1

Scan by hostname

[root@wl020237 opt]# nmap www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:52 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0025s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds


2

Scan by IP address

[root@wl020237 opt]# nmap 192.168.20.237

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:53 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds


3

Scan with the -v option

Adding the -v option makes nmap print more detailed information about the remote machine.

[root@wl020237 opt]# nmap -v www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:54 CST
Initiating Ping Scan at 16:54
Scanning www.baidu.com (220.181.111.188) [4 ports]
Completed Ping Scan at 16:54, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:54
Completed Parallel DNS resolution of 1 host. at 16:54, 0.02s elapsed
Initiating SYN Stealth Scan at 16:54
Scanning www.baidu.com (220.181.111.188) [1000 ports]
Discovered open port 80/tcp on 220.181.111.188
Discovered open port 443/tcp on 220.181.111.188
Completed SYN Stealth Scan at 16:54, 4.53s elapsed (1000 total ports)
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
           Raw packets sent: 2004 (88.152KB) | Rcvd: 5 (204B)


4

Scan multiple hosts

Put several IP addresses or hostnames after the nmap command to scan multiple hosts in one run.

[root@wl020237 opt]# nmap  www.baidu.com www.163.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:56 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0023s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for www.163.com (175.25.168.40)
Host is up (0.0028s latency).
Not shown: 984 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
88/tcp    open  kerberos-sec
443/tcp   open  https
2323/tcp  open  3d-nfsd
3030/tcp  open  arepa-cas
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8083/tcp  open  us-srv
8088/tcp  open  radan-http
8090/tcp  open  unknown
8888/tcp  open  sun-answerbook
9001/tcp  open  tor-orport
9500/tcp  open  ismserver
20000/tcp open  dnp

Nmap done: 2 IP addresses (2 hosts up) scanned in 17.15 seconds


5

Scan an entire subnet

Use the * wildcard to scan a whole subnet or a range of IP addresses.

[root@wl020237 opt]# nmap 192.168.20.*


6

Scan several servers by listing the last octet of the IP address

[root@wl020237 opt]# nmap 192.168.20.236,237,238


7

Scan a list of hosts from a file

Run nmap with the -iL option to scan every IP address listed in the file.

[root@wl020237 opt]# more abc.txt
192.168.20.248
192.168.20.235
192.168.20.227
[root@wl020237 opt]# nmap -iL abc.txt


8

Scan an IP address range

nmap 192.168.20.236-238


9

Exclude some remote hosts from the scan

[root@wl020237 opt]# nmap 192.168.20.236-238 --exclude 192.168.20.237
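As an added example (my own code, not nmap's and not from the original post), the helper below expands the target syntax used in items 5 to 9 (the * wildcard, comma lists and dash ranges, a -iL style file, and --exclude) into the address list nmap would visit, so a defender can check what a scan will touch before running it. It generalises the last-octet cases shown above to every octet, as nmap does; the file rule (whitespace-separated entries, # comments) is an assumption about -iL input, and the sample file content is constructed from item 7.

```python
import ipaddress
from itertools import product

def _expand_octet(spec):
    """Expand one octet spec: '*' is 0-255, 'a-b' a range, 'a,b' a list (mixable)."""
    values = []
    for item in spec.split(","):
        if item == "*":
            values.extend(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 0    # nmap allows open-ended ranges like '-50' or '200-'
            hi = int(hi) if hi else 255
            values.extend(range(lo, hi + 1))
        else:
            values.append(int(item))
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError(f"octet value out of range in {spec!r}: {v}")
    return values

def _expand_spec(spec):
    """All IPv4 addresses covered by one target spec such as '192.168.20.236-238'."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an octet-wise IPv4 target spec: {spec!r}")
    return {ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in product(*(_expand_octet(o) for o in octets))}

def load_target_file(text):
    """Assumed -iL rule: specs separated by whitespace/newlines, '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs

def expand_targets(specs, exclude=()):
    """Sorted, de-duplicated address list: everything in specs minus everything in exclude."""
    wanted = set().union(*(_expand_spec(s) for s in specs))
    skipped = set().union(*(_expand_spec(s) for s in exclude))
    return [str(a) for a in sorted(wanted - skipped)]

# Constructed sample matching the page's abc.txt from item 7, plus a comment.
SAMPLE_FILE = "192.168.20.248\n192.168.20.235  # web\n192.168.20.227\n"

if __name__ == "__main__":
    print(expand_targets(load_target_file(SAMPLE_FILE)))
    print(expand_targets(["192.168.20.236-238"], exclude=["192.168.20.237"]))
```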


10

Scan for OS information and traceroute

To enable OS and version detection, script scanning and traceroute, use nmap's -A option.

In the output below you can see that nmap prints the TCP/IP fingerprint of the remote host's operating system and gives more detail about the ports and services on it.

[root@wl020237 opt]# nmap -A 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:04 CST
Nmap scan report for 192.168.20.229
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 59:14:67:7a:92:dc:30:76:e0:59:9c:f2:eb:d7:dc:77 (DSA)
|_  2048 3a:a8:73:5a:e7:02:34:5d:fe:1e:04:7d:5f:b3:ba:19 (RSA)
80/tcp   open  http    nginx
|_http-server-header: nginx
|_http-title: \xE5\xA5\xBD\xE6\x9C\xA8
8088/tcp open  http    Jetty 7.6.15.v20140411
|_http-server-header: Jetty(7.6.15.v20140411)
|_http-title: Error 404 Not Found
MAC Address: 00:0C:29:6C:03:6A (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=3/29%OT=22%CT=1%CU=33617%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=58DB78C6%P=x86_64-redhat-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=Z%CI=Z%
OS:II=I%TS=U)OPS(O1=M5B4NNSNW9%O2=M5B4NNSNW9%O3=M5B4NW9%O4=M5B4NNSNW9%O5=M5
OS:B4NNSNW9%O6=M5B4NNS)WIN(W1=3908%W2=3908%W3=3908%W4=3908%W5=3908%W6=3908)
OS:ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW9%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.20.229

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.09 seconds


11

Enable nmap's OS detection

The -O and --osscan-guess options also help detect operating system information.

[root@wl020237 opt]# nmap -O 192.168.20.229


12

Scan a host to detect a firewall

Scan a remote host to detect whether it uses a packet filter or firewall.

[root@wl020237 opt]# nmap -sA www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:11 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
All 1000 scanned ports on www.baidu.com (220.181.112.244) are filtered     # a firewall is in use

Nmap done: 1 IP address (1 host up) scanned in 21.22 seconds

[root@wl020237 opt]# nmap -sA 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:14 CST
Nmap scan report for 192.168.20.229
Host is up (0.00033s latency).
All 1000 scanned ports on 192.168.20.229 are unfiltered     # no firewall in use
MAC Address: 00:0C:29:6C:03:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds


13

Scan a host to check whether it is protected by a firewall

Scan a host to check whether it is protected by packet-filtering software or a firewall.

[root@wl020237 opt]# nmap -PN www.baidu.com


14

Find the live hosts on a network

With the -sP option we can simply check which hosts on the network are up; it skips port scanning and the other probes.

[root@wl020237 opt]# nmap -sP 192.168.20.*

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:18 CST
Nmap scan report for 192.168.20.1
Host is up (0.00068s latency).
MAC Address: 68:ED:A4:03:5A:65 (Shenzhen Seavo Technology)
Nmap scan report for 192.168.20.57
Host is up (0.00080s latency).
MAC Address: 14:18:77:27:34:DF (Dell)
Nmap scan report for 192.168.20.211
Host is up (0.00038s latency).
MAC Address: 14:18:77:4F:70:DC (Dell)


15

Perform a fast scan

You can use the -F option to perform a fast scan that covers only the ports listed in the nmap-services file and skips all others.

[root@wl020237 opt]# nmap -F www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:24 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds


16

Check the nmap version

Use the -V option to check which version of nmap is installed on your machine.

[root@wl020237 opt]# nmap -V

Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.0.1e libpcre-7.8 libpcap-1.4.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select


17

Scan ports sequentially

The -r option tells nmap not to scan the ports in random order.

[root@wl020237 opt]# nmap -r www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:27 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0025s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.39 seconds


18

Print host interfaces and routes

You can use nmap's --iflist option to list the host's interfaces and routing information.

In the output below, nmap lists the interfaces on your system together with their routes.

[root@wl020237 opt]# nmap --iflist

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:28 CST
************************INTERFACES************************
DEV  (SHORT) IP/MASK                     TYPE     UP MTU   MAC
lo   (lo)    127.0.0.1/8                 loopback up 16436
lo   (lo)    ::1/128                     loopback up 16436
eth0 (eth0)  192.168.20.237/24           ethernet up 1500  00:0C:29:14:81:57
eth0 (eth0)  fe80::20c:29ff:fe14:8157/64 ethernet up 1500  00:0C:29:14:81:57

**************************ROUTES**************************
DST/MASK                     DEV  METRIC GATEWAY
192.168.20.0/24              eth0 0
169.254.0.0/16               eth0 1002
0.0.0.0/0                    eth0 0      192.168.20.1
::1/128                      lo   0
fe80::20c:29ff:fe14:8157/128 lo   0
fe80::/64                    eth0 256
ff00::/8                     eth0 256


19

Scan specific ports

Nmap has several options for scanning the ports of a remote machine; use the -p option to specify the ports you want to scan. By default nmap scans only TCP ports.

[root@wl020237 opt]# nmap -p 80 www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:34 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0018s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds


20

Scan TCP ports

You can specify both the port type and the port numbers for nmap to scan.

[root@wl020237 opt]# nmap -p T:80,8088 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:46 CST
Nmap scan report for 192.168.20.229
Host is up (0.00042s latency).
PORT     STATE SERVICE
80/tcp   open  http
8088/tcp open  radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds


21

Scan UDP ports

[root@wl020237 opt]# nmap -sU 192.168.20.229


22

Scan multiple ports

The -p option can also scan several ports at once.

[root@wl020237 opt]# nmap -p 80,8088 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:54 CST
Nmap scan report for 192.168.20.229
Host is up (0.0016s latency).
PORT     STATE SERVICE
80/tcp   open  http
8088/tcp open  radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds


23

Scan a range of ports

You can use a range expression to scan every port within a given range.

[root@wl020237 opt]# nmap -p 80-8088 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:58 CST
Nmap scan report for 192.168.20.229
Host is up (0.00025s latency).
Not shown: 7999 closed ports
PORT     STATE SERVICE
80/tcp   open  http
5010/tcp open  telelpathstart
5011/tcp open  telelpathattack
5012/tcp open  nsp
5013/tcp open  fmpro-v6
5015/tcp open  fmwp
5016/tcp open  unknown
5017/tcp open  unknown
6379/tcp open  redis
8088/tcp open  radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds


24

Find the service version numbers on a host

We can use the -sV option to find out the versions of the services running on a remote host.

[root@wl020237 opt]# nmap -sV 192.168.20.237

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:59 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.15 ((CentOS))
3306/tcp open  mysql   MySQL 5.6.35

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds


25

Scan a remote host with TCP ACK (PA) and TCP SYN (PS)

Sometimes a packet-filtering firewall blocks standard ICMP ping requests; in that case we can use the TCP ACK and TCP SYN methods to scan the remote host.

[root@wl020237 opt]# nmap -PS www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:01 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0040s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.99 seconds


26

Scan specific ports on a remote host with TCP ACK

[root@wl020237 opt]# nmap -PA -p 80,8088 192.168.20.229

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:04 CST
Nmap scan report for 192.168.20.229
Host is up (0.00040s latency).
PORT     STATE SERVICE
80/tcp   open  http
8088/tcp open  radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds


27

Perform a stealth scan

[root@wl020237 opt]# nmap -sS www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:05 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0018s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds


28

Use TCP SYN to scan the most commonly used ports

[root@wl020237 opt]# nmap -sT www.baidu.com

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:06 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds


29

Perform a TCP Null scan to get past the firewall

[root@wl020237 opt]# nmap -sN 192.168.20.237

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:08 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
3306/tcp open|filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
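The parser below is an added example, my own code rather than nmap's or the original post's: it reads the normal-output format shown in items 12, 24 and 29 (the scan report header, the port/state/service/version lines including the open|filtered state, the "Not shown" summary, and the "All N scanned ports ... are filtered/unfiltered" line of an ACK scan) so the results can be turned into an inventory, and it applies the interpretation item 12 gives to an ACK-scan result. The sample input is constructed from this page's own listings; the dict layout and the verdict labels are my own choices.

```python
import re

# Line patterns of nmap's normal output as it appears in the listings on this page.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+(?:\.\d+){3})\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)(?:\s+(.+))?$")
ALL_RE = re.compile(r"^All (\d+) scanned ports on .+ are (\S+)")

def parse_nmap(text):
    """Turn one or more 'Nmap scan report' blocks into dicts with name, ip, ports, hidden."""
    hosts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := REPORT_RE.match(line)):
            cur = {"name": m.group(1), "ip": m.group(2) or m.group(1), "ports": [], "hidden": {}}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            port, proto, state, service, version = m.groups()
            cur["ports"].append((int(port), proto, state, service, version or ""))
        elif cur and line.startswith("Not shown:"):
            # e.g. "Not shown: 997 closed ports" or "Not shown: 998 filtered ports, 1 closed port"
            for n, state in re.findall(r"(\d+) (\S+) ports?", line):
                cur["hidden"][state] = cur["hidden"].get(state, 0) + int(n)
        elif cur and (m := ALL_RE.match(line)):
            cur["hidden"][m.group(2)] = int(m.group(1))
    return hosts

def ack_scan_verdict(host):
    """Read a -sA result the way item 12 does: every port 'filtered' means the unsolicited
    ACKs were dropped (a stateful filter sits in the path); every port 'unfiltered' means a
    RST came back for each probe; anything else needs a look at the per-port states."""
    states = set(host["hidden"]) | {p[2] for p in host["ports"]}
    if states == {"filtered"}:
        return "filtered"
    if states == {"unfiltered"}:
        return "unfiltered"
    return "mixed"

# Constructed sample: the -sV report from item 24 followed by the -sA report from item 12.
SAMPLE = """\
Nmap scan report for 192.168.20.237
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.15 ((CentOS))
3306/tcp open  mysql   MySQL 5.6.35

Nmap scan report for www.baidu.com (220.181.112.244)
All 1000 scanned ports on www.baidu.com (220.181.112.244) are filtered
"""
```

Calling `parse_nmap(SAMPLE)` yields two host dicts; `ack_scan_verdict` on the second returns "filtered", matching the comment the author put on that line.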