1. Concept
Nmap (Network Mapper) started out as a network scanning and sniffing toolkit for Linux.
2. Overview
nmap is a network port scanner used to find the open ports of computers on a network. It determines which services run on which ports and infers which operating system the computer is running (this is also known as fingerprinting). It is one of the must-have tools for network administrators and is also used to assess the security of network systems.
Like most tools used in network security, nmap is also a favourite tool of hackers and crackers (also called script kiddies). System administrators can use nmap to detect unapproved servers in their environment, whereas an attacker uses nmap to gather a target computer's network configuration in order to plan an attack.
Nmap is often confused with the vulnerability assessment software Nessus. Nmap uses stealthy techniques to avoid the attention of intrusion detection systems and tries to disturb the target system's day-to-day operation as little as possible.
3. Installation
1. Install nmap first (the archive extracted must match the one downloaded; the original listed 7.40 for the download and 7.01 for the extraction, corrected here to a single version):
yum install nmap
wget http://nmap.org/dist/nmap-7.40.tar.bz2
tar -xvf nmap-7.40.tar.bz2
cd nmap-7.40/
./configure
make
make install
2. Then install python-nmap:
sudo pip install python-nmap
4. Command-line usage
a. Ping scan: print the hosts that responded to the scan, with no further testing (such as port scanning or OS detection):
nmap -sP 192.168.1.0/24
b. Only list every host on the given network, without sending any packets to the target hosts:
nmap -sL 192.168.1.0/24
c. Probe the target host's open ports; a comma-separated port list can be given (e.g. -PS22,23,25,80):
nmap -PS 192.168.1.234
d. Probe hosts with a UDP ping:
nmap -PU 192.168.1.0/24
e. The most frequently used scan option: the SYN scan, also called the half-open scan. It never opens a full TCP connection, so it runs very fast:
nmap -sS 192.168.1.0/24
5. Options:
-sP: ping scan; prints the hosts that responded to the scan.
-sn: host discovery only, no port scan.
-sS: the most frequently used scan option, the SYN scan; it does not open a full TCP connection, so it runs faster.
-sT: full TCP connect scan.
-sU: UDP scan.
-sO: find which IP protocols the server supports.
-sV: probe open ports for service and version information.
-Pn: skip host discovery (no ping) and go straight to the deeper scan phases against every target.
-A: aggressive scan mode.
-O: operating system detection.
-T4: set the timing template used during the scan.
-v: verbose output.
Simple application example
import nmap
nm = nmap.PortScanner()
ret = nm.scan('115.239.210.26', '20')
print(ret)
The return format is as follows:
{'nmap': {'scanstats': {'uphosts': '1', 'timestr': 'Tue Oct 25 11:30:47 2016', 'downhosts': '0', 'totalhosts': '1', 'elapsed': '1.11'},
          'scaninfo': {'tcp': {'services': '20', 'method': 'connect'}},
          'command_line': 'nmap -oX - -p 20 -sV 115.239.210.26'},
 'scan': {'115.239.210.26': {'status': {'state': 'up', 'reason': 'syn-ack'},
                             'hostnames': [{'type': '', 'name': ''}],
                             'vendor': {},
                             'addresses': {'ipv4': '115.239.210.26'},
                             'tcp': {20: {'product': '', 'state': 'filtered', 'version': '', 'name': 'ftp-data', 'conf': '3', 'extrainfo': '', 'reason': 'no-response', 'cpe': ''}}}}}
Scanning for live IPs and MAC addresses
import nmap

def nmap_ping_scan(network_prefix):
    # network_prefix: '192.168.6.1-4' or '192.168.6.1/24'
    nm = nmap.PortScanner()  # create the nmap scanner object
    ping_scan_raw = nm.scan(hosts=network_prefix, arguments='-sn')  # arguments selects the scan type; -sn is host discovery only
    host_list_ip = []
    for result in ping_scan_raw['scan'].values():  # iterate over the per-host entries under 'scan'
        if result['status']['state'] == 'up':  # 'up' means the remote host is alive
            host_list_ip.append(result['addresses'])  # the 'addresses' dict holds 'ipv4' and, when nmap saw it, 'mac'
    return host_list_ip
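The function above only collects the address dicts; the result structure printed earlier also carries per-port state, which is what an administrator needs to spot unapproved services (the use case from the overview). The following is an added example, not code from the page or from the python-nmap project: it extracts live hosts, lists the ports reported open, and compares them against an approved baseline. SAMPLE_SCAN is a constructed dict shaped like python-nmap's output with made-up IPs, MACs and ports, the baseline dict is an assumed stand-in for a real inventory, and StubScanner is a hypothetical stand-in for nmap.PortScanner so the code runs without nmap installed.

```python
"""Work with python-nmap results: host discovery and an approved-service check.

Added example (not code from the page or from the python-nmap project).
SAMPLE_SCAN is a constructed dict in the shape python-nmap returns; the
IPs, MACs and ports in it are made up. The baseline of approved ports is
an assumption standing in for an organisation's own inventory.
"""


def live_hosts(scan_result):
    """Return {ip: addresses} for every host whose status state is 'up'.

    'addresses' holds 'ipv4' and, when nmap could see it (same LAN,
    ARP reply), 'mac'; a down host is skipped entirely.
    """
    hosts = {}
    for ip, result in scan_result.get('scan', {}).items():
        if result.get('status', {}).get('state') == 'up':
            hosts[ip] = dict(result.get('addresses', {}))
    return hosts


def open_tcp_ports(host_result):
    """Sorted list of TCP ports reported as 'open' (filtered ones are not counted)."""
    tcp = host_result.get('tcp', {})
    return sorted(int(p) for p, info in tcp.items() if info.get('state') == 'open')


def unexpected_services(scan_result, approved):
    """Compare open ports against an approved baseline.

    approved maps ip -> set of TCP ports allowed to be open. Returns
    {ip: [ports]} for every live host exposing something outside the
    baseline; a host absent from the baseline counts as nothing approved.
    """
    findings = {}
    for ip, result in scan_result.get('scan', {}).items():
        if result.get('status', {}).get('state') != 'up':
            continue
        extra = [p for p in open_tcp_ports(result) if p not in approved.get(ip, set())]
        if extra:
            findings[ip] = extra
    return findings


def discover(network_prefix, scanner=None):
    """Run nmap host discovery (-sn) and return the live hosts.

    scanner defaults to nmap.PortScanner() from python-nmap; anything with
    the same .scan(hosts=, arguments=) interface can be injected, which is
    how StubScanner below lets this run without nmap installed.
    """
    if scanner is None:
        import nmap  # python-nmap; imported lazily so the rest works without it
        scanner = nmap.PortScanner()
    return live_hosts(scanner.scan(hosts=network_prefix, arguments='-sn'))


# Constructed sample result (made-up addresses), shaped like python-nmap output.
SAMPLE_SCAN = {
    'nmap': {'command_line': 'nmap -oX - -sn 192.168.6.0/29',
             'scanstats': {'uphosts': '2', 'downhosts': '1', 'totalhosts': '3'}},
    'scan': {
        '192.168.6.1': {'status': {'state': 'up', 'reason': 'arp-response'},
                        'addresses': {'ipv4': '192.168.6.1', 'mac': '00:11:22:33:44:55'},
                        'tcp': {22: {'state': 'open', 'name': 'ssh'},
                                8080: {'state': 'open', 'name': 'http-proxy'}}},
        '192.168.6.2': {'status': {'state': 'down', 'reason': 'no-response'},
                        'addresses': {'ipv4': '192.168.6.2'}},
        '192.168.6.3': {'status': {'state': 'up', 'reason': 'arp-response'},
                        'addresses': {'ipv4': '192.168.6.3', 'mac': '00:11:22:33:44:66'},
                        'tcp': {20: {'state': 'filtered', 'name': 'ftp-data'},
                                3306: {'state': 'open', 'name': 'mysql'}}},
    },
}


class StubScanner:
    """Hypothetical stand-in for nmap.PortScanner that returns SAMPLE_SCAN (offline demo)."""

    def scan(self, hosts, arguments=''):
        return SAMPLE_SCAN


if __name__ == '__main__':
    for ip, addrs in discover('192.168.6.0/29', scanner=StubScanner()).items():
        print(ip, addrs.get('mac', '(mac not seen)'))
    approved = {'192.168.6.1': {22}, '192.168.6.3': {3306}}
    print('unexpected:', unexpected_services(SAMPLE_SCAN, approved))
```

Against a real network, call discover(prefix) with no scanner argument so python-nmap runs nmap -sn; only 'open' ports are counted as findings, because 'filtered' (as port 20 shows in the page's own output) tells you nothing about what is listening.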
Usage illustrations
1. Ping scan: find which hosts on the 192.168.0.0/24 network are up;
[root@laolinux ~]# nmap -sP 192.168.0.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 06:59 CST
Host laolinux (192.168.0.3) appears to be up.
Host 192.168.0.20 appears to be up.
MAC Address: 00:1E:4F:CD:C6:0E (Unknown)
Host 192.168.0.108 appears to be up.
MAC Address: 00:E3:74:27:05:B7 (Unknown)
Host 192.168.0.109 appears to be up.
MAC Address: 00:E0:E4:A6:14:6F (Fanuc Robotics North America)
2. Port scan: find which ports host 192.168.0.3 has open;
[root@laolinux ~]# nmap -sT 192.168.0.3
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:02 CST
Interesting ports on laolinux (192.168.0.3):
Not shown: 1667 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
964/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
10000/tcp open  snet-sensor-mgmt
Nmap finished: 1 IP address (1 host up) scanned in 4.755 seconds
3. Stealth scan, which leaves very little log information on the target host:
[root@laolinux ~]# nmap -sS 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
912/tcp open  unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 3.121 seconds
4. UDP port scan: find which UDP ports 192.168.0.127 has open;
[root@laolinux ~]# nmap -sU 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:08 CST
Interesting ports on 192.168.0.127:
Not shown: 1480 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered UPnP
4500/udp open|filtered sae-urn
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Nmap finished: 1 IP address (1 host up) scanned in 2.947 seconds
5. Operating system detection:
[root@laolinux ~]# nmap -sS -O 192.168.0.127
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:09 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
912/tcp open  unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Nmap finished: 1 IP address (1 host up) scanned in 5.687 seconds
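The five runs above are nmap's "normal" text output. When such output is all you have (a log from an older scan, a pasted terminal session), it still has to be turned into structured records before it can be diffed against an inventory. The following parser is an added example, not from the page or from the nmap project: it handles the three line shapes seen above (host-up lines from the ping scan, the "Interesting ports on" header with its port table, and the MAC / OS details lines) and keeps the ambiguous open|filtered state from the UDP scan separate from a confirmed open. The samples are constructed from the page's own runs; the regexes match the Nmap 4.11 format shown and are an assumption for other versions, where the XML output (-oX) is the stable interface to parse.

```python
"""Parse nmap normal (text) output, as shown in the sample runs above.

Added example, not from the page or from the nmap project. The regexes
cover the line shapes in those Nmap 4.11 runs and are an assumption for
other versions; the sample strings below are built from the page's output.
"""
import re

HOST_UP = re.compile(r'^Host (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)? appears to be up\.')
PORTS_ON = re.compile(r'^Interesting ports on (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?:')
PORT = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')
MAC = re.compile(r'^MAC Address: (?P<mac>[0-9A-F:]{17}) \((?P<vendor>[^)]*)\)')


def _new_host(match):
    return {'ip': match.group('ip'), 'hostname': match.group('name'),
            'mac': None, 'vendor': None, 'ports': [], 'os': None}


def parse_nmap_output(text):
    """Return a list of host records, one per host block in the text."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_UP.match(line) or PORTS_ON.match(line)
        if m:  # a new host starts; later lines attach to it
            current = _new_host(m)
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first host
        m = PORT.match(line)
        if m:
            current['ports'].append({'port': int(m.group('port')), 'proto': m.group('proto'),
                                     'state': m.group('state'), 'service': m.group('service')})
            continue
        m = MAC.match(line)
        if m:
            current['mac'], current['vendor'] = m.group('mac'), m.group('vendor')
        elif line.startswith('OS details: '):
            current['os'] = line[len('OS details: '):]
    return hosts


def port_numbers(host, include_filtered=False):
    """Ports confirmed 'open'; with include_filtered=True also 'open|filtered',
    the ambiguous state a UDP scan reports when nothing answered the probe."""
    wanted = {'open', 'open|filtered'} if include_filtered else {'open'}
    return sorted(p['port'] for p in host['ports'] if p['state'] in wanted)


# Samples constructed from the page's runs (abridged where noted).
PING_SAMPLE = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 06:59 CST
Host laolinux (192.168.0.3) appears to be up.
Host 192.168.0.20 appears to be up.
MAC Address: 00:1E:4F:CD:C6:0E (Unknown)
"""

UDP_SAMPLE = """\
Interesting ports on 192.168.0.127:
Not shown: 1480 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
500/udp  open|filtered isakmp
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
"""

TCP_OS_SAMPLE = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-04-25 07:09 CST
Interesting ports on 192.168.0.127:
Not shown: 1675 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
912/tcp open  unknown
MAC Address: 00:11:1A:35:38:62 (Motorola BCS)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2
Nmap finished: 1 IP address (1 host up) scanned in 5.687 seconds
"""

if __name__ == '__main__':
    for host in parse_nmap_output(TCP_OS_SAMPLE):
        print(host['ip'], host['mac'], host['os'], port_numbers(host))
    udp = parse_nmap_output(UDP_SAMPLE)[0]
    print('udp confirmed open:', port_numbers(udp),
          'open|filtered:', port_numbers(udp, include_filtered=True))
```

Note that the UDP record yields no confirmed-open ports at all: open|filtered means the probe got no reply, which a firewall dropping the packet produces just as well as a listening service, so a report that silently merges the two states overstates what the scan proved.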
Official documentation: https://nmap.org/man/zh/index.html
Reference blog: https://www.cnblogs.com/zhaijiahui/p/8367327.html
Reference blog: https://my.oschina.net/u/4518087/blog/4728442?hmsr=kaifa_page