基础知识
现在学习一些基本的扫描技术。请注意,网络中的防火墙可能会返回错误的扫描结果,因为它们会检测到扫描。
命令 | 解释 |
---|---|
nmap ip_address | 扫描单个目标 |
nmap ip_address ip_address | 扫描多个目标 |
nmap ip_address-ip_address | 扫描IP地址范围 |
nmap ip_address/netsub | 扫描子网 |
nmap -iL target.txt | 扫描目标列表 |
nmap ip_address/netsub --exclude ip_address | 排除目标扫描 |
nmap ip_address/netsub --excludefile target.txt | 排除目标列表扫描 |
nmap -A ip_address | 积极扫描 |
扫描单个目标
>nmap 192.168.31.138
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:05 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.138 (192.168.31.138)
Host is up (0.00042s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:83:79:73 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
结果中看到三列。端口 PORT、状态 STATE 和服务 SERVICE。PORT 列显示端口号和协议。STATE 列显示端口是打开还是关闭,SERVICE 列显示与端口关联的服务。
此默认扫描主要用于获取客户端的第一个概览。
扫描多个目标
>nmap 192.168.31.138 192.168.31.137
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:13 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.138 (192.168.31.138)
Host is up (0.0040s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:83:79:73 (VMware)
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.00054s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Nmap done: 2 IP addresses (2 hosts up) scanned in 7.43 seconds
这个命令很少使用,可以用下面更有效的命令代替。
扫描IP地址范围
>nmap 192.168.31.1-137
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:16 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.1 (192.168.31.1)
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
15000/tcp open hydap
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.00060s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Nmap done: 137 IP addresses (2 hosts up) scanned in 13.13 seconds
这会自动扫描此 IP 范围内的所有在线主机。
扫描子网
该命令被广泛使用。它允许您使用 CIDR 表示法扫描整个子网。
>nmap 192.168.31.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:18 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.00034s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Nmap scan report for 192.168.31.138 (192.168.31.138)
Host is up (0.0023s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:83:79:73 (VMware)
Nmap scan report for 192.168.31.254 (192.168.31.254)
Host is up (0.00s latency).
All 1000 scanned ports on 192.168.31.254 (192.168.31.254) are filtered
MAC Address: 00:50:56:E9:6E:F6 (VMware)
Nmap scan report for 192.168.31.1 (192.168.31.1)
Host is up (0.0024s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
15000/tcp open hydap
Nmap done: 256 IP addresses (4 hosts up) scanned in 18.20 seconds
该命令被广泛使用。它允许您使用 CIDR 表示法扫描整个子网。
扫描目标列表
targets.txt 包括两个主机,每行一个。
>more target.txt
192.168.31.1
192.168.31.138
如果我们运行以下命令,Nmap 会对列表中的这些目标运行默认扫描。
>nmap -iL target.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:21 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.1 (192.168.31.1)
Host is up (0.0024s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
15000/tcp open hydap
Nmap scan report for 192.168.31.138 (192.168.31.138)
Host is up (0.0060s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:83:79:73 (VMware)
Nmap done: 2 IP addresses (2 hosts up) scanned in 2.54 seconds
排除目标扫描
也可以从扫描中排除目标。例如,如果您知道 192.168.31.1 是路由器或网关,并且不想对其运行扫描,请使用以下命令。
>nmap 192.168.31.1/24 --exclude 192.168.31.1
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:30 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.0017s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Nmap scan report for 192.168.31.138 (192.168.31.138)
Host is up (0.0081s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
MAC Address: 00:0C:29:83:79:73 (VMware)
Nmap scan report for 192.168.31.254 (192.168.31.254)
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.31.254 (192.168.31.254) are filtered
MAC Address: 00:50:56:E9:6E:F6 (VMware)
Nmap done: 255 IP addresses (3 hosts up) scanned in 18.90 seconds
例如,还可以使用 192.168.31.1-100 排除整个 IP 地址范围。
排除目标列表扫描
>nmap 192.168.31.1/24 --excludefile target.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:31 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.0014s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Nmap scan report for 192.168.31.254 (192.168.31.254)
Host is up (0.00s latency).
All 1000 scanned ports on 192.168.31.254 (192.168.31.254) are filtered
MAC Address: 00:50:56:E9:6E:F6 (VMware)
Nmap done: 254 IP addresses (2 hosts up) scanned in 19.45 seconds
积极扫描
小心这一点,因为它很容易被发现。此扫描使用单个参数中包含的各种扫描选项:-A
>nmap 192.168.31.137 -A
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 22:36 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.31.137 (192.168.31.137)
Host is up (0.00058s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 d8:15:8b:c2:71:ac:de:f0:9f:34:dc:85:ab:4e:8a:f0 (DSA)
|_ 2048 93:9d:8e:fd:70:36:7e:70:c1:9c:d0:58:57:00:2f:8e (RSA)
MAC Address: 00:0C:29:F2:B1:02 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.58 ms 192.168.31.137 (192.168.31.137)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.37 seconds
如您所见,这会返回大量更多信息。