Top 30 Nmap Command Examples For Sys/Network Admins_zs12344444的博客-程序员信息网

技术标签: linux  



Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users.

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

nmap in action

nmap in action

More about nmap

From the man page:

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon and it can answer the following questions easily:

  1. What computers did you find running on the local network?
  2. What IP addresses did you find running on the local network?
  3. What is the operating system of your target machine?
  4. Find out what ports are open on the machine that you just scanned?
  5. Find out if the system is infected with malware or virus.
  6. Search for unauthorized servers or network service on your network.
  7. Find and remove computers which don't meet the organization's minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So setup a lab as follows:

        +---------+           | Network |         +--------+
        | server1 |-----------+ swtich  +---------|server2 |
        +---------+           | (sw0)   |         +--------+
                         | wks01 Linux/OSX    |


  • wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
  • server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
  • server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
  • All three systems are connected via switch.

How do I install nmap?


  1. Debian / Ubuntu Linux: Install nmap Software For Scanning Network
  2. CentOS / RHEL: Install nmap Network Security Scanner
  3. OpenBSD: Install nmap Network Security Scanner

#1: Scan a single host or an IP address (IPv4)

### Scan a single ip address ###
## Scan a host name ###
## Scan a host name with more info###
nmap -v

Sample outputs:

Fig.01: nmap output

Fig.01: nmap output

#2: Scan multiple IP address or subnet (IPv4)

## works with same subnet i.e.

You can scan a range of IP address too:


You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:


#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt
Sample outputs:

The syntax is:

nmap -iL /tmp/test.txt

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap --exclude
nmap --exclude,

OR exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A
nmap -v -A
nmap -A -iL /tmp/scanlist.txt 

#6: Find out if a host/network is protected by a firewall

nmap -sA
nmap -sA

#7: Scan a host when protected by the firewall

nmap -PN
nmap -PN

#8: Scan an IPv6 host/address

The -6 option enable IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP

Sample outputs:

Host is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host is up.
Host nas03 ( is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

#10: How do I perform a fast scan?

nmap -F

#11: Display the reason a port is in a particular state

nmap --reason
nmap --reason

#12: Only show open (or possibly open) ports

nmap --open
nmap --open

#13: Show all packets sent and received

nmap --packet-trace
nmap --packet-trace

14#: Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)

nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( ) at 2012-11-27 02:01 IST
DEV    (SHORT)  IP/MASK          TYPE        UP MAC
lo     (lo)      loopback    up
eth0   (eth0)   ethernet    up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)    point2point up
DST/MASK         DEV    GATEWAY   ppp0 eth0    eth0  vmnet1  vmnet8    eth0       ppp0        eth0

#15: How do I scan specific ports?

map -p [port] hostName
## Scan port 80
nmap -p 80
## Scan TCP port 80
nmap -p T:80
## Scan UDP port 53
nmap -p U:53
## Scan two ports ##
nmap -p 80,443
## Scan port ranges ##
nmap -p 80-200
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080
nmap -p U:53,111,137,T:21-25,80,139,8080
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080
## Scan all ports with * wildcard ##
nmap -p "*"
## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5
nmap --top-ports 10

Sample outputs:

Starting Nmap 5.00 ( ) at 2012-11-27 01:23 IST
Interesting ports on
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

#16: The fastest way to scan all your devices/computers for open ports ever

nmap -T5

#17: How do I detect remote operating system?

You can identify a remote host apps and OS using the -O option:

nmap -O
nmap -O  --osscan-guess
nmap -v -O --osscan-guess

Sample outputs:

Starting Nmap 5.00 ( ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning [1000 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against
Retrying OS detection (try #2) against
Retrying OS detection (try #3) against
Retrying OS detection (try #4) against
Retrying OS detection (try #5) against
Host is up (0.00049s latency).
Interesting ports on
Not shown: 998 closed ports
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

See also: Fingerprinting a web-server and a dns server command line tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?

nmap -sV

Sample outputs:

Starting Nmap 5.00 ( ) at 2012-11-27 01:34 IST
Interesting ports on
Not shown: 998 closed ports
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

nmap -PS
nmap -PS 80,21,443
nmap -PA
nmap -PA 80,21,200-512

#20: Scan a host using IP protocol ping

nmap -PO

#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU
nmap -PU 2000.2001

#22: Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan ###
nmap -sS
### Find out the most commonly used TCP ports using  TCP connect scan (warning: no stealth scan)
###  OS Fingerprinting ###
nmap -sT
### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA
### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW
### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:

nmap -sU nas03
nmap -sU

Sample outputs:

Starting Nmap 5.00 ( ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (
Not shown: 995 closed ports
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

#24: Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO

#25: Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN
## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF
## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX

See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

<pre lang="bash" "="" style="padding: 0.667em 0.917em; margin-top: 0px; margin-bottom: 1.833em; background-color: rgb(238, 238, 238); border: 1px solid rgb(221, 221, 221); overflow: auto; clear: both; font-family: Consolas, 'Andale Mono', Monaco, Courier, 'Courier New', Verdana, sans-serif; font-size: 0.857em; line-height: 1.5em; ">nmap -f -f -f 15 Set your own offset size with the --mtu option ##nmap --mtu 32

#27: Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,,,

#28: Scan a firewall for MAC address spoofing

### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE
### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE
### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0

#29: How do I save output to a text file?

The syntax is:

nmap > output.txt
nmap -oN /path/to/filename
nmap -oN output.txt

#30: Not a fan of command line tools?

Try zenmap the official network mapper front end:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

You can install zenmap using the following apt-get command:
$ sudo apt-get install zenmap
Sample outputs:

[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)
Selecting previously deselected package zenmap.
(Reading database ... 281105 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...

Type the following command to start zenmap:
$ sudo zenmap
Sample outputs

Fig.02: zenmap in action
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。



关于axios发起post请求后端报400错误这是前端错误​ 这个问题困扰我很久,在网上查找解决的方法要么说利用qs 要么说利用URLSearchParams 传递参数 等等方法 我都试过了 但是还是解决不了 ,我用postman请求后端是可以的 但是用axios就不行。​ 最后我的解决问题方法是将前面的params 更改成data进来断点了,数据都正常重点在使用axios时,注意到配置选项中包含params和data两者,以为他们是相同的,实则不然。因为params是添加到




BSON 对象。数据类型的介绍可参考数据类型。语法BSONObj(&lt;json&gt;) / new BSONObj(&lt;json&gt;)BSONObj.toJson()BSONObj.toObj()BSONObj.toString()方法BSONObj(&lt;json&gt;) / new BSONObj(&lt;json&gt;)创建 BSONObj 对象参数名 参数类型 默认值 描述 是否必填 json JSON

智能聊天机器人的技术综述_Chatopera 研发团队的博客-程序员信息网

本文转载,原文地址。在转载过程中,资源和开放数据有更新,不代表原作者观点。目录摘要研究背景国内外研究现状对比工程要求及分类实现需求工程分类常见技术模型Encoder-decoder加解密模型Hierarchiacal Recurrent Encoder-Decoder分级卷积加解密模型Bidirectional HRED双向分级卷积加解密模型Word embedding词嵌入Attention注意力机制模型评估方法公开资源模型框架Dialogflow腾讯智能对话平台 TBPChatoperaLangua


ElasticSearch编程操作创建项目创建工程,导入坐标&lt;dependencies&gt; &lt;dependency&gt; &lt;groupId&gt;org.elasticsearch&lt;/groupId&gt; &lt;artifactId&gt;elasticsearch&lt;/artifactId&gt; &lt;version&gt;5.6.8&lt;/version&gt; &lt;/dependenc


说明:搭建netcore 使用efcore入门教程,跟着这个教程,傻瓜都可以成功!O(∩_∩)O哈哈~,咱们开始吧;首先介绍下环境:  vs2017,  netcore2.2,  EntityFramework6  测试场景:Mysql,SqlServer一、创建netcore模板项目这个就不用多说了,创建完成看下版本:二、引用EF Core有的博主写的这样引用:Install-Package Microsoft.EntityFrameworkCore.Sq.



20220705开发板BL602的SDK编译以及刷机2022/7/5 15:241、下载BL602的SDK的快速入门下载代码,使用 git clone [email protected]:bouffalolab/bl_iot_sdk.g


select t1.rolename from (select * from [email protected]) t1, (select * from [email protected]) t2 where t1.rolename = t2.username(+) and t2.username is null;  select t1.rol...

SQL 日期型函数_zoohouse的博客-程序员信息网

<br />1 SQL Server 有两种日期类型:DATETIME 和 SMALLDATETIME,<br />    <br />    DATETIME 的日期范围:1753-1-1到9999-12-31之间的日期值,精度为3.33毫秒,其类型的值在SQLServer内部用两个 4 字节的整数存储。<br />      第一个 4 字节存储“基础日期”(即 1900 年 1 月 1 日)之前或之后的天数。基础日期是系统参照日期。<br />            另外一个 4 字节存储天的时间(以

设计模式 - 模版方法_我爱看明朝的博客-程序员信息网

设计模式 - 模版方法场景小张的团队最近接受一个需求,实现实现一家咖啡店的冲泡咖啡和茶的冲泡自动化。之前这家咖啡店都是由咖啡师傅手动进行调制咖啡和茶。现在咖啡店需要引入自动化的点单和调制饮料的系统,小张负责实现调制饮料的功能。咖啡师傅手工冲泡咖啡和茶的流程:冲泡咖啡:把水煮沸用沸水冲泡咖啡把咖啡倒入杯子加糖和牛奶冲泡茶:把水煮沸用沸水冲泡茶叶把茶倒入...


简介“简单却不失优雅,小巧而不乏大匠”。2016年最火的前端框架当属Vue.js了,很多使用过vue的程序员这样评价它,“vue.js兼具angular.js和react.js的优点,并剔除了它们的缺点”。授予了这么高的评价的vue.js,也是开源世界华人的骄傲,因为它的作者是位中国人–尤雨溪(Evan You)。Vue.js 是一个JavaScriptMVVM库,是一套构建用户界面的渐进...

Python threading 多线程_Thinking_boy1992的博客-程序员信息网

threading通过对thread模块进行二次封装,提供了更方便的API来操作线程。threading.ThreadThread 是threading模块中最重要的类之一,可以使用它来创建线程。有两种方式来创建线程:一种是通过继承Thread类,重写它的run方法;另一种是创建一个threading.Thread对象,在它的初始化函数(init)中将可调用对象作为参数传入。下面分别举例说明。先来