关于nmap的几个技巧
Nmap (“Network Mapper(网络映射器)”) 是一款开放源代码的 网络探测和安全审核的 工具。它的设计目标是快速地扫描大型网络,当然用它扫描单个 主机也没有问题 。Nmap以新颖的方式使用原始IP报文来发现网络上有哪些主机,那些 主机提供什么服务(应用程序名和版本),那些服务运行在什么操作系统(包括版本信息), 它们使用什 么类型的报文过滤器/防火墙,以及一堆其它功能。虽然Nmap通常用于安全审核, 许 多系统管理员和网络管理员也用它来做一些日常的工作,比如查看整个网络的信息, 管理服务升级计划,以及监视主机和服务的运行。
这里举几个例子,分享一下神奇的技巧
[root@localhost ~]# nmap -v www.XXXX.com -----------------------------> 探测目标主机所有的保留TCP端口
[root@localhost ~]# nmap -sS -O 192.168.254.152 ------------------查看目标主机的系统
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-13 15:23 CST
Nmap scan report for 192.168.254.152
Host is up (0.00069s latency).
Not shown: 992 closed ports
………………………………………………
Running: Microsoft Windows Vista
OS CPE: cpe:/o:microsoft:windows_vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop
nmap -PT 使用TCP的ping方式进行扫描,可以获取当前已经启动的所有计算机。
[root@kissing ~]# nmap -PT 192.168.0.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 22:59 CST
Interesting ports on 192.168.0.1:
Not shown: 1679 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 1C:AF:F7:89:48:70 (Unknown)
Interesting ports on 192.168.0.100:
Not shown: 1675 filtered ports
PORT STATE SERVICE
21/tcp open ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
6001/tcp closed X11:1
6002/tcp closed X11:2
MAC Address: C4:46:19:39:9D:E7 (Unknown)
All 1680 scanned ports on 192.168.0.101 are closed
MAC Address: E8:99:C4:08:B0:EE (Unknown)
Interesting ports on 192.168.0.102:
Not shown: 1677 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:23:5A:BA:9F:51 (Unknown)
All 1680 scanned ports on 192.168.0.104 are closed
MAC Address: 38:AA:3C:2F:34:18 (Unknown)
Interesting ports on 192.168.0.144:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1022/tcp open unknown
Nmap finished: 256 IP addresses (6 hosts up) scanned in 41.821 seconds
---------------------------------------------
nmap -sP 192.168.x.0/24 扫描本网段中所有up的主机
[root@kissing ~]# nmap -sP 192.168.0.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 22:57 CST
Host 192.168.0.1 appears to be up.
MAC Address: 1C:AF:F7:89:48:70 (Unknown)
Host 192.168.0.101 appears to be up.
MAC Address: E8:99:C4:08:B0:EE (Unknown)
Host 192.168.0.102 appears to be up.
MAC Address: 00:23:5A:BA:9F:51 (Unknown)
Host 192.168.0.104 appears to be up.
MAC Address: 38:AA:3C:2F:34:18 (Unknown)
Host 192.168.0.144 appears to be up.
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.161 seconds
-----------------------------------------------
nmap -O 192.168.x.x 扫描主机的操作系统,只有root才可以使用O这个参数
-------------------------------------------
nmap -A 192.168.x.x 扫描主机的操作系统,不需要root权限
[root@kissing ~]# nmap -A 192.168.0.102
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 23:01 CST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.0.102:
Not shown: 1677 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
MAC Address: 00:23:5A:BA:9F:51 (Unknown)
No OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=9/18%Tm=5239C07A%O=135%C=-1%M=00235A)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Uptime 0.157 days (since Wed Sep 18 19:16:50 2013)
Service Info: OS: Windows
Nmap finished: 1 IP address (1 host up) scanned in 42.652 seconds
常用选项:
-v:表示显示冗余(verbosity)信息,在扫描过程中显示扫描的细节
-A:激烈扫描模式,包括打开操作系统探测、版本探测、脚本扫描、路径跟踪
-T:设置时间模板,总有6个级别(0-5),级别越高,扫描速度越快
-sT:TCP扫描
-sU:UDP扫描
-Pn:将所有指定的主机视作开启的,跳过主机发现的过程
更多选项请参考nmap中文参考手册:http://nmap.org/man/zh/index.html