关于nmap的几个技巧

Nmap (“Network Mapper(网络映射器)”) 是一款开放源代码的 网络探测和安全审核的工具。它的设计目标是快速地扫描大型网络，当然用它扫描单个 主机也没有问题 。Nmap以新颖的方式使用原始IP报文来发现网络上有哪些主机，那些 主机提供什么服务(应用程序名和版本)，那些服务运行在什么操作系统(包括版本信息)， 它们使用什么类型的报文过滤器/防火墙，以及一堆其它功能。虽然Nmap通常用于安全审核， 许多系统管理员和网络管理员也用它来做一些日常的工作，比如查看整个网络的信息，管理服务升级计划，以及监视主机和服务的运行。

这里举几个例子，分享一下神奇的技巧

[root@localhost ~]# nmap -v www.XXXX.com -----------------------------> 探测目标主机所有的保留TCP端口

[root@localhost ~]# nmap -sS -O 192.168.254.152 ------------------查看目标主机的系统


Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-13 15:23 CST
Nmap scan report for 192.168.254.152
Host is up (0.00069s latency).
Not shown: 992 closed ports
………………………………………………
Running: Microsoft Windows Vista
OS CPE: cpe:/o:microsoft:windows_vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop

nmap -PT 使用TCP的ping方式进行扫描，可以获取当前已经启动的所有计算机。

[root@kissing ~]# nmap -PT 192.168.0.0/24
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 22:59 CST
Interesting ports on 192.168.0.1:
Not shown: 1679 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 1C:AF:F7:89:48:70 (Unknown)

Interesting ports on 192.168.0.100:
Not shown: 1675 filtered ports
PORT STATE SERVICE
21/tcp open ftp
139/tcp open netbios-ssn
445/tcp open microsoft-ds
6001/tcp closed X11:1
6002/tcp closed X11:2
MAC Address: C4:46:19:39:9D:E7 (Unknown)

All 1680 scanned ports on 192.168.0.101 are closed
MAC Address: E8:99:C4:08:B0:EE (Unknown)

Interesting ports on 192.168.0.102:
Not shown: 1677 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:23:5A:BA:9F:51 (Unknown)

All 1680 scanned ports on 192.168.0.104 are closed
MAC Address: 38:AA:3C:2F:34:18 (Unknown)

Interesting ports on 192.168.0.144:
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
1022/tcp open unknown

Nmap finished: 256 IP addresses (6 hosts up) scanned in 41.821 seconds

---------------------------------------------------------------------------------

nmap -sP 192.168.x.0/24 扫描本网段中所有up的主机

[root@kissing ~]# nmap -sP 192.168.0.0/24

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 22:57 CST
Host 192.168.0.1 appears to be up.
MAC Address: 1C:AF:F7:89:48:70 (Unknown)
Host 192.168.0.101 appears to be up.
MAC Address: E8:99:C4:08:B0:EE (Unknown)
Host 192.168.0.102 appears to be up.
MAC Address: 00:23:5A:BA:9F:51 (Unknown)
Host 192.168.0.104 appears to be up.
MAC Address: 38:AA:3C:2F:34:18 (Unknown)
Host 192.168.0.144 appears to be up.
Nmap finished: 256 IP addresses (5 hosts up) scanned in 5.161 seconds

-----------------------------------------------------------------------------------

nmap -O 192.168.x.x 扫描主机的操作系统，只有root才可以使用O这个参数

-------------------------------------------------------------------------------

nmap -A 192.168.x.x扫描主机的操作系统，不需要root权限

[root@kissing ~]# nmap -A 192.168.0.102


Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-09-18 23:01 CST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.0.102:
Not shown: 1677 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
MAC Address: 00:23:5A:BA:9F:51 (Unknown)
No OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=9/18%Tm=5239C07A%O=135%C=-1%M=00235A)
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)


Uptime 0.157 days (since Wed Sep 18 19:16:50 2013)
Service Info: OS: Windows


Nmap finished: 1 IP address (1 host up) scanned in 42.652 seconds

常用选项：
-v：表示显示冗余（verbosity）信息，在扫描过程中显示扫描的细节
-A：激烈扫描模式，包括打开操作系统探测、版本探测、脚本扫描、路径跟踪
-T：设置时间模板，总有6个级别（0-5），级别越高，扫描速度越快
-sT：TCP扫描
-sU：UDP扫描
-Pn：将所有指定的主机视作开启的，跳过主机发现的过程

更多选项请参考nmap中文参考手册：http://nmap.org/man/zh/index.html