Port Scanner NMAP User Manual

1. Name

NMAP-network detection and security scanning tools

2. Syntax

NMAP [scan type (s)] [Options]

3. Description

NMAP is a network detection and security scanning program. System Administrators and individuals can use this software to scan a large network and obtain information about the host running and what services it provides. NMAP supports many scanning technologies, such as UDP, TCP connect (), tcp syn (half-open scan), and FTP Proxy (Bounce Attack), reverse flag, ICMP, FIN, Ack Scan, Christmas tree (Xmas tree), Syn scan, and null scan. Details can be obtained from the scan type section. NMAP also provides some advanced features, such as detecting operating system types, secretly scanning, dynamic latency and retransmission computing, and parallel scanning through TCP/IP protocol stack features, detects closed hosts by Using Ping scanning in parallel, and uses bait scanning to avoid port filtering detection, direct RPC scanning (no need for port injection), fragment scanning, and flexible target and port settings.

To improve NMAP performance in the non-root state, software designers have made great efforts. Unfortunately, some kernel interfaces (such as raw socket) need to be used in the root state. Therefore, try to use NMAP as root.

Run NMAP to obtain the list of host ports to be scanned. NMAP always provides the service name (if possible), port number, status, and Protocol of the well known port. Each port has the following statuses: open, filtered, and unfiltered. The open state means that the target host can use the accept () system call on this port to accept the connection. The filtered status indicates that the firewall, packet filtering, and other network security software mask the port and disable NMAP to detect whether it is enabled. Unfiltered indicates that the port is disabled and no firewall/package filtering software is available to isolate NMAP detection attempts. Generally, the port is in the unfiltered state. Only when most of the ports being scanned are in the filtered state will the port in the unfiltered State be displayed.

NMAP can also report the following features of a remote host based on the function options used: the operating system used, the TCP sequence, and the user name, DNS name, host address, and other things of the application bound to each port.

4. Function options

Function options can be used in combination. Some feature options can only be used in some scan mode. NMAP automatically identifies invalid or unsupported combinations of function options and sends a warning to the user.

If you are an experienced user, you can skip the example section at the end. You can use NMAP-h to quickly list feature options.

4.1 scan type

-St
TCP connect () scan: This is the most basic TCP scan method. Connect () is a system call provided by the operating system to open a connection. If the target port has a program listener, connect () will return a successful result; otherwise, this port is inaccessible. The biggest advantage of this technology is that you do not need root permissions. Any UNIX user can use this system for calling. This kind of scan can easily be detected. A large number of connection requests and error messages are recorded in the logs of the target host.
-SS
TCP Synchronous Scan (tcp syn): Because you do not need to open a TCP connection, this technology is generally called half-open scan ). You can send a TCP synchronization packet (SYN) and wait for a response. If the other party returns SYN | ACK (response) packet, it indicates that the target port is listening; If RST packet is returned, it indicates that the target port does not have a listener; if it receives a SYN | ACK packet, the source host will immediately issue an RST (reset) packet to disconnect from the target host, which is actually automatically completed by our operating system kernel. The biggest benefit of this technology is that few systems are able to record this in system logs. However, you need the root permission to customize Syn packets.
-SF-Sn
Private FIN packet scanning, Christmas tree (Xmas tree), null scan mode: used even if SYN scan is uncertain. Some firewall and packet filtering software can monitor Syn packets sent to restricted ports, and some programs such as synlogger and Courtney can detect those scans. These advanced scanning methods can escape these interference. The Theoretical Basis of These scanning methods is: the closed port needs to respond to your test package to the RST package, and the opened port must ignore the problematic package (refer to RFC 793 64th page ). Fin scan uses exposed fin data packets for detection, while Christmas tree scan opens the fin, URG, and push flag of the data packets. Unfortunately, Microsoft decided to completely ignore this standard and set it up again. Therefore, this scan method is invalid for Windows95/NT. However, from another perspective, you can use this method to separate two different platforms. If you use this scan method to find the opened port, you can determine that the target is not running Windows. If-SF,-Sx, or-Sn scan is used to show that all ports are closed, and SYN scan is used to display opened ports, you can determine that the target host may run the windwos system. This method is not very useful because NMAP has embedded operating system detection functions. Several other systems use the same processing methods as windows, including Cisco, bsdi, HP/UX, MYS, and IRIX. When data packets should be discarded, all the above systems send reset data packets from open ports.
-SP
Ping scan: Sometimes you just want to know which hosts on the network are running at this time. By sending an ICMP echo request packet to each IP address in your specified network, NMAP can complete this task. If the host is running, it will respond. Unfortunately, some sites such as Microsoft.com Block ICMP echo request packets. However, by default, NMAP can also send tcp ack packets to port 80. If you receive an RST packet, it indicates that the host is running. The third technique used by NMAP is to send a SYN Packet and wait for an RST or SYN/ACK packet. For non-root users, NMAP uses the connect () method.
By default, NMAP uses ICMP and ACK technologies in parallel.
Note that NMAP performs Ping scanning under any circumstances. Only when the target host is running will it perform subsequent scanning. This option is only used if you want to know whether the target host is running and do not want to perform other scans.
-Su
UDP scan: If you want to know which UDP (User Datagram Protocol, rfc768) services are provided on a host, you can use this scan method. NMAP first sends a 0-byte UDP packet to each port of the target host. If we receive an ICMP message that is inaccessible to the port, the port is closed. Otherwise, we assume it is open.
Some may think that UDP scanning is meaningless. However, I often think of the recent Solaris rpcbind defect. Rpcbind is hidden on an undisclosed UDP port. The port number is greater than 32770. Therefore, even if port 111 is blocked by the firewall. But can you find that a program is listening on any port over 30000? Use UDP scan! The CDC Back Orifice backdoor program is hidden in a configurable UDP port on a Windows host. Some common security defects are not considered. Some services such as SNMP, TFTP, and NFS use UDP protocol. Unfortunately, UDP scanning is sometimes very slow because most hosts limit the proportion of ICMP error messages (recommended in rfc1812 ). For example, in the Linux kernel (in net/IPv4/ICMP. in h文) only 80 ICMP messages that cannot be reached by the target can be displayed every 4 seconds. If this proportion is exceeded, a penalty of 1/4 seconds will be given. Solaris is more restrictive. Only about two ICMP inaccessibility messages are allowed per second, which slows down scanning. NMAP detects the proportion of this limit and slows down the sending speed, instead of sending a large number of useless data packets discarded by the target host.
However, micro $ oft ignores the rfc1812 suggestion and does not impose any restrictions on this ratio. Therefore, we can quickly scan all the 65k ports on the host running Win95/NT.
-Sa
Ack Scan: This advanced scan method is usually used to pass through the firewall rule set. In general, this helps determine whether a firewall is fully functional or a simple package filtering program, just blocking the SYN packets that enter.
This scan sends an ACK packet to a specific port (using a Random Response/serial number ). If an RST packet is returned, the port is marked as unfiltered. If nothing is returned, or a non-reachable ICMP message is returned, this port is classified into the filtered class. Note: NMAP usually does not output the unfiltered port, so it usually does not display all the ports to be tested in the output. Obviously, this scan method cannot find the port in the open state.
-SW
Scan a sliding window: This advanced scan technique is very similar to ACK scan, except that it can sometimes detect open ports because the size of the sliding window is irregular, some operating systems can report its size. These systems include at least: some versions of Aix, amiga, BEOs, bsdi, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, openstep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. You can obtain the complete list from the documents in the Nmap-hackers mail 3 list.
-Sr
RPC scan. This method is used in combination with other Nmap port scanning methods. Select all open ports and issue the SunRPC program's NULL command to them to determine whether they are RPC ports. If so, determine the software and version number. Therefore, you can obtain some information about the firewall. Bait scanning cannot be used with RPC scanning now.
-B
FTP Bounce Attack (Bounce Attack): the FTP protocol (RFC 959) has an interesting feature that supports proxy FTP connections. That is to say, I can connect to the FTP server target.com from evil.com, And I can ask this FTP server to send files anywhere on the Internet for myself! This feature worked well when rfc959 was completed in 1985. However, in today's Internet, we cannot allow people to hijack the FTP server and send data to any node on the Internet. As hobbit said in an article written in 1995, this Protocol "can be used to deliver virtual inaccessibility emails and news, enter the servers of various sites, fill the hard disk, and skip the firewall, and other harassment activities, and it is difficult to track ". We can use this feature to scan TCP ports on a proxy FTP server. Therefore, you need to connect to an FTP server behind the firewall and then perform port scanning. If there is a readable directory on this FTP server, you can also send data to the target port (but NMAP cannot do this for you ).
The parameter passed to the-B function option is the FTP server you want to act as the proxy. Syntax format:
-B Username: password @ server: port.
Except server, the rest are optional. If you want to know which server has such defects, refer to my article on phrack 51. You can also get the latest version of this article at the Nmap site.

4.2 general options

These contents are not required, but are useful.

-P0
You do not need to ping the host before scanning. Some network firewalls Do Not Allow ICMP echo requests to pass through. You can use this option to scan these networks. Microsoft.com is an example. Therefore, you should always use the-P0 or-Pt 80 option when scanning this site.
-Pt
Before scanning, use TCP ping to determine which hosts are running. NMAP does not implement this function by sending an ICMP echo request packet and then waiting for a response. Instead, it sends a tcp ack packet to the target network (or a single host) and waits for a response. If the host is running, the RST package is returned. This option is valid only when the target network/host blocks the ping packet and still allows you to scan it. For non-root users, we use the connect () system call to implement this function. Use-Pt <port number> to set the target port. The default port number is 80, because this port is usually not filtered.
-Ps
For root users, this option allows NMAP to use Syn packets instead of ACK packets to scan the target host. If the host is running, an rst package (or a SYN/ack package) is returned ).
-Pi
Set this option to enable NMAP to use the real Ping (ICMP echo request) to scan whether the target host is running. If you use this option to enable NMAP to discover a running host, NMAP will also observe your direct subnet broadcast address. Direct subnet broadcast address some externally accessible IP addresses, convert the external package into an inner IP address broadcast package, and send it to a computer subnet. These IP broadcast packages should be deleted because they may cause DoS attacks (such as Smurf ).
-PB
This is the default Ping scan option. It uses ack (-Pt) and ICMP (-Pi) Scanning types for parallel scanning. If the firewall can filter one of the packages, you can use this method to pass through the firewall.
-O
This option enables scanning of the TCP/IP fingerprint feature (fingerprinting) to obtain the remote host flag. In other words, NMAP uses some techniques to detect the characteristics of the network protocol stack of the target host operating system. NMAP uses this information to establish the fingerprint feature of the remote host, and compares it with the known operating system fingerprint feature database to know the type of the target host's operating system.
-I
This option enables NMAP reverse flag scanning. Dave Goldsmith noted this protocol in an email sent to the bugtap on April 9, 1996. The IDENT protocol (RFC 1413) allows the user name of any process owner to be given using a TCP connection even if the process has not initialized the connection. For example, you can connect to the http port and use identd to determine whether the server is run by the root user. This scan can be successful only when a full TCP connection is established with the target port (for example, the-ST scan option. With the-I option, the identd genie process of the remote host queries the owner of the process listening on each opened port. Apparently, this scan method is ineffective if the remote host does not run the identd program.
-F
This option enables NMAP to send SYN, FIN, Xmas, and NULL packets using fragmented IP packets. Using fragmented data packets increases the difficulty of packet filtering and intrusion detection systems so that they do not know your attempt. However, use this option with caution! Some programs may have trouble processing these fragment packets. When my favorite sniffer receives the first 36 bytes of the fragment packet, segmentation faulted occurs. Therefore, 24 bytes of fragmented data packets are used in NMAP. Although the packet filter and firewall cannot prevent this method, many networks disable packet sharding for performance considerations.
Note that this option cannot be used on all platforms. It works well in Linux, FreeBSD, OpenBSD, and other UNIX systems.
-V
Redundancy mode. We strongly recommend that you use this option to provide detailed information during the scan process. With this option, you can get twice the result with half the effort. Use the-D option to obtain more detailed information.
-H
Quick Reference options.
-On
Redirects the scan result to a readable file logfilename.
-Om
Redirects the scan result to the logfilename file, which uses the host-ready parsing syntax. You can use-om-to replace logfilename, so that the output is redirected to the standard output stdout. In this case, the normal output will be overwritten, and the error message "stderr" can be output to the standard error stderr. Note that if the-V option is used at the same time, other information will be printed on the screen.
-OS this l0gz th3 r3sults of your scanz IN A S | the fil3 U specfy 4S an argument! U Kan giv3 the 4 rgument-
(Without quotez) to sh00t output int0 stdout! @!! Inexplicably, the following is what I guess is translated. What is the phase character?
Redirects the scan result to the logfilename file. This file uses a "hacker dialect" syntax (the author's joke ?). Similarly, the-OS-will redirect the result to the standard output.
-Resume
A network scan may be interrupted due to control-C or network loss. This option can be used for subsequent scans. Logfilename is a log file that is unscanned. It must be in the readable form or the form that can be parsed by machines. In addition, you cannot add new options for subsequent scans. You can only use the same options as the interrupted scans. NMAP then performs the last successful scan in the log file for a new scan.
-Il
Read the scan target from the inputfilename file. In this file, you must have a host or network list. The space key, tabulation key, or enter key is used as the delimiter. If-il-is used, NMAP reads the host name from the standard input stdin. You can get more detailed information from the specified target section.
-IR
Enable NMAP to randomly select hosts for scanning.
-P <port range>
This option allows you to select the range of port numbers to be scanned. For example,-P 23 indicates that only port 23 of the target host is scanned. -P 20-30,139,600 00-scan Port 20 to port 30, port 139, and all ports greater than 60000. By default, NMAP scans the files from 1 to 1024 and NMAP-services (if RPM packages are used, they are generally in the/usr/share/NMAP/directory).
-F
In quick scan mode, only the ports listed in the Nmap-services file are scanned. It is faster than scanning all 65535 ports.
-D
Use the bait scan method to scan the target network/host. If NMAP uses this method to scan the target network, from the perspective of the target host/network, the scan is sent from other hosts (such as decoy1. Therefore, even if the IDS (Intrusion Detection System) of the target host sends an alarm to the port scan, it is impossible for them to know which address actually initiates the scan and which one is innocent. This scanning method can effectively deal with active defense mechanisms, such as route tracking and response-dropping, to effectively hide your IP address.
Each bait host name is separated by commas. You can also use the me option, which represents your own host and is mixed with the bait host name. If you place me in the sixth or back-to-back position, some port scan detection software will hardly display your IP address. If you do not use the me option, NMAP will randomly include your IP address in the bait host.
Note: The host you use as bait should be running or you only occasionally send Syn packets to the target. Obviously, if only one host runs on the network, the target will easily determine which host to scan. Maybe you need to directly use the IP address of the bait instead of its domain name, so that the logs on the domain name server of the bait network will not leave records about you.
Note: Some silly Port Scan detection software will reject the host that the route attempts to perform port scan. Therefore, you need to disconnect the target host from some bait. If the bait is the gateway of the target host or it is its own, it will cause a great problem to the target host. Therefore, you must use this option with caution.
Bait scanning can be used either in the initial Ping scan or in the real scan status. It can also be used in combination with the-O option.
Using too many bait scans can slow down your scan speed and even cause incorrect scan results. At the same time, some ISPs will filter out your spoofing packets. Although most ISPs do not limit this currently.
-S <ip_address>
In some cases, NMAP may not be able to determine your source address (NMAP will tell you ). In this case, you can use this option to give your IP address.
This option is also used for spoofing scanning. This option allows the target host to scan itself.
-E
The interface used by NMAP to send and receive data packets. NMAP can automatically detect this interface. If it is invalid, it will tell you.
-G
Set the source port for the scan. The rule set for some naive firewalls and package filters allows source ports to be connected through and to packages for DNS (53) or FTP-DATA (20. Apparently, if attackers modify the source port to 20 or 53, they can destroy firewall protection. When using UDP scanning, use port 53 first; when using TCP scanning, use port 20 first. Note that NMAP only uses this port for scanning. For example, if you cannot perform a TCP scan, NMAP automatically changes the source port even if you use the-G option.
For some scans, using this option can cause minor performance losses, because I sometimes save some useful information about a specific source port.
-R
Tell NMAP not to disrupt the order of ports being scanned.
-- Randomize_hosts
Enable NMAP to disrupt the host sequence in each group before scanning. Each group of NMAP can scan up to 2048 hosts. In this way, scanning is more difficult to be detected by network monitors, especially when combined with the -- scan_delay option, which can effectively avoid being detected.
-M
Sets the maximum number of sockets used for parallel scanning during TCP connect () scanning. This option can reduce the scanning speed and avoid remote target downtime.

4.3 Timely Options

Generally, NMAP can be well adjusted according to network characteristics during runtime. During scanning, NMAP will minimize the chances of being detected by the target and speed up scanning as much as possible. However, NMAP's default timing policy is sometimes not suitable for your goals. Use the following options to control NMAP scanning timing:

-T
Set NMAP's timely policy. Paranoid: in order to avoid IDS detection, the scanning speed is extremely slow. NMAP sends a packet every five minutes for all the scans; SNEAKY: similar, but the packet sending interval is 15 seconds; polite: does not add too much network load to avoid downtime of the target host, serial each probe, and each probe has a 0.4-second interval; normal: NMAP default option, scan as quickly as possible without network overload or host/port loss; Aggressive: Set a 5-minute timeout limit so that the scanning time for each host cannot exceed 5 minutes, in addition, the waiting time for each detection response should not exceed 1.5 seconds. B> insane: only suitable for fast networks or you don't care about losing some information. The timeout limit for each host is 75 seconds, wait for only 0.3 seconds for each test. You can also use numbers to replace these modes. For example,-T 0 equals-T paranoid and-T 5 equals-T insane.
These timely modes cannot be combined with the following timely options.
-- Host_timeout
Sets the time for scanning a host in milliseconds. By default, there is no timeout limit.
-- Max_rtt_timeout
Sets the wait time for each test, in milliseconds. If the time limit is exceeded, retransmission or timeout occurs. The default value is about 9000 milliseconds.
-- Min_rtt_timeout
When the target host responds quickly, NMAP shortens the time-out time for each test. This will increase the scanning speed, but may lose some packets with long response time. With this option, NMAP can wait for at least the specified time for each test, in milliseconds.
-- Initial_rtt_timeout
Set the timeout value for the initial test. Generally, this option is only useful when the-P0 option is used to scan hosts with firewall protection. The default value is 6000 milliseconds.
-- Max_parallelism
Set the maximum number of parallel scans. -- Max_parallelism 1 indicates that only one port is scanned at the same time. This option is also valid for other parallel scans, such as ping sweep and RPC scan.
-- Scan_delay
Set the time that NMAP must wait between the two probes. This option is mainly used to reduce the network load.

4.4 target setting

Among all NMAP parameters, only the target parameter is required. The simplest form is to directly enter a host name or an IP address in the command line. If you want to scan a subnet of an IP address, you can add a/mask to the host name or IP address. The mask ranges from 0 (scanning the entire network) to 32 (only scanning this host ). Use/24 to scan for Class C addresses and/16 to scan for Class B addresses.

In addition, NMAP provides a more powerful representation that allows you to specify IP addresses more flexibly. For example, if you want to scan the Class B network 128. 210. *. * You can use the following three methods to specify these addresses: 128. 210. *. * 128.21 -. 0-00000-255 or 128.210.0.0/16 are equivalent.

5. Example

This section provides an example of how to use NMAP.

NMAP-V target.example.com
Scan all TCP ports of the host target.example.com. -V enables the redundancy mode.

NMAP-SS-O target.example.com/24
Initiates a secret SYN scan for all 255 IP addresses on the network where target.example.com is located. It also detects the fingerprint features of the operating system of each host. Root permission is required.

NMAP-SX-P 110,143,456, 128 4 210. 127. *. 1-
Launch a Christmas tree scan for the first half of the 128.210 possible 8-bit subnet in Class B IP address 255. Check whether ports sshd, DNS, PoP3D, imapd, and 4564 are enabled for these systems. Note that the Christmas tree scan is invalid for the micro $ oft system because the TCP layer of its Protocol Stack has a defect.

NMAP-V -- randomize_hosts-P 80 *. *. 2.3-5
Scan only the specified IP address range. Sometimes it is used for sampling and analysis on this internet. NMAP will look for the Web servers on the Internet with the IP addresses of. 2.3,. 2.4, and. 2.5 in the last two bytes. If you want to find more interesting hosts, you can use 127-222, because the interesting host density in this range is greater.

Host-l company.com | cut-D-F 4 |./NMAP-v-il-
Lists All hosts in the company.com network and enables NMAP to scan. Note: This command is used in GNU/Linux. If you are on another platform, you may need to use other commands/options.