nmap

I. Installing nmap

yum -y install nmap

This is the CentOS/RHEL package, and it is old: every scan below was run with Nmap 5.51 (released 2011), so some options and NSE scripts described in current documentation are missing. Current builds are at https://nmap.org/download.html.

II. Using nmap

1. Basic usage

Comprehensive scan of 127.0.0.1. -A is shorthand for -O (OS detection), -sV (version detection), -sC (default NSE scripts) and --traceroute. OS detection needs root for its raw packets, and the whole run is slow and noisy, so -A is for hosts you already know you may scan, not for sweeping ranges.

# nmap -A 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-25 16:29 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 b0:74:52:e9:4f:78:be:67:0f:0f:c2:bd:71:5a:df:90 (DSA)
|_2048 1e:07:c5:b6:c5:92:48:c1:2a:4d:22:6c:fa:95:a7:62 (RSA)
80/tcp open  http    nginx 1.10.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
|_http-title: Test Page for the Nginx HTTP Server on EPEL
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=2/25%OT=22%CT=1%CU=36830%PV=N%DS=0%DC=L%G=Y%TM=5C73A769%P=
OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFF
OS:D7ST11NW7%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.74 seconds

Comprehensive scan of www.baidu.com. Two things in this output deserve a careful read. The hostname resolved to two addresses and nmap scanned only the first (61.135.169.121); the "Other addresses ... (not scanned)" line is the only hint. And the results are partly wrong: ports 80 and 443 are labelled "Microsoft Windows UPnP" and "Service Info: OS: Windows", even though the http-* scripts plainly spoke HTTP to them, and the OS guess (an HP ProCurve switch, 86%) comes with nmap's own warning that it is unreliable because no closed port was found (every other port is filtered). Fingerprints taken of a CDN or load-balancer front end are hints to verify, not findings.

# nmap -A www.baidu.com

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-25 16:21 CST
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.0020s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  upnp     Microsoft Windows UPnP
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-robots.txt: 9 disallowed entries 
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/ 
|_/homepage/ /cpro /
|_http-favicon: 
443/tcp open  ssl/upnp Microsoft Windows UPnP
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-robots.txt: 9 disallowed entries 
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/ 
|_/homepage/ /cpro /
|_http-favicon: 
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 10 hops
Service Info: OS: Windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   4.65 ms  localhost (10.0.2.1)
2   1.86 ms  localhost (172.16.31.2)
3   4.53 ms  124.65.136.145
4   21.93 ms 124.65.217.249
5   ...
6   3.82 ms  bt-230-081.bta.net.cn (202.106.230.81)
7   2.02 ms  124.65.59.222
8   2.43 ms  202.106.43.30
9   ...
10  1.40 ms  61.135.169.121

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.80 seconds

Scanning multiple targets: a range in the last octet, or CIDR notation (several targets may also simply be listed on the command line separated by spaces)

nmap 172.16.0.1-254
nmap 172.16.0.1/24

2. Host discovery

-sP: ping scan. Host discovery only, no port scan; the way to list which addresses in a range are alive. Current versions spell this -sn (-sP is kept as an alias). 127.0.0.1 is trivially up.

# nmap -sP 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:36 CST
Nmap scan report for localhost (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds

-P0: no-ping scan, now spelled -Pn. Skips host discovery, treats every target as up and port-scans it. Use it for hosts that drop ping probes and would otherwise be reported down and skipped; against a range it costs a full port scan per address, alive or not.

# nmap -P0 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:38 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

-PS<portlist>: TCP SYN ping. During host discovery a SYN is sent to each listed port (default 80); a SYN/ACK or a RST both prove the host is up, so the ports need not be open. Unless -sn is given the normal port scan follows, and that is what the -v output below shows: the "SYN Stealth Scan" lines are the port scan, not the ping.

# nmap -PS80,22,100-200 -v 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:42 CST
Initiating SYN Stealth Scan at 16:42
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:42, 0.01s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2002 (84.088KB)

-PA<portlist>: TCP ACK ping (default port 80). An unsolicited ACK draws a RST from any live host, and it passes stateless filters that only block SYN; a stateful firewall drops it as belonging to no connection, so -PS and -PA are usually combined. As above, the output below is the port scan that follows discovery.

# nmap -PA -v 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:57 CST
Initiating SYN Stealth Scan at 16:57
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:57, 0.01s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2002 (84.088KB)

-PU<portlist>: UDP ping (default port 40125, chosen because it is almost certainly closed). An ICMP port-unreachable reply proves the host is up, and so does a reply from an open UDP service. Useful when a firewall lets UDP through but filters TCP and ICMP.

# nmap -PU 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:58 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

-PE, -PP, -PM: ICMP pings

-PE: ICMP echo request, what the ping command sends; also part of nmap's default discovery set for non-local targets (echo, SYN to 443, ACK to 80, timestamp)
-PP: ICMP timestamp request
-PM: ICMP address mask request

Echo is widely filtered; timestamp and address mask requests are blocked less often, but many hosts never answer them, so treat them as a fallback rather than a replacement.

# nmap -PE 127.0.0.1
# nmap -PP 127.0.0.1
# nmap -PM 127.0.0.1

-PR: ARP ping. Every host on the same Ethernet segment must answer ARP whatever it filters at the IP layer, so this is the fastest and most reliable discovery method on a LAN, and nmap uses it there automatically (--send-ip turns it off). There is no ARP on the loopback interface, so against 127.0.0.1 the option changes nothing and the output is the ordinary port scan.

# nmap -PR 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 17:06 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

-n: no reverse DNS resolution. Only PTR lookups of scanned addresses are skipped; a hostname given on the command line is still resolved forward, which is how 61.135.169.121 appears below. Saves time on large ranges and keeps the scan from generating a burst of PTR queries.

# nmap -n www.baidu.com

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:49 CST
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.0015s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

-R: always do reverse DNS. By default only hosts found up are resolved; -R resolves every target. Combined with -sL below it becomes a pure name-resolution pass: the list scan sends no packets, so "0 hosts up" is expected, not a failure.

# nmap -R -sL 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:54 CST
Nmap scan report for localhost (127.0.0.1)
Nmap done: 1 IP address (0 hosts up) scanned in 0.00 seconds

--system-dns: use the system resolver. Normally nmap sends reverse queries itself, in parallel, to the name servers listed in /etc/resolv.conf; this option uses the libc resolver (getnameinfo) one address at a time instead. Slower, but it follows the system's resolver configuration exactly, which matters when the parallel resolver misbehaves. Here 127.0.0.2 is reported down (1 of 2 hosts up), so only 127.0.0.1 is listed.

# nmap --system-dns 127.0.0.1 127.0.0.2

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:55 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 2 IP addresses (1 host up) scanned in 3.04 seconds

-sL: list scan. Lists and reverse-resolves the targets without sending them a single packet, which is the way to check that a target specification expands to the addresses you meant before anything is probed; nothing is tested, so the summary shows 0 hosts up.

# nmap -sL 127.0.0.1 10.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:56 CST
Nmap scan report for localhost (127.0.0.1)
Nmap scan report for localhost (10.0.0.1)
Nmap done: 2 IP addresses (0 hosts up) scanned in 0.00 seconds

-6: scan IPv6 targets (::1 is the IPv6 loopback; hostnames and IPv6 literals both work). Raw-packet IPv6 scanning (SYN scan, OS detection) arrived in Nmap 6.00; with 5.51 as used here, IPv6 scans are limited to connect scan, version detection and NSE.

# nmap -6 ::1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:51 CST
Nmap scan report for localhost (::1)
Host is up (0.00011s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

--traceroute: trace the route to each host after the scan. Unlike the traceroute command, nmap picks the probe type and port most likely to reach the target from the scan results (80/tcp for www.baidu.com above, 1723/tcp here), which is why it runs after the port scan. Hops that do not answer are printed as "...". The reverse lookup of 10.0.0.1 coming back as "localhost" reflects the scanning host's own name resolution, not anything about the target.

# nmap --traceroute 10.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:52 CST
Nmap scan report for localhost (10.0.0.1)
Host is up (0.042s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  open     ssh
23/tcp  filtered telnet
80/tcp  open     http
443/tcp open     https

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   79.48 ms localhost (10.0.0.1)

Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds

-PY<portlist>: SCTP INIT ping (default port 80). Discovery for hosts that speak SCTP, mostly telecom equipment; an INIT-ACK or an ABORT both mean the host is up. For 127.0.0.1 the output is again just the TCP port scan that follows discovery.

# nmap -PY -v 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-26 16:53 CST
Initiating SYN Stealth Scan at 16:53
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Completed SYN Stealth Scan at 16:53, 0.01s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2002 (84.088KB)
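
The -P* options above choose how hosts are discovered, but unless -sn (or the older -sP) is given the port scan follows immediately. In practice the two stages are often split: sweep the range with discovery only, record who answered, then port-scan just that list. The script below is an added example, not code from the original page; it assumes nmap on the PATH, root privileges for raw-packet probes, and a range you are authorised to scan. up_hosts parses nmap's grepable output (-oG), in which every live host gets a "Host: <ip> (<name>)<TAB>Status: Up" line; sample_discovery() emits constructed output, not a real scan.

```sh
#!/bin/sh
# Added example: discover hosts first, then port-scan only those that answered.
# Assumes nmap on PATH, root for raw-packet probes, and a range you may scan.
export LC_ALL=C

# Print the IP of every host that grepable output (-oG) marks "Status: Up".
# Grepable lines are tab-separated: "Host: 10.0.0.1 (name)<TAB>Status: Up".
# "# ..." comment lines and "Ports:" lines do not match and are dropped.
up_hosts() {
    awk 'BEGIN { FS = "\t" }
         $1 ~ /^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Stage 1, discovery only (-sn; older builds spell it -sP): ICMP echo plus SYN to
# 22/80/443 and ACK to 80, so a host that drops ICMP is still found; -n skips
# reverse DNS. On the local Ethernet segment nmap uses ARP regardless.
# Stage 2: SYN scan of the default 1000 ports on the live hosts, read with -iL.
# Both stages emit grepable output on stdout (-oG -) so the result pipes on.
sweep() {
    live=$(mktemp) || return 1
    nmap -sn -n -PE -PS22,80,443 -PA80 -oG - "$@" | up_hosts > "$live"
    nmap -sS -n -iL "$live" -oG -
    rm -f "$live"
}

# Constructed -oG output (not a real scan) as "nmap -sn -n -v -oG - 10.0.0.0/29"
# would produce it; "Status: Down" lines are only printed with -v.
sample_discovery() {
    printf '# Nmap 5.51 scan initiated Tue Feb 26 16:36:00 2019 as: nmap -sn -n -v -oG - 10.0.0.0/29\n'
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.2 ()\tStatus: Down\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf '# Nmap done at Tue Feb 26 16:36:02 2019 -- 8 IP addresses (2 hosts up) scanned in 2.31 seconds\n'
}

# Demo on the constructed sample: prints 10.0.0.1 and 10.0.0.5.
sample_discovery | up_hosts
# Real use: sweep 172.16.0.0/24 > sweep.gnmap
```

Splitting the stages also lets you rerun the slow part (the port scan) against a saved host list without re-sweeping, and the live list is a useful artifact on its own for comparing against an asset inventory.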

3. Exploring the network

-T<0-5>: timing templates

-T0 paranoid: one probe at a time, about five minutes apart; only for IDS evasion
-T1 sneaky: serial probes about 15 seconds apart; IDS evasion
-T2 polite: throttled to use less bandwidth and fewer target resources
-T3 normal: the default; timing adapts to the target's response times
-T4 aggressive: fast; the usual choice on a fast, reliable network
-T5 insane: fastest; shorter timeouts, fewer retries and a host timeout, so it trades accuracy for speed

The templates are bundles of defaults for scan delay, parallelism, timeouts and retries; the individual options (--max-retries, --scan-delay, --host-timeout, --min-rate and friends) override them. -T0 and -T1 take hours even for one host and help only against detection that alerts on probe rate.

# nmap -T0 127.0.0.1
# nmap -T1 127.0.0.1

-p: port specification. Without -p nmap scans the 1000 most common ports (the "Not shown: 998 ..." lines above are the remainder). -p takes single ports, comma-separated lists and ranges, and -p- means all 65535.

# nmap -p 22 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-27 19:24 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000042s latency).
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

# nmap -p 22,80,443 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-27 19:25 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000033s latency).
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

# Fast scan: -F scans only the 100 most common ports instead of 1000 (98 closed + 2 open below)
# nmap -F 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-27 19:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Not shown: 98 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

# Scan the 10 most common ports; --top-ports N uses the frequency data in nmap-services
# nmap --top-ports 10 127.0.0.1

Starting Nmap 5.51 ( http://nmap.org ) at 2019-02-27 19:27 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

-sS: TCP SYN scan. The default when running as root. Sends a SYN and never completes the handshake: SYN/ACK means open, RST means closed, no answer or an ICMP unreachable means filtered. Fast, and the target application never sees a connection, though the kernel and any IDS still see the SYN.

# nmap -sS 127.0.0.1

-sT: TCP connect scan. Uses connect() and completes the three-way handshake; the default, and the only TCP scan possible, without root. Slower, and every open port can show up in the target application's logs as an accepted connection.

# nmap -sT 127.0.0.1

-sU: UDP scan. An ICMP port-unreachable reply means closed, a UDP reply means open, silence means open|filtered. Most systems rate-limit the ICMP replies (Linux to about one per second), so scanning all UDP ports takes hours; restrict the range as in the second command, or add -sV to sort the open|filtered ports into open and filtered.

# nmap -sU 127.0.0.1
# nmap -sU -p 80-500 127.0.0.1

-sN, -sF, -sX: NULL, FIN and Xmas scans

-sN: TCP segment with no flags set
-sF: only FIN set
-sX: FIN, PSH and URG set ("lit up like a Christmas tree")

All three rely on RFC 793: a closed port answers such a segment with RST, an open port ignores it, so no reply is reported as open|filtered. They can pass stateless filters that only match SYN, but Windows, Cisco IOS and a number of other stacks send RST from every port regardless of state, so on those every port appears closed and the scan tells you nothing.

# nmap -sN 127.0.0.1
# nmap -sF 127.0.0.1
# nmap -sX 127.0.0.1

Other scan types:

-sA: TCP ACK scan; never finds open ports, but separates unfiltered (a RST comes back) from filtered (nothing, or an ICMP unreachable), so it maps firewall rules
-sW: TCP window scan; an ACK scan that also reads the window size of the RST, which on some systems is non-zero for open ports
-sM: Maimon scan (FIN/ACK); like the FIN scan, for BSD-derived stacks that drop the probe on open ports
--scanflags <flags>: scan with an arbitrary combination of TCP flags, e.g. URGACKPSHRSTSYNFIN
-sI <zombie host>: idle scan; probes are bounced off a zombie with predictable IP ID increments, so the target only ever sees the zombie's address
-sO: IP protocol scan; enumerates which IP protocol numbers (TCP, UDP, ICMP, ...) the host accepts instead of which ports
-b <FTP relay host>: FTP bounce scan through an FTP server that honours PORT commands to third-party addresses; obsolete on anything maintained
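
Reading the PORT/STATE/SERVICE tables by eye works for one host; for a range you want the states machine-readable, and the security-operations use of a port scanner is noticing change: a port that is open today and was not in last week's baseline. The script below is an added example, not code from the original page. open_ports parses nmap's grepable output (-oG), which any of the -s* scans above produce when -oG <file> is added, and new_open_ports diffs two such files. The two sample_* functions emit constructed output, not real scans; the UDP 53/open|filtered entry is there to show that a guess is deliberately not counted as open.

```sh
#!/bin/sh
# Added example: parse nmap grepable output (-oG) into "ip port/proto service"
# lines for ports in state "open", and diff a new scan against a saved baseline.
export LC_ALL=C

# Read -oG output on stdin. A host's port line looks like
#   Host: 10.0.0.1 ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# and each entry has 7 slash-separated fields: port/state/proto/owner/service/rpc/version.
open_ports() {
    awk 'BEGIN { FS = "\t" }
         $1 ~ /^Host: / {
             split($1, h, " "); ip = h[2]
             for (i = 2; i <= NF; i++) {
                 if ($i !~ /^Ports: /) continue
                 n = split(substr($i, 8), entry, ", ")
                 for (j = 1; j <= n; j++) {
                     split(entry[j], f, "/")
                     # "open|filtered" (UDP, NULL/FIN/Xmas scans) is a guess, not an open port
                     if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                 }
             }
         }'
}

# Ports open in the current scan that were not open in the baseline.
# Usage: new_open_ports baseline.gnmap current.gnmap
new_open_ports() {
    base=$(mktemp) || return 1
    cur=$(mktemp) || { rm -f "$base"; return 1; }
    open_ports < "$1" | sort > "$base"
    open_ports < "$2" | sort > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Constructed samples (not real scans). Baseline: 10.0.0.1 with ssh and http open
# and a UDP port that is only open|filtered; 10.0.0.5 with ssh only.
sample_baseline() {
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 21/filtered/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n'
}
# Today's scan: 10.0.0.5 has additionally started listening on 3389/tcp.
sample_current() {
    printf 'Host: 10.0.0.1 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.1 ()\tPorts: 21/filtered/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 53/open|filtered/udp//domain///\tIgnored State: closed (996)\n'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (998)\n'
}

# Demo: write both samples to files and print what is newly open.
demo() {
    b=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$b"; return 1; }
    sample_baseline > "$b"
    sample_current > "$c"
    new_open_ports "$b" "$c"
    rm -f "$b" "$c"
}
demo
# Real use: nmap -sS -oG today.gnmap 172.16.0.0/24 && new_open_ports last_week.gnmap today.gnmap
```

Grepable output is officially deprecated in favour of XML (-oX) but is still produced and is the easiest format to handle in a shell pipeline; for a fuller comparison (service versions, hosts that appeared or vanished) nmap ships ndiff, which works on two -oX files.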

Further sections (not on this page): 4. Fingerprinting and probing; 5. Waiting for the right moment; 6. Firewall and IDS evasion; 7. Information gathering; 8. Database penetration testing; 9. Penetration testing; 10. nmap tips; 11. Saving and outputting nmap results
