Nmap port scanning

Port states

  1. Default states

    The two basic port states are open and closed.

    • open: an application is actively accepting TCP connections, UDP datagrams or SCTP associations on the port.
    • closed: the port is reachable (Nmap's probes get to it and the target answers them), but no application is listening on it.
  2. Firewalls

    If some of the target's ports sit behind router ACLs or firewall rules, a scan may report them as filtered or unfiltered.

    • filtered: packet filtering keeps the probe from reaching the port, so Nmap cannot tell whether it is open. Usually there is no response at all; sometimes an ICMP error such as type 3 code 13 (communication administratively prohibited) comes back instead.
    • unfiltered: the port is reachable, but Nmap cannot determine whether it is open or closed. Only the ACK scan (-sA) classifies ports this way; rescanning unfiltered ports with another scan type such as SYN, Window or FIN can help resolve whether they are open.
  3. Undetermined

    When Nmap cannot narrow a port down to a single state it reports open|filtered or closed|filtered.

    • open|filtered: the port is either open or filtered. This happens with scan types in which an open port gives no response (UDP, IP protocol, FIN, NULL and Xmas scans), so silence is ambiguous.
    • closed|filtered: the port is either closed or filtered. This state appears only in the IP ID idle scan (-sI).

Specifying ports

Manual selection

Nmap's -p option selects which ports to scan.

  • -p: the ports to scan; a single port, a range, or a comma-separated list of both

Single port

A single port means scanning one specific port on its own.

# Scan port 80 on the target
$ nmap --packet-trace -p 80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:15 CST
# Host discovery first: by default (running as root) Nmap sends an ICMP echo request, a TCP SYN to 443, a TCP ACK to 80 and an ICMP timestamp request
# ICMP echo
SENT (0.2655s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=37617 seq=0] IP [ttl=58 id=5913 iplen=28 ]
# TCP SYN to 443
SENT (0.2657s) TCP 192.168.43.245:47588 > 121.199.61.226:443 S ttl=52 id=27457 iplen=44 seq=1103784163 win=1024 <mss 1460>
# TCP ACK to 80
SENT (0.2658s) TCP 192.168.43.245:47588 > 121.199.61.226:80 A ttl=46 id=21464 iplen=40 seq=0 win=1024
# ICMP timestamp
SENT (0.2659s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=64165 seq=0 orig=0 recv=0 trans=0] IP [ttl=55 id=22350 iplen=40 ]
# Echo reply received: the host is up
RCVD (0.2978s) ICMP [121.199.61.226 > 192.168.43.245 Echo reply (type=0/code=0) id=37617 seq=0] IP [ttl=116 id=1697 iplen=28 ]
# Port scan: TCP SYN to port 80
SENT (0.4738s) TCP 192.168.43.245:47844 > 121.199.61.226:80 S ttl=52 id=45397 iplen=44 seq=3857280907 win=1024 <mss 1460>
# SYN/ACK from port 80: the port is open. The scanner's kernel tears the half-open connection down with a RST, which --packet-trace does not show
RCVD (0.5095s) TCP 121.199.61.226:80 > 192.168.43.245:47844 SA ttl=116 id=1701 iplen=44 seq=1355301614 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# Host is up
Host is up (0.033s latency).
# Port 80 is open
PORT STATE SERVICE
80/tcp open http

Port range

A range is written with a hyphen, for example -p75-80, and covers every port from the first to the last inclusive.

# Scan a range of ports on the target
$ nmap --packet-trace -p75-80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:27 CST
# Host discovery first: ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request
# ICMP echo
SENT (0.1535s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=47438 seq=0] IP [ttl=53 id=52536 iplen=28 ]
# TCP SYN to 443
SENT (0.1536s) TCP 192.168.43.245:35530 > 121.199.61.226:443 S ttl=54 id=14442 iplen=44 seq=2513491371 win=1024 <mss 1460>
# TCP ACK to 80
SENT (0.1536s) TCP 192.168.43.245:35530 > 121.199.61.226:80 A ttl=47 id=34594 iplen=40 seq=0 win=1024
# ICMP timestamp
SENT (0.1536s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=41255 seq=0 orig=0 recv=0 trans=0] IP [ttl=56 id=62847 iplen=40 ]
# This time the SYN/ACK from 443 arrives first: the host is up
RCVD (0.1831s) TCP 121.199.61.226:443 > 192.168.43.245:35530 SA ttl=116 id=3911 iplen=44 seq=200796757 win=8192 <mss 1400>
# Port scan: a SYN to each of ports 75-80 (Nmap randomizes the order)
SENT (0.3439s) TCP 192.168.43.245:35786 > 121.199.61.226:80 S ttl=56 id=42601 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:75 S ttl=54 id=12752 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:77 S ttl=37 id=18918 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:76 S ttl=53 id=49012 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3441s) TCP 192.168.43.245:35786 > 121.199.61.226:78 S ttl=46 id=61002 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3442s) TCP 192.168.43.245:35786 > 121.199.61.226:79 S ttl=59 id=36314 iplen=44 seq=45414180 win=1024 <mss 1460>
# SYN/ACK from port 80
RCVD (0.3723s) TCP 121.199.61.226:80 > 192.168.43.245:35786 SA ttl=116 id=3915 iplen=44 seq=2276599736 win=8192 <mss 1400>
# No answer from the other five ports, so each probe is retransmitted once before Nmap gives up on it
SENT (1.4648s) TCP 192.168.43.245:35788 > 121.199.61.226:79 S ttl=56 id=35145 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4650s) TCP 192.168.43.245:35788 > 121.199.61.226:78 S ttl=59 id=33782 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4650s) TCP 192.168.43.245:35788 > 121.199.61.226:76 S ttl=37 id=33314 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4651s) TCP 192.168.43.245:35788 > 121.199.61.226:77 S ttl=40 id=47396 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4651s) TCP 192.168.43.245:35788 > 121.199.61.226:75 S ttl=45 id=40863 iplen=44 seq=45545254 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# Host is up
Host is up (0.029s latency).
# Ports 75-79 drew no response at all, so they are filtered; port 80 is open
PORT STATE SERVICE
75/tcp filtered priv-dial
76/tcp filtered deos
77/tcp filtered priv-rje
78/tcp filtered vettcp
79/tcp filtered finger
80/tcp open http

Port list

Separate ports are listed with commas: -p21,25,80 scans ports 21, 25 and 80. Lists and ranges can be mixed, so -p21,80-100 scans port 21 plus every port from 80 through 100.

# Scan ports 21, 25 and 80 on the target
$ nmap --packet-trace -p21,25,80 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:39 CST
# Host discovery first
SENT (0.1146s) ICMP [192.168.43.245 > 192.168.1.4 Echo request (type=8/code=0) id=22834 seq=0] IP [ttl=59 id=9860 iplen=28 ]
SENT (0.1147s) TCP 192.168.43.245:63801 > 192.168.1.4:443 S ttl=54 id=18425 iplen=44 seq=1162534401 win=1024 <mss 1460>
SENT (0.1148s) TCP 192.168.43.245:63801 > 192.168.1.4:80 A ttl=53 id=44850 iplen=40 seq=0 win=1024
SENT (0.1148s) ICMP [192.168.43.245 > 192.168.1.4 Timestamp request (type=13/code=0) id=27944 seq=0 orig=0 recv=0 trans=0] IP [ttl=47 id=11059 iplen=40 ]
# RST from port 80 in reply to the ACK probe: the host is up
RCVD (0.1151s) TCP 192.168.1.4:80 > 192.168.43.245:63801 R ttl=63 id=1813 iplen=40 seq=1162534401 win=0
# Port scan starts
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:21 S ttl=47 id=25826 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:80 S ttl=49 id=42832 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:25 S ttl=51 id=30051 iplen=44 seq=2509442157 win=1024 <mss 1460>
# RST/ACK from 80 and 21: closed. SYN/ACK from 25: open
RCVD (0.2751s) TCP 192.168.1.4:80 > 192.168.43.245:64057 RA ttl=63 id=1819 iplen=40 seq=0 win=0
RCVD (0.2752s) TCP 192.168.1.4:25 > 192.168.43.245:64057 SA ttl=63 id=1820 iplen=44 seq=3188731922 win=64240 <mss 65495>
RCVD (0.2752s) TCP 192.168.1.4:21 > 192.168.43.245:64057 RA ttl=63 id=1818 iplen=40 seq=0 win=0
Nmap scan report for DIAOAN (192.168.1.4)
# Host is up
Host is up (0.00036s latency).
# Port states
PORT STATE SERVICE
21/tcp closed ftp
25/tcp open smtp
80/tcp closed http

Ports for different protocols

A port specification can name the protocol with a prefix: T: for TCP, U: for UDP and S: for SCTP. A prefix applies to every port that follows it until the next prefix, so -p U:53,137,T:22,80 means UDP 53 and 137 plus TCP 22 and 80. The matching scan types must be requested as well (for example -sU together with -sS) for both protocols to be scanned.

# Scan UDP ports 53 and 137 together with TCP ports 22 and 80 (-Pn skips host discovery)
$ nmap --packet-trace -sU -Pn -sS -p U:53,137,T:22,80 192.168.1.4
# TCP probes first: both ports answer RST/ACK, so they are closed
SENT (0.1207s) TCP 192.168.43.245:39528 > 192.168.1.4:80 S ttl=48 id=46666 iplen=44 seq=1735317672 win=1024 <mss 1460>
SENT (0.1208s) TCP 192.168.43.245:39528 > 192.168.1.4:22 S ttl=42 id=59806 iplen=44 seq=1735317672 win=1024 <mss 1460>
RCVD (0.1210s) TCP 192.168.1.4:22 > 192.168.43.245:39528 RA ttl=63 id=1841 iplen=40 seq=0 win=0
RCVD (0.1210s) TCP 192.168.1.4:80 > 192.168.43.245:39528 RA ttl=63 id=1840 iplen=40 seq=0 win=0
# Then UDP. For well-known UDP ports Nmap adds protocol-specific payloads from its nmap-payloads file (a DNS query for 53, NetBIOS name-service queries for 137) to the empty datagram, which is why several probes per port appear
SENT (0.2800s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=43 id=6898 iplen=40
SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=46 id=6898 iplen=58
SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=55 id=49237 iplen=78
SENT (0.2804s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=53 id=49237 iplen=78
SENT (0.2805s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=37 id=49237 iplen=78
# ICMP port unreachable for 53: closed. A UDP reply from 137: open
RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1842 iplen=68 ]
RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1843 iplen=86 ]
RCVD (0.2808s) UDP 192.168.1.4:137 > 192.168.43.245:39784 ttl=63 id=1844 iplen=185
Nmap scan report for 192.168.1.4
Host is up (0.00031s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp closed http
53/udp closed domain
137/udp open netbios-ns
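As an added example (not part of the original post and not Nmap's own code), here is a small parser for the -p syntax described above: single ports, ranges, comma-separated lists and the T:/U:/S: prefixes that carry over to the ports after them. The open-ended forms "-" (1-65535) and "100-" follow Nmap's documented meaning; the function name and the choice to return sorted (protocol, port) pairs are this example's own.

```python
"""Parse Nmap-style -p port specifications into (protocol, port) pairs.

Added example, not Nmap's own code. Accepts the forms shown on this page:
"80", "75-80", "21,25,80", "21,80-100" and "U:53,137,T:22,80". A protocol
prefix applies to every following token until the next prefix.
"""
from typing import List, Tuple

PROTOCOLS = {"T": "tcp", "U": "udp", "S": "sctp"}


def parse_port_spec(spec: str, default_proto: str = "tcp") -> List[Tuple[str, int]]:
    """Return de-duplicated (proto, port) pairs sorted by protocol then port.

    Raises ValueError on an empty token, an unknown prefix or a port outside 0-65535.
    """
    ports = set()
    proto = default_proto
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty port token in %r" % spec)
        # Protocol prefix such as "U:53": switches proto for this and later tokens.
        if len(token) > 1 and token[1] == ":":
            key = token[0].upper()
            if key not in PROTOCOLS:
                raise ValueError("unknown protocol prefix %r" % token[:2])
            proto = PROTOCOLS[key]
            token = token[2:]
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo = int(lo_s) if lo_s else 1        # "-100" and "-" start at 1, as in Nmap
            hi = int(hi_s) if hi_s else 65535    # "100-" and "-" run to 65535
        else:
            lo = hi = int(token)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("port range out of bounds: %r" % token)
        for port in range(lo, hi + 1):
            ports.add((proto, port))
    return sorted(ports)
```

parse_port_spec("U:53,137,T:22,80") yields UDP 53 and 137 plus TCP 22 and 80, matching what the scan above probed; note that "0-" deliberately includes port 0, while a bare "-" starts at 1, which is Nmap's convention too.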

Using preset port lists

Default port scan

Nmap ships a services file, nmap-services, that lists well-known ports together with how often each one was found open. When -p is not given, Nmap scans the 1000 most common ports for each protocol being scanned, ranked by that frequency data. If the frequency column is unavailable (for example with a custom nmap-services), Nmap falls back to scanning every named port plus ports 1-1024.

Scanning fewer ports

The -F option cuts the default list from 1000 ports down to the 100 most common ones, so the scan finishes much faster.

  • -F: fast scan (the top 100 ports per protocol)
# Fast scan of the target: the 8 open ports shown plus the 92 closed ones add up to the 100 ports -F covers
$ nmap -F 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:11 CST
Nmap scan report for 192.168.1.4
Host is up (0.00021s latency).
Not shown: 92 closed tcp ports (reset)
PORT STATE SERVICE
25/tcp open smtp
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10000/tcp open snet-sensor-mgmt

Common port scan

Common ports are the ones most often found open, ranked by the frequency data in nmap-services (21, 22, 23, 80, 443 and so on).

  • --top-ports <N>: scan the N highest-ranked ports
  • --port-ratio <ratio>: scan every port whose open frequency is at least <ratio>, a value between 0 and 1
# Scan the five most commonly open ports (-Pn skips host discovery)
$ nmap -Pn --top-ports 5 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:15 CST
Nmap scan report for 192.168.1.4
Host is up (0.00037s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
# Scan every port whose open frequency is at least 0.2
$ nmap -Pn --port-ratio 0.2 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:17 CST
Nmap scan report for 192.168.1.4
Host is up (0.00035s latency).
PORT STATE SERVICE
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
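An added example, not from the original post and not Nmap's code: how --top-ports and --port-ratio select ports from the frequency column of nmap-services. The nmap-services excerpt embedded below is constructed for the demo (the frequencies are illustrative, not a copy of the real file), and the function names are this example's own; with these values the selections reproduce the two scans above, including why port 21 drops out at a ratio of 0.2. Whether a port sitting exactly on the threshold is kept is this example's choice (inclusive).

```python
"""Rank ports by open-frequency the way --top-ports and --port-ratio do.

Added example, not Nmap's own code. The nmap-services lines below are a
constructed excerpt in the file's format: name  port/proto  frequency  # comment.
"""
from typing import List, NamedTuple


class Service(NamedTuple):
    name: str
    port: int
    proto: str
    freq: float


SAMPLE_NMAP_SERVICES = """\
# Constructed excerpt: service name, port/protocol, open-frequency, comment
ftp	21/tcp	0.197667	# File Transfer [Control]
ssh	22/tcp	0.182286	# Secure Shell Login
telnet	23/tcp	0.221265
smtp	25/tcp	0.131314	# Simple Mail Transfer
domain	53/udp	0.213496	# Domain Name Server
http	80/tcp	0.484143	# World Wide Web HTTP
netbios-ns	137/udp	0.365163	# NETBIOS Name Service
https	443/tcp	0.208669	# secure http (SSL)
mysql	3306/tcp	0.045390
"""


def parse_nmap_services(text: str) -> List[Service]:
    """Parse nmap-services lines; entries without a frequency column are skipped
    because they cannot be ranked (Nmap then falls back to 1-1024 plus named ports)."""
    services = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        port_s, proto = fields[1].split("/", 1)
        services.append(Service(fields[0], int(port_s), proto, float(fields[2])))
    return services


def top_ports(services: List[Service], n: int, proto: str = "tcp") -> List[int]:
    """Ports --top-ports N picks for one protocol: the N highest frequencies."""
    ranked = sorted((s for s in services if s.proto == proto),
                    key=lambda s: s.freq, reverse=True)
    return sorted(s.port for s in ranked[:n])


def ports_above_ratio(services: List[Service], ratio: float, proto: str = "tcp") -> List[int]:
    """Ports --port-ratio R picks: every port of that protocol with frequency >= R."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0 and 1")
    return sorted(s.port for s in services if s.proto == proto and s.freq >= ratio)
```

With this excerpt top_ports(..., 5) gives 21, 22, 23, 80 and 443 and ports_above_ratio(..., 0.2) gives 23, 80 and 443, the same two lists the scans above produced.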

Excluding ports

  • --exclude-ports <port list>: leave the listed ports out of the scan; takes the same syntax as -p

Sequential scan

By default Nmap randomizes the order in which ports are scanned (after moving a few very common ports near the front for efficiency), which makes the scan less predictable for a firewall or IDS watching it. The -r option disables the shuffling and scans the ports in ascending order.

  • -r: scan ports sequentially

TCP scans

TCP SYN scan

The TCP SYN scan is known as a half-open scan: Nmap sends a TCP SYN to the target port and never completes the three-way handshake. It is the default scan type when Nmap has raw-packet privileges (root), and it is fast and relatively unobtrusive because no full connection is ever established for the application to log.

Deciding that a port is open

  1. Nmap sends a SYN packet to the target port
  2. The target answers with SYN/ACK, which means the port is open
  3. Instead of completing the handshake, a RST goes back to the target, so the connection is torn down before the application ever sees it

Deciding that a port is closed

  1. Nmap sends a SYN packet to the target port
  2. The target answers with RST: nothing is listening, so the port is closed

If no response arrives even after retransmission, or an ICMP unreachable error (type 3 with code 1, 2, 3, 9, 10 or 13) comes back, the port is marked filtered.

Running the scan

The -sS option selects a TCP SYN scan.

  • -sS: nmap -p <port> -sS <target>; s stands for scan, S for SYN
# SYN scan of ports 22 and 80 on localhost. -P0 is the old spelling of -Pn (skip host discovery); --send-ip sends raw IP packets rather than Ethernet frames, which the loopback interface requires
$ nmap --packet-trace -P0 --send-ip -sS -p22,80 localhost
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:11 CST
SENT (0.1427s) TCP 127.0.0.1:53857 > 127.0.0.1:22 S ttl=47 id=28445 iplen=44 seq=2898988191 win=1024 <mss 1460>
SENT (0.1428s) TCP 127.0.0.1:53857 > 127.0.0.1:80 S ttl=53 id=9634 iplen=44 seq=2898988191 win=1024 <mss 1460>
# On loopback Nmap also captures its own outgoing SYNs as RCVD lines; the RST/ACK replies from 22 and 80 mean both ports are closed
RCVD (0.1425s) TCP 127.0.0.1:53857 > 127.0.0.1:22 S ttl=47 id=28445 iplen=44 seq=2898988191 win=1024 <mss 1460>
RCVD (0.1426s) TCP 127.0.0.1:22 > 127.0.0.1:53857 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (0.1428s) TCP 127.0.0.1:53857 > 127.0.0.1:80 S ttl=53 id=9634 iplen=44 seq=2898988191 win=1024 <mss 1460>
RCVD (0.1428s) TCP 127.0.0.1:80 > 127.0.0.1:53857 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0082s latency).
PORT STATE SERVICE
22/tcp closed ssh
80/tcp closed http
# SYN scan of a filtered port: neither the SYN nor its retransmission gets any reply
$ nmap --packet-trace -P0 --send-ip -sS -p5000 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:14 CST
SENT (0.1563s) TCP 192.168.43.245:36498 > 121.199.61.226:5000 S ttl=41 id=10955 iplen=44 seq=4261193794 win=1024 <mss 1460>
SENT (1.1574s) TCP 192.168.43.245:36500 > 121.199.61.226:5000 S ttl=42 id=41082 iplen=44 seq=4261324864 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# No latency figure here because -P0 skipped host discovery; the host is simply assumed up
Host is up.
PORT STATE SERVICE
5000/tcp filtered upnp

TCP connect scan

The TCP connect scan uses the operating system's connect() call to complete a full three-way handshake with each port. It needs no raw-socket privileges, which is why it is the default for unprivileged users, but it takes longer, and every open port sees a real connection that the service may log.

  • -sT: nmap -sT -p<port> <target>; s stands for scan, T for TCP connect
# Connect scan of port 80 on the target: --packet-trace shows connect() calls (CONN lines) instead of raw packets
$ nmap --packet-trace -P0 -sT -p80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:23 CST
CONN (0.0619s) TCP localhost > 121.199.61.226:80 => Operation now in progress
CONN (0.0909s) TCP localhost > 121.199.61.226:80 => Connected
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.029s latency).

PORT STATE SERVICE
80/tcp open http

TCP ACK scan

The ACK scan sends a bare ACK segment. It never determines whether a port is open: an unfiltered port, open or closed alike, answers with RST, while no response (or an ICMP unreachable error) means a filter dropped the probe. Its purpose is mapping firewall rules, in particular telling a stateful firewall from a simple packet filter.

  • -sA: TCP ACK scan; s stands for scan, A for ACK
# ACK scan of port 80: both ACK probes are dropped, so the port is filtered even though the SYN scan above found it open. That pattern is what a stateful firewall produces: it admits the SYN but drops an ACK that belongs to no tracked connection
$ nmap --packet-trace -P0 -sA -p80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:32 CST
SENT (0.1522s) TCP 192.168.43.245:63597 > 121.199.61.226:80 A ttl=44 id=4399 iplen=40 seq=0 win=1024
SENT (1.1537s) TCP 192.168.43.245:63599 > 121.199.61.226:80 A ttl=37 id=56895 iplen=40 seq=0 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT STATE SERVICE
80/tcp filtered http

TCP Window scan

The Window scan sends the same ACK probe as the ACK scan but also inspects the TCP window field of any RST that comes back: a positive window is taken to mean open, a zero window closed. This depends on an implementation quirk that only some systems have, so on many targets every port shows as closed (or, with -sA, unfiltered) and the result should be confirmed with another scan type.

  • -sW: TCP Window scan; s stands for scan, W for Window (the TCP window field, not the operating system)
# Window scan of port 1000: the RST comes back with win=0, so the port is reported closed
$ nmap --packet-trace -P0 -sW -p1000 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:37 CST
SENT (0.1192s) TCP 192.168.43.245:39318 > 192.168.1.1:1000 A ttl=58 id=6765 iplen=40 seq=0 win=1024
RCVD (0.1214s) TCP 192.168.1.1:1000 > 192.168.43.245:39318 R ttl=63 id=15788 iplen=40 seq=1317417045 win=0
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0023s latency).
PORT STATE SERVICE
1000/tcp closed cadlock

TCP NULL scan

The NULL scan sends a TCP segment with no flags set at all. RFC 793 requires a closed port to answer such a segment with RST and an open port to ignore it, so a RST means closed and silence means open|filtered. Windows, Cisco IOS and several other stacks ignore this rule and send RST regardless of port state, so a NULL scan that reports every port closed points to a non-RFC-compliant stack rather than proving anything about the ports: a hint about the operating system, not an OS fingerprint.

  • -sN: TCP NULL scan; s stands for scan, N for NULL
# NULL scan of port 80: the flag-less probes (note the missing flag letters in the SENT lines) get no reply, so the port is open|filtered; the SYN scan above already showed it open
$ nmap --packet-trace -P0 -sN -p80 --send-ip www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:45 CST
SENT (0.1435s) TCP 192.168.43.245:46295 > 121.199.61.226:80 ttl=39 id=45479 iplen=40 seq=2262490571 win=1024
SENT (1.1450s) TCP 192.168.43.245:46297 > 121.199.61.226:80 ttl=53 id=47816 iplen=40 seq=2262359497 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT STATE SERVICE
80/tcp open|filtered http

TCP FIN scan

The FIN scan works like the NULL scan but sets only the FIN flag, the flag normally used to close a connection. Responses are read the same way: RST means closed, no response means open|filtered.

  • -sF: TCP FIN scan

TCP Xmas scan

The Xmas scan sets the FIN, PSH and URG flags together, lighting the packet up like a Christmas tree; responses are interpreted as for the NULL and FIN scans.

  • -sX: TCP Xmas scan

TCP Maimon scan

The Maimon scan sends FIN/ACK. RFC 793 says such a probe should draw a RST whether the port is open or closed, but many BSD-derived systems drop it when the port is open, which is what makes the open|filtered versus closed distinction work on those targets.

  • -sM: TCP Maimon scan

Idle scan

The idle scan (-sI) spoofs the IP address of an idle third host, the zombie, so the target never sees a packet from the scanner. Nmap reads the port state indirectly from the zombie's IP ID counter: it probes the zombie to note its current IP ID, sends a SYN to the target with the zombie's source address, then probes the zombie again. An open port makes the target send SYN/ACK to the zombie, which answers with RST and so burns one extra IP ID; a closed or filtered port does not (a closed port's RST is simply ignored by the zombie). The zombie must therefore be genuinely idle and assign IP IDs from a single incrementing counter.

  1. Find a suitable zombie with the ipidseq script

    nmap -p80 --script ipidseq -iR <num hosts>
    nmap -p80 --script ipidseq <target>
  2. Run the idle scan against the target through that zombie

    nmap --packet-trace -P0 --send-ip -p22,80 -sI 192.168.1.1 192.168.1.5
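An added example, not from the original post and not Nmap's code, that spells out the arithmetic behind the two steps above. classify_ipid_sequence approximates the classes the ipidseq script reports for a candidate zombie (the thresholds used here are this example's own assumptions, not Nmap's source), idle_probe models one spoofed-SYN round against a zombie's counter, and idle_scan_state applies the "did the IP ID jump by one or by two" rule; all function names are this example's own.

```python
"""IP ID reasoning behind the ipidseq script and the idle scan (-sI).

Added example, not Nmap's own code. The sequence classes approximate what
ipidseq reports; the thresholds below are this example's assumptions.
"""
from typing import List, Tuple


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive 16-bit IP IDs, modulo the wrap at 65536."""
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids: List[int]) -> str:
    """Classify IP IDs taken from consecutive replies of a candidate zombie.

    Only "Incremental" is a usable zombie: a global counter that goes up by
    exactly one per packet sent, so one foreign packet is visible as a gap.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "All zeros"                      # IP ID never set: useless as a zombie
    d = ipid_deltas(ids)
    if all(x == 0 for x in d):
        return "Constant"
    if all(x == 1 for x in d):
        return "Incremental"
    if all(x == 256 for x in d):
        return "Broken little-endian incremental"   # counter stored byte-swapped
    if all(x >= 20000 for x in d):              # assumption: large jumps mean randomized
        return "Randomized"
    return "Busy server or unknown class"       # small irregular gaps: other traffic present


def idle_probe(zombie_counter: int, port_open: bool, noise: int = 0) -> Tuple[int, int, int]:
    """Model one idle-scan round. The zombie stamps each packet it sends with its
    counter and increments it. Returns (ipid_before, ipid_after, new_counter),
    where before/after are the IDs on the zombie's replies to Nmap's own SYN/ACK
    probes that bracket the spoofed SYN; `noise` is packets the zombie sent to
    someone else meanwhile (a non-idle zombie)."""
    before = zombie_counter
    counter = zombie_counter + 1                # zombie answers probe 1 with RST
    if port_open:
        counter += 1                            # target's SYN/ACK reaches the zombie; zombie RSTs it
    counter += noise
    after = counter
    counter += 1                                # zombie answers probe 2 with RST
    return before, after, counter % 65536


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """Port state from the zombie's IP IDs before and after one spoofed SYN.
    The second reply itself consumes one ID, so a delta of 1 means the zombie
    sent nothing in between (closed or filtered) and 2 means it sent one RST (open)."""
    delta = (ipid_after - ipid_before) % 65536
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown (zombie not idle or IP ID not incremental)"
```

The modulo arithmetic matters: a zombie whose counter wraps from 65535 to 0 during the round still yields a delta of 2 for an open port, and any delta above 2 is noise that Nmap would resolve by re-probing rather than guessing.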

Custom TCP scans

Arbitrary combinations of TCP flags can be sent with --scanflags, for example to slip probes past a firewall that only recognizes the standard scan types. The argument is either a numeric flag value or a string built from the names URG, ACK, PSH, RST, SYN and FIN in any order (URGACKPSHRSTSYNFIN sets everything). A base scan type such as -sA or -sF can be added to tell Nmap how to interpret the responses; without one, the SYN scan rules are used.

  • --scanflags <flags>: TCP scan with a custom flag set
# Send a TCP segment with SYN and ACK set (SA in the trace) to port 22 on the target; the abbreviated option name works because Nmap accepts unambiguous prefixes of long options
$ nmap --packet-trace -P0 --scanflag SYNACK -p22 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:07 CST
SENT (0.1435s) TCP 192.168.43.245:47955 > 121.199.61.226:22 SA ttl=47 id=55190 iplen=44 seq=4070795902 win=1024 <mss 1460>
SENT (1.1450s) TCP 192.168.43.245:47957 > 121.199.61.226:22 SA ttl=48 id=34860 iplen=44 seq=4238387972 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
# No reply to either probe: under the default SYN-scan interpretation that means filtered
PORT STATE SERVICE
22/tcp filtered ssh

UDP scan

The UDP scan probes UDP services. Nmap sends an empty datagram to each port (plus a protocol-specific payload for well-known ports) and reads the result as follows: an ICMP port unreachable error (type 3, code 3) means closed; other ICMP unreachable errors (type 3 with code 1, 2, 9, 10 or 13) mean filtered; a UDP reply means open; and no response means open|filtered, because many services simply ignore datagrams they do not understand. UDP scans are slow, since most systems rate-limit ICMP errors, and adding -sV helps resolve open|filtered ports by speaking real protocols to them.

  • -sU: UDP port scan
# UDP scan of ports 53 and 137 on the target
$ nmap --packet-trace -Pn -sU -p53,137 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:31 CST
# Three probes to 137 (NetBIOS name-service payloads) and two to 53 (an empty datagram and a DNS query)
SENT (0.1179s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=48 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=47 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=47 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:53 ttl=43 id=24467 iplen=40
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:53 ttl=40 id=24467 iplen=58
# ICMP port unreachable for 137: closed
RCVD (0.1228s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36572 iplen=106 ]
RCVD (0.1233s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36573 iplen=106 ]
RCVD (0.1244s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36574 iplen=106 ]
# Nothing from 53 even after the retransmission: open|filtered
SENT (1.2197s) UDP 192.168.43.245:49228 > 192.168.1.1:53 ttl=59 id=61097 iplen=40
SENT (1.2198s) UDP 192.168.43.245:49228 > 192.168.1.1:53 ttl=38 id=61097 iplen=58
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0049s latency).
PORT STATE SERVICE
53/udp open|filtered domain
137/udp closed netbios-ns

IP protocol scan

The IP protocol scan does not look at ports at all. It sends raw IP packets with different values in the protocol field to find out which IP protocols (ICMP, TCP, UDP, IGMP and so on) the host handles. For TCP, UDP, ICMP, IGMP and a few others Nmap fills in a proper protocol header; for every other protocol the packet carries only an IP header. An ICMP protocol unreachable error (type 3, code 2) means closed, any other response in the probed protocol means open, other ICMP unreachable errors mean filtered, and no response means open|filtered.

nmap -p<protocol list> -sO <target>
  • -p: here selects protocol numbers rather than port numbers
  • -sO: IP protocol scan
# Probe whether the host handles protocols 1 (ICMP) and 6 (TCP)
$ nmap --packet-trace -p1,6 -sO www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:38 CST
# Host discovery as usual
SENT (0.3020s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=56986 seq=0] IP [ttl=39 id=32415 iplen=28 ]
SENT (0.3020s) TCP 192.168.43.245:44211 > 121.199.61.226:443 S ttl=53 id=39451 iplen=44 seq=480974220 win=1024 <mss 1460>
SENT (0.3020s) TCP 192.168.43.245:44211 > 121.199.61.226:80 A ttl=37 id=58089 iplen=40 seq=0 win=1024
SENT (0.3020s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=49360 seq=0 orig=0 recv=0 trans=0] IP [ttl=40 id=53077 iplen=40 ]
# SYN/ACK from 443: the host is up
RCVD (0.3320s) TCP 121.199.61.226:443 > 192.168.43.245:44211 SA ttl=116 id=8877 iplen=44 seq=1395080373 win=8192 <mss 1400>
# Protocol scan probes: a TCP header (an ACK to port 80) for protocol 6 and an ICMP echo request for protocol 1
SENT (0.4922s) TCP 192.168.43.245:44467 > 121.199.61.226:80 A ttl=45 id=8889 iplen=40 seq=1538793918 win=1024
SENT (0.4922s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=56602 seq=0] IP [ttl=45 id=64544 iplen=28 ]
# Echo reply: protocol 1 (ICMP) is open
RCVD (0.5261s) ICMP [121.199.61.226 > 192.168.43.245 Echo reply (type=0/code=0) id=56602 seq=0] IP [ttl=116 id=8880 iplen=28 ]
# The TCP probe is retransmitted and still draws nothing, so protocol 6 is open|filtered
SENT (1.6452s) TCP 192.168.43.245:44469 > 121.199.61.226:80 A ttl=59 id=41086 iplen=40 seq=3669701765 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.030s latency).
PROTOCOL STATE SERVICE
1 open icmp
6 open|filtered tcp
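To make the response rules of the TCP scan types, the UDP scan and the IP protocol scan above concrete, here is an added example (not code from the original post, and not Nmap's own) that encodes them in one classifier and applies it to --packet-trace output in the format shown throughout this page. The two traces embedded in it are constructed, the function names are this example's own, and two simplifications are assumptions of this example rather than Nmap behaviour: a TCP reply that fits no rule is treated like silence, and ICMP errors are attributed to a port only when the trace line names one (packet-trace prints "Port N unreachable" for code 3; other codes would need the quoted inner header, which it does not print).

```python
"""Decide Nmap port and protocol states from probe responses.

Added example, not Nmap's own code. classify() encodes the response rules
the Nmap reference guide gives for the SYN, ACK, Window, NULL/FIN/Xmas/Maimon,
UDP and IP protocol scans; states_from_trace() applies them to --packet-trace
lines in the format this page shows. Both traces at the bottom are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# ICMP destination-unreachable (type 3) codes Nmap reads as "filtered".
FILTERING_UNREACH_CODES = {1, 2, 3, 9, 10, 13}
# A response is None (silence), ("tcp", flags, window), ("udp",) or ("icmp", type, code).
Response = Optional[Tuple]

LINE = re.compile(r"^(?P<dir>SENT|RCVD) \([\d.]+s\) (?P<proto>TCP|UDP|ICMP) (?P<rest>.*)$")
TCP_REST = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
                      r"(?: (?P<flags>[A-Z]+))? ttl=\d+ .*?win=(?P<win>\d+)")
UDP_REST = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) ttl=")
ICMP_REST = re.compile(r"^\[(?P<src>[\d.]+) > (?P<dst>[\d.]+) Port (?P<port>\d+) unreachable "
                       r"\(type=(?P<type>\d+)/code=(?P<code>\d+)\)")


def classify(scan: str, resp: Response) -> str:
    """State for one probe. scan is the -s letter: S A W N F X M (TCP), U (UDP), O (IP protocol)."""
    kind = resp[0] if resp else None
    if kind == "icmp":
        icmp_type, code = resp[1], resp[2]
        if icmp_type == 3 and code in FILTERING_UNREACH_CODES:
            if scan == "O" and code == 2:      # protocol unreachable
                return "closed"
            if scan == "U" and code == 3:      # port unreachable: nothing listening
                return "closed"
            return "filtered"
        if scan != "O":
            kind = None                        # other ICMP says nothing about the port
    if scan == "O":                            # any reply at all proves the protocol is handled
        return "open" if kind else "open|filtered"
    if scan == "U":
        return "open" if kind == "udp" else "open|filtered"
    if kind != "tcp":                          # silence: open ports ignore N/F/X/M probes
        return "open|filtered" if scan in "NFXM" else "filtered"
    flags, win = resp[1], resp[2]
    if scan == "S":
        if "S" in flags and "A" in flags:
            return "open"
        return "closed" if "R" in flags else "filtered"
    if "R" not in flags:                       # A/W/N/F/X/M probes only ever draw a RST
        return "filtered"
    if scan == "A":
        return "unfiltered"
    if scan == "W":                            # positive window in the RST means open
        return "open" if win > 0 else "closed"
    return "closed"


def states_from_trace(scan: str, trace: str, target: str) -> Dict[Tuple[str, int], str]:
    """Map each (proto, port) probed on `target` to its state, from --packet-trace lines."""
    responses: Dict[Tuple[str, int], Response] = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        direction, proto, rest = m.group("dir"), m.group("proto"), m.group("rest")
        if proto in ("TCP", "UDP"):
            pm = (TCP_REST if proto == "TCP" else UDP_REST).match(rest)
            if not pm:
                continue
            if direction == "SENT" and pm.group("dst") == target:
                responses.setdefault((proto.lower(), int(pm.group("dport"))), None)
            elif direction == "RCVD" and pm.group("src") == target:
                key = (proto.lower(), int(pm.group("sport")))
                if proto == "TCP":
                    responses[key] = ("tcp", pm.group("flags") or "", int(pm.group("win")))
                else:
                    responses[key] = ("udp",)
        elif direction == "RCVD":
            im = ICMP_REST.match(rest)
            if im and im.group("src") == target:
                port = int(im.group("port"))
                for key in (("udp", port), ("tcp", port)):   # attribute to a probe we sent
                    if key in responses:
                        responses[key] = ("icmp", int(im.group("type")), int(im.group("code")))
                        break
    return {key: classify(scan, resp) for key, resp in responses.items()}


# Constructed SYN-scan trace: RST/ACK from 21, SYN/ACK from 25, silence from 5000.
SAMPLE_SYN_TRACE = """\
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:21 S ttl=47 id=25826 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:25 S ttl=51 id=30051 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2749s) TCP 192.168.43.245:64057 > 192.168.1.4:5000 S ttl=51 id=30052 iplen=44 seq=2509442157 win=1024 <mss 1460>
RCVD (0.2752s) TCP 192.168.1.4:25 > 192.168.43.245:64057 SA ttl=63 id=1820 iplen=44 seq=3188731922 win=64240 <mss 65495>
RCVD (0.2752s) TCP 192.168.1.4:21 > 192.168.43.245:64057 RA ttl=63 id=1818 iplen=40 seq=0 win=0
"""
# Constructed UDP-scan trace: ICMP port unreachable for 53, a UDP reply from 137, silence from 161.
SAMPLE_UDP_TRACE = """\
SENT (0.2800s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=43 id=6898 iplen=40
SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=55 id=49237 iplen=78
SENT (0.2802s) UDP 192.168.43.245:39784 > 192.168.1.4:161 ttl=55 id=49238 iplen=40
RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1842 iplen=68 ]
RCVD (0.2808s) UDP 192.168.1.4:137 > 192.168.43.245:39784 ttl=63 id=1844 iplen=185
"""
```

Running states_from_trace("S", SAMPLE_SYN_TRACE, "192.168.1.4") reproduces the closed/open/filtered verdicts of the SYN scans above, and the same RST that the SYN scan calls closed becomes unfiltered under -sA and, depending on its window field, open or closed under -sW, which is the whole point of keeping the scan type as an input to the decision rather than baking it into the parser.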

FTP bounce scan

The FTP bounce scan abuses an FTP server that still honours the protocol's old proxy feature: a PORT command may name a third-party address, and the server then opens its data connection to that host. By asking the server to connect to each port on the target and watching whether the transfer succeeds or fails, Nmap scans the target from the FTP server's address rather than its own. Most current FTP servers refuse third-party PORT arguments, so the technique rarely works today.

nmap -b [username:password@server:port] -Pn -v [target]
  • -b <FTP relay host>: FTP bounce scan; the argument has the form username:password@server:port, and anonymous login and port 21 are used when those parts are omitted
  • -v: verbose output
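An added example, not from the original post and not Nmap's code, of the FTP exchange the bounce scan rides on: building the PORT argument that points the server's data connection at the target, reading the server's replies to PORT and to the LIST that follows, and driving that through a constructed stand-in for a server that still allows third-party PORT targets so the whole flow runs offline. The reply codes follow RFC 959; the mapping of 150/226 to open and 425 to closed is how the transfer either starts or fails against the target port, and the function names and the fake server are this example's own.

```python
"""FTP bounce (-b) mechanics: the PORT / LIST exchange behind it.

Added example, not Nmap's own code. fake_ftp_server() is a constructed
stand-in for a server that allows third-party PORT targets; a real run would
replace it with a function that writes the command to a socket and reads back
the reply line.
"""
import ipaddress
from typing import Callable, Dict, Iterable


def port_command(target_ip: str, target_port: int) -> str:
    """'PORT h1,h2,h3,h4,p1,p2' (RFC 959): ask the server to open its data
    connection to target_ip:target_port instead of back to the client."""
    octets = ipaddress.IPv4Address(target_ip).packed     # raises on a bad address
    if not 0 < target_port <= 65535:
        raise ValueError("port out of range: %d" % target_port)
    return "PORT %s,%d,%d" % (",".join(str(b) for b in octets),
                               target_port >> 8, target_port & 0xFF)


def bounce_state(port_reply: str, transfer_reply: str) -> str:
    """Interpret the replies to PORT and to the transfer command after it.

    2xx to PORT, then 150/226 to LIST: the server reached the target port (open).
    2xx to PORT, then 425: the data connection was refused (closed).
    5xx to PORT: the server rejects third-party addresses, so no bounce is possible.
    Anything else is reported as unknown rather than guessed.
    """
    if port_reply.startswith("5"):
        return "bounce not permitted"
    if not port_reply.startswith("2"):
        return "unknown"
    code = transfer_reply[:3]
    if code in ("150", "226"):
        return "open"
    if code == "425":
        return "closed"
    return "unknown"


def bounce_scan(target_ip: str, ports: Iterable[int],
                send: Callable[[str], str]) -> Dict[int, str]:
    """Scan `ports` on target_ip through an FTP server reached via `send`, a
    callable that submits one command line and returns the reply line."""
    states = {}
    for port in ports:
        port_reply = send(port_command(target_ip, port))
        transfer_reply = send("LIST") if port_reply.startswith("2") else ""
        states[port] = bounce_state(port_reply, transfer_reply)
    return states


def fake_ftp_server(open_ports: Iterable[int], allow_third_party: bool = True) -> Callable[[str], str]:
    """Constructed stand-in for a bounce-capable server: it remembers the last
    PORT target and 'connects' successfully only to the ports listed as open.
    With allow_third_party=False it behaves like a hardened server."""
    open_ports = set(open_ports)
    last = {"port": None}

    def send(cmd: str) -> str:
        if cmd.startswith("PORT "):
            if not allow_third_party:
                return "500 Illegal PORT command."
            h1, h2, h3, h4, p1, p2 = (int(x) for x in cmd[5:].split(","))
            last["port"] = (p1 << 8) | p2
            return "200 PORT command successful."
        if cmd == "LIST":
            if last["port"] in open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "502 Command not implemented."
    return send
```

The hardened case is the one to check first when the option is on the table: if the server answers PORT with a 5xx for any address other than the client's own, -b cannot be used through it, and the states bounce_scan returns for the target are all "bounce not permitted" rather than port states.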