? ?Zenmap是Nmap官方提供的图形界面,通常随Nmap的安装包发布。Zenmap是用Python语言编写而成的开源免费的图形界面,能够运行在不同操作系统平台上(Windows/Linux/Unix/Mac OS等)。Zenmap旨在为nmap提供更加简单的操作方式。简单常用的操作命令可以保存成为profile,用户扫描时选择profile即可;可以方便地比较不同的扫描结果;
常用参数:
| Intense scan | (nmap -T4 -A -v) | 一般来说,Intense scan可以满足一般扫描 |
| -T4 | ?加快执行速度 | |
| -A | ?操作系统及版本探测 | |
| -v | ?显示详细的输出 | |
| Intense scan plus UDP | (nmap -sS -sU -T4 -A -v) | 即UDP扫描 |
| -sS | ? TCP SYN 扫描 | |
| -sU | ? UDP 扫描 | |
| Intense scan,all TCP ports | (nmap -p 1-65536 -T4 -A -v) | 扫描所有TCP端口,范围在1-65535,试图扫描所有端口的开放情况,速度比较慢。 |
| -p | ?指定端口扫描范围 | |
| Intense scan,no ping | (nmap -T4 -A -v -Pn) | 非ping扫描 |
| -Pn | ?非ping扫描 | |
| Ping scan | (nmap -sn) | Ping 扫描 优点:速度快。 缺点:容易被防火墙屏蔽,导致无扫描结果 |
| -sn | ?ping扫描 | |
| Quick scan | (nmap -T4 -F) | 快速的扫描 |
| -F | ?快速模式。 | |
| Quick scan plus | (nmap -sV -T4 -O -F –version-light) | 快速扫描加强模式 |
| -sV | ?探测端口及版本服务信息。 | |
| -O | ?开启OS检测 | |
| –version-light | ?设定侦测等级为2。 | |
| Quick traceroute | (nmap -sn –traceroute) | 路由跟踪 |
| -sn Ping | 扫描,关闭端口扫描 | |
| -traceroute | ?显示本机到目标的路由跃点。 | |
| Regular scan | 规则扫描 | |
| Slow comprehensive scan | (nmap -sS -sU -T4 -A -v -PE -PP -PS80,443,-PA3389,PU40125 -PY -g 53 –script all) | 慢速全面扫描。 |
*************nmap示例说明****************************************
Profile主要参数
1.Intense scan:强烈的扫描
nmap -T4 -A -v
-T4:?????-T option and their number (0–5) or their
?????????? name. The template names areparanoid (0), sneaky (1), polite (2),
?????????? normal (3), aggressive (4), andinsane (5). The first two are for
?????????? IDS evasion. Polite mode slows downthe scan to use less bandwidth
?????????? and target machine resources. Normalmode is the default and so -T3
?????????? does nothing. Aggressive mode speedsscans up by making the
?????????? assumption that you are on areasonably fast and reliable network.
?????????? Finally insane mode.? assumes that you are on an extraordinarily
?????????? fast network or are willing tosacrifice some accuracy for speed.
For example,
?????????? -T4.?prohibits the dynamic scan delay from exceeding 10 ms for TCP
?????????? ports and -T5 caps that value at 5ms.
??? ?????? ???-T4 for faster execution
由以上说明-T4参数是一种适用在局域网,可靠性网络进行扫描,略带侵略性,扫描一个tcp端口平均耗时10ms
-A: ???????????????? -A, to enable OS and versiondetection, script scanning, and traceroute;
三个作用:操作系统及版本检测,系统脚本运行,路由
-v:????????????????????显示扫描过程中的详细信息
2.Intensescan plus UDP:强烈的扫描,加上udp协议扫描
nmap -sS -sU -T4-A -v
-sS:?????????????????? -sS (TCP SYN scan) .
?????????? SYN scan is the default and mostpopular scan option for good
?????????? reasons. It can be performedquickly, scanning thousands of ports
?????????? per second on a fast network nothampered by restrictive firewalls.
?????????? It is also relatively unobtrusiveand stealthy since it never
?????????? completes TCP connections. SYN scanworks against any compliant TCP
?????????? stack rather than depending onidiosyncrasies of specific platforms
?????????? as Nmap's FIN/NULL/Xmas, Maimon andidle scans do. It also allows
?????????? clear, reliable differentiationbetween the open, closed, and
?????????? filtered states.
?????????? This technique is often referred toas half-open scanning, because
?????????? you don't open a full TCPconnection. You send a SYN packet, as if
?????????? you are going to open a real connectionand then wait for a
?????????? response. A SYN/ACK indicates theport is listening (open), while a
?????????? RST (reset) is indicative of anon-listener. If no response is
?????????? received after severalretransmissions, the port is marked as
???? ??????filtered. The port is also markedfiltered if an ICMP unreachable
?????????? error (type 3, code 1, 2, 3, 9, 10,or 13) is received. The port is
?????????? also considered open if a SYN packet(without the ACK flag) is
?????????? received in response. This can bedue to an extremely rare TCP
?????????? feature known as a simultaneous openor split handshake connection
?????????? (seehttp://nmap.org/misc/split-handshake.pdf).
主要说明-sS参数是一个比较流行好用的,该参数运行扫描快,而且隐蔽,因为它是一种半开方式扫描,并没有完成一个完整真实的tcp连接,
发送SYN包,如果收到一个SYN/ACK(或SYN)响应包则说明对方该端口处于打开监听状态;如果是RST,则说明对方端口处于非监听状态;如果未收到任何响应包则标记该端口被过滤
-sU:????????????? -sU(UDP scans) .
?????????? While most popular services on theInternet run over the TCP
?????????? protocol, UDP[6] services are widelydeployed. DNS, SNMP, and DHCP
?????????? (registered ports 53, 161/162, and67/68) are three of the most
?????????? common. Because UDP scanning isgenerally slower and more difficult
?????????? than TCP, some security auditorsignore these ports. This is a
?????????? mistake, as exploitable UDP servicesare quite common and attackers
?????????? certainly don't ignore the wholeprotocol. Fortunately, Nmap can
?????????? help inventory UDP ports.
?????????? UDP scan is activated with the -sUoption. It can be combined with
?????????? a TCP scan type such as SYN scan(-sS) to check both protocols
?????????? during the same run.
?????????? UDP scan works by sending a UDPpacket to every targeted port. For
?????????? some common ports such as 53 and161, a protocol-specific payload
?????? ????is sent, but for most ports the packet isempty..? The
?????????? --data-length option can be used tosend a fixed-length random
?????????? payload to every port or (if youspecify a value of 0) to disable
?????????? payloads. If an ICMP port unreachableerror (type 3, code 3) is
?????????? returned, the port is closed. OtherICMP unreachable errors (type
?????????? 3, codes 1, 2, 9, 10, or 13) markthe port as filtered.
?????????? Occasionally, a service will respondwith a UDP packet, proving
??????? ???that it is open. If no response is receivedafter retransmissions,
?????????? the port is classified asopen|filtered. This means that the port
?????????? could be open, or perhaps packetfilters are blocking the
?????????? communication. Version detection(-sV) can be used to help
?????????? differentiate the truly open portsfrom the filtered ones.
?????????? A big challenge with UDP scanning isdoing it quickly. Open and
?????????? filtered ports rarely send anyresponse, leaving Nmap to time out
?????????? and then conduct retransmissionsjust in case the probe or response
?????????? were lost. Closed ports are often aneven bigger problem. They
?????????? usually send back an ICMP portunreachable error. But unlike the
?????????? RST packets sent by closed TCP portsin response to a SYN or
?????????? connect scan, many hosts ratelimit.? ICMP port unreachable
?????????? messages by default. Linux andSolaris are particularly strict
?????????? about this. For example, the Linux2.4.20 kernel limits destination
?????????? unreachable messages to one persecond (in net/ipv4/icmp.c).
?????????? Nmap detects rate limiting and slowsdown accordingly to avoid
?????????? flooding the network with uselesspackets that the target machine
?????????? will drop. Unfortunately, aLinux-style limit of one packet per
?????????? second makes a 65,536-port scan takemore than 18 hours. Ideas for
?????????? speeding your UDP scans up includescanning more hosts in parallel,
?????????? doing a quick scan of just the popularports first, scanning from
?????????? behind the firewall, and using--host-timeout to skip slow hosts.
使用UDP协议的服务主要有DNS,SNMP,DHCP等,由于UDP扫描更困难和耗费时间因此一些审计的时候进行了省略,困难点在于linux和Solaris系统默认限制了每秒不可到达的信息数,Nmap为了避免造成服务器掉包的危害降低发包的速度,因此在扫描时将会耗费非常多的时间,建议先对常用UDP端口进行扫描,并且设置主机超时以跳过哪些扫描慢的主机
通常服务器响应一个UDP包,说明对方端口打开;当没有响应是nmap?????????????????????????????????????????????????????????????????????????
会将其定级为open|filtered,这是需要结合-sV参数来协助判断端口的状态。
3.Intense scan, all TCP ports:对目标的所有端口进行强烈的扫描
nmap -p 1-65535 -T4 -A -v
4.Intensescan, no ping:对目标进行强烈的扫描,不进行主机发现
nmap -T4 -A -v -Pn????
-Pn: Treat all hosts as online -- skip host discovery?
-Pn (No ping) .
?????????? Thisoption skips the Nmap discovery stage altogether. Normally,
?????????? Nmapuses this stage to determine active machines for heavier
??????????scanning. By default, Nmap only performs heavy probing such as port
??????????scans, version detection, or OS detection against hosts that are
?????????? foundto be up. Disabling host discovery with -Pn causes Nmap to
??????????attempt the requested scanning functions against every target IP
??????????address specified. So if a class B target address space (/16) is
??????????specified on the command line, all 65,536 IP addresses are scanned.
??????????Proper host discovery is skipped as with the list scan, but instead
?????????? ofstopping and printing the target list, Nmap continues to perform
??????????requested functions as if each target IP is active. To skip ping
?????????? scanand port scan, while still allowing NSE to run, use the two
??????????options -Pn -sn together.
?????????? Formachines on a local ethernet network, ARP scanning will still
?????????? beperformed (unless --disable-arp-ping or --send-ip is specified)
??????????because Nmap needs MAC addresses to further scan target hosts. In
??????????previous versions of Nmap, -Pn was -P0.?and -PN..
假设所有主机在线,跳过主机发现过程。
5.Ping scan??在发现主机后,不进行端口扫描
nmap -sn:
sn: Ping Scan - disable port scan
-sn (No port scan) .
?????????? Thisoption tells Nmap not to do a port scan after host discovery,
?????????? andonly print out the available hosts that responded to the scan.
?????????? Thisis often known as a “ping scan”, but you can also request that
??????????traceroute and NSE host scripts be run. This is by default one step
?????????? moreintrusive than the list scan, and can often be used for the
?????????? samepurposes. It allows light reconnaissance of a target network
??????????without attracting much attention. Knowing how many hosts are up is
?????????? morevaluable to attackers than the list provided by list scan of
?????????? everysingle IP and host name.
??????????Systems administrators often find this option valuable as well. It
?????????? caneasily be used to count available machines on a network or
??????????monitor server availability. This is often called a ping sweep, and
?????????? ismore reliable than pinging the broadcast address because many
?????????? hostsdo not reply to broadcast queries.
?????????? Thedefault host discovery done with -sn consists of an ICMP echo
??????????request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
??????????timestamp request by default. When executed by an unprivileged
?????????? user,only SYN packets are sent (using a connect call) to ports 80
?????????? and443 on the target. When a privileged user tries to scan targets
?????????? on alocal ethernet network, ARP requests are used unless --send-ip
?????????? wasspecified. The -sn option can be combined with any of the
??????????discovery probe types (the -P* options, excluding -Pn) for greater
??????????flexibility. If any of those probe type and port number options are
?????????? used,the default probes are overridden. When strict firewalls are
?????????? inplace between the source host running Nmap and the target
??? ???????network, using those advanced techniquesis recommended. Otherwise
?????????? hostscould be missed when the firewall drops probes or their
??????????responses.
?????????? Inprevious releases of Nmap, -sn was known as -sP..
6.Quick scan:快速扫描
nmap -T4 -F
-F:??????? ?-F: Fast mode - Scan fewer ports than thedefault scan
? ?????????-F (Fast (limited port) scan) .
??????????Specifies that you wish to scan fewer ports than the default.
??????????Normally Nmap scans the most common 1,000 ports for each scanned
??????????protocol. With -F, this is reduced to 100.
?????????? Nmapneeds an nmap-services file with frequency information in
?????????? orderto know which ports are the most common. If port frequency
??????????information isn't available, perhaps because of the use of a custom
??????????nmap-services file, Nmap scans all named ports plus ports 1-1024.
?????????? Inthat case, -F means to scan only ports that are named in the
??????????services file.
7.Quickscan plus:更快速的扫描
nmap -sV -T4 -O -F --version-light
-O:??????? EnableOS detection
--version-intensity intensity (Set version scanintensity) .
?????????? Whenperforming a version scan (-sV), Nmap sends a series of
??????????probes, each of which is assigned a rarity value between one and
?????????? nine.The lower-numbered probes are effective against a wide
??????????variety of common services, while the higher-numbered ones are
??????????rarely useful. The intensity level specifies which probes should be
??????????applied. The higher the number, the more likely it is the service
?????????? willbe correctly identified. However, high intensity scans take
??????????longer. The intensity must be between 0 and 9..? The default is 7..
?????????? Whena probe is registered to the target port via the
??????????nmap-service-probesports directive, that probe is tried regardless
?????????? ofintensity level. This ensures that the DNS probes will always be
??????????attempted against any open port 53, the SSL probe will be done
??????????against 443, etc.
??????--version-light (Enable light mode) .
?????????? Thisis a convenience alias for --version-intensity 2. This light
?????????? modemakes version scanning much faster, but it is slightly less
?????????? likelyto identify services.
-sV:???
?????? -sV(Version detection) .
??????????Enables version detection, as discussed above. Alternatively, you
?????????? canuse -A, which enables version detection among other things.
??????????-sR.? is an alias for -sV. Priorto March 2011, it was used to
??????????active the RPC grinder separately from version detection, but now
?????????? theseoptions are always combined.
?
8.Quick traceroute:快速扫描,不扫端口返回每一跳的主机ip
nmap -sn --traceroute?:
--traceroute:?Trace hop path to each host
9.Regular scan:常规扫描
nmap??
?
10.Slow comprehensive scan:慢速综合性扫描
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389-PU40125 -PY -g 53 --script "default or (discovery and safe)"
-PE/PP:ICMP echo, timestamp
-PS port list (TCP SYN Ping) .
?????????? Thisoption sends an empty TCP packet with the SYN flag set. The
??????????default destination port is 80 (configurable at compile time by
??????????changing DEFAULT_TCP_PROBE_PORT_SPEC.?in nmap.h)..? Alternate
?????????? portscan be specified as a parameter. The syntax is the same as
?????????? forthe -p except that port type specifiers like T: are not
??????????allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note
?????????? thatthere can be no space between -PS and the port list. If
??????????multiple probes are specified they will be sent in parallel.
?????????? TheSYN flag suggests to the remote system that you are attempting
?????????? toestablish a connection. Normally the destination port will be
?????????? closed,and a RST (reset) packet sent back. If the port happens to
?????????? beopen, the target will take the second step of a TCP
??????????three-way-handshake.? byresponding with a SYN/ACK TCP packet. The
??????????machine running Nmap then tears down the nascent connection by
??????????responding with a RST rather than sending an ACK packet which would
??????????complete the three-way-handshake and establish a full connection.
?????????? TheRST packet is sent by the kernel of the machine running Nmap in
??????????response to the unexpected SYN/ACK, not by Nmap itself.
?????????? Nmapdoes not care whether the port is open or closed. Either the
?????????? RSTor SYN/ACK response discussed previously tell Nmap that the
?????????? hostis available and responsive.
?????????? OnUnix boxes, only the privileged user root.?is generally able to
?????????? sendand receive raw TCP packets..? Forunprivileged users, a
??????????workaround is automatically employed.?whereby the connect system
?????????? callis initiated against each target port. This has the effect of
??????????sending a SYN packet to the target host, in an attempt to establish
?????????? aconnection. If connect returns with a quick success or an
???????? ??ECONNREFUSED failure, the underlying TCPstack must have received a
??????????SYN/ACK or RST and the host is marked available. If the connection
??????????attempt is left hanging until a timeout is reached, the host is
??????????marked as down.
-PA?? ?????-PA port list (TCP ACK Ping) .
?????????? TheTCP ACK ping is quite similar to the just-discussed SYN ping.
?????????? Thedifference, as you could likely guess, is that the TCP ACK flag
?????????? isset instead of the SYN flag. Such an ACK packet purports to be
??????????acknowledging data over an established TCP connection, but no such
??????????connection exists. So remote hosts should always respond with a RST
??????????packet, disclosing their existence in the process.
?????????? The-PA option uses the same default port as the SYN probe (80) and
?????????? canalso take a list of destination ports in the same format. If an
??????????unprivileged user tries this, the connect workaround discussed
??????????previously is used. This workaround is imperfect because connect is
??????????actually sending a SYN packet rather than an ACK.
?????????? Thereason for offering both SYN and ACK ping probes is to maximize
?????????? thechances of bypassing firewalls. Many administrators configure
??????????routers and other simple firewalls to block incoming SYN packets
??????????except for those destined for public services like the company web
?????????? siteor mail server. This prevents other incoming connections to
?????????? theorganization, while allowing users to make unobstructed
??????????outgoing connections to the Internet. This non-stateful approach
?????????? takesup few resources on the firewall/router and is widely
??????????supported by hardware and software filters. The Linux
??????????Netfilter/iptables.? firewallsoftware offers the --syn convenience
??????????option to implement this stateless approach. When stateless
??????????firewall rules such as this are in place, SYN ping probes (-PS) are
??????????likely to be blocked when sent to closed target ports. In such
??????????cases, the ACK probe shines as it cuts right through these rules.
??????????Another common type of firewall uses stateful rules that drop
??????????unexpected packets. This feature was initially found mostly on
??????????high-end firewalls, though it has become much more common over the
??????????years. The Linux Netfilter/iptables system supports this through
?????????? the--state option, which categorizes packets based on connection
??????? ???state. A SYN probe is more likely to workagainst such a system, as
??????????unexpected ACK packets are generally recognized as bogus and
??????????dropped. A solution to this quandary is to send both SYN and ACK
??????????probes by specifying -PS and -PA.
-PS和PA一起使用来最大限度的避过防火墙等安全设备的检测
-g/--source-port <portnum>: Use given portnumber
nmap --script "default or safe"
?????????? Thisis functionally equivalent to nmap --script "default,safe". It
?????????? loadsall scripts that are in the default category or the safe
??????????category or both.
