Many of Nmap’s long flags are intended to aid in firewall and IDS evasion.

  • --badsum — Produce packets with an invalid checksum. These should be dropped by normal hosts, but many IDS solutions respond to these. This can be useful for reconnaissance.
  • --data-length — Append random data to Nmap TCP packets to ensure that all packets are the same length. By default, Nmap appends no data after the TCP header; padding this out can make scans look more innocuous. Values < 24 only affect fragmented packets (since the TCP header is already 24 bytes). Disables protocol-specific payloads, which can decrease scan accuracy, particularly for UDP scans.
  • --dns-servers — Specify DNS server(s) to use for hostname resolution and reverse lookups.
  • --ip-options — Specify the IP “Options” field as either a string of hex-encoded bytes (\x00, etc.) or one of the shortcut options R (record-route), T (record-timestamp), U (R and T), L (loose source routing), and S (strict source routing). Both L and S must be followed by a space-separated list of IP addresses to route the packet through (the entire string must be quoted), and are used to route around security appliances.
  • --max-parallelism — The maximum number of probes to run in parallel. Overrides -T.
  • --max-rate — The maximum number of packets/second to send. Overrides -T.
  • --min-parallelism — The minimum number of probes to run in parallel. Overrides -T.
  • --min-rate — The minimum number of packets/second to send. Overrides -T.
  • --mtu — Fragment packets using a chosen MTU, which must be a multiple of 8. Setting --mtu 8 is equivalent to -f, and --mtu 16 is the same as -ff.
  • --open — Only report back machines with open ports (most useful when used in conjunction with -p).
  • --proxies — Use an HTTP or SOCKS4 proxy. Specify a comma-separated list to chain proxies together.
  • --reason — Show the reason that Nmap made a particular identification. Kinda fun.
  • --scan-delay — Add a delay (in milliseconds) between ports/hosts. Helpful for IDS evasion, but makes things slow.
  • --scanflags — Specify the TCP flags used to probe ports during a scan using URG, PSH, RST, SYN, ACK, FIN (e.g., --scanflags URGPSHFIN is the same as -sX). Overrides the explicit scanning options in the following sections.
  • --script — Run specified scripts, or all scripts in a specified category (as applicable). Also accepts wildcard matches (e.g., ftp*). See next section for script category breakdown.
  • --script-help — Return the “help” comment block at the top of a script file.
  • --source-port — Specify the source port for a scan. Possibly useful to evade some firewall rules?
  • --spoof-mac — Use a spoofed MAC address for the scan. Obviously only matters when you’re on the same subnet as the target; otherwise has the same caveats as IP spoofing.
  • --top-ports — Scan only the X most common ports. Nmap’s default is --top-ports 1000. Can be useful for detecting locked-down hosts (use --top-ports 10 -Pn). Overridden when using -p.
  • --traceroute — Perform a traceroute between the attacker and target systems. Note that Nmap’s traceroute works in the opposite fashion (high TTL to low TTL) from traceroute/tracert, and that most routers will not send ICMP TTL exceeded packets and will thus show up as *.
  • --ttl — Set a custom TTL. Does not always work as you’d expect in my experience!
  • --version-intensity — Determine how much service information to collect (and thus how noisy the associated probes will be) with -sV. Ranges from 0 to 9; --version-light is equivalent to 2, --version-all is equivalent to 9.
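
To see what a receiving host or IDS actually does with two of the flags above, here is an added Python example (not from the original page or the Nmap project). It builds constructed IPv4/TCP packets in the shape Nmap's minimal probes take, verifies the IP and TCP checksums the way a normal host does (so a --badsum packet is rejected), and classifies the flag combinations --scanflags can produce (XMAS = URG+PSH+FIN, NULL, FIN-only). The function names `build_packet`, `analyze` and `scan_alerts` and the 192.0.2.x addresses are assumptions made for the example.

```python
import struct

# TCP flag bits in the order of the flags byte (bit 0 .. bit 5).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
PATTERNS = {
    frozenset({"FIN", "PSH", "URG"}): "XMAS",   # what --scanflags URGPSHFIN / -sX sends
    frozenset(): "NULL",                        # -sN
    frozenset({"FIN"}): "FIN",                  # -sF
    frozenset({"SYN"}): "SYN",                  # ordinary -sS probe
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; 0 means 'valid' when
    the stored checksum field is included in the data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, flags, bad_sum=False) -> bytes:
    """Construct a minimal IPv4+TCP packet (20-byte headers, no payload)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    csum = checksum(pseudo + tcp)
    if bad_sum:
        csum = (csum + 1) & 0xFFFF  # deliberately wrong, as --badsum produces
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def analyze(packet: bytes) -> dict:
    """Parse IPv4/TCP, verify both checksums, and name the TCP flag pattern."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src_b, dst_b = packet[12:16], packet[16:20]
    tcp = packet[ihl:total_len]
    ip_ok = checksum(packet[:ihl]) == 0
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_ok = checksum(pseudo + tcp) == 0
    flags = tcp[13]
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {
        "ip_checksum_ok": ip_ok,
        "tcp_checksum_ok": tcp_ok,
        "flags": names,
        "pattern": PATTERNS.get(frozenset(names), "OTHER"),
    }


def scan_alerts(samples: dict) -> list:
    """Report what an IDS rule would flag: invalid checksums and scan-style flag sets."""
    alerts = []
    for name, pkt in samples.items():
        r = analyze(pkt)
        if not (r["ip_checksum_ok"] and r["tcp_checksum_ok"]):
            alerts.append(f"{name}: invalid checksum (a real host drops this silently)")
        if r["pattern"] in ("XMAS", "NULL", "FIN"):
            alerts.append(f"{name}: {r['pattern']} probe, flags={'+'.join(r['flags']) or 'none'}")
    return alerts


# Constructed sample traffic (not a capture): one benign SYN and three probe shapes.
SAMPLES = {
    "normal_syn": build_packet("192.0.2.10", "192.0.2.20", 40000, 80, 0x02),
    "badsum_syn": build_packet("192.0.2.10", "192.0.2.20", 40001, 80, 0x02, bad_sum=True),
    "xmas": build_packet("192.0.2.10", "192.0.2.20", 40002, 80, 0x01 | 0x08 | 0x20),
    "null": build_packet("192.0.2.10", "192.0.2.20", 40003, 80, 0x00),
}

if __name__ == "__main__":
    for line in scan_alerts(SAMPLES):
        print(line)
```

The checksum check is the same one a TCP stack performs before handing the segment to the socket, which is why a target never answers a --badsum probe while a sensor that skips checksum validation may still log or respond to it; comparing the two behaviours is what makes the flag informative for reconnaissance, and validating checksums before alerting is the corresponding sensor-side fix.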

Nmap has a ton of flags. Be sure to check the man page and official documentation!