Nmap | Kali Linux Tools

ncat

Ncat is a reimplementation of Netcat by the Nmap project, providing most of the features present in the original implementations, along with some new features such as IPv6 and SSL support. Port scanning support has been removed.

Installed size: 820 KB
How to install: sudo apt install ncat

Dependencies:

ncat

Concatenate and redirect sockets

root@kali:~# ncat -h
Ncat 7.93 ( https://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -U, --unixsock             Use only Unix domain sockets
      --vsock                Use only vsock sockets
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec <command>    Executes the given command via /bin/sh
  -e, --exec <command>       Executes the given command
      --lua-exec <filename>  Executes the given Lua script
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns <n>        Maximum <n> simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay <time>         Wait between read/writes
  -o, --output <filename>    Dump session data to a file
  -x, --hex-dump <filename>  Dump session data as hex to a file
  -i, --idle-timeout <time>  Idle read/write timeout
  -p, --source-port port     Specify source port to use
  -s, --source addr          Specify source address to use (doesn't affect -l)
  -l, --listen               Bind and listen for incoming connections
  -k, --keep-open            Accept multiple connections in listen mode
  -n, --nodns                Do not resolve hostnames via DNS
  -t, --telnet               Answer Telnet negotiations
  -u, --udp                  Use UDP instead of default TCP
      --sctp                 Use SCTP instead of default TCP
  -v, --verbose              Set verbosity level (can be used several times)
  -w, --wait <time>          Connect timeout
  -z                         Zero-I/O mode, report connection status only
      --append-output        Append rather than clobber specified output files
      --send-only            Only send data, ignoring received; quit on EOF
      --recv-only            Only receive data, never send anything
      --no-shutdown          Continue half-duplex when receiving EOF on stdin
      --allow                Allow only given hosts to connect to Ncat
      --allowfile            A file of hosts allowed to connect to Ncat
      --deny                 Deny given hosts from connecting to Ncat
      --denyfile             A file of hosts denied from connecting to Ncat
      --broker               Enable Ncat's connection brokering mode
      --chat                 Start a simple Ncat chat server
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type ("http", "socks4", "socks5")
      --proxy-auth <auth>    Authenticate with HTTP/SOCKS proxy server
      --proxy-dns <type>     Specify where to resolve proxy destination
      --ssl                  Connect or listen with SSL
      --ssl-cert             Specify SSL certificate file (PEM) for listening
      --ssl-key              Specify SSL private key (PEM) for listening
      --ssl-verify           Verify trust and domain name of certificates
      --ssl-trustfile        PEM file containing trusted SSL certificates
      --ssl-ciphers          Cipherlist containing SSL ciphers to use
      --ssl-servername       Request distinct server name (SNI)
      --ssl-alpn             ALPN protocol list to use
      --version              Display Ncat's version information and exit

See the ncat(1) manpage for full options, descriptions and usage examples

ndiff

Ndiff is a tool to aid in the comparison of Nmap scans. It takes two Nmap XML output files and prints the differences between them: hosts coming up and going down, ports becoming open or closed, and things like that. It can produce output in human-readable text or machine-readable XML formats.

Installed size: 423 KB
How to install: sudo apt install ndiff

Dependencies:

ndiff

Utility to compare scan results

root@kali:~# ndiff -h
Usage: /usr/bin/ndiff [option] FILE1 FILE2
Compare two Nmap XML files and display a list of their differences.
Differences include host state changes, port state changes, and changes to
service and OS detection.

  -h, --help     display this help
  -v, --verbose  also show hosts and ports that haven't changed.
  --text         display output in text format (default)
  --xml          display output in XML format

nmap

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determining which hosts are up), many port scanning techniques, version detection (determining service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command-line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.

Installed size: 4.85 MB
How to install: sudo apt install nmap

Dependencies:

nmap

Network and Security Scan Tool / Port Scanner

root@kali:~# nmap -h
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

nping

Network packet generation tool / ping utility

root@kali:~# nping -h
Nping 0.7.93 ( https://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

TARGET SPECIFICATION:
  Targets may be specified as hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
PROBE MODES:
  --tcp-connect                    : Unprivileged TCP connect probe mode.
  --tcp                            : TCP probe mode.
  --udp                            : UDP probe mode.
  --icmp                           : ICMP probe mode.
  --arp                            : ARP/RARP probe mode.
  --tr, --traceroute               : Traceroute mode (can only be used with
                                     TCP/UDP/ICMP modes).
TCP CONNECT MODE:
   -p, --dest-port <port spec>     : Set destination port(s).
   -g, --source-port <portnumber>  : Try to use a custom source port.
TCP PROBE MODE:
   -g, --source-port <portnumber>  : Set source port.
   -p, --dest-port <port spec>     : Set destination port(s).
   --seq <seqnumber>               : Set sequence number.
   --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
   --ack <acknumber>               : Set ACK number.
   --win <size>                    : Set window size.
   --badsum                        : Use a random invalid checksum.
UDP PROBE MODE:
   -g, --source-port <portnumber>  : Set source port.
   -p, --dest-port <port spec>     : Set destination port(s).
   --badsum                        : Use a random invalid checksum.
ICMP PROBE MODE:
  --icmp-type <type>               : ICMP type.
  --icmp-code <code>               : ICMP code.
  --icmp-id <id>                   : Set identifier.
  --icmp-seq <n>                   : Set sequence number.
  --icmp-redirect-addr <addr>      : Set redirect address.
  --icmp-param-pointer <pnt>       : Set parameter problem pointer.
  --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
  --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
  --icmp-orig-time  <timestamp>    : Set originate timestamp.
  --icmp-recv-time  <timestamp>    : Set receive timestamp.
  --icmp-trans-time <timestamp>    : Set transmit timestamp.
ARP/RARP PROBE MODE:
  --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
  --arp-sender-mac <mac>           : Set sender MAC address.
  --arp-sender-ip  <addr>          : Set sender IP address.
  --arp-target-mac <mac>           : Set target MAC address.
  --arp-target-ip  <addr>          : Set target IP address.
IPv4 OPTIONS:
  -S, --source-ip                  : Set source IP address.
  --dest-ip <addr>                 : Set destination IP address (used as an
                                     alternative to {target specification} ).
  --tos <tos>                      : Set type of service field (8bits).
  --id  <id>                       : Set identification field (16 bits).
  --df                             : Set Don't Fragment flag.
  --mf                             : Set More Fragments flag.
  --evil                           : Set Reserved / Evil flag.
  --ttl <hops>                     : Set time to live [0-255].
  --badsum-ip                      : Use a random invalid checksum.
  --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
  --ip-options <hex string>                    : Set IP options
  --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
                                     small enough.
IPv6 OPTIONS:
  -6, --IPv6                       : Use IP version 6.
  --dest-ip                        : Set destination IP address (used as an
                                     alternative to {target specification}).
  --hop-limit                      : Set hop limit (same as IPv4 TTL).
  --traffic-class <class>          : Set traffic class.
  --flow <label>                   : Set flow label.
ETHERNET OPTIONS:
  --dest-mac <mac>                 : Set destination mac address. (Disables
                                     ARP resolution)
  --source-mac <mac>               : Set source MAC address.
  --ether-type <type>              : Set EtherType value.
PAYLOAD OPTIONS:
  --data <hex string>              : Include a custom payload.
  --data-string <text>             : Include a custom ASCII text.
  --data-length <len>              : Include len random bytes as payload.
ECHO CLIENT/SERVER:
  --echo-client <passphrase>       : Run Nping in client mode.
  --echo-server <passphrase>       : Run Nping in server mode.
  --echo-port <port>               : Use custom <port> to listen or connect.
  --no-crypto                      : Disable encryption and authentication.
  --once                           : Stop the server after one connection.
  --safe-payloads                  : Erase application data in echoed packets.
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
  --delay <time>                   : Adjust delay between probes.
  --rate  <rate>                   : Send num packets per second.
MISC:
  -h, --help                       : Display help information.
  -V, --version                    : Display current version number.
  -c, --count <n>                  : Stop after <n> rounds.
  -e, --interface <name>           : Use supplied network interface.
  -H, --hide-sent                  : Do not display sent packets.
  -N, --no-capture                 : Do not try to capture replies.
  --privileged                     : Assume user is fully privileged.
  --unprivileged                   : Assume user lacks raw socket privileges.
  --send-eth                       : Send packets at the raw Ethernet layer.
  --send-ip                        : Send packets using raw IP sockets.
  --bpf-filter <filter spec>       : Specify custom BPF filter.
OUTPUT:
  -v                               : Increment verbosity level by one.
  -v[level]                        : Set verbosity level. E.g: -v4
  -d                               : Increment debugging level by one.
  -d[level]                        : Set debugging level. E.g: -d3
  -q                               : Decrease verbosity level by one.
  -q[N]                            : Decrease verbosity level N times
  --quiet                          : Set verbosity and debug level to minimum.
  --debug                          : Set verbosity and debug to the max level.
EXAMPLES:
  nping scanme.nmap.org
  nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
  nping --icmp --icmp-type time --delay 500ms 192.168.254.254
  nping --echo-server "public" -e wlan0 -vvv
  nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack

SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

nmap-common

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determining which hosts are up), many port scanning techniques, version detection (determining service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command-line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.

This package contains the nmap files shared by all architectures.

Installed size: 20.74 MB
How to install: sudo apt install nmap-common