Nmap参数中英文对照

共计 10457 个字符，预计需要花费 27 分钟才能阅读完成。

实验平台

Windows
Linux

参考手册

命令详解

终端输入 nmap -h，查看帮助文档

Nmap 7.80 (https://nmap.org)
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

对照翻译如下

目标说明

参数	英文	中文
-iL <inputfilename>	Input from list of hosts/networks	从文件中读取待检测的目标
-iR <num hosts>	Choose random targets	随机选择目标, 如果 -iR 指定为 0, 则无休止的扫描
–exclude <host1[,host2][,host3],…>	Exclude hosts/networks	排除主机 / 网络
–excludefile <exclude_file>	Exclude list from file	排除文件中的列表

主机发现

参数	英文	中文
-sL	List Scan – simply list targets to scan	列表扫描，只扫描 IP 数目，不进行其他扫描
-sn	Ping Scan – disable port scan	Ping 扫描，
-Pn	Treat all hosts as online — skip host discovery	将所有主机视为联机 - 跳过主机发现，不检测主机存活
-PS/PA/PU/PY[portlist]	TCP SYN/ACK, UDP or SCTP discovery to given ports	TCP SYN Ping / TCP ACK Ping / UDP Ping 发现
-PE/PP/PM	ICMP echo, timestamp, and netmask request discovery probes	使用 ICMP echo, timestamp and netmask 请求包发现主机
-PO[protocol list]	IP Protocol Ping	使用 IP 协议包探测对方主机是否开启
-n/-R	Never do DNS resolution/Always resolve [default: sometimes]	不对 IP 进行域名反向解析 / 为所有目标 IP 进行反向域名解析
–dns-servers <serv1[,serv2],…>	Specify custom DNS servers	指定自定义 DNS 服务器
–system-dns	Use OS’s DNS resolver	使用系统域名解析器
–tracerout	Trace hop path to each host	跟踪到每个主机的跃点路径

扫描技术

参数	英文	中文
-sS/sT/sA/sW/sM	TCP SYN/Connect()/ACK/ Window/Maimon scans	TCP SYN/ TCP connect()/ACK/ TCP 窗口扫描 /TCP Maimon 扫描
-sU	UDP Scan	UDP 扫描
-sN/sF/sX	TCP Null, FIN, and Xmas scans	TCP Null，FIN，and Xmas 扫描
–scanflags <flags>	Customize TCP scan flags	定制的 TCP 扫描
-sI<zombie host[:probeport]>	Idle scan	空闲扫描
-sY/sZ	SCTP INIT/COOKIE-ECHO scans	SCTP INIT/COOKIE-ECHO 扫描
-sO	IP protocol scan	IP 协议扫描
-b	FTP bounce scan	FTP 弹跳扫描

端口说明和扫描顺序

参数	英文	中文
-p <port ranges>	Only scan specified ports	只扫描指定的端口
–exclude-ports <port ranges>	Exclude the specified ports from scanning	从扫描中排除指定的端口
-F	Fast mode – Scan fewer ports than the default scan	快速 (有限的端口) 扫描
-r	Scan ports consecutively – don’t randomize	不要按随机顺序扫描端口
–top-ports <number>	Scan most common ports	扫描常见端口
–port-ratio<ratio>	Scan ports more common than <ratio>	扫描常用端口中比重较高的端口

服务和版本探测

参数	英文	中文
-sV	Probe open ports to determine service/version info	探测打开的端口以确定服务 / 版本信息
–version-intensity <level>	Set from 0 (light) to 9 (try all probes)	设置版本扫描强度
–version-light	Limit to most likely probes (intensity 2)	打开轻量级模式
–version-all	Try every single probe (intensity 9)	尝试每个探测
–version-trace	Show detailed version scan activity (for debugging)	跟踪版本扫描活动

脚本扫描

参数	英文	中文
-sC	equivalent to –script=default	根据端口识别的服务, 调用默认脚本, 等效于 –script = default
–script=<Lua scripts>	<Lua scripts>is a comma separated list of directories, script-files or script-categories	调用的脚本名
–script-args=<n1=v1,[n2=v2,…>	provide arguments to scripts	调用的脚本传递的参数
–script-args-file=filename	provide NSE script args in a file	使用文本传递参数
–script-trace	Show all data sent and received	显示所有发送和接收到的数据
–script-updatedb	Update the script database	更新脚本的数据库
–script-help=<Lua scripts>	Show help about scripts.<Lua script> is a comma-separated list of script-files or script-categories.	显示指定 Lua 脚本的帮助

操作系统探测

参数	英文	中文
-O	Enable OS detection	启用操作系统检测
–osscan-limit	Limit OS detection to promising targets	针对指定的目标进行操作系统检测
–osscan-guess	Guess OS more aggressively	推测操作系统检测结果

时间与性能

参数	英文	中文
-T<0-5>	Set timing template (higher is faster)	设置时间模板 (越高越快)
–min-hostgroup/max-hostgroup <size>	Parallel host scan group sizes	调整并行扫描组的大小
–min-parallelism/max-parallelism<numprobes>	Probe parallelization	调整探测报文的并行度
–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>	Specifies probe round trip time	调整探测报文超时
–max-retries	Caps number of port scan probe retransmissions	端口扫描探针重传的最大次数
–host-timeout	Give up on target after this long	放弃低速目标主机
–scan-delay/–max-scan-delay <time>	Adjust delay between probes	调整探测报文的时间间隔
–min-rate <number>	Send packets no slower than per second	每秒发送的数据包不低于指定数字
–max-rate <number>	Send packets no faster than per second	每秒发送的数据包的速度不超过指定数字

防火墙 / IDS 逃避和欺骗

参数	英文	中文
-f; –mtu <val>	fragment packets (optionally w/given MTU)	使用指定的 MTU
-D <decoy1,decoy2[,ME],…>	Cloak a scan with decoys	使用诱饵隐蔽扫描
-S <IP_Address>	Spoof source address	源地址欺骗
-e <iface>	Use specified interface	使用指定的接口
-g/–source-port <portnum>	Use given port number	使用指定源端口
–proxies <url1,[url2],…>	Relay connections through HTTP/SOCKS4 proxies	通过 HTTP / SOCKS4 代理中继连接
–data <hex string>	Append a custom payload to sent packets	向发送的数据包附加自定义有效载荷
–data-string <string>	Append a custom ASCII string to sent packets	将自定义 ASCII 字符串附加到已发送的数据包
–data-length <num>	Append random data to sent packets	发送报文时附加随机数据
–ip-options <options>	Send packets with specified ip options	发送具有指定 IP 选项的数据包
–ttl <val>	Set IP time-to-live field	设置 IP time-to-live 域
–spoof-mac <mac address/prefix/vendor name>	Spoof your MAC address	MAC 地址欺骗
–badsum	Send packets with a bogus TCP/UDP/SCTP checksum	发送带有虚假 TCP / UDP / SCTP 校验和的数据包

Nmap 输出

参数	英文	中文
-oN/-oX/-oS/-oG <file>	Output scan in normal, XML, s\|<rIpt kIddi3, and Grepable format, respectively, to the given filename	将标准输出直接写入指定的文件 / 输出 xml 文件 / 输出改为大写 / 输出通过 bash 或者 perl 处理的格式
-oA <basename>	Output in the three major formats at once	输出至所有格式
-v	Increase verbosity level (use -vv or more for greater effect)	提高输出信息的详细度
-d	Increase debugging level (use -dd or more for greater effect)	提高或设置调试级别
–reason	Display the reason a port is in a particular state	显示端口处于带确认状态的原因
–open	Only show open (or possibly open) ports	只输出端口状态为 open 的端口
–packet-trace	Show all packets sent and received	跟踪发送和接收的报文
–iflist	Print host interfaces and routes (for debugging)	列举接口和路由
–append-output	Append to rather than clobber specified output files	在输出文件中添加
–resume <filename>	Resume an aborted scan	继续中断的扫描
–stylesheet <path/URL>	XSL stylesheet to transform XML output to HTML	设置 XSL 样式表，转换 XML 输出
–webxml	Reference stylesheet from Nmap.Org for more portable XML	从 namp.org 得到 XML 的样式
–no-stylesheet	Prevent associating of XSL stylesheet w/XML output	忽略 XML 声明的 XSL 样式表

其它选项

参数	英文	中文
-6	Enable IPv6 scanning	启用 IPv6 扫描
-A	Enable OS detection, version detection, script scanning, and traceroute	OS 识别, 版本探测, 脚本扫描和 traceroute
–datadir <dirname>	Specify custom Nmap data file location	说明用户 Nmap 数据文件位置
–send-eth/–send-ip	Send using raw ethernet frames or IP packets	使用原以太网帧发送 / 在原 IP 层发送
–privileged	Assume that the user is fully privileged	假定用户具有全部权限
–unprivileged	Assume the user lacks raw socket privileges	假定用户不具有全部权限
-V	Print version number	打印版本信息
-h	Print this help summary page	打印帮助摘要面