[20190221] A problem when scanning ports with nmap.txt
--//The link https://www.cnblogs.com/kerrycode/p/10384895.html mentions a problem: an nmap port scan misses some ports.
--//I personally rarely use nmap, mainly because we are not allowed to install it on many of our servers. Let me test it today.
1. Install nmap:
--//I personally prefer installing from rpm packages, ideally downloaded from the official site; here I copied the nmap rpm file from the ISO disc.
# rpm -ivh nmap-4.11-2.0.1.x86_64.rpm
warning: nmap-4.11-2.0.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 1e5e0159
Preparing... ########################################### [100%]
1:nmap ########################################### [100%]
2. Test:
# nmap 192.168.100.40
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2019-02-21 09:33 CST
Interesting ports on hisdg (192.168.100.40):
Not shown: 1673 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
443/tcp open https
1521/tcp open oracle
3306/tcp open mysql
MAC Address: 00:14:22:23:9A:7A (Dell)
Nmap finished: 1 IP address (1 host up) scanned in 0.300 seconds
--//The test confirms that some ports are indeed missing. I read some documentation:
https://nmap.org/book/man-port-specification.html
Port Specification and Scan Order
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned
and whether the scan order is randomized or sequential. By default, Nmap scans the most common 1,000 ports for each
protocol.
-p (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are
ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values of a range may be omitted, causing Nmap
to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is
allowed if you specify it explicitly. For IP protocol scanning (-sO), this option specifies the protocol numbers you
wish to scan for (0–255).
When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the
port numbers by T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol. The qualifier lasts until you specify
another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111, and
137, as well as the listed TCP ports. Note that to scan both UDP and TCP, you have to specify -sU and at least one
TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all
protocol lists.
Ports can also be specified by name according to what the port is referred to in the nmap-services. You can even use
the wildcards * and ? with the names. For example, to scan FTP and all ports whose names begin with “http”, use -p
ftp,http*. Be careful about shell expansions and quote the argument to -p if unsure.
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
nmap-services. For example, the following will scan all ports in nmap-services equal to or below 1024: -p [-1024].
Be careful with shell expansions and quote the argument to -p if unsure.
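--//The -p syntax quoted above, implemented as a small parser so the qualifier and range rules can be checked against concrete arguments. This is an added example written for this note, not nmap's own parser; its simplifications are assumptions of the example: unqualified entries are added to the TCP, UDP and SCTP lists only, IP protocol numbers must be given with the P: qualifier and are bounded to 0-255, and service names (ftp, http*) or [..] ranges, which need the nmap-services file, are rejected instead of resolved.

```python
"""Parse nmap's -p port-specification syntax as described in the quoted manual text.

Added example; not nmap's own parser.  Simplifications (assumptions of this example):
  * unqualified entries go to the TCP, UDP and SCTP lists; IP protocol numbers
    must be given with the P: qualifier and are bounded to 0-255
  * service names (ftp, http*) and [..] ranges need the nmap-services file and
    are rejected rather than resolved
"""
import re
from typing import Dict, Set

# Qualifier letter -> protocol list, from the manual text above.
QUALIFIERS = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
# Values used when a range end is omitted: 1 and 65535 for ports (as documented),
# 0 and 255 for IP protocol numbers (assumption of this example).
BOUNDS = {"tcp": (1, 65535), "udp": (1, 65535), "sctp": (1, 65535), "ip": (0, 255)}
UNQUALIFIED = ("tcp", "udp", "sctp")

# One element: optional start, optional hyphen, optional end ('80', '21-25', '-1023', '1024-', '-').
ITEM = re.compile(r"^(\d*)(-?)(\d*)$")


def expand_item(item: str, proto: str) -> Set[int]:
    """Expand a single element into the set of ports (or protocol numbers) it names."""
    m = ITEM.match(item)
    if item == "" or not m:
        raise ValueError(f"unsupported element {item!r} (names and [..] need nmap-services)")
    start, dash, end = m.groups()
    low, high = BOUNDS[proto]
    if dash:
        lo = int(start) if start else low   # omitted start -> 1 (0 for the ip list)
        hi = int(end) if end else high      # omitted end   -> 65535 (255 for the ip list)
    else:
        lo = hi = int(start)                # a single port; 0 is allowed when explicit
    if lo > hi:
        raise ValueError(f"reversed range {item!r}")
    if lo < 0 or hi > high:
        raise ValueError(f"{item!r} outside 0-{high} for {proto}")
    return set(range(lo, hi + 1))


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Return {'tcp': {...}, 'udp': {...}, 'sctp': {...}, 'ip': {...}} for a -p argument."""
    lists: Dict[str, Set[int]] = {proto: set() for proto in QUALIFIERS.values()}
    current = None  # a qualifier stays in force until the next qualifier appears
    for token in spec.split(","):
        token = token.strip()
        if len(token) >= 2 and token[1] == ":" and token[0] in QUALIFIERS:
            current = QUALIFIERS[token[0]]
            token = token[2:]
        targets = (current,) if current else UNQUALIFIED
        for proto in targets:
            lists[proto] |= expand_item(token, proto)
    return lists


if __name__ == "__main__":
    for arg in ("U:53,111,137,T:21-25,80,139,8080", "-", "1-65535", "-1023"):
        sizes = {p: len(s) for p, s in parse_port_spec(arg).items()}
        print(f"-p {arg:<40} -> {sizes}")
```

--//Running it shows that -p - and -p 1-65535 produce identical lists, which is why the scan further down reports 65535 ports in total.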
--//Clearly nmap, to speed up the scan, scans only the "most common 1,000 ports", so some ports are missed.
--//2^16 - 1 = 65535; I can never remember the last 3 digits and typed 65000.
# nmap -p 1-65535 192.168.100.40
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2019-02-21 09:40 CST
Interesting ports on hisdg (192.168.100.40):
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
443/tcp open https
1521/tcp open oracle
3306/tcp open mysql
32768/tcp open unknown
39063/tcp open unknown
MAC Address: 00:14:22:23:9A:7A (Dell)
Nmap finished: 1 IP address (1 host up) scanned in 1.375 seconds
--//This way those ports can be found.
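--//To make the difference between the two scans above measurable, here is an added example (not part of the original note) that parses both outputs exactly as they appear on this page, derives how many ports each scan actually probed (open ports plus the "Not shown" count), and lists the open ports the default scan missed. The two scan texts are copied from this page; the regexes assume nmap's normal output format as shown here.

```python
"""Compare a default nmap scan against a full-range scan of the same host.

Added example; the two scan outputs below are copied from the scans on this page.
"""
import re
from typing import Dict, NamedTuple, Set, Tuple

DEFAULT_SCAN = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2019-02-21 09:33 CST
Interesting ports on hisdg (192.168.100.40):
Not shown: 1673 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
443/tcp open https
1521/tcp open oracle
3306/tcp open mysql
MAC Address: 00:14:22:23:9A:7A (Dell)
Nmap finished: 1 IP address (1 host up) scanned in 0.300 seconds
"""

FULL_SCAN = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2019-02-21 09:40 CST
Interesting ports on hisdg (192.168.100.40):
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
443/tcp open https
1521/tcp open oracle
3306/tcp open mysql
32768/tcp open unknown
39063/tcp open unknown
MAC Address: 00:14:22:23:9A:7A (Dell)
Nmap finished: 1 IP address (1 host up) scanned in 1.375 seconds
"""

# "22/tcp open ssh" -> port, protocol, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)", re.M)
# "Not shown: 1673 closed ports" (newer versions may list several groups, e.g. closed and filtered)
NOT_SHOWN = re.compile(r"^Not shown: (.+)$", re.M)
COUNT = re.compile(r"(\d+) \w+ ports?")

PortKey = Tuple[int, str]  # (port number, protocol)


class ScanSummary(NamedTuple):
    ports: Dict[PortKey, Tuple[str, str]]  # (port, proto) -> (state, service)
    not_shown: int                         # ports probed but omitted from the listing

    @property
    def probed(self) -> int:
        """How many ports the scan actually covered: listed ones plus the hidden ones."""
        return len(self.ports) + self.not_shown


def parse_scan(text: str) -> ScanSummary:
    """Parse nmap normal output into per-port state/service plus the 'Not shown' total."""
    ports = {
        (int(m.group(1)), m.group(2)): (m.group(3), m.group(4))
        for m in PORT_LINE.finditer(text)
    }
    not_shown = sum(
        int(n) for m in NOT_SHOWN.finditer(text) for n in COUNT.findall(m.group(1))
    )
    return ScanSummary(ports, not_shown)


def open_ports(summary: ScanSummary) -> Set[PortKey]:
    """Ports reported open (or open|filtered) in a parsed scan."""
    return {k for k, (state, _) in summary.ports.items() if state.startswith("open")}


def missed_by_default(default_text: str, full_text: str) -> Set[PortKey]:
    """Open ports present in the full-range scan but absent from the default scan."""
    return open_ports(parse_scan(full_text)) - open_ports(parse_scan(default_text))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SCAN), ("1-65535", FULL_SCAN)):
        s = parse_scan(text)
        print(f"{name:>8}: {len(open_ports(s))} open, {s.probed} ports probed")
    for port, proto in sorted(missed_by_default(DEFAULT_SCAN, FULL_SCAN)):
        print(f"missed by default scan: {port}/{proto}")
```

--//The probed count is the number worth keeping an eye on: it tells you from the output alone how much of the port space a scan covered, and it is what the default scan silently leaves out.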