Simple and practical nmap commands

nmap syntax
-A full scan / comprehensive scan
For example:

nmap -A -T4 127.0.0.1
Network exploration
-T
-T timing options
For example:

nmap -T1 127.0.0.1
Nmap uses -T(0-5) to select a timing template; there are six levels, 0 to 5.
-T0 (paranoid): very slow scan, used for IDS evasion.
-T1 (sneaky): slow scan, used for IDS evasion.
-T2 (polite): slows the scan down to reduce bandwidth consumption; this option is rarely used.
-T3 (normal): the default; the timing adapts automatically to the target's responses.
-T4 (aggressive): fast scan, the commonly used mode; it needs a good network connection, and its requests may overwhelm the target.
-T5 (insane): fastest scan; this mode trades accuracy for speed.

host discovery

Nmap host discovery
-sP
-sP ping scan
A ping scan uses ping to check which hosts on the network are up. It fails when the host blocks ICMP echo request packets. nmap runs host discovery first in every scan, and the later scan phases are only performed against hosts that were found to be up.

E.g:

nmap -sP 127.0.0.1

-P0
-P0 No ping scan (skip host discovery and treat every target as up). Note: this is not the same as -PO, the IP protocol ping, whose syntax is -PO[protocol 1, protocol 2] [target].
For example:

nmap -P0 127.0.0.1

If you want to see how these probes determine whether the target host exists, use the --packet-trace option.
E.g:

nmap -P0 --packet-trace 127.0.0.1

-PS
-PS TCP SYN Ping scan
For root users, this option tells nmap to send SYN packets instead of ACK packets to probe the target host.
E.g:

nmap -PS -v 127.0.0.1

To specify ports: nmap -PS80,100-200 -v 127.0.0.1

-PA
-PA TCP ACK Ping scan
Example:

nmap -PA -v 127.0.0.1

-PU
-PU UDP Ping scan
Example:

nmap -PU -v 127.0.0.1

Host Discovery Common Combinations

Count the hosts that are up on a network segment:
nmap -sP 10.0.0.0/24

Skip the ping scan:
nmap -P0 10.0.0.0/24

port scan

-p
-p Specify the ports to scan (for example 80, 1433, 1521, 3306, 3389, etc.)
For example:

nmap -p 3389 127.0.0.1

-sS
-sS TCP SYN scan. Because it never completes a TCP connection, this technique is often called a half-open scan. Its biggest advantage is that very few systems log it. However, root privileges are needed to craft the raw SYN packets.
E.g:

nmap -sS 127.0.0.1

-sT
-sT TCP connection scan
Example:

nmap -sT 127.0.0.1

-sU
-sU UDP scan
Example:

nmap -sU -p 80-500 127.0.0.1

-sN;-sF;-sX
-sN;-sF;-sX Stealth scans
-sN is the Null scan, which probes hosts by sending TCP packets with no flags set.

nmap -sN 127.0.0.1

-sF is the FIN scan. A TCP SYN scan may be detected by the target host's firewall, which blocks the SYN packets; in that case a TCP FIN scan can get through where the SYN scan cannot.

nmap -sF 127.0.0.1

-sX is the Xmas scan (FIN, PSH and URG flags set).

nmap -sX 127.0.0.1

-sA
-sA TCP ACK scan
Example:

nmap -sA -v 127.0.0.1

Fingerprint identification and detection

-sV
-sV version detection
Example:

nmap -sV 127.0.0.1

Operating system detection and version detection can also be performed together with the -A option; the resulting information is more detailed and easier to read.
For example:

nmap -sV -A 127.0.0.1

-O
-O Enable OS detection
For example:

nmap -O 127.0.0.1

The 6 port states identified by Nmap

open
An application is receiving TCP connections or UDP packets on this port. Finding these is often the primary goal of a port scan. Security-conscious people know that every open port is a potential entry point for an attack. Attackers and penetration testers want to discover open ports, while administrators try to close them or protect them with firewalls without interfering with legitimate users. Non-security scans may also be interested in open ports, because they show which services are available on the network.

closed
A closed port is also accessible to Nmap (it accepts Nmap's probes and responds), but no application is listening on it. Closed ports show that the host at that IP address is up (host discovery, or ping scan) and are also helpful for some OS detection. Since closed ports are reachable, it may be worth scanning them again later, as some may have become open. System administrators may consider blocking such ports with a firewall; they will then be reported in the filtered state, discussed below.

filtered
Nmap cannot determine whether the port is open, because packet filtering prevents its probes from reaching the port. The filtering may come from a dedicated firewall device, router rules, or a software firewall on the host. Such ports are frustrating to attackers because they provide almost no information. Sometimes they respond with an ICMP error message such as type 3 code 13 (destination unreachable: communication administratively prohibited), but more commonly the filter simply drops the probe without any response. This forces Nmap to retry several times in case the probe was dropped due to network congestion, which makes the scan significantly slower.

unfiltered
The unfiltered state means that the port is accessible, but Nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, classifies ports into this state. Scanning unfiltered ports with other scan types, such as window, SYN or FIN scans, can help determine whether the port is open.

open|filtered (open or filtered)
Nmap puts a port in this state when it cannot determine whether the port is open or filtered. An open port that does not respond is one example. No response may also mean that a packet filter dropped the probe or any response it elicited, so Nmap cannot tell the two cases apart. UDP, IP protocol, FIN, Null and Xmas scans may classify ports this way.

closed|filtered (closed or filtered)
This state is used when Nmap cannot determine whether the port is closed or filtered. It only appears in the IP ID idle scan.
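As an added example (not from the original post), a small Python parser for nmap's normal output that groups ports by the states listed above and flags open or possibly open ports that a host is not expected to expose; the sample output and the allowlist are constructed.

```python
import re
from collections import Counter

# Constructed sample of nmap "normal" output; not captured from a real scan.
SAMPLE_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
PORT     STATE         SERVICE
22/tcp   open          ssh
80/tcp   open          http
443/tcp  filtered      https
3389/tcp open|filtered ms-wbt-server
8080/tcp unfiltered    http-proxy
Nmap scan report for 10.0.0.6
Host is up (0.0020s latency).
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Compound states come first so "open|filtered" is not split at "open".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|"
                     r"open|closed|filtered|unfiltered)\s+(\S+)")


def parse_nmap_output(text):
    """Map each host to a list of (port, proto, state, service) tuples."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []       # a host may end up with no port lines
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def state_counts(hosts):
    """Tally ports by Nmap state across all hosts."""
    return dict(Counter(p[2] for ports in hosts.values() for p in ports))


def unexpected_exposures(hosts, allowlist):
    """Open or possibly open (open|filtered) ports not in the host's allowlist."""
    findings = []
    for host, ports in hosts.items():
        allowed = allowlist.get(host, set())   # expected (port, proto) pairs
        for port, proto, state, service in ports:
            if state in ("open", "open|filtered") and (port, proto) not in allowed:
                findings.append((host, port, proto, state, service))
    return findings
```

open|filtered is treated as an exposure because, as described above, Nmap cannot rule out that the port is open.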

Origin blog.csdn.net/qq_42096378/article/details/124108239