NAME
nmap - Network exploration tool and security scanner
# 注释 :nmap 是网络探测工具和安全扫描工具
namp 的 official 站点 :http://insecure.org/nmap
SYNOPSIS
nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>
# 注释 :nmap 的语法比较简单 :
# -)1、关键字 nmap
# -)2、指定一个扫描类型
# -)3、指定扫描选项
# -)4、指定要扫描的主机或者网络
DESCRIPTION
Nmap is designed to allow system administrators and curious individu-
als to scan large networks to determine which hosts are up and what
services they are offering. nmap supports a large number of scanning
techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy
(bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN
sweep, IP Protocol, and Null scan. See the Scan Types section for
more details. nmap also offers a number of advanced features such as
remote OS detection via TCP/IP fingerprinting, stealth scanning,
dynamic delay and retransmission calculations, parallel scanning,
detection of down hosts via parallel pings, decoy scanning, port fil-
tering detection, direct (non-portmapper) RPC scanning, fragmentation
scanning, and flexible target and port specification.
# 注释 :nmap 是用于允许系统管理员来扫描大型网络,以探测有那些主机是 up 的,
# 它们上面都提供了什么服务。nmap 支持很多扫描技术 :UDP、TCP 连接、TCP SYN (half open)、
# ftp 代理(bounce attack)、IMCP (ping sweep)、FIN,ACK sweep、Xmas Tree、SYN sweep 、
# IP 协议、Null scan 。
# 注释 :nmap 同样提供了一系列的高级特性,例如远程操作系统探测(通过 TCP/IP 指纹)、
# stealth scan、动态延迟、重传计算、并行扫描、诱骗扫描、端口过滤检测、
# 直接 RPC 扫描、分片扫描、以及灵活的主机/端口扫描
Significant effort has been put into decent nmap performance for non-
root users. Unfortunately, many critical kernel interfaces (such as
raw sockets) require root privileges. nmap should be run as root
whenever possible (not setuid root, of course).
# 注释 :尽可能地以 root 身份运行 nmap ,不过 nmap 不是 setUID 程序
The result of running nmap is usually a list of interesting ports on
the machine(s) being scanned (if any). Nmap always gives the port’s
"well known" service name (if any), number, state, and protocol. The
state is either "open", "filtered", or "unfiltered". Open means that
the target machine will accept() connections on that port. Filtered
means that a firewall, filter, or other network obstacle is covering
the port and preventing nmap from determining whether the port is
open. Unfiltered means that the port is known by nmap to be closed
and no firewall/filter seems to be interfering with nmap’s attempts to
determine this. Unfiltered ports are the common case and are only
shown when most of the scanned ports are in the filtered state.
# 注释 :运行 nmap 一般会得到目标主机上的端口列表。nmap 会自动识别出 well-known 端口、服务、协议
# 以及端口的状态 :open、filtered、unfiltered 。
# "open" 意味着目标主机可以在该端口上接受连接。
# "filtered" 意味着有一个防火墙存在,它禁止了 nmap 对该端口状态的探测
# "unfiltered" 意味着 nmap 知道该端口被关闭,且没有防火墙对 nmap 的行为进行阻止,应该就是真的关闭了。
# unfiltered 端口是很常见的状况,只有在被扫描的很多端口都是 filtered 状态时才会被显示
Depending on options used, nmap may also report the following charac-
teristics of the remote host: OS in use, TCP sequentiality, usernames
running the programs which have bound to each port, the DNS name,
whether the host is a smurf address, and a few others.
# 注释 :根据不同的选项,nmap 会自动报告远程主机的某些属性 :
# -)1、正在使用的操作系统
# -)2、TCP sequentiality
# -)3、运行于每个端口上的程序的用户名
# -)4、DNS 名称
OPTIONS
Options that make sense together can generally be combined. Some
options are specific to certain scan modes. nmap tries to catch and
warn the user about psychotic or unsupported option combinations.
If you are impatient, you can skip to the examples section at the end,
which demonstrates common usage. You can also run nmap -h for a quick
reference page listing all the options.
# 注释 :你可以执行 nmap -h 打印一个快速的参考用法
SCAN TYPES
# 注释 :下面的选项都是用于指定扫描选项的
-sS TCP SYN scan: This technique is often referred to as "half-
open" scanning, because you don’t open a full TCP connection.
You send a SYN packet, as if you are going to open a real con-
nection and you wait for a response. A SYN|ACK indicates the
port is listening. A RST is indicative of a non-listener. If a
SYN|ACK is received, a RST is immediately sent to tear down the
connection (actually our OS kernel does this for us). The pri-
mary advantage to this scanning technique is that fewer sites
will log it. Unfortunately you need root privileges to build
these custom SYN packets. This is the default scan type for
privileged users.
# 注释 :-sS 指定采用 "TCP SYN scan" 的扫描模式。这个技术也常被称为 "half open scan" 。
# 因为该方法并不会打开一个完整的 TCP 连接,你只是发出一个 SYN 包,就象你要打开一个 TCP
# 连接一样,然后你就等待 SYN+ACK 包。
# 如果收到一个 SYN+ACK 的包,就表明该接口是处于监听的状态; 如果是 RST 则表示处于关闭的状态(inactive)
# 一旦收到了 SYN+ACK,nmap 就发送一个 RST 取消这次连接
# 这个方法的好处是很多站点不会记录这种类型的尝试,也就是不会留下痕迹。不过你需要有 root 权限才能构造一个 SYN 包
# 这也是对于 root 用户来说的默认扫描类型
-sT TCP connect() scan: This is the most basic form of TCP scan-
ning. The connect() system call provided by your operating sys-
tem is used to open a connection to every interesting port on
the machine. If the port is listening, connect() will succeed,
otherwise the port isn’t reachable. One strong advantage to
this technique is that you don’t need any special privileges.
Any user on most UNIX boxes is free to use this call.
# 注释 :-sT 是 TCP connect()扫描模式。这是 TCP 扫描中最基本的形式。
# connect()系统调用用于打开一个到你想测试的端口的连接。
# 假如端口是处于 LISTENING 的状态,connect()会成功,否则表示端口不可达(port unreachable)
# 一个很大的好处就是使用这项技术时你不需要是特权用户(例如 root),
# 任何普通用户都可以自由使用该扫描模式
This sort of scan is easily detectable as target host logs will
show a bunch of connection and error messages for the services
which accept() the connection just to have it immediately shut-
down. This is the default scan type for unprivileged users.
# 注释 :这类扫描很容易被检测到并被目标主机检测到。
# 因为在日志中将会看到有很多的 inbound 的连接,而在服务接受连接后,又立刻中断连接
# 这是非特权用户的默认扫描模式
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There are times
when even SYN scanning isn’t clandestine enough. Some firewalls
and packet filters watch for SYNs to restricted ports, and pro-
grams like Synlogger and Courtney are available to detect these
scans. These advanced scans, on the other hand, may be able to
pass through unmolested.
# 注释 :-sF,-sX,-sN 分别代表 Stealth FIN、Xmas Tree、Null scan 这三种模式。
# 有些情况即使使用 SYN 扫描也不够隐秘,某些防火墙会持续监控那些到受限端口的 SYN 连接。
# 还有一些象 synlogger 或者 Courtney 的工具可以检测出这些扫描(-sS)
# 而 Stealth FIN、Xmas Tree、Null scan 可能可以骗过这些检测工具
The idea is that closed ports are required to reply to your
probe packet with an RST, while open ports must ignore the
packets in question (see RFC 793 pp 64). The FIN scan uses a
bare (surprise) FIN packet as the probe, while the Xmas tree
scan turns on the FIN, URG, and PUSH flags. The Null scan
turns off all flags. Unfortunately Microsoft (like usual)
decided to completely ignore the standard and do things their
own way. Thus this scan type will not work against systems
running Windows95/NT. On the positive side, this is a good way
to distinguish between the two platforms. If the scan finds
open ports, you know the machine is not a Windows box. If a
-sF,-sX,or -sN scan shows all ports closed, yet a SYN (-sS)
scan shows ports being opened, you are probably looking at a
Windows box. This is less useful now that nmap has proper OS
detection built in. There are also a few other systems that
are broken in the same way Windows is. They include Cisco,
BSDI, HP/UX, MVS, and IRIX. All of the above send resets from
the open ports when they should just drop the packet.
# 注释 :想法是 : 一个端口如果是被关闭的状态,则它需要对你的探测返回一个 RST 包。
# 而那些处于 open 状态的端口,应该忽略你的探测包,也就是直接 DROP 掉。
# 所以 Stealth FIN 就是 nmap 发送一个 FIN 包作为探测,而 Xmas Tree scan 则是使用 FIN、URG、PUSH
# 至于 Null scan 则关闭所有标记(什么标记都不设置)。
# 不幸的是,微软完全并不遵照标准,而是以它们的方式行事
# 所以这类型的扫描对于 Win95/NT 来说不其作用。
# 不过从另外一个角度来说,这也可以用于区分目标主机的操作系统类型是否为 Windows
# -)1、如果扫描可以找到 open 的端口,则可以确定目标主机不是 Windows 主机
# -)2、如果扫描显示所有端口都是关闭的状态,则可能目标主机是一台 Windows 主机
# 不过现在 nmap 已经有了 OS 探测功能,所以这个功能没有太大用途。
# 也有一些操作系统的行为和 windows 类似,包括 Cisco、HP/UX、IRIX 等。
# 补充 :TCP flags 中的 8 个控制位的含义 :
CWR – Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set (added to header by RFC 3168).
ECE (ECN-Echo) – indicate that the TCP peer is ECN capable during 3-way handshake (added to header by RFC 3168).
URG – indicates that the URGent pointer field is significant # 注释 :表示这是一个紧急连接
ACK – indicates that the ACKnowledgement field is significant # 注释 :响应包
PSH – Push function # 注释 :PUSH 功能
RST – Reset the connection # 注释 :重置
SYN – Synchronize sequence numbers
FIN – No more data from sender
-sP Ping scanning: Sometimes you only want to know which hosts on a
network are up. Nmap can do this by sending ICMP echo request
packets to every IP address on the networks you specify. Hosts
that respond are up. Unfortunately, some sites such as
microsoft.com block echo request packets. Thus nmap can also
send a TCP ack packet to (by default) port 80. If we get an
RST back, that machine is up. A third technique involves send-
ing a SYN packet and waiting for a RST or a SYN/ACK. For non-
root users, a connect() method is used.
# 注释 :-sP 代表 Ping scanning 模式。有时候你只是想知道目标主机是否处于运行状态。
# Nmap 通过发送 ICMP ECHO_REQUEST 包到你指定的每台主机上来扫描
# 不过很多站点都屏蔽了 ICMP ECHO_REQUEST ,所以 nmap 允许发送一个 TCP ack 包到 80 端口,
# 如果收到一个 RST 包,则表明机器是 up 的状态,否则它也不会返回 RST 包了
By default (for root users), nmap uses both the ICMP and ACK
techniques in parallel. You can change the -P option described
later.
# 注释 :对于 root 用户来说,nmap 默认同时使用 ICMP 和 ACK ,
Note that pinging is done by default anyway, and only hosts
that respond are scanned. Only use this option if you wish to
ping sweep without doing any actual port scans.
# 注释 :要注意,ping 是在什么情况下都会做的,只有回应的主机才会被扫描
# 所以该功能实际上不能做什么
-sV Version detection: Afer TCP and/or UDP ports are discovered
using one of the other scan methods, version detection communi-
cates with those ports to try and determine more about what is
actually running. A file called nmap-service-probes is used to
determine the best probes for detecting various services and
the match strings to expect. Nmap tries to determine the ser-
vice protocol (e.g. ftp, ssh, telnet, http), the application
name (e.g. ISC Bind, Apache httpd, Solaris telnetd), the ver-
sion number, and sometimes miscellaneous details like whether
an X server is open to connections or the SSH protocol ver-
sion). If Nmap was compiled with OpenSSL support, it will con-
nect to SSL servers to deduce the service listening behind the
encryption. When RPC services are discovered, the Nmap RPC
grinder is used to determine the RPC program and version num-
bers. Some UDP ports are left in the "open|filtered" state
after a UDP scan is unable to determine whether the port is
open or filtered. Version detection will try to elicit a
response from these ports (just as it does with open ports),
and change the state to open if it succeeds. Note that the Nmap
-A option also enables this feature. For a much more detailed
description of Nmap service detection, read our paper at
http://www.insecure.org/nmap/versionscan.html . There is a
related --version_trace option which causes Nmap to print out
extensive debugging info about what version scanning is doing
(this is a subset of what you would get with --packet_trace).
# 注释 :-sV 是 version 探测模式。它在端口状态探测后尝试做更多的探测。
# 例如上面都运行有那些服务?服务的进程名是什么?版本是多少?
# 还会探测其他有用的信息,例如是否启动了 X Window server ?
# 如果 Nmap 在编译时加入了 OpenSSL 支持,它还会尝试连接到 SSL 服务器
# 来推导出在 SSL 后面有那些隐藏的服务。
# Nmap 还可以探测 RPC 服务,例如 NFS 服务
# 注释 :不过 -sV 可能会导致某些 UDP 端口的状态是 "open|filtered" ,表示 nmap 无法判断是什么状态
-sU UDP scans: This method is used to determine which UDP (User
Datagram Protocol, RFC 768) ports are open on a host. The
technique is to send 0 byte UDP packets to each port on the
target machine. If we receive an ICMP port unreachable mes-
sage, then the port is closed. If a UDP response is received
to the probe (unusual), the port is open. If we get no
response at all, the state is "open|filtered", meaning that the
port is either open or packet filters are blocking the communi-
cation. Versions scan (-sV) can be used to help differentiate
the truly open ports from the filtered ones.
# 注释 :-sU 表示 UDP scan 模式。它用于探测一台主机上有那些 UDP 端口是处于打开的状态。
# 该模式发送一个 0 字节的 UDP 包到目标主机的每个端口。
# 假如收到一个 ICMP port-unreachable 消息,则表示端口是关闭的状态。
# 如果收到一个响应,则表示是打开的状态。
# 这时使用 -sV 可以帮助你区分该端口是 open 还是被过滤的状态
Some people think UDP scanning is pointless. I usually remind
them of the Solaris rpcbind hole. Rpcbind can be found hiding
on an undocumented UDP port somewhere above 32770. So it
doesn’t matter that 111 is blocked by the firewall. But can you
find which of the more than 30,000 high ports it is listening
on? With a UDP scanner you can! There is also the cDc Back
Orifice backdoor program which hides on a configurable UDP port
on Windows machines. Not to mention the many commonly vulnera-
ble services that utilize UDP such as snmp, tftp, NFS, etc.
# 注释 :某些人认为 UDP scanning 没有什么用。但实际上它可以用于发现一些
# 不被注意的端口,尤其是 RPC 服务打开的 3xxxx 端口、或者 DNS 服务的 query 端口。
# 使用 UDP scanning 你可以发现这些被忽略的端口
Unfortunately UDP scanning is sometimes painfully slow since
most hosts implement a suggestion in RFC 1812 (section 4.3.2.8)
of limiting the ICMP error message rate. For example, the
Linux kernel (in net/ipv4/icmp.h) limits destination unreach-
able message generation to 80 per 4 seconds, with a 1/4 second
penalty if that is exceeded. Solaris has much more strict lim-
its (about 2 messages per second) and thus takes even longer to
scan. nmap detects this rate limiting and slows down accord-
ingly, rather than flood the network with useless packets that
will be ignored by the target machine.
# 注释 :不幸的是,UDP scanning 有时候会非常慢,
# 因为大部分主机都会按照 RFC 1812 标准,用于自动抑制 ICMP 消息的发送速率
# 例如 linux 内核会限制 ICMP destination unreachable 消息的速率为 80个/4秒,也就是1秒最多 20个。
# 而 Solaris 则更加严格了,每秒最多2个。
# 所以 UDP scanning 有时会很长时间
# 补充 :操作系统那里可以配置 ICMP 的发送速率
# linux 下允许配置的速率有 :
# -)1、icmp_destunreach_rate
# -)2、icmp_echoreply_rate
# -)3、icmp_paramprob_rate
# -)4、icmp_timeexceed_rate
As is typical, Microsoft ignored the suggestion of the RFC and
does not seem to do any rate limiting at all on Win95 and NT
machines. Thus we can scan all 65K ports of a Windows machine
very quickly. Whoop!
# 注释 :不过 Win95/NT 不做该限制。所以在 windows 主机上可以非常快的扫描完 65535 个 UDP 端口
-sO IP protocol scans: This method is used to determine which IP
protocols are supported on a host. The technique is to send
raw IP packets without any further protocol header to each
specified protocol on the target machine. If we receive an
ICMP protocol unreachable message, then the protocol is not in
use. Otherwise we assume it is open. Note that some hosts
(AIX, HP-UX, Digital UNIX) and firewalls may not send protocol
unreachable messages. This causes all of the protocols to
appear "open".
# 注释 :-sO 是 "IP Protocol scan" 的含义。这个方法是用于判断目标主机上使用的是什么协议。
# 注释 :由于 -sO 也是依赖于 ICMP protocol unreachable 消息,所以也会收到 ICMP 消息速率限制的影响。
# 注释 :由于某些操作系统不返回 ICMP protocol unreachable ,所以可能造成探测错误
Because the implemented technique is very similar to UDP port
scanning, ICMP rate limit might apply too. But the IP protocol
field has only 8 bits, so at most 256 protocols can be probed
which should be possible in reasonable time anyway.
# 注释 :由于 ip 包的 protocol 字段有8bit,所以最多可以探测 256 种协议
-sI <zombie host[:probeport]>
Idlescan: This advanced scan method allows for a truly blind
TCP port scan of the target (meaning no packets are sent to the
target from your real IP address). Instead, a unique side-
channel attack exploits predictable "IP fragmentation ID"
sequence generation on the zombie host to glean information
about the open ports on the target. IDS systems will display
the scan as coming from the zombie machine you specify (which
must be up and meet certain criteria). I wrote an informal
paper about this technique at http://www.insecure.org/nmap/idlescan.html .
# 注释 :-sI 也叫 Idle scan 。这个高级扫描模式允许对目标主机的完全透明的 TCP 端口扫描。
# 也就是说不会有任何来自你的真正 ip 的包被发送到目标主机。
Besides being extraordinarily stealthy (due to its blind
nature), this scan type permits mapping out IP-based trust
relationships between machines. The port listing shows open
ports from the perspective of the zombie host. So you can try
scanning a target using various zombies that you think might be
trusted (via router/packet filter rules). Obviously this is
crucial information when prioritizing attack targets. Other-
wise, you penetration testers might have to expend considerable
resources "owning" an intermediate system, only to find out
that its IP isn’t even trusted by the target host/network you
are ultimately after.
You can add a colon followed by a port number if you wish to
probe a particular port on the zombie host for IPID changes.
Otherwise Nmap will use the port it uses by default for "tcp
pings".
-sA ACK scan: This advanced method is usually used to map out fire-
wall rulesets. In particular, it can help determine whether a
firewall is stateful or just a simple packet filter that blocks
incoming SYN packets.
# 注释 :-sA 表示 ACK scan 。主要是用于映射出防火墙的规则集。
# 也就是说,它可以帮助以判断是防火墙的原因还是只是 SYN 包被阻挡了而已
This scan type sends an ACK packet (with random looking
acknowledgment/sequence numbers) to the ports specified. If a
RST comes back, the ports is classified as "unfiltered". If
nothing comes back (or if an ICMP unreachable is returned), the
port is classified as "filtered". Note that nmap usually
doesn’t print "unfiltered" ports, so getting no ports shown in
the output is usually a sign that all the probes got through
(and returned RSTs). This scan will obviously never show ports
in the "open" state.
# 注释 :这个类型的扫描会发送一个 ACK 包(带有随机的 ack/seq 编号) 到指定端口,
# 假如返回一个 RST ,则端口被认为是 "unfiltered" 。
# 假如什么都不返回(或者返回一个 ICMP 不可达消息),则认为是 "filter"
# 注释 :要注意,nmap 通常不打印 “filtered" 状态的端口。所以返回的结果都是那些通过的端口(返回 RST )
# 这个扫描永远不会出现处于 open 状态的端口
-sW Window scan: This advanced scan is very similar to the ACK
scan, except that it can sometimes detect open ports as well as
filtered/unfiltered due to an anomaly in the TCP window size
reporting by some operating systems. Systems vulnerable to
this include at least some versions of AIX, Amiga, BeOS, BSDI,
Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX,
OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody,
SunOS 4.X, Ultrix, VAX, and VxWorks. See the nmap-hackers
mailing list archive for a full list.
# 注释 :-sW 表示 Window scan 。和它 ACK scan (-sA)很像,但它有时候可以探测
# 出 open 状态的端口,而 -sA 只能探测出 filtered、unfiltered 状态的而已。
# 主要是由于 -sW 发送的 ACK 包中有异常的 window size 值。
# 受次探测类型影响的有很多。
-sR RPC scan. This method works in combination with the various
port scan methods of Nmap. It takes all the TCP/UDP ports
found open and then floods them with SunRPC program NULL com-
mands in an attempt to determine whether they are RPC ports,
and if so, what program and version number they serve up. Thus
you can effectively obtain the same info as "rpcinfo -p" even
if the target’s portmapper is behind a firewall (or protected
by TCP wrappers). Decoys do not currently work with RPC scan,
at some point I may add decoy support for UDP RPC scans.
# 注释 :-sR 表示 RPC Scan 。该方法组合了 nmap 多种端口扫描方法,
# 它找出所有 open 状态的 TCP/UDP 端口,然后用 SunRPC 的 NULL 命令
# 进行测试,看是否它们是一个 RPC 端口。
# 如果是的话,是什么程序运行在上面?版本是多少?
# 所以你可以获得类似于 rpcinfo -p 的输出,即使目标主机在防火墙之后,或者被 Tcpwrapper 所保护
-sL List scan. This method simply generates and prints a list of
IP addresses or hostnames without actually pinging or port
scanning them. DNS name resolution will be performed unless
you use -n.
# 注释 :-sL 表示 List scan 。该方法生成并打印一个 ip 地址/主机名列表
# 但不 ping 或者扫描端口。你可以用 -n 禁止 DNS 解释
-b <ftp relay host>
FTP bounce attack: An interesting "feature" of the ftp protocol
(RFC 959) is support for "proxy" ftp connections. In other
words, I should be able to connect from evil.com to the FTP
server of target.com and request that the server send a file
ANYWHERE on the Internet! Now this may have worked well in
1985 when the RFC was written. But in today’s Internet, we
can’t have people hijacking ftp servers and requesting that
data be spit out to arbitrary points on the Internet. As *Hob-
bit* wrote back in 1995, this protocol flaw "can be used to
post virtually untraceable mail and news, hammer on servers at
various sites, fill up disks, try to hop firewalls, and gener-
ally be annoying and hard to track down at the same time." What
we will exploit this for is to (surprise, surprise) scan TCP
ports from a "proxy" ftp server. Thus you could connect to an
ftp server behind a firewall, and then scan ports that are more
likely to be blocked (139 is a good one). If the ftp server
allows reading from and writing to some directory (such as
/incoming), you can send arbitrary data to ports that you do
find open (nmap doesn’t do this for you though).
The argument passed to the "b" option is the host you want to
use as a proxy, in standard URL notation. The format is: user-
name:password@server:port. Everything but server is optional.
To determine what servers are vulnerable to this attack, you
can see my article in Phrack 51. An updated version is avail-
able at the nmap URL (http://www.insecure.org/nmap).
GENERAL OPTIONS
# 注释 :下面介绍通用选项部分
None of these are required but some can be quite useful. Note
that the -P options can now be combined -- you can increase
your odds of penetrating strict firewalls by sending many probe
types using different TCP ports/flags and ICMP codes.
# 注释 :下面这些选项都不是必须的,但都很有用。
# 要注意,-P 选项现在可以被组合,你可以使用不同的 TCP 端口/标记和 ICMP 消息
-P0 Do not try to ping hosts at all before scanning them. This
allows the scanning of networks that don’t allow ICMP echo
requests (or responses) through their firewall. microsoft.com
is an example of such a network, and thus you should always use
-P0 or -PS80 when portscanning microsoft.com. Note tht "ping"
in this context may involve more than the traditional ICMP echo
request packet. Nmap supports many such probes, including
arbitrary combinations of TCP, UDP, and ICMP probes. By
default, Nmap sends an ICMP echo request and a TCP ACK packet
to port 80.
# 注释 :-P0 表示在扫描主机前不先做 ping 操作。这样对那些不允许 ICMP ECHO_REQUEST
# 的主机也会进行扫描。要注意,在这里的 ping 不仅仅指 ICMP ping ,而是指前面的 -sP 操作
# 也就是 ICMP ping + 发送到 80 端口的 ACK
-PA [portlist]
Use TCP ACK "ping" to determine what hosts are up. Instead of
sending ICMP echo request packets and waiting for a response,
we spew out TCP ACK packets throughout the target network (or
to a single machine) and then wait for responses to trickle
back. Hosts that are up should respond with a RST. This
option preserves the efficiency of only scanning hosts that are
up while still allowing you to scan networks/hosts that block
ping packets. For non root UNIX users, we use connect() and
thus a SYN is actually being sent. To set the destination
ports of the probe packets use -PA<port1>[,port2][...]. The
default port is 80, since this port is often not filtered out.
Note that this option now accepts multiple, comma-separated
port numbers.
# 注释 :-PA 表示使用 TCP ACK ping 来判断主机是否 up ,而不是使用 ICMP ping
# nmap 发送一个 TCP ACK 包到目的主机/网络,然后等待 RST 包的响应。
# 如果收到 RST 包,表示主机是 up 的。
# 所以你可以用功能得出那些主机是禁止了 PING 包。对于非 root 用户,nmap 使用 connect()而不是 TCP ACK
# 你可以指定目标端口,默认是 80 。因为这个端口一般不会被过滤掉。
# 多个端口可以使用逗号进行分隔。
-PS [portlist]
This option uses SYN (connection request) packets instead of
ACK packets for root users. Hosts that are up should respond
with a RST (or, rarely, a SYN|ACK). You can set the destina-
tion ports in the same manner as -PA above.
# 注释 :-PS 表示对于 root 用户,使用 SYN (连接请求)来代替 ACK ping
# 如果是 up 的主机应该返回一个 RST 或者 SYN+ACK ,你也可以设置端口
-PU [portlist]
This option sends UDP probes to the specified hosts, expecting
an ICMP port unreachable packet (or possibly a UDP response if
the port is open) if the host is up. Since many UDP services
won’t reply to an empty packet, your best bet might be to send
this to expected-closed ports rather than open ones.
# 注释 :-PU 表示使用 UDP 来探测主机,
-PE This option uses a true ping (ICMP echo request) packet. It
finds hosts that are up and also looks for subnet-directed
broadcast addresses on your network. These are IP addresses
which are externally reachable and translate to a broadcast of
incoming IP packets to a subnet of computers. These should be
eliminated if found as they allow for numerous denial of ser-
vice attacks (Smurf is the most common).
# 注释 :-PE 表示使用真正的 ping 包 (ICMP ECHO_REQUEST)。、
-PP Uses an ICMP timestamp request (type 13) packet to find listening hosts.
# 注释 :-PP 表示使用一个 ICMP timestamp 请求(type=13)来探测
-PM Same as -PE and -PP except uses a netmask request (ICMP type 17).
# 注释 :-PM 表示使用 ICMP NETMASK 请求(类型=17)
-PB This is the default ping type. It uses both the ACK ( -PA )
and ICMP echo request ( -PE ) sweeps in parallel. This way you
can get firewalls that filter either one (but not both). The
TCP probe destination port can be set in the same manner as
with -PA above. Note that this flag is now deprecated as ping-
type flags can now be used in combination. So you should use
both "PE" and "PA" (or rely on the default behavior) to achieve
this same effect.
# 注释 :-PB 是默认的 ping 类型。使用 TCP ACK ping 和 ICMP ping
# 现在不建议使用该项,使用 -PE 后者 -PA 更好
-O This option activates remote host identification via TCP/IP
fingerprinting. In other words, it uses a bunch of techniques
to detect subtleties in the underlying operating system network
stack of the computers you are scanning. It uses this informa-
tion to create a "fingerprint" which it compares with its
database of known OS fingerprints (the nmap-os-fingerprints
file) to decide what type of system you are scanning.
# 注释 :-O 选项通过 TCP/IP 指纹激活远程主机的身份认证。
# 也就是说,它使用一系列的技术来检测目标主机的操作系统的网络堆栈的信息,
# 然后和一些已知的“指纹”数据库比较,得出远程主机的操作系统类型
If Nmap is unable to guess the OS of a machine, and conditions
are good (e.g. at least one open port), Nmap will provide a URL
you can use to submit the fingerprint if you know (for sure)
the OS running on the machine. By doing this you contribute to
the pool of operating systems known to nmap and thus it will be
more accurate for everyone. Note that if you leave an IP
address on the form, the machine may be scanned when we add the
fingerprint (to validate that it works).
# 注释 :假如 nmap 无法获得一个主机的 OS 类型,但可以探测到一个打开的端口,
# 则 nmap 会提供一个 URL ,你可以用它来提交该指纹,前提是你知道目标主机的 OS
The -O option also enables several other tests. One is the
"Uptime" measurement, which uses the TCP timestamp option (RFC
1323) to guess when a machine was last rebooted. This is only
reported for machines which provide this information.
# 注释 :-O 选项允许其他的测试。其中一个就是 Uptime 的计算,它使用 TCP timestamp 选项
# 来猜测一台机器最近一次重启的时间。
Another test enabled by -O is TCP Sequence Predictability Clas-
sification. This is a measure that describes approximately how
hard it is to establish a forged TCP connection against the
remote host. This is useful for exploiting source-IP based
trust relationships (rlogin, firewall filters, etc) or for hid-
ing the source of an attack. The actual difficulty number is
based on statistical sampling and may fluctuate. It is gener-
ally better to use the English classification such as "worthy
challenge" or "trivial joke". This is only reported in normal
output with -v.
# 注释 :另外一个测试就是 TCP sequence 预测功能。
# 这其实是为了伪造 TCP 连接所用的,它可以猜出大概的 TCP 序号
# 这对于窃取基于ip信任关系的会话(rlogin、rsh 等)或者隐藏自己的 ip 都有用。
# 它并不能百分百的猜对,它是依靠统计和采样来计算的。
# 这个只有用 -v 时才会显示
When verbose mode (-v) is on with -O, IPID Sequence Generation
is also reported. Most machines are in the "incremental"
class, which means that they increment the "ID" field in the IP
header for each packet they send. This makes them vulnerable
to several advanced information gathering and spoofing attacks.
# 注释 :当 -v 和 -O 一起使用时,IPID sequence Generation 会被报告
# 大部分主机是以升序的方式来生成它们所发送的每个 packet 的 ip header 中的ID 域的
# 这就造成了有***的可能性
--osscan_limit
OS detection is far more effective if at least one open and one
closed TCP port are found. Set this option and Nmap will not
even try OS detection against hosts that do not meet this cri-
teria. This can save substantial time, particularly on -P0
scans against many hosts. It only matters when OS detection is
requested (-O or -A options).
# 注释 :如果至少找到一个 open 和 unfiltered 状态的端口,则 os 的探测的效率还是可以的。
# --osscan_limit 选项表示如果被探测的主机不符合上面的两个条件就不做 OS 的探测。
# 这可以省下不少时间,尤其是在使用 -p0 扫描每个主机时。
# 该选项只有在你使用了 -O 或者 -A 时才有意义
-A This option enables _a_dditional _a_dvanced and _a_ggressive
options. I haven’t decided exactly which it stands for yet :).
Presently this enables OS Detection (-O) and version scanning
(-sV). More features may be added in the future. The point is
to enable a comprehensive set of scan options without people
having to remember a large set of flags. This option only
enables features, and not timing options (such as -T4) or ver-
bosity options (-v) that you might wan’t as well.
# 注释 :-A 选项允许操作系统检测和 Version scan ,也就是集合了 -O 和 -sV
-6 This options enables IPv6 support. All targets must be IPv6 if
this option is used, and they can be specified via normal DNS
name (AAAA record) or as a literal IP address such as
3ffe:501:4819:2000:210:f3ff:fe03:4d0 . Currently, connect()
TCP scan and TCP connect() Ping scan are supported. If you
need UDP or other scan types, have a look at
http://nmap6.sourceforge.net/ .
-f This option causes the requested SYN, FIN, XMAS, or NULL scan
to use tiny fragmented IP packets. The idea is to split up the
TCP header over several packets to make it harder for packet
filters, intrusion detection systems, and other annoyances to
detect what you are doing. Be careful with this! Some programs
have trouble handling these tiny packets. My favorite sniffer
segmentation faulted immediately upon receiving the first
36-byte fragment. After that comes a 24 byte one! While this
method won’t get by packet filters and firewalls that queue all
IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG option in the
Linux kernel), some networks can’t afford the performance hit
this causes and thus leave it disabled.
# 注释 :-f 表示 SYN scan、Stealth FIN、Xmas Tree、Null scan 都是很小的分段的 ip 报文
# 这么做主要是不让信息全部集中在一个 packet 中,这样可以逃过防火墙的检测。
# 不过要注意,很多的工具都无法检测/处理这些小的报文
# 注意,该方法对于那些会暂存报文的防火墙来说是无效的。
Note that I do not yet have this option working on all systems.
It works fine for my Linux, FreeBSD, and OpenBSD boxes and some
people have reported success with other *NIX variants.
# 注释 :该选项在 linux / FreeBSD、OpenBSD 上可以使用
-v Verbose mode. This is a highly recommended option and it gives
out more information about what is going on. You can use it
twice for greater effect. You can also use -d a few times if
you really want to get crazy with scrolling the screen!
# 注释 :-v 表示 verbose 模式。强烈建议使用该选项,不管你在做什么测试。
# 你可以使用多次已获得更多的信息。
-h This handy option display a quick reference screen of nmap
usage options. As you may have noticed, this man page is not
exactly a "quick reference" :)
# 注释 :-h 显示快速指引
-oN <logfilename>
This logs the results of your scans in a normal human readable
form into the file you specify as an argument.
# 注释 :-oN 表示把结果写入一个 human-readable 的文件
-oX <logfilename>
This logs the results of your scans in XML form into the file
you specify as an argument. This allows programs to easily
capture and interpret Nmap results. You can give the argument
"-" (without quotes) to shoot output into stdout (for shell
pipelines, etc). In this case normal output will be sup-
pressed. Watch out for error messages if you use this (they
will still go to stderr). Also note that "-v" may cause some
extra information to be printed. The Document Type Definition
(DTD) defining the XML output structure is available at
http://www.insecure.org/nmap/data/nmap.dtd .
# 注释 :-oX 表示以 XML 的格式输出结果到一个文件
-oG <logfilename>
This logs the results of your scans in a grepable form into the
file you specify as an argument. This simple format provides
all the information on one line (so you can easily grep for
port or OS information and see all the IPs. This used to be
the preferred mechanism for programs to interact with Nmap, but
now we recommend XML output (-oX instead). This simple format
may not contain as much information as the other formats. You
can give the argument "-" (without quotes) to shoot output into
stdout (for shell pipelines, etc). In this case normal output
will be suppressed. Watch out for error messages if you use
this (they will still go to stderr). Also note that "-v" will
cause some extra information to be printed.
# 注释 :-oG 以适用于 grep 的格式输出到指定文件。每个主机只有1行输出而已
# 不过该格式可能有些信息不会被输出
# 你可以用 - 作为指定文件名,表示输出到 stdout ,这样原来正常的输出就会被禁止。
-oA <basefilename>
This tells Nmap to log in ALL the major formats (normal,
grepable, and XML). You give a base for the filename, and the
output files will be base.nmap, base.gnmap, and base.xml.
# 注释 :-oA 表示以全部的格式记录(normal、xml、grepable)。
# 你只需给出一个 basename ,nmap 会自动加上 .nmap , .gnmap , .xml 作为后缀名
-oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM
iNto THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument
"-" (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
--resume <logfilename>
A network scan that is canceled due to control-C, network out-
age, etc. can be resumed using this option. The logfilename
must be either a normal (-oN) or grepable (-oG) log from the
aborted scan. No other options can be given (they will be the
same as the aborted scan). Nmap will start on the machine
after the last one successfully scanned in the log file.
# 注释 :如果你因为某些原因用 CTRL-C 中断了扫描,你可以用 --resume 来恢复
# 不过指定的 log 必须是一个 normal 格式的(-oN)或者 grepable (-oG)文件,且该
# 文件是这次意味终止的扫描所输出的日志才可以恢复
# nmap 会自动从最后一个成功扫描的机器后开始继续
--exclude <host1 [,host2][,host3],...">
Specifies a list of targets (hosts, ranges, netblocks) that
should be excluded from a scan. Useful to keep from scanning
yourself, your ISP, particularly sensitive hosts, etc.
# 注释 :--exclude 指定一个 target 列表,可以是由主机、ip 范围等组成。
# nmap 在扫描时将会跳过它们。
--excludefile <exclude_file>
Same functionality as the --exclude option, only the excluded
targets are provided in an newline-delimited exclude_file
rather than on the command line.
# 注释 :--excludefile 和 --excluce 类似,不过是从文件读取
--append_output
Tells Nmap to append scan results to any output files you have
specified rather than overwriting those files.
# 注释 :--append_output 告诉 nmap 把扫描结果“追加”到输出文件
# 输出文件由上面的 -oN、-oX、-oG 指定
-iL <inputfilename>
Reads target specifications from the file specified RATHER than
from the command line. The file should contain a list of host
or network expressions separated by spaces, tabs, or newlines.
Use a hyphen (-) as inputfilename if you want nmap to read host
expressions from stdin (like at the end of a pipe). See the
section target specification for more information on the
expressions you fill the file with.
# 注释 :-iL 表示从指定文件读入要扫描的主机
# 可以用空格、tab、newline 作为分行
# 也可以用 - 表示从 stdin 读取输入
-iR <num hosts>
This option tells Nmap to generate its own hosts to scan by
simply picking random numbers :). It will never end after the
given number of IPs has been scanned -- use 0 for a never-end-
ing scan. This option can be useful for statistical sampling
of the Internet to estimate various things. If you are ever
really bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web
servers to look at.
-p <port ranges>
This option specifies what ports you want to specify. For exam-
ple "-p 23" will only try port 23 of the target host(s). "-p
20-30,139,60000-" scans ports between 20 and 30, port 139, and
all ports greater than 60000. The default is to scan all ports
between 1 and 1024 as well as any ports listed in the services
file which comes with nmap. For IP protocol scanning (-sO),
this specifies the protocol number you wish to scan for
(0-255).
# 注释 :-p 选项用于指定要扫描的目标端口。你可以指定端口范围,p1-p2。
# 也可已指定一个起始值,格式是 p1- 。 多个端口用逗号隔开。
# 默认是扫描所有端口(从 1- 1024),还有 /etc/services 文件中列出的所有端口。
# 对于 -sO 来说,由于协议位只有 8 bit ,所以只能从 0 -255 而已
When scanning both TCP and UDP ports, you can specify a partic-
ular protocol by preceding the port numbers by "T:" or "U:".
The qualifier lasts until you specify another qualifier. For
example, the argument "-p U:53,111,137,T:21-25,80,139,8080"
would scan UDP ports 53,111,and 137, as well as the listed TCP
ports. Note that to scan both UDP & TCP, you have to specify
-sU and at least one TCP scan type (such as -sS, -sF, or -sT).
If no protocol qualifier is given, the port numbers are added
to all protocol lists.
# 注释 :当同时扫描 TCP 和 UDP 端口时,你可以指定一个协议,例如 "T:" 后者 "U:" 。
# 它会一直起作用,直到你指定另外一个协议为止。
# 例如 -p U:53,111,T:22 表示扫描 UDP 53 和 111 以及 TCP 22 端口。
# 注释 :注意,如果要扫描两种协议,必须指定 -sU 和至少一种 TCP 扫描(-sS、-sF、-sT)
# 假如没有指定协议类型,则所有协议都会用
-F Fast scan mode.
Specifies that you only wish to scan for ports listed in the
services file which comes with nmap (or the protocols file for
-sO). This is obviously much faster than scanning all 65535
ports on a host.
# 注释 :-F 表示快速扫描模式。表示只扫描 /etc/services 文件中的端口,
# 或者 -sO 指定的协议,这当然比扫描 65535 要快多了。
-D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it appear to
the remote host that the host(s) you specify as decoys are
scanning the target network too. Thus their IDS might report
5-10 port scans from unique IP addresses, but they won’t know
which IP was scanning them and which were innocent decoys.
While this can be defeated through router path tracing,
response-dropping, and other "active" mechanisms, it is gener-
ally an extremely effective technique for hiding your IP
address.
# 注释 :-D 表示进行 decoy scan 可以对目标主机造成一种假象 : 有很多台主机都在扫描它
# 这样目标主机就会无法区分究竟那个是真正的扫描它们的 ip ,
# 不过这可以通过路由跟踪来发现最终的 ip
# 总而言之,decoy scan 是一种可以很好的隐藏你的 IP 的扫描方式
Separate each decoy host with commas, and you can optionally
use "ME" as one of the decoys to represent the position you
want your IP address to be used. If you put "ME" in the 6th
position or later, some common port scan detectors (such as
Solar Designer’s excellent scanlogd) are unlikely to show your
IP address at all. If you don’t use "ME", nmap will put you in
a random position.
# 注释 :-D 允许你指定多个主机名,你可以用 'ME' 这个关键字来代表你的 ip
# 尽量把 'ME' 放在最后,因为有些检测软件无法列出很多的 ip
# 如果没有指定,nmap 将随机的插入到一个位置
Note that the hosts you use as decoys should be up or you might
accidentally SYN flood your targets. Also it will be pretty
easy to determine which host is scanning if only one is actu-
ally up on the network. You might want to use IP addresses
instead of names (so the decoy networks don’t see you in their
nameserver logs).
# 注释 :要注意,你用来做 Decoy 的主机应该是 up 状态的,
# 否则你可能会导致目标主机受到 SYN Flood ***(由于目标主机不是 up ,导致目标主机一直收不到 ACK ,造成 SYN Flood)
# 同样也很从一大堆的 down 状态的主机中找出唯一的 up 主机
Also note that some "port scan detectors" will firewall/deny
routing to hosts that attempt port scans. The problem is that
many scan types can be forged (as this option demonstrates).
So attackers can cause such a machine to sever connectivity
with important hosts such as its internet gateway, DNS TLD
servers, sites like Windows Update, etc. Most such software
offers whitelist capabilities, but you are unlikely to
enumerate all of the critical machines. For this reason we
never recommend taking action against port scans that can be
forged, including SYN scans, UDP scans, etc. The machine you
block could just be a decoy.
Decoys are used both in the initial ping scan (using ICMP, SYN,
ACK, or whatever) and during the actual port scanning phase.
Decoys are also used during remote OS detection ( -O ).
# 注释 :Decoy 同样也用于 ping scan 和真正的端口扫描过程,也用于 -O (OS Scan)
It is worth noting that using too many decoys may slow your
scan and potentially even make it less accurate. Also, some
ISPs will filter out your spoofed packets, although many (cur-
rently most) do not restrict spoofed IP packets at all.
# 注释 :要注意,使用太多的 decoys 也会降低扫描的速度和精度
-S <IP_Address>
In some circumstances, nmap may not be able to determine your
source address ( nmap will tell you if this is the case). In
this situation, use -S with your IP address (of the interface
you wish to send packets through).
# 注释 :某些情况下,nmap 无法判断你的ip 地址(这时它会告诉你该情况)
# 使用 -S 可以指定你的源 ip
Another possible use of this flag is to spoof the scan to make
the targets think that someone else is scanning them. Imagine
a company being repeatedly port scanned by a competitor! This
is not a supported usage (or the main purpose) of this flag. I
just think it raises an interesting possibility that people
should be aware of before they go accusing others of port scan-
ning them. -e would generally be required for this sort of
usage.
-e <interface>
Tells nmap what interface to send and receive packets on. Nmap
should be able to detect this but it will tell you if it can-
not.
# 注释 :-e 告示 nmap 使用什么端口来发送/接收 packets 。
--source_port <portnumber>
Sets the source port number used in scans. Many naive firewall
and packet filter installations make an exception in their
ruleset to allow DNS (53) or FTP-DATA (20) packets to come
through and establish a connection. Obviously this completely
subverts the security advantages of the firewall since intrud-
ers can just masquerade as FTP or DNS by modifying their source
port. Obviously for a UDP scan you should try 53 first and TCP
scans should try 20 before 53. Note that this is only a
request -- nmap will honor it only if and when it is able to.
For example, you can’t do TCP ISN sampling all from one
host:port to one host:port, so nmap changes the source port
even if you used this option. This is an alias for the
shorter, but harder to remember, -g option.
# 注释 :--source_port 指定探测包的源端口。有些防火墙会允许从 53 (DNS) 或者 20 (FTP-DATA)
# 的源端口的数据进入,所以这个时候你可以用 --source_port 来增加扫描成功的机率。
# 显而易见,在做 UDP 扫描时,你应该首先对 53 端口进行测试,而在做 TCP 端口扫描时,首选 20
# 不过要注意,这个选项并不是固定起作用,nmap 只是在可能的情况下才会这么做。
Be aware that there is a small performance penalty on some
scans for using this option, because I sometimes store useful
information in the source port number.
--data_length <number>
Normally Nmap sends minimalistic packets that only contain a
header. So its TCP packets are generally 40 bytes and ICMP
echo requests are just 28. This option tells Nmap to append
the given number of random bytes to most of the packets it
sends. OS detection (-O) packets are not affected, but most
pinging and portscan packets are. This slows things down, but
can be slightly less conspicuous.
-n Tells Nmap to NEVER do reverse DNS resolution on the active IP
addresses it finds. Since DNS is often slow, this can help
speed things up.
# 注释 :-n 告诉 nmap 不做 DNS 正向解释,这可以加快扫描的进度
-R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP
addresses. Normally this is only done when a machine is found
to be alive.
# 注释 :-R 表示对目标主机固定做 PTR 解释,找出其主机名。一般只有检测到目标主机是 up 时才做
-r Tells Nmap NOT to randomize the order in which ports are
scanned.
# 注释 :-r 告诉 nmap 不要随机扫描端口,要按顺序扫描
--ttl <value>
Sets the IPv4 time to live field in sent packets to the given
value.
# 注释 :--ttl 设置发出去的扫描包的 TTL
--randomize_hosts
Tells Nmap to shuffle each group of up to 2048 hosts before it
scans them. This can make the scans less obvious to various
network monitoring systems, especially when you combine it with
slow timing options (see below).
-M <max sockets>
Sets the maximum number of sockets that will be used in paral-
lel for a TCP connect() scan (the default). This is useful to
slow down the scan a little bit and avoid crashing remote
machines. Another approach is to use -sS, which is generally
easier for machines to handle.
# 注释 :-M 设置在做 TCP connect()scan 时同时允许使用的最多 sockets 数量。
# 它会稍微降低 scan 的速度,并防止远程主机的崩溃。另外一个方式是使用 -sS ,这样对于远程主机来说比较容易接受
--packet_trace
Tells Nmap to show all the packets it sends and receives in a
tcpdump-like format. This can be tremendously useful for
debugging, and is also a good learning tool.
# 注释 :--packet_trace 告诉nmap按照 tcpdump 的格式输出它所发送/接收到的每个 packets
--datadir [directoryname]
Nmap obtains some special data at runtime in files named nmap-
services, nmap-protocols, nmap-rpc, and nmap-os-fingerprints.
Nmap first searches these files in the directory option to
--nmapdir. Any files not found there, are searched for in the
directory specified by the NMAPDIR environmental variable.
Next comes ~/nmap, and then a compiled-in location such as
/usr/share/nmap . As a last resort, Nmap will look in the cur-
rent directory.
# 注释 :--datadir 指的是 nmap 一些静态数据的存放位置。默认是 /usr/share/nmap
# 这些数据包括 nmap-services、nmap-protocols、nmap-rpc、nmap-os-fingerprints
# nmap 首先搜索 --datadir 指定的目录,
# 其次搜索 NMAPDIR 环境变量指定的目录
# 再搜索 ~/nmap 目录
# 再搜索 /usr/share/nmap
# 如果还不行,最后是当前目录
TIMING OPTIONS
Generally Nmap does a good job at adjusting for Network charac-
teristics at runtime and scanning as fast as possible while
minimizing that chances of hosts/ports going undetected. How-
ever, there are same cases where Nmap’s default timing policy
may not meet your objectives. The following options provide a
fine level of control over the scan timing:
# 注释 :一般情况下,nmap 在调整网络特性,
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
These are canned timing policies for conveniently expressing
your priorities to Nmap. Paranoid mode scans very slowly in
the hopes of avoiding detection by IDS systems. It serializes
all scans (no parallel scanning) and generally waits at least 5
minutes between sending packets. Sneaky is similar, except it
only waits 15 seconds between sending packets. Polite is meant
to ease load on the network and reduce the chances of crashing
machines. It serializes the probes and waits at least 0.4 sec-
onds between them. Note that this is generally at least an
order of magnitude slower than default scans, so only use it
when you need to. Normal is the default Nmap behavior, which
tries to run as quickly as possible without overloading the
network or missing hosts/ports. Aggressive This option can
make certain scans (especially SYN scans against heavily fil-
tered hosts) much faster. It is recommended for impatient
folks with a fast net connection. Insane is only suitable for
very fast networks or where you don’t mind losing some informa-
tion. It times out hosts in 15 minutes and won’t wait more
than 0.3 seconds for individual probes. It does allow for very
quick network sweeps though :).
# 注释 :-T 用于控制 nmap 以什么速度探测,从最慢到最快分别是
# -)1、Paranoid
# -)2、Sneaky
# -)3、Polite
# -)4、Normal
# -)5、Aggressive
# -)6、Insane
You can also reference these by number (0-5). For example,
"-T0" gives you Paranoid mode and "-T5" is Insane mode.
--host_timeout <milliseconds>
Specifies the amount of time Nmap is allowed to spend scanning
a single host before giving up on that IP. The default timing
mode has no host timeout.
# 注释 :--host_timeout 设置 nmap 在一台主机身上所消耗的最长时间,单位是毫秒。默认是无限
--max_rtt_timeout <milliseconds>
Specifies the maximum amount of time Nmap is allowed to wait
for a probe response before retransmitting or timing out that
particular probe. The default mode sets this to about 9000.
--min_rtt_timeout <milliseconds>
When the target hosts start to establish a pattern of respond-
ing very quickly, Nmap will shrink the amount of time given per
probe. This speeds up the scan, but can lead to missed packets
when a response takes longer than usual. With this parameter
you can guarantee that Nmap will wait at least the given amount
of time before giving up on a probe.
--initial_rtt_timeout <milliseconds>
Specifies the initial probe timeout. This is generally only
useful when scanning firewalled hosts with -P0. Normally Nmap
can obtain good RTT estimates from the ping and the first few
probes. The default mode uses 6000.
--max_hostgroup <numhosts>
Specifies the maximum number of hosts that Nmap is allowed to
scan in parallel. Most of the port scan techniques support
multi-host operation, which makes them much quicker. Spreading
the load among multiple target hosts makes the scans gentler.
The downside is increast results latency. You need to wait for
all hosts in a group to finish, rather than having them pop up
one by one. Specify an argument of one for old-style (one host
at a time) Nmap behavior. Note that the ping scanner handles
its own grouping, and ignores this value.
--min_hostgroup <milliseconds>
Specifies the minimum host group size (see previous entry).
Large values (such as 50) are often beneficial for unattended
scans, though they do take up more memory. Nmap may override
this preference when it needs to, because a group must all use
the same network interface, and some scan types can only handle
one host at a time.
--max_parallelism <number>
Specifies the maximum number of scans Nmap is allowed to per-
form in parallel. Setting this to one means Nmap will never
try to scan more than 1 port at a time. It also effects other
parallel scans such as ping sweep, RPC scan, etc.
--min_parallelism <number>
Tells Nmap to scan at least the given number of ports in paral-
lel. This can speed up scans against certain firewalled hosts
by an order of magnitude. But be careful -- results will
become unreliable if you push it too far.
--scan_delay <milliseconds>
Specifies the minimum amount of time Nmap must wait between
probes. This is mostly useful to reduce network load or to
slow the scan way down to sneak under IDS thresholds.
# 注释 :--scan_delay 用于控制 nmap 在每次探测之间的
TARGET SPECIFICATION
Everything that isn’t an option (or option argument) in nmap is
treated as a target host specification. The simplest case is
listing single hostnames or IP addresses on the command line.
If you want to scan a subnet of IP addresses, you can append
/mask to the hostname or IP address. mask must be between 0
(scan the whole Internet) and 32 (scan the single host speci-
fied). Use /24 to scan a class "C" address and /16 for a class "B".
# 注释 :任何不被 nmap 所识别的选项都被认为是目标主机的定义
# 你可以一次列出多个主机或者 ip 地址。
# 你可以用 <ip/mask> 的方式来指定子网掩码,mask 值是从 0 - 32
Nmap also has a more powerful notation which lets you specify
an IP address using lists/ranges for each element. Thus you
can scan the whole class "B" network 192.168.*.* by specifying
"192.168.*.*" or "192.168.0-255.0-255" or even
"192.168.1-50,51-255.1,2,3,4,5-255". And of course you can use
the mask notation: "192.168.0.0/16". These are all equivalent.
If you use asterisks ("*"), remember that most shells require
you to escape them with back slashes or protect them with
quotes.
# 注释 :nmap 也允许你指定一个范围,例如它支持 wildcard ,不过需要用括号括起来。
# -)1、主机名 :例如 mail.bob.com.
# -)2、ip/mask :例如 172.17.64.11/24
# -)3、ip1-ip2 :172.17.64.11-20
# -)4、wildcard :172.17.*.*
# -)5、综合 :mail.bob.com,172.17.64.11/24,172.17.64.12-20,30-40,172.17.65.*/24
Another interesting thing to do is slice the Internet the other
way. Instead of scanning all the hosts in a class "B", scan
"*.*.5.6-7" to scan every IP address that ends in .5.6 or .5.7
Pick your own numbers. For more information on specifying
hosts to scan, see the examples section.
# 注释 ;有一个有趣的例子是 *.*.*.11 ,它可以扫描所有以 11 结尾的 ip
EXAMPLES
Here are some examples of using nmap, from simple and normal to a lit-
tle more complex/esoteric. Note that actual numbers and some actual
domain names are used to make things more concrete. In their place
you should substitute addresses/names from your own network. I do not
think portscanning other networks is illegal; nor should portscans be
construed by others as an attack. I have scanned hundreds of thou-
sands of machines and have received only one complaint. But I am not
a lawyer and some (anal) people may be annoyed by nmap probes. Get
permission first or use at your own risk.
nmap -v target.example.com
This option scans all reserved TCP ports on the machine target.exam-
ple.com . The -v means turn on verbose mode.
# 注释 :上面的命令扫描 target.example.com 主机的 0-1024 端口,以及 /etc/services 中定义的端口
# -v 表示 verbose 模式
nmap -sS -O target.example.com/24
Launches a stealth SYN scan against each machine that is up out of the
255 machines on class "C" where target.example.com resides. It also
tries to determine what operating system is running on each host that
is up and running. This requires root privileges because of the SYN
scan and the OS detection.
# 注释 :上面的命令对 target.example.com/24 主机所在的 C 网的每个 up 主机进行 SYN scan 以及 OS scan
# 由于使用了 -sS ,所以需要 root 权限
nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
Sends an Xmas tree scan to the first half of each of the 255 possible
8 bit subnets in the 198.116 class "B" address space. We are testing
whether the systems run sshd, DNS, pop3d, imapd, or port 4564. Note
that Xmas scan doesn’t work on Microsoft boxes due to their deficient
TCP stack. Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.
# 注释 :上面的命令使用 Xmas Tree scan 对 198.116 的所有以 1-127 结尾的主机进行扫描
# 目的端口是 22,53,110,143,4564 。
# 要注意,Xmas Tree 对 windows 主机不起作用
nmap -v --randomize_hosts -p 80 *.*.2.3-5
Rather than focus on a specific IP range, it is sometimes interesting
to slice up the entire Internet and scan a small sample from each
slice. This command finds all web servers on machines with IP
addresses ending in .2.3, .2.4, or .2.5. If you are root you might as
well add -sS. Also you will find more interesting machines starting
at 127. so you might want to use "127-222" instead of the first aster-
isks because that section has a greater density of interesting
machines (IMHO).
# 注释 :
host -l company.com | cut -d -f 4 | ./nmap -v -iL -
Do a DNS zone transfer to find the hosts in company.com and then feed
the IP addresses to nmap. The above commands are for my GNU/Linux
box. You may need different commands/options on other operating sys-
tems.
