nmap tool usage

Introduction to nmap functions

1 Overview

Nmap is a very capable tool: it covers host discovery, port scanning, service and version identification, operating system fingerprinting and, through its scripting engine (NSE), vulnerability detection. Its scanning work falls into four main areas: Host Discovery, Port Scanning, Service and Version Detection, and Operating System Detection.

2. Basic usage

Simple scan of a single host:

nmap 192.168.1.1

Verbose output of the results:

nmap -vv 192.168.1.1

Scan the entire subnet:

nmap 192.168.1.1/24

Scan multiple targets (separate them with spaces):

nmap 192.168.1.1 192.168.2.1

Scan a range of targets:

nmap 192.168.1.1-254

Scan the targets listed in a file (one per line):

nmap -iL file.txt

A complete, aggressive scan:

nmap -T4 -A -v 192.168.1.1

The -A option turns on aggressive scanning: OS detection, version detection, default NSE script scanning and traceroute in one run. -T4 selects a timing template; there are six (T0 to T5), and the higher the number, the faster the scan, but a fast scan is also easier for a firewall or IDS to detect and block. T4 is the usual choice when the network is reliable. -v raises verbosity so that Nmap prints progress and details while it scans, letting you see what it is doing.

3. Host discovery

List the targets without scanning them (list scan):

nmap -sL 192.168.1.1/24

Scan the subnet except one IP:

nmap 192.168.1.1/24 --exclude 192.168.1.2

Scan the subnet except the IPs listed in a file:

nmap 192.168.1.1/24 --excludefile file.txt

Host discovery options:

-sL: List Scan. Only lists the specified target IPs (with reverse DNS lookups); no host discovery is performed.

-sn: Ping Scan. Host discovery only, no port scan.

-sP: Older name for -sn, kept for backwards compatibility.

-Pn: Treat all specified hosts as online and skip host discovery.

-PS[portlist]: TCP SYN Ping discovery.

-PA[portlist]: TCP ACK Ping discovery.

-PU[portlist]: UDP Ping discovery.

-PY[portlist]: SCTP INIT Ping discovery.

-PR: ARP Ping Scan (local network only).

-PE: ICMP echo request Ping discovery.

-PP: ICMP timestamp request Ping discovery.

-PM: ICMP address mask request Ping discovery.

-PO[protocollist]: IP protocol Ping: send raw IP packets with the given protocol numbers to see whether the host responds (not an ICMP ping).

-n: Never perform reverse DNS resolution of target IP addresses.

-R: Always perform reverse DNS resolution of target IP addresses (by default Nmap only resolves hosts that are up).

-6: Enable IPv6 scanning.

--dns-servers <serv1[,serv2],...>: Specify the DNS servers to use for reverse lookups.

--system-dns: Use the operating system's resolver instead of Nmap's own.

--traceroute: Trace the route to each target after the scan. It shows the network hops between the scanning machine and the target and the round-trip time through each hop.

Of these, the most commonly used are -sn, which runs the host discovery stage on its own; -Pn, which skips host discovery and goes straight to port scanning and the later stages (use it when you already know the target is up, or when it blocks the discovery probes); and -n, which turns off DNS and reverse DNS resolution.
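The two-stage workflow this implies, as an added example that is not part of the original post: run the discovery stage on its own, pull the live hosts out of Nmap's grepable (-oG) output, and feed only those hosts to a later port scan. It assumes a POSIX sh with awk, and an nmap binary on PATH for the real (non-sample) functions; the sample output embedded in it is constructed, not a real scan.

```shell
# Added example (not from the original post). Assumes POSIX sh + awk; nmap on
# PATH is only needed by discover_live and scan_live_ports.

# Read grepable output on stdin and print the IP of every host reported as up.
# Grepable "Host:" lines look like:  Host: 10.0.0.1 (name)<TAB>Status: Up
extract_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Discovery stage only: -sn (no port scan), -n (no reverse DNS), grepable
# output on stdout. On a local Ethernet segment Nmap sends ARP requests
# automatically; -PR forces that even if ICMP options are also given.
discover_live() {
    nmap -sn -n -oG - "$@" | extract_up_hosts
}

# Second stage: port-scan only the hosts found above, with -Pn so that Nmap
# does not repeat (and possibly fail) discovery against hosts we know are up.
scan_live_ports() {
    discover_live "$@" > live_hosts.txt
    nmap -Pn -n -sS -p- -iL live_hosts.txt -oA live_ports
}

# Constructed sample of `nmap -v -sn -n -oG -` output (not a real scan), so the
# parser can be exercised without a network. -v is what makes Down hosts appear.
sample_sweep() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -v -sn -n -oG - 192.168.1.0/29'
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.3 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.5 ()\tStatus: Down\n'
    printf '%s\n' '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds'
}

# Parser applied to the sample; prints 192.168.1.1 and 192.168.1.3.
sample_up_hosts() {
    sample_sweep | extract_up_hosts
}

sample_up_hosts
```

Running `scan_live_ports 192.168.1.0/24` performs the real two-stage scan; the Down host in the sample is filtered out because the parser keys on the literal `Status: Up` field rather than on the presence of a `Host:` line.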

4. Port scanning

Skip the host discovery stage (no ping):

nmap -Pn 192.168.1.1

By default Nmap runs host discovery before any other scan and only port-scans hosts that responded. If the target drops the discovery probes (for example, ICMP echo is blocked by a firewall), Nmap marks it as down and skips it, so the report says nothing about a host that is actually online. In that case use -Pn (the older spelling -PN still works) to treat every target as up and skip the discovery stage entirely.

Discover hosts with ARP:

nmap -PR 192.168.1.1

ARP discovery only works on the local Ethernet segment, and Nmap already uses it there by default when it has raw-packet privileges. It is fast and reliable: a host must answer ARP to talk on the segment at all, whatever its firewall does with ICMP.

Half-open (SYN) scan, which never completes the TCP handshake and needs root/raw-socket privileges:

nmap -sS 192.168.1.1

Full-open (TCP connect) scan, which uses the OS connect() call and works without privileges, but the completed connections show up in the target's application logs:

nmap -sT 192.168.1.1

Scan all 65535 TCP ports (-p- is shorthand for -p 1-65535):

nmap -p- 192.168.1.1

Scan the specified port

nmap -p 80 192.168.152.154

Scan type options:

-sS/sT/sA/sW/sM: TCP SYN / Connect() / ACK / Window / Maimon scans of the target host.

-sU: UDP scan; determines the state of the target's UDP ports.

-sN/sF/sX: TCP Null, FIN and Xmas scans; stealthy probes that infer TCP port state from how the stack answers flag combinations that never occur in a normal handshake (closed ports reply with RST, open ports stay silent).

--scanflags <flags>: Customize the TCP flags set in the probe packets.

-sI <zombiehost[:probeport]>: Idle scan through a zombie host (you first need a suitable zombie with a predictable IP ID sequence).

-sY/sZ: SCTP INIT / COOKIE-ECHO scans to find open SCTP ports.

-sO: IP protocol scan; determines which IP protocols the target supports.

-b <FTP relay host>: FTP bounce scan.

Port parameters and scan order

-p <port ranges>: Scan only the specified ports.

Examples: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 (T = TCP, U = UDP, S = SCTP)

-F: Fast mode; scans only the 100 most common ports.

-r: Do not randomize port order. Without it, Nmap scans the ports in random order so that the sequential pattern is harder for a firewall or IDS to spot.

--top-ports <number>: Scan the <number> ports most likely to be open. The Nmap authors ran large-scale Internet scans to measure how often each port is found open, and the resulting frequencies are recorded in the nmap-services file. By default Nmap scans the 1000 most common ports for each scanned protocol.

--port-ratio <ratio>: Scan only ports whose open frequency in nmap-services is greater than <ratio>. Like --top-ports, but selected by probability rather than by count; the value must be between 0 and 1, and the per-port frequencies can be read directly from nmap-services.

5. Service version detection

-sV (version detection)

Turn on version detection. -A also enables it, together with OS detection, default script scanning and traceroute.

--allports (do not exclude any ports from version detection)

By default version detection skips TCP port 9100, because some printers print anything sent to their JetDirect port. The skip list is the Exclude directive in nmap-service-probes; --allports ignores it and probes every open port.

--version-intensity <intensity> (set version scan intensity)

Higher values try more probes and make correct identification more likely, but take longer. Intensity is a number from 0 to 9; the default is 7.

--version-light (enable light mode)

A convenience alias for --version-intensity 2. Light mode makes version scanning much faster, but it is somewhat less likely to identify services.

--version-all (try every probe)

Alias for --version-intensity 9: every probe is tried against every port.

--version-trace (trace version scan activity)

This causes Nmap to print detailed debugging information about the version scan as it runs. It is a subset of the information obtained with --packet-trace.

-sR (RPC scan)

This technique works together with the port scan methods. It sends the SunRPC program NULL command to every open TCP/UDP port to determine whether it is an RPC port and, if so, which program and version number is behind it. You effectively get the same information as rpcinfo -p, even when the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. It is enabled automatically as part of version scanning (-sV), and since version detection includes it and is far more comprehensive, -sR is rarely needed on its own.
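Both the port scanning section above and the version detection options here end in the same practical question: how to get from Nmap's output to a list of open services with their versions. The following is an added example, not code from the original post, that parses the port and version information in Nmap's grepable (-oG) output into one line per open port. It assumes POSIX sh and awk, with nmap on PATH only for the real (non-sample) function; the sample scan output and version strings embedded in it are constructed. For tooling that must be robust, parse the XML (-oX) output instead; the grepable format is simpler but older.

```shell
# Added example (not from the original post). Assumes POSIX sh + awk; nmap on
# PATH is only needed by version_scan.

# Read grepable output on stdin and print "<ip> <port>/<proto> <service> <version>"
# for each open port. In -oG output the fields of a Host: line are tab separated,
# and each entry in the "Ports:" field has seven slash-separated subfields:
# port/state/protocol/owner/service/rpcinfo/version, with entries joined by ", ".
open_services() {
    awk '
    BEGIN { FS = "\t" }
    /^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if (substr($i, 1, 7) != "Ports: ") continue
            # split on "/, " rather than ", " so commas inside a version
            # string (the seventh subfield) do not break an entry in two
            n = split(substr($i, 8), entry, "/, ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }
    }'
}

# Real use: version scan at a chosen intensity (Nmap default is 7), listing the
# open services. Intensity 2 (--version-light) is much faster on large ranges;
# 9 (--version-all) is thorough but slow.
version_scan() {
    intensity=$1; shift
    nmap -sV --version-intensity "$intensity" -oG - "$@" | open_services
}

# Constructed sample of `nmap -sS -sU -sV -oG -` output (not a real scan) used
# to exercise the parser offline. The version strings are invented.
sample_scan() {
    printf '%s\n' '# Nmap 7.94 scan initiated as: nmap -sS -sU -sV -oG - 192.168.1.1'
    printf 'Host: 192.168.1.1 ()\tPorts: %s\tIgnored State: closed (1995)\n' \
        '22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)/, 53/open/udp//domain//ISC BIND 9.18.1/, 80/open/tcp//http//nginx 1.18.0 (Ubuntu)/, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///'
    printf '%s\n' '# Nmap done -- 1 IP address (1 host up) scanned in 45.67 seconds'
}

# Parser applied to the sample: prints the three open services and drops the
# closed 443/tcp and filtered 8080/tcp entries.
sample_open_services() {
    sample_scan | open_services
}

sample_open_services
```

`version_scan 2 192.168.1.0/24` gives a quick first pass; rerunning the interesting hosts with `version_scan 9` is usually cheaper than scanning everything at full intensity.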

6. Host operating system fingerprinting

Identify the operating system:

nmap -O 192.168.1.1

Apart from host discovery and port scanning, Nmap can identify the target's operating system by fingerprinting its TCP/IP stack (-O needs raw-packet privileges, and the match is most reliable when the host has at least one open and one closed TCP port). Knowing the OS matters because the follow-up differs by platform: Linux and Windows systems are approached differently, as are Android and Apple systems, so identifying the system early guides the rest of the engagement.

The -A option includes OS detection together with version detection, default script scanning and traceroute:

nmap -A 192.168.1.1

7. Other common options

Output options:

-oN <file>: normal (human-readable) output

-oX <file>: XML output

-oG <file>: grepable output (one line per host; easy to process with grep and awk)

-oA <basename>: write all three formats at once (<basename>.nmap, .xml and .gnmap)

Debugging:

--log-errors: write errors and warnings to the normal-format output file as well as to the terminal

--packet-trace: print every packet Nmap sends and receives

8. Vulnerability scanning

Nmap NSE vulnerability scanning modules

1. vulscan

# fetch the vulscan script and its vulnerability databases
git clone https://github.com/scipag/vulscan scipag_vulscan
# link it into Nmap's script directory (path shown is the Debian/Ubuntu default)
ln -s `pwd`/scipag_vulscan /usr/share/nmap/scripts/vulscan

If you downloaded an archive instead of cloning, unpack the files into the scripts directory of your Nmap installation (Windows path shown):

Nmap\scripts\vulscan\*

Usage:

The minimal command for a simple vulnerability scan is:

nmap -sV --script=vulscan/vulscan.nse www.example.com

-sV is required: vulscan works by matching the product and version strings that version detection reports against its CSV databases, so without version detection there is nothing to match.

The vulnerability databases are updated and rebuilt regularly. To cover recently disclosed vulnerabilities, keep your local copies up to date.

To update the databases automatically, set execute permission on update.sh and run it:

chmod 744 update.sh
./update.sh

To update them manually, download these files from the following site:

- https://www.computec.ch/projekte/vulscan/download/cve.csv
- https://www.computec.ch/projekte/vulscan/download/exploitdb.csv
- https://www.computec.ch/projekte/vulscan/download/openvas.csv
- https://www.computec.ch/projekte/vulscan/download/osvdb.csv
- https://www.computec.ch/projekte/vulscan/download/scipvuldb.csv
- https://www.computec.ch/projekte/vulscan/download/securityfocus.csv
- https://www.computec.ch/projekte/vulscan/download/securitytracker.csv
- https://www.computec.ch/projekte/vulscan/download/xforce.csv

and copy them into your vulscan folder.

2. nmap-vulners

cd /usr/share/nmap/scripts/
git clone https://github.com/vulnersCom/nmap-vulners.git

Usage:

nmap -sV --script=nmap-vulners/vulners.nse 192.168.1.1

The vulners script looks up the CPE that version detection produced against the vulners.com API, so it also needs -sV, and the scanning host needs Internet access.

3. Combined

nmap -sV --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv 192.168.1.1

The vulscandb argument restricts vulscan to a single database (here scipvuldb.csv) instead of matching against all of them.


Source: blog.csdn.net/huangyongkang666/article/details/123702373