Linux Security Scanning Tool Nmap: Usage and Parameters in Detail

Source: Internet
Author: User

A scanner is a program that automatically detects security vulnerabilities on a host. It collects information about the target host by sending specific network packets and recording the host's responses. Many scanners are available today; well-known ones include SSS, X-Scan and SuperScan, and the most powerful is, of course, Nmap.

Nmap (Network Mapper) is an open-source network discovery and security auditing tool.

It is used to quickly scan a network or a host for open ports, and it can also use characteristics of the TCP/IP protocol stack to detect the operating system type of a remote host. Nmap supports a wide range of scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open scan), FTP proxy (bounce attack), reverse ident, ICMP, FIN, ACK scan, Christmas tree (Xmas), SYN scan, and NULL scan. Nmap was originally a command-line application for UNIX systems. In 2000, a Windows version that could be installed directly became available.

The format of the nmap command is:

nmap [Scan Type ...] [General Options] {scan target description}

The parameters of the nmap command are described below by category:

1. Scan type

-sT TCP connect() scan, the most basic method of TCP scanning. This scan is easily detected: a large number of connection requests and error messages are recorded in the target host's log.
-sS TCP SYN scan. Because a full TCP connection is never opened, this technique is often called a half-open scan. Its main advantage is that few systems record it in the system log. However, you need root privileges to craft the SYN packets.
-sF, -sX, -sN Stealth FIN, Christmas tree (Xmas) and NULL scan modes. The rationale for these scans is that a closed port is required to respond to your probe packet, while an open port must ignore the packet in question (see page 64 of RFC 793).
-sP Ping scan. Uses ping to check which hosts on the network are running. When a host blocks ICMP echo request packets, the ping scan does not work. Nmap performs a ping scan in any case, and only hosts that are running are scanned further.
-sU Use this option to find out which UDP (User Datagram Protocol, RFC 768) services a host provides.
-sA ACK scan. This advanced scanning method can often be used to get through firewalls.
-sW Sliding window scan, very similar to the ACK scan.
-sR RPC scan, used in combination with the other port scanning methods.
-b FTP bounce attack: connects to an FTP server behind the firewall, uses it as a proxy, and then port scans.
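
A defender's view of the scan types listed above, as an added example that is not part of the original page: it classifies the TCP flag byte of segments that match no existing connection and groups the touched ports per source. The sample records, the function names and the three-port threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# TCP flag bits as defined in RFC 793
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Name the scan type whose probe carries exactly this TCP flag byte."""
    flags &= 0x3F                       # drop ECE/CWR, which RFC 793 does not define
    if flags == 0:
        return "NULL (-sN)"
    if flags == (FIN | PSH | URG):
        return "Xmas (-sX)"
    if flags == FIN:
        return "FIN (-sF)"
    if flags == SYN:
        return "SYN (-sS or -sT)"       # first packet is the same for both
    if flags == ACK:
        return "ACK (-sA or -sW)"
    return "other"

# Flag combinations that never appear in normal traffic: alert on one packet.
ALWAYS_ABNORMAL = {"NULL (-sN)", "Xmas (-sX)"}

def find_scanners(segments, min_ports=3):
    """segments: (source, destination port, flag byte) of unsolicited packets.
    A lone SYN, FIN or ACK can be legitimate, so those types are reported
    only when one source touches at least min_ports distinct ports."""
    ports = defaultdict(set)
    for src, dport, flags in segments:
        ports[(src, classify_probe(flags))].add(dport)
    alerts = {}
    for (src, kind), seen in ports.items():
        if kind in ALWAYS_ABNORMAL or (kind != "other" and len(seen) >= min_ports):
            alerts[(src, kind)] = sorted(seen)
    return alerts

# Constructed sample data (documentation address ranges), not captured traffic.
SAMPLE = [
    ("198.51.100.7", 22, SYN), ("198.51.100.7", 53, SYN),
    ("198.51.100.7", 110, SYN), ("198.51.100.7", 143, SYN),
    ("203.0.113.9", 22, FIN | PSH | URG),
    ("203.0.113.20", 80, 0),
    ("192.0.2.44", 443, SYN),           # ordinary client opening one connection
    ("192.0.2.50", 25, FIN),            # stray FIN after a connection timed out
    ("192.0.2.60", 21, ACK), ("192.0.2.60", 23, ACK), ("192.0.2.60", 25, ACK),
]

if __name__ == "__main__":
    for (src, kind), seen in sorted(find_scanners(SAMPLE).items()):
        print(f"{src:15} {kind:18} ports={seen}")
```
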

2. General Options

-P0 Do not ping hosts before scanning them.
-PT Before scanning, use a TCP ping to determine which hosts are running.
-PS For root users, this option makes Nmap use SYN packets instead of ACK packets to probe the target hosts.
-PI Makes Nmap use a real ping (ICMP echo request) to check whether the target hosts are running.
-PB This is the default ping scan option. It uses both the ACK (-PT) and ICMP (-PI) probe types in parallel. If a firewall filters only one of these packet types, this method still gets through the firewall.
-O Enables TCP/IP fingerprinting to identify the remote host, that is, its operating system type.
-I Turns on Nmap's reverse ident scan feature.
-f Uses fragmented IP packets to send SYN, FIN, Xmas and NULL scans. This makes the job harder for packet filters and intrusion detection systems, so that they cannot tell what you are doing.
-v Verbose mode. This option is strongly recommended and gives detailed information during the scan.
-S <IP> In some cases Nmap may not be able to determine your source address (Nmap will tell you). In that case, use this option to specify your IP address.
-g port Sets the source port for the scan. Some naive firewall and packet filter rule sets allow packets whose source port is DNS (53) or FTP-DATA (20) to pass through and establish connections. Obviously, if an attacker changes the source port to 20 or 53, the firewall's protection is defeated.
-oN Redirects the scan results to a human-readable file, logfilename.
-oS The scan results are output to standard output.
--host_timeout Sets the time, in milliseconds, allowed for scanning a single host. By default, there is no timeout limit.
--max_rtt_timeout Sets the maximum time, in milliseconds, to wait for each probe. If the limit is exceeded, the probe is retransmitted or times out. The default value is approximately 9000 milliseconds.
--min_rtt_timeout Sets the minimum time, in milliseconds, that Nmap waits for each probe.
-M count Sets the maximum number of sockets used in parallel when a TCP connect() scan is performed.

3. Scan target

Destination address Can be an IP address, a CIDR address, etc. such as,
-iL filename Reads the scan targets from the file filename.
-iR Lets Nmap choose hosts to scan at random.
-p port Selects the range of port numbers to scan, for example: -p 20-30,139,60000.
--exclude Excludes the specified hosts.
--excludefile Excludes the hosts listed in the specified file.


The code is as follows:

nmap -v <target>

nmap -sS -O <target>

nmap -sX -p 22,53,110,143,4564 '128.210.*.1-127'

nmap -v --randomize_hosts -p 80 '*.*.2.3-5'

host -l <domain> | cut -d ' ' -f 4 | ./nmap -v -iL -
