• nmap: network probing tool


    Introduction

    nmap is an open-source network discovery tool. It can find which hosts on a network are online, test which ports a host is listening on, identify the application type and version behind each open port, and also detect the operating system type and version.

    Basic features

    nmap has four basic features:

    (1) Host discovery

    (2) Port scanning

    (3) Application version detection

    (4) Operating system detection

    Basic usage:

    [root@master ~]# nmap -A -T4  10.0.0.53
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
    Nmap scan report for 10.0.0.53
    Host is up (0.00056s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.2
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
    22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
    |_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
    MAC Address: 00:0C:29:8F:D5:02 (VMware)
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=6.40%E=4%D=4/5%OT=21%CT=1%CU=42940%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
    OS:=5E896D3B%P=x86_64-redhat-linux-gnu)SEQ(SP=100%GCD=1%ISR=108%TI=Z%TS=A)S
    OS:EQ(SP=100%GCD=1%ISR=108%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7
    OS:%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W
    OS:2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NN
    OS:SNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
    OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
    OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
    OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
    OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
    
    Network Distance: 1 hop
    Service Info: OS: Unix
    
    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.56 ms 10.0.0.53
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds

    Explanation of the results:

    -A: aggressive scan; one switch that turns on OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and traceroute

    -T4: timing template. There are six levels (0-5); the higher the level, the faster the scan, but the easier it is for firewalls and intrusion detection systems to notice and block it, and on slow or lossy links T5 drops probes and gives inaccurate results. T4 is the usual choice on a reasonably fast, reliable network

    -v: show scan details (verbose); not used in the command above, but useful for watching progress on long scans

    From the output above, the scan is made up of 5 parts:

    Part 1: check whether the host is online

    Part 2: port scan. By default nmap scans the 1000 most common ports. Two open ports (21 and 22) were found, so the remaining 998 are folded into 'Not shown: 998 closed ports'

    Part 3: identify the service and version on each open port. The ftp-anon and ssh-hostkey lines under the ports come from the default NSE scripts that -A enables; 'Anonymous FTP login allowed' is already a finding worth recording

    Part 4: detect the operating system type and version. Here no exact match was found, so nmap prints the raw TCP/IP fingerprint instead (the OS: lines) and asks for it to be submitted

    Part 5: traceroute to the target host
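    The five parts above are easier to work with once they are pulled out of nmap's human-readable output. The following parser is an added example, not code from the original post or from the nmap project; it only uses the Python standard library, and it runs over a constructed copy of the scan output shown above (with the raw OS fingerprint block left out). The class and function names (HostReport, parse_nmap_output, quick_findings) are mine. In real use you would normally prefer nmap's -oX XML output, which is designed for machines; this parser exists to show where each of the five parts appears in the normal output and how the NSE lines attach to their port.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the nmap -A -T4 output shown above, with the raw OS
# fingerprint block left out because the parser does not use it.
SAMPLE_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0               6 Oct 30  2018 pub
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
|_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.56 ms 10.0.0.53

Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
"""

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)     # NSE script name -> output lines

@dataclass
class HostReport:
    address: str = ""
    up: bool = False
    latency_s: Optional[float] = None
    not_shown: str = ""                             # e.g. "998 closed ports"
    ports: list = field(default_factory=list)
    mac: str = ""
    os_match: str = ""
    distance_hops: Optional[int] = None
    traceroute: list = field(default_factory=list)  # (hop, rtt_ms, address)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]\s?([\w-]+): ?(.*)$")   # first line of a script result
SCRIPT_CONT_RE = re.compile(r"^\|[_ ](.*)$")           # continuation lines of the same script
HOP_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(\S+)$")

def parse_nmap_output(text: str) -> HostReport:
    """Walk nmap's normal (human) output line by line and fill a HostReport."""
    rep, cur_port, cur_script, in_trace = HostReport(), None, None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                           # parts 2 and 3: port, state, service, version
            cur_port = Port(int(m[1]), m[2], m[3], m[4], m[5].strip())
            rep.ports.append(cur_port)
            cur_script = None
        elif line.startswith("|") and cur_port is not None:   # NSE output belongs to the port above it
            m = SCRIPT_RE.match(line)
            if m:
                cur_script = m[1]
                cur_port.scripts[cur_script] = [m[2]]
            elif cur_script and (m := SCRIPT_CONT_RE.match(line)):
                cur_port.scripts[cur_script].append(m[1].strip())
        elif line.startswith("Nmap scan report for "):
            rep.address = line.split()[-1].strip("()")
        elif line.startswith("Host is up"):             # part 1: host discovery
            rep.up = True
            m = re.search(r"\(([\d.]+)s latency\)", line)
            rep.latency_s = float(m[1]) if m else None
        elif line.startswith("Not shown: "):
            rep.not_shown = line[len("Not shown: "):]
        elif line.startswith("MAC Address: "):
            rep.mac = line.split()[2]
        elif line.startswith(("OS details: ", "No exact OS matches")):   # part 4
            rep.os_match = line.split(" (")[0]
        elif line.startswith("Network Distance: "):
            rep.distance_hops = int(line.split()[2])
        elif line == "TRACEROUTE":                      # part 5
            in_trace = True
        elif in_trace:
            m = HOP_RE.match(line)
            if m:
                rep.traceroute.append((int(m[1]), float(m[2]), m[3]))
            elif not line.strip():
                in_trace = False
    return rep

def open_ports(rep: HostReport) -> list:
    return [(p.number, p.proto) for p in rep.ports if p.state == "open"]

def quick_findings(rep: HostReport) -> list:
    """Turn NSE output into review items; the anonymous-FTP check is the one the sample triggers."""
    items = []
    for p in rep.ports:
        anon = p.scripts.get("ftp-anon", [])
        if anon and anon[0].startswith("Anonymous FTP login allowed"):
            items.append(f"{p.number}/{p.proto}: anonymous FTP login allowed")
    return items

if __name__ == "__main__":
    r = parse_nmap_output(SAMPLE_OUTPUT)
    print(r.address, "up" if r.up else "down", open_ports(r), r.os_match)
    print(quick_findings(r))
```

    The same parser handles the multi-host -Pn output later in the post if it is split per "Nmap scan report for" block first; hosts that print "Host is up." without a latency (the scanner itself) simply get latency_s = None.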

    nmap host discovery

    The principle is similar to the ping command: nmap sends packets to the target host, and if any response comes back it considers the target online. Unlike plain ping, the probe can be ICMP, TCP, UDP or SCTP, so a host that silently drops ICMP echo can still be found. On the local Ethernet segment nmap uses ARP requests by default, which is why the examples below show a MAC address for each host.

    Syntax:

        nmap  [options]   target

    Common options

    Option                      Meaning
    -sn                         Host discovery only, no port scan
    -Pn                         Skip host discovery; treat every listed host as online and go straight to the port scan
    -sL                         Only list the target IPs (with reverse DNS names); send no probes at all
    -PS/PA/PU/PY[portlist]      Discover hosts with TCP SYN, TCP ACK, UDP or SCTP INIT probes to the given ports, e.g. -PS80,22
    -PE/PP/PM                   Discover hosts with ICMP echo, timestamp or netmask request packets
    -PO[protocol list]          IP protocol ping: send raw IP packets with the given protocol numbers
    -n / -R                     Whether to use DNS resolution: -n never resolves, -R always resolves (even hosts that appear down)

    Examples

    1. Host discovery only

    [root@master ~]# nmap -sn 10.0.0.53
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:34 EDT
    Nmap scan report for 10.0.0.53
    Host is up (0.00044s latency).
    MAC Address: 00:0C:29:8F:D5:02 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

    Scan a subnet (10.0.0.50 is the scanner itself, hence "Host is up." with no latency or MAC)

    [root@master ~]# nmap -sn 10.0.0.0/24
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:39 EDT
    Nmap scan report for 10.0.0.1
    Host is up (0.00021s latency).
    MAC Address: 00:50:56:C0:00:08 (VMware)
    Nmap scan report for 10.0.0.53
    Host is up (0.00044s latency).
    MAC Address: 00:0C:29:8F:D5:02 (VMware)
    Nmap scan report for 10.0.0.226
    Host is up (0.00013s latency).
    MAC Address: 00:50:56:F8:14:BA (VMware)
    Nmap scan report for 10.0.0.254
    Host is up (0.000095s latency).
    MAC Address: 00:50:56:E0:4C:FE (VMware)
    Nmap scan report for 10.0.0.50
    Host is up.
    Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds

    2. Port scan only (-Pn skips host discovery and scans every address as if it were up)

    [root@master ~]# nmap -Pn 10.0.0.0/24
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:57 EDT
    Nmap scan report for 10.0.0.1
    Host is up (0.00015s latency).
    Not shown: 996 filtered ports
    PORT     STATE SERVICE
    443/tcp  open  https
    902/tcp  open  iss-realsecure
    912/tcp  open  apex-mesh
    5357/tcp open  wsdapi
    MAC Address: 00:50:56:C0:00:08 (VMware)
    
    Nmap scan report for 10.0.0.53
    Host is up (0.00055s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE
    21/tcp open  ftp
    22/tcp open  ssh
    MAC Address: 00:0C:29:8F:D5:02 (VMware)
    
    Nmap scan report for 10.0.0.226
    Host is up (0.000059s latency).
    All 1000 scanned ports on 10.0.0.226 are closed
    MAC Address: 00:50:56:F8:14:BA (VMware)
    
    Nmap scan report for 10.0.0.254
    Host is up (0.00013s latency).
    All 1000 scanned ports on 10.0.0.254 are filtered
    MAC Address: 00:50:56:E0:4C:FE (VMware)
    
    Nmap scan report for 10.0.0.50
    Host is up (0.0000080s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    
    Nmap done: 256 IP addresses (5 hosts up) scanned in 7.43 seconds

    Combined with a tcpdump packet capture

    [root@master ~]# nmap -sn -PE -PS80,21 -PU53 www.abc.com
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 02:04 EDT
    Nmap scan report for www.abc.com (99.84.133.98)
    Host is up (0.087s latency).
    Other addresses for www.abc.com (not scanned): 99.84.133.97 99.84.133.3 99.84.133.46
    rDNS record for 99.84.133.98: server-99-84-133-98.nrt57.r.cloudfront.net
    Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

    What the capture shows

    [root@master ~]# tcpdump -nnn host 10.0.0.50 and host www.abc.com
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
    02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
    02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
    02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
    02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
    02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
    02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
    02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0

    Reading the capture: nmap sent four probes almost at once, an ICMP echo request (-PE), TCP SYNs to ports 21 and 80 (-PS80,21) and an empty UDP datagram to port 53 (-PU53, which tcpdump decodes as a DNS packet). The ICMP echo request received a reply. Port 21 answered with a RST (about 21 seconds later), which means port 21 is closed, but for host discovery a RST is still proof that the host is up. Port 80 answered with SYN/ACK, so port 80 is open; nmap immediately sent a RST to tear down the half-open connection, exactly as a SYN scan does. Any one of these three replies is enough for nmap to report the host as up. The UDP probe got no answer at all, which on its own would have left the host state unknown. Note also that the capture was taken in a separate run from the scan above and the CDN name resolved to 99.84.133.97 rather than 99.84.133.98 that time; against round-robin names like this, scan the IP directly (with -n) when results need to be reproducible.
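    The decision nmap makes from that capture can be replayed offline. The following is an added example, not code from the original post or from nmap or tcpdump: it parses the tcpdump -nnn lines above (copied into a constructed sample), pairs every reply with the probe that caused it, and reports which replies prove the host is up and what each reply says about the probed port. It uses only the standard library; the names analyze, parse_line and split_addr are mine, and it handles IPv4 only. Beyond the capture on the page it also treats an ICMP "udp port N unreachable" error as host-up evidence (and a closed UDP port), which is the other reply a -PU probe can get.

```python
import re

# Constructed sample: the tcpdump -nnn lines from the capture above, copied as shown.
CAPTURE = """\
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0
"""

LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]+)\]")
UNREACH_RE = re.compile(r"udp port (\d+) unreachable")

def split_addr(s):
    """tcpdump -n writes host.port for TCP/UDP and the bare host for ICMP (IPv4 only here)."""
    parts = s.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return s, None

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    shost, sport = split_addr(src)
    dhost, dport = split_addr(dst)
    if rest.startswith("ICMP "):
        proto, info = "icmp", rest.split(",")[0][5:]   # "echo request", "echo reply", "... unreachable"
    elif (f := FLAGS_RE.search(rest)):
        proto, info = "tcp", f[1]                      # e.g. "S", "S.", "R."
    else:
        proto, info = "udp", rest                      # tcpdump decoded the empty datagram as DNS
    return {"ts": ts, "src": shost, "sport": sport, "dst": dhost, "dport": dport,
            "proto": proto, "info": info}

def analyze(capture, scanner, target):
    """Replay nmap's host-discovery decision: any reply to a probe (echo reply,
    SYN/ACK, RST, UDP data or ICMP port unreachable) proves the host is up, and
    the kind of reply also says what the probed port is doing."""
    pkts = [p for p in map(parse_line, capture.splitlines()) if p]
    probes, ports, evidence = {}, {}, []
    for p in pkts:                        # what the scanner sent (first packet per target port)
        if p["src"] == scanner and p["dst"] == target:
            probes.setdefault((p["proto"], p["dport"]), p)
            if p["proto"] != "icmp":
                ports.setdefault((p["proto"], p["dport"]), "no response")
    for p in pkts:                        # what came back from the target
        if not (p["src"] == target and p["dst"] == scanner):
            continue
        if p["proto"] == "icmp":
            if p["info"] == "echo reply":
                evidence.append("ICMP echo reply")
            elif (u := UNREACH_RE.search(p["info"])) and ("udp", int(u[1])) in probes:
                ports[("udp", int(u[1]))] = "closed"
                evidence.append(f"udp/{u[1]} ICMP port unreachable")
        elif p["proto"] == "tcp" and ("tcp", p["sport"]) in probes:
            if "S" in p["info"] and "." in p["info"]:   # SYN/ACK: port open; nmap answers with RST
                ports[("tcp", p["sport"])] = "open"
                evidence.append(f"tcp/{p['sport']} SYN/ACK")
            elif "R" in p["info"]:                      # RST: port closed, but the host is clearly up
                ports[("tcp", p["sport"])] = "closed"
                evidence.append(f"tcp/{p['sport']} RST")
        elif p["proto"] == "udp" and ("udp", p["sport"]) in probes:
            ports[("udp", p["sport"])] = "open"
            evidence.append(f"udp/{p['sport']} reply")
    return {"host_up": bool(evidence), "evidence": evidence, "ports": ports}

if __name__ == "__main__":
    print(analyze(CAPTURE, "10.0.0.50", "99.84.133.97"))
```

    Running it on the capture gives host_up True with three independent pieces of evidence (80/tcp SYN/ACK, the echo reply, 21/tcp RST) and leaves 53/udp at "no response": silence from a UDP port is not evidence either way, which is why -PU alone is a weak discovery probe against filtered hosts.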

    Port scanning

    nmap classifies each port it probes into one of 6 states:

    open: an application is accepting TCP connections, UDP datagrams or SCTP associations on the port

    closed: the port is reachable (it answers, e.g. with a TCP RST or an ICMP port unreachable) but no application is listening on it

    filtered: nmap cannot tell whether the port is open because a firewall or other filter drops the probe or answers with an ICMP error such as "administratively prohibited"

    unfiltered: the port is reachable but nmap cannot determine whether it is open or closed; only the ACK scan (-sA) produces this state, and a SYN scan of the same ports resolves it

    open|filtered: nmap cannot distinguish open from filtered, usually because the probe got no response at all; this is the common result of UDP, NULL, FIN and Xmas scans

    closed|filtered: nmap cannot distinguish closed from filtered; this state is only produced by the IP ID idle scan (-sI)
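    The six states follow from a small set of rules about what reply each scan type can get. The block below is an added example, not code from the original post or from nmap: it encodes the response-to-state mapping that the nmap reference guide documents for SYN, connect, UDP, ACK and NULL/FIN/Xmas scans, and tallies a constructed set of results the way nmap's "Not shown:" line does. It uses only the standard library; the names Resp, port_state, summarize and FOLLOW_UP are mine. The idle scan is deliberately left out because its closed|filtered verdict comes from IP ID arithmetic on a third host rather than from a direct reply.

```python
from collections import Counter
from enum import Enum

class Resp(Enum):
    """What came back for one probe after nmap's retransmissions."""
    NONE = "no response"
    SYN_ACK = "TCP SYN/ACK"
    RST = "TCP RST"
    UDP_DATA = "UDP payload"
    ICMP_PORT_UNREACH = "ICMP type 3 code 3 (port unreachable)"
    ICMP_OTHER_UNREACH = "ICMP type 3 code 1, 2, 9, 10 or 13"

# Scan types modelled here. closed|filtered is absent on purpose: only the idle
# scan (-sI), which reads IP ID changes on a zombie host, can produce it.
SCANS = ("syn", "connect", "udp", "ack", "null", "fin", "xmas")

def port_state(scan: str, resp: Resp) -> str:
    """Map one probe's response to the state nmap reports, following the
    per-scan-type rules in the nmap reference guide."""
    if scan not in SCANS:
        raise ValueError(f"unknown scan type {scan!r}")
    if resp in (Resp.ICMP_PORT_UNREACH, Resp.ICMP_OTHER_UNREACH) and scan != "udp":
        return "filtered"             # any ICMP unreachable error filters a TCP probe
    if scan in ("syn", "connect"):
        return {Resp.SYN_ACK: "open", Resp.RST: "closed"}.get(resp, "filtered")
    if scan == "udp":
        return {Resp.UDP_DATA: "open", Resp.ICMP_PORT_UNREACH: "closed",
                Resp.ICMP_OTHER_UNREACH: "filtered"}.get(resp, "open|filtered")
    if scan == "ack":                 # ACK probes never say open/closed, only whether a filter is in the way
        return "unfiltered" if resp == Resp.RST else "filtered"
    # null/fin/xmas: per RFC 793 a closed port answers RST and an open port stays
    # silent, which looks the same as a dropped probe, hence open|filtered
    return "closed" if resp == Resp.RST else "open|filtered"

# What to do next with the two ambiguous states and with 'filtered'
FOLLOW_UP = {
    "open|filtered": "re-probe with version detection (-sV); its protocol payloads often draw a reply from an open UDP port",
    "unfiltered": "run a SYN scan (-sS) on these ports to separate open from closed",
    "filtered": "this scan type has nothing more to offer; change probe type or scan from a different network position",
}

def summarize(results):
    """results: iterable of (port label, scan type, Resp). Returns the state of
    each port and the tally nmap compresses into its 'Not shown:' line."""
    states = {port: port_state(scan, resp) for port, scan, resp in results}
    return states, Counter(states.values())

# Constructed sample in the shape of a combined -sS -sU fast scan: two TCP ports
# answer SYN/ACK, one TCP port is silent, and both UDP ports are silent.
SAMPLE_RESULTS = [
    ("80/tcp", "syn", Resp.SYN_ACK),
    ("443/tcp", "syn", Resp.SYN_ACK),
    ("22/tcp", "syn", Resp.NONE),
    ("53/udp", "udp", Resp.NONE),
    ("123/udp", "udp", Resp.NONE),
]

if __name__ == "__main__":
    states, counts = summarize(SAMPLE_RESULTS)
    for port, state in states.items():
        print(port, state, FOLLOW_UP.get(state, ""))
    print("Not shown:", dict(counts))
```

    The asymmetry the table makes visible is the practical point: a silent TCP port under a SYN scan is "filtered" because an unfiltered closed port would have sent RST, while a silent UDP port is "open|filtered" because an open UDP service is allowed to say nothing. That is why UDP results need -sV or a service-specific probe before they mean anything.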

    Common options

    Option                 Meaning
    -sS/sT/sA/sW/sM        TCP SYN / Connect() / ACK / Window / Maimon scans of the target
    -sU                    UDP scan: determine the state of the target's UDP ports
    -sN/sF/sX              TCP NULL, FIN and Xmas scans
    -p<port list>          Scan the given ports or ranges, e.g. -p80, -p1-100, "-p T:80-88,8080,U:53,S:9" (T = TCP, U = UDP, S = SCTP; a protocol prefix applies to everything after it until the next prefix)
    -F                     Fast mode: scan only the 100 most common ports
    --top-ports <number>   Scan only the <number> most commonly used ports
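    The -p syntax is compact but easy to misread, especially the rule that a T:/U:/S: prefix stays in effect for every later item. The following parser is an added example, not code from the original post or from nmap; it expands a port specification into per-protocol sets and renders a set back into the compact form. It follows nmap's documented syntax (comma-separated items, "a-b" ranges, "-b" for 1-b, "a-" for a-65535, "-" alone for every port, uppercase protocol prefixes) and only uses the standard library. The names parse_port_spec, compress_ranges and to_port_spec are mine, and the default_protos parameter is my way of modelling that an unprefixed list applies to whichever protocols the scan requested.

```python
PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}
MAX_PORT = 65535

def parse_port_spec(spec, default_protos=("tcp",)):
    """Expand an nmap -p argument into {proto: set(ports)}.

    Items are comma separated; "a-b" is a range, "-b" means 1-b, "a-" means
    a-65535 and "-" alone is every port. A T:/U:/S: prefix switches protocol
    for everything that follows it. Items seen before any prefix go to
    default_protos (tcp alone, or tcp and udp when the scan is -sS -sU).
    Raises ValueError on malformed items or ports outside 0..65535.
    """
    result = {}
    current = list(default_protos)
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty item in port spec {spec!r}")
        if len(item) >= 2 and item[1] == ":" and item[0] in PROTO_PREFIX:
            current = [PROTO_PREFIX[item[0]]]
            item = item[2:]
            if not item:                 # "T:" on its own only changes protocol
                continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1
            hi = int(hi_s) if hi_s else MAX_PORT
        else:
            lo = hi = int(item)          # int() raises ValueError on junk like "abc"
        if not (0 <= lo <= hi <= MAX_PORT):
            raise ValueError(f"bad port range {raw!r}")
        for proto in current:
            result.setdefault(proto, set()).update(range(lo, hi + 1))
    return result

def compress_ranges(ports):
    """Render a port set in nmap's compact list form: {80..88, 8080} -> '80-88,8080'."""
    out, run = [], []
    def flush():
        if run:
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
    for p in sorted(ports):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            flush()
            run = [p]
    flush()
    return ",".join(out)

def to_port_spec(expanded):
    """Inverse of parse_port_spec: {'tcp': {...}, 'udp': {...}} -> 'T:80-88,8080,U:53'."""
    order = [("tcp", "T"), ("udp", "U"), ("sctp", "S")]
    return ",".join(f"{pfx}:{compress_ranges(expanded[proto])}"
                    for proto, pfx in order if expanded.get(proto))

if __name__ == "__main__":
    spec = "T:80-88,8080,U:53,S:9"
    expanded = parse_port_spec(spec)
    print({k: sorted(v) for k, v in expanded.items()})
    print(to_port_spec(expanded))
```

    A parser like this is useful in front of a scan wrapper: rejecting "70000" or an empty item before nmap starts is cheaper than discovering a typo after a long scan, and the expanded sets make it easy to count how many probes a given -p will generate.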

    Example

    [root@master ~]# nmap -sS -sU -F www.godaddy.com
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 04:52 EDT
    Nmap scan report for www.godaddy.com (104.94.41.48)
    Host is up (0.025s latency).
    rDNS record for 104.94.41.48: a104-94-41-48.deploy.static.akamaitechnologies.com
    Not shown: 100 open|filtered ports, 98 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https
    
    Nmap done: 1 IP address (1 host up) scanned in 50.89 seconds

    Explanation: with -F nmap probes the 100 most common TCP ports (-sS) and the 100 most common UDP ports (-sU). None of the 100 UDP ports answered, so all of them are reported as open|filtered, which is the usual result for UDP against a CDN edge; 98 TCP ports were filtered and only 80/tcp and 443/tcp are open. The silent UDP half is also most of the 50 seconds: with no replies, nmap has to wait out its retransmissions for every UDP port. (The public hosts in these examples are the original author's targets; scan only systems you are authorized to test.)
  • Original URL: https://www.cnblogs.com/zh-dream/p/12597641.html
Copyright © 2020-2023  润新知