Nmap/Options
Options
- Target Specification
- Host Discovery
- Scan Techniques
- Port Specification and Scan Order
- Service/Version Detection
- Script Scan
- OS Detection
- Timing and Performance
- Firewall/IDS Evasion and Spoofing
- Output
- Misc
Targets
Argument | Parameter | Description | Example |
---|---|---|---|
Hostnames | IP addresses, networks, ... | | scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 |
-iL | <inputfilename> | Input from list of hosts/networks | |
-iR | <num hosts> | Choose random targets | |
--exclude | <host1[,host2][,host3],...> | Exclude hosts/networks | |
--excludefile | <exclude_file> | Exclude list from file | |
Host Discovery
Argument | Parameter | Description |
---|---|---|
-sL | | List Scan: simply list targets to scan |
-sP | | Ping Scan: go no further than determining if host is online |
-PN | | Treat all hosts as online -- skip host discovery |
-PS/PA/PU | [portlist] | TCP SYN/ACK or UDP discovery to given ports |
-PE/PP/PM | | ICMP echo, timestamp, and netmask request discovery probes |
-PO | [protocol list] | IP Protocol Ping |
-n/-R | | Never do DNS resolution/Always resolve [default: sometimes] |
--dns-servers | <serv1[,serv2],...> | Specify custom DNS servers |
--system-dns | | Use OS's DNS resolver |
--traceroute | | Trace hop path to each host |
Scan Techniques
Argument | Parameter | Description |
---|---|---|
-sS/sT/sA/sW/sM | | TCP SYN/Connect()/ACK/Window/Maimon scans |
-sU | | UDP Scan |
-sN/sF/sX | | TCP Null, FIN, and Xmas scans |
--scanflags | <flags> | Customize TCP scan flags |
-sI | <zombie host[:probeport]> | Idle scan |
-sO | | IP protocol scan |
-b | <FTP relay host> | FTP bounce scan |
Port Specification
Argument | Parameter | Description | Example |
---|---|---|---|
-p | <port ranges> | Only scan specified ports | -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 |
-F | | Fast mode - Scan fewer ports than the default scan | |
-r | | Scan ports consecutively - don't randomize | |
--top-ports | <number> | Scan <number> most common ports | |
--port-ratio | <ratio> | Scan ports more common than <ratio> | |
Service/Version Detection
Argument | Parameter | Description | Example |
---|---|---|---|
-sV | | Probe open ports to determine service/version info | |
--version-intensity | <level> | Set from 0 (light) to 9 (try all probes) | |
--version-light | | Limit to most likely probes (intensity 2) | |
--version-all | | Try every single probe (intensity 9) | |
--version-trace | | Show detailed version scan activity (for debugging) | |
Script Scan
Argument | Parameter | Description | Example |
---|---|---|---|
-sC | | Equivalent to --script=default | |
--script | <Lua scripts> | <Lua scripts> is a comma-separated list of directories, script files or script categories | |
--script-args | =<n1=v1,[n2=v2,...]> | Provide arguments to scripts | |
--script-trace | | Show all data sent and received | |
--script-updatedb | | Update the script database | |
OS Detection
OS fingerprinting (German: "Betriebssystem-Fingerabdruck").
Argument | Parameter | Description |
---|---|---|
-O | | Enable OS detection |
--osscan-limit | | Limit OS detection to promising targets |
--osscan-guess | | Guess OS more aggressively |
Timing and Performance
Argument | Parameter | Description |
---|---|---|
Options which take | | |
-T | <0-5> | Set timing template (higher is faster) |
--min-hostgroup/max-hostgroup | <size> | Parallel host scan group sizes |
--min-parallelism/max-parallelism | <numprobes> | Probe parallelization |
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout | | |
--max-retries | <tries> | Caps number of port scan probe retransmissions |
--host-timeout | | |
--scan-delay/--max-scan-delay | | |
--min-rate | <number> | Send packets no slower than <number> per second |
--max-rate | <number> | Send packets no faster than <number> per second |
Firewall/IDS Evasion and Spoofing
Argument | Parameter | Description |
---|---|---|
-f; --mtu | <val> | Fragment packets (optionally w/given MTU) |
-D | <decoy1,decoy2[,ME],...> | Cloak a scan with decoys |
-S | <IP_Address> | Spoof source address |
-e | <iface> | Use specified interface |
-g/--source-port | <portnum> | Use given port number |
--data-length | <num> | Append random data to sent packets |
--ip-options | <options> | Send packets with specified IP options |
--ttl | <val> | Set IP time-to-live field |
--spoof-mac | <mac address/prefix/vendor name> | Spoof your MAC address |
--badsum | | Send packets with a bogus TCP/UDP checksum |
Output
Argument | Parameter | Description |
---|---|---|
-oN/-oX/-oS/-oG | <file> | Output scan in normal, XML, s\|<rIpt kIddi3, and Grepable format, respectively, to the given filename |
-oA | <basename> | Output in the three major formats at once |
-v | | Increase verbosity level (use twice or more for greater effect) |
-d | [level] | Set or increase debugging level (up to 9 is meaningful) |
--reason | | Display the reason a port is in a particular state |
--open | | Only show open (or possibly open) ports |
--packet-trace | | Show all packets sent and received |
--iflist | | Print host interfaces and routes (for debugging) |
--log-errors | | Log errors/warnings to the normal-format output file |
--append-output | | Append to rather than clobber specified output files |
--resume | <filename> | Resume an aborted scan |
--stylesheet | <path/URL> | XSL stylesheet to transform XML output to HTML |
--webxml | | Reference stylesheet from Nmap.Org for more portable XML |
--no-stylesheet | | Prevent associating of XSL stylesheet w/XML output |
MISC
MISC ("Minimal instruction set computer", English for a computer with a minimal instruction set).
Argument | Parameter | Description |
---|---|---|
-6 | | Enable IPv6 scanning |
-A | | Enables OS detection and version detection, script scanning and traceroute |
--datadir | <dirname> | Specify custom Nmap data file location |
--send-eth/--send-ip | | Send using raw ethernet frames or IP packets |
--privileged | | Assume that the user is fully privileged |
--unprivileged | | Assume the user lacks raw socket privileges |
-V | | Print version number |
-h | | Print this help summary page |