https://nmap.org/download.html
2. Scanning IP addresses
nmap 192.168.1.10 #scan a single IP
nmap 192.168.1.10-100 #scan an IP range
nmap 192.168.1.10 192.168.1.11 #scan several separate IPs
nmap 192.168.1.1/24 #scan a whole subnet
nmap -iL list.txt #scan the targets listed in a file (one host or network per line)
#list.txt
192.168.1.20
192.168.1.21
nmap -iR 3 #pick 3 random targets
nmap 192.168.1.10-100 --exclude 192.168.1.20 #exclude a specific IP
nmap 192.168.1.1/24 --excludefile list.txt #read the IPs to exclude from a file
nmap -A 192.168.1.10 #-A bundles the most useful options: OS detection, version detection, default scripts and traceroute
-O #OS detection: fingerprint the remote operating system (uppercase O; nmap flags are case-sensitive)
-sC #run the default NSE script set (same as --script=default)
-Pn #"no ping": treat every target as up and skip host discovery; use it when ICMP is filtered and hosts look down
-sn #ping scan only: report which hosts are up without port scanning (the older -sP does the same)
-PS[portlist] #host discovery with TCP SYN probes to the given ports (default 80)
-PU[portlist] #host discovery with UDP probes
-p 0-65535 #port specification; -p- is shorthand for every port
-PA[portlist] #host discovery with TCP ACK probes (default 80)
-PY[portlist] #host discovery with SCTP INIT probes
-PE #ICMP echo request probe, part of nmap's default discovery set
-PP #ICMP timestamp request probe; sometimes answered by hosts whose firewall drops echo requests
-PO1,2,4 #IP protocol ping: raw IP packets with the listed protocol numbers (1 ICMP, 2 IGMP, 4 IP-in-IP)
--traceroute #record the hop path to each host
-R #always do reverse DNS resolution (uppercase R; lowercase -r means "scan ports in order")
nmap --system-dns 192.168.1.10 #resolve names with the host OS's own resolver instead of nmap's
nmap --dns-servers 202.103.24.68 192.168.1.10 #resolve names with a specific DNS server
nmap -sL 192.168.1.0/24 #list scan: enumerate the targets (with reverse DNS) without sending any probes
-sS #TCP SYN (half-open) scan, the default when running with raw socket privileges
-sT #TCP connect() scan, the default when raw sockets are unavailable
Output of nmap -h for reference (flags are case-sensitive: -sS, -sn and -sN are three different options):
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan (the 100 most common ports instead of the default 1000)
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets (this only selects the layer nmap injects at; neither option hides your source IP)
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
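The cheat sheet above sets up the usual two-stage workflow (host discovery with -sn/-PS, then a port scan, then -sV/-sC on what is open) and the OUTPUT section lists -oG and --open, but neither shows what to do with the result. The POSIX shell script below is an added example, not code from the original page or from the nmap project: it parses a grepable (-oG) file, lists the hosts that are up and their open ports, and builds the per-host follow-up `nmap -sV -sC -p ...` command restricted to those ports. The sample file contents are constructed to match the real -oG layout (no scan is run), and the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from nmap): post-process a
# grepable (-oG) scan file and turn it into per-host follow-up commands.
set -eu

GNMAP="${TMPDIR:-/tmp}/sample.gnmap"   # assumed path of the -oG file

# Write a constructed sample of -oG output (not a real scan). Real -oG files
# use this layout: tab-separated fields, "Host: <ip> (<name>)" first, then
# either "Status: Up/Down" or a "Ports: " list whose ", "-separated entries
# are port/state/proto/owner/service/rpcinfo/version/.
write_sample_gnmap() {
  {
    printf '# Nmap 7.70 scan initiated as: nmap -sS -sV -oG sample.gnmap 192.168.1.10-12\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//nginx 1.14.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.1.11 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.12 ()\tStatus: Down\n'
    printf '# Nmap done -- 3 IP addresses (2 hosts up) scanned in 60.00 seconds\n'
  } > "$1"
}

# IPs reported as up (what "nmap -sn -oG" gives you after host discovery).
live_hosts() {
  awk -F'\t' '$2 == "Status: Up" { split($1, h, " "); print h[2] }' "$1"
}

# One line per open port: "<ip> <port>/<proto> <service> <version>".
# Only state "open" is kept; closed and filtered entries are dropped,
# which is the same filter --open applies at scan time.
open_ports() {
  awk -F'\t' '
    $2 ~ /^Ports: / {
      split($1, h, " ")                 # "Host: 192.168.1.10 ()" -> h[2] is the IP
      sub(/^Ports: /, "", $2)
      n = split($2, ports, ", ")
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")          # port/state/proto/owner/service/rpc/version/
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", h[2], f[1], f[3], (f[5] == "" ? "-" : f[5]), (f[7] == "" ? "-" : f[7])
      }
    }' "$1"
}

# Comma-joined open TCP ports of one host, in the form nmap -p accepts.
ports_for_host() {
  open_ports "$1" | awk -v ip="$2" '
    $1 == ip && $2 ~ /\/tcp$/ { split($2, p, "/"); out = out (out == "" ? "" : ",") p[1] }
    END { print out }'
}

# Second-stage command for one host: version probes and default scripts, but
# only on ports already known to be open, so the noisy part of the scan stays small.
followup_command() {
  ports=$(ports_for_host "$1" "$2")
  [ -n "$ports" ] || return 1          # nothing open: no follow-up scan
  printf 'nmap -sV -sC -p %s -oA %s %s\n' "$ports" "detail-$2" "$2"
}

write_sample_gnmap "$GNMAP"
echo "open ports:"; open_ports "$GNMAP"
echo "follow-up commands:"
for ip in $(live_hosts "$GNMAP"); do
  followup_command "$GNMAP" "$ip" || echo "# $ip is up but has no open TCP port in $GNMAP"
done
```

Run it as `sh script.sh`; swap the constructed sample for your own `-oG` file by setting GNMAP and removing the write_sample_gnmap call. The parser keys on the "Ports:" field rather than on the normal-output table, which is why -oG (or -oA, which writes all three formats) is the right choice for anything scripted; -oX with an XML parser is the more robust option once service versions with unusual characters appear.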
This concludes the walkthrough of how to use the network security auditing tool nmap.
