個(gè)中要害的信息是端口的掃描,顯示的是該端口對應(yīng)的協(xié)議、處事名稱和狀態(tài),雖然nmap掃描也受到一些防火墻的限制,使nmap無法確切的判定處事的開啟與否,可是這個(gè)nmap確實(shí)很好用的,尤其是系統(tǒng)打點(diǎn)員來說!
常用的掃描范例:
1、-sP(ping的方法掃描,查抄主機(jī)在線與否,不發(fā)送任何報(bào)文到目標(biāo)主機(jī),想知道方針主機(jī)是否運(yùn)行,而不想舉辦其它掃描,這掃描方法很常用)
2、-sL(僅僅列網(wǎng)段內(nèi)出主機(jī)的狀態(tài)、端口等信息,查詢端口的話用 -p port,port1......)
3、 -PS/PA/PU [portlist](按照給定的端口用TCP或UDP報(bào)文探測:對付root用戶,這個(gè)選項(xiàng)讓nmap利用SYN包而不是ACK包來對方針主機(jī)舉辦掃描。假如主機(jī)正在運(yùn)行就返回一個(gè)RST包(可能一個(gè)SYNACK包))
4、-sS(TCP同步掃描(TCP SYN):發(fā)出一個(gè)TCP同步包(SYN),然后期待回對方應(yīng))
5、 -sF -sF -sN(奧秘FIN數(shù)據(jù)包掃描、圣誕樹 (Xmas Tree)、空(Null)掃描模式利用-sF、-sX可能-sN掃描顯示所有的端口都是封鎖的,而利用SYN掃 描顯示有打開的端口,你可以確定方針主機(jī)大概運(yùn)行的是Windwos系統(tǒng))
6、-sU(UDP掃描:nmap首先向方針主機(jī)的每個(gè)端口發(fā)出一個(gè)0字節(jié)的UDP包,假如我們收到端口不行達(dá)的ICMP動(dòng)靜,端口就是封鎖的,不然我們就假設(shè)它是打開的)
7、-P0 (No ping)(這個(gè)選項(xiàng)跳過Nmap掃描)
8、-PE/PP/PM
掃描范例的節(jié)制
1、sW (對滑動(dòng)窗口的掃描)
2、-sR(RPC掃描)
3、 -PE; -PP; -PM (ICMP 范例的ping)
4、-PR (ARP 范例的ping-n (無 DNS 理會)
5、-R (為所有的方針做DNS理會)
6、-sV(對處事版本的檢測)
常用的對主機(jī)的操縱
1、-A可能-O(對操縱系統(tǒng)的檢測)
2、-v(增加信息的詳盡水平)
3、-p(ports的范疇)
一個(gè)掃描的實(shí)例
[[email protected] ~]# nmap -sP 59.69.131.0/24(查抄這個(gè)網(wǎng)段的主機(jī)哪個(gè)在線,下邊是部門截取)
Host 59.69.131.250 appears to be up.(這個(gè)主機(jī)在線)
Host 59.69.131.251 appears to be up.
Host 59.69.131.252 seems to be a subnet broadcast address (returned
1 extra pings). Note -- the actual IP also
responded.(這個(gè)很大概用于一個(gè)子網(wǎng)的最后一個(gè)ip地點(diǎn):用于廣播(broadcast),所以還可以以此來推算子網(wǎng)掩碼)
Host 59.69.131.253 appears to be up.
Host 59.69.131.254 appears to be up.
Host 59.69.131.255 appears to be up.
Nmap finished: 256 IP addresses (56 hosts up) scanned in 82.089
seconds
[[email protected] ~]# nmap -O 59.69.131.255(檢測這個(gè)主機(jī)的操縱系統(tǒng)范例和開放的端口)
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at
2011-03-12 06:19 CST
Warning: OS detection will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
Interesting ports on 59.69.131.255:
Not shown: 1665 closed ports
PORT STATE SERVICE
113/tcp filtered auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
389/tcp filtered ldap
445/tcp filtered microsoft-ds
539/tcp filtered apertus-ldp
593/tcp filtered http-rpc-epmap
1023/tcp filtered netvenuechat
1025/tcp filtered NFS-or-IIS
1068/tcp filtered instl_bootc
1720/tcp filtered H.323/Q.931
4444/tcp filtered krb524
6667/tcp filtered irc
Too many fingerprints match this host to give specific OS
details
Nmap finished: 1 IP address (1 host up) scanned in 29.099 seconds
這個(gè)實(shí)現(xiàn)的成果太多了臨時(shí)沒發(fā)明操縱系統(tǒng)簡直切范例(換一個(gè)ip會有差異的功效哦)
最后總結(jié)下常用的nmap參數(shù)
1、nmap -sP 59.69.139.0/24(掃描在線的主機(jī))
2、nmap -sS 59.69.139-10 -p
80,22,23,52-300(SYN的掃描方法,可以加ip和端口的限制)
3、nmap -sV 59.69.139.1 -p1-65535(探測端口的處事和版本(Version) )
4、nmap -O 192.168.1.1可能nmap -A 192.168.1.1(探測操縱系統(tǒng)的范例和版本)
以上是常用的操縱,更詳盡的可以找漢子(man)啦!
