Nmap（Network Mapper）是一款安全开源的扫描工具。可以用于扫描目标网络或主机所有的开放端口，也可以探测远程主机的操作系统类型。Nmap支持很多扫描技术，是楼主所知功能最强大的扫描工具，没有之一，虽然楼主平时仅仅用来扫描端口而已。Linux 和 Windows 都可以安装使用。

安装

 yum install nmap -y  

命令格式

 nmap [扫描类型] [通用选项] [扫描目标]

常用参数说明

 -sT #是最基本的TCP扫描方式。很容易被检测到，会在目标主机的日志中记录大批的连接请求以及错误信息。
 -sS #TCP同步扫描(TCP SYN)，因为不必全部打开一个TCP连接，所以这项技术通常称为半开扫描(half-open)。这项技术最大的好处是，很少有系统能够把这记入系统日志。
 -sU #使用此选项获取某台主机上提供哪些UDP(用户数据报协议,RFC768)服务。
 -O  #获得远程主机的操作系统类型。
 -v  #显示扫描过程中的详细信息。
 -p  #待扫描的端口号范围。

** 注： **
1. 详见 http://nmap.org
2. 端口取值范围是0 - 65535(即2的16次方），其中0 - 1024 是系统保留

使用示例及说明

# nmap 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-18 13:39 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
8088/tcp open  radan-http

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

# nmap -p0-65535 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-18 13:42 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
80/tcp    open  http
3306/tcp  open  mysql
6379/tcp  open  unknown
8088/tcp  open  radan-http
8125/tcp  open  unknown
9053/tcp  open  unknown
9056/tcp  open  unknown
19999/tcp open  unknown
21111/tcp open  unknown
39880/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds

# nmap -sS -O 180.00.00.xxx

Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-18 13:42 CST
Nmap scan report for 180.00.00.xxx
Host is up (0.025s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds

# nmap -sS -O -v 180.00.00.xxx

Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-18 13:49 CST
Initiating Ping Scan at 13:49
Scanning 180.00.00.xxx [4 ports]
Completed Ping Scan at 13:49, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:49
Completed Parallel DNS resolution of 1 host. at 13:49, 0.03s elapsed
Initiating SYN Stealth Scan at 13:49
Scanning 180.00.00.xxx [1000 ports]
Discovered open port 443/tcp on 180.00.00.xxx
Discovered open port 80/tcp on 180.00.00.xxx
Completed SYN Stealth Scan at 13:49, 4.58s elapsed (1000 total ports)
Initiating OS detection (try #1) against 180.00.00.xxx
Retrying OS detection (try #2) against 180.00.00.xxx
Nmap scan report for 180.00.00.xxx
Host is up (0.024s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Randomized

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.01 seconds
           Raw packets sent: 2078 (95.116KB) | Rcvd: 23 (1.680KB)

** 编译安装: **
# wget http://nmap.org/dist/nmap-7.01.tar.bz2
# tar -xvf nmap-x.x.x. tar.bz2
# cd nmap-x.x.x
# ./configure --prefix=/usr/local/nmap
# make && make install