Introduction
Nmap is an open-source network discovery tool. It finds which hosts on a network are online, determines which ports those hosts are listening on, identifies the application type and version running behind each port, and can also fingerprint the operating system type and version.
Basic functions
Nmap has four basic functions:
(1) Host discovery
(2) Port scanning
(3) Service and version detection
(4) OS detection
Basic usage:
```text
[root@master ~]# nmap -A -T4 10.0.0.53

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
|_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=4/5%OT=21%CT=1%CU=42940%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=5E896D3B%P=x86_64-redhat-linux-gnu)SEQ(SP=100%GCD=1%ISR=108%TI=Z%TS=A)S
OS:EQ(SP=100%GCD=1%ISR=108%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7
OS:%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W
OS:2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NN
OS:SNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.56 ms 10.0.0.53

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
```
Explanation of the result:
-A: aggressive scan. It turns on OS detection, version detection, the default NSE scripts and traceroute all at once, which is why every part of the output above appears.
-T4: selects the timing template. There are six levels (0-5: paranoid, sneaky, polite, normal, aggressive, insane). The higher the level, the faster the scan, but the more likely it is to be noticed and blocked by firewalls and intrusion-detection systems. T4 is the usual choice on a reasonably fast and reliable network.
-v: print scan details (verbose output). It was not used in the command above, but is commonly added.
From the output above, the scan can be seen to fall into five parts:
Part 1: checking whether the host is online.
Part 2: port scanning. By default nmap scans the 1000 most commonly used ports. Only two of them (21 and 22) were found open here, so the remaining 998 are summarized as 'Not shown: 998 closed ports'.
Part 3: identifying the service and version running on each open port, together with the output of the default NSE scripts (the lines prefixed with |, here ftp-anon reporting that anonymous FTP login is allowed, and ssh-hostkey listing the host keys).
Part 4: detecting the operating system type and version. No exact match was found in this case, so nmap prints the raw TCP/IP fingerprint instead of an OS name.
Part 5: traceroute information for the target host.
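The five parts above are also the structure that any tooling built around nmap has to recover from its normal (human-readable) output. The following is an added example written for this page, not code from the original article or from the Nmap project: it parses a report of exactly this shape into per-host records (status, latency, open ports with service and version, NSE script lines, the "Not shown" counts and the MAC address). The report embedded in it is a constructed sample modelled on the scans shown on this page.

```python
"""Parse Nmap's normal (human-readable) output into structured records.

Added example, not part of the original page or the Nmap project. The
SAMPLE_REPORT below is a constructed sample shaped like the output of
the scans shown on this page.
"""
import re

SAMPLE_REPORT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
|_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.00013s latency).
All 1000 scanned ports on 10.0.0.254 are filtered
MAC Address: 00:50:56:E0:4C:FE (VMware)
Nmap done: 256 IP addresses (2 hosts up) scanned in 7.43 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.+)")
ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")


def parse_nmap_report(text):
    """Return one dict per 'Nmap scan report for ...' block."""
    hosts = []
    cur = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host block starts
            cur = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                   "up": False, "latency": None, "not_shown": {},
                   "ports": [], "mac": None, "vendor": None}
            hosts.append(cur)
            continue
        if cur is None:  # header lines before the first host
            continue
        m = UP_RE.match(line)
        if m:
            cur["up"] = True
            cur["latency"] = float(m.group(1)) if m.group(1) else None
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # "998 closed ports" or "100 open|filtered ports, 98 filtered ports"
            for part in m.group(1).split(","):
                count, state = part.split()[:2]
                cur["not_shown"][state] = int(count)
            continue
        m = ALL_RE.match(line)
        if m:  # "All 1000 scanned ports on X are filtered"
            cur["not_shown"][m.group(2)] = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4),
                                 "version": m.group(5) or ""})
            continue
        m = MAC_RE.match(line)
        if m:
            cur["mac"], cur["vendor"] = m.group(1), m.group(2)
            continue
        # Lines starting with "|" are NSE script output belonging to the
        # port reported just above them; keep them so nothing is lost.
        if line.startswith("|") and cur["ports"]:
            cur["ports"][-1].setdefault("script", []).append(line[1:].lstrip("_ "))
    return hosts


def open_ports(hosts):
    """Flatten to (ip, 'port/proto') pairs for the ports reported open."""
    return [(h["ip"], "%d/%s" % (p["port"], p["proto"]))
            for h in hosts for p in h["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for h in parse_nmap_report(SAMPLE_REPORT):
        print(h["ip"], "up" if h["up"] else "down", h["not_shown"],
              ["%d/%s %s %s" % (p["port"], p["proto"], p["service"], p["version"])
               for p in h["ports"]])
```

For anything beyond a quick script, prefer nmap's machine-readable formats (-oX for XML, -oG for grepable); the normal output is meant for humans and its layout has changed between versions.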
Nmap host discovery
The principle is similar to the ping command: nmap sends packets to the target host and, if any response comes back, treats the host as online. Two details matter in practice. On the local Ethernet segment nmap uses ARP requests by default (which is why the scans below report MAC addresses), and when run as root against non-local targets its default probes are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. The -P options below change which probes are sent.
Syntax:
nmap [options] target
Common options

| Option | Meaning |
| --- | --- |
| -sn | Host discovery only; no port scan |
| -Pn | Skip host discovery; treat every specified host as online and go straight to port scanning |
| -sL | List scan: only lists the target IPs (with reverse-DNS lookups) and sends no probes |
| -PS/PA/PU/PY[portlist] | Use TCP SYN, TCP ACK, UDP or SCTP INIT packets to the given ports for discovery, e.g. -PS80,22 |
| -PE/PP/PM | Use ICMP echo, timestamp or netmask request packets for discovery |
| -PO[protocol list] | IP protocol ping: send raw IP packets of the given protocol numbers to test whether the host is online |
| -n/-R | Control DNS resolution: -n never resolves, -R always resolves (by default nmap only resolves hosts it finds online) |
Examples
1. Host discovery only

```text
[root@master ~]# nmap -sn 10.0.0.53

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:34 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
```

Scanning a whole subnet

```text
[root@master ~]# nmap -sn 10.0.0.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:39 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.00013s latency).
MAC Address: 00:50:56:F8:14:BA (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.000095s latency).
MAC Address: 00:50:56:E0:4C:FE (VMware)
Nmap scan report for 10.0.0.50
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds
```

The entry for 10.0.0.50 has no latency and no MAC address because it is the scanning machine itself (the tcpdump capture further down shows 10.0.0.50 as the source of the probes); nmap does not ARP for its own address.
2. Port scan only (skip host discovery)

```text
[root@master ~]# nmap -Pn 10.0.0.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:57 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00015s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 10.0.0.53
Host is up (0.00055s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
MAC Address: 00:0C:29:8F:D5:02 (VMware)

Nmap scan report for 10.0.0.226
Host is up (0.000059s latency).
All 1000 scanned ports on 10.0.0.226 are closed
MAC Address: 00:50:56:F8:14:BA (VMware)

Nmap scan report for 10.0.0.254
Host is up (0.00013s latency).
All 1000 scanned ports on 10.0.0.254 are filtered
MAC Address: 00:50:56:E0:4C:FE (VMware)

Nmap scan report for 10.0.0.50
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 256 IP addresses (5 hosts up) scanned in 7.43 seconds
```

Note that even with -Pn only 5 of the 256 addresses are reported, not all 256. On a directly connected Ethernet segment nmap still performs ARP discovery (unless --disable-arp-ping is given), because it needs a MAC address to send anything at all. The "treat every host as online" behaviour of -Pn therefore matters mostly for remote targets that drop ping probes; there it will port-scan every address you list, which can make a large range very slow.
Combining nmap with tcpdump

```text
[root@master ~]# nmap -sn -PE -PS80,21 -PU53 www.abc.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 02:04 EDT
Nmap scan report for www.abc.com (99.84.133.98)
Host is up (0.087s latency).
Other addresses for www.abc.com (not scanned): 99.84.133.97 99.84.133.3 99.84.133.46
rDNS record for 99.84.133.98: server-99-84-133-98.nrt57.r.cloudfront.net
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
```

Captured packets (this capture was taken on a later run of the same command, at 02:20, in which the name resolved to 99.84.133.97, one of the other addresses listed above):

```text
[root@master ~]# tcpdump -nnn host 10.0.0.50 and host www.abc.com

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0
```

What the capture shows: the ICMP echo request (-PE) received an echo reply. The SYN to port 21 eventually got a RST (flags R.), meaning port 21 is closed, while the SYN to port 80 got a SYN/ACK (flags S.), meaning port 80 is open; nmap immediately answers that SYN/ACK with a RST to tear down the half-open connection instead of completing the handshake. The UDP probe to port 53 (-PU53; tcpdump decodes the empty payload as a DNS message) got no reply at all. For host discovery any one of these answers is enough: a RST from a closed port proves the host is up just as well as a SYN/ACK or an echo reply does, and the port states themselves are not the goal of this phase.
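To make the decision rule concrete, here is an added example (not code from the original article, nmap or tcpdump) that replays nmap's host-discovery logic over a capture of the shape shown above. It parses tcpdump -nn lines, pairs each probe the scanner sent with the target's answer, and declares the host up as soon as any reply (echo reply, SYN/ACK, RST or ICMP port unreachable) is seen. The capture embedded in it is a constructed copy of the exchange above, with the scanner at 10.0.0.50 and the target at 99.84.133.97.

```python
"""Replay Nmap's host-discovery decision over a tcpdump capture.

Added example, not part of the original page or of Nmap/tcpdump. The
CAPTURE below is a constructed sample mirroring the exchange shown on
this page (tcpdump -nn output format).
"""
import re

SCANNER = "10.0.0.50"
TARGET = "99.84.133.97"

CAPTURE = """\
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0
"""

# "IP a.b.c.d[.port] > e.f.g.h[.port]: rest" -- tcpdump appends the port
# to the address with a dot, so the address is matched as four octets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")


def parse_line(line):
    """Classify one tcpdump line; returns None for non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    rest = pkt["rest"]
    if "ICMP echo request" in rest:
        pkt["kind"] = "echo-request"
    elif "ICMP echo reply" in rest:
        pkt["kind"] = "echo-reply"
    elif "unreachable" in rest:
        pkt["kind"] = "icmp-unreachable"
    elif rest.startswith("Flags ["):
        flags = rest[len("Flags ["):rest.index("]")]
        pkt["kind"] = {"S": "syn", "S.": "syn-ack"}.get(
            flags, "rst" if "R" in flags else "tcp-other")
    else:
        pkt["kind"] = "udp"  # anything else without TCP flags is the UDP probe
    return pkt


def host_discovery(capture, scanner, target):
    """Pair each probe the scanner sent with the target's answer.

    Returns (is_up, evidence): evidence maps a probe label to the kind of
    reply seen, or None if the target stayed silent for that probe.
    """
    evidence = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == scanner and pkt["dst"] == target:
            if pkt["kind"] == "echo-request":
                evidence.setdefault("ICMP echo", None)
            elif pkt["kind"] == "syn":
                evidence.setdefault("TCP SYN %s" % pkt["dport"], None)
            elif pkt["kind"] == "udp":
                evidence.setdefault("UDP %s" % pkt["dport"], None)
            # A RST from the scanner is nmap tearing down the half-open
            # connection after a SYN/ACK; it is not a probe.
        elif pkt["src"] == target and pkt["dst"] == scanner:
            if pkt["kind"] == "echo-reply":
                evidence["ICMP echo"] = "echo reply"
            elif pkt["kind"] == "syn-ack":
                evidence["TCP SYN %s" % pkt["sport"]] = "SYN/ACK (port open)"
            elif pkt["kind"] == "rst":
                evidence["TCP SYN %s" % pkt["sport"]] = "RST (port closed)"
            elif pkt["kind"] == "icmp-unreachable":
                m = re.search(r"udp port (\d+) unreachable", pkt["rest"])
                if m:
                    evidence["UDP %s" % m.group(1)] = "ICMP port unreachable (port closed)"
    # Any reply at all, open or closed, proves the host is up.
    is_up = any(reply is not None for reply in evidence.values())
    return is_up, evidence


if __name__ == "__main__":
    up, evidence = host_discovery(CAPTURE, SCANNER, TARGET)
    for probe, reply in evidence.items():
        print("%-12s -> %s" % (probe, reply or "no response"))
    print("host is", "up" if up else "down (no evidence)")
```

Run against the constructed capture it reports the echo reply, the SYN/ACK from port 80, the RST from port 21 and no answer for UDP 53, and concludes the host is up. Feed it the probe lines alone and it concludes nothing, which is what nmap sees behind a firewall that silently drops everything.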
Port scanning
Nmap classifies the ports it probes into six states:
open: an application is accepting TCP connections, UDP datagrams or SCTP associations on the port.
closed: the port is reachable (the host answers, for example with a RST) but no application is listening on it.
filtered: a firewall or other filtering device blocks the probe, so nmap cannot tell whether the port is open.
unfiltered: the port is reachable, but nmap cannot tell whether it is open or closed. Only the ACK scan (-sA) produces this state.
open|filtered: nmap cannot tell whether the port is open or filtered, because an open port would give no response for this scan type. Typical for UDP, FIN, Null and Xmas scans.
closed|filtered: nmap cannot tell whether the port is closed or filtered. Only the IP ID idle scan (-sI) produces this state.
Common options

| Option | Meaning |
| --- | --- |
| -sS/sT/sA/sW/sM | Scan the target with TCP SYN, Connect(), ACK, Window or Maimon scans |
| -sU | UDP scan: determine the state of the target's UDP ports |
| -sN/sF/sX | Scan the target's TCP ports with TCP Null, FIN or Xmas scans |
| -p<port list> | Scan the given ports or ranges, e.g. -p80, -p1-100, "-p T:80-88,8080,U:53,S:9" (T = TCP, U = UDP, S = SCTP; a prefix applies to the ports that follow it until the next prefix) |
| -F | Fast mode: scan only the 100 most common ports instead of the default 1000 |
| --top-ports <number> | Scan only the <number> most commonly used ports |
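The -p syntax in the table above is easy to get wrong when building commands programmatically (a prefix sticks until the next one, and a bare "-" means the whole range). The following is an added example, not code from the original article or from Nmap, that expands a -p specification into (protocol, port) pairs so that wrapper tooling can check exactly what a given argument covers. Service names (such as -p http) are deliberately not handled.

```python
"""Expand an Nmap -p port specification into (protocol, port) pairs.

Added example, not part of the original page or of Nmap. Implements the
syntax described above: single ports, a-b ranges, comma-separated lists
and T:/U:/S: prefixes that switch the protocol for the ports that
follow. A bare "-" expands to 1-65535, as nmap does for -p-.
"""

PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535


def parse_port_spec(spec):
    """Return a sorted list of (proto, port) tuples for an nmap -p string."""
    result = set()
    proto = "tcp"  # nmap's default protocol when no prefix is given
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port list: %r" % spec)
        # A protocol qualifier ("T:", "U:", "S:") lasts until the next one.
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTO_PREFIX:
            proto = PROTO_PREFIX[item[0].upper()]
            item = item[2:]
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1          # "-100" means 1-100
            hi = int(hi) if hi else MAX_PORT   # "1024-" means 1024-65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError("bad port range %r" % item)
        result.update((proto, p) for p in range(lo, hi + 1))
    return sorted(result)


def count_by_protocol(pairs):
    """How many ports of each protocol a spec covers, e.g. {'tcp': 10, 'udp': 1}."""
    counts = {}
    for proto, _ in pairs:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    for spec in ("80", "1-100", "T:80-88,8080,U:53,S:9", "-"):
        pairs = parse_port_spec(spec)
        print("%-24s -> %d ports %s" % (spec, len(pairs), count_by_protocol(pairs)))
```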
Example

```text
[root@master ~]# nmap -sS -sU -F www.godaddy.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 04:52 EDT
Nmap scan report for www.godaddy.com (104.94.41.48)
Host is up (0.025s latency).
rDNS record for 104.94.41.48: a104-94-41-48.deploy.static.akamaitechnologies.com
Not shown: 100 open|filtered ports, 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 50.89 seconds
```

With -sS -sU -F nmap scans the 100 most common TCP ports and the 100 most common UDP ports, 200 in total. The "Not shown" line accounts for 198 of them: all 100 UDP ports gave no response, which for a UDP scan means open|filtered, and 98 TCP ports gave no response to the SYN, which means filtered. Only TCP 80 and 443 answered with SYN/ACK and are reported open. Every unanswered probe is retransmitted before it times out, which is why this small scan still took nearly 51 seconds.
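The six-state list above and the -sS -sU -F output are two views of the same rule set: the state nmap assigns to a port depends on the scan technique and on what came back. The following is an added example (not code from the original article or from Nmap) that encodes those rules as documented in the Nmap reference guide for the SYN/connect, UDP, ACK, Window and FIN/Null/Xmas/Maimon scans, then aggregates per-port results into the same kind of "N <state> ports" summary nmap prints. The probe results it runs on are a constructed sample shaped like the scan above (100 silent UDP ports, 98 silent TCP ports, TCP 80 and 443 answering SYN/ACK); the port numbers are placeholders, not nmap's real top-100 list.

```python
"""Map scan type and observed response to Nmap's six port states.

Added example, not part of the original page or of Nmap. closed|filtered
is not produced here because only the IP ID idle scan (-sI) yields it.
"""
from collections import Counter

# Responses are normalised to these tokens.
SYN_ACK, RST, RST_WIN, UDP_DATA, PORT_UNREACH, OTHER_UNREACH, NONE = (
    "syn-ack", "rst", "rst-nonzero-window", "udp-data",
    "icmp-port-unreachable", "icmp-other-unreachable", "none")

# scan -> {response: state}. A response missing from a row cannot be a
# legitimate answer to that scan type.
STATE_RULES = {
    "syn":    {SYN_ACK: "open", RST: "closed", NONE: "filtered",
               PORT_UNREACH: "filtered", OTHER_UNREACH: "filtered"},
    "udp":    {UDP_DATA: "open", PORT_UNREACH: "closed",
               OTHER_UNREACH: "filtered", NONE: "open|filtered"},
    "ack":    {RST: "unfiltered", NONE: "filtered",
               PORT_UNREACH: "filtered", OTHER_UNREACH: "filtered"},
    "window": {RST_WIN: "open", RST: "closed", NONE: "filtered",
               PORT_UNREACH: "filtered", OTHER_UNREACH: "filtered"},
    "fin":    {RST: "closed", NONE: "open|filtered",
               PORT_UNREACH: "filtered", OTHER_UNREACH: "filtered"},
}
STATE_RULES["connect"] = STATE_RULES["syn"]      # -sT behaves like -sS here
for alias in ("null", "xmas", "maimon"):          # -sN, -sX, -sM share -sF's rules
    STATE_RULES[alias] = STATE_RULES["fin"]


def port_state(scan, response):
    """Return the Nmap port state for one probe/response pair."""
    if response == RST_WIN and scan != "window":
        response = RST  # the window size only matters to the Window scan
    try:
        return STATE_RULES[scan][response]
    except KeyError:
        raise ValueError("%r is not a possible answer to a %s scan" % (response, scan))


def summarize(results):
    """results: iterable of (port, proto, scan, response).

    Returns (open_ports, not_shown): the ports found open, and a count of
    every other state, the way nmap's 'Not shown: ...' line collapses the
    states that dominate a scan.
    """
    counts = Counter()
    open_ports = []
    for port, proto, scan, response in results:
        state = port_state(scan, response)
        if state == "open":
            open_ports.append((port, proto))
        else:
            counts[state] += 1
    return sorted(open_ports), dict(counts)


def sample_results():
    """Constructed probe results shaped like the -sS -sU -F scan above."""
    udp_top100 = [53, 67, 68, 69, 123, 137, 138, 161, 162, 500] + list(range(1000, 1090))
    tcp_top100 = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389] + list(range(2000, 2090))
    results = [(p, "udp", "udp", NONE) for p in udp_top100]
    results += [(p, "tcp", "syn", SYN_ACK if p in (80, 443) else NONE) for p in tcp_top100]
    return results


if __name__ == "__main__":
    opened, not_shown = summarize(sample_results())
    print("Not shown:", ", ".join("%d %s ports" % (n, s) for s, n in not_shown.items()))
    for port, proto in opened:
        print("%d/%s open" % (port, proto))
```

The same results table explains why a UDP scan against a host that silently drops traffic is both slow and uninformative: every port comes back open|filtered, and only an ICMP port unreachable (closed) or actual UDP data (open) can narrow it down.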