Nmap Command Reference

Nmap command usage

nmap [Scan Type(s)] [Options] {target specification}

Installing Nmap on Linux

On RHEL/CentOS:
yum install nmap

On Debian/Ubuntu:
sudo apt-get install nmap

Option reference

Target specification:
  Targets can be hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
Host discovery:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online - skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP protocol ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use the OS's DNS resolver
  --traceroute: Trace hop path to each host
Scan techniques:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
Port specification and scan order:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - scan fewer ports (the 100 most common) than the default 1000
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
Service/version detection:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
Script scan:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma-separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS detection:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
Timing and performance:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time
  --max-retries <tries>: Caps number of port scan probe retransmissions
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
Firewall/IDS evasion and spoofing:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified IP options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Output:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
Misc:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page
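The -oX and -oA options above are what scripts should consume: Nmap's normal (-oN) text is written for humans and its layout is not stable across versions, whereas the XML format is. The following Python is an added example, not part of the original page or of Nmap itself: it parses the nmaprun XML, extracts the per-port state, reason and service for every host that is up, and diffs two scans of the same host to flag ports that have newly opened or stopped answering. Both XML documents are constructed samples (their port results echo the 192.168.100.65 reports later on this page); `nmap -oX - <target>` writes the real thing to standard output.

```python
"""Parse Nmap XML output (-oX) and diff two scans. Added example, not Nmap code.

SCAN_BEFORE and SCAN_AFTER are constructed samples in the nmaprun format,
trimmed to the elements used here; the port results mirror reports on this page.
"""
import xml.etree.ElementTree as ET

SCAN_BEFORE = """<nmaprun scanner="nmap" args="nmap -oX - 192.168.100.65" version="6.40" start="1594694940">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.100.65" addrtype="ipv4"/>
<ports><extraports state="filtered" count="996"/>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" method="table" conf="3"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="514"><state state="filtered" reason="no-response"/><service name="shell" method="table" conf="3"/></port>
</ports></host>
<runstats><finished elapsed="4.76"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

SCAN_AFTER = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.100.65-66" version="6.40" start="1594719780">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.100.65" addrtype="ipv4"/>
<ports><extraports state="filtered" count="995"/>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0" extrainfo="SSDP/UPnP" method="probed" conf="10"/></port>
<port protocol="tcp" portid="5432"><state state="open" reason="syn-ack"/><service name="postgresql" method="table" conf="3"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.100.66" addrtype="ipv4"/></host>
<runstats><finished elapsed="151.10"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {address: {(proto, port): {'state', 'reason', 'service'}}} for hosts that are up.

    Ports summarised by <extraports> (the 'Not shown: N filtered ports' line in
    normal output) are not listed individually by Nmap, so they do not appear here.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port table
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            service = None
            if svc is not None:
                # name always present; product/version only after -sV identified it
                service = " ".join(x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service,
            }
        hosts[addr] = ports
    return hosts


def open_ports(hosts, addr):
    """Sorted (proto, port) tuples in state 'open' for one host ([] if unknown)."""
    return sorted(k for k, v in hosts.get(addr, {}).items() if v["state"] == "open")


def diff_scans(before, after):
    """Per host: ports that became open and ports that are no longer open.

    A host present in only one scan is compared against an empty port set, so a
    newly appeared host shows all its open ports as 'opened'.
    """
    changes = {}
    for addr in sorted(set(before) | set(after)):
        was, now = set(open_ports(before, addr)), set(open_ports(after, addr))
        if was != now:
            changes[addr] = {"opened": sorted(now - was), "closed": sorted(was - now)}
    return changes


if __name__ == "__main__":
    for addr, delta in diff_scans(parse_nmap_xml(SCAN_BEFORE), parse_nmap_xml(SCAN_AFTER)).items():
        print(addr, "newly open:", delta["opened"], "no longer open:", delta["closed"])
```

Keep the XML from a known-good baseline under version control and diff each new scan against it; a port that flips between open and filtered from run to run (as 445/tcp does in the sample, and as several ports do in the real runs on this page) is usually dropped probes rather than a configuration change, so check the `reason` field and re-run with a slower timing template before raising an alarm.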

Scanning a system by hostname and IP address

Nmap offers several ways to scan a system. In this example a hostname and an IP address are used to find the open ports and services on the target, and its MAC address. Note that the MAC address is only reported when the target sits on the same Ethernet segment as the scanner (compare the 192.168.78.* results further down); for routed targets such as the two below it is absent.

Scanning by hostname

[root@localhost zzf]# nmap www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:47 CST
Nmap scan report for www.baidu.com (180.101.49.12)
Host is up (0.0011s latency).
Other addresses for www.baidu.com (not scanned): 180.101.49.11
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 56.39 seconds

Scanning by IP address

[root@localhost zzf]# nmap 192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:49 CST
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 991 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5357/tcp open  wsdapi
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds

Scanning with the -v option

The -v option makes Nmap report its progress as it goes: the ping scan, DNS resolution, each open port as it is discovered, timing estimates and, at the end, raw packet counts. In the run below it also explains why scans of this host are slow and why its port tables differ from one run to the next: Nmap keeps increasing its send delay because probes are being dropped (by the host or by a filter in front of it), and once the retransmission limit is hit a port that was open in one run is reported as filtered in another. A slower timing template (-T2 or lower), a higher --max-retries, or --reason to see why each state was assigned, help when results need to be repeatable.

[root@localhost zzf]# nmap -v 192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 11:18 CST
Initiating Ping Scan at 11:18
Scanning 192.168.100.65 [4 ports]
Completed Ping Scan at 11:18, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:18
Completed Parallel DNS resolution of 1 host. at 11:18, 0.01s elapsed
Initiating SYN Stealth Scan at 11:18
Scanning 192.168.100.65 [1000 ports]
Discovered open port 3306/tcp on 192.168.100.65
Discovered open port 443/tcp on 192.168.100.65
Discovered open port 135/tcp on 192.168.100.65
Discovered open port 139/tcp on 192.168.100.65
Discovered open port 445/tcp on 192.168.100.65
Discovered open port 5432/tcp on 192.168.100.65
Discovered open port 12265/tcp on 192.168.100.65
Increasing send delay for 192.168.100.65 from 0 to 5 due to 11 out of 17 dropped probes since last increase.
Discovered open port 5357/tcp on 192.168.100.65
Discovered open port 9001/tcp on 192.168.100.65
SYN Stealth Scan Timing: About 48.13% done; ETC: 11:19 (0:00:33 remaining)
Increasing send delay for 192.168.100.65 from 5 to 10 due to 43 out of 142 dropped probes since last increase.
SYN Stealth Scan Timing: About 59.13% done; ETC: 11:20 (0:00:46 remaining)
Increasing send delay for 192.168.100.65 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.100.65 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.100.65 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
Discovered open port 902/tcp on 192.168.100.65
Discovered open port 1947/tcp on 192.168.100.65
SYN Stealth Scan Timing: About 74.03% done; ETC: 11:20 (0:00:40 remaining)
Increasing send delay for 192.168.100.65 from 80 to 160 due to 11 out of 13 dropped probes since last increase.
Discovered open port 912/tcp on 192.168.100.65
Increasing send delay for 192.168.100.65 from 160 to 320 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 81.33% done; ETC: 11:21 (0:00:36 remaining)
Increasing send delay for 192.168.100.65 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 84.27% done; ETC: 11:22 (0:00:37 remaining)
SYN Stealth Scan Timing: About 86.13% done; ETC: 11:22 (0:00:38 remaining)
Increasing send delay for 192.168.100.65 from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 68.95% done; ETC: 11:24 (0:02:03 remaining)
Discovered open port 8001/tcp on 192.168.100.65
Discovered open port 5002/tcp on 192.168.100.65
Completed SYN Stealth Scan at 11:23, 290.96s elapsed (1000 total ports)
Nmap scan report for 192.168.100.65
Host is up (0.0011s latency).
Not shown: 982 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
1947/tcp  open     sentinelsrm
2701/tcp  filtered sms-rcinfo
3306/tcp  open     mysql
5002/tcp  open     rfe
5357/tcp  open     wsdapi
5432/tcp  open     postgresql
7025/tcp  filtered vmsvc-2
8001/tcp  open     vcom-tunnel
8008/tcp  filtered http
9001/tcp  open     tor-orport
12265/tcp open     unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 291.05 seconds
           Raw packets sent: 4131 (181.740KB) | Rcvd: 4120 (164.848KB)

Scanning multiple hosts

Append several IP addresses or hostnames to the nmap command to scan multiple hosts in one run.

[root@localhost zzf]# nmap -v 192.168.100.65 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:27 CST
Initiating Ping Scan at 13:27
Scanning 192.168.100.65 [4 ports]
Completed Ping Scan at 13:27, 1.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:27
Completed Parallel DNS resolution of 1 host. at 13:27, 0.01s elapsed
Initiating SYN Stealth Scan at 13:27
Scanning 192.168.100.65 [1000 ports]
Discovered open port 3306/tcp on 192.168.100.65
Discovered open port 443/tcp on 192.168.100.65
Discovered open port 139/tcp on 192.168.100.65
Discovered open port 445/tcp on 192.168.100.65
Discovered open port 135/tcp on 192.168.100.65
Discovered open port 902/tcp on 192.168.100.65
Discovered open port 9001/tcp on 192.168.100.65
Discovered open port 5002/tcp on 192.168.100.65
Discovered open port 912/tcp on 192.168.100.65
Discovered open port 8001/tcp on 192.168.100.65
Discovered open port 5432/tcp on 192.168.100.65
Discovered open port 1947/tcp on 192.168.100.65
Discovered open port 5357/tcp on 192.168.100.65
Completed SYN Stealth Scan at 13:27, 22.78s elapsed (1000 total ports)
Nmap scan report for 192.168.100.65
Host is up (2.1s latency).
Not shown: 986 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
514/tcp  filtered shell
902/tcp  open     iss-realsecure
912/tcp  open     apex-mesh
1947/tcp open     sentinelsrm
3306/tcp open     mysql
5002/tcp open     rfe
5357/tcp open     wsdapi
5432/tcp open     postgresql
8001/tcp open     vcom-tunnel
9001/tcp open     tor-orport

Initiating SYN Stealth Scan at 13:27
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:27, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 23.93 seconds
           Raw packets sent: 2095 (92.156KB) | Rcvd: 3604 (148.362KB)

Scanning an entire subnet

Use the * wildcard to scan a whole subnet or range of addresses. 192.168.100.* is equivalent to 192.168.100.0/24 and covers all 256 addresses, including the network and broadcast addresses, as the "Scanning 256 hosts" line below shows.

[root@localhost zzf]# nmap -v 192.168.100.*

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:30 CST
Initiating Ping Scan at 13:30
Scanning 256 hosts [4 ports/host]
Completed Ping Scan at 13:30, 7.62s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 13:30
Completed Parallel DNS resolution of 256 hosts. at 13:30, 0.93s elapsed
Initiating SYN Stealth Scan at 13:30
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 192.168.100.17
Discovered open port 53/tcp on 192.168.100.29
Discovered open port 139/tcp on 192.168.100.33
Discovered open port 5900/tcp on 192.168.100.44
Discovered open port 139/tcp on 192.168.100.61
Discovered open port 5900/tcp on 192.168.100.29
Discovered open port 139/tcp on 192.168.100.37
Discovered open port 445/tcp on 192.168.100.37
Discovered open port 445/tcp on 192.168.100.61
Discovered open port 80/tcp on 192.168.100.17
Discovered open port 80/tcp on 192.168.100.7

Scanning several servers by listing the last octet

Listing several comma-separated values for the last octet scans each of those addresses:

nmap 192.168.100.101,102,103 

Scanning a list of hosts from a file

Pass a file with -iL to scan every target it lists. Entries may be in any form Nmap accepts on the command line (addresses, hostnames, CIDR blocks, octet ranges) and are separated by spaces, tabs or newlines.

[root@localhost zzf]# cat nmaptest.txt 
192.168.100.65
192.168.100.66

[root@localhost zzf]# nmap -iL nmaptest.txt 

Nmap scan report for 192.168.100.65
Host is up (0.00050s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
9001/tcp open  tor-orport

Nmap scan report for 192.168.100.66
Host is up (0.00038s latency).
All 1000 scanned ports on 192.168.100.66 are filtered

Nmap done: 2 IP addresses (2 hosts up) scanned in 60.79 seconds

Scanning an IP address range

[root@localhost zzf]# nmap 192.168.100.65-67

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:44 CST
Nmap scan report for 192.168.100.65
Host is up (0.00047s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
9001/tcp open  tor-orport

Nmap scan report for 192.168.100.66
Host is up (0.00035s latency).
All 1000 scanned ports on 192.168.100.66 are filtered (933) or closed (67)

Nmap scan report for 192.168.100.67
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.100.67 are filtered (855) or closed (145)

Nmap done: 3 IP addresses (3 hosts up) scanned in 195.64 seconds

Excluding some remote hosts from a scan

When scanning a whole network or a wildcard range, use --exclude to leave out hosts you do not want touched (Nmap also accepts the single-dash spelling -exclude used in the command below); --excludefile reads the same kind of list from a file.

[root@localhost zzf]# nmap 192.168.100.65-67 -exclude 192.168.100.66

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 14:02 CST
Nmap scan report for 192.168.100.65
Host is up (0.00088s latency).
Not shown: 964 filtered ports
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
443/tcp   open   https
445/tcp   open   microsoft-ds
513/tcp   closed login
888/tcp   closed accessbuilder
902/tcp   open   iss-realsecure
912/tcp   open   apex-mesh
1002/tcp  closed windows-icfw
1009/tcp  closed unknown
1055/tcp  closed ansyslmd
1067/tcp  closed instl_boots
1075/tcp  closed rdrmshc
1082/tcp  closed amt-esd-prot
1192/tcp  closed caids-sensor
1721/tcp  closed caicci
1839/tcp  closed netopia-vo1
2179/tcp  closed vmrdp
2251/tcp  closed dif-port
2401/tcp  closed cvspserver
3005/tcp  closed deslogin
3071/tcp  closed csd-mgmt-port
3306/tcp  open   mysql
3801/tcp  closed ibm-mgr
5002/tcp  open   rfe
5357/tcp  open   wsdapi
5801/tcp  closed vnc-http-1
7004/tcp  closed afs3-kaserver
8001/tcp  open   vcom-tunnel
9001/tcp  open   tor-orport
9968/tcp  closed unknown
32768/tcp closed filenet-tms
32783/tcp closed unknown
49156/tcp closed unknown
50500/tcp closed unknown
57797/tcp closed unknown

Nmap scan report for 192.168.100.67
Host is up (0.00037s latency).
All 1000 scanned ports on 192.168.100.67 are filtered

Nmap done: 2 IP addresses (2 hosts up) scanned in 54.67 seconds
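All the target forms used in the preceding sections (comma-separated octets, octet ranges, the * wildcard, CIDR blocks, -iL files and --exclude) follow Nmap's target-specification grammar. The following Python is an added example, not Nmap's own code: it expands those forms into the concrete IPv4 addresses a scan would touch, which is useful for reviewing scope before running a scan or for turning a messy inventory into an -iL file. Hostnames are not resolved here, duplicates are dropped (a choice made in this example), and the expected counts in the tests match the runs above (256 hosts for 192.168.100.*, three for 192.168.100.65-67).

```python
"""Expand Nmap-style IPv4 target specifications. Added example, not Nmap code.

Forms handled: CIDR (192.168.100.0/24), octet wildcards (192.168.100.*),
octet ranges (192.168.100.65-67, 10.0.0-255.1-254), octet lists
(192.168.100.101,102,103), -iL style files and --exclude specs.
Hostnames are not resolved and -iR (random targets) is not modelled.
"""
import ipaddress
import itertools
import re

_OCTET_PART = re.compile(r"^(\d*)(-?)(\d*)$")   # 'N', 'N-M', '-M', 'N-'


def _expand_octet(field):
    """Expand one dotted field: '65', '*', '-', '65-67', '-67', '101,102,103'."""
    values = set()
    for part in field.split(","):
        if part in ("*", "-"):            # a lone '*' or '-' means 0-255
            values.update(range(256))
            continue
        m = _OCTET_PART.match(part)
        if not m or (not m.group(1) and not m.group(3)):
            raise ValueError("bad octet field %r" % field)
        lo = int(m.group(1)) if m.group(1) else 0            # '-67' starts at 0
        hi = int(m.group(3)) if m.group(3) else (255 if m.group(2) else lo)  # '65-' ends at 255
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet range out of bounds in %r" % field)
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_target(spec):
    """Return the IPv4 addresses (as strings) covered by one target spec."""
    spec = spec.strip()
    if "/" in spec:
        # Like Nmap, a CIDR block includes its network and broadcast addresses.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("not an IPv4 target spec (hostnames unsupported here): %r" % spec)
    octets = [_expand_octet(f) for f in fields]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def parse_target_list(text):
    """Split the contents of an -iL file: entries separated by spaces, tabs or newlines."""
    return text.split()


def expand_targets(specs, exclude=()):
    """Expand several specs, drop anything covered by the exclude specs, and
    de-duplicate while keeping first-seen order (de-duplication is a choice
    made in this example, not a claim about Nmap's behaviour)."""
    excluded = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen, result = set(), []
    for spec in specs:
        for ip in expand_target(spec):
            if ip in excluded or ip in seen:
                continue
            seen.add(ip)
            result.append(ip)
    return result


if __name__ == "__main__":
    # Same scope as the example above: nmap 192.168.100.65-67 --exclude 192.168.100.66
    for ip in expand_targets(["192.168.100.65-67"], exclude=["192.168.100.66"]):
        print(ip)
```

Feeding the expanded list back to Nmap with -iL is only worthwhile when you need to review or audit the scope first; for ordinary use Nmap's own parser handles every form above directly.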

Scanning for OS information and traceroute

Nmap can detect the operating system and version running on a remote host. The -A option turns on OS detection, version detection, script scanning and traceroute in one go. It is the noisiest and slowest scan on this page (270 seconds here), and the OS match below is explicitly flagged as a guess ("JUST GUESSING", "test conditions non-ideal"), so treat the 97% Windows XP/7 result as a hint rather than a fact.

[root@localhost zzf]# nmap -A  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 14:28 CST
Nmap scan report for 192.168.100.65
Host is up (0.12s latency).
Not shown: 779 filtered ports, 208 closed ports
PORT     STATE SERVICE         VERSION
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2019-07-01T05:46:24+00:00
|_Not valid after:  2020-06-30T05:46:24+00:00
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1947/tcp open  sentinelsrm?
3306/tcp open  mysql           MySQL (unauthorized)
5002/tcp open  rfe?
5357/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
5432/tcp open  postgresql?
8001/tcp open  vcom-tunnel?
9001/tcp open  tor-orport?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
………………………………
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (97%), Linux 2.4.X|3.X (94%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7:::enterprise cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Microsoft Windows XP SP3 (97%), Microsoft Windows 7 Enterprise (96%), DD-WRT v24-sp2 (Linux 2.4.37) (94%), Linux 3.2 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 1002/tcp)
HOP RTT       ADDRESS
1   0.57 ms   192.168.78.2
2   990.07 ms 192.168.100.65

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.02 seconds

Enabling Nmap OS detection

The -O option, optionally combined with --osscan-guess, also detects OS information. Note the warning in the output: OS fingerprinting needs at least one open and one closed TCP port on the target, and in this run every non-open port was filtered, so Nmap had no closed port to probe and marks the result unreliable.

[root@localhost zzf]# nmap -O  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:42 CST
Nmap scan report for 192.168.100.65
Host is up (0.00062s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5432/tcp open  postgresql
8001/tcp open  vcom-tunnel
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds

Scanning a host to detect a firewall

The ACK scan below (-sA) probes how the host treats unsolicited ACK packets. It cannot tell open from closed ports: a RST reply marks a port unfiltered, while no reply or an ICMP error marks it filtered. Every one of the 1000 ports answered with RST here, so ACK packets are not being filtered, even though SYN scans of the same host report most ports as filtered. An ACK scan therefore only tells you how the filter treats ACKs, not which ports are open.

[root@localhost zzf]# nmap -sA  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:44 CST
Nmap scan report for 192.168.100.65
Host is up (0.000085s latency).
All 1000 scanned ports on 192.168.100.65 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Scanning a host that blocks discovery probes

-PN is the older spelling of -Pn: it treats the target as online and skips ping-based host discovery, which is what you need when a firewall drops the discovery probes. It does not itself detect a firewall; what the output does reveal, in the "Not shown" line, is how many of the scanned ports were filtered (no response) versus closed (RST received).

[root@localhost zzf]# nmap -PN  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:45 CST
Nmap scan report for 192.168.100.65
Host is up (0.00091s latency).
Not shown: 771 filtered ports, 216 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
8001/tcp open  vcom-tunnel
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 151.10 seconds

Finding live hosts on the network

With -sn (the current spelling of -sP) Nmap only performs host discovery and skips the port scan and everything else, which is the quick way to list live hosts. The command actually run below used -PN instead, which does the opposite (skips discovery and port-scans every one of the 256 addresses), so its output includes port tables. The MAC addresses appear because 192.168.78.0/24 is the scanner's own Ethernet segment (ens33 in the --iflist output further down); they are never shown for routed targets such as 192.168.100.65.

[root@localhost zzf]# nmap -PN  192.168.78.*

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:22 CST
Nmap scan report for 192.168.78.1
Host is up (0.00025s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
5002/tcp open  rfe
5357/tcp open  wsdapi
8001/tcp open  vcom-tunnel
9001/tcp open  tor-orport
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.78.2
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:F3:1E:30 (VMware)

Nmap scan report for 192.168.78.254
Host is up (0.000078s latency).
All 1000 scanned ports on 192.168.78.254 are filtered
MAC Address: 00:50:56:EA:B7:44 (VMware)

Nmap scan report for 192.168.78.133
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (4 hosts up) scanned in 8.45 seconds

Performing a fast scan

The -F option scans only the 100 most common ports (ranked by the frequency data in nmap-services) instead of the default 1000. Below, 7 open plus 93 filtered account for the 100 ports scanned.

[root@localhost zzf]# nmap -F  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:25 CST
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 93 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3306/tcp open  mysql
5357/tcp open  wsdapi
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds

Printing host interfaces and routes

The --iflist option prints the scanner's own interfaces and routing table. It sends nothing to the network and is useful for checking which interface and gateway Nmap will use (-e selects an interface explicitly).

[root@localhost zzf]# nmap --iflist

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:26 CST
************************INTERFACES************************
DEV        (SHORT)      IP/MASK                      TYPE     UP   MTU   MAC
lo         (lo)         127.0.0.1/8                  loopback up   65536
lo         (lo)         ::1/128                      loopback up   65536
virbr0-nic (virbr0-nic) (null)/0                     ethernet down 1500  52:54:00:DB:96:1E
virbr0     (virbr0)     192.168.122.1/24             ethernet up   1500  52:54:00:DB:96:1E
ens33      (ens33)      192.168.78.133/24            ethernet up   1500  00:0C:29:91:36:BC
ens33      (ens33)      fe80::4140:1020:e111:678b/64 ethernet up   1500  00:0C:29:91:36:BC

**************************ROUTES**************************
DST/MASK                      DEV    METRIC GATEWAY
192.168.122.0/24              virbr0 0
192.168.78.0/24               ens33  100
0.0.0.0/0                     ens33  100    192.168.78.2
::1/128                       lo     0
fe80::4140:1020:e111:678b/128 lo     0
fe80::/64                     ens33  100
ff00::/8                      ens33  256

As the output above shows, Nmap lists the system's interfaces (with address, MTU and MAC) and its IPv4 and IPv6 routes.

Scanning specific ports

Nmap has several options for choosing which ports to scan; use -p (lowercase: -P prefixes the host-discovery options) to name the ports you want. By default only TCP ports are scanned; add -sU for UDP, or use T:/U: prefixes inside the -p list to mix both.

[root@localhost zzf]# nmap -p 3306  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:28 CST
Nmap scan report for 192.168.100.65
Host is up (0.00074s latency).
PORT     STATE SERVICE
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
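The -p list accepts more than a single number: ranges, open-ended ranges, and T:/U:/S: protocol prefixes (see the port specification section of the option reference), and --exclude-ports uses the same grammar. The following Python is an added example, not Nmap's own code: it expands such a list into the per-protocol port sets a scan would cover. One simplification is labelled in the code: where Nmap prints a warning for ports given for a protocol that no selected scan type covers (for example U: ports without -sU), this version silently drops them.

```python
"""Expand Nmap -p / --exclude-ports port lists. Added example, not Nmap code.

Grammar covered: comma-separated items; ranges a-b; open ranges -b (1..b),
a- (a..65535) and a lone '-' (1..65535); T:/U:/S: protocol prefixes that stay in
effect until the next prefix. Items given before any prefix apply to every
protocol, as in Nmap; which sets are actually scanned depends on the scan types
(TCP by default, UDP with -sU, SCTP with -sY/-sZ).
"""
PROTOS = ("T", "U", "S")


def _parse_range(item):
    """'22' -> (22, 22); '21-25' -> (21, 25); '-1024' -> (1, 1024); '1024-' -> (1024, 65535)."""
    if item == "-":
        return 1, 65535                      # '-p-' is every port except 0
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1
        hi = int(hi_s) if hi_s else 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= 65535:           # port 0 only when written explicitly
        raise ValueError("port range out of bounds: %r" % item)
    return lo, hi


def parse_port_spec(spec):
    """Parse a port list into {'T': set(), 'U': set(), 'S': set()}."""
    ports = {p: set() for p in PROTOS}
    current = None  # no prefix seen yet: ports apply to all protocols
    for item in spec.split(","):
        item = item.strip()
        if len(item) >= 2 and item[1] == ":":
            current = item[0].upper()
            if current not in PROTOS:
                raise ValueError("unknown protocol prefix in %r" % item)
            item = item[2:]
            if not item:                     # 'T:' alone only switches protocol
                continue
        if not item:
            raise ValueError("empty item in port list %r" % spec)
        lo, hi = _parse_range(item)
        for p in (PROTOS if current is None else (current,)):
            ports[p].update(range(lo, hi + 1))
    return ports


def ports_to_scan(spec, tcp=True, udp=False, sctp=False, exclude=None):
    """Final per-protocol port lists after --exclude-ports and scan-type filtering.

    Simplification: protocol sets without a matching scan type are dropped
    silently, whereas Nmap itself prints a warning in that situation.
    """
    wanted = parse_port_spec(spec)
    if exclude:
        for p, s in parse_port_spec(exclude).items():
            wanted[p] -= s
    enabled = {"T": tcp, "U": udp, "S": sctp}
    return {p: sorted(wanted[p]) for p in PROTOS if enabled[p] and wanted[p]}


if __name__ == "__main__":
    # The example list from the option reference, with UDP and SCTP scans enabled.
    print(ports_to_scan("U:53,111,137,T:21-25,80,139,8080,S:9", udp=True, sctp=True))
```

A practical use is to sanity-check a large exclusion list before a maintenance-window scan: expand the -p and --exclude-ports arguments together and confirm that the sensitive ports really are absent from the final sets.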

Scanning UDP ports

Use -sU for UDP. UDP scans are slow and ambiguous: a port that neither answers nor returns an ICMP port-unreachable error is reported as open|filtered, which is what happened for all 1000 ports below. Adding -sV (so Nmap sends protocol-specific payloads) or --reason helps separate live services from dropped probes.

[root@localhost zzf]# nmap -sU  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:41 CST
Nmap scan report for 192.168.100.65
Host is up (0.00087s latency).
All 1000 scanned ports on 192.168.100.65 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

Finding service version numbers

[root@localhost zzf]# nmap -sV  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:43 CST
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.30% done; ETC: 16:45 (0:00:34 remaining)
Stats: 0:02:49 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.17% done; ETC: 16:46 (0:00:16 remaining)
Stats: 0:03:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.87% done; ETC: 16:47 (0:00:13 remaining)
Stats: 0:05:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 76.92% done; ETC: 16:48 (0:00:05 remaining)
Stats: 0:05:14 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 76.92% done; ETC: 16:48 (0:00:06 remaining)
Nmap scan report for 192.168.100.65
Host is up (0.0011s latency).
Not shown: 984 closed ports
PORT      STATE    SERVICE          VERSION
135/tcp   open     msrpc            Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     https?
445/tcp   open     microsoft-ds?
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1947/tcp  open     sentinelsrm?
3269/tcp  filtered globalcatLDAPssl
3306/tcp  open     mysql            MySQL (unauthorized)
5002/tcp  open     rfe?
5357/tcp  open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5432/tcp  open     postgresql?
8001/tcp  open     vcom-tunnel?
9001/tcp  open     tor-orport?
10617/tcp filtered unknown
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1947-TCP:V=6.40……………………

Host discovery with TCP ACK (-PA) and TCP SYN (-PS) probes

Packet-filtering firewalls sometimes block the standard ICMP echo request, in which case TCP ACK or TCP SYN discovery probes can be used instead. Without a port list, -PS sends its SYN to port 80; this host does not answer on port 80 (it is among the filtered ports in the scans above), so Nmap declared it down. Point the probe at a port known to be open, for example -PS445, or skip discovery altogether with -Pn.

[root@localhost zzf]# nmap -PS  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:54 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.06 seconds

Performing a stealth (SYN) scan

-sS sends a SYN and never completes the handshake, so no connection is established for applications on the target to log. It is also Nmap's default scan type when run as root, which is why the -v run earlier reported a "SYN Stealth Scan".

[root@localhost zzf]# nmap -sS  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:56 CST
Nmap scan report for 192.168.100.65
Host is up (0.00082s latency).
Not shown: 983 filtered ports
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
161/tcp   closed snmp
443/tcp   open   https
445/tcp   open   microsoft-ds
902/tcp   open   iss-realsecure
987/tcp   closed unknown
1300/tcp  closed h323hostcallsc
1805/tcp  closed enl-name
1947/tcp  open   sentinelsrm
2381/tcp  closed compaq-https
3306/tcp  open   mysql
5002/tcp  open   rfe
5432/tcp  open   postgresql
9001/tcp  open   tor-orport
9535/tcp  closed man
19780/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 46.20 seconds

Performing a TCP Null scan to evade a firewall

A Null scan (-sN) sends TCP packets with no flags set. Per RFC 793 a closed port answers with RST and an open port stays silent, so open ports can only be reported as open|filtered. Below every port is open|filtered: nothing replied at all, which is exactly what a filter that drops such packets produces. Null, FIN and Xmas scans also give no useful result against Windows, which does not follow the RFC 793 behaviour they rely on.

[root@localhost zzf]# nmap -sN  192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:57 CST
Nmap scan report for 192.168.100.65
Host is up (0.00058s latency).
All 1000 scanned ports on 192.168.100.65 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.27 seconds

Scanning ports using decoys

-D mixes probes from spoofed decoy addresses (here 192.161.1.1) with the real ones, so the target's logs show several apparent sources; the real address is always among them, because the replies must reach the scanner. Nmap's documentation notes that decoys should be hosts that are actually up, or you may accidentally SYN-flood the target; ME can be placed in the list to fix the position of the real address, and RND:<n> generates random decoys. Decoys do nothing against an observer that can see the true source directly, such as a sensor on the scanner's own network.

[root@localhost zzf]# nmap  192.168.100.65 -D 192.161.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:12 CST
Nmap scan report for 192.168.100.65
Host is up (0.00091s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds

Summary

Host discovery

Principle: send probe packets to the target host; if a reply comes back, the host is up.

Option                             Function
-sL                                List Scan: only list the specified target IPs, no host discovery
-sn                                Ping Scan: host discovery only, no port scan
-Pn                                Treat every specified host as online, skip host discovery
-PS/PA/PU/PY[portlist]             TCP SYN/ACK, UDP or SCTP probes to the given ports
-PE/PP/PM                          ICMP echo, timestamp and netmask request probes
-PO[protocol list]                 Probe with raw IP packets of the given protocols to see whether the host is up
-n/-R                              -n: never do DNS resolution; -R: always resolve
--dns-servers <serv1[,serv2],...>  Specify DNS servers
--system-dns                       Use the operating system's DNS resolver
--traceroute                       Trace the route to each host

Port scanning

  • Open scans: produce a lot of audit data and are easily noticed, but are highly reliable, e.g. TCP Connect.
  • Stealthy scans: can evade intrusion detection systems and firewalls, but their packets are easily dropped, which yields misleading results, e.g. TCP FIN.
  • Half-open scans: stealth and reliability between the other two, e.g. TCP SYN.
Scan type   Description
-sS         TCP SYN scan: fairly stealthy, efficient and widely applicable
-sT         TCP Connect scan: completes a full TCP connection, which leaves records on the target, so it is not stealthy
-sA         TCP ACK scan: only determines whether a firewall filters a port; used alongside a SYN scan to judge the target's firewall rules
-sF         TCP FIN scan: a closed port discards the probe and returns RST; an open port returns nothing (reported as open|filtered)
-sU         UDP scan: an ICMP port-unreachable reply means the port is closed; a UDP reply means open; no reply at all means the port may be open (open|filtered)
Other options      Function
-p <port ranges>   Only scan the specified ports, e.g. -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F                 Scan fewer ports than the default scan
-r                 Scan ports consecutively, don't randomize

Version detection

nmap -sV IP
Rather than stopping at the port scan, -sV sends probes to each open port and matches the responses against Nmap's service fingerprint database to identify the service and its version. Ports whose responses match nothing are marked with a trailing "?" and Nmap prints the raw fingerprint for submission, as in the output below.

[root@localhost zzf]# nmap -sV 192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:34 CST
Nmap scan report for 192.168.100.65
Host is up (0.00079s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds?
1947/tcp open  sentinelsrm?
3306/tcp open  mysql         MySQL (unauthorized)
5002/tcp open  rfe?
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1947-TCP:V=6.40%I=7%D=7/14%Time=5F0D8A4D%P=x86_64-redhat-linux-gnu%

OS detection

Common OS detection techniques

  • TTL: the initial time-to-live value a network stack puts in its packets
  • TCP probes: different operating systems react differently to specially crafted TCP packets (for example in how they handle acknowledgement numbers)
  • ICMP: characteristics of the ICMP replies
Option           Meaning
-O               Enable OS detection
--osscan-guess   Guess the OS more aggressively; Nmap prints a confidence percentage for each candidate so the user can weigh the possibilities

[root@localhost zzf]# nmap -O --osscan-guess 192.168.100.65

Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:43 CST
Nmap scan report for 192.168.100.65
Host is up (0.0030s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5432/tcp open  postgresql
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.77 seconds

 
