1. Introduction to nmap
nmap (Network Mapper) is an open-source network exploration and security scanning program.
nmap is designed to scan large networks quickly, though it works just as well against a single host. nmap uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts offer, what operating systems (including version) they run, what type of packet filters/firewalls are in use, and dozens of other characteristics. Although nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as taking inventory of the whole network, managing service upgrade schedules, and monitoring host or service uptime.
nmap's output is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the "interesting ports table", which lists the port number, protocol, service name, and state. The state is one of open, filtered, closed, or unfiltered. open means an application on the target machine is listening for connections/packets on that port. filtered means a firewall, filter, or other network obstacle is blocking the port, so nmap cannot tell whether it is open or closed. closed ports have no application listening on them, but they could open at any time. Ports are classified as unfiltered when they respond to nmap's probes but nmap cannot determine whether they are open or closed. nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes the port. When version detection is requested, the port table may also include software version information. When an IP protocol scan is requested (-sO), nmap reports which IP protocols are supported rather than which ports are listening.
Besides the "interesting ports table", nmap can provide further information about the target, including reverse DNS names, operating system guesses, device type, and MAC address.
Commonly used nmap functions:
(1) probe whether a group of hosts is online;
(2) scan a host's ports and identify the network services it offers;
(3) infer the operating system the host is running.
2. Installing Nmap
[root@localhost /]# yum -y install nmap
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.ustc.edu.cn
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:6.40-19.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package          Arch            Version                Repository       Size
================================================================================
Installing:
 nmap             x86_64          2:6.40-19.el7          base            3.9 M

Transaction Summary
================================================================================
Install  1 Package
Total download size: 3.9 M
Installed size: 16 M
Downloading packages:
nmap-6.40-19.el7.x86_64.rpm | 3.9 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:nmap-6.40-19.el7.x86_64 1/1
Verifying : 2:nmap-6.40-19.el7.x86_64 1/1
Installed:
nmap.x86_64 2:6.40-19.el7
Complete!
3. Common nmap scan commands
The most popular scan option is the TCP SYN scan (-sS). It is faster than the connect scan option and works against any compliant TCP stack.
[root@localhost /]# nmap -sS localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 16:47 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000032s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds
nmap -sT <target-ip>    // TCP connect scan; easily detected, slow
[root@localhost /]# nmap -sT localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 16:54 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0016s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
nmap -sU <target-ip>    // UDP scan; slow, but can reveal valuable server programs
[root@localhost /]# nmap -sU localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 16:55 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
nmap -Pn <target-ip>    // target has ping disabled; skip the ping host-discovery step
[root@localhost /]# nmap -Pn 10.168.42.187
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 16:57 CST
Nmap scan report for 10.168.42.187
Host is up (0.13s latency).
All 1000 scanned ports on 10.168.42.187 are filtered
Nmap done: 1 IP address (1 host up) scanned in 41.63 seconds
nmap <target-ip> -p <portnumber>    // scan the specified port
[root@localhost /]# nmap localhost -p 22
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:06 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000053s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
Find out how many hosts on the local network are up
[root@localhost /]# nmap -sP 1.169.42.0/24    (or: nmap -sP 10.169.42.*)
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:08 CST
Nmap scan report for 1-169-42-7.dynamic-ip.hinet.net (1.169.42.7)
Host is up (0.054s latency).
Nmap scan report for 1-169-42-8.dynamic-ip.hinet.net (1.169.42.8)
Host is up (0.047s latency).
Nmap scan report for 1-169-42-10.dynamic-ip.hinet.net (1.169.42.10)
Host is up (0.053s latency).
Nmap scan report for 1-169-42-17.dynamic-ip.hinet.net (1.169.42.17)
Host is up (0.083s latency).
Nmap scan report for 1-169-42-43.dynamic-ip.hinet.net (1.169.42.43)
Host is up (0.057s latency).
Nmap scan report for 1-169-42-44.dynamic-ip.hinet.net (1.169.42.44)
Host is up (0.077s latency).
Nmap scan report for 1-169-42-48.dynamic-ip.hinet.net (1.169.42.48)
Host is up (0.060s latency).
...
nmap -O <target-ip>    // detect the target host's operating system
[root@localhost /]# nmap -O localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:15 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
nmap -sV <target-ip>    // detect the version of the service program on each port
[root@localhost /]# nmap -sV localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000024s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
25/tcp open smtp Postfix smtpd
111/tcp open rpcbind 2-4 (RPC #100000)
631/tcp open ipp CUPS 1.6
Service Info: Host: localhost.localdomain
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.78 seconds
Segmentation fault (core dumped)
nmap -6 <ipv6-address>    // scan a host by its IPv6 address
[root@localhost /]# nmap -6 fe80::dd59:6e0a:5fdc:3c2b
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:24 CST
Nmap scan report for localhost.localdomain (fe80::dd59:6e0a:5fdc:3c2b)
Host is up (0.000018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds
nmap -f <target-ip>    // send small (fragmented) packets to avoid being identified
[root@localhost /]# nmap -f 10.169.42.187
Starting Nmap 6.40 ( http://nmap.org ) at 2022-08-19 17:25 CST
Nmap scan report for DESKTOP-69AV7QL.INT.vertivco.com (10.169.42.187)
Host is up (0.00021s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
5357/tcp open wsdapi
MAC Address: 78:2B:CB:B8:D6:50 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds
nmap -sT <target-ip>
nmap -sS <target-ip>
nmap -Pn <target-ip>
nmap -sU <target-ip>
nmap -sI <zombie-ip> <target-ip>
nmap -sA <target-ip>
nmap <target-ip> -p <portnumber>
nmap <target-network>
nmap <target-ip> -oX myscan.xml
nmap -T<0-5> <target-ip>
nmap -sV <target-ip>
nmap -O <target-ip>
nmap -sC <target-ip>
nmap --script <scriptfile> <target-ip>
nmap -A <target-ip>
nmap -6 <ipv6-address>
nmap -f <target-ip>
nmap --mtu <size> <target-ip>
nmap -D <decoy-ip> <target-ip>
nmap --source-port <portnumber> <target-ip>
nmap --data-length <length> <target-ip>
nmap -v <target-ip>
nmap -sn <target-ip>
nmap -sP <target-ip>
nmap -n/-p <target-ip>
nmap --system-dns <target-ip>
nmap --traceroute <target-ip>
nmap -PE/-PP/-PM <target-ip>: discover hosts with ICMP echo, timestamp, and netmask request packets.
nmap -iR [number]
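As an added example (not code from the original post), the following Python script parses the XML that nmap -oX myscan.xml writes, keeps the port states described in section 1 (open, closed, filtered, open|filtered), and compares each live host's listening ports with an expected allowlist so that unexpected services stand out. The embedded XML, the addresses 10.0.0.1 to 10.0.0.3 and the allowlist are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML "nmap -oX myscan.xml" writes; addresses
# and ports are made up, the port states mirror those nmap reports.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -oX myscan.xml 10.0.0.0/30">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <ports><extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind"/></port>
      <port protocol="udp" portid="68"><state state="open|filtered"/><service name="dhcpc"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80"><state state="filtered"/></port></ports></host>
  <host><status state="down"/><address addr="10.0.0.3" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {addr: {(proto, port): state}} for every host nmap saw as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port table worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")  # e.g. an IPv6-only result
        ports = {}
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = port.find("state").get("state")
        hosts[addr.get("addr")] = ports
    return hosts

def unexpected_open_ports(hosts, allowlist):
    """Ports reported open, or open|filtered (nmap could not rule out a listener),
    that the per-host allowlist does not expect; hosts missing from it get an empty set."""
    findings = {}
    for addr, ports in hosts.items():
        allowed = allowlist.get(addr, set())
        bad = sorted(k for k, state in ports.items()
                     if state in ("open", "open|filtered") and k not in allowed)
        if bad:
            findings[addr] = bad
    return findings

if __name__ == "__main__":
    print(unexpected_open_ports(parse_nmap_xml(SAMPLE_XML), {"10.0.0.1": {("tcp", 22), ("udp", 68)}}))
```

Replace SAMPLE_XML with the contents of a real myscan.xml and the allowlist with the services each host is supposed to run to turn this into a baseline check.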