Installation
1. Install nmap first
yum install nmap
wget http://nmap.org/dist/nmap-7.40.tar.bz2
tar -xvf nmap-7.40.tar.bz2
cd nmap-7.40/
./configure
make
make install
2. Then install python-nmap
sudo pip install python-nmap
Command-line usage
Run a ping scan, print the hosts that respond, and perform no further testing (such as a port scan or OS detection):
nmap -sP 192.168.1.0/24
Only list every host on the given network, without sending any packets to the targets:
nmap -sL 192.168.1.0/24
Send TCP SYN probes to the target host's ports; a comma-separated port list can be given (e.g. -PS22,23,25,80):
nmap -PS 192.168.1.234
Use UDP ping to probe for hosts:
nmap -PU 192.168.1.0/24
The most frequently used scan option: the SYN scan, also called a half-open scan, which does not complete a full TCP connection and therefore runs fast:
nmap -sS 192.168.1.0/24
Options:
-sP: ping scan; prints the hosts that respond to the scan.
-sn: host discovery only, no port scan.
-sS: the most frequently used scan option, the SYN scan; it does not complete a full TCP connection and therefore runs faster.
-sT: full TCP connect scan.
-sU: UDP scan.
-sO: find out which IP protocols the server supports.
-sV: probe open ports for service and version information.
-Pn: deep scan; skips ping-based host discovery and scans every target as if it were up.
-A: aggressive scan.
-O: operating system detection.
-T4: sets the timing template used during the scan.
-v: verbose output.
A simple usage example
import nmap

nm = nmap.PortScanner()                # wrapper around the nmap binary
ret = nm.scan('115.239.210.26', '20')  # scan TCP port 20 on the given host
print(ret)                             # nested dict, format shown below
The return format is as follows:
{'nmap': {'scanstats':
{'uphosts': '1', 'timestr': 'Tue Oct 25 11:30:47 2016', 'downhosts': '0', 'totalhosts': '1', 'elapsed': '1.11'},
'scaninfo': {'tcp': {'services': '20', 'method': 'connect'}}, 'command_line': 'nmap -oX - -p 20 -sV 115.239.210.26'},
'scan': {'115.239.210.26': {'status': {'state': 'up', 'reason': 'syn-ack'}, 'hostnames': [{'type': '', 'name': ''}],
'vendor': {}, 'addresses': {'ipv4': '115.239.210.26'},
'tcp': {20: {'product': '', 'state': 'filtered', 'version': '', 'name': 'ftp-data', 'conf': '3', 'extrainfo': '',
'reason': 'no-response', 'cpe': ''}
}
}
}
}
Scan for live IPs and MAC addresses
import nmap


def nmap_ping_scan(network_prefix):
    # network_prefix: '192.168.6.1-4' or '192.168.6.1/24'
    nm = nmap.PortScanner()  # create the scanner object
    ping_scan_raw = nm.scan(hosts=network_prefix, arguments='-sn')  # arguments selects the scan type; -sn is host discovery only
    host_list_ip = []
    for result in ping_scan_raw['scan'].values():  # iterate over each host entry under 'scan'
        if result['status']['state'] == 'up':  # 'up' means the host is alive
            host_list_ip.append(result['addresses'])  # the addresses dict: 'ipv4', plus 'mac' when nmap could observe it
    return host_list_ip
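Working with the dict that nm.scan() returns (the format shown above), as an added example that is not part of the original post: it extracts live hosts with their MACs and the open ports, and flags open ports that are not on a per-host allow list. SAMPLE is constructed here to mirror that format; its addresses, MACs and ports are made up.

```python
# Added example, not code from the original post. SAMPLE is constructed to
# mirror the dict python-nmap's PortScanner.scan() returns and covers the
# cases a real scan produces: a host with no 'tcp' key, a host without a
# 'mac' entry (not on the local segment) and a port in state 'filtered'.
SAMPLE = {
    'nmap': {'command_line': 'nmap -oX - -sn 192.168.6.0/24', 'scanstats': {}},
    'scan': {
        '192.168.6.1': {
            'status': {'state': 'up', 'reason': 'arp-response'},
            'addresses': {'ipv4': '192.168.6.1', 'mac': '00:11:22:33:44:55'},
            'tcp': {22: {'state': 'open', 'name': 'ssh'},
                    3306: {'state': 'open', 'name': 'mysql'},
                    20: {'state': 'filtered', 'name': 'ftp-data'}}},
        '192.168.6.2': {
            'status': {'state': 'up', 'reason': 'syn-ack'},
            'addresses': {'ipv4': '192.168.6.2'}},          # no 'mac', no 'tcp'
        '192.168.6.3': {
            'status': {'state': 'down', 'reason': 'no-response'},
            'addresses': {'ipv4': '192.168.6.3'}},
    },
}


def live_hosts(result):
    """Map ipv4 -> MAC (None when nmap saw none) for every host reported up."""
    hosts = {}
    for host in result['scan'].values():
        if host.get('status', {}).get('state') != 'up':
            continue
        addrs = host.get('addresses', {})
        if 'ipv4' in addrs:
            hosts[addrs['ipv4']] = addrs.get('mac')
    return hosts


def open_ports(result, proto='tcp'):
    """Sorted (ip, port, service) triples for ports whose state is 'open'."""
    found = []
    for ip, host in result['scan'].items():
        for port, info in host.get(proto, {}).items():  # {} for hosts without ports
            if info.get('state') == 'open':              # skips 'filtered'/'closed'
                found.append((ip, int(port), info.get('name', '')))
    return sorted(found)


def unexpected_ports(result, allowed):
    """Open ports missing from the per-host allow list: a quick exposure check."""
    return [(ip, p, svc) for ip, p, svc in open_ports(result)
            if p not in allowed.get(ip, set())]
```

Feeding the real result of nm.scan() into these functions in place of SAMPLE gives an inventory of hosts and an exposure report in one pass.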
Usage illustrations
1. Ping scan: find which hosts on the 192.168.0.0/24 subnet are alive;
[root@laolinux ~]# nmap -sP 192.168.0.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 06:59 CST
Host laolinux (192.168.0.3) appears to be up.
Host 192.168.0.20 appears to be up.
MAC Address: 00:1E:4F:CD:C6:0E (Unknown)
Host 192.168.0.108 appears to be up.
MAC Address: 00:E3:74:27:05:B7 (Unknown)
Host 192.168.0.109 appears to be up.
MAC Address: 00:E0:E4:A6:14:6F (Fanuc Robotics North America)
2. Port scan: find which ports host 192.168.0.3 has open;
[root@laolinux ~]# nmap -sT 192.168.0.3
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:02 CST
Interesting ports on laolinux (192.168.0.3):
Not shown: 1667 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
964/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
Nmap finished: 1 IP address (1 host up) scanned in 4.755 seconds
3. Stealth scan, which leaves very little log information on the target host:
[root@laolinux ~]# nmap -sS 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 3.121 seconds
4. UDP port scan: find which UDP ports 192.168.0.127 has open;
[root@laolinux ~]# nmap -sU 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1480 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 2.947 seconds
5. Operating system detection:
[root@laolinux ~]# nmap -sS -O 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:09 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Nmap finished: 1 IP address (1 host up) scanned in 5.687 seconds