
Nmap Network Diagnostic Tool: Basic Usage and Tutorial

Nmap is an open-source network scanning and probing tool that lets network administrators scan the ports of an entire subnet or of individual hosts; its feature set is very powerful.

Nmap (Network Mapper) is an open-source network probing tool with a very rich feature set. This page collects many usage examples so that beginners can get started quickly.


Installation

Most Linux distributions ship Nmap in their official package repositories. On Red Hat-based systems, install it with yum:

sudo yum install nmap

On Debian-based systems, use apt:

sudo apt-get install nmap

Basic host scan

The most basic use of Nmap is to check whether a host is up and which ports it has open:

nmap www.hinet.net

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:09 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0034s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 6.05 seconds

You can also specify the target host directly by IP address:

nmap 202.39.253.11

Adding the -v flag produces more detailed output:

nmap -v www.hinet.net

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:32 CST
Initiating Ping Scan at 08:32
Scanning www.hinet.net (202.39.253.11) [2 ports]
Completed Ping Scan at 08:32, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:32
Completed Parallel DNS resolution of 1 host. at 08:32, 0.00s elapsed
Initiating Connect Scan at 08:32
Scanning www.hinet.net (202.39.253.11) [1000 ports]
Discovered open port 80/tcp on 202.39.253.11
Completed Connect Scan at 08:32, 4.81s elapsed (1000 total ports)
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0044s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.13 seconds

Scanning multiple hosts

To scan several hosts at once, simply list all of the hostnames as arguments to nmap:

nmap www.hinet.net tw.yahoo.com www.google.com.tw

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 08:36 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0038s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
Nmap scan report for tw.yahoo.com (202.43.192.109)
Host is up (0.0046s latency).
rDNS record for 202.43.192.109: ir1.fp.vip.tw1.yahoo.com
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
443/tcp open   https
Nmap scan report for www.google.com.tw (74.125.31.94)
Host is up (0.011s latency).
rDNS record for 74.125.31.94: tb-in-f94.1e100.net
Not shown: 997 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
443/tcp open   https
Nmap done: 3 IP addresses (3 hosts up) scanned in 9.97 seconds
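As an added example (not code from the original article), the following Python parser reads the normal-output format shown above, one "Nmap scan report for" block per host followed by its port table, and compares the open ports of each host against an expected baseline so that drift (a newly opened port, or a host that is not in the inventory at all) can be flagged after a scheduled scan. The sample input is an abridged copy of the three-host output above, and the baseline is constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample: an abridged copy of the three-host output above (two hosts kept).
SAMPLE_OUTPUT = """\
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0038s latency).
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
Nmap scan report for tw.yahoo.com (202.43.192.109)
Host is up (0.0046s latency).
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
443/tcp open   https
Nmap done: 2 IP addresses (2 hosts up) scanned in 9.97 seconds
"""

# "Nmap scan report for host (ip)"; the "(ip)" part is absent when rDNS yields no name.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?$")
# Port table rows such as "80/tcp  open   http"; NSE lines starting with "|" do not match.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_output(text):
    """Return {host: {"ip": ..., "open": {"80/tcp", ...}}} in scan order."""
    hosts, current = OrderedDict(), None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = hosts.setdefault(name, {"ip": ip, "open": set()})
            continue
        m = PORT_RE.match(line)
        if m and current is not None and m.group(3) == "open":
            current["open"].add(f"{m.group(1)}/{m.group(2)}")
    return hosts


def unexpected_open_ports(hosts, baseline):
    """Open ports not in the baseline; an unlisted host has all its open ports flagged."""
    findings = {}
    for name, info in hosts.items():
        extra = info["open"] - baseline.get(name, set())
        if extra:
            findings[name] = sorted(extra, key=lambda p: int(p.split("/")[0]))
    return findings


# Constructed baseline: only HTTP is expected on either host.
BASELINE = {"www.hinet.net": {"80/tcp"}, "tw.yahoo.com": {"80/tcp"}}
```

Running `unexpected_open_ports(parse_nmap_output(SAMPLE_OUTPUT), BASELINE)` reports 443/tcp on tw.yahoo.com as the only deviation from the baseline; the same parser also handles ping-scan output (report blocks with no port table) and reports without an rDNS name.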

You can also use a wildcard to scan an entire subnet:

nmap 192.168.0.*

or

nmap 192.168.0.0/24

To scan the three hosts 192.168.0.123, 192.168.0.124 and 192.168.0.125, you can write:

nmap 192.168.0.123,124,125

To scan a contiguous range of addresses within a subnet:

nmap 192.168.0.123-140

Specifying hosts from a file

nmap can also read the hosts to scan from a file. Suppose we have a host list file hostlist.txt with the following content:

www.hinet.net
192.168.0.123
www.google.com.tw

We can then have nmap read this file directly and scan the hosts listed in it:

nmap -iL hostlist.txt

Excluding specific hosts

To scan a whole network but leave out certain machines, use the --exclude option:

nmap 192.168.0.* --exclude 192.168.0.100

When the hosts are given in a file, --excludefile can likewise point at a file listing the hosts to exclude:

nmap -iL hostlist.txt --excludefile excludelist.txt

Detecting the operating system version

To detect the host's operating system and the versions of its services, add the -A flag (aggressive mode, which enables OS detection, version detection, script scanning and traceroute in one step):

nmap -A scanme.nmap.org

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 09:37 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)   (1)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
53/tcp   filtered domain
80/tcp   open     http         Apache httpd 2.2.14 ((Ubuntu))   (2)
|_http-title: Go ahead and ScanMe!
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open     nping-echo   Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel   (3)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.98 seconds

(1) SSH server version.

(2) Apache server version.

(3) Operating system type.

If you only need the operating system information, use the -O flag:

nmap -O scanme.nmap.org

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 09:44 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   filtered domain
80/tcp   open     http
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open     nping-echo
Aggressive OS guesses: Linux 2.6.32 - 3.9 (98%), Linux 2.6.38 - 3.0 (97%), Linux 2.6.32 - 2.6.39 (97%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.32 - 3.2 (95%), Linux 3.0 - 3.9 (95%), Linux 3.2 (95%), Linux 2.6.32 - 3.6 (95%), Linux 3.1 (95%), AXIS 210A or 211 Network Camera (Linux 2.6) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds

If you only need the service versions:

nmap -sV scanme.nmap.org

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 13:16 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 5.3p1 Debian 3ubuntu7.1 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http         Apache httpd 2.2.14 ((Ubuntu))
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1105/tcp filtered ftranhc
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open     nping-echo   Nping echo
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.03 seconds

Testing whether a host has a firewall

Nmap can use a TCP ACK scan to detect whether a host has a firewall enabled:

nmap -sA scanme.nmap.org

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:17 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
All 1000 scanned ports on scanme.nmap.org (74.207.244.221) are unfiltered
Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds

Here all 1000 ports are reported as unfiltered: each one answered the unsolicited ACK with a RST, so no stateful firewall is dropping traffic to them. Ports that stayed silent would be reported as filtered. Note that an ACK scan only tells filtered from unfiltered; it cannot tell whether an unfiltered port is open or closed.

Scanning a host behind a firewall

To scan a host protected by a firewall, skip the host-discovery ping so that a host which drops ping probes is still port-scanned (-PN is the older spelling of -Pn; both are accepted):

nmap -PN scanme.nmap.org

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:24 CST
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
Not shown: 990 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   filtered domain
80/tcp   open     http
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
9929/tcp open     nping-echo
Nmap done: 1 IP address (1 host up) scanned in 16.99 seconds

Detecting hosts that are up

Scan an entire network and find all hosts that are up, without port-scanning them (a ping scan; -sP is the older spelling of -sn):

nmap -sP 140.115.35.0/24

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 11:06 CST
Nmap scan report for mail.atm.ncu.edu.tw (140.115.35.1)
Host is up (0.0018s latency).
Nmap scan report for rain.atm.ncu.edu.tw (140.115.35.4)
Host is up (0.0015s latency).
Nmap scan report for iut.atm.ncu.edu.tw (140.115.35.5)
Host is up (0.0017s latency).
[omitted]
Nmap scan report for 140.115.35.254
Host is up (0.0047s latency).
Nmap done: 256 IP addresses (117 hosts up) scanned in 3.00 seconds

Fast scan

To speed up a scan, -F (fast mode) probes only the 100 most common ports instead of the default 1000:

nmap -F www.hinet.net

The output is:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-10-02 10:55 CST
Nmap scan report for www.hinet.net (202.39.253.11)
Host is up (0.0034s latency).
rDNS record for 202.39.253.11: 202-39-253-11.HINET-IP.hinet.net
Not shown: 98 filtered ports
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed ident
Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Another way is to use the most aggressive timing template, -T5 (this trades accuracy for speed and may miss results on slow or lossy networks):

nmap -T5 192.168.1.0/24

Specifying the ports to scan

Scan port 80:

nmap -p 80 192.168.1.1

Specify TCP port 80:

nmap -p T:80 192.168.1.1

Specify UDP port 53 (UDP ports in the list are only actually probed when a UDP scan is also requested with -sU, as in the last command below):

nmap -p U:53 192.168.1.1

Scan two ports:

nmap -p 80,443 192.168.1.1

Specify a port range:

nmap -p 80-200 192.168.1.1

Combining the various options:

nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254

Scan the 10 most commonly used ports:

nmap --top-ports 10 192.168.1.1

Looking up hostnames

Only list the hostnames of all addresses in the network (a list scan, which performs reverse DNS lookups only), without any host or port probing:

nmap -sL 192.168.1.0/24
