安全测试工具之nmap使用指南

文章目录

- 一、前言
- 二、简介
- 三、使用示例
- - （一）常用命令
  - （二）主机存活检测
  - （三）端口探测
  - （四）服务识别
  - （五）操作系统识别
- 三、其它

一、前言

当我们在构建环境或排查问题时，常常是先确定环境是否正常，首要确定的就是当前ip是否可用，或是是否在使用，将要使用的端口是否已配置等进行，除了我们常用的ping或是telnet工具外，还有别一种工具nmap，可以说是扫描神器。接下来就让我简单的给大家介绍一下nmap吧。

二、简介

本人使用的mac，就以在mac上操作为实例进行介绍。
nmap不是系统自带的工具，所以得先进行安装才能使用。

brew install nmap #brew 神器一个命令行搞定安装nmap

安装完成后，我们就先来看看介绍吧：

man nmap #使用此命令进行查询nmap详情

man命令还是很好用的一个说明文档帮助查看命令，就是非常详细的说明使用文档，就是这个一般是英文，估计也有人跟我一样一看英文就头大，但为了能更好的了解它，只能硬着头皮来读一遍了。为了方便我把里面主要的部分做了翻译。
在这里插入图片描述

man nmap #使用此命令进行查询nmap详情NMAP(1)                            Nmap Reference Guide                            NMAP(1)NAMEnmap - Network exploration tool and security / port scanner#nmap - 网络探测工具和安全端口扫描工具SYNOPSISnmap [Scan Type...] [Options] {target specification}DESCRIPTIONNmap (“Network Mapper”) is an open source tool for network exploration and securityauditing. It was designed to rapidly scan large networks, although it works fineagainst single hosts. Nmap uses raw IP packets in novel ways to determine whathosts are available on the network, what services (application name and version)those hosts are offering, what operating systems (and OS versions) they arerunning, what type of packet filters/firewalls are in use, and dozens of othercharacteristics. While Nmap is commonly used for security audits, many systems andnetwork administrators find it useful for routine tasks such as network inventory,managing service upgrade schedules, and monitoring host or service uptime.#Nmap(Nmap是"Network Mapper"的缩写)是一款免费开源的网络探测和安全审核工具，不但在单个主机里也是很好用的，在大型网络中也是很好用的，其实它设计的目标就是快速地扫描大型网络。nmap以新颖的方式使用原始IP包来确定主机在网络上可用，什么服务(应用程序名称和版本)，正在运行的主机提供什么操作系统(和操作系统的版本) ，过滤/防火墙正在使用什么类型的数据包等等其他特点。虽然nmap通常用于安全审计，但许多系统和网络管理员发现在日常工作中使用它也是非常好用的，如：网络清点、管理服务升级计划以及监控主机或服务正常运行时间等。The output from Nmap is a list of scanned targets, with supplemental information oneach depending on the options used. Key among that information is the “interestingports table”.  That table lists the port number and protocol, service name, andstate. The state is either open, filtered, closed, or unfiltered.  Open means thatan application on the target machine is listening for connections/packets on thatport.  Filtered means that a firewall, filter, or other network obstacle isblocking the port so that Nmap cannot tell whether it is open or closed.  Closedports have no application listening on them, though they could open up at any time.Ports are classified as unfiltered when they are responsive to Nmap's probes, butNmap cannot determine whether they are open or closed. Nmap reports the statecombinations open|filtered and closed|filtered when it cannot determine which ofthe two states describe a port. The port table may also include software versiondetails when version detection has been requested. When an IP protocol scan isrequested (-sO), Nmap provides information on supported IP protocols rather thanlistening ports.#nmap根据不同的输入选项，输出不同的扫描结果列表。列表列出了端口、协议、服务名称和状态，状态有开放、过滤、已关闭、未过滤，其中开放意味着目标计算机上的应用程序正在侦听其上连接/数据包。已过滤意味着防火墙、过滤器或是其他网络障碍阻塞的端口，使得nmap无法判断端口是打开或是关闭的。关闭状态的端口是指尽管端口是打开的但没有应用程序监听的端口。对于有nmap响应，但不能确定是打开还是关闭的端口，归类为未过滤状态。Nmap报告状态组合open|filtered closed|filterd，当无法确定哪一个时，这两种状态描述了一个端口。当请求带有参数(-sO)即请求版本检测的详细信息时，nmap的扫描结果列表还可以包括软件版本请求版本检测时的详细信息，nmap提供有关支持IP协议的信息，但不是监听端口。In addition to the interesting ports table, Nmap can provide further information ontargets, including reverse DNS names, operating system guesses, device types, andMAC addresses.#除了关注的端口列表外，nmap还会输出更详细的信息，包括反向DSN名称、推测操作系统、设备类型和MAC地址。A typical Nmap scan is shown in Example 1. The only Nmap arguments used in thisexample are -A, to enable OS and version detection, script scanning, andtraceroute; -T4 for faster execution; and then the hostname.Example 1. A representative Nmap scan# nmap -A -T4 scanme.nmap.org# nmap有个典型参数实例"raw IP packets"，参数"-A",用于启用操作系统和版本检测，脚本扫描、和追踪路线，参数"-T4"是指快速执行；参数"raw IP packets" 是要扫描的主机名。

根据上面的说明总结出nmap主要使用功能有四项：主机存活检测、端口探测、服务识别、操作系统识别

三、使用示例

（一）常用命令

nmap常用的命令:

命令	作用
nmap localhost	查看当前开放的端口
nmap -p 1024-65535 localhost	查看主机端口(1024-65535)中开放的端口
nmap -p22,80,3306 ip地址	探测所列出的目标主机端口
nmap -sV -O localhost	探测目标主机操作系统类型、端口服务名称、版本信息

操作实例：

sudo nmap -A -T4 IP地名/域名

  /Users/zhh sudo nmap -A -T4 scanme.namp.org
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 07:44 CST
Failed to resolve "scanme.namp.org".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.18 seconds
➜  /Users/zhh sudo nmap -A -T4 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 07:45 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.020s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 996 filtered tcp ports (no-response), 2 filtered tcp ports (port-unreach)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_http-server-header: BWS/1.1
|_http-title: \xE7\x99\xBE\xE5\xBA\xA6\xE4\xB8\x80\xE4\xB8\x8B\xEF\xBC\x8C\xE4\xBD\xA0\xE5\xB0\xB1\xE7\x9F\xA5\xE9\x81\x93
443/tcp open  ssl/http Apache httpd
| tls-alpn:
|_  http/1.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: BWS/1.1
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_ssl-date: 2022-11-06T23:45:34+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=baidu.com/organizationName=Beijing Baidu Netcom Science Technology Co., Ltd/stateOrProvinceName=beijing/countryName=CN
| Subject Alternative Name: DNS:baidu.com, DNS:baifubao.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:mct.y.nuomi.com, DNS:apollo.auto, DNS:dwz.cn, DNS:*.baidu.com, DNS:*.baifubao.com, DNS:*.baidustatic.com, DNS:*.bdstatic.com, DNS:*.bdimg.com, DNS:*.hao123.com, DNS:*.nuomi.com, DNS:*.chuanke.com, DNS:*.trustgo.com, DNS:*.bce.baidu.com, DNS:*.eyun.baidu.com, DNS:*.map.baidu.com, DNS:*.mbd.baidu.com, DNS:*.fanyi.baidu.com, DNS:*.baidubce.com, DNS:*.mipcdn.com, DNS:*.news.baidu.com, DNS:*.baidupcs.com, DNS:*.aipage.com, DNS:*.aipage.cn, DNS:*.bcehost.com, DNS:*.safe.baidu.com, DNS:*.im.baidu.com, DNS:*.baiducontent.com, DNS:*.dlnel.com, DNS:*.dlnel.org, DNS:*.dueros.baidu.com, DNS:*.su.baidu.com, DNS:*.91.com, DNS:*.hao123.baidu.com, DNS:*.apollo.auto, DNS:*.xueshu.baidu.com, DNS:*.bj.baidubce.com, DNS:*.gz.baidubce.com, DNS:*.smartapps.cn, DNS:*.bdtjrcv.com, DNS:*.hao222.com, DNS:*.haokan.com, DNS:*.pae.baidu.com, DNS:*.vd.bdstatic.com, DNS:*.cloud.baidu.com, DNS:click.hm.baidu.com, DNS:log.hm.baidu.com, DNS:cm.pos.baidu.com, DNS:wn.pos.baidu.com, DNS:update.pan.baidu.com
| Not valid before: 2022-07-05T05:16:02
|_Not valid after:  2023-08-06T05:16:01
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 12 hopsTRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   3.59 ms  192.168.1.1
2   9.55 ms  10.70.0.1
3   13.59 ms 125.34.175.81
4   ... 11
12  13.87 ms 110.242.68.4OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.84 seconds

操作实例：

sudo nmap -sV -O  www.baidu.com


➜  /Users/zhh sudo nmap -sV -O  www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:28 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.015s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for hostOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.57 seconds

（二）主机存活检测

以下是按其四大功能项分类进行操作实例及输出结果说明
常见的扫描方式参数及说明：

参数	说明
-sS/sT/sA/sW/sM	TCPSYN/TCPconnect()/ACK/TCP窗口扫描/TCPMaimon扫描sS称为半开扫描，因为sS扫描并不需要完成三次握手，发送syn包后，对端回syn、ack包就认为是存活，结束本次连接，不会再回ack包。最大的好处是很少有系统能够把这记入系统日志，有隐蔽性
-sU	UDP扫描
-sN/sF/sX	TCPNULL,FIN,and Xmas扫描
-scanflags	自定义TCP包中的flags
-sY/sZ	SCTP INIT/COOKIE-ECHO扫描
–sO	使用IPprotocol扫描确定目标机支持的协议类型
b"FTPrelayhost"	使用FTPbouncescan

操作实例：

sudo nmap -sn 192.168.01.0/24

/Users/zhh sudo nmap -sn 192.168.01.0/24
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 10:51 CST
Nmap scan report for 192.168.10.1
Host is up (0.012s latency).
MAC Address: 90:23:B4:38:56:0A (New H3C Technologies)
Nmap scan report for 192.168.10.3
Host is up (0.013s latency).
MAC Address: B6:9A:33:CE:69:BB (Unknown)
..........Nmap scan report for 192.168.10.164
Host is up.
Nmap done: 256 IP addresses (112 hosts up) scanned in 2.69 seconds

（三）端口探测

参数	说明
-p	特定的端口,如–p 80,443 或者全端口–p 1-65535
-pU:PORT	扫描udp的某个端口,如-p U:53
-F	快速扫描模式,比默认的扫描端口还少
-r	不随机扫描端口,nmap默认是随机扫描的
–top-ports"number"	扫描开放概率最高的number个端口

操作实例1：

sudo nmap -p22,80,3306 www.baidu.com

/Users/zhh sudo nmap -p22,80,3306 www.baidu.com
Password:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:03 CST
Nmap scan report for www.baidu.com (110.242.68.3)
Host is up (0.011s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.4PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   open     http
3306/tcp filtered mysqlNmap done: 1 IP address (1 host up) scanned in 1.35 seconds

操作实例2：

sudo nmap -p22-30 www.baidu.com

/Users/zhh sudo nmap -p22-30 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:05 CST
Nmap scan report for www.baidu.com (110.242.68.3)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.4PORT   STATE    SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp filtered smtp
26/tcp filtered rsftp
27/tcp filtered nsw-fe
28/tcp filtered unknown
29/tcp filtered msg-icp
30/tcp filtered unknownNmap done: 1 IP address (1 host up) scanned in 1.34 seconds

（四）服务识别

参数	说明
-sV	开放版本探测,可以直接使用-A同时打开操作系统探测和版本探测
–version-intensity"level"	设置版本扫描强度,强度水平说明了应该使用哪些探测报文。数值越高，服务越有可能被正确识别。默认是7
–version-light	打开轻量级模式,为–version-intensity 2 的别名
–version-all	尝试所有探测,为–version-intensity 9 的别名
–version-trace	显示出详细的版本侦测过程信息

（五）操作系统识别

参数	说明
-O	启用操作系统检测,-A来同时启用操作系统检测和版本检测
–osscan-limit	针对指定的目标进行操作系统检测(至少需确知该主机分别有一个open和closed的端口)
–osscan-guess	推测操作系统检测结果,当Nmap无法确定所检测的操作系统时，会尽可能地提供最相近的匹配，Nmap默认进行这种匹配

一般来说服务器与操作系统是一起识别的,即参数“-sO”

操作实例：

sudo nmap -sO www.baidu.com

/Users/zhh sudo nmap -sO www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:25 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.011s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 255 open|filtered n/a protocols (no-response)
PROTOCOL STATE SERVICE
1        open  icmpNmap done: 1 IP address (1 host up) scanned in 3.85 seconds
其他操作实例：
nmap -PS ip地址
操作实例结果：
➜  /Users/zhh sudo nmap -PS www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 11:25 CST
Nmap scan report for www.baidu.com (110.242.68.4)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 110.242.68.3
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  httpsNmap done: 1 IP address (1 host up) scanned in 5.16 seconds

在上面的操作实例中，是否已经注意到了，在执行的命令前都会有“sudo”，获取管理员权限。没错nmap在执行时一般是需要管理员权限操作，否则输出不了相关的查询信息。

三、其它

除了nmap工具外，如果我们只是查看主机在是否在当前网络存在，还有其他工具，如：arp（address resoloutin display and control）、ping、nc(netcat，注意此工具不同的操作系统版本使用的命令还不一样如CentOS7与CentOS6操作命令就不一样)等，在此不一一做详细介绍与举例说明了，使用时可以使用man命令查看对应的详情。再说一遍,man命令真的是很好的帮助文档使用说明查看的好方法，最快捷方便的，就是需要有英文功底。不过没有关系，慢慢练习，看多了也就习惯了

arp -a    #查看当前在线主机ip地址
for i in {1..254}; do ping -c 1 -t 1 192.168.1.$i;done     #查看当前网段可用的i