Nmap OS detection in Kali 2.0 Linux
Without further ado, straight to the practical part.

Use the -O option to have Nmap identify the target's operating system. OS detection builds its fingerprint from how the target's TCP/IP stack answers crafted probes, so it needs raw-socket privileges (root, as in the shells below) and gives its most reliable answer when the target has at least one open and one closed TCP port.

msf > nmap -O 202.193.58.13
[*] exec: nmap -O 202.193.58.13
Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 23:18 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (.0024s latency).
Not shown: closed ports
PORT STATE SERVICE
/tcp open ftp
/tcp open ssh
/tcp open telnet
/tcp open smtp
/tcp open domain
/tcp open http
/tcp open rpcbind
/tcp open netbios-ssn
/tcp open microsoft-ds
/tcp open exec
/tcp open login
/tcp open shell
/tcp open rmiregistry
/tcp open ingreslock
/tcp open nfs
/tcp open ccproxy-ftp
/tcp open mysql
/tcp open postgresql
/tcp open vnc
/tcp open X11
/tcp open irc
/tcp open ajp13
/tcp open unknown
MAC Address: :AD::::5C (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6. - 2.6.
Network Distance: hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: IP address ( host up) scanned in 4.72 seconds
msf >
Or, from a plain Kali root shell:

root@kali:~# nmap -O 202.193.58.13
Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 23:21 CST
Stats: :: elapsed; hosts completed ( up), undergoing ARP Ping Scan
ARP Ping Scan Timing: About 100.00% done; ETC: : (:: remaining)
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (.0025s latency).
Not shown: closed ports
PORT STATE SERVICE
/tcp open ftp
/tcp open ssh
/tcp open telnet
/tcp open smtp
/tcp open domain
/tcp open http
/tcp open rpcbind
/tcp open netbios-ssn
/tcp open microsoft-ds
/tcp open exec
/tcp open login
/tcp open shell
/tcp open rmiregistry
/tcp open ingreslock
/tcp open nfs
/tcp open ccproxy-ftp
/tcp open mysql
/tcp open postgresql
/tcp open vnc
/tcp open X11
/tcp open irc
/tcp open ajp13
/tcp open unknown
MAC Address: :AD::::5C (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6. - 2.6.
Network Distance: hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: IP address ( host up) scanned in 5.51 seconds
root@kali:~#
You can also put the same host through an aggressive scan (-A), which adds version detection, script scanning and traceroute on top of OS detection:

msf > nmap -A 202.193.58.13
[*] exec: nmap -A 202.193.58.13
Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-23 11:46 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (.0021s latency).
Not shown: closed ports
PORT STATE SERVICE VERSION
/tcp open ftp vsftpd 2.3.
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
|_ftp-bounce: no banner
/tcp open ssh OpenSSH .7p1 Debian 8ubuntu1 (protocol 2.0)
/tcp open telnet Linux telnetd
/tcp open smtp Postfix smtpd
|_smtp-commands: Couldn't establish connection on port 25
/tcp open domain?
/tcp open http?
/tcp open rpcbind?
/tcp open netbios-ssn?
/tcp open microsoft-ds Windows Ultimate Service Pack microsoft-ds
/tcp open exec netkit-rsh rexecd
/tcp open login?
/tcp open shell Netkit rshd
/tcp open rmiregistry?
/tcp open shell Metasploitable root shell
/tcp open nfs?
/tcp open ccproxy-ftp?
/tcp open mysql MySQL 5.0.51a-3ubuntu5
/tcp open postgresql?
/tcp open vnc VNC (protocol 3.3)
/tcp open X11?
|_x11-access: ERROR: Script execution failed (use -d to debug)
/tcp open irc Unreal ircd
|_irc-info: Unable to open connection
/tcp open ajp13?
/tcp open unknown
MAC Address: :AD::::5C (Unknown)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -24s, deviation: 0s, median: -24s
| smb-os-discovery:
| OS: Windows Ultimate Service Pack (Windows Ultimate 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: PH-PC
| NetBIOS computer name: PH-PC
| Workgroup: WORKGROUP
|_ System time: --23T11::+:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT ADDRESS
2.09 ms 13.58.193.202.in-addr.arpa (202.193.58.13)

Post-scan script results:
| clock-skew:
|_ -24s: Majority of systems scanned
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: IP address ( host up) scanned in 72.94 seconds
msf >
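The -A result above is a good reminder that an OS fingerprint is only one piece of evidence and should be cross-checked against what the services themselves say. The script below is an added example, not code from the original post: it reads Nmap XML output (as written by -oX, e.g. nmap -O -sV -oX scan.xml target) and reports when the stack fingerprint, the per-port ostype fields from version detection and the smb-os-discovery host script point at different operating systems. SAMPLE_XML is a constructed sample modelled on the scan above; its port numbers, accuracy value, OS strings and the keyword-to-family table are assumptions made for illustration, not data from the post.

```python
"""Cross-check an Nmap OS fingerprint against service banners and host scripts.

Added example, not code from the original post. SAMPLE_XML is a constructed
sample modelled on the -A scan in the post; port numbers, accuracy and OS
strings are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.31">
<host><status state="up" reason="arp-response"/>
<address addr="202.193.58.13" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" ostype="Linux" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Windows microsoft-ds" ostype="Windows" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="5.0.51a-3ubuntu5" ostype="Linux" method="probed" conf="10"/></port>
<port protocol="tcp" portid="6667"><state state="open" reason="syn-ack"/>
<service name="irc" product="Unreal ircd" ostype="Unix" method="probed" conf="10"/></port>
</ports>
<os><osmatch name="Fortinet FortiGate 100D firewall" accuracy="85">
<osclass type="firewall" vendor="Fortinet" osfamily="embedded" accuracy="85">
<cpe>cpe:/h:fortinet:fortigate_100d</cpe></osclass></osmatch></os>
<hostscript><script id="smb-os-discovery" output="OS: Windows 7 Ultimate">
<elem key="os">Windows 7 Ultimate</elem>
<elem key="cpe">cpe:/o:microsoft:windows_7::sp1</elem></script></hostscript>
</host></nmaprun>
"""

# Coarse OS families, keyword -> family (assumed table). Unmatched labels are "other".
FAMILY_KEYWORDS = {
    "linux": "Unix-like", "unix": "Unix-like", "bsd": "Unix-like",
    "windows": "Windows", "microsoft": "Windows",
    "fortinet": "Fortinet", "fortigate": "Fortinet",
}


def family(label):
    """Map a free-text OS label such as 'Linux 2.6.9 - 2.6.33' to a coarse family."""
    low = label.lower()
    for key, fam in FAMILY_KEYWORDS.items():
        if key in low:
            return fam
    return "other"


def parse_host(xml_text):
    """Extract the OS-related evidence for the first host in an Nmap XML run."""
    host = ET.fromstring(xml_text).find("host")
    addr = host.find("address[@addrtype='ipv4']").get("addr")
    # <osmatch> entries come from -O; accuracy is Nmap's percentage.
    os_matches = [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")]
    # <service ostype="..."> comes from -sV banner matching, one per port.
    service_os = {}
    for port in host.iter("port"):
        svc = port.find("service")
        if svc is not None and svc.get("ostype"):
            service_os[int(port.get("portid"))] = svc.get("ostype")
    # smb-os-discovery (run under -A / -sC) asks the SMB server what it is.
    smb_os = None
    for script in host.iter("script"):
        if script.get("id") == "smb-os-discovery":
            elem = script.find("elem[@key='os']")
            smb_os = elem.text if elem is not None else None
    return {"addr": addr, "os_matches": os_matches, "service_os": service_os, "smb_os": smb_os}


def assess(info, min_accuracy=90):
    """Return a list of findings; an empty list means the evidence is consistent."""
    findings = []
    if not info["os_matches"]:
        findings.append("no OS match: Nmap needs at least one open and one closed TCP port")
        return findings
    best_name, best_acc = max(info["os_matches"], key=lambda m: m[1])
    stack_fam = family(best_name)
    if best_acc < min_accuracy:
        findings.append(f"best match '{best_name}' is only {best_acc}%: treat it as a guess")
    svc_fams = Counter(family(v) for v in info["service_os"].values())
    if svc_fams and stack_fam not in svc_fams:
        findings.append(f"stack fingerprint says {stack_fam} but banners say {dict(svc_fams)}: "
                        "likely a NAT device or firewall in front of the target")
    if len(svc_fams) > 1:
        findings.append(f"banners disagree with each other {dict(svc_fams)}: "
                        "more than one host may be answering behind this address")
    if info["smb_os"] and family(info["smb_os"]) != stack_fam:
        findings.append(f"smb-os-discovery reports '{info['smb_os']}', not {stack_fam}")
    return findings


if __name__ == "__main__":
    info = parse_host(SAMPLE_XML)
    print(info["addr"], info["os_matches"])
    for line in assess(info):
        print(" -", line)
```

Run against the constructed sample it reports four findings: a low-confidence match, a stack fingerprint that matches none of the banners, banners that disagree among themselves, and an SMB answer that contradicts the fingerprint. Against a consistent host (one OS family everywhere, accuracy at or above the threshold) it returns an empty list, which is the only case where the -O result should be recorded without further checking.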
Notice that the three results do not agree. -O on its own reported Linux 2.6; -A guessed a Fortinet FortiGate firewall, but only as a low-confidence guess and with "No exact OS matches for host (test conditions non-ideal)"; the smb-os-discovery host script reports a Windows 7 SP1 machine named PH-PC, while the service banners name metasploitable.localdomain and several ports end in "?" because the version probes got no usable answer. OS detection fingerprints whatever TCP/IP stack actually answers the probes, so a NAT device, firewall or port forwarder in front of the target, or several machines answering on different ports behind one address, produces exactly this kind of mixed picture. In that case trust the service banners and host-script results over the stack fingerprint, rerun with -sV --osscan-guess and -v to see the full candidate list, and confirm from a different network position before recording an OS. For the full list of options, run nmap -h:

msf > nmap -h
[*] exec: nmap -h
Nmap 7.31 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/, 192.168.0.1; 10.0.-255.1-
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-; -p U:,,,T:-,,,,S:
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from (light) to (try all probes)
--version-light: Limit to most likely probes (intensity )
--version-all: Try every single probe (intensity )
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<->: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/ 10.0.0.0/
nmap -v -iR -Pn -p
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
msf >