The nmap command explained in detail

Last Updated: 2023-04-07 10:03:16 Friday


Nmap (Network Mapper) is the well-known network scanner: it offers every kind of scan and is a must-have for hackers. It is recommended to run nmap with sudo, because only then can nmap send raw packets and show its full capability.

$ sudo nmap [Scan Type...] [Options] <target specification> 

The Scan Type reflects nmap's main functional categories: Host Discovery, Port Scanning, Version Detection, Operating System Detection.

Output settings

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used.

When nmap runs for a long time it prints a progress line by itself at intervals; pressing Enter also prints the current progress.

-v, verbosity; it can be stacked as -vv or given a level as -v3

--open, only show open (or possibly open) ports

Target Specification

Nmap was designed to rapidly scan large networks, although it works fine against single hosts.

CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1. Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending in 13.37. This sort of broad sampling can be useful for Internet surveys and research.
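As an added example (not code from the original page or from nmap itself), the Python below expands the octet-range syntax described above into concrete addresses, applying the same defaults: an omitted left side means 0, an omitted right side means 255, and a bare - means 0-255. It handles only dotted-octet specs; CIDR notation and hostnames are outside its scope.

```python
"""Expand nmap-style octet-range target specifications into IPv4 addresses.

Added example, not part of the original page or of the nmap project. Only
the octet-range syntax (per-octet ranges and comma-separated lists) is
implemented; CIDR and hostnames are out of scope.
"""
from itertools import product


def _expand_octet(spec: str) -> list[int]:
    """Turn one octet spec such as '3-5,7', '-' or '10' into a sorted list of ints."""
    values: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            # An omitted side defaults to 0 (left) or 255 (right), as nmap does.
            lo_n = int(lo) if lo else 0
            hi_n = int(hi) if hi else 255
        else:
            lo_n = hi_n = int(part)
        if not (0 <= lo_n <= hi_n <= 255):
            raise ValueError(f"invalid octet spec: {part!r}")
        values.update(range(lo_n, hi_n + 1))
    return sorted(values)


def _octets(spec: str) -> list[str]:
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted octets")
    return octets


def expand_targets(spec: str) -> list[str]:
    """Return every IPv4 address matched by an nmap octet-range spec."""
    choices = [_expand_octet(o) for o in _octets(spec)]
    return [".".join(map(str, combo)) for combo in product(*choices)]


def count_targets(spec: str) -> int:
    """Size of the target set without materialising the addresses."""
    n = 1
    for o in _octets(spec):
        n *= len(_expand_octet(o))
    return n


if __name__ == "__main__":
    print(expand_targets("192.168.3-5,7.1"))
    print(count_targets("192.168.0-255.1-254"))
```

count_targets exists because a spec such as 0-255.0-255.13.37 is cheap to size but already 65536 addresses to list; checking the count before handing a spec to the scanner is a cheap guard against an accidental Internet-wide scan caused by a typo.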

-n, disable nmap's reverse DNS (rDNS) lookups on IP addresses.

-R, force rDNS lookups; by default nmap sometimes skips them.

Host Discovery

Host discovery is sometimes called ping scan, but it (nmap) goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. A plain ping check is not enough....

-sn, no port scan, only host discovery

Earlier nmap versions used the -sP option instead.

Each host is probed as follows:

Understanding the ICMP protocol

As soon as any reply comes back, the host is online!

$ sudo nmap -sn -n 114.215.183.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 16:46 CST
Nmap scan report for 114.215.183.12
Host is up (0.019s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

$ sudo nmap -sn -nv 114.215.183.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 16:46 CST
Initiating Ping Scan at 16:46
Scanning 114.215.183.12 [4 ports]
Completed Ping Scan at 16:46, 0.03s elapsed (1 total hosts)
Nmap scan report for 114.215.183.12
Host is up (0.016s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
           Raw packets sent: 4 (152B) | Rcvd: 1 (28B)

$ sudo nmap -sn -n -v3 192.222.9.0/20 | tee nmap.result
...

When -sn is used against the local network, nmap probes with ARP packets by default, which also yields the MAC address of every host that is up:

$ sudo nmap -sn -n 192.168.16.1-254
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 17:32 CST
Nmap scan report for 192.168.16.1
Host is up (0.00024s latency).
MAC Address: 48:7D:2E:C4:C8:81 (Tp-link Technologies)
Nmap scan report for 192.168.16.100
Host is up (0.00022s latency).
MAC Address: B0:7B:25:2A:71:86 (Dell)
Nmap scan report for 192.168.16.101
Host is up (0.00084s latency).
MAC Address: 1C:69:7A:69:70:35 (EliteGroup Computer Systems)
Nmap scan report for 192.168.16.102
Host is up (0.0014s latency).
MAC Address: 00:0C:29:DF:2E:44 (VMware)
Nmap scan report for 192.168.16.103
Host is up (0.00050s latency).
MAC Address: 1C:69:7A:69:D5:69 (EliteGroup Computer Systems)
Nmap scan report for 192.168.16.105
Host is up (0.00084s latency).
MAC Address: 1C:69:7A:6A:E7:3C (EliteGroup Computer Systems)
Nmap scan report for 192.168.16.104
Host is up.
Nmap done: 254 IP addresses (7 hosts up) scanned in 3.87 seconds
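The report above is the kind of thing a defender turns into an asset list. As an added example (not code from the original page or from nmap), the Python below parses the normal output of nmap -sn into host records and lists any discovered MAC that is missing from a known-device inventory. The sample text is constructed to mirror the report format shown above; the inventory is a hypothetical one.

```python
"""Parse 'nmap -sn' normal output into host records and spot unknown devices.

Added example; not code from the original page or from nmap. SAMPLE_OUTPUT
is constructed to mirror nmap's report format, and the inventory passed to
unknown_devices() is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SAMPLE_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 17:32 CST
Nmap scan report for 192.168.16.1
Host is up (0.00024s latency).
MAC Address: 48:7D:2E:C4:C8:81 (Tp-link Technologies)
Nmap scan report for 192.168.16.102
Host is up (0.0014s latency).
MAC Address: 00:0C:29:DF:2E:44 (VMware)
Nmap scan report for 192.168.16.104
Host is up.
Nmap done: 254 IP addresses (3 hosts up) scanned in 3.87 seconds
"""

# "Nmap scan report for 1.2.3.4" or "Nmap scan report for name (1.2.3.4)"
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>.*)\))?$")


@dataclass
class Host:
    ip: str
    latency: Optional[float] = None
    mac: Optional[str] = None      # absent for the scanning machine itself
    vendor: Optional[str] = None


def parse_ping_scan(text: str) -> List[Host]:
    """Walk the report line by line; each 'scan report' line opens a new host."""
    hosts: List[Host] = []
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts.append(Host(ip=m.group("ip")))
            continue
        if not hosts:
            continue  # banner lines before the first report
        m = UP_RE.match(line)
        if m:
            hosts[-1].latency = float(m.group("lat")) if m.group("lat") else None
            continue
        m = MAC_RE.match(line)
        if m:
            hosts[-1].mac = m.group("mac")
            hosts[-1].vendor = m.group("vendor")
    return hosts


def unknown_devices(hosts: Iterable[Host], known_macs: Iterable[str]) -> List[Host]:
    """Hosts whose MAC is not in the inventory. A host reported without a MAC
    (typically the scanner's own machine) is kept in the list rather than
    silently dropped, so the operator sees it and decides."""
    known = {m.upper() for m in known_macs}
    return [h for h in hosts if h.mac is None or h.mac not in known]


if __name__ == "__main__":
    for h in unknown_devices(parse_ping_scan(SAMPLE_OUTPUT), ["48:7d:2e:c4:c8:81"]):
        print(h)
```

Running the same parser over periodic -sn sweeps and diffing the MAC sets is a simple way to notice a new device on a segment; the vendor string (VMware, Dell, ...) is a useful first hint about what it is.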

ARP is the better method: some hosts do not answer ping (IP packets) because of a firewall. The --send-ip option forces nmap to probe with IP packets instead:

$ sudo nmap -sn --send-ip -n <local_network>

-sn --traceroute, run a traceroute after the host has been discovered:

$ sudo nmap -sn --traceroute <target>

Override -sn with -P* options

The default host-discovery behaviour can be changed with the -P* family of options.

-PS[port list], TCP SYN ping, default port 80. An ACK (SYN/ACK) or RST reply on any port means the host is online. If an ACK comes back, nmap finishes by sending an RST.

$ sudo nmap -sn -PS22 -nv <target>
$ sudo nmap -sn -PS22-25,80,113,1050,35000 <target>

-PA[port list], TCP ACK ping, default port 80. If the pinged port is open, the host replies with an RST because the ACK does not belong to any legitimate connection.

-PU[port list], UDP ping, default port 40125. When a UDP packet is sent to a closed port, an ICMP port unreachable reply may come back, which shows the host is online. Port 40125 is chosen by default because it is very likely to be closed; a UDP ping against an open port is in fact ineffective.

-PE, ICMP echo ping
-PP, ICMP timestamp
-PM, ICMP address mask

Several probe types can be combined:

$ sudo nmap -sn -PE -PP --send-ip <target>

If the target is on the local network, --send-ip must be added for -PE and -PP to have any effect.

Port Scan

This is nmap's core function. By default nmap first runs host discovery and, once a host is judged online, runs the default port scan: the default scan type against the 1000 most commonly used ports.

-sS, the default scan type, TCP SYN scan, also called half-open scanning.

Port state classification

$ sudo nmap <target>  # 1000 most common ports with the default scan method

-F, Fast scan, only the 100 most common ports!

-sT, scan using the connect() call; the default scan type for non-sudo users.

-sU, UDP scan

-sA, TCP ACK scan

nmap offers many other scan types, and several can be specified on one command line; the state reported for the same port may differ depending on the scan type used.

Skipping host discovery

-Pn, no ping probe; nmap assumes the host is online and scans it directly.

Specifying the port range

-p, specify the range of ports to scan

$ sudo nmap -p 10050,10051,10052,2048-2400 <target>
$ sudo nmap -p- <target>  # port range from 1 to 65535
$ sudo nmap -p0- <target>  # 0 to 65535

The protocol of each port can also be specified, but the matching scan type must be given at the same time:

$ sudo nmap -sS -sU -p U:53,111,137,T:21-25,80,443 <target>
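As an added example (not from the original page or from nmap), the Python below parses the -p forms shown above into per-protocol port sets: plain lists and ranges, - for 1-65535, 0- for 0-65535, and the T:/U: prefixes, which apply to everything after them until the next prefix. Validating a spec this way before a scan catches the classic mistake of a range that silently covers far more ports than intended.

```python
"""Parse an nmap -p port specification into per-protocol port sets.

Added example, not code from the original page or from nmap. Covers the
forms shown on the page: lists, ranges, '-' (1-65535), '0-' (0-65535) and
the T:/U: protocol prefixes. Other nmap prefixes (S:, P:) are not handled.
"""
from typing import Dict, Set

MAX_PORT = 65535


def _parse_range(item: str) -> range:
    """One list element: '80', '21-25', '-' or '0-'."""
    if item == "-":
        return range(1, MAX_PORT + 1)        # '-p-' means 1-65535
    if "-" in item:
        lo, hi = item.split("-", 1)
        lo_n = int(lo) if lo else 1          # omitted left side defaults to 1
        hi_n = int(hi) if hi else MAX_PORT   # omitted right side defaults to 65535
    else:
        lo_n = hi_n = int(item)
    if not (0 <= lo_n <= hi_n <= MAX_PORT):
        raise ValueError(f"invalid port range: {item!r}")
    return range(lo_n, hi_n + 1)


def parse_port_spec(spec: str, default_proto: str = "T") -> Dict[str, Set[int]]:
    """Return {'T': tcp ports, 'U': udp ports} for a -p argument."""
    ports: Dict[str, Set[int]] = {"T": set(), "U": set()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        # A 'T:' or 'U:' prefix switches protocol for this and following items.
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in ports:
            proto = item[0].upper()
            item = item[2:]
        if item:
            ports[proto].update(_parse_range(item))
    return ports


def port_count(spec: str) -> int:
    """Total number of (protocol, port) pairs a spec expands to."""
    return sum(len(s) for s in parse_port_spec(spec).values())


if __name__ == "__main__":
    print(parse_port_spec("U:53,111,137,T:21-25,80,443"))
    print(port_count("-"), port_count("0-"))
```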

Scanning ports in order

By default nmap scans ports in a randomized order.

-r, don't randomize ports

Excluding ports

--exclude-ports, takes the same port-range format as -p.

IP Protocol Scan

-sO, an upper-case letter O, not the digit 0.

The IPv4 header has an 8-bit protocol field; this scan enumerates that field, 0-255, and -p can be used to select protocol numbers. Nmap builds IP packets carrying each protocol number, sends them to the target host, and determines each protocol's state from whether an ICMP unreachable message comes back.

$ sudo nmap -Pn -sO 167.172.189.145
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-07 15:10 CST
Nmap scan report for 167.172.189.145
Host is up (0.23s latency).
Not shown: 254 open|filtered protocols
PROTOCOL STATE SERVICE
1        open  icmp
17       open  udp

Nmap done: 1 IP address (1 host up) scanned in 52.68 seconds

Service/Version Scan

Detects the service running on each open port, together with its version.

-sV

$ sudo nmap -Pn -sV -p 22,50500-50600 167.172.189.245
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 15:11 CST
Nmap scan report for 167.172.189.245
Host is up (0.25s latency).
Not shown: 100 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.8 (protocol 2.0)
50595/tcp open  ssh     OpenSSH 8.8 (protocol 2.0)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds
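The report above shows the same OpenSSH on port 22 and on 50595, which is exactly the kind of detail a defender wants flagged. As an added example (not code from the original page or from nmap), the Python below parses the PORT/STATE/SERVICE/VERSION table of an nmap -sV report and lists open ports whose detected service is not on its usual port. The sample report is constructed to mirror the format shown above, and the usual-port baseline is a small hypothetical table.

```python
"""Parse the port table of an 'nmap -sV' report and flag off-port services.

Added example, not code from the original page or from nmap. SAMPLE_REPORT
is constructed to mirror the report format above; USUAL_PORTS is a
hypothetical baseline a defender would maintain for their own estate.
"""
import re
from typing import Dict, List, NamedTuple, Set

SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.25s latency).
Not shown: 100 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.8 (protocol 2.0)
50595/tcp open  ssh     OpenSSH 8.8 (protocol 2.0)
8080/tcp  open  http    nginx 1.18.0
53/udp    open|filtered domain
"""

# Rows look like "22/tcp    open  ssh     OpenSSH 8.8 (protocol 2.0)"; the
# VERSION column is optional and may contain spaces.
ROW_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


class PortRow(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_port_table(text: str) -> List[PortRow]:
    """Extract every table row; banner and 'Not shown' lines do not match."""
    rows: List[PortRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PortRow(int(m["port"]), m["proto"], m["state"],
                                m["service"], (m["version"] or "").strip()))
    return rows


USUAL_PORTS: Dict[str, Set[int]] = {"ssh": {22}, "http": {80}, "https": {443}}


def off_port_services(rows: List[PortRow],
                      baseline: Dict[str, Set[int]] = USUAL_PORTS) -> List[PortRow]:
    """Open ports whose detected service normally listens elsewhere."""
    return [r for r in rows
            if r.state == "open" and r.service in baseline
            and r.port not in baseline[r.service]]


if __name__ == "__main__":
    for r in off_port_services(parse_port_table(SAMPLE_REPORT)):
        print(f"{r.service} on {r.port}/{r.proto}: {r.version}")
```

Because -sV identifies the service from its banner and behaviour rather than from the port number, this check catches an SSH daemon moved to a high port or a web server on an unexpected one; the version string is what you would then compare against your patch baseline.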

--version-intensity <level>: set the intensity (0-9), default 7. Higher values identify services more accurately, but the run takes longer.

--version-light: use light-weight detection (intensity 2)

--version-all: try every probe (intensity 9)

--version-trace: print detailed trace information for the version-detection process

OS Detection

Nmap uses TCP/IP stack fingerprinting to distinguish operating systems and devices. In places the RFCs do not mandate how TCP/IP must be implemented, so different TCP/IP implementations may each have their own particular behaviour. Nmap judges the OS type mainly from these differences in detail. The specifics are as follows:

-O

$ sudo nmap -Pn -O 167.172.189.245
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-04 15:12 CST
Nmap scan report for 167.172.189.245
Host is up (0.23s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Aggressive OS guesses: Linux 4.15 - 5.6 (98%), Linux 5.0 - 5.3 (96%), Linux 5.4 (95%), Linux 2.6.32 (94%), Linux 3.2 - 4.9 (94%), Linux 2.6.32 - 3.10 (94%), Linux 5.3 - 5.4 (94%), Linux 5.0 - 5.4 (94%), Linux 3.4 - 3.10 (93%), Linux 3.1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 23 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.10 seconds

Timing & Performance

Network scanning can be very time-consuming, especially when scanning a very large address range, so performance is an important consideration. Nmap cares a lot about performance and offers many options that let the user control it; the author recommends staying on the latest nmap version, because nmap is upgraded very frequently to improve performance.

Timing Template

A group of options controls nmap's runtime performance, but using a Timing Template is simpler (it avoids setting each option of that group individually).

-T<0-5>, six templates in total.

Others

-A, Aggressive scan options, which combines OS detection (-O), version detection (-sV), script scanning (-sC) and traceroute (--traceroute). What it includes may expand with new versions; check the manual for details.

$ sudo nmap -A 114.215.183.12
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-31 10:51 CST
Nmap scan report for 114.215.183.12
Host is up (0.015s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE  SERVICE       VERSION
6789/tcp closed ibm-db2-admin
Too many fingerprints match this host to give specific OS details
Network Distance: 13 hops

TRACEROUTE (using port 6789/tcp)
HOP RTT      ADDRESS
1   0.18 ms  _gateway (192.168.16.1)
2   0.97 ms  192.222.1.254
3   4.68 ms  222.94.115.1
4   4.69 ms  61.155.254.221
5   4.09 ms  222.190.59.165
6   24.08 ms 202.97.52.81
7   10.87 ms 101.95.218.82
8   ...
9   11.61 ms 180.163.38.26
10  ... 12
13  14.77 ms 114.215.183.12

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.50 seconds

Link to this article: https://cs.pynote.net/net/202303291/