nmap 命令手册

NAME
       nmap - Network exploration tool and security scanner

 

# 注释 :nmap 是网络探测工具和安全扫描工具

 

namp 的 official 站点 :http://insecure.org/nmap

 

SYNOPSIS
       nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>

 

# 注释 :nmap 的语法比较简单 :

 

#     -)1、关键字 nmap

 

#     -)2、指定一个扫描类型

 

#     -)3、指定扫描选项

 

#     -)4、指定要扫描的主机或者网络

 

DESCRIPTION
       Nmap  is designed to allow system administrators and curious individu-
       als to scan large networks to determine which hosts are up  and  what
       services  they are offering.  nmap supports a large number of scanning
       techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy
       (bounce attack),  ICMP (ping  sweep), FIN, ACK sweep, Xmas Tree, SYN
       sweep, IP Protocol, and Null scan.  See the  Scan  Types  section  for
       more  details.  nmap also offers a number of advanced features such as
       remote OS  detection  via  TCP/IP  fingerprinting,  stealth  scanning,
       dynamic delay  and  retransmission  calculations,  parallel scanning,
       detection of down hosts via parallel pings, decoy scanning, port  fil-
       tering  detection, direct (non-portmapper) RPC scanning, fragmentation
       scanning, and flexible target and port specification.

 

# 注释 :nmap 是用于允许系统管理员来扫描大型网络,以探测有那些主机是 up 的,

 

# 它们上面都提供了什么服务。nmap 支持很多扫描技术 :UDP、TCP 连接、TCP SYN (half open)、

 

# ftp 代理(bounce attack)、IMCP (ping sweep)、FIN,ACK sweep、Xmas Tree、SYN sweep 、

 

# IP 协议、Null scan 。

 

# 注释 :nmap 同样提供了一系列的高级特性,例如远程操作系统探测(通过 TCP/IP 指纹)、

 

# stealth scan、动态延迟、重传计算、并行扫描、诱骗扫描、端口过滤检测、

 

# 直接 RPC 扫描、分片扫描、以及灵活的主机/端口扫描 


 

       Significant effort has been put into decent nmap performance for  non-
       root  users.   Unfortunately, many critical kernel interfaces (such as
       raw sockets) require root privileges.  nmap  should  be run  as  root
       whenever possible (not setuid root, of course).

 

# 注释 :尽可能地以 root 身份运行 nmap ,不过 nmap 不是 setUID 程序

 

 

       The  result  of running nmap is usually a list of interesting ports on
       the machine(s) being scanned (if any).  Nmap always gives  the  port’s
       "well  known" service name (if any), number, state, and protocol.  The
       state is either "open", "filtered", or "unfiltered".  Open means  that
       the  target  machine will accept() connections on that port.  Filtered
       means that a firewall, filter, or other network obstacle  is  covering
       the  port  and  preventing  nmap  from determining whether the port is
       open.  Unfiltered means that the port is known by nmap  to  be  closed
       and no firewall/filter seems to be interfering with nmap’s attempts to
       determine this. Unfiltered ports are the common  case  and  are  only
       shown when most of the scanned ports are in the filtered state.

 

# 注释 :运行 nmap 一般会得到目标主机上的端口列表。nmap 会自动识别出 well-known 端口、服务、协议

 

# 以及端口的状态 :open、filtered、unfiltered 。

 

# "open" 意味着目标主机可以在该端口上接受连接。

 

# "filtered" 意味着有一个防火墙存在,它禁止了 nmap 对该端口状态的探测

 

# "unfiltered" 意味着 nmap 知道该端口被关闭,且没有防火墙对 nmap 的行为进行阻止,应该就是真的关闭了。

 

# unfiltered 端口是很常见的状况,只有在被扫描的很多端口都是 filtered 状态时才会被显示

 

 

       Depending  on options used, nmap may also report the following charac-
       teristics of the remote host: OS in use, TCP sequentiality,  usernames
       running the  programs  which  have  bound to each port, the DNS name,
       whether the host is a smurf address, and a few others.

 

# 注释 :根据不同的选项,nmap 会自动报告远程主机的某些属性 :

 

#     -)1、正在使用的操作系统

 

#     -)2、TCP sequentiality

 

#     -)3、运行于每个端口上的程序的用户名

 

#     -)4、DNS 名称

 

OPTIONS
       Options that make sense together  can  generally  be  combined.  Some
       options are  specific to certain scan modes.  nmap tries to catch and
       warn the user about psychotic or unsupported option combinations.

 

       If you are impatient, you can skip to the examples section at the end,
       which demonstrates common usage.  You can also run nmap -h for a quick
       reference page listing all the options.

 

# 注释 :你可以执行 nmap -h 打印一个快速的参考用法

 

 

SCAN TYPES

 

# 注释 :下面的选项都是用于指定扫描选项的

 

       -sS    TCP SYN scan: This technique is often  referred  to  as  "half-
       open"  scanning, because you don’t open a full TCP connection.
       You send a SYN packet, as if you are going to open a real  con-
       nection  and  you  wait for a response. A SYN|ACK indicates the
       port is listening. A RST is indicative of a non-listener.  If a
       SYN|ACK is received, a RST is immediately sent to tear down the
       connection (actually our OS kernel does this for us). The  pri-
       mary  advantage  to this scanning technique is that fewer sites
       will log it.  Unfortunately you need root privileges  to build
       these  custom  SYN  packets.  This is the default scan type for
       privileged users.

 

# 注释 :-sS 指定采用 "TCP SYN scan" 的扫描模式。这个技术也常被称为 "half open scan" 。

 

# 因为该方法并不会打开一个完整的 TCP 连接,你只是发出一个 SYN 包,就象你要打开一个 TCP

 

# 连接一样,然后你就等待  SYN+ACK 包。

 

# 如果收到一个 SYN+ACK 的包,就表明该接口是处于监听的状态; 如果是 RST 则表示处于关闭的状态(inactive)

 

# 一旦收到了 SYN+ACK,nmap 就发送一个 RST 取消这次连接

 

# 这个方法的好处是很多站点不会记录这种类型的尝试,也就是不会留下痕迹。不过你需要有 root 权限才能构造一个 SYN 包

 

# 这也是对于 root 用户来说的默认扫描类型

 


 

       -sT    TCP connect() scan: This is the most basic form  of  TCP scan-
       ning. The connect() system call provided by your operating sys-
       tem is used to open a connection to every interesting  port  on
       the  machine. If the port is listening, connect() will succeed,
       otherwise the port isn’t reachable.  One strong advantage  to
       this  technique  is that you don’t need any special privileges.
       Any user on most UNIX boxes is free to use this call.

 

# 注释 :-sT 是 TCP connect()扫描模式。这是 TCP 扫描中最基本的形式。

 

# connect()系统调用用于打开一个到你想测试的端口的连接。

 

# 假如端口是处于 LISTENING 的状态,connect()会成功,否则表示端口不可达(port unreachable)

 

# 一个很大的好处就是使用这项技术时你不需要是特权用户(例如 root),

 

# 任何普通用户都可以自由使用该扫描模式

 

 

       This sort of scan is easily detectable as target host logs will
       show  a bunch of connection and error messages for the services
       which accept() the connection just to have it immediately shut-
       down.  This is the default scan type for unprivileged users.

 

# 注释 :这类扫描很容易被检测到并被目标主机检测到。

 

# 因为在日志中将会看到有很多的 inbound 的连接,而在服务接受连接后,又立刻中断连接

 

# 这是非特权用户的默认扫描模式

 

 

       -sF -sX -sN
       Stealth  FIN,  Xmas  Tree,  or Null scan modes: There are times
       when even SYN scanning isn’t clandestine enough. Some firewalls
       and packet filters watch for SYNs to restricted ports, and pro-
       grams like Synlogger and Courtney are available to detect these
       scans.  These advanced scans, on the other hand, may be able to
       pass through unmolested.

 

# 注释 :-sF,-sX,-sN 分别代表 Stealth FIN、Xmas Tree、Null scan 这三种模式。

 

# 有些情况即使使用 SYN 扫描也不够隐秘,某些防火墙会持续监控那些到受限端口的 SYN 连接。

 

# 还有一些象 synlogger 或者 Courtney 的工具可以检测出这些扫描(-sS)

 

# 而 Stealth FIN、Xmas Tree、Null scan 可能可以骗过这些检测工具

 

 

       The idea is that closed ports are required  to  reply  to  your
       probe  packet  with  an  RST,  while open ports must ignore the
       packets in question (see RFC 793 pp 64). The FIN scan  uses  a
       bare  (surprise) FIN  packet as the probe, while the Xmas tree
       scan turns on the FIN, URG, and  PUSH  flags.   The  Null  scan
       turns  off  all  flags. Unfortunately  Microsoft (like usual)
       decided to completely ignore the standard and do things their
       own  way.   Thus this  scan type will not work against systems
       running Windows95/NT.  On the positive side, this is a good way
       to  distinguish  between the two platforms.  If the scan finds
       open ports, you know the machine is not a Windows  box. If  a
       -sF,-sX,or  -sN  scan  shows  all ports closed, yet a SYN (-sS)
       scan shows ports being opened, you are probably  looking at  a
       Windows  box.   This is less useful now that nmap has proper OS
       detection built in.  There are also a few  other systems  that
       are  broken  in  the  same way Windows is.  They include Cisco,
       BSDI, HP/UX, MVS, and IRIX.  All of the above send resets  from
       the open ports when they should just drop the packet.

 

# 注释 :想法是 : 一个端口如果是被关闭的状态,则它需要对你的探测返回一个 RST 包。

 

# 而那些处于 open 状态的端口,应该忽略你的探测包,也就是直接 DROP 掉。

 

# 所以 Stealth FIN 就是 nmap 发送一个 FIN 包作为探测,而 Xmas Tree scan 则是使用 FIN、URG、PUSH

 

# 至于 Null scan 则关闭所有标记(什么标记都不设置)。

 

# 不幸的是,微软完全并不遵照标准,而是以它们的方式行事

 

# 所以这类型的扫描对于 Win95/NT 来说不其作用。

 

# 不过从另外一个角度来说,这也可以用于区分目标主机的操作系统类型是否为 Windows

 

#     -)1、如果扫描可以找到 open 的端口,则可以确定目标主机不是 Windows 主机

 

#     -)2、如果扫描显示所有端口都是关闭的状态,则可能目标主机是一台 Windows 主机

 

# 不过现在 nmap 已经有了 OS 探测功能,所以这个功能没有太大用途。

 

# 也有一些操作系统的行为和 windows 类似,包括 Cisco、HP/UX、IRIX 等。

 


# 补充 :TCP flags 中的 8 个控制位的含义 :

 

CWR �C Congestion Window Reduced (CWR) flag is set by the sending host to indicate that it received a TCP segment with the ECE flag set (added to header by RFC 3168). 
ECE (ECN-Echo) �C indicate that the TCP peer is ECN capable during 3-way handshake (added to header by RFC 3168). 
URG �C indicates that the URGent pointer field is significant                            # 注释 :表示这是一个紧急连接
ACK �C indicates that the ACKnowledgement field is significant                        # 注释 :响应包
PSH �C Push function                                                                                    # 注释 :PUSH 功能
RST �C Reset the connection                                                                         # 注释 :重置
SYN �C Synchronize sequence numbers 
FIN �C No more data from sender

 

       -sP    Ping scanning: Sometimes you only want to know which hosts on a
       network are up.  Nmap can do this by sending ICMP echo  request
       packets to every IP address on the networks you specify. Hosts
       that  respond  are  up. Unfortunately, some  sites  such  as
       microsoft.com  block  echo request packets.  Thus nmap can also
       send a TCP ack packet to (by default) port 80.  If  we  get  an
       RST back, that machine is up.  A third technique involves send-
       ing a SYN packet and waiting for a RST or a SYN/ACK.  For  non-
       root users, a connect() method is used.

 

# 注释 :-sP 代表 Ping scanning 模式。有时候你只是想知道目标主机是否处于运行状态。

 

# Nmap 通过发送 ICMP ECHO_REQUEST 包到你指定的每台主机上来扫描

 

# 不过很多站点都屏蔽了 ICMP ECHO_REQUEST ,所以 nmap 允许发送一个 TCP ack 包到 80 端口,

 

# 如果收到一个 RST 包,则表明机器是 up 的状态,否则它也不会返回 RST 包了

 


       By  default  (for  root users), nmap uses both the ICMP and ACK
       techniques in parallel.  You can change the -P option described
       later.

 

# 注释 :对于 root 用户来说,nmap 默认同时使用 ICMP 和 ACK ,

 


       Note  that  pinging  is  done by default anyway, and only hosts
       that respond are scanned.  Only use this option if you wish  to
       ping sweep without doing any actual port scans.

 

# 注释 :要注意,ping 是在什么情况下都会做的,只有回应的主机才会被扫描

 

# 所以该功能实际上不能做什么

 

       -sV    Version  detection:  Afer  TCP  and/or UDP ports are discovered
       using one of the other scan methods, version detection communi-
       cates  with those ports to try and determine more about what is
       actually running.  A file called nmap-service-probes is used to
       determine  the  best  probes for detecting various services and
       the match strings to expect.  Nmap tries to determine the  ser-
       vice  protocol  (e.g.  ftp, ssh, telnet, http), the application
       name (e.g. ISC Bind, Apache httpd, Solaris telnetd),  the  ver-
       sion  number,  and sometimes miscellaneous details like whether
       an X server is open to connections or  the  SSH  protocol  ver-
       sion).  If Nmap was compiled with OpenSSL support, it will con-
       nect to SSL servers to deduce the service listening behind  the
       encryption.   When  RPC  services  are discovered, the Nmap RPC
       grinder is used to determine the RPC program and version  num-
       bers.   Some  UDP  ports are left in the "open|filtered" state
       after a UDP scan is unable to determine  whether the  port  is
       open  or filtered.   Version  detection will  try to elicit a
       response from these ports (just as it does  with open  ports),
       and change the state to open if it succeeds. Note that the Nmap
       -A option also enables this feature.  For a much more  detailed
       description  of  Nmap  service  detection,  read our  paper at
       http://www.insecure.org/nmap/versionscan.html  .  There is  a
       related  --version_trace option which causes Nmap to print out
       extensive debugging info about what version scanning  is doing
       (this is a subset of what you would get with --packet_trace).

 

# 注释 :-sV 是 version 探测模式。它在端口状态探测后尝试做更多的探测。

 

# 例如上面都运行有那些服务?服务的进程名是什么?版本是多少?

 

# 还会探测其他有用的信息,例如是否启动了 X Window server ?

 

# 如果 Nmap 在编译时加入了 OpenSSL 支持,它还会尝试连接到 SSL 服务器

 

# 来推导出在 SSL 后面有那些隐藏的服务。

 

# Nmap 还可以探测 RPC 服务,例如 NFS 服务

 

# 注释 :不过 -sV 可能会导致某些 UDP 端口的状态是 "open|filtered" ,表示 nmap 无法判断是什么状态

 


       -sU    UDP  scans:  This  method  is used to determine which UDP (User
       Datagram Protocol, RFC 768) ports are  open  on  a  host.   The
       technique  is  to  send  0 byte UDP packets to each port on the
       target machine.  If we receive an ICMP  port  unreachable  mes-
       sage,  then  the port is closed. If a UDP response is received
       to the probe (unusual),  the  port  is  open.   If  we  get  no
       response at all, the state is "open|filtered", meaning that the
       port is either open or packet filters are blocking the communi-
       cation. Versions scan (-sV) can be used to help differentiate
       the truly open ports from the filtered ones.

 

# 注释 :-sU 表示 UDP scan 模式。它用于探测一台主机上有那些 UDP 端口是处于打开的状态。

 

# 该模式发送一个 0 字节的 UDP 包到目标主机的每个端口。

 

# 假如收到一个 ICMP port-unreachable 消息,则表示端口是关闭的状态。

 

# 如果收到一个响应,则表示是打开的状态。

 

# 这时使用 -sV 可以帮助你区分该端口是 open 还是被过滤的状态

 

 

       Some people think UDP scanning is pointless. I  usually  remind
       them  of the Solaris rpcbind hole. Rpcbind can be found hiding
       on an undocumented  UDP  port  somewhere above  32770.  So  it
       doesn’t matter that 111 is blocked by the firewall. But can you
       find which of the more than 30,000 high ports it is  listening
       on?  With  a  UDP  scanner you can!  There is also the cDc Back
       Orifice backdoor program which hides on a configurable UDP port
       on Windows machines.  Not to mention the many commonly vulnera-
       ble services that utilize UDP such as snmp, tftp, NFS, etc.

 

# 注释 :某些人认为 UDP scanning 没有什么用。但实际上它可以用于发现一些

 

# 不被注意的端口,尤其是 RPC 服务打开的 3xxxx 端口、或者 DNS 服务的 query 端口。

 

# 使用 UDP scanning 你可以发现这些被忽略的端口

 


       Unfortunately UDP scanning is sometimes  painfully  slow since
       most hosts implement a suggestion in RFC 1812 (section 4.3.2.8)
       of limiting the ICMP error  message  rate.   For example,  the
       Linux  kernel  (in net/ipv4/icmp.h) limits destination unreach-
       able message generation to 80 per 4 seconds, with a 1/4  second
       penalty if that is exceeded.  Solaris has much more strict lim-
       its (about 2 messages per second) and thus takes even longer to
       scan.   nmap  detects this rate limiting and slows down accord-
       ingly, rather than flood the network with useless packets  that
       will be ignored by the target machine.

 

# 注释 :不幸的是,UDP scanning 有时候会非常慢,

 

# 因为大部分主机都会按照 RFC 1812 标准,用于自动抑制 ICMP 消息的发送速率

 

# 例如 linux 内核会限制 ICMP destination unreachable 消息的速率为 80个/4秒,也就是1秒最多 20个。

 

# 而 Solaris 则更加严格了,每秒最多2个。

 

# 所以 UDP scanning 有时会很长时间

 

# 补充 :操作系统那里可以配置 ICMP 的发送速率

 

# linux 下允许配置的速率有 :

 

#     -)1、icmp_destunreach_rate

 

#     -)2、icmp_echoreply_rate

 

#     -)3、icmp_paramprob_rate

 

#     -)4、icmp_timeexceed_rate

 

 

       As  is typical, Microsoft ignored the suggestion of the RFC and
       does not seem to do any rate limiting at all on  Win95  and  NT
       machines.   Thus we can scan all 65K ports of a Windows machine
       very quickly.  Whoop!

 

# 注释 :不过 Win95/NT 不做该限制。所以在 windows 主机上可以非常快的扫描完 65535 个 UDP 端口

 


       -sO    IP protocol scans: This method is used to  determine  which  IP
       protocols  are  supported  on a host.  The technique is to send
       raw IP packets without any  further  protocol  header  to  each
       specified  protocol  on  the  target machine.  If we receive an
       ICMP protocol unreachable message, then the protocol is not  in
       use.   Otherwise we  assume  it is open.  Note that some hosts
       (AIX, HP-UX, Digital UNIX) and firewalls may not send  protocol
       unreachable  messages.   This  causes  all  of the protocols to
       appear "open".

 

# 注释 :-sO 是 "IP Protocol scan" 的含义。这个方法是用于判断目标主机上使用的是什么协议。

 


# 注释 :由于 -sO 也是依赖于 ICMP protocol unreachable 消息,所以也会收到 ICMP 消息速率限制的影响。

 

# 注释 :由于某些操作系统不返回 ICMP protocol unreachable ,所以可能造成探测错误

 

       Because the implemented technique is very similar to  UDP  port
       scanning,  ICMP rate limit might apply too. But the IP protocol
       field has only 8 bits, so at most 256 protocols can  be  probed
       which should be possible in reasonable time anyway.

 

# 注释 :由于 ip 包的 protocol 字段有8bit,所以最多可以探测 256 种协议

 

       -sI <zombie host[:probeport]>
       Idlescan:  This  advanced  scan method allows for a truly blind
       TCP port scan of the target (meaning no packets are sent to the
       target  from  your  real IP address).  Instead, a unique side-
       channel  attack  exploits  predictable  "IP  fragmentation  ID"
       sequence generation  on the  zombie host to glean information
       about the open ports on the target.  IDS systems will  display
       the  scan  as coming from the zombie machine you specify (which
       must be up and meet certain criteria).   I  wrote  an  informal
       paper about   this   technique    at    http://www.insecure.org/nmap/idlescan.html .

 

# 注释 :-sI 也叫 Idle scan 。这个高级扫描模式允许对目标主机的完全透明的 TCP 端口扫描。

 

# 也就是说不会有任何来自你的真正 ip 的包被发送到目标主机。

 

    Besides  being  extraordinarily  stealthy  (due  to  its blind

       nature), this  scan  type  permits  mapping out IP-based trust
       relationships between machines.  The port  listing  shows  open
       ports  from the perspective of the zombie host.  So you can try
       scanning a target using various zombies that you think might be
       trusted  (via  router/packet  filter rules).  Obviously this is
       crucial information when prioritizing attack  targets.   Other-
       wise, you penetration testers might have to expend considerable
       resources "owning" an intermediate system,  only to  find  out
       that  its  IP isn’t even trusted by the target host/network you
       are ultimately after.

 

       You can add a colon followed by a port number if you  wish  to
       probe  a particular  port on the zombie host for IPID changes.
       Otherwise Nmap will use the port it uses by  default  for  "tcp
       pings".

 

       -sA    ACK scan: This advanced method is usually used to map out fire-
       wall rulesets.  In particular, it can help determine whether  a
       firewall is stateful or just a simple packet filter that blocks
       incoming SYN packets.

 

    # 注释 :-sA 表示 ACK scan 。主要是用于映射出防火墙的规则集。

 

    # 也就是说,它可以帮助以判断是防火墙的原因还是只是 SYN 包被阻挡了而已

 

       This scan  type  sends  an  ACK  packet  (with  random  looking
       acknowledgment/sequence  numbers) to the ports specified.  If a
       RST comes back, the ports is classified  as  "unfiltered".   If
       nothing comes back (or if an ICMP unreachable is returned), the
       port is classified  as  "filtered".   Note  that nmap  usually
       doesn’t  print "unfiltered" ports, so getting no ports shown in
       the output is usually a sign that all the  probes  got  through
       (and  returned RSTs). This scan will obviously never show ports
       in the "open" state.

 

    # 注释 :这个类型的扫描会发送一个 ACK 包(带有随机的  ack/seq 编号) 到指定端口,

 

    # 假如返回一个 RST ,则端口被认为是 "unfiltered" 。

 

    # 假如什么都不返回(或者返回一个 ICMP 不可达消息),则认为是 "filter"

 

    # 注释 :要注意,nmap 通常不打印 “filtered" 状态的端口。所以返回的结果都是那些通过的端口(返回 RST )

 

    # 这个扫描永远不会出现处于 open 状态的端口

   


 

       -sW    Window scan: This advanced scan is  very similar  to  the  ACK
       scan, except that it can sometimes detect open ports as well as
       filtered/unfiltered due to an anomaly in the  TCP  window  size
       reporting  by  some  operating  systems. Systems vulnerable to
       this include at least some versions of AIX, Amiga, BeOS, BSDI,
       Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX,
       OS/2, IRIX, MacOS, NetBSD, OpenBSD,  OpenStep,  QNX,  Rhapsody,
       SunOS  4.X,  Ultrix,  VAX,  and  VxWorks.  See the nmap-hackers
       mailing list archive for a full list.

 

    # 注释 :-sW 表示 Window scan 。和它 ACK scan (-sA)很像,但它有时候可以探测

 

    # 出 open 状态的端口,而 -sA 只能探测出 filtered、unfiltered 状态的而已。

 

    # 主要是由于 -sW 发送的 ACK 包中有异常的 window size 值。

 

    # 受次探测类型影响的有很多。

 


       -sR    RPC scan.  This method works in combination  with  the  various
       port  scan  methods  of  Nmap.   It takes all the TCP/UDP ports
       found open and then floods them with SunRPC program  NULL  com-
       mands  in  an  attempt to determine whether they are RPC ports,
       and if so, what program and version number they serve up.  Thus
       you  can effectively obtain the same info as "rpcinfo -p" even
       if the target’s portmapper is behind a firewall  (or  protected
       by  TCP wrappers).  Decoys do not currently work with RPC scan,
       at some point I may add decoy support for UDP RPC scans.

 

    # 注释 :-sR 表示 RPC Scan 。该方法组合了 nmap 多种端口扫描方法,

 

    # 它找出所有 open 状态的 TCP/UDP 端口,然后用 SunRPC 的 NULL 命令

 

    # 进行测试,看是否它们是一个 RPC 端口。

 

    # 如果是的话,是什么程序运行在上面?版本是多少?

 

    # 所以你可以获得类似于 rpcinfo -p 的输出,即使目标主机在防火墙之后,或者被 Tcpwrapper 所保护

 


       -sL    List scan.  This method simply generates and prints a  list  of
       IP  addresses  or  hostnames  without  actually pinging or port
       scanning them.  DNS name resolution will be  performed  unless
       you use -n.

 

    # 注释 :-sL 表示 List scan 。该方法生成并打印一个 ip 地址/主机名列表

 

    # 但不 ping 或者扫描端口。你可以用 -n 禁止 DNS 解释

 

       -b <ftp relay host>
       FTP bounce attack: An interesting "feature" of the ftp protocol
       (RFC 959) is support for "proxy"  ftp  connections.  In other
       words,  I  should  be  able to connect from evil.com to the FTP
       server of target.com and request that the server send  a  file
       ANYWHERE on  the  Internet!   Now this may have worked well in
       1985 when the RFC was written.  But  in  today’s Internet,  we
       can’t  have  people  hijacking  ftp servers and requesting that
       data be spit out to arbitrary points on the Internet. As *Hob-
       bit*  wrote  back  in  1995, this protocol flaw "can be used to
       post virtually untraceable mail and news, hammer on servers  at
       various  sites, fill up disks, try to hop firewalls, and gener-
       ally be annoying and hard to track down at the same time." What
       we  will exploit  this for is to (surprise, surprise) scan TCP
       ports from a "proxy" ftp server. Thus you could connect  to  an
       ftp server behind a firewall, and then scan ports that are more
       likely to be blocked (139 is a good one).  If  the  ftp  server
       allows  reading  from  and  writing  to some directory (such as
       /incoming), you can send arbitrary data to ports that  you  do
       find open (nmap doesn’t do this for you though).

 

       The  argument  passed to the "b" option is the host you want to
       use as a proxy, in standard URL notation.  The format is: user-
       name:password@server:port.   Everything but server is optional.
       To determine what servers are vulnerable to  this  attack,  you
       can  see my article in Phrack 51.  An updated version is avail-
       able at the nmap URL (http://www.insecure.org/nmap).

 

GENERAL OPTIONS

# 注释 :下面介绍通用选项部分

 

       None of these are required but some can be quite useful.  Note
       that  the  -P  options  can now be combined -- you can increase
       your odds of penetrating strict firewalls by sending many probe
       types using different TCP ports/flags and ICMP codes.

 

# 注释 :下面这些选项都不是必须的,但都很有用。

 

# 要注意,-P 选项现在可以被组合,你可以使用不同的 TCP 端口/标记和 ICMP 消息

 

       -P0    Do  not  try  to ping hosts at all before scanning them.  This
       allows the scanning of networks  that  don’t  allow  ICMP  echo
       requests (or responses) through their firewall. microsoft.com
       is an example of such a network, and thus you should always use
       -P0  or -PS80 when portscanning microsoft.com.  Note tht "ping"
       in this context may involve more than the traditional ICMP echo
       request  packet.  Nmap  supports  many  such probes, including
       arbitrary combinations  of  TCP, UDP,  and  ICMP  probes.   By
       default, Nmap  sends an ICMP echo request and a TCP ACK packet
       to port 80.

 

# 注释 :-P0 表示在扫描主机前不先做 ping 操作。这样对那些不允许 ICMP ECHO_REQUEST

 

# 的主机也会进行扫描。要注意,在这里的 ping 不仅仅指 ICMP ping ,而是指前面的 -sP 操作

 

# 也就是 ICMP ping + 发送到 80 端口的 ACK

 

 

       -PA [portlist]
       Use TCP ACK "ping" to determine what hosts are up.  Instead  of
       sending  ICMP  echo request packets and waiting for a response,
       we spew out TCP ACK packets throughout the target  network  (or
       to  a  single  machine)  and then wait for responses to trickle
       back.  Hosts that are up should respond  with  a  RST.  This
       option preserves the efficiency of only scanning hosts that are
       up while still allowing you to scan networks/hosts  that block
       ping  packets.   For  non root UNIX users, we use connect() and
       thus a SYN is actually being  sent.   To set  the  destination
       ports  of  the  probe packets use -PA<port1>[,port2][...].  The
       default port is 80, since this port is often not filtered  out.
       Note  that  this option now accepts multiple, comma-separated
       port numbers.

 

# 注释 :-PA 表示使用 TCP ACK ping 来判断主机是否 up ,而不是使用 ICMP ping

 

# nmap 发送一个 TCP ACK 包到目的主机/网络,然后等待 RST 包的响应。

 

# 如果收到 RST 包,表示主机是 up 的。

 

# 所以你可以用功能得出那些主机是禁止了 PING 包。对于非 root 用户,nmap 使用 connect()而不是 TCP ACK

 

# 你可以指定目标端口,默认是 80 。因为这个端口一般不会被过滤掉。

 

# 多个端口可以使用逗号进行分隔。

 


       -PS [portlist]
       This option uses SYN (connection request)  packets  instead  of
       ACK  packets  for root users.  Hosts that are up should respond
       with a RST (or, rarely, a SYN|ACK).  You can set the  destina-
       tion ports in the same manner as -PA above.

 

# 注释 :-PS 表示对于 root 用户,使用 SYN (连接请求)来代替 ACK ping

 

# 如果是 up 的主机应该返回一个 RST 或者 SYN+ACK ,你也可以设置端口

 

       -PU [portlist]
       This  option sends UDP probes to the specified hosts, expecting
       an ICMP port unreachable packet (or possibly a UDP response  if
       the  port  is open) if the host is up.  Since many UDP services
       won’t reply to an empty packet, your best bet might be to  send
       this to expected-closed ports rather than open ones.

 

# 注释 :-PU 表示使用 UDP 来探测主机,

 

       -PE    This  option  uses  a true ping (ICMP echo request) packet.  It
       finds hosts that are up  and  also  looks  for  subnet-directed
       broadcast  addresses  on your network.  These are IP addresses
       which are externally reachable and translate to a broadcast  of
       incoming IP packets to a subnet of computers.  These should be
       eliminated if found as they allow for numerous denial  of  ser-
       vice attacks (Smurf is the most common).

 

# 注释 :-PE 表示使用真正的 ping 包 (ICMP ECHO_REQUEST)。、

 

 

       -PP    Uses an ICMP timestamp request (type 13) packet to find listening hosts.

 

# 注释 :-PP 表示使用一个 ICMP timestamp 请求(type=13)来探测

 

 

       -PM    Same as -PE and -PP except uses a netmask  request  (ICMP  type 17).

 

# 注释 :-PM 表示使用 ICMP NETMASK 请求(类型=17)

 

 

       -PB    This  is the  default ping type.  It uses both the ACK ( -PA )
       and ICMP echo request ( -PE ) sweeps in parallel.  This way you
       can  get firewalls that filter either one (but not both).  The
       TCP probe destination port can be set in the  same  manner  as
       with -PA above.  Note that this flag is now deprecated as ping-
       type flags can now be used in combination.  So you  should  use
       both "PE" and "PA" (or rely on the default behavior) to achieve
       this same effect.

 

# 注释 :-PB 是默认的 ping 类型。使用 TCP ACK ping 和 ICMP ping

 

# 现在不建议使用该项,使用 -PE 后者 -PA 更好

 

       -O     This option activates remote  host  identification  via  TCP/IP
       fingerprinting. In other words, it uses a bunch of techniques
       to detect subtleties in the underlying operating system network
       stack of the computers you are scanning. It uses this informa-
       tion to create a "fingerprint"  which  it  compares  with  its
       database of  known  OS  fingerprints (the nmap-os-fingerprints
       file) to decide what type of system you are scanning.

 

# 注释 :-O 选项通过 TCP/IP 指纹激活远程主机的身份认证。

 

# 也就是说,它使用一系列的技术来检测目标主机的操作系统的网络堆栈的信息,

 

# 然后和一些已知的“指纹”数据库比较,得出远程主机的操作系统类型

 

       If Nmap is unable to guess the OS of a machine, and  conditions
       are good (e.g. at least one open port), Nmap will provide a URL
       you can use to submit the fingerprint if you  know  (for sure)
       the OS running on the machine.  By doing this you contribute to
       the pool of operating systems known to nmap and thus it will be
       more  accurate  for  everyone.   Note  that  if you leave an IP
       address on the form, the machine may be scanned when we add the
       fingerprint (to validate that it works).

 

# 注释 :假如 nmap 无法获得一个主机的 OS 类型,但可以探测到一个打开的端口,

 

# 则 nmap 会提供一个 URL ,你可以用它来提交该指纹,前提是你知道目标主机的 OS

 

       The  -O  option  also  enables several other tests.  One is the
       "Uptime" measurement, which uses the TCP timestamp option  (RFC
       1323)  to guess when a machine was last rebooted.  This is only
       reported for machines which provide this information.

 

# 注释 :-O 选项允许其他的测试。其中一个就是 Uptime 的计算,它使用 TCP timestamp 选项

 

# 来猜测一台机器最近一次重启的时间。

 

       Another test enabled by -O is TCP Sequence Predictability Clas-
       sification.  This is a measure that describes approximately how
       hard it is to establish a forged TCP  connection  against  the
       remote  host.   This  is useful for exploiting source-IP based
       trust relationships (rlogin, firewall filters, etc) or for hid-
       ing  the source of an attack.  The actual difficulty number is
       based on statistical sampling and may fluctuate. It is  gener-
       ally  better  to use the English classification such as "worthy
       challenge" or "trivial joke".  This is only reported in  normal
       output with -v.

 

# 注释 :另外一个测试就是 TCP sequence 预测功能。

 

# 这其实是为了伪造 TCP 连接所用的,它可以猜出大概的 TCP 序号

 

# 这对于窃取基于ip信任关系的会话(rlogin、rsh 等)或者隐藏自己的 ip 都有用。

 

# 它并不能百分百的猜对,它是依靠统计和采样来计算的。

 

# 这个只有用 -v 时才会显示

 

    When  verbose mode (-v) is on with -O, IPID Sequence Generation

       is also reported.   Most machines  are  in  the "incremental"
       class, which means that they increment the "ID" field in the IP
       header for each packet they send.  This makes  them  vulnerable
       to several advanced information gathering and spoofing attacks.

 

# 注释 :当 -v 和 -O 一起使用时,IPID sequence Generation 会被报告

 

# 大部分主机是以升序的方式来生成它们所发送的每个 packet 的 ip header 中的ID 域的

 

# 这就造成了有攻击的可能性

 

       --osscan_limit

       OS detection is far more effective if at least one open and one
       closed  TCP  port are found.  Set this option and Nmap will not
       even try OS detection against hosts that do not meet this  cri-
       teria.   This  can  save substantial time, particularly on -P0
       scans against many hosts.  It only matters when OS detection is
       requested (-O or -A options).

 

# 注释 :如果至少找到一个 open 和 unfiltered 状态的端口,则 os 的探测的效率还是可以的。

 

# --osscan_limit 选项表示如果被探测的主机不符合上面的两个条件就不做 OS 的探测。

 

# 这可以省下不少时间,尤其是在使用 -p0 扫描每个主机时。

 

# 该选项只有在你使用了 -O 或者 -A 时才有意义

 


       -A     This  option  enables  _a_dditional _a_dvanced and _a_ggressive
       options. I haven’t decided exactly which it stands for yet :).
       Presently  this  enables OS Detection (-O) and version scanning
       (-sV).  More features may be added in the future.  The point is
       to  enable  a  comprehensive set of scan options without people
       having to remember a large set  of  flags.   This  option  only
       enables  features, and not timing options (such as -T4) or ver-
       bosity options (-v) that you might wan’t as well.

 

# 注释 :-A 选项允许操作系统检测和 Version scan ,也就是集合了 -O 和 -sV

 


       -6     This options enables IPv6 support.  All targets must be IPv6 if
       this  option  is used, and they can be specified via normal DNS
       name  (AAAA  record)  or as  a  literal IP  address  such  as
       3ffe:501:4819:2000:210:f3ff:fe03:4d0  . Currently,  connect()
       TCP scan and TCP connect() Ping scan  are  supported.   If  you
       need    UDP   or  other  scan types,  have a   look   at
       http://nmap6.sourceforge.net/ .

 

       -f     This option causes the requested SYN, FIN, XMAS, or  NULL  scan
       to use tiny fragmented IP packets.  The idea is to split up the
       TCP header over several packets to make it  harder  for  packet
       filters, intrusion  detection systems, and other annoyances to
       detect what you are doing. Be careful with this! Some  programs
       have  trouble  handling these tiny packets. My favorite sniffer
       segmentation  faulted  immediately  upon receiving  the first
       36-byte  fragment.  After  that comes a 24 byte one! While this
       method won’t get by packet filters and firewalls that queue all
       IP  fragments  (like  the CONFIG_IP_ALWAYS_DEFRAG option in the
       Linux kernel), some networks can’t afford the  performance  hit
       this causes and thus leave it disabled.

 

# 注释 :-f 表示 SYN scan、Stealth FIN、Xmas Tree、Null scan 都是很小的分段的 ip 报文

 

# 这么做主要是不让信息全部集中在一个 packet 中,这样可以逃过防火墙的检测。

 

# 不过要注意,很多的工具都无法检测/处理这些小的报文

 

# 注意,该方法对于那些会暂存报文的防火墙来说是无效的。

 

       Note that I do not yet have this option working on all systems.
       It works fine for my Linux, FreeBSD, and OpenBSD boxes and some
       people have reported success with other *NIX variants.

 

# 注释 :该选项在 linux / FreeBSD、OpenBSD 上可以使用

 

    -v     Verbose mode.  This is a highly recommended option and it gives

       out more information about what is going on.  You  can  use  it
       twice  for  greater effect.  You can also use -d a few times if
       you really want to get crazy with scrolling the screen!

 

# 注释 :-v 表示 verbose 模式。强烈建议使用该选项,不管你在做什么测试。

 

# 你可以使用多次已获得更多的信息。

 

      -h     This handy option display a  quick  reference  screen  of  nmap

       usage  options. As you may have noticed, this man page is not
       exactly a "quick reference" :)

 

# 注释 :-h 显示快速指引

 

       -oN <logfilename>
       This logs the results of your scans in a normal human  readable
       form into the file you specify as an argument.

 

# 注释 :-oN 表示把结果写入一个 human-readable 的文件

 


       -oX <logfilename>
       This  logs  the results of your scans in XML form into the file
       you specify as an argument.  This  allows  programs  to  easily
       capture  and interpret Nmap results.  You can give the argument
       "-" (without quotes) to shoot output  into  stdout  (for shell
       pipelines,  etc).   In  this  case  normal  output will be sup-
       pressed. Watch out for error messages if you  use  this (they
       will  still  go to stderr).  Also note that "-v" may cause some
       extra information to be printed. The Document Type  Definition
       (DTD)  defining  the  XML  output  structure  is available  at
       http://www.insecure.org/nmap/data/nmap.dtd .

 

# 注释 :-oX 表示以 XML 的格式输出结果到一个文件

 

       -oG <logfilename>
       This logs the results of your scans in a grepable form into the
       file  you  specify as an argument.  This simple format provides
       all the information on one line (so you  can  easily  grep  for
       port  or OS  information and see all the IPs.  This used to be
       the preferred mechanism for programs to interact with Nmap, but
       now  we recommend XML output (-oX instead).  This simple format
       may not contain as much information as the other formats.   You
       can give the argument "-" (without quotes) to shoot output into
       stdout (for shell pipelines, etc).  In this case normal  output
       will  be suppressed.   Watch out for error messages if you use
       this (they will still go to stderr).  Also note that "-v"  will
       cause some extra information to be printed.

 

# 注释 :-oG 以适用于 grep 的格式输出到指定文件。每个主机只有1行输出而已

 

# 不过该格式可能有些信息不会被输出

 

# 你可以用 - 作为指定文件名,表示输出到 stdout ,这样原来正常的输出就会被禁止。

 


       -oA <basefilename>
       This  tells  Nmap  to  log  in  ALL  the major formats (normal,
       grepable, and XML).  You give a base for the filename, and  the
       output files will be base.nmap, base.gnmap, and base.xml.

 

# 注释 :-oA 表示以全部的格式记录(normal、xml、grepable)。

 

# 你只需给出一个 basename ,nmap 会自动加上 .nmap , .gnmap , .xml 作为后缀名

 

 

       -oS <logfilename>
       thIs  l0gz  th3  r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM
       iNto THe fiL3 U sPecfy 4s an arGuMEnT!  U kAn gIv3 the 4rgument
       "-" (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!

 

 

       --resume <logfilename>
       A  network scan that is canceled due to control-C, network out-
       age, etc. can be resumed using this  option.   The  logfilename
       must  be either a normal (-oN) or grepable (-oG) log from the
       aborted scan.  No other options can be given (they will be  the
       same  as the  aborted  scan).   Nmap will start on the machine
       after the last one successfully scanned in the log file.

 

# 注释 :如果你因为某些原因用 CTRL-C 中断了扫描,你可以用 --resume 来恢复

 

# 不过指定的 log 必须是一个 normal 格式的(-oN)或者 grepable (-oG)文件,且该

 

# 文件是这次意味终止的扫描所输出的日志才可以恢复

 

# nmap 会自动从最后一个成功扫描的机器后开始继续

 


       --exclude <host1 [,host2][,host3],...">
       Specifies a list of targets  (hosts,  ranges,  netblocks)  that
       should  be  excluded  from a scan. Useful to keep from scanning
       yourself, your ISP, particularly sensitive hosts, etc.

 

# 注释 :--exclude 指定一个 target 列表,可以是由主机、ip 范围等组成。

 

# nmap 在扫描时将会跳过它们。

 


       --excludefile <exclude_file>
       Same functionality as the --exclude option, only the  excluded
       targets  are  provided  in  an  newline-delimited  exclude_file
       rather than on the command line.

 

# 注释 :--excludefile 和 --excluce 类似,不过是从文件读取

 

       --append_output
       Tells Nmap to append scan results to any output files you  have
       specified rather than overwriting those files.

 

# 注释 :--append_output 告诉 nmap 把扫描结果“追加”到输出文件

 

# 输出文件由上面的 -oN、-oX、-oG 指定

 


       -iL <inputfilename>
       Reads target specifications from the file specified RATHER than
       from the command line.  The file should contain a list of  host
       or  network expressions separated by spaces, tabs, or newlines.
       Use a hyphen (-) as inputfilename if you want nmap to read host
       expressions  from  stdin (like at the end of a pipe).  See the
       section  target  specification  for  more  information  on  the
       expressions you fill the file with.

 

# 注释 :-iL 表示从指定文件读入要扫描的主机

 

# 可以用空格、tab、newline 作为分行

 

# 也可以用 - 表示从 stdin 读取输入

 

       -iR <num hosts>
       This  option  tells  Nmap  to generate its own hosts to scan by
       simply picking random numbers :).  It will never end after  the
       given  number of IPs has been scanned -- use 0 for a never-end-
       ing scan.  This option can be useful for statistical  sampling
       of  the  Internet  to estimate various things.  If you are ever
       really bored, try nmap -sS -PS80 -iR 0 -p 80 to find  some  web
       servers to look at.

 

       -p <port ranges>
       This option specifies what ports you want to specify. For exam-
       ple "-p 23" will only try port 23 of the target  host(s).   "-p
       20-30,139,60000-"  scans ports between 20 and 30, port 139, and
       all ports greater than 60000.  The default is to scan all ports
       between  1 and 1024 as well as any ports listed in the services
       file which comes with nmap.  For IP  protocol  scanning  (-sO),
       this  specifies  the  protocol  number  you  wish  to  scan for
       (0-255).

 

# 注释 :-p 选项用于指定要扫描的目标端口。你可以指定端口范围,p1-p2。

 

# 也可已指定一个起始值,格式是 p1- 。 多个端口用逗号隔开。

 

# 默认是扫描所有端口(从 1- 1024),还有 /etc/services 文件中列出的所有端口。

 

# 对于 -sO 来说,由于协议位只有 8 bit ,所以只能从 0 -255 而已

 

       When scanning both TCP and UDP ports, you can specify a partic-
       ular  protocol  by  preceding the port numbers by "T:" or "U:".
       The qualifier lasts until you specify another  qualifier.   For
       example, the  argument  "-p  U:53,111,137,T:21-25,80,139,8080"
       would scan UDP ports 53,111,and 137, as well as the listed  TCP
       ports.   Note  that to scan both UDP & TCP, you have to specify
       -sU and at least one TCP scan type (such as -sS, -sF, or -sT).
       If  no  protocol qualifier is given, the port numbers are added
       to all protocol lists.

 

# 注释 :当同时扫描 TCP 和 UDP 端口时,你可以指定一个协议,例如 "T:" 后者 "U:" 。

 

# 它会一直起作用,直到你指定另外一个协议为止。

 

# 例如 -p U:53,111,T:22 表示扫描 UDP 53 和 111 以及 TCP 22 端口。

 

# 注释 :注意,如果要扫描两种协议,必须指定 -sU 和至少一种 TCP 扫描(-sS、-sF、-sT)

 

# 假如没有指定协议类型,则所有协议都会用

 


       -F Fast scan mode.
       Specifies that you only wish to scan for ports  listed  in  the
       services file which comes with nmap (or the protocols file for
       -sO).  This is obviously much faster than  scanning  all 65535
       ports on a host.

 

# 注释 :-F 表示快速扫描模式。表示只扫描 /etc/services 文件中的端口,

 

# 或者 -sO 指定的协议,这当然比扫描 65535 要快多了。

 


       -D <decoy1 [,decoy2][,ME],...>
       Causes  a  decoy scan to be performed which makes it appear to
       the remote host that the host(s) you  specify  as  decoys  are
       scanning the  target network too.  Thus their IDS might report
       5-10 port scans from unique IP addresses, but they  won’t  know
       which  IP  was  scanning them  and which were innocent decoys.
       While  this  can be  defeated  through  router  path  tracing,
       response-dropping,  and other "active" mechanisms, it is gener-
       ally an  extremely  effective  technique for  hiding  your  IP
       address.

 

# 注释 :-D 表示进行 decoy scan 可以对目标主机造成一种假象 : 有很多台主机都在扫描它

 

# 这样目标主机就会无法区分究竟那个是真正的扫描它们的 ip ,

 

# 不过这可以通过路由跟踪来发现最终的 ip

 

# 总而言之,decoy scan 是一种可以很好的隐藏你的 IP  的扫描方式

 


       Separate each  decoy  host with commas, and you can optionally
       use "ME" as one of the decoys to represent  the position  you
       want  your  IP  address to be used.  If you put "ME" in the 6th
       position or later, some common port  scan  detectors  (such  as
       Solar  Designer’s excellent scanlogd) are unlikely to show your
       IP address at all.  If you don’t use "ME", nmap will put you in
       a random position.

 

# 注释 :-D 允许你指定多个主机名,你可以用 'ME' 这个关键字来代表你的 ip

 

# 尽量把 'ME' 放在最后,因为有些检测软件无法列出很多的 ip

 

# 如果没有指定,nmap 将随机的插入到一个位置

 

       Note that the hosts you use as decoys should be up or you might
       accidentally SYN flood your targets.  Also it  will  be  pretty
       easy  to determine which host is scanning if only one is actu-
       ally up on the network.  You might want  to  use IP  addresses
       instead  of names (so the decoy networks don’t see you in their
       nameserver logs).

 

# 注释 :要注意,你用来做 Decoy 的主机应该是 up 状态的,

 

# 否则你可能会导致目标主机受到 SYN Flood 攻击(由于目标主机不是 up ,导致目标主机一直收不到 ACK ,造成 SYN Flood)

 

# 同样也很从一大堆的 down 状态的主机中找出唯一的 up 主机

 

 

       Also note that some "port scan  detectors"  will firewall/deny
       routing  to hosts that attempt port scans.  The problem is that
       many scan types can be forged (as  this  option  demonstrates).
       So  attackers  can  cause  such a machine to sever connectivity
       with important hosts such as  its  internet  gateway,  DNS  TLD
       servers, sites  like  Windows Update, etc.  Most such software
       offers  whitelist  capabilities, but  you  are unlikely   to
       enumerate  all  of  the  critical machines.  For this reason we
       never recommend taking action against port scans that  can  be
       forged,  including  SYN scans, UDP scans, etc.  The machine you
       block could just be a decoy
.

 

 

       Decoys are used both in the initial ping scan (using ICMP, SYN,
       ACK,  or whatever)  and during the actual port scanning phase.
       Decoys are also used during remote OS detection ( -O ).

 

# 注释 :Decoy 同样也用于 ping scan 和真正的端口扫描过程,也用于 -O (OS Scan)

 


       It is worth noting that using too many  decoys  may  slow  your
       scan  and  potentially  even make it less accurate.  Also, some
       ISPs will filter out your spoofed packets, although many (cur-
       rently most) do not restrict spoofed IP packets at all.

 

# 注释 :要注意,使用太多的 decoys 也会降低扫描的速度和精度

 


       -S <IP_Address>
       In  some circumstances, nmap may not be able to determine your
       source address ( nmap will tell you if this is the  case).   In
       this  situation, use -S with your IP address (of the interface
       you wish to send packets through).

 

# 注释 :某些情况下,nmap 无法判断你的ip 地址(这时它会告诉你该情况)

 

# 使用 -S 可以指定你的源 ip

 

       Another possible use of this flag is to spoof the scan to  make
       the  targets think that someone else is scanning them.  Imagine
       a company being repeatedly port scanned by a competitor!  This
       is not a supported usage (or the main purpose) of this flag.  I
       just think it raises an  interesting  possibility  that  people
       should be aware of before they go accusing others of port scan-
       ning them.  -e would generally be required  for  this  sort  of
       usage.

 

       -e <interface>
       Tells nmap what interface to send and receive packets on.  Nmap
       should be able to detect this but it will tell you if  it  can-
       not.

 

# 注释 :-e 告示 nmap 使用什么端口来发送/接收 packets 。

 

       --source_port <portnumber>
       Sets the source port number used in scans.  Many naive firewall
       and packet filter installations  make  an  exception  in their
       ruleset  to  allow  DNS  (53)  or FTP-DATA (20) packets to come
       through and establish a connection.  Obviously this  completely
       subverts the security advantages of the firewall since intrud-
       ers can just masquerade as FTP or DNS by modifying their source
       port.  Obviously for a UDP scan you should try 53 first and TCP
       scans should try 20 before  53. Note  that  this  is  only  a
       request  --  nmap will honor it only if and when it is able to.
       For example, you can’t  do  TCP ISN  sampling  all  from  one
       host:port  to  one  host:port,  so nmap changes the source port
       even if you used this  option. This  is  an  alias  for  the
       shorter, but harder to remember, -g option.

 

# 注释 :--source_port 指定探测包的源端口。有些防火墙会允许从 53 (DNS) 或者 20 (FTP-DATA)

 

# 的源端口的数据进入,所以这个时候你可以用 --source_port 来增加扫描成功的机率。

 

# 显而易见,在做 UDP 扫描时,你应该首先对  53 端口进行测试,而在做 TCP 端口扫描时,首选 20

 

# 不过要注意,这个选项并不是固定起作用,nmap 只是在可能的情况下才会这么做。

 

       Be  aware  that  there  is  a small performance penalty on some
       scans for using this option, because I sometimes store  useful
       information in the source port number.

 

       --data_length <number>
       Normally Nmap  sends  minimalistic packets that only contain a
       header.  So its TCP packets are generally  40  bytes  and  ICMP
       echo  requests  are  just 28.  This option tells Nmap to append
       the given number of random bytes to  most  of  the  packets  it
       sends.   OS  detection  (-O) packets are not affected, but most
       pinging and portscan packets are.  This slows things down,  but
       can be slightly less conspicuous.

 

       -n     Tells  Nmap to NEVER do reverse DNS resolution on the active IP
       addresses it finds.  Since DNS is often  slow,  this  can  help
       speed things up.

 

# 注释 :-n 告诉 nmap 不做 DNS 正向解释,这可以加快扫描的进度

 

       -R     Tells Nmap to ALWAYS do reverse DNS resolution on the target IP
       addresses.  Normally this is only done when a machine is found
       to be alive.

 

# 注释 :-R 表示对目标主机固定做 PTR 解释,找出其主机名。一般只有检测到目标主机是 up 时才做

 


       -r     Tells  Nmap  NOT to  randomize  the  order  in which ports are
       scanned.

 

# 注释 :-r 告诉 nmap 不要随机扫描端口,要按顺序扫描

 

       --ttl <value>
       Sets the IPv4 time to live field in sent packets to  the given
       value.

 

# 注释 :--ttl 设置发出去的扫描包的 TTL

 

       --randomize_hosts
       Tells  Nmap to shuffle each group of up to 2048 hosts before it
       scans them.  This can make the scans less  obvious  to  various
       network monitoring systems, especially when you combine it with
       slow timing options (see below).

 


       -M <max sockets>
       Sets the maximum number of sockets that will be used in  paral-
       lel  for a TCP connect() scan (the default).  This is useful to
       slow down the scan a  little  bit  and  avoid  crashing  remote
       machines.   Another  approach is to use -sS, which is generally
       easier for machines to handle.

 

# 注释 :-M 设置在做 TCP connect()scan 时同时允许使用的最多 sockets 数量。

 

# 它会稍微降低 scan 的速度,并防止远程主机的崩溃。另外一个方式是使用 -sS ,这样对于远程主机来说比较容易接受

 

       --packet_trace
       Tells Nmap to show all the packets it sends and receives in  a
       tcpdump-like  format.   This  can  be  tremendously  useful for
       debugging, and is also a good learning tool.

 

# 注释 :--packet_trace 告诉nmap按照 tcpdump 的格式输出它所发送/接收到的每个 packets

 


       --datadir [directoryname]
       Nmap obtains some special data at runtime in files named nmap-
       services,  nmap-protocols,  nmap-rpc, and nmap-os-fingerprints.
       Nmap first searches these files  in  the directory  option  to
       --nmapdir.   Any files not found there, are searched for in the
       directory specified  by  the  NMAPDIR  environmental  variable.
       Next  comes  ~/nmap,  and  then  a compiled-in location such as
       /usr/share/nmap .  As a last resort, Nmap will look in the cur-
       rent directory.

 

# 注释 :--datadir 指的是 nmap 一些静态数据的存放位置。默认是 /usr/share/nmap

 

# 这些数据包括 nmap-services、nmap-protocols、nmap-rpc、nmap-os-fingerprints

 

# nmap 首先搜索 --datadir 指定的目录,

 

# 其次搜索 NMAPDIR 环境变量指定的目录

 

# 再搜索 ~/nmap 目录

 

# 再搜索 /usr/share/nmap

 

# 如果还不行,最后是当前目录

 

TIMING OPTIONS

       Generally Nmap does a good job at adjusting for Network charac-
       teristics at runtime and scanning as  fast  as  possible while
       minimizing  that chances of hosts/ports going undetected.  How-
       ever, there are same cases where Nmap’s default  timing  policy
       may  not meet your objectives.  The following options provide a
       fine level of control over the scan timing:

 

# 注释 :一般情况下,nmap 在调整网络特性,

 

 

       -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
       These are canned timing policies for  conveniently  expressing
       your  priorities to  Nmap.  Paranoid mode scans very slowly in
       the hopes of avoiding detection by IDS systems.  It  serializes
       all scans (no parallel scanning) and generally waits at least 5
       minutes between sending packets. Sneaky is similar, except  it
       only waits 15 seconds between sending packets.  Polite is meant
       to ease load on the network and reduce the chances of  crashing
       machines.  It serializes the probes and waits at least 0.4 sec-
       onds between them.  Note that this is  generally at  least  an
       order  of  magnitude  slower than default scans, so only use it
       when you need to.  Normal is the default Nmap  behavior, which
       tries  to  run  as  quickly as possible without overloading the
       network or missing hosts/ports. Aggressive  This  option  can
       make  certain  scans (especially SYN scans against heavily fil-
       tered hosts) much faster.   It  is  recommended  for  impatient
       folks  with a fast net connection.  Insane is only suitable for
       very fast networks or where you don’t mind losing some informa-
       tion.   It  times  out  hosts in 15 minutes and won’t wait more
       than 0.3 seconds for individual probes.  It does allow for very
       quick network sweeps though :).

 

# 注释 :-T 用于控制 nmap 以什么速度探测,从最慢到最快分别是

 

#     -)1、Paranoid

 

#     -)2、Sneaky

 

#     -)3、Polite

 

#     -)4、Normal

 

#     -)5、Aggressive

 

#     -)6、Insane

 

       You  can also  reference  these by number (0-5).  For example,
       "-T0" gives you Paranoid mode and "-T5" is Insane mode.

 

       --host_timeout <milliseconds>
       Specifies the amount of time Nmap is allowed to spend  scanning
       a  single host before giving up on that IP.  The default timing
       mode has no host timeout.

 

# 注释 :--host_timeout 设置 nmap 在一台主机身上所消耗的最长时间,单位是毫秒。默认是无限

 

       --max_rtt_timeout <milliseconds>
       Specifies the maximum amount of time Nmap is  allowed  to  wait
       for  a  probe response before retransmitting or timing out that
       particular probe.  The default mode sets this to about 9000.

 

       --min_rtt_timeout <milliseconds>
       When the target hosts start to establish a pattern of  respond-
       ing very quickly, Nmap will shrink the amount of time given per
       probe.  This speeds up the scan, but can lead to missed packets
       when  a  response takes longer than usual.  With this parameter
       you can guarantee that Nmap will wait at least the given amount
       of time before giving up on a probe.

 

       --initial_rtt_timeout <milliseconds>
       Specifies  the  initial  probe timeout.  This is generally only
       useful when scanning firewalled hosts with -P0.  Normally  Nmap
       can  obtain  good RTT estimates from the ping and the first few
       probes.  The default mode uses 6000.

 

       --max_hostgroup <numhosts>
       Specifies the maximum number of hosts that Nmap is  allowed  to
       scan  in parallel.   Most  of the port scan techniques support
       multi-host operation, which makes them much quicker.  Spreading
       the  load  among multiple target hosts makes the scans gentler.
       The downside is increast results latency.  You need to wait for
       all  hosts in a group to finish, rather than having them pop up
       one by one.  Specify an argument of one for old-style (one host
       at  a  time) Nmap behavior.  Note that the ping scanner handles
       its own grouping, and ignores this value.

 

       --min_hostgroup <milliseconds>
       Specifies the minimum host group size  (see  previous  entry).
       Large  values  (such as 50) are often beneficial for unattended
       scans, though they do take up more memory.  Nmap may  override
       this  preference when it needs to, because a group must all use
       the same network interface, and some scan types can only handle
       one host at a time.

 

       --max_parallelism <number>
       Specifies  the  maximum number of scans Nmap is allowed to per-
       form in parallel.  Setting this to one means  Nmap  will never
       try  to scan more than 1 port at a time. It also effects other
       parallel scans such as ping sweep, RPC scan, etc.

 

       --min_parallelism <number>
       Tells Nmap to scan at least the given number of ports in paral-
       lel.   This can speed up scans against certain firewalled hosts
       by an order of magnitude.   But  be  careful  -- results  will
       become unreliable if you push it too far.

 

       --scan_delay <milliseconds>
       Specifies  the  minimum  amount  of time Nmap must wait between
       probes.  This is mostly useful to reduce network  load  or  to
       slow the scan way down to sneak under IDS thresholds.

 

# 注释 :--scan_delay 用于控制 nmap 在每次探测之间的

 

 

 

TARGET SPECIFICATION
       Everything that isn’t an option (or option argument) in nmap is
       treated as a target host specification.  The simplest  case  is
       listing  single  hostnames or IP addresses on the command line.
       If you want to scan a subnet of IP addresses,  you  can  append
       /mask  to  the  hostname or IP address.  mask must be between 0
       (scan the whole Internet) and 32 (scan the single  host  speci-
       fied).  Use /24 to scan a class "C" address and /16 for a class "B".

 

    # 注释 :任何不被 nmap 所识别的选项都被认为是目标主机的定义

 

    # 你可以一次列出多个主机或者 ip 地址。

 

    # 你可以用 <ip/mask> 的方式来指定子网掩码,mask 值是从 0 - 32

 

       Nmap also has a more powerful notation which lets  you  specify
       an  IP  address  using lists/ranges for each element.  Thus you
       can scan the whole class "B" network 192.168.*.* by  specifying
       "192.168.*.*"  or "192.168.0-255.0-255"   or  even
       "192.168.1-50,51-255.1,2,3,4,5-255".  And of course you can use
       the mask notation: "192.168.0.0/16".  These are all equivalent.
       If you use asterisks ("*"), remember that most  shells  require
       you  to  escape  them  with  back  slashes or protect them with
       quotes.

 

    # 注释 :nmap 也允许你指定一个范围,例如它支持 wildcard ,不过需要用括号括起来。

 

    #     -)1、主机名 :例如 mail.bob.com.

 

    #     -)2、ip/mask :例如 172.17.64.11/24

 

    #     -)3、ip1-ip2 :172.17.64.11-20

 

    #     -)4、wildcard :172.17.*.*

 

    #     -)5、综合 :mail.bob.com,172.17.64.11/24,172.17.64.12-20,30-40,172.17.65.*/24

 

       Another interesting thing to do is slice the Internet the other
       way.   Instead  of  scanning all the hosts in a class "B", scan
       "*.*.5.6-7" to scan every IP address that ends in .5.6 or  .5.7
       Pick  your  own  numbers.   For  more information on specifying
       hosts to scan, see the examples section.

 

    # 注释 ;有一个有趣的例子是 *.*.*.11 ,它可以扫描所有以 11 结尾的 ip

 

EXAMPLES
       Here are some examples of using nmap, from simple and normal to a lit-
       tle  more  complex/esoteric.  Note that actual numbers and some actual
       domain names are used to make things more concrete.   In  their place
       you should substitute addresses/names from your own network.  I do not
       think portscanning other networks is illegal; nor should portscans  be
       construed  by  others  as an attack.  I have scanned hundreds of thou-
       sands of machines and have received only one complaint. But I am  not
       a  lawyer  and  some (anal) people may be annoyed by nmap probes.  Get
       permission first or use at your own risk.

 

       nmap -v target.example.com

 

       This option scans all reserved TCP ports on the machine  target.exam-
       ple.com .  The -v means turn on verbose mode.

 

    # 注释 :上面的命令扫描 target.example.com 主机的 0-1024 端口,以及 /etc/services 中定义的端口

 

    # -v 表示 verbose 模式

 

       nmap -sS -O target.example.com/24

 

       Launches a stealth SYN scan against each machine that is up out of the
       255 machines on class "C" where target.example.com resides.   It  also
       tries  to determine what operating system is running on each host that
       is up and running.  This requires root privileges because of  the  SYN
       scan and the OS detection.

 

    # 注释 :上面的命令对 target.example.com/24 主机所在的 C 网的每个 up 主机进行 SYN scan 以及 OS scan

 

      # 由于使用了 -sS ,所以需要 root 权限

 

       nmap -sX -p 22,53,110,143,4564 198.116.*.1-127

 

       Sends  an Xmas tree scan to the first half of each of the 255 possible
       8 bit subnets in the 198.116 class "B" address space.  We are  testing
       whether the  systems run sshd, DNS, pop3d, imapd, or port 4564.  Note
       that Xmas scan doesn’t work on Microsoft boxes due to their  deficient
       TCP stack.  Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.

 

    # 注释 :上面的命令使用 Xmas Tree scan 对 198.116 的所有以 1-127 结尾的主机进行扫描

 

    # 目的端口是 22,53,110,143,4564 。

 

    # 要注意,Xmas Tree 对 windows 主机不起作用

 

       nmap -v --randomize_hosts -p 80 *.*.2.3-5

 

       Rather  than focus on a specific IP range, it is sometimes interesting
       to slice up the entire Internet and scan  a  small  sample  from  each
       slice. This  command  finds  all  web servers  on  machines with IP
       addresses ending in .2.3, .2.4, or .2.5.  If you are root you might as
       well  add  -sS. Also you will find more interesting machines starting
       at 127. so you might want to use "127-222" instead of the first aster-
       isks  because  that  section  has  a  greater  density  of interesting
       machines (IMHO).

 

    # 注释 :

 

       host -l company.com | cut  -d  -f 4 | ./nmap -v -iL -

 

       Do a DNS zone transfer to find the hosts in company.com and then  feed
       the  IP addresses  to  nmap.  The above commands are for my GNU/Linux
       box.  You may need different commands/options on other operating  sys-
       tems.


你可能感兴趣的:(man,nmap)