nmap.1

Ubuntu packages of security software。 相当不错的源码

.\"     Title: nmap
.\"    Author: Fyodor 
.\" Generator: DocBook XSL Stylesheets v1.73.2 <http://docbook.sf.net/>
.\"      Date: <pubdate>September 1, 2007</pubdate>
.\"    Manual: Nmap Network Scanning
.\"    Source: Insecure.Org Zero Day
.\"
.TH "NMAP" "1" "<pubdate>September 1, 2007</pubdate>" "Insecure.Org Zero Day" "Nmap Network Scanning"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
nmap - Network exploration tool and security / port scanner
.SH "SYNOPSIS"
.HP 5
\fBnmap\fR [\fIScan\ Type\fR...] [\fIOptions\fR] {\fItarget\ specification\fR}
.SH "DESCRIPTION"
.PP
Nmap (\(lqNetwork Mapper\(rq) is an open source tool for network exploration and security auditing\. It was designed to rapidly scan large networks, although it works fine against single hosts\. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics\. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime\.
.PP
The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used\. Key among that information is the
\(lqinteresting ports table\(rq\. That table lists the port number and protocol, service name, and state\. The state is either
open,
filtered,
closed, or
unfiltered\. Open means that an application on the target machine is listening for connections/packets on that port\.
Filtered
means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is
open
or
closed\.
Closed
ports have no application listening on them, though they could open up at any time\. Ports are classified as
unfiltered
when they are responsive to Nmap\'s probes, but Nmap cannot determine whether they are open or closed\. Nmap reports the state combinations
open|filtered
and
closed|filtered
when it cannot determine which of the two states describe a port\. The port table may also include software version details when version detection has been requested\. When an IP protocol scan is requested (\fB\-sO\fR), Nmap provides information on supported IP protocols rather than listening ports\.
.PP
In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses\.
.PP
A typical Nmap scan is shown in
Example\ 14.1, \(lqA representative Nmap scan\(rq\. The only Nmap arguments used in this example are
\fB\-A\fR, to enable OS and version detection, script scanning, and traceroute;
\fB\-T4\fR
for faster execution; and then the two target hostnames\.
.PP
\fBExample\ 14.1.\ A representative Nmap scan\fR
.sp
.RS 4
.nf
# nmap \-A \-T4 scanme\.nmap\.org playground

Starting nmap ( http://insecure\.org/nmap/ )
Interesting ports on scanme\.nmap\.org (205\.217\.153\.62):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3\.9p1 (protocol 1\.99)
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http    Apache httpd 2\.0\.52 ((Fedora))
113/tcp closed auth
Device type: general purpose
Running: Linux 2\.4\.X|2\.5\.X|2\.6\.X
OS details: Linux 2\.4\.7 \- 2\.6\.11, Linux 2\.6\.0 \- 2\.6\.11
Uptime 33\.908 days (since Thu Jul 21 03:38:03 2005)

Interesting ports on playground\.nmap\.org (192\.168\.0\.40):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios\-ssn
389/tcp  open  ldap?
445/tcp  open  microsoft\-ds  Microsoft Windows XP microsoft\-ds
1002/tcp open  windows\-icfw?
1025/tcp open  msrpc         Microsoft Windows RPC
1720/tcp open  H\.323/Q\.931   CompTek AquaGateKeeper
5800/tcp open  vnc\-http      RealVNC 4\.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open  vnc           VNC (protocol 3\.8)
MAC Address: 00:A0:CC:63:85:4B (Lite\-on Communications)
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Pro RC1+ through final release
Service Info: OSs: Windows, Windows XP

Nmap finished: 2 IP addresses (2 hosts up) scanned in 88\.392 seconds
.fi
.RE
.PP
The newest version of Nmap can be obtained from
\fI\%http://insecure.org/nmap/\fR\. The newest version of the man page is available from
\fI\%http://insecure.org/nmap/man/\fR\.
.SH "OPTIONS SUMMARY"
.PP
This options summary is printed when Nmap is run with no arguments, and the latest version is always available at
\fI\%http://insecure.org/nmap/data/nmap.usage.txt\fR\. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual\. Some obscure options aren\'t even included here\.
.PP


.sp
.RS 4
.nf
Nmap 4\.53 ( http://insecure\.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc\.
  Ex: scanme\.nmap\.org, microsoft\.com/24, 192\.168\.0\.1; 10\.0\.0\-255\.1\-254
  \-iL <inputfilename>: Input from list of hosts/networks
  \-iR <num hosts>: Choose random targets
  \-\-exclude <host1[,host2][,host3],\.\.\.>: Exclude hosts/networks
  \-\-excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  \-sL: List Scan \- simply list targets to scan
  \-sP: Ping Scan \- go no further than determining if host is online
  \-PN: Treat all hosts as online \-\- skip host discovery
  \-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
  \-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  \-PO [protocol list]: IP Protocol Ping
  \-n/\-R: Never do DNS resolution/Always resolve [default: sometimes]
  \-\-dns\-servers <serv1[,serv2],\.\.\.>: Specify custom DNS servers
  \-\-system\-dns: Use OS\'s DNS resolver
SCAN TECHNIQUES:
  \-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  \-sU: UDP Scan
  \-sN/sF/sX: TCP Null, FIN, and Xmas scans
  \-\-scanflags <flags>: Customize TCP scan flags
  \-sI <zombie host[:probeport]>: Idle scan
  \-sO: IP protocol scan
  \-b <FTP relay host>: FTP bounce scan
  \-\-traceroute: Trace hop path to each host
  \-\-reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
  \-p <port ranges>: Only scan specified ports
    Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
  \-F: Fast mode \- Scan fewer ports than the default scan
  \-r: Scan ports consecutively \- don\'t randomize
  \-\-top\-ports <number>: Scan <number> most common ports
  \-\-port\-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  \-sV: Probe open ports to determine service/version info
  \-\-version\-intensity <level>: Set from 0 (light) to 9 (try all probes)
  \-\-version\-light: Limit to most likely probes (intensity 2)
  \-\-version\-all: Try every single probe (intensity 9)
  \-\-version\-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  \-sC: equivalent to \-\-script=safe,intrusive
  \-\-script=<Lua scripts>: <Lua scripts> is a comma separated list of 
           directories, script\-files or script\-categories
  \-\-script\-args=<n1=v1,[n2=v2,\.\.\.]>: provide arguments to scripts
  \-\-script\-trace: Show all data sent and received
  \-\-script\-updatedb: Update the script database\.
OS DETECTION:
  \-O: Enable OS detection
  \-\-osscan\-limit: Limit OS detection to promising targets
  \-\-osscan\-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in milliseconds, unless you append \'s\'
  (seconds), \'m\' (minutes), or \'h\' (hours) to the value (e\.g\. 30m)\.
  \-T[0\-5]: Set timing template (higher is faster)
  \-\-min\-hostgroup/max\-hostgroup <size>: Parallel host scan group sizes
  \-\-min\-parallelism/max\-parallelism <time>: Probe parallelization
  \-\-min\-rtt\-timeout/max\-rtt\-timeout/initial\-rtt\-timeout <time>: Specifies
      probe round trip time\.
  \-\-max\-retries <tries>: Caps number of port scan probe retransmissions\.
  \-\-host\-timeout <time>: Give up on target after this long