Common nmap features: basic operations

Main nmap features:

  • Host discovery
  • Port scanning
  • Version detection
  • OS detection
  • Support for writing your own probe scripts (NSE)

Typical nmap use cases

  • Auditing the security of a device or firewall by probing it
  • Finding the ports a target host has open
  • Auditing network security by identifying newly appeared servers
  • Discovering the hosts present on a network

Usage

Ping scan: host discovery only, no port scan

#nmap -sn <target>

Example 1:

(ics) python@ubuntu:~/ics/pt/ics-server2.1$ nmap -sn 192.168.10.7
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 11:49 CST
Nmap scan report for 192.168.10.7
Host is up (0.0015s latency).

Detect the IP and MAC addresses in use on a subnet

#nmap -sn --script broadcast-ping <target>

Example 2:

root@ubuntu:~# nmap -sn --script broadcast-ping 192.168.0.1/24
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 13:59 CST
Pre-scan script results:
.......
Nmap done: 256 IP addresses (0 hosts up) scanned in 209.82 seconds

Trace the route to the target, using the --traceroute option

#nmap -sn --traceroute <target>

Example 3:

root@ubuntu:/home/python/ics/pt/ics-server2.1# nmap -sn --traceroute google.com microsoft.com
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 13:48 CST
Nmap scan report for microsoft.com (191.239.213.197)
.......
TRACEROUTE (using port 443/tcp)
HOP RTT     ADDRESS
1   ... 2
3   1.64 ms 124.205.209.9
4   ... 30
 
Nmap done: 2 IP addresses (1 host up) scanned in 26.66 seconds

Scan the basic information about a target host: IPv4 address, reverse DNS name, service ports and their states, and so on

#nmap scanme.nmap.org

Example 4:

root@ubuntu:~# nmap scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
.......
31337/tcp open     Elite
 
Nmap done: 1 IP address (1 host up) scanned in 582.61 seconds

Port states:

  • open: a service is listening for connections on this port.
  • closed: the probe was received, but no service is running on the port.
  • filtered: no response to the probe was received, so a connection cannot be established; the probe was probably dropped by a filter (firewall).
  • unfiltered: the port responds to the probe, but nmap cannot determine whether it is open or closed.
  • open|filtered: the port is either open or filtered; nmap cannot tell which.
  • closed|filtered: the port is either closed or filtered; nmap cannot tell which.
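The port states above matter most when scan results are compared over time, which is how the "identify newly appeared servers" use case from the list at the top is put into practice. The following is an added example, not code from this post or from the nmap project: it parses nmap's normal text output (the "Nmap scan report for ..." / "PORT STATE SERVICE" format shown in the examples) into a per-host port table, treats the two ambiguous states as "possibly open", and diffs a baseline scan against a later one. The two report texts embedded in the block are constructed to match the format; the addresses, ports and timings in them are invented sample values.

```python
"""Parse nmap normal output and diff two scans to spot exposure changes.

Added example for this page (not part of nmap). BASELINE_OUTPUT and
CURRENT_OUTPUT are constructed sample reports in nmap's normal format.
"""
import re

# nmap's six port states. The combined states are written with '|' in
# nmap's own output; they mean nmap could not decide between the two.
MAYBE_OPEN = {"open|filtered", "unfiltered"}
KNOWN_STATES = MAYBE_OPEN | {"open", "closed", "filtered", "closed|filtered"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([0-9a-fA-F.:]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")


def parse_nmap_report(text):
    """Return ({host: {"port/proto": (state, service)}}, (addresses, hosts_up)).

    The host key is the address nmap prints in parentheses when it resolved
    a name, otherwise the target as given, so a host matches across scans
    even if its reverse DNS entry changes.
    """
    hosts, current, summary = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            if state not in KNOWN_STATES:
                raise ValueError(f"unexpected port state {state!r}: {raw!r}")
            hosts[current][f"{port}/{proto}"] = (state, service)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
    return hosts, summary


def diff_scans(baseline, current):
    """List (kind, host, detail) changes between two parsed scans.

    A port absent from a report counts as closed, matching the
    'Not shown: N closed ports' line nmap prints for unlisted ports.
    """
    def state_of(scan, host, port):
        return scan.get(host, {}).get(port, ("closed", None))[0]

    findings = []
    for host in current:
        if host not in baseline:
            findings.append(("new_host", host, None))
        for port, (state, service) in current[host].items():
            was = state_of(baseline, host, port)
            if state == "open" and was != "open":
                findings.append(("newly_open", host, f"{port} {service}"))
            elif state in MAYBE_OPEN and was == "closed":
                findings.append(("possibly_open", host, f"{port} {service}"))
    for host in baseline:
        if host not in current:
            findings.append(("host_missing", host, None))
            continue
        for port, (state, service) in baseline[host].items():
            if state == "open" and state_of(current, host, port) != "open":
                findings.append(("no_longer_open", host, f"{port} {service}"))
    return findings


# Constructed sample reports (addresses, ports and timings are invented).
BASELINE_OUTPUT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 11:49 CST
Nmap scan report for 192.168.10.7
Host is up (0.0015s latency).
Not shown: 998 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
"""

CURRENT_OUTPUT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-09 11:49 CST
Nmap scan report for 192.168.10.7
Host is up (0.0015s latency).
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    closed        http
5432/tcp  open          postgresql
53/udp    open|filtered domain
Nmap scan report for 192.168.10.42
Host is up (0.0020s latency).
PORT      STATE    SERVICE
3389/tcp  open     ms-wbt-server
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.56 seconds
"""

if __name__ == "__main__":
    base, _ = parse_nmap_report(BASELINE_OUTPUT)
    now, _ = parse_nmap_report(CURRENT_OUTPUT)
    for kind, host, detail in diff_scans(base, now):
        print(f"{kind:15} {host:15} {detail or ''}")
```

Run against real scans, the two strings would be read from files written with -oN; the parser only needs the report lines, so the "Starting Nmap" and "Not shown" lines are optional. Ports in the "open|filtered" or "unfiltered" state are reported separately as "possibly open" rather than silently treated as open or closed, since that distinction usually calls for a follow-up scan rather than an alert.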

Port scanning

# nmap -p <port/name> <target>

Example 5:

root@ubuntu:~# nmap -p smtp 127.0.0.1
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:07 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
 
root@ubuntu:~# nmap nmap -p 80 127.0.0.1
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:05 CST
Failed to resolve "nmap".
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000089s latency).
PORT   STATE  SERVICE
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
 
root@ubuntu:~# nmap nmap -pT:25,U:53 127.0.0.1
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:10 CST
Failed to resolve "nmap".
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000038s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
nmap -p- localhost            # all ports
nmap -p[1-65535] <target>     # only the ports registered in nmap-services within that range
Version detection

#nmap -sV <target>

Example 6:

root@ubuntu:~# nmap -sV scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.19s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 991 closed ports
PORT      STATE    SERVICE        VERSION
.......
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 507.51 seconds

-sV: tell nmap to perform version detection.
--version-intensity <level>: set the version detection intensity (0-9); the default is 7. Higher values identify services more accurately but take longer to run.
--version-light: use the lightweight detection mode (intensity 2).
--version-all: try every probe (intensity 9).
--version-trace: print detailed information about the version detection process.

OS detection

# nmap -O <target>

Example 7:

root@ubuntu:~# nmap -O 127.0.0.1
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-02 17:56 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
.......
OS details: Linux 3.12 - 3.19, Linux 3.8 - 3.19
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds

-O: tell nmap to perform OS detection.
--osscan-limit: only run OS detection against hosts that meet the requirements (at least one open and one closed port must be known on the host).
--osscan-guess: guess the target OS aggressively. Accuracy drops considerably, but nmap reports as many candidate operating systems as it can.

OS detection in verbose mode

# nmap -O -v <target>

Example 8:

root@ubuntu:/home/python/ics/pt/ics-server2.1# nmap -O -v 127.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-05 09:39 CST
Initiating SYN Stealth Scan at 09:39
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 21/tcp on 127.0.0.1
.......
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
           Raw packets sent: 1108 (51.328KB) | Rcvd: 2239 (99.112KB)

Scan the target host with NSE scripts to check for vulnerabilities

# nmap -sC <target>

Example 9:

root@ubuntu:~# nmap -sC 127.0.0.1
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-05 09:49 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
.......
|_  Salt: aC\x1DK\x0C{Upr\x0CFM\x16\x013t\x06		4
5432/tcp open  postgresql
 
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

Read targets from a file

#nmap -iL <file>

Example 10:

 
python@ubuntu:~$ nmap -iL target.txt 
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:07 CST
Nmap scan report for 192.168.100.7
.......
 
Nmap done: 2 IP addresses (2 hosts up) scanned in 13.48 seconds

Scan a random number of Internet hosts

# nmap -iR <count>

Example 11:

python@ubuntu:~$ nmap -iR 100
 
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:09 CST
Stats: 0:00:31 elapsed; 100 hosts completed (2 up), 2 undergoing Connect Scan
Connect Scan Timing: About 36.64% done; ETC: 18:10 (0:00:12 remaining)
Nmap scan report for 118.56.39.58
.......
17877/tcp open     unknown
 
Nmap done: 102 IP addresses (2 hosts up) scanned in 45.27 seconds

Intense scan

#nmap -A <target>

Example 12:

root@ubuntu:~# nmap -A 192.168.1.7
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-06 18:48 CST
Stats: 0:00:14 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.100.7
Host is up (0.00058s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
.......
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.23 seconds

 

Option combinations:

  • Intense scan: nmap -T4 -A -v
  • Intense scan plus UDP: nmap -sS -sU -T4 -A -v
  • Intense scan, all TCP ports: nmap -p 1-65535 -T4 -A -v
  • Intense scan, no ping: nmap -T4 -A -v -Pn
  • Ping scan: nmap -sn
  • Quick scan: nmap -T4 -F
  • Quick traceroute: nmap -sn --traceroute
