Network Scanning

Network exploration tool and security / port scanner

Much of the original documentation includes philosophy and reasoning for using particular options. Read that at nmap.org

This version is terse version with minial description.(DGG)

nmap [Scan Type...] [Options] target specification

"Network Mapper" is an tool for network exploration and security auditing.
Commonly used for security audits, useful for network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Uses special packets to determine host availablity, services (applications) offered, OS running, type of filters/firewalls , etc.

-A: enables OS and version detection, script scanning
-T4: traceroute

Aborted scans ( ^C) can be resumed with proper output option.

A representative scan

agressive detection (with traceroute) and timing,
TCP SYN, only checking most popular ports, starting with level 2 verbosity,
outputting to a normal file called scan… hosts within a small subnet:

sudo nmap -A -T4  -sS --top-ports 10  -v -oN scan-%T-%D  # .0-.7 

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 07:39 EDT
    NSE: Loaded 93 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 07:39
    Scanning 8 hosts [2 ports/host]
    Completed Ping Scan at 07:39, 1.21s elapsed (8 total hosts)
    Initiating Parallel DNS resolution of 8 hosts. at 07:39
    Completed Parallel DNS resolution of 8 hosts. at 07:39, 0.02s elapsed
    Nmap scan report for [host down]
    Nmap scan report for [host down]
    Nmap scan report for [host down]
    Initiating Connect Scan at 07:39
    Scanning 5 hosts [1000 ports/host]
    Discovered open port 80/tcp on
    Discovered open port 3306/tcp on
    Discovered open port 21/tcp on
    Discovered open port 80/tcp on
full file

sudo nmap -A -T4 scanme.nmap.org playground #scan 2 specific hosts Starting Nmap ( http://nmap.org ) Interesting ports on scanme.nmap.org ( (The 1663 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99) 53/tcp open domain 70/tcp closed gopher 80/tcp open http Apache httpd 2.0.52 ((Fedora)) 113/tcp closed auth Device type: general purpose Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11 Interesting ports on playground.nmap.org ( (The 1659 ports scanned but not shown below are in state: closed) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 389/tcp open ldap? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1002/tcp open windows-icfw? 1025/tcp open msrpc Microsoft Windows RPC 1720/tcp open H.323/Q.931 CompTek AquaGateKeeper 5800/tcp open vnc-http RealVNC 4.0 (Resolution 400x250; VNC port: 5900) 5900/tcp open vnc VNC (protocol 3.8) MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications) Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows XP Pro RC1+ through final release Service Info: OSs: Windows, Windows XP Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds
nmap -sP `hostname`/24 |sed "/Nmap sc/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"

Target Specification

next: Host Discovery
Everything on the command-line that isn't an option or option argument is treated as a target specification (
The simplest case is to specify a single target .

Multiple formats are permitted: nmap scanMe.nmap.org   10.0.0,1,17-63.0-255

-iL tfile Include List, Reads targets from tfile.
    Example uses:
  • A DHCP server exports various 837 current leases.
  • Scan addresses not leased locates hosts using unauthorized addresses.

-iL=- reads hosts from STDIN, like piped from some filters (ex: grep, grep -v).
Entries separated by spaces, tabs, or newlines.
-iR num_hosts include num_hosts Random targets.
Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are not generated.
Specify 0 for a continuing scan.

--exclude host1[,host2[,…]],           net1[,net2[,…]] Comma-separated list of targets, hostnames, CIDR netblocks, octet ranges, etc.
When network includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by others.
--excludefile file targets are newline, space, or tab delimited

Host Discovery

Develop a list of interesting hosts. nmap.org

Security auditors should care about every single device with an nerwork.
An external penetration tester may use a diverse set of probes in an attempt to locate possible exploits.

ARP discovery (-PR) is done on a local ethernet network.
For non-local targets, TCP ACK packet for port 80 and an ICMP echo request query is sent
(unprivileged users use a SYN packet using the connect system call ) Defaults are equivalent to -PA -PE.

Host discovery is followed by a port scan.

    Port states
  1. Open an application is listening for connections/packets
  2. Unfiltered responsive to probes, but cannot determine if they are open
  3. Filtered a firewall, filter, etc. is restricting access
  4. Closed ports have no application listening on them, now.
State combinations open.filtered and closed.filtered: it cannot be determined which describe a port best.
For IP protocol scan (-sO), information on supported protocols is provided.

Discussin on probe effectivness

-sL ScanList Lists each host of the network(s), without sending any packets to the target hosts!
Does reverse-DNS resolution on the hosts to look up their names.
Good sanity check to validate addresses specification for targets.

Example: List all hosts within the subnet as this host (and use sed to supress titles & addresses whithout hostnames):

 >nmap -sL cccu.us

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-10 07:33 EDT
 cccu.us (
rDNS record for ip-50-63-202-17.ip.secureserver.net
Nmap done: 1 IP address (0 hosts up) scanned in 4.04 seconds

> nmap -sL `hostname`/24 |sed "s/^Nmap scan report for//; /^ [[:digit:]]\{1,3\}./d" Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-13 18:26 EDT rtr.germans ( pi-0-roof.germans ( o4-etc-hosts ( smacpro ( rDNS record for smacpro.germans (running host) Denniss-iPhone.germans ( tammy-PC.germans ( sligiga.germans ( MarilynSsiPhone.germans ( dlinkap.germans ( raspberrypi.germans ( IP-STB1.germans ( Nmap done: 256 IP addresses (0 hosts up) scanned in 13.53 seconds
> nmap -sL |sed "s/Nmap scan report for// ; /^ [[:digit:]]/d "| column Starting Nmap 7.00 ( https://nmap.org ) at 2016-04-22 08:52 EDT (not best example (_) ) Nmap done: 32 IP addresses (0 hosts up) scanned in 0.24 seconds
Scan Ping
Scan No Port, ping scan aka ping sweep (supresses port scan).

  • Privileged user: sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
    On a local ethernet network, ARP requests are used unless --send-ip was specified.
  • Unprivileged user: only a SYN packet is sent (using a connect call) to port 80 and 443.

When combined with other discovery probe types (-P*, except -PN (pingNot) ) , the default probes (ACK and echo request) are overridden.
Recommended when strict firewalls are in use, otherwise hosts will be missed if the firewall drops probes or responses.

Slightly intrusive, allows light reconnaissance of a target without attracting much attention.

Valuable as it counts available machines and checks server availability.
More reliable than pinging the broadcast address because many hosts do not reply to that.

Traceroute and NSE host scripts may be also requested, but no further testing (such as port scanning or OS detection) is performed.

 sudo nmap -sP   `hostname`/24 |sed "/Nmap/N; s/\n//;s/Nmap scan report for//; s/Host is up//; s/(0\./\./;s/ latency)\.//"
Starting Nmap 7.00 ( http://nmap.org ) at 2012-09-23 20:49 EDT .0059s
kitchen.germans ( .0073s .0080s
smackerPro ( .00022s
rDNS record for smackerPro.germans .016s 
IP-STB1.germans ( .015s 
Nmap done: 256 IP addresses (6 hosts up) scanned in 5.37 seconds

sudo nmap -sP   `hostname`/24 |sed "s/Nmap scan report for/\n/"

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-23 19:17 EDT
Host is up (0.0038s latency).
MAC Address: 00:18:01:8F:23:ED (Actiontec Electronics)

 kitchen.germans (
Host is up (0.013s latency).
MAC Address: 00:1B:21:A4:32:BD (Intel Corporate)
Host is up (0.013s latency).
MAC Address: 00:50:FC:9C:E0:18 (Edimax Technology CO.)

 smackerPro (
Host is up.
Host is up (0.0036s latency).
MAC Address: 18:20:32:9F:54:75 (Apple)

 IP-STB1.germans (
Host is up (0.0047s latency).
MAC Address: 00:1F:C4:EF:5D:F1 (Motorola Mobility)
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.71 seconds

-Pn Ping Not: skip discovery ping.
Warning: Causes scanning functions to be performed against every target specified. Normally, heavier probing such as port scans are only performed against hosts that were found to be up.

For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because MAC addresses are needed to further scan targets .

-PR ARP Ping Any response means the host is up. Fastest.
Used when scanning ethernet hosts on a local ethernet network, even if different ping types are specified.
To avoid an ARP scan, specify --send-ip.
-PS ports TCP SYN Ping Sends an empty packet with the SYN flag set as if attempting to establish a connection.
Default port 80

Syntax is as for the -p except that port type specifiers like T: are not allowed.
Examples: -PS22 and -PS22-25,80,113,1050,35000 (No space between -PS and the ports )
Multiple probes are sent in parallel.

additional information at nmap.org
Use with TCP ACK ping probe to maximize the chances of bypassing firewalls.

-PA ports TCP ACK Ping Similar to SYN ping, ACK flag is set instead.
This acknowledges data over an established TCP connection, since no such connection exists, remote hosts should always respond with a RST packet, disclosing their existence.
Default 80. nmap.org
Use with TCP SYN Ping probe to maximize the chances of bypassing firewalls.
-PU ports UDP Ping Sends an empty (unless --data-length is specified) UDP packet. Default:31338, nmap.org
-PY ports SCTP INIT Ping SCTP ( Stream Control Transmission Protocol) packet containing a minimal INIT chunk. Default: 80
-PE ICMP echo request type 8 (frequently blocked)
-PP ICMP timestamp request code 13,
-PM ICMP address mask request code 17
-PO protos IP Protocol Ping Send packets with the specified protocol number .
The protos is in the format as port lists
Default: send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4).
For the ICMP, IGMP, TCP (protocol 6), and UDP (protocol 17), packets are sent with the proper protocol headers while other protocols are sent with no additional data (unless --data-length is specified).

Looks for either responses using the same protocol as a probe, or ICMP protocol unreachable message's signifing the protocol isn't supported on the destination host. Either response signifies the target is alive.

Additional options useful with scan options.
--traceroute Trace path to host performed post-scan. Works with all scan types except -sT and -sI.
--reason Host and port state reasons
Displays the type of the packet that determined a port or hosts state.
For example, A RST packet from a closed port or an echo reply from an alive host. The information provided is determined by the type of scan or ping. The SYN scan and SYN ping (-sS and -PS) are very detailed, but the TCP connect scan (-sT) is limited.
Enabled by the debug option (-d) and results are always stored in XML log.
-n No DNS resolution improve performance
-R Reverse DNS resolution for ALL targets Normally only against responsive hosts.
--system-dns Use system DNS resolver
Default: queries name servers configured on your host.
--dns-servers server1[,server2[,…]] Servers for reverse DNS
Default : determine DNS servers from the your host. Ignored with --system-dns or an IPv6 scan.
Multiple servers is faster, improves stealth.

Scan for port 53( DNS) then try list scans (-sL) specifying each name server one at a time with --dns-servers to find one which works correctly.

back to host discoverey, output control

Port Scanning

next:Service and Version

nmap target scans more than 1,660 TCP ports on target.

Port states are not intrinsic properties of the port itself, but describe how Nmap sees them.
For example, a scan from within the same network as the target may show port 135/tcp as open,
a scan with the same options from across the Internet might show that port as filtered.

The port states defined by Nmap:

  1. open An application is actively accepting TCP connections or UDP packets. Close or protect with firewall without thwarting legitimate users. also interesting for non-security scans because they show services available for use on the network.

  2. closed Accessible (receives and responds to packets), but no application is listening .
    May become open if a daemon starts and begins fielding queries.
    Control with a firewall causing it to appear filtered

  3. filtered Cannot determine if the port is open because packet filtering prevents probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. Sometimes respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common.
    Several probes are sent in case the probe was dropped due to network congestion rather than filtering. slowing down the scan dramatically.
  4. unfiltered port is accessible, but Nmap is unable to determine whether it is open or closed.
    Only the ACK scan, used to map firewall rulesets, classifies ports into this state.
    Scanning unfiltered ports with other scan types such as Window , SYN , or FIN scans, may resolve the port as open.
  5. open.filtered unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response which could also mean that a packet filter dropped the probe or any response it elicited. UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.
  6. closed|filtered Nmap is unable to determine whether a port is closed or filtered. It is only by the IP ID idle scan.

Port Scanning Techniques

Most are only available to privileged users. Nmap sometimes works for unprivileged users when WinPcap has been loaded.
Unprivileged users can execute connect and FTP bounce .

Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types.
Form -sC.
Default: SYN, (or connect if the user does not have proper privileges to send raw packets or if IPv6 targets were specified.

-sS TCP SYN fast
Quickly, scanning thousands of ports per second, not hampered by restrictive firewalls.
Relatively unobtrusive and stealthy
Does not depend on idiosyncrasies of implementation.
Allows clear, reliable differentiation between the open, closed, and filtered

Sends SYN packet, as if going to open a connection.
A response of SYN/ACK indicates the port is listening (open), RST (reset) is indicative of a non-listener.
If no response is received after several retransmissions or if an ICMP unreachable error is received marked filtered .

-sT TCP connect not fast
Default when SYN is not specified, when no raw packet privileges or scanning IPv6 networks.
Does not write raw packets, rather asks the operating system to establish a connection with the target by issuing the connect system call. The same high-level system call that web browsers and other applications use to establish a connection.

Less efficient than SYN which is usually a better choice. Target machines are more likely to log the connection. Unix systems will add a note to syslog, for connects without sending data.

-sU UDP slow
Sends an empty (no data) UDP header to targeted ports.
A service may respond with a UDP packet, open.
If an ICMP port unreachable error is returned, the port is closed or filtered.
If no response is received after retransmissions, the port is classified as open.filtered.

Open and filtered ports rarely send any response, leaving time out and then conduct retransmissions just in case the probe or response were lost.
Closed ports may send back an ICMP port unreachable error. But hosts rate limit ICMP port unreachable messages by default.

Detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop.
A limit of one packet per second makes a 65,536-port scan take more than 18 hours!.

To speed up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
Can be combined with a TCP scan type such as SYN (-sS) to check both during the same run.

TCP NULL Does not set any bits (TCP flag header is 0)
FIN Sets only the TCP FIN bit.
Xmas Sets FIN, PSH, and URG , lighting the packet up like a Christmas tree.
(more are possible with --scanflags

Exploit subtle loopholes to differentiate between open and closed ports.
See nmap.org.

used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
Never determines open or open.filtered ports.
See nmap.org.
-sW TCP Window
Like ACK. Exploits an implementation detail to differentiate open from closed.
Rather than always displaying unfiltered when a RST is returned.
Examines the TCP Window field of the RST packets returned.
-sM TCP Maimon
As NULL, FIN, and Xmas scans, except that the probe is FIN/ACK.
--scanflags n |
Argument can be a numerical flag value such as 9 (PSH and FIN), or
symbolic name URG, ACK, PSH, RST, SYN, and FIN combinations . Example: --scanflags URGACKPSHRSTSYNFIN

Specify a TCP scan type (such as -sA or -sF) default: SYN.

-sI zombie host[:probeport] idle
advanced scan method allows a blind TCP port scan of the target (no packets are sent to the target from your real IP address).
zombie machine you specify must be up and meet certain criteria.
Too complex to fully describe here, see nmap.org/book/idlescan.html

Stealthy, permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).

Use a colon and a port number to the zombie host to probe a particular port for IP ID changes. default for TCP pings (80).
Ports can be specified by name in nmap-services.. Use wildcards * and ? with the names.

For example, to scan ftp and all ports whose names begin with http, use -p ftp,http*. Avoid shell expansions and quote the argument to -p.

Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, scan all ports in nmap-services equal to or below 1024: -p [-1024]. Avoid shell expansions and quote the argument to -p.

-sO IP protocol Determines protocols (TCP, ICMP, IGMP, etc.) supported
Uses -p to select scanned protocol.
 >sudo nmap -sO kitchen

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-11 12:44 EDT
 kitchen (
rDNS record for kitchen
1        open  icmp
17       open  udp

Nmap done: 1 IP address (1 host up) scanned in 19.16 seconds
-b FTP relay host (FTP bounce scan) FTP server to port scan other hosts. ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not.
Bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would.
FTP bounce scan with -b argument of the form [username:password]@server[:port].
Server is the name or IP address of a vulnerable FTP server.
Omit username:password anonymous login credentials (user: anonymous password:-wwwuser@) are used.
Port defaults to 21.

If bypassing a firewall is your goal, scan the target for open port 21 (or even for any FTP services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target . Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not

Port Specification and Scan Order

Default: all ports up to and including 1024(priveledge ports) as well as higher numbered ports listed in nmap-services

--top-ports n Scans the n highest-ratio ports from nmap-services
-sS -top-ports 20
 21/tcp   ftp            22/tcp   ssh             23/tcp   telnet          25/tcp  smtp          
 53/tcp   domain         80/tcp   http           110/tcp   pop3           111/tcp  rpcbind       
135/tcp   msrpc         139/tcp   netbios-ssn    143/tcp   imap           443/tcp  https         
445/tcp   microsoft-ds  993/tcp   imaps          995/tcp   pop3s         1723/tcp  pptp          
3306/tcp  mysql         3389/tcp  ms-wbt-srvr   5900/tcp   vnc           8080/tcp  http-proxy    
-F Fast (limited port)
Only scan ports in /usr/local/share/nmap/nmap-services (or the protocols file for -sO).
Contains so many ports (more than 27,000!)
Fastest is with --top-ports 4
‑‑port‑ratio r Scans all ports in nmap-services with a ratio greater r
Selected examples:
domain  53/udp  .213496    dhcps   67/udp  .228010    dhcpc   68/udp  .140118    
finger  79/tcp  .006022    ftp     21/tcp  .197667 (control)    
http    80/tcp  .484143    https   443/tcp .208669    
ntp     123/udp .330879    pop3    110/tcp .077142    
route   520/udp .139376    smtp    25/tcp  .131314    ssh     22/tcp  .182286     
syslog  514/udp .119804    telnet  23/tcp  .221265    tftp    69/udp  .102835    
zeroconf 5353/udp.100166    
ipp     631/udp .450281    # Internet Printing Protocol    
-p port ranges Only scan specified ports
Individual ports , ranges (Default 1-65535). port zero is allowed if specifed explicitly.
For IP protocol scanning (-sO), specifies the protocol numbers (0-255).

When scanning both TCP and UDP ports, specify a particular protocol by preceding the port numbers by T: or U:. The qualifier lasts until another qualifier.
For example:
-p U:53,111,137,T:21-25,80,139,8080
To scan both UDP and TCP, specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added to all protocol lists.

Ports can also be specified by name according to what the port is referred to in the /usr/local/share/nmap/nmap-services including wildcards * and ? . For example, to scan FTP and all ports whose names begin with "http", use -p ftp,http*.
Ranges of ports can be enclosed in square brackets .
For example, scan all ports in /usr/local/share/nmap/nmap-services up to 1024:
"-p [-1024]".
Be careful about shell expansions and quote the argument if unsure.

-r Don't randomize, i.e. scan sequentially

Back to ports

Service and Version Detection

After ports are discovered, nmap.org target=nmap>version detection interrogates them interrogates them

Some UDP ports are open.filtered . Version detection elicits a response from these and changes them to open if successful. TCP open.filtered ports are treated the same way.

-sV Version detection, (-A also enables version detection, among other things).
--allports Don't exclude any ports
--version-intensity 0:9 Higher values are more accurate but take longer.
Default: 7.
--version-light --version-intensity 2. faster, but it is slightly less likely to identify services.
--version-all --version-intensity 9
--version-trace Output debugging info about version scanning, a subset of --packet-trace. additional output:
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
mass_rdns: Using DNS server
mass_rdns: 0.01s 0/15 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 11]
DNS resolution of 15 IPs took 0.04s. Mode: Async [#: 1, OK: 9, NX: 6, DR: 0, SF: 0, TR: 15, CN: 0]
No data files read.
-sR RPC scan When RPC services are discovered, addition interragation is automatically performed
in conjunction with the various port scans.
Takes all ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and what program and version number they serve up. Effectively obtain the same info as rpcinfo -p even if the target's portmapper is behind a firewall (or protected by TCP wrappers).
Decoys do not currently work with RPC scan.
Enabled as part of version scan (-sV) . Version detection includes this and is more comprehensive, -sR
is rarely needed.

OS Detection

See nmap.org target=nmap>nmap.org.

OS detection is enabled and controlled with :

-O Enable OS detection
Use Agressive( -A) to include version (-sV) and script scanning (-sC) and traceroute (--traceroute) .
--osscan-limit Limit OS detection to promising targets, Faster Only with -O or -A.
Guess OS when unable to detect a perfect match.
Sometimes displays near-matches as possibilities, imperfect match notice is output with confidence level .
--max-os-tries nmaximum number of detection tries when failing to find a perfect match.
Default:5 if conditions are favorable , 2 when conditions aren't good.
A lower value (1) speeds up, higher value rarely used.

NMAP Scripting engine (NSE)

Automate a wide variety of networking tasks. The scripts are executed in parallel.

Too funky to describe here.

See nmap.org/book/nse-usage.html#nse-categories.
Scripting details at nmap.org/book/nse.html

-sC Performs a script scan using the default set of scripts, equivalent to --script=default.
Scripts in this category are considered
intrusive and should not be run against a target without permission.
--script script-categories | directory | filename | all
--script-args name1=value1,name2={name3=value3},name4=value4
--script-trace all incoming and outgoing communication performed by a script is output.
--script-updatedb updates the script database

Timing and Performance

A default scan (nmap hostname) on the local network takes a 200 milliseconds.
UDP scanning and version detection can increase scan times substantially.
Time parameters are in milliseconds by default. Append s, m, or h to the value to specify seconds, minutes, or hours.
--host-timeout arguments 900000, 900s, and 15m are equivalent.
--min-hostgroup numhosts
--max-hostgroup numhosts
Adjust parallel scan group sizes.
--min-parallelism np
--max-parallelism np
Adjust probe parallelization
--min-rtt-timeout time
--max-rtt-timeout time
--initial-rtt-timeout time
Adjust probe timeouts
--max-retries numtries port scan probe retransmissions
--host-timeout time Give up on slow target hosts
--scan-delay time
--max-scan-delay time
Adjust delay between probes
--min-rate n> 300 means try to keep the sending rate at or above 300 packets per second.
--max-rate n 100 limits sending to 100 packets per second on a fast network.
0.1 for a slow scan of one packet every ten seconds.
--defeat-rst-ratelimit Using this option can reduce accuracy. With a SYN scan, the non-response results in the port being labeled filtered rather than the closed state we see when RST packets are received.

-T paranoid|

Timing template
   paranoid serializing the scan so only one port is scanned at a time, waits 5minutes between probes avoiding IntrusionDetectionSystem.
sneaky waits 15 seconds to avoid IDS, use less bandwidth and target machine resources.
Polite waits .4 seconds Normal is the default sends scans in parallel.
Aggressive mode speeds scans up expecting a reasonably fast and reliable network.
insane expects extraordinarily fast network or are willing to sacrifice some accuracy for speed.

Firewall/IDS Evasion and Spoofing

Network obstructions such as firewalls make mapping a network exceedingly difficult.
IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks.
Intrusion Prevention Systems (IPS) that block traffic deemed malicious.
Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.

Too funky to describe here.

See nmap.org

-e interface Use specified interface
-f m
--mtu m
fragment packets using the specified MTU
-D decoy1
Cloak a scan with decoys
Makes it appear to the remote host that the decoys are scanning the target too.
-S IP_Address Spoof source address
--source-port p
-g p
Spoof source port number
A common misconception is to trust traffic based only on the source port number.
--data-length n Append random data to sent packets
Normally minimalist packets containing only a header are sent.
   S |
   T |
   U |
   R [hop hop …] |
   L [hop hop …]

--ip-options hex string

Send packets with specified IP options
IP protocol options are rarely seen and can be useful in some cases.
Use record route (R) to determine a path to a target when traceroute-style approaches fail.
Record-timestamp (T) or both (U)if packets are being dropped by a certain firewall.
Loose or strict source routing specified with an
L or S followed by a space and then a space-separated list of IP addresses, specify a different route.

--ip-options use \xdd hexadecimal format to specify option bits explicitly.
Repeat characters by following them with an asterisk and a repeat count.
Example: \x01\x07\x04\x00*36\x01 includes 36 NULLs.
Display options in packets specify --packet-trace.
see seclists.org/nmap-dev/2006/q3/0052.htm.l

--ttl value
--randomize-hosts May make the scans less obvious to network monitoring systems.
Combine it with slow (timing options . See nmap.org
--spoof-mac MAC address, prefix, or vendor name Address of 0 uses random MAC. See nmap.org
Examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. Only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection
Implies --send-eth
--badsum Send packets with invalid checksums
Responses come from a firewall or IDS that didn't validate the checksum. See nmap.org/p60-12


Output files may be used to resume aborted scans.

  1. interactive output, to standard output (stdout), default .
  2. Normal output, displays less runtime information and warnings

interactive output is displayed in addition to file output.

filenames support strftime-like conversions: %H, %M, %S, %m, %d, %y, and %Y. %T is %H%M%S, %R is %H%M and %D is %m%d%y.
Example: -oX 'scan-%T-%D.xml' will output to scan-144840-121307.xml.

-oN fileNormal
-oX file XML
-oS file Script output, like interactive output, except it is post-processed
-oG file grepable output Deprecated.

Consists of comments and target lines wich include labeled fields, separated by tabs and followed with a colon:
Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status

Ports is a comma separated list of port entries. and of the form of seven slash (/) separated subfields.
Port number, State, Protocol, Owner, Service, SunRPC info, and Version

# Nmap 7.00 scan initiated Tue Mar  1 12:14:37 2016 as: nmap -v -v -sS --top-ports 10 -oA train_%T -A smackerpro.local/23
# Ports scanned: TCP(10;21-23,25,80,110,139,443,445,3389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: ()    Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/open/tcp//http//lighttpd/, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
        3389/closed/tcp//ms-wbt-server///    Seq Index: 195  IP I+D Seq: All zeros
Host: ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 
Host: ()   Ports: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 25/closed/tcp//smtp///, 
        80/closed/tcp//http///, 110/closed/tcp//pop3///, 139/closed/tcp//netbios-ssn///, 443/closed/tcp//https///, 445/closed/tcp//microsoft-ds///, 

See nmap.org/book/output-formats-grepable-output.html.

-oA basename all formats to: basename.nmap, basename.xml, and basename.gnmap.

Verbosity and debugging options

-v verbosity.
Open ports shown as found and completion time estimates are provided.
Use it twice or more for more. While running, v increases verbosity, V decreases. See nmap.org
-d [level] debug output
While running, d increases, D decreases. See nmap.org
--packet-trace Trace packets and data
output summary of every packet sent or received. Used for debugging. See nmap.org

Packet Tracing enabled.
SENT (4.6944s) TCP >  S ttl=49 id=11069 iplen=44  seq=4254715915 win=1024 <mss 1460>
SENT (4.8018s) TCP > S ttl=41 id=53597 iplen=44  seq=4254650378 win=1024 <mss 1460>
RCVD (4.8057s) TCP > RA ttl=64 id=15801 iplen=40  seq=0 win=0
SENT (4.8243s) TCP >   S ttl=40 id=14479 iplen=44  seq=4237873418 win=1024 <mss 1460>
SENT (4.8244s) TCP >   S ttl=49 id=23356 iplen=44  seq=4254715915 win=1024 <mss 1460>
RCVD (4.8258s) TCP   > SA ttl=128 id=22102 iplen=44  seq=2168289427 win=8192 <mss 1460>
RCVD (4.8266s) TCP   > SA ttl=128 id=2213 iplen=44  seq=2599483217 win=8192 <mss 1460>
SENT (4.8462s) TCP >  S ttl=47 id=39457 iplen=44  seq=4254715915 win=1024 <mss 1460>
--open Show only open (or possibly open) ports. See nmap.org
--iflist (List interfaces and routes)
outputs interface list and system routes, useful for debugging. See nmap.org
--log-errors Log errors/warnings to normal mode output file
Usually go only to the screen (interactive output), leaving any normal-format output files (usually specified with -oN) uncluttered.
messages will appear in interactive mode too.
An alternative to --log-errors is redirecting interactive output (including the standard error stream) to a file. See nmap.org

Miscellaneous output options

--resume filename Resume aborted scan if normal (-oN) logs were kept, resume scanning.
No other arguments are permitted
--stylesheet path or URL XSL stylesheet to transform XML output. See nmap.org
--webxml Load stylesheet from Nmap.Org
--no-stylesheet Omit XSL stylesheet declaration from XML


-6 Enable IPv6 scanning
Ping scanning (TCP-only), connect scanning, and version detection .
Use IPv6 syntax to specify an address like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0.
Hostnames are recommended.
Output includes the IPv6 address on the "interesting ports" line
see nmap.org
-A Aggressive scan
enables OS detection (-O), version and (-sV) script scanning (-sC) and traceroute (--traceroute).
Do not use against target networks as it is considered intrusive.
Does not set timing options (such as -T4) or verbosity (-v) .

--datadir ddircustom data file location for: nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db.
--servicedb or --versiondb may be used.
Files not found in ddir, are searched for in $NMAPDIR, then ~/.nmap, location of the Nmap executable and then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap

Causes a fast scan (-F) to be used.

--versiondb service probes file (Specify custom service probes file)
--send-eth send raw ethernet
Send data at link layeri rather then network layer. default, chooses the layer best for the platform it is on. See nmap.org
--send-ip Send at raw IP level
rather than lower level ethernet frames. complement of --send-eth
--privileged enough to perform raw socket sends, packet sniffing which require root privileges on *nix .
Must preceed flags requiring privileges
$NMAP_PRIVILEGED set as an equivalent
--unprivileged user lacks raw socket privileges, opposite of --privileged.
$NMAP_UNPRIVILEGED set as an alternative
--release-memory before quitting only useful for memory-leak debugging.
--interactive Start in interactive mode offers a prompt allowing launching multiple scans see nmap.org
output version number and exit.
Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-apple-darwin13.4.0
Compiled with: liblua-5.3.3 openssl-1.0.2j nmap-libpcre-7.6 nmap-libpcap-1.7.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: kqueue poll select
help summary page
 Nmap 4.76 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
             -iL : Input from list of hosts/networks
             -iR : Choose random targets
             --exclude : Exclude hosts/networks
             --excludefile : Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sP: Ping Scan - go no further than determining if host is online
             -PN: Treat all hosts as online -- skip host discovery
             -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO [protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers : Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags : Customize TCP scan flags
             -sI : Idle scan
             -sO: IP protocol scan
             -b : FTP bounce scan
             --traceroute: Trace hop path to each host
             --reason: Display the reason a port is in a particular state
             -p : Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports : Scan  most common ports
             --port-ratio : Scan ports more common than 
             -sV: Probe open ports to determine service/version info
             --version-intensity : Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=:  is a comma separated list of
                      directories, script-files or script-categories
             --script-args=: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
             Options which take 


Keys pressed during execution change options, output status message .
lowercase increase the amount of output , Uppercase Decrease
v verbosity
d debugging
p packet tracing
? Output a runtime interaction help screen
Anything else, outputs a status message like :
   Stats: 0:00:08 elapsed; 111 hosts completed (5 up), 5 undergoing Service Scan
  Service scan Timing: About 28.00% done; ETC: 16:18 (0:00:15 remaining)


Some actual addresses and names are used to make things more concrete.
For testing purposes, you have permission to scan ScanMen.nmap.org, only via Nmap.


The Nmap Security Scanner is © Insecure.Com LLC. Nmap is also a registered trademark of Insecure.Com LLC.


Gordon "Fyodor" Lyon Insecure.Org Author. Copyright (C) 2008 Nmap Project


  1. wikipedia article on nmap
  2. RFC 1122 Requirements for Internet Hosts -- Communication Layers
  3. RFC 792 IMCP -internet control message protocoL
  4. RFC 1918
  5. UDP
  6. TCP RFC
  7. RFC 959
  8. RFC 1323
  9. IP protocol
  10. Nmap::Scanner
  11. Nmap::Parser
  12. tunnel brokers
  13. Creative Commons Attribution License
  14. Apache Software Foundation
  15. Libpcap portable packet capture library
  16. WinPcap library
  17. PCRE library
  18. Libdnet
  19. OpenSSL cryptography toolkit
  20. Lua programming language
Nmap can be obtained from nmap.org., man page http://nmap.org/book/man.html.