1. Options
option | note |
---|---|
-sS | TCP SYN scan (also called half-open or stealth scan) |
-P0 | Disable ICMP pings, i.e. skip host discovery (spelled -Pn in current Nmap; -P0 is still accepted) |
-sV | Enable service version detection |
-O | Attempt to identify the remote operating system |
-A | Enable OS fingerprinting and version detection together |
-v | Verbose output of scan progress |
2. Common commands
nmap -PN -n -F -T4 -sV -A -oG temp.txt <target>
amap -i temp.txt
probe | cmd |
---|---|
Get the remote host's OS type and open ports | nmap -sS -P0 -sV -O <target> |
Get the remote host's OS type and open ports (aggressive, verbose) | nmap -sS -P0 -A -v <target> |
Check whether specific ports are open | nmap -p <port> <target> or nmap -p <port1>,<port2> <target> |
3. Chapter 1 ~::~ Nmap Fundamentals
3.0.1. Listing open ports on a remote host
nmap hiren.com
3.0.2. Version detection
nmap -sV hiren.me
3.0.3. Aggressive detection
nmap -sC -sV -O <target>
3.0.4. Finding live hosts
nmap -sP 192.168.1.1/24
More
- Port list:
nmap -p80,443 localhost
- Port range:
nmap -p1-100 localhost
- All ports:
nmap -p- localhost
- Specific ports by protocols:
nmap -pT:25,U:53 <target>
- Service name:
nmap -p smtp <target>
- Service name wildcards:
nmap -p 'smtp*' <target>
- Only ports registered in Nmap services:
nmap -p '[1-65535]' <target>
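To make the port-specification syntax above concrete, here is an added Python example (not part of this cheat sheet and not Nmap's own code) that expands a -p string the way Nmap interprets it: comma-separated items, numeric ranges with open ends, T:/U: protocol prefixes that stick for later items, service names with * and ? wildcards, and the bracketed form that keeps only ports known to the services table. The SERVICES dictionary is a constructed stand-in for the nmap-services file so the example runs offline.

```python
import fnmatch
import re
from typing import Dict, Set, Tuple

MAX_PORT = 65535
PROTOS = ("tcp", "udp")

# Constructed subset of nmap-services, (name, proto) -> port. The real file
# ships with Nmap and holds thousands of entries; this stand-in exists only so
# the example runs offline.
SERVICES: Dict[Tuple[str, str], int] = {
    ("ssh", "tcp"): 22,
    ("smtp", "tcp"): 25,
    ("domain", "tcp"): 53,
    ("domain", "udp"): 53,
    ("http", "tcp"): 80,
    ("https", "tcp"): 443,
    ("smtps", "tcp"): 465,
    ("submission", "tcp"): 587,
}


def parse_range(text: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1-100' -> (1, 100); '-100' -> (1, 100); '1024-' -> (1024, 65535)."""
    if "-" not in text:
        port = int(text)
        return port, port
    lo_s, hi_s = text.split("-", 1)
    lo = int(lo_s) if lo_s else 1
    hi = int(hi_s) if hi_s else MAX_PORT
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def expand_port_spec(spec: str, services=SERVICES) -> Dict[str, Set[int]]:
    """Expand an Nmap -p specification into {'tcp': set, 'udp': set}.

    Items without a T:/U: prefix are added to every protocol list, as Nmap
    does; whether the UDP list is actually probed depends on -sU being given.
    """
    result: Dict[str, Set[int]] = {p: set() for p in PROTOS}
    active = PROTOS  # protocol lists the following items apply to
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        prefix = re.match(r"([TU]):(.*)", item, re.IGNORECASE)
        if prefix:
            active = ("tcp",) if prefix.group(1).upper() == "T" else ("udp",)
            item = prefix.group(2)
            if not item:  # a bare "T:" only switches protocol for later items
                continue
        for proto in active:
            if item.startswith("[") and item.endswith("]"):
                # only ports that appear in the services table for this protocol
                lo, hi = parse_range(item[1:-1])
                result[proto].update(
                    port for (_, pr), port in services.items()
                    if pr == proto and lo <= port <= hi)
            elif re.fullmatch(r"\d+|\d*-\d*", item):
                # single port, N-M, -M, N- or the bare "-" meaning all ports
                lo, hi = parse_range(item)
                result[proto].update(range(lo, hi + 1))
            else:
                # service name, with shell-style * and ? wildcards
                result[proto].update(
                    port for (name, pr), port in services.items()
                    if pr == proto and fnmatch.fnmatchcase(name, item))
    if not any(result.values()):
        raise ValueError(f"port specification {spec!r} matched no ports")
    return result


if __name__ == "__main__":
    for spec in ("80,443", "1-100", "T:25,U:53", "smtp*", "[1-100]"):
        expanded = expand_port_spec(spec)
        print(f"{spec:<12} tcp={sorted(expanded['tcp'])[:8]} udp={sorted(expanded['udp'])}")
```

Because an unqualified item lands in both lists, the function is also a quick way to check a scan's intended scope before running it: a spec such as smtp* quietly pulls in smtps (465) from the services table, and a spec with U: entries but no -sU will never be probed on UDP.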
3.0.5. Scan using script
nmap --script <script name> <host>
3.0.6. Scanning using a specified network interface
nmap -e <INTERFACE> scanme.nmap.org
Chapter 2 ~::~ Network Exploration
3.0.7. Discovering hosts with TCP SYN ping scans
nmap -sP -PS 192.168.1.1/24
3.0.8. Discovering hosts with TCP ACK ping scans
nmap -sP -PA <target>
3.0.9. Discovering hosts with UDP ping scans
nmap -sP -PU <target>
3.0.10. Discovering hosts with ICMP ping scans
nmap -sP -PE hiren.net
3.0.11. Discovering hosts with IP protocol ping scans
nmap -sP -PO <target>
3.0.12. Discovering hosts with ARP ping scans
Effective on a LAN:
nmap -sP -PR 192.168.1.1/24
3.0.13. MAC address spoofing
Change the source MAC address:
nmap -sP -PR --spoof-mac 5C:4C:A9:F2:DC:7C <target>
3.0.14. Hiding our traffic with additional random data
Pad probes with random data:
nmap -sS -PS --data-length 300 scanme.nmap.org
3.0.15. Forcing DNS resolution
Force DNS resolution even if the host is offline:
nmap -sS -PS -F -R XX.XXX.XXX.220-230
4. Chapter 3 ~::~ Gathering Additional Host Information
4.0.1. Getting information from WHOIS records
nmap --script whois <target>
4.0.2. Collecting valid e-mail accounts
The script http-google-email is not included in Nmap's official repository, so you need to download it from http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse and copy it to your local scripts directory. After copying http-google-email.nse, update the script database with:
nmap --script-updatedb
nmap -p80 --script http-google-email,http-email-harvest <target>
4.0.3. Discovering hostnames pointing to the same IP address
See the external script library at https://secwiki.org/w/Nmap/External_Script_Library, then update the script database and run the script:
nmap --script-updatedb
nmap -p80 --script hostmap nmap.org
4.0.4. Brute forcing DNS records
nmap --script dns-brute <target>
4.0.5. Fingerprinting the operating system of a host
nmap -O <target>
4.0.6. Discovering UDP services
nmap -sU -p- <target>
4.0.7. Listing protocols supported by a remote host
nmap -sO <target>
4.0.8. Discovering stateful firewalls by using a TCP ACK scan
nmap -sA <target>
Port states
Nmap categorizes ports using the following states:
- Open: an application is listening for connections on this port.
- Closed: the probes were received but there is no application listening on this port.
- Filtered: the probes were not received and the state could not be established; some kind of filtering is dropping the probes.
- Unfiltered: the probes were received but a state could not be established.
- Open/Filtered: Nmap couldn't determine whether the port is filtered or open.
- Closed/Filtered: Nmap couldn't determine whether the port is filtered or closed.
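The grepable file written by the -oG command in section 2 records exactly these states, one entry per port. As an added example (not from this cheat sheet and not Nmap's own tooling), the following Python script parses that format, tallies the states listed above, and pulls out the ports whose state Nmap could not settle, which are the ones worth re-probing with a different scan type such as the ACK scan in section 4.0.8. SAMPLE_OG is a constructed sample, not real scan output; the version strings in it contain no commas or slashes, which the simple split-based parsing relies on.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of grepable (-oG) output, not a real scan. Each Ports:
# entry is port/state/proto/owner/service/rpc info/version/ and entries are
# comma separated; the sections of a Host: line are tab separated.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -sV -oG temp.txt 192.168.1.0/24
Host: 192.168.1.10 (gateway.lan)\tStatus: Up
Host: 192.168.1.10 (gateway.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///, 53/open|filtered/udp//domain///\tIgnored State: closed (997)
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (998)
# Nmap done at Mon Jan  1 00:00:09 2024 -- 256 IP addresses (2 hosts up) scanned in 9.00 seconds
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {host: [port records]}; hosts that are up but list no ports map to []."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." header and footer lines carry no port data
        sections = line.split("\t")
        host = sections[0].split()[1]
        records = hosts.setdefault(host, [])
        for section in sections[1:]:
            if not section.startswith("Ports:"):
                continue  # Status:, Ignored State:, OS: and similar sections
            for entry in section[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < len(PORT_FIELDS):
                    continue  # malformed entry: skip rather than guess
                rec = dict(zip(PORT_FIELDS, parts))  # zip keeps the first 7 fields
                rec["port"] = int(rec["port"])
                records.append(rec)
    return hosts


def count_states(hosts: Dict[str, List[dict]]) -> Counter:
    """Tally how many ports fell into each Nmap state across all hosts."""
    return Counter(r["state"] for recs in hosts.values() for r in recs)


def undetermined_ports(hosts: Dict[str, List[dict]]) -> List[Tuple[str, int, str, str]]:
    """Ports whose state Nmap could not settle: open|filtered, closed|filtered, unfiltered.

    These are the candidates for a follow-up probe with another scan type
    (for example -sA to tell filtered from unfiltered).
    """
    return sorted(
        (host, r["port"], r["proto"], r["state"])
        for host, recs in hosts.items()
        for r in recs
        if "|" in r["state"] or r["state"] == "unfiltered")


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for host, recs in parsed.items():
        print(host)
        for r in recs:
            print(f"  {r['port']}/{r['proto']:<4} {r['state']:<14} {r['service']:<15} {r['version']}")
    print("state totals:", dict(count_states(parsed)))
    print("needs follow-up:", undetermined_ports(parsed))
```

Run it against a real temp.txt by reading the file into parse_grepable instead of SAMPLE_OG. Note that Nmap only writes ports in the non-ignored states to the Ports: section; the "Ignored State: closed (997)" suffix is where the bulk of the port range went, so the tallies reflect interesting ports, not all 65535.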
5. Chapter 4 ~::~ Auditing Web Servers
6. Chapter 5 ~::~ Auditing Databases