Nmap 语法及示例
Nmap 语法及示例
基本语法
Nmap的基本语法结构如下:
nmap [scan types] [options] [target]
[scan types]: 标识扫描类型,如:TCP、UDP等。[options]: 表示各种扫描选项,用于定制扫描行为。[target]: 表示要扫描的目标,可以是单个IP地址、主机名、IP范围或子网。
示例
例1:使用nmap扫描一台服务器
默认情况下,Nmap回扫描1000个常用TCP端口。
┌──(root㉿kali)-[~] |
└─# nmap 127.0.0.1 | # 执行命令 nmap 127.0.0.1,默认扫描1000个常用TCP端口
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-28 16:57 CST | # 在2024-06-28 16:57,使用Nmap7.94扫描
Nmap scan report for localhost (127.0.0.1) | # 扫描的主机为 127.0.0.1
Host is up (0.0000050s latency). | # 主机状态为存活
Not shown: 997 closed tcp ports (reset) | # 没有显示:997个TCP端口是关闭状态的
PORT STATE SERVICE | # 端口、状态、服务
21/tcp open ftp |
22/tcp open ssh |
80/tcp open http |
|
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds | # 一共扫描了1个IP,花费了0.10秒
例2:扫描一台机器,查看它打开的端口及详细信息
参数说明:-v 表示显示冗余信息,在扫描过程中显示扫描的细节,从而让用户了解当前的扫描状态。
┌──(root㉿kali)-[~]
└─# nmap -v 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 10:45 CST
Initiating SYN Stealth Scan at 10:45
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 21/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:45, 0.08s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 2003 (84.132KB)
例3:扫描一个范围:端口1-65535
┌──(root㉿kali)-[~]
└─# nmap -p 1-65535 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 10:51 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000041s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
8834/tcp open nessus-xmlrpc
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
注:生产环境下,我们只需要开启正在提供服务的端口,其他端口都关闭
关闭不需要开放的服务有两种方法:
情景1:你认识这个服务,直接关闭服务
systemctl stop [service]
情景2:不认识这个服务,查看哪个进程使用了这个端口并找出进程的路径,然后kill进程,删除文件,接下来以22端口为例,操作思路如下
┌──(root㉿kali)-[~]
└─# lsof -i :22 # 根据端口号查22端口被哪个进程使用
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1038 root 3u IPv4 16010 0t0 TCP *:ssh (LISTEN)
sshd 1038 root 4u IPv6 16021 0t0 TCP *:ssh (LISTEN)
┌──(root㉿kali)-[~]
└─# ps aux | grep 1038 # 通过ps命令查找对应的进程文件
root 1038 0.0 0.4 13540 8064 ? Ss 10:40 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 14929 0.0 0.1 6584 2304 pts/0 S+ 11:03 0:00 grep --color=auto 1038
# 看到进程的文件的路径是 /usr/sbin/sshd 。如果没有看到此命令的具体执行路径,说明此木马进程可以在bash终端下直接执行,通过which和rpm -qf来查看命令的来源,如下:
┌──(root㉿kali)-[~]
└─# which ssh
/usr/bin/ssh
# 解决:
┌──(root㉿kali)-[~]
└─# kill -9 1038
# 总结:这个思路主要用于找出黑客监听的后门端口和木马存放的路径。
例4:扫描一台机器,查看此服务器开放的端口号和操作系统类型。
参数说明:
-O: 显示出操作系统的类型。每一种操作系统都有一个指纹。-sS: 半开扫描(half-open)
注意:-O 参数并不能100%确定目标操作系统版本,无法确认准确的操作系统版本时nmap会给出几个可能性比较高的建议。
┌──(root㉿kali)-[~]
└─# nmap -sS -O 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 11:12 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/29%OT=21%CT=1%CU=41109%PV=N%DS=0%DC=L%G=Y%TM=667F
OS:7B93%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=
OS:MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=8200%W2=8200%W3=8200%W4=8200%W5=8200%W6
OS:=8200)ECN(R=Y%DF=Y%T=40%W=8200%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds
例5:扫描一个网段中所有机器是什么类型的操作系统。
┌──(root㉿kali)-[~]
└─# nmap -O 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 12:15 CST
Nmap scan report for 192.168.1.0
Host is up (0.00052s latency).
All 1000 scanned ports on 192.168.1.0 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows XP|7|2012|2003 (92%), Actiontec embedded (88%), Linux 2.4.X (88%), Asus embedded (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/h:asus:wl-500gp cpe:/o:microsoft:windows_server_2003::sp2:enterprise cpe:/o:linux:linux_kernel:2.4.37
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), Actiontec MI424WR-GEN3I WAP (88%), Asus WL-500gP wireless broadband router (86%), Microsoft Windows Server 2003 Enterprise Edition SP2 (86%), DD-WRT v24-sp2 (Linux 2.4.37) (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 192.168.1.5
Host is up (0.00060s latency).
All 1000 scanned ports on 192.168.1.5 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows XP|7|2012|2003 (92%), Actiontec embedded (88%), Linux 2.4.X (88%), Asus embedded (86%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/h:asus:wl-500gp cpe:/o:microsoft:windows_server_2003::sp2:enterprise cpe:/o:linux:linux_kernel:2.4.37
Aggressive OS guesses: Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (92%), Actiontec MI424WR-GEN3I WAP (88%), Asus WL-500gP wireless broadband router (86%), Microsoft Windows Server 2003 Enterprise Edition SP2 (86%), DD-WRT v24-sp2 (Linux 2.4.37) (85%), Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
. . . . . .
例6:查找一些有特点的IP地址中,开启80端口的服务器。
┌──(root㉿kali)-[~]
└─# nmap -v -p 80 192.168.1.1-6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:08 CST
Initiating Ping Scan at 13:08
Scanning 6 hosts [4 ports/host]
Completed Ping Scan at 13:08, 0.05s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 13:08
Completed Parallel DNS resolution of 6 hosts. at 13:08, 0.03s elapsed
Initiating SYN Stealth Scan at 13:08
Scanning 6 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 13:08, 0.23s elapsed (6 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.0062s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.2
Host is up (0.00051s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.3
Host is up (0.0056s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.4
Host is up (0.00038s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.5
Host is up (0.00018s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.6
Host is up (0.0035s latency).
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 0.56 seconds
Raw packets sent: 26 (1.024KB) | Rcvd: 8 (292B)
例7:如何更隐秘的去扫描,频繁扫描会被屏蔽或者锁定IP地址。
参数说明:
--randomize-hosts: 随机扫描,对目标主机的顺序随机划分--scan-delay: 延时,单位秒,调整探针之间的延迟
┌──(root㉿kali)-[~]
└─# nmap -v --randomize-hosts --scan-delay 3000ms -p 80 192.168.1.1-6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:15 CST
Initiating Ping Scan at 13:15
Scanning 6 hosts [4 ports/host]
Completed Ping Scan at 13:15, 16.02s elapsed (6 total hosts)
Initiating Parallel DNS resolution of 6 hosts. at 13:15
Completed Parallel DNS resolution of 6 hosts. at 13:15, 0.03s elapsed
Initiating SYN Stealth Scan at 13:15
Scanning 6 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 13:15, 9.01s elapsed (6 total ports)
Nmap scan report for 192.168.1.4
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.5
Host is up (0.00041s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.2
Host is up (0.00043s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.3
Host is up (0.011s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.6
Host is up (0.0031s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 6 IP addresses (6 hosts up) scanned in 25.29 seconds
Raw packets sent: 28 (1.076KB) | Rcvd: 8 (292B)
例8:使用通配符指定IP地址
┌──(root㉿kali)-[~]
└─# nmap -p 80 192.168.1.*
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:18 CST
Nmap scan report for 192.168.1.0
Host is up (0.0011s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 192.168.1.2
Host is up (0.0093s latency).
PORT STATE SERVICE
80/tcp filtered http
. . . . . .
Nmap scan report for 192.168.1.254
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.255
Host is up (0.00084s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 256 IP addresses (256 hosts up) scanned in 9.39 seconds
例9:TCP Connect 扫描
这种扫描方式和SYN扫描很像,只是这种扫描方式完成了TCP的三次握手。
┌──(root㉿kali)-[~]
└─# nmap -sT 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:22 CST
Nmap scan report for 192.168.1.6
Host is up (0.011s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
52869/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.79 seconds
例10:报文分段扫描
使用-f选项可以对namp发送的探测数据包进行分段。这样将原来的数据包分成几个部分,目标网络的防御机制,例如:包过滤、防火墙等在对这些包进行检测的时候就会变得更加困难。
另外必须谨慎使用这个选项,一些老旧的系统在处理分段的包时经常会出现死机的情况。
┌──(root㉿kali)-[~]
└─# nmap -f 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:29 CST
Nmap scan report for 192.168.1.6
Host is up (0.0022s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
53/tcp open domain
80/tcp open http
52869/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 4.88 seconds
例11:使用诱饵主机隐蔽扫描
通常在对目标进行扫描时,有可能会被发现,一个比较巧妙的方法就是同时伪造大量的主机地址对目标进行扫描。这时目标主机即使发现了有人正在进行扫描,但是由于扫描数据包来自于多个主机,即使是IDS也只能知道目前正在受到扫描,并不知道到底是哪台主机在进行扫描。这是一种常用的隐藏自身IP的可靠技术。
在初始的ping扫描(ICMP、SYN、ACK等)阶段或真正的端口扫描,以及远程操作系统检测(-O)阶段都可以使用诱饵主机选项。但是在进行版本检测或TCP连接扫描时,诱饵主机选项是无效的。
(1)随机3个诱饵
└─# nmap -D RND:3 192.168.1.6
(2)使用自己IP作为诱饵
└─# nmap -D ME 192.168.1.6
(3)指定单个IP:192.168.1.14作为诱饵
└─# nmap -D 192.168.1.14 192.168.1.6
(4)指定多个IP作为诱饵对192.168.1.6探测
└─# nmap -D 192.168.1.14,192.168.1.15 192.168.1.6
例12:伪造源端口为8888对目标进行扫描
└─# nmap --source-port 8888 192.168.1.6
或
└─# nmap -g 8888 192.168.1.6
例13:从互联网上随机选择10台主机扫描是否允许Web服务器(开放80端口)
└─# nmap -v -iR 10 -p 80 192.168.1.6
例14:将所有主机视为联机,跳过主机发现,这种方式可以穿透防火墙,避免被防火墙发现
└─# nmap -Pn 192.168.1.6
Nmap 语法及示例的更多相关文章
- iblog语法高亮示例
-------------------------------------------------------------------------------------- iblog 是一款 Sub ...
- Java正则表达式的语法与示例
Java正则表达式的语法与示例 java 正则表达式 正则表达式语法 java正则表达式语法 java正则表达式 概要: Java正则表达式的语法与示例 | |目录 1匹配验证-验证Email是否正确 ...
- gzip 与 gunzip 语法与示例
gzip 与 gunzip 语法与示例 语法: gunzip -c 被压缩的文件 > 已解压的文件示例: 将 catalina.out.gz 文件解压到 catalina.out 文件中: gu ...
- (转)Java正则表达式的语法与示例
转自:http://www.cnblogs.com/lzq198754/p/5780340.html 概要: Java正则表达式的语法与示例 | |目录 1匹配验证-验证Email是否正确 2在字符串 ...
- [转帖]编写shell脚本所需的语法和示例
编写shell脚本所需的语法和示例 https://blog.csdn.net/CSDN___LYY/article/details/100584638 在说什么是shell脚本之前,先说说什么是sh ...
- PHP条件语句语法与示例
一.if…else语句 语法: 1 if(条件){ …… } else{ …… } 2 if(条件){ …… } elseif(条件){ …… } else{ …… } 示例1: <?php & ...
- DQL完整语法及示例
DQL:Data Query Language,数据查询语言,其实它也是DML(数据库操作语言的一种),下面看一看完整的语法: 注意,关键字建议大写,不带[ ]是必需的,带[ ]是可选的. SELEC ...
- Json -- 语法和示例,javascript 解析Json
1. 语法 JSON(JavaScriptObject Notation)一种简单的数据格式,比xml更轻巧.JSON是JavaScript原生格式,这意味着在JavaScript中处理JSON数据不 ...
- mysql索引语法及示例
注:本篇文章是对菜鸟教程中的mysql索引(http://www.runoob.com/mysql/mysql-index.html)的翻译版本:添加了示例,便于理解: 索引分单列索引和组合索引.单列 ...
- 【知识库】-数据库_MySQL常用SQL语句语法大全示例
简书作者:seay 文章出处: 关系数据库常用SQL语句语法大全 Learn [已经过测试校验] 一.创建数据库 二.创建表 三.删除表 四.清空表 五.修改表 六.SQL查询语句 七.SQL插入语句 ...
随机推荐
- 一条语句查看web日志排名前十的IP/URL页面及总数
查看 Nginx web 访问日志访问量前十的ip 以及访问的网站页面地址 ,可以分析网站哪些页面受欢迎,以及访问量大的ip在干什么! 标签: <无> 代码片段(3)[全屏查看所有代码] ...
- Java中的对象池模式
Java中的对象池模式 Java对象的生命周期分析: Java对象的生命周期大致包括三个阶段: 对象的创建,对象的使用, 对象的清除. 因此,对象的生命周期长度可用如下的表达式表示: T = T1 + ...
- 反编译工具之Jadx
jadx 是一款功能强大的反编译工具,使用起来简单方便(拖拽式操作),不光提供了命令行程序,还提供了 GUI 程序.一般情况下,我们直接使用 GUI 程序就可以了. jadx 支持 Windows.L ...
- 终端工具之Tabby
我工作中用的最多的工具之一就是「终端连接工具」了,因为经常和 Linux 服务器打交道,经常在上面跑代码.排查系统问题等等. Windows 系统最常用的就是 Xshell 这款终端工具了,但是它只能 ...
- Educational Codeforces Round 132 (Rated for Div
Educational Codeforces Round 132 (Rated for Div. 2) Recover an RBS 给你一个括号序列,里面存在?号,题目保证至少有一种方案使得该括号序 ...
- JPAAS整合宝蓝德
现在软件国产化的需求成了刚需了,因此在实施的过程中,我们整合了宝蓝德,我将过程写一下. 1.宝蓝德提供的程序包. 包名 说明 bes-actuator-spring-boot-2.x-starter- ...
- zz 为什么我更喜欢 Python 的 Storm ORM
为什么我更喜欢 Python 的 Storm ORM - @emacsway 的博客 很有意思的讨论.可能还是 mapping 比较实用. 另外,文中称赞有加的 Identity Map 并不适合并发 ...
- Redis应用—9.简单应用汇总
大纲 1.基于Redis实现的简单缓存机制(String数据结构) 2.实现一个最简单的分布式锁(String数据结构) 3.博客网站的文章发布与查看(String数据结构) 4.博客字数统计与文章预 ...
- 【bug记录】AttributeError: 'CollectReport' object has no attribute 'description'
问题截图 问题原因 有完全重复用例,因为写用例的时候,为了图方便,直接复制的,还没来得及改,然后,用pytest运行的时候,就报这个错误了. 问题解决 去掉重复就行了
- Jackson ObjectMapper - 指定对象属性的序列化顺序
注释很有用,但在任何地方应用起来都会很痛苦.您可以配置整个 ObjectMapper 以这种方式工作 当前杰克逊版本: objectMapper.configure(MapperFeature.SOR ...