Nmap: service and OS detection, timing and performance, firewall/IDS evasion and spoofing, output

SERVICE/VERSION DETECTION:
If any ports are found to be open, Nmap may be able to determine what server software is running on the remote system. It does this by sending a variety of probes to the open ports and matching any responses against a database of more than 6,500 known service signatures.

  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

OS DETECTION:
  -O: Enable OS detection

If requested with the -O option, Nmap proceeds to OS detection. Different operating systems implement network standards in subtly different ways. By measuring these differences it is often possible to determine the operating system running on a remote host. Nmap matches responses to a standard set of probes against a database of more than a thousand known operating system responses.

  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T[0-5]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time
  --max-retries <tries>: Caps number of port scan probe retransmissions
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
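The <time> rule above is easy to get wrong in wrapper scripts, because an unsuffixed number is interpreted in milliseconds here while newer Nmap releases treat a bare number as seconds. The following is an added example (not code from the page or from the Nmap project) showing one way to validate timing values and emit them with an explicit unit so the meaning does not depend on the Nmap version. The function names, the default-unit parameter and the consistency checks are this example's own assumptions; the argument list is only built, never run.

```python
import re
from typing import List, Optional

# Nmap <time> syntax: a number, optionally suffixed with ms, s, m or h.
# (ms is accepted by nmap in addition to the s/m/h suffixes listed above.)
_TIME_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)?\s*$")
_UNIT_TO_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000}


def time_to_ms(value: str, default_unit: str = "ms") -> int:
    """Convert an Nmap <time> string to milliseconds.

    A bare number is read in `default_unit`. This cheat sheet documents
    milliseconds; newer Nmap releases read a bare number as seconds, which is
    exactly why a wrapper should always write the suffix out explicitly.
    """
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"not a valid Nmap <time> value: {value!r}")
    number, unit = m.group(1), m.group(2) or default_unit
    return int(float(number) * _UNIT_TO_MS[unit])


def build_timing_args(template: Optional[int] = None,
                      host_timeout: Optional[str] = None,
                      max_retries: Optional[int] = None,
                      scan_delay: Optional[str] = None,
                      max_scan_delay: Optional[str] = None,
                      max_rtt_timeout: Optional[str] = None) -> List[str]:
    """Return timing/performance options for nmap as an argv list.

    Every <time> value is normalised to '<N>ms', and inconsistent inputs
    (template outside 0-5, scan delay above its own cap) are rejected here
    instead of being discovered by trial and error against a live target.
    """
    args: List[str] = []
    if template is not None:
        if not 0 <= template <= 5:
            raise ValueError("-T template must be between 0 and 5")
        args.append(f"-T{template}")
    if max_retries is not None:
        if max_retries < 0:
            raise ValueError("--max-retries must be non-negative")
        args += ["--max-retries", str(max_retries)]
    for flag, val in (("--host-timeout", host_timeout),
                      ("--scan-delay", scan_delay),
                      ("--max-scan-delay", max_scan_delay),
                      ("--max-rtt-timeout", max_rtt_timeout)):
        if val is not None:
            args += [flag, f"{time_to_ms(val)}ms"]
    if (scan_delay is not None and max_scan_delay is not None
            and time_to_ms(scan_delay) > time_to_ms(max_scan_delay)):
        raise ValueError("--scan-delay must not exceed --max-scan-delay")
    return args


def is_rejected(**kwargs) -> bool:
    """True if build_timing_args() refuses the given combination."""
    try:
        build_timing_args(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A polite, slow profile; the list form is what you would hand to
    # subprocess.run(["nmap", *args, target]) (nmap is not invoked here).
    print(" ".join(build_timing_args(template=2, host_timeout="30m",
                                     max_retries=2, scan_delay="1s",
                                     max_scan_delay="5s")))
```

Keeping the options as a list rather than a shell string also avoids quoting mistakes when a target or file name comes from user input.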

FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: Fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP checksum

OUTPUT:
Finally, Nmap collects all the information it has gathered and writes it to the screen or to a file. Nmap can write output in several formats. Its default, human-readable (interactive) format is what you see on the terminal; Nmap also offers an XML-based output format, among others.


  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (up to 9 is meaningful)
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection and version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number