Nmap Network Diagnostic Tool: Basic Usage Tips and Tutorial
Nmap is an open-source network scanning and probing tool that lets a network administrator scan an entire subnet, or the ports of a single host, and it is very powerful.
Nmap (Network Mapper) is an open-source network inspection tool with a very rich feature set. This page collects many usage examples so that beginners can get up to speed quickly.
Installation
Most Linux distributions ship Nmap in their official package repositories. On a Red Hat-family Linux, install it with yum:
sudo yum install nmap
On a Debian-family Linux, use apt instead:
sudo apt-get install nmap
Basic host scan
The most basic use of Nmap is to check whether a host is up and which ports it has open:
nmap www.hinet.net
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:09 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0034s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 6.05 seconds
You can also specify the host to scan directly by its IP address:
nmap 202.39.253.11
Adding the -v option produces more detailed output:
nmap -v www.hinet.net
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:32 CST
Initiating Ping Scan at 08:32
Scanning www.hinet.net (202.39.253.11) [2 ports]
Completed Ping Scan at 08:32, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:32
Completed Parallel DNS resolution of 1 host. at 08:32, 0.00s elapsed
Initiating Connect Scan at 08:32
Scanning www.hinet.net (202.39.253.11) [1000 ports]
Discovered open port 80/tcp on 202.39.253.11
Completed Connect Scan at 08:32, 4.81s elapsed (1000 total ports)
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0044s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.13 seconds
Scanning multiple hosts
To scan several hosts at once, simply list all of the host names as arguments to nmap:
nmap www.hinet.net tw.yahoo.com www.google.com.tw
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:36 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0038s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
Nmap scan report for tw.yahoo.com (202.43.192.109)
Host is up (0.0046s latency).
rDNS record for 202.43.192.109: ir1.fp.vip.tw1.yahoo.com
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
443/tcp open https
Nmap scan report for www.google.com.tw (74.125.31.94)
Host is up (0.011s latency).
rDNS record for 74.125.31.94: tb-in-f94.1e100.net
Not shown: 997 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
443/tcp open https
Nmap done: 3 IP addresses (3 hosts up) scanned in 9.97 seconds
You can also use a wildcard to scan an entire subnet at once:
nmap 192.168.0.*
or, in CIDR notation:
nmap 192.168.0.0/24
To scan just the three hosts 192.168.0.123, 192.168.0.124 and 192.168.0.125, write:
nmap 192.168.0.123,124,125
To scan a contiguous range within a subnet, write:
nmap 192.168.0.123-140
Specifying hosts from a file
nmap can also read the hosts to scan from a file. Suppose we have a host list file hostlist.txt with the following content:
www.hinet.net
192.168.0.123
www.google.com.tw
We can then have nmap read this file directly and scan the hosts it lists:
nmap -iL hostlist.txt
Excluding specific hosts
To scan an entire network but leave out certain machines, use the --exclude option:
nmap 192.168.0.* --exclude 192.168.0.100
When the hosts come from a file, you can likewise use --excludefile to point at a file listing the hosts to exclude:
nmap -iL hostlist.txt --excludefile excludelist.txt
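The target notation used above (wildcards, comma-separated octets, octet ranges, CIDR blocks and --exclude) is easy to misjudge, so here is an added example, not part of the original tutorial, that expands a target spec the way Nmap does and shows exactly which addresses an authorized scan would touch once exclusions are applied. The function names are my own.

```python
# Expand Nmap-style IPv4 target specs (wildcard, octet lists, octet ranges, CIDR)
# so the exact scope of a scan, minus --exclude entries, can be reviewed before running it.
import ipaddress

NUMERIC = set("0123456789.,-*")   # anything outside this set is treated as a hostname


def _expand_octet(part):
    """One dotted-quad component: '*', 'a-b', 'a,b,c', '-20', '200-' or a single value."""
    values = []
    for item in part.split(","):
        if item == "*":
            values.extend(range(256))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 0       # Nmap allows open-ended ranges such as '-20'
            hi = int(hi) if hi else 255     # and '200-'
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range: {item}")
            values.extend(range(lo, hi + 1))
        else:
            values.append(int(item))
    return values


def expand_targets(spec):
    """Return the addresses (as strings) one target spec covers; hostnames pass through."""
    if "/" in spec:                         # CIDR form, e.g. 192.168.0.0/24 (256 addresses)
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    if not set(spec) <= NUMERIC:
        return [spec]                       # a hostname such as www.hinet.net
    octets = [_expand_octet(p) for p in spec.split(".")]
    if len(octets) != 4 or any(v < 0 or v > 255 for o in octets for v in o):
        raise ValueError(f"not an IPv4 target spec: {spec}")
    return [f"{a}.{b}.{c}.{d}"
            for a in octets[0] for b in octets[1] for c in octets[2] for d in octets[3]]


def in_scope(specs, excludes=()):
    """Addresses that `nmap <specs> --exclude <excludes>` would actually probe, in order."""
    excluded = set()
    for e in excludes:
        excluded.update(expand_targets(e))
    return [ip for s in specs for ip in expand_targets(s) if ip not in excluded]
```

Writing the result of in_scope to a file and passing it with -iL gives a scan whose scope has been reviewed line by line beforehand.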
Detecting the operating system version
To detect the host's operating system and the versions of its services, add the -A option:
nmap -A scanme.nmap.org
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 09:37 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
53/tcp filtered domain
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open nping-echo Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.98 seconds
Three things to note in this output:
(1) The SSH server version (the 22/tcp line).
(2) The Apache server version (the 80/tcp line).
(3) The operating system type (the Service Info line).
If you only need operating system information, use the -O option:
nmap -O scanme.nmap.org
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 09:44 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp filtered domain
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open nping-echo
Aggressive OS guesses: Linux 2.6.32 - 3.9 (98%), Linux 2.6.38 - 3.0 (97%), Linux 2.6.32 - 2.6.39 (97%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.32 - 3.2 (95%), Linux 3.0 - 3.9 (95%), Linux 3.2 (95%), Linux 2.6.32 - 3.6 (95%), Linux 3.1 (95%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
If you only need the service versions, use -sV:
nmap -sV scanme.nmap.org
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 13:16 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1105/tcp filtered ftranhc
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open nping-echo Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.03 seconds
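To turn scan reports like the ones above into something that can be checked against an expected service inventory, here is an added example (not code from the original page) that parses Nmap's normal output into per-host port rows, including the VERSION column from -sV, and flags open ports that are missing from a per-IP allow list. The function names and the allow-list format are my own assumptions, and the sample input is constructed from the -sV report above.

```python
# Parse Nmap's normal (human-readable) output into per-host port tables.
import re

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Return one dict per 'Nmap scan report' block: host, ip, up flag and port rows."""
    hosts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):            # 'Nmap scan report for host (ip)' or a bare ip
            current = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                       "up": False, "ports": []}
            hosts.append(current)
        elif current is None:
            continue                            # banner lines before the first report
        elif line.startswith("Host is up"):
            current["up"] = True
        elif m := PORT_RE.match(line):          # NSE script lines start with '|' and do not match
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4),
                                     "version": (m.group(5) or "").strip()})
    return hosts


def open_ports(hosts):
    """Flatten to (ip, 'port/proto', service, version) for every port reported open."""
    return [(h["ip"], f"{p['port']}/{p['proto']}", p["service"], p["version"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def unexpected_open(hosts, allowed):
    """Open ports missing from a per-IP allow list such as {'74.207.244.221': {'22/tcp'}}."""
    return [e for e in open_ports(hosts) if e[1] not in allowed.get(e[0], set())]


# Constructed sample input, shortened from the -sV scan of scanme.nmap.org shown above.
SAMPLE = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 13:16 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http       Apache httpd 2.2.14 ((Ubuntu))
9929/tcp open     nping-echo Nping echo
Nmap done: 1 IP address (1 host up) scanned in 48.03 seconds
"""
```

Feeding a saved scan (nmap ... -oN scan.txt) through parse_nmap_output and unexpected_open turns a periodic scan into a drift check: any open port that is not on the allow list is something to investigate.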
Testing whether a host has a firewall
Nmap can use a TCP ACK scan to detect whether a host has a firewall enabled. An ACK scan does not report ports as open or closed; it reports them as filtered or unfiltered, so a result of "unfiltered" means the probes reached the port without being dropped by a stateful filter:
nmap -sA scanme.nmap.org
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:17 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
All 1000 scanned ports on scanme.nmap.org (74.207.244.221) are unfiltered
Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds
Scanning a host behind a firewall
To scan a host that is protected by a firewall, skip host discovery with -PN (also spelled -Pn in newer versions); Nmap then treats the host as online and port-scans it even if it does not answer pings:
nmap -PN scanme.nmap.org
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:24 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp filtered domain
80/tcp open http
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open nping-echo
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds
Detecting hosts that are up
To scan an entire network and find every host that is up (a ping scan), without scanning any ports:
nmap -sP 140.115.35.0/24
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 11:06 CST
Nmap scan report for mail.atm.ncu.edu.tw (140.115.35.1)
Host is up (0.0018s latency).
Nmap scan report for rain.atm.ncu.edu.tw (140.115.35.4)
Host is up (0.0015s latency).
Nmap scan report for iut.atm.ncu.edu.tw (140.115.35.5)
Host is up (0.0017s latency).
[omitted]
Nmap scan report for 140.115.35.254
Host is up (0.0047s latency).
Nmap done: 256 IP addresses (117 hosts up) scanned in 3.00 seconds
Fast scan
To speed up a scan, -F scans only the 100 most common ports instead of the default 1000:
nmap -F www.hinet.net
The output is:
Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:55 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0034s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 98 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
Another approach is the most aggressive timing template, -T5, which trades accuracy for speed on slow or lossy networks:
nmap -T5 192.168.1.0/24
Specifying the ports to scan
Scan port 80:
nmap -p 80 192.168.1.1
Specify TCP port 80:
nmap -p T:80 192.168.1.1
Specify UDP port 53:
nmap -p U:53 192.168.1.1
Scan two ports:
nmap -p 80,443 192.168.1.1
Specify a port range:
nmap -p 80-200 192.168.1.1
Combining the different forms (note that UDP ports are only probed when a UDP scan such as -sU is requested):
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
Scan the 10 most commonly used ports:
nmap --top-ports 10 192.168.1.1
Listing host names
To only list the host names (via reverse DNS) in a network, without any host or port probing:
nmap -sL 192.168.1.0/24