nmap: basic/advanced usages
most common cases:
# Check whether port 22 is open on localhost
nmap localhost -p22
# If the host does not answer ICMP echo, use -Pn (or the older -P0) to skip the ping
nmap localhost -p22 -Pn
# Scan several hosts at once for ports 22-23
nmap 192.168.0-3.1-253 -p22-23
Very important knowledge:
-sS: the default when nmap runs as root/admin (SYN scan)
-sT: the default when nmap runs as a normal user (TCP connect scan)
Note that:
- If none of the above -s[X] options is given, nmap by default scans 4 times: [ICMP ping, TCP 80/443, and the port specified by -p];
- If a -s[X] option is given, it scans 2 times: [ICMP ping, the specified port];
- If both -s[X] and -Pn are given, only the specified port is scanned.
Some common options:
-T[0-5]: timing template per host; 0-2 send probes serially, 3-5 in parallel. Use a higher number only if you know the host can survive that much load (it is effectively a DoS).
-O: OS detection; the output includes a line starting with "Aggressive OS guesses" with a probable guess of the system type and version.
-sV: report the service version on each port
-A: equivalent to -O -sV plus other flags
-D<ip1,ip2,ip3,...>: decoy scan; sends copies of each nmap probe with the source address set to ip1, ip2, ip3, ...
-PS/-PA/-PU: host discovery with a TCP SYN, TCP ACK or UDP probe
--reason: some results are confusing; --reason shows why nmap reached each verdict (also try -vvv)
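As an added example (not part of the original notes), a POSIX shell helper that turns the grepable output (-oG) of scans like the ones above into a compact "host port/proto service" list of open ports, which is the form you want when feeding results into an inventory or a diff against the last scan. The sample output is constructed here, not a real scan; the addresses are the page's own example range.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Live use:  nmap -sS -Pn -p22-23 192.168.0-3.1-253 -oG - | nmap_open_ports
# The Ports: field of -oG output is a comma-separated list of
# port/state/proto/owner/service/rpc/version entries, tab-separated from Host:.
nmap_open_ports() {
    awk -F'\t' '
        /^Host:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    list = $i; sub(/^Ports: /, "", list)
                    n = split(list, ent, /, /)
                    for (j = 1; j <= n; j++) {
                        split(ent[j], f, "/")
                        # keep only "open"; closed, filtered and open|filtered are dropped
                        if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# Constructed -oG sample (not a real scan) so the helper can be checked offline.
sample_grepable() {
    printf '# Nmap scan initiated as: nmap -sS -Pn -p22-23 -oG - 192.168.0.1-2\n'
    printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///\n'
    printf 'Host: 192.168.0.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.2 ()\tPorts: 22/filtered/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (0)\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
}

# Prints:
# 192.168.0.1 22/tcp ssh
# 192.168.0.2 23/tcp telnet
sample_grepable | nmap_open_ports
```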
-----below is updated at 18 Thu Mar.08 15:37-----
# scan the whole net for port 80
zmap -p 80 -o a.txt