Nmap Service and OS Detection

Running service detection

Syntax for service detection:

```
nmap -sV <target>
```

-s is the scan-type prefix and V stands for Version. Service detection sends probes to every open port found by the port scan and matches the responses against the nmap-service-probes database to name the application and, where possible, its version.

```
# Service detection against 192.168.1.1
$ nmap -sV 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 21:17 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0040s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          D-Link/Comtrend DSL modem ftp firmware update
23/tcp    open  telnet       D-Link DSL-2640B ADSL router telnetd
80/tcp    open  http
445/tcp   open  netbios-ssn  Samba smbd 4.6.2
8080/tcp  open  http-proxy   ty_httpd
32768/tcp open  filenet-tms?
49152/tcp open  upnp         Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: 28:93:7D:1D:A7:90 (Sichuan Tianyi Comheart Telecom)
Service Info: Device: broadband router; CPE: cpe:/h:dlink:dsl-2640b, cpe:/h:cisco:e4200
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.08 seconds
```

A trailing ? on a service name (32768/tcp above) means the probes did not confirm the service and the name is only the nmap-services guess for that port number; an empty VERSION column without a ? (80/tcp) means the service was matched but the match carried no product or version string.

Service detection options

Probing every port

  • --allports: do not exclude any ports from version detection. By default Nmap skips the ports listed in the Exclude directive of nmap-service-probes (TCP port 9100 is the classic case: many printers print whatever is sent to them, so probing that port wastes paper). The option does not widen the port range: the run below still covers the default 1000 ports and finds the same seven services. To scan every port, combine -sV with -p-.
```
# Version detection with no excluded ports; the port range is unchanged
$ nmap -sV --allports 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 23:14 China Standard Time
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0042s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          D-Link/Comtrend DSL modem ftp firmware update
23/tcp    open  telnet       D-Link DSL-2640B ADSL router telnetd
80/tcp    open  http
445/tcp   open  netbios-ssn  Samba smbd 4.6.2
8080/tcp  open  http-proxy   ty_httpd
32768/tcp open  filenet-tms?
49152/tcp open  upnp         Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: 28:93:7D:1D:A7:90 (Sichuan Tianyi Comheart Telecom)
Service Info: Device: broadband router; CPE: cpe:/h:dlink:dsl-2640b, cpe:/h:cisco:e4200
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.43 seconds
```

Probe intensity

Every probe in nmap-service-probes carries a rarity value from 1 to 9, and the intensity sets the highest rarity Nmap will send to a port (probes registered for that port number are always tried regardless). A higher intensity therefore sends more probes, which makes correct identification more likely but slows the scan.

  • --version-intensity <0-9>: set the version-scan intensity; the default is 7
  • --version-light: the same as --version-intensity 2 (faster, fewer probes)
  • --version-all: the same as --version-intensity 9 (every probe is tried)
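
The script below is an added example, not code from the original page or from the Nmap project. It works over an nmap -sV report offline (a constructed sample modelled on the scan of 192.168.1.1 above; nothing is sent to the network): it lists each open port with its service and version, picks out the ports whose service name carries a trailing ? (the name came from the nmap-services port table, not from a probe match) or whose version column is empty, and builds the targeted follow-up: re-probe only those ports with --version-all instead of rescanning everything at intensity 9. The function names parse_services, unconfirmed_ports and rescan_cmd are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or from Nmap): triage an
# `nmap -sV` report offline. NMAP_REPORT is a constructed sample modelled on
# the page's scan of 192.168.1.1; nothing here touches the network.
NMAP_REPORT='Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 21:17 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0040s latency).
Not shown: 993 closed tcp ports (reset)
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          D-Link/Comtrend DSL modem ftp firmware update
23/tcp    open  telnet       D-Link DSL-2640B ADSL router telnetd
80/tcp    open  http
445/tcp   open  netbios-ssn  Samba smbd 4.6.2
8080/tcp  open  http-proxy   ty_httpd
32768/tcp open  filenet-tms?
49152/tcp open  upnp         Cisco-Linksys E4200 WAP upnpd (UPnP 1.0)
MAC Address: 28:93:7D:1D:A7:90 (Sichuan Tianyi Comheart Telecom)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 145.08 seconds'

# One tab-separated line per open port: port, service name, version string.
# Only rows of the form "<port>/<proto> open ..." are port rows; the header,
# "Not shown" and MAC lines are skipped.
parse_services() {
    printf '%s\n' "$NMAP_REPORT" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            split($1, p, "/")
            ver = ""
            for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
            printf "%s\t%s\t%s\n", p[1], $3, ver
        }'
}

# Ports whose service was not pinned down: a trailing "?" on the name means
# it came from the nmap-services port table rather than a probe match, and
# an empty version column means the match carried no product information.
# Output is a comma-separated list ready for -p.
unconfirmed_ports() {
    parse_services | awk -F'\t' '
        $2 ~ /\?$/ || $3 == "" { out = out (out == "" ? "" : ",") $1 }
        END { print out }'
}

# Follow-up command: re-probe only the unconfirmed ports with every probe
# (--version-all is --version-intensity 9) instead of rescanning all ports
# at full intensity. Add --version-trace to watch which probes are sent.
rescan_cmd() {
    target=$1
    ports=$(unconfirmed_ports)
    if [ -z "$ports" ]; then
        echo "all services confirmed; no rescan needed"
    else
        echo "nmap -sV --version-all -p $ports $target"
    fi
}

parse_services
rescan_cmd 192.168.1.1
```

Feed a real report in with NMAP_REPORT=$(nmap -sV target) or by reading a saved -oN file; the parser only relies on the PORT/STATE/SERVICE/VERSION row layout, which is the same in both.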

Debug output

  • --version-trace: print detailed version-scan activity (which probes are sent to which ports); it is a subset of the --packet-trace output and is the first thing to check when a service is misidentified

OS detection

  • -O: detect the target host's operating system (O for OS). Nmap sends a series of TCP, UDP and ICMP probes and compares the responses against the nmap-os-db fingerprint database; it needs raw-packet privileges (root, or an administrator account with Npcap on Windows). The run below also passes -Pn, which skips host discovery and treats the target as up.
```
# OS detection against the target host; -Pn skips host discovery
$ nmap -Pn -O 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 23:31 China Standard Time
Nmap scan report for DIAOAN (192.168.1.4)
Host is up (0.00048s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
25/tcp    open  smtp
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2179/tcp  open  vmrdp
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10000/tcp open  snet-sensor-mgmt
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/28%OT=25%CT=1%CU=44770%PV=Y%DS=0%DC=L%G=Y%TM=61F40C6
OS:D%P=i686-pc-windows-windows)SEQ(SP=106%GCD=2%ISR=10C%TI=I%CI=I%II=I%SS=S
OS:%TS=U)OPS(O1=MFFD7NW8NNS%O2=MFFD7NW8NNS%O3=MFFD7NW8%O4=MFFD7NW8NNS%O5=MF
OS:0)ECN(R=Y%DF=Y%T=40%W=FFFF%O=MFFD7NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y
OS:%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=O%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=Z)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```

Because nothing in nmap-os-db matched, Nmap prints the raw fingerprint, wrapped into OS: lines in the form accepted at the submission URL it shows. Network Distance: 0 hops means the scanned address belongs to the scanning host itself.

OS detection options

  • --osscan-limit: only attempt OS detection against hosts that have at least one open and one closed TCP port; hosts that do not meet this condition are skipped. Fingerprints taken without both kinds of port are unreliable, so this saves time on sweeps of many hosts.
  • --osscan-guess / --fuzzy: guess more aggressively. When there is no exact match, Nmap already reports very close near-matches as "Aggressive OS guesses" with a percentage; these options lower that threshold so that looser matches are reported too. This is not fuzz testing; it only relaxes the match criteria.
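
The script below is an added example, not code from the original page or from the Nmap project. It works over an nmap -O report offline (a constructed sample based on the scan of 192.168.1.4 above; the fingerprint is shortened to a few complete test groups so that it parses cleanly, and nothing is sent to the network). It applies the rule behind --osscan-limit to the port table (at least one open and one closed TCP port, with the closed count taken from the "Not shown: N closed tcp ports" line), reassembles the wrapped OS: lines into the single-line fingerprint that Nmap matches and that you would submit, and looks up individual attributes, for example the TTL in the T1 test (T is hexadecimal, so T=40 is a TTL of 64). The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or from Nmap): work over an
# `nmap -O` report offline. OS_REPORT is a constructed sample based on the
# page's scan of 192.168.1.4; the fingerprint is shortened to complete test
# groups so that it parses cleanly. Nothing here touches the network.
OS_REPORT='Nmap scan report for DIAOAN (192.168.1.4)
Host is up (0.00048s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE
25/tcp    open  smtp
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2179/tcp  open  vmrdp
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10000/tcp open  snet-sensor-mgmt
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/28%OT=25%CT=1%CU=44770%PV=Y%DS=0%DC=L%G=Y%TM=61F40C6
OS:D%P=i686-pc-windows-windows)SEQ(SP=106%GCD=2%ISR=10C%TI=I%CI=I%II=I%SS=S
OS:%TS=U)ECN(R=Y%DF=Y%T=40%W=FFFF%O=MFFD7NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=Z%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=Z)
Network Distance: 0 hops'

# The rule behind --osscan-limit: OS detection needs at least one open and
# one closed TCP port (the closed-port probes are part of the fingerprint).
# Open ports come from the table; closed ones from closed rows plus the
# "Not shown: N closed tcp ports" summary line.
osscan_worthwhile() {
    printf '%s\n' "$OS_REPORT" | awk '
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open"   { open++ }
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "closed" { closed++ }
        /^Not shown:/ && match($0, /[0-9]+ closed tcp/) {
            closed += substr($0, RSTART, RLENGTH) + 0
        }
        END {
            printf "open=%d closed=%d osscan=%s\n", open, closed,
                   (open > 0 && closed > 0) ? "yes" : "no"
        }'
}

# Reassemble the wrapped "OS:" lines into the single-line fingerprint that
# Nmap matches against nmap-os-db and that is submitted at nmap.org.
join_fingerprint() {
    printf '%s\n' "$OS_REPORT" | awk '/^OS:/ { printf "%s", substr($0, 4) } END { print "" }'
}

# Names of the test groups present, e.g. "SCAN SEQ ECN T1 U1 IE".
fp_tests() {
    join_fingerprint | awk '{
        n = split($0, g, ")")
        for (i = 1; i <= n; i++) {
            if (g[i] == "") continue
            sub(/\(.*/, "", g[i])
            printf "%s%s", (i > 1 ? " " : ""), g[i]
        }
        print ""
    }'
}

# One attribute of one test: `fp_get T1 T` -> 40, `fp_get SCAN V` -> 7.92.
fp_get() {
    join_fingerprint | awk -v test="$1" -v attr="$2" '{
        n = split($0, g, ")")
        for (i = 1; i <= n; i++) {
            if (index(g[i], (test "(")) != 1) continue
            m = split(substr(g[i], length(test) + 2), kv, "%")
            for (j = 1; j <= m; j++) {
                eq = index(kv[j], "=")
                if (substr(kv[j], 1, eq - 1) == attr) { print substr(kv[j], eq + 1); exit }
            }
        }
    }'
}

# TTL seen on the T1 (SYN to an open port) response, in decimal. T is
# hexadecimal in the fingerprint, so T=40 is 64; at Network Distance 0 the
# observed TTL is the initial TTL.
fp_ttl() {
    t=$(fp_get T1 T)
    [ -n "$t" ] || return 1
    echo $(( 0x$t ))
}

osscan_worthwhile
fp_tests
echo "T1 TTL: $(fp_ttl) (T=$(fp_get T1 T))"
```

Point OS_REPORT at a real -oN file to compare fingerprints between scans; attributes such as T, TI (IP ID generation) and W (window size) are the ones that most often separate candidate systems when a match is only approximate.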