
Nmap Network Scanning

SSL Options

--ssl (Use SSL)

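In connect mode, this option transparently negotiates an SSL session with an SSL server to encrypt the connection. This is particularly handy for talking to SSL-enabled HTTP servers and similar services. On its own, --ssl does not require verification of the server certificate; use --ssl-verify for that.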

In server mode, this option listens for incoming SSL connections, rather than plain untunneled traffic.

In UDP connect mode, this option enables Datagram TLS (DTLS). This is not supported in server mode.

--ssl-verify (Verify server certificates)

In client mode, --ssl-verify is like --ssl except that it also requires verification of the server certificate. Ncat comes with a default set of trusted certificates in the file ca-bundle.crt. Some operating systems provide a default list of trusted certificates; these will also be used if available. Use --ssl-trustfile to give a custom list. Use -v one or more times to get details about verification failures.

Ncat does not check for revoked certificates.

This option has no effect in server mode.

--ssl-cert <certfile.pem> (Specify SSL certificate)

This option gives the location of a PEM-encoded certificate file used to authenticate the server (in listen mode) or the client (in connect mode). Use it in combination with --ssl-key.

--ssl-key <keyfile.pem> (Specify SSL private key)

This option gives the location of the PEM-encoded private key file that goes with the certificate named with --ssl-cert.

--ssl-trustfile <cert.pem> (List trusted certificates)

This option sets a list of certificates that are trusted for purposes of certificate verification. It has no effect unless combined with --ssl-verify. The argument to this option is the name of a PEM file containing trusted certificates. Typically, the file will contain certificates of certification authorities, though it may also contain server certificates directly. When this option is used, Ncat does not use its default certificates.

--ssl-ciphers <cipherlist> (Specify SSL ciphersuites)

This option sets the list of ciphersuites that Ncat will use when connecting to servers or when accepting SSL connections from clients. The syntax is described in the OpenSSL ciphers(1) man page, and defaults to ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5:@STRENGTH
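
An added example, not part of the Ncat documentation: a shell script that expands a --ssl-ciphers string with `openssl ciphers -v` and counts the suites a reviewer would want gone. The `STRICT` list and the function names are hypothetical, and it assumes the `openssl` binary on PATH matches the library Ncat is linked against.

```shell
#!/bin/sh
# Added example: audit a candidate --ssl-ciphers string before giving it to Ncat.
# Assumption: the `openssl` on PATH is the same build Ncat is linked against.

# Ncat's documented default cipher string.
NCAT_DEFAULT='ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MD5:@STRENGTH'
# Hypothetical tighter list for illustration: forward-secret AEAD suites only.
STRICT='ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:@STRENGTH'

# expand_ciphers LIST: one suite per line (name, protocol, Kx, Au, Enc, Mac).
# Prints nothing if openssl is missing or the string matches no suite.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# count_matching LIST REGEX: number of expanded suites whose line matches REGEX.
count_matching() {
    expand_ciphers "$1" | awk -v re="$2" '$0 ~ re { n++ } END { print n + 0 }'
}

# audit_ciphers LIST: one-line summary of properties a reviewer cares about.
#   anon_auth  = no server authentication (aNULL)
#   null_enc   = no encryption (eNULL)
#   static_rsa = RSA key exchange, i.e. no forward secrecy
#   sha1_mac   = non-AEAD suites using HMAC-SHA1
audit_ciphers() {
    printf 'total=%s anon_auth=%s null_enc=%s rc4=%s md5=%s static_rsa=%s sha1_mac=%s\n' \
        "$(count_matching "$1" '.')" \
        "$(count_matching "$1" 'Au=None')" \
        "$(count_matching "$1" 'Enc=None')" \
        "$(count_matching "$1" 'Enc=RC4')" \
        "$(count_matching "$1" 'Mac=MD5')" \
        "$(count_matching "$1" 'Kx=RSA ')" \
        "$(count_matching "$1" 'Mac=SHA1')"
}

printf 'default: '; audit_ciphers "$NCAT_DEFAULT"
printf 'strict:  '; audit_ciphers "$STRICT"
```

A nonzero static_rsa or sha1_mac count for the default string means suites without forward secrecy or with SHA-1 MACs are still permitted on that OpenSSL build.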

--ssl-servername <name> (Request distinct server name)

In client mode, this option sets the TLS SNI (Server Name Indication) extension, which tells the server the name of the logical server Ncat is contacting. This is important when the target server hosts multiple virtual servers at a single underlying network address. If the option is not provided, the TLS SNI extension will be populated with the target server hostname.

--ssl-alpn <ALPN list> (Specify ALPN protocol list)

This option allows you to specify a comma-separated list of protocols to send via the Application-Layer Protocol Negotiation (ALPN) TLS extension. Not supported by all versions of OpenSSL.
