[安全] nmap工具的使用

一、主机探测

1.指定DNS服务器解析域名

nmap --dns-servers 61.139.2.69 www.baidu.com

这样可以手动指定使用的dns服务器来对域名进行解析。

2.不发送ICMP包（避免出发防火墙机制）

nmap -Pn www.baidu.com

使用"-Pn"Option可以在扫描之前不发送ICMP包，从而避免防火墙机制被触发。

3.指定扫描的端口范围

nmap -p 1-1000 www.baidu.com

Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.12s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

使用"-p"Option指定扫描端口范围为1-1000。

4.端口状态

状态	说明
open	应用程序在该端口接收 TCP 连接或者 UDP 报文
closed	关闭的端口对于nmap也是可访问的， 它接收nmap探测报文并作出响应。但没有应用程序在其上监听
filtered	由于包过滤阻止探测报文到达端口，nmap无法确定该端口是否开放。过滤可能来自专业的防火墙设备，路由规则 或者主机上的软件防火墙
unfiltered	未被过滤状态意味着端口可访问，但是nmap无法确定它是开放还是关闭。 只有用于映射防火墙规则集的 ACK 扫描才会把端口分类到这个状态
open | filtered	无法确定端口是开放还是被过滤， 开放的端口不响应就是一个例子。没有响应也可能意味着报文过滤器丢弃了探测报文或者它引发的任何反应。UDP，IP协议，　FIN, Null 等扫描会引起。

5.服务指纹识别

通过分区目标往nmap发送的数据包中某个协议标记、选项和数据，推断目标服务器的操作系统信息、应用信息等，这就叫做操作系统指纹识别和服务指纹识别。

nmap -sV -p 1-1000 192.168.4.210

使用-sV选项进行应用指纹识别：

C:\Users\Administrator>nmap -sV -p 1-1000 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:07 ?D1ú±ê×?ê±??

Nmap scan report for 192.168.4.210
Host is up (0.00055s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
MAC Address: 00:0C:29:7E:61:77 (VMware)

可以看到，识别出了22端口的监听应用的版本。

6.使用侵略性的探测

C:\Users\Administrator> nmap -A -v -T4 192.168.4.210
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 11:11 ?D1ú±ê×?ê±??

Nmap scan report for 192.168.4.210
Host is up (0.00012s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 02:d6:2b:ca:51:fe:50:02:90:64:49:45:04:2f:26:63 (RSA)
|   256 e4:39:da:a0:ce:84:cc:2e:d5:57:70:98:de:9c:d2:a6 (ECDSA)
|_  256 bf:57:7d:fa:b4:7f:c3:76:e1:c6:97:4a:78:9a:10:e5 (ED25519)
MAC Address: 00:0C:29:7E:61:77 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9
Uptime guess: 0.001 days (since Fri Apr 10 11:10:55 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.12 ms 192.168.4.210
...
...

-A表示使用侵略性探测，-T<0-5>设置时间模板，数值越大越快，-v表示提高输出的冗余级别（显示更多信息，如果使用-vv可以显示更多的信息）。

或者使用以下方式：

nmap -sC -sV -O 192.168.4.210

-sC表使用nmap脚本进行探测（NSE），-sV表示探测目标机器上的服务信息，-O表示探测目标操作系统信息。

7.局域网主机存活探测

使用CIDR（无类别域间路由，Classiess Inter-Domain Routing），快速表示一个网络，比如192.168.4.0/24。

[root@centos7-test ~]# nmap -sP 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:19 EDT
Nmap scan report for 192.168.4.1
Host is up (0.00063s latency).
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)
Nmap scan report for 192.168.4.34
Host is up (0.00094s latency).
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)
Nmap scan report for 192.168.4.41
Host is up (0.00085s latency).
MAC Address: 00:0C:29:53:B4:1D (VMware)
Nmap scan report for 192.168.4.42
Host is up (0.00066s latency).
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)
Nmap scan report for 192.168.4.199
Host is up (0.000041s latency).
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)
Nmap scan report for 192.168.4.210
Host is up (0.00021s latency).
MAC Address: 00:0C:29:7E:61:77 (VMware)
Nmap scan report for 192.168.4.211
Host is up.
Nmap done: 256 IP addresses (7 hosts up) scanned in 1.28 seconds

-sP表示对该CIDR中所有主机进行ping扫描，以探测主机存活性，扫描过程中使用了TCP SYN扫描、ICMP echo Request来探测主机存活。

另外也可以使用-sn：

nmap -sn 192.168.4.0/24

8.使用TCP（UDP）探测主机

[root@centos7-test ~]# nmap -sN 192.168.4.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-10 01:44 EDT
Nmap scan report for 192.168.4.1
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
80/tcp   open|filtered http
443/tcp  open|filtered https
1443/tcp open|filtered ies-lm
MAC Address: 4C:6E:6E:00:EF:E8 (Comnect Technology)

Nmap scan report for 192.168.4.34
Host is up (0.00072s latency).
All 1000 scanned ports on 192.168.4.34 are open|filtered
MAC Address: B4:2E:99:EE:74:2D (Giga-byte Technology)

Nmap scan report for 192.168.4.41
Host is up (0.0035s latency).
All 1000 scanned ports on 192.168.4.41 are closed
MAC Address: 00:0C:29:53:B4:1D (VMware)

Nmap scan report for 192.168.4.42
Host is up (0.00062s latency).
All 1000 scanned ports on 192.168.4.42 are open|filtered
MAC Address: B4:2E:99:EE:74:35 (Giga-byte Technology)

Nmap scan report for 192.168.4.199
Host is up (0.00060s latency).
All 1000 scanned ports on 192.168.4.199 are closed
MAC Address: B4:2E:99:EE:73:E0 (Giga-byte Technology)

Nmap scan report for 192.168.4.210
Host is up (0.00018s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
22/tcp  open|filtered ssh
80/tcp  open|filtered http
111/tcp open|filtered rpcbind
MAC Address: 00:0C:29:7E:61:77 (VMware)

Nmap scan report for 192.168.4.211
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT   STATE         SERVICE
22/tcp open|filtered ssh

Nmap done: 256 IP addresses (7 hosts up) scanned in 10.40 seconds

-sN表示使用TCP full来探测主机。

也可以使用TCP FIN包来探测主机（速度更快，因为不用建立连接）：

nmap -sF 192.168.4.0/24

除了以上的-sN和-sF，还有-sA使用ACK包，-sS使用SYN包，-sU使用UDP等。

二、nmap结果输出

输出保存为xml文件：

nmap -sP 192.168.4.0/24 -oX test.xml

将结果保存为xml文件。

内容格式如下：

[root@centos7-test ~]# cat test.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Fri Apr 10 01:57:13 2020 as: nmap -sP -oX test.xml 192.168.4.0/24 -->
<nmaprun scanner="nmap" args="nmap -sP -oX test.xml 192.168.4.0/24" start="1586498233" startstr="Fri Apr 10 01:57:13 2020" version="7.80" xmloutputversion="1.04">
<verbose level="0"/>
<debugging level="0"/>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.1" addrtype="ipv4"/>
<address addr="4C:6E:6E:00:EF:E8" addrtype="mac" vendor="Comnect Technology"/>
<hostnames>
</hostnames>
<times srtt="575" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.34" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:2D" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="999" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.41" addrtype="ipv4"/>
<address addr="00:0C:29:53:B4:1D" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="1236" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.42" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:74:35" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="811" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.66" addrtype="ipv4"/>
<address addr="C8:3D:D4:A3:D9:AD" addrtype="mac" vendor="CyberTAN Technology"/>
<hostnames>
</hostnames>
<times srtt="216078" rttvar="216078" to="1080390"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.150" addrtype="ipv4"/>
<address addr="A4:83:E7:1E:0A:90" addrtype="mac" vendor="Apple"/>
<hostnames>
</hostnames>
<times srtt="524909" rttvar="524909" to="2624545"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.199" addrtype="ipv4"/>
<address addr="B4:2E:99:EE:73:E0" addrtype="mac" vendor="Giga-byte Technology"/>
<hostnames>
</hostnames>
<times srtt="204" rttvar="3780" to="100000"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.4.210" addrtype="ipv4"/>
<address addr="00:0C:29:7E:61:77" addrtype="mac" vendor="VMware"/>
<hostnames>
</hostnames>
<times srtt="457" rttvar="5000" to="100000"/>
</host>
<host><status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="192.168.4.211" addrtype="ipv4"/>
<hostnames>
</hostnames>
</host>
<runstats><finished time="1586498236" timestr="Fri Apr 10 01:57:16 2020" elapsed="3.01" summary="Nmap done at Fri Apr 10 01:57:16 2020; 256 IP addresses (9 hosts up) scanned in 3.01 seconds" exit="success"/><hosts up="9" down="247" total="256"/>
</runstats>
</nmaprun>

View Code