Common nmap options
且任容枯 Lv4

Target specification
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile : Exclude list from file
Notes:
  -iL: import the scan targets from a file listing host addresses
  -iR: pick random targets to scan; num hosts is the number of targets, and 0 means scan without end
  --exclude: exclude the specified hosts/networks
  --excludefile: exclude the addresses listed in a file
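The target notation above (CIDR, per-octet ranges such as 10.0.0-255.1-254, hostnames) is easy to get wrong, and a typo can push a scan outside the range you are authorized to touch. As an added example (not code from the original post), here is a Python expander for that notation plus a check that every literal address stays inside an allow-list of CIDR blocks; hostnames are reported because the script does no DNS. The allow-list values are constructed.

```python
import ipaddress
import itertools
import re
from typing import Iterable, Iterator, List

# One octet field: '1', '1-254', bare '-' (0-255), or a comma list of those.
_OCTET_FIELD = re.compile(r"^(\d{1,3}|\d{0,3}-\d{0,3})(,(\d{1,3}|\d{0,3}-\d{0,3}))*$")

def _expand_octet(field: str) -> List[int]:
    """Expand one octet field such as '1', '1-254', '-' or '0,5,10-12'."""
    values = set()
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo, hi = int(lo or 0), int(hi or 255)  # missing bound -> 0 or 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range: {field!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)

def expand_target(spec: str) -> Iterator[str]:
    """Yield every address in one nmap-style spec: CIDR, octet ranges, or a hostname (as-is)."""
    if "/" in spec:
        # nmap scans the whole block, network and broadcast addresses included
        for addr in ipaddress.ip_network(spec, strict=False):
            yield str(addr)
        return
    fields = spec.split(".")
    if len(fields) == 4 and all(_OCTET_FIELD.match(f) for f in fields):
        for octets in itertools.product(*(_expand_octet(f) for f in fields)):
            yield ".".join(map(str, octets))
        return
    yield spec

def out_of_scope(specs: Iterable[str], authorized: Iterable[str]) -> List[str]:
    """Targets in `specs` not covered by the `authorized` CIDR blocks; hostnames always count."""
    allowed = [ipaddress.ip_network(n, strict=False) for n in authorized]
    bad = []
    for spec in specs:
        for target in expand_target(spec):
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                bad.append(target)  # hostname: cannot be verified offline
                continue
            if not any(addr in net for net in allowed):
                bad.append(target)
    return bad
```

Run out_of_scope over the exact argument list you intend to hand to nmap; an empty result means every literal address is inside the authorized blocks.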

Host discovery
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers (use your own name servers for resolution)
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host (route)
Notes:
  -sL: list scan; only enumerates the specified target IPs and does no host discovery
  -sn: same as -sP; uses only a ping scan to discover hosts and does not scan the targets' ports
  -Pn: treats all specified hosts as up and skips the host discovery phase

Port scanning
Port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect() (connect scan)/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b : FTP bounce scan

Port specification and scan order
PORT SPECIFICATION AND SCAN ORDER:
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports : Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan (fast scan: the 100 most common ports)
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan most common ports
  --port-ratio : Scan ports more common than
Notes:
  -p: specify the ports to scan
  -p: also selects the protocol to scan, using the U:, T: and S: prefixes shown in the example above

Service and version scanning
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

Script scanning (see the "nmap-script usage guide")
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=: is a comma separated list of directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=: Show help about scripts. is a comma-separated list of script-files or script-categories.

OS detection
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

Timing and performance
TIMING AND PERFORMANCE:
  Options which take are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup : Parallel host scan group sizes
  --min-parallelism/max-parallelism : Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout : Specifies probe round trip time.
  --max-retries : Caps number of port scan probe retransmissions.
  --host-timeout : Give up on target after this long
  --scan-delay/--max-scan-delay : Adjust delay between probes
  --min-rate : Send packets no slower than per second
  --max-rate : Send packets no faster than per second

Firewall/IDS evasion and spoofing
FIREWALL/IDS EVASION AND SPOOFING:
  -f (fragment packets); --mtu (use the specified MTU): fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S : Spoof source address
  -e : Use specified interface
  -g/--source-port : Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data : Append a custom payload to sent packets
  --data-string : Append a custom ASCII string to sent packets
  --data-length : Append random data to sent packets
  --ip-options : Send packets with specified ip options
  --ttl : Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

Output options
OUTPUT:
  -oN/-oX/-oS/-oG : Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename.
  -oA : Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume : Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
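The grepable (-oG) format above is the easiest one to post-process. As an added example (not code from the original post), here is a Python parser that reads a constructed -oG sample, including a filtered port and a host with no recorded hostname, and reports every open port not present in a per-host baseline, which is the check a defender runs after an authorized scan of their own network.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -sV -oG` output (not a real scan). Fields within a line
# are tab-separated; each port entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.168.0.0/28
Host: 192.168.0.10 (web.example.test)\tStatus: Up
Host: 192.168.0.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.0.11 ()\tStatus: Up
Host: 192.168.0.11 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (999)
# Nmap done -- 16 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

@dataclass
class PortEntry:
    port: int
    state: str
    proto: str
    service: str
    version: str

def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Map each host IP to its port entries, reading only the 'Ports:' lines."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue  # comments and 'Status:' lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        entries = []
        for item in fields["Ports"].split(", "):
            p = item.split("/")  # 7 fields plus the empty piece after the trailing '/'
            entries.append(PortEntry(int(p[0]), p[1], p[2], p[4], p[6]))
        hosts.setdefault(ip, []).extend(entries)
    return hosts

def unexpected_open_ports(hosts: Dict[str, List[PortEntry]],
                          baseline: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Open ports the per-host baseline does not allow; hosts missing from it allow none."""
    findings = []
    for ip, entries in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for e in entries:
            if e.state == "open" and e.port not in allowed:
                findings.append((ip, e.port, e.service))
    return findings
```

Only the open state is compared against the baseline, so filtered ports (3306 in the sample) are parsed but not reported.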

Common scanning tips
1 Scan a single target host: nmap ip/dns

2 Scan an entire subnet: nmap 192.168.0.1/24

3 Scan multiple targets: nmap ip1 ip2 dns1 dns2

4 Scan a range: nmap 192.168.1-100

5 Import an IP list: nmap -iL ip.txt

6 List the target addresses without scanning them: nmap -sL 192.168.0.1/24

7 Scan a specific port: nmap -p port