Zenmap (the Windows version of nmap) tool parameter notes

Note: this mainly covers the Profile-related scan options; the remaining parts have already been explained in detail by others online. Compiled with reference to the nmap man page.

Target: the IP addresses and ports to scan. Several forms are supported, for example an address range such as 10.123.10.1-10.123.10.244, CIDR (subnet mask) notation such as 10.123.10.1/24, domain names, single IPs, and combinations of single IPs and ranges.

Main Profile parameters

1. Intense scan

nmap -T4 -A -v

-T4:    -T takes a template number (0-5) or name. The template names are
paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and
insane (5). The first two are for IDS evasion. Polite mode slows down the
scan to use less bandwidth and target machine resources. Normal mode is
the default and so -T3 does nothing. Aggressive mode speeds scans up by
making the assumption that you are on a reasonably fast and reliable
network. Finally, insane mode assumes that you are on an extraordinarily
fast network or are willing to sacrifice some accuracy for speed.

For example, -T4 prohibits the dynamic scan delay from exceeding 10 ms for
TCP ports and -T5 caps that value at 5 ms.

-T4 for faster execution

From the above, -T4 is suited to scanning on a LAN or another reliable network; it is somewhat aggressive, holding the dynamic scan delay per TCP port to at most 10 ms.

-A:     -A enables OS and version detection, script scanning, and traceroute.

Three functions: OS and version detection, script scanning, and traceroute.

-v:     Show verbose information during the scan.

2. Intense scan plus UDP: intense scan, plus UDP protocol scanning

nmap -sS -sU -T4 -A -v

-sS:    -sS (TCP SYN scan).

SYN scan is the default and most popular scan option for good reasons. It
can be performed quickly, scanning thousands of ports per second on a fast
network not hampered by restrictive firewalls. It is also relatively
unobtrusive and stealthy since it never completes TCP connections. SYN scan
works against any compliant TCP stack rather than depending on
idiosyncrasies of specific platforms as Nmap's FIN/NULL/Xmas, Maimon and
idle scans do. It also allows clear, reliable differentiation between the
open, closed, and filtered states.

This technique is often referred to as half-open scanning, because you
don't open a full TCP connection. You send a SYN packet, as if you are
going to open a real connection and then wait for a response. A SYN/ACK
indicates the port is listening (open), while a RST (reset) is indicative
of a non-listener. If no response is received after several
retransmissions, the port is marked as filtered. The port is also marked
filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13)
is received. The port is also considered open if a SYN packet (without the
ACK flag) is received in response. This can be due to an extremely rare
TCP feature known as a simultaneous open or split handshake connection
(see http://nmap.org/misc/split-handshake.pdf).

The main point is that -sS is a popular and effective option: it scans quickly and is stealthy, because it is a half-open scan that never completes a full, real TCP connection. It sends a SYN packet; if a SYN/ACK (or SYN) reply comes back, the target port is open and listening; if a RST comes back, the port is not listening; if no reply is received at all, the port is marked as filtered.

-sU:    -sU (UDP scans).

While most popular services on the Internet run over the TCP protocol, UDP
services are widely deployed. DNS, SNMP, and DHCP (registered ports 53,
161/162, and 67/68) are three of the most common. Because UDP scanning is
generally slower and more difficult than TCP, some security auditors
ignore these ports. This is a mistake, as exploitable UDP services are
quite common and attackers certainly don't ignore the whole protocol.
Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the -sU option. It can be combined with a TCP
scan type such as SYN scan (-sS) to check both protocols during the same
run.

UDP scan works by sending a UDP packet to every targeted port. For some
common ports such as 53 and 161, a protocol-specific payload is sent, but
for most ports the packet is empty. The --data-length option can be used
to send a fixed-length random payload to every port or (if you specify a
value of 0) to disable payloads. If an ICMP port unreachable error (type
3, code 3) is returned, the port is closed. Other ICMP unreachable errors
(type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered.
Occasionally, a service will respond with a UDP packet, proving that it is
open. If no response is received after retransmissions, the port is
classified as open|filtered. This means that the port could be open, or
perhaps packet filters are blocking the communication. Version detection
(-sV) can be used to help differentiate the truly open ports from the
filtered ones.

A big challenge with UDP scanning is doing it quickly. Open and filtered
ports rarely send any response, leaving Nmap to time out and then conduct
retransmissions just in case the probe or response were lost. Closed ports
are often an even bigger problem. They usually send back an ICMP port
unreachable error. But unlike the RST packets sent by closed TCP ports in
response to a SYN or connect scan, many hosts rate limit ICMP port
unreachable messages by default. Linux and Solaris are particularly strict
about this. For example, the Linux 2.4.20 kernel limits destination
unreachable messages to one per second (in net/ipv4/icmp.c).

Nmap detects rate limiting and slows down accordingly to avoid flooding
the network with useless packets that the target machine will drop.
Unfortunately, a Linux-style limit of one packet per second makes a
65,536-port scan take more than 18 hours. Ideas for speeding your UDP
scans up include scanning more hosts in parallel, doing a quick scan of
just the popular ports first, scanning from behind the firewall, and using
--host-timeout to skip slow hosts.

The main services that use UDP are DNS, SNMP and DHCP. Because UDP scanning is harder and more time-consuming, some audits skip it. The difficulty is that Linux and Solaris by default limit the number of unreachable messages per second; to avoid causing the server to drop packets, Nmap lowers its sending rate, so the scan takes a very long time. It is recommended to scan the common UDP ports first, and to set a host timeout to skip hosts that scan slowly.

Usually, if the server responds with a UDP packet, the port is open; when there is no response, nmap classifies the port as open|filtered, and the -sV option is needed to help determine the port's state.
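The -sS and -sU sections above give the exact rules by which a reply (or silence) maps to a port state. As an added example (not Nmap code; it sends no packets), the following encodes those rules over constructed "observed responses" and includes the worst-case duration calculation for a rate-limited UDP scan that the text mentions:

```python
"""Port-state rules for Nmap -sS (SYN) and -sU (UDP) scans, taken from the
man page text above. Added example, not Nmap code; it classifies
constructed response records and sends nothing."""
from dataclasses import dataclass
from typing import Optional

# ICMP destination unreachable (type 3) codes named in the text.
ICMP_UNREACH_TYPE = 3
ICMP_PORT_UNREACH_CODE = 3                      # UDP: "closed"
SYN_FILTERED_CODES = {1, 2, 3, 9, 10, 13}       # -sS: "filtered"
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}          # -sU: "filtered"


@dataclass
class Response:
    """One reply to a probe. kind is 'SYN/ACK', 'RST', 'SYN', 'UDP',
    'ICMP', or None (nothing came back after all retransmissions)."""
    kind: Optional[str]
    icmp_type: int = 0
    icmp_code: int = 0


def classify_syn(resp: Response) -> str:
    """State of a TCP port after a -sS probe."""
    if resp.kind in ("SYN/ACK", "SYN"):
        return "open"                # listening, or rare simultaneous open
    if resp.kind == "RST":
        return "closed"              # non-listener
    if (resp.kind == "ICMP" and resp.icmp_type == ICMP_UNREACH_TYPE
            and resp.icmp_code in SYN_FILTERED_CODES):
        return "filtered"            # type 3, code 1,2,3,9,10 or 13
    if resp.kind is None:
        return "filtered"            # silence after retransmissions
    raise ValueError(f"unexpected response for SYN scan: {resp}")


def classify_udp(resp: Response) -> str:
    """State of a UDP port after a -sU probe."""
    if resp.kind == "UDP":
        return "open"                # the service answered
    if resp.kind == "ICMP" and resp.icmp_type == ICMP_UNREACH_TYPE:
        if resp.icmp_code == ICMP_PORT_UNREACH_CODE:
            return "closed"          # type 3, code 3
        if resp.icmp_code in UDP_FILTERED_CODES:
            return "filtered"        # type 3, code 1,2,9,10 or 13
    if resp.kind is None:
        return "open|filtered"       # silence is ambiguous for UDP
    raise ValueError(f"unexpected response for UDP scan: {resp}")


def udp_scan_hours(ports: int, icmp_per_second: float = 1.0) -> float:
    """Worst case when every port is closed and the target rate limits ICMP
    port unreachable to icmp_per_second (the Linux default of 1/s)."""
    return ports / icmp_per_second / 3600
```

For 65,536 ports at one ICMP reply per second udp_scan_hours returns just over 18 hours, matching the figure in the man page text.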

3. Intense scan, all TCP ports: intense scan of all of the target's ports

nmap -p 1-65535 -T4 -A -v

4. Intense scan, no ping: intense scan of the target without host discovery

nmap -T4 -A -v -Pn

-Pn:    Treat all hosts as online -- skip host discovery

-Pn (No ping).

This option skips the Nmap discovery stage altogether. Normally, Nmap uses
this stage to determine active machines for heavier scanning. By default,
Nmap only performs heavy probing such as port scans, version detection, or
OS detection against hosts that are found to be up. Disabling host
discovery with -Pn causes Nmap to attempt the requested scanning functions
against every target IP address specified. So if a class B target address
space (/16) is specified on the command line, all 65,536 IP addresses are
scanned. Proper host discovery is skipped as with the list scan, but
instead of stopping and printing the target list, Nmap continues to
perform requested functions as if each target IP is active. To skip ping
scan and port scan, while still allowing NSE to run, use the two options
-Pn -sn together.

For machines on a local ethernet network, ARP scanning will still be
performed (unless --disable-arp-ping or --send-ip is specified) because
Nmap needs MAC addresses to further scan target hosts. In previous
versions of Nmap, -Pn was -P0 and -PN.

Assume all hosts are online and skip the host discovery stage.

5. Ping scan: discover hosts, then do not port scan

nmap -sn

-sn: Ping Scan - disable port scan

-sn (No port scan).

This option tells Nmap not to do a port scan after host discovery, and
only print out the available hosts that responded to the scan. This is
often known as a "ping scan", but you can also request that traceroute and
NSE host scripts be run. This is by default one step more intrusive than
the list scan, and can often be used for the same purposes. It allows
light reconnaissance of a target network without attracting much
attention. Knowing how many hosts are up is more valuable to attackers
than the list provided by list scan of every single IP and host name.

Systems administrators often find this option valuable as well. It can
easily be used to count available machines on a network or monitor server
availability. This is often called a ping sweep, and is more reliable than
pinging the broadcast address because many hosts do not reply to broadcast
queries.

The default host discovery done with -sn consists of an ICMP echo request,
TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by
default. When executed by an unprivileged user, only SYN packets are sent
(using a connect call) to ports 80 and 443 on the target. When a
privileged user tries to scan targets on a local ethernet network, ARP
requests are used unless --send-ip was specified. The -sn option can be
combined with any of the discovery probe types (the -P* options, excluding
-Pn) for greater flexibility. If any of those probe type and port number
options are used, the default probes are overridden. When strict firewalls
are in place between the source host running Nmap and the target network,
using those advanced techniques is recommended. Otherwise hosts could be
missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

6. Quick scan

nmap -T4 -F

-F:     -F: Fast mode - Scan fewer ports than the default scan

-F (Fast (limited port) scan).

Specifies that you wish to scan fewer ports than the default. Normally
Nmap scans the most common 1,000 ports for each scanned protocol. With -F,
this is reduced to 100.

Nmap needs an nmap-services file with frequency information in order to
know which ports are the most common. If port frequency information isn't
available, perhaps because of the use of a custom nmap-services file, Nmap
scans all named ports plus ports 1-1024. In that case, -F means to scan
only ports that are named in the services file.

7. Quick scan plus: quicker scan

nmap -sV -T4 -O -F --version-light

-O:     Enable OS detection

--version-intensity intensity (Set version scan intensity).

When performing a version scan (-sV), Nmap sends a series of probes, each
of which is assigned a rarity value between one and nine. The
lower-numbered probes are effective against a wide variety of common
services, while the higher-numbered ones are rarely useful. The intensity
level specifies which probes should be applied. The higher the number, the
more likely it is the service will be correctly identified. However, high
intensity scans take longer. The intensity must be between 0 and 9. The
default is 7.

When a probe is registered to the target port via the nmap-service-probes
ports directive, that probe is tried regardless of intensity level. This
ensures that the DNS probes will always be attempted against any open port
53, the SSL probe will be done against 443, etc.

--version-light (Enable light mode).

This is a convenience alias for --version-intensity 2. This light mode
makes version scanning much faster, but it is slightly less likely to
identify services.

-sV:

-sV (Version detection).

Enables version detection, as discussed above. Alternatively, you can use
-A, which enables version detection among other things.

-sR is an alias for -sV. Prior to March 2011, it was used to activate the
RPC grinder separately from version detection, but now these options are
always combined.

8. Quick traceroute: quick scan that skips port scanning and returns the host IP of every hop

nmap -sn --traceroute

--traceroute: Trace hop path to each host

9. Regular scan

nmap

10. Slow comprehensive scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"

-PE/-PP: ICMP echo, timestamp

-PS port list (TCP SYN Ping).

This option sends an empty TCP packet with the SYN flag set. The default
destination port is 80 (configurable at compile time by changing
DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports can be specified
as a parameter. The syntax is the same as for the -p except that port type
specifiers like T: are not allowed. Examples are -PS22 and
-PS22-25,80,113,1050,35000. Note that there can be no space between -PS
and the port list. If multiple probes are specified they will be sent in
parallel.

The SYN flag suggests to the remote system that you are attempting to
establish a connection. Normally the destination port will be closed, and
a RST (reset) packet sent back. If the port happens to be open, the target
will take the second step of a TCP three-way-handshake by responding with
a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent
connection by responding with a RST rather than sending an ACK packet
which would complete the three-way-handshake and establish a full
connection. The RST packet is sent by the kernel of the machine running
Nmap in response to the unexpected SYN/ACK, not by Nmap itself.

Nmap does not care whether the port is open or closed. Either the RST or
SYN/ACK response discussed previously tell Nmap that the host is available
and responsive.

On Unix boxes, only the privileged user root is generally able to send and
receive raw TCP packets. For unprivileged users, a workaround is
automatically employed whereby the connect system call is initiated
against each target port. This has the effect of sending a SYN packet to
the target host, in an attempt to establish a connection. If connect
returns with a quick success or an ECONNREFUSED failure, the underlying
TCP stack must have received a SYN/ACK or RST and the host is marked
available. If the connection attempt is left hanging until a timeout is
reached, the host is marked as down.

-PA:    -PA port list (TCP ACK Ping).

The TCP ACK ping is quite similar to the just-discussed SYN ping. The
difference, as you could likely guess, is that the TCP ACK flag is set
instead of the SYN flag. Such an ACK packet purports to be acknowledging
data over an established TCP connection, but no such connection exists. So
remote hosts should always respond with a RST packet, disclosing their
existence in the process.

The -PA option uses the same default port as the SYN probe (80) and can
also take a list of destination ports in the same format. If an
unprivileged user tries this, the connect workaround discussed previously
is used. This workaround is imperfect because connect is actually sending
a SYN packet rather than an ACK.

The reason for offering both SYN and ACK ping probes is to maximize the
chances of bypassing firewalls. Many administrators configure routers and
other simple firewalls to block incoming SYN packets except for those
destined for public services like the company web site or mail server.
This prevents other incoming connections to the organization, while
allowing users to make unobstructed outgoing connections to the Internet.
This non-stateful approach takes up few resources on the firewall/router
and is widely supported by hardware and software filters. The Linux
Netfilter/iptables firewall software offers the --syn convenience option
to implement this stateless approach. When stateless firewall rules such
as this are in place, SYN ping probes (-PS) are likely to be blocked when
sent to closed target ports. In such cases, the ACK probe shines as it
cuts right through these rules.

Another common type of firewall uses stateful rules that drop unexpected
packets. This feature was initially found mostly on high-end firewalls,
though it has become much more common over the years. The Linux
Netfilter/iptables system supports this through the --state option, which
categorizes packets based on connection state. A SYN probe is more likely
to work against such a system, as unexpected ACK packets are generally
recognized as bogus and dropped. A solution to this quandary is to send
both SYN and ACK probes by specifying -PS and -PA.

-PS and -PA are used together to maximize the chance of getting past firewalls and other security devices.
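The -PS/-PA discussion above describes two firewall policies and how each reacts to a SYN ping and an ACK ping. The model below is an added example (not Nmap or Netfilter code; it sends nothing) that encodes exactly that reasoning, so a defender can see which probe each policy lets a host answer; the public port set and the probe port 3389 (as in the profile's -PA3389) are constructed sample values:

```python
"""Why Nmap offers both -PS (SYN ping) and -PA (ACK ping), following the
text above. Added example, not Nmap or Netfilter code. Two constructed
policies: a stateless filter (iptables --syn style: drop inbound SYN
except to public ports, do not inspect ACKs) and a stateful filter
(--state style: allow new SYNs, drop ACKs belonging to no connection)."""
from typing import Callable, Iterable, Optional, Set, Tuple

# Constructed sample: the only ports the site exposes to the outside.
PUBLIC_PORTS: Set[int] = {80, 443}

Firewall = Callable[[str, int, Set[int]], bool]


def stateless_filter(flag: str, port: int, public: Set[int]) -> bool:
    """True if the packet reaches the host. Inbound SYNs to non-public
    ports are dropped; a bare ACK is not inspected and passes."""
    return not (flag == "SYN" and port not in public)


def stateful_filter(flag: str, port: int, public: Set[int]) -> bool:
    """A SYN opens a NEW connection and passes; a bare ACK matches no
    ESTABLISHED connection and is dropped as bogus."""
    return flag == "SYN"


def host_reply(flag: str, port_open: bool) -> str:
    """What a reachable TCP stack sends back, per the text: a SYN gets
    SYN/ACK if the port is open, else RST; a stray ACK always gets RST."""
    if flag == "SYN":
        return "SYN/ACK" if port_open else "RST"
    return "RST"


def probe(fw: Firewall, flag: str, port: int, port_open: bool) -> Optional[str]:
    """One discovery probe through the firewall; None means silence."""
    if not fw(flag, port, PUBLIC_PORTS):
        return None
    return host_reply(flag, port_open)


def host_discovered(fw: Firewall, probes: Iterable[Tuple[str, int]],
                    port_open: bool = False) -> bool:
    """Nmap marks the host up if any probe draws a RST or SYN/ACK."""
    return any(probe(fw, f, p, port_open) is not None for f, p in probes)


if __name__ == "__main__":
    # -PS3389 alone, -PA3389 alone, and both, against each policy.
    for name, fw in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(name, "PS:", host_discovered(fw, [("SYN", 3389)]),
              "PA:", host_discovered(fw, [("ACK", 3389)]),
              "PS+PA:", host_discovered(fw, [("SYN", 3389), ("ACK", 3389)]))
```

Against the stateless policy only the ACK probe draws a RST; against the stateful policy only the SYN probe gets through; sending both discovers the host under either policy, which is the page's argument for -PS plus -PA.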

-g/--source-port <portnum>: Use given port number

nmap --script "default or safe"

This is functionally equivalent to nmap --script "default,safe". It loads
all scripts that are in the default category or the safe category or
both.

Time: 2024-10-12 20:53:05
