nmap is a network port scanner used to discover which ports hosts on a network have open, determine which services are running on which ports, and infer which operating system a host is running (this is also known as fingerprinting). It is one of the essential tools for network administrators and is also used to assess the security of network systems.
1. Scenario
Virtual machine: VMware. Attacking host: Kali, IP 192.168.239.142. Target: Windows 10, IP 192.168.239.1.
2. nmap options
| Option | Description |
|---|---|
| --traceroute | Scan the host's ports and trace the route to it |
| -p | Scan the specified ports or port ranges |
| -sP | Ping scan of the target host |
| -A | Aggressive scan using the advanced features |
| -sV | Probe open ports to determine service/version information |
| -sC | Equivalent to adding --script=default |
| -sU | UDP scan (sends UDP packets) |
| -Pn | Treat all hosts as online; skip host discovery |
| -sT | TCP full-connect scan, which guarantees accurate results |
| --min-rate | Minimum packets sent per second; used to speed up a scan |
| --max-rate | Maximum packets sent per second; used to slow a scan down and avoid triggering firewall detection |
3. Experiments
- Batch port scan
- Specified-port scan
4. Putting it together
When scanning in practice, if you do not know which ports the target has open and need to scan all ports, you should first run a fast scan to obtain the target's open port numbers, then pass those port numbers as the specified ports together with -sC -sV for a detailed scan. The following command combines both steps (the inner nmap runs the fast full-port sweep; grep, cut, tr and sed turn its output into a comma-separated port list):

```bash
nmap -p `nmap -p- --min-rate=10000 -T4 192.168.239.1 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'` -sC -sV 192.168.239.1
```

The scan output is as follows:
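The same two-stage approach written as a reusable shell script, as an added example that is not from the original post; the function names extract_ports and two_stage_scan are my own. Unlike the one-liner above, it keeps only ports whose state is open (nmap also lists closed or filtered ports when there are only a few of them) and stops if the sweep finds nothing, so the second nmap is never run with an empty -p list.

```sh
#!/bin/sh
# Two-stage nmap scan: a fast full-port sweep, then -sC -sV on only the
# ports that sweep reported open. Added example, not the original post's code.

# extract_ports: read nmap normal output on stdin and print the open port
# numbers as one comma-separated list, e.g. "21,80,443". Prints nothing
# when no line has a port in the "open" state.
extract_ports() {
    # Port lines look like "80/tcp open http"; field 2 is the state.
    # Keep only "open" ports, strip the "/tcp" suffix, join with commas.
    grep '^[0-9]' | awk '$2 == "open" { split($1, a, "/"); print a[1] }' \
        | paste -s -d, -
}

# two_stage_scan TARGET: fast sweep (the same options as the one-liner),
# then a detailed scan restricted to the ports found. Returns 1 if the
# sweep found no open ports, so the second nmap is not run with -p "".
two_stage_scan() {
    target="$1"
    ports=$(nmap -p- --min-rate=10000 -T4 "$target" | extract_ports)
    if [ -z "$ports" ]; then
        echo "no open ports found on $target" >&2
        return 1
    fi
    nmap -p "$ports" -sC -sV "$target"
}

# Usage: sh scan.sh 192.168.239.1 (only scans when a target is given).
if [ $# -gt 0 ]; then
    two_stage_scan "$1"
fi
```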
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 07:19 EDT
Nmap scan report for 192.168.239.1
Host is up (0.000054s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.41 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
25/tcp open smtp Mercury/32 smtpd (Mail server account Maiser)
| smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME, SIZE 0, HELP,
|_ Recognized SMTP commands are: HELO EHLO MAIL RCPT DATA RSET AUTH NOOP QUIT HELP VRFY SOML Mail server account is 'Maiser'.
79/tcp open finger Mercury/32 fingerd
| finger: Login: Admin Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.239.1/dashboard/
105/tcp open ph-addressbook Mercury/32 PH addressbook server
106/tcp open pop3pw Mercury/32 poppass service
110/tcp open pop3 Mercury/32 pop3d
|_pop3-capabilities: TOP APOP USER UIDL EXPIRE(NEVER)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
143/tcp open imap Mercury/32 imapd 4.62
|_imap-capabilities: OK AUTH=PLAIN IMAP4rev1 CAPABILITY X-MERCURY-1A0001 complete
443/tcp open ssl/https VMware Workstation SOAP API 14.1.2
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Wed, 11 Aug 2021 11:20:03 GMT
| Connection: close
| Content-Type: text/plain; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 0
| GetRequest:
| HTTP/1.1 403 Forbidden
| Date: Wed, 11 Aug 2021 11:20:03 GMT
| Connection: close
| Content-Type: text/plain; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 501 Not Implemented
| Date: Wed, 11 Aug 2021 11:20:03 GMT
| Connection: close
| Content-Type: text/plain; charset=utf-8
| X-Frame-Options: DENY
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Wed, 11 Aug 2021 11:20:13 GMT
| Connection: close
| Content-Type: text/html
| Content-Length: 50
| <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Date: Wed, 11 Aug 2021 11:21:20 GMT
| Connection: close
| Content-Type: text/html
| Content-Length: 50
|_ <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Not valid before: 2018-10-16T14:29:30
|_Not valid after: 2019-10-16T14:29:30
|_ssl-date: TLS randomness does not represent time
| vmware-version:
| Server version: VMware Workstation 14.1.2
| Build: 8497320
| Locale version: INTL
| OS type: win32-x86
|_ Product Line ID: ws
445/tcp open microsoft-ds?
480/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.239.1:480/dashboard/
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1010/tcp open surf?
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600.00; RTM
| ms-sql-ntlm-info:
| Target_Name: DESKTOP-CR4GABK
| NetBIOS_Domain_Name: DESKTOP-CR4GABK
| NetBIOS_Computer_Name: DESKTOP-CR4GABK
| DNS_Domain_Name: DESKTOP-CR4GABK
| DNS_Computer_Name: DESKTOP-CR4GABK
|_ Product_Version: 10.0.19041
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-08-09T14:13:00
|_Not valid after: 2051-08-09T14:13:00
|_ssl-date: 2021-08-11T11:23:04+00:00; 0s from scanner time.
1536/tcp open msrpc Microsoft Windows RPC
1537/tcp open msrpc Microsoft Windows RPC
1538/tcp open msrpc Microsoft Windows RPC
1539/tcp open msrpc Microsoft Windows RPC
1540/tcp open msrpc Microsoft Windows RPC
1541/tcp open msrpc Microsoft Windows RPC
1545/tcp open msrpc Microsoft Windows RPC
1546/tcp open msrpc Microsoft Windows RPC
2025/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600; RTM
| ms-sql-ntlm-info:
| Target_Name: DESKTOP-CR4GABK
| NetBIOS_Domain_Name: DESKTOP-CR4GABK
| NetBIOS_Computer_Name: DESKTOP-CR4GABK
| DNS_Domain_Name: DESKTOP-CR4GABK
| DNS_Computer_Name: DESKTOP-CR4GABK
|_ Product_Version: 10.0.19041
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-08-09T14:13:00
|_Not valid after: 2051-08-09T14:13:00
|_ssl-date: 2021-08-11T11:23:04+00:00; -1s from scanner time.
2224/tcp open http Mercury/32 httpd
|_http-title: Mercury HTTP Services
3306/tcp open mysql?
| fingerprint-strings:
| NULL:
|_ Host '192.168.239.142' is not allowed to connect to this MariaDB server
5040/tcp open unknown
5426/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
6000/tcp open X11?
|_x11-access: ERROR: Script execution failed (use -d to debug)
7680/tcp open pando-pub?
8680/tcp open http FRITZ!Box TR-069 service
|_http-title: Site doesn't have a title.
41091/tcp open unknown
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions, Help, LPDString, RTSPRequest, SIPOptions:
| HTTP/1.1 400 Invalid header received from client
| Content-Type: text/plain
| Connection: close
|_ Invalid header received from client.
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:50:56:C0:00:08 (VMware)
Service Info: Host: localhost; OS: Windows; Device: broadband router; CPE: cpe:/o:microsoft:windows, cpe:/o:vmware:Workstation:14.1.2
Host script results:
| ms-sql-info:
| 192.168.239.1:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 RTM
| number: 10.50.1600.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_nbstat: NetBIOS name: DESKTOP-CR4GABK, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:c0:00:08 (VMware)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-08-11T11:22:34
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.34 seconds
In this way we obtain detailed scan information about the target relatively quickly.