首页 » 翻译 » 正文



Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.

Nmap是Network Mapper的缩写,他是一个开源的网络检测,扫描,审计工具,然而,nmap有非常多的选项,这让nmap非常的功能强大和健壮,当然这也给新用户造成了一定的困难

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.


nmap in action

More about nmap


From the man page:


Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap(“Network Mapper”)是一个开源的,用来检测网络和审计安全的。它被设计为快速扫描比较大的网络,当然,它在扫描单台主机上表现的也非常号。Nmap使用原始的IP包通过一个中新颖的方式来判断主机是否存活在指定网络,这些主机提供了那些服务及具体服务的版本,以及操作系统的版本,防火墙的版本,还有其它一大堆的东西。虽然nmap是用来做安全审计的,但是很多网络管理员发现nmap在网络的日常任务上也非常又用,例如 管理服务的升级规划,监控主机和服务的启动时间等。

It was originally written by Gordon Lyon and it can answer the following questions easily:

这个是Gordon Lyon写的,这些内容可以很容易的回答如下的问题:

  1. What computers did you find running on the local network? 本地局域网中的计算器?
  2. What IP addresses did you find running on the local network?本地局域网中使用的IP?
  3. What is the operating system of your target machine?目标主机使用的操作系统?
  4. Find out what ports are open on the machine that you just scanned?目标主机对外开放的端口?
  5. Find out if the system is infected with malware or virus.目标主机是否被病毒感染
  6. Search for unauthorized servers or network service on your network.查找未被授权的主机或者服务
  7. Find and remove computers which don’t meet the organization’s minimum level of security.查找那些没有符合最低安全标准的远程主机

Sample setup (LAB)


Port scanning may be illegal in some jurisdictions. So setup a lab as follows:、



  • wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.(wks01是你的主机,安装的系统是linux或者Unix系列的开源系统,这台主机用来扫描本地网络,所以Nmap需要在这台机器上安装好)
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.(server1是目标主机,没有任何的防御开放,你可以随便安装及个服务,例如httpd或者文件服务)
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.(server2目标主机2,被防火墙保护,和server1一样,随意安装及个服务)
  • All three systems are connected via switch.(所有的机器通过交换器链接)

How do I install nmap?




  1. Debian / Ubuntu Linux: Install nmap Software For Scanning Network
  2. CentOS / RHEL: Install nmap Network Security Scanner
  3. OpenBSD: Install nmap Network Security Scanner

#1: Scan a single host or an IP address (IPv4)


Sample outputs:


Fig.01: nmap output

Fig.01: nmap output

#2: Scan multiple IP address or subnet (IPv4)


You can scan a range of IP address too:


You can scan a range of IP address using a wildcard:


Finally, you scan an entire subnet:


#3: Read list of hosts/networks from a file (IPv4)


The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:

The syntax is:、


#4: Excluding hosts/networks (IPv4)


When scanning a large number of hosts/networks you can exclude hosts from a scan:


OR exclude list from a file called /tmp/exclude.txt


#5: Turn on OS and version detection scanning script (IPv4)


#6: Find out if a host/network is protected by a firewall


#7: Scan a host when protected by the firewall


#8: Scan an IPv6 host/address


The -6 option enable IPv6 scanning. The syntax is:

-6 选项让我们开启了IPv6的扫描

#9: Scan a network and find out which servers and devices are up and running


This is known as host discovery or ping scan:


Sample outputs:


#10: How do I perform a fast scan?


#11: Display the reason a port is in a particular state


#12: Only show open (or possibly open) ports


#13: Show all packets sent and received


14#: Show host interfaces and routes


This is useful for debugging (ip command or route command or netstat command like output using nmap)


Sample outputs:

#15: How do I scan specific ports?


Sample outputs:


#16: The fastest way to scan all your devices/computers for open ports ever


#17: How do I detect remote operating system?


You can identify a remote host apps and OS using the -O option:


Sample outputs:


See also: Fingerprinting a web-server and a dns server command line tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?


Sample outputs:

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

通过TCP ACK 和 TCP syn来扫描一个主机

If firewall is blocking standard ICMP pings, try the following host discovery methods:

如果防火墙屏蔽了ICMP ping,我们可以通过下面的方法来发现主机

#20: Scan a host using IP protocol ping


#21: Scan a host using UDP ping

通过UDP ping来扫描一个主机

This scan bypasses firewalls and filters that only screen TCP:

#22: Find out the most commonly used TCP ports using TCP SYN Scan

通过TCP syn 来查找最常用的TCP端口

#23: Scan a host for UDP services (UDP scan)

扫描一个主机的UDP服务(UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:


Sample outputs:

#24: Scan for IP protocol


This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:


#25: Scan a firewall for security weakness


The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:


See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

#27: Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

#28: Scan a firewall for MAC address spoofing

#29: How do I save output to a text file?


The syntax is:

#30: Not a fan of command line tools?


$ sudo apt-get install zenmap
Sample outputs:

Type the following command to start zenmap:
$ sudo zenmap
Sample outputs

Fig.02: zenmap in action





Zhiming Zhang

Senior devops at Appannie
Zhiming Zhang

Latest posts by Zhiming Zhang (see all)