Introduction to nmap

Target Specification: the host name, IP address, network, and other examples can be used: scanme.nmap.org, region, (0 is not limited...

 

Target specification:

You can use host names, IP addresses, and networks.

Example: scanme.nmap.org, dream4.org/24, 192.168.0.1; 10.0.0-255.1-254

-IL : Obtain the host or network from a specified file

-IR : Select a host randomly (0 does not limit the number of scan hosts)

-- Exclude : Exclude the specified host or network

-- Excludefile : Obtain excluded hosts or networks from a specified file

 

Host discovery:

-SL: list scan-a simple list of targets to be scanned (no packets are sent to the target host)

-SP: Ping scan-only ping scan is performed to find the target host. No other operations are performed.

-PN: set all hosts to online status -- skip host status detection

-PS/PA/PU [portlist]: specify SYN (tcp syn Ping)/ACK (tcp ack Ping)/UPD (UDP Ping) to scan the specified port

-PE/PP/PM: detects ICMP echo, time mark, and network mask

-PO [protocol list]: detects network protocols supported by hosts.

-N/-R: DNS resolution is never performed. [default: sometimes]

-- Dns-servers : Custom DNS server

-- System-dns: Operating system DNS resolution

 

Port scanning technology:

-SS/sT/sA/sW/sM: tcp syn/Connect ()/ACK/Window/Maimon scan

-SU: UDP scan

-SN/sF/sX: TCP null does not set any flag bit (tcp flag header is 0), FIN (only tcp fin flag bit), Xmas (set FIN, PSH, and URG flag) scan

-- Scanflags : Custom scan flag

-SI : Idle scan

-SO: IP protocol scan to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machine)

-B : FTP transfer scan

-- Traceroute: route tracing to track the jump address of each host

-- Reason: displays the specific status of each port.

 

Port description and scan instance:

-P : Scan only the specified port

Example:-p22;-p1-65535;-p U: 53,111,137, T: 21-25, 80

-F: quick mode-scan common ports

-R: ports are not scanned randomly.

-- Top-ports : Scan <数量> The most common port

-- Port-ratio : Scan the most common port <比率>

 

Service/Version detection:

-SV: detects service/version information from open ports

-- Version-intensity : Set scan intensity 0 (high) to 9 (try all probes)

-- Version-light: enable lightweight mode (intensity 2)

-- Version-all: ensure that all test methods are attempted on each port.

-- Version-trace: displays debugging information about a scanning task.

 

Script scan:

-SC: equivalent to using the default script -- script = default

-- Script = : Use commas to separate the list, directory list, script file, or script class

-- Script-args = : Provide script parameters

-- Script-trace: displays all sent and received data.

-- Script-updatedb: updates the script database.

 

Operating system detection:

-O: enable OS detection

-- Osscan-limit: detects the specified target operating system.

-- Osscan-guess: the OS that best matches the prediction

 

Time and performance:

The option is in milliseconds, unless you append 's' (seconds), 'M' (minutes), or 'H' (hours)

-T [0-5]: Set the time template (the faster the process)

-- Min-hostgroup/max-hostgroup : Adjust the parallel scan group size

-- Min-parallelism/max-parallelism: Adjust the concurrency of the test packets.

-- Min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout: Specify the probe timeout.

-- Max-retries : Specify the maximum number of retries

-- Host-timeout: Give up if the target does not respond within the specified time

-- Scan-delay/-- max-scan-delay: Adjust the detection latency

-- Min-rate : The number of sent data packets is not lower Per second

-- Max-rate : The number of sent data packets is no higher Per second

 

Firewall/IDS avoidance and spoofing:

-F; -- mtu : Packet segmentation (using the specified MTU)

-D : Use bait for hidden scanning

-S : Source address spoofing

-E : Use the specified interface

-G/-- source-port : Source port spoofing

-- Data-length : Random packet attachment and send

-- Ip-options : Send data packets with the specified IP option

-- Ttl : Set the IP time-to-live domain

-- Spoof-mac : MAC address spoofing

-- Badsum: send forged TCP/UDP packets

 

Output:

-ON/-oX/-OS/-oG : Standard output of scan reports, XML output, s |

-OA : Output to all formats

-V: improves the details of output information.

-D [level]: raise or set the debugging level (9 is recommended)

-- Open: only open ports are displayed.

-- Packet-trace: displays all sent and received packets.

-- Iflist: lists interfaces and routes (debugging)

-- Log-errors: saves Error Records/warnings to specified files.

-- Append-output: append to the specified output file.

-- Resume : Continue to suspend scanning

-- Stylesheet : Set the XSL style sheet and convert the XML output

-- Webxml: See the WEBXML style sheet provided by Nmap. Org.

-- No-stylesheet: ignore the XSL style sheet declared in XML

 

Miscellaneous:

-6: enable IPv6 scanning

-A: High-intensity scan mode options

-- Datadir : Specifies the Nmap data file location.

-- Send-eth/-- send-ip: use the original Ethernet frame or the original IP address to send data packets.

-- Privileged: assume that the user has all permissions.

-- Unprivileged: assume that the user does not have the original socket privilege.

-V: displays the version number.

-H: output help information

 

Instance:

Nmap-v-A scanme.dream4.org

Nmap-v-sP 192.168.0.0/16 10.0.0.0/8

Nmap-v-iR 10000-PN-p 80