Nmap parameter description (including the scanning principle behind each parameter)

  • Syntax: nmap [Scan Type(s)] [Options] {target specification}
  • Port state descriptions
    • open: an application is actively accepting TCP connections, UDP datagrams or SCTP associations on the port.
    • closed: the port is reachable (Nmap's probe arrives and is answered, typically with a RST or an ICMP port unreachable error), but no application is listening on it.
    • filtered: packet filtering prevents the probe from reaching the port, so Nmap cannot tell whether it is open. The filter may be a dedicated firewall appliance, router rules, or host-based firewall software.
    • unfiltered: the port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, classifies ports into this state.
    • open|filtered: Nmap cannot tell whether the port is open or filtered. This happens with scan types where an open port gives no response: the silence may mean the port is open, or that a filter dropped the probe or the reply. UDP, IP protocol, FIN, NULL and Xmas scans classify ports this way.
    • closed|filtered: Nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) uses this state.
  • Target specification
    • Examples: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    • -iL <inputfilename>: load targets from a file
    • -iR <num hosts>: choose random targets
    • --exclude <host1[,host2][,host3],...>: exclude hosts or networks
    • --excludefile <exclude_file>: exclude the hosts or networks listed in a file
  • Host discovery
    • -sL: list scan, only lists the targets that would be scanned without scanning them
    • -sn: ping scan only, no port scan
    • -Pn: skip host discovery and treat every host as online
    • -PS/PA/PU/PY[portlist]: host discovery with TCP SYN, TCP ACK, UDP or SCTP INIT probes to the given ports
    • -PE/PP/PM: host discovery with ICMP echo, timestamp and netmask requests
    • -PO[protocol list]: IP protocol ping (probes carrying the given IP protocol numbers)
    • -n/-R: -n never does reverse DNS resolution, -R always resolves; by default Nmap resolves only hosts it finds online
    • --dns-servers <serv1[,serv2],...>: specify the DNS servers to use
    • --system-dns: use the operating system's resolver instead of Nmap's own
    • --traceroute: trace the path to each target
  • Scan techniques
    • -sS/sT/sA/sW/sM: TCP scans
      • S is the SYN scan (half-open scan). Nmap only sends a SYN and decides the port state from the reply: SYN/ACK means open, RST means closed, and no reply or an ICMP unreachable error means filtered. The handshake is never completed; Nmap answers a SYN/ACK with a RST.
      • T is the connect scan. Nmap uses the operating system's connect() call and completes the full three-way handshake, which is slower, and the connection is more likely to be logged by the application.
      • A is the ACK scan. Nmap sends a bare ACK; by RFC 793 both open and closed ports answer with a RST, so the scan cannot tell open from closed. It is used to map firewall rules: a RST means the port is unfiltered, while no reply or an ICMP unreachable error means it is filtered.
      • W is the window scan. It sends the same ACK probe but inspects the TCP window field of the RST: on some systems the RST from an open port carries a positive window and the RST from a closed port a zero window. On systems without this quirk every port is reported closed.
      • M is the Maimon scan, named after its discoverer Uriel Maimon. The probe is FIN/ACK. By RFC 793 a RST should come back whether the port is open or closed, but many BSD-derived systems drop the packet when the port is open, so a RST means closed and no reply means open|filtered.
    • -sU: UDP scan. Most systems answer a closed UDP port with an ICMP port unreachable error (this is also how the Linux traceroute implementation works: its UDP probes to a high port draw an ICMP port unreachable from the final hop). No response means open|filtered. The strength of Nmap's UDP scan is that for well-known ports it sends a protocol-specific payload that is likely to draw a reply, for example an IKE main mode packet to UDP 500.
    • -sN/sF/sX: scans with specific TCP flag bits: N is the NULL scan (no flags set), F sets FIN, X is the Xmas scan with FIN, PSH and URG set. A RST means the port is closed, no reply means open|filtered, and an ICMP unreachable error means filtered. This relies on RFC 793 behaviour; systems that deviate from it (Microsoft Windows and many Cisco devices among them) answer every such probe with a RST, so every port shows as closed.
    • --scanflags <flags>: same principle as the scans above, but lets the user choose the TCP flags to set.
    • -sI <zombie host[:probeport]>: idle scan. It needs a "zombie" host that is idle (generating no other traffic) and that uses a single incrementing IP ID counter for every packet it sends. The scan has three steps: 1. Nmap probes the zombie (with a SYN/ACK, which draws a RST) and records the IP ID of the reply; 2. Nmap sends a SYN to the target port with the source address spoofed as the zombie; 3. Nmap probes the zombie again and reads its IP ID. If the target port is open, the target sends a SYN/ACK to the zombie; the zombie never asked for it and answers with a RST, which consumes one IP ID, so the IP ID seen in step 3 is the value from step 1 plus 2, and Nmap reports the port open. If the port is closed, the target sends a RST to the zombie, which ignores it; if the port is filtered, the target sends nothing. Neither case makes the zombie send a packet, so the IP ID in step 3 is step 1 plus 1, and Nmap reports closed|filtered.
    • -sY/sZ: SCTP INIT scan and SCTP COOKIE ECHO scan
    • -sO: IP protocol scan. Nmap cycles through values of the protocol field in the IP header. An ICMP protocol unreachable error means the protocol is closed, any response in that protocol means open, other ICMP unreachable errors mean filtered, and silence means open|filtered.
    • -b <FTP relay host>: FTP bounce scan. It abuses the FTP PORT command to have an FTP server open connections to ports on the target host, so the scan appears to come from the FTP server rather than from Nmap.
  • Port-related parameters
    • -p <port ranges>: ports to scan, e.g. -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 (a T:, U: or S: prefix applies to the ports that follow it until the next prefix)
    • --exclude-ports <port ranges>: ports to exclude
    • -F: fast mode, scans fewer ports than the default (the 100 most common instead of 1000)
    • -r: scan ports in sequential order; by default the order is randomised
    • --top-ports <number>: scan the <number> most common ports
    • --port-ratio <ratio>: scan every port that is more common than <ratio>, a value between 0 and 1; the smaller the ratio, the more ports are scanned
  • Service/version detection
    • -sV: probe open ports to determine service and version information
    • --version-intensity <level>: set how many probes are tried, from 0 (light) to 9 (try all); the default is 7
    • --version-light: limit to the most likely probes (intensity 2)
    • --version-all: try every single probe (intensity 9)
    • --version-trace: show detailed version scan activity
  • Script scanning
    • --script=<Lua scripts>: comma-separated list of script names, categories, directories or script expressions
    • --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
    • --script-help=<Lua scripts>: show help about scripts
    • --script-updatedb: update the script database
  • OS detection
    • -O: enable OS detection
    • --osscan-limit: only attempt OS detection on promising hosts (at least one open and one closed TCP port)
    • --osscan-guess: guess the OS more aggressively
  • Other
    • -T<0-5>: timing template; higher is faster
    • -6: enable IPv6 scanning
    • -A: enable OS detection, version detection, script scanning and traceroute
    • -V: print the version number
    • -v: increase verbosity
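The port states and the TCP scan types above are easier to reason about when the decision rules are written out. The following is an added example for this page, not Nmap's code: a toy target stack (constructed, with switches for the Windows-like, BSD Maimon and window-field quirks described above) answers each probe type, and an `infer_state` function applies Nmap's rule for that scan type to the reply. Port numbers and the set of open/filtered ports are made up.

```python
"""Model of how Nmap turns the reply to one TCP probe into a port state.

Constructed example (not Nmap code): Target is a toy stack, not a real host,
and the three 'quirk' switches model the behaviours the Window, Maimon and
FIN/NULL/Xmas scans depend on.
"""
from dataclasses import dataclass, field

# Nmap scan type -> TCP flags set in the probe it sends.
PROBE_FLAGS = {
    "SYN": {"SYN"},                   # -sS
    "ACK": {"ACK"},                   # -sA
    "WINDOW": {"ACK"},                # -sW: same probe as -sA, reads the RST window
    "MAIMON": {"FIN", "ACK"},         # -sM
    "FIN": {"FIN"},                   # -sF
    "NULL": set(),                    # -sN
    "XMAS": {"FIN", "PSH", "URG"},    # -sX
}


@dataclass
class Reply:
    kind: str        # "SYNACK", "RST", "ICMP_UNREACH" or "NONE" (probe timed out)
    window: int = 0  # TCP window of a RST; only the Window scan looks at it


@dataclass
class Target:
    """Toy target stack (constructed for this example)."""
    open_ports: set
    filtered_ports: set = field(default_factory=set)  # firewall drops silently
    rejected_ports: set = field(default_factory=set)  # firewall sends ICMP unreachable
    windows_like: bool = False  # answers every non-SYN probe with RST, open or not
    maimon_bug: bool = False    # BSD-derived quirk: drops FIN/ACK sent to an open port
    window_bug: bool = False    # quirk: RST from an open port carries a positive window

    def respond(self, probe: str, port: int) -> Reply:
        if port in self.filtered_ports:
            return Reply("NONE")
        if port in self.rejected_ports:
            return Reply("ICMP_UNREACH")
        flags = PROBE_FLAGS[probe]
        is_open = port in self.open_ports
        if flags == {"SYN"}:
            return Reply("SYNACK") if is_open else Reply("RST")
        if flags == {"ACK"}:
            # RFC 793: an unsolicited ACK draws a RST whether the port is open or not
            return Reply("RST", window=1024 if (is_open and self.window_bug) else 0)
        if flags == {"FIN", "ACK"}:
            return Reply("NONE") if (is_open and self.maimon_bug) else Reply("RST")
        # FIN / NULL / Xmas: RFC 793 says closed -> RST, open -> drop silently
        if self.windows_like or not is_open:
            return Reply("RST")
        return Reply("NONE")


def infer_state(probe: str, reply: Reply) -> str:
    """Nmap's decision rule for each scan type, as described in the list above."""
    if probe == "SYN":
        return {"SYNACK": "open", "RST": "closed"}.get(reply.kind, "filtered")
    if probe == "ACK":
        return "unfiltered" if reply.kind == "RST" else "filtered"
    if probe == "WINDOW":
        if reply.kind != "RST":
            return "filtered"
        return "open" if reply.window > 0 else "closed"
    # MAIMON, FIN, NULL, XMAS: only a RST is conclusive
    if reply.kind == "RST":
        return "closed"
    if reply.kind == "ICMP_UNREACH":
        return "filtered"
    return "open|filtered"


def scan(target: Target, probe: str, ports) -> dict:
    """Run one scan type against the toy target and return {port: state}."""
    return {p: infer_state(probe, target.respond(probe, p)) for p in ports}


if __name__ == "__main__":
    ports = [22, 23, 25, 80, 443]
    bsd = Target(open_ports={22, 80}, filtered_ports={443}, rejected_ports={25})
    win = Target(open_ports={22, 80}, filtered_ports={443}, windows_like=True)
    for name, tgt in (("RFC 793 stack", bsd), ("Windows-like stack", win)):
        print(name)
        for probe in PROBE_FLAGS:
            print(f"  {probe:7} {scan(tgt, probe, ports)}")
```

Running the script shows the practical consequences in one table: the FIN/NULL/Xmas scans report every port on the Windows-like stack as closed, the ACK scan never says "open", and the Window and Maimon scans only separate open from closed on a stack that has the corresponding quirk.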
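The three-step idle scan described under -sI above, as an added simulation that is not part of the original page or of Nmap: a toy zombie with a global incrementing IP ID counter, a toy target, and the spoofed SYN in the middle. The addresses are documentation addresses and no packets are actually sent; the point is to see the +2 versus +1 arithmetic fall out of the exchange.

```python
"""Idle (zombie) scan arithmetic for -sI.

Constructed simulation (not Nmap code): Zombie and Target are toy models with
made-up addresses and no packets leave the machine. It shows why an open port
moves the zombie's IP ID by 2 and a closed or filtered port by 1.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # "SYN", "SYN/ACK" or "RST"
    ip_id: int = 0  # IP identification field, set by the sender


class Zombie:
    """Idle host with one global IP ID counter that increments per packet sent."""

    def __init__(self, addr: str, ip_id: int = 1000):
        self.addr = addr
        self.ip_id = ip_id

    def send(self, dst: str, flags: str) -> Packet:
        self.ip_id += 1  # every packet it emits consumes one IP ID
        return Packet(self.addr, dst, 0, flags, self.ip_id)

    def receive(self, pkt: Packet):
        # An unsolicited SYN/ACK draws a RST; an unsolicited RST is ignored.
        if pkt.flags == "SYN/ACK":
            return self.send(pkt.src, "RST")
        return None


class Target:
    """Host being scanned; its replies go to the packet's source address."""

    def __init__(self, addr: str, open_ports, filtered_ports=()):
        self.addr = addr
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt: Packet):
        if pkt.dport in self.filtered_ports:
            return None  # dropped by a firewall
        if pkt.flags == "SYN":
            flags = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
            return Packet(self.addr, pkt.src, 0, flags)
        return None


def probe_zombie(attacker: str, zombie: Zombie) -> int:
    """Steps 1 and 3: send a SYN/ACK to the zombie and read the IP ID of its RST."""
    rst = zombie.receive(Packet(attacker, zombie.addr, 80, "SYN/ACK"))
    return rst.ip_id


def idle_scan(attacker: str, zombie: Zombie, target: Target, port: int) -> str:
    before = probe_zombie(attacker, zombie)
    # Step 2: SYN to the target with the source address forged as the zombie.
    spoofed = Packet(zombie.addr, target.addr, port, "SYN")
    reply = target.receive(spoofed)   # delivered to the zombie, never to us
    if reply is not None:
        zombie.receive(reply)         # only a SYN/ACK makes the zombie send anything
    after = probe_zombie(attacker, zombie)
    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"  # zombie is not idle or does not use a global counter


if __name__ == "__main__":
    zombie = Zombie("192.0.2.10")                       # documentation addresses
    target = Target("192.0.2.20", open_ports={22, 80}, filtered_ports={443})
    for port in (22, 23, 443):
        print(port, idle_scan("192.0.2.1", zombie, target, port))
```

The "unreliable" branch is the practical caveat: any other traffic the zombie sends between steps 1 and 3 also consumes IP IDs, which is why the zombie must be idle and why Nmap first checks that the candidate's IP ID sequence is incremental before trusting it.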
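The -p syntax and the --top-ports/--port-ratio selection rules in the port-related parameters above, as an added example that is not Nmap's own code. The parser goes slightly beyond the page's examples by also accepting `-` for all ports and open-ended ranges such as `-100`; `PORT_FREQUENCY` is a made-up excerpt in the style of the frequency column of Nmap's nmap-services file, so the numbers are not real.

```python
"""Parsing the -p port specification and picking ports the way --top-ports and
--port-ratio do.

Constructed example (not Nmap code). PORT_FREQUENCY is a made-up excerpt in
the style of Nmap's nmap-services frequency column; the real numbers differ.
"""
from typing import Dict, List

PROTOCOL_PREFIXES = ("T", "U", "S")  # TCP, UDP, SCTP
MAX_PORT = 65535


def expand_range(spec: str) -> List[int]:
    """'80' -> [80]; '21-25' -> [21..25]; '-100' -> [1..100]; '-' -> all ports."""
    spec = spec.strip()
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo_n = int(lo) if lo else 1
        hi_n = int(hi) if hi else MAX_PORT
    else:
        lo_n = hi_n = int(spec)
    if not 0 <= lo_n <= hi_n <= MAX_PORT:
        raise ValueError(f"bad port range: {spec!r}")
    return list(range(lo_n, hi_n + 1))


def parse_port_spec(spec: str) -> Dict[str, List[int]]:
    """Turn a -p argument into {protocol: sorted ports}.

    A T:, U: or S: prefix applies to every item after it until the next prefix;
    items before any prefix are TCP.
    """
    result: Dict[str, set] = {}
    proto = "T"
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        if ":" in item:
            prefix, item = item.split(":", 1)
            prefix = prefix.strip().upper()
            if prefix not in PROTOCOL_PREFIXES:
                raise ValueError(f"unknown protocol prefix {prefix!r}")
            proto = prefix
        result.setdefault(proto, set()).update(expand_range(item))
    return {p: sorted(ports) for p, ports in result.items()}


# Made-up "how often is this port open" table; keys are port/protocol.
PORT_FREQUENCY = {
    "80/tcp": 0.484, "161/udp": 0.434, "23/tcp": 0.221, "53/udp": 0.212,
    "443/tcp": 0.208, "123/udp": 0.198, "21/tcp": 0.197, "22/tcp": 0.182,
    "25/tcp": 0.131, "137/udp": 0.108, "3389/tcp": 0.083, "110/tcp": 0.077,
    "445/tcp": 0.056, "139/tcp": 0.050, "8080/tcp": 0.042,
}


def top_ports(freq: Dict[str, float], n: int) -> List[str]:
    """--top-ports n: the n entries with the highest open frequency."""
    return sorted(freq, key=freq.__getitem__, reverse=True)[:n]


def ports_by_ratio(freq: Dict[str, float], ratio: float) -> List[str]:
    """--port-ratio r: every entry more common than r (smaller r = more ports)."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0 and 1")
    chosen = [k for k, f in freq.items() if f > ratio]
    return sorted(chosen, key=freq.__getitem__, reverse=True)


if __name__ == "__main__":
    print(parse_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9"))
    print(top_ports(PORT_FREQUENCY, 5))
    for r in (0.2, 0.1, 0.05):
        print(r, len(ports_by_ratio(PORT_FREQUENCY, r)), "ports")
```

The loop at the end makes the --port-ratio direction concrete: lowering the ratio from 0.2 to 0.05 grows the port list rather than shrinking it.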

Source: www.cnblogs.com/yurang/p/12046809.html