Common Nmap options
-A: Enable OS detection, version detection, script scanning, and traceroute (this turns on many probes at once, so it is noisy and easily detected by the target; prefer the individual options below once you know what you need)
root@bt:~# nmap -A 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 09:52 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00045s latency). ######### host discovery: the host answered, so it is treated as alive
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0) ###################### port, state, service and version banner (the service column is guessed from the port number, the version column comes from the -sV probes)
| ssh-hostkey: 1024 fb:11:7d:63:2b:8f:26:50:24:b7:c3:5b:86:b0:79:84 (DSA)
|_2048 e8:db:be:cb:af:e9:e8:62:d3:bf:87:72:fd:f8:c9:a1 (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: mail.hnyckj.f3322.org, PIPELINING, SIZE 10485760, VRFY, ETRN, STARTTLS, AUTH LOGIN PLAIN, AUTH=LOGIN PLAIN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=localhost/organizationName=ExtMail Server/stateOrProvinceName=GZ/countryName=CN
| Not valid before: 2015-06-15T14:06:27+00:00
|_Not valid after: 2016-06-14T14:06:27+00:00
|_ssl-date: 2015-06-19T21:53:10+00:00; +8h00m00s from local time.
80/tcp open http Apache httpd 2.2.15 ((Scientific Linux))
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Courier pop3d
|_pop3-capabilities: TOP STLS LOGIN-DELAY(10) UIDL USER PIPELINING IMPLEMENTATION(Courier Mail Server)
143/tcp open imap Courier Imapd (released 2010)
|_imap-capabilities: completed CHILDREN OK QUOTA STARTTLSA0001 IDLE UIDPLUS THREAD=REFERENCES ACL SORT ACL2=UNION THREAD=ORDEREDSUBJECT CAPABILITY NAMESPACE IMAP4rev1
443/tcp closed https
993/tcp open ssl/imap Courier Imapd (released 2010)
|_imap-capabilities: completed CHILDREN AUTH=PLAIN QUOTA ACL2=UNIONA0001 OK UIDPLUS THREAD=REFERENCES ACL SORT IDLE THREAD=ORDEREDSUBJECT CAPABILITY NAMESPACE IMAP4rev1
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Not valid before: 2015-06-15T14:07:31+00:00
|_Not valid after: 2016-06-14T14:07:31+00:00
995/tcp open ssl/pop3 Courier pop3d
|_pop3-capabilities: TOP LOGIN-DELAY(10) UIDL USER PIPELINING IMPLEMENTATION(Courier Mail Server)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Not valid before: 2015-06-15T14:07:31+00:00
|_Not valid after: 2016-06-14T14:07:31+00:00
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
MAC Address: 00:0C:29:79:E1:43 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 ####### operating system and kernel version (a fingerprint guess, see -O below)
OS details: Linux 2.6.22 - 2.6.36
Network Distance: 1 hop
Service Info: Host: mail.hnyckj.f3322.org; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.45 ms 192.168.0.99
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.89 seconds
-T (0-5) timing template: 0 is the slowest and most cautious; 5 is the fastest and most aggressive (and the easiest to detect, and on a lossy link it also drops probes and misreports ports). -T3 is the default; -T4 is the usual choice on a reliable LAN
root@bt:~# nmap -T5 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:02 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00026s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp closed https
993/tcp open imaps
995/tcp open pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.55 seconds
-p port range (here 1-1000, which happens to match the default of the 1000 most common ports; use -p- for all 65535 ports, and -p 22,80,443 for a list)
root@bt:~# nmap -p 1-1000 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:07 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00033s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp closed https
993/tcp open imaps
995/tcp open pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds
-O OS detection (TCP/IP stack fingerprinting; needs at least one open and one closed port to give reliable results, otherwise nmap only guesses, as the output below shows)
root@bt:~# nmap -O 192.168.0.99
...
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (98%), HP embedded (94%), Ubiquiti Linux 2.6.X (93%), Check Point embedded (91%), Sony embedded (90%), Cisco Linux 2.6.X (89%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:3 cpe:/o:ubiquiti:linux:2.6.32 cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.6.34 cpe:/o:sony:smp-n200 cpe:/o:cisco:linux:2.6
Aggressive OS guesses: Linux 2.6.22 - 2.6.36 (98%), Linux 2.6.32 (96%), Linux 2.6.23 - 2.6.38 (95%), Linux 2.6.31 - 2.6.35 (95%), Linux 2.6.9 - 2.6.27 (95%), Linux 2.6.39 (95%), HP P2000 G3 NAS device (94%), Linux 2.6.32 - 2.6.35 (93%), Linux 2.6.24 - 2.6.36 (93%), Linux 3.1 - 3.4 (93%)
No exact OS matches for host (test conditions non-ideal).
-sV service and version detection (talks to each open port and matches the banner against the nmap-service-probes database; this is what fills the VERSION column)
root@bt:~# nmap -sV 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:19 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00030s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.15 ((Scientific Linux))
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2010)
443/tcp closed https
993/tcp open ssl/imap Courier Imapd (released 2010)
995/tcp open ssl/pop3 Courier pop3d
MAC Address: 00:0C:29:79:E1:43 (VMware)
Service Info: Host: mail.hnyckj.f3322.org; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.96 seconds
-Pn skip host discovery and treat every target as online; it can be combined with any scan type (useful when the target drops ping and nmap would otherwise report it as down)
-sA ACK scan: sends bare ACK packets. It cannot tell whether a port is open: both open and closed ports reply with a RST and are reported as "unfiltered", while ports that give no answer (or an ICMP unreachable) are "filtered". Its purpose is to map firewall rules, not to find services
root@bt:~# nmap -Pn -sA 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:31 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00028s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
22/tcp unfiltered ssh
25/tcp unfiltered smtp ##### host discovery was skipped: -Pn told nmap to treat the host as online
80/tcp unfiltered http
110/tcp unfiltered pop3
143/tcp unfiltered imap
443/tcp unfiltered https ##### closed in the SYN scan, but "unfiltered" here: the ACK scan only sees that a RST came back, not whether anything listens
993/tcp unfiltered imaps
995/tcp unfiltered pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds
-sS TCP SYN scan ("half-open" scan): sends a SYN, classifies the port from the SYN/ACK or RST reply, and never completes the handshake, so the target application does not see a connection and usually does not log one. It is fast and less visible to application logs than a full connect scan (-sT), but any firewall or IDS sees it easily. It needs raw-socket privileges and is already nmap's default scan type when run as root, which is why this output matches the plain scans above; add it explicitly anyway so the scan type does not silently change when run as an unprivileged user
root@bt:~# nmap -sS -Pn 192.168.0.99
Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:37 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00026s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp closed https
993/tcp open imaps
995/tcp open pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.02 seconds
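Putting the options together: instead of one noisy -A run, a practitioner usually does a quick SYN sweep first (-sS -Pn, optionally -T4), then runs -sV only against the ports that answered, and compares an ACK scan with the SYN scan port by port to see what a firewall is doing. The POSIX shell script below is an added example for these notes, not part of the original post. The two reports embedded in it are constructed from the -sS and -sA output shown above (whitespace re-aligned) so that it runs offline without nmap or a target; the stage-2 command it prints is a suggested follow-up, not something the notes ran.

```shell
#!/bin/sh
# Added example, not from the original notes. Post-process nmap's normal
# output: (1) turn a stage-1 SYN sweep into a targeted stage-2 -sV command,
# (2) join a SYN scan and an ACK scan per port to read the firewall's behaviour.
# The reports below are constructed from the scan output in the notes.

SYN_SCAN='Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:37 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00026s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
993/tcp open   imaps
995/tcp open   pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)'

ACK_SCAN='Starting Nmap 6.25 ( http://nmap.org ) at 2015-06-19 10:31 EDT
Nmap scan report for 192.168.0.99
Host is up (0.00028s latency).
Not shown: 992 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
80/tcp  unfiltered http
110/tcp unfiltered pop3
143/tcp unfiltered imap
443/tcp unfiltered https
993/tcp unfiltered imaps
995/tcp unfiltered pop3s
MAC Address: 00:0C:29:79:E1:43 (VMware)'

# port_states REPORT: print "port state" for every port line of a normal-format
# nmap report (lines starting with e.g. "22/tcp"); NSE output lines are skipped.
port_states() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { sub(/\/[a-z]+$/, "", $1); print $1, $2 }'
}

# open_port_list REPORT: comma-separated open ports, the form `nmap -p` accepts.
open_port_list() {
    port_states "$1" | awk '$2 == "open" { printf "%s%s", sep, $1; sep = "," } END { print "" }'
}

# stage2_command REPORT TARGET: version detection limited to the ports that were
# open in the stage-1 sweep, instead of -A against the whole host.
stage2_command() {
    printf 'nmap -sS -Pn -sV -p %s %s\n' "$(open_port_list "$1")" "$2"
}

# firewall_map SYN_REPORT ACK_REPORT: join the two scans per port.
#   ACK unfiltered + SYN open   -> probes reach the host and a service listens
#   ACK unfiltered + SYN closed -> probes reach the host, nothing listens (RST)
#   ACK filtered (not listed)   -> a firewall is dropping the probes
firewall_map() {
    port_states "$1" | while read -r port syn; do
        ack=$(port_states "$2" | awk -v p="$port" '$1 == p { print $2 }')
        ack=${ack:-filtered}   # ports absent from the ACK report fell under "Not shown: filtered"
        case "$ack:$syn" in
            unfiltered:open)   verdict="reachable, service listening" ;;
            unfiltered:closed) verdict="reachable, no listener" ;;
            *)                 verdict="firewalled" ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$port" "$syn" "$ack" "$verdict"
    done
}

stage2_command "$SYN_SCAN" 192.168.0.99
firewall_map "$SYN_SCAN" "$ACK_SCAN"
```

In practice the stage-1 report comes from `nmap -sS -Pn -T4 -oN stage1.txt 192.168.0.99` (the -oN file has the same layout as the terminal output parsed here), and the resulting stage-2 command touches only seven ports with version probes rather than every port the -A run would script against; the firewall_map output makes the 443/tcp case explicit: unfiltered in the ACK scan, closed in the SYN scan, so the packet reached the host and was refused rather than dropped.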