nmap quick notes

Nmap (short for “Network Mapper”) is a free and open-source utility designed for network discovery and security auditing. Created by Gordon Lyon (also known as Fyodor Vaskovich), Nmap is widely used by cybersecurity professionals, network administrators, and system administrators to map out networks, discover hosts and services, and assess network security.

Key Features

• Host Discovery: Identifies which devices are active on a network.
• Port Scanning: Enumerates open ports on target hosts, revealing which services are accessible.
• Service and Version Detection: Determines the application name and version running on open ports.
• Operating System Detection: Uses TCP/IP stack fingerprinting to infer the operating system and hardware characteristics of network devices.
• Scriptable Interaction: The Nmap Scripting Engine (NSE) allows users to write or use existing scripts for advanced service detection, vulnerability scanning, and automation.
• Network Inventory and Mapping: Helps maintain an up-to-date inventory of devices and services on a network.
• Firewall and Security Auditing: Assesses firewall configurations and identifies potential vulnerabilities.

nmap overview

There are 3 private IP ranges. Anything else is public.

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

There are a total of 6 different states for a scanned port we can obtain:

open
    The connection to the scanned port has been established. These can be TCP connections, UDP datagrams, or SCTP associations.

closed
    The port is shown as closed when the TCP packet we received back contains an RST flag. This scanning method can also be used to determine whether our target is alive.

filtered
    Nmap cannot tell whether the scanned port is open or closed, because either no response is returned from the target for the port or we get an error code from the target.

unfiltered
    This state only occurs during the TCP ACK scan (-sA) and means that the port is accessible, but it cannot be determined whether it is open or closed.

open|filtered
    If we do not get a response for a specific port, Nmap sets it to this state. It indicates that a firewall or packet filter may be protecting the port.

closed|filtered
    This state only occurs in IP ID idle scans and indicates that it was impossible to determine whether the scanned port is closed or filtered by a firewall.

Note that the default SYN scan is only set if nmap is run as root. Otherwise, the TCP scan (-sT) becomes the default.

Also note that the SYN scan opens only a partial TCP connection, which can cause instability on some target systems.

It is recommended to perform a quick port scan first. This causes significantly less traffic, which is advantageous for us because otherwise we can be discovered and blocked by the security mechanisms. First run a port scan, which shows all open ports (-p-). We can use the version scan to scan the specific ports for services and their versions (-sV).

Note that during long-running scans, you can press the space bar to make nmap show the scan status. Another option (--stats-every=5s) lets us define how often the status should be shown. We can also increase the verbosity level (-v / -vv), which shows us open ports directly as Nmap detects them.

Selecting the port

--top-ports=10    Scan the 10 most frequent ports
-p-               Scan all ports
-F                Scan the top 100 ports (fast port scan)

nmap sendto in send_packet operation not permitted

TCP segmentation offloading looks to have been the problem; you can disable it by installing ethtool and running:

ethtool -K eth0 rx off tx off gso off tso off

Might be worth reviewing what options have changed with this command:

ethtool --show-offload eth0

Any features you see there can be enabled/disabled by specifying them as an acronym (e.g. “generic-segmentation-offload” = “gso”).

Special note about Nmap, DNmap, Metasploit, and output options

dnmap can be used inside Metasploit to automatically insert results into the MSF database. However, even with the -oA option, nmap XML output is not generated. It is better to use nmap (within MSF) with -oA to generate all three output types, then import the results into MSF from the XML file.

Convert Nmap XML to HTML report

xsltproc <nmap-output.xml> -o <nmap-output.html>
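The XML written by -oX/-oA is also easy to post-process directly. As an added example (not part of the original notes), this Python snippet extracts the open ports and service versions from a constructed minimal nmap XML document and turns them into "product version" strings for the searchsploit lookups used later in these notes:

```python
"""Extract open ports and service versions from nmap XML output (-oX / -oA)."""
import xml.etree.ElementTree as ET  # for XML you did not generate yourself, prefer defusedxml
from typing import Dict, List

# Constructed minimal nmap XML document (not real scan output); the element
# layout (nmaprun > host > status/address/ports > port > state/service)
# is the one nmap writes.
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oA scan 10.129.2.0/24" version="7.80">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.129.2.28" addrtype="ipv4"/>
    <address addr="DE:AD:00:00:BE:EF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="closed" reason="reset"/>
        <service name="ftp"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.129.2.29" addrtype="ipv4"/>
  </host>
  <runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""


def open_services(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per open port on each host that was up."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document")
    records: List[Dict[str, object]] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that never answered carry no port data
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not interesting here
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            records.append({
                "host": ip,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
            })
    return records


def version_queries(records: List[Dict[str, object]]) -> List[str]:
    """Build de-duplicated 'product version' strings for searchsploit or CVE lookups."""
    queries: List[str] = []
    for rec in records:
        if not rec["product"]:
            continue  # nothing to look up without a product name
        query = f"{rec['product']} {rec['version']}".strip()
        if query not in queries:
            queries.append(query)
    return queries


if __name__ == "__main__":
    for rec in open_services(SAMPLE_XML):
        print(f"{rec['host']}:{rec['port']}/{rec['proto']} {rec['service']} "
              f"{rec['product']} {rec['version']}".rstrip())
    print("lookups:", version_queries(open_services(SAMPLE_XML)))
```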

Nmap command reference

db_nmap -sSUY -O -v -f -oA 212.164.0.0-255 -p 1-65535 --spoof-mac 0 -g 53 --data-length 0 -D RND -T2 212.164.0.0-255

-sSUY

SYN, UDP, and SCTP INIT scans combined

-sS

The default SYN scan (fast and fairly unobtrusive)

-sC

Script scan. Same as --script=default.

-sV

Probe open ports to determine service/version info. You can set --version-intensity <level> from 0 (light) to 9 (all probes).

-sA

ACK scan; somewhat harder for firewalls to filter (see Evading firewalls and IDS/IPS below).

-O

Scan for OS

-v

verbose output

-f

Fragment the packet

-oA

Output all formats, XML, Nmap, and Grepable

212.164.0.0-255 (after -oA)

The output file basename; these notes reuse the scanned range as the name

-p 1-65535

Port range to scan

-p-

Scan ports 1 – 65535

--spoof-mac 0

Spoof the MAC address (0 makes nmap pick a random one)

-g 53

Use source port 53 (dns)

--data-length 0

Append random data of the given length to sent packets (0 adds none)

-D

Spray with decoy packets. Remove if you think the scan is too noisy.

-T2

Normal scan speed. Use T1 to slow it down.

-Pn

Skip the ping step. Normally nmap pings the target first and if it gets a response it continues the scan for that target. This option tells nmap to skip the ping step and scan the target anyway.

IP ADDRESS

IP address to scan

Nmap examples

Scan a single port

nmap -p 22 192.168.1.1

Scan using TCP connect

nmap -sT 192.168.1.1

Scan using TCP SYN scan (default)

nmap -sS 192.168.1.1

Detect OS and services

nmap -A 192.168.1.1

DNS bruteforce

nmap -p 80 --script dns-brute.nse vulnweb.com

Traceroute Geolocation

nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com

Standard service detection

nmap -sV 192.168.1.1

More aggressive service detection

nmap -sV --version-intensity 5 192.168.1.1

Scan using safe scripts

nmap -sV -sC 192.168.1.1

Scan with set of scripts

nmap -sV --script="smb*" 192.168.1.1

Get HTTP headers of web services

nmap --script=http-headers 192.168.1.0/24

HTTP enumeration

nmap --script http-enum 192.168.10.55

Get information about IP address

nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24

Windows SMB OS discovery

nmap -p 445 --script smb-os-discovery 192.168.1.0/24

Windows SMB brute force

nmap -sV -p 445 --script smb-brute 192.168.1.101

Sample Nmap session

Scan tcp ports

db_nmap -Pn -sT -p- -oA 77.88.0.0x18 --min-rate 10000 77.88.0.0/18

or (save output, scan fast (-T4 – obtrusive), spoof mac)

db_nmap -Pn -sT -p- -O -v -f -oA 5.1.48.0x24 --spoof-mac 0 -g 53 -D RND -T4 5.1.48.0/24

Scan UDP ports

Note that since UDP is a stateless protocol and does not require the three-way handshake like TCP, it does not receive any acknowledgement. This makes UDP scans (-sU) much slower than a TCP scan (-sS).

db_nmap --privileged -Pn -sU -p- --min-rate 10000 $IP

or (save output, scan fast (-T4 – obtrusive), spoof mac)

db_nmap -Pn -sU -p- -O -v -f -oA 5.1.48.0x24 --spoof-mac 0 -g 53 -D RND -T2 5.1.48.0/24

Perform service enumeration, version detection, and script scan on the ports that were found.

db_nmap -Pn -sT -A -p 22,5000,50627 $IP

Or scan TCP and UDP at the same time

db_nmap -sTU -O -v -f -oA 5.1.48.0x24 --spoof-mac 0 -g 53 -D RND -T2 5.1.48.0/24

Then conduct vulnerability assessment

searchsploit openssh 7.2

Let’s say for example, we found a website running on one of the ports.

Check for common directories:

ffuf -u http://213.108.134.156:1027/FUZZ -w /home/XXXX/XXXX/XXXX/PasswordLists/directory-list-1.0.txt -e .php,.txt,.html -t 500 -ic -rate 1000 -r -c &> ffuf_213.108.134.156.txt

Nmap Vulnerability scans

You can view a description of a script with the --script-help option. Additionally, you can pass arguments to some scripts via the --script-args and --script-args-file options; the latter takes a filename rather than a command-line argument.

To perform a scan with most of the default scripts, use the -sC flag, or alternatively use --script=default.

vulscan

git clone https://github.com/scipag/vulscan scipag_vulscan
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan
nmap -sV --script=vulscan/vulscan.nse www.example.com

Nmap-vulners

cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git
nmap --script nmap-vulners/ -sV 11.22.33.44
nmap --script nmap-vulners/ -sV www.securitytrails.com
nmap --script nmap-vulners/,vulscan/ -sV yourwebsite.com

Nmap vuln

Runs all scripts in the vuln category, which check for a variety of known vulnerabilities.

nmap -Pn --script vuln 192.168.1.105

Bitcoin server scan

nmap -p 8333 --script bitcoin-getaddr 172.65.217.174

Vulnerable PHP versions

nmap -sV --script=http-php-version testphp.vulnweb.com
nmap -sV --script http-vuln-cve2012-1823 testphp.vulnweb.com

or

nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php testphp.vulnweb.com

Nmap scan by category

You can also load scripts from one category or from a comma-separated list of categories. In this example, we are using all scripts in the default and broadcast category to carry out a scan on the host 192.168.56.1.

$ nmap --script default,broadcast 192.168.56.1

The following list describes each category.

auth
    These scripts deal with authentication credentials; examples include x11-access, ftp-anon, and oracle-enum-users. Scripts which use brute force attacks to determine credentials are placed in the brute category instead.

broadcast
    Scripts in this category typically do discovery of hosts not listed on the command line by broadcasting on the local network. Use the newtargets script argument to allow these scripts to automatically add the hosts they discover to the Nmap scanning queue.

brute
    These scripts use brute force attacks to guess authentication credentials of a remote server. Nmap contains scripts for brute forcing dozens of protocols, including http-brute, oracle-brute, snmp-brute, etc.

default
    These scripts are the default set and are run when using the -sC or -A options rather than listing scripts with --script.

discovery
    These scripts try to actively discover more about the network by querying public registries, SNMP-enabled devices, directory services, and the like. Examples include html-title (obtains the title of the root path of web sites), smb-enum-shares (enumerates Windows shares), and snmp-sysdescr (extracts system details via SNMP).

dos
    Scripts in this category may cause a denial of service. Sometimes this is done to test vulnerability to a denial of service method, but more commonly it is an undesired but necessary side effect of testing for a traditional vulnerability. These tests sometimes crash vulnerable services.

exploit
    These scripts aim to actively exploit some vulnerability. Examples include jdwp-exec and http-shellshock.

external
    Scripts in this category may send data to a third-party database or other network resource. An example of this is whois-ip, which makes a connection to whois servers to learn about the address of the target.

fuzzer
    This category contains scripts which are designed to send server software unexpected or randomized fields in each packet. While this technique can be useful for finding undiscovered bugs and vulnerabilities in software, it is both a slow process and bandwidth intensive. An example of a script in this category is dns-fuzz, which bombards a DNS server with slightly flawed domain requests until either the server crashes or a user-specified time limit elapses.

intrusive
    These are scripts that cannot be classified in the safe category because the risks are too high that they will crash the target system, use up significant resources on the target host (such as bandwidth or CPU time), or otherwise be perceived as malicious by the target’s system administrators. Examples are http-open-proxy (which attempts to use the target server as an HTTP proxy) and snmp-brute (which tries to guess a device’s SNMP community string by sending common values such as public, private, and cisco).

malware
    These scripts test whether the target platform is infected by malware or backdoors. Examples include smtp-strangeport, which watches for SMTP servers running on unusual port numbers, and auth-spoof, which detects identd spoofing daemons which provide a fake answer before even receiving a query.

safe
    Scripts which weren’t designed to crash services, use large amounts of network bandwidth or other resources, or exploit security holes are categorized as safe. These are less likely to offend remote administrators. Most of these perform general network discovery. Examples are ssh-hostkey (retrieves an SSH host key) and html-title (grabs the title from a web page).

version
    The scripts in this special category are an extension to the version detection feature and cannot be selected explicitly. They are selected to run only if version detection (-sV) was requested. Their output cannot be distinguished from version detection output and they do not produce service or host script results. Examples are skypev2-version, pptp-version, and iax2-version.

vuln
    These scripts check for specific known vulnerabilities and generally only report results if they are found. Examples include realvnc-auth-bypass and afp-path-vuln.

Running scripts with nmap

First, use locate to get a list of available nmap scripts.

locate scripts/citrix

Then run the script using:

nmap --script <script name> -p<port> <host>

You can run the default scripts like this:

nmap <target> -sC

or by category:

nmap <target> --script <category>

Grabbing banners with nmap

Of course, you can use netcat to grab banners like this:

nc -nv 10.129.42.253 21

But you can also use this nmap command to do the same:

nmap -sV --script=banner <target>

Host discovery

Discover servers that are online using ICMP echo requests. Piping the output through grep for | cut -d" " -f5 strips the extraneous text, leaving only the IP addresses.

nmap 10.129.2.0/24 -sn | grep for | cut -d" " -f5

Scan using a server list

You can also scan using a list of servers, one server per line.

cat hosts.lst

10.129.2.4
10.129.2.10
10.129.2.11
10.129.2.18
10.129.2.19
10.129.2.20
10.129.2.28

Then feed this list to nmap like this:

nmap -sn -iL hosts.lst | grep for | cut -d" " -f5

10.129.2.18
10.129.2.19
10.129.2.20

Automatic host discovery

Here’s another method for host discovery. This simply helps determine whether the host is alive: -sn disables the port scan, so nmap only runs host discovery, by default with ICMP echo requests (-PE).

nmap 10.129.2.18 -sn

Display all packets sent and received by nmap

You can use --packet-trace to display all packets sent and received.

nmap 10.129.2.18 -sn -oA host -PE --packet-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up (0.023s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Here’s another example.

nmap 10.129.2.28 -p 21 --packet-trace -Pn -n --disable-arp-ping

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 15:39 CEST
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40  seq=0 win=0
Nmap scan report for 10.11.1.28
Host is up (0.014s latency).

PORT   STATE  SERVICE
21/tcp closed ftp
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

We can see from the SENT line that we (10.10.14.2) sent a TCP packet with the SYN flag (S) to our target (10.129.2.28). In the next RCVD line, we can see that the target responds with a TCP packet containing the RST and ACK flags (RA). RST and ACK flags are used to acknowledge receipt of the TCP packet (ACK) and to end the TCP session (RST).

Determine why nmap said a host was alive

Use the --reason flag to display why nmap reported the host as alive.

nmap 10.129.2.18 -sn -oA host -PE --reason

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST
SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

TTL hints at the OS

Different operating systems use different default TTL (Time to Live) values, which are used to prevent packets from endlessly circulating through a network. Windows typically defaults to 128, while Linux and other Unix-like systems often use 64. This difference in TTL can be used to identify the operating system of a responding device.

nmap 10.129.2.18 -sn -oA host -PE --packet-trace --disable-arp-ping

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:12 CEST
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
Nmap scan report for 10.129.2.18
Host is up (0.086s latency).
MAC Address: DE:AD:00:00:BE:EF
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
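The port-state table near the top of these notes, the SYN/RST exchange explained under --packet-trace, and the TTL rule above can all be applied mechanically to trace output. As an added example (not from the original notes), this Python parser reads constructed SENT/RCVD/CONN lines in the format nmap prints, classifies each probed port as open, closed or filtered, and estimates the target's initial TTL and hop distance; the 255 entry for network equipment is an assumption beyond the two defaults the notes mention:

```python
"""Derive port states and a TTL-based OS hint from nmap --packet-trace lines."""
import re
from typing import Dict, List, Optional

# Constructed sample (not a real capture): the lines copy the SENT/RCVD/CONN
# format nmap prints with --packet-trace, as shown earlier in these notes.
SAMPLE_TRACE = """\
SENT (0.0429s) TCP 10.10.14.2:63090 > 10.129.2.28:21 S ttl=56 id=57322 iplen=44  seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 10.129.2.28:21 > 10.10.14.2:63090 RA ttl=64 id=0 iplen=40  seq=0 win=0
SENT (0.0431s) TCP 10.10.14.2:63091 > 10.129.2.28:22 S ttl=56 id=57323 iplen=44  seq=1699105819 win=1024 <mss 1460>
RCVD (0.0580s) TCP 10.129.2.28:22 > 10.10.14.2:63091 SA ttl=64 id=0 iplen=44  seq=4242 win=64240 <mss 1460>
SENT (0.0433s) TCP 10.10.14.2:63092 > 10.129.2.28:25 S ttl=56 id=57324 iplen=44  seq=1699105820 win=1024 <mss 1460>
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
CONN (0.0401s) TCP localhost > 10.129.2.28:8080 => Connection refused
"""
# Constructed ICMP ping trace (--disable-arp-ping), as in the TTL section above.
SAMPLE_PING = """\
SENT (0.0107s) ICMP [10.10.14.2 > 10.129.2.18 Echo request (type=8/code=0) id=13607 seq=0] IP [ttl=255 id=23541 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
"""

TCP_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \([\d.]+s\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+) ttl=(?P<ttl>\d+)"
)
CONN_RE = re.compile(r"^CONN \([\d.]+s\) TCP \S+ > (?P<dst>[\d.]+):(?P<dport>\d+) => (?P<msg>.+)$")
TTL_RE = re.compile(r"ttl=(?P<ttl>\d+)")

# Initial TTLs: 64/128 are the Linux/Windows defaults named in the notes;
# 255 being typical of network equipment is an assumption for this example.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "other (often network equipment)"}


def port_states(trace: str, target: str) -> Dict[int, str]:
    """Apply the SYN-scan rules from the state table: SYN/ACK reply -> open,
    RST reply -> closed, no reply -> filtered. CONN lines from -sT are mapped too."""
    states: Dict[int, str] = {}
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            if m["dir"] == "SENT" and m["dst"] == target:
                states.setdefault(int(m["dport"]), "filtered")  # until a reply shows up
            elif m["dir"] == "RCVD" and m["src"] == target:
                flags, port = m["flags"], int(m["sport"])
                if "S" in flags and "A" in flags:
                    states[port] = "open"
                elif "R" in flags:
                    states[port] = "closed"
            continue
        c = CONN_RE.match(line)
        if c and c["dst"] == target:
            if c["msg"] == "Connected":
                states[int(c["dport"])] = "open"
            elif "refused" in c["msg"]:
                states[int(c["dport"])] = "closed"
    return states


def ttl_hint(trace: str, target: str) -> Optional[Dict[str, object]]:
    """Guess the target's initial TTL (and hop distance) from the TTLs it sent back."""
    from_target = re.compile(rf"[\[ ]{re.escape(target)}(?::\d+)? > ")
    ttls: List[int] = []
    for line in trace.splitlines():
        if line.startswith("RCVD") and from_target.search(line):
            t = TTL_RE.search(line)
            if t:
                ttls.append(int(t["ttl"]))
    if not ttls:
        return None
    observed = max(ttls)  # the largest value is closest to what the host set
    initial = next(i for i in sorted(INITIAL_TTLS) if i >= observed)
    return {"observed_ttl": observed, "initial_ttl": initial,
            "hops": initial - observed, "os_hint": INITIAL_TTLS[initial]}


if __name__ == "__main__":
    print(port_states(SAMPLE_TRACE, "10.129.2.28"))
    print(ttl_hint(SAMPLE_TRACE, "10.129.2.28"))
    print(ttl_hint(SAMPLE_PING, "10.129.2.18"))
```

Feed it the saved output of a real --packet-trace run and the same rules reproduce the STATE column nmap prints, which is a quick way to sanity-check a scan whose results look off.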

Highly accurate Connect Scan (full TCP connect scan)

The option -sT requests a full TCP three-way handshake (SYN -> SYN-ACK -> RST) and is considered to be highly accurate. However, it creates logs on most systems and is easily detected by IDS/IPS solutions. It is also useful for personal firewalls that typically drop all incoming connections (but allow all outgoing packets).

nmap 10.129.2.28 -p 443 --packet-trace --disable-arp-ping -Pn -n --reason -sT

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 16:26 CET
CONN (0.0385s) TCP localhost > 10.129.2.28:443 => Operation now in progress
CONN (0.0396s) TCP localhost > 10.129.2.28:443 => Connected
Nmap scan report for 10.129.2.28
Host is up, received user-set (0.013s latency).

PORT    STATE SERVICE REASON
443/tcp open  https   syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Nmap performance

Scanning performance plays a significant role when we need to scan an extensive network or are dealing with low network bandwidth. We can use various options to tell Nmap how fast to scan (-T <0-5>), how many probes to run in parallel (--min-parallelism <number>), which timeouts the probe packets should have (--max-rtt-timeout <time>), how many packets to send per second (--min-rate <number>), and how many retries (--max-retries <number>) to attempt for the scanned ports.

Timeouts

The default initial RTT timeout is 100ms. By lowering it you can reduce the scan time, but note that this comes at the expense of accuracy.

Original request

sudo nmap 10.129.2.0/24 -F

<SNIP>
Nmap done: 256 IP addresses (10 hosts up) scanned in 39.44 seconds

Tuned request

sudo nmap 10.129.2.0/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

<SNIP>
Nmap done: 256 IP addresses (8 hosts up) scanned in 12.29 seconds

Retries

The default number of retries is 10, but you can reduce it (--max-retries) to 1 or even 0 to reduce scan time. Note that this comes at the expense of accuracy though.

Evading firewalls and IDS/IPS

Nmap’s TCP ACK scan (-sA) is much harder for firewalls and IDS/IPS systems to filter than regular SYN (-sS) or Connect (-sT) scans, because it sends a TCP packet with only the ACK flag set. Whether a port is closed or open, the host must respond with an RST flag. Unlike outgoing connections, all connection attempts (with the SYN flag) from external networks are usually blocked by firewalls. However, packets with the ACK flag are often passed by the firewall because it cannot determine whether the connection was first established from the external network or the internal network.

ACK scan

sudo nmap 10.129.2.28 -p 21,22,25 -sA -Pn -n --disable-arp-ping --packet-trace

Using different source IP address

You can scan using different source IP addresses to see if you can get better results.

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

DNS proxying

Sending probes from source port 53 (DNS) may also help bypass detection.

sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53

Similarly, if you find port 53 is allowed (because the admins did not filter it), you can specify that port in a NCat connection to test it out.

ncat -nv --source-port 53 10.129.2.28 50000

Complete options reference

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN, TCP ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80