Web User Interface¶
This web interface presents results of the
view purpose (see
Purposes) that can be filtered with
keywords (for some of them, shortcuts are available in the menus).
Keep in mind that the information available in this interface highly depends on the options used to run Nmap.
The left side bar¶
The first part allows to navigate within the results. Be careful with the last button that goes to the last result page, as it can be very slow when a lot of results are available.
The progress bar shows where the currently displayed results are within the whole results set.
The second part allows to add, modify or remove filter, sort or display commands.
The third part allows to explore the results by generating graphs displayed in the rightmost part of the screen.
The first field displays a graph with the 15 most common values of a variable in the filtered results. This can be slow when the number of results to scan is important. Here is a list of (sometimes) interesting values to try here:
cpe.product:a:microsoftwill show top product names in CPEs from vendor
cpe.vendor:o:/^m/will show top vendor names in CPEs that start with an
The Address space button displays a graphical representation of the filtered addresses. The abscissa axis represents the two high bytes (or the three when the results belong to the same /16 network), and the ordinate axis represents the two low bytes (or the low byte).
The Map button displays the locations of the results on a world map.
The Timeline and Timeline 24h buttons display time-lines where the abscissa axis represents the time and the ordinate axis represents the IP addresses.
Ten results (maximum) are displayed per page by default.
Each result has its own frame. In the default display mode, it displays a summary for the host. Long-clicking a result frame toggles between the summary display and the full display for the result.
The pencil icon in the upper-right corner opens the notepad page for the current host (see below) in the rightmost part of the screen.
Each blue element in the results can be clicked to add a filter.
The commands might require a parameter, provided after the colon sign
:. Some commands can be used negatively, by prefixing them with
The commands can be entered in the input boxes in the second part of the left side bar or added by clicking on a shortcut in the top bar menus.
In the following list, a
[!] before the command shows it can be used
negatively, and a
: after the command indicates it requires a
When a parameter is required the full value must be specified, or when
appropriate, a regular expression can be used, with the
/[expression]/[flags] syntax (e.g.:
If your command includes spaces, you need to protect it by using single or double quotes.
[!]host:[IP address]filter a specific IP address. Using the IP address directly (without
host:) is equivalent.
[!]net:[IP address/netmask]filter a specific network (CIDR notation). Using the CIDR notation directly (without
net:) is equivalent.
[!]range:[IP address]-[IP address]filter a specific IP address range
[!]hostname:[FQDN]look for results with a matching hostname.
[!]domain:[FQDN]look for results with a hostname within a matching domain name.
[!]category:filter a category.
[!]country:[two letters code]filter a country.
[!]city:filter a city (use with
[!]asnum:filter by AS number (lists allowed).
[!]asname:filter by AS name (regular expressions allowed).
[!]source:filter a source (specify the source name).
[!]timerange:[timestamp]-[timestamp]filter results within a specific time range.
[!]timeago:filter recent enough results; the value can be specified in seconds or with the appropriate suffix in minutes (
m), hours (
h), days (
d) or years (
service:[expression]:[port number]look for an expression in the name of a service.
product:[service]:[product]:[port number]look for a product.
product:[service]:[product]:[version]:[port number]look for a specific version of a product.
script:[scriptid]:[output]look for a specific script.
anonftpfilter results with anonymous FTP allowed.
anonldaplook for LDAP servers with anonymous bind working.
authbypassvnclook for VNC servers with authentication that can be bypassed.
authhttplook for HTTP servers with authentication and a default (e.g.,
admin) login/password working. The Nmap script seems to get a lot a false positives.
banner:look for a specific banner of a service.
cookie:look for HTTP servers setting a specific cookie.
file:[scriptid],[scriptid],...:[pattern]look for a pattern in the shared files (FTP, SMB, …).
geovisionlook for GeoVision web-cams.
httptitle:look for a specific HTML title value of the homepage of a web site.
nfslook for NFS servers.
yplook for NIS servers.
mssqlemptypwdlook for MS-SQL servers with an empty password for the
mysqlemptypwdlook for MySQL servers with an empty password for the
httphdr:[header]:[value]look for HTTP headers.
owalook for OWA (Outlook Web App) servers.
phpmyadminlook for phpMyAdmin servers.
smb.dnsdomain:[FQDN]search results with SMB service in a specific DNS domain.
smb.domain:[NetBIOS]search results with SMB service in a specific NetBIOS domain.
smb.fqdn:[NetBIOS]search results with SMB service in a specific host name (FQDN).
smb.forest:[FQDN]search results with SMB service in a specific forest (DNS name).
smb.lanmanager:[LAN Manager]search results with SMB service with a specific LAN Manager.
smb.os:[OS]search results with SMB service with a specific OS.
smb.server:[NetBIOS]search results with SMB service in a specific host name (NetBIOS).
smb.workgroup:[NetBIOS]search results with SMB service in a specific workgroup (NetBIOS).
smbshare:[access mode]search results with SMB shares with anonymous access. Access can be ‘r’, ‘w’ or ‘rw’ (default is read or write).
sshkey:look for a particular SSH key.
cert.sha256:look for a particular certificate.
torcertlook for Tor certificates.
webfileslook for “typical” web files in the shared folders.
webminlook for Webmin servers.
x11openlook for open X11 servers.
x11srvlook for X11 servers.
xp445look for Windows XP machines with TCP/445 port open.
[!]ssl-ja3-client[:JA3]look for hosts with a JA3 client or with the given JA3 client.
[!]ssl-ja3-server[:[JA3S][:JA3C]]look for hosts with a JA3 server, with the given JA3 server (optionally corresponding to the given JA3 client).
[!]useragent[:USERAGENT]look for hosts with a User-Agent.
os:look for a specific value in the OS discovery results.
devicetype:look for a type of devices.
networkdevicelook for network devices (firewalls, routers, …).
phonedevlook for telephony devices.
cpe(:[type](:[vendor](:[product](:[version]))))look for a given cpe. Each field can be a /regex/.
[!]hop:[IP]:[TTL]look for a particular IP address in the traceroute results.
[!]hopname:look for a matching hostname in the traceroute results.
[!]hopdomain:look for a hostname within a matching domain name in the traceroute results.
[!]udp/[port number], look for an open TCP or UDP port (using
[!][port number]directly is equivalent to
[!]openportlook for hosts with at least one open port.
otheropenport:[port number],[port number],...look for hosts with at least one open port other than those specified.
notessearch results with an associated note.
[!]sortby:[field name]sort according to a field value. Be careful with this setting as consequences on the performances can be terrible.
display:hostset the default display mode.
display:cpeonly display CPEs.
display:script:[script id],[script id],...only display (a particular) script outputs.
display:screenshotonly display screenshots.
display:vulnerabilityonly display vulnerabilities.