Nmap - Basic Introduction and Usage
NMAP Introduction
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what type of packet filters/firewalls are in use, and many other characteristics. It was designed to scan large networks quickly, but it works well against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
NMAP Installation
Ubuntu
apt-get install nmap
CentOS
yum install nmap
Windows
Download the latest installer from the official website:
https://nmap.org/download.html
NMAP Syntax
nmap -option -option IP/domain
nmap -option -option network-range
NMAP Common Commands
nmap -A
Nmap aggressive (comprehensive) scan: OS detection, version detection, script scanning and traceroute
nmap -A <target-IP>
root@localhost:~# nmap -A 192.168.2.81
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 15:53 CST
Service scan Timing: About 40.00% done; ETC: 15:55 (0:01:05 remaining)
Nmap scan report for 192.168.2.81
Host is up (0.00043s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:7B:42:52 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: ADMIN-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -2s
|_nbstat: NetBIOS name: ADMIN-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:7b:42:52 (VMware)
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: admin-PC
|   NetBIOS computer name: ADMIN-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-05-09T15:54:53+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-09T07:54:53
|_  start_date: 2020-05-09T07:51:16

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 192.168.2.81

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds
nmap -v -sS -A -T4
Nmap verbose scan: SYN stealth scan (-sS), T4 timing (should be fine on a LAN), OS and service version detection, plus traceroute and NSE scripts against the detected services
nmap -v -sS -A -T4 <target-IP>
root@localhost:~# nmap -v -sS -A -T4 192.168.2.81
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 15:57 CST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:57
Completed NSE at 15:57, 0.00s elapsed
Initiating NSE at 15:57
Completed NSE at 15:57, 0.00s elapsed
Initiating NSE at 15:57
Completed NSE at 15:57, 0.00s elapsed
Initiating ARP Ping Scan at 15:57
Scanning 192.168.2.81 [1 port]
Completed ARP Ping Scan at 15:57, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:57
Completed Parallel DNS resolution of 1 host. at 15:57, 2.56s elapsed
Initiating SYN Stealth Scan at 15:57
Scanning 192.168.2.81 [1000 ports]
Discovered open port 445/tcp on 192.168.2.81
Discovered open port 49156/tcp on 192.168.2.81
Discovered open port 49155/tcp on 192.168.2.81
Discovered open port 49154/tcp on 192.168.2.81
Discovered open port 139/tcp on 192.168.2.81
Discovered open port 135/tcp on 192.168.2.81
Discovered open port 49158/tcp on 192.168.2.81
Discovered open port 5357/tcp on 192.168.2.81
Discovered open port 49153/tcp on 192.168.2.81
Discovered open port 49152/tcp on 192.168.2.81
Completed SYN Stealth Scan at 15:57, 1.40s elapsed (1000 total ports)
Initiating Service scan at 15:57
Scanning 10 services on 192.168.2.81
Service scan Timing: About 50.00% done; ETC: 15:58 (0:00:53 remaining)
Completed Service scan at 15:58, 58.56s elapsed (10 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.81
NSE: Script scanning 192.168.2.81.
Initiating NSE at 15:58
Completed NSE at 15:58, 5.69s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.01s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Nmap scan report for 192.168.2.81
Host is up (0.00037s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
MAC Address: 00:0C:29:7B:42:52 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.005 days (since Sat May 9 15:51:01 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: ADMIN-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -2s
| nbstat: NetBIOS name: ADMIN-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:7b:42:52 (VMware)
| Names:
|   ADMIN-PC<20>         Flags: <unique><active>
|   ADMIN-PC<00>         Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: admin-PC
|   NetBIOS computer name: ADMIN-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-05-09T15:58:07+08:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-09T07:58:07
|_  start_date: 2020-05-09T07:51:16

TRACEROUTE
HOP RTT     ADDRESS
1   0.37 ms 192.168.2.81

NSE: Script Post-scanning.
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Initiating NSE at 15:58
Completed NSE at 15:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.82 seconds
           Raw packets sent: 1135 (50.638KB) | Rcvd: 1017 (41.398KB)
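Both scans above produce the same normal-output layout: a port table followed by "Host script results" blocks whose continuation lines are marked with "|" and "|_". The added example below (not part of the original post or of Nmap itself) parses that layout and, from a defender's point of view, turns the smb-security-mode / smb2-security-mode findings into a simple hardening check; the sample report is a constructed, trimmed copy of the "nmap -A 192.168.2.81" output shown above.

```python
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: a trimmed copy of the "nmap -A 192.168.2.81" output shown above.
SAMPLE_REPORT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

def parse_report(text):
    # Returns {"ports": [(port, proto, state, service, version)], "scripts": {name: [lines]}}
    report = {"ports": [], "scripts": {}}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            report["ports"].append((int(port), proto, state, service, version.strip()))
        elif line.startswith("|"):
            body = line[1:]
            if body.startswith("_"):            # "|_" marks the last line of a script block
                body = " " + body[1:]
            indent = len(body) - len(body.lstrip(" "))
            body = body.strip()
            if indent <= 1:                     # "| name: ..." opens a new script block
                current, _, rest = body.partition(":")
                report["scripts"][current] = [rest.strip()] if rest.strip() else []
            elif current:                       # deeper indent: continuation of that block
                report["scripts"][current].append(body)
    return report

def open_ports(report):
    return sorted(p for p, _, state, _, _ in report["ports"] if state == "open")

def smb_signing_findings(report):
    # Defender check: flag SMB endpoints that do not enforce message signing.
    scripts = report["scripts"]
    checks = [("smb-security-mode", "message_signing: disabled", "SMB1 message signing disabled"),
              ("smb2-security-mode", "not required", "SMB2 message signing not required")]
    return [msg for name, needle, msg in checks
            if any(needle in l for l in scripts.get(name, []))]
```

Run against the full report above, the same functions return all ten open ports and both signing findings; the same "|"/"|_" structure is used by every NSE script, so the parser also works for blocks such as smb-os-discovery.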
nmap -v -sS -p- -A -T4
Same scan as above, but scans all 65535 TCP ports (-p-), which takes longer
nmap -v -sS -p- -A -T4 <target-IP>
nmap -v -sU -sS -p- -A -T4
Same scan as above, but scans all TCP ports and additionally performs a UDP scan (-sU), which takes considerably longer
nmap -v -sU -sS -p- -A -T4 <target-IP>