不多说,直接上干货!

  

  如下,是使用Nmap对主机202.193.58.13进行一次端口扫描的结果,其中使用

root@kali:~# nmap -sS -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:04 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0014s latency).

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ftp

/tcp   open  ssh

/tcp   open  telnet

/tcp   open  smtp

/tcp   open  domain

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  netbios-ssn

/tcp  open  microsoft-ds

/tcp  open  exec

/tcp  open  login

/tcp  open  shell

/tcp open  rmiregistry

/tcp open  ingreslock

/tcp open  nfs

/tcp open  ccproxy-ftp

/tcp open  mysql

/tcp open  postgresql

/tcp open  vnc

/tcp open  X11

/tcp open  irc

/tcp open  ajp13

/tcp open  unknown

MAC Address: :AD::::5C (Unknown)

Nmap done:  IP address ( host up) scanned in 0.95 seconds

root@kali:~#

  默认参数下,nmap使用发送ICMP请求来探测存活主机(即-sP选项)

root@kali:~# nmap -sP 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:12 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0017s latency).

MAC Address: :AD::::5C (Unknown)

Nmap done:  IP address ( host up) scanned in 0.18 seconds

root@kali:~#

  如果是在INTERNET环境中,则应该使用-Pn选项,不要使用ICMP ping扫描,因为ICMP数据包通常无法穿透Internet上的网络边界;

  还可以使用-PU通过对开放的UDP端口进行探测以确定存活的主机。

  可以使用-O选项辨识目标主机的操作系统

  再加以-sV选项辨识操作系统中运行的服务的类型信息,如下

  取更加详细的服务版本等信息,需要使用-sV选项,如下所示。

root@kali:~# nmap -sV -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:06 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (0.0015s latency).

Not shown: 977 closed ports

PORT     STATE SERVICE       VERSION

21/tcp   open  ftp           vsftpd 2.3.4

22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

23/tcp   open  telnet        Linux telnetd

25/tcp   open  smtp          Postfix smtpd

53/tcp   open  domain?

80/tcp   open  http?

111/tcp  open  rpcbind?

139/tcp  open  netbios-ssn?

445/tcp  open  microsoft-ds?

512/tcp  open  exec          netkit-rsh rexecd

513/tcp  open  login?

514/tcp  open  shell         Netkit rshd

1099/tcp open  rmiregistry?

1524/tcp open  shell         Metasploitable root shell

2049/tcp open  nfs?

2121/tcp open  ccproxy-ftp?

3306/tcp open  mysql         MySQL 5.0.51a-3ubuntu5

5432/tcp open  postgresql?

5900/tcp open  vnc           VNC (protocol 3.3)

6000/tcp open  X11?

6667/tcp open  irc           Unreal ircd

8009/tcp open  ajp13?

8180/tcp open  unknown

MAC Address: 84:AD:58:82:49:5C (Unknown)

Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.64 seconds

root@kali:~#

  以补充Nmap工具的服务指纹数据库。

更多,其实,

msf > nmap -h

[*] exec: nmap -h

Nmap 7.31 ( https://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

  -iL <inputfilename>: Input from list of hosts/networks

  -iR <num hosts>: Choose random targets

  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

  -sL: List Scan - simply list targets to scan

  -sn: Ping Scan - disable port scan

  -Pn: Treat all hosts as online -- skip host discovery

  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  -PO[protocol list]: IP Protocol Ping

  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

  --system-dns: Use OS's DNS resolver

  --traceroute: Trace hop path to each host

SCAN TECHNIQUES:

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  -sU: UDP Scan

  -sN/sF/sX: TCP Null, FIN, and Xmas scans

  --scanflags <flags>: Customize TCP scan flags

  -sI <zombie host[:probeport]>: Idle scan

  -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  -sO: IP protocol scan

  -b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

  -p <port ranges>: Only scan specified ports

    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

  --exclude-ports <port ranges>: Exclude the specified ports from scanning

  -F: Fast mode - Scan fewer ports than the default scan

  -r: Scan ports consecutively - don't randomize

  --top-ports <number>: Scan <number> most common ports

  --port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:

  -sV: Probe open ports to determine service/version info

  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)

  --version-light: Limit to most likely probes (intensity 2)

  --version-all: Try every single probe (intensity 9)

  --version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

  -sC: equivalent to --script=default

  --script=<Lua scripts>: <Lua scripts> is a comma separated list of

           directories, script-files or script-categories

  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

  --script-args-file=filename: provide NSE script args in a file

  --script-trace: Show all data sent and received

  --script-updatedb: Update the script database.

  --script-help=<Lua scripts>: Show help about scripts.

           <Lua scripts> is a comma-separated list of script-files or

           script-categories.

OS DETECTION:

  -O: Enable OS detection

  --osscan-limit: Limit OS detection to promising targets

  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

  Options which take <time> are in seconds, or append 'ms' (milliseconds),

  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

  -T<0-5>: Set timing template (higher is faster)

  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

  --min-parallelism/max-parallelism <numprobes>: Probe parallelization

  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies

      probe round trip time.

  --max-retries <tries>: Caps number of port scan probe retransmissions.

  --host-timeout <time>: Give up on target after this long

  --scan-delay/--max-scan-delay <time>: Adjust delay between probes

  --min-rate <number>: Send packets no slower than <number> per second

  --max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:

  -f; --mtu <val>: fragment packets (optionally w/given MTU)

  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

  -S <IP_Address>: Spoof source address

  -e <iface>: Use specified interface

  -g/--source-port <portnum>: Use given port number

  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies

  --data <hex string>: Append a custom payload to sent packets

  --data-string <string>: Append a custom ASCII string to sent packets

  --data-length <num>: Append random data to sent packets

  --ip-options <options>: Send packets with specified ip options

  --ttl <val>: Set IP time-to-live field

  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,

     and Grepable format, respectively, to the given filename.

  -oA <basename>: Output in the three major formats at once

  -v: Increase verbosity level (use -vv or more for greater effect)

  -d: Increase debugging level (use -dd or more for greater effect)

  --reason: Display the reason a port is in a particular state

  --open: Only show open (or possibly open) ports

  --packet-trace: Show all packets sent and received

  --iflist: Print host interfaces and routes (for debugging)

  --append-output: Append to rather than clobber specified output files

  --resume <filename>: Resume an aborted scan

  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

  --webxml: Reference stylesheet from Nmap.Org for more portable XML

  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

  -6: Enable IPv6 scanning

  -A: Enable OS detection, version detection, script scanning, and traceroute

  --datadir <dirname>: Specify custom Nmap data file location

  --send-eth/--send-ip: Send using raw ethernet frames or IP packets

  --privileged: Assume that the user is fully privileged

  --unprivileged: Assume the user lacks raw socket privileges

  -V: Print version number

  -h: Print this help summary page.

EXAMPLES:

  nmap -v -A scanme.nmap.org

  nmap -v -sn 192.168.0.0/16 10.0.0.0/8

  nmap -v -iR 10000 -Pn -p 80

SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

msf >

Kali linux 2016.2(Rolling)中的Nmap的端口扫描功能的更多相关文章

  1. MetaSploit攻击实例讲解------Metasploit自动化攻击(包括kali linux 2016.2(rolling) 和 BT5)

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)里Metasploit连接(包括默认和自定义)的PostgreSQL数据库 Kali linux 2016.2(Ro ...

  2. MetaSploit攻击实例讲解------终端下PostgreSQL数据库的使用(包括kali linux 2016.2(rolling) 和 BT5)

    不多说,直接上干货! 配置msf连接postgresql数据库 我这里是使用kali linux 2016.2(rolling)   用过的博友们都知道,已经预安装好了PostgreSQL. 1. p ...

  3. MetaSploit攻击实例讲解------社会工程学set攻击(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 首先,如果你是用的BT5,则set的配置文件是在 /pentest/exploits/set/set_config下. APACHE_SERVER=ONSELF_SIGNED_A ...

  4. MetaSploit攻击实例讲解------工具Meterpreter常用功能介绍(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 说在前面的话 注意啦:Meterpreter的命令非常之多,本篇博客下面给出了所有,大家可以去看看.给出了详细的中文 由于篇幅原因,我只使用如下较常用的命令. 这篇博客,利用下面 ...

  5. kali 2.0 linux中的Nmap的操作系统扫描功能

    不多说,直接上干货! 可以使用-O选项,让Nmap对目标的操作系统进行识别. msf > nmap -O 202.193.58.13 [*] exec: nmap -O 202.193.58.1 ...

  6. MetaSploit攻击实例讲解------攻击445端口漏洞(kali linux 2016.2(rolling))(详细)

    不多说,直接上干货! 大家,相信最近的这个事件,对于445端口已经是非常的小心了.勒索病毒 445端口是一个毁誉参半的端口,有了它我们可以在局域网中轻松访问各种共享文件夹或共享打印机,但也正是因为有了 ...

  7. Kali linux 2016.2(Rolling)中metasploit的端口扫描

    目前常见的端口扫描技术一般有如下几类: TCP  Connect.TCP SYN.TCP ACK.TCP FIN. Metasploit中的端口扫描器 Metasploit的辅助模块中提供了几款实用的 ...

  8. Kali linux 2016.2 的 plyload模块之meterpreter plyload详解

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的payloads模块详解 当利用成功后尝试运行一个进程,它将在系统进程列表里显示,即使在木马中尝试执行系统命令, ...

  9. Kali linux 2016.2(Rolling)中的payloads模块详解

    不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的Exploits模块详解 payloads模块,也就是shellcode,就是在漏洞利用成功后所要做的事情.在M ...

随机推荐

  1. java之IO处理

    File文件基础 文件与文件夹抽象路径名称的表示.其构造方法有四个 File(File parent,String child):从抽象父文件夹下创建一个File实例. File(String par ...

  2. C中操作文件的几种模式

    使用文件的方式共同拥有12种,以下给出了它们的符号和意义.  文件打开方式  意义 rt  仅仅读打开一个文本文件.仅仅同意读数据  wt  仅仅写打开或建立一个文本文件,仅仅同意写数据  at  追 ...

  3. ubuntu 休眠之后蓝牙鼠标无效果。

    ubuntu链接蓝牙鼠标之后.左上角蓝牙标志左下角应该有一个锁的标志. 可是休眠之后,蓝牙鼠标失效,锁没有了,点击按键,出来锁之后,立即消失. 运行两次例如以下命令能够解决: sudo hciconf ...

  4. 初始化的数值(int、double等)(一)

    首先考虑一个具有几个构造函数的MyClass类.如果我们决定在这个类的私有部分加入一个新的数据成员,称为int_data_: class MyClass { public: MyClass() : i ...

  5. ORA-01733: virtual column not allowed here

    基表: hr.tt  scott.tt  视图1: 基于 hr.tt  union all  scott.tt ---> scott.ttt  视图2: 基于 视图1->scott.ttt ...

  6. node18---Mongoose

    二.索引index 数据库中,根据一个字段的值,来寻找一个文档,是很常见的操作.比如根据学号来找一个学生. 这个学号,是唯一的,只要有学号,就能唯一确认一个学生的文档.学号这个属性,就非常适合建立索引 ...

  7. luogu 2308添加括号

    添加括号 传送门 题目大意 现在要添上n-1对括号,加法运算依括号顺序进行,得到n-1个中间和,求出使中间和之和最小的添括号方法. 这道题其实是一个很简单的区间dp,中间和的意思是括号里面的和,也就是 ...

  8. BZOJ 1101 莫比乌斯函数+分块

    思路: 题目中的gcd(x,y)=d (x<=a,y<=b)可以转化成 求:gcd(x,y)=1 (1<=x<=a/d 1<=y<=b/d) 设 G(x,y)表示x ...

  9. swift语言点评十七-Designated Initializers and Convenience Initializers

    Swift defines two kinds of initializers for class types to help ensure all stored properties receive ...

  10. nodejs 封装mysql连接池

    写在前面的 在nodejs后台代码中,我们总是会和数据库打交道 然而,每次都要写数据库的配置以及连接和断开,不胜其烦 我就封装了一个连接池模块,不足之处还请多多批评 上代码 一下是写在mysqls.j ...