centos 6.5下安装nmap工具及简单用法

[root@lamp01 scripts]# nmap -h
nmap 5.51 ( http://nmap.org )
usage: nmap [scan type(s)] [options] {target specification}
target specification:
  can pass hostnames, ip addresses, networks, etc.
  ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -il <inputfilename>: input from list of hosts/networks
  -ir <num hosts>: choose random targets
  --exclude <host1[,host2][,host3],...>: exclude hosts/networks
  --excludefile <exclude_file>: exclude list from file
host discovery:
  -sl: list scan - simply list targets to scan
  -sn: ping scan - disable port scan
  -pn: treat all hosts as online -- skip host discovery
  -ps/pa/pu/py[portlist]: tcp syn/ack, udp or sctp discovery to given ports
  -pe/pp/pm: icmp echo, timestamp, and netmask request discovery probes
  -po[protocol list]: ip protocol ping
  -pr: arp ping - does not need hw address -> ip translation
  -n/-r: never do dns resolution/always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: specify custom dns servers
  --system-dns: use os's dns resolver
  --traceroute: trace hop path to each host
scan techniques:
  -ss/st/sa/sw/sm: tcp syn/connect()/ack/window/maimon scans
  -su: udp scan
  -sn/sf/sx: tcp null, fin, and xmas scans
  --scanflags <flags>: customize tcp scan flags
  -si <zombie host[:probeport]>: idle scan
  -sy/sz: sctp init/cookie-echo scans
  -so: ip protocol scan
  -b <ftp relay host>: ftp bounce scan
port specification and scan order:
  -p <port ranges>: only scan specified ports
    ex: -p22; -p1-65535; -p u:53,111,137,t:21-25,80,139,8080,s:9
  -f: fast mode - scan fewer ports than the default scan
  -r: scan ports consecutively - don't randomize
  --top-ports <number>: scan <number> most common ports
  --port-ratio <ratio>: scan ports more common than <ratio>
service/version detection:
  -sv: probe open ports to determine service/version info
  -sr: check what service uses opened ports using rpc scan
  --version-intensity <level>: set from 0 (light) to 9 (try all probes)
  --version-light: limit to most likely probes (intensity 2)
  --version-all: try every single probe (intensity 9)
  --version-trace: show detailed version scan activity (for debugging)
script scan:
  -sc: equivalent to --script=default
  --script=<lua scripts>: <lua scripts> is a comma separated list of 
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-trace: show all data sent and received
  --script-updatedb: update the script database.
os detection:
  -o: enable os detection
  --osscan-limit: limit os detection to promising targets
  --osscan-guess: guess os more aggressively
timing and performance:
  options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -t<0-5>: set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: specifies
      probe round trip time.
  --max-retries <tries>: caps number of port scan probe retransmissions.
  --host-timeout <time>: give up on target after this long
  --scan-delay/--max-scan-delay <time>: adjust delay between probes
  --min-rate <number>: send packets no slower than <number> per second
  --max-rate <number>: send packets no faster than <number> per second
firewall/ids evasion and spoofing:
  -f; --mtu <val>: fragment packets (optionally w/given mtu)
  -d <decoy1,decoy2[,me],...>: cloak a scan with decoys
  -s <ip_address>: spoof source address
  -e <iface>: use specified interface
  -g/--source-port <portnum>: use given port number
  --data-length <num>: append random data to sent packets
  --ip-options <options>: send packets with specified ip options
  --ttl <val>: set ip time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: spoof your mac address
  --badsum: send packets with a bogus tcp/udp/sctp checksum
output:
  -on/-ox/-os/-og <file>: output scan in normal, xml, s|<ript kiddi3,
     and grepable format, respectively, to the given filename.
  -oa <basename>: output in the three major formats at once
  -v: increase verbosity level (use -vv or more for greater effect)
  -d: increase debugging level (use -dd or more for greater effect)
  --reason: display the reason a port is in a particular state
  --open: only show open (or possibly open) ports
  --packet-trace: show all packets sent and received
  --iflist: print host interfaces and routes (for debugging)
  --log-errors: log errors/warnings to the normal-format output file
  --append-output: append to rather than clobber specified output files
  --resume <filename>: resume an aborted scan
  --stylesheet <path/url>: xsl stylesheet to transform xml output to html
  --webxml: reference stylesheet from nmap.org for more portable xml
  --no-stylesheet: prevent associating of xsl stylesheet w/xml output
misc:
  -6: enable ipv6 scanning
  -a: enable os detection, version detection, script scanning, and traceroute
  --datadir <dirname>: specify custom nmap data file location
  --send-eth/--send-ip: send using raw ethernet frames or ip packets
  --privileged: assume that the user is fully privileged
  --unprivileged: assume the user lacks raw socket privileges
  -v: print version number
  -h: print this help summary page.
examples:
  nmap -v -a scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -ir 10000 -pn -p 80
see the man page (http://nmap.org/book/man.html) for more options and examples