NMAP 基础扫描

· Frytea · 5 分钟 · 技术笔记
NMAP 基础扫描

以下几个示例带领你快速了解nmap的基本扫描方法,更多详情请查阅nmap手册。

1、Nmap 简单扫描

$ nmap <target ip address>
$ nmap 192.168.41.41

直接指定需要扫描的主机IP开始扫描,返回详细描述。

2、Nmap 扫描并输出详细信息

$ nmap <target ip address> -vv
$ nmap 192.168.41.41 -vv

3、Nmap 指定端口范围扫描

$ nmap -p(range) <target IP>
# (rangge)为要扫描的端口(范围),端口大小不能超过65535

# nmap 192.168.41.41 -p1-50
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:37 CST
Nmap scan report for bogon (192.168.41.41)
Host is up (0.0038s latency).
Not shown: 46 closed ports
PORT   STATE    SERVICE
5/tcp  filtered rje
21/tcp filtered ftp
23/tcp open     telnet
27/tcp filtered nsw-fe
MAC Address: 00:11:22:33:44:41 (Cimsys)

Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds

4、Nmap 指定端口扫描

$ nmap -p(port1,port2,port3,...) <target ip> 

$ nmap -p23 192.168.41.41
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:44 CST
Nmap scan report for bogon (192.168.41.41)
Host is up (0.0083s latency).

PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:11:22:33:44:41 (Cimsys)

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

5、Nmap Ping 扫描

$ nmap -sP <target ip> 
$ nmap -sP 192.168.41.41
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:45 CST
Nmap scan report for bogon (192.168.41.41)
Host is up (0.0064s latency).
MAC Address: 00:11:22:33:44:41 (Cimsys)
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

6、Nmap路由跟踪

$ nmap --traceroute <target ip> 
$  nmap --traceroute 119.29.29.29
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:50 CST
Nmap scan report for pdns.dnspod.cn (119.29.29.29)
Host is up (0.019s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   1.99 ms  bogon (192.168.6.1)
2   2.71 ms  bogon (192.168.169.9)
3   2.71 ms  bogon (192.168.169.1)
4   19.82 ms hn.kd.ny.adsl (123.14.80.1)
5   4.74 ms  hn.kd.ny.adsl (125.40.240.77)
6   6.17 ms  pc93.zz.ha.cn (61.168.37.93)
7   ... 8
9   44.19 ms no-data (125.39.198.178)
10  ... 19
20  19.46 ms pdns.dnspod.cn (119.29.29.29)

Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds

7 Nmap 扫描某网段IP

$ nmap -sP <network address > </CIDR >
$ nmap -sP 192.168.8.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:53 CST
Nmap scan report for bogon (192.168.8.129)
Host is up (0.00084s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 19.87 seconds

8、Nmap 探测操作系统类别

$ nmap -O <target ip> 
$  nmap -O 119.29.29.29
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 16:59 CST
Nmap scan report for pdns.dnspod.cn (119.29.29.29)
Host is up (0.021s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|media device|WAP
Running (JUST GUESSING): Linux 2.6.X|3.X (88%), Hikvision embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.10 cpe:/h:hikvision:ds-7600 cpe:/o:linux:linux_kernel:3.0 cpe:/o:linux:linux_kernel:3.10
Aggressive OS guesses: HIKVISION DS-7600 Linux Embedded NVR (Linux 2.6.10) (88%), Linux 3.0 (88%), DD-WRT v24-sp2 (Linux 3.10) (87%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

9、Nmap 万能扫描

此选项设置包含了1-10000的端口ping扫描,操作系统扫描,脚本扫描,路由跟踪,服务探测。

命令语法:

$ nmap -A <target ip>
$ nmap -A 119.29.29.29
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 17:08 CST
Nmap scan report for pdns.dnspod.cn (119.29.29.29)
Host is up (0.020s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND 9.11.3
| dns-nsid:
|_  bind.version: 9.11.3
80/tcp open  http    Http Server
| fingerprint-strings:
|   FourOhFourRequest, GetRequest:
|     HTTP/1.0 404 Not Found
|     Connection: close
|     Server: Http Server
|     Content-Type: text/html
|     Content-Length: 174
|     <html>
|     <head><title>Server error message</title></head>
|     <body>
|     <h1>Error 404: Not Found</h1>
|     request could not be completed because:
|     Document not found!
|     </body>
|_    </html>
|_http-server-header: Http Server
|_http-title: Server error message
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=1/26%Time=600FDC05%P=x86_64-redhat-linux-gnu%r(
SF:GetRequest,11E,"HTTP/1\.0\x20404\x20Not\x20Found\r\nConnection:\x20clos
SF:e\r\nServer:\x20Http\x20Server\r\nContent-Type:\x20text/html\r\nContent
SF:-Length:\x20174\r\n\r\n<html>\n<head><title>Server\x20error\x20message<
SF:/title></head>\n<body>\n<h1>Error\x20404:\x20Not\x20Found</h1>\nThe\x20
SF:request\x20could\x20not\x20be\x20completed\x20because:\n\x20Document\x2
SF:0not\x20found!\n</body>\n</html>\n")%r(FourOhFourRequest,11E,"HTTP/1\.0
SF:\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nServer:\x20Http\x20S
SF:erver\r\nContent-Type:\x20text/html\r\nContent-Length:\x20174\r\n\r\n<h
SF:tml>\n<head><title>Server\x20error\x20message</title></head>\n<body>\n<
SF:h1>Error\x20404:\x20Not\x20Found</h1>\nThe\x20request\x20could\x20not\x
SF:20be\x20completed\x20because:\n\x20Document\x20not\x20found!\n</body>\n
SF:</html>\n");
Warning: OSScan results may be unre

10、Nmap 命令混合式扫描

$ nmap -vv -p1-1000 -O <target ip>
$ nmap -vv -p1-50 -O 192.168.41.41
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-26 17:12 CST
Initiating ARP Ping Scan at 17:12
Scanning 192.168.41.41 [1 port]
Completed ARP Ping Scan at 17:12, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 0.00s elapsed
Initiating SYN Stealth Scan at 17:12
Scanning bogon (192.168.41.41) [50 ports]
Discovered open port 23/tcp on 192.168.41.41
Increasing send delay for 192.168.41.41 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Completed SYN Stealth Scan at 17:12, 4.52s elapsed (50 total ports)
Initiating OS detection (try #1) against bogon (192.168.41.41)
Retrying OS detection (try #2) against bogon (192.168.41.41)
Retrying OS detection (try #3) against bogon (192.168.41.41)
Retrying OS detection (try #4) against bogon (192.168.41.41)
Retrying OS detection (try #5) against bogon (192.168.41.41)
Nmap scan report for bogon (192.168.41.41)
Host is up, received arp-response (0.0030s latency).
Scanned at 2021-01-26 17:12:37 CST for 16s

PORT   STATE    SERVICE     REASON
1/tcp  closed   tcpmux      reset ttl 64
2/tcp  filtered compressnet no-response
3/tcp  closed   compressnet reset ttl 64
4/tcp  closed   unknown     reset ttl 64
5/tcp  closed   rje         reset ttl 64
6/tcp  closed   unknown     reset ttl 64
7/tcp  closed   echo        reset ttl 64
8/tcp  closed   unknown     reset ttl 64
9/tcp  closed   discard     reset ttl 64
10/tcp closed   unknown     reset ttl 64
11/tcp closed   systat      reset ttl 64
12/tcp closed   unknown     reset ttl 64
13/tcp closed   daytime     reset ttl 64
14/tcp closed   unknown     reset ttl 64
15/tcp closed   netstat     reset ttl 64
16/tcp closed   unknown     reset ttl 64
17/tcp closed   qotd        reset ttl 64
18/tcp closed   msp         reset ttl 64
19/tcp closed   chargen     reset ttl 64
20/tcp clo

参考文献

返回文章列表