Note: this page mainly covers the scan options behind the Zenmap Profiles. The other parts of Zenmap are already well explained elsewhere, so these notes are compiled from the relevant entries of the nmap man page.

Target: the hosts to scan (ports are chosen with -p in the command, not in the target field). Several forms are accepted: a single IP, a hostname, CIDR notation such as 10.123.10.0/24, an octet range such as 10.123.10.1-244 (nmap ranges apply per octet, so 10.123.10.1-10.123.10.244 is not valid syntax), and any combination of these separated by spaces.


Profile: the main parameters

1. Intense scan

nmap -T4 -A -v

-T4: -T<paranoid|sneaky|polite|normal|aggressive|insane> (Set a timing template)
           The -T option takes a template by number (0-5) or by name. The
           template names are paranoid (0), sneaky (1), polite (2),
           normal (3), aggressive (4), and insane (5). The first two are for
           IDS evasion. Polite mode slows down the scan to use less bandwidth
           and target machine resources. Normal mode is the default and so -T3
           does nothing. Aggressive mode speeds scans up by making the
           assumption that you are on a reasonably fast and reliable network.
           Finally, insane mode assumes that you are on an extraordinarily
           fast network or are willing to sacrifice some accuracy for speed.

           For example, -T4 prohibits the dynamic scan delay from exceeding
           10 ms for TCP ports and -T5 caps that value at 5 ms. The option
           summary lists -T4 simply as "for faster execution".

What this means: -T4 is the template for a LAN or another fast, reliable network. It is somewhat aggressive: it caps the dynamic delay Nmap inserts between TCP probes at 10 ms (a ceiling on the inter-probe delay, not an average time per port; the template also shortens the RTT timeouts and the retry count, see TIMING AND PERFORMANCE in the man page). On a slow or lossy link those shorter timeouts cost accuracy, which is why the man page ties -T4 to a reasonably fast and reliable network.

-A: -A (Aggressive scan options). Enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) in one flag.

Four things, then: OS detection, service version detection, the default NSE script set, and traceroute. -A does not change timing; that is what -T4 is for.

-v: increase verbosity, printing open ports and progress while the scan runs (-vv for more).


2. Intense scan plus UDP: the intense scan with a UDP scan added

nmap -sS -sU -T4 -A -v

-sS: -sS (TCP SYN scan)
           SYN scan is the default and most popular scan option for good
           reasons. It can be performed quickly, scanning thousands of ports
           per second on a fast network not hampered by restrictive firewalls.
           It is also relatively unobtrusive and stealthy since it never
           completes TCP connections. SYN scan works against any compliant TCP
           stack rather than depending on idiosyncrasies of specific platforms
           as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows
           clear, reliable differentiation between the open, closed, and
           filtered states.

           This technique is often referred to as half-open scanning, because
           you don't open a full TCP connection. You send a SYN packet, as if
           you are going to open a real connection and then wait for a
           response. A SYN/ACK indicates the port is listening (open), while a
           RST (reset) is indicative of a non-listener. If no response is
           received after several retransmissions, the port is marked as
           filtered. The port is also marked filtered if an ICMP unreachable
           error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is
           also considered open if a SYN packet (without the ACK flag) is
           received in response. This can be due to an extremely rare TCP
           feature known as a simultaneous open or split handshake connection
           (see http://nmap.org/misc/split-handshake.pdf).

In short: -sS is the popular choice because it is fast and relatively stealthy. It is a half-open scan that never completes a real TCP connection: Nmap sends a SYN and reads the reply. A SYN/ACK (or, rarely, a bare SYN) means the port is open and listening; a RST means it is closed (nothing listening); no reply after retransmissions, or an ICMP unreachable error, marks the port filtered. "Stealthy" is relative: the SYN and the kernel's RST are still visible to any IDS or flow log on the path, the scan simply never reaches the application and so is not logged there. -sS also needs raw-packet privileges (root on Unix); without them Nmap falls back to a connect scan (-sT), which completes the handshake and is visible to the application.


-sU: -sU (UDP scans)
           While most popular services on the Internet run over the TCP
           protocol, UDP services are widely deployed. DNS, SNMP, and DHCP
           (registered ports 53, 161/162, and 67/68) are three of the most
           common. Because UDP scanning is generally slower and more difficult
           than TCP, some security auditors ignore these ports. This is a
           mistake, as exploitable UDP services are quite common and attackers
           certainly don't ignore the whole protocol. Fortunately, Nmap can
           help inventory UDP ports.

           UDP scan is activated with the -sU option. It can be combined with
           a TCP scan type such as SYN scan (-sS) to check both protocols
           during the same run.

           UDP scan works by sending a UDP packet to every targeted port. For
           some common ports such as 53 and 161, a protocol-specific payload
           is sent, but for most ports the packet is empty. The
           --data-length option can be used to send a fixed-length random
           payload to every port or (if you specify a value of 0) to disable
           payloads. If an ICMP port unreachable error (type 3, code 3) is
           returned, the port is closed. Other ICMP unreachable errors (type
           3, codes 1, 2, 9, 10, or 13) mark the port as filtered.
           Occasionally, a service will respond with a UDP packet, proving
           that it is open. If no response is received after retransmissions,
           the port is classified as open|filtered. This means that the port
           could be open, or perhaps packet filters are blocking the
           communication. Version detection (-sV) can be used to help
           differentiate the truly open ports from the filtered ones.

           A big challenge with UDP scanning is doing it quickly. Open and
           filtered ports rarely send any response, leaving Nmap to time out
           and then conduct retransmissions just in case the probe or response
           were lost. Closed ports are often an even bigger problem. They
           usually send back an ICMP port unreachable error. But unlike the
           RST packets sent by closed TCP ports in response to a SYN or
           connect scan, many hosts rate limit ICMP port unreachable
           messages by default. Linux and Solaris are particularly strict
           about this. For example, the Linux 2.4.20 kernel limits destination
           unreachable messages to one per second (in net/ipv4/icmp.c).

           Nmap detects rate limiting and slows down accordingly to avoid
           flooding the network with useless packets that the target machine
           will drop. Unfortunately, a Linux-style limit of one packet per
           second makes a 65,536-port scan take more than 18 hours. Ideas for
           speeding your UDP scans up include scanning more hosts in parallel,
           doing a quick scan of just the popular ports first, scanning from
           behind the firewall, and using --host-timeout to skip slow hosts.

Services that run over UDP include DNS, SNMP and DHCP. Because UDP scanning is slower and harder than TCP scanning, some audits skip it; that is a mistake. The hard part is speed: open and filtered ports usually answer nothing, so Nmap has to wait out the timeout and retransmit, while closed ports answer with ICMP port unreachable messages that Linux and Solaris rate-limit by default. Nmap detects the rate limit and slows down to match it rather than flooding the network with packets the target will drop anyway, so a full 65,536-port UDP scan at one reply per second takes more than 18 hours. Practical advice: scan the popular UDP ports first (-F or --top-ports), scan more hosts in parallel, scan from inside the firewall where possible, and set --host-timeout to skip hosts that are too slow.

A UDP reply from the service means the port is open. No reply at all is ambiguous, so Nmap reports open|filtered; add -sV so protocol-specific probes can tell the truly open ports from the filtered ones.
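The SYN-scan and UDP-scan rules quoted above map cleanly onto a small decision function. The following is an added example written for this page, not code from nmap: it encodes both rule sets and the -sV refinement for open|filtered, fed with a constructed Reply record instead of real packets.

```python
"""Port-state rules for SYN (-sS) and UDP (-sU) scans, written out as code.
Added example, not nmap's source: it implements the decision rules quoted
from the man page on a simplified, constructed record of what came back for
one probe."""
from dataclasses import dataclass
from typing import Optional

# ICMP destination-unreachable (type 3) codes that nmap treats as "filtered"
# for a TCP SYN probe. For UDP, code 3 (port unreachable) means "closed" and
# only the remaining codes mean "filtered".
TCP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass
class Reply:
    """What the scanner saw for one probe (constructed, not captured)."""
    kind: Optional[str]                     # "tcp", "udp", "icmp" or None (no response)
    tcp_flags: str = ""                     # "SA" = SYN/ACK, "R"/"RA" = RST, "S" = bare SYN
    icmp_type: int = 0
    icmp_code: int = 0
    retransmissions_exhausted: bool = False  # every retry sent, still nothing back


def classify_syn(reply: Reply) -> str:
    """State of a TCP port after one -sS probe, following the man page rules."""
    if reply.kind == "tcp":
        if "R" in reply.tcp_flags:
            return "closed"          # RST: nothing listening
        if "S" in reply.tcp_flags:
            return "open"            # SYN/ACK, or a bare SYN (split handshake)
    if (reply.kind == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in TCP_FILTERED_CODES):
        return "filtered"            # admin-prohibited, host/net unreachable, etc.
    if reply.kind is None and reply.retransmissions_exhausted:
        return "filtered"            # silently dropped
    return "pending"                 # keep retransmitting, or ignore odd replies


def classify_udp(reply: Reply) -> str:
    """State of a UDP port after one -sU probe, following the man page rules."""
    if reply.kind == "udp":
        return "open"                # the service answered: proof positive
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == 3:
            return "closed"          # port unreachable
        if reply.icmp_code in UDP_FILTERED_CODES:
            return "filtered"
    if reply.kind is None and reply.retransmissions_exhausted:
        return "open|filtered"       # silence is ambiguous for UDP
    return "pending"


def refine_with_version_probe(state: str, service_answered: bool) -> str:
    """-sV turns open|filtered into open when a protocol-specific probe draws
    a reply; continued silence leaves the state as it was."""
    if state == "open|filtered" and service_answered:
        return "open"
    return state
```

The two classifiers differ only where the man page says they differ: an ICMP type 3 code 3 is "filtered" for a SYN probe but "closed" for a UDP probe, and silence means "filtered" for TCP but the weaker "open|filtered" for UDP.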

 

3. Intense scan, all TCP ports

nmap -p 1-65535 -T4 -A -v

The same as Intense scan, except that -p 1-65535 replaces the default list of the 1,000 most common ports with every TCP port (-p- is shorthand for the same range).


4. Intense scan, no ping: the intense scan without host discovery

nmap -T4 -A -v -Pn

-Pn: Treat all hosts as online -- skip host discovery

-Pn (No ping)
           This option skips the Nmap discovery stage altogether. Normally,
           Nmap uses this stage to determine active machines for heavier
           scanning. By default, Nmap only performs heavy probing such as port
           scans, version detection, or OS detection against hosts that are
           found to be up. Disabling host discovery with -Pn causes Nmap to
           attempt the requested scanning functions against every target IP
           address specified. So if a class B target address space (/16) is
           specified on the command line, all 65,536 IP addresses are scanned.
           Proper host discovery is skipped as with the list scan, but instead
           of stopping and printing the target list, Nmap continues to perform
           requested functions as if each target IP is active. To skip ping
           scan and port scan, while still allowing NSE to run, use the two
           options -Pn -sn together.

           For machines on a local ethernet network, ARP scanning will still
           be performed (unless --disable-arp-ping or --send-ip is specified)
           because Nmap needs MAC addresses to further scan target hosts. In
           previous versions of Nmap, -Pn was -P0 and -PN.

Assume every host is online and skip host discovery. Use it when the target does not answer ping probes (a common firewall policy) and would otherwise be reported as down; the cost is that every address in the range is port-scanned whether it is up or not, so keep the target list tight.


5. Ping scan: host discovery only, no port scan

nmap -sn

-sn: Ping Scan - disable port scan

-sn (No port scan)
           This option tells Nmap not to do a port scan after host discovery,
           and only print out the available hosts that responded to the scan.
           This is often known as a "ping scan", but you can also request that
           traceroute and NSE host scripts be run. This is by default one step
           more intrusive than the list scan, and can often be used for the
           same purposes. It allows light reconnaissance of a target network
           without attracting much attention. Knowing how many hosts are up is
           more valuable to attackers than the list provided by list scan of
           every single IP and host name.

           Systems administrators often find this option valuable as well. It
           can easily be used to count available machines on a network or
           monitor server availability. This is often called a ping sweep, and
           is more reliable than pinging the broadcast address because many
           hosts do not reply to broadcast queries.

           The default host discovery done with -sn consists of an ICMP echo
           request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
           timestamp request by default. When executed by an unprivileged
           user, only SYN packets are sent (using a connect call) to ports 80
           and 443 on the target. When a privileged user tries to scan targets
           on a local ethernet network, ARP requests are used unless --send-ip
           was specified. The -sn option can be combined with any of the
           discovery probe types (the -P* options, excluding -Pn) for greater
           flexibility. If any of those probe type and port number options are
           used, the default probes are overridden. When strict firewalls are
           in place between the source host running Nmap and the target
           network, using those advanced techniques is recommended. Otherwise
           hosts could be missed when the firewall drops probes or their
           responses.

           In previous releases of Nmap, -sn was known as -sP.


6. Quick scan

nmap -T4 -F

-F: Fast mode - Scan fewer ports than the default scan

-F (Fast (limited port) scan)
           Specifies that you wish to scan fewer ports than the default.
           Normally Nmap scans the most common 1,000 ports for each scanned
           protocol. With -F, this is reduced to 100.

           Nmap needs an nmap-services file with frequency information in
           order to know which ports are the most common. If port frequency
           information isn't available, perhaps because of the use of a custom
           nmap-services file, Nmap scans all named ports plus ports 1-1024.
           In that case, -F means to scan only ports that are named in the
           services file.

"Most common" is measured by the open-frequency column of nmap-services, so a quick scan will miss a service the target runs on an unusual port; -F trades coverage for speed.
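How -F chooses its 100 ports is worth seeing in code. The following is an added example, not nmap's implementation: it parses a constructed nmap-services excerpt (the same column layout as the real file, with illustrative frequency values), ranks ports by open-frequency per protocol, and compresses the result into -p syntax.

```python
"""Ranking ports by nmap-services open-frequency, the data behind -F.
Added example, not nmap's code. The file format is: service name,
port/protocol, open-frequency, optional '# comment'. The excerpt below is
constructed for illustration; the frequencies are not copied from a real file."""
from typing import List, Tuple

SAMPLE_NMAP_SERVICES = """\
# constructed nmap-services excerpt (illustrative frequencies)
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314\t# Simple Mail Transfer
snmp\t161/udp\t0.433467\t# Simple Net Mgmt Proto
domain\t53/udp\t0.212573\t# Domain Name Server
unknown\t49152/tcp\t0.000000
"""

Entry = Tuple[str, int, str, float]   # (name, port, protocol, open-frequency)


def parse_services(text: str) -> List[Entry]:
    """Parse nmap-services lines; blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        name, portproto, freq = line.split()[:3]
        port, proto = portproto.split("/")
        entries.append((name, int(port), proto, float(freq)))
    return entries


def top_ports(entries: List[Entry], proto: str, n: int) -> List[int]:
    """The n most frequently open ports for one protocol, most common first.
    -F uses n=100 per protocol; the default scan uses n=1000."""
    ranked = sorted((e for e in entries if e[2] == proto),
                    key=lambda e: e[3], reverse=True)
    return [e[1] for e in ranked[:n]]


def port_spec(ports: List[int]) -> str:
    """Compress a port list into -p syntax: [21,22,23,25,80] -> '21-23,25,80'."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1                               # extend the run of consecutive ports
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


if __name__ == "__main__":
    entries = parse_services(SAMPLE_NMAP_SERVICES)
    print("-F on this sample would scan: -p", port_spec(top_ports(entries, "tcp", 5)))
```

The same ranking is what --top-ports N uses; port_spec is handy when you want to paste a ranked list into an explicit -p argument for a scan that must be reproducible.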

 

7. Quick scan plus: the quick scan with OS detection and light version detection added

nmap -sV -T4 -O -F --version-light

Despite the name it is slower than Quick scan, not faster: -F keeps the 100-port list, while -O and -sV add OS fingerprinting and service identification on whatever is found open. --version-light keeps the version scan cheap.

-O: Enable OS detection

--version-intensity <intensity> (Set version scan intensity)
           When performing a version scan (-sV), Nmap sends a series of
           probes, each of which is assigned a rarity value between one and
           nine. The lower-numbered probes are effective against a wide
           variety of common services, while the higher-numbered ones are
           rarely useful. The intensity level specifies which probes should be
           applied. The higher the number, the more likely it is the service
           will be correctly identified. However, high intensity scans take
           longer. The intensity must be between 0 and 9. The default is 7.
           When a probe is registered to the target port via the
           nmap-service-probes ports directive, that probe is tried regardless
           of intensity level. This ensures that the DNS probes will always be
           attempted against any open port 53, the SSL probe will be done
           against 443, etc.

--version-light (Enable light mode)
           This is a convenience alias for --version-intensity 2. This light
           mode makes version scanning much faster, but it is slightly less
           likely to identify services.
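The intensity rule (a probe runs when its rarity is at or below the intensity, or when a ports directive registers it to the port) as an added example, not nmap's code. The probe table is a constructed stand-in for nmap-service-probes with illustrative rarities and port registrations; --version-all is the documented alias for intensity 9.

```python
"""Which version-detection probes -sV sends at a given --version-intensity.
Added example, not nmap's code. PROBES is a constructed, simplified stand-in
for nmap-service-probes: names resemble real probes, but the rarity values
and 'ports' registrations here are illustrative."""
from typing import Dict, Iterable, List, Set, Tuple

Probe = Tuple[str, int, Set[int]]   # (probe name, rarity 1-9, ports it is registered to)

PROBES: List[Probe] = [
    ("NULL",              1, set()),
    ("GenericLines",      1, set()),
    ("GetRequest",        1, {80, 8080}),
    ("SSLSessionReq",     2, {443}),
    ("DNSVersionBindReq", 3, {53}),
    ("SMBProgNeg",        4, {139, 445}),
    ("RPCCheck",          6, {111}),
    ("X11Probe",          9, {6000}),
]

INTENSITY_BY_OPTION: Dict[str, int] = {
    "--version-light": 2,   # alias documented in the man page
    "default":         7,   # what plain -sV uses
    "--version-all":   9,   # alias for --version-intensity 9
}


def select_probes(probes: Iterable[Probe], port: int, intensity: int = 7) -> List[str]:
    """Probes attempted against one open port at the given intensity, in the
    order they are listed (nmap sends them in file order, NULL first)."""
    if not 0 <= intensity <= 9:
        raise ValueError("intensity must be between 0 and 9")
    return [name for name, rarity, ports in probes
            if rarity <= intensity or port in ports]   # ports directive overrides rarity


def probe_plan(probes: Iterable[Probe], open_ports: Iterable[int],
               intensity: int = 7) -> Dict[int, List[str]]:
    """Map every open port to the probe list -sV would work through."""
    probes = list(probes)
    return {p: select_probes(probes, p, intensity) for p in open_ports}


if __name__ == "__main__":
    for port, names in probe_plan(PROBES, [53, 80, 6000],
                                  INTENSITY_BY_OPTION["--version-light"]).items():
        print(port, "->", ", ".join(names))
```

Notice that at --version-light the DNS probe still reaches port 53 and the X11 probe still reaches port 6000, purely because of the port registration; what the lower intensity removes is the long tail of rare probes sent to ports they are not registered for, which is where most of the version-scan time goes.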

-sV: -sV (Version detection)
           Enables version detection, as discussed above. Alternatively, you
           can use -A, which enables version detection among other things.

           -sR is an alias for -sV. Prior to March 2011, it was used to
           activate the RPC grinder separately from version detection, but now
           these options are always combined.


8. Quick traceroute: host discovery only (no port scan), printing the hops on the path to each host

nmap -sn --traceroute

--traceroute: Trace hop path to each host

9. Regular scan: Nmap's defaults, no options

nmap

With no options Nmap does host discovery and then a SYN scan of the 1,000 most common TCP ports at -T3 (a connect scan, -sT, if it is run without raw-packet privileges).

10. Slow comprehensive scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"

This profile stacks several host-discovery probe types so that a host which drops one kind of probe is still found by another:

-PE/-PP: ICMP echo request and ICMP timestamp request pings
-PS80,443: TCP SYN ping to ports 80 and 443
-PA3389: TCP ACK ping to port 3389
-PU40125: UDP ping to port 40125 (a port unlikely to be open, so a closed port's ICMP port unreachable reply gives the host away)
-PY: SCTP INIT ping
-g 53: send all probes from source port 53

-PS <port list> (TCP SYN Ping)
           This option sends an empty TCP packet with the SYN flag set. The
           default destination port is 80 (configurable at compile time by
           changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate
           ports can be specified as a parameter. The syntax is the same as
           for the -p except that port type specifiers like T: are not
           allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note
           that there can be no space between -PS and the port list. If
           multiple probes are specified they will be sent in parallel.

           The SYN flag suggests to the remote system that you are attempting
           to establish a connection. Normally the destination port will be
           closed, and a RST (reset) packet sent back. If the port happens to
           be open, the target will take the second step of a TCP
           three-way-handshake by responding with a SYN/ACK TCP packet. The
           machine running Nmap then tears down the nascent connection by
           responding with a RST rather than sending an ACK packet which would
           complete the three-way-handshake and establish a full connection.
           The RST packet is sent by the kernel of the machine running Nmap in
           response to the unexpected SYN/ACK, not by Nmap itself.

           Nmap does not care whether the port is open or closed. Either the
           RST or SYN/ACK response discussed previously tell Nmap that the
           host is available and responsive.

           On Unix boxes, only the privileged user root is generally able to
           send and receive raw TCP packets. For unprivileged users, a
           workaround is automatically employed whereby the connect system
           call is initiated against each target port. This has the effect of
           sending a SYN packet to the target host, in an attempt to establish
           a connection. If connect returns with a quick success or an
           ECONNREFUSED failure, the underlying TCP stack must have received a
           SYN/ACK or RST and the host is marked available. If the connection
           attempt is left hanging until a timeout is reached, the host is
           marked as down.

-PA <port list> (TCP ACK Ping)
           The TCP ACK ping is quite similar to the just-discussed SYN ping.
           The difference, as you could likely guess, is that the TCP ACK flag
           is set instead of the SYN flag. Such an ACK packet purports to be
           acknowledging data over an established TCP connection, but no such
           connection exists. So remote hosts should always respond with a RST
           packet, disclosing their existence in the process.

           The -PA option uses the same default port as the SYN probe (80) and
           can also take a list of destination ports in the same format. If an
           unprivileged user tries this, the connect workaround discussed
           previously is used. This workaround is imperfect because connect is
           actually sending a SYN packet rather than an ACK.

           The reason for offering both SYN and ACK ping probes is to maximize
           the chances of bypassing firewalls. Many administrators configure
           routers and other simple firewalls to block incoming SYN packets
           except for those destined for public services like the company web
           site or mail server. This prevents other incoming connections to
           the organization, while allowing users to make unobstructed
           outgoing connections to the Internet. This non-stateful approach
           takes up few resources on the firewall/router and is widely
           supported by hardware and software filters. The Linux
           Netfilter/iptables firewall software offers the --syn convenience
           option to implement this stateless approach. When stateless
           firewall rules such as this are in place, SYN ping probes (-PS) are
           likely to be blocked when sent to closed target ports. In such
           cases, the ACK probe shines as it cuts right through these rules.

           Another common type of firewall uses stateful rules that drop
           unexpected packets. This feature was initially found mostly on
           high-end firewalls, though it has become much more common over the
           years. The Linux Netfilter/iptables system supports this through
           the --state option, which categorizes packets based on connection
           state. A SYN probe is more likely to work against such a system, as
           unexpected ACK packets are generally recognized as bogus and
           dropped. A solution to this quandary is to send both SYN and ACK
           probes by specifying -PS and -PA.

-PS and -PA are used together so that whichever kind of firewall is in the way (stateless rules that let ACKs through, or stateful rules that only let SYNs through to permitted ports) at least one probe draws a reply and the host is not missed. This is about finding hosts through firewalls, not about hiding from them: both probes are just as visible to an IDS.
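The connect() fallback that -PS and -PA (and -sn when run by an unprivileged user, see above) rely on, as an added example and not nmap's code. It treats a quick success or ECONNREFUSED as "host up" and everything else as "down", exactly the rule quoted above. The open and closed ports are constructed on loopback so the example runs without a network.

```python
"""Unprivileged host discovery via connect(), the workaround nmap uses for
-PS/-PA (and -sn) when it cannot send raw packets. Added example, not nmap's
code. A quick success means the stack got a SYN/ACK, ECONNREFUSED means it
got a RST; either proves the host is up. A hang until the timeout, or an
unreachable-network error, counts as down."""
import socket
from typing import Iterable, Tuple


def tcp_connect_ping(host: str, port: int, timeout: float = 1.0) -> str:
    """Return "up" if connect() succeeds or is refused, otherwise "down"."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "up"                  # SYN/ACK came back: port open, host up
    except ConnectionRefusedError:
        return "up"                  # RST came back: port closed, host still up
    except OSError:                  # timeout, ENETUNREACH, EHOSTUNREACH, ...
        return "down"
    finally:
        sock.close()                 # a RST for the open case, as nmap's kernel would send


def host_is_up(host: str, ports: Iterable[int] = (80, 443), timeout: float = 1.0) -> bool:
    """Probe each port the way -PS80,443 would; one reply of any kind is enough."""
    return any(tcp_connect_ping(host, p, timeout) == "up" for p in ports)


def start_local_listener() -> Tuple[socket.socket, int]:
    """A constructed open port on loopback; the caller keeps the socket alive."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)                    # the kernel completes the handshake, no accept() needed
    return srv, srv.getsockname()[1]


def free_local_port() -> int:
    """A constructed closed port on loopback: bound once, then released."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    print("open port   ->", tcp_connect_ping("127.0.0.1", open_port))
    print("closed port ->", tcp_connect_ping("127.0.0.1", free_local_port()))
    # 192.0.2.1 (TEST-NET-1) is normally blackholed, so this should read "down"
    print("blackholed  ->", tcp_connect_ping("192.0.2.1", 80, timeout=0.5))
    srv.close()
```

The imperfection the man page mentions is visible here: there is no way to send a bare ACK from an unprivileged socket, so -PA degrades to the same SYN-through-connect() probe and loses its ability to slip past stateless SYN filters. A full handshake is also completed for the open-port case, which the target application may log.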

-g/--source-port <portnum>: Use the given port number as the source port of every probe. Port 53 is chosen because poorly written firewall rules sometimes trust inbound traffic that looks like DNS replies on the basis of its source port alone.

 

--script "default or (discovery and safe)": run the NSE scripts whose categories satisfy the expression. The man page example:

nmap --script "default or safe"
           This is functionally equivalent to nmap --script "default,safe". It
           loads all scripts that are in the default category or the safe
           category or both.

The profile's expression therefore runs every default script plus every script that is both discovery and safe, and leaves out anything that is only intrusive, brute or otherwise unsafe.
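The category expression language in action, as an added example rather than nmap's own selector. The catalogue of script-to-category assignments is a constructed excerpt (the category names are nmap's and the assignments mirror recent releases, but check --script-help for the authoritative list), and the evaluator uses Python's ast module as a safe parser for the and/or/not grammar instead of eval().

```python
"""Selecting NSE scripts with a --script expression such as
"default or (discovery and safe)". Added example, not nmap's code. SCRIPTS
is a constructed excerpt of the script database: category names are nmap's,
the assignments are illustrative (verify with --script-help)."""
import ast
from typing import Dict, Set

SCRIPTS: Dict[str, Set[str]] = {
    "http-title":     {"default", "discovery", "safe"},
    "ssh-hostkey":    {"default", "discovery", "safe"},
    "ssl-cert":       {"default", "discovery", "safe"},
    "banner":         {"discovery", "safe"},
    "broadcast-ping": {"broadcast", "discovery", "safe"},
    "dns-brute":      {"intrusive", "discovery"},
    "http-brute":     {"intrusive", "brute"},
}


def _matches(node: ast.AST, cats: Set[str]) -> bool:
    """Evaluate one boolean expression node against one script's categories.
    Only and/or/not/parentheses and bare names are accepted; anything else
    (calls, attributes, literals) is rejected rather than evaluated."""
    if isinstance(node, ast.Expression):
        return _matches(node.body, cats)
    if isinstance(node, ast.BoolOp):
        parts = (_matches(v, cats) for v in node.values)
        return all(parts) if isinstance(node.op, ast.And) else any(parts)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _matches(node.operand, cats)
    if isinstance(node, ast.Name):
        return node.id == "all" or node.id in cats    # category, or the "all" keyword
    raise ValueError(f"unsupported token in script expression: {ast.dump(node)}")


def select_scripts(spec: str, catalogue: Dict[str, Set[str]]) -> Set[str]:
    """Scripts chosen by a --script argument. Comma-separated terms form a
    union; each term is an explicit script name, a category, or a boolean
    expression over categories. Hyphenated script names inside a boolean
    expression are not handled by this toy parser (the real one allows them)."""
    chosen: Set[str] = set()
    for term in spec.split(","):
        term = term.strip()
        if term in catalogue:                           # explicit script name
            chosen.add(term)
            continue
        tree = ast.parse(term, mode="eval")
        chosen.update(name for name, cats in catalogue.items() if _matches(tree, cats))
    return chosen


if __name__ == "__main__":
    for name in sorted(select_scripts("default or (discovery and safe)", SCRIPTS)):
        print(name, sorted(SCRIPTS[name]))
```

Whitelisting AST node types is the point of _matches: the expression comes from the command line, and rejecting every node kind you did not plan for is what keeps a parser like this from becoming an eval() in disguise.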