Nmap full-open scan, half-open scan
Hello readers, hope you are all doing well.
For security researchers and hackers, nmap must be the breakfast they start their day with. Well, given its diverse functionality and extreme flexibility, it certainly deserves its dominance.
Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
There are a good number of blogs enumerating nmap usage, scan types and other utilities. I’ll list them at the end. But I didn’t find any regarding the phases an nmap scan goes through. This blog will take you through the nmap scan phases with their outcome on the terminal. For further research and contribution, I recommend you go through the official nmap website.
1. Target Enumeration
You must have always been scanning a particular IP, or a single IP at a time. No offence, as 80% of nmap users do so. But nmap is more than this. It can take a combination of host DNS names, IP addresses and CIDR network notations. This is an essential step and cannot be skipped. But you make nmap’s task easy by simply providing an IP, so no further resolution is required.
Here, the -sL switch comes in very handy to actually identify your targets. The stealth here is: it discovers the hosts without sending any packets to the target system, so this scan escapes IDS.
Supposing you need to pentest the Jharkhand government website (assuming you’ve got all the required written authorisation), mapping jharkhand.gov.in with -sL gives you a proper list of IPs under your jurisdiction.
nmap -sL jharkhand.gov.in/29

From the output, it is absolutely clear that you can only test 112.133.209.139, because only that IP comes under jharkhand.gov.in within the CIDR /29 (the rest of the IPs belong to other organisations). Stay away from the other IP addresses, as it may land you handsome civil and criminal charges.
Always perform -sL with a CIDR /24, as it gives complete flexibility, though it may take a very long time.
On further recon, I evaluated that the 112.133.209.139 IP itself gives you access to these sites:

2. Host Discovery
Scans begin by discovering which hosts are actually up (active) and thus worth deeper investigation. Nmap offers many host discovery techniques, ranging from quick ARP requests to elaborate combinations of TCP, ICMP, and other types of probes. This phase is run by default, though you can skip it (simply assuming all target IPs are online) using the -Pn (no ping) option. To quit after host discovery, specify -sn.
The -sn switch is very useful: it only reports whether the host is active or not. It allows light reconnaissance of a target network without attracting much attention.


Knowing how many hosts are up is more valuable to attackers than the list of every single IP and host name provided by the list scan. As shown above, the given CIDR contains a total of 64 addresses, but only 1 is active and the rest of the hosts are down, so this saves the time spent scanning the inactive IPs in that network range.
Not only can nmap scan IPs, it can also work with domain names. It is capable of reverse DNS lookups for the input provided. This feature makes it more human friendly, as we tend to remember domain names more than IP addresses. This runs by default, but it may be skipped with the -n (no DNS resolution) option; DNS can be slow even with Nmap’s built-in parallel stub resolver, so this option reduces scanning times.
Prefer the -n option for speedy results.

3. Port Scanning
This is Nmap’s core operation. Probes are sent, and the responses (or non-responses) to those probes are used to classify remote ports into states such as open, closed, or filtered.
There are many mechanisms by which you can scan and confirm which ports are open or closed. Sometimes one scan technique yields different results than another, due to various firewall restrictions and filtering.
-sS  SYN stealth port scan
-sT  TCP connect port scan
-sU  UDP port scan
-sA  TCP ACK port scan
-p   Port or port range (e.g. -p1-10000)
-p-  Scan all 65535 ports
-F   Fast scan: the 100 most common ports

It’s always better to perform successive scans in multiple ways. Scanning all 65535 ports in one go takes a very, very long time; instead, break it down into batches of thousands of ports and run them all simultaneously.

4. Service and Version Detection
If any ports are found to be open, Nmap may be able to determine what server software is running on the remote system. It does this by sending a variety of probes to the open ports and matching any responses against a database of more than 6,500 known service signatures. It is not run by default and is enabled with the -sV option.

5. OS Detection
If requested with the -O option, Nmap proceeds to Operating System (OS) detection. Different operating systems implement network standards in subtly different ways. By measuring these differences it is often possible to determine the operating system running on a remote host. Nmap matches responses to a standard set of probes against a database of more than a thousand known operating system responses.

Assigning -sV also does the job of OS detection. Personally, I prefer -sV more than -O.

6. Traceroute
Nmap contains an optimized traceroute implementation, enabled by the --traceroute option. It can find the network routes to many hosts in parallel, using the best available probe packets as determined by Nmap’s previous discovery phases.
I work in VirtualBox, so my --traceroute doesn’t show many nodes. But on the main machine it should.
7. Script Scanning
Most Nmap Scripting Engine (NSE) scripts run during this main script scanning phase, rather than the prescan and postscan phases. NSE is powered by the Lua programming language and a standard library designed for network information gathering. Scripts running during this phase generally run once for each target host and port number that they interact with. They commonly perform tasks such as detecting service vulnerabilities, malware discovery, collecting more information from databases and other network services, and advanced version detection. NSE is not enabled by default. You request it with option switches such as --script or -sC.
8. Output
Nmap collects all the information it has gathered and writes it to the screen or to a file. Nmap can write output in several formats. Its default, human-readable format (interactive format) is the one usually presented in this book. Nmap also offers an XML-based output format, among others.
-oN <filename>
Produces output in normal format. No need for an example, this is the format we’ve been following from the
-oX <filename>.xml
Produces output in XML format.

The XML output can be converted to HTML with
xsltproc report.xml -o myreport.html
and then opening the new report in any browser.
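As an added example (not from the original post), this Python reads an -oX XML report with the standard library and lists the open ports and detected versions for each live host, skipping the ambiguous open|filtered state unless asked for. The XML, the TEST-NET address, the hostname and the product strings are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed `nmap -sS -sV -oX report.xml` output. The host, ports and
# product strings are invented; 192.0.2.0/24 is a documentation-only range.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX report.xml 192.0.2.10" version="7.80">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="target.example" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
<service name="snmp"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_ports(xml_text, include_unsure=False):
    """Map each host that is up to a sorted list of (port, proto, service,
    product+version) for its open ports. Hosts that are down are dropped, and
    'open|filtered' ports (no reply, common for UDP) are only included on request."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        entries = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state != "open" and not (include_unsure and state == "open|filtered"):
                continue
            svc = port.find("service")
            name, product = "", ""
            if svc is not None:
                name = svc.get("name", "")
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            entries.append((int(port.get("portid")), port.get("protocol"), name, product))
        result[addr.get("addr")] = sorted(entries)
    return result


if __name__ == "__main__":
    for ip, ports in open_ports(NMAP_XML).items():
        for portid, proto, name, product in ports:
            print(f"{ip}\t{portid}/{proto}\t{name}\t{product}")
```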

Disclaimer: Using Nmap against a target or network without explicit permission can be illegal under your jurisdiction and should therefore not be attempted. Please get authorisation before scanning any organisation’s network. Please read the following excerpt from nmap before hitting your terminal with nmap.
Thanks
Thanks for your time. I hope you now know how to recon a target better than your friends. Well, I promised to give you references to other very elaborate nmap blogs. Those are:
2. by Sanyam Chnawla
If you gained knowledge and found it explanatory enough, do like and share it with your hacker friends.
Translated from: https://medium.com/@greyhatlinux/phases-of-an-nmap-scan-e6491e081707