nmap

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Nmap Scan - Professional Network Reconnaissance

Nmap扫描 - 专业网络侦察

You are helping the user perform professional network reconnaissance and port scanning using nmap. This skill provides guidance for various scan types, output formats, and result analysis.

你将协助用户使用nmap执行专业的网络侦察和端口扫描。本技能提供多种扫描类型、输出格式以及结果分析的指导。

Output Directory

输出目录

Directory Structure

目录结构

bash

nmap-output/
├── nmap-portscan.nmap      # Initial fast port discovery
├── nmap-portscan.xml
├── nmap-portscan.gnmap
├── nmap-services.nmap      # Detailed service detection on open ports
├── nmap-services.xml
└── nmap-services.gnmap

IMPORTANT: Always save nmap output to an organized directory structure. By default, use

./nmap-output/

or specify a custom directory.

bash

nmap-output/
├── nmap-portscan.nmap      # 初始快速端口发现
├── nmap-portscan.xml
├── nmap-portscan.gnmap
├── nmap-services.nmap      # 针对开放端口的详细服务探测
├── nmap-services.xml
└── nmap-services.gnmap

重要提示：请始终将nmap的输出保存到结构化的目录中。默认使用

./nmap-output/

，也可以指定自定义目录。

Default Scanning Strategy

默认扫描策略

IMPORTANT: Unless the user explicitly requests a different scan type, ALWAYS use this two-phase approach:

重要提示：除非用户明确要求其他扫描类型，否则请始终使用以下两阶段扫描方法：

Phase 1: Fast Port Discovery (Root SYN Scan)

阶段1：快速端口发现（Root权限SYN扫描）

bash

sudo nmap -p- <target> -oA <output-dir>/nmap-portscan

Why sudo: Running as root enables fast SYN scan (-sS is implicit)
Why -p-: Scans all 65535 ports quickly
Duration: Typically 1-3 minutes for SYN scan
Output: List of all open ports

Host Down Detection: If the scan output contains "Note: Host seems down", automatically retry with:

bash

sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan

```
-Pn
```
: Skip host discovery, treat host as online
Use this when firewalls block ping probes

bash

sudo nmap -p- <target> -oA <output-dir>/nmap-portscan

为什么使用sudo：以root身份运行可启用快速SYN扫描（-sS为隐式参数）
为什么使用-p-：快速扫描全部65535个端口
耗时：SYN扫描通常需要1-3分钟
输出：所有开放端口的列表

主机不可达检测: 如果扫描输出中包含"Note: Host seems down"，请自动重试以下命令：

bash

sudo nmap -p- -Pn <target> -oA <output-dir>/nmap-portscan

```
-Pn
```
：跳过主机发现，将主机视为在线状态
当防火墙阻止ping探测时使用此参数

Phase 2: Targeted Service Detection

阶段2：针对性服务探测

After Phase 1 completes, parse the open ports and run:

bash

nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services

```
-p <OPEN_PORT_LIST>
```
: Only scan the ports found to be open (e.g.,
```
-p 23,80,443,554,8000
```
)
```
-sV
```
: Service version detection
```
-sC
```
: Run default NSE scripts for additional enumeration
Duration: Usually 1-3 minutes since only scanning known open ports

阶段1完成后，解析开放端口并运行以下命令：

bash

nmap -p <OPEN_PORT_LIST> -sV -sC <target> -oA <output-dir>/nmap-services

```
-p <OPEN_PORT_LIST>
```
：仅扫描已发现的开放端口（例如：
```
-p 23,80,443,554,8000
```
）
```
-sV
```
：服务版本探测
```
-sC
```
：运行默认NSE脚本以进行额外枚举
耗时：由于仅扫描已知开放端口，通常需要1-3分钟

Why This Strategy?

为什么选择此策略？

Speed: Fast SYN scan finds all open ports in 1-3 minutes
Thoroughness: Covers all 65535 ports, not just top 1000
Efficiency: Service detection only runs on confirmed open ports
Accuracy: Two-phase approach reduces false negatives

速度快：快速SYN扫描可在1-3分钟内找到所有开放端口
覆盖全面：覆盖全部65535个端口，而非仅前1000个常用端口
效率高：仅在确认开放的端口上运行服务探测
准确性高：两阶段方法减少误报

Parsing Open Ports

解析开放端口

After Phase 1, extract open ports using:

bash

undefined

阶段1完成后，使用以下命令提取开放端口：

bash

undefined

Extract open ports from .gnmap file

从.gnmap文件提取开放端口


Or parse from .nmap file:
```bash
grep "^[0-9]" <output-dir>/nmap-portscan.nmap | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'


或者从.nmap文件解析：
```bash
grep "^[0-9]" <output-dir>/nmap-portscan.nmap | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//'

Implementation Workflow

执行流程

When the nmap-scan skill is invoked:

Create output directory

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

Run Phase 1: Fast port discovery

bash

sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"

Check for "Host seems down" error

bash

if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then
    echo "Host appears down, retrying with -Pn flag..."
    sudo nmap -p- -Pn <target> -oA "$OUTPUT_DIR/nmap-portscan"
fi

Parse open ports from results

bash

OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

Run Phase 2: Service detection on open ports

bash

if [ -n "$OPEN_PORTS" ]; then
    nmap -p "$OPEN_PORTS" -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"
else
    echo "No open ports found, skipping service detection."
fi

Report results location

bash

echo "Scan complete. Results saved to: $OUTPUT_DIR"

当调用nmap-scan技能时：

创建输出目录

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

运行阶段1：快速端口发现

bash

sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"

检查"Host seems down"错误

bash

if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then
    echo "主机似乎不可达，使用-Pn参数重试..."
    sudo nmap -p- -Pn <target> -oA "$OUTPUT_DIR/nmap-portscan"
fi

从结果中解析开放端口

bash

OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

运行阶段2：针对开放端口的服务探测

bash

if [ -n "$OPEN_PORTS" ]; then
    nmap -p "$OPEN_PORTS" -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"
else
    echo "未发现开放端口，跳过服务探测。"
fi

报告结果位置

bash

echo "扫描完成。结果已保存至: $OUTPUT_DIR"

Scan Types

扫描类型

Quick Scan (Top 1000 Ports)

快速扫描（前1000个端口）

Use for initial reconnaissance or when time is limited:

bash

nmap -sV -sC <target> -oA <output-prefix>

```
-sV
```
: Service version detection
```
-sC
```
: Run default NSE scripts
```
-oA
```
: Output in all formats (normal, XML, grepable)
Scans top 1000 most common ports
Typical duration: 1-3 minutes

适用于初始侦察或时间有限的场景：

bash

nmap -sV -sC <target> -oA <output-prefix>

```
-sV
```
：服务版本探测
```
-sC
```
：运行默认NSE脚本
```
-oA
```
：生成所有格式的输出（普通格式、XML格式、可 grep 格式）
扫描前1000个最常用端口
典型耗时：1-3分钟

Comprehensive Scan (All Ports)

全面扫描（所有端口）

Use for thorough assessment when all ports must be checked:

bash

nmap -sV -sC -p- <target> -oA <output-prefix>

```
-p-
```
: Scan all 65535 ports
Significantly longer duration (5-30+ minutes depending on target)
Use only when comprehensive coverage is required

当需要检查所有端口以进行彻底评估时使用：

bash

nmap -sV -sC -p- <target> -oA <output-prefix>

```
-p-
```
：扫描全部65535个端口
耗时显著更长（根据目标不同，需要5-30+分钟）
仅在需要全面覆盖时使用

Stealth SYN Scan

隐蔽SYN扫描

Use when trying to avoid detection (requires root/sudo):

bash

sudo nmap -sS -sV -sC <target> -oA <output-prefix>

```
-sS
```
: SYN stealth scan (doesn't complete TCP handshake)
Less likely to be logged by target
Requires root privileges

当试图避免被检测时使用（需要root/sudo权限）：

bash

sudo nmap -sS -sV -sC <target> -oA <output-prefix>

```
-sS
```
：SYN隐蔽扫描（不完成TCP握手）
被目标记录的可能性较低
需要root权限

UDP Scan

UDP扫描

Use when UDP services need to be enumerated:

bash

sudo nmap -sU --top-ports 100 <target> -oA <output-prefix>

```
-sU
```
: UDP scan
```
--top-ports 100
```
: Scan top 100 UDP ports (UDP scanning is slow)
Common UDP services: DNS (53), SNMP (161), DHCP (67/68)
Very slow - use top-ports to limit scope

当需要枚举UDP服务时使用：

bash

sudo nmap -sU --top-ports 100 <target> -oA <output-prefix>

```
-sU
```
：UDP扫描
```
--top-ports 100
```
：扫描前100个UDP端口（UDP扫描速度较慢）
常见UDP服务：DNS(53)、SNMP(161)、DHCP(67/68)
速度非常慢 - 使用top-ports参数限制范围

Aggressive Scan

激进扫描

Use for maximum information gathering (noisy):

bash

nmap -A -T4 <target> -oA <output-prefix>

```
-A
```
: Enable OS detection, version detection, script scanning, traceroute
```
-T4
```
: Aggressive timing template (faster but more detectable)
Very noisy - will be detected by IDS/IPS
Use only with authorization

用于最大化信息收集（噪音大）：

bash

nmap -A -T4 <target> -oA <output-prefix>

```
-A
```
：启用操作系统探测、版本探测、脚本扫描和路由跟踪
```
-T4
```
：激进计时模板（速度更快但更容易被检测到）
噪音非常大 - 会被IDS/IPS检测到
仅在获得授权后使用

Vulnerability Scan

漏洞扫描

Use to check for known vulnerabilities:

bash

nmap -sV --script vuln <target> -oA <output-prefix>

```
--script vuln
```
: Run NSE vulnerability detection scripts
Checks for common CVEs and misconfigurations
Can be noisy and trigger alerts

用于检查已知漏洞：

bash

nmap -sV --script vuln <target> -oA <output-prefix>

```
--script vuln
```
：运行NSE漏洞检测脚本
检查常见CVE和配置错误
噪音大，可能触发警报

OS Detection

操作系统探测

Use to identify operating system:

bash

sudo nmap -O <target> -oA <output-prefix>

```
-O
```
: Enable OS detection
Requires root privileges
Uses TCP/IP stack fingerprinting

用于识别操作系统：

bash

sudo nmap -O <target> -oA <output-prefix>

```
-O
```
：启用操作系统探测
需要root权限
使用TCP/IP栈指纹识别技术

Alternative Scan Types

其他扫描类型

The following scan types are available if the user explicitly requests them instead of the default two-phase strategy:

如果用户明确要求替代默认两阶段策略，可使用以下扫描类型：

Quick Scan (Top 1000 Ports Only)

快速扫描（仅前1000个端口）

Use ONLY if user explicitly requests a quick/fast scan:

bash

nmap -sV -sC <target> -oA <output-dir>/nmap-quick

```
-sV
```
: Service version detection
```
-sC
```
: Run default NSE scripts
```
-oA
```
: Output in all formats (normal, XML, grepable)
Scans top 1000 most common ports ONLY
Typical duration: 1-3 minutes
Limitation: May miss services on non-standard ports

仅当用户明确要求快速扫描时使用：

bash

nmap -sV -sC <target> -oA <output-dir>/nmap-quick

```
-sV
```
：服务版本探测
```
-sC
```
：运行默认NSE脚本
```
-oA
```
：生成所有格式的输出（普通格式、XML格式、可 grep 格式）
仅扫描前1000个最常用端口
典型耗时：1-3分钟
局限性：可能会遗漏非标准端口上的服务

Scan Workflow

扫描流程

Default Workflow (Two-Phase Strategy)

默认流程（两阶段策略）

Phase 1: Port Discovery

Run fast SYN scan:

sudo nmap -p- <target> -oA <output-dir>/nmap-portscan

Check for "Host seems down" and retry with
```
-Pn
```
if needed
Wait for scan to complete (typically 1-3 minutes)

Phase 2: Service Detection 4. Parse open ports from Phase 1 results 5. Run targeted service detection:

nmap -p <OPEN_PORTS> -sV -sC <target> -oA <output-dir>/nmap-services

6. Wait for scan to complete (typically 1-3 minutes)

Phase 3: Analysis 7. Review the service detection results to determine:

What services are running?
What versions are detected?
Are there any interesting services (web, SSH, database, IoT protocols)?
Do NSE scripts reveal any issues?

阶段1：端口发现

运行快速SYN扫描：

sudo nmap -p- <target> -oA <output-dir>/nmap-portscan

检查是否出现"Host seems down"，如果需要则使用
```
-Pn
```
参数重试
等待扫描完成（通常1-3分钟）

阶段2：服务探测 4. 从阶段1的结果中解析开放端口 5. 运行针对性服务探测：

nmap -p <OPEN_PORTS> -sV -sC <target> -oA <output-dir>/nmap-services

6. 等待扫描完成（通常1-3分钟）

阶段3：分析 7. 查看服务探测结果以确定：

运行了哪些服务？
探测到的版本是什么？
是否存在有趣的服务（Web、SSH、数据库、IoT协议）？
NSE脚本是否发现了任何问题？

Additional Targeted Scans (Optional)

额外针对性扫描（可选）

Based on service detection results, run specialized scans:

If web services found (80, 443, 8080, etc.):

bash

nmap -p 80,443,8080,8443 --script http-* <target> -oA <output-dir>/nmap-web

If SSH found:

bash

nmap -p 22 --script ssh-* <target> -oA <output-dir>/nmap-ssh

If RTSP found (554):

bash

nmap -p 554 --script rtsp-* <target> -oA <output-dir>/nmap-rtsp

If ONVIF/camera suspected:

bash

nmap -p 80,554,8000,8080 --script http-methods,http-headers <target> -oA <output-dir>/nmap-onvif

根据服务探测结果，运行专门的扫描：

如果发现Web服务（80、443、8080等）:

bash

nmap -p 80,443,8080,8443 --script http-* <target> -oA <output-dir>/nmap-web

如果发现SSH:

bash

nmap -p 22 --script ssh-* <target> -oA <output-dir>/nmap-ssh

如果发现RTSP（554）:

bash

nmap -p 554 --script rtsp-* <target> -oA <output-dir>/nmap-rtsp

如果怀疑存在ONVIF/摄像头:

bash

nmap -p 80,554,8000,8080 --script http-methods,http-headers <target> -oA <output-dir>/nmap-onvif

Output Management

输出管理

Output Formats

输出格式

Always use

-oA <prefix>

to generate all three formats:

```
.nmap
```
- Normal human-readable format
```
.xml
```
- XML format for parsing/importing into tools
```
.gnmap
```
- Grepable format for command-line processing

始终使用

-oA <prefix>

参数生成以下三种格式的输出：

```
.nmap
```
- 人类可读的普通格式
```
.xml
```
- 用于解析/导入工具的XML格式
```
.gnmap
```
- 用于命令行处理的可 grep 格式

Timing and Performance

计时与性能

Timing Templates

计时模板

Use

-T<0-5>

to control scan speed:

```
-T0
```
(Paranoid): Extremely slow, for IDS evasion
```
-T1
```
(Sneaky): Very slow, for IDS evasion
```
-T2
```
(Polite): Slow, less bandwidth intensive
```
-T3
```
(Normal): Default, balanced speed
```
-T4
```
(Aggressive): Fast, recommended for modern networks
```
-T5
```
(Insane): Very fast, may miss results

Default: Use

-T3

or omit (default is T3) Fast scans: Use

-T4

when speed is important and network can handle it Stealth: Use

-T1

-T2

for evasion

使用

-T<0-5>

参数控制扫描速度：

```
-T0
```
（偏执模式）：极慢，用于规避IDS
```
-T1
```
（隐秘模式）：非常慢，用于规避IDS
```
-T2
```
（礼貌模式）：慢，带宽消耗低
```
-T3
```
（正常模式）：默认值，速度均衡
```
-T4
```
（激进模式）：快，推荐用于现代网络
```
-T5
```
（疯狂模式）：非常快，可能遗漏结果

默认：使用

-T3

或省略（默认值为T3） 快速扫描：当速度重要且网络可承受时使用

-T4

隐蔽扫描：使用

-T1

或

-T2

进行规避

Timeout Considerations

超时考虑

Phase 1 Port Discovery (sudo nmap -p-): 180-300 seconds timeout (3-5 minutes)
Phase 2 Service Detection (nmap -p <ports> -sV -sC): 120-180 seconds timeout (2-3 minutes)
UDP scan: 600+ seconds timeout (very slow)

阶段1端口发现（sudo nmap -p-）：180-300秒超时（3-5分钟）
阶段2服务探测（nmap -p <ports> -sV -sC）：120-180秒超时（2-3分钟）
UDP扫描：600+秒超时（非常慢）

Network Ranges

网络范围

Single Host

单个主机

bash

nmap <ip-address>

bash

nmap <ip-address>

CIDR Notation

CIDR表示法

bash

nmap 192.168.1.0/24

bash

nmap 192.168.1.0/24

IP Range

IP范围

bash

nmap 192.168.1.1-254

bash

nmap 192.168.1.1-254

Multiple Hosts

多个主机

bash

nmap 192.168.1.1 192.168.1.10 192.168.1.100

bash

nmap 192.168.1.1 192.168.1.10 192.168.1.100

Exclude Hosts

排除主机

bash

nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254

bash

nmap 192.168.1.0/24 --exclude 192.168.1.1,192.168.1.254

NSE Scripts

NSE脚本

Common Script Categories

常见脚本类别

bash

undefined

bash

undefined

Authentication scripts

认证脚本

nmap --script auth <target>

Brute force scripts

暴力破解脚本

nmap --script brute <target>

Default safe scripts

默认安全脚本

nmap -sC <target> # equivalent to --script default

nmap -sC <target> # 等同于--script default

Discovery scripts

发现脚本

nmap --script discovery <target>

Vulnerability scripts

漏洞脚本

nmap --script vuln <target>

All HTTP scripts

所有HTTP脚本

nmap --script "http-*" <target>

undefined

nmap --script "http-*" <target>

undefined

IoT-Specific Scripts

IoT专用脚本

bash

undefined

bash

undefined

RTSP enumeration

RTSP枚举

nmap -p 554 --script rtsp-methods,rtsp-url-brute <target>

UPnP discovery

UPnP发现

nmap -p 1900 --script upnp-info <target>

MQTT discovery

MQTT发现

nmap -p 1883,8883 --script mqtt-subscribe <target>

Modbus enumeration

Modbus枚举

nmap -p 502 --script modbus-discover <target>

undefined

nmap -p 502 --script modbus-discover <target>

undefined

Result Analysis

结果分析

Key Information to Extract

需要提取的关键信息

Open Ports and Services
- What ports are open?
- What services are running?
- What versions are detected?
Service Fingerprints
- Does version detection reveal outdated software?
- Are there known vulnerabilities for detected versions?
NSE Script Results
- Authentication issues?
- Information disclosure?
- Misconfigurations?
Operating System
- What OS is running?
- What OS version?

开放端口与服务
- 哪些端口是开放的？
- 运行了哪些服务？
- 探测到的版本是什么？
服务指纹
- 版本探测是否发现了过时的软件？
- 探测到的版本是否存在已知漏洞？
NSE脚本结果
- 是否存在认证问题？
- 是否存在信息泄露？
- 是否存在配置错误？
操作系统
- 运行的是什么操作系统？
- 操作系统版本是什么？

Parsing Nmap Output

解析Nmap输出

Extract open ports:

bash

grep "^[0-9]" nmap-output.nmap | grep "open"

Extract service versions:

bash

grep -E "^[0-9]+/tcp.*open" nmap-output.nmap

Check for vulnerabilities in NSE output:

bash

grep -i "vuln\|cve\|exploit" nmap-output.nmap

提取开放端口:

bash

grep "^[0-9]" nmap-output.nmap | grep "open"

提取服务版本:

bash

grep -E "^[0-9]+/tcp.*open" nmap-output.nmap

检查NSE输出中的漏洞:

bash

grep -i "vuln\|cve\|exploit" nmap-output.nmap

Common IoT Service Ports

常见IoT服务端口

When scanning IoT devices, pay special attention to:

Port	Service	Description
21	FTP	File transfer (often misconfigured)
22	SSH	Remote administration
23	Telnet	Insecure remote access
80	HTTP	Web interface
443	HTTPS	Secure web interface
554	RTSP	Video streaming
1883	MQTT	IoT messaging protocol
3702	WS-Discovery	ONVIF device discovery
5000	UPnP	Universal Plug and Play
8000	HTTP Alt	Alternative HTTP port
8080	HTTP Proxy	Alternative HTTP port
8883	MQTT/TLS	Secure MQTT

扫描IoT设备时，请特别关注以下端口：

端口	服务	描述
21	FTP	文件传输（通常配置不当）
22	SSH	远程管理
23	Telnet	不安全的远程访问
80	HTTP	Web界面
443	HTTPS	安全Web界面
554	RTSP	视频流
1883	MQTT	IoT消息协议
3702	WS-Discovery	ONVIF设备发现
5000	UPnP	通用即插即用
8000	HTTP Alt	备用HTTP端口
8080	HTTP Proxy	备用HTTP端口
8883	MQTT/TLS	安全MQTT

Best Practices

最佳实践

1. Always Save Output

1. 始终保存输出

Never run nmap without saving output:

bash

undefined

运行nmap时务必保存输出：

bash

undefined

GOOD

正确做法

nmap -p <ports> -sV -sC <target> -oA output/nmap-services

BAD

错误做法

nmap -sV -sC <target>

undefined

nmap -sV -sC <target>

undefined

2. Always Use Two-Phase Strategy

2. 始终使用两阶段策略

Always use the default two-phase strategy unless explicitly told otherwise:

bash

undefined

除非明确被告知，否则始终使用默认的两阶段策略：

bash

undefined

Phase 1: Fast port discovery

阶段1：快速端口发现

sudo nmap -p- <target> -oA nmap-portscan

Phase 2: Service detection on open ports

阶段2：针对开放端口的服务探测

nmap -p <OPEN_PORTS> -sV -sC <target> -oA nmap-services

undefined

nmap -p <OPEN_PORTS> -sV -sC <target> -oA nmap-services

undefined

3. Use Appropriate Timing

3. 使用合适的计时

Match timing to your needs:

bash

undefined

根据需求选择计时参数：

bash

undefined

Pentest with authorization: Fast

获得授权的渗透测试：快速扫描

nmap -sV -sC -T4 <target>

Red team/stealth: Slow

红队/隐蔽扫描：慢速扫描

nmap -sV -sC -T2 <target>

undefined

nmap -sV -sC -T2 <target>

undefined

4. Document Scan Parameters

4. 记录扫描参数

Always document:

What scan type was used?
What date/time was scan performed?
What were the scan results?
Any anomalies or errors?

始终记录以下信息：

使用了哪种扫描类型？
扫描的日期/时间？
扫描结果是什么？
是否存在任何异常或错误？

5. Respect Authorization

5. 遵守授权

Only scan systems you have permission to scan
Respect scope limitations
Be aware of scan impact on production systems
Use appropriate timing to avoid DoS

仅扫描你获得授权的系统
遵守范围限制
注意扫描对生产系统的影响
使用合适的计时以避免DoS

Integration with IoT Testing Workflow

与IoT测试流程的集成

For IoT Pentests

针对IoT渗透测试

Run default two-phase scan (port discovery + service detection)
Run wsdiscovery if ONVIF suspected based on open ports
Run onvifscan if port 80/554 open on camera
Run targeted HTTP scripts if web interface found

运行默认的两阶段扫描（端口发现 + 服务探测）
如果根据开放端口怀疑存在ONVIF设备，运行wsdiscovery
如果摄像头的80/554端口开放，运行onvifscan
如果发现Web界面，运行针对性的HTTP脚本

Output Directory Usage

输出目录使用

Always save to an organized output directory:

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

始终将结果保存到结构化的输出目录中：

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

Phase 1: Port discovery

阶段1：端口发现

sudo nmap -p- <target> -oA "$OUTPUT_DIR/nmap-portscan"

Phase 2: Service detection

阶段2：服务探测

nmap -p <OPEN_PORTS> -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"

undefined

nmap -p <OPEN_PORTS> -sV -sC <target> -oA "$OUTPUT_DIR/nmap-services"

undefined

Troubleshooting

故障排除

Scan Taking Too Long

扫描耗时过长

Use
```
-T4
```
for faster scanning
Limit port range:
```
-p 1-1000
```
instead of
```
-p-
```
Use
```
--top-ports 100
```
instead of all ports

使用
```
-T4
```
加快扫描速度
限制端口范围：使用
```
-p 1-1000
```
而非
```
-p-
```
使用
```
--top-ports 100
```
而非扫描所有端口

No Results / Firewalled

无结果/被防火墙拦截

Try different scan types:
```
-sS
```
,
```
-sT
```
,
```
-sA
```
Use
```
-Pn
```
to skip host discovery
Try
```
-f
```
for fragmented packets
Consider using
```
--source-port 53
```
or other trusted ports

尝试不同的扫描类型：
```
-sS
```
、
```
-sT
```
、
```
-sA
```
使用
```
-Pn
```
跳过主机发现
尝试
```
-f
```
参数使用分片数据包
考虑使用
```
--source-port 53
```
或其他可信端口

Requires Root/Sudo

需要Root/Sudo权限

These scan types require root:

```
-sS
```
(SYN scan)
```
-sU
```
(UDP scan)
```
-O
```
(OS detection)
Raw packet features

以下扫描类型需要root权限：

```
-sS
```
（SYN扫描）
```
-sU
```
（UDP扫描）
```
-O
```
（操作系统探测）
原始数据包功能

Permission Denied Errors

权限被拒绝错误

If you see "Permission denied" or "Operation not permitted":

bash

undefined

如果看到"Permission denied"或"Operation not permitted"：

bash

undefined

Run with sudo

使用sudo运行

sudo nmap <options> <target>

undefined

sudo nmap <options> <target>

undefined

Example Workflows

示例流程

Workflow 1: Standard Single Target Scan (Default)

流程1：标准单目标扫描（默认）

bash

TARGET="192.168.1.100"
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

bash

TARGET="192.168.1.100"
OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

Phase 1: Fast port discovery

阶段1：快速端口发现

sudo nmap -p- $TARGET -oA "$OUTPUT_DIR/nmap-portscan"

Check for "Host seems down"

检查"Host seems down"

if grep -q "Host seems down" "$OUTPUT_DIR/nmap-portscan.nmap"; then sudo nmap -p- -Pn $TARGET -oA "$OUTPUT_DIR/nmap-portscan" fi

Parse open ports

解析开放端口

OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

Phase 2: Service detection

阶段2：服务探测

if [ -n "$OPEN_PORTS" ]; then nmap -p "$OPEN_PORTS" -sV -sC $TARGET -oA "$OUTPUT_DIR/nmap-services" fi

undefined

if [ -n "$OPEN_PORTS" ]; then nmap -p "$OPEN_PORTS" -sV -sC $TARGET -oA "$OUTPUT_DIR/nmap-services" fi

undefined

Workflow 2: IoT Camera Testing

流程2：IoT摄像头测试

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

bash

OUTPUT_DIR="./nmap-output"
mkdir -p "$OUTPUT_DIR"

1. Run default two-phase scan

1. 运行默认的两阶段扫描

sudo nmap -p- 192.168.1.100 -oA "$OUTPUT_DIR/nmap-portscan" OPEN_PORTS=$(grep "^[0-9]" "$OUTPUT_DIR/nmap-portscan.nmap" | grep "open" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//') nmap -p "$OPEN_PORTS" -sV -sC 192.168.1.100 -oA "$OUTPUT_DIR/nmap-services"

2. If ONVIF camera detected, check HTTP methods

2. 如果检测到ONVIF摄像头，检查HTTP方法

nmap -p 80 --script http-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-http"

3. Check RTSP service

3. 检查RTSP服务

nmap -p 554 --script rtsp-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-rtsp"

undefined

nmap -p 554 --script rtsp-methods 192.168.1.100 -oA "$OUTPUT_DIR/nmap-rtsp"

undefined

Workflow 3: Additional UDP/OS Detection

流程3：额外UDP/操作系统探测

bash

OUTPUT_DIR="./nmap-output"

bash

OUTPUT_DIR="./nmap-output"

After completing default two-phase scan, optionally add:

完成默认两阶段扫描后，可选择添加：

UDP scan (top ports)

UDP扫描（常用端口）

sudo nmap -sU --top-ports 100 <target> -oA "$OUTPUT_DIR/nmap-udp"

OS detection

操作系统探测

sudo nmap -O <target> -oA "$OUTPUT_DIR/nmap-os"

Vulnerability scan

漏洞扫描

nmap -sV --script vuln <target> -oA "$OUTPUT_DIR/nmap-vuln"

undefined

nmap -sV --script vuln <target> -oA "$OUTPUT_DIR/nmap-vuln"

undefined

Questions to Ask User

需要向用户确认的问题

Before starting scans, clarify:

Target: What is the IP address or network range?
Scope: Single host or network range?
Scan Type: Use default two-phase strategy or user has specific requirements?
Authorization: Do you have permission to scan this target?
Special interests: Any specific services or ports to focus on after initial scan?

Note: Output is saved to

./nmap-output/

by default.

开始扫描前，请明确以下信息：

目标：IP地址或网络范围是什么？
范围：单个主机还是网络范围？
扫描类型：使用默认的两阶段策略还是有特定要求？
授权：你是否获得了扫描此目标的权限？
重点关注：初始扫描后是否有需要重点关注的特定服务或端口？

注意：输出默认保存至

./nmap-output/

。

Success Criteria

成功标准

A successful nmap scan includes:

Phase 1 port discovery completed without errors
Phase 2 service detection completed on all open ports
Results saved in all formats (-oA) in output directory
Open ports identified with service versions
NSE scripts executed successfully
Results documented and ready for analysis
Clear summary provided showing:
- Number of open ports found
- Key services detected
- Location of output files

一次成功的nmap扫描需满足：

阶段1端口发现无错误完成
阶段2服务探测在所有开放端口上完成
结果以所有格式（-oA）保存至输出目录
识别出开放端口及对应服务版本
NSE脚本成功执行
结果已记录并可用于分析
提供清晰的摘要，包括：
- 发现的开放端口数量
- 检测到的关键服务
- 输出文件的位置