Index

Options

summary of options, Options Summary, Options Summary
--allports, Exclude Directive, Service and Version Detection
--append-output, Controlling Output Type, Output
--badsum, Firewall/IDS Evasion and Spoofing
--data-length, Firewall/IDS Evasion and Spoofing
no effect in OS detection, Sequence generation (SEQ, OPS, WIN, and T1), Firewall/IDS Evasion and Spoofing
--datadir, Well Known Port List: nmap-services, SunRPC Numbers: nmap-rpc, Using Customized Data Files, Miscellaneous Options
--defeat-rst-ratelimit, Timing and Performance
--dns-servers, Host Discovery
--exclude, Target Specification
--excludefile, Target Specification
--fuzzy (see --osscan-guess)
--help, Miscellaneous Options
--host-timeout, Timing and Performance
--iflist, Output
--initial-rtt-timeout, Timing and Performance
--interactive, Miscellaneous Options
--ip-options, Firewall/IDS Evasion and Spoofing
--log-errors, Handling Error and Warning Messages, Output
--max-hostgroup, Timing and Performance
--max-os-tries, Usage and Examples, OS Detection
--max-parallelism, Timing and Performance
--max-rate, Timing and Performance
--max-retries, Timing and Performance
--max-rtt-timeout, Timing and Performance
example of, Manipulating XML Output with Perl
--max-scan-delay, Timing and Performance
--min-hostgroup, Timing and Performance
--min-parallelism, Timing and Performance
--min-rate, Timing and Performance
--min-rtt-timeout, Timing and Performance
--mtu, Firewall/IDS Evasion and Spoofing
--no-stylesheet, Creating HTML Reports, Output
--open, Output
--osscan-guess, Usage and Examples, OS Matching Algorithms, Dealing with Misidentified and Unidentified Hosts, OS Detection
--osscan-limit, Usage and Examples, OS Detection
--packet-trace, Enabling Packet Tracing, Output
example of, Idle Scan Implementation Algorithms, Enabling Packet Tracing
--port-ratio, Port Specification and Scan Order
--privileged, Miscellaneous Options
--randomize-hosts, Firewall/IDS Evasion and Spoofing
--reason, Output
implied by -d, Output
--release-memory, Miscellaneous Options
--resume, Resuming Aborted Scans, Output
--scan-delay, Timing and Performance
--scanflags, Port Scanning Techniques
--script, Usage and Examples, Command-line Arguments, Initialization Phase, Nmap Scripting Engine (NSE)
example of, Usage Examples
--script-args, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE)
example of, Arguments to Scripts
--script-trace, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE)
example of, Usage Examples
--script-updatedb, Usage and Examples, Command-line Arguments, Files Related to Scripting, Nmap Scripting Engine (NSE)
--send-eth, Firewall/IDS Evasion and Spoofing, Miscellaneous Options
implied by --spoof-mac, Firewall/IDS Evasion and Spoofing
--send-ip, Miscellaneous Options
--servicedb, Well Known Port List: nmap-services, Miscellaneous Options
--source-port, Firewall/IDS Evasion and Spoofing
--spoof-mac, Information Passed to a Script, Firewall/IDS Evasion and Spoofing
--stylesheet, Creating HTML Reports, Output
--system-dns, Host Discovery
--top-ports, Port Specification and Scan Order
--traceroute, An Overview of the Topology Tab, Searching Saved Results, Host Discovery
--ttl, Firewall/IDS Evasion and Spoofing
--unprivileged, Miscellaneous Options
--verbose, Controlling Verbosity of Output
--version, Miscellaneous Options
example of, Testing Whether Nmap is Already Installed
--version-all, Technique Described, Probe Selection and Rarity, Service and Version Detection
--version-intensity, Technique Described, Probe Selection and Rarity, Service and Version Detection
--version-light, Technique Described, Probe Selection and Rarity, Service and Version Detection
--version-trace, Technique Demonstrated, Service and Version Detection
example of, Technique Demonstrated
--versiondb, Miscellaneous Options
--webxml, Creating HTML Reports, Output
-6, Miscellaneous Options
-A, Version Scanning DB: nmap-service-probes, Miscellaneous Options
example of, Avatar Online, Introduction, Usage and Examples, RPC Grinding, Description
features enabled by, Usage and Examples, Command-line Arguments, Miscellaneous Options
-b, Port Scanning Techniques
-D, TCP Idle Scan (-sI), Firewall/IDS Evasion and Spoofing
-d, Enabling Debugging Output, Output
example of, Technique Demonstrated, Enabling Debugging Output
giving more than once, Enabling Debugging Output, Enabling Packet Tracing, Output
-e, Firewall/IDS Evasion and Spoofing
-F, Port Specification and Scan Order
-f, Firewall/IDS Evasion and Spoofing
giving twice, Firewall/IDS Evasion and Spoofing
-g, Firewall/IDS Evasion and Spoofing
-h, Miscellaneous Options
-iL, Target Specification
randomizing hosts with, Firewall/IDS Evasion and Spoofing
-iR, Finding a Working Idle Scan Zombie Host, Target Specification
example of, Status field, Target Specification, Examples
-n, Host Discovery
-O, Usage and Examples, Seq Index field, Nmap OS Detection DB: nmap-os-db, OS Detection
example of, Usage and Examples, Examples
to identify idle scan zombie candidates, Finding a Working Idle Scan Zombie Host
-oA, Controlling Output Type, Output
example of, Avatar Online
in Zenmap, Output Files
-oG, MadHat in Wonderland, Grepable Output (-oG), Output
example of, Grepable Output (-oG), Status field, Examples
in Zenmap, Output Files
-oN, Handling Error and Warning Messages, Normal Output (-oN), Output
example of, Normal Output (-oN)
in Zenmap, Output Files
-oS, $crIpT kIddI3 0uTPut (-oS), Output
example of, $crIpT kIddI3 0uTPut (-oS)
in Zenmap, Output Files
-oX, XML Output (-oX), Output
example of, XML Output (-oX), Examples
in Zenmap, Output Files
-p, Port Specification and Scan Order
example of, Idle Scan Implementation Algorithms, Examples
-PA, Host Discovery
example of, Avatar Online
-PE, Host Discovery
example of, Avatar Online
-PM, Host Discovery
-PN, Host Discovery
example of, Idle Scan Implementation Algorithms, Examples
with idle scan, Executing an Idle Scan, Idle Scan Implementation Algorithms
-PO, Host Discovery
-PP, Host Discovery
-PR, Host Discovery
-PS, Host Discovery
example of, Avatar Online, Target Specification
-PU, Host Discovery
-r, Port Specification and Scan Order
example of, Idle Scan Implementation Algorithms
-R, Host Discovery
-S, Firewall/IDS Evasion and Spoofing
-sA, Port Scanning Techniques
-sC, Usage and Examples, Command-line Arguments, Nmap Scripting Engine (NSE)
example of, Introduction, Usage Examples
-sF, Port Scanning Techniques
-sI, TCP Idle Scan (-sI), Port Scanning Techniques
example of, Executing an Idle Scan, Idle Scan Implementation Algorithms
-sL, Grepable Output Fields, Host Discovery
example of, Avatar Online, Status field
-sM, Port Scanning Techniques
-sN, Port Scanning Techniques
-sO, Grepable Output Fields, Protocols field, Port Scanning Techniques
example of, Protocols field
-sP, Grepable Output Fields, Host Discovery
example of, Enabling Packet Tracing
-sR, RPC Grinding, Ports field, Service and Version Detection
-sS, Is Unauthorized Port Scanning a Crime?, Port Scanning Techniques
example of, Avatar Online, Target Specification, Examples
-sT, Is Unauthorized Port Scanning a Crime?, Port Scanning Techniques
example of, Manipulating XML Output with Perl
-sU, Port Scanning Techniques
-sV, Usage and Examples, Command-line Arguments, Version Scanning DB: nmap-service-probes, Service and Version Detection
example of, Technique Demonstrated, SSL Post-processor Notes
-sW, Port Scanning Techniques
-sX, Port Scanning Techniques
-T, Timing and Performance
-T0 (see paranoid timing template)
-T1 (see sneaky timing template)
-T2 (see polite timing template)
-T3 (see normal timing template)
-T4 (see aggressive timing template)
-T5 (see insane timing template)
-v, Finding a Working Idle Scan Zombie Host, Controlling Verbosity of Output, Output
example of, Usage and Examples, Controlling Verbosity of Output, Examples
extra output enabled by, Controlling Verbosity of Output, Controlling Verbosity of Output
giving more than once, Controlling Verbosity of Output, Output
implied by -d, Enabling Debugging Output
-V, Miscellaneous Options

A

A (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP acknowledgment number (A)
a: (Zenmap search criterion, short for after:), Searching Saved Results
acceptable use policy, Is Unauthorized Port Scanning a Crime?
ACK ping, Host Discovery
ACK scan, Port Scanning Techniques
“action” script variable, Action, Information Passed to a Script, The Mechanism
adaptive retransmission (see retransmission)
address ranges, Avatar Online, Target Specification
after: (Zenmap search criterion), Searching Saved Results
aggregated results (Zenmap), Scan Aggregation, The Scans tab, An Overview of the Topology Tab
aggressive (-T4) timing template, Avatar Online, Timing and Performance
“Aggressive OS guesses:”, Usage and Examples
AmigaOS, installing on, Amiga, HP-UX, IRIX, and Other Platforms
Antirez, TCP Idle Scan (-sI)
Apple Developer Connection, Compile Nmap from source code
Apple Mac OS X (see Mac OS X)
apt-get, Debian Linux and Derivatives such as Ubuntu
ARIN (American Registry for Internet Numbers), Avatar Online
ARP ping, Host Discovery
“auth” script category, Script Categories
auth service, Dealing with Misidentified and Unidentified Hosts, Script Writing Tutorial
auth-owners script, The Head
“author” script variable, author Field, Example Script: finger.nse
authorized users (see privileged users)

B

b: (Zenmap search criterion, short for before:), Searching Saved Results
before: (Zenmap search criterion), Searching Saved Results
Bell, Eddie, Example Script: finger.nse
binary packages, If You Encounter Compilation Problems
bit NSE module, Adding C Modules to Nselib
black hat, Is Unauthorized Port Scanning a Crime?
blind TCP spoofing, Usage and Examples, Decoding the Subject Fingerprint Format, Seq Index field
broken IP ID increment, TCP IP ID sequence generation algorithm (TI)
BSDs, FreeBSD / OpenBSD / NetBSD
bugs, reporting, Bugs

C

Casorran, Diego, Amiga, HP-UX, IRIX, and Other Platforms
“categories” script variable, categories Field, The Head
CC (OS detection response test), TCP explicit congestion notification (ECN), Explicit congestion notification (CC)
CD (OS detection response test), ICMP echo (IE), ICMP response code (CD)
cfp: (Zenmap search criterion, short for closed|filtered:), Searching Saved Results
changelog, The History and Future of Nmap, Testing Whether Nmap is Already Installed, Author
cheats (version detection), Cheats and Fallbacks
checksums, Firewall/IDS Evasion and Spoofing
and OS detection, Integrity of returned probe IP checksum value (RIPCK)
of RST data, TCP RST data checksum (RD)
Christensen, Steven, Sun Solaris
CIDR (Classless Inter-Domain Routing), Avatar Online, Is Unauthorized Port Scanning a Crime?, Target Specification
Classless Inter-Domain Routing (see CIDR)
closed port state, Avatar Online, Searching Saved Results, Description, Port Scanning Basics
closed: (Zenmap search criterion), Searching Saved Results
closed|filtered port state, Idle Scan Step by Step, Idle Scan Implementation Algorithms, Searching Saved Results, Description, Port Scanning Basics
closed|filtered: (Zenmap search criterion), Searching Saved Results
command constructor wizard (Zenmap), The Nmap Command Constructor Wizard
command-line options
of Nmap, Options Summary, Options Summary
of Zenmap, Command-line Options
comparing results (Zenmap), Comparing Results, Comparing Results
compilation, Unix Compilation and Installation from Source Code
problems with, If You Encounter Compilation Problems
Computer Fraud and Abuse Act, Is Unauthorized Port Scanning a Crime?
Computer Misuse Act, Is Unauthorized Port Scanning a Crime?
configure directives, Configure Directives
connect scan, Port Scanning Techniques
copyright, Introduction, Nmap Copyright, Nmap Copyright and Licensing
of scripts, license Field
cp: (Zenmap search criterion, short for closed:), Searching Saved Results
crashing targets, Can Port Scanning Crash the Target Computer/Networks?, No Warranty
CT (SCAN line test), Decoding the SCAN line of a subject fingerprint
CU (SCAN line test), Decoding the SCAN line of a subject fingerprint
Cygwin, Command-line Zip Binaries, Compile from Source Code

D

D (SCAN line test), Decoding the SCAN line of a subject fingerprint
d// (device type) version detection field, match Directive
d: (Zenmap search criterion, short for date:), Searching Saved Results
data files, Understanding and Customizing Nmap Data Files, Understanding and Customizing Nmap Data Files
customizing, Using Customized Data Files, Using Customized Data Files
directory search order, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE)
used by Zenmap, Files Used by Zenmap, Files Used by Zenmap
database, output to, Output to a Database
date: (Zenmap search criterion), Searching Saved Results
Debian, installing on, Debian Linux and Derivatives such as Ubuntu
debugging, Enabling Debugging Output, Output
(see also -d)
Zenmap, Error Output
decoys, TCP Idle Scan (-sI), Firewall/IDS Evasion and Spoofing
which scans use, Service and Version Detection
default ports, Port Specification and Scan Order
“default” script category, Script Categories, The Head
DEFAULT_PROTO_PROBE_PORT_SPEC, Host Discovery
DEFAULT_TCP_PROBE_PORT_SPEC, Host Discovery
DEFAULT_UDP_PROBE_PORT_SPEC, Host Discovery
defending against Nmap, Defenses Against Nmap
denial of service, Exploit Chronology
deny by default, Avatar Online
(see also filtered port state)
“description” script variable, description Field, The Head, Example Script: finger.nse
device type (OS detection), Device and OS classification (Class lines)
“Device type:”, Usage and Examples
DF (OS detection response test), IP don't fragment bit (DF)
DFI (OS detection response test), ICMP echo (IE), Don't fragment (ICMP) (DFI)
diff (see comparing results)
digests, cryptographic, Verifying the Integrity of Nmap Downloads
dir: (Zenmap search modifier), Searching Saved Results
“discovery” script category, Script Categories
disk image (Mac OS X), Executable Installer
DLI (OS detection response test), ICMP echo (IE), IP data length for ICMP responses (DLI)
.dmg (Mac OS X disk image), Executable Installer
DNS
records as source of information, Host Discovery
document type definition (DTD), XML Output (-oX), Purpose
downloading, Testing Whether Nmap is Already Installed, Downloading Nmap
DS (SCAN line test), Decoding the SCAN line of a subject fingerprint
DTD (see document type definition)

E

“Easy” TCP sequence generation class, Usage and Examples
ECN (see explicit congestion notification)
ECN (OS fingerprint category line), TCP explicit congestion notification (ECN)
egress filtering, TCP Idle Scan (-sI)
Ereet, Executing an Idle Scan
estimating scan time, Controlling Verbosity of Output
exceptions in NSE, Exception Handling, The Mechanism
Exclude directive (nmap-service-probes), Technique Described, Exclude Directive, Putting It All Together, Service and Version Detection
excluding targets, Target Specification
explicit congestion notification (ECN), TCP explicit congestion notification (ECN), Explicit congestion notification (CC), Enabling Packet Tracing
export control, United States Export Control Classification
“external” script category, Script Categories

F

F (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP flags (F)
fallback directive (nmap-service-probes), fallback Directive
fallbacks (version detection), Technique Described, Cheats and Fallbacks
family (OS detection), Device and OS classification (Class lines)
fast scan (see -F)
Fedora (Linux distribution)
installing on, with RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
installing on, with Yum, Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Felix (penetration tester), Avatar Online
filtered port state, Avatar Online, Searching Saved Results, Description, Port Scanning Basics
filtered: (Zenmap search criterion), Searching Saved Results
FIN scan, Port Scanning Techniques
finger script, Example Script: finger.nse
fingerprint (see OS fingerprint and service fingerprint)
Fingerprint (nmap-os-db), Free-form OS description (Fingerprint line), Device and OS classification (Class lines)
fingerprinting (see version detection, OS detection)
Fink, Third-party Packages
firewalls
bypassing, TCP Idle Scan (-sI), Detecting and Subverting Firewalls and Intrusion Detection Systems, Firewall/IDS Evasion and Spoofing, Firewall/IDS Evasion and Spoofing
fisheye, Fisheye controls
“Formidable” TCP sequence generation class, Usage and Examples
fp: (Zenmap search criterion, short for filtered:), Searching Saved Results
fragmentation
DF bit, IP don't fragment bit (DF)
not used in OS detection, IP Fragmentation
FreeBSD, installing on, FreeBSD Binary Package and Source Ports Instructions
FTP bounce scan, Port Scanning Techniques

G

G (SCAN line test), Decoding the SCAN line of a subject fingerprint
GCD (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN greatest common divisor (GCD)
General Public License (see GNU General Public License)
generation (OS detection), Device and OS classification (Class lines)
.gnmap filename extension, Controlling Output Type
GNU General Public License, Introduction, The History and Future of Nmap, Nmap Copyright and Licensing
GomoR, Passive Fingerprinting
“Good luck!” TCP sequence generation class, Usage and Examples
Google Summer of Code, The History and Future of Nmap, History
GPL (see GNU General Public License)
graphical user interface (see Zenmap)
grepable output, MadHat in Wonderland, Grepable Output (-oG), Grepable Output (-oG), Output
comments in, Grepable Output (-oG), Output
deprecation of, XML Output (-oX), Grepable Output (-oG)
fields of, Grepable Output Fields
parsing, Parsing Grepable Output on the Command Line
resuming from, Resuming Aborted Scans
GUI (see Zenmap)

I

i// (info) version detection field, match Directive
ICMP destination unreachable, TCP/IP Fingerprinting Methods Supported by Nmap, Unused port unreachable field nonzero (UN)
ICMP echo, TCP/IP Fingerprinting Methods Supported by Nmap, ICMP echo (IE), IP data length for ICMP responses (DLI), Host Discovery
ICMP ping, Host Discovery
idle scan, TCP Idle Scan (-sI), TCP Idle Scan (-sI), Port Scanning Techniques
advantages of, TCP Idle Scan (-sI)
disadvantages of, TCP Idle Scan (-sI)
example, Executing an Idle Scan
finding zombies, TCP Idle Scan (-sI)
implementation, Idle Scan Implementation Algorithms
IE (OS fingerprint category line), ICMP echo (IE)
II (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), ICMP IP ID sequence generation algorithm (II)
inroute: (Zenmap search criterion), Searching Saved Results
insane (-T5) timing template, Timing and Performance
installation, Obtaining, Compiling, Installing, and Removing Nmap, Obtaining, Compiling, Installing, and Removing Nmap
from source code, Unix Compilation and Installation from Source Code
interactive mode, Miscellaneous Options
interactive output, Handling Error and Warning Messages, Interactive Output, Output
interface, Firewall/IDS Evasion and Spoofing
(see also -e)
Internet Assigned Numbers Authority (IANA)
assigned ports list, Well Known Port List: nmap-services
Internet service providers (ISPs)
acceptable use policy, Is Unauthorized Port Scanning a Crime?
and port scanning, Legal Issues, Is Unauthorized Port Scanning a Crime?
filtering, TCP Idle Scan (-sI)
intrusion detection systems
evading, Port Scanning Techniques, Timing and Performance, Firewall/IDS Evasion and Spoofing, Firewall/IDS Evasion and Spoofing
intrusion prevention systems, Firewall/IDS Evasion and Spoofing
(see also intrusion detection systems)
“intrusive” script category, Script Categories
IP ID, TCP Idle Scan (-sI), Returned probe IP ID value (RID)
IP ID sequence generation, Usage and Examples, TCP IP ID sequence generation algorithm (TI)
classes, Finding a Working Idle Scan Zombie Host
IP options, Firewall/IDS Evasion and Spoofing
IP protocol ping, Host Discovery
IP protocol scan, Port Scanning Techniques
IPL (OS detection response test), UDP (U1), IP total length (IPL)
iptables, Host Discovery, Firewall/IDS Evasion and Spoofing
IPv6, Miscellaneous Options
limitations of, Host Discovery
IPv6 tunnel broker, Miscellaneous Options
ir: (Zenmap search criterion, short for inroute:), Searching Saved Results
IRIX, installing on, Amiga, HP-UX, IRIX, and Other Platforms
ISPs (see Internet service providers)
ISR (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN counter rate (ISR)

K

Kaminsky, Dan, Introduction
keys, cryptographic, Verifying the Integrity of Nmap Downloads
keyword search in Zenmap, Searching Saved Results

M

M (SCAN line test), Decoding the SCAN line of a subject fingerprint
MAC address, Information Passed to a Script, MAC Address Vendor Prefixes: nmap-mac-prefixes, Firewall/IDS Evasion and Spoofing
Mac OS X, Apple Mac OS X, Apple Mac OS X
compiling on, Compile from Source Code
executable installer, Executable Installer
installing from third-party packages, Third-party Packages
running Nmap on, Executing Nmap on Mac OS X
machine output (see grepable output)
MacPorts, Third-party Packages
MadHat, MadHat in Wonderland, Grepable Output (-oG)
Maimon scan, Port Scanning Techniques
Maimon, Uriel, Port Scanning Techniques
“malware” script category, Script Categories
man page (see reference guide)
Mandrake (Linux distribution)
installing on, with RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
installing on, with Yum, Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Marques, Adriano Monteiro, The History and Future of Nmap, History
match directive (nmap-service-probes), match Directive, Putting It All Together
MatchPoints (nmap-os-db), OS Matching Algorithms
Matrix, the, Saving the Human Race, The History and Future of Nmap
ME (decoy address), Firewall/IDS Evasion and Spoofing
Medeiros, João Paulo S., An Overview of the Topology Tab
“Medium” TCP sequence generation class, Usage and Examples
Metasploit, Introduction
Microsoft Windows (see Windows)
Mitnick, Kevin, Usage and Examples
Mizrahi, Avi, Is Unauthorized Port Scanning a Crime?
Moran, Jay, Introduction
Moulton, Scott, Is Unauthorized Port Scanning a Crime?
mutexes in NSE, Thread Mutexes
MySQL, Output to a Database

N

Nessus, The History and Future of Nmap
NetBSD, installing on, NetBSD Binary Package Instructions
network distance, Usage and Examples, IP initial time-to-live (T), Decoding the SCAN line of a subject fingerprint
network inventory, Network inventory and support
network inventory (Zenmap), Scan Aggregation
Network Mapper (see Nmap)
Nmap
birthday of, Controlling Verbosity of Output
checking if installed, Testing Whether Nmap is Already Installed
description of, Description
history of, The History and Future of Nmap, The History and Future of Nmap
uses of, Introduction
.nmap directory, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE), Miscellaneous Options
.nmap filename extension, Controlling Output Type
nmap NSE module, Lua Base Language, Nmap API, Nmap API
“Nmap Output” scan results tab, The Nmap Output tab
Nmap Project Signing Key, Verifying the Integrity of Nmap Downloads
Nmap Scripting Engine (NSE), The Phases of an Nmap Scan, Nmap Scripting Engine, Nmap Scripting Engine, Nmap Scripting Engine (NSE), Nmap Scripting Engine (NSE)
API, Nmap API
C modules, Adding C Modules to Nselib
documentation in, Writing Script Documentation (NSEDoc), Writing Script Documentation (NSEDoc)
for version detection, Nmap Scripting Engine Integration
implementation, Implementation Details
library, Script Language
list of modules, NSE Libraries
list of scripts, NSE Scripts
modules, Files Related to Scripting
parts of, Script Language
sample scripts, Version Detection Using NSE, Example Script: finger.nse
tutorial, Script Writing Tutorial, Script Writing Tutorial
nmap-dev mailing list, The History and Future of Nmap, If You Encounter Compilation Problems, Amiga, HP-UX, IRIX, and Other Platforms, Fingerprinting Methods Avoided by Nmap, Enabling Debugging Output, Timing and Performance, Output, Bugs
nmap-diff, MadHat in Wonderland
nmap-hackers mailing list, Is Unauthorized Port Scanning a Crime?, The History and Future of Nmap, Port Scanning Techniques
nmap-mac-prefixes, MAC Address Vendor Prefixes: nmap-mac-prefixes, MAC Address Vendor Prefixes: nmap-mac-prefixes
excerpt, MAC Address Vendor Prefixes: nmap-mac-prefixes
nmap-os-db, Response Tests, Understanding an Nmap Fingerprint, Nmap OS Detection DB: nmap-os-db, Nmap OS Detection DB: nmap-os-db, OS Detection
custom modifications, Modifying the nmap-os-db Database Yourself
excerpts, Decoding the Reference Fingerprint Format, Device and OS classification (Class lines), OS Matching Algorithms, Nmap OS Detection DB: nmap-os-db
nmap-protocols, IP Protocol Number List: nmap-protocols
excerpt, IP Protocol Number List: nmap-protocols
nmap-report, MadHat in Wonderland
nmap-rpc, RPC Grinding, SunRPC Numbers: nmap-rpc
comments in, SunRPC Numbers: nmap-rpc
excerpt, SunRPC Numbers: nmap-rpc
nmap-service-probes, nmap-service-probes File Format, nmap-service-probes File Format, Version Scanning DB: nmap-service-probes, Version Scanning DB: nmap-service-probes, Service and Version Detection
comments in, nmap-service-probes File Format
complete example, Putting It All Together
excerpt, Version Scanning DB: nmap-service-probes
nmap-services, Introduction, Usage and Examples, Well Known Port List: nmap-services, Well Known Port List: nmap-services, Service and Version Detection
comments in, Well Known Port List: nmap-services
excerpt, Well Known Port List: nmap-services
nmap.h, Host Discovery, Firewall/IDS Evasion and Spoofing
nmap.xsl, Creating HTML Reports, Output
Nmap::Parser, Manipulating XML Output with Perl, Manipulating XML Output with Perl, Output
Nmap::Scanner, Manipulating XML Output with Perl, Manipulating XML Output with Perl, Output
NMAPDATADIR, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE)
NMAPDIR environment variable, Command-line Arguments, Using Customized Data Files, Nmap Scripting Engine (NSE), Miscellaneous Options
NmapFE, The History and Future of Nmap, Command-line and Graphical Interfaces
NMAP_PRIVILEGED environment variable, Miscellaneous Options
NMAP_UNPRIVILEGED environment variable, Miscellaneous Options
“No exact OS matches for host”, Usage and Examples
non-controversial scanning, Is Unauthorized Port Scanning a Crime?, Can Port Scanning Crash the Target Computer/Networks?
non-standard ports, Service and Version Detection
normal (-T3) timing template, Timing and Performance
normal output, Introduction, Normal Output (-oN), Normal Output (-oN), Output
differences from interactive output, Controlling Verbosity of Output, Handling Error and Warning Messages, Normal Output (-oN)
resuming from, Resuming Aborted Scans
NSE (see Nmap Scripting Engine)
.nse filename extension, Files Related to Scripting
NSEDoc, Writing Script Documentation (NSEDoc), Writing Script Documentation (NSEDoc)
for C modules, Writing Script Documentation (NSEDoc)
Nsock, Nmap API, Raw packet network I/O
NULL probe (version detection), Technique Described, Probe Directive
cheat, Cheats and Fallbacks
implicit fallback to, fallback Directive
NULL scan, Port Scanning Techniques

O

O (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP explicit congestion notification (ECN), TCP options (O, O1–O6)
o// (OS) version detection field, match Directive
O1–O6 (OS detection response tests), Sequence generation (SEQ, OPS, WIN, and T1), TCP options (O, O1–O6)
o: (Zenmap search criterion, short for option:), Searching Saved Results
ofp: (Zenmap search criterion, short for open|filtered:), Searching Saved Results
old releases, The History and Future of Nmap
op: (Zenmap search criterion, short for open:), Searching Saved Results
open port state, Avatar Online, Technique Described, Port and Host Rules, Matching Scripts with Targets, Searching Saved Results, Description, Port Scanning Basics
open source, Community Contributions, Source Code Availability and Community Contributions
Open Source Security Testing Methodology Manual (OSSTMM), Is Unauthorized Port Scanning a Crime?
open: (Zenmap search criterion), Searching Saved Results
OpenBSD, installing on, OpenBSD Binary Packages and Source Ports Instructions
OpenSSL, SSL Post-processor Notes, Third-Party Software
disabling, Configure Directives
linking exception, Nmap Copyright and Licensing
openssl NSE module, Adding C Modules to Nselib
open|filtered port state, Technique Described, Port and Host Rules, Matching Scripts with Targets, Searching Saved Results, Description, Port Scanning Basics
open|filtered: (Zenmap search criterion), Searching Saved Results
operating system detection (see OS detection)
OPS (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1)
option: (Zenmap search criterion), Searching Saved Results
organizationally unique identifier (OUI), MAC Address Vendor Prefixes: nmap-mac-prefixes, Firewall/IDS Evasion and Spoofing
(see also nmap-mac-prefixes)
“OS details:”, Usage and Examples
OS detection, The Phases of an Nmap Scan, Remote OS Detection, Remote OS Detection, OS Detection, OS Detection
2nd generation, Introduction
category lines, Probes Sent, Probes Sent
classifications, Device and OS classification (Class lines)
effects of packet filters, Dealing with Misidentified and Unidentified Hosts
matching algorithms, OS Matching Algorithms
probes sent, Probes Sent, Probes Sent
reasons for, Reasons for OS Detection
response tests, Response Tests, Response Tests
using version detection, match Directive, Usage and Examples
OS fingerprint
displaying with -d, Usage and Examples
explained, Understanding an Nmap Fingerprint
reference fingerprint, Decoding the Reference Fingerprint Format, Nmap OS Detection DB: nmap-os-db
test expressions in, Test expressions
subject fingerprint, Usage and Examples, Decoding the Subject Fingerprint Format
submission of, When Nmap Fails to Find a Match and Prints a Fingerprint
os: (Zenmap search criterion), Searching Saved Results
OSSTMM (see Open Source Security Testing Methodology Manual)
OT (SCAN line test), Decoding the SCAN line of a subject fingerprint
OUI (see organizationally unique identifier)
output
redirecting, Handling Error and Warning Messages
to stdout with -, Controlling Output Type, Normal Output (-oN), $crIpT kIddI3 0uTPut (-oS), XML Output (-oX), Grepable Output (-oG), Output
output formats, Nmap Output Formats, Nmap Output Formats, Output, Output
grepable (see grepable output)
interactive (see interactive output)
normal (see normal output)
scR1pT kIddI3 (see scR1pT kIddI3 output)
summary of, Controlling Output Type
the importance of clear output, Introduction
XML (see XML output)

P

P (SCAN line test), Decoding the SCAN line of a subject fingerprint
$P() version detection helper function, match Directive
p// (product name) version detection field, match Directive
p0f, Passive Fingerprinting
packet tracing (see --packet-trace)
parallelism
in idle scan, Idle Scan Implementation Algorithms
in NSE, Script Execution
paranoid (-T0) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance
passive OS fingerprinting, Passive Fingerprinting
PATH environment variable, Testing Whether Nmap is Already Installed, The nmap Executable, Using Customized Data Files
additional directories searched by Zenmap, The nmap Executable
Path on Windows, Executing Nmap on Windows
PCRE (see Perl Compatible Regular Expressions)
penetration testing, Introduction, Output to a Database
Avatar Online example, Avatar Online, Avatar Online
permission for, Is Unauthorized Port Scanning a Crime?
performance, Optimizing Nmap Performance, Timing and Performance, Timing and Performance
Perl Compatible Regular Expressions (PCRE), match Directive, Third-Party Software
Permeh, Ryan, The History and Future of Nmap, Windows
Persaud, Anthony, Manipulating XML Output with Perl
PGP signatures, Verifying the Integrity of Nmap Downloads
Phrack, The History and Future of Nmap, Port Scanning Techniques
ping scan, Host Discovery
PING_GROUP_SZ, Firewall/IDS Evasion and Spoofing
polite (-T2) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance
PORT column, Well Known Port List: nmap-services
port frequency, Well Known Port List: nmap-services
port scanning, The Phases of an Nmap Scan
algorithms, Port Scanning Techniques and Algorithms
port specification, Port Specification and Scan Order
wildcards in, Port Specification and Scan Order
port states
closed (see closed port state)
closed|filtered (see closed|filtered port state)
filtered (see filtered port state)
ignored (not shown), Sorting by Service, Ignored State field
open (see open port state)
open|filtered (see open|filtered port state)
unfiltered (see unfiltered port state)
port zero, Port Specification and Scan Order
portmapper, RPC Grinding
“portrule” script variable, Port and Host Rules, The Rule, Example Script: finger.nse, Matching Scripts with Targets
ports
“interesting”, Description
“Ports / Hosts” scan results tab, The Ports / Hosts tab
ports directive (nmap-service-probes), ports and sslports Directives, Putting It All Together
pr: (Zenmap search criterion, short for profile:), Searching Saved Results
printers, version detection exclusion of, Exclude Directive
private addresses, Decoding the SCAN line of a subject fingerprint
privileged users, Executing Nmap on Windows, Executing Nmap on Mac OS X, Host Discovery, Port Scanning Techniques, Miscellaneous Options
proactive scanning, The Profile Editor
probable ports in version detection, Technique Described
Probe directive (nmap-service-probes), Probe Directive, Putting It All Together
probe string (version detection), Technique Described, Probe Directive
profile editor (Zenmap), The Profile Editor
profile: (Zenmap search criterion), Searching Saved Results
profiles (see Zenmap: scan profiles)
proxies
effect on OS detection, Usage and Examples
HTTP, Avatar Online

R

R (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), Responsiveness (R)
RadialNet, An Overview of the Topology Tab
random targets, Target Specification
randomization of hosts, Firewall/IDS Evasion and Spoofing
randomization of ports, Port Specification and Scan Order
rarity directive (nmap-service-probes), rarity Directive, Putting It All Together
rarity of version detection probes, Technique Described, Probe Selection and Rarity
rate limiting, Port Scanning Techniques, Timing and Performance
raw packets, Host Discovery, Port Scanning Techniques
in NSE, Raw packet network I/O
raw sockets, Miscellaneous Options
RD (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP RST data checksum (RD)
reason reporting (see --reason)
recent scans database, The Recent Scans Database
record route IP option, Firewall/IDS Evasion and Spoofing
record timestamp IP option, Firewall/IDS Evasion and Spoofing
Red Hat (Linux distribution)
installing on, with RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
installing on, with Yum, Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
reference guide (man page), Nmap Reference Guide, Nmap Reference Guide
registry (NSE), The Registry, Initialization Phase
regular expressions, Technique Described, match Directive
(see also Perl Compatible Regular Expressions)
for syntax highlighting in Zenmap, Sections of zenmap.conf
removal, Removing Nmap
resuming scans, Resuming Aborted Scans, Output
retransmission, Timing and Performance
reverse DNS, Avatar Online, The Phases of an Nmap Scan, Introduction, Searching Saved Results
disabling with -n, Host Discovery
RID (OS detection response test), UDP (U1), Returned probe IP ID value (RID)
omission of, Returned probe IP ID value (RID), Decoding the Subject Fingerprint Format
Rieger, Gerhard, The History and Future of Nmap, Port Scanning Techniques
RIPCK (OS detection response test), UDP (U1), Integrity of returned probe IP checksum value (RIPCK)
RIPL (OS detection response test), UDP (U1), Returned probe IP total length value (RIPL)
RND (decoy address), Firewall/IDS Evasion and Spoofing
RPC, Technique Described
bypassing filtered portmapper port (see RPC grinder)
RPC grinder, Introduction, Usage and Examples, RPC Grinding, RPC Grinding, SunRPC Numbers: nmap-rpc, Service and Version Detection
RPC scan (see RPC grinder)
rpcbind, Usage and Examples, RPC Grinding
rpcinfo, RPC Grinding
RPM, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora), Removing Nmap
installing from, RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
RUCK (OS detection response test), UDP (U1), Integrity of returned probe UDP length and checksum (RUL and RUCK)
RUD (OS detection response test), UDP (U1), Integrity of returned UDP data (RUD)
RUL (OS detection response test), UDP (U1), Integrity of returned probe UDP length and checksum (RUL and RUCK)
rules in NSE (see “portrule” and “hostrule”)
run level of scripts, runlevel Field, The Registry
“runlevel” script variable, runlevel Field
“Running:”, Usage and Examples
runtime interaction, Runtime Interaction

S

S (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP (T2–T7), TCP sequence number (S)
“safe” script category, Script Categories, The Head
saving scan results, Saving and Loading Scan Results
Saxon, Saving a Permanent HTML Report
SCAN (subject OS fingerprint line), Decoding the Subject Fingerprint Format, Decoding the SCAN line of a subject fingerprint
scan profiles (see Zenmap: scan profiles)
Scanlogd, Firewall/IDS Evasion and Spoofing
scanme.nmap.org, Is Unauthorized Port Scanning a Crime?
Scanrand, Introduction
“Scans” scan results tab, The Scans tab
Schubert, Max, Manipulating XML Output with Perl
SCO Corporation, The History and Future of Nmap
script arguments, Arguments to Scripts, Nmap Scripting Engine (NSE)
(see also --script-args)
script categories, Script Categories
scR1pT kIddI3 output, $crIpT kIddI3 0uTPut (-oS), Output
script kiddies, Saving the Human Race, Controlling Output Type, Port Scanning Techniques
script names, examples of, Introduction
script.db, Command-line Arguments, Initialization Phase, Files Related to Scripting, Nmap Scripting Engine (NSE)
(see also --script-updatedb)
scripting (see Nmap Scripting Engine)
scripts, location of, Command-line Arguments, Files Related to Scripting, Nmap Scripting Engine (NSE)
SEQ (OS fingerprint category line), Sequence generation (SEQ, OPS, WIN, and T1)
SERVICE column, Well Known Port List: nmap-services
service detection (see version detection)
service fingerprint, Introduction, Technique Described
example of, Submit Service Fingerprints
submission of, Introduction, Community Contributions
“Service Info:”, Introduction, Usage and Examples
service: (Zenmap search criterion), Searching Saved Results
setuid, why Nmap shouldn't be, Miscellaneous Options, Inappropriate Usage
Shimomura, Tsutomu, Usage and Examples
SI (OS detection response test), ICMP echo (IE), ICMP sequence number (SI)
SinFP, Passive Fingerprinting
Smith, Zach, The History and Future of Nmap
sneaky (-T1) timing template, Can Port Scanning Crash the Target Computer/Networks?, Timing and Performance
social engineering, Social engineering
sockets in NSE, Connect-style network I/O
soft match (version detection), Technique Described
softmatch directive (nmap-service-probes), softmatch Directive, Putting It All Together
Solar Designer, Firewall/IDS Evasion and Spoofing
Solaris, installing on, Sun Solaris
Song, Dug, Third-Party Software
source address filtering, TCP Idle Scan (-sI)
source code, Unix Compilation and Installation from Source Code
advantages of, Unix Compilation and Installation from Source Code
source port number, Firewall/IDS Evasion and Spoofing
source routing, Firewall/IDS Evasion and Spoofing
SP (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), TCP ISN sequence predictability index (SP)
spoofed packets, Idle Scan Step by Step, Idle Scan Implementation Algorithms, Dealing with Misidentified and Unidentified Hosts
spoofing MAC address, Firewall/IDS Evasion and Spoofing
spoofing source address, Firewall/IDS Evasion and Spoofing
SS (OS detection response test), Sequence generation (SEQ, OPS, WIN, and T1), Shared IP ID sequence Boolean (SS)
SSL, ports and sslports Directives
(see also sslports directive)
in version detection, Usage and Examples, Technique Described, SSL Post-processor Notes,