Common Linux Commands: nmap

Command

nmap

Description

Network exploration tool and security / port scanner
Network port scanning tool

Usage

nmap [Scan Type...] [Options] {target specification}

Options

Options:
Target specification:
Targets can be given as hostnames, IPs, networks or address ranges, e.g. scanme.nmap.org, 192.168.0.1, 192.168.10.0/24, 10.0.0-255.1-254
-iL <inputfilename>: Read the list of hosts or networks from a file
-iR <num hosts>: Choose the given number of random hosts
--exclude <host1[,host2][,host3],...>: Exclude the given hosts
--excludefile <exclude_file>: Exclude the hosts listed in the given file
Host discovery:
-sL: List targets only, without scanning them
-sn: Ping scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
Scan techniques:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
Port scanning:
-p <port ranges>: Scan only the specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
Service and version detection:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
Script scan:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma separted list of script-files or
script-categories.
OS detection:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Timing and performance:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
Firewall/IDS evasion and spoofing:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Output:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
Misc:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

Notes

Official documentation: https://nmap.org/book/man.html
Chinese documentation: https://nmap.org/man/zh/

Examples

$ nmap -V
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.2k libpcre-8.32 libpcap-1.5.3 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

# A default scan looks like this
$ nmap www.a.com
Starting Nmap 6.40 ( http://nmap.org ) at 2021-12-02 22:57 CST
Nmap scan report for www.a.com (192.168.80.80)
Host is up (0.00059s latency).
Not shown: 890 filtered ports, 103 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 30.74 seconds
# Specify the target address; several address formats are supported, as single or multiple targets
$ nmap scanme.nmap.org
$ nmap 192.168.0.1
$ nmap 192.168.10.0/24
$ nmap 10.20.0-255.1-254
# Non-contiguous ranges in an octet: 10,15,16,20-25
$ nmap 172.16.10,15,16,20-25.1-253
$ nmap www.a.com 192.168.80.10 192.168.10.0/24
# -iL reads the address list from a file
$ nmap -iL file
# --excludefile excludes the addresses listed in a file
$ nmap --excludefile file 172.16.10.0/24
# -sL only lists the IPs, nothing is scanned
$ nmap -sL 192.168.80.0/30
Nmap scan report for 192.168.80.0
Nmap scan report for 192.168.80.1
Nmap scan report for 192.168.80.2
Nmap scan report for 192.168.80.3
# -sn performs a ping scan (host discovery only)
$ nmap -sn 192.168.80.0/24
Nmap scan report for 192.168.80.2
Host is up (0.00043s latency).
Nmap scan report for 192.168.80.10
Host is up (0.000094s latency).
Nmap scan report for 192.168.80.81
Host is up (0.0026s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.03 seconds
# -p scans the given ports; STATE open means the port is open, closed means it is closed, filtered means a firewall is filtering it and the state cannot be determined
$ nmap -p22 192.168.80.0/24
Nmap scan report for 192.168.80.1
Host is up (0.00090s latency).
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.80.2
Host is up (0.00018s latency).
PORT STATE SERVICE
22/tcp closed ssh
MAC Address: 00:50:56:EB:3A:16 (VMware)
Nmap scan report for 192.168.80.10
Host is up (0.000032s latency).
PORT STATE SERVICE
22/tcp open ssh
# -sV shows the service version
$ nmap -sV 192.168.80.10
Nmap scan report for 192.168.80.10
Host is up (0.000011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
# -PS: TCP SYN ping, discovers live hosts by sending SYN probes to the given ports (port 80 by default)
$ nmap -PS 192.168.80.10
# List the hosts that have the given port open (grepable output to stdout, then filter)
$ nmap -sT -p22 --open -oG - 192.168.80.0/24 | grep open
# Get the remote host's operating system type and open ports
$ nmap -sS -P0 -sV -O <target>
# Here <target> can be a single IP, a hostname, a domain name or a subnet
# -sS  TCP SYN scan (also called half-open or stealth scan)
# -P0  (older spelling of -Pn) skip host discovery, i.e. do not ping first
# -sV  enable service/version detection
# -O   try to identify the remote operating system
# Other options:
# -A   enable OS fingerprinting and version detection together
# -v   verbose output of the scan progress
$ nmap -sS -P0 -A -v <target>
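The `-oG -` pipeline above only greps for the word "open"; the following added example (not from the original post) parses grepable output properly, lists the hosts that have a given port open, and flags ports that are open but not on a per-host allow list, which is how a defender turns a scan into an exposure check. The grepable lines are constructed to mirror the hosts in the transcripts above and are not real scan data.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG -` output (not a real capture), with the
# same hosts and port states as the scans shown above.
SAMPLE_GREPABLE = """\
# Nmap 6.40 scan initiated Thu Dec  2 22:57:01 2021 as: nmap -p22,80,443,3306 -oG - 192.168.80.0/24
Host: 192.168.80.1 ()\tStatus: Up
Host: 192.168.80.1 ()\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///, 3306/closed/tcp//mysql///
Host: 192.168.80.10 (www.a.com)\tStatus: Up
Host: 192.168.80.10 (www.a.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///
Host: 192.168.80.81 ()\tStatus: Up
Host: 192.168.80.81 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 443/closed/tcp//https///, 3306/filtered/tcp//mysql///
# Nmap done at Thu Dec  2 22:57:32 2021 -- 256 IP addresses (3 hosts up) scanned in 30.74 seconds
"""

# Each grepable line is "Host: <ip> (<name>)<TAB><field>..." ; comment lines start with '#'.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {(port, proto): state}} from nmap -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and blanks
        ip, _name, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            # Entry format: port/state/proto/owner/service/rpcinfo/version/
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                hosts[ip][(int(parts[0]), parts[2])] = parts[1]
    return dict(hosts)


def hosts_with_open(hosts, port, proto="tcp"):
    """IPs on which the given port is reported open (filtered/closed excluded)."""
    return sorted(ip for ip, ports in hosts.items() if ports.get((port, proto)) == "open")


def unexpected_exposure(hosts, allowed):
    """allowed maps ip -> set of (port, proto) that may be open; returns violations."""
    bad = []
    for ip, ports in sorted(hosts.items()):
        for key, state in sorted(ports.items()):
            if state == "open" and key not in allowed.get(ip, set()):
                bad.append((ip, key[0], key[1]))
    return bad
```

Feed it real output with `nmap -p22,80,443,3306 -oG - 192.168.80.0/24 | python3 check.py` by reading `sys.stdin` instead of the sample; a non-empty violation list is the signal to investigate (here the MySQL port exposed on www.a.com).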