nmap命令的用法
Nmap简介
Nmap是一款非常强大的主机发现和端口扫描工具,而且nmap运用自带的脚本,还能完成漏洞检测,同时支持多平台。
一般情况下,Nmap用于列举网络主机清单、管理服务升级调度、监控主机或服务运行状况。
Nmap可以检测目标机是否在线、端口开放情况、侦测运行的服务类型及版本信息、侦测操作系统与设备类型等信息。
Nmap的优点:
- 灵活。支持数十种不同的扫描方式,支持多种目标对象的扫描
- 强大。Nmap可以用于扫描互联网上大规模的计算机
- 可移植。支持主流操作系统:Windows/Linux/Unix/MacOS等等;源码开放,方便移植
- 简单。提供默认的操作能覆盖大部分功能,基本端口扫描nmap targetip,全面的扫描nmap –A targetip
- 自由。Nmap作为开源软件,在GPL License的范围内可以自由的使用
- 文档丰富。Nmap官网提供了详细的文档描述。Nmap作者及其他安全专家编写了多部Nmap参考书籍
- 社区支持。Nmap背后有强大的社区团队支持
Nmap包含四项基本功能:
- 端口扫描 (Port Scanning)
- 主机发现 (Host Discovery)
- 版本侦测 (Version Detection)
- 操作系统侦测 (Operating System Detection)
而这四项功能之间,又存在大致的依赖关系(通常情况下的顺序关系,但特殊应用另外考虑)
首先需要进行主机发现,随后确定端口状态,然后确定端口上运行的具体应用程序和版本信息,然后可以进行操作系统的侦测。
而在这四项功能的基础上,nmap还提供防火墙和 IDS 的规避技巧,可以综合运用到四个基本功能的各个阶段。
另外nmap还提供强大的NSE(Nmap Scripting Language)脚本引擎功能,脚本可以对基本功能进行补充和扩展。
nmap端口状态解析
open: 应用程序在该端口接收 TCP 连接或者 UDP 报文。closed:关闭的端口对于nmap也是可访问的, 它接收nmap探测报文并作出响应。但没有应用程序在其上监听。filtered:由于包过滤阻止探测报文到达端口,nmap无法确定该端口是否开放。过滤可能来自专业的防火墙设备,路由规则 或者主机上的软件防火墙。unfiltered:未被过滤状态意味着端口可访问,但是nmap无法确定它是开放还是关闭。 只有用于映射防火墙规则集的 ACK 扫描才会把端口分类到这个状态。open|filtered:无法确定端口是开放还是被过滤, 开放的端口不响应就是一个例子。没有响应也可能意味着报文过滤器丢弃了探测报文或者它引发的任何反应。UDP,IP协议,FIN, Null 等扫描会引起。closed|filtered:(关闭或者被过滤的):无法确定端口是关闭的还是被过滤的
用法介绍
端口扫描
扫描主机的「开放端口」,在nmap后面直接跟主机IP(默认扫描1024个端口)
$ nmap 192.168.140.3
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-25 14:01 中国标准时间
Nmap scan report for 192.168.140.3
Host is up (0.000085s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
443/tcp open https
MAC Address: 00:0C:29:EB:8B:A5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
指定端口
使用 -p 参数,可以一次扫描单个端口、多个端口、或扫描一个范围的端口
nmap 192.168.140.3 -p 80
nmap 192.168.140.3 -p 1-80
nmap 192.168.140.3 -p 80,443,3306,22,21
nmap 192.168.140.3 -p 1-65535
nmap 192.168.140.3 -p- # -p- 等价于 -p 1-65535
指定扫描方式
效果可通过「wireshark」来抓包看下
这里扫描22端口来测试
所以这里的抓包过滤条件为
ip.addr == 192.168.140.3 and tcp.port==22
TCP全链接扫描
需要使用 -sT 参数来进行TCP全链接扫描
全连接扫描: 使用完整的三次握手建立链接,能够建立链接就判定端口开放,否则判定端口关闭。
nmap -sT 192.168.140.3 -p 22
-
如果端口开放,就会进行完整的三次握手,成功建立链接,扫描结果中,STATE字段显示为 open 。
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-25 17:10 中国标准时间 Nmap scan report for 192.168.140.3 Host is up (0.0030s latency). PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds
-
如果端口关闭,就只能进行一次握手,无法建立链接,扫描结果中,STATE字段显示为 closed。
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-25 17:15 中国标准时间 Nmap scan report for 192.168.140.3 Host is up (0.0030s latency). PORT STATE SERVICE 220/tcp filtered imap3 Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
SYN半链接扫描
需要使用 -sS 参数来进行SYN半链接扫描
半链接扫描: 只进行两次握手,对方返回确认帧(ACK=1)就判定端口开放,否则判定端口关闭。
nmap -sS 192.168.140.3 -p 22
-
如果端口开放,就会进行两次握手,扫描结果中,STATE字段为 open 。
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-25 17:17 中国标准时间 Nmap scan report for 192.168.140.3 Host is up (0.0020s latency). PORT STATE SERVICE 22/tcp open ssh Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds
-
如果端口关闭,就只有一次握手,扫描结果中,STATE字段为 closed。
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-25 17:21 中国标准时间 Nmap scan report for 192.168.140.3 Host is up (0.0029s latency). PORT STATE SERVICE 220/tcp closed imap3 Nmap done: 1 IP address (1 host up) scanned in 0.96 seconds
隐秘扫描
隐秘扫描,只适用于Linux系统。
隐秘扫描:向目标主机的端口发送TCP FIN包 或 Xmas tree包 或 Null包,如果收到RST响应包,就判定端口关闭,否则就判定端口开放或被屏蔽(open/filtered)
-
Fin扫描
nmap -sF 192.168.140.3 -p 2217:28:08.795400 IP 192.168.140.139.39051 > 192.168.140.3.22: Flags [F], seq 4178880894, win 1024, length 0 17:28:08.895546 IP 192.168.140.139.39052 > 192.168.140.3.22: Flags [F], seq 4178946431, win 1024, length 0 -
Null扫描
nmap -sN 192.168.140.3 -p 2217:28:58.783348 IP 192.168.140.139.53355 > 192.168.140.3.22: Flags [none], win 1024, length 0 17:28:58.883547 IP 192.168.140.139.53356 > 192.168.140.3.22: Flags [none], win 1024, length 0 -
Xmas扫描
nmap -sX 192.168.140.3 -p 2217:29:45.187480 IP 192.168.140.139.47807 > 192.168.140.3.22: Flags [FPU], seq 311250085, win 1024, urg 0, length 0 17:29:45.287627 IP 192.168.140.139.47808 > 192.168.140.3.22: Flags [FPU], seq 311184548, win 1024, urg 0, length 0
UDP扫描
使用 -sU 参数来进行UDP端口扫描
$ nmap -sU 192.168.140.3 -p 53
Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:31 CST
Nmap scan report for 192.168.140.3
Host is up (0.00041s latency).
PORT STATE SERVICE
53/udp open domain
MAC Address: 00:0C:29:EB:xx:xx (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
其他选项
排除IP
使用 --exclude 参数
nmap 192.168.140.0/24 --exclude 192.168.140.3
nmap 192.168.140.0/24 --exclude 192.168.140.3-5
nmap 192.168.140.0/24 --exclude 192.168.140.3,192.168.140.5
排除端口
使用 --exclude-ports 参数
nmap 192.168.140.3 --exclude-ports 22
nmap 192.168.140.3 --exclude-ports 22-1000
nmap 192.168.140.3 --exclude-ports 22,3306,53
扫描的最常用端口
使用 --top-ports 选项可以指定要扫描的端口数量,从而提高扫描速度。
nmap 192.168.140.3 --top-ports=100
# 扫描最常见的100个端口
仅显示状态为"open"的端口
nmap 192.168.140.3 --open
主机探测
-
通过ping扫描主机,不扫描端口
使用
-sP参数时,Nmap 会发送 ICMP ECHO 请求报文(ping 请求)到目标主机,以检查它们是否在线。
如果目标主机响应了 ping 请求,Nmap 会报告该主机是 “open” 的。然而,这种扫描方法不会提供有关目标主机端口和服务的任何信息。$ nmap -sP 192.168.140.1-5 Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:34 CST Nmap scan report for 192.168.140.1 Host is up (0.0033s latency). MAC Address: 4C:E9:E4:B6:xx:xx (Unknown) Nmap scan report for 192.168.140.3 Host is up (0.00038s latency). MAC Address: 00:0C:29:EB:xx:xx (VMware) Nmap scan report for 192.168.140.4 Host is up (0.00039s latency). MAC Address: 44:A8:42:14:xx:xx (Dell) Nmap scan report for 192.168.140.5 Host is up (0.00038s latency). MAC Address: 00:0C:29:08:xx:xx (VMware) Nmap done: 5 IP addresses (4 hosts up) scanned in 0.53 seconds -
只扫描目标主机的 IP 地址和主机名
使用
-sn参数时,Nmap 只会扫描目标主机的 IP 地址和主机名,而不会检查开放的端口或服务。这对于快速检查目标主机是否在线以及获取其基本信息非常有用。$ nmap -sn 192.168.140.1-5 Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:34 CST Nmap scan report for 192.168.140.1 Host is up (0.0033s latency). MAC Address: 4C:E9:E4:B6:xx:xx (Unknown) Nmap scan report for 192.168.140.3 Host is up (0.00038s latency). MAC Address: 00:0C:29:EB:xx:xx (VMware) Nmap scan report for 192.168.140.4 Host is up (0.00039s latency). MAC Address: 44:A8:42:14:xx:xx (Dell) Nmap scan report for 192.168.140.5 Host is up (0.00038s latency). MAC Address: 00:0C:29:08:xx:xx (VMware) Nmap done: 5 IP addresses (4 hosts up) scanned in 0.53 seconds -
跳过 ICMP 主机发现,直接进行端口扫描
在 Nmap 命令中,-Pn 选项用于禁用 ICMP 主机发现(Host Discovery)。
在执行网络扫描时,Nmap 默认会发送 ICMP ECHO 请求报文(ping 请求)到目标主机,以确定它们是否在线。
然而,在某些情况下,你可能不希望发送 ICMP 请求,例如在防火墙或 IDS 系统严格限制 ICMP 流量的网络环境中。使用 -Pn 选项可以告诉 Nmap 跳过 ICMP 主机发现,直接进行端口扫描。
这样,Nmap 将不会发送 ping 请求,而是直接扫描目标主机的端口。
这可以在受限制的网络环境中提高扫描效率,但请注意,这样做可能导致扫描结果不准确,因为 Nmap 无法确定目标主机是否在线。$ nmap -Pn 192.168.140.1-5 Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:43 CST Nmap scan report for 192.168.140.1 Host is up (0.00024s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 443/tcp open https MAC Address: 4C:E9:E4:B6:xx:xx (Unknown) Nmap scan report for 192.168.140.3 Host is up (0.00025s latency). Not shown: 994 closed ports PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 111/tcp open rpcbind 443/tcp open https MAC Address: 00:0C:29:EB:xx:xx (VMware) Nmap scan report for 192.168.140.4 Host is up (0.00033s latency). Not shown: 990 filtered ports PORT STATE SERVICE 22/tcp closed ssh 80/tcp open http 427/tcp open svrloc 443/tcp open https MAC Address: 44:A8:42:14:xx:xx (Dell) Nmap scan report for 192.168.140.5 Host is up (0.00022s latency). Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 00:0C:29:08:xx:xx (VMware) Nmap done: 5 IP addresses (4 hosts up) scanned in 202.85 seconds
服务识别
扫描端口时,默认显示端口对应的服务,但不显示服务版本。
想要识别具体的「服务版本」,可以使用 -sV 参数。
$ nmap -sV 192.168.140.3 -p 22
Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:50 CST
Nmap scan report for 192.168.140.3
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
MAC Address: 00:0C:29:EB:xx:xx (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
扫描结果中,VERSION字段显示服务的详细版本。
系统识别
想要识别「操作系统版本」,可以使用 -O 参数。
$ nmap -O 192.168.140.3 -p 22
Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:52 CST
Nmap scan report for 192.168.140.3
Host is up (0.00034s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:EB:xx:xx (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds
提示:
- Nmap扫描出的系统版本并完全准确,仅供参考。
- 当识别不出具体版本时,Nmap会以概率的形式列举出可能的操作系统。
扫描结果导出
Nmap的扫描结果可以保存到文件中,比如文本格式、XML格式。
- 将扫描结果导出为「文本格式」,结果原样保存。
$ nmap 192.168.140.3 -p 22 -oN res.txt
Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:55 CST
Nmap scan report for 192.168.140.3
Host is up (0.00039s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:EB:8B:A5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
$ cat res.txt
# Nmap 7.01 scan initiated Thu Jan 25 17:55:03 2024 as: nmap -p 22 -oN res.txt 192.168.140.3
Nmap scan report for 192.168.140.3
Host is up (0.00039s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:EB:8B:A5 (VMware)
# Nmap done at Thu Jan 25 17:55:03 2024 -- 1 IP address (1 host up) scanned in 0.55 seconds
- 将扫描结果导出为「xml格式」,结果的保存格式会发生变化。
$ nmap 192.168.140.3 -p 22 -oX res.xml
Starting Nmap 7.01 ( https://nmap.org ) at 2024-01-25 17:56 CST
Nmap scan report for 192.168.140.3
Host is up (0.00040s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 00:0C:29:EB:8B:A5 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
$ cat res.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.01 scan initiated Thu Jan 25 17:56:24 2024 as: nmap -p 22 -oX res.xml 192.168.140.3 -->
<nmaprun scanner="nmap" args="nmap -p 22 -oX res.xml 192.168.140.3" start="1706176584" startstr="Thu Jan 25 17:56:24 2024" version="7.01" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="22"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1706176584" endtime="1706176585"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.140.3" addrtype="ipv4"/>
<address addr="00:0C:29:EB:8B:A5" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="table" conf="3"/></port>
</ports>
<times srtt="395" rttvar="2837" to="100000"/>
</host>
<runstats><finished time="1706176585" timestr="Thu Jan 25 17:56:25 2024" elapsed="0.55" summary="Nmap done at Thu Jan 25 17:56:25 2024; 1 IP address (1 host up) scanned in 0.55 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
杂项
输出追踪路由
$ nmap 8.8.8.8 --traceroute
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-26 14:49 中国标准时间
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.17s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 ...
2 3.00 ms 183.6.18.137
3 3.00 ms 14.147.4.138
4 13.00 ms 177.176.37.59.broad.dg.gd.dynamic.163data.com.cn (59.37.176.177)
5 5.00 ms 121.8.134.105
6 ...
7 7.00 ms 202.97.65.61
8 168.00 ms 202.97.63.30
9 164.00 ms ix-ae-14-0.tcore2.lvw-losangeles.as6453.net (64.86.252.62)
10 156.00 ms if-be-44-2.ecore1.lvw-losangeles.as6453.net (64.86.252.13)
11 160.00 ms 142.250.164.40
12 167.00 ms 142.251.226.191
13 164.00 ms 142.251.60.133
14 167.00 ms dns.google (8.8.8.8)
Nmap done: 1 IP address (1 host up) scanned in 19.08 seconds
扫描IPv6
nmap -6 240f:ffff::3
时间与性能
--host-timeout: 设置超时时间--scan-delay: 设置探测之间的时间间隔-T<0-5>: 模板设置时间,-T4 是最快的模板,它会尽可能快地发送探测包,以便在最短的时间内完成扫描。这对于需要快速扫描大量目标的情况非常有用。需要注意的是,使用最快的时间模板可能会导致扫描更容易被目标系统检测到。此外,在扫描过程中,可能会遇到网络延迟或丢包等问题,这可能会影响扫描的准确性和速度。因此,在实际使用中,需要根据具体情况选择合适的时间模板等级。
本文来自博客园,作者:厚礼蝎,转载请注明原文链接:https://www.cnblogs.com/guangdelw/p/17986967
