Once the user is familiar with the Nmap tool, they can use it to perform scans. From the previous chapter, the user knows that Nmap can scan hosts, ports, service versions, operating systems and so on. Before carrying out those scans, however, it is necessary to get a basic understanding of how Nmap is used, so that the later scans are easier to follow. This chapter therefore walks through basic scans with Nmap to help the user get to know the tool.
Before performing basic scans, you need to understand some fundamentals of Nmap network scanning, as well as some legal boundaries that must be considered. This section gives a brief introduction to basic network scanning.
1. Network scanning basics
Before using network scanning, understand the following:
• When the target host sits behind a firewall, router, proxy service or other security device, Nmap's results may be somewhat inaccurate. Misleading information may also appear when the remote target host is not on the local network.
• Some Nmap scan options require elevated privileges. On Unix and Linux systems, you must log in as root or run the Nmap command via sudo.
2. Legal boundaries
When performing network scans, some legal boundaries must be considered, as follows:
• Do not scan Internet service provider networks (such as government or confidential server sites) unless you have been permitted to; otherwise you will run into legal trouble.
• A full scan of some hosts can crash them, take them offline or cause data loss. Be careful when scanning mission-critical systems.
When the user has a definite scan target, Nmap can be used to scan it directly. Depending on the number of targets, there are three cases: scanning a single target, scanning multiple targets, and scanning a target list. This section covers each of the three in turn.
By specifying a single target, a basic Nmap scan can be performed. The target may be an IP address or a hostname (Nmap resolves hostnames automatically). The syntax is as follows:
nmap [target]
Here the [target] parameter can be an IP address or a hostname.
[Example 2-4] Scan the LAN host with IP address 192.168.1.105. Run the following command:
root@localhost:~# nmap 192.168.1.105
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 18:44 CST
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
445/tcp open microsoft-ds
MAC Address: 00:0C:29:31:02:17 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
The output shows that ports 21, 22, 23, 111 and 445 are open on target 192.168.1.105, together with the service that corresponds to each port. It also shows that the target's MAC address is 00:0C:29:31:02:17. The last line shows that the target host is up and that the scan took 0.87 seconds in total.
Tip: Nmap scans 1000 ports by default. These are its 1000 most commonly used ports rather than simply 1-1000, which is why ports such as 1900 and 49152 can appear in the results below while port ranges above 1000 are not scanned in full. To scan other ports, use the -p option. How to use Nmap's options is covered in later chapters.
Since IP addresses come in two kinds, IPv4 and IPv6, the single target given to Nmap can be either an IPv4 or an IPv6 address. The example above used an IPv4 address. To scan an IPv6 target address, use the -6 option. For example, to scan the host with IP address fe80::20c:29ff:fe31:217, run the following command:
[root@router ~]# nmap -6 fe80::20c:29ff:fe31:217
After running the command, the following information is displayed:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-06 15:07 CST
Nmap scan report for fe80::20c:29ff:fe31:217
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
The output shows that the host with IPv6 address fe80::20c:29ff:fe31:217 is up, and that ports 22, 23, 111, 139 and 445 are open on it.
Tip: To use an IPv6 address as the target, both the scanning host and the target host must support IPv6; otherwise the scan cannot be performed.
Nmap can scan multiple hosts at the same time. To scan several targets, list them all on the command line, separated by spaces. The syntax is as follows:
nmap [target1 target2 ...]
[Example 2-5] Use Nmap to scan hosts 192.168.1.1, 192.168.1.101 and 192.168.1.105 at the same time. Run the following command:
root@localhost:~# nmap 192.168.1.1 192.168.1.101 192.168.1.105
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:07 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.101)
Host is up (0.0060s latency).
All 1000 scanned ports on localhost (192.168.1.101) are closed
MAC Address: 14:F6:5A:CE:EE:2A (Xiaomi)
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00038s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
445/tcp open microsoft-ds
MAC Address: 00:0C:29:31:02:17 (VMware)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1.00 seconds
The output shows that three hosts were scanned, and the results for each host are displayed in turn. In the output above, the address line of each scanned host is emphasised so that its results are easier to pick out. The results for the three hosts are described below:
• 192.168.1.1: the output shows three open ports on this host, and MAC address 14:E6:E4:84:23:7A. From the vendor string in parentheses after the MAC address, it can be inferred that this host is a TP-Link router.
• 192.168.1.101: the output shows that all 1000 scanned ports on this host are closed. Its MAC address is 14:F6:5A:CE:EE:2A, with vendor Xiaomi, so it can be concluded that this host is a Xiaomi phone.
• 192.168.1.105: the output shows that 995 ports on this host are closed and five are open. Its MAC address is 00:0C:29:31:02:17, and the vendor string VMware indicates that it is a virtual machine.
Tip: When many targets share the same leading octets, a shorthand can be used: write the common prefix once and separate the differing last-octet values with commas (,). For example, the same three hosts can be scanned with the following command:
nmap 192.168.1.1,101,105
When there are many hosts to scan, their IP addresses (or hostnames) can be written to a text file, and Nmap told to read the targets from that file. This avoids typing the targets by hand on the command line. The syntax is as follows:
nmap -iL [IP address list file]
The -iL option in this syntax reads all the addresses from the IP address list file, which contains the IP addresses of the hosts to be scanned. Each entry in the list file must be separated by a space, a tab or a newline.
[Example 2-6] Use Nmap to scan all the hosts in the file list.txt. The steps are as follows:
(1) Create the text file list.txt and write the IP addresses of the hosts to scan into it, as shown below:
root@localhost:~# vi list.txt
192.168.1.1
192.168.1.100
192.168.1.101
192.168.1.102
192.168.1.103
192.168.1.104
192.168.1.105
The above specifies, in list.txt, the target addresses that will be scanned.
(2) Scan all the hosts specified in list.txt. Run the following command:
root@localhost:~# nmap -iL list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-06 10:53 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.00023s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1033/tcp open netinfo
1034/tcp open zincite-a
1035/tcp open multidropper
1038/tcp open mtqp
1040/tcp open netsaint
1075/tcp open rdrmshc
2869/tcp open icslap
5357/tcp open wsdapi
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap scan report for localhost (192.168.1.103)
Host is up (0.00028s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:F8:2B:38 (VMware)
Nmap scan report for localhost (192.168.1.104)
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:C3:1F:D7 (VMware)
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00034s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
445/tcp open microsoft-ds
MAC Address: 00:0C:29:31:02:17 (VMware)
Nmap scan report for localhost (192.168.1.102)
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
9876/tcp open sd
Nmap done: 7 IP addresses (6 hosts up) scanned in 1.05 seconds
The output shows that each host in list.txt was scanned in turn and that the results for each host are displayed. Note that the reports are not necessarily printed in list order: 192.168.1.102 appears last here. The final line shows that seven IP addresses were scanned in total, six of the hosts were up, and the whole scan took 1.05 seconds.
Nmap provides an -iR option that selects random Internet hosts to scan. Nmap generates the specified number of random targets and scans them. The syntax is as follows:
nmap -iR [number of hosts]
[Example 2-7] Use Nmap to scan two randomly selected target hosts. Run the following command:
root@localhost:~# nmap -iR 2
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-06 11:07 CST
Nmap scan report for suncokret.vguk.hr (161.53.173.3)
Host is up (0.43s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
444/tcp open snpp
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
2002/tcp open globe
3306/tcp open mysql
4444/tcp filtered krb524
Nmap done: 3 IP addresses (1 host up) scanned in 29.64 seconds
The output shows that Nmap generated three IP addresses at random, but only the host 161.53.173.3 was up, and the scan results for that host are displayed.
Tip: In general, random scanning is not recommended unless you are working on a research project. Otherwise, frequent random scanning may get you into trouble with your own Internet service provider.
When the user is not certain of the target's address, a scan can be run over a specified address range; the results reveal the live hosts in that range and related information. When specifying a range, the user can also exclude one or more targets from it. This section describes how to scan a specified address range with Nmap.
A scan range can be specified either by IP address or by subnet. The following describes specifying the range by IP address. The syntax is as follows:
nmap [IP address range]
In this syntax, the two ends of the IP address range are joined with a hyphen (-).
[Example 2-8] Use Nmap to scan all hosts from 192.168.1.1 to 192.168.1.100. Run the following command:
root@localhost:~# nmap 192.168.1.1-100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:40 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.00025s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1033/tcp open netinfo
1034/tcp open zincite-a
1035/tcp open multidropper
1037/tcp open ams
1039/tcp open sbl
1041/tcp open danf-ak2
2869/tcp open icslap
5357/tcp open wsdapi
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap done: 100 IP addresses (2 hosts up) scanned in 3.34 seconds
The output shows that in the range 192.168.1.1-100, only the two hosts 192.168.1.1 and 192.168.1.100 are up.
The user can also scan hosts across multiple network/subnet ranges. For example, to scan all hosts in the class C networks 192.168.1.* through 192.168.100.*, run the following command:
nmap 192.168.1-100.*
In this command the asterisk (*) is a wildcard that stands for all valid host values from 0 to 255.
Nmap can also scan an entire subnet using CIDR (Classless Inter-Domain Routing) notation. CIDR aggregates several IP networks and uses a classless inter-domain routing algorithm, which reduces the amount of routing information that core routers have to carry. The syntax is as follows:
nmap [network address in CIDR format]
In this syntax the CIDR address consists of two parts, a network address and a prefix length, separated by a slash (/). The correspondence between CIDR prefixes and subnet masks is shown in Table 2-3.
Table 2-3 CIDR reference table
[Example 2-9] Use Nmap to scan all hosts in the entire 192.168.1.1/24 subnet. Run the following command:
root@localhost:~# nmap 192.168.1.1/24
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:41 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00064s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.00022s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1033/tcp open netinfo
2869/tcp open icslap
5357/tcp open wsdapi
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap scan report for localhost (192.168.1.101)
Host is up (0.0041s latency).
All 1000 scanned ports on localhost (192.168.1.101) are closed
MAC Address: 14:F6:5A:CE:EE:2A (Xiaomi)
Nmap scan report for localhost (192.168.1.103)
Host is up (0.00027s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
......
49157/tcp open unknown
MAC Address: 00:0C:29:DE:7E:04 (VMware)
Nmap scan report for localhost (192.168.1.102)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
9876/tcp open sd
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.39 seconds
The output shows that 256 addresses were scanned in total, nine hosts were up, and the whole scan took 3.39 seconds. For reasons of space, only five hosts' results are listed above; the middle portion has been replaced with an ellipsis (......).
When the user scans a range (such as a LAN), that range may include the user's own host, or services the user has set up. For safety and to save time, the user may not want to scan those hosts. In that case the --exclude option can be used to leave them out. The syntax for excluding a single target is as follows:
nmap [target] --exclude [target]
[Example 2-10] Scan all hosts in the 192.168.1.1/24 network except 192.168.1.101. Run the following command:
root@localhost:~# nmap 192.168.1.1/24 --exclude 192.168.1.101
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:44 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.00068s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.00025s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1033/tcp open netinfo
1034/tcp open zincite-a
1035/tcp open multidropper
1037/tcp open ams
1039/tcp open sbl
1041/tcp open danf-ak2
2869/tcp open icslap
5357/tcp open wsdapi
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap scan report for localhost (192.168.1.103)
Host is up (0.00036s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
......
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00026s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
445/tcp open microsoft-ds
MAC Address: 00:0C:29:31:02:17 (VMware)
Nmap scan report for localhost (192.168.1.106)
Host is up (0.00039s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:C7:6A:2A (VMware)
......
Nmap scan report for localhost (192.168.1.102)
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
9876/tcp open sd
Nmap done: 255 IP addresses (8 hosts up) scanned in 3.05 seconds
The output shows that 255 IP addresses were scanned in total, eight of which were up. For reasons of space, part of the middle section has been omitted.
With the --exclude option, the user can exclude a single host, a range, or an entire network block (in CIDR format). For example, to scan the 192.168.1.1/24 network except for 192.168.1.100 through 192.168.1.103, run the following command:
root@localhost:~# nmap 192.168.1.1/24 --exclude 192.168.1.100-103
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:45 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.104)
Host is up (0.00028s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:C3:1F:D7 (VMware)
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00019s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open rpcbind
445/tcp open microsoft-ds
MAC Address: 00:0C:29:31:02:17 (VMware)
Nmap scan report for localhost (192.168.1.106)
Host is up (0.00017s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:C7:6A:2A (VMware)
Nmap scan report for localhost (192.168.1.107)
Host is up (0.0014s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
902/tcp open iss-realsecure
912/tcp open apex-mesh
2869/tcp open icslap
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:DE:7E:04 (VMware)
Nmap done: 252 IP addresses (5 hosts up) scanned in 2.27 seconds
The output shows that 252 addresses were scanned. Five hosts were up, namely 192.168.1.1, 192.168.1.104, 192.168.1.105, 192.168.1.106 and 192.168.1.107. From the output it can be seen that the hosts 192.168.1.100-103 were not scanned.
When there are many targets to exclude, their IP addresses can likewise be written to a text file, which is then passed with the --excludefile option. The syntax for excluding the targets in a list file is as follows:
nmap [target] --excludefile [target list]
[Example 2-11] Use Nmap to scan the hosts in the 192.168.1.0/24 network, excluding the targets listed in the file list.txt. The steps are as follows:
(1) Create the file list.txt and write the IP addresses of the targets to exclude into it, as shown below:
root@localhost:~# vi list.txt
192.168.102
192.168.1.103
192.168.1.104
192.168.1.105
The list file above is intended to exclude the four listed hosts from the scan. Note, however, that the first entry, 192.168.102, is missing an octet and therefore does not match the host 192.168.1.102.
(2) Run the scan. Execute the following command:
root@localhost:~# nmap 192.168.1.0/24 --excludefile list.txt
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-05 19:46 CST
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0014s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
49152/tcp open unknown
MAC Address: 14:E6:E4:84:23:7A (Tp-link Technologies CO.)
Nmap scan report for localhost (192.168.1.100)
Host is up (0.00021s latency).
Not shown: 986 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1033/tcp open netinfo
1034/tcp open zincite-a
MAC Address: 00:E0:1C:3C:18:79 (Cradlepoint)
Nmap scan report for localhost (192.168.1.106)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
MAC Address: 00:0C:29:C7:6A:2A (VMware)
Nmap scan report for localhost (192.168.1.107)
Host is up (0.0010s latency).
Not shown: 984 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
902/tcp open iss-realsecure
912/tcp open apex-mesh
2869/tcp open icslap
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 00:0C:29:DE:7E:04 (VMware)
Nmap scan report for localhost (192.168.1.102)
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
9876/tcp open sd
Nmap done: 253 IP addresses (5 hosts up) scanned in 3.31 seconds
The output shows that, among all the scanned targets, five hosts are up. Note that the summary line reports 253 addresses scanned, that is, only three were excluded, and 192.168.1.102 still appears in the results: the malformed entry 192.168.102 in list.txt matched nothing, so that host was not excluded.
When scanning with Nmap, different options produce different results. The user can use separate options to scan only the ports, the application versions, or the operating system type of the target host. Most people, however, do not like memorising all these options. In that case the user only needs to remember one option, -A. It performs a comprehensive scan of the target host, and the results include every kind of information: -A combines OS detection, version detection, script scanning and traceroute, so it is slower and generates far more traffic than a plain port scan (13.51 seconds below versus 0.87 seconds for the same host in Example 2-4). The syntax for a comprehensive scan is as follows:
nmap -A [target]
[Example 2-12] Use Nmap to perform a comprehensive scan of target host 192.168.1.105. Run the following command:
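To check how the target and exclusion syntax used in this section expands, here is an added Python example (not Nmap's own code, and not part of the original tutorial) that models the IPv4 forms shown above: single addresses, per-octet comma lists and hyphen ranges, the * wildcard, CIDR blocks, and whitespace-separated list files as used by -iL and --excludefile. It reproduces the address counts reported on the "Nmap done" lines of Examples 2-8 through 2-11 and flags malformed entries such as 192.168.102, which exclude nothing; hostnames and IPv6 are out of scope by assumption.

```python
import ipaddress
import re

def expand_target(spec):
    """Expand one IPv4 target spec into a list of addresses (assumption: no hostnames/IPv6).
    Supports CIDR (192.168.1.0/24) and per-octet lists, ranges and wildcards
    (192.168.1.1,101,105  192.168.1.1-100  192.168.1-100.*)."""
    if "/" in spec:
        # Nmap scans the whole block, network and broadcast addresses included.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("not a valid IPv4 target specification: %r" % spec)
    choices = []
    for octet in octets:
        values = set()
        for part in octet.split(","):
            if part == "*":            # wildcard: every value 0-255
                values.update(range(256))
                continue
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
            if not m:
                raise ValueError("bad octet %r in %r" % (part, spec))
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if not 0 <= lo <= hi <= 255:
                raise ValueError("octet value out of range in %r" % spec)
            values.update(range(lo, hi + 1))
        choices.append(sorted(values))
    return ["%d.%d.%d.%d" % (a, b, c, d)
            for a in choices[0] for b in choices[1]
            for c in choices[2] for d in choices[3]]

def parse_list_file(text):
    """Entries in an -iL or --excludefile list are separated by spaces, tabs or newlines."""
    return text.split()

def build_target_set(specs, excludes=()):
    """Expand targets, subtract excludes, and report exclude entries that could not
    be parsed (such entries exclude nothing). Returns (sorted targets, rejected)."""
    targets = set()
    for s in specs:
        targets.update(expand_target(s))
    rejected = []
    for e in excludes:
        try:
            targets.difference_update(expand_target(e))
        except ValueError:
            rejected.append(e)
    return sorted(targets, key=ipaddress.IPv4Address), rejected
```

Before a large range scan, comparing the expanded count against the "Nmap done: N IP addresses" line is a quick way to confirm that every exclusion was actually honoured.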
root@localhost:~# nmap -A 192.168.1.105
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-06 15:20 CST
Nmap scan report for localhost (192.168.1.105)
Host is up (0.00028s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.2.2 # FTP service: vsftpd, version 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230) # anonymous login is allowed
|_drwxr-xr-x 2 14 0 4096 Apr 03 06:10 pub # the FTP root directory is pub
22/tcp open ssh OpenSSH 5.3 (protocol 2.0) # SSH service: OpenSSH, version 5.3
| ssh-hostkey: # SSH host keys
| 1024 83:9f:d0:8e:29:3c:7f:d9:11:da:a8:bb:b5:5a:4d:69 (DSA)
|_ 2048 2e:ea:ee:63:03:fd:9c:ae:39:9b:4c:e0:49:a9:8f:5d (RSA)
23/tcp open telnet Linux telnetd # Telnet service
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo: # RPC details
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 34525/tcp status
|_ 100024 1 51866/udp status
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MYGROUP) # Samba (smbd) service, version 3.X
MAC Address: 00:0C:29:31:02:17 (VMware) # MAC address of the target host
Device type: general purpose # device type
Running: Linux 2.6.X|3.X # operating system in use
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 # OS CPE (Common Platform Enumeration) identifiers
OS details: Linux 2.6.32 - 3.10 # operating system details
Network Distance: 1 hop # network distance
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel # service information
Host script results:
| smb-os-discovery: # SMB operating system discovery
| OS: Unix (Samba 3.6.9-151.el6) # operating system is Unix, Samba version 3.6.9
| Computer name: router # computer name
| NetBIOS computer name: # NetBIOS computer name
| Domain name: # domain name
| FQDN: router # fully qualified domain name (FQDN)
|_ System time: 2015-05-06T15:20:28+08:00 # system time
| smb-security-mode:
| Account that was used for smb scripts: <blank>
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms localhost (192.168.1.105)
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
The output above is clearly far more detailed than the results of the earlier examples. It shows the target host's open ports, services, versions, operating system version, kernel, system type and more. Analysing the output shows that the target runs FTP, SSH, Telnet and other services, and the version and access information of each service is visible (for instance, that anonymous FTP login is allowed). It also shows that the target's operating system is Linux, with a kernel version of 2.6.32 (Nmap's estimate is 2.6.32 - 3.10).
This article is excerpted from the Nmap Scanning Basics tutorial, internal material of daxueba. Please credit the source when reproducing it; respect the technology and respect IT people!
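To turn results like the -A output above into something a defender can act on, here is an added Python example (not part of the original tutorial or of Nmap) that parses Nmap's normal text output into per-host port and script data and applies a few review rules matching the findings visible above: anonymous FTP login, cleartext Telnet, SMB message signing disabled, and no SMBv2 support. The sample input is a constructed, abridged copy of that output; for real automation, Nmap's XML output (-oX) is the more stable format to parse.

```python
import re

# Constructed sample: an abridged copy of the -A scan output shown above.
SAMPLE = """\
Nmap scan report for localhost (192.168.1.105)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 2.2.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 14       0            4096 Apr 03 06:10 pub
22/tcp  open  ssh         OpenSSH 5.3 (protocol 2.0)
23/tcp  open  telnet      Linux telnetd
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: MYGROUP)
Host script results:
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Nmap done: 1 IP address (1 host up) scanned in 13.51 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (.+?)(?: \(([\d.]+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_normal_output(text):
    """Split Nmap normal output into hosts, each with its port table and NSE script lines."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            # Prefer the address in parentheses; fall back to the bare name/address.
            hosts.append({"host": m.group(2) or m.group(1), "ports": [], "scripts": []})
            continue
        if not hosts:
            continue
        m = PORT_RE.match(line)
        if m:
            port, _proto, state, service, version = m.groups()
            hosts[-1]["ports"].append((int(port), state, service, version.strip()))
        elif line.startswith("|"):
            # NSE output lines begin with "| " or "|_"; keep only the text.
            hosts[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return hosts

def has_open(host, service):
    return any(p[1] == "open" and p[2] == service for p in host["ports"])

def script_says(host, needle):
    return any(needle in s for s in host["scripts"])

# Review rules drawn from the findings visible in the output above.
RULES = [
    ("anonymous FTP login allowed", lambda h: script_says(h, "Anonymous FTP login allowed")),
    ("cleartext telnet service open", lambda h: has_open(h, "telnet")),
    ("SMB message signing disabled", lambda h: script_says(h, "Message signing disabled")),
    ("SMBv2 not supported", lambda h: script_says(h, "doesn't support SMBv2")),
]

def review(hosts):
    """Map each host address to the names of the rules it triggers."""
    return {h["host"]: [name for name, check in RULES if check(h)] for h in hosts}
```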