一、Nmap简介

nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。
正如大多数被用于网络安全的工具,nmap 也是不少黑客及骇客爱用的工具 。系统管理员可以利用nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用nmap来搜集目标电脑的网络设定,从而计划攻击的方法。
Nmap 以隐秘的手法,避开闯入检测系统的监视,并尽可能不影响目标系统的日常操作。  --(来自百度)
 
环境介绍:
 
我将用两个不同的部分来涵盖大部分NMAP的使用方法,这是nmap关键的第一部分。在下面的设置中,我使用两台已关闭防火墙的服务器来测试Nmap命令的工作情况。
 
  • 192.168.0.100 – server1.tecmint.com
  • 192.168.0.101 – server2.tecmint.com

Nmap语法:

nmap [Scan Type(s)] [Options] {target specification}

二、Nmap常用操作

1:批量ping扫描

[root@localhost ~]# nmap -sP 192.168.1.0/

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST

Nmap scan report for192.168.1.

Host is up (.0043s latency).

Nmap scan report for 192.168.1.2

Host is up (.0040s latency).

Nmap scan report for 192.168.1.3

Host is up (.0036s latency).

Nmap scan report for 192.168.1.4

Host is up (.0042s latency).

Nmap scan report for 192.168.1.5

2:仅列出指定网络上的每台主机,不发送任何报文到目标主机(隐蔽探测)

[root@localhost ~]# nmap -sL 192.168.1.0/

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST

Nmap scan report for 192.168.1.0

Nmap scan report for 192.168.1.1

Nmap scan report for 192.168.1.2

Nmap scan report for 192.168.1.3

3:探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)

[root@localhost ~]# nmap -PS 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST

Nmap scan report for 220.181.111.188

Host is up (.0043s latency).

Not shown:  filtered ports

PORT    STATE SERVICE

/tcp  open  http

/tcp open  https

Nmap done:  IP address ( host up) scanned in 4.06 seconds

4:使用UDP ping探测主机

[root@localhost ~]# nmap -PU 192.168.1.1

[root@localhost ~]# nmap -PU 192.168.1.0/

5:使用SYN半开放扫描

[root@localhost ~]# nmap -sS 220.181.111.188

[root@localhost ~]# nmap -sS 220.181.111.0/

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST

Nmap scan report for 220.181.111.188

Host is up (.0048s latency).

Not shown:  filtered ports

PORT    STATE SERVICE

/tcp  open  http

/tcp open  https

Nmap done:  IP address ( host up) scanned in 4.56 seconds

6:使用TCP扫描

[root@localhost ~]# nmap -sT 220.181.111.188

[root@localhost ~]# nmap -sT 220.181.111.0/

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST

Nmap scan report for 220.181.111.188

Host is up (.0044s latency).

Not shown:  filtered ports

PORT    STATE SERVICE

/tcp  open  http

/tcp open  https

Nmap done:  IP address ( host up) scanned in 4.24 seconds

7:使用UDP扫描

[root@localhost ~]# nmap -sU 220.181.111.188

[root@localhost ~]# nmap -sU 220.181.111.0/

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST

Nmap scan report for 220.181.111.188

Host is up (.0039s latency).

Not shown:  open|filtered ports

PORT    STATE    SERVICE

/udp filtered snmp

Nmap done:  IP address ( host up) scanned in 4.05 seconds

8:探测目标主机支持哪些IP协议

[root@localhost ~]# nmap -sO 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST

Nmap scan report for 220.181.111.188

Host is up (.0054s latency).

Not shown:  open|filtered protocols

PROTOCOL STATE SERVICE

        open  icmp

Nmap done:  IP address ( host up) scanned in 2.73 seconds

9:探测目标主机操作系统

[root@localhost ~]# nmap -O 220.181.111.188

[root@localhost ~]# nmap -A 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST

Nmap scan report for 220.181.111.188

Host is up (.0050s latency).

Not shown:  filtered ports

PORT    STATE SERVICE

/tcp  open  http

/tcp open  https

Warning: OSScan results may be unreliable because we could not find at least  open and  closed port

Device type: switch

Running (JUST GUESSING): HP embedded (%)

OS CPE: cpe:/h:hp:procurve_switch_4000m

Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (%)

No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done:  IP address ( host up) scanned in 8.44 seconds

10:用主机名和IP地址扫描系统

Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。

a)用主机名扫描系统

[root@server1 ~]# nmap server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.415 seconds

You have new mail in /var/spool/mail/root

b)用IP地址扫描系统

[root@server1 ~]# nmap 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.465 seconds

You have new mail in /var/spool/mail/root

11:扫描时使用-v选项

可以看到下面的命令使用“ -“选项后给出了远程机器更详细的信息。

[root@server1 ~]# nmap -v server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST

Initiating ARP Ping Scan against 192.168.0.101 [ port] at :

The ARP Ping Scan took .01s to scan  total hosts.

Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [ ports] at :

Discovered open port /tcp on 192.168.0.101

Discovered open port /tcp on 192.168.0.101

Discovered open port /tcp on 192.168.0.101

Discovered open port /tcp on 192.168.0.101

Discovered open port /tcp on 192.168.0.101

Discovered open port /tcp on 192.168.0.101

The SYN Stealth Scan took .30s to scan  total ports.

Host server2.tecmint.com (192.168.0.101) appears to be up ... good.

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.485 seconds

12:扫描多台主机

简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( host up) scanned in 0.580 seconds

13:扫描整个子网

使用*通配符来扫描整个子网或某个范围的IP地址。

[root@server1 ~]# nmap 192.168..*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST

Interesting ports on server1.tecmint.com (192.168.0.100):

Not shown:  closed ports

PORT    STATE SERVICE

/tcp  open  ssh

/tcp open  rpcbind

/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( hosts up) scanned in 5.550 seconds

14:使用IP地址的最后一个字节扫描多台服务器

简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。

[root@server1 ~]# nmap 192.168.0.101,,

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( host up) scanned in 0.552 seconds

15:从一个文件中扫描主机列表

如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。

创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。

[root@server1 ~]# cat > nmaptest.txt

localhost

server2.tecmint.com

192.168.0.101

接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址

[root@server1 ~]# nmap -iL nmaptest.txt

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST

Interesting ports on localhost.localdomain (127.0.0.1):

Not shown:  closed ports

PORT    STATE SERVICE

/tcp  open  ssh

/tcp  open  smtp

/tcp open  rpcbind

/tcp open  ipp

/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( hosts up) scanned in 2.047 seconds

16:扫描一个IP地址范围

扫描一个IP地址范围

[root@server1 ~]# nmap 192.168.0.101-

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( host up) scanned in 0.542 seconds

17:排除一些远程主机后再扫描

在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

[root@server1 ~]# nmap 192.168..* --exclude 192.168.0.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( host up) scanned in 5.313 seconds

18:扫描操作系统信息和路由跟踪

使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。

[root@server1 ~]# nmap -A 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE VERSION

/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)

/tcp   open  http    Apache httpd 2.2. ((CentOS))

/tcp  open  rpcbind   (rpc #)

/tcp  open  status    (rpc #)

/tcp open  mysql   MySQL (unauthorized)

/tcp open  http    lighttpd 1.4.

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=4.11%P=i686-redhat-linux-gnu%D=/%Tm=52814B66%O=%C=%M=)

TSeq(Class=TR%IPID=Z%TS=1000HZ)

T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)

T4(Resp=Y%DF=Y%W=%ACK=O%Flags=R%Ops=)

T5(Resp=Y%DF=Y%W=%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=Y%W=%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=Y%W=%ACK=S++%Flags=AR%Ops=)

PU(Resp=Y%DF=N%TOS=C0%IPLEN=%RIPTL=%RID=E%RIPCK=E%UCK=E%ULEN=%DAT=E)

Uptime 0.169 days (since Mon Nov  :: )

Nmap finished:  IP address ( host up) scanned in 22.271 seconds

从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。

19:启用Nmap的操作系统探测功能

使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。

[root@server1 ~]# nmap -O server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

TCP/IP fingerprint:

SInfo(V=4.11%P=i686-redhat-linux-gnu%D=/%Tm=52815CF4%O=%C=%M=)

TSeq(Class=TR%IPID=Z%TS=1000HZ)

T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)

T2(Resp=N)

T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)

T4(Resp=Y%DF=Y%W=%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS

R%Ops=)

T5(Resp=Y%DF=Y%W=%ACK=S++%Flags=AR%Ops=)

T6(Resp=Y%DF=Y%W=%ACK=O%Flags=R%Ops=)

T7(Resp=Y%DF=Y%W=%ACK=S++%Flags=AR%Ops=)

PU(Resp=Y%DF=N%TOS=C0%IPLEN=%RIPTL=%RID=E%RIPCK=E%UCK=E%ULEN=%DAT=E)

Uptime 0.221 days (since Mon Nov  :: )

Nmap finished:  IP address ( host up) scanned in 11.064 seconds

20:扫描主机并侦测防火墙

扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

[root@server1 ~]# nmap -sA 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST

All  scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.382 seconds

21:扫描主机检测是否有防火墙保护

扫描主机检测其是否受到数据包过滤软件或防火墙的保护。

[root@server1 ~]# nmap -PN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.399 seconds

22:找出网络中的在线主机

使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。

[root@server1 ~]# nmap -sP 192.168..*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST

Host server1.tecmint.com (192.168.0.100) appears to be up.

Host server2.tecmint.com (192.168.0.101) appears to be up.

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP addresses ( hosts up) scanned in 5.109 seconds

23:执行快速扫面

你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。

[root@server1 ~]# nmap -F 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.322 seconds

24:顺序扫描端口

使用“-r”选项表示不会随机的选择端口扫描。

[root@server1 ~]# nmap -r 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.363 seconds

25:打印主机接口和路由

你可以使用nmap的“–iflist”选项检测主机接口和路由信息。

[root@server1 ~]# nmap --iflist

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST

************************INTERFACES************************

DEV  (SHORT) IP/MASK          TYPE     UP MAC

lo   (lo)    127.0.0.1/      loopback up

eth0 (eth0)  192.168.0.100/ ethernet up ::::C7:

**************************ROUTES**************************

DST/MASK      DEV  GATEWAY

192.168.0.0/ eth0

169.254.0.0/ eth0

从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。

26:扫描特定的端口

使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。

[root@server1 ~]# nmap -p  server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT   STATE SERVICE

/tcp open  http

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) sca

26:扫描TCP端口

指定具体的端口类型和端口号来让nmap扫描。

[root@server1 ~]# nmap -p T:, server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT     STATE SERVICE

/tcp   open  http

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.157 seconds

27:扫描UDP端口

[root@server1 ~]# nmap -sU  server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT     STATE SERVICE

/udp   open  http

/udp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.157 seconds

28:扫描多个端口

使用选项“-P”来扫描多个端口。

[root@server1 ~]# nmap -p , 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT    STATE  SERVICE

/tcp  open   http

/tcp closed https

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.190 seconds

29:扫描多个端口

使用表达式来扫描某个范围内的端口。

[root@server1 ~]#  nmap -p - 192.168.0.101

30:查找主机服务版本号

[root@server1 ~]# nmap -sV 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE VERSION

/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)

/tcp   open  http    Apache httpd 2.2. ((CentOS))

/tcp  open  rpcbind   (rpc #)

/tcp  open  status    (rpc #)

/tcp open  mysql   MySQL (unauthorized)

/tcp open  http    lighttpd 1.4.

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 12.624 seconds

31:使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机

有时候包过滤防火墙会阻断标准ICMP ping请求,在这种情况下,我们可以使用TCP ACKTCP Syn方法来扫描远程主机。

[root@server1 ~]# nmap -PS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.360 seconds

32:使用TCP ACK扫描远程主机上特定的端口

[root@server1 ~]# nmap -PA -p , 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT   STATE SERVICE

/tcp open  ssh

/tcp open  http

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.166 seconds

33:使用TCP Syn扫描远程主机上特定的端口

[root@server1 ~]# nmap -PS -p , 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

PORT   STATE SERVICE

/tcp open  ssh

/tcp open  http

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.165 seconds

34:执行一次隐蔽的扫描

[root@server1 ~]# nmap -sS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ssh

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  unknown

/tcp open  mysql

/tcp open  sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 0.383 seconds

35:执行TCP空扫描规避防火墙

[root@server1 ~]# nmap -sN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST

Interesting ports on server2.tecmint.com (192.168.0.101):

Not shown:  closed ports

PORT     STATE         SERVICE

/tcp   open|filtered ssh

/tcp   open|filtered http

/tcp  open|filtered rpcbind

/tcp  open|filtered unknown

/tcp open|filtered mysql

/tcp open|filtered sun-answerbook

MAC Address: :::D9:8E:D7 (Cadmus Computer Systems)

Nmap finished:  IP address ( host up) scanned in 1.584 seconds

参考文献:http://www.cnblogs.com/hongfei

参考文献:https://baike.baidu.com/item/nmap/1400075?fr=aladdin

Nmap命令的常用实例的更多相关文章

  1. linux下tar命令的常用实例

    语法:tar [主选项+辅选项] 文件或者目录 使用该命令时,主选项是必须要有的,它告诉tar要做什么事情,辅选项是辅助使用的,可以选用. 主选项:c 创建新的档案文件.如果用户想备份一个目录或是一些 ...

  2. 十条常用nmap命令行格式

    十条常用nmap命令行格式 ) 获取远程主机的系统类型及开放端口 nmap -sS -P0 -sV -O <target> 这里的 < target > 可以是单一 IP, 或 ...

  3. Nmap功能与常用命令

    Nmap功能与常用命令 其基本功能有三个,一是探测一组主机是否在线:其次是扫描主机端口,嗅探所提供的网络服务:还可以推断主机所用的操作系统. Nmap可用于扫描仅有两个节点的LAN,直至500个节点以 ...

  4. find一些常用参数的一些常用实例和一些具体用法和注意事项。

    find一些常用参数的一些常用实例和一些具体用法和注意事项. 1.使用name选项: 文件名选项是find命令最常用的选项,要么单独使用该选项,要么和其他选项一起使用.  可以使用某种文件名模式来匹配 ...

  5. Nmap命令的29个实用范例

    Nmap即网络映射器对Linux系统/网络管理员来说是一个开源且非常通用的工具.Nmap用于在远程机器上探测网络,执行安全扫描,网络审计和搜寻开放端口.它会扫描远程在线主机,该主机的操作系统,包过滤器 ...

  6. [转]给Linux系统管理员准备的Nmap命令的29个实用范例+ tsysv 系统服务器管理器

    原文链接:http://os.51cto.com/art/201401/428152.htm Nmap即网络映射器对Linux系统/网络管理员来说是一个开源且非常通用的工具.Nmap用于在远程机器上探 ...

  7. 给Linux系统/网络管理员准备的Nmap命令的29个实用范例

    我将用两个不同的部分来涵盖大部分NMAP的使用方法,这是nmap关键的第一部分.在下面的设置中,我使用两台已关闭防火墙的服务器来测试Nmap命令的工作情况. 192.168.0.100 – serve ...

  8. nmap命令总结

    一.nmap是什么 nmap是一款网络扫描和主机检测的非常有用的工具,不局限于仅仅收集信息和枚举,同时可以用来作为一个漏洞探测器或安全扫描器.它可以适用于winodws,linux,mac等操作系统. ...

  9. Nmap 命令操作详解

    首先在安装nmap 稳定版 https://nmap.org/download.html 选择安装目录 通过cmd  去使用也可以在 安装目录中找到 进行可视化操作 以下是nmap 命令 -sT TC ...

随机推荐

  1. Android音频系统之AudioFlinger(三)

    http://blog.csdn.net/xuesen_lin/article/details/8805091 1.1.1 PlaybackThread的循环主体 当一个PlaybackThread进 ...

  2. css过渡动画

    具体代码:1.水平翻转-moz-transform:scale(-1,1);-webkit-transform:scale(-1,1);-o-transform:scale(-1,1);transfo ...

  3. ubuntu安装rubyOnRails

    https://gorails.com/setup/ubuntu/16.04#ruby-rbenv 文章很详细

  4. Explain结果解读与实践

    MySQL的EXPLAIN命令用于SQL语句的查询执行计划(QEP).这条命令的输出结果能够让我们了解MySQL 优化器是如何执行SQL 语句的.这条命令并没有提供任何调整建议,但它能够提供重要的信息 ...

  5. java常用设计模式二:工厂模式

    1.简单工厂模式(静态工厂方法模式) 抽象实例: public interface People { void talk(); } 具体实例: public class Doctor implemen ...

  6. 检索 COM 类工厂中 CLSID 为 {10021F00-E260-11CF-AE68-00AA004A34D5} 的组件失败,原因是出现以下错误: 80040154 没有注册类 (异常来自 HRESULT:0x80040154 (REGDB_E_CLASSNOTREG))。

    ASP.NET利用SQLDMO可以实现在线备份.还原数据库等各种功能. 由于客户的数据库和WEB服务不再同一台服务器,把网站部署在服务器上以后,运行程序,提示如下错误 当使用Interop.SQLDM ...

  7. BUG 图片元素img下 高度超出 出现多余空白

    BUG 图片元素img下 高度超出 出现多余空白 1.将图片转换为块级对象 即,设置img为“display:block;”.   2.设置图片的垂直对齐方式 即设置图片的vertical-align ...

  8. 20155326 2016-2017-2 《Java程序设计》第十周学习总结

    20155326 2016-2017-2 <Java程序设计>第十周学习总结 教材学习内容总结 计算机网络基础 1.计算机网络概述 网络编程的实质就是两个(或多个)设备(例如计算机)之间的 ...

  9. 《it项目管理那些事》学习笔记

    此书适合:计算及相关专业的学生,想成为测试工程师.软件工程师.进入项目经理的人,或者经验丰富的it经理人. 之所以称为学习笔记,是加上我从百度搜到一些在看书过程中不明白的it语,作为菜鸟的我,得多看看 ...

  10. 关于cmp函数参数中的&符号

    关于cmp函数参数中的&符号 关于sort函数中的cmp函数有着不同的写法,以刚刚的整形元素比较为例 还有人是这么写的: bool cmp(const int &a, const in ...