nmap notes

nmap
Target specification
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
Notes:
  -iL reads the targets from a file, one host or network per line.
  -iR picks <num hosts> random targets; 0 means keep scanning indefinitely.
  --exclude leaves out particular hosts or networks; --excludefile leaves out every address listed in the file (same format as -iL). Both are the usual way to keep out-of-scope hosts out of an engagement scan.

Host discovery
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
Notes:
  -sL only lists the specified target addresses (doing reverse DNS on them unless -n is given); no host discovery or port scan is run.
  -sn (same as the older -sP) only discovers hosts with ping-style probes and does not scan their ports.
  -Pn treats every specified host as up and skips host discovery, so every address gets port-scanned. This finds hosts that drop ping probes, but on a large range it is much slower than discovering first.

Port scanning
Port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered
  open: an application is accepting connections or packets on the port
  closed: the port is reachable but nothing is listening (a SYN probe gets a RST back)
  filtered: a firewall or other filter drops the probe, so nmap cannot tell whether the port is open
  unfiltered: the port is reachable but nmap cannot tell whether it is open (only the ACK scan reports this)
  open|filtered and closed|filtered: nmap cannot distinguish between the two states, e.g. no reply to a UDP, Null, FIN or Xmas probe (open|filtered) or an idle-scan result (closed|filtered)

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
Note: -sS (the default when running as root) needs raw-socket privileges. Unprivileged users get -sT, a full connect() scan, which completes the TCP handshake and is therefore more likely to be logged by the target application.

Port specification and scan order
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
Notes:
  -p takes the ports to scan, not the protocol. A T:, U: or S: prefix restricts the entries after it to TCP, UDP or SCTP until the next prefix; entries with no prefix apply to every protocol the chosen scan types cover, and -p- is shorthand for 1-65535.
  -F scans the 100 most common ports instead of the default 1000.
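The two pieces of syntax that trip people up are the octet ranges in the target specification above (10.0.0-255.1-254) and the protocol prefixes in -p. The following script is an added example, not code from the original notes or from the nmap project: it expands both forms the way nmap reads them, so a spec can be sanity-checked before a scan is launched. CIDR blocks and hostnames are left to nmap itself; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): expands nmap's target and port
# syntax the way nmap reads it. Handles octet ranges such as 10.0.0-1.1-2 and
# port lists such as U:53,111,T:21-25,80; CIDR blocks and hostnames are not
# handled here.

# expand_range "21-25" -> "21 22 23 24 25 "; expand_range "80" -> "80 "
expand_range() {
    case "$1" in
        *-*) lo=${1%-*}; hi=${1#*-} ;;
        *)   lo=$1;      hi=$1 ;;
    esac
    i=$lo
    while [ "$i" -le "$hi" ]; do
        printf '%s ' "$i"
        i=$((i + 1))
    done
}

# expand_targets "10.0.0-1.1-2" -> one IPv4 address per line.
# Each of the four octets may be a number or a lo-hi range.
expand_targets() {
    spec=$1
    oldifs=$IFS; IFS=.
    set -- $spec
    IFS=$oldifs
    if [ $# -ne 4 ]; then
        # e.g. "192.168.1-100": only three octets, nmap does not read this as a range
        printf 'not an IPv4 target spec: %s\n' "$spec" >&2
        return 1
    fi
    for a in $(expand_range "$1"); do
      for b in $(expand_range "$2"); do
        for c in $(expand_range "$3"); do
          for d in $(expand_range "$4"); do
            printf '%s.%s.%s.%s\n' "$a" "$b" "$c" "$d"
          done
        done
      done
    done
}

# count_targets "192.168.1.1-100" -> 100
count_targets() {
    expand_targets "$1" | wc -l | tr -d ' '
}

# expand_ports "U:53,111,T:21-25,80,S:9" -> one "proto port" line per port.
# A T:/U:/S: prefix sticks to every entry after it until the next prefix.
# Entries before any prefix are reported as "any": nmap applies them to each
# protocol the scan types cover (TCP and UDP for -sSU, for example).
expand_ports() {
    proto=any
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            T:*) proto=tcp;  item=${item#T:} ;;
            U:*) proto=udp;  item=${item#U:} ;;
            S:*) proto=sctp; item=${item#S:} ;;
        esac
        case "$item" in
            -) item=1-65535 ;;   # -p- means every port
        esac
        for port in $(expand_range "$item"); do
            printf '%s %s\n' "$proto" "$port"
        done
    done
}

# Stand-alone demo with cheap inputs (10.0.0-255.1-254 from the cheat sheet
# would expand to 256*254 = 65024 addresses).
expand_targets 10.0.0-1.1-2
expand_ports 'U:53,111,137,T:21-25,80,139,8080,S:9'
```

Running it shows that the cheat-sheet port example covers 3 UDP, 8 TCP and 1 SCTP port, and that a three-octet spec such as 192.168.1-100 is rejected rather than silently treated as a range.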

Service and version detection
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

Script scanning (see the separate nmap-script usage manual, 《nmap-script使用帮助手册》)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories.
Note: -sC runs only the default category. Categories such as intrusive, exploit and dos can disrupt the services they touch, so check --script-help <category> before pointing them at production hosts.

OS detection
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

Timing and performance
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
Note: -T4 is the usual choice on a fast, reliable network. -T5 or a high --min-rate trades accuracy for speed and can miss ports or overwhelm fragile hosts; -T0 and -T1 are meant for IDS evasion and are very slow.

Firewall/IDS evasion and spoofing
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
Notes:
  -f splits the probes into small IP fragments; --mtu <val> sets the fragment size, which must be a multiple of 8.
  With -S the replies go to the spoofed address, not to the scanning host, so nmap itself sees no results unless the replies are captured some other way; -e is normally needed with it because nmap can no longer choose the interface from the source address.
  -D makes the scan appear to come from the decoys as well as the real host (ME marks where the real address goes in the order). Use decoys that are actually up, otherwise the target may be SYN-flooded.

Output options
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
Note: -oA <basename> writes <basename>.nmap, <basename>.xml and <basename>.gnmap. XML is the format to feed into other tools; the grepable format is convenient for quick shell one-liners. Passing - as the filename (e.g. -oG -) sends that format to stdout.
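As an added example of working with the grepable output just described (this is not code from the original notes or from the nmap project), the script below pulls the live hosts and the open ports out of -oG text with awk. The sample input is constructed to mimic real -oG output; its hosts, ports and timestamps are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): extract live hosts and open
# ports from nmap's grepable (-oG) output. Typical real-world use:
#   nmap -sS -p- -oG - 192.168.0.0/24 | open_ports
# The sample below is constructed to look like -oG output; every value in it
# is made up.

sample_og() {
    printf '%s\n' '# Nmap 7.94 scan initiated Thu Apr  8 20:16:00 2021 as: nmap -sS -p 22,80,443 -oG - 192.168.0.1-2'
    printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\n'
    printf 'Host: 192.168.0.2 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.2 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (0)\n'
    printf '%s\n' '# Nmap done at Thu Apr  8 20:16:03 2021 -- 2 IP addresses (2 hosts up) scanned in 3.10 seconds'
}

# up_hosts: read -oG text on stdin, print the address of every host nmap saw as up.
# Fields on a Host: line are tab-separated; the first one is "Host: <addr> (<name>)".
up_hosts() {
    awk -F'\t' '/^Host: / && $2 == "Status: Up" { split($1, h, " "); print h[2] }'
}

# open_ports: read -oG text on stdin, print "host port/proto service" for every
# port whose state is exactly "open". Each entry in the Ports: field has the
# layout port/state/protocol/owner/service/rpc_info/version/ so field 2 is the
# state and field 5 the service name. open|filtered (typical for UDP scans) is
# deliberately not reported as open.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), p, /, /)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# Wrappers over the constructed sample so the results can be checked.
sample_up_count()   { sample_og | up_hosts | wc -l | tr -d ' '; }
sample_open_ports() { sample_og | open_ports; }
sample_open_count() { sample_open_ports | wc -l | tr -d ' '; }

# Stand-alone demo
sample_open_ports
```

On the sample this prints four lines (two open ports on each host); the filtered and closed entries are dropped, which is the same filtering --open gives you but applied after the fact to saved output.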

Common scanning tips
1 Scan a single host: nmap ip/dns

2 Scan a whole subnet: nmap 192.168.0.1/24

3 Scan several targets: nmap ip1 ip2 dns1 dns2

4 Scan a range: nmap 192.168.1.1-100

5 Import a list of IPs: nmap -iL ip.txt

6 List the target addresses without scanning them: nmap -sL 192.168.0.1/24

7 Scan specific ports: nmap -p port target

posted @ 2021-04-08 20:16 且任荣枯