Nmap Help Documentation

Source: Internet
Author: User


What is Nmap?

Nmap ("Network Mapper") is an open source tool for network probing and security audits. It is designed to scan large networks quickly, but it works just as well against a single host.

Using CTRL+F is recommended when searching this page.

In fact, this is mainly for my own convenience, and to help me remember.

The following is translated with reference to the official documentation.


-h lists only the most common options; see the official documentation for more detail, or simply run man nmap.

-T4 can speed up scanning

Nmap 6.47 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification} // Usage: nmap, scan type, options, scan target

TARGET SPECIFICATION: // How to specify the target
  Can pass hostnames, IP addresses, networks, etc. // A domain name, an IP address or a network can be used
  Ex: scanme.nmap.org, microsoft.com/24; 10.0.0-255.1-254 // Example
  -iL <inputfilename>: Input from list of hosts/networks // Read the scan targets from a file
  -iR <num hosts>: Choose random targets // Select targets at random (follow it with a number saying how many targets to scan), e.g. nmap -iR 5 // scan 5 random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks // Exclude certain targets; whatever is entered after the option is excluded
  --excludefile <exclude_file>: Exclude list from file // Read the hosts to exclude from a file

HOST DISCOVERY: // Host discovery
  -sL: List Scan - simply list targets to scan // List scan: only list the host IPs, do not scan
  -sn: Ping Scan - disable port scan // Ping scan, no port scan
  -Pn: Treat all hosts as online -- skip host discovery // Skip host discovery and treat the host as online
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports // Probe the given ports with TCP SYN, TCP ACK, UDP or SCTP to confirm that the host is online
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes // Ping echo scan, timestamp request scan, address mask request scan
  -PO[protocol list]: IP Protocol Ping // That is 0: no ping, skip the Nmap discovery stage
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes] // -n: never resolve domain names; -R: always resolve domain names
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers // Specify the DNS servers
  --system-dns: Use OS's DNS resolver // Use the DNS server configured in the system
  --traceroute: Trace hop path to each host // Packet trace (see which nodes were passed through)

SCAN TECHNIQUES: // Scan techniques
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans // SYN scan, connect scan (opening a session performs the 3-way handshake), ACK scan, TCP window scan (an open port has a positive window size (even in RST packets) and a closed port has a window size of 0), Maimon scan (exactly the same as the Null, FIN and Xmas scans)
  -sU: UDP Scan // UDP scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans // Null, FIN and Xmas scans (the Xmas scan sets the FIN, URG and PUSH flags)
  --scanflags <flags>: Customize TCP scan flags // Custom TCP scan (design your own scan by specifying any TCP flag bits)
  -sI <zombie host[:probeport]>: Idle scan // Idle scan? This one can forge the IP
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans // SCTP INIT scan (sends an SCTP INIT packet), COOKIE-ECHO scan (sends an SCTP COOKIE-ECHO packet)
  -sO: IP protocol scan // IP protocol scan
  -b <FTP relay host>: FTP bounce scan // FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER: // Port specification and scan order
  -p <port ranges>: Only scan specified ports // Specify the range of ports to scan
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 // Example
  -F: Fast mode - Scan fewer ports than the default scan // Fast mode: scans fewer ports than the default
  -r: Scan ports consecutively - don't randomize // Ports are scanned consecutively (that is, in increasing order), not randomized
  --top-ports <number>: Scan <number> most common ports // Scan the <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio> // Scan ports more common than <ratio>

SERVICE/VERSION DETECTION: // Service and version detection
  -sV: Probe open ports to determine service/version info // Probe open ports and determine service and version information
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes) // Set the version scan intensity (the default is 7; the higher the value, the more likely the service is identified correctly. However, high-intensity scans take more time; the official documentation says a very high intensity is generally of little use, and the version detection result is probably about the same)
  --version-light: Limit to most likely probes (intensity 2) // Lightweight scan, i.e. intensity 2
  --version-all: Try every single probe (intensity 9) // Try every probe, ensuring that every probe packet is attempted on every port; an alias for intensity 9
  --version-trace: Show detailed version scan activity (for debugging) // Trace version scan activity: print detailed debugging information about the scan in progress

SCRIPT SCAN: // Script scan
  -sC: equivalent to --script=default // Default script scan, just detects some more detailed information
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories // Scan with one script or one category of scripts; a comma-separated list also works (such as vuln,malware,dos)
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts // Script arguments
  --script-args-file=filename: provide NSE script args in a file // Specify the script arguments in a file
  --script-trace: Show all data sent and received // Display all the data sent and received
  --script-updatedb: Update the script database. // Update the script database
  --script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories. // Show help for scripts; follow it with the script, or the category of scripts, to look up

OS DETECTION: // OS detection
  -O: Enable OS detection // Enable OS detection
  --osscan-limit: Limit OS detection to promising targets // Run OS detection against specified targets

TIMING AND PERFORMANCE: // Timing and performance
  Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster) // Set the timing template; the higher, the faster
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes // Adjust the size of the parallel scan groups, that is, how many hosts are port- or version-scanned at the same time (one minimum value, one maximum value)
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization // Adjust the parallelism of the probe packets
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. // Adjust the parallelism of the probe packets
  --max-retries <tries>: Caps number of port scan probe retransmissions. // Adjust the number of retries
  --host-timeout <time>: Give up on target after this long // Adjust the timeout value
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes // Adjust the time interval between probe packets, i.e. the delay between packets; the second option sets the maximum interval
  --min-rate <number>: Send packets no slower than <number> per second // Adjust the minimum number of packets sent per second
  --max-rate <number>: Send packets no faster than <number> per second // Adjust the maximum number of packets sent per second

FIREWALL/IDS EVASION AND SPOOFING: // Firewall/IDS evasion and spoofing
  -f; --mtu <val>: fragment packets (optionally w/given MTU) // Packet fragmentation, which should be at the IP level: it reduces the size of each packet sent. The idea is to split the TCP header across several packets, so that detection by packet filters, IDS and other tools is more difficult.
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys // Hide the scan with decoys (that is, some fake IP addresses can be added)
  -S <IP_Address>: Spoof source address // Forge the source address; this must be used together with -e below (I tested this myself)
  -e <iface>: Use specified interface // Specify the network interface (e.g. eth0)
  -g/--source-port <portnum>: Use given port number // Source port spoofing: specify the source port
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies // Set HTTP or SOCKS4 proxies
  --data-length <num>: Append random data to sent packets // Send packets with random data appended (followed by the amount to append)
  --ip-options <options>: Send packets with specified ip options // Specify particular IP options
  --ttl <val>: Set IP time-to-live field // Set the TTL value
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address // MAC address spoofing
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum // Send packets with a bad checksum

OUTPUT: // Output
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. // Standard output and XML output; -oS seems to be saved in a file when I tested it; -oG is grep output (a simple format, one host per line, which is easy to search and break apart with Unix tools (such as grep, awk, cut, sed, diff) and Perl)
  -oA <basename>: Output in the three major formats at once // Export the scan results in standard, XML and grep formats at once, stored in the <basename>.nmap, <basename>.xml and <basename>.gnmap files respectively
  -v: Increase verbosity level (use -vv or greater for greater effect) // Increase the detail of the output so that the scan information is more detailed
  -d: Increase debugging level (use -dd or more for greater effect) // When verbose mode does not provide enough data, use debugging to get more information
  --reason: Display the reason a port is in a particular state // Display the reason (why the scanned port is in this state)
  --open: Only show open (or possibly open) ports // Show only open or possibly open ports
  --packet-trace: Show all packets sent and received // Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging) // Print the interfaces and routes
  --log-errors: Log errors/warnings to the normal-format output file // Send errors and warnings to the standard-format output file
  --append-output: Append to rather than clobber specified output files // Append to the file (like appending content to a file), so that the results of multiple scans can be kept in one document
  --resume <filename>: Resume an aborted scan // Resume a terminated scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML // Transform the XML with an XSL stylesheet to output HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML // Get a lightweight XML from the Nmap website?
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output // Prevent Nmap's XML output from being associated with any XSL stylesheet

MISC: // Miscellaneous
  -6: Enable IPv6 scanning // Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute // Enable OS detection, (service) version detection, script scanning and traceroute
  --datadir <dirname>: Specify custom Nmap data file location // Specify the location of the user's Nmap data files; I do not know what this is for, tell me if you know (these files are nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes and nmap-os-fingerprints. Nmap first looks for these files in the directory given by the --datadir option. Files that are not found there are looked up in the directory given by the NMAPDIR environment variable.)
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets // Send using raw Ethernet frames; the second option sends using raw IP sockets
  --privileged: Assume that the user is fully privileged // Assume the user has full privileges
  --unprivileged: Assume the user lacks raw socket privileges // Assume the user does not have raw socket privileges
  -V: Print version number // Print the Nmap version
  -h: Print this help summary page. // Print help information

EXAMPLES: // Examples
  nmap -v -A scanme.nmap.org
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80
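
An added example (not part of the original page or of Nmap itself) of the awk processing that the -oG note describes: it pulls the open ports out of grepable output and reports any that an approved baseline does not list. The sample scan lines, the addresses and the baseline file format are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample of grepable (-oG) output; addresses are documentation ranges.
sample_gnmap() {
  printf '# Nmap 6.47 scan initiated as: nmap -oG scan.gnmap 192.0.2.10-11\n'
  printf 'Host: 192.0.2.10 (web01.example.test)\tStatus: Up\n'
  printf 'Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
  printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.11 ()\tPorts: 53/open/udp//domain///, 3306/filtered/tcp//mysql///\n'
  printf '# Nmap done: 2 IP addresses (2 hosts up) scanned\n'
}

# Read -oG output on stdin; print "ip port/proto service" for every open port.
open_ports() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")                        # h[2] is the IP address
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        n = split(substr($i, 8), entry, ", ")  # drop the "Ports: " label
        for (j = 1; j <= n; j++) {
          # entry layout: port/state/protocol/owner/service/rpcinfo/version/
          split(entry[j], f, "/")
          if (f[2] == "open") print h[2], f[1] "/" f[3], f[5]
        }
      }
    }'
}

# $1 = baseline file with one approved "ip port/proto" per line (assumed format).
# Prints open ports found in the scan (stdin) that the baseline does not list.
unexpected_ports() {
  open_ports | awk -v base="$1" '
    BEGIN { while ((getline line < base) > 0) approved[line] = 1 }
    { key = $1 " " $2; if (!(key in approved)) print }'
}

# Stand-alone run: list the open ports in the sample.
sample_gnmap | open_ports
```

Against a real scan, replace sample_gnmap with the <basename>.gnmap file written by -oG or -oA, for example: unexpected_ports baseline.txt < scan.gnmap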
