Nmap network security scanner man page
nmap - Network exploration tool and security scanner
SYNOPSIS
nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
DESCRIPTION
Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. See the Scan Types section for more details. nmap also offers a number of advanced features such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, fragmentation scanning, and flexible target and port specification.

Significant effort has been put into decent nmap performance for non-root users. Unfortunately, many critical kernel interfaces (such as raw sockets) require root privileges. nmap should be run as root whenever possible.
OPTIONS
Options that make sense together can generally be combined. Some options are specific to certain scan modes. nmap tries to catch and warn the user about psychotic or unsupported option combinations.

If you are impatient, you can skip to the examples section at the end, which demonstrates common usage. You can also run nmap -h for a quick reference page listing all the options.
Scan Types
-sT TCP connect() scan
This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn't reachable. One strong advantage to this technique is that you don't need any special privileges. Any user on most UNIX boxes is free to use this call.

This sort of scan is easily detectable as target host logs will show a bunch of connection and error
-sS TCP SYN scan
This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and you wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets.
-sF -sX -sN Stealth FIN, Xmas Tree, or Null scan modes
There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like Synlogger and Courtney are available to detect these scans. These advanced scans, on the other hand, may be able to pass through unmolested.

The idea is that closed ports are required to reply to your probe packet with an RST, while open ports must ignore the packets in question (see RFC 794 pp 64). The FIN scan uses a bare (surprise) FIN packet as the probe, while the Xmas tree scan turns on the FIN, URG, and PUSH flags. The Null scan turns off all flags. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows95/NT. On the positive side, this is a good way to distinguish between the two platforms. If the scan finds closed ports, you probably have a UNIX machine, whereas all ports open is indicative of Windows. A few exceptions are that Cisco, BSDI, HP/UX, MVS, and IRIX are also broken in that they send resets when they should just drop the packet.
-sP Ping scanning
Sometimes you only want to know which hosts on a network are up. Nmap can do this by sending ICMP echo request packets to every IP address on the networks you specify. Hosts that respond are up. Unfortunately, some sites such as microsoft.com block echo request packets. Thus nmap can also send a TCP ack packet to (by default) port 80. If we get an RST back, that machine is up. A third technique involves sending a SYN packet and waiting for a RST or a SYN/ACK. For non-root users, a connect() method is used.
ICMP and ACK techniques in parallel. You can change the -P option described later.

Note that pinging is done by default anyway, and only hosts that respond are scanned. Only use this option if you wish to ping sweep without doing any actual port scans.
-sU UDP scans
This method is used to determine which UDP (User Datagram Protocol, RFC 768) ports are open on a host. The technique is to send 0 byte udp packets to each port on the target machine. If we receive an ICMP port unreachable message, then the port is closed. Otherwise we assume it is open.

Some people think UDP scanning is pointless. I usually remind them of the recent Solaris rpcbind hole. Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can! There is also the cDc Back Orifice backdoor program which hides on a configurable UDP port on Windows machines. Not to mention the many commonly vulnerable services that utilize UDP such as snmp, tftp, NFS, etc.

Unfortunately UDP scanning is sometimes painfully slow since most hosts implement a suggestion in RFC 1812 (section 4.3.2.8) of limiting the ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h) limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded. Solaris has much more strict limits (about 2 messages per second) and thus takes even longer to scan. nmap detects this rate limiting and slows down accordingly, rather than flood the network with useless packets that will be ignored by the target machine.

As is typical, Microsoft ignored the suggestion of the RFC and does not seem to do any rate limiting at all on Win95 and NT machines. Thus we can scan all 65K ports of a Windows machine very quickly. Woop!
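The following is an added example, not code from nmap or its author, that puts the rules of the -sS, -sF/-sX/-sN, -sP/-PT and -sU sections above into one table: it names a probe from its TCP flag byte, derives the port state nmap would report from the reply, applies the page's UNIX-vs-Windows heuristic for FIN/Xmas/Null results, and, from the defender's side, picks out sources sending stealth probes that a SYN-only detector would miss. The packet sample is constructed; the flag values are the standard TCP header bits.

```python
# Added example, not part of nmap: classify TCP probes by their flag set
# using this page's definitions (-sS, -sF, -sX, -sN, -PT) and infer the
# port state nmap would report from the reply, including the -sU rule.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Probe types as described on this page, keyed by the exact TCP flag byte.
PROBES = {
    SYN: "syn",               # -sS: half-open SYN probe
    FIN: "fin",               # -sF: bare FIN
    FIN | URG | PSH: "xmas",  # -sX: FIN, URG and PUSH set
    0: "null",                # -sN: all flags off
    ACK: "ack-ping",          # -PT: TCP "ping"; by flags alone it looks like any ACK
}

def classify_probe(flags):
    """Name the nmap probe a packet with this flag byte matches, or None."""
    return PROBES.get(flags & 0x3F)

def infer_state(probe, reply):
    """reply is 'syn-ack', 'rst', 'icmp-unreach' or None (no answer)."""
    if probe == "syn":
        return {"syn-ack": "open", "rst": "closed"}.get(reply, "no-response")
    if probe in ("fin", "xmas", "null"):
        # RFC-conformant stacks: closed ports answer RST, open ports stay silent
        return "closed" if reply == "rst" else "open"
    if probe == "udp":
        # 0-byte datagram: ICMP port unreachable means closed, silence is taken as open
        return "closed" if reply == "icmp-unreach" else "open"
    if probe == "ack-ping":
        return "host-up" if reply == "rst" else "no-response"
    raise ValueError("unknown probe type: %r" % probe)

def platform_hint(states):
    """The page's heuristic for a FIN/Xmas/Null scan: any closed port suggests
    UNIX; every port 'open' suggests a Windows95/NT-style stack that never RSTs."""
    return "probably UNIX" if "closed" in states else "all open: probably Windows"

# Constructed sample of packets seen by a host: (source, dst port, TCP flag byte)
SAMPLE = [
    ("10.0.0.5", 22, FIN | URG | PSH),
    ("10.0.0.5", 25, FIN | URG | PSH),
    ("10.0.0.5", 80, FIN | URG | PSH),
    ("10.0.0.9", 80, SYN),
    ("10.0.0.9", 80, ACK),   # ordinary established-connection traffic
    ("10.0.0.7", 53, 0),
    ("10.0.0.7", 139, 0),
]

def stealth_scan_sources(packets, min_ports=3):
    """Defender's view: sources that sent FIN/Xmas/Null probes (which SYN-watching
    detectors such as those named above miss) to at least min_ports distinct ports."""
    hits = {}
    for src, port, flags in packets:
        if classify_probe(flags) in ("fin", "xmas", "null"):
            hits.setdefault(src, set()).add(port)
    return sorted(s for s, ports in hits.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    print(stealth_scan_sources(SAMPLE))          # ['10.0.0.5']
    print(infer_state("xmas", None), infer_state("udp", "icmp-unreach"))
```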
-b <ftp relay host> FTP bounce attack
An interesting "feature" of the ftp protocol (RFC 959) is support for "proxy" ftp connections. In other words, I should be able to
ANYWHERE on the internet! Now this may have worked well in 1985 when the RFC was written. But in today's Internet, we can't have people hijacking ftp servers and requesting that data be spit out to arbitrary points on the internet. As *Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time." What we will exploit this for is to (surprise, surprise) scan TCP ports from a "proxy" ftp server. Thus you could connect to an ftp server behind a firewall, and then scan ports that are more likely to be blocked (139 is a good one). If the ftp server allows reading from and writing to some directory (such as /incoming), you can send arbitrary data to ports that you do find open (nmap doesn't do this for you though).

The argument passed to the 'b' option is the host you want to use as a proxy, in standard URL notation. The format is: username:password@server:port. Everything but server is optional. To determine what servers are vulnerable to this attack, you can see my article in Phrack 51. An updated version is available at the nmap URL (http://www.insecure.org/nmap).
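As an added example (not nmap's code, and not from the Phrack article), here is the server-side check that closes the bounce hole described above: RFC 959 PORT carries the data address as h1,h2,h3,h4,p1,p2, and an ftp server that only honours a PORT pointing back at the host that opened the control connection cannot be used as a scanning proxy. The control-peer address and the PORT strings are constructed sample values; the reply texts are illustrative.

```python
# Added example, not part of nmap: a PORT-command validator of the kind an
# ftp server needs so that it cannot be turned into a port-scanning proxy.
import ipaddress

def parse_port_arg(arg):
    """Decode the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT byte must be 0-255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return str(ip), port

def port_command_allowed(arg, control_peer_ip):
    """Return (ok, reply). ok is True only when the data connection goes back to
    the same host that opened the control connection, on an unprivileged port."""
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as e:
        return False, "500 Illegal PORT command: %s" % e
    if ip != control_peer_ip:
        # The bounce case: the client asks the server to open a connection
        # to a third party, which is exactly what -b relies on.
        return False, "500 Illegal PORT command: address does not match control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port"
    return True, "200 PORT command successful"

if __name__ == "__main__":
    peer = "192.0.2.10"                                   # constructed control-connection peer
    print(port_command_allowed("192,0,2,10,4,1", peer))   # (True, '200 ...')
    print(port_command_allowed("10,0,0,9,0,139", peer))   # (False, '500 ... does not match ...')
```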
General Options

None of these are required but some can be quite useful.

-P0 Do not try and ping hosts at all before scanning them. This allows the scanning of networks that don't allow ICMP echo requests (or responses) through their firewall. microsoft.com is an example of such a network, and thus you should always use -P0 or -PT80 when portscanning microsoft.com.

-PT Use TCP "ping" to determine what hosts are up. Instead of sending ICMP echo request packets and waiting for a response, we spew out TCP ACK packets throughout the target network (or to a single machine) and then wait for responses to trickle back. Hosts that are up should respond with a RST. This option preserves the efficiency of only scanning hosts that are up while still allowing you to scan networks/hosts that block ping packets. For non root users, we use connect(). To set the destination port of the probe packets use -PT<port number>. The default port is 80, since this port is often not filtered out.

-PS This option uses
respond with a RST (or, rarely, a SYN|ACK).

-PI This option uses a true ping (ICMP echo request) packet. It finds hosts that are up and also looks for subnet-directed broadcast addresses on your network. These are IP addresses which are externally reachable and translate to a broadcast of incoming IP packets to a subnet of computers. These should be eliminated if found as they allow for numerous denial of service attacks (Smurf is the most common).

-PB This is the default ping type. It uses both the ACK ( -PT ) and ICMP ( -PI ) sweeps in parallel. This way you can get firewalls that filter either one (but not both).
-O This option activates remote host identification via TCP/IP fingerprinting. In other words, it uses a bunch of techniques to detect subtleties in the underlying operating system network stack of the computers you are scanning. It uses this information to create a 'fingerprint' which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file) to decide what type of system you are scanning.

If you find a machine that is misdiagnosed and has at least one port open, it would be useful if you mail me the details (ie OS blah version foo was detected as OS blah version bar). If you find a machine with at least one port open for which nmap says 'unknown operating system', then it would be useful if you send me the IP address along with the OS name and version number. If you can't send the IP address, the next best thing is to run nmap with the -d option and send me the three fingerprints that should result along with the OS name and version number. By doing this you contribute to the pool of operating systems known to nmap and thus it will be more accurate for everyone.
-I This turns on TCP reverse ident scanning. As noted by Dave Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc 1413) allows for the disclosure of the username that owns any process connected via TCP, even if that process didn't initiate the connection. So you can, for example, connect to the http port and then use identd to find out whether the server is running as root. This can only be done with a full TCP connection to the target port (i.e. the -sT scanning option). When -I is used,
is not running identd.
-f This option causes the requested SYN, FIN, XMAS, or NULL scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. My favorite sniffer segmentation faulted immediately upon receiving the first 36-byte fragment. After that comes a 24 byte one! While this method won't get by packet filters and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), some networks can't afford the performance hit this causes and thus leave it disabled.

Note that I do not yet have this option working on all systems. It works fine for my Linux, FreeBSD, and OpenBSD boxes and some people have reported success with other *NIX variants.
-v Verbose mode. This is a highly recommended option and it gives out more information about what is going on. You can use it twice for greater effect. Use -d a couple of times if you really want to get crazy with scrolling the screen!

-h This handy option displays a quick reference screen of nmap usage options. As you may have noticed, this man page is not exactly a 'quick reference' :)
-o <logfilename>
This logs the results of your scans in a human readable form into the file you specify as an argument.

-m <logfilename>
This logs the results of your scans in a machine parseable form into the file you specify as an argument.

-i <inputfilename>
Reads target specifications from the file specified RATHER than from the command line. The file should contain a list of host or network expressions separated by spaces, tabs, or newlines. Use a hyphen (-) as inputfilename if you want nmap to read host expressions from stdin (like at the end of a pipe). See the section target specification for more information on the expressions you fill

This option specifies what ports you want to specify. For example '-p 23' will only try port 23 of the target host(s). ports greater than 60000. The default is to scan all ports between 1 and 1024 as well as any ports listed in your /etc/services.
-F Fast scan mode.
Specifies that you only wish to scan for ports listed in /etc/services. This is obviously much faster than scanning all 65535 ports on a host.

-D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys.

Separate each decoy host with commas, and you can optionally use 'ME' as one of the decoys to represent the position you want your IP address to be used. If you put 'ME' in the 6th position or later, some common port scan detectors (such as Solar Designer's excellent scanlogd) are unlikely to show your IP address at all. If you don't use 'ME', nmap will put you in a random position.

Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network.

Also note that some (stupid) "port scan detectors" will firewall/deny routing to hosts that attempt port scans. Thus you might inadvertently cause the machine you scan to lose connectivity with the decoy machines you are using. This could cause the target machines major problems if the decoy is, say, its internet gateway or even "localhost". Thus you might want to be careful of this option. The real moral of the story is that detectors of spoofable port scans should not take action against the machine that seems like it is port scanning them. It could just be a decoy!

Decoys are used both in the initial ping scan (using ICMP, SYN, ACK, or whatever) as well as the actual port scanning phase. Decoys are also used during remote OS detection ( -O ).
slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, although many (currently most) do not restrict spoofed IP packets at all.
-S <IP_Address>
In some circumstances, nmap may not be able to determine your source address ( nmap will tell you if this is the case). In this situation, use -S with your IP address (of the interface you wish to send packets through).

Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! This is not a supported usage (or the main purpose) of this flag. I just think it raises an interesting possibility that people should be aware of before they go accusing others of port scanning them. -e would generally be required for this sort of usage.

-e <interface>
Tells nmap what interface to send and receive packets on. Nmap should be able to detect this but it will tell you if it cannot.

-g <portnumber>
Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in their ruleset to allow DNS (53) or FTP-DATA (20) packets to come through and establish a connection. Obviously this completely subverts the security advantages of the firewall since intruders can just masquerade as FTP or DNS by modifying their source port. Obviously for a UDP scan you should try 53 first and TCP scans should try 20 before 53.

Be aware that there is a small performance penalty on some scans for using this option, because I sometimes store useful information in the source port number.
Target specification

Everything that isn't an option (or option argument) in nmap is treated as a target host specification. The simplest case is listing single hostnames or IP addresses on the command line. If you want to scan a subnet of IP addresses, you can append '/mask' to the hostname or IP address. mask must be between 0 (scan the whole internet) and 32

Nmap also has a more powerful notation which lets you specify an IP address using lists/ranges for each element. Thus you can scan the whole class 'B' network 128.210.*.* by specifying '128.210.*.*' or '128.210.0-255.0-255' or even '128.210.1-50,51-255.1,2,3,4,5-255'. And of course you can use the mask notation: '128.210.0.0/16'. These are all equivalent. If you use asterisks ('*'), remember that most shells require you to escape them with back slashes or protect them with quotes.

Another interesting thing to do is slice the Internet the other way. Instead of scanning all the hosts in a class 'B', scan '*.*.5.6-7' to scan every IP address that ends in .5.6 or .5.7. Pick your own numbers. For more information on specifying hosts to scan, see the examples section.
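The expander below is an added example, not nmap's own target parser: it turns the notation of this section ('/mask' and per-octet lists, ranges and '*') into the set of IPv4 addresses covered, so you can count what a given expression would actually hit before handing it to a scanner (or, on the receiving side, check whether a logged address falls inside a reported range). It assumes IPv4 literals only; hostnames are not resolved.

```python
# Added example, not part of nmap: expand this page's target notation,
# '/mask' and per-octet lists/ranges with '*', into the set of IPv4 addresses.
import ipaddress

def _expand_octet(spec):
    """'1-50,51-255' -> 1..255; '*' -> 0..255; '7' -> [7]."""
    if spec == "*":
        return list(range(256))
    values = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 255):
            raise ValueError("bad octet range: %r" % item)
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(expr):
    """Return the set of dotted-quad strings the expression covers."""
    if "/" in expr:
        base, mask = expr.split("/", 1)
        mask = int(mask)
        if not 0 <= mask <= 32:
            raise ValueError("mask must be between 0 and 32")
        # strict=False lets '128.210.1.2/16' mean the /16 containing that address.
        # A /0 is the whole Internet: enumerate it only on purpose.
        return {str(a) for a in ipaddress.IPv4Network((base, mask), strict=False)}
    octets = expr.split(".")
    if len(octets) != 4:
        raise ValueError("need four octets: %r" % expr)
    a, b, c, d = (_expand_octet(o) for o in octets)
    return {"%d.%d.%d.%d" % (w, x, y, z)
            for w in a for x in b for y in c for z in d}

def count_targets(expr):
    """Number of addresses an expression would have nmap probe."""
    return len(expand_target(expr))

if __name__ == "__main__":
    for e in ("128.210.*.*", "128.210.0.0/16", "128.210.1-50,51-255.1,2,3,4,5-255"):
        print(e, count_targets(e))
```

Note that the third form from the text leaves out every .0 in the last two octets, so its count differs from the other two.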
EXAMPLES

Here are some examples of using nmap, from simple and normal to a little more complex/esoteric. Note that actual numbers and some actual domain names are used to make things more concrete. In their place you should substitute addresses/names from your own network. I do not think portscanning other networks is illegal; nor should portscans be construed by others as an attack. I have scanned hundreds of thousands of machines and have received only one complaint. But I am not a lawyer and some (anal) people may be annoyed by nmap probes. Get permission first or use at your own risk.

nmap -v target.example.com

This option scans all reserved TCP ports on the machine target.example.com. The -v means turn on verbose mode.

nmap -sS -O target.example.com/24

Launches a stealth SYN scan against each machine that is up out of the 255 machines on class 'C' where target.example.com resides. It also tries to determine what operating system is running on each host that is up and running. This requires root privileges because of the SYN scan and the OS detection.

nmap -sX -p 22,53,110,143 128.210.*.1-127

Sends an Xmas tree scan to the first half of each of the 255 possible 8 bit subnets in the 128.210 class 'B'
scan doesn't work on Microsoft boxes due to their deficient TCP stack. Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.

nmap -v -p 80 '*.*.2.3-5'

Rather than focus on a specific IP range, it is sometimes interesting to slice up the entire Internet and scan a small sample from each slice. This command finds all web servers on machines with IP addresses ending in .2.3, .2.4, or .2.5. If you are root you might as well add -sS. Also you will find more interesting machines starting at 127. so you might want to use '127-222' instead of the first asterisk because that section has a greater density of interesting machines (IMHO).

host -l company.com | cut '-d ' -f 4 | ./nmap -v -i -

Do a DNS zone transfer to find the hosts in company.com and then feed the IP addresses to nmap. The above commands are for my GNU/Linux box. You may need different commands/options on other operating systems.
BUGS

Bugs? What bugs? Send me any that you find. Patches are nice too :) Remember to also send in new OS fingerprints so we can grow the database.

AUTHOR

Fyodor <fyodor@dhp.com>

DISTRIBUTION

The newest version of nmap can be obtained from http://www.insecure.org/nmap

nmap is (C) 1997,1998 by Fyodor (fyodor@dhp.com, fyodor@insecure.org)

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details (it is in the COPYING file of the nmap distribution).