Network Security Audit Tool ~ Nmap

The full English name of nmap is Network Mapper.

Basic functions of nmap

Detect whether a group of hosts is online
Scan host ports and sniff the network services provided
Infer the operating system used by the host

Scan output of nmap

The output is a list of scanned targets with supplementary information for each target. The port states that commonly appear in scan results are as follows:

Open means that an application on the target machine is listening for connections or packets on this port.
Filtered means that a firewall, filter or other network obstacle is blocking the port, so Nmap cannot confirm whether the port is open or closed.
Closed means that no program is currently listening on the port, although one may start listening at any time.

nmap scripts

In the nmap directory share/nmap/scripts there are a variety of ready-made scripts, and these scripts can be used to initiate penetration tests.

Some basic commands of nmap

Options explained
-A full scan: scan all ports and system information
-sP ping scan
-P0 no-ping scan, used when the firewall blocks ping, to avoid being discovered
-PS TCP SYN ping scan
-PA TCP ACK ping scan
-PU UDP ping scan
-PE; -PP; -PM ICMP ping type scans
-PR ARP ping scan
-n disable DNS reverse resolution
-R reverse domain name resolution
--system-dns use the system domain name resolver
-sL list scan
-6 scan IPv6 addresses
--traceroute route tracing
-PY SCTP INIT ping scan

A brief introduction to ping scan

A ping scan only performs a ping and then lists the online hosts; it does not return much other information, so it is only enough to tell which targets are up.
A no-ping scan is used for hosts whose firewall forbids ping. It can get past the firewall and also avoids being noticed by it.
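The port states listed under the scan output section (open, filtered, closed) and the Up/Down result of a ping scan are easiest to work with from nmap's grepable output (-oG). The parser below is an added example, not code from the original post or from the nmap project; it assumes the scan was run with -oG, and the scan text it parses is a constructed sample, not a real scan. It turns the raw lines into a per-host table, counts ports by state, and lists the open services, which is the exposure inventory an audit actually reports.

```python
"""Parse nmap grepable output (-oG) into per-host status and port-state tables.

Added example, not from the original post. It assumes the scan was run with
"-oG" (grepable output); the sample text below is constructed, not a real scan.
"""
import re
from collections import defaultdict

# Constructed sample: the output of a host-discovery run ("nmap -sn -oG -")
# followed by a port scan ("nmap -p 22,80,443 -oG -") on the hosts found up.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:01 2024 -- 8 IP addresses (2 hosts up) scanned in 1.00 seconds
# Nmap 7.94 scan initiated Mon Jan  1 00:01:00 2024 as: nmap -p 22,80,443 -oG - 192.0.2.1 192.0.2.2
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (0)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///
# Nmap done at Mon Jan  1 00:01:02 2024 -- 2 IP addresses (2 hosts up) scanned in 2.00 seconds
"""

# Grepable host lines: "Host: <ip> (<hostname or empty>)<TAB><field>[<TAB><field>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "status": "Up"/"Down"/None, "ports": [dict, ...]}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": None, "ports": []})
    for line in text.splitlines():
        if line.startswith("#"):          # "# Nmap ..." banner and footer lines
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        entry = hosts[ip]
        if name:
            entry["hostname"] = name
        # The remaining tab-separated fields look like "Status: Up" or "Ports: ...";
        # "Ignored State: closed (N)" is skipped.
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value.strip()
            elif key == "Ports":
                entry["ports"].extend(_parse_ports(value))
    return dict(hosts)


def _parse_ports(value):
    """Each port entry is 'port/state/proto/owner/service/rpcinfo/version'."""
    ports = []
    for item in value.split(", "):
        parts = item.split("/")
        if len(parts) < 7:
            continue                      # malformed entry, skip rather than guess
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],            # open / closed / filtered / ...
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return ports


def summarize(hosts):
    """Count hosts up/down and ports per state: the headline figures of an audit."""
    up = sum(1 for h in hosts.values() if h["status"] == "Up")
    down = sum(1 for h in hosts.values() if h["status"] == "Down")
    by_state = defaultdict(int)
    for h in hosts.values():
        for p in h["ports"]:
            by_state[p["state"]] += 1
    return {"up": up, "down": down, "ports": dict(by_state)}


def open_services(hosts):
    """List (ip, port, service, version) for every open port: the exposure inventory."""
    return sorted((ip, p["port"], p["service"], p["version"])
                  for ip, h in hosts.items()
                  for p in h["ports"] if p["state"] == "open")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    print(summarize(parsed))
    for row in open_services(parsed):
        print("open  %s:%d  %s %s" % row)
```

Filtered ports are kept separate from closed ones on purpose: a filtered count tells the auditor where a firewall sits between scanner and target, while a closed port is a host that answered and simply has nothing listening there yet.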
-PS and -PA options

The -PS option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (it can be changed by editing the DEFAULT-TCP-PROBE-PORT value in the nmap.h file).
Normally, Nmap's default ping scan uses TCP ACK and ICMP Echo requests to determine whether the target is alive.
The -PA option performs a TCP ACK ping scan. The difference from -PS is that the TCP flag is ACK instead of SYN.
You can use the -PS and -PA options together to send both SYN and ACK probes. Because some firewalls may block either ACK or SYN requests, using both options increases the probability of getting through the firewall.
-PU option

The -PU option sends an empty UDP packet to the specified port. If no port is specified, the default port is 40125.

When performing a UDP ping, Nmap sends an empty UDP packet to the target host. If the target host is alive, it replies with an ICMP port unreachable error, which is taken as proof that the host is up; if the target machine is not alive, various other ICMP error messages are returned instead.

-PE; -PP; -PM option

These options perform ICMP ping scans. ICMP is a sub-protocol of the TCP/IP suite, used to pass control messages between IP hosts and routers.

-PR option

ARP ping scanning is the process in which nmap performs an ARP ping against the target. It is suited to intranet scanning, because a firewall does not block ARP requests within the local area network.

Origin blog.csdn.net/m0_48368237/article/details/113409401