Test platforms
- Windows
- Linux
Reference manual
Command reference
Type nmap -h in a terminal to view the help text:
Nmap 7.80 (https://nmap.org)
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
A side-by-side translation follows.
Target specification

| Option | Help text | Explanation |
|---|---|---|
| -iL <inputfilename> | Input from list of hosts/networks | Read the targets to scan from a file |
| -iR <num hosts> | Choose random targets | Pick random targets; if -iR is given 0, the scan never ends |
| --exclude <host1[,host2][,host3],...> | Exclude hosts/networks | Exclude hosts/networks |
| --excludefile <exclude_file> | Exclude list from file | Exclude the list read from a file |
Host discovery

| Option | Help text | Explanation |
|---|---|---|
| -sL | List Scan - simply list targets to scan | List scan: only enumerates the target IPs, performs no other scanning |
| -sn | Ping Scan - disable port scan | Ping scan, port scan disabled |
| -Pn | Treat all hosts as online -- skip host discovery | Treat all hosts as online; skip host discovery (no liveness check) |
| -PS/PA/PU/PY[portlist] | TCP SYN/ACK, UDP or SCTP discovery to given ports | Host discovery with TCP SYN ping / TCP ACK ping / UDP ping / SCTP ping to the given ports |
| -PE/PP/PM | ICMP echo, timestamp, and netmask request discovery probes | Discover hosts with ICMP echo, timestamp and netmask request packets |
| -PO[protocol list] | IP Protocol Ping | Use IP protocol packets to probe whether the host is up |
| -n/-R | Never do DNS resolution/Always resolve [default: sometimes] | Never reverse-resolve IPs to names / always reverse-resolve every target IP |
| --dns-servers <serv1[,serv2],...> | Specify custom DNS servers | Specify custom DNS servers |
| --system-dns | Use OS's DNS resolver | Use the operating system's DNS resolver |
| --traceroute | Trace hop path to each host | Trace the hop path to each host |
Scan techniques

| Option | Help text | Explanation |
|---|---|---|
| -sS/sT/sA/sW/sM | TCP SYN/Connect()/ACK/Window/Maimon scans | TCP SYN / TCP connect() / ACK / TCP Window / TCP Maimon scans |
| -sU | UDP Scan | UDP scan |
| -sN/sF/sX | TCP Null, FIN, and Xmas scans | TCP Null, FIN and Xmas scans |
| --scanflags <flags> | Customize TCP scan flags | TCP scan with custom flags |
| -sI <zombie host[:probeport]> | Idle scan | Idle scan |
| -sY/sZ | SCTP INIT/COOKIE-ECHO scans | SCTP INIT/COOKIE-ECHO scans |
| -sO | IP protocol scan | IP protocol scan |
| -b <FTP relay host> | FTP bounce scan | FTP bounce scan |
Port specification and scan order

| Option | Help text | Explanation |
|---|---|---|
| -p <port ranges> | Only scan specified ports | Only scan the specified ports |
| --exclude-ports <port ranges> | Exclude the specified ports from scanning | Exclude the specified ports from the scan |
| -F | Fast mode - Scan fewer ports than the default scan | Fast scan (limited set of ports) |
| -r | Scan ports consecutively - don't randomize | Do not scan ports in random order |
| --top-ports <number> | Scan <number> most common ports | Scan the <number> most common ports |
| --port-ratio <ratio> | Scan ports more common than <ratio> | Scan the ports whose frequency is higher than <ratio> |
Service and version detection

| Option | Help text | Explanation |
|---|---|---|
| -sV | Probe open ports to determine service/version info | Probe open ports to determine service/version information |
| --version-intensity <level> | Set from 0 (light) to 9 (try all probes) | Set the version scan intensity |
| --version-light | Limit to most likely probes (intensity 2) | Enable light mode |
| --version-all | Try every single probe (intensity 9) | Try every probe |
| --version-trace | Show detailed version scan activity (for debugging) | Trace version scan activity |
Script scan

| Option | Help text | Explanation |
|---|---|---|
| -sC | equivalent to --script=default | Run the default scripts for the services identified on each port; equivalent to --script=default |
| --script=<Lua scripts> | <Lua scripts> is a comma separated list of directories, script-files or script-categories | Names of the scripts to run |
| --script-args=<n1=v1,[n2=v2,...]> | provide arguments to scripts | Arguments passed to the scripts |
| --script-args-file=filename | provide NSE script args in a file | Pass script arguments from a text file |
| --script-trace | Show all data sent and received | Show all data sent and received |
| --script-updatedb | Update the script database | Update the script database |
| --script-help=<Lua scripts> | Show help about scripts. <Lua scripts> is a comma-separated list of script-files or script-categories. | Show help for the given Lua scripts |
OS detection

| Option | Help text | Explanation |
|---|---|---|
| -O | Enable OS detection | Enable operating system detection |
| --osscan-limit | Limit OS detection to promising targets | Limit OS detection to promising targets |
| --osscan-guess | Guess OS more aggressively | Guess the OS more aggressively |
Timing and performance

| Option | Help text | Explanation |
|---|---|---|
| -T<0-5> | Set timing template (higher is faster) | Set the timing template (higher is faster) |
| --min-hostgroup/max-hostgroup <size> | Parallel host scan group sizes | Adjust the size of the parallel host scan groups |
| --min-parallelism/max-parallelism <numprobes> | Probe parallelization | Adjust probe parallelism |
| --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time> | Specifies probe round trip time | Adjust probe timeouts |
| --max-retries <tries> | Caps number of port scan probe retransmissions | Maximum number of port scan probe retransmissions |
| --host-timeout <time> | Give up on target after this long | Give up on slow target hosts |
| --scan-delay/--max-scan-delay <time> | Adjust delay between probes | Adjust the interval between probes |
| --min-rate <number> | Send packets no slower than <number> per second | Send no fewer than <number> packets per second |
| --max-rate <number> | Send packets no faster than <number> per second | Send no more than <number> packets per second |
Firewall/IDS evasion and spoofing

| Option | Help text | Explanation |
|---|---|---|
| -f; --mtu <val> | fragment packets (optionally w/given MTU) | Fragment packets, optionally using the given MTU |
| -D <decoy1,decoy2[,ME],...> | Cloak a scan with decoys | Cloak the scan with decoys |
| -S <IP_Address> | Spoof source address | Spoof the source address |
| -e <iface> | Use specified interface | Use the specified interface |
| -g/--source-port <portnum> | Use given port number | Use the given source port |
| --proxies <url1,[url2],...> | Relay connections through HTTP/SOCKS4 proxies | Relay connections through HTTP/SOCKS4 proxies |
| --data <hex string> | Append a custom payload to sent packets | Append a custom payload to sent packets |
| --data-string <string> | Append a custom ASCII string to sent packets | Append a custom ASCII string to sent packets |
| --data-length <num> | Append random data to sent packets | Append random data to sent packets |
| --ip-options <options> | Send packets with specified ip options | Send packets with the given IP options |
| --ttl <val> | Set IP time-to-live field | Set the IP time-to-live field |
| --spoof-mac <mac address/prefix/vendor name> | Spoof your MAC address | Spoof the MAC address |
| --badsum | Send packets with a bogus TCP/UDP/SCTP checksum | Send packets with a bogus TCP/UDP/SCTP checksum |
Nmap output

| Option | Help text | Explanation |
|---|---|---|
| -oN/-oX/-oS/-oG <file> | Output scan in normal, XML, s\|<rIpt kIddi3, and Grepable format, respectively, to the given filename | Write normal output to the given file / write XML output / write "script kiddie" (mangled-case) output / write grepable output for processing with bash or perl |
| -oA <basename> | Output in the three major formats at once | Output in all three major formats at once |
| -v | Increase verbosity level (use -vv or more for greater effect) | Increase the verbosity of the output |
| -d | Increase debugging level (use -dd or more for greater effect) | Increase or set the debugging level |
| --reason | Display the reason a port is in a particular state | Show the reason a port is in a given state |
| --open | Only show open (or possibly open) ports | Only show ports whose state is open |
| --packet-trace | Show all packets sent and received | Trace the packets sent and received |
| --iflist | Print host interfaces and routes (for debugging) | List interfaces and routes |
| --append-output | Append to rather than clobber specified output files | Append to the output files instead of overwriting them |
| --resume <filename> | Resume an aborted scan | Resume an interrupted scan |
| --stylesheet <path/URL> | XSL stylesheet to transform XML output to HTML | Set the XSL stylesheet used to transform the XML output |
| --webxml | Reference stylesheet from Nmap.Org for more portable XML | Reference the XML stylesheet from nmap.org |
| --no-stylesheet | Prevent associating of XSL stylesheet w/XML output | Omit the XSL stylesheet declaration from the XML output |
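The grepable (-oG) format in the table above exists to be post-processed. As an added example (not code from the original post), the following Python parses a constructed -oG sample and flags open ports that are not on a per-host allowlist, which is how a defender turns a scan of their own network into a list of findings. The sample text, the allowlist and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not a real scan). Fields on a host
# line are tab-separated: "Host: ip (name)", "Ports: ...", "Ignored State: ...".
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Tue Mar 24 10:00:00 2020 as: nmap -sV -oG scan.gnmap 192.168.0.0/24\n"
    "Host: 192.168.0.1 ()\tStatus: Up\n"
    "Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.14.0/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n"
    "Host: 192.168.0.2 (db.example.internal)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.29/"
    "\tIgnored State: closed (999)\n"
    "# Nmap done at Tue Mar 24 10:00:12 2020 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds\n"
)

# Assumed allowlist: which open ports are expected on which host.
ALLOWLIST = {"192.168.0.1": {22, 80}, "192.168.0.2": set()}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return {ip: [(port, proto, state, service, version), ...]}.

    Comment lines and "Status:" lines carry no port data and are skipped.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = HOST_RE.match(line)
        if not m or "Ports" not in fields:
            continue
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[m.group(1)].append((int(port), proto, state, service, version))
    return dict(hosts)


def unexpected_open(hosts, allowlist):
    """List (ip, port, service) for open ports missing from the allowlist.

    A host absent from the allowlist has every open port reported.
    """
    findings = []
    for ip, ports in sorted(hosts.items()):
        allowed = allowlist.get(ip, set())
        for port, _proto, state, service, _version in ports:
            if state == "open" and port not in allowed:
                findings.append((ip, port, service))
    return findings
```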
Other options

| Option | Help text | Explanation |
|---|---|---|
| -6 | Enable IPv6 scanning | Enable IPv6 scanning |
| -A | Enable OS detection, version detection, script scanning, and traceroute | OS detection, version detection, script scanning and traceroute |
| --datadir <dirname> | Specify custom Nmap data file location | Specify a custom location for the Nmap data files |
| --send-eth/--send-ip | Send using raw ethernet frames or IP packets | Send raw Ethernet frames / send at the raw IP layer |
| --privileged | Assume that the user is fully privileged | Assume the user has full privileges |
| --unprivileged | Assume the user lacks raw socket privileges | Assume the user lacks raw socket privileges |
| -V | Print version number | Print version information |
| -h | Print this help summary page | Print this help summary page |
Examples
- nmap -v -A scanme.nmap.org
- nmap -v -sn 192.168.0.0/16 10.0.0.0/8
- nmap -v -iR 10000 -Pn -p 80
Posted to: Network Security
2020-03-24