Instructions for using the network scanning tool nmap

零下一度
Release: 2017-06-23 11:15:46
Original
3189 people have browsed it

Directory of this article:

##1.1 Option Description

1.2 Try a scan

1.3 Scan target description

1.4 Port status description

1.5 Time parameter optimization

1.6 Scan Operating system type

1.7 Quick scan of surviving hosts

1.8 Quick scan of ports


#nmap is generally used to scan whether the host is online (especially scanning the surviving machines in the LAN) and which ports are open. Other functions are rarely used, and people who do penetration may need to know more about them.


1.1 Option Description

nmap needs to be installed by yourself.

shell> yum -y install nmap

Use nmap -h to view options and usage. There are a lot of options, which is the inevitable result of a powerful tool, but few of them are easy to use.

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

## -iL : Input from list of hosts/networks

-iR : Choose random targets

--exclude : Exclude hosts/networks

--excludefile : Exclude list from file

HOST DISCOVERY:

-sL: List Scan - simply list targets to scan

-sn: Ping Scan - disable port scan

-Pn: Treat all hosts as online -- skip host discovery

-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports

-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes

-PO[protocol list]: IP Protocol Ping

-PR: ARP ping - does not need HW address -> ; IP translation

-n/-R: Never do DNS resolution/Always resolve [default: sometimes]

--dns-servers : Specify custom DNS servers

--system-dns: Use OS's DNS resolver

--traceroute: Trace hop path to each host

SCAN TECHNIQUES:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans

## -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans

--scanflags : Customize TCP scan flags

-sI : Idle scan

-sY/sZ: SCTP INIT/COOKIE- ECHO scans

-sO: IP protocol scan -b : FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:

-p : Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 -F: Fast mode - Scan fewer ports than the default scan

-r: Scan ports consecutively - don't randomize

--top-ports : Scan most common ports

- -port-ratio : Scan ports more common than

SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

-sR: Check what service uses opened ports using RPC scan

--version-intensity : Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

  --version-trace: Show detailed version scan activity (for debugging)

SCRIPT SCAN:

  -sC: equivalent to --script=default

  --script=: is a comma separated list of directories, script-files or script-categories

  --script-args=: provide arguments to scripts

  --script-trace: Show all data sent and received

  --script-updatedb: Update the script database.

OS DETECTION:

  -O: Enable OS detection

  --osscan-limit: Limit OS detection to promising targets

  --osscan-guess: Guess OS more aggressively

TIMING AND PERFORMANCE:

  Options which take

  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).

  -T<0-5>: Set timing template (higher is faster)

  --min-hostgroup/max-hostgroup : Parallel host scan group sizes

  --min-parallelism/max-parallelism : Probe parallelization

  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout

      probe round trip time.

  --max-retries : Caps number of port scan probe retransmissions.

  --host-timeout

  --scan-delay/--max-scan-delay

  --min-rate : Send packets no slower than per second

  --max-rate : Send packets no faster than per second

FIREWALL/IDS EVASION AND SPOOFING:

  -f; --mtu : fragment packets (optionally w/given MTU)

  -D : Cloak a scan with decoys

  -S : Spoof source address

  -e : Use specified interface

  -g/--source-port : Use given port number

  --data-length : Append random data to sent packets

  --ip-options : Send packets with specified ip options

  --ttl : Set IP time-to-live field

  --spoof-mac : Spoof your MAC address

  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

OUTPUT:

  -oN/-oX/-oS/-oG : Output scan in normal, XML, s|

     and Grepable format, respectively, to the given filename.

  -oA : Output in the three major formats at once

  -v: Increase verbosity level (use -vv or more for greater effect)

  -d: Increase debugging level (use -dd or more for greater effect)

  --reason: Display the reason a port is in a particular state

  --open: Only show open (or possibly open) ports

  --packet-trace: Show all packets sent and received

  --iflist: Print host interfaces and routes (for debugging)

  --log-errors: Log errors/warnings to the normal-format output file

  --append-output: Append to rather than clobber specified output files

  --resume : Resume an aborted scan

  --stylesheet : XSL stylesheet to transform XML output to HTML

  --webxml: Reference stylesheet from Nmap.Org for more portable XML

  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

MISC:

  -6: Enable IPv6 scanning

  -A: Enable OS detection, version detection, script scanning, and traceroute

  --datadir : Specify custom Nmap data file location

  --send-eth/--send-ip: Send using raw ethernet frames or IP packets

  --privileged: Assume that the user is fully privileged

  --unprivileged: Assume the user lacks raw socket privileges

  -V: Print version number

  -h: Print this help summary page.

EXAMPLES:

  nmap -v -A scanme.nmap.org

  nmap -v -sn 192.168.0.0/16 10.0.0.0/8

  nmap -v -iR 10000 -Pn -p 80

常用的就上面标红的几个。下面是解释:

-iL <inputfilename>:从输入文件中读取主机或者IP列表作为探测目标-sn: PING扫描,但是禁止端口扫描。默认总是会扫描端口。禁用端口扫描可以加速扫描主机-n/-R: 永远不要/总是进行DNS解析,默认情况下有时会解析-PE/PP/PM:分别是基于echo/timestamp/netmask的ICMP探测报文方式。使用echo最快-sS/sT/sA/sW:TCP SYN/Connect()/ACK/Window,其中sT扫描表示TCP扫描-sU:UDP扫描-sO:IP扫描-p <port ranges>: 指定扫描端口--min-hostgroup/max-hostgroup <size>: 对目标主机进行分组然后组之间并行扫描--min-parallelism/max-parallelism <numprobes>: 设置并行扫描的探针数量-oN/-oX/ <file>: 输出扫描结果到普通文件或XML文件中。输入到XML文件中的结果是格式化的结果-v:显示详细信息,使用-vv或者更多的v显示更详细的信息
Copy after login


1.2 尝试一次扫描

nmap扫描一般会比较慢,特别是扫描非本机的时候。

[root@server2 ~]# nmap 127.0.0.1Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-20 13:03 CSTNmap scan report for localhost (127.0.0.1)
Host is up (0.0000010s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE22/tcp open  ssh25/tcp open  smtp
Copy after login

只扫描出了两个端口,但是不代表真的只开了两个端口,这样不加任何参数的nmap将自动决定扫描1000个高危端口,但哪些是高危端口由nmap决定。从结果中也能看出来,"NOT shown:998 closed ports"表示998个关闭的端口未显示出来,随后又显示了2个open端口,正好1000个。虽说默认只扫描1000个,但常见的端口都能扫描出来。

从虚拟机扫描win主机看看。可以感受到,扫描速度明显降低了。

[root@server2 ~]# nmap 192.168.0.122
 Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-20 13:11 CSTNmap scan report for 192.168.0.122Host is up (1.2s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE21/tcp   open     ftp135/tcp  open     msrpc139/tcp  open     netbios-ssn443/tcp  open     https445/tcp  open     microsoft-ds514/tcp  filtered shell902/tcp  open     iss-realsecure912/tcp  open     apex-mesh1583/tcp open     simbaexpress5357/tcp open     wsdapi
 
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds
Copy after login

可以指定"-p [1-65535]"来扫描所有端口,或者使用"-p-"选项也是全面扫描。

[root@xuexi ~]# nmap -p- 127.0.0.1
Copy after login

nmap默认总是会扫描端口,可以使用-sn选项禁止扫描端口,以加速扫描主机是否存活。


1.3 扫描目标说明

Nmap支持CIDR风格的地址,Nmap将会扫描所有和该参考IP地址具有相同cidr位数的所有IP地址或主机。

例如192.168.10.0/24将扫描192.168.10.0和192.168.10.255之间的256台主机,192.168.10.40/24会做同样的事情。假设主机scanme.nmap.org的IP地址是205.217.153.62,scanme.nmap.org/16将扫描205.217.0.0和205.217.255.255之间的65536个IP地址。掩码位所允许的最小值是/1,这将会扫描半个互联网,最大值是/32,这将会扫描该主机或IP地址,因为所有主机位都固定了。

CIDR标志位很简洁但有时候不够灵活。例如也许想要扫描192.168.0.0/16,但略过任何以".0"或者".255"结束的IP地址,因为它们通常是网段地址或广播地址。可以用逗号分开的数字或范围列表为IP地址指定它的范围。例如"192.168.0-255.1-254"将略过该范围内以".0"和".255"结束的地址。范围不必限于最后的8位:"0-255.0-255.13.37"将在整个互联网范围内扫描所有以"13.37"结束的地址。

Nmap命令行接受多个主机说明,它们不必是相同类型。如:

nmap www.hostname.com 192.168.0.0/8 10.0.0,1,3-7.0-255
Copy after login

虽然目标通常在命令行指定,下列选项也可用来控制目标的选择:

  • -iL (从列表中输入)

中读取目标说明。在命令行输入一堆主机名显得很笨拙,然而经常需要这样。例如DHCP服务器可能导出10000个当前租约列表。列表中的项可以是Nmap在命令行上接受的任何格式(IP地址,主机名,CIDR,IPv6,或者八位字节范围)。每一项必须以一个或多个空格、制表符或换行符分开。如果希望Nmap从标准输入读取列表,则使用"-"作为表示/dev/stdin。

  • --exclude (排除主机/网络)

  • --excludefile (排除文件中的列表),这和--exclude的功能一样,只是所排除的目标是用提供的。

1.3.1 范围扫描示例

指定一个IP地址然后加一个CIDR的掩码位,如192.168.100.22/24,当然写成192.168.100.0/24也是一样的,因为nmap需要的是参考IP。如果扫描的是范围地址,可以192.168.100.1-254这样的书写方式。

[root@xuexi ~]# nmap 192.168.100.1/24
 Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-20 13:22 CSTNmap scan report for 192.168.100.1Host is up (0.00053s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE21/tcp   open  ftp135/tcp  open  msrpc139/tcp  open  netbios-ssn443/tcp  open  https445/tcp  open  microsoft-ds902/tcp  open  iss-realsecure912/tcp  open  apex-mesh5357/tcp open  wsdapi
MAC Address: 00:50:56:C0:00:08 (VMware)
 
Nmap scan report for 192.168.100.2Host is up (0.000018s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE53/tcp open  domain
MAC Address: 00:50:56:E2:16:04 (VMware)

Nmap scan report for 192.168.100.70Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE22/tcp open  sshMAC Address: 00:0C:29:71:81:64 (VMware)

Nmap scan report for 192.168.100.254Host is up (0.000095s latency).
All 1000 scanned ports on 192.168.100.254 are filtered
MAC Address: 00:50:56:ED:A1:04 (VMware)

Nmap scan report for 192.168.100.62Host is up (0.0000030s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE22/tcp open  sshNmap done: 256 IP addresses (5 hosts up) scanned in 7.96 seconds
Copy after login

Generally speaking, it is probably not the computer that has all the ports closed, but it may be the router, virtual network card and other devices.


1.4 Port Status Description

Nmap has more and more functions, but what it is famous for is its core function-port scanning.

Nmap divides ports into six states: open (open), closed (closed), filtered (filtered), unfiltered (unfiltered), open|filtered (open or filtered) ), or closed|filtered (closed or filtered).

These states are not properties of the ports themselves, but describe how Nmap views them. For example, for the same target machine's 135/tcp port, scanning from the same network shows that it is open, but doing the exact same scan across the network may show that it is filtered.

  • 1.open: (Open) The application is receiving TCP or UDP packets on this port. It is often the primary target for port scans.

  • 2.closed: (Closed) A closed port is also accessible to Nmap (it accepts Nmap's detection messages and responds), but no application is listening on it. .

  • 3.filtered: (Filtered) Because packet filtering (such as a firewall device) is set up on the target, detection packets are blocked from reaching the port, and Nmap cannot determine whether the port is open. . Filtering may come from specialized firewall devices, router rules, or software firewalls on the host.

  • 4.unfiltered: The unfiltered status means that the port is accessible, but Nmap cannot determine whether it is open or closed. Scanning these unfiltered ports with other types of scans such as window scans, SYN scans, and FIN scans can help determine whether the port is open.

  • 5.open|filtered: (open or filtered): When it is impossible to determine whether a port is open or filtered, Nmap divides the port into this state. An open port not responding is an example. No response may also mean that the packet filter on the target host discarded the probe packet or any response it caused. Therefore Nmap cannot determine whether the port is open or filtered.

  • 6.closed|filtered: (closed or filtered) This status is used when Nmap cannot determine whether the port is closed or filtered. It may only appear in IPID Idle scans.


1.5 Time parameter optimization

Techniques to improve scan time include: ignoring non-critical detections, upgrading to the latest version of Nmap( The document says that the higher the nmap version, the better the performance) etc. In addition, optimizing the time parameters will also bring substantial optimizations. These parameters are as follows:

TIMING AND PERFORMANCE:

-T<0-5>: Set timing template (higher is faster)

## --min-hostgroup/max-hostgroup : Parallel host scan group sizes

--min-parallelism/max-parallelism : Probe parallelization

--min-rtt-timeout/max-rtt -timeout/initial-rtt-timeout

The above is the detailed content of Instructions for using the network scanning tool nmap. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template