Chapter 2 Nmap Host Discovery

What this chapter covers

This chapter introduces the basic usage of Nmap and its official graphical front end, Zenmap. The scan types covered here are the foundation of every Nmap scan; a solid grasp of them makes the later scanning techniques much easier to follow.

Options used in this chapter

Table 2.1 lists the Nmap options used in this chapter for easy reference.

Table 2.1 Options used in this chapter

Option          Description
-sP             Ping scan (older spelling of -sn; current Nmap accepts both)
-P0             No-ping scan, skip host discovery (older spelling of -Pn; the second character is the digit zero)
-PS             TCP SYN ping
-PA             TCP ACK ping
-PU             UDP ping
-PE; -PP; -PM   ICMP ping types (echo, timestamp, address mask)
-PR             ARP ping
-n              Never do reverse DNS resolution
-R              Always do reverse DNS resolution
--system-dns    Use the system DNS resolver
-sL             List scan
-6              Scan IPv6 addresses
--traceroute    Trace the route to each host
-PY             SCTP INIT ping

The basic scan works against an IP address or a host name. It is quick and shows both whether the host is up and which of its ports are open: with no other options Nmap runs host discovery and then (as root) a SYN scan of the 1,000 most common TCP ports. The following run is a basic scan against a single host.

root@Wing:~# nmap 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 18:36 CST
Nmap scan report for 192.168.126.131
Host is up (0.00035s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
root@Wing:~# 


The open ports are easy to pick out from this output, and the SERVICE column next to each port gives the service name Nmap associates with that port number (a lookup in its nmap-services table, not the result of probing the service itself). Later chapters cover port and service scanning in detail.

Zenmap is the official graphical user interface for Nmap. It is a cross-platform, open-source application that is convenient for beginners while still offering advanced users plenty of features: frequently used scans can be saved as profiles and run again, a command-line field gives direct access to Nmap's own syntax, scan results can be stored for later review, and saved scans can be compared with one another to show what changed.

Figure 2.1 shows the Zenmap window; it opens and runs the same way on Linux and Mac OS.

▲ Figure 2.1 The Zenmap interface

As Figure 2.2 shows, you type an Nmap command into the Command field exactly as you would at a shell prompt. After a moment the scan results appear in the output area below.

▲ Figure 2.2 Zenmap scan results

As Figure 2.3 shows, the Ports/Hosts tab lists the open ports in detail. Zenmap also offers a number of convenient shortcuts, which later chapters describe.

▲ Figure 2.3 Viewing the target's open ports

Table 2.2 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the ping scan.

Table 2.2 Option for this section: -sP, ping scan (the remaining rows are identical to Table 2.1)

Among Nmap's many scan types is the ping scan, which performs host discovery only and then lists the hosts that responded. Adding -sP enables it (current releases spell the same scan -sn; -sP is still accepted as an alias). Because no port scan follows, a ping scan sends far fewer packets than a full scan and finishes quickly, which makes it a good first pass over a network; it is still perfectly visible to any sensor watching the wire, so do not mistake it for a covert technique. By default, when run as root against targets that are not on the local Ethernet segment, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; for targets on the local segment it uses ARP requests instead, which is why the output below carries MAC addresses. The ping scan's advantage is that it returns just what is needed to build a list of live hosts, without the noise of a port table.

root@Wing:~# nmap -sP 192.168.126.131/24

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:09 CST
Nmap scan report for 192.168.126.1   # the host being reported is 192.168.126.1
Host is up (0.0011s latency).      # the host is alive
MAC Address: 00:50:56:C0:00:08 (VMware)   # its MAC address is 00:50:56:C0:00:08
Nmap scan report for 192.168.126.2
Host is up (0.00029s latency).
MAC Address: 00:50:56:F1:06:20 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00018s latency).
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.126.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:E2:56:FB (VMware)
Nmap scan report for 192.168.126.130
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.59 seconds
root@Wing:~# 


 

Host discovery is not unique to Nmap: from a Windows command prompt or a Linux shell, the simplest form is the ping command itself, ping <target>, which sends only ICMP echo requests and therefore finds nothing behind a host that drops ICMP. Note also that the last entry above, 192.168.126.130, reads "Host is up." with no latency and no MAC address: that is how Nmap reports an address belonging to the scanning machine itself, which it does not probe.
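The ping-scan output above is the raw material for an inventory of live hosts. As an added example (not code from the original chapter and not part of Nmap), the following Python parses that normal-output format into host records, tolerating the annotated lines and the two edge cases visible above: the scanner's own address (no latency, no MAC) and a "[host down]" report as printed with -v. The sample text is constructed from the run above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Report lines as printed by nmap -sn / -sP (normal output).
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip2>[\d.]+)\)|(?P<ip>[\d.]+))$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<vendor>[^)]*)\))?$")


@dataclass
class Host:
    ip: str
    hostname: Optional[str] = None
    latency_s: Optional[float] = None   # None for the scanner itself, which Nmap lists without probing
    mac: Optional[str] = None           # only filled for hosts on the local segment (ARP discovery)
    vendor: Optional[str] = None


def parse_discovery(text: str) -> List[Host]:
    """Hosts reported up in nmap -sn / -sP normal output, in report order."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate the annotated output style used in the chapter
        if m := REPORT_RE.match(line):
            current = Host(ip=m.group("ip") or m.group("ip2"), hostname=m.group("name"))
        elif (m := UP_RE.match(line)) and current:
            current.latency_s = float(m.group("lat")) if m.group("lat") else None
            hosts.append(current)
        elif (m := MAC_RE.match(line)) and current:
            current.mac, current.vendor = m.group("mac"), m.group("vendor")
        elif line.startswith("Nmap scan report for"):
            current = None  # a "[host down]" report (printed with -v) carries no live host
    return hosts


def local_segment(hosts: List[Host]) -> List[Host]:
    """Hosts that answered ARP, i.e. hosts on the scanner's own Ethernet segment."""
    return [h for h in hosts if h.mac]


# Constructed sample, assembled from the ping-scan output shown above.
SAMPLE = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:09 CST
Nmap scan report for 192.168.126.1   # the host being reported
Host is up (0.0011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.131
Host is up (0.00018s latency).
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap scan report for 192.168.22.22 [host down]
Nmap scan report for 192.168.126.130
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 1.59 seconds
"""

if __name__ == "__main__":
    for h in parse_discovery(SAMPLE):
        print(h)
```

Hosts without a MAC address are either the scanner itself or reachable only through a router; a record with a MAC is definitely on the same segment, which matters when you later decide which discovery probes to trust.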

Table 2.3 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the no-ping scan.

Table 2.3 Option for this section: -P0, no-ping scan (the remaining rows are identical to Table 2.1)

The no-ping scan is used when a firewall blocks ping, and it lets you examine a host that host discovery would otherwise write off as down. By default Nmap only performs its more intensive work (port scanning, version detection, OS detection) against hosts it has found to be up. Disabling host discovery with -P0 makes Nmap run the requested scan against every target IP address whether or not it answered a probe, so hosts that silently drop discovery probes still get scanned. It does not make the scan stealthier; on the contrary, every address receives the full scan, so it is noisier than discovery followed by a scan, and against large ranges of unused addresses it is also much slower. Note that the second character of -P0 is the digit zero, not the letter O; current releases spell the option -Pn, and Nmap itself suggests -Pn in its "Host seems down" message. The similar-looking -PO (capital letter O) is a different option, the IP protocol ping, which takes a list of protocol numbers: nmap -PO<proto1,proto2> <target>.

root@Wing:~# nmap -P0 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 19:17 CST
Nmap scan report for 192.168.126.131
Host is up (0.0044s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
root@Wing:~# 


The protocol list belongs to -PO (letter O), the IP protocol ping: if no protocols are given it sends raw IP packets with protocol 1 (ICMP), protocol 2 (IGMP) and protocol 4 (IP-in-IP). To see exactly which probes Nmap sends to decide whether a host is alive, add --packet-trace. Note that the command below uses lowercase -p0, which is a port specification (scan TCP port 0), not a host-discovery option, so what the trace shows is Nmap's default host discovery followed by a single SYN to port 0.

root@Wing:~# nmap -p0 --packet-trace scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:34 CST
SENT (0.4843s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=930 seq=0] IP [ttl=44 id=52743 iplen=28 ]
SENT (0.4847s) TCP 192.168.239.128:54907 > 45.33.32.156:443 S ttl=50 id=42216 iplen=44 seq=2415939166 win=1024 <mss 1460>
SENT (0.4853s) TCP 192.168.239.128:54907 > 45.33.32.156:80 A ttl=41 id=52925 iplen=40 seq=0 win=1024 
SENT (0.4855s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=32160 seq=0 orig=0 recv=0 trans=0] IP [ttl=54 id=27234 iplen=40 ]
RCVD (0.4864s) TCP 45.33.32.156:80 > 192.168.239.128:54907 R ttl=128 id=34681 iplen=40 seq=2415939166 win=32767 
NSOCK INFO [0.4880s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.4880s] nsock_connect_udp(): UDP connection requested to 192.168.239.2:53 (IOD #1) EID 8
NSOCK INFO [0.4880s] nsock_read(): Read request from IOD #1 [192.168.239.2:53] (timeout: -1ms) EID 18
NSOCK INFO [0.4880s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.239.2:53]
NSOCK INFO [0.4880s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.239.2:53]
NSOCK INFO [0.8940s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.239.2:53] (85 bytes)
NSOCK INFO [0.8940s] nsock_read(): Read request from IOD #1 [192.168.239.2:53] (timeout: -1ms) EID 34
NSOCK INFO [0.8940s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.8940s] msevent_cancel(): msevent_cancel on event #34 (type READ)
SENT (0.8946s) TCP 192.168.239.128:55163 > 45.33.32.156:0 S ttl=51 id=39619 iplen=44 seq=1637668556 win=1024 <mss 1460>
RCVD (0.8966s) TCP 45.33.32.156:0 > 192.168.239.128:55163 RA ttl=128 id=34684 iplen=40 seq=1398889074 win=64240 
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0015s latency).
rDNS record for 45.33.32.156: li982-156.members.linode.com
PORT STATE SERVICE
0/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
root@Wing:~#


The trace shows four lines marked SENT before any reply arrives: two ICMP messages and two TCP segments. These are Nmap's default host-discovery probes for a privileged user scanning a non-local target, namely an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request:

SENT (0.4843s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=930 seq=0] IP [ttl=44 id=52743 iplen=28 ]
SENT (0.4847s) TCP 192.168.239.128:54907 > 45.33.32.156:443 S ttl=50 id=42216 iplen=44 seq=2415939166 win=1024 <mss 1460>
SENT (0.4853s) TCP 192.168.239.128:54907 > 45.33.32.156:80 A ttl=41 id=52925 iplen=40 seq=0 win=1024 
SENT (0.4855s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=32160 seq=0 orig=0 recv=0 trans=0] IP [ttl=54 id=27234 iplen=40 ]

The only reply (RCVD) to those four is a TCP RST from port 80, which answers the ACK probe: any live TCP stack rejects an unsolicited ACK with a RST, so that single packet is enough for Nmap to mark the host as up. The NSOCK lines that follow are the reverse-DNS lookup, and the final SYN to port 0 is the port scan requested by -p0. The discovery probes can also be chosen by hand with -PO, which sends raw IP packets of the given protocol numbers. The protocol numbers are:

(1) TCP: protocol number 6.

(2) ICMP: protocol number 1.

(3) IGMP: protocol number 2.

(4) UDP: protocol number 17.

The intention of the next run was to probe with TCP, UDP and IGMP, which would be nmap -PO6,17,2 --packet-trace scanme.nmap.org. The command as typed uses lowercase -p, so Nmap reads 6,17,2 as a TCP port list instead: the trace again shows the four default discovery probes (this time the ICMP echo reply also comes back), and then SYN packets to TCP ports 6, 17 and 2, which the report lists as filtered.

root@Wing:~# nmap -p06,17,2 --packet-trace scanme.nmap.org

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:42 CST
SENT (0.0647s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=28812 seq=0] IP [ttl=51 id=19372 iplen=28 ]
SENT (0.0649s) TCP 192.168.239.128:49262 > 45.33.32.156:443 S ttl=39 id=16459 iplen=44 seq=1786395366 win=1024 <mss 1460>
SENT (0.0651s) TCP 192.168.239.128:49262 > 45.33.32.156:80 A ttl=51 id=47484 iplen=40 seq=0 win=1024 
SENT (0.0652s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=10265 seq=0 orig=0 recv=0 trans=0] IP [ttl=57 id=64987 iplen=40 ]
RCVD (0.0660s) TCP 45.33.32.156:80 > 192.168.239.128:49262 R ttl=128 id=34698 iplen=40 seq=1786395366 win=32767 
NSOCK INFO [0.0660s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0660s] nsock_connect_udp(): UDP connection requested to 192.168.239.2:53 (IOD #1) EID 8
NSOCK INFO [0.0660s] nsock_read(): Read request from IOD #1 [192.168.239.2:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0660s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.239.2:53]
NSOCK INFO [0.0660s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.239.2:53]
NSOCK INFO [0.0770s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.239.2:53] (85 bytes)
NSOCK INFO [0.0770s] nsock_read(): Read request from IOD #1 [192.168.239.2:53] (timeout: -1ms) EID 34
NSOCK INFO [0.0770s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.0770s] msevent_cancel(): msevent_cancel on event #34 (type READ)
SENT (0.0781s) TCP 192.168.239.128:49518 > 45.33.32.156:6 S ttl=45 id=62567 iplen=44 seq=2228648245 win=1024 <mss 1460>
SENT (0.0782s) TCP 192.168.239.128:49518 > 45.33.32.156:17 S ttl=47 id=21783 iplen=44 seq=2228648245 win=1024 <mss 1460>
SENT (0.0784s) TCP 192.168.239.128:49518 > 45.33.32.156:2 S ttl=48 id=60557 iplen=44 seq=2228648245 win=1024 <mss 1460>
RCVD (0.3605s) ICMP [45.33.32.156 > 192.168.239.128 Echo reply (type=0/code=0) id=28812 seq=0] IP [ttl=128 id=34700 iplen=28 ]
SENT (1.1801s) TCP 192.168.239.128:49519 > 45.33.32.156:2 S ttl=48 id=28002 iplen=44 seq=2228713780 win=1024 <mss 1460>
SENT (1.1803s) TCP 192.168.239.128:49519 > 45.33.32.156:17 S ttl=38 id=41636 iplen=44 seq=2228713780 win=1024 <mss 1460>
SENT (1.1805s) TCP 192.168.239.128:49519 > 45.33.32.156:6 S ttl=52 id=58195 iplen=44 seq=2228713780 win=1024 <mss 1460>
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.0011s latency).
rDNS record for 45.33.32.156: li982-156.members.linode.com
PORT  STATE  SERVICE
2/tcp filtered compressnet
6/tcp filtered unknown
17/tcp filtered qotd

Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
root@Wing:~# 


 

A no-ping scan is therefore the right choice when the target drops every discovery probe, since it forces the port scan to run regardless. It does not get around the firewall's filtering of the scan itself: ports the firewall protects still show up as filtered, as the three ports above do.
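Reading a --packet-trace by eye gets tedious once there are several probes in flight. As an added example (not code from the original chapter and not part of Nmap), the following Python applies the host-discovery rules described in this section to the SENT/RCVD lines: a SYN probe is answered by SYN/ACK or RST, an ACK probe by RST, an ICMP echo, timestamp or address-mask request by the matching reply, and a UDP probe by ICMP port unreachable, while any other unreachable code is ignored (the UDP case is the one the UDP ping section later in this chapter relies on). The trace lines are copied from the run above; the UDP lines are constructed in the same layout, and the parser assumes that layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line layouts as printed by --packet-trace in the runs above.
TCP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) TCP ([\d.]+):(\d+) > ([\d.]+):(\d+) ([A-Z]+) ")
UDP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) UDP ([\d.]+):(\d+) > ([\d.]+):(\d+) ")
ICMP_RE = re.compile(r"^(SENT|RCVD) \([\d.]+s\) ICMP \[([\d.]+) > ([\d.]+) (.+?) \(type=(\d+)/code=(\d+)\)")
# ICMP request type -> (probe name, reply type that proves the host is up)
ICMP_PROBES = {8: ("icmp-echo", 0), 13: ("icmp-timestamp", 14), 17: ("icmp-mask", 18)}


@dataclass
class Probe:
    kind: str                    # icmp-echo, tcp-syn, tcp-ack, icmp-timestamp, icmp-mask, udp
    target: str
    port: Optional[int] = None
    reply: Optional[str] = None  # the reply that counted as proof of life, if any


def discovery_phase(text: str) -> List[str]:
    """Trace lines up to where discovery ends: the reverse-DNS (NSOCK) lines or the report."""
    lines = []
    for line in text.splitlines():
        if line.startswith(("NSOCK", "Nmap scan report")):
            break
        lines.append(line)
    return lines


def _pending(probes, kind, target, port=None) -> Optional[Probe]:
    """First unanswered probe of this kind to this target (any port when port is None)."""
    for p in probes:
        if p.kind == kind and p.target == target and p.reply is None and port in (None, p.port):
            return p
    return None


def classify_trace(lines: List[str]) -> List[Probe]:
    probes: List[Probe] = []
    for line in lines:
        if m := TCP_RE.match(line):
            d, a, aport, b, bport, flags = m.groups()
            if d == "SENT":
                if kind := {"S": "tcp-syn", "A": "tcp-ack"}.get(flags):
                    probes.append(Probe(kind, b, int(bport)))
                continue
            # SYN probe: SYN/ACK (open) or RST (closed) both prove a live host.
            # ACK probe: any live stack answers an unsolicited ACK with RST.
            port, p = int(aport), None
            if "R" in flags:
                p = _pending(probes, "tcp-syn", a, port) or _pending(probes, "tcp-ack", a, port)
            elif "S" in flags and "A" in flags:
                p = _pending(probes, "tcp-syn", a, port)
            if p:
                p.reply = f"TCP {flags} from port {port}"
        elif (m := UDP_RE.match(line)) and m.group(1) == "SENT":
            probes.append(Probe("udp", m.group(4), int(m.group(5))))
        elif m := ICMP_RE.match(line):
            d, a, b, desc, t, c = m.groups()
            t, c = int(t), int(c)
            if d == "SENT":
                if t in ICMP_PROBES:
                    probes.append(Probe(ICMP_PROBES[t][0], b))
                continue
            answered = [k for k, r in ICMP_PROBES.values() if r == t]
            # Port unreachable (3/3) proves the UDP probe reached a live stack; any other
            # unreachable code comes from a router or filter and proves nothing.
            if t == 3 and c == 3:
                answered.append("udp")
            for kind in answered:
                if p := _pending(probes, kind, a):
                    p.reply = f"ICMP {desc}"
    return probes


def host_up(probes: List[Probe]) -> bool:
    return any(p.reply for p in probes)


# Lines copied from the first --packet-trace run above.
TRACE = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:34 CST
SENT (0.4843s) ICMP [192.168.239.128 > 45.33.32.156 Echo request (type=8/code=0) id=930 seq=0] IP [ttl=44 id=52743 iplen=28 ]
SENT (0.4847s) TCP 192.168.239.128:54907 > 45.33.32.156:443 S ttl=50 id=42216 iplen=44 seq=2415939166 win=1024 <mss 1460>
SENT (0.4853s) TCP 192.168.239.128:54907 > 45.33.32.156:80 A ttl=41 id=52925 iplen=40 seq=0 win=1024
SENT (0.4855s) ICMP [192.168.239.128 > 45.33.32.156 Timestamp request (type=13/code=0) id=32160 seq=0 orig=0 recv=0 trans=0] IP [ttl=54 id=27234 iplen=40 ]
RCVD (0.4864s) TCP 45.33.32.156:80 > 192.168.239.128:54907 R ttl=128 id=34681 iplen=40 seq=2415939166 win=32767
NSOCK INFO [0.4880s] nsi_new2(): nsi_new (IOD #1)
SENT (0.8946s) TCP 192.168.239.128:55163 > 45.33.32.156:0 S ttl=51 id=39619 iplen=44 seq=1637668556 win=1024 <mss 1460>
RCVD (0.8966s) TCP 45.33.32.156:0 > 192.168.239.128:55163 RA ttl=128 id=34684 iplen=40 seq=1398889074 win=64240
Nmap scan report for scanme.nmap.org (45.33.32.156)
"""
# Constructed UDP-ping traces: a port unreachable from the target, and a host unreachable from a router.
UDP_UP = """\
SENT (0.0300s) UDP 192.168.121.130:40125 > 192.168.121.1:40125 ttl=48 id=1001 iplen=28
RCVD (0.0312s) ICMP [192.168.121.1 > 192.168.121.130 Port unreachable (type=3/code=3) ] IP [ttl=128 id=1002 iplen=56 ]
"""
UDP_DOWN = """\
SENT (0.0300s) UDP 192.168.121.130:40125 > 192.168.121.77:40125 ttl=48 id=1003 iplen=28
RCVD (0.0312s) ICMP [192.168.121.254 > 192.168.121.130 Host unreachable (type=3/code=1) ] IP [ttl=64 id=1004 iplen=56 ]
"""
```

The trace does not mark where discovery ends and the port scan begins, which is why discovery_phase() cuts at the reverse-DNS lines; feed it the full trace and the port-0 SYN is counted as just another SYN probe.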

Table 2.4 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the TCP SYN ping.

Table 2.4 Option for this section: -PS, TCP SYN ping (the remaining rows are identical to Table 2.1)

TCP is the connection-oriented, reliable transport protocol of the TCP/IP suite; it carries data as a byte stream. So that a server and a client can produce and consume data at different rates, each side keeps a send buffer and a receive buffer. TCP is full duplex: data flows in both directions at once, and each party can both send and receive. Every segment carries a cumulative acknowledgement number that tells the sender which byte the receiver expects next; if no acknowledgement arrives within the retransmission timeout, the segment is sent again. That is what makes TCP reliable.

-PS sends an empty TCP segment with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h), but another port can be given, and so can a comma-separated list (for example -PS22,23,25,80,115,3306,3389), in which case a probe is sent to every listed port in parallel. There is no space between -PS and the port list.

By default Nmap's host discovery (as root, against a non-local target) sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. When the target's firewall blocks those, a TCP SYN ping to a port the firewall must let through, ideally one known to be open, is a reliable way to establish that the host is alive.

root@Wing:~# nmap -PS -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:31 CST
Initiating Ping Scan at 11:31
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:31, 1.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:31
Completed Parallel DNS resolution of 1 host. at 11:31, 0.01s elapsed
Initiating SYN Stealth Scan at 11:31
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 258 out of 858 dropped probes since last increase.
Discovered open port 8000/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:32, 69.92s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.2s latency).
Not shown: 987 closed ports
PORT   STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
49152/tcp open   unknown
49153/tcp open   unknown
49155/tcp open   unknown
49165/tcp open   unknown


Nmap done: 1 IP address (1 host up) scanned in 70.99 seconds
      Raw packets sent: 1409 (61.996KB) | Rcvd: 1008 (40.605KB)
root@Wing:~# 


Nmap treats either reply to the SYN probe as proof of life: a SYN/ACK means the port is open, a RST means it is closed, and both can only come from a live host. The problem case is a firewall that silently drops the probe to the default port 80, so that neither a SYN/ACK nor a RST ever comes back and the host is wrongly reported as down. Specifying one or more ports the firewall is known to pass avoids that. One check worth making in the verbose output: the "Initiating Ping Scan ... [N port(s)]" line reports how many probes the discovery phase sent. In the run below it still says 1 port while the port-scan phase covered 102, so look at that line to confirm the ports you listed were actually used for discovery.

root@Wing:~# nmap -PS80,100-200 -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:38 CST
Initiating Ping Scan at 11:38
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:38, 1.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:38
Completed Parallel DNS resolution of 1 host. at 11:38, 0.04s elapsed
Initiating SYN Stealth Scan at 11:38
Scanning 192.168.121.1 [102 ports]
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 135/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:38, 4.04s elapsed (102 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.0s latency).
Not shown: 100 closed ports
PORT  STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn


Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds
      Raw packets sent: 103 (4.532KB) | Rcvd: 103 (4.128KB)
root@Wing:~# 


Table 2.5 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the TCP ACK ping.

Table 2.5 Option for this section: -PA, TCP ACK ping (the remaining rows are identical to Table 2.1)

-PA performs a TCP ACK ping. It is very similar to the TCP SYN ping; the only difference is that the segment carries the ACK flag instead of SYN. It is useful for finding hosts whose firewalls block SYN segments or ICMP echo requests.

Many firewalls block SYN segments, which is why Nmap offers both the SYN ping and the ACK ping; used together they greatly improve the chance that at least one probe gets through, and -PS and -PA can be combined on one command line so that both a SYN and an ACK are sent. In a TCP ACK ping Nmap sends a segment with only the ACK flag set. A live host that receives an ACK for a connection it knows nothing about answers with a RST, which is what Nmap waits for; a host that is down sends nothing. The ACK ping's weakness is the stateful firewall: because the ACK belongs to no connection it has seen, a stateful firewall usually drops it, whereas a SYN to a permitted port passes.
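To see what the -PS and -PA probes look like on the wire, and why a RST or SYN/ACK settles the question, here is an added example (not code from the original chapter and not Nmap's own) that builds the empty TCP segment with the chosen flags and a valid checksum, parses it back, and applies the verdict rules from the SYN and ACK ping sections. Addresses, ports and the sequence number are taken from the packet trace earlier in the chapter; the MSS option mirrors the <mss 1460> shown there.

```python
import socket
import struct

FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: the TCP checksum also covers the addresses it travels between."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_probe(src_ip, dst_ip, sport, dport, flags, seq=0, window=1024, mss=None) -> bytes:
    """Empty TCP segment (header only, no payload) with a valid checksum.
    flags=FLAG_SYN is the -PS probe (Nmap adds an MSS option), flags=FLAG_ACK the -PA probe."""
    options = struct.pack("!BBH", 2, 4, mss) if mss else b""  # option kind 2, length 4, MSS value
    data_offset = (20 + len(options)) // 4
    header = struct.pack(TCP_HDR, sport, dport, seq, 0, data_offset << 4, flags, window, 0, 0) + options
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off, flags, window, csum, _ = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": csum, "header_len": (off >> 4) * 4}


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """With the checksum field in place, summing pseudo-header plus segment must give zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def discovery_verdict(probe_flags: int, reply_flags: int) -> str:
    """What Nmap concludes from a reply to a -PS (SYN) or -PA (ACK) probe."""
    if reply_flags & FLAG_RST:
        return "up: RST (closed port, or unsolicited ACK rejected)"
    if probe_flags == FLAG_SYN and reply_flags & FLAG_SYN and reply_flags & FLAG_ACK:
        return "up: SYN/ACK (open port)"
    return "no evidence"


if __name__ == "__main__":
    syn = build_tcp_probe("192.168.239.128", "45.33.32.156", 54907, 443, FLAG_SYN, seq=2415939166, mss=1460)
    print(parse_tcp(syn), checksum_ok("192.168.239.128", "45.33.32.156", syn))
```

Sending these segments requires a raw socket and root, exactly as Nmap does; the point of the example is the layout and the decision rule, and the checksum_ok check against a wrong destination address shows why a probe cannot simply be replayed to another host.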

root@Wing:~# nmap -PA -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:43 CST
Initiating Ping Scan at 11:43
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:43, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.01s elapsed
Initiating SYN Stealth Scan at 11:43
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 126 out of 418 dropped probes since last increase.
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Completed SYN Stealth Scan at 11:45, 139.14s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT   STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
49152/tcp open   unknown
49153/tcp open   unknown
49155/tcp open   unknown
49165/tcp open   unknown


Nmap done: 1 IP address (1 host up) scanned in 139.22 seconds
      Raw packets sent: 1723 (75.808KB) | Rcvd: 1014 (40.845KB)
root@Wing:~# 


Using -PS and -PA together:

root@Wing:~# nmap -PA -PS 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 20:39 CST
Nmap scan report for 192.168.126.131
Host is up (0.00037s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
root@Wing:~# 


Next, a case in which a firewall blocks the probe. First the target is scanned with a TCP ACK ping.

root@Wing:~# nmap -PA -v 192.168.22.22

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:46 CST
Initiating Ping Scan at 11:46
Scanning 192.168.22.22 [1 port]
Completed Ping Scan at 11:46, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.22.22 [host down]

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.04 seconds
      Raw packets sent: 2 (80B) | Rcvd: 0 (0B)
root@Wing:~# 


The output reports the target as down. The next step is to try a TCP SYN ping to decide whether it really is.

root@Wing:~# nmap -PS -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:50 CST
Initiating Ping Scan at 11:50
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:50, 1.00s elapsed (1 total hosts)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 109.97 seconds
      Raw packets sent: 1760 (77.440KB) | Rcvd: 1020 (40.848KB)
root@Wing:~# 


This run reports its target as up, which the chapter presents as evidence that the ACK probe was dropped by the target's firewall while the SYN probe got through. Note, however, that the two commands above were run against different addresses (192.168.22.22 for the ACK ping, 192.168.121.1 for the SYN ping), so as shown they do not support that conclusion. To make the comparison meaningful, run both probes against the same host, and add --reason or --packet-trace so the output states which probe drew the reply.

Table 2.6 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the UDP ping.

Table 2.6 Option for this section: -PU, UDP ping (the remaining rows are identical to Table 2.1)

-PU sends an empty UDP datagram to the given port. If no port is given, the default is 40125 (configurable at compile time by changing DEFAULT_UDP_PROBE_PORT_SPEC in nmap.h). Such an unusual port is used on purpose: this probe works by hitting a closed port, and sending to an open UDP service is undesirable here because most services ignore an empty datagram and return nothing.

When the datagram reaches a closed port on a live host, the host answers with an ICMP port unreachable error (type 3, code 3) and Nmap marks the host as up. Other ICMP unreachable errors (network, host or protocol unreachable, or administratively prohibited) come from routers or filters and mean the host cannot be reached, so Nmap counts the host as down. No reply at all is also counted as down, which is what happens when the probe lands on an open port or a firewall drops it. The main advantage of the UDP ping is that it gets through firewalls and filters that only screen TCP.

root@Wing:~# nmap -PU -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:58 CST
Initiating Ping Scan at 11:58
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 11:58, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:58
Completed Parallel DNS resolution of 1 host. at 11:58, 0.01s elapsed
Initiating SYN Stealth Scan at 11:58
Scanning 192.168.121.1 [1000 ports]
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 49165/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 123 out of 409 dropped probes since last increase.
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 49153/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Completed SYN Stealth Scan at 12:00, 110.73s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.00s latency).
Not shown: 987 closed ports
PORT   STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
49152/tcp open   unknown
49153/tcp open   unknown
49155/tcp open   unknown
49165/tcp open   unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 110.79 seconds
      Raw packets sent: 1724 (75.840KB) | Rcvd: 1009 (40.661KB)
root@Wing:~# 


The output shows the target as up, which means it answered with an ICMP port unreachable. Capturing the exchange with Wireshark confirms what happened on the wire.

As Figure 2.4 shows, the capture contains a message labelled "Destination unreachable". Its detail pane shows the quoted header of the UDP probe that triggered it, with destination port 40125. Any other port can be specified instead.

▲ Figure 2.4 The detail pane showing an ICMP packet
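What Wireshark displays in that detail pane is the structure of the ICMP error: an 8-byte ICMP header followed by the IPv4 header and the first 8 bytes of the datagram that provoked it, which is how the probed port can be read back out. As an added example (not code from the original chapter and not Nmap's own), the following Python constructs such a message in memory, decodes it, and applies the -PU rule from this section: port unreachable from the target quoting our probe means up, any other unreachable code means the host could not be reached. The addresses follow the run above; the ICMP checksum is left at zero in the constructed sample, and the parser does not validate it.

```python
import socket
import struct

UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                     3: "port unreachable", 9: "net administratively prohibited",
                     10: "host administratively prohibited", 13: "communication administratively prohibited"}


def build_unreachable(code: int, probe_src: str, probe_dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP Destination Unreachable: ICMP header + quoted IPv4 header of the probe
    + the first 8 bytes of the probe (the whole UDP header). ICMP checksum left at zero."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, socket.IPPROTO_UDP, 0,
                            socket.inet_aton(probe_src), socket.inet_aton(probe_dst))
    quoted_udp = struct.pack("!HHHH", sport, dport, 8, 0)  # empty datagram: length 8, checksum 0
    return struct.pack("!BBHI", 3, code, 0, 0) + quoted_ip + quoted_udp


def parse_icmp(message: bytes) -> dict:
    """Type and code plus, for Destination Unreachable, the quoted probe's addresses, protocol and ports."""
    info = {"type": message[0], "code": message[1]}
    if info["type"] != 3 or len(message) < 36:  # 8 ICMP + 20 IP + 8 transport bytes
        return info
    inner = message[8:]
    ihl = (inner[0] & 0x0F) * 4
    info.update(proto=inner[9], inner_src=socket.inet_ntoa(inner[12:16]), inner_dst=socket.inet_ntoa(inner[16:20]))
    if inner[9] in (socket.IPPROTO_UDP, socket.IPPROTO_TCP) and len(inner) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def udp_ping_verdict(reply_src: str, message: bytes, target: str, probe_port: int) -> str:
    """The -PU decision for one ICMP message received after probing target:probe_port."""
    info = parse_icmp(message)
    if info["type"] != 3:
        return "ignored: not a destination unreachable"
    if info["code"] == 3:
        if reply_src == target and info.get("inner_dst") == target and info.get("dport") == probe_port:
            return "up: port unreachable quoting our probe to port %d" % probe_port
        return "ignored: port unreachable that does not quote our probe"
    return "down: %s from %s" % (UNREACHABLE_CODES.get(info["code"], "code %d" % info["code"]), reply_src)


if __name__ == "__main__":
    reply = build_unreachable(3, "192.168.121.130", "192.168.121.1", 40125, 40125)
    print(parse_icmp(reply))
    print(udp_ping_verdict("192.168.121.1", reply, "192.168.121.1", 40125))
```

Matching the quoted destination port is what keeps a stray unreachable from another scan, or a reply to a different probe, from being credited to this one.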

root@Wing:~# nmap -PU80,111 -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 12:26 CST
Initiating Ping Scan at 12:26
Scanning 192.168.121.1 [2 ports]
Completed Ping Scan at 12:26, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:26
Completed Parallel DNS resolution of 1 host. at 12:26, 0.01s elapsed
Initiating SYN Stealth Scan at 12:26
Scanning 192.168.121.1 [1000 ports]


As Figure 2.5 shows, there are now two ICMP packets, both "Destination unreachable", one for each port in the list; the detail pane shows the destination port of each quoted probe, which for this command should be 80 and 111.

▲ Figure 2.5 The detail pane showing two ICMP packets

Table 2.7 lists the options used in this chapter; the ones highlighted in the original table are the subject of this section, the ICMP ping types.

Table 2.7 Options for this section: -PE, -PP and -PM, ICMP ping types (the remaining rows are identical to Table 2.1)

-PE, -PP and -PM select the ICMP ping types. ICMP (Internet Control Message Protocol) is a member of the TCP/IP suite used to pass control messages between IP hosts and routers: whether the network is reachable, whether a host is up, whether a route is usable. These messages carry no user data, but they are essential to delivering it.

With -PE Nmap sends an ICMP type 8 (echo request) to the target address and expects a type 0 (echo reply) from a live host; put simply, -PE checks whether a host is up by pinging it. Because many host and perimeter firewalls drop echo requests, an ICMP-only sweep is usually not enough for Internet targets, but for an administrator monitoring an internal network it is often the practical choice. -PP sends an ICMP timestamp request (type 13) and expects a timestamp reply (type 14): many firewalls configured to block echo requests are not configured to block timestamp requests, so this is worth trying when -PE fails. -PM sends an ICMP address mask request (type 17) and expects an address mask reply (type 18), for the same reason. These two alternative ICMP types often get through where plain ping does not.

(1) ICMP echo ping

root@Wing:~# nmap -PE -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:22 CST
Initiating Ping Scan at 21:22
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 21:22, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:22
Completed Parallel DNS resolution of 1 host. at 21:22, 0.01s elapsed
Initiating SYN Stealth Scan at 21:22
Scanning 192.168.121.1 [1000 ports]
Discovered open port 139/tcp on 192.168.121.1
Discovered open port 135/tcp on 192.168.121.1
Discovered open port 445/tcp on 192.168.121.1
Discovered open port 49159/tcp on 192.168.121.1
Discovered open port 49152/tcp on 192.168.121.1
Discovered open port 843/tcp on 192.168.121.1
Discovered open port 912/tcp on 192.168.121.1
Increasing send delay for 192.168.121.1 from 0 to 5 due to 119 out of 395 dropped probes since last increase.
Discovered open port 49155/tcp on 192.168.121.1
Discovered open port 7000/tcp on 192.168.121.1
Discovered open port 902/tcp on 192.168.121.1
Discovered open port 8000/tcp on 192.168.121.1
Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:25 (0:00:00 remaining)
Stats: 0:02:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:25 (0:00:00 remaining)
Discovered open port 49153/tcp on 192.168.121.1
Completed SYN Stealth Scan at 21:25, 148.61s elapsed (1000 total ports)
Nmap scan report for 192.168.121.1
Host is up (1.0s latency).
Not shown: 987 closed ports
PORT   STATE   SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
49152/tcp open   unknown
49153/tcp open   unknown
49155/tcp open   unknown
49159/tcp open   unknown


Nmap done: 1 IP address (1 host up) scanned in 148.68 seconds
      Raw packets sent: 1744 (76.720KB) | Rcvd: 1017 (40.716KB)
root@Wing:~# 


(2) ICMP timestamp ping

root@Wing:~# nmap -PP -v 163.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:24 CST
Initiating Ping Scan at 21:24
Scanning 163.com (123.58.180.8) [1 port]
Completed Ping Scan at 21:24, 2.01s elapsed (1 total hosts)
Nmap scan report for 163.com (123.58.180.8) [host down]
Other addresses for 163.com (not scanned): 123.58.180.7

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.08 seconds
      Raw packets sent: 2 (80B) | Rcvd: 0 (0B)
root@Wing:~# 


(3) ICMP address mask ping

root@Wing:~# nmap -PM -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:27 CST
Initiating Ping Scan at 21:27
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 21:27, 2.01s elapsed (1 total hosts)
Nmap scan report for 192.168.121.1 [host down]

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.05 seconds
      Raw packets sent: 2 (64B) | Rcvd: 0 (0B)
root@Wing:~# 


As these runs show, different probe types get different results through different filters: 192.168.121.1 answered the echo request but not the address mask request, and 163.com did not answer the timestamp request. Since the timestamp run used a different target, it says nothing about how 192.168.121.1 would have treated -PP; to compare probe types, run them against the same host.

Table 2.8 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the ARP ping.

Table 2.8 Option for this section: -PR, ARP ping (the remaining rows are identical to Table 2.1)

-PR is normally used when scanning a local network. ARP (Address Resolution Protocol) is the TCP/IP protocol that maps an IP address to a hardware address: a host broadcasts an ARP request to every host on the segment, the owner of the IP address replies with its MAC address, and the requester stores the pair in its ARP cache so that later lookups are answered from the cache.

An ARP ping is Nmap asking the target for its MAC address. On a local network it is the most effective discovery method: a host must answer ARP to receive any IP traffic at all, so host firewalls do not block it, and it is faster and more reliable than any IP-level ping. By default, when Nmap finds that a target is on the same Ethernet segment as the scanner, it uses ARP for discovery even if another ping type (such as -PE or -PS) was requested. To force IP-level probes instead, specify --send-ip. One thing ARP cannot do is authenticate the answer: any host on the segment can reply on behalf of an address, so a reply whose ARP sender MAC differs from the frame's source MAC, or one address answered by several MACs, deserves a second look.
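The ARP exchange behind -PR is small enough to build and decode by hand. As an added example (not code from the original chapter and not Nmap's own), the following Python constructs the broadcast request and the unicast reply as Ethernet frames, parses them, applies the discovery rule (the host is up if a reply for the probed address arrives addressed to us) and flags replies whose ARP sender MAC does not match the Ethernet source MAC. The target MAC and addresses are taken from the scan output above; the scanner's MAC is an assumed value. Nothing is sent on the wire.

```python
import socket
import struct
from typing import List, Optional

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying 'who has target_ip? tell sender_ip'."""
    eth = BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen 6, plen 4, opcode 1 = request
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
                    eth_src: Optional[str] = None) -> bytes:
    """Unicast reply 'sender_ip is at sender_mac'. eth_src lets a test forge a mismatched frame source."""
    eth = mac_bytes(target_mac) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # opcode 2 = reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip) + mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(op, op),
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def arp_discovered(frames: List[bytes], probed_ip: str, my_ip: str) -> Optional[str]:
    """The -PR rule: probed_ip is up if a reply for it arrives addressed to us; returns its MAC."""
    for f in frames:
        a = parse_arp(f)
        if a and a["op"] == "reply" and a["sender_ip"] == probed_ip and a["target_ip"] == my_ip:
            return a["sender_mac"]
    return None


def inconsistent_replies(frames: List[bytes]) -> List[dict]:
    """Replies whose ARP sender MAC differs from the Ethernet source MAC: a classic spoofing tell."""
    return [a for a in map(parse_arp, frames) if a and a["op"] == "reply" and a["eth_src"] != a["sender_mac"]]


if __name__ == "__main__":
    # Scanner MAC is assumed; target MAC and both addresses come from the scan output above.
    req = build_arp_request("00:0c:29:aa:bb:cc", "192.168.126.130", "192.168.126.131")
    rep = build_arp_reply("00:0c:29:e0:2e:76", "192.168.126.131", "00:0c:29:aa:bb:cc", "192.168.126.130")
    print(parse_arp(req)); print(parse_arp(rep))
    print("up, MAC", arp_discovered([req, rep], "192.168.126.131", "192.168.126.130"))
```

The MAC that Nmap prints in its report is the sender_mac field of this reply, which is also what the OUI lookup ("VMware") is based on.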

root@Wing:~# nmap -PR 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 20:51 CST
Nmap scan report for 192.168.126.131
Host is up (0.00049s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
root@Wing:~# 


Table 2.9 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, the list scan.

Table 2.9 Option for this section: -sL, list scan (the remaining rows are identical to Table 2.1)

The list scan is a degenerate form of host discovery: it simply lists every address in the target specification without sending any packets to the targets. By default Nmap still performs reverse DNS lookups on the addresses to learn their names, so a list scan does generate DNS traffic (and leaves a trace on the DNS servers) even though it never touches the hosts themselves. The "0 hosts up" in the summary below is expected, since nothing was probed.

root@Wing:~# nmap -sL 192.168.126.131/24

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:08 CST
Nmap scan report for 192.168.126.0
Nmap scan report for 192.168.126.1
Nmap scan report for 192.168.126.2
Nmap scan report for 192.168.126.3
Nmap scan report for 192.168.126.4
Nmap scan report for 192.168.126.5
… (omitted) …
Nmap scan report for 192.168.126.226
Nmap scan report for 192.168.126.227
Nmap scan report for 192.168.126.228
Nmap scan report for 192.168.126.229
Nmap scan report for 192.168.126.230
Nmap scan report for 192.168.126.231
Nmap scan report for 192.168.126.232
Nmap scan report for 192.168.126.233
Nmap scan report for 192.168.126.234
Nmap scan report for 192.168.126.235
Nmap scan report for 192.168.126.236
Nmap scan report for 192.168.126.237
Nmap scan report for 192.168.126.238
Nmap scan report for 192.168.126.239
Nmap scan report for 192.168.126.240
Nmap scan report for 192.168.126.241
Nmap scan report for 192.168.126.242
Nmap scan report for 192.168.126.243
Nmap scan report for 192.168.126.244
Nmap scan report for 192.168.126.245
Nmap scan report for 192.168.126.246
Nmap scan report for 192.168.126.247
Nmap scan report for 192.168.126.248
Nmap scan report for 192.168.126.249
Nmap scan report for 192.168.126.250
Nmap scan report for 192.168.126.251
Nmap scan report for 192.168.126.252
Nmap scan report for 192.168.126.253
Nmap scan report for 192.168.126.254
Nmap scan report for 192.168.126.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 6.26 seconds
root@Wing:~# 
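A list scan is target-specification expansion plus a reverse lookup per address. As an added example (not code from the original chapter and not Nmap's own), the following Python reproduces that expansion for dotted IPv4 specifications in CIDR form and in Nmap's octet-range syntax, and builds the in-addr.arpa query name each address generates unless -n is given, which is exactly the traffic the -n and -R sections that follow are about. The specifications and addresses are taken from the runs in this chapter; host names and IPv6 targets are out of scope for this helper.

```python
import ipaddress
import itertools
from typing import List


def _octet_values(spec: str) -> List[int]:
    """Expand one octet of an Nmap-style target: '5', '1-10', '1,3,5-7', '*', '-', '20-', '-10'."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_targets(spec: str) -> List[str]:
    """Enumerate what 'nmap -sL <spec>' would list for a dotted IPv4 spec, without touching the network."""
    if "/" in spec:
        # 192.168.126.131/24 -> 192.168.126.0/24; iterating the network includes the
        # network and broadcast addresses, which is why Nmap reports 256 addresses.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("only dotted IPv4 specifications are handled here")
    return [".".join(map(str, combo)) for combo in itertools.product(*map(_octet_values, octets))]


def ptr_name(ip: str) -> str:
    """The reverse-DNS (PTR) query name Nmap sends for this address unless -n is given."""
    return ipaddress.ip_address(ip).reverse_pointer


def rdns_queries(spec: str) -> List[str]:
    """Every PTR name a list scan of this spec would look up; one query per address."""
    return [ptr_name(ip) for ip in expand_targets(spec)]


if __name__ == "__main__":
    targets = expand_targets("192.168.126.131/24")
    print(len(targets), targets[0], targets[-1])
    print(expand_targets("10.0.1-2.5,7"))
    print(ptr_name("45.33.32.156"))
```

The length of rdns_queries() is the number of DNS questions a default list scan sends, which is what makes a /24 list scan take seconds rather than milliseconds.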


Table 2.10 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, disabling reverse DNS resolution.

Table 2.10 Option for this section: -n, never do reverse DNS resolution (the remaining rows are identical to Table 2.1)

-n disables DNS resolution: with this option Nmap never performs reverse DNS lookups on the target addresses.

root@Wing:~# nmap -n -sL 124.172.156.75/24

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:30 CST
Nmap scan report for 124.172.156.0
Nmap scan report for 124.172.156.1
Nmap scan report for 124.172.156.2
Nmap scan report for 124.172.156.3
Nmap scan report for 124.172.156.4
… (omitted) …
Nmap scan report for 124.172.156.240
Nmap scan report for 124.172.156.241
Nmap scan report for 124.172.156.242
Nmap scan report for 124.172.156.243
Nmap scan report for 124.172.156.244
Nmap scan report for 124.172.156.245
Nmap scan report for 124.172.156.246
Nmap scan report for 124.172.156.247
Nmap scan report for 124.172.156.248
Nmap scan report for 124.172.156.249
Nmap scan report for 124.172.156.250
Nmap scan report for 124.172.156.251
Nmap scan report for 124.172.156.252
Nmap scan report for 124.172.156.253
Nmap scan report for 124.172.156.254
Nmap scan report for 124.172.156.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 0.02 seconds
root@Wing:~# 


 

This option is worth using whenever the targets are plain IP ranges rather than a named server: it cuts the scan time (0.02 seconds here, against 4.41 seconds for the list scan with reverse lookups in the next section), and it keeps Nmap from sending a PTR query for every address to the DNS servers, which would otherwise reveal the scan to whoever operates them.

Table 2.11 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, forcing reverse DNS resolution.

Table 2.11 Option for this section: -R, always do reverse DNS resolution (the remaining rows are identical to Table 2.1)

-R forces reverse DNS resolution: with this option Nmap always performs a reverse lookup on every target address, including hosts it has not found to be up (by default only hosts that respond are resolved).

root@Wing:~# nmap -R -sL *.172.156.75/24

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:29 CST
Nmap scan report for *.172.156.0
Nmap scan report for *.172.156.1
Nmap scan report for *.172.156.2
Nmap scan report for *.172.156.3
Nmap scan report for *.172.156.4
… (omitted) …
Nmap scan report for mail.***testarlight.com (*.172.156.229)
Nmap scan report for *.172.156.230
Nmap scan report for *.172.156.231
Nmap scan report for *.172.156.232
Nmap scan report for *.172.156.233
Nmap scan report for *.172.156.234
Nmap scan report for *.172.156.235
Nmap scan report for *.172.156.236
Nmap scan report for *.172.156.237
Nmap scan report for *.172.156.238
Nmap scan report for *.172.156.239
Nmap scan report for *.172.156.240
Nmap scan report for *.172.156.241
Nmap scan report for *.172.156.242
Nmap scan report for *.172.156.243
Nmap scan report for *.172.156.244
Nmap scan report for *.172.156.245
Nmap scan report for *.172.156.246
Nmap scan report for *.172.156.247
Nmap scan report for *.172.156.248
Nmap scan report for *.172.156.249
Nmap scan report for *.172.156.250
Nmap scan report for *.172.156.251
Nmap scan report for *.172.156.252
Nmap scan report for *.172.156.253
Nmap scan report for *.172.156.254
Nmap scan report for *.172.156.255
Nmap done: 256 IP addresses (0 hosts up) scanned in 4.41 seconds
root@Wing:~# 


In this output Nmap resolved *.172.156.229 to a name, while the other addresses in the range have no PTR record.

 

This option is most useful against hosts that have names bound to them, because the names add context: when scanning a class C range, for instance, they show at a glance which addresses host which web sites.

Table 2.12 lists the options used in this chapter; the one highlighted in the original table is the subject of this section, using the system DNS resolver.

Table 2.12 Option for this section: --system-dns, use the system DNS resolver (the remaining rows are identical to Table 2.1)

--system-dns means use the system DNS resolver. By default, Nmap resolves names by sending queries directly to the DNS servers configured on your host, and to improve performance many requests (typically dozens) are in flight at once. If you would rather use the system's own resolver, specify this option; names are then resolved one IP at a time through a getnameinfo() call.

root@Wing:~# nmap --system-dns 192.168.126.2 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-09 21:37 CST
Nmap scan report for 192.168.126.2
Host is up (0.00021s latency).
Not shown: 999 closed ports
PORT  STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)

Nmap scan report for 192.168.126.131
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.20 seconds
root@Wing:~# 
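The two behaviours described above, the reverse lookup that -R performs over a list-scanned range and the difference between Nmap's default of many concurrent lookups and the one-at-a-time getnameinfo() style that --system-dns selects, as an added example that is not code from the book or from Nmap. SAMPLE_PTR and sample_resolver are constructed for offline use; system_resolver performs a real lookup.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed lookup table standing in for real PTR records, so the logic
# can be run (and tested) without network access.
SAMPLE_PTR = {"10.0.0.3": "mail.example.test"}


def sample_resolver(ip):
    """Offline stand-in for a reverse lookup: hostname or None."""
    return SAMPLE_PTR.get(ip)


def system_resolver(ip):
    """One reverse lookup through getnameinfo(), as --system-dns does."""
    try:
        # NI_NAMEREQD: fail instead of echoing the numeric address back
        return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]
    except OSError:
        return None


def list_scan(network, resolver=system_resolver, system_dns=False, workers=32):
    """Return Nmap-style 'scan report' lines for every address in network.

    system_dns=False mirrors Nmap's default of keeping dozens of lookups
    in flight; system_dns=True resolves strictly one address at a time.
    No probe packets are sent, only PTR lookups, just like -R -sL."""
    addrs = [str(a) for a in ipaddress.ip_network(network, strict=False)]
    if system_dns:
        names = [resolver(a) for a in addrs]
    else:
        with ThreadPoolExecutor(max_workers=workers) as pool:
            names = list(pool.map(resolver, addrs))
    return [f"Nmap scan report for {name} ({ip})" if name
            else f"Nmap scan report for {ip}"
            for ip, name in zip(addrs, names)]


if __name__ == "__main__":
    for line in list_scan("10.0.0.0/30", resolver=sample_resolver):
        print(line)
```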


Table 2.13 lists the Nmap options needed for this chapter; the command shown in bold is the one this subsection covers: scanning IPv6 addresses (-6).

Table 2.13 Options needed for this section

Option          Description
-sP             Ping scan
-P0             No-ping scan
-PS             TCP SYN ping scan
-PA             TCP ACK ping scan
-PU             UDP ping scan
-PE; -PP; -PM   ICMP ping-type scans
-PR             ARP ping scan
-n              Disable reverse DNS resolution
-R              Reverse-resolve domain names
--system-dns    Use the system DNS resolver
-sL             List scan
-6              Scan IPv6 addresses
--traceroute    Route tracing
-PY             SCTP INIT ping scan

IPv6 is short for Internet Protocol Version 6. It is the next-generation IP protocol designed by the IETF (Internet Engineering Task Force) to replace the current version of IP (IPv4). The current IP version number is 4 (IPv4 for short), and its successor is IPv6.

Nmap has supported IPv6 scanning for a long time; adding the -6 option to an Nmap command scans an IPv6 target.

root@Wing:~# nmap -6 fe80::20c:29ff:fee0:2e76

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-10 16:50 CST
Nmap scan report for fe80::20c:29ff:fee0:2e76
Host is up (0.00040s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE
22/tcp  open ssh
53/tcp  open domain
2121/tcp open ccproxy-ftp
5432/tcp open postgresql
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@Wing:~# 


 

IPv6 will gradually replace IPv4, but IPv4 will remain widespread for quite some time. The addresses shown in later chapters are all IPv4; to scan an IPv6 address, put the -6 option before the IPv6 target address in each command.
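The link-local target scanned above is not arbitrary: a host auto-configures it from its MAC using modified EUI-64 (RFC 4291), and the MAC 00:0C:29:E0:2E:76 that Nmap printed yields exactly fe80::20c:29ff:fee0:2e76, so the two lines of output can be cross-checked. This is an added example, not code from the book or from Nmap; the function names are this example's own.

```python
import ipaddress


def mac_to_link_local(mac):
    """Return the compressed fe80::/64 address derived from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit (bit 1 of the first octet) and insert
    # 0xFFFE between the OUI half and the device-specific half.
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64))


def link_local_to_mac(addr):
    """Inverse: recover the MAC from an EUI-64 style interface identifier.

    Returns None when the identifier was not built that way (privacy
    extensions or randomised IIDs carry no MAC), so an inventory script
    must not assume the reverse mapping always exists."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    # The MAC and address below are the ones shown in the scan output.
    print(mac_to_link_local("00:0C:29:E0:2E:76"))
    print(link_local_to_mac("fe80::20c:29ff:fee0:2e76"))
```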

Table 2.14 lists the Nmap options needed for this chapter; the command shown in bold is the one this subsection covers: route tracing (--traceroute).

Table 2.14 Options needed for this section

Option          Description
-sP             Ping scan
-P0             No-ping scan
-PS             TCP SYN ping scan
-PA             TCP ACK ping scan
-PU             UDP ping scan
-PE; -PP; -PM   ICMP ping-type scans
-PR             ARP ping scan
-n              Disable reverse DNS resolution
-R              Reverse-resolve domain names
--system-dns    Use the system DNS resolver
-sL             List scan
-6              Scan IPv6 addresses
--traceroute    Route tracing
-PY             SCTP INIT ping scan

The --traceroute option performs route tracing, which helps the user understand how traffic travels through the network: it reveals the network nodes that packets pass through between the local machine and the target, together with the round-trip time to each node.

root@Wing:~# nmap --traceroute -v www.163.com

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 21:04 CST
Initiating Ping Scan at 21:04
Scanning www.163.com (112.253.19.198) [4 ports]  # the NetEase server address is resolved here
Completed Ping Scan at 21:04, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:04
Completed Parallel DNS resolution of 1 host. at 21:04, 0.02s elapsed
Initiating SYN Stealth Scan at 21:04
Scanning www.163.com (112.253.19.198) [1000 ports]
Discovered open port 80/tcp on 112.253.19.198
Discovered open port 8080/tcp on 112.253.19.198
Discovered open port 443/tcp on 112.253.19.198
Discovered open port 8888/tcp on 112.253.19.198
Discovered open port 88/tcp on 112.253.19.198
Discovered open port 3000/tcp on 112.253.19.198
Discovered open port 9080/tcp on 112.253.19.198
Discovered open port 8085/tcp on 112.253.19.198
adjust_timeouts2: packet supposedly had rtt of 9022009 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 9022009 microseconds. Ignoring time.
Discovered open port 8383/tcp on 112.253.19.198
SYN Stealth Scan Timing: About 30.05% done; ETC: 21:05 (0:01:12 remaining)
Discovered open port 7001/tcp on 112.253.19.198
Discovered open port 8088/tcp on 112.253.19.198
Discovered open port 3030/tcp on 112.253.19.198
SYN Stealth Scan Timing: About 62.28% done; ETC: 21:05 (0:00:37 remaining)
Discovered open port 8082/tcp on 112.253.19.198
Discovered open port 20000/tcp on 112.253.19.198
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Completed SYN Stealth Scan at 21:06, 114.52s elapsed (1000 total ports)
Initiating Traceroute at 21:06
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Completed Traceroute at 21:06, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:06
Completed Parallel DNS resolution of 2 hosts. at 21:06, 0.01s elapsed
Nmap scan report for www.163.com (112.253.19.198)
Host is up (1.1s latency).
Other addresses for www.163.com (not scanned): 218.58.206.54
Not shown: 980 closed ports
PORT   STATE   SERVICE
80/tcp  open   http
88/tcp  open   kerberos-sec
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open   https
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
3000/tcp open   ppp
3030/tcp open   arepa-cas
4444/tcp filtered krb524
7001/tcp open   afs3-callback
8080/tcp open   http-proxy
8082/tcp open   blackice-alerts
8085/tcp open   unknown
8088/tcp open   radan-http
8383/tcp open   m2mservices
8888/tcp open   sun-answerbook
9080/tcp open   glrpc
20000/tcp open   dnp

TRACEROUTE (using port 80/tcp)  # traced through port 80 of the NetEase server
HOP RTT   ADDRESS
1  0.13 ms 192.168.239.2
2  0.13 ms 112.253.19.198


Nmap done: 1 IP address (1 host up) scanned in 114.74 seconds
      Raw packets sent: 1098 (48.240KB) | Rcvd: 1091 (43.724KB)
root@Wing:~# 
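A parser for the TRACEROUTE table in Nmap's normal output, so the hop list can be stored and compared between runs (an unexpected change in the path to a known host is worth investigating). This is an added example, not code from the book or from Nmap; SAMPLE is constructed from the two-hop result above, and the "N ... M" gap form is the notation Nmap uses for hops that did not answer.

```python
import re

# Constructed sample, reproducing the traceroute block from the scan above.
SAMPLE = """\
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.13 ms 192.168.239.2
2   0.13 ms 112.253.19.198

Nmap done: 1 IP address (1 host up) scanned in 114.74 seconds
"""

HOP_RE = re.compile(r"^(\d+)\s+([\d.]+) ms\s+(.+)$")
GAP_RE = re.compile(r"^(\d+)\s+\.\.\.(?:\s+(\d+))?")


def parse_traceroute(text):
    """Return (probe, hops) where hops is a list of (hop, rtt_ms, address).

    rtt_ms and address are None for hops that gave no reply."""
    probe, hops, inside = None, [], False
    for line in text.splitlines():
        if line.startswith("TRACEROUTE"):
            m = re.search(r"\(using (.+)\)", line)
            probe, inside = (m.group(1) if m else None), True
            continue
        if not inside or line.startswith("HOP"):
            continue
        if not line.strip():
            break                       # a blank line ends the table
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), float(m.group(2)), m.group(3).strip()))
            continue
        m = GAP_RE.match(line)          # "3   ... 5" means hops 3-5 were silent
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            hops.extend((n, None, None) for n in range(first, last + 1))
    return probe, hops


if __name__ == "__main__":
    print(parse_traceroute(SAMPLE))
```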


Table 2.15 lists the Nmap options needed for this chapter; the command shown in bold is the one this subsection covers: SCTP INIT ping scan (-PY).

Table 2.15 Options needed for this section

Option          Description
-sP             Ping scan
-P0             No-ping scan
-PS             TCP SYN ping scan
-PA             TCP ACK ping scan
-PU             UDP ping scan
-PE; -PP; -PM   ICMP ping-type scans
-PR             ARP ping scan
-n              Disable reverse DNS resolution
-R              Reverse-resolve domain names
--system-dns    Use the system DNS resolver
-sL             List scan
-6              Scan IPv6 addresses
--traceroute    Route tracing
-PY             SCTP INIT ping scan

SCTP (Stream Control Transmission Protocol) is a transport-layer protocol defined by the IETF (Internet Engineering Task Force) in 2000. It can be regarded as an improvement on TCP that addresses some of TCP's shortcomings. An SCTP INIT ping scan sends an INIT packet to the target and decides from the target's response whether the host is alive.

root@Wing:~# nmap -PY -v 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 12:39 CST
Initiating Ping Scan at 12:39
Scanning 192.168.121.1 [1 port]
Completed Ping Scan at 12:39, 0.00s elapsed (1 total hosts)
Nmap scan report for 192.168.121.1 [host down]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds
      Raw packets sent: 1 (52B) | Rcvd: 1 (80B)
root@Wing:~# 


From the output we can see that the target host is not alive.
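A decoder for the SCTP packets involved in a -PY probe, added here as an example that is not code from the book or from Nmap. The 12-byte common header plus a 20-byte INIT chunk is 32 bytes, which with a 20-byte IPv4 header gives the 52 B the output above reports; an INIT-ACK or an ABORT coming back shows a live SCTP stack, which is the verdict Nmap applies. The sample bytes are constructed from the RFC 4960 field layouts, not captured traffic, and checksums are left at zero.

```python
import struct

CHUNK_NAMES = {1: "INIT", 2: "INIT-ACK", 6: "ABORT"}


def build_init_probe(sport, dport, init_tag, a_rwnd=32768, tsn=0):
    """Constructed INIT probe: common header (12 B) + INIT chunk (20 B).
    INIT chunk fields: type, flags, length, initiate tag, a_rwnd,
    outbound streams, inbound streams, initial TSN."""
    chunk = struct.pack("!BBHIIHHI", 1, 0, 20, init_tag, a_rwnd, 10, 65535, tsn)
    return struct.pack("!HHII", sport, dport, 0, 0) + chunk


def build_abort(sport, dport, vtag):
    """Constructed ABORT reply: a bare 4-byte ABORT chunk whose
    verification tag echoes the probe's initiate tag."""
    return struct.pack("!HHII", sport, dport, vtag, 0) + struct.pack("!BBH", 6, 0, 4)


def decode_sctp(payload):
    """Return (src_port, dst_port, vtag, [chunk names]) from raw SCTP bytes."""
    if len(payload) < 12:
        raise ValueError("truncated SCTP common header")
    sport, dport, vtag, _csum = struct.unpack("!HHII", payload[:12])
    chunks, off = [], 12
    while off + 4 <= len(payload):
        ctype, _flags, clen = struct.unpack("!BBH", payload[off:off + 4])
        if clen < 4:
            raise ValueError("bad chunk length")
        chunks.append(CHUNK_NAMES.get(ctype, f"type-{ctype}"))
        off += (clen + 3) & ~3      # chunks are padded to a 4-byte boundary
    return sport, dport, vtag, chunks


def host_is_up(response):
    """Nmap's -PY rule: INIT-ACK (port listening) or ABORT (port closed)
    both prove a live host; no reply proves nothing, as in the scan above."""
    if response is None:
        return False
    return any(c in ("INIT-ACK", "ABORT") for c in decode_sctp(response)[3])


if __name__ == "__main__":
    probe = build_init_probe(40000, 80, 0x1234ABCD)
    print(len(probe), decode_sctp(probe))
    print(host_is_up(build_abort(80, 40000, 0x1234ABCD)), host_is_up(None))
```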