Common Nmap options
-A: Enable OS detection, version detection, script scanning, and traceroute (it sends many probes, so this scan is easy to notice)

root@bt:~# nmap -A 192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 09:52 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00045s latency).                  ######### whether the host is up
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 5.3 (protocol 2.0)                          ###################### port and service description
| ssh-hostkey: 1024 fb:11:7d:63:2b:8f:26:50:24:b7:c3:5b:86:b0:79:84 (DSA)
|_2048 e8:db:be:cb:af:e9:e8:62:d3:bf:87:72:fd:f8:c9:a1 (RSA)
25/tcp  open   smtp     Postfix smtpd
|_smtp-commands: mail.hnyckj.f3322.org, PIPELINING, SIZE 10485760, VRFY, ETRN, STARTTLS, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=localhost/organizationName=ExtMail Server/stateOrProvinceName=GZ/countryName=CN
| Not valid before: 2015-06-15T14:06:27+00:00
|_Not valid after:  2016-06-14T14:06:27+00:00
|_ssl-date: 2015-06-19T21:53:10+00:00; +8h00m00s from local time.
80/tcp  open   http     Apache httpd 2.2.15 ((Scientific Linux))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
110/tcp open   pop3     Courier pop3d
|_pop3-capabilities: TOP STLS LOGIN-DELAY(10) UIDL USER PIPELINING IMPLEMENTATION(Courier Mail Server)
143/tcp open   imap     Courier Imapd (released 2010)
|_imap-capabilities: completed CHILDREN OK QUOTA STARTTLSA0001 IDLE UIDPLUS THREAD=REFERENCES ACL SORT ACL2=UNION THREAD=ORDEREDSUBJECT CAPABILITY NAMESPACE IMAP4rev1
443/tcp closed https
993/tcp open   ssl/imap Courier Imapd (released 2010)
|_imap-capabilities: completed CHILDREN AUTH=PLAIN QUOTA ACL2=UNIONA0001 OK UIDPLUS THREAD=REFERENCES ACL SORT IDLE THREAD=ORDEREDSUBJECT CAPABILITY NAMESPACE IMAP4rev1
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Not valid before: 2015-06-15T14:07:31+00:00
|_Not valid after:  2016-06-14T14:07:31+00:00
995/tcp open   ssl/pop3 Courier pop3d
|_pop3-capabilities: TOP LOGIN-DELAY(10) UIDL USER PIPELINING IMPLEMENTATION(Courier Mail Server)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Not valid before: 2015-06-15T14:07:31+00:00
|_Not valid after:  2016-06-14T14:07:31+00:00
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
MAC Address: 00:0C:29:79:E1:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6      ####### operating system and kernel version
OS details: Linux 2.6.22 - 2.6.36
Network Distance: 1 hop
Service Info: Host: mail.hnyckj.f3322.org; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.0.99

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds



-T (0~5)  timing template: 0 is the slowest and most gentle; 5 is the fastest and most aggressive (but easily detected)

root@bt:~# nmap -T5  192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:02 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00026s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
993/tcp open   imaps
995/tcp open   pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds



-p  port range to scan


root@bt:~# nmap -p 1-1000 192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:07 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00033s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
993/tcp open   imaps
995/tcp open   pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds


-O  identify the operating system



root@bt:~# nmap -O 192.168.0.99

...
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (98%), HP embedded (94%), Ubiquiti Linux 2.6.X (93%), Check Point embedded (91%), Sony embedded (90%), Cisco Linux 2.6.X (89%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:3 cpe:/o:ubiquiti:linux:2.6.32 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.34 cpe:/o:sony:smp-n200 cpe:/o:cisco:linux:2.6
Aggressive OS guesses: Linux 2.6.22 - 2.6.36 (98%), Linux 2.6.32 (96%), Linux 2.6.23 - 2.6.38 (95%), Linux 2.6.31 - 2.6.35 (95%), Linux 2.6.9 - 2.6.27 (95%), Linux 2.6.39 (95%), HP P2000 G3 NAS device (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.24 - 2.6.36 (93%), Linux 3.1 - 3.4 (93%)
No exact OS matches for host (test conditions non-ideal).



-sV  identify services and their version information


root@bt:~# nmap -sV 192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:19 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00030s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 5.3 (protocol 2.0)
25/tcp  open   smtp     Postfix smtpd
80/tcp  open   http     Apache httpd 2.2.15 ((Scientific Linux))
110/tcp open   pop3     Courier pop3d
143/tcp open   imap     Courier Imapd (released 2010)
443/tcp closed https
993/tcp open   ssl/imap Courier Imapd (released 2010)
995/tcp open   ssl/pop3 Courier pop3d
MAC Address: 00:0C:29:79:E1:43 (VMware)
Service Info: Host: mail.hnyckj.f3322.org; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.96 seconds
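The -A and -sV reports above are what a defender actually has to act on: the NSE lines expose an enabled TRACE method, SSLv2 support, placeholder certificates with commonName=localhost, and SMTP AUTH advertised on the cleartext port. The following is an added example, not code from the original post or from the Nmap project: a small Python parser for Nmap's normal output that attaches each port's script lines to the port and turns them into a remediation checklist. The SAMPLE text is a trimmed copy of the scan output shown above; the finding rules and their wording are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the `nmap -A 192.168.0.99` report shown above.
SAMPLE = """\
Nmap scan report for 192.168.0.99
Host is up (0.00045s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 fb:11:7d:63:2b:8f:26:50:24:b7:c3:5b:86:b0:79:84 (DSA)
|_2048 e8:db:be:cb:af:e9:e8:62:d3:bf:87:72:fd:f8:c9:a1 (RSA)
25/tcp  open   smtp     Postfix smtpd
|_smtp-commands: mail.hnyckj.f3322.org, PIPELINING, SIZE 10485760, VRFY, ETRN, STARTTLS, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=localhost/organizationName=ExtMail Server/stateOrProvinceName=GZ/countryName=CN
| Not valid before: 2015-06-15T14:06:27+00:00
|_Not valid after:  2016-06-14T14:06:27+00:00
80/tcp  open   http     Apache httpd 2.2.15 ((Scientific Linux))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
443/tcp closed https
995/tcp open   ssl/pop3 Courier pop3d
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
MAC Address: 00:0C:29:79:E1:43 (VMware)
"""

# A port-table row: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: list = field(default_factory=list)  # NSE output lines ("| ..." / "|_...") for this port


def parse_normal_output(text):
    """Parse the port table of Nmap normal output, attaching script lines to their port."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m[1]), m[2], m[3], m[4], m[5] or "")
            ports.append(current)
        elif line.startswith("|") and current is not None:
            # Strip the "| " / "|_" prefix; the line belongs to the most recent port
            current.scripts.append(line.lstrip("|_ ").rstrip())
        else:
            current = None  # any other line (OS, MAC, ...) ends the port's script block
    return ports


def review(ports):
    """Return (port, finding) pairs for the weak configurations visible in the script output."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        joined = "\n".join(p.scripts)
        if "Potentially risky methods: TRACE" in joined:
            findings.append((p.number, "HTTP TRACE method enabled; disable it (Apache: TraceEnable off)"))
        if "server supports SSLv2" in joined:
            findings.append((p.number, "SSLv2 still negotiable; disable legacy protocol versions"))
        if "commonName=localhost" in joined:
            findings.append((p.number, "certificate CN is 'localhost'; replace placeholder certificate"))
        if p.service == "smtp" and re.search(r"\bAUTH[ =]", joined):
            findings.append((p.number, "SMTP AUTH advertised on cleartext port; require STARTTLS before AUTH"))
    return findings


if __name__ == "__main__":
    for number, text in review(parse_normal_output(SAMPLE)):
        print(f"{number:>5}/tcp  {text}")
```

The parser only understands the port table, not the OS or traceroute sections, which is enough for a checklist; for anything larger, `nmap -oX` plus an XML parser is the robust route, since normal output is meant for humans and its layout is not guaranteed between versions.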



-Pn  treat every host as online and skip host discovery; can be combined with other options
-sA  ACK scan: reports ports as filtered or unfiltered (not open/closed), so it is used to map firewall rules




root@bt:~# nmap -Pn -sA 192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:31 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00028s latency).
Not shown: 992 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp    ##### the host is already treated as online (-Pn)
80/tcp  unfiltered http
110/tcp unfiltered pop3
143/tcp unfiltered imap
443/tcp unfiltered https
993/tcp unfiltered imaps
995/tcp unfiltered pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds


-sS  TCP SYN scan: fast and relatively stealthy (half-open, no full connection); recommended for most scans

root@bt:~# nmap -sS -Pn 192.168.0.99

Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:37 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00026s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
993/tcp open   imaps
995/tcp open   pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds
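The -T5 and -sS runs above show why a fast SYN scan is "easily detected": 1000 ports were probed in about 4.5 seconds, which means one source sending lone SYN packets to hundreds of distinct ports on one host within a few seconds. This is an added example, not code from the original post or from Nmap: the detection logic a firewall operator would run over kernel LOG lines to flag that pattern. The log lines are constructed here in iptables LOG style (the scanner address 192.168.0.50 and client 192.168.0.77 are made up), and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Minimal iptables-LOG-style line; SRC/DST/DPT and the TCP flag tokens are what we need.
LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?RES=\S+ (.*?) URGP="
)
LOG_YEAR = 2015  # syslog timestamps carry no year; assumed for the constructed sample


def make_line(ts, src, dport, flags="SYN"):
    """Build one constructed LOG line (the target 192.168.0.99 is the host scanned above)."""
    return (f"{ts:%b %d %H:%M:%S} fw kernel: IN=eth0 OUT= SRC={src} DST=192.168.0.99 "
            f"LEN=44 PROTO=TCP SPT=40000 DPT={dport} WINDOW=1024 RES=0x00 {flags} URGP=0")


def build_sample():
    """Constructed traffic: a scanner sweeping 25 ports in ~2.5 s, plus a normal web client."""
    base = datetime(LOG_YEAR, 6, 19, 10, 2, 0)
    lines = []
    for i in range(1, 26):  # scanner: one SYN per port, 100 ms apart
        lines.append(make_line(base + timedelta(milliseconds=100 * i), "192.168.0.50", i))
    for sec, port in ((0, 80), (1, 443), (3, 80)):  # client: a few SYNs to two ports
        lines.append(make_line(base + timedelta(seconds=sec), "192.168.0.77", port))
    # SYN/ACK replies from the target must not count as scan traffic
    lines.append(make_line(base, "192.168.0.99", 40000, flags="ACK SYN"))
    return lines


def detect_syn_scans(lines, threshold=15, window=timedelta(seconds=5)):
    """Map src -> distinct ports for sources that sent lone SYNs to >= threshold
    distinct destination ports within any `window`-long interval."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = m[5].split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # only the initial SYN of a handshake is a probe
        ts = datetime.strptime(f"{LOG_YEAR} {m[1]}", "%Y %b %d %H:%M:%S")
        events[m[2]].append((ts, int(m[4])))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window start over each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                scanners[src] = len(ports)
                break
    return scanners


LOG_LINES = build_sample()

if __name__ == "__main__":
    for src, count in detect_syn_scans(LOG_LINES).items():
        print(f"probable SYN scan from {src}: {count} distinct ports")
```

Counting distinct destination ports per source, rather than raw SYN volume, is what separates a scan from a busy but legitimate client, and the window should be set with the slow timing templates in mind: a -T0 or -T1 scan spreads the same probes over minutes, so a 5-second window only catches the fast end of the page's -T scale.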