Nmap Network Scanning
The Official Nmap Project Guide to Network Discovery and Security Scanning
Copyright © 2008-2022 by Nmap Software LLC. All rights reserved, except where noted.
Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.
- Preface
- 1. Getting Started with Nmap
- 2. Obtaining, Compiling, Installing, and Removing Nmap
- 3. Host Discovery (“Ping Scanning”)
- 4. Port Scanning Overview
- 5. Port Scanning Techniques and Algorithms
- Introduction
- TCP SYN (Stealth) Scan (-sS)
- TCP Connect Scan (-sT)
- UDP Scan (-sU)
- TCP FIN, NULL, and Xmas Scans (-sF, -sN, -sX)
- Custom Scan Types with --scanflags
- TCP ACK Scan (-sA)
- TCP Window Scan (-sW)
- TCP Maimon Scan (-sM)
- TCP Idle Scan (-sI)
- IP Protocol Scan (-sO)
- TCP FTP Bounce Scan (-b)
- Scan Code and Algorithms
- 6. Optimizing Nmap Performance
- 7. Service and Application Version Detection
- Introduction
- Usage and Examples
- Technique Described
- Technique Demonstrated
- Post-processors
- nmap-service-probes File Format
- Community Contributions
- SOLUTION: Find All Servers Running an Insecure or Nonstandard Application Version
- SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
- 8. Remote OS Detection
- Introduction
- Usage and Examples
- TCP/IP Fingerprinting Methods Supported by Nmap
- Probes Sent
- Response Tests
- TCP ISN greatest common divisor (GCD)
- TCP ISN counter rate (ISR)
- TCP ISN sequence predictability index (SP)
- IP ID sequence generation algorithm (TI, CI, II)
- Shared IP ID sequence Boolean (SS)
- TCP timestamp option algorithm (TS)
- TCP options (O, O1–O6)
- TCP initial window size (W, W1–W6)
- Responsiveness (R)
- IP don't fragment bit (DF)
- Don't fragment (ICMP) (DFI)
- IP initial time-to-live (T)
- IP initial time-to-live guess (TG)
- Explicit congestion notification (CC)
- TCP miscellaneous quirks (Q)
- TCP sequence number (S)
- TCP acknowledgment number (A)
- TCP flags (F)
- TCP RST data checksum (RD)
- IP total length (IPL)
- Unused port unreachable field nonzero (UN)
- Returned probe IP total length value (RIPL)
- Returned probe IP ID value (RID)
- Integrity of returned probe IP checksum value (RIPCK)
- Integrity of returned probe UDP checksum (RUCK)
- Integrity of returned UDP data (RUD)
- ICMP response code (CD)
- IPv6 fingerprinting
- Fingerprinting Methods Avoided by Nmap
- Understanding an Nmap Fingerprint
- Device Types
- OS Matching Algorithms
- Dealing with Misidentified and Unidentified Hosts
- SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network
- 9. Nmap Scripting Engine
- 10. Detecting and Subverting Firewalls and Intrusion Detection Systems
- Introduction
- Why Would Ethical Professionals (White-hats) Ever Do This?
- Determining Firewall Rules
- Bypassing Firewall Rules
- Subverting Intrusion Detection Systems
- Detecting Packet Forgery by Firewall and Intrusion Detection Systems
- 11. Defenses Against Nmap
- 12. Zenmap GUI Users' Guide
- 13. Nmap Output Formats
- 14. Understanding and Customizing Nmap Data Files
- 15. Nmap Reference Guide
- Description
- Options Summary
- Target Specification
- Host Discovery
- Port Scanning Basics
- Port Scanning Techniques
- Port Specification and Scan Order
- Service and Version Detection
- OS Detection
- Nmap Scripting Engine (NSE)
- Timing and Performance
- Firewall/IDS Evasion and Spoofing
- Output
- Miscellaneous Options
- Runtime Interaction
- Examples
- Nmap Book
- Bugs
- Authors
- Legal Notices
- 16. Ndiff Reference Guide
- 17. Ncat Reference Guide
- 18. Nping Reference Guide
- A. Nmap XML Output DTD
- Index
List of Figures
- 1. IPv4 header
- 2. TCP header
- 3. UDP header
- 4. ICMP header
- 1.1. Trinity begins her assault
- 1.2. Trinity scans the Matrix
- 1.3. Strong opinions on port scanning legality and morality
- 2.1. Executing Nmap from a Windows command shell
- 2.2. Apple Gatekeeper block screen
- 2.3. Apple Gatekeeper Open menu
- 2.4. Apple Gatekeeper Open screen
- 3.1. A business card explains everything
- 3.2. Netcraft finds 36 Target web servers
- 5.1. ICMPv4 destination unreachable header layout
- 5.2. SYN scan of open port 22
- 5.3. SYN scan of closed port 113
- 5.4. SYN scan of filtered port 139
- 5.5. Connect scan of open port 22
- 5.6. Idle scan of an open port
- 5.7. Idle scan of a closed port
- 5.8. Idle scan of a filtered port
- 5.9. Congestion window and threshold
- 5.10. Scan rate as affected by scan delay
- 8.1. ICMP echo request or reply header layout
- 8.2. ICMP destination unreachable header layout
- 10.1. BlackICE discovers an unusual intruder
- 10.2. An attacker masked by dozens of decoys
- 12.1. Typical Zenmap screen shot
- 12.2. Zenmap's main window
- 12.3. Target and profile selection
- 12.4. Host selection
- 12.5. OS icons
- 12.6. Service selection
- 12.7. Grouping a host's children
- 12.8. Highlighting regions of the topology
- 12.9. Choosing a profile
- 12.10. The profile editor
- 12.11. The “Scripting” profile editor tab
- 12.12. Host filter
- 12.13. The search dialog
- 12.14. Keyword search
- 12.15. Expressions search
- 12.16. Comparison tool
- 12.17. Comparison output
- 12.18. Zenmap in German
- 12.19. Setting the LANG environment variable on Windows XP
- 12.20. Setting the LANG environment variable on Mac OS X
- 13.1. HTML from XML output in a web browser
List of Tables
- 1. Formatting style conventions
- 3.1. First pass at listing target.com IPs
- 3.2. Best host discovery probes
- 3.3. Best host discovery probe combinations
- 3.4. Most valuable TCP probe ports, in descending order of accessibility.
- 5.1. ICMP destination unreachable (type 3) code values
- 5.2. How Nmap interprets responses to a SYN probe
- 5.3. How Nmap interprets responses to a UDP probe
- 5.4. How Nmap interprets responses to a NULL, FIN, or Xmas scan probe
- 5.5. How Nmap interprets responses to an ACK scan probe
- 5.6. How Nmap interprets responses to a Window scan ACK probe
- 5.7. How Nmap interprets responses to a Maimon scan probe
- 5.8. How Nmap interprets responses to an IP protocol probe
- 6.1. Required --top-ports values for reaching various effectiveness levels
- 6.2. Low-level timing controls by function
- 6.3. Timing templates and their effects
- 7.1. versioninfo field formats and values
- 7.2. versioninfo helper functions
- 8.1. O test values
- 8.2. DFI test values
- 8.3. CC test values
- 8.4. S test values
- 8.5. A test values
- 8.6. F test values
- 8.7. CD test values
- 8.8. Reference fingerprint test expression operators
- 8.9. OS guesses against Mac OS X
- 9.1. port.version values
List of Examples
- 1. A typical Nmap scan
- 1.1. Nmap list scan against Avatar Online IP addresses
- 1.2. Nmap results against an AO firewall
- 1.3. Another interesting AO machine
- 1.4. nmap-diff typical output
- 1.5. nmap-report execution
- 2.1. Checking for Nmap and determining its version number
- 2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
- 2.3. Verifying PGP key fingerprints (Successful)
- 2.4. Detecting a bogus file
- 2.5. A typical Nmap release digest file
- 2.6. Verifying Nmap hashes
- 2.7. Successful configuration screen
- 2.8. Installing Nmap from binary RPMs
- 2.9. Building and installing Nmap from source RPMs
- 2.10. Installing Nmap from a system Yum repository
- 3.1. Using the host command to query common DNS record types
- 3.2. Zone transfer failure and success
- 3.3. Nmap reverse-DNS and traceroute scan against www.target.com
- 3.4. Using whois to find owner of www.target.com IP address
- 3.5. Using whois to find netblock containing 161.225.130.163
- 3.6. Enumerating hosts surrounding www.stanford.edu with list scan
- 3.7. Discovering hosts surrounding www.lwn.net with a ping scan
- 3.8. Attempts to ping popular Internet hosts
- 3.9. Retry host discovery using port 80 SYN probes
- 3.10. Attempted ACK ping against Microsoft
- 3.11. Raw IP ping scan of an offline target
- 3.12. ARP ping scan of an offline target
- 3.13. Generating 50,000 IP addresses, then ping scanning with default options
- 3.14. Repeating ping scan with extra probes
- 4.1. Viewing and increasing the ephemeral port range on Linux
- 4.2. Simple scan: nmap scanme.nmap.org
- 4.3. More complex: nmap -p0- -v -A -T4 scanme.nmap.org
- 4.4. A simple IPv6 scan
- 4.5. Discovering Playboy's IP space
- 4.6. Pinging Playboy's web server for a latency estimate
- 4.7. Digging through Playboy's DNS records
- 4.8. Pinging the MX servers
- 4.9. TCP pinging the MX servers
- 4.10. Launching the scan
- 4.11. Egrep for open ports
- 5.1. A SYN scan showing three port states
- 5.2. Using --packet-trace to understand a SYN scan
- 5.3. Connect scan example
- 5.4. UDP scan example
- 5.5. UDP scan example
- 5.6. Improving Felix's UDP scan results with version detection
- 5.7. Improving Scanme's UDP scan results with version detection
- 5.8. Attempting to disambiguate UDP ports with TTL discrepancies
- 5.9. Optimizing UDP Scan Time
- 5.10. Example FIN and Xmas scans
- 5.11. SYN scan of Docsrv
- 5.12. FIN scan of Docsrv
- 5.13. A SYN/FIN scan of Google
- 5.14. A custom PSH scan
- 5.15. A typical ACK Scan
- 5.16. An ACK scan of Docsrv
- 5.17. Window scan of docsrv.caldera.com
- 5.18. A failed Maimon scan
- 5.19. An idle scan against the RIAA
- 5.20. IP protocol scan of a router and a typical Linux 2.4 box
- 5.21. Attempting an FTP bounce scan
- 5.22. Successful FTP bounce scan
- 6.1. Bandwidth usage over local 100 Mbps ethernet network
- 6.2. Estimating scan time
- 7.1. Simple usage of version detection
- 7.2. Version detection against www.microsoft.com
- 7.3. Complex version detection
- 7.4. NULL probe cheat example output
- 7.5. Enumerating RPC services with rpcinfo
- 7.6. Nmap direct RPC scan
- 7.7. Version scanning through SSL
- 8.1. OS detection with verbosity (-O -v)
- 8.2. Using version scan to detect the OS
- 8.3. A typical subject fingerprint
- 8.4. A cleaned-up subject fingerprint
- 8.5. A typical reference fingerprint
- 8.6. Some typical fingerprint descriptions and corresponding classifications
- 8.7. Typical CPE classifications
- 8.8. An IPv6 fingerprint
- 8.9. A cleaned-up IPv6 fingerprint
- 8.10. The MatchPoints structure
- 8.11. Scan results against a consumer WAP
- 9.1. Typical NSE output
- 9.2. Script help
- 9.3. Connect-style I/O
- 9.4. Automatic formatting of NSE structured output
- 9.5. NSE structured output in XML
- 9.6. Exception handling example
- 9.7. An NSEDoc comment for a function
- 9.8. An NSEDoc comment for a module
- 9.9. An NSEDoc comment for a script
- 9.10. Worker threads
- 9.11. Mutex manipulation
- 9.12. Basic Coroutine Use
- 9.13. Link Generator
- 9.14. A typical version detection script (Skype version 2 detection)
- 10.1. Detection of closed and filtered TCP ports
- 10.2. ACK scan against Scanme
- 10.3. Contrasting SYN and ACK scans against Para
- 10.4. UDP scan against firewalled host
- 10.5. UDP version scan against firewalled host
- 10.6. FIN scan against stateless firewall
- 10.7. Bypassing Windows IPsec filter using source port 88
- 10.8. Comparing IPv4 and IPv6 scans
- 10.9. Exploiting a printer with the FTP bounce scan
- 10.10. Some interesting hosts and networks at Megacorp
- 10.11. Ping scan against the target network
- 10.12. Packet trace against a single IP
- 10.13. Testing an idle scan
- 10.14. Testing source routing
- 10.15. Success at last
- 10.16. Host names can be deceiving
- 10.17. Noting TTL gaps with traceroute
- 10.18. Using the IP record route option
- 10.19. Slow scan to bypass the default Snort 2.2.0 Flow-portscan fixed time scan detection method
- 10.20. Default Snort rules referencing Nmap
- 10.21. Using DNS Proxies (Recursive DNS) for a Stealth List Scan of SecurityFocus
- 10.22. Detection of closed and filtered TCP ports
- 10.23. Testing IP ID sequence number consistency
- 10.24. Finding a firewall with bad TCP checksums
- 11.1. An all-TCP-port version scan
- 11.2. Deceiving Nmap with IP Personality
- 13.1. Scanrand output against a local network
- 13.2. Grepping for verbosity conditionals
- 13.3. Interactive output without verbosity enabled
- 13.4. Interactive output with verbosity enabled
- 13.5. Some representative debugging lines
- 13.6. Using --packet-trace to detail a ping scan of Scanme
- 13.7. A typical example of normal output
- 13.8. A typical example of $crIpt KiDDi3 0utPut
- 13.9. An example of Nmap XML output
- 13.10. Nmap XML port elements
- 13.11. Nmap::Parser sample code
- 13.12. Nmap::Scanner sample code
- 13.13. Normal output with CPE highlighted
- 13.14. A typical example of grepable output
- 13.15. Ping scan grepable output
- 13.16. List scan grepable output
- 13.17. Grepable output for IP protocol scan
- 13.18. Parsing grepable output on the command line
- 14.1. Excerpt from nmap-services
- 14.2. Excerpt from nmap-service-probes
- 14.3. Excerpt from nmap-rpc
- 14.4. Excerpt from nmap-os-db
- 14.5. Excerpt from nmap-mac-prefixes
- 14.6. Excerpt from nmap-protocols
- 15.1. A representative Nmap scan
- 16.1. Ndiff text output
- 16.2. Ndiff XML output
- 16.3. Scanning a network periodically with Ndiff and cron
- 18.1. A representative Nping execution
- 18.2. Discovering NAT devices
- 18.3. Discovering a transparent proxy