nmap: basic/advanced usages

most common cases:

# Check whether port 22 is open on localhost
nmap localhost -p22
# If the host does not answer ICMP, use -Pn (or the older -P0) to skip the ping host-discovery step
nmap localhost -p22 -Pn
# Scan several hosts for ports 22-23 (a range is allowed in each octet of the address)
nmap 192.168.0-3.1-253 -p22-23

Very important knowledge:

-sS: the default when nmap runs as root/admin (SYN scan)

-sT: the default when nmap runs as a normal user (TCP connect scan)

Note that:

  • If none of the above -s[X] options is given, the nmap default scans in 4 steps: [ICMP ping, TCP 80/443, and the port specified by -p];
  • If -s[X] is given, it scans in 2 steps: [ICMP ping, the specified port];
  • If both -s[X] and -Pn are given, only the specified port is scanned.

Some normal options:

-T[0-5]: timing template for the scan of each host; 0-2 probe serially, 3-5 probe in parallel. Use a higher number only if you know the host can survive that much load (to the target it can look like a DoS).

-O: OS detection; the output includes a line starting with "Aggressive OS guesses" giving the probable system type and version.

-sV: probe each open port for its service name and version.

-A: aggressive scan; equivalent to -O -sV plus several other options.

-D<ip1,ip2,ip3...>: decoy scan; alongside its own probes nmap sends copies with source addresses ip1, ip2, ip3, ... (on the target's side this shows up as several sources probing the same ports at the same time).

-PS/-PA/-PU: host-discovery probes using a TCP SYN, a TCP ACK, or a UDP packet respectively.

--reason: some results can be confusing; --reason shows why nmap reached each verdict (which reply, or lack of one, it saw), giving a full view of the test. Also try -vvv for more verbose output.
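As an added example (not from the original post), here is a small Python script that reads nmap's XML output (-oX) for a multi-host scan like the 192.168.0-3 one above and pulls out, for each host, the port state, the reason nmap gives for it (the same information --reason prints) and the service/version that -sV fills in. It then diffs two scans and lists the ports that are newly open, which is the change someone running periodic inventory scans wants flagged. The XML inside is constructed to look like nmap output and is not a real capture; the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what
#   nmap -sV --reason -p22-23 -oX - 192.168.0.1-3
# might produce, trimmed to the attributes parsed below (not a real capture).
BASELINE_XML = """<nmaprun scanner="nmap" args="nmap -sV --reason -p22-23 -oX - 192.168.0.1-3">
  <host><status state="up" reason="echo-reply"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports></host>
  <host><status state="up" reason="arp-response"/><address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet"/></port>
    </ports></host>
</nmaprun>
"""

# Constructed follow-up scan: .2 now answers on telnet and a new host .3 appeared.
CURRENT_XML = """<nmaprun scanner="nmap" args="nmap -sV --reason -p22-23 -oX - 192.168.0.1-3">
  <host><status state="up" reason="echo-reply"/><address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports></host>
  <host><status state="up" reason="arp-response"/><address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" product="BusyBox telnetd"/></port>
    </ports></host>
  <host><status state="up" reason="arp-response"/><address addr="192.168.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="Dropbear sshd"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
    </ports></host>
</nmaprun>
"""


def describe_service(svc):
    """Join name/product/version; nmap only sets product/version when -sV probed."""
    if svc is None:
        return "unknown"
    fields = (svc.get("name"), svc.get("product"), svc.get("version"))
    return " ".join(v for v in fields if v) or "unknown"


def parse_nmap_xml(xml_text):
    """Map each IPv4 host to {(proto, port): {"state", "reason", "service"}}."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # skip entries that only carry a MAC/IPv6 address
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),  # the verdict --reason prints
                "service": describe_service(port.find("service")),
            }
        hosts[addr_el.get("addr")] = ports
    return hosts


def open_ports(hosts):
    """Set of (addr, proto, port) triples whose state is open."""
    return {(addr, proto, port)
            for addr, ports in hosts.items()
            for (proto, port), info in ports.items()
            if info["state"] == "open"}


def newly_open(baseline, current):
    """Ports open now that were not open in the baseline (new hosts count too)."""
    return sorted(open_ports(current) - open_ports(baseline))


def report(baseline_xml, current_xml):
    """One human-readable line per newly open port, with nmap's reason and service."""
    baseline, current = parse_nmap_xml(baseline_xml), parse_nmap_xml(current_xml)
    lines = []
    for addr, proto, port in newly_open(baseline, current):
        info = current[addr][(proto, port)]
        lines.append(f"NEW {addr} {port}/{proto} {info['service']} (reason: {info['reason']})")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE_XML, CURRENT_XML):
        print(line)
```

Run it against two real -oX files by reading them into the two strings; the report is empty when nothing new has opened, so it slots into a cron job that only mails on output. XML is preferred over the grepable -oG format here because nmap documents it as the stable, machine-readable form and it carries the reason and version fields as separate attributes.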

-----below is updated at 18 Thu Mar.08 15:37-----

# zmap: scan the whole net for port 80 and write the results to a.txt
zmap -p 80 -o a.txt

posted on 2017-09-20 16:02 by 三叁