
NMAP

Target Specification

-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file

Host Discovery

-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host

Scan Techniques

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan

Port Specification & Scan Order

-p <port ranges>: Only scan specified ports
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>

Service/Version Detection

-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)

Script Scan

-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script-files or script-categories.
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories.

Timing & Performance

-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second

Firewall/IDS Evasion & Spoofing

-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified IP options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum

Output

-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output

Misc

-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
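The grepable (-oG) output format listed under Output is the one most often post-processed without an XML library: one tab-separated "Host:" line per target, with a "Ports:" field whose entries are slash-separated. The parser below is an added example, not part of the cheat sheet or of Nmap itself; the scan text it reads is a constructed sample, and the per-host baseline of expected open ports is an assumption a defender would fill in from their own asset inventory to spot unexpected exposure between scheduled scans.

```python
import re

# Constructed sample of `nmap -sV --open -oG -` output (not a real scan).
# Fields on a Host line are tab-separated; port entries are comma-separated.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV --open -oG - 192.0.2.0/29\n"
    "Host: 192.0.2.10 (web01.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2p1/, "
    "80/open/tcp//http//nginx 1.24.0/, 3306/open/tcp//mysql//MySQL 8.0.36/\t"
    "Ignored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https//nginx 1.24.0/, "
    "161/open|filtered/udp//snmp///\tIgnored State: filtered (998)\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned in 5.00 seconds\n"
)

# Assumed baseline: which (port, proto) pairs each host is expected to expose.
EXPECTED_OPEN = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.11": {(443, "tcp")},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: [(port, proto, state, service, version), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # skip "# Nmap ..." header/footer lines
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            # Entry layout: port/state/proto/owner/service/rpc_info/version/
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            hosts[ip].append((int(port), proto, state, service, version))
    return hosts


def unexpected_exposure(hosts, baseline):
    """List open (or open|filtered) ports that are not in the host's baseline."""
    findings = []
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        for port, proto, state, service, _version in ports:
            if state.startswith("open") and (port, proto) not in allowed:
                findings.append((ip, port, proto, state, service))
    return findings


if __name__ == "__main__":
    for finding in unexpected_exposure(parse_grepable(SAMPLE_GREPABLE), EXPECTED_OPEN):
        print("unexpected:", finding)
```

On the sample this reports the MySQL port on web01 and the SNMP UDP port on 192.0.2.11, the two services absent from the assumed baseline.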

OS Detection

-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively

@hackinarticles
https://github.com/Ignitetechnologies
https://in.linkedin.com/company/hackingarticles
