From 066bae76e94c21604fe4132c4ca26e5b2f0c6375 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Wed, 24 Jul 2013 11:29:03 -0500
Subject: Initial import of knmap 2.1 sources

---
 src/nmap_manpage.html.diff | 557 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 557 insertions(+)
 create mode 100644 src/nmap_manpage.html.diff

diff --git a/src/nmap_manpage.html.diff b/src/nmap_manpage.html.diff
new file mode 100644
index 0000000..bcdf5a6
--- /dev/null
+++ b/src/nmap_manpage.html.diff
@@ -0,0 +1,557 @@ +--- /usr/share/doc/nmap-3.93/nmap_manpage.html 2005-09-12 20:11:41.000000000 +0930 ++++ /home/c/knmap/src/nmap_manpage.html 2005-11-09 09:35:59.000000000 +0930 +@@ -78,7 +78,7 @@ + + SCAN TYPES + +- -sS TCP SYN scan: This technique is often referred to as "half-open" ++ -sS TCP SYN scan: This technique is often referred to as "half-open" + scanning, because you don’t open a full TCP connection. You send + a SYN packet, as if you are going to open a real connection and + you wait for a response. A SYN|ACK indicates the port is listen- +@@ -89,7 +89,7 @@ + Unfortunately you need root privileges to build these custom SYN + packets. This is the default scan type for privileged users. + +- -sT TCP connect() scan: This is the most basic form of TCP scanning. ++ -sT TCP connect() scan: This is the most basic form of TCP scanning. + The connect() system call provided by your operating system is + used to open a connection to every interesting port on the + machine. If the port is listening, connect() will succeed, oth- +@@ -102,7 +102,7 @@ + which accept() the connection just to have it immediately shut- + down. This is the default scan type for unprivileged users. + +- -sF -sX -sN ++ -sF -sX -sN + Stealth FIN, Xmas Tree, or Null scan modes: There are times when + even SYN scanning isn’t clandestine enough. Some firewalls and + packet filters watch for SYNs to restricted ports, and programs +@@ -133,7 +133,7 @@ + HP/UX, MVS, and IRIX. All of the above send resets from the + open ports when they should just drop the packet. + +- -sP Ping scanning: Sometimes you only want to know which hosts on a ++ -sP Ping scanning: Sometimes you only want to know which hosts on a + network are up. Nmap can do this by sending ICMP echo request + packets to every IP address on the networks you specify. Hosts + that respond are up. Unfortunately, some sites such as +@@ -151,7 +151,7 @@ + respond are scanned. 
Only use this option if you wish to ping + sweep without doing any actual port scans. + +- -sV Version detection: After TCP and/or UDP ports are discovered ++ -sV Version detection: After TCP and/or UDP ports are discovered + using one of the other scan methods, version detection communi- + cates with those ports to try and determine more about what is + actually running. A file called nmap-service-probes is used to +@@ -177,7 +177,7 @@ + version scanning is doing (this is a subset of what you would + get with --packet_trace). + +- -sU UDP scans: This method is used to determine which UDP (User ++ -sU UDP scans: This method is used to determine which UDP (User + Datagram Protocol, RFC 768) ports are open on a host. The tech- + nique is to send 0 byte UDP packets to each port on the target + machine. If we receive an ICMP port unreachable message, then +@@ -215,7 +215,7 @@ + very quickly. Whoop! + + +- -sO IP protocol scans: This method is used to determine which IP ++ -sO IP protocol scans: This method is used to determine which IP + protocols are supported on a host. The technique is to send raw + IP packets without any further protocol header to each specified + protocol on the target machine. If we receive an ICMP protocol +@@ -229,7 +229,7 @@ + field has only 8 bits, so at most 256 protocols can be probed + which should be possible in reasonable time anyway. + +- -sI <zombie host[:probeport]> ++ -sI <zombie host[:probeport]> + Idlescan: This advanced scan method allows for a truly blind TCP + port scan of the target (meaning no packets are sent to the tar- + get from your real IP address). Instead, a unique side-channel +@@ -257,7 +257,7 @@ + Otherwise Nmap will use the port it uses by default for "tcp + pings". + +- -sA ACK scan: This advanced method is usually used to map out fire- ++ -sA ACK scan: This advanced method is usually used to map out fire- + wall rulesets. 
In particular, it can help determine whether a + firewall is stateful or just a simple packet filter that blocks + incoming SYN packets. +@@ -272,7 +272,7 @@ + RSTs). This scan will obviously never show ports in the "open" + state. + +- -sW Window scan: This advanced scan is very similar to the ACK scan, ++ -sW Window scan: This advanced scan is very similar to the ACK scan, + except that it can sometimes detect open ports as well as fil- + tered/unfiltered due to an anomaly in the TCP window size + reporting by some operating systems. Systems vulnerable to this +@@ -282,7 +282,7 @@ + 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing + list archive for a full list. + +- -sR RPC scan. This method works in combination with the various ++ -sR RPC scan. This method works in combination with the various + port scan methods of Nmap. It takes all the TCP/UDP ports found + open and then floods them with SunRPC program NULL commands in + an attempt to determine whether they are RPC ports, and if so, +@@ -294,11 +294,11 @@ + matically enabled as part of version scan (-sV) if you request + that. + +- -sL List scan. This method simply generates and prints a list of IP ++ -sL List scan. This method simply generates and prints a list of IP + addresses or hostnames without actually pinging or port scanning + them. DNS name resolution will be performed unless you use -n. + +- -b <ftp relay host> ++ -b <ftp relay host> + FTP bounce attack: An interesting "feature" of the ftp protocol + (RFC 959) is support for "proxy" ftp connections. In other + words, I should be able to connect from evil.com to the FTP +@@ -332,7 +332,7 @@ + odds of penetrating strict firewalls by sending many probe types + using different TCP ports/flags and ICMP codes. + +- -P0 Do not try to ping hosts at all before scanning them. This ++ -P0 Do not try to ping hosts at all before scanning them. 
This + allows the scanning of networks that don’t allow ICMP echo + requests (or responses) through their firewall. microsoft.com + is an example of such a network, and thus you should always use +@@ -342,7 +342,7 @@ + trary combinations of TCP, UDP, and ICMP probes. By default, + Nmap sends an ICMP echo request and a TCP ACK packet to port 80. + +- -PA [portlist] ++ -PA [portlist] + Use TCP ACK "ping" to determine what hosts are up. Instead of + sending ICMP echo request packets and waiting for a response, we + spew out TCP ACK packets throughout the target network (or to a +@@ -356,13 +356,13 @@ + 80, since this port is often not filtered out. Note that this + option now accepts multiple, comma-separated port numbers. + +- -PS [portlist] ++ -PS [portlist] + This option uses SYN (connection request) packets instead of ACK + packets for root users. Hosts that are up should respond with a + RST (or, rarely, a SYN|ACK). You can set the destination ports + in the same manner as -PA above. + +- -PR This option specifies a raw ethernet ARP ping. It cannot be ++ -PR This option specifies a raw ethernet ARP ping. It cannot be + used in combination with any of the other ping types. When the + target machines are on the same network you are scanning from, + this is the fastest and most reliable (because it goes below IP- +@@ -374,7 +374,7 @@ + UDP services won’t reply to an empty packet, your best bet might + be to send this to expected-closed ports rather than open ones. + +- -PE This option uses a true ping (ICMP echo request) packet. It ++ -PE This option uses a true ping (ICMP echo request) packet. It + finds hosts that are up and also looks for subnet-directed + broadcast addresses on your network. These are IP addresses + which are externally reachable and translate to a broadcast of +@@ -382,10 +382,10 @@ + eliminated if found as they allow for numerous denial of service + attacks (Smurf is the most common). 
+ +- -PP Uses an ICMP timestamp request (type 13) packet to find listen- ++ -PP Uses an ICMP timestamp request (type 13) packet to find listen- + ing hosts. + +- -PM Same as -PE and -PP except uses a netmask request (ICMP type ++ -PM Same as -PE and -PP except uses a netmask request (ICMP type + 17). + + -PB This is the default ping type. It uses both the ACK ( -PA ) and +@@ -397,7 +397,7 @@ + "PA" (or rely on the default behavior) to achieve this same + effect. + +- -O This option activates remote host identification via TCP/IP fin- ++ -O This option activates remote host identification via TCP/IP fin- + gerprinting. In other words, it uses a bunch of techniques to + detect subtleties in the underlying operating system network + stack of the computers you are scanning. It uses this informa- +@@ -436,7 +436,7 @@ + for each packet they send. This makes them vulnerable to sev- + eral advanced information gathering and spoofing attacks. + +- --osscan_limit ++ --osscan_limit + OS detection is far more effective if at least one open and one + closed TCP port are found. Set this option and Nmap will not + even try OS detection against hosts that do not meet this crite- +@@ -444,7 +444,7 @@ + against many hosts. It only matters when OS detection is + requested (-O or -A options). + +- -A This option enables _a_dditional _a_dvanced and _a_ggressive ++ -A This option enables _a_dditional _a_dvanced and _a_ggressive + options. I haven’t decided exactly which it stands for yet :). + Presently this enables OS Detection (-O) and version scanning + (-sV). More features may be added in the future. The point is +@@ -453,7 +453,7 @@ + enables features, and not timing options (such as -T4) or ver- + bosity options (-v) that you might wan’t as well. + +- -6 This options enables IPv6 support. All targets must be IPv6 if ++ -6 This options enables IPv6 support. 
All targets must be IPv6 if + this option is used, and they can be specified via normal DNS + name (AAAA record) or as a literal IP address such as + 3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect() TCP +@@ -461,7 +461,7 @@ + or other scan types, have a look at http://nmap6.source- + forge.net/ . + +- --send_eth ++ --send_eth + Asks Nmap to send packets at the raw ethernet (data link) layer + rather than the higher IP (network) layer. By default, Nmap + chooses the one which is generally best for the platform it is +@@ -471,12 +471,12 @@ + port. Nmap still uses raw IP packets when there is no other + choice (such as non-ethernet connections). + +- --send_ip ++ --send_ip + Asks Nmap to send packets via raw IP sockets rather than sending + lower level ethernet frames. It is the complement to the + --send-eth option.discussed previously. + +- --spoof_mac [mac, prefix, or vendor substring] ++ --spoof_mac [mac, prefix, or vendor substring] + Ask Nmap to use the given MAC address for all of the raw ether- + net frames it sends. The MAC given can take several formats. + If it is simply the string "0", Nmap chooses a completely random +@@ -492,7 +492,7 @@ + are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", + and "Cisco". + +- -f This option causes the requested scan (including ping scans) to ++ -f This option causes the requested scan (including ping scans) to + use tiny fragmented IP packets. The idea is to split up the TCP + header over several packets to make it harder for packet fil- + ters, intrusion detection systems, and other annoyances to +@@ -521,7 +521,7 @@ + It works fine for my Linux, FreeBSD, and OpenBSD boxes and some + people have reported success with other *NIX variants. + +- -v Verbose mode. This is a highly recommended option and it gives ++ -v Verbose mode. This is a highly recommended option and it gives + out more information about what is going on. You can use it + twice for greater effect. 
You can also use -d a few times if + you really want to get crazy with scrolling the screen! +@@ -530,11 +530,11 @@ + options. As you may have noticed, this man page is not exactly + a "quick reference" :) + +- -oN <logfilename> ++ -oN <logfilename> + This logs the results of your scans in a normal human readable + form into the file you specify as an argument. + +- -oX <logfilename> ++ -oX <logfilename> + This logs the results of your scans in XML form into the file + you specify as an argument. This allows programs to easily cap- + ture and interpret Nmap results. You can give the argument "-" +@@ -546,7 +546,7 @@ + the XML output structure is available at http://www.inse- + cure.org/nmap/data/nmap.dtd . + +- --stylesheet <filename> ++ --stylesheet <filename> + Nmap ships with an XSL stylesheet named nmap.xsl for viewing or + translating XML output to HTML. The XML output includes an xml- + stylesheet directive which points to nmap.xml where it was ini- +@@ -563,12 +563,12 @@ + URL is often more useful, but the local filesystem locaton of + nmap.xsl is used by default for privacy reasons. + +- --no_stylesheet ++ --no_stylesheet + Specify this option to prevent Nmap from associating any XSL + stylesheet with its XML output. The xml-stylesheet directive is + omitted. + +- -oG <logfilename> ++ -oG <logfilename> + This logs the results of your scans in a grepable form into the + file you specify as an argument. This simple format provides + all the information on one line (so you can easily grep for port +@@ -582,17 +582,17 @@ + will still go to stderr). Also note that "-v" will cause some + extra information to be printed. + +- -oA <basefilename> ++ -oA <basefilename> + This tells Nmap to log in ALL the major formats (normal, + grepable, and XML). You give a base for the filename, and the + output files will be base.nmap, base.gnmap, and base.xml. 
+ +- -oS <logfilename> ++ -oS <logfilename> + thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto + THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-" + (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!! + +- --resume <logfilename> ++ --resume <logfilename> + A network scan that is canceled due to control-C, network out- + age, etc. can be resumed using this option. The logfilename + must be either a normal (-oN) or grepable (-oG) log from the +@@ -600,7 +600,7 @@ + same as the aborted scan). Nmap will start on the machine after + the last one successfully scanned in the log file. + +- --exclude <host1 [,host2][,host3],..."> ++ --exclude <host1 [,host2][,host3],..."> + Specifies a list of targets (hosts, ranges, netblocks) that + should be excluded from a scan. Useful to keep from scanning + yourself, your ISP, particularly sensitive hosts, etc. +@@ -610,16 +610,16 @@ + targets are provided in an newline-delimited exclude_file rather + than on the command line. + +- --allports ++ --allports + Causes version detection (-sV) to scan all open ports found, + including those excluded as dangerous (likely to cause crashes + or other problems) in nmap-service-probes. + +- --append_output ++ --append_output + Tells Nmap to append scan results to any output files you have + specified rather than overwriting those files. + +- -iL <inputfilename> ++ -iL <inputfilename> + Reads target specifications from the file specified RATHER than + from the command line. The file should contain a list of host + or network expressions separated by spaces, tabs, or newlines. +@@ -628,7 +628,7 @@ + section target specification for more information on the expres- + sions you fill the file with. + +- -iR <num hosts> ++ -iR <num hosts> + This option tells Nmap to generate its own hosts to scan by sim- + ply picking random numbers :). 
It will never end after the + given number of IPs has been scanned -- use 0 for a never-ending +@@ -637,7 +637,7 @@ + bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web servers + to look at. + +- -p <port ranges> ++ -p <port ranges> + This option specifies what ports you want to specify. For exam- + ple "-p 23" will only try port 23 of the target host(s). "-p + 20-30,139,60000-" scans ports between 20 and 30, port 139, and +@@ -656,13 +656,13 @@ + tocol qualifier is given, the port numbers are added to all pro- + tocol lists. + +- -F Fast scan mode. ++ -F Fast scan mode. + Specifies that you only wish to scan for ports listed in the + services file which comes with nmap (or the protocols file for + -sO). This is obviously much faster than scanning all 65535 + ports on a host. + +- -D <decoy1 [,decoy2][,ME],...> ++ -D <decoy1 [,decoy2][,ME],...> + Causes a decoy scan to be performed which makes it appear to the + remote host that the host(s) you specify as decoys are scanning + the target network too. Thus their IDS might report 5-10 port +@@ -708,7 +708,7 @@ + will filter out your spoofed packets, although many (currently + most) do not restrict spoofed IP packets at all. + +- -S <IP_Address> ++ -S <IP_Address> + In some circumstances, nmap may not be able to determine your + source address ( nmap will tell you if this is the case). In + this situation, use -S with your IP address (of the interface +@@ -723,11 +723,11 @@ + ning them. -e would generally be required for this sort of + usage. + +- -e <interface> ++ -e <interface> + Tells nmap what interface to send and receive packets on. Nmap + should be able to detect this but it will tell you if it cannot. + +- --source_port <portnumber> ++ --source_port <portnumber> + Sets the source port number used in scans. 
Many naive firewall + and packet filter installations make an exception in their rule- + set to allow DNS (53) or FTP-DATA (20) packets to come through +@@ -746,7 +746,7 @@ + for using this option, because I sometimes store useful informa- + tion in the source port number. + +- --data_length <number> ++ --data_length <number> + Normally Nmap sends minimalistic packets that only contain a + header. So its TCP packets are generally 40 bytes and ICMP echo + requests are just 28. This option tells Nmap to append the +@@ -755,22 +755,22 @@ + portscan packets are. This slows things down, but can be + slightly less conspicuous. + +- -n Tells Nmap to NEVER do reverse DNS resolution on the active IP ++ -n Tells Nmap to NEVER do reverse DNS resolution on the active IP + addresses it finds. Since DNS is often slow, this can help + speed things up. + +- -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP ++ -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP + addresses. Normally this is only done when a machine is found + to be alive. + +- -r Tells Nmap NOT to randomize the order in which ports are ++ -r Tells Nmap NOT to randomize the order in which ports are + scanned. + +- --ttl <value> ++ --ttl <value> + Sets the IPv4 time to live field in sent packets to the given + value. + +- --privileged ++ --privileged + Tells Nmap to simply assume that it is privileged enough to per- + form raw socket sends, packet sniffing, and similar operations + that usually require root privileges on UNIX systems. By +@@ -792,25 +792,25 @@ + activate this mode and then type usually more familiar and fea- + ture-complete. + +- --randomize_hosts ++ --randomize_hosts + Tells Nmap to shuffle each group of up to 2048 hosts before it + scans them. This can make the scans less obvious to various + network monitoring systems, especially when you combine it with + slow timing options (see below). 
+ +- -M <max sockets> ++ -M <max sockets> + Sets the maximum number of sockets that will be used in parallel + for a TCP connect() scan (the default). This is useful to slow + down the scan a little bit and avoid crashing remote machines. + Another approach is to use -sS, which is generally easier for + machines to handle. + +- --packet_trace ++ --packet_trace + Tells Nmap to show all the packets it sends and receives in a + tcpdump-like format. This can be tremendously useful for debug- + ging, and is also a good learning tool. + +- --datadir [directoryname] ++ --datadir [directoryname] + Nmap obtains some special data at runtime in files named nmap- + service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap- + mac-prefixes, and nmap-os-fingerprints. Nmap first searches +@@ -830,7 +830,7 @@ + meet your objectives. The following options provide a fine + level of control over the scan timing: + +- -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> ++ -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> + These are canned timing policies for conveniently expressing + your priorities to Nmap. Paranoid mode scans very slowly in the + hopes of avoiding detection by IDS systems. It serializes all +@@ -859,17 +859,17 @@ + line. Otherwise the defaults for the selected timing mode will + override your choices. + +- --host_timeout <milliseconds> ++ --host_timeout <milliseconds> + Specifies the amount of time Nmap is allowed to spend scanning a + single host before giving up on that IP. The default timing + mode has no host timeout. + +- --max_rtt_timeout <milliseconds> ++ --max_rtt_timeout <milliseconds> + Specifies the maximum amount of time Nmap is allowed to wait for + a probe response before retransmitting or timing out that par- + ticular probe. The default mode sets this to about 9000. 
+ +- --min_rtt_timeout <milliseconds> ++ --min_rtt_timeout <milliseconds> + When the target hosts start to establish a pattern of responding + very quickly, Nmap will shrink the amount of time given per + probe. This speeds up the scan, but can lead to missed packets +@@ -877,13 +877,13 @@ + you can guarantee that Nmap will wait at least the given amount + of time before giving up on a probe. + +- --initial_rtt_timeout <milliseconds> ++ --initial_rtt_timeout <milliseconds> + Specifies the initial probe timeout. This is generally only + useful when scanning firewalled hosts with -P0. Normally Nmap + can obtain good RTT estimates from the ping and the first few + probes. The default mode uses 6000. + +- --max_hostgroup <numhosts> ++ --max_hostgroup <numhosts> + Specifies the maximum number of hosts that Nmap is allowed to + scan in parallel. Most of the port scan techniques support + multi-host operation, which makes them much quicker. Spreading +@@ -894,7 +894,7 @@ + at a time) Nmap behavior. Note that the ping scanner handles + its own grouping, and ignores this value. + +- --min_hostgroup <numhosts> ++ --min_hostgroup <numhosts> + Specifies the minimum host group size (see previous entry). + Large values (such as 50) are often beneficial for unattended + scans, though they do take up more memory. Nmap may override +@@ -902,19 +902,19 @@ + the same network interface, and some scan types can only handle + one host at a time. + +- --max_parallelism <number> ++ --max_parallelism <number> + Specifies the maximum number of scans Nmap is allowed to perform + in parallel. Setting this to one means Nmap will never try to + scan more than 1 port at a time. It also effects other parallel + scans such as ping sweep, RPC scan, etc. + +- --min_parallelism <number> ++ --min_parallelism <number> + Tells Nmap to scan at least the given number of ports in paral- + lel. This can speed up scans against certain firewalled hosts + by an order of magnitude. 
But be careful -- results will become + unreliable if you push it too far. + +- --scan_delay <milliseconds> ++ --scan_delay <milliseconds> + Specifies the minimum amount of time Nmap must wait between + probes. This is mostly useful to reduce network load or to slow + the scan way down to sneak under IDS thresholds. Nmap will +@@ -924,7 +924,7 @@ + So Nmap will try to detect this and lower its rate of UDP probes + to one per second. + +- --max_scan_delay <milliseconds> ++ --max_scan_delay <milliseconds> + As noted above, Nmap will sometimes enforce a special delay + between sending packets. This can provide more accurate results + while reducing network congestion, but it can slow the scans +@@ -938,7 +938,7 @@ + + + +-

TARGET SPECIFICATION

++

TARGET SPECIFICATION

+        Everything that isn’t an option (or option argument) in nmap is treated
+        as  a  target  host specification.  The simplest case is listing single
+        hostnames or IP addresses on the command line.  If you want to  scan  a
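Review bot: the nested patch's own header (`--- /usr/share/doc/nmap-3.93/nmap_manpage.html` / `+++ /home/c/knmap/src/nmap_manpage.html`) carries absolute, machine-specific paths, so applying it requires a `patch -p<n>` strip count that depends on the developer's home directory layout, and it silently pins the project to the nmap-3.93 man page. Suggest regenerating the diff with relative paths from a common parent directory (for example `diff -u a/nmap_manpage.html b/nmap_manpage.html`) and recording which nmap documentation version it applies to, either in a comment line at the top of the .diff file or in the commit message.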
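Review bot: in every hunk shown, the removed and added lines read identically in this rendering (for example `- -sS TCP SYN scan: ...` against `+ -sS TCP SYN scan: ...`, and `+-`/`++` around the `TARGET SPECIFICATION` heading in the `@@ -938,7 +938,7 @@` hunk), so whatever the patch changes sits in HTML markup that the page does not display, and the commit message `Initial import of knmap 2.1 sources` does not say what the man page modification is for. Suggest a one-line statement of purpose in the commit message or at the head of the .diff file so a later maintainer can regenerate the same change against a newer nmap man page instead of inferring it from the hunks.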