
Nmap Commands Explained

2023-08-15 08:51 | Source: compiled from the web | Views: 265

Nmap command usage

nmap [Scan Type(s)] [Options] {target specification}

Installing Nmap on Linux

yum install nmap
sudo apt-get install nmap

Complete option reference

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.

Scanning a system by hostname and IP address

Nmap offers several ways to scan a system. In this example a hostname and an IP address are used to scan a system and find all of its open ports, services and its MAC address.

Scanning by hostname

[root@localhost zzf]# nmap www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:47 CST
Nmap scan report for www.baidu.com (180.101.49.12)
Host is up (0.0011s latency).
Other addresses for www.baidu.com (not scanned): 180.101.49.11
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 56.39 seconds

Scanning by IP address

[root@localhost zzf]# nmap 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:49 CST
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 991 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5357/tcp open  wsdapi
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds

Scanning with the -v option

With the -v option, Nmap reports more detail about the remote machine.

[root@localhost zzf]# nmap -v 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 11:18 CST
Initiating Ping Scan at 11:18
Scanning 192.168.100.65 [4 ports]
Completed Ping Scan at 11:18, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:18
Completed Parallel DNS resolution of 1 host. at 11:18, 0.01s elapsed
Initiating SYN Stealth Scan at 11:18
Scanning 192.168.100.65 [1000 ports]
Discovered open port 3306/tcp on 192.168.100.65
Discovered open port 443/tcp on 192.168.100.65
Discovered open port 135/tcp on 192.168.100.65
Discovered open port 139/tcp on 192.168.100.65
Discovered open port 445/tcp on 192.168.100.65
Discovered open port 5432/tcp on 192.168.100.65
Discovered open port 12265/tcp on 192.168.100.65
Increasing send delay for 192.168.100.65 from 0 to 5 due to 11 out of 17 dropped probes since last increase.
Discovered open port 5357/tcp on 192.168.100.65
Discovered open port 9001/tcp on 192.168.100.65
SYN Stealth Scan Timing: About 48.13% done; ETC: 11:19 (0:00:33 remaining)
Increasing send delay for 192.168.100.65 from 5 to 10 due to 43 out of 142 dropped probes since last increase.
SYN Stealth Scan Timing: About 59.13% done; ETC: 11:20 (0:00:46 remaining)
Increasing send delay for 192.168.100.65 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.100.65 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 192.168.100.65 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
Discovered open port 902/tcp on 192.168.100.65
Discovered open port 1947/tcp on 192.168.100.65
SYN Stealth Scan Timing: About 74.03% done; ETC: 11:20 (0:00:40 remaining)
Increasing send delay for 192.168.100.65 from 80 to 160 due to 11 out of 13 dropped probes since last increase.
Discovered open port 912/tcp on 192.168.100.65
Increasing send delay for 192.168.100.65 from 160 to 320 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 81.33% done; ETC: 11:21 (0:00:36 remaining)
Increasing send delay for 192.168.100.65 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 84.27% done; ETC: 11:22 (0:00:37 remaining)
SYN Stealth Scan Timing: About 86.13% done; ETC: 11:22 (0:00:38 remaining)
Increasing send delay for 192.168.100.65 from 640 to 1000 due to 11 out of 11 dropped probes since last increase.
SYN Stealth Scan Timing: About 68.95% done; ETC: 11:24 (0:02:03 remaining)
Discovered open port 8001/tcp on 192.168.100.65
Discovered open port 5002/tcp on 192.168.100.65
Completed SYN Stealth Scan at 11:23, 290.96s elapsed (1000 total ports)
Nmap scan report for 192.168.100.65
Host is up (0.0011s latency).
Not shown: 982 closed ports
PORT      STATE    SERVICE
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
443/tcp   open     https
445/tcp   open     microsoft-ds
514/tcp   filtered shell
902/tcp   open     iss-realsecure
912/tcp   open     apex-mesh
1947/tcp  open     sentinelsrm
2701/tcp  filtered sms-rcinfo
3306/tcp  open     mysql
5002/tcp  open     rfe
5357/tcp  open     wsdapi
5432/tcp  open     postgresql
7025/tcp  filtered vmsvc-2
8001/tcp  open     vcom-tunnel
8008/tcp  filtered http
9001/tcp  open     tor-orport
12265/tcp open     unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 291.05 seconds
           Raw packets sent: 4131 (181.740KB) | Rcvd: 4120 (164.848KB)

Scanning multiple hosts

List several IP addresses or hostnames after the nmap command to scan multiple hosts in one run.

[root@localhost zzf]# nmap -v 192.168.100.65 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:27 CST
Initiating Ping Scan at 13:27
Scanning 192.168.100.65 [4 ports]
Completed Ping Scan at 13:27, 1.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:27
Completed Parallel DNS resolution of 1 host. at 13:27, 0.01s elapsed
Initiating SYN Stealth Scan at 13:27
Scanning 192.168.100.65 [1000 ports]
Discovered open port 3306/tcp on 192.168.100.65
Discovered open port 443/tcp on 192.168.100.65
Discovered open port 139/tcp on 192.168.100.65
Discovered open port 445/tcp on 192.168.100.65
Discovered open port 135/tcp on 192.168.100.65
Discovered open port 902/tcp on 192.168.100.65
Discovered open port 9001/tcp on 192.168.100.65
Discovered open port 5002/tcp on 192.168.100.65
Discovered open port 912/tcp on 192.168.100.65
Discovered open port 8001/tcp on 192.168.100.65
Discovered open port 5432/tcp on 192.168.100.65
Discovered open port 1947/tcp on 192.168.100.65
Discovered open port 5357/tcp on 192.168.100.65
Completed SYN Stealth Scan at 13:27, 22.78s elapsed (1000 total ports)
Nmap scan report for 192.168.100.65
Host is up (2.1s latency).
Not shown: 986 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
445/tcp  open     microsoft-ds
514/tcp  filtered shell
902/tcp  open     iss-realsecure
912/tcp  open     apex-mesh
1947/tcp open     sentinelsrm
3306/tcp open     mysql
5002/tcp open     rfe
5357/tcp open     wsdapi
5432/tcp open     postgresql
8001/tcp open     vcom-tunnel
9001/tcp open     tor-orport

Initiating SYN Stealth Scan at 13:27
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 111/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 631/tcp on 127.0.0.1
Completed SYN Stealth Scan at 13:27, 0.04s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (2 hosts up) scanned in 23.93 seconds
           Raw packets sent: 2095 (92.156KB) | Rcvd: 3604 (148.362KB)

Scanning an entire subnet

The * wildcard can be used to scan an entire subnet or a range of IP addresses.

[root@localhost zzf]# nmap -v 192.168.100.*
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:30 CST
Initiating Ping Scan at 13:30
Scanning 256 hosts [4 ports/host]
Completed Ping Scan at 13:30, 7.62s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 13:30
Completed Parallel DNS resolution of 256 hosts. at 13:30, 0.93s elapsed
Initiating SYN Stealth Scan at 13:30
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 192.168.100.17
Discovered open port 53/tcp on 192.168.100.29
Discovered open port 139/tcp on 192.168.100.33
Discovered open port 5900/tcp on 192.168.100.44
Discovered open port 139/tcp on 192.168.100.61
Discovered open port 5900/tcp on 192.168.100.29
Discovered open port 139/tcp on 192.168.100.37
Discovered open port 445/tcp on 192.168.100.37
Discovered open port 445/tcp on 192.168.100.61
Discovered open port 80/tcp on 192.168.100.17
Discovered open port 80/tcp on 192.168.100.7

Scanning multiple servers using the last octet of the IP address

Multiple IP addresses can be scanned simply by listing the last octet of each address.

nmap 192.168.100.101,102,103

Scanning a list of hosts from a file

The nmap command with the -iL option scans every IP address listed in a file.

[root@localhost zzf]# cat nmaptest.txt
192.168.100.65
192.168.100.66
[root@localhost zzf]# nmap -iL nmaptest.txt
Nmap scan report for 192.168.100.65
Host is up (0.00050s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
9001/tcp open  tor-orport

Nmap scan report for 192.168.100.66
Host is up (0.00038s latency).
All 1000 scanned ports on 192.168.100.66 are filtered

Nmap done: 2 IP addresses (2 hosts up) scanned in 60.79 seconds

Scanning an IP address range

[root@localhost zzf]# nmap 192.168.100.65-67
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 13:44 CST
Nmap scan report for 192.168.100.65
Host is up (0.00047s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
9001/tcp open  tor-orport

Nmap scan report for 192.168.100.66
Host is up (0.00035s latency).
All 1000 scanned ports on 192.168.100.66 are filtered (933) or closed (67)

Nmap scan report for 192.168.100.67
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.100.67 are filtered (855) or closed (145)

Nmap done: 3 IP addresses (3 hosts up) scanned in 195.64 seconds

Excluding some remote hosts from the scan

When scanning a whole network or using a wildcard, the --exclude option (Nmap also accepts the single-dash spelling -exclude used in the session below) leaves out hosts you do not want to scan.
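Before a range, wildcard or --exclude scan like the ones in this article is run, it pays to know exactly which addresses the target specification expands to, since a scope mistake means scanning hosts that were never authorized. The Python below is an added example, not code from the article or from Nmap itself: it re-implements the target notations used on this page (plain hostname or IP, CIDR, octet ranges such as 192.168.100.65-67, last-octet lists such as 192.168.100.101,102,103 and the 192.168.100.* wildcard) together with --exclude, and can write the result as a one-host-per-line file for -iL. The function names (expand_target, scan_scope, write_target_list) are my own; hostnames are passed through unresolved because Nmap performs its own DNS lookups.

```python
from __future__ import annotations

import ipaddress
import itertools
import re


def _expand_octet(field: str) -> list[int]:
    """Expand one dotted-quad field: '65', '65-67', '101,102,103', '*' or '0-255'."""
    values: list[int] = []
    for part in field.split(","):
        if part == "*":                      # wildcard, as in 192.168.100.*
            values.extend(range(256))
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad octet field: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> list[str]:
    """Expand one Nmap target token into IPv4 strings; hostnames pass through."""
    if "/" in spec:                          # CIDR such as 192.168.0.0/24
        try:
            return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
        except ValueError:
            return [spec]                    # e.g. microsoft.com/24: left to Nmap's resolver
    if re.fullmatch(r"[\d,*\-.]+", spec):    # ranges, last-octet lists, wildcards
        fields = spec.split(".")
        if len(fields) != 4:
            raise ValueError(f"expected four octets: {spec!r}")
        combos = itertools.product(*(_expand_octet(f) for f in fields))
        return [".".join(map(str, c)) for c in combos]
    return [spec]                            # plain hostname


def scan_scope(targets: list[str], exclude: list[str] | None = None) -> list[str]:
    """Hosts a scan would touch: every target minus every --exclude host, in order."""
    excluded: set[str] = set()
    for spec in exclude or []:
        excluded.update(expand_target(spec))
    scope: list[str] = []
    seen: set[str] = set()
    for spec in targets:
        for host in expand_target(spec):
            if host not in excluded and host not in seen:
                seen.add(host)
                scope.append(host)
    return scope


def write_target_list(path: str, scope: list[str]) -> int:
    """Write one host per line, the format nmap -iL reads; returns the host count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(scope) + "\n")
    return len(scope)


if __name__ == "__main__":
    # The article's 'nmap 192.168.100.65-67 -exclude 192.168.100.66', previewed:
    print(scan_scope(["192.168.100.65-67"], exclude=["192.168.100.66"]))
    print(len(scan_scope(["192.168.100.*"])), "hosts behind the wildcard")
```

Feeding the written file to nmap -iL instead of the raw specification also gives a fixed record of what the scan was meant to cover, which is useful when the scan results are reviewed later.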

[root@localhost zzf]# nmap 192.168.100.65-67 -exclude 192.168.100.66
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 14:02 CST
Nmap scan report for 192.168.100.65
Host is up (0.00088s latency).
Not shown: 964 filtered ports
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
443/tcp   open   https
445/tcp   open   microsoft-ds
513/tcp   closed login
888/tcp   closed accessbuilder
902/tcp   open   iss-realsecure
912/tcp   open   apex-mesh
1002/tcp  closed windows-icfw
1009/tcp  closed unknown
1055/tcp  closed ansyslmd
1067/tcp  closed instl_boots
1075/tcp  closed rdrmshc
1082/tcp  closed amt-esd-prot
1192/tcp  closed caids-sensor
1721/tcp  closed caicci
1839/tcp  closed netopia-vo1
2179/tcp  closed vmrdp
2251/tcp  closed dif-port
2401/tcp  closed cvspserver
3005/tcp  closed deslogin
3071/tcp  closed csd-mgmt-port
3306/tcp  open   mysql
3801/tcp  closed ibm-mgr
5002/tcp  open   rfe
5357/tcp  open   wsdapi
5801/tcp  closed vnc-http-1
7004/tcp  closed afs3-kaserver
8001/tcp  open   vcom-tunnel
9001/tcp  open   tor-orport
9968/tcp  closed unknown
32768/tcp closed filenet-tms
32783/tcp closed unknown
49156/tcp closed unknown
50500/tcp closed unknown
57797/tcp closed unknown

Nmap scan report for 192.168.100.67
Host is up (0.00037s latency).
All 1000 scanned ports on 192.168.100.67 are filtered

Nmap done: 2 IP addresses (2 hosts up) scanned in 54.67 seconds

Scanning OS information and tracing the route

With Nmap you can detect the operating system and version running on a remote host. To enable OS and version detection, script scanning and traceroute all at once, use Nmap's -A option.

[root@localhost zzf]# nmap -A 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 14:28 CST
Nmap scan report for 192.168.100.65
Host is up (0.12s latency).
Not shown: 779 filtered ports, 208 closed ports
PORT     STATE SERVICE         VERSION
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2019-07-01T05:46:24+00:00
|_Not valid after:  2020-06-30T05:46:24+00:00
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1947/tcp open  sentinelsrm?
3306/tcp open  mysql           MySQL (unauthorized)
5002/tcp open  rfe?
5357/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-methods: No Allow or Public header in OPTIONS response (status code 503)
|_http-title: Service Unavailable
5432/tcp open  postgresql?
8001/tcp open  vcom-tunnel?
9001/tcp open  tor-orport?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
………………………………
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (97%), Linux 2.4.X|3.X (94%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7:::enterprise cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Microsoft Windows XP SP3 (97%), Microsoft Windows 7 Enterprise (96%), DD-WRT v24-sp2 (Linux 2.4.37) (94%), Linux 3.2 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 1002/tcp)
HOP RTT       ADDRESS
1   0.57 ms   192.168.78.2
2   990.07 ms 192.168.100.65

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.02 seconds

Enabling Nmap's OS detection

The -O option, optionally combined with --osscan-guess, also helps detect operating system information.

[root@localhost zzf]# nmap -O 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:42 CST
Nmap scan report for 192.168.100.65
Host is up (0.00062s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5432/tcp open  postgresql
8001/tcp open  vcom-tunnel
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds

Scanning a host to detect a firewall

The following command scans a remote host to detect whether it sits behind a packet filter or firewall.
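To see why an ACK scan can only tell filtered ports from unfiltered ones (which is what the -sA session below reports), and how the SYN, FIN/NULL and UDP scans compared in this article's summary table arrive at open, closed, filtered and open|filtered, here is an added simulation in Python. It is not code from the article or from Nmap: a constructed target with a few open ports and an optional stateful packet filter answers each probe the way a TCP/IP stack would, and classify() applies Nmap's state rules to that answer. The Target class, the probe and response names and the port numbers are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Target:
    """Constructed target: its open ports and the ports a stateful packet filter guards."""
    open_tcp: set[int] = field(default_factory=set)
    open_udp: set[int] = field(default_factory=set)
    firewalled: set[int] = field(default_factory=set)   # unsolicited probes are dropped

    def respond(self, probe: str, port: int) -> str:
        """Wire-level reply to one probe: 'SYNACK', 'RST', 'ICMP_UNREACH' or 'NONE'."""
        if port in self.firewalled:
            return "NONE"                                # silently dropped by the filter
        if probe == "UDP":
            # An open UDP service usually stays silent; a closed port answers ICMP port unreachable.
            return "NONE" if port in self.open_udp else "ICMP_UNREACH"
        if probe == "ACK":
            return "RST"                                 # open or closed, an unfiltered port answers RST
        if port in self.open_tcp:
            # SYN gets SYN/ACK; FIN/NULL/Xmas probes to an open port are ignored (RFC 793 behaviour).
            return "SYNACK" if probe == "SYN" else "NONE"
        return "RST"                                     # a closed port answers RST to any TCP probe


def classify(scan: str, response: str) -> str:
    """Port state Nmap reports for a (scan type, response) pair."""
    if scan == "SYN":                                    # -sS
        return {"SYNACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan == "ACK":                                    # -sA: filtered vs unfiltered only
        return "unfiltered" if response == "RST" else "filtered"
    if scan in ("FIN", "NULL", "XMAS"):                  # -sF / -sN / -sX
        return "closed" if response == "RST" else "open|filtered"
    if scan == "UDP":                                    # -sU
        return "closed" if response == "ICMP_UNREACH" else "open|filtered"
    raise ValueError(f"unknown scan type: {scan}")


def run_scan(target: Target, scan: str, ports: list[int]) -> dict[int, str]:
    """Send one probe per port and classify each reply."""
    return {port: classify(scan, target.respond(scan, port)) for port in ports}


if __name__ == "__main__":
    host = Target(open_tcp={22, 80}, open_udp={53}, firewalled={3306})
    for scan in ("SYN", "ACK", "FIN", "UDP"):
        print(scan, run_scan(host, scan, [22, 23, 53, 3306]))
```

Running it shows the asymmetry the article's table describes: the ACK scan labels both the open port 22 and the closed port 23 "unfiltered" and only the filtered port 3306 "filtered", while the SYN scan separates all three states. A target with an empty firewalled set reproduces the "All 1000 scanned ports are unfiltered" result of the -sA session that follows.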

[root@localhost zzf]# nmap -sA 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:44 CST
Nmap scan report for 192.168.100.65
Host is up (0.000085s latency).
All 1000 scanned ports on 192.168.100.65 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

Scanning a host to check whether it is protected by a firewall

Scan a host to check whether it is protected by packet-filtering software or a firewall; the -PN option used here skips host discovery, so the port scan proceeds even if the host does not answer pings.

[root@localhost zzf]# nmap -PN 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 15:45 CST
Nmap scan report for 192.168.100.65
Host is up (0.00091s latency).
Not shown: 771 filtered ports, 216 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5002/tcp open  rfe
5357/tcp open  wsdapi
5432/tcp open  postgresql
8001/tcp open  vcom-tunnel
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 151.10 seconds

Finding live hosts on the network

With the -sP option (its current spelling is -sn) we can simply find out which hosts on the network are online; the option skips the port scan and other checks. Note that the session below was actually run with -PN, which skips host discovery but still scans ports, which is why port tables appear in its output.

[root@localhost zzf]# nmap -PN 192.168.78.*
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:22 CST
Nmap scan report for 192.168.78.1
Host is up (0.00025s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
5002/tcp open  rfe
5357/tcp open  wsdapi
8001/tcp open  vcom-tunnel
9001/tcp open  tor-orport
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.78.2
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:F3:1E:30 (VMware)

Nmap scan report for 192.168.78.254
Host is up (0.000078s latency).
All 1000 scanned ports on 192.168.78.254 are filtered
MAC Address: 00:50:56:EA:B7:44 (VMware)

Nmap scan report for 192.168.78.133
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (4 hosts up) scanned in 8.45 seconds

Running a fast scan

The -F option runs a fast scan that covers only the ports listed in the nmap-services file and skips all others.

[root@localhost zzf]# nmap -F 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:25 CST
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 93 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3306/tcp open  mysql
5357/tcp open  wsdapi
5432/tcp open  postgresql

Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds

Printing host interfaces and routes

[root@localhost zzf]# nmap --iflist
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:26 CST
************************INTERFACES************************
DEV        (SHORT)      IP/MASK                       TYPE     UP   MTU   MAC
lo         (lo)         127.0.0.1/8                   loopback up   65536
lo         (lo)         ::1/128                       loopback up   65536
virbr0-nic (virbr0-nic) (null)/0                      ethernet down 1500  52:54:00:DB:96:1E
virbr0     (virbr0)     192.168.122.1/24              ethernet up   1500  52:54:00:DB:96:1E
ens33      (ens33)      192.168.78.133/24             ethernet up   1500  00:0C:29:91:36:BC
ens33      (ens33)      fe80::4140:1020:e111:678b/64  ethernet up   1500  00:0C:29:91:36:BC

**************************ROUTES**************************
DST/MASK                      DEV    METRIC GATEWAY
192.168.122.0/24              virbr0 0
192.168.78.0/24               ens33  100
0.0.0.0/0                     ens33  100    192.168.78.2
::1/128                       lo     0
fe80::4140:1020:e111:678b/128 lo     0
fe80::/64                     ens33  100
ff00::/8                      ens33  256

As the output above shows, nmap lists the interfaces on your system together with their routing information.

Scanning specific ports

Nmap has various options for scanning a remote machine's ports. The -p option selects the ports you want to scan; by default nmap scans TCP ports only.

[root@localhost zzf]# nmap -p 3306 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:28 CST
Nmap scan report for 192.168.100.65
Host is up (0.00074s latency).
PORT     STATE SERVICE
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Scanning UDP ports

[root@localhost zzf]# nmap -sU 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:41 CST
Nmap scan report for 192.168.100.65
Host is up (0.00087s latency).
All 1000 scanned ports on 192.168.100.65 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

Finding service version numbers on a host

[root@localhost zzf]# nmap -sV 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:43 CST
Stats: 0:01:24 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.30% done; ETC: 16:45 (0:00:34 remaining)
Stats: 0:02:49 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.17% done; ETC: 16:46 (0:00:16 remaining)
Stats: 0:03:25 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.87% done; ETC: 16:47 (0:00:13 remaining)
Stats: 0:05:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 76.92% done; ETC: 16:48 (0:00:05 remaining)
Stats: 0:05:14 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 76.92% done; ETC: 16:48 (0:00:06 remaining)
Nmap scan report for 192.168.100.65
Host is up (0.0011s latency).
Not shown: 984 closed ports
PORT      STATE    SERVICE          VERSION
135/tcp   open     msrpc            Microsoft Windows RPC
139/tcp   open     netbios-ssn
443/tcp   open     https?
445/tcp   open     microsoft-ds?
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth      VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1947/tcp  open     sentinelsrm?
3269/tcp  filtered globalcatLDAPssl
3306/tcp  open     mysql            MySQL (unauthorized)
5002/tcp  open     rfe?
5357/tcp  open     http             Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5432/tcp  open     postgresql?
8001/tcp  open     vcom-tunnel?
9001/tcp  open     tor-orport?
10617/tcp filtered unknown
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1947-TCP:V=6.40……………………

Scanning a remote host with TCP ACK (PA) and TCP SYN (PS) pings

Sometimes a packet-filtering firewall blocks standard ICMP ping requests; in that case the TCP ACK and TCP SYN ping methods can be used to discover the remote host.

[root@localhost zzf]# nmap -PS 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:54 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.06 seconds

Performing a stealth scan

[root@localhost zzf]# nmap -sS 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:56 CST
Nmap scan report for 192.168.100.65
Host is up (0.00082s latency).
Not shown: 983 filtered ports
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
161/tcp   closed snmp
443/tcp   open   https
445/tcp   open   microsoft-ds
902/tcp   open   iss-realsecure
987/tcp   closed unknown
1300/tcp  closed h323hostcallsc
1805/tcp  closed enl-name
1947/tcp  open   sentinelsrm
2381/tcp  closed compaq-https
3306/tcp  open   mysql
5002/tcp  open   rfe
5432/tcp  open   postgresql
9001/tcp  open   tor-orport
9535/tcp  closed man
19780/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 46.20 seconds

Performing a TCP NULL scan to get past a firewall

[root@localhost zzf]# nmap -sN 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 16:57 CST
Nmap scan report for 192.168.100.65
Host is up (0.00058s latency).
All 1000 scanned ports on 192.168.100.65 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 21.27 seconds

Scanning host ports using decoys

[root@localhost zzf]# nmap 192.168.100.65 -D 192.161.1.1
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:12 CST
Nmap scan report for 192.168.100.65
Host is up (0.00091s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds

Summary

Host discovery

Principle: send probe packets to the target host; if a reply comes back, the target host is up.

Option                   Function
-sL                      List Scan: only lists the IPs of the specified targets, without host discovery
-sn                      Ping Scan: host discovery only, no port scan
-Pn                      Treat all specified hosts as up and skip host discovery
-PS/PA/PU/PY[portlist]   TCP SYN/ACK, UDP or SCTP probes sent to the given ports
-PE/PP/PM                ICMP echo, timestamp and netmask request discovery probes
-PO[protocol list]       IP protocol packets used to probe whether the host is up
-n/-R                    -n never does DNS resolution; -R always resolves
--dns-servers            Specify DNS servers
--system-dns             Use the system's DNS resolver
--traceroute             Trace every hop on the route

Port scanning

Open scanning: produces a lot of audit data and is easily noticed by the target, but is highly reliable; e.g. TCP Connect.
Stealth scanning: effectively avoids detection by intrusion detection systems and firewalls, but its probe packets are easily dropped, which yields wrong results; e.g. TCP FIN.
Half-open scanning: stealth and reliability in between the two; e.g. TCP SYN.

Scan type   Description        Summary
-sS         TCP SYN scan       Relatively stealthy, efficient and widely applicable
-sT         TCP Connect scan   Completes the full TCP handshake and therefore leaves records on the target; not stealthy
-sA         TCP ACK scan       Can only determine whether a firewall blocks a port; complements TCP SYN when judging the state of the target's firewall
-sF         TCP FIN scan       A FIN reaching a closed port is dropped and answered with an RST; a FIN reaching an open port gets no reply
-sU         UDP scan           A reply means the port is closed; no reply means the UDP port may be open

Other options
-p          Only scan the specified ports, e.g. -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F          Scan fewer ports than the default scan
-r          Scan ports consecutively, don't randomize

Version detection

nmap -sV <IP> is not just a port scan: it maps each responding port to its service and identifies the service version from the fingerprint the service returns.

[root@localhost zzf]# nmap -sV 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:34 CST
Nmap scan report for 192.168.100.65
Host is up (0.00079s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds?
1947/tcp open  sentinelsrm?
3306/tcp open  mysql         MySQL (unauthorized)
5002/tcp open  rfe?
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1947-TCP:V=6.40%I=7%D=7/14%Time=5F0D8A4D%P=x86_64-redhat-linux-gnu%

OS detection

Common OS detection methods:
Probing with the TTL (time-to-live) value of packets.
TCP packet probing: telling operating systems apart by how each reacts to specific TCP packets (different OSes handle ACK sequence numbers differently).
Identification from ICMP responses.

Option           Meaning
-O               Make nmap perform OS detection
--osscan-guess   Guess the target host's OS type; nmap reports a probability for each candidate, and the user weighs those figures to judge the OS type

nmap -O --osscan-guess 192.168.100.65

[root@localhost zzf]# nmap -O --osscan-guess 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 18:43 CST
Nmap scan report for 192.168.100.65
Host is up (0.0030s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
912/tcp  open  apex-mesh
1947/tcp open  sentinelsrm
3306/tcp open  mysql
5432/tcp open  postgresql
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|XP
OS CPE: cpe:/o:microsoft:windows_7:::enterprise cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.77 seconds
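The -sV and -O reports above are the raw material for a defender's asset inventory, and reading them by eye does not scale past a handful of hosts. The Python below is an added example, not code from the article or from the Nmap project: it parses Nmap's normal output format as shown throughout this page (the "Nmap scan report for" headers, the PORT/STATE/SERVICE/VERSION tables and the "OS details:" line) into per-host records, then answers the two questions worth asking after every repeat scan: which ports are newly open compared with a baseline, and which open services carry the "?" marker because no version probe confirmed them. The two sample reports are constructed from port lines that appear on this page; the helper names (parse_report, newly_open, unidentified) are my own.

```python
from __future__ import annotations

import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_report(text: str) -> list[dict]:
    """Turn Nmap normal output into one dict per host: name, ip, up, os, ports."""
    hosts: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            cur = {"name": m.group(1), "ip": m.group(2) or m.group(1),
                   "up": False, "os": None, "ports": {}}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Host is up"):
            cur["up"] = True
        elif line.startswith("OS details:"):
            cur["os"] = line.split(":", 1)[1].strip()
        else:
            m = PORT_RE.match(line)
            if m:
                num, proto, state, service, version = m.groups()
                cur["ports"][(int(num), proto)] = {
                    "state": state,
                    "service": service.rstrip("?"),
                    # A trailing '?' means Nmap guessed the service from the port
                    # number alone; no version probe confirmed it.
                    "confirmed": not service.endswith("?"),
                    "version": (version or "").strip() or None,
                }
    return hosts


def open_ports(host: dict) -> set[tuple[int, str]]:
    return {key for key, info in host["ports"].items() if info["state"] == "open"}


def newly_open(baseline: list[dict], current: list[dict]) -> dict[str, set]:
    """Ports open in the current scan that were not open in the baseline, keyed by IP."""
    before = {h["ip"]: open_ports(h) for h in baseline}
    changes: dict[str, set] = {}
    for h in current:
        added = open_ports(h) - before.get(h["ip"], set())
        if added:
            changes[h["ip"]] = added
    return changes


def unidentified(host: dict) -> list[tuple[int, str]]:
    """Open ports whose service -sV could not confirm; these deserve a manual look."""
    return sorted(k for k, v in host["ports"].items()
                  if v["state"] == "open" and not v["confirmed"])


# Constructed samples, assembled from port lines that appear in this article.
BASELINE = """\
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 93 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
443/tcp  open  https
3306/tcp open  mysql
"""

CURRENT = """\
Nmap scan report for 192.168.100.65
Host is up (0.0011s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE     VERSION
135/tcp  open     msrpc       Microsoft Windows RPC
443/tcp  open     https?
514/tcp  filtered shell
3306/tcp open     mysql       MySQL (unauthorized)
5432/tcp open     postgresql?
OS details: Microsoft Windows 7 Enterprise, Microsoft Windows XP SP3
"""

if __name__ == "__main__":
    before, after = parse_report(BASELINE), parse_report(CURRENT)
    print("newly open:", newly_open(before, after))
    print("unconfirmed services:", unidentified(after[0]))
    print("OS guess:", after[0]["os"])
```

For scans saved with -oN the file can be read straight into parse_report(); for anything more than ad hoc use, -oX output and an XML parser are the more robust choice, since the normal format is meant for people rather than programs.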

 


