Web信息收集-目标扫描-Nmap

一、Nmap简介
二、扫描示例

使用主机名扫描：
使用IP地址扫描：
扫描多台主机：
扫描整个子网
使用IP地址的最后一个字节扫描多台服务器
从一个文件中扫描主机列表
扫描一个IP地址范围
排除一些远程主机后再扫描
扫描操作系统信息和路由跟踪
启用Nmap的操作系统探测功能
扫描主机侦测防火墙
扫描主机检测是否有防火墙保护
找出网络中的在线主机
执行快速扫描
顺序扫描端口：

扫描特定的端口：
扫描TCP端口：
扫描UDP端口：
扫描多个端口：
扫描指定范围内的端口：
使用TCP Syn扫描最常用的端口：

打印主机接口和路由
版本扫描
使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机
使用TCP ACK扫描远程主机上特定的端口
使用TCP Syn扫描远程主机上特定的端口
执行一次隐蔽的扫描
执行TCP空扫描以骗过防火墙
扫描使用“-v”选项
脚本扫描

三、Nmap图形化界面-Zenmap

3.1 Intense scan
3.2 Intense scan plus UDP
3.3 Intense scan,all TCP ports
3.4 Intense scan no ping
3.5 ping scan
3.6 quick scan
3.7 quick scan plus
3.8 Quick traceroute
3.9 Regular scan
3.10 slow comprehensive scan

Nmap相关优质博文：

NOSEC（安全讯息平台）：iso60001：Nmap中一些常用的NSE脚本
博客园：lyshark：Nmap基础命令
博客园：曾是土木人：Nmap命令的29个实用范例

一、Nmap简介

Nmap是安全渗透领域最强大的开源端口扫描器，能跨平台支持运行。
官网：Https://nmap.org/
官网：http://sectools.org/

二、扫描示例

使用主机名扫描：

[root@server1 ~]# nmap server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
You have new mail in /var/spool/mail/root

使用IP地址扫描：

[root@server1 ~]# nmap 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
You have new mail in /var/spool/mail/root

扫描多台主机：

在Nmap命令后加上多个IP地址或主机名来扫描多台主机。

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

扫描整个子网

可以使用*通配符来扫描整个子网或某个范围的IP地址。

[root@server1 ~]# nmap 192.168.0.*
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknown
 
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds
You have new mail in /var/spool/mail/root

使用IP地址的最后一个字节扫描多台服务器

可以简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如，我在下面执行中扫描了IP地址192.168.0.101，192.168.0.102和192.168.0.103。

[root@server1 ~]# nmap 192.168.0.101,102,103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds
You have new mail in /var/spool/mail/root

从一个文件中扫描主机列表

如果你有多台主机需要扫描且所有主机信息都写在一个文件中，那么你可以直接让nmap读取该文件来执行扫描，让我们来看看如何做到这一点。

创建一个名为“nmaptest.txt ”的文本文件，并定义所有你想要扫描的服务器IP地址或主机名。

[root@server1 ~]# cat > nmaptest.txt 
localhost
server2.tecmint.com
192.168.0.101

接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址：

[root@server1 ~]# nmap -iL nmaptest.txt 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
857/tcp open  unknown
 
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds

扫描一个IP地址范围

以在nmap执行扫描时指定IP范围。

[root@server1 ~]# nmap 192.168.0.101-110 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds

排除一些远程主机后再扫描

在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds
You have new mail in /var/spool/mail/root

扫描操作系统信息和路由跟踪

使用Nmap，你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测，脚本扫描和路由跟踪功能，我们可以使用NMAP的“-A“选项。

[root@server1 ~]# nmap -A 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
 
Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)
 
Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds

从上面的输出你可以看到，Nmap显示出了远程主机操作系统的TCP / IP协议指纹，并且更加具体的显示出远程主机上的端口和服务。

启用Nmap的操作系统探测功能

使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。

[root@server1 ~]# nmap -O server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS
R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
 
Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)
 
Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds
You have new mail in /var/spool/mail/root

扫描主机侦测防火墙

扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

[root@server1 ~]# nmap -sA 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds
You have new mail in /var/spool/mail/root

扫描主机检测是否有防火墙保护

[root@server1 ~]# nmap -PN 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds

找出网络中的在线主机

使用“-sP”选项，我们可以简单的检测网络中有哪些在线主机，该选项会跳过端口扫描和其他一些检测。

[root@server1 ~]# nmap -sP 192.168.0.*
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds

执行快速扫描

使用“-F”选项执行一次快速扫描，仅扫描列在nmap-services文件中的端口而避开所有其它的端口。

[root@server1 ~]# nmap -F 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds

顺序扫描端口：

[root@server1 ~]# nmap -r 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds

扫描特定的端口：

使用Nmap扫描远程机器的端口有各种选项，你可以使用“-P”选项指定你想要扫描的端口，默认情况下nmap只扫描TCP端口。

[root@server1 ~]# nmap -p 80 server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) sca

扫描TCP端口：

[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
80/tcp   open  http
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

扫描UDP端口：

[root@server1 ~]# nmap -sU 53 server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
53/udp   open  http
8888/udp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

扫描多个端口：

可以使用选项“-P”来扫描多个端口。

[root@server1 ~]# nmap -p 80,443 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

扫描指定范围内的端口：

可以使用表达式来扫描某个范围内的端口。

[root@server1 ~]#  nmap -p 80-160 192.168.0.101

使用TCP Syn扫描最常用的端口：

[root@server1 ~]# nmap -sT 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.406 seconds
You have new mail in /var/spool/mail/root

打印主机接口和路由

使用nmap的“–iflist”选项检测主机接口和路由信息。

[root@server1 ~]# nmap --iflist
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)    127.0.0.1/8      loopback up
eth0 (eth0)  192.168.0.100/24 ethernet up 08:00:27:11:C7:89
 
**************************ROUTES**************************
DST/MASK      DEV  GATEWAY
192.168.0.0/0 eth0
169.254.0.0/0 eth0

版本扫描

查找主机服务版本号：

[root@server1 ~]# nmap -sV 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds

使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机

有时候包过滤防火墙会阻断标准的ICMP ping请求，在这种情况下，我们可以使用TCP ACK和TCP Syn方法来扫描远程主机。

[root@server1 ~]# nmap -PS 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds
You have new mail in /var/spool/mail/root

使用TCP ACK扫描远程主机上特定的端口

[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds
You have new mail in /var/spool/mail/root

使用TCP Syn扫描远程主机上特定的端口

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds
You have new mail in /var/spool/mail/root

执行一次隐蔽的扫描

[root@server1 ~]# nmap -sS 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds
You have new mail in /var/spool/mail/root

执行TCP空扫描以骗过防火墙

[root@server1 ~]# nmap -sN 192.168.0.101
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
957/tcp  open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds
You have new mail in /var/spool/mail/root

扫描使用“-v”选项

[root@server1 ~]# nmap -v server2.tecmint.com
 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Discovered open port 8888/tcp on 192.168.0.101
Discovered open port 111/tcp on 192.168.0.101
Discovered open port 3306/tcp on 192.168.0.101
Discovered open port 957/tcp on 192.168.0.101
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 
Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
               Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)

脚本扫描

/usr/shar/nmap/scripts#
nmap --script=default 192.168.106.1
nmap --script=auth 192.168.106.1
nmap --script=brute 192.168.106.1
nmap --script=vuln 192.168.106.1
nmap --script=broadcast 192.168.106.1
nmap --script=smb-brute.nse 192.168.106.1
nmap --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.106.1
nmap --script=smb-vuln-conficker.nse --script-args=unsafe=1 192.168.106.1
nmap -p3306 --script=mysql-empty-password.nse 192.168.106.1

三、Nmap图形化界面-Zenmap

3.1 Intense scan

Nmap -T4 -A -v 192.168.106.1

-T 设置速度登记，1到5级，数字越大，速度越快
-A 综合扫描
-v 输出扫描过程

3.2 Intense scan plus UDP

Nmap -sS -sU -T4 -A -v 192.168.106.1

-sS TCP全连接扫描
-sU UDP扫描

3.3 Intense scan,all TCP ports

Nmap -p 65535 -T4 -A -v 192.168.106.1

-p 指定端口范围，默认扫描1000个端口

3.4 Intense scan no ping

Nmap -T4 -A -v -Pn 192.168.106.1/24

-Pn 不做ping扫描，例如针对防火墙等安全产品

3.5 ping scan

Nmap -sn 192.168.106.1/24
Nmap -sn -T4 -v 192.168.106.1/24

-sn 只做ping扫描，不做端口扫描

3.6 quick scan

Nmap -T4 -F 192.168.106.1

-F fast模式，只扫描常见服务端口，比默认端口（1000个）还少

3.7 quick scan plus

Nmap -sV -T4 -O -F --version-light 192.168.106.1

-sV 扫描系统和服务版本
-O 扫描操作系统版本

3.8 Quick traceroute

Nmap -sn --traceroute www.baidu.com

3.9 Regular scan

Nmap www.baidu.com

3.10 slow comprehensive scan

Nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script “default or (discovery and safe)” www.baidu.com

相关阅读:
测量标准体重
 bytearray和file的后端上传方式
 jdbc in postgres
Using dblink in Postgres
计算文件的MD5值(Java & Rust)
spring读写分离(配置多数据源）[marked]
Spring Transaction + MyBatis SqlSession事务管理机制[marked]
jetty ZipException: invalid entry size
maven
KAL1 LINUX 官方文档之虚拟化 --- 转换为OVA
原文地址：https://www.cnblogs.com/aixing/p/13327173.html