[关闭]
@cdmonkey 2017-04-18T07:31:38.000000Z 字数 11110 阅读 1944

nmap

命令总结

Logo
135412xdoqcppgx2zdwx2g.png-742.7kB                                                                              

https://nmap.org/man/zh/index.html
https://wizardforcel.gitbooks.io/nmap-man-page/content

一、简介

 Nmap: Network Mapper

即网络映射器,是网络探测工具和安全及端口扫描器。它的设计目标是快速地扫描大型网络,当然用它扫描单个主机也没有问题。它以新颖的方式使用原始IP报文来发现网络上有哪些主机,那些主机提供什么服务(应用程序名和版本),那些服务运行在什么操作系统(包括版本信息),它们使用什么类型的报文过滤器或防火墙,以及一堆其它功能。

指令输出的结果是扫描目标的列表,以及每个目标的补充信息,至于是哪些信息则依赖于所使用的选项。“所感兴趣的端口表格”是其中的关键。那张表列出端口号,协议,服务名称和状态。

指令会向每个目标主机发送特定的报文,从而从目标主机返回报文(或者无返回报文)来判断目标主机的属性,例如:开放的端口,所使用的操作系统,操作系统的类型等信息。

即网络映射器,对系统及网络管理员来说是一个开源且非常通用的工具。Nmap用于在远程机器上探测网络,执行安全扫描,网络审计和搜寻开放端口。它会扫描远程在线主机,该主机的操作系统,包过滤器和开放的端口。

  1. # Install nmap:
  2. [root@WEB-A1 ~]# yum install -y nmap

二、语法

Format

  1. nmap [Scan Type...] [Options] {target specification}

Options

TARGET SPECIFICATION

Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254

Option Explain
-iL <inputfilename> Input from list of hosts/networks
-iR <num hosts> Choose random targets
--exclude <host1[,host2][,host3],...> Exclude hosts/networks
--excludefile <exclude_file> Exclude list from file

HOST DISCOVERY

Option Explain
-sL List Scan - simply list targets to scan
-sP Ping Scan - go no further than determining if host is online
-P0 Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist] TCP SYN/ACK or UDP discovery probes to given ports
-PE/PP/PM ICMP echo, timestamp, and netmask request discovery probes
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]

SCAN TECHNIQUES

Option Explain
-sS/sT/sA/sW/sM TCP SYN/Connect()/ACK/Window/Maimon scans
-sN/sF/sX TCP Null, FIN, and Xmas scans
--scanflags <flags> Customize TCP scan flags
-sI <zombie host[:probeport]> Idlescan
-sO IP protocol scan
-b <ftp relay host> FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER

Option Explain
-p <port ranges> Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F Fast - Scan only the ports listed in the nmap-services file)
-r Scan ports consecutively - don´t randomize

SERVICE/VERSION DETECTION

Option Explain
-sV Probe open ports to determine service/version info
--version-light Limit to most likely probes for faster identification
--version-all Try every single probe for version detection
--version-trace Show detailed version scan activity (for debugging)

OS DETECTION

Option Explain
-O 启用操作系统检测。
--osscan-limit 针对指定的目标进行操作系统检测。
--osscan-guess 推测操作系统检测结果。

TIMING AND PERFORMANCE

Option Explain
-T[0-6] Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <msec> Parallel host scan group sizes
--min-parallelism/max-parallelism <msec> Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec> Specifies probe round trip time.
--host-timeout <msec> Give up on target after this long
--scan-delay/--max-scan-delay <msec> Adjust delay between probes

FIREWALL/IDS EVASION AND SPOOFING

Option Explain
-f; --mtu <val> fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...> Cloak a scan with decoys
-S <IP_Address> Spoof source address
-e <iface> Use specified interface
-g/--source-port <portnum> Use given port number
--data-length <num> Append random data to sent packets
--ttl <val> Set IP time-to-live field
--spoof-mac <mac address, prefix, or vendor name> Spoof your MAC address

OUTPUT

Option Explain
-oN/-oX/-oS/-oG <file>
-oA <basename> Output in the three major formats at once
-v Increase verbosity level (use twice for more effect)
-d[level] Set or increase debugging level (Up to 9 is meaningful)
--packet-trace Show all packets sent and received
--iflist Print host interfaces and routes (for debugging)
--append-output Append to rather than clobber specified output files
--resume <filename> Resume an aborted scan
--stylesheet <path/URL> XSL stylesheet to transform XML output to HTML
--no-stylesheet Prevent Nmap from associating XSL stylesheet w/XML output

MISC

Options Explain
-6 Enable IPv6 scanning
-A Enables OS detection and Version detection
--datadir <dirname> Specify custom Nmap data file location
--send-eth/--send-ip Send packets using raw ethernet frames or IP packets
--privileged Assume that the user is fully privileged
-V Print version number
-h Print this help summary page.

三、使用

在下面的操作中所有的主机防火墙是被关闭的,特此说明。

此处输入图片的描述

1. 扫描主机

扫描主机名

该工具提供各种方法来扫描系统。在这里,我使用主机名来扫描对端系统,并找出该系统上所有开放的端口,服务以及物理地址。当指令不带选项运行时,该选项概要会被输出。

  1. [root@WEB-A1 ~]# nmap WEB-A2
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 09:35 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00031s latency).
  6. Not shown: 999 closed ports
  7. PORT   STATE SERVICE
  8. 22/tcp open  ssh
  9. MAC Address: 00:0C:29:44:7E:84 (VMware)
  11. Nmap done: 1 IP address (1 host up) scanned in 1.35 second

扫描网络地址

当然也可以使用网络地址进行扫描,扫面结果同上面相同。

  1. [root@WEB-A1 ~]# nmap 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 09:39 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00030s latency).
  6. Not shown: 999 closed ports
  7. PORT   STATE SERVICE
  8. 22/tcp open  ssh
  9. MAC Address: 00:0C:29:44:7E:84 (VMware)
  11. Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

我们当然也可以同时扫描多台主机,只要将多个主机名或地址用空格隔开即可。

获得更详细的信息

我们可以使用“-v”选项,选项后给出了远程主机更加详细的信息。

  1. [root@WEB-A1 ~]# nmap -v WEB-A2  
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 09:43 CST
  4. Initiating ARP Ping Scan at 09:43
  5. Scanning WEB-A2 (172.16.1.12) [1 port]
  6. Completed ARP Ping Scan at 09:43, 0.01s elapsed (1 total hosts)
  7. Initiating SYN Stealth Scan at 09:43
  8. Scanning WEB-A2 (172.16.1.12) [1000 ports]
  9. Discovered open port 22/tcp on 172.16.1.12
  10. Completed SYN Stealth Scan at 09:43, 0.12s elapsed (1000 total ports)
  11. Nmap scan report for WEB-A2 (172.16.1.12)
  12. Host is up (0.00031s latency).
  13. Not shown: 999 closed ports
  14. PORT   STATE SERVICE
  15. 22/tcp open  ssh
  16. MAC Address: 00:0C:29:44:7E:84 (VMware)
  18. Read data files from: /usr/share/nmap
  19. Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
  20.            Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.032KB)

扫描整个子网

可以使用通配符“*”来扫描整个子网或某个范围的网络地址。该操作将会扫描了整个子网,并给出网络中当前在线主机的信息。

  1. [root@WEB-A1 ~]# nmap 172.16.1.*

除此之外还可以使用网络地址的最后一个字节扫描多台主机,你可以简单的指定网络地址的最后一个字节来对多个地址进行扫描。也可以指定一个地址范围进行扫描,如下所示:

  1. [root@WEB-A1 ~]# nmap 172.16.1.12,13,14,15
  2. #或者是:
  3. [root@WEB-A1 ~]# nmap 172.16.1.12-15

如果你有多台主机需要扫描且所有主机信息都写在一个文本文件中,那么就可以直接让指令读取该文件来执行扫描。例如创建一个名为“list.txt”的文本文件,并定义所有你想要扫描的服务器网络地址或主机名。

  1. [root@WEB-A1 ~]# cat list.txt 
  2. localhost
  3. WEB-A2
  4. 172.16.1.60
  5. ------------------
  6. #接下来通过使用“-iL”选项来扫描文件中列出的所有主机:
  7. [root@WEB-A1 ~]# nmap -iL ~/list.txt
  9. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:18 CST
  10. Nmap scan report for localhost (127.0.0.1)
  11. Host is up (0.0000060s latency).
  12. Other addresses for localhost (not scanned): 127.0.0.1
  13. Not shown: 999 closed ports
  14. PORT   STATE SERVICE
  15. 22/tcp open  ssh
  17. Nmap scan report for WEB-A2 (172.16.1.12)
  18. Host is up (0.00041s latency).
  19. Not shown: 999 closed ports
  20. PORT   STATE SERVICE
  21. 22/tcp open  ssh
  22. MAC Address: 00:0C:29:44:7E:84 (VMware)
  24. Nmap scan report for 172.16.1.60
  25. Host is up (0.00024s latency).
  26. Not shown: 998 closed ports
  27. PORT    STATE SERVICE
  28. 22/tcp  open  ssh
  29. 111/tcp open  rpcbind
  30. MAC Address: 00:0C:29:8C:99:E4 (VMware)
  32. Nmap done: 3 IP addresses (3 hosts up) scanned in 1.52 seconds

端口状态:
http://blog.csdn.net/novicecoder/article/details/52177234

状态 说明
open 应用程序在该端口接收TCP连接或者UDP报文。
closed 关闭的端口对于nmap也是可访问的,它接收探测报文并作出响应。但没有应用程序在其上监听。
filtered 由于包过滤阻止探测报文到达端口,nmap无法确定该端口是否开放。过滤可能来自专业的防火墙设备,路由规则或者主机上的软件防火墙。
unfiltered 未被过滤状态意味着端口可访问,但是nmap无法确定它是开放的还是关闭的。只有用于映射防火墙规则集的ACK扫描才会把端口分类到这个状态。
open\filtered 无法确定端口是开放还是被过滤,开放的端口不响应就是一个例子。
Closed\filtered 这种状态主要出现于nmap无法区分端口处于关闭还是过滤时。对该状态还不太清楚。

注意:上面这六种状态只是namp认为的端口状态,例如有些主机或者防火墙会返回一些不可靠的报文从而妨碍对端口开放问题的确认。

排除主机

于执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

  1. [root@WEB-A1 ~]# nmap 172.16.1.* --exclude 172.16.1.12

扫描操作系统信息和路由跟踪

你能够检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可使用“-A“选项:

  1. [root@WEB-A1 ~]# nmap -A 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:31 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00060s latency).
  6. Not shown: 999 closed ports
  7. PORT   STATE SERVICE VERSION
  8. 22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
  9. | ssh-hostkey: 1024 3b:14:17:69:21:43:95:89:09:c5:90:fa:a7:fa:69:cb (DSA)
  10. |_2048 1a:ee:21:52:76:c3:23:9e:99:0e:27:17:7e:c1:1a:8d (RSA)
  11. MAC Address: 00:0C:29:44:7E:84 (VMware)
  12. No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/).
  13. TCP/IP fingerprint:
  14. OS:SCAN(V=5.51%D=4/27%OT=22%CT=1%CU=40171%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=55
  15. ...
  16. OS:%T=40%CD=S)
  18. Network Distance: 1 hop
  19. #显示出网络距离,即路由跳数:
  20. TRACEROUTE
  21. HOP RTT     ADDRESS
  22. 1   0.60 ms WEB-A2 (172.16.1.12)
  24. OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit
  25. Nmap done: 1 IP address (1 host up) scanned in 14.28 seconds

从上面的输出你能够看到,结果显示出了远程主机操作系统的TCP/IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。

扫描主机防火墙

下面的命令将扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

  1. [root@WEB-A1 ~]# nmap -sA 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:43 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00030s latency).
  6. All 1000 scanned ports on WEB-A2 (172.16.1.12) are unfiltered
  7. MAC Address: 00:0C:29:44:7E:84 (VMware)
  9. Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

下面的命令将扫描主机,并检测其是否受到数据包过滤软件或防火墙的保护。

  1. [root@WEB-A1 ~]# nmap -PN 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:46 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00025s latency).
  6. Not shown: 999 closed ports
  7. PORT   STATE SERVICE
  8. 22/tcp open  ssh
  9. MAC Address: 00:0C:29:44:7E:84 (VMware)
  11. Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

找出网络中的在线主机

使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。

  1. [root@WEB-A1 ~]# nmap -sP 172.16.1.*
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:48 CST
  4. Nmap scan report for 172.16.1.1
  5. Host is up (0.0012s latency).
  6. MAC Address: 00:50:56:C0:00:08 (VMware)
  7. Nmap scan report for 172.16.1.2
  8. Host is up (0.00014s latency).
  9. MAC Address: 00:50:56:F9:6F:CC (VMware)
  10. Nmap scan report for WEB-A1 (172.16.1.10)
  11. Host is up.
  12. Nmap scan report for WEB-A2 (172.16.1.12)
  13. Host is up (0.00045s latency).
  14. MAC Address: 00:0C:29:44:7E:84 (VMware)
  15. Nmap scan report for 172.16.1.60
  16. Host is up (0.00033s latency).
  17. MAC Address: 00:0C:29:8C:99:E4 (VMware)
  18. Nmap scan report for 172.16.1.61
  19. Host is up (0.00059s latency).
  20. MAC Address: 00:0C:29:72:36:C3 (VMware)
  21. Nmap done: 256 IP addresses (6 hosts up) scanned in 1.66 seconds

执行快速扫描

你可以使用“-F”选项执行一次快速扫描,仅扫描列在“nmap-services”文件中的端口而避开所有其它的端口。

  1. [root@WEB-A1 ~]# nmap -F 172.16.1.12 
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 10:56 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00049s latency).
  6. Not shown: 99 closed ports
  7. PORT   STATE SERVICE
  8. 22/tcp open  ssh
  9. MAC Address: 00:0C:29:44:7E:84 (VMware)
  11. Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

顺序扫描端口

使用“-r”选项表示不会随机的选择端口扫描。

  1. [root@WEB-A1 ~]# nmap -r 172.16.1.12

打印主机接口和路由

可以使用“–iflist”选项检测主机接口和路由信息:

  1. [root@WEB-A1 ~]# nmap --iflist
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 11:01 CST
  4. ************************INTERFACES************************
  5. DEV  (SHORT) IP/MASK        TYPE     UP MTU   MAC
  6. lo   (lo)    127.0.0.1/8    loopback up 16436
  7. eth0 (eth0)  172.16.1.10/24 ethernet up 1500  00:0C:29:6A:B3:C8
  9. **************************ROUTES**************************
  10. DST/MASK       DEV  GATEWAY
  11. 172.16.1.0/24  eth0
  12. 169.254.0.0/16 eth0
  13. 0.0.0.0/0      eth0 172.16.1.2

从上面的输出你可以看到,执行结果列举出了你系统上的接口以及它们各自的路由信息。

扫描特定的端口

使用它扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下只会扫描TCP端口。

  1. [root@WEB-A1 ~]# nmap -p 80 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 11:07 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00062s latency).
  6. PORT   STATE  SERVICE
  7. 80/tcp closed http
  8. MAC Address: 00:0C:29:44:7E:84 (VMware)
  10. Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

可以指定扫描TCP端口还是UDP端口:

可以同时扫描多个指定端口或者是某个范围内的端口:

  1. [root@WEB-A1 ~]# nmap -p 22,80,443 172.16.1.12
  2. #指定扫描端口的范围:
  3. [root@WEB-A1 ~]# nmap -p 1024-8080 172.16.1.12

查找主机服务版本号

我们可以使用“-sV”选项找出远程主机上运行的服务版本。

  1. [root@WEB-A1 ~]# nmap -sV 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 11:30 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00038s latency).
  6. Not shown: 998 closed ports
  7. PORT   STATE SERVICE VERSION
  8. 22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
  9. 80/tcp open  http    Apache httpd 2.2.15 ((CentOS))
  10. MAC Address: 00:0C:29:44:7E:84 (VMware)
  12. Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  13. Nmap done: 1 IP address (1 host up) scanned in 7.37 seconds

隐蔽扫描

  1. [root@WEB-A1 ~]# nmap -sS 172.16.1.12
  3. Starting Nmap 5.51 ( http://nmap.org ) at 2015-04-27 11:31 CST
  4. Nmap scan report for WEB-A2 (172.16.1.12)
  5. Host is up (0.00020s latency).
  6. Not shown: 998 closed ports
  7. PORT   STATE SERVICE
  8. 22/tcp open  ssh
  9. 80/tcp open  http
  10. MAC Address: 00:0C:29:44:7E:84 (VMware)
  12. Nmap done: 1 IP address (1 host up) scanned in 1.25 seconds

http://blog.jobbole.com/54595/

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注