不多说,直接上干货!

  可以使用-O选项,让Nmap对目标的操作系统进行识别

msf > nmap -O 202.193.58.13

[*] exec: nmap -O 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 23:18 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0024s latency).

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ftp

/tcp   open  ssh

/tcp   open  telnet

/tcp   open  smtp

/tcp   open  domain

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  netbios-ssn

/tcp  open  microsoft-ds

/tcp  open  exec

/tcp  open  login

/tcp  open  shell

/tcp open  rmiregistry

/tcp open  ingreslock

/tcp open  nfs

/tcp open  ccproxy-ftp

/tcp open  mysql

/tcp open  postgresql

/tcp open  vnc

/tcp open  X11

/tcp open  irc

/tcp open  ajp13

/tcp open  unknown

MAC Address: :AD::::5C (Unknown)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6. - 2.6.

Network Distance:  hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done:  IP address ( host up) scanned in 4.72 seconds

msf >

或者

root@kali:~# nmap -O 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 23:21 CST

Stats: :: elapsed;  hosts completed ( up),  undergoing ARP Ping Scan

ARP Ping Scan Timing: About 100.00% done; ETC: : (:: remaining)

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0025s latency).

Not shown:  closed ports

PORT     STATE SERVICE

/tcp   open  ftp

/tcp   open  ssh

/tcp   open  telnet

/tcp   open  smtp

/tcp   open  domain

/tcp   open  http

/tcp  open  rpcbind

/tcp  open  netbios-ssn

/tcp  open  microsoft-ds

/tcp  open  exec

/tcp  open  login

/tcp  open  shell

/tcp open  rmiregistry

/tcp open  ingreslock

/tcp open  nfs

/tcp open  ccproxy-ftp

/tcp open  mysql

/tcp open  postgresql

/tcp open  vnc

/tcp open  X11

/tcp open  irc

/tcp open  ajp13

/tcp open  unknown

MAC Address: :AD::::5C (Unknown)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6. - 2.6.

Network Distance:  hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done:  IP address ( host up) scanned in 5.51 seconds

root@kali:~#

  大家,也可以拿下面的主机,来扫描

msf > nmap -A 202.193.58.13

[*] exec: nmap -A 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-23 11:46 CST

Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)

Host is up (.0021s latency).

Not shown:  closed ports

PORT     STATE SERVICE      VERSION

/tcp   open  ftp          vsftpd 2.3.

|_ftp-anon: ERROR: Script execution failed (use -d to debug)

|_ftp-bounce: no banner

/tcp   open  ssh          OpenSSH .7p1 Debian 8ubuntu1 (protocol 2.0)

/tcp   open  telnet       Linux telnetd

/tcp   open  smtp         Postfix smtpd

|_smtp-commands: Couldn't establish connection on port 25

/tcp   open  domain?

/tcp   open  http?

/tcp  open  rpcbind?

/tcp  open  netbios-ssn?

/tcp  open  microsoft-ds Windows  Ultimate  Service Pack  microsoft-ds

/tcp  open  exec         netkit-rsh rexecd

/tcp  open  login?

/tcp  open  shell        Netkit rshd

/tcp open  rmiregistry?

/tcp open  shell        Metasploitable root shell

/tcp open  nfs?

/tcp open  ccproxy-ftp?

/tcp open  mysql        MySQL 5.0.51a-3ubuntu5

/tcp open  postgresql?

/tcp open  vnc          VNC (protocol 3.3)

/tcp open  X11?

|_x11-access: ERROR: Script execution failed (use -d to debug)

/tcp open  irc          Unreal ircd

|_irc-info: Unable to open connection

/tcp open  ajp13?

/tcp open  unknown

MAC Address: :AD::::5C (Unknown)

Device type: firewall

Running (JUST GUESSING): Fortinet embedded (%)

OS CPE: cpe:/h:fortinet:fortigate_100d

Aggressive OS guesses: Fortinet FortiGate 100D firewall (%)

No exact OS matches for host (test conditions non-ideal).

Network Distance:  hop

Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:

|_clock-skew: mean: -24s, deviation: 0s, median: -24s

| smb-os-discovery:

|   OS: Windows  Ultimate  Service Pack  (Windows  Ultimate 6.1)

|   OS CPE: cpe:/o:microsoft:windows_7::sp1

|   Computer name: PH-PC

|   NetBIOS computer name: PH-PC

|   Workgroup: WORKGROUP

|_  System time: --23T11::+:

| smb-security-mode:

|   account_used: guest

|   authentication_level: user

|   challenge_response: supported

|_  message_signing: disabled (dangerous, but default)

|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE

HOP RTT     ADDRESS

   2.09 ms 13.58.193.202.in-addr.arpa (202.193.58.13)

Post-scan script results:

| clock-skew:

|_  -24s: Majority of systems scanned

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done:  IP address ( host up) scanned in 72.94 seconds

msf >

  更多,其实,

msf > nmap -h

[*] exec: nmap -h

Nmap 7.31 ( https://nmap.org )

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, microsoft.com/, 192.168.0.1; 10.0.-255.1-

  -iL <inputfilename>: Input from list of hosts/networks

  -iR <num hosts>: Choose random targets

  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks

  --excludefile <exclude_file>: Exclude list from file

HOST DISCOVERY:

  -sL: List Scan - simply list targets to scan

  -sn: Ping Scan - disable port scan

  -Pn: Treat all hosts as online -- skip host discovery

  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

  -PO[protocol list]: IP Protocol Ping

  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]

  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers

  --system-dns: Use OS's DNS resolver

  --traceroute: Trace hop path to each host

SCAN TECHNIQUES:

  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

  -sU: UDP Scan

  -sN/sF/sX: TCP Null, FIN, and Xmas scans

  --scanflags <flags>: Customize TCP scan flags

  -sI <zombie host[:probeport]>: Idle scan

  -sY/sZ: SCTP INIT/COOKIE-ECHO scans

  -sO: IP protocol scan

  -b <FTP relay host>: FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

  -p <port ranges>: Only scan specified ports

    Ex: -p22; -p1-; -p U:,,,T:-,,,,S:

  --exclude-ports <port ranges>: Exclude the specified ports from scanning

  -F: Fast mode - Scan fewer ports than the default scan

  -r: Scan ports consecutively - don't randomize

  --top-ports <number>: Scan <number> most common ports

  --port-ratio <ratio>: Scan ports more common than <ratio>

SERVICE/VERSION DETECTION:

  -sV: Probe open ports to determine service/version info

  --version-intensity <level>: Set from  (light) to  (try all probes)

  --version-light: Limit to most likely probes (intensity )

  --version-all: Try every single probe (intensity )

  --version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

  -sC: equivalent to --script=default

  --script=<Lua scripts>: <Lua scripts> is a comma separated list of

           directories, script-files or script-categories

  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts

  --script-args-file=filename: provide NSE script args in a file

  --script-trace: Show all data sent and received

  --script-updatedb: Update the script database.

  --script-help=<Lua scripts>: Show help about scripts.

           <Lua scripts> is a comma-separated list of script-files or

           script-categories.

OS DETECTION:

  -O: Enable OS detection

  --osscan-limit: Limit OS detection to promising targets

  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

  Options which take <time> are in seconds, or append 'ms' (milliseconds),

  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

  -T<->: Set timing template (higher is faster)

  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes

  --min-parallelism/max-parallelism <numprobes>: Probe parallelization

  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies

      probe round trip time.

  --max-retries <tries>: Caps number of port scan probe retransmissions.

  --host-timeout <time>: Give up on target after this long

  --scan-delay/--max-scan-delay <time>: Adjust delay between probes

  --min-rate <number>: Send packets no slower than <number> per second

  --max-rate <number>: Send packets no faster than <number> per second

FIREWALL/IDS EVASION AND SPOOFING:

  -f; --mtu <val>: fragment packets (optionally w/given MTU)

  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys

  -S <IP_Address>: Spoof source address

  -e <iface>: Use specified interface

  -g/--source-port <portnum>: Use given port number

  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies

  --data <hex string>: Append a custom payload to sent packets

  --data-string <string>: Append a custom ASCII string to sent packets

  --data-length <num>: Append random data to sent packets

  --ip-options <options>: Send packets with specified ip options

  --ttl <val>: Set IP time-to-live field

  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address

  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,

     and Grepable format, respectively, to the given filename.

  -oA <basename>: Output in the three major formats at once

  -v: Increase verbosity level (use -vv or more for greater effect)

  -d: Increase debugging level (use -dd or more for greater effect)

  --reason: Display the reason a port is in a particular state

  --open: Only show open (or possibly open) ports

  --packet-trace: Show all packets sent and received

  --iflist: Print host interfaces and routes (for debugging)

  --append-output: Append to rather than clobber specified output files

  --resume <filename>: Resume an aborted scan

  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML

  --webxml: Reference stylesheet from Nmap.Org for more portable XML

  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

  -: Enable IPv6 scanning

  -A: Enable OS detection, version detection, script scanning, and traceroute

  --datadir <dirname>: Specify custom Nmap data file location

  --send-eth/--send-ip: Send using raw ethernet frames or IP packets

  --privileged: Assume that the user is fully privileged

  --unprivileged: Assume the user lacks raw socket privileges

  -V: Print version number

  -h: Print this help summary page.

EXAMPLES:

  nmap -v -A scanme.nmap.org

  nmap -v -sn 192.168.0.0/ 10.0.0.0/

  nmap -v -iR  -Pn -p

SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

msf >

kali 2.0 linux中的Nmap的操作系统扫描功能的更多相关文章

  1. kali 2.0 linux中的Nmap的主机探测

    不多说,直接上干货! 如果是第一次接触Nmap,推荐在MSF终端中输入不加任何参数的Nmap命令,以查看其使用方法. 更多,其实, msf > nmap -h [*] exec: nmap -h ...

  2. Kali linux 2016.2(Rolling)中的Nmap的端口扫描功能

    不多说,直接上干货! 如下,是使用Nmap对主机202.193.58.13进行一次端口扫描的结果,其中使用 root@kali:~# nmap -sS -Pn 202.193.58.13 Starti ...

  3. 如何在Kali Linux中搭建钓鱼热点

    文中提及的部分技术可能带有一定攻击性,仅供安全学习和教学用途,禁止非法使用! 0×00 实验环境 操作系统:Kali 1.0 (VM) FackAP: easy-creds 硬件:NETGEAR wg ...

  4. Linux中W与Who命令的使用

    踢掉一个从某个终端连上的用户pkill -kill  -t pts/0 ---------------------------------------------------------------- ...

  5. linux中vi和vim编辑工具

    linux中知名的还有emacs,功能比vim还要强大 vim 如果文件存在vim是打开这个文件,若果不存在,则先新建再打开 命令模式:任何模式都可以通过Esc回到命令模式,命令模式可以通过命令进行选 ...

  6. linux中shell变量$#,$@,$0,$1,$2的含义解释

    linux中shell变量$#,$@,$0,$1,$2的含义解释: 变量说明: $$ Shell本身的PID(ProcessID) $! Shell最后运行的后台Process的PID $? 最后运行 ...

  7. Kali Linux中MySQL重置root密码

    参考:使用mysqladmin命令修改MySQL密码与忘记密码 前言:(在Windows的DOS命令行下和在kali Linux下修改方法是一样的)在kali Linux中默认安装了MySQL的最新版 ...

  8. linux中shell变量$#,$@,$0,$1,$2的含义解释

    linux中shell变量$#,$@,$0,$1,$2的含义解释 linux中shell变量$#,$@,$0,$1,$2的含义解释:  变量说明:  $$  Shell本身的PID(ProcessID ...

  9. kali 2.0中msf连接postgres数据库

    装好kali 2.0后直接运行msfconsole msf> db_status postgres selected, no connection 百度到的解决方法多是针对BT和kali 1.0 ...

随机推荐

  1. poj3352Road Construction 边双连通+伪缩点

    /* 对于边双连通分支,求法更为简单. 仅仅需在求出全部的桥以后,把桥边删除.\ 原图变成了多个连通块,则每一个连通块就是一个边双连通分支. 桥不属于不论什么 一个边双连通分支,其余的边和每一个顶点都 ...

  2. QStandardItemModel的data线程安全(在插入数据时,临时禁止sizeHint去读model中的data)

    版权声明:本文为博主原创文章,欢迎转载,转载请注明出处 https://blog.csdn.net/MatchYang/article/details/52988257 在直接使用QStandardI ...

  3. 内存文件系统:tachyon(现在叫Alluxio)

    此文于2015 年 8 月 10 日发布 Tachyon 是什么 Tachyon 是 AMPLab 开发的一款内存分布式文件系统.它介于计算层和存储层之间,可以简单的理解为存储层在内存内的一个 Cac ...

  4. 编 写高性能的 SQL 语句注意事项

    1. IS NULL 与 IS NOT NULL不能用 null 作索引, 任何包含 null 值的列都将不会被包含在索引中. 即使索引有多列这样的情况下,只要这些列中有一列含有 null,该列就会从 ...

  5. shell简单监控脚本模板

    #!/bin/bash host=127.0.0.1user=adminpassword='xx'port=6032x=0check_proxy(){v=$(mysql -N -u$user -p$p ...

  6. vue.js---methods中一个方法调用另一个方法

    new Vue({ el: '#app', data: { test:111, }, methods: { test1:function(){ alert(this.test) }, test2:fu ...

  7. kissy延迟加载demo

    <!doctype html><html><head>    <meta charset="gbk"/>    <title& ...

  8. HDU-5693 D Game 动态规划 两次动规

    题目链接:https://cn.vjudge.net/problem/HDU-5693 题意 中文题 这个游戏是这样的,首先度度熊拥有一个公差集合{D},然后它依次写下N个数字排成一行.游戏规则很简单 ...

  9. [UVa10188]Automated Judge Script

    题目大意:叫你写一个判断答案的系统. 解题思路:模拟即可.AC条件为,答案条数相等,所有字符相等.PE条件为,答案条数可能不等,所有数字字符相等.其他为WA. UVa现在的C++已经不支持gets了, ...

  10. crontab执行脚本和手动执行脚本输出结果不一致的问题处理

    背景:huskiesir最近用公司给分配的账户写了脚本去检测某应用状态并发送到企业邮箱,写完脚本之后去执行了一下,发现效果还不错,在邮箱显示效果如下: 10.11.116.6  检查结果OK,检查时间 ...