Nmap ("Network Mapper") is an open-source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works just as well against a single host. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts offer, what operating systems (including version information) they run, what type of packet filters/firewalls are in use, and dozens of other characteristics. Although Nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1. Options

Option   Note
-sS      TCP SYN scan (also called half-open or stealth scan)
-P0      Lets you turn off ICMP pings.
-sV      Enable version detection
-O       Try to identify the remote operating system
-A       Enable OS fingerprinting and version detection together
-v       Verbose output of the scan progress.

2. Common commands

Probe                                            Command
Get the remote host's OS type and open ports     nmap -sS -P0 -sV -O <target>
Get the remote host's OS type and open ports     nmap -sS -P0 -A -v <target>
Check whether a specific port is open            nmap -p <port> <target>
                                                 nmap -p <port1>,<port2> <target>
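The commands above only list results on the terminal; for an audit you normally save them with Nmap's grepable output option (-oG) and compare the listeners found against what each host is supposed to expose. The following is an added example, not code from the page or from the Nmap project: it parses constructed -oG output for the scan `nmap -sS -P0 -sV -O -oG scan.gnmap <target>` (current Nmap releases spell -P0 as -Pn) and flags every open or open|filtered port that is missing from an assumed per-host baseline.

```python
import re

# Constructed sample of Nmap grepable output (the format -oG writes); not a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -P0 -sV -O -oG scan.gnmap 192.0.2.0/30\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\tOS: Linux 5.X\n"
    "Host: 192.0.2.2 (db.example.test)\tStatus: Up\n"
    "Host: 192.0.2.2 (db.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 8.0.32/, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (998)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

# Assumed baseline: the (port, protocol) pairs each host is approved to expose.
BASELINE = {"192.0.2.1": {("22", "tcp"), ("80", "tcp")}, "192.0.2.2": set()}


def parse_gnmap(text):
    """Parse -oG output into {ip: {"hostname": str, "ports": [dict, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines start with '#'
        # Tab-separated "Key: value" fields: Host, Status, Ports, Ignored State, OS, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, hostname = re.match(r"(\S+) \((.*)\)", fields["Host"]).groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            # Each port entry is port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
            entry["ports"].append({"port": port, "proto": proto, "state": state,
                                   "service": service, "version": version})
    return hosts


def unexpected_listeners(hosts, baseline):
    """Open (or open|filtered, i.e. unanswered UDP) ports absent from the baseline."""
    findings = []
    for ip, info in hosts.items():
        allowed = baseline.get(ip, set())
        for p in info["ports"]:
            if p["state"] in ("open", "open|filtered") and (p["port"], p["proto"]) not in allowed:
                findings.append((ip, p["port"], p["proto"], p["state"], p["service"]))
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print("unexpected listener: %s %s/%s (%s) %s" % f)
```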

3. Chapter 1 ~::~ Nmap Fundamentals

3.0.1. Listing open ports on a remote host

3.0.2. Version detection

3.0.3. Aggressive detection

3.0.4. Finding live hosts

  • Port list:
  • Port range:
  • All ports:
  • Specific ports by protocols:
  • Service name:
  • Service name wildcards:

Only ports registered in Nmap services:

3.0.5. Scan using script

3.0.6. Scanning using a specified network interface

Chapter 2 ~::~ Network Exploration

3.0.7. Discovering hosts with TCP SYN ping scans

3.0.8. Discovering hosts with TCP ACK ping scans

3.0.9. Discovering hosts with UDP ping scans

3.0.10. Discovering hosts with ICMP ping scans

3.0.11. Discovering hosts with IP protocol ping scans

3.0.12. Discovering hosts with ARP ping scans

Effective on LAN networks

3.0.13. MAC address spoofing

Change your MAC address ~

3.0.14. Hiding our traffic with additional random data

Generate Random Data

3.0.15. Forcing DNS resolution

Force DNS resolution even if the host is offline

Nmap Usage and Common Commands Explained - ChaBug安全

4. Chapter 3 ~::~ Gathering Additional Host Information

4.0.1. Getting information from WHOIS records

4.0.2. Collecting valid e-mail accounts

The script http-google-email is not included in Nmap's official repository, so you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, you should update the script database with:


4.0.3. Discovering hostnames pointing to the same IP address

https://secwiki.org/w/Nmap/External_Script_Library

4.0.4. Brute forcing DNS records

4.0.5. Fingerprinting the operating system of a host

4.0.6. Discovering UDP services

4.0.7. Listing protocols supported by a remote host

4.0.8. Discovering stateful firewalls by using a TCP ACK scan

Port states