最基本的扫描

# nmap 192.168.0.149         
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

扫描活跃的主机 -sn

#nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)

扫描多台机器

#map 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT      STATE SERVICE
62078/tcp open  iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds

#map 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST
…

#nmap192.169.0.0/24 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds

使用ICMP对设备进行扫描

使用ICMP类似Ping的请求响应扫描 -PE

#nmap -PE 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

使用ICMP时间戳响应扫描 -PE

#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

使用ICMP使用ICMP掩码扫描 -PM

#nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

使用TCP对设备进行扫描

使用TCP SYN对设备进行扫描 - PS

nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

使用TCP ACK对设备进行扫描 -PA

#nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

使用UDP对设备进行扫描 -PU

UDP更简单，但是不如TCP方便，且慢。

#nmap -sn -PU 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

对端口进行扫描

端口种类

公有端口（WellKnow Port）：0-1024
注册端口（RegisteredPort）：1025-49,151
动态/私有端口（Dynamic/Private Port）：49,152-65,535

端口状态

Open：开放状态。nmap 发起两个 SYN 的请求，服务器上监听在此端口的进程会进行应答，会返回 SYN/ACK， nmap 收到服务端返还回来的应答后会发送两个 RST ，并不会和服务端建立通信连接，完成端口的探测。
Closed：关闭状态。nmap 发起两个 SYN 的请求，服务器上由于没有进程监听该端口，内核会返回 RST， nmap 收到服务端返还回来的 RST 报文，将探测结果定义为 closed 。
Filtered：过滤状态。这种情况是服务端将收到的 nmap SYN 报文直接丢弃，不进行应答，由于 nmap 直接发送了两个 SYN 报文，都没有收到应答，所以认定服务端开启了防火墙，将 SYN 报文丢弃。
Unfiltered：未过滤状态。nmap 默认进行的是 SYN 扫描，当用 -sA 选项（ TCP ACK 扫描），连续发送两个同样的 ACK 报文，由于 snmp 确认收到了一个服务端根本没有发送的报文，所以服务端会发送一个 RST 报文， snmp 收到服务端发送来的 RST 报文后，确认服务端没有对报文进行丢弃处理，注意本探测不能发现端口是开放还是关闭状态，只能确认探测的报文服务端已收到，并回复给了 snmp RST报文。
open|filtered：Open|filtered 开放或过滤状态。这种状态主要是nmap无法区别端口处于 open 状态还是 filtered 状态。这种状态长出现于UDP端口，参考后续 UDP 中的解释。
closed|filtered：关闭或者过滤状态。

扫描技术

SYN扫描 -sS

SNMP机器àSYNà机器

机器àSYN+ACKà SNMP机器

SNMP机器àRSTà机器（连接断开）

返回Open、Closed、filtered

#nmap -sS 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Connect扫描 -sT

完成3次握手

SNMP机器SYN机器

机器SYN+ACK SNMP机器

SNMP机器ACK机器（连接建立）

#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds

UDP扫描 -sU

返回Open Open|filtered,速度很慢，filtered可能是Open，可能是Closed

#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

扫描全部端口 -p "*"

#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1550/tcp open  3m-image-lm
1551/tcp open  hecmtl-db
1653/tcp open  alphatech-lm
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

扫描频率最高的n个端口 –top-ports n

# nmap -top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds

扫描指定端口 -p port

# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).
PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

扫描操作系统

Nmap扫描操作系统采用主动方式，15个探针，不能正确发现，仅做推测。

最基本的扫描 -O

# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds

尽对“具有Open和Closed的端口”进行扫描 -O --osscan-limit

# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds

猜测最接近目标端口的操作系统 -O --osscan-guest

需要root权限

# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds

nmap及其他扫描（上）