
30 Nmap commands commonly used by system and network administrators

Nmap is a very powerful tool; today we look at 30 commonly used examples:

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, the nmap command comes with lots of options, which make the utility powerful and robust but also difficult to follow for new users.

The purpose of this post is to introduce the nmap command line tool for scanning a host and/or network, so as to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

nmap in action

More about nmap

From the man page:

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon, and it can easily answer the following questions:

  1. What computers are running on the local network?
  2. What IP addresses are in use on the local network?
  3. What is the operating system of your target machine?
  4. What ports are open on the machine that you just scanned?
  5. Is the system infected with malware or a virus?
  6. Are there unauthorized servers or network services on your network?
  7. Which computers don't meet the organization's minimum level of security, so they can be found and removed?

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So set up a lab as follows:

Where,

  • wks01 is your computer, running Linux, OS X or a Unix-like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web server, file server and so on.
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with a firewall. Again, feel free to install a few services such as a web server, file server and so on.
  • All three systems are connected via a switch.

How do I install nmap?

See the installation guide for your distribution:

  1. Debian / Ubuntu Linux: Install nmap Software For Scanning Network
  2. CentOS / RHEL: Install nmap Network Security Scanner
  3. OpenBSD: Install nmap Network Security Scanner

#1: Scan a single host or an IP address (IPv4)

Sample outputs:

Fig.01: nmap output

#2: Scan multiple IP addresses or a subnet (IPv4)

You can scan a range of IP addresses too:

You can scan a range of IP addresses using a wildcard:

Finally, you can scan an entire subnet:

#3: Read a list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems from a text file. This is useful for scanning a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:

The syntax is:

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks, you can exclude hosts from a scan:

Or exclude a list read from a file called /tmp/exclude.txt:

#5: Turn on OS and version detection scanning script (IPv4)

#6: Find out if a host/network is protected by a firewall

#7: Scan a host when it is protected by a firewall

#8: Scan an IPv6 host/address

The -6 option enables IPv6 scanning. The syntax is:

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or a ping scan:

Sample outputs:

#10: How do I perform a fast scan?

#11: Display the reason a port is in a particular state

#12: Only show open (or possibly open) ports

#13: Show all packets sent and received

#14: Show host interfaces and routes

This is useful for debugging (nmap produces output similar to the ip, route or netstat commands):

Sample outputs:

#15: How do I scan specific ports?

Sample outputs:

#16: The fastest way to scan all your devices/computers for open ports

#17: How do I detect the remote operating system?

You can identify a remote host's apps and OS using the -O option:

Sample outputs:

See also: fingerprinting a web server and a DNS server with command line tools, for more information.

#18: How do I detect remote service (server / daemon) version numbers?

Sample outputs:

#19: Scan a host using TCP ACK (PA) and TCP SYN (PS) ping

If a firewall is blocking standard ICMP pings, try the following host discovery methods:

#20: Scan a host using IP protocol ping

#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

#22: Find out the most commonly used TCP ports using a TCP SYN scan

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find UDP services:

Sample outputs:

#24: Scan for IP protocols

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machines:

#25: Scan a firewall for security weaknesses

The following scan types exploit a subtle loophole in TCP and are useful for testing how well a firewall stands up to common attacks:

See how to block Xmas packets, SYN floods and other common attacks with iptables.

#26: Scan a firewall with packet fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

#27: Cloak a scan with decoys

The -D option makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:

#28: Scan a firewall for MAC address spoofing

#29: How do I save output to a text file?

The syntax is:
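As an added example (not code from the original article or from nmap itself), the following Python script reads a report saved with nmap's -oX XML output and lists open services that are missing from a constructed inventory, which is how questions 6 and 7 above (unauthorized services, hosts below the baseline) can be answered from a saved scan rather than by eyeballing the text. The XML sample, the host addresses and the allowlist are all constructed.

```python
# Added example: parse a report saved with "nmap -oX scan.xml" and flag open
# services missing from an inventory. The XML and the allowlist are constructed.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
</ports></host>
</nmaprun>"""

# Constructed inventory: known hosts and the (protocol, port) pairs each may expose.
ALLOWLIST = {"192.168.1.10": {("tcp", 22), ("tcp", 80)}}

def parse_open_ports(xml_text):
    """Return {ipv4: [(proto, port, reason, service), ...]} for ports reported open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if host.find("status").get("state") != "up" or addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state")
            if state.get("state") != "open":  # closed/filtered: not a listening service
                continue
            svc = port.find("service")
            entries.append((port.get("protocol"), int(port.get("portid")),
                            state.get("reason"), svc.get("name") if svc is not None else "?"))
        result[addr.get("addr")] = entries
    return result

def find_unauthorized(open_ports, allowlist):
    """Open services not in the inventory: unknown hosts or unexpected ports."""
    return sorted((ip, proto, port, name)
                  for ip, entries in open_ports.items()
                  for proto, port, _reason, name in entries
                  if (proto, port) not in allowlist.get(ip, set()))

for finding in find_unauthorized(parse_open_ports(SAMPLE_XML), ALLOWLIST):
    print("unexpected service: %s %s/%d (%s)" % finding)
```

The "reason" field is the same value nmap prints with --reason (#11), so a finding can be traced back to the probe response that produced it.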

#30: Not a fan of command line tools?

Try zenmap:
$ sudo apt-get install zenmap
Sample outputs:

Type the following command to start zenmap:
$ sudo zenmap
Sample outputs:

Fig.02: zenmap in action


Original article: http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/


Zhiming Zhang

Senior devops at Appannie
A chubby guy running down the ops road