Zenmap (the Windows build of nmap): tool parameter notes
Target: the IP addresses and ports to scan. Several forms are supported, for example an address range 10.123.10.1-10.123.10.244, subnet-mask (CIDR) notation 10.123.10.1/24, a domain name, a single IP, or a combination of single IPs and ranges.
Main Profile options
1. Intense scan
nmap -T4 -A -v
-T4: the -T option takes a timing template number (0–5) or its name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. For example, -T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms.
-T4 for faster execution
From the description above, -T4 is suited to scanning a LAN or another reliable network; it is somewhat aggressive, and scanning one TCP port takes about 10 ms on average.
-A: enables OS and version detection, script scanning, and traceroute;
Three effects: operating system and version detection, script scanning, and route tracing.
-v: show detailed information while the scan runs
2. Intense scan plus UDP: the intense scan with UDP scanning added
nmap -sS -sU -T4 -A -v
-sS: -sS (TCP SYN scan).
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.
This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see).
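The state rules quoted above (SYN/ACK = open, RST = closed, silence after retransmissions or an ICMP type 3 unreachable = filtered, bare SYN = open) are easy to get wrong when reading scan output against firewall logs. The following is an added example, not nmap's own code: a small classifier that applies exactly those rules to constructed per-probe responses; the Response type and the `pending` state are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 codes that the man page text says a SYN scan reports as "filtered"
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Response:
    """Constructed summary of what came back for one SYN probe (hypothetical model)."""
    kind: str                       # "tcp", "icmp", or "none" (no reply at all)
    tcp_flags: str = ""             # e.g. "SA" for SYN/ACK, "RA" for RST/ACK, "S" for bare SYN
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify_syn_probe(resp: Response, retransmissions_exhausted: bool = True) -> str:
    """Return the nmap port state for one SYN probe, following the rules quoted above."""
    if resp.kind == "tcp":
        flags = set(resp.tcp_flags)
        if "R" in flags:
            return "closed"          # RST: nothing is listening on that port
        if "S" in flags:
            # SYN/ACK is the normal "open" reply; a bare SYN without ACK is the rare
            # simultaneous-open / split-handshake case, which nmap also treats as open
            return "open"
        return "unknown"             # some other TCP segment; not covered by the rules
    if resp.kind == "icmp":
        if resp.icmp_type == 3 and resp.icmp_code in FILTERED_ICMP_CODES:
            return "filtered"        # unreachable error, typically from a firewall or router
        return "unknown"
    # No reply: nmap only marks the port filtered after several retransmissions
    return "filtered" if retransmissions_exhausted else "pending"


def summarize_scan(probes: dict) -> dict:
    """Map {port: Response} to {port: state} so a whole (constructed) scan can be read at once."""
    return {port: classify_syn_probe(resp) for port, resp in probes.items()}


if __name__ == "__main__":
    # Constructed sample responses for a handful of ports
    sample = {
        22: Response("tcp", "SA"),
        23: Response("tcp", "RA"),
        25: Response("icmp", icmp_type=3, icmp_code=13),
        80: Response("tcp", "S"),
        443: Response("none"),
    }
    for port, state in summarize_scan(sample).items():
        print(f"{port}/tcp {state}")
```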