nmap命令基礎(chǔ)用法

發(fā)布時(shí)間：2024-02-14

nmap系統(tǒng)漏洞掃描之王，也就是network mapper，是linux下常用的網(wǎng)絡(luò)掃描和嗅探工具包，現(xiàn)在支持多個(gè)平臺(tái)。
其基本功能有三個(gè)：
（1）是掃描主機(jī)端口，嗅探所提供的網(wǎng)絡(luò)服務(wù)（2）是探測一組主機(jī)是否在線（3）還可以推斷主機(jī)所用的操作系統(tǒng)，到達(dá)主機(jī)經(jīng)過的路由，系統(tǒng)已開放端口的軟件版本nmap端口狀態(tài)解析
open ： 應(yīng)用程序在該端口接收 tcp 連接或者 udp 報(bào)文。 closed ：關(guān)閉的端口對(duì)于nmap也是可訪問的， 它接收nmap探測報(bào)文并作出響應(yīng)。但沒有應(yīng)用程序在其上監(jiān)聽。 filtered ：由于包過濾阻止探測報(bào)文到達(dá)端口，nmap無法確定該端口是否開放。過濾可能來自專業(yè)的防火墻設(shè)備，路由規(guī)則 或者主機(jī)上的軟件防火墻。 unfiltered ：未被過濾狀態(tài)意味著端口可訪問，但是nmap無法確定它是開放還是關(guān)閉。 只有用于映射防火墻規(guī)則集的 ack 掃描才會(huì)把端口分類到這個(gè)狀態(tài)。 open | filtered ：無法確定端口是開放還是被過濾， 開放的端口不響應(yīng)就是一個(gè)例子。沒有響應(yīng)也可能意味著報(bào)文過濾器丟棄了探測報(bào)文或者它引發(fā)的任何反應(yīng)。udp，ip協(xié)議,fin, null 等掃描會(huì)引起。 closed|filtered：（關(guān)閉或者被過濾的）：無法確定端口是關(guān)閉的還是被過濾的nmap有windows和linux
nmap是一款網(wǎng)絡(luò)掃描和主機(jī)檢測的非常有用的工具。nmap是不局限于僅僅收集信息和枚舉，同時(shí)可以用來作為一個(gè)漏洞探測器或安全掃描器。它可以適用于winodws,linux,mac等操作系統(tǒng)
從下面官網(wǎng)可以下載exe程序包和zip包
https://nmap.org/download.html#windows
nmap常用參數(shù)
nmap掃描速度要比nc快
面是一些基本的命令和它們的用法的例子：掃描單一的一個(gè)主機(jī)，命令如下：
前期準(zhǔn)備
準(zhǔn)備兩臺(tái)機(jī)器
主機(jī)a：ip地址 10.0.1.161主機(jī)b：ip地址 10.0.1.162b機(jī)器安裝nmap的包（這個(gè)工具比較強(qiáng)大，習(xí)慣上每臺(tái)機(jī)器都安裝）
yum install nmap -y
端口掃描部分
前期準(zhǔn)備
b機(jī)器使用nmap去掃描a機(jī)器，掃描之前，a機(jī)器先查看自己上面有哪些端口在被占用
a機(jī)器上查看本地ipv4的監(jiān)聽端口
netstat參數(shù)解釋：
-l (listen) 僅列出 listen (監(jiān)聽) 的服務(wù) -t (tcp) 僅顯示tcp相關(guān)內(nèi)容 -n (numeric) 直接顯示ip地址以及端口，不解析為服務(wù)名或者主機(jī)名 -p (pid) 顯示出socket所屬的進(jìn)程pid 以及進(jìn)程名字 --inet 顯示ipv4相關(guān)協(xié)議的監(jiān)聽查看ipv4端口上的tcp的監(jiān)聽
netstat -lntp --inet
[root@a ~]# netstat -lntp --inet active internet connections (only servers) proto recv-q send-q local address foreign address state pid/program name tcp 0 0 0.0.0.0:22 0.0.0.0:* listen 2157/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* listen 1930/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* listen 2365/master tcp 0 0 0.0.0.0:13306 0.0.0.0:* listen 21699/mysqld tcp 0 0 0.0.0.0:873 0.0.0.0:* listen 2640/rsync tcp 0 0 0.0.0.0:111 0.0.0.0:* listen 21505/rpcbind [root@a ~]#過濾掉監(jiān)控在127.0.0.1的端口
[root@a ~]# netstat -lntp --inet | grep -v 127.0.0.1 active internet connections (only servers) proto recv-q send-q local address foreign address state pid/program name tcp 0 0 0.0.0.0:22 0.0.0.0:* listen 2157/sshd tcp 0 0 0.0.0.0:13306 0.0.0.0:* listen 21699/mysqld tcp 0 0 0.0.0.0:873 0.0.0.0:* listen 2640/rsync tcp 0 0 0.0.0.0:111 0.0.0.0:* listen 21505/rpcbind [root@a ~]#掃描tcp端口
b機(jī)器上使用nmap掃描a機(jī)器所有端口（-p后面也可以跟空格）
下面表示掃描a機(jī)器的1到65535所有在監(jiān)聽的tcp端口。
nmap 10.0.1.161 -p1-65535
指定端口范圍使用-p參數(shù)，如果不指定要掃描的端口，nmap默認(rèn)掃描從1到1024再加上nmap-services列出的端口
nmap-services是一個(gè)包含大約2200個(gè)著名的服務(wù)的數(shù)據(jù)庫，nmap通過查詢?cè)摂?shù)據(jù)庫可以報(bào)告那些端口可能對(duì)應(yīng)于什么服務(wù)器，但不一定正確。
所以正確掃描一個(gè)機(jī)器開放端口的方法是上面命令。-p1-65535
注意，nmap有自己的庫，存放一些已知的服務(wù)和對(duì)應(yīng)端口號(hào)，假如有的服務(wù)不在nmap-services，可能nmap就不會(huì)去掃描，這就是明明一些端口已經(jīng)是處于監(jiān)聽狀態(tài)，nmap默認(rèn)沒掃描出來的原因，需要加入-p參數(shù)讓其掃描所有端口。
雖然直接使用nmap 10.0.1.161也可以掃描出開放的端口，但是使用-p1-65535 能顯示出最多的端口
區(qū)別在于不加-p 時(shí)，顯示的都是已知協(xié)議的端口，對(duì)于未知協(xié)議的端口沒顯示
[root@b ~]# nmap 10.0.1.161 -p1-65535 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:11 cst nmap scan report for 10.0.1.161 host is up (0.00017s latency). not shown: 65531 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync 13306/tcp open unknown mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 2.49 seconds [root@b ~]#如果不加-p1-65535，對(duì)于未知服務(wù)的端口（a機(jī)器的13306端口）就沒法掃描到
[root@b ~]# nmap 10.0.1.161 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:12 cst nmap scan report for 10.0.1.161 host is up (0.000089s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 0.43 seconds [root@b ~]#掃描一個(gè)ip的多個(gè)端口
連續(xù)的端口可以使用橫線連起來，端口之間可以使用逗號(hào)隔開
a機(jī)器上再啟動(dòng)兩個(gè)tcp的監(jiān)聽，分別占用7777和8888端口，用于測試，加入&符號(hào)可以放入后臺(tái)
[root@a ~]# nc -l 7777& [1] 21779 [root@a ~]# nc -l 8888& [2] 21780 [root@a ~]#[root@b ~]# nmap 10.0.1.161 -p20-200,7777,8888 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:32 cst nmap scan report for 10.0.1.161 host is up (0.00038s latency). not shown: 179 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 7777/tcp open cbt 8888/tcp open sun-answerbook mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 0.17 seconds [root@b ~]#掃描udp端口
先查看哪些ipv4的監(jiān)聽，使用grep -v排除回環(huán)接口上的監(jiān)聽
netstat -lnup --inet |grep -v 127.0.0.1
[root@a ~]# netstat -lnup --inet |grep -v 127.0.0.1 active internet connections (only servers) proto recv-q send-q local address foreign address state pid/program name udp 0 0 0.0.0.0:111 0.0.0.0:* 21505/rpcbind udp 0 0 0.0.0.0:631 0.0.0.0:* 1930/cupsd udp 0 0 10.0.1.161:123 0.0.0.0:* 2261/ntpd udp 0 0 0.0.0.0:123 0.0.0.0:* 2261/ntpd udp 0 0 0.0.0.0:904 0.0.0.0:* 21505/rpcbind [root@a ~]#-su：表示udp scan ， udp端口掃描-pn：不對(duì)目標(biāo)進(jìn)行ping探測（不判斷主機(jī)是否在線）（直接掃描端口）對(duì)于udp端口掃描比較慢，掃描完6萬多個(gè)端口需要20分鐘左右
[root@b ~]# nmap -su 10.0.1.161 -pn starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:16 cst stats: 0:12:54 elapsed; 0 hosts completed (1 up), 1 undergoing udp scan udp scan timing: about 75.19% done; etc: 10:33 (0:04:16 remaining) stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing udp scan udp scan timing: about 75.29% done; etc: 10:33 (0:04:15 remaining) nmap scan report for 10.0.1.161 host is up (0.0011s latency). not shown: 997 closed ports port state service 111/udp open rpcbind 123/udp open ntp 631/udp open|filtered ipp mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 1081.27 seconds [root@b ~]#掃描多個(gè)ip用法
中間用空格分開
[root@b ~]# nmap 10.0.1.161 10.0.1.162 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:18 cst nmap scan report for 10.0.1.161 host is up (0.000060s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap scan report for 10.0.1.162 host is up (0.0000070s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 2 ip addresses (2 hosts up) scanned in 0.26 seconds [root@b ~]#也可以采用下面方式逗號(hào)隔開
nmap 10.0.1.161,162
[root@b ~]# nmap 10.0.1.161,162 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:19 cst nmap scan report for 10.0.1.161 host is up (0.00025s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap scan report for 10.0.1.162 host is up (0.0000080s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 2 ip addresses (2 hosts up) scanned in 0.81 seconds [root@b ~]#掃描連續(xù)的ip地址
[root@b ~]# nmap 10.0.1.161-162 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:20 cst nmap scan report for 10.0.1.161 host is up (0.00011s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap scan report for 10.0.1.162 host is up (0.0000030s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 2 ip addresses (2 hosts up) scanned in 0.25 seconds [root@b ~]#掃描一個(gè)子網(wǎng)網(wǎng)段所有ip
[root@b ~]# nmap 10.0.3.0/24 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:21 cst nmap scan report for 10.0.3.1 host is up (0.020s latency). not shown: 997 closed ports port state service 23/tcp open telnet 6666/tcp open irc 8888/tcp open sun-answerbook nmap scan report for 10.0.3.2 host is up (0.012s latency). not shown: 997 closed ports port state service 21/tcp filtered ftp 22/tcp filtered ssh 23/tcp open telnet nmap scan report for 10.0.3.3 host is up (0.018s latency). not shown: 997 closed ports port state service 21/tcp filtered ftp 22/tcp filtered ssh 23/tcp open telnet nmap done: 256 ip addresses (3 hosts up) scanned in 14.91 seconds [root@b ~]#掃描文件里的ip
如果你有一個(gè)ip地址列表，將這個(gè)保存為一個(gè)txt文件，和namp在同一目錄下,掃描這個(gè)txt內(nèi)的所有主機(jī)，用法如下
[root@b ~]# cat ip.txt 10.0.1.161 10.0.1.162 [root@b ~]# nmap -il ip.txt starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:23 cst nmap scan report for 10.0.1.161 host is up (0.00030s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap scan report for 10.0.1.162 host is up (0.0000070s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 2 ip addresses (2 hosts up) scanned in 0.68 seconds [root@b ~]#掃描地址段是排除某個(gè)ip地址
nmap 10.0.1.161-162 --exclude 10.0.1.162
用法如下
[root@b ~]# nmap 10.0.1.161-162 --exclude 10.0.1.162 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:24 cst nmap scan report for 10.0.1.161 host is up (0.0022s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 0.53 seconds [root@b ~]#掃描時(shí)排除多個(gè)ip地址
排除連續(xù)的，可以使用橫線連接起來
nmap 10.0.1.161-163 --exclude 10.0.1.162-163
[root@b ~]# nmap 10.0.1.161-163 --exclude 10.0.1.162-163 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:25 cst nmap scan report for 10.0.1.161 host is up (0.00023s latency). not shown: 997 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind 873/tcp open rsync mac address: 00:0c:29:56:de:46 (vmware) nmap done: 1 ip address (1 host up) scanned in 0.56 seconds [root@b ~]#排除分散的，使用逗號(hào)隔開
nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163
[root@b ~]# nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163 starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:27 cst nmap scan report for 10.0.1.162 host is up (0.0000030s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 1 ip address (1 host up) scanned in 0.12 seconds [root@b ~]#掃描多個(gè)地址時(shí)排除文件里的ip地址
（可以用來排除不連續(xù)的ip地址）
把10.0.1.161和10.0.1.163添加到一個(gè)文件里，文件名可以隨意取
下面掃描10.0.1.161到10.0.1.163 這3個(gè)ip地址，排除10.0.1.161和10.0.1.163這兩個(gè)ip
nmap 10.0.1.161-163 --excludefile ex.txt
[root@b ~]# cat ex.txt 10.0.1.161 10.0.1.163 [root@b ~]# nmap 10.0.1.161-163 --excludefile ex.txt starting nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:29 cst nmap scan report for 10.0.1.162 host is up (0.0000050s latency). not shown: 998 closed ports port state service 22/tcp open ssh 111/tcp open rpcbind nmap done: 1 ip address (1 host up) scanned in 0.18 seconds [root@b ~]#