Nmap usage tutorial with screenshots (super detailed)


You can use the nmap command directly from the Kali command line: open a "terminal", type nmap and press Enter. The Nmap version is printed, which shows that nmap is available.


Nmap has four basic functions: "port scanning", "host detection", "service identification" and "system identification".


1. Port scanning

Scan the "open ports" of a host by putting the host IP directly after nmap (1000 ports are scanned by default).

nmap 192.168.31.180

From the scan output: 1000 ports were scanned in 1.58 seconds, 991 of them are closed, and the 9 ports listed in the result are open.

1. Specify the port

To scan "specified ports", use the -p parameter; you can scan a single port, several ports, or a range of ports.

nmap 192.168.31.180 -p 80
nmap 192.168.31.180 -p 1-80
nmap 192.168.31.180 -p 80,3389,22,21
nmap 192.168.31.180 -p 1-65535
nmap 192.168.31.180 -p-		# -p- is equivalent to -p 1-65535
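The port forms above (single port, comma list, range, and the bare "-" of -p-) are a small grammar that any scanner wrapper has to validate before it builds a command line. The following is an added example, not code from the original post or from Nmap itself; it expands such a specification into the ports it covers and also accepts the half-open ranges Nmap allows ("-80" means 1-80, "1000-" means 1000-65535), rejecting anything outside 0-65535 or a range whose start is above its end.

```python
"""Expand an Nmap-style -p port specification into the ports it covers.

Added example; not code from the original post or from Nmap. Handles the forms
used in the tutorial (single port, comma list, range, bare "-") plus the
half-open ranges Nmap also accepts, and validates the result.
"""
from typing import List

MAX_PORT = 65535

def expand_port_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated list of ports selected by spec."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty port specification")
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port list (double comma?)")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1           # missing start: Nmap assumes 1
            hi = int(hi_s) if hi_s else MAX_PORT    # missing end: Nmap assumes 65535
        else:
            lo = hi = int(item)                     # non-numeric text raises ValueError here
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def is_valid_port_spec(spec: str) -> bool:
    """True if spec parses cleanly; check this before passing user input to a scan wrapper."""
    try:
        expand_port_spec(spec)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for s in ("80", "1-80", "80,3389,22,21", "-", "1000-", "80-1"):
        if is_valid_port_spec(s):
            ports = expand_port_spec(s)
            print(f"{s!r:18} -> {len(ports)} port(s), first {ports[0]}, last {ports[-1]}")
        else:
            print(f"{s!r:18} -> rejected")
```

Duplicates are collapsed, so "22,20-23" yields four ports, which matches how Nmap treats an overlapping list.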


2. Specify the scanning method

We use "wireshark" in Kali to capture the packets sent by the different scanning methods and see how they differ.

Click the menu in the upper-left corner of Kali, type wireshark and open it, then select the network interface to capture on (eth0 in my case).


Enter the filter expression ip.addr == 192.168.31.180 and tcp.port == 80, then click the arrow to apply it.

This filter keeps only packets whose IP address (source or destination) is 192.168.31.180 and whose TCP port is 80.

With the filter in place, run the scan command on the command line and then inspect the captured packets in "wireshark".


2.1 TCP full connection scan

Use the -sT parameter to perform a TCP full connection scan.

"Full connection scan" uses a complete three-way handshake to establish a connection. If the connection can be established, the port is determined to be open; otherwise it is determined to be closed.

nmap 192.168.31.180 -p 80 -sT

1) If the port is open, a complete three-way handshake is performed and the connection is established successfully. In the scan result, the STATE field shows open.


2) If the port is closed, only the first handshake packet is sent and the connection cannot be established. In the scan result, the STATE field shows closed.


2.2 SYN half-open scan

Use the -sS parameter for a SYN half-open scan.

"Half-open scanning" performs only the first two steps of the handshake: if the target replies with an acknowledgment (ACK=1), the port is determined to be open; otherwise it is determined to be closed.

nmap 192.168.31.180 -p 80 -sS

1) If the port is open, two handshake packets are exchanged. In the scan result, the STATE field shows open.


2) If the port is closed, only the first handshake packet is sent. In the scan result, the STATE field shows closed.


2.3 Stealth scan

Stealth scans are only applicable to Linux target systems.

"Stealth scan" sends a TCP FIN packet, Xmas tree packet or Null packet to a port of the target host. If an RST reply is received, the port is determined to be closed; otherwise it is determined to be open or filtered (open|filtered).

nmap 127.0.0.1 -p 80 -sF	# FIN scan
nmap 127.0.0.1 -p 80 -sN	# Null scan (TCP packet with all flags set to 0)
nmap 127.0.0.1 -p 80 -sX	# Xmas scan (packet with the FIN, URG and PSH flags all set)
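Sections 2.1 to 2.3 describe how the STATE column is derived from what the target sends back, and why FIN/NULL/Xmas scans are only meaningful against Linux-style targets. The block below is an added example, not code from the original post or from Nmap; it models two toy target stacks (one following RFC 793, as Linux/Unix do, and a Windows-style one that answers every non-SYN probe with RST whether the port is open or not), sends the first probe of each scan type to an open and a closed port, and applies the decision rules from the text. The flag constants, stack functions and the "firewalled" case are my constructions for the illustration.

```python
"""Simulate how Nmap turns a target's TCP reply into the STATE column.

Added example; not code from the original post or from Nmap. Models an
RFC 793 stack (Linux/Unix), a Windows-style stack that resets every non-SYN
probe, and a host behind a firewall that drops everything.
"""
from typing import Callable, Optional

# TCP flag bits (same values Wireshark shows under tcp.flags)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags of the first probe each scan type sends to the target port
PROBES = {
    "sT": SYN,              # connect() scan: kernel completes the handshake if SYN/ACK comes back
    "sS": SYN,              # half-open scan: raw SYN; on SYN/ACK Nmap sends RST instead of ACK
    "sF": FIN,              # FIN scan
    "sN": 0,                # Null scan: no flags at all
    "sX": FIN | PSH | URG,  # Xmas scan
}

Stack = Callable[[bool, int], Optional[int]]

def rfc793_reply(port_open: bool, flags: int) -> Optional[int]:
    """Reply flags of an RFC 793 stack; None means the probe is silently dropped."""
    if not port_open:
        # Closed port: anything that is not itself a RST gets a RST back
        return None if flags & RST else RST | ACK
    if flags & SYN and not flags & ACK:
        return SYN | ACK            # open port completes step 2 of the handshake
    return None                     # open port ignores FIN/NULL/Xmas probes

def windows_reply(port_open: bool, flags: int) -> Optional[int]:
    """Windows-style stack: RST to every probe that is not a plain SYN, open or not."""
    if port_open and flags & SYN and not flags & ACK:
        return SYN | ACK
    return RST | ACK

def firewalled(port_open: bool, flags: int) -> Optional[int]:
    """A stateful firewall in front of the host drops every probe."""
    return None

def classify(scan_type: str, reply: Optional[int]) -> str:
    """Map the reply (or silence) to the STATE Nmap prints for that scan type."""
    if scan_type in ("sT", "sS"):
        if reply is not None and reply & SYN and reply & ACK:
            return "open"
        if reply is not None and reply & RST:
            return "closed"
        return "filtered"           # no answer to a SYN: something dropped it
    # FIN/NULL/Xmas: only a RST is conclusive
    if reply is not None and reply & RST:
        return "closed"
    return "open|filtered"          # silence cannot separate open from filtered

def scan(scan_type: str, stack: Stack, port_open: bool) -> str:
    """Send the probe for scan_type to a port served by stack and classify the reply."""
    return classify(scan_type, stack(port_open, PROBES[scan_type]))

if __name__ == "__main__":
    stacks = (("RFC 793 (Linux)", rfc793_reply), ("Windows-style", windows_reply), ("firewalled", firewalled))
    for name, stack in stacks:
        for scan_type in PROBES:
            print(f"{name:16} -{scan_type}: open port -> {scan(scan_type, stack, True):13} "
                  f"closed port -> {scan(scan_type, stack, False)}")
```

Running it shows the point of the "Linux only" remark: against the Windows-style stack every FIN/NULL/Xmas probe comes back with RST, so an open port is reported as closed, while -sT and -sS still give the right answer. It also shows why the stealth scans print open|filtered rather than open: a dropped probe and an open port look identical from the scanner's side.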

2. Host detection

To find which hosts are online in a network segment, use the -sP parameter; it does not scan ports, it only looks for "live hosts".

In essence this is a Ping scan: if the Ping gets a reply packet, the host is determined to be online.

nmap -sP 192.168.31.0/24

From the scan output: the 256 IPs in this network segment were scanned in 2 seconds and 3 live hosts were found, which is quite efficient.


3. Service identification

When scanning ports, the service associated with each port is displayed by default, but not its version.

To identify the specific "service version", use the -sV parameter.

nmap 192.168.31.180 -p 80 -sV

In the scan output, the VERSION column shows the detailed version of the service.

4. System identification

To identify the "operating system version", use the -O parameter.

nmap 192.168.31.180 -p 80 -O

Note:

  1. The operating system version reported by Nmap is not completely accurate and is for reference only.
  2. When the exact version cannot be identified, Nmap lists the possible operating systems with a probability for each, as shown in the figure above.

5. Scan result export

Nmap scan results can be saved to a file, for example in text format or XML format.

1) Export the scan result in "text format"; the output is saved exactly as displayed.

nmap 192.168.31.180 -p 80 -oN result.txt


2) Export the scan result in "XML format"; the saved result uses a different layout from the on-screen output.

nmap 192.168.31.180 -p 80 -oX result.xml

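The XML produced by -oX is the format to use when scan results feed another tool, because it carries the same fields the screenshots in sections 2 to 4 show (host state, PORT/STATE/SERVICE, the VERSION column from -sV, and the OS candidates with their probability from -O) in a stable structure. The block below is an added example, not code from the original post or from Nmap; it parses a constructed sample file laid out the way Nmap's XML output is (nmaprun/host/ports/port, os/osmatch, runstats/hosts). The product, version and OS strings in the sample are made up for the illustration.

```python
"""Parse an Nmap -oX result and extract host state, ports, service versions and OS matches.

Added example; not code from the original post or from Nmap. SAMPLE_XML is a
constructed document in Nmap's XML layout with made-up service and OS strings.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap 192.168.31.180 -p 22,80,443 -sV -O -oX result.xml">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.31.180" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.54" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 5.0 - 5.5" accuracy="93"/>
      <osmatch name="Linux 4.15 - 5.8" accuracy="96"/>
    </os>
  </host>
  <runstats>
    <finished elapsed="1.58"/>
    <hosts up="1" down="0" total="1"/>
  </runstats>
</nmaprun>
"""

def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one dict per host: addr, status, ports (list of dicts) and os_matches (name, accuracy)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status_el = host.find("status")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "status": status_el.get("state") if status_el is not None else "unknown",
            "ports": [],
            "os_matches": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            version = ""
            if svc is not None:
                # The VERSION column is product + version; both are only filled in when -sV probed the port
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else "",
                "version": version,
            })
        for m in host.findall("os/osmatch"):
            entry["os_matches"].append((m.get("name"), int(m.get("accuracy"))))
        # Nmap prints the most probable OS first; sort by accuracy so the order does not depend on the file
        entry["os_matches"].sort(key=lambda t: t[1], reverse=True)
        hosts.append(entry)
    return hosts

def hosts_up(xml_text: str) -> int:
    """Number of live hosts from <runstats><hosts up=...>, the figure a -sP sweep reports."""
    el = ET.fromstring(xml_text).find("runstats/hosts")
    return int(el.get("up")) if el is not None else 0

def port_table(host: Dict) -> List[str]:
    """Render one host's ports like Nmap's PORT/STATE/SERVICE/VERSION columns."""
    return [f"{p['port']}/{p['proto']:<4} {p['state']:<13} {p['service']:<8} {p['version']}".rstrip()
            for p in host["ports"]]

if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"Host {h['addr']} is {h['status']}")
        print("\n".join(port_table(h)))
        for name, acc in h["os_matches"]:
            print(f"OS guess: {name} ({acc}%)")
    print(f"hosts up: {hosts_up(SAMPLE_XML)}")
```

To run it on a real export, replace SAMPLE_XML with the contents of result.xml; the text format from -oN has no such structure and would need fragile line parsing, which is the reason to prefer -oX for anything automated.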

Source: blog.csdn.net/wangyuxiang946/article/details/127710186