Last updated: 2018-12-20
Preface
By default, Nmap does host discovery and then performs a port scan against each host it determines is online.
Contents
- ping test a batch of hosts
- Scripts
- - ssl-enum-ciphers.nse
- - http-cookie-flags.nse
Usage by example
Ping test a batch of hosts
# -sP is the old name of the ping scan (host discovery only, no port scan); newer Nmap calls it -sn
nmap -sP 10.50.100.1-255
OR
nmap -sP 10.50.100.0/24
OR
nmap -sP 10.50.100.*
OR
nmap -sP -iL IP_LIST.txt
- -iL filename # Input from list of hosts/networks (one host or network per line)
Disable reverse DNS resolution (faster, and the scan does not show up in the resolver's logs)
nmap -n x.y.z
TCP SYN Scan (-sS)
- SYN scan is faster (half-open: Nmap never completes the handshake, so no connection is established)
- but the target's IDS may detect it and flag it as an attack
- it sends raw packets, so it needs root; as root it is the default scan type
nmap -sS datahunter.org
TCP connect scan (-sT) against selected ports only
- -sT is the default scan type for a non-root user, because a non-root user cannot send raw packets (so -sS is unavailable)
- connect scan completes the full three-way handshake, so it is slower and the target service is more likely to log the connection
nmap -sT -p 21,80 192.168.0.1 # multi-port
OR
nmap -p 1-2000 192.168.0.1 # port range. Defaults to -sT when not root (-sS as root)
P.S.
-Pn (No ping) # some hosts do not answer ping, so Nmap would mark them down and skip them; add "-Pn" to skip host discovery and port scan them directly
Scan All reserved TCP ports
# -v Increase verbosity level (use -vv or more for greater effect)
nmap -v scanme.nmap.org
# the Nmap man page describes this example as scanning "all reserved TCP ports"; with no -p, current Nmap scans the default 1000 most common ports
TCP ACK scan (-sA)
Open and closed ports both answer the ACK probe with a RST packet. Nmap then labels them as unfiltered, meaning
that they are reachable by the ACK packet, but whether they are open or closed is undetermined.
Ports that do not answer (or answer with an ICMP unreachable) are labelled filtered, so -sA is for mapping firewall rules, not for finding open ports.
Fast (limited port) scan (-F)
Scan fewer ports than the default scan
Default: 1000 ports
Fast: 100 ports
UDP Scan (-sU)
# UDP scan: needs root (raw packets) and is slow, because a port that does not answer is reported open|filtered only after Nmap's retries time out
nmap -sU 192.168.0.1
Show only state open
--open # Show only open (or possibly open) ports
Example:
# find the hosts on the network that have a VNC service open (TCP 5900)
nmap --open -sS 192.168.88.2-254 -p 5900
Probe open ports to determine service/version info (-sV)
nmap -sV 192.168.0.1
Host is up (0.0047s latency).
Not shown: 987 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
25/tcp open  smtp    Postfix smtpd
Enable OS detection (-O)
nmap -sS -O scanme.nmap.org/24
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (96%), Linux 3.16 - 4.6 (95%), Linux 2.6.32 - 3.13 (95%), Linux 4.10 (93%), Linux 2.6.22 - 2.6.36 (93%), Linux 3.10 (93%), Linux 2.6.39 (93%), Linux 4.4 (92%), Linux 2.6.32 (92%)
...
Uptime guess: 3.039 days (since Tue Jun 21 09:19:10 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=263 (Good luck!)
...
OS detection is unreliable without a port scan: its probes work best with at least one open and one closed TCP port.
Use it together with a port scan type such as -sS, -sT or -sF, not with -sn.
Useful options:
- -Pn No ping: Treat all hosts as online -- skip host discovery
- -sn No port scan (host discovery only; the old spelling is -sP)
- -v Increase verbosity level
- -d Increase debugging level
- -M n at most n parallel probes (older option; the documented form is --max-parallelism n)
- -T<0-5> timing template for the scan (0 paranoid, 3 normal, 5 insane; higher is faster and noisier)
Port Range
-p n-m
Scripts
ssl-enum-ciphers.nse
Retrieve a list of the SSL/TLS cipher suites a particular website offers
[1]
This script repeatedly initiates SSLv3/TLS connections, each time trying a new cipher or compressor while recording whether a host accepts or rejects it.
# https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
# the script ships with Nmap; downloading it is only needed on an old install
wget http://nmap.org/svn/scripts/ssl-enum-ciphers.nse
# List ciphers supported by an HTTP server
nmap -sV --script ssl-enum-ciphers -p 443 www.example.com
The output line beginning with "least strength" shows the grade of the weakest cipher offered (the script grades each suite A to F, A being best).
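Added example, not code from these notes or from the Nmap project: a small shell gate that reads the output of the command above and fails when the server still offers a protocol older than TLS 1.2 or any cipher graded worse than a threshold (by default B). The script output embedded in it is constructed for the example (made-up host, suites and grades, in the layout ssl-enum-ciphers prints); the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes or from Nmap): grade the output of
#   nmap -sV --script ssl-enum-ciphers -p 443 <host>
# and fail when a pre-TLS1.2 protocol is offered or a cipher (and so the
# "least strength" line) is graded worse than a threshold. Use it as a CI gate:
#   nmap -sV --script ssl-enum-ciphers -p 443 host | check_tls_output B

# Constructed sample of ssl-enum-ciphers output (layout as the script prints
# it; the host, suites and grades are made up for this example).
SAMPLE_OUTPUT='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C'

# Protocol versions the server accepted, one per line (e.g. "TLSv1.0").
tls_protocols() {
  awk '/^\|[ ]*(SSLv[23]|TLSv1\.[0-3]):[ ]*$/ { sub(/^\|[ ]*/, ""); sub(/:.*/, ""); print }'
}

# The letter grade from the "least strength:" line (A best, F worst).
tls_least_strength() {
  awk '/least strength:/ { print $NF }'
}

# Cipher suites graded worse than $1 (default B), printed as "SUITE GRADE".
tls_weak_ciphers() {
  awk -v thr="${1:-B}" '
    BEGIN { ranks = "ABCDEF" }
    $1 == "|" && $2 ~ /^(TLS|SSL)_/ && $NF ~ /^[A-F]$/ &&
      index(ranks, $NF) > index(ranks, thr) { print $2, $NF }'
}

# Numeric rank of a grade so grades can be compared in the shell.
grade_rank() {
  case "$1" in A) echo 1 ;; B) echo 2 ;; C) echo 3 ;; D) echo 4 ;; E) echo 5 ;; F) echo 6 ;; *) echo 9 ;; esac
}

# Read script output on stdin, print findings, return 1 if anything fails.
check_tls_output() {
  local threshold="${1:-B}" rc=0 out proto least
  out="$(cat)"
  for proto in $(printf '%s\n' "$out" | tls_protocols); do
    case "$proto" in
      SSLv2|SSLv3|TLSv1.0|TLSv1.1) echo "FAIL: legacy protocol offered: $proto"; rc=1 ;;
    esac
  done
  printf '%s\n' "$out" | tls_weak_ciphers "$threshold" | sed 's/^/FAIL: weak cipher: /'
  least="$(printf '%s\n' "$out" | tls_least_strength)"
  if [ -z "$least" ]; then
    echo "FAIL: no 'least strength' line (did the script run against a TLS port?)"; rc=1
  elif [ "$(grade_rank "$least")" -gt "$(grade_rank "$threshold")" ]; then
    echo "FAIL: least strength $least is worse than $threshold"; rc=1
  else
    echo "OK: least strength $least"
  fi
  return "$rc"
}

# Stand-alone run on the constructed sample: fails on TLSv1.0 and the C-grade 3DES suite.
if printf '%s\n' "$SAMPLE_OUTPUT" | check_tls_output B; then echo "gate: PASS"; else echo "gate: FAIL"; fi
```

The protocol check is deliberately separate from the grade check: a TLSv1.0 listener whose ciphers all grade A still fails, because the version itself is the finding.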
[2]
Alternatives to the NSE script:
sslscan
# https://github.com/rbsec/sslscan
sslscan is a nice little utility.
sslyze
# https://github.com/iSECPartners/sslyze
This one is Python based and works on Linux/Mac/Windows from the command line.
http-cookie-flags.nse
# examines the Set-Cookie headers returned by the HTTP service and reports session cookies set without the httponly flag, or set over SSL without the secure flag
Download: https://svn.nmap.org/nmap/scripts/http-cookie-flags.nse
nmap -p 443 --script http-cookie-flags <target>
Output Format
Opts
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
* -oG <-- deprecated (the man page marks grepable output as deprecated in favour of XML; it still works and is handy for one-liners)
--open: Only show open (or possibly open) ports
Example: Grepable format
nmap -oG - -sT x.x.x.x -p 2222
# Nmap 5.21 scan initiated Tue Jul 24 18:23:12 2018 as: nmap -oG - -sT -p 2222 x.x.x.x
Host: x.x.x.x ()	Status: Up
Host: x.x.x.x ()	Ports: 2222/open/tcp//unknown///
# Nmap done at Tue Jul 24 18:23:12 2018 -- 1 IP address (1 host up) scanned in 0.05 seconds
To get the state of one port (open/closed/filtered ...):
# the 5th whitespace-separated field of the "Ports:" line is port/state/protocol/owner/service/rpc/version/
nmap -oG - -sT x.x.x.x -p 2222 | awk '/Ports: 2222/{print $5}'
2222/open/tcp//unknown///
nmap -oG - -sT x.x.x.x -p 2222 | awk '/Ports: 2222/{print $5}' | cut -d/ -f2
open
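The one-liner above answers one port on one host. Added example, not code from these notes or from the Nmap project: the shell functions below parse the same grepable format for many hosts and ports, and also cover the ping sweep at the top of the page (hosts reporting Status: Up) and the --open VNC search. The scan output embedded in them is constructed with made-up addresses and results; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes or from Nmap): helpers that parse
# grepable (-oG) output so one scan answers "which hosts are up?", "which hosts
# have port N open?" and "what state is port N on host X?".
# They read stdin, so use them as:  nmap -oG - ... | gnmap_ports

# Constructed sample of "-oG -" output for this example (tab-separated fields
# as Nmap writes them; hosts, ports and results are made up). Host .3 shows
# the "Ignored State" suffix Nmap appends when it collapses ports of one state.
sample_gnmap() {
  printf '# Nmap 7.70 scan initiated Thu Dec 20 10:00:00 2018 as: nmap -sS -v -oG - -p 22,80,5900 10.50.100.1-4\n'
  printf 'Host: 10.50.100.1 ()\tStatus: Up\n'
  printf 'Host: 10.50.100.1 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 5900/filtered/tcp//vnc///\n'
  printf 'Host: 10.50.100.2 (www)\tStatus: Up\n'
  printf 'Host: 10.50.100.2 (www)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 5900/open/tcp//vnc///\n'
  printf 'Host: 10.50.100.3 ()\tStatus: Up\n'
  printf 'Host: 10.50.100.3 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (2)\n'
  printf 'Host: 10.50.100.4 ()\tStatus: Down\n'
  printf '# Nmap done at Thu Dec 20 10:00:01 2018 -- 4 IP addresses (3 hosts up) scanned in 1.23 seconds\n'
}

# Hosts that answered host discovery (also works on plain "-sn -oG -" output).
gnmap_up_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# One row per reported port: "host port proto state service".
# The Ports: field is a comma-separated list of
#   port/state/protocol/owner/service/rpc/version/
# optionally followed by "Ignored State: <state> (<count>)".
gnmap_ports() {
  awk '/^Host:/ && /Ports:/ {
    host = $2
    list = $0
    sub(/.*Ports: /, "", list)
    sub(/[ \t]+Ignored State:.*/, "", list)
    n = split(list, entry, /, */)
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      print host, f[1], f[3], f[2], (f[5] == "" ? "-" : f[5])
    }
  }'
}

# Hosts on which port $1 is open (the "--open -p 5900" question above).
gnmap_hosts_with_open() {
  gnmap_ports | awk -v p="$1" '$2 == p && $4 == "open" { print $1 }'
}

# State of port $2 on host $1; empty when the host was down or the port was
# collapsed into "Ignored State" (so check for empty before trusting it).
gnmap_port_state() {
  gnmap_ports | awk -v h="$1" -v p="$2" '$1 == h && $2 == p { print $4 }'
}

# Stand-alone demo on the constructed sample.
echo "up hosts:";        sample_gnmap | gnmap_up_hosts
echo "vnc (5900) open:"; sample_gnmap | gnmap_hosts_with_open 5900
echo "all ports:";       sample_gnmap | gnmap_ports
```

Because the parser splits on the documented field order rather than on column position, it also copes with hostnames in the parentheses and with version strings from -sV in the seventh slot.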