2007-01-26 - Nmap Quick Options Guide (Professor Messer)
Page Count: 2
Professor Messer’s Quick Reference Guide to

NMAP

SCAN OPTION SUMMARY

Scan Name                 Command Syntax   Requires Privileged Access   Identifies TCP Ports   Identifies UDP Ports
TCP SYN Scan              -sS              YES                          YES                    NO
TCP connect() Scan        -sT              NO                           YES                    NO
FIN Stealth Scan          -sF              YES                          YES                    NO
Xmas Tree Stealth Scan    -sX              YES                          YES                    NO
Null Stealth Scan         -sN              YES                          YES                    NO
Ping Scan                 -sP              NO                           NO                     NO
Version Detection         -sV              NO                           NO                     NO
UDP Scan                  -sU              YES                          NO                     YES
IP Protocol Scan          -sO              YES                          NO                     NO
ACK Scan                  -sA              YES                          YES                    NO
Window Scan               -sW              YES                          YES                    NO
RPC Scan                  -sR              NO                           NO                     NO
List Scan                 -sL              NO                           NO                     NO
Idlescan                  -sI              YES                          YES                    NO
FTP Bounce Attack         -b               NO                           YES                    NO

PING OPTIONS

ICMP Echo Request Ping    -PE, -PI
TCP ACK Ping              -PA[portlist], -PT[portlist]
TCP SYN Ping              -PS[portlist]
UDP Ping                  -PU[portlist]
ICMP Timestamp Ping       -PP
ICMP Address Mask Ping    -PM
Don’t Ping                -P0, -PN, -PD
Require Reverse DNS       -R
Disable Reverse DNS       -n
Specify DNS Servers       --dns-servers

REAL-TIME INFORMATION OPTIONS

Verbose Mode              --verbose, -v
Version Trace             --version-trace
Packet Trace              --packet-trace
Debug Mode                --debug, -d
Interactive Mode          --interactive
Noninteractive Mode       --noninteractive

OPERATING SYSTEM FINGERPRINTING

OS Fingerprinting                     -O
Limit System Scanning                 --osscan-limit
More Guessing Flexibility             --osscan-guess, --fuzzy
Additional, Advanced, and Aggressive  -A

HOST AND PORT OPTIONS

Exclude Targets                       --exclude
Exclude Targets in File               --excludefile
Read Targets from File                -iL
Pick Random Numbers for Targets       -iR
Randomize Hosts                       --randomize_hosts, -rH
No Random Ports                       -r
Don’t Exclude Any Ports               --allports
Source Port                           --source-port
Specify Protocol or Port Numbers      -p
Fast Scan Mode                        -F
Create Decoys                         -D
Source Address                        -S
Interface                             -e
List Interfaces                       --iflist

VERSION DETECTION

Version Scan                          -sV
Set Version Intensity                 --version-intensity
Enable Version Scanning Light         --version-light
Enable Version Scan All               --version-all

RUN-TIME INTERACTIONS

Display Run-Time Help                 ?
Increase / Decrease Verbosity         v / V
Increase / Decrease Debugging         d / D
Increase / Decrease Packet Tracing    p / P
Print Status                          Any Other Key

TUNING AND TIMING OPTIONS

Time to Live                          --ttl
Use Fragmented IP Packets             -f, -ff
Maximum Transmission Unit             --mtu
Data Length                           --data-length
Host Timeout                          --host-timeout
Initial Round Trip Timeout            --initial-rtt-timeout
Minimum Round Trip Timeout            --min-rtt-timeout
Maximum Round Trip Timeout            --max-rtt-timeout
Maximum Parallel Hosts per Scan       --max-hostgroup
Minimum Parallel Hosts per Scan       --min-hostgroup
Maximum Parallel Port Scans           --max-parallelism
Minimum Parallel Port Scans           --min-parallelism
Minimum Delay Between Probes          --scan-delay
Maximum Delay Between Probes          --max-scan-delay
Timing Policies                       --timing, -T<0|1|2|3|4|5>

LOGGING OPTIONS

Normal Format                         -oN
XML Format                            -oX
Grepable Format                       -oG
All Formats                           -oA
Script Kiddie Format                  -oS
Resume Scan                           --resume
Append Output                         --append-output

MISCELLANEOUS OPTIONS

Quick Reference Screen                --help, -h
Nmap Version                          --version, -V
Data Directory                        --datadir
Quash Argument Vector                 -q
Define Custom Scan Flags              --scanflags
(Uriel) Maimon Scan                   -sM
IPv6 Support                          -6
Send Bad TCP or UDP Checksum          --badsum

http://www.ProfessorMesser.com
SNC-201

Copyright © 2007 Professor Messer, LLC, All Rights Reserved

Identifying Open Ports with Nmap

[Page 2 is a set of packet-exchange diagrams, one per scan type; only the diagram titles survive extraction:]
TCP SYN SCAN (-sS)
TCP connect() SCAN (-sT)
TCP FIN SCAN (-sF)
TCP XMAS TREE SCAN (-sX)
TCP NULL SCAN (-sN)
TCP PING SCAN (-sP)
VERSION DETECTION SCAN (-sV)
UDP SCAN (-sU)
IP PROTOCOL SCAN (-sO)
TCP ACK SCAN (-sA)
TCP WINDOW SCAN (-sW)

Version scan identifies open ports with a TCP SYN scan, and then queries each open port with a customized signature.

IDLESCAN (-sI)
Step 1: Nmap sends a SYN/ACK to the zombie workstation to induce an RST in return. This RST frame contains the initial IPID, which Nmap remembers for later.

Step 2: Nmap sends a SYN frame to the destination address, but spoofs the source IP address so that the SYN frame appears to come from the zombie workstation.

Step 3: Nmap repeats the original SYN/ACK probe of the zombie station. If the IPID has incremented, the port targeted by the spoofed SYN frame is open on the destination device.
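The three steps above hinge on one property of the zombie: an IP ID field that increments by exactly one per packet sent. The in-memory simulation below is an added example, not code from the guide or from Nmap; it models the zombie, the destination and the scanner's inference so the IPID arithmetic can be traced without any packets, and it goes one step beyond the text by also modelling a zombie that randomizes its IP ID, which is the mitigation that makes the inference fail. All hosts, port numbers and the starting IP ID are constructed.

```python
import random

# Added simulation (not from the guide): models the three idle scan steps
# in memory so the IP ID inference can be watched without sending a
# packet. Host objects, port numbers and the IP ID start value are
# constructed for the example.


class Zombie:
    """The zombie's IP ID behaviour. A sequential counter leaks how many
    packets the host has sent; a randomized field leaks nothing."""

    def __init__(self, start=1000, rng=None):
        self._next = start
        self._rng = rng          # None => sequential, else random IP IDs

    def send(self):
        """IP ID stamped on the next packet the zombie transmits."""
        if self._rng is not None:
            return self._rng.randrange(0, 65536)
        ipid = self._next
        self._next = (self._next + 1) & 0xFFFF
        return ipid


def randomized_zombie(seed=7):
    """Zombie whose IP ID field is unpredictable (the defence against this
    scan); seeded only so the simulation is repeatable."""
    return Zombie(rng=random.Random(seed))


class Target:
    """The destination host; only its port table matters here."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port, apparent_source):
        # Open port: the target answers SYN/ACK to the apparent source (the
        # zombie), which never started this connection and replies RST,
        # consuming one IP ID. Closed port: the target answers RST, which
        # the zombie silently drops, so no IP ID is consumed.
        if port in self.open_ports:
            apparent_source.send()


def probe_zombie(zombie):
    """Step 1 and step 3: a SYN/ACK to the zombie draws an RST whose IP ID
    the scanner records."""
    return zombie.send()


def infer_port_state(zombie, target, port):
    """Run steps 1-3 for one port and classify it from the IP ID delta."""
    before = probe_zombie(zombie)        # step 1: baseline IP ID
    target.receive_syn(port, zombie)     # step 2: SYN with zombie's address
    after = probe_zombie(zombie)         # step 3: re-probe the zombie
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed"    # only the zombie's reply to our probe in between
    if delta == 2:
        return "open"      # one extra RST: the zombie answered the target
    return "unknown"       # no usable sequence (randomized or busy zombie)


def idle_scan(zombie, target, ports):
    """Classify each port; returns {port: state}."""
    return {p: infer_port_state(zombie, target, p) for p in ports}


if __name__ == "__main__":
    target = Target(open_ports={22, 80})
    ports = [22, 25, 80, 443]

    # Zombie with a sequential IP ID counter: the inference works.
    print(idle_scan(Zombie(start=1000), target, ports))
    # Zombie that randomizes IP IDs: every port comes back unknown.
    print(idle_scan(randomized_zombie(), target, ports))
```

The "unknown" branch is also what a real scanner sees when the zombie is busy with other traffic, since any extra packet it sends adds to the delta; a host that randomizes IP IDs, or that is never idle, is therefore unusable as a zombie, which is why enabling IP ID randomization on exposed hosts is the standard mitigation. Note that several flag spellings on this 2007 card have since been renamed in Nmap (-sP is now -sn, -P0 is -Pn), while -sI remains the idle scan option.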

FTP BOUNCE ATTACK (-b)
For a closed port, the FTP server informs the source station that it can’t build the connection.

For an open port, the transfer completes over the specified connection.


