设为首页收藏本站
开启辅助访问

Nmap命令

 您所在的位置:网站首页 nmap sp命令 Nmap命令

Nmap命令

2023-07-12 22:10| 来源: 网络整理| 查看: 265

Nmap 是免费开放源代码实用程序,用于网络发现和安全审核。许多系统和网络管理员还发现它对于诸如网络清单,管理服务升级计划以及监视主机或服务正常运行时间之类的任务很有用。Nmap以新颖的方式使用原始IP数据包来确定网络上可用的主机,这些主机提供的服务,它们正在运行的操作系统,包过滤器/防火墙的类型。正在使用中,还有许多其他特性。它旨在快速扫描大型网络,但可以在单个主机上正常运行。

Nmap 主机发现扫描

主机发现有时候也叫做 Ping 扫描,但它远远超越用世人皆知的 Ping 工具发送简单的 IcMp 回声请求报文,这些探测的目的是获得响应以显示某个 lP 地址是否是活动的(正在被某主机或者网络设备使用).主机发现能够找到零星分布于 lP 地址海洋上的那些机器.

Nmap 命令参数解析 扫描之前先来看一下参数解析.

-sT TCP connect() 扫描,这是最基本的 TCP 扫描方式。这种扫描很容易被检测到,在目标主机的日志中会记录大批的连接请求以及错误信息。 -sS TCP 同步扫描 (TCP SYN),因为不必全部打开一个 TCP 连接,所以这项技术通常称为半开扫描 (half-open)。这项技术最大的好处是,很少有系统能够把这记入系统日志。不过,你需要 root 权限来定制 SYN 数据包。 -sF,-sX,-sN 秘密 FIN 数据包扫描、圣诞树 (Xmas Tree)、空 (Null) 扫描模式。这些扫描方式的理论依据是:关闭的端口需要对你的探测包回应 RST 包,而打开的端口必需忽略有问题的包(参考 RFC 793 第 64 页)。 -sP ping 扫描,用 ping 方式检查网络上哪些主机正在运行。当主机阻塞 ICMP echo 请求包是 ping 扫描是无效的。nmap 在任何情况下都会进行 ping 扫描,只有目标主机处于运行状态,才会进行后续的扫描。 -sU UDP 的数据包进行扫描,如果你想知道在某台主机上提供哪些 UDP(用户数据报协议,RFC768) 服务,可以使用此选项。 -sA ACK 扫描,这项高级的扫描方法通常可以用来穿过防火墙。 -sW 滑动窗口扫描,非常类似于 ACK 的扫描。 -sR RPC 扫描,和其它不同的端口扫描方法结合使用。 -b FTP 反弹攻击 (bounce attack),连接到防火墙后面的一台 FTP 服务器做代理,接着进行端口扫描。 -P0 在扫描之前,不 ping 主机。 -PT 扫描之前,使用 TCP ping 确定哪些主机正在运行。 -PS 对于 root 用户,这个选项让 nmap 使用 SYN 包而不是 ACK 包来对目标主机进行扫描。 -PI 设置这个选项,让 nmap 使用真正的 ping(ICMP echo 请求)来扫描目标主机是否正在运行。 -PB 这是默认的 ping 扫描选项。它使用 ACK(-PT) 和 ICMP(-PI) 两种扫描类型并行扫描。如果防火墙能够过滤其中一种包,使用这种方法,你就能够穿过防火墙。 -O 这个选项激活对 TCP/IP 指纹特征 (fingerprinting) 的扫描,获得远程主机的标志,也就是操作系统类型。 -I 打开 nmap 的反向标志扫描功能。 -f 使用碎片 IP 数据包发送 SYN、FIN、XMAS、NULL。包增加包过滤、入侵检测系统的难度,使其无法知道你的企图。 -v 冗余模式。强烈推荐使用这个选项,它会给出扫描过程中的详细信息。 -S 在一些情况下,nmap 可能无法确定你的源地址 (nmap 会告诉你)。在这种情况使用这个选项给出你的 IP 地址。 -g port 设置扫描的源端口。一些天真的防火墙和包过滤器的规则集允许源端口为 DNS(53) 或者 FTP-DATA(20) 的包通过和实现连接。显然,如果攻击者把源端口修改为 20 或者 53,就可以摧毁防火墙的防护。 -oN 把扫描结果重定向到一个可读的文件 logfilename 中。 -oS 扫描结果输出到标准输出。 --host_timeout 设置扫描一台主机的时间,以毫秒为单位。默认的情况下,没有超时限制。 --max_rtt_timeout 设置对每次探测的等待时间,以毫秒为单位。如果超过这个时间限制就重传或者超时。默认值是大约 9000 毫秒。 --min_rtt_timeout 设置 nmap 对每次探测至少等待你指定的时间,以毫秒为单位。 -M count 置进行 TCP connect() 扫描时,最多使用多少个套接字进行并行的扫描。

批量Ping扫描: 批量扫描一个网段的主机存活数.

[root@localhost ~]# nmap -sP 192.168.1.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:41 EDT Nmap scan report for 192.168.1.1 Host is up (0.0011s latency). MAC Address: 44:7D:3F:07:2C:A1 (Unknown) Nmap scan report for 192.168.1.2 Host is up (0.000095s latency). MAC Address: FF:8E:BB:EE:AA:B4 (Unknown) Nmap scan report for 192.168.1.3 Host is up (0.051s latency). MAC Address: CC:C0:AC:22:DD:07 (Unknown) Nmap scan report for 192.168.1.7 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 50.15 seconds

跳过Ping探测: 有些主机关闭了ping检测,所以可以使用-P0跳过ping的探测,可以加快扫描速度.

[root@localhost ~]# nmap -P0 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:52 EDT Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

计算网段主机IP: 仅列出指定网段上的每台主机,不发送任何报文到目标主机.

[root@localhost ~]# nmap -sL 192.168.1.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:43 EDT Nmap scan report for 192.168.1.0 Nmap scan report for 192.168.1.1 Nmap scan report for 192.168.1.2 Nmap scan report for 192.168.1.3 Nmap scan report for 192.168.1.4 Nmap scan report for 192.168.1.5 ...省略... Nmap done: 256 IP addresses (0 hosts up) scanned in 4.03 seconds

扫描IP地址范围: 可以指定一个IP地址范围

[root@localhost ~]# nmap -sP 192.168.1.1-10 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:17 EDT Nmap scan report for 192.168.1.1 Host is up (0.00087s latency). MAC Address: 1A:7D:2E:AC:6E:1A (Unknown) Nmap scan report for 192.168.1.2 Host is up (0.00016s latency). MAC Address: 81:8E:38:BC:7C:8E (Unknown) Nmap scan report for 192.168.1.4 Host is up (0.061s latency). MAC Address: 81:29:81:64:81:A3 (Unknown) Nmap scan report for 192.168.1.5 Host is up (0.060s latency). MAC Address: EA:3A:EA:EA:81:EA (Unknown) Nmap scan report for 192.168.1.7 Host is up. Nmap done: 10 IP addresses (5 hosts up) scanned in 0.26 seconds

探测开放端口(SYN): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).

[root@localhost ~]# nmap -PS22,80,443 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:15 EDT Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

探测开放端口(UDP): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).

[root@localhost ~]# nmap -PU 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:55 EDT Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

SYN扫描: 使用SYN半开放扫描

[root@localhost ~]# nmap -sS 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

TCP扫描: 扫描开放了TCP端口的设备.

[root@localhost ~]# nmap -sT 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT Nmap scan report for 192.168.1.7 Host is up (0.0012s latency). Not shown: 999 closed ports PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

UDP扫描: 扫描开放了UDP端口的设备.

[root@localhost ~]# nmap -sU 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:02 EDT Nmap scan report for 192.168.1.7 Host is up (0.0010s latency). Not shown: 999 closed ports PORT STATE SERVICE 68/udp open|filtered dhcpc Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds

协议探测: 探测目标主机支持哪些IP协议

[root@localhost ~]# nmap -sO 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:04 EDT Nmap scan report for 192.168.1.7 Host is up (0.000016s latency). Not shown: 249 closed protocols PROTOCOL STATE SERVICE 1 open icmp 2 open|filtered igmp 6 open tcp 17 open udp 103 open|filtered pim 136 open|filtered udplite 255 open|filtered unknown Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds

探测目标系统: 扫描探测目标主机操作系统,这里结果仅供参考.

[root@localhost ~]# nmap -O 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:06 EDT Nmap scan report for 192.168.1.7 Host is up (0.000056s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3 OS details: Linux 3.7 - 3.9 Network Distance: 0 hops OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

探测服务版本: 用于扫描目标主机服务版本号.

[root@localhost ~]# nmap -sV 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:08 EDT Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) 3306/tcp open mysql ? Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.43 seconds

扫描多台主机: 一次性扫描多台目标主机.

[root@localhost ~]# nmap 192.168.1.2 192.168.1.7 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:11 EDT Nmap scan report for 192.168.1.2 Host is up (0.00052s latency). Not shown: 997 filtered ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: F4:8E:38:EE:7C:B4 (Unknown) Nmap scan report for 192.168.1.7 Host is up (0.000010s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql Nmap done: 2 IP addresses (2 hosts up) scanned in 4.26 seconds

导入扫描文件: 从一个文件中导入IP地址,并进行扫描.

[root@localhost ~]# cat lyshark.log localhost www.baidu.com 192.168.1.7 [root@localhost ~]# nmap -iL lyshark.log Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:13 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.0000090s latency). Other addresses for localhost (not scanned): 127.0.0.1 Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 3306/tcp open mysql Nmap scan report for 192.168.1.7 Host is up (0.0000090s latency). Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 3306/tcp open mysql Nmap done: 3 IP addresses (2 hosts up) scanned in 3.09 seconds

绕过防火墙: 在扫描时通过使用-f参数以及使用--mtu 4/8/16使用分片、指定数据包的MTU,来绕过防火墙.

[root@localhost ~]# nmap -f 127.0.0.1 Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:12 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.000012s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

其他基本:

nmap localhost #查看主机当前开放的端口 nmap -p 1024-65535 localhost #查看主机端口(1024-65535)中开放的端口 nmap -PS 192.168.21.163 #探测目标主机开放的端口 nmap -PS22,80,3306 192.168.21.163 #探测所列出的目标主机端口 nmap -O 192.168.21.163 #探测目标主机操作系统类型 nmap -A 192.168.21.163 #探测目标主机操作系统类型

Nmap 使用扫描脚本

Nmap不仅用于端口扫描,服务检测,其还具有强大的脚本功能,利用Nmap Script可以快速探测服务器,一般情况下,常用的扫描脚本会放在/usr/share/nmap/script目录下,并且脚本扩招名为*.nse后缀的,接下来将介绍最常用的扫描脚本.

扫描WEB敏感目录: 通过使用--script=http-enum.nse可以扫描网站的敏感目录.

[root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.000010s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 80/tcp open http | http-enum: | /login.php: Possible admin folder | /robots.txt: Robots file | /config/: Potentially interesting folder w/ directory listing | /docs/: Potentially interesting folder w/ directory listing | /external/: Potentially interesting folder w/ directory listing |_ /icons/: Potentially interesting folder w/ directory listing 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

绕开鉴权: 负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令.

[root@localhost ~]# nmap --script=auth www.mkdirs.com Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.0000090s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp open ftp | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub 22/tcp open ssh 25/tcp open smtp | smtp-enum-users: |_ root 80/tcp open http | http-domino-enum-passwords: |_ ERROR: No valid credentials were found 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

默认脚本扫描: 脚本扫描,主要是搜集各种应用服务的信息,收集到后可再针对具体服务进行攻击.

[root@localhost ~]# nmap --script=default www.mkdirs.com Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT Nmap scan report for localhost (127.0.0.1) Host is up (0.000010s latency). Not shown: 995 closed ports PORT STATE SERVICE 21/tcp open ftp | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub 22/tcp open ssh | ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA) |_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA) 3306/tcp open mysql | mysql-info: Protocol: 10 | Version: 5.5.60-MariaDB | Thread ID: 10408 | Status: Autocommit |_Salt:


【本文地址】


今日新闻

推荐新闻

CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3