Introduction to common nmap syntax

1. nmap xx.xx.x.x

Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
8009/tcp open ajp13
8080/tcp open http-proxy

2. Scanning multiple targets at once
nmap 192.168.1.1 192.168.1.2,192.168.1.3
nmap 192.168.1.1,2,3,4
nmap 192.168.1.1-3

PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49160/tcp open  unknown

Nmap scan report for 119.29.166.39
Host is up (0.0018s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql

3. Scanning an entire network:

nmap 192.168.1.1/24


80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
8800/tcp  open  sunwebadmin
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown

Nmap scan report for 119.29.166.15
Host is up (0.00076s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
1723/tcp open     pptp
3306/tcp filtered mysql

4. Writing all the IPs to scan into a file and scanning them with nmap in one pass
The targets we scan this time are 119.29.166.15, 119.29.166.10 and 119.29.166.13

nmap -iL list.txt

Output after the scan completes:
Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-18 11:42 CST
Nmap scan report for 119.29.166.15
Host is up (0.00093s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  open     rpcbind
1723/tcp open     pptp
3306/tcp filtered mysql

Nmap scan report for 119.29.166.13
Host is up (0.00068s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown

Nmap scan report for 119.29.166.19
Host is up (0.00056s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
8080/tcp open  http-proxy

5. Scanning a network while excluding specific targets

nmap 119.29.166.1/24 --exclude 119.29.166.39

Nmap scan report for 119.29.166.40
Host is up (0.00037s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49161/tcp open  unknown
49167/tcp open  unknown

Nmap scan report for 119.29.166.42
Host is up (0.00030s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown

Nmap scan report for 119.29.166.43
Host is up (0.00043s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http

Nmap scan report for 119.29.166.44
Host is up (0.00039s latency).
Not shown: 989 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server

Using the second method to exclude IPs you do not want to scan:
list.txt contains 119.29.166.39, so only one IP is scanned in the result

nmap 119.29.166.39-41 --excludefile list.txt
[root@VM_185_235_centos ~]# nmap 119.29.166.39-40 --excludefile list.txt 

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-18 12:10 CST
Nmap scan report for 119.29.166.40
Host is up (0.00040s latency).
Not shown: 986 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49161/tcp open  unknown
49167/tcp open  unknown

6. Random scanning with nmap

Use nmap to scan 3 random targets:
nmap -iR 3
But personally I feel this is of no real use these days.

7. Scanning open network ports

Scan open network ports with nmap; with this option you get very detailed results (service versions, OS detection, scripts and traceroute):
nmap -A 119.29.166.39

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-18 13:32 CST
Nmap scan report for 119.29.166.39
Host is up (0.00037s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey: 2048 a6:8d:6f:f2:b5:a9:49:34:07:18:cd:73:49:84:a0:c4 (RSA)
|_256 22:49:b2:5c:7c:8f:73:56:89:29:8a:bd:56:49:74:66 (ECDSA)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 mod_perl/2.0.9dev Perl/v5.16.3)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache HTTP Server Test Page powered by CentOS
443/tcp  open  ssl/http    Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 mod_perl/2.0.9dev Perl/v5.16.3)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Apache HTTP Server Test Page powered by CentOS
| ssl-cert: Subject: commonName=VM_185_235_centos/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2016-10-07T07:06:54+00:00
|_Not valid after:  2017-10-07T07:06:54+00:00
|_ssl-date: 2016-10-18T05:33:09+00:00; 0s from local time.
3306/tcp open  mysql       MySQL (unauthorized)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http-proxy?
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.6
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops

TRACEROUTE (using port 587/tcp)
HOP RTT     ADDRESS
1   ...
2   0.44 ms 119.29.166.39

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.31 seconds

8. Scanning for the hosts that are online in a network:

nmap -sP 192.168.20.0/24


Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-19 12:44 CST
Nmap scan report for 192.168.20.3
Host is up (0.00048s latency).
Nmap scan report for 192.168.20.4
Host is up (0.0018s latency).
Nmap scan report for 192.168.20.6
Host is up (0.0011s latency).
Nmap scan report for 192.168.20.7
Host is up (0.0018s latency).
Nmap scan report for 192.168.20.18
Host is up (0.00086s latency).
Nmap scan report for 192.168.20.22
Host is up (0.00068s latency).
Nmap scan report for 192.168.20.24
Host is up (0.00062s latency).
Nmap scan report for 192.168.20.35
Host is up (0.0022s latency).
Nmap scan report for 192.168.20.39
Host is up (0.00092s latency).
Nmap scan report for 192.168.20.43
Host is up (0.00067s latency).
Nmap scan report for 192.168.20.44
Host is up (0.00064s latency).
Nmap scan report for 192.168.20.52
Host is up (0.0019s latency).
Nmap scan report for 192.168.20.53
Host is up (0.00051s latency).
Nmap scan report for 192.168.20.54
Host is up (0.00098s latency).
Nmap scan report for 192.168.20.63
Host is up (0.00066s latency).
Nmap scan report for 192.168.20.67
Host is up (0.0061s latency).
Nmap scan report for 192.168.20.71
Host is up (0.00055s latency).
Nmap scan report for 192.168.20.79
Host is up (0.00050s latency).
Nmap scan report for 192.168.20.84
Host is up (0.00081s latency).
Nmap scan report for 192.168.20.92
Host is up (0.0011s latency).
Nmap scan report for 192.168.20.94
Host is up (0.00051s latency).
Nmap scan report for 192.168.20.111
Host is up (0.011s latency).
Nmap scan report for 192.168.20.112
Host is up (0.00095s latency).
Nmap scan report for 192.168.20.113
Host is up (0.000062s latency).
Nmap scan report for 192.168.20.116
Host is up (0.0014s latency).
Nmap scan report for 192.168.20.129
Host is up (0.0016s latency).
Nmap scan report for 192.168.20.130
Host is up (0.00084s latency).
Nmap scan report for 192.168.20.132
Host is up (0.00042s latency).
Nmap scan report for 192.168.20.133
Host is up (0.00057s latency).
Nmap scan report for 192.168.20.135
Host is up (0.0015s latency).
Nmap scan report for 192.168.20.138
Host is up (0.00080s latency).
Nmap scan report for 192.168.20.142
Host is up (0.0015s latency).
Nmap scan report for 192.168.20.143
Host is up (0.00023s latency).
Nmap scan report for 192.168.20.149
Host is up (0.0017s latency).
Nmap scan report for 192.168.20.151
Host is up (0.00040s latency).
Nmap scan report for 192.168.20.153
Host is up (0.0051s latency).
Nmap scan report for 192.168.20.189
Host is up (0.0012s latency).
Nmap scan report for 192.168.20.213
Host is up (0.0010s latency).
Nmap scan report for 192.168.20.219
Host is up (0.00030s latency).
Nmap scan report for 192.168.20.224
Host is up (0.00041s latency).
Nmap scan report for 192.168.20.228
Host is up (0.00031s latency).
Nmap scan report for 192.168.20.234
Host is up (0.00052s latency).
Nmap scan report for 192.168.20.241
Host is up (0.00097s latency).
Nmap scan report for 192.168.20.242
Host is up (0.00094s latency).
Nmap scan report for 192.168.20.247
Host is up (0.0014s latency).
Nmap scan report for 192.168.20.254
Host is up (0.0011s latency).
Nmap done: 256 IP addresses (46 hosts up) scanned in 1.94 seconds

Finished in 1.94 seconds; 46 hosts are up.
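The normal-format output shown in the sections above (a "Nmap scan report for" header per host, then one "port/proto state service" line per port) is easy to post-process. The script below is an added example, not part of the original post: it summarizes such output into host/open-port pairs, counts hosts that are up, and reports open ports outside an allowlist, which is the check a defender runs to catch services that should not be exposed. The function names (open_ports, hosts_up, unexpected_open) and the sample output are constructed here from the addresses on this page.

```shell
#!/bin/sh
# Constructed sample: trimmed normal-format nmap output, same layout as on this page
SAMPLE_SCAN='Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-18 11:42 CST
Nmap scan report for 119.29.166.15
Host is up (0.00093s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3306/tcp filtered mysql

Nmap scan report for 119.29.166.13
Host is up (0.00068s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
445/tcp   open  microsoft-ds
3389/tcp  open  ms-wbt-server
'

# Read nmap normal output on stdin; print "host port/proto service" for every open port.
# The host is the last word of the report header; parentheses are stripped so that
# "Nmap scan report for name (1.2.3.4)" yields the address as well.
open_ports() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ { print host, $1, $3 }
    '
}

# Read nmap output on stdin; print the number of hosts reported up (works for -sP/-sn too).
hosts_up() {
    grep -c '^Host is up'
}

# Read nmap output on stdin; print open ports that are NOT in the allowlist given as $1,
# a space-separated list of "port/proto" entries. Anything printed deserves a look.
unexpected_open() {
    allow="$1"
    open_ports | while read -r host port svc; do
        case " $allow " in
            *" $port "*) ;;                      # expected service, stay quiet
            *) echo "$host $port $svc" ;;        # not on the allowlist
        esac
    done
}

# Stand-alone demo: only SSH, HTTP and SMB are approved, so RDP on .13 is flagged
printf '%s\n' "$SAMPLE_SCAN" | unexpected_open '22/tcp 80/tcp 445/tcp'
```

Pipe a saved scan into the functions (for example `nmap -oN scan.txt ... ; unexpected_open '22/tcp 80/tcp' < scan.txt`) to compare a network against its approved exposure; filtered ports are deliberately ignored, as they are not reachable.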

9. Scanning a network with the optional host discovery options

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host

nmap -PO1,2,4 xxx.xxx.xx.xx
nmap -sP xxx.xxx.xxx.xxx    (how many hosts are alive)