Reprinted from: http://drops.xmd5.com/static/drops/tips-4333.html
0x00: Description
This is just a quick reference; no theory is included. Feel free to add the parameters you use most often in the comments. O(∩_∩)O
0x01: What nmap can do
1. Host discovery (which hosts are up)
2. Port scanning
3. Service identification
4. Operating system detection
5. Hardware (MAC) address detection
6. Service version detection
7. Vulnerability scanning with the NSE scripts that ship with nmap
0x02: Simple example
Ping sweep of the 10.0.0.0/24 segment (host discovery only, no port scan). -sP is the legacy spelling of -sn; on a directly attached Ethernet segment nmap uses ARP requests for this rather than ICMP, so hosts that drop ping are still found.
#!bash
nmap -sP 10.0.0.0/24
SYN scan of all 65535 TCP ports, with version detection (-sV) run against every port found open, under the aggressive (4) timing template.
#!bash
nmap -p1-65535 -sV -sS -T4 target
PS: -T selects a bundle of timing controls (probe delays, parallelism, retransmission and host timeouts, etc.). The templates are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5); man nmap gives the exact values.
SYN scan with -A (OS detection, version detection, the default script set and traceroute) under the aggressive (4) timing template; -v makes the output more verbose.
#!bash
nmap -v -sS -A -T4 target
The same with the insane (5) timing template. -T5 assumes a fast, reliable network; on slow or lossy links it sacrifices accuracy and may miss ports.
#!bash
nmap -v -sS -A -T5 target
SYN scan with version detection (-sV) and OS detection (-O) under the insane (5) timing template, verbose output. Unlike -A this runs neither the default scripts nor traceroute.
#!bash
nmap -v -sV -O -sS -T5 target
SYN scan of all 65535 TCP ports with version detection and OS detection under the aggressive (4) timing template, verbose output (again without scripts or traceroute, since -A is not used).
#!bash
nmap -v -p 1-65535 -sV -O -sS -T4 target
The same with the insane (5) timing template.
#!bash
nmap -v -p 1-65535 -sV -O -sS -T5 target
Read the targets to scan from a file (one hostname, IP or network per line)
#!bash
nmap -iL ip-address.txt
Nmap output formats
Print the results to the screen as usual and also save a grepable copy in grep-output.txt
#!bash
nmap -sV -p 139,445 -oG grep-output.txt 10.0.1.0/24
Convert the results to HTML. --webxml makes the XML reference the stylesheet hosted on nmap.org, and xsltproc reads the XML from stdin (the trailing -) and applies that stylesheet, so this needs network access. To convert offline, point --stylesheet at the nmap.xsl that ships with nmap (in nmap's data directory, typically /usr/share/nmap/nmap.xsl) instead of using --webxml.
#!bash
nmap -sS -sV -T5 10.0.1.99 --webxml -oX - | xsltproc --output file.html -
Nmap and NetBIOS
Find hosts in a subnet with the NetBIOS/SMB ports open
#!bash
nmap -sV -v -p139,445 10.0.0.1/24
Query the NetBIOS name of a host (UDP 137)
#!bash
nmap -sU --script nbstat.nse -p 137 target
Scan the target and check for known SMB vulnerabilities at the same time. unsafe=1 enables checks that can crash the target service, so only use it where that is acceptable. Note that smb-check-vulns.nse was removed from later Nmap releases and split into the individual smb-vuln-* scripts (smb-vuln-ms08-067, smb-vuln-conficker, smb-vuln-regsvc-dos, smb-vuln-cve2009-3103, smb-vuln-ms07-029, ...); on a current release use --script smb-vuln-* instead.
#!bash
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 target
Pipe the grepable results for port 80 into nikto; nikto -h - reads its host list from stdin and understands nmap's -oG format.
#!bash
nmap -p80 10.0.1.0/24 -oG - | nikto.pl -h -
The same for ports 80 and 443
#!bash
nmap -p80,443 10.0.1.0/24 -oG - | nikto.pl -h -
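As an added example that is not part of the original article, the script below shows what the grepable (-oG) output actually looks like and how to pull "host port" pairs for the open ports out of it with awk, which is the same job nikto does internally when it is fed nmap output. The sample output is constructed for this example (every address, hostname and banner in it is invented), and the open_ports function is mine, not an nmap or nikto feature.

```sh
#!/bin/sh
# Added example (not part of the original article): parse nmap's grepable
# (-oG) output into "ip port/proto" pairs for the open ports, so the result
# can be handed to another tool the way the pipeline into nikto does.
# The sample below is constructed; every IP, hostname and banner is invented.

sample_grepable() {
    # Two hosts from a "nmap -sV -p80,443,445 -oG - 10.0.1.0/24" style run.
    # -oG separates the fields of a line with tabs, hence printf with \t.
    printf '%s\n' '# Nmap 6.47 scan initiated Thu Dec 11 21:26:00 2014 as: nmap -sV -p80,443,445 -oG - 10.0.1.0/24'
    printf 'Host: 10.0.1.12 (nas.decepticons)\tStatus: Up\n'
    printf 'Host: 10.0.1.12 (nas.decepticons)\tPorts: 80/open/tcp//http//nginx 1.4.6/, 443/closed/tcp//https///, 445/open/tcp//netbios-ssn//Samba smbd 3.X (workgroup: MEGATRON)/\tIgnored State: filtered (1)\n'
    printf 'Host: 10.0.1.1 (ie6winxp.decepticons)\tStatus: Up\n'
    printf 'Host: 10.0.1.1 (ie6winxp.decepticons)\tPorts: 80/closed/tcp//http///, 443/closed/tcp//https///, 445/open/tcp//microsoft-ds///\n'
    printf '%s\n' '# Nmap done at Thu Dec 11 21:26:28 2014 -- 256 IP addresses (2 hosts up) scanned in 28.74 seconds'
}

# open_ports [port,port,...]
# Reads -oG output on stdin and prints "ip port/proto" for every port whose
# state is open. With a port list only those ports are reported; without
# one, every open port is.
open_ports() {
    awk -v want="${1:-}" '
        BEGIN {
            n = split(want, list, ",")
            for (i = 1; i <= n; i++) keep[list[i]] = 1
        }
        /^Host: / && /\tPorts: / {
            ip = $2                      # second whitespace-separated token is the IP
            s = $0
            sub(/^.*\tPorts: /, "", s)   # keep the Ports field ...
            sub(/\t.*$/, "", s)          # ... and drop any field that follows it
            m = split(s, ports, ", ")    # one entry per port
            for (i = 1; i <= m; i++) {
                # entry layout: port/state/proto/owner/service/rpc/version
                split(ports[i], f, "/")
                if (f[2] == "open" && (n == 0 || (f[1] in keep)))
                    print ip, f[1] "/" f[3]
            }
        }'
}

# Targets for a web scanner and for the SMB checks, respectively.
web_targets() { sample_grepable | open_ports 80,443; }
smb_targets() { sample_grepable | open_ports 445; }

# Against a live network the pipeline would be:
#   nmap -p80,443 -oG - 10.0.1.0/24 | open_ports 80,443
web_targets
smb_targets
```

The parser keys on the tab-separated "Ports:" field rather than on column positions because the version column can itself contain spaces, commas and slashes (see the Samba banner above); splitting on ", " and then "/" is what the -oG format guarantees.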
0x03: Nmap parameters in detail
Target specification: nmap accepts hostnames, IPs, CIDR networks and octet ranges
For example: blah.highon.coffee, nmap.org/24, 192.168.0.1, 10.0.0-25.1-254
#!bash
-iL filename   read the targets from a file; entries may be hostnames, IPs or networks
-iR hostnum   pick hostnum random targets; -iR 0 scans indefinitely
--exclude host1[,host2]   hosts to leave out of the scan
--excludefile exclude_file   exclude the hosts listed in the file (same format as the -iL file)
Host discovery
#!bash
-sL   list scan: only list the targets (with reverse DNS lookups), send nothing to them
-sn   ping scan: host discovery only, no port scan
-Pn   skip host discovery and treat every target as up
-PS/PA/PU/PY[portlist]   TCP SYN / TCP ACK / UDP / SCTP INIT ping
-PE/PP/PM   ICMP echo, timestamp and netmask request probes
-PO[protocol list]   IP protocol ping
-n/-R   never / always do reverse DNS resolution
Scan techniques
#!bash
-sS/sT/sA/sW/sM   TCP SYN / TCP connect() / ACK / TCP window / TCP Maimon scans
-sU   UDP scan
-sN/sF/sX   TCP Null, FIN and Xmas scans
--scanflags   set custom TCP flags
-sI zombie host[:probeport]   idle scan
-sY/sZ   SCTP INIT / COOKIE-ECHO scans
-sO   IP protocol scan: determine which IP protocols the target supports
-b "FTP relay host"   FTP bounce scan
Port specification and scan order
#!bash
-p   specific ports, e.g. -p80,443 or -p1-65535
-p U:PORT   a UDP port, e.g. -p U:53 (T: for TCP, S: for SCTP)
-F   fast mode: scan the 100 most common ports instead of the default 1000
-r   scan ports sequentially instead of in random order (the default)
--top-ports "number"   scan the number most common ports, by the frequencies in the nmap-services file (on Ubuntu under /usr/share/nmap/); by default nmap scans the top 1000
--port-ratio "ratio"   scan the ports whose frequency is above ratio
Service version detection
#!bash
-sV   enable version detection; -A turns on OS detection and version detection together
--version-intensity "level"   0 to 9; the level decides which probes are sent, and higher levels identify more services but take longer. Default is 7
--version-light   light mode, alias for --version-intensity 2
--version-all   try every probe, alias for --version-intensity 9
--version-trace   show detailed version detection activity
Script scan
#!bash
-sC   run the default script set against the services identified
--script="Lua scripts"   scripts, categories or expressions to run
--script-args=n1=v1,[n2=v2]   arguments passed to the scripts
--script-args-file=filename   read the script arguments from a file
--script-trace   show all data sent and received by scripts
--script-updatedb   update the script database
--script-help="Lua script"   show help for the named scripts
OS detection
#!bash
-O   enable OS detection; -A turns on OS detection and version detection together
--osscan-limit   only run OS detection against hosts with at least one open and one closed TCP port
--osscan-guess   guess more aggressively when there is no exact match; by default nmap only offers near matches that are very close
Firewall/IDS evasion and spoofing
#!bash
-f; --mtu value   fragment packets; set the fragment size (MTU)
-D decoy1,decoy2,ME   cloak the scan with decoys
-S IP-ADDRESS   spoof the source address
-e interface   use the specified interface
-g/--source-port PORTNUM   use the given source port
--proxies url1,[url2],...   relay connections through HTTP or SOCKS4 proxies
--data-length NUM   append NUM bytes of random data to the packets sent
--ip-options OPTIONS   send packets with the specified IP options
--ttl VALUE   set the IP time-to-live field
--spoof-mac ADDR/PREFIX/VENDOR   spoof the MAC address
--badsum   send packets with a bogus TCP/UDP/SCTP checksum
Nmap output
#!bash
-oN   normal output written to the given file
-oX   XML output
-oS   "script kiddie" output (normal output with l33t-speak substitutions; for amusement only)
-oG   grepable output, easy to process with grep, bash or perl (not XML)
-oA BASENAME   write normal, XML and grepable output at once, as BASENAME.nmap, .xml and .gnmap
-v   increase verbosity
-d level   set the debugging level, up to 9
--reason   show why each port is in the reported state
--open   only show open (or possibly open) ports
--packet-trace   show all packets sent and received
--iflist   print interfaces and routes, for debugging
--log-errors   log errors and warnings to the normal-format output file as well as the screen
--append-output   append to the specified output files instead of overwriting them
--resume FILENAME   resume an aborted scan from its normal or grepable output file
--stylesheet PATH/URL   XSL stylesheet used to transform the XML output
--webxml   reference the stylesheet on nmap.org, for more portable XML
--no-stylesheet   don't associate a stylesheet with the XML output
Other nmap options
#!bash
-6   enable IPv6 scanning
-A   OS detection, version detection, script scanning and traceroute
--datadir DIRNAME   specify a custom location for Nmap's data files
--send-eth / --send-ip   send using raw Ethernet frames / raw IP packets
--privileged   assume the user is fully privileged
--unprivileged   assume the user lacks raw socket privileges (raw sockets need root)
-V   print the version number
-h   print the help summary
0x04: Example
NetBIOS/SMB detection across a whole subnet
#!bash
nmap -sV -v -p 139,445 10.0.1.0/24
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MEGATRON)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
Find the NetBIOS name
#!bash
nmap -sU --script nbstat.nse -p 137 10.0.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-11 21:26 GMT
Nmap scan report for nas.decepticons 10.0.1.12
Host is up (0.014s latency).
PORT STATE SERVICE VERSION
137/udp open netbios-ns
Host script results:
|_nbstat: NetBIOS name: STARSCREAM, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
Nmap done: 256 IP addresses (1 hosts up) scanned in 28.74 seconds
If SMB is exposed, check it for known vulnerabilities (smb-check-vulns.nse was removed from later Nmap releases; use the smb-vuln-* scripts there, and remember that unsafe=1 enables checks that can crash the target)
#!bash
nmap --script-args=unsafe=1 --script smb-check-vulns.nse -p 445 10.0.1.1
Nmap scan report for ie6winxp.decepticons (10.0.1.1)
Host is up (0.00026s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
The scan shows the host is vulnerable to MS08-067.
0x05: References
Original
http://highon.coffee/docs/nmap/
The complete usage manual on the Nmap website
https://svn.nmap.org/nmap/docs/nmap.usage.txt
Nmap official Chinese manual
http://nmap.org/man/zh/
A well-written Chinese-language article on Nmap
http://blog.csdn.net/aspirationflow/article/details/7694274