Note: this is a set of notes compiled from several people's articles, for learning and reference only.
Links to the original authors' articles:
https://www.cnblogs.com/hanxiaobei/p/5603491.html
http://blog.jobbole.com/54595/
----------------------------------------------------------------------------
nmap is a tool for network scanning and host discovery.
Using nmap for information gathering and vulnerability detection, its functions include:
Detecting live hosts.
Detecting a host's open ports (port discovery or enumeration).
Detecting the software and version behind each port.
Detecting the operating system type and version, hardware address and software version.
Detecting exploitable vulnerabilities.
nmap scans with a variety of techniques, among them TCP connect, TCP reverse ident, and FTP bounce scanning.
nmap uses its different scan methods to get past firewall and IPS/IDS protection and obtain accurate information about a host.
Command line: (show scan progress with -v)
Scan a single host
#nmap www.hostName.com
C:\Users\YOONA>nmap 108.61.87.202
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:29 中国标准时间
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.37s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 256.57 seconds
#nmap ipAddress
Scan an entire IP range (subnet)
#nmap 192.168.1.1/24 //scans every host under the 24-bit mask of the current IP, i.e. 192.168.1.1 through 192.168.1.254
C:\Users\YOONA>nmap 108.61.87.202/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:37 中国标准时间
Warning: 108.61.87.27 giving up on port because retransmission cap hit (10).
Stats: 0:32:27 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
#nmap 192.168.0.* //the * wildcard stands for every host in that range
[root@vultr ~]# nmap 108.61.87.*
Starting Nmap 5.51 ( http://nmap.org ) at 2018-07-04 15:01 CST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.62, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.62:1503 S ttl=57 id=46459 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.34, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.34:34571 S ttl=45 id=57342 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.39, 16) => Operation not permitted
Scan multiple targets
#nmap 192.168.1.1 192.168.5.6 //separate them with a space and write the second ipAddress
C:\Users\YOONA>nmap 108.61.87.202 108.61.87.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:39 中国标准时间
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Host is up (0.32s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap done: 2 IP addresses (2 hosts up) scanned in 77.69 seconds
Scan multiple servers by listing the last byte of the IP address
#nmap 192.168.0.101,102,103
[root@vultr ~]# nmap 108.61.87.202,203,204
Starting Nmap 5.51 ( http://nmap.org ) at 2018-07-04 15:00 CST
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for 108.61.87.204.vultr.com (108.61.87.204)
Host is up (0.033s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: FE:00:01:89:5E:E9 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.07 seconds
Scan a range of targets
#nmap 192.168.1.1-100 //scans the 100 hosts starting at 192.168.1.1
Export the IPs to an address list (a .txt file) and have nmap scan every host in that file
#nmap -iL target.txt
If you want to see the list of hosts that will be scanned, use
#nmap -sL 192.168.1.1/24
C:\Users\YOONA>nmap -sL 108.61.87.202/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:12 中国标准时间
Nmap scan report for 108.61.87.0.vultr.com (108.61.87.0)
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Nmap scan report for 108.61.87.2.vultr.com (108.61.87.2)
Nmap scan report for 108.61.87.3.vultr.com (108.61.87.3)
Nmap scan report for 108.61.87.4.vultr.com (108.61.87.4)
Nmap scan report for mon.kay.sh (108.61.87.5)
Nmap scan report for 108.61.87.6.vultr.com (108.61.87.6)
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Scan all IPs in the subnet except one
#nmap 192.168.1.1/24 --exclude 192.168.1.1
Scan all IPs in the subnet except those listed in a file
#nmap 192.168.1.1/24 --excludefile xx.txt
Scan specific ports on a given host
#nmap -p21,22,23,80,443 192.168.1.1
C:\Users\YOONA>nmap -p21,22,23,80,443 111.13.100.92
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:15 中国标准时间
Nmap scan report for 111.13.100.92
Host is up (0.17s latency).
PORT    STATE    SERVICE
21/tcp  filtered ftp
22/tcp  filtered ssh
23/tcp  filtered telnet
80/tcp  open     http
443/tcp open     https
Nmap done: 1 IP address (1 host up) scanned in 24.62 seconds
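The target forms used above (CIDR, the * wildcard, a last-octet range, a comma list, -iL files and --exclude / --excludefile) and the -p port forms used here and in items 18 to 20 below all expand to plain lists. The following Python is an added example, not code from these notes or from the nmap project; it expands those specifications offline the way `nmap -sL` lists them, so you can check what a command line will actually touch before running it. One detail worth knowing: for a /24 nmap's own -sL output above lists the .0 address as well, and the function follows that behaviour rather than the ".1 to .254" wording in the note. The file format accepted by load_target_file (one spec per line, # comments) is an assumption for the example.

```python
"""Expand nmap-style target and port specifications into explicit lists.

Added example (not from the original notes or from nmap). Standard library
only; hostnames are not resolved, so everything runs offline.
"""
import ipaddress
import itertools
from typing import Iterable, List, Set


def _expand_octet(part: str) -> List[int]:
    """Expand one octet expression: '5', '*', '1-100' or '101,102,103'."""
    if part == "*":
        return list(range(256))
    values: List[int] = []
    for item in part.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range: {item!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return every IPv4 address covered by one target specification.

    CIDR follows what nmap's -sL output shows: the network (.0) and
    broadcast (.255) addresses are part of the list.
    """
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    combos = itertools.product(*(_expand_octet(o) for o in octets))
    return [".".join(str(v) for v in combo) for combo in combos]


def target_list(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs (positional targets or the lines of an -iL file),
    drop everything matched by the exclude specs, keep order, remove duplicates."""
    excluded: Set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen: Set[str] = set()
    out: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            out.append(addr)
    return out


def expand_ports(spec: str) -> List[int]:
    """Expand a -p spec such as '21,22,23,80,443', '80-160' or 'T:8888,80'.
    The T:/U: protocol prefix is accepted and ignored here."""
    ports: List[int] = []
    for item in spec.split(","):
        if ":" in item:
            item = item.split(":", 1)[1]
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports


def load_target_file(text: str) -> List[str]:
    """Parse -iL / --excludefile style text (assumed format: one spec per
    line, blank lines and '#' comments ignored)."""
    specs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            specs.append(line)
    return specs


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the notes.
    print(len(expand_target("192.168.1.1/24")))
    print(expand_target("192.168.1.1-3"))
    print(target_list(["192.168.1.1/30"], exclude=["192.168.1.1"]))
    print(expand_ports("T:8888,80"))
```

Running target_list over the same specs and exclude file you intend to give nmap is a cheap dry run: if an address you must not scan shows up in the output, the exclude list is wrong before a single packet is sent.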
--------------------------------------------------------------The above are the most commonly used basic nmap commands
Now let's look at nmap's scan techniques
1. TCP SYN Scan (sS): does not generate log entries on the target host
How SYN attacks work:
https://baike.baidu.com/item/SYN%E6%94%BB%E5%87%BB/14762413?fr=aladdin
Obtains host information through TCP SYN packets
#nmap -sS 192.168.1.1 //the option reads as: #nmap -scanSYN 192.168.1.1
If no scan type is specified, the default is TCP SYN, but this requires root/administrator privileges on the scanning host.
2. TCP connect() scan (sT)
If no scan type is specified and there are no administrator privileges, the default scan type is the TCP connect() scan (sT). A tcp connect() scan has to complete the three-way handshake and calls the system's connect(). The tcp connect() scan is only suitable for finding TCP and UDP ports.
#nmap -sT 192.168.1.1 //the option reads as: #nmap -scanTCP 192.168.1.1
C:\Users\YOONA>nmap -sT 108.61.87.7
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:34 中国标准时间
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Host is up (0.32s latency).
Not shown: 992 filtered ports
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
995/tcp open  pop3s
Nmap done: 1 IP address (1 host up) scanned in 237.92 seconds
3. UDP scan (sU)
Used to find the UDP ports a host has open. It does not send SYN packets; it sends UDP datagrams to the target and waits for the response. An ICMP unreachable reply means the port is closed.
#nmap -sU 192.168.1.1 //the option reads as: #nmap -scanUDP 192.168.1.1
C:\Users\YOONA>nmap -sU 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:12 中国标准时间
Initiating Ping Scan at 11:12
Scanning 108.61.87.7 [4 ports]
Completed Ping Scan at 11:12, 3.55s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:12
Completed Parallel DNS resolution of 1 host. at 11:12, 6.17s elapsed
Initiating UDP Scan at 11:12
Scanning mx1.sayprepay.com (108.61.87.7) [1000 ports]
Increasing send delay for 108.61.87.7 from 0 to 50 due to max_successful_tryno increase to 4
4. FIN scan (sF): does not generate log entries on the target host
If TCP SYN is blocked by the firewall, packets carrying the FIN flag are used to obtain host information. (FIN is the reset bit, used to indicate that the connection is being closed.)
#nmap -sF 192.168.1.1 //the option reads as: #nmap -scanFIN 192.168.1.1
C:\Users\YOONA>nmap -sF 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:15 中国标准时间
Initiating Ping Scan at 11:15
Scanning 108.61.87.7 [4 ports]
Completed Ping Scan at 11:15, 3.57s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:15
5. PING Scan (sP)
A ping scan only determines whether a host is alive on the network.
#nmap -sP 192.168.1.1
C:\Users\YOONA>nmap -sP 108.61.87.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:29 中国标准时间
Nmap scan report for 108.61.87.0.vultr.com (108.61.87.0)
Host is up (0.29s latency).
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Host is up (0.41s latency).
Nmap scan report for 108.61.87.2.vultr.com (108.61.87.2)
Host is up (0.31s latency).
Nmap scan report for 108.61.87.4.vultr.com (108.61.87.4)
Host is up (0.40s latency).
Nmap scan report for mon.kay.sh (108.61.87.5)
Host is up (0.40s latency).
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Host is up (0.40s latency).
6. Version detection (sV)
Identifies the software versions running behind the target host's ports. It is not used to find the target's open ports, but it needs information from the open ports to determine the software versions, so a port scan has to run first.
#nmap -sV 192.168.1.1
C:\Users\YOONA>nmap -sV 111.13.100.92
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:08 中国标准时间
Nmap scan report for 111.13.100.92
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.11 seconds
7. Idle scan (sI)
Sends the scan packets spoofing another host's IP address (the first address given is the host being impersonated, the second is the target).
#nmap -sI 192.168.1.7 192.168.1.1 //note that -sL is the list scan described earlier, which only lists the targets and sends no probes; the capture below was taken with -sL, which is why it reports 0 hosts up
C:\Users\YOONA>nmap -sL 108.61.87.1 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:16 中国标准时间
Initiating Parallel DNS resolution of 2 hosts. at 11:16
Completed Parallel DNS resolution of 2 hosts. at 11:16, 6.75s elapsed
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Nmap done: 2 IP addresses (0 hosts up) scanned in 20.39 seconds
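The scan types above are described from the scanner's side, and the note says SYN and FIN scans leave no log entries on the target host. From the defender's side the probes still cross the network, so a firewall or flow log that records per-packet TCP flags can see them. The following Python is an added example, not code from these notes or from nmap: it reads constructed log lines in a format invented for the example, flags any (source, destination) pair that touches many distinct ports within a short window, and labels the probe style from the flags seen (SYN only, FIN only, no flags, or mixed flags as a completed connect() handshake would show). The threshold and window are assumptions to tune for a real network.

```python
"""Flag port-scan patterns in connection logs.

Added example, not from the original notes or from nmap. The log format is
invented for this example (one line per packet: timestamp, src, dst, proto,
dport, TCP flags) and the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

THRESHOLD = 15                   # distinct ports per (src, dst) pair (assumed)
WINDOW = timedelta(seconds=60)   # within this span (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+)(?: flags=(?P<flags>\S*))?$")


def constructed_log() -> List[str]:
    """Constructed sample: a SYN-only scanner hitting 40 ports in 20 s, a
    FIN-only scanner hitting 20 ports in 19 s, and a normal client that
    completes handshakes (SYN then ACK) to just two services over minutes."""
    base = datetime(2018, 7, 4, 11, 15, 0)
    lines: List[str] = []
    for i, port in enumerate(range(20, 60)):
        t = base + timedelta(seconds=i / 2)
        lines.append(f"{t.isoformat()} src=198.51.100.5 dst=192.0.2.7 proto=tcp dport={port} flags=S")
    for i, port in enumerate(range(80, 100)):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=198.51.100.9 dst=192.0.2.7 proto=tcp dport={port} flags=F")
    for i in range(10):
        t = base + timedelta(seconds=30 * i)
        port = 22 if i % 2 else 443
        for flags, delay in (("S", 0), ("A", 1)):
            ts = (t + timedelta(seconds=delay)).isoformat()
            lines.append(f"{ts} src=203.0.113.4 dst=192.0.2.7 proto=tcp dport={port} flags={flags}")
    return lines


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "src": m.group("src"),
            "dst": m.group("dst"), "proto": m.group("proto"),
            "dport": int(m.group("dport")), "flags": m.group("flags") or ""}


def classify(events: List[dict]) -> str:
    """Label the probe style from the set of TCP flag strings seen."""
    flags = {e["flags"] for e in events if e["proto"] == "tcp"}
    if flags == {"S"}:
        return "syn-scan"
    if flags == {"F"}:
        return "fin-scan"
    if flags == {""}:
        return "null-scan"
    return "mixed-flags"


def detect_scans(lines: List[str], threshold: int = THRESHOLD,
                 window: timedelta = WINDOW) -> List[dict]:
    """One finding per (src, dst) pair whose busiest `window` covers at
    least `threshold` distinct destination ports."""
    by_pair: Dict[tuple, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append(ev)
    findings: List[dict] = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        best = 0
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered probes
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, len({e["dport"] for e in events[start:end + 1]}))
        if best >= threshold:
            findings.append({"src": src, "dst": dst, "distinct_ports": best,
                             "style": classify(events)})
    return findings


if __name__ == "__main__":
    for finding in detect_scans(constructed_log()):
        print(finding)
```

The legitimate client in the sample is never reported even though it sends SYNs, because it only ever reaches two ports; the count of distinct ports per pair inside the window, not the packet count, is what separates a scan from normal traffic.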
------------------------------------------------------------The above are the commonly used scan methods
Other scan techniques include FTP bounce, fragmentation scan, and IP protocol scan.
8. Scan operating system information and trace the route
#nmap -A 192.168.1.1 //detects the target host's system information and routing information
9. OS detection (O)
Detects the target host's operating system and software.
#nmap -O 192.168.1.1
C:\Users\YOONA>nmap -O 108.61.87.1 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:17 中国标准时间
Initiating Ping Scan at 11:17
Scanning 2 hosts [4 ports/host]
Completed Ping Scan at 11:17, 3.59s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 11:17
Completed Parallel DNS resolution of 2 hosts. at 11:18, 5.56s elapsed
Initiating SYN Stealth Scan at 11:18
Scanning 2 hosts [1000 ports/host]
Discovered open port 995/tcp on 108.61.87.7
Discovered open port 80/tcp on 108.61.87.7
Discovered open port 993/tcp on 108.61.87.7
Discovered open port 443/tcp on 108.61.87.7
Discovered open port 25/tcp on 108.61.87.7
Discovered open port 80/tcp on 108.61.87.1
Discovered open port 143/tcp on 108.61.87.7
Discovered open port 110/tcp on 108.61.87.7
Discovered open port 587/tcp on 108.61.87.7
Discovered open port 22/tcp on 108.61.87.1
SYN Stealth Scan Timing: About 24.20% done; ETC: 11:20 (0:01:37 remaining)
SYN Stealth Scan Timing: About 32.99% done; ETC: 11:21 (0:02:04 remaining)
SYN Stealth Scan Timing: About 45.62% done; ETC: 11:21 (0:01:48 remaining)
SYN Stealth Scan Timing: About 64.88% done; ETC: 11:23 (0:01:48 remaining)
SYN Stealth Scan Timing: About 71.54% done; ETC: 11:23 (0:01:31 remaining)
Stats: 0:04:17 elapsed; 0 hosts completed (2 up), 2 undergoing SYN Stealth Scan
Nmap's OS fingerprinting reports:
Device type (router, workgroup, etc.)
Running (the operating system in use)
OS details (the operating system's name and version)
Network distance (the number of hops between the target and the attacker)
10. If the remote host sits behind a firewall, IDS or IPS, you can use the -PN option to make sure the remote host is not pinged first.
# nmap -O -PN 192.168.1.1/24
Nmap's OS detection relies on having both open and closed ports to probe. If the OS scan cannot find at least one open and one closed port, it returns the following warning:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
The OS scan results are unreliable because at least one open and one closed port could not be found.
11. Identifying the remote operating system precisely with Nmap is fairly hard, so Nmap's guessing option, --osscan-guess, is used: it reports the operating system type that matches the target most closely.
# nmap -O --osscan-guess 192.168.1.1 //the options read as: nmap -OS (OS scan) -guess ip address
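The scan reports captured throughout these notes are nmap's normal output, and the rule just quoted (at least one open and one closed port, or OS detection is unreliable) can be checked from that output before spending minutes on -O. The following Python is an added example, not code from these notes or from nmap: it parses the report lines that appear on this page (Nmap scan report, Host is up, Not shown, the PORT table, MAC Address) into per-host records, reports whether the open/closed precondition holds for each host, and gives the list of exposed services a defender would use as an inventory. The sample report is constructed in the same format with documentation addresses; it is not a real capture.

```python
"""Parse nmap normal output into per-host records and check the
open/closed-port precondition for OS detection.

Added example, not from the original notes or from nmap. Only the report
lines shown on this page are handled; SAMPLE_REPORT is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:39 CST
Nmap scan report for host-a.example.invalid (192.0.2.10)
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for host-b.example.invalid (192.0.2.11)
Host is up (0.32s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
135/tcp  filtered msrpc
MAC Address: FE:00:01:89:5E:E9 (Unknown)
Nmap done: 2 IP addresses (2 hosts up) scanned in 77.69 seconds
"""

_REPORT_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
_NOTSHOWN_RE = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\w+) ports?$")
_PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
_MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})")


@dataclass
class HostReport:
    name: str
    ip: str
    up: bool = False
    latency: Optional[float] = None
    not_shown: Dict[str, int] = field(default_factory=dict)  # state -> collapsed count
    ports: List[dict] = field(default_factory=list)
    mac: Optional[str] = None

    def count(self, state: str) -> int:
        """Ports in `state`, including the ones collapsed into 'Not shown'."""
        return self.not_shown.get(state, 0) + sum(1 for p in self.ports if p["state"] == state)

    def os_detection_reliable(self) -> bool:
        """The rule quoted in the notes: nmap warns unless it found at least
        1 open and 1 closed port."""
        return self.count("open") >= 1 and self.count("closed") >= 1


def parse_normal_output(text: str) -> List[HostReport]:
    """One HostReport per 'Nmap scan report' block in the text."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REPORT_RE.match(line)
        if m:
            # A bare IP target has no parenthesised address; reuse the name.
            current = HostReport(name=m.group("name"), ip=m.group("ip") or m.group("name"))
            hosts.append(current)
            continue
        if current is None:
            continue  # header lines before the first host
        if line.startswith("Host is up"):
            current.up = True
            lat = re.search(r"\(([\d.]+)s latency\)", line)
            if lat:
                current.latency = float(lat.group(1))
            continue
        m = _NOTSHOWN_RE.match(line)
        if m:
            current.not_shown[m.group("state")] = int(m.group("count"))
            continue
        m = _PORT_RE.match(line)
        if m:
            current.ports.append({"port": int(m.group("port")), "proto": m.group("proto"),
                                  "state": m.group("state"), "service": m.group("service")})
            continue
        m = _MAC_RE.match(line)
        if m:
            current.mac = m.group("mac")
    return hosts


def open_services(hosts: List[HostReport]) -> Dict[str, List[str]]:
    """Exposure inventory: ip -> ['22/tcp ssh', ...] for open ports only."""
    return {h.ip: [f"{p['port']}/{p['proto']} {p['service']}" for p in h.ports if p["state"] == "open"]
            for h in hosts}


if __name__ == "__main__":
    for h in parse_normal_output(SAMPLE_REPORT):
        print(h.ip, "open:", h.count("open"), "closed:", h.count("closed"),
              "OS detection reliable:", h.os_detection_reliable())
```

In the constructed sample the first host shows one open port and 999 filtered, so it fails the precondition exactly as the warning describes, while the second host has 993 closed ports and passes. The same check applied to the real captures above shows why the -sS reports with "999 filtered ports" are poor candidates for -O.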
12. Scan a host to probe for a firewall
#nmap -sA 192.168.1.1
13. Scan whether a host is protected by a firewall
#nmap -PN 192.168.1.1
14. Fast scan: scans only the ports listed in the nmap-services file and skips all others.
#nmap -F 192.168.1.1
15. Show the nmap version: -V
#nmap -V
16. Scan ports in sequential order
#nmap -r 192.168.1.1
17. Print the local host's interfaces and routes
nmap --iflist
18. Scan a specific port; by default nmap only scans TCP ports
#nmap -p 80 www.baidu.com
19. Scan TCP ports
#nmap -p T:8888,80 www.baidu.com
20. Scan a range of ports
#nmap -p 80-160 192.168.0.101
21. -PA (TCP ACK ping) and -PS (TCP SYN ping)
22. TCP Null scan
#nmap -sN 192.168.1.1