Nmap Host Discovery

Introduction

The most important step in network reconnaissance is host discovery, that is, sifting out the live hosts or building a list of them. An analogy: host discovery is like visiting someone's house. You always knock and ask whether the owner is home; if you get an answer, someone is in, and if nothing comes back after a while, nobody is. Nmap provides a rich set of host discovery options, such as Ping scan, TCP/ACK scan, UDP scan and many other host discovery scan options. The following sections describe how to use each scan option in detail.
The introduction to Nmap and its installation are not repeated here; click the link to read that article.

Operations

1. Simple scan
[root@localhost ~]# nmap 192.168.52.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 10:36 CST
Nmap scan report for 192.168.52.1
Host is up (0.00068s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.52.2
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:E9:C0:55 (VMware)

Nmap scan report for 192.168.52.66
Host is up (0.00061s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:13:E4:0D (VMware)

Nmap scan report for 192.168.52.132
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap scan report for 192.168.52.254
Host is up (0.00028s latency).
All 1000 scanned ports on 192.168.52.254 are filtered
MAC Address: 00:50:56:E9:F2:A8 (VMware)

Nmap scan report for 192.168.52.133
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (6 hosts up) scanned in 14.26 seconds

Nmap took 14.26 s to perform host discovery over 192.168.52.1~192.168.52.254 and found 6 live hosts. While scanning these hosts, Nmap also ran a simple port scan against each target and printed the open ports and their services. Usage: "nmap IP".

2. Ping scan
[root@localhost ~]# nmap -sP 192.168.52.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 10:43 CST
Nmap scan report for 192.168.52.1
Host is up (0.00079s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.52.2
Host is up (0.00019s latency).
MAC Address: 00:50:56:E9:C0:55 (VMware)
Nmap scan report for 192.168.52.66
Host is up (0.00037s latency).
MAC Address: 00:0C:29:13:E4:0D (VMware)
Nmap scan report for 192.168.52.132
Host is up (0.00035s latency).
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Nmap scan report for 192.168.52.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:E9:F2:A8 (VMware)
Nmap scan report for 192.168.52.133
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 14.92 seconds

A Ping scan is the scan method to prefer in most cases. During a Ping scan Nmap sends an ICMP request and a TCP packet to the target host, easily obtaining target information without being easily noticed. Usage: "nmap -sP IP".

3. No-Ping scan
[root@localhost ~]# nmap -P0 192.168.52.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:03 CST
Nmap scan report for 192.168.52.133
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

A Ping scan handles most host discovery tasks, but many security staff disable Ping responses to protect their hosts, so a Ping scan cannot detect such hosts (compare the Ping scan step above). In that case you need a scan that skips Ping. Usage: "nmap -P0 IP".
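The Ping sweep from sections 2 and 3 as a reusable script, added here and not taken from the original post: it runs -sn (the current name for the post's -sP) with grepable output and reduces the result to a plain list of live hosts. It assumes nmap is installed and uses the post's test subnet; the sample output embedded for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not the post's code: a Ping sweep with grepable output,
# reduced to a plain list of live hosts. Assumptions: nmap is installed;
# the subnet is the post's test range; the sample below is constructed.
#   -sn    host discovery only (the current name for the post's -sP)
#   -oG -  grepable output on stdout, one "Host:" line per address
# Note: with -Pn (the post's -P0) Nmap marks every address Up without
# probing, so this list is only meaningful for a real ping sweep.

# Read grepable output on stdin and print one live IP per line.
parse_live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Count the live hosts in grepable output on stdin.
count_live_hosts() {
    parse_live_hosts | wc -l | tr -d ' '
}

# Sweep a range and print the live hosts.
ping_sweep() {
    nmap -sn -oG - "$1" | parse_live_hosts
}

# Constructed sample of `nmap -sn -v -oG -` output (-v also lists Down hosts).
SAMPLE_GREPABLE='# Nmap 7.91 scan initiated as: nmap -sn -v -oG - 192.168.52.0/24
Host: 192.168.52.1 ()   Status: Up
Host: 192.168.52.2 ()   Status: Up
Host: 192.168.52.3 ()   Status: Down
Host: 192.168.52.66 ()  Status: Up
Host: 192.168.52.133 () Status: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 3.21 seconds'

if [ "$#" -gt 0 ]; then
    ping_sweep "$1"                                       # live run: sh sweep.sh 192.168.52.0/24
else
    printf '%s\n' "$SAMPLE_GREPABLE" | parse_live_hosts   # offline demo on the sample
fi
```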

4. TCP SYN Ping scan
[root@localhost ~]# nmap -PS 192.168.52.133
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:14 CST
Nmap scan report for 192.168.52.133
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

A TCP SYN Ping scan makes Nmap send a SYN packet to the target host and then listen for the target's response to judge whether it is online. Usage: "nmap -PS IP".

5. ICMP Ping scan

ICMP Ping offers three options: "-PE", "-PP" and "-PM".

-PE    ICMP echo Ping scan
-PP    ICMP timestamp Ping scan
-PM    ICMP address mask Ping scan
  • ICMP echo Ping suits probing systems that place no, or few, restrictions on ICMP traffic.
  • ICMP timestamp Ping is used to determine whether a given host is online.
  • ICMP address mask Ping can get through firewall rules that block echo requests.
[root@localhost ~]# nmap -PE 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:32 CST
Nmap scan report for 192.168.52.132
Host is up (0.00038s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.19 seconds
[root@localhost ~]# nmap -PP 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:33 CST
Nmap scan report for 192.168.52.132
Host is up (0.00033s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.60 seconds
[root@localhost ~]# nmap -PM 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:33 CST
Nmap scan report for 192.168.52.132
Host is up (0.00049s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds

Since my test machine is not running any services, the displayed results are roughly the same, but the scan methods differ. Usage: "nmap -PE IP", "nmap -PP IP", "nmap -PM IP".
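From the defender's side, an added example (not from the original post) that picks the -PP and -PM probes out of iptables LOG lines: ICMP timestamp (type 13) and address mask (type 17) requests almost never occur in legitimate traffic, so even one from a source is worth flagging, while echo requests (type 8, the -PE probe) only count once a source sends many. The LOG rule and the kernel log lines are constructed assumptions, not material from the post.

```shell
#!/bin/sh
# Added example, not the post's code: pick the probes behind -PP and -PM out
# of iptables LOG lines. ICMP timestamp requests (type 13) and address mask
# requests (type 17) have almost no legitimate use, so a single one from a
# source is a strong discovery signal; echo requests (type 8, the -PE probe)
# are normal traffic and only count once a source sends many of them.
# Assumptions (hypothetical, not from the post): lines come from a rule like
#   iptables -A INPUT -p icmp -j LOG --log-prefix "DISCOVERY: "
# and the sample log below is constructed.

# Usage: flag_icmp_probes [rare_max] [echo_max]  < logfile
# Prints "SRC timestamp=N mask=N echo=N" for each source over a threshold.
flag_icmp_probes() {
    awk -v rare_max="${1:-1}" -v echo_max="${2:-20}" '
        /PROTO=ICMP/ {
            src = ""; type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)  src  = substr($i, 5)
                if ($i ~ /^TYPE=/) type = substr($i, 6)
            }
            if (src == "" || type == "") next
            seen[src] = 1
            count[src, type]++
        }
        END {
            for (s in seen) {
                t13 = count[s, 13] + 0; t17 = count[s, 17] + 0; t8 = count[s, 8] + 0
                if (t13 + t17 >= rare_max || t8 >= echo_max)
                    printf "%s timestamp=%d mask=%d echo=%d\n", s, t13, t17, t8
            }
        }' | sort
}

# Constructed kernel log lines: .133 ran nmap -PP and -PM, .66 is an ordinary ping.
SAMPLE_LOG='Jan 22 11:33:01 vm kernel: DISCOVERY: IN=eth0 OUT= SRC=192.168.52.133 DST=192.168.52.132 LEN=40 PROTO=ICMP TYPE=13 CODE=0 ID=30117 SEQ=0
Jan 22 11:33:01 vm kernel: DISCOVERY: IN=eth0 OUT= SRC=192.168.52.133 DST=192.168.52.132 LEN=32 PROTO=ICMP TYPE=17 CODE=0 ID=30117 SEQ=0
Jan 22 11:33:05 vm kernel: DISCOVERY: IN=eth0 OUT= SRC=192.168.52.66 DST=192.168.52.132 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 22 11:33:06 vm kernel: DISCOVERY: IN=eth0 OUT= SRC=192.168.52.66 DST=192.168.52.132 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2'

# Offline demo on the sample; on a live box: journalctl -k | flag_icmp_probes
printf '%s\n' "$SAMPLE_LOG" | flag_icmp_probes
```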

6. TCP ACK Ping scan
[root@localhost ~]# nmap -PA 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:38 CST
Nmap scan report for 192.168.52.132
Host is up (0.00030s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

TCP ACK Ping is very close to TCP SYN Ping; the difference is that the flag set is ACK rather than SYN. This helps get past target hosts that block SYN packets. Usage: "nmap -PA IP".

7. UDP Ping scan
[root@localhost ~]# nmap -PU 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 11:41 CST
Nmap scan report for 192.168.52.132
Host is up (0.00056s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 12.95 seconds

UDP Ping sends an empty UDP packet to the target host. This scan method is suited to finding the UDP ports a target has open: when the UDP packet reaches the target and an ICMP unreachable error comes back, the target is not offering a service on that UDP port. Usage: "nmap -PU IP".

8. ARP Ping scan
[root@localhost ~]# nmap -PR 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 12:29 CST
Nmap scan report for 192.168.52.132
Host is up (0.00037s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:A2:B4:44 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.70 seconds

ARP Ping is mainly used for host discovery on the local network. It sends an ARP request to probe the target and judges the target online when a reply is received. This method is more reliable and faster than IP-based scans. Usage: "nmap -PR IP".
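An added example (not from the original post) that runs each probe type covered above against one host with --reason and reports which packet made Nmap call the host up; it is a quick way to check which discovery probes a host's filtering actually blocks. On a local Ethernet segment run as root, Nmap replaces every IP-based probe with an ARP request unless --send-ip is given (which is why each report above shows a MAC address and looks the same), so the script passes --send-ip for the non-ARP probes; nmap being installed and the target address are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not the post's code: probe one host with each discovery
# option the post covers and print which packet Nmap received in reply.
# Assumptions: nmap is installed and this runs as root (raw ICMP/ARP need
# it); the target is given on the command line, e.g. the post's test host.
#   -sn        host discovery only, no port scan
#   --reason   adds "received <reason>" to the "Host is up" line
#   --send-ip  forces real IP probes on a local Ethernet segment, where
#              Nmap would otherwise silently use ARP for all of them

PROBES="-PE -PP -PM -PS -PA -PU -PR -Pn"

# Read Nmap normal output on stdin and print the reason token, e.g.
# "Host is up, received echo-reply (0.00038s latency)." -> "echo-reply".
# Prints "no-answer" when Nmap never reported the host up.
reason_from_output() {
    awk '
        /^Host is up, received / {
            sub(/^Host is up, received /, ""); sub(/[ (.].*$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "no-answer" }'
}

# Run a single probe type ($1) against host $2 and print "<flag> <reason>".
probe_once() {
    case "$1" in
        -PR|-Pn) extra="" ;;             # ARP ping / no ping: --send-ip not wanted
        *)       extra="--send-ip" ;;
    esac
    reason=$(nmap -sn --reason $extra "$1" "$2" 2>/dev/null | reason_from_output)
    printf '%-4s %s\n' "$1" "$reason"
}

# Run every probe type against one host.
probe_matrix() {
    for p in $PROBES; do probe_once "$p" "$1"; done
}

# Constructed samples so the parser can be checked without a network.
SAMPLE_UP='Nmap scan report for 192.168.52.132
Host is up, received arp-response (0.00038s latency).
MAC Address: 00:0C:29:A2:B4:44 (VMware)'
SAMPLE_DOWN='Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.10 seconds'

# Live run only when a target is given, e.g.: sh probe_matrix.sh 192.168.52.132
if [ "$#" -gt 0 ]; then probe_matrix "$1"; fi
```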
