Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

3 votes
1 answers
2906 views
nmap won't recognize a hostname on my local area network
Scanning the machine on the LAN with my laptop, I got this:

```
gabriele @ osiris { ~ } [ Tue Oct 07 ] [ 08:49 PM] nmap -sP 192.168.1.236
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-07 20:50 CEST
Nmap scan report for ---.homenet.telecomitalia.it (192.168.1.236)
Host is up (0.0044s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
```

nmap won't recognize the hostname, putting --- in place of "mercury", and I assume it is not a problem of nmap because it doesn't even access in this way:

```
root@mercury
```

When I changed the hostname I followed these steps:

```
sudo nano /etc/hostname
```

and I wrote a single line with "mercury", then:

```
sudo nano /etc/hosts
```

with this configuration:

```
127.0.0.1 localhost
127.0.1.1 mercury localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

and finally:

```
sudo /etc/init.d/hostname.sh start
```

Am I doing something wrong?
Gabriele Salvatori (131 rep)
Oct 7, 2014, 07:06 PM • Last activity: Aug 2, 2025, 05:10 AM
0 votes
1 answers
1929 views
How to measure TCP latency?
OS is Debian on both servers. I found some examples showing how to measure TCP latency with nmap:

```
nmap --packet-trace -p 22 192.168.0.10
```

But I'm getting some negative results for latency, i.e., it will print some output like `Host is up (-0.0023s latency)` at the end. What is nmap doing? Is it measuring the time difference between SYN and SYN-ACK? If so, how is it getting a negative result sometimes? Does it require clocks to be very precisely synced between the two servers?

And in addition, can I use ssh as a good TCP test server or should I use a different service? Is there another tool I can use to measure TCP latency? I don't know if I trust nmap due to the negative results for the latency measurement.
cat pants (167 rep)
Feb 2, 2024, 12:25 AM • Last activity: Jul 30, 2025, 02:09 PM
1 votes
2 answers
6432 views
How to proxy nmap and dns resolution of nmap
How to use nmap and dns resolution of nmap over proxy? I tried proxychains, but for dns resolution it doesn't work, it's a known bug as I read on some forums. It works well without dns_proxy feature in proxychains config. But I need to proxy dns resolution requests.

```
sudo proxychains nmap -T4 -sV -Pn -A --reason -v scanme.nmap.org
```

I tried proxychains4 (or proxychains-ng), but with nmap it does scanning and sends all the packets synchronously, so for example for scan of one host it's needed to wait for 30 min or even longer. So it's not the option, but it works well.

```
sudo proxychains4 nmap -T4 -sV -Pn -A --reason -v scanme.nmap.org
```

I tried just like this with inside nmap proxy function:

```
sudo nmap --proxy socks4://127.0.0.1:9050 -T4 -sV -Pn -A --reason -v scanme.nmap.org
```

But does it do dns resolution requests over the tor proxy 127.0.0.1:9050 or only scan? It seems it doesn't. What is the solution?
Sebastian Rockefeller (123 rep)
Apr 10, 2016, 06:15 PM • Last activity: Jul 26, 2025, 01:08 AM
0 votes
1 answers
3201 views
nmap & ssl-enum-ciphers
I am trying to check for the offered ciphers with `nmap`:

```
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
```

It's working fine but for a single case:

* Fedora 35 (host1.example.org) from macOS

```
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
```

* Fedora 35 (host1.example.org) from Fedora 35 (host2.example.org)

```
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 14:55 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
```

* Same machines other direction. Fedora 35 (host2.example.org) from Fedora 35 (host1.example.org)

```
$ nmap -Pn --script ssl-enum-ciphers host2.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-13 14:56 CET
Nmap scan report for host2.example.org (138.201.94.172)
Host is up (0.013s latency).
Other addresses for host2.example.org (not scanned): 2a01:4f8:c17:cbd8::2

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
```

I don't really get why both Fedora machines give a result from macOS but not when scanning from .example.org to .example.org when both should be configured in the same way. How can I debug the proble
Matteo (10024 rep)
Dec 13, 2021, 01:59 PM • Last activity: Jul 19, 2025, 07:06 AM
1 votes
1 answers
4470 views
How can I run an nmap script on macOS?
I've installed `nmap` on macOS. I'm not on Linux, I couldn't find the script directory. I ran

```sh
sudo nmap -sV --script vulners 69.164.220.111
```

I kept getting the following error:

```none
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2020-01-07 14:35 EST
NSE: failed to initialize the script engine:
/usr/local/bin/../share/nmap/nse_main.lua:801: 'vulners' did not match a category, filename, or directory
stack traceback:

        /usr/local/bin/../share/nmap/nse_main.lua:801: in function 'get_chosen_scripts'
        /usr/local/bin/../share/nmap/nse_main.lua:1249: in main chunk


QUITTING!
```

Do you know what I did wrong?
code-8 (482 rep)
Jan 7, 2020, 08:53 PM • Last activity: Jun 9, 2025, 11:00 AM
1 votes
1 answers
5109 views
Ports not really open after firewalld command
OS: CentOS 7

This is a question that is bordering on two issues. I have a docker machine running where I recently installed the PLEX container from linuxserver/plex. The current problem is that I cannot access the site to configure PLEX https://localhost:32400/web. In my attempts to determine why this is occurring, I noticed that port 32400 appeared to be closed even though it should've been opened when the container was created, I am using the host network. I attempted to see if I could access the site using curl

```
curl -i http://localhost:32400
curl -i http://10.0.1.200:32400
```

I then verified open ports with NMAP

```
#nmap 10.0.1.200
Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-18 12:52 CST
Nmap scan report for 10.0.1.200
Host is up (0.00049s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
```

So clearly port 32400 is not open, so I went to firewall-cmd

```
#sudo firewall-cmd --get-active-zones
public
interfaces: eno1
#sudo firewall-cmd --zone=public --add-port=32400/tcp --permanent
success
#sudo firewall-cmd --reload
success
```

I also checked to see if it was open

```
#sudo firewall-cmd --zone=public --list-ports
32400/tcp
```

However, NMAP still shows it's closed. Any idea why firewalld would show an open port on the docker host machine but it is actually closed? I'm not even sure this will get the site working for Plex.

----------

Verification of what Kramer had suggested that it was possible my interface was not set up

```
# ip addr
3: eno1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 10.0.1.200/24 brd 10.0.1.255 scope global noprefixroute dynamic eno1
#firewall-cmd --zone=public --list-interfaces
eno1
```
JMeterX (111 rep)
Jan 18, 2019, 06:58 PM • Last activity: May 10, 2025, 02:06 PM
36 votes
5 answers
112697 views
Can nmap display only hosts with specific ports open?
Can `nmap` list all hosts on the local network that have both SSH and HTTP open? To do so, I can run something like:

```
nmap 192.168.1.1-254 -p22,80 --open
```

However, this lists hosts that have ANY of the list ports open, whereas I would like hosts that have ALL of the ports open. In addition, the output is quite verbose:

```
# nmap 192.168.1.1-254 -p22,80 --open
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-31 10:14 EST
Nmap scan report for Wireless_Broadband_Router.home (192.168.1.1)
Host is up (0.0016s latency).
Not shown: 1 closed port
PORT STATE SERVICE
80/tcp open http
Nmap scan report for new-host-2.home (192.168.1.16)
Host is up (0.013s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 254 IP addresses (7 hosts up) scanned in 3.78 seconds
```

What I'm looking for is output simply like:

```
192.168.1.16
```

as the above host is the only one with ALL the ports open. I certainly can post-process the output, but I don't want to rely on the output format of nmap, I'd rather have nmap do it, if there is a way.
Brian (1462 rep)
Dec 31, 2015, 03:20 PM • Last activity: Feb 15, 2025, 08:28 PM
0 votes
0 answers
15 views
nmap updatedb not collecting latest on github
I have installed nmap using the guidance on nmap.org [here](https://nmap.org/book/inst-linux.html). `nmap --version` yields

```
Nmap version 7.95 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.4.6 openssl-3.0.13 nmap-libssh2-1.11.0 nmap-libz-1.3.1 nmap-libpcre2-10.43 nmap-libpcap-1.10.4 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
```

I end up with the following files in /usr/share/nmap

```
-rw-r--r-- 1 root root   10829 Oct 17 18:59 nmap.dtd
-rw-r--r-- 1 root root 1218140 Oct 17 18:59 nmap-mac-prefixes
-rw-r--r-- 1 root root 5306593 Oct 17 18:59 nmap-os-db
-rw-r--r-- 1 root root    6845 Oct 17 18:59 nmap-protocols
-rw-r--r-- 1 root root   43529 Oct 17 18:59 nmap-rpc
-rw-r--r-- 1 root root 2573533 Oct 17 18:59 nmap-service-probes
-rw-r--r-- 1 root root  997433 Oct 17 18:59 nmap-services
-rw-r--r-- 1 root root   31936 Oct 17 18:59 nmap.xsl
drwxr-xr-x 3 root root   20480 Feb 14 14:01 nselib
-rw-r--r-- 1 root root   49961 Oct 17 18:59 nse_main.lua
drwxr-xr-x 2 root root   90112 Feb 14 14:01 scripts
```

However the scripts in the ./scripts directory are dated 2024-10-17. If I run `nmap --script-updatedb` the timestamp on scripts.db updates to now but none of the scripts change. I know that in the nmap GitHub [repo](https://github.com/nmap/nmap) there is, e.g. a change to [ssl-cert.nse](https://github.com/nmap/nmap/blob/master/scripts/ssl-cert.nse). So my question is why does my local set of scripts update with latest github master and how can I achieve that?
John L (1 rep)
Feb 14, 2025, 04:22 PM
0 votes
0 answers
103 views
Nmap showing open ports although nftables is configured to drop
On a fresh Debian 12 install, I have the following `nftables` configuration that I believe does the following when activated:

- traffic from localhost accepted
- established/related traffic accepted
- TCP traffic via port 22 accepted

```
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                # accept any localhost traffic
                iifname lo accept

                # accept traffic originated from us
                ct state established,related accept

                tcp dport 22 accept
        }

        chain forward {
                # Drop everything (assumes this device is not a router)
                type filter hook forward priority 0; policy drop;
        }
}
```

Note that to switch from configuration with rules to the one without rules, I first `systemctl restart nftables`, and then verify the rules being applied with `nft list ruleset`. Consider the case with rules applied, I expect nmap to show only port 22 to be open. However, I get the following:

```
$ nmap 
Starting Nmap 7.92 ( https://nmap.org ) at 2024-10-17 10:46 CEST
Nmap scan report for  ()
Host is up (0.043s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
82/tcp   open  xfer
84/tcp   open  ctf
85/tcp   open  mit-ml-dev
443/tcp  open  https
554/tcp  open  rtsp
1723/tcp open  pptp
5060/tcp open  sip

Nmap done: 1 IP address (1 host up) scanned in 8.25 seconds
```

Is the nftables configuration not doing what I think it does? Is it me not understanding what nmap outputs?
David (111 rep)
Oct 17, 2024, 09:12 AM • Last activity: Oct 17, 2024, 09:30 AM
24 votes
3 answers
79772 views
How to "close" open ports?
A few days ago I started to care a lot about my data security, I end up `nmap`ing myself with: `nmap 127.0.0.1`

Surprise, surprise, I have lots of active services listen to localhost:

```
$ nmap 127.0.0.1
Starting Nmap 5.21 ( http://nmap.org ) at 2013-05-05 00:19 WEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
```

The only one that I *might* use is ssh (although it is probably not well configured, I will keep this matter to another question). As far as I know ipp protocol is used by CUPS to share my printers, I don't need to share them, just access printers from a server.

This is the output of `netstat -lntup` by the root user, removing the localhost addresses:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 497/sshd
tcp 0 0 0.0.0.0:17500 0.0.0.0:* LISTEN 2217/dropbox
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 892/smbd
tcp 0 0 0.0.0.0:50022 0.0.0.0:* LISTEN 1021/rpc.statd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 892/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 906/rpcbind
tcp6 0 0 :::22 :::* LISTEN 497/sshd
tcp6 0 0 :::42712 :::* LISTEN 1021/rpc.statd
tcp6 0 0 :::445 :::* LISTEN 892/smbd
tcp6 0 0 :::139 :::* LISTEN 892/smbd
tcp6 0 0 :::111 :::* LISTEN 906/rpcbind
udp 0 0 0.0.0.0:51566 0.0.0.0:* 615/avahi-daemon: r
udp 0 0 0.0.0.0:68 0.0.0.0:* 7362/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 906/rpcbind
udp 0 0 192.168.1.255:137 0.0.0.0:* 1782/nmbd
udp 0 0 192.168.1.67:137 0.0.0.0:* 1782/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1782/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 1782/nmbd
udp 0 0 192.168.1.67:138 0.0.0.0:* 1782/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1782/nmbd
udp 0 0 0.0.0.0:655 0.0.0.0:* 906/rpcbind
udp 0 0 0.0.0.0:17500 0.0.0.0:* 2217/dropbox
udp 0 0 0.0.0.0:5353 0.0.0.0:* 615/avahi-daemon: r
udp 0 0 0.0.0.0:34805 0.0.0.0:* 1021/rpc.statd
udp6 0 0 :::40192 :::* 1021/rpc.statd
udp6 0 0 :::111 :::* 906/rpcbind
udp6 0 0 :::655 :::* 906/rpcbind
udp6 0 0 :::5353 :::* 615/avahi-daemon: r
udp6 0 0 :::42629 :::* 615/avahi-daemon: r
```

How do I configure those services so they only listen to the outside world when I'm actually using them?
RSFalcon7 (4477 rep)
May 4, 2013, 11:37 PM • Last activity: Oct 12, 2024, 06:14 PM
7 votes
6 answers
46915 views
A way to find open ports on a host machine
I know that I can use `nmap` to see which ports are open on specific machine. But what I need is a way to get it from the host side itself. Currently, if I use `nmap` on one of my machines to check the other one, I get for an example:

```
smb:~# nmap 192.168.1.4
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
113/tcp closed ident
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
```

Is there a way to do this on the host itself? Not from a remote machine to a specific host. I know that I can do

```
nmap localhost
```

But that is not what I want to do as I will be putting the command into a script that goes through all the machines.

EDIT: This way, nmap showed 22 5000 5001 5432 6002 7103 7106 7201 9200 but lsof command showed me 22 5000 5001 5432 5601 6002 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7201 7210 11211 27017
TheSebM8 (471 rep)
Mar 28, 2018, 08:11 AM • Last activity: Oct 12, 2024, 06:12 PM
0 votes
2 answers
754 views
NMAP shows open ports even though I installed the UFW firewall
I have a VServer, in which I installed the firewall UFW. I scanned the server with NMAP but it showed a lot of open ports, which I didn't open. Is it a bug? Or did I install UFW incorrectly? Thank you

ufw status: http://prntscr.com/pgp5db

nmap: nmap -T4 -A -v *********

//edit I solved the problem. The problem was I just used the wrong nmap command. So the ports were already closed.
user376287
Oct 9, 2019, 12:47 AM • Last activity: Sep 15, 2024, 08:50 PM
2 votes
3 answers
2418 views
nmap output with awk to table
I'm trying to get `nmap` output as a table or at least straight columns. I'm using this command:

```none
$ sudo nmap -sn 192.168.103.0/24 \
    | awk '/Nmap scan report for/{printf $5;}/MAC Address:/{print ","substr($0, index($0,$3)) }' \
    | sort -t . -k 4,4n
```

However, I want it to show me:

```none
ip    mac address     hostname
```

without () around the ip or hostname, but I can't manage to do it.
joni jino (31 rep)
May 10, 2020, 08:12 PM • Last activity: Jul 15, 2024, 12:38 PM
0 votes
2 answers
1043 views
How to resolve 'Compiled without: Available nsock engines' message in Nmap & display open ports?
I'm using Nmap in Kali Linux & trying to scan the top 100 ports for the given IP. When entered the below command, it does not display any open ports. But gives the 'Compiled without: Available nsock engines: epoll poll select' message.

```
nmap -A -F -T1 ip_address -V
```

How to resolve this?
Sanushi Salgado (113 rep)
Feb 10, 2024, 06:49 AM • Last activity: Jun 9, 2024, 06:43 AM
1 votes
0 answers
84 views
`nmap` showing different hostnames than expected
When I run `nmap 192.168.1.*`, I get a print out of all devices on my network. The hostnames are not what I expect. For example, the hostname of the Linux desktop (192.168.1.203) I am currently on is `home`. On `nmap`, I see:

```text
Nmap scan report for DESKTOP-DDDV4PO.localdomain (192.168.1.203)
Host is up (0.000012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
```

My Raspberry Pi hostname is rp4 but for nmap I see:

```text
Nmap scan report for raspberrypi.localdomain (192.168.1.99)
Host is up (0.000063s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
8080/tcp open  http-proxy
8083/tcp open  us-srv
8181/tcp open  intermapper
```

The strangest one is my Sonos speaker (192.168.1.199) which is listed as being my father's iPhone. I assume he was here at some point and was assigned that IP address by my DHCP server. It was then reassigned to the Sonos speaker but the name persists.

```text
Nmap scan report for Johns-iPhone.localdomain (192.168.1.199)
Host is up (0.056s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
1443/tcp open  ies-lm
```

Interestingly, I have also changed the domain name of my local network to home in my DHCP settings. However, nmap is still reporting a .localdomain domain name for all of these hosts. I have a Unifi USG-3P router that is also my DHCP server. My DHCP is configured to hand out my Raspberry Pi as the DNS server (Pi-Hole is set up in a Docker container). Within Pi-Hole, my router is then set up as the upstream DNS server in order to resolve local hostnames. This set up was taken directly from [this guide, method 2](https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245) . I'm not sure how to force the hostnames my DHCP/local DNS is mapping to IP addresses (and thus being reported by nmap) to come in line with their actual host names and the new domain name, home.
Dylan Russell (139 rep)
May 13, 2024, 07:29 AM
13 votes
5 answers
41688 views
How to protect against port scanners?
Is it possible to prevent `nmap` from observing my machine entirely? After dropping all incoming connections with `iptables` port scans return as "filtered". **I'd prefer if nmap couldn't see what ports existed at all**. Is this possible?

The below solutions don't seem to work:

http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/
https://dangertux.wordpress.com/2011/09/18/defeating-port-scans-using-iptables/
http://prithak.blogspot.de/2011/12/blocking-nmap-scans-with-pf-and.html

If it's not possible to keep nmap from seeing my device, would it be possible to rate-limit so that nmap takes a REALLY long time to fully scan my IP?
spacemonkey (131 rep)
Feb 15, 2017, 05:25 AM • Last activity: Apr 18, 2024, 12:29 PM
1 votes
2 answers
11401 views
nmap script needed to output text into csv format
Ultimately I am looking to insert some info into a database. So I'm trying to output a file from something (probably nmap) that is formatted like this:

```
10.1.150.1,Up,1/3/2012,host.domain.lan
10.1.150.2,Down,1,3/2012,host2.domain.lan
```

I do not HAVE to get the date from the nmap scan but it would be helpful. I can add it when I insert the data into the DB. I'm pretty sure that nmap can do this along with some grep, awk, and sed foo, but those things aren't my strongest points.

EDIT: I'm open to suggestions about output formats.. XML? I need to run this daily (give or take) and import the results to MySQL

EDIT2: I've gotten this far;

```
nmap -sn -oG - 192.168.0.50-100 | grep Host | awk '{print $2","$5","$3}'
```

Which gives me this:

```
192.168.0.75,Up,()
192.168.0.76,Up,(server01.domain.com)
192.168.0.77,Up,(server02.domain.com)
192.168.0.78,Up,(server03.domain.com)
```

Next; Can I remove the parens? add the date? Nmap always says what time it starts and finishes but it doesn't include that on each line... so I can't grab it w/ the awk statement.
LVLAaron (1775 rep)
Jan 3, 2012, 04:15 PM • Last activity: Apr 12, 2024, 09:18 PM
0 votes
1 answers
125 views
How do I get all MAC addresses of all devices on my LAN that have an IP address (equivalent of doas nmap -sn but for IPv6)?
```
#!/usr/bin/bash
echo "Give me your private IP and its mask";read given
if [[ "$given" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/{0,1}[0-9]{1,3} ]]; then
    echo "version 4"
    doas nmap -sn "$given"
    arp
else
    echo "version 6"
    prefix=${given::6}
    mask=$(echo "$given"|sed -E 's|.*(/[0-9]{1,3})|\1|')
    echo "$mask"
    echo "$prefix"
    doas nmap -6 -sn "$given" #halts, I have to press Ctrl-C
    doas nmap -6 --script=neighbors "$given" #does not work
    doas nmap -6 --script=neighbors "$prefix$mask" #does not work
    doas ip -6 neighbour #empty line, no results
fi
```

```
Give me your private IP and its mask
fe80::xxxx:xxxx:xxxx:xxxx/64
version 6
/64
fe80::
doas (j@j-AERO-17-KC) password: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:55 CET
Interrupt
doas (j@j-AERO-17-KC) password: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:59 CET
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:818: 'neighbors' did not match a category, filename, or directory
stack traceback:

	/usr/bin/../share/nmap/nse_main.lua:818: in local 'get_chosen_scripts'
	/usr/bin/../share/nmap/nse_main.lua:1310: in main chunk


QUITTING!
doas (j@j-AERO-17-KC) password: 
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-26 12:59 CET
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:818: 'neighbors' did not match a category, filename, or directory
stack traceback:

	/usr/bin/../share/nmap/nse_main.lua:818: in local 'get_chosen_scripts'
	/usr/bin/../share/nmap/nse_main.lua:1310: in main chunk


QUITTING!
```

I replaced with x some of the digits of my address - for the sake of preserving my privacy.

**1.** Why does my script halt on `doas nmap -6 -sn "$given"` when an IPv6 address is given

**2.** `doas nmap -6 --script=neighbors "$prefix$mask"` was suggested by ChatGPT to me - why doesn't it work?

**3.** Why doesn't `doas ip -6 neighbour` work?
John Smith (827 rep)
Nov 26, 2023, 12:29 PM • Last activity: Dec 12, 2023, 10:16 AM
13 votes
2 answers
7078 views
What's the gnu-netcat's '-z' equivalent option in nmap-ncat?
I check for a listening port on a service prior to running a script using this:

```
until nc -z $HOST $PORT
do
    echo "waiting for service to be available..."
    sleep 0.5
done
exec "/my/script"
```

It used to work with gnu-netcat, but now, I've upgraded the Linux distribution, and it uses nmap-ncat for the `/usr/bin/nc` command. I'd like to know an equivalent solution to use with nmap-ncat package.
Enderson Maia (231 rep)
Jul 15, 2016, 01:28 AM • Last activity: Nov 21, 2023, 05:36 PM
-2 votes
1 answers
82 views
Why is it written in nmap official doc that -sL does not send any packet, when it actually sends them?
Sniffing with wireshark, I see a bunch of ARP and DNS requests. So why in the official doc it's written this:

> The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.
>
> Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or host discovery cannot be combined with this. If you wish to disable host discovery while still performing such higher level functionality, read up on the -Pn (skip host discovery) option.
Allexj (265 rep)
Oct 24, 2023, 02:16 PM • Last activity: Oct 24, 2023, 08:27 PM