2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Nmap description:
Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to scan large networks quickly, although it works just as well against a single host. Nmap uses raw IP packets in novel ways to discover which hosts are on the network, what services those hosts provide (application names and versions), what operating systems they are running (including version information), what type of packet filters/firewalls they use, and many other characteristics. Although Nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as viewing information about the whole network, managing service upgrade plans, and monitoring hosts and services.

Nmap outputs a list of scanned targets, with supplementary information for each target depending on the options used. The key part is the "interesting ports table", which lists the port number, protocol, service name, and state. The state is open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle prevents the port from being reached, so Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, but they may open at any time. Ports are considered unfiltered when they respond to Nmap probes but Nmap cannot determine whether they are open or closed. If Nmap reports the state combinations open|filtered or closed|filtered, it cannot determine which of the two states the port is in. When version detection is requested, the port table can also contain version information for the software.

When an IP protocol scan is requested (-sO), Nmap provides information about the supported IP protocols rather than the listening ports. In addition to the interesting ports table, Nmap can provide further information about the target, including reverse DNS names, operating system guesses, device types, and MAC addresses. A typical Nmap scan is shown in Example 1, "A typical Nmap scan". In this example, the only options are -A, for probing the operating system and its version, and -T4 for faster execution, followed by two target hostnames.
# 1: scan a single IP or hostname (IPv4)
## Scan a single IP address ##
nmap 192.168.1.1
## Scan a hostname ##
nmap weibo.com
## See more information about the hostname ##
nmap -v weibo.com
# 2: scan multiple IP or network segments (IPv4)
## Scan multiple IP addresses ##
nmap 192.168.1.1 192.168.1.2 192.168.1.3
nmap 192.168.1.1,2,3
Scan an IP range:
nmap 192.168.1.1-20
You can use an IP wildcard:
nmap 192.168.1.*
You can of course also scan an entire subnet:
nmap 192.168.1.0/24
# 3: read external host list file for scanning (IPv4)
When you need to scan a large number of hosts, you can save the list of hosts in a separate file; nmap can then read the file and scan them in a batch.
The format of the file content is as follows:
www.weibo.com
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
Nmap reads the file with the -iL parameter (case sensitive):
nmap -iL /tmp/hostlist.txt
# 4: Excluding hosts/networks (IPv4)
When you want to scan an IP range that also contains hosts you do not want to scan, you can exclude them:
nmap 192.168.10.0/24 --exclude 192.168.10.5
nmap 192.168.10.0/24 --exclude 192.168.10.5,192.168.10.254
The exclusions can also be read from a file:
nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt
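An added example, not from the original article: a pre-flight check in Python that expands the target formats from sections 2 to 4 (CIDR blocks, octet ranges, wildcards, comma lists) and reports which exclusion entries actually overlap the host list, so a mistyped exclusion is caught before the scan runs. The function names and the sample exclusion list are assumptions made for this illustration, and the parser goes slightly beyond the text by handling all of those formats together.

```python
import ipaddress
import itertools
import re

# One octet of an nmap IPv4 target: "*", "7", "1-20" or "1,2,3".
OCTET = re.compile(r"^(\*|\d+(-\d+)?(,\d+(-\d+)?)*)$")

def octet_values(part):
    if part == "*":
        return range(256)
    spans = (p.partition("-") for p in part.split(","))
    return [v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)]

def expand(spec):
    """Addresses covered by one target entry, or None for a hostname."""
    try:
        if "/" in spec:
            # strict=False accepts 192.168.1.1/24 (host bits set)
            return set(ipaddress.ip_network(spec, strict=False))
        parts = spec.split(".")
        if len(parts) == 4 and all(OCTET.match(p) for p in parts):
            combos = itertools.product(*map(octet_values, parts))
            return {ipaddress.ip_address(".".join(map(str, c))) for c in combos}
    except ValueError:
        pass
    return None  # hostname or unparsable entry: needs DNS before it can be checked

def check_scope(target_text, exclude_text):
    """Compare an -iL style host list with an --excludefile style list."""
    report = {"hostnames": [], "effective": [], "no_effect": []}
    targets, excluded = set(), set()
    for spec in target_text.split():        # entries are whitespace-separated
        addrs = expand(spec)
        if addrs is None:
            report["hostnames"].append(spec)
        else:
            targets |= addrs
    for spec in exclude_text.split():
        addrs = expand(spec)
        if addrs is None:
            report["hostnames"].append(spec)
        else:
            excluded |= addrs
            report["effective" if addrs & targets else "no_effect"].append(spec)
    report["addresses_left"] = len(targets - excluded)
    return report

# Constructed sample data: the host list shown above, and exclusions with one typo.
HOSTLIST = "www.weibo.com\n192.168.1.0/24\n192.168.1.1/24\n10.1.2.3\nlocalhost\n"
EXCLUDES = "192.168.1.5\n192.168.1.254\n192.168.10.5\n"
```

An entry listed under `no_effect` excludes nothing from this host list, and entries under `hostnames` have to be resolved before their scope can be confirmed.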
# 5: scan common ports and enable operating system probe (IPv4)
nmap -A 192.168.10.254
nmap -v -A 192.168.10.1
nmap -A -iL /tmp/scanlist.txt
This detects common ports, analyzes the higher-level protocols, estimates which operating system the host most resembles, and reports routing information.
# 6: find out whether the host is protected by a firewall
This command sends ACK packets instead of SYN packets, because if a firewall is working on the remote computer it does not log ACK packets, and it responds to ACK packets in the same way as to SYN packets. A TCP ACK scan requires root privileges to start (run Nmap as root), and it works well against stateless firewalls and IDS. As a tester, you need to check the firewall's response. There are four possible types of response:
1. Open port (the firewall allows a few ports to be open)
2. Closed port (most ports are closed because of the firewall)
3. Filtered (Nmap is not sure whether the port is open or closed)
4. Unfiltered (Nmap can access this port, but it is not clear whether the port is open)
This makes it easy to find out whether the target computer has a firewall enabled: with a simple ACK scan, the probability of being detected by the target is lower, while the chance of finding the firewall is higher. Let's take a look at the results of the following SYN scan when the firewall is on and off:
# 7: skip host survival detection
nmap -PN 192.168.1.1
nmap -PN www.weibo.com
# 8: scan an IPv6 address
Nmap uses IPv4 by default. To scan over IPv6, set the -6 parameter.
nmap -6 IPv6-Address-Here
nmap -6 server1.weibo.com
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4
# 9: find online IP
Use the ICMP protocol to detect hosts:
nmap -sP 192.168.10.
# 10: fast port scan
Detect common ports:
nmap -F 192.168.10.1
# 11: display the port state and the reason a port is in that state
The --reason parameter shows why a port is reported in its current state. As shown in the following figure, when nmap runs a scan with the --reason option, a REASON field appears at the end of each line to tell you why the port is in that state. Generally speaking, a response of SYN-ACK indicates an open port, while conn-refused or reset usually means the port is closed. No response (no-response) most likely means the probe was blocked by a firewall.
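An added example, not from the original article: a Python parser for the port table of a scan run with --reason, which groups ports by state and flags the rows that the rule of thumb above does not settle. The sample output is constructed for illustration and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of normal-format output from a scan run with --reason
# (illustrative values, not output captured from a real host).
SAMPLE = """\
Nmap scan report for 192.168.1.1
PORT     STATE         SERVICE    REASON
22/tcp   open          ssh        syn-ack
80/tcp   open          http       syn-ack
443/tcp  closed        https      reset
8080/tcp filtered      http-proxy no-response
53/udp   open|filtered domain     no-response
"""

# port/proto, state, service, first word of the reason column
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)")

# Rule of thumb from the text: the state each reason usually indicates.
EXPECTED = {"syn-ack": "open", "conn-refused": "closed",
            "reset": "closed", "no-response": "filtered"}

def parse_port_table(text):
    """Return one dict per port row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, service, reason = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "reason": reason})
    return rows

def group_by_state(rows):
    groups = defaultdict(list)
    for r in rows:
        groups[r["state"]].append(f'{r["port"]}/{r["proto"]}')
    return dict(groups)

def needs_review(rows):
    """Rows with a combined state, or a state the reason does not explain."""
    return [(r["port"], r["proto"], r["state"], r["reason"]) for r in rows
            if "|" in r["state"] or EXPECTED.get(r["reason"]) != r["state"]]
```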
# 12: only open (or possibly open) ports are displayed.
nmap --open 192.168.1.1
nmap --open server1.weibo.com
# 13: displays all packets sent and received during the scan
nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.weibo.com
# 14: display the network interface and routing information of this machine
nmap --iflist
# 15: scan a specified port
Basic syntax: nmap -p [port] hostName
## Scan port 80 ##
nmap -p 80 192.168.1.1
## Scan TCP port 80 ##
nmap -p T:80 192.168.1.1
## Scan UDP port 53 ##
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan a continuous port range ##
nmap -p 80-200 192.168.1.1
## Combined commands ##
nmap -p U:53,111,137,T:21-25,80,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,8080 server1.weibo.com
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,8080 192.168.1.254
## Scan all ports ##
nmap -p "*" 192.168.1.1
## Scan the list of the most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1
# 16: scan open ports very quickly
nmap -T5 192.168.10.
# 17: detect only the operating system of the remote host
nmap -O 192.168.1.1
nmap -O --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1
# 18: detect the software version number of the remote port daemon
nmap -sV 192.168.1.1
# 19: probe the open ports of the target host; you can specify a comma-separated list of ports (such as -PS22,23,25,80)
nmap -PS 192.168.10.1
# 20: scan hosts with special IP protocol
This uses special IP packets to find the host. If you do not specify a protocol, nmap sends packets with protocol IDs 1 (ICMP), 2 (IGMP) and 4 (IP-in-IP) in an attempt to find the host, and then continues scanning.
nmap -PO 192.168.1.1
# 21: probe UDP ping
nmap -PU 192.168.1.1
nmap -PU2000,2001 192.168.1.1
# 22: find the most commonly used TCP ports with a TCP SYN scan
### Stealthy scan ###
nmap -sS 192.168.1.1
### Find out the most commonly used TCP ports using TCP connect scan (warning: no stealth scan) ###
### OS Fingerprinting ###
nmap -sT 192.168.1.1
### Find out the most commonly used TCP ports using TCP ACK scan ###
nmap -sA 192.168.1.1
### Find out the most commonly used TCP ports using TCP Window scan ###
nmap -sW 192.168.1.1
### Find out the most commonly used TCP ports using TCP Maimon scan ###
nmap -sM 192.168.1.1
# 23: use UDP to scan the host port
nmap -sU nas03
nmap -sU -p 161 192.168.1.1
# 24: specify the IP protocol type to scan the target host
For a list of IP protocol numbers, see Wikipedia: https://zh.wikipedia.org/wiki/IP%E5%8D%8F%E8%AE%AE%E5%8F%B7%E5%88%97%E8%A1%A8
nmap -sO -p 1 192.168.10.1
# 25: scan for security vulnerabilities in the firewall
## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254
## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254
## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254
# 26: scan a firewall with fragmented packets
nmap -f 192.168.1.1
nmap -f fw2.nixcraft.net.in
nmap -f 15 fw2.nixcraft.net.in
## Set your own offset size with the --mtu option ##
nmap --mtu 32 192.168.1.1
# 27: cloak a scan with decoys (see the man page for details)
nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5
# 28: scan a firewall with MAC address spoofing
### Spoof your MAC address ###
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
### Use a random MAC address ###
### The number 0 means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1
# 29: save output to file
nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1
# 30: zenmap, a GUI tool for nmap
Mark: http://www.lijyyh.com/2012/03/nmap-using-nmap-security-scanner.html