
Introduction to nmap, the port scanner for Linux

NMAP(1)                      Nmap Reference Guide                      NMAP(1)

NAME
       nmap - Network exploration tool and security / port scanner

SYNOPSIS
       nmap [Scan Type...] [Options] {target specification}

DESCRIPTION
       Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

       The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

       In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

       A typical Nmap scan is shown in Example 1. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hostnames.

       Example 1. A representative Nmap scan

           # nmap -A -T4 scanme.nmap.org

           Starting Nmap ( http://nmap.org )
           Interesting ports on scanme.nmap.org (64.13.134.52):
           Not shown: 994 filtered ports
           PORT    STATE  SERVICE VERSION
           22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
           25/tcp  closed smtp
           53/tcp  open   domain  ISC BIND 9.3.4
           70/tcp  closed gopher
           80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
           |_ HTML title: Go ahead and ScanMe!
           113/tcp closed auth
           Device type: general purpose
           Running: Linux 2.6.X
           OS details: Linux 2.6.20-1 (Fedora Core 5)

           TRACEROUTE (using port 80/tcp)
           HOP RTT   ADDRESS
           [Cut first seven hops for brevity]
           8   10.59 so-4-2-0.mpr3.pao1.us.above.net (64.125.28.142)
           9   11.00 metro0.sv.svcolo.com (208.185.168.173)
           10  9.93  scanme.nmap.org (64.13.134.52)

           Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

       The newest version of Nmap can be obtained from http://nmap.org.
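The port table of Example 1 is also what a defender feeds into the inventory and uptime monitoring that the description mentions. The following Python is an added example, not code from the Nmap project: it parses the normal-format port lines of Example 1 into records keyed by the states defined above, counts them, and flags open ports that are missing from an approved baseline. The APPROVED set is an assumption made for illustration.

```python
import re

# Normal-output port lines look like "22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)";
# the state column holds one of the states (or state combinations) the man page lists.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>\S.*?))?\s*$"
)
# "Not shown: 994 filtered ports" summarises the ports left out of the table.
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>[\w|]+) ports")

# The port table from Example 1 above (quoted from the man page).
EXAMPLE_1 = """\
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp  closed smtp
53/tcp  open   domain  ISC BIND 9.3.4
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2.2.2 ((Fedora))
|_ HTML title: Go ahead and ScanMe!
113/tcp closed auth
"""


def parse_port_table(text):
    """Return (port records, not-shown counts) parsed from Nmap normal output.

    Each record is a dict with port, proto, state, service and version. Script
    output lines (starting with "|") and other chatter do not match and are skipped.
    """
    ports, not_shown = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": m["version"] or "",
            })
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[m["state"]] = int(m["count"])
    return ports, not_shown


def count_by_state(ports):
    """Map each state to the number of table rows carrying it."""
    counts = {}
    for p in ports:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    return counts


def unexpected_open(ports, baseline):
    """Ports that are open (or open|filtered, i.e. possibly open) but not in the
    approved baseline of (port, proto) pairs: the check a defender runs after
    scanning their own hosts."""
    return [p for p in ports
            if p["state"].startswith("open")
            and (p["port"], p["proto"]) not in baseline]


# Assumed baseline for the scanned host: only SSH and HTTP are approved (illustration only).
APPROVED = {(22, "tcp"), (80, "tcp")}

if __name__ == "__main__":
    records, hidden = parse_port_table(EXAMPLE_1)
    print("states:", count_by_state(records), "not shown:", hidden)
    for p in unexpected_open(records, APPROVED):
        print(f"unexpected: {p['port']}/{p['proto']} {p['service']} {p['version']}")
```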
       The newest version of this man page is available at http://nmap.org/book/man.html. It is also included as a chapter of Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (see http://nmap.org/book/).

OPTIONS SUMMARY
       This options summary is printed when Nmap is run with no arguments, and the latest version is always available at http://nmap.org/data/nmap.usage.txt. It helps people remember the most common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.

           Nmap 5.21 ( http://nmap.org )
           Usage: nmap [Scan Type(s)] [Options] {target specification}
           TARGET SPECIFICATION:
             Can pass hostnames, IP addresses, networks, etc.
             Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
             -iL <inputfilename>: Input from list of hosts/networks
             -iR <num hosts>: Choose random targets
             --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
             --excludefile <exclude_file>: Exclude list from file
           HOST DISCOVERY:
             -sL: List Scan - simply list targets to scan
             -sP: Ping Scan - go no further than determining if host is online
             -PN: Treat all hosts as online -- skip host discovery
             -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
             -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
             -PO[protocol list]: IP Protocol Ping
             -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
             --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
             --system-dns: Use OS's DNS resolver
             --traceroute: Trace hop path to each host
           SCAN TECHNIQUES:
             -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
             -sU: UDP Scan
             -sN/sF/sX: TCP Null, FIN, and Xmas scans
             --scanflags <flags>: Customize TCP scan flags
             -sI <zombie host[:probeport]>: Idle scan
             -sY/sZ: SCTP INIT/COOKIE-ECHO scans
             -sO: IP protocol scan
             -b <FTP relay host>: FTP bounce scan
           PORT SPECIFICATION AND SCAN ORDER:
             -p <port ranges>: Only scan specified ports
               Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
             -F: Fast mode - Scan fewer ports than the default scan
             -r: Scan ports consecutively - don't randomize
             --top-ports <number>: Scan <number> most common ports
             --port-ratio <ratio>: Scan ports more common than <ratio>
           SERVICE/VERSION DETECTION:
             -sV: Probe open ports to determine service/version info
             --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
             --version-light: Limit to most likely probes (intensity 2)
             --version-all: Try every single probe (intensity 9)
             --version-trace: Show detailed version scan activity (for debugging)
           SCRIPT SCAN:
             -sC: equivalent to --script=default
             --script=<Lua scripts>: <Lua scripts> is a comma separated list of
                      directories, script-files or script-categories
             --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
             --script-trace: Show all data sent and received
             --script-updatedb: Update the script database.
           OS DETECTION:
             -O: Enable OS detection
             --osscan-limit: Limit OS detection to promising targets
             --osscan-guess: Guess OS more aggressively
           TIMING AND PERFORMANCE:
             Options which take <time> are in milliseconds, unless you append 's'
             (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
             -T<0-5>: Set timing template (higher is faster)
             --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
             --min-parallelism/max-parallelism <time>: Probe parallelization
             --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
                 probe round trip time.
             --max-retries <tries>: Caps number of port scan probe retransmissions.
             --host-timeout <time>: Give up on target after this long
             --scan-delay/--max-scan-delay <time>: Adjust delay between probes
             --min-rate <number>: Send packets no slower than <number> per second
             --max-rate <number>: Send packets no faster than <number> per second
           FIREWALL/IDS EVASION AND SPOOFING:
             -f; --mtu <val>: fragment packets (optionally w/given MTU)
             -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
             -S <IP_Address>: Spoof source address
             -e <iface>: Use specified interface
             -g/--source-port <portnum>: Use given port number
             --data-length <num>: Append random data to sent packets
             --ip-options <options>: Send packets with specified ip options
             --ttl <val>: Set IP time-to-live field
             --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
             --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
             --adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums
           OUTPUT:
             -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
                and Grepable format, respectively, to the given filename.
             -oA <basename>: Output in the three major formats at once
             -v: Increase verbosity level (use twice or more for greater effect)
             -d[level]: Set or increase debugging level (Up to 9 is meaningful)
             --reason: Display the reason a port is in a particular state
             --open: Only show open (or possibly open) ports
             --packet-trace: Show all packets sent and received
             --iflist: Print host interfaces and routes (for debugging)
             --log-errors: Log errors/warnings to the normal-format output file
             --append-output: Append to rather than clobber specified output files
             --resume <filename>: Resume an aborted scan
             --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
             --webxml: Reference stylesheet from Nmap.Org for more portable XML
             --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
           MISC:
             -6: Enable IPv6 scanning
             -A: Enables OS detection and Version detection, Script scanning and Traceroute
             --datadir <dirname>: Specify custom Nmap data file location
             --send-eth/--send-ip: Send using raw ethernet frames or IP packets
             --privileged: Assume that the user is fully privileged
             --unprivileged: Assume the user lacks raw socket privileges
             -V: Print version number
             -h: Print this help summary page.
           EXAMPLES:
             nmap -v -A scanme.nmap.org
             nmap -v -sP 192.168.0.0/16 10.0.0.0/8
             nmap -v -iR 10000 -PN -p 80
           SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

TARGET SPECIFICATION
       Everything on the Nmap command-line that isn't an option (or option argument) is treated as a target host specification.
       The simplest case is to specify a target IP address or hostname for scanning.

       Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /numbits to an IPv4 address or hostname and Nmap will scan every IP address for which the first numbits are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010 00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address 64.13.134.52, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which scans the whole Internet. The largest value is /32, which scans just the named host or IP address because all address bits are fixed.

       CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

       IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname. CIDR and octet ranges aren't supported for IPv6 because they are rarely useful.

       Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command nmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.

       While targets are usually specified on the command lines, the following options are also available to control target selection:

       -iL inputfilename (Input from list)
           Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.

           The input file may contain comments that start with # and extend to the end of the line.

       -iR num hosts (Choose random targets)
           For Internet-wide surveys and other research, you may want to choose targets at random. The num hosts argument tells Nmap how many IPs to generate. Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are automatically skipped. The argument 0 can be specified for a never-ending scan. Keep in mind that some network administrators bristle at unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command nmap -sS -PS80 -iR 0 -p 80 to locate random web servers for browsing.

       --exclude host1[,host2[,...]] (Exclude hosts/networks)
           Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission-critical servers, systems that are known to react adversely to port scans, or subnets administered by other people.

       --excludefile exclude_file (Exclude list from file)
           This offers the same functionality as the --exclude option, except that the excluded targets are provided in a newline, space, or tab delimited exclude_file rather than on the command line.

           The exclude file may contain comments that start with # and extend to the end of the line.

HOST DISCOVERY
       One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions.

       Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-PN), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of IP addresses.

       If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. These defaults are equivalent to the -PE -PS443 -PA80 -PP options. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

       The -P* options (which select ping types) can be combined. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes. Also note that ARP discovery (-PR) is done by default against targets on a local ethernet network even if you specify other -P* options, because it is almost always faster and more effective.

       By default, Nmap does host discovery and then performs a port scan against each host it determines is online. This is true even if you specify non-default host discovery types such as UDP probes (-PU). Read about the -sP option to learn how to perform only host discovery, or use -PN to skip host discovery and port scan all target hosts. The following options control host discovery:

       -sL (List Scan)
           The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

           Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or ping scanning cannot be combined with this. If you wish to disable ping scanning while still performing such higher level functionality, read up on the -PN (skip ping) option.

       -sP (Skip port scan)
           This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

           Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

           The -sP option sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified. The -sP option can be combined with any of the discovery probe types (the -P* options, excluding -PN) for greater flexibility. If any of those probe type and port number options are used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.

       -PN (No ping)
           This option skips the Nmap discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -PN causes Nmap to attempt the requested scanning functions against every target IP address specified. So if a class B sized target address space (/16) is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. To skip ping scan and port scan, while still allowing NSE to run, use the two options -PN -sP together.

           For machines on a local ethernet network, ARP scanning will still be performed (unless --send-ip is specified) because Nmap needs MAC addresses to further scan target hosts.
This option flag used to be            P0 (uses zero), but was renamed to avoid confusion with protocol            ping´s PO (uses the letter O) flag.        -PS port list (TCP SYN Ping) .            This option sends an empty TCP packet with the SYN flag set. The            default destination port is 80 (configurable at compile time by            changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h).  Alternate ports            can be specified as a parameter. The syntax is the same as for the            -p except that port type specifiers like T: are not allowed.            Examples are -PS22 and -PS22-25,80,113,1050,35000. Note that there            can be no space between -PS and the port list. If multiple probes            are specified they will be sent in parallel.            The SYN flag suggests to the remote system that you are attempting            to establish a connection. Normally the destination port will be            closed, and a RST (reset) packet sent back. If the port happens to            be open, the target will take the second step of a TCP            three-way-handshake.  by responding with a SYN/ACK TCP packet. The            machine running Nmap then tears down the nascent connection by            responding with a RST rather than sending an ACK packet which would            complete the three-way-handshake and establish a full connection.            The RST packet is sent by the kernel of the machine running Nmap in            response to the unexpected SYN/ACK, not by Nmap itself.            Nmap does not care whether the port is open or closed. Either the            RST or SYN/ACK response discussed previously tell Nmap that the            host is available and responsive.            On Unix boxes, only the privileged user root.  is generally able to            send and receive raw TCP packets..  For unprivileged users, a            workaround is automatically employed.  
whereby the connect system            call is initiated against each target port. This has the effect of            sending a SYN packet to the target host, in an attempt to establish            a connection. If connect returns with a quick success or an            ECONNREFUSED failure, the underlying TCP stack must have received a            SYN/ACK or RST and the host is marked available. If the connection            attempt is left hanging until a timeout is reached, the host is            marked as down. This workaround is also used for IPv6 connections,            as raw IPv6 packet building support is not yet available in Nmap..        -PA port list (TCP ACK Ping) .            The TCP ACK ping is quite similar to the just-discussed SYN ping.            The difference, as you could likely guess, is that the TCP ACK flag            is set instead of the SYN flag. Such an ACK packet purports to be            acknowledging data over an established TCP connection, but no such            connection exists. So remote hosts should always respond with a RST            packet, disclosing their existence in the process.            The -PA option uses the same default port as the SYN probe (80) and            can also take a list of destination ports in the same format. If an            unprivileged user tries this, or an IPv6 target is specified, the            connect workaround discussed previously is used. This workaround is            imperfect because connect is actually sending a SYN packet rather            than an ACK.            The reason for offering both SYN and ACK ping probes is to maximize            the chances of bypassing firewalls. Many administrators configure            routers and other simple firewalls to block incoming SYN packets            except for those destined for public services like the company web            site or mail server. 
This prevents other incoming connections to            the organization, while allowing users to make unobstructed            outgoing connections to the Internet. This non-stateful approach            takes up few resources on the firewall/router and is widely            supported by hardware and software filters. The Linux            Netfilter/iptables.  firewall software offers the --syn convenience            option to implement this stateless approach. When stateless            firewall rules such as this are in place, SYN ping probes (-PS) are            likely to be blocked when sent to closed target ports. In such            cases, the ACK probe shines as it cuts right through these rules.            Another common type of firewall uses stateful rules that drop            unexpected packets. This feature was initially found mostly on            high-end firewalls, though it has become much more common over the            years. The Linux Netfilter/iptables system supports this through            the --state option, which categorizes packets based on connection            state. A SYN probe is more likely to work against such a system, as            unexpected ACK packets are generally recognized as bogus and            dropped. A solution to this quandary is to send both SYN and ACK            probes by specifying -PS and -PA.        -PU port list (UDP Ping) .            Another host discovery option is the UDP ping, which sends a UDP            packet to the given ports. For most ports, the packet will be            empty, though for a few a protocol-specific payload will be sent            that is more likely to get a response..  See the file payload.cc.            for exactly which ports have payloads. The --data-length.  option            sends a fixed-length random payload for all ports.            The port list takes the same format as with the previously            discussed -PS and -PA options. 
If no ports are specified, the            default is 40125. This default can be configured at compile-time by            changing DEFAULT_UDP_PROBE_PORT_SPEC.  in nmap.h..  A highly            uncommon port is used by default because sending to open ports is            often undesirable for this particular scan type.            Upon hitting a closed port on the target machine, the UDP probe            should elicit an ICMP port unreachable packet in return. This            signifies to Nmap that the machine is up and available. Many other            types of ICMP errors, such as host/network unreachables or TTL            exceeded are indicative of a down or unreachable host. A lack of            response is also interpreted this way. If an open port is reached,            most services simply ignore the empty packet and fail to return any            response. This is why the default probe port is 40125, which is            highly unlikely to be in use. A few services, such as the Character            Generator (chargen) protocol, will respond to an empty UDP packet,            and thus disclose to Nmap that the machine is available.            The primary advantage of this scan type is that it bypasses            firewalls and filters that only screen TCP. For example, I once            owned a Linksys BEFW11S4 wireless broadband router. The external            interface of this device filtered all TCP ports by default, but UDP            probes would still elicit port unreachable messages and thus give            away the device.        -PY port list (SCTP INIT Ping) .            This option sends an SCTP packet containing a minimal INIT chunk.            The default destination port is 80 (configurable at compile time by            changing DEFAULT_SCTP_PROBE_PORT_SPEC in nmap.h).  Alternate ports            can be specified as a parameter. The syntax is the same as for the            -p except that port type specifiers like S: are not allowed.            
           Examples are -PY22 and -PY22,80,179,5060. Note that there can be no space between -PY and the port list. If multiple probes are specified they will be sent in parallel.

           The INIT chunk suggests to the remote system that you are attempting to establish an association. Normally the destination port will be closed, and an ABORT chunk will be sent back. If the port happens to be open, the target will take the second step of an SCTP four-way-handshake by responding with an INIT-ACK chunk. If the machine running Nmap has a functional SCTP stack, then it tears down the nascent association by responding with an ABORT chunk rather than sending a COOKIE-ECHO chunk, which would be the next step in the four-way-handshake. The ABORT packet is sent by the kernel of the machine running Nmap in response to the unexpected INIT-ACK, not by Nmap itself.

           Nmap does not care whether the port is open or closed. Either the ABORT or INIT-ACK response discussed previously tells Nmap that the host is available and responsive.

           On Unix boxes, only the privileged user root is generally able to send and receive raw SCTP packets. Using SCTP INIT Pings is currently not possible for unprivileged users. The same limitation applies to IPv6, which is currently not supported for SCTP INIT Ping.

       -PE; -PP; -PM (ICMP Ping Types)
           In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts.
           Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

           While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standards (RFC 792[3] and RFC 950[4]) define further query types beyond echo, even though for some of them the guidance is that “a host SHOULD NOT implement these messages”. Timestamp and address mask queries can be sent with the -PP and -PM options, respectively. A timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available. These two queries can be valuable when administrators specifically block echo request packets while forgetting that other ICMP queries can be used for the same purpose.

       -PO protocol list (IP Protocol Ping)
           The newest host discovery option is the IP protocol ping, which sends IP packets with the specified protocol number set in their IP header. The protocol list takes the same format as do port lists in the previously discussed TCP, UDP and SCTP host discovery options. If no protocols are specified, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol 2), and IP-in-IP (protocol 4). The default protocols can be configured at compile-time by changing DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. Note that for ICMP, IGMP, TCP (protocol 6), UDP (protocol 17), and SCTP (protocol 132), the packets are sent with the proper protocol headers,
           while other protocols are sent with no additional data beyond the IP header (unless the --data-length option is specified).

           This host discovery method looks for either responses using the same protocol as a probe, or ICMP protocol unreachable messages which signify that the given protocol isn't supported on the destination host. Either type of response signifies that the target host is alive.

       -PR (ARP Ping)
           One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, especially those using private address ranges specified by RFC 1918[5], the vast majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware (ARP) address corresponding to the target IP so that it can properly address the ethernet frame. This is often slow and problematic, since operating systems weren't written with the expectation that they would need to do millions of ARP requests against unavailable hosts in a short time period.

           ARP scan puts Nmap and its optimized algorithms in charge of ARP requests. And if it gets a response back, Nmap doesn't even need to worry about the IP-based ping packets since it already knows the host is up. This makes ARP scan much faster and more reliable than IP-based scans. So it is done by default when scanning ethernet hosts that Nmap detects are on a local ethernet network. Even if different ping types (such as -PE or -PS) are specified, Nmap uses ARP instead for any of the targets which are on the same LAN. If you absolutely don't want to do an ARP scan, specify --send-ip.

       --traceroute (Trace path to host)
           Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel.

           Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches zero. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts. On average Nmap sends 5–10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (e.g., 192.168.0.0/24) Nmap may only have to send a single packet to most hosts.

       -n (No DNS resolution)
           Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.

       -R (DNS resolution for all targets)
           Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

       --system-dns (Use system DNS resolver)
           By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel to improve performance.
           Specify this option to use your system resolver instead (one IP at a time via the getnameinfo call). This is slower and rarely useful unless you find a bug in the Nmap parallel resolver (please let us know if you do). The system resolver is always used for IPv6 scans.

       --dns-servers server1[,server2[,...]] (Servers to use for reverse DNS queries)
           By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you are using --system-dns or an IPv6 scan. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.

           This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the network for port 53 (perhaps with version detection), then try Nmap list scans (-sL) specifying each name server one at a time with --dns-servers until you find one which works.

PORT SCANNING BASICS
       While Nmap has grown in functionality over the years, it began as an efficient port scanner, and that remains its core function. The simple command nmap target scans more than 1660 TCP ports on the host target. While many port scanners have traditionally lumped all ports into the open or closed states, Nmap is much more granular. It divides ports into six states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.
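       The six states above, as an added example that is not code from Nmap or from this page: a small Python model of how a scanner turns the replies to a probe (after its retransmissions) into one of these states. The -sS mapping is the one this page gives in its -sS entry; the -sU and -sA mappings follow Nmap's own documentation for those scan types and are an assumption here, since this page does not quote them. All replies are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# ICMP type 3 (destination unreachable) codes that -sS treats as "filtered",
# as listed in this page's -sS entry.
ICMP_UNREACH_FILTERED = frozenset({1, 2, 3, 9, 10, 13})

@dataclass(frozen=True)
class Reply:
    """One reply packet (constructed sample data). proto is 'tcp', 'udp' or
    'icmp'; flags holds TCP flag letters ('SA' = SYN/ACK, 'R' = RST)."""
    proto: str
    flags: str = ""
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

    def is_unreachable(self, codes=ICMP_UNREACH_FILTERED) -> bool:
        return (self.proto == "icmp" and self.icmp_type == 3
                and self.icmp_code in codes)

def first_reply(replies: Sequence[Optional[Reply]]) -> Optional[Reply]:
    """Nmap retransmits a probe several times; the first reply decides.
    An all-None sequence means nothing came back after the retries."""
    return next((r for r in replies if r is not None), None)

def syn_scan_state(replies: Sequence[Optional[Reply]]) -> str:
    """-sS: SYN/ACK -> open, RST -> closed, ICMP unreachable or silence -> filtered."""
    r = first_reply(replies)
    if r is None:
        return "filtered"
    if r.proto == "tcp" and "S" in r.flags and "A" in r.flags:
        return "open"
    if r.proto == "tcp" and "R" in r.flags:
        return "closed"
    if r.is_unreachable():
        return "filtered"
    raise ValueError(f"unexpected reply: {r}")

def udp_scan_state(replies: Sequence[Optional[Reply]]) -> str:
    """-sU (assumed from Nmap's -sU documentation, not quoted on this page):
    UDP data back -> open, ICMP port unreachable (3/3) -> closed, other ICMP
    unreachables -> filtered, silence -> open|filtered (open ports stay quiet)."""
    r = first_reply(replies)
    if r is None:
        return "open|filtered"
    if r.proto == "udp":
        return "open"
    if r.is_unreachable({3}):
        return "closed"
    if r.is_unreachable():
        return "filtered"
    raise ValueError(f"unexpected reply: {r}")

def ack_scan_state(replies: Sequence[Optional[Reply]]) -> str:
    """-sA (assumed from Nmap's -sA documentation): a RST shows the port is
    reachable but open and closed look alike -> unfiltered; ICMP unreachable
    or silence -> filtered."""
    r = first_reply(replies)
    if r is None or r.is_unreachable():
        return "filtered"
    if r.proto == "tcp" and "R" in r.flags:
        return "unfiltered"
    raise ValueError(f"unexpected reply: {r}")

# The same port seen from two vantage points (constructed replies): the state
# is the scanner's view, not a property of the port.
FROM_LAN = [Reply("tcp", flags="SA")]       # SYN/ACK on the first probe
FROM_INTERNET = [None, None, None]          # a firewall drops every retry
```

       Feeding FROM_LAN and FROM_INTERNET to syn_scan_state gives "open" and "filtered" for the same port, which is the vantage-point effect the next paragraph describes.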
       These states are not intrinsic properties of the port itself, but describe how Nmap sees them. For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a scan at the same time with the same options from across the Internet might show that port as filtered.

       The six port states recognized by Nmap

       open
           An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

       closed
           A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

       filtered
           Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information.
           Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

       unfiltered
           The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

       open|filtered
           Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.

       closed|filtered
           This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

PORT SCANNING TECHNIQUES
       As a novice performing automotive repair, I can struggle for hours trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to the task at hand. When I fail miserably and tow my jalopy to a real mechanic, he invariably fishes around in a huge tool chest until pulling out the perfect gizmo which makes the job seem effortless. The art of port scanning is similar.
       Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a given task. Inexperienced users and script kiddies, on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it.

       Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

       While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes.
       FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.

       This section documents the dozen or so port scan techniques supported by Nmap. Only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -sC, where C is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix) or if IPv6 targets were specified. Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans.

       -sS (TCP SYN scan)
           SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

           This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response.
           A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

       -sT (TCP connect scan)
           TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

           When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this