NMAP(1)                                                                NMAP(1)

       nmap - Network exploration tool and security scanner

       nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>

       Nmap is designed to allow system administrators and curious individuals
       to scan large networks to determine which hosts are up  and  what  ser-
       vices  they  are  offering.   nmap  supports a large number of scanning
       techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp  proxy
       (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas
       Tree, SYN sweep, IP Protocol, and Null scan.  See the Scan  Types  sec-
       tion  for more details.  nmap also offers a number of advanced features
       such as remote OS detection via TCP/IP  fingerprinting,  stealth  scan-
       ning, dynamic delay and retransmission calculations, parallel scanning,
       detection of down hosts via parallel pings, decoy scanning,  port  fil-
       tering  detection,  direct (non-portmapper) RPC scanning, fragmentation
       scanning, and flexible target and port specification.

       Significant effort has been put into decent nmap performance  for  non-
       root  users.   Unfortunately,  many critical kernel interfaces (such as
       raw sockets) require root privileges.  nmap should be run as root when-
       ever possible (not setuid root, of course).

       The  result  of  running nmap is usually a list of interesting ports on
       the machine(s) being scanned (if any).  Nmap always  gives  the  port's
       "well  known"  service name (if any), number, state, and protocol.  The
       state is either 'open', 'filtered', or 'unfiltered'.  Open  means  that
       the  target  machine  will accept() connections on that port.  Filtered
       means that a firewall, filter, or other network  obstacle  is  covering
       the port and preventing nmap from determining whether the port is open.
       Unfiltered means that the port is known by nmap to  be  closed  and  no
       firewall/filter  seems to be interfering with nmap's attempts to deter-
       mine this.  Unfiltered ports are the common case  and  are  only  shown
       when most of the scanned ports are in the filtered state.

       Depending  on  options used, nmap may also report the following charac-
       teristics of the remote host: OS in use, TCP sequencability,  usernames
       running  the  programs  which  have  bound  to each port, the DNS name,
       whether the host is a smurf address, and a few others.

       Options that make sense  together  can  generally  be  combined.   Some
       options  are  specific  to certain scan modes.  nmap tries to catch and
       warn the user about psychotic or unsupported option combinations.

       If you are impatient, you can skip to the examples section at the  end,
       which  demonstrates common usage.  You can also run nmap -h for a quick
       reference page listing all the options.


       -sS    TCP SYN scan: This technique is often referred to as "half-open"
              scanning, because you don't open a full TCP connection. You send
              a SYN packet, as if you are going to open a real connection  and
              you wait for a response. A SYN|ACK indicates the port is listen-
              ing. A RST is indicative of a non-listener.   If  a  SYN|ACK  is
              received,  a RST is immediately sent to tear down the connection
              (actually our OS kernel does this for us). The primary advantage
              to  this  scanning  technique  is  that fewer sites will log it.
              Unfortunately you need root privileges to build these custom SYN
              packets.  This is the default scan type for privileged users.

       -sT    TCP connect() scan: This is the most basic form of TCP scanning.
              The connect() system call provided by your operating  system  is
              used  to  open  a  connection  to  every interesting port on the
              machine. If the port is listening, connect() will succeed,  oth-
              erwise  the  port  isn't reachable. One strong advantage to this
              technique is that you don't need  any  special  privileges.  Any
              user on most UNIX boxes is free to use this call.

              This  sort of scan is easily detectable as target host logs will
              show a bunch of connection and error messages for  the  services
              which  accept() the connection just to have it immediately shut-
              down.  This is the default scan type for unprivileged users.

       -sF -sX -sN
              Stealth FIN, Xmas Tree, or Null scan modes: There are times when
              even  SYN  scanning isn't clandestine enough. Some firewalls and
              packet filters watch for SYNs to restricted ports, and  programs
              like Synlogger and Courtney are available to detect these scans.
              These advanced scans, on the other hand, may  be  able  to  pass
              through unmolested.

              The  idea  is  that  closed  ports are required to reply to your
              probe packet with an RST, while open ports must ignore the pack-
              ets  in  question (see RFC 793 pp 64).  The FIN scan uses a bare
              (surprise) FIN packet as the probe, while  the  Xmas  tree  scan
              turns  on the FIN, URG, and PUSH flags.  The Null scan turns off
              all flags.  Unfortunately Microsoft (like usual) decided to com-
              pletely  ignore  the standard and do things their own way.  Thus
              this scan type  will  not  work  against  systems  running  Win-
              dows95/NT.   On the positive side, this is a good way to distin-
              guish between the two platforms.  If the scan finds open  ports,
              you  know the machine is not a Windows box.  If a -sF,-sX,or -sN
              scan shows all ports closed, yet a SYN (-sS)  scan  shows  ports
              being  opened,  you are probably looking at a Windows box.  This
              is less useful now that nmap has proper OS detection  built  in.
              There  are  also a few other systems that are broken in the same
              way Windows is.  They include Cisco, BSDI, HP/UX, MVS, and IRIX.
              All  of  the  above  send  resets  from the open ports when they
              should just drop the packet.

       -sP    Ping scanning: Sometimes you only want to know which hosts on  a
              network  are  up.  Nmap can do this by sending ICMP echo request
              packets to every IP address on the networks you specify.   Hosts
              that   respond  are  up.   Unfortunately,  some  sites  such  as
     block echo request packets.  Thus  nmap  can  also
              send a TCP ack packet to (by default) port 80.  If we get an RST
              back, that machine is up.  A third technique involves sending  a
              SYN  packet  and  waiting  for a RST or a SYN/ACK.  For non-root
              users, a connect() method is used.

              By default (for root users), nmap uses both  the  ICMP  and  ACK
              techniques  in parallel.  You can change the -P option described

              Note that pinging is done by default anyway, and only hosts that
              respond  are  scanned.  Only use this option if you wish to ping
              sweep without doing any actual port scans.

       -sU    UDP scans: This method is used  to  determine  which  UDP  (User
              Datagram Protocol, RFC 768) ports are open on a host.  The tech-
              nique is to send 0 byte udp packets to each port on  the  target
              machine.   If  we receive an ICMP port unreachable message, then
              the port is closed.  Otherwise we assume it is open.

              Some people think UDP scanning is pointless.  I  usually  remind
              them  of  the  recent Solaris rcpbind hole. Rpcbind can be found
              hiding on an undocumented UDP port somewhere above 32770. So  it
              doesn't  matter that 111 is blocked by the firewall. But can you
              find which of the more than 30,000 high ports  it  is  listening
              on? With a UDP scanner you can!  There is also the cDc Back Ori-
              fice backdoor program which hides on a configurable UDP port  on
              Windows  machines.   Not to mention the many commonly vulnerable
              services that utilize UDP such as snmp, tftp, NFS, etc.

              Unfortunately UDP scanning is  sometimes  painfully  slow  since
              most  hosts implement a suggestion in RFC 1812 (section
              of limiting the ICMP error message rate.  For example, the Linux
              kernel  (in net/ipv4/icmp.h) limits destination unreachable mes-
              sage generation to 80 per 4 seconds, with a 1/4  second  penalty
              if that is exceeded.  Solaris has much more strict limits (about
              2 messages per second) and thus takes even longer to scan.  nmap
              detects  this  rate  limiting and slows down accordingly, rather
              than flood the network with useless packets that will be ignored
              by the target machine.

              As  is  typical, Microsoft ignored the suggestion of the RFC and
              does not seem to do any rate limiting at all  on  Win95  and  NT
              machines.   Thus  we can scan all 65K ports of a Windows machine
              very quickly.  Woop!

       -sO    IP protocol scans: This method is used  to  determine  which  IP
              protocols are supported on a host.  The technique is to send raw
              IP packets without any further protocol header to each specified
              protocol  on the target machine.  If we receive an ICMP protocol
              unreachable message, then the protocol is not in use.  Otherwise
              we assume it is open.  Note that some hosts (AIX, HP-UX, Digital
              UNIX) and firewalls may not send protocol unreachable  messages.
              This causes all of the protocols to appear "open".

              Because  the  implemented  technique is very similar to UDP port
              scanning, ICMP rate limit might apply too. But the  IP  protocol
              field  has  only  8 bits, so at most 256 protocols can be probed
              which should be possible in reasonable time anyway.

       -sI <zombie host[:probeport]>
              Idlescan: This advanced scan method allows for a truly blind TCP
              port scan of the target (meaning no packets are sent to the tar-
              get from your real IP address).  Instead, a unique  side-channel
              attack  exploits predictable "IP fragmentation ID" sequence gen-
              eration on the zombie host to glean information about  the  open
              ports  on the target.  IDS systems will display the scan as com-
              ing from the zombie machine you specify (which must  be  up  and
              meet  certain  criteria).   I am planning to put a more detailed
              explanation up  at
              tion.html in the near future.

              Besides   being  extraordinarily  stealthy  (due  to  its  blind
              nature), this scan type permits mapping out IP-based trust rela-
              tionships  between  machines.  The port listing shows open ports
              from the perspective of the zombie host.  So you can  try  scan-
              ning  a  target  using  various  zombies that you think might be
              trusted (via router/packet filter  rules).   Obviously  this  is
              crucial  information  when  prioritizing attack targets.  Other-
              wise, you penetration testers might have to expend  considerable
              resources "owning" an intermediate system, only to find out that
              its IP isn't even trusted by the  target  host/network  you  are
              ultimately after.

              You  can  add  a  colon followed by a port number if you wish to
              probe a particular port on the zombie  host  for  IPID  changes.
              Otherwise  Nmap  will  use  the port it uses by default for "tcp

       -sA    ACK scan: This advanced method is usually used to map out  fire-
              wall  rulesets.   In particular, it can help determine whether a
              firewall is stateful or just a simple packet filter that  blocks
              incoming SYN packets.

              This scan type sends an ACK packet (with random looking acknowl-
              edgement/sequence numbers) to the ports  specified.   If  a  RST
              comes back, the ports is classified as "unfiltered".  If nothing
              comes back (or if an ICMP unreachable is returned), the port  is
              classified  as "filtered".  Note that nmap usually doesn't print
              "unfiltered" ports, so getting no ports shown in the  output  is
              usually  a  sign  that  all the probes got through (and returned
              RSTs). This scan will obviously never show ports in  the  "open"

       -sW    Window scan: This advanced scan is very similar to the ACK scan,
              except that it can sometimes detect open ports as well  as  fil-
              tered/nonfiltered  due  to  an  anomaly  in  the TCP window size
              reporting by some operating systems.  Systems vulnerable to this
              include  at least some versions of AIX, Amiga, BeOS, BSDI, Cray,
              Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX,  OS/2,
              IRIX,  MacOS,  NetBSD,  OpenBSD,  OpenStep, QNX, Rhapsody, SunOS
              4.X, Ultrix, VAX, and VxWorks.   See  the  nmap-hackers  mailing
              list archive for a full list.

       -sR    RPC  scan.   This  method  works in combination with the various
              port scan methods of Nmap.  It takes all the TCP/UDP ports found
              open  and  then floods them with SunRPC program NULL commands in
              an attempt to determine whether they are RPC ports, and  if  so,
              what  program  and  version  number they serve up.  Thus you can
              effectively obtain the same info as firewall  (or  protected  by
              TCP  wrappers).   Decoys do not currently work with RPC scan, at
              some point I may add decoy support for UDP RPC scans.

       -sL    List scan.  This method simply generates and prints  a  list  of
              IPs/Names  without  actually pinging or port scanning them.  DNS
              name resolution will be performed unless you use -n.

       -b <ftp relay host>
              FTP bounce attack: An interesting "feature" of the ftp  protocol
              (RFC  959)  is  support  for  "proxy"  ftp connections. In other
              words, I should be able to connect  from  to  the  FTP
              server  of  and  request that the server send a file
              ANYWHERE on the internet!  Now this may have worked well in 1985
              when the RFC was written. But in today's Internet, we can't have
              people hijacking ftp servers and requesting that  data  be  spit
              out  to arbitrary points on the internet. As *Hobbit* wrote back
              in 1995, this protocol flaw  "can  be  used  to  post  virtually
              untraceable  mail  and news, hammer on servers at various sites,
              fill up disks, try to hop firewalls, and generally  be  annoying
              and  hard  to track down at the same time." What we will exploit
              this for is to  (surprise,  surprise)  scan  TCP  ports  from  a
              "proxy"  ftp  server.  Thus  you  could connect to an ftp server
              behind a firewall, and then scan ports that are more  likely  to
              be blocked (139 is a good one). If the ftp server allows reading
              from and writing to some directory (such as /incoming), you  can
              send arbitrary data to ports that you do find open (nmap doesn't
              do this for you though).

              The argument passed to the 'b' option is the host  you  want  to
              use  as a proxy, in standard URL notation.  The format is: user-
              name:password@server:port.  Everything but server  is  optional.
              To determine what servers are vulnerable to this attack, you can
              see my article in Phrack 51.  And updated version  is  available
              at the nmap URL (

              None of these are required but some can be quite useful.

       -P0    Do  not  try  and  ping hosts at all before scanning them.  This
              allows the scanning of  networks  that  don't  allow  ICMP  echo
              requests  (or  responses) through their firewall.
              is an example of such a network, and thus you should always  use
              -P0 or -PT80 when portscanning

       -PT    Use TCP "ping" to determine what hosts are up.  Instead of send-
              ing ICMP echo request packets and waiting  for  a  response,  we
              spew  out TCP ACK packets throughout the target network (or to a
              single machine) and then wait for  responses  to  trickle  back.
              Hosts  that  are up should respond with a RST.  This option pre-
              serves the efficiency of only scanning hosts that are  up  while
              still  allowing you to scan networks/hosts that block ping pack-
              ets.  For non root users, we use connect().  To set the destina-
              tion  port  of  the  probe  packets  use  -PT<port number>.  The
              default port is 80, since this port is often not filtered out.

       -PS    This option uses SYN (connection request) packets instead of ACK
              packets for root users.  Hosts that are up should respond with a
              RST (or, rarely, a SYN|ACK).  You can set the  destination  port
              in the same manner as -PT above.

       -PI    This  option  uses  a  true ping (ICMP echo request) packet.  It
              finds hosts that are  up  and  also  looks  for  subnet-directed
              broadcast  addresses  on  your  network.  These are IP addresses
              which are externally reachable and translate to a  broadcast  of
              incomming  IP packets to a subnet of computers.  These should be
              eliminated if found as they allow for numerous denial of service
              attacks (Smurf is the most common).

       -PP    Uses  an ICMP timestamp request (code 13) packet to find listen-
              ing hosts.

       -PM    Same as -PI and -PP except uses a  netmask  request  (ICMP  code

       -PB    This is the default ping type.  It uses both the ACK ( -PT ) and
              ICMP echo request ( -PI ) sweeps in parallel.  This way you  can
              get  firewalls  that  filter either one (but not both).  The TCP
              probe destination port can be set in the same manner as with -PT

       -O     This option activates remote host identification via TCP/IP fin-
              gerprinting.  In other words, it uses a bunch of  techniques  to
              detect  subtleties  in  the  underlying operating system network
              stack of the computers you are scanning.  It uses this  informa-
              tion  to  create  a  'fingerprint'  which  it  compares with its
              database of  known  OS  fingerprints  (the  nmap-os-fingerprints
              file) to decide what type of system you are scanning.

              If  Nmap  is unable to guess the OS of a machine, and conditions
              are good (eg at least one open port), Nmap will  provide  a  URL
              you can use to submit the fingerprint if you know (for sure) the
              OS running on the machine.  By doing this you contribute to  the
              pool of operating systems known to nmap and thus it will be more
              accurate for everyone.  Note that if you leave an IP address  on
              the form, the machine may be scanned when we add the fingerprint
              (to validate that it works).

              The -O option also enables several  other  tests.   One  is  the
              "Uptime"  measurement,  which uses the TCP timestamp option (RFC
              1323) to guess when a machine was last rebooted.  This  is  only
              reported for machines which provide this information.

              Another  test enabled by -O is TCP Sequence Predictability Clas-
              sification.  This is a measure that describes approximately  how
              hard  it  is  to  establish  a forged TCP connection against the
              remote host.  This is  useful  for  exploiting  source-IP  based
              trust  relationships (rlogin, firewall filters, etc) or for hid-
              ing the source of an attack.  The actual  difficulty  number  is
              based  on  statistical sampling and may fluctuate.  It is gener-
              ally better to use the English classification  such  as  "worthy
              challenge"  or  "trivial joke".  This is only reported in normal
              output with -v.

              When verbose mode (-v) is on with -O, IPID  Sequence  Generation
              is also reported.  Most machines are in the "incremental" class,
              which means that they increment the "ID" field in the IP  header
              for  each  packet they send.  This makes them vulnerable to sev-
              eral advanced information gathering and spoofing attacks.

       -I     This turns on TCP reverse ident scanning. As noted by Dave Gold-
              smith  in  a  1996  Bugtraq  post, the ident protocol (rfc 1413)
              allows for the disclosure of the username that owns any  process
              connected via TCP, even if that process didn't initiate the con-
              nection. So you can, for example, connect to the http  port  and
              then  use  identd  to  find out whether the server is running as
              root. This can only be done with a full TCP  connection  to  the
              target  port  (i.e.  the -sT scanning option).  When -I is used,
              the remote host's identd is queried for each  open  port  found.
              Obviously this won't work if the host is not running identd.

       -f     This option causes the requested SYN, FIN, XMAS, or NULL scan to
              use tiny fragmented IP packets.  The idea is to split up the TCP
              header  over  several  packets to make it harder for packet fil-
              ters, intrusion  detection  systems,  and  other  annoyances  to
              detect  what  you are doing. Be careful with this! Some programs
              have trouble handling these tiny packets.  My  favorite  sniffer
              segmentation   faulted  immediately  upon  receiving  the  first
              36-byte fragment. After that comes a 24  byte  one!  While  this
              method  won't get by packet filters and firewalls that queue all
              IP fragments (like the  CONFIG_IP_ALWAYS_DEFRAG  option  in  the
              Linux  kernel),  some  networks can't afford the performance hit
              this causes and thus leave it disabled.

              Note that I do not yet have this option working on all  systems.
              It  works fine for my Linux, FreeBSD, and OpenBSD boxes and some
              people have reported success with other *NIX variants.

       -v     Verbose mode.  This is a highly recommended option and it  gives
              out  more  information  about  what is going on.  You can use it
              twice for greater effect.  You can also use -d a few of times if
              you really want to get crazy with scrolling the screen!

       -h     This handy option display a quick reference screen of nmap usage
              options.  As you may have noticed, this man page is not  exactly
              a 'quick reference' :)

       -oN <logfilename>
              This  logs  the results of your scans in a normal human readable
              form into the file you specify as an argument.

       -oX <logfilename>
              This logs the results of your scans in XML form  into  the  file
              you specify as an argument.  This allows programs to easily cap-
              ture and interpret Nmap results.  You can give the argument  '-'
              (without   quotes)  to  shoot  output  into  stdout  (for  shell
              pipelines, etc).  In this case normal output will be suppressed.
              Watch out for error messages if you use this (they will still go
              to stderr).  Also note that '-v' may cause some  extra  informa-
              tion to be printed.  The Document Type Definition (DTD) defining
              the  XML  output  structure  is  available  at  http://www.inse-

       -oG <logfilename>
              This  logs the results of your scans in a grepable form into the
              file you specify as an argument.  This  simple  format  provides
              all the information on one line (so you can easily grep for port
              or OS information and see all the IPs.  This used to be the pre-
              ferred  mechanism for programs to interact with Nmap, but now we
              recommend XML output (-oX instead).  This simple format may  not
              contain  as much information as the other formats.  You can give
              the argument '-' (without quotes) to shoot  output  into  stdout
              (for  shell pipelines, etc).  In this case normal output will be
              suppressed.  Watch out for error messages if you use this  (they
              will  still  go to stderr).  Also note that '-v' will cause some
              extra information to be printed.

       -oA <basefilename>
              This tells Nmap to  log  in  ALL  the  majore  formats  (normal,
              grepable,  and  XML).  You give a base for the filename, and the
              output files will be base.nmap, base.gnmap, and base.xml.

       -oS <logfilename>
              thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto
              THe  fiL3  U sPecfy 4s an arGuMEnT!  U kAn gIv3 the 4rgument '-'
              (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!

       --resume <logfilename>
              A network scan that is cancelled due to control-C, network  out-
              age,  etc.  can  be  resumed using this option.  The logfilename
              must be either a normal (-oN) or machine parsable (-oM) log from
              the  aborted  scan.  No other options can be given (they will be
              the same as the aborted scan).  Nmap will start on  the  machine
              after the last one successfully scanned in the log file.

              Tells  Nmap  to append scan results to any output files you have
              specified rather than overwriting those files.

       -iL <inputfilename>
              Reads target specifications from the file specified RATHER  than
              from  the  command line.  The file should contain a list of host
              or network expressions seperated by spaces, tabs,  or  newlines.
              Use  a hyphen (-) as inputfilename if you want nmap to read host
              expressions from stdin (like at the end of  a  pipe).   See  the
              section target specification for more information on the expres-
              sions you fill the file with.

       -iR    This option tells Nmap to generate its own hosts to scan by sim-
              ply  picking random numbers :).  It will never end.  This can be
              useful for statistical sampling of the Internet to estimate var-
              ious  things.  If you are ever really bored, try nmap -sS -iR -p
              80 to find some web servers to look at.

       -p <port ranges>
              This option specifies what ports you want to specify. For  exam-
              ple  '-p  23'  will only try port 23 of the target host(s).  '-p
              20-30,139,60000-' scans ports between 20 and 30, port  139,  and
              all  ports greater than 60000.  The default is to scan all ports
              between 1 and 1024 as well as any ports listed in  the  services
              file  which  comes  with  nmap.  For IP protocol scanning (-sO),
              this specifies the protocol number you wish to scan for (0-255).

              When scanning both TCP and UDP ports, you can specify a particu-
              lar protocol by preceding the port numbers by "T:" or "U:".  The
              qualifier  lasts until you specify another qualifier.  For exam-
              ple, the argument  "-p  U:53,111,137,T:21-25,80,139,8080"  would
              scan  UDP ports 53,111,and 137, as well as the listed TCP ports.
              Note that to scan both UDP & TCP, you have to specify -sU and at
              least  one TCP scan type (such as -sS, -sF, or -sT).  If no pro-
              tocol qualifier is given, the port numbers are added to all pro-
              tocol lists.

       -F Fast scan mode.
              Specifies  that  you  only  wish to scan for ports listed in the
              services file which comes with nmap (or the protocols  file  for
              -sO).   This  is  obviously  much faster than scanning all 65535
              ports on a host.

       -D <decoy1 [,decoy2][,ME],...>
              Causes a decoy scan to be performed which makes it appear to the
              remote  host that the host(s) you specify as decoys are scanning
              the target network too.  Thus their IDS might report  5-10  port
              scans from unique IP addresses, but they won't know which IP was
              scanning them and which were innocent decoys.  While this can be
              defeated  through  router  path  tracing, response-dropping, and
              other "active" mechanisms, it is generally an  extremely  effec-
              tive technique for hiding your IP address.

              Separate each decoy host with commas, and you can optionally use
              'ME' as one of the decoys to represent  the  position  you  want
              your  IP  address to be used.  If your put 'ME' in the 6th posi-
              tion or later, some common port scan detectors  (such  as  Solar
              Designer's  excellent  scanlogd)  are  unlikeley to show your IP
              address at all.  If you don't use 'ME', nmap will put you  in  a
              random position.

              Note  that the hosts you use as decoys should be up or you might
              accidently SYN flood your targets.  Also it will be pretty  easy
              to  determine  which host is scanning if only one is actually up
              on the network.  You might want to use IP addresses  instead  of
              names  (so  the decoy networks don't see you in their nameserver

              Also note that some (stupid) "port scan  detectors"  will  fire-
              wall/deny  routing  to  hosts that attempt port scans.  Thus you
              might inadvertantly cause the machine you scan to  lose  connec-
              tivity  with the decoy machines you are using.  This could cause
              the target machines major problems if the  decoy  is,  say,  its
              internet gateway or even "localhost".  Thus you might want to be
              careful of this option.  The real moral of  the  story  is  that
              detectors of spoofable port scans should not take action against
              the machine that seems like it is port scanning them.  It  could
              just be a decoy!

              Decoys  are used both in the initial ping scan (using ICMP, SYN,
              ACK, or whatever) and during the  actual  port  scanning  phase.
              Decoys are also used during remote OS detection ( -O ).

              It is worth noting that using too many decoys may slow your scan
              and potentially even make it less  accurate.   Also,  some  ISPs
              will  filter  out your spoofed packets, although many (currently
              most) do not restrict spoofed IP packets at all.

       -S <IP_Address>
              In some circumstances, nmap may not be able  to  determine  your
              source  address  (  nmap will tell you if this is the case).  In
              this situation, use -S with your IP address  (of  the  interface
              you wish to send packets through).

              Another  possible  use of this flag is to spoof the scan to make
              the targets think that someone else is scanning them.  Imagine a
              company  being repeatedly port scanned by a competitor!  This is
              not a supported usage (or the main purpose)  of  this  flag.   I
              just  think  it  raises  an  interesting possibility that people
              should be aware of before they go accusing others of port  scan-
              ning  them.   -e  would  generally  be required for this sort of

       -e <interface>
              Tells nmap what interface to send and receive packets on.   Nmap
              should be able to detect this but it will tell you if it cannot.

       -g <portnumber>
              Sets the source port number used in scans.  Many naive  firewall
              and packet filter installations make an exception in their rule-
              set to allow DNS (53) or FTP-DATA (20) packets to  come  through
              and  establish a connection.  Obviously this completely subverts
              the security advantages of the firewall since intruders can just
              masquerade  as FTP or DNS by modifying their source port.  Obvi-
              ously for a UDP scan you should  try  53  first  and  TCP  scans
              should  try  20  before 53.  Note that this is only a request --
              nmap will honor it only if and when it is able to.  For example,
              you  can't  do  TCP  ISN  sampling all from one host:port to one
              host:port, so nmap changes the source port even if you used  -g.

              Be aware that there is a small performance penalty on some scans
              for using this option, because I sometimes store useful informa-
              tion in the source port number.

       --data_length <number>
              Normally  Nmap  sends  minimalistic  packets that only contain a
              header.  So its TCP packets are generally 40 bytes and ICMP echo
              requests  are  just  28.   This  option tells Nmap to append the
              given number of zero-filled bytes to  most  of  the  packets  it
              sends.   OS  detection  (-O)  packets are not affected, but most
              pinging and portscan packets are.  This slows things  down,  but
              can be slightly less conspicuous.

       -n     Tells  Nmap  to NEVER do reverse DNS resolution on the active IP
              addresses it finds.  Since DNS is  often  slow,  this  can  help
              speed things up.

       -R     Tells  Nmap to ALWAYS do reverse DNS resolution on the target IP
              addresses.  Normally this is only done when a machine  is  found
              to be alive.

       -r     Tells  Nmap  NOT  to  randomize  the  order  in  which ports are

              Tells Nmap to shuffle each group of up to 2048 hosts  before  it
              scans  them.   This  can  make the scans less obvious to various
              network monitoring systems, especially when you combine it  with
              slow timing options (see below).

       -M <max sockets>
              Sets the maximum number of sockets that will be used in parallel
              for a TCP connect() scan (the default).  This is useful to  slow
              down  the  scan a little bit and avoid crashing remote machines.
              Another approach is to use -sS, which is  generally  easier  for
              machines to handle.

              Generally  Nmap does a good job at adjusting for Network charac-
              teristics at runtime and scanning as fast as possible while min-
              imizing  that chances of hosts/ports going undetected.  However,
              there are same cases where Nmap's default timing policy may  not
              meet  your  objectives.   The  following  options provide a fine
              level of control over the scan timing:

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
              These are canned timing  policies  for  conveniently  expressing
              your priorities to Nmap.  Paranoid mode scans very slowly in the
              hopes of avoiding detection by IDS systems.  It  serializes  all
              scans (no parallel scanning) and generally waits at least 5 min-
              utes between sending packets.  Sneaky is similar, except it only
              waits  15  seconds  between sending packets.  Polite is meant to
              ease load on the network and  reduce  the  chances  of  crashing
              machines.   It serializes the probes and waits at least 0.4 sec-
              onds between them.  Normal is the default Nmap behaviour,  which
              tries to run as quickly as possible without overloading the net-
              work or missing hosts/ports.  Aggressive mode adds  a  5  minute
              timeout  per  host and it never waits more than 1.25 seconds for
              probe responses.  Insane is only suitable for very fast networks
              or  where  you don't mind losing some information.  It times out
              hosts in 75 seconds and only waits 0.3  seconds  for  individual
              probes.   It does allow for very quick network sweeps though :).
              You can also reference these by number (0-5).  For example,  '-T
              0' gives you Paranoid mode and '-T 5' is Insane mode.

              These canned timing modes should NOT be used in combination with
              the lower level controls given below.

       --host_timeout <milliseconds>
              Specifies the amount of time Nmap is allowed to spend scanning a
              single  host  before  giving  up on that IP.  The default timing
              mode has no host timeout.

       --max_rtt_timeout <milliseconds>
              Specifies the maximum amount of time Nmap is allowed to wait for
              a  probe  response before retransmitting or timing out that par-
              ticular probe.  The default mode sets this to about 9000.

       --min_rtt_timeout <milliseconds>
              When the target hosts start to establish a pattern of responding
              very  quickly,  Nmap  will  shrink  the amount of time given per
              probe.  This speeds up the scan, but can lead to missed  packets
              when  a  response  takes longer than usual.  With this parameter
              you can guarantee that Nmap will wait at least the given  amount
              of time before giving up on a probe.

       --initial_rtt_timeout <milliseconds>
              Specifies  the  initial  probe  timeout.  This is generally only
              useful when scanning firwalled hosts with  -P0.   Normally  Nmap
              can  obtain  good  RTT estimates from the ping and the first few
              probes.  The default mode uses 6000.

       --max_parallelism <number>
              Specifies the maximum number of scans Nmap is allowed to perform
              in  parallel.   Setting this to one means Nmap will never try to
              scan more than 1 port at a time.  It also effects other parallel
              scans such as ping sweep, RPC scan, etc.

       --scan_delay <milliseconds>
              Specifies  the  minimum  amount  of  time Nmap must wait between
              probes.  This is mostly useful to reduce network load or to slow
              the scan way down to sneak under IDS thresholds.

       Everything that isn't an option (or option argument) in nmap is treated
       as a target host specification.  The simplest case  is  listing  single
       hostnames  or  IP addresses on the command line.  If you want to scan a
       subnet of IP addresses, you can append '/mask' to the  hostname  or  IP
       address.  mask must be between 0 (scan the whole internet) and 32 (scan
       the single host specified).  Use /24 to scan a class  'C'  address  and
       /16 for a class 'B'.

       Nmap  also  has  a  more powerful notation which lets you specify an IP
       address using lists/ranges for each element.  Thus  you  can  scan  the
       whole  class  'B'  network  192.168.*.*  by specifying '192.168.*.*' or
       '192.168.0-255.0-255' or even '192.168.1-50,51-255.1,2,3,4,5-255'.  And
       of  course  you can use the mask notation: ''.  These are
       all equivalent.  If you use asterisks ('*'), remember that most  shells
       require  you  to  escape  them  with  back slashes or protect them with

       Another interesting thing to do is slice the Internet  the  other  way.
       Instead  of scanning all the hosts in a class specifying hosts to scan,
       see the examples section.

       Here are some examples of using nmap, from simple and normal to a  lit-
       tle  more  complex/esoteric.   Note that actual numbers and some actual
       domain names are used to make things more concrete.  In their place you
       should  substitute  addresses/names  from  your  own network.  I do not
       think portscanning other networks is illegal; nor should  portscans  be
       construed by others as an attack.  I have scanned hundreds of thousands
       of machines and have received only one  complaint.   But  I  am  not  a
       lawyer  and some (anal) people may be annoyed by nmap probes.  Get per-
       mission first or use at your own risk.

       nmap -v

       This option scans all reserved TCP ports on  the  machine  target.exam- .  The -v means turn on verbose mode.

       nmap -sS -O

       Launches  a stealth SYN scan against each machine that is up out of the
       255 machines on class 'C' where  resides.   It  also
       tries  to  determine what operating system is running on each host that
       is up and running.  This requires root privileges because  of  the  SYN
       scan and the OS detection.

       nmap -sX -p 22,53,110,143,4564 198.116.*.1-127

       Sends an Xmas tree scan to the first half of each of the 255 possible 8
       bit subnets in the 198.116 class 'B' address  space.   We  are  testing
       whether  the  systems  run sshd, DNS, pop3d, imapd, or port 4564.  Note
       that Xmas scan doesn't work on Microsoft boxes due to  their  deficient
       TCP stack.  Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.

       nmap -v --randomize_hosts -p 80 '*.*.2.3-5'

       Rather  than  focus on a specific IP range, it is sometimes interesting
       to slice up the entire Internet and  scan  a  small  sample  from  each
       slice.   This  command  finds  all  web  servers  on  machines  with IP
       addresses ending in .2.3, .2.4, or .2.5 find more interesting  machines
       starting  at  127.  so  you  might want to use '127-222' instead of the
       first asterisks because that section has a greater density of interest-
       ing machines (IMHO).

       host -l | cut '-d ' -f 4 | ./nmap -v -iL -

       Do  a  DNS zone transfer to find the hosts in and then feed
       the IP addresses to nmap.  The above commands are for my GNU/Linux box.
       You may need different commands/options on other operating systems.

       Bugs?   What bugs?  Send me any that you find.  Patches are nice too :)
       Remember to also send in  new  OS  fingerprints  so  we  can  grow  the
       database.  Nmap will give you a submission URL when an appropriate fin-
       gerprint is found.

       Fyodor <>

       The newest version  of  nmap  can  be  obtained  from  http://www.inse-

       nmap is (C) 1995-2001 by Insecure.Com LLC

       libpcap  is also distributed along with nmap.  It is copyrighted by Van
       Jacobson, Craig Leres and Steven McCanne, all of the Lawrence  Berkeley
       National  Laboratory, University of California, Berkeley, CA.  The ver-
       sion distributed with nmap may be modified, pristine sources are avail-
       able from .

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published  by  the
       Free  Software  Foundation;  Version  2.  This guarantees your right to
       use, modify, and redistribute Nmap under certain conditions.   If  this
       license  is  unacceptable  to  you, Insecure.Org may be willing to sell
       alternative licenses (contact

       Source is provided to this software because we  believe  users  have  a
       right to know exactly what a program is going to do before they run it.
       This also allows you to audit the software  for  security  holes  (none
       have been found so far).

       Source  code  also  allows you to port Nmap to new platforms, fix bugs,
       and add new features.  You are highly encouraged to send  your  changes
       to for possible incorporation into the main distri-
       bution.  By sending these changes to Fyodor  or  one  the
       development  mailing  lists, it is assumed that you are offering Fyodor
       the unlimited, non-exclusive right to reuse, modify, and relicense  the
       code.   This  is  important because the inability to relicense code has
       caused devastating problems for other Free Software projects  (such  as
       KDE and NASM).  Nmap will always be available Open Source.  If you wish
       to specify special license conditions of your contributions,  just  say
       so when you send them.

       This  program  is  distributed  in the hope that it will be useful, but
       WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
       Public License for more details (it is in the COPYING file of the  nmap

       It  should  also  be  noted  that  Nmap has been known to crash certain
       poorly written applications, TCP/IP stacks, and even operating systems.
       Nmap  should  never  be run against mission critical systems unless you
       are prepared to suffer downtime.  We acknowledge  here  that  Nmap  may
       crash  your  systems  or networks and we disclaim all liability for any
       damage or problems Nmap could cause.

       Because of the slight risk of crashes and because a few black hats like
       to  use  Nmap  for reconnaissance prior to attacking systems, there are
       administrators who become upset and may complain when their  system  is
       scanned.   Thus,  it  is  often  advisable to request permission before
       doing even a light scan of a network.

       Nmap should never be run with privileges (eg suid  root)  for  security

       All  versions  of  Nmap equal to or greater than 2.0 are believed to be
       Year 2000 (Y2K) compliant in all  respects.   There  is  no  reason  to
       believe  versions  earlier than 2.0 are susceptible to problems, but we
       have not tested them.