Network Security Library
NMAP Command Line Options






Description



Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. See the Scan Types section for more details. nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.


Arguments Cheat Sheet



The following are the most useful uses of nmap. Use nmap -v to view some of this information for yourself:

Nmap V. 2.54BETA31
Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)

-sT TCP connect() port scan (default)
This option is the simplest and most straightforward. It performs an ordinary connect() system call against each interesting port on the target machine. This type of scan is easily detected by intrusion detection software.

* -sS TCP SYN stealth port scan (best all-around TCP scan)
This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to tear down the connection. The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets.

* -sU UDP port scan
UDP scans: This method is used to determine which UDP (User Datagram Protocol, RFC 768) ports are open on a host. The technique is to send 0-byte UDP packets to each port on the target machine. If we receive an ICMP port unreachable message, then the port is closed. Otherwise we assume it is open.

-sP ping scan (Find any reachable machines)
This option will simply attempt to ping any machine or range of machines listed.

* -O Use TCP/IP fingerprinting to guess remote operating system
This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtleties in the underlying operating system network stack of the computers you are scanning. It uses this information to create a 'fingerprint' which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file) to decide what type of system you are scanning.

-p ports to scan. Example range: '1-1024,1080,6666,31337'
Specify a range of ports to scan

-F Only scans ports listed in nmap-services
Pretty self explanatory!

-v Verbose. Its use is recommended. Use twice for greater effect.
Print more useful information to stdout.

-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
Some hosts don’t respond to ICMP Ping requests, even though they are still alive. You will need to use this option for this type of host.

-T General timing policy
General timing policy is basically the rate at which packets are sent out. The main question here is whether you care that the network administrator for the IP or block you are scanning knows you are scanning it.

-oN/-oX/-oG Output normal/XML/grepable scan logs to a file

-iL Get targets from file; Use '-' for stdin

* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)

Usage Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
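As an added example (not part of the original reference), the following Python script shows how the -sT and -sS behaviour described above looks from the defender's side: it groups constructed packet records into probes, labels each probe as a full connect() handshake, a half-open SYN / SYN|ACK / RST exchange, or a refused (closed) port, and flags a source that touches many ports on one host. The addresses, packet records and the min_ports threshold are invented for illustration.

```python
from collections import defaultdict

# Constructed sample of TCP packets as a sensor might log them:
# (src, dst, sport, dport, flags) with S=SYN, A=ACK, R=RST. Invented traffic.
SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.10", "10.0.0.7"
SAMPLE = []
# -sS half-open probes of five open ports: SYN, SYN|ACK back, then RST from the scanner
for i, port in enumerate((22, 25, 80, 443, 3306)):
    SAMPLE += [(SCANNER, TARGET, 40000 + i, port, "S"),
               (TARGET, SCANNER, port, 40000 + i, "SA"),
               (SCANNER, TARGET, 40000 + i, port, "R")]
# A closed port answers the SYN with RST
SAMPLE += [(SCANNER, TARGET, 40005, 8080, "S"), (TARGET, SCANNER, 8080, 40005, "R")]
# An ordinary client completes the handshake to one port (a -sT probe looks the same)
SAMPLE += [(CLIENT, TARGET, 50000, 80, "S"), (TARGET, CLIENT, 80, 50000, "SA"),
           (CLIENT, TARGET, 50000, 80, "A")]

def summarize_probes(events):
    """Group packets into probes (one per initiator SYN); per (src, dst) return the ports seen half-open, fully connected and closed."""
    flows = {}
    for src, dst, sport, dport, flags in events:
        fwd, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if fwd in flows:
            flows[fwd].append(("c", flags))   # from the initiator
        elif rev in flows:
            flows[rev].append(("s", flags))   # from the target
        elif flags == "S":
            flows[fwd] = [("c", "S")]         # a probe starts with a bare SYN
    summary = defaultdict(lambda: {"half_open": set(), "connect": set(), "closed": set()})
    for (src, dst, _sport, dport), pkts in flows.items():
        seen = set(pkts)
        if ("s", "SA") in seen and ("c", "A") in seen:
            summary[(src, dst)]["connect"].add(dport)    # full handshake: -sT style
        elif ("s", "SA") in seen and ("c", "R") in seen:
            summary[(src, dst)]["half_open"].add(dport)  # SYN, SYN|ACK, RST: -sS style
        elif ("s", "R") in seen:
            summary[(src, dst)]["closed"].add(dport)     # target refused the connection
    return dict(summary)

def detect_scans(events, min_ports=5):
    """Flag a source that probed at least min_ports distinct ports on one host."""
    alerts = []
    for (src, dst), s in summarize_probes(events).items():
        probed = s["half_open"] | s["connect"] | s["closed"]
        if len(probed) >= min_ports:
            style = "half-open SYN scan" if s["half_open"] else "connect() scan"
            alerts.append((src, dst, style, len(probed), sorted(s["half_open"] | s["connect"])))
    return alerts
```

A production detector would also bound the time window and tolerate retransmitted SYNs; this keeps only the handshake-state logic that separates the two scan styles.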













Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget