Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

2024年11月22日20:04:29评论9 views字数 6608阅读22分1秒阅读模式

nmap典型用法

[root@node01 ~]# nmap 192.168.1.220Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:08 CSTNmap scan report for 192.168.1.220Host is up (0.00012s latency).Not shown: 999 closed portsPORT   STATE SERVICE22/tcp open  sshMAC Address: 00:0C:29:C5:19:99 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

由输出可知，192.168.1.220主机处于UP状态，并且主机开放了22端口，同时还侦测到端口对应的服务，最后还给出了目标主机网卡的MAC地址。

了解目标主机的更多信息。

[root@node01 ~]# nmap -T4 -A -v 192.168.1.220Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:12 CSTNSE: Loaded 110 scripts for scanning.NSE: Script Pre-scanning.Initiating ARP Ping Scan at 13:12Scanning 192.168.1.220 [1 port]Completed ARP Ping Scan at 13:12, 0.00s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 13:12Completed Parallel DNS resolution of 1 host. at 13:12, 0.01s elapsedInitiating SYN Stealth Scan at 13:12Scanning 192.168.1.220 [1000 ports]Discovered open port 22/tcp on 192.168.1.220Completed SYN Stealth Scan at 13:12, 0.05s elapsed (1000 total ports)Initiating Service scan at 13:12Scanning 1 service on 192.168.1.220Completed Service scan at 13:12, 0.04s elapsed (1 service on 1 host)Initiating OS detection (try #1) against 192.168.1.220Retrying OS detection (try #2) against 192.168.1.220Retrying OS detection (try #3) against 192.168.1.220Retrying OS detection (try #4) against 192.168.1.220Retrying OS detection (try #5) against 192.168.1.220NSE: Script scanning 192.168.1.220.Initiating NSE at 13:13Completed NSE at 13:13, 0.08s elapsedNmap scan report for 192.168.1.220Host is up (0.00089s latency).Not shown: 999 closed portsPORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)| ssh-hostkey: 2048 e5:a6:1b:ba:13:4e:84:7e:21:2e:4f:23:f6:0e:a8:80 (RSA)|_256 6c:e7:fe:f6:b4:a6:b1:e4:04:47:fc:6b:e6:51:55:8b (ECDSA)MAC Address: 00:0C:29:C5:19:99 (VMware)No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=6.40%E=4%D=3/21%OT=22%CT=1%CU=33000%PV=Y%DS=1%DC=D%G=Y%M=000C29%TOS:M=5E75A260%P=x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%TS=A)OS:OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4OS:ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)OS:ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)TOS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DFOS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40OS:%CD=S)Uptime guess: 0.004 days (since Sat Mar 21 13:07:06 2020)Network Distance: 1 hopTCP Sequence Prediction: Difficulty=262 (Good luck!)IP ID Sequence Generation: All zerosTRACEROUTEHOP RTT     ADDRESS1   0.89 ms 192.168.1.220NSE: Script Post-scanning.Initiating NSE at 13:13Completed NSE at 13:13, 0.00s elapsedRead data files from: /usr/bin/../share/nmapOS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.57 seconds           Raw packets sent: 1111 (52.918KB) | Rcvd: 1072 (46.334KB)

-A：用于开启全面扫描，

-T4：指定扫描过程中使用的时序的模板，总共有6个等级（0~5），等级越高扫描速度越快，但也越容易被防火墙或者入侵检测设备发现并屏蔽，推荐使用-T4。

-v：显示扫描细节。

第一部分是对主机是否在线的扫描

Host is up (0.00068s latency).

第二部分是对端口进行扫描，在默认情况下nmap会扫描1000个最有可能会开放的端口，因为只扫描到22号端口是开放的，所以在输出中会显示

Not shown: 999 closed ports

第三部分是对端口上运行的服务以及版本号进行统计

PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)| ssh-hostkey: 2048 e5:a6:1b:ba:13:4e:84:7e:21:2e:4f:23:f6:0e:a8:80 (RSA)|_256 6c:e7:fe:f6:b4:a6:b1:e4:04:47:fc:6b:e6:51:55:8b (ECDSA)

第四部分是对操作系统类型和版本进行探测。

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

第五部分是对目标主机路由跟踪信息。

TRACEROUTEHOP RTT     ADDRESS1   0.75 ms 192.168.1.220

nmap主机发现方法

选项
-sn	只进行主机发现扫描，不进行端口扫描
-Pn	路过主机发现扫描，将所有指定的主机都视为在线状态，进行端口扫描
-sL	仅仅列出指定主机的IP地址，不进行主机发现扫描
-PS/PA/PU/PY[printlist]	指定nmap使用TCP SYN、TCP ACK、UDP、SCTP方式进行主机发现，例如：nmap -PS80,21
-PE/PP/PM	指定nmap使用ICMP echo、timestamp、netmask请求报文发现主机。
-PO	使用ip协议包探测目标主机是否在线，
-n/-R	指定是否使用DNS解析，其中-n表示不进行dns解析，-R表示总是进行DNS解析

比较常用的是-sn和-Pn，

[root@node01 ~]# nmap -sn -PE -PS22,80 -PU53 www.baidu.comStarting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 13:47 CSTNmap scan report for www.baidu.com (39.156.66.14)Host is up (0.019s latency).Other addresses for www.baidu.com (not scanned): 39.156.66.18Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

nmap端口扫描

侦测到的端口状态分为6种状态。

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

端口扫描的用法

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

[root@node01 ~]# nmap -sS -sU -F www.baidu.comStarting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:09 CSTNmap scan report for www.baidu.com (39.156.66.18)Host is up (0.013s latency).Other addresses for www.baidu.com (not scanned): 39.156.66.14Not shown: 100 open|filtered ports, 98 filtered portsPORT    STATE SERVICE80/tcp  open  http443/tcp open  httpsNmap done: 1 IP address (1 host up) scanned in 10.13 seconds

-sS：使用TCP SYN扫描TCP端口
-sU：扫描UDP端口
-F：表示使用快速扫描方式，扫描最有可能开放的前100个端口，（TCP、UDP各一百个端口）

nmap版本侦测

[root@node01 ~]# nmap -sV www.baidu.comStarting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:15 CSTNmap scan report for www.baidu.com (39.156.66.18)Host is up (0.016s latency).Other addresses for www.baidu.com (not scanned): 39.156.66.14Not shown: 998 filtered portsPORT    STATE SERVICE        VERSION80/tcp  open  http-proxy     sslstrip443/tcp open  ssl/http-proxy sslstripService detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 27.15 seconds

nmap操作系统侦测

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

[root@node01 ~]# nmap -O --osscan-guess 192.168.1.220Starting Nmap 6.40 ( http://nmap.org ) at 2020-03-21 14:18 CSTNmap scan report for 192.168.1.220Host is up (0.00078s latency).Not shown: 999 closed portsPORT   STATE SERVICE22/tcp open  sshMAC Address: 00:0C:29:C5:19:99 (VMware)Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%), Linux 2.6.32 - 2.6.35 (94%), Linux 2.6.32 - 3.2 (94%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.6 (93%)No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).TCP/IP fingerprint:OS:SCAN(V=6.40%E=4%D=3/21%OT=22%CT=1%CU=44396%PV=Y%DS=1%DC=D%G=Y%M=000C29%TOS:M=5E75B1D5%P=x86_64-redhat-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%II=I%OS:TS=A)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NWOS:7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%OS:W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NOS:NSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=OS:Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AOS:R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=4OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)Network Distance: 1 hopOS detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 12.21 seconds

链接：https://www.cnblogs.com/liujunjun/p/12538941.html

（版权归原作者所有，侵删）

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

原文始发于微信公众号（马哥网络安全）：Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

Linux Nmap命令典型用法全揭秘：网络扫描与安全利器

一文了解清算网络：业务、技术及安全

DeepSeep本地部署及微调步骤和微调方法

HTB-Haze笔记

GitHub供应链攻击：Coinbase与SpotBugsPAT泄露，静态分析工具成焦点

【HTB】UnderPass靶机渗透

Vulnhub-靶机-Oz。一台让人做呕的靶机，不要换平台打靶机

Web登录一把梭

Hackable_III

Vulnerable Docker 1靶机通关教学

xss靶场

发表评论

在线咨询

微信