Getting Started with Nmap

Nmap

Contents

[TOC]

Terminology

  • open: the port is open (an application is listening and will accept packets)
  • filtered: the port is filtered (a firewall, filter or other network obstacle blocks the probe, so Nmap cannot tell whether it is open)
  • closed: the port is closed (reachable, but no application is listening; it could be opened later)
  • unfiltered: the port is reachable, but Nmap cannot determine whether it is open or closed

Basic quick scan

-v: print detailed progress while scanning

-vv: even more detail

Host discovery uses an ICMP ping; the ports themselves are then probed with a SYN scan (note "Initiating SYN Stealth Scan" in the output below).

nmap -v ***.***.***.***

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 14:59 中国标准时间
Initiating Parallel DNS resolution of 1 host. at 15:00
Completed Parallel DNS resolution of 1 host. at 15:00, 5.51s elapsed
Initiating SYN Stealth Scan at 15:00
Scanning ***.***.***.*** [1000 ports]
Discovered open port 3389/tcp on ***.***.***.***
Discovered open port 443/tcp on ***.***.***.***
Discovered open port 445/tcp on ***.***.***.***
Discovered open port 135/tcp on ***.***.***.***
Discovered open port 139/tcp on ***.***.***.***
Discovered open port 912/tcp on ***.***.***.***
Discovered open port 902/tcp on ***.***.***.***
Completed SYN Stealth Scan at 15:00, 0.13s elapsed (1000 total ports)
Nmap scan report for ***.***.***.***
Host is up (0.00085s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
3389/tcp open ms-wbt-server

Read data files from: *:\***\***\***\Nmap
Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 2007 (84.308KB)

Quick multi-target scan

nmap <ip_1> <ip_2>

nmap -vv 192.168.0.1 10.136.16.194

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 15:40 中国标准时间
Nmap scan report for 192.168.0.1
Host is up (0.018s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
50300/tcp filtered unknown
50389/tcp filtered unknown
50500/tcp filtered unknown

Nmap scan report for 10.136.16.194
Host is up (0.00076s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
3389/tcp open ms-wbt-server

Nmap done: 2 IP addresses (2 hosts up) scanned in 19.38 seconds
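Added example, not part of the original notes: a small Python parser for the normal-format report shown above. It groups each host's port lines by the states defined under Terminology and flags open ports whose service is on an assumed watch list (RISKY, adjust to local policy), so a scan of your own network can be turned straight into a list of exposures to restrict or firewall. The sample input is a constructed, abridged copy of the two-host report.

```python
import re

# Constructed sample input: an abridged copy of the two-host report shown above.
SAMPLE = """\
Nmap scan report for 192.168.0.1
PORT      STATE    SERVICE
23/tcp    open     telnet
80/tcp    open     http
135/tcp   filtered msrpc
445/tcp   filtered microsoft-ds

Nmap scan report for 10.136.16.194
PORT      STATE    SERVICE
135/tcp   open     msrpc
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server

Nmap done: 2 IP addresses (2 hosts up) scanned in 19.38 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")  # "name (ip)" or bare ip
# One port line: "<port>/<proto> <state> <service>"; state may be combined, e.g. "open|filtered".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+([a-z]+(?:\|[a-z]+)?)\s+(\S+)")
# Assumed watch list: services a defender normally keeps off untrusted networks.
RISKY = {"telnet", "ms-wbt-server", "microsoft-ds", "msrpc", "netbios-ssn"}


def parse_nmap_output(text):
    """Map each host in a normal-format report to its (port, proto, state, service) rows."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:  # ignore header, summary and blank lines
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def exposed_services(hosts, watch=RISKY):
    """Sorted (host, port, service) for ports that are open AND on the watch list."""
    return sorted((h, p, s) for h, rows in hosts.items()
                  for p, _, state, s in rows if state == "open" and s in watch)


if __name__ == "__main__":
    for host, port, service in exposed_services(parse_nmap_output(SAMPLE)):
        print(f"{host}:{port} {service} is open; restrict or firewall it")
```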

Scanning specified ports

-p: specify the ports to scan (single ports and ranges, comma-separated)

nmap -p 3389,20-100 192.168.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 15:50 中国标准时间
Nmap scan report for 192.168.0.1
Host is up (0.030s latency).
Not shown: 80 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.28 seconds

Excluding specific IPs from a scan

--exclude: exclude a host from the target range

--excludefile: exclude every IP listed in a file

nmap 192.168.0.1/24 --exclude 192.168.0.1
nmap 192.168.0.1/24 --excludefile gov.txt

Host discovery

-sP ping scan

Commonly used for host discovery: a convenient, low-profile way to learn which hosts on the network are up and which of them deserve a follow-up port scan.

By default it sends an ICMP echo request and a TCP packet to port 80; an unprivileged user, who cannot send raw packets, sends a TCP SYN to port 80 instead.

The -P* advanced options (listed under Advanced options below) can be combined with it for better coverage.

-sP: ping scan (newer Nmap versions call this -sn)

nmap -sP 10.136.16.1-255

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 15:54 中国标准时间
Nmap scan report for 10.136.16.1
Host is up (0.020s latency).
MAC Address: BC:3F:8F:92:AA:2A (Huawei Technologies)
......
......
Nmap scan report for 10.136.16.183
Host is up (0.13s latency).
MAC Address: 8C:FE:57:C4:DD:16 (Apple)
......
......
Nmap scan report for 10.136.16.255
Host is up (0.0020s latency).
MAC Address: BC:3F:8F:92:AA:2A (Huawei Technologies)
Nmap done: 255 IP addresses (234 hosts up) scanned in 16.84 seconds

-sL list scan

Simple host discovery

Performs a reverse DNS lookup for each host in the range to obtain its name, without sending any packets to the targets themselves.

-sL: print the list of target hosts

nmap -sL 10.136.16.1/24

Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-13 16:16 中国标准时间
Nmap scan report for 10.136.16.0
......
......
Nmap scan report for 10.136.16.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 6.64 seconds

Advanced options

Option                              Effect
-P0                                 Skip the host-discovery phase (no ping) and scan every host directly (older spelling of -Pn)
-PS[portlist]                       TCP SYN Ping: sends a connection request; a closed port answers with RST, an open port answers SYN/ACK and Nmap then sends an RST to tear down the half-open connection
-PA[portlist]                       TCP ACK Ping: sends a bare ACK packet
-PU[portlist]                       UDP Ping
-PY[portlist]                       SCTP INIT Ping
-PE/-PP/-PM                         Discover hosts with ICMP echo, timestamp and netmask requests respectively
-PR                                 ARP Ping (used on the local Ethernet segment)
-n                                  Do not reverse-resolve IPs to names
-R                                  Reverse-resolve every IP
--system-dns                        Use the system resolver instead of Nmap's own
--dns-servers <serv1[,serv2],...>   Specify the DNS servers to use
--traceroute                        Trace the path to each host

Newer option names:

-sn                      Ping scan only, i.e. host discovery without a port scan
-Pn                      Skip the liveness check and treat every host as up
-PS/PA/PU/PY[portlist]   TCP SYN Ping / TCP ACK Ping / UDP Ping / SCTP INIT Ping discovery
-PO[protocol list]       IP protocol ping: probe whether the host is up using packets of the listed IP protocols