Nmap Syntax and Examples
Basic syntax
The basic structure of an Nmap command is:
nmap [scan types] [options] [target]
[scan types]: the scan type, e.g. TCP, UDP.
[options]: the scan options that customise how the scan behaves.
[target]: what to scan: a single IP address, a hostname, an IP range or a subnet.
Examples
Example 1: Scan a server with nmap
By default, Nmap scans the 1000 most commonly used TCP ports.
┌──(root㉿kali)-[~]
└─# nmap 127.0.0.1   # run nmap 127.0.0.1; by default it scans the 1000 most common TCP ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-28 16:57 CST   # scan run with Nmap 7.94 at 16:57 on 2024-06-28
Nmap scan report for localhost (127.0.0.1)   # scanned host is 127.0.0.1
Host is up (0.0000050s latency).   # host state: up
Not shown: 997 closed tcp ports (reset)   # not shown: 997 TCP ports are closed
PORT STATE SERVICE   # port, state, service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds   # 1 IP address scanned, took 0.10 seconds
Example 2: Scan a machine and view its open ports with detailed progress
Option: -v: verbose; prints details while the scan runs so the user can follow the current scan status.
┌──(root㉿kali)-[~]
└─# nmap -v 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 10:45 CST
Initiating SYN Stealth Scan at 10:45
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:45, 0.08s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 2003 (84.132KB)
Example 3: Scan a port range: ports 1-65535
┌──(root㉿kali)-[~]
└─# nmap -p 1-65535 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 10:51 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000041s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
8834/tcp open nessus-xmlrpc
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
Note: in production, only the ports that are actually providing a service should be open; everything else should be closed.
There are two ways to shut down a service that does not need to be exposed:
Scenario 1: you recognise the service, so stop it directly
systemctl stop [service]
Scenario 2: you do not recognise the service. Find out which process is using the port and where its executable lives, then kill the process and delete the file. Taking port 22 as an example, the procedure is:
┌──(root㉿kali)-[~]
└─# lsof -i :22 # look up which process is using port 22, by port number
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1038 root 3u IPv4 16010 0t0 TCP *:ssh (LISTEN)
sshd 1038 root 4u IPv6 16021 0t0 TCP *:ssh (LISTEN)
┌──(root㉿kali)-[~]
└─# ps aux | grep 1038 # use ps to find the process's executable
root 1038 0.0 0.4 13540 8064 ? Ss 10:40 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 14929 0.0 0.1 6584 2304 pts/0 S+ 11:03 0:00 grep --color=auto 1038
# The process's executable is /usr/sbin/sshd. If no full path is shown for the command, the trojan process can be executed directly from a bash terminal; use which and rpm -qf to trace where the command comes from, as follows:
┌──(root㉿kali)-[~]
└─# which ssh
/usr/bin/ssh
# Fix:
┌──(root㉿kali)-[~]
└─# kill -9 1038
# Summary: this approach is mainly used to find the backdoor ports an attacker is listening on and the path where the trojan is stored.
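Added here as an example, not the tutorial's own code: a small shell check for the note above that only ports which are really serving should be open. It parses nmap's normal output (a constructed sample in the shape of example 3) against an allowlist of expected ports, and a second function does the lsof/ps lookup for anything it flags using ss and /proc instead. The function names, the sample and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check a scan result
# against the list of ports that are supposed to be serving, then look up
# the listener behind any port that should not be open.

# Read nmap normal output on stdin and print every open port that is not in
# the allowlist given as arguments.  Port lines look like "21/tcp open ftp".
unexpected_open_ports() {
    allowed=" $* "
    grep -E '^[0-9]+/(tcp|udp) +open ' | while read -r portproto state service; do
        port=${portproto%%/*}
        case "$allowed" in
            *" $port "*) ;;                          # expected: stay quiet
            *) printf '%s %s\n' "$portproto" "$service" ;;
        esac
    done
}

# For one unexpected port, print the listening PID and its executable path.
# Same idea as the lsof/ps steps above, but /proc/PID/exe still points at the
# binary even if the file was deleted after the process started.
# Run as root on the scanned host; ss comes from iproute2.
listener_for_port() {
    ss -H -ltnp "sport = :$1" | sed -n 's/.*pid=\([0-9]*\).*/\1/p' | sort -u |
    while read -r pid; do
        printf 'pid %s exe %s\n' "$pid" "$(readlink -f "/proc/$pid/exe")"
    done
}

# Constructed sample in the shape of example 3's output above.
SAMPLE='Nmap scan report for localhost (127.0.0.1)
Host is up (0.000041s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
8834/tcp open nessus-xmlrpc
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds'

# Only ssh and http are meant to be exposed, so ftp and 8834 get reported.
printf '%s\n' "$SAMPLE" | unexpected_open_ports 22 80
```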
Example 4: Scan a machine and show the ports it has open and its operating system type.
Options:
-O: show the operating system type. Every operating system has its own fingerprint.
-sS: half-open (SYN) scan.
Note: -O cannot determine the target's operating system version with 100% certainty; when it cannot pin down the exact version, nmap lists several of the most likely candidates.
┌──(root㉿kali)-[~]
└─# nmap -sS -O 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 11:12 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/29%OT=21%CT=1%CU=41109%PV=N%DS=0%DC=L%G=Y%TM=667F
OS:7B93%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=
OS:MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=8200%W2=8200%W3=8200%W4=8200%W5=8200%W6
OS:=8200)ECN(R=Y%DF=Y%T=40%W=8200%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
Example 5: Scan a subnet and determine the operating system type of every machine on it.
┌──(root㉿kali)-[~]
└─# nmap -O 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 12:15 CST
Nmap scan report for 192.168.1.0
Host is up (0.00052s latency).
All 1000 scanned ports on 192.168.1.0 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows XP|7|2012|2003 (92%), Actiontec embedded (88%), Linux 2.4.X (88%), Asus embedded (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/h:asus:wl-500gp cpe:/o:microsoft:windows_server_2003::sp2:enterprise cpe:/o:linux:linux_kernel:2.4.37
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), Actiontec MI424WR-GEN3I WAP (88%), Asus WL-500gP wireless broadband router (86%), Microsoft Windows Server 2003 Enterprise Edition SP2 (86%), DD-WRT v24-sp2 (Linux 2.4.37) (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 192.168.1.5
Host is up (0.00060s latency).
All 1000 scanned ports on 192.168.1.5 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows XP|7|2012|2003 (92%), Actiontec embedded (88%), Linux 2.4.X (88%), Asus embedded (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/h:asus:wl-500gp cpe:/o:microsoft:windows_server_2003::sp2:enterprise cpe:/o:linux:linux_kernel:2.4.37
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), Actiontec MI424WR-GEN3I WAP (88%), Asus WL-500gP wireless broadband router (86%), Microsoft Windows Server 2003 Enterprise Edition SP2 (86%), DD-WRT v24-sp2 (Linux 2.4.37) (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
. . . . . .
Example 6: Among a set of specific IP addresses, find the servers with port 80 open.
┌──(root㉿kali)-[~]
└─# nmap -v -p 80 192.168.1.1-6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:08 CST
Initiating Ping Scan at 13:08
Scanning 6 hosts [4 ports/host]
Completed Ping Scan at 13:08, 0.05s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 13:08
Completed Parallel DNS resolution of 6 hosts. at 13:08, 0.03s elapsed
Initiating SYN Stealth Scan at 13:08
Scanning 6 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 13:08, 0.23s elapsed (6 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.0062s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.2
Host is up (0.00051s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.3
Host is up (0.0056s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.4
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.5
Host is up (0.00018s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.6
Host is up (0.0035s latency).
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 0.56 seconds
Raw packets sent: 26 (1.024KB) | Rcvd: 8 (292B)
Example 7: How to scan more stealthily; frequent scanning gets blocked or the IP address locked out.
Options:
--randomize-hosts: randomise the order in which the target hosts are scanned.
--scan-delay: delay, in seconds, between probes.
┌──(root㉿kali)-[~]
└─# nmap -v --randomize-hosts --scan-delay 3000ms -p 80 192.168.1.1-6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:15 CST
Initiating Ping Scan at 13:15
Scanning 6 hosts [4 ports/host]
Completed Ping Scan at 13:15, 16.02s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 13:15
Completed Parallel DNS resolution of 6 hosts. at 13:15, 0.03s elapsed
Initiating SYN Stealth Scan at 13:15
Scanning 6 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 13:15, 9.01s elapsed (6 total ports)
Nmap scan report for 192.168.1.4
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.5
Host is up (0.00041s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.2
Host is up (0.00043s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.3
Host is up (0.011s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.6
Host is up (0.0031s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 25.29 seconds
Raw packets sent: 28 (1.076KB) | Rcvd: 8 (292B)
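Example 7 says that frequent scanning gets the source IP blocked. As an added example (not from the original post), this is what that threshold logic looks like from the defender's side, run over constructed firewall LOG lines; the function name scan_sources, the log layout, the addresses and the thresholds are all assumptions.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): the kind of threshold
# logic that blocks a scanning IP, which example 7 is trying to slip past.
# It reads firewall LOG lines, counts the distinct destination ports each
# source touched inside a time window, and reports a source the moment it
# reaches the threshold.  Because --scan-delay spreads probes out, a window
# of a few seconds sees nothing; it has to cover delay x number of probes.

# Usage: scan_sources WINDOW_SECONDS THRESHOLD  < log
# Each line: epoch timestamp, then the iptables LOG fields (SRC=, DPT=, ...).
scan_sources() {
    awk -v window="$1" -v threshold="$2" '
    {
        src = ""; dpt = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        ts = $1 + 0
        # start a fresh window for this source once the old one has expired
        if (!(src in start) || ts - start[src] > window) {
            start[src] = ts; ports[src] = 0
        }
        # a port counts once per window: remember which window last saw it
        key = src " " dpt
        if (seen[key] != start[src]) { seen[key] = start[src]; ports[src]++ }
        if (ports[src] == threshold)
            print src, "hit", threshold, "distinct ports within", window "s"
    }'
}

# Constructed sample: one host probing a new port every 3 s (like
# --scan-delay 3000ms) and one ordinary client that only talks to 80 and 443.
LOG='1719645300 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=21 SYN
1719645301 IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.6 PROTO=TCP SPT=51234 DPT=80 SYN
1719645303 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=22 SYN
1719645306 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=23 SYN
1719645309 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=25 SYN
1719645310 IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.6 PROTO=TCP SPT=51235 DPT=443 SYN
1719645312 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=80 SYN
1719645315 IN=eth0 OUT= SRC=192.168.1.7 DST=192.168.1.6 PROTO=TCP SPT=8888 DPT=443 SYN'

# 60 s window, 5 distinct ports: reports 192.168.1.7 once; a 5 s window never fires.
printf '%s\n' "$LOG" | scan_sources 60 5
```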
Example 8: Specify IP addresses with a wildcard
┌──(root㉿kali)-[~]
└─# nmap -p 80 192.168.1.*
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:18 CST
Nmap scan report for 192.168.1.0
Host is up (0.0011s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.2
Host is up (0.0093s latency).
PORT STATE SERVICE
80/tcp filtered http
. . . . . .
Nmap scan report for 192.168.1.254
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.255
Host is up (0.00084s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 256 IP addresses (256 hosts up) scanned in 9.39 seconds
Example 9: TCP Connect scan
This scan is very similar to the SYN scan, except that it completes the full TCP three-way handshake.
┌──(root㉿kali)-[~]
└─# nmap -sT 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:22 CST
Nmap scan report for 192.168.1.6
Host is up (0.011s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
52869/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.79 seconds
Example 10: Fragmented packet scan
The -f option fragments the probe packets nmap sends. The original packet is split into several pieces, which makes it harder for the target network's defences, such as packet filters and firewalls, to inspect them.
This option must also be used with care: some older systems frequently crash when handling fragmented packets.
┌──(root㉿kali)-[~]
└─# nmap -f 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:29 CST
Nmap scan report for 192.168.1.6
Host is up (0.0022s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
52869/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 4.88 seconds
Example 11: Stealth scanning with decoy hosts
Scanning a target may well be noticed. One fairly clever approach is to spoof a large number of host addresses and scan the target from all of them at once. Even if the target host notices that it is being scanned, the scan packets come from many hosts, so even an IDS only knows that a scan is under way and cannot tell which host is actually doing the scanning. This is a common and reliable technique for hiding one's own IP.
Decoy hosts can be used in the initial ping-scan phase (ICMP, SYN, ACK, etc.), in the actual port scan, and in remote operating system detection (-O). Decoys have no effect during version detection or a TCP connect scan.
(1) Three random decoys
└─# nmap -D RND:3 192.168.1.6
(2) Use your own IP as a decoy
└─# nmap -D ME 192.168.1.6
(3) Specify a single IP, 192.168.1.14, as the decoy
└─# nmap -D 192.168.1.14 192.168.1.6
(4) Specify several IPs as decoys to probe 192.168.1.6
└─# nmap -D 192.168.1.14,192.168.1.15 192.168.1.6
Example 12: Scan the target with the source port spoofed to 8888
└─# nmap --source-port 8888 192.168.1.6
or
└─# nmap -g 8888 192.168.1.6
Example 13: Pick 10 random hosts from the Internet and scan whether they run a web server (port 80 open)
└─# nmap -v -iR 10 -p 80 192.168.1.6
Example 14: Treat all hosts as online and skip host discovery; this way the scan can get through a firewall without the firewall noticing it
└─# nmap -Pn 192.168.1.6