Target specification:
You can use host names, IP addresses, and networks.
Example: scanme.nmap.org, dream4.org/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: read the hosts or networks to scan from the specified file.
-iR <num hosts>: choose targets randomly (0 means the number of scanned hosts is unlimited).
--exclude <host1[,host2],...>: exclude the listed hosts or networks.
--excludefile <exclude_file>: read the hosts or networks to exclude from the specified file.
Host discovery:
-sL: List scan - simply lists the targets to be scanned (no packets are sent to the target hosts).
-sP: Ping scan - only determines whether the target hosts are online; no other operations are performed.
-PN: treat all hosts as online - skip host discovery.
-PS/PA/PU [portlist]: TCP SYN ping / TCP ACK ping / UDP ping to the specified ports.
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes.
-PO [protocol list]: IP protocol ping - detects which IP protocols the hosts support.
-n/-R: never do DNS resolution / always resolve [default: sometimes].
--dns-servers <serv1[,serv2],...>: use custom DNS servers.
--system-dns: use the operating system's DNS resolver.
Scan techniques:
-sS/sT/sA/sW/sM: TCP SYN / Connect() / ACK / Window / Maimon scans.
-sU: UDP scan.
-sN/sF/sX: TCP Null (no flag bits set, TCP flags header is 0), FIN (only the FIN flag set), and Xmas (FIN, PSH, and URG flags set) scans.
--scanflags <flags>: customize the TCP scan flags.
-sI <zombie host[:probeport]>: idle scan.
-sO: IP protocol scan - determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports.
-b <FTP relay host>: FTP bounce scan.
--traceroute: trace the hop path to each host.
--reason: display the reason a port is reported in a particular state.
Port specification and scan order:
-p <port ranges>: scan only the specified ports.
Example: -p22; -p1-65535; -p U:53,111,137,T:21-25,80
-F: fast mode - scan fewer ports than the default (the most common ones).
-r: scan ports consecutively - do not randomize the port order.
--top-ports <number>: scan the <number> most common ports.
--port-ratio <ratio>: scan the ports that are more common than <ratio>.
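Added example (not part of the Nmap help text reproduced here): a parser that expands the -p port specification grammar shown in the example line into explicit TCP and UDP port sets, collapses sets back into the same notation, and reports which requested ports fall outside an allow-list, so a defender can check a planned scan or a scan seen in logs against firewall policy. It goes slightly beyond the page by also accepting the open-ended ranges "-", "1000-" and "-100" that Nmap allows; treating unprefixed ports as TCP is a simplification assumed for this example (Nmap applies them to every protocol being scanned).

```python
from typing import Dict, List, Set

PROTOCOL_PREFIXES = {"T": "tcp", "U": "udp"}


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Expand an Nmap -p style specification into {'tcp': {...}, 'udp': {...}}.

    Grammar handled (the examples on this page plus open-ended ranges):
      - items are comma separated; each is a single port or a low-high range
      - "T:" / "U:" switches the protocol for that item and all following items
      - "-" alone means 1-65535, "1000-" means 1000-65535, "-100" means 1-100
      - unprefixed ports are recorded as TCP (assumption for this example)
    """
    ports: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    proto = "tcp"
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in port specification")
        if len(item) > 1 and item[1] == ":" and item[0].upper() in PROTOCOL_PREFIXES:
            proto = PROTOCOL_PREFIXES[item[0].upper()]
            item = item[2:]
            if not item:
                raise ValueError("protocol prefix without a port")
        low, sep, high = item.partition("-")
        lo = int(low) if low else 1
        hi = (int(high) if high else 65535) if sep else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def compress_ports(ports: Set[int]) -> str:
    """Collapse a set of ports back into Nmap-style "21-25,80" notation."""
    out: List[str] = []
    run: List[int] = []
    for p in sorted(ports) + [None]:  # None is a sentinel that flushes the last run
        if run and (p is None or p != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if p is not None:
            run.append(p)
    return ",".join(out)


def ports_outside_allowlist(spec: str, allowed: Dict[str, Set[int]]) -> Dict[str, str]:
    """Report, per protocol, which ports in a -p spec are not on the allow-list."""
    requested = parse_port_spec(spec)
    extra = {proto: requested[proto] - allowed.get(proto, set()) for proto in requested}
    return {proto: compress_ports(extra[proto]) for proto in extra if extra[proto]}
```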
Service/Version Detection:
-sV: probe open ports to determine service/version information.
--version-intensity <level>: set the intensity from 0 (light) to 9 (try all probes).
--version-light: limit to the most likely probes (intensity 2).
--version-all: try every single probe on each port (intensity 9).
--version-trace: show detailed version scan activity (for debugging).
Script scan:
-sC: equivalent to --script=default.
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files, or script categories.
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts.
--script-trace: show all data sent and received.
--script-updatedb: update the script database.
Operating system detection:
-O: enable OS detection.
--osscan-limit: limit OS detection to promising targets.
--osscan-guess: guess the OS more aggressively when no exact match is found.
Timing and performance:
Options that take <time> are in milliseconds unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value.
-T[0-5]: set the timing template (higher is faster).
--min-hostgroup/max-hostgroup <size>: adjust the parallel host scan group sizes.
--min-parallelism/max-parallelism <numprobes>: adjust probe parallelization.
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: specify the probe round-trip timeout.
--max-retries <tries>: cap the number of port scan probe retransmissions.
--host-timeout <time>: give up on a target that has not finished within this time.
--scan-delay/--max-scan-delay <time>: adjust the delay between probes.
--min-rate <number>: send packets no slower than <number> per second.
--max-rate <number>: send packets no faster than <number> per second.
Firewall/IDS evasion and spoofing:
-f; --mtu <val>: fragment packets (optionally with the given MTU).
-D <decoy1,decoy2[,ME],...>: cloak the scan with decoys.
-S <IP_Address>: spoof the source address.
-e <iface>: use the specified interface.
-g/--source-port <portnum>: use the given source port number.
--data-length <num>: append random data to sent packets.
--ip-options <options>: send packets with the specified IP options.
--ttl <val>: set the IP time-to-live field.
--spoof-mac <mac address/prefix/vendor name>: spoof the MAC address.
--badsum: send packets with a bogus TCP/UDP checksum.
Output:
-oN/-oX/-oS/-oG <file>: output the scan in normal, XML, script kiddie, and grepable format, respectively, to the given file.
-oA <basename>: output in all three major formats at once.
-v: increase the verbosity level (use twice or more for greater effect).
-d[level]: set or increase the debugging level (up to 9 is meaningful).
--open: show only open (or possibly open) ports.
--packet-trace: show all packets sent and received.
--iflist: print host interfaces and routes (for debugging).
--log-errors: log errors/warnings to the normal-format output file.
--append-output: append to, rather than overwrite, the specified output files.
--resume <filename>: resume an aborted scan.
--stylesheet <path/URL>: XSL stylesheet used to transform the XML output to HTML.
--webxml: reference the stylesheet from Nmap.Org for more portable XML.
--no-stylesheet: do not associate an XSL stylesheet with the XML output.
Miscellaneous:
-6: enable IPv6 scanning.
-A: aggressive scan options: enables OS detection, version detection, script scanning, and traceroute.
--datadir <dirname>: specify a custom Nmap data file location.
--send-eth/--send-ip: send using raw Ethernet frames or raw IP packets.
--privileged: assume that the user is fully privileged.
--unprivileged: assume that the user lacks raw socket privileges.
-V: print the version number.
-h: print the help summary.
Examples:
nmap -v -A scanme.dream4.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -PN -p 80