nmap, the king of system vulnerability scanning
Nmap, short for Network Mapper, is a network scanning and sniffing toolkit for Linux.
It has three basic functions:
(1) scan a host's ports and probe the network services it offers
(2) detect whether a group of hosts is online
(3) infer the operating system a host runs, the route taken to reach it, and the software versions behind its open ports
nmap port state reference:
open: an application on the port is accepting TCP connections or UDP datagrams.
closed: a closed port is still reachable by nmap; it receives nmap's probe and responds, but no application is listening on it.
filtered: packet filtering prevents the probe from reaching the port, so nmap cannot determine whether it is open. The filtering may come from a dedicated firewall appliance, router rules, or a host-based software firewall.
unfiltered: the port is reachable, but nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, classifies ports into this state.
open|filtered: nmap cannot determine whether the port is open or filtered; an open port that does not respond is one example. No response may also mean a packet filter dropped the probe or any reply it provoked. UDP, IP protocol, FIN, Null and similar scans produce this state.
closed|filtered: nmap cannot determine whether the port is closed or filtered.
nmap is available for Windows and Linux.
Nmap is a very useful tool for network scanning and host detection. It is not limited to information gathering and enumeration; it can also serve as a vulnerability probe or security scanner. It runs on Windows, Linux, macOS and other operating systems.
The exe installer and the zip package can be downloaded from the official nmap site.
Commonly used nmap options
nmap scans faster than nc.
Below are some basic commands with usage examples, starting with scanning a single host.
Preparation
Prepare two machines:
Host A: IP address 10.0.1.161
Host B: IP address 10.0.1.162
Install the nmap package on host B (the tool is powerful enough that it is customary to install it on every machine):
yum install nmap -y
Port scanning
Preparation
Host B will use nmap to scan host A. Before scanning, host A first checks which of its own ports are in use.
On host A, list the local IPv4 listening ports.
netstat option explanation:
-l (listen): list only listening sockets
-t (tcp): show TCP only
-n (numeric): show IP addresses and port numbers directly, without resolving them to service or host names
-p (pid): show the PID and name of the process owning each socket
--inet: show IPv4 listeners only
List the TCP listeners on IPv4 ports:
netstat -lntp --inet
[root@A ~]# netstat -lntp --inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1930/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2365/master
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699/mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505/rpcbind
[root@A ~]#
Filter out the ports bound to 127.0.0.1:
[root@A ~]# netstat -lntp --inet | grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157/sshd
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699/mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505/rpcbind
[root@A ~]#
Scanning TCP ports
On host B, use nmap to scan all ports of host A (a space after -p is also accepted).
The following scans all listening TCP ports on host A, from 1 to 65535:
nmap 10.0.1.161 -p1-65535
Use -p to specify the port range. If no ports are specified, Nmap scans ports 1 through 1024 by default, plus the ports listed in nmap-services.
nmap-services is a database of about 2200 well-known services. By querying it, Nmap can report which service a port is likely to correspond to, though this is not always correct.
So the correct way to scan a machine's open ports is the command above, with -p1-65535.
Note that nmap has its own database of known services and their port numbers. If a service is not in nmap-services, nmap may not scan its port at all. This is why some ports that are clearly listening do not show up in a default scan, and why the -p option is needed to make nmap scan all ports.
Although plain nmap 10.0.1.161 also finds open ports, -p1-65535 reveals the largest number of ports.
The difference is that without -p only ports of known protocols are shown; ports of unknown protocols are not.
[root@B ~]# nmap 10.0.1.161 -p1-65535
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:11 CST
Nmap scan report for 10.0.1.161
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
13306/tcp open unknown
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds
[root@B ~]#
Without -p1-65535, ports of unknown services (port 13306 on host A) are not found:
[root@B ~]# nmap 10.0.1.161
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:12 CST
Nmap scan report for 10.0.1.161
Host is up (0.000089s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
[root@B ~]#
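The gap the two scans above expose (mysqld on 13306 listening but absent from the default scan) is easy to miss by eye. The following added example, which is not part of the original post, parses the page's own netstat listing from host A and the default nmap report from host B (both embedded as constructed sample input), and reports every non-loopback listener the scan did not show, so the operator knows which ports need a -p1-65535 rescan. It also works for UDP rows from netstat -lnup and for the open|filtered state, which the page's UDP scan produces.

```python
import re

# Constructed sample input: the page's "netstat -lntp --inet" listing from host A.
NETSTAT_OUTPUT = """
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2157/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1930/cupsd
tcp        0      0 0.0.0.0:13306           0.0.0.0:*               LISTEN      21699/mysqld
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN      2640/rsync
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      21505/rpcbind
"""

# Constructed sample input: the page's default "nmap 10.0.1.161" report from host B.
NMAP_OUTPUT = """
Nmap scan report for 10.0.1.161
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
873/tcp open  rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
"""

# netstat -lntp / -lnup row: proto, recv-q, send-q, local addr:port, foreign, [LISTEN], pid/program.
NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)$")
# nmap normal-output port row: "22/tcp  open  ssh" or "631/udp open|filtered ipp".
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_netstat(text):
    # {(proto, port): "pid/program"} for sockets bound to a non-loopback address.
    listening = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m and not m.group(2).startswith("127."):  # loopback is unreachable from host B
            listening[(m.group(1), int(m.group(3)))] = m.group(4)
    return listening

def parse_nmap(text):
    # {(proto, port): state} from the PORT / STATE / SERVICE table.
    ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            ports[(m.group(2), int(m.group(1)))] = m.group(3)
    return ports

def missed_by_scan(netstat_text, nmap_text):
    # Listeners the scan did not report as open or open|filtered: rescan these with -p1-65535.
    listening = parse_netstat(netstat_text)
    seen = {k for k, state in parse_nmap(nmap_text).items() if state.startswith("open")}
    return {k: prog for k, prog in listening.items() if k not in seen}
```

Running missed_by_scan(NETSTAT_OUTPUT, NMAP_OUTPUT) on the embedded sample returns only the mysqld listener on 13306/tcp, which matches what the two scans above show.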
Scanning multiple ports on one IP
Consecutive ports can be joined with a hyphen, and separate ports are listed with commas.
On host A, start two more TCP listeners on ports 7777 and 8888 for testing; appending & puts them in the background.
[root@A ~]# nc -l 7777&
[1] 21779
[root@A ~]# nc -l 8888&
[2] 21780
[root@A ~]#
[root@B ~]# nmap 10.0.1.161 -p20-200,7777,8888
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:32 CST
Nmap scan report for 10.0.1.161
Host is up (0.00038s latency).
Not shown: 179 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
7777/tcp open cbt
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
[root@B ~]#
Scanning UDP ports
First list the IPv4 UDP listeners, using grep -v to exclude those on the loopback interface:
netstat -lnup --inet |grep -v 127.0.0.1
[root@A ~]# netstat -lnup --inet |grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:111 0.0.0.0:* 21505/rpcbind
udp 0 0 0.0.0.0:631 0.0.0.0:* 1930/cupsd
udp 0 0 10.0.1.161:123 0.0.0.0:* 2261/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2261/ntpd
udp 0 0 0.0.0.0:904 0.0.0.0:* 21505/rpcbind
[root@A ~]#
-sU: UDP scan, i.e. scan UDP ports
-Pn: skip the ping probe of the target (do not check whether the host is up) and scan its ports directly
UDP port scanning is slow; scanning all 60,000-plus ports takes about 20 minutes.
[root@B ~]# nmap -sU 10.0.1.161 -Pn
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:16 CST
Stats: 0:12:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.19% done; ETC: 10:33 (0:04:16 remaining)
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.29% done; ETC: 10:33 (0:04:15 remaining)
Nmap scan report for 10.0.1.161
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
111/udp open rpcbind
123/udp open ntp
631/udp open|filtered ipp
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1081.27 seconds
[root@B ~]#
Scanning multiple IPs
Separate the addresses with spaces:
[root@B ~]# nmap 10.0.1.161 10.0.1.162
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:18 CST
Nmap scan report for 10.0.1.161
Host is up (0.000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.26 seconds
[root@B ~]#
The addresses can also be separated with a comma, as below:
nmap 10.0.1.161,162
[root@B ~]# nmap 10.0.1.161,162
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:19 CST
Nmap scan report for 10.0.1.161
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.81 seconds
[root@B ~]#
Scanning a consecutive range of IP addresses
[root@B ~]# nmap 10.0.1.161-162
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:20 CST
Nmap scan report for 10.0.1.161
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.25 seconds
[root@B ~]#
Scanning all IPs in a subnet
[root@B ~]# nmap 10.0.3.0/24
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:21 CST
Nmap scan report for 10.0.3.1
Host is up (0.020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
6666/tcp open irc
8888/tcp open sun-answerbook
Nmap scan report for 10.0.3.2
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open telnet
Nmap scan report for 10.0.3.3
Host is up (0.018s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open telnet
Nmap done: 256 IP addresses (3 hosts up) scanned in 14.91 seconds
[root@B ~]#
Scanning IPs listed in a file
If you have a list of IP addresses, save it as a txt file in the same directory as nmap. To scan all hosts in that file, use -iL as follows:
[root@B ~]# cat ip.txt
10.0.1.161
10.0.1.162
[root@B ~]# nmap -iL ip.txt
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:23 CST
Nmap scan report for 10.0.1.161
Host is up (0.00030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.68 seconds
[root@B ~]#
Excluding one IP address when scanning a range
nmap 10.0.1.161-162 --exclude 10.0.1.162
Usage:
[root@B ~]# nmap 10.0.1.161-162 --exclude 10.0.1.162
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:24 CST
Nmap scan report for 10.0.1.161
Host is up (0.0022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@B ~]#
Excluding multiple IP addresses
Consecutive addresses can be excluded by joining them with a hyphen:
nmap 10.0.1.161-163 --exclude 10.0.1.162-163
[root@B ~]# nmap 10.0.1.161-163 --exclude 10.0.1.162-163
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:25 CST
Nmap scan report for 10.0.1.161
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
[root@B ~]#
Scattered addresses are excluded by separating them with commas:
nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163
[root@B ~]# nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:27 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
[root@B ~]#
Excluding IP addresses listed in a file when scanning multiple addresses
(useful for excluding non-consecutive IP addresses)
Put 10.0.1.161 and 10.0.1.163 in a file; the file name is arbitrary.
The following scans the three addresses 10.0.1.161 through 10.0.1.163 and excludes 10.0.1.161 and 10.0.1.163:
nmap 10.0.1.161-163 --excludefile ex.txt
[root@B ~]# cat ex.txt
10.0.1.161
10.0.1.163
[root@B ~]# nmap 10.0.1.161-163 --excludefile ex.txt
Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:29 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
[root@B ~]#
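The target forms used from "Scanning multiple IPs" onward (space-separated hosts, a per-octet comma list such as 10.0.1.161,162, a hyphen range, a /24 block, --exclude and --excludefile) decide exactly which addresses a scan touches, which matters when the scan must stay inside an agreed scope. The following added example, not taken from the post or from nmap itself, expands those target specs the way the page's outputs show and returns the resulting host list before anything is sent. It assumes --exclude is split on commas into separate specs first (as the page's "--exclude 10.0.1.161,10.0.1.163" shows) and that the exclude file holds one spec per line; it also generalizes to ranges and lists in any octet.

```python
import ipaddress

def expand_target(spec):
    # One nmap-style target: a CIDR block, or a dotted quad in which each octet may be a
    # single value, a range "a-b", or a comma-separated list ("10.0.1.161-162",
    # "10.0.1.161,162" as on this page).
    if "/" in spec:
        return {str(h) for h in ipaddress.ip_network(spec, strict=False)}
    octets = []
    for part in spec.split("."):
        values = set()
        for piece in part.split(","):
            lo, _, hi = piece.partition("-")
            lo = int(lo)
            hi = int(hi) if hi else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet {piece!r} in target {spec!r}")
            values.update(range(lo, hi + 1))
        octets.append(sorted(values))
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    a, b, c, d = octets
    return {f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d}

def scan_scope(targets, exclude="", excludefile_text=""):
    # Hosts that "nmap <targets> --exclude <exclude> --excludefile <file>" would probe.
    # Assumption: --exclude is comma-split into separate specs, each expanded like a target;
    # the exclude file contributes one spec per line.
    hosts = set()
    for spec in targets:
        hosts |= expand_target(spec)
    excluded = set()
    for spec in [s for s in exclude.split(",") if s] + excludefile_text.split():
        excluded |= expand_target(spec)
    return sorted(hosts - excluded, key=ipaddress.ip_address)
```

For the page's runs, scan_scope(["10.0.1.161-163"], exclude="10.0.1.161,10.0.1.163") and scan_scope(["10.0.1.161-163"], excludefile_text="10.0.1.161\n10.0.1.163\n") both leave only 10.0.1.162, matching the reports above.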
