I. Host discovery
1. Resolve the domain name with a specified DNS server
nmap --dns-servers 61.139.2.69 www.baidu.com
This lets you manually choose which DNS server is used to resolve the domain.
2. Do not send ICMP packets (to avoid triggering firewall mechanisms)
nmap -Pn www.baidu.com
With the "-Pn" option no ICMP packets are sent before the scan, so the firewall's detection mechanism is not triggered.
3. Specify the port range to scan
nmap -p 1-1000 www.baidu.com
Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.12s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
The "-p" option restricts the scan to ports 1-1000.
4. Port states
| State | Meaning |
| --- | --- |
| open | An application is accepting TCP connections or UDP packets on this port. |
| closed | A closed port is still reachable by nmap: it receives nmap's probe and responds, but no application is listening on it. |
| filtered | Packet filtering prevents the probe from reaching the port, so nmap cannot tell whether it is open. The filtering may come from a dedicated firewall device, router rules, or a host-based software firewall. |
| unfiltered | The port is reachable, but nmap cannot tell whether it is open or closed. Only the ACK scan, used to map firewall rule sets, classifies ports into this state. |
| open\|filtered | nmap cannot tell whether the port is open or filtered; an open port that does not respond is one example. No response may also mean that a packet filter dropped the probe or any reply it provoked. UDP, IP protocol, FIN, Null and similar scans produce this state. |
5. Service fingerprinting
By analysing particular protocol flags, options and data in the packets the target sends back to nmap, one can infer the target's operating system and application details. This is called OS fingerprinting and service fingerprinting.
nmap -sV -p 1-1000 192.168.4.210
Use the -sV option for application fingerprinting:
C:\Users\Administrator>nmap -sV -p 1-1000 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:07 中国标准时间
Nmap scan report for 192.168.4.210
Host is up (0.00055s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
MAC Address: 00:0C:29:7E:61:77 (VMware)
As shown, the version of the application listening on port 22 has been identified.
6. Aggressive scanning
C:\Users\Administrator> nmap -A -v -T4 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:11 中国标准时间
Nmap scan report for 192.168.4.210
Host is up (0.00012s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 02:d6:2b:ca:51:fe:50:02:90:64:49:45:04:2f:26:63 (RSA)
|   256 e4:39:da:a0:ce:84:cc:2e:d5:57:70:98:de:9c:d2:a6 (ECDSA)
|_  256 bf:57:7d:fa:b4:7f:c3:76:e1:c6:97:4a:78:9a:10:e5 (ED25519)
MAC Address: 00:0C:29:7E:61:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 0.001 days (since Fri Apr 10 11:10:55 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.12 ms 192.168.4.210
... ...
-A enables aggressive scanning, -T<0-5> selects a timing template (the higher the number, the faster the scan), and -v raises the output verbosity (shows more information; -vv shows even more).
Or use the following:
nmap -sC -sV -O 192.168.4.210
-sC runs Nmap scripts (NSE) against the target, -sV probes the services running on the target, and -O probes the target's operating system.
7. Host discovery on a local network
CIDR (Classless Inter-Domain Routing) notation expresses a network compactly, for example 192.168.4.0/24.
[root@centos7-test ~]# nmap -sP 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:19 EDT
Nmap scan report for 192.168.4.1
Host is up (0.00063s latency).
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
Nmap scan report for 192.168.4.34
Host is up (0.00094s latency).
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)
Nmap scan report for 192.168.4.41
Host is up (0.00085s latency).
MAC Address: 00:0C:29:53:B4:1D (VMware)
Nmap scan report for 192.168.4.42
Host is up (0.00066s latency).
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
Nmap scan report for 192.168.4.199
Host is up (0.000041s latency).
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
Nmap scan report for 192.168.4.210
Host is up (0.00021s latency).
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap scan report for 192.168.4.211
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.28 seconds
-sP performs a ping scan of every host in the CIDR block to determine which are alive; during the scan TCP SYN probes and ICMP echo requests are used to detect live hosts.
Alternatively, use -sn:
nmap -sn 192.168.4.0/24
8. Probing hosts with TCP (UDP)
[root@centos7-test ~]# nmap -sN 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:44 EDT
Nmap scan report for 192.168.4.1
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
80/tcp   open|filtered http
443/tcp  open|filtered https
1443/tcp open|filtered ies-lm
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
Nmap scan report for 192.168.4.34
Host is up (0.00072s latency).
All 1000 scanned ports on 192.168.4.34 are open|filtered
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)
Nmap scan report for 192.168.4.41
Host is up (0.0035s latency).
All 1000 scanned ports on 192.168.4.41 are closed
MAC Address: 00:0C:29:53:B4:1D (VMware)
Nmap scan report for 192.168.4.42
Host is up (0.00062s latency).
All 1000 scanned ports on 192.168.4.42 are open|filtered
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
Nmap scan report for 192.168.4.199
Host is up (0.00060s latency).
All 1000 scanned ports on 192.168.4.199 are closed
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
Nmap scan report for 192.168.4.210
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap scan report for 192.168.4.211
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT   STATE         SERVICE
22/tcp open|filtered ssh
Nmap done: 256 IP addresses (7 hosts up) scanned in 10.40 seconds
-sN probes hosts with a TCP Null scan.
TCP FIN packets can also be used to probe hosts (faster, since no connection is established):
nmap -sF 192.168.4.0/24
Besides -sN and -sF above, there are also -sA (ACK packets), -sS (SYN packets), -sU (UDP) and others.
II. Nmap output
Save the output as an XML file:
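The state table in section 4 and the Null scan output above are two sides of the same rule set: nmap decides a port's state from the reply (or silence) each probe type gets. The following is an added example, not part of the original article and not nmap's own code; it encodes the classification rules nmap documents for SYN (-sS), Null/FIN (-sN/-sF), ACK (-sA) and UDP (-sU) probes. It shows why the Null scan above reports open|filtered on every listening port: an open port stays silent to a flagless probe, and so does a filter that drops it. The Reply type and the sample replies are constructed for this example.

```python
"""Map a probe reply to nmap's port-state vocabulary.

Added example, not nmap's own code. The rules follow the behaviour nmap
documents for each scan type; the Reply type and sample data are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP destination-unreachable (type 3) codes that nmap treats as filtering:
# host/net/port unreachable and the administratively-prohibited variants.
FILTERING_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    kind: str                       # "tcp", "udp", "icmp" or "none"
    tcp_flags: str = ""             # TCP flags seen, e.g. "SA" (SYN/ACK) or "R" (RST)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_REPLY = Reply("none")
RST = Reply("tcp", "R")
SYN_ACK = Reply("tcp", "SA")


def _is_filtering_icmp(reply: Reply) -> bool:
    return (reply.kind == "icmp" and reply.icmp_type == 3
            and reply.icmp_code in FILTERING_UNREACH_CODES)


def classify(scan: str, reply: Reply) -> str:
    """Return the nmap state for one probed port; scan is syn, null, fin, ack or udp."""
    if scan == "syn":
        if reply.kind == "tcp" and "S" in reply.tcp_flags and "A" in reply.tcp_flags:
            return "open"            # SYN/ACK: something is listening
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "closed"          # RST: reachable, nothing listening
        return "filtered"            # silence or ICMP unreachable
    if scan in ("null", "fin"):
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "closed"          # RFC 793: a closed port answers with RST
        if _is_filtering_icmp(reply):
            return "filtered"
        if reply.kind == "none":
            return "open|filtered"   # open ports stay silent, and so do filters
    if scan == "ack":
        if reply.kind == "tcp" and "R" in reply.tcp_flags:
            return "unfiltered"      # RST proves the packet reached the host
        if reply.kind == "none" or _is_filtering_icmp(reply):
            return "filtered"
    if scan == "udp":
        if reply.kind == "udp":
            return "open"
        if reply.kind == "icmp" and reply.icmp_type == 3 and reply.icmp_code == 3:
            return "closed"          # ICMP port unreachable
        if _is_filtering_icmp(reply):
            return "filtered"
        if reply.kind == "none":
            return "open|filtered"
    raise ValueError(f"unexpected reply {reply} for {scan} scan")


def summarize(scan: str, replies: Dict[int, Reply]) -> Dict[str, int]:
    """Count states over a {port: reply} map, like nmap's 'Not shown: N closed ports' line."""
    return dict(Counter(classify(scan, r) for r in replies.values()))


if __name__ == "__main__":
    # Constructed replies resembling the -sN result for 192.168.4.210 above:
    # ports 22, 80 and 111 stay silent, the others answer with RST.
    null_scan = {22: NO_REPLY, 80: NO_REPLY, 111: NO_REPLY, 25: RST, 443: RST}
    print(summarize("null", null_scan))                       # {'open|filtered': 3, 'closed': 2}
    print(summarize("syn", {22: SYN_ACK, 25: RST, 443: NO_REPLY}))
```

Reading the output through these rules is what makes a Null or FIN scan useful to a defender reviewing a result: open|filtered is never proof that a service is listening, so a follow-up SYN or version scan (-sS, -sV) is needed before treating such a port as exposed.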
nmap -sP 192.168.4.0/24 -oX test.xml
This saves the results to an XML file.
The file looks like this:
[root@centos7-test ~]# cat test.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Fri Apr 10 01:57:13 2020 as: nmap -sP -oX test.xml 192.168.4.0/24 -->
<nmaprun scanner="nmap" args="nmap -sP -oX test.xml 192.168.4.0/24" start="1586498233" startstr="Fri Apr 10 01:57:13 2020" version="7.80" xmloutputversion="1.04">
<verbose level="0"/>
<debugging level="0"/>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.1" addrtype="ipv4"/>
<address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
<hostnames>
</hostnames>
<times srtt="575" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.34" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:2D" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="999" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.41" addrtype="ipv4"/>
<address addr="00:0C:29:53:B4:1D" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="1236" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.42" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:35" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="811" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.66" addrtype="ipv4"/>
<address addr="C8:3D:D4:A3:D9:AD" addrtype="mac" vendor="CyberTAN Technology"/>
<hostnames>
</hostnames>
<times srtt="216078" rttvar="216078" to="1080390"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.150" addrtype="ipv4"/>
<address addr="A4:83:E7:1E:0A:90" addrtype="mac" vendor="Apple"/>
<hostnames>
</hostnames>
<times srtt="524909" rttvar="524909" to="2624545"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.199" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:73:E0" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="204" rttvar="3780" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.210" addrtype="ipv4"/>
<address addr="00:0C:29:7E:61:77" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="457" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="192.168.4.211" addrtype="ipv4"/>
<hostnames>
</hostnames>
</host>
<runstats><finished time="1586498236" timestr="Fri Apr 10 01:57:16 2020" elapsed="3.01" summary="Nmap done at Fri Apr 10 01:57:16 2020; 256 IP addresses (9 hosts up) scanned in 3.01 seconds" exit="success"/><hosts up="9" down="247" total="256"/>
</runstats>
</nmaprun>
III. Port scanning
1. Scanning one or more ports
[root@centos7-test ~]# nmap -p 80 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:15 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00037s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
Scan port 80.
[root@centos7-test ~]# nmap -p 22,80 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:16 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00040s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Scan ports 22 and 80.
[root@centos7-test ~]# nmap -p 22-1000 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:16 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00051s latency).
Not shown: 976 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Scan ports 22 through 1000.
[root@centos7-test ~]# nmap -p - 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:17 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00065s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.15 seconds
Scan all ports, 1-65535.
2. Scanning different ports with different protocols
[root@centos7-test ~]# nmap -p T:22,T:80,U:111 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:18 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00033s latency).
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
T:22 scans port 22 with TCP; U:111 scans port 111 with UDP. Note that a U: port is only actually probed when a UDP scan (-sU) is also enabled; the run above did not include one, which is why 111/udp does not appear in the output.
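The -p syntax used throughout this section (single ports, a-b ranges, "-" for everything, comma lists, and T:/U: prefixes) is small enough to write down as a parser. The block below is an added example, not nmap's own port-specification parser; it expands the forms shown in items 1 and 2 into explicit port lists, with the T:/U: prefix staying in effect until the next prefix, as in nmap. Service names (ssh, h*) and the [a-b] form from items 3 and 4 need nmap's services database and are deliberately rejected here.

```python
"""Expand nmap -p port specifications into explicit port lists.

Added example, not nmap's own parser. Handles single ports, a-b ranges,
open-ended ranges ("-1000", "22-", and "-" for 1-65535), comma lists and
T:/U: protocol prefixes. Service names and [a-b] raise ValueError.
"""
import re
from typing import Dict, List

MAX_PORT = 65535
_ELEMENT = re.compile(r"^(?:([TU]):)?(.+)$")   # optional protocol prefix, then the port text


def parse_port_spec(spec: str) -> Dict[str, List[int]]:
    """Return {"tcp": [...], "udp": [...]}, each list sorted and de-duplicated."""
    ports = {"tcp": set(), "udp": set()}
    proto = "tcp"                                    # nmap's default protocol
    for element in spec.split(","):
        m = _ELEMENT.match(element.strip())
        if not m:
            raise ValueError(f"empty element in port spec {spec!r}")
        if m.group(1):
            proto = "tcp" if m.group(1) == "T" else "udp"   # prefix sticks until changed
        text = m.group(2)
        if "-" in text:
            low_s, high_s = text.split("-", 1)
            low = int(low_s) if low_s else 1                 # "-1000" means 1-1000
            high = int(high_s) if high_s else MAX_PORT       # "22-" means 22-65535; "-" is everything
        else:
            low = high = int(text)                           # int() rejects service names like "ssh"
        if not 0 <= low <= high <= MAX_PORT:
            raise ValueError(f"bad port range: {text!r}")
        ports[proto].update(range(low, high + 1))
    return {p: sorted(s) for p, s in ports.items()}


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs a spec expands to."""
    expanded = parse_port_spec(spec)
    return len(expanded["tcp"]) + len(expanded["udp"])


if __name__ == "__main__":
    for s in ("80", "22,80", "22-1000", "-", "T:22,T:80,U:111"):
        print(f"{s:18} -> {port_count(s)} ports")
```

Counting the expansion before a scan is a cheap sanity check: "-" is 65535 TCP probes per host, which on a /24 is the difference between a one-second and a many-minute scan and is far more visible in firewall and IDS logs.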
3. Scanning the ports associated with a service
[root@centos7-test ~]# nmap -p ssh,h* 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:19 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000043s latency).
Not shown: 166 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
This scans the port associated with ssh (it can still be probed after the port has been changed) and the ports of services whose names begin with h (here, http).
4. Scanning the ports registered with nmap
[root@centos7-test ~]# nmap -p [1-65535] 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:21 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000068s latency).
Not shown: 8317 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
A range in square brackets is different from -p 1-65535: here 1-65535 scans only the commonly used ports registered in nmap's services database (8320 of them).
IV. NSE scripts
1. What is NSE
NSE, the Nmap Script Engine, ships with many task-specific scripts that can be used during scanning. Through NSE, Nmap's scanning strategies can be continually extended and its functionality strengthened.
2. Scripts provided with NSE
On Windows, the default scripts live in the scripts folder under the installation path; for example, D:\apps\Nmap\scripts contains more than 500 .nse script files, each for a different specific function.
On Kali Linux they are stored under /usr/share/nmap/script.
3. Using a particular script
[root@centos7-test ~]# nmap --script http-title 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:29 EDT
Nmap scan report for 192.168.4.210
Host is up (0.000060s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Here --script http-title runs that script to fetch the http-title, i.e. the text of the site's title tag.
[root@centos7-test ~]# nmap --script http-headers 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:48 EDT
Nmap scan report for 192.168.4.210
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-headers:
|   Date: Fri, 10 Apr 2020 09:49:00 GMT
|   Server: Apache/2.4.6 (CentOS)
|   Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
|   ETag: "1321-5058a1e728280"
|   Accept-Ranges: bytes
|   Content-Length: 4897
|   Connection: close
|   Content-Type: text/html; charset=UTF-8
|
|_  (Request type: GET)
111/tcp open  rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
The http-headers script fetches the HTTP response headers.
To specify the browser user agent while scanning:
root@kali:~# nmap --script http-headers --script-args http.useragent="Mozilla 999" 192.168.4.210
4. Scanning for vulnerabilities
[root@centos7-test ~]# nmap -sV --script vuln 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 05:50 EDT
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.4.210
Host is up (0.00090s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.4 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
|   cpe:/a:openbsd:openssh:7.4:
|     CVE-2018-15919  5.0  https://vulners.com/cve/CVE-2018-15919
|_    CVE-2017-15906  5.0  https://vulners.com/cve/CVE-2017-15906
80/tcp  open  http    Apache httpd 2.4.6 ((CentOS))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.6 (CentOS)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| vulners:
|   cpe:/a:apache:http_server:2.4.6:
|     CVE-2020-1934   7.5  https://vulners.com/cve/CVE-2020-1934
|     CVE-2017-7679   7.5  https://vulners.com/cve/CVE-2017-7679
|     CVE-2018-1312   6.8  https://vulners.com/cve/CVE-2018-1312
|     CVE-2017-15715  6.8  https://vulners.com/cve/CVE-2017-15715
|     CVE-2014-0226   6.8  https://vulners.com/cve/CVE-2014-0226
|     CVE-2017-9788   6.4  https://vulners.com/cve/CVE-2017-9788
|     CVE-2019-0217   6.0  https://vulners.com/cve/CVE-2019-0217
|     CVE-2020-1927   5.8  https://vulners.com/cve/CVE-2020-1927
|     CVE-2019-10098  5.8  https://vulners.com/cve/CVE-2019-10098
|     CVE-2019-0220   5.0  https://vulners.com/cve/CVE-2019-0220
|     CVE-2018-17199  5.0  https://vulners.com/cve/CVE-2018-17199
|     CVE-2017-9798   5.0  https://vulners.com/cve/CVE-2017-9798
|     CVE-2017-15710  5.0  https://vulners.com/cve/CVE-2017-15710
|     CVE-2016-8743   5.0  https://vulners.com/cve/CVE-2016-8743
|     CVE-2016-2161   5.0  https://vulners.com/cve/CVE-2016-2161
|     CVE-2016-0736   5.0  https://vulners.com/cve/CVE-2016-0736
|     CVE-2014-3523   5.0  https://vulners.com/cve/CVE-2014-3523
|     CVE-2014-0231   5.0  https://vulners.com/cve/CVE-2014-0231
|     CVE-2014-0098   5.0  https://vulners.com/cve/CVE-2014-0098
|     CVE-2013-6438   5.0  https://vulners.com/cve/CVE-2013-6438
|     CVE-2019-10092  4.3  https://vulners.com/cve/CVE-2019-10092
|     CVE-2016-4975   4.3  https://vulners.com/cve/CVE-2016-4975
|     CVE-2015-3185   4.3  https://vulners.com/cve/CVE-2015-3185
|     CVE-2014-8109   4.3  https://vulners.com/cve/CVE-2014-8109
|     CVE-2014-0118   4.3  https://vulners.com/cve/CVE-2014-0118
|     CVE-2014-0117   4.3  https://vulners.com/cve/CVE-2014-0117
|     CVE-2013-4352   4.3  https://vulners.com/cve/CVE-2013-4352
|     CVE-2018-1283   3.5  https://vulners.com/cve/CVE-2018-1283
|_    CVE-2016-8612   3.3  https://vulners.com/cve/CVE-2016-8612
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|_  100000  3,4        111/udp6    rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.34 seconds
5. Enumerating subdomains and their IP addresses
nmap --script dns-brute baidu.com
Result:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-16 03:01 EDT
Nmap scan report for baidu.com (220.181.38.148)
Host is up (0.13s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|     mx.baidu.com - 61.135.163.61
|     admin.baidu.com - 10.26.109.19
|     svn.baidu.com - 10.65.211.174
|     ads.baidu.com - 10.42.4.225
|     mx1.baidu.com - 111.202.115.85
|     mx1.baidu.com - 220.181.3.85
|     id.baidu.com - 106.120.159.182
|     id.baidu.com - 220.181.107.148
|     test.baidu.com - 220.181.107.196
|     images.baidu.com - 182.61.62.50
|     news.baidu.com - 106.120.159.43
|     news.baidu.com - 180.149.145.156
|     info.baidu.com - 180.97.104.89
|     ap.baidu.com - 180.149.132.182
|     dns.baidu.com - 202.108.22.220
|     ns1.baidu.com - 202.108.22.220
|     app.baidu.com - 14.215.177.167
|     ns2.baidu.com - 220.181.33.31
|     dns1.baidu.com - 220.181.38.10
|     ns3.baidu.com - 112.80.248.64
|     ntp.baidu.com - 10.48.49.44
|     ops.baidu.com - 10.26.3.240
|     ops.baidu.com - 10.46.7.36
|     ops.baidu.com - 10.91.160.44
|     auth.baidu.com - 220.181.107.194
|     backup.baidu.com - 10.143.145.28
|     owa.baidu.com - 111.202.115.84
|     vpn.baidu.com - 220.181.3.125
|     vpn.baidu.com - 220.181.50.247
|     beta.baidu.com - 111.206.37.130
|     web.baidu.com - 10.48.30.87
|     exchange.baidu.com - 10.26.109.19
|     cdn.baidu.com - 10.169.43.10
|     whois.baidu.com - 180.149.144.177
|     secure.baidu.com - 180.97.34.120
|     secure.baidu.com - 180.97.93.27
|     www.baidu.com - 14.215.177.38
|     www.baidu.com - 14.215.177.39
|     forum.baidu.com - 10.26.109.19
|     shop.baidu.com - 123.125.115.15
|     www2.baidu.com - 180.149.144.64
|     sip.baidu.com - 220.181.3.68
|     crs.baidu.com - 180.101.49.112
|     git.baidu.com - 10.42.4.104
|     internet.baidu.com - 106.120.159.43
|     internet.baidu.com - 180.149.145.156
|     database.baidu.com - 10.26.109.19
|     help.baidu.com - 112.34.111.18
|     help.baidu.com - 112.34.111.183
|     help.baidu.com - 112.80.255.39
|     help.baidu.com - 112.80.255.43
|     help.baidu.com - 117.185.16.213
|     help.baidu.com - 117.185.16.230
|     help.baidu.com - 180.149.144.165
|     help.baidu.com - 180.149.144.166
|     help.baidu.com - 180.97.33.42
|     help.baidu.com - 202.106.2.77
|     help.baidu.com - 202.106.2.78
|     db.baidu.com - 10.26.109.19
|     demo.baidu.com - 10.73.191.38
|     ipv6.baidu.com - 14.215.177.38
|     ipv6.baidu.com - 14.215.177.39
|     dev.baidu.com - 220.181.107.143
|     ssl.baidu.com - 10.58.121.74
|     home.baidu.com - 180.101.49.156
|     lab.baidu.com - 180.149.144.192
|     linux.baidu.com - 10.99.31.43
|     log.baidu.com - 10.26.39.14
|     mail.baidu.com - 220.181.50.187
|     mirror.baidu.com - 219.151.25.35
|     mobile.baidu.com - 14.215.177.167
|_    monitor.baidu.com - 10.91.161.200
6. Updating the NSE script database
root@kali:~# nmap --script-updatedb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 13:31 EDT
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.32 seconds
V. Other usage
1. Choosing the network interface
nmap -sV -e eth0 192.168.4.210
2. Using ndiff to compare results
When we have several scan results (saved as XML files), ndiff can show the differences between them.
Here the server 192.168.4.210 was scanned twice: the first time without the httpd service running, the second time with it running.
C:\Users\Administrator\Desktop>ndiff res1.xml res2.xml
-Nmap 7.80 scan initiated Sat Apr 11 02:14:41 2020 as: nmap -A -v -T4 -oX res1.xml 192.168.4.210
+Nmap 7.80 scan initiated Sat Apr 11 02:15:09 2020 as: nmap -A -v -T4 -oX res2.xml 192.168.4.210

 192.168.4.210, 00:0C:29:7E:61:77:
-Not shown: 998 closed ports
+Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
+80/tcp open  http    Apache httpd 2.4.6 ((CentOS))
+| http-methods:
+|   Supported Methods: GET HEAD POST OPTIONS TRACE
+|_  Potentially risky methods: TRACE
+|_http-server-header: Apache/2.4.6 (CentOS)
+|_http-title: Apache HTTP Server Test Page powered by CentOS
This comparison was done on Windows; on Kali Linux ndiff is not installed by default and must be installed separately.
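The XML produced by -oX (section II) is what ndiff consumes, and the two together give a defender the most useful thing nmap offers: a scheduled scan of one's own network whose output is compared with the previous run so that a newly exposed service shows up as a diff, exactly as the new 80/tcp line does above. The block below is an added example, not nmap's or ndiff's own code; parse_nmaprun() reads the host, status, address and ports elements in the format shown in section II, and diff_scans() reports hosts that appeared or vanished and ports whose state changed. The two sample scans are constructed to resemble the res1.xml/res2.xml pair described above (one before httpd was started, one after) and are not the article's actual files.

```python
"""Parse nmap -oX results and report what changed between two scans.

Added example, not nmap's or ndiff's code. The two sample documents are
constructed to resemble the res1.xml/res2.xml pair described in the text.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed sample: the same host scanned twice; the second scan also sees a new host.
SCAN_BEFORE = """<nmaprun scanner="nmap" args="nmap -A -oX res1.xml 192.168.4.210" version="7.80">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.210" addrtype="ipv4"/>
<address addr="00:0C:29:7E:61:77" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
</ports>
</host>
</nmaprun>"""

SCAN_AFTER = """<nmaprun scanner="nmap" args="nmap -A -oX res2.xml 192.168.4.210" version="7.80">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.210" addrtype="ipv4"/>
<address addr="00:0C:29:7E:61:77" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
</ports>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.66" addrtype="ipv4"/>
<address addr="C8:3D:D4:A3:D9:AD" addrtype="mac" vendor="CyberTAN Technology"/>
<hostnames>
</hostnames>
</host>
</nmaprun>"""

PortKey = Tuple[str, int]   # (protocol, port number)


def parse_nmaprun(xml_text: str) -> Dict[str, dict]:
    """Return {ip: {mac, vendor, reason, ports: {(proto, port): (state, service)}}} for hosts that are up."""
    hosts: Dict[str, dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
        if ip is None:
            continue
        ports: Dict[PortKey, Tuple[str, str]] = {}
        for port in host.findall("./ports/port"):
            state = port.find("state").get("state")
            service = port.find("service")
            name = service.get("name") if service is not None else ""
            ports[(port.get("protocol"), int(port.get("portid")))] = (state, name)
        hosts[ip] = {"mac": mac, "vendor": vendor, "reason": status.get("reason"), "ports": ports}
    return hosts


def diff_scans(old: Dict[str, dict], new: Dict[str, dict]) -> dict:
    """Like ndiff: hosts that appeared or vanished, and ports whose state changed.

    A port missing from one scan's port list is reported with state "absent".
    """
    changes = {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "port_changes": [],   # (ip, proto, port, state_before, state_after)
    }
    for ip in sorted(set(old) & set(new)):
        before, after = old[ip]["ports"], new[ip]["ports"]
        for key in sorted(set(before) | set(after)):
            s_before = before.get(key, ("absent", ""))[0]
            s_after = after.get(key, ("absent", ""))[0]
            if s_before != s_after:
                changes["port_changes"].append((ip, key[0], key[1], s_before, s_after))
    return changes


if __name__ == "__main__":
    report = diff_scans(parse_nmaprun(SCAN_BEFORE), parse_nmaprun(SCAN_AFTER))
    for ip in report["new_hosts"]:
        print(f"+ host {ip}")
    for ip, proto, port, s0, s1 in report["port_changes"]:
        print(f"  {ip} {port}/{proto}: {s0} -> {s1}")
```

Run against real -oX files (read them with open().read() and pass the text to parse_nmaprun), the same diff_scans() call is a small change-detection job: anything in port_changes or new_hosts that nobody planned is worth an alert.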
