1、nmap簡單掃描
nmap預設傳送一個ARP的PING資料包，來探測目標主機1-10000範圍內所開放的所有埠
命令語法： 
nmap <target ip address>
其中：target ip address是掃描的目標主機的ip地址
例子:nmap 173.22.90.10
[root@docker-node4 ~]# nmap 173.22.90.10
PORT    STATE SERVICE
22/tcp  open  ssh 
80/tcp  open  http
111/tcp open  rpcbind
掃描出開放的埠

2、nmap簡單掃描，並對結果返回詳細的描述輸出
命令語法：namp 
 
-vv <target ip address>
介紹：-vv引數設定對結果的詳細輸出
例子：nmap -vv    173.22.90.10
效果如下：
[root@docker-node4 ~]# nmap -vv 173.22.90.10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 04:48 CST
Initiating ARP Ping Scan at 04:48
Scanning 173.22.90.10 [1 port]
Completed ARP Ping Scan at 04:48, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 
 
1 host. at 04:48
Completed Parallel DNS resolution of 1 host. at 04:48, 6.53s elapsed
Initiating SYN Stealth Scan at 04:48
Scanning 173-22-90-10.client.mchsi.com (173.22.90.10) [1000 ports]
Discovered open port 111/tcp on 173.22.90.10
Discovered open port 80/tcp on 173.22.90.10
Discovered open port 22/tcp on 173.22.90.10
 

3、nmap自定義掃描
命令語法：nmap -p(range) <target IP>
介紹：（range）為要掃描的埠範圍，埠大小不能超過65535
例子：掃描目標主機的20-120號埠
 nmap -p20-120 173.22.90.10

5、nmap ping 掃描
nmap可以利用類似windows/linux系統下的ping 方式進行掃描
命令語法： nmap -sP <target ip>
例子：nmap sP 10.1.112.89
[root@docker-node4 ~]# nmap -sP 173.22.90.10  掃描存活的主機,這個機器存活
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:00 CST
Nmap scan report for 173-22-90-10.client.mchsi.com (173.22.90.10)
Host is up (0.00048s latency).
MAC Address: 00:0C:29:CF:A7:30 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds

[root@docker-node4 ~]# nmap -sP 173.22.90.16  
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:00 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.43 seconds
這個就是顯示不是存活狀態的主機,沒有ping成功

6、nmap 路由跟蹤
路由器追蹤功能，能夠幫助網路管理員瞭解網路通行情況，同時也是網路管理人員很好的輔助工具，通過路由器追蹤可以輕鬆的查處從我們電腦所在地到目的地之間所經常的網路節點，並可以看到通過各個結點所花費的時間
命令語法： 
nmap –traceroute <target IP>
例子:namp –traceroute 8.8.8.8(geogle dns伺服器ip)
[root@docker-node4 ~]# nmap --traceroute 8.8.8.8
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:04 CST
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.045s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   2.77 ms  192.168.1.1
2   5.63 ms  113.45.32.1
3   6.26 ms  124.205.97.50
4   6.31 ms  124.205.97.50
5   6.41 ms  218.241.165.41
6   8.75 ms  124.205.98.41
7   6.52 ms  202.99.1.173
8   6.58 ms  218.241.244.98

7、nmap設定掃描一個網段下的ip
命令語法： 
nmap -sP <network address> </CIDR>
介紹：CIDR為設定的子網掩碼（/24,/16,/8等）
例子：nmap -sP 10.1.1.0 /24
[root@docker-node4 ~]# nmap -sP 192.168.1.1 /24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:11 CST
Failed to resolve "".
Nmap scan report for 192.168.1.1
Host is up (0.0061s latency).
MAC Address: B0:95:8E:5F:98:85 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds

8、nmap 作業系統型別的探測
命令語法： 
nmap -0 <target IP>
例子：nmap -O(大寫的o) 10.1.112.89
效果： 
[root@docker-node4 ~]#  nmap -O 192.168.1.103
Running (JUST GUESSING): AVtech embedded (87%), FreeBSD 6.X (86%), Microsoft Windows XP (85%)
掃描出是windows的系統
不過不準確我的這個是windows10的系統

9、nmap萬能開關
包含了1-10000埠ping掃描，作業系統掃描，指令碼掃描，路由跟蹤，服務探測
命令語法： 
nmap -A <target ip>
例子：nmap -A 10.1.112.89
[root@docker-node4 ~]#  nmap -A 192.168.1.105
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:23 CST
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 86.40% done; ETC: 05:24 (0:00:09 remaining)
Nmap scan report for 192.168.1.105
Host is up (0.064s latency).
All 1000 scanned ports on 192.168.1.105 are filtered
MAC Address: F4:D1:08:BE:1C:CA (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT      ADDRESS
1   63.61 ms 192.168.1.105
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.40 seconds

10、nmap命令混合式掃描
可以做到類似引數-A所完成的功能，但又能細化我們的需求要求
命令語法： 
nmap -vv -p1-100 -O <target ip>
例子： 
nmap -vv -p1-100 -O 10.1.112.89
[root@docker-node4 ~]#  nmap -vv -p1-100 -o 173.22.90.10
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:CF:A7:30 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=8/18%OT=22%CT=1%CU=39398%PV=N%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5D58714F%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%TS=A)

4、nmap 指定埠掃描
命令語法：nmap -p(port1,port2,…) <target IP>
介紹：port1,port2…為想要掃描的埠號
例子：掃描目標主機的80，22埠
[root@docker-node4 ~]# nmap -p22,80 173.22.90.10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 04:57 CST
Nmap scan report for 173-22-90-10.client.mchsi.com (173.22.90.10)
Host is up (0.00032s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:CF:A7:30 (VMware)