What nmap is and how to use it

Preface:

Nmap is now an essential vulnerability scanner for every hacker; this post is a detailed usage tutorial for Nmap, the king of scanners.

Installing Nmap:

Windows: download the matching build from nmap.org
Linux: apt install nmap

I. What is Nmap?

Nmap, short for Network Mapper, was originally a network scanning and sniffing toolkit for Linux.
Nmap is an open-source network exploration and security auditing tool, designed to scan large networks quickly.
Nmap website: https://nmap.org/

Port states reported by Nmap:

State            Meaning
Open             Port is open: packets reached the host and a program is listening on the port
Closed           Port is closed: packets reached the host, but no program is listening on the port
Filtered         Packets did not reach the host and nothing came back; they were dropped by a firewall or IDS
Unfiltered       Packets reached the host, but the port's current state cannot be determined
Open|Filtered    The port gave no response; seen mainly in UDP, IP protocol, FIN, NULL and Xmas scans
Closed|Filtered  Seen only in the IP ID idle scan

II. Usage steps:

1. nmap syntax

nmap (options) (arguments):
Argument: IP address

Options:

-O: enable OS detection;
-P0: scan only, without pinging the host first;
-PT: use TCP ping;
-sV: probe service version information;
-sP: ping scan, only discovers whether target hosts are alive;
-PS: send a SYN (synchronize) packet as the ping probe;
-PU: send a UDP ping;
-PE: force a direct ICMP ping;
-PB: default mode, may use both ICMP ping and TCP ping;
-6: use IPv6 addresses;
-v: increase verbosity of the output;
-d: increase debugging output;
-oN: output in human-readable format;
-oX: output in XML format to the specified file;
-oM: output in machine-readable format;
-A: use all advanced scanning options;
--resume: resume the previous scan;
-p: specify the ports to scan: a single port, several ports separated by commas, or a range written with "-";
-e: on a multi-interface Linux system, specify the network interface used for the scan;
-g: use the specified port as the source port of the scan;
--ttl: set the time-to-live of the scan packets sent;
--packet-trace: show statistics of packets sent and received during the scan;
--scanflags: set the TCP flags in the scan packets.
--send-eth/--send-ip: send using raw Ethernet frames / send using raw IP packets

2. Example:

A sample scan follows:

E:\zm>nmap -sV -Pn --script=vuln 192.168.10.103
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 20:55 中国标准时间
Stats: 0:02:36 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 20:58 (0:00:41 remaining)
Stats: 0:02:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 20:58 (0:00:42 remaining)
Nmap scan report for 192.168.10.103
Host is up (0.0013s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE    SERVICE          VERSION
25/tcp   filtered smtp
110/tcp  filtered pop3
135/tcp  open     msrpc            Microsoft Windows RPC
139/tcp  open     netbios-ssn      Microsoft Windows netbios-ssn
443/tcp  open     ssl/https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Date: Wed, 30 Mar 2022 12:55:34 GMT
|     Connection: close
|     Content-Security-Policy: block-all-mixed-content
|     Content-Type: text/plain; charset=utf-8
|     Strict-Transport-Security: max-age=31536000
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-XSS-Protection: 1
|     Content-Length: 0
|   GetRequest:
|     HTTP/1.1 403 Forbidden
|     Date: Wed, 30 Mar 2022 12:55:34 GMT
|     Connection: close
|     Content-Security-Policy: block-all-mixed-content
|     Content-Type: text/plain; charset=utf-8
|     Strict-Transport-Security: max-age=31536000
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-XSS-Protection: 1
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.1 501 Not Implemented
|     Date: Wed, 30 Mar 2022 12:55:34 GMT
|     Connection: close
|     Content-Security-Policy: block-all-mixed-content
|     Content-Type: text/plain; charset=utf-8
|     Strict-Transport-Security: max-age=31536000
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: DENY
|     X-XSS-Protection: 1
|     Content-Length: 0
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Date: Wed, 30 Mar 2022 12:55:45 GMT
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 50
|     <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
|   SIPOptions:
|     HTTP/1.1 400 Bad Request
|     Date: Wed, 30 Mar 2022 12:56:52 GMT
|     Connection: close
|     Content-Type: text/html
|     Content-Length: 50
|_    <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
445/tcp  open     microsoft-ds?
548/tcp  filtered afp
902/tcp  open     ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
912/tcp  open     vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
7000/tcp open     afs3-fileserver?
8000/tcp open     http-alt?
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 353.40 seconds
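A report like the one above can be triaged automatically. The following Python is an added example, not code from the original post or from the Nmap project: it parses the port table of Nmap's normal output (the format shown above), groups ports by the states listed in section I, and records which NSE script flagged a port as VULNERABLE. The sample text is constructed, modelled on the scan above.

```python
import re

# Constructed sample in Nmap's normal-output format, modelled on the scan above.
SAMPLE = """\
PORT     STATE    SERVICE          VERSION
25/tcp   filtered smtp
135/tcp  open     msrpc            Microsoft Windows RPC
443/tcp  open     ssl/https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
5357/tcp open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
"""

# A port-table row: "<port>/<proto> <state> <service> [<version>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Start of an NSE script block: "| name:" or "|_name:" at zero indent.
SCRIPT_RE = re.compile(r"^\|[ _]([\w-]+):")

def parse_normal_output(text):
    """Parse the port table and per-port NSE output into a list of dicts."""
    ports, script = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": (m.group(5) or "").strip(),
                          "vulnerable": set()})
            script = None
            continue
        if not ports or not line.startswith("|"):
            continue  # header, host lines or anything outside the table
        s = SCRIPT_RE.match(line)
        if s:
            script = s.group(1)
        # vulns-library scripts print "State: VULNERABLE" / "NOT VULNERABLE"
        elif script and "VULNERABLE" in line and "NOT VULNERABLE" not in line:
            ports[-1]["vulnerable"].add(script)
    return ports

def ports_by_state(ports):
    """Group port numbers by Nmap state (open, filtered, closed, ...)."""
    grouped = {}
    for p in ports:
        grouped.setdefault(p["state"], []).append(p["port"])
    return grouped
```

For scripted pipelines, saving the scan with -oX and reading it with an XML parser is more robust than scraping the normal format.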

Examples of NSE script usage:

nmap -sV --script=afp-path-vuln <目标>
nmap -sV -sC <目标>
nmap --script firewall-bypass <目标>

For more detail, refer to the Nmap documentation:

https://nmap.org/nsedoc/categories/vuln.html

Summary:

That is all for nmap; this post only briefly introduced what nmap is and how to use it.
I hope it helps your studies. Blog QQ: 189127007
The author is just a student; if you liked this, please give it a like ❤️❤️❤️❤️.
