nmap使用

使用命令“nmap -sn --script hostmap-ip2hosts 目标”进行IP反查，IP反查可以将所有绑定到该IP的域名显示出来，这样我们就可以很清楚地知道有几个站点在同一个服务器上

root@Wing:~# nmap -sn --script hostmap-ip2hosts 10.6.135.192

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 17:22 CST
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.00090s latency).

Host script results:
|　 hosts:
|　　 xxx.org
|　　 xxx.com
|　　 xxx.com
|　　 xxx.net
|　　 xxxx.cc
|_　filename: output_nmap.orgip=210.209.122.11

Nmap done: 1 IP address (1 host up) scanned in 18.24 seconds

密钥信息探测

root@Wing:~# nmap -p 22 --script ssh-hostkey --script-args ssh_hostkey=full  10.6.135.192
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 16:54 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (-2000s latency).
PORT　 STATE SERVICE
22/tcp open　ssh
| ssh-hostkey:
|　 ssh-dss AAAAB3NzaC1kc3MAAACBANaDh41IQb9ZDrAbyoteJ35K5km2+HBNgdIcRchq8B2nwJpb2U4LYI fQckxwCrR5/KnPbH3qjrtBPFJEAkNVt45fihpr0u2dAauBXmhvI52ik94Tv3IBWngqeNd8bGDN/hGSbTwYHZ+VeeoEs2AvB6TZTwSN6eSJGEGb+XyKj9EhAAAAFQCBJ5KKNO7sx6AspWvgUCxRzxNfFwAAAIAZtaRgXfrkOjJ22k8ab4Jzo8fjqbSNOSnHcTL+KUM5ZwJqa3ZoBJ9eJH9GMbon+JZq9K6OG7/sYYlSjyTOKHQOh4aMtTmg9gLkuXS/c5//sYILKCojQx1FSsBGP+w0qdlYEtp3K8EC6ugl0+i6X8aVyPXeFYK1aGvWovOlhVS35AAAAIAvaYGAw4nxk2fRNoq6RVdufAXg7CtSxvOKxge15BtTb2KSmdOV2gC+XIOF5805Ii0jgUWpeG3adhl+BAzXJGrqyEJ+pNCTkEzBpbfufra17xoDWv9e17lHwlVyq3tXdR4485QOThGmuH/Av49LBDd5vlC9ubzlsRWGKqRZi8iVPQ==
|　 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoSVYjeN/KGlhD8YnHvVPC5NoA/Kc5bR9o59jpdDYhl E/LydODrz1Er928t0zxPIUAIA79nQqRYnSPMX6rslc/+POi1an+c/aVqIZwnqnAoB1doztCE8gTh+6D8JlTavvJmAmH0acanwlFJum2/LA3925EmXBoWz0MGgXj71K5u8fpH3EI30SqlT4S4PiyKLcJ8fZrt3bEmSfSDF2aXA712UddrMxvfAM632c7//3zNS0JTgFWlf9gjqBBWPm5PYAiuldC5WitEWylq/CJ5fySTdB/uPUHH7lVw8MF8ax4lsCsBrd62Yr33Zw0LnjZN9pSDrbxaQJIyFdwI2ndl/Vx
|_　ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHxS5qBA 7hSQOOSRyXz5nXYpLZaTWtZcFeDbcvDPut+FZgJ2Dmy0b6IluVgF0YX9cfawoILIWgWpyP8feH9QC0=

 使用命令“nmap -p 80 --script=http-headers 目标地址”即可对目标地址进行HTTP头信息探测