--- /usr/share/doc/nmap-3.93/nmap_manpage.html 2005-09-12 20:11:41.000000000 +0930 +++ /home/c/knmap/src/nmap_manpage.html 2005-11-09 09:35:59.000000000 +0930 @@ -78,7 +78,7 @@ SCAN TYPES - -sS TCP SYN scan: This technique is often referred to as "half-open" + -sS TCP SYN scan: This technique is often referred to as "half-open" scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listen- @@ -89,7 +89,7 @@ Unfortunately you need root privileges to build these custom SYN packets. This is the default scan type for privileged users. - -sT TCP connect() scan: This is the most basic form of TCP scanning. + -sT TCP connect() scan: This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, oth- @@ -102,7 +102,7 @@ which accept() the connection just to have it immediately shut- down. This is the default scan type for unprivileged users. - -sF -sX -sN + -sF -sX -sN Stealth FIN, Xmas Tree, or Null scan modes: There are times when even SYN scanning isn’t clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs @@ -133,7 +133,7 @@ HP/UX, MVS, and IRIX. All of the above send resets from the open ports when they should just drop the packet. - -sP Ping scanning: Sometimes you only want to know which hosts on a + -sP Ping scanning: Sometimes you only want to know which hosts on a network are up. Nmap can do this by sending ICMP echo request packets to every IP address on the networks you specify. Hosts that respond are up. Unfortunately, some sites such as 
@@ -151,7 +151,7 @@ respond are scanned. Only use this option if you wish to ping sweep without doing any actual port scans. - -sV Version detection: After TCP and/or UDP ports are discovered + -sV Version detection: After TCP and/or UDP ports are discovered using one of the other scan methods, version detection communi- cates with those ports to try and determine more about what is actually running. A file called nmap-service-probes is used to @@ -177,7 +177,7 @@ version scanning is doing (this is a subset of what you would get with --packet_trace). - -sU UDP scans: This method is used to determine which UDP (User + -sU UDP scans: This method is used to determine which UDP (User Datagram Protocol, RFC 768) ports are open on a host. The tech- nique is to send 0 byte UDP packets to each port on the target machine. If we receive an ICMP port unreachable message, then @@ -215,7 +215,7 @@ very quickly. Whoop! - -sO IP protocol scans: This method is used to determine which IP + -sO IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol @@ -229,7 +229,7 @@ field has only 8 bits, so at most 256 protocols can be probed which should be possible in reasonable time anyway. - -sI <zombie host[:probeport]> + -sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the tar- get from your real IP address). Instead, a unique side-channel 
@@ -257,7 +257,7 @@ Otherwise Nmap will use the port it uses by default for "tcp pings". - -sA ACK scan: This advanced method is usually used to map out fire- + -sA ACK scan: This advanced method is usually used to map out fire- wall rulesets. In particular, it can help determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets. @@ -272,7 +272,7 @@ RSTs). This scan will obviously never show ports in the "open" state. - -sW Window scan: This advanced scan is very similar to the ACK scan, + -sW Window scan: This advanced scan is very similar to the ACK scan, except that it can sometimes detect open ports as well as fil- tered/unfiltered due to an anomaly in the TCP window size reporting by some operating systems. Systems vulnerable to this @@ -282,7 +282,7 @@ 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing list archive for a full list. - -sR RPC scan. This method works in combination with the various + -sR RPC scan. This method works in combination with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and then floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, @@ -294,11 +294,11 @@ matically enabled as part of version scan (-sV) if you request that. - -sL List scan. This method simply generates and prints a list of IP + -sL List scan. This method simply generates and prints a list of IP addresses or hostnames without actually pinging or port scanning them. DNS name resolution will be performed unless you use -n. - -b <ftp relay host> + -b <ftp relay host> FTP bounce attack: An interesting "feature" of the ftp protocol (RFC 959) is support for "proxy" ftp connections. In other words, I should be able to connect from evil.com to the FTP 
@@ -332,7 +332,7 @@ odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes. - -P0 Do not try to ping hosts at all before scanning them. This + -P0 Do not try to ping hosts at all before scanning them. This allows the scanning of networks that don’t allow ICMP echo requests (or responses) through their firewall. microsoft.com is an example of such a network, and thus you should always use @@ -342,7 +342,7 @@ trary combinations of TCP, UDP, and ICMP probes. By default, Nmap sends an ICMP echo request and a TCP ACK packet to port 80. - -PA [portlist] + -PA [portlist] Use TCP ACK "ping" to determine what hosts are up. Instead of sending ICMP echo request packets and waiting for a response, we spew out TCP ACK packets throughout the target network (or to a @@ -356,13 +356,13 @@ 80, since this port is often not filtered out. Note that this option now accepts multiple, comma-separated port numbers. - -PS [portlist] + -PS [portlist] This option uses SYN (connection request) packets instead of ACK packets for root users. Hosts that are up should respond with a RST (or, rarely, a SYN|ACK). You can set the destination ports in the same manner as -PA above. - -PR This option specifies a raw ethernet ARP ping. It cannot be + -PR This option specifies a raw ethernet ARP ping. It cannot be used in combination with any of the other ping types. When the target machines are on the same network you are scanning from, this is the fastest and most reliable (because it goes below IP- 
@@ -374,7 +374,7 @@ UDP services won’t reply to an empty packet, your best bet might be to send this to expected-closed ports rather than open ones. - -PE This option uses a true ping (ICMP echo request) packet. It + -PE This option uses a true ping (ICMP echo request) packet. It finds hosts that are up and also looks for subnet-directed broadcast addresses on your network. These are IP addresses which are externally reachable and translate to a broadcast of @@ -382,10 +382,10 @@ eliminated if found as they allow for numerous denial of service attacks (Smurf is the most common). - -PP Uses an ICMP timestamp request (type 13) packet to find listen- + -PP Uses an ICMP timestamp request (type 13) packet to find listen- ing hosts. - -PM Same as -PE and -PP except uses a netmask request (ICMP type + -PM Same as -PE and -PP except uses a netmask request (ICMP type 17). -PB This is the default ping type. It uses both the ACK ( -PA ) and @@ -397,7 +397,7 @@ "PA" (or rely on the default behavior) to achieve this same effect. - -O This option activates remote host identification via TCP/IP fin- + -O This option activates remote host identification via TCP/IP fin- gerprinting. In other words, it uses a bunch of techniques to detect subtleties in the underlying operating system network stack of the computers you are scanning. It uses this informa- @@ -436,7 +436,7 @@ for each packet they send. This makes them vulnerable to sev- eral advanced information gathering and spoofing attacks. - --osscan_limit + --osscan_limit OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet this crite- 
@@ -444,7 +444,7 @@ against many hosts. It only matters when OS detection is requested (-O or -A options). - -A This option enables _a_dditional _a_dvanced and _a_ggressive + -A This option enables _a_dditional _a_dvanced and _a_ggressive options. I haven’t decided exactly which it stands for yet :). Presently this enables OS Detection (-O) and version scanning (-sV). More features may be added in the future. The point is @@ -453,7 +453,7 @@ enables features, and not timing options (such as -T4) or ver- bosity options (-v) that you might wan’t as well. - -6 This options enables IPv6 support. All targets must be IPv6 if + -6 This options enables IPv6 support. All targets must be IPv6 if this option is used, and they can be specified via normal DNS name (AAAA record) or as a literal IP address such as 3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect() TCP @@ -461,7 +461,7 @@ or other scan types, have a look at http://nmap6.source- forge.net/ . - --send_eth + --send_eth Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for the platform it is @@ -471,12 +471,12 @@ port. Nmap still uses raw IP packets when there is no other choice (such as non-ethernet connections). - --send_ip + --send_ip Asks Nmap to send packets via raw IP sockets rather than sending lower level ethernet frames. It is the complement to the --send-eth option.discussed previously. - --spoof_mac [mac, prefix, or vendor substring] + --spoof_mac [mac, prefix, or vendor substring] Ask Nmap to use the given MAC address for all of the raw ether- net frames it sends. The MAC given can take several formats. If it is simply the string "0", Nmap chooses a completely random 
@@ -492,7 +492,7 @@ are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and "Cisco". - -f This option causes the requested scan (including ping scans) to + -f This option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet fil- ters, intrusion detection systems, and other annoyances to @@ -521,7 +521,7 @@ It works fine for my Linux, FreeBSD, and OpenBSD boxes and some people have reported success with other *NIX variants. - -v Verbose mode. This is a highly recommended option and it gives + -v Verbose mode. This is a highly recommended option and it gives out more information about what is going on. You can use it twice for greater effect. You can also use -d a few times if you really want to get crazy with scrolling the screen! @@ -530,11 +530,11 @@ options. As you may have noticed, this man page is not exactly a "quick reference" :) - -oN <logfilename> + -oN <logfilename> This logs the results of your scans in a normal human readable form into the file you specify as an argument. - -oX <logfilename> + -oX <logfilename> This logs the results of your scans in XML form into the file you specify as an argument. This allows programs to easily cap- ture and interpret Nmap results. You can give the argument "-" @@ -546,7 +546,7 @@ the XML output structure is available at http://www.inse- cure.org/nmap/data/nmap.dtd . - --stylesheet <filename> + --stylesheet <filename> Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML. The XML output includes an xml- stylesheet directive which points to nmap.xml where it was ini- 
@@ -563,12 +563,12 @@ URL is often more useful, but the local filesystem locaton of nmap.xsl is used by default for privacy reasons. - --no_stylesheet + --no_stylesheet Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The xml-stylesheet directive is omitted. - -oG <logfilename> + -oG <logfilename> This logs the results of your scans in a grepable form into the file you specify as an argument. This simple format provides all the information on one line (so you can easily grep for port @@ -582,17 +582,17 @@ will still go to stderr). Also note that "-v" will cause some extra information to be printed. - -oA <basefilename> + -oA <basefilename> This tells Nmap to log in ALL the major formats (normal, grepable, and XML). You give a base for the filename, and the output files will be base.nmap, base.gnmap, and base.xml. - -oS <logfilename> + -oS <logfilename> thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-" (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!! - --resume <logfilename> + --resume <logfilename> A network scan that is canceled due to control-C, network out- age, etc. can be resumed using this option. The logfilename must be either a normal (-oN) or grepable (-oG) log from the @@ -600,7 +600,7 @@ same as the aborted scan). Nmap will start on the machine after the last one successfully scanned in the log file. - --exclude <host1 [,host2][,host3],..."> + --exclude <host1 [,host2][,host3],..."> Specifies a list of targets (hosts, ranges, netblocks) that should be excluded from a scan. Useful to keep from scanning yourself, your ISP, particularly sensitive hosts, etc. 
@@ -610,16 +610,16 @@ targets are provided in an newline-delimited exclude_file rather than on the command line. - --allports + --allports Causes version detection (-sV) to scan all open ports found, including those excluded as dangerous (likely to cause crashes or other problems) in nmap-service-probes. - --append_output + --append_output Tells Nmap to append scan results to any output files you have specified rather than overwriting those files. - -iL <inputfilename> + -iL <inputfilename> Reads target specifications from the file specified RATHER than from the command line. The file should contain a list of host or network expressions separated by spaces, tabs, or newlines. @@ -628,7 +628,7 @@ section target specification for more information on the expres- sions you fill the file with. - -iR <num hosts> + -iR <num hosts> This option tells Nmap to generate its own hosts to scan by sim- ply picking random numbers :). It will never end after the given number of IPs has been scanned -- use 0 for a never-ending @@ -637,7 +637,7 @@ bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web servers to look at. - -p <port ranges> + -p <port ranges> This option specifies what ports you want to specify. For exam- ple "-p 23" will only try port 23 of the target host(s). "-p 20-30,139,60000-" scans ports between 20 and 30, port 139, and @@ -656,13 +656,13 @@ tocol qualifier is given, the port numbers are added to all pro- tocol lists. - -F Fast scan mode. + -F Fast scan mode. Specifies that you only wish to scan for ports listed in the services file which comes with nmap (or the protocols file for -sO). This is obviously much faster than scanning all 65535 ports on a host. - -D <decoy1 [,decoy2][,ME],...> + -D <decoy1 [,decoy2][,ME],...> Causes a decoy scan to be performed which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port 
@@ -708,7 +708,7 @@ will filter out your spoofed packets, although many (currently most) do not restrict spoofed IP packets at all. - -S <IP_Address> + -S <IP_Address> In some circumstances, nmap may not be able to determine your source address ( nmap will tell you if this is the case). In this situation, use -S with your IP address (of the interface @@ -723,11 +723,11 @@ ning them. -e would generally be required for this sort of usage. - -e <interface> + -e <interface> Tells nmap what interface to send and receive packets on. Nmap should be able to detect this but it will tell you if it cannot. - --source_port <portnumber> + --source_port <portnumber> Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in their rule- set to allow DNS (53) or FTP-DATA (20) packets to come through @@ -746,7 +746,7 @@ for using this option, because I sometimes store useful informa- tion in the source port number. - --data_length <number> + --data_length <number> Normally Nmap sends minimalistic packets that only contain a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. This option tells Nmap to append the 
@@ -755,22 +755,22 @@ portscan packets are. This slows things down, but can be slightly less conspicuous. - -n Tells Nmap to NEVER do reverse DNS resolution on the active IP + -n Tells Nmap to NEVER do reverse DNS resolution on the active IP addresses it finds. Since DNS is often slow, this can help speed things up. - -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP + -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP addresses. Normally this is only done when a machine is found to be alive. - -r Tells Nmap NOT to randomize the order in which ports are + -r Tells Nmap NOT to randomize the order in which ports are scanned. - --ttl <value> + --ttl <value> Sets the IPv4 time to live field in sent packets to the given value. - --privileged + --privileged Tells Nmap to simply assume that it is privileged enough to per- form raw socket sends, packet sniffing, and similar operations that usually require root privileges on UNIX systems. By 
@@ -792,25 +792,25 @@ activate this mode and then type usually more familiar and fea- ture-complete. - --randomize_hosts + --randomize_hosts Tells Nmap to shuffle each group of up to 2048 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options (see below). - -M <max sockets> + -M <max sockets> Sets the maximum number of sockets that will be used in parallel for a TCP connect() scan (the default). This is useful to slow down the scan a little bit and avoid crashing remote machines. Another approach is to use -sS, which is generally easier for machines to handle. - --packet_trace + --packet_trace Tells Nmap to show all the packets it sends and receives in a tcpdump-like format. This can be tremendously useful for debug- ging, and is also a good learning tool. - --datadir [directoryname] + --datadir [directoryname] Nmap obtains some special data at runtime in files named nmap- service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap- mac-prefixes, and nmap-os-fingerprints. Nmap first searches @@ -830,7 +830,7 @@ meet your objectives. The following options provide a fine level of control over the scan timing: - -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> + -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> These are canned timing policies for conveniently expressing your priorities to Nmap. Paranoid mode scans very slowly in the hopes of avoiding detection by IDS systems. It serializes all 
@@ -859,17 +859,17 @@ line. Otherwise the defaults for the selected timing mode will override your choices. - --host_timeout <milliseconds> + --host_timeout <milliseconds> Specifies the amount of time Nmap is allowed to spend scanning a single host before giving up on that IP. The default timing mode has no host timeout. - --max_rtt_timeout <milliseconds> + --max_rtt_timeout <milliseconds> Specifies the maximum amount of time Nmap is allowed to wait for a probe response before retransmitting or timing out that par- ticular probe. The default mode sets this to about 9000. - --min_rtt_timeout <milliseconds> + --min_rtt_timeout <milliseconds> When the target hosts start to establish a pattern of responding very quickly, Nmap will shrink the amount of time given per probe. This speeds up the scan, but can lead to missed packets @@ -877,13 +877,13 @@ you can guarantee that Nmap will wait at least the given amount of time before giving up on a probe. - --initial_rtt_timeout <milliseconds> + --initial_rtt_timeout <milliseconds> Specifies the initial probe timeout. This is generally only useful when scanning firewalled hosts with -P0. Normally Nmap can obtain good RTT estimates from the ping and the first few probes. The default mode uses 6000. - --max_hostgroup <numhosts> + --max_hostgroup <numhosts> Specifies the maximum number of hosts that Nmap is allowed to scan in parallel. Most of the port scan techniques support multi-host operation, which makes them much quicker. Spreading @@ -894,7 +894,7 @@ at a time) Nmap behavior. Note that the ping scanner handles its own grouping, and ignores this value. - --min_hostgroup <numhosts> + --min_hostgroup <numhosts> Specifies the minimum host group size (see previous entry). Large values (such as 50) are often beneficial for unattended scans, though they do take up more memory. Nmap may override 
@@ -902,19 +902,19 @@ the same network interface, and some scan types can only handle one host at a time. - --max_parallelism <number> + --max_parallelism <number> Specifies the maximum number of scans Nmap is allowed to perform in parallel. Setting this to one means Nmap will never try to scan more than 1 port at a time. It also effects other parallel scans such as ping sweep, RPC scan, etc. - --min_parallelism <number> + --min_parallelism <number> Tells Nmap to scan at least the given number of ports in paral- lel. This can speed up scans against certain firewalled hosts by an order of magnitude. But be careful -- results will become unreliable if you push it too far. - --scan_delay <milliseconds> + --scan_delay <milliseconds> Specifies the minimum amount of time Nmap must wait between probes. This is mostly useful to reduce network load or to slow the scan way down to sneak under IDS thresholds. Nmap will @@ -924,7 +924,7 @@ So Nmap will try to detect this and lower its rate of UDP probes to one per second. - --max_scan_delay <milliseconds> + --max_scan_delay <milliseconds> As noted above, Nmap will sometimes enforce a special delay between sending packets. This can provide more accurate results while reducing network congestion, but it can slow the scans @@ -938,7 +938,7 @@ -

TARGET SPECIFICATION

+

TARGET SPECIFICATION

        Everything that isn’t an option (or option argument) in nmap is treated
        as  a  target  host specification.  The simplest case is listing single
        hostnames or IP addresses on the command line.  If you want to  scan  a
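Review bot: in the first hunk (`@@ -78,7 +78,7 @@`) the removed and added `-sS TCP SYN scan:` lines read identically, so the nature of the change (tab-to-space conversion, trailing whitespace, or a different hyphen or non-breaking character in the option name) cannot be confirmed from the diff. Please state what was normalised in the patch description, or regenerate the diff with whitespace made visible, so a reviewer can verify that only that changed. The same pattern repeats in every option-heading hunk that follows, up to `@@ -924,7 +924,7 @@`.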
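Review bot: the changed line in the `-6` hunk (`@@ -453,7 +453,7 @@`) keeps the typo `This options enables IPv6 support.` (should be `This option enables`), and the trailing context line `verbosity options (-v) that you might wan’t as well.` has a stray apostrophe in `wan’t`. Since the heading line is being rewritten anyway, correcting at least the first in the same change would avoid a second touch of this paragraph.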
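Review bot: the `--send_ip` hunk (`@@ -471,12 +471,12 @@`) leaves the context line `It is the complement to the --send-eth option.discussed previously.` with a missing space after `option.` and with the option spelled `--send-eth` while the heading two entries above reads `--send_eth`. A reader following the cross-reference will not find `--send-eth` in this page; suggest `It is the complement to the --send_eth option discussed previously.`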
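Review bot: the `--no_stylesheet` hunk (`@@ -563,12 +563,12 @@`) carries the context line `the local filesystem locaton of nmap.xsl is used by default`; `locaton` should be `location`. Worth folding into this change since the paragraph is already in the diff.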
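Review bot: the `--exclude` hunk (`@@ -600,7 +600,7 @@`) preserves an unbalanced double quote in the synopsis, `--exclude <host1 [,host2][,host3],...">`; there is no opening quote to match it, and the sibling synopses (`-D <decoy1 [,decoy2][,ME],...>`) use none. Suggest dropping the `"` in the added line.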
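Review bot: in the `--max_parallelism` hunk (`@@ -902,19 +902,19 @@`) the context line `It also effects other parallel scans such as ping sweep, RPC scan, etc.` uses `effects` where `affects` is meant; a one-word fix that belongs with the rest of this cleanup pass.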
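Review bot: the final hunk (`@@ -938,7 +938,7 @@`) removes and re-adds what appears as an identical blank line before `TARGET SPECIFICATION`. If the intent is to strip a trailing space or carriage return, say so in the description; as extracted, the hunk looks like a no-op and a reviewer cannot tell whether it is intentional.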