Using the nmap tool

Published: 2017-09-07

nmap is a tool built specifically for testing and scanning ports.

First, install nmap

Installing nmap is simple. The official download page is below; just keep clicking Next.

https://nmap.org/download.html#macosx
// After installation, type nmap in a terminal; if a long help listing appears, the install succeeded.

Identify the operating system of 10.1.1.1

nmap -O 10.1.1.1

// Output:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-07 17:20 CST
Nmap scan report for www.x.com (10.1.1.1)
Host is up (0.017s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|2.6.X (88%)           // The scan reports Linux with 88% confidence, so that is the guess.
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.18 (88%), Linux 2.6.18 - 2.6.22 (86%), OpenWrt Chaos Calmer (Linux 3.18) (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds

To avoid leaving connection traces on the server 10.1.1.1 during testing, use a half-open (SYN) scan

nmap -sS 10.1.1.1

Simple scan of the target host's ports. This only scans the commonly used ports, not all of them.

nmap 10.1.1.1

// Output
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-07 17:24 CST
Nmap scan report for www.x.com (10.1.1.1)
Host is up (0.020s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Simple scan with verbose output describing the returned results

nmap -vv 10.1.1.1

Scan a port range (70-80) on the target host 10.1.1.1

nmap -p 70-80 10.1.1.1

// Output
PORT   STATE    SERVICE
70/tcp filtered gopher
71/tcp filtered netrjs-1
72/tcp filtered netrjs-2
73/tcp filtered netrjs-3
74/tcp filtered netrjs-4
75/tcp filtered priv-dial
76/tcp filtered deos
77/tcp filtered priv-rje
78/tcp filtered vettcp
79/tcp filtered finger
80/tcp open     http
81/tcp filtered hosts2-ns
82/tcp filtered xfer
83/tcp filtered mit-ml-dev
84/tcp filtered ctf
85/tcp filtered mit-ml-dev
86/tcp filtered mfcobol
87/tcp filtered priv-term-l
88/tcp filtered kerberos-sec
89/tcp filtered su-mit-tg
90/tcp filtered dnsix
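As an added example that is not part of the original post, here is a small Python parser for the normal-format output shown above. It pulls the PORT/STATE/SERVICE rows and the "Aggressive OS guesses" percentages out of a scan report and flags open ports that are not on an allow-list, which is how a defender would turn scan output into an exposure check. The sample report is constructed for the example, modelled on the scans above; the allow-list is an assumed input.

```python
import re

# Constructed sample in nmap's normal output format (modelled on the scans above).
SAMPLE_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-07 17:20 CST
Nmap scan report for www.x.com (10.1.1.1)
Host is up (0.017s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
79/tcp  filtered finger
Running (JUST GUESSING): Linux 3.X|2.6.X (88%)
Aggressive OS guesses: Linux 3.18 (88%), Linux 2.6.18 - 2.6.22 (86%), OpenWrt Chaos Calmer (Linux 3.18) (85%)
"""

# "80/tcp  open  http" -> port, protocol, state, service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Name (88%)" entries separated by ", "; the name may itself contain parentheses.
OS_GUESS_RE = re.compile(r"(.+?)\s*\((\d+)%\)(?:,\s*|$)")


def parse_ports(text):
    """Return [(port, proto, state, service), ...] for every port row in the report."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_os_guesses(text):
    """Return {guess_name: percent} from the 'Aggressive OS guesses' line, or {}."""
    for line in text.splitlines():
        if line.startswith("Aggressive OS guesses:"):
            body = line.split(":", 1)[1]
            return {name.strip(): int(pct) for name, pct in OS_GUESS_RE.findall(body)}
    return {}


def unexpected_open_ports(text, allowed):
    """Open (port, proto) pairs missing from the allow-list: the exposure to review."""
    return sorted(port for port, proto, state, _ in parse_ports(text)
                  if state == "open" and (port, proto) not in allowed)


if __name__ == "__main__":
    # Assumed allow-list: only HTTPS is supposed to be reachable on this host.
    print(unexpected_open_ports(SAMPLE_OUTPUT, {(443, "tcp")}))  # -> [80]
```

Run it against a saved report from nmap -oN to compare what is actually reachable with what should be.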

Scan specific ports on the target host

nmap -p 80,90 10.1.1.1

UDP scan

nmap -sU 10.1.1.1

Scan the IPs in a network range. Note: -sP is the ping-scan option, and the /24 suffix is the CIDR prefix for the subnet mask you set (/24, /16, /8, etc.)

nmap -sP 10.1.1.1/24

nmap's all-in-one switch. The option covers a ping scan of ports 1-10000, OS detection, script scanning, traceroute and service detection

nmap -A 10.1.1.1

Check for common vulnerabilities

nmap --script=vuln 10.1.1.*

Oracle weak-password cracking

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 10.1.1.1

Guess MSSQL usernames and passwords

nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 10.1.1.1

List all MySQL users (this no longer works on current versions)

nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 10.1.1.1