Command-line Flags | Nmap Network Scanning (2024)


Command-line Flags

While the tutorial showed how simple executing an Nmap port scan can be, dozens of command-line flags are available to make the system more powerful and flexible. This section covers only options that relate to port scans, and often describes only the port-scanning-related functionality of those options. See Chapter 15, Nmap Reference Guide for a comprehensive list of option flags and everything they do.

Selecting Scan Techniques

One of the first considerations when contemplating a port scan is deciding what techniques to use. Nmap offers about a dozen such methods and this section provides a brief summary of them. Full coverage comes in the next chapter. Only one scan method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -s<C>, where <C> is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix) or if IPv6 targets were specified.

Port scanning methods supported by Nmap

TCP SYN (Stealth) Scan (-sS)

This is far and away the most popular scan type because it is the fastest way to scan ports of the most popular protocol (TCP). It is stealthier than connect scan, and it works against all functional TCP stacks (unlike some special-purpose scans such as FIN scan).

TCP Connect Scan (-sT)

Connect scan uses the system call of the same name to scan machines, rather than relying on raw packets as most of the other methods do. It is usually used by unprivileged Unix users and against IPv6 targets because SYN scan doesn't work in those cases.

UDP Scan (-sU)

Don't forget UDP ports—they offer plenty of security holes too.

TCP FIN, NULL, and Xmas Scans (-sF, -sN, -sX)

These special purpose scan types are adept at sneaking past firewalls to explore the systems behind them. Unfortunately they rely on target behavior that some systems (particularly Windows variants) don't exhibit.

TCP ACK Scan (-sA)

ACK scan is commonly used to map out firewall rulesets. In particular, it helps understand whether firewall rules are stateful or not. The downside is that it cannot distinguish open from closed ports.

TCP Window Scan (-sW)

Window scan is like ACK scan, except that it is able to detect open versus closed ports against certain machines.

TCP Maimon Scan (-sM)

This obscure firewall-evading scan type is similar to a FIN scan, but includes the ACK flag as well. This allows it to get by more packet filtering firewalls, with the downside that it works against even fewer systems than FIN scan does.

TCP Idle Scan (-sI <zombie host>)

Idle scan is the stealthiest scan type of all, and can sometimes exploit trusted IP address relationships. Unfortunately, it is also slow and complex.

IP Protocol Scan (-sO)

Protocol scan determines which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machine. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the -p option to select scanned protocol numbers, reports its results with the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.

TCP FTP Bounce Scan (-b <FTP bounce proxy>)

This deprecated scan type tricks FTP servers into performing port scans by proxy. Most FTP servers are now patched to prevent this, but it is a good way to sneak through restrictive firewalls when it works.

Selecting Ports to Scan

Nmap's port registration file (nmap-services) contains empirical data about how frequently each TCP or UDP port is found to be open. This data was collected by scanning tens of millions of Internet addresses, then combining those results with internal scan data contributed by large enterprises. By default, Nmap scans the 1,000 most popular ports of each protocol it is asked to scan. Alternatively, you can specify the -F (fast) option to scan only the 100 most common ports in each protocol, or --top-ports to specify an arbitrary number of ports to scan.

When none of these canned port sets suit your needs, an arbitrary list of port numbers can be specified on the command-line with the -p option. The syntax of the -p option can be complex, and is best described with examples.

Port selection examples with the -p option

-p 22

Scan a single port (in this case port 22) by specifying just that number as the -p argument.

-p ssh

Port names may be specified rather than numbers. Note that a name may match multiple ports.

-p 22,25,80

Multiple ports may be separated with commas. Note that no protocol is specified, so these same port numbers will be used for whatever scan methods are specified on the command-line. If a TCP scan such as SYN scan (-sS) is specified, TCP ports 22, 25, and 80 are scanned. Those correspond to the services SSH, SMTP, and HTTP, respectively. If a UDP scan is selected (-sU), those three UDP ports are scanned. If both are specified, those three ports are scanned for each protocol, for a total of six scanned ports. With IP protocol scan (-sO), those three IP protocols (corresponding to XNS IDP, Leaf-1, and ISO-IP) are scanned.

-p80-85,443,8000-8005,8080-8085

Port ranges may be specified by separating the beginning and end port with a hyphen. Multiple ranges or individual ports can be specified with commas. This option scans ports 80, 81, 82, 83, 84, 85, 443, 8000, etc. Based on the port numbers, this user is probably scanning TCP and looking for web servers.

-p-100,60000-

You can omit the beginning of a range to imply port one, or the end to imply the last port possible (65535 for TCP and UDP, 255 for protocol scan). This example scans ports one through 100, and all ports greater or equal to 60,000.

-p-

Omit beginning and end numbers to scan the whole range (excluding zero).

-pT:21,23,110,U:53,111,137,161

Separate lists of TCP and UDP ports can be given by preceding the lists with T: (for TCP) or U: (for UDP). This example scans three TCP ports (FTP, Telnet, and POP3), and four UDP services (DNS, rpcbind, NetBIOS, and SNMP). Specifying both TCP and UDP ports only matters if you also tell Nmap to do a UDP scan (-sU) and one of the TCP scan methods, such as -sS, -sA, or -sF.

-p http*

Wildcards may be used to match ports with similar names. This expression matches eight port numbers, including http (80), http-mgmt (280), https (443), and http-proxy (8080). Depending on your command shell, you may need to escape the asterisk so it isn't treated as a filename glob.

-p 1-1023,[1024-]

Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services. In this example, all the reserved ports (1–1,023) are scanned, plus all the higher ports registered in nmap-services. That was Nmap's default behavior before nmap-services was augmented with open port frequency data for more precise selection.
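The -p forms walked through above (single numbers, comma lists, hyphen ranges with an omitted start or end, T:/U: prefixes, and bracketed ranges limited to registered ports) can be expressed as a small parser. This is an added example, not Nmap's own code; the NMAP_SERVICES table is a constructed stand-in for the real nmap-services file, and service names and wildcards are left out.

```python
"""Parser for Nmap-style -p port specifications (added example, not Nmap's code)."""
import re

# Constructed stand-in for the nmap-services registry: protocol -> port -> name.
NMAP_SERVICES = {
    "tcp": {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
            110: "pop3", 443: "https", 8080: "http-proxy"},
    "udp": {53: "domain", 111: "rpcbind", 137: "netbios-ns", 161: "snmp"},
}

MAX_PORT = 65535


def _expand_item(item: str, proto: str, registered_only: bool) -> set[int]:
    """Expand one element such as '22', '80-85', '-100', '60000-' or '-'."""
    m = re.fullmatch(r"(\d*)-(\d*)|(\d+)", item)
    if not m:
        raise ValueError(f"unsupported port element: {item!r}")
    if m.group(3) is not None:
        lo = hi = int(m.group(3))
    else:
        lo = int(m.group(1)) if m.group(1) else 1         # omitted start implies port 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT  # omitted end implies 65535
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {item!r}")
    ports = set(range(lo, hi + 1))
    if registered_only:
        # '[a-b]' keeps only ports present in the (constructed) services table.
        ports &= set(NMAP_SERVICES[proto])
    return ports


def parse_port_spec(spec: str) -> dict[str, set[int]]:
    """Return {'tcp': {...}, 'udp': {...}} for the argument given to -p.

    Numbers before any T:/U: prefix apply to both protocols, matching Nmap's
    behaviour of using the same numbers for whichever scan types are requested.
    """
    result: dict[str, set[int]] = {"tcp": set(), "udp": set()}
    current = ("tcp", "udp")  # no prefix seen yet: numbers apply to every protocol
    # Tokenise on commas but keep '[...]' groups whole so '[1024-]' is one item.
    for token in re.findall(r"[TU]:|\[[^\]]*\]|[^,\[\]]+", spec.replace(" ", "")):
        if token == "T:":
            current = ("tcp",)
            continue
        if token == "U:":
            current = ("udp",)
            continue
        bracketed = token.startswith("[")
        body = token[1:-1] if bracketed else token
        for part in body.split(","):
            for proto in current:
                result[proto] |= _expand_item(part, proto, bracketed)
    return result
```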

Timing-related Options

Port scanning is often the most time consuming part of an Nmap scan (which might also include OS detection, version detection, and NSE scripts). While Nmap tries to be quick and efficient by default, manual optimization often helps. Nmap offers dozens of options for tailoring scan intensity and speed to match your exact needs. This section lists the most important options for optimizing port scan times. Options which take an amount of time are in seconds by default, or you may append ms (milliseconds), s (seconds), m (minutes), or h (hours) to the value. For further details on any of these options, see the section called “Timing and Performance”. A much more thorough treatment, with examples and best practices for improving Nmap performance, is available in Chapter 6, Optimizing Nmap Performance.

Top port scan performance options

-T0 through -T5

These timing templates affect many variables, offering a simple way to adjust overall Nmap speed from very slow (-T0) to extremely aggressive (-T5). A timing template may be combined with the more granular options described below, and the most granular option takes precedence.

--min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout

The minimum, maximum, and initial amount of time that Nmap will wait for a port scan probe response.

--host-timeout

Asks Nmap to give up on hosts that take more than the given amount of time to scan.

--min-rate, --max-rate

Sets the floor and ceiling, respectively, to the number of probe packets Nmap sends per second.

--max-retries

Specifies the maximum number of port scan probe retransmissions to a single port.

--min-hostgroup, --max-hostgroup

Sets the minimum and maximum number of hosts that Nmap will port scan in parallel.

--min-parallelism, --max-parallelism

Limits the minimum or maximum number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding.

--scan-delay, --max-scan-delay

Asks Nmap to wait at least the given amount of time between sending probes to any individual host. The scan delay can grow as Nmap detects packet loss, so a maximum may be specified with --max-scan-delay.

Output Format and Verbosity Options

Nmap offers the ability to write its reports in its standard format, a simple line-oriented grepable format, or XML. These reports are enabled with the -oN (normal), -oG (grepable), and -oX (XML) options. Each option takes a filename, and they may be combined to output in several formats at once. Several options are also available to increase output verbosity. This section lists the most important output-related options and how they apply to port scanning. For further details on any of these options, see the section called “Output”. A much more thorough treatment of output options and formats, with many examples, is available in Chapter 13, Nmap Output Formats.

Top Nmap output options applicable to port scans

-v

Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity.

-d

Increases the debugging level, causing Nmap to print out details about its operation that can be useful for tracking down bugs or simply understanding how it works. Higher levels result in massive amounts of data. Using the option once sets the debugging level to one, and it is incremented for each additional -d. Or you may follow the -d with the desired level, as in -d5. If you don't see enough information, try a higher level. The maximum effective level is nine. If your screen is flooded with too much debugging data, reduce the level. Reducing scan intensity, such as the number of ports or targets scanned and the features used, can also help to isolate only the debug messages you want.

--packet-trace

Causes Nmap to print a summary of every packet sent or received. This is often used for debugging, but is also a valuable way for new users to understand exactly what Nmap is doing under the covers. To avoid printing thousands of lines, you may want to specify a limited number of ports to scan, such as -p20-30.

-oN <filename> (normal output)

Write output in Nmap's normal format to <filename>. This format is roughly the same as the standard interactive output printed by Nmap at runtime.

-oX <filename> (XML output)

Write output in Nmap's XML format to <filename>. Normal (human readable) output will still be printed to stdout unless you ask for XML to be directed there by specifying - as <filename>. This is the preferred format for use by scripts and programs that process Nmap results.

-oG <filename> (grepable format output)

Write output in Nmap's so-called grepable format to <filename>. This tabular format fits the output of each host on a single line, making it easy to grep for open ports, certain operating systems, application names, or other data. Normal output will still be printed to stdout unless you ask for the grepable output to be directed there by specifying - as <filename>. While this format works well for parsing with simple grep and awk command-lines, significant scripts and programs should use the XML output instead. The XML format contains substantial information that grepable format has no place for, and extensibility makes XML easier to update with new information without breaking tools that rely on it.

-oA <basename> (output to all formats)

As a convenience, you may specify -oA <basename> to store scan results in normal, XML, and grepable formats at once. They are stored in <basename>.nmap, <basename>.xml, and <basename>.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/ on Unix or c:\hacking\sco on Windows.

--resume <filename>

Resume an aborted scan by specifying the normal (-oN) or grepable (-oG) output file which was created during the ill-fated scan. Don't use any options other than --resume, as Nmap will use the ones specified in the output file. It then parses the file and resumes scanning (and logging to the file) at the host which the previous Nmap execution was working on when it ceased.

--append-output

Tells Nmap to append scan results to any output files specified (with arguments such as -oN or -oX) rather than overwriting them.

--open

Only show hosts that have open ports, and only show the open ports for those. Here, open ports are any ports that have the possibility of being open, which includes open, open|filtered, and unfiltered.
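To show why the text steers scripts toward -oX while -oG remains handy for one-liners, here is an added example (not Nmap's own code) that pulls the "possibly open" ports (the same open, open|filtered and unfiltered states that --open reports) out of both formats for one host. The XML document and the grepable line are constructed to mirror the elements and fields Nmap emits; they are not real scan results.

```python
"""Extract possibly-open ports from -oX and -oG output (added example, not Nmap's code)."""
import re
import xml.etree.ElementTree as ET

# Constructed -oX document for one host; the real file carries many more attributes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -p T:22,80,U:53 --reason -oX - 192.0.2.10">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/><service name="domain"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed -oG line for the same host: one host per line, tab-separated fields,
# each port written as port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, "
                "53/open|filtered/udp//domain///\tIgnored State: filtered (997)")

# The states --open treats as possibly open.
POSSIBLY_OPEN = {"open", "open|filtered", "unfiltered"}


def open_ports_from_xml(xml_text: str) -> dict[str, list[tuple[str, int, str]]]:
    """Map each host address to its (protocol, port, state) entries that may be open."""
    root = ET.fromstring(xml_text)
    results: dict[str, list[tuple[str, int, str]]] = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state in POSSIBLY_OPEN:
                entries.append((port.get("protocol"), int(port.get("portid")), state))
        results[addr] = entries
    return results


def open_ports_from_gnmap(line: str) -> list[tuple[str, int, str]]:
    """Parse the 'Ports:' field of one grepable-output line with plain string handling."""
    m = re.search(r"Ports: ([^\t]*)", line)
    if not m:
        return []
    entries = []
    for item in m.group(1).split(", "):
        port, state, proto = item.split("/")[:3]
        if state in POSSIBLY_OPEN:
            entries.append((proto, int(port), state))
    return entries
```

The grepable parser only sees what fits on the line; the XML parser can also read the reason attribute that --reason adds, which is the kind of detail the grepable format has no field for.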

Firewall and IDS Evasion Options

Nmap offers many options for sneaking past IDSs undetected or evading firewall rules. For an overview, see the section called “Firewall/IDS Evasion and Spoofing”. For a comprehensive look at firewall and IDS evasion techniques, along with practical examples, see Chapter 10, Detecting and Subverting Firewalls and Intrusion Detection Systems.

Specifying Targets

To scan a single host (or a few of them), simply add their names or IP addresses to the end of your Nmap command line. Nmap also has a structured syntax to make scanning large networks easy. You can give Nmap a file listing targets, or even ask Nmap to generate them randomly. This is all described in the section called “Specifying Target Hosts and Networks”.

Miscellaneous Options

Here are some options that can be quite handy even though they don't fit into specific categories. The descriptions focus on how each option relates to port scanning. See Chapter 15, Nmap Reference Guide for more comprehensive coverage of each option.

-6

Asks Nmap to scan the target using the IPv6 protocol. This process is described in the section called “IPv6 Scanning (-6)”.

-r

Nmap randomizes the port scan order by default to make detection slightly harder. The -r option causes them to be scanned in numerical order instead.

-Pn

Tells Nmap to skip the ping test and simply scan every target host provided. Other options for controlling host discovery are described in Chapter 3, Host Discovery (“Ping Scanning”).

--reason

Adds a column to the interesting ports table which describes why Nmap classified a port as it did.


