Nmap Quick Reference Guide

Professor Messer's Quick Reference Guide to NMAP
SCAN OPTION SUMMARY

Command   Scan Name                  Identifies   Identifies   Requires
Syntax                               TCP Ports    UDP Ports    Privileged Access
-sS       TCP SYN Scan               YES          NO           YES
-sT       TCP connect() Scan         YES          NO           NO
-sF       FIN Stealth Scan           YES          NO           YES
-sX       Xmas Tree Stealth Scan     YES          NO           YES
-sN       Null Stealth Scan          YES          NO           YES
-sP       Ping Scan                  NO           NO           NO
-sV       Version Detection          YES          YES          NO
-sU       UDP Scan                   NO           YES          YES
-sO       IP Protocol Scan           NO           NO           YES
-sA       ACK Scan                   YES          NO           YES
-sW       Window Scan                YES          NO           YES
-sR       RPC Scan                   YES          YES          NO
-sL       List Scan                  NO           NO           NO
-sI       Idlescan                   YES          NO           YES
-b        FTP Bounce Attack          YES          NO           NO

Notes on the table:
"Requires Privileged Access" means the scan needs raw-socket access (root on Unix, Administrator plus a packet capture driver on Windows). Run unprivileged, nmap falls back to a connect() scan (-sT) for the port scan.
-sA does not report open/closed at all; it classifies ports as filtered or unfiltered, which is useful for mapping firewall rules. -sF, -sX and -sN cannot distinguish open from filtered (open|filtered), and only work against stacks that follow RFC 793.
Later Nmap releases renamed -sP to -sn and -P0/-PN to -Pn; RPC grinding (-sR) was folded into version detection (-sV).

PING OPTIONS

ICMP Echo Request Ping               -PE, -PI
TCP ACK Ping                         -PA[portlist], -PT[portlist]
TCP SYN Ping                         -PS[portlist]
UDP Ping                             -PU[portlist]
ICMP Timestamp Ping                  -PP
ICMP Address Mask Ping               -PM
Don't Ping                           -P0, -PN, -PD
Require Reverse DNS                  -R
Disable Reverse DNS                  -n
Specify DNS Servers                  --dns-servers <server1[,server2]...>

REAL-TIME INFORMATION OPTIONS

Verbose Mode                         --verbose, -v
Version Trace                        --version-trace
Packet Trace                         --packet-trace
Debug Mode                           --debug, -d
Interactive Mode                     --interactive
Noninteractive Mode                  --noninteractive

HOST AND PORT OPTIONS

Exclude Targets                      --exclude <host1[,host2]...>
Exclude Targets in File              --excludefile <file>
Read Targets from File               -iL <file>
Pick Random Numbers for Targets      -iR <num hosts>
Randomize Hosts                      --randomize_hosts, -rH
No Random Ports                      -r
Specify Protocol or Port Numbers     -p <port ranges>
Fast Scan Mode                       -F

OPERATING SYSTEM FINGERPRINTING

OS Fingerprinting                    -O
Limit System Scanning                --osscan-limit
More Guessing Flexibility            --osscan-guess, --fuzzy
Additional, Advanced, and Aggressive -A

VERSION DETECTION

Version Scan                         -sV
Don't Exclude Any Ports              --allports
Set Version Intensity                --version-intensity <0-9>
Enable Version Scanning Light        --version-light
Enable Version Scan All              --version-all

RUN-TIME INTERACTIONS (keys pressed while a scan is running)

Display Run-Time Help                ?
Increase / Decrease Verbosity        v / V
Increase / Decrease Debugging        d / D
Increase / Decrease Packet Tracing   p / P
Any Other Key                        Print Status

TUNING AND TIMING OPTIONS

Time to Live                         --ttl <value>
Use Fragmented IP Packets            -f, -ff
Maximum Transmission Unit            --mtu <value>
Data Length                          --data-length <num>
Host Timeout                         --host-timeout <time>
Initial Round Trip Timeout           --initial-rtt-timeout <time>
Minimum Round Trip Timeout           --min-rtt-timeout <time>
Maximum Round Trip Timeout           --max-rtt-timeout <time>
Maximum Parallel Hosts per Scan      --max-hostgroup <num>
Minimum Parallel Hosts per Scan      --min-hostgroup <num>
Maximum Parallel Port Scans          --max-parallelism <num>
Minimum Parallel Port Scans          --min-parallelism <num>
Minimum Delay Between Probes         --scan-delay <time>
Maximum Delay Between Probes         --max-scan-delay <time>
Timing Policies                      --timing, -T<0|1|2|3|4|5>
                                     (0 paranoid, 1 sneaky, 2 polite, 3 normal, 4 aggressive, 5 insane)

LOGGING OPTIONS

Normal Format                        -oN <file>
XML Format                           -oX <file>
Grepable Format                      -oG <file>
All Formats                          -oA <basename>
Script Kiddie Format                 -oS <file>
Resume Scan                          --resume <file>
Append Output                        --append-output

--resume only reads normal (-oN) or grepable (-oG) output; it cannot resume from an XML file. -oA writes all three machine-usable formats (.nmap, .xml, .gnmap) from one run and is the safest default for engagements.

MISCELLANEOUS OPTIONS

Quick Reference Screen               --help, -h
Nmap Version                         --version, -V
Data Directory                       --datadir <dir>
Quash Argument Vector                -q
Define Custom Scan Flags             --scanflags <flags>
(Uriel) Maimon Scan                  -sM
IPv6 Support                         -6
Send Bad TCP or UDP Checksum         --badsum
Create Decoys                        -D <decoy1[,decoy2][,ME]...>
Source Address                       -S <IP address>
Source Port                          --source-port <port>
Interface                            -e <interface>
List Interfaces                      --iflist

--interactive has since been removed from Nmap. Spoofing the source address with -S usually also needs -e, because nmap can no longer work out which interface to send on, and replies will go to the spoofed address, not to you.
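Added example (not part of the original guide): a parser for the grepable format listed above (-oG, or the .gnmap file written by -oA) and a baseline comparison built on it, which is the usual reason to keep that format around. The two scan outputs embedded in the code are constructed samples, not real results, and the host names and versions in them are invented.

```python
# Added example (not from the guide): parse nmap grepable output (-oG / .gnmap)
# and diff two runs to find newly opened ports. Both samples are constructed.
import re

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

SAMPLE_BASELINE = """\
# Nmap scan initiated as: nmap -sS -sV -oG baseline.gnmap 192.0.2.0/29
Host: 192.0.2.5 (web.example.test)\tStatus: Up
Host: 192.0.2.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/filtered/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.6 ()\tStatus: Up
Host: 192.0.2.6 ()\tPorts: 53/open/udp//domain//ISC BIND 9.16/\tIgnored State: closed (1)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

SAMPLE_CURRENT = """\
# Nmap scan initiated as: nmap -sS -sV -oG current.gnmap 192.0.2.0/29
Host: 192.0.2.5 (web.example.test)\tStatus: Up
Host: 192.0.2.5 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.6 ()\tStatus: Up
Host: 192.0.2.6 ()\tPorts: 53/open/udp//domain//ISC BIND 9.16/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (1)
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 13.01 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports": [{port, state, proto, ...}, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # comment and blank lines
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        # The remaining tab-separated fields look like "Status: Up" or "Ports: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t")[1:] if ": " in f)
        if "Status" in fields:
            entry["status"] = fields["Status"]
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/proto/owner/service/rpc/version/ ; nmap writes any '/'
            # inside the version string as '|', so splitting on '/' is safe
            rec = dict(zip(PORT_FIELDS, spec.split("/")[:7]))
            rec["port"] = int(rec["port"])
            entry["ports"].append(rec)
    return hosts


def open_ports(hosts):
    """{(ip, port, proto): version} for every port whose state is open."""
    return {(ip, p["port"], p["proto"]): p["version"]
            for ip, h in hosts.items() for p in h["ports"] if p["state"] == "open"}


def newly_opened(baseline_text, current_text):
    """Ports open now that were not open in the baseline: the change-detection use of -oG."""
    before = open_ports(parse_gnmap(baseline_text))
    after = open_ports(parse_gnmap(current_text))
    return {k: after[k] for k in sorted(after.keys() - before.keys())}


if __name__ == "__main__":
    for (ip, port, proto), version in newly_opened(SAMPLE_BASELINE, SAMPLE_CURRENT).items():
        print(f"{ip} {port}/{proto} {version}")
```

Feed it two real .gnmap files from scans run with the same target list and port range; a port that appears only in the later run is either a change on the host or a difference in scan conditions (timing, firewall state), so confirm it with a targeted rescan before acting on it.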

http://www.ProfessorMesser.com

SNC-201

Copyright © 2007 Professor Messer, LLC, All Rights Reserved

Identifying Open Ports with Nmap

(The second page of the original guide is a packet-flow diagram for each of the following scan types; only the diagram titles survive extraction.)

TCP SYN SCAN (-sS)
TCP connect() SCAN (-sT)
TCP FIN SCAN (-sF)
TCP XMAS TREE SCAN (-sX)
TCP NULL SCAN (-sN)
TCP PING SCAN (-sP)
VERSION DETECTION SCAN (-sV)
UDP SCAN (-sU)
IP PROTOCOL SCAN (-sO)
TCP ACK SCAN (-sA)
TCP WINDOW SCAN (-sW)

Version scan identifies open ports with a TCP SYN scan (a connect() scan when nmap runs unprivileged)...

...and then queries each open port with service probes, matching the responses against the signatures in nmap's probe database (nmap-service-probes). It cannot find ports on its own; the underlying port scan decides what -sV gets to interrogate.

IDLESCAN (-sI <zombie host[:probeport]>)
Step 1: Nmap sends a SYN/ACK to the zombie workstation to
induce a RST in return. This RST frame carries the zombie's current
IP ID, which nmap records for later.

Step 2: Nmap sends a SYN frame to the destination port, but spoofs
the source address so the SYN appears to come from the zombie. An
open port answers the zombie with a SYN/ACK; the zombie, having no
such connection, replies with a RST and so consumes one IP ID. A
closed port answers the zombie with a RST, which the zombie silently
ignores; a filtered port answers nothing.

Step 3: Nmap repeats the original SYN/ACK probe of the zombie. If the
IP ID has advanced by two (the zombie's RST to the target plus its RST
to this probe), the port that was spoofed in the original SYN frame is
open on the destination device. If it advanced by only one, nmap reports
the port as closed|filtered; the scan cannot tell those two apart. The
inference only holds when the zombie is genuinely idle and uses a
sequential, global IP ID counter; any traffic it sends on its own
between the two probes skews the count.

FTP BOUNCE ATTACK (-b <FTP relay host>)
Nmap logs in to the FTP server and issues a PORT command naming the target's address and port as the data connection, then asks for a transfer (a directory listing). A closed port will result in the FTP server informing the source station that it can't build the data connection (a 425 reply).

An open port completes the transfer over the specified connection. Current FTP servers normally refuse a PORT command that names any host other than the control connection's peer, so the attack only works through old or misconfigured servers.
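Added example (not from the guide): the PORT/LIST exchange behind -b, driven against a constructed relay that honours third-party PORT commands and against one that refuses them. The relay, the target's open ports and the reply strings are invented for the demonstration; the PORT argument encoding is the one RFC 959 specifies.

```python
# Added example (not from the guide): FTP bounce modelled offline. The relay
# server, the target's open ports and the reply lines are constructed.


def port_argument(host: str, port: int) -> str:
    """Encode host:port as the RFC 959 PORT argument: h1,h2,h3,h4,p1,p2."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError(f"bad host/port: {host}:{port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_argument(arg: str):
    """Inverse of port_argument; returns (host, port)."""
    n = [int(x) for x in arg.split(",")]
    if len(n) != 6 or any(not 0 <= x <= 255 for x in n):
        raise ValueError(f"bad PORT argument: {arg}")
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


class BounceableFtpServer:
    """Relay that honours PORT for third-party hosts: the misconfiguration -b needs."""

    def __init__(self, reachable_open_ports):
        self.open = set(reachable_open_ports)   # {(ip, port)} the relay can connect to
        self.data_target = None

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            self.data_target = parse_port_argument(arg)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first."
            if self.data_target in self.open:     # data connection succeeds: port is open
                return "150 Opening ASCII mode data connection for file list.\r\n226 Transfer complete."
            return "425 Can't build data connection: Connection refused."
        return "500 Unknown command."


class HardenedFtpServer(BounceableFtpServer):
    """Servers that only allow PORT back to the client's own address."""

    def __init__(self, reachable_open_ports, client_ip):
        super().__init__(reachable_open_ports)
        self.client_ip = client_ip

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT" and parse_port_argument(arg)[0] != self.client_ip:
            return "500 Illegal PORT command."
        return super().command(line)


def bounce_scan(server, target_ip, ports):
    """Drive the relay through PORT/LIST per port and read the state off the reply code."""
    results = {}
    for port in ports:
        reply = server.command(f"PORT {port_argument(target_ip, port)}")
        if not reply.startswith("200"):
            results[port] = "relay refused"       # no bounce possible through this server
            continue
        reply = server.command("LIST")
        results[port] = {"150": "open", "425": "closed"}.get(reply[:3], "unknown")
    return results


def demo():
    target = "10.0.0.7"                                     # constructed internal host
    relay = BounceableFtpServer({(target, 22), (target, 445)})
    hardened = HardenedFtpServer({(target, 22)}, client_ip="198.51.100.5")
    return bounce_scan(relay, target, [22, 23, 445]), bounce_scan(hardened, target, [22])


if __name__ == "__main__":
    print(port_argument("10.0.0.7", 445))   # 10,0,0,7,1,189
    print(demo())
```

Because the relay makes the data connection, the target's logs show the FTP server's address, and the relay can reach hosts behind its own firewall that the scanner cannot; that is why a server answering 200 to a third-party PORT is a finding in its own right.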