nmap: a network probing tool

Introduction

nmap is an open-source network discovery tool. It can find which hosts on a network are online, test which ports a host is listening on, identify from those ports the type and version of the applications running on the host, and also detect the operating system type and version.

Basic functions

nmap has four basic functions:

(1) Host discovery

(2) Port scanning

(3) Application version detection

(4) Operating system version detection

Basic usage:

[root@master ~]# nmap -A -T4  10.0.0.53

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
|_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=4/5%OT=21%CT=1%CU=42940%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=5E896D3B%P=x86_64-redhat-linux-gnu)SEQ(SP=100%GCD=1%ISR=108%TI=Z%TS=A)S
OS:EQ(SP=100%GCD=1%ISR=108%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7
OS:%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W
OS:2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NN
OS:SNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.56 ms 10.0.0.53

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds

Explanation of the result:

-A: enables a comprehensive (aggressive) scan, i.e. OS detection, version detection, script scanning and traceroute

-T4: selects the timing template used during the scan. There are 6 levels (0-5); the higher the level, the faster the scan, but the easier it is for firewalls and intrusion detection systems to notice and block it. T4 is the usual choice.

-v: show scan details (verbose output)

From the output above, the whole scan breaks down into 5 parts:

Part 1: check whether the host is online

Part 2: scan the ports; by default nmap scans the 1000 most common ports. Since only 1 port was found, the output reads '999 closed ports'

Part 3: identify the service and version running on each port

Part 4: detect the operating system type and version

Part 5: traceroute information for the target host
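As an added example (not from the original post), a small Python parser for nmap's normal output in the format shown above: it turns the "scan report" and port lines into structured data so a defender can diff scan results against an expected asset inventory. The sample text is a trimmed, constructed copy of the output above.

```python
import re

# Constructed sample: a trimmed copy of the "nmap -A" output shown above
# (assumes nmap's default normal output, i.e. no -oX/-oG).
SAMPLE = """\
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.000059s latency).
All 1000 scanned ports on 10.0.0.226 are closed
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Return {host: {"name", "up", "ports"}} from nmap's normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # key by IP when a name is shown too
            hosts[current] = {"name": m.group(1), "up": False, "ports": []}
            continue
        if current is None:
            continue
        if line.startswith("Host is up"):
            hosts[current]["up"] = True
            continue
        m = PORT_RE.match(line)
        if m:                                    # NSE "|" lines and MAC lines are skipped
            hosts[current]["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
    return hosts

def open_ports(hosts):
    """Flatten to a sorted list of (host, "port/proto") pairs whose state is open."""
    return sorted((h, f"{p['port']}/{p['proto']}")
                  for h, info in hosts.items()
                  for p in info["ports"] if p["state"] == "open")
```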

nmap host discovery

The principle is similar to the ping command: packets are sent to the target host, and if a response comes back the target is considered online.

Syntax:

    nmap [options or arguments] target-host

Common options

Option                  Meaning
-sn                     Host discovery only; no port scan
-Pn                     Skip host discovery and treat every specified host as online, then port-scan it
-sL                     Only list the target IPs; no host discovery scan
-PS/PA/PU/PY[portlist]  Discover hosts using TCP SYN, TCP ACK, UDP or SCTP probes, e.g. -PS80,22
-PE/PP/PM               Discover hosts using ICMP echo, timestamp or netmask request packets
-PO                     Use IP protocol packets to probe whether the target host is online
-n/-R                   Whether to use DNS resolution: -n never resolves, -R always resolves

Application examples

1. Host detection only

[root@master ~]# nmap -sn 10.0.0.53

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:34 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Scanning a subnet

[root@master ~]# nmap -sn 10.0.0.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:39 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.00013s latency).
MAC Address: 00:50:56:F8:14:BA (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.000095s latency).
MAC Address: 00:50:56:E0:4C:FE (VMware)
Nmap scan report for 10.0.0.50
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds

2. Port scan only

[root@master ~]# nmap -Pn 10.0.0.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:57 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00015s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 10.0.0.53
Host is up (0.00055s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
MAC Address: 00:0C:29:8F:D5:02 (VMware)

Nmap scan report for 10.0.0.226
Host is up (0.000059s latency).
All 1000 scanned ports on 10.0.0.226 are closed
MAC Address: 00:50:56:F8:14:BA (VMware)

Nmap scan report for 10.0.0.254
Host is up (0.00013s latency).
All 1000 scanned ports on 10.0.0.254 are filtered
MAC Address: 00:50:56:E0:4C:FE (VMware)

Nmap scan report for 10.0.0.50
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 256 IP addresses (5 hosts up) scanned in 7.43 seconds

Combined with tcpdump packet capture

[root@master ~]# nmap -sn -PE -PS80,21 -PU53 www.abc.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 02:04 EDT
Nmap scan report for www.abc.com (99.84.133.98)
Host is up (0.087s latency).
Other addresses for www.abc.com (not scanned): 99.84.133.97 99.84.133.3 99.84.133.46
rDNS record for 99.84.133.98: server-99-84-133-98.nrt57.r.cloudfront.net
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

Packet capture output

[root@master ~]# tcpdump -nnn host 10.0.0.50 and host www.abc.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0

The result shows: the ICMP echo request received a reply. The probe to port 21 received an R (RST) flag, indicating that port 21 is closed; TCP port 80 also answered (SYN/ACK), indicating that port 80 is open.
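As an added example (not part of the original post), a Python routine that reads tcpdump lines like the ones above and draws the same conclusions the text does: it pairs each discovery probe nmap sent with the target's reply, treating SYN/ACK as open, RST as closed and silence as no response, and then decides whether the host counts as up. The scanner and target addresses are the ones from the capture above.

```python
import re
# Constructed sample: the tcpdump lines from the capture above (scanner 10.0.0.50, target 99.84.133.97).
CAPTURE = """\
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]+)\]")

def split_endpoint(ep):
    if ep.count(".") == 4:                # "a.b.c.d.port" -> (ip, port)
        ip, port = ep.rsplit(".", 1)
        return ip, int(port)
    return ep, None                       # bare IP (ICMP has no port)

def classify_probes(capture, scanner, target):
    """Pair each discovery probe with its reply: SYN/ACK=open, RST=closed, silence=no response."""
    result = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        (src_ip, src_port), (dst_ip, dst_port) = split_endpoint(src), split_endpoint(dst)
        flags = FLAGS_RE.search(rest)
        if src_ip == scanner and dst_ip == target:        # outbound probe
            if rest.startswith("ICMP echo request"):
                result.setdefault("icmp-echo", "no response")
            elif flags:                                    # TCP SYN probe (-PS)
                result.setdefault(f"tcp/{dst_port}", "no response")
            else:                                          # no TCP flags: UDP probe (-PU)
                result.setdefault(f"udp/{dst_port}", "no response")
        elif src_ip == target and dst_ip == scanner:      # reply from the target
            if rest.startswith("ICMP echo reply"):
                result["icmp-echo"] = "reply"
            elif flags and "S." in flags.group(1):
                result[f"tcp/{src_port}"] = "open (SYN/ACK)"
            elif flags and "R" in flags.group(1):
                result[f"tcp/{src_port}"] = "closed (RST)"
    return result

def host_is_up(result):
    """Any reply at all, even a RST from a closed port, proves the host is online."""
    return any(v != "no response" for v in result.values())
```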

Port scanning

Ports detected by nmap fall into 6 states:

open: the port is open

closed: the port is closed

filtered: the port is blocked by a firewall

unfiltered: the port is not blocked, but whether it is open still needs to be determined

open|filtered: undetermined state; the port may be open or filtered

closed|filtered: undetermined state; the port may be closed or filtered

Common options

Option                Meaning
-sS/sT/sA/sW/sM       Scan the target host using TCP SYN / Connect() / ACK / Window / Maimon scans
-sU                   Scan the state of the target host's UDP ports
-sN/sF/sX             Scan the host's TCP ports using TCP Null, FIN or Xmas scans
-p<port list>         Scan the specified ports or port ranges, e.g. -p80, -p1-100, "-p T:80-88,8080,U:53,S:9", where T means TCP, U means UDP and S means SCTP
-F                    Fast mode: scan only the 100 most common ports
--top-ports <number>  Scan only the <number> most frequently used ports
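As an added example, not from the original post, a Python parser for the -p port-list syntax in the table above (e.g. "T:80-88,8080,U:53,S:9"), useful when a scan policy has to be validated before a job runs. The rule that a protocol prefix stays in effect for the items after it is an assumption taken from the forms shown.

```python
import re

# Map the protocol prefix letters used by -p to protocol names.
PROTOS = {"T": "tcp", "U": "udp", "S": "sctp"}
# One comma-separated item: optional "T:"/"U:"/"S:" prefix, then "N" or "N-M".
ITEM_RE = re.compile(r"^(?:([TUS]):)?(\d+)(?:-(\d+))?$")


def parse_port_spec(spec, default="tcp"):
    """'T:80-88,8080,U:53,S:9' -> {'tcp': {80..88, 8080}, 'udp': {53}, 'sctp': {9}}.

    Assumption (taken from the forms in the table): a protocol prefix stays in
    effect for the items after it until another prefix appears, so 8080 is TCP.
    """
    ports = {"tcp": set(), "udp": set(), "sctp": set()}
    proto = default
    for item in spec.split(","):
        m = ITEM_RE.match(item.strip())
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        letter, lo, hi = m.groups()
        if letter:
            proto = PROTOS[letter]
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"range out of order or out of bounds: {item!r}")
        ports[proto].update(range(lo, hi + 1))
    return ports


def count_ports(spec):
    """Total number of ports a -p specification will scan across all protocols."""
    return sum(len(s) for s in parse_port_spec(spec).values())
```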

Application examples

[root@master ~]# nmap -sS -sU -F www.godaddy.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 04:52 EDT
Nmap scan report for www.godaddy.com (104.94.41.48)
Host is up (0.025s latency).
rDNS record for 104.94.41.48: a104-94-41-48.deploy.static.akamaitechnologies.com
Not shown: 100 open|filtered ports, 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 50.89 seconds


Reposted from www.cnblogs.com/zh-dream/p/12597641.html