--- /usr/share/doc/nmap-3.93/nmap_manpage.html 2005-09-12 20:11:41.000000000 +0930
+++ /home/c/knmap/src/nmap_manpage.html 2005-11-09 09:35:59.000000000 +0930
@@ -78,7 +78,7 @@
SCAN TYPES
- -sS TCP SYN scan: This technique is often referred to as "half-open"
+ -sS TCP SYN scan: This technique is often referred to as "half-open"
scanning, because you don’t open a full TCP connection. You send
a SYN packet, as if you are going to open a real connection and
you wait for a response. A SYN|ACK indicates the port is listen-
@@ -89,7 +89,7 @@
Unfortunately you need root privileges to build these custom SYN
packets. This is the default scan type for privileged users.
- -sT TCP connect() scan: This is the most basic form of TCP scanning.
+ -sT TCP connect() scan: This is the most basic form of TCP scanning.
The connect() system call provided by your operating system is
used to open a connection to every interesting port on the
machine. If the port is listening, connect() will succeed, oth-
@@ -102,7 +102,7 @@
which accept() the connection just to have it immediately shut-
down. This is the default scan type for unprivileged users.
- -sF -sX -sN
+ -sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There are times when
even SYN scanning isn’t clandestine enough. Some firewalls and
packet filters watch for SYNs to restricted ports, and programs
@@ -133,7 +133,7 @@
HP/UX, MVS, and IRIX. All of the above send resets from the
open ports when they should just drop the packet.
- -sP Ping scanning: Sometimes you only want to know which hosts on a
+ -sP Ping scanning: Sometimes you only want to know which hosts on a
network are up. Nmap can do this by sending ICMP echo request
packets to every IP address on the networks you specify. Hosts
that respond are up. Unfortunately, some sites such as
@@ -151,7 +151,7 @@
respond are scanned. Only use this option if you wish to ping
sweep without doing any actual port scans.
- -sV Version detection: After TCP and/or UDP ports are discovered
+ -sV Version detection: After TCP and/or UDP ports are discovered
using one of the other scan methods, version detection communi-
cates with those ports to try and determine more about what is
actually running. A file called nmap-service-probes is used to
@@ -177,7 +177,7 @@
version scanning is doing (this is a subset of what you would
get with --packet_trace).
- -sU UDP scans: This method is used to determine which UDP (User
+ -sU UDP scans: This method is used to determine which UDP (User
Datagram Protocol, RFC 768) ports are open on a host. The tech-
nique is to send 0 byte UDP packets to each port on the target
machine. If we receive an ICMP port unreachable message, then
@@ -215,7 +215,7 @@
very quickly. Whoop!
- -sO IP protocol scans: This method is used to determine which IP
+ -sO IP protocol scans: This method is used to determine which IP
protocols are supported on a host. The technique is to send raw
IP packets without any further protocol header to each specified
protocol on the target machine. If we receive an ICMP protocol
@@ -229,7 +229,7 @@
field has only 8 bits, so at most 256 protocols can be probed
which should be possible in reasonable time anyway.
- -sI <zombie host[:probeport]>
+ -sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind TCP
port scan of the target (meaning no packets are sent to the tar-
get from your real IP address). Instead, a unique side-channel
@@ -257,7 +257,7 @@
Otherwise Nmap will use the port it uses by default for "tcp
pings".
- -sA ACK scan: This advanced method is usually used to map out fire-
+ -sA ACK scan: This advanced method is usually used to map out fire-
wall rulesets. In particular, it can help determine whether a
firewall is stateful or just a simple packet filter that blocks
incoming SYN packets.
@@ -272,7 +272,7 @@
RSTs). This scan will obviously never show ports in the "open"
state.
- -sW Window scan: This advanced scan is very similar to the ACK scan,
+ -sW Window scan: This advanced scan is very similar to the ACK scan,
except that it can sometimes detect open ports as well as fil-
tered/unfiltered due to an anomaly in the TCP window size
reporting by some operating systems. Systems vulnerable to this
@@ -282,7 +282,7 @@
4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers mailing
list archive for a full list.
- -sR RPC scan. This method works in combination with the various
+ -sR RPC scan. This method works in combination with the various
port scan methods of Nmap. It takes all the TCP/UDP ports found
open and then floods them with SunRPC program NULL commands in
an attempt to determine whether they are RPC ports, and if so,
@@ -294,11 +294,11 @@
matically enabled as part of version scan (-sV) if you request
that.
- -sL List scan. This method simply generates and prints a list of IP
+ -sL List scan. This method simply generates and prints a list of IP
addresses or hostnames without actually pinging or port scanning
them. DNS name resolution will be performed unless you use -n.
- -b <ftp relay host>
+ -b <ftp relay host>
FTP bounce attack: An interesting "feature" of the ftp protocol
(RFC 959) is support for "proxy" ftp connections. In other
words, I should be able to connect from evil.com to the FTP
@@ -332,7 +332,7 @@
odds of penetrating strict firewalls by sending many probe types
using different TCP ports/flags and ICMP codes.
- -P0 Do not try to ping hosts at all before scanning them. This
+ -P0 Do not try to ping hosts at all before scanning them. This
allows the scanning of networks that don’t allow ICMP echo
requests (or responses) through their firewall. microsoft.com
is an example of such a network, and thus you should always use
@@ -342,7 +342,7 @@
trary combinations of TCP, UDP, and ICMP probes. By default,
Nmap sends an ICMP echo request and a TCP ACK packet to port 80.
- -PA [portlist]
+ -PA [portlist]
Use TCP ACK "ping" to determine what hosts are up. Instead of
sending ICMP echo request packets and waiting for a response, we
spew out TCP ACK packets throughout the target network (or to a
@@ -356,13 +356,13 @@
80, since this port is often not filtered out. Note that this
option now accepts multiple, comma-separated port numbers.
- -PS [portlist]
+ -PS [portlist]
This option uses SYN (connection request) packets instead of ACK
packets for root users. Hosts that are up should respond with a
RST (or, rarely, a SYN|ACK). You can set the destination ports
in the same manner as -PA above.
- -PR This option specifies a raw ethernet ARP ping. It cannot be
+ -PR This option specifies a raw ethernet ARP ping. It cannot be
used in combination with any of the other ping types. When the
target machines are on the same network you are scanning from,
this is the fastest and most reliable (because it goes below IP-
@@ -374,7 +374,7 @@
UDP services won’t reply to an empty packet, your best bet might
be to send this to expected-closed ports rather than open ones.
- -PE This option uses a true ping (ICMP echo request) packet. It
+ -PE This option uses a true ping (ICMP echo request) packet. It
finds hosts that are up and also looks for subnet-directed
broadcast addresses on your network. These are IP addresses
which are externally reachable and translate to a broadcast of
@@ -382,10 +382,10 @@
eliminated if found as they allow for numerous denial of service
attacks (Smurf is the most common).
- -PP Uses an ICMP timestamp request (type 13) packet to find listen-
+ -PP Uses an ICMP timestamp request (type 13) packet to find listen-
ing hosts.
- -PM Same as -PE and -PP except uses a netmask request (ICMP type
+ -PM Same as -PE and -PP except uses a netmask request (ICMP type
17).
-PB This is the default ping type. It uses both the ACK ( -PA ) and
@@ -397,7 +397,7 @@
"PA" (or rely on the default behavior) to achieve this same
effect.
- -O This option activates remote host identification via TCP/IP fin-
+ -O This option activates remote host identification via TCP/IP fin-
gerprinting. In other words, it uses a bunch of techniques to
detect subtleties in the underlying operating system network
stack of the computers you are scanning. It uses this informa-
@@ -436,7 +436,7 @@
for each packet they send. This makes them vulnerable to sev-
eral advanced information gathering and spoofing attacks.
- --osscan_limit
+ --osscan_limit
OS detection is far more effective if at least one open and one
closed TCP port are found. Set this option and Nmap will not
even try OS detection against hosts that do not meet this crite-
@@ -444,7 +444,7 @@
against many hosts. It only matters when OS detection is
requested (-O or -A options).
- -A This option enables _a_dditional _a_dvanced and _a_ggressive
+ -A This option enables _a_dditional _a_dvanced and _a_ggressive
options. I haven’t decided exactly which it stands for yet :).
Presently this enables OS Detection (-O) and version scanning
(-sV). More features may be added in the future. The point is
@@ -453,7 +453,7 @@
enables features, and not timing options (such as -T4) or ver-
bosity options (-v) that you might wan’t as well.
- -6 This options enables IPv6 support. All targets must be IPv6 if
+ -6 This options enables IPv6 support. All targets must be IPv6 if
this option is used, and they can be specified via normal DNS
name (AAAA record) or as a literal IP address such as
3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect() TCP
@@ -461,7 +461,7 @@
or other scan types, have a look at http://nmap6.source-
forge.net/ .
- --send_eth
+ --send_eth
Asks Nmap to send packets at the raw ethernet (data link) layer
rather than the higher IP (network) layer. By default, Nmap
chooses the one which is generally best for the platform it is
@@ -471,12 +471,12 @@
port. Nmap still uses raw IP packets when there is no other
choice (such as non-ethernet connections).
- --send_ip
+ --send_ip
Asks Nmap to send packets via raw IP sockets rather than sending
lower level ethernet frames. It is the complement to the
--send-eth option.discussed previously.
- --spoof_mac [mac, prefix, or vendor substring]
+ --spoof_mac [mac, prefix, or vendor substring]
Ask Nmap to use the given MAC address for all of the raw ether-
net frames it sends. The MAC given can take several formats.
If it is simply the string "0", Nmap chooses a completely random
@@ -492,7 +492,7 @@
are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2",
and "Cisco".
- -f This option causes the requested scan (including ping scans) to
+ -f This option causes the requested scan (including ping scans) to
use tiny fragmented IP packets. The idea is to split up the TCP
header over several packets to make it harder for packet fil-
ters, intrusion detection systems, and other annoyances to
@@ -521,7 +521,7 @@
It works fine for my Linux, FreeBSD, and OpenBSD boxes and some
people have reported success with other *NIX variants.
- -v Verbose mode. This is a highly recommended option and it gives
+ -v Verbose mode. This is a highly recommended option and it gives
out more information about what is going on. You can use it
twice for greater effect. You can also use -d a few times if
you really want to get crazy with scrolling the screen!
@@ -530,11 +530,11 @@
options. As you may have noticed, this man page is not exactly
a "quick reference" :)
- -oN <logfilename>
+ -oN <logfilename>
This logs the results of your scans in a normal human readable
form into the file you specify as an argument.
- -oX <logfilename>
+ -oX <logfilename>
This logs the results of your scans in XML form into the file
you specify as an argument. This allows programs to easily cap-
ture and interpret Nmap results. You can give the argument "-"
@@ -546,7 +546,7 @@
the XML output structure is available at http://www.inse-
cure.org/nmap/data/nmap.dtd .
- --stylesheet <filename>
+ --stylesheet <filename>
Nmap ships with an XSL stylesheet named nmap.xsl for viewing or
translating XML output to HTML. The XML output includes an xml-
stylesheet directive which points to nmap.xml where it was ini-
@@ -563,12 +563,12 @@
URL is often more useful, but the local filesystem locaton of
nmap.xsl is used by default for privacy reasons.
- --no_stylesheet
+ --no_stylesheet
Specify this option to prevent Nmap from associating any XSL
stylesheet with its XML output. The xml-stylesheet directive is
omitted.
- -oG <logfilename>
+ -oG <logfilename>
This logs the results of your scans in a grepable form into the
file you specify as an argument. This simple format provides
all the information on one line (so you can easily grep for port
@@ -582,17 +582,17 @@
will still go to stderr). Also note that "-v" will cause some
extra information to be printed.
- -oA <basefilename>
+ -oA <basefilename>
This tells Nmap to log in ALL the major formats (normal,
grepable, and XML). You give a base for the filename, and the
output files will be base.nmap, base.gnmap, and base.xml.
- -oS <logfilename>
+ -oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto
THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-"
(wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
- --resume <logfilename>
+ --resume <logfilename>
A network scan that is canceled due to control-C, network out-
age, etc. can be resumed using this option. The logfilename
must be either a normal (-oN) or grepable (-oG) log from the
@@ -600,7 +600,7 @@
same as the aborted scan). Nmap will start on the machine after
the last one successfully scanned in the log file.
- --exclude <host1 [,host2][,host3],...">
+ --exclude <host1 [,host2][,host3],...">
Specifies a list of targets (hosts, ranges, netblocks) that
should be excluded from a scan. Useful to keep from scanning
yourself, your ISP, particularly sensitive hosts, etc.
@@ -610,16 +610,16 @@
targets are provided in an newline-delimited exclude_file rather
than on the command line.
- --allports
+ --allports
Causes version detection (-sV) to scan all open ports found,
including those excluded as dangerous (likely to cause crashes
or other problems) in nmap-service-probes.
- --append_output
+ --append_output
Tells Nmap to append scan results to any output files you have
specified rather than overwriting those files.
- -iL <inputfilename>
+ -iL <inputfilename>
Reads target specifications from the file specified RATHER than
from the command line. The file should contain a list of host
or network expressions separated by spaces, tabs, or newlines.
@@ -628,7 +628,7 @@
section target specification for more information on the expres-
sions you fill the file with.
- -iR <num hosts>
+ -iR <num hosts>
This option tells Nmap to generate its own hosts to scan by sim-
ply picking random numbers :). It will never end after the
given number of IPs has been scanned -- use 0 for a never-ending
@@ -637,7 +637,7 @@
bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web servers
to look at.
- -p <port ranges>
+ -p <port ranges>
This option specifies what ports you want to specify. For exam-
ple "-p 23" will only try port 23 of the target host(s). "-p
20-30,139,60000-" scans ports between 20 and 30, port 139, and
@@ -656,13 +656,13 @@
tocol qualifier is given, the port numbers are added to all pro-
tocol lists.
- -F Fast scan mode.
+ -F Fast scan mode.
Specifies that you only wish to scan for ports listed in the
services file which comes with nmap (or the protocols file for
-sO). This is obviously much faster than scanning all 65535
ports on a host.
- -D <decoy1 [,decoy2][,ME],...>
+ -D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it appear to the
remote host that the host(s) you specify as decoys are scanning
the target network too. Thus their IDS might report 5-10 port
@@ -708,7 +708,7 @@
will filter out your spoofed packets, although many (currently
most) do not restrict spoofed IP packets at all.
- -S <IP_Address>
+ -S <IP_Address>
In some circumstances, nmap may not be able to determine your
source address ( nmap will tell you if this is the case). In
this situation, use -S with your IP address (of the interface
@@ -723,11 +723,11 @@
ning them. -e would generally be required for this sort of
usage.
- -e <interface>
+ -e <interface>
Tells nmap what interface to send and receive packets on. Nmap
should be able to detect this but it will tell you if it cannot.
- --source_port <portnumber>
+ --source_port <portnumber>
Sets the source port number used in scans. Many naive firewall
and packet filter installations make an exception in their rule-
set to allow DNS (53) or FTP-DATA (20) packets to come through
@@ -746,7 +746,7 @@
for using this option, because I sometimes store useful informa-
tion in the source port number.
- --data_length <number>
+ --data_length <number>
Normally Nmap sends minimalistic packets that only contain a
header. So its TCP packets are generally 40 bytes and ICMP echo
requests are just 28. This option tells Nmap to append the
@@ -755,22 +755,22 @@
portscan packets are. This slows things down, but can be
slightly less conspicuous.
- -n Tells Nmap to NEVER do reverse DNS resolution on the active IP
+ -n Tells Nmap to NEVER do reverse DNS resolution on the active IP
addresses it finds. Since DNS is often slow, this can help
speed things up.
- -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP
+ -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP
addresses. Normally this is only done when a machine is found
to be alive.
- -r Tells Nmap NOT to randomize the order in which ports are
+ -r Tells Nmap NOT to randomize the order in which ports are
scanned.
- --ttl <value>
+ --ttl <value>
Sets the IPv4 time to live field in sent packets to the given
value.
- --privileged
+ --privileged
Tells Nmap to simply assume that it is privileged enough to per-
form raw socket sends, packet sniffing, and similar operations
that usually require root privileges on UNIX systems. By
@@ -792,25 +792,25 @@
activate this mode and then type usually more familiar and fea-
ture-complete.
- --randomize_hosts
+ --randomize_hosts
Tells Nmap to shuffle each group of up to 2048 hosts before it
scans them. This can make the scans less obvious to various
network monitoring systems, especially when you combine it with
slow timing options (see below).
- -M <max sockets>
+ -M <max sockets>
Sets the maximum number of sockets that will be used in parallel
for a TCP connect() scan (the default). This is useful to slow
down the scan a little bit and avoid crashing remote machines.
Another approach is to use -sS, which is generally easier for
machines to handle.
- --packet_trace
+ --packet_trace
Tells Nmap to show all the packets it sends and receives in a
tcpdump-like format. This can be tremendously useful for debug-
ging, and is also a good learning tool.
- --datadir [directoryname]
+ --datadir [directoryname]
Nmap obtains some special data at runtime in files named nmap-
service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-
mac-prefixes, and nmap-os-fingerprints. Nmap first searches
@@ -830,7 +830,7 @@
meet your objectives. The following options provide a fine
level of control over the scan timing:
- -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
+ -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
These are canned timing policies for conveniently expressing
your priorities to Nmap. Paranoid mode scans very slowly in the
hopes of avoiding detection by IDS systems. It serializes all
@@ -859,17 +859,17 @@
line. Otherwise the defaults for the selected timing mode will
override your choices.
- --host_timeout <milliseconds>
+ --host_timeout <milliseconds>
Specifies the amount of time Nmap is allowed to spend scanning a
single host before giving up on that IP. The default timing
mode has no host timeout.
- --max_rtt_timeout <milliseconds>
+ --max_rtt_timeout <milliseconds>
Specifies the maximum amount of time Nmap is allowed to wait for
a probe response before retransmitting or timing out that par-
ticular probe. The default mode sets this to about 9000.
- --min_rtt_timeout <milliseconds>
+ --min_rtt_timeout <milliseconds>
When the target hosts start to establish a pattern of responding
very quickly, Nmap will shrink the amount of time given per
probe. This speeds up the scan, but can lead to missed packets
@@ -877,13 +877,13 @@
you can guarantee that Nmap will wait at least the given amount
of time before giving up on a probe.
- --initial_rtt_timeout <milliseconds>
+ --initial_rtt_timeout <milliseconds>
Specifies the initial probe timeout. This is generally only
useful when scanning firewalled hosts with -P0. Normally Nmap
can obtain good RTT estimates from the ping and the first few
probes. The default mode uses 6000.
- --max_hostgroup <numhosts>
+ --max_hostgroup <numhosts>
Specifies the maximum number of hosts that Nmap is allowed to
scan in parallel. Most of the port scan techniques support
multi-host operation, which makes them much quicker. Spreading
@@ -894,7 +894,7 @@
at a time) Nmap behavior. Note that the ping scanner handles
its own grouping, and ignores this value.
- --min_hostgroup <numhosts>
+ --min_hostgroup <numhosts>
Specifies the minimum host group size (see previous entry).
Large values (such as 50) are often beneficial for unattended
scans, though they do take up more memory. Nmap may override
@@ -902,19 +902,19 @@
the same network interface, and some scan types can only handle
one host at a time.
- --max_parallelism <number>
+ --max_parallelism <number>
Specifies the maximum number of scans Nmap is allowed to perform
in parallel. Setting this to one means Nmap will never try to
scan more than 1 port at a time. It also effects other parallel
scans such as ping sweep, RPC scan, etc.
- --min_parallelism <number>
+ --min_parallelism <number>
Tells Nmap to scan at least the given number of ports in paral-
lel. This can speed up scans against certain firewalled hosts
by an order of magnitude. But be careful -- results will become
unreliable if you push it too far.
- --scan_delay <milliseconds>
+ --scan_delay <milliseconds>
Specifies the minimum amount of time Nmap must wait between
probes. This is mostly useful to reduce network load or to slow
the scan way down to sneak under IDS thresholds. Nmap will
@@ -924,7 +924,7 @@
So Nmap will try to detect this and lower its rate of UDP probes
to one per second.
- --max_scan_delay <milliseconds>
+ --max_scan_delay <milliseconds>
As noted above, Nmap will sometimes enforce a special delay
between sending packets. This can provide more accurate results
while reducing network congestion, but it can slow the scans
@@ -938,7 +938,7 @@
-TARGET SPECIFICATION
+TARGET SPECIFICATION
Everything that isn’t an option (or option argument) in nmap is treated
as a target host specification. The simplest case is listing single
hostnames or IP addresses on the command line. If you want to scan a