nmap


description

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

[^Tips]: nmap - Network exploration tool and security / port scanner

Common uses:

  • Host discovery: which addresses on a network are up.
  • Port scanning, optionally with detection of the service and its version on each open port.
  • OS detection: the TCP/IP fingerprint the host returns is matched against nmap's built-in database to guess the operating system and version.

options

Usage: nmap [Scan Type(s)] [Options] {target specification}

Option  Description
(no scan-type option)  Host discovery (ping) followed by a port scan of the common service ports; this is what a bare nmap <target> does.
-sn / -sP  Ping scan only: host discovery without a port scan. -sP is the old name for -sn and still works.
-p  Ports to scan, e.g. -p 21,80,443 or -p 1-65535 (all 65535 ports, very slow). Without -p nmap scans its 1000 most common ports for the protocol.
-iL  Read targets (addresses, ranges or CIDR blocks) from a file. Alternatively list several targets on the command line: comma-separated values within an octet (192.168.3.1,94), a range with - (192.168.3.1-5), or CIDR notation. --exclude <targets> removes addresses from the scan and --excludefile <file> does the same from a file.
-Pn  No ping: skip host discovery, treat every target as online and go straight to the port scan.
-sU  UDP scan. By default nmap scans TCP only. UDP scanning is much slower: an open or filtered UDP port usually sends nothing back, so every silent port must be retried, and most stacks rate-limit the ICMP port-unreachable replies that identify closed ports.
-F  Fast mode: scan only the 100 most common ports (TCP by default; with -sU the top 100 UDP ports).
-sN  Null scan: all TCP flags cleared. Results are often inconclusive (see the open|filtered state below). -sF (FIN) and -sX (Xmas) are the related scans.
-T  Timing template T0-T5: paranoid|sneaky|polite|normal|aggressive|insane. Higher levels are faster at some cost in accuracy; T3 is the default. --min-rate is the other way to speed a scan up: nmap --min-rate 10000 forces at least 10000 packets per second.
--min-rate  Minimum number of packets to send per second; nmap never goes slower than this (--max-rate caps it from above).
-v  Verbose output: show the scan phases as they run.
-O  OS detection (capital O): the TCP/IP fingerprint is matched against nmap-os-db. Often nmap only prints the raw fingerprint and no match, as with home routers.
-A  Enable OS detection, version detection, script scanning, and traceroute; the most comprehensive (and noisiest) scan.
--script  Run NSE scripts. The scripts live in /usr/share/nmap/scripts by default (vuln checks, brute forcing and more) and can be selected by name or by category (default, safe, vuln, brute, intrusive, ...).
--scanflags  Customize the TCP flags of the probe. All the flags go in one argument as concatenated names, e.g. --scanflags URGACKPSHRSTSYNFIN, or as a numeric value. Repeating the option (nmap --scanflags ack --scanflags fin --scanflags syn) does not combine them: only the last value wins, so that command sends plain SYN probes. Unless a base scan type (-sA, -sF, ...) is also given, the replies are interpreted by SYN-scan rules.
-sS  TCP SYN scan, the default when running as root. Half-open: SYN, then SYN/ACK (open) or RST (closed); nmap answers a SYN/ACK with RST so the handshake is never completed.
-sF  TCP FIN scan: only the FIN flag set. A closed port answers RST; an open port drops the packet and sends nothing, which nmap reports as open|filtered (either open, or filtered by a firewall).
-sT  TCP connect scan: completes the three-way handshake through the OS connect() call and then closes the connection. This is the default when nmap cannot send raw packets (non-root).
-sA  TCP ACK scan: only the ACK flag set. It does not tell open from closed: an open port and a closed port both reply RST (reported as unfiltered), and no reply means filtered. Its purpose is mapping firewall rules, not finding open ports. -sW (window scan) sends the same probe but also inspects the TCP window of the RST: on some systems a non-zero window means open and a zero window means closed.
-sM  Maimon scan (named after Uriel Maimon): FIN and ACK set, as a packet capture shows. Per RFC 793 a RST comes back whether the port is open or closed, so on most systems every port appears closed; some BSD-derived stacks drop the probe for open ports, which nmap reports as open|filtered. Rarely useful today.
-sX  Xmas scan: FIN, PSH and URG set. As with the FIN scan, a closed port replies RST and an open port stays silent (open|filtered).
-S  Source address to use when the scanning host has several addresses (or to spoof; with a spoofed address the replies never reach you).
-g/--source-port  Use the given source port for the probes, e.g. 53 or 20 against filters that trust those ports.
-sV  Probe open ports to determine service/version info.
-e  Network interface to send and receive on.
--data  Append a custom hex payload to the probes.
--data-string  Append a custom ASCII string to the probes.
--badsum  Send packets with a bogus TCP/UDP/SCTP checksum; a real host discards them, so any reply comes from a firewall or IDS in the path.
--ttl  Set the IPv4 TTL field.
-n  No DNS resolution. -R always resolve.
-o*  Output (lowercase o): -oN normal text, -oX XML, -oG grepable, -oA all three at once.
……
Note: many of these options combine, e.g. nmap -FsU (equals -F -sU).
State  Meaning
open  An application is accepting connections on the port.
closed  The port is reachable but nothing is listening on it.
filtered  The probe was dropped (firewall or filter) and nmap cannot tell whether the port is open.
unfiltered  The port is reachable but nmap cannot tell whether it is open (ACK scan only).
open|filtered  No reply at all: the port may be open or filtered. Seen mainly in UDP, IP protocol, FIN, Null and Xmas scans.
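To act on these states from a script, here is an added example (my own code, not from this post or from nmap) that parses nmap's normal text output, the format shown in the examples below, into per-host port lists and separates ports nmap confirmed open from the ambiguous open|filtered ones. The sample text is a constructed stitch of report blocks taken from this post. For automation prefer -oX and an XML parser; the text format is not a stable interface.

```python
"""Parse nmap's normal (-oN / stdout) output into per-host port lists.

Added example: my own code, not from the original post or from nmap.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One row of the PORT/STATE/SERVICE table, with the optional VERSION column (-sV).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<addr>[^)]+)\))?")
ALL_PORTS_LINE = re.compile(r"^All (?P<n>\d+) scanned ports on \S+ are (?P<state>[\w|]+)")
MAC_LINE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""


@dataclass
class HostReport:
    target: str
    mac: str = ""
    ports: List[PortResult] = field(default_factory=list)
    # Set when nmap collapses the table into "All N scanned ports on X are <state>".
    all_ports_state: str = ""


def parse_normal_output(text: str) -> List[HostReport]:
    """Split the output into one HostReport per 'Nmap scan report for' block."""
    hosts: List[HostReport] = []
    current: Optional[HostReport] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_LINE.match(line)
        if m:
            # nmap prints "name (address)" when it resolved a hostname; prefer the address
            current = HostReport(target=m["addr"] or m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue  # banner lines before the first report
        m = PORT_LINE.match(line)
        if m:
            current.ports.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                            m["service"], m["version"] or ""))
            continue
        m = MAC_LINE.match(line)
        if m:
            current.mac = m["mac"].upper()
            continue
        m = ALL_PORTS_LINE.match(line)
        if m:
            current.all_ports_state = m["state"]
    return hosts


def confirmed_open(report: HostReport) -> List[str]:
    """Ports with state exactly 'open', as 'port/proto' strings."""
    return [f"{p.port}/{p.proto}" for p in report.ports if p.state == "open"]


def ambiguous(report: HostReport) -> List[str]:
    """Ports whose state is a disjunction (open|filtered, closed|filtered); they need a follow-up scan."""
    return [f"{p.port}/{p.proto}" for p in report.ports if "|" in p.state]


# Constructed sample: three report blocks stitched together from outputs in this post.
SAMPLE = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:06 CST
Nmap scan report for 192.168.3.1
Host is up (0.0065s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap scan report for 192.168.3.94
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.3.94 are open|filtered
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap scan report for 192.168.3.1
Host is up (0.0024s latency).
Not shown: 997 closed ports
PORT   STATE         SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 3 IP addresses (3 hosts up) scanned in 10.00 seconds
"""

if __name__ == "__main__":
    for host in parse_normal_output(SAMPLE):
        print(host.target, "open:", confirmed_open(host), "ambiguous:", ambiguous(host),
              "collapsed:", host.all_ports_state or "-")
```

The second report block is the case that trips up naive parsers: when every port has the same state nmap prints no table at all, only the "All 1000 scanned ports ... are open|filtered" line, so the port list is empty and the state has to be read from that line.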

examples

nmap 192.168.3.0/25

[root@rhel ~]# nmap 192.168.3.0/25
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:06 CST
Nmap scan report for 192.168.3.1
Host is up (0.0065s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap scan report for 192.168.3.74
Host is up (0.0052s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
6000/tcp open  X11
MAC Address: 5C:87:9C:F8:8E:00 (Unknown)

Nmap scan report for 192.168.3.94
Host is up (0.00034s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
3389/tcp open  ms-wbt-server
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap done: 128 IP addresses (3 hosts up) scanned in 319.88 seconds

nmap -sP 192.168.3.0/24

[root@rhel ~]# nmap -sP 192.168.3.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:01 CST
Nmap scan report for 192.168.3.1
Host is up (0.0074s latency).
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
Nmap scan report for 192.168.3.74
Host is up (0.23s latency).
MAC Address: 5C:87:9C:F8:8E:00 (Unknown)
Nmap scan report for 192.168.3.94
Host is up (0.00022s latency).
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap done: 256 IP addresses (3 hosts up) scanned in 5.36 seconds

nmap 192.168.3.1 -p 80,443

[root@rhel ~]# nmap 192.168.3.1 -p 80,443
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:21 CST
Nmap scan report for 192.168.3.1
Host is up (0.050s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.54 seconds

----------------------
[root@rhel ~]# nmap 192.168.3.1 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:33 CST
Nmap scan report for 192.168.3.1
Host is up (0.0029s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
37215/tcp open  unknown
37443/tcp open  unknown
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 6600.07 seconds		// very slow: nearly two hours for all 65535 ports

------------------------
[root@rhel ~]# nmap -T4 192.168.3.1 -p 1-65535
Nmap scan report for 192.168.3.1
Host is up (0.0040s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
……
37443/tcp open  unknown
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1664.88 seconds		// much faster with -T4

nmap -iL ip (same as listing the targets on the command line)

[root@rhel tmp]# cat ip
192.168.3.1/26
192.168.3.94
[root@rhel tmp]# nmap -iL ip
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 09:20 CST
Nmap scan report for 192.168.3.1
Host is up (0.0035s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap scan report for 192.168.3.94
Host is up (0.00028s latency).
Not shown: 992 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
3389/tcp open  ms-wbt-server
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap done: 65 IP addresses (2 hosts up) scanned in 200.46 seconds

-------------------------- separate IP addresses --------------
[root@rhel tmp]# nmap -sP 192.168.3.1 192.168.3.94
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 10:36 CST
Nmap scan report for 192.168.3.1
Host is up (0.0050s latency).
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
Nmap scan report for 192.168.3.94
Host is up (0.00026s latency).
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.29 seconds

-------------------------- comma-separated values in one octet --------------
[root@rhel tmp]# nmap -sP 192.168.3.1,94
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 10:37 CST
Nmap scan report for 192.168.3.1
Host is up (0.023s latency).
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
Nmap scan report for 192.168.3.94
Host is up (0.00021s latency).
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)
Nmap done: 2 IP addresses (2 hosts up) scanned in 0.29 seconds

-------------------------- a consecutive range with - --------------
[root@rhel tmp]# nmap -sP 192.168.3.1-5
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 10:38 CST
Nmap scan report for 192.168.3.1
Host is up (0.0040s latency).
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
Nmap done: 5 IP addresses (1 host up) scanned in 0.39 seconds

-------------------------- excluding addresses with --exclude --------------
[root@rhel tmp]# nmap -sP 192.168.3.0/25 --exclude 192.168.3.10-60
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 10:59 CST
Nmap scan report for 192.168.3.1
Host is up (0.0044s latency).
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
Nmap scan report for 192.168.3.74
Host is up (0.100s latency).
MAC Address: 5C:87:9C:F8:8E:00 (Unknown)
Nmap scan report for 192.168.3.94
Host is up (0.00019s latency).
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)
Nmap done: 77 IP addresses (3 hosts up) scanned in 0.96 seconds
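The "Nmap done: N IP addresses" lines above are a cheap way to check that a target specification means what you think before a long scan. The following added example (my own code, not from this post or from nmap) expands nmap-style target specs offline: CIDR blocks (a /26 written with a host address covers the whole block, as nmap does), per-octet ranges and comma lists, an -iL style file, and --exclude. Two details are assumptions of this helper rather than documented nmap behaviour: duplicate addresses across specs are collapsed, and '#' starts a comment in the target file.

```python
"""Expand nmap-style target specifications offline.

Added example (my own code, not from the original post or from nmap). The
constructed inputs reproduce the address counts nmap printed above.
"""
import ipaddress
import itertools
from typing import Iterable, List, Set


def _expand_octet(part: str) -> List[int]:
    """Expand one dotted-quad component: '5', '1,94', '1-5', '0-255' or '*'."""
    if part == "*":
        return list(range(256))
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo_i = int(lo) if lo else 0      # nmap allows '-5' (0-5) and '250-' (250-255)
            hi_i = int(hi) if hi else 255
            values.extend(range(lo_i, hi_i + 1))
        else:
            values.append(int(piece))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {part!r}")
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one target spec (CIDR, octet ranges, comma lists) to IPv4 address strings."""
    if "/" in spec:
        # 192.168.3.1/26 means the whole /26 containing .1, exactly as nmap treats it
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    octets = [_expand_octet(p) for p in parts]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def read_target_file(text: str) -> List[str]:
    """Parse an -iL style file: specs separated by whitespace or newlines.

    '#' comments are an assumption of this helper, not a documented nmap feature.
    """
    specs: List[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def build_target_list(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every spec, drop anything matched by --exclude, keep first-seen order.

    Deduplication across specs is an assumption of this helper.
    """
    excluded: Set[str] = set()
    for ex in exclude:
        excluded.update(expand_target(ex))
    seen: Set[str] = set()
    result: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)
                result.append(addr)
    return result


if __name__ == "__main__":
    # Constructed copy of the 'ip' file used with -iL above.
    ip_file = "192.168.3.1/26\n192.168.3.94\n"
    print(len(build_target_list(read_target_file(ip_file))))                            # 65
    print(len(build_target_list(["192.168.3.0/25"], exclude=["192.168.3.10-60"])))      # 77
    print(build_target_list(["192.168.3.1,94"]))
```

Running it against the specs from this section gives the same counts nmap reported: 128 for the /25, 65 for the -iL file (the 64-address /26 plus one host), 5 for 192.168.3.1-5 and 77 for the /25 minus the 51 excluded addresses.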


nmap -Pn -sU 192.168.3.1

[root@rhel yum.repos.d]# nmap -Pn -sU 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 10:01 CST
Nmap scan report for 192.168.3.1
Host is up (0.0024s latency).
Not shown: 997 closed ports
PORT   STATE         SERVICE
53/udp open|filtered domain		// no reply: DNS is probably listening, but nmap cannot rule out a filter
67/udp open|filtered dhcps		// DHCP server
68/udp open|filtered dhcpc		// DHCP client
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1087.90 seconds		// UDP scans are slow: 1000 ports took about 18 minutes

nmap -F 192.168.3.1

[root@rhel tmp]# nmap -F 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 11:14 CST
Nmap scan report for 192.168.3.1
Host is up (0.0058s latency).
Not shown: 97 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds

-------------
[root@rhel tmp]# nmap -F -sU 192.168.3.1
Not shown: 97 closed ports
PORT   STATE         SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 107.72 seconds

nmap -sN 192.168.3.94

[root@rhel ~]# nmap -sN 192.168.3.94
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 11:39 CST
Nmap scan report for 192.168.3.94
Host is up (0.00026s latency).
All 1000 scanned ports on 192.168.3.94 are open|filtered		// nothing answered the Null probes, so the scan cannot tell open ports from firewall drops here
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap done: 1 IP address (1 host up) scanned in 21.90 seconds

A probe captured during the scan (no TCP flags set):
192.168.3.143	192.168.3.94	TCP	54B	44386 → 5101 [<None>] Seq=1 Win=1024 Len=0

Flags: 0x000 (<None>)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 0... .... = Congestion Window Reduced (CWR): Not set
    .... .0.. .... = ECN-Echo: Not set
    .... ..0. .... = Urgent: Not set
    .... ...0 .... = Acknowledgment: Not set
    .... .... 0... = Push: Not set
    .... .... .0.. = Reset: Not set
    .... .... ..0. = Syn: Not set
    .... .... ...0 = Fin: Not set
    [TCP Flags: ············]

nmap -T4 192.168.3.94

[root@rhel ~]# nmap -T4 192.168.3.94
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 11:48 CST
Nmap scan report for 192.168.3.94
Host is up (0.00027s latency).
Not shown: 991 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1801/tcp open  msmq
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  msmq-mgmt
3389/tcp open  ms-wbt-server
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

---------------------------------

[root@rhel ~]# nmap 192.168.3.94
Not shown: 991 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
……

Nmap done: 1 IP address (1 host up) scanned in 15.08 seconds

----------------------

nmap --min-rate 10000 192.168.3.1

[root@rhel ~]# nmap --min-rate 10000 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-08 08:46 CST
Nmap scan report for 192.168.3.1
Host is up (0.0063s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds		// fast

nmap -v -Pn -F 192.168.3.94

[root@rhel tmp]# nmap -v -Pn -F 192.168.3.94
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 12:34 CST
Initiating ARP Ping Scan at 12:34
Scanning 192.168.3.94 [1 port]
Completed ARP Ping Scan at 12:34, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:34
Completed Parallel DNS resolution of 1 host. at 12:34, 0.02s elapsed
Initiating SYN Stealth Scan at 12:34
Scanning 192.168.3.94 [100 ports]
Discovered open port 21/tcp on 192.168.3.94
Discovered open port 3389/tcp on 192.168.3.94
Discovered open port 445/tcp on 192.168.3.94
Discovered open port 135/tcp on 192.168.3.94
Discovered open port 139/tcp on 192.168.3.94
Completed SYN Stealth Scan at 12:34, 6.12s elapsed (100 total ports)
Nmap scan report for 192.168.3.94
Host is up (0.00026s latency).
Not shown: 95 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
MAC Address: 0C:84:DC:34:8D:4C (Hon Hai Precision Ind.)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds
           Raw packets sent: 295 (12.964KB) | Rcvd: 10 (424B)

nmap -O 192.168.3.1

[root@rhel ~]# nmap -O 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 12:52 CST
Nmap scan report for 192.168.3.1
Host is up (0.0072s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/5%OT=53%CT=1%CU=41802%PV=Y%DS=1%DC=D%G=Y%M=F4A59D%TM
OS:=6404202A%P=x86_64-redhat-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=I%T
OS:S=U)OPS(O1=M5B4NNSNW4%O2=M5B4NNSNW4%O3=M5B4NW4%O4=M5B4NNSNW4%O5=M5B4NNSN
OS:W4%O6=M5B4NNS)WIN(W1=7210%W2=7210%W3=7210%W4=7210%W5=7210%W6=7210)ECN(R=
OS:Y%DF=Y%T=40%W=7210%O=M5B4NNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.52 seconds

------------------------------
[root@rhel ~]# nmap -O 192.168.3.209	// scanning my phone
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 12:55 CST
Nmap scan report for 192.168.3.209
Host is up (0.012s latency).
All 1000 scanned ports on 192.168.3.209 are closed
MAC Address: 00:AD:D5:1B:51:7B (Unknown)
Device type: remote management|phone|general purpose|webcam|storage-misc
Running: Avocent embedded, Google Android 2.X, Linux 2.6.X, AXIS embedded, ZyXEL embedded	// nmap guesses it may be an Android phone
OS CPE: cpe:/o:google:android:2.2 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.17 cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera cpe:/h:zyxel:nsa-210
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds


nmap -A 192.168.3.1

[root@rhel ~]# nmap -A 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 12:46 CST
Nmap scan report for 192.168.3.1
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE    VERSION
53/tcp  open  tcpwrapped
80/tcp  open  http
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|     HTTP/1.1 405
|     Content-Length: 0
|     FourOhFourRequest, GetRequest:
|     HTTP/1.1 404
|     Content-Type: text/plain
|     X-Download-Options: noopen
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
|     X-Content-Type-Options: nosniff
|_    Content-Length: 0
|_http-title: Success
443/tcp open  ssl/https
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe, tor-versions:
|     HTTP/1.1 405
|     Content-Length: 0
|     FourOhFourRequest, GetRequest:
|     HTTP/1.1 404
|     Content-Type: text/plain
|     X-Download-Options: noopen
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 1; mode=block
|     Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
|     X-Content-Type-Options: nosniff
|     Strict-Transport-Security: max-age=31536000
|_    Content-Length: 0
|_http-title: Success
| ssl-cert: Subject: commonName=mediarouter.home/organizationName=Huawei Technologies Co., Ltd/stateOrProvinceName=Hubei/countryName=CN
| Not valid before: 2019-04-19T03:33:29
|_Not valid after:  2044-04-12T03:33:29
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.70%I=7%D=3/5%Time=64041ECE%P=x86_64-redhat-linux-gnu%r(G
SF:etRequest,104,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/plain\r\nX
SF:-Download-Options:\x20noopen\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-XSS
SF:-Protection:\x201;\x20mode=block\r\nContent-Security-Policy:\x20default
SF:-src\x20'self'\x20'unsafe-inline'\x20'unsafe-eval'\r\nX-Content-Type-Op
SF:tions:\x20nosniff\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,24,"H
SF:TTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,24,
SF:"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(X11Probe,24,"
SF:HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequ
SF:est,104,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/plain\r\nX-Downl
SF:oad-Options:\x20noopen\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-XSS-Prote
SF:ction:\x201;\x20mode=block\r\nContent-Security-Policy:\x20default-src\x
SF:20'self'\x20'unsafe-inline'\x20'unsafe-eval'\r\nX-Content-Type-Options:
SF:\x20nosniff\r\nContent-Length:\x200\r\n\r\n")%r(GenericLines,24,"HTTP/1
SF:\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(RPCCheck,24,"HTTP/1\
SF:.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(DNSVersionBindReqTCP,
SF:24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(DNSStatusR
SF:equestTCP,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(
SF:Help,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(SSLSe
SF:ssionReq,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(T
SF:LSSessionReq,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")
SF:%r(Kerberos,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%
SF:r(SMBProgNeg,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")
SF:%r(LPDString,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r\n")
SF:%r(LDAPSearchReq,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n\r
SF:\n")%r(LDAPBindReq,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\n
SF:\r\n")%r(SIPOptions,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\
SF:n\r\n")%r(LANDesk-RC,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r
SF:\n\r\n")%r(TerminalServer,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x
SF:200\r\n\r\n")%r(NCP,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x200\r\
SF:n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7.70%T=SSL%I=7%D=3/5%Time=64041ED3%P=x86_64-redhat-linux-
SF:gnu%r(GetRequest,131,"HTTP/1\.1\x20404\x20\r\nContent-Type:\x20text/pla
SF:in\r\nX-Download-Options:\x20noopen\r\nX-Frame-Options:\x20SAMEORIGIN\r
SF:\nX-XSS-Protection:\x201;\x20mode=block\r\nContent-Security-Policy:\x20
SF:default-src\x20'self'\x20'unsafe-inline'\x20'unsafe-eval'\r\nX-Content-
SF:Type-Options:\x20nosniff\r\nStrict-Transport-Security:\x20max-age=31536
SF:000\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,24,"HTTP/1\.1\x2040
SF:5\x20\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,131,"HTTP/1
SF:\.1\x20404\x20\r\nContent-Type:\x20text/plain\r\nX-Download-Options:\x2
SF:0noopen\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX-XSS-Protection:\x201;\x2
SF:0mode=block\r\nContent-Security-Policy:\x20default-src\x20'self'\x20'un
SF:safe-inline'\x20'unsafe-eval'\r\nX-Content-Type-Options:\x20nosniff\r\n
SF:Strict-Transport-Security:\x20max-age=31536000\r\nContent-Length:\x200\
SF:r\n\r\n")%r(tor-versions,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:\x2
SF:00\r\n\r\n")%r(GenericLines,24,"HTTP/1\.1\x20405\x20\r\nContent-Length:
SF:\x200\r\n\r\n")%r(RTSPRequest,24,"HTTP/1\.1\x20405\x20\r\nContent-Lengt
SF:h:\x200\r\n\r\n")%r(RPCCheck,24,"HTTP/1\.1\x20405\x20\r\nContent-Length
SF::\x200\r\n\r\n")%r(DNSVersionBindReqTCP,24,"HTTP/1\.1\x20405\x20\r\nCon
SF:tent-Length:\x200\r\n\r\n")%r(DNSStatusRequestTCP,24,"HTTP/1\.1\x20405\
SF:x20\r\nContent-Length:\x200\r\n\r\n")%r(Help,24,"HTTP/1\.1\x20405\x20\r
SF:\nContent-Length:\x200\r\n\r\n")%r(SSLSessionReq,24,"HTTP/1\.1\x20405\x
SF:20\r\nContent-Length:\x200\r\n\r\n")%r(TLSSessionReq,24,"HTTP/1\.1\x204
SF:05\x20\r\nContent-Length:\x200\r\n\r\n")%r(Kerberos,24,"HTTP/1\.1\x2040
SF:5\x20\r\nContent-Length:\x200\r\n\r\n")%r(SMBProgNeg,24,"HTTP/1\.1\x204
SF:05\x20\r\nContent-Length:\x200\r\n\r\n")%r(X11Probe,24,"HTTP/1\.1\x2040
SF:5\x20\r\nContent-Length:\x200\r\n\r\n")%r(LPDString,24,"HTTP/1\.1\x2040
SF:5\x20\r\nContent-Length:\x200\r\n\r\n")%r(LDAPSearchReq,24,"HTTP/1\.1\x
SF:20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(LDAPBindReq,24,"HTTP/1\.1
SF:\x20405\x20\r\nContent-Length:\x200\r\n\r\n")%r(SIPOptions,24,"HTTP/1\.
SF:1\x20405\x20\r\nContent-Length:\x200\r\n\r\n");
MAC Address: F4:A5:9D:6B:87:AA (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=3/5%OT=80%CT=1%CU=42957%PV=Y%DS=1%DC=D%G=Y%M=F4A59D%TM
OS:=64041EF7%P=x86_64-redhat-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=I%T
OS:S=U)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=RD%II=I%TS=U)OPS(O1=M5B4NNSNW4%O2=M
OS:5B4NNSNW4%O3=M5B4NW4%O4=M5B4NNSNW4%O5=M5B4NNSNW4%O6=M5B4NNS)WIN(W1=7210%
OS:W2=7210%W3=7210%W4=7210%W5=7210%W6=7210)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4N
OS:NSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=
OS:Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=A
OS:R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=
OS:G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   3.27 ms 192.168.3.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.84 seconds

nmap --script "default or safe" 192.168.3.1

[root@rhel ~]# nmap --script "default or safe" 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-05 13:31 CST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.3.217
|     Server Identifier: 192.168.3.1
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.3.1
|_    Domain Name Server: 192.168.3.1
| broadcast-listener:
|   ether
|       ARP Request
|         sender ip      sender mac         target ip
|         192.168.3.145  00:0C:29:86:AC:89  192.168.3.1
|   udp
|       DHCP
|         srv ip       cli ip         mask           gw           dns          vendor
|         192.168.3.1  192.168.3.217  255.255.255.0  192.168.3.1  192.168.3.1  -
|         192.168.3.1  192.168.3.218  255.255.255.0  192.168.3.1  192.168.3.1  -
|       MDNS
|         Generic
|           ip             ipv6  name
|           192.168.3.212        _services._dns-sd._udp.local
|       SSDP
|         ip            uri
|_        192.168.3.74   urn:dial-multiscreen-org:service:dial:1
| broadcast-ping:
|   IP: 192.168.3.212  MAC: a6:19:9f:6b:98:f2
|_  Use --script-args=newtargets to add the results as targets
|_eap-info: please specify an interface with -e
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
Nmap scan report for 192.168.3.1
Host is up (0.0057s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.3.1
|
|     Path: http://192.168.3.1:80/
|     Line number: 5
|     Comment:
|         <!-- fake for iphone internet detect -->
|
|     Path: http://192.168.3.1:80/
|     Line number: 6
|     Comment:
|_        <!-- <HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML> -->
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-headers:
|   Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|   Pragma: no-cache
|   Content-Type: text/html
|   X-Download-Options: noopen
|   X-Frame-Options: SAMEORIGIN
|   X-XSS-Protection: 1; mode=block
|   Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
|   X-Content-Type-Options: nosniff
|   Date: Sun, 05 Mar 2023 05:33:34 GMT
|   Connection: Keep-Alive
|   Content-Length: 5053
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-security-headers:
|_http-title: Success
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
| http-useragent-tester:
|   Status for browser useragent: 200
|   Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-xssed: No previously reported XSS vuln.
443/tcp open  https
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.3.1
|
|     Path: https://192.168.3.1:443/
|     Line number: 5
|     Comment:
|         <!-- fake for iphone internet detect -->
|
|     Path: https://192.168.3.1:443/
|     Line number: 6
|     Comment:
|_        <!-- <HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML> -->
|_http-fetch: Please enter the complete path of the directory to save data in.
| http-headers:
|   Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|   Pragma: no-cache
|   Content-Type: text/html
|   X-Download-Options: noopen
|   X-Frame-Options: SAMEORIGIN
|   X-XSS-Protection: 1; mode=block
|   Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
|   X-Content-Type-Options: nosniff
|   Strict-Transport-Security: max-age=31536000
|   Date: Sun, 05 Mar 2023 05:33:35 GMT
|   Connection: Keep-Alive
|   Content-Length: 5053
|
|_  (Request type: GET)
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
| http-security-headers:
|   Strict_Transport_Security:
|_    HSTS not configured in HTTPS Server
|_http-title: Success
| http-useragent-tester:
|   Status for browser useragent: 200
|   Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|_    WWW-Mechanize/1.34
|_http-xssed: No previously reported XSS vuln.
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| ssl-cert: Subject: commonName=mediarouter.home/organizationName=Huawei Technologies Co., Ltd/stateOrProvinceName=Hubei/countryName=CN
| Not valid before: 2019-04-19T03:33:29
|_Not valid after:  2044-04-12T03:33:29
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Host script results:
| dns-blacklist:
|   SPAM
|_    l2.apews.org - FAIL
|_fcrdns: FAIL (No PTR record)
|_ipidseq: All zeros
|_path-mtu: PMTU == 1500
| qscan:
| PORT  FAMILY  MEAN (us)  STDDEV   LOSS (%)
| 1     0       3540.89    2324.91  10.0%
| 53    0       4914.20    5168.15  0.0%
| 80    0       3131.40    1146.52  50.0%
|_443   0       3728.25    2188.45  60.0%
| unusual-port:
|_  WARNING: this script depends on Nmap's service/version detection (-sV)

Post-scan script results:
| reverse-index:
|   53/tcp: 192.168.3.1
|   80/tcp: 192.168.3.1
|_  443/tcp: 192.168.3.1
Nmap done: 1 IP address (1 host up) scanned in 159.68 seconds

nmap --scanflags ack --scanflags fin --scanflags syn 192.168.3.1

[root@rhel ~]# nmap --scanflags ack --scanflags fin --scanflags syn 192.168.3.1	// with a repeated --scanflags only the last value (syn) takes effect
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-08 08:41 CST
Nmap scan report for 192.168.3.1
Host is up (0.0034s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.66 seconds

1872	4.394532	192.168.3.143	192.168.3.1	TCP	58	65007 → 20 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
1873	4.394628	192.168.3.143	192.168.3.1	TCP	58	65007 → 1026 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
1874	4.394768	192.168.3.143	192.168.3.1	TCP	58	65007 → 32770 [SYN] Seq=0 Win=1024 Len=0 MSS=1460

All of the probes are plain SYN packets: the ack and fin values were overwritten by the last --scanflags. To set several flags at once, pass them in one argument, e.g. --scanflags ACKFINSYN.
man nmap examples:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
nmap -Pn -sS -p 80 -iR 0 --open
nmap --script "http-*"
nmap --script "not intrusive"
nmap --script "default or safe"
nmap --script "default and safe"
nmap -sS -O scanme.nmap.org/24
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
nmap -v -iR 100000 -Pn -p 80
nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

nmap -sX 192.168.3.1

[root@rhel ~]# nmap -sX 192.168.3.1
Starting Nmap 7.70 ( https://nmap.org ) at 2023-03-09 12:56 CST
Nmap scan report for 192.168.3.1
Host is up (0.0053s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
53/tcp  open|filtered domain	// the open ports send no RST, so nmap reports open|filtered: either open or filtered by a firewall
80/tcp  open|filtered http
443/tcp open|filtered https
MAC Address: F4:A5:9D:6B:87:AA (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 101.67 seconds

extends

Full scan (-sT)

  • Generates a lot of audit data on the target (every connection is completed and can be logged by the application), so it is easily noticed.

  • Process

    1. the client sends SYN;
    2. the server replies SYN/ACK if the port is open, or RST/ACK if it is closed;
    3. on SYN/ACK the client sends ACK and the connection is established; on RST/ACK nothing more is sent and the client knows the port is closed;
    4. the client then closes the connection.

Half-open scan (-sS)

  • Stealthier and reliable: the connection is never completed, so many applications never see or log it.
  • Process
    1. the client sends SYN;
    2. the server replies SYN/ACK if the port is open, or RST/ACK if it is closed;
    3. the client sends RST to tear the half-open connection down.

Stealth scans

  • -sN/-sF/-sX: TCP Null, FIN and Xmas scans. They can slip past simple stateless packet filters and some older intrusion detection systems, but the probes are often dropped in transit, which produces wrong results.
  • Principle (RFC 793)
    1. a FIN arriving at a closed port is discarded and a RST is returned;
    2. a FIN arriving at an open port is discarded and no RST is returned.
    Windows and many network devices reply RST in both cases, so against them every port shows as closed.
  • Variants
    1. Xmas
      • nmap's -sX sets FIN, PSH and URG (the packet is "lit up like a Christmas tree"; it does not set all six flags);
      • process: the client sends the Xmas probe; no reply means open (or filtered), a RST from the server means closed.
    2. Null
      • no flags set at all; the client sends the Null probe; no reply means open (or filtered), a RST from the server means closed.
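The scan types in the options table and the rules in this section can be written down as a small model. The following added example (my own code, not from this post or from nmap) names the bits of the TCP flags field the way --scanflags does, records which bits each probe type carries, and turns a reply (SYN/ACK, RST, ICMP unreachable or silence) into the state nmap reports for that scan type. It also models the command-line behaviour seen above, where a repeated --scanflags keeps only the last value. The ECE and CWR names are included only so every bit in the Wireshark breakdown has a name; the six flags nmap documents for --scanflags are URG, ACK, PSH, RST, SYN and FIN.

```python
"""TCP flag bits as --scanflags names them, and nmap's reply-to-state rules per scan type.

Added example: my own code, not from the original post or from nmap.
"""
from typing import Dict, List, Optional

# Low byte of the TCP flags field, matching the Wireshark breakdown above
# (0x000 = Null scan). ECE/CWR are listed only to name every bit.
TCP_FLAGS: Dict[str, int] = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def parse_scanflags(spec: str) -> int:
    """Parse one --scanflags value: concatenated names (URGACKPSHRSTSYNFIN) or a number."""
    spec = spec.strip()
    if spec.isdigit() or spec.lower().startswith("0x"):
        return int(spec, 0) & 0xFF
    value, rest = 0, spec.upper()
    while rest:
        for name, bit in TCP_FLAGS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown flag name in --scanflags {spec!r}: {rest!r}")
    return value


def effective_scanflags(argv: List[str]) -> Optional[int]:
    """Flags nmap would actually use: the option may be repeated, and the last value wins."""
    value = None
    for i, arg in enumerate(argv):
        if arg == "--scanflags" and i + 1 < len(argv):
            value = parse_scanflags(argv[i + 1])
        elif arg.startswith("--scanflags="):
            value = parse_scanflags(arg.split("=", 1)[1])
    return value


# Flags carried by each scan type's probe (from the options table).
PROBE_FLAGS: Dict[str, int] = {
    "-sS": parse_scanflags("SYN"),
    "-sN": 0,
    "-sF": parse_scanflags("FIN"),
    "-sX": parse_scanflags("FINPSHURG"),
    "-sM": parse_scanflags("FINACK"),
    "-sA": parse_scanflags("ACK"),
    "-sW": parse_scanflags("ACK"),
}


def classify(scan: str, reply: Optional[str], window: int = 0) -> str:
    """Map a reply to the port state nmap reports for the given scan type.

    reply: 'SYNACK', 'RST', 'ICMP_UNREACH' (type 3, code 1/2/3/9/10/13), or None
    when nothing came back after retransmission. window is the TCP window of a
    RST and is only consulted by -sW.
    """
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan}")
    if reply == "ICMP_UNREACH":
        return "filtered"
    if scan == "-sS":
        return {"SYNACK": "open", "RST": "closed"}.get(reply, "filtered")
    if scan in ("-sN", "-sF", "-sX", "-sM"):
        # RFC 793: closed ports answer RST, open ports stay silent. Windows and
        # many network devices answer RST either way and therefore show all-closed.
        return "closed" if reply == "RST" else "open|filtered"
    if scan == "-sA":
        return "unfiltered" if reply == "RST" else "filtered"
    # -sW: same probe as -sA, but a RST with a non-zero window marks the port open
    if reply == "RST":
        return "open" if window > 0 else "closed"
    return "filtered"


if __name__ == "__main__":
    print(hex(parse_scanflags("ACKFINSYN")))
    print(effective_scanflags(["--scanflags", "ack", "--scanflags", "fin", "--scanflags", "syn"]))
    print(classify("-sN", None))   # the all-1000-ports result against 192.168.3.94 above
    print(classify("-sX", "RST"))  # a closed port in the -sX example above
```

Two results from the outputs above fall straight out of the model: the Null scan of 192.168.3.94 (no replies at all) maps every port to open|filtered, and the three SYN probes in the --scanflags capture are what you get when effective_scanflags sees "syn" last.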
references

  1. man nmap / nmap --help

  2. https://www.cnblogs.com/nmap/p/6232207.html

  3. https://www.cnblogs.com/st-leslie/p/5115280.html

posted @ 2023-03-05 14:17  wefjack