1. Scan using a hostname
[[email protected] opt]# nmap www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:52 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0025s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds
2. Scan using an IP address
[[email protected] opt]# nmap 192.168.20.237
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:53 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
3. Scan with the -v option
Adding the -v option makes Nmap report more detailed information about the remote machine and about each phase of the scan.
[[email protected] opt]# nmap -v www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:54 CST
Initiating Ping Scan at 16:54
Scanning www.baidu.com (220.181.111.188) [4 ports]
Completed Ping Scan at 16:54, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:54
Completed Parallel DNS resolution of 1 host. at 16:54, 0.02s elapsed
Initiating SYN Stealth Scan at 16:54
Scanning www.baidu.com (220.181.111.188) [1000 ports]
Discovered open port 80/tcp on 220.181.111.188
Discovered open port 443/tcp on 220.181.111.188
Completed SYN Stealth Scan at 16:54, 4.53s elapsed (1000 total ports)
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.68 seconds
Raw packets sent: 2004 (88.152KB) | Rcvd: 5 (204B)
4. Scan multiple hosts
Put several IP addresses or hostnames after the nmap command to scan multiple hosts in one run.
[[email protected] opt]# nmap www.baidu.com www.163.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 16:56 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0023s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap scan report for www.163.com (175.25.168.40)
Host is up (0.0028s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
88/tcp open kerberos-sec
443/tcp open https
2323/tcp open 3d-nfsd
3030/tcp open arepa-cas
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8083/tcp open us-srv
8088/tcp open radan-http
8090/tcp open unknown
8888/tcp open sun-answerbook
9001/tcp open tor-orport
9500/tcp open ismserver
20000/tcp open dnp
Nmap done: 2 IP addresses (2 hosts up) scanned in 17.15 seconds
5. Scan an entire subnet
Use the * wildcard to scan an entire subnet or a range of IP addresses.
[[email protected] opt]# nmap 192.168.20.*
6. Scan multiple servers using the last byte of the IP address
[[email protected] opt]# nmap 192.168.20.236,237,238
7. Scan a list of hosts from a file
Run nmap with the -iL option to scan every IP address listed in the file.
[[email protected] opt]# more abc.txt
192.168.20.248
192.168.20.235
192.168.20.227
[[email protected] opt]# nmap -iL abc.txt
8. Scan an IP address range
nmap 192.168.20.236-238
9. Exclude some remote hosts from the scan
[[email protected] opt]# nmap 192.168.20.236-238 --exclude 192.168.20.237
10. Scan for OS information and traceroute
To enable OS detection, version detection, script scanning and traceroute in one run, use Nmap's -A option.
In the output below, Nmap prints the TCP/IP fingerprint of the remote host's operating system and gives more specific detail about the ports and services on the remote host.
[[email protected] opt]# nmap -A 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:04 CST
Nmap scan report for 192.168.20.229
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 59:14:67:7a:92:dc:30:76:e0:59:9c:f2:eb:d7:dc:77 (DSA)
|_ 2048 3a:a8:73:5a:e7:02:34:5d:fe:1e:04:7d:5f:b3:ba:19 (RSA)
80/tcp open http nginx
|_http-server-header: nginx
|_http-title: \xE5\xA5\xBD\xE6\x9C\xA8
8088/tcp open http Jetty 7.6.15.v20140411
|_http-server-header: Jetty(7.6.15.v20140411)
|_http-title: Error 404 Not Found
MAC Address: 00:0C:29:6C:03:6A (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=3/29%OT=22%CT=1%CU=33617%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=58DB78C6%P=x86_64-redhat-linux-gnu)SEQ(SP=108%GCD=1%ISR=109%TI=Z%CI=Z%
OS:II=I%TS=U)OPS(O1=M5B4NNSNW9%O2=M5B4NNSNW9%O3=M5B4NW9%O4=M5B4NNSNW9%O5=M5
OS:B4NNSNW9%O6=M5B4NNS)WIN(W1=3908%W2=3908%W3=3908%W4=3908%W5=3908%W6=3908)
OS:ECN(R=Y%DF=Y%T=40%W=3908%O=M5B4NNSNW9%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.20.229
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.09 seconds
11. Enable Nmap's OS detection
The -O and --osscan-guess options also help detect operating system information.
[[email protected] opt]# nmap -O 192.168.20.229
12. Scan a host to detect a firewall
Scan a remote host to find out whether it sits behind a packet filter or a firewall.
[[email protected] opt]# nmap -sA www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:11 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
All 1000 scanned ports on www.baidu.com (220.181.112.244) are filtered # filtered: a firewall is in place
Nmap done: 1 IP address (1 host up) scanned in 21.22 seconds
[[email protected] opt]# nmap -sA 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:14 CST
Nmap scan report for 192.168.20.229
Host is up (0.00033s latency).
All 1000 scanned ports on 192.168.20.229 are unfiltered # unfiltered: no firewall
MAC Address: 00:0C:29:6C:03:6A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
13. Scan a host to check whether it is protected by a firewall
Scan a host to check whether it is protected by packet-filtering software or a firewall. The -PN option tells Nmap to skip host discovery (the ping) and scan the host anyway, which is what you need when a firewall drops ICMP.
[[email protected] opt]# nmap -PN www.baidu.com
14. Find live hosts on the network
With the -sP option, we can simply find out which hosts on the network are up; it skips the port scan and the other checks.
[[email protected] opt]# nmap -sP 192.168.20.*
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:18 CST
Nmap scan report for 192.168.20.1
Host is up (0.00068s latency).
MAC Address: 68:ED:A4:03:5A:65 (Shenzhen Seavo Technology)
Nmap scan report for 192.168.20.57
Host is up (0.00080s latency).
MAC Address: 14:18:77:27:34:DF (Dell)
Nmap scan report for 192.168.20.211
Host is up (0.00038s latency).
MAC Address: 14:18:77:4F:70:DC (Dell)
15. Perform a fast scan
Use the -F option to perform a fast scan that covers only the most common ports listed in the nmap-services file (100 ports in this run, as the output below shows) and skips all the others.
[[email protected] opt]# nmap -F www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:24 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 98 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
16. Show the Nmap version
Use the -V option to check which version of Nmap is installed on your machine.
[[email protected] opt]# nmap -V
Nmap version 7.40 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.0.1e libpcre-7.8 libpcap-1.4.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
17. Scan ports in sequential order
The -r option tells Nmap not to randomize the order in which ports are scanned.
[[email protected] opt]# nmap -r www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:27 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0025s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.39 seconds
18. Print host interfaces and routes
Use Nmap's --iflist option to print the host's interfaces and routing information.
In the output below, nmap lists the interfaces on your system together with their routes.
[[email protected] opt]# nmap --iflist
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:28 CST
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 16436
lo (lo) ::1/128 loopback up 16436
eth0 (eth0) 192.168.20.237/24 ethernet up 1500 00:0C:29:14:81:57
eth0 (eth0) fe80::20c:29ff:fe14:8157/64 ethernet up 1500 00:0C:29:14:81:57
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
192.168.20.0/24 eth0 0
169.254.0.0/16 eth0 1002
0.0.0.0/0 eth0 0 192.168.20.1
::1/128 lo 0
fe80::20c:29ff:fe14:8157/128 lo 0
fe80::/64 eth0 256
ff00::/8 eth0 256
19. Scan specific ports
Nmap has several options for scanning the ports of a remote machine; use the -p option to specify the ports you want to scan. By default nmap scans only TCP ports.
[[email protected] opt]# nmap -p 80 www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:34 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0018s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
20. Scan TCP ports
You can tell nmap the exact port type and port numbers to scan (the T: prefix selects TCP).
[[email protected] opt]# nmap -p T:80,8088 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:46 CST
Nmap scan report for 192.168.20.229
Host is up (0.00042s latency).
PORT STATE SERVICE
80/tcp open http
8088/tcp open radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
21. Scan UDP ports
[[email protected] opt]# nmap -sU 192.168.20.229
22. Scan multiple ports
The -p option also accepts a comma-separated list of ports.
[[email protected] opt]# nmap -p 80,8088 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:54 CST
Nmap scan report for 192.168.20.229
Host is up (0.0016s latency).
PORT STATE SERVICE
80/tcp open http
8088/tcp open radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
23. Scan a range of ports
Use a range expression to scan every port within a range.
[[email protected] opt]# nmap -p 80-8088 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:58 CST
Nmap scan report for 192.168.20.229
Host is up (0.00025s latency).
Not shown: 7999 closed ports
PORT STATE SERVICE
80/tcp open http
5010/tcp open telelpathstart
5011/tcp open telelpathattack
5012/tcp open nsp
5013/tcp open fmpro-v6
5015/tcp open fmwp
5016/tcp open unknown
5017/tcp open unknown
6379/tcp open redis
8088/tcp open radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds
24. Find the service version numbers
Use the -sV option to find out the versions of the services running on the remote host.
[[email protected] opt]# nmap -sV 192.168.20.237
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 17:59 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
3306/tcp open mysql MySQL 5.6.35
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds
25. Scan a remote host using TCP ACK (-PA) and TCP SYN (-PS) probes
Sometimes a packet-filtering firewall blocks the standard ICMP ping request; in that case we can use TCP ACK and TCP SYN probes for host discovery instead.
[[email protected] opt]# nmap -PS www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:01 CST
Nmap scan report for www.baidu.com (220.181.111.188)
Host is up (0.0040s latency).
Other addresses for www.baidu.com (not scanned): 220.181.112.244
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 5.99 seconds
26. Scan specific ports on a remote host using a TCP ACK probe
[[email protected] opt]# nmap -PA -p 80,8088 192.168.20.229
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:04 CST
Nmap scan report for 192.168.20.229
Host is up (0.00040s latency).
PORT STATE SERVICE
80/tcp open http
8088/tcp open radan-http
MAC Address: 00:0C:29:6C:03:6A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
27. Perform a stealth scan
The -sS option runs a TCP SYN scan, which never completes the three-way handshake.
[[email protected] opt]# nmap -sS www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:05 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0018s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds
28. Scan the most common ports with a TCP SYN scan
Note that -sT, as used below, is the TCP connect scan, which completes the full three-way handshake; the SYN scan itself is -sS, as in item 27.
[[email protected] opt]# nmap -sT www.baidu.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:06 CST
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
Other addresses for www.baidu.com (not scanned): 220.181.111.188
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds
29. Perform a TCP Null scan to get past a firewall
Because a Null scan gets no reply from an open port, Nmap cannot tell open from filtered and reports such ports as open|filtered.
[[email protected] opt]# nmap -sN 192.168.20.237
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-29 18:08 CST
Nmap scan report for 192.168.20.237
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
3306/tcp open|filtered mysql
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
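As an added example (not part of the original page), the POSIX shell script below parses the normal Nmap output format shown throughout this page, covering the multi-host report of item 4, the ACK-scan summary line of item 12 and the open|filtered state of item 29, and then compares two scans to flag newly opened ports, the kind of inventory drift check a defender runs after scanning their own hosts. The sample reports are constructed here, modeled on the outputs of items 20, 23 and 12; the function names are this example's own.

```shell
#!/bin/sh
# Parse Nmap's normal (human-readable) output into tab-separated
# "host port/proto state service" lines. The ACK-scan summary line
# "All N scanned ports on X are filtered|unfiltered" is emitted with "*"
# as the port so that it is not lost.
nmap_ports() {
  awk '
    /^Nmap scan report for /               { host = $5; next }
    /^All [0-9]+ scanned ports on .* are / { print host "\t*\t" $NF "\t-"; next }
    /^[0-9]+\/(tcp|udp) /                  { print host "\t" $1 "\t" $2 "\t" $3 }
  ' "$@"
}

# Inventory drift check: print host/port pairs that are open (including
# open|filtered) in the current scan but were not open in the baseline.
# $1 = baseline report file, $2 = current report file.
nmap_new_open() {
  { nmap_ports "$1" | awk '{ print "B\t" $0 }'
    nmap_ports "$2" | awk '{ print "C\t" $0 }'; } |
  awk -F'\t' '$4 ~ /^open/ {
      key = $2 "\t" $3                  # host and port/proto
      if ($1 == "B") seen[key] = 1      # baseline lines arrive first
      else if (!(key in seen)) print key
  }'
}

# Constructed sample reports (not real scan results).
D=$(mktemp -d)
cat > "$D/baseline.txt" <<'EOF'
Nmap scan report for 192.168.20.229
Host is up (0.00042s latency).
PORT STATE SERVICE
80/tcp open http
8088/tcp open radan-http
EOF
cat > "$D/current.txt" <<'EOF'
Nmap scan report for 192.168.20.229
Host is up (0.00025s latency).
Not shown: 7997 closed ports
PORT STATE SERVICE
80/tcp open http
6379/tcp open redis
8088/tcp open radan-http
Nmap scan report for www.baidu.com (220.181.112.244)
Host is up (0.0019s latency).
All 1000 scanned ports on www.baidu.com (220.181.112.244) are filtered
EOF

nmap_new_open "$D/baseline.txt" "$D/current.txt"   # prints: 192.168.20.229<TAB>6379/tcp
```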