Nmap command usage
nmap [Scan Type(s)] [Options] {target specification}
Installing Nmap on Linux
yum install nmap
sudo apt-get install nmap
Complete option reference
Target specification:
Targets can be passed as hostnames, IP addresses, networks, etc.
Example: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from a list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude the list given in a file
Host discovery:
-sL: List scan - simply list the targets to scan
-sn: Ping scan - disable port scanning
-Pn: Treat all hosts as online - skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to the given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP protocol ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use the OS's DNS resolver
--traceroute: Trace the hop path to each host
Scan techniques:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
Port specification and scan order:
-p <port ranges>: Only scan the specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan the <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
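As an added example (not code from nmap or from this page), the following Python expands the -p port-specification grammar shown above into the per-protocol port sets a command line will actually probe; the protocol prefixes, omitted range ends and bounds check are the cases that usually trip up a scan-policy or firewall-rule review.

```python
# Added example (not part of nmap): expand an nmap -p port specification
# into per-protocol port sets, so a review of a scan policy or a firewall
# rule set can see exactly which ports a command line targets. It covers
# the grammar shown above: comma-separated ports and ranges, T:/U:/S:
# protocol prefixes, and omitted range ends ('-p-' means 1-65535).
# Service names and [..] wildcards, which nmap also accepts, are not handled.

PROTO_NAMES = {"T": "tcp", "U": "udp", "S": "sctp"}


def parse_port_spec(spec):
    """Return {'tcp': set, 'udp': set, 'sctp': set} for an nmap -p string.

    A protocol prefix applies to every following item until the next prefix.
    Items before any prefix are added to all three protocols, matching how
    nmap treats an unqualified list such as '-p22,80'.
    """
    result = {"tcp": set(), "udp": set(), "sctp": set()}
    current = None  # None: no prefix seen yet, so items apply to all protocols
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in port specification")
        if item[0].upper() in PROTO_NAMES and item[1:2] == ":":
            current = PROTO_NAMES[item[0].upper()]
            item = item[2:]
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1        # '-100' means 1-100
            hi = int(hi_s) if hi_s else 65535    # '1000-' means 1000-65535
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of bounds: %r" % item)
        for proto in ([current] if current else result):
            result[proto].update(range(lo, hi + 1))
    return result


def port_count(spec):
    """Total number of (port, protocol) pairs a specification expands to."""
    return sum(len(ports) for ports in parse_port_spec(spec).values())
```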
Service/version detection:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to the most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
Script scan:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma-separated list of directories, script files or script categories
--script-args=<n1=v1,[n2=v2,...]>: Provide arguments to scripts
--script-args-file=filename: Provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database
--script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script files or script categories
OS detection:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess the OS more aggressively
Timing and performance:
Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set the timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies the probe round trip time
--max-retries <tries>: Caps the number of port scan probe retransmissions
--host-timeout <time>: Give up on a target after this long
--scan-delay/--max-scan-delay <time>: Adjust the delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
Firewall/IDS evasion and spoofing:
-f; --mtu <val>: Fragment packets (optionally with the given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof the source address
-e <iface>: Use the specified interface
-g/--source-port <portnum>: Use the given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with the specified IP options
--ttl <val>: Set the IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Output:
-oN/-oX/-oS/-oG <file>: Output the scan in normal, XML, s|<rIpt kIddi3 and grepable format, respectively, to the given file
-oA <basename>: Output in the three major formats at once
-v: Increase the verbosity level (use -vv or more for greater effect)
-d: Increase the debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber the specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference the stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating an XSL stylesheet with the XML output
Misc:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify a custom Nmap data file location
--send-eth/--send-ip: Send using raw Ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print the version number
-h: Print this help summary page
Scanning a system by hostname and IP address
Nmap offers several ways to scan a system. In this example a hostname and an IP address are used to scan a system and find all of its open ports, services and MAC address.
Scanning a system by hostname
[root@localhost zzf]# nmap www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:47 CST
Nmap scan report for www.baidu.com (180.101.49.12)
Host is up (0.0011s latency).
Other addresses for www.baidu.com (not scanned): 180.101.49.11
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 56.39 seconds
Scanning a system by IP address
[root@localhost zzf]# nmap 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 10:49 CST
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
1947/tcp open sentinelsrm
3306/tcp open mysql
5357/tcp open wsdapi
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
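As an added example (not code from this page or from Nmap), the following Python parses the normal-format output shown above into structured records and diffs two scans so that a newly open port stands out; the sample text is the page's own scan of 192.168.100.65, shortened to four port lines.

```python
# Added example (not Nmap's own code): parse Nmap's normal/console output
# into records a script can diff between scans. SAMPLE is the page's scan of
# 192.168.100.65, shortened to four port lines.
import re

SAMPLE = """\
Nmap scan report for 192.168.100.65
Host is up (0.00067s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
3306/tcp open mysql
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)\.$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_normal_output(text):
    """Return one dict per host: address, hostname, latency_s, ports."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:  # hostname form: "report for www.baidu.com (180.101.49.12)"
            name, addr = m.groups()
            hosts.append({"address": addr or name,
                          "hostname": name if addr else None,
                          "latency_s": None, "ports": []})
        elif hosts and (m := UP_RE.match(line)):
            hosts[-1]["latency_s"] = float(m.group(1))
        elif hosts and (m := PORT_RE.match(line)):
            port, proto, state, service = m.groups()
            hosts[-1]["ports"].append({"port": int(port), "proto": proto,
                                       "state": state, "service": service})
    return hosts


def new_open_ports(baseline, current):
    """(address, port, proto) tuples open in `current` but not in `baseline`."""
    def open_set(hosts):
        return {(h["address"], p["port"], p["proto"])
                for h in hosts for p in h["ports"] if p["state"] == "open"}
    return sorted(open_set(current) - open_set(baseline))
```

For real runs, save the scan with -oN and feed the file's contents to parse_normal_output; the -oX XML output is the better choice for anything beyond a quick diff.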
Scanning with the -v option
Using the -v option gives more detailed information about the remote machine.
[root@localhost zzf]# nmap -v 192.168.100.65
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-14 11:18 CST
Initiating Ping Scan at 11:18
Scanning 192.168.100.65 [4 ports]
Completed Ping Scan at 11:18, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:18
Completed Parallel DNS resolution of 1 host. at 11:18, 0.01s elapsed
Initiating SYN Stealth Scan at 11:18
Scanning 192.168.100.65 [1000 ports]
Discovered open port 3306/tcp on 192.168.100.65
Discovered open port 443/tcp on 192.168.100.65
Discovered open port 135/tcp on 192.168.100.65
Discovered open port 139/tcp on 192.168.100.65
Discovered open port 445/tcp on 192.168.100.65
Discovered open port 5432/tcp on 192.168.100.65
Discovered open port 12265/tcp on 192.168.100.65
Increasing send delay for 192.168.100.65 from 0 to 5 due to 11 out of 17 dropped probes since last increase.
Discovered open port 5357/tcp on 192.168.100.65
Discovered open port 9001/tcp on 192.168.100.65
SYN Stealth Scan Timing: About 48.13% done; ETC: