nmap.1

Ubuntu packages of security software. Quite good source code.
  \-\-scan\-delay/\-\-max\-scan\-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  \-f; \-\-mtu <val>: fragment packets (optionally w/given MTU)
  \-D <decoy1,decoy2[,ME],\.\.\.>: Cloak a scan with decoys
  \-S <IP_Address>: Spoof source address
  \-e <iface>: Use specified interface
  \-g/\-\-source\-port <portnum>: Use given port number
  \-\-data\-length <num>: Append random data to sent packets
  \-\-ip\-options <options>: Send packets with specified ip options
  \-\-ttl <val>: Set IP time\-to\-live field
  \-\-spoof\-mac <mac address/prefix/vendor name>: Spoof your MAC address
  \-\-badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
  \-oN/\-oX/\-oS/\-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename\.
  \-oA <basename>: Output in the three major formats at once
  \-v: Increase verbosity level (use twice for more effect)
  \-d[level]: Set or increase debugging level (Up to 9 is meaningful)
  \-\-open: Only show open (or possibly open) ports
  \-\-packet\-trace: Show all packets sent and received
  \-\-iflist: Print host interfaces and routes (for debugging)
  \-\-log\-errors: Log errors/warnings to the normal\-format output file
  \-\-append\-output: Append to rather than clobber specified output files
  \-\-resume <filename>: Resume an aborted scan
  \-\-stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  \-\-webxml: Reference stylesheet from Insecure\.Org for more portable XML
  \-\-no\-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  \-6: Enable IPv6 scanning
  \-A: Enables OS detection and Version detection, Script scanning and Traceroute
  \-\-datadir <dirname>: Specify custom Nmap data file location
  \-\-send\-eth/\-\-send\-ip: Send using raw ethernet frames or IP packets
  \-\-privileged: Assume that the user is fully privileged
  \-\-unprivileged: Assume the user lacks raw socket privileges
  \-V: Print version number
  \-h: Print this help summary page\.
EXAMPLES:
  nmap \-v \-A scanme\.nmap\.org
  nmap \-v \-sP 192\.168\.0\.0/16 10\.0\.0\.0/8
  nmap \-v \-iR 10000 \-PN \-p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
.fi
.RE
.sp
.SH "TARGET SPECIFICATION"
.PP
Everything on the Nmap command\-line that isn\'t an option (or option argument) is treated as a target host specification\. The simplest case is to specify a target IP address or hostname for scanning\.
.PP
Sometimes you wish to scan a whole network of adjacent hosts\. For this, Nmap supports CIDR\-style addressing\. You can append /\fInumbits\fR to an IP address or hostname and Nmap will scan every IP address for which the first \fInumbits\fR are the same as for the reference IP or hostname given\. For example, 192\.168\.10\.0/24 would scan the 256 hosts between 192\.168\.10\.0 (binary: 11000000 10101000 00001010 00000000) and 192\.168\.10\.255 (binary: 11000000 10101000 00001010 11111111), inclusive\. 192\.168\.10\.40/24 would do exactly the same thing\. Given that the host scanme\.nmap\.org is at the IP address 205\.217\.153\.62, the specification scanme\.nmap\.org/16 would scan the 65,536 IP addresses between 205\.217\.0\.0 and 205\.217\.255\.255\. The smallest allowed value is /1, which scans half the Internet\. The largest value is 32, which scans just the named host or IP address because all address bits are fixed\.
.PP
CIDR notation is short but not always flexible enough\. For example, you might want to scan 192\.168\.0\.0/16 but skip any IPs ending with \.0 or \.255 because they are commonly broadcast addresses\. Nmap supports this through octet range addressing\. Rather than specify a normal IP address, you can specify a comma separated list of numbers or ranges for each octet\. For example, 192\.168\.0\-255\.1\-254 will skip all addresses in the range that end in \.0 or \.255\.
Ranges need not be limited to the final octets: the specifier 0\-255\.0\-255\.13\.37 will perform an Internet\-wide scan for all IP addresses ending in 13\.37\. This sort of broad sampling can be useful for Internet surveys and research\.
.PP
IPv6 addresses can only be specified by their fully qualified IPv6 address or hostname\. CIDR and octet ranges aren\'t supported for IPv6 because they are rarely useful\.
.PP
Nmap accepts multiple host specifications on the command line, and they don\'t need to be the same type\. The command \fBnmap scanme\.nmap\.org 192\.168\.0\.0/16 10\.0\.0,1,3\-7\.0\-255\fR does what you would expect\.
.PP
While targets are usually specified on the command line, the following options are also available to control target selection:
.PP
\fB\-iL <inputfilename>\fR (Input from list)
.RS 4
Reads target specifications from \fIinputfilename\fR\. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire\. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan\. Or maybe you want to scan all IP addresses \fIexcept\fR for those to locate hosts using unauthorized static IP addresses\. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the \fB\-iL\fR option\. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges)\. Each entry must be separated by one or more spaces, tabs, or newlines\. You can specify a hyphen (\-) as the filename if you want Nmap to read hosts from standard input rather than an actual file\.
.RE
.PP
\fB\-iR <num hosts>\fR (Choose random targets)
.RS 4
For Internet\-wide surveys and other research, you may want to choose targets at random\. The \fInum hosts\fR argument tells Nmap how many IPs to generate\. Undesirable IPs such as those in certain private, multicast, or unallocated address ranges are automatically skipped\. The argument 0 can be specified for a never\-ending scan\. Keep in mind that some network administrators bristle at unauthorized scans of their networks and may complain\. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command \fBnmap \-sS \-PS80 \-iR 0 \-p 80\fR to locate random web servers for browsing\.
.RE
.PP
\fB\-\-exclude <host1[,host2][,host3],\.\.\.>\fR (Exclude hosts/networks)
.RS 4
Specifies a comma\-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify\. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc\. This can be useful when the network you wish to scan includes untouchable mission\-critical servers, systems that are known to react adversely to port scans, or subnetworks administered by other people\.
.RE
.PP
\fB\-\-excludefile <exclude_file>\fR (Exclude list from file)
.RS 4
This offers the same functionality as the \fB\-\-exclude\fR option, except that the excluded targets are provided in a newline, space, or tab delimited \fIexclude_file\fR rather than on the command line\.
.RE
.SH "HOST DISCOVERY"
.PP
One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts\. Scanning every port of every single IP address is slow and usually unnecessary\. Of course what makes a host interesting depends greatly on the scan purposes\. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address\.
An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions\.
.PP
Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used\. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous \fBping\fR tool\. Users can skip the ping step entirely with a list scan (\fB\-sL\fR) or by disabling ping (\fB\-PN\fR), or engage the network with arbitrary combinations of multi\-port TCP SYN/ACK, UDP, and ICMP probes\. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device)\. On many networks, only a small percentage of IP addresses are active at any given time\. This is particularly common with RFC1918\-blessed private address space such as 10\.0\.0\.0/8\. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines\. Host discovery can find those machines in a sparsely allocated sea of IP addresses\.
.PP
If no host discovery options are given, Nmap sends a TCP ACK packet destined for port 80 and an ICMP echo request query to each target machine\. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network\. For unprivileged Unix shell users, a SYN packet is sent instead of the ACK using the \fBconnect()\fR system call\. These defaults are equivalent to the \fB\-PA \-PE\fR options\. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing\.
.PP
The \fB\-P*\fR options (which select ping types) can be combined\. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes\. Also note that ARP discovery (\fB\-PR\fR) is done by default against targets on a local ethernet network even if you specify other \fB\-P*\fR options, because it is almost always faster and more effective\.
.PP
By default, Nmap does host discovery and then performs a port scan against each host it determines is online\. This is true even if you specify non\-default host discovery types such as UDP probes (\fB\-PU\fR)\. Read about the \fB\-sP\fR option to learn how to perform \fIonly\fR host discovery, or use \fB\-PN\fR to skip host discovery and port scan all target hosts\. The following options control host discovery:
.PP
\fB\-sL\fR (List Scan)
.RS 4
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts\. By default, Nmap still does reverse\-DNS resolution on the hosts to learn their names\. It is often surprising how much useful information simple hostnames give out\. For example, fw\.chi is the name of one company\'s Chicago firewall\. Nmap also reports the total number of IP addresses at the end\. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets\. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company\'s network\.
.sp
Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or ping scanning cannot be combined with this\. If you wish to disable ping scanning while still performing such higher level functionality, read up on the \fB\-PN\fR option\.
.RE
.PP
\fB\-sP\fR (Ping Scan)
.RS 4
This option tells Nmap to \fIonly\fR perform a ping scan (host discovery), then print out the available hosts that responded to the scan\. No further testing (such as port scanning or OS detection) is performed\. This is one step more intrusive than the list scan, and can often be used for the same purposes\. It allows light reconnaissance of a target network without attracting much attention\. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name\.
.sp
Systems administrators often find this option valuable as well\. It can easily be used to count available machines on a network or monitor server availability\. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries\.
.sp
The \fB\-sP\fR option sends an ICMP echo request and a TCP packet to port 80 by default\. When executed by an unprivileged user, only a SYN packet is sent (using a \fBconnect()\fR call) to port 80 on the target\. When a privileged user tries to scan targets on a local ethernet network, ARP requests (\fB\-PR\fR) are used unless \fB\-\-send\-ip\fR was specified\. The \fB\-sP\fR option can be combined with any of the discovery probe types (the \fB\-P*\fR options, excluding \fB\-PN\fR) for greater flexibility\. If any of those probe type and port number options are used, the default probes (ACK and echo request) are overridden\. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended\. Otherwise hosts could be missed when the firewall drops probes or their responses\.
.RE
.PP
\fB\-PN\fR (No ping)
.RS 4
This option skips the Nmap discovery stage altogether\. Normally, Nmap uses this stage to determine active machines for heavier scanning\. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up\. Disabling host discovery with \fB\-PN\fR causes Nmap to attempt the requested scanning functions against
