nmap
看到一個挺不錯的網址, 列出了一些經常使用命令的語法, 這裏參考 https://www.hackfun.org/kali-tools/kali-tools-zh.htmlhtml
nmap包說明
NMAP(「網絡映射」)是一個自由和開放源碼(許可證)工具進行網絡發現和安全審計。許多系統和網絡管理員也以爲有用,如網絡庫存,管理服務升級計劃和監控主機或服務的正常運行時間的任務。 NMAP使用原始IP包以新穎的方式來肯定哪些主機是在網絡上可用,這些主機正在提供什麼樣的服務(應用程序的名稱和版本),什麼操做系統(和OS版本),它們都在運行,什麼類型的分組過濾器/防火牆在使用中,和許多其餘特性。它的目的是快速掃描大型網絡,但能正常工做對單個主機。 Nmap的運行在全部主要計算機操做系統,和官方的二進制軟件包可用於Linux,Windows和Mac OS X的除了經典的命令行Nmap的可執行文件,nmap的套件包括一個先進的GUI和結果瀏覽器(Zenmap)一種靈活的數據傳送,重定向和調試工具(NCAT),用於比較掃描結果(Ndiff)的實用程序,而且一個分組產生和響應分析工具(Nping)。node
Nmap的被評爲「年度安全產品」,由Linux雜誌,信息世界,LinuxQuestions.Org和Codetalker摘要。有人甚至功能十二電影,包括重裝上陣,虎膽龍威4,女孩龍紋身,和諜影重重。git
Nmap是比較合適?
- 靈活:支持數十臺先進的技術映射出網絡充滿了IP過濾,防火牆,路由器和其餘障礙。這包括許多端口掃描機制(包括TCP和UDP),操做系統檢測,版本檢測,ping掃描,等等。請參閱文檔頁面。
- 功能強大:Nmap的已被用來掃描字面上機數十萬龐大的網絡。
- 便攜性:大多數操做系統都支持,包括Linux,微軟的Windows,FreeBSD下,OpenBSD系統,Solaris和IRIX,Mac OS X中,HP-UX,NetBSD的,SUN OS,Amiga的,等等。
- 很簡單:雖然Nmap的提供了一套豐富的先進功能的電力用戶,你能夠開始做爲簡稱爲「NMAP -v -A targethost」。這兩種傳統的命令行和圖形(GUI)版本可供選擇,以知足您的喜愛。二進制文件是爲那些誰不但願從源代碼編譯的Nmap。
- 免費:在Nmap的項目的主要目標是幫助使互聯網更安全一點,併爲管理員提供/審計/黑客探索他們的網絡的先進工具。 NMAP是能夠免費下載,而且還配備了完整的源代碼,你能夠修改,並根據許可協議的條款從新分發。
- 有據可查:重大努力已投入全面和最新的手冊頁,白皮書,教程,甚至一整本書!發現他們在這裏多國語言。
- 支持:雖然Nmap的同時沒有擔保,這是深受開發者和用戶一個充滿活力的社區提供支持。大多數這種相互做用發生在Nmap的郵件列表。大多數的bug報告和問題應該發送到NMAP-dev郵件列表,但你讀的指引以後。咱們建議全部用戶訂閱低流量的nmap-黑客公佈名單。您還能夠找到的Nmap在Facebook和Twitter。對於即時聊天,加入Freenode上或鏈接到efnet的#nmap通道。
- 好評:Nmap的贏得了無數獎項,包括「信息安全產品獎」,由Linux雜誌,信息世界和Codetalker文摘。它已被刊登在數以百計的雜誌文章,幾部電影,幾十本書,一本漫畫書系列。訪問進一步的細節新聞頁面。
- 熱門:成千上萬的人下載Nmap的每一天,它包含許多操做系統(紅帽Linux,Debian的Linux中,Gentoo的,FreeBSD下,OpenBSD的,等等)。它是在Freshmeat.Net庫的前十名(總分30000)方案之間。這是很重要的,由於它的Nmap借給其充滿活力的發展和用戶的支持羣體。
資料來源:http://nmap.org/
Nmap的首頁 | 卡利Nmap的回購web
做者:陀
許可:GPL第二版瀏覽器
包含在nmap包工具
nping - 網絡數據包生成工具/ Ping實用程序安全
root@kali:~# nping -h
Nping 0.6.40 ( http://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}
TARGET SPECIFICATION:
Targets may be specified as hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.*.1-24
PROBE MODES:
--tcp-connect : Unprivileged TCP connect probe mode.
--tcp : TCP probe mode.
--udp : UDP probe mode.
--icmp : ICMP probe mode.
--arp : ARP/RARP probe mode.
--tr, --traceroute : Traceroute mode (can only be used with
TCP/UDP/ICMP modes).
TCP CONNECT MODE:
-p, --dest-port <port spec> : Set destination port(s).
-g, --source-port <portnumber> : Try to use a custom source port.
TCP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--seq <seqnumber> : Set sequence number.
--flags <flag list> : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
--ack <acknumber> : Set ACK number.
--win <size> : Set window size.
--badsum : Use a random invalid checksum.
UDP PROBE MODE:
-g, --source-port <portnumber> : Set source port.
-p, --dest-port <port spec> : Set destination port(s).
--badsum : Use a random invalid checksum.
ICMP PROBE MODE:
--icmp-type <type> : ICMP type.
--icmp-code <code> : ICMP code.
--icmp-id <id> : Set identifier.
--icmp-seq <n> : Set sequence number.
--icmp-redirect-addr <addr> : Set redirect address.
--icmp-param-pointer <pnt> : Set parameter problem pointer.
--icmp-advert-lifetime <time> : Set router advertisement lifetime.
--icmp-advert-entry <IP,pref> : Add router advertisement entry.
--icmp-orig-time <timestamp> : Set originate timestamp.
--icmp-recv-time <timestamp> : Set receive timestamp.
--icmp-trans-time <timestamp> : Set transmit timestamp.
ARP/RARP PROBE MODE:
--arp-type <type> : Type: ARP, ARP-reply, RARP, RARP-reply.
--arp-sender-mac <mac> : Set sender MAC address.
--arp-sender-ip <addr> : Set sender IP address.
--arp-target-mac <mac> : Set target MAC address.
--arp-target-ip <addr> : Set target IP address.
IPv4 OPTIONS:
-S, --source-ip : Set source IP address.
--dest-ip <addr> : Set destination IP address (used as an
alternative to {target specification} ).
--tos <tos> : Set type of service field (8bits).
--id <id> : Set identification field (16 bits).
--df : Set Don't Fragment flag.
--mf : Set More Fragments flag.
--ttl <hops> : Set time to live [0-255].
--badsum-ip : Use a random invalid checksum.
--ip-options <S|R [route]|L [route]|T|U ...> : Set IP options
--ip-options <hex string> : Set IP options
--mtu <size> : Set MTU. Packets get fragmented if MTU is
small enough.
IPv6 OPTIONS:
-6, --IPv6 : Use IP version 6.
--dest-ip : Set destination IP address (used as an
alternative to {target specification}).
--hop-limit : Set hop limit (same as IPv4 TTL).
--traffic-class <class> : : Set traffic class.
--flow <label> : Set flow label.
ETHERNET OPTIONS:
--dest-mac <mac> : Set destination mac address. (Disables
ARP resolution)
--source-mac <mac> : Set source MAC address.
--ether-type <type> : Set EtherType value.
PAYLOAD OPTIONS:
--data <hex string> : Include a custom payload.
--data-string <text> : Include a custom ASCII text.
--data-length <len> : Include len random bytes as payload.
ECHO CLIENT/SERVER:
--echo-client <passphrase> : Run Nping in client mode.
--echo-server <passphrase> : Run Nping in server mode.
--echo-port <port> : Use custom <port> to listen or connect.
--no-crypto : Disable encryption and authentication.
--once : Stop the server after one connection.
--safe-payloads : Erase application data in echoed packets.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m, 0.25h).
--delay <time> : Adjust delay between probes.
--rate <rate> : Send num packets per second.
MISC:
-h, --help : Display help information.
-V, --version : Display current version number.
-c, --count <n> : Stop after <n> rounds.
-e, --interface <name> : Use supplied network interface.
-H, --hide-sent : Do not display sent packets.
-N, --no-capture : Do not try to capture replies.
--privileged : Assume user is fully privileged.
--unprivileged : Assume user lacks raw socket privileges.
--send-eth : Send packets at the raw Ethernet layer.
--send-ip : Send packets using raw IP sockets.
--bpf-filter <filter spec> : Specify custom BPF filter.
OUTPUT:
-v : Increment verbosity level by one.
-v[level] : Set verbosity level. E.g: -v4
-d : Increment debugging level by one.
-d[level] : Set debugging level. E.g: -d3
-q : Decrease verbosity level by one.
-q[N] : Decrease verbosity level N times
--quiet : Set verbosity and debug level to minimum.
--debug : Set verbosity and debug to the max level.
EXAMPLES:
nping scanme.nmap.org
nping --tcp -p 80 --flags rst --ttl 2 192.168.1.1
nping --icmp --icmp-type time --delay 500ms 192.168.254.254
nping --echo-server "public" -e wlan0 -vvv
nping --echo-client "public" echo.nmap.org --tcp -p1-1024 --flags ack
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
ndiff - 實用工具來比較的Nmap掃描結果
root@kali:~# ndiff -h Usage: /usr/bin/ndiff [option] FILE1 FILE2 Compare two Nmap XML files and display a list of their differences. Differences include host state changes, port state changes, and changes to service and OS detection. -h, --help display this help -v, --verbose also show hosts and ports that haven't changed. --text display output in text format (default) --xml display output in XML format
NCAT - 串聯並重定向插座
root@kali:~# ncat -h
Ncat 6.40 ( http://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]
Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
-4 Use IPv4 only
-6 Use IPv6 only
-U, --unixsock Use Unix domain sockets only
-C, --crlf Use CRLF for EOL sequence
-c, --sh-exec <command> Executes the given command via /bin/sh
-e, --exec <command> Executes the given command
--lua-exec <filename> Executes the given Lua script
-g hop1[,hop2,...] Loose source routing hop points (8 max)
-G <n> Loose source routing hop pointer (4, 8, 12, ...)
-m, --max-conns <n> Maximum <n> simultaneous connections
-h, --help Display this help screen
-d, --delay <time> Wait between read/writes
-o, --output <filename> Dump session data to a file
-x, --hex-dump <filename> Dump session data as hex to a file
-i, --idle-timeout <time> Idle read/write timeout
-p, --source-port port Specify source port to use
-s, --source addr Specify source address to use (doesn't affect -l)
-l, --listen Bind and listen for incoming connections
-k, --keep-open Accept multiple connections in listen mode
-n, --nodns Do not resolve hostnames via DNS
-t, --telnet Answer Telnet negotiations
-u, --udp Use UDP instead of default TCP
--sctp Use SCTP instead of default TCP
-v, --verbose Set verbosity level (can be used several times)
-w, --wait <time> Connect timeout
--append-output Append rather than clobber specified output files
--send-only Only send data, ignoring received; quit on EOF
--recv-only Only receive data, never send anything
--allow Allow only given hosts to connect to Ncat
--allowfile A file of hosts allowed to connect to Ncat
--deny Deny given hosts from connecting to Ncat
--denyfile A file of hosts denied from connecting to Ncat
--broker Enable Ncat's connection brokering mode
--chat Start a simple Ncat chat server
--proxy <addr[:port]> Specify address of host to proxy through
--proxy-type <type> Specify proxy type ("http" or "socks4")
--proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server
--ssl Connect or listen with SSL
--ssl-cert Specify SSL certificate file (PEM) for listening
--ssl-key Specify SSL private key (PEM) for listening
--ssl-verify Verify trust and domain name of certificates
--ssl-trustfile PEM file containing trusted SSL certificates
--version Display Ncat's version information and exit
See the ncat(1) manpage for full options, descriptions and usage examples
NMAP - 網絡映射
root@kali:~# nmap -h
Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma separted list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
NMAP用法示例
在掃描詳細模式(-v),啓用操做系統檢測,版本檢測,腳本掃描,和traceroute(-A),版本檢測(-sV)針對目標IP(192.168.1.1):bash
root@kali:~# nmap -v -A -sV 192.168.1.1 Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT NSE: Loaded 118 scripts for scanning. NSE: Script Pre-scanning. Initiating ARP Ping Scan at 18:40 Scanning 192.168.1.1 [1 port] Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:40 Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed Initiating SYN Stealth Scan at 18:40 Scanning router.localdomain (192.168.1.1) [1000 ports] Discovered open port 53/tcp on 192.168.1.1 Discovered open port 22/tcp on 192.168.1.1 Discovered open port 80/tcp on 192.168.1.1 Discovered open port 3001/tcp on 192.168.1.1
nping用法示例
使用TCP 模式(-tcp)使用SYN標誌探測端口22(-p 22)(-flags SYN)與2(TTL電2)在遠程主機上的TTL(192.168.1.1):網絡
ndiff用法示例
對比昨天的端口掃描(yesterday.xml)自即日起掃描(today.xml):session
root@kali:~# ndiff yesterday.xml today.xml -Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml 192.168.1.1 +Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml 192.168.1.1 endian.localdomain (192.168.1.1, 00:01:6C:6F:DD:D1): -Not shown: 96 filtered ports +Not shown: 97 filtered ports PORT STATE SERVICE VERSION -22/tcp open ssh
NCAT用法示例
要詳細(-v),能夠運行/ bin / bash的鏈接上(-exec「/斌/慶典」),只容許1個IP地址(-ALLOW 192.168.1.123),監聽TCP端口4444(-l 4444)上,並讓聽衆開上斷開(-keep開):app
root@kali:~# ncat -v --exec "/bin/bash" --allow 192.168.1.123 -l 4444 --keep-open Ncat: Version 6.45 ( http://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 192.168.1.123. Ncat: Connection from 192.168.1.123:39501. Ncat: Connection from 192.168.1.15. Ncat: Connection from 192.168.1.15:60393. Ncat: New connection denied: not allowed
相關文章
- 1. nmap -- write a nmap script
- 2. nmap
- 3. NMAP
- 4. Nmap
- 5. Linux-nmap
- 6. nmap===nmap掃描參考指南
- 7. Nmap-09:可視化Nmap的使用
- 8. Nmap-08:Nmap對比掃描結果ndiff
- 9. nmap簡介
- 10. Cheat Sheet of Nmap
- 更多相關文章...
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. nmap -- write a nmap script
- 2. nmap
- 3. NMAP
- 4. Nmap
- 5. Linux-nmap
- 6. nmap===nmap掃描參考指南
- 7. Nmap-09:可視化Nmap的使用
- 8. Nmap-08:Nmap對比掃描結果ndiff
- 9. nmap簡介
- 10. Cheat Sheet of Nmap