LinuxNmap网络扫描详细使用参数

    About nmap

    Short for network mapper, nmap is a network exploration tool and security / port scanner.

    Syntax

    nmap [Scan Type(s)] [Options] {target specification}

    TARGET SPECIFICATION:

    -iL Input from list of hosts/networks

    -iR Choose random targets

    --exclude Exclude hosts/networks

    --excludefile Exclude list from file

　　使用前提：
　
　　一般在本机上查看端口时，最好使用netstat，因为它安全又可靠，如果找不到端口，或不知道端口的作用是什么，尤其在/etc/services中没有提到的端口对应的服务，就可以使用nmap命令。这个命令是系统管理员用来管理系统安全性的工具，可以通过它了解我们主机端口到底有什么作用。
　
　　语法：
　
　　nmap <扫描类型> <扫描参数>
　
　　扫描类型：主要有以下几种。
　
　　-sT：扫描TCP数据包以建立的连接connect（）
　
　　-sS：扫描TCP数据包带有SYN数据的标记
　
　　-sP：以ping方式进行扫描
　
　　-sU：以UDP数据包格式进行扫描
　
　　-sO：以IP协议进行主机扫描
　
　　扫描参数：主要有以下几种。
　
　　-PT：使用TCP的ping方式进行扫描，可以获取当前已经启动几台计算机
　
　　-PI：使用实际的ping（带有ICMP数据包）进行扫描
　
　　-p：这个是端口范围，如：1024~，80~1023，30000~60000
　
　　IP地址与范围：有以下几种类型：
　
　　192.168.0.100：直接写入IP，仅检查一台主机
　
　　192.168.0.0/24：为C Class的网段
　
　　192.168.*.*：以B Class的网段，扫描范围更广
　
　　192.168.0.0~50，60~100，103，200：变形的主机范围
　
　　范例：
　
　　nmap localhost ：扫描本机
　
　　nmap -p 1024-65535 localhost ：扫描本机的一部分端口
　
　　nmap -PT 192.168.1.171-177 ：已ping方式扫描数台主机

    HOST DISCOVERY:

    -sL List Scan - simply list targets to scan

    -sP Ping Scan - go no further than determining if host is online

    -P0 Treat all hosts as online -- skip host discovery

    -PS/PA/PU [portlist] TCP SYN/ACK or UDP discovery to given ports

    -PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes

    -n/-R Never do DNS resolution/Always resolve [default: sometimes]

    --dns-servers Specify custom DNS servers

    --system-dns Use OS's DNS resolver

    SCAN TECHNIQUES:

    -sS/sT/sA/sW/sM TCP SYN/Connect()/ACK/Window/Maimon scans

    -sN/sF/sX TCP Null, FIN, and Xmas scans

    --scanflags Customize TCP scan flags

    -sI Idlescan

    -sO IP protocol scan

    -b FTP bounce scan

    PORT SPECIFICATION AND SCAN ORDER:

    -p Only scan specified ports

    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

    -F Fast - Scan only the ports listed in the nmap-services file)

    -r Scan ports consecutively - don't randomize

    SERVICE/VERSION DETECTION:

    -sV Probe open ports to determine service/version info

    --version-intensity Set from 0 (light) to 9 (try all probes)

    --version-light Limit to most likely probes (intensity 2)

    --version-all Try every single probe (intensity 9)

    --version-trace Show detailed version scan activity (for debugging)

    OS DETECTION:

    -O Enable OS detection

    --osscan-limit Limit OS detection to promising targets

    --osscan-guess Guess OS more aggressively

    TIMING AND PERFORMANCE:

    Options which take are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

    -T[0-5] Set timing template (higher is faster)

    --min-hostgroup/max-hostgroup Parallel host scan group sizes

    --min-parallelism/max-parallelism Probe parallelization

    --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout Specifies probe round trip time.

    --max-retries Caps number of port scan probe retransmissions.

    --host-timeout Give up on target after this long

    --scan-delay/--max-scan-delay Adjust delay between probes

    FIREWALL/IDS EVASION AND SPOOFING:

    -f; --mtu fragment packets (optionally w/given MTU)

    -D Cloak a scan with decoys

    -S Spoof source address

    -e Use specified interface

    -g/--source-port Use given port number

    --data-length Append random data to sent packets

    --ttl Set IP time-to-live field

    --spoof-mac Spoof your MAC address

    --badsum Send packets with a bogus TCP/UDP checksum

    OUTPUT:

    -oN/-oX/-oS/-oG Output scan in normal, XML, s|

    -oA Output in the three major formats at once

    -v Increase verbosity level (use twice for more effect)

    -d[level] Set or increase debugging level (Up to 9 is meaningful)

    --packet-trace Show all packets sent and received

    --iflist Print host interfaces and routes (for debugging)

    --log-errors Log errors/warnings to the normal-format output file

    --append-output Append to rather than clobber specified output files

    --resume Resume an aborted scan

    --stylesheet XSL stylesheet to transform XML output to HTML

    --webxml Reference stylesheet from Insecure.Org for more portable XML

    --no-stylesheet Prevent associating of XSL stylesheet w/XML output

    MISC:

    -6 Enable IPv6 scanning

    -A Enables OS detection and Version detection

    --datadir Specify custom Nmap data file location

    --send-eth/--send-ip Send using raw ethernet frames or IP packets

    --privileged Assume that the user is fully privileged

    -V Print version number

    Examples

    nmap -P0 204.228.150.3

    Running the above port scan on the Computer Hope IP address would give information similar to the below example. Keep in mind that with the above command it's -P not the letter O.

    Interesting ports on www.computerhope.com (204.228.150.3):

    Not shown: 1019 filtered ports, 657 closed ports

    PORT STATE SERVICE

    21/tcp open ftp

    80/tcp open http

    113/tcp open auth

    443/tcp open https