---
obj: application
website: https://nmap.org
repo: https://github.com/nmap/nmap
---

# nmap

Network exploration tool and security / port scanner

## Usage

Usage: `nmap [Scan Type(s)] [Options] {target specification}`

### Options

#### TARGET SPECIFICATION

Can pass hostnames, IP addresses, networks, etc.

Ex: `scanme.nmap.org`, `192.168.0.1`; `10.0.0-255.1-254`

| Option | Description |
| --------------------------------------- | --------------------------------- |
| `-iL <inputfilename>` | Input from list of hosts/networks |
| `--exclude <host1[,host2][,host3],...>` | Exclude hosts/networks |
| `--excludefile <exclude_file>` | Exclude list from file |

#### HOST DISCOVERY

| Option | Description |
| ----------------------------------- | --------------------------------------------------------------------------------------------------- |
| `-sL` | List Scan - simply list targets to scan |
| `-sn` | Ping Scan - disable port scan |
| `-PS/PA/PU/PY[portlist]` | [TCP](../../../internet/TCP.md) SYN/ACK, [UDP](../../../internet/UDP.md) or SCTP discovery to given ports |
| `-PE/PP/PM` | ICMP echo, timestamp, and netmask request discovery probes |
| `-n/-R` | Never do [DNS](../../../internet/DNS.md) resolution/Always resolve \[default: sometimes] |
| `--dns-servers <serv1[,serv2],...>` | Specify custom [DNS](../../../internet/DNS.md) servers |
| `--traceroute` | Trace hop path to each host |

#### SCAN TECHNIQUES

| Option | Description |
| --------------------- | ------------------------------------------------------------------ |
| `-sS/sT/sA/sW/sM` | [TCP](../../../internet/TCP.md) SYN/Connect()/ACK/Window/Maimon scans |
| `-sU` | [UDP](../../../internet/UDP.md) Scan |
| `-sN/sF/sX` | [TCP](../../../internet/TCP.md) Null, FIN, and Xmas scans |
| `--scanflags <flags>` | Customize [TCP](../../../internet/TCP.md) scan flags |
| `-sO` | IP protocol scan |

#### PORT SPECIFICATION AND SCAN ORDER

| Option | Description |
| ------------------------------- | --------------------------------------------------------------------------------------------- |
| `-p <port ranges>` | Only scan specified ports. Ex: `-p22`; `-p1-65535`; `-p U:53,111,137,T:21-25,80,139,8080,S:9` |
| `--exclude-ports <port ranges>` | Exclude the specified ports from scanning |
| `-F` | Fast mode - Scan fewer ports than the default scan |
| `-r` | Scan ports sequentially - don't randomize |
| `--top-ports <number>` | Scan \<number> most common ports |
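The `-p` syntax above (protocol prefixes, comma lists, closed and open-ended ranges) is worth checking before a scan job runs, for instance to confirm its scope matches what was approved. The parser below is an added example and not nmap code; its handling of ports given before any prefix as an `any` bucket that applies to every protocol the scan covers is an assumption.

```python
"""Parse an nmap -p port specification such as "U:53,111,137,T:21-25,80,139,8080,S:9"."""
from typing import Dict, Set

PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535


def _expand(item: str) -> Set[int]:
    """Expand one item: "22", "21-25", "-100" (1-100), "100-" (100-65535) or "-" (all)."""
    if "-" not in item:
        port = int(item)
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"port out of range: {item}")
        return {port}
    lo_s, hi_s = item.split("-", 1)
    lo = int(lo_s) if lo_s else 1          # "-N" starts at 1 (port 0 needs "0-N")
    hi = int(hi_s) if hi_s else MAX_PORT   # "N-" runs to 65535
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range: {item}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return the selected ports per protocol for a -p argument.

    A T:/U:/S: prefix applies to every following item until the next prefix.
    Items seen before any prefix land in "any" (assumed here to mean: apply to
    every protocol the scan covers).
    """
    result: Dict[str, Set[int]] = {k: set() for k in ("any", "tcp", "udp", "sctp")}
    current = "any"
    for raw in spec.strip().split(","):
        if len(raw) >= 2 and raw[1] == ":" and raw[0].upper() in PROTOCOLS:
            current = PROTOCOLS[raw[0].upper()]
            raw = raw[2:]
        if not raw:
            raise ValueError("empty item in port specification")
        result[current] |= _expand(raw)
    return result
```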
#### SERVICE/VERSION DETECTION

| Option | Description |
| ----------------------------- | -------------------------------------------------- |
| `-sV` | Probe open ports to determine service/version info |
| `--version-intensity <level>` | Set from 0 (light) to 9 (try all probes) |
| `--version-light` | Limit to most likely probes (intensity 2) |
| `--version-all` | Try every single probe (intensity 9) |

#### SCRIPT SCAN

| Option | Description |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-sC` | Equivalent to `--script=default` |
| `--script=<Lua scripts>` | \<Lua scripts> is a comma-separated list of directories, script files or script categories. The scripts are commonly found at `/usr/share/nmap/scripts` |
| `--script-updatedb` | Update the script database |

#### OS DETECTION

| Option | Description |
| ---------------- | --------------------------------------- |
| `-O` | Enable OS detection |
| `--osscan-limit` | Limit OS detection to promising targets |
| `--osscan-guess` | Guess OS more aggressively |

#### TIMING AND PERFORMANCE

Options which take \<time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

| Option | Description |
| -------------------------------------------------------------- | ------------------------------------------------ |
| `-T<0-5>` | Set timing template (higher is faster) |
| `--min-hostgroup/max-hostgroup <size>` | Parallel host scan group sizes |
| `--min-parallelism/max-parallelism <numprobes>` | Probe parallelization |
| `--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>` | Specifies probe round trip time |
| `--max-retries <tries>` | Caps number of port scan probe retransmissions |
| `--host-timeout <time>` | Give up on target after this long |
| `--scan-delay/--max-scan-delay <time>` | Adjust delay between probes |
| `--min-rate <number>` | Send packets no slower than \<number> per second |
| `--max-rate <number>` | Send packets no faster than \<number> per second |

#### FIREWALL/IDS EVASION AND SPOOFING

| Option | Description |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| `-f; --mtu <val>` | Fragment packets (optionally w/given MTU) |
| `-D <decoy1,decoy2[,ME],...>` | Cloak a scan with IP decoys |
| `-S <IP_Address>` | Spoof source address |
| `-e <iface>` | Use specified interface |
| `-g/--source-port <portnum>` | Use given port number |
| `--proxies <url1,[url2],...>` | Relay connections through [HTTP](../../../internet/HTTP.md)/SOCKS4 proxies |
| `--data <hex string>` | Append a custom payload to sent packets |
| `--data-string <string>` | Append a custom [ASCII](../../../files/ASCII.md) string to sent packets |
| `--data-length <num>` | Append random data to sent packets |
| `--ip-options <options>` | Send packets with specified IP options |
| `--ttl <val>` | Set IP time-to-live field |
| `--spoof-mac <mac address/prefix/vendor name>` | Spoof your MAC address |
| `--badsum` | Send packets with a bogus [TCP](../../../internet/TCP.md)/[UDP](../../../internet/UDP.md)/SCTP checksum |

#### OUTPUT

| Option | Description |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| `-oN/-oX/-oS/-oG <file>` | Output scan in normal, [XML](../../../files/XML.md), scrIpt kIddi3, and Grepable format, respectively, to the given filename |
| `-oA <basename>` | Output in the three major formats at once |
| `-v` | Increase verbosity level (use `-vv` or more for greater effect) |
| `--open` | Only show open (or possibly open) ports |
| `--append-output` | Append to rather than clobber specified output files |
| `--resume <filename>` | Resume an aborted scan |
| `--stylesheet <path/URL>` | XSL stylesheet to transform [XML](../../../files/XML.md) output to [HTML](../../../internet/HTML.md) |
| `--webxml` | Reference stylesheet from Nmap.Org for more portable [XML](../../../files/XML.md) |
| `--no-stylesheet` | Prevent associating of XSL stylesheet w/[XML](../../../files/XML.md) output |
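Grepable output (`-oG`) is the format most often fed to scripts. The parser below is an added example (not nmap's own code) that turns constructed `-oG` lines into records and lists open ports missing from a per-host allowlist, which is how a periodic scan of your own network becomes an alert on an unexpected listener; it relies on the seven-field `port/state/protocol/owner/service/rpc info/version` layout of each port entry.

```python
"""Parse nmap grepable (-oG) output and flag open ports outside an allowlist."""
import re
from collections import namedtuple
from typing import Dict, List, Set, Tuple

# Constructed sample of -oG output (two hosts); not real scan data.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/29\n"
    "Host: 192.0.2.10 (web.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, "
    "80/open/tcp//http//nginx 1.24/, 3306/open/tcp//mysql//MySQL 8.0/"
    "\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/"
    "\tIgnored State: closed (999)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.02 seconds\n"
)
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PortRecord = namedtuple("PortRecord", "host hostname port state proto service version")


def parse_grepable(text: str) -> List[PortRecord]:
    """One PortRecord per entry of each line's 'Ports:' field; each entry has
    seven '/'-separated fields: port/state/protocol/owner/service/rpc info/version."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue  # scan start/end comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = HOST_RE.match(line)
        if not m or "Ports" not in fields:
            continue  # "Status: Up" lines carry no ports
        # Split entries only where the next entry starts (digits then '/'),
        # so a comma inside a version string does not break parsing.
        for entry in re.split(r",\s*(?=\d+/)", fields["Ports"]):
            parts = entry.strip().split("/", 6)
            if len(parts) != 7:
                raise ValueError(f"malformed port entry: {entry!r}")
            port, state, proto, _owner, service, _rpc, version = parts
            records.append(PortRecord(m.group(1), m.group(2), int(port), state,
                                      proto, service, version.rstrip("/")))
    return records


def unexpected_open_ports(records: List[PortRecord],
                          allow: Dict[str, Set[Tuple[str, int]]]) -> List[PortRecord]:
    """Open ports that are not in the per-host allowlist of (protocol, port) pairs."""
    return [r for r in records
            if r.state == "open" and (r.proto, r.port) not in allow.get(r.host, set())]
```

Running it over `SAMPLE_GREPABLE` with an allowlist of ssh and http on the first host and DNS on the second reports only the MySQL listener on 192.0.2.10.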