Options
Targets

| Argument | Parameter | Description / Example |
|---|---|---|
| Hostnames | IP addresses, Networks, ... | scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 |
| -iL | <inputfilename> | Input from list of hosts/networks |
| -iR | <num hosts> | Choose random targets |
| --exclude | <host1[,host2][,host3],...> | Exclude hosts/networks |
| --excludefile | <exclude_file> | Exclude list from file |

Host Discovery

| Argument | Parameter | Description |
|---|---|---|
| -sL | | List Scan: simply list targets to scan |
| -sP | | Ping Scan: go no further than determining if host is online |
| -PN | | Treat all hosts as online -- skip host discovery |
| -PS/PA/PU | [portlist] | TCP SYN/ACK or UDP discovery to given ports |
| -PE/PP/PM | | ICMP echo, timestamp, and netmask request discovery probes |
| -PO | [protocol list] | IP Protocol Ping |
| -n/-R | | Never do DNS resolution/Always resolve [default: sometimes] |
| --dns-servers | <serv1[,serv2],...> | Specify custom DNS servers |
| --system-dns | | Use OS's DNS resolver |
| --traceroute | | Trace hop path to each host |

Scan Techniques

| Argument | Parameter | Description |
|---|---|---|
| -sS/sT/sA/sW/sM | | TCP SYN/Connect()/ACK/Window/Maimon scans |
| -sU | | UDP Scan |
| -sN/sF/sX | | TCP Null, FIN, and Xmas scans |
| --scanflags | <flags> | Customize TCP scan flags |
| -sI | <zombie host[:probeport]> | Idle scan |
| -sO | | IP protocol scan |
| -b | <FTP relay host> | FTP bounce scan |

Port Specification

| Argument | Parameter | Description | Example |
|---|---|---|---|
| -p | <port ranges> | Only scan specified ports | -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 |
| -F | | Fast mode - Scan fewer ports than the default scan | |
| -r | | Scan ports consecutively - don't randomize | |
| --top-ports | <number> | Scan <number> most common ports | |
| --port-ratio | <ratio> | Scan ports more common than <ratio> | |

Service/Version Detection

| Argument | Parameter | Description | Example |
|---|---|---|---|
| -sV | | Probe open ports to determine service/version info | |
| --version-intensity | <level> | Set from 0 (light) to 9 (try all probes) | |
| --version-light | | Limit to most likely probes (intensity 2) | |
| --version-all | | Try every single probe (intensity 9) | |
| --version-trace | | Show detailed version scan activity (for debugging) | |

Script Scan

| Argument | Parameter | Description | Example |
|---|---|---|---|
| -sC | | equivalent to --script=default | |
| --script | <Lua scripts> | <Lua scripts> is a comma separated list of directories, script-files or script-categories | |
| --script-args | =<n1=v1,[n2=v2,...]> | provide arguments to scripts | |
| --script-trace | | Show all data sent and received | |
| --script-updatedb | | Update the script database | |

OS Detection

OS fingerprinting

| Argument | Parameter | Description |
|---|---|---|
| -O | | Enable OS detection |
| --osscan-limit | | Limit OS detection to promising targets |
| --osscan-guess | | Guess OS more aggressively |

Timing and Presentation

Options which take

| Argument | Parameter | Description |
|---|---|---|
| -T | <0-5> | Set timing template (higher is faster) |
| --min-hostgroup/max-hostgroup | <size> | Parallel host scan group sizes |
| --min-parallelism/max-parallelism | <numprobes> | Probe parallelization |
| --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout | | |
| --max-retries | <tries> | Caps number of port scan probe retransmissions. |
| --host-timeout | | |
| --scan-delay/--max-scan-delay | | |
| --min-rate | <number> | Send packets no slower than <number> per second |
| --max-rate | <number> | Send packets no faster than <number> per second |

Firewall/IDS Evasion and Spoofing

| Argument | Parameter | Description |
|---|---|---|
| -f; --mtu | <val> | fragment packets (optionally w/given MTU) |
| -D | <decoy1,decoy2[,ME],...> | Cloak a scan with decoys |
| -S | <IP_Address> | Spoof source address |
| -e | <iface> | Use specified interface |
| -g/--source-port | <portnum> | Use given port number |
| --data-length | <num> | Append random data to sent packets |
| --ip-options | <options> | Send packets with specified ip options |
| --ttl | <val> | Set IP time-to-live field |
| --spoof-mac | <mac address/prefix/vendor name> | Spoof your MAC address |
| --badsum | | Send packets with a bogus TCP/UDP checksum |

Output

| Argument | Parameter | Description |
|---|---|---|
| | | <rIpt kIddi3,and Grepable format, respectively, to the given filename. |
| -oA | <basename> | Output in the three major formats at once |
| -v | | Increase verbosity level (use twice or more for greater effect) |
| -d | [level] | Set or increase debugging level (Up to 9 is meaningful) |
| --reason | | Display the reason a port is in a particular state |
| --open | | Only show open (or possibly open) ports |
| --packet-trace | | Show all packets sent and received |
| --iflist | | Print host interfaces and routes (for debugging) |
| --log-errors | | Log errors/warnings to the normal-format output file |
| --append-output | | Append to rather than clobber specified output files |
| --resume | <filename> | Resume an aborted scan |
| --stylesheet | <path/URL> | XSL stylesheet to transform XML output to HTML |
| --webxml | | Reference stylesheet from Nmap.Org for more portable XML |
| --no-stylesheet | | Prevent associating of XSL stylesheet w/XML output |

MISC

| Argument | Parameter | Description |
|---|---|---|
| -6 | | Enable IPv6 scanning |
| -A | | Enables OS detection and Version detection, Script scanning and Traceroute |
| --datadir | <dirname> | Specify custom Nmap data file location |
| --send-eth/--send-ip | | Send using raw ethernet frames or IP packets |
| --privileged | | Assume that the user is fully privileged |
| --unprivileged | | Assume the user lacks raw socket privileges |
| -V | | Print version number |
| -h | | Print this help summary page. |