Nmap study notes (to be continued)

  • Disclaimer
  • Study content
    • I. Port scanning
    • II. Service fingerprinting
    • III. LAN discovery
  • Reference

Disclaimer

Do not use any of this for illegal activity. Scan only hosts you own or have written permission to test; scanme.nmap.org is provided by the Nmap project for exactly this kind of practice.

Study content

I. Port scanning

  1. Principle

A port scan sends a probe to each port and classifies the port from the reply. For TCP, a SYN answered with SYN/ACK means the port is open, a RST means it is closed, and no reply at all means something in between (a firewall, or the host itself) is dropping the probe, so the port is reported as filtered. When Nmap has raw-socket privileges it uses a SYN scan (-sS, never completing the handshake); otherwise it falls back to a full connect() scan (-sT). Without -p it scans the 1000 most common ports.

  2. Regular scan

nmap scanme.nmap.org

  3. Skip host discovery (-Pn)
nmap -Pn scanme.nmap.org
By default Nmap first checks that the target is up (as a privileged user: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request) and only port-scans hosts that answer. -Pn skips that step and treats every target as online, which is what you need when a firewall silently drops the ping probes. It has nothing to do with DNS: to use a specific resolver pass --dns-servers <server>, and -n turns reverse lookups off entirely (see the HOST DISCOVERY block of the help text below).

  4. Set the port range
nmap.exe -p 1-1000 scanme.nmap.org
-p accepts single ports, ranges and protocol-qualified lists (for example -p U:53,T:21-25,80); -p- means all 65535 ports.


  5. Port states

Nmap reports each port in one of six states: open (an application is accepting connections), closed (reachable, but nothing is listening: the host answered with RST), filtered (no answer, so a firewall or other filter is probably dropping the probe), unfiltered (reachable, but Nmap cannot tell open from closed; only the ACK scan produces this), and the combined states open|filtered and closed|filtered for scan types that cannot distinguish the two. Add --reason to see which packet led to each verdict.
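To make the principle and the port states concrete, here is an added example (mine, not code from the original post or from the Nmap project) of a minimal TCP connect() scanner in Python, the unprivileged counterpart of `nmap -sT -p <range>`. It starts a throwaway listener on 127.0.0.1 so the scan has a guaranteed open port to find; the listener, the loopback target and the small port window around it are assumptions made for the demo. A full handshake maps directly onto Nmap's vocabulary: connect() succeeding means open, ECONNREFUSED (a RST came back) means closed, a timeout means filtered.

```python
"""Minimal TCP connect() scanner: the unprivileged equivalent of `nmap -sT -p <range>`."""
import socket
from concurrent.futures import ThreadPoolExecutor


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Complete a TCP handshake with host:port and translate the outcome into Nmap's states.

    open     - connect() succeeded: the target answered our SYN with SYN/ACK
    closed   - ECONNREFUSED: the target answered with RST, nothing is listening
    filtered - no answer before the timeout (or no route): a firewall is probably dropping the probe
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:       # must come before OSError, it is a subclass of it
            return "closed"
        except OSError:                      # socket.timeout / TimeoutError / unreachable network
            return "filtered"


def connect_scan(host: str, ports, workers: int = 32, timeout: float = 1.0) -> dict:
    """Scan `ports` on `host` in parallel and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: classify_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def scan_with_listener(window: int = 5, timeout: float = 0.5):
    """Demo harness (assumption: loopback is reachable): open one listening socket on 127.0.0.1,
    scan the ports around it like `nmap -p <lo>-<hi> 127.0.0.1`, and return (listener_port, {port: state})."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))               # port 0: let the OS pick a free port
    srv.listen(8)
    listener_port = srv.getsockname()[1]
    try:
        ports = list(range(max(1, listener_port - window), listener_port + window + 1))
        return listener_port, connect_scan("127.0.0.1", ports, timeout=timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    listener_port, results = scan_with_listener()
    print(f"listener on 127.0.0.1:{listener_port}")
    for port, state in sorted(results.items()):
        if state != "closed":                # like `--open`: closed ports are usually just noise
            print(f"{port}/tcp\t{state}")
```

A connect() scan completes the handshake, so every open port sees a real connection (and logs it); that is why Nmap prefers the half-open SYN scan when it can send raw packets.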

  6. View the help
nmap -h
E:\Program Files (x86)\Nmap>nmap -h
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

II. Service fingerprinting

  1. Service information (-sV)
-sV connects to every open port, reads whatever banner the service volunteers, sends protocol-specific probes if it stays silent, and matches the responses against the signatures in nmap-service-probes. The VERSION column below is the result; "tcpwrapped" means the TCP handshake completed but the service closed the connection without sending anything.
nmap -sV scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.34s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     ssl/http       Apache/2.4.7 (Ubuntu)
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.27 seconds
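What -sV does under the hood, as an added example that is not part of the original post or of Nmap itself: banner grabbing plus a tiny signature table in Python. The two fake daemons on 127.0.0.1 (one that announces itself like sshd, one that waits for a request like Apache), the GET probe string and the three-entry SIGNATURES table are all constructed for the demo; their banner strings are copied from the scan output above. Like Nmap's NULL probe followed by GetRequest, the client first just listens, and only sends a request if the server stays silent.

```python
"""Banner grabbing with a tiny signature table: the idea behind `nmap -sV`, in miniature."""
import re
import socket
import threading

# Stand-in for nmap-service-probes: (service, regex with product/version groups).
# Constructed for this demo; Nmap's real file has thousands of match lines.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>\S+)")),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: (?P<product>[^/\r\n]+)/(?P<version>\S+)", re.S)),
    ("ftp", re.compile(rb"^220[ -].*?(?P<product>vsFTPd|ProFTPD) (?P<version>[\d.]+)")),
]
GET_REQUEST = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"   # roughly Nmap's GetRequest probe
NULL_PROBE_WAIT = 0.5                                        # seconds to wait for a server that talks first


def fingerprint(banner: bytes) -> dict:
    """Match a banner against SIGNATURES; returns the service plus any product/version captured."""
    for service, rx in SIGNATURES:
        m = rx.search(banner)
        if m:
            result = {"service": service}
            result.update({k: v.decode(errors="replace") for k, v in m.groupdict().items() if v})
            return result
    return {"service": "unknown"}


def _read_available(s: socket.socket, timeout: float) -> bytes:
    """Read until EOF, 4 KiB, or `timeout` seconds of silence."""
    s.settimeout(timeout)
    chunks, total = [], 0
    try:
        while total < 4096:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except (socket.timeout, TimeoutError):
        pass
    return b"".join(chunks)


def grab_banner(host: str, port: int) -> bytes:
    """NULL probe first (SSH/FTP/SMTP announce themselves), then a GET if the server stayed silent."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = _read_available(s, NULL_PROBE_WAIT)
        if not banner:
            s.sendall(GET_REQUEST)
            banner = _read_available(s, NULL_PROBE_WAIT)
    return banner


def fake_service(response: bytes, talks_first: bool) -> int:
    """Demo stand-in for a real daemon on 127.0.0.1 (assumption: loopback works). Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)

    def serve_one():
        try:
            conn, _ = srv.accept()
            with conn:
                if not talks_first:          # an HTTP server waits for the request line
                    conn.settimeout(5)
                    conn.recv(1024)
                conn.sendall(response)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> dict:
    """Fingerprint two constructed services whose banners mimic the scanme.nmap.org results."""
    targets = {
        "ssh": fake_service(b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n", talks_first=True),
        "http": fake_service(b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
                             talks_first=False),
    }
    return {name: fingerprint(grab_banner("127.0.0.1", port)) for name, port in targets.items()}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The version string is whatever the daemon chooses to send, so treat it as a hint rather than proof: a patched distribution package (the "2ubuntu2.13" above) can still report the upstream version, and a banner can be edited or removed entirely.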
  2. Aggressive scan (-A)

-A is the "aggressive" bundle: OS detection (-O), version detection (-sV), the default script set (-sC) and --traceroute in one flag
-v prints progress while the scan runs (-vv for more)
-T4 selects timing template 4 on the 0-5 scale; higher is faster and noisier, and T4 assumes a fast, reliable network

E:\Program Files (x86)\Nmap>nmap.exe -A -v -T4 scanme.nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 19:07 China Standard Time
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating NSE at 19:07
Completed NSE at 19:07, 0.00s elapsed
Initiating Ping Scan at 19:07
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 19:07, 0.86s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:07
Completed Parallel DNS resolution of 1 host. at 19:07, 0.01s elapsed
Initiating SYN Stealth Scan at 19:07
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
Discovered open port 31337/tcp on 45.33.32.156
Completed SYN Stealth Scan at 19:08, 39.60s elapsed (1000 total ports)
Initiating Service scan at 19:08
Scanning 4 services on scanme.nmap.org (45.33.32.156)
Completed Service scan at 19:08, 6.63s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (45.33.32.156)
Retrying OS detection (try #2) against scanme.nmap.org (45.33.32.156)
Initiating Traceroute at 19:08
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 19:08 (0:00:00 remaining)
Completed Traceroute at 19:08, 3.55s elapsed
Initiating Parallel DNS resolution of 20 hosts. at 19:09
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 78.95% done; ETC: 19:09 (0:00:01 remaining)
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 94.74% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:00 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Parallel DNS resolution of 20 hosts. Timing: About 94.74% done; ETC: 19:09 (0:00:00 remaining)
Completed Parallel DNS resolution of 20 hosts. at 19:09, 2.83s elapsed
NSE: Script scanning 45.33.32.156.
Initiating NSE at 19:09
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 15 (15 waiting)
NSE Timing: About 97.21% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:02 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 14 (8 waiting)
NSE Timing: About 97.39% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 11 (7 waiting)
NSE Timing: About 97.95% done; ETC: 19:09 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 6 (5 waiting)
NSE Timing: About 98.88% done; ETC: 19:09 (0:00:00 remaining)
Completed NSE at 19:09, 8.99s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 1.26s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open     http           Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 156515DA3C0F7DC6B2493BD5CE43F795
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (88%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), Linux 3.10 - 4.11 (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Asus RT-AC66U router (Linux 2.6) (86%), Asus RT-N16 WAP (Linux 2.6) (86%), Asus RT-N66U WAP (Linux 2.6) (86%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 37.909 days (since Fri Mar 25 21:21:08 2022)
Network Distance: 24 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   ...
2   26.00 ms  10.255.252.21
3   33.00 ms  36.152.112.45
4   4.00 ms   181.4.65.223.static.js.chinamobile.com (223.65.4.181)
5   ... 6
7   71.00 ms  112.2.73.49
8   79.00 ms  183.207.204.89
9   96.00 ms  from-NJ-PK-1.js.chinamobile.com (183.207.26.134)
10  126.00 ms 121.55.207.183.static.js.chinamobile.com (183.207.55.121)
11  17.00 ms  111.24.6.93
12  173.00 ms 221.183.107.50
13  53.00 ms  111.24.5.174
14  69.00 ms  221.176.22.158
15  ... 16
17  227.00 ms 223.120.13.221
18  242.00 ms 223.120.6.70
19  196.00 ms 223.120.6.218
20  306.00 ms te0-10-0-6-4.ccr41.lax05.atlas.cogentco.com (38.104.85.161)
21  311.00 ms be3243.ccr41.lax01.atlas.cogentco.com (154.54.27.117)
22  312.00 ms be3176.ccr21.sjc01.atlas.cogentco.com (154.54.31.190)
23  322.00 ms be2095.rcr21.b001848-1.sjc01.atlas.cogentco.com (154.54.3.138)
24  233.00 ms scanme.nmap.org (45.33.32.156)

NSE: Script Post-scanning.
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Initiating NSE at 19:09
Completed NSE at 19:09, 0.00s elapsed
Read data files from: E:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.35 seconds
           Raw packets sent: 1189 (54.504KB) | Rcvd: 1082 (45.561KB)

Use nmap -sC -sV -O <IP address> to learn the target's operating system, running services and more in one pass. -sC runs the default NSE script set (equivalent to --script=default), -sV probes each open port for service and version information, and -O enables OS detection. The options are case-sensitive: -sc, -sv and -o are not the same flags. -O (like the default SYN scan) needs raw-socket privileges, so run as root on Linux or from an Administrator prompt on Windows with Npcap installed.

nmap.exe -sC -sV -O scanme.nmap.org
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.22s latency).
Not shown: 989 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
|   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|   256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
|_  256 33:fa:91:0f:e0:e1:7b:1f:6d:05:a2:b0:f1:54:41:56 (ED25519)
80/tcp    open     http           Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
3389/tcp  filtered ms-wbt-server
4444/tcp  filtered krb524
4899/tcp  filtered radmin
9929/tcp  open     nping-echo     Nping echo
31337/tcp open     tcpwrapped
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (89%), Linux 3.10 - 4.11 (89%), Linux 4.4 (88%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), Asus RT-AC66U router (Linux 2.6) (87%), Linux 3.10 (87%), Linux 3.2 - 3.8 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 26 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.38 seconds

III. LAN discovery

  1. Host discovery

nmap.exe -sP 192.168.137.1/24
-sP is the older name for -sn (ping scan only, no port scan); Nmap 7.80 still accepts it. On a directly attached Ethernet segment Nmap discovers hosts with ARP requests rather than ICMP, so machines that drop ping still show up, and the MAC address is printed next to each one ("Unknown" means the OUI prefix is not in Nmap's vendor table). 192.168.137.1 is the scanning machine's own address, which is why it is listed without latency or MAC.
E:\Program Files (x86)\Nmap>nmap.exe -sP 192.168.137.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-02 19:37 China Standard Time
Nmap scan report for 192.168.137.200
Host is up (0.0020s latency).
MAC Address: 9C:28:F7:9B:AF:E4 (Unknown)
Nmap scan report for 192.168.137.1
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 297.31 seconds
  2. Host probing (-sn)
E:\Program Files (x86)\Nmap>nmap -h | findstr "sn"
  -sn: Ping Scan - disable port scan
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  3. Result output

Nmap writes results to disk with -oN (normal), -oX (XML), -oG (grepable) or -oA <basename> for all three at once; the XML form is the one to script against, grepable is enough for a quick findstr/awk pass. See the OUTPUT block of the help text above.
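Nmap's normal text output changes between versions, so anything automated should read the -oX XML instead. As an added example that is not part of the original post or of the Nmap project, here is a small Python parser over a constructed XML fragment that mimics what -oX writes for the scanme.nmap.org results above and the two LAN addresses from the -sP run; the XML text itself, the extra down host 192.168.137.201 and the port entries on the LAN host are invented for the demo, and the helper names are mine.

```python
"""Parse Nmap -oX output into plain Python structures and answer the usual questions about it."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX scan.xml ...`; values mirror the scans above,
# the host 192.168.137.201 and the LAN port entry are invented for the demo.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml scanme.nmap.org 192.168.137.0/24" version="7.80">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="45.33.32.156" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.nmap.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="6.6.1p1 Ubuntu 2ubuntu2.13" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.7" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="135"><state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/>
        <service name="tcpwrapped" method="probed" conf="8"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.137.200" addrtype="ipv4"/>
    <address addr="9C:28:F7:9B:AF:E4" addrtype="mac"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="22"><state state="closed" reason="reset"/>
      <service name="ssh" method="table" conf="3"/></port></ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.137.201" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per <host>: ip, mac, hostname, status and a list of port dicts.
    Scan files you did not produce yourself are untrusted input; parse those with defusedxml."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        hn = h.find("hostnames/hostname")
        host = {
            "ip": addrs.get("ipv4") or addrs.get("ipv6"),
            "mac": addrs.get("mac"),
            "hostname": hn.get("name") if hn is not None else None,
            "status": h.find("status").get("state"),
            "ports": [],
        }
        for p in h.findall("ports/port"):
            st, sv = p.find("state"), p.find("service")
            host["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": st.get("state"),
                "reason": st.get("reason"),          # what --reason prints in text mode
                "service": sv.get("name") if sv is not None else None,
                "product": sv.get("product") if sv is not None else None,
                "version": sv.get("version") if sv is not None else None,
            })
        hosts.append(host)
    return hosts


def live_hosts(hosts: list) -> list:
    """(ip, mac) for every host Nmap considered up; the -sn/-sP use case."""
    return [(h["ip"], h["mac"]) for h in hosts if h["status"] == "up"]


def open_ports(hosts: list) -> dict:
    """{ip: [port, ...]} of open ports on live hosts, the equivalent of reading with --open."""
    return {h["ip"]: [p["port"] for p in h["ports"] if p["state"] == "open"]
            for h in hosts if h["status"] == "up"}


def grep_product(hosts: list, needle: str) -> list:
    """(ip, port, product, version) for every service whose product name contains `needle`."""
    needle = needle.lower()
    return [(h["ip"], p["port"], p["product"], p["version"])
            for h in hosts for p in h["ports"]
            if p["product"] and needle in p["product"].lower()]


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print("live:", live_hosts(hosts))
    print("open:", open_ports(hosts))
    print("apache:", grep_product(hosts, "apache"))
```

To feed it a real file, replace SAMPLE_XML with open("scan.xml").read(); the element and attribute names used here (host, status, address, hostnames/hostname, ports/port, state, service) are the ones Nmap's XML DTD defines.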

Reference

Hacker tools: using Nmap (黑客工具—Nmap的使用)

