Nmap命令的常用实例

一、Nmap简介

nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统(这是亦称 fingerprinting)。它是网络管理员必用的软件之一,以及用以评估网络系统安全。
正如大多数被用于网络安全的工具,nmap 也是不少黑客及骇客爱用的工具 。系统管理员可以利用nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用nmap来搜集目标电脑的网络设定,从而计划攻击的方法。
Nmap 以隐秘的手法,避开闯入检测系统的监视,并尽可能不影响目标系统的日常操作。  --(来自百度)
环境介绍:
我将用两个不同的部分来涵盖大部分NMAP的使用方法,这是nmap关键的第一部分。在下面的设置中,我使用两台已关闭防火墙的服务器来测试Nmap命令的工作情况。
  • 192.168.0.100 – server1.tecmint.com
  • 192.168.0.101 – server2.tecmint.com

Nmap语法:

nmap [Scan Type(s)] [Options] {target specification}

 

二、Nmap常用操作

1:批量ping扫描

[root@localhost ~]# nmap -sP 192.168.1.0/24Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for192.168.1.1
Host is up (0.0043s latency).
Nmap scan report for 192.168.1.2
Host is up (0.0040s latency).
Nmap scan report for 192.168.1.3
Host is up (0.0036s latency).
Nmap scan report for 192.168.1.4
Host is up (0.0042s latency).
Nmap scan report for 192.168.1.5

2:仅列出指定网络上的每台主机,不发送任何报文到目标主机(隐蔽探测)

[root@localhost ~]# nmap -sL 192.168.1.0/24Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3

3:探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)

[root@localhost ~]# nmap -PS 220.181.111.188Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST
Nmap scan report for 220.181.111.188
Host is up (0.0043s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  httpsNmap done: 1 IP address (1 host up) scanned in 4.06 seconds

4:使用UDP ping探测主机

[root@localhost ~]# nmap -PU 192.168.1.1[root@localhost ~]# nmap -PU 192.168.1.0/24

5:使用SYN半开放扫描

[root@localhost ~]# nmap -sS 220.181.111.188
[root@localhost ~]# nmap -sS 220.181.111.0/24Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST
Nmap scan report for 220.181.111.188
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  httpsNmap done: 1 IP address (1 host up) scanned in 4.56 seconds

6:使用TCP扫描

[root@localhost ~]# nmap -sT 220.181.111.188
[root@localhost ~]# nmap -sT 220.181.111.0/24Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST
Nmap scan report for 220.181.111.188
Host is up (0.0044s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  httpsNmap done: 1 IP address (1 host up) scanned in 4.24 seconds

7:使用UDP扫描

[root@localhost ~]# nmap -sU 220.181.111.188
[root@localhost ~]# nmap -sU 220.181.111.0/24Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST
Nmap scan report for 220.181.111.188
Host is up (0.0039s latency).
Not shown: 999 open|filtered ports
PORT    STATE    SERVICE
161/udp filtered snmpNmap done: 1 IP address (1 host up) scanned in 4.05 seconds

8:探测目标主机支持哪些IP协议

[root@localhost ~]# nmap -sO 220.181.111.188Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST
Nmap scan report for 220.181.111.188
Host is up (0.0054s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmpNmap done: 1 IP address (1 host up) scanned in 2.73 seconds

9:探测目标主机操作系统

[root@localhost ~]# nmap -O 220.181.111.188
[root@localhost ~]# nmap -A 220.181.111.188Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST
Nmap scan report for 220.181.111.188
Host is up (0.0050s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds

10:用主机名和IP地址扫描系统

Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。

a)用主机名扫描系统

[root@server1 ~]# nmap server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
You have new mail in /var/spool/mail/root

b)用IP地址扫描系统

[root@server1 ~]# nmap 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
You have new mail in /var/spool/mail/root

11:扫描时使用-v选项

可以看到下面的命令使用“ -“选项后给出了远程机器更详细的信息。

[root@server1 ~]# nmap -v server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43
Discovered open port 22/tcp on 192.168.0.101
Discovered open port 80/tcp on 192.168.0.101
Discovered open port 8888/tcp on 192.168.0.101
Discovered open port 111/tcp on 192.168.0.101
Discovered open port 3306/tcp on 192.168.0.101
Discovered open port 957/tcp on 192.168.0.101
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host server2.tecmint.com (192.168.0.101) appears to be up ... good.
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds

12:扫描多台主机

 简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

13:扫描整个子网

使用*通配符来扫描整个子网或某个范围的IP地址。

[root@server1 ~]# nmap 192.168.0.*Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown: 1677 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
851/tcp open  unknownInteresting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds

14:使用IP地址的最后一个字节扫描多台服务器

简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。

[root@server1 ~]# nmap 192.168.0.101,102,103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds

15:从一个文件中扫描主机列表

如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。

创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。

[root@server1 ~]# cat > nmaptest.txt 
localhost
server2.tecmint.com
192.168.0.101

接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址

[root@server1 ~]# nmap -iL nmaptest.txt 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
857/tcp open  unknownInteresting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
958/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds

16:扫描一个IP地址范围

扫描一个IP地址范围

[root@server1 ~]# nmap 192.168.0.101-110 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds

17:排除一些远程主机后再扫描

在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds

18:扫描操作系统信息和路由跟踪

使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。

[root@server1 ~]# nmap -A 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds

从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。

19:启用Nmap的操作系统探测功能

使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。

[root@server1 ~]# nmap -O server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class=TR%IPID=Z%TS=1000HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS
R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds

20:扫描主机并侦测防火墙

扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

[root@server1 ~]# nmap -sA 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds

21:扫描主机检测是否有防火墙保护

扫描主机检测其是否受到数据包过滤软件或防火墙的保护。

[root@server1 ~]# nmap -PN 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds

22:找出网络中的在线主机

使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。

[root@server1 ~]# nmap -sP 192.168.0.*Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (192.168.0.101) appears to be up.
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds

23:执行快速扫面

你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。

[root@server1 ~]# nmap -F 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds

24:顺序扫描端口

使用“-r”选项表示不会随机的选择端口扫描。

[root@server1 ~]# nmap -r 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds

25:打印主机接口和路由

你可以使用nmap的“–iflist”选项检测主机接口和路由信息。

[root@server1 ~]# nmap --iflistStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
lo   (lo)    127.0.0.1/8      loopback up
eth0 (eth0)  192.168.0.100/24 ethernet up 08:00:27:11:C7:89**************************ROUTES**************************
DST/MASK      DEV  GATEWAY
192.168.0.0/0 eth0
169.254.0.0/0 eth0

 从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。

26:扫描特定的端口

使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。

[root@server1 ~]# nmap -p 80 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) sca

26:扫描TCP端口

指定具体的端口类型和端口号来让nmap扫描。

[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
80/tcp   open  http
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

27:扫描UDP端口

[root@server1 ~]# nmap -sU 53 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT     STATE SERVICE
53/udp   open  http
8888/udp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

28:扫描多个端口

使用选项“-P”来扫描多个端口。

[root@server1 ~]# nmap -p 80,443 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

29:扫描多个端口

使用表达式来扫描某个范围内的端口。

[root@server1 ~]#  nmap -p 80-160 192.168.0.101

30:查找主机服务版本号

[root@server1 ~]# nmap -sV 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind  2 (rpc #100000)
957/tcp  open  status   1 (rpc #100024)
3306/tcp open  mysql   MySQL (unauthorized)
8888/tcp open  http    lighttpd 1.4.32
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds

31:使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机

有时候包过滤防火墙会阻断标准ICMP ping请求,在这种情况下,我们可以使用TCP ACKTCP Syn方法来扫描远程主机。

[root@server1 ~]# nmap -PS 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds

32:使用TCP ACK扫描远程主机上特定的端口

[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds

33:使用TCP Syn扫描远程主机上特定的端口

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds

34:执行一次隐蔽的扫描

[root@server1 ~]# nmap -sS 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds

35:执行TCP空扫描规避防火墙

[root@server1 ~]# nmap -sN 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
111/tcp  open|filtered rpcbind
957/tcp  open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds

 

参考文献:http://www.cnblogs.com/hongfei

参考文献:https://baike.baidu.com/item/nmap/1400075?fr=aladdin

转载于:https://www.cnblogs.com/LyShark/p/9133292.html

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/397779.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

mysql sqlexception_c-很奇怪-mysql的sql :: SQLException未被其类型捕...

我正在使用带有此(稍微简化)代码的mysql c连接器.try{statement->setString(1, word);statement->executeUpdate();}catch( sql::SQLException& e ){// I dont get herereturn sqlerrno_to_error_code( e.getErrorCode() );}catch( std::exception& e ){// I do …

Linux Kernel系列 - 黄牛X内核代码凝视

Hanks.Wang - 专注于操作系统与移动安全研究。Linux-Kernel/SELinux/SEAndroid/TrustZone/Encription/MDM Mail - byhankswanggmail.com 牛X的内核代码凝视 大牛的代码质量高稳定性好,并且逻辑清晰易读性比較强,今天看到Linux Kernel红黑树的代码时&a…

电子商务计算机网络安全技术教案,网络安全技术教案.pdf

名师精编 优秀教案《网络安全技术》教案2011-2012 第 2 学期适用班级: 2010 级计算机网络技术专业编写:徐英武名师精编 优秀教案第 1~2 课时周次 1 日期 2012 年 02 月 14 日 授课班级 2010 级计算机网络技术课题 网络安全概述 课 型 理论课教…

技术文章汇总

点击以下链接,可以查看相关技术文章:包括APP软件开发、手机软件开发、嵌入式开发、Java和C/C编程,同时涉及原型设计、效果图设计、切图、网络、多媒体、加密、字符编码、通信原理、测试和项目管理等各方面的知识。APP开发实战手机开发实战技术…

咋样查mysql的url_eclipse用jdbc连接mysql数据库时,url是填什么?怎样找出地址?

展开全部 jdbc连接mysql数据62616964757a686964616fe78988e69d8331333337623535库的url为: jdbc:mysql://主机名或IP抵制:端口号/数据库名?useUnicode=true&characterEncoding=UTF-8 jdbc连接其他数据库的连接字符串写法为:1、Oracle8/8i/9i数据库(thin模式) Class.for…

HP服务器ile进系统,HP GEN10服务器UEFI安装Windows Sverver 2012 R2教程

1.操作系统:Windows Server 2012 R2 VL with Update (x64) – DVD (Chinese-Simplified),MSDN下载地址:ed2k://|file|cn_windows_server_2012_r2_vl_with_update_x64_dvd_6052729.iso|5545527296|BD499EBCABF406AB82293DD8A5803493|/2.镜像写…

[程序设计语言] 堆和栈的全面总结

操作系统堆栈: 分配由编译器自己主动和自己主动释放。对应于堆栈的函数。参数存储功能值、函数调用结束后完成值和局部变量的函数体内。段内存空间。其操作和组织方式与数据结构中的栈十分相似。栈是为了运行线程留出的内存空间。当调用函数时创建栈。当函数运行完毕…

py文件的操作

文件操作基本流程。 计算机系统分为:计算机硬件,操作系统,应用程序三部分。 我们用python或其他语言编写的应用程序若想要把数据永久保存下来,必须要保存于硬盘中,这就涉及到应用程序要操作硬件,众所周知&a…

CentOS系统启动流程你懂否

一、Linux内核的组成相关概念:Linux系统的组成部分:内核根文件系统内核:进程管理、内存管理、网络协议栈、文件系统、驱动程序。IPC(Inter-Process Communication进程间通信):就是指多个进程之间相互通信,交换信息的方法。Linux I…

怎样用css设置图片下的投影,css – 做这种投影的最佳方法是什么?

如果您更喜欢使用CSS来创建该类型的阴影,则可以将CSS3用作seen here!CSS/* Lifted corners */.lifted {-moz-border-radius:4px;border-radius:4px;}.lifted:before,.lifted:after {bottom:15px;left:10px;width:50%;height:20%;max-width:300px;-webkit-Box-shadow:0 15px 10p…

mysql 排版 指令_Mysql语句排版

SQL 高效排版指北统一 SQL 排版的相关用法,极大提高编写和维护 SQL 的效率。注: column 选取的字段;table 选取的表名语句结构错误SELECT column1 FROM table1 ORDER BY column1正确SELECTcolumn1FROMtable1ORDER BYcolumn1解析SQL 语句在内部执行时会…

Linux命令学习手册-tr命令 2015-07-26 20:35 9人阅读 评论(0) 收藏...

tr [OPTION]... SET1 [SET2] [功能] 转换或者删除字符。 [描述] tr指令从标准输入设备读取数据,经过字符串转译后,输出到标准输出设备。 通过使用 tr,您可以非常容易地实现 sed 的许多最基本功能。您可以将 tr 看作为 sed 的&#xff08…

css商品,商品标签例子——CSS3 transform 属性

积累很重要。从此开始记录前端生涯的点滴....div{width:150px;height:30px;background-color:#f83944;/* Rotate div */transform:rotate(-40deg);-ms-transform:rotate(-40deg); /* Internet Explorer */-moz-transform:rotate(-40deg); /* Firefox */-webkit-transform:rotat…

The literal of int xxxxx is out of range

有时候我们定义了long型的变量,当我们给该变量赋值过长的整数时,系统依然会提示长度超过范围,解决办法如下: long timeShow 1437565243495L; 我们需要在整形变量的后面加上“L”,便可以避免系统报错。转载于:https://…

debian 访问 windows 共享_【续】windows环境redis未授权利用方式梳理

01Redis未授权产生原因1.redis绑定在0.0.0.0:6379默认端口,直接暴露在公网,无防火墙进行来源信任防护。2.没有设置密码认证,可以免密远程登录redis服务02漏洞危害1.信息泄露,攻击者可以恶意执行flushall清空数据2.可以通过eval执行…

HTML比较常用的标签

1.全局架构标签&#xff1a;<html><head><title>标题</title><meta charset"utf-8"></head><body>正文部分</body></html><!--注释部分-->2.body标签的属性bgcolor&#xff1a;背景色text:整个网页的颜…

sae项目服务器,基于SAE的游戏服务器: Server on SAE for RGSS Games 部署在SAE上的简易游戏服务器,为用 RMXP/VX/VA 开发的游戏提供网络服务...

本项目已经关闭服务端已经关闭并且不再重启&#xff0c;后续请访问 RGSOS on Gitlab基于SAE的游戏服务器重写服务端逻辑中……暂时无法正常提供服务功能数据库封装封装了 SAE 上的 Memcached&#xff0c;KVDB 和 Storage 到 SAE_IO 类&#xff0c;并引申到两个子类&#xff1a;…

1090 Highest Price in Supply Chain (25)

A supply chain is a network of retailers&#xff08;零售商&#xff09;, distributors&#xff08;经销商&#xff09;, and suppliers&#xff08;供应商&#xff09;-- everyone involved in moving a product from supplier to customer. Starting from one root suppli…

mysql 列数据显示转成行数据显示_Mysql的列修改成行并显示数据的简单实现

创建测试表&#xff1a;DROP TABLE IF EXISTS test;CREATE TABLE test (year int(11) DEFAULT NULL,month int(11) DEFAULT NULL,amount double DEFAULT NULL) ENGINEInnoDB DEFAULT CHARSETutf8;插入数据&#xff1a;INSERT INTO test VALUES (1991, 1, 1.1);INSERT INTO test…

Android两种常见错误(ANR和FC)解决办法

ANR(Activity Not Respone)(无响应)先介绍下Main线程&#xff08;也称为UI线程、主线程&#xff09;功能: 1.创建UI控件2.更新UI控件状态3.事件处理限制&#xff1a;Main线程不建议有超过5秒的事件出现条件&#xff1a;当用户输入事件5s内没有得到响应&#xff0c;将弹出ANR对话…