https://nmap.org/man/zh/
Nmap ("Network Mapper") is an open-source tool for network exploration and security auditing.
It was designed to scan large networks quickly, although it works just as well against a single host.
Nmap uses raw IP packets in novel ways:
Although Nmap is usually used for security audits, many system and network administrators also rely on it for routine work such as taking inventory of a network, managing service upgrade schedules, and monitoring host and service uptime.
Nmap's output is a list of scanned targets with supplemental information about each; which information depends on the options used. The key part is the "interesting ports table", which lists each port's number, protocol, service name and state.
Nmap port states
A port's state is one of open, filtered, closed or unfiltered, or one of the two combined states open|filtered and closed|filtered, so there are six states in all.
Nmap reports a combined state when it cannot tell which of the two states a port is in. A UDP or FIN/NULL/Xmas probe that draws no reply, for example, looks the same whether the port is open or a filter silently dropped the probe, so Nmap reports it as open|filtered rather than guessing.
When version detection is requested, the port table also shows software version information.
When an IP protocol scan is requested (-sO), Nmap reports which IP protocols are supported rather than which ports are listening.
Beyond the interesting ports table, Nmap can report further details about the target, including reverse DNS names, operating system guesses, device type and MAC address.
yum install -y nmap
[root@localhost ~]# nmap -h
== TARGET SPECIFICATION
Can pass hostnames, IPv4/IPv6 addresses, networks in CIDR notation, octet ranges, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks // read targets from a file
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
== HOST DISCOVERY
-sL: List Scan - simply list targets to scan // only lists (and reverse-resolves) the targets, sends no probes to them
-sn: Ping Scan - disable port scan // host discovery only, no port scan
-Pn: Treat all hosts as online -- skip host discovery // port-scan every target even if it answers no ping probe
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes] // -n skips reverse DNS entirely
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
== SCAN TECHNIQUES (https://nmap.org/man/zh/man-port-scanning-techniques.html)
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans // -sS is the default when running as root; an unprivileged user gets -sT
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan // https://nmap.org/book/idlescan.html
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
== PORT SPECIFICATION AND SCAN ORDER
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan // the 100 most common ports instead of the default 1000
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
== SERVICE/VERSION DETECTION
The nmap-service-probes database holds the probes sent to each service and the match expressions used to identify the responses.
-sV: Probe open ports to determine service/version info // part of -A
--version-intensity <level>: Set from 0 (light) to 9 (try all probes) // default 7
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging) // a subset of --packet-trace
== SCRIPT SCAN
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories.
== OS DETECTION
-O: Enable OS detection // part of -A; needs raw packets, so run as root
--osscan-limit: Limit OS detection to promising targets // skip hosts without at least one open and one closed port
--osscan-guess: Guess OS more aggressively
== TIMING AND PERFORMANCE
The cheapest way to shorten a scan is to drop checks you do not need (reverse DNS, version detection, scripts); after that, the timing parameters below make the biggest difference.
Options which take <time> are in seconds, or append 'ms' (milliseconds), 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster) // paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5); -T4 is the usual speed-up
  -T0 paranoid: meant for IDS evasion; probes are serialized, one every 5 minutes.
  -T1 sneaky and -T2 polite: also serialized, with 15 s and 0.4 s between probes respectively; -T2 mainly reduces bandwidth and load on the target.
  -T3 normal: the default, so -T3 changes nothing; probes are sent in parallel.
  -T4 aggressive: assumes a fast, reliable network; caps the dynamic TCP scan delay at 10 ms.
  -T5 insane: assumes a very fast network or a willingness to trade accuracy for speed; caps the scan delay at 5 ms.
  -T4 is equivalent to --max-rtt-timeout 1250ms --initial-rtt-timeout 500ms; -T5 is equivalent to --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --host-timeout 15m.
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long // drop slow hosts
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
== FIREWALL/IDS EVASION AND SPOOFING
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address // replies go to the spoofed address, so you only see results if you can sniff them
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
== OUTPUT
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once // writes <basename>.nmap, .xml and .gnmap
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state // e.g. syn-ack, reset, no-response
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
== MISC
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute // "aggressive" scan
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
== EXAMPLES
nmap -v -A scanme.nmap.org: scans the reserved TCP ports of scanme.nmap.org with OS detection, version detection, script scanning and traceroute; -v enables verbose output.
[root@localhost ~]# nmap -v -A scanme.nmap.org
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:29 CST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 16:29
Scanning scanme.nmap.org (45.33.32.156) [4 ports]
Completed Ping Scan at 16:29, 0.16s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:29
Completed Parallel DNS resolution of 1 host. at 16:29, 0.19s elapsed
Initiating SYN Stealth Scan at 16:29
Scanning scanme.nmap.org (45.33.32.156) [1000 ports]
Discovered open port 80/tcp on 45.33.32.156
Discovered open port 22/tcp on 45.33.32.156
Discovered open port 9929/tcp on 45.33.32.156
nmap -v -sn 192.168.0.0/16 10.0.0.0/8: host discovery (ping sweep) across both private ranges, without port scanning.
nmap -v -iR 10000 -Pn -p 80: picks 10000 random hosts and checks port 80 on each; -Pn skips host discovery, since a discovery probe is wasted effort when only one port is being scanned anyway.
SEE THE MAN PAGE: https://nmap.org/book/man.html
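The -p syntax in the help text above (single ports, ranges, open-ended ranges, and T:/U:/S: qualifiers that stick until the next qualifier) is compact enough to misread, and the port count it implies decides how long a scan takes. The parser below is an added example written for this page, not Nmap's own code: it expands a -p string into per-protocol port sets and counts them, which is how you can check, for instance, that the 1024-65535 range used in example 3 further down covers exactly 64512 ports (64511 closed plus one open). It also accepts P: for IP protocol numbers (used with -sO, range 0-255); service names and the [bracketed] nmap-services subset syntax are deliberately left unsupported and raise an error.

```python
"""Expand an Nmap -p port specification into per-protocol port sets.

Added example for this page, not Nmap's own code. It follows the -p grammar
from the help text: comma-separated items, each a single port, a range "a-b",
an open-ended range "-b" (from 1) or "a-" (to the maximum), or "-" alone for
everything, optionally preceded by a T:, U:, S: or P: qualifier that applies to
every following item until the next qualifier. Service names and the
[bracketed] nmap-services subset syntax are not handled and raise ValueError.
"""
import re

PROTO = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip"}
# P: selects IP protocol numbers for -sO, which run 0-255; ports run 0-65535.
MAX_VALUE = {"tcp": 65535, "udp": 65535, "sctp": 65535, "ip": 255, "any": 65535}
ITEM_RE = re.compile(r"^(\d*)(-?)(\d*)$")


def parse_port_spec(spec: str) -> dict:
    """Return {"tcp": set, "udp": set, "sctp": set, "ip": set, "any": set}.

    "any" holds items written without a qualifier; Nmap applies those to every
    protocol the chosen scan types cover, so "-sS -sU -p 53" probes 53/tcp and 53/udp.
    """
    ports = {proto: set() for proto in MAX_VALUE}
    current = "any"
    for raw in spec.split(","):
        item = raw.strip()
        # A qualifier such as "U:" changes the protocol for this and later items.
        if len(item) >= 2 and item[1] == ":" and item[0].upper() in PROTO:
            current = PROTO[item[0].upper()]
            item = item[2:]
        m = ITEM_RE.match(item)
        if not item or not m:
            raise ValueError(f"unsupported port item: {raw!r}")
        lo_s, dash, hi_s = m.groups()
        if dash:
            lo = int(lo_s) if lo_s else 1  # "-b" starts at 1; port 0 must be requested explicitly
            hi = int(hi_s) if hi_s else MAX_VALUE[current]
        else:
            lo = hi = int(lo_s)
        if lo > hi or hi > MAX_VALUE[current]:
            raise ValueError(f"range out of bounds for {current}: {raw!r}")
        ports[current].update(range(lo, hi + 1))
    return ports


def port_count(spec: str) -> int:
    """Number of port probes per host the spec implies, useful for sizing a scan before running it."""
    return sum(len(s) for s in parse_port_spec(spec).values())


if __name__ == "__main__":
    for spec in ("22", "1024-65535", "U:53,111,137,T:21-25,80,139,8080,S:9", "-"):
        expanded = parse_port_spec(spec)
        print(f"-p {spec}: {port_count(spec)} ports",
              {k: sorted(v)[:6] for k, v in expanded.items() if v})
```

Multiply the count by the number of hosts and by the per-probe cost of the chosen timing template to estimate wall-clock time; a full "-p-" sweep is 65535 probes per host before retransmissions.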
1. nmap localhost # list the ports currently open on the local host (default: the 1000 most common TCP ports)
[root@localhost ~]# nmap localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:41 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 999 closed ports
PORT STATE SERVICE
81/tcp open hosts2-ns
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
2. -vv verbose output # shows each phase (ARP ping, DNS, SYN scan) and reports open ports as they are found; the ARP ping means the target is on the same Ethernet segment
[root@localhost ~]# nmap -vv 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:13 EST
Initiating ARP Ping Scan at 04:13
Scanning 192.168.59.128 [1 port]
Completed ARP Ping Scan at 04:13, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:13
Completed Parallel DNS resolution of 1 host. at 04:13, 0.00s elapsed
Initiating SYN Stealth Scan at 04:13
Scanning 192.168.59.128 [1000 ports]
Discovered open port 22/tcp on 192.168.59.128
Discovered open port 111/tcp on 192.168.59.128
Discovered open port 9002/tcp on 192.168.59.128
Discovered open port 6000/tcp on 192.168.59.128
Discovered open port 5432/tcp on 192.168.59.128
Completed SYN Stealth Scan at 04:13, 0.03s elapsed (1000 total ports)
Nmap scan report for 192.168.59.128
Host is up (0.00011s latency).
Scanned at 2019-12-17 04:13:46 EST for 0s
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5432/tcp open postgresql
6000/tcp open X11
9002/tcp open dynamid
MAC Address: 00:0C:29:F1:DD:9C (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.048KB)
3. nmap -p 1024-65535 localhost # list the open ports in the range 1024-65535 (64512 ports in total)
[root@localhost ~]# nmap -p 1024-65535 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 16:42 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 64511 closed ports
PORT STATE SERVICE
7011/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.86 seconds
4. nmap -PS 192.168.59.130 # TCP SYN ping for host discovery, followed by the default port scan. -PS only changes how Nmap decides the host is up (a SYN to port 80 unless a port list is given); the open ports below come from the normal 1000-port scan that runs afterwards.
[root@localhost ~]# nmap -PS 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 03:56 EST
Nmap scan report for localhost (192.168.59.130)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
9090/tcp open zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
5. nmap -p22,80,3306 192.168.59.128 # probe only the listed ports on the target
[root@localhost ~]# nmap -p22,80,3306 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:11 EST
Nmap scan report for 192.168.59.128
Host is up (0.00036s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
3306/tcp closed mysql
MAC Address: 00:0C:29:F1:DD:9C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
6. nmap -O 192.168.59.130 # detect the target's operating system (-O is part of -A; it needs raw packets, so run it as root)
[root@localhost ~]# nmap -O 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:14 EST
Nmap scan report for localhost (192.168.59.130)
Host is up (0.000023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
9090/tcp open zeus-admin
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
7. nmap -sP 192.168.59.130 # check whether the target is up (ping scan only, no port scan). -sP is the old spelling of -sn; Nmap 6.40 accepts both.
[root@localhost ~]# nmap -sP 192.168.59.130
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:19 EST
Nmap scan report for localhost (192.168.59.130)
Host is up.
Nmap done: 1 IP address (1 host up) scanned in 0.00 seconds
8. nmap -sV -O localhost # operating system, service names and version information for the open ports
[root@localhost ~]# nmap -sV -O localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 17:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000048s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: VM_0_3_centos
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
81/tcp open http nginx 1.16.1
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.72 seconds
9. Traceroute
nmap --traceroute <target ip> # the single-dash form -traceroute also works, since Nmap accepts long options with one dash
[root@localhost ~]# nmap --traceroute 192.168.59.128
Starting Nmap 6.40 ( http://nmap.org ) at 2019-12-17 04:24 EST
Nmap scan report for 192.168.59.128
Host is up (0.000074s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
5432/tcp open postgresql
6000/tcp open X11
9002/tcp open dynamid
MAC Address: 00:0C:29:F1:DD:9C (VMware)
TRACEROUTE
HOP RTT ADDRESS
1 0.07 ms 192.168.59.128
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
A single hop with a sub-millisecond RTT confirms what the ARP ping in example 2 already showed: the target is directly attached on the same VMware segment.
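Reading scan reports by eye works for one host; for a subnet you save the results with -oG (or -oA) and script over them. The parser below is an added example written for this page, not Nmap's own code. It works on the grepable format, in which each "Host:" line is tab-separated into "Status: ...", "Ports: ..." and "Ignored State: ..." fields, and each Ports entry has the shape port/state/protocol/owner/service/rpc_info/version/. The sample input is constructed: the addresses and open ports mirror the lab hosts scanned above, the version strings are placeholders, and the UDP entry is there to show that the combined state open|filtered is parsed but, by design, not counted as open.

```python
"""Parse Nmap grepable (-oG) output and pull open ports out of it.

Added example for this page, not Nmap's own code. Each "Host:" line is
tab-separated into fields ("Status: Up", "Ports: ...", "Ignored State:
closed (995)"); the Ports field lists entries shaped
    port/state/protocol/owner/service/rpc_info/version/
separated by ", ". Matching on that structure instead of splitting on
commas keeps version strings that contain commas intact.
"""
import re
from dataclasses import dataclass

# Constructed sample: addresses and open ports mirror the lab hosts scanned on
# this page; the version strings are placeholders, not real scan results.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 6.40 scan initiated Tue Dec 17 04:13:46 2019 as: nmap -sS -sU -sV -v -oG lab.gnmap 192.168.59.0/24",
    "Host: 192.168.59.128 ()\tStatus: Up",
    "Host: 192.168.59.128 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "111/open/tcp//rpcbind//2-4 (RPC #100000)/, 5432/open/tcp//postgresql///, "
    "6000/open/tcp//X11///, 9002/open/tcp//dynamid///\tIgnored State: closed (1995)",
    "Host: 192.168.59.130 ()\tStatus: Up",
    "Host: 192.168.59.130 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "25/open/tcp//smtp//Postfix smtpd/, 53/open|filtered/udp//domain///, "
    "9090/open/tcp//zeus-admin///\tIgnored State: closed (1996)",
    "Host: 192.168.59.131 ()\tStatus: Down",
    "# Nmap done at Tue Dec 17 04:13:50 2019 -- 256 IP addresses (2 hosts up) scanned in 4.12 seconds",
])

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# port/state/proto/owner/service/rpc_info/version/ ; state may be "open|filtered"
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class PortRecord:
    port: int
    state: str
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> dict:
    """Return {ip: {"hostname": str, "status": str, "ports": [PortRecord, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." banner and footer lines carry no host data
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "status": "", "ports": []})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for pm in PORT_RE.finditer(value):
                    entry["ports"].append(PortRecord(
                        port=int(pm.group(1)), state=pm.group(2), proto=pm.group(3),
                        service=pm.group(5), version=pm.group(7)))
    return hosts


def open_ports(hosts: dict) -> dict:
    """Map each host to a sorted list of (port, proto) pairs Nmap reported as open.

    open|filtered entries are left out on purpose: for UDP that state usually
    means "no answer", which needs confirmation before anyone acts on it.
    """
    return {ip: sorted((p.port, p.proto) for p in h["ports"] if p.state == "open")
            for ip, h in hosts.items()}


def hosts_running(hosts: dict, service: str) -> list:
    """IPs with an open port whose service name matches, e.g. every SSH daemon on the subnet."""
    return sorted(ip for ip, h in hosts.items()
                  if any(p.state == "open" and p.service == service for p in h["ports"]))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(scan).items():
        print(ip, scan[ip]["status"], ports)
    print("ssh on:", hosts_running(scan, "ssh"))
```

Feed it a real file with parse_gnmap(open("lab.gnmap").read()); the service column is Nmap's guess from nmap-services unless -sV was used, so filter on port numbers when the name matters.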
Common service ports
Service | Port |
---|---|
HTTP | 80 |
HTTPS | 443 |
Telnet | 23 |
FTP | 21 |
SSH (secure login), SCP (file transfer), port forwarding | 22 |
SMTP | 25 |
POP3 | 110 |
WebLogic | 7001 |
Tomcat | 8080 |
Windows Remote Desktop (RDP, e.g. Windows Server 2003) | 3389 |
Oracle database | 1521 |
MS SQL Server | 1433 |
MySQL | 3306 |
nmap -T4 -A -v <target>
-A turns on aggressive scanning (OS detection, version detection, script scanning and traceroute). -T4 selects the timing template; there are six levels (0-5), and the higher the level the faster the scan, but also the more likely it is to be noticed and blocked by a firewall or IDS. -T4 is the usual choice on a healthy network. -v prints verbose progress so you can follow what the scan is doing.