nmap是网络扫描和主机检测的工具。
用nmap进行信息收集和检测漏洞,功能有:
检测存活主机。
检测主机开放端口(端口发现或枚举)。
检测端口对应的软件和版本。
检测操作系统类型、版本,硬件地址和软件版本。
检测脆弱性的漏洞。
nmap用不同的技术来扫描,有TCP的connect,TCP的反向ident,FTP的反弹扫描。
nmap要通过不同的扫描方式来绕过防火墙和IPS/IDS的防护,获取主机的正确信息。
nmap安装
Mac安装nmap
brew install nmap
举例:
<1>扫描指定单机的IP:
nmap 192.168.3.3
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-08 20:14 PDT
Nmap scan report for 192.168.3.3
Host is up (0.0084s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
912/tcp open apex-mesh
5357/tcp open wsdapi
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 15.94 seconds
<2>查看指定端口是否开启:
nmap -n --open -p 1008 192.168.3.3/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-08 20:19 PDT
Nmap scan report for 192.168.3.3 Host is up (0.0040s latency).
PORT STATE SERVICE
1008/tcp open ufsd
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.99 seconds
nmap使用
命令行:(显示扫描过程 -v )
扫描单个主机
#nmap www.hostName.com
C:\Users\YOONA>nmap 108.61.87.202
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:29 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.37s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 256.57 seconds#nmap ipAddress
C:\Users\YOONA>nmap 108.61.87.202
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:29 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.37s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 256.57 seconds扫描整个ip段(子网)
#nmap 192.168.1.1/24 //表示当前ip下的24位掩码主机都要扫描,从192.168.1.1到192.168.1.254
C:\Users\YOONA>nmap 108.61.87.202/24Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:37 ?D1ú±ê×?ê±??
Warning: 108.61.87.27 giving up on port because retransmission cap hit (10).
Stats: 0:32:27 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
#nmap 192.168.0.* //可以用*通配符代表范围内的所有主机
[root@vultr ~]# nmap 108.61.87.*
Starting Nmap 5.51 ( http://nmap.org ) at 2018-07-04 15:01 CST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.62, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.62:1503 S ttl=57 id=46459 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.34, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.34:34571 S ttl=45 id=57342 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.39, 16) => Operation not permitted扫描多个目标
#nmap 192.168.1.1 192.168.5.6 //加空格分隔,写第二个ipAddress
C:\Users\YOONA>nmap 108.61.87.202 108.61.87.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:39 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Host is up (0.32s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap done: 2 IP addresses (2 hosts up) scanned in 77.69 seconds使用IP地址的最后一个字节扫描多台服务器
#nmap 192.168.0.101,102,103
[root@vultr ~]# nmap 108.61.87.202,203,204
Starting Nmap 5.51 ( http://nmap.org ) at 2018-07-04 15:00 CST
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap scan report for 108.61.87.204.vultr.com (108.61.87.204)
Host is up (0.033s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: FE:00:01:89:5E:E9 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.07 seconds扫描一个范围内的目标
#nmap 192.168.1.1-100 //表示扫描192.168.1.1开始的100台主机
把多个ip导出为一个ip地址表,.txt文件,通过nmap扫描文件内地所有主机
#nmap -iL target.txt
如果想在扫描的过程看到扫描的主机列表,用
#nmap -sL 192.168.1.1/24
C:\Users\YOONA>nmap -sL 108.61.87.202/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:12 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.0.vultr.com (108.61.87.0)
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Nmap scan report for 108.61.87.2.vultr.com (108.61.87.2)
Nmap scan report for 108.61.87.3.vultr.com (108.61.87.3)
Nmap scan report for 108.61.87.4.vultr.com (108.61.87.4)
Nmap scan report for mon.kay.sh (108.61.87.5)
Nmap scan report for 108.61.87.6.vultr.com (108.61.87.6)
Nmap scan report for mx1.sayprepay.com (108.61.87.7)扫描除某个ip外的所有子网ip
#nmap 192.168.1.1/24 -e xclude 192.168.1.1
扫描除某一文件中的ip外的所有子网IP
#nmap 192.168.1.1/24 -e xclude file xx.txt
扫描特定主机上的某些端口
#nmap -p21,22,23,80,443 192.168.1.1
C:\Users\YOONA>nmap -p21,22,23,80,443 111.13.100.92
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:15 ?D1ú±ê×?ê±??
Nmap scan report for 111.13.100.92
Host is up (0.17s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 24.62 seconds--------------------------------------------------------------以上为nmap最常用的基础命令
现在探讨一下nmap的扫描技术
1.Tcp SYN Scan (sS) 不会在目标主机产生日志信息
SYN攻击的原理:
https://baike.baidu.com/item/SYN%E6%94%BB%E5%87%BB/14762413?fr=aladdin通过TCP的SYN包获取主机信息
#nmap -sS 192.168.1.1 //命令参数的含义是:#nmap -scanSYN 192.168.1.1
如果不指定扫描类型,默认为TCP SYN,但需要扫描主机的root/administrator权限。
2.TCP connect() scan(sT)
但如果没有指定扫描类型,也没有管理员权限,默认扫描类型为TCP connect() scan(sT),tcp connect()扫描需要完成三次握手,并且要调用系统的connect()。tcp connect()扫描只适用于找出TCP和UDP端口。
#nmap -sT192.168.1.1 //命令参数的含义是:#nmap -scanTCP 192.168.1.1
C:\Users\YOONA>nmap -sT 108.61.87.7
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:34 ?D1ú±ê×?ê±??
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Host is up (0.32s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 237.92 seconds3.Udp san(sU)
用来扫描主机打开的UDP端口,她不会发送syn包,通过发送udp数据包到目标主机,等待目标主机响应,返回ICMP不可达,代表端口关闭。
#nmap -sU 192.168.1.1 //命令参数的含义是:#nmap -scanUDP 192.168.1.1
C:\Users\YOONA>nmap -sU 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:12 ?D1ú±ê×?ê±??
Initiating Ping Scan at 11:12
Scanning 108.61.87.7 [4 ports]
Completed Ping Scan at 11:12, 3.55s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:12
Completed Parallel DNS resolution of 1 host. at 11:12, 6.17s elapsed
Initiating UDP Scan at 11:12
Scanning mx1.sayprepay.com (108.61.87.7) [1000 ports]
Increasing send delay for 108.61.87.7 from 0 to 50 due to max_successful_tryno increase to 44.FIN scan(sF) 不会在目标主机产生日志信息
如果TCP SYN被防火墙拦截,用FIN标志的数据包获取主机信息。(FIN重置位,用来代表断开连
接)
#nmap -sF 192.168.1.1 //命令参数的含义是:#nmap -scanFIN 192.168.1.1
C:\Users\YOONA>nmap -sF 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:15 ?D1ú±ê×?ê±??
Initiating Ping Scan at 11:15
Scanning 108.61.87.7 [4 ports]
Completed Ping Scan at 11:15, 3.57s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:155.PING Scan (sP)
ping扫描只是判断主机是否存活在网络中。
#nmap -sP 192.168.1.1
C:\Users\YOONA>nmap -sP 108.61.87.1/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 10:29 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.0.vultr.com (108.61.87.0)
Host is up (0.29s latency).
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Host is up (0.41s latency).
Nmap scan report for 108.61.87.2.vultr.com (108.61.87.2)
Host is up (0.31s latency).
Nmap scan report for 108.61.87.4.vultr.com (108.61.87.4)
Host is up (0.40s latency).
Nmap scan report for mon.kay.sh (108.61.87.5)
Host is up (0.40s latency).
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Host is up (0.40s latency).6.版本检测(sV)
扫描目标主机的端口上运行的软件版本,它不是用于扫描目标主机开放的端口,但需要从开放的端口获取信息来判断软件的版本,所以需要先进行端口扫描。
#nmap -sV 192.168.1.1
C:\Users\YOONA>nmap -sV 111.13.100.92
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:08 ?D1ú±ê×?ê±??
Nmap scan report for 111.13.100.92
Host is up (0.11s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.11 seconds7.ldle scan (sL)
伪装一个主机的ip发送扫描数据包。
#nmap -sL 192.168.1.7 192.168.1.1
C:\Users\YOONA>nmap -sL 108.61.87.1 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:16 ?D1ú±ê×?ê±??
Initiating Parallel DNS resolution of 2 hosts. at 11:16
Completed Parallel DNS resolution of 2 hosts. at 11:16, 6.75s elapsed
Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Nmap scan report for mx1.sayprepay.com (108.61.87.7)
Nmap done: 2 IP addresses (0 hosts up) scanned in 20.39 seconds------------------------------------------------------------以上为常用的扫描方式
还有的扫描技术有,FTP bounce(FTP 反弹),fragmentation scan(碎片扫描),IP protocol scan(IP协议扫描)
8.扫描操作系统信息和路由跟踪
#nmap -A 192.168.1.1 //检测目标主机系统信息和路由信息
9.OS检测(O)
检测目标主机操作系统和软件。
#nmap -O 192.168.1.1
C:\Users\YOONA>nmap -O 108.61.87.1 108.61.87.7 -v
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 11:17 ?D1ú±ê×?ê±??
Initiating Ping Scan at 11:17
Scanning 2 hosts [4 ports/host]
Completed Ping Scan at 11:17, 3.59s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 11:17
Completed Parallel DNS resolution of 2 hosts. at 11:18, 5.56s elapsed
Initiating SYN Stealth Scan at 11:18
Scanning 2 hosts [1000 ports/host]
Discovered open port 995/tcp on 108.61.87.7
Discovered open port 80/tcp on 108.61.87.7
Discovered open port 993/tcp on 108.61.87.7
Discovered open port 443/tcp on 108.61.87.7
Discovered open port 25/tcp on 108.61.87.7
Discovered open port 80/tcp on 108.61.87.1
Discovered open port 143/tcp on 108.61.87.7
Discovered open port 110/tcp on 108.61.87.7
Discovered open port 587/tcp on 108.61.87.7
Discovered open port 22/tcp on 108.61.87.1
SYN Stealth Scan Timing: About 24.20% done; ETC: 11:20 (0:01:37 remaining)
SYN Stealth Scan Timing: About 32.99% done; ETC: 11:21 (0:02:04 remaining)
SYN Stealth Scan Timing: About 45.62% done; ETC: 11:21 (0:01:48 remaining)
SYN Stealth Scan Timing: About 64.88% done; ETC: 11:23 (0:01:48 remaining)
SYN Stealth Scan Timing: About 71.54% done; ETC: 11:23 (0:01:31 remaining)
Stats: 0:04:17 elapsed; 0 hosts completed (2 up), 2 undergoing SYN Stealth ScanNmap的操作系统指纹识别技术:
设备类型(路由器,工作组等)
运行(运行的操作系统)
操作系统的详细信息(操作系统的名称和版本)
网络距离(目标和攻击者之间的距离跳)
10.如果远程主机有防火墙,IDS和IPS系统,你可以使用-PN命令来确保不ping远程主机。
# nmap -O -PN 192.168.1.1/24
Nmap的操作系统检测的基础是有开放和关闭的端口,如果OS scan无法检测到至少一个开放或者关闭的端口,会返回以下错误:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS Scan的结果是不可靠的,因为没有发现至少一个开放或者关闭的端口.
11.想好通过Nmap准确的检测到远程操作系统是比较困难的,需要使用到Nmap的猜测功能选项, –osscan-guess 猜测认为最接近目标的匹配操作系统类型。
# nmap -O –osscan-guess 192.168.1.1 //命令参数的含义是: nmap -OS -os扫描 -猜测 ip地址
12.扫描主机侦测防火墙
#nmap -sA 192.168.1.1
13.扫描主机是否有防火墙保护
#nmap -PN 192.168.1.1
14.快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其他的端口。
#nmap -F 192.168.1.1
15.查看nmap版本 -V
#nmap -V
16.顺序扫描端口
#nmap -r 192.168.1.1
17.打印本地主机接口和路由
nmap --iflist
18.扫描特定的端口,默认情况下nmap之扫描TCP端口
#nmap -p 80 www.baidu.com
19.扫描TCP端口
#nmap -p T:8888,80 www.baidu.com
20.扫描指定范围内的端口
#nmap -p 80-160 192.168.0.101
21.PA(TCP ACK) PS(TCP SYN)
22.TCP空扫描
#nmap -sN 192.168.1.1