An overview of common nmap commands


nmap

Preface

The previous post already covered essentially every nmap option in considerable detail, but for ordinary use, where we do not need very precise control, most of those parameters never come into play, so here we summarize the ones that are commonly used day to day.

Summary of common parameters

Ping scan

nmap <target IP>

justice@hexo-ubuntu:~$ nmap 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 09:37 UTC
Nmap scan report for bogon (10.9.121.245)
Host is up (0.0019s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
443/tcp   open  https
912/tcp   open  apex-mesh
5357/tcp  open  wsdapi
15000/tcp open  hydap

Nmap done: 1 IP address (1 host up) scanned in 4.56 seconds

This form, like a -sP scan, detects which hosts on the network are online: it sends an ICMP echo request packet to the specified IP address, and receiving an RST packet back indicates that the host is running.

Note: when the scanned host's firewall is turned on, it generally cannot be scanned directly this way.

TCP SYN Ping scan

nmap -sP -PS <target IP>

justice@hexo-ubuntu:~$ nmap -sP -PS 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 09:39 UTC
Nmap scan report for localhost (10.9.121.245)
Host is up (0.0035s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds

As the unprivileged user justice, -PS makes nmap probe the target host with SYN packets rather than ACK packets. If the host is running, it returns an RST packet (or a SYN/ACK packet). -PS sends a TCP SYN packet to port 80 by default; a port can also be specified, for example -PS135 (port 135). This gets through when the administrator has not filtered the SYN packets in TCP traffic.

-PA TCP ACK Ping scan

nmap -sP -PA <target IP>

justice@hexo-ubuntu:~$ nmap -sP -PA 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 09:42 UTC
Nmap scan report for bogon (10.9.121.245)
Host is up (0.0020s latency).
Nmap done: 1 IP address (1 host up) scanned in 2.01 seconds

Analogous to the TCP SYN Ping scan.

Half-open scan: TCP SYN scan

nmap -sS <target IP>   (requires root)

justice@hexo-ubuntu:~$ nmap -sS 10.9.121.245
You requested a scan type which requires root privileges.
QUITTING!
justice@hexo-ubuntu:~$ sudo -i
[sudo] password for justice: 
root@hexo-ubuntu:~# nmap -sS 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 09:44 UTC
Nmap scan report for bogon (10.9.121.245)
Host is up (0.0074s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi

Nmap done: 1 IP address (1 host up) scanned in 57.88 seconds

A TCP SYN scan is a half-open scan. The user sends a TCP synchronize (SYN) packet and waits for the reply. If the other side returns a SYN|ACK (response) packet, the target port is listening; if it returns an RST packet, there is no listener on the target port. When a SYN|ACK is received, the source host immediately sends an RST (reset) packet to tear down the connection with the target host. The biggest advantage of this scan type is that the scan is rarely logged, so it is stealthier.

Custom port-range scan

nmap -p <port range> <target IP>

justice@hexo-ubuntu:~$ nmap -p 1-1000 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 09:47 UTC
Nmap scan report for bogon (10.9.121.245)
Host is up (0.0018s latency).
Not shown: 993 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
443/tcp open  https
515/tcp open  printer
902/tcp open  iss-realsecure
912/tcp open  apex-mesh

Nmap done: 1 IP address (1 host up) scanned in 57.45 seconds

-Pn: no-ping scan; skips host discovery and can get past a firewall (commonly used)

nmap -Pn <target IP>   (usually combined with other options)

-sV: probe the version of the service behind each open port

nmap -sV <target IP>

justice@hexo-ubuntu:~$ nmap -sV 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 10:56 UTC
Nmap scan report for localhost (10.9.121.245)
Host is up (0.0021s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE    VERSION
25/tcp   open  tcpwrapped
80/tcp   open  tcpwrapped
110/tcp  open  tcpwrapped
443/tcp  open  tcpwrapped
5357/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.19 seconds

-vv: verbose output of the scan results (lowercase vv)

nmap -vv <target IP>

justice@hexo-ubuntu:~$ nmap -vv 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 10:57 UTC
Initiating Ping Scan at 10:57
Scanning 10.9.121.245 [2 ports]
Completed Ping Scan at 10:57, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:57
Completed Parallel DNS resolution of 1 host. at 10:57, 2.02s elapsed
Initiating Connect Scan at 10:57
Scanning bogon (10.9.121.245) [1000 ports]
Discovered open port 443/tcp on 10.9.121.245
Discovered open port 80/tcp on 10.9.121.245
Discovered open port 110/tcp on 10.9.121.245
Discovered open port 25/tcp on 10.9.121.245
Increasing send delay for 10.9.121.245 from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Increasing send delay for 10.9.121.245 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 34.00% done; ETC: 10:58 (0:01:00 remaining)
Discovered open port 902/tcp on 10.9.121.245
Discovered open port 15000/tcp on 10.9.121.245
Discovered open port 912/tcp on 10.9.121.245
Completed Connect Scan at 10:58, 57.49s elapsed (1000 total ports)
Nmap scan report for bogon (10.9.121.245)
Host is up, received syn-ack (0.0015s latency).
Scanned at 2022-05-01 10:57:26 UTC for 60s
Not shown: 993 filtered ports
Reason: 993 no-responses
PORT      STATE SERVICE        REASON
25/tcp    open  smtp           syn-ack
80/tcp    open  http           syn-ack
110/tcp   open  pop3           syn-ack
443/tcp   open  https          syn-ack
902/tcp   open  iss-realsecure syn-ack
912/tcp   open  apex-mesh      syn-ack
15000/tcp open  hydap          syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 59.53 seconds

The output includes the open ports, the scan method, the service protocol for each port, and so on.

Route-tracing scan

nmap -traceroute <target IP>
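From a defender's side the interesting part of this output is not the scan itself but whether the open ports match what the host is supposed to expose. The following is an added example (not part of the original post): a small POSIX shell script that parses nmap's normal output, lists the ports reported as open, and prints any that are missing from a baseline allowlist. The scan text is a constructed sample shaped like the -vv report above, and the baseline of "mail and web only" is a hypothetical policy for this host.

```shell
#!/bin/sh
# Added example: parse nmap normal output and flag open ports that are not
# on an allowlist. Constructed sample, shaped like the -vv report above.
SAMPLE='Nmap scan report for bogon (10.9.121.245)
Host is up, received syn-ack (0.0015s latency).
Not shown: 993 filtered ports
Reason: 993 no-responses
PORT      STATE SERVICE        REASON
25/tcp    open  smtp           syn-ack
80/tcp    open  http           syn-ack
110/tcp   open  pop3           syn-ack
443/tcp   open  https          syn-ack
902/tcp   open  iss-realsecure syn-ack
912/tcp   open  apex-mesh      syn-ack
15000/tcp open  hydap          syn-ack

Nmap done: 1 IP address (1 host up) scanned in 59.53 seconds'

# open_ports SCAN_TEXT
# Prints "port/proto service" for each line whose first field looks like a
# port spec and whose STATE column is "open"; header and summary lines are
# skipped because their first field is not of the form NNN/tcp or NNN/udp.
open_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports SCAN_TEXT ALLOWLIST
# ALLOWLIST is a space-separated list of port/proto entries (hypothetical
# baseline for this host). Prints every open port that is not on the list.
unexpected_ports() {
    scan="$1"
    allow=" $2 "
    open_ports "$scan" | while read -r port svc; do
        case "$allow" in
            *" $port "*) ;;                       # expected, stay quiet
            *) printf '%s %s\n' "$port" "$svc" ;; # not in baseline: report
        esac
    done
}

# Hypothetical baseline: this host should expose only mail and web services.
BASELINE="25/tcp 80/tcp 110/tcp 443/tcp"

echo "Open ports not in baseline:"
unexpected_ports "$SAMPLE" "$BASELINE"
```

In practice you would feed the script a saved report (for example the file written by nmap -oN) instead of the embedded sample; the parsing works the same for the plain and -vv report formats because both use the PORT/STATE/SERVICE columns.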

justice@hexo-ubuntu:~$ nmap -traceroute 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 11:01 UTC
Traceroute has to be run as root
QUITTING!
justice@hexo-ubuntu:~$ sudo nmap -traceroute 10.9.121.245
[sudo] password for justice: 
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 11:01 UTC
Nmap scan report for localhost (10.9.121.245)
Host is up (0.0050s latency).
Not shown: 994 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
443/tcp open  https
515/tcp open  printer
912/tcp open  apex-mesh

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.28 ms localhost (192.168.17.2)
2   0.31 ms localhost (10.9.121.245)

Nmap done: 1 IP address (1 host up) scanned in 55.89 seconds

The route-tracing function helps network administrators understand how traffic travels across the network.

Through route tracing you can find the network nodes traversed between our machine and the destination, and see the time spent passing through each node.

OS detection: -O

nmap -O <target IP>

justice@hexo-ubuntu:~$ sudo nmap -O 10.9.121.245
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-01 11:08 UTC
Nmap scan report for bogon (10.9.121.245)
Host is up (0.0016s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
443/tcp   open  https
902/tcp   open  iss-realsecure
5357/tcp  open  wsdapi
15000/tcp open  hydap
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded
OS CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.88 seconds

All-in-one scan

Includes a ping scan of ports 1-10000, OS detection, script scanning, route tracing and service detection (takes a long time).

nmap -A <target IP>

Scan the current subnet

nmap ip/24

Other scan methods (rarely used)

  • -sR
    RPC scan. This method is used in combination with nmap's other port-scan methods. It takes every port found to be open and sends it a SunRPC program NULL command to determine whether it is an RPC port and, if so, which software and version it runs. This can also reveal some information about the firewall. Decoy scanning cannot currently be combined with RPC scanning.

  • -sU UDP scan
    A UDP scan shows which UDP (User Datagram Protocol, RFC 768) services a host provides. nmap first sends a 0-byte UDP packet to each port on the target host; if an ICMP port-unreachable message comes back, the port is closed, otherwise we assume it is open.

  • -sF -sX -sN: stealth FIN packet scan, Xmas Tree scan and Null scan modes, used when even a SYN scan cannot determine the state. Some firewalls and packet filters can watch for SYN packets sent to restricted ports, and some programs such as synlogger and courtney can detect those scans. These advanced scan types can slip past that interference. Their theoretical basis is that a closed port must answer your probe packet with an RST, while an open port must ignore the malformed packet (see RFC 793, page 64). A FIN scan probes with a bare FIN packet, while an Xmas Tree scan sets the FIN, URG and PUSH flags on the packet. Unfortunately, Microsoft decided to ignore this standard entirely and do its own thing, so these scans do not work against Windows 95/NT. From another angle, though, this can be used to tell the two kinds of platform apart: if these scans find open ports, you can be sure the target is not running Windows; if -sF, -sX or -sN show every port closed while a SYN scan shows open ports, the target is probably running Windows. This is of little use now that nmap has built-in OS detection. Several other systems behave the same way as Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: where the packet should be dropped, all of these systems send a reset from the open port.


Author: Justice
Copyright: unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Justice when reposting!