Nmap help document
What is nmap?
Nmap (Network ER) is an open-source Network detection and security audit tool. Its design goal is to quickly scan a large network. Of course, it is no problem to scan a single host with it.
We recommend that you use ctrl + f for search.
In fact, it is also convenient for you to remember at the same time
For more information, see the official documents.
nmap -h
-H is only the most commonly used option. For more details, see the official documentation. You can also directly use man namp.
-T4 can speed up scanning
Nmap 6.47 (http://nmap.org) Usage: nmap [Scan Type (s)] [Options] {target specification} // Usage: nmap Scan Type parameter Scan target specification: // how Can I enter the target? Can pass hostnames, IP addresses, networks, etc. // available domain name, IP address or network Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 // example-iL
: Input from list of hosts/networks // read from file scan target-iR
: Choose random targets // randomly select the target (add a number to indicate the number of targets to be scanned), for example, nmap-iR 5 // scan five targets randomly -- exclude
: Exclude hosts/networks // Exclude certain targets and enter excludefile after exclusion.
: Exclude list from file // read the target HOST to be excluded from the file DISCOVERY: // host discovery-sL: List Scan-simply list targets to scan // list Scan: only list the ip addresses of Hosts. No Scan-sn: Ping scan-disable port Scan // ping scan is performed, and no port Scan-Pn: treat all hosts as online -- skip host discovery // skip host discovery, directly when it is online-PS/PA/PU/PY [portlist]: tcp syn/ACK, UDP or SCTP discovery to given ports // tcp syn, tcp ack, UDP, and SCTP are used to scan the port and check whether the host is online-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes // ping echo scan, timestamp request scan, Address Mask request scan-PO [protocol list]: IP Protocol Ping // That is 0, no ping, skip Nmap discovery phase-n/-R: Never do DNS resolution/Always resolve [default: sometimes] //-n Never use domain name resolution-R: Always domain name resolution-dns-servers
: Specify custom DNS servers // Specify the DNS server -- system-dns: Use OS's DNS resolver // Use the DNS server set by the system -- traceroute: trace hop path to each host // data packet tracking (to see which nodes have passed) scan techniques: // SCAN technology-sS/sT/sA/sW/sM: tcp syn/Connect ()/ACK/Window/Maimon scans // SYN scan, connection scan (three handshakes if enabled), ACK scan, TCP window scan (Open Port uses positive numbers to indicate the window size (or even for RST packets) and the window size of the closed port is 0), Maimon scan and Null, FIN, and Xmas Scan is exactly the same-sU: UDP Scan // UDP Scan-sN/sF/sX: TCP Null, FIN, and Xmas scans // Null, FIN, and Xmas scan (XMAS scan opens the FIN, URG, PUSH tag) -- scanflags
: Customize TCP scan flags // custom TCP scan (design your own scan by specifying any TCP flag)-sI
: Idle scan // Idle scan? This can counterfeit ip-sY/sZ: sctp init/COOKIE-ECHO scans // sctp init scan (sctp init packet will be sent) COOKIE-ECHO scan (sctp cookie-ECHO packet will be sent)-sO: IP protocol scan // IP protocol scan-B
: FTP bounce scan // FTP bounce scan port specification and scan ORDER: // PORT description and scan sequence-p
: Only scan specified ports // The scanning port range Ex:-p22;-p1-65535;-p U: 53,111,137, T: 21-25, 80, 139,8080, S: 9 // example-F: Fast mode-Scan fewer ports than the default scan // Fast mode: Scan ports with fewer ports-r: scan ports consecutively-don't randomize // The port is continuously scanned (that is, incremental). Do not randomize -- top-ports
: Scan
Most common ports // scan the most common port number-port-ratio
: Scan ports more common
// Scan more common ports (more than ratio) SERVICE/version detection: // SERVICE and version detection-sV: probe open ports to determine service/version info // test the open port and determine the service and version information -- version-intensity
: Set from 0 (light) to 9 (try all probes) // Set version scan emphasis (default value: 7). The higher the value, the more likely the service to be correctly recognized. However, high-intensity scanning takes more time. The official documentation says that it is too high to emphasize that it is generally useless, and the version test may be similar) -- version-light: limit to most likely probes (intensity 2) // lightweight scan, that is, strength 2 -- version-all: Try every single probe (intensity 9) // Try each probe, make sure that the version-trace: Show detailed version scan activity (for debugging) alias of strength 9 is used to attempt each test packet on each port. // you can trace the version scan activity, print out detailed debugging information about ongoing scans. script scan: // script SCAN-SC: equivalent to -- SCRIPT = default // default script SCAN, just to test some more detailed information -- script =
:
Is a comma separated list of // use a script or a script to scan. You can also use a comma-separated list (such as vuln, malware, dos) directories, script-files or script-categories -- script-args =
: Provide arguments to scripts // pass the parameter -- script-args-file = filename to the script: provide neuron script args in a file // specify the script Parameters in the file -- script-trace: show all data sent and received ed // display all data sent and received -- script-updatedb: Update the script database. // update the script database -- script-help =
: Show help about scripts. // display the help of the script, which script or which script is added later
Is a comma-separated list of script-files or script-categories. OS DETECTION: // OS probe-O: Enable OS detection // Enable OS probe -- osscan-limit: limit OS detection to promising targets // perform OS detection TIMING AND PERFORMANCE for specified targets: // time AND PERFORMANCE Options which take
Are in seconds, or append 'Ms '(milliseconds), 'S' (seconds), 'M' (minutes), or 'H' (hours) to the value (e.g. 30 m ). -T <0-5>: Set timing template (higher is faster) // Set the time template. The higher the template is, the faster the template is -- min-hostgroup/max-hostgroup
: Parallel host scan group sizes // adjust the Parallel scan group size, that is, the number of host ports or versions scanned at the same time (the minimum value here is the maximum value) -- min-parallelism/max-parallelism
: Probe parallelization // adjust the concurrency of the test packets-min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout
: Specifies probe round trip time. // adjust the degree of parallelism of the test packets-max-retries
: Caps number of port scan probe retransmissions. // adjust the number of retries -- host-timeout
: Give up on target after this long // adjust the timeout value -- scan-delay/-- max-scan-delay
: Adjust delay between probes // Adjust the time interval of the probe packet, or call the delay between each packet. The next one is to set the maximum detection packet interval-min-rate
: Send packets no slower
Per second // adjust the minimum value of the packet sent per second -- max-rate
: Send packets no faster
Per second // adjust the maximum value of sent packets per second: FIREWALL/ids evasion and spoofing: // FIREWALL/IDS Dodge AND scam-f; -- mtu
: Fragment packets (optionally w/given MTU) // segment the packet. This packet should be an ip address, which is to reduce the size of each packet sent, the idea is to segment the TCP Header in several packets, making it more difficult to detect packet filters, IDS, and other tools. -D
: Cloak a scan with decoys // use bait for hidden scanning (that is, some fake IP addresses can be added later)-S
: Spoof source address // counterfeit source address, which must be used with-e below.
: Use specified interface // specify the network interface (such as eth0)-g/-- source-port
: Use given port number // source port spoofing --- specify the source port -- proxies
: Relay connections through HTTP/SOCKS4 proxies // set HTTP or SOCKS4 proxy -- data-length
: Append random data to sent packets // Append random data when sending packets (additional quantity is added later) -- ip-options
: Send packets with specified ip options // specify the Special ip protocol option-ttl
: Set IP time-to-live field // Set the TTL value -- spoof-mac
: Spoof your MAC address // mac address Spoofing -- badsum: Send packets with a bogus TCP/UDP/SCTP checksum // Send an error checksum packet OUTPUT: // output-oN/-oX/-OS/-oG
: Output scan in normal, XML, s |
% 3 Cbasename % 3E: Output in the three major formats at once // the scan results can be Output in standard format, XML format, and Grep format at a time. Stored in
. Nmap,
. Xml and
. Gnmap file. -V: Increase verbosity level (use-vv or more for greater effect) // Increase the output details to make the scanned information more detailed-d: increase debugging level (use-dd or more for greater effect) // you can use debugging to obtain more information when the verbose mode does not provide sufficient data. -- Reason: Display the reason a port is in a particle state // Display the reason (why is the status of the port scanned?) -- open: only show open (or possibly open) ports // Only show open or possibly open ports -- packet-trace: show all packets sent and received ed // display all sent and received packets -- iflist: Print host interfaces and routes (for debugging) // output interface and route -- log-errors: log errors/warnings to the normal-format output file // output errors and warnings to the file in standard format -- append-output: append to rather than clobber specified output files // Add it to the output file (equivalent to appending content to the file). In this way, you can put the scan results in one file multiple times -- resume
: Resume an aborted scan // restore a terminated scan-stylesheet
: XSL stylesheet to transform XML output to HTML // use the XSL style sheet to convert XML and output HTML -- webxml: Reference stylesheet from Nmap. org for more portable XML // create a lightweight XML file from the namp website? -- No-stylesheet: Prevent associating of XSL stylesheet w/XML output // disable Nmap's XML output from joining any XSL style table MISC: // comprehensive, others, various-6: Enable IPv6 scanning // Enable IPv6 scan-A: Enable OS detection, version detection, script scanning, and traceroute // Enable system detection, (service) version detection, script scanning and route tracing-datadir
: Specify custom Nmap data file location // specifies the Nmap data file location of the user. If you do not know the usage, tell me (these files include nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-OS-fingerprints. Nmap first searches for these files in the directory described by the -- datadir option. Files Not found will be searched in the directory of the BMAPDIR environment variable description .) -- Send-eth/-- send-ip: Send using raw ethernet frames or IP packets // use the original ethernet frame for sending, followed by a packet sent using the original IP socket -- privileged: assume that the user is fully privileged // Assume that the user has all permissions -- unprivileged: Assume the user lacks raw socket privileges // Assume that the user has no permission to use the original socket-V: print version number // Print the nmap version-h: Print this help summary page. // print the help information. EXAMPLES: // example: nmap-v-A scanme.nmap.org nmap-v-sn 192.168.0.0/16 10.0.0.0/8 nmap-v-iR 10000-Pn-p 80
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
