Linux命令之nmap端口扫描工具
介绍
https://nmap.org/man/zh/
Nmap (“Network Mapper(网络映射器)”) 是一款开放源代码的 网络探测和安全审核的工具。
它的设计目标是快速地扫描大型网络,当然用它扫描单个主机也没有问题。
Nmap以新颖的方式使用原始IP报文:
- 来发现网络上有哪些主机
- 那些主机提供什么服务(应用程序名和版本)
- 那些服务运行在什么操作系统(包括版本信息)
- 它们使用什么类型的报文过滤器/防火墙
- 以及一堆其它功能
虽然Nmap通常用于安全审核, 许多系统管理员和网络管理员也用它来做一些日常的工作,比如查看整个网络的信息, 管理服务升级计划,以及监视主机和服务的运行。
Nmap输出的是扫描目标的列表,以及每个目标的补充信息,至于是哪些信息则依赖于所使用的选项。 “所感兴趣的端口表格”是其中的关键。那张表列出端口号,协议,服务名称和状态。
nmap的状态有4种
可能是 open(开放的),filtered(被过滤的), closed(关闭的),或者unfiltered(未被过滤的)。
- Open(开放的)意味着目标机器上的应用程序正在该端口监听连接/报文。
- filtered(被过滤的) 意味着防火墙,过滤器或者其它网络障碍阻止了该端口被访问,Nmap无法得知 它是 open(开放的) 还是 closed(关闭的)。
- closed(关闭的) 端口没有应用程序在它上面监听,但是他们随时可能开放。
- unfiltered(未被过滤的)端口对Nmap的探测做出响应,但是Nmap无法确定它们是关闭还是开放。
如果Nmap报告状态组合 open|filtered 和 closed|filtered时,那说明Nmap无法确定该端口处于两个状态中的哪一个状态。
当要求进行版本探测时,端口表也可以包含软件的版本信息。
当要求进行IP协议扫描时 (-sO),Nmap提供关于所支持的IP协议而不是正在监听的端口的信息。
除了所感兴趣的端口表,Nmap还能提供关于目标机的进一步信息,包括反向域名,操作系统猜测,设备类型,和MAC地址。
安装nmap
yum install -y nmap
nmap帮助
[root@localhost ~]# nmap -h
== TARGET SPECIFICATION 目标说明
可用: 主机名, Ipv4, IPv6, CIDR, 八位字节范围, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks //从<文件>列表中读取目标
-iR <num hosts>: Choose random targets //随机选择目标
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks //排除主机/网络
--excludefile <exclude_file>: Exclude list from file //排除<文件>中的列表
== HOST DISCOVERY 主机发现
-sL: List Scan - simply list targets to scan //列表扫描,仅列出网络上的主机,不发送任何报文。
-sn: Ping Scan - disable port scan //ping,不扫描端口。
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes] //不用域名解析
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver //使用系统域名解析器
--traceroute: Trace hop path to each host
== SCAN TECHNIQUES[https://nmap.org/man/zh/man-port-scanning-techniques.html](https://nmap.org/man/zh/man-port-scanning-techniques.html)
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags //定制的TCP扫描
-sI <zombie host[:probeport]>: Idle scan //[https://nmap.org/book/idlescan.html](https://nmap.org/book/idlescan.html)
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan //IP协议扫描
-b <FTP relay host>: FTP bounce scan //FTP弹跳扫描
== PORT SPECIFICATION AND SCAN ORDER //端口说明和扫描顺序
-p <port ranges>: Only scan specified ports //只扫描指定端口
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan //快速扫描:nmap-services约1200个
-r: Scan ports consecutively - don't randomize //不要按随机顺序扫描端口
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
== SERVICE/VERSION DETECTION 服务和版本探测
nmap-service-probes 数据库包含查询不同服务的探测报文 和解析识别响应的匹配表达式。
-sV: Probe open ports to determine service/version info //版本探测(-A的一部分)
--version-intensity <level>: Set from 0 (light) to 9 (try all probes) //设置版本扫描强度,默认7
--version-light: Limit to most likely probes (intensity 2) //轻量级模式
--version-all: Try every single probe (intensity 9) //尝试每个探测
--version-trace: Show detailed version scan activity (for debugging) //跟踪版本扫描活动,--packet-trace的子集
== SCRIPT SCAN
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or script-categories.
== OS DETECTION 操作系统探测
-O: Enable OS detection //启用操作系统检测(-A的一部分)
--osscan-limit: Limit OS detection to promising targets //针对指定的目标进行操作系统检测
--osscan-guess: Guess OS more aggressively //推测操作系统检测结果
== TIMING AND PERFORMANCE 时间和性能
改善扫描时间的技术有:忽略非关键的检测。优化时间参数也会带来实质性的变化,这些参数如下。
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster) //设置时间模板,T4 可以加快执行速度
paranoid (0)、sneaky (1)、polite (2)、normal(3)、 aggressive (4)和insane (5)。
- -T0: paranoid (0)模式用于IDS躲避,在一个时间只能扫描一个端口, 每个探测报文的发送间隔为5分钟。
- -T1: sneaky (1) 模式用于IDS躲避,T1和T2选项比较类似, 探测报文间隔分别为15秒和0.4秒。
- -T2: Polite (2) 模式降低了扫描 速度以使用更少的带宽和目标主机资源。
- -T3: Normal (3) (默认模式),因此-T3 实际上是未做任何优化。包含了并行扫描。
- -T4: Aggressive (4) 模式假设用户具有合适及可靠的网络从而加速 扫描。最大TCP扫描延迟为10ms。
- -T5: Insane (5) 模式假设用户具有特别快的网络或者愿意为获得速度而牺牲准确性。最大延迟为5ms。
T4选项与 --max-rtt-timeout 1250 --initial-rtt-timeout 500 等价,
T5等价于 --max-rtt-timeout 300 --min-rtt-timeout 50 --initial-rtt-timeout 250 --host-timeout 900000,
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes //调整并行扫描组大小
--min-parallelism/max-parallelism <numprobes>: Probe parallelization //调整探测报文的并行度
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long //放弃低速目标主机
--scan-delay/--max-scan-delay <time>: Adjust delay between probes //调整探测报文的时间间隔
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
== FIREWALL/IDS EVASION AND SPOOFING 防火墙/IDS躲避和哄骗
-f; --mtu <val>: fragment packets (optionally w/given MTU) //报文分段,--mtu,使用指定MTU
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys //使用诱饵隐蔽扫描
-S <IP_Address>: Spoof source address //源地址哄骗
-e <iface>: Use specified interface //使用指定的接口
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets //发送报文时,附加随机数据
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field //设置IP time-to-live域
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address //MAC地址哄骗
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
== OUTPUT 输出
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. //oN,标准输出; oX,XML输出; oS,脚本输出; oG,Grep输出
-oA <basename>: Output in the three major formats at once //标准.nmap, .xml, .gnamp文件中
-v: Increase verbosity level (use -vv or more for greater effect) //更详细信息,
-d: Increase debugging level (use -dd or more for greater effect) //提高或设置调试级别
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received //跟踪发送和接收的报文
--iflist: Print host interfaces and routes (for debugging) //列举接口和路由
--append-output: Append to rather than clobber specified output files //在输出文件中添加
--resume <filename>: Resume an aborted scan //继续中断的扫描
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML //设置XSL样式
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output //忽略XML声明的XSL样式
== MISC 杂项
-6: Enable IPv6 scanning //启用IPv6扫描
-A: Enable OS detection, version detection, script scanning, and traceroute //激烈扫描模式选项
--datadir <dirname>: Specify custom Nmap data file location //说明用户Nmap数据文件位置
--send-eth/--send-ip: Send using raw ethernet frames or IP packets //使用原以太网帧发送或IP包
--privileged: Assume that the user is fully privileged //假定用户具有全部权限
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
== EXAMPLES 示例
nmap -v -A scanme.nmap.org:
这个选项扫描主机scanme.nmap.org中 所有的保留TCP端口。选项-v启用细节模式。
[root@localhost ~]# nmap -v -A scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:29 CST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 16:29
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 16:29, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.19s elapsed
Initiating SYN Stealth Scan at 16:29
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
nmap -v -sn 192.168.0.0/16 10.0.0.0/8:
nmap -v -iR 10000 -Pn -p 80:
SEE THE MAN PAGE: [nmap.org/book/man.html](https://www.cnblogs.com/sztom/p/nmap.org/book/man.html)
npam实例
1.nmap localhost #查看主机当前开放的端口
[root@localhost ~]# nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:41 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 999 closed ports
PORT STATE SERVICE
81/tcp open hosts2-ns
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
2.-vv详细输出
[root@localhost ~]# nmap -vv 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:13 EST
Initiating ARP Ping Scan at 04:13
Scanning 192.168.59.128 [1 port]
Completed ARP Ping Scan at 04:13, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:13
Completed Parallel DNS resolution of 1 host. at 04:13, 0.00s elapsed
Initiating SYN Stealth Scan at 04:13
Scanning 192.168.59.128 [1000 ports]
Discovered open port 22/tcp on 192.168.59.128
Discovered open port 111/tcp on 192.168.59.128
Discovered open port 9002/tcp on 192.168.59.128
Discovered open port 6000/tcp on 192.168.59.128
Discovered open port 5432/tcp on 192.168.59.128
Completed SYN Stealth Scan at 04:13, 0.03s elapsed (1000 total ports)
Nmap scan report for 192.168.59.128
Host is up (0.00011s latency).
Scanned at 2019-12-17 04:13:46 EST for 0s
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5432/tcp open postgresql
6000/tcp open X11
9002/tcp open dynamid
MAC Address: 00:0C:29:F1:DD:9C (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.048KB)
3.nmap -p 1024-65535 localhost #查看主机端口(1024-65535)中开放的端口
[root@localhost ~]# nmap -p 1024-65535 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:42 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 64511 closed ports
PORT STATE SERVICE
7011/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
4.nmap -PS 192.168.59.130 #探测目标主机开放的端口
[root@localhost ~]# nmap -PS 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 03:56 EST
Nmap scan report for localhost (192.168.59.130)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
9090/tcp open zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
5.nmap -p22,80,3306 192.168.59.128 #探测所列出的目标主机端口
[root@localhost ~]# nmap -p22,80,3306 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:11 EST
Nmap scan report for 192.168.59.128
Host is up (0.00036s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
3306/tcp closed mysql
MAC Address: 00:0C:29:F1:DD:9C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
6.nmap -O 192.168.59.130 #探测目标主机操作系统类型 (-O 是-A的一部分)
[root@localhost ~]# nmap -O 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:14 EST
Nmap scan report for localhost (192.168.59.130)
Host is up (0.000023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
9090/tcp open zeus-admin
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
7.nmap -sP 192.168.59.130 #探测目标主机在线状况(ping检测)
[root@localhost ~]# nmap -sP 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:19 EST
Nmap scan report for localhost (192.168.59.130)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
8.nmap -sV -O localhost #探测目标主机操作系统类型、端口服务名称、版本信息
[root@localhost ~]# nmap -sV -O localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 17:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
81/tcp open http nginx 1.16.1
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds
9.路由跟踪
nmap -traceroute <target ip>
[root@localhost ~]# nmap -traceroute 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:24 EST
Nmap scan report for 192.168.59.128
Host is up (0.000074s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5432/tcp open postgresql
6000/tcp open X11
9002/tcp open dynamid
MAC Address: 00:0C:29:F1:DD:9C (VMware)
TRACEROUTE
HOP RTT ADDRESS
1 0.07 ms 192.168.59.128
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
常见服务端口
| 服务 | 端口号 |
|---|---|
| HTTP | 80 |
| HTTPS | 443 |
| Telnet | 23 |
| FTP | 21 |
| SSH(安全登录)、SCP(文件传输)、端口重定向 | 22 |
| SMTP | 25 |
| POP3 | 110 |
| WebLogic | 7001 |
| TOMCAT | 8080 |
| WIN2003远程登录 | 3389 |
| Oracle数据库 | 1521 |
| MS SQL* SEVER数据库sever | 1433 |
| MySQL 数据库sever | 3306 |
nmap –T4 –A –v
其中-A选项用于使用进攻性(Aggressive)方式扫描;-T4指定扫描过程使用的时序(Timing),总有6个级别(0-5),级别越高,扫描速度越快,但也容易被防火墙或IDS检测并屏蔽掉,在网络通讯状况良好的情况推荐使用T4;-v表示显示冗余(verbosity)信息,在扫描过程中显示扫描的细节,从而让用户了解当前的扫描状态。
1141
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
