Quick ?s
Cheat Sheets
Man Pages
The Lynx
NMAP(1) 		     Nmap Reference Guide		       NMAP(1)

       nmap - Network exploration tool and security / port scanner

       nmap [Scan Type...] [Options] {target specification}

       Nmap (Network Mapper) is an open source tool for network exploration
       and security auditing. It was designed to rapidly scan large networks,
       although it works fine against single hosts. Nmap uses raw IP packets
       in novel ways to determine what hosts are available on the network,
       what services (application name and version) those hosts are offering,
       what operating systems (and OS versions) they are running, what type of
       packet filters/firewalls are in use, and dozens of other
       characteristics. While Nmap is commonly used for security audits, many
       systems and network administrators find it useful for routine tasks
       such as network inventory, managing service upgrade schedules, and
       monitoring host or service uptime.

       The output from Nmap is a list of scanned targets, with supplemental
       information on each depending on the options used. Key among that
       information is the interesting ports table. That table lists the port
       number and protocol, service name, and state. The state is either open,
       filtered, closed, or unfiltered. Open means that an application on the
       target machine is listening for connections/packets on that port.
       Filtered means that a firewall, filter, or other network obstacle is
       blocking the port so that Nmap cannot tell whether it is open or
       closed.	Closed ports have no application listening on them, though
       they could open up at any time. Ports are classified as unfiltered when
       they are responsive to Nmaps probes, but Nmap cannot determine whether
       they are open or closed. Nmap reports the state combinations
       open|filtered and closed|filtered when it cannot determine which of the
       two states describe a port. The port table may also include software
       version details when version detection has been requested. When an IP
       protocol scan is requested (-sO), Nmap provides information on
       supported IP protocols rather than listening ports.

       In addition to the interesting ports table, Nmap can provide further
       information on targets, including reverse DNS names, operating system
       guesses, device types, and MAC addresses.

       A typical Nmap scan is shown in Example 13.1, A representative Nmap
       scan. The only Nmap arguments used in this example are -A, to enable
       OS and version detection, -T4 for faster execution, and then the two
       target hostnames.  Example 13.1. A representative Nmap scan.sp
       # nmap -A -T4 scanme.nmap.org playground

       Starting nmap ( http://www.insecure.org/nmap/ )
       Interesting ports on scanme.nmap.org (
       (The 1663 ports scanned but not shown below are in state: filtered)
       22/tcp  open   ssh     OpenSSH 3.9p1 (protocol 1.99)
       53/tcp  open   domain
       70/tcp  closed gopher
       80/tcp  open   http    Apache httpd 2.0.52 ((Fedora))
       113/tcp closed auth
       Device type: general purpose
       Running: Linux 2.4.X|2.5.X|2.6.X
       OS details: Linux 2.4.7 - 2.6.11, Linux 2.6.0 - 2.6.11
       Uptime 33.908 days (since Thu Jul 21 03:38:03 2005)

       Interesting ports on playground.nmap.org (
       (The 1659 ports scanned but not shown below are in state: closed)
       135/tcp	open  msrpc	    Microsoft Windows RPC
       139/tcp	open  netbios-ssn
       389/tcp	open  ldap?
       445/tcp	open  microsoft-ds  Microsoft Windows XP microsoft-ds
       1002/tcp open  windows-icfw?
       1025/tcp open  msrpc	    Microsoft Windows RPC
       1720/tcp open  H.323/Q.931   CompTek AquaGateKeeper
       5800/tcp open  vnc-http	    RealVNC 4.0 (Resolution 400x250; VNC TCP port: 5900)
       5900/tcp open  vnc	    VNC (protocol 3.8)
       MAC Address: 00:A0:CC:63:85:4B (Lite-on Communications)
       Device type: general purpose
       Running: Microsoft Windows NT/2K/XP
       OS details: Microsoft Windows XP Pro RC1+ through final release
       Service Info: OSs: Windows, Windows XP

       Nmap finished: 2 IP addresses (2 hosts up) scanned in 88.392 seconds

       The newest version of Nmap can be obtained from
       http://www.insecure.org/nmap/. The newest version of the man page is
       available from http://www.insecure.org/nmap/man/.

       This options summary is printed when Nmap is run with no arguments, and
       the latest version is always available at
       http://www.insecure.org/nmap/data/nmap.usage.txt. It helps people
       remember the most common options, but is no substitute for the in-depth
       documentation in the rest of this manual. Some obscure options arent
       even included here.

       Usage: nmap [Scan Type(s)] [Options] {target specification}
	 Can pass hostnames, IP addresses, networks, etc.
	 Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
	 -iL : Input from list of hosts/networks
	 -iR : Choose random targets
	 --exclude : Exclude hosts/networks
	 --excludefile : Exclude list from file
	 -sL: List Scan - simply list targets to scan
	 -sP: Ping Scan - go no further than determining if host is online
	 -P0: Treat all hosts as online -- skip host discovery
	 -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
	 -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
	 -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
	 --dns-servers : Specify custom DNS servers
	 --system-dns: Use OSs DNS resolver
	 -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
	 -sN/sF/sX: TCP Null, FIN, and Xmas scans
	 --scanflags : Customize TCP scan flags
	 -sI : Idlescan
	 -sO: IP protocol scan
	 -b : FTP bounce scan
	 -p : Only scan specified ports
	   Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
	 -F: Fast - Scan only the ports listed in the nmap-services file)
	 -r: Scan ports consecutively - dont randomize
	 -sV: Probe open ports to determine service/version info
	 --version-intensity : Set from 0 (light) to 9 (try all probes)
	 --version-light: Limit to most likely probes (intensity 2)
	 --version-all: Try every single probe (intensity 9)
	 --version-trace: Show detailed version scan activity (for debugging)
	 -O: Enable OS detection
	 --osscan-limit: Limit OS detection to promising targets
	 --osscan-guess: Guess OS more aggressively
	 Options which take 

Yals.net is © 1999-2009 Crescendo Communications
Sharing tech info on the web for more than a decade!
This page was generated Thu Apr 30 17:05:20 2009