一、Nmap简介

nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。
正如大多数被用于网络安全的工具,nmap 也是不少黑客及骇客爱用的工具 。系统管理员可以利用nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用nmap来搜集目标电脑的网络设定,从而计划攻击的方法。
Nmap 以隐秘的手法,避开闯入检测系统的监视,并尽可能不影响目标系统的日常操作。  --(来自百度)
环境介绍:
我将用两个不同的部分来涵盖大部分NMAP的使用方法,这是nmap关键的第一部分。在下面的设置中,我使用两台已关闭防火墙的服务器来测试Nmap命令的工作情况。
  • 192.168.0.100 – server1.tecmint.com
  • 192.168.0.101 – server2.tecmint.com

Nmap语法:

nmap [Scan Type(s)] [Options] {target specification}

二、Nmap常用操作

1:批量ping扫描

[root@localhost ~]# nmap -sP 192.168.1.0/24Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for192.168.1.1Host is up (0.0043s latency).
Nmap scan reportfor 192.168.1.2Host is up (0.0040s latency).
Nmap scan reportfor 192.168.1.3Host is up (0.0036s latency).
Nmap scan reportfor 192.168.1.4Host is up (0.0042s latency).
Nmap scan reportfor 192.168.1.5

2:仅列出指定网络上的每台主机,不发送任何报文到目标主机(隐蔽探测)

[root@localhost ~]# nmap -sL 192.168.1.0/24Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST
Nmap scan report for 192.168.1.0Nmap scan reportfor 192.168.1.1Nmap scan reportfor 192.168.1.2Nmap scan reportfor 192.168.1.3

3:探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)

[root@localhost ~]# nmap -PS 220.181.111.188Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST
Nmap scan report for 220.181.111.188Host is up (0.0043s latency).
Not shown:998filtered ports
PORT    STATE SERVICE80/tcp  open  http443/tcp open  httpsNmapdone: 1 IP address (1 host up) scanned in 4.06 seconds

4:使用UDP ping探测主机

[root@localhost ~]# nmap -PU 192.168.1.1[root@localhost~]# nmap -PU 192.168.1.0/24

5:使用SYN半开放扫描

[root@localhost ~]# nmap -sS 220.181.111.188[root@localhost~]# nmap -sS 220.181.111.0/24Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST
Nmap scan report for 220.181.111.188Host is up (0.0048s latency).
Not shown:998filtered ports
PORT    STATE SERVICE80/tcp  open  http443/tcp open  httpsNmapdone: 1 IP address (1 host up) scanned in 4.56 seconds

6:使用TCP扫描

[root@localhost ~]# nmap -sT 220.181.111.188[root@localhost~]# nmap -sT 220.181.111.0/24Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST
Nmap scan report for 220.181.111.188Host is up (0.0044s latency).
Not shown:998filtered ports
PORT    STATE SERVICE80/tcp  open  http443/tcp open  httpsNmapdone: 1 IP address (1 host up) scanned in 4.24 seconds

7:使用UDP扫描

[root@localhost ~]# nmap -sU 220.181.111.188[root@localhost~]# nmap -sU 220.181.111.0/24Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST
Nmap scan report for 220.181.111.188Host is up (0.0039s latency).
Not shown:999 open|filtered ports
PORT    STATE    SERVICE161/udp filtered snmpNmapdone: 1 IP address (1 host up) scanned in 4.05 seconds

8:探测目标主机支持哪些IP协议

[root@localhost ~]# nmap -sO 220.181.111.188Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST
Nmap scan report for 220.181.111.188Host is up (0.0054s latency).
Not shown:255 open|filtered protocols
PROTOCOL STATE SERVICE1open  icmpNmapdone: 1 IP address (1 host up) scanned in 2.73 seconds

9:探测目标主机操作系统

[root@localhost ~]# nmap -O 220.181.111.188[root@localhost~]# nmap -A 220.181.111.188Starting Nmap6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST
Nmap scan report for 220.181.111.188Host is up (0.0050s latency).
Not shown:998filtered ports
PORT    STATE SERVICE80/tcp  open  http443/tcp open  https
Warning: OSScan results may be unreliable because we could notfind at least 1 open and 1closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matchesfor host (test conditions non-ideal).OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds

10:用主机名和IP地址扫描系统

Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。

a)用主机名扫描系统

[root@server1 ~]# nmap server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.415seconds
You have new mailin /var/spool/mail/root

b)用IP地址扫描系统

[root@server1 ~]# nmap 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind958/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.465seconds
You have new mailin /var/spool/mail/root

11:扫描时使用-v选项

可以看到下面的命令使用“ -“选项后给出了远程机器更详细的信息。

[root@server1 ~]# nmap -v server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43The ARP Ping Scan took0.01s to scan 1total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43Discovered open port22/tcp on 192.168.0.101Discovered open port80/tcp on 192.168.0.101Discovered open port8888/tcp on 192.168.0.101Discovered open port111/tcp on 192.168.0.101Discovered open port3306/tcp on 192.168.0.101Discovered open port957/tcp on 192.168.0.101The SYN Stealth Scan took0.30s to scan 1680total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.485seconds

12:扫描多台主机

简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:3 IP addresses (1 host up) scanned in 0.580 seconds

13:扫描整个子网

使用*通配符来扫描整个子网或某个范围的IP地址。

[root@server1 ~]# nmap 192.168.0.*Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown:1677closed ports
PORT    STATE SERVICE22/tcp  open  ssh
111/tcp open  rpcbind851/tcp open  unknownInteresting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:256 IP addresses (2 hosts up) scanned in 5.550 seconds

14:使用IP地址的最后一个字节扫描多台服务器

简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。

[root@server1 ~]# nmap 192.168.0.101,102,103Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:3 IP addresses (1 host up) scanned in 0.552 seconds

15:从一个文件中扫描主机列表

如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。

创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。

[root@server1 ~]# cat >nmaptest.txt
localhost
server2.tecmint.com192.168.0.101

接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址

[root@server1 ~]# nmap -iL nmaptest.txt
Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown:1675closed ports
PORT    STATE SERVICE22/tcp  open  ssh
25/tcp  open  smtp111/tcp open  rpcbind631/tcp open  ipp857/tcp open  unknownInteresting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind958/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind958/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:3 IP addresses (3 hosts up) scanned in 2.047 seconds

16:扫描一个IP地址范围

扫描一个IP地址范围

[root@server1 ~]# nmap 192.168.0.101-110Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:10 IP addresses (1 host up) scanned in 0.542 seconds

17:排除一些远程主机后再扫描

在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:255 IP addresses (1 host up) scanned in 5.313 seconds

18:扫描操作系统信息和路由跟踪

使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。

[root@server1 ~]# nmap -A 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE VERSION22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)80/tcp   open  http    Apache httpd 2.2.3((CentOS))111/tcp  open  rpcbind  2 (rpc #100000)957/tcp  open  status   1 (rpc #100024)3306/tcp open  mysql   MySQL (unauthorized)8888/tcp open  http    lighttpd 1.4.32MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matchesfor host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime0.169 days (since Mon Nov 11 12:22:15 2013)Nmap finished:1 IP address (1 host up) scanned in 22.271 seconds

从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。

19:启用Nmap的操作系统探测功能

使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。

[root@server1 ~]# nmap -O server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matchesfor host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS
R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime0.221 days (since Mon Nov 11 12:22:16 2013)Nmap finished:1 IP address (1 host up) scanned in 11.064 seconds

20:扫描主机并侦测防火墙

扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

[root@server1 ~]# nmap -sA 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.382 seconds

21:扫描主机检测是否有防火墙保护

扫描主机检测其是否受到数据包过滤软件或防火墙的保护。

[root@server1 ~]# nmap -PN 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.399 seconds

22:找出网络中的在线主机

使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。

[root@server1 ~]# nmap -sP 192.168.0.*Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:256 IP addresses (2 hosts up) scanned in 5.109 seconds

23:执行快速扫面

你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。

[root@server1 ~]# nmap -F 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1234closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.322 seconds

24:顺序扫描端口

使用“-r”选项表示不会随机的选择端口扫描。

[root@server1 ~]# nmap -r 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.363 seconds

25:打印主机接口和路由

你可以使用nmap的“–iflist”选项检测主机接口和路由信息。

[root@server1 ~]# nmap --iflistStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
************************INTERFACES************************DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)127.0.0.1/8loopback up
eth0 (eth0)192.168.0.100/24 ethernet up 08:00:27:11:C7:89**************************ROUTES**************************DST/MASK      DEV  GATEWAY192.168.0.0/0eth0169.254.0.0/0 eth0

从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。

26:扫描特定的端口

使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。

[root@server1 ~]# nmap -p 80server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE80/tcp open  http
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) sca

26:扫描TCP端口

指定具体的端口类型和端口号来让nmap扫描。

[root@server1 ~]# nmap -p T:8888,80server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE80/tcp   open  http8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.157 seconds

27:扫描UDP端口

[root@server1 ~]# nmap -sU 53server2.tecmint.comStarting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE53/udp   open  http8888/udp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.157 seconds

28:扫描多个端口

使用选项“-P”来扫描多个端口。

[root@server1 ~]# nmap -p 80,443 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT    STATE  SERVICE80/tcp  open   http443/tcp closed https
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.190 seconds

29:扫描多个端口

使用表达式来扫描某个范围内的端口。

[root@server1 ~]#  nmap -p 80-160 192.168.0.101

30:查找主机服务版本号

[root@server1 ~]# nmap -sV 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE VERSION22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)80/tcp   open  http    Apache httpd 2.2.3((CentOS))111/tcp  open  rpcbind  2 (rpc #100000)957/tcp  open  status   1 (rpc #100024)3306/tcp open  mysql   MySQL (unauthorized)8888/tcp open  http    lighttpd 1.4.32MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 12.624 seconds

31:使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机

有时候包过滤防火墙会阻断标准ICMP ping请求,在这种情况下,我们可以使用TCP ACKTCP Syn方法来扫描远程主机。

[root@server1 ~]# nmap -PS 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.360 seconds

32:使用TCP ACK扫描远程主机上特定的端口

[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE22/tcp open  ssh
80/tcp open  http
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.166 seconds

33:使用TCP Syn扫描远程主机上特定的端口

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE22/tcp open  ssh
80/tcp open  http
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.165 seconds

34:执行一次隐蔽的扫描

[root@server1 ~]# nmap -sS 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE SERVICE22/tcp   open  ssh
80/tcp   open  http111/tcp  open  rpcbind957/tcp  open  unknown3306/tcp open  mysql8888/tcp open  sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 0.383 seconds

35:执行TCP空扫描规避防火墙

[root@server1 ~]# nmap -sN 192.168.0.101Starting Nmap4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:1674closed ports
PORT     STATE         SERVICE22/tcp   open|filtered ssh
80/tcp   open|filtered http111/tcp  open|filtered rpcbind957/tcp  open|filtered unknown3306/tcp open|filtered mysql8888/tcp open|filtered sun-answerbook
MAC Address:08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished:1 IP address (1 host up) scanned in 1.584 seconds

参考文献:http://www.cnblogs.com/hongfei

参考文献:https://baike.baidu.com/item/nmap/1400075?fr=aladdin

转载于:https://www.cnblogs.com/LyShark/p/9133292.html

Nmap命令的常用实例相关推荐

  1. Docker 命令以及常用实例汇总

    1.容器生命周期管理 (1)docker run 命令说明     创建一个新的容器并运行一个命令 语法      docker run [OPTIONS] IMAGE [COMMAND] [ARG- ...

  2. Nmap命令详解及常用命令总结

    Nmap学习 文章目录 Nmap学习 0 Nmap 介绍 1 Nmap命令详解 1.1 Nmap 命令help详解(内附中文翻译) 1.2 Nmap 命令思维导图 2 Nmap 常见使用场景以及相关命 ...

  3. Kubernetes 常用命令及应用实例

    ###一. 常用命令### Kubernetes是一个开源的,用于管理云平台中多个主机上的容器化的应用,Kubernetes的目标是让部署容器化的应用简单并且高效(powerful),Kubernet ...

  4. Xshell常用命令大全(附常用实例)

    Xshell常用命令大全 Xshell常用命令 cd-更改目录 cp-复制文件 cat-显示文件内容 diff-比较文件内容 find-查找文件 grep-搜索文件内容 head-查看文件的名字和后缀 ...

  5. Vue学习(常用实例、脚手架搭建)-学习笔记

    文章目录 Vue学习(常用实例.脚手架搭建)-学习笔记 实例1 法1 法2 实例2 脚手架搭建 vue-cli2.0 vue-cli4.0 Vue学习(常用实例.脚手架搭建)-学习笔记 附加:阿里巴巴 ...

  6. traceroute命令的用法实例

    ceroute命令的用法实例 traceroute 跟踪数据包到达网络主机所经过的路由工具: traceroute 是用来发出数据包的主机到目标主机之间所经过的网关的工具.traceroute 的原理 ...

  7. 渗透测试之Nmap命令(一)

    1.介绍 相信很多朋友在这之前已经对nmap有所了解,或者已经使用过nmap了,这里做一下简单的介绍.nmap(Network Mapper)最初由Gordon Fyodor Lyon于1997年创建 ...

  8. mtr和nmap命令

    mtr mtr是一个网络连通性判断工具,它可以结合ping nslookup tracert 来判断网络的相关特性. [root@10.10.90.97 ~]# mtr -h usage: mtr [ ...

  9. linux查cpu命令4可以选择哪些运动,Linux 查看cpu 信息的命令及简单实例

    Linux 查看cpu 信息的命令及简单实例 有的时候领导会问你某个服务器是多少核的,多少线程的,是不是会懵了,下面教你怎么看cpuinfo 1.查看cpu个数: # cat /proc/cpuinf ...

最新文章

  1. spring boot 服务 正确关闭方式
  2. 程序员发现 Bug 的时候是怎样一种心境?
  3. Struts2.x中获取request,response,session的方式
  4. nodejs+html转换pdf,Nodejs 中将html转换成pdf文件
  5. Python实战从入门到精通第十八讲——改变对象的字符串显示
  6. ES6——函数的name属性
  7. 30 位 90 后霸榜福布斯,有颜、有才、有头脑!
  8. 用java网络编程中的TCP方式上传文本文件及出现的小问题
  9. bootstrap带图标的按钮与图标做连接
  10. 《团队-团队编程项目作业名称-最终程序》
  11. xmind8 安装方法(old)
  12. 关于table表格头部固定和列固定的方式
  13. 微信小程序——云开发|计费方式调整大家怎么看?
  14. zabbix 自动发现/自定义宏
  15. 线性变换的矩阵表示式
  16. 其他品牌的触控笔能用在ipad上?性价比高的触控笔合集
  17. 隐藏IDEA的行首的黄色小灯泡
  18. Your PHP version does not satisfy that requirement
  19. 北京 怀揣理想的地方!
  20. 网易云音乐(netease-cloud-music)无法通过图标打开,只能用命令行开启

热门文章

  1. 02-c#基础之01-基础语法(一)
  2. jQuery datepicker和jQuery validator 共用时bug
  3. ubuntu-14.04.2-desktop使用方法
  4. Canvas createImageData
  5. IE通过推理IE陈述的版本号
  6. 【百度地图API】如何制作一张魔兽地图!!——CS地图也可以,哈哈哈
  7. IOS开发(104)之程序执行状态更改
  8. SqlServerDBHelper类
  9. PHP foreach 小结
  10. 基于微信小程序开发的仿微信demo