
29 Practical Examples of Nmap Commands for Linux System Administrators


Nmap (Network Mapper) is an open-source and very versatile tool for Linux system and network administrators. Nmap is used to explore remote machines on the network, run security scans, audit networks and find open ports. It scans remote hosts to find out whether they are up, which operating system they run, which packet filters are in place and which ports are open.


I will cover most of Nmap's usage in two separate parts; this is the first, key part. In the setup below I use two servers with their firewalls disabled to test how the Nmap commands work.

  1. 192.168.0.100 – server1.tecmint.com
  2. 192.168.0.101 – server2.tecmint.com

Nmap command usage

  # nmap [Scan Type(s)] [Options] {target specification}

How to install Nmap on Linux

Today most Linux distributions such as Red Hat, CentOS, Fedora, Debian and Ubuntu ship Nmap in their default package repositories (Yum and APT), the tools used to install and manage packages and updates. Install Nmap on your distribution with the following commands.

  # yum install nmap              [on Red Hat based systems]
  $ sudo apt-get install nmap     [on Debian based systems]

Once you have installed the latest nmap, you can follow the examples provided in this article.

1. Scan a system by hostname and IP address

Nmap offers several ways to scan a system. In this example I scan the system using the hostname server2.tecmint.com to find all open ports, services and the MAC address on that system.

Scan using a hostname

  [root@server1 ~]# nmap server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
  You have new mail in /var/spool/mail/root

Scan using an IP address

  [root@server1 ~]# nmap 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  958/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
  You have new mail in /var/spool/mail/root

2. Scan with the "-v" option

As you can see below, the "-v" option makes nmap print more detailed information about the remote machine.

  [root@server1 ~]# nmap -v server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
  Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
  The ARP Ping Scan took 0.01s to scan 1 total hosts.
  Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
  Discovered open port 22/tcp on 192.168.0.101
  Discovered open port 80/tcp on 192.168.0.101
  Discovered open port 8888/tcp on 192.168.0.101
  Discovered open port 111/tcp on 192.168.0.101
  Discovered open port 3306/tcp on 192.168.0.101
  Discovered open port 957/tcp on 192.168.0.101
  The SYN Stealth Scan took 0.30s to scan 1680 total ports.
  Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
  Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)

3. Scan multiple hosts

You can scan several hosts simply by listing multiple IP addresses or hostnames after the Nmap command.

  [root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

4. Scan an entire subnet

You can use the * wildcard to scan an entire subnet or a range of IP addresses.

  [root@server1 ~]# nmap 192.168.0.*
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
  Interesting ports on server1.tecmint.com (192.168.0.100):
  Not shown: 1677 closed ports
  PORT    STATE SERVICE
  22/tcp  open  ssh
  111/tcp open  rpcbind
  851/tcp open  unknown
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
  You have new mail in /var/spool/mail/root

As you can see from the output above, nmap scanned the whole subnet and reported the hosts that are currently up on the network.
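An added example that is not part of the original article: a small Python parser for the normal-output format nmap prints above, followed by a check that flags listening services missing from a per-host allowlist, which is how a subnet scan like this one is turned into an audit. The sample text is constructed from the subnet-scan output in example 4 (one line changed to the open|filtered state the NULL scan in example 29 reports), and the allowlist is an assumption.

```python
import re
from collections import OrderedDict

# Constructed sample: example 4's output, with 8888/tcp changed to the
# open|filtered state that a NULL scan (example 29) reports. Not a live scan.
SAMPLE_OUTPUT = """\
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
851/tcp open unknown
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open|filtered sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
"""

# A host block starts with this header; its port lines follow until the next one.
HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text):
    """Return {ip: {"host": name, "ports": [(port, proto, state, service), ...]}}."""
    hosts = OrderedDict()
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = {"host": m.group(1), "ports": []}
            continue
        m = PORT_RE.match(line)  # banner, "Not shown", MAC and summary lines do not match
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current]["ports"].append((int(port), proto, state, service))
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Flag reachable services not in baseline = {ip: {(port, proto), ...}}."""
    # A host absent from the baseline allows nothing; 'open' and 'open|filtered'
    # both count as possibly reachable, since a NULL scan cannot tell them apart.
    findings = {}
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())
        extra = [(p, proto, service) for p, proto, state, service in info["ports"]
                 if state.startswith("open") and (p, proto) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


# Assumed allowlist: only SSH is meant to be exposed on either server.
BASELINE = {"192.168.0.100": {(22, "tcp")}, "192.168.0.101": {(22, "tcp")}}

if __name__ == "__main__":
    for ip, extra in unexpected_open_ports(parse_nmap_output(SAMPLE_OUTPUT), BASELINE).items():
        print(ip, "exposes unexpected services:", extra)
```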

5. Scan multiple servers using the last byte of the IP address

You can scan several IP addresses simply by listing the last byte of each. For example, in the run below I scanned 192.168.0.101, 192.168.0.102 and 192.168.0.103.

  [root@server1 ~]# nmap 192.168.0.101,102,103
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
  You have new mail in /var/spool/mail/root

6. Scan a list of hosts from a file

If you have many hosts to scan and all of them are listed in a file, you can let nmap read that file directly and scan them. Let's see how to do that.

Create a text file named "nmaptest.txt" and list the IP addresses or hostnames of all the servers you want to scan.

  [root@server1 ~]# cat > nmaptest.txt
  localhost
  server2.tecmint.com
  192.168.0.101

Next, run nmap with the "-iL" option to scan every address listed in the file.

  [root@server1 ~]# nmap -iL nmaptest.txt
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
  Interesting ports on localhost.localdomain (127.0.0.1):
  Not shown: 1675 closed ports
  PORT    STATE SERVICE
  22/tcp  open  ssh
  25/tcp  open  smtp
  111/tcp open  rpcbind
  631/tcp open  ipp
  857/tcp open  unknown
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  958/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  958/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds

7. Scan an IP address range

You can specify an IP range when running an nmap scan.

  [root@server1 ~]# nmap 192.168.0.101-110
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds

8. Exclude some remote hosts from the scan

When scanning a whole network or using a wildcard, you can use the "--exclude" option to leave out hosts you don't want to scan.

  [root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
  You have new mail in /var/spool/mail/root

9. Scan for OS information and traceroute

With Nmap you can detect the operating system and version running on a remote host. To enable OS and version detection, script scanning and traceroute in one go, use Nmap's "-A" option.

  [root@server1 ~]# nmap -A 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
  80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
  111/tcp  open  rpcbind 2 (rpc #100000)
  957/tcp  open  status  1 (rpc #100024)
  3306/tcp open  mysql   MySQL (unauthorized)
  8888/tcp open  http    lighttpd 1.4.32
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
  TCP/IP fingerprint:
  SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
  TSeq(Class=TR%IPID=Z%TS=1000HZ)
  T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
  T2(Resp=N)
  T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
  T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
  Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)
  Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds

As you can see from the output above, Nmap prints the TCP/IP fingerprint of the remote host's operating system and gives more specific information about the ports and services on the remote host.

10. Enable Nmap's OS detection

The "-O" and "--osscan-guess" options also help to discover OS information.

  [root@server1 ~]# nmap -O server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
  TCP/IP fingerprint:
  SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
  TSeq(Class=TR%IPID=Z%TS=1000HZ)
  T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
  T2(Resp=N)
  T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
  T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
  T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
  PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
  Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)
  Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
  You have new mail in /var/spool/mail/root

11. Scan a host to detect a firewall

The following command scans the remote host to detect whether it is behind a packet filter or firewall. An ACK scan ("-sA") never reports ports as open; it only classifies them as filtered or unfiltered, which is why the output below says every port is UNfiltered on this firewall-less test host.

  [root@server1 ~]# nmap -sA 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
  All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
  You have new mail in /var/spool/mail/root

12. Scan a host to check whether it is protected by a firewall

Scan the host to check whether it is protected by packet-filtering software or a firewall. The "-PN" option skips host discovery and treats the target as up, so the port scan runs even when the host does not answer pings.

  [root@server1 ~]# nmap -PN 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds

13. Find live hosts on a network

With the "-sP" option we can simply check which hosts on the network are up; this option skips port scanning and the other probes.

  [root@server1 ~]# nmap -sP 192.168.0.*
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
  Host server1.tecmint.com (192.168.0.100) appears to be up.
  Host server2.tecmint.com (192.168.0.101) appears to be up.
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds

14. Perform a fast scan

You can use the "-F" option to perform a fast scan that only probes the ports listed in the nmap-services file and skips all the others.

  [root@server1 ~]# nmap -F 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1234 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds

15. Check the Nmap version

You can use the "-V" option to check which version of Nmap is installed on your machine.

  [root@server1 ~]# nmap -V
  Nmap version 4.11 ( http://www.insecure.org/nmap/ )
  You have new mail in /var/spool/mail/root

16. Scan ports sequentially

The "-r" option tells nmap not to randomize the order in which ports are scanned.

  [root@server1 ~]# nmap -r 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds

17. Print host interfaces and routes

You can use nmap's "--iflist" option to list the host's interfaces and routing information.

  [root@server1 ~]# nmap --iflist
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
  ************************INTERFACES************************
  DEV  (SHORT) IP/MASK          TYPE     UP MAC
  lo   (lo)    127.0.0.1/8      loopback up
  eth0 (eth0)  192.168.0.100/24 ethernet up 08:00:27:11:C7:89
  **************************ROUTES**************************
  DST/MASK      DEV  GATEWAY
  192.168.0.0/0 eth0
  169.254.0.0/0 eth0

As you can see from the output above, nmap lists the interfaces on your system together with their routes.

18. Scan specific ports

Nmap has various options for scanning ports on a remote machine. You can use the "-p" option to specify the ports you want to scan; by default nmap only scans TCP ports.

  [root@server1 ~]# nmap -p 80 server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT   STATE SERVICE
  80/tcp open  http
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) sca

19. Scan TCP ports

You can specify both the port type and the port numbers for nmap to scan.

  [root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT     STATE SERVICE
  80/tcp   open  http
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

20. Scan UDP ports

Use the "-sU" scan type together with "-p" to scan a UDP port; without "-p", a bare port number would be read as a target rather than a port.

  [root@server1 ~]# nmap -sU -p 53 server2.tecmint.com
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT     STATE SERVICE
  53/udp   open  http
  8888/udp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

21. Scan multiple ports

You can also use the "-p" option to scan several ports at once.

  [root@server1 ~]# nmap -p 80,443 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT    STATE  SERVICE
  80/tcp  open   http
  443/tcp closed https
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

22. Scan a range of ports

You can use a range expression to scan all the ports within a range.

  [root@server1 ~]# nmap -p 80-160 192.168.0.101
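An added example that is not part of the original article: a Python expansion of the "-p" port specifications used in examples 18 to 22 (single ports, comma lists, ranges and the T:/U: protocol prefixes), together with the inverse that compresses an allowlist back into the shortest "-p" argument for a follow-up scan. It assumes the usual 1-65535 port bound and that a T:/U: prefix stays in effect until the next prefix, as in nmap's own "T:22,80-82,U:53,161" syntax.

```python
# Assumptions of this helper: ports are limited to 1-65535, and an uppercase
# T:/U: prefix applies to every following element until the next prefix.
MAX_PORT = 65535


def parse_port_spec(spec, default_proto="tcp"):
    """Expand an nmap -p specification into {"tcp": [...], "udp": [...]}."""
    ports = {"tcp": set(), "udp": set()}
    proto = default_proto  # nmap scans TCP unless told otherwise (example 18)
    for item in spec.split(","):
        item = item.strip()
        if item[:2] in ("T:", "U:"):
            proto = "tcp" if item[0] == "T" else "udp"
            item = item[2:]
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
        else:
            low = high = int(item)  # int() raises ValueError on junk or an empty element
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError("bad port or range %r in %r" % (item, spec))
        ports[proto].update(range(low, high + 1))
    return {p: sorted(v) for p, v in ports.items()}


def compress_ports(ports):
    """Inverse: turn any iterable of ports into the shortest -p list, e.g. 22,80-82."""
    p, out, i = sorted(set(ports)), [], 0
    while i < len(p):
        j = i
        while j + 1 < len(p) and p[j + 1] == p[j] + 1:  # extend the run while consecutive
            j += 1
        out.append(str(p[i]) if i == j else "%d-%d" % (p[i], p[j]))
        i = j + 1
    return ",".join(out)


def port_spec_for_allowlist(allowed):
    """Build the -p argument that re-checks exactly an allowlist of (port, proto)
    pairs, e.g. {(22, "tcp"), (80, "tcp"), (53, "udp")} -> 'T:22,80,U:53'."""
    tcp = compress_ports(p for p, proto in allowed if proto == "tcp")
    udp = compress_ports(p for p, proto in allowed if proto == "udp")
    parts = []
    if tcp:
        parts.append("T:" + tcp)
    if udp:
        parts.append("U:" + udp)
    return ",".join(parts)
```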

23. Find service versions on a host

We can use the "-sV" option to find the versions of the services running on the remote host.

  [root@server1 ~]# nmap -sV 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE VERSION
  22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
  80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
  111/tcp  open  rpcbind 2 (rpc #100000)
  957/tcp  open  status  1 (rpc #100024)
  3306/tcp open  mysql   MySQL (unauthorized)
  8888/tcp open  http    lighttpd 1.4.32
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds

24. Scan a remote host using TCP ACK (PA) and TCP SYN (PS)

Sometimes a packet-filtering firewall blocks standard ICMP ping requests. In that case we can use the TCP ACK and TCP SYN methods to scan the remote host.

  [root@server1 ~]# nmap -PS 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds
  You have new mail in /var/spool/mail/root

25. Scan specific ports on a remote host using TCP ACK

  [root@server1 ~]# nmap -PA -p 22,80 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds
  You have new mail in /var/spool/mail/root

26. Scan specific ports on a remote host using TCP SYN

  [root@server1 ~]# nmap -PS -p 22,80 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds
  You have new mail in /var/spool/mail/root

27. Perform a stealth (SYN) scan

  [root@server1 ~]# nmap -sS 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
  You have new mail in /var/spool/mail/root

28. Scan the most commonly used ports with a TCP connect scan (-sT)

  [root@server1 ~]# nmap -sT 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:12 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  111/tcp  open  rpcbind
  957/tcp  open  unknown
  3306/tcp open  mysql
  8888/tcp open  sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 0.406 seconds
  You have new mail in /var/spool/mail/root

29. Perform a TCP NULL scan to fool a firewall

A NULL scan ("-sN") sends TCP packets with no flags set. An open port and a filtered port both stay silent, so nmap can only report such ports as open|filtered, as the output below shows.

  [root@server1 ~]# nmap -sN 192.168.0.101
  Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
  Interesting ports on server2.tecmint.com (192.168.0.101):
  Not shown: 1674 closed ports
  PORT     STATE         SERVICE
  22/tcp   open|filtered ssh
  80/tcp   open|filtered http
  111/tcp  open|filtered rpcbind
  957/tcp  open|filtered unknown
  3306/tcp open|filtered mysql
  8888/tcp open|filtered sun-answerbook
  MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
  Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
  You have new mail in /var/spool/mail/root

That covers the basics of Nmap. I will bring more creative Nmap options in part two. Until then, stay tuned and don't forget to share your valuable feedback.
