Nmap ("Network Mapper") is an open-source tool for network exploration and security auditing. It was designed to scan large networks quickly, although it works equally well against a single host. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (including version) they run, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1. Options

option  note
-sS     TCP SYN scan (also called half-open or stealth scan)
-P0     Skip ICMP ping host discovery (newer Nmap spells this -Pn)
-sV     Enable service version detection
-O      Attempt to identify the remote operating system
-A      Enable OS fingerprinting and version detection together
-v      Verbose output of scan progress

2. Common commands

nmap -PN -n -F -T4 -sV -A -oG temp.txt <target>
amap -i temp.txt
purpose                                          command
Get the remote host's OS type and open ports     nmap -sS -P0 -sV -O <target>
Get the remote host's OS type and open ports     nmap -sS -P0 -A -v <target>
Check whether specific ports are open            nmap -p <port> <target>
                                                 nmap -p <port1>,<port2> <target>
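The -oG switch in the first command above writes Nmap's grepable output format, which is also what amap -i reads. The following Python script is an added example and not part of the original cheat sheet: it parses a constructed sample of that format and compares each host's open ports against an allow-list, the way a defender would check a scan of their own network for unexpected exposure. The sample scan lines, host names and allow-list are all made up for the example.

```python
import re

# Constructed sample of Nmap grepable (-oG) output; not output from a real scan.
# Each "Host:" line holds tab-separated "Key: value" fields; the Ports field lists
# port/state/protocol/owner/service/rpcinfo/version/ entries separated by ", ".
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG temp.txt 192.168.1.0/24\n"
    "Host: 192.168.1.10 (web.lab)\tStatus: Up\n"
    "Host: 192.168.1.10 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///"
    "\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.20 ()\tStatus: Up\n"
    "Host: 192.168.1.20 ()\tPorts: 53/open/udp//domain//ISC BIND 9.16/, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # banner and summary lines start with '#'
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # "Status" and "Ignored State" carry no port data
            for item in value.split(", "):
                parts = item.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip it rather than crash
                entry["ports"].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts):
    """Map each IP to its sorted list of (port, proto) pairs in state 'open'."""
    return {
        ip: sorted((p["port"], p["proto"]) for p in info["ports"] if p["state"] == "open")
        for ip, info in hosts.items()
    }


def unexpected_open_ports(hosts, allowed):
    """Report open ports missing from the allow-list {ip: {(port, proto), ...}}.

    A host absent from the allow-list has every open port reported.
    """
    findings = {}
    for ip, ports in open_ports(hosts).items():
        extra = [pp for pp in ports if pp not in allowed.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    # Constructed allow-list: what each host is approved to expose.
    approved = {"192.168.1.10": {(22, "tcp")}, "192.168.1.20": {(53, "udp")}}
    for ip, extra in unexpected_open_ports(inventory, approved).items():
        print(f"{ip} ({inventory[ip]['hostname'] or '-'}): unexpected open {extra}")
```

Run against a real temp.txt by replacing SAMPLE_GNMAP with the file's contents; only ports in state "open" are compared, so filtered or closed results never trigger a finding.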

3. Chapter 1 ~::~ Nmap Fundamentals

3.0.1. Listing open ports on a remote host

nmap hiren.com

3.0.2. Version detection

nmap -sV hiren.me

3.0.3. Aggressive detection

nmap -sC -sV -O <target>

3.0.4. Finding live hosts

nmap -sP 192.168.1.1/24

(-sP is the older spelling of -sn; current Nmap still accepts it.)

Port specification (-p) syntax:

  • Port list:
    nmap -p80,443 localhost

  • Port range:
    nmap -p1-100 localhost

  • All ports:
    nmap -p- localhost

  • Specific ports by protocol:
    nmap -pT:25,U:53 <target>

  • Service name:
    nmap -p smtp <target>

  • Service name wildcards (quoted so the shell does not expand the asterisk):
    nmap -p "smtp*" <target>

  • Only ports registered in Nmap's services file, within a range (quoted for the same reason):
    nmap -p "[1-65535]" <target>
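As an added example (not from the original page), the Python function below expands the -p syntax listed above into concrete port sets: comma lists, ranges, the bare "-" for all ports, T:/U: protocol qualifiers, service names with wildcards, and the bracketed registered-only form. The SERVICE_TABLE is a small constructed subset standing in for Nmap's nmap-services file, so the numbers returned for service names depend on that assumption; real Nmap resolves them against the full file.

```python
import re
from fnmatch import fnmatchcase

MAX_PORT = 65535

# Constructed stand-in for the nmap-services table that Nmap consults for
# service names and wildcards. Real Nmap reads that file; this subset is an assumption.
SERVICE_TABLE = {
    ("smtp", "tcp"): 25,
    ("smtp", "udp"): 25,
    ("domain", "tcp"): 53,
    ("domain", "udp"): 53,
    ("http", "tcp"): 80,
    ("https", "tcp"): 443,
    ("smtps", "tcp"): 465,
    ("submission", "tcp"): 587,
}


def _registered_ports(proto):
    """All port numbers the table registers for one protocol."""
    return {port for (_, p), port in SERVICE_TABLE.items() if p == proto}


def _ports_for_name(pattern, proto):
    """Ports whose service name matches a glob pattern such as 'smtp*'."""
    return {port for (name, p), port in SERVICE_TABLE.items()
            if p == proto and fnmatchcase(name, pattern)}


def _parse_range(token):
    """'80' -> (80, 80); '1-100' -> (1, 100); '-' -> (1, 65535); else None."""
    m = re.fullmatch(r"(\d*)-(\d*)", token)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT
    elif token.isdigit():
        lo = hi = int(token)
    else:
        return None  # not numeric: caller treats it as a service name
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"port range out of bounds: {token!r}")
    return lo, hi


def expand_port_spec(spec):
    """Expand an Nmap -p string into {'tcp': [ports], 'udp': [ports]}.

    Without a T:/U: qualifier Nmap adds the ports to every protocol list and
    later uses only the lists relevant to the chosen scan types (-sS, -sU, ...).
    """
    selected = {"tcp": set(), "udp": set()}
    protos = ["tcp", "udp"]
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token[:2].upper() in ("T:", "U:"):
            # A qualifier applies to this token and every later one until changed.
            protos = ["tcp"] if token[0].upper() == "T" else ["udp"]
            token = token[2:]
        registered_only = token.startswith("[") and token.endswith("]")
        if registered_only:
            token = token[1:-1]  # [lo-hi] keeps only registered ports in the range
        rng = _parse_range(token)
        for proto in protos:
            if rng is None:
                ports = _ports_for_name(token, proto)
            else:
                ports = set(range(rng[0], rng[1] + 1))
                if registered_only:
                    ports &= _registered_ports(proto)
            selected[proto] |= ports
    return {proto: sorted(ports) for proto, ports in selected.items()}


def is_valid_spec(spec):
    """True if the spec parses; False if any port falls outside 1..65535."""
    try:
        expand_port_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for spec in ("80,443", "T:25,U:53", "T:smtp*", "T:[1-100]"):
        print(spec, "->", expand_port_spec(spec))
```

The registered-only and wildcard forms are the ones worth checking before a large scan: "[1-65535]" touches far fewer ports than "-", and a wildcard like "smtp*" can match more services than intended, so printing the expansion first avoids surprises.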

3.0.5. Scan using script

nmap --script <script name> <host>

3.0.6. Scanning using a specified network interface

nmap -e <INTERFACE> scanme.nmap.org


Chapter 2 ~::~ Network Exploration

3.0.7. Discovering hosts with TCP SYN ping scans

nmap -sP -PS 192.168.1.1/24

3.0.8. Discovering hosts with TCP ACK ping scans

nmap -sP -PA <target>

3.0.9. Discovering hosts with UDP ping scans

nmap -sP -PU <target>

3.0.10. Discovering hosts with ICMP ping scans

nmap -sP -PE hiren.net

3.0.11. Discovering hosts with IP protocol ping scans

nmap -sP -PO <target>

3.0.12. Discovering hosts with ARP ping scans

Effective for hosts on the local LAN segment (ARP only reaches the same broadcast domain)

nmap -sP -PR 192.168.1.1/24

3.0.13. MAC address spoofing

Spoof the source MAC address used for the ARP ping:

nmap -sP -PR --spoof-mac 5C:4C:A9:F2:DC:7C <target>

3.0.14. Hiding our traffic with additional random data

Append 300 bytes of random data to each probe packet (--data-length):

nmap -sS -PS --data-length 300 scanme.nmap.org

3.0.15. Forcing DNS resolution

Force reverse DNS resolution (-R) even for hosts that appear to be offline:

nmap -sS -PS -F -R XX.XXX.XXX.220-230

4. Chapter 3 ~::~ Gathering Additional Host Information

4.0.1. Getting information from WHOIS records

nmap --script whois <target>

4.0.2. Collecting valid e-mail accounts

The script http-google-email is not included in Nmap's official repository, so you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, update the script database with:

nmap --script-updatedb

then

nmap -p80 --script http-google-email,http-email-harvest <target>

4.0.3. Discovering hostnames pointing to the same IP address

Download the hostmap script from the Nmap external script library at https://secwiki.org/w/Nmap/External_Script_Library and copy it to your local scripts directory, then update the script database and run it:

nmap --script-updatedb
nmap -p80 --script hostmap nmap.org

4.0.4. Brute forcing DNS records

nmap --script dns-brute <target>

4.0.5. Fingerprinting the operating system of a host

nmap -O <target>

4.0.6. Discovering UDP services

nmap -sU -p- <target>

4.0.7. Listing protocols supported by a remote host

nmap -sO <target>

4.0.8. Discovering stateful firewalls by using a TCP ACK scan

nmap -sA <target>
Port states