nmap命令:端口扫描工具¶
简单使用:
nmap <host>
备注
CentOS使用nmap-ncat.x86_64软件的, nmap与nc命令一样. 而原始的nmap命令是要安装nmap.x86_64软件
//进行ping扫描,打印出对扫描做出响应的主机,不做进一步测试(如端口扫描或者操作系统探测)
nmap -sP 192.168.1.0/24
//仅列出指定网络上的每台主机,不发送任何报文到目标主机
nmap -sL 192.168.1.0/24
//使用UDP ping探测主机
nmap -PU 192.168.1.0/24
//【常用】SYN扫描,又称为半开放扫描,它不打开一个完全的TCP连接,执行得很快
nmap -sS 192.168.1.0/24
//【常用】当SYN扫描不能用时,TCP Connect()扫描就是默认的TCP扫描
nmap -sT 192.168.1.0/24
//UDP扫描用-sU选项,UDP扫描发送空的(没有数据)UDP报头到每个目标端口
nmap -sU 192.168.1.0/24
//扫描主机scanme.nmap.org中 所有的保留TCP端口。选项-v启用细节模式
nmap -sS -O scanme.nmap.org/24
其他选项:
-p <port ranges> (只扫描指定的端口)
//将扫描 UDP 端口53,111,和137,同时扫描列出的TCP端口
-p U:53,111,137,T:21-25,80,139,8080
//探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80)
nmap -PS 192.168.1.234
// 确定目标机支持哪些IP协议 (TCP,ICMP,IGMP等):
nmap -sO 192.168.1.19
//探测目标主机的操作系统
nmap -O 192.168.1.19
nmap -A 192.168.1.19
实战¶
察看指定域名支持的 https 加密套件¶
- 命令::
$ nmap -script ssl-enum-ciphers www.zhaoweiguo.com
一种结果: 只支持 TLSv1.2, 且加密套件要求严格:
Starting Nmap 7.40 ( https://nmap.org ) at 2021-09-24 18:10 CST Nmap scan report for www.zhaoweiguo.com (39.107.143.41) Host is up (0.025s latency). Not shown: 999 filtered ports PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A Nmap done: 1 IP address (1 host up) scanned in 8.51 seconds
另一种结果: 各种加密套件都支持:
Starting Nmap 7.40 ( https://nmap.org ) at 2021-09-24 18:09 CST Nmap scan report for www.zhaoweiguo.com (120.26.164.111) Host is up (0.00038s latency). Not shown: 993 closed ports PORT STATE SERVICE 80/tcp open http 111/tcp open rpcbind 443/tcp open https | ssl-enum-ciphers: | TLSv1.0: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | compressors: | NULL | cipher preference: client | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A | TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A | compressors: | NULL | cipher preference: client |_ least strength: A 3306/tcp open mysql 7000/tcp open afs3-fileserver 8080/tcp open http-proxy 8082/tcp open blackice-alerts Nmap done: 1 IP address (1 host up) scanned in 2.76 seconds