Introduction to commonly used nmap features
Main nmap functions:
- Host discovery
- Port scanning
- Version detection
- OS detection
- Support for writing probe scripts (NSE)
Typical uses of nmap:
- Auditing the security of a device or firewall by probing it
- Finding the ports a target host has open
- Auditing network security by identifying newly appeared servers
- Discovering the hosts on a network
Usage
Ping scan: host discovery only, no port scan
# nmap -sn <target>
Example 1:
(ics) python@ubuntu:~/ics/pt/ics-server2.1$ nmap -sn 192.168.10.7
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 11:49 CST
Nmap scan report for 192.168.10.7
Host is up (0.0015s latency).
Find the IPs and MACs in use on a subnet
# nmap -sn --script broadcast-ping <target>
Example 2:
root@ubuntu:~# nmap -sn --script broadcast-ping 192.168.0.1/24
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 13:59 CST
Pre-scan script results:
.......
Nmap done: 256 IP addresses (0 hosts up) scanned in 209.82 seconds
Trace the route to the target with the --traceroute option
# nmap -sn --traceroute <target>
Example 3:
root@ubuntu:/home/python/ics/pt/ics-server2.1# nmap -sn --traceroute google.com microsoft.com
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 13:48 CST
Nmap scan report for microsoft.com (191.239.213.197)
.......
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 ... 2
3 1.64 ms 124.205.209.9
4 ... 30
Nmap done: 2 IP addresses (1 host up) scanned in 26.66 seconds
Scan the basic information about a target host: IPv4 address, reverse DNS name, network service ports and their states, and so on
# nmap scanme.nmap.org
Example 4:
root@ubuntu:~# nmap scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
.......
31337/tcp open Elite
Nmap done: 1 IP address (1 host up) scanned in 582.61 seconds
Port states:
- open: a service is listening for connections on this port
- closed: the probe was received and answered, but no service is running on the port
- filtered: no response to the probe and no connection could be established; the probe was probably dropped by a filter (firewall)
- unfiltered: the port responds to probes, but nmap cannot determine whether it is open or closed
- open|filtered: the port is either open or filtered; nmap cannot tell which
- closed|filtered: the port is either closed or filtered; nmap cannot tell which
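An added example, not part of the original post, that turns these six states into something a defender can act on: a POSIX shell function parses the PORT table of nmap's normal output and groups ports by state. The scan output it reads is a constructed sample embedded in the script, and state names are compared as plain strings so that open|filtered is not misread as a regular-expression alternation.

```shell
#!/bin/sh
# Constructed sample of nmap normal output (not a real capture); it mixes
# the six port states so the parser has each of them to sort.
SAMPLE_SCAN='Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:48 CST
Nmap scan report for 192.168.100.7
Host is up (0.00058s latency).
Not shown: 994 closed ports
PORT      STATE           SERVICE
22/tcp    open            ssh
25/tcp    closed          smtp
53/udp    open|filtered   domain
135/tcp   filtered        msrpc
443/tcp   unfiltered      https
5432/tcp  open            postgresql
Nmap done: 1 IP address (1 host up) scanned in 41.23 seconds'

# Print "port state service" for every row of the PORT table whose state is $1.
# The state is compared as a plain string ($2 == want), so "open|filtered"
# matches literally instead of being treated as a regex alternation.
ports_in_state() {
    printf '%s\n' "$SAMPLE_SCAN" | awk -v want="$1" '
        /^PORT[ \t]+STATE/ { intable = 1; next }   # header opens the table
        /^Nmap done/       { intable = 0 }         # trailer closes it
        intable && $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == want { print $1, $2, $3 }'
}

# Number of ports in a given state; "open" is what a defender triages first,
# "filtered" and "open|filtered" show where a firewall is shaping the view.
count_state() {
    ports_in_state "$1" | wc -l | tr -d ' '
}

report() {
    for s in open closed filtered unfiltered 'open|filtered' 'closed|filtered'; do
        printf '%-16s %s\n' "$s" "$(count_state "$s")"
    done
    echo '--- open ports to review ---'
    ports_in_state open
}

report
```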
Port scanning
# nmap -p <port/name> <target>
Example 5:
root@ubuntu:~# nmap -p smtp 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:07 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
PORT STATE SERVICE
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
root@ubuntu:~# nmap nmap -p 80 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:05 CST
Failed to resolve "nmap".
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
PORT STATE SERVICE
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
root@ubuntu:~# nmap nmap -pT:25,U:53 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:10 CST
Failed to resolve "nmap".
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000038s latency).
PORT STATE SERVICE
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
nmap -p- localhost            # all ports
nmap -p [1-65535] <target>    # only the ports in that range that are registered in nmap-services
Version detection
# nmap -sV <target>
Example 6:
root@ubuntu:~# nmap -sV scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
.......
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 507.51 seconds
-sV: run version detection
--version-intensity <level>: set the version-detection intensity (0-9); the default is 7. Higher values identify services more accurately but take longer to run.
--version-light: use lightweight detection (intensity 2)
--version-all: try every probe (intensity 9)
--version-trace: show detailed version-detection activity
OS detection
# nmap -O <target>
Example 7:
root@ubuntu:~# nmap -O 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:56 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
.......
OS details: Linux 3.12 - 3.19, Linux 3.8 - 3.19
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds
-O: run OS detection.
--osscan-limit: limit OS detection to hosts that are likely to fingerprint well (the host needs at least one open and one closed port).
--osscan-guess: guess the target's operating system more aggressively. Accuracy drops considerably, but nmap reports as many candidate operating systems as it can.
OS detection in verbose mode
# nmap -O -v <target>
Example 8:
root@ubuntu:/home/python/ics/pt/ics-server2.1# nmap -O -v 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-05 09:39 CST
Initiating SYN Stealth Scan at 09:39
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 21/tcp on 127.0.0.1
.......
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
Raw packets sent: 1108 (51.328KB) | Rcvd: 2239 (99.112KB)
Scan the target with NSE scripts (the default script set) to look for vulnerabilities
# nmap -sC <target>
Example 9:
root@ubuntu:~# nmap -sC 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-05 09:49 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
.......
|_ Salt: aC\x1DK\x0C{Upr\x0CFM\x16\x013t\x06 4
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds
Read targets from a file
# nmap -iL <file>
Example 10:
python@ubuntu:~$ nmap -iL target.txt
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:07 CST
Nmap scan report for 192.168.100.7
.......
Nmap done: 2 IP addresses (2 hosts up) scanned in 13.48 seconds
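An added example (not from the original post) of the discover-then-scan workflow that this section and the earlier -sn section describe: extract the live hosts from a ping-scan report and write them in the one-target-per-line form that -iL reads. The -sn output is a constructed sample, and the follow-up scan command is only printed, not run.

```shell
#!/bin/sh
# Constructed -sn (ping scan) output, not a real capture. With -sn nmap prints a
# report line only for hosts it found up, in one of two forms: a resolved name
# with the IP in parentheses, or the bare IP.
SWEEP_OUTPUT='Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:00 CST
Nmap scan report for gateway.lan (192.168.100.1)
Host is up (0.0010s latency).
Nmap scan report for 192.168.100.7
Host is up (0.00058s latency).
Nmap scan report for printer.lan (192.168.100.20)
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 4.10 seconds'

# Print one IP per "Nmap scan report for" line; handles both forms above.
live_hosts() {
    printf '%s\n' "$SWEEP_OUTPUT" | awk '
        /^Nmap scan report for / {
            ip = $NF                  # last field: "(IP)" or the bare IP
            gsub(/[()]/, "", ip)      # strip parentheses when a name was resolved
            print ip
        }'
}

# Write the list in the one-target-per-line form -iL expects and print the path.
write_target_file() {
    file="${1:-target.txt}"
    live_hosts > "$file"
    printf '%s\n' "$file"
}

# Discover first, then scan only what answered (the second command is shown, not run).
tf=$(write_target_file "${TMPDIR:-/tmp}/target.txt")
echo "wrote $(wc -l < "$tf" | tr -d ' ') targets to $tf"
echo "next step: nmap -sV -iL $tf"
```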
Scan a random number of Internet hosts
# nmap -iR <count>
Example 11:
python@ubuntu:~$ nmap -iR 100
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:09 CST
Stats: 0:00:31 elapsed; 100 hosts completed (2 up), 2 undergoing Connect Scan
Connect Scan Timing: About 36.64% done; ETC: 18:10 (0:00:12 remaining)
Nmap scan report for 118.56.39.58
.......
17877/tcp open unknown
Nmap done: 102 IP addresses (2 hosts up) scanned in 45.27 seconds
Intense scan
# nmap -A <target>
Example 12:
root@ubuntu:~# nmap -A 192.168.1.7
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:48 CST
Stats: 0:00:14 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.100.7
Host is up (0.00058s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
.......
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.23 seconds
Useful combinations:
- Intense scan: nmap -T4 -A -v
- Intense scan plus UDP: nmap -sS -sU -T4 -A -v
- Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v
- Intense scan, no ping: nmap -T4 -A -v -Pn
- Ping scan: nmap -sn
- Quick scan: nmap -T4 -F
- Quick traceroute: nmap -sn --traceroute