探测工具nmap简介及使用说明

1. 前言:

在前一篇Jmeter模拟多IP访问中,提到当前网络中可用ip,如何查找查看当前可用ip,nmap就是一个不错的开源免费的探测主机是否在网的工具。

另外当我们在构建环境或排查问题时,常常是先确定环境是否正常,首要确定的就是当前ip是否可用,或是是否在使用,将要使用的端口是否已配置等进行,除了我们常用的ping或是telnet工具外,nmap也是不个不错的工具,可以说是扫描神器。接下来就让我简单的给大家介绍一下nmap吧。

2. nmap简介:

本人使用的mac,就以在mac上操作为实例进行介绍。不同的系统可以去官网进行下载安装https://nmap.org/download.html。
nmap不是系统自带的工具,所以得先进行安装才能使用。

brew install nmap #brew 神器一个命令行搞定安装nmap

安装完成后,我们就先来看看他的介绍吧:

man nmap #使用此命令进行查询nmap详情

man命令还是很好用的一个说明文档帮助查看命令,就是非常详细的说明使用文档,就是这个一般是英文,估计也有人跟我一样一看英文就头大,但为了能更好的了解它,只能硬着头皮来读一遍了。为了方便我把里面主要的部分做了翻译。

man nmap #使用此命令进行查询nmap详情

NMAP(1)                            Nmap Reference Guide                            NMAP(1)



NAME
       nmap - Network exploration tool and security / port scanner
       #nmap - 网络探测工具和安全端口扫描工具

SYNOPSIS
       nmap [Scan Type...] [Options] {target specification}

DESCRIPTION
       Nmap (“Network Mapper”) is an open source tool for network exploration and security
       auditing. It was designed to rapidly scan large networks, although it works fine
       against single hosts. Nmap uses raw IP packets in novel ways to determine what
       hosts are available on the network, what services (application name and version)
       those hosts are offering, what operating systems (and OS versions) they are
       running, what type of packet filters/firewalls are in use, and dozens of other
       characteristics. While Nmap is commonly used for security audits, many systems and
       network administrators find it useful for routine tasks such as network inventory,
       managing service upgrade schedules, and monitoring host or service uptime.
       #Nmap(Nmap是"Network Mapper"的缩写)是一款免费开源的网络探测和安全审核工具,不但在单个主机里也是很好用的,在大型网络中也是很好用的,其实它设计的目标就是快速地扫描大型网络。nmap以新颖的方式使用原始IP包来确定主机在网络上可用,什么服务(应用程序名称和版本),正在运行的主机提供什么操作系统(和操作系统的版本) ,过滤/防火墙正在使用什么类型的数据包等等其他特点。虽然nmap通常用于安全审计,但许多系统和网络管理员发现在日常工作中使用它也是非常好用的,如:网络清点、管理服务升级计划以及监控主机或服务正常运行时间等。

       The output from Nmap is a list of scanned targets, with supplemental information on
       each depending on the options used. Key among that information is the “interesting
       ports table”.  That table lists the port number and protocol, service name, and
       state. The state is either open, filtered, closed, or unfiltered.  Open means that
       an application on the target machine is listening for connections/packets on that
       port.  Filtered means that a firewall, filter, or other network obstacle is
       blocking the port so that Nmap cannot tell whether it is open or closed.  Closed
       ports have no application listening on them, though they could open up at any time.
       Ports are classified as unfiltered when they are responsive to Nmap's probes, but
       Nmap cannot determine whether they are open or closed. Nmap reports the state
       combinations open|filtered and closed|filtered when it cannot determine which of
       the two states describe a port. The port table may also include software version
       details when version detection has been requested. When an IP protocol scan is
       requested (-sO), Nmap provides information on supported IP protocols rather than
       listening ports.
       #nmap根据不同的输入选项,输出不同的扫描结果列表。列表列出了端口、协议、服务名称和状态,状态有开放、过滤、已关闭、未过滤,其中开放意味着目标计算机上的应用程序正在侦听其上连接/数据包。已过滤意味着防火墙、过滤器或是其他网络障碍阻塞的端口,使得nmap无法判断端口是打开或是关闭的。关闭状态的端口是指尽管端口是打开的但没有应用程序监听的端口。对于有nmap响应,但不能确定是打开还是关闭的端口,归类为未过滤状态。Nmap报告状态组合open|filtered closed|filterd,当无法确定哪一个时,这两种状态描述了一个端口。当请求带有参数(-sO)即请求版本检测的详细信息时,nmap的扫描结果列表还可以包括软件版本请求版本检测时的详细信息,nmap提供有关支持IP协议的信息,但不是监听端口。

       In addition to the interesting ports table, Nmap can provide further information on
       targets, including reverse DNS names, operating system guesses, device types, and
       MAC addresses.
       #除了关注的端口列表外,nmap还会输出更详细的信息,包括反向DSN名称、推测操作系统、设备类型和MAC地址。

       A typical Nmap scan is shown in Example 1. The only Nmap arguments used in this
       example are -A, to enable OS and version detection, script scanning, and
       traceroute; -T4 for faster execution; and then the hostname.
       Example 1. A representative Nmap scan

           # nmap -A -T4 scanme.nmap.org
        # nmap有个典型参数实例"raw IP packets",参数"-A",用于启用操作系统和版本检测,脚本扫描、和追踪路线,参数"-T4"是指快速执行;参数"raw IP packets" 是要扫描的主机名。

根据上面的说明总结出nmap主要使用功能有四项:主机存活检测、端口探测、服务识别、操作系统识别

3. nmap使用实例

nmap常用的命令:

命令作用
nmap localhost查看当前开放的端口
nmap -p 1024-65535 localhost查看主机端口(1024-65535)中开放的端口
nmap -p22,80,3306 ip地址探测所列出的目标主机端口
nmap -sV -O localhost探测目标主机操作系统类型、端口服务名称、版本信息

以下是执行命令实例及结果
操作实例:

➜  /Users/zhh sudo nmap -A -T4 IP地名/域名

操作实例输出结果:

➜  /Users/zhh sudo nmap -A -T4 scanme.namp.org
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 07:44 CST
Failed to resolve "scanme.namp.org".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.18 seconds
➜  /Users/zhh sudo nmap -A -T4 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 07:45 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.020s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 996 filtered tcp ports (no-response), 2 filtered tcp ports (port-unreach)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_http-server-header: BWS/1.1
|_http-title: \xE7\x99\xBE\xE5\xBA\xA6\xE4\xB8\x80\xE4\xB8\x8B\xEF\xBC\x8C\xE4\xBD\xA0\xE5\xB0\xB1\xE7\x9F\xA5\xE9\x81\x93
443/tcp open  ssl/http Apache httpd
| tls-alpn:
|_  http/1.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: BWS/1.1
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_ssl-date: 2022-11-06T23:45:34+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=baidu.com/organizationName=Beijing Baidu Netcom Science Technology Co., Ltd/stateOrProvinceName=beijing/countryName=CN
| Subject Alternative Name: DNS:baidu.com, DNS:baifubao.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:mct.y.nuomi.com, DNS:apollo.auto, DNS:dwz.cn, DNS:*.baidu.com, DNS:*.baifubao.com, DNS:*.baidustatic.com, DNS:*.bdstatic.com, DNS:*.bdimg.com, DNS:*.hao123.com, DNS:*.nuomi.com, DNS:*.chuanke.com, DNS:*.trustgo.com, DNS:*.bce.baidu.com, DNS:*.eyun.baidu.com, DNS:*.map.baidu.com, DNS:*.mbd.baidu.com, DNS:*.fanyi.baidu.com, DNS:*.baidubce.com, DNS:*.mipcdn.com, DNS:*.news.baidu.com, DNS:*.baidupcs.com, DNS:*.aipage.com, DNS:*.aipage.cn, DNS:*.bcehost.com, DNS:*.safe.baidu.com, DNS:*.im.baidu.com, DNS:*.baiducontent.com, DNS:*.dlnel.com, DNS:*.dlnel.org, DNS:*.dueros.baidu.com, DNS:*.su.baidu.com, DNS:*.91.com, DNS:*.hao123.baidu.com, DNS:*.apollo.auto, DNS:*.xueshu.baidu.com, DNS:*.bj.baidubce.com, DNS:*.gz.baidubce.com, DNS:*.smartapps.cn, DNS:*.bdtjrcv.com, DNS:*.hao222.com, DNS:*.haokan.com, DNS:*.pae.baidu.com, DNS:*.vd.bdstatic.com, DNS:*.cloud.baidu.com, DNS:click.hm.baidu.com, DNS:log.hm.baidu.com, DNS:cm.pos.baidu.com, DNS:wn.pos.baidu.com, DNS:update.pan.baidu.com
| Not valid before: 2022-07-05T05:16:02
|_Not valid after:  2023-08-06T05:16:01
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 12 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   3.59 ms  192.168.1.1
2   9.55 ms  10.70.0.1
3   13.59 ms 125.34.175.81
4   ... 11
12  13.87 ms 110.242.68.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.84 seconds

操作实例:

sudo nmap -sV -O  www.baidu.com

操作实例输出结果:

➜  /Users/zhh sudo nmap -sV -O  www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:28 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.015s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.57 seconds

以下是按其四大功能项分类进行操作实例及输出结果说明

3.1. 主机存活检测

常见的扫描方式参数及说明:

参数说明
-sS/sT/sA/sW/sM TCPSYN/TCPconnect()/ACK/TCP窗口扫描/TCPMaimon扫描sS称为半开扫描,因为sS扫描并不需要完成三次握手,发送syn包后,对端回syn、ack包就认为是存活,结束本次连接,不会再回ack包。最大的好处是很少有系统能够把这记入系统日志,有隐蔽性.
-sUUDP扫描
-sN/sF/sXTCPNULL,FIN,and Xmas扫描
-scanflags自定义TCP包中的flags
-sY/sZSCTP INIT/COOKIE-ECHO扫描
-sO使用IPprotocol扫描确定目标机支持的协议类型
b"FTPrelayhost"使用FTPbouncescan

操作实例:

sudo nmap -sn 192.168.01.0/24

实例输出结果:

/Users/zhh sudo nmap -sn 192.168.01.0/24
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 10:51 CST
Nmap scan report for 192.168.10.1
Host is up (0.012s latency).
MAC Address: 90:23:B4:38:56:0A (New H3C Technologies)
Nmap scan report for 192.168.10.3
Host is up (0.013s latency).
MAC Address: B6:9A:33:CE:69:BB (Unknown)
..........

Nmap scan report for 192.168.10.164
Host is up.
Nmap done: 256 IP addresses (112 hosts up) scanned in 2.69 seconds
➜  /Users/zhh

3.2. 端口探测

参数说明
-p特定的端口,如–p 80,443 或者全端口–p 1-65535
-pU:PORT扫描udp的某个端口,如-p U:53-F 快速扫描模式,比默认的扫描端口还少-r 不随机扫描端口,nmap默认是随机扫描的
–top-ports"number"扫描开放概率最高的number个端口

操作实例1:

sudo nmap -p22,80,3306 www.baidu.com

操作实例1输出结果:

  /Users/zhh sudo nmap -p22,80,3306 www.baidu.com
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:03 CST
Nmap scan report for www.baidu.com (110.242.68.3)
Host is up (0.011s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.4

PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3306/tcp filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds

操作实例2:

sudo nmap -p22-30 www.baidu.com

操作实例2输出结果:

 /Users/zhh sudo nmap -p22-30 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:05 CST
Nmap scan report for www.baidu.com (110.242.68.3)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.4

PORT   STATE    SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp
26/tcp filtered rsftp
27/tcp filtered nsw-fe
28/tcp filtered unknown
29/tcp filtered msg-icp
30/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds

3.3. 服务识别

参数说明
-sV开放版本探测,可以直接使用-A同时打开操作系统探测和版本探测
–version-intensity"level"设置版本扫描强度,强度水平说明了应该使用哪些探测报文。数值越高,服务越有可能被正确识别。默认是7
–version-light打开轻量级模式,为–version-intensity 2 的别名
–version-all尝试所有探测,为–version-intensity 9 的别名
–version-trace显示出详细的版本侦测过程信息

3.4. 操作系统识别

参数说明
-O启用操作系统检测,-A来同时启用操作系统检测和版本检测
–osscan-limit针对指定的目标进行操作系统检测(至少需确知该主机分别有一个open和closed的端口)
–osscan-guess推测操作系统检测结果,当Nmap无法确定所检测的操作系统时,会尽可能地提供最相近的匹配,Nmap默认进行这种匹配

一般来说服务器与操作系统是一起识别的,即参数“-sO”
操作实例:

sudo nmap -sO www.baidu.com

操作实例结果:

➜  /Users/zhh sudo nmap -sO www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:25 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.011s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 255 open|filtered n/a protocols (no-response)
PROTOCOL STATE SERVICE
1        open  icmp

Nmap done: 1 IP address (1 host up) scanned in 3.85 seconds

其他操作实例:

nmap -PS ip地址

操作实例结果:

➜  /Users/zhh sudo nmap -PS www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:25 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

4.注意事项:

在上面的操作实例中,是否已经注意到了,在执行的命令前都会有“sudo”,获取管理员权限。没错nmap在执行时一般是需要管理员权限操作,否则输出不了相关的查询信息。

5.其他:

除了nmap工具外,如果我们只是查看主机在是否在当前网络存在,还有其他工具,如:arp(address resoloutin display and control) 、ping、nc(netcat,注意此工具不同的操作系统版本使用的命令还不一样如CentOS7与CentOS6操作命令就不一样)等,在此不一一做详细介绍与举例说明了,使用时可以使用man命令查看对应的详情。再说一遍,man命令真的是很好的帮助文档使用说明查看的好方法,最快捷方便的,就是需要有英文功底。不过没有关系,慢慢练习,看多了也就习惯了。

arp -a    #查看当前在线主机ip地址
for i in {1..254}; do ping -c 1 -t 1 192.168.1.$i;done     #查看当前网段可用的ip

如果您觉得此文对您有帮忙就顺手点个,给予我继续写作下去的精神支持;
如果您对此文有疑问需要讨论或是解答的问题,请留言,我们一起探讨学习;
如果您对性能想有更多、更深入的了解也可参加“7DGroup”组织的由在性能领域专家高楼主讲的正在招生中的高级性能班培训课,详情请点击“7DGroup性能工程高级班招生简章-第三期”;

  • 0
    点赞
  • 5
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值