1. Introduction to Nmap

1. An open-source, free tool for network exploration and security auditing
2. Nmap is used to detect live hosts and the services they expose, and to perform a security audit of the target
3. Functions: host discovery, port scanning, version detection, OS detection
4. Mainly used on internal networks, specifically to find out which ports are open
5. Nmap can only scan IPs it can actually reach; it can scan IPs on the same network segment

2. Some common parameters

  1. -T4 sets the timing level of the scan; a higher level scans faster but is also more easily blocked by a firewall or IDS, so T4 is generally recommended
  2. -sn: host discovery only, no port scan
  3. -O: OS detection

    --osscan-guess: when there is no exact match, force Nmap to show the closest OS guess

  4. -sV: service version detection
  5. -p: scan the specified ports
  6. -sS: SYN scan (sends SYN packets)
  7. -sT: TCP connect scan
  8. -sA: ACK scan (sends ACK packets)
  9. -sU: UDP scan
  10. -P0: do not ping
  11. --script: run the specified script(s)
  12. -Pn: skip host discovery (no ping check)
  13. -p-: scan all 65535 ports (instead of the default 1000)

3. Some examples

1. Scanning the local machine
nmap 192.168.xxx.xxx
nc -lvp 8888 # open a listening port
# the port is detected
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.178.130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-18 09:13 EDT
Nmap scan report for 192.168.178.130
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
8888/tcp open sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Port range: 0-65535
Two different programs cannot share the same port

2. Counting the machines on the same subnet
nmap 192.xxx.xxx.0/24

Class A /8, Class B /16, Class C /24

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.178.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 09:32 EDT
Nmap scan report for 192.168.178.1
Host is up (0.00032s latency).
All 1000 scanned ports on 192.168.178.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.178.2
Host is up (0.00010s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F6:6C:BA (VMware)

Nmap scan report for 192.168.178.254
Host is up (0.000099s latency).
All 1000 scanned ports on 192.168.178.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:E7:15:C1 (VMware)

Nmap scan report for 192.168.178.130
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.178.130 are in ignored states.
Not shown: 1000 closed tcp ports (reset)

Nmap done: 256 IP addresses (4 hosts up) scanned in 8.50 seconds

Normally 192.xxx.xxx.1 is the router and 192.xxx.xxx.2 is the gateway
In VM NAT mode, 192.xxx.xxx.1 is the physical host
See another post (placeholder for now): network programming
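The /24 target above makes nmap report "256 IP addresses", because a CIDR block includes its network and broadcast addresses. The following is an added example (not part of the original post) that computes, in plain POSIX sh, which addresses a target such as 192.168.178.0/24 covers; it generalises the /8, /16 and /24 cases in the text to any prefix length. The function names (`ip_to_int`, `int_to_ip`, `cidr_range`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: work out which addresses an nmap
# CIDR target such as 192.168.178.0/24 actually covers. Pure POSIX sh arithmetic.

# dotted quad -> 32-bit integer
ip_to_int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "<network> <broadcast> <address count>"
# The count matches what nmap reports as "N IP addresses" for that target,
# since nmap scans every address in the block, network and broadcast included.
cidr_range() {
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    # mask with the top N bits set; sh arithmetic is 64-bit, so the shift is safe
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    n=$(ip_to_int "$ip")
    network=$(( n & mask ))
    broadcast=$(( network | (~mask & 0xFFFFFFFF) ))
    count=$(( 1 << (32 - prefix) ))
    echo "$(int_to_ip "$network") $(int_to_ip "$broadcast") $count"
}

# The scan in the post targeted 192.168.178.0/24 and nmap reported 256 addresses:
cidr_range 192.168.178.130/24
cidr_range 10.20.30.40/8
```

Run it before a subnet scan to confirm the block is the one you intend: a stray /16 on a production network touches 65536 addresses rather than 256.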

3. Host discovery only
nmap -T4 -sn 192.168.178.130
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -sn 192.168.178.130
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 09:52 EDT
Nmap scan report for 192.168.178.130
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds

4. OS detection
sudo nmap -O --osscan-guess 192.168.178.130

5. Other scans
nmap 192.168.178.130 -O -sV -T4 -sS -p 22
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.178.130 -O -sV -T4 -sS -p 22
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 10:10 EDT
Nmap scan report for 192.168.178.130
Host is up (0.000062s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9p2 Debian 1 (protocol 2.0)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:6
OS details: Linux 2.6.32, Linux 5.0 - 6.2
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds

Port states: open, closed, filtered, unfiltered (the port state cannot be determined)

nmap 192.168.178.130 -O -sV -T4 -sS -p 40000-65535

SYN: Synchronize Sequence Numbers. It is the handshake signal used when establishing a TCP/IP connection. When a normal TCP connection is set up between a client and a server, the client first sends a SYN message, the server replies with SYN+ACK to indicate that it received the message, and finally the client responds with an ACK. Only then is a reliable TCP connection established between client and server, and only then can data be exchanged between them. The SYN is the first packet of a TCP connection and is a very small packet. A SYN attack consists of large numbers of such packets; because they appear to come from sites that do not actually exist, they cannot be handled effectively. Each spoofed packet costs the machine a few seconds of retries before it gives up on providing a normal response.
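The scan reports above list ports by state (open, closed, filtered), and a subnet scan produces one such block per host. The following is an added example (not part of the original post) that summarises nmap's human-readable report into one line per host, counting ports by state and listing the open ones, so a large scan can be reviewed at a glance. The sample report is constructed, modelled on the output shown in the post, and the function name `summarize_nmap` is my own; it assumes the plain-text report format nmap prints, with "Nmap scan report for <ip>" lines that carry no reverse-DNS name.

```shell
#!/bin/sh
# Added example, not from the original post: turn nmap's human-readable report
# into one summary line per host, counting ports by state (open / filtered /
# closed) and listing the open ones. Input format assumed: the plain-text
# report nmap prints, as in the scans above.

# Constructed sample modelled on the output in the post (not a real scan).
SAMPLE_SCAN='Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 09:32 EDT
Nmap scan report for 192.168.178.2
Host is up (0.00010s latency).
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
MAC Address: 00:50:56:F6:6C:BA (VMware)

Nmap scan report for 192.168.178.254
Host is up (0.000099s latency).
All 1000 scanned ports on 192.168.178.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:E7:15:C1 (VMware)

Nmap scan report for 192.168.178.130
Host is up (0.0000040s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE    SERVICE
8888/tcp open     sun-answerbook
9999/tcp filtered abyss

Nmap done: 256 IP addresses (3 hosts up) scanned in 8.50 seconds'

# summarize_nmap: reads a report on stdin and prints, per host,
#   <host> open=<n> filtered=<n> closed=<n> [ports=<port/proto/service>,...]
summarize_nmap() {
    awk '
    function flush() {
        if (host == "") return
        printf "%s open=%d filtered=%d closed=%d%s\n", host, st["open"] + 0, st["filtered"] + 0, st["closed"] + 0, (ports != "" ? " ports=" ports : "")
    }
    # a new host block starts: emit the previous host and reset its counters
    /^Nmap scan report for / { flush(); host = $5; ports = ""; split("", st) }
    # "Not shown: 998 closed tcp ports (reset)" -> bulk count for that state
    /^Not shown: / { st[$4] += $3 }
    # explicit port lines such as "22/tcp open ssh ..."
    /^[0-9]+\/(tcp|udp|sctp) / {
        st[$2]++
        if ($2 == "open") ports = ports (ports != "" ? "," : "") $1 "/" $3
    }
    END { flush() }'
}

printf '%s\n' "$SAMPLE_SCAN" | summarize_nmap
```

For anything beyond a quick look, prefer nmap's machine-readable outputs (`-oG` for grepable, `-oX` for XML) over parsing the human-readable report, whose wording can change between versions; this awk filter is for reviewing the report format shown above.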

6. Script scanning
cd /usr/share/nmap/scripts # script directory
nmap --script=vuln 192.168.178.130 # a script category that checks for common vulnerabilities
nmap --script=exploit 192.168.178.130 # uses known vulnerabilities to break into the system