Linux command – nmap


Test environment: CentOS 7 x86_64 virtual machine.

Normally we configure a firewall (iptables) to control which services may be reached from outside. Once the rules are in place, nmap can be run against the host to check which services (TCP ports) are actually exposed, rather than trusting the rule set as written.

The package name is simply nmap:

[root@localhost ~]# yum install nmap
[root@localhost ~]# nmap 10.32.76.21
Starting Nmap 7.70 ( https://nmap.org ) at 2022-01-05 16:33 CST
Nmap scan report for 10.32.76.21
Host is up (0.000010s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http

Nmap done: 1 IP address (1 host up) scanned in 1.71 seconds
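To turn the check above into something repeatable, the scan can be written as XML (nmap's own machine-readable format, selected with -oX; "-oX -" sends it to stdout) and compared with the list of ports that are supposed to be open. The script below is an added example for this page, not code from nmap or from the original article. The embedded XML is constructed to mirror the scan of 10.32.76.21 shown above (22 and 80 open), with one extra filtered 3306 entry added to show how non-open states are ignored; the allowlist is likewise made up for the demonstration.

```python
"""Compare nmap -oX output with an allowlist of ports that are meant to be
reachable.  Added example for this page; not nmap's code.  SAMPLE_XML and
the allowlist are constructed."""
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX - 10.32.76.21`, trimmed to the elements
# this script reads; real output carries many more attributes.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX - 10.32.76.21" version="7.70">
  <host>
    <status state="up" reason="localhost-response"/>
    <address addr="10.32.76.21" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" method="table"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" method="table"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered" reason="no-response"/>
        <service name="mysql" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return {addr: {(proto, port): service}} for every port whose state is
    'open' or 'open|filtered'.  'closed' and 'filtered' are skipped: neither
    is reachable from where the scan was run."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state not in ("open", "open|filtered"):
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        result[addr_el.get("addr")] = open_ports
    return result


def unexpected_exposures(observed, allowed):
    """Open ports that are not in the allowlist for their host.
    allowed: {addr: {(proto, port), ...}}; a host absent from the allowlist
    is treated as allowing nothing, so every open port on it is a finding."""
    findings = {}
    for addr, ports in observed.items():
        extra = {p: svc for p, svc in ports.items()
                 if p not in allowed.get(addr, set())}
        if extra:
            findings[addr] = extra
    return findings


def scan_to_xml(target, extra_args=()):
    """Run nmap and return its XML report ('-oX -' writes XML to stdout).
    Needs nmap on PATH; the offline demo below does not call it."""
    cmd = ["nmap", "-oX", "-", *extra_args, target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed policy: only ssh should be reachable, so http is a finding.
    allowlist = {"10.32.76.21": {("tcp", 22)}}
    observed = parse_open_ports(SAMPLE_XML)
    for addr, extra in unexpected_exposures(observed, allowlist).items():
        for (proto, port), svc in sorted(extra.items()):
            print(f"{addr}: {port}/{proto} ({svc}) is open but not allowlisted")
```

Swapping SAMPLE_XML for scan_to_xml("10.32.76.21") turns this into a post-change check that fails loudly when a firewall edit exposes something it should not.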

Besides scanning a target directly, the following options are commonly used.

--iflist: Print host interfaces and routes (for debugging)
First, --iflist shows the local host's interfaces and routing table, which tells you which interface and source address a scan will leave from.

[root@localhost ~]# nmap --iflist

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 22:15 EDT
************************INTERFACES************************
DEV        (SHORT)      IP/MASK                      TYPE     UP   MTU   MAC
lo         (lo)         127.0.0.1/8                  loopback up   65536
lo         (lo)         ::1/128                      loopback up   65536
virbr0-nic (virbr0-nic) (null)/0                     ethernet down 1500  52:54:00:61:5D:80
virbr0     (virbr0)     192.168.122.1/24             ethernet up   1500  52:54:00:61:5D:80
ens33      (ens33)      192.168.95.129/24            ethernet up   1500  00:0C:29:EB:F1:61
ens33      (ens33)      fe80::fbcb:9dff:259b:f6ea/64 ethernet up   1500  00:0C:29:EB:F1:61

**************************ROUTES**************************
DST/MASK                      DEV    METRIC GATEWAY
192.168.122.0/24              virbr0 0
192.168.95.0/24               ens33  100
0.0.0.0/0                     ens33  100    192.168.95.2
::1/128                       lo     0
fe80::fbcb:9dff:259b:f6ea/128 lo     0
fe80::/64                     ens33  100
fe80::/64                     ens33  256
ff00::/8                      ens33  256

-sO: IP protocol scan
Next, -sO lists which IP protocols the target responds to, such as TCP, UDP, ICMP and so on. The target may be a hostname or an IP address, and a range can be given (e.g. 192.168.95.129-130). A protocol reported as open|filtered drew no response at all (no ICMP protocol-unreachable came back), so nmap cannot tell whether the host supports it or a firewall silently dropped the probe.

[root@localhost ~]# nmap -sO 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 23:01 EDT
Nmap scan report for 192.168.95.129
Host is up (0.000014s latency).
Not shown: 249 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
103      open|filtered pim
136      open|filtered udplite
255      open|filtered unknown

Other commonly used scan types:
-sS/sT/sA/sW/sM: TCP SYN / Connect() / ACK / Window / Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans

Let us look at how a TCP connection is established. TCP uses a three-way handshake: the client and server exchange three messages before any data is transferred. The steps are:

  1. The client sends a "SYN" segment to the server to request a connection.
  2. If the server is willing to accept the connection, it replies with a "SYN-ACK".
  3. When the client receives that "SYN-ACK" it answers with an "ACK", and both sides now know that data transfer can begin.

Data transfer then starts. For more on the packet format see the tcpdump command – https://benjr.tw/96904 .

-sT (TCP connect scan)
Completes the normal three-way handshake through the operating system's connect() call, so it needs no special privileges. The downside is that the target application really accepts each connection and may log it.

[root@localhost ~]# nmap -sT 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 22:45 EDT
Nmap scan report for 192.168.95.129
Host is up (0.000023s latency).
All 1000 scanned ports on 192.168.95.129 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

-sS (TCP SYN scan)
Sends the SYN and reads the reply, but instead of finishing the handshake with an ACK the half-open connection is torn down with a RST. A SYN-ACK means the port is open, a RST means closed, and no reply means filtered. Because it crafts raw packets it needs root, and it is nmap's default scan when run as root (note "SYN Stealth Scan" in the -v output below).

[root@localhost ~]# nmap -sS 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 23:26 EDT
Nmap scan report for 192.168.95.129
Host is up (0.000016s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
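The handshake description and the -sT / -sS sections above come down to one difference: a connect scan lets the kernel finish the handshake and hand the connection to the application, while a SYN scan stops after the SYN-ACK. The script below is an added example for this page (not nmap's code) that performs a minimal connect scan against a constructed local listener and counts how many connections the "service" actually saw; the listener, the target 127.0.0.1 and the ports are all made up here so it runs offline without root. A raw-socket SYN scan is not reproduced because it needs root and raw packet access.

```python
"""A minimal TCP connect scan, the technique behind nmap -sT, run against
a local listener.  Added example for this page, not nmap's code; the
listener, target and ports are constructed so it runs offline."""
import socket
import threading


def start_listener(accepted):
    """TCP server on an ephemeral loopback port.  Each accepted connection's
    peer address is appended to `accepted`, standing in for what a real
    daemon would write to its log.  Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            accepted.append(peer)
            conn.close()
        # Drain connections still queued in the backlog before closing.
        srv.setblocking(False)
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                break
            accepted.append(peer)
            conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join(timeout=2)

    return srv.getsockname()[1], stop_fn


def connect_scan(host, ports, timeout=0.5):
    """Classify ports as nmap -sT does.  connect() returning means the kernel
    ran the full SYN / SYN-ACK / ACK handshake -> open; ECONNREFUSED means
    the target answered the SYN with RST -> closed; a timeout means no reply
    -> filtered.  The socket is then closed, ending the connection normally."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except OSError:              # includes socket.timeout
            states[port] = "filtered"
        finally:
            s.close()
    return states


def unbound_port():
    """Pick a port nothing listens on: bind to 0, read the number, release."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one listening and one unbound loopback port.  Returns the two
    states and how many connections the listener saw; a SYN scan, which
    never sends the final ACK, would leave that count at zero."""
    accepted = []
    open_port, stop = start_listener(accepted)
    closed_port = unbound_port()
    states = connect_scan("127.0.0.1", [open_port, closed_port])
    stop()
    return states[open_port], states[closed_port], len(accepted)


if __name__ == "__main__":
    open_state, closed_state, seen = demo()
    print(f"listening port -> {open_state}, unbound port -> {closed_state}")
    print(f"listener accepted {seen} connection(s) from the scan")
```

The accepted count is the practical point: when checking a firewall with -sT, expect the services behind the open ports to record a connection from the scanning host, whereas -sS leaves only a half-open SYN that the application never sees.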

-sU (UDP scan)
Scans UDP ports. UDP has no handshake: a port is reported closed only when an ICMP port-unreachable comes back, open only when the service answers the probe, and open|filtered when nothing is received at all, which is why most results look like the two below. It is also much slower than a TCP scan, because the missing replies force retransmissions.

[root@localhost ~]# nmap -sU 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 23:32 EDT
Nmap scan report for 192.168.95.129
Host is up (0.000017s latency).
Not shown: 998 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
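To make the open|filtered result above concrete, here is an added example for this page (not nmap's code) that probes three constructed local UDP "services": one that answers, one that is bound but stays silent, and one port with nothing bound. The listeners, the loopback target and the one-byte probe payload are all assumptions of the example; the classification rules are the ones nmap -sU applies.

```python
"""Why -sU results are mostly open|filtered.  Added example for this page,
not nmap's code.  A probe datagram is sent to each port: a reply means
open, an ICMP port-unreachable (surfaced by the kernel as ECONNREFUSED on
a connected UDP socket) means closed, and silence can only be reported as
open|filtered.  The three local 'services' and the payload are constructed."""
import socket
import threading


def udp_probe(host, port, payload=b"\x00", timeout=0.5):
    """Classify one UDP port the way nmap -sU does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # connected socket so ICMP errors are reported
        s.send(payload)
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"           # ICMP type 3 code 3 (port unreachable) came back
    except socket.timeout:
        return "open|filtered"    # no answer: ignored by a service, or dropped by a firewall
    finally:
        s.close()


def start_echo_service():
    """UDP service that answers every datagram, as DNS or NTP would to a
    well-formed query.  Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(1024)
            except socket.timeout:
                continue
            srv.sendto(data, peer)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop_fn():
        stop.set()
        t.join(timeout=2)

    return srv.getsockname()[1], stop_fn


def start_silent_service():
    """UDP socket that is bound but never replies, as many services do when
    the payload is not their protocol.  Indistinguishable from a firewall
    drop from the scanner's side.  Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv.getsockname()[1], srv.close


def unbound_port():
    """A port with nothing bound: bind to 0, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe an answering, a silent and an unbound port; return their states."""
    echo_port, stop_echo = start_echo_service()
    silent_port, stop_silent = start_silent_service()
    closed_port = unbound_port()
    try:
        return (udp_probe("127.0.0.1", echo_port),
                udp_probe("127.0.0.1", silent_port),
                udp_probe("127.0.0.1", closed_port))
    finally:
        stop_echo()
        stop_silent()


if __name__ == "__main__":
    for label, state in zip(("answering", "silent", "unbound"), demo()):
        print(f"{label:>9} port -> {state}")
```

The unbound port normally comes back closed via ICMP, but on a host or container that suppresses or rate-limits ICMP it degrades to open|filtered as well, which is exactly the ambiguity the nmap output above reflects.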

Other commonly used options:
-v: Increase verbosity level

[root@localhost ~]# nmap -v 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 21:42 EDT
Initiating Parallel DNS resolution of 1 host. at 21:42
Completed Parallel DNS resolution of 1 host. at 21:42, 0.12s elapsed
Initiating SYN Stealth Scan at 21:42
Scanning 192.168.95.129 [1000 ports]
Discovered open port 22/tcp on 192.168.95.129
Discovered open port 3306/tcp on 192.168.95.129
Completed SYN Stealth Scan at 21:42, 0.05s elapsed (1000 total ports)
Nmap scan report for 192.168.95.129
Host is up (0.000014s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
           Raw packets sent: 1000 (44.000KB) | Rcvd: 2002 (84.088KB)

-A: enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; followed by the target. Because -A also runs the default NSE scripts, it is the noisiest option shown here; the ssh-hostkey and mysql-info output below comes from those scripts.

[root@localhost ~]# nmap -A -T4 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 21:52 EDT
Nmap scan report for 192.168.95.129
Host is up (0.00026s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 ef:e3:b7:30:f0:84:05:c0:d2:d8:40:82:64:87:3f:08 (RSA)
|_256 b3:ff:1f:39:ec:df:28:80:19:34:80:f7:96:7d:1b:88 (ECDSA)
3306/tcp open  mysql?
| mysql-info: MySQL Error detected!
| Error Code was: 1130
|_Host '192.168.95.129' is not allowed to connect to this MariaDB server
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.18 seconds

-O: Enable OS detection

[root@localhost ~]# nmap -O 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 21:54 EDT
Nmap scan report for 192.168.95.129
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds

-sV (Version detection; the older -sR RPC scan option is now just an alias for -sV). A trailing ?, as in mysql? below, means the port answered but nmap could not match the response to a known service signature.

[root@localhost ~]# nmap -sV 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 21:56 EDT
Nmap scan report for 192.168.95.129
Host is up (0.000015s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open  mysql?
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

-6: Enable IPv6 scanning

[root@localhost ~]# nmap -6 fe80::fbcb:9dff:259b:f6ea

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 22:06 EDT
Nmap scan report for localhost.localdomain (fe80::fbcb:9dff:259b:f6ea)
Host is up (0.000028s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 10.14 seconds

-p <port ranges>: Only scan specified ports, e.g. -p 22,80,443, -p 1-1024, or -p- for all 65535 ports. Without -p, nmap scans its 1000 most common ports, which is where the "1000 ports" counts in the outputs above come from.

[root@localhost ~]# nmap -p 80 192.168.95.129

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-26 22:08 EDT
Nmap scan report for 192.168.95.129
Host is up (0.00024s latency).
PORT   STATE  SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds