nmap扫描

1. 只能探测到主机存活，即接入网络。服务端口看不到。
   默认是-sS扫描，TCP SYN Stealth Scan. 能减少网络流量，速度快。SYN scan is the default and most popular scan option. often referred to as half-open scanning, because you don’t open a full TCP connection.

[root@ecs-d589 ~]# nmap 10.0.0.100
Starting Nmap 7.70 ( https://nmap.org ) at 2022-07-04 16:49 CST
Nmap scan report for 10.0.0.100
Host is up (-0.20s latency).
All 1000 scanned ports on 10.0.0.100 are filtered
MAC Address: FA:16:3E:D3:D3:38 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 21.30 seconds

2. ping检测不到主机，但nmap可以检测到，因为除了ICMP，还用了TCP。

[root@ecs-d589 ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
^C
--- 10.0.0.100 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 32ms

[root@ecs-d589 ~]# nmap -sP 10.0.0.100
Starting Nmap 7.70 ( https://nmap.org ) at 2022-07-04 17:22 CST
Nmap scan report for 10.0.0.100
Host is up (0.00027s latency).
MAC Address: FA:16:3E:D3:D3:38 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default.
In previous releases of Nmap, -sn was known as -sP. (No port scan)

激活不同的控制位扫描：

• ACK扫描 -sA
• FIN扫描 -sF
• Null扫描 -sN 所有控制位都为0
• MAX扫描 -sX 所以控制位都为1

都扫不出什么有意义的内容出来，没意思。
唯一的意思，知道有这台主机在那里存活着的。
因为不存活的主机，nmap还是检测的出来：

[root@ecs-d589 ~]# nmap  10.0.0.201
Starting Nmap 7.70 ( https://nmap.org ) at 2022-07-04 18:10 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.44 seconds
[root@ecs-d589 ~]# nmap  -Pn 10.0.0.201
Starting Nmap 7.70 ( https://nmap.org ) at 2022-07-04 18:10 CST
Nmap done: 1 IP address (0 hosts up) scanned in 0.45 seconds