Linux学习-网络工具使用(nmap)

Posted 丢爸

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux学习-网络工具使用(nmap)相关的知识,希望对你有一定的参考价值。

nmap网络探测工具

Nmap(Network Mapper,Linux下的网络扫描和嗅探工具包)是一个网络连接端扫描软件,用来确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。
Nmap中文文档

使用方法
Usage: nmap [Scan Type(s)] [Options] target specification
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -P0: Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve]
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idlescan
  -sO: IP protocol scan
  -b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
  -F: Fast - Scan only the ports listed in the nmap-services file)
  -r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-light: Limit to most likely probes for faster identification
  --version-all: Try every single probe for version detection
  --version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  -T[0-6]: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies
      probe round trip time.
  --host-timeout <msec>: Give up on target after this long
  --scan-delay/--max-scan-delay <msec>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --data-length <num>: Append random data to sent packets
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address, prefix, or vendor name>: Spoof your MAC address
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan results in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use twice for more effect)
  -d[level]: Set or increase debugging level (Up to 9 is meaningful)
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to html
  --no-stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enables OS detection and Version detection
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send packets using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sP 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -P0 -p 80
Nmap所识别的6个端口状态
open(开放的)
应用程序正在该端口接收TCP 连接或者UDP报文。发现这一点常常是端口扫描 的主要目标。安全意识强的人们知道每个开放的端口 都是攻击的入口。攻击者或者入侵测试者想要发现开放的端口。 而管理员则试图关闭它们或者用防火墙保护它们以免妨碍了合法用户。 非安全扫描可能对开放的端口也感兴趣,因为它们显示了网络上那些服务可供使用。

closed(关闭的)
关闭的端口对于Nmap也是可访问的(它接受Nmap的探测报文并作出响应), 但没有应用程序在其上监听。 它们可以显示该IP地址上(主机发现,或者ping扫描)的主机正在运行up 也对部分操作系统探测有所帮助。 因为关闭的关口是可访问的,也许过会儿值得再扫描一下,可能一些又开放了。 系统管理员可能会考虑用防火墙封锁这样的端口。 那样他们就会被显示为被过滤的状态,下面讨论。

filtered(被过滤的)
由于包过滤阻止探测报文到达端口, Nmap无法确定该端口是否开放。过滤可能来自专业的防火墙设备,路由器规则 或者主机上的软件防火墙。这样的端口让攻击者感觉很挫折,因为它们几乎不提供 任何信息。有时候它们响应ICMP错误消息如类型3代码13 (无法到达目标: 通信被管理员禁止),但更普遍的是过滤器只是丢弃探测帧, 不做任何响应。 这迫使Nmap重试若干次以访万一探测包是由于网络阻塞丢弃的。 这使得扫描速度明显变慢。

unfiltered(未被过滤的)
未被过滤状态意味着端口可访问,但Nmap不能确定它是开放还是关闭。 只有用于映射防火墙规则集的ACK扫描才会把端口分类到这种状态。 用其它类型的扫描如窗口扫描,SYN扫描,或者FIN扫描来扫描未被过滤的端口可以帮助确定 端口是否开放。

open|filtered(开放或者被过滤的)
当无法确定端口是开放还是被过滤的,Nmap就把该端口划分成 这种状态。开放的端口不响应就是一个例子。没有响应也可能意味着报文过滤器丢弃 了探测报文或者它引发的任何响应。因此Nmap无法确定该端口是开放的还是被过滤的。 UDP,IP协议, FIN,Null,和Xmas扫描可能把端口归入此类。

closed|filtered(关闭或者被过滤的)
该状态用于Nmap不能确定端口是关闭的还是被过滤的。 它只可能出现在IPID Idle扫描中。
示例
#下图显示nmap的版本,进行扫描的时间,扫描花费了1.71秒
#这个主机是打开的,且在1-1000之间开放了22和80端口,用来提供ssh和http服务,其他端口都是关闭的。
[root@nginx01 ~]# nmap 192.168.88.102

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-30 06:22 CST
Nmap scan report for 192.168.88.102
Host is up (0.00016s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:D5:20:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds
#查看哪些主机在线,扫描提供服务的版本号
[root@nginx01 ~]# nmap -sV 192.168.88.102

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-30 06:30 CST
Nmap scan report for 192.168.88.102
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    nginx 1.20.1
MAC Address: 00:0C:29:D5:20:EC (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.75 seconds

#探测网络中哪些主机在线
[root@nginx01 ~]# nmap -sP 192.168.88.0/24
#查看主机上都开放了哪些端口
[root@nginx01 ~]# nmap -PS 192.168.88.1

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-29 23:03 CST
Nmap scan report for 192.168.88.1
Host is up (0.00031s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
903/tcp  open  iss-console-mgr
1688/tcp open  nsjtp-data
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 24.11 seconds
#探测目标主机操作系统
[root@nginx01 ~]# nmap -O 192.168.88.1
#扫描指定端口
[root@nginx01 ~]# nmap -p 80 192.168.88.102

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-30 06:35 CST
Nmap scan report for 192.168.88.102
Host is up (0.00035s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:D5:20:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
#探测防火墙,T4针对TCP端口禁止动态扫描延迟超过10ms
[root@nginx01 ~]# nmap -sF -T4 192.168.88.102

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-30 06:36 CST
Nmap scan report for 192.168.88.102
Host is up (0.00059s latency).
Not shown: 998 closed ports
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:D5:20:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds

以上是关于Linux学习-网络工具使用(nmap)的主要内容,如果未能解决你的问题,请参考以下文章

2017-2018-2 20179317 卿爽 《网络攻防技术》第十周学习总结

Linux学习-网络工具使用(nmap)

Linux学习-网络工具使用(nmap)

Linux下安装及简单使用nmap/zenmap

Nmap简单扫描

如何在Linux上使用Nmap安全扫描工具