Nmap port scanning: Hakluke's Guide to Nmap (Port Scanning is Just the Beginning)

Anonymous user   2022-5-29 19:05   1098   0

A while back, I posted a Twitter thread that described the Nmap features that I actually use. It really blew up! Nearly 80,000 people saw that thread, so I thought it would be good to put it into a blog post that can be searched and referred to over the long term. The original tweet is here: https://twitter.com/hakluke/status/1263821957163741185

The thing is, Nmap is one of those OG hacking tools that has been around since forever, and it’s incredible, but similar to amass, Nmap is one of those tools that is synonymous with hacking, and extremely well known, but most people don’t know how to use it to full advantage. Many people rarely do more than this:

$ nmap host

If you’re doing this, you’re not even scanning all the ports, and you’re definitely not exfiltrating all of the information that Nmap is capable of finding! Nmap is a port scanner at heart, but it does so much more than just tell you which ports are open. You can use Nmap for service/OS detection and even vuln scanning. In this blog post, I’m going to outline how I use Nmap. I hope that by reading this, you will be able to use Nmap more effectively, and find more bugs!

The Basic Scan

By default Nmap does a standard TCP SYN scan on the top 1000 ports of host. I never really use this by itself.

$ nmap host

At an absolute minimum, I will get more verbosity using -v or -vv.

$ nmap -vv host

Target Specification

Nmap accepts target specification in loads of different formats including plain IP addresses, CIDR ranges and dash notation.

$ nmap hostname
$ nmap 123.123.123.123
$ nmap 123.123.123.1/24
$ nmap 123.123.123.1-255
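To make the three notations above concrete, here is an added Python helper (not from the original post) that expands a target spec into the individual IPv4 addresses the way Nmap interprets it, which is handy for counting what a scan will cover before you launch it. It goes slightly beyond the examples above by also handling ranges and comma lists inside any octet (e.g. `10.0.0-1.5`), which Nmap accepts as well.

```python
import ipaddress
import re
from typing import List

OCTET_RE = re.compile(r"[0-9,\-]+")


def _expand_octet(field: str) -> List[int]:
    """Expand one octet of Nmap dash notation: '5', '1-10', '-' (0-255), or a comma list like '1-5,20'."""
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # a missing bound means the edge of the octet range
            hi = int(hi_s) if hi_s else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {part!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Return the individual IPv4 addresses covered by an Nmap target spec.

    Hostnames are returned unchanged because Nmap resolves them at scan time.
    """
    spec = spec.strip()
    if "/" in spec:
        # CIDR: like Nmap, include the network and broadcast addresses (256 for a /24)
        return [str(addr) for addr in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) == 4 and all(OCTET_RE.fullmatch(o) for o in octets):
        a, b, c, d = (_expand_octet(o) for o in octets)
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    return [spec]


if __name__ == "__main__":
    for target in ("123.123.123.123", "123.123.123.1/24", "123.123.123.1-255", "hostname"):
        print(f"{target}: {len(expand_target(target))} address(es)")
```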

Ping Sweeping

If you just want to find which hosts are alive, you can perform a ping scan with -sn:

$ nmap -sn 123.123.123.1/24

Sometimes, hosts don’t respond to ping. To skip ping checks and just scan the host ports anyway, use -Pn:

$ nmap -Pn host

Scan Targets in a File

To scan a list of hosts from a file, use -iL:

$ nmap -iL ./hosts.txt

Scan Types

There are 9 scan types. The main 2 that you will use are:

TCP SYN (-sS)
UDP (-sU)

The default scan type is TCP SYN. To scan UDP ports use -sU. Other scan types can be useful for stealth or probing firewalls but may sacrifice accuracy or speed. You can find more information about the different nmap scan types here: https://nmap.org/book/man-port-scanning-techniques.html

Specifying Ports

You can specify which ports to scan with -p. By default, only 1000 ports are scanned. To scan all ports:

$ nmap -p 1-65535 host

Protip: To scan all ports you can also use nmap -p- host, which is shorthand for nmap -p 1-65535 host.

You can also specify a comma separated list with single ports, ranges and specific UDP ports (a U: prefix marks UDP ports and a T: prefix marks TCP ports; the U: ports are only probed when the scan also includes -sU):

$ nmap -p 23,23,25,110,80-90,U:53,1000-2000 host

Version and OS Enumeration

When Nmap finds an open port it can probe further to discover what service it is running if you specify -sV. You can set how intense you want the probes to be, from 0 (light probe, fast but not accurate) to 9 (try all probes, slow but accurate):

$ nmap -sV --version-intensity 9 host

Nmap can guess which operating system a host is running based on the scan results. Enable this feature with -O:

$ nmap -O host

Firewall Evasion

It also has extensive firewall evasion functionality. I’ve honestly never used these features but they allow you to do some cool things including spoofing the source address.

Output Formats

Nmap offers many output formats. Some are better for humans to read, others are better for parsing into other tools. I tend to output scans into all formats using:

$ nmap -oA outputfile host

Specific options include:

-oN Normal
-oX XML
-oS scr1pt k1dd13
-oG greppable
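The greppable format is the one you reach for when another tool has to consume the results. As an added example (not code from the original post), this Python snippet parses a constructed -oG sample into per-host port records and then compares the open ports against an allowlist of what each host is supposed to expose, which is the check a defender runs after a scan of their own estate. The sample hosts, services and the EXPECTED_OPEN allowlist are made up for the illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of greppable (-oG) output; hostnames and versions are made up.
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated Sat May 28 10:00:00 2022 as: nmap -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 (web01.example.internal)\tStatus: Up
Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL 5.7.33/\tIgnored State: closed (997)
Host: 10.0.0.6 (db01.example.internal)\tStatus: Up
Host: 10.0.0.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done at Sat May 28 10:01:12 2022 -- 8 IP addresses (2 hosts up) scanned in 72.10 seconds
"""

# One port entry has the shape: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each scanned IP to the port records found in its 'Ports:' field."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' comment lines
        # Tab-separated "Name: value" fields, e.g. Host / Status / Ports / Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        hosts.setdefault(ip, [])
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            hosts[ip].append({"port": int(m.group(1)), "state": m.group(2),
                              "proto": m.group(3), "service": m.group(5),
                              "version": m.group(7)})
    return hosts


def unexpected_open_ports(hosts: Dict[str, List[dict]],
                          expected: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Open ports absent from the per-host allowlist: the exposure worth reviewing."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for p in ports:
            if p["state"] == "open" and p["port"] not in expected.get(ip, set()):
                findings.append((ip, p["port"], p["service"]))
    return findings


# Constructed allowlist of what each host is supposed to expose.
EXPECTED_OPEN = {"10.0.0.5": {22, 80}, "10.0.0.6": {22}}

if __name__ == "__main__":
    for ip, port, service in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), EXPECTED_OPEN):
        print(f"{ip}: unexpected open port {port} ({service})")
```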

Scan Speed

You can also adjust the speed that nmap scans at using -T<0-5>. A higher number means a higher speed.

Higher speed means less accuracy, and vice versa.

$ nmap -T3 host

Nmap Scripting Engine

This is where Nmap gets really interesting! It can also run Lua scripts. These can do pretty much anything. Nmap comes with about 600 of them that perform various vuln scanning and enumeration tasks, but you can also code your own.

The location of Lua scripts is:

<nmap directory>/share/nmap/scripts/* 

Depending on your setup, you might also find them by running:

$ locate '*.nse'

As an example of using Nmap scripts, to check if a host is vulnerable to Eternal Blue, you could run the following (note that the script name refers to CVE-2017-7494, which is a Samba issue rather than EternalBlue, so check the script's description with --script-help before relying on it):

$ nmap --script=smb-vuln-cve-2017-7494 host

Some scripts require arguments; you can specify them with --script-args=n1=v1,n2=v2 and so on.

To get help on which arguments may be accepted by a script:

$ nmap --script-help=scriptname

To upgrade your scripts to the latest and greatest, just run:

$ nmap --script-updatedb

A Nice Alias: -A

A helpful alias is -A, which will enable OS detection, service version detection, script scanning, and traceroute.

$ nmap -A host

My Go-To Command

For a thorough scan of a single host, a decent go-to command is:

$ nmap -A -p1-65535 -v host

A Few Hot Tips

These are just random tips from the comments of my original tweet that didn’t totally fit into the other categories but were too useful to leave out.

If your scan is taking a long time and you want more verbosity, hit ‘v’ while the scan is running. You can increase it multiple steps during the scan. No need to stop the scan to add ‘-v’!

Convert Nmap XML output to report-friendly HTML using xsltproc (the XML file carries a stylesheet reference that xsltproc applies):

$ xsltproc nmap-output.xml -o nmap-output.html

If you output to a file with -oN, -oG or -oX, you can interrupt a scan in progress and pick up exactly where you left off later by using --resume <file>.

Conclusion

I haven’t even covered all of the awesome features that Nmap has here, but I’ve covered all of the features that I have ever found to be useful.

If you like this blog post, follow me on Twitter and subscribe to my YouTube channel.

Translated from: https://medium.com/@hakluke/haklukes-guide-to-nmap-port-scanning-is-just-the-beginning-25d971692fdb
