• nmap


    看到一个挺不错的网址, 列出了一些常用命令的语法, 这里参考 https://www.hackfun.org/kali-tools/kali-tools-zh.html

    nmap包说明

    NMAP(“网络映射”)是一个自由和开放源码(许可证)工具进行网络发现和安全审计。许多系统和网络管理员也觉得有用,如网络库存,管理服务升级计划和监控主机或服务的正常运行时间的任务。 NMAP使用原始IP包以新颖的方式来确定哪些主机是在网络上可用,这些主机正在提供什么样的服务(应用程序的名称和版本),什么操作系统(和OS版本),它们都在运行,什么类型的分组过滤器/防火墙在使用中,和许多其他特性。它的目的是快速扫描大型网络,但能正常工作对单个主机。 Nmap的运行在所有主要计算机操作系统,和官方的二进制软件包可用于Linux,Windows和Mac OS X的除了经典的命令行Nmap的可执行文件,nmap的套件包括一个先进的GUI和结果浏览器(Zenmap)一种灵活的数据传送,重定向和调试工具(NCAT),用于比较扫描结果(Ndiff)的实用程序,并且一个分组产生和响应分析工具(Nping)。

    Nmap的被评为“年度安全产品”,由Linux杂志,信息世界,LinuxQuestions.Org和Codetalker摘要。有人甚至功能十二电影,包括重装上阵,虎胆龙威4,女孩龙纹身,和谍影重重。

    Nmap是比较合适?

    • 灵活:支持数十台先进的技术映射出网络充满了IP过滤,防火墙,路由器和其他障碍。这包括许多端口扫描机制(包括TCP和UDP),操作系统检测,版本检测,ping扫描,等等。请参阅文档页面。
    • 功能强大:Nmap的已被用来扫描字面上机数十万庞大的网络。
    • 便携性:大多数操作系统都支持,包括Linux,微软的Windows,FreeBSD下,OpenBSD系统,Solaris和IRIX,Mac OS X中,HP-UX,NetBSD的,SUN OS,Amiga的,等等。
    • 很简单:虽然Nmap的提供了一套丰富的先进功能的电力用户,你可以开始作为简称为“NMAP -v -A targethost”。这两种传统的命令行和图形(GUI)版本可供选择,以满足您的喜好。二进制文件是为那些谁不希望从源代码编译的Nmap。
    • 免费:在Nmap的项目的主要目标是帮助使互联网更安全一点,并为管理员提供/审计/黑客探索他们的网络的先进工具。 NMAP是可以免费下载,并且还配备了完整的源代码,你可以修改,并根据许可协议的条款重新分发。
    • 有据可查:重大努力已投入全面和最新的手册页,白皮书,教程,甚至一整本书!发现他们在这里多国语言。
    • 支持:虽然Nmap的同时没有担保,这是深受开发者和用户一个充满活力的社区提供支持。大多数这种相互作用发生在Nmap的邮件列表。大多数的bug报告和问题应该发送到NMAP-dev邮件列表,但你读的指引之后。我们建议所有用户订阅低流量的nmap-黑客公布名单。您还可以找到的Nmap在Facebook和Twitter。对于即时聊天,加入Freenode上或连接到efnet的#nmap通道。
    • 好评:Nmap的赢得了无数奖项,包括“信息安全产品奖”,由Linux杂志,信息世界和Codetalker文摘。它已被刊登在数以百计的杂志文章,几部电影,几十本书,一本漫画书系列。访问进一步的细节新闻页面。
    • 热门:成千上万的人下载Nmap的每一天,它包含许多操作系统(红帽Linux,Debian的Linux中,Gentoo的,FreeBSD下,OpenBSD的,等等)。它是在Freshmeat.Net库的前十名(总分30000)方案之间。这是很重要的,因为它的Nmap借给其充满活力的发展和用户的支持群体。

    资料来源:http://nmap.org/
    Nmap的首页 | 卡利Nmap的回购

    作者:陀
    许可:GPL第二版

    包含在nmap包工具

    nping - 网络数据包生成工具/ Ping实用程序

    root@kali:~# nping -h
    Nping 0.6.40 ( http://nmap.org/nping )
    Usage: nping [Probe mode] [Options] {target specification}
    
    TARGET SPECIFICATION:
      Targets may be specified as hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
    PROBE MODES:
      --tcp-connect                    : Unprivileged TCP connect probe mode.
      --tcp                            : TCP probe mode.
      --udp                            : UDP probe mode.
      --icmp                           : ICMP probe mode.
      --arp                            : ARP/RARP probe mode.
      --tr, --traceroute               : Traceroute mode (can only be used with
                                         TCP/UDP/ICMP modes).
    TCP CONNECT MODE:
       -p, --dest-port <port spec>     : Set destination port(s).
       -g, --source-port <portnumber>  : Try to use a custom source port.
    TCP PROBE MODE:
       -g, --source-port <portnumber>  : Set source port.
       -p, --dest-port <port spec>     : Set destination port(s).
       --seq <seqnumber>               : Set sequence number.
       --flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
       --ack <acknumber>               : Set ACK number.
       --win <size>                    : Set window size.
       --badsum                        : Use a random invalid checksum.
    UDP PROBE MODE:
       -g, --source-port <portnumber>  : Set source port.
       -p, --dest-port <port spec>     : Set destination port(s).
       --badsum                        : Use a random invalid checksum.
    ICMP PROBE MODE:
      --icmp-type <type>               : ICMP type.
      --icmp-code <code>               : ICMP code.
      --icmp-id <id>                   : Set identifier.
      --icmp-seq <n>                   : Set sequence number.
      --icmp-redirect-addr <addr>      : Set redirect address.
      --icmp-param-pointer <pnt>       : Set parameter problem pointer.
      --icmp-advert-lifetime <time>    : Set router advertisement lifetime.
      --icmp-advert-entry <IP,pref>    : Add router advertisement entry.
      --icmp-orig-time  <timestamp>    : Set originate timestamp.
      --icmp-recv-time  <timestamp>    : Set receive timestamp.
      --icmp-trans-time <timestamp>    : Set transmit timestamp.
    ARP/RARP PROBE MODE:
      --arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
      --arp-sender-mac <mac>           : Set sender MAC address.
      --arp-sender-ip  <addr>          : Set sender IP address.
      --arp-target-mac <mac>           : Set target MAC address.
      --arp-target-ip  <addr>          : Set target IP address.
    IPv4 OPTIONS:
      -S, --source-ip                  : Set source IP address.
      --dest-ip <addr>                 : Set destination IP address (used as an
                                         alternative to {target specification} ).
      --tos <tos>                      : Set type of service field (8bits).
      --id  <id>                       : Set identification field (16 bits).
      --df                             : Set Don't Fragment flag.
      --mf                             : Set More Fragments flag.
      --ttl <hops>                     : Set time to live [0-255].
      --badsum-ip                      : Use a random invalid checksum.
      --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
      --ip-options <hex string>                    : Set IP options
      --mtu <size>                     : Set MTU. Packets get fragmented if MTU is
                                         small enough.
    IPv6 OPTIONS:
      -6, --IPv6                       : Use IP version 6.
      --dest-ip                        : Set destination IP address (used as an
                                         alternative to {target specification}).
      --hop-limit                      : Set hop limit (same as IPv4 TTL).
      --traffic-class <class> :        : Set traffic class.
      --flow <label>                   : Set flow label.
    ETHERNET OPTIONS:
      --dest-mac <mac>                 : Set destination mac address. (Disables
                                         ARP resolution)
      --source-mac <mac>               : Set source MAC address.
      --ether-type <type>              : Set EtherType value.
    PAYLOAD OPTIONS:
      --data <hex string>              : Include a custom payload.
      --data-string <text>             : Include a custom ASCII text.
      --data-length <len>              : Include len random bytes as payload.
    ECHO CLIENT/SERVER:
      --echo-client <passphrase>       : Run Nping in client mode.
      --echo-server <passphrase>       : Run Nping in server mode.
      --echo-port <port>               : Use custom <port> to listen or connect.
      --no-crypto                      : Disable encryption and authentication.
      --once                           : Stop the server after one connection.
      --safe-payloads                  : Erase application data in echoed packets.
    TIMING AND PERFORMANCE:
      Options which take <time> are in seconds, or append 'ms' (milliseconds),
      's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
      --delay <time>                   : Adjust delay between probes.
      --rate  <rate>                   : Send num packets per second.
    MISC:
      -h, --help                       : Display help information.
      -V, --version                    : Display current version number.
      -c, --count <n>                  : Stop after <n> rounds.
      -e, --interface <name>           : Use supplied network interface.
      -H, --hide-sent                  : Do not display sent packets.
      -N, --no-capture                 : Do not try to capture replies.
      --privileged                     : Assume user is fully privileged.
      --unprivileged                   : Assume user lacks raw socket privileges.
      --send-eth                       : Send packets at the raw Ethernet layer.
      --send-ip                        : Send packets using raw IP sockets.
      --bpf-filter <filter spec>       : Specify custom BPF filter.
    OUTPUT:
      -v                               : Increment verbosity level by one.
      -v[level]                        : Set verbosity level. E.g: -v4
      -d                               : Increment debugging level by one.
      -d[level]                        : Set debugging level. E.g: -d3
      -q                               : Decrease verbosity level by one.
      -q[N]                            : Decrease verbosity level N times
      --quiet                          : Set verbosity and debug level to minimum.
      --debug                          : Set verbosity and debug to the max level.
    EXAMPLES:
      nping scanme.nmap.org
      nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
      nping --icmp --icmp-type time --delay 500ms 192.168.254.254
      nping --echo-server "public" -e wlan0 -vvv
      nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
    
    SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
    

    ndiff - 实用工具来比较的Nmap扫描结果

    root@kali:~# ndiff -h
    Usage: /usr/bin/ndiff [option] FILE1 FILE2
    Compare two Nmap XML files and display a list of their differences.
    Differences include host state changes, port state changes, and changes to
    service and OS detection.
    
      -h, --help     display this help
      -v, --verbose  also show hosts and ports that haven't changed.
      --text         display output in text format (default)
      --xml          display output in XML format
    

    NCAT - 串联并重定向插座

    root@kali:~# ncat -h
    Ncat 6.40 ( http://nmap.org/ncat )
    Usage: ncat [options] [hostname] [port]
    
    Options taking a time assume seconds. Append 'ms' for milliseconds,
    's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
      -4                         Use IPv4 only
      -6                         Use IPv6 only
      -U, --unixsock             Use Unix domain sockets only
      -C, --crlf                 Use CRLF for EOL sequence
      -c, --sh-exec <command>    Executes the given command via /bin/sh
      -e, --exec <command>       Executes the given command
          --lua-exec <filename>  Executes the given Lua script
      -g hop1[,hop2,...]         Loose source routing hop points (8 max)
      -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
      -m, --max-conns <n>        Maximum <n> simultaneous connections
      -h, --help                 Display this help screen
      -d, --delay <time>         Wait between read/writes
      -o, --output <filename>    Dump session data to a file
      -x, --hex-dump <filename>  Dump session data as hex to a file
      -i, --idle-timeout <time>  Idle read/write timeout
      -p, --source-port port     Specify source port to use
      -s, --source addr          Specify source address to use (doesn't affect -l)
      -l, --listen               Bind and listen for incoming connections
      -k, --keep-open            Accept multiple connections in listen mode
      -n, --nodns                Do not resolve hostnames via DNS
      -t, --telnet               Answer Telnet negotiations
      -u, --udp                  Use UDP instead of default TCP
          --sctp                 Use SCTP instead of default TCP
      -v, --verbose              Set verbosity level (can be used several times)
      -w, --wait <time>          Connect timeout
          --append-output        Append rather than clobber specified output files
          --send-only            Only send data, ignoring received; quit on EOF
          --recv-only            Only receive data, never send anything
          --allow                Allow only given hosts to connect to Ncat
          --allowfile            A file of hosts allowed to connect to Ncat
          --deny                 Deny given hosts from connecting to Ncat
          --denyfile             A file of hosts denied from connecting to Ncat
          --broker               Enable Ncat's connection brokering mode
          --chat                 Start a simple Ncat chat server
          --proxy <addr[:port]>  Specify address of host to proxy through
          --proxy-type <type>    Specify proxy type ("http" or "socks4")
          --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
          --ssl                  Connect or listen with SSL
          --ssl-cert             Specify SSL certificate file (PEM) for listening
          --ssl-key              Specify SSL private key (PEM) for listening
          --ssl-verify           Verify trust and domain name of certificates
          --ssl-trustfile        PEM file containing trusted SSL certificates
          --version              Display Ncat's version information and exit
    
    See the ncat(1) manpage for full options, descriptions and usage examples
    

    NMAP - 网络映射

    root@kali:~# nmap -h
    Nmap 6.40 ( http://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
      Can pass hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
      -iL <inputfilename>: Input from list of hosts/networks
      -iR <num hosts>: Choose random targets
      --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
      --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
      -sL: List Scan - simply list targets to scan
      -sn: Ping Scan - disable port scan
      -Pn: Treat all hosts as online -- skip host discovery
      -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
      -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
      -PO[protocol list]: IP Protocol Ping
      -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
      --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
      --system-dns: Use OS's DNS resolver
      --traceroute: Trace hop path to each host
    SCAN TECHNIQUES:
      -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
      -sU: UDP Scan
      -sN/sF/sX: TCP Null, FIN, and Xmas scans
      --scanflags <flags>: Customize TCP scan flags
      -sI <zombie host[:probeport]>: Idle scan
      -sY/sZ: SCTP INIT/COOKIE-ECHO scans
      -sO: IP protocol scan
      -b <FTP relay host>: FTP bounce scan
    PORT SPECIFICATION AND SCAN ORDER:
      -p <port ranges>: Only scan specified ports
        Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
      -F: Fast mode - Scan fewer ports than the default scan
      -r: Scan ports consecutively - don't randomize
      --top-ports <number>: Scan <number> most common ports
      --port-ratio <ratio>: Scan ports more common than <ratio>
    SERVICE/VERSION DETECTION:
      -sV: Probe open ports to determine service/version info
      --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
      --version-light: Limit to most likely probes (intensity 2)
      --version-all: Try every single probe (intensity 9)
      --version-trace: Show detailed version scan activity (for debugging)
    SCRIPT SCAN:
      -sC: equivalent to --script=default
      --script=<Lua scripts>: <Lua scripts> is a comma separated list of
               directories, script-files or script-categories
      --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
      --script-args-file=filename: provide NSE script args in a file
      --script-trace: Show all data sent and received
      --script-updatedb: Update the script database.
      --script-help=<Lua scripts>: Show help about scripts.
               <Lua scripts> is a comma separted list of script-files or
               script-categories.
    OS DETECTION:
      -O: Enable OS detection
      --osscan-limit: Limit OS detection to promising targets
      --osscan-guess: Guess OS more aggressively
    TIMING AND PERFORMANCE:
      Options which take <time> are in seconds, or append 'ms' (milliseconds),
      's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
      -T<0-5>: Set timing template (higher is faster)
      --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
      --min-parallelism/max-parallelism <numprobes>: Probe parallelization
      --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
          probe round trip time.
      --max-retries <tries>: Caps number of port scan probe retransmissions.
      --host-timeout <time>: Give up on target after this long
      --scan-delay/--max-scan-delay <time>: Adjust delay between probes
      --min-rate <number>: Send packets no slower than <number> per second
      --max-rate <number>: Send packets no faster than <number> per second
    FIREWALL/IDS EVASION AND SPOOFING:
      -f; --mtu <val>: fragment packets (optionally w/given MTU)
      -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
      -S <IP_Address>: Spoof source address
      -e <iface>: Use specified interface
      -g/--source-port <portnum>: Use given port number
      --data-length <num>: Append random data to sent packets
      --ip-options <options>: Send packets with specified ip options
      --ttl <val>: Set IP time-to-live field
      --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
      --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
    OUTPUT:
      -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
         and Grepable format, respectively, to the given filename.
      -oA <basename>: Output in the three major formats at once
      -v: Increase verbosity level (use -vv or more for greater effect)
      -d: Increase debugging level (use -dd or more for greater effect)
      --reason: Display the reason a port is in a particular state
      --open: Only show open (or possibly open) ports
      --packet-trace: Show all packets sent and received
      --iflist: Print host interfaces and routes (for debugging)
      --log-errors: Log errors/warnings to the normal-format output file
      --append-output: Append to rather than clobber specified output files
      --resume <filename>: Resume an aborted scan
      --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
      --webxml: Reference stylesheet from Nmap.Org for more portable XML
      --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    MISC:
      -6: Enable IPv6 scanning
      -A: Enable OS detection, version detection, script scanning, and traceroute
      --datadir <dirname>: Specify custom Nmap data file location
      --send-eth/--send-ip: Send using raw ethernet frames or IP packets
      --privileged: Assume that the user is fully privileged
      --unprivileged: Assume the user lacks raw socket privileges
      -V: Print version number
      -h: Print this help summary page.
    EXAMPLES:
      nmap -v -A scanme.nmap.org
      nmap -v -sn 192.168.0.0/16 10.0.0.0/8
      nmap -v -iR 10000 -Pn -p 80
    SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
    

    NMAP用法示例

    在扫描详细模式(-v),启用操作系统检测,版本检测,脚本扫描,和traceroute(-A),版本检测(-sV)针对目标IP(192.168.1.1)

    root@kali:~# nmap -v -A -sV 192.168.1.1
    
    Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT
    NSE: Loaded 118 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 18:40
    Scanning 192.168.1.1 [1 port]
    Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 18:40
    Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
    Initiating SYN Stealth Scan at 18:40
    Scanning router.localdomain (192.168.1.1) [1000 ports]
    Discovered open port 53/tcp on 192.168.1.1
    Discovered open port 22/tcp on 192.168.1.1
    Discovered open port 80/tcp on 192.168.1.1
    Discovered open port 3001/tcp on 192.168.1.1
    

    nping用法示例

    使用TCP 模式(-tcp)使用SYN标志探测端口22(-p 22)(-flags SYN)与2(TTL电2)在远程主机上的TTL(192.168.1.1)

    ndiff用法示例

    对比昨天的端口扫描(yesterday.xml)自即日起扫描(today.xml)

    root@kali:~# ndiff yesterday.xml today.xml
    -Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml 192.168.1.1
    +Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml 192.168.1.1
    
     endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1):
    -Not shown: 96 filtered ports
    +Not shown: 97 filtered ports
     PORT   STATE SERVICE VERSION
    -22/tcp open  ssh
    

    NCAT用法示例

    详细(-v),可以运行/ bin / bash的连接上(-exec“/斌/庆典”),只允许1个IP地址(-ALLOW 192.168.1.123),监听TCP端口4444(-l 4444)上,并让听众开上断开(-keep开)

    root@kali:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open
    Ncat: Version 6.45 ( http://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from 192.168.1.123.
    Ncat: Connection from 192.168.1.123:39501.
    Ncat: Connection from 192.168.1.15.
    Ncat: Connection from 192.168.1.15:60393.
    Ncat: New connection denied: not allowed
    
  • 相关阅读:
    App调试的几个命令实践【转】
    解决sdk更新时候报错 http://dl-ssl.google.com/android上不去,链接拒绝
    fastjson序列化排序问题
    Java中的四种引用
    equal&==&hashcode
    ThreadPool线程池的关注点
    JVM的本地方法栈
    JVM的堆分配
    JVM的类装载子系统
    JVM的数据类型
  • 原文地址:https://www.cnblogs.com/mikeguan/p/7192701.html
Copyright © 2020-2023  润新知