[Security] Using the nmap tool

I. Host discovery

1. Resolve a domain name with a specified DNS server

nmap --dns-servers 61.139.2.69 www.baidu.com

This lets you choose the DNS server nmap uses to resolve the target's domain name.

2. Do not send ICMP packets (to avoid triggering the firewall)

nmap -Pn www.baidu.com

With the "-Pn" option nmap sends no ICMP packets before the scan (it skips host discovery and treats the target as online), so the firewall's detection mechanism is not triggered.

3. Specify the port range to scan

nmap -p 1-1000 www.baidu.com

Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.12s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

The "-p" option sets the port range to scan to 1-1000.

4. Port states

State           Description
open            An application is accepting TCP connections or UDP datagrams on this port.
closed          A closed port is also reachable by nmap: it receives nmap's probe and responds, but no application is listening on it.
filtered        Packet filtering prevents the probe from reaching the port, so nmap cannot tell whether it is open. The filtering may come from a dedicated firewall device, router rules, or host-based firewall software.
unfiltered      The port is reachable, but nmap cannot determine whether it is open or closed. Only the ACK scan, used to map firewall rule sets, classifies ports into this state.
open|filtered   nmap cannot tell whether the port is open or filtered; an open port that does not respond is one example. No response may also mean that a packet filter dropped the probe or any reply it provoked. UDP, IP protocol, FIN and Null scans produce this state.

5. Service fingerprinting

By analysing the protocol flags, options and data in the packets the target sends back to nmap, one can infer the target's operating system and application details; this is called OS fingerprinting and service fingerprinting.

nmap -sV -p 1-1000 192.168.4.210

Use the -sV option for application (service version) fingerprinting:

C:\Users\Administrator>nmap -sV -p 1-1000 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:07 中国标准时间

Nmap scan report for 192.168.4.210
Host is up (0.00055s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
MAC Address: 00:0C:29:7E:61:77 (VMware)

As shown, the version of the application listening on port 22 was identified.
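The "OpenSSH 7.4 (protocol 2.0)" line above comes from the identification string the SSH server sends first ("SSH-2.0-OpenSSH_7.4", RFC 4253). The following is an added example, my own code rather than anything from the original post or from nmap, that parses such a banner the way a version probe does and then uses the result for a defender's check: is the host below a minimum OpenSSH version baseline? The banner strings, the product name "OpenSSH" and the baseline "8.0" in the test are constructed assumptions.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments] CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)
# softwareversion is free-form; "OpenSSH_7.4p1" -> product OpenSSH, version 7.4, patch level p1
SOFTWARE_RE = re.compile(r"^(?P<product>[A-Za-z]+)[_-]?(?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)$")


def parse_ssh_banner(banner):
    """Split an SSH identification string into protocol, product, version, patch and comments."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError("not an SSH identification string")
    s = SOFTWARE_RE.match(m.group("software"))
    return {
        "protocol": m.group("proto"),
        "product": s.group("product") if s else m.group("software"),
        "version": s.group("version") if s else None,
        "patch": s.group("suffix") if s else "",
        "comments": m.group("comments"),
    }


def nmap_style(info):
    """Render the parsed banner the way nmap -sV prints it, e.g. 'OpenSSH 7.4 (protocol 2.0)'."""
    return f"{info['product']} {info['version']} (protocol {info['protocol']})"


def version_tuple(v):
    """'7.4' -> (7, 4) so that versions compare numerically rather than as strings."""
    return tuple(int(x) for x in v.split("."))


def below_baseline(banner, product, minimum):
    """True if the banner shows `product` older than `minimum`; None if the product is unknown
    (a different SSH implementation or an unparsable version needs a manual look)."""
    info = parse_ssh_banner(banner)
    if info["product"] != product or info["version"] is None:
        return None
    return version_tuple(info["version"]) < version_tuple(minimum)


if __name__ == "__main__":
    # Constructed sample banner matching the scan result above.
    print(nmap_style(parse_ssh_banner("SSH-2.0-OpenSSH_7.4\r\n")))
```

The version extracted from a banner is only the upstream release number; a distribution that backports fixes (the CentOS host above is one) can be fully patched while still announcing 7.4, so a baseline check like this finds candidates for review, not confirmed vulnerable hosts.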

6. Aggressive scan

C:\Users\Administrator> nmap -A -v -T4 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:11 中国标准时间

Nmap scan report for 192.168.4.210
Host is up (0.00012s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 02:d6:2b:ca:51:fe:50:02:90:64:49:45:04:2f:26:63 (RSA)
|   256 e4:39:da:a0:ce:84:cc:2e:d5:57:70:98:de:9c:d2:a6 (ECDSA)
|_  256 bf:57:7d:fa:b4:7f:c3:76:e1:c6:97:4a:78:9a:10:e5 (ED25519)
MAC Address: 00:0C:29:7E:61:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 0.001 days (since Fri Apr 10 11:10:55 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.12 ms 192.168.4.210
...
...

-A enables aggressive scan mode, -T<0-5> sets the timing template (the higher the number, the faster the scan), and -v raises the verbosity of the output (shows more information; -vv shows even more).

Alternatively:

nmap -sC -sV -O 192.168.4.210

-sC runs the default nmap scripts (NSE), -sV detects service information on the target, and -O detects the target's operating system.

7. Discovering live hosts on a LAN

CIDR (Classless Inter-Domain Routing) notation expresses a whole network concisely, for example 192.168.4.0/24.

[root@centos7-test ~]# nmap -sP 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:19 EDT
Nmap scan report for 192.168.4.1
Host is up (0.00063s latency).
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
Nmap scan report for 192.168.4.34
Host is up (0.00094s latency).
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)
Nmap scan report for 192.168.4.41
Host is up (0.00085s latency).
MAC Address: 00:0C:29:53:B4:1D (VMware)
Nmap scan report for 192.168.4.42
Host is up (0.00066s latency).
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
Nmap scan report for 192.168.4.199
Host is up (0.000041s latency).
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
Nmap scan report for 192.168.4.210
Host is up (0.00021s latency).
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap scan report for 192.168.4.211
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.28 seconds

-sP ping-scans every host in the CIDR range to find which are alive; the scan uses TCP SYN and ICMP echo requests to detect live hosts. (On a local Ethernet segment, as here, nmap discovers hosts with ARP requests instead; the XML output in section II records this as reason="arp-response".)

-sn can be used instead:

nmap -sn 192.168.4.0/24
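From a defender's side the ping sweep above is an asset-inventory tool: every host that answers should be one you know about, with the MAC you expect. The following is an added example (my own code, not from the original post or from nmap) that parses the normal text output of such a sweep and reports hosts missing from an allowlist or whose MAC address has changed. The sample output is a trimmed copy of the scan above, and the allowlist in the test is a constructed assumption. Parsing the human-readable output is fragile across nmap versions; for anything automated, prefer the XML output described in section II.

```python
import re

# Constructed sample: a trimmed copy of the "nmap -sP 192.168.4.0/24" output above.
PING_SWEEP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:19 EDT
Nmap scan report for 192.168.4.1
Host is up (0.00063s latency).
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
Nmap scan report for 192.168.4.34
Host is up (0.00094s latency).
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)
Nmap scan report for 192.168.4.210
Host is up (0.00021s latency).
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap scan report for 192.168.4.211
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.28 seconds
"""

# "Nmap scan report for 192.168.4.1" or "Nmap scan report for www.example.com (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?$")


def parse_ping_sweep(text):
    """Return {ip: {"mac": ..., "vendor": ...}} for every host nmap reports as up.
    The scanning host itself (192.168.4.211 above) has no MAC line, so both stay None."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = {"mac": None, "vendor": None}
            continue
        m = MAC_RE.match(line)
        if m and current:
            hosts[current]["mac"] = m.group(1)
            hosts[current]["vendor"] = m.group(2)
    return hosts


def unexpected_hosts(hosts, allowlist):
    """allowlist maps ip -> expected MAC (or None when the MAC is not tracked, e.g. the scanner).
    Returns (ip, reason) pairs for hosts not in the inventory or answering with another MAC."""
    findings = []
    for ip, info in sorted(hosts.items(), key=lambda kv: tuple(int(o) for o in kv[0].split("."))):
        if ip not in allowlist:
            findings.append((ip, "not in inventory"))
        elif allowlist[ip] and info["mac"] and allowlist[ip] != info["mac"]:
            findings.append((ip, f"MAC changed: expected {allowlist[ip]}, saw {info['mac']}"))
    return findings
```

A MAC mismatch on a known address is worth a look in its own right: it can be a reimaged machine, but also a device that has taken over an address it should not have.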

8. Probing hosts with TCP (UDP) packets

[root@centos7-test ~]# nmap -sN 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:44 EDT
Nmap scan report for 192.168.4.1
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
80/tcp   open|filtered http
443/tcp  open|filtered https
1443/tcp open|filtered ies-lm
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)

Nmap scan report for 192.168.4.34
Host is up (0.00072s latency).
All 1000 scanned ports on 192.168.4.34 are open|filtered
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)

Nmap scan report for 192.168.4.41
Host is up (0.0035s latency).
All 1000 scanned ports on 192.168.4.41 are closed
MAC Address: 00:0C:29:53:B4:1D (VMware)

Nmap scan report for 192.168.4.42
Host is up (0.00062s latency).
All 1000 scanned ports on 192.168.4.42 are open|filtered
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)

Nmap scan report for 192.168.4.199
Host is up (0.00060s latency).
All 1000 scanned ports on 192.168.4.199 are closed
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)

Nmap scan report for 192.168.4.210
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap scan report for 192.168.4.211
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT   STATE         SERVICE
22/tcp open|filtered ssh

Nmap done: 256 IP addresses (7 hosts up) scanned in 10.40 seconds

-sN performs a TCP Null scan (probes with no TCP flags set) to probe the hosts.

TCP FIN packets can also be used to probe hosts (faster, since no connection is established):

nmap -sF 192.168.4.0/24

Besides -sN and -sF above, there are -sA with ACK packets, -sS with SYN packets, -sU with UDP, and so on.
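The port-state table in section I.4 and the Null/FIN/ACK scans here are two sides of the same rule set: RFC 793 says how a port answers an unsolicited segment, and nmap maps that answer back to a state. The following added example, my own code rather than anything from the original post or from nmap, models both layers for the SYN, Null, FIN and ACK scans named on this page, and reproduces why the -sN output above can only say open|filtered for a port that stays silent. The flag sets are simplified assumptions, and retransmissions and ICMP unreachable replies are left out of the model.

```python
# TCP flags each scan type sets on its probe (simplified; only the bits that matter here).
PROBES = {
    "-sS": {"SYN"},   # SYN scan: first step of a handshake
    "-sN": set(),     # Null scan: no flags at all
    "-sF": {"FIN"},   # FIN scan
    "-sA": {"ACK"},   # ACK scan: used to map firewall rules, not to find open ports
}

PORT_CONDITIONS = ("open", "closed", "filtered")


def target_response(port_condition, flags):
    """What a target port sends back for an unsolicited segment, per RFC 793.
    port_condition: 'open' (listening), 'closed' (nothing listening) or 'filtered' (dropped)."""
    if port_condition == "filtered":
        return None                 # a packet filter drops the probe silently
    if "RST" in flags:
        return None                 # RST segments are never answered
    if port_condition == "closed":
        return "RST"                # no listener: any other segment gets a RST
    # Listening socket with no matching connection:
    if "ACK" in flags:
        return "RST"                # ACK for a connection that does not exist
    if "SYN" in flags:
        return "SYN/ACK"            # handshake step two
    return None                     # FIN, Null and similar segments are ignored


def classify(scan, response):
    """Map the observed response to the nmap port state for that scan type."""
    if scan == "-sS":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan in ("-sN", "-sF"):
        # Silence means either "open and ignored it" or "filtered": indistinguishable.
        return "closed" if response == "RST" else "open|filtered"
    if scan == "-sA":
        return "unfiltered" if response == "RST" else "filtered"
    raise ValueError(f"unknown scan type {scan}")


def scan_port(scan, port_condition):
    """Run one probe of the given scan type against a port in the given condition."""
    return classify(scan, target_response(port_condition, PROBES[scan]))


def state_table():
    """All scan types against all port conditions, e.g. state_table()['-sN']['open']."""
    return {scan: {c: scan_port(scan, c) for c in PORT_CONDITIONS} for scan in PROBES}


if __name__ == "__main__":
    for scan, row in state_table().items():
        print(scan, row)
```

The table also shows what a firewall reviewer gets from -sA: it never reports open ports, only whether the probe was allowed through (unfiltered) or dropped (filtered), which is exactly the distinction the page's "unfiltered" row describes.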

II. nmap output

Save the output as an XML file:

nmap -sP 192.168.4.0/24 -oX test.xml

The -oX option writes the results to the named XML file.

The file looks like this:

[root@centos7-test ~]# cat test.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Fri Apr 10 01:57:13 2020 as: nmap -sP -oX test.xml 192.168.4.0/24 -->
<nmaprun scanner="nmap" args="nmap -sP -oX test.xml 192.168.4.0/24" start="1586498233" startstr="Fri Apr 10 01:57:13 2020" version="7.80" xmloutputversion="1.04">
<verbose level="0"/>
<debugging level="0"/>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.1" addrtype="ipv4"/>
<address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
<hostnames>
</hostnames>
<times srtt="575" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.34" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:2D" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="999" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.41" addrtype="ipv4"/>
<address addr="00:0C:29:53:B4:1D" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="1236" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.42" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:35" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="811" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.66" addrtype="ipv4"/>
<address addr="C8:3D:D4:A3:D9:AD" addrtype="mac" vendor="CyberTAN Technology"/>
<hostnames>
</hostnames>
<times srtt="216078" rttvar="216078" to="1080390"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.150" addrtype="ipv4"/>
<address addr="A4:83:E7:1E:0A:90" addrtype="mac" vendor="Apple"/>
<hostnames>
</hostnames>
<times srtt="524909" rttvar="524909" to="2624545"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.199" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:73:E0" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="204" rttvar="3780" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.210" addrtype="ipv4"/>
<address addr="00:0C:29:7E:61:77" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="457" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="192.168.4.211" addrtype="ipv4"/>
<hostnames>
</hostnames>
</host>
<runstats><finished time="1586498236" timestr="Fri Apr 10 01:57:16 2020" elapsed="3.01" summary="Nmap done at Fri Apr 10 01:57:16 2020; 256 IP addresses (9 hosts up) scanned in 3.01 seconds" exit="success"/><hosts up="9" down="247" total="256"/>
</runstats>
</nmaprun>
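The XML output is the form to keep as a baseline, because it is stable to parse and carries details the text output does not show, such as the discovery reason ("arp-response" for LAN neighbours, "localhost-response" for the scanner itself) and per-host round-trip times. The following added example, my own code and not from the original post or from nmap, parses a file of this shape with the standard library, cross-checks the per-host records against nmap's own <runstats> totals, and summarises how hosts were discovered. The embedded XML is a trimmed, constructed sample with the same elements as the test.xml above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two <host> records and the <runstats> block, in the shape of test.xml above.
NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sP -oX test.xml 192.168.4.0/24" start="1586498233" version="7.80" xmloutputversion="1.04">
<verbose level="0"/>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.1" addrtype="ipv4"/>
<address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
<hostnames>
</hostnames>
<times srtt="575" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="192.168.4.211" addrtype="ipv4"/>
<hostnames>
</hostnames>
</host>
<runstats><finished time="1586498236" elapsed="3.01" exit="success"/><hosts up="2" down="254" total="256"/>
</runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, summary): one dict per <host>, plus the up/down/total counts from <runstats>."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        status = h.find("status")
        entry = {
            "ip": None, "mac": None, "vendor": None,
            "state": status.get("state"), "reason": status.get("reason"),
            "srtt_us": None,   # smoothed RTT in microseconds; absent for the local host
        }
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                entry["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                entry["mac"] = a.get("addr")
                entry["vendor"] = a.get("vendor")
        t = h.find("times")
        if t is not None:
            entry["srtt_us"] = int(t.get("srtt"))
        hosts.append(entry)
    stats = root.find("runstats/hosts")
    summary = {k: int(stats.get(k)) for k in ("up", "down", "total")}
    return hosts, summary


def check_consistency(hosts, summary):
    """True when the number of 'up' host records equals what nmap's own summary claims;
    a mismatch usually means a truncated file (a scan that was killed before <runstats>)."""
    return sum(1 for h in hosts if h["state"] == "up") == summary["up"]


def discovery_reasons(hosts):
    """How each host was found, e.g. Counter({'arp-response': 1, 'localhost-response': 1})."""
    return Counter(h["reason"] for h in hosts)


if __name__ == "__main__":
    hosts, summary = parse_nmap_xml(NMAP_XML)
    print(summary, discovery_reasons(hosts))
```

ET.fromstring raises ParseError on a file that nmap never finished writing, which is the right failure mode for a baseline job: an incomplete scan should not silently replace yesterday's inventory.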

III. Port scanning

1. Scan one or more ports

[root@centos7-test ~]# nmap -p 80 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:15 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00037s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

Scan port 80.

[root@centos7-test ~]# nmap -p 22,80 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:16 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00040s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Scan ports 22 and 80.

[root@centos7-test ~]# nmap -p 22-1000 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:16 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00051s latency).
Not shown: 976 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

Scan ports 22 through 1000.

[root@centos7-test ~]# nmap -p - 192.168.4.210      
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:17 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00065s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds

Scan all ports, 1-65535.

2. Scan different ports with different protocols

[root@centos7-test ~]# nmap -p T:22,T:80,U:111 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:18 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00033s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

T:22 scans port 22 over TCP; U:111 scans port 111 over UDP. Note that the output above shows no UDP result: without -sU nmap performs no UDP scan, so the U: entry has no effect (combine -sS and -sU to scan both in one run).

3. Scan the ports belonging to a service name

[root@centos7-test ~]# nmap -p ssh,h* 192.168.4.210         
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:19 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000043s latency).
Not shown: 166 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

This scans the port corresponding to ssh (it can also be scanned after the port has been changed) and the ports of services whose names start with h (here, http).

4. Scan the ports registered in nmap's service list

[root@centos7-test ~]# nmap -p [1-65535] 192.168.4.210    
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:21 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000068s latency).
Not shown: 8317 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

A range in square brackets differs from -p 1-65535: the bracketed 1-65535 only scans the ports within that range that are registered in nmap's service database (the common ports, 8320 of them).
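The four forms used in this section (single ports and ranges, "-" for everything, T:/U: prefixes, service names and globs, and the bracketed "registered ports only" form) are all one small grammar. The following is an added example, my own code rather than nmap's parser, that expands such a specification into TCP and UDP port sets; it is useful when reviewing a scan job for what it actually touched. Where nmap consults its nmap-services file, this code takes a `known_ports` set and a `services` name map as stand-ins; both are constructed assumptions, which is why "ssh,h*" yields three ports here rather than the 168 nmap scanned above.

```python
import fnmatch

# Constructed stand-in for a few nmap-services entries: name -> [(port, proto), ...]
SERVICES = {
    "ssh": [(22, "tcp")],
    "domain": [(53, "tcp"), (53, "udp")],
    "http": [(80, "tcp")],
    "https": [(443, "tcp")],
    "sunrpc": [(111, "tcp"), (111, "udp")],
}


def parse_port_spec(spec, known_ports=None, services=None):
    """Expand an nmap -p style specification into {"tcp": set, "udp": set}.

    Supported: "22", "22-1000", "-" (1-65535), comma lists, sticky T:/U: prefixes,
    service names and globs ("ssh", "h*") looked up in `services`, and "[a-b]",
    which keeps only the ports of that range present in `known_ports`."""
    result = {"tcp": set(), "udp": set()}
    proto = "tcp"                                  # nmap defaults to TCP until a U: prefix
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port item")
        if item[:2].upper() in ("T:", "U:"):
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        restrict = item.startswith("[") and item.endswith("]")
        if restrict:
            item = item[1:-1]
        if item == "-":
            lo, hi = 1, 65535
        elif not item.replace("-", "").isdigit():  # a service name or glob such as h*
            for name, entries in (services or {}).items():
                if fnmatch.fnmatchcase(name, item):
                    for port, p in entries:
                        result[p].add(port)
            continue
        elif "-" in item:
            a, b = item.split("-", 1)
            lo = int(a) if a else 1                # "-100" means 1-100, "22-" means 22-65535
            hi = int(b) if b else 65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of bounds: {item}")
        ports = set(range(lo, hi + 1))
        if restrict:
            ports &= set(known_ports or ())
        result[proto] |= ports
    return result


if __name__ == "__main__":
    print(parse_port_spec("T:22,T:80,U:111"))
```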

IV. NSE scripts

1. What is NSE

NSE (Nmap Script Engine) is nmap's scripting engine. It ships with many task-specific scripts that can be used during a scan, and it lets nmap's scanning strategies be extended and its capabilities strengthened.

2. Scripts shipped with NSE

On Windows the bundled scripts live in the scripts folder under the installation path; for example D:\apps\Nmap\scripts contains more than 500 .nse script files, each for a specific task.

On Kali Linux they are stored in /usr/share/nmap/scripts.

3. Running a specific script

[root@centos7-test ~]# nmap --script http-title 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:29 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000060s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

Here --script http-title runs that script to fetch the http-title, i.e. the text of the page's <title> tag.

[root@centos7-test ~]# nmap --script http-headers 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:48 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-headers: 
|   Date: Fri, 10 Apr 2020 09:49:00 GMT
|   Server: Apache/2.4.6 (CentOS)
|   Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
|   ETag: "1321-5058a1e728280"
|   Accept-Ranges: bytes
|   Content-Length: 4897
|   Connection: close
|   Content-Type: text/html; charset=UTF-8
|   
|_  (Request type: GET)
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds

The http-headers script fetches the HTTP response headers.

To set the browser User-Agent that the script sends while probing:

root@kali:~# nmap --script http-headers --script-args http.useragent="Mozilla 999" 192.168.4.210

4. Scanning for vulnerabilities

[root@centos7-test ~]# nmap -sV --script vuln 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:50 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.4.210
Host is up (0.00090s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:openbsd:openssh:7.4: 
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| vulners: 
|   cpe:/a:apache:http_server:2.4.6: 
|       CVE-2020-1934   7.5     https://vulners.com/cve/CVE-2020-1934
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2014-0226   6.8     https://vulners.com/cve/CVE-2014-0226
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2020-1927   5.8     https://vulners.com/cve/CVE-2020-1927
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743
|       CVE-2016-2161   5.0     https://vulners.com/cve/CVE-2016-2161
|       CVE-2016-0736   5.0     https://vulners.com/cve/CVE-2016-0736
|       CVE-2014-3523   5.0     https://vulners.com/cve/CVE-2014-3523
|       CVE-2014-0231   5.0     https://vulners.com/cve/CVE-2014-0231
|       CVE-2014-0098   5.0     https://vulners.com/cve/CVE-2014-0098
|       CVE-2013-6438   5.0     https://vulners.com/cve/CVE-2013-6438
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975
|       CVE-2015-3185   4.3     https://vulners.com/cve/CVE-2015-3185
|       CVE-2014-8109   4.3     https://vulners.com/cve/CVE-2014-8109
|       CVE-2014-0118   4.3     https://vulners.com/cve/CVE-2014-0118
|       CVE-2014-0117   4.3     https://vulners.com/cve/CVE-2014-0117
|       CVE-2013-4352   4.3     https://vulners.com/cve/CVE-2013-4352
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.34 seconds
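The vulners output above is long because the script matches on the CPE built from the version string (cpe:/a:apache:http_server:2.4.6), not on the host's actual patch state; on a distribution that backports fixes, as the CentOS build of Apache 2.4.6 here does, many of the listed CVEs may already be closed. The list is therefore a triage input. The following added example, my own code and not part of the original post or of the vulners script, parses that block into structured records and ranks them by CVSS score above a threshold so that the highest-scoring items are checked first. The embedded text is a constructed excerpt of the scan output above, with the CVE ids and scores as printed there.

```python
import re

# Constructed excerpt of the "nmap -sV --script vuln" output above.
VULNERS_OUTPUT = """\
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|       CVE-2018-15919  5.0     https://vulners.com/cve/CVE-2018-15919
|_      CVE-2017-15906  5.0     https://vulners.com/cve/CVE-2017-15906
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS))
|_http-trace: TRACE is enabled
| vulners:
|   cpe:/a:apache:http_server:2.4.6:
|       CVE-2020-1934   7.5     https://vulners.com/cve/CVE-2020-1934
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")       # "80/tcp  open  http ..."
CPE_RE = re.compile(r"^\|\s+(cpe:/\S+?):\s*$")                            # "|   cpe:/a:...:2.4.6:"
CVE_RE = re.compile(r"^\|_?\s+(CVE-\d{4}-\d+)\s+(\d+\.\d+)\s+(\S+)")      # "|       CVE-... 7.5 https://..."


def parse_vulners(text):
    """Return one record per CVE line: port, the CPE it was matched under, id, score and URL."""
    findings = []
    port = cpe = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, cpe = f"{m.group(1)}/{m.group(2)}", None
            continue
        m = CPE_RE.match(line)
        if m:
            cpe = m.group(1)
            continue
        m = CVE_RE.match(line)
        if m and port:
            findings.append({"port": port, "cpe": cpe, "cve": m.group(1),
                             "score": float(m.group(2)), "url": m.group(3)})
    return findings


def triage(findings, min_score=7.0):
    """Findings at or above min_score, highest score first (ties broken by CVE id)."""
    hits = [f for f in findings if f["score"] >= min_score]
    return sorted(hits, key=lambda f: (-f["score"], f["cve"]))


def by_port(findings):
    """Count of version-matched CVEs per port, a quick view of which service to look at first."""
    counts = {}
    for f in findings:
        counts[f["port"]] = counts.get(f["port"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_vulners(VULNERS_OUTPUT)):
        print(f["port"], f["cve"], f["score"], f["url"])
```

Each triaged item still has to be confirmed against the vendor's changelog or the package's security advisories before it counts as a finding; "http-trace: TRACE is enabled" on the same host, by contrast, is a direct configuration observation and can be acted on as is.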

5. Enumerating subdomains and their IP addresses

nmap --script dns-brute baidu.com

Result:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 03:01 EDT
Nmap scan report for baidu.com (220.181.38.148)
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     mx.baidu.com - 61.135.163.61
|     admin.baidu.com - 10.26.109.19
|     svn.baidu.com - 10.65.211.174
|     ads.baidu.com - 10.42.4.225
|     mx1.baidu.com - 111.202.115.85
|     mx1.baidu.com - 220.181.3.85
|     id.baidu.com - 106.120.159.182
|     id.baidu.com - 220.181.107.148
|     test.baidu.com - 220.181.107.196
|     images.baidu.com - 182.61.62.50
|     news.baidu.com - 106.120.159.43
|     news.baidu.com - 180.149.145.156
|     info.baidu.com - 180.97.104.89
|     ap.baidu.com - 180.149.132.182
|     dns.baidu.com - 202.108.22.220
|     ns1.baidu.com - 202.108.22.220
|     app.baidu.com - 14.215.177.167
|     ns2.baidu.com - 220.181.33.31
|     dns1.baidu.com - 220.181.38.10
|     ns3.baidu.com - 112.80.248.64
|     ntp.baidu.com - 10.48.49.44
|     ops.baidu.com - 10.26.3.240
|     ops.baidu.com - 10.46.7.36
|     ops.baidu.com - 10.91.160.44
|     auth.baidu.com - 220.181.107.194
|     backup.baidu.com - 10.143.145.28
|     owa.baidu.com - 111.202.115.84
|     vpn.baidu.com - 220.181.3.125
|     vpn.baidu.com - 220.181.50.247
|     beta.baidu.com - 111.206.37.130
|     web.baidu.com - 10.48.30.87
|     exchange.baidu.com - 10.26.109.19
|     cdn.baidu.com - 10.169.43.10
|     whois.baidu.com - 180.149.144.177
|     secure.baidu.com - 180.97.34.120
|     secure.baidu.com - 180.97.93.27
|     www.baidu.com - 14.215.177.38
|     www.baidu.com - 14.215.177.39
|     forum.baidu.com - 10.26.109.19
|     shop.baidu.com - 123.125.115.15
|     www2.baidu.com - 180.149.144.64
|     sip.baidu.com - 220.181.3.68
|     crs.baidu.com - 180.101.49.112
|     git.baidu.com - 10.42.4.104
|     internet.baidu.com - 106.120.159.43
|     internet.baidu.com - 180.149.145.156
|     database.baidu.com - 10.26.109.19
|     help.baidu.com - 112.34.111.18
|     help.baidu.com - 112.34.111.183
|     help.baidu.com - 112.80.255.39
|     help.baidu.com - 112.80.255.43
|     help.baidu.com - 117.185.16.213
|     help.baidu.com - 117.185.16.230
|     help.baidu.com - 180.149.144.165
|     help.baidu.com - 180.149.144.166
|     help.baidu.com - 180.97.33.42
|     help.baidu.com - 202.106.2.77
|     help.baidu.com - 202.106.2.78
|     db.baidu.com - 10.26.109.19
|     demo.baidu.com - 10.73.191.38
|     ipv6.baidu.com - 14.215.177.38
|     ipv6.baidu.com - 14.215.177.39
|     dev.baidu.com - 220.181.107.143
|     ssl.baidu.com - 10.58.121.74
|     home.baidu.com - 180.101.49.156
|     lab.baidu.com - 180.149.144.192
|     linux.baidu.com - 10.99.31.43
|     log.baidu.com - 10.26.39.14
|     mail.baidu.com - 220.181.50.187
|     mirror.baidu.com - 219.151.25.35
|     mobile.baidu.com - 14.215.177.167
|_    monitor.baidu.com - 10.91.161.200
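Two things in the dns-brute output above deserve a defender's attention: several names (admin, svn, backup, git, database, ...) resolve to 10.x.x.x addresses, so public DNS is revealing internal hostnames and the private address plan, and several names share one address. The following added example, my own code and not from the original post or from the dns-brute script, parses that output and reports both. The embedded lines are a constructed excerpt of the output above, and the interpretation of a private answer as a leak is a judgement a reviewer has to confirm per zone.

```python
import ipaddress
import re

# Constructed excerpt of the dns-brute output above (names and addresses as printed there).
DNS_BRUTE_OUTPUT = """\
| dns-brute:
|   DNS Brute-force hostnames:
|     mx.baidu.com - 61.135.163.61
|     admin.baidu.com - 10.26.109.19
|     svn.baidu.com - 10.65.211.174
|     www.baidu.com - 14.215.177.38
|     db.baidu.com - 10.26.109.19
|_    monitor.baidu.com - 10.91.161.200
"""

# "|     name - address" (the last line carries "|_"); header lines do not match.
ENTRY_RE = re.compile(r"^\|_?\s+(\S+)\s+-\s+(\S+)\s*$")


def parse_dns_brute(text):
    """Return [(hostname, ip_address), ...] for every resolved name in the script output."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue                      # not an address: skip rather than guess
        records.append((m.group(1), ip))
    return records


def internal_leaks(records):
    """Names published in DNS that resolve to private, loopback or link-local addresses
    (RFC 1918 and friends): each one exposes an internal host name to the world."""
    return sorted(name for name, ip in records if ip.is_private)


def shared_addresses(records):
    """{address: [names]} for addresses that more than one name resolves to; such
    clusters often mark one server or load balancer behind many vanity names."""
    by_ip = {}
    for name, ip in records:
        by_ip.setdefault(str(ip), []).append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    recs = parse_dns_brute(DNS_BRUTE_OUTPUT)
    print(internal_leaks(recs))
    print(shared_addresses(recs))
```

The usual remediation is split-horizon DNS: internal names are served only to internal resolvers, and the public zone carries nothing that points at RFC 1918 space.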

6. Updating the NSE script database

root@kali:~# nmap --script-updatedb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 13:31 EDT
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.32 seconds

V. Other usage

1. Specify which network interface to use

nmap -sV -e eth0 192.168.4.210

2. Compare results with ndiff

When there are several scan results (saved as XML files), ndiff can show the differences between them.

Here 192.168.4.210 was scanned twice: the first time the httpd service was not running, the second time it was.

C:\Users\Administrator\Desktop>ndiff res1.xml res2.xml
-Nmap 7.80 scan initiated Sat Apr 11 02:14:41 2020 as: nmap -A -v -T4 -oX res1.xml 192.168.4.210
+Nmap 7.80 scan initiated Sat Apr 11 02:15:09 2020 as: nmap -A -v -T4 -oX res2.xml 192.168.4.210

 192.168.4.210, 00:0C:29:7E:61:77:
-Not shown: 998 closed ports
+Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
+80/tcp open  http    Apache httpd 2.4.6 ((CentOS))
+|  http-methods:
+|    Supported Methods: GET HEAD POST OPTIONS TRACE
+|_   Potentially risky methods: TRACE
+|_ http-server-header: Apache/2.4.6 (CentOS)
+|_ http-title: Apache HTTP Server Test Page powered by CentOS

This comparison was run on Windows; Kali Linux does not install ndiff by default, so it has to be installed separately.
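Run on a schedule against a saved baseline, ndiff is a change detector: a "+" port line in state open is a service that was not exposed last time. The following added example, my own code rather than anything from the original post or from ndiff, reads ndiff's text output, attributes each changed port line to the host header it appears under, and returns the newly exposed open ports, which is the event worth alerting on. The embedded text is a copy of the ndiff output above; its host-header format (" address, mac:") is what this version of ndiff printed and is assumed here.

```python
import re

# Constructed sample: the "ndiff res1.xml res2.xml" output above.
NDIFF_OUTPUT = """\
-Nmap 7.80 scan initiated Sat Apr 11 02:14:41 2020 as: nmap -A -v -T4 -oX res1.xml 192.168.4.210
+Nmap 7.80 scan initiated Sat Apr 11 02:15:09 2020 as: nmap -A -v -T4 -oX res2.xml 192.168.4.210

 192.168.4.210, 00:0C:29:7E:61:77:
-Not shown: 998 closed ports
+Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
+80/tcp open  http    Apache httpd 2.4.6 ((CentOS))
+|  http-methods:
+|    Supported Methods: GET HEAD POST OPTIONS TRACE
+|_   Potentially risky methods: TRACE
+|_ http-server-header: Apache/2.4.6 (CentOS)
+|_ http-title: Apache HTTP Server Test Page powered by CentOS
"""

# Host header: a diff prefix (space, + or -), an IPv4 address, optional ", mac", then ":".
HOST_RE = re.compile(r"^[ +-](\d{1,3}(?:\.\d{1,3}){3})\b.*:$")
# Changed port line: "+80/tcp open  http ..." or "-22/tcp open  ssh ..."
PORT_LINE_RE = re.compile(r"^([+-])(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def port_changes(text):
    """One record per added/removed port line: host, port/proto, change, state, service."""
    host = None
    changes = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE_RE.match(line)
        if m and host:
            sign, port, proto, state, service = m.groups()
            changes.append({"host": host, "port": f"{port}/{proto}",
                            "change": "added" if sign == "+" else "removed",
                            "state": state, "service": service})
    return changes


def newly_exposed(changes):
    """Ports that appear in the second scan as open but were absent from the first."""
    return [c for c in changes if c["change"] == "added" and c["state"] == "open"]


if __name__ == "__main__":
    for c in newly_exposed(port_changes(NDIFF_OUTPUT)):
        print(f"ALERT {c['host']} {c['port']} now open ({c['service']})")
```

ndiff also has an --xml output mode, which is the better input for automation once the text format is understood; the regexes above are written for the text layout shown on this page.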
Posted @ 2020-04-10 10:42 by 风间悠香