Nmap Scan For Mac Address



Nmap supports MAC address spoofing with the --spoof-mac option. The argument given can take several forms. If it is simply the number 0, Nmap chooses a completely random MAC address for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC.

In this tutorial you'll find 20 basic examples of Nmap command usage.

You'll see how to use Nmap from the Linux command line to find active hosts on a network and scan for the opened ports.

You'll learn how to determine a remote operation system using TCP/IP stack fingerprinting and how to discover what version of software is running on a remote host.

I'll also show how to use Nmap for stealthy scanning, how to detect firewalls and how to spoof a MAC address.


Nmap Package Description. Nmap ('Network Mapper') is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade.

Use nmap to scan every item in the subnet to populate the arp cache. Use the /usr/sbin/arp tool to dump the arp cache. Parse the arp-cache to get (IP-address, MAC-address) pairs of everything on the subnet. This has generally worked rather well but I'm in a case now where this is not working.
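The three-step procedure above (ping-scan the subnet, dump the ARP cache, parse the pairs) as an added example; this is not code from the page. It assumes Linux/BSD `arp -an` output, treats the sample output as constructed, and additionally reports a MAC that answers for more than one IP, which is what an inventory pass should notice.

```python
import re
import subprocess
from ipaddress import ip_address
from typing import Dict, List

# One line of `arp -an` (net-tools or BSD style):
#   ? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0
#   ? (192.168.1.7) at <incomplete> on eth0
ARP_LINE = re.compile(r"\((?P<ip>[0-9.]+)\)\s+at\s+(?P<mac>[0-9a-fA-F:]+|<incomplete>)")


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated, zero-padded octets (BSD arp prints '0:11:...')."""
    octets = [o.zfill(2) for o in mac.split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(o.lower() for o in octets)


def parse_arp_output(text: str) -> Dict[str, str]:
    """Extract {ip: mac} from `arp -an` output.

    <incomplete> rows are hosts the kernel sent an ARP request to that never
    answered; they are not on the wire, so they are skipped rather than
    recorded with a bogus address.
    """
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m or m.group("mac") == "<incomplete>":
            continue
        ip = str(ip_address(m.group("ip")))  # validates the dotted quad
        pairs[ip] = normalise_mac(m.group("mac"))
    return pairs


def duplicate_macs(pairs: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs seen on more than one IP. Usually a router or proxy-ARP gateway,
    but also what an ARP-spoofing host claiming its neighbours looks like."""
    seen: Dict[str, List[str]] = {}
    for ip, mac in pairs.items():
        seen.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


def collect_arp_table(subnet: str) -> Dict[str, str]:
    """The procedure from the text: nmap -sn makes every live host answer an
    ARP request, then the kernel cache is read back. Needs nmap and
    /usr/sbin/arp installed; not invoked by the demo below."""
    subprocess.run(["nmap", "-sn", "-n", subnet], check=True, stdout=subprocess.DEVNULL)
    out = subprocess.run(["/usr/sbin/arp", "-an"], check=True,
                         capture_output=True, text=True).stdout
    return parse_arp_output(out)


# Constructed sample of `arp -an` output, not a real capture.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at AA:BB:CC:DD:EE:01 [ether] on eth0
? (192.168.1.21) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    table = parse_arp_output(SAMPLE_ARP)
    for ip, mac in sorted(table.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip:<16} {mac}")
    for mac, ips in duplicate_macs(table).items():
        print(f"warning: {mac} answers for {', '.join(ips)}")
```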

1. Scan a Single Host or an IP Address

Scan a Single IP Address:

Scan a Host Name:

Increase Verbosity Level:

2. Scan Multiple IP Addresses

Scan Multiple IP Addresses:

Scan a Subnet:


Scan a Range of IP Addresses (192.168.1.0 – 192.168.1.200):

3. Scan Network for Active Computers


Scan for Active Hosts on a network:

4. Scan a List of Hosts From Input File

Scan hosts/networks from the Input File:

Format of the input file:

5. Exclude IP/Hosts/Networks From Nmap Scan

Exclude Targets from Nmap scan:

Exclude List of hosts from a file:

Format of the exclude file is the same as format of the input file shown above.

6. Scan For Specific Ports

Scan for a Single Port:

Scan for Several Ports:

Scan for a Port Range:

Scan for All Ports:

Scan for the Top Most Common Ports:

7. Determine Supported IP Protocols

Determine which IP Protocols (TCP, UDP, ICMP, etc.) are supported by target host:

8. Scan For TCP/UDP Ports

Scan for All TCP Ports:

Scan for Particular TCP Ports:

Scan for All UDP Ports:

Scan for Particular UDP Ports:

Combine scanning of different ports:

9. Perform a Fast Scan

Enable Fast Mode:

* Scan fewer ports than the default scan.

10. Display the Reason a Port is in a Particular State

Display the Reason why Nmap thinks that a port is in a particular state:

11. Show Only Open Ports

Show Only Open Ports (or possibly open):

12. OS Detection

One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting.

Nmap sends a series of TCP and UDP packets to the remote host and examines the responses.

After performing dozens of tests, Nmap compares the results to its database and prints out the OS details if there is a match.

Turn on OS Detection:

13. Service Version Detection

Turn on Version Detection:

* Discover what version of software is running on a remote host.

14. Firewall Detection

Find out if a host is protected by any Packet Filters or Firewall:

15. MAC Address Spoofing


Spoof your MAC Address:

Spoof your MAC Address with a Random MAC:

16. Scan a Firewall For Security Vulnerabilities

These three scan types exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports.

When scanning systems compliant with this RFC, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open.


As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK.

TCP Null Scan:

* Don't set any bits (TCP flag header is 0).

TCP Fin Scan:

* Set just the TCP FIN bit.

TCP Xmas Scan:

* Set the FIN, PSH and URG flags (lighting the packet up like a Christmas tree).

17. Stealthy Scan


TCP SYN Scan:

* Well known as half-open scanning, as it doesn't open a full TCP connection.

18. Disable Host Discovery (No Ping)

Don't ping host before scanning:

19. Disable DNS Resolution


Never do reverse DNS Resolution on the active IP addresses it finds:

20. Save Output of Nmap Scan to a File

Save output of Nmap scan to a TEXT File:

Save output of Nmap scan to an XML File:

Many Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any two nodes. This allows hosts to act as true peers, serving and retrieving information from each other. People could access all of their home systems from work, changing the climate control settings or unlocking the doors for early guests. This vision of universal connectivity has been stifled by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls for the express purpose of reducing connectivity. Huge networks were cordoned off from the unfiltered Internet by application proxies, network address translation, and packet filters. The unrestricted flow of information gave way to tight regulation of approved communication channels and the content that passes over them.

Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mind-set of an attacker, and deploy techniques from this section against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies.

In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans because scans are sometimes a precursor to attacks. Many of these products have recently morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious. Unfortunately for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help of certain Nmap options can usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positive results where innocent activity is misdiagnosed and alerted on or blocked.

Occasionally people suggest that Nmap should not offer features for evading firewall rules or sneaking past IDSs. They argue that these features are just as likely to be misused by attackers as used by administrators to enhance security. The problem with this logic is that these methods would still be used by attackers, who would just find other tools or patch the functionality into Nmap. Meanwhile, administrators would find it that much harder to do their jobs. Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools implementing the FTP bounce attack.

There is no magic bullet (or Nmap option) for detecting and subverting firewalls and IDS systems. It takes skill and experience. A tutorial is beyond the scope of this reference guide, which only lists the relevant options and describes what they do.

-f (fragment packets); --mtu (using the specified MTU)

The -f option causes the requested scan (including host discovery scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old-school sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into eight bytes or less after the IP header. So a 20-byte TCP header would be split into three packets. Two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use 16 bytes per fragment (reducing the number of fragments). Or you can specify your own offset size with the --mtu option. Don't also specify -f if you use --mtu. The offset must be a multiple of eight. While fragmented packets won't get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some networks can't afford the performance hit this causes and thus leave it disabled. Others can't enable this because fragments may take different routes into their networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while a sniffer such as Wireshark is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the --send-eth option to bypass the IP layer and send raw ethernet frames.

Fragmentation is only supported for Nmap's raw packet features, which includes TCP and UDP port scans (except connect scan and FTP bounce scan) and OS detection. Features such as version detection and the Nmap Scripting Engine generally don't support fragmentation because they rely on your host's TCP stack to communicate with target services.
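The fragment layout the -f discussion describes (a 20-byte TCP header becoming 8+8+4, or 16+4 with -ff), together with the defragment-then-filter behaviour the text credits to CONFIG_IP_ALWAYS_DEFRAG, as an added example that is not Nmap's code. The SYN header and addresses are constructed; the tiny-first-fragment check is the RFC 1858 condition that a stateless filter inspecting only fragment 0 cannot see the TCP ports and flags.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TCP_HEADER_LEN = 20          # the minimal TCP header that -f splits apart
Flow = Tuple[str, str, int]  # (src, dst, IP identification)


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. offset is in bytes; the IP header carries offset // 8."""
    src: str
    dst: str
    ip_id: int
    offset: int
    more_fragments: bool
    payload: bytes


def fragment_segment(src: str, dst: str, ip_id: int, segment: bytes, frag_size: int) -> List[Fragment]:
    """Split a transport segment the way -f (8), -ff (16) or --mtu N does.
    The size must be a multiple of eight because the IP fragment-offset field
    counts 8-byte units (the text's 'must be a multiple of eight')."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(segment), frag_size):
        chunk = segment[off:off + frag_size]
        frags.append(Fragment(src, dst, ip_id, off, off + len(chunk) < len(segment), chunk))
    return frags


def reassemble(frags: List[Fragment]) -> Dict[Flow, bytes]:
    """Queue fragments per flow and rebuild complete datagrams, as a filter that
    defragments before matching does. Flows with a missing last fragment, a
    gap or an overlap are left out rather than guessed at."""
    queues: Dict[Flow, List[Fragment]] = {}
    for f in frags:
        queues.setdefault((f.src, f.dst, f.ip_id), []).append(f)
    complete: Dict[Flow, bytes] = {}
    for flow, parts in queues.items():
        parts = sorted(parts, key=lambda p: p.offset)
        if parts[-1].more_fragments:
            continue                      # final fragment never arrived
        buf = bytearray()
        for p in parts:
            if p.offset != len(buf):
                break                     # gap or overlap: do not trust it
            buf += p.payload
        else:
            complete[flow] = bytes(buf)
    return complete


def tiny_first_fragments(frags: List[Fragment]) -> Set[Flow]:
    """Flows whose first fragment is too short to hold a whole TCP header.
    This is what a -f scan looks like on the wire and what a stateless
    filter should treat as suspicious (RFC 1858)."""
    return {(f.src, f.dst, f.ip_id) for f in frags
            if f.offset == 0 and f.more_fragments and len(f.payload) < TCP_HEADER_LEN}


def sample_syn_header() -> bytes:
    """Constructed 20-byte TCP SYN header: sport 40000, dport 80, data offset 5."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 1024, 0, 0)


if __name__ == "__main__":
    hdr = sample_syn_header()
    frags = fragment_segment("10.0.0.5", "10.0.0.9", 1, hdr, 8)   # plain -f
    for f in frags:
        print(f"offset={f.offset:2d} len={len(f.payload)} MF={int(f.more_fragments)}")
    print("tiny first fragment:", tiny_first_fragments(frags))
    print("reassembled OK:", reassemble(frags)[("10.0.0.5", "10.0.0.9", 1)] == hdr)
```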

-D <decoy1>[,<decoy2>][,ME][,...] (Cloak a scan with decoys)

Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5–10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other active mechanisms, it is generally an effective technique for hiding your IP address.

Separate each decoy host with commas, and you can optionally use ME as one of the decoys to represent the position for your real IP address. If you put ME in the sixth position or later, some common port scan detectors (such as Solar Designer's excellent Scanlogd) are unlikely to show your IP address at all. If you don't use ME, Nmap will put you in a random position. You can also use RND to generate a random, non-reserved IP address, or RND:<number> to generate <number> addresses.

Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network. You might want to use IP addresses instead of names (so the decoy networks don't see you in their nameserver logs). Right now random IP address generation is only supported with IPv4.

Decoys are used both in the initial host discovery scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (-O). Decoys do not work with version detection or TCP connect scan. When a scan delay is in effect, the delay is enforced between each batch of spoofed probes, not between each individual probe. Because decoys are sent as a batch all at once, they may temporarily violate congestion control limits.

It is worth noting that using too many decoys may slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, but many do not restrict spoofed IP packets at all.

-S <IP_Address> (Spoof source address)

In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.

Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! The -e option and -Pn are generally required for this sort of usage. Note that you usually won't receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won't produce useful reports.

-e <interface> (Use specified interface)

Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot.

--source-port <portnumber>; -g <portnumber> (Spoof source port number)

One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new firewall, only to be flooded with complaints from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file.

Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that DNS replies come from port 53 and active FTP from port 20, many administrators have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, administrators consider this a short-term stop-gap measure until they can implement a more secure solution. Then they forget the security upgrade.

Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). In another well-known case, versions of the Zone Alarm personal firewall up to 2.1.25 allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP).

Nmap offers the -g and --source-port options (they are equivalent) to exploit these weaknesses. Simply provide a port number and Nmap will send packets from that port where possible. Most scanning operations that use raw sockets, including SYN and UDP scans, support the option completely. The option notably doesn't have an effect for any operations that use normal operating system sockets, including DNS requests, TCP connect scan, version detection, and script scanning. Setting the source port also doesn't work for OS detection, because Nmap must use different port numbers for certain OS detection tests to work properly.

--data <hex string> (Append custom binary data to sent packets)

This option lets you include binary data as payload in sent packets. <hex string> may be specified in any of the following formats: 0xAABBCCDDEEFF<...>, AABBCCDDEEFF<...> or \xAA\xBB\xCC\xDD\xEE\xFF<...>. Examples of use are --data 0xdeadbeef and --data \xCA\xFE\x09. Note that if you specify a number like 0x00ff no byte-order conversion is performed. Make sure you specify the information in the byte order expected by the receiver.

--data-string <string> (Append custom string to sent packets)

This option lets you include a regular string as payload in sent packets. <string> can contain any string. However, note that some characters may depend on your system's locale and the receiver may not see the same information. Also, make sure you enclose the string in double quotes and escape any special characters from the shell. Examples: --data-string 'Scan conducted by Security Ops, extension 7192' or --data-string 'Ph34r my l33t skills'. Keep in mind that nobody is likely to actually see any comments left by this option unless they are carefully monitoring the network with a sniffer or custom IDS rules.

--data-length <number> (Append random data to sent packets)

Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. Some UDP ports and IP protocols get a custom payload by default. This option tells Nmap to append the given number of random bytes to most of the packets it sends, and not to use any protocol-specific payloads. (Use --data-length 0 for no random or protocol-specific payloads.) OS detection (-O) packets are not affected because accuracy there requires probe consistency, but most pinging and portscan packets support this. It slows things down a little, but can make a scan slightly less conspicuous.

--ip-options <R|S|L|T|U ...>; --ip-options <hex string> (Send packets with specified ip options)

The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In fact, many Internet routers block the most dangerous options such as source routing. Yet options can still be useful in some cases for determining and manipulating the network route to target machines. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute-style approaches fail. Or if your packets are being dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options.

The most powerful way to specify IP options is to simply pass in values as the argument to --ip-options. Precede each hex number with \x then the two digits. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*36\x01 is a hex string containing 36 NUL bytes.
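A decoder for the hex-string argument formats described under --data above and the \xHH*N repeat form used by --ip-options here, as an added example rather than Nmap's own parser. It assumes nothing beyond the formats the text lists; backslashes are dropped before parsing so an argument whose \x prefixes were eaten by a shell decodes the same way.

```python
import re

HEX_PAIR = re.compile(r"x([0-9A-Fa-f]{2})(?:\*(\d+))?")


def _plain_hex(digits: str) -> bytes:
    """0xAABB... and AABB... forms: an even, non-zero number of hex digits."""
    if not digits or len(digits) % 2:
        raise ValueError("hex string needs an even, non-zero number of digits")
    return bytes.fromhex(digits)


def decode_nmap_hex(arg: str, allow_repeat: bool = False) -> bytes:
    """Decode the hex-string forms accepted by --data and --ip-options.

    Accepted: 0xAABB..., AABB..., or \\xAA\\xBB... (each byte preceded by \\x).
    With allow_repeat (the --ip-options case) a byte may be followed by *N to
    repeat it N times, e.g. \\x00*36.  Bytes come out exactly as written:
    0x00ff is b'\\x00\\xff', with no byte-order conversion, as the text warns.
    """
    s = arg.strip().replace("\\", "")      # '\x01' and shell-stripped 'x01' read alike
    if s[:2].lower() == "0x":
        return _plain_hex(s[2:])
    if re.fullmatch(r"[0-9A-Fa-f]+", s):
        return _plain_hex(s)
    shape = r"(?:x[0-9A-Fa-f]{2}(?:\*\d+)?)+" if allow_repeat else r"(?:x[0-9A-Fa-f]{2})+"
    if not re.fullmatch(shape, s):
        raise ValueError(f"unrecognised hex string: {arg!r}")
    out = bytearray()
    for byte_hex, count in HEX_PAIR.findall(s):
        out += bytes.fromhex(byte_hex) * (int(count) if count else 1)
    return bytes(out)


if __name__ == "__main__":
    for example in ("0xdeadbeef", r"\xCA\xFE\x09", "0x00ff"):
        print(f"--data {example:<14} -> {decode_nmap_hex(example).hex()}")
    opts = decode_nmap_hex(r"\x01\x07\x04\x00*36\x01", allow_repeat=True)
    print(f"--ip-options -> {len(opts)} bytes, {opts.count(0)} of them NUL")
```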

Nmap also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request record-route, record-timestamp, or both options together, respectively. Loose or strict source routing may be specified with an L or S followed by a space and then a space-separated list of IP addresses.

If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see http://seclists.org/nmap-dev/2006/q3/52.

--ttl <value> (Set IP time-to-live field)

Sets the IPv4 time-to-live field in sent packets to the given value.

--randomize-hosts (Randomize target host order)

Tells Nmap to shuffle each group of up to 16384 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow timing options. If you want to randomize over larger group sizes, increase PING_GROUP_SZ in nmap.h and recompile. An alternative solution is to generate the target IP list with a list scan (-sL -n -oN <filename>), randomize it with a Perl script, then provide the whole list to Nmap with -iL.

--spoof-mac <MAC address, prefix, or vendor name> (Spoof MAC address)

Asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. This option implies --send-eth to ensure that Nmap actually sends ethernet-level packets. The MAC given can take several formats. If it is simply the number 0, Nmap chooses a completely random MAC address for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If fewer than 12 hex digits are provided, Nmap fills in the remainder of the six bytes with random values. If the argument isn't a zero or hex string, Nmap looks through nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI (three-byte prefix) and fills out the remaining three bytes randomly. Valid --spoof-mac argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. This option only affects raw packet scans such as SYN scan or OS detection, not connection-oriented features such as version detection or the Nmap Scripting Engine.
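The argument rules above (and in the fragment at the top of the page) carried through in code, as an added example that is not Nmap's implementation: 0, an even-length hex string padded with random bytes, or a case-insensitive vendor substring resolved against nmap-mac-prefixes. The prefix rows are a constructed excerpt in that file's format, and the RNG is injectable so results can be checked; lookup_vendor goes the other way, to show why the vendor name Nmap prints for an observed MAC is only a hint.

```python
import random
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the nmap-mac-prefixes format ("OUI vendor").
# The real file ships with Nmap and is far larger; these rows are a sample.
SAMPLE_MAC_PREFIXES = """\
# sample rows, not the real database
00000C Cisco
000393 Apple
0020F2 Sun
001B63 Apple
"""


def load_prefixes(text: str) -> List[Tuple[bytes, str]]:
    """Parse nmap-mac-prefixes rows into [(oui_bytes, vendor)] in file order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        oui, _, vendor = line.partition(" ")
        rows.append((bytes.fromhex(oui), vendor.strip()))
    return rows


def resolve_spoof_mac(arg: str, prefixes: List[Tuple[bytes, str]], rng=random) -> bytes:
    """Turn a --spoof-mac argument into the six bytes Nmap would send.

    In the order the text gives:
      "0"                       -> fully random address
      even number of hex digits -> used literally (colons optional); fewer than
                                   12 digits are padded with random bytes
      anything else             -> case-insensitive substring of a vendor name;
                                   that vendor's OUI plus three random bytes
    """
    if arg == "0":
        return bytes(rng.randrange(256) for _ in range(6))
    digits = arg.replace(":", "")
    if re.fullmatch(r"[0-9A-Fa-f]+", digits) and len(digits) % 2 == 0 and len(digits) <= 12:
        fixed = bytes.fromhex(digits)
        return fixed + bytes(rng.randrange(256) for _ in range(6 - len(fixed)))
    needle = arg.lower()
    for oui, vendor in prefixes:
        if needle in vendor.lower():
            return oui + bytes(rng.randrange(256) for _ in range(3))
    raise ValueError(f"--spoof-mac: {arg!r} is neither 0, a hex string, nor a known vendor")


def lookup_vendor(mac: bytes, prefixes: List[Tuple[bytes, str]]) -> Optional[str]:
    """Reverse direction: the vendor Nmap would report for an observed MAC.
    Only the OUI is consulted, so a chosen prefix yields a confident-looking
    but meaningless name; treat it as a hint, never as host identity."""
    for oui, vendor in prefixes:
        if mac[:3] == oui:
            return vendor
    return None


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_MAC_PREFIXES)
    rng = random.Random(7)  # seeded only so the demo is repeatable
    for arg in ("Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", "Cisco"):
        mac = resolve_spoof_mac(arg, prefixes, rng)
        print(f"{arg:<18} -> {format_mac(mac)}  vendor={lookup_vendor(mac, prefixes)}")
```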

--proxies <Comma-separated list of proxy URLs> (Relay TCP connections through a chain of proxies)


Asks Nmap to establish TCP connections with a final target through a supplied chain of one or more HTTP or SOCKS4 proxies. Proxies can help hide the true source of a scan or evade certain firewall restrictions, but they can hamper scan performance by increasing latency. Users may need to adjust Nmap timeouts and other scan parameters accordingly. In particular, a lower --max-parallelism may help because some proxies refuse to handle as many concurrent connections as Nmap opens by default.

This option takes a list of proxies as argument, expressed as URLs in the format proto://host:port. Use commas to separate node URLs in a chain. No authentication is supported yet. Valid protocols are HTTP and SOCKS4.

Warning: this feature is still under development and has limitations. It is implemented within the nsock library and thus has no effect on the ping, port scanning and OS discovery phases of a scan. Only NSE and version scan benefit from this option so far—other features may disclose your true address. SSL connections are not yet supported, nor is proxy-side DNS resolution (hostnames are always resolved by Nmap).

--badsum (Send packets with bogus TCP/UDP checksums)

Asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn't bother to verify the checksum. For more details on this technique, see https://nmap.org/p60-12.html

--adler32 (Use deprecated Adler32 instead of CRC32C for SCTP checksums)


Asks Nmap to use the deprecated Adler32 algorithm for calculating the SCTP checksum. If --adler32 is not given, CRC-32C (Castagnoli) is used. RFC 2960 originally defined Adler32 as checksum algorithm for SCTP; RFC 4960 later redefined the SCTP checksums to use CRC-32C. Current SCTP implementations should be using CRC-32C, but in order to elicit responses from old, legacy SCTP implementations, it may be preferable to use Adler32.
