Nmap (Network Mapper): a network exploration tool and security/port scanner

nmap [scan type(s)...] [options] [target specification]

Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, 192.168.0.1; 10.0-255.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idlescan
  -sO: IP protocol scan
  -b : FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file
  -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-light: Limit to most likely probes for faster identification
  --version-all: Try every single probe for version detection
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  -T[0-6]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup : Parallel host scan group sizes
  --min-parallelism/max-parallelism : Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies probe round trip time.
  --host-timeout : Give up on target after this long
  --scan-delay/--max-scan-delay : Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu : fragment packets (optionally w/given MTU)
  -D : Cloak a scan with decoys
  -S : Spoof source address
  -e : Use specified interface
  -g/--source-port : Use given port number
  --data-length : Append random data to sent packets
  --ttl : Set IP time-to-live field
  --spoof-mac : Spoof your MAC address
OUTPUT:
  -oN/-oX/-oS/-oG : Output scan results in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
  -oA : Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume : Resume an aborted scan
  --stylesheet : XSL stylesheet to transform XML output to HTML
  --no-stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir : Specify custom Nmap data file location
  --send-eth/--send-ip: Send packets using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80

Target specification:
1) CIDR-style addresses: append /numbits to an IP address or hostname, and Nmap scans every IP address or host whose leading numbits bits match that IP; numbits values from 1 to 32 are supported.
2) Each octet of an IP address may be given as a range list, i.e. 0-255.0-255.0-255.0-255, or as comma-separated values, i.e. 192.168.1.1,3,5.
3) IPv6 addresses can only be specified by a canonical IPv6 address or a hostname; neither of the two notations above is supported for IPv6.
4) Multiple host specifications are accepted, and they need not be of the same type.
5) -iL: read targets from a list.
6) -iR: choose targets at random; hostnum is the number of targets, and 0 means a never-ending scan.
7) --exclude: exclude hosts/networks.
8) --excludefile: exclude the hosts listed in a file.

Host discovery: probe packets are sent to the target; if a reply is received, the target host is up.
Nmap supports more than ten different host probing methods; by default it sends four:
a) an ICMP echo request
b) a TCP SYN packet to port 443
c) a TCP ACK packet to port 80
d) an ICMP timestamp request

Option forms:
- -sL: List Scan. Only lists the specified target IPs; no host discovery is performed.
- -sP: Ping Scan. Performs host discovery with a ping scan only, without a port scan.
  - By default it sends an ICMP echo request and a TCP packet to port 80; an unprivileged user sends a SYN packet to port 80.
  - It can be combined with any discovery probe type (-P* option) other than -P0 for greater flexibility.
- -Pn/-P0: Treat all specified hosts as up and skip the host discovery step.
- -PS [portlist]: TCP SYN Ping. Sends an empty TCP packet with the SYN flag set.
  - The default port is 80 (configurable); a port list can also be specified.
  - The target host's port.
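The target-specification rules above (CIDR, per-octet ranges and comma lists, --exclude) as an added Python example that is not part of the original page or of Nmap itself: it expands a specification the way Nmap does and checks that the resulting scope stays inside an authorized block, which is useful when reviewing a scan plan or auditing what a logged scan covered. The function names are mine, and it assumes IPv4 literals only (hostnames are not resolved).

```python
import ipaddress
import itertools

def _octet_values(field):
    """Expand one octet field: '1', '1-5', '1,3,5-7', or '-' (Nmap's shorthand for 0-255)."""
    values = set()
    for part in field.split(","):
        if part == "-":
            part = "0-255"
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo, hi = int(lo or 0), int(hi or 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r} in field {field!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(spec):
    """Every IPv4 address an Nmap spec names: a.b.c.d, CIDR a.b.c.d/numbits (network and
    broadcast included, as Nmap does) or per-octet ranges/lists. Assumption: IPv4 literals only."""
    if "/" in spec:
        base, bits = spec.rsplit("/", 1)
        if not bits.isdigit() or not 0 <= int(bits) <= 32:
            raise ValueError(f"numbits must be 0-32: {spec!r}")
        return [str(a) for a in ipaddress.ip_network(f"{base}/{bits}", strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields: {spec!r}")
    return [".".join(map(str, combo)) for combo in itertools.product(*map(_octet_values, fields))]

def scan_scope(targets, exclude=()):
    """Apply --exclude: drop every address an exclude spec matches; keep first-seen order."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    scope = {}
    for spec in targets:
        for addr in expand_target(spec):
            if addr not in excluded:
                scope.setdefault(addr, None)
    return list(scope)

def within_authorized(targets, authorized, exclude=()):
    """True only if every in-scope address lies inside one of the authorized CIDR blocks."""
    allowed = [ipaddress.ip_network(net, strict=False) for net in authorized]
    return all(any(ipaddress.ip_address(addr) in net for net in allowed)
               for addr in scan_scope(targets, exclude))
```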