Linux下使用nmap扫描端口
扫描192.168.0.x的全部端口
Raspberry Pi Documentation - Remote Access
https://www.raspberrypi.com/documentation/computers/remote-access.html
Now you have the IP address of your computer, you will scan the whole subnet for other devices. For example, if your IP address is 192.168.1.5, other devices will be at addresses like 192.168.1.2, 192.168.1.3, 192.168.1.4, etc. The notation of this subnet range is 192.168.1.0/24 (this covers 192.168.1.0 to 192.168.1.255).
Now use the nmap command with the -sn flag (ping scan) on the whole subnet range. This may take a few seconds:
nmap -sn 192.168.1.0/24其实我也不知道这个0/24代表什么,网上找到这么一段解释,
192.168.0.0/24 24代表什么?
24是CIDR值。简单说就是一个CIDR值对应一个子网掩码,然后对网络就行分段。
/24对应的是255.255.255.0
192.168.0.0/24就代表了192.168.0.0至192.168.0.255
一直分下去有 192.168.1.0至192.168.1.255
192.168.2.0至192.168.2.255等等
再说说这24是怎么得到255.255.255.0
每个IP地址的长度为32位(bit),分4段,每段8位(1个字节)。简单的说24代表从前往后有24个1,就是11111111.11111111.11111111.00000000
把这个转换成十进制就是255.255.255.0
官方参考资料
全英文的,
https://nmap.org/book/man.htmlhttps://nmap.org/book/man.html
nmap基本使用方法
中文解释,参考:nmap基本使用方法 - 简书
1、nmap简单扫描
nmap默认发送一个ARP的PING数据包,来探测目标主机1-10000范围内所开放的所有端口
命令语法:
nmap <target ip address>
其中:target ip address是扫描的目标主机的ip地址
例子:nmap 173.22.90.10
[root@docker-node4 ~]# nmap 173.22.90.10
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
扫描出开放的端口
2、nmap简单扫描,并对结果返回详细的描述输出
命令语法:namp -vv <target ip address>
介绍:-vv参数设置对结果的详细输出
例子:nmap -vv 173.22.90.10
效果如下:
[root@docker-node4 ~]# nmap -vv 173.22.90.10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 04:48 CST
Initiating ARP Ping Scan at 04:48
Scanning 173.22.90.10 [1 port]
Completed ARP Ping Scan at 04:48, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:48
Completed Parallel DNS resolution of 1 host. at 04:48, 6.53s elapsed
Initiating SYN Stealth Scan at 04:48
Scanning 173-22-90-10.client.mchsi.com (173.22.90.10) [1000 ports]
Discovered open port 111/tcp on 173.22.90.10
Discovered open port 80/tcp on 173.22.90.10
Discovered open port 22/tcp on 173.22.90.10
3、nmap自定义扫描
命令语法:nmap -p(range) <target IP>
介绍:(range)为要扫描的端口范围,端口大小不能超过65535
例子:扫描目标主机的20-120号端口
nmap -p20-120 173.22.90.10
image.png
4、nmap 指定端口扫描
命令语法:nmap -p(port1,port2,…) <target IP>
介绍:port1,port2…为想要扫描的端口号
例子:扫描目标主机的80,22端口
[root@docker-node4 ~]# nmap -p22,80 173.22.90.10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 04:57 CST
Nmap scan report for 173-22-90-10.client.mchsi.com (173.22.90.10)
Host is up (0.00032s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:CF:A7:30 (VMware)
5、nmap ping 扫描
nmap可以利用类似windows/linux系统下的ping 方式进行扫描
命令语法: nmap -sP <target ip>
例子:nmap sP 10.1.112.89
[root@docker-node4 ~]# nmap -sP 173.22.90.10 扫描存活的主机,这个机器存活
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:00 CST
Nmap scan report for 173-22-90-10.client.mchsi.com (173.22.90.10)
Host is up (0.00048s latency).
MAC Address: 00:0C:29:CF:A7:30 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
[root@docker-node4 ~]# nmap -sP 173.22.90.16
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:00 CST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.43 seconds
这个就是显示不是存活状态的主机,没有ping成功
6、nmap 路由跟踪
路由器追踪功能,能够帮助网络管理员了解网络通行情况,同时也是网络管理人员很好的辅助工具,通过路由器追踪可以轻松的查处从我们电脑所在地到目的地之间所经常的网络节点,并可以看到通过各个结点所花费的时间
命令语法:
nmap –traceroute <target IP>
例子:namp –traceroute 8.8.8.8(geogle dns服务器ip)
[root@docker-node4 ~]# nmap --traceroute 8.8.8.8
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:04 CST
Nmap scan report for dns.google (8.8.8.8)
Host is up (0.045s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
53/tcp open domain
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 2.77 ms 192.168.1.1
2 5.63 ms 113.45.32.1
3 6.26 ms 124.205.97.50
4 6.31 ms 124.205.97.50
5 6.41 ms 218.241.165.41
6 8.75 ms 124.205.98.41
7 6.52 ms 202.99.1.173
8 6.58 ms 218.241.244.98
7、nmap设置扫描一个网段下的ip
命令语法:
nmap -sP <network address> </CIDR>
介绍:CIDR为设置的子网掩码(/24,/16,/8等)
例子:nmap -sP 10.1.1.0 /24
[root@docker-node4 ~]# nmap -sP 192.168.1.1 /24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:11 CST
Failed to resolve "".
Nmap scan report for 192.168.1.1
Host is up (0.0061s latency).
MAC Address: B0:95:8E:5F:98:85 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 13.04 seconds
8、nmap 操作系统类型的探测
命令语法:
nmap -0 <target IP>
例子:nmap -O(大写的o) 10.1.112.89
效果:
[root@docker-node4 ~]# nmap -O 192.168.1.103
Running (JUST GUESSING): AVtech embedded (87%), FreeBSD 6.X (86%), Microsoft Windows XP (85%)
扫描出是windows的系统
不过不准确我的这个是windows10的系统
9、nmap万能开关
包含了1-10000端口ping扫描,操作系统扫描,脚本扫描,路由跟踪,服务探测
命令语法:
nmap -A <target ip>
例子:nmap -A 10.1.112.89
[root@docker-node4 ~]# nmap -A 192.168.1.105
Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-18 05:23 CST
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 86.40% done; ETC: 05:24 (0:00:09 remaining)
Nmap scan report for 192.168.1.105
Host is up (0.064s latency).
All 1000 scanned ports on 192.168.1.105 are filtered
MAC Address: F4:D1:08:BE:1C:CA (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 63.61 ms 192.168.1.105
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.40 seconds
10、nmap命令混合式扫描
可以做到类似参数-A所完成的功能,但又能细化我们的需求要求
命令语法:
nmap -vv -p1-100 -O <target ip>
例子:
nmap -vv -p1-100 -O 10.1.112.89
[root@docker-node4 ~]# nmap -vv -p1-100 -o 173.22.90.10
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:CF:A7:30 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=8/18%OT=22%CT=1%CU=39398%PV=N%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5D58714F%P=x86_64-redhat-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%TS=A)