官網:
https://nmap.org/
文檔:
Nmap(Network MApper,網絡映射器)是一款開放源代碼的網絡探測和安全審核工具,被用來快速掃描大型網絡,包括主機探測與發現、開放的端口情況、操作系統與應用服務指紋識別、WAF識別及常見安全漏洞。
圖形化界面:Zenmap
分布式框架:DNmap
特點:
主機探測
端口掃描
版本檢測
系統檢測
支持探測腳本的編寫:Nmap的腳本引擎(NSE)和Lua編程語言
(share/nmap/scripts)
windows下:
Kali linux 2020.2:
工作原理:
(一切英文說明來源于官方文檔)
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network,
what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running,what type of packet filters/firewalls are in use, and dozens of other characteristics.
Nmap is commonly used for security audits!
Nmap使用TCP/IP協議棧對目標主機進行一系列的測試,利用測試結果建立相應目標主機的Nmap指紋,Nmap會對指紋進行匹配,輸出相應的結果。
When a hostname is given as a target,
it is resolved via the Domain Name System (DNS) to determine the IP address to scan.
If the name resolves to more than one IP address, only the first one will be scanned.To make Nmap scan all the resolved addresses instead of only the first one,
use the --resolve-all option.
==========實驗環境==========
Windows Server 2008:192.168.10.128
Kali Linux 2020.2:192.168.10.133
==========實驗環境==========
nmap --help // 版本:7.8
Target Specification:指定掃描目標(主機名、IP地址、網段等)
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
如果對大量的系統進行掃描,就可以在文本文件中輸入IP地址(或主機名),并使用該文件作為輸入。
nmap -iL ip.txt
-iR <num hosts>: Choose random targets(隨機選擇主機數量進行掃描)
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks(排除的主機/網段)
nmap 192.168.10.0/24 --exclude 192.168.10.133
--excludefile <exclude_file>: Exclude list from file(文件中指定排除的主機/網段)
nmap 192.168.10.0/24 --exclude targets.txt // 相對路徑
Host Discovery(主機發現)
不使用任何參數:
nmap 192.168.10.128
If no host discovery options are given,
Nmap sends an ICMP echo request, a TCP SYN packet to port 443,
a TCP ACK packet to port 80,
and an ICMP timestamp request. (For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.)
These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network.
For unprivileged Unix shell users,
the default probes are a SYN packet to ports 80 and 443 using the connect system call.
This host discovery is often sufficient when scanning local networks,
but a more comprehensive set of discovery probes is recommended for security auditing.
等價于:
namp -PE -PS443 -PA80 -PP 192.168.10.128
其他:
nmap 192.168.10.128 192.168.10.166 // 掃描多個目標地址
nmap 192.168.10.128-188 // 掃描范圍內目標地址
nmpa 192.168.10.128/24 // 掃描目標地址所在的網段
ping掃描:-sP
Host discovery is sometimes called ping scan,
but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool.
注意:這里的ping方式,不是ping命令IMCP協議方式,它發送一個arp廣播包請求,是ping echo檢查,但是不會發送ICMP、TCP協議數據包給目標主機!
-sP效率非常的快,比ICMP的協議還快!
-Pn (No ping):Treat all hosts as online -- skip host discovery
將指定的主機視作開啟的,跳過主機發現的過程。
-PS <port list> (TCP SYN Ping):TCP SYN Ping掃描
這個選項發送一個設置了SYN標志的空TCP包。
默認的目標端口是80(在編譯時可以通過更改nmap.h中的DEFAULT_TCP_PROBE_PORT_SPEC進行配置)。
-PA <port list> (TCP ACK Ping)
-PU <port list> (UDP Ping)
-PY <port list> (SCTP INIT Ping)
-PE; -PP; -PM (ICMP Ping Types):ICMP echo、timestamp、netmask
-PO <protocol list> (IP Protocol Ping)
如果沒有指定協議,默認是為ICMP(協議1)、IGMP(協議2)和IP-in-IP(協議4)發送多個IP包。
注意,對于ICMP、IGMP、TCP(協議6)、UDP(協議17)和SCTP(協議132),數據包發送時帶有適當的協議標頭,
而其他協議發送時除了IP標頭之外沒有其他數據(除非指定了——data、——data-string或——data-length選項)。
-sL (List Scan):列表掃描,僅列舉指定目標的IP,不進行主機發現。
-sn (No port scan):只進行主機發現,不進行端口掃描。
-n (No DNS resolution):禁止解析域名
告訴Nmap不要對它找到的活動IP地址執行反向DNS解析。因為解析速度慢,所以這個選項可以減少掃描的時間。(多在指定IP地址范圍時使用)
--resolve-all (Scan each resolved address)
-R (DNS resolution for all targets):域名解析
告訴Nmap始終對目標IP地址執行反向DNS解析
-R -sL
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers(指定DNS服務器)
--system-dns: Use OS's DNS resolver(使用系統的域名解析器)
--traceroute: Trace hop path to each host(路由跟蹤)
