Introduction
nmap is an open-source network discovery tool. It can find which hosts on a network are online, test which ports a host is listening on, use those ports to determine the type and version of the applications running on the host, and detect the operating system type and version.
Basic functions
There are four basic functions:
(1) Host discovery
(2) Port scanning
(3) Application version detection
(4) Operating system version detection
Basic usage:
[root@master ~]# nmap -A -T4 10.0.0.53
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:31 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00056s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 2018 pub
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 7c:53:25:b0:3d:72:e7:46:31:96:3d:b6:a9:19:c5:69 (RSA)
|_256 d4:22:2b:72:1b:3a:2d:18:3a:11:fb:5b:6a:69:fa:4e (ECDSA)
MAC Address: 00:0C:29:8F:D5:02 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=4/5%OT=21%CT=1%CU=42940%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=5E896D3B%P=x86_64-redhat-linux-gnu)SEQ(SP=100%GCD=1%ISR=108%TI=Z%TS=A)S
OS:EQ(SP=100%GCD=1%ISR=108%TI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7
OS:%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W
OS:2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NN
OS:SNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y
OS:%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G
OS:%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.56 ms 10.0.0.53

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
Notes on the result:
-A: enables comprehensive (aggressive) scanning
-T4: selects the timing template used during the scan. There are six levels (0-5); the higher the level, the faster the scan, but the more likely it is to be noticed and blocked by firewalls and intrusion detection devices. T4 is the usual choice.
-v: shows scan details
From the output above, the whole scan can be seen to consist of five parts:
Part one: checks whether the host is online
Part two: scans the ports; by default nmap scans the 1000 most commonly used ports. Because only one port was found, the output shows '999 closed ports'
Part three: identifies the services running on the ports and their versions
Part four: detects the operating system type and version
Part five: traceroute information for the target host
nmap host discovery
The principle is similar to the ping command: packets are sent to the target host, and if a response is received the target host is considered online.
Syntax:
nmap [options or parameters] target host
Common options
Option | Meaning |
-sn | Host discovery only; no port scan |
-Pn | Skip host discovery, treat every specified host as online and go straight to the port scan |
-sL | Only list the target host IPs; no host discovery scan |
-PS/PA/PU/PY[portlist] | Discover hosts with TCP SYN, TCP ACK, UDP or SCTP probes, e.g. -PS80,22 |
-PE/PP/PM | Discover hosts with ICMP echo, timestamp or netmask request packets |
-PO | Probe whether the target host is online with IP protocol packets |
-n/-R | Whether to use DNS resolution: -n disables DNS resolution, -R forces it |
Examples
1. Host discovery only
[root@master ~]# nmap -sn 10.0.0.53
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:34 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Scanning a subnet
[root@master ~]# nmap -sn 10.0.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:39 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00021s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.53
Host is up (0.00044s latency).
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.00013s latency).
MAC Address: 00:50:56:F8:14:BA (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.000095s latency).
MAC Address: 00:50:56:E0:4C:FE (VMware)
Nmap scan report for 10.0.0.50
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds
2. Port scan only
[root@master ~]# nmap -Pn 10.0.0.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 01:57 EDT
Nmap scan report for 10.0.0.1
Host is up (0.00015s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
443/tcp open https
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.0.0.53
Host is up (0.00055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.000059s latency).
All 1000 scanned ports on 10.0.0.226 are closed
MAC Address: 00:50:56:F8:14:BA (VMware)
Nmap scan report for 10.0.0.254
Host is up (0.00013s latency).
All 1000 scanned ports on 10.0.0.254 are filtered
MAC Address: 00:50:56:E0:4C:FE (VMware)
Nmap scan report for 10.0.0.50
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.43 seconds
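This normal-output format is also what a defender diffs against an asset inventory to catch unexpected listeners. The following is an added Python example (not from the original page and not nmap's own code) that parses the report into per-host port tables and flags open ports missing from an allowlist; SAMPLE_REPORT is an abbreviated copy of the report above with newlines restored, and the BASELINE allowlist is constructed.

```python
import re

# Abbreviated copy of the `nmap -Pn 10.0.0.0/24` report above, newlines restored.
SAMPLE_REPORT = """\
Nmap scan report for 10.0.0.53
Host is up (0.00055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 00:0C:29:8F:D5:02 (VMware)
Nmap scan report for 10.0.0.226
Host is up (0.000059s latency).
All 1000 scanned ports on 10.0.0.226 are closed
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.43 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")

def parse_report(text):
    """Return {host: {"up": bool, "ports": {(port, proto): (state, service)}}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):            # prefer the IP when a name is shown too
            cur = hosts.setdefault(m.group(2) or m.group(1), {"up": False, "ports": {}})
        elif cur is not None and line.startswith("Host is up"):
            cur["up"] = True
        elif cur is not None and (m := PORT_RE.match(line)):
            port, proto, state, service = m.groups()
            cur["ports"][(int(port), proto)] = (state, service)
    return hosts

def unexpected_open_ports(hosts, baseline):
    """Open ports the per-host allowlist does not expect, as (host, port, proto, service)."""
    findings = []
    for host, info in hosts.items():
        allowed = baseline.get(host, set())
        for (port, proto), (state, service) in sorted(info["ports"].items()):
            if state == "open" and (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings

# Constructed baseline: 10.0.0.53 is expected to expose only SSH.
BASELINE = {"10.0.0.53": {(22, "tcp")}}

if __name__ == "__main__":
    for finding in unexpected_open_ports(parse_report(SAMPLE_REPORT), BASELINE):
        print("unexpected open port: %s %d/%s (%s)" % finding)
```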
Combined with a tcpdump capture
[root@master ~]# nmap -sn -PE -PS80,21 -PU53 www.abc.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 02:04 EDT
Nmap scan report for www.abc.com (99.84.133.98)
Host is up (0.087s latency).
Other addresses for www.abc.com (not scanned): 99.84.133.97 99.84.133.3 99.84.133.46
rDNS record for 99.84.133.98: server-99-84-133-98.nrt57.r.cloudfront.net
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
Captured packets
[root@master ~]# tcpdump -nnn host 10.0.0.50 and host www.abc.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:20:11.670936 IP 10.0.0.50 > 99.84.133.97: ICMP echo request, id 46737, seq 0, length 8
02:20:11.671034 IP 10.0.0.50.42511 > 99.84.133.97.21: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671074 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [S], seq 3863690238, win 1024, options [mss 1460], length 0
02:20:11.671127 IP 10.0.0.50.42511 > 99.84.133.97.53: 0 stat [0q] (12)
02:20:11.758253 IP 99.84.133.97.80 > 10.0.0.50.42511: Flags [S.], seq 501169078, ack 3863690239, win 64240, options [mss 1460], length 0
02:20:11.758286 IP 10.0.0.50.42511 > 99.84.133.97.80: Flags [R], seq 3863690239, win 0, length 0
02:20:11.758319 IP 99.84.133.97 > 10.0.0.50: ICMP echo reply, id 46737, seq 0, length 8
02:20:32.673678 IP 99.84.133.97.21 > 10.0.0.50.42511: Flags [R.], seq 2101084543, ack 3863690239, win 64240, length 0
The capture shows that the ICMP echo request was answered. The probe to port 21 received an R (RST) flag, meaning port 21 is closed; TCP port 80 also replied, meaning port 80 is open.
Port scanning
nmap classifies the ports it detects into six states:
open: the port is open
closed: the port is closed
filtered: the port is blocked by a firewall
unfiltered: the port is not blocked, but further probing is needed to determine whether it is open
open|filtered: undetermined; the port may be open or it may be filtered
closed|filtered: undetermined; the port may be open or it may be filtered
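To make this state vocabulary concrete, here is an added Python illustration (not nmap's code and not from the original page) of how a SYN scan (-sS) and a UDP scan (-sU) map each kind of reply to one of these states, replayed over the replies seen in the tcpdump capture above. The Response records, and the administratively-prohibited ICMP error used for tcp/443, are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Response:
    proto: str                      # "tcp", "udp" or "icmp"; a timeout is represented by None
    tcp_flags: str = ""             # tcpdump-style flags: "S." = SYN/ACK, "R" or "R." = RST
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

# ICMP destination-unreachable (type 3) codes nmap reads as "filtered": net/host/port
# unreachable and the three "administratively prohibited" codes.
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

def classify_tcp_syn(resp: Optional[Response]) -> str:
    """State a SYN scan (-sS) assigns a TCP port from the reply to one SYN probe."""
    if resp is None:
        return "filtered"           # silence after retries: probe or reply was dropped
    if resp.proto == "tcp" and "S" in resp.tcp_flags and "." in resp.tcp_flags:
        return "open"               # SYN/ACK, as port 80 answered in the capture above
    if resp.proto == "tcp" and "R" in resp.tcp_flags:
        return "closed"             # RST, as port 21 answered in the capture above
    if resp.proto == "icmp" and resp.icmp_type == 3 and resp.icmp_code in FILTERED_CODES:
        return "filtered"           # unreachable error sent back by a router or firewall
    return "filtered"               # any other reply is ignored, so the probe times out

def classify_udp(resp: Optional[Response]) -> str:
    """State a UDP scan (-sU) assigns from the reply to one UDP probe."""
    if resp is None:
        return "open|filtered"      # open services often ignore an empty datagram
    if resp.proto == "udp":
        return "open"               # any UDP reply proves a listener
    if resp.proto == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == 3:
            return "closed"         # port unreachable: nothing is listening
        if resp.icmp_code in FILTERED_CODES:
            return "filtered"       # other unreachable errors point at a filter
    return "open|filtered"

def replay_capture() -> dict:
    """Constructed replies mirroring the tcpdump session above (21 -> RST, 80 -> SYN/ACK,
    UDP 53 -> silence) plus a constructed admin-prohibited ICMP error for tcp/443."""
    replies = {
        "tcp/21": Response("tcp", tcp_flags="R."),
        "tcp/80": Response("tcp", tcp_flags="S."),
        "tcp/443": Response("icmp", icmp_type=3, icmp_code=13),
        "udp/53": None,
    }
    return {k: classify_udp(v) if k.startswith("udp") else classify_tcp_syn(v)
            for k, v in replies.items()}
```

The "100 open|filtered ports" in the -sU example further down is exactly the silence case of classify_udp: a UDP probe that draws no reply cannot distinguish an open service from a dropped packet.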
Common options
Option | Meaning |
-sS/sT/sA/sW/sM | Scan the target host with TCP SYN / Connect() / ACK / Window / Maimon scans |
-sU | Scan the state of the target host's UDP ports with a UDP scan |
-sN/sF/sX | Scan the host's TCP ports with TCP Null, FIN or Xmas scans |
-p<port list> | Scan the specified ports, e.g. -p80, -p1-100, "-p T:80-88,8080,U:53,S:9", where T is TCP, U is UDP and S is SCTP |
-F | Fast scan mode; scans only the 100 most commonly used ports |
--top-ports<number> | Scan only the number most frequently used ports |
Examples
[root@master ~]# nmap -sS -sU -F www.godaddy.com
Starting Nmap 6.40 ( http://nmap.org ) at 2020-04-05 04:52 EDT
Nmap scan report for www.godaddy.com (104.94.41.48)
Host is up (0.025s latency).
rDNS record for 104.94.41.48: a104-94-41-48.deploy.static.akamaitechnologies.com
Not shown: 100 open|filtered ports, 98 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 50.89 seconds