12. 扫描主机以检查其受到防火墙保护
扫描检测一个主机是否受到任何包过滤器软件或者防火墙保护。
[root@server1 ~]# nmap -PN 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-11 16:30 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open MySQL 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds 13. 找出网络中在线主机在“-sP”选项的bang帮助下,我们可以简单地检测网络中的主机是否在线,带这个选项后nmap会跳过端口检测和其他检测。
[root@server1 ~]# nmap -sP 192.168.0.* Starting Nmap 4.11 ( ) at 2013-11-18 11:01 EST Host server1.tecmint.com (192.168.0.100) appears to be up. Host server2.tecmint.com (192.168.0.101) appears to be up. MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds 14. 执行快速扫描你可以带“-F”选项仅扫描所有列在nmap-services文件中的端口。
[root@server1 ~]# nmap -F 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-11 16:47 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1234 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds 15. 找出nmap版本你可以使用“-V”选项找出运行在你机器上的nmap版本。
[root@server1 ~]# nmap -V Nmap version 4.11 ( ) You have new mail in /var/spool/mail/root 16. 连续扫描端口使用“-r”选项而不随机排列端口的扫描顺序。
[root@server1 ~]# nmap -r 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-11 16:52 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds 17. 显示主机接口及路由你可以使用nmap的“–iflist”选项来列出本机的主机接口和路由信息。
[root@server1 ~]# nmap --iflist Starting Nmap 4.11 ( ) at 2013-11-11 17:07 EST ************************INTERFACES************************ DEV (SHORT) IP/MASK TYPE UP MAC lo (lo) 127.0.0.1/8 loopback up eth0 (eth0) 192.168.0.100/24 ethernet up 08:00:27:11:C7:89 **************************ROUTES************************** DST/MASK DEV GATEWAY 192.168.0.0/0 eth0 169.254.0.0/0 eth0在上面的输出中,你可以看到上述清单列出了你系统中的已经启用的接口及它们相应的路由。(译注:这样你就知道可以通过这些接口扫描哪些网络了)
18. 扫描特定端口nmap使用不同的选项来发现远程机器上的端口。你可以用“-p”选项指定你想扫描的TCP端口。默认上,nmap只会扫描TCP端口。
[root@server1 ~]# nmap -p 80 server2.tecmint.com Starting Nmap 4.11 ( ) at 2013-11-11 17:12 EST Interesting ports on server2.tecmint.com (192.168.0.101): PORT STATE SERVICE 80/tcp open http MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) sca 19. 扫描TCP端口当然,你可以指定nmap扫描的端口类型(TCP或UDP)和端口号。
[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.com Starting Nmap 4.11 ( ) at 2013-11-11 17:15 EST Interesting ports on server2.tecmint.com (192.168.0.101): PORT STATE SERVICE 80/tcp open http 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds 20. 扫描UDP端口 [root@server1 ~]# nmap -sU 53 server2.tecmint.com Starting Nmap 4.11 ( ) at 2013-11-11 17:15 EST Interesting ports on server2.tecmint.com (192.168.0.101): PORT STATE SERVICE 53/udp open http 8888/udp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds 21. 扫描多个端口你可以使用“-p”选项来指定多个要扫描的端口。
[root@server1 ~]# nmap -p 80,443 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-18 10:56 EST Interesting ports on server2.tecmint.com (192.168.0.101): PORT STATE SERVICE 80/tcp open http 443/tcp closed https MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.190 seconds 22. 扫描网络的端口范围你也可以使用表达式指定扫描端口的范围。
[root@server1 ~]# nmap -p 80-160 192.168.0.101 23. 找出主机服务版本号我们可以使用“-sV”选项找出远程主机上运行的服务及其版本号。
[root@server1 ~]# nmap -sV 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-11 17:48 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 80/tcp open http Apache httpd 2.2.3 ((CentOS)) 111/tcp open rpcbind 2 (rpc #100000) 957/tcp open status 1 (rpc #100024) 3306/tcp open mysql MySQL (unauthorized) 8888/tcp open http lighttpd 1.4.32 MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds 24. 使用 TCP ACK (PA) 和 TCP Syn (PS) 扫描远程主机有时包过滤防火墙阻止了标准ICMPping请求,在这个情况下,我们可以使用TCP ACK和TCP Syn方法来扫描远程主机。
[root@server1 ~]# nmap -PS 192.168.0.101 Starting Nmap 4.11 ( ) at 2013-11-11 17:51 EST Interesting ports on server2.tecmint.com (192.168.0.101): Not shown: 1674 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 957/tcp open unknown 3306/tcp open mysql 8888/tcp open sun-answerbook MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 1 IP address (1 host up) scanned in 0.360 seconds You have new mail in /var/spool/mail/root