Nmap Quick Reference Guide

nmap_quick_reference_guide

nmap_quick_reference_guide

nmap_quick_reference_guide

nmap_quick_reference_guide

Hacking%20-%20NMap%20Quick%20Reference%20Guide

User Manual: Pdf

Open the PDF directly: View PDF .
Page Count: 2

SCAN OPTION SUMMARY!

Scan Name!Command

Syntax!

Requires

Privileged

Access!

Identifies

TCP

Ports!

Identifies

UDP

Ports!

"#$!%&'!%()*! -sS &+%! &+%! ',!

"#$!(-**.(/01!%()*! -sT ',! &+%! ',!

23'!%/.)4/5!%()*! -sF &+%! &+%! ',!

67)8!"9..!%/.)4/5!%()*! -sX &+%! &+%! ',!

':44!%/.)4/5!%()*! -sN &+%! &+%! ',!

$;*<!%()*! -sP ',! ',! ',!

=.98;-*!>./.(/;-*! -sV ',! ',! ',!

?>$!%()*! -sU &+%! ',! &+%!

3$!$9-/-(-4!%()*! -sO &+%! ',! ',!

@#A!%()*! -sA &+%! &+%! ',!

B;*C-D!%()*! -sW &+%! &+%! ',!

E$#!%()*! -sR ',! ',! ',!

F;8/!%()*! -sL ',! ',! ',!

3C4.8()*! -sI &+%! &+%! ',!

2"$!G-:*(.!@//)(H! -b ',! &+%! ',!

PING OPTIONS!

3#I$!+(5-!E.J:.8/!$;*<! -PE, -PI

"#$!@#A!$;*<! -PA[portlist], -PT[portlist]

"#$!%&'!$;*<! -PS[portlist]

?>$!$;*<! -PU[portlist]

3#I$!";7.8/)7K!$;*<! -PP

3#I$!@CC9.88!I)8H!$;*<! -PM

>-*L/!$;*<! -P0, -PN, -PD

E.J:;9.!E.M.98.!! -R

>;8)N4.!E.M.98.!>'%! -n

%K.(;OP!>'%!%.9M.98! --dns-servers

HOST AND PORT OPTIONS!

+Q(4:C.!")9<./8! --exclude <host1 [,host2],...>

+Q(4:C.!")9<./8!;*!2;4.! --excludefile <exclude_file>

E.)C!")9<./8!O9-7!2;4.! -iL <inputfilename>

$;(H!E)*C-7!':7N.98!O-9!")9<./8! -iR <num_hosts>

E)*C-7;R.!S-8/8! --randomize_hosts, -rH

'-!E)*C-7!$-9/8! -r

%-:9(.!$-9/! --source-port <portnumber>

%K.(;OP!$9-/-(-4!-9!$-9/!':7N.98! -p <port_range>

2)8/!%()*!I-C.! -F

#9.)/.!>.(-P8! -D <decoy1 [,decoy2][,ME],...>

%-:9(.!@CC9.88! -S <IP_address>

3*/.9O)(.! -e <interface>

F;8/!3*/.9O)(.8! --iflist

LOGGING OPTIONS!

'-97)4!2-97)/! -oN <logfilename>

6IF!2-97)/! -oX <logfilename>

T9.K)N4.!2-97)/! -oG <logfilename>

@44!2-97)/8! -oA <basefilename>

%(9;K/!A;CC;.!2-97)/! -oS <logfilename>

E.8:7.!%()*! --resume <logfilename>

@KK.*C!,:/K:/! --append-output

REAL-TIME INFORMATION OPTIONS!

=.9N-8.!I-C.! --verbose, -v

=.98;-*!"9)(.! --version-trace

$)(H./!"9)(.! --packet-trace

>.N:<!I-C.! --debug, -d

3*/.9)(/;M.!I-C.! --interactive

'-*;*/.9)(/;M.!I-C.! --noninteractive

TUNING AND TIMING OPTIONS!

";7.!/-!F;M.! --ttl

?8.!29)<7.*/.C!3$!$)(H./8! -f, -ff

I)Q;7:7!"9)*87;88;-*!?*;/! --mtu <databytes>

>)/)!F.*</5! --data-length <databytes>

S-8/!";7.-:/! --host-timeout <milliseconds>

3*;/;)4!E-:*C!"9;K!";7.-:/! --initial-rtt-timeout <milliseconds>

I;*;7:7!E-:*C!"9;K!";7.-:/! --min-rtt-timeout <milliseconds>

I)Q;7:7!E-:*C!"9;K!";7.-:/! --max-rtt-timeout <milliseconds>

I)Q;7:7!$)9)44.4!S-8/8!K.9!%()*! --max-hostgroup <number>

I;*;7:7!$)9)44.4!S-8/8!K.9!%()*! --min-hostgroup <number>

I)Q;7:7!$)9)44.4!$-9/!%()*8! --max-parallelism <number>

I;*;7:7!$)9)44.4!$-9/!%()*8! --min-parallelism <number>

I;*;7:7!>.4)P!G./D..*!$9-N.8! --scan-delay <milliseconds>

I)Q;7:7!>.4)P!G./D..*!$9-N.8! --max-scan-delay

";7;*<!$-4;(;.8! --timing, -T<0|1|2|3|4|5>

MISCELLANEOUS OPTIONS!

U:;(H!E.O.9.*(.!%(9..*! --help, -h

'7)K!=.98;-*! --version, -V

>)/)!>;9.(/-9P! --datadir <directory_name>

U:)85!@9<:7.*/!=.(/-9! -q

>.O;*.!#:8/-7!%()*!24)<8! --scanflags <flagval>

0?9;.41!I);7-*!%()*! -sM

3$MV!%:KK-9/! -6

%.*C!G)C!"#$!-9!?>$!#5.(H8:7! --badsum

Copyright © 2007 Professor Messer, LLC, All Rights Reservedhttp://www.ProfessorMesser.com %'#WXYZ!

NMAP

Professor Messer+s Quick Reference Guide to

OPERATING SYSTEM FINGERPRINTING!

,%!2;*<.9K9;*/;*<! -O

F;7;/!%P8/.7!%()**;*<! --osscan-limit

I-9.!T:.88;*<!24.Q;N;4;/P! --osscan-guess, --fuzzy

@CC;/;-*)4[!@CM)*(.C[!)*C!@<<9.88;M.! -A

VERSION DETECTION

=.98;-*!%()*! -sV

>-*L/!+Q(4:C.!@*P!$-9/8! --allports

%./!=.98;-*!3*/.*8;/P! --version-intensity

+*)N4.!=.98;-*!%()**;*<!F;<5/! --version-light

+*)N4.!=.98;-*!%()*!@44! --version-all

RUN-TIME INTERACTIONS!

>;8K4)P!E:*W";7.!S.4K! ?

3*(9.)8.!\!>.(9.)8.!=.9N-8;/P! v / V

3*(9.)8.!\!>.(9.)8.!>.N:<<;*<! d / D

3*(9.)8.!\!>.(9.)8.!$)(H./!"9)(;*<! p / P

@*P!,/5.9!A.P! Print Status





Copyright © 2007 Professor Messer, LLC, All Rights Reservedhttp://www.ProfessorMesser.com SNC-201

TCP SYN SCAN (-sS)

!

Identifying Open Ports with Nmap

TCP connect() SCAN (-sT)

!

TCP FIN SCAN (-sF)

!

TCP XMAS TREE SCAN (-sX)

!

TCP NULL SCAN (-sN)

!

TCP PING SCAN (-sP)

!

VERSION DETECTION SCAN (-sV)

!

UDP SCAN (-sU)

!

TCP ACK SCAN (-sA)

!

IP PROTOCOL SCAN (-sO)

!

TCP WINDOW SCAN (-sW)

!

IDLESCAN (-sI <zombie host:[probeport]>)

!

FTP BOUNCE ATTACK (-b <ftp_relay_host>)

!!

=.98;-*!8()*!;C.*/;O;.8!-K.*!K-9/8!D;/5!)!"#$!%&'!8()*]]]!

]]])*C!/5.*!J:.9;.8!/5.!K-9/!D;/5!)!(:8/-7;R.C!8;<*)/:9.]!

Step 1: Nmap sends a SYN/ACK to the zombie workstation to

induce a RST in return. This RST frame contains the initial IPID

that nmap will remember for later.

Step 2: Nmap sends a SYN frame to the destination address,

but nmap spoofs the IP address to make it seem as if the SYN

frame was sent from the zombie workstation.

Step 3: Nmap repeats the original SYN/ACK probe of the zom-

bie station. If the IPID has incremented, then the port that was

spoofed in the original SYN frame is open on the destination

device.

A closed port will result with the FTP server informing the source station that the FTP server canMt build the connection.

An open port completes the transfer over the specified connection.

NMAP

Professor Messer+s Quick Reference Guide to



