Nmap ("Network Mapper") is an open-source tool for network exploration and security auditing. It was designed to scan large networks quickly, although it works just as well against a single host. Nmap uses raw IP packets in novel ways to determine which hosts are available on a network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what kind of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
1. Options
| option | note |
|---|---|
| -sS | TCP SYN scan (also known as half-open or stealth scan) |
| -P0 | Lets you turn off ICMP pings. |
| -sV | Turns on version detection |
| -O | Tries to identify the remote operating system |
| -A | Turns on OS fingerprinting and version detection together |
| -v | Verbose output of the scan progress. |
2. Common commands
nmap -PN -n -F -T4 -sV -A -oG temp.txt <target>
amap -i temp.txt
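The -oG file written by the first command above is Nmap's grepable format: one line per host, tab-separated fields, and a `Ports:` field whose entries are `port/state/proto/owner/service/rpc/version/`. The script below is an added example, not part of the original post or of Nmap itself; it parses a constructed sample of that format into a host/port inventory and then reports open ports that are not in an expected-service baseline, which is how a scan result gets turned into a drift check. The sample scan lines, hostnames, versions and the baseline are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): turn Nmap grepable output
# (-oG) into a host/port inventory and check it against an expected baseline.

TAB=$(printf '\t')

# Constructed sample of -oG output; the hosts, services and versions are
# made up for this example. Fields on each line are tab-separated.
sample_gnmap() {
    printf '%s\n' \
        '# Nmap 7.94 scan initiated (constructed sample)' \
        "Host: 192.168.1.10 (host-a.example)${TAB}Status: Up" \
        "Host: 192.168.1.10 (host-a.example)${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 443/closed/tcp//https///${TAB}Ignored State: filtered (997)" \
        "Host: 192.168.1.11 ()${TAB}Status: Up" \
        "Host: 192.168.1.11 ()${TAB}Ports: 3306/open/tcp//mysql//MySQL 5.7/${TAB}Ignored State: closed (999)" \
        "Host: 192.168.1.12 ()${TAB}Status: Down" \
        '# Nmap done (constructed sample)'
}

# Read grepable output on stdin and print one line per open port:
#   <ip> <port>/<proto> <service> <version>
# Each Ports: entry is port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk -F'\t' '
        /^Host: / && $2 ~ /^Ports: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# Expected services for this network segment (constructed); in practice this
# comes from an asset inventory or a previously approved scan.
baseline() {
    printf '%s\n' \
        '192.168.1.10 22/tcp' \
        '192.168.1.10 80/tcp'
}

# Print open ports from the sample scan that are not in the baseline.
# Both streams are tagged (A = allowed, S = seen) so a single awk pass can
# read them without temporary files.
unexpected_ports() {
    {
        baseline | sed 's/^/A /'
        sample_gnmap | open_ports | sed 's/^/S /'
    } | awk '
        $1 == "A" { allowed[$2 " " $3] = 1; next }
        $1 == "S" && !(($2 " " $3) in allowed) { print $2, $3, $4 }'
}

echo "== open ports in sample scan =="
sample_gnmap | open_ports
echo "== open ports not in baseline =="
unexpected_ports
```

To use it on a real scan, replace `sample_gnmap` with `cat temp.txt` (the -oG file from the command above) and fill `baseline` from your asset inventory; anything the check prints is a service that was not expected on that host and deserves a look.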
| Probe | cmd |
|---|---|
| Get the remote host's OS type and open ports | nmap -sS -P0 -sV -O <target> |
| Get the remote host's OS type and open ports | nmap -sS -P0 -A -v <target> |
| Check whether specific ports are open | nmap -p <port> <target> or nmap -p <port1>,<port2> <target> |
3. Chapter 1 ~::~ Nmap Fundamentals
3.0.1. Listing open ports on a remote host
nmap hiren.com
3.0.2. Version detection
nmap -sV hiren.me
3.0.3. Aggressive detection
nmap -sC -sV -O <target>
3.0.4. Finding live hosts
nmap -sP 192.168.1.1/24
- Port list:
nmap -p80,443 localhost
- Port range:
nmap -p1-100 localhost
- All ports:
nmap -p- localhost
- Specific ports by protocols:
nmap -pT:25,U:53 <target>
- Service name:
nmap -p smtp <target>
- Service name wildcards:
nmap -p smtp* <target>
- Only ports registered in Nmap services:
nmap -p[1-65535] <target>
3.0.5. Scan using script
nmap --script <script name> <host>
3.0.6. Scanning using a specified network interface
nmap -e <INTERFACE> scanme.nmap.org
Chapter 2 ~::~ Network Exploration
3.0.7. Discovering hosts with TCP SYN ping scans
nmap -sP -PS 192.168.1.1/24
3.0.8. Discovering hosts with TCP ACK ping scans
nmap -sP -PA <target>
3.0.9. Discovering hosts with UDP ping scans
nmap -sP -PU <target>
3.0.10. Discovering hosts with ICMP ping scans
nmap -sP -PE hiren.net
3.0.11. Discovering hosts with IP protocol ping scans
nmap -sP -PO <target>
3.0.12. Discovering hosts with ARP ping scans
Effective on a LAN
nmap -sP -PR 192.168.1.1/24
3.0.13. MAC address spoofing
Change the MAC address used for the scan
nmap -sP -PR --spoof-mac 5C:4C:A9:F2:DC:7C <target>
3.0.14. Hiding our traffic with additional random data
Append random data to the packets sent
nmap -sS -PS --data-length 300 scanme.nmap.org
3.0.15. Forcing DNS resolution
Force DNS resolution even if the host is offline
nmap -sS -PS -F -R XX.XXX.XXX.220-230
4. Chapter 3 ~::~ Gathering Additional Host Information
4.0.1. Getting information from WHOIS records
nmap --script whois <target>
4.0.2. Collecting valid e-mail accounts
The script http-google-email is not included in Nmap's official repository, so you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, update the script database with:
nmap --script-updatedb
then
nmap -p80 --script http-google-email,http-email-harvest <target>
4.0.3. Discovering hostnames pointing to the same IP address
The hostmap script is available from https://secwiki.org/w/Nmap/External_Script_Library; copy it to your local scripts directory, then update the script database:
nmap --script-updatedb
nmap -p80 --script hostmap nmap.org
4.0.4. Brute forcing DNS records
nmap --script dns-brute <target>
4.0.5. Fingerprinting the operating system of a host
nmap -O <target>
4.0.6. Discovering UDP services
nmap -sU -p- <target>
4.0.7. Listing protocols supported by a remote host
nmap -sO <target>
4.0.8. Discovering stateful firewalls by using a TCP ACK scan
nmap -sA <target>
Port states
Original article by Y4er. Reproduction without authorization is prohibited; to reproduce it, contact the author: Y4er