I. Introduction to Nmap
- 192.168.0.100 – server1.tecmint.com
- 192.168.0.101 – server2.tecmint.com
Nmap syntax:
nmap [Scan Type(s)] [Options] {target specification}
II. Common Nmap operations
1: Ping-sweep a whole range of hosts
[root@localhost ~]# nmap -sP 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0040s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0036s latency).
Nmap scan report for 192.168.1.4
Host is up (0.0042s latency).
Nmap scan report for 192.168.1.5
2: Only list every host on the specified network, without sending any packets to the target hosts (stealthy reconnaissance)
[root@localhost ~]# nmap -sL 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
3: Probe the target host's open ports; a comma-separated list of ports can be given (e.g. -PS22,23,25,80)
[root@localhost ~]# nmap -PS 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST
Nmap scan report for 220.181.111.188
Host is up (0.0043s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds
4: Discover hosts with a UDP ping
[root@localhost ~]# nmap -PU 192.168.1.1
[root@localhost ~]# nmap -PU 192.168.1.0/24
5: SYN half-open scan
[root@localhost ~]# nmap -sS 220.181.111.188
[root@localhost ~]# nmap -sS 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST
Nmap scan report for 220.181.111.188
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.56 seconds
6: TCP (connect) scan
[root@localhost ~]# nmap -sT 220.181.111.188
[root@localhost ~]# nmap -sT 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST
Nmap scan report for 220.181.111.188
Host is up (0.0044s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.24 seconds
7: UDP scan
[root@localhost ~]# nmap -sU 220.181.111.188
[root@localhost ~]# nmap -sU 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST
Nmap scan report for 220.181.111.188
Host is up (0.0039s latency).
Not shown: 999 open|filtered ports
PORT    STATE    SERVICE
161/udp filtered snmp

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
8: Probe which IP protocols the target host supports
[root@localhost ~]# nmap -sO 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST
Nmap scan report for 220.181.111.188
Host is up (0.0054s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp

Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds
9: Detect the target host's operating system
[root@localhost ~]# nmap -O 220.181.111.188
[root@localhost ~]# nmap -A 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST
Nmap scan report for 220.181.111.188
Host is up (0.0050s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds
10: Scan a system by hostname and by IP address
Nmap offers several ways to scan a system. In this example I use the hostname server2.tecmint.com to scan the system and find all of its open ports, services and its MAC address.
a) Scan a system by hostname
[root@server1 ~]# nmap server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
You have new mail in /var/spool/mail/root
b) Scan a system by IP address
[root@server1 ~]# nmap 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
You have new mail in /var/spool/mail/root
11: Scan with the -v option
As you can see below, once the "-v" (verbose) option is used the command gives more detailed information about the remote machine.
[root@server1 ~]# nmap -v server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Discovered open port 8888/tcp on 192.168.0.101
Discovered open port 111/tcp on 192.168.0.101
Discovered open port 3306/tcp on 192.168.0.101
Discovered open port 957/tcp on 192.168.0.101
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
12: Scan multiple hosts
Simply add several IP addresses or hostnames after the nmap command to scan multiple hosts.
[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds
13: Scan an entire subnet
Use the * wildcard to scan a whole subnet or a range of IP addresses.
[root@server1 ~]# nmap 192.168.0.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
14: Scan multiple servers using the last byte of the IP address
Simply list the last byte of each IP address to scan several addresses at once. For example, in the run below I scanned 192.168.0.101, 192.168.0.102 and 192.168.0.103.
[root@server1 ~]# nmap 192.168.0.101,102,103

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
15: Scan a list of hosts from a file
If you have many hosts to scan and all of them are listed in a file, you can have nmap read that file directly and scan them. Let's see how that is done.
Create a text file named "nmaptest.txt" and list the IP addresses or hostnames of all the servers you want to scan.
[root@server1 ~]# cat > nmaptest.txt
localhost
server2.tecmint.com
192.168.0.101
Next, run nmap with the "-iL" option to scan every address listed in the file.
[root@server1 ~]# nmap -iL nmaptest.txt

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
857/tcp open  unknown

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds
16: Scan a range of IP addresses
Scan a range of IP addresses, given as a range in the last octet (101-110 below).
[root@server1 ~]# nmap 192.168.0.101-110

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds
17: Exclude some remote hosts from the scan
When scanning a whole network or using wildcards, you can use the "--exclude" option to leave out hosts you do not want to scan.
[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
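Sections 13, 14, 16 and 17 each use a different way of writing the target list (wildcard, comma list, hyphen range, --exclude). The shell function below is an added example, not part of the original post: it expands those last-octet forms into the concrete address list, so you can count and review exactly which hosts a target expression covers before any scan is run. The function name expand_targets and its two-argument interface are assumptions of this example; it handles only the last octet, whereas nmap itself accepts these forms in every octet.

```shell
#!/bin/sh
# Added example (not from the original post): expand the target expressions
# used in sections 13, 14, 16 and 17 into one IP address per line.
#
#   expand_targets '192.168.0.*'                   # wildcard (section 13)
#   expand_targets 192.168.0.101,102,103           # comma list (section 14)
#   expand_targets 192.168.0.101-110               # range (section 16)
#   expand_targets '192.168.0.*' 192.168.0.100     # with an exclusion (section 17)
#
# Quote the wildcard form so the shell does not glob it.
# Only the last octet is expanded here; this is a deliberate simplification.
expand_targets() {
  # $1 = target expression, $2 = optional comma-separated list of addresses to exclude
  prefix=${1%.*}     # everything before the last dot, e.g. 192.168.0
  spec=${1##*.}      # the last-octet expression, e.g. 101-110
  [ "$spec" = "*" ] && spec="0-255"

  # Split the comma list, expand each element (a single number or a lo-hi range)...
  printf '%s\n' "$spec" | tr ',' '\n' | while IFS= read -r part; do
    case $part in
      *-*) lo=${part%-*}; hi=${part#*-} ;;
      *)   lo=$part; hi=$part ;;
    esac
    i=$lo
    while [ "$i" -le "$hi" ]; do
      printf '%s.%s\n' "$prefix" "$i"
      i=$((i + 1))
    done
  done | awk -v ex="${2:-}" '
    # ...then drop any address that appears in the exclusion list.
    BEGIN { n = split(ex, a, ","); for (k = 1; k <= n; k++) skip[a[k]] = 1 }
    !($0 in skip)'
}

# Stand-alone usage: the section 17 expression covers 255 addresses once
# 192.168.0.100 is excluded, which matches the "255 IP addresses" in its output.
expand_targets '192.168.0.*' 192.168.0.100 | wc -l
```

Piping the expanded list through wc -l is a quick sanity check that the expression covers the number of addresses you intended and that every excluded host is really gone; nmap's own -sL option (section 2) does the same job for the full target syntax.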
18: Scan for OS information and traceroute
With Nmap you can detect the operating system and version running on a remote host. To enable OS and version detection, script scanning and traceroute, use Nmap's "-A" option.
[root@server1 ~]# nmap -A 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http           Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind        2 (rpc #100000)
957/tcp  open  status         1 (rpc #100024)
3306/tcp open  mysql          MySQL (unauthorized)
8888/tcp open  http           lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)

Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds
As the output above shows, Nmap prints the TCP/IP fingerprint of the remote host's operating system and gives more specific detail about the ports and services on the remote host.
19: Enable Nmap's OS detection
The options "-O" and "--osscan-guess" also help to discover the operating system.
[root@server1 ~]# nmap -O server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)

Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
20:掃描主機并偵測防火墻
Scan a remote host to find out whether it sits behind a packet filter or firewall.
[root@server1 ~]# nmap -sA 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
21: Scan a host to check whether it is protected by a firewall
Scan a host to check whether it is protected by packet-filtering software or a firewall.
[root@server1 ~]# nmap -PN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds
22: Find the live hosts on a network
With the "-sP" option we can simply check which hosts on the network are up; the option skips port scanning and the other checks.
[root@server1 ~]# nmap -sP 192.168.0.*

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds
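The host-discovery output in sections 1 and 22 is most useful on the defending side when it is compared against what is supposed to be on the segment. The script below is an added example, not part of the original post: it parses both output formats shown on the page (the Nmap 4.11 "Host ... appears to be up." lines and the Nmap 6.40 "Nmap scan report for ..." / "Host is up" pairs) and reports any responding address that is missing from an inventory list. The sample outputs are constructed from the outputs above, and the names live_hosts, unknown_hosts and INVENTORY are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): turn "nmap -sP" output into a
# list of live IPs and flag the ones that are not in the known inventory.

# Constructed sample, modelled on the section 22 output (Nmap 4.11 format).
SAMPLE_SP_411='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds'

# Constructed sample, modelled on the section 1 output (Nmap 6.40 format),
# with one host that resolved to a name.
SAMPLE_SP_640='Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for 192.168.1.1
Host is up (0.0043s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0040s latency).
Nmap scan report for gw.example.test (192.168.1.3)
Host is up (0.0036s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.12 seconds'

# Constructed inventory: the addresses that are expected to answer on these segments.
INVENTORY='192.168.0.100 192.168.0.101 192.168.1.1'

# live_hosts: read nmap -sP output on stdin, print one live IP per line.
live_hosts() {
  awk '
    # Nmap 4.x: "Host NAME (IP) appears to be up." or "Host IP appears to be up."
    /^Host .* appears to be up/ {
      ip = $2
      if ($3 ~ /^\(/) { ip = $3; gsub(/[()]/, "", ip) }
      print ip
      next
    }
    # Nmap 6.x: "Nmap scan report for NAME (IP)" followed by a "Host is up" line.
    /^Nmap scan report for / {
      pending = $NF
      gsub(/[()]/, "", pending)
      next
    }
    /^Host is up/ && pending != "" {
      print pending
      pending = ""
    }
  '
}

# unknown_hosts: live IPs that do not appear in INVENTORY (candidate rogue devices).
unknown_hosts() {
  live_hosts | awk -v inv="$INVENTORY" '
    BEGIN { n = split(inv, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    !($1 in known)
  '
}

# Stand-alone usage: prints 192.168.1.2 and 192.168.1.3, the two unexpected hosts.
printf '%s\n' "$SAMPLE_SP_640" | unknown_hosts
```

In practice the sample variables are replaced by the saved output of a scheduled sweep (nmap -sP ... > sweep.txt; unknown_hosts < sweep.txt), and a non-empty result is the signal to investigate.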
23: Perform a fast scan
You can perform a fast scan with the "-F" option, which scans only the ports listed in the nmap-services file and skips all others.
[root@server1 ~]# nmap -F 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds
24: Scan ports in sequential order
The "-r" option tells nmap not to randomize the order in which ports are scanned.
[root@server1 ~]# nmap -r 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds
25: Print host interfaces and routes
You can use nmap's "--iflist" option to list the host's interfaces and routing information.
[root@server1 ~]# nmap --iflist

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)    127.0.0.1/8      loopback up
eth0 (eth0)  192.168.0.100/24 ethernet up 08:00:27:11:C7:89

**************************ROUTES**************************
DST/MASK      DEV  GATEWAY
192.168.0.0/0 eth0
169.254.0.0/0 eth0
As the output above shows, nmap lists the interfaces on your system along with their routes.
26: Scan a specific port
Nmap offers various options for scanning a remote machine's ports; use the "-p" option to specify the port you want to scan. By default nmap scans only TCP ports.
[root@server1 ~]# nmap -p 80 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) sca
26: Scan TCP ports
Specify the port type and port number for nmap to scan.
[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
80/tcp   open  http
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
27: Scan UDP ports
[root@server1 ~]# nmap -sU -p 53 server2.tecmint.com

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
53/udp   open  http
8888/udp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds
28: Scan multiple ports
Use the "-p" option with a comma-separated list to scan multiple ports.
[root@server1 ~]# nmap -p 80,443 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds
29: Scan a range of ports
Use a range expression to scan all ports within a given range.
[root@server1 ~]# nmap -p 80-160 192.168.0.101
30: Find the version of the services on a host
[root@server1 ~]# nmap -sV 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http           Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind        2 (rpc #100000)
957/tcp  open  status         1 (rpc #100024)
3306/tcp open  mysql          MySQL (unauthorized)
8888/tcp open  http           lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds
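The port tables printed in sections 10, 18 and 30 are the raw material for an exposure check: which open services does this host have that it is not supposed to have? The script below is an added example, not part of the original post. It parses the "PORT STATE SERVICE [VERSION]" table of nmap's normal output into tab-separated records (host, port, protocol, state, service, version) and lists every open port that is missing from an expected baseline, version string included, so that something like an exposed MySQL or a second web server stands out. The sample output is constructed from the section 30 output above; port_table, unexpected_open and BASELINE_101 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): parse the port table from nmap's
# normal output and compare open ports against an expected baseline.

# Constructed sample, modelled on the "nmap -sV 192.168.0.101" output in section 30.
SAMPLE_SV='Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http           Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind        2 (rpc #100000)
957/tcp  open  status         1 (rpc #100024)
3306/tcp open  mysql          MySQL (unauthorized)
8888/tcp open  http           lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds'

# Constructed baseline: the ports this host is expected to expose, as "port/proto".
BASELINE_101='22/tcp 80/tcp 111/tcp'

TAB="$(printf '\t')"

# port_table: read nmap normal output on stdin and emit one tab-separated record
# per port line: host, port, proto, state, service, version (version may be empty,
# as in the section 10 output, which has no VERSION column).
# Understands both host headers seen on the page: the Nmap 4.x
# "Interesting ports on NAME (IP):" and the Nmap 6.x "Nmap scan report for NAME (IP)".
port_table() {
  awk '
    /^Interesting ports on / || /^Nmap scan report for / {
      host = $NF; sub(/:$/, "", host); gsub(/[()]/, "", host); next
    }
    /^[0-9]+\/(tcp|udp) / {
      split($1, pp, "/")
      version = ""
      for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", host, pp[1], pp[2], $2, $3, version
    }
  '
}

# unexpected_open: open ports from port_table that are not in BASELINE_101.
# Ports reported as closed, filtered or open|filtered are not flagged.
unexpected_open() {
  port_table | awk -F "$TAB" -v base="$BASELINE_101" '
    BEGIN { n = split(base, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $4 == "open" && !(($2 "/" $3) in ok) { print $1 ":" $2 "/" $3 " " $5 " " $6 }
  '
}

# Stand-alone usage: flags 957/tcp (rpc status), 3306/tcp (MySQL) and 8888/tcp (lighttpd).
printf '%s\n' "$SAMPLE_SV" | unexpected_open
```

Feeding a saved scan into it (nmap -sV host > scan.txt; unexpected_open < scan.txt) gives a short, reviewable list of services that drifted from the baseline; keeping the version column in the output means the same list also shows which software is answering on each unexpected port.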
31: Scan remote hosts with TCP ACK (PA) and TCP SYN (PS)
Sometimes a packet-filtering firewall blocks standard ICMP ping requests; in that case we can use the TCP ACK and TCP SYN methods to scan remote hosts.
[root@server1 ~]# nmap -PS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds
32: Scan specific ports on a remote host with TCP ACK
[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds
33: Scan specific ports on a remote host with TCP SYN
[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds
34: Perform a stealth scan
[root@server1 ~]# nmap -sS 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
35: Perform a TCP Null scan to evade the firewall
[root@server1 ~]# nmap -sN 192.168.0.101

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
957/tcp  open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
References:
http://www.cnblogs.com/hongfei
https://baike.baidu.com/item/nmap/1400075?fr=aladdin