
Nmap Network Scanning

The Official Nmap Project Guide to Network Discovery and Security Scanning

Gordon “Fyodor” Lyon

Book URL: http://nmap.org/book/
ISBN: 978-0-9799587-1-7
ISBN-10: 0-9799587-1-7

Copyright © 2011 by Insecure.Com LLC. All rights reserved, except where noted.

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

Table of Contents

Intended Audience and Organization
Other Resources
Request for Comments
Technology Used to Create This Book
TCP/IP Reference
1. Getting Started with Nmap
Nmap Overview and Demonstration
Avatar Online
Saving the Human Race
MadHat in Wonderland
The Phases of an Nmap Scan
Legal Issues
Is Unauthorized Port Scanning a Crime?
Can Port Scanning Crash the Target Computer/Networks?
Nmap Copyright
The History and Future of Nmap
The History of Nmap
The Future of Nmap
2. Obtaining, Compiling, Installing, and Removing Nmap
Testing Whether Nmap is Already Installed
Command-line and Graphical Interfaces
Downloading Nmap
Verifying the Integrity of Nmap Downloads
Obtaining Nmap from the Subversion (SVN) Repository
Linux/Unix Compilation and Installation from Source Code
Configure Directives
Environment Variables
If You Encounter Compilation Problems
Linux Distributions
RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Debian Linux and Derivatives such as Ubuntu
Other Linux Distributions
Windows Self-installer
Command-line Zip Binaries
Installing the Nmap zip binaries
Compile from Source Code
Executing Nmap on Windows
Apple Mac OS X
Executable Installer
Compile from Source Code
Compile Nmap from source code
Compile Zenmap from source code
Third-party Packages
Executing Nmap on Mac OS X
Other Platforms (BSD, Solaris, AIX, AmigaOS)
FreeBSD / OpenBSD / NetBSD
OpenBSD Binary Packages and Source Ports Instructions
FreeBSD Binary Package and Source Ports Instructions
NetBSD Binary Package Instructions
Oracle/Sun Solaris
Other proprietary UNIX (HP-UX, IRIX, etc.)
Removing Nmap
3. Host Discovery (Ping Scanning)
Specifying Target Hosts and Networks
Input From List (-iL)
Choose Targets at Random (-iR <numtargets>)
Excluding Targets (--exclude, --excludefile <filename>)
Practical Examples
Finding an Organization's IP Addresses
DNS Tricks
Whois Queries Against IP Registries
Internet Routing Information
DNS Resolution
Host Discovery Controls
List Scan (-sL)
Disable Port Scan (-sn)
Disable Ping (-Pn)
Host Discovery Techniques
TCP SYN Ping (-PS<port list>)
TCP ACK Ping (-PA<port list>)
UDP Ping (-PU<port list>)
ICMP Ping Types (-PE, -PP, and -PM)
IP Protocol Ping (-PO<protocol list>)
ARP Scan (-PR)
Default Combination
Putting It All Together: Host Discovery Strategies
Related Options
Choosing and Combining Ping Options
Most valuable probes
TCP probe and port selection
UDP port selection
ICMP probe selection
Designing the ideal combinations of probes
Host Discovery Code Algorithms
4. Port Scanning Overview
Introduction to Port Scanning
What Exactly is a Port?
What Are the Most Popular Ports?
What is Port Scanning?
Why Scan Ports?
A Quick Port Scanning Tutorial
Command-line Flags
Selecting Scan Techniques
Selecting Ports to Scan
Timing-related Options
Output Format and Verbosity Options
Firewall and IDS Evasion Options
Specifying Targets
Miscellaneous Options
IPv6 Scanning (-6)
SOLUTION: Scan a Large Network for a Certain Open TCP Port
See Also
5. Port Scanning Techniques and Algorithms
TCP SYN (Stealth) Scan (-sS)
TCP Connect Scan (-sT)
UDP Scan (-sU)
Distinguishing Open from Filtered UDP Ports
Speeding Up UDP Scans
TCP FIN, NULL, and Xmas Scans (-sF, -sN, -sX)
Custom Scan Types with --scanflags
Custom SYN/FIN Scan
PSH Scan
TCP ACK Scan (-sA)
TCP Window Scan (-sW)
TCP Maimon Scan (-sM)
TCP Idle Scan (-sI)
Idle Scan Step by Step
Finding a Working Idle Scan Zombie Host
Executing an Idle Scan
Idle Scan Implementation Algorithms
IP Protocol Scan (-sO)
TCP FTP Bounce Scan (-b)
Scan Code and Algorithms
Network Condition Monitoring
Host and Port Parallelization
Round Trip Time Estimation
Congestion Control
Timing probes
Inferred Neighbor Times
Adaptive Retransmission
Scan Delay
6. Optimizing Nmap Performance
Scan Time Reduction Techniques
Omit Non-critical Tests
Optimize Timing Parameters
Separate and Optimize UDP Scans
Upgrade Nmap
Execute Concurrent Nmap Instances
Scan From a Favorable Network Location
Increase Available Bandwidth and CPU Time
Coping Strategies for Long Scans
Use a Multi-stage Approach
Estimate and Plan for Scan Time
Port Selection Data and Strategies
Low-Level Timing Controls
Timing Templates (-T)
Scanning 676,352 IP Addresses in 46 Hours
7. Service and Application Version Detection
Usage and Examples
Technique Described
Cheats and Fallbacks
Probe Selection and Rarity
Technique Demonstrated
Nmap Scripting Engine Integration
RPC Grinding
SSL Post-processor Notes
nmap-service-probes File Format
Exclude Directive
Probe Directive
match Directive
softmatch Directive
ports and sslports Directives
totalwaitms Directive
tcpwrappedms Directive
rarity Directive
fallback Directive
Putting It All Together
Community Contributions
Submit Service Fingerprints
Submit Database Corrections
Submit New Probes
SOLUTION: Find All Servers Running an Insecure or Nonstandard Application Version
SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
8. Remote OS Detection
Reasons for OS Detection
Determining vulnerability of target hosts
Tailoring exploits
Network inventory and support
Detecting unauthorized and dangerous devices
Social engineering
Usage and Examples
TCP/IP Fingerprinting Methods Supported by Nmap
Probes Sent
Sequence generation (SEQ, OPS, WIN, and T1)
ICMP echo (IE)
TCP explicit congestion notification (ECN)
TCP (T2–T7)
UDP (U1)
Response Tests
TCP ISN greatest common divisor (GCD)
TCP ISN counter rate (ISR)
TCP ISN sequence predictability index (SP)
IP ID sequence generation algorithm (TI, CI, II)
Shared IP ID sequence Boolean (SS)
TCP timestamp option algorithm (TS)
TCP options (O, O1–O6)
TCP initial window size (W, W1–W6)
Responsiveness (R)
IP don't fragment bit (DF)
Don't fragment (ICMP) (DFI)
IP initial time-to-live (T)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)
TCP miscellaneous quirks (Q)
TCP sequence number (S)
TCP acknowledgment number (A)
TCP flags (F)
TCP RST data checksum (RD)
IP total length (IPL)
Unused port unreachable field nonzero (UN)
Returned probe IP total length value (RIPL)
Returned probe IP ID value (RID)
Integrity of returned probe IP checksum value (RIPCK)
Integrity of returned probe UDP checksum (RUCK)
Integrity of returned UDP data (RUD)
ICMP response code (CD)
IPv6 fingerprinting
Probes Sent
Sequence generation (S1–S6)
ICMPv6 echo (IE1)
ICMPv6 echo (IE2)
Node Information Query (NI)
Neighbor Solicitation (NS)
UDP (U1)
TCP explicit congestion notification (TECN)
TCP (T2–T7)
Feature extraction
List of all features
Differences from IPv4
Fingerprinting Methods Avoided by Nmap
Passive Fingerprinting
Exploit Chronology
Retransmission Times
IP Fragmentation
Open Port Patterns
Retired Tests
Understanding an Nmap Fingerprint
Decoding the Subject Fingerprint Format
Decoding the SCAN line of a subject fingerprint
Decoding the Reference Fingerprint Format
Free-form OS description (Fingerprint line)
Device and OS classification (Class lines)
CPE name (CPE lines)
Test expressions
IPv6 fingerprints
Device Types
OS Matching Algorithms
IPv4 matching
IPv6 matching
Dealing with Misidentified and Unidentified Hosts
When Nmap Guesses Wrong
When Nmap Fails to Find a Match and Prints a Fingerprint
Modifying the nmap-os-db Database Yourself
SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network
WAP Characteristics
9. Nmap Scripting Engine
Usage and Examples
Script Categories
Script Types and Phases
Command-line Arguments
Script Selection
Arguments to Scripts
Complete Examples
Script Format
description Field
categories Field
author Field
license Field
dependencies Field
Environment Variables
Script Language
Lua Base Language
NSE Scripts
NSE Libraries
List of All Libraries
Hacking NSE Libraries
Adding C Modules to Nselib
Nmap API
Information Passed to a Script
Network I/O API
Connect-style network I/O
Raw packet network I/O
Structured and Unstructured Output
Exception Handling
The Registry
Script Writing Tutorial
The Head
The Rule
The Action
Writing Script Documentation (NSEDoc)
NSE Documentation Tags
Script Parallelism in NSE
Worker Threads
Condition Variables
Collaborative Multithreading
The base thread
Version Detection Using NSE
Example Script: finger
Implementation Details
Initialization Phase
Script Scanning
10. Detecting and Subverting Firewalls and Intrusion Detection Systems
Why Would Ethical Professionals (White-hats) Ever Do This?
Determining Firewall Rules
Standard SYN Scan
Sneaky firewalls that return RST
ACK Scan
IP ID Tricks
UDP Version Scanning
Bypassing Firewall Rules
Exotic Scan Flags
Source Port Manipulation
IPv6 Attacks
IP ID Idle Scanning
Multiple Ping Probes
MAC Address Spoofing
Source Routing
FTP Bounce Scan
Take an Alternative Path
A Practical Real-life Example of Firewall Subversion
Subverting Intrusion Detection Systems
Intrusion Detection System Detection
Reverse probes
Sudden firewall changes and suspicious packets
Naming conventions
Unexplained TTL jumps
Avoiding Intrusion Detection Systems
Slow down
Scatter probes across networks rather than scanning hosts consecutively
Fragment packets
Evade specific rules
Avoid easily detected Nmap features
Misleading Intrusion Detection Systems
Port scan spoofing
Idle scan
DNS proxying
DoS Attacks Against Reactive Systems
Exploiting Intrusion Detection Systems
Ignoring Intrusion Detection Systems
Detecting Packet Forgery by Firewall and Intrusion Detection Systems
Look for TTL Consistency
Look for IP ID and Sequence Number Consistency
The Bogus TCP Checksum Trick
Round Trip Times
Close Analysis of Packet Headers and Contents
Unusual Network Uniformity
11. Defenses Against Nmap
Scan Proactively, Then Close or Block Ports and Fix Vulnerabilities
Block and Slow Nmap with Firewalls
Detect Nmap Scans
Clever Trickery
Hiding Services on Obscure Ports
Port Knocking
Honeypots and Honeynets
OS Spoofing
Tar Pits
Reactive Port Scan Detection
Escalating Arms Race
12. Zenmap GUI Users' Guide
The Purpose of a Graphical Frontend for Nmap
Scan Aggregation
Interpreting Scan Results
Scan Results Tabs
The Nmap Output tab
The Ports / Hosts tab
The Topology tab
The Host Details tab
The Scans tab
Sorting by Host
Sorting by Service
Saving and Loading Scan Results
The Recent Scans Database
Surfing the Network Topology
An Overview of the Topology Tab
Action controls
Interpolation controls
Layout controls
View controls
Fisheye controls
Keyboard Shortcuts
The Hosts Viewer
The Profile Editor
Editing a Command
Script selection
Creating a New Profile
Editing or Deleting a Profile
Host Filtering
Searching Saved Results
Comparing Results
Zenmap in Your Language
Creating a new translation
Files Used by Zenmap
The nmap Executable
System Configuration Files
Per-user Configuration Files
Output Files
Description of zenmap.conf
Sections of zenmap.conf
Command-line Options
Options Summary
Error Output
13. Nmap Output Formats
Command-line Flags
Controlling Output Type
Controlling Verbosity of Output
Enabling Debugging Output
Enabling Packet Tracing
Resuming Aborted Scans
Interactive Output
Normal Output (-oN)
$crIpT kIddI3 0uTPut (-oS)
XML Output (-oX)
Using XML Output
Manipulating XML Output with Perl
Common Platform Enumeration (CPE)
Structure of a CPE Name
Output to a Database
Creating HTML Reports
Saving a Permanent HTML Report
Grepable Output (-oG)
Grepable Output Fields
Host field
Status field
Ports field
Protocols field
Ignored State field
OS field
Seq Index field
IP ID Seq field
Parsing Grepable Output on the Command Line
14. Understanding and Customizing Nmap Data Files
Well Known Port List: nmap-services
Version Scanning DB: nmap-service-probes
SunRPC Numbers: nmap-rpc
Nmap OS Detection DB: nmap-os-db
UDP payloads: nmap-payloads
MAC Address Vendor Prefixes: nmap-mac-prefixes
IP Protocol Number List: nmap-protocols
Files Related to Scripting
Using Customized Data Files
15. Nmap Reference Guide
Options Summary
Target Specification
Host Discovery
Port Scanning Basics
Port Scanning Techniques
Port Specification and Scan Order
Service and Version Detection
OS Detection
Nmap Scripting Engine (NSE)
Timing and Performance
Firewall/IDS Evasion and Spoofing
Miscellaneous Options
Runtime Interaction
Nmap Book
Legal Notices
Nmap Copyright and Licensing
Creative Commons License for this Nmap Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software and Funding Notices
United States Export Control
16. Ndiff Reference Guide
Options Summary
Periodic Diffs
Exit Code
Web site
17. Ncat Reference Guide
Options Summary
Connect Mode and Listen Mode
Protocol Options
Connect Mode Options
Listen Mode Options
SSL Options
Proxy Options
Command Execution Options
Access Control Options
Timing Options
Output Options
Misc Options
Unix Domain Sockets
AF_VSOCK Sockets
Exit Code
Legal Notices
Ncat Copyright and Licensing
Creative Commons License for this Ncat Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software
18. Nping Reference Guide
Options Summary
Target Specification
Option Specification
General Operation
Probe Modes
TCP Connect Mode
TCP Mode
UDP Mode
ICMP Types
ICMP Codes
ARP Mode
ARP Types
IPv4 Options
IPv6 Options
Ethernet Options
Ethernet Types
Payload Options
Echo Mode
Timing and Performance Options
Miscellaneous Options
Output Options
A. Nmap XML Output DTD
The Full DTD

List of Figures

1. IPv4 header
2. TCP header
3. UDP header
4. ICMP header
1.1. Trinity begins her assault
1.2. Trinity scans the Matrix
1.3. Strong opinions on port scanning legality and morality
2.1. Executing Nmap from a Windows command shell
2.2. Apple Gatekeeper block screen
2.3. Apple Gatekeeper Open menu
2.4. Apple Gatekeeper Open screen
3.1. A business card explains everything
3.2. Netcraft finds 36 Target web servers
5.1. ICMPv4 destination unreachable header layout
5.2. SYN scan of open port 22
5.3. SYN scan of closed port 113
5.4. SYN scan of filtered port 139
5.5. Connect scan of open port 22
5.6. Idle scan of an open port
5.7. Idle scan of a closed port
5.8. Idle scan of a filtered port
5.9. Congestion window and threshold
5.10. Scan rate as affected by scan delay
8.1. ICMP echo request or reply header layout
8.2. ICMP destination unreachable header layout
10.1. BlackICE discovers an unusual intruder
10.2. An attacker masked by dozens of decoys
12.1. Typical Zenmap screen shot
12.2. Zenmap's main window
12.3. Target and profile selection
12.4. Host selection
12.5. OS icons
12.6. Service selection
12.7. Grouping a host's children
12.8. Highlighting regions of the topology
12.9. Choosing a profile
12.10. The profile editor
12.11. The Scripting profile editor tab
12.12. Host filter
12.13. The search dialog
12.14. Keyword search
12.15. Expressions search
12.16. Comparison tool
12.17. Comparison output
12.18. Zenmap in German
12.19. Setting the LANG environment variable on Windows XP
12.20. Setting the LANG environment variable on Mac OS X
13.1. HTML from XML output in a web browser

List of Examples

1. A typical Nmap scan
1.1. Nmap list scan against Avatar Online IP addresses
1.2. Nmap results against an AO firewall
1.3. Another interesting AO machine
1.4. nmap-diff typical output
1.5. nmap-report execution
2.1. Checking for Nmap and determining its version number
2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
2.3. Verifying PGP key fingerprints (Successful)
2.4. Detecting a bogus file
2.5. A typical Nmap release digest file
2.6. Verifying Nmap hashes
2.7. Successful configuration screen
2.8. Installing Nmap from binary RPMs
2.9. Building and installing Nmap from source RPMs
2.10. Installing Nmap from a system Yum repository
3.1. Using the host command to query common DNS record types
3.2. Zone transfer failure and success
3.3. Nmap reverse-DNS and traceroute scan against www.target.com
3.4. Using whois to find owner of www.target.com IP address
3.5. Using whois to find netblock containing
3.6. Enumerating hosts surrounding www.stanford.edu with list scan
3.7. Discovering hosts surrounding www.lwn.net with a ping scan
3.8. Attempts to ping popular Internet hosts
3.9. Retry host discovery using port 80 SYN probes
3.10. Attempted ACK ping against Microsoft
3.11. Raw IP ping scan of an offline target
3.12. ARP ping scan of an offline target
3.13. Generating 50,000 IP addresses, then ping scanning with default options
3.14. Repeating ping scan with extra probes
4.1. Viewing and increasing the ephemeral port range on Linux
4.2. Simple scan: nmap scanme.nmap.org
4.3. More complex: nmap -p0- -v -A -T4 scanme.nmap.org
4.4. A simple IPv6 scan
4.5. Discovering Playboy's IP space
4.6. Pinging Playboy's web server for a latency estimate
4.7. Digging through Playboy's DNS records
4.8. Pinging the MX servers
4.9. TCP pinging the MX servers
4.10. Launching the scan
4.11. Egrep for open ports
5.1. A SYN scan showing three port states
5.2. Using --packet-trace to understand a SYN scan
5.3. Connect scan example
5.4. UDP scan example
5.5. UDP scan example
5.6. Improving Felix's UDP scan results with version detection
5.7. Improving Scanme's UDP scan results with version detection
5.8. Attempting to disambiguate UDP ports with TTL discrepancies
5.9. Optimizing UDP Scan Time
5.10. Example FIN and Xmas scans
5.11. SYN scan of Docsrv
5.12. FIN scan of Docsrv
5.13. A SYN/FIN scan of Google
5.14. A custom PSH scan
5.15. A typical ACK Scan
5.16. An ACK scan of Docsrv
5.17. Window scan of docsrv.caldera.com
5.18. A failed Maimon scan
5.19. An idle scan against the RIAA
5.20. IP protocol scan of a router and a typical Linux 2.4 box
5.21. Attempting an FTP bounce scan
5.22. Successful FTP bounce scan
6.1. Bandwidth usage over local 100 Mbps ethernet network
6.2. Estimating scan time
7.1. Simple usage of version detection
7.2. Version detection against www.microsoft.com
7.3. Complex version detection
7.4. NULL probe cheat example output
7.5. Enumerating RPC services with rpcinfo
7.6. Nmap direct RPC scan
7.7. Version scanning through SSL
8.1. OS detection with verbosity (-O -v)
8.2. Using version scan to detect the OS
8.3. A typical subject fingerprint
8.4. A cleaned-up subject fingerprint
8.5. A typical reference fingerprint
8.6. Some typical fingerprint descriptions and corresponding classifications
8.7. Typical CPE classifications
8.8. An IPv6 fingerprint
8.9. A cleaned-up IPv6 fingerprint
8.10. The MatchPoints structure
8.11. Scan results against a consumer WAP
9.1. Typical NSE output
9.2. Script help
9.3. Connect-style I/O
9.4. Automatic formatting of NSE structured output
9.5. NSE structured output in XML
9.6. Exception handling example
9.7. An NSEDoc comment for a function
9.8. An NSEDoc comment for a module
9.9. An NSEDoc comment for a script
9.10. Worker threads
9.11. Mutex manipulation
9.12. Basic Coroutine Use
9.13. Link Generator
9.14. A typical version detection script (Skype version 2 detection)
10.1. Detection of closed and filtered TCP ports
10.2. ACK scan against Scanme
10.3. Contrasting SYN and ACK scans against Para
10.4. UDP scan against firewalled host
10.5. UDP version scan against firewalled host
10.6. FIN scan against stateless firewall
10.7. Bypassing Windows IPsec filter using source port 88
10.8. Comparing IPv4 and IPv6 scans
10.9. Exploiting a printer with the FTP bounce scan
10.10. Some interesting hosts and networks at Megacorp
10.11. Ping scan against the target network
10.12. Packet trace against a single IP
10.13. Testing an idle scan
10.14. Testing source routing
10.15. Success at last
10.16. Host names can be deceiving
10.17. Noting TTL gaps with traceroute
10.18. Using the IP record route option
10.19. Slow scan to bypass the default Snort 2.2.0 Flow-portscan fixed time scan detection method
10.20. Default Snort rules referencing Nmap
10.21. Using DNS Proxies (Recursive DNS) for a Stealth List Scan of SecurityFocus
10.22. Detection of closed and filtered TCP ports
10.23. Testing IP ID sequence number consistency
10.24. Finding a firewall with bad TCP checksums
11.1. An all-TCP-port version scan
11.2. Deceiving Nmap with IP Personality
13.1. Scanrand output against a local network
13.2. Grepping for verbosity conditionals
13.3. Interactive output without verbosity enabled
13.4. Interactive output with verbosity enabled
13.5. Some representative debugging lines
13.6. Using --packet-trace to detail a ping scan of Scanme
13.7. A typical example of normal output
13.8. A typical example of $crIpt KiDDi3 0utPut
13.9. An example of Nmap XML output
13.10. Nmap XML port elements
13.11. Nmap::Parser sample code
13.12. Nmap::Scanner sample code
13.13. Normal output with CPE highlighted
13.14. A typical example of grepable output
13.15. Ping scan grepable output
13.16. List scan grepable output
13.17. Grepable output for IP protocol scan
13.18. Parsing grepable output on the command line
14.1. Excerpt from nmap-services
14.2. Excerpt from nmap-service-probes
14.3. Excerpt from nmap-rpc
14.4. Excerpt from nmap-os-db
14.5. Excerpt from nmap-payloads
14.6. Excerpt from nmap-mac-prefixes
14.7. Excerpt from nmap-protocols
15.1. A representative Nmap scan
16.1. Ndiff text output
16.2. Ndiff XML output
16.3. Scanning a network periodically with Ndiff and cron
18.1. A representative Nping execution
18.2. Discovering NAT devices
18.3. Discovering a transparent proxy