[Experience sharing] Zenmap (the Windows version of nmap): tool parameter explanation
Posted on 2015-6-25 09:06:48
Note: this post mainly covers the scan options behind the Profile presets; the other parts of Zenmap have already been explained in detail by experts on Baidu. Compiled with reference to the nmap man page.
Target: the IP addresses and ports to scan. Several forms are supported, for example an address range 10.123.10.1-10.123.10.244, CIDR notation 10.123.10.1/24, hostnames, single IPs, and combinations of single IPs and ranges.
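As an added example (not code from this post or from the Nmap project), the following Python expands the target forms listed above into the concrete addresses they cover, so the size of a scan can be checked before it is launched. Beyond the post's forms it also accepts nmap's own per-octet range syntax (10.123.10.1-244); hostnames such as host.example.com are placeholders and are returned unresolved.

```python
"""Expand nmap-style target specifications into the addresses they cover.

Added example, not code from the original post or from the Nmap project. It
models the target forms the post lists (a first-last address range such as
10.123.10.1-10.123.10.244, CIDR such as 10.123.10.1/24, hostnames, single
IPs and whitespace-separated combinations) plus nmap's per-octet range form
(10.123.10.1-244). Hostnames are returned unresolved; no DNS lookup is done.
"""
import ipaddress
import re
from typing import List

_FULL_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
_OCTET_RE = re.compile(r"^\d{1,3}(?:-\d{1,3})?$")
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def _octet_values(part: str) -> range:
    """'7' -> range(7, 8); '1-244' -> range(1, 245); rejects values outside 0-255."""
    lo, _, hi = part.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet or octet range: {part!r}")
    return range(low, high + 1)


def expand_target(spec: str) -> List[str]:
    """Expand one target token into the list of addresses nmap would scan."""
    spec = spec.strip()
    if not spec:
        return []
    if "/" in spec:
        # CIDR: nmap scans every address in the block, network and
        # broadcast addresses included, so 10.123.10.1/24 is 256 targets.
        net = ipaddress.IPv4Network(spec, strict=False)
        return [str(a) for a in net]
    m = _FULL_RANGE_RE.match(spec)
    if m:
        # first-last form as written in the post: 10.123.10.1-10.123.10.244
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        if last < first:
            raise ValueError(f"range end precedes start: {spec!r}")
        return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET_RE.match(p) for p in parts):
        # single IP, or nmap's per-octet range form such as 10.123.10.1-244
        a, b, c, d = (_octet_values(p) for p in parts)
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    if _HOSTNAME_RE.match(spec):
        return [spec]  # hostname: left for the resolver
    raise ValueError(f"unrecognised target specification: {spec!r}")


def expand_targets(target_line: str) -> List[str]:
    """Expand a whole Zenmap Target field (whitespace-separated tokens)."""
    addresses: List[str] = []
    for token in target_line.split():
        addresses.extend(expand_target(token))
    return addresses


def is_valid_target(spec: str) -> bool:
    """True if expand_target accepts the token, False if it rejects it."""
    try:
        expand_target(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs in the forms the post describes.
    for sample in ("10.123.10.1-10.123.10.244", "10.123.10.1/24",
                   "10.123.10.1-4", "host.example.com 10.123.10.7"):
        print(f"{sample!r}: {len(expand_targets(sample))} target(s)")
```

Running it shows the practical point: the /24 form covers 256 addresses (including .0 and .255) while the written range covers 244, and an octet above 255 is rejected rather than silently scanned.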

Main Profile parameters
1. Intense scan
nmap -T4 -A -v
-T4     -T<0-5>: the timing template, given by number (0-5) or by name. The
        template names are paranoid (0), sneaky (1), polite (2), normal (3),
        aggressive (4), and insane (5). The first two are for IDS evasion.
        Polite mode slows down the scan to use less bandwidth and target
        machine resources. Normal mode is the default and so -T3 does
        nothing. Aggressive mode speeds scans up by making the assumption
        that you are on a reasonably fast and reliable network. Finally,
        insane mode assumes that you are on an extraordinarily fast network
        or are willing to sacrifice some accuracy for speed.

        For example, -T4 prohibits the dynamic scan delay from exceeding
        10 ms for TCP ports and -T5 caps that value at 5 ms.

        -T4 for faster execution
From the above, -T4 suits scanning on a LAN or another reliable network; it is somewhat aggressive, and scanning one TCP port takes about 10 ms on average.
-A:     Enable OS detection, version detection, script scanning, and traceroute
Three effects: OS and version detection, script scanning, and traceroute.
-v:     Show verbose information while the scan runs

2. Intense scan plus UDP: intense scan plus a UDP scan
nmap -sS -sU -T4 -A -v
-sS     -sS (TCP SYN scan)
        SYN scan is the default and most popular scan option for good
        reasons. It can be performed quickly, scanning thousands of ports
        per second on a fast network not hampered by restrictive firewalls.
        It is also relatively unobtrusive and stealthy since it never
        completes TCP connections. SYN scan works against any compliant TCP
        stack rather than depending on idiosyncrasies of specific platforms
        as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows
        clear, reliable differentiation between the open, closed, and
        filtered states.

        This technique is often referred to as half-open scanning, because
        you don't open a full TCP connection. You send a SYN packet, as if
        you are going to open a real connection and then wait for a
        response. A SYN/ACK indicates the port is listening (open), while a
        RST (reset) is indicative of a non-listener. If no response is
        received after several retransmissions, the port is marked as
        filtered. The port is also marked filtered if an ICMP unreachable
        error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is
        also considered open if a SYN packet (without the ACK flag) is
        received in response. This can be due to an extremely rare TCP
        feature known as a simultaneous open or split handshake connection
        (see http://nmap.org/misc/split-handshake.pdf).
The key point about -sS is that it is popular and easy to use: it scans quickly and stays stealthy because it is a half-open scan that never completes a real TCP connection.
It sends a SYN packet; a SYN/ACK (or SYN) reply means the remote port is open and listening; a RST means the port is not listening; if no reply arrives at all, the port is marked filtered.

-sU     -sU (UDP scans)
        While most popular services on the Internet run over the TCP
        protocol, UDP services are widely deployed. DNS, SNMP, and DHCP
        (registered ports 53, 161/162, and 67/68) are three of the most
        common. Because UDP scanning is generally slower and more difficult
        than TCP, some security auditors ignore these ports. This is a
        mistake, as exploitable UDP services are quite common and attackers
        certainly don't ignore the whole protocol. Fortunately, Nmap can
        help inventory UDP ports.

        UDP scan is activated with the -sU option. It can be combined with
        a TCP scan type such as SYN scan (-sS) to check both protocols
        during the same run.

        UDP scan works by sending a UDP packet to every targeted port. For
        some common ports such as 53 and 161, a protocol-specific payload
        is sent, but for most ports the packet is empty. The
        --data-length option can be used to send a fixed-length random
        payload to every port or (if you specify a value of 0) to disable
        payloads. If an ICMP port unreachable error (type 3, code 3) is
        returned, the port is closed. Other ICMP unreachable errors (type
        3, codes 1, 2, 9, 10, or 13) mark the port as filtered.
        Occasionally, a service will respond with a UDP packet, proving
        that it is open. If no response is received after retransmissions,
        the port is classified as open|filtered. This means that the port
        could be open, or perhaps packet filters are blocking the
        communication. Version detection (-sV) can be used to help
        differentiate the truly open ports from the filtered ones.

        A big challenge with UDP scanning is doing it quickly. Open and
        filtered ports rarely send any response, leaving Nmap to time out
        and then conduct retransmissions just in case the probe or response
        were lost. Closed ports are often an even bigger problem. They
        usually send back an ICMP port unreachable error. But unlike the
        RST packets sent by closed TCP ports in response to a SYN or
        connect scan, many hosts rate limit ICMP port unreachable
        messages by default. Linux and Solaris are particularly strict
        about this. For example, the Linux 2.4.20 kernel limits destination
        unreachable messages to one per second (in net/ipv4/icmp.c).

        Nmap detects rate limiting and slows down accordingly to avoid
        flooding the network with useless packets that the target machine
        will drop. Unfortunately, a Linux-style limit of one packet per
        second makes a 65,536-port scan take more than 18 hours. Ideas for
        speeding your UDP scans up include scanning more hosts in parallel,
        doing a quick scan of just the popular ports first, scanning from
        behind the firewall, and using --host-timeout to skip slow hosts.
Services that run over UDP mainly include DNS, SNMP and DHCP. Because UDP scanning is harder and more time-consuming, some audits leave it out. The difficulty is that Linux and Solaris limit the number of unreachable messages per second by default, and to avoid making the server drop packets Nmap lowers its sending rate, so the scan takes a very long time. It is recommended to scan the common UDP ports first and to set a host timeout to skip hosts that scan slowly.
Normally, when the server answers with a UDP packet the port is open; when there is no answer, nmap
classifies the port as open|filtered, and in that case the -sV option is needed to help determine the port's state.
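To make the -sS and -sU decision rules above concrete, here is an added Python model (not the post's or Nmap's code) that classifies a port from the reply its probe produced, for both scan types, and puts a number on the ICMP rate-limiting problem the UDP excerpt describes. The replies and port numbers are constructed sample data, not captured traffic.

```python
"""Classify port states from scan replies the way the -sS and -sU man page
excerpts describe.

Added example, not code from the original post or from the Nmap project. It
models only the decision rules: for SYN scan, SYN/ACK or bare SYN -> open,
RST -> closed, ICMP unreachable or silence -> filtered; for UDP scan, a UDP
reply -> open, ICMP type 3 code 3 -> closed, other ICMP unreachables ->
filtered, silence -> open|filtered. Replies are constructed records.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Reply:
    """What came back for one probe: kind is 'tcp', 'udp' or 'icmp'."""
    kind: str
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: int = 0
    icmp_code: int = 0


# ICMP destination-unreachable (type 3) codes that mark a port filtered.
SYN_FILTERED_CODES = frozenset({1, 2, 3, 9, 10, 13})
UDP_FILTERED_CODES = frozenset({1, 2, 9, 10, 13})   # code 3 means closed for UDP


def syn_scan_state(reply: Optional[Reply]) -> str:
    """State of a TCP port after a SYN probe; None means silence after retransmissions."""
    if reply is None:
        return "filtered"
    if reply.kind == "tcp":
        if "RST" in reply.tcp_flags:
            return "closed"
        if "SYN" in reply.tcp_flags:
            # SYN/ACK, or a bare SYN from a simultaneous-open / split-handshake stack
            return "open"
    if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code in SYN_FILTERED_CODES:
        return "filtered"
    raise ValueError(f"reply not covered by the -sS rules: {reply}")


def udp_scan_state(reply: Optional[Reply]) -> str:
    """State of a UDP port after a UDP probe; None means silence after retransmissions."""
    if reply is None:
        return "open|filtered"     # open, or a filter dropped the probe: cannot tell
    if reply.kind == "udp":
        return "open"
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == 3:
            return "closed"
        if reply.icmp_code in UDP_FILTERED_CODES:
            return "filtered"
    raise ValueError(f"reply not covered by the -sU rules: {reply}")


def scan_summary(scan: str, replies: Dict[int, Optional[Reply]]) -> Dict[int, str]:
    """Map each probed port to its state for scan 'syn' or 'udp'."""
    classify = {"syn": syn_scan_state, "udp": udp_scan_state}[scan]
    return {port: classify(reply) for port, reply in sorted(replies.items())}


def rate_limited_udp_hours(closed_ports: int, icmp_per_second: float = 1.0) -> float:
    """Hours needed when every closed port costs one rate-limited ICMP reply
    (the man page's Linux 2.4.20 figure: one destination-unreachable per second)."""
    return closed_ports / icmp_per_second / 3600.0


# Constructed sample captures (not real traffic).
SAMPLE_SYN_REPLIES: Dict[int, Optional[Reply]] = {
    22: Reply("tcp", frozenset({"SYN", "ACK"})),
    23: Reply("tcp", frozenset({"RST"})),
    25: None,
    135: Reply("icmp", icmp_type=3, icmp_code=13),
    8080: Reply("tcp", frozenset({"SYN"})),
}
SAMPLE_UDP_REPLIES: Dict[int, Optional[Reply]] = {
    53: Reply("udp"),
    67: None,
    123: Reply("icmp", icmp_type=3, icmp_code=3),
    161: Reply("icmp", icmp_type=3, icmp_code=10),
}

if __name__ == "__main__":
    print("SYN:", scan_summary("syn", SAMPLE_SYN_REPLIES))
    print("UDP:", scan_summary("udp", SAMPLE_UDP_REPLIES))
    print(f"65,536 closed UDP ports at 1 ICMP/s: {rate_limited_udp_hours(65536):.1f} h")
```

The asymmetry the post points out shows up directly in the two functions: silence after retransmissions is a definite "filtered" for SYN scan but only "open|filtered" for UDP, which is why -sV is needed to separate the two, and 65,536 rate-limited ICMP replies at one per second comes to just over 18 hours.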

3. Intense scan, all TCP ports: intense scan of every port on the target
nmap -p 1-65535 -T4 -A -v

4. Intense scan, no ping: intense scan of the target without host discovery
nmap -T4 -A -v -Pn
-Pn: Treat all hosts as online -- skip host discovery
-Pn (No ping)
        This option skips the Nmap discovery stage altogether. Normally,
        Nmap uses this stage to determine active machines for heavier
        scanning. By default, Nmap only performs heavy probing such as port
        scans, version detection, or OS detection against hosts that are
        found to be up. Disabling host discovery with -Pn causes Nmap to
        attempt the requested scanning functions against every target IP
        address specified. So if a class B target address space (/16) is
        specified on the command line, all 65,536 IP addresses are scanned.
        Proper host discovery is skipped as with the list scan, but instead
        of stopping and printing the target list, Nmap continues to perform
        requested functions as if each target IP is active. To skip ping
        scan and port scan, while still allowing NSE to run, use the two
        options -Pn -sn together.

        For machines on a local ethernet network, ARP scanning will still
        be performed (unless --disable-arp-ping or --send-ip is specified)
        because Nmap needs MAC addresses to further scan target hosts. In
        previous versions of Nmap, -Pn was -P0 and -PN.
Assumes every host is online and skips the host discovery stage.

5. Ping scan: after host discovery, no port scan is performed
nmap -sn
-sn: Ping Scan - disable port scan
-sn (No port scan)
        This option tells Nmap not to do a port scan after host discovery,
        and only print out the available hosts that responded to the scan.
        This is often known as a “ping scan”, but you can also request that
        traceroute and NSE host scripts be run. This is by default one step
        more intrusive than the list scan, and can often be used for the
        same purposes. It allows light reconnaissance of a target network
        without attracting much attention. Knowing how many hosts are up is
        more valuable to attackers than the list provided by list scan of
        every single IP and host name.

        Systems administrators often find this option valuable as well. It
        can easily be used to count available machines on a network or
        monitor server availability. This is often called a ping sweep, and
        is more reliable than pinging the broadcast address because many
        hosts do not reply to broadcast queries.

        The default host discovery done with -sn consists of an ICMP echo
        request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
        timestamp request by default. When executed by an unprivileged
        user, only SYN packets are sent (using a connect call) to ports 80
        and 443 on the target. When a privileged user tries to scan targets
        on a local ethernet network, ARP requests are used unless --send-ip
        was specified. The -sn option can be combined with any of the
        discovery probe types (the -P* options, excluding -Pn) for greater
        flexibility. If any of those probe type and port number options are
        used, the default probes are overridden. When strict firewalls are
        in place between the source host running Nmap and the target
        network, using those advanced techniques is recommended. Otherwise
        hosts could be missed when the firewall drops probes or their
        responses.

        In previous releases of Nmap, -sn was known as -sP.

6. Quick scan
nmap -T4 -F
-F:     -F: Fast mode - Scan fewer ports than the default scan
        -F (Fast (limited port) scan)
        Specifies that you wish to scan fewer ports than the default.
        Normally Nmap scans the most common 1,000 ports for each scanned
        protocol. With -F, this is reduced to 100.

        Nmap needs an nmap-services file with frequency information in
        order to know which ports are the most common. If port frequency
        information isn't available, perhaps because of the use of a custom
        nmap-services file, Nmap scans all named ports plus ports 1-1024.
        In that case, -F means to scan only ports that are named in the
        services file.

7. Quick scan plus: an even faster scan
nmap -sV -T4 -O -F --version-light
-O:     Enable OS detection
--version-intensity <intensity> (Set version scan intensity)
        When performing a version scan (-sV), Nmap sends a series of
        probes, each of which is assigned a rarity value between one and
        nine. The lower-numbered probes are effective against a wide
        variety of common services, while the higher-numbered ones are
        rarely useful. The intensity level specifies which probes should be
        applied. The higher the number, the more likely it is the service
        will be correctly identified. However, high intensity scans take
        longer. The intensity must be between 0 and 9. The default is 7.
        When a probe is registered to the target port via the
        nmap-service-probes ports directive, that probe is tried regardless
        of intensity level. This ensures that the DNS probes will always be
        attempted against any open port 53, the SSL probe will be done
        against 443, etc.

--version-light (Enable light mode)
        This is a convenience alias for --version-intensity 2. This light
        mode makes version scanning much faster, but it is slightly less
        likely to identify services.

-sV     -sV (Version detection)
        Enables version detection, as discussed above. Alternatively, you
        can use -A, which enables version detection among other things.

        -sR is an alias for -sV. Prior to March 2011, it was used to
        activate the RPC grinder separately from version detection, but now
        these options are always combined.
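The intensity rule above (a probe is sent when its rarity is at or below the intensity, or always when the target port is registered for it) is easy to get wrong when reading --version-light output, so here is an added Python model of it. It is not the post's or Nmap's code, and the probe table is constructed: the names echo the style of nmap-service-probes, but their rarity values and port registrations are assumptions rather than the real file's contents.

```python
"""Model which service probes -sV sends at a given --version-intensity.

Added example, not code from the original post or from the Nmap project. Only
the selection rule from the man page is modelled: a probe is tried if its
rarity is at or below the intensity, or regardless of intensity if the
target port is registered for it via its ports directive. The probe table is
constructed for illustration; rarity and port values are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Probe:
    name: str
    rarity: int                              # 1 (common) .. 9 (rarely useful)
    ports: FrozenSet[int] = frozenset()      # ports directive: always tried on these


# Constructed probe table (rarity and port values are illustrative assumptions).
CONSTRUCTED_PROBES: List[Probe] = [
    Probe("GenericLines", 1),
    Probe("GetRequest", 1, frozenset({80, 8080})),
    Probe("DNSVersionBindReq", 3, frozenset({53})),
    Probe("SSLSessionReq", 4, frozenset({443})),
    Probe("Kerberos", 8, frozenset({88})),
    Probe("RareLegacy", 9),
]

DEFAULT_INTENSITY = 7      # -sV default per the man page
LIGHT_INTENSITY = 2        # --version-light is an alias for --version-intensity 2


def select_probes(probes: Iterable[Probe], target_port: int,
                  intensity: int = DEFAULT_INTENSITY) -> List[str]:
    """Names of the probes tried against target_port, in rarity order."""
    if not 0 <= intensity <= 9:
        raise ValueError("intensity must be between 0 and 9")
    chosen = [p for p in probes if p.rarity <= intensity or target_port in p.ports]
    return [p.name for p in sorted(chosen, key=lambda p: p.rarity)]


def probe_budget(probes: Iterable[Probe], open_ports: Iterable[int], intensity: int) -> int:
    """Total probes sent across a set of open ports; fewer probes means a faster scan."""
    probes = list(probes)
    return sum(len(select_probes(probes, port, intensity)) for port in open_ports)


if __name__ == "__main__":
    ports = (53, 443, 8080)
    for port in ports:
        print(port, "light:  ", select_probes(CONSTRUCTED_PROBES, port, LIGHT_INTENSITY))
        print(port, "default:", select_probes(CONSTRUCTED_PROBES, port, DEFAULT_INTENSITY))
    print("probe budget light vs default:",
          probe_budget(CONSTRUCTED_PROBES, ports, LIGHT_INTENSITY),
          probe_budget(CONSTRUCTED_PROBES, ports, DEFAULT_INTENSITY))
```

With this table, port 53 at intensity 2 still receives the DNS probe and port 443 still receives the SSL probe, exactly the guarantee the man page describes, while the total number of probes across the three ports drops from 12 at the default intensity to 8 in light mode.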

8. Quick traceroute: quick scan; no port scan, returns the host IP of every hop
nmap -sn --traceroute
--traceroute: Trace hop path to each host

9. Regular scan
nmap

10. Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"
-PE/-PP: ICMP echo and timestamp request probes
-PS <port list> (TCP SYN Ping)
        This option sends an empty TCP packet with the SYN flag set. The
        default destination port is 80 (configurable at compile time by
        changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate
        ports can be specified as a parameter. The syntax is the same as
        for the -p except that port type specifiers like T: are not
        allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note
        that there can be no space between -PS and the port list. If
        multiple probes are specified they will be sent in parallel.

        The SYN flag suggests to the remote system that you are attempting
        to establish a connection. Normally the destination port will be
        closed, and a RST (reset) packet sent back. If the port happens to
        be open, the target will take the second step of a TCP
        three-way-handshake by responding with a SYN/ACK TCP packet. The
        machine running Nmap then tears down the nascent connection by
        responding with a RST rather than sending an ACK packet which would
        complete the three-way-handshake and establish a full connection.
        The RST packet is sent by the kernel of the machine running Nmap in
        response to the unexpected SYN/ACK, not by Nmap itself.

        Nmap does not care whether the port is open or closed. Either the
        RST or SYN/ACK response discussed previously tell Nmap that the
        host is available and responsive.

        On Unix boxes, only the privileged user root is generally able to
        send and receive raw TCP packets. For unprivileged users, a
        workaround is automatically employed whereby the connect system
        call is initiated against each target port. This has the effect of
        sending a SYN packet to the target host, in an attempt to establish
        a connection. If connect returns with a quick success or an
        ECONNREFUSED failure, the underlying TCP stack must have received a
        SYN/ACK or RST and the host is marked available. If the connection
        attempt is left hanging until a timeout is reached, the host is
        marked as down.
-PA     -PA <port list> (TCP ACK Ping)
        The TCP ACK ping is quite similar to the just-discussed SYN ping.
        The difference, as you could likely guess, is that the TCP ACK flag
        is set instead of the SYN flag. Such an ACK packet purports to be
        acknowledging data over an established TCP connection, but no such
        connection exists. So remote hosts should always respond with a RST
        packet, disclosing their existence in the process.

        The -PA option uses the same default port as the SYN probe (80) and
        can also take a list of destination ports in the same format. If an
        unprivileged user tries this, the connect workaround discussed
        previously is used. This workaround is imperfect because connect is
        actually sending a SYN packet rather than an ACK.

        The reason for offering both SYN and ACK ping probes is to maximize
        the chances of bypassing firewalls. Many administrators configure
        routers and other simple firewalls to block incoming SYN packets
        except for those destined for public services like the company web
        site or mail server. This prevents other incoming connections to
        the organization, while allowing users to make unobstructed
        outgoing connections to the Internet. This non-stateful approach
        takes up few resources on the firewall/router and is widely
        supported by hardware and software filters. The Linux
        Netfilter/iptables firewall software offers the --syn convenience
        option to implement this stateless approach. When stateless
        firewall rules such as this are in place, SYN ping probes (-PS) are
        likely to be blocked when sent to closed target ports. In such
        cases, the ACK probe shines as it cuts right through these rules.

        Another common type of firewall uses stateful rules that drop
        unexpected packets. This feature was initially found mostly on
        high-end firewalls, though it has become much more common over the
        years. The Linux Netfilter/iptables system supports this through
        the --state option, which categorizes packets based on connection
        state. A SYN probe is more likely to work against such a system, as
        unexpected ACK packets are generally recognized as bogus and
        dropped. A solution to this quandary is to send both SYN and ACK
        probes by specifying -PS and -PA.
-PS and -PA are used together to maximize the chance of getting past firewalls and similar security devices.
-g/--source-port <portnum>: Use given port number
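The -PS/-PA discussion above explains why the slow comprehensive profile sends -PS80,443 together with -PA3389. The following added Python (not the post's or Nmap's code) models the two firewall styles the man page names and shows which probe each one lets through; from a defender's side it is the same question asked the other way round, namely which discovery probes a given rule set will still answer. The scenario (public ports 80 and 443, an internal 3389 that is open but not exposed) is constructed, replies are assumed to travel back unhindered, and ICMP probes and the unprivileged connect() workaround are deliberately not modelled.

```python
"""Why -PS and -PA are sent together: a model of the two firewall styles the
-PA man page excerpt describes.

Added example, not code from the original post or from the Nmap project. It
models a stateless filter that blocks inbound SYN except to public ports (the
iptables --syn style), a stateful filter that drops packets belonging to no
known connection (the --state style), and a target stack that answers SYN with
SYN/ACK or RST and answers a stray ACK with RST. The scenario is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Probe:
    flags: FrozenSet[str]   # {"SYN"} for -PS, {"ACK"} for -PA
    dport: int


@dataclass(frozen=True)
class Firewall:
    kind: str                                   # "none", "stateless_syn" or "stateful"
    public_ports: FrozenSet[int] = frozenset()  # services deliberately exposed

    def allows(self, probe: Probe) -> bool:
        if self.kind == "none":
            return True
        if self.kind == "stateless_syn":
            # Blocks connection attempts (SYN without ACK) except to public
            # services; anything not looking like a new connection passes.
            is_syn = "SYN" in probe.flags and "ACK" not in probe.flags
            return not is_syn or probe.dport in self.public_ports
        if self.kind == "stateful":
            # Only a new connection to a public service creates state; a bare
            # ACK belongs to no tracked connection and is dropped as bogus.
            return probe.flags == frozenset({"SYN"}) and probe.dport in self.public_ports
        raise ValueError(f"unknown firewall kind: {self.kind}")


def host_reply(probe: Probe, open_ports: FrozenSet[int]) -> Optional[str]:
    """How a compliant TCP stack answers the probe if it arrives at all."""
    if "ACK" in probe.flags:
        return "RST"                     # no such connection exists
    if "SYN" in probe.flags:
        return "SYN/ACK" if probe.dport in open_ports else "RST"
    return None


def ps(ports: Iterable[int]) -> List[Probe]:
    """-PS<ports>: TCP SYN ping probes."""
    return [Probe(frozenset({"SYN"}), p) for p in ports]


def pa(ports: Iterable[int]) -> List[Probe]:
    """-PA<ports>: TCP ACK ping probes."""
    return [Probe(frozenset({"ACK"}), p) for p in ports]


def host_discovered(firewall: Firewall, open_ports: FrozenSet[int],
                    probes: Iterable[Probe]) -> bool:
    """Nmap marks the host up if any probe that gets through draws any reply."""
    return any(host_reply(p, open_ports) is not None
               for p in probes if firewall.allows(p))


# Constructed scenario: 80 and 443 are public, 3389 is open but not exposed.
OPEN_PORTS = frozenset({80, 443, 3389})
STATELESS = Firewall("stateless_syn", frozenset({80, 443}))
STATEFUL = Firewall("stateful", frozenset({80, 443}))
COMPREHENSIVE = ps([80, 443]) + pa([3389])   # the -PS80,443 -PA3389 part of the profile

if __name__ == "__main__":
    for name, fw in (("stateless", STATELESS), ("stateful", STATEFUL)):
        print(name,
              "PS3389:", host_discovered(fw, OPEN_PORTS, ps([3389])),
              "PA3389:", host_discovered(fw, OPEN_PORTS, pa([3389])),
              "PS80,443 + PA3389:", host_discovered(fw, OPEN_PORTS, COMPREHENSIVE))
```

The stateless filter stops the SYN ping to 3389 but answers the ACK ping with a RST; the stateful filter drops the ACK ping but lets the SYN ping to a public port through; only the combined probe set discovers the host behind both, which is the man page's "solution to this quandary" in runnable form.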

nmap --script "default or safe"
        This is functionally equivalent to nmap --script "default,safe". It
        loads all scripts that are in the default category or the safe
        category or both.

Post URL: https://www.yunweiku.com/thread-80386-1-1.html