Nmap collation and collection

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Nmap usage

Nmap is a host scanning tool; its graphical interface is Zenmap, and its distributed framework is Dnmap.

Nmap can accomplish the following tasks:

Host detection

Port scan

Version detection

Operating system detection

Support for writing probe scripts

The practical applications of Nmap are as follows:

Audit the security of a device or firewall by probing it

Probe the ports opened by the target host

Audit the security of the network by identifying new servers

Detect hosts on the network

The common ports are as follows

HTTP 80

HTTPS 443

Telnet 23

FTP 21

SSH 22

SMTP 25

POP3 110

WebLogic 7001

TOMCAT 8080

Remote login 3389

Oracle Database 1521

MS SQL Server 1433

MySQL 3306

1. Nmap simple scan

nmap 192.168.120.116

2. Nmap simple scan with detailed output of the results

nmap -vv 192.168.120.116

3. Nmap custom port scan

nmap -p21,443,22 192.168.120.116 (specify discontiguous ports)

nmap -p100-200 192.168.120.116 (specify contiguous ports)

4. Nmap ping scan (a convenient way to find the live hosts on a network segment)

nmap -sP 192.168.120.0/24

5. Nmap route tracing

nmap --traceroute 192.168.120.116

6. Nmap operating system type detection

nmap -O 192.168.120.116

7. Nmap comprehensive scan (including port scan, operating system scan, script scan, route trace, service probe)

nmap -A 192.168.120.116

8. Nmap mixed scan

nmap -vv -p1-200 -O 192.168.120.116

9. Half-open scan (fast and efficient, generally used when there are many IPs)

nmap -sS 192.168.0.0/16

10. Scan without ping (for use when ping is blocked by the firewall)

nmap -P0 192.168.120.116

11. Parameter introduction

nmap -e specifies the network interface

nmap -v detailed output

nmap -p specifies the ports

nmap -iR network scan (randomly chosen targets)

nmap -iL scans the IPs listed in a file

nmap --exclude leaves the given IPs out of the scan

nmap -P0 some hosts turn off ping detection, so use this option to skip ping detection and speed up scanning.

nmap -PS port (TCP SYN ping)

nmap -PU port (UDP ping)

nmap -Pn skips ping-based host discovery and assumes that the host is up

nmap -sn ping scan with port scanning explicitly turned off; used for host discovery, returns the IP and MAC of hosts that are up

nmap -sA sends an ACK packet to a port of the target host; if a RST packet comes back, the port is not filtered by a firewall. This method can only be used to determine whether a firewall is blocking a port.

nmap -sS SYN scan, which does not need to complete the three-way handshake (stealth scan)

nmap -sT scans for open TCP ports; this TCP scan requires the full three-way handshake

nmap -sU scans UDP ports

nmap -sF FIN scan, used to detect the state of the firewall and identify whether a port is closed; results are easily missed

nmap -sV detects the services and software versions on the target host's ports

nmap -sO probes which IP protocols the host supports

nmap -sW window scan to get some port information

nmap -sP sends ICMP messages to the hosts on the given network segment to find out which hosts are alive

nmap -O remotely detects the operating system and software

nmap -O --osscan-guess guesses the target operating system version

nmap --traceroute route trace

nmap -A comprehensive scan, including 1-10000 port ping scan, operating system scan, script scan, route trace, service probe

nmap -oN result.txt writes the normal output to the specified file

nmap -oX result.xml writes the output in XML format

nmap -oS result.txt writes the output using special symbols; the content is the same as -oN, only the characters are changed.

nmap -oG result.txt writes the output in a special (grepable) format

nmap -oA writes all formats at once, producing three files: .xml / .gnmap / .nmap

nmap -T[0-5] timing template

-T0 used to evade IDS; takes a long time

-T1 used to evade IDS; takes a long time

-T2 reduces the scanning speed and uses less bandwidth and fewer target host resources

-T3 default mode, not optimized

-T4 speeds up scanning of the target machine, on the assumption that the user has a suitable and reliable network

-T5 assumes that the user has an even better network or is willing to trade accuracy for scanning speed

nmap -sC automatically runs the default scripts for the services identified on each port
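An added example (not part of the original article) that ties the -oX output format above to the auditing use mentioned earlier, identifying new servers and unexpected open ports: it parses a scan result and compares it with a baseline. The sample XML is constructed, and BASELINE and the function names open_ports and audit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout written by `nmap -oX result.xml`
# (trimmed to the elements this example reads).
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/><address addr="192.168.120.116" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.168.120.200" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="8080"><state state="open"/></port>
 </ports></host>
 <host><status state="down"/><address addr="192.168.120.7" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical baseline: the ports each known host is approved to expose.
BASELINE = {"192.168.120.116": {22, 443}}

def open_ports(xml_text):
    """Return {ip: {port: service}} for hosts that are up (open ports only)."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status[@state='up']") is None:
            continue  # skip hosts reported as down
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue  # only a MAC address was recorded
        ports = {}
        for port in host.iter("port"):
            if port.find("state[@state='open']") is not None:
                svc = port.find("service")  # absent when no service was identified
                ports[int(port.get("portid"))] = svc.get("name") if svc is not None else "unknown"
        hosts[ip] = ports
    return hosts

def audit(xml_text, baseline):
    """List (ip, finding, ports) for new hosts and unapproved open ports."""
    findings = []
    for ip, ports in sorted(open_ports(xml_text).items()):
        if ip not in baseline:
            findings.append((ip, "new host", sorted(ports)))
        elif set(ports) - baseline[ip]:
            findings.append((ip, "unapproved ports", sorted(set(ports) - baseline[ip])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XML, BASELINE):
        print(finding)
```

Closed ports and hosts that are down are ignored, so only reachable services count against the baseline.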

nmap --script

Nmap scans by script

Nmap scripts are mainly divided into the following categories; when scanning, set --script=<category> as needed to run the scripts of that category:

auth: scripts that handle authentication credentials (bypassing authentication)

broadcast: probes for more services on the LAN, such as dhcp/dns/sqlserver

brute: provides brute-force methods for common applications such as http/snmp

default: the default scripts used when scanning with the -sC or -A options, providing basic script scanning capabilities

discovery: gathers more information about the network, such as SMB enumeration and SNMP queries

dos: used for denial-of-service attacks

exploit: exploits known vulnerabilities in the target system

external: uses third-party databases or resources, such as whois lookups

fuzzer: fuzz-testing scripts that send abnormal packets to the target machine to detect potential vulnerabilities

intrusive: intrusive scripts that may be logged or blocked by the target's IDS/IPS

malware: detects whether the target machine is infected with a virus, has a backdoor open, and similar information

safe: the opposite of intrusive; scripts that are considered safe

version: scripts that enhance service and version detection (Version Detection)

vuln: checks whether the target machine has common vulnerabilities (Vulnerability), such as MS08_067

nmap --script=broadcast-netbios-master-browser 192.168.137.4 (discover the gateway)

nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.137.4 (rsync cracking)

nmap --script informix-brute -p 9088 192.168.137.4 (informix database cracking)

nmap -p 5432 --script pgsql-brute 192.168.137.4 (pgsql cracking)

nmap -sU --script snmp-brute 192.168.137.4 (snmp cracking)

nmap -sV --script=telnet-brute 192.168.137.4 (telnet cracking)

nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path2/,/path3/}' (jboss autopwn)

nmap --script=http-methods.nse 192.168.137.4 (check the HTTP methods)

nmap --script http-slowloris --max-parallelism 400 192.168.137.4 (DoS attack, quite effective against sites with low processing capacity; 'half-HTTP' connections)

nmap --script=samba-vuln-cve-2012-1182 -p 139 192.168.137.4

Oracle SID scanning

nmap --script=oracle-sid-brute -p 1521-1560 192.168.137.5

Oracle weak password cracking

nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 192.168.137.5

List all MySQL users

nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 192.168.137.4

nmap --script=mysql-* 192.168.137.4

Scan for an empty root password

nmap -p3306 --script=mysql-empty-password.nse 192.168.137.4

Guess the MSSQL username and password

nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4

System information

nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=test,smbpass=test 192.168.137.4

View sessions

nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=test,smbpass=test 192.168.137.4

View shared directories

nmap -p 445 --script smb-ls --script-args 'share=e$,path=\,smbuser=test,smbpass=test' 192.168.137.4

VNC scan:

nmap --script=realvnc-auth-bypass 192.168.137.4

Check the VNC authentication method

nmap --script=vnc-auth 192.168.137.4

Get VNC information

nmap --script=vnc-info 192.168.137.4

SMB cracking

nmap --script=smb-brute.nse 192.168.137.4

SMB dictionary cracking

nmap --script=smb-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4
