<!--
nmap.dtd
This is the DTD for Nmap's XML output (-oX) format.
$Id$
Originally written by:
William McVey <wam@cisco.com> <wam+nmap@wamber.net>
Now maintained by Fyodor <fyodor@nmap.org> as part of Nmap.
To validate using this file, simply add a DOCTYPE line similar to:
<!DOCTYPE nmaprun SYSTEM "nmap.dtd">
to the nmap output immediately below the prologue (the first line). This
should allow you to run a validating parser against the output (so long
as the DTD is in your parser's DTD search path).
Bugs:
Most of the elements are "locked" into the specific order that nmap
generates, when there really is no need for a specific ordering.
This is primarily because I don't know the xml DTD construct to
specify "one each of this list of elements, in any order". If there
is a construct similar to SGML's '&' operator, please let me know.
Portions Copyright (c) 2001-2022 Nmap Software LLC
Portions Copyright (c) 2001 by Cisco systems, Inc.
Permission to use, copy, modify, and distribute modified and
unmodified copies of this software for any purpose and without fee is
hereby granted, provided that (a) this copyright and permission notice
appear on all copies of the software and supporting documentation, (b)
the name of Cisco Systems, Inc. not be used in advertising or
publicity pertaining to distribution of the program without specific
prior permission, and (c) notice be given in supporting documentation
that use, modification, copying and distribution is by permission of
Cisco Systems, Inc.
Cisco Systems, Inc. makes no representations about the suitability
of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
-->
<!-- parameter entities to specify common "types" used elsewhere in the DTD -->
<!-- NOTE: attr_alpha, attr_numeric, attr_ipaddr and attr_percent all expand
to CDATA, so they document intent only. A validating parser accepts any
string for them; a consumer has to do its own numeric, percentage and
address checks before using the values. -->
<!ENTITY % attr_alpha "CDATA" >
<!ENTITY % attr_numeric "CDATA" >
<!ENTITY % attr_ipaddr "CDATA" >
<!ENTITY % attr_percent "CDATA" >
<!-- attr_type, attr_bool and host_states are real enumerations: a
validating parser rejects any value outside the listed tokens. -->
<!ENTITY % attr_type "(ipv4 | ipv6 | mac)" >
<!ENTITY % attr_bool "(true | false)" >
<!ENTITY % host_states "(up|down|unknown|skipped)" >
<!-- see: nmap.c:statenum2str for list of port states -->
<!-- Maybe they should be enumerated as in scan_types below , but I -->
<!-- don't know how to escape states like open|filtered -->
<!-- Because port_states is CDATA, validation does not restrict the state
string; compare it against the expected set in the consumer. -->
<!ENTITY % port_states "CDATA" >
<!ENTITY % hostname_types "(user|PTR)" >
<!-- see output.c:output_xml_scaninfo_records for scan types -->
<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|sctpinit|sctpcookieecho|ipproto)" >
<!-- <!ENTITY % ip_versions "(ipv4)" > -->
<!ENTITY % port_protocols "(ip|tcp|udp|sctp)" >
<!-- Service detection confidence level (portlist.h:struct serviceDeductions)
-->
<!-- Enumerated as the integers 0 through 10, so out-of-range confidence
values fail validation. -->
<!ENTITY % service_confs "( 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10)" >
<!-- This element was started in nmap.c:nmap_main().
It represents the topmost element of the output document.
Content order is fixed: any number of scaninfo, then verbose, then
debugging, then any mix of the listed per-run elements, then runstats.
-->
<!-- NOTE(review): a report file can carry its own DOCTYPE and internal
subset. When validating reports from a source you do not control, configure
the parser to use only a local copy of this DTD and to refuse other external
entities, and apply entity expansion limits. -->
<!ELEMENT nmaprun (scaninfo*, verbose, debugging,
( target | taskbegin | taskprogress | taskend | hosthint |
prescript | postscript | host | output)*,
runstats) >
<!-- scanner accepts only the token "nmap". scanner, version and
xmloutputversion are required; the rest are optional.
NOTE(review): args presumably records the command line used for the scan;
if so it can reveal target lists and local file paths when a report is
shared. Confirm against nmap.c. -->
<!ATTLIST nmaprun
scanner (nmap) #REQUIRED
args CDATA #IMPLIED
start %attr_numeric; #IMPLIED
startstr CDATA #IMPLIED
version CDATA #REQUIRED
profile_name CDATA #IMPLIED
xmloutputversion CDATA #REQUIRED
>
<!-- this element is written in output.c:doscaninfo() -->
<!-- scaninfo has no content; type and protocol are restricted to the
scan_types and port_protocols enumerations, while numservices and services
are unconstrained strings as far as validation is concerned. -->
<!ELEMENT scaninfo EMPTY >
<!ATTLIST scaninfo
type %scan_types; #REQUIRED
scanflags CDATA #IMPLIED
protocol %port_protocols; #REQUIRED
numservices %attr_numeric; #REQUIRED
services CDATA #REQUIRED
>
<!-- these elements are written in nmap.c:nmap_main() -->
<!-- verbose and debugging are mandatory children of nmaprun, but their
level attribute is optional. -->
<!ELEMENT verbose EMPTY >
<!ATTLIST verbose level %attr_numeric; #IMPLIED >
<!ELEMENT debugging EMPTY >
<!ATTLIST debugging level %attr_numeric; #IMPLIED >
<!-- target carries a required free-text specification. The only status
value allowed is "skipped" and the only reason value allowed is "invalid". -->
<!ELEMENT target EMPTY >
<!ATTLIST target specification CDATA #REQUIRED
status (skipped) #IMPLIED
reason (invalid) #IMPLIED
>
<!-- this element is written in timing.c:beginOrEndTask() -->
<!-- taskbegin: empty element with a required task name and time, plus
optional free-text extrainfo. -->
<!ELEMENT taskbegin EMPTY >
<!ATTLIST taskbegin
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
extrainfo CDATA #IMPLIED
>
<!-- this element is written in timing.c:printStats() -->
<!-- taskprogress: task, time and percent are required; remaining and etc
are optional. percent uses attr_percent, which expands to CDATA, so a value
outside 0 to 100 still validates. -->
<!ELEMENT taskprogress EMPTY >
<!ATTLIST taskprogress
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
percent %attr_percent; #REQUIRED
remaining %attr_numeric; #IMPLIED
etc %attr_numeric; #IMPLIED
>
<!-- this element is written in timing.c:beginOrEndTask() -->
<!-- taskend: same attribute set as taskbegin. -->
<!ELEMENT taskend EMPTY >
<!ATTLIST taskend
task CDATA #REQUIRED
time %attr_numeric; #REQUIRED
extrainfo CDATA #IMPLIED
>
<!--
this element is started in nmap.c:nmap_main() and filled by
output.c:write_host_status(), output.c:printportoutput(), and
output.c:printosscanoutput()
-->
<!-- A host must begin with status followed by one address. After that any
number of the listed children may appear in any order, and an optional
times element must come last. Because the middle group is repeatable, a
valid document may contain several ports or os elements for one host;
consumers should not assume at most one of each. -->
<!ELEMENT host ( status, address , (address | hostnames |
smurf | ports | os | distance | uptime |
tcpsequence | ipidsequence | tcptssequence |
hostscript | trace)*, times? ) >
<!-- All host attributes are optional. timedout is restricted to
true or false; starttime and endtime are unconstrained strings for
validation purposes. -->
<!ATTLIST host
starttime %attr_numeric; #IMPLIED
endtime %attr_numeric; #IMPLIED
timedout %attr_bool; #IMPLIED
comment CDATA #IMPLIED
>
<!-- these elements are written by scan_engine.c:ultrascan_host_pspec_update() -->
<!-- hosthint: a status, one or more address elements, then an optional
hostnames element. No attributes are declared for it. -->
<!ELEMENT hosthint (status,address+,hostnames?) >
<!-- these elements are written by output.c:write_xml_initial_hostinfo() -->
<!-- status: state is limited to the host_states enumeration; reason and
reason_ttl are required free-text attributes. -->
<!ELEMENT status EMPTY >
<!ATTLIST status state %host_states; #REQUIRED
reason CDATA #REQUIRED
reason_ttl CDATA #REQUIRED
>
<!-- address: addr is required but is plain CDATA, so the DTD does not
check that it is a well-formed address. addrtype defaults to "ipv4" when the
attribute is omitted, so a parser that applies DTD defaults and one that
does not can disagree on the type of the same element. -->
<!ELEMENT address EMPTY >
<!ATTLIST address
addr %attr_ipaddr; #REQUIRED
addrtype %attr_type; "ipv4"
vendor CDATA #IMPLIED
>
<!-- hostnames wraps zero or more hostname elements. Both hostname
attributes are optional.
NOTE(review): the PTR type suggests names obtained from reverse DNS, which
the owner of the address space controls; treat name as untrusted text when
displaying or storing it. Confirm against output.c. -->
<!ELEMENT hostnames (hostname)* >
<!ELEMENT hostname EMPTY >
<!ATTLIST hostname
name CDATA #IMPLIED
type %hostname_types; #IMPLIED
>
<!-- this element is written by output.c:write_host_status() -->
<!-- smurf: empty element with a required responses count. -->
<!ELEMENT smurf EMPTY >
<!ATTLIST smurf responses %attr_numeric; #REQUIRED >
<!-- these elements are written by output.c:printportoutput() -->
<!-- ports: all extraports summaries come first, followed by the individual
port elements. -->
<!ELEMENT ports (extraports* , port*) >
<!-- extraports: a state and count, with zero or more extrareasons children
breaking the count down by reason. -->
<!ELEMENT extraports (extrareasons)* >
<!ATTLIST extraports
state %port_states; #REQUIRED
count %attr_numeric; #REQUIRED
>
<!ELEMENT extrareasons EMPTY >
<!ATTLIST extrareasons
reason CDATA #REQUIRED
count CDATA #REQUIRED
proto %port_protocols; #IMPLIED
ports CDATA #IMPLIED
>
<!-- port: a required state, then optional owner and service, then any
number of script results. protocol is an enumeration, but portid expands to
CDATA, so the consumer must check that it is an integer in the valid port
range. -->
<!ELEMENT port (state , owner? , service?, script*) >
<!ATTLIST port
protocol %port_protocols; #REQUIRED
portid %attr_numeric; #REQUIRED
>
<!-- state: the state string is not enumerated (port_states is CDATA).
reason and reason_ttl are required; reason_ip is optional. -->
<!ELEMENT state EMPTY >
<!ATTLIST state
state %port_states; #REQUIRED
reason CDATA #REQUIRED
reason_ttl CDATA #REQUIRED
reason_ip CDATA #IMPLIED
>
<!-- owner: empty element with a required free-text name. -->
<!ELEMENT owner EMPTY >
<!ATTLIST owner name CDATA #REQUIRED >
<!-- service: zero or more cpe children. name, conf and method are
required; conf is limited to 0 through 10 and method to table or probed.
NOTE(review): the free-text attributes (version, product, extrainfo,
hostname, ostype, devicetype, servicefp) presumably derive from what the
scanned service sent back. Treat them as untrusted input: escape them
before placing them in HTML reports, SQL, shell commands or log lines. -->
<!ELEMENT service (cpe*) >
<!ATTLIST service
name CDATA #REQUIRED
conf %service_confs; #REQUIRED
method (table|probed) #REQUIRED
version CDATA #IMPLIED
product CDATA #IMPLIED
extrainfo CDATA #IMPLIED
tunnel (ssl) #IMPLIED
proto (rpc) #IMPLIED
rpcnum %attr_numeric; #IMPLIED
lowver %attr_numeric; #IMPLIED
highver %attr_numeric; #IMPLIED
hostname CDATA #IMPLIED
ostype CDATA #IMPLIED
devicetype CDATA #IMPLIED
servicefp CDATA #IMPLIED
>
<!-- cpe: text-only element. The DTD does not check the text against any
CPE syntax. -->
<!ELEMENT cpe (#PCDATA)>
<!-- script: mixed content, free text interleaved with table and elem
children. id and output are both required free-text attributes.
NOTE(review): output and the nested text presumably carry data gathered
from the scanned host, so the same untrusted-input handling applies as for
the service attributes. -->
<!ELEMENT script (#PCDATA|table|elem)* >
<!ATTLIST script
id CDATA #REQUIRED
output CDATA #REQUIRED
>
<!-- table: may contain further table elements, so nesting depth is
unbounded as far as the DTD is concerned. A recursive consumer should
enforce its own depth limit. -->
<!ELEMENT table (table|elem)* >
<!ATTLIST table
key CDATA #IMPLIED
>
<!-- elem: a text leaf with an optional key. -->
<!ELEMENT elem (#PCDATA)>
<!ATTLIST elem
key CDATA #IMPLIED
>
<!-- os: children appear in a fixed group order, all portused elements,
then all osmatch elements, then all osfingerprint elements. Each group may
be empty. -->
<!ELEMENT os ( portused* , osmatch*, osfingerprint* ) >
<!-- portused: state, proto and portid are all required. Only proto is an
enumeration; state and portid validate as arbitrary strings. -->
<!ELEMENT portused EMPTY >
<!ATTLIST portused
state %port_states; #REQUIRED
proto %port_protocols; #REQUIRED
portid %attr_numeric; #REQUIRED
>
<!-- osclass: appears inside osmatch and holds zero or more cpe children.
vendor, accuracy and osfamily are required; osgen and type are optional. -->
<!ELEMENT osclass (cpe*) >
<!ATTLIST osclass
vendor CDATA #REQUIRED
osgen CDATA #IMPLIED
type CDATA #IMPLIED
accuracy CDATA #REQUIRED
osfamily CDATA #REQUIRED
>
<!-- osmatch: zero or more osclass children; name, accuracy and line are
required. -->
<!ELEMENT osmatch (osclass*) >
<!ATTLIST osmatch
name CDATA #REQUIRED
accuracy %attr_numeric; #REQUIRED
line %attr_numeric; #REQUIRED
>
<!-- osfingerprint: empty element whose required fingerprint attribute is
free text of unrestricted length. -->
<!ELEMENT osfingerprint EMPTY >
<!ATTLIST osfingerprint
fingerprint CDATA #REQUIRED
>
<!-- The elements below are all empty and carry their data in attributes.
Every attribute type here is CDATA, directly or through attr_numeric, so a
consumer must parse and range-check the numbers itself. -->
<!-- distance: required value. -->
<!ELEMENT distance EMPTY >
<!ATTLIST distance
value %attr_numeric; #REQUIRED
>
<!-- uptime: required seconds, optional lastboot string. -->
<!ELEMENT uptime EMPTY >
<!ATTLIST uptime
seconds %attr_numeric; #REQUIRED
lastboot CDATA #IMPLIED
>
<!-- tcpsequence: index, difficulty and values are all required. -->
<!ELEMENT tcpsequence EMPTY >
<!ATTLIST tcpsequence
index %attr_numeric; #REQUIRED
difficulty CDATA #REQUIRED
values CDATA #REQUIRED
>
<!-- ipidsequence: class and values are both required. -->
<!ELEMENT ipidsequence EMPTY >
<!ATTLIST ipidsequence
class CDATA #REQUIRED
values CDATA #REQUIRED
>
<!-- tcptssequence: class is required; unlike ipidsequence, values is
optional here. -->
<!ELEMENT tcptssequence EMPTY >
<!ATTLIST tcptssequence
class CDATA #REQUIRED
values CDATA #IMPLIED
>
<!-- trace: zero or more hop children, with optional proto and port. Note
that proto is plain CDATA here, not the port_protocols enumeration. -->
<!ELEMENT trace (hop*) >
<!ATTLIST trace
proto CDATA #IMPLIED
port CDATA #IMPLIED
>
<!-- hop: only ttl is required.
NOTE(review): host is presumably a resolved name for the hop address; if
so, handle it as untrusted text like other hostnames. Confirm against the
traceroute output code. -->
<!ELEMENT hop EMPTY>
<!ATTLIST hop
ttl CDATA #REQUIRED
rtt CDATA #IMPLIED
ipaddr CDATA #IMPLIED
host CDATA #IMPLIED
>
<!-- times: srtt, rttvar and to are all required. Per the host content
model this element is optional and comes last in a host. -->
<!ELEMENT times EMPTY>
<!ATTLIST times
srtt CDATA #REQUIRED
rttvar CDATA #REQUIRED
to CDATA #REQUIRED
>
<!-- For embedding another type of output (screen output) like Zenmap does. -->
<!-- output holds arbitrary text; the only type value allowed is
"interactive". Treat the text as untrusted when re-rendering it, since
screen output can echo strings that originated from scanned hosts. -->
<!ELEMENT output (#PCDATA)>
<!ATTLIST output type (interactive) #IMPLIED>
<!-- these elements are generated in output.c:printfinaloutput() -->
<!-- runstats: exactly one finished followed by exactly one hosts. -->
<!ELEMENT runstats (finished, hosts)>
<!-- finished: time and elapsed are required. exit is optional and limited
to error or success; errormsg is optional free text. A consumer should not
assume a scan succeeded merely because exit is absent. -->
<!ELEMENT finished EMPTY >
<!ATTLIST finished time %attr_numeric; #REQUIRED
timestr CDATA #IMPLIED
elapsed %attr_numeric; #REQUIRED
summary CDATA #IMPLIED
exit (error|success) #IMPLIED
errormsg CDATA #IMPLIED
>
<!-- hosts: up and down default to "0" when omitted, total is required.
The defaults are supplied only by a parser that reads this DTD. -->
<!ELEMENT hosts EMPTY >
<!ATTLIST hosts
up %attr_numeric; "0"
down %attr_numeric; "0"
total %attr_numeric; #REQUIRED
>
<!-- Script result containers: each requires at least one script child.
hostscript appears inside host; prescript and postscript appear directly
under nmaprun. -->
<!ELEMENT hostscript ( script+ )>
<!ELEMENT prescript ( script+ )>
<!ELEMENT postscript ( script+ )>