-sN/sF/sX` | TCP Null, FIN, and Xmas scans |
| `--scanflags <flags>` | Customize TCP scan flags |
| `-sO` | IP protocol scan |
PORT SPECIFICATION AND SCAN ORDER
| Option | Description |
| --- | --- |
| `-p <port ranges>` | Only scan specified ports. Ex: `-p22`; `-p1-65535`; `-p U:53,111,137,T:21-25,80,139,8080,S:9` |
| `--exclude-ports <port ranges>` | Exclude the specified ports from scanning |
| `-F` | Fast mode - Scan fewer ports than the default scan |
| `-r` | Scan ports sequentially - don't randomize |
| `--top-ports <number>` | Scan `<number>` most common ports |
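The `-p` syntax is easy to misread: a `T:`, `U:` or `S:` prefix applies to every item that follows it until the next prefix, and items before any prefix apply to all protocols in the scan. The script below is an added example, not nmap's own code, that expands a port spec into one `proto:port` line per port under that rule so the spec can be checked before a long scan. It assumes numeric ports, `lo-hi` ranges and a bare `-` (1-65535) only; service names and wildcards such as `http*` or `[1-1024]` are not handled.

```shell
# Added example, not part of nmap: expand an nmap -p port specification into
# one "proto:port" line per port, the way nmap interprets it. A T:/U:/S:/P:
# prefix applies to every item that follows it until the next prefix; items
# before any prefix apply to all protocols in the scan (shown as "ANY").
# Handled: single ports, lo-hi ranges and a bare "-" (1-65535). Not handled:
# service names and wildcards such as "http*" or "[1-1024]".
expand_portspec() {
  printf '%s\n' "$1" | tr ',' '\n' | awk '
    BEGIN { proto = "ANY" }
    /^$/ { next }                       # tolerate a trailing comma
    {
      item = $0
      if (item ~ /^[TUSP]:/) { proto = substr(item, 1, 1); item = substr(item, 3) }
      if (item == "-")                   { lo = 1; hi = 65535 }
      else if (item ~ /^[0-9]+-[0-9]+$/) { split(item, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
      else if (item ~ /^[0-9]+$/)        { lo = item + 0; hi = lo }
      else { print "unsupported port item: " item > "/dev/stderr"; exit 1 }
      if (lo > hi || hi > 65535) { print "bad range: " item > "/dev/stderr"; exit 1 }
      for (p = lo; p <= hi; p++) print proto ":" p
    }'
}

# Per-protocol port count for a spec, e.g. "S=1 T=8 U=3". Useful before a
# scan: a large U: list is what makes -sU slow, since UDP probes rely on
# retransmissions and ICMP rate limiting on the target.
count_portspec() {
  expand_portspec "$1" | cut -d: -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }' | paste -s -d ' ' -
}
```

Run it as `expand_portspec 'U:53,111,137,T:21-25,80,139,8080,S:9'` to see that `80,139,8080` inherit the `T:` prefix and only `9` is SCTP; `count_portspec` on the same spec gives the per-protocol totals.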
SERVICE/VERSION DETECTION
| Option | Description |
| --- | --- |
| `-sV` | Probe open ports to determine service/version info |
| `--version-intensity <level>` | Set from 0 (light) to 9 (try all probes) |
| `--version-light` | Limit to most likely probes (intensity 2) |
| `--version-all` | Try every single probe (intensity 9) |
SCRIPT SCAN
| Option | Description |
| --- | --- |
| `-sC` | Equivalent to `--script=default` |
| `--script=<Lua scripts>` | `<Lua scripts>` is a comma separated list of directories, script-files or script-categories. The scripts are commonly found at /usr/share/nmap/scripts |
| `--script-updatedb` | Update the script database |
OS DETECTION
| Option | Description |
| --- | --- |
| `-O` | Enable OS detection |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess OS more aggressively |
TIMING AND PERFORMANCE
Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
| Option | Description |
| --- | --- |
| `-T<0-5>` | Set timing template (higher is faster) |
| `--min-hostgroup/max-hostgroup <size>` | Parallel host scan group sizes |
| `--min-parallelism/max-parallelism <numprobes>` | Probe parallelization |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | Specifies probe round trip time |
| `--max-retries <tries>` | Caps number of port scan probe retransmissions |
| `--host-timeout <time>` | Give up on target after this long |
| `--scan-delay/--max-scan-delay <time>` | Adjust delay between probes |
| `--min-rate <number>` | Send packets no slower than `<number>` per second |
| `--max-rate <number>` | Send packets no faster than `<number>` per second |
FIREWALL/IDS EVASION AND SPOOFING
| Option | Description |
| --- | --- |
| `-f; --mtu <val>` | Fragment packets (optionally w/given MTU) |
| `-D <decoy1,decoy2[,ME],...>` | Cloak a scan with IP decoys |
| `-S <IP_Address>` | Spoof source address |
| `-e <iface>` | Use specified interface |
| `-g/--source-port <portnum>` | Use given port number |
| `--proxies <url1,[url2],...>` | Relay connections through HTTP/SOCKS4 proxies |
| `--data <hex string>` | Append a custom payload to sent packets |
| `--data-string <string>` | Append a custom ASCII string to sent packets |
| `--data-length <num>` | Append random data to sent packets |
| `--ip-options <options>` | Send packets with specified ip options |
| `--ttl <val>` | Set IP time-to-live field |
| `--spoof-mac <mac address/prefix/vendor name>` | Spoof your MAC address |
| `--badsum` | Send packets with a bogus TCP/UDP/SCTP checksum |
OUTPUT
| Option | Description |
| --- | --- |
| `-oN/-oX/-oS/-oG <file>` | Output scan in normal, XML, scrIpt kIddi3, and Grepable format, respectively, to the given filename |
| `-oA <basename>` | Output in the three major formats at once |
| `-v` | Increase verbosity level (use `-vv` or more for greater effect) |
| `--open` | Only show open (or possibly open) ports |
| `--append-output` | Append to rather than clobber specified output files |
| `--resume <filename>` | Resume an aborted scan |
| `--stylesheet <path/URL>` | XSL stylesheet to transform XML output to HTML |
| `--webxml` | Reference stylesheet from Nmap.Org for more portable XML |
| `--no-stylesheet` | Prevent associating of XSL stylesheet w/XML output |
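The host discovery, target specification and output options above are normally chained: a ping sweep (`-sn`) saved as grepable output (`-oG`) tells you which hosts are up, that list goes back in through `-iL`, and the follow-up port/version scan is written with `-oA` so all three formats land under one basename. The script below is an added example, not nmap's own code, that implements that two-stage workflow and the two small parsers it needs. The sample output it parses is constructed here so the script runs offline; the host names, addresses and banners in it are invented. Grepable output is convenient for a quick shell filter like this, but nmap documents it as deprecated in favour of XML, so anything more elaborate should parse the `-oX` file instead.

```shell
# Added example, not nmap's own code: a two-stage workflow assembled from the
# options on this page. Stage 1 is a ping sweep (-sn) written as grepable
# output (-oG); the hosts it reports up are fed back through -iL to a port and
# version scan (-sV) that keeps only open ports (--open) and writes all three
# formats under one basename (-oA). The two parsers are exercised on
# constructed sample output so the script runs offline.

# Constructed sample: what `nmap -sn -oG - 10.0.0.0/29` might produce.
SWEEP_SAMPLE=$(printf '# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/29\nHost: 10.0.0.1 (gw.lab)\tStatus: Up\nHost: 10.0.0.2 ()\tStatus: Up\nHost: 10.0.0.5 ()\tStatus: Down\n# Nmap done -- 8 IP addresses (2 hosts up) scanned\n')

# Constructed sample: one Host: line per target of a -sS -sV -oG scan. Each
# Ports: entry is port/state/proto/owner/service/rpc/version, comma separated.
PORTS_SAMPLE=$(printf 'Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1 Debian 2/, 80/open/tcp//http//nginx 1.22.1/, 443/closed/tcp//https///\tIgnored State: filtered (997)\nHost: 10.0.0.2 ()\tPorts: 53/open|filtered/udp//domain///\tIgnored State: closed (99)\n')

# Stage 1 parser: print the IP of every host the sweep reported as up,
# one per line, which is exactly the shape -iL consumes.
live_hosts() {
  awk -F '\t' '/^Host:/ && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Stage 2 parser: print "ip port/proto service version" for every port whose
# state is open or open|filtered (the same set --open keeps).
open_ports() {
  awk -F '\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")      # port/state/proto/owner/service/rpc/version
          if (f[2] ~ /^open/) print ip, f[1] "/" f[3], f[5], f[7]
        }
      }
    }'
}

# The real pipeline. It only runs when a target is given on the command line
# and nmap is installed. -sS needs raw-socket privileges, so substitute -sT
# when not running as root. Example: sh scan.sh 10.0.0.0/29
if [ -n "${1:-}" ] && command -v nmap >/dev/null 2>&1; then
  nmap -sn -oG sweep.gnmap "$1" >/dev/null
  live_hosts < sweep.gnmap > live.txt
  nmap -sS -sV -p 1-1024 --open -iL live.txt -oA svc >/dev/null
  open_ports < svc.gnmap          # svc.gnmap is the -oG member of -oA svc
fi
```

Without a target argument the script only defines the parsers, which can be tried on the embedded samples with `printf '%s\n' "$PORTS_SAMPLE" | open_ports`. The `Ignored State:` field is worth keeping an eye on in real output: a large `filtered` count there usually means a firewall is dropping probes and the `-Pn`, timing and retry settings deserve a second look.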