nmap is a tool built for scanning and testing ports.
First, install nmap.
Installing nmap is simple; the official download page is below, just keep clicking Next.
https://nmap.org/download.html#macosx
// After installation, run nmap in a terminal; if a long list of help options appears, the install succeeded
Determine the operating system of 10.1.1.1
nmap -O 10.1.1.1
// Output:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-07 17:20 CST
Nmap scan report for www.x.com (10.1.1.1)
Host is up (0.017s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|2.6.X (88%) // The scan reports 88% Linux here, so that is the guess to go on.
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 3.18 (88%), Linux 2.6.18 - 2.6.22 (86%), OpenWrt Chaos Calmer (Linux 3.18) (85%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.24 seconds
In testing, to avoid leaving connection traces on the server 10.1.1.1, use a half-open (SYN) scan; the TCP handshake is never completed, so the application on the server never sees an established connection.
nmap -sS 10.1.1.1
Simple scan of the target host's ports; this only scans the common ports, not all of them.
nmap 10.1.1.1
// Output
Starting Nmap 7.60 ( https://nmap.org ) at 2017-09-07 17:24 CST
Nmap scan report for www.x.com (10.1.1.1)
Host is up (0.020s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Simple scan, with verbose output describing the returned results in detail
nmap -vv 10.1.1.1
Scan a port range (70-80) on target host 10.1.1.1
nmap -p 70-80 10.1.1.1
// Output
PORT STATE SERVICE
70/tcp filtered gopher
71/tcp filtered netrjs-1
72/tcp filtered netrjs-2
73/tcp filtered netrjs-3
74/tcp filtered netrjs-4
75/tcp filtered priv-dial
76/tcp filtered deos
77/tcp filtered priv-rje
78/tcp filtered vettcp
79/tcp filtered finger
80/tcp open http
81/tcp filtered hosts2-ns
82/tcp filtered xfer
83/tcp filtered mit-ml-dev
84/tcp filtered ctf
85/tcp filtered mit-ml-dev
86/tcp filtered mfcobol
87/tcp filtered priv-term-l
88/tcp filtered kerberos-sec
89/tcp filtered su-mit-tg
90/tcp filtered dnsix
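To make the scan output above (the OS detection run and the port-range run) machine-checkable, here is an added Python example, not part of the original notes, that parses nmap's normal-output port table and the OS guess line, and only trusts an OS guess when the OSScan warning is absent and the confidence clears a threshold. The sample text is constructed from the scans shown above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the nmap 7.60 output shown in the notes above
SAMPLE = """\
Nmap scan report for www.x.com (10.1.1.1)
PORT     STATE    SERVICE
79/tcp   filtered finger
80/tcp   open     http
443/tcp  open     https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.18 (88%), Linux 2.6.18 - 2.6.22 (86%), OpenWrt Chaos Calmer (Linux 3.18) (85%)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")  # e.g. "80/tcp open http"
GUESS_RE = re.compile(r"^Aggressive OS guesses:\s*(.*)$")
GUESS_ITEM_RE = re.compile(r"^(.+?)\s+\((\d+)%\)$")         # e.g. "Linux 3.18 (88%)"

def parse_nmap(text):
    """Pull the port table, the OSScan warning and the OS guess list out of normal output."""
    result = {"ports": [], "os_guesses": [], "os_unreliable": False}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            result["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service})
        elif line.startswith("Warning: OSScan results may be unreliable"):
            result["os_unreliable"] = True
        elif GUESS_RE.match(line):
            for item in GUESS_RE.match(line).group(1).split(", "):
                gm = GUESS_ITEM_RE.match(item.strip())
                if gm:
                    result["os_guesses"].append((gm.group(1), int(gm.group(2))))
    return result

def open_ports(parsed):
    return sorted(p["port"] for p in parsed["ports"] if p["state"] == "open")

def state_counts(parsed):
    return dict(Counter(p["state"] for p in parsed["ports"]))

def best_os_guess(parsed, min_confidence=90):
    """Top OS guess only when nmap raised no OSScan warning and confidence >= min_confidence, else None."""
    if parsed["os_unreliable"] or not parsed["os_guesses"]:
        return None
    name, pct = max(parsed["os_guesses"], key=lambda g: g[1])
    return name if pct >= min_confidence else None
```

For the sample above, best_os_guess returns None because nmap itself flagged the OS result as unreliable (no closed port was found), which is the reason the 88% figure in the notes should be treated as a hint rather than a fact.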
Scan specific ports on the target host
nmap -p 80,90 10.1.1.1
Scan UDP ports
nmap -sU 10.1.1.1
Scan the IPs in a subnet. -sP is a ping scan (host discovery only, no port scan; newer nmap versions call it -sn), and the /24 suffix is CIDR notation for the subnet mask you want (/24, /16, /8, etc.)
nmap -sP 10.1.1.1/24
nmap "all-in-one" switch; this option set covers a ping scan of ports 1-10000, OS detection, script scanning, traceroute and service detection
nmap -A 10.1.1.1
Check for common vulnerabilities (the trailing * is nmap's wildcard for the whole last octet)
nmap --script=vuln 10.1.1.*
Oracle weak-password brute force
nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 10.1.1.1
Guess MSSQL usernames and passwords
nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 10.1.1.1
List all MySQL users (no longer works on current versions)
nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 10.1.1.1