nmap系統(tǒng)漏洞掃描之王，也就是Network Mapper，是Linux下常用的網(wǎng)絡(luò)掃描和嗅探工具包，現(xiàn)在支持多個平臺。

其基本功能有三個：
（1）是掃描主機端口，嗅探所提供的網(wǎng)絡(luò)服務(wù)
（2）是探測一組主機是否在線
（3）還可以推斷主機所用的操作系統(tǒng)，到達主機經(jīng)過的路由，系統(tǒng)已開放端口的軟件版本

nmap端口狀態(tài)解析

open ： 應(yīng)用程序在該端口接收 TCP 連接或者 UDP 報文。
closed ：關(guān)閉的端口對于nmap也是可訪問的， 它接收nmap探測報文并作出響應(yīng)。但沒有應(yīng)用程序在其上監(jiān)聽。
filtered ：由于包過濾阻止探測報文到達端口，nmap無法確定該端口是否開放。過濾可能來自專業(yè)的防火墻設(shè)備，路由規(guī)則 或者主機上的軟件防火墻。
unfiltered ：未被過濾狀態(tài)意味著端口可訪問，但是nmap無法確定它是開放還是關(guān)閉。 只有用于映射防火墻規(guī)則集的 ACK 掃描才會把端口分類到這個狀態(tài)。
open | filtered ：無法確定端口是開放還是被過濾， 開放的端口不響應(yīng)就是一個例子。沒有響應(yīng)也可能意味著報文過濾器丟棄了探測報文或者它引發(fā)的任何反應(yīng)。UDP，IP協(xié)議,FIN, Null 等掃描會引起。
closed|filtered：（關(guān)閉或者被過濾的）：無法確定端口是關(guān)閉的還是被過濾的

nmap有windows和linux

Nmap是一款網(wǎng)絡(luò)掃描和主機檢測的非常有用的工具。Nmap是不局限于僅僅收集信息和枚舉，同時可以用來作為一個漏洞探測器或安全掃描器。它可以適用于winodws,linux,mac等操作系統(tǒng)
從下面官網(wǎng)可以下載exe程序包和zip包

https://nmap.org/download.html#windows

nmap常用參數(shù)

nmap掃描速度要比nc快
面是一些基本的命令和它們的用法的例子：掃描單一的一個主機，命令如下：

前期準備

準備兩臺機器
主機A：ip地址 10.0.1.161
主機B：ip地址 10.0.1.162

B機器安裝nmap的包（這個工具比較強大，習慣上每臺機器都安裝）

yum install nmap -y　　

端口掃描部分

前期準備
B機器使用nmap去掃描A機器，掃描之前，A機器先查看自己上面有哪些端口在被占用

A機器上查看本地ipv4的監(jiān)聽端口

netstat參數(shù)解釋：
-l (listen) 僅列出 Listen (監(jiān)聽) 的服務(wù)
-t (tcp) 僅顯示tcp相關(guān)內(nèi)容
-n (numeric) 直接顯示ip地址以及端口，不解析為服務(wù)名或者主機名
-p (pid) 顯示出socket所屬的進程PID 以及進程名字
--inet 顯示ipv4相關(guān)協(xié)議的監(jiān)聽

查看IPV4端口上的tcp的監(jiān)聽

netstat -lntp --inet

[root@A ~]# netstat -lntp --inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1930/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2365/master
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699/mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505/rpcbind
[root@A ~]#

過濾掉監(jiān)控在127.0.0.1的端口

[root@A ~]# netstat -lntp --inet | grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157/sshd
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699/mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640/rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505/rpcbind
[root@A ~]#

掃描tcp端口

B機器上使用nmap掃描A機器所有端口（-p后面也可以跟空格）
下面表示掃描A機器的1到65535所有在監(jiān)聽的tcp端口。
nmap 10.0.1.161 -p1-65535
指定端口范圍使用-p參數(shù)，如果不指定要掃描的端口，Nmap默認掃描從1到1024再加上nmap-services列出的端口
nmap-services是一個包含大約2200個著名的服務(wù)的數(shù)據(jù)庫，Nmap通過查詢該數(shù)據(jù)庫可以報告那些端口可能對應(yīng)于什么服務(wù)器，但不一定正確。
所以正確掃描一個機器開放端口的方法是上面命令。-p1-65535
注意，nmap有自己的庫，存放一些已知的服務(wù)和對應(yīng)端口號，假如有的服務(wù)不在nmap-services，可能nmap就不會去掃描，這就是明明一些端口已經(jīng)是處于監(jiān)聽狀態(tài)，nmap默認沒掃描出來的原因，需要加入-p參數(shù)讓其掃描所有端口。
雖然直接使用nmap 10.0.1.161也可以掃描出開放的端口，但是使用-p1-65535 能顯示出最多的端口
區(qū)別在于不加-p 時，顯示的都是已知協(xié)議的端口，對于未知協(xié)議的端口沒顯示

[root@B ~]# nmap 10.0.1.161 -p1-65535

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:11 CST
Nmap scan report for 10.0.1.161
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
13306/tcp open unknown
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds
[root@B ~]#

如果不加-p1-65535，對于未知服務(wù)的端口（A機器的13306端口）就沒法掃描到

[root@B ~]# nmap 10.0.1.161

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:12 CST
Nmap scan report for 10.0.1.161
Host is up (0.000089s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
[root@B ~]#

掃描一個IP的多個端口

連續(xù)的端口可以使用橫線連起來，端口之間可以使用逗號隔開
A機器上再啟動兩個tcp的監(jiān)聽，分別占用7777和8888端口，用于測試，加入&符號可以放入后臺

[root@A ~]# nc -l 7777&
[1] 21779
[root@A ~]# nc -l 8888&
[2] 21780
[root@A ~]#

[root@B ~]# nmap 10.0.1.161 -p20-200,7777,8888

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:32 CST
Nmap scan report for 10.0.1.161
Host is up (0.00038s latency).
Not shown: 179 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
7777/tcp open cbt
8888/tcp open sun-answerbook
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
[root@B ~]#

掃描udp端口

先查看哪些ipv4的監(jiān)聽，使用grep -v排除回環(huán)接口上的監(jiān)聽
netstat -lnup --inet |grep -v 127.0.0.1　

[root@A ~]# netstat -lnup --inet |grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:111 0.0.0.0:* 21505/rpcbind
udp 0 0 0.0.0.0:631 0.0.0.0:* 1930/cupsd
udp 0 0 10.0.1.161:123 0.0.0.0:* 2261/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2261/ntpd
udp 0 0 0.0.0.0:904 0.0.0.0:* 21505/rpcbind
[root@A ~]#

-sU：表示udp scan ， udp端口掃描
-Pn：不對目標進行ping探測（不判斷主機是否在線）（直接掃描端口）
對于udp端口掃描比較慢，掃描完6萬多個端口需要20分鐘左右

[root@B ~]# nmap -sU 10.0.1.161 -Pn

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:16 CST
Stats: 0:12:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.19% done; ETC: 10:33 (0:04:16 remaining)
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.29% done; ETC: 10:33 (0:04:15 remaining)
Nmap scan report for 10.0.1.161
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
111/udp open rpcbind
123/udp open ntp
631/udp open|filtered ipp
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1081.27 seconds
[root@B ~]#

掃描多個IP用法

中間用空格分開

[root@B ~]# nmap 10.0.1.161 10.0.1.162

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:18 CST
Nmap scan report for 10.0.1.161
Host is up (0.000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.26 seconds
[root@B ~]#

也可以采用下面方式逗號隔開
nmap 10.0.1.161,162

[root@B ~]# nmap 10.0.1.161,162

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:19 CST
Nmap scan report for 10.0.1.161
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap scan report for 10.0.1.162
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.81 seconds
[root@B ~]#

掃描連續(xù)的ip地址

[root@B ~]# nmap 10.0.1.161-162

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:20 CST
Nmap scan report for 10.0.1.161
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.25 seconds
[root@B ~]#

掃描一個子網(wǎng)網(wǎng)段所有IP

[root@B ~]# nmap 10.0.3.0/24

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:21 CST
Nmap scan report for 10.0.3.1
Host is up (0.020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23/tcp open telnet
6666/tcp open irc
8888/tcp open sun-answerbook

Nmap scan report for 10.0.3.2
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open telnet

Nmap scan report for 10.0.3.3
Host is up (0.018s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp open telnet

Nmap done: 256 IP addresses (3 hosts up) scanned in 14.91 seconds
[root@B ~]#

掃描文件里的IP

如果你有一個ip地址列表，將這個保存為一個txt文件，和namp在同一目錄下,掃描這個txt內(nèi)的所有主機，用法如下

[root@B ~]# cat ip.txt
10.0.1.161
10.0.1.162
[root@B ~]# nmap -iL ip.txt

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:23 CST
Nmap scan report for 10.0.1.161
Host is up (0.00030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.68 seconds
[root@B ~]#

掃描地址段是排除某個IP地址

nmap 10.0.1.161-162 --exclude 10.0.1.162
用法如下

[root@B ~]# nmap 10.0.1.161-162 --exclude 10.0.1.162

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:24 CST
Nmap scan report for 10.0.1.161
Host is up (0.0022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@B ~]#

掃描時排除多個IP地址

排除連續(xù)的，可以使用橫線連接起來
nmap 10.0.1.161-163 --exclude 10.0.1.162-163

[root@B ~]# nmap 10.0.1.161-163 --exclude 10.0.1.162-163

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:25 CST
Nmap scan report for 10.0.1.161
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
873/tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
[root@B ~]#

排除分散的，使用逗號隔開

nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163

[root@B ~]# nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:27 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
[root@B ~]#

掃描多個地址時排除文件里的IP地址

（可以用來排除不連續(xù)的IP地址）
把10.0.1.161和10.0.1.163添加到一個文件里，文件名可以隨意取
下面掃描10.0.1.161到10.0.1.163 這3個IP地址，排除10.0.1.161和10.0.1.163這兩個IP
nmap 10.0.1.161-163 --excludefile ex.txt

[root@B ~]# cat ex.txt
10.0.1.161
10.0.1.163
[root@B ~]# nmap 10.0.1.161-163 --excludefile ex.txt

Starting Nmap 5.51 ( http://nmap.org ) at 2016-12-29 10:29 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
[root@B ~]#

好了，這篇文章就介紹到這，這里推薦大家下載這個非官方翻譯的手冊，幫助大家更加深入的了解。

版權(quán)聲明：本站文章來源標注為YINGSOO的內(nèi)容版權(quán)均為本站所有，歡迎引用、轉(zhuǎn)載，請保持原文完整并注明來源及原文鏈接。禁止復(fù)制或仿造本網(wǎng)站，禁止在非www.sddonglingsh.com所屬的服務(wù)器上建立鏡像，否則將依法追究法律責任。本站部分內(nèi)容來源于網(wǎng)友推薦、互聯(lián)網(wǎng)收集整理而來，僅供學習參考，不代表本站立場，如有內(nèi)容涉嫌侵權(quán)，請聯(lián)系alex-e#qq.com處理。