Home page logo
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

Nmap Network Scanning

Nmap Network Scanning

The Official Nmap Project Guide to Network Discovery and Security Scanning

Gordon “Fyodor” Lyon

Book URL: http://nmap.org/book/
ISBN: 978-0-9799587-1-7
ISBN-10: 0-9799587-1-7

Copyright © 2011 by Insecure.Com LLC. All rights reserved, except where noted.

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

This free Web edition contains only about half of the content available in the complete book.

Table of Contents

Intended Audience and Organization
Other Resources
Request for Comments
Technology Used to Create This Book
TCP/IP Reference
1. Getting Started with Nmap
Nmap Overview and Demonstration
Avatar Online
Saving the Human Race
MadHat in Wonderland
The Phases of an Nmap Scan
Legal Issues
Is Unauthorized Port Scanning a Crime?
Can Port Scanning Crash the Target Computer/Networks?
Nmap Copyright
The History and Future of Nmap
The History of Nmap
The Future of Nmap
2. Obtaining, Compiling, Installing, and Removing Nmap
Testing Whether Nmap is Already Installed
Command-line and Graphical Interfaces
Downloading Nmap
Verifying the Integrity of Nmap Downloads
Obtaining Nmap from the Subversion (SVN) Repository
Linux/Unix Compilation and Installation from Source Code
Configure Directives
Environment Variables
If You Encounter Compilation Problems
Linux Distributions
RPM-based Distributions (Red Hat, Mandrake, SUSE, Fedora)
Updating Red Hat, Fedora, Mandrake, and Yellow Dog Linux with Yum
Debian Linux and Derivatives such as Ubuntu
Other Linux Distributions
Windows Self-installer
Command-line Zip Binaries
Installing the Nmap zip binaries
Compile from Source Code
Executing Nmap on Windows
Apple Mac OS X
Executable Installer
Compile from Source Code
Compile Nmap from source code
Compile Zenmap from source code
Third-party Packages
Executing Nmap on Mac OS X
Other Platforms (BSD, Solaris, AIX, AmigaOS)
FreeBSD / OpenBSD / NetBSD
OpenBSD Binary Packages and Source Ports Instructions
FreeBSD Binary Package and Source Ports Instructions
NetBSD Binary Package Instructions
Oracle/Sun Solaris
Other proprietary UNIX (HP-UX, IRIX, etc.)
Removing Nmap
3. Host Discovery (Ping Scanning)
4. Port Scanning Overview
5. Port Scanning Techniques and Algorithms
A Few Blank Sections
Idle Scan Implementation Algorithms
Round Trip Time Estimation
IP Protocol Scan (-sO)
Disambiguating Open from Filtered UDP Ports
Adaptive Retransmission
TCP Idle Scan (-sI)
Idle Scan Step by Step
Finding a Working Idle Scan Zombie Host
Executing an Idle Scan
Idle Scan Implementation Algorithms
6. Optimizing Nmap Performance
7. Service and Application Version Detection
Usage and Examples
Technique Described
Cheats and Fallbacks
Probe Selection and Rarity
Technique Demonstrated
Nmap Scripting Engine Integration
RPC Grinding
SSL Post-processor Notes
nmap-service-probes File Format
Exclude Directive
Probe Directive
match Directive
softmatch Directive
ports and sslports Directives
totalwaitms Directive
tcpwrappedms Directive
rarity Directive
fallback Directive
Putting It All Together
Community Contributions
Submit Service Fingerprints
Submit Database Corrections
Submit New Probes
SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection
SOLUTION: Find All Servers Running an Insecure or Nonstandard Application Version
8. Remote OS Detection
Reasons for OS Detection
Determining vulnerability of target hosts
Tailoring exploits
Network inventory and support
Detecting unauthorized and dangerous devices
Social engineering
Usage and Examples
TCP/IP Fingerprinting Methods Supported by Nmap
Probes Sent
Sequence generation (SEQ, OPS, WIN, and T1)
ICMP echo (IE)
TCP explicit congestion notification (ECN)
TCP (T2T7)
UDP (U1)
Response Tests
TCP ISN greatest common divisor (GCD)
TCP ISN counter rate (ISR)
TCP ISN sequence predictability index (SP)
IP ID sequence generation algorithm (TI, CI, II)
Shared IP ID sequence Boolean (SS)
TCP timestamp option algorithm (TS)
TCP options (O, O1–O6)
TCP initial window size (W, W1W6)
Responsiveness (R)
IP don't fragment bit (DF)
Don't fragment (ICMP) (DFI)
IP initial time-to-live (T)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)
TCP miscellaneous quirks (Q)
TCP sequence number (S)
TCP acknowledgment number (A)
TCP flags (F)
TCP RST data checksum (RD)
IP total length (IPL)
Unused port unreachable field nonzero (UN)
Returned probe IP total length value (RIPL)
Returned probe IP ID value (RID)
Integrity of returned probe IP checksum value (RIPCK)
Integrity of returned probe UDP checksum (RUCK)
Integrity of returned UDP data (RUD)
ICMP response code (CD)
IPv6 fingerprinting
Probes Sent
Sequence generation (S1S6)
ICMPv6 echo (IE1)
ICMPv6 echo (IE2)
Node Information Query (NI)
Neighbor Solicitation (NS)
UDP (U1)
TCP explicit congestion notification (TECN)
TCP (T2T7)
Feature extraction
List of all features
Differences from IPv4
Fingerprinting Methods Avoided by Nmap
Passive Fingerprinting
Exploit Chronology
Retransmission Times
IP Fragmentation
Open Port Patterns
Retired Tests
Understanding an Nmap Fingerprint
Decoding the Subject Fingerprint Format
Decoding the SCAN line of a subject fingerprint
Decoding the Reference Fingerprint Format
Free-form OS description (Fingerprint line)
Device and OS classification (Class lines)
CPE name (CPE lines)
Test expressions
IPv6 fingerprints
Device Types
OS Matching Algorithms
IPv4 matching
IPv6 matching
Dealing with Misidentified and Unidentified Hosts
When Nmap Guesses Wrong
When Nmap Fails to Find a Match and Prints a Fingerprint
Modifying the nmap-os-db Database Yourself
9. Nmap Scripting Engine
Usage and Examples
Script Categories
Script Types and Phases
Command-line Arguments
Script Selection
Arguments to Scripts
Complete Examples
Script Format
description Field
categories Field
author Field
license Field
dependencies Field
Environment Variables
Script Language
Lua Base Language
NSE Scripts
NSE Libraries
List of All Libraries
Hacking NSE Libraries
Adding C Modules to Nselib
Nmap API
Information Passed to a Script
Network I/O API
Connect-style network I/O
Raw packet network I/O
Structured and Unstructured Output
Exception Handling
The Registry
Script Writing Tutorial
The Head
The Rule
The Action
Writing Script Documentation (NSEDoc)
NSE Documentation Tags
Script Parallelism in NSE
Worker Threads
Condition Variables
Collaborative Multithreading
The base thread
Version Detection Using NSE
Example Script: finger
Implementation Details
Initialization Phase
Script Scanning
10. Detecting and Subverting Firewalls and Intrusion Detection Systems
11. Defenses Against Nmap
12. Zenmap GUI Users' Guide
The Purpose of a Graphical Frontend for Nmap
Scan Aggregation
Interpreting Scan Results
Scan Results Tabs
The Nmap Output tab
The Ports / Hosts tab
The Topology tab
The Host Details tab
The Scans tab
Sorting by Host
Sorting by Service
Saving and Loading Scan Results
The Recent Scans Database
Surfing the Network Topology
An Overview of the Topology Tab
Action controls
Interpolation controls
Layout controls
View controls
Fisheye controls
Keyboard Shortcuts
The Hosts Viewer
The Profile Editor
Editing a Command
Script selection
Creating a New Profile
Editing or Deleting a Profile
Host Filtering
Searching Saved Results
Comparing Results
Zenmap in Your Language
Creating a new translation
Files Used by Zenmap
The nmap Executable
System Configuration Files
Per-user Configuration Files
Output Files
Description of zenmap.conf
Sections of zenmap.conf
Command-line Options
Options Summary
Error Output
13. Nmap Output Formats
Command-line Flags
Controlling Output Type
Controlling Verbosity of Output
Enabling Debugging Output
Enabling Packet Tracing
Resuming Aborted Scans
Interactive Output
Normal Output (-oN)
$crIpT kIddI3 0uTPut (-oS)
XML Output (-oX)
Using XML Output
Manipulating XML Output with Perl
Common Platform Enumeration (CPE)
Structure of a CPE Name
Output to a Database
Creating HTML Reports
Saving a Permanent HTML Report
Grepable Output (-oG)
Grepable Output Fields
Host field
Status field
Ports field
Protocols field
Ignored State field
OS field
Seq Index field
IP ID Seq field
Parsing Grepable Output on the Command Line
14. Understanding and Customizing Nmap Data Files
Well Known Port List: nmap-services
Version Scanning DB: nmap-service-probes
SunRPC Numbers: nmap-rpc
Nmap OS Detection DB: nmap-os-db
UDP payloads: nmap-payloads
MAC Address Vendor Prefixes: nmap-mac-prefixes
IP Protocol Number List: nmap-protocols
Files Related to Scripting
Using Customized Data Files
15. Nmap Reference Guide
Options Summary
Target Specification
Host Discovery
Port Scanning Basics
Port Scanning Techniques
Port Specification and Scan Order
Service and Version Detection
OS Detection
Nmap Scripting Engine (NSE)
Timing and Performance
Firewall/IDS Evasion and Spoofing
Miscellaneous Options
Runtime Interaction
Nmap Book
Legal Notices
Nmap Copyright and Licensing
Creative Commons License for this Nmap Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software and Funding Notices
United States Export Control
16. Ndiff Reference Guide
Options Summary
Periodic Diffs
Exit Code
Web site
17. Ncat Reference Guide
Options Summary
Connect Mode and Listen Mode
Protocol Options
Connect Mode Options
Listen Mode Options
SSL Options
Proxy Options
Command Execution Options
Access Control Options
Timing Options
Output Options
Misc Options
Unix Domain Sockets
Exit Code
Legal Notices
Ncat Copyright and Licensing
Creative Commons License for this Ncat Guide
Source Code Availability and Community Contributions
No Warranty
Inappropriate Usage
Third-Party Software
18. Nping Reference Guide
Options Summary
Target Specification
Option Specification
General Operation
Probe Modes
TCP Connect Mode
TCP Mode
UDP Mode
ICMP Types
ICMP Codes
ARP Mode
ARP Types
IPv4 Options
IPv6 Options
Ethernet Options
Ethernet Types
Payload Options
Echo Mode
Timing and Performance Options
Miscellaneous Options
Output Options
A. Nmap XML Output DTD
The Full DTD

List of Examples

1. A typical Nmap scan
1.1. Nmap list scan against Avatar Online IP addresses
1.2. Nmap results against an AO firewall
1.3. Another interesting AO machine
1.4. nmap-diff typical output
1.5. nmap-report execution
2.1. Checking for Nmap and determining its version number
2.2. Verifying the Nmap and Fyodor PGP Key Fingerprints
2.3. Verifying PGP key fingerprints (Successful)
2.4. Detecting a bogus file
2.5. A typical Nmap release digest file
2.6. Verifying Nmap hashes
2.7. Successful configuration screen
2.8. Installing Nmap from binary RPMs
2.9. Building and installing Nmap from source RPMs
2.10. Installing Nmap from a system Yum repository
5.1. An idle scan against the RIAA
7.1. Simple usage of version detection
7.2. Version detection against www.microsoft.com
7.3. Complex version detection
7.4. NULL probe cheat example output
7.5. Enumerating RPC services with rpcinfo
7.6. Nmap direct RPC scan
7.7. Version scanning through SSL
8.1. OS detection with verbosity (-O -v)
8.2. Using version scan to detect the OS
8.3. A typical subject fingerprint
8.4. A cleaned-up subject fingerprint
8.5. A typical reference fingerprint
8.6. Some typical fingerprint descriptions and corresponding classifications
8.7. Typical CPE classifications
8.8. An IPv6 fingerprint
8.9. A cleaned-up IPv6 fingerprint
8.10. The MatchPoints structure
9.1. Typical NSE output
9.2. Script help
9.3. Connect-style I/O
9.4. Automatic formatting of NSE structured output
9.5. NSE structured output in XML
9.6. Exception handling example
9.7. An NSEDoc comment for a function
9.8. An NSEDoc comment for a module
9.9. An NSEDoc comment for a script
9.10. Worker threads
9.11. Mutex manipulation
9.12. Basic Coroutine Use
9.13. Link Generator
9.14. A typical version detection script (Skype version 2 detection)
13.1. Scanrand output against a local network
13.2. Grepping for verbosity conditionals
13.3. Interactive output without verbosity enabled
13.4. Interactive output with verbosity enabled
13.5. Some representative debugging lines
13.6. Using --packet-trace to detail a ping scan of Scanme
13.7. A typical example of normal output
13.8. A typical example of $crIpt KiDDi3 0utPut
13.9. An example of Nmap XML output
13.10. Nmap XML port elements
13.11. Nmap::Parser sample code
13.12. Nmap::Scanner sample code
13.13. Normal output with CPE highlighted
13.14. A typical example of grepable output
13.15. Ping scan grepable output
13.16. List scan grepable output
13.17. Grepable output for IP protocol scan
13.18. Parsing grepable output on the command line
14.1. Excerpt from nmap-services
14.2. Excerpt from nmap-service-probes
14.3. Excerpt from nmap-rpc
14.4. Excerpt from nmap-os-db
14.5. Excerpt from nmap-payloads
14.6. Excerpt from nmap-mac-prefixes
14.7. Excerpt from nmap-protocols
15.1. A representative Nmap scan
16.1. Ndiff text output
16.2. Ndiff XML output
16.3. Scanning a network periodically with Ndiff and cron
18.1. A representative Nping execution
18.2. Discovering NAT devices
18.3. Discovering a transparent proxy
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]