Shulou (Shulou.com) 06/01 Report. Updated 2025-02-24.
Nmap scan command format
nmap [Scan Type(s)] [Options] {target specification}
Host scan
-sL (list scan), -sP (ping scan), -P0 (no ping), -PS [portlist] (TCP SYN ping), -PA [portlist] (TCP ACK ping), -PU [portlist] (UDP ping)
-PE; -PP; -PM (ICMP ping types), -PR (ARP ping)
Parameters: -n (no domain name resolution), -R (domain name resolution for all targets)
Multiple scanning methods can be specified at the same time
Port scan
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags: customize TCP scan flags
-sI: idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b: FTP bounce scan
nmap -sL **.10.87.1-255
nmap -PE **.10.87.1-255
nmap -PS80 **.10.87.1-255 (host discovery with a TCP SYN ping to port 80)
nmap -PR 192.168.1.1-255 (ARP ping scan)
nmap -Pn **.10.87.1-255 (do not use ping scanning; ping is generally blocked on the internet, so this is better suited to internet targets)
nmap -sP **.10.87.1-255 (fast ping scan)
The -sn parameter only detects live hosts and does not scan for any other information, for example:
nmap -Pn -sn **.10.87.1-255
Nmap - port scan
1. Single host scan
2. Multi-host scanning
3. Multi-port scanning
nmap -sS **.10.87.148 (default: 1000 ports)
nmap -sS **.10.87.1-255
nmap -sT **.10.87.1-255
nmap -sU **.10.87.1-255
nmap -sU -p 80,445 **.10.87.1-255
nmap -sT -v **.10.87.1-255 (enable verbose mode)
nmap -sU -p- **.10.87.1-255 (scan all ports)
Nmap - operating system detection
-O (enable operating system detection)
--osscan-limit (limit operating system detection to promising targets; if a target does not qualify, detection is skipped for it)
--osscan-guess; --fuzzy (guess the operating system detection result)
nmap -sT -O **.10.87.148
nmap -sT -p 3390 -O --osscan-limit **.10.87.148
nmap -sA -O **.10.87.148
Nmap - service detection
-sV
nmap -sV **.10.87.148
nmap -sV -p 22,53,110,143 **.10.87.1-255
Some advanced options for Nmap
nmap --iflist (view local routes and interfaces)
nmap -e <interface> **.10.87.148 (specify the network interface to send from; -e takes an interface name, not a MAC address)
nmap -T4 -F -n -Pn -D 192.168.1.100,192.168.1.101,192.168.1.102 <target> (address deception with decoy source addresses)
nmap -sV --spoof-mac 08:00:27:47:63:E6 **.10.87.148 (spoofed MAC address)
nmap -sV --source-port 900 **.10.87.148 (--source-port specifies the source port)
nmap -p1-25,80,512-515,2001,4001,9001 10.20.0.1/16 (scan Cisco routers)
nmap -sU -p69 -nvv 192.168.1.253 (scan the router's TFTP service)
nmap -O -F -n **.10.87.148 (-F: fast scan)
nmap -iR 100000 -sS -PS80 -p 445 -oG nmap.txt (generates 100000 random IP addresses and scans port 445 on each, writing the results to nmap.txt in greppable format, so that details of interest can be extracted from the output file with grep)
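Plain grep on an -oG file matches whole host lines, so a line also matches when port 445 is closed or filtered next to another open port. The following is an added example, not part of the original article: a shell function that splits each Ports: field of greppable output and reports only entries whose state is exactly open, for an exposure inventory of ranges you are responsible for. The function names and the sample data (192.0.2.0/24 documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# open_ports FILE [PORT]
# Print "ip port/proto service" for every open port in nmap -oG output.
# With PORT given, only that port is reported.
open_ports() {
    awk -F'\t' -v want="${2:-}" '
        /^Host: / {
            split($1, h, " ")            # "Host: <ip> (<name>)"
            ip = h[2]
            for (i = 2; i <= NF; i++) {  # remaining fields are tab-separated
                if ($i !~ /^Ports: /) continue
                n = split(substr($i, 8), entries, /, */)
                for (j = 1; j <= n; j++) {
                    # entry: port/state/proto/owner/service/rpc/version/
                    split(entries[j], f, "/")
                    if (f[2] != "open") continue   # skips closed, filtered, open|filtered
                    if (want != "" && f[1] != want) continue
                    print ip, f[1] "/" f[3], f[5]
                }
            }
        }' "$1"
}

# Constructed sample in -oG layout (not real scan results).
sample_scan() {
    printf '# Nmap scan initiated (constructed sample)\n'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 445/filtered/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 192.0.2.13 ()\tPorts: 69/open|filtered/udp//tftp///\n'
}

tmp=$(mktemp)
sample_scan > "$tmp"
open_ports "$tmp" 445
rm -f "$tmp"
```

UDP results reported as open|filtered are deliberately left out, since nmap could not confirm the port is open.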
Nmap - script usage
nmap --script=brute **.10.87.148 (brute-force cracking)
Reference:
http://drops.wooyun.org/tips/2188
Zmap installation
apt-get install build-essential cmake libgmp3-dev libpcap-dev gengetopt byacc flex git dwarfdump libjson0 libunistring-dev libunistring0
git clone https://github.com/zmap/zmap.git
cd zmap/
cmake -DENABLE_HARDENING=ON .
make
make install
Common options for Zmap
-p, --target-port=port: the TCP port number to scan (e.g. 443)
-o, --output-file=name: the file in which to save the scan results; "-" means screen output
-b, --blacklist-file=path: blacklist file listing, in CIDR notation, the subnets to exclude from the scan. See /etc/zmap/blacklist.conf
Zmap - general options
-n, --max-targets=n: the maximum number of targets, such as -n 1000 or -n 0.1% (of the scannable address space), excluding addresses in the blacklist
-N, --max-results=n: exit after receiving this many results
-t, --max-runtime=secs: the maximum length of time for sending packets
-B, --bandwidth=bps: set the sending rate as bandwidth, in bits/second (the rate in packets/second is set with -r, --rate=pps)
-c, --cooldown-time=secs: how long to keep receiving returned data after the last packet has been sent (default is 8 s)
-e, --seed=n: seed used to select the address ordering; use it if you want to run multiple zmap instances that scan the addresses in the same order
-T, --sender-threads=n: number of threads used to send packets (default 1)
-P, --probes=n: the number of probes sent to each IP (by default, one probe per IP)
-d, --dryrun: used when debugging; displays each packet on the screen but does not send it
Zmap - network options
-s, --source-port=port|range: the source port(s) from which packets are sent
-S, --source-ip=ip|range: the source IP address of the packets sent, which can be a single IP or a range (e.g. 10.0.0.1-10.0.0.9)
-G, --gateway-mac=addr: the MAC address of the gateway to which packets are sent (for use when automatic detection does not work)
Zmap - additional options
-C, --config=filename: load the configuration file
-q, --quiet: no longer print status updates every second
-g, --summary: after scanning, print the configuration and a summary of the results
-v, --verbosity=n: level of detail (0-5, default 3)
-h, --help: print help information
-V, --version: print the version
Zmap - simple examples
zmap -B 20m -p 80 -n 1000000 -o results.txt (scan port 80 on 1,000,000 random IP addresses at 20 Mbit/s)
zmap -B 20m -p 80 -n 1000000 -o results.txt -b /etc/zmap/blacklist.conf (using a blacklist file)
zmap -B 20m -p 80 -n 1000000 -o results.txt -s 889 (specify the source port)
Zmap - ICMP scanning
--probe-module=icmp_echoscan
zmap -B 20m -p 80 -n 1000000 -o results.txt --probe-module=icmp_echoscan
Zmap - UDP scanning
--probe-module=udp
zmap -B 20m -p 80 -n 1000000 -o results.txt --probe-module=udp
Zmap - using a configuration file
/etc/zmap/zmap.conf
zmap --config=/etc/zmap/zmap.conf