Nmap Cheat Sheet

Simple command examples

# Ping scan
nmap -sP 192.168.0.0/24

# Quick scan
nmap -T4 -F 192.168.1.1 -vvv

# Quick scan plus (more info but more aggressive)
nmap -sV -T4 -O -F --version-light 192.168.1.1 -vvv

# TCP SYN and UDP scan (requires root); -Pn skips host discovery
nmap -sS -sU -Pn -p T:80,T:445,U:161 192.168.1.1

# Soft nmap
nmap -v -Pn -n -T4 -sT -sV --version-intensity=5 --reason 192.168.1.1

# Full nmap
nmap -v -Pn -n -T4 -sT -p- --reason 192.168.1.1

# Dedicated nmap: version-probe only the ports found by the full scan
nmap -v -Pn -n -T4 -sV --version-intensity=5 -sT -p T:ports_found --reason <IP>

Extracting live IPs

# 1. Ping sweep, grepable output to stdout, keep the hosts reported as Up
nmap -n -sn 192.168.1.0/24 -oG - | awk '/Up$/{print $2}'

# 2. Hosts with at least one open port, taken from a saved grepable file
nmap 10.1.1.1 --open -oG scan-results; grep "/open" scan-results | cut -d " " -f 2 > exposed-services-ips
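The two pipelines above (and the `--open -oG` one in the host enumeration section) only work because of the fixed layout of grepable output, so it is worth seeing them run against a known input. The script below is an added example, not part of the original cheat sheet: it applies the same `awk`, `grep` and `cut` logic to a constructed sample of `-oG` output (the `SAMPLE_GREPABLE` variable and the three function names are mine), and adds a stricter awk variant that lists only ports whose state is exactly `open`, because `grep "/open"` also matches `open|filtered` entries from UDP scans.

```shell
#!/bin/sh
# Constructed sample of Nmap grepable (-oG) output; not from a real scan.
# Fields on a Host line are tab-separated, and each port entry has the shape
# port/state/proto/owner/service/rpc/version/
SAMPLE_GREPABLE=$(printf '%b\n' \
  '# Nmap scan initiated (constructed sample, not a real scan)' \
  'Host: 192.168.1.1 ()\tStatus: Up' \
  'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)' \
  'Host: 192.168.1.5 ()\tStatus: Down' \
  'Host: 192.168.1.7 ()\tStatus: Up' \
  'Host: 192.168.1.7 ()\tPorts: 161/open|filtered/udp//snmp///' \
  '# Nmap done -- 3 IP addresses (2 hosts up) scanned')

# Same logic as: nmap -n -sn <net> -oG - | awk '/Up$/{print $2}'
live_hosts() {
    printf '%s\n' "$SAMPLE_GREPABLE" | awk '/Up$/{print $2}'
}

# Same logic as: grep "/open" scan | cut -d " " -f 2
# Caveat: "/open" also matches "open|filtered", so 192.168.1.7 is listed too.
exposed_hosts() {
    printf '%s\n' "$SAMPLE_GREPABLE" | grep "/open" | cut -d " " -f 2
}

# Stricter: one "host port/proto" line per port whose state is exactly "open".
# Splitting on tabs keeps the Ports field separate from "Ignored State:".
open_ports() {
    printf '%s\n' "$SAMPLE_GREPABLE" | awk -F '\t' '
        /^Host: / && $2 ~ /^Ports: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            ports = $2; sub(/^Ports: /, "", ports)
            n = split(ports, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3]
            }
        }'
}

echo "Live hosts:";          live_hosts
echo "Hosts with /open:";    exposed_hosts
echo "Strictly open ports:"; open_ports
```

On the sample, `live_hosts` and `exposed_hosts` both return 192.168.1.1 and 192.168.1.7, while `open_ports` returns only 22/tcp and 80/tcp on 192.168.1.1, since the SNMP port is `open|filtered` rather than confirmed open. Replace the `printf` of `SAMPLE_GREPABLE` with `cat scan-results` to run the same functions on a real grepable file.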

Scan ranges

# Single host
nmap 192.168.1.1
# Host range
nmap 192.168.1.1-10
# CIDR block
nmap 192.168.1.0/24
# Hostname
nmap ghostwolflab.com
# Exclude a host from the range
nmap 192.168.1.0/24 --exclude 192.168.1.1
# Targets from a file, one per line
nmap -iL targets.txt

Protocol scans

# TCP SYN port scan
nmap -sS 192.168.1.1

# TCP CONNECT port scan 
nmap -sT 192.168.1.1

# UDP port scan
nmap -sU 192.168.1.1

# TCP ACK scan (firewall rule mapping, does not report open ports)
nmap -sA 192.168.1.1
# TCP Window scan
nmap -sW 192.168.1.1
# TCP Null scan (no flags set)
nmap -sN 192.168.1.1

# Ping scan (-sP is the old alias for -sn)
nmap -sP 192.168.0.0/24

Host enumeration

# List scan: only list/resolve the targets, no packets sent to them
nmap -sL 192.168.1.1
# Host discovery only, no port scan
nmap -sn 192.168.1.1
# Skip host discovery, treat every host as up
nmap -Pn 192.168.1.1
# No DNS resolution
nmap 192.168.1.1 -n
nmap -A -T4 <IP/domain>
nmap -T4 -p 1-65535 <IP/domain>  // full port scan
nmap -T4 <IP/domain> --spoof-mac 0  // spoof MAC address (0 = random)
nmap -T4 -f <IP/domain>  // fragment probe packets
nmap -D <IP1>,<IP2>,... <IP/domain>  // decoy scan: decoy source IPs with the scanner's own IP among them
nmap -D RND:<count> <IP/domain>  // random decoy IPs
nmap --spoof-mac 0 --data-length 24 -T4 -f --mtu 16 -D RND -sS -sV -p 1-65535 -n -oA <outfile> <IP/domain>
// high-evasion scan

# Hosts with at least one open port, from grepable output
nmap <IP range> --open -oG scan; grep "/open" scan | cut -d " " -f 2 > active
cat active

Fingerprinting

nmap -p 20 192.168.1.1
nmap -p 20-100 192.168.1.1
nmap -p U:53,T:25-100 192.168.1.1
nmap -p http,https 192.168.1.1

# All ports
nmap -p- 192.168.1.1

# Fast port scan (100 most common ports)
nmap 192.168.1.1 -F

# Top X ports
nmap 192.168.1.1 --top-ports 2000

# Try to get service version
nmap 192.168.1.1 -sV

# Version probe intensity 0-9 (default 7)
nmap 192.168.1.1 -sV --version-intensity 3

# Light mode but faster
nmap 192.168.1.1 -sV --version-light

# Equivalent to --version-intensity 9 (slowest, most thorough)
nmap 192.168.1.1 -sV --version-all

# Aggressive mode (OS Detection, version, script, traceroute)
nmap 192.168.1.1 -A

# OS Detection using TCP/IP
nmap 192.168.1.1 -O 

# Skip OS detection for hosts without at least one open and one closed port
nmap 192.168.1.1 -O --osscan-limit

# Guess the OS more aggressively when no exact match is found
nmap 192.168.1.1 -O --osscan-guess

# Set the maximum number x of OS detection tries against a target 
nmap 192.168.1.1 -O --max-os-tries 2

NSE scripts

# Run the default script set (same as --script default)
nmap 192.168.1.1 -sC
nmap 192.168.1.1 --script default
# Run a named script or category
nmap 192.168.1.1 --script=xxx
# Pass arguments to scripts
nmap 192.168.1.1 --script=xxx --script-args xx=xx
# Category expression: everything not in the "intrusive" category
nmap 192.168.1.1 --script "not intrusive"

VulScan

Database sources:

  • Scipvuldb: http://www.scip.ch/en/?vuldb
  • Cve: http://cve.mitre.org
  • Osvdb: http://www.osvdb.org
  • Securityfocus: http://www.securityfocus.com/bid/
  • Securitytracker: http://www.securitytracker.com
  • Xforce: http://xforce.iss.net
  • Exploitdb: http://www.exploit-db.com
  • Openvas: http://www.openvas.org

Download and install into the Nmap scripts folder:

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar -xzvf nmap_nse_vulscan-2.0.tar.gz && sudo cp -r vulscan/ /usr/share/nmap/scripts/

The database files from the sources above also have to be downloaded and placed in: /usr/share/nmap/scripts/vulscan/

# Scan against all databases
nmap -sV --script=vulscan HOST_A_ESCANEAR

# Scan against a specific database
nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST_A_ESCANEAR

Configuration options

# Scan speed (timing templates)
# T0-T1 : Slow (useful for Intrusion Detection System evasion)
# T2-T3 : Normal
# T4-T5 : Aggressive (needs a reliable, fast network)
nmap 192.168.1.1 -T0

# Give up on a host after this long
nmap 192.168.1.1 --host-timeout 10s

# Delay between probes
nmap 192.168.1.1 --scan-delay 1s
nmap 192.168.1.1 --max-scan-delay 2s

# Cap probe retransmissions
nmap 192.168.1.1 --max-retries 3

# Send no slower (--min-rate) or no faster (--max-rate) than 100 packets/second
nmap 192.168.1.1 --min-rate 100
nmap 192.168.1.1 --max-rate 100

# If you need to scan a large network in a short period of time
# you can set a timeout value per host for connection attempts
# See: https://nmap.org/book/ncat-man-timing-options.html
nmap 192.168.0.0/16 --host-timeout <msec>

Evasion

# Tiny fragmented packets
nmap 192.168.1.1 -f

# Set your own fragment size (must be a multiple of 8)
nmap 192.168.1.1 --mtu 32

# Scan Facebook from Microsoft
nmap -S www.microsoft.com www.facebook.com

# Use a specific source port
nmap 192.168.1.1 -g 53

# Proxy
nmap 192.168.1.1 --proxies http://X.X.X.X:8080

# Append random data to sent packets
nmap 192.168.1.1 --data-length 200


Output

# Save result (oN=normal oX=xml oG=grepable oA=all)
nmap 192.168.1.1 -oN scanResult.file

# Verbosity level (one v or more) and debugging level
nmap 192.168.1.1 -vvvvvv
nmap 192.168.1.1 -ddd

# Reason for the port state (equivalent to -vv)
nmap 192.168.1.1 --reason

# Show only open ports
nmap 192.168.1.1 --open

# Show all packets sent and received
nmap 192.168.1.1 --packet-trace

# Show the host interface and routes
nmap 192.168.1.1 --iflist

# Resume an aborted scan from its normal (-oN) or grepable (-oG) output file
nmap --resume scan.file