Nmap(Network Mapper)是一款开放源代码的网络探测和安全审核工具。它用于快速扫描一个网络和一台主机开放的端口,还能使用TCP/IP协议栈特征探测远程主机的操作系统类型。nmap支持很多扫描技术,例如:UDP、TCP connect()、TCP SYN(半开扫描)、ftp代理(bounce攻击)、反向标志、ICMP、FIN、ACK扫描、圣诞树(Xmas Tree)、SYN扫描和null扫描。Nmap最初是用于unix系统的命令行应用程序。在2000年的时候,这个应用程序有了windows版本,可以直接安装使用。
Nmap命令的格式为:
Nmap [ 扫描类型 ... ] [ 通用选项 ] { 扫描目标说明 }
下面对Nmap命令的参数按分类进行说明:
1. 扫描类型
| -sT | TCP connect()扫描,这是最基本的TCP扫描方式。这种扫描很容易被检测到,在目标主机的日志中会记录大批的连接请求以及错误信息。 |
| -sS | TCP同步扫描(TCP SYN),因为不必全部打开一个TCP连接,所以这项技术通常称为半开扫描(half-open)。这项技术最大的好处是,很少有系统能够把这记入系统日志。不过,你需要root权限来定制SYN数据包。 |
| -sF,-sX,-sN | 秘密FIN数据包扫描、圣诞树(Xmas Tree)、空(Null)扫描模式。这些扫描方式的理论依据是:关闭的端口需要对你的探测包回应RST包,而打开的端口必需忽略有问题的包(参考RFC 793第64页)。 |
| -sP | ping扫描,用ping方式检查网络上哪些主机正在运行。当主机阻塞ICMP echo请求包是ping扫描是无效的。nmap在任何情况下都会进行ping扫描,只有目标主机处于运行状态,才会进行后续的扫描。 |
| -sU | 如果你想知道在某台主机上提供哪些UDP(用户数据报协议,RFC768)服务,可以使用此选项。 |
| -sA | ACK扫描,这项高级的扫描方法通常可以用来穿过防火墙。 |
| -sW | 滑动窗口扫描,非常类似于ACK的扫描。 |
| -sR | RPC扫描,和其它不同的端口扫描方法结合使用。 |
| -b | FTP反弹攻击(bounce attack),连接到防火墙后面的一台FTP服务器做代理,接着进行端口扫描。 |
2. 通用选项
| -P0 | 在扫描之前,不ping主机。 |
| -PT | 扫描之前,使用TCP ping确定哪些主机正在运行。 |
| -PS | 对于root用户,这个选项让nmap使用SYN包而不是ACK包来对目标主机进行扫描。 |
| -PI | 设置这个选项,让nmap使用真正的ping(ICMP echo请求)来扫描目标主机是否正在运行。 |
| -PB | 这是默认的ping扫描选项。它使用ACK(-PT)和ICMP(-PI)两种扫描类型并行扫描。如果防火墙能够过滤其中一种包,使用这种方法,你就能够穿过防火墙。 |
| -O | 这个选项激活对TCP/IP指纹特征(fingerprinting)的扫描,获得远程主机的标志,也就是操作系统类型。 |
| -I | 打开nmap的反向标志扫描功能。 |
| -f | 使用碎片IP数据包发送SYN、FIN、XMAS、NULL。包增加包过滤、入侵检测系统的难度,使其无法知道你的企图。 |
| -v | 冗余模式。强烈推荐使用这个选项,它会给出扫描过程中的详细信息。 |
| -S <IP> | 在一些情况下,nmap可能无法确定你的源地址(nmap会告诉你)。在这种情况使用这个选项给出你的IP地址。 |
| -g port | 设置扫描的源端口。一些天真的防火墙和包过滤器的规则集允许源端口为DNS(53)或者FTP-DATA(20)的包通过和实现连接。显然,如果攻击者把源端口修改为20或者53,就可以摧毁防火墙的防护。 |
| -oN | 把扫描结果重定向到一个可读的文件logfilename中。 |
| -oS | 扫描结果输出到标准输出。 |
| --host_timeout | 设置扫描一台主机的时间,以毫秒为单位。默认的情况下,没有超时限制。 |
| --max_rtt_timeout | 设置对每次探测的等待时间,以毫秒为单位。如果超过这个时间限制就重传或者超时。默认值是大约9000毫秒。 |
| --min_rtt_timeout | 设置nmap对每次探测至少等待你指定的时间,以毫秒为单位。 |
| -M count | 置进行TCP connect()扫描时,最多使用多少个套接字进行并行的扫描。 |
3. 扫描目标
| 目标地址 | 可以为IP地址,CIRD地址等。如192.168.1.2,222.247.54.5/24 |
| -iL filename | 从filename文件中读取扫描的目标。 |
| -iR | 让nmap自己随机挑选主机进行扫描。 |
| -p | 端口 这个选项让你选择要进行扫描的端口号的范围。如:-p 20-30,139,60000。 |
| -exclude | 排除指定主机。 |
| -excludefile | 排除指定文件中的主机。 |
举例:
- nmap -v www.hao123.com nmap -sS -O 192.168.1.23/24
- nmap -sX -p 22,53,110,143,4564 128.210.*.1-127
- nmap -v --randomize_hosts -p 80 *.*.2.3-5
- host -l company.com | cut -d -f 4 | ./nmap -v -iL -
1. 用主机名和IP地址扫描系统
Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。
使用主机名扫描
- [root@server1 ~]# nmap server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
- You have new mail in /var/spool/mail/root
使用IP地址扫描
- [root@server1 ~]# nmap 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 958/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
- You have new mail in /var/spool/mail/root
2.扫描使用“-v”选项
你可以看到下面的命令使用“ -v “选项后给出了远程机器更详细的信息。
- [root@server1 ~]# nmap -v server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
- Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
- The ARP Ping Scan took 0.01s to scan 1 total hosts.
- Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
- Discovered open port 22/tcp on 192.168.0.101
- Discovered open port 80/tcp on 192.168.0.101
- Discovered open port 8888/tcp on 192.168.0.101
- Discovered open port 111/tcp on 192.168.0.101
- Discovered open port 3306/tcp on 192.168.0.101
- Discovered open port 957/tcp on 192.168.0.101
- The SYN Stealth Scan took 0.30s to scan 1680 total ports.
- Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
- Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)
3.扫描多台主机
你可以简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。
- [root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds
4.扫描整个子网
你可以使用*通配符来扫描整个子网或某个范围的IP地址。
- [root@server1 ~]# nmap 192.168.0.*
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
- Interesting ports on server1.tecmint.com (192.168.0.100):
- Not shown: 1677 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 111/tcp open rpcbind
- 851/tcp open unknown
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
- You have new mail in /var/spool/mail/root
从上面的输出可以看到,nmap扫描了整个子网,给出了网络中当前网络中在线主机的信息。
5.使用IP地址的最后一个字节扫描多台服务器
你可以简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。
- [root@server1 ~]# nmap 192.168.0.101,102,103
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
- You have new mail in /var/spool/mail/root
6. 从一个文件中扫描主机列表
如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。
创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。
- [root@server1 ~]# cat > nmaptest.txt
- localhost
- server2.tecmint.com
- 192.168.0.101
接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址。
- [root@server1 ~]# nmap -iL nmaptest.txt
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
- Interesting ports on localhost.localdomain (127.0.0.1):
- Not shown: 1675 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 25/tcp open smtp
- 111/tcp open rpcbind
- 631/tcp open ipp
- 857/tcp open unknown
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 958/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 958/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds
7.扫描一个IP地址范围
你可以在nmap执行扫描时指定IP范围。
- [root@server1 ~]# nmap 192.168.0.101-110
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds
8.排除一些远程主机后再扫描
在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。
- [root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
- You have new mail in /var/spool/mail/root
9.扫描操作系统信息和路由跟踪
使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。
- [root@server1 ~]# nmap -A 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
- 80/tcp open http Apache httpd 2.2.3 ((CentOS))
- 111/tcp open rpcbind 2 (rpc #100000)
- 957/tcp open status 1 (rpc #100024)
- 3306/tcp open mysql MySQL (unauthorized)
- 8888/tcp open http lighttpd 1.4.32
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
- TCP/IP fingerprint:
- SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
- TSeq(Class=TR%IPID=Z%TS=1000HZ)
- T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
- T2(Resp=N)
- T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
- T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
- Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)
- Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds
从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。
10.启用Nmap的操作系统探测功能
使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。
- [root@server1 ~]# nmap -O server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
- TCP/IP fingerprint:
- SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
- TSeq(Class=TR%IPID=Z%TS=1000HZ)
- T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
- T2(Resp=N)
- T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
- T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS
- R%Ops=)
- T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
- T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
- PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
- Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)
- Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
- You have new mail in /var/spool/mail/root
11.扫描主机侦测防火墙
下面的命令将扫描远程主机以探测该主机是否使用了包过滤器或防火墙。
- [root@server1 ~]# nmap -sA 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
- All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
- You have new mail in /var/spool/mail/root
12.扫描主机检测是否有防火墙保护
扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
- [root@server1 ~]# nmap -PN 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds
13.找出网络中的在线主机
使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。
- [root@server1 ~]# nmap -sP 192.168.0.*
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
- Host server1.tecmint.com (192.168.0.100) appears to be up.
- Host server2.tecmint.com (192.168.0.101) appears to be up.
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds
14.执行快速扫描
你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。
- [root@server1 ~]# nmap -F 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1234 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds
15.查看Nmap的版本
你可以使用“-V”选项来检测你机子上Nmap的版本。
- [root@server1 ~]# nmap -V
- Nmap version 4.11 ( http://www.insecure.org/nmap/ )
- You have new mail in /var/spool/mail/root
16.顺序扫描端口
使用“-r”选项表示不会随机的选择端口扫描。
- [root@server1 ~]# nmap -r 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds
17.打印主机接口和路由
你可以使用nmap的“–iflist”选项检测主机接口和路由信息。
- [root@server1 ~]# nmap --iflist
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
- ************************INTERFACES************************
- DEV (SHORT) IP/MASK TYPE UP MAC
- lo (lo) 127.0.0.1/8 loopback up
- eth0 (eth0) 192.168.0.100/24 ethernet up 08:00:27:11:C7:89
- **************************ROUTES**************************
- DST/MASK DEV GATEWAY
- 192.168.0.0/0 eth0
- 169.254.0.0/0 eth0
从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。
18.扫描特定的端口
使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。
- [root@server1 ~]# nmap -p 80 server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 80/tcp open http
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) sca
19.扫描TCP端口
你可以指定具体的端口类型和端口号来让nmap扫描。
- [root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 80/tcp open http
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
20.扫描UDP端口
- [root@server1 ~]# nmap -sU 53 server2.tecmint.com
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 53/udp open http
- 8888/udp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
21.扫描多个端口
你还可以使用选项“-P”来扫描多个端口。
- [root@server1 ~]# nmap -p 80,443 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 80/tcp open http
- 443/tcp closed https
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds
22.扫描指定范围内的端口
您可以使用表达式来扫描某个范围内的端口。
- [root@server1 ~]# nmap -p 80-160 192.168.0.101
23.查找主机服务版本号
我们可以使用“-sV”选项找出远程主机上运行的服务版本。
- [root@server1 ~]# nmap -sV 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE VERSION
- 22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
- 80/tcp open http Apache httpd 2.2.3 ((CentOS))
- 111/tcp open rpcbind 2 (rpc #100000)
- 957/tcp open status 1 (rpc #100024)
- 3306/tcp open mysql MySQL (unauthorized)
- 8888/tcp open http lighttpd 1.4.32
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds
24.使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机
有时候包过滤防火墙会阻断标准的ICMP ping请求,在这种情况下,我们可以使用TCP ACK和TCP Syn方法来扫描远程主机。
- [root@server1 ~]# nmap -PS 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds
- You have new mail in /var/spool/mail/root
25.使用TCP ACK扫描远程主机上特定的端口
- [root@server1 ~]# nmap -PA -p 22,80 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds
- You have new mail in /var/spool/mail/root
26. 使用TCP Syn扫描远程主机上特定的端口
- [root@server1 ~]# nmap -PS -p 22,80 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds
- You have new mail in /var/spool/mail/root
27.执行一次隐蔽的扫描
- [root@server1 ~]# nmap -sS 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
- You have new mail in /var/spool/mail/root
28.使用TCP Syn扫描最常用的端口
- [root@server1 ~]# nmap -sT 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:12 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open ssh
- 80/tcp open http
- 111/tcp open rpcbind
- 957/tcp open unknown
- 3306/tcp open mysql
- 8888/tcp open sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 0.406 seconds
- You have new mail in /var/spool/mail/root
29.执行TCP空扫描以骗过防火墙
- [root@server1 ~]# nmap -sN 192.168.0.101
- Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
- Interesting ports on server2.tecmint.com (192.168.0.101):
- Not shown: 1674 closed ports
- PORT STATE SERVICE
- 22/tcp open|filtered ssh
- 80/tcp open|filtered http
- 111/tcp open|filtered rpcbind
- 957/tcp open|filtered unknown
- 3306/tcp open|filtered mysql
- 8888/tcp open|filtered sun-answerbook
- MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
- Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
- You have new mail in /var/spool/mail/root
nmap几个简单用法
1、ping扫描:扫描192.168.0.0/24网段上有哪些主机是存活的;
[root@laolinux ~]# nmap -sP 192.168.0.0/24
Starting Nmap 4.11 (
http://www.insecure.org/nmap/
) at 2009-04-25 06:59 CST
Host laolinux (192.168.0.3) appears to be up.
Host 192.168.0.20 appears to be up.
MAC Address: 00:1E:4F:CD:C6:0E (Unknown)
Host 192.168.0.108 appears to be up.
MAC Address: 00:E3:74:27:05:B7 (Unknown)
Host 192.168.0.109 appears to be up.
MAC Address: 00:E0:E4:A6:14:6F (Fanuc Robotics North America)
Host 192.168.0.111 appears to be up.
MAC Address: 00:E0:E4:A6:1C:91 (Fanuc Robotics North America)
Host 192.168.0.114 appears to be up.
MAC Address: 00:11:1A:35:38:65 (Motorola BCS)
Host 192.168.0.118 appears to be up.
MAC Address: 00:E0:2A:51:AC:5B (Tandberg Television AS)
Host 192.168.0.119 appears to be up.
MAC Address: 00:EA:E5:C1:21:D6 (Unknown)
Host 192.168.0.124 appears to be up.
MAC Address: 00:E0:4C:39:05:81 (Realtek Semiconductor)
Host 192.168.0.127 appears to be up.
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Host 192.168.0.128 appears to be up.
MAC Address: 00:E0:E4:A6:1C:96 (Fanuc Robotics North America)
Host 192.168.0.134 appears to be up.
MAC Address: 00:E0:2A:51:AC:5F (Tandberg Television AS)
Host 192.168.0.135 appears to be up.
MAC Address: 00:11:1A:35:38:60 (Motorola BCS)
Host 192.168.0.137 appears to be up.
MAC Address: 00:1F:06:D6:3E:BA (Unknown)
Host 192.168.0.139 appears to be up.
MAC Address: 00:E0:E4:A6:1C:92 (Fanuc Robotics North America)
Host 192.168.0.140 appears to be up.
MAC Address: 00:1F:1A:39:1B:8D (Unknown)
Host 192.168.0.155 appears to be up.
MAC Address: 00:1C:23:4C:DB:A0 (Unknown)
Host 192.168.0.211 appears to be up.
MAC Address: 00:1D:72:98:A2:8C (Unknown)
Host 192.168.0.220 appears to be up.
MAC Address: 00:40:45:20:8C:93 (Twinhead)
Host 192.168.0.221 appears to be up.
MAC Address: 00:09:6B:50:71:26 (IBM)
Nmap finished: 256 IP addresses (20 hosts up) scanned in 3.818 seconds
Host laolinux (192.168.0.3) appears to be up.
Host 192.168.0.20 appears to be up.
MAC Address: 00:1E:4F:CD:C6:0E (Unknown)
Host 192.168.0.108 appears to be up.
MAC Address: 00:E3:74:27:05:B7 (Unknown)
Host 192.168.0.109 appears to be up.
MAC Address: 00:E0:E4:A6:14:6F (Fanuc Robotics North America)
Host 192.168.0.111 appears to be up.
MAC Address: 00:E0:E4:A6:1C:91 (Fanuc Robotics North America)
Host 192.168.0.114 appears to be up.
MAC Address: 00:11:1A:35:38:65 (Motorola BCS)
Host 192.168.0.118 appears to be up.
MAC Address: 00:E0:2A:51:AC:5B (Tandberg Television AS)
Host 192.168.0.119 appears to be up.
MAC Address: 00:EA:E5:C1:21:D6 (Unknown)
Host 192.168.0.124 appears to be up.
MAC Address: 00:E0:4C:39:05:81 (Realtek Semiconductor)
Host 192.168.0.127 appears to be up.
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Host 192.168.0.128 appears to be up.
MAC Address: 00:E0:E4:A6:1C:96 (Fanuc Robotics North America)
Host 192.168.0.134 appears to be up.
MAC Address: 00:E0:2A:51:AC:5F (Tandberg Television AS)
Host 192.168.0.135 appears to be up.
MAC Address: 00:11:1A:35:38:60 (Motorola BCS)
Host 192.168.0.137 appears to be up.
MAC Address: 00:1F:06:D6:3E:BA (Unknown)
Host 192.168.0.139 appears to be up.
MAC Address: 00:E0:E4:A6:1C:92 (Fanuc Robotics North America)
Host 192.168.0.140 appears to be up.
MAC Address: 00:1F:1A:39:1B:8D (Unknown)
Host 192.168.0.155 appears to be up.
MAC Address: 00:1C:23:4C:DB:A0 (Unknown)
Host 192.168.0.211 appears to be up.
MAC Address: 00:1D:72:98:A2:8C (Unknown)
Host 192.168.0.220 appears to be up.
MAC Address: 00:40:45:20:8C:93 (Twinhead)
Host 192.168.0.221 appears to be up.
MAC Address: 00:09:6B:50:71:26 (IBM)
Nmap finished: 256 IP addresses (20 hosts up) scanned in 3.818 seconds
2、端口扫描:扫描192.168.0.3这台主机开放了哪些端口;
[root@laolinux ~]# nmap -sT 192.168.0.3
Starting Nmap 4.11 (
http://www.insecure.org/nmap/
) at 2009-04-25 07:02 CST
Interesting ports on laolinux (192.168.0.3):
Not shown: 1667 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
964/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
Interesting ports on laolinux (192.168.0.3):
Not shown: 1667 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
964/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
Nmap finished: 1 IP address (1 host up) scanned in 4.755 seconds
3、隐藏扫描,只在目标主机上留下很少的日志信息:隐藏扫描192.168.0.220
[root@laolinux ~]# nmap -sS 192.168.0.127
Starting Nmap 4.11 (
http://www.insecure.org/nmap/
) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 3.121 seconds
4、UDP端口扫描:扫描192.168.0.127开放了哪些UDP端口;
[root@laolinux ~]# nmap -sU 192.168.0.127
Starting Nmap 4.11 (
http://www.insecure.org/nmap/
) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1480 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Interesting ports on 192.168.0.127:
Not shown: 1480 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 2.947 seconds
5、操作系统识别:
[root@laolinux ~]# nmap -sS -O 192.168.0.127
Starting Nmap 4.11 (
http://www.insecure.org/nmap/
) at 2009-04-25 07:09 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
912/tcp open unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Nmap finished: 1 IP address (1 host up) scanned in 5.687 seconds
参考文献:
http://www.aiezu.com/system/linux/linux_nmap_tutorial.html
http://blog.chinaunix.net/uid-20591796-id-1918895.html
http://os.51cto.com/art/201401/428152.htm