I. Keep in mind
Do not scan arbitrary live websites!
Nmap officially provides a host for test scans: Go ahead and ScanMe!
Official site: Nmap: the Network Mapper - Free Security Scanner
II. Getting started
1. Use ping to obtain the domain's IP address (if it returns an IPv6 address, use: ping -4 <domain>)
└─$ ping -4 scanme.nmap.org
PING (45.33.32.156) 56(84) bytes of data.
64 bytes from scanme.nmap.org (45.33.32.156): icmp_seq=1 ttl=52 time=190 ms
64 bytes from 156.32.33.45.in-addr.arpa (45.33.32.156): icmp_seq=2 ttl=52 time=190 ms
64 bytes from 156.32.33.45.in-addr.arpa (45.33.32.156): icmp_seq=3 ttl=52 time=190 ms
^C
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 189.538/189.822/190.085/0.223 ms
2. Scan the ports with verbose output: nmap -vv <IP address> (use the test host; do not scan ordinary websites!)
└─$ nmap -vv 45.33.32.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-20 18:44 CST
Initiating Ping Scan at 18:44
Scanning 45.33.32.156 [2 ports]
Completed Ping Scan at 18:44, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:44
Completed Parallel DNS resolution of 1 host. at 18:44, 0.57s elapsed
Initiating Connect Scan at 18:44
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 80/tcp on 45.33.32.156
Increasing send delay for 45.33.32.156 from 0 to 5 due to 45 out of 148 dropped probes since last increase.
Discovered open port 31337/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Completed Connect Scan at 18:44, 39.04s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received conn-refused (0.19s latency).
Scanned at 2022-10-20 18:44:00 CST for 39s
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
445/tcp filtered microsoft-ds no-response
4444/tcp filtered krb524 no-response
9929/tcp open nping-echo syn-ack
31337/tcp open Elite syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.86 seconds
3. Half-open (SYN) scan: the TCP handshake is never completed, so no session is established and the target's services write no log entries for it; this scan type requires root privileges (-sT is also a TCP scan, the connect scan seen in step 2)
Without root, Nmap reports that root privileges are required:
└─$ nmap -sS scanme.nmap.org
You requested a scan type which requires root privileges.
QUITTING!
After switching to the root user:
└─# nmap -sS scanme.nmap.org
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 15:21 CST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 30.96 seconds
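A note for the defender's side of the claim above: the target's services never see a half-open probe, but any firewall or flow logger on the path records the SYN whether or not the handshake completes. The following Python script is an added example (not from the original post and not Nmap code) that flags port-scan behaviour in netfilter-style log lines; the log lines, the RFC 5737 documentation addresses, the assumed year and the threshold/window values are all constructed for the example.

```python
"""Flag port-scan behaviour in firewall logs, including half-open SYN scans.

Added example for this tutorial, not from the original post and not Nmap code.
The log lines are a constructed approximation of Linux netfilter LOG output
using RFC 5737 documentation addresses; the year is assumed, since syslog
timestamps carry none.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.5 sends a SYN to eight different ports in
# two seconds and never completes a handshake; 198.51.100.7 is one ordinary
# HTTPS client talking to a single port.
SAMPLE_LOG = """\
Oct 21 15:21:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51522 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 15:21:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51522 DPT=443 WINDOW=501 RES=0x00 ACK PSH URGP=0
Oct 21 15:21:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 21 15:21:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=9929 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) (?P<flags>.*)$"
)
ASSUMED_YEAR = 2022  # assumption: syslog lines carry no year

Flow = Tuple[str, str]  # (source address, destination address)


def detect_port_scans(log_text: str, threshold: int = 5,
                      window_seconds: int = 10) -> Dict[Flow, List[int]]:
    """Return {(src, dst): ports} for sources that SYN-probe at least
    `threshold` distinct destination ports within any `window_seconds` window.
    A bare SYN is logged whether or not the client completes the handshake,
    so a -sS half-open scan is as visible here as a -sT connect scan."""
    events: Dict[Flow, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # only the connection-opening SYN counts as a probe
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S",
        )
        events[(m.group("src"), m.group("dst"))].append((ts, int(m.group("dpt"))))

    alerts: Dict[Flow, set] = {}
    for flow, probes in events.items():
        probes.sort()
        in_window: Counter = Counter()  # distinct ports -> count inside the window
        start = 0
        for ts, port in probes:
            in_window[port] += 1
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - probes[start][0]).total_seconds() > window_seconds:
                old_port = probes[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= threshold:
                alerts.setdefault(flow, set()).update(in_window)
    return {flow: sorted(ports) for flow, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```

The threshold and window are tuning knobs: a lower threshold catches slow `-T0`/`-T1` scans only if the window is widened accordingly, at the cost of more false positives from busy legitimate clients.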
4. Find the UDP ports open on the target (tip: press Enter while a scan is running to see its progress)
└─# nmap -sU scanme.nmap.org
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 15:23 CST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
rDNS record for 45.33.32.156: 156.32.33.45.in-addr.arpa
Not shown: 988 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
123/udp open ntp
135/udp open|filtered msrpc
136/udp open|filtered profile
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
445/udp open|filtered microsoft-ds
1027/udp open|filtered unknown
1028/udp open|filtered ms-lsa
1433/udp open|filtered ms-sql-s
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 1034.00 seconds
5. Detect the software versions running on the target's open ports
└─# nmap -sV 45.33.32.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 15:35 CST
Nmap scan report for 156.32.33.45.in-addr.arpa (45.33.32.156)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.59 seconds
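Scan reports like the `-vv` and `-sV` output above are usually consumed by a script rather than read by eye, for instance to diff exposed ports against an asset baseline. The Python parser below is an added example, not from the original post and not Nmap code; it re-types the two reports above as constructed input and reads the header line to decide whether the optional REASON and VERSION columns are present. Nmap's `-oX` XML output is the more robust source when you control the scan; this shows the text form used on this page.

```python
"""Parse Nmap's normal text output into structured port records.

Added example for this tutorial, not part of the original post and not Nmap
code. The two samples are the `nmap -vv` and `nmap -sV` reports shown on the
page, re-typed here as constructed input so the parser runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample 1: the `nmap -vv` report (REASON column present).
SAMPLE_VV = """\
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received conn-refused (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      REASON
22/tcp    open     ssh          syn-ack
80/tcp    open     http         syn-ack
445/tcp   filtered microsoft-ds no-response
4444/tcp  filtered krb524       no-response
9929/tcp  open     nping-echo   syn-ack
31337/tcp open     Elite        syn-ack
Nmap done: 1 IP address (1 host up) scanned in 39.86 seconds
"""

# Constructed sample 2: the `nmap -sV` report (VERSION column, often empty).
SAMPLE_SV = """\
Nmap scan report for 156.32.33.45.in-addr.arpa (45.33.32.156)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT      STATE    SERVICE      VERSION
22/tcp    open     tcpwrapped
80/tcp    open     http         Apache httpd 2.4.7 ((Ubuntu))
445/tcp   filtered microsoft-ds
4444/tcp  filtered krb524
9929/tcp  open     nping-echo   Nping echo
31337/tcp open     tcpwrapped
Nmap done: 1 IP address (1 host up) scanned in 35.59 seconds
"""


@dataclass
class PortRecord:
    host: str                      # IP when Nmap prints one, else the name
    port: int
    proto: str                     # "tcp" or "udp"
    state: str                     # open, closed, filtered, open|filtered, ...
    service: str
    reason: Optional[str] = None   # only with -vv / --reason
    version: Optional[str] = None  # only with -sV


HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([0-9a-fA-F.:]+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_report(text: str) -> List[PortRecord]:
    """Return one PortRecord per port line, for every host in the report."""
    records: List[PortRecord] = []
    host: Optional[str] = None
    columns: List[str] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(2) or m.group(1)
            columns = []
            continue
        if line.startswith("PORT "):
            columns = line.split()  # header says which optional columns follow
            continue
        m = PORT_RE.match(line)
        if not (m and host and columns):
            continue
        port, proto, state, service, rest = m.groups()
        reason = version = None
        if "REASON" in columns:
            reason, _, rest = rest.partition(" ")
        if "VERSION" in columns:
            version = rest.strip() or None
        records.append(PortRecord(host, int(port), proto, state, service, reason, version))
    return records


def open_ports(records: List[PortRecord]) -> List[int]:
    """Ports Nmap reports as definitely open (excludes open|filtered)."""
    return sorted(r.port for r in records if r.state == "open")


def unexpected_open(records: List[PortRecord], baseline: set) -> List[int]:
    """Open ports missing from the asset owner's expected baseline."""
    return sorted(p for p in open_ports(records) if p not in baseline)


if __name__ == "__main__":
    recs = parse_nmap_report(SAMPLE_VV)
    print("open:", open_ports(recs))
    print("not in baseline {22, 80}:", unexpected_open(recs, {22, 80}))
    for r in parse_nmap_report(SAMPLE_SV):
        if r.version:
            print(f"{r.port}/{r.proto} {r.service}: {r.version}")
```

Against the `-vv` report the baseline check surfaces 9929 and 31337 as open ports nobody had documented, which is exactly the question an asset owner wants a scan to answer.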
6. Detect the target's operating system, which narrows down which known vulnerabilities may apply to it
└─# nmap -O 45.33.32.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 15:37 CST
Nmap scan report for 156.32.33.45.in-addr.arpa (45.33.32.156)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo
31337/tcp open Elite
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.32 or 3.10 (91%), Linux 3.4 (91%), Linux 3.5 (91%), Linux 4.2 (91%), Linux 4.4 (91%), Synology DiskStation Manager 5.1 (91%), WatchGuard Fireware 11.8 (91%), Linux 2.6.35 (90%), Linux 4.9 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.90 seconds
7. Guess the closest matching operating system type
└─# nmap -O --osscan-guess 45.33.32.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 16:03 CST
Nmap scan report for 156.32.33.45.in-addr.arpa (45.33.32.156)
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo
31337/tcp open Elite
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.39 (91%), Linux 3.10 - 3.12 (91%), Linux 3.4 (91%), Linux 4.4 (91%), Synology DiskStation Manager 5.1 (91%), Linux 2.6.35 (90%), Linux 2.6.32 or 3.10 (90%), Linux 3.5 (90%), Linux 4.2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.42 seconds
8. When the target sits behind a firewall, IDS or IPS, use -PN so that Nmap skips the ping (host discovery) step and still runs the scan itself (-PN is the older spelling; current Nmap documents the option as -Pn)
└─# nmap -O -PN 45.33.32.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 16:06 CST
Nmap scan report for 156.32.33.45.in-addr.arpa (45.33.32.156)
Host is up (0.18s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo
31337/tcp open Elite
Aggressive OS guesses: Linux 2.6.32 (92%), Linux 2.6.39 (91%), Linux 3.10 - 3.12 (91%), Linux 3.4 (91%), Linux 3.5 (91%), Linux 4.4 (91%), Synology DiskStation Manager 5.1 (91%), Linux 2.6.35 (90%), Linux 3.10 (90%), Linux 2.6.32 or 3.10 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.47 seconds
9. Nmap offers a simple way to use tuned scan timings: six timing templates, for example nmap -sS -T<0-5> 45.33.32.156. The templates are:
paranoid (0) and sneaky (1) are meant for IDS evasion.
Polite (2) slows the scan down to use less bandwidth and fewer target-host resources.
Normal (3) is the default, so -T3 applies no tuning at all.
Aggressive (4) assumes the user is on a suitably fast and reliable network and speeds the scan up.
Insane (5) assumes an extraordinarily fast network, or a user willing to sacrifice accuracy for speed.
10. Check which hosts in a network range are up
└─# nmap -sP 45.33.32.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 16:13 CST
Nmap scan report for li982-4.members.linode.com (45.33.32.4)
Host is up (0.17s latency).
Nmap scan report for li982-6.members.linode.com (45.33.32.6)
Host is up (0.17s latency).
Nmap scan report for li982-9.members.linode.com (45.33.32.9)
11. Read a list of IP addresses from a file and scan them
└─# nmap -iL ip-address.txt
12. Traceroute lists every network hop between the local machine and the target, and the time taken to reach each hop
└─# nmap -traceroute scanme.nmap.org
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-21 16:18 CST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
445/tcp filtered microsoft-ds
4444/tcp filtered krb524
9929/tcp open nping-echo
31337/tcp open Elite
TRACEROUTE (using port 199/tcp)
HOP RTT ADDRESS
1 1.68 ms 192.168.1.1 (192.168.1.1)
2 7.17 ms 100.77.128.1
3 14.45 ms 58.221.112.137
4 ... 7
8 143.04 ms 202.97.42.166
9 ... 12
13 189.83 ms scanme.nmap.org (45.33.32.156)
Nmap done: 1 IP address (1 host up) scanned in 27.51 seconds
13. Use Nmap scripts to check whether common vulnerabilities are present
nmap --script <category>
Example: nmap --script vuln 45.33.32.156
- auth: scripts that deal with authentication credentials (or bypass authentication)
- broadcast: discover further services on the local network, such as dhcp/dns/sqlserver
- brute: brute-force attacks against common applications such as http/snmp
- default: the scripts run by default with -sC or -A; basic script-scanning capability
- discovery: gather more information about the network, e.g. SMB enumeration, SNMP queries
- dos: scripts that perform denial-of-service attacks
- exploit: exploit known vulnerabilities to break into the system
- external: use third-party databases or resources, e.g. whois lookups
- fuzzer: fuzzing scripts that send malformed packets to the target to uncover potential vulnerabilities
- intrusive: intrusive scripts that may be logged or blocked by the target's IDS/IPS
- malware: check whether the target is infected with malware or has a backdoor open
- safe: the opposite of intrusive; scripts considered safe to run
- version: scripts that enhance service and version detection (Version Detection)
- vuln: check whether the target has common vulnerabilities (Vulnerability), e.g. MS08_067
14. Following on from 13, a category can be narrowed down to a specific script
(official script documentation: NSEDoc Reference Portal — Nmap Scripting Engine documentation)
nmap --script <specific script> scanme.nmap.org
#######################################
####@ Examples only; do not attack the official Nmap site @####
#######################################
Check whether FTP allows anonymous login
nmap --script ftp-anon scanme.nmap.org
Brute-force MySQL
nmap --script=mysql-brute <target>
Brute-force SQL Server
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>
Brute-force Oracle
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL <host>
Brute-force SSH
nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s <target>
Brute-force DNS subdomains
nmap --script dns-brute scanme.nmap.org
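The banner above makes the point: script scans, and the brute-force scripts in particular, belong only on hosts you are authorized to test. The Python helper below is an added example (not from the original post and not part of Nmap) that assembles an nmap --script command line only after checking the target against an authorization scope file, and that requires an explicit opt-in for the intrusive categories listed in step 13 and for *-brute scripts. The scope-file format, its sample contents and the opt-in rule are this example's own assumptions, not Nmap conventions.

```python
"""Build an Nmap NSE command only for targets inside an authorized scope.

Added example for this tutorial, not part of the original post and not Nmap
code. The scope-file format (one IP, CIDR or hostname per line, '#' comments)
and the set of scripts that need explicit opt-in are this example's own
conventions, not Nmap's.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

# Categories from the list in step 13 whose scripts actively attack or disrupt
# the target; they reach the command line only with allow_intrusive=True.
INTRUSIVE_CATEGORIES = {"brute", "dos", "exploit", "fuzzer", "intrusive"}

# Constructed scope file: the Nmap test host plus a documentation lab range.
SAMPLE_SCOPE = """\
45.33.32.156      # scanme.nmap.org, offered by the Nmap project for testing
scanme.nmap.org
192.0.2.0/24      # constructed lab range (RFC 5737 documentation prefix)
"""

Scope = Tuple[list, Set[str]]  # (authorized networks, authorized hostnames)


def parse_scope(text: str) -> Scope:
    """Split a scope file into IP networks and lower-cased hostnames."""
    nets, names = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())  # not an address: treat as a hostname
    return nets, names


def in_scope(target: str, scope: Scope) -> bool:
    """IP targets must fall inside an authorized network; names must match exactly."""
    nets, names = scope
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target.lower() in names
    return any(addr in net for net in nets)


def needs_opt_in(script: str) -> bool:
    """Intrusive categories, plus '*-brute' scripts such as mysql-brute above."""
    return script in INTRUSIVE_CATEGORIES or script.endswith("-brute")


def build_nse_command(target: str, scripts: Iterable[str], scope: Scope,
                      ports: Optional[str] = None,
                      allow_intrusive: bool = False) -> List[str]:
    """Return the nmap argv, or raise PermissionError if the request is not authorized."""
    scripts = list(scripts)
    if not in_scope(target, scope):
        raise PermissionError(f"{target} is outside the authorized scope")
    blocked = [s for s in scripts if needs_opt_in(s)]
    if blocked and not allow_intrusive:
        raise PermissionError(f"intrusive scripts need explicit opt-in: {blocked}")
    argv = ["nmap"]
    if ports:
        argv += ["-p", ports]
    argv += ["--script", ",".join(scripts), target]
    return argv


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_SCOPE)
    argv = build_nse_command("scanme.nmap.org", ["ftp-anon"], scope)
    print(" ".join(argv))
    # subprocess.run(argv, check=False) would launch the scan once argv is approved.
```

Building the command as an argv list rather than a shell string also keeps script names and targets taken from a job queue or web form from being interpreted by a shell.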