The python-nmap module (writing a scanner)

Module features

Nmap currently provides the following main functions.

  • Host discovery. Send probes to the target and decide from its replies whether it is switched on and reachable on the network.
  • Port scanning. Send probes to specific ports on the target and decide from the replies whether each port is open.
  • Service and version detection. Send crafted requests to the target's open ports and infer, from the replies, which service and which version is listening.
  • OS detection. Fingerprint the target's TCP/IP stack to guess which operating system it runs.

Beyond these basics, Nmap implements a number of advanced auditing techniques: hiding the identity of the scanning side (decoys, idle scanning), stealthy scan types, evasion of defensive devices such as firewalls, detection of known system vulnerabilities, and extensive reporting options. As development continued, the Nmap Scripting Engine (NSE) was added, which lets anyone extend Nmap with modules of their own.

Install Nmap and its modules

On Windows, download the Nmap installer from the official site (nmap.org); the problems the author ran into during installation are covered in a separate note. One thing must be stressed: the Python package we want is python-nmap, not nmap. Remember this! If you install the wrong package, "import nmap" will not provide the PortScanner class and the instantiation below fails.

pip install python-nmap   # command to install the module

Basic Usage

  1. Instantiating the python-nmap module

The most commonly used class is PortScanner, which wraps the functionality of the Nmap tool. Instantiating it takes a single statement:

import nmap
nm = nmap.PortScanner()

The PortScannerAsync class offers the same functions as PortScanner but runs the scan asynchronously, in a background process. It is instantiated the same way:

import nmap
nm = nmap.PortScannerAsync()

  2. Functions in python-nmap

First look at the PortScanner class, which contains the following functions.

scan() function: its full form is scan(self, hosts='127.0.0.1', ports=None, arguments='-sV', sudo=False); it runs the scan against the given targets.

The hosts parameter is a string naming the hosts to scan. It may be an IP address such as "192.168.1.1", a network in CIDR form such as "192.168.1.0/24", or a domain name such as "www.nmap.org". Do not build it from untrusted input: the module splits this string like a shell command line, so a value such as "192.168.1.1 -iL /etc/hosts" would add extra options to the Nmap command.

The ports parameter is a string naming the ports to scan. A single port is written as "80"; several ports are separated by commas, as in "80,443"; a continuous range uses a hyphen, as in "1-5000". Leaving it as None lets Nmap use its default port list.

The arguments parameter is a string holding the Nmap command-line options for the scan, i.e. exactly what you would type after nmap on the command line. The most useful ones are listed below.

parameter                  effect
-O                         OS detection
-v / -d                    verbose / debugging output (repeat, e.g. -vv, for more)
-D                         decoy scan: hide the real source among decoy addresses
-p                         ports to scan
--osscan-guess (--fuzzy)   guess the OS more aggressively when no exact fingerprint match exists
-sT                        TCP connect scan (full three-way handshake; works without root)
-sU                        UDP scan (no reply may mean open|filtered; an ICMP port unreachable means closed)
-sL                        list scan: only enumerate the targets and do reverse DNS, no probes are sent
-sS                        SYN scan (half-open, stealthier; needs root/Administrator)
-sP (now -sn)              host discovery only: ARP on the local subnet, otherwise ICMP echo plus TCP probes to ports 80/443
-sO                        IP protocol scan: which IP protocols (TCP, UDP, ICMP, ...) the host supports
-sW                        TCP window scan
-sA                        TCP ACK scan: maps firewall rules, does not distinguish open from closed
-sN                        TCP Null scan (no flags set)
-sF                        TCP FIN scan
-sX                        Xmas scan (FIN, PSH and URG set)
-sI                        idle scan: fully blind, bounces probes off a zombie host so no packets come from the scanner
-sV                        service/version detection
-sC                        run the default NSE script set (same as --script=default)
-Pn (older spelling -PN)   skip host discovery and treat every target as up

These are the options I use most often; Nmap has many, many more than are listed here.

If you want to run a TCP SYN scan of ports 1 to 500 on 192.168.1.101, use the following. Note that -sS sends raw packets, so Nmap must run as root or Administrator (on Linux, either run the script as root or pass sudo=True to scan()); without privileges the scan fails.

import nmap
nm = nmap.PortScanner()
nm.scan('192.168.1.101', '1-500', '-sS')   # SYN scan; needs root/Administrator
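Because hosts, ports and arguments are handed to Nmap almost verbatim, a scanner that takes its targets from users (a web form, an API, a ticket) should validate them before calling scan(). The following is an added example, not code from the original post or from python-nmap: it checks the three inputs, rejects anything that would smuggle extra Nmap options in through the hosts string, and returns the argv list that python-nmap builds (the "nmap -oX - <hosts> -p <ports> <arguments>" layout is my reading of the module's internals and is stated here as an assumption). The ALLOWED_OPTIONS set is a hypothetical policy chosen for the example.

```python
import ipaddress
import re
import shlex

# Allowlist of Nmap options this wrapper is willing to pass through. This is a
# policy assumed for the example; widen it to what your tool actually needs.
ALLOWED_OPTIONS = {"-sS", "-sT", "-sU", "-sV", "-sn", "-sP", "-O", "-Pn", "-v"}

# RFC 1123 style host name: labels of 1-63 chars, letters/digits/hyphens, no
# leading "-" (so an option such as "-iL" can never pass as a host name).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
# Port spec as python-nmap expects it: "80", "80,443", "1-5000" or a mix.
_PORTS_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")


def valid_target(host):
    """True for one IP address, CIDR block or DNS name; False for anything else."""
    try:
        ipaddress.ip_network(host, strict=False)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(host))


def valid_ports(ports):
    """True for None or a well-formed port list whose ranges lie in 1-65535."""
    if ports is None:
        return True
    if not _PORTS_RE.match(ports):
        return False
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:   # nmap accepts port 0; we deliberately do not
            return False
    return True


def valid_arguments(arguments):
    """Every token of the arguments string must be on the allowlist."""
    return all(opt in ALLOWED_OPTIONS for opt in shlex.split(arguments))


def build_nmap_argv(hosts, ports=None, arguments="-sV", nmap_path="nmap"):
    """Validate the three scan() inputs and return the argv python-nmap would run.

    Assumption about the module's internals: it splits hosts and arguments with
    shlex and runs  nmap -oX - <hosts...> -p <ports> <arguments...>.
    Raises ValueError on any input that fails validation.
    """
    host_tokens = shlex.split(hosts)          # same splitting the module applies
    if not host_tokens or not all(valid_target(h) for h in host_tokens):
        raise ValueError("bad target: %r" % hosts)
    if not valid_ports(ports):
        raise ValueError("bad port spec: %r" % ports)
    if not valid_arguments(arguments):
        raise ValueError("option not allowed: %r" % arguments)
    argv = [nmap_path, "-oX", "-"] + host_tokens
    if ports is not None:
        argv += ["-p", ports]
    return argv + shlex.split(arguments)


def safe_scan(scanner, hosts, ports=None, arguments="-sV"):
    """Validate first, then hand the unchanged strings to a python-nmap PortScanner."""
    build_nmap_argv(hosts, ports, arguments)   # raises ValueError on bad input
    return scanner.scan(hosts, ports, arguments)


if __name__ == "__main__":
    print(build_nmap_argv("192.168.1.101", "1-500", "-sS"))
    for bad in ("192.168.1.1 -iL /etc/hosts", "10.0.0.1 --script=vuln"):
        try:
            build_nmap_argv(bad, "80", "-sV")
        except ValueError as exc:
            print("rejected:", exc)
```

Validation happens on the strings themselves rather than by quoting, because python-nmap does not go through a shell: there is no shell injection to escape, only Nmap option injection, and the fix for that is to refuse tokens that are not targets.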

all_hosts() function: returns a list of all the hosts that were scanned.

command_line() function: returns the Nmap command line used for the current scan, for example 'nmap -oX - 192.168.1.101 -p 1-500 -sS'.

csv() function: returns the scan result in CSV form, one line per host and port; print it to read it comfortably.

has_host(self, host) function: checks whether host appears in the scan results; returns True if it does, otherwise False.

scaninfo() function: returns a dictionary describing the scan itself, keyed by protocol, for example {'tcp': {'method': 'syn', 'services': '1-500'}}.

There are other common operations that you can try out yourself; they are not described further here.

The most important function of the PortScannerAsync class is also scan(). Its usage is essentially the same as PortScanner's scan(), with one extra argument, a callback. Its full form is scan(self, hosts='127.0.0.1', ports=None, arguments='-sV', callback=None, sudo=False), where callback(host, scan_data) is a function that is called once for each host as soon as that host's result is ready. That is what makes the class convenient for sweeping a whole network segment: results arrive host by host instead of all at once at the end.

import nmap
nm = nmap.PortScannerAsync()
def callback_result(host, scan_result):              # runs once per host as its result arrives (scan_result is None if that host's scan failed)
    print(host, 'up' if host in (scan_result or {}).get('scan', {}) else 'down')
nm.scan(hosts='192.168.1.0/24', arguments='-sP', callback=callback_result)
nm.wait()                                            # block until the background scan has finished

This class provides the following three functions for working with the asynchronous scan.

still_scanning(): returns True while the scan is still in progress, otherwise False.

wait(self, timeout=None): blocks until the scan finishes, or for at most timeout seconds if a timeout is given.

stop(): stops the scan.

Write a port scanner

Now that we understand how python-nmap is used, we can use the module to write a simple port scanner.

import nmap                               # import the module
nm = nmap.PortScanner()                   # create the scanner object
nm.scan('192.168.1.104', '1-1000')        # target IP and port range; arguments default to -sV
for host in nm.all_hosts():               # iterate over the hosts that were scanned
    print('---------------------------------------------------------')
    print('Host : %s (%s)' % (host, nm[host].hostname()))   # nm[host].hostname() gives the target's host name
    print('State : %s' % nm[host].state())                  # nm[host].state() gives the host state: up | down | unknown | skipped
    for proto in nm[host].all_protocols():                  # protocols that were scanned, e.g. ['tcp', 'udp']
        print('-----------------------------------------------------')
        print('protocol : %s' % proto)                      # print the protocol
        lport = sorted(nm[host][proto].keys())              # ports found for this protocol, in numeric order (a Python 3 keys() view has no sort())
        for port in lport:                                  # walk the ports
            print('port : %s\tstate : %s' % (port, nm[host][proto][port]['state']))   # print the scan result for each port


Writing a host survival scanner

This section has a new title, but if you compare the two pieces of code carefully you will find they are in fact very much alike.

import nmap                   # import the module
nm = nmap.PortScanner()       # create the scanner object

nm.scan('192.168.1.0/24', arguments='-sP')                              # target network and scan mode (ping scan; -sn is the current spelling of -sP)
hosts_list = [(x, nm[x]['status']['state']) for x in nm.all_hosts()]    # list of (host, state) tuples

for host, status in hosts_list:                                         # unpack each tuple into host and status
    print(host + " is " + status)                                       # print the scan result
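Both scanners above read their results out of the nested dictionaries that python-nmap builds from Nmap's XML output (the module always runs Nmap with "-oX -" and parses that). To make the shape of nm[host], nm[host]['status']['state'] and nm[host][proto][port]['state'] concrete without needing Nmap installed, here is an added example, not code from the original post or from python-nmap, that parses a small constructed sample of that XML into the same layout and then answers the two questions the port scanner and the host discovery scanner ask: which ports are open on a host, and which hosts are up. The sample XML, its addresses, ports and versions are all made up for the example, and the dictionary holds only a subset of the keys the real module stores.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the XML nmap writes with "-oX -" (two hosts, one with
# scanned ports). All values are invented for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 192.168.1.104 -p 1-1000 -sV" version="7.94">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.104" addrtype="ipv4"/>
<hostnames><hostname name="lab-web" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https"/></port>
</ports></host>
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.1" addrtype="ipv4"/><hostnames/>
</host>
<runstats><finished elapsed="3.21"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {'hostname': str, 'status': {...}, 'tcp': {port: {...}}, ...}},
    the same layout python-nmap exposes as nm[host] (a subset of its keys)."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                       # fall back to whatever address there is
            addr = host.find("address")
        status = host.find("status")
        hn = host.find("hostnames/hostname")
        entry = {
            "hostname": hn.get("name") if hn is not None else "",
            "status": {"state": status.get("state"), "reason": status.get("reason")},
        }
        for port in host.iter("port"):
            proto = port.get("protocol")      # 'tcp' or 'udp'
            state = port.find("state")
            svc = port.find("service")
            entry.setdefault(proto, {})[int(port.get("portid"))] = {
                "state": state.get("state"),
                "reason": state.get("reason"),
                "name": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            }
        results[addr.get("addr")] = entry
    return results


def open_ports(results, ip, proto="tcp"):
    """Sorted ports in state 'open' for one host (what the port scanner above prints)."""
    ports = results.get(ip, {}).get(proto, {})
    return sorted(p for p, info in ports.items() if info["state"] == "open")


def live_hosts(results):
    """Hosts whose status is 'up', in address order (what the host discovery scanner prints)."""
    return sorted((ip for ip, e in results.items() if e["status"]["state"] == "up"),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_XML)
    for ip in live_hosts(res):
        print("Host : %s (%s)  State : %s" % (ip, res[ip]["hostname"], res[ip]["status"]["state"]))
        for port in open_ports(res, ip):
            info = res[ip]["tcp"][port]
            print("port : %d\tstate : %s\t%s %s" % (port, info["state"], info["product"], info["version"]))
```

The second sample host has no <ports> element, which is what a -sP / -sn sweep produces: the host dictionary then carries only hostname and status, so code like the port scanner above must not assume 'tcp' is present. Hosts that are down are normally absent from the XML altogether unless Nmap runs with -v, which is why nm.all_hosts() after a ping scan mostly lists live hosts.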


Origin blog.csdn.net/qq_43573676/article/details/104085244