Nmap: Specifying Targets

Specifying a single host

IP address

nmap 192.168.1.1

Hostname

nmap hostname

Domain name

Resolve the name through a specified DNS server

nmap --dns-server 114.114.114.114 www.diaoan.xyz

Use the system DNS resolver (the default when no DNS option is given)

nmap --system-dns www.diaoan.xyz
nmap www.diaoan.xyz

Specifying multiple hosts

CIDR

A CIDR block consists of a network address and a subnet mask, written as IP/prefix-length (the number of mask bits).

netmask

netmask is a command-line tool for subnet mask calculations; it quickly works out the address range that a CIDR block covers, and the reverse.

Show the address range of a CIDR block

$ netmask -r 10.10.10.0/8
10.0.0.0-10.255.255.255 (16777216)

Show the CIDR block for an address range

$ netmask -c 192.168.1.0:192.168.1.255
192.168.1.0/24

Verifying the scan targets

Use Nmap's -sL option (s for Scan, L for List). It only lists the targets a specification expands to, without port scanning them (reverse DNS lookups are still performed, which is why some addresses below show names while the summary reports 0 hosts up), so it is a cheap way to confirm a target specification before a real scan.

# nmap -sL 192.168.1.0/24
Nmap scan report for 192.168.1.0
Nmap scan report for TianYi.Home (192.168.1.1)
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for DIAOAN (192.168.1.4)
Nmap scan report for SU (192.168.1.5)
Nmap scan report for 192.168.1.6
...
Nmap scan report for 192.168.1.253
Nmap scan report for 192.168.1.254
Nmap scan report for 192.168.1.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 328.10 seconds

Consecutive hosts

To scan a run of consecutive hosts, use a hyphen (-) in the last octet.

# nmap -sL 192.168.1.1-10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:10 CST
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery
Nmap scan report for TianYi.Home (192.168.1.1)
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for DIAOAN (192.168.1.4)
Nmap scan report for SU (192.168.1.5)
Nmap scan report for 192.168.1.6
Nmap scan report for 192.168.1.7
Nmap scan report for 192.168.1.8
Nmap scan report for 192.168.1.9
Nmap scan report for 192.168.1.10
Nmap done: 10 IP addresses (0 hosts up) scanned in 13.02 seconds

Non-consecutive hosts

Several hosts with non-consecutive IPs can be given at once; separate the addresses with spaces.

# nmap -sL 192.168.1.1 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:12 CST
Nmap scan report for TianYi.Home (192.168.1.1)
Nmap scan report for DIAOAN (192.168.1.4)
Nmap done: 2 IP addresses (0 hosts up) scanned in 0.00 seconds

Scanning all IP addresses of a host

In DNS, one name can resolve to several IP addresses. When it does, Nmap by default scans only the first address returned; to scan every address the name resolves to, use the --resolve-all option.

# nmap --resolve-all www.baidu.com -sL
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:15 CST
Nmap scan report for www.baidu.com (14.215.177.39)
Nmap scan report for www.baidu.com (14.215.177.38)
Nmap scan report for www.baidu.com (110.242.68.42)
Nmap scan report for www.baidu.com (220.181.33.32)
Nmap scan report for www.baidu.com (112.80.255.253)
Nmap scan report for www.baidu.com (14.215.177.229)
Nmap scan report for www.baidu.com (180.76.76.95)
Nmap done: 7 IP addresses (0 hosts up) scanned in 11.21 seconds

Excluding hosts

Use the --exclude option to leave out the specified hosts; it accepts the same target syntax (single IPs, ranges, CIDR) as the targets themselves.

# nmap -sL 192.168.1.1/24 --exclude 192.168.1.10-255
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:18 CST
Stats: 0:00:09 elapsed; 0 hosts completed (0 up), 0 undergoing Host Discovery
Nmap scan report for 192.168.1.0
Nmap scan report for TianYi.Home (192.168.1.1)
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for DIAOAN (192.168.1.4)
Nmap scan report for SU (192.168.1.5)
Nmap scan report for 192.168.1.6
Nmap scan report for 192.168.1.7
Nmap scan report for 192.168.1.8
Nmap scan report for 192.168.1.9
Nmap done: 10 IP addresses (0 hosts up) scanned in 13.01 seconds
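As an added example (not code from the original post or from the Nmap project), the following Python reproduces the address arithmetic behind the sections above: it expands CIDR blocks, hyphenated octet ranges and space-separated specs into the list that `nmap -sL` prints, applies `--exclude` with the same syntax, and mirrors the two netmask calculations (`-r`, range of a CIDR block; `-c`, CIDR block of a range). Hostnames are deliberately rejected rather than resolved, so it runs offline; the function names and the `list_targets` interface are this example's own.

```python
import ipaddress
from itertools import product


def cidr_range(spec):
    """Like `netmask -r`: first address, last address and size of a CIDR block.
    strict=False allows host bits to be set, as in `10.10.10.0/8` on the page."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def range_to_cidrs(first, last):
    """Like `netmask -c`: the minimal list of CIDR blocks covering first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def _expand_octet(part):
    """Expand one octet of an Nmap-style spec: '4', '1-10', '1,5,9' or '*'."""
    values = []
    for piece in part.split(","):
        if piece == "*":
            piece = "0-255"
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(piece))
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"octet out of range in {part!r}")
    return values


def expand_spec(spec):
    """Expand one IPv4 target spec (CIDR or dotted octet ranges) to IPv4Address objects.
    Hostnames are rejected on purpose: this example performs no DNS lookups."""
    if "/" in spec:
        # Iterating a network yields every address, network and broadcast included,
        # which matches the 256 entries `nmap -sL 192.168.1.0/24` lists.
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported spec (hostnames are not resolved here): {spec!r}")
    ranges = [_expand_octet(o) for o in octets]
    return [ipaddress.IPv4Address(".".join(map(str, combo))) for combo in product(*ranges)]


def list_targets(specs, exclude=()):
    """Emulate `nmap -sL <specs...> --exclude <exclude...>`: the target list as strings,
    in spec order, minus every address covered by any exclude spec."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_spec(spec))
    return [str(ip) for spec in specs for ip in expand_spec(spec) if ip not in excluded]


if __name__ == "__main__":
    print(cidr_range("10.10.10.0/8"))                      # ('10.0.0.0', '10.255.255.255', 16777216)
    print(range_to_cidrs("192.168.1.0", "192.168.1.255"))  # ['192.168.1.0/24']
    # the --exclude example from the page: /24 minus .10-.255 leaves .0 to .9
    print(list_targets(["192.168.1.1/24"], exclude=["192.168.1.10-255"]))
```

Running it with the page's specs gives the same ten addresses (192.168.1.0 to 192.168.1.9) that the `--exclude` listing above shows, and the same range and CIDR values that netmask printed.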

Random targets

Use the -iR option to specify the number of randomly chosen targets.

# nmap -iR 5 -sL
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:20 CST
Nmap scan report for 1.253.146.226
Nmap scan report for 140.4.133.179
Nmap scan report for 88.241.142.89
Nmap scan report for 153.231.164.151
Nmap scan report for 42.199.161.231
Nmap done: 5 IP addresses (0 hosts up) scanned in 13.01 seconds

Scan methods

Full scan

Use the -A option for a full scan; as the output below shows, it combines service version detection, OS detection, host scripts and a traceroute in one run.

# nmap -A www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:22 CST
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# host status
Host is up (0.032s latency).
# ports not shown (filtered, no response)
Not shown: 988 filtered tcp ports (no-response)
# open ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH for_Windows_8.6 (protocol 2.0)
80/tcp open http nginx 1.20.1
443/tcp open ssl/http nginx 1.20.1
# device type
Device type: general purpose
# running operating system
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista|8.1 (92%)
# OS CPE
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1:r1
# OS guesses
Aggressive OS guesses: Microsoft Windows Server 2012 (92%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 (92%), Microsoft Windows 7 Professional (87%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (87%), Microsoft Windows Server 2008 R2 SP1 (87%), Microsoft Windows Server 2008 (87%), Microsoft Windows Server 2008 R2 (87%), Microsoft Windows 7 SP1 (87%), Microsoft Windows 7 or Windows Server 2008 R2 (86%)
# network distance
Network Distance: 13 hops
# service info
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
# host script results
Host script results:
...
# traceroute
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.44 ms DIAOAN (192.168.32.1)
2 4.05 ms TianYi.Home (192.168.1.1)
3 ... 12
13 29.50 ms www.diaoan.xyz (121.199.61.226)

Nmap done: 1 IP address (1 host up) scanned in 86.86 seconds
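From the defender's side, output like the report above is most useful once it is turned into an inventory of exposed services that can be compared against what is supposed to be listening. The following Python is an added example, not code from the original post or from the Nmap project: it parses Nmap's normal (human-readable) output into per-host records with state, open ports, service/version strings and network distance. The embedded sample is the page's own -A report, trimmed of the host-script and traceroute sections; the record layout and function names are this example's assumptions.

```python
import re

# The page's own `nmap -A www.diaoan.xyz` report, trimmed for brevity.
SAMPLE_REPORT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-24 16:22 CST
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.032s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT    STATE SERVICE  VERSION
21/tcp  open  ftp      Microsoft ftpd
22/tcp  open  ssh      OpenSSH for_Windows_8.6 (protocol 2.0)
80/tcp  open  http     nginx 1.20.1
443/tcp open  ssl/http nginx 1.20.1
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista|8.1 (92%)
Network Distance: 13 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap done: 1 IP address (1 host up) scanned in 86.86 seconds
"""

# "Nmap scan report for NAME (IP)" or just "Nmap scan report for IP"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
UP_RE = re.compile(r"^Host is up(?: \(([\d.]+)s latency\))?\.$")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) (tcp|udp) ports")
# "21/tcp  open  ftp  Microsoft ftpd"; the VERSION column is optional
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DIST_RE = re.compile(r"^Network Distance: (\d+) hops?$")


def parse_nmap_report(text):
    """Return one dict per host found in Nmap normal output."""
    hosts = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            cur = {"name": name if ip else None, "ip": ip or name, "up": False,
                   "latency_s": None, "not_shown": None, "ports": [], "distance_hops": None}
            hosts.append(cur)
            continue
        if cur is None:          # preamble before the first host
            continue
        m = UP_RE.match(line)
        if m:
            cur["up"] = True
            cur["latency_s"] = float(m.group(1)) if m.group(1) else None
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            cur["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                 "state": m.group(3), "service": m.group(4),
                                 "version": (m.group(5) or "").strip()})
            continue
        m = DIST_RE.match(line)
        if m:
            cur["distance_hops"] = int(m.group(1))
    return hosts


def open_services(hosts):
    """Flatten the parsed hosts to (ip, port/proto, service, version) for open ports only,
    the shape you would diff against an expected-services list."""
    return [(h["ip"], f"{p['port']}/{p['proto']}", p["service"], p["version"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for row in open_services(parse_nmap_report(SAMPLE_REPORT)):
        print(row)
```

The parser is line-oriented and ignores anything it does not recognise, so the OS-guess, CPE, script and traceroute sections pass through harmlessly; for anything beyond a quick check, Nmap's XML output (-oX) is the format to parse, since it is stable and structured.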

Packet-sending mode

When scanning, you can set the packet-sending mode, for example the packet format and the privilege assumption.

Packet format

The packet format can be set to raw Ethernet frames or raw IP packets:

--send-eth: send raw Ethernet frames

--send-ip: send raw IP packets

Privilege assumption

--privileged: assume the user has full privileges (such as raw socket access)

--unprivileged: assume the user lacks raw socket privileges, e.g. is not root