语法:
$ nmap [扫描类型] [选项] {扫描目标}点击复制复制失败已复制
这个工具非常之强大,具有非常多的功能和命名,本笔记仅展示常用功能。
常见扫描类型
- -sS, TCP SYN 扫描(半开扫描)
只向目标发出 SYN 数据包,如果收到 SYN/ACK 响应包就认为目标端口正在监听,并立即断开连接;否则认为目标端口并未开放。
- -sT,TCP 连接扫描
这是完整的 TCP 扫描方式,用来建立一个 TCP 连接,如果成功则认为目标端口正在监听服务,否则认为目标端口并未开放。
- -sF,TCP FIN 扫描
开放的端口会忽略这种数据包,关闭的端口会响应 RST 数据包。许多防火墙只对 SYN 数据包进行简单过滤,而忽略其他形式的 TCP 攻击包。这种类型的扫描可间接检测防火墙的健壮性。
- -sU,UDP 扫描
探测目标主机提供哪些 UDP 服务,UDP 扫描的速度会比较慢。
- -sP,ICMP 扫描
类似 ping 检测,快速判断目标主机是否存活的,不做其他扫描。
- -P0,跳过 ping 检测
这种方式认为所有的目标主机是存活的,当对方不响应 ICMP 请求时,使用这种方式可以避免因无法 ping 通而放弃扫描。
常用示例
- 快速扫描某主机
$ nmap xxx.xxx.xxx.xxx Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 18:23 CST Nmap scan report for xxx.xxx.xxx.xxx Host is up (0.038s latency). Not shown: 950 filtered ports, 44 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 6000/tcp open X11 6666/tcp open irc 7000/tcp open afs3-fileserver点击复制复制失败已复制
- 检测特定主机的某些端口
$ nmap xxx.xxx.xxx.xxx -p 80,443,1883 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 18:21 CST Nmap scan report for xxx.xxx.xxx.xxx Host is up (0.040s latency). PORT STATE SERVICE 80/tcp open http 443/tcp open https 1883/tcp open mqtt Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds点击复制复制失败已复制
- 指定端口范围
$ nmap xxx.xxx.xxx.xxx -p 1000-2000 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 18:23 CST Nmap scan report for xxx.xxx.xxx.xxx Host is up (0.048s latency). Not shown: 1000 filtered ports PORT STATE SERVICE 1883/tcp open mqtt Nmap done: 1 IP address (1 host up) scanned in 6.10 seconds点击复制复制失败已复制
- 检测 192.168.1.0/24 网段中哪些主机提供FTP服务
$ nmap -p 21 192.168.1.0/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 18:26 CST Nmap scan report for 192.168.1.1 Host is up (0.0078s latency). PORT STATE SERVICE 21/tcp open ftp点击复制复制失败已复制
- 快速检测192.168.3.0/24网段中有哪些存活主机(能 ping 通)
$ nmap -n -sP 192.168.3.0/24 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 18:27 CST Nmap scan report for 192.168.3.1 Host is up (0.0076s latency). Nmap scan report for 192.168.3.100 Host is up (0.044s latency). Nmap scan report for 192.168.3.105 Host is up (0.013s latency). Nmap scan report for 192.168.3.106 Host is up (0.012s latency). Nmap scan report for 192.168.3.108 Host is up (0.038s latency). Nmap scan report for 192.168.3.110 Host is up (0.013s latency). Nmap scan report for 192.168.3.111 Host is up (0.0026s latency). Nmap scan report for 192.168.3.114 Host is up (0.085s latency). Nmap scan report for 192.168.3.116 Host is up (0.000084s latency). Nmap scan report for 192.168.3.117 Host is up (0.12s latency). Nmap scan report for 192.168.3.118 Host is up (0.0054s latency). Nmap scan report for 192.168.3.119 Host is up (0.016s latency). Nmap scan report for 192.168.3.120 Host is up (0.0091s latency). Nmap scan report for 192.168.3.129 Host is up (0.0056s latency). Nmap scan report for 192.168.3.145 Host is up (0.0044s latency). Nmap done: 256 IP addresses (15 hosts up) scanned in 5.38 seconds点击复制复制失败已复制
- 检测IP地址位于192.168.0.1~200 的主机是否开启文件共享
$ nmap -p 139,445 192.168.0.1-200 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-03 19:04 CST Nmap scan report for 192.168.0.1 Host is up (0.0060s latency). PORT STATE SERVICE 139/tcp closed netbios-ssn 445/tcp closed microsoft-ds Nmap scan report for 192.168.0.102 Host is up (0.0032s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap scan report for 192.168.0.108 Host is up (0.0058s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap done: 200 IP addresses (3 hosts up) sca
