Nmap详细使用说明
作者: 分类: 网络安全 发布于: 2024-06-18 10:44:28 浏览:2,530 评论(0)
官网Nmap: the Network Mapper - Free Security Scanner 。nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。
选项概要
当Nmap不带选项运行时,选项概要会被输出:
> nmap
Nmap 7.92 ( https://nmap.org ) #版本号
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks #从主机/网络列表输入
-iR <num hosts>: Choose random targets #选择随机目标
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks #排除某些主机/网络
--excludefile <exclude_file>: Exclude list from file #排除文件中的主机/网络
HOST DISCOVERY: #主机发现
-sL: List Scan - simply list targets to scan #简单地列出要扫描的目标
-sn: Ping Scan - disable port scan #禁用端口扫描
-Pn: Treat all hosts as online -- skip host discovery #将所有主机视为在线—跳过主机发现
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports #TCP SYN/ACK, UDP或SCTP发现给定的端口
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes #ICMP echo、时间戳和netmask请求发现探测
-PO[protocol list]: IP Protocol Ping #IP协议Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes] #从不做DNS解析/总是解析[默认值:有时]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers #指定自定义DNS服务器
--system-dns: Use OS's DNS resolver #使用操作系统的DNS解析器
--traceroute: Trace hop path to each host #跟踪每台主机的跳路径
SCAN TECHNIQUES: #扫描技术
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans #TCP SYN/Connect()/ACK/Window/Maimon扫描
-sU: UDP Scan #UDP扫描
-sN/sF/sX: TCP Null, FIN, and Xmas scans #TCP Null、FIN和Xmas扫描
--scanflags <flags>: Customize TCP scan flags #自定义TCP扫描标志
-sI <zombie host[:probeport]>: Idle scan #闲置的扫描
-sY/sZ: SCTP INIT/COOKIE-ECHO scans #SCTP INIT/COOKIE-ECHO扫描
-sO: IP protocol scan #IP协议扫描
-b <FTP relay host>: FTP bounce scan #FTP反弹扫描
PORT SPECIFICATION AND SCAN ORDER: #端口规格和扫描顺序
-p <port ranges>: Only scan specified ports #只扫描指定端口
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning #排除指定端口扫描
-F: Fast mode - Scan fewer ports than the default scan #快速模式 - 扫描的端口比默认扫描少
-r: Scan ports consecutively - don't randomize #连续扫描端口-不要随机
--top-ports <number>: Scan <number> most common ports #扫描<number>最常用的端口
--port-ratio <ratio>: Scan ports more common than <ratio> #扫描端口比<ratio >更常见
SERVICE/VERSION DETECTION: #服务/版本检测
-sV: Probe open ports to determine service/version info #探测打开的端口以确定服务/版本信息
--version-intensity <level>: Set from 0 (light) to 9 (try all probes) #设置从0(光)到9(尝试所有探头)
--version-light: Limit to most likely probes (intensity 2) #最可能探测的限制(强度2)
--version-all: Try every single probe (intensity 9) #尝试每一个探针(强度9)
--version-trace: Show detailed version scan activity (for debugging) #显示详细的版本扫描活动(用于调试)
SCRIPT SCAN: #脚本扫描
-sC: equivalent to --script=default #相当于——script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories #<Lua scripts>是一个逗号分隔的目录、脚本文件或脚本类别列表
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts #为脚本提供参数
--script-args-file=filename: provide NSE script args in a file #在文件中提供NSE脚本参数
--script-trace: Show all data sent and received #显示所有发送和接收的数据
--script-updatedb: Update the script database. #更新脚本数据库
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories. #显示关于脚本的帮助。<Lua scripts>是一个以逗号分隔的脚本文件或脚本类别列表。
OS DETECTION: #操作系统识别,作业系统侦测
-O: Enable OS detection #启用操作系统检测
--osscan-limit: Limit OS detection to promising targets #限制操作系统检测到有希望的目标
--osscan-guess: Guess OS more aggressively #猜测操作系统更具侵略性?
TIMING AND PERFORMANCE: # 时序和性能
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster) #设置定时模板(越高越快)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes #并行主机扫描组大小
--min-parallelism/max-parallelism <numprobes>: Probe parallelization #探针并行化
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time. #指定探针往返时间。
--max-retries <tries>: Caps number of port scan probe retransmissions. #限制端口扫描探测重传的次数。
--host-timeout <time>: Give up on target after this long #超时放弃
--scan-delay/--max-scan-delay <time>: Adjust delay between probes #调整探头之间的延迟
--min-rate <number>: Send packets no slower than <number> per second #发送数据包的速度不低于每秒<number>
--max-rate <number>: Send packets no faster than <number> per second #发送数据包的速度不超过每秒<number>
FIREWALL/IDS EVASION AND SPOOFING: #防火墙/ ids规避和欺骗
-f; --mtu <val>: fragment packets (optionally w/given MTU) #分段数据包(可选的给定MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys #用诱饵掩护扫描
-S <IP_Address>: Spoof source address #欺骗源地址
-e <iface>: Use specified interface #使用指定接口
-g/--source-port <portnum>: Use given port number #使用给定端口号
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies #通过HTTP/SOCKS4代理中继连接
--data <hex string>: Append a custom payload to sent packets #向发送的数据包附加自定义负载
--data-string <string>: Append a custom ASCII string to sent packets #在发送的数据包中附加一个自定义ASCII字符串
--data-length <num>: Append random data to sent packets #向发送的数据包附加随机数据
--ip-options <options>: Send packets with specified ip options #发送带有指定ip选项的数据包
--ttl <val>: Set IP time-to-live field #设置IP生存时间字段
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address #伪造你的MAC地址
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum #发送带有虚假TCP/UDP/SCTP校验和的数据包
OUTPUT: #输出
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename. #输出扫描在正常,XML, s|<rIpt kIddi3,和Grepable格式,分别转换为给定的文件名。
-oA <basename>: Output in the three major formats at once #同时以三种主要格式输出
-v: Increase verbosity level (use -vv or more for greater effect) #增加冗长级别(使用-vv或更多以获得更好的效果)
-d: Increase debugging level (use -dd or more for greater effect) #增加调试级别(使用-dd或更多以获得更好的效果)
--reason: Display the reason a port is in a particular state #显示端口处于特定状态的原因
--open: Only show open (or possibly open) ports #只显示打开的(或可能打开的)端口
--packet-trace: Show all packets sent and received #显示所有发送和接收的数据包
--iflist: Print host interfaces and routes (for debugging) #打印主机接口和路由(用于调试)
--append-output: Append to rather than clobber specified output files #附加到而不是删除指定的输出文件(在文件末尾添加而不是删除内容后)
--resume <filename>: Resume an aborted scan #恢复已中断的扫描(通过文件)
--noninteractive: Disable runtime interactions via keyboard #通过键盘禁用运行时交互
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML #将XML输出转换为HTML的XSL样式表
--webxml: Reference stylesheet from Nmap.Org for more portable XML #来自Nmap的引用样式表。Org以获得更可移植的XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output #防止将XSL样式表与XML输出相关联
MISC: #杂项
-6: Enable IPv6 scanning #开启IPv6扫描
-A: Enable OS detection, version detection, script scanning, and traceroute #启用操作系统检测、版本检测、脚本扫描和traceroute功能
--datadir <dirname>: Specify custom Nmap data file location #指定自定义Nmap数据文件位置
--send-eth/--send-ip: Send using raw ethernet frames or IP packets #使用原始以太网帧或IP数据包发送
--privileged: Assume that the user is fully privileged #假设用户拥有完全的权限
--unprivileged: Assume the user lacks raw socket privileges #假设用户缺乏原始套接字特权
-V: Print version number #打印版本号
-h: Print this help summary page. #打印此帮助摘要
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
端口状态
- open(开放的):意味着目标机器上的应用程序正在该端口监听连接/报文。
- filtered(被过滤的) :意味着防火墙、过滤器或者其它网络障碍阻止了该端口被访问,Nmap无法得知它是open还是closed。
- closed(关闭的):端口没有应用程序在它上面监听,但是它们随时可能开放。
- unfiltered(未被过滤的):当端口对Nmap的探测做出响应,但是Nmap无法确定它们是关闭还是开放时,这些端口就被认为是unfiltered。
- open|filtered 和 closed|filtered :状态组合,即Nmap无法确定该端口处于两个状态中的哪一个状态。
除了端口表以外,Nmap还能提供关于目标机器的进一步信息,包括反向域名,操作系统猜测,设备类
型,和MAC地址。
示例
一个典型的Nmap扫描nmap官方提供的扫描路径
> nmap -A -T4 scanme.nmap.org playground
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-18 10:35 中国标准时间
Failed to resolve "playground".
Failed to resolve "playground".
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.21s latency).
Not shown: 986 closed tcp ports (reset)
# 端口相关
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
| 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_ 256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
|_http-favicon: Nmap Project
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1068/tcp filtered instl_bootc
1434/tcp filtered ms-sql-m
4444/tcp filtered krb524
5800/tcp filtered vnc-http
6667/tcp filtered irc
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
# 操作系统猜测
Aggressive OS guesses: Linux 4.19 - 5.15 (98%), Linux 4.15 (95%), IPFire 2.27 (Linux 5.15 - 6.1) (94%), Linux 5.4 (94%), Linux 3.11 - 4.9 (92%), Linux 3.2 - 3.8 (92%), Linux 5.0 - 5.14 (91%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (91%), Linux 2.6.32 (91%), Android TV OS 11 (Linux 4.19) (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# 路由信息跟踪
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.2.1 (192.168.2.1)
2 2.00 ms 192.168.1.1
3 8.00 ms 100.98.128.1
4 ... 17
18 210.00 ms scanme.nmap.org (45.33.32.156)
Failed to resolve "playground".
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.72 seconds
转载时请注明出处及相应链接。
本文永久链接: http://www.baigei.com/articles/nmap-explain