Basic use of the nmap command on Linux
Introduction
Nmap (Network Mapper) is an open-source network discovery and security auditing tool that can quickly scan a single host or a large network. Nmap uses raw IP packets to find out which hosts are on the network, what services (application name and version) those hosts offer, which operating system versions they run, what kinds of packet filters/firewalls are in use, and so on.
Basic usage
Command format
nmap [scan type(s)] [options] {target specification}
Targets can be domain names, IP addresses or network ranges. Separate multiple targets with commas, and write a contiguous range of octet values with a hyphen, for example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254
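The target forms listed above, as an added example in Python (not code from the original post or from the Nmap project): a small expander that turns a comma-separated Nmap target list, including CIDR suffixes on hostnames or addresses and per-octet ranges, into the concrete addresses a scan would touch, which is a useful scope check before launching a large scan. Hostname resolution is injected by the caller so the code runs offline; the `example.test` name and the 203.0.113.0/24 addresses are constructed sample values.

```python
"""Expand Nmap-style target specifications into concrete IPv4 addresses.

Added example, not code from the original post or the Nmap project.
Handles: a single IP, a hostname, host-or-IP with a CIDR suffix
(microsoft.com/24), per-octet ranges (10.0-255.0-255.1-254) and
comma-separated lists of any of these.
"""
import ipaddress
import itertools
import re
from typing import Callable, Iterator, List

OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _no_resolver(name: str) -> str:
    # Default resolver refuses to resolve, so the example never touches the network.
    raise ValueError(f"no resolver supplied for hostname {name!r}")


def _octet_range(part: str) -> range:
    """'7' -> range(7, 8); '0-255' -> range(0, 256); values above 255 are rejected."""
    m = OCTET.match(part)
    if not m:
        raise ValueError(f"bad octet spec: {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {part!r}")
    return range(lo, hi + 1)


def _is_octet_spec(spec: str) -> bool:
    parts = spec.split(".")
    return len(parts) == 4 and all(OCTET.match(p) for p in parts)


def _expand_octets(spec: str) -> Iterator[str]:
    """10.0-1.0.1-2 -> 10.0.0.1, 10.0.0.2, 10.1.0.1, 10.1.0.2 (last octet varies fastest)."""
    ranges = [_octet_range(p) for p in spec.split(".")]
    for a, b, c, d in itertools.product(*ranges):
        yield f"{a}.{b}.{c}.{d}"


def expand_target(spec: str, resolve: Callable[[str], str] = _no_resolver) -> List[str]:
    """Expand one target token (no commas) into a list of dotted-quad strings."""
    spec = spec.strip()
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        try:
            ipaddress.IPv4Address(base)
        except ValueError:
            base = resolve(base)  # hostname/24 form: resolve first, then take its block
        # strict=False lets a host address stand for the block containing it
        net = ipaddress.IPv4Network(f"{base}/{int(prefix)}", strict=False)
        return [str(ip) for ip in net]  # network and broadcast addresses included
    if _is_octet_spec(spec):
        return list(_expand_octets(spec))
    return [resolve(spec)]


def expand_targets(spec: str, resolve: Callable[[str], str] = _no_resolver) -> List[str]:
    """Expand a comma-separated target list, keeping order and dropping duplicates."""
    seen = set()
    out: List[str] = []
    for token in spec.split(","):
        if not token.strip():
            continue
        for ip in expand_target(token, resolve):
            if ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


def scan_size(spec: str, resolve: Callable[[str], str] = _no_resolver) -> int:
    """Number of distinct hosts a scan of this target list would touch."""
    return len(expand_targets(spec, resolve))


if __name__ == "__main__":
    # Constructed resolver: maps a documentation-only name to a reserved test address.
    fake_dns = {"example.test": "203.0.113.10"}.__getitem__
    for t in ("192.168.0.1", "10.0.0.0/30", "10.0-1.0.1-2", "example.test/30"):
        print(f"{t:>16} -> {expand_targets(t, fake_dns)}")
    print("hosts in 10.0-1.0-1.1-254:", scan_size("10.0-1.0-1.1-254"))
```

Running `scan_size` on the post's `10.0-255.0-255.1-254` example before scanning makes the cost visible: it names more than sixteen million hosts, which is usually a sign the scope was written more broadly than intended.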
Specifying the scan type
Host discovery:
- -sL: list scan, simply lists the targets without scanning them
- -sP: ping scan, checks whether the target hosts are online/alive (respond to ping probes)
- -P0: skip host discovery (ping probing) and treat every target as online/alive
- -PS/PA/PU [port list]: host discovery using TCP SYN / TCP ACK / UDP probes to the given ports
- -PR: ARP-based host discovery
Scan techniques:
- -sS/sT/sA: TCP SYN (half-open) / TCP connect (full-open) / TCP ACK scans
- -sA: TCP ACK scan, used to determine whether the target's firewall is stateful or stateless
- -sU: UDP scan
- -sO: IP protocol scan, determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports
- -n: never do DNS resolution on target addresses, which shortens scan time
- -R: resolve DNS names for target addresses
Service/version detection
- -A: enable OS detection and version detection
- -sV: probe open ports to determine service/version information
- -O: enable OS detection
- -O --osscan-guess: aggressive OS detection, guesses the target OS details more aggressively
Port states recognized by nmap
- open: the port is open
- closed: the port is closed
- filtered: the port is filtered
- unfiltered: not filtered (accessible, but nmap cannot tell whether it is open or closed)
- open|filtered: either open or filtered
- closed|filtered: either closed or filtered
Usage examples
Scan the target's most common TCP ports with verbose output
nmap -v 127.0.0.1 # scan the local host
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:12 CST
Initiating SYN Stealth Scan at 10:12
Scanning VM-16-4-centos (127.0.0.1) [1000 ports]
Discovered open port 8888/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 9091/tcp on 127.0.0.1
Discovered open port 9090/tcp on 127.0.0.1
Discovered open port 5432/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:12, 1.56s elapsed (1000 total ports)
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
5432/tcp open  postgresql
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Raw packets sent: 1062 (46.728KB) | Rcvd: 2131 (89.516KB)
1000 ports were scanned: 994 closed and 6 open.
Use ping probes to find live hosts on the target network (host discovery)
A ping scan checks whether the target hosts are online/alive (respond to ping probes).
nmap -sP 127.0.0.1
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:18 CST
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
Check the target host's operating system (OS fingerprinting)
nmap -O 127.0.0.1
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:44 CST
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.000011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
5432/tcp open  postgresql
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.89 seconds
Check the version of the service listening on a given port of the target host
nmap -sV -p 22 127.0.0.1
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:52 CST
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.000059s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Scan specific ports on a specific target host
nmap -p 20,21,22,80,443 www.jd.com
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:55 CST
Nmap scan report for www.jd.com (121.226.246.3)
Host is up (0.013s latency).
PORT    STATE    SERVICE
20/tcp  filtered ftp-data
21/tcp  filtered ftp
22/tcp  filtered ssh
80/tcp  open     http
443/tcp open     https
Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
Check whether the target host exposes DNS and DHCP services
nmap -sU -p 53,67 www.jd.com
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 10:58 CST
Nmap scan report for www.jd.com (121.226.246.3)
Host is up (0.016s latency).
PORT   STATE  SERVICE
53/udp open   domain
67/udp closed dhcps
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Check whether the target host is behind firewall filtering
nmap -sA 127.0.0.1
Output:
Starting Nmap 6.40 ( http://nmap.org ) at 2024-03-02 11:02 CST
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.0000070s latency).
All 1000 scanned ports on VM-16-4-centos (127.0.0.1) are unfiltered
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
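The six port states listed earlier and the scan outputs in this section, as an added example in Python (not code from the original post or from the Nmap project): a parser for Nmap's normal output that collects the PORT/STATE/SERVICE/VERSION rows, folds in the "Not shown: N closed ports" and "All N scanned ports ... are unfiltered" summary lines, and compares the open ports against an allowlist so that an unexpected listener on a host stands out. The sample text is copied from the post's own scans of 127.0.0.1; the allowlist used in the demo is a constructed value.

```python
"""Parse Nmap normal output and check open ports against an expected baseline.

Added example, not code from the original post or the Nmap project.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# "22/tcp   open  ssh   OpenSSH 7.4 (protocol 2.0)"; the VERSION column only appears with -sV
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "Not shown: 994 closed ports" (Nmap may list several, e.g. "990 closed ports, 5 filtered ports")
NOT_SHOWN_ITEM = re.compile(r"(\d+) ([\w|]+) ports?")
# "All 1000 scanned ports on VM-16-4-centos (127.0.0.1) are unfiltered"
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on .+ are ([\w|]+)$")

# The six states the post lists; anything else is treated as a parse error.
KNOWN_STATES = {"open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"}


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""

    @property
    def key(self) -> str:
        return f"{self.port}/{self.proto}"


@dataclass
class ScanSummary:
    entries: List[PortEntry] = field(default_factory=list)   # rows shown in the table
    state_counts: Dict[str, int] = field(default_factory=dict)  # includes the "Not shown" ports

    def total_ports(self) -> int:
        return sum(self.state_counts.values())


def parse_nmap_output(text: str) -> ScanSummary:
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            entry = PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                              (m.group(5) or "").strip())
            if entry.state not in KNOWN_STATES:
                raise ValueError(f"unexpected port state {entry.state!r} in {line!r}")
            summary.entries.append(entry)
            summary.state_counts[entry.state] = summary.state_counts.get(entry.state, 0) + 1
            continue
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_ITEM.findall(line):
                summary.state_counts[state] = summary.state_counts.get(state, 0) + int(count)
            continue
        m = ALL_PORTS.match(line)
        if m:
            summary.state_counts[m.group(2)] = summary.state_counts.get(m.group(2), 0) + int(m.group(1))
    return summary


def unexpected_open_ports(summary: ScanSummary, allowed: Iterable[str]) -> List[str]:
    """'port/proto' keys that are open but not on the allowlist, ordered by protocol then port."""
    allowed_set = set(allowed)
    hits = [e for e in summary.entries if e.state == "open" and e.key not in allowed_set]
    return [e.key for e in sorted(hits, key=lambda e: (e.proto, e.port))]


# Sample output copied from the post's "nmap -v 127.0.0.1" run (report section only).
SAMPLE_SYN_SCAN = """\
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
5432/tcp open  postgresql
8888/tcp open  sun-answerbook
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
"""

# Sample output copied from the post's "nmap -sA 127.0.0.1" run.
SAMPLE_ACK_SCAN = """\
Nmap scan report for VM-16-4-centos (127.0.0.1)
Host is up (0.0000070s latency).
All 1000 scanned ports on VM-16-4-centos (127.0.0.1) are unfiltered
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
"""

if __name__ == "__main__":
    # Constructed allowlist: only ssh and smtp are expected listeners on this host.
    summary = parse_nmap_output(SAMPLE_SYN_SCAN)
    print("state counts:", summary.state_counts, "total:", summary.total_ports())
    print("unexpected open ports:", unexpected_open_ports(summary, {"22/tcp", "25/tcp"}))
    print("ACK scan:", parse_nmap_output(SAMPLE_ACK_SCAN).state_counts)
```

Feeding a saved scan into `unexpected_open_ports` with the ports a host is supposed to expose turns the post's ad-hoc reading of the table (994 closed, 6 open) into a repeatable check; on the sample above it flags 5432, 8888, 9090 and 9091 as listeners that nobody declared.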