1. Scan Types
    1. -sI <zombie host[:probeport]> Idle Scan (bounces probes off a zombie's predictable IP ID sequence; the target never sees the scanner's address)
    2. -sL List Scan (lists targets and does reverse DNS only; sends nothing to the targets)
    3. -sO IP Protocol Scan
    4. -sP Ping Scan (host discovery only, no port scan; written -sn in newer releases)
    5. -sR RPC Scan (now folded into -sV)
    6. -sU UDP Scan
    7. -b <ftp relay host> FTP Bounce Scan
    8. TCP Scan
      1. -sT TCP Connect Scan (default when running without raw-packet privileges; completes the handshake, so it is logged by the service)
      2. -sM TCP Maimon Scan (FIN/ACK)
      3. -sW TCP Window Scan
      4. -sA TCP ACK Scan (maps firewall rules; reports only filtered/unfiltered, never open)
      5. -sS TCP SYN Scan (default when running as root/admin; half-open, never completes the handshake)
      6. -sN TCP Null Scan (no flags set)
      7. -sF TCP FIN Scan
      8. -sX TCP XMAS Scan (FIN, PSH and URG set)
  2. Scan Options
    1. -p <port range>
    2. --scanflags <TCP flags>
    3. -F Fast Scan (only the 100 most common ports instead of the default 1000)
    4. -r Scan ports consecutively instead of in random order
    5. -e <interface>
  3. Ping Options (host discovery)
    1. -R DNS resolution for all targets (even hosts that are down)
    2. -n No DNS resolution
    3. --system-dns Use the OS resolver instead of Nmap's own parallel resolver
    4. -PN No ping (treat every host as up and scan it; written -Pn in newer releases)
    5. -PO [protocol list] IP Protocol Ping
    6. -PU [port list] UDP discovery probes to given ports (default: port 40125)
    7. -PR ARP Ping (used automatically on a local Ethernet segment)
    8. ICMP Ping
      1. -PE ICMP echo request discovery probes
      2. -PM ICMP Netmask request discovery probes
      3. -PP ICMP timestamp request discovery probes
    9. TCP Ping
      1. -PS [port list] TCP SYN discovery probes to given ports (default: port 80)
      2. -PA [port list] TCP ACK discovery probes to given ports (default: port 80)
  4. MISC
    1. Other Options
      1. -6 Enable IPv6
      2. --datadir custom NMAP data dir
      3. --send-eth Use raw ethernet sending
      4. --send-ip Send at raw IP level
      5. --privileged Assume the user is fully privileged (root/admin); --unprivileged is the opposite
      6. --interactive Interactive mode (removed in newer releases)
      7. -V Print version number
      8. -h Help
    2. Evade firewall/IDS/IPS
      1. -f Fragment IP packets into 8-byte pieces (-ff for 16) / --mtu <val> Use the specified MTU (must be a multiple of 8)
      2. -D decoy1[,decoy2][,ME][,...] Cloak the scan with decoy source addresses (ME marks the real scanner's position)
      3. -S <spoof source IP> Spoof the source address (replies go to that address, so normally combine with -e and -Pn)
      4. --data-length <val> Append random data to sent packets
      5. -g/--source-port <port number> Use the given source port (abuses firewalls that trust e.g. 53 or 20)
      6. --ttl <val> Set the IPv4 TTL field in sent packets
      7. --randomize-hosts Scan targets in random order
      8. --spoof-mac <MAC/prefix/vendor name> Spoof the source MAC address
  5. Timing
    1. -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
      1. -T0 Paranoid: serial, 5 min wait between probes (to evade IDS alerts)
      2. -T1 Sneaky: serial, 15 sec wait between probes (to evade IDS alerts)
      3. -T2 Polite: serial, 0.4 sec wait between probes
      4. -T3 Normal: parallel scan (the default)
      5. -T4 Aggressive: assumes a fast, reliable network; never waits more than 1.25 sec for a probe response
      6. -T5 Insane: never waits more than 0.3 sec for a probe response, 15 min per-host timeout; may miss results
      7. --scan-delay <time> Wait this long between probes (evade IDS/IPS or rate limits) / --max-scan-delay <time> Cap on how far Nmap may grow the delay when a host rate-limits
    2. --initial-rtt-timeout <time> (default 1000 ms) / --min-rtt-timeout <time> (default 100 ms) / --max-rtt-timeout <time> (default 10000 ms); times without a unit are milliseconds
    3. --host-timeout <time> Give up on a target after this long
    4. --min-hostgroup <numhosts> / --max-hostgroup <numhosts> Size of the groups of hosts scanned in parallel
    5. --min-parallelism <numprobes> / --max-parallelism <numprobes> Number of probes outstanding at once
  6. Input Options
    1. --excludefile <filename> Skip the hosts/networks listed in the file
    2. --exclude <host1[,host2]...>
    3. -iR <num hosts> Choose NUM random Internet targets (0 means never-ending)
    4. -iL [filename] Input from list
  7. OS detection
    1. -A Aggressive scan: OS detection, version detection, script scanning and traceroute together
    2. -O OS detection
    3. --osscan-guess/--fuzzy Guess more aggressively when no exact fingerprint match is found
    4. --osscan-limit Only fingerprint hosts with at least one open and one closed TCP port
  8. Service/Version Detection
    1. -sV Version/Service Info Scanning
    2. --version-intensity <level> set from 0(light) to 9(try all probes)
    3. --version-light Limit to most likely probes (intensity 2)
    4. --version-all Try every single probe (intensity 9)
    5. --version-trace Show detailed version scan activity (for debugging)
    6. --allports Don't exclude any ports from version detection (by default 9100/tcp is skipped because some printers print whatever they receive)
  9. Output Options
    1. Output Layout
      1. -oS Script kiddie (leet-speak output; a joke format)
      2. -oX XML (the format to parse programmatically)
      3. -oN Normal
      4. -oA <basename> All three major formats (normal, XML, grepable) at once
      5. -oG Grepable (one line per host; deprecated in favour of XML but still handy with grep/awk)
    2. Detail and Debug
      1. -d debug 1-9
      2. --packet-trace Show all packets sent and received
      3. --iflist interface list
      4. -v verbose output
    3. Other
      1. --stylesheet <path/URL> XSL stylesheet to reference from the XML output
      2. --resume <filename> Resume an aborted scan from its normal or grepable output file
      3. --append-output Append to rather than overwrite the output files
      4. --no-stylesheet Do not reference any XSL stylesheet in the XML output
  10. The 6 port states Nmap recognizes
    1. open (an application is accepting connections/datagrams on the port)
    2. closed (the port is reachable but nothing is listening; a RST or ICMP port unreachable came back)
    3. filtered (a firewall or filter dropped the probe, so Nmap cannot tell whether it is open)
    4. unfiltered (the port is reachable but Nmap cannot tell whether it is open or closed; only the ACK scan reports this)
    5. open|filtered (no response, so Nmap cannot distinguish open from filtered; typical of UDP, Null, FIN and XMAS scans)
    6. closed|filtered (Nmap cannot distinguish closed from filtered; only the Idle scan reports this)
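The grepable (-oG) format from the Output Options section is the easiest one to post-process with a script, and the six port states above are exactly what such a script has to recognise. The parser below is an added example, not part of the original cheat sheet or of Nmap itself: it reads -oG text, turns each port entry into a record, tallies the states, and lists ports that are definitely open rather than merely open|filtered. The sample text it ships with is constructed by hand to look like the output of `nmap -sS -sU -sV -oG -` against two hosts (the addresses, hostnames and service banners are invented); replace it with the contents of a real -oG file.

```python
"""Parse Nmap grepable (-oG) output and tally the six port states.

Added example, not part of the original cheat sheet or of Nmap itself.
The input below is constructed by hand to look like -oG output from a
scan of two hosts; replace it with the contents of a real -oG file.
"""
import re
from collections import Counter

# Constructed sample: what `nmap -sS -sU -sV -oG -` prints for two hosts.
# Fields on a line are tab separated; "Ignored State" is the state Nmap
# collapsed for the ports it does not list individually.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -sV -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2 (protocol 2.0)/, 80/open/tcp//http//nginx 1.24.0/, 443/closed/tcp//https///, 53/open|filtered/udp//domain///, 8080/filtered/tcp//http-proxy///\tIgnored State: filtered (995)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 25/unfiltered/tcp//smtp///, 161/closed|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:01:00 2024 -- 2 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

# The six states from the cheat sheet; anything else means the parser is
# looking at something that is not a port entry.
PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}

# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and
# entries are comma separated, but version strings may themselves contain
# commas, so split only where a new "<digits>/" entry begins.
_ENTRY_SPLIT = re.compile(r",\s+(?=\d+/)")


def parse_grepable(text):
    """Return one dict per reported port: host, port, proto, state, service, version."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # "# Nmap ..." header and footer comment lines
        fields = dict(
            part.split(": ", 1) for part in line.split("\t") if ": " in part
        )
        if "Ports" not in fields:
            continue  # a "Status: Up/Down" line carries no port list
        host = fields["Host"].split(" ", 1)[0]  # drop the "(rdns-name)" part
        for entry in _ENTRY_SPLIT.split(fields["Ports"]):
            parts = entry.split("/")
            if len(parts) < 7:
                raise ValueError("malformed port entry: %r" % entry)
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state not in PORT_STATES:
                raise ValueError("unknown port state %r on %s" % (state, host))
            records.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service,
                            "version": version})
    return records


def state_counts(records):
    """Tally how many listed ports ended in each of the six states."""
    return Counter(r["state"] for r in records)


def open_services(records):
    """(host, port, proto, service) for ports that are definitely open."""
    return [(r["host"], r["port"], r["proto"], r["service"])
            for r in records if r["state"] == "open"]


if __name__ == "__main__":
    recs = parse_grepable(SAMPLE_GREPABLE)
    for state, n in sorted(state_counts(recs).items()):
        print("%-16s %d" % (state, n))
    for host, port, proto, svc in open_services(recs):
        print("open: %s %d/%s %s" % (host, port, proto, svc))
```

The entry splitter deliberately keys on the next `<port>/` rather than on every comma, because `-sV` banners are free text. Note that only ports Nmap lists individually are counted; the hundreds of ports summarised as "Ignored State" would have to be added separately if you need totals per state.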