Jex’s Note

Nmap 指令

介紹

有時候你想知道該網域下有哪些 ip 正在使用或有哪些 port 是開放的, 就可以使用 nmap 來檢查

安裝

ubuntu :

sudo apt-get install nmap

使用

假如已經有確定的 port 想知道是否開放可直接用 telnet nc

telnet xxx.oo 8010

$ nc -zv test-db.c6c8mn7tsdgv0.us-west-2.rds.amazonaws.com 3306
Connection to test-db.c6c8mn7tsdgv0.us-west-2.rds.amazonaws.com 3306 port [tcp/mysql] succeeded!
  • -z: Specifies that nc should just scan for listening daemons, without sending any data to them. It is an error to use this option in conjunction with the -l option.
  • -v: Have nc give more verbose output.

-sP 掃網段下有使用的 ip

nmap -sP 192.168.1.0/24

or

nmap -sP 192.168.1.1-254

-sT : TCP connect 掃描(Port Scanning)

這是對 TCP 的最基本形式的偵測,直接連到目標主機進行埠掃描並完成一個完整的三次交握過程 (SYN, SYN/ACK, ACK),但因為服務器接受了一個連接但它卻馬上斷開,於是其記錄會顯示出一連串的連接及錯誤資訊很容易被目標主電腦察覺並記錄下來,因此缺點是容易被目標系統檢測到。

$ nmap -sT 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:12 CST
Nmap scan report for 10.0.2.15
Host is up (0.00024s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2222/tcp open  EtherNet/IP-1

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

-sU : UDP掃描 (UDP Scanning)

可用來確定遠端主機開放哪些 UDP Port 原理為送出零位元組的 UDP 封包到目標主機的各連接埠,如果我們收到一個 ICMP port unreachable 無法到達的回應則可確定連接埠是關閉的,否則我們可認為該埠是打開的。

$ sudo nmap -sU 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:24 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

-sS : TCP SYN(半公開)掃描

這種掃描技術也叫半公開式掃描 (half-open scanning),因為它沒有完成一個完整的 TCP 連接三次交握過程。此方法為向目標 Port 發送一個 SYN 封包,如果目標 Port 回應 SYN / ACK 封包則表示該 Port 處於打開狀態;若回應的是 RST / ACK 封包則表示該 Port 為關閉狀態。這種掃描方法比 TCP Connect Scan 更具隱蔽性,只有極少數的網站會對它作出記錄因此比較不會在目標系統中留下掃描痕跡。

sudo nmap -sS 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:16 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000060s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2222/tcp open  EtherNet/IP-1

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

-sF -sX -sN : Stealth FIN、Xmas Tree或 NULL秘密掃描(Stealth Scanning)

一些防火墻及 Packet 過濾裝置會在重要連接 Port 守護,半公開的 SYN 封包掃描會在此時會被截獲因此要有更秘密的進行掃描;而 FIN、Xmas、NULL 掃描方法則是關閉的連接埠會對你送出的探測資訊包返回一個 RST,而打開的連接埠則對其忽略不理可參考 [RFC793],其中 FIN 掃瞄使用空的 FIN 資訊包作為探針、Xmas tree 使用 FIN、URG、PUSH 標記、Null 掃描則不用任何標記,但微軟不支援此一標準,所以 -sF,-sX,-sN 的掃瞄顯示所有連接埠都是關閉的但一個 SYN(-sS) 掃瞄卻顯示有打開連接埠,那你就能大致推斷它是 WINDOWS 平台。

$ sudo nmap -sF 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:19 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000060s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
80/tcp   open|filtered http
139/tcp  open|filtered netbios-ssn
445/tcp  open|filtered microsoft-ds
2222/tcp open|filtered EtherNet/IP-1

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

-sF -sX -sN 三個指令的結果一樣

-sP ICMP 掃描 (Ping Sweeping)

若僅想了解網路上有哪些主電腦是開放的,你可對你指定的IP地址送出一個 ICMP 的 Echo Request 封包來偵測。但有些站台會把 ICMP 的 Echo Request 封包給關掉 (例如Microsoft.com)。在這種情況下可利用發送 TCP Ping 送一個 ACK 到目標網路上的每個主機。網路上的主機如果在線,則會返回一個 TCP RST 響應。使用帶有 Ping 掃描的 TCP Ping 選項,也就是 -PT 選項可以對網絡上指定 Port 進行掃描,它將可能通過目標邊界路由器甚至是防火牆。注意,被探測的主機上的目標 Port 無須打開,關鍵取決於是否在網路上。

$ sudo nmap -sP 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:23 CST
Nmap scan report for 10.0.2.15
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

-sL : 列出子網路所有IP及對應的主機名稱

$ sudo nmap -sL 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:29 CST
Nmap scan report for 10.0.2.15
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds

-PS : 偵測遠端主機已開啟的通訊埠

$ sudo nmap -PS 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:34 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000060s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2222/tcp open  EtherNet/IP-1

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

-sT 結果一樣

-PU : 使用UDP協定 ping 遠端的主機

$ sudo nmap -PU 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:35 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000050s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2222/tcp open  EtherNet/IP-1

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

-sO : 偵測遠端主機已開啟哪些通訊協定 TCP,UDP,ICMP,…

$ sudo nmap -sO 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:36 CST
Nmap scan report for 10.0.2.15
Host is up (0.0000080s latency).
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
103      open|filtered pim
136      open|filtered udplite
255      open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds

-p80 : 指定 port 掃描是否開啟, ex: 80 port

80 port 是 open 的 :

    $ sudo nmap -p80 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:33 CST
Nmap scan report for 10.0.2.15
Host is up (0.00020s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

81 port 是 closed 的 :

$ sudo nmap -p81 10.0.2.15

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:33 CST
Nmap scan report for 10.0.2.15
Host is up (0.000048s latency).
PORT   STATE  SERVICE
81/tcp closed hosts2-ns

掃描網段內有開啟 80 port 的 IP

$ sudo nmap -p80 10.0.2.0/24

Starting Nmap 6.00 ( http://nmap.org ) at 2013-12-15 18:38 CST
Nmap scan report for 10.0.2.2
Host is up (0.00051s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 52:54:00:12:35:02 (QEMU Virtual NIC)

Nmap scan report for 10.0.2.3
Host is up (0.00074s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 52:54:00:12:35:03 (QEMU Virtual NIC)

Nmap scan report for 10.0.2.4
Host is up (0.00071s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 52:54:00:12:35:04 (QEMU Virtual NIC)

Nmap scan report for 10.0.2.15
Host is up (0.00027s latency).
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 256 IP addresses (4 hosts up) scanned in 10.09 seconds

掃網段指定 port

nmap comes with a nice output parameter -oG (grepable output) which makes parsing more easy.

Also it is not necessary to iterate through all IP addresses you want to scan. nmap is netmask aware.

nmap -p80 192.168.0.0/24 -oG - | grep 80/open

The -oG enables the grepable output, and - specifies the file to output to (in this case stdout). The pipe symbol redirects the output of nmap (stdout) to grep, which only returns lines containing 80/open in this case.

  • -oG filespec (grepable output) .
  • This output format is covered last because it is deprecated. The XML output format is
  • far more powerful, and is nearly as convenient for experienced users. XML is a standard
  • for which dozens of excellent parsers are available, while grepable output is my own
  • simple hack. XML is extensible to support new Nmap features as they are released, while
  • I often must omit those features from grepable output for lack of a place to put them.
  • (…略…)

ref: http://stackoverflow.com/questions/3773183/how-to-determine-which-ips-in-a-given-range-have-port-80-using-nmap 不自量力 http://idobest.pixnet.net/blog/post/22040775-%5B%E8%BD%89%E8%B2%BC%5D-linux-%E7%B6%B2%E8%B7%AF%E6%AA%A2%E6%B8%AC%E5%B7%A5%E5%85%B7-nmap-%E7%9A%84%E7%94%A8%E6%B3%95

Comments