From 066bae76e94c21604fe4132c4ca26e5b2f0c6375 Mon Sep 17 00:00:00 2001 From: Timothy Pearson Date: Wed, 24 Jul 2013 11:29:03 -0500 Subject: Initial import of knmap 2.1 sources --- src/nmap_manpage.html | 1176 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1176 insertions(+) create mode 100644 src/nmap_manpage.html (limited to 'src/nmap_manpage.html') diff --git a/src/nmap_manpage.html b/src/nmap_manpage.html new file mode 100644 index 0000000..9fa59cf --- /dev/null +++ b/src/nmap_manpage.html @@ -0,0 +1,1176 @@ + + +Nmap network security scanner man page + + +

Nmap network security scanner man page

+
+
+
+NMAP(1)                                                                NMAP(1)
+
+
+
+
+
+

NAME

+       nmap - Network exploration tool and security scanner
+
+
+
+

SYNOPSIS

+       nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
+
+
+
+

DESCRIPTION

+       Nmap is designed to allow system administrators and curious individuals
+       to scan large networks to determine which hosts are up  and  what  ser-
+       vices  they  are  offering.   nmap  supports a large number of scanning
+       techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp  proxy
+       (bounce  attack),  ICMP  (ping  sweep),  FIN, ACK sweep, Xmas Tree, SYN
+       sweep, IP Protocol, and Null scan.  See the Scan Types section for more
+       details.  nmap also offers a number of advanced features such as remote
+       OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay
+       and  retransmission  calculations, parallel scanning, detection of down
+       hosts via parallel pings, decoy  scanning,  port  filtering  detection,
+       direct (non-portmapper) RPC scanning, fragmentation scanning, and flex-
+       ible target and port specification.
+
+       Significant effort has been put into decent nmap performance  for  non-
+       root  users.   Unfortunately,  many critical kernel interfaces (such as
+       raw sockets) require root privileges.  nmap should be run as root when-
+       ever possible (not setuid root, of course).
+
+       The  result  of  running nmap is usually a list of interesting ports on
+       the machine(s) being scanned (if any).  Nmap always  gives  the  port’s
+       "well  known"  service name (if any), number, state, and protocol.  The
+       state is either "open", "closed"  "filtered",  or  "unfiltered".   Open
+       means  that  the target machine will accept() connections on that port.
+       Closed ports are not listening for connections (they have  no  applica-
+       tion associated with them).  Filtered means that a firewall, filter, or
+       other network obstacle is covering the port and  preventing  nmap  from
+       determining  whether  the port is open.  Unfiltered means that the port
+       is known by nmap to be closed and no firewall/filter seems to be inter-
+       fering  with  nmap’s  attempts to determine this.  Unfiltered ports are
+       the common case and are only shown when most of the scanned  ports  are
+       in  the filtered state.  In some cases, Nmap cannot distinguish between
+       filtered ports and those that are either open or closed.  For  example,
+       a port that does not respond to a FIN Scan could be either open or fil-
+       tered.   In  these  cases,  Nmap  lists  ports  as  "open|filtered"  or
+       "closed|filtered".
+
+       Depending  on  options used, nmap may also report the following charac-
+       teristics of the remote host: OS in use, TCP  sequentiality,  usernames
+       running  the  programs  which  have  bound  to each port, the DNS name,
+       whether the host is a smurf address, and a few others.
+
+
+
+

OPTIONS

+       Options that make sense  together  can  generally  be  combined.   Some
+       options  are  specific  to certain scan modes.  nmap tries to catch and
+       warn the user about psychotic or unsupported option combinations.
+
+       If you are impatient, you can skip to the examples section at the  end,
+       which  demonstrates common usage.  You can also run nmap -h for a quick
+       reference page listing all the options.
+
+       SCAN TYPES
+
+       -sS    TCP SYN scan: This technique is often referred to as "half-open"
+              scanning, because you don’t open a full TCP connection. You send
+              a SYN packet, as if you are going to open a real connection  and
+              you wait for a response. A SYN|ACK indicates the port is listen-
+              ing. A RST is indicative of a non-listener.   If  a  SYN|ACK  is
+              received,  a RST is immediately sent to tear down the connection
+              (actually our OS kernel does this for us). The primary advantage
+              to  this  scanning  technique  is  that fewer sites will log it.
+              Unfortunately you need root privileges to build these custom SYN
+              packets.  This is the default scan type for privileged users.
+
+       -sT    TCP connect() scan: This is the most basic form of TCP scanning.
+              The connect() system call provided by your operating  system  is
+              used  to  open  a  connection  to  every interesting port on the
+              machine. If the port is listening, connect() will succeed,  oth-
+              erwise  the  port  isn’t reachable. One strong advantage to this
+              technique is that you don’t need  any  special  privileges.  Any
+              user on most UNIX boxes is free to use this call.
+
+              This  sort of scan is easily detectable as target host logs will
+              show a bunch of connection and error messages for  the  services
+              which  accept() the connection just to have it immediately shut-
+              down.  This is the default scan type for unprivileged users.
+
+       -sF -sX -sN
+              Stealth FIN, Xmas Tree, or Null scan modes: There are times when
+              even  SYN  scanning isn’t clandestine enough. Some firewalls and
+              packet filters watch for SYNs to restricted ports, and  programs
+              like Synlogger and Courtney are available to detect these scans.
+              These advanced scans, on the other hand, may  be  able  to  pass
+              through unmolested.
+
+              The  idea  is  that  closed  ports are required to reply to your
+              probe packet with an RST, while open ports must ignore the pack-
+              ets in question (see RFC 793 pp 64).  Filered ports also tend to
+              drop  probes  without  a  response,  so  Nmap  considers   ports
+              "open|filtered"  when  it  fails to elicit any response.  If you
+              add version detection (-sV), it will try to verify  whether  the
+              ports  are  actually  open  and change the state as appropriate.
+              The FIN scan uses a bare (surprise) FIN  packet  as  the  probe,
+              while  the Xmas tree scan turns on the FIN, URG, and PUSH flags.
+              The Null scan turns  off  all  flags.   Unfortunately  Microsoft
+              (like  usual)  decided  to completely ignore the standard and do
+              things their own way.  Thus this scan type will not work against
+              systems  running  Windows95/NT.  On the positive side, this is a
+              good way to distinguish between the two platforms.  If the  scan
+              finds open ports, you know the machine is not a Windows box.  If
+              a -sF,-sX,or -sN scan shows all ports closed, yet  a  SYN  (-sS)
+              scan  shows  ports  being  opened, you are probably looking at a
+              Windows box.  This is less useful now that nmap  has  proper  OS
+              detection built in.  There are also a few other systems that are
+              broken in the same way Windows is.  They  include  Cisco,  BSDI,
+              HP/UX,  MVS,  and  IRIX.   All of the above send resets from the
+              open ports when they should just drop the packet.
+
+       -sP    Ping scanning: Sometimes you only want to know which hosts on  a
+              network  are  up.  Nmap can do this by sending ICMP echo request
+              packets to every IP address on the networks you specify.   Hosts
+              that   respond  are  up.   Unfortunately,  some  sites  such  as
+              microsoft.com block echo request packets.  Thus  nmap  can  also
+              send a TCP ack packet to (by default) port 80.  If we get an RST
+              back, that machine is up.  A third technique involves sending  a
+              SYN  packet  and  waiting  for a RST or a SYN/ACK.  For non-root
+              users, a connect() method is used.
+
+              By default (for root users), nmap uses both  the  ICMP  and  ACK
+              techniques  in  parallel.   You  can  change  these  with the -P
+              options described later.
+
+              Note that pinging is done by default anyway, and only hosts that
+              respond  are  scanned.  Only use this option if you wish to ping
+              sweep without doing any actual port scans.
+
+       -sV    Version detection: After TCP and/or  UDP  ports  are  discovered
+              using  one of the other scan methods, version detection communi-
+              cates with those ports to try and determine more about  what  is
+              actually  running.  A file called nmap-service-probes is used to
+              determine the best probes for detecting various services and the
+              match  strings  to  expect.  Nmap tries to determine the service
+              protocol (e.g. ftp, ssh, telnet,  http),  the  application  name
+              (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version num-
+              ber, and sometimes  miscellaneous  details  like  whether  an  X
+              server  is open to connections or the SSH protocol version).  If
+              Nmap was compiled with OpenSSL support, it will connect  to  SSL
+              servers  to  deduce the service listening behind the encryption.
+              When RPC services are discovered, the Nmap RPC grinder  is  used
+              to  determine  the  RPC  program  and version numbers.  Some UDP
+              ports are left in the "open|filtered" state after a UDP scan  is
+              unable  to determine whether the port is open or filtered.  Ver-
+              sion detection will try to elicit a response  from  these  ports
+              (just  as it does with open ports), and change the state to open
+              if it succeeds. Note that the Nmap -A option also  enables  this
+              feature.   For  a much more detailed description of Nmap service
+              detection, read our paper  at  http://www.insecure.org/nmap/ver-
+              sionscan.html .  There is a related --version_trace option which
+              causes Nmap to print out extensive  debugging  info  about  what
+              version  scanning  is  doing (this is a subset of what you would
+              get with --packet_trace).
+
+       -sU    UDP scans: This method is used  to  determine  which  UDP  (User
+              Datagram Protocol, RFC 768) ports are open on a host.  The tech-
+              nique is to send 0 byte UDP packets to each port on  the  target
+              machine.   If  we receive an ICMP port unreachable message, then
+              the port is closed.  If a UDP response is received to the  probe
+              (unusual),  the port is open.  If we get no response at all, the
+              state is "open|filtered", meaning that the port is  either  open
+              or packet filters are blocking the communication.  Versions scan
+              (-sV) can be used to help differentiate  the  truly  open  ports
+              from the filtered ones.
+
+              Some  people  think  UDP scanning is pointless. I usually remind
+              them of the Solaris rpcbind hole. Rpcbind can be found hiding on
+              an  undocumented  UDP  port somewhere above 32770. So it doesn’t
+              matter that 111 is blocked by the firewall.  But  can  you  find
+              which  of  the  more  than 30,000 high ports it is listening on?
+              With a UDP scanner you can!  There is also the cDc Back  Orifice
+              backdoor  program which hides on a configurable UDP port on Win-
+              dows machines.  Not to mention the many commonly vulnerable ser-
+              vices that utilize UDP such as snmp, tftp, NFS, etc.
+
+              Unfortunately  UDP  scanning  is  sometimes painfully slow since
+              most hosts implement a suggestion in RFC 1812 (section  4.3.2.8)
+              of limiting the ICMP error message rate.  For example, the Linux
+              kernel (in net/ipv4/icmp.h) limits destination unreachable  mes-
+              sage  generation  to 80 per 4 seconds, with a 1/4 second penalty
+              if that is exceeded.  Solaris has much more strict limits (about
+              2 messages per second) and thus takes even longer to scan.  nmap
+              detects this rate limiting and slows  down  accordingly,  rather
+              than flood the network with useless packets that will be ignored
+              by the target machine.
+
+              As is typical, Microsoft ignored the suggestion of the  RFC  and
+              does  not  seem  to  do any rate limiting at all on Win95 and NT
+              machines.  Thus we can scan all 65K ports of a  Windows  machine
+              very quickly.  Whoop!
+
+
+       -sO    IP  protocol  scans:  This  method is used to determine which IP
+              protocols are supported on a host.  The technique is to send raw
+              IP packets without any further protocol header to each specified
+              protocol on the target machine.  If we receive an ICMP  protocol
+              unreachable message, then the protocol is not in use.  Otherwise
+              we assume it is open.  Note that some hosts (AIX, HP-UX, Digital
+              UNIX)  and firewalls may not send protocol unreachable messages.
+              This causes all of the protocols to appear "open".
+
+              Because the implemented technique is very similar  to  UDP  port
+              scanning,  ICMP  rate limit might apply too. But the IP protocol
+              field has only 8 bits, so at most 256 protocols  can  be  probed
+              which should be possible in reasonable time anyway.
+
+       -sI <zombie host[:probeport]>
+              Idlescan: This advanced scan method allows for a truly blind TCP
+              port scan of the target (meaning no packets are sent to the tar-
+              get  from your real IP address).  Instead, a unique side-channel
+              attack exploits predictable "IP fragmentation ID" sequence  gen-
+              eration  on  the zombie host to glean information about the open
+              ports on the target.  IDS systems will display the scan as  com-
+              ing  from  the  zombie machine you specify (which must be up and
+              meet certain criteria).  I wrote an informal  paper  about  this
+              technique at http://www.insecure.org/nmap/idlescan.html .
+
+              Besides   being  extraordinarily  stealthy  (due  to  its  blind
+              nature), this scan type permits mapping out IP-based trust rela-
+              tionships  between  machines.  The port listing shows open ports
+              from the perspective of the zombie host.  So you can  try  scan-
+              ning  a  target  using  various  zombies that you think might be
+              trusted (via router/packet filter  rules).   Obviously  this  is
+              crucial  information  when  prioritizing attack targets.  Other-
+              wise, you penetration testers might have to expend  considerable
+              resources "owning" an intermediate system, only to find out that
+              its IP isn’t even trusted by the  target  host/network  you  are
+              ultimately after.
+
+              You  can  add  a  colon followed by a port number if you wish to
+              probe a particular port on the zombie  host  for  IPID  changes.
+              Otherwise  Nmap  will  use  the port it uses by default for "tcp
+              pings".
+
+       -sA    ACK scan: This advanced method is usually used to map out  fire-
+              wall  rulesets.   In particular, it can help determine whether a
+              firewall is stateful or just a simple packet filter that  blocks
+              incoming SYN packets.
+
+              This scan type sends an ACK packet (with random looking acknowl-
+              edgment/sequence numbers) to the  ports  specified.   If  a  RST
+              comes back, the ports is classified as "unfiltered".  If nothing
+              comes back (or if an ICMP unreachable is returned), the port  is
+              classified  as "filtered".  Note that nmap usually doesn’t print
+              "unfiltered" ports, so getting no ports shown in the  output  is
+              usually  a  sign  that  all the probes got through (and returned
+              RSTs). This scan will obviously never show ports in  the  "open"
+              state.
+
+       -sW    Window scan: This advanced scan is very similar to the ACK scan,
+              except that it can sometimes detect open ports as well  as  fil-
+              tered/unfiltered  due  to  an  anomaly  in  the  TCP window size
+              reporting by some operating systems.  Systems vulnerable to this
+              include  at least some versions of AIX, Amiga, BeOS, BSDI, Cray,
+              Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX,  OS/2,
+              IRIX,  MacOS,  NetBSD,  OpenBSD,  OpenStep, QNX, Rhapsody, SunOS
+              4.X, Ultrix, VAX, and VxWorks.   See  the  nmap-hackers  mailing
+              list archive for a full list.
+
+       -sR    RPC  scan.   This  method  works in combination with the various
+              port scan methods of Nmap.  It takes all the TCP/UDP ports found
+              open  and  then floods them with SunRPC program NULL commands in
+              an attempt to determine whether they are RPC ports, and  if  so,
+              what  program  and  version  number they serve up.  Thus you can
+              effectively obtain the same info as "rpcinfo  -p"  even  if  the
+              target’s  portmapper  is  behind a firewall (or protected by TCP
+              wrappers).  Decoys do not currently work with RPC scan, at  some
+              point  I may add decoy support for UDP RPC scans.  This is auto-
+              matically enabled as part of version scan (-sV) if  you  request
+              that.
+
+       -sL    List scan.  This method simply generates and prints a list of IP
+              addresses or hostnames without actually pinging or port scanning
+              them.   DNS name resolution will be performed unless you use -n.
+
+       -b <ftp relay host>
+              FTP bounce attack: An interesting "feature" of the ftp  protocol
+              (RFC  959)  is  support  for  "proxy"  ftp connections. In other
+              words, I should be able to connect  from  evil.com  to  the  FTP
+              server  of  target.com  and  request that the server send a file
+              ANYWHERE on the Internet!  Now this may have worked well in 1985
+              when the RFC was written. But in today’s Internet, we can’t have
+              people hijacking ftp servers and requesting that  data  be  spit
+              out  to arbitrary points on the Internet. As *Hobbit* wrote back
+              in 1995, this protocol flaw  "can  be  used  to  post  virtually
+              untraceable  mail  and news, hammer on servers at various sites,
+              fill up disks, try to hop firewalls, and generally  be  annoying
+              and  hard  to track down at the same time." What we will exploit
+              this for is to  (surprise,  surprise)  scan  TCP  ports  from  a
+              "proxy"  ftp  server.  Thus  you  could connect to an ftp server
+              behind a firewall, and then scan ports that are more  likely  to
+              be blocked (139 is a good one). If the ftp server allows reading
+              from and writing to some directory (such as /incoming), you  can
+              send arbitrary data to ports that you do find open (nmap doesn’t
+              do this for you though).
+
+              The argument passed to the "b" option is the host  you  want  to
+              use  as a proxy, in standard URL notation.  The format is: user-
+              name:password@server:port.  Everything but server  is  optional.
+              To determine what servers are vulnerable to this attack, you can
+              see my article in Phrack 51.  An updated version is available at
+              the nmap URL (http://www.insecure.org/nmap).
+
+       GENERAL OPTIONS
+              None  of  these are required but some can be quite useful.  Note
+              that the -P options can now be combined -- you can increase your
+              odds of penetrating strict firewalls by sending many probe types
+              using different TCP ports/flags and ICMP codes.
+
+       -P0    Do not try to ping hosts at  all  before  scanning  them.   This
+              allows  the  scanning  of  networks  that  don’t allow ICMP echo
+              requests (or responses) through their  firewall.   microsoft.com
+              is  an example of such a network, and thus you should always use
+              -P0 or -PS80 when portscanning microsoft.com.  Note that  "ping"
+              in  this context may involve more than the traditional ICMP echo
+              request packet.  Nmap supports many such probes, including arbi-
+              trary  combinations  of  TCP, UDP, and ICMP probes.  By default,
+              Nmap sends an ICMP echo request and a TCP ACK packet to port 80.
+
+       -PA [portlist]
+              Use  TCP  ACK "ping" to determine what hosts are up.  Instead of
+              sending ICMP echo request packets and waiting for a response, we
+              spew  out TCP ACK packets throughout the target network (or to a
+              single machine) and then wait for  responses  to  trickle  back.
+              Hosts  that  are up should respond with a RST.  This option pre-
+              serves the efficiency of only scanning hosts that are  up  while
+              still  allowing you to scan networks/hosts that block ping pack-
+              ets.  For non root UNIX users, we use connect() and thus  a  SYN
+              is  actually  being  sent.   To set the destination ports of the
+              probe packets use -PA<port1>[,port2][...].  The default port  is
+              80,  since  this port is often not filtered out.  Note that this
+              option now accepts multiple, comma-separated port numbers.
+
+       -PS [portlist]
+              This option uses SYN (connection request) packets instead of ACK
+              packets for root users.  Hosts that are up should respond with a
+              RST (or, rarely, a SYN|ACK).  You can set the destination  ports
+              in the same manner as -PA above.
+
+       -PR    This  option  specifies  a  raw ethernet ARP ping.  It cannot be
+              used in combination with any of the other ping types.  When  the
+              target  machines  are on the same network you are scanning from,
+              this is the fastest and most reliable (because it goes below IP-
+              level  filters) ping method.  Nmap sends an IPv4-to-Ethernet ARP
+              request for each target IP, and watches for  any  ARP  response.
+              -PU  [portlist]  This  option  sends UDP probes to the specified
+              hosts, expecting an ICMP port unreachable packet (or possibly  a
+              UDP response if the port is open) if the host is up.  Since many
+              UDP services won’t reply to an empty packet, your best bet might
+              be  to send this to expected-closed ports rather than open ones.
+
+       -PE    This option uses a true ping (ICMP  echo  request)  packet.   It
+              finds  hosts  that  are  up  and  also looks for subnet-directed
+              broadcast addresses on your network.   These  are  IP  addresses
+              which  are  externally reachable and translate to a broadcast of
+              incoming IP packets to a subnet of computers.  These  should  be
+              eliminated if found as they allow for numerous denial of service
+              attacks (Smurf is the most common).
+
+       -PP    Uses an ICMP timestamp request (type 13) packet to find  listen-
+              ing hosts.
+
+       -PM    Same  as  -PE  and  -PP except uses a netmask request (ICMP type
+              17).
+
+       -PB    This is the default ping type.  It uses both the ACK ( -PA ) and
+              ICMP  echo request ( -PE ) sweeps in parallel.  This way you can
+              get firewalls that filter either one (but not  both).   The  TCP
+              probe destination port can be set in the same manner as with -PA
+              above.  Note that this flag is now deprecated as pingtype  flags
+              can now be used in combination.  So you should use both "PE" and
+              "PA" (or rely on the default  behavior)  to  achieve  this  same
+              effect.
+
+       -O     This option activates remote host identification via TCP/IP fin-
+              gerprinting.  In other words, it uses a bunch of  techniques  to
+              detect  subtleties  in  the  underlying operating system network
+              stack of the computers you are scanning.  It uses this  informa-
+              tion  to  create  a  "fingerprint"  which  it  compares with its
+              database of  known  OS  fingerprints  (the  nmap-os-fingerprints
+              file) to decide what type of system you are scanning.
+
+              If  Nmap  is unable to guess the OS of a machine, and conditions
+              are good (e.g. at least one open port), Nmap will provide a  URL
+              you can use to submit the fingerprint if you know (for sure) the
+              OS running on the machine.  By doing this you contribute to  the
+              pool of operating systems known to nmap and thus it will be more
+              accurate for everyone.  Note that if you leave an IP address  on
+              the form, the machine may be scanned when we add the fingerprint
+              (to validate that it works).
+
+              The -O option also enables several  other  tests.   One  is  the
+              "Uptime"  measurement,  which uses the TCP timestamp option (RFC
+              1323) to guess when a machine was last rebooted.  This  is  only
+              reported for machines which provide this information.
+
+              Another  test enabled by -O is TCP Sequence Predictability Clas-
+              sification.  This is a measure that describes approximately  how
+              hard  it  is  to  establish  a forged TCP connection against the
+              remote host.  This is  useful  for  exploiting  source-IP  based
+              trust  relationships (rlogin, firewall filters, etc) or for hid-
+              ing the source of an attack.  The actual  difficulty  number  is
+              based  on  statistical sampling and may fluctuate.  It is gener-
+              ally better to use the English classification  such  as  "worthy
+              challenge"  or  "trivial joke".  This is only reported in normal
+              output with -v.
+
+              When verbose mode (-v) is on with -O, IPID  Sequence  Generation
+              is also reported.  Most machines are in the "incremental" class,
+              which means that they increment the "ID" field in the IP  header
+              for  each  packet they send.  This makes them vulnerable to sev-
+              eral advanced information gathering and spoofing attacks.
+
+       --osscan_limit
+              OS detection is far more effective if at least one open and  one
+              closed  TCP  port  are found.  Set this option and Nmap will not
+              even try OS detection against hosts that do not meet this crite-
+              ria.   This can save substantial time, particularly on -P0 scans
+              against many hosts.   It  only  matters  when  OS  detection  is
+              requested (-O or -A options).
+
+       -A     This  option  enables  _a_dditional  _a_dvanced and _a_ggressive
+              options.  I haven’t decided exactly which it stands for yet  :).
+              Presently  this  enables  OS Detection (-O) and version scanning
+              (-sV).  More features may be added in the future.  The point  is
+              to  enable  a  comprehensive  set of scan options without people
+              having to remember a large  set  of  flags.   This  option  only
+              enables  features,  and not timing options (such as -T4) or ver-
+              bosity options (-v) that you might wan’t as well.
+
+       -6     This options enables IPv6 support.  All targets must be IPv6  if
+              this  option  is  used, and they can be specified via normal DNS
+              name  (AAAA  record)  or  as  a  literal  IP  address  such   as
+              3ffe:501:4819:2000:210:f3ff:fe03:4d0 .  Currently, connect() TCP
+              scan and TCP connect() Ping scan are supported.  If you need UDP
+              or  other  scan  types,  have  a  look  at  http://nmap6.source-
+              forge.net/ .
+
+       --send_eth
+              Asks Nmap to send packets at the raw ethernet (data link)  layer
+              rather  than  the  higher  IP (network) layer.  By default, Nmap
+              chooses the one which is generally best for the platform  it  is
+              running on.  Raw sockets (IP layer) are generally most efficient
+              for UNIX machines, while ethernet frames work best on  the  many
+              Windows  versions  where Microsoft has disabled raw sockets sup-
+              port.  Nmap still uses raw IP packets when  there  is  no  other
+              choice (such as non-ethernet connections).
+
+       --send_ip
+              Asks Nmap to send packets via raw IP sockets rather than sending
+              lower level ethernet  frames.   It  is  the  complement  to  the
+              --send-eth option.discussed previously.
+
+       --spoof_mac [mac, prefix, or vendor substring]
+              Ask  Nmap to use the given MAC address for all of the raw ether-
+              net frames it sends.  The MAC given can  take  several  formats.
+              If it is simply the string "0", Nmap chooses a completely random
+              MAC for the session.  If the given string is an even  number  of
+              hex  digits  (with  the  pairs optionally separated by a colon),
+              Nmap will use those as the MAC.  If less than 12 hex digits  are
+              provided, Nmap fills in the remainder of the 6 bytes with random
+              values.  If the argument isn’t a 0 or  hex  string,  Nmap  looks
+              through  the  nmap-mac-prefixes to find a vendor name containing
+              the given string (it is case insensitive).  If a match is found,
+              Nmap  uses  the  vendor’s  OUI (3-byte prefix) and fills out the
+              remaining 3 bytes randomly.  Valid --spoof_mac argument examples
+              are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2",
+              and "Cisco".
+
+       -f     This option causes the requested scan (including ping scans)  to
+              use tiny fragmented IP packets.  The idea is to split up the TCP
+              header over several packets to make it harder  for  packet  fil-
+              ters,  intrusion  detection  systems,  and  other  annoyances to
+              detect what you are doing. Be careful with this!  Some  programs
+              have trouble handling these tiny packets. The old-school sniffer
+              named Sniffit segmentation faulted  immediately  upon  receiving
+              the  first  fragment.  Specify this option once, and Nmap splits
+              the packets into 8 bytes or less after  the  IP  header.   So  a
+              20-byte TCP header would be split into 3 packets.
+               Two  with eight bytes of the TCP header, and one with the final
+              four.  Of course each fragment also has an IP  header.   Specify
+              -f  again  to  use 16 bytes per fragment (reducing the number of
+              fragments).  Or you can specify your own offset  size  with  the
+              --mtu option.  Don’t also specify -f if you use --mtu.  The off-
+              set must be a multiple of 8.  While fragmented packets won’t get
+              by  packet  filters  and  firewalls that queue all IP fragments,
+              such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux  kernel,
+              some  networks  can’t afford the performance hit this causes and
+              thus leave it disabled.  Some source systems defragment outgoing
+              packets  in  the  kernel.   Linux  with the ip tables connection
+              tracking module is one such example.  Do a scan with  a  sniffer
+              such  as  ethereal running to ensure that sent packets are frag-
+              mented.
+
+              Note that I do not yet have this option working on all  systems.
+              It  works fine for my Linux, FreeBSD, and OpenBSD boxes and some
+              people have reported success with other *NIX variants.
+
+       -v     Verbose mode.  This is a highly recommended option and it  gives
+              out  more  information  about  what is going on.  You can use it
+              twice for greater effect.  You can also use -d a  few  times  if
+              you really want to get crazy with scrolling the screen!
+
+       -h     This handy option display a quick reference screen of nmap usage
+              options.  As you may have noticed, this man page is not  exactly
+              a "quick reference" :)
+
+       -oN <logfilename>
+              This  logs  the results of your scans in a normal human readable
+              form into the file you specify as an argument.
+
+       -oX <logfilename>
+              This logs the results of your scans in XML form  into  the  file
+              you specify as an argument.  This allows programs to easily cap-
+              ture and interpret Nmap results.  You can give the argument  "-"
+              (without   quotes)  to  shoot  output  into  stdout  (for  shell
+              pipelines, etc).  In this case normal output will be suppressed.
+              Watch out for error messages if you use this (they will still go
+              to stderr).  Also note that "-v" may cause some  extra  informa-
+              tion to be printed.  The Document Type Definition (DTD) defining
+              the  XML  output  structure  is  available  at  http://www.inse-
+              cure.org/nmap/data/nmap.dtd .
+
+       --stylesheet <filename>
+              Nmap  ships with an XSL stylesheet named nmap.xsl for viewing or
+              translating XML output to HTML.  The XML output includes an xml-
+              stylesheet  directive which points to nmap.xml where it was ini-
+              tially installed by Nmap (or in the current working directory on
+              Windows).  Simply load Nmap’s XML output in a modern web browser
+              and it should retrieve nmap.xsl from the filesystem and  use  it
+              to  render  results.  If you wish to use a different stylesheet,
+              specify it as the argument to --stylesheet.  You must  pass  the
+              full  pathname  or  URL.   One common invocation is --stylesheet
+              http://www.insecure.org/nmap/data/nmap.xsl  .   This   tells   a
+              browser  to load the latest version of the stylesheet from Inse-
+              cure.Org.  This makes it easier to view  results  on  a  machine
+              that  doesn’t  have  Nmap (and thus nmap.xsl) installed.  So the
+              URL is often more useful, but the local  filesystem  locaton  of
+              nmap.xsl is used by default for privacy reasons.
+
+       --no_stylesheet
+              Specify  this  option  to  prevent Nmap from associating any XSL
+              stylesheet with its XML output.  The xml-stylesheet directive is
+              omitted.
+
+       -oG <logfilename>
+              This  logs the results of your scans in a grepable form into the
+              file you specify as an argument.  This  simple  format  provides
+              all the information on one line (so you can easily grep for port
+              or OS information and see all the IPs.  This used to be the pre-
+              ferred  mechanism for programs to interact with Nmap, but now we
+              recommend XML output (-oX instead).  This simple format may  not
+              contain  as much information as the other formats.  You can give
+              the argument "-" (without quotes) to shoot  output  into  stdout
+              (for  shell pipelines, etc).  In this case normal output will be
+              suppressed.  Watch out for error messages if you use this  (they
+              will  still  go to stderr).  Also note that "-v" will cause some
+              extra information to be printed.
+
+       -oA <basefilename>
+              This tells Nmap  to  log  in  ALL  the  major  formats  (normal,
+              grepable,  and  XML).  You give a base for the filename, and the
+              output files will be base.nmap, base.gnmap, and base.xml.
+
+       -oS <logfilename>
+              thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto
+              THe  fiL3  U sPecfy 4s an arGuMEnT!  U kAn gIv3 the 4rgument "-"
+              (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
+
+       --resume <logfilename>
+              A network scan that is canceled due to control-C,  network  out-
+              age,  etc.  can  be  resumed using this option.  The logfilename
+              must be either a normal (-oN) or grepable  (-oG)  log  from  the
+              aborted  scan.   No other options can be given (they will be the
+              same as the aborted scan).  Nmap will start on the machine after
+              the last one successfully scanned in the log file.
+
+       --exclude <host1 [,host2][,host3],...">
+              Specifies  a  list  of  targets  (hosts, ranges, netblocks) that
+              should be excluded from a scan. Useful  to  keep  from  scanning
+              yourself, your ISP, particularly sensitive hosts, etc.
+
+       --excludefile <exclude_file>
+              Same  functionality  as  the --exclude option, only the excluded
+              targets are provided in an newline-delimited exclude_file rather
+              than on the command line.
+
+       --allports
+              Causes  version  detection  (-sV)  to scan all open ports found,
+              including those excluded as dangerous (likely to  cause  crashes
+              or other problems) in nmap-service-probes.
+
+       --append_output
+              Tells  Nmap  to append scan results to any output files you have
+              specified rather than overwriting those files.
+
+       -iL <inputfilename>
+              Reads target specifications from the file specified RATHER  than
+              from  the  command line.  The file should contain a list of host
+              or network expressions separated by spaces, tabs,  or  newlines.
+              Use  a hyphen (-) as inputfilename if you want nmap to read host
+              expressions from stdin (like at the end of  a  pipe).   See  the
+              section target specification for more information on the expres-
+              sions you fill the file with.
+
+       -iR <num hosts>
+              This option tells Nmap to generate its own hosts to scan by sim-
+              ply  picking  random  numbers  :).   It will never end after the
+              given number of IPs has been scanned -- use 0 for a never-ending
+              scan.  This option can be useful for statistical sampling of the
+              Internet to estimate various things.  If  you  are  ever  really
+              bored,  try  nmap -sS -PS80 -iR 0 -p 80 to find some web servers
+              to look at.
+
+       -p <port ranges>
+              This option specifies what ports you want to specify. For  exam-
+              ple  "-p  23"  will only try port 23 of the target host(s).  "-p
+              20-30,139,60000-" scans ports between 20 and 30, port  139,  and
+              all  ports greater than 60000.  The default is to scan all ports
+              between 1 and 1024 as well as any ports listed in  the  services
+              file  which  comes  with  nmap.  For IP protocol scanning (-sO),
+              this specifies the protocol number you wish to scan for (0-255).
+
+              When scanning both TCP and UDP ports, you can specify a particu-
+              lar protocol by preceding the port numbers by "T:" or "U:".  The
+              qualifier  lasts until you specify another qualifier.  For exam-
+              ple, the argument  "-p  U:53,111,137,T:21-25,80,139,8080"  would
+              scan  UDP ports 53,111,and 137, as well as the listed TCP ports.
+              Note that to scan both UDP & TCP, you have to specify -sU and at
+              least  one TCP scan type (such as -sS, -sF, or -sT).  If no pro-
+              tocol qualifier is given, the port numbers are added to all pro-
+              tocol lists.
+
+       -F Fast scan mode.
+              Specifies  that  you  only  wish to scan for ports listed in the
+              services file which comes with nmap (or the protocols  file  for
+              -sO).   This  is  obviously  much faster than scanning all 65535
+              ports on a host.
+
+       -D <decoy1 [,decoy2][,ME],...>
+              Causes a decoy scan to be performed which makes it appear to the
+              remote  host that the host(s) you specify as decoys are scanning
+              the target network too.  Thus their IDS might report  5-10  port
+              scans from unique IP addresses, but they won’t know which IP was
+              scanning them and which were innocent decoys.  While this can be
+              defeated  through  router  path  tracing, response-dropping, and
+              other "active" mechanisms, it is generally an  extremely  effec-
+              tive technique for hiding your IP address.
+
+              Separate each decoy host with commas, and you can optionally use
+              "ME" as one of the decoys to represent  the  position  you  want
+              your IP address to be used.  If you put "ME" in the 6th position
+              or later,  some  common  port  scan  detectors  (such  as  Solar
+              Designer’s  excellent  scanlogd)  are  unlikely  to show your IP
+              address at all.  If you don’t use "ME", nmap will put you  in  a
+              random position.
+
+              Note  that the hosts you use as decoys should be up or you might
+              accidentally SYN flood your targets.  Also  it  will  be  pretty
+              easy to determine which host is scanning if only one is actually
+              up on the network.  You might want to use IP  addresses  instead
+              of  names  (so  the  decoy networks don’t see you in their name-
+              server logs).
+
+              Also note that some "port  scan  detectors"  will  firewall/deny
+              routing  to  hosts that attempt port scans.  The problem is that
+              many scan types can be forged (as this option demonstrates).  So
+              attackers  can  cause  such a machine to sever connectivity with
+              important hosts such as its internet gateway, DNS  TLD  servers,
+              sites  like  Windows  Update,  etc.   Most  such software offers
+              whitelist capabilities, but you are unlikely to enumerate all of
+              the  critical machines.  For this reason we never recommend tak-
+              ing action against port scans that can be forged, including  SYN
+              scans,  UDP  scans,  etc.  The machine you block could just be a
+              decoy.
+
+              Decoys are used both in the initial ping scan (using ICMP,  SYN,
+              ACK,  or  whatever)  and  during the actual port scanning phase.
+              Decoys are also used during remote OS detection ( -O ).
+
+              It is worth noting that using too many decoys may slow your scan
+              and  potentially  even  make  it less accurate.  Also, some ISPs
+              will filter out your spoofed packets, although  many  (currently
+              most) do not restrict spoofed IP packets at all.
+
+       -S <IP_Address>
+              In  some  circumstances,  nmap may not be able to determine your
+              source address ( nmap will tell you if this is  the  case).   In
+              this  situation,  use  -S with your IP address (of the interface
+              you wish to send packets through).
+
+              Another possible use of this flag is to spoof the scan  to  make
+              the targets think that someone else is scanning them.  Imagine a
+              company being repeatedly port scanned by a competitor!  This  is
+              not  a  supported  usage  (or the main purpose) of this flag.  I
+              just think it raises  an  interesting  possibility  that  people
+              should  be aware of before they go accusing others of port scan-
+              ning them.  -e would generally be  required  for  this  sort  of
+              usage.
+
+       -e <interface>
+              Tells  nmap what interface to send and receive packets on.  Nmap
+              should be able to detect this but it will tell you if it cannot.
+
+       --source_port <portnumber>
+              Sets  the source port number used in scans.  Many naive firewall
+              and packet filter installations make an exception in their rule-
+              set  to  allow DNS (53) or FTP-DATA (20) packets to come through
+              and establish a connection.  Obviously this completely  subverts
+              the security advantages of the firewall since intruders can just
+              masquerade as FTP or DNS by modifying their source port.   Obvi-
+              ously  for  a  UDP  scan  you  should try 53 first and TCP scans
+              should try 20 before 53.  Note that this is only  a  request  --
+              nmap will honor it only if and when it is able to.  For example,
+              you can’t do TCP ISN sampling all  from  one  host:port  to  one
+              host:port, so nmap changes the source port even if you used this
+              option.  This is an alias for the shorter, but harder to  remem-
+              ber, -g option.
+
+              Be aware that there is a small performance penalty on some scans
+              for using this option, because I sometimes store useful informa-
+              tion in the source port number.
+
+       --data_length <number>
+              Normally  Nmap  sends  minimalistic  packets that only contain a
+              header.  So its TCP packets are generally 40 bytes and ICMP echo
+              requests  are  just  28.   This  option tells Nmap to append the
+              given number of random bytes to most of the  packets  it  sends.
+              OS detection (-O) packets are not affected, but most pinging and
+              portscan packets are.   This  slows  things  down,  but  can  be
+              slightly less conspicuous.
+
+       -n     Tells  Nmap  to NEVER do reverse DNS resolution on the active IP
+              addresses it finds.  Since DNS is  often  slow,  this  can  help
+              speed things up.
+
+       -R     Tells  Nmap to ALWAYS do reverse DNS resolution on the target IP
+              addresses.  Normally this is only done when a machine  is  found
+              to be alive.
+
+       -r     Tells  Nmap  NOT  to  randomize  the  order  in  which ports are
+              scanned.
+
+       --ttl <value>
+              Sets the IPv4 time to live field in sent packets  to  the  given
+              value.
+
+       --privileged
+              Tells Nmap to simply assume that it is privileged enough to per-
+              form raw socket sends, packet sniffing, and  similar  operations
+              that  usually  require  root  privileges  on  UNIX  systems.  By
+              default  Nmap  bails  if  such  operations  are  requested   but
+              geteuid() is not zero.  --privileged is useful with Linux kernel
+              capabilities and similar systems that may be configured to allow
+              unprivileged users to perform raw-packet scans.  Be sure to pro-
+              vide this option flag before any flags for options that  require
+              privileges  (SYN scan, OS detection, etc.).  The NMAP_PRIVILEGED
+              variable may be set as an equivalent alternative --privileged.
+
+       --interactive
+              Starts Nmap in interactive mode,  which  offers  an  interactive
+              Nmap  prompt  allowing  easy launching of multiple scans (either
+              synchronously or in the background). This is useful  for  people
+              who  scan  from  multi-user  systems  -- they often want to test
+              their security without letting everyone else on the system  know
+              exactly  which  systems  they are scanning. Use --interactive to
+              activate this mode and then type usually more familiar and  fea-
+              ture-complete.
+
+       --randomize_hosts
+              Tells  Nmap  to shuffle each group of up to 2048 hosts before it
+              scans them.  This can make the scans  less  obvious  to  various
+              network  monitoring systems, especially when you combine it with
+              slow timing options (see below).
+
+       -M <max sockets>
+              Sets the maximum number of sockets that will be used in parallel
+              for  a TCP connect() scan (the default).  This is useful to slow
+              down the scan a little bit and avoid crashing  remote  machines.
+              Another  approach  is  to use -sS, which is generally easier for
+              machines to handle.
+
+       --packet_trace
+              Tells Nmap to show all the packets it sends and  receives  in  a
+              tcpdump-like format.  This can be tremendously useful for debug-
+              ging, and is also a good learning tool.
+
+       --datadir [directoryname]
+              Nmap obtains some special data at runtime in files  named  nmap-
+              service-probes,  nmap-services,  nmap-protocols, nmap-rpc, nmap-
+              mac-prefixes, and  nmap-os-fingerprints.   Nmap  first  searches
+              these files in the directory option to --datadir.  Any files not
+              found there, are searched for in the directory specified by  the
+              NMAPDIR environmental variable.  Next comes ~/.nmap for real and
+              effective UIDs (POSIX systems only) or location of the Nmap exe-
+              cutable  (Win32  only),  and then a compiled-in location such as
+              /usr/local/share/nmap or /usr/share/nmap .  As  a  last  resort,
+              Nmap will look in the current directory.
+
+       TIMING OPTIONS
+              Generally  Nmap does a good job at adjusting for Network charac-
+              teristics at runtime and scanning as fast as possible while min-
+              imizing  that chances of hosts/ports going undetected.  However,
+              there are same cases where Nmap’s default timing policy may  not
+              meet  your  objectives.   The  following  options provide a fine
+              level of control over the scan timing:
+
+       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
+              These are canned timing  policies  for  conveniently  expressing
+              your priorities to Nmap.  Paranoid mode scans very slowly in the
+              hopes of avoiding detection by IDS systems.  It  serializes  all
+              scans (no parallel scanning) and generally waits at least 5 min-
+              utes between sending packets.  Sneaky is similar, except it only
+              waits  15  seconds  between sending packets.  Polite is meant to
+              ease load on the network and  reduce  the  chances  of  crashing
+              machines.   It serializes the probes and waits at least 0.4 sec-
+              onds between them.  Note that this  is  generally  at  least  an
+              order  of  magnitude  slower  than default scans, so only use it
+              when you need to.  Normal is the default  Nmap  behavior,  which
+              tries to run as quickly as possible without overloading the net-
+              work or missing hosts/ports.  Aggressive This  option  can  make
+              certain  scans  (especially  SYN  scans against heavily filtered
+              hosts) much faster.  It is recommended for impatient folks  with
+              a  fast  net  connection.  Insane is only suitable for very fast
+              networks or where you don’t mind losing  some  information.   It
+              times  out hosts in 15 minutes and won’t wait more than 0.3 sec-
+              onds for individual probes.  It does allow for very  quick  net-
+              work sweeps though :).
+
+              You  can  also  reference  these  by number (0-5).  For example,
+              "-T0" gives you Paranoid mode and "-T5" is Insane mode.  If  you
+              wish  to set specific timing values such as --max_rtt_timeout or
+              --host_timeout, place them after any -T option  on  the  command
+              line.   Otherwise the defaults for the selected timing mode will
+              override your choices.
+
+       --host_timeout <milliseconds>
+              Specifies the amount of time Nmap is allowed to spend scanning a
+              single  host  before  giving  up on that IP.  The default timing
+              mode has no host timeout.
+
+       --max_rtt_timeout <milliseconds>
+              Specifies the maximum amount of time Nmap is allowed to wait for
+              a  probe  response before retransmitting or timing out that par-
+              ticular probe.  The default mode sets this to about 9000.
+
+       --min_rtt_timeout <milliseconds>
+              When the target hosts start to establish a pattern of responding
+              very  quickly,  Nmap  will  shrink  the amount of time given per
+              probe.  This speeds up the scan, but can lead to missed  packets
+              when  a  response  takes longer than usual.  With this parameter
+              you can guarantee that Nmap will wait at least the given  amount
+              of time before giving up on a probe.
+
+       --initial_rtt_timeout <milliseconds>
+              Specifies  the  initial  probe  timeout.  This is generally only
+              useful when scanning firewalled hosts with -P0.   Normally  Nmap
+              can  obtain  good  RTT estimates from the ping and the first few
+              probes.  The default mode uses 6000.
+
+       --max_hostgroup <numhosts>
+              Specifies the maximum number of hosts that Nmap  is  allowed  to
+              scan  in  parallel.   Most  of  the port scan techniques support
+              multi-host operation, which makes them much quicker.   Spreading
+              the  load  among  multiple target hosts makes the scans gentler.
+              The downside is increased results latency.  You need to wait for
+              all  hosts  in a group to finish, rather than having them pop up
+              one by one.  Specify an argument of one for old-style (one  host
+              at  a  time)  Nmap behavior.  Note that the ping scanner handles
+              its own grouping, and ignores this value.
+
+       --min_hostgroup <numhosts>
+              Specifies the minimum host  group  size  (see  previous  entry).
+              Large  values  (such  as 50) are often beneficial for unattended
+              scans, though they do take up more memory.   Nmap  may  override
+              this  preference  when it needs to, because a group must all use
+              the same network interface, and some scan types can only  handle
+              one host at a time.
+
+       --max_parallelism <number>
+              Specifies the maximum number of scans Nmap is allowed to perform
+              in parallel.  Setting this to one means Nmap will never  try  to
+              scan more than 1 port at a time.  It also effects other parallel
+              scans such as ping sweep, RPC scan, etc.
+
+       --min_parallelism <number>
+              Tells Nmap to scan at least the given number of ports in  paral-
+              lel.   This  can speed up scans against certain firewalled hosts
+              by an order of magnitude.  But be careful -- results will become
+              unreliable if you push it too far.
+
+       --scan_delay <milliseconds>
+              Specifies  the  minimum  amount  of  time Nmap must wait between
+              probes.  This is mostly useful to reduce network load or to slow
+              the  scan  way  down  to  sneak under IDS thresholds.  Nmap will
+              sometimes increase the delay itself when it detects many dropped
+              packets.  For example, Solaris systems tend to respond with only
+              one ICMP port unreachable packet per second during a  UDP  scan.
+              So Nmap will try to detect this and lower its rate of UDP probes
+              to one per second.
+
+       --max_scan_delay <milliseconds>
+              As noted above, Nmap will  sometimes  enforce  a  special  delay
+              between sending packets.  This can provide more accurate results
+              while reducing network congestion, but it  can  slow  the  scans
+              down  substantially.  By default (with no -T options specified),
+              Nmap allows this delay to grow to one second  per  probe.   This
+              option allows you to set a lower or higher maximum.  Even if you
+              set it to zero, Nmap will have some delay between  packet  sends
+              so that it can wait for responses and avoid having too many out-
+              standing probes in parallel.
+
+
+
+
+

TARGET SPECIFICATION

+       Everything that isn’t an option (or option argument) in nmap is treated
+       as  a  target  host specification.  The simplest case is listing single
+       hostnames or IP addresses on the command line.  If you want to  scan  a
+       subnet  of  IP  addresses,  you  can append /mask to the hostname or IP
+       address.  mask must be between 0 (scan the whole Internet) and 32 (scan
+       the  single  host  specified).  Use /24 to scan a class "C" address and
+       /16 for a class "B".
+
+       Nmap also has a more powerful notation which lets  you  specify  an  IP
+       address  using  lists/ranges  for  each element.  Thus you can scan the
+       whole class "B" network  192.168.*.*  by  specifying  "192.168.*.*"  or
+       "192.168.0-255.0-255" or even "192.168.1-50,51-255.1,2,3,4,5-255".  And
+       of course you can use the mask notation: "192.168.0.0/16".   These  are
+       all  equivalent.  If you use asterisks ("*"), remember that most shells
+       require you to escape them with  back  slashes  or  protect  them  with
+       quotes.
+
+       Another  interesting  thing  to do is slice the Internet the other way.
+       Instead of scanning all the hosts in a class "B", scan  "*.*.5.6-7"  to
+       scan  every IP address that ends in .5.6 or .5.7 Pick your own numbers.
+       For more information on specifying hosts to scan, see the examples sec-
+       tion.
+
+
+
+

EXAMPLES

+       Here  are some examples of using nmap, from simple and normal to a lit-
+       tle more complex/esoteric.  Note that actual numbers  and  some  actual
+       domain names are used to make things more concrete.  In their place you
+       should substitute addresses/names from your  own  network.   I  do  not
+       think  portscanning  other networks is illegal; nor should portscans be
+       construed by others as an attack.  I have scanned hundreds of thousands
+       of  machines  and  have  received  only  one complaint.  But I am not a
+       lawyer and some (anal) people may  be  annoyed  by  nmap  probes.   Get
+       permission first or use at your own risk.
+
+       nmap -v target.example.com
+
+       This  option  scans  all reserved TCP ports on the machine target.exam-
+       ple.com .  The -v means turn on verbose mode.
+
+       nmap -sS -O target.example.com/24
+
+       Launches a stealth SYN scan against each machine that is up out of  the
+       255  machines  on  class "C" where target.example.com resides.  It also
+       tries to determine what operating system is running on each  host  that
+       is  up  and  running.  This requires root privileges because of the SYN
+       scan and the OS detection.
+
+       nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
+
+       Sends an Xmas tree scan to the first half of each of the 255 possible 8
+       bit  subnets  in  the  198.116 class "B" address space.  We are testing
+       whether the systems run sshd, DNS, pop3d, imapd, or  port  4564.   Note
+       that  Xmas  scan doesn’t work on Microsoft boxes due to their deficient
+       TCP stack.  Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.
+
+       nmap -v --randomize_hosts -p 80 *.*.2.3-5
+
+       Rather than focus on a specific IP range, it is  sometimes  interesting
+       to  slice  up  the  entire  Internet  and scan a small sample from each
+       slice.  This  command  finds  all  web  servers  on  machines  with  IP
+       addresses  ending in .2.3, .2.4, or .2.5.  If you are root you might as
+       well add -sS.  Also you will find more interesting machines starting at
+       127.  so you might want to use "127-222" instead of the first asterisks
+       because that section has a  greater  density  of  interesting  machines
+       (IMHO).
+
+       host -l company.com | cut  -d  -f 4 | ./nmap -v -iL -
+
+       Do  a  DNS zone transfer to find the hosts in company.com and then feed
+       the IP addresses to nmap.  The above commands are for my GNU/Linux box.
+       You may need different commands/options on other operating systems.
+
+
+
+

BUGS

+       Bugs?   What bugs?  Send me any that you find.  Patches are nice too :)
+       Remember to also send in  new  OS  fingerprints  so  we  can  grow  the
+       database.  Nmap will give you a submission URL when an appropriate fin-
+       gerprint is found.
+
+
+
+

AUTHOR

+       Fyodor <fyodor@insecure.org>
+
+
+
+

DISTRIBUTION

+       The newest version  of  nmap  can  be  obtained  from  http://www.inse-
+       cure.org/nmap/
+
+       The  Nmap  Security  Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap is
+       also a registered trademark of Insecure.Com LLC.  This program is  free
+       software;  you may redistribute and/or modify it under the terms of the
+       GNU General Public License as published by the  Free  Software  Founda-
+       tion; Version 2.  This guarantees your right to use, modify, and redis-
+       tribute this software under certain conditions.  If you wish  to  embed
+       Nmap  technology  into  proprietary software, we may be willing to sell
+       alternative licenses (contact sales@insecure.com).  Many security scan-
+       ner  vendors already license Nmap technology such as our remote OS fin-
+       gerprinting database and code, service/version  detection  system,  and
+       port scanning code.
+
+       Note that the GPL places important restrictions on "derived works", yet
+       it does not provide a detailed definition of that term.  To avoid  mis-
+       understandings,  we consider an application to constitute a "derivative
+       work" for the purpose of this license if it does any of the following:
+
+       o Integrates source code from Nmap
+
+       o Reads or includes Nmap copyrighted data files, such  as  nmap-os-fin-
+       gerprints or nmap-service-probes.
+
+       o  Executes Nmap and parses the results (as opposed to typical shell or
+       execution-menu apps, which simply display raw Nmap output  and  so  are
+       not derivative works.)
+
+       o  Integrates/includes/aggregates  Nmap  into  a proprietary executable
+       installer, such as those produced by InstallShield.
+
+       o Links to a library or executes a program that does any of the above
+
+       The term "Nmap" should be taken to also include any portions or derived
+       works  of Nmap.  This list is not exclusive, but is just meant to clar-
+       ify our interpretation of derived  works  with  some  common  examples.
+       These restrictions only apply when you actually redistribute Nmap.  For
+       example, nothing stops you  from  writing  and  selling  a  proprietary
+       front-end  to  Nmap.  Just distribute it by itself, and point people to
+       http://www.insecure.org/nmap/ to download Nmap.
+
+       We don’t consider these to be added restrictions on top of the GPL, but
+       just  a clarification of how we interpret "derived works" as it applies
+       to our GPL-licensed Nmap product.  This is similar  to  the  way  Linus
+       Torvalds  has  announced  his  interpretation  of  how  "derived works"
+       applies to Linux kernel modules.  Our  interpretation  refers  only  to
+       Nmap - we don’t speak for any other GPL products.
+
+       If you have any questions about the GPL licensing restrictions on using
+       Nmap in non-GPL works, we would be happy to help.  As mentioned  above,
+       we  also  offer  alternative license to integrate Nmap into proprietary
+       applications and appliances.  These contracts have been  sold  to  many
+       security  vendors, and generally include a perpetual license as well as
+       providing for priority support and updates as well as helping  to  fund
+       the continued development of Nmap technology.  Please email sales@inse-
+       cure.com for further information.
+
+       As a special exception to the GPL terms, Insecure.Com LLC  grants  per-
+       mission  to  link  the  code  of  this  program with any version of the
+       OpenSSL library which is distributed under a license identical to  that
+       listed in the included Copying.OpenSSL file, and distribute linked com-
+       binations including the two. You must obey the GNU GPL in all  respects
+       for  all of the code used other than OpenSSL.  If you modify this file,
+       you may extend this exception to your version of the file, but you  are
+       not obligated to do so.
+
+       If  you  received  these files with a written license agreement or con-
+       tract stating terms other than the terms above, then  that  alternative
+       license agreement takes precedence over these comments.
+
+       Source  is  provided  to  this software because we believe users have a
+       right to know exactly what a program is going to do before they run it.
+       This  also  allows  you  to audit the software for security holes (none
+       have been found so far).
+
+       Source code also allows you to port Nmap to new  platforms,  fix  bugs,
+       and  add  new features.  You are highly encouraged to send your changes
+       to fyodor@insecure.org for possible incorporation into the main distri-
+       bution.   By  sending  these  changes to Fyodor or one the Insecure.Org
+       development mailing lists, it is assumed that you are  offering  Fyodor
+       and  Insecure.Com LLC the unlimited, non-exclusive right to reuse, mod-
+       ify, and relicense the  code.   Nmap  will  always  be  available  Open
+       Source,  but  this is important because the inability to relicense code
+       has caused devastating problems for other Free Software projects  (such
+       as  KDE  and  NASM).   We also occasionally relicense the code to third
+       parties as discussed above.  If you wish  to  specify  special  license
+       conditions of your contributions, just say so when you send them.
+
+       This  program  is  distributed  in the hope that it will be useful, but
+       WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
+       CHANTABILITY  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+       Public License for more details at http://www.gnu.org/copyleft/gpl.html
+       , or in the COPYING file included with Nmap.
+
+       It  should  also  be  noted  that  Nmap has been known to crash certain
+       poorly written applications, TCP/IP stacks, and even operating systems.
+       Nmap  should  never  be run against mission critical systems unless you
+       are prepared to suffer downtime.  We acknowledge  here  that  Nmap  may
+       crash  your  systems  or networks and we disclaim all liability for any
+       damage or problems Nmap could cause.
+
+       Because of the slight risk of crashes and because a few black hats like
+       to  use  Nmap  for reconnaissance prior to attacking systems, there are
+       administrators who become upset and may complain when their  system  is
+       scanned.   Thus,  it  is  often  advisable to request permission before
+       doing even a light scan of a network.
+
+       Nmap should never be installed with special privileges (eg  suid  root)
+       for security reasons.
+
+       This product includes software developed by the Apache Software Founda-
+       tion (http://www.apache.org/).  The  Libpcap  portable  packet  capture
+       library  is  distributed along with nmap.  Libpcap was originally copy-
+       righted by Van Jacobson, Craig Leres and Steven  McCanne,  all  of  the
+       Lawrence Berkeley National Laboratory, University of California, Berke-
+       ley, CA.  It is now maintained by http://www.tcpdump.org .
+
+       Regular expression support is provided by  the  PCRE  library  package,
+       which  is  open source software, written by Philip Hazel, and copyright
+       by the University of Cambridge, England.  See http://www.pcre.org/ .
+
+       Nmap can optionally link to the OpenSSL cryptography toolkit, which  is
+       available from http://www.openssl.org/ .
+
+       US  Export  Control: Insecure.Com LLC believes that Nmap falls under US
+       ECCN (export control classification number) 5D992.   This  category  is
+       called  ’"Information  Security"  "software"  not controlled by 5D002’.
+       The only restriction of this  classification  is  AT  (anti-terrorism),
+       which  applies  to  almost  all goods and denies export to a handful of
+       rogue nations such as Iran and North Korea.  Thus exporting  Nmap  does
+       not  require  any special license, permit, or other governmental autho-
+       rization.
+
+
+
+                                                                       NMAP(1)
+
+
+
+Man(1) output converted with +man2html +
+ + -- cgit v1.2.1