Nmap命令的常用实例
Posted LyShark
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Nmap命令的常用实例相关的知识,希望对你有一定的参考价值。
一、Nmap简介
- 192.168.0.100 – server1.tecmint.com
- 192.168.0.101 – server2.tecmint.com
Nmap语法:
nmap [Scan Type(s)] [Options] {target specification}
二、Nmap常用操作
1:批量ping扫描
[root@localhost ~]# nmap -sP 192.168.1.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST Nmap scan report for192.168.1.1 Host is up (0.0043s latency). Nmap scan report for 192.168.1.2 Host is up (0.0040s latency). Nmap scan report for 192.168.1.3 Host is up (0.0036s latency). Nmap scan report for 192.168.1.4 Host is up (0.0042s latency). Nmap scan report for 192.168.1.5
2:仅列出指定网络上的每台主机,不发送任何报文到目标主机(隐蔽探测)
[root@localhost ~]# nmap -sL 192.168.1.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST Nmap scan report for 192.168.1.0 Nmap scan report for 192.168.1.1 Nmap scan report for 192.168.1.2 Nmap scan report for 192.168.1.3
3:探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)
[root@localhost ~]# nmap -PS 220.181.111.188 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST Nmap scan report for 220.181.111.188 Host is up (0.0043s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds
4:使用UDP ping探测主机
[root@localhost ~]# nmap -PU 192.168.1.1 [root@localhost ~]# nmap -PU 192.168.1.0/24
5:使用SYN半开放扫描
[root@localhost ~]# nmap -sS 220.181.111.188 [root@localhost ~]# nmap -sS 220.181.111.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST Nmap scan report for 220.181.111.188 Host is up (0.0048s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 4.56 seconds
6:使用TCP扫描
[root@localhost ~]# nmap -sT 220.181.111.188 [root@localhost ~]# nmap -sT 220.181.111.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST Nmap scan report for 220.181.111.188 Host is up (0.0044s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 4.24 seconds
7:使用UDP扫描
[root@localhost ~]# nmap -sU 220.181.111.188 [root@localhost ~]# nmap -sU 220.181.111.0/24 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST Nmap scan report for 220.181.111.188 Host is up (0.0039s latency). Not shown: 999 open|filtered ports PORT STATE SERVICE 161/udp filtered snmp Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
8:探测目标主机支持哪些IP协议
[root@localhost ~]# nmap -sO 220.181.111.188 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST Nmap scan report for 220.181.111.188 Host is up (0.0054s latency). Not shown: 255 open|filtered protocols PROTOCOL STATE SERVICE 1 open icmp Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
9:探测目标主机操作系统
[root@localhost ~]# nmap -O 220.181.111.188 [root@localhost ~]# nmap -A 220.181.111.188 Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST Nmap scan report for 220.181.111.188 Host is up (0.0050s latency). Not shown: 998 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: switch Running (JUST GUESSING): HP embedded (86%) OS CPE: cpe:/h:hp:procurve_switch_4000m Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%) No exact OS matches for host (test conditions non-ideal). OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
10:用主机名和IP地址扫描系统
Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。
a)用主机名扫描系统
[root@server1 ~]# nmap server2.tecmint.com Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds You have new mail in /var/spool/mail/root
b)用IP地址扫描系统
[root@server1 ~]# nmap 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 958/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds You have new mail in /var/spool/mail/root
11:扫描时使用-v选项
可以看到下面的命令使用“ -v “选项后给出了远程机器更详细的信息。
[root@server1 ~]# nmap -v server2.tecmint.com Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43 The ARP Ping Scan took 0.01s to scan 1 total hosts. Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43 Discovered open port 22/tcp on 192.168.0.101 Discovered open port 80/tcp on 192.168.0.101 Discovered open port 8888/tcp on 192.168.0.101 Discovered open port 111/tcp on 192.168.0.101 Discovered open port 3306/tcp on 192.168.0.101 Discovered open port 957/tcp on 192.168.0.101 The SYN Stealth Scan took 0.30s to scan 1680 total ports. Host server2.tecmint.com (192.168.0.101) appears to be up ... good. Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
12:扫描多台主机
简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。
[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds
13:扫描整个子网
使用*通配符来扫描整个子网或某个范围的IP地址。
[root@server1 ~]# nmap 192.168.0.* Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST Interesting ports on server1.tecmint.com (192.168.0.100): Not shown: 1677 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 851/tcp open unknown Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
14:使用IP地址的最后一个字节扫描多台服务器
简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。
[root@server1 ~]# nmap 192.168.0.101,102,103 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
15:从一个文件中扫描主机列表
如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。
创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。
[root@server1 ~]# cat > nmaptest.txt localhost server2.tecmint.com 192.168.0.101
接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址
[root@server1 ~]# nmap -iL nmaptest.txt Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST Interesting ports on localhost.localdomain (127.0.0.1): Not shown: 1675 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind 631/tcp open ipp 857/tcp open unknown Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 958/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 958/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds
16:扫描一个IP地址范围
扫描一个IP地址范围
[root@server1 ~]# nmap 192.168.0.101-110 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds
17:排除一些远程主机后再扫描
在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。
[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
18:扫描操作系统信息和路由跟踪
使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。
[root@server1 ~]# nmap -A 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 80/tcp open http Apache httpd 2.2.3 ((CentOS)) 111/tcp open rpcbind 2 (rpc #100000) 957/tcp open status 1 (rpc #100024) 3306/tcp open mysql MySQL (unauthorized) 8888/tcp open http lighttpd 1.4.32 MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027) TSeq(Class=TR%IPID=Z%TS=1000HZ) T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW) T2(Resp=N) T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW) T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=) T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=) T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=) PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) Uptime 0.169 days (since Mon Nov 11 12:22:15 2013) Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds
从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。
19:启用Nmap的操作系统探测功能
使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。
[root@server1 ~]# nmap -O server2.tecmint.com Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027) TSeq(Class=TR%IPID=Z%TS=1000HZ) T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW) T2(Resp=N) T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW) T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS R%Ops=) T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=) T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=) PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) Uptime 0.221 days (since Mon Nov 11 12:22:16 2013) Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
20:扫描主机并侦测防火墙
扫描远程主机以探测该主机是否使用了包过滤器或防火墙。
[root@server1 ~]# nmap -sA 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
21:扫描主机检测是否有防火墙保护
扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
[root@server1 ~]# nmap -PN 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds
22:找出网络中的在线主机
使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。
[root@server1 ~]# nmap -sP 192.168.0.* Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST Host server1.tecmint.com (192.168.0.100) appears to be up. Host server2.tecmint.com (192.168.0.101) appears to be up. MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds
23:执行快速扫面
你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。
[root@server1 ~]# nmap -F 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1234 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds
24:顺序扫描端口
使用“-r”选项表示不会随机的选择端口扫描。
[root@server1 ~]# nmap -r 192.168.0.101 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds
25:打印主机接口和路由
你可以使用nmap的“–iflist”选项检测主机接口和路由信息。
[root@server1 ~]# nmap --iflist Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST ************************INTERFACES************************ DEV (SHORT) IP/MASK TYPE UP MAC lo (lo) 127.0.0.1/8 loopback up eth0 (eth0) 192.168.0.100/24 ethernet up 08:00:27:11:C7:89 **************************ROUTES************************** DST/MASK DEV GATEWAY 192.168.0.0/0 eth0 169.254.0.0/0 eth0
从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。
26:扫描特定的端口
使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。
[root@server1 ~]# nmap -p 80 server2.tecmint.com Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST Interesting ports on server2.tecmint.com (192.168.0.101): PORT STATE SERVICE 80/tcp open http MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) sca
26:扫描TCP端口
指定具体的端口类型和端口号来让nmap扫描
以上是关于Nmap命令的常用实例的主要内容,如果未能解决你的问题,请参考以下文章