Detailed explanation of command usage of nmap network scan tool in Linux system


1. name

Nmap network detection and security scanning tool

2. grammar


3. description

Nmap is a network detection and security scanning program, which can be used by system managers and individuals to scan large-scale networks and obtain information about which host is running and what services it provides. Nmap supports many scanning technologies, such as UDP, TCP connect(), TCP syn (half open scan), FTP agent (bounce attack), reverse flag, ICMP, fin, ACK scan, Xmas tree, syn scan and null scan. Details can be found in the scan types section. Nmap also provides some advanced features, such as: detection of operating system type through TCP / IP stack features, secret scanning, dynamic delay and retransmission computing, parallel scanning, detection of closed hosts through parallel Ping scanning, decoy scanning, avoidance of port filter detection, direct RPC scanning (no port mapping), fragment scanning, and flexible target and port settings.

In order to improve the performance of nmap in the non root state, the software designers have made great efforts. Unfortunately, some kernel interfaces (such as raw socket) need to be used in root state. So you should use nmap at root as much as possible.

Nmap running usually gets a list of scanned host ports. Nmap always gives the service name (if possible), port number, status and protocol of the well known port. The status of each port is: open, filtered, unfiltered. The open state means that the target host can accept the connection using the accept () system call on this port. The filtered state indicates that the firewall, packet filtering and other network security software cover the port and prohibit nmap from detecting whether it is open or not. Unfiltered said: this port is closed, and there is no firewall / packet filter software to isolate the nmap detection attempt. In general, the status of ports is basically unfiltered. Only when most of the scanned ports are in filtered status, the ports in unfiltered status will be displayed.

Depending on the functional options used, nmap can also report the following characteristics of a remote host: the operating system used, the TCP sequence, the user name running the application bound to each port, the DNS name, whether the host address is a spoofing address, and so on.

4. Function options

Function options can be combined. Some function options can only be used in some scanning mode. Nmap automatically identifies invalid or unsupported combinations of feature options and issues a warning message to the user.

If you are an experienced user, skip the example section at the end. You can use nmap – h to quickly list the list of feature options.

4.1 scan type


TCP connect() scan: This is the most basic TCP scan mode. Connect() is a system call provided by the operating system to open a connection. If the target port has program listening, connect() will return successfully, otherwise the port is not reachable. The great advantage of this technology is that you don’t need root privileges. Any UNIX user is free to use this system call. This kind of scan can be easily detected, and a large number of connection requests and error messages will be recorded in the logs of the target host.


TCP syn: because you don’t have to open all the TCP connections, this technique is often called half open. You can send a TCP sync packet (SYN) and wait for a response. If the other party returns a syn|ack packet, it means that the target port is listening; if it returns an RST packet, it means that there is no listener on the target port; if it receives a syn|ack packet, the source host will immediately send an RST (reset) packet to disconnect from the target host, which is actually done automatically by our operating system kernel. The biggest benefit of this technology is that very few systems can log this. However, you need root privileges to customize syn packets.

  -sF -sF -sN

Secret fin packet scan, Xmas tree, null scan mode: used even when syn scan cannot be determined. Some firewalls and packet filtering software can monitor syn packets sent to restricted ports, and some programs such as synlogger and Courtney can detect those scans. These advanced scanning methods can avoid these interferences.
The theoretical basis of these scanning methods is that the closed port needs to respond to the rst packet for your detection packet, while the open port must ignore the problematic packet (refer to page 64 of RFC 793). The fin scan uses exposed fin packets to detect, while the Christmas tree scan opens the fin, urg, and push flags of the packets. Unfortunately, Microsoft decided to completely ignore this standard and start a new business. So this scanning method is not valid for Windows 95 / NT. However, from another point of view, you can use this approach to separate two different platforms. If you use this scanning method to find open ports, you can make sure that the target is not running a Windows system. If you use – SF, – SX, or – Sn scan to show that all ports are closed, and syn scan to show that there are open ports, you can make sure that the target host may be running a Windows system. Now this method is not very useful, because nmap has embedded operating system detection function. There are several other systems that use the same processing methods as windows, including Cisco, bsdi, HP / UX, mys, IRIX. When a packet should be discarded, the above systems will send a reset packet from the open port.  


Ping scan: sometimes you just want to know which hosts are running on the network at this time. Nmap can do this by sending ICMP echo request packets to each IP address in the network you specify. It responds if the host is running. Unfortunately, some sites, such as, block ICMP echo request packets. However, by default, nmap can also send TCP ACK packets to port 80. If you receive an RST packet, it means that the host is running. The third technique used by nmap is to send a syn packet and wait for an RST or syn / ACK packet. For non root users, nmap uses the connect () method.

By default (root), nmap uses ICMP and ACK technologies in parallel.

Note that in any case, nmap will ping scan, and only when the target host is running will subsequent scans be performed. This option is only used if you want to know if the target host is running and you don’t want to do other scans.


UDP scanning: if you want to know which UDP (user datagram protocol, rfc768) services are available on a host, you can use this scanning method. Nmap first sends a 0-byte UDP packet to each port of the target host. If we receive ICMP messages that are not reachable by the port, the port is closed. Otherwise, we assume that it is open.

Some people may think that UDP scanning is meaningless. However, I often think of the recent Solaris rpcbind defect. Rpcbind is hidden on an unpublished UDP port with a port number greater than 32770. So even if port 111 (the well-known slogan for portmap) is blocked by a firewall, it matters. But can you find a program listening on any port larger than 30000? You can use UDP scanning! The backdoor of CDC back origin is hidden in a configurable UDP port of the windows host. Regardless of some common security flaws, some services, such as SNMP, TFTP, NFS, use UDP protocol. Unfortunately, UDP scanning is sometimes very slow because most hosts limit the proportion of ICMP error messages (recommended in rfc1812). For example, in the Linux kernel (in the net / IPv4 / ICMP. H file), it is limited to 80 target NCP messages every 4 seconds. If the ratio is exceeded, a penalty of 1 / 4 second will be given. The limitation of Solaris is more strict. Only about two ICMP unreachable messages are allowed per second, which makes the scanning more slow. Nmap will detect the proportion of this limit and slow down the sending speed, instead of sending a large number of useless packets that will be discarded by the target host.

However, micro $oft ignores the rfc1812 proposal and does not limit the proportion. So we can quickly scan all 65K ports on the host running Win95 / NT.


ACK scanning: this advanced scanning method is usually used to pass through the rule set of firewall. In general, this helps to determine whether a firewall is more functional or a simple packet filter that blocks incoming syn packets.

This scan sends ACK packets (using random answer / serial numbers) to specific ports. If an RST packet is returned, the port is marked unfiltered. If nothing is returned, or an unreachable ICMP message is returned, the port is classified into the filtered class. Note that nmap usually does not output unfiltered ports, so it does not display all detected ports in the output. Obviously, this scanning mode can’t find the open port.


Scan for sliding window: this advanced scanning technology is very similar to ack scanning, except that it can sometimes detect the open port, because the size of sliding window is irregular, and some operating systems can report its size. These systems include at least some versions of Aix, Amiga, beos, bsdi, Cray, tru64 UNIX, DG / UX, OpenVMS, digital UNIX, OpenBSD, openstep, QNX, Rhapsody, SunOS 4. X, ULTRIX, VAX, VxWorks. A complete list can be obtained from the document in the nmap hackers mailing 3 list.


RPC scan. This method is used in combination with other different port scanning methods of nmap. Select all open ports to issue null commands to sunrpc programs to determine whether they are RPC ports, and if so, which software and its version number.
So you can get some information about the firewall. Decoy scanning cannot now be used in conjunction with RPC scanning.


FTP bounce attack: the FTP protocol (RFC 959) has an interesting feature that supports proxy FTP connections. That is to say, I can connect to FTP server from, and I can ask this FTP server to send files anywhere on the Internet for myself! When rfc959 was completed in 1985, this feature worked well. However, in today’s Internet, we can’t let people hijack the FTP server to send data to any node on the Internet. As hobbit wrote in 1995, the protocol “can be used to deliver virtual unreachable mail and news, enter servers at various sites, fill hard disks, skip firewalls, and other harassment activities, and it is difficult to track.”. We can use this feature to scan TCP ports in a proxy FTP server. Therefore, you need to connect to an FTP server behind the firewall, and then do a port scan. If you have a read-write directory in this FTP server, you can also send data to the target port at will (but nmap can’t do this for you).

The parameter passed to the – B function option is the FTP server you want to proxy. The syntax format is:

  -b username:[email protected]:port。

Except for the server, the rest are optional. If you want to know what server has this defect, please refer to my article published in phrack 51. You can also get the latest version of this article on the nmap site.

4.2 general options

These are not required, but they are useful.


Before scanning, you do not have to Ping the host. Some network firewalls do not allow ICMP echo requests to pass through. Use this option to scan these networks. is an example, so you should always use the – P0 or – Pt 80 option when scanning this site.


Before scanning, use TCP Ping to determine which hosts are running. Nmap does not achieve this function by sending ICMP echo request packets and waiting for the response, but by sending TCP ACK packets to the target network (or a single host) and waiting for the response. The rst package is returned if the host is running. This option is only valid if the target network / host blocks the Ping packet and still allows you to scan it. For non root users, we use the connect () system call to do this. Use – PT to set the target port. The default port number is 80, because this port is not usually filtered.


For root, this option lets nmap scan the target host using syn packets instead of ACK packets. If the host is running, an RST package (or a syn / ack package) is returned.


Set this option to have nmap use the real Ping (ICMP echo request) to scan whether the target host is running. Use this option to let nmap discover the running hosts, while nmap will also observe your direct subnet broadcast address. Direct subnet broadcast address some external reachable IP address, the external packet is converted into an internal IP broadcast packet, which is sent to a computer subnet. These IP broadcast packets should be removed because of a denial of service attack (such as Smurf).


This is the default Ping scan option. It uses both ack (- PT) and ICMP (- PI) scan types for parallel scanning. If the firewall can filter one of the packets, use this method and you can go through the firewall.


This option activates the scanning of TCP / IP fingerprint to obtain the flag of the remote host. In other words, nmap uses some techniques to detect the characteristics of the network protocol stack of the target host operating system. Nmap uses this information to establish the fingerprint characteristics of the remote host, compares it with the known operating system fingerprint characteristics database, and then it can know the type of the target host operating system.


This option turns on the reverse flag scanning feature of nmap. Dave Goldsmith’s 1996 email to bugtap noted that this protocol, the ident protocol (RFC 1413), allows the user name of any process owner to be given using a TCP connection, even if the process does not initiate a connection. For example, you can connect to the HTTP port and then use identd to determine if the server is running by root. This scan can only succeed if a full TCP connection to the target port is established (for example: – St scan option). With the – I option, the remote host’s identd wizard process will query the owner of the process listening on each open port. Obviously, this scanning method is invalid if the remote host does not run the identd program.


This option enables nmap to send syn, fin, Xmas, null using fragmented IP packets. The use of fragmented packets increases the difficulty of packet filtering and intrusion detection systems, making them unable to know your attempt. However, use this option carefully! Some programs have trouble processing these fragmented packets. When my favorite sniffer receives the first 36 bytes of fragmented packets, segmentation fault will occur. As a result, 24 bytes of fragmented packets are used in nmap. Although packet filters and firewalls cannot prevent this method, many networks prohibit packet fragmentation for performance reasons.
Note that this option is not available on all platforms. It works well on Linux, FreeBSD, OpenBSD and other UNIX systems.  


Redundancy mode. This option is highly recommended and gives details of the scanning process. With this option, you can get twice the result with half the effort. Use the – D option for more details.


Quick reference options.


Redirect the scan results to a readable file, logfilename.


Redirect the scan results to the logfilename file, which uses the syntax that the host can parse. You can use – om – instead of logfilename, so that the output is redirected to standard output stdout. In this case, the normal output will be overwritten, and error information can be output to standard error stderr over time. Note that if the – V option is used at the same time, other information will be printed out on the screen.

 -oS    thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|   THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument –  

(waithout quotez) to sh00t output INT0 stdout! @!!! I don’t know why, here is my guess translation, Xiangzi?

Redirect the scan results to a file called logfilename, which uses a “hack dialect” syntax (the author’s joke?). Similarly, using – OS – redirects the results to standard output.


A network scan may be interrupted due to Control-C or network loss. Use this option to make the scan follow the previous scan. Logfilename is the log file that has been cancelled scanning. It must be readable or machine parsed. And the next scan cannot add new options, only the same options as the interrupted scan can be used. Nmap then performs a new scan following the last successful scan in the log file.


Read the target of the scan from the inputfilename file. In this file, there should be a list of hosts or networks, with the space bar, tab key or enter key as the separator. If you use – IL -, nmap will read the hostname from the standard input stdin. You can get more detailed information from the specify goals section.


Let nmap randomly select the host to scan.


This option allows you to select the range of port numbers to scan. For example, – P 23 means: only port 23 of the target host is scanned. -P 20-3013960000 – indicates: scan ports 20 to 30, 139 and all ports larger than 60000. By default, nmap scans the list of ports defined in numbers 1 through 1024 and in the nmap services file (typically in the / usr / share / nmap / directory if using RPM packages).


Fast scan mode, only the ports listed in the nmap services file are scanned. Obviously faster than scanning all 65535 ports.


The target network / host is scanned by the decoy scanning method. If nmap uses this method to scan the target network, then from the perspective of the target host / network, the scan is just like from other hosts (decoy1, etc.). Thus, even if the IDS (Intrusion Detection System) of the target host sends an alarm to the port scanning, they can not know which is the real scanning address and which is innocent. This scanning method can effectively deal with active defense mechanisms such as route tracking, response dropping, etc., and can well hide your IP address.

Each bait host name is separated by commas, and you can also use the me option, which represents your own host, mixed with the bait host name. If you put me in the sixth or later position, some port scanning and detection software will hardly show your IP address at all. If you do not use the me option, nmap will randomly mix your IP address with the decoy host.

Note: the host you use as a decoy should be running or you just occasionally send syn packets to the target. Obviously, if there is only one host running on the network, the target will easily determine which host did the scan. Maybe you need to use the bait’s IP address instead of its domain name directly, so that the logs of the bait network’s domain name server will not leave any records about you.

Also note: some stupid port scanning detection software will refuse to route hosts trying to do port scanning. Therefore, you need to disconnect the target host from some decoys. If the decoy is the gateway or itself of the target host, it will cause a lot of problems to the target host. So you need to use this option carefully.

Decoy scanning can be used in both the initial Ping scanning and the real scanning state. It can also be used in combination with the – O option.

Using too many bait scans can slow down your scan and may even cause incorrect results. At the same time, some ISPs will filter out your spoofing packets. Although now most ISPs will not limit this.


In some cases, nmap may not be able to determine your source address (nmap will tell you).
In this case, you can use this option to give your IP address.

This option is also used when spoofing a scan. Use this option to let the target think that it is another host to scan itself.


Tells nmap which interface to use to send and receive packets. Nmap can automatically detect this interface and tell you if it is invalid.


Set the source port for the scan. Some naive rule sets of firewalls and packet filters allow packets with a source port of DNS (53) or ftp-data (20) to connect through and. Obviously, if the attacker changes the source port to 20 or 53, the firewall protection can be destroyed. When using UDP scan, use port 53 first; when using TCP scan, use port 20 first. Note that nmap will use this port only if it can be used for scanning. For example, if you cannot perform a TCP scan, nmap automatically changes the source port, even if you use the – G option.

For some scans, using this option can cause a small performance penalty because I sometimes save useful information about a particular source port.


Tell nmap not to disturb the order of the scanned ports.


Before the nmap scanning, the order of hosts in each group of scanning is scrambled. Each group of nmap can scan up to 2048 hosts. In this way, it can make the scan more difficult to be found by the network monitor, especially in combination with the — scan? Delay option, which can effectively avoid being found.


Set the maximum number of sockets to be used for parallel scanning when scanning TCP connect(). Use this option to reduce scan speed and avoid remote target downtime.

4.3 timely options

Generally, when nmap is running, it can be well adjusted according to the characteristics of the network. During scanning, nmap will minimize the chance of being detected by the target and accelerate the scanning speed as much as possible. However, nmap’s default timely strategy sometimes doesn’t fit your goal. Use these options to control the scan timing of nmap:


Set up a timely policy for nmap. Paranoid: in order to avoid IDS detection and make scanning speed extremely slow, nmap serial scans send a packet every 5 minutes at least; sneaky: almost the same, but the sending interval of data packets is 15 seconds; polite: do not increase too much network load, avoid target host downtime, serial each probe, and make each probe have 0.4 second interval; normal: nmap default option Scan as fast as possible without network overload or host / port loss; aggressive: set the timeout limit of 5 minutes, so that the scan time for each host does not exceed 5 minutes, and the waiting time for each probe response does not exceed 1.5 seconds; b > insane: only suitable for fast networks or you do not care about losing some information, the timeout limit of each host It’s 75 seconds, only 0.3 seconds for each probe. You can also use numbers instead of these patterns, for example: – t 0 equals – t paranoid, – t 5 equals – t insane.

These timely modes cannot be combined with the following timely options.


Sets the time, in milliseconds, to scan a host. By default, there is no timeout limit.


Sets the wait time for each probe in milliseconds. If the time limit is exceeded, retransmission or timeout will occur. The default is about 9000 milliseconds.


When the target host responds quickly, nmap shortens the timeout of each probe. This will increase the speed of scanning, but some packets with longer response time may be lost. With this option, you can let nmap wait at least a specified amount of time, in milliseconds, for each probe.


Sets the timeout value for the initial probe. Generally, this option is only useful when you use the – P0 option to scan for hosts with firewall protection. The default is 6000 milliseconds.


Set the maximum number of parallel scans. –Max? Parallelism 1 means that only one port is scanned at the same time. This option is also valid for other parallel scans, such as ping sweep and RPC scan.


Set the time that nmap must wait between probes. This option is mainly used to reduce the load of the network.

4.4 goal setting

Of all the parameters of nmap, only the target parameter must be given. The simplest form is to enter a host name or an IP address directly on the command line. If you want to scan a subnet of an IP address, you can add / mask after the host name or IP address. The mask is from 0 (scan the entire network) to 32 (scan only this host). Use / 24 to scan class C addresses and / 16 to scan class B addresses.

In addition, nmap has a more powerful representation that allows you to specify IP addresses more flexibly. For example, if you want to scan the class B network 128.210. * *, you can specify these addresses in the following three ways: 128.210. * *, 128.21 -. 0-255.0-255 or, which are equivalent.

5. example

Copy code

The code is as follows:

# nmap -sP
#Ping scan to print out the host responding to the scan without further testing (such as port scan or operating system detection)
Copy code

The code is as follows:

# nmap -sL
#Only each host on the specified network is listed, and no message is sent to the target host
Copy code

The code is as follows:

# nmap -PS
#Probe the open ports of the target host, and specify a comma separated port list (such as – ps22, 23, 25, 80)
Copy code

The code is as follows:

# nmap -PU
#Probe the host using UDP Ping
Copy code

The code is as follows:

# nmap -sS
#The most frequently used scan option: syn scan, also known as semi open scan, does not open a full TCP connection and executes quickly
Copy code

The code is as follows:

# nmap -sT
#When syn scan is not available, TCP connect() scan is the default TCP scan
Copy code

The code is as follows:

# nmap -sU
#The – Su option is used for UDP scanning. UDP scanning sends empty (no data) UDP headers to each target port
Copy code

The code is as follows:

# nmap -sO
#Determine which IP protocols the target supports (TCP, ICMP, IGMP, etc.)
Copy code

The code is as follows:

# nmap -O
#Operating system of detecting target host
Copy code

The code is as follows:

# nmap -A
#Operating system of detecting target host
Copy code

The code is as follows:

# nmap -v
#This option scans the host for all reserved TCP ports. Option – V enables detail mode.
Copy code

The code is as follows:

# nmap -sS -O
#Perform secret syn scanning, and the object is 255 hosts of the “class C” network segment where the host saznme is located. Also try to determine the operating system type of each worker. Because of syn scanning and operating system detection, this scan requires root permission.
Copy code

The code is as follows:

# nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
#The object is 255 8-bit subnets in class B 188.116 network segment. This test is used to determine if the system is running sshd, DNS, imapd, or 4564 ports. If these ports are open, version detection is used to determine which application is running.
Copy code

The code is as follows:

# nmap -v -iR 100000 -P0 -p 80
#Randomly select 100000 hosts to scan whether to run the web server (port 80). It is a waste of time to send a detection message from the initial stage to determine whether the host is working, and only one port of the host needs to be detected, so – P0 is used to prohibit the list of hosts.
Copy code

The code is as follows:

# nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap
#Scan 4096 IP addresses, find the web server (not Ping), and save the results in grep and XML format.
Copy code

The code is as follows:

# host -l | cut -d -f 4 | nmap -v -iL –
#Perform DNS zone transfer to discover hosts in and then provide the IP address to nmap. The above commands are used for GNU / Linux — there are different commands for area transfer in other systems