不多说,直接上干货!

  

  如下,是使用Nmap对主机202.193.58.13进行一次端口扫描的结果,其中使用

root@kali:~# nmap -sS -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:04 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0014s latency).

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ftp

/tcp   open  ssh

/tcp   open  telnet

/tcp   open  smtp

/tcp   open  domain

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  netbios-ssn

/tcp  open  microsoft-ds

/tcp  open  exec

/tcp  open  login

/tcp  open  shell

/tcp open  rmiregistry

/tcp open  ingreslock

/tcp open  nfs

/tcp open  ccproxy-ftp

/tcp open  mysql

/tcp open  postgresql

/tcp open  vnc

/tcp open  X11

/tcp open  irc

/tcp open  ajp13

/tcp open  unknown

MAC Address: :AD::::5C (Unknown)

Nmap done:  IP address ( host up) scanned in 0.95 seconds

root@kali:~#

  默认参数下,nmap使用发送ICMP请求来探测存活主机(即-sP选项)

root@kali:~# nmap -sP 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:12 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0017s latency).

MAC Address: :AD::::5C (Unknown)

Nmap done:  IP address ( host up) scanned in 0.18 seconds

root@kali:~#

  如果是在INTERNET环境中,则应该使用-Pn选项,不要使用ICMP ping扫描,因为ICMP数据包通常无法穿透Internet上的网络边界;

  还可以使用-PU通过对开放的UDP端口进行探测以确定存活的主机。

  可以使用-O选项辨识目标主机的操作系统

  再加以-sV选项辨识操作系统中运行的服务的类型信息,如下

  取更加详细的服务版本等信息,需要使用-sV选项,如下所示。

root@kali:~# nmap -sV -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:06 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (0.0015s latency).

Not shown: 977 closed ports

PORT     STATE SERVICE       VERSION

21/tcp   open  ftp           vsftpd 2.3.4

22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp   open  telnet        Linux telnetd

25/tcp   open  smtp          Postfix smtpd

53/tcp   open  domain?

80/tcp   open  http?

111/tcp  open  rpcbind?

139/tcp  open  netbios-ssn?

445/tcp  open  microsoft-ds?

512/tcp  open  exec          netkit-rsh rexecd

513/tcp  open  login?

514/tcp  open  shell         Netkit rshd

1099/tcp open  rmiregistry?

1524/tcp open  shell         Metasploitable root shell

2049/tcp open  nfs?

2121/tcp open  ccproxy-ftp?

3306/tcp open  mysql         MySQL 5.0.51a-3ubuntu5

5432/tcp open  postgresql?

5900/tcp open  vnc           VNC (protocol 3.3)

6000/tcp open  X11?

6667/tcp open  irc           Unreal ircd

8009/tcp open  ajp13?

8180/tcp open  unknown

MAC Address: 84:AD:58:82:49:5C (Unknown)

Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.64 seconds

root@kali:~#

  以补充Nmap工具的服务指纹数据库。

更多,其实,

msf > nmap -h

[*] exec: nmap -h

Nmap 7.31 ( https://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

  -iL <inputfilename>: Input from list of hosts/networks

  -iR <num hosts>: Choose random targets

  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

  -sL: List Scan - simply list targets to scan

  -sn: Ping Scan - disable port scan

  -Pn: Treat all hosts as online -- skip host discovery

  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  -PO[protocol list]: IP Protocol Ping

  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

  --system-dns: Use OS's DNS resolver

  --traceroute: Trace hop path to each host

SCAN TECHNIQUES:

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  -sU: UDP Scan

  -sN/sF/sX: TCP Null, FIN, and Xmas scans

  --scanflags <flags>: Customize TCP scan flags

  -sI <zombie host[:probeport]>: Idle scan

  -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  -sO: IP protocol scan

  -b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

  -p <port ranges>: Only scan specified ports

    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

  --exclude-ports <port ranges>: Exclude the specified ports from scanning

  -F: Fast mode - Scan fewer ports than the default scan

  -r: Scan ports consecutively - don't randomize

  --top-ports <number>: Scan <number> most common ports

  --port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:

  -sV: Probe open ports to determine service/version info

  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)

  --version-light: Limit to most likely probes (intensity 2)

  --version-all: Try every single probe (intensity 9)

  --version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

  -sC: equivalent to --script=default

  --script=<Lua scripts>: <Lua scripts> is a comma separated list of

           directories, script-files or script-categories

  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

  --script-args-file=filename: provide NSE script args in a file

  --script-trace: Show all data sent and received

  --script-updatedb: Update the script database.

  --script-help=<Lua scripts>: Show help about scripts.

           <Lua scripts> is a comma-separated list of script-files or

           script-categories.

OS DETECTION:

  -O: Enable OS detection

  --osscan-limit: Limit OS detection to promising targets

  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

  Options which take <time> are in seconds, or append 'ms' (milliseconds),

  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

  -T<0-5>: Set timing template (higher is faster)

  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

  --min-parallelism/max-parallelism <numprobes>: Probe parallelization

  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies

      probe round trip time.

  --max-retries <tries>: Caps number of port scan probe retransmissions.

  --host-timeout <time>: Give up on target after this long

  --scan-delay/--max-scan-delay <time>: Adjust delay between probes

  --min-rate <number>: Send packets no slower than <number> per second

  --max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:

  -f; --mtu <val>: fragment packets (optionally w/given MTU)

  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

  -S <IP_Address>: Spoof source address

  -e <iface>: Use specified interface

  -g/--source-port <portnum>: Use given port number

  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies

  --data <hex string>: Append a custom payload to sent packets

  --data-string <string>: Append a custom ASCII string to sent packets

  --data-length <num>: Append random data to sent packets

  --ip-options <options>: Send packets with specified ip options

  --ttl <val>: Set IP time-to-live field

  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,

     and Grepable format, respectively, to the given filename.

  -oA <basename>: Output in the three major formats at once

  -v: Increase verbosity level (use -vv or more for greater effect)

  -d: Increase debugging level (use -dd or more for greater effect)

  --reason: Display the reason a port is in a particular state

  --open: Only show open (or possibly open) ports

  --packet-trace: Show all packets sent and received

  --iflist: Print host interfaces and routes (for debugging)

  --append-output: Append to rather than clobber specified output files

  --resume <filename>: Resume an aborted scan

  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

  --webxml: Reference stylesheet from Nmap.Org for more portable XML

  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

  -6: Enable IPv6 scanning

  -A: Enable OS detection, version detection, script scanning, and traceroute

  --datadir <dirname>: Specify custom Nmap data file location

  --send-eth/--send-ip: Send using raw ethernet frames or IP packets

  --privileged: Assume that the user is fully privileged

  --unprivileged: Assume the user lacks raw socket privileges

  -V: Print version number

  -h: Print this help summary page.

EXAMPLES:

  nmap -v -A scanme.nmap.org

  nmap -v -sn 192.168.0.0/16 10.0.0.0/8

  nmap -v -iR 10000 -Pn -p 80

SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

msf >

Kali linux 2016.2(Rolling)中的Nmap的端口扫描功能的更多相关文章

  1. MetaSploit攻击实例讲解------Metasploit自动化攻击(包括kali linux 2016.2(rolling) 和 BT5)

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)里Metasploit连接(包括默认和自定义)的PostgreSQL数据库 Kali linux 2016.2(Ro ...

  2. MetaSploit攻击实例讲解------终端下PostgreSQL数据库的使用(包括kali linux 2016.2(rolling) 和 BT5)

    不多说,直接上干货! 配置msf连接postgresql数据库 我这里是使用kali linux 2016.2(rolling)   用过的博友们都知道,已经预安装好了PostgreSQL. 1. p ...

  3. MetaSploit攻击实例讲解------社会工程学set攻击(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 首先,如果你是用的BT5,则set的配置文件是在 /pentest/exploits/set/set_config下. APACHE_SERVER=ONSELF_SIGNED_A ...

  4. MetaSploit攻击实例讲解------工具Meterpreter常用功能介绍(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 说在前面的话 注意啦:Meterpreter的命令非常之多,本篇博客下面给出了所有,大家可以去看看.给出了详细的中文 由于篇幅原因,我只使用如下较常用的命令. 这篇博客,利用下面 ...

  5. kali 2.0 linux中的Nmap的操作系统扫描功能

    不多说,直接上干货! 可以使用-O选项,让Nmap对目标的操作系统进行识别. msf > nmap -O 202.193.58.13 [*] exec: nmap -O 202.193.58.1 ...

  6. MetaSploit攻击实例讲解------攻击445端口漏洞(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 大家,相信最近的这个事件,对于445端口已经是非常的小心了.勒索病毒 445端口是一个毁誉参半的端口,有了它我们可以在局域网中轻松访问各种共享文件夹或共享打印机,但也正是因为有了 ...

  7. Kali linux 2016.2(Rolling)中metasploit的端口扫描

    目前常见的端口扫描技术一般有如下几类: TCP  Connect.TCP SYN.TCP ACK.TCP FIN. Metasploit中的端口扫描器 Metasploit的辅助模块中提供了几款实用的 ...

  8. Kali linux 2016.2 的 plyload模块之meterpreter plyload详解

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的payloads模块详解 当利用成功后尝试运行一个进程,它将在系统进程列表里显示,即使在木马中尝试执行系统命令, ...

  9. Kali linux 2016.2(Rolling)中的payloads模块详解

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的Exploits模块详解 payloads模块,也就是shellcode,就是在漏洞利用成功后所要做的事情.在M ...

随机推荐

  1. Android性能优化之ListView缓存机制

    要想优化ListView首先要了解它的工作原理,列表的显示须要三个元素:ListView.Adapter.显示的数据. 这里的Adapter就是用到了适配器模式,无论传入的是什么View在ListVi ...

  2. HDU 1040.As Easy As A+B【排序】【如题(水!水!水!)】【8月24】

    As Easy As A+B Problem Description These days, I am thinking about a question, how can I get a probl ...

  3. Forms authentication timeout vs sessionState timeout

    https://stackoverflow.com/questions/17812994/forms-authentication-timeout-vs-sessionstate-timeout Th ...

  4. 一个比NPM更快更安全可靠的JavaScript包管理工具——Yarn

    yarn安装: npm intall -g yarn 查看安装是否成功: yarn -v yarn常用的命令以及和npm的对照如下: 更详细的请查看官方文档

  5. 关于AJAX异步请求的那些事儿(1)

    1.什么事AJAX? Asynchronous Javascript And XML:异步的JS和XML,由Google2002年在GoogleSuggest应用提出,目标实现客户端和服务器“同时”运 ...

  6. 【原创】rman备份出现ORA-19625

    [oracle@sunny stage]$ rman target / Recovery Manager: Release 10.2.0.1.0 - Production on Sun Mar 18 ...

  7. hiho1041 - 树,遍历

    题目链接 给一棵树,给一个序列,问能不能按这个序列遍历这棵树,满足每条边最多经过两次. -------------------------------------------------------- ...

  8. 简洁的MVC思想框架——Nancy(Session的使用)

    前文提到关于Nancy中GET和POST以及外部引用图片,css和JS的文件等操作.今天所讲的是Nancy关于Session相关操作. Session作为web开发中极其重要的一部分,而Nancy中S ...

  9. JS自定义全局Error

    <script> ///自定义错误 onerror=handleErr; function handleErr(msg,url,l) { var txt=""; txt ...

  10. Ubuntu 16.04 Chrome浏览器安装flash player插件

    1:官网下载插件  flash palyer lash_player_npapi_linux_debug.x86_64.tar.gz 2:解压 提取 libpepflashplayer.so 3:手动 ...