Nmap learning notes (to be continued)

Disclaimer

Do not use any of this for illegal activity!

Contents

I. Port scanning

  1. How it works
    [image]

  2. Default scan

nmap scanme.nmap.org

[image]

  3. Skip host discovery
nmap -Pn scanme.nmap.org
-Pn treats every target as online and skips the host-discovery (ping) phase. It has nothing to do with DNS: name resolution is controlled by -n / -R and --dns-servers. Without -Pn, a privileged scan first sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (the "[4 ports]" in the Ping Scan line of the verbose output in part II), and only hosts that answer are port-scanned. So -Pn is the answer to "how do I stop the ICMP requests that precede the probe?": a host that drops ICMP would otherwise be reported as down and never scanned, at the cost of spending time scanning addresses that really are down. On Windows the binary is nmap.exe; the flags are identical:
nmap.exe -Pn scanme.nmap.org

[image]

  4. Set a port range
nmap.exe -p 1-1000 scanme.nmap.org

[image]
  5. Port states
    [image]
Nmap reports every scanned port in one of six states. open: an application is accepting TCP connections or UDP/SCTP packets on it. closed: the port is reachable and answers (a TCP RST) but nothing is listening. filtered: a firewall or other packet filter dropped the probe, so Nmap got no response and cannot tell whether the port is open. unfiltered: reachable but Nmap could not decide between open and closed; this only comes out of an ACK scan (-sA). open|filtered: Nmap cannot distinguish the two, typical for UDP, IP protocol and FIN/NULL/Xmas scans; closed|filtered is the same ambiguity and only appears in idle scans (-sI). Add --reason to see which response (or lack of one) produced each state.

  6. View the help
nmap -h
E:\Program Files (x86)\Nmap>nmap -h
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

II. Service fingerprinting

  1. Service information
nmap -sV scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.34s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     ssl/http       Apache/2.4.7 (Ubuntu)
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.27 seconds
  2. Aggressive scan

-A: aggressive scan; enables OS detection, version detection, default script scanning and traceroute in one switch (the same as -O -sV -sC --traceroute)
-v: verbose; print progress while the scan runs (-vv for more)
-T4: timing template, 0 (paranoid) to 5 (insane); 4 is "aggressive", fine on a fast reliable network but it loses results on lossy or high-latency links

E:\Program Files (x86)\Nmap>nmap.exe -A -v -T4 scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 19:07 China Standard Time
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating Ping Scan at 19:07
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 19:07, 0.86s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:07
Completed Parallel DNS resolution of 1 host. at 19:07, 0.01s elapsed
Initiating SYN Stealth Scan at 19:07
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 19:08, 39.60s elapsed (1000 total ports)
Initiating Service scan at 19:08
Scanning 4 services on scanme.nmap.org (45.33.32.156)
Completed Service scan at 19:08, 6.63s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (45.33.32.156)
Retrying OS detection (try #2) against scanme.nmap.org (45.33.32.156)
Initiating Traceroute at 19:08
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 19:08 (0:00:00 remaining)
Completed Traceroute at 19:08, 3.55s elapsed
Initiating Parallel DNS resolution of 20 hosts. at 19:09
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 78.95% done; ETC: 19:09 (0:00:01 remaining)
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 94.74% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 94.74% done; ETC: 19:09 (0:00:00 remaining)
Completed Parallel DNS resolution of 20 hosts. at 19:09, 2.83s elapsed
NSE: Script scanning 45.33.32.156.
Initiating NSE at 19:09
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 15 (15 waiting)
NSE Timing: About 97.21% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:02 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 14 (8 waiting)
NSE Timing: About 97.39% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 11 (7 waiting)
NSE Timing: About 97.95% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 6 (5 waiting)
NSE Timing: About 98.88% done; ETC: 19:09 (0:00:00 remaining)
Completed NSE at 19:09, 8.99s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 1.26s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open     http           Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 156515DA3C0F7DC6B2493BD5CE43F795
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (88%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), Linux 3.10 - 4.11 (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Asus RT-AC66U router (Linux 2.6) (86%), Asus RT-N16 WAP (Linux 2.6) (86%), Asus RT-N66U WAP (Linux 2.6) (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 37.909 days (since Fri Mar 25 21:21:08 2022)
Network Distance: 24 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   ...
2   26.00 ms  10.255.252.21
3   33.00 ms  36.152.112.45
4   4.00 ms   181.4.65.223.static.js.chinamobile.com (223.65.4.181)
5   ... 6
7   71.00 ms  112.2.73.49
8   79.00 ms  183.207.204.89
9   96.00 ms  from-NJ-PK-1.js.chinamobile.com (183.207.26.134)
10  126.00 ms 121.55.207.183.static.js.chinamobile.com (183.207.55.121)
11  17.00 ms  111.24.6.93
12  173.00 ms 221.183.107.50
13  53.00 ms  111.24.5.174
14  69.00 ms  221.176.22.158
15  ... 16
17  227.00 ms 223.120.13.221
18  242.00 ms 223.120.6.70
19  196.00 ms 223.120.6.218
20  306.00 ms te0-10-0-6-4.ccr41.lax05.atlas.cogentco.com (38.104.85.161)
21  311.00 ms be3243.ccr41.lax01.atlas.cogentco.com (154.54.27.117)
22  312.00 ms be3176.ccr21.sjc01.atlas.cogentco.com (154.54.31.190)
23  322.00 ms be2095.rcr21.b001848-1.sjc01.atlas.cogentco.com (154.54.3.138)
24  233.00 ms scanme.nmap.org (45.33.32.156)

NSE: Script Post-scanning.
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Read data files from: E:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.35 seconds
           Raw packets sent: 1189 (54.504KB) | Rcvd: 1082 (45.561KB)

Use nmap -sC -sV -O <target> to probe the target's operating system and services. -sC runs the default NSE script set (equivalent to --script=default), -sV probes open ports for service and version information, and -O enables OS detection. The flags are case-sensitive: -sc, -sv and -o are not the same options. -O (like -sS and -A) needs raw-packet privileges, so run it as root on Linux or from an Administrator prompt with Npcap installed on Windows.

Reading the output: the filtered entries (135, 139, 445, 593, 3389, 4444, 4899) mean the SYN probe got no reply, so something dropped it. Since every other non-open port on this Linux host answers with a RST ("989 closed ports"), a filter on the path between scanner and target is a more likely explanation than a rule on scanme.nmap.org itself; --reason prints "no-response" for these ports. 31337/tcp shown as tcpwrapped means the TCP handshake completed but the connection was closed without any data, so version detection could not identify what is listening. "No exact OS matches" with aggressive guesses in the 87-89% range is a guess, not a fingerprint match, and should be treated as such in a report.

nmap.exe -sC -sV -O scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open     http           Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (89%), Linux 3.10 - 4.11 (89%), Linux 4.4 (88%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), Asus RT-AC66U router (Linux 2.6) (87%), Linux 3.10 (87%), Linux 3.2 - 3.8 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 26 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.38 seconds


III. LAN discovery

  1. Host discovery
    [image]
    [image]
nmap.exe -sP 192.168.137.1/24
-sP is the old name for -sn (ping scan, no port scan); Nmap 7.80 still accepts it but only lists -sn in its help. On a directly connected Ethernet segment Nmap discovers hosts with ARP requests rather than ICMP, which is why a MAC address is shown for each host found and why hosts that block ICMP still show up. 192.168.137.1, reported up with no latency and no MAC, is most likely the scanning machine itself.
E:\Program Files (x86)\Nmap>nmap.exe -sP 192.168.137.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 19:37 China Standard Time
Nmap scan report for 192.168.137.200
Host is up (0.0020s latency).
MAC Address: 9C:28:F7:9B:AF:E4 (Unknown)
Nmap scan report for 192.168.137.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 297.31 seconds
  2. Host probing
    [image]
E:\Program Files (x86)\Nmap>nmap -h | findstr "sn"
  -sn: Ping Scan - disable port scan
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  3. Saving results
    [image]
Use -oN <file> for the normal on-screen format, -oX <file> for XML, -oG <file> for grepable output, or -oA <basename> to write all three at once; --append-output adds to an existing file instead of overwriting it. Keep the XML when results will be processed by other tools, since the normal format is not guaranteed to stay stable between releases.
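To turn a saved -oX report into something scriptable, here is an added Python example (not from the original post) that parses Nmap's XML output with the standard library only. The XML below is a constructed sample modelled on the scanme.nmap.org results above and trimmed to the elements the parser reads; function and variable names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sC -sV -oX report.xml scanme.nmap.org` writes,
# cut down to the elements used below. Ports, states and versions mirror the scan
# results in this post; the script output strings are copied from them.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oX report.xml scanme.nmap.org" version="7.80">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <extraports state="closed" count="989"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13"
                 extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
        <script id="ssh-hostkey" output="2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" extrainfo="(Ubuntu)"
                 method="probed" conf="10"/>
        <script id="http-title" output="Go ahead and ScanMe!"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="9929">
        <state state="open" reason="syn-ack"/>
        <service name="nping-echo" product="Nping echo" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="31337">
        <state state="open" reason="syn-ack"/>
        <service name="tcpwrapped" method="probed" conf="8"/>
      </port>
    </ports>
  </host>
  <runstats><finished elapsed="78.38"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4_address: [port records]} for every host in an -oX report."""
    root = ET.fromstring(xml_text)
    report = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # IPv6-only hosts are skipped here for brevity
            continue
        records = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            svc_attrs = svc.attrib if svc is not None else {}
            records.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),       # what --reason prints
                "service": svc_attrs.get("name"),
                "product": svc_attrs.get("product"),
                "version": svc_attrs.get("version"),
                # "probed": -sV fingerprinted it; "table": name guessed from nmap-services
                "method": svc_attrs.get("method"),
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        report[addr_el.get("addr")] = records
    return report


def ports_in_state(report, addr, state):
    """Sorted port numbers of `addr` whose state is exactly `state`."""
    return sorted(r["port"] for r in report[addr] if r["state"] == state)


def unidentified_open_ports(report, addr):
    """Open ports -sV could not really fingerprint: 'tcpwrapped' (handshake done,
    then closed with no banner) or a name that only came from the services table."""
    return sorted(r["port"] for r in report[addr]
                  if r["state"] == "open"
                  and (r["service"] == "tcpwrapped" or r["method"] != "probed"))


def version_strings(report, addr):
    """Map open port -> 'product version' for ports that were actually probed."""
    out = {}
    for r in report[addr]:
        if r["state"] == "open" and r["method"] == "probed" and r["product"]:
            out[r["port"]] = " ".join(x for x in (r["product"], r["version"]) if x)
    return out


if __name__ == "__main__":
    rep = parse_nmap_xml(SAMPLE_XML)
    for addr in rep:
        print(addr, "open:", ports_in_state(rep, addr, "open"),
              "filtered:", ports_in_state(rep, addr, "filtered"),
              "needs manual check:", unidentified_open_ports(rep, addr))
        for port, ver in version_strings(rep, addr).items():
            print(f"  {port}/tcp {ver}")
```

Replace SAMPLE_XML with the contents of a real -oX file; the same element names apply. Separating "probed" from "table" service names matters when the output feeds a vulnerability lookup: a table name is only what usually lives on that port, not evidence of what is running.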


