Nmap Chinese Manual


Summary of options
This option summary is output when Nmap is run without options, it helps people remember the most commonly used options, but is not a substitute for the rest of the manual's in-depth documentation, and some obscure options are not even here.

Usage: nmap [Scan Type(s)] [Options] {target specification}
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24,; 10.0-255.0-255.1-254
-iL : Input from list of hosts/networks
-iR : Choose random targets
–exclude : Exclude hosts/networks
–excludefile : Exclude list from file
-sL: List Scan – simply list targets to scan
-sP: Ping Scan – go no further than determining if host is online
-P0: Treat all hosts as online — skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve]
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX: TCP Null, FIN, and Xmas scans
–scanflags : Customize TCP scan flags
-sI : Idlescan
-sO: IP protocol scan
-b : FTP bounce scan
-p : Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast – Scan only the ports listed in the nmap-services file)
-r: Scan ports consecutively – don’t randomize
-sV: Probe open ports to determine service/version info
–version-light: Limit to most likely probes for faster identification
–version-all: Try every single probe for version detection
–version-trace: Show detailed version scan activity (for debugging)
-O: Enable OS detection
–osscan-limit: Limit OS detection to promising targets
–osscan-guess: Guess OS more aggressively
-T[0-6]: Set timing template (higher is faster)
–min-hostgroup/max-hostgroup : Parallel host scan group sizes
–min-parallelism/max-parallelism : Probe parallelization
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies
probe round trip time.
–host-timeout : Give up on target after this long
–scan-delay/–max-scan-delay : Adjust delay between probes
-f; –mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
-S : Spoof source address
-e : Use specified interface
-g/–source-port : Use given port number
–data-length : Append random data to sent packets
–ttl : Set IP time-to-live field
–spoof-mac : Spoof your MAC address
-oN/-oX/-oS/-oG : Output scan results in normal, XML, s|
and Grepable format, respectively, to the given filename.
-oA : Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
–packet-trace: Show all packets sent and received
–iflist: Print host interfaces and routes (for debugging)
–append-output: Append to rather than clobber specified output files
–resume : Resume an aborted scan
–stylesheet : XSL stylesheet to transform XML output to HTML
–no-stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
–datadir : Specify custom Nmap data file location
–send-eth/–send-ip: Send packets using raw ethernet frames or IP packets
–privileged: Assume that the user is fully privileged
-V: Print version number
-h: Print this help summary page.
nmap -v -A scanme.nmap.org
nmap -v -sP
nmap -v -iR 10000 -P0 -p 80

goal statement

Except for options, everything that appears on the Nmap command line is considered a description of the target host. The simplest case is to specify a target IP address or hostname.

Sometimes you want to scan the entire network for neighboring hosts. For this, Nmap supports CIDR-style addresses. You can append a /Following an IP address or hostname, Nmap will scan for all IP addresses with the referenceAll IP addresses or hosts with the same bits. For example, will scan 256 hosts between (binary format: 11000000 10101000 00001010 00000000) and (binary format: 11000000 10101000 00001010). will do the same. Assuming the IP address of the host scanme.nmap.org is, scanme.nmap.org/16 will scan 65,536 IP addresses between and The minimum allowed is /1, which will scan half the Internet. The maximum value is /32, which will scan the host or IP address because all bits are fixed.

The CIDR flag is neat but sometimes inflexible. For example, you might want to scan for, but skip any IP addresses ending in .0 or .255, as these are usually broadcast addresses. Nmap supports such scans through octet address ranges. You can specify its range for each octet of an IP address as a comma-separated list of numbers or ranges. For example, 192.168.0-255.1-254 will skip addresses ending in .0 and .255 in that range. The range doesn't have to be limited to the last 8 bits: 0-255.0-255.13.37 will scan the entire internet range for all addresses ending in 13.37. Such extensive scans may be useful for Internet research.

IPv6 addresses can only be specified with canonical IPv6 addresses or hostnames. CIDR and octet ranges do not support IPv6 because they are of little use for IPv6.

The Nmap command line accepts multiple host specifications, they do not have to be of the same type. The command nmap scanme.nmap.org 10.0.0,1,3-7.0-255 will execute as you would expect.

Although targets are usually specified on the command line, the following options can also be used to control target selection:

-iL (enter from list)
fromRead the target description in . Typing a bunch of hostnames on the command line is clumsy, but it's often needed. For example, your DHCP server might export a list of 10,000 current leases, and you want to scan them. If you are not using unauthorized static IPs to locate hosts, perhaps you want to scan all IP addresses. To generate a list of hosts to scan, pass the filename as an option to Nmap with -iL. Items in the list can be in any format that Nmap accepts on the command line (IP address, hostname, CIDR, IPv6, or octet range). Each item must be separated by one or more spaces, tabs or newlines. If you want Nmap to read the list from standard input instead of the actual file, you can use a hyphen (-) as the filename.

-iR (target randomly selected)
For Internet-wide surveys and research, you may want to randomly select targets.The option tells Nmap how many IPs to generate. Undesirable IPs such as specific private, multicast or unassigned addresses are automatically skipped. Option 0 means never-ending scanning. Keep in mind that some webmasters may get cold and complain about unauthorized scans. Use this option at your own risk! If you are really bored on a rainy afternoon, try this command nmap -sS -PS80 -iR 0 -p 80 to find some random sites to browse.

–exclude (exclude host/network)
If there are some hosts or networks in the scan scope you specified that are not your target, use this option with a comma-separated list to exclude them. The list is in normal Nmap syntax, so it can include hostnames, CIDRs, octet ranges, etc. This may be useful when the network you wish to scan contains mission-critical servers, systems known to be highly reactive to port scans, or subnets that are looked after by others.

–excludefile (exclude list in file)
This is the same as the –exclude option, except that excluded targets are separated by newlines, spaces, or tabsprovided rather than entered on the command line.

host discovery

One of the first steps in any network probing task is to narrow down a set of IP ranges (sometimes huge) to a list of active or interesting hosts. Scanning every port for every IP is slow and usually unnecessary. Of course, what kind of hosts interest you depends largely on the purpose of the scan. A webmaster might only be interested in a host running a specific service, while a security person might be interested in a toilet as long as it has an IP address :-). A system administrator might just use Ping to locate hosts on the intranet, while an external intrusion tester might rack his brains in various ways to try to break through the firewall.

Due to the variety of host discovery needs, Nmap provides a slew of options to customize your needs. Host discovery is sometimes called a ping scan, but it goes far beyond sending a simple ICMP echo request message with the well-known ping tool. Users can skip the ping step by using list scan (-sL) or by turning off ping (-P0), or use multiple ports to play with any combination of TPC SYN/ACK, UDP and ICMP. The purpose of these probes is to get a response to show whether an IP address is active (in use by a host or network device). On many networks, often only a small fraction of IP addresses are active at a given time. This situation is especially prevalent in RFC1918-based private address spaces such as That network has 16,000,000 IPs, but I've seen companies using it that don't even have 1000 machines. Host discovery can find those machines that are scattered across a sea of ​​IP addresses.

If no host discovery option is given, Nmap sends a TCP ACK message to port 80 and an ICMP echo request to each target machine. One exception is ARP scanning for any target machine on the LAN. For unprivileged UNIX shell users, using the connect() system call will send a SYN packet instead of an ACK These default behaviors are the same as using the -PA -PE options. This kind of host discovery is generally sufficient when scanning a LAN, but for security audits, a more comprehensive probe is recommended.

-POptions (for selecting the type of ping) can be used in combination. You can increase your chances of penetrating a well-guarded firewall by sending many probes with different TCP ports/flags and ICMP codes. Also note that even if you specify other -Poption, ARP discovery (-PR) is the default behavior for targets on the LAN as it is always faster and more efficient.

The following options control host discovery.

-sL (list scan)
List scanning is a degenerate form of host discovery, which simply lists every host on the specified network without sending any packets to the target host. By default, Nmap still does reverse domain name resolution of hosts to get their names. The useful information that simple hostnames can give is often surprising. For example, fw.chi.playboy.com is the firewall for Playboy's Chicago office. Nmap also reports the total number of IP addresses at the end. A list scan is a great way to make sure you have the correct target IP. If the host's domain name is not what you expected, it's worth checking further to prevent falsely scanning other organizations' networks.

Since it just prints a list of target hosts, there are no options for other advanced features such as port scanning, OS detection or ping scanning. If you wish to turn off ping scanning and still perform such advanced functions, read on for an introduction to the -P0 option.

-sP (Ping scan)
This option tells Nmap to only do a ping scan (host discovery) and then print out those hosts that responded to the scan. There are no further tests (such as port scans or OS probes). This is more aggressive than a list scan and is often used for the same purpose as a list scan. It can get some information about the target network without being particularly noticed. Knowing how many hosts are running is often more valuable to an attacker than a list of IPs and hostnames provided by a list scan.

System administrators tend to like this option too. It makes it easy to figure out how many machines are running on the network or monitor whether a server is up or not. Often referred to as a blanket ping, it is more reliable than pinging a broadcast address because many hosts do not respond to broadcast requests.

The -sP option, by default, sends an ICMP echo request and a TCP packet to port 80. If executed by an unprivileged user, a SYN message is sent (using the connect() system call) to port 80 of the target machine. ARP requests (-PR) are sent when a privileged user scans a LAN for targets, unless the –send-ip option is used. The -sP option can be combined with the -P* option for any discovery probe type except -P0) for greater flexibility. Once any probe type and port options are used, the default probes (ACK and echo requests) are overridden. Those advanced options are recommended when a well-guarded firewall is located between the source host running Nmap and the destination network. Otherwise, some hosts cannot be detected when the firewall captures and discards probe or response packets.

-P0 (no ping)
This option skips the Nmap discovery phase entirely. Usually Nmap uses it to determine which machines are running when doing a high-intensity scan. By default, Nmap only performs high-intensity probes such as port scans, version probes, or OS probes on running hosts. Disabling host discovery with -P0 causes Nmap to perform the required scan for each specified target IP address. So if you specify a class B target address space (/16) on the command line, all 65,536 IP addresses will be scanned. The second character of -P0 is the number 0 instead of the letter O. As with list scans, normal host discovery is skipped, but instead of printing a target list, it continues to perform the requested function as if each IP were active.

-PS [portlist] (TCP SYN Ping)
This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (can be configured by changing the DEFAULT-TCP-PROBE-PORT value in the nmap.h) file, but a different port can also be specified as an option. You can even specify a comma-separated list of ports (eg -PS22, 23, 25, 80, 113, 1050, 35000), in which case each port will be scanned concurrently.

The SYN flag tells the other party that you are trying to establish a connection. Usually the destination port is closed and an RST (reset) packet is sent back. If the port happens to be open, the target will perform the second step of the TCP three-way handshake and respond with a SYN/ACK TCP packet. The machine running Nmap will then kill the connection being established and send an RST instead of an ACK, otherwise a full connection will be established. The RST message is responded by the machine running Nmap rather than Nmap itself, because it is surprised by the SYN/ACK received.

Nmap doesn't care if the port is open or closed. Either the RST or the SYN/ACK response tells Nmap that the host is running.

On UNIX machines, usually only the privileged user root can send and receive raw TCP packets. So as a workaround, for unprivileged users, Nmap will make a system call connect() for each target host, and it will also send a SYN message to try to establish a connection. If connect() returns quickly with success or an ECONNREFUSED fails, the underlying TCP stack must have received a SYN/ACK or RST, and the host will be flagged as running. If the connection times out, the host flag is down. This method is also used for IPv6 connections, since Nmap does not currently support raw IPv6 packets.

-PA [portlist] (TCP ACK Ping)
The TCP ACK ping is quite similar to the SYN ping just discussed. As you may have guessed, the difference is that TCP's ACK flag is set instead of the SYN flag. An ACK message indicates an acknowledgment of an attempt to establish a connection, but the connection has not been fully established. So remote hosts should always respond with an RST message, since they have never issued a connection request to the machine running Nmap if they were running.

The -PA option uses the same default port (80) as the SYN probe, and a list of target ports can also be specified in the same format. If an unprivileged user attempts this feature, or an IPv6 target is specified, the connect() method described earlier will be used. This method is not perfect because it actually sends a SYN message, not an ACK message.

The reason for providing both SYN and ACK ping probes is to maximize the chances of getting through the firewall. Many administrators configure their routers or other simple firewalls to block SYN packets unless the connection is to a public server like a corporate website or mail server. This blocks other connections from entering the organization, while also allowing users to access the Internet. This stateless approach uses few firewall/router resources and is widely supported by hardware and software filters. The Linux Netfilter/iptables firewall software provides the convenient –syn option to implement this stateless approach. When such stateless firewall rules exist, SYN ping probes (-PS) sent to closed target ports are likely to be blocked. In this case, ACK detection shines especially because it takes advantage of such a rule.

Another common firewall uses stateful rules to block unexpected packets. This feature has started to exist only in high-end firewalls, but it has become more common over the years. Linux Netfilter/iptables supports this feature with the –state option, which classifies packets according to the connection state. SYN probes are more likely to be used in such systems, since unintentional ACK packets are often identified as bogus and discarded. The solution to this dilemma is to send both a SYN and an ACK by specifying both -PS and -PA.

-PU [portlist] (UDP Ping)
Another host discovery option is UDP ping, which sends an empty (unless –data-length UDP packet is specified) to a given port. The format of the port list is the same as the -PS and -PA options discussed earlier. The same. If you don't specify a port, the default is 31338. The default value can be configured by changing the DEFAULT-UDP-PROBE-PORT value in the nmap.h file at compile time. The default use of such a strange port is because of the open port Such scans are generally unpopular.

If the port on the target machine is closed, the UDP probe should immediately get an ICMP port unreachable response. This means to Nmap that the machine is running. Many other types of ICMP errors like host/network unreachable or TTL timeouts indicate down or unreachable hosts. No response was also explained as such. If an open port is reached, most services simply ignore the empty packet without any response. That's why the default probe port is 31338, an extremely unlikely port to be used. A few services such as chargen will respond with an empty UDP packet, indicating to Nmap that the machine is running.

The main advantage of this scan type is that it can traverse firewalls and filters that only filter TCP. E.g. I used to have a Linksys BEFW11S4 wireless broadband router. By default, the device's outgoing NIC filters all TCP ports, but the UDP probe still exposes itself by throwing a port unreachable message.

-PE; -PP; -PM (ICMP Ping Types)
In addition to the less common types of TCP and UDP host discovery discussed earlier, Nmap can also send packets sent by the well-known ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP address, expecting a type 0 (echo response) packet from the running host. Unfortunately for web explorers, many hosts and firewalls now block these packets, rather than responding as expected, see RFC 1122. Therefore, ICMP scanning alone is often not enough for targets on the Internet. But for system administrators to monitor an internal network, they can be a practical and effective way. Use the -PE option to turn on the echo request feature.

While echo requests are standard ICMP ping queries, Nmap doesn't stop there. The ICMP standard (RFC 792) also specifies timestamp requests, information requests, and address mask requests, with codes 13, 15, and 17, respectively. Although the ostensible purpose of these queries is to obtain information such as address masks and current time, they can also be easily used for host discovery. Quite simply, the responding system is the operating system. Nmap currently does not implement info-request messages because they are not yet widely supported. RFC 1122 insists that "hosts SHOULD NOT implement these messages". Timestamp and address mask queries can be sent with the -PP and -PM options, respectively. A timestamp response (ICMP code 14) or an address mask response (code 18) indicates that the host is running. These two queries can be valuable when administrators specifically block echo request messages, forgetting that other ICMP queries might serve the same purpose.

-PR (ARP Ping)
One of the most common Nmap usage scenarios is scanning an Ethernet LAN. On most LANs, especially those using RFC1918-based private address ranges, the vast majority of IP addresses are not in use at a given time. When Nmap attempts to send a raw IP packet such as an ICMP echo request, the operating system must determine the hardware address (ARP) corresponding to the destination IP so that it can send the Ethernet frame to the correct address. This is generally slow and problematic, since operating system designers don't expect to make millions of ARP requests in a short period of time to machines that are not running.

When doing ARP scanning, Nmap manages ARP requests with its optimized algorithm. When it receives a response, Nmap doesn't even need to worry about IP-based pings, since it already knows the host is running. This makes ARP scanning faster and more reliable than IP-based scanning. So by default, if Nmap finds that the target host is on the same LAN it is on, it will do an ARP scan. Even if a different ping type (like -PI or -PS) is specified, Nmap will use ARP for any target on the same LAN. If you really don't want ARP scanning, specify –send-ip.

-n (no domain name resolution)
Tells Nmap to never do reverse name resolution for active IP addresses it finds. Since DNS is generally slow, this can make things faster.

-R (resolve domain names for all targets)
Tell Nmap to always do reverse domain name resolution for the target IP address. Typically this is done only when the machine is found to be running.

–system-dns (use system DNS resolver)
By default, Nmap resolves domain names by sending queries directly to the nameservers configured on your host. To improve performance, many requests (typically dozens) are executed concurrently. Specify this option if you wish to use the system's own resolver (resolve one IP at a time with getnameinfo() calls). Unless there is a bug in Nmap's DNS code – if so, please contact us. This option is generally not used because it is much slower. The system resolver is always used for IPv6 scanning.

Port Scan Basics

While Nmap has grown in functionality over the years, it also started out as an efficient port scanner, and that remains its core functionality. nmapThis simple command scans hostsover 1660 TCP ports on the . Many traditional port scanners just list whether all ports are open or closed, Nmap's information granularity is much finer than them. It divides the port into six states: open (open), closed (closed), filtered (filtered), unfiltered (not filtered), open|filtered (open or filtered), or closed|filtered (off or filtered).

These states are not properties of the ports themselves, but describe how Nmap sees them. For example, for the same target machine's 135/tcp port, a scan from the same network shows it as open, while doing the exact same scan across the network may show it as filtered.

The 6 port states identified by Nmap.

open (open)
The application is receiving TCP connections or UDP packets on this port. Finding this is often the primary goal of a port scan. Security-conscious people know that every open port is an entry point for an attack. Attackers or intrusion testers want to discover open ports. And administrators try to turn them off or protect them with firewalls so as not to hinder legitimate users. Non-security scans may also be interested in open ports, as they show which services are available on the network.

A closed port is also accessible to Nmap (it accepts Nmap probes and responds), but no application is listening on it. They can show that the host on that IP address (host discovery, or ping scan) is running up Also helpful for some OS probes. Since closed gates are accessible, it may be worth scanning again later, maybe some are open again. System administrators may consider blocking such ports with a firewall. Then they will be displayed in a filtered state, discussed below.

filtered (filtered)
Since packet filtering prevents probe packets from reaching the port, Nmap cannot determine whether the port is open. Filtering may come from specialized firewall devices, router rules, or a software firewall on the host. Such ports are frustrating to attackers because they provide almost no information. Sometimes they respond to ICMP error messages like Type 3 code 13 (Unable to reach destination: communication forbidden by administrator), but more commonly the filter just drops the probe frame without doing anything. This forces Nmap to retry several times in case probe packets are dropped due to network congestion. This makes scanning significantly slower.

The unfiltered state means that the port is accessible, but Nmap cannot determine whether it is open or closed. Only ACK scans used to map firewall rule sets classify ports into this state. Scanning unfiltered ports with other types of scans such as window scans, SYN scans, or FIN scans can help determine if a port is open.

open|filtered (open or filtered)
When it cannot be determined whether a port is open or filtered, Nmap classifies the port into this state. An open port not responding is an example. No response could also mean that the packet filter dropped the probe packet or any response it elicited. So Nmap cannot determine whether the port is open or filtered. UDP, IP protocol, FIN, Null, and Xmas scans may put ports in this category.

closed|filtered (closed or filtered)
This state is used when Nmap cannot determine whether the port is closed or filtered. It may only appear in IPID Idle scans.

port scanning technology

As a novice car mechanic, I can spend hours trying to figure out how to use the basic tools (hammer, tape, wrench, etc.) for the task at hand. When I failed miserably and towed my classic car to a real mechanic, he was always rummaging in his toolbox until he pulled out a perfect tool and seemed to get it done with no effort. The art of port scanning is similar to this one. Experts understand dozens of scanning techniques and choose the most suitable one (or combination) to accomplish a given task. On the other hand, inexperienced users and newbies always solve every problem with the default SYN scan. Since Nmap is free, the only barrier to mastering port scanning is knowledge. That's certainly unmatched in the automotive world, where it can take great skill to determine that you need a strut spring compressor, and then you have to pay thousands of dollars for it.

Most scan types are only available to privileged users. This is because they send and receive raw messages, which on Unix systems require root privileges. The administrator account is recommended on Windows, but unprivileged users can also use Nmap normally when WinPcap has been loaded into the operating system. When Nmap was released in 1997, the need for root privileges was a serious limitation, as many users only had shared shell accounts. Now, the world has changed, computers are cheaper, more people have an internet connection, and desktop UNIX systems (including Linux and MAC OS X) are common. A Windows version of Nmap is also now available, which allows it to run on more desktops. For all these reasons, users no longer need to run Nmap with limited shared shell accounts. This is fortunate, because privileged options make Nmap much more powerful and flexible.

While Nmap strives to produce correct results, keep in mind that all results are based on the packets returned by the target machine (or the firewall in front of them). . These hosts may be untrustworthy, and they may respond to messages that confuse or mislead Nmap. It is more common for non-RFC compliant hosts to respond to Nmap probes in an incorrect manner. FIN, Null and Xmas scans are particularly prone to this problem. These are scan type specific issues, so we discuss them in individual scan types.

This section discusses about a dozen scanning techniques supported by Nmap. Typically only one method is used at a time, except UDP scan (-sU) which may be used in combination with any of the TCP scan types. Friendly reminder, the option format of port scan type is -s, inis a prominent character, usually the first character. An exception is deprecated FTP bounce scans (-b). By default, Nmap performs a SYN scan, but if the user does not have permission to send raw packets (root privileges are required on UNIX) or if an IPv6 target is specified, Nmap calls connect(). In the scans listed in this section, unprivileged users can only perform connect() and ftp bounce scans.

-sS (TCP SYN scan)
SYN scanning is the default and most popular scanning option for good reason. It performs fast, scanning thousands of ports per second on a fast network with no intrusion firewalls. SYN scanning is relatively unobtrusive and less noticeable because it never completes a TCP connection. It is also not platform-specific like Fin/Null/Xmas, Maimon and Idle scans, but can deal with any compatible TCP stack. It also clearly and reliably distinguishes between open, closed, and filtered states

It is often called a half-open scan because it does not open a full TCP connection. It sends a SYN message as if you were really going to open a connection and wait for a response. SYN/ACK means the port is listening (open), while RST (reset) means there is no listener. If there is no response after several retransmissions, the port is marked as filtered. If an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received, the port is also marked as filtered.

-sT (TCP connect() scan)
When SYN scanning is not available, CP Connect() scanning is the default TCP scanning. This is the case when the user does not have permission to send raw packets or scan the IPv6 network. Instead of writing raw packets as most other scan types do, Nmap requires the operating system to establish a connection with the target machine and port by creating the connect() system call, rather than sending raw packets directly like other scan types. This is the same high-level system call that web browsers, P2P clients, and most other web applications use to establish connections. It is part of a programming interface called Berkeley Sockets API. Nmap uses this API to obtain status information for each connection attempt, rather than reading the raw message of the response.

When a SYN scan is available, it's usually a better choice. Because Nmap has less control over the high-level connect() call than the original message, the former is less efficient. This system call is fully connected to an open target port rather than a half-open reset like a SYN scan. Not only does this take longer and requires more packets to get the same information, the target machine is also more likely to record the connection. An IDS (Intrusion Detection System) can catch both, but most machines don't have such an alert system. When Nmap connects, then closes the connection without sending data, many services on common UNIX systems leave a log in syslog, sometimes an encrypted error message. At this point, some really poor services will crash, although this doesn't happen very often. If an administrator sees a bunch of connection attempts from the same system in the logs, she should know her system was scanned.

-sU (UDP scan)
While many popular services on the Internet run over the TCP protocol, there are also quite a few UDP services. DNS, SNMP, and DHCP (registered ports are 53, 161/162, and 67/68) are the three most common. Because UDP scans are generally slower and more difficult than TCP, some security auditors ignore these ports. This is a bug, since detectable UDP services are fairly common, and attackers certainly don't ignore the entire protocol. Fortunately, Nmap can help log and report UDP ports.

UDP scanning is activated with the -sU option. It can be used in conjunction with TCP scans such as SYN scan (-sS) to check both protocols simultaneously.

UDP scan sends empty (no data) UDP headers to each destination port. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) indicate that the port is filtered. Occasionally, a service will respond with a UDP packet proving that the port is open. If there is no response after several retries, the port is considered open|filtered. This means that the port may be open, or a packet filter may be blocking traffic. A version scan (-sV) can be used to help distinguish between truly open ports and filtered ports.

The big challenge with UDP scanning is how to make it faster. Open and filtered ports rarely respond, let Nmap timeout before probing, in case probe frames or responses are lost. Closed ports are often the bigger problem. They generally send back an ICMP port unreachable error. But unlike closed TCP ports in response to SYN or RST messages sent by Connect scans, many hosts limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits sending only one destination unreachable message per second (see net/ipv4/icmp.c).

Nmap detects rate limits and slows down accordingly to avoid blocking the network with useless packets that the target might drop. Unfortunately, the Linux-style one-packet-per-second limit made scanning 65,536 ports more than 18 hours. Ways to speed up UDP scans include scanning more hosts concurrently, doing fast scans only on major ports first, scanning from behind firewalls, and using –host-timeout to skip slow hosts.

-sN; -sF; -sX (TCP Null, FIN, and Xmas scan)
These three scan types (and even more with the –scanflags option described in the next section) discover a subtle way of distinguishing between open and closed ports in the TCP RFC. Page 65 says "If the [destination] port state is down…. an incoming packet without RST results in an RST response." The next page discusses packets with no SYN, RST, or ACK bits set Send to an open port: "In theory, this shouldn't happen, if you do receive it, drop the packet and return."

If the scanning system follows this RFC, any packet that does not contain a SYN, RST, or ACK bit will cause an RST to be returned when the port is closed, and there should be no response when the port is open. Any combination of the other three (FIN, PSH, and URG) will do as long as it does not contain SYN, RST, or ACK. Nmap has three scan types to take advantage of this:

Null scan (-sN)
Do not set any flags (tcp flag header is 0)

FIN scan (-sF)
Only the TCP FIN flag is set.

Xmas scan (-sX)
Setting the FIN, PSH, and URG flags is like turning on all the lights on a Christmas tree.

Except for the different flag bits of the probe packets, the behaviors of these three scans are exactly the same. If a RST message is received, the port is considered closed, and no response means the port is open|filtered (open or filtered). If an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received, the port is marked as filtered.

The key advantage of these scans is that they evade some stateless firewalls and packet filtering routers. Another advantage is that these scan types are even more stealthy than SYN scans. But don't rely on it — most modern IDS products can spot them. A big shortcoming is that not all systems strictly follow RFC 793. Many systems respond to RST regardless of whether the port is open or closed. This results in all ports being marked closed. Such operating systems are primarily Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. But this scan will work on most UNIX systems. Another disadvantage of these scans is that they cannot distinguish between open (open) ports and some specific filtered (filtered) ports, and thus return open|filtered (open or filtered).

-sA (TCP ACK scan)
This scan differs from the other scans discussed so far in that it cannot determine open (open) or open|filtered (open or filtered) ports. It is used to discover firewall rules, determine whether they are stateful or stateless, and which ports are filtered.

ACK scan probes only set the ACK flag (unless you use –scanflags). When scanning for unfiltered systems, both open (open) and closed (closed) ports will return RST packets. Nmap marks them as unfiltered, which means that ACK packets cannot arrive, but whether they are open (open) or closed (closed) cannot be determined. Ports that do not respond or send specific ICMP error messages (type 3, code 1, 2, 3, 9, 10, or 13) are marked as filtered.

-sW (TCP window scan)
Window scans are exactly the same as ACK scans, except that the system-specific implementation details are used to distinguish open ports from closed ports, not always printing unfiltered when an RST is received. It does this by checking the TCP window field of the returned RST message. On some systems, open ports have a positive window size (even for RST packets) and closed ports have a window size of 0. Therefore, when an RST is received, the window scan does not always mark the port as unfiltered, but marks the port as open or closed, respectively, depending on whether the TCP window value is positive or 0

This scan relies on implementation details of a few systems on the Internet, so you can't trust it forever. Systems that do not support it will usually return all ports closed. Of course, it is also possible that a machine has no open ports. If most of the scanned ports are closed, and some common ports (eg 22, 25, 53) are filtered, the system is very suspicious. Occasionally, the system will even exhibit the exact opposite behavior. If your scan shows 1000 open ports and 3 closed or filtered ports, then those 3 are most likely open ports too.

-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He describes this technique in Phrack Magazine issue #49 (November 1996). Nmap added this technology two issues later. This technique is exactly the same as Null, FIN, and Xmas scans, except that the probe packets are FIN/ACK. According to RFC 793 (TCP), no matter whether the port is open or closed, a RST packet should be responded to such a probe. However, Uriel noticed that many BSD-based systems simply drop the probe if the port is open.

–scanflags (custom TCP scan)
True Nmap power users don't need to be bound by these ready-made scan types. The –scanflags option allows you to design your own scans by specifying arbitrary TCP flags. Let your creativity flow and evade intrusion detection systems that add rules to this manual alone!

The –scanflags option can be a numeric flag value such as 9 (PSH and FIN), but it is easier to use character names. Any combination of URG, ACK, PSH, RST, SYN, and FIN will do. For example, –scanflags URGACKPSHRSTSYNFIN sets all flags, but this is not very useful for scanning. The order of the flag bits is not important.

In addition to setting the required flags, you can also set the TCP scan type (eg -sA or -sF). That base type tells Nmap how to interpret the response. For example, a SYN scan considers no response to mean a filtered port, while a FIN scan considers it open|filtered. Nmap will work the same as the basic scan type, except that it uses the TCP flag bits you specify. If you don't specify a base type, a SYN scan is used.

-sI (Idlescan)
This advanced scanning method allows true TCP port blind scanning of the target (meaning no packets are sent to the target from your real IP address). Instead, a side-channel attack exploits a known IP segment ID sequence generation algorithm on the zombie host to spy on open ports on the target. The IDS system will show that the scan came from the zombie machine you specified (must be running and meet certain criteria). This wonderful type of scan is too complex to fully describe here, so I wrote an informal paper and posted it at http://nmap.org/book/idlescan.html.

In addition to being extremely stealthy (since it doesn't send any packets from real IP addresses), this scan type can establish IP-based trust relationships between machines. The port list is from the perspective of the zombie host. Show open ports. So you can try to scan the target with zombies that you think (via router/packet filter rules) might be trusted.

If you want to probe a specific port on the zombie due to an IPID change, you can append a colon and the port number after the zombie host. Otherwise Nmap will use the default port (80).

-sO (IP protocol scan)
IP Protocol Scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target. Technically, this is not a port scan, since it traverses IP protocol numbers rather than TCP or UDP port numbers. But it still uses the -p option to select the protocol number to scan, reports the results in the normal port table format, and even uses the same scan engine as a real port scan. So it is very close to port scanning and is also discussed here.

Besides being useful in and of themselves, protocol scanning shows the power of open source software. Although the basic idea is very simple, I have never thought of adding this feature in the past nor received any requests for it. In the summer of 2000, Gerhard Rieger conceived the idea, wrote a great patch, and sent it to the nmap-hackers mailing list. I added that patch to Nmap and released a new version the next day. Few commercial software will have users who are enthusiastic enough to design and contribute their improvements.

Protocol scanning works in a similar way to UDP scanning. Instead of looping over the port field of the UDP packet, it loops over the 8 bits of the IP protocol field, sending the IP header. The header is usually empty and contains no data or even the correct header for the declared protocol TCP, UDP, and ICMP are three exceptions. All three will use normal protocol headers, because otherwise some systems refuse to send them, and Nmap has functions to create them. The protocol scan is not looking for ICMP port unreachable messages, but ICMP protocol unreachable messages. If Nmap receives any response from the target host for any protocol, Nmap marks that protocol as open. ICMP protocol unreachable errors (type 3, code 2) cause the protocol to be marked closed. Other ICMP unreachable protocols (type 3, codes 1, 3, 9, 10, or 13) cause the protocol to be marked as filtered (although at the same time they prove that ICMP is open). If no response is received after retries, the protocol is marked as open|filtered

-b (FTP bounce scan)
An interesting feature of the FTP protocol (RFC 959) is support for so-called proxy ftp connections. It allows users to connect to an FTP server and then request files to be sent to a third-party server. This feature has been abused on many levels, so many servers have stopped supporting it. One of them is to cause the FTP server to port scan other hosts. Just request the FTP server in turn to send a file to the port of interest on the target host. The error message will describe whether the port is open or closed. This is a great way to bypass firewalls, because FTP servers are often placed in locations that have access to more internal hosts than web hosts. Nmap supports ftp bounce scanning with the -b option. The parameter format is:@:。 Is the name or IP address of a vulnerable FTP server. you may be able to omit:, if an anonymous user (user:anonymous password:[email protected]) is opened on the server. The port number (and the preceding colon) can also be omitted, ifUse the default FTP port (21).

This weakness was widely exploited when Nmap was released in 1997, but has now been mostly fixed. Vulnerable servers still exist, so if all else fails, this is also worth a shot. If your goal is to bypass the firewall, scan the target network for open port 21 (or even any ftp service, if you scan all ports with version probe), then bounce scan for each attempt. Nmap will tell you if the host is vulnerable or not. If you're just trying to play with Nmap, you don't have to (in fact, shouldn't) limit yourself. While you're randomly scouring the internet for vulnerable FTP servers, consider that sysadmins don't like you abusing their servers like this.

Port Description and Scan Order

In addition to all the previously discussed scanning methods, Nmap provides options for which ports are scanned and whether the scanning is done randomly or sequentially. By default, Nmap scans ports 1 to 1024 and higher ports listed in the nmap-services file using the specified protocol.

-p (Only scan specified ports)
This option specifies the ports you want to scan, overriding the default. Both single ports and hyphenated port ranges (such as 1-1023) are fine. The start and/or end values ​​of the range can be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan from port 1 to 65535. Port 0 can also be scanned if you specify otherwise. For IP protocol scans (-sO), this option specifies the protocol number (0-255) you wish to scan.

When scanning both TCP and UDP ports, you can specify the protocol by prefixing the port number with T: or U:. A protocol qualifier is in effect until you specify another one. For example, the parameter -p U:53, 111, 137, T:21-25, 80, 139, 8080 will scan UDP ports 53, 111, and 137, as well as the listed TCP ports. Note that to scan both UDP and TCP, you must specify -sU, and at least one TCP scan type (eg -sS, -sF, or -sT). If no protocol qualifier is given, the port number is added to the list of all protocols.

-F (fast (limited port) scan)
Specify the ports you want to scan in nmap's nmap-services file (for -sO, the protocol file). This is much faster than scanning all 65535 ports. Because the list contains so many TCP ports (over 1200), this is not very different from the default TCP scan scan (about 1600 ports). If you specify your own little nmap-services file with the –datadir option, the difference can be dramatic.

-r (do not scan ports in random order)
By default, Nmap scans ports in random order (except for common port forwarding for efficiency reasons). This randomization is usually welcome, but you can also specify -r for sequential port scans.

Service and version detection

Point Nmap to a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using the nmap-services database of about 2,200 well-known services, Nmap can report which ports may correspond to a mail server (SMTP), web server (HTTP), and domain name server (DNS), respectively. This query is usually correct — in fact, the vast majority of daemons listening on TCP port 25 are mail servers. However, you shouldn't bet on this! It's perfectly fine for people to run services on some weird port.

Even if Nmap is right, assuming that the services running are indeed SMTP, HTTP, and DNS, that's not particularly informative. When doing a security assessment (or even a simple network inventory) for your company or clients, you really want to know what mail and name servers are running and their versions. Having an exact version number is a huge help in knowing what vulnerabilities your server has. Version detection can help you get this information.

After discovering TCP and/or UDP ports using some other type of scanning method, version probes interrogate those ports to determine what services are running. The nmap-service-probes database contains probe messages for querying different services and matching expressions for parsing and identifying responses. Nmap tries to determine service protocol (eg ftp, ssh, telnet, http), application name (eg ISC Bind, Apache httpd, Solaris telnetd), version number, host name, device type (eg printer, router), OS family ( e.g. Windows, Linux) and other details like if X server can be connected, SSH protocol version, or KaZaA username). Of course, not all services provide all of this information. If Nmap is compiled to support OpenSSL, it will connect to the SSL server and speculate what service is listening behind the encryption layer. When discovering an RPC service, the Nmap RPC grinder (-sR) is automatically used to determine the RPC program and its version number. If after scanning a UDP port it is still not possible to determine whether the port is open or filtered, the port status is marked as open|filtered. Version detection will attempt to raise a response from these ports (as it does for open ports), and if successful, change the state to open. open|filtered TCP ports are treated in the same way. Note that the Nmap -A option turns on version detection in other cases. There is an article on the principle, usage and customization of version detection athttp://www.insecure.org/nmap/vscan/。

When Nmap receives a response from a service, but can't find a match in the database, it prints a special fingerprint and a URL for you to submit, if you really know what service is running on the port. Please take two minutes to submit your findings for the benefit of everyone. As a result of these commits, Nmap has about 3,000 pattern matches for more than 350 protocols like smtp, ftp, http, etc.

Use the following options to turn on and control version detection.

-sV (version detection)
Turn on version detection. You can also use -A to turn on both OS detection and version detection.

–allports (do not exclude any ports for version detection)
By default, the Nmap version probe skips the 9100 TCP port because some printers simply print any data sent to that port, which in turn results in dozens of pages of HTTP get requests, binary SSL session requests, etc. being printed. This behavior can be changed by modifying or removing the Exclude directive in nmap-service-probes. You can also ignore any Exclude directive and specify –allports to scan all ports

–version-intensity (set version scan strength)
When doing a version scan (-sV), nmap sends a series of probe packets, each of which is assigned a value between 1 and 9. Probe packets assigned lower values ​​are effective for a wide range of common services, while packets assigned higher values ​​are generally not useful. The strength level dictates which probes should be used. The higher the number, the more likely the service will be correctly identified. However, high-intensity scans take more time. The intensity value must be between 0 and 9. Default is 7. When a probe packet is registered to a target port via the nmap-service-probes ports indicator, the probe packet is attempted regardless of the intensity level. This guarantees that DNS probes will always try on any open port 53, SSL probes will try on port 443, etc.

–version-light (turn on lightweight mode)
This is a convenient alias for –version-intensity 2. Lightweight mode makes version scans much faster, but it is also slightly less likely to identify services.

–version-all (try every probe)
An alias for –version-intensity 9, which ensures that every probe packet is tried on every port.

–version-trace (trace version scan activity)
This causes Nmap to print detailed debug information about the scan in progress. It is a subset of the information you get with –packet-trace.

-sR (RPC scan)
This method is used in conjunction with many port scanning methods. It executes the SunRPC program NULL command on all TCP/UDP ports found to be open, trying to determine if they are RPC ports, and if so, what program and version number. So you can effectively get the same information as rpcinfo -p, even if the target's port is mapped behind a firewall (or protected by a TCP wrapper). Decoys does not currently work with RPC scan. This is turned on automatically as part of a version scan (-sV). Since version detection includes it and is much more comprehensive, -sR is rarely needed.

OS detection

One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host, checking every bit in the response. After conducting a dozen tests such as TCP ISN sampling, TCP option support and ordering, IPID sampling, and initial window size checking, Nmap compares the results with over 1500 known operating system fingerprints in the database nmap-os-fingerprints, If there is a match, print out the details of the operating system. Each fingerprint includes a free-form descriptive text about the OS, and a category information that provides the vendor name (eg, Sun), the operating system below (eg, Solaris), the OS version (eg, 10), and the device type (generic). devices, routers, switches, game consoles, etc.).

If Nmap can't guess the OS, and there are some good known conditions (like at least one open port and one closed port found), Nmap will provide a URL, and if you know the running OS, you can submit the fingerprint to that URL. This way you expand Nmap's operating system knowledge base for the benefit of every Nmap user.

Operating system detection can perform other tests that make use of information gathered during processing. For example, runtime detection, which uses the TCP timestamp option (RFC 1323) to estimate when a host was last restarted, is only available for hosts that provide such information. The other is the TCP sequence number prediction classification, which is used to test the possible difficulty of establishing a fake TCP connection to a remote host. This is important for attacks that exploit source IP address-based trust relationships (rlogin, firewall filtering, etc.) or imply source addresses. This type of spoofing attack is now rare, but some hosts still have vulnerabilities in this area. The actual difficulty value is based on statistical sampling, so there may be some fluctuations. It is usually better to use the British classification, such as "worthy challenge" or "trivial joke". In verbose mode (-v) only output is normal, if -O is also used, the IPID sequence generation number is also reported. The serial number of many hosts is of the "increment" category, that is, the ID field value is added to the IP header of each sent packet, which is a vulnerability for some advanced information gathering and spoofing attacks.

http://nmap.org/book/osdetect.htmlDocumentation describes the way, use, and customization of version detection in several languages.

Enable and control OS detection with the following options:

-O (enable OS detection)
You can also use -A to enable both OS detection and version detection.

–osscan-limit (operating system detection for specified target)
OS detection is more efficient if an open and closed TCP port is found. With this option, Nmap only performs OS detection on hosts that meet this condition, which saves time, especially when scanning multiple hosts with -P0. This option only works when using -O or -A for OS detection.

–osscan-guess; –fuzzy (guess OS detection result)
When Nmap cannot determine the detected operating system, it will provide the closest match as possible. Nmap does this by default. Using any of the above options makes Nmap's guess more efficient.

time and performance

The highest priority for Nmap development is performance. Default scan of a host on the local network (nmap) takes 1/5 of a second. In the blink of an eye, tens of thousands or even hundreds of thousands of hosts need to be scanned. Additionally, some specific scan options, such as UDP scan and version detection, can significantly increase scan time. Also, firewall configuration and special response speed limits can increase the time. Nmap uses parallel algorithms and many advanced algorithms to speed up scanning, and the user has ultimate control over how Nmap works. Advanced users can fine-tune the Nmap command to get the information they care about while meeting the timing requirements.

Techniques to improve scan time are: ignore non-critical detections, upgrade to the latest version of Nmap (performance enhancements continue to improve). Substantial changes are also brought about by optimizing the time parameters, which are listed below.

–min-hostgroup ; –max-hostgroup (resize parallel scan group)
Nmap has the ability to scan multiple host ports or versions in parallel. Nmap divides multiple target IP address spaces into groups, and then scans a group at the same time. Generally, larger groups are more effective. The downside is that scan results for hosts are only available when the entire group scan is complete. If the group size is defined as 50, the report will only be available after the current 50 host scans are over (except for supplementary information in verbose mode).

By default, Nmap takes a compromise approach. Start the scan with small groups, a minimum of 5, to produce results as quickly as possible; then increase the group size to a maximum of 1024. The exact size depends on the options given. To ensure efficiency, Nmap uses large groups for UDP or TCP scans of a small number of ports.

The –max-hostgroup option is used to specify the largest group to be used, and Nmap will not exceed this size. The –min-hostgroup option specifies the smallest group, Nmap will keep groups larger than this value. If there are not enough target hosts on the specified interface to satisfy the specified minimum, Nmap may take a smaller group than the specified value. These two parameters, although rarely used, are used to keep the group size within a specified range.

The main purpose of these options is to specify a minimum group size to make the entire scan faster. Usually 256 is chosen to scan class C network segments. For scans with a large number of ports, exceeding this value is meaningless. For scans with low port counts, a group size of 2048 or greater is helpful.

–min-parallelism ; –max-parallelism (Adjust the parallelism of detection packets)
These options control the number of probe packets used for host groups, which can be used for port scanning and host discovery. By default, Nmap calculates an ideal degree of parallelism based on network performance, and this value changes frequently. If packets are discarded, Nmap slows down and the number of probe packets decreases. As network performance improves, the ideal number of probe packets will slowly increase. These options determine the size range of this variable. By default, the ideal parallelism value may be 1 when the network is unreliable, and may grow to several hundred under good conditions.

The most common application is for –min-parallelism values ​​greater than 1 to speed up scanning of poorly performing hosts or networks. This option is risky, affecting accuracy if too high, and also reducing Nmap's ability to dynamically control parallelism based on network conditions. It is more appropriate to set this value to 10, and the adjustment of this value is often used as a last resort.

The –max-parallelism option is usually set to 1, to prevent Nmap from sending multiple probes to the host at the same time, and it is very useful to use the –scan-delay option at the same time, although this option itself is already very useful.

–min-rtt-timeout , –max-rtt-timeout , –initial-rtt-timeout (Adjusting the probe packet timeout)
Nmap uses a runtime timeout value to determine how long to wait for a probe packet response before giving up or resending probe packets. Nmap calculates the timeout value based on the response time of the last probe packet. If the network delay is significant and uncertain, the timeout value will increase by a few seconds. The initial value is conservative (high), and when Nmap scans for unresponsive hosts, this conservative value remains for a period of time.

These options are in milliseconds and take a small –max-rtt-timeout value, making –initial-rtt-timeout greater than the default can significantly reduce scan time, especially for unpingable scans (-P0) and Network with strict filtering. Using a value that is too small will cause many probe packets to time out and be resent while response messages may be being sent, which increases the overall scan time.

If all hosts are on the local network, 100ms is appropriate for the –max-rtt-timeout value. If there is a route, first use the ICMP ping tool to ping the host, or use other packet tools such as hpings, which can better penetrate the firewall. Look at the maximum round-trip time for about 10 packets, then set –initial-rtt-timeout to 2 times this time, and –max-rtt-timeout can be set to 3 or 4 times this time value. Generally, regardless of the ping time, the maximum rtt value should not be less than 100ms and cannot exceed 1000ms.

–min-rtt-timeout This option is rarely used, when the network is unreliable, the default value of Nmap is too strong, then this option can be used. Nmap only reduces the timeout to a minimum when the network appears unreliable, which is not normal and needs to be reported to the nmap-dev mailing list.

–host-timeout (abandon slow target host)
Some hosts take a long time to scan due to poor or unreliable network hardware or software, bandwidth limitations, strict firewalls, etc. These very few host scans tend to take up most of the scan time. Therefore, the best way is to reduce the time consumption and ignore these hosts, use the –host-timeout option to specify the time (milliseconds) to wait. Usually 1800000 is used to guarantee that Nmap will not be used for more than half an hour on a single host. It should be noted that Nmap can scan other hosts at the same time during this half hour, so it does not completely give up scanning. A host that times out is ignored, so there is no output of the port table, OS detection, or version detection results for that host.

–scan-delay ; –max-scan-delay (Adjust the time interval of detection packets)
This option is used by Nmap to control the waiting time (milliseconds) for sending probe packets to a host. This option is very effective in the case of bandwidth control. Solaris hosts only send one ICMP message per second when responding to UDP scan probe packets, so many probe packets sent by Nmap are wasted. –scan-delay Set to 1000 to make Nmap run at low speed. Nmap attempts to detect bandwidth controls and adjust the scan's latency accordingly, but it doesn't affect specifying what speed works best.

Another use of –scan-delay is to evade threshold-based intrusion detection and prevention systems (IDS/IPS).

-T (Set Time Template)
The above optimization time control options are powerful and effective, but some users can be confused. In addition, the time to select the appropriate parameters often exceeds the scan time required for optimization. Therefore, Nmap provides some simple ways to use 6 time templates, which are used with the -T option and a number (0 – 5) or a name. Template names are paranoid (0), sneaky (1), polite (2), normal(3), aggressive (4), and insane (5). The first two modes are used for IDS evasion, and Polite mode reduces the scan speed to use less bandwidth and target host resources. The default mode is Normal, so -T3 doesn't actually do any optimizations. Aggressive mode assumes that the user has a suitable and reliable network to speed up scanning. Insane mode assumes the user has a particularly fast network or is willing to sacrifice accuracy for speed.

Users can choose different templates according to their needs, and Nmap is responsible for choosing the actual time value. Templates are also fine-tuned for speed for other optimization controls. For example, -T4 disables dynamic scan delays over 10ms for TCP ports, and -T5 corresponds to 5ms. Templates can be used in combination with optimization tuning controls, but the template must be specified first, otherwise the template's standard value will override the user-specified value. It is recommended to use -T4 when scanning for reliable networks, even if you want to increase optimization control options yourself (at the beginning of the command line) to benefit from these additional smaller optimizations.

The -T4 option is still recommended if used with sufficient bandwidth or an Ethernet connection. Some users like the -T5 option, but this one is too strong. Sometimes users use the -T2 option to avoid crashing the host or to be more polite. They didn't realize how slow the -T Polite option was, scanning in this mode actually took 10 times longer than the default. The default time option (-T3) has few host crashes and bandwidth problems and is more suitable for cautious users. These problems can be solved more effectively without version detection than with timing adjustments.

While the -T0 and -T1 options may help avoid IDS alerts, it can significantly increase the time when doing thousands of host or port scans. For such long scans, it is preferable to set the exact time value instead of relying on the -T0 and -T1 options of the package.

The main effect of the T0 option is that for continuous scanning, only one port can be scanned at a time, and the sending interval of each probe packet is 5 minutes. The T1 and T2 options are similar, and the detection packet interval is 15 seconds and 0.4 seconds respectively. T3 is the default option for Nmap and includes parallel scans. The T4 option is equivalent to –max-rtt-timeout 1250 –initial-rtt-timeout 500, and the maximum TCP scan delay is 10ms. T5 is equivalent to –max-rtt-timeout 300 –min-rtt-timeout 50 –initial-rtt-timeout 250 –host-timeout 900000, and the maximum TCP scan delay is 5ms.

Firewall/IDS evasion and spoofing

Many Internet pioneers envisioned a global open network, using a global IP address space, allowing a virtual connection between any two nodes. This allows hosts to act as true peers, providing services and obtaining information from each other. People can access all the systems in the home, adjust the temperature of the air conditioner, and open the door for early arrivals at work. Subsequently, the vision of these global connections was limited by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls to reduce connections, with large networks isolated from the unfiltered Internet by proxies, NATs, and packet filters. Unrestricted flow of information is replaced by tightly controlled flow of trusted communication channel information.

Firewall-like network isolation makes searching the network more difficult, and random searches are no longer easy. However, Nmap provides many features for understanding these complex networks and verifying that these filters are working properly. Additionally, Nmap provides a means to bypass some weaker defense mechanisms. One of the most effective ways to verify the security state of a network is to try to trick the network into imagining itself as an attacker, using the techniques presented in this section to attack its own network. Such as using FTP bounce scanning, idle scanning, fragmentation attacks or trying to penetrate your own proxy.

In addition to restricting the behavior of the network, the number of companies using intrusion detection systems (IDS) is also increasing. Since Nmap is often used for pre-attack scans, all mainstream IDSs include rules for detecting Nmap scans. These products are now morphed into intrusion prevention systems (IPS) that proactively block suspected malicious behavior. Unfortunately, it is hard work for network administrators and IDS vendors to detect malicious behavior by analyzing packets, and attackers with patience and skill can often go undetected by IDS with the help of specific Nmap options. At the same time, administrators have to deal with a large number of false positive results, where normal behavior is misjudged and altered or prevented.

It is sometimes suggested that Nmap should not provide features to evade firewall rules or spoof IDS, features that can be abused by attackers, yet administrators can take advantage of to enhance security. In fact, the method of attack can still be exploited by attackers who can discover other tools or patches for Nmap. At the same time, administrators find it harder for attackers to deploy advanced, patched FTP servers than tools that take steps to prevent FTP Bounce attacks.

Nmap does not provide a magic bullet (or Nmap option) to detect and destroy firewalls and IDS systems, it uses techniques and experience that are beyond the scope of this reference manual, the relevant options and the work done are described below.

-f (packet fragmentation); –mtu (use specified MTU)
The -f option requires the use of small IP packet fragments when scanning (packet ping scanning). The idea is to segment the TCP header into several packets, making detection more difficult for packet filters, IDS, and other tools. This option must be used with care, some systems have problems handling these small packets, for example the old network sniffer Sniffit will give a segmentation fault as soon as it receives the first fragment. Using this option once, Nmap divides the packet into 8 bytes or less after the IP header. Therefore, a 20-byte TCP header will be divided into 3 packets, 2 of which have 8 bytes of the TCP header respectively, and the other packet has the remaining 4 bytes of the TCP header. Of course, every packet has an IP header. Use -f again to use 16-byte segments (reduce the number of segments). Use the –mtu option to customize the size of the offset. You do not need -f when using it, and the offset must be a multiple of 8. Packet filters and firewalls queue all IP fragments, such as the CONFIG-IP-ALWAYS-DEFRAG configuration item in the Linux kernel, and fragmented packets are not used directly. Some networks cannot withstand the performance impact of this and will disable this configuration. Other reasons for prohibition are that fragmented packets enter the network through different routes. Some source systems segment sent packets in the kernel, Linux using the iptables connection tracking module is an example. When using a sniffer like Ethereal, the scan must ensure that the packets sent are fragmented. If the host OS is causing problems, try using the –send-eth option to bypass the IP layer and send raw Ethernet frames directly.

-D (Use decoy covert scan)
For decoy scanning to work, the remote host needs to be made to think that the decoy is scanning the target network. IDS may report 5-10 port scans of a certain IP, but it doesn't know which IP is being scanned and which are not decoys. But this way can be solved through route trace, response drop and other active mechanisms. This is a commonly used and effective technique for hiding one's own IP address.

Use a comma to separate each decoy host, or you can use your own real IP as a decoy, in which case you can use the ME option. Some common port scan detectors (such as Solar Designer's excellent scanlogd) will not report this real IP if the ME option is used in the 6th position or later. If the ME option is not used, Nmap puts the real IP in a random location

Note that the host used as a decoy must be in a working state, otherwise it will cause a SYN flood attack on the target host. If only one host is working on the network, it is easy to determine which host is scanning. It is also possible to use IP addresses instead of hostnames (the spoofed network is unlikely to be found in name server logs).

Decoys can be used in the initial ping scan (ICMP, SYN, ACK, etc.) phase or the real port scan phase. Decoys can also be used for remote OS detection (-O). Decoys are ineffective when doing version detection or TCP connection scanning.

There is no value in using too many baits, and instead results in slower scans and inaccurate results. Also, some ISPs filter spoofed packets, but many don't have any restrictions on spoofed IP packets.

-S (source address spoofing)
In some cases Nmap may not be able to determine your source address (if so, Nmap will give a hint). In this case, use the -S option and specify the IP address of the interface to which the packets are to be sent.

Another use of this flag is to deceive scanning, making the target think another address is scanning. Imagine a competitor constantly scanning a company! The -e option is often used in this case, and the -P0 option can also be used.

-e (using the specified interface)
Tell Nmap which interface to use to send and receive packets, Nmap can perform automatic detection, and will give a prompt if it cannot be detected.

–source-port ; -g (source port spoofing)
Trusting a data flow solely on the source port number is a common misconfiguration, and the problem is well understood. For example, an administrator deploys a new firewall, but many users are dissatisfied because their applications stop working. The DNS crash may be caused by the failure of the external UDP DNS server response to enter the network. FTP is another common example. During FTP transfers, the remote server attempts to establish a connection with the internal user to transfer data.

There are security solutions to these problems, usually application-level proxies or protocol analysis firewall modules. But there are also some unsafe schemes. Noting that DNS responses come from port 53 and FTP connections come from port 20, many administrators fall into the trap of allowing data from these ports into the network. They don't think there will be notable attacks and exploits in these ports. Additionally, administrators may see this as a short-term measure until they take a more secure approach. But they ignored safe upgrades.

It's not just overworked network administrators who fall into this trap. Many products, even Microsoft's, have such insecurities themselves. The IPsec filters included in Windows 2000 and Windows XP also contain some implicit rules that allow all TCP and UDP traffic from port 88 (Kerberos). Another common example is Zone Alarm Personal Firewall up to version 2.1.25 still allowing incoming UDP packets with source port 53 (DNS) or 67 (DHCP).

Nmap provides the -g and –source-port options (which are equivalent) for exploiting the above weaknesses. Just provide a port number and Nmap can send data from those ports. For a specific operating system to work properly, Nmap must use a different port number. DNS requests ignore the –source-port option because Nmap relies on system libraries to handle it. Most TCP scans, including SYN scans, fully support these options, as do UDP scans.

–data-length (Add random data when sending message)
Normally, Nmap sends the fewest packets with only one header. So TCP packets are usually 40 bytes, and ICMP ECHO requests are only 28 bytes. This option tells Nmap to append the specified number of random bytes to the sent packets. OS detection (-O) packets are not affected, but most ping and port scan packets are affected, which makes processing slower but has less impact on scanning.

–ttl (Set IP time-to-live domain)
Set the time-to-live field of IPv4 packets to the specified value.

–randomize-hosts (randomize the order of target hosts)
Tells Nmap to randomize the hosts in each group, up to a maximum of 8096 hosts, before scanning the hosts. This can make scanning less obvious for different network monitoring systems, especially when used with smaller time options. If you need to randomize a larger group, you need to increase the value of PING-GROUP-SZ in the nmap.h file and recompile. Another way is to use a list scan (-sL -n -oN), produces a list of target IPs, randomizes them using a Perl script, and then feeds them to Nmap using -iL.

–spoof-mac (MAC address spoofing)
Requires Nmap to use the specified MAC address when sending original Ethernet frames. This option implies the –send-eth option to ensure that Nmap actually sends Ethernet packets. There are several formats for MAC addresses. If you simply use the string "0", Nmap chooses a completely random MAC address. If the given character is an even hexadecimal number (separated with : ), Nmap will use this MAC address. If it is a hexadecimal number less than 12, Nmap will randomly fill the remaining 6 bytes. If the parameter is not 0 or a hexadecimal string, Nmap will look up the manufacturer's name (case sensitive) through nmap-mac-prefixes, if a match is found, Nmap will use the manufacturer's OUI (3-byte prefix), and then randomly fill the rest of 3 bytes. The correct –spoof-mac parameters are, Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco.


Any security tool is only valuable if it outputs results, and complex tests and algorithms make little sense if not expressed in an organized and understandable way. Nmap provides several ways for users and other software to use, in fact, there is no one way that will please everyone. Therefore, Nmap provides some formats, including an interactive mode that is convenient for direct viewing and an XML format that is convenient for software processing.

In addition to providing the output format, Nmap also provides options to control the details of the output as well as debugging information. Output can be sent to standard output or to a named file, which can be appended or overwritten. The output file can also be used to continue an interrupted scan.

Nmap provides 5 different output formats. The default method is interactive output, which is sent to standard output (stdout). The normal output method is similar to interactive, but displays less runtime information and warning information, because these information are used for analysis after the scan is completely completed, rather than interactive.

XML output is the most important output type and can be converted to HTML, which is very convenient for program processing, such as for Nmap GUI or importing into databases.

The other two output types are relatively simple. The grepable output format contains the most information about the target host in one line; the sCRiPt KiDDi3 0utPUt format is used to consider your own users |

Interactive output is the default, and there is no corresponding command-line option. The other four format options use the same syntax and take one parameter, which is the file name where the results are stored. Multiple formats can be used at the same time, but a format can only be used once. For example, to save the results to an XML file for program analysis while standard output is used for viewing, the options -oX myscan.xml -oN myscan.nmap can be used. For simplicity of description, this chapter uses a simple filename similar to myscan.xml, and a more descriptive filename is recommended. The choice of file name is related to personal preference. It is recommended to add the scan date and one or two words to describe and place it in a directory.

While outputting the results to a file, Nmap still sends the results to standard output. For example, the command nmap -oX myscan.xml target will output XML to myscan.xml and print the same interactive result on stdout without the -oX option. This can be changed using a hyphen as an option, which causes Nmap to suppress interactive output and instead print the result to the specified standard output stream. Therefore, the command nmap -oX -target only outputs XML to stdout. Fatal errors are still output to the standard error stream stderr.

Unlike other Nmap parameters, spaces (such as -oX) and filenames or hyphens for log file options are required. If flags such as -oG- or -oXscan.xml are omitted, Nmap's backward compatibility feature will create standard format output files, corresponding to G- and Xscan.xml.

Nmap also provides options to control scan details and addition or overwrite of output files, which are described below.

Nmap output format

-oN (standard output)
Asks standard output to be written directly to the specified file. As mentioned above, this format is slightly different from interactive output.

-oX (XML output)
Requires XML output to be written directly to the specified file. Nmap includes a Document Type Definition (DTD) that enables XML parsers to efficiently output XML. This is mainly for program applications, but also assists in human interpretation of Nmap's XML output. The DTD defines the legal format elements, enumerating the attributes and values ​​that can be used. The latest version is available atAvailable at http://www.insecure.org/nmap/data/nmap.dtd.

XML provides output in a stable format that can be parsed by software, and free XML parsers are available for major computer languages ​​such as C/C++, Perl, Python, and Java. There is some bundled code for these languages ​​for processing Nmap output and specific executors. For example Nmap::Scanner and Nmap::Parser in perl CPAN. XML is the format of choice for almost all major applications that interface with Nmap.

The XML output references an XSL stylesheet, which is used to format the output, similar to HTML. The most convenient way is to load the XML output into a web browser such as Firefox or IE. Because of the absolute path to the nmap.xsl file, it usually only works on a machine running Nmap (or a similarly configured machine). Similar to any HTML file that supports web machines, the –stylesheet option can be used to create portable XML files.

-oS (ScRipT KIdd|3 oUTpuT)
The script kiddie output is similar to the interactive tool output, which is a post-processing, suitable for 'l33t HaXXorZ, since the original all-caps Nmap output. This option is joking with script kiddies and appears to be meant to "help them".

-oG (Grep output)
This method is introduced last because it is not recommended. The XML input format is powerful and easy for experienced users to use. XML is a standard made up of many parsers, and Grep is more simplified. XML is extensible to support newly released Nmap features. The purpose of using Grep output is to ignore these features because there is not enough space.

However, Grep output is still commonly used. It's a simple format, one host per line, that can be easily looked up and broken down by UNIX tools (like grep, awk, cut, sed, diff) and Perl. Often used for one-off tests on the command line. To find hosts with ssh ports open or running Sloaris, all it takes is a simple grep for the host description, using the channel and printing the desired domain via the awk or cut command.

Grep output can contain comments (each line starts with a # sign). Each line consists of 6 marked fields, separated by tabs and colons. These fields are host, port, protocol, ignore state, operating system, serial number, IPID and state.

The most important of these fields is Ports, which provides details of the ports of interest, with port entries separated by commas. Each port entry represents a port of interest, and each subdomain is separated by /. These subfields are: port number, state, protocol, owner, service, SunRPCinfo and version information.

For XML output, this manual cannot list all formats, more details about Nmap Grep output can be found at http://www.unspecific.com/nmap-oG-output.

-oA (output to all formats)
For ease of use, the -oA option can be used to output the scan results in standard format, XML format and Grep format at one time. Stored in .nmap, .xml and .gnmap files respectively. You can also specify a directory name before the filename, eg, in UNIX, use ~/nmaplogs/foocorp/, and in Windows, use c:\hacking\sco on Windows.

Details and debugging options

-v (increase verbosity of output)
By increasing the verbosity, Nmap can output more information about the scanning process. Output the open ports found, and display the estimated end time if Nmap thinks the scan will take more time. This option is used twice and provides more detailed information. Using this option more than twice has no effect.

Most of the changes only affect interactive output, some also affect standard and script kiddie output. Other output types are handled by the machine, in which case Nmap provides detailed information by default and does not require human intervention. However, there are some variations in other modes, and omitting some details can reduce the output size. For example, a commented line in Grep output provides a list of all scan ports, but since this information is too long, it can only be output in detail mode.

-d [level] (increase or set debug level)
When verbose mode also does not provide enough data for the user, use debugging to get more information. When using the verbose option (-v), a command-line parameter (-d) can be enabled, used multiple times to increase the debug level. The debug level can also be set with an argument after -d. For example, -d9 sets level 9. This is the highest level and will produce thousands of lines of output unless a simple scan is performed on a few ports and targets.

Debug output is very useful if Nmap hangs because of a bug or if you have doubts about how Nmap works and how it works. Mainly developers use this option, debug lines are not self-explanatory. For example, Timeoutvals: srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==> srtt: 14987 rttvar: 14987 to: 100000. If you don't understand a line of output, you can ignore it, look at the source code, or ask the dev list (nmap-dev) for help. Some output lines will be self-explanatory, but will become more and more ambiguous as the debug level increases.

–packet-trace (trace sent and received packets)
Asking Nmap to print a summary of every packet sent and received, usually for debugging, helps new users better understand what Nmap really does. To avoid outputting too many lines, you can limit the number of ports scanned, such as -p20-30. If only version detection is required, use –version-trace.

–iflist (list interfaces and routes)
Outputs a list of interfaces and system routes detected by Nmap, useful for debugging routing problems or device description errors (eg Nmap treats PPP connections as Ethernet).

Other output options

–append-output (append in output file)
When using a file as the output format, such as -oX or -oN, the file is overwritten by default. If you want the file to keep its existing contents, append the result to the existing file, use the –append-output option. All specified output files are added. However, it is invalid for XML (-oX) scan output files and cannot be parsed normally, and needs to be modified manually.

–resume (continue the interrupted scan)
Some extended Nmap runs take a long time — in days, such scans often don't end. Restrictions can be made that prohibit Nmap from running during business hours, causing network outages, scheduled or unscheduled restarts of the host running Nmap, or Nmap itself outages. Administrators running Nmap can cancel the run for other reasons by pressing ctrl-C. Starting a scan from scratch can be unpleasant, fortunately, if the standard scan (-oN) or Grep scan (-oG) logs are preserved, the user can ask Nmap to resume a terminated scan by simply using the option –resume and Description Standard/Grep scans the output file, other parameters are not allowed, Nmap will parse the output file and use the original format to output. Use such as nmap –resume. Nmap will add the new results to the file, which does not support the XML output format because it is difficult to combine the results of two runs into one XML file.

–stylesheet (Setting up XSL stylesheets, transforming XML output)
Nmap extracts the XSL stylesheet nmap.xsl for viewing or converting XML output to HTML. The XML output contains an xml-stylesheet that points directly to the nmap.xml file installed by Nmap (or in the current working directory on Windows). When Nmap's XML output is opened in a web browser, it will look for the nmap.xsl file in the file system and use it to output the results. If you want to use a different stylesheet, use it as the parameter of –stylesheet, and specify the complete path or URL. The common way to call is –stylesheethttp://www.insecure.org/nmap/data/nmap.xsl。This tells the browser to load the latest stylesheet from Insecire.Org. This makes it easy to view the results on machines without Nmap (and nmap.xsl) installed. Therefore, URLs are more convenient to use, and the local filesystem's nmap.xsl is used by default.

–no-stylesheet (ignore XSL stylesheet for XML declarations)
Use this option to disable any XSL stylesheets associated with Nmap's XML output. xml-stylesheet directives are ignored.

Other options

This section describes some important (and unimportant) options that don't fit anywhere else.

-6 (enable IPv6 scanning)
Since 2002, Nmap provides support for some of the main features of IPv6. IPv6 is supported for ping scan (TCP-only), connection scan, and version detection. Except for the addition of the -6 option, other command syntaxes are the same. Of course, the hostname must be replaced with an IPv6 address, like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0. The address portion of the line except "Port of Interest" is an IPv6 address.

IPv6 is not widely used in the world at present, but is widely used in some countries (Asia), and some advanced operating systems support IPv6. To use the IPv6 function of Nmap, both the source and destination of the scan need to be configured with IPv6. If ISPs (mostly) don't assign IPv6 addresses, Nmap can use a free tunnel proxy. A better option is BT Exact, located at https://tb.ipv6.btexact.com/. In addition, there is Hurricane Electric, located at http://ipv6tb.he.net/. 6to4 tunneling is another commonly used free method.

-A (Intense scan mode option)
This option enables additional advanced and high-intensity options, which are currently undetermined. Currently, this option enables OS detection (-O) and version scanning (-sV), more features will be added in the future. The goal is to enable a comprehensive set of scanning options without requiring the user to memorize a large number of options. This option only enables functionality and does not contain time options (eg -T4) or verbose options (-v) that may be required.

–datadir (indicates the location of the user's Nmap data file)
Nmap gets special data at runtime from files such as nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes and nmap-os-fingerprints. Nmap first looks for these files in the directory specified by the –datadir option. For files not found, look in the directory specified by the BMAPDIR environment variable. Next is the location of ~/.nmap or Nmap executable code for real and valid UIDs (Win32 only); then comes the compile location, such as /usr/local/share/nmap or /usr/share/nmap. The last location Nmap looks for is the current directory.

–send-eth (send using raw ethernet frames)
Nmap is required to send packets at the Ethernet (data link) layer instead of the IP (network layer). By default, Nmap chooses the one that best suits the platform on which it runs, raw sockets (IP layer) are the most efficient for UNIX hosts, and ethernet frames are best for Windows OS because Microsoft disabled raw socket support. In UNIX, if there is no other option (such as no Ethernet connection), Nmap uses the original IP packet with or without the option.

–send-ip (send at the original IP layer)
Ask Nmap to send packets over raw IP sockets, rather than low-level Ethernet frames. This is in addition to the –send-eth option.

–privileged (assuming user has full privileges)
Tells Nmap to assume that it has sufficient privileges for source socket packet sending, packet capture, and root-like operations on UNIX systems. By default, Nmap will exit if a similar operation requested by getuid() is not 0. –privileged is useful in similar systems with Linux kernel capabilities that allow unprivileged users to scan raw packets. To be clear, use these options that require permissions (SYN scan, OS detection, etc.) before other options. The Nmap-PRIVILEGED variable setting is equivalent to the –privileged option.

–interactive (start in interactive mode)
Starts Nmap in interactive mode, providing an interactive Nmap prompt for multiple scans (synchronous or background mode). Very useful for users scanning from multi-user systems who often need to test their security but do not want other users of the system to know which systems they are scanning. Use –interactive to activate this mode, then type h for help. This option is rarely used due to the need for familiarity with the correct shell program and overall functionality. This option includes a ! operator for executing shell commands, which is one of several reasons not to install Nmap setuid root.

-V; –version (print version info)
Print the Nmap version number and exit.

-h; –help (print help summary page)
Prints a short help screen listing most of the common command options, which is the same as running Nmap with no arguments.

Some examples are given below, from simple to complex to esoteric. To be more specific, some examples use actual IP addresses and domain names. In these places, you can substitute the address/domain name of your own network. Note that scanning other networks is not necessarily legal. Some network administrators do not want to see scans that have not been applied for, and will complain. Therefore, it is best to get permission first.

If it is for testing, scanme.nmap.org is allowed to be scanned. But only scans with Nmap are allowed and testing for vulnerabilities or DoS attacks is prohibited. To preserve bandwidth, scan the host no more than 12 times per day. If this free scanning service is abused, the system will crash and Nmap will report a failure to resolve the specified hostname/IP address: scanme.nmap.org. These free scan requirements also apply to scanme2.nmap.org, scanme3.nmap.org, etc., although these hosts do not currently exist.

nmap -v scanme.nmap.org

This option scans the host scanme.nmap.org for all reserved TCP ports. Option -v enables verbose mode.

nmap -sS -O scanme.nmap.org/24

A secret SYN scan is performed on 255 hosts on the "C class" network segment where the host Saznme is located. Also try to determine the OS type of each worker host. Because of the SYN scan and OS detection, this scan requires root privileges.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Perform host enumeration and TCP scan for 255 8-bit subnets in class B 188.116 network segment. This test is used to determine if the system is running sshd, DNS, imapd or port 4564. If these ports are open, version detection is used to determine which application is running.

nmap -v -iR 100000 -P0 -p 80

Randomly select 100,000 hosts to scan whether to run a web server (port 80). It is very time consuming to send probe packets to determine whether the host is working or not, and it only needs to probe one port of the host, so use -P0 to prohibit the list of hosts.

nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap

Scans 4096 IP addresses, finds web servers (not pings), saves results in Grep and XML format.

host -l company.com | cut -d -f 4 | nmap -v -iL –

Do a DNS zone transfer to discover hosts in company.com, then provide the IP address to Nmap. The above command is for GNU/Linux — other systems have different commands for zone transfers.

Recommended Today

[What is Istio? ] If you don't know, you're out, a 40-minute text can be quickly understood

@[toc] foreword This article is purely theoretical and contains the following content, read it as needed: Istio concepts, service mesh, traffic management, istio architecture (Envoy, Sidecar, Istiod) Virtual Service (VirtualService), Routing Rules, Destination Rules (DestinationRule) Gateway, network resiliency and testing (timeouts, retries, circuit breakers, fault injection) What is Istio? Istio is an open sourceservice mesh, […]