Linux distributions generally do not install nmap by default; install it with `yum -y install nmap`, provided your yum repositories are already configured.

nmap features:
Host discovery
Port scanning
Version detection
OS detection
Support for writing probe scripts

nmap command explained
nmap ip_address    # by default nmap sends an ARP ping packet, then probes the target host for all open ports in the 1-10000 range
```
[root@controller scanport]# nmap 10.132.71.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 10:20 CST
Nmap scan report for 10.132.71.1
Host is up (0.00030s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1031/tcp open  iad2
2638/tcp open  sybase
3389/tcp open  ms-wbt-server
6059/tcp open  X11:59
7001/tcp open  afs3-callback
8001/tcp open  vcom-tunnel
8089/tcp open  unknown
MAC Address: 5C:F3:FC:E4:81:40 (IBM)

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
[root@controller scanport]#
```
The -vv flag prints verbose output:
```
[root@controller scanport]# nmap -vv 10.132.71.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 10:21 CST
Initiating ARP Ping Scan at 10:21
Scanning 10.132.71.1 [1 port]
Completed ARP Ping Scan at 10:21, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:21
Completed Parallel DNS resolution of 1 host. at 10:21, 0.00s elapsed
Initiating SYN Stealth Scan at 10:21
Scanning 10.132.71.1 [1000 ports]
Discovered open port 21/tcp on 10.132.71.1
Discovered open port 139/tcp on 10.132.71.1
Discovered open port 3389/tcp on 10.132.71.1
Discovered open port 135/tcp on 10.132.71.1
Discovered open port 1029/tcp on 10.132.71.1
Discovered open port 1028/tcp on 10.132.71.1
Discovered open port 1031/tcp on 10.132.71.1
Discovered open port 8001/tcp on 10.132.71.1
Discovered open port 1027/tcp on 10.132.71.1
Discovered open port 7001/tcp on 10.132.71.1
Discovered open port 8089/tcp on 10.132.71.1
Discovered open port 6059/tcp on 10.132.71.1
Discovered open port 2638/tcp on 10.132.71.1
Completed SYN Stealth Scan at 10:21, 1.15s elapsed (1000 total ports)
Nmap scan report for 10.132.71.1
Host is up (0.00029s latency).
Scanned at 2017-11-17 10:21:43 CST for 2s
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1027/tcp open  IIS
1028/tcp open  unknown
1029/tcp open  ms-lsa
1031/tcp open  iad2
2638/tcp open  sybase
3389/tcp open  ms-wbt-server
6059/tcp open  X11:59
7001/tcp open  afs3-callback
8001/tcp open  vcom-tunnel
8089/tcp open  unknown
MAC Address: 5C:F3:FC:E4:81:40 (IBM)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds
           Raw packets sent: 1082 (47.592KB) | Rcvd: 1001 (40.080KB)
[root@controller scanport]#
```
-p selects the ports to scan.
For example, scan ports 1-200:
```
[root@controller scanport]# nmap -p1-200 10.128.71.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 10:26 CST
Nmap scan report for 10.128.71.1
Host is up (0.00030s latency).
Not shown: 197 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
MAC Address: 5C:F3:FC:E4:81:40 (IBM)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
[root@controller scanport]#
```
For example, scan a list of specific ports:
```
[root@controller scanport]# nmap -p135,136,137,139 10.128.71.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 10:28 CST
Nmap scan report for 10.128.71.1
Host is up (0.0045s latency).
PORT    STATE  SERVICE
135/tcp open   msrpc
136/tcp closed profile
137/tcp closed netbios-ns
139/tcp open   netbios-ssn
MAC Address: 5C:F3:FC:E4:81:40 (IBM)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
[root@controller scanport]#
```
-sP sets the scan type to ping (no port scan).
nmap -sP ip_address         # ping scan (no port scan)
nmap --traceroute ip_address    # trace the route to the target
nmap -sP xx.xx.xx.xx/24     # scan a whole subnet (ping scan)
nmap -sP 10.1.1.1-255       # another way to scan a subnet (ping scan)
nmap -sT ip_address         # TCP connect() port scan
nmap -sU ip_address         # UDP port scan
nmap -sS ip_address         # TCP SYN port scan
nmap 10.1.1.1/24            # scan a subnet with the default port scan; same result as the script below
```
#!/bin/bash
# Scan each host of the /24 in turn and append every report to scan.port;
# this is the long form of a single nmap <network>/24 run.
for i in {1..254}
do
    nmap 10.128.71.$i >> scan.port
done
```
Detecting the operating system with nmap
nmap -O ip_address    # OS detection
nmap -A ip_address    # aggressive scan: the default port scan plus ping scan, OS detection, script scan, traceroute, service detection, etc.
```
[root@controller scanport]# nmap -A 10.128.71.1

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 10:46 CST
Nmap scan report for 10.128.71.1
Host is up (0.00028s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 07-21-12  03:03AM       <DIR>          aspnet_client
| 11-17-17  07:35AM       <DIR>          download
|_12-13-12  10:31AM               105984 \xD2\xBD\xB1\xA3\xB2\xBF\xC3\xC5\xC8\xCB\xD4\xB1.xls
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
1027/tcp open  msrpc         Microsoft Windows RPC
1028/tcp open  msrpc         Microsoft Windows RPC
1029/tcp open  msrpc         Microsoft Windows RPC
1031/tcp open  tcpwrapped
2638/tcp open  sybase?
3389/tcp open  ms-wbt-server Microsoft Terminal Service
6059/tcp open  tcpwrapped
7001/tcp open  http          Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-generator: WebLogic Server
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404--Not Found
8001/tcp open  http          Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
|_http-generator: WebLogic Server
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: Error 404--Not Found
8089/tcp open  http          Microsoft IIS httpd 6.0
| http-methods: Potentially risky methods: TRACE DELETE COPY MOVE PROPFIND PROPPATCH SEARCH MKCOL LOCK UNLOCK PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 10.128.71.1 - /
MAC Address: 5C:F3:FC:E4:81:40 (IBM)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2
OS details: Microsoft Windows XP SP2
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: LD, NetBIOS user: <unknown>, NetBIOS MAC: 5c:f3:fc:e4:81:40 (IBM)
| smb-os-discovery:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   OS CPE: cpe:/o:microsoft:windows_server_2003::sp2
|   Computer name: LD
|   NetBIOS computer name: LD
|   Workgroup: WORKGROUP
|_  System time: 2017-11-17T10:50:02+08:00
| smb-security-mode:
|   Account that was used for smb scripts: <blank>
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.28 ms  10.128.71.1

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.36 seconds
[root@controller scanport]#
```
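As an added example that is not part of the original post, the following Python script parses the normal-output format shown in the port-table listings above and in the -A run, extracting the open ports with their service/version and flagging the script findings a defender would triage first (anonymous FTP, risky HTTP methods, SMB signing disabled, no SMBv2). The sample input is constructed from this page's own output; the regexes, labels and the function name `parse_report` are mine, not part of nmap.

```python
import re

# Constructed sample, trimmed from the nmap -A output shown on this page.
SAMPLE = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
135/tcp  open  msrpc         Microsoft Windows RPC
136/tcp  closed profile
1031/tcp open  tcpwrapped
8089/tcp open  http          Microsoft IIS httpd 6.0
| http-methods: Potentially risky methods: TRACE DELETE PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
Host script results:
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# Port-table rows: "<port>/<proto> <state> <service> [<version>]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# NSE script-output patterns worth triaging, each with a short label.
FLAGS = [
    (re.compile(r"Anonymous FTP login allowed"), "anonymous FTP"),
    (re.compile(r"Potentially risky methods"), "risky HTTP methods"),
    (re.compile(r"Message signing disabled"), "SMB signing disabled"),
    (re.compile(r"doesn't support SMBv2"), "no SMBv2 support"),
]


def parse_report(text):
    """Return (open_ports, findings) for one host's nmap normal output.

    open_ports maps "21/tcp" -> (service, version); findings is a list of
    (context, label), context being the port the script line belongs to,
    or "host" for the Host script results section.
    """
    open_ports, findings, ctx = {}, [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, svc, ver = m.groups()
            ctx = f"{port}/{proto}"  # later "|" lines belong to this port
            if state == "open":
                open_ports[ctx] = (svc, ver or "")
        elif line.startswith("Host script results"):
            ctx = "host"
        elif line.startswith("|"):  # NSE output for the current context
            findings.extend((ctx, lbl) for rx, lbl in FLAGS if rx.search(line))
    return open_ports, findings
```

Run over `nmap -oN` files from a recurring internal scan, the findings list is what changes between runs that an asset owner should be asked about.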
This article is reposted from lq2011's 51CTO blog; original link: http://blog.51cto.com/liuqun/1982726. To republish it, please contact the original author.