Concept

Nmap is used to probe networks from a remote machine, run security scans, audit networks and find open ports. It scans remote hosts that are online and reports their operating system, packet filtering and open ports.

Usage scenarios

Once the concrete usage scenarios are clear, it mainly comes down to mastering the following parameters. The examples below use 192.168.31.18 as the target machine.

1. Basic scan
root@sunjin:/home/sunjin# nmap 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:46 CST
Nmap scan report for 192.168.31.18
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3306/tcp open  mysql
8089/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Adding the -sV parameter yields the service version information:

root@sunjin:/home/sunjin# nmap -sV 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:48 CST
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 7.4 (protocol 2.0)
443/tcp  open  ssl/https
3306/tcp open  mysql     MySQL 5.7.32
8089/tcp open  unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
……

Adding the -sC parameter (run the default NSE scripts) yields more detailed service information:

root@sunjin:/home/sunjin# nmap -sC 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:50 CST
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey:
|   2048 8e:45:b1:49:8e:4b:80:a7:cc:f0:ba:6c:be:a1:97:a1 (RSA)
|   256 2d:13:df:d4:9e:87:50:e8:db:fe:1c:f4:8a:7e:4c:6c (ECDSA)
|_  256 16:54:fd:53:27:c6:61:4f:76:f9:85:79:97:2b:0c:c5 (ED25519)
443/tcp  open  https
| http-methods:
|_  Potentially risky methods: PUT PATCH DELETE
| http-title: \xE5\xB7\xA5\xE4\xB8\x9A\xE4\xBA\x92\xE8\x81\x94\xE7\xBD\x91\xE8\xAE\xA4\xE8\xAF\x81\xE7\xBD\x91\xE5\x85\xB3\xE7\xAE\xA1\xE7\x90\x86\xE7\xB3\xBB\xE7\xBB\x9F
|_Requested resource was /login.html
| ssl-cert: Subject: commonName=192.168.31.111/organizationName=demo/countryName=cn
| Not valid before: 2020-10-13T03:14:26
|_Not valid after:  2021-10-13T03:14:26
|_ssl-date: 2020-11-06T01:50:37+00:00; -4s from scanner time.
3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.7.32
|   Thread ID: 13
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, LongPassword, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, ConnectWithDatabase, Support41Auth, ODBCClient, SupportsCompression, FoundRows, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: 9B|\x7F \x04,[\x03^Y\x05\x0E]x\x14\x0C\x0C\x19v
|_  Auth Plugin Name: mysql_native_password
8089/tcp open  unknown

Host script results:
|_clock-skew: -4s
Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds

2. Vulnerability scanning

# Use nmap to run a series of credential and authentication checks against a host
nmap --script=auth [target IP]

root@sunjin:/home/sunjin# nmap --script=auth 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:57 CST
Nmap scan report for 192.168.31.18
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|     gssapi-keyex
|     gssapi-with-mic
|_    password
| ssh-publickey-acceptance:
|_  Accepted Public Keys: No public keys accepted
443/tcp  open  https
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2010-0738:
|_  /jmx-console/: Authentication was not required
3306/tcp open  mysql
8089/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds

# Use nmap to brute-force common services
nmap --script=brute [target IP]
You can see that quite a few passwords were cracked!

root@sunjin:/home/sunjin# nmap --script=brute 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:59 CST
Nmap scan report for 192.168.31.18
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_  ERROR: The service seems to have failed or is heavily firewalled...
443/tcp  open  https
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:
|_  Path "/" does not require authentication
|_http-joomla-brute: ERROR: Script execution failed (use -d to debug)
| http-wordpress-brute:
|   Accounts:
|     root:root - Valid credentials
|     netadmin:netadmin - Valid credentials
|     guest:guest - Valid credentials
|     user:user - Valid credentials
|     web:web - Valid credentials
|     sysadmin:sysadmin - Valid credentials
|     administrator:administrator - Valid credentials
|     webadmin:webadmin - Valid credentials
|     admin:admin - Valid credentials
|     test:test - Valid credentials
|_  Statistics: Performed 13 guesses in 1 seconds, average tps: 13.0
3306/tcp open  mysql
| mysql-brute:
|   Accounts:
|     root:123456 - Valid credentials
|_  Statistics: Performed 45012 guesses in 317 seconds, average tps: 191.2
| mysql-enum:
|   Valid usernames:
|     root:<empty> - Valid credentials
|     netadmin:<empty> - Valid credentials
|     guest:<empty> - Valid credentials
|     user:<empty> - Valid credentials
|     web:<empty> - Valid credentials
|     sysadmin:<empty> - Valid credentials
|     administrator:<empty> - Valid credentials
|     webadmin:<empty> - Valid credentials
|     admin:<empty> - Valid credentials
|     test:<empty> - Valid credentials
|_  Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
8089/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 317.33 seconds

# Use nmap to run a basic scan
nmap --script=default [target IP]
The result is about the same as the basic scan above (this is the same script set that -sC runs).

# Use nmap for information gathering
nmap --script=discovery [target IP]
This prints a large amount of service information, for example the TLS cipher suites on offer.

# Use nmap to carry out a denial-of-service attack
nmap --script=dos [target IP]
Not tested, as the target is a shared server.

# Use nmap to exploit known vulnerabilities against the system
nmap --script=exploit [target IP]
# Use nmap to gather information or attack with the help of third-party databases or resources
nmap --script=external [target IP]
Not tested, as the target is a shared server.

# Use nmap for fuzzing: send malformed packets to the target to uncover potential vulnerabilities
nmap --script=fuzzer [target IP]
# Use nmap for intrusive checks; scripts in this category may be logged or blocked by the target's IDS/IPS
nmap --script=intrusive [target IP]
Not tested, as the target is a shared server.

# Use nmap to check whether the target is infected with malware, has a backdoor open, and so on
nmap --script=malware [target IP]

root@sunjin:/home/sunjin# nmap --script=malware 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 13:50 CST
Nmap scan report for 192.168.31.18
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
3306/tcp open  mysql
8089/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

# Use nmap to run the safe checks against the system
nmap --script=safe [target IP]
The output is fairly long; try it yourself.

# Use nmap to check the target for common vulnerabilities
nmap --script=vuln [target IP]

root@sunjin:/home/sunjin# nmap --script=vuln 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 13:47 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
443/tcp  open  https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /login.html: Possible admin folder
|   /examples/: Sample scripts
|_  /docs/: Potentially interesting folder
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2010-0738:
|_  /jmx-console/: Authentication was not required
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3306/tcp open  mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8089/tcp open  unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 137.77 seconds
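The reports above are in nmap's normal output format, which is easy to read by eye but awkward to act on across many hosts. As an added example (not code from the original post), the Python below parses that format and flags the findings a defender should ticket first: valid credentials reported by the brute scripts, an admin interface that required no authentication, write-capable HTTP methods, and password authentication enabled on SSH. The sample report is constructed, and the rule set and labels are my own assumptions.

```python
import re

# Constructed sample in nmap's normal-output format (not captured from any real host).
SAMPLE = """\
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 7.4 (protocol 2.0)
| ssh-auth-methods:
|   Supported authentication methods:
|_    password
443/tcp  open  https
| http-methods:
|_  Potentially risky methods: PUT PATCH DELETE
| http-vuln-cve2010-0738:
|_  /jmx-console/: Authentication was not required
3306/tcp open  mysql     MySQL 5.7.32
| mysql-brute:
|   Accounts:
|_    root:123456 - Valid credentials
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):\s*(.*)$")  # "| name:" or "|_name: value" opens a script block
# Assumed triage rules: (script name, or None for any script; substring to look for; finding label)
RULES = [
    (None, "Valid credentials", "guessable or default credentials"),
    (None, "Authentication was not required", "unauthenticated admin interface"),
    ("http-methods", "Potentially risky methods", "write-capable HTTP methods exposed"),
    ("ssh-auth-methods", "password", "SSH password authentication enabled"),
]

def parse_nmap(text):
    """Return {port: {"state", "service", "version", "scripts": {name: [lines]}}}."""
    ports, cur, script = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):              # a row of the PORT/STATE/SERVICE table
            cur = ports[m[1]] = {"state": m[2], "service": m[3], "version": m[4] or "", "scripts": {}}
        elif cur and line.startswith("|"):
            if h := SCRIPT_RE.match(line):        # header of a new NSE script result
                script = cur["scripts"][h[1]] = [h[2]] if h[2] else []
            elif script is not None:              # indented line belongs to the current script
                script.append(line.lstrip("|_ ").strip())
    return ports

def triage(ports):
    """Flag open ports whose NSE output matches a rule: [(port, script, label)]."""
    return [(port, name, label)
            for port, info in ports.items() if info["state"] == "open"
            for name, lines in info["scripts"].items()
            for want, needle, label in RULES
            if want in (None, name) and needle in "\n".join(lines)]
```

Feed it the saved output of a real scan (nmap -oN) to get a list of ports and findings that can be turned straight into remediation tickets: rotate the guessed credentials, put authentication in front of the admin console, disable unused HTTP methods and switch SSH to key-only logins.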
