
NMAP - A Stealth Port Scanner (reference)

Published: 2021-01-30 02:18:15 | Category: Linux | Source: compiled from the web

Summary: http://nmap.org/bennieston-tutorial/ Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different be

Disabling pings (-P0 in the Nmap version this tutorial describes; -Pn in current releases) has two advantages. First, it adds extra stealth if you are running one of the more stealthy scans, since no separate host-discovery probe is sent. Secondly, it allows Nmap to scan hosts which do not reply to pings; ordinarily, Nmap would report those hosts as being "down" and not scan them at all.

-PS is the alternative to -PT: it sends SYN packets instead of ACK packets for your TCP ping. A SYN ping is answered (with SYN/ACK or RST) by most hosts whether or not the port is open, while stateful firewalls that drop unsolicited ACKs will silently swallow a -PT probe. Current Nmap releases call the ACK ping -PA rather than -PT.

The -PU option (with an optional port list after it) sends UDP packets for your "ping". This is best aimed at suspected-closed ports rather than open ones: an open UDP port usually does not respond to a zero-length UDP datagram at all, whereas a closed port makes the host send back an ICMP port-unreachable message, and that reply is what proves the host is up.

Other ping types are -PE (standard ICMP Echo Request), -PP (ICMP Timestamp Request), -PM (ICMP Netmask Request) and -PB (the default, which uses both an ICMP Echo Request and a TCP ping with ACK packets).

The -f option splits the IP packet into tiny fragments when used with -sS, -sF, -sX or -sN. This makes it more difficult for a firewall or packet filter to determine the packet type, because the TCP header (and therefore the flags) is spread across several fragments. Note that many modern packet filters and firewalls (including iptables) feature optional defragmenters for such fragmented packets, and will thus reassemble the packet to check its type before sending it on. Less complex firewalls cannot cope with fragments this small and will most likely pass them through, leaving the target OS to reassemble them and deliver them to the port they were intended to reach. Using this option could crash some less stable software and hardware, since packet sizes get very small with it.

See the section on -sI for information about idle scans.

The -O option turns on Nmap's OS fingerprinting system. Used alongside the -v verbosity option, you can gain information about the remote operating system and about its TCP sequence number and IP ID generation. The IP ID sequence class is the part that matters when planning idle scans, because an idle scan needs a zombie whose IP ID counter increments predictably.

An article on OS detection is available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Logging in Nmap can be provided by the -oN, -oX or -oG options. Each one is followed by the name of the logfile. -oN outputs a human-readable log, -oX outputs an XML log and -oG outputs a grepable log. The -oA option outputs in all three formats, and -oS outputs in a format I'm sure none of you would ever want to use (try it; you'll see what I mean!).

The --append-output option appends scan results to the output files you specified instead of overwriting their contents.
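As an added example, not part of the original tutorial: a small parser for the grepable (-oG) format, which handles a file that has grown through --append-output (several "# Nmap ... scan initiated" blocks in one file) by letting a later run override an earlier result for the same port. The scan output below is constructed for the example; the addresses, hostname and version strings are made up, not real scan data.

```python
"""Parse Nmap grepable (-oG) output, including files grown with --append-output.

The sample input below is constructed for this example; it is not real scan data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two runs appended to one file, as --append-output produces.
# The second run rescans 443 on 10.0.0.1, which was closed in the first run.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p 22,80,443 -oG scan.gnmap 10.0.0.0/30
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (0)
Host: 10.0.0.2 (gw.example.test)\tStatus: Up
Host: 10.0.0.2 (gw.example.test)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/
# Nmap done at Mon Jan  1 10:00:05 2024 -- 4 IP addresses (2 hosts up) scanned in 5.02 seconds
# Nmap 7.93 scan initiated Mon Jan  1 11:00:00 2024 as: nmap -p 443 -oG scan.gnmap --append-output 10.0.0.1
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 443/open/tcp//https///
# Nmap done at Mon Jan  1 11:00:01 2024 -- 1 IP address (1 host up) scanned in 1.10 seconds
"""

# Host lines look like:  Host: <address> (<hostname or empty>)<TAB>Key: value<TAB>Key: value
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


@dataclass
class PortResult:
    port: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class HostResult:
    address: str
    hostname: str
    status: str = ""
    ports: dict = field(default_factory=dict)  # (port, proto) -> PortResult


def parse_ports_field(value):
    """Split the 'Ports:' field into PortResult entries.

    Each comma-separated entry is port/state/protocol/owner/service/rpcinfo/version/
    Nmap writes any '/' inside the service or version text as '|', so splitting
    on '/' is safe.
    """
    results = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        f = item.split("/")
        if len(f) < 3:
            raise ValueError(f"malformed port entry: {item!r}")
        f += [""] * (8 - len(f))  # pad so the optional fields are always present
        results.append(PortResult(int(f[0]), f[1], f[2], f[4], f[6]))
    return results


def parse_gnmap(text):
    """Return ({address: HostResult}, number_of_runs).

    Later runs (appended with --append-output) overwrite earlier results for the
    same (port, proto), so the returned state is the most recent observation.
    """
    hosts = {}
    runs = 0
    for line in text.splitlines():
        if line.startswith("# Nmap ") and " scan initiated " in line:
            runs += 1
            continue
        if not line.startswith("Host:"):
            continue  # comments, "# Nmap done" trailers, blank lines
        m = HOST_RE.match(line)
        if not m:
            raise ValueError(f"unparseable host line: {line!r}")
        address, hostname, rest = m.groups()
        host = hosts.setdefault(address, HostResult(address, hostname))
        for fld in rest.split("\t"):
            key, _, value = fld.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Status":
                host.status = value
            elif key == "Ports":
                for p in parse_ports_field(value):
                    host.ports[(p.port, p.proto)] = p
    return hosts, runs


def open_ports(hosts):
    """Map each address to its sorted list of open ports (any protocol)."""
    return {a: sorted(p.port for p in h.ports.values() if p.state == "open")
            for a, h in hosts.items()}


if __name__ == "__main__":
    hosts, runs = parse_gnmap(SAMPLE_GNMAP)
    print(f"{runs} runs, {len(hosts)} hosts")
    for addr, ports in open_ports(hosts).items():
        print(addr, ports)
```

Keying results by (port, proto) is what makes appended files useful: a follow-up scan of a single port corrects the earlier record instead of leaving two contradictory lines for the reader to reconcile by hand.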

The -6 option enables IPv6 in Nmap (provided your OS has IPv6 support). At the time this tutorial was written only TCP connect scans and the TCP connect ping were supported over IPv6; for other scan types the tutorial points to http://nmap6.sourceforge.net. Current Nmap releases support most scan types, including SYN scans and OS detection, over IPv6 directly.

Highly recommended: -v

Use -v twice for more verbosity. The -d option can also be used (once or twice) to generate debugging output, which is more verbose still.

Scans cancelled with Ctrl+C can be resumed with the --resume option, followed by the name of the logfile from the interrupted scan. The logfile must be a Normal or Grepable logfile (-oN or -oG); Nmap reads the targets and the last host reached from it and carries on from there.

-iL inputfilename reads targets from the named file rather than from the command line.

The file should contain a host list or list of network expressions separated by spaces, tabs or newlines. Using a hyphen as the input file makes Nmap read from standard input.

The -F option scans only those ports listed in the nmap-services file (or the nmap-protocols file if the scan type is -sO). This is far faster than scanning all 65,535 ports. In current releases -F means the 100 most common ports according to that file's frequency data, which is faster still.

The --ttl option, followed by a value, sets the time-to-live of the IPv4 packets Nmap sends. Its usefulness lies in mapping paths through networks and determining ACLs on firewalls: setting the TTL to one past the packet filter lets you see whether a probe is dropped by the filter itself or answered by the hop behind it, which reveals information about the filtering rules. Repeated Nmap scans of a single port using increasing TTL values will emulate a traceroute-style network path map (try it, it's great fun for a while, until you get bored and realise traceroute does it all for you automatically!).
