Using the Nmap scanning tool

1. Theory

Nmap is a free, open-source network scanner and security auditing tool written mainly in C and C++ (its scripting engine, NSE, uses Lua). By probing a target host's ports, protocols and application versions it helps administrators assess the exposure of hosts and networks and, through its scripts, detect some known weaknesses. It runs on Linux, Windows, macOS and other operating systems.

Nmap supports many scan techniques, including TCP SYN scan, TCP connect scan, UDP scan and ICMP-based host discovery. It can also scan individual ports or port ranges, scan across multiple subnets, run scripts (NSE), detect service versions and fingerprint operating systems.

Nmap works by exercising the target's TCP/IP stack: it sends crafted TCP, UDP and ICMP packets and infers the state of each port, and properties of the host, from how the target answers (a SYN/ACK, a RST, an ICMP error, or silence). The different scan types (SYN, Connect, UDP, ACK and others) are different probe strategies for the same idea; each elicits a different set of responses, which is why the same port can be reported differently by different scan types.

2. Scan IP address

nmap -sn 192.168.120.0/24 192.168.120.100-254 #Host discovery only (ping scan), no port scan; both target forms (CIDR block and octet range) are valid

3. Scan port

nmap -sS 192.168.120.85 #TCP SYN (half-open) scan; the default when run as root, never completes the handshake
nmap -sA 192.168.120.85 #TCP ACK scan; does not find open ports, it only tells filtered from unfiltered to map firewall rules
nmap -Pn 192.168.120.85 #Skip host discovery and treat the target as up; the port scan itself is still the default type (-sS as root)
nmap -sV 192.168.120.85 #Important: probe the open ports and report the service name and version running on each
nmap -p6370-6380 192.168.120.85 #Scan only the given port range (the default is the 1000 most common ports)

4. Scan the system

nmap -O 192.168.120.85 #OS fingerprinting (needs root; works best when at least one open and one closed TCP port are found)

5. Other commands

nmap -A 192.168.120.85 #Aggressive scan: enables -O, -sV, the default scripts (-sC) and --traceroute
nmap -F 192.168.120.85 #Fast scan: the 100 most common ports instead of 1000
nmap -sP 192.168.120.0/24 #Ping scan of a network segment (older alias for -sn)
nmap --traceroute www.woniuxy.com #Port scan plus a traceroute to the target

6. Extended commands

Firewall and IDS evasion

IP spoofing: send probes with another source address (nmap -S). Replies go to the spoofed address, so you normally need -e to choose the sending interface and -Pn, and you learn nothing unless you can sniff those replies.
Fragmentation: split each probe into small IP fragments (nmap -f, or --mtu for a chosen size) so that simple packet filters never see a whole TCP header. Needs raw-socket privileges, and some hosts and filters reassemble before inspecting.
MAC spoofing: --spoof-mac, only meaningful on the local Ethernet segment.
Timing: slow the scan down with -T0 to -T2 or --scan-delay to stay under rate-based detection thresholds.
Decoys: -D makes the probes appear to come from several addresses at once, so the real scanner is harder to pick out in the target's logs.

nmap -D RND:10 www.woniuxy.com #Decoy scan with 10 random decoy addresses
nmap -D 192.168.17.23 www.woniuxy.com #Decoy scan with a chosen decoy; a comma-separated list is allowed and ME stands for your real address
nmap -e <interface> -S 192.168.17.23 -Pn www.woniuxy.com #Spoof the source address; -e names the interface to send from
nmap -f www.woniuxy.com #Fragment probes into 8-byte pieces (-ff for 16 bytes)
nmap --mtu 8 www.csdn.net #Fragment with a chosen size; the value must be a multiple of 8
nmap --spoof-mac 0 www.woniuxy.com #MAC spoofing; 0 picks a random MAC, a vendor name or a full address also works
nmap --ttl 128 www.baidu.com #Set the IP TTL of outgoing probes
nmap -T4 47.108.235.197 #Timing template 0-5 (paranoid to insane); -T4 is fast, -T0 and -T1 are the evasion settings

7. Port states reported by Nmap

1. open

An application is actively accepting TCP connections or UDP datagrams on this port. Finding these is usually the main goal of a port scan: every open port is a potential way in, so attackers and penetration testers want to find them, while administrators try to close or firewall them without blocking legitimate users. Open ports also interest non-security scans because they show which services are available on the network.

2. closed

A closed port is reachable (it receives Nmap's probes and answers them, typically with a RST) but no application is listening on it. Closed ports are useful for showing that the host at that address is up, which is part of host discovery, and they help OS detection. Because a closed port is reachable, it may be worth scanning again later in case a service appears on it. Administrators may want to block such ports with a firewall, after which they show up as filtered, described next.

3. filtered

A packet filter is preventing the probes from reaching the port, so Nmap cannot tell whether it is open. The filter may be a dedicated firewall appliance, router rules, or a host-based firewall. Filtered ports frustrate attackers because they yield almost no information. Occasionally the filter answers with an ICMP error such as type 3 code 13 (destination unreachable: communication administratively prohibited), but more often the probes are simply dropped with no response at all. Nmap must then retry several times in case the drop was caused by congestion, which slows the scan noticeably.

4. unfiltered

The port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan, which is used to map firewall rule sets, reports this state. Scanning unfiltered ports with another scan type, such as a Window, SYN or FIN scan, can help resolve whether they are open.

5. open|filtered

Nmap uses this state when it cannot tell whether a port is open or filtered. It arises with scan types where an open port gives no response, because no response may equally mean that a filter dropped the probe or the reply. UDP, IP protocol, FIN, NULL and Xmas scans can report ports in this state.

6. closed|filtered

Nmap uses this state when it cannot tell whether a port is closed or filtered. It only occurs in the IP ID idle scan (-sI).
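Putting the commands from sections 2 to 5 together with the port states above, here is an added shell example (not part of the original post) that parses Nmap's greppable output (-oG) so a host-discovery scan can feed a port scan, and that turns filtered and open|filtered results into follow-up commands. The 192.168.120.0/24 addresses and both sample outputs are constructed for the example; only the live function at the end calls the real nmap binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): chain an Nmap discovery scan into a
# port/version scan and triage the result by port state, using greppable (-oG) output.
# Assumptions: the 192.168.120.0/24 addresses and both sample outputs are constructed.
set -eu

TAB=$(printf '\t')

# Constructed sample of `nmap -v -sn -oG - 192.168.120.0/24` (fields are tab-separated).
SAMPLE_DISCOVERY="# Nmap 7.94 scan initiated as: nmap -v -sn -oG - 192.168.120.0/24
Host: 192.168.120.1 ()${TAB}Status: Up
Host: 192.168.120.85 (app.lab.local)${TAB}Status: Up
Host: 192.168.120.200 ()${TAB}Status: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 3.21 seconds"

# Constructed sample of `nmap -sS -sU -sV -oG - 192.168.120.85` with one entry per state
# discussed above. Each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_PORTSCAN="# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG - 192.168.120.85
Host: 192.168.120.85 (app.lab.local)${TAB}Status: Up
Host: 192.168.120.85 (app.lab.local)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///, 6379/open/tcp//redis//Redis key-value store 6.0.16/, 53/closed/udp//domain///, 161/open|filtered/udp//snmp///${TAB}Ignored State: closed (994)
# Nmap done -- 1 IP address (1 host up) scanned in 12.04 seconds"

# Hosts that answered the discovery scan (Status: Up), one IP per line.
discover_hosts() {
  awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# Ports in exactly the given state ("open", "filtered", "open|filtered", ...) as
# "host port proto service version". Nmap writes any "/" inside the service or
# version text as "|", so splitting each entry on "/" is safe.
ports_in_state() {
  awk -F'\t' -v want="$1" '
    /^Host: / {
      split($1, h, " "); host = h[2]
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), entries, ", ")
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] != want) continue
          printf "%s %s %s %s %s\n", host, f[1], f[3],
                 (f[5] == "" ? "?" : f[5]), (f[7] == "" ? "-" : f[7])
        }
      }
    }'
}

# Turn the ambiguous states into follow-up scans: filtered TCP ports get an ACK scan
# (-sA) to map the firewall, open|filtered UDP ports get version probes (-sV), both
# with --reason so Nmap says which response (or lack of one) produced the state.
followup_commands() {
  printf '%s\n' "$1" | ports_in_state 'filtered' | awk '
    $3 == "tcp" { p[$1] = (p[$1] == "" ? $2 : p[$1] "," $2) }
    END { for (h in p) printf "nmap -sA --reason -p %s %s\n", p[h], h }'
  printf '%s\n' "$1" | ports_in_state 'open|filtered' | awk '
    $3 == "udp" { p[$1] = (p[$1] == "" ? $2 : p[$1] "," $2) }
    END { for (h in p) printf "nmap -sU -sV --reason -p %s %s\n", p[h], h }'
}

# Live use (needs nmap installed and root for -sS): discover, scan what answered,
# print the open ports, then print the suggested follow-up commands.
scan_live_hosts() {
  command -v nmap >/dev/null 2>&1 || { echo "nmap not found" >&2; return 1; }
  hosts=$(nmap -sn -oG - "$1" | discover_hosts | tr '\n' ' ')
  [ -n "$hosts" ] || { echo "no hosts up" >&2; return 0; }
  # shellcheck disable=SC2086  # splitting $hosts into separate arguments is intended
  result=$(nmap -sS -sV -oG - $hosts)
  printf '%s\n' "$result" | ports_in_state open
  followup_commands "$result"
}

# Offline demo on the constructed samples.
printf '%s\n' "$SAMPLE_DISCOVERY" | discover_hosts
printf '%s\n' "$SAMPLE_PORTSCAN" | ports_in_state open
followup_commands "$SAMPLE_PORTSCAN"
```

Run it as is to see the parsers work on the samples; call scan_live_hosts 192.168.120.0/24 (as root, with nmap installed) for a real segment. The -oG format was chosen because every result for a host sits on one line, which makes it easy to split in awk; for anything more involved, -oX with an XML parser is the more robust choice.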

8. Commonly used ports

Port            Service          Description
20/TCP,UDP      FTP (data)       File Transfer Protocol, default data port
21/TCP,UDP      FTP (control)    File Transfer Protocol, control port
22/TCP,UDP      SSH              Secure Shell: encrypted remote login, file transfer (SCP, SFTP) and port forwarding
23/TCP,UDP      Telnet           Terminal emulation, unencrypted
25/TCP,UDP      SMTP             Simple Mail Transfer Protocol, mail delivery between servers
43/TCP          WHOIS            WHOIS protocol
53/TCP,UDP      DNS              Domain Name System
67/UDP          BOOTP server     Bootstrap Protocol server; also used by DHCP
68/UDP          BOOTP client     Bootstrap Protocol client; also used by DHCP
69/UDP          TFTP             Trivial File Transfer Protocol
80/TCP          HTTP             Hypertext Transfer Protocol, web pages
110/TCP         POP3             Post Office Protocol version 3, mail retrieval
113/TCP         Ident            Identification Protocol; old, still used by some IRC servers to identify users
123/UDP         NTP              Network Time Protocol, time synchronisation
137/TCP,UDP     NetBIOS-NS       NetBIOS Name Service
138/TCP,UDP     NetBIOS-DGM      NetBIOS Datagram Service
139/TCP,UDP     NetBIOS-SSN      NetBIOS Session Service
143/TCP,UDP     IMAP             Internet Message Access Protocol (IMAP4), mail retrieval
161/TCP,UDP     SNMP             Simple Network Management Protocol
179/TCP         BGP              Border Gateway Protocol
194/TCP         IRC              Internet Relay Chat
220/TCP,UDP     IMAP3            Interactive Mail Access Protocol version 3
389/TCP,UDP     LDAP             Lightweight Directory Access Protocol
443/TCP         HTTPS            HTTP over TLS/SSL (encrypted)
546/UDP         DHCPv6 client    DHCP for IPv6, client side
547/UDP         DHCPv6 server    DHCP for IPv6, server side
631/TCP,UDP     IPP              Internet Printing Protocol (CUPS)
636/TCP,UDP     LDAPS            LDAP over SSL/TLS (encrypted)
991/TCP,UDP     NAS              Netnews Administration System
1080/TCP        SOCKS            SOCKS proxy
1194/UDP        OpenVPN          OpenVPN
1433/TCP,UDP    MS SQL           Microsoft SQL Server database engine
1434/UDP        MS SQL Browser   Microsoft SQL Server Browser service (instance and port resolution)
1521/TCP        Oracle           Oracle database default listener; the officially registered port is 2483
3306/TCP,UDP    MySQL            MySQL database server
3389/TCP        RDP              Remote Desktop Protocol
5432/TCP        PostgreSQL       PostgreSQL database server

More common ports:

https://www.cnblogs.com/lihaiyan/p/4356748.html

Common network port numbers (port 5355), 姜亚轲's blog on CSDN


Origin blog.csdn.net/m0_73896875/article/details/131580599