Nmap命令的常用实例

一、Nmap简介

nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统。
 
环境介绍:
我将用两个不同的部分来涵盖大部分NMAP的使用方法,这是nmap关键的第一部分。在下面的设置中,我使用两台已关闭防火墙的服务器来测试Nmap命令的工作情况。
 
  • 192.168.0.100 – server1.tecmint.com
  • 192.168.0.101 – server2.tecmint.com

Nmap语法:

nmap [Scan Type(s)] [Options] {target specification}

 

二、Nmap常用操作

1:批量ping扫描

[root@localhost ~]# nmap -sP 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:19 CST
Nmap scan report for192.168.1.1
Host is up (
0.0043s latency).
Nmap scan report
for 192.168.1.2
Host is up (
0.0040s latency).
Nmap scan report
for 192.168.1.3
Host is up (
0.0036s latency).
Nmap scan report
for 192.168.1.4
Host is up (
0.0042s latency).
Nmap scan report
for 192.168.1.5

2:仅列出指定网络上的每台主机,不发送任何报文到目标主机(隐蔽探测)

[root@localhost ~]# nmap -sL 192.168.1.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:22 CST
Nmap scan report for 192.168.1.0
Nmap scan report
for 192.168.1.1
Nmap scan report
for 192.168.1.2
Nmap scan report
for 192.168.1.3

3:探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)

[root@localhost ~]# nmap -PS 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:25 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0043s latency).
Not shown:
998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.06 seconds

4:使用UDP ping探测主机

[root@localhost ~]# nmap -PU 192.168.1.1

[root@localhost ~]# nmap -PU 192.168.1.0/24

5:使用SYN半开放扫描

[root@localhost ~]# nmap -sS 220.181.111.188
[root@localhost ~]# nmap -sS 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:29 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0048s latency).
Not shown:
998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.56 seconds

6:使用TCP扫描

[root@localhost ~]# nmap -sT 220.181.111.188
[root@localhost ~]# nmap -sT 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:32 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0044s latency).
Not shown:
998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 4.24 seconds

7:使用UDP扫描

[root@localhost ~]# nmap -sU 220.181.111.188
[root@localhost ~]# nmap -sU 220.181.111.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:34 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0039s latency).
Not shown:
999 open|filtered ports
PORT STATE SERVICE
161/udp filtered snmp

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

8:探测目标主机支持哪些IP协议

[root@localhost ~]# nmap -sO 220.181.111.188

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:35 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0054s latency).
Not shown:
255 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp

Nmap done: 1 IP address (1 host up) scanned in 2.73 seconds

9:探测目标主机操作系统

[root@localhost ~]# nmap -O 220.181.111.188
[root@localhost ~]# nmap -A 220.181.111.188


Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-04 14:36 CST
Nmap scan report for 220.181.111.188
Host is up (
0.0050s latency).
Not shown:
998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not
find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (
86%)
OS CPE: cpe:
/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (
86%)
No exact OS matches
for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.44 seconds

10:用主机名和IP地址扫描系统

Nmap工具提供各种方法来扫描系统。在这个例子中,我使用server2.tecmint.com主机名来扫描系统找出该系统上所有开放的端口,服务和MAC地址。

a)用主机名扫描系统

[root@server1 ~]# nmap server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.415 seconds
You have new mail
in /var/spool/mail/root

b)用IP地址扫描系统

[root@server1 ~]# nmap 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:04 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.465 seconds
You have new mail
in /var/spool/mail/root

11:扫描时使用-v选项

可以看到下面的命令使用“ -“选项后给出了远程机器更详细的信息。

[root@server1 ~]# nmap -v server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43
The ARP Ping Scan took
0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against server2.tecmint.com (
192.168.0.101) [1680 ports] at 15:43
Discovered open port
22/tcp on 192.168.0.101
Discovered open port
80/tcp on 192.168.0.101
Discovered open port
8888/tcp on 192.168.0.101
Discovered open port
111/tcp on 192.168.0.101
Discovered open port
3306/tcp on 192.168.0.101
Discovered open port
957/tcp on 192.168.0.101
The SYN Stealth Scan took
0.30s to scan 1680 total ports.
Host server2.tecmint.com (
192.168.0.101) appears to be up … good.
Interesting ports on server2.tecmint.com (
192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds

12:扫描多台主机

 简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。

[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds

13:扫描整个子网

使用*通配符来扫描整个子网或某个范围的IP地址。

[root@server1 ~]# nmap 192.168.0.*
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 EST
Interesting ports on server1.tecmint.com (192.168.0.100):
Not shown:
1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
851/tcp open unknown

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 seconds

14:使用IP地址的最后一个字节扫描多台服务器

简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。

[root@server1 ~]# nmap 192.168.0.101,102,103 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)
 

Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 seconds

15:从一个文件中扫描主机列表

如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。

创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。

[root@server1 ~]# cat > nmaptest.txt 
localhost
server2.tecmint.com
192.168.0.101

接下来运行带“iL” 选项的nmap命令来扫描文件中列出的所有IP地址

[root@server1 ~]# nmap -iL nmaptest.txt 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 EST
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1675 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp
857/tcp open  unknown
 

Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Interesting ports on server2.tecmint.com (
192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
958/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:
3 IP addresses (3 hosts up) scanned in 2.047 seconds

16:扫描一个IP地址范围

扫描一个IP地址范围

[root@server1 ~]# nmap 192.168.0.101-110 
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown: 1674 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
957/tcp  open  unknown
3306/tcp open  mysql
8888/tcp open  sun-answerbook
MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) 
Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds

17:排除一些远程主机后再扫描

在执行全网扫描或用通配符扫描时你可以使用“-exclude”选项来排除某些你不想要扫描的主机。

[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 seconds

18:扫描操作系统信息和路由跟踪

使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。

[root@server1 ~]# nmap -A 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
957/tcp open status 1 (rpc #100024)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http lighttpd 1.4.32
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches
for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V
=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)
TSeq(Class
=TR%IPID=Z%TS=1000HZ)
T1(Resp
=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp
=N)
T3(Resp
=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp
=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp
=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp
=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp
=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp
=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)

Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds

从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。

19:启用Nmap的操作系统探测功能

使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。

[root@server1 ~]# nmap -O server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)
No exact OS matches
for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V
=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)
TSeq(Class
=TR%IPID=Z%TS=1000HZ)
T1(Resp
=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp
=N)
T3(Resp
=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp
=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OS
R
%Ops=)
T5(Resp
=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp
=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp
=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp
=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)

Nmap finished: 1 IP address (1 host up) scanned in 11.064 seconds

20:扫描主机并侦测防火墙

扫描远程主机以探测该主机是否使用了包过滤器或防火墙。

[root@server1 ~]# nmap -sA 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:27 EST
All 1680 scanned ports on server2.tecmint.com (192.168.0.101) are UNfiltered
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.382 seconds

21:扫描主机检测是否有防火墙保护

扫描主机检测其是否受到数据包过滤软件或防火墙的保护。

[root@server1 ~]# nmap -PN 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds

22:找出网络中的在线主机

使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。

[root@server1 ~]# nmap -sP 192.168.0.*
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 EST
Host server1.tecmint.com (192.168.0.100) appears to be up.
Host server2.tecmint.com (
192.168.0.101) appears to be up.
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)
Nmap finished:
256 IP addresses (2 hosts up) scanned in 5.109 seconds

23:执行快速扫面

你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。

[root@server1 ~]# nmap -F 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1234 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds

24:顺序扫描端口

使用“-r”选项表示不会随机的选择端口扫描。

[root@server1 ~]# nmap -r 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds

25:打印主机接口和路由

你可以使用nmap的“–iflist”选项检测主机接口和路由信息。

[root@server1 ~]# nmap --iflist
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST
INTERFACES
DEV (SHORT) IP
/MASK TYPE UP MAC
lo (lo)
127.0.0.1/8 loopback up
eth0 (eth0)
192.168.0.100/24 ethernet up 08:00:27:11:C7:89

ROUTES
DST
/MASK DEV GATEWAY
192.168.0.0/0 eth0
169.254.0.0/0 eth0

 从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。

26:扫描特定的端口

使用Nmap扫描远程机器的端口有各种选项,你可以使用“-P”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。

[root@server1 ~]# nmap -p 80 server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) sca

26:扫描TCP端口

指定具体的端口类型和端口号来让nmap扫描。

[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

27:扫描UDP端口

[root@server1 ~]# nmap -sU 53 server2.tecmint.com
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
53/udp open http
8888/udp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds

28:扫描多个端口

使用选项“-P”来扫描多个端口。

[root@server1 ~]# nmap -p 80,443 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:56 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds

29:扫描多个端口

使用表达式来扫描某个范围内的端口。

[root@server1 ~]#  nmap -p 80-160 192.168.0.101

30:查找主机服务版本号

[root@server1 ~]# nmap -sV 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((CentOS))
111/tcp open rpcbind 2 (rpc #100000)
957/tcp open status 1 (rpc #100024)
3306/tcp open mysql MySQL (unauthorized)
8888/tcp open http lighttpd 1.4.32
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds

31:使用TCP ACK (PA)和TCP Syn (PS)扫描远程主机

有时候包过滤防火墙会阻断标准ICMP ping请求,在这种情况下,我们可以使用TCP ACKTCP Syn方法来扫描远程主机。

[root@server1 ~]# nmap -PS 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds

32:使用TCP ACK扫描远程主机上特定的端口

[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.166 seconds

33:使用TCP Syn扫描远程主机上特定的端口

[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.165 seconds

34:执行一次隐蔽的扫描

[root@server1 ~]# nmap -sS 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
8888/tcp open sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 0.383 seconds

35:执行TCP空扫描规避防火墙

[root@server1 ~]# nmap -sN 192.168.0.101
 

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 EST
Interesting ports on server2.tecmint.com (192.168.0.101):
Not shown:
1674 closed ports
PORT STATE SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
111/tcp open|filtered rpcbind
957/tcp open|filtered unknown
3306/tcp open|filtered mysql
8888/tcp open|filtered sun-answerbook
MAC Address:
08:00:27:D9:8E:D7 (Cadmus Computer Systems)

Nmap finished: 1 IP address (1 host up) scanned in 1.584 seconds

 

参考文献:http://www.cnblogs.com/hongfei

参考文献:https://baike.baidu.com/item/nmap/1400075?fr=aladdin