nmap and other scans (Part 1)


The most basic scan

With no options, nmap first checks that the host is up and then scans the 1000 most common TCP ports (a SYN scan when running as root, a connect scan otherwise). "Not shown: 999 closed tcp ports (reset)" means that 999 of those 1000 ports answered with a RST; only the open ones are listed.

# nmap 192.168.0.149         
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds


Scanning for live hosts: -sn

-sn performs host discovery only and skips the port scan. For targets on the local Ethernet segment the probe is an ARP request; for remote targets a root user sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, and any reply marks the host as up.

# nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)


Scanning multiple hosts

Several targets can be given on one command line: as a space-separated list, as an octet range (192.168.0.100-160) or in CIDR notation (192.168.0.0/24).

# nmap 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT      STATE SERVICE
62078/tcp open  iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds


# nmap 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST


# nmap 192.169.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds

Note that both of these commands target 192.169.0.x rather than the 192.168.0.x network used everywhere else on this page, which is why the /24 sweep reports 0 hosts up after 210 seconds; only the banner of the range scan is reproduced here.


Host discovery with ICMP


ICMP echo request (ping) discovery: -PE

The -P* options only change which discovery probe is sent; they do not suppress the port scan. That is why a port table still follows here: without -sn, nmap runs its default port scan against every host that answered the probe.

# nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

               

ICMP timestamp request discovery: -PP

# nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


ICMP address mask request discovery: -PM

Timestamp and address-mask requests are worth trying when a firewall drops echo requests but lets the other ICMP query types through.

# nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds


Host discovery with TCP


TCP SYN discovery: -PS

-PS sends a SYN to port 80 by default (-PS22,443 selects other ports). Either a SYN/ACK or a RST proves that the host is up, so the probed port does not need to be open.

# nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds


TCP ACK discovery: -PA

-PA sends a bare ACK, again to port 80 by default. A host that receives an ACK for a connection it knows nothing about replies with a RST, which counts as up. This can pass a stateless packet filter that only blocks incoming SYNs; combining -PS and -PA covers both cases.

# nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds


UDP discovery: -PU

UDP discovery is simpler (a single empty datagram, sent to port 40125 by default) but less dependable than the TCP probes, and slow because targets rate-limit the ICMP errors it depends on: a closed port answers with an ICMP port-unreachable message, which proves the host is up, while an open port or a firewall that drops the datagram gives no reply at all. Its value is reaching hosts behind filters that only inspect TCP.

# nmap -sn -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds


Port scanning


Port ranges

  • Well-known ports: 0-1023
  • Registered ports: 1024-49151
  • Dynamic/private ports: 49152-65535


Port states

  • open: nmap sends a SYN; a process is listening, so the target answers with SYN/ACK. nmap replies with a RST instead of the final ACK, so no full connection is ever established. (The probe is retransmitted when a reply is lost, which is why two SYNs are often visible in a packet capture.)
  • closed: nmap sends a SYN; nothing is listening, so the target kernel answers with a RST, which nmap records as closed.
  • filtered: the SYN is dropped silently. After the retransmissions also go unanswered, nmap concludes that a firewall or packet filter discarded the probe. An ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13) also yields filtered.
  • unfiltered: only produced by the ACK scan (-sA). nmap sends a bare ACK; since it belongs to no known connection, the target answers with a RST. That proves the probe reached the host and was not filtered, but it says nothing about whether the port is open or closed.
  • open|filtered: nmap cannot tell open from filtered because the probe drew no response at all. This is the usual result of a UDP scan (see -sU below) and of the NULL, FIN and Xmas scans.
  • closed|filtered: nmap cannot tell closed from filtered; this state is only reported by the idle scan (-sI).
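
The inference rules above, as an added example in Python (not nmap's code): a simulated target answers SYN, ACK and UDP probes, and the classifier applies nmap's response-to-state mapping, including the ICMP unreachable codes that nmap treats as filtered and the retransmissions that precede a no-response verdict. The simulated target, its port layout and the retry count of 2 are assumptions chosen for illustration; the behaviour of UDP port 137 (answering) versus 161 (silent) mirrors why only 137/udp showed as open in the -sU scan further down this page.

```python
"""Port-state inference for nmap-style SYN (-sS), ACK (-sA) and UDP (-sU) probes.

Added example, not nmap's own code. The mapping from responses to states
follows the nmap reference guide; the simulated target below is constructed
for illustration and is not a real host.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# ICMP destination-unreachable (type 3) codes that nmap reads as a filter
# rather than as a plain "port closed": net/host/proto unreachable and the
# administratively-prohibited family.
ICMP_FILTER_CODES = {1, 2, 3, 9, 10, 13}   # for TCP probes
UDP_FILTER_CODES = {1, 2, 9, 10, 13}       # for UDP probes, code 3 means closed


@dataclass(frozen=True)
class Response:
    kind: str              # "tcp", "udp" or "icmp"
    flags: str = ""        # TCP flags as letters, e.g. "SA" or "R"
    icmp_type: int = 0
    icmp_code: int = 0


# A responder models the target: (scan, port) -> response, or None if dropped.
Responder = Callable[[str, int], Optional[Response]]


def classify(scan: str, resp: Optional[Response]) -> str:
    """Map a single response (or the absence of one) to an nmap port state."""
    icmp_unreach = resp is not None and resp.kind == "icmp" and resp.icmp_type == 3
    if scan == "syn":
        if resp is None:
            return "filtered"
        if resp.kind == "tcp" and "S" in resp.flags and "A" in resp.flags:
            return "open"
        if resp.kind == "tcp" and "R" in resp.flags:
            return "closed"
        if icmp_unreach and resp.icmp_code in ICMP_FILTER_CODES:
            return "filtered"
    elif scan == "ack":
        if resp is None:
            return "filtered"
        if resp.kind == "tcp" and "R" in resp.flags:
            return "unfiltered"        # reached the host, but open/closed unknown
        if icmp_unreach and resp.icmp_code in ICMP_FILTER_CODES:
            return "filtered"
    elif scan == "udp":
        if resp is None:
            return "open|filtered"      # silent service or dropped probe
        if resp.kind == "udp":
            return "open"
        if icmp_unreach and resp.icmp_code == 3:
            return "closed"
        if icmp_unreach and resp.icmp_code in UDP_FILTER_CODES:
            return "filtered"
    raise ValueError(f"unexpected response {resp!r} for {scan} scan")


def probe(scan: str, target: Responder, port: int, retries: int = 2) -> Tuple[str, int]:
    """Send a probe, retransmitting on silence; return (state, probes_sent)."""
    sent = 0
    for _ in range(1 + retries):
        sent += 1
        resp = target(scan, port)
        if resp is not None:
            return classify(scan, resp), sent
    return classify(scan, None), sent


def make_target(open_tcp, open_udp, talkative_udp, dropped, admin_prohibited):
    """Constructed target: sets of ports with the listed behaviours."""
    def respond(scan: str, port: int) -> Optional[Response]:
        if port in dropped:                       # firewall DROP rule: silence
            return None
        if port in admin_prohibited:              # firewall REJECT with ICMP admin-prohibited
            return Response("icmp", icmp_type=3, icmp_code=13)
        if scan in ("syn", "ack"):
            if scan == "ack" or port not in open_tcp:
                return Response("tcp", "R")       # RST: closed port, or any port for a bare ACK
            return Response("tcp", "SA")
        if scan == "udp":
            if port in open_udp:
                # most UDP services ignore an empty datagram; only some answer
                return Response("udp") if port in talkative_udp else None
            return Response("icmp", icmp_type=3, icmp_code=3)   # port unreachable
        raise ValueError(scan)
    return respond


# Constructed layout loosely modelled on the Windows host scanned on this page.
TARGET = make_target(
    open_tcp={80, 139, 445, 1433},
    open_udp={137, 161},
    talkative_udp={137},          # NetBIOS name service answers nmap's probe; SNMP stays silent
    dropped={8080},
    admin_prohibited={22},
)

if __name__ == "__main__":
    for scan, port in [("syn", 80), ("syn", 8080), ("syn", 22), ("ack", 3389),
                       ("udp", 137), ("udp", 161), ("udp", 9)]:
        state, sent = probe(scan, TARGET, port)
        print(f"{scan:4s} {port:5d} -> {state:14s} ({sent} probe(s))")
```

The probe counter makes the cost of filtering visible: every filtered or open|filtered verdict costs all retransmissions plus their timeouts, which is exactly why scans against a dropping firewall, and UDP scans in general, take so much longer than scans of hosts that answer with RSTs.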


Scan techniques

SYN scan: -sS

nmap host → SYN → target

target → SYN/ACK → nmap host

nmap host → RST → target (connection torn down before it is established)

Possible results: open, closed, filtered. -sS needs raw-socket privileges (root) and is the default scan type when nmap has them. Because the handshake is never completed, the listening application does not see a connection and usually does not log it.


# nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Connect scan: -sT

Completes the full three-way handshake through the operating system's connect() call, so it needs no raw sockets and no root privileges.

nmap host → SYN → target

target → SYN/ACK → nmap host

nmap host → ACK → target (connection established, then closed)

Because the connection is fully established, the listening application accepts it and can log the scanner's address. Note also that the reason string for closed ports changes from (reset) to (conn-refused): the state now comes from the socket error rather than from the raw RST packet.

#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
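
The connect scan described above, as an added Python example (not nmap's code): the probe relies only on the result of the operating system's connect() call, which is all an unprivileged scanner has. A completed connection means open, ECONNREFUSED (the target's RST turned into a socket error) means closed, and a timeout or an unreachable error derived from an ICMP message means filtered. The loopback fixture that creates one listening and one known-closed port is constructed for the demonstration; the timeout and the thread count are assumptions.

```python
"""Unprivileged connect()-based TCP port probe, the mechanism behind nmap -sT.

Added example, not nmap's code. Works without root because the kernel completes
the three-way handshake; the cost is that the target application sees (and may
log) a real connection.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))           # full handshake succeeded
        return "open"
    except socket.timeout:
        return "filtered"                 # SYN (or SYN/ACK) silently dropped
    except ConnectionRefusedError:
        return "closed"                   # target kernel answered with RST
    except OSError as exc:
        # ICMP unreachable errors surface as these errnos; nmap reports them as filtered.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 1.0,
                 workers: int = 32) -> Dict[int, str]:
    """Probe several ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(ports, pool.map(lambda p: connect_probe(host, p, timeout), ports)))


def loopback_fixture() -> Tuple[socket.socket, int, int]:
    """Constructed test bed: one listening loopback port and one known-closed port.

    Returns (listener, open_port, closed_port); close the listener when done.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Bind a second ephemeral port only to learn a number that is currently
    # free, then release it: connecting there now yields ECONNREFUSED.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return listener, open_port, closed_port


if __name__ == "__main__":
    listener, open_port, closed_port = loopback_fixture()
    try:
        result = connect_scan("127.0.0.1", [open_port, closed_port])
        for port, state in sorted(result.items()):
            print(f"{port}/tcp {state}")
    finally:
        listener.close()
```

The listener never calls accept(), yet the probe still reports open: the kernel finishes the handshake on the application's behalf, which is the same reason a connect scan shows up in the target's connection logs while a SYN scan usually does not.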


UDP scan: -sU

Returns open, closed, filtered or open|filtered, and is very slow. An ICMP port-unreachable reply (type 3, code 3) gives closed; other ICMP unreachable errors give filtered; a UDP reply gives open; no reply at all gives open|filtered, because a listening service that ignores the probe is indistinguishable from a firewall dropping it. Most of the 1000 probed ports therefore end up open|filtered, as below. Requires root.

#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds


Scan every port that has a name in nmap-services: -p "*"

The quotes keep the shell from expanding the asterisk. This is not a full 65535-port scan: a port wildcard matches service names, so only ports listed in nmap-services are probed, which is why just 8351 TCP ports (8330 closed plus the 21 open ones) were checked here. Use -p- (or -p 1-65535) to scan every port.

#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1550/tcp open  3m-image-lm
1551/tcp open  hecmtl-db
1653/tcp open  alphatech-lm
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Scan the n most common ports: --top-ports n

"Most common" is the open-frequency ranking in nmap-services. In the command below the stray argument "8100" was accepted as a second target, which is why the summary line reports 2 IP addresses; the intended form is nmap --top-ports 10 192.168.0.106.

# nmap --top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds


Scan specific ports: -p port (comma lists and ranges such as -p 22,80,8000-8100 are accepted)

# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds


OS detection

Nmap OS detection is active: it sends up to 16 TCP, UDP and ICMP probes to the target and matches the responses (TCP initial sequence numbers, window sizes, IP ID behaviour, option ordering and so on) against the nmap-os-db fingerprint database. It cannot positively identify the system; the output is a best guess with a confidence percentage, and accuracy drops when no open-and-closed TCP port pair is available, as the "test conditions non-ideal" line below shows.


Basic OS detection: -O (requires root)

# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds


Only fingerprint hosts that have at least one open and one closed port: -O --osscan-limit

--osscan-limit skips OS detection for hosts without both an open and a closed TCP port, which saves time on large sweeps where such hosts would only produce weak guesses anyway.

# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds


Guess more aggressively when there is no exact match: -O --osscan-guess

--osscan-guess (alias --fuzzy) makes nmap report near matches that it would otherwise hold back; treat these with even more caution than the normal output. OS detection needs root privileges in every mode, because the probes are raw packets.

# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds
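
To use scan results operationally, nmap's XML output (-oX) is far easier to consume than the text shown above. Below is an added Python example (not nmap's code) that parses the per-host port table and the osmatch entries, then flags open ports that are not in an expected baseline, the check a defender runs after each sweep to catch a newly exposed service such as a database listener. The XML sample is constructed by hand to mirror the 192.168.0.106 results on this page (real nmap output carries more elements and attributes, which the parser ignores); the baseline of allowed ports is an assumption.

```python
"""Parse nmap -oX output and flag open ports outside an expected baseline.

Added example, not nmap's code. SAMPLE_XML is constructed for the demonstration
and modelled on the 192.168.0.106 results; it is not a captured file.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -O -oX - 192.168.0.106" version="7.92">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.106" addrtype="ipv4"/>
<address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
<ports>
<extraports state="closed" count="987"><extrareasons reason="reset" count="987"/></extraports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table"/></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s" method="table"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql" method="table"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server" method="table"/></port>
</ports>
<os>
<osmatch name="Microsoft Windows 10 1709 - 1803" accuracy="96"/>
<osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="93"/>
</os>
</host>
<runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Return one record per live host: address, MAC, ports and best OS guess."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a for a in host.findall("address")}
        ports = []
        for p in host.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason") if state is not None else "",
                "service": svc.get("name") if svc is not None else "",
            })
        # osmatch elements are ordered by accuracy; the first is the best guess
        best: Optional[Dict] = None
        matches = host.findall("os/osmatch")
        if matches:
            best = {"name": matches[0].get("name"),
                    "accuracy": int(matches[0].get("accuracy", "0"))}
        hosts.append({
            "addr": addrs["ipv4"].get("addr") if "ipv4" in addrs else None,
            "mac": addrs["mac"].get("addr") if "mac" in addrs else None,
            "vendor": addrs["mac"].get("vendor") if "mac" in addrs else None,
            "ports": ports,
            "os": best,
        })
    return hosts


def open_tcp_ports(record: Dict) -> Set[int]:
    return {p["port"] for p in record["ports"]
            if p["proto"] == "tcp" and p["state"] == "open"}


def unexpected_exposures(hosts: List[Dict], baseline: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Open TCP ports per host that the baseline does not allow.

    A host absent from the baseline is treated as allowing nothing, so every
    open port on an unknown host is reported.
    """
    findings = {}
    for rec in hosts:
        allowed = baseline.get(rec["addr"], set())
        extra = open_tcp_ports(rec) - allowed
        if extra:
            findings[rec["addr"]] = extra
    return findings


# Assumed baseline: only the web ports are supposed to be reachable on this host.
BASELINE = {"192.168.0.106": {80, 443}}

if __name__ == "__main__":
    for addr, ports in unexpected_exposures(parse_nmap_xml(SAMPLE_XML), BASELINE).items():
        print(f"{addr}: unexpected open ports {sorted(ports)}")
```

For a real run, produce the file with nmap -sS -O -oX scan.xml <targets> and pass its contents to parse_nmap_xml(). With the assumed baseline, the sample yields 445, 1433 and 3306 as unexpected exposures: SMB and two database listeners reachable from the scanning segment, which is what the port lists earlier on this page show for that host.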