nmap包说明
NMAP(“网络映射”)是一个自由和开放源码(许可证)工具进行网络发现和安全审计。许多系统和网络管理员也觉得有用,如网络库存,管理服务升级计划和监控主机或服务的正常运行时间的任务。 NMAP使用原始IP包以新颖的方式来确定哪些主机是在网络上可用,这些主机正在提供什么样的服务(应用程序的名称和版本),什么操作系统(和OS版本),它们都在运行,什么类型的分组过滤器/防火墙在使用中,和许多其他特性。它的目的是快速扫描大型网络,但能正常工作对单个主机。 Nmap的运行在所有主要计算机操作系统,和官方的二进制软件包可用于Linux,Windows和Mac OS X的除了经典的命令行Nmap的可执行文件,nmap的套件包括一个先进的GUI和结果浏览器(Zenmap)一种灵活的数据传送,重定向和调试工具(NCAT),用于比较扫描结果(Ndiff)的实用程序,并且一个分组产生和响应分析工具(Nping)。 Nmap的被评为“年度安全产品”,由Linux杂志,信息世界,LinuxQuestions.Org和Codetalker摘要。有人甚至功能十二电影,包括重装上阵,虎胆龙威4,女孩龙纹身,和谍影重重。 Nmap是比较合适?
- 灵活:支持数十台先进的技术映射出网络充满了IP过滤,防火墙,路由器和其他障碍。这包括许多端口扫描机制(包括TCP和UDP),操作系统检测,版本检测,ping扫描,等等。请参阅文档页面。
- 功能强大:Nmap的已被用来扫描字面上机数十万庞大的网络。
- 便携性:大多数操作系统都支持,包括Linux,微软的Windows,FreeBSD下,OpenBSD系统,Solaris和IRIX,Mac OS X中,HP-UX,NetBSD的,SUN OS,Amiga的,等等。
- 很简单:虽然Nmap的提供了一套丰富的先进功能的电力用户,你可以开始作为简称为“NMAP -v -A targethost”。这两种传统的命令行和图形(GUI)版本可供选择,以满足您的喜好。二进制文件是为那些谁不希望从源代码编译的Nmap。
- 免费:在Nmap的项目的主要目标是帮助使互联网更安全一点,并为管理员提供/审计/黑客探索他们的网络的先进工具。 NMAP是可以免费下载,并且还配备了完整的源代码,你可以修改,并根据许可协议的条款重新分发。
- 有据可查:重大努力已投入全面和最新的手册页,白皮书,教程,甚至一整本书!发现他们在这里多国语言。
- 支持:虽然Nmap的同时没有担保,这是深受开发者和用户一个充满活力的社区提供支持。大多数这种相互作用发生在Nmap的邮件列表。大多数的bug报告和问题应该发送到NMAP-dev邮件列表,但你读的指引之后。我们建议所有用户订阅低流量的nmap-黑客公布名单。您还可以找到的Nmap在Facebook和Twitter。对于即时聊天,加入Freenode上或连接到efnet的#nmap通道。
- 好评:Nmap的赢得了无数奖项,包括“信息安全产品奖”,由Linux杂志,信息世界和Codetalker文摘。它已被刊登在数以百计的杂志文章,几部电影,几十本书,一本漫画书系列。访问进一步的细节新闻页面。
- 热门:成千上万的人下载Nmap的每一天,它包含许多操作系统(红帽Linux,Debian的Linux中,Gentoo的,FreeBSD下,OpenBSD的,等等)。它是在Freshmeat.Net库的前十名(总分30000)方案之间。这是很重要的,因为它的Nmap借给其充满活力的发展和用户的支持群体。 资料来源:http://nmap.org/
- 作者:陀
- 许可:GPL第二版
0x01 包含在nmap包工具
nping - 网络数据包生成工具/ Ping实用程序:~# nping -h Nping 0.6.40 ( http://nmap.org/nping ) Usage: nping [Probe mode] [Options] {target specification} TARGET SPECIFICATION: Targets may be specified as hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24 PROBE MODES: --tcp-connect : Unprivileged TCP connect probe mode. --tcp : TCP probe mode. --udp : UDP probe mode. --icmp : ICMP probe mode. --arp : ARP/RARP probe mode. --tr, --traceroute : Traceroute mode (can only be used with TCP/UDP/ICMP modes). TCP CONNECT MODE: -p, --dest-port <port spec> : Set destination port(s). -g, --source-port <portnumber> : Try to use a custom source port. TCP PROBE MODE: -g, --source-port <portnumber> : Set source port. -p, --dest-port <port spec> : Set destination port(s). --seq <seqnumber> : Set sequence number. --flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...) --ack <acknumber> : Set ACK number. --win <size> : Set window size. --badsum : Use a random invalid checksum. UDP PROBE MODE: -g, --source-port <portnumber> : Set source port. -p, --dest-port <port spec> : Set destination port(s). --badsum : Use a random invalid checksum. ICMP PROBE MODE: --icmp-type <type> : ICMP type. --icmp-code <code> : ICMP code. --icmp-id <id> : Set identifier. --icmp-seq <n> : Set sequence number. --icmp-redirect-addr <addr> : Set redirect address. --icmp-param-pointer <pnt> : Set parameter problem pointer. --icmp-advert-lifetime <time> : Set router advertisement lifetime. --icmp-advert-entry <IP,pref> : Add router advertisement entry. --icmp-orig-time <timestamp> : Set originate timestamp. --icmp-recv-time <timestamp> : Set receive timestamp. --icmp-trans-time <timestamp> : Set transmit timestamp. ARP/RARP PROBE MODE: --arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply. --arp-sender-mac <mac> : Set sender MAC address. --arp-sender-ip <addr> : Set sender IP address. --arp-target-mac <mac> : Set target MAC address. --arp-target-ip <addr> : Set target IP address. IPv4 OPTIONS: -S, --source-ip : Set source IP address. --dest-ip <addr> : Set destination IP address (used as an alternative to {target specification} ). --tos <tos> : Set type of service field (8bits). --id <id> : Set identification field (16 bits). --df : Set Don't Fragment flag. --mf : Set More Fragments flag. --ttl <hops> : Set time to live [0-255]. --badsum-ip : Use a random invalid checksum. --ip-options <S|R [route]|L [route]|T|U ...> : Set IP options --ip-options <hex string> : Set IP options --mtu <size> : Set MTU. Packets get fragmented if MTU is small enough. IPv6 OPTIONS: -6, --IPv6 : Use IP version 6. --dest-ip : Set destination IP address (used as an alternative to {target specification}). --hop-limit : Set hop limit (same as IPv4 TTL). --traffic-class <class> : : Set traffic class. --flow <label> : Set flow label. ETHERNET OPTIONS: --dest-mac <mac> : Set destination mac address. (Disables ARP resolution) --source-mac <mac> : Set source MAC address. --ether-type <type> : Set EtherType value. PAYLOAD OPTIONS: --data <hex string> : Include a custom payload. --data-string <text> : Include a custom ASCII text. --data-length <len> : Include len random bytes as payload. ECHO CLIENT/SERVER: --echo-client <passphrase> : Run Nping in client mode. --echo-server <passphrase> : Run Nping in server mode. --echo-port <port> : Use custom <port> to listen or connect. --no-crypto : Disable encryption and authentication. --once : Stop the server after one connection. --safe-payloads : Erase application data in echoed packets. TIMING AND PERFORMANCE: Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h). --delay <time> : Adjust delay between probes. --rate <rate> : Send num packets per second. MISC: -h, --help : Display help information. -V, --version : Display current version number. -c, --count <n> : Stop after <n> rounds. -e, --interface <name> : Use supplied network interface. -H, --hide-sent : Do not display sent packets. -N, --no-capture : Do not try to capture replies. --privileged : Assume user is fully privileged. --unprivileged : Assume user lacks raw socket privileges. --send-eth : Send packets at the raw Ethernet layer. --send-ip : Send packets using raw IP sockets. --bpf-filter <filter spec> : Specify custom BPF filter. OUTPUT: -v : Increment verbosity level by one. -v[level] : Set verbosity level. E.g: -v4 -d : Increment debugging level by one. -d[level] : Set debugging level. E.g: -d3 -q : Decrease verbosity level by one. -q[N] : Decrease verbosity level N times --quiet : Set verbosity and debug level to minimum. --debug : Set verbosity and debug to the max level. EXAMPLES: nping scanme.nmap.org nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1 nping --icmp --icmp-type time --delay 500ms 192.168.254.254 nping --echo-server "public" -e wlan0 -vvv nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES0x02 ndiff - 实用工具来比较的Nmap扫描结果
:~# ndiff -h Usage: /usr/bin/ndiff [option] FILE1 FILE2 Compare two Nmap XML files and display a list of their differences. Differences include host state changes, port state changes, and changes to service and OS detection. -h, --help display this help -v, --verbose also show hosts and ports that haven't changed. --text display output in text format (default) --xml display output in XML format0x03 NCAT - 串联并重定向插座
:~# ncat -h Ncat 6.40 ( http://nmap.org/ncat ) Usage: ncat [options] [hostname] [port] Options taking a time assume seconds. Append 'ms' for milliseconds, 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms). -4 Use IPv4 only -6 Use IPv6 only -U, --unixsock Use Unix domain sockets only -C, --crlf Use CRLF for EOL sequence -c, --sh-exec <command> Executes the given command via /bin/sh -e, --exec <command> Executes the given command --lua-exec <filename> Executes the given Lua script -g hop1[,hop2,...] Loose source routing hop points (8 max) -G <n> Loose source routing hop pointer (4, 8, 12, ...) -m, --max-conns <n> Maximum <n> simultaneous connections -h, --help Display this help screen -d, --delay <time> Wait between read/writes -o, --output <filename> Dump session data to a file -x, --hex-dump <filename> Dump session data as hex to a file -i, --idle-timeout <time> Idle read/write timeout -p, --source-port port Specify source port to use -s, --source addr Specify source address to use (doesn't affect -l) -l, --listen Bind and listen for incoming connections -k, --keep-open Accept multiple connections in listen mode -n, --nodns Do not resolve hostnames via DNS -t, --telnet Answer Telnet negotiations -u, --udp Use UDP instead of default TCP --sctp Use SCTP instead of default TCP -v, --verbose Set verbosity level (can be used several times) -w, --wait <time> Connect timeout --append-output Append rather than clobber specified output files --send-only Only send data, ignoring received; quit on EOF --recv-only Only receive data, never send anything --allow Allow only given hosts to connect to Ncat --allowfile A file of hosts allowed to connect to Ncat --deny Deny given hosts from connecting to Ncat --denyfile A file of hosts denied from connecting to Ncat --broker Enable Ncat's connection brokering mode --chat Start a simple Ncat chat server --proxy <addr[:port]> Specify address of host to proxy through --proxy-type <type> Specify proxy type ("http" or "socks4") --proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server --ssl Connect or listen with SSL --ssl-cert Specify SSL certificate file (PEM) for listening --ssl-key Specify SSL private key (PEM) for listening --ssl-verify Verify trust and domain name of certificates --ssl-trustfile PEM file containing trusted SSL certificates --version Display Ncat's version information and exit See the ncat(1) manpage for full options, descriptions and usage examples0x04 NMAP - 网络映射
:~# nmap -h Nmap 6.40 ( http://nmap.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iR <num hosts>: Choose random targets --exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sn: Ping Scan - disable port scan -Pn: Treat all hosts as online -- skip host discovery -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver --traceroute: Trace hop path to each host SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sY/sZ: SCTP INIT/COOKIE-ECHO scans -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio> SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script=default --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts --script-args-file=filename: provide NSE script args in a file --script-trace: Show all data sent and received --script-updatedb: Update the script database. --script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma separted list of script-files or script-categories. OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <numprobes>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per second --max-rate <number>: Send packets no faster than <number> per second FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP/SCTP checksum OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use -vv or more for greater effect) -d: Increase debugging level (use -dd or more for greater effect) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enable OS detection, version detection, script scanning, and traceroute --datadir <dirname>: Specify custom Nmap data file location --send-eth/--send-ip: Send using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged --unprivileged: Assume the user lacks raw socket privileges -V: Print version number -h: Print this help summary page. EXAMPLES: nmap -v -A scanme.nmap.org nmap -v -sn 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -Pn -p 80 SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES0x05 NMAP用法示例
在扫描详细模式 (-v), 启用操作系统检测,版本检测,脚本扫描,和 traceroute(-A), 版本 检测(-sV) 针对目标 IP(192.168.1.1):
:~# nmap -v -A -sV 192.168.1.1
Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 18:40
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:40
Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
Initiating SYN Stealth Scan at 18:40
Scanning router.localdomain (192.168.1.1) [1000 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 3001/tcp on 192.168.1.1
0x06 nping用法示例
使用TCP 模式(-tcp) 使用SYN标志探测端口 22(-p 22)(-flags
- SYN) 与 2(TTL电2) 在远程主机上的 TTL(192.168.1.1):
五
0x07 ndiff用法示例
对比昨天的端口扫描 (yesterday.xml) 自即日起扫描 (today.xml):
:~# ndiff yesterday.xml today.xml
-Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml 192.168.1.1
+Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml 192.168.1.1
endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1):
-Not shown: 96 filtered ports
+Not shown: 97 filtered ports
PORT STATE SERVICE VERSION
-22/tcp open ssh
0x08 NCAT用法示例
要 详细(-v), 可以运行/ bin / bash的连接上 (-exec“/斌/庆典”), 只允许1个IP地址 (-ALLOW 192.168.1.123), 监听TCP端口 4444(-l 4444) 上,并让听众开上断开 (-keep开):
:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.123.
Ncat: Connection from 192.168.1.123:39501.
Ncat: Connection from 192.168.1.15.
Ncat: Connection from 192.168.1.15:60393.
Ncat: New connection denied: not allowed
原文来自https://www.hackfun.org/kali-tools/nmap_zh.html。转载请注明原出处,商用请联系原作者授权。