Port states
Default states
There are two default port states: open and closed.
open: an application is listening on the port.
closed: the port is closed. Nmap can still reach it and receives the target's response to the probe it sent, but no application is listening on the port.
Firewalls
If some of the target's ports are filtered by router or firewall rules, the scan may report those ports as filtered or unfiltered.
filtered: the port is filtered. Packet filtering prevents the probe from reaching the port, so the port gives no response at all.
unfiltered: the port is not filtered, but Nmap cannot tell whether it is open or closed. This state only appears with a TCP ACK scan; other scan types, such as a SYN scan or a FIN scan, can help determine whether the port is open.
Undetermined
When Nmap cannot determine the state of a port on the target, it reports open|filtered or closed|filtered.
open|filtered: the port is either open or filtered.
closed|filtered: the port is either closed or filtered. This state only appears in an IP ID idle scan.
Specifying ports
Manual specification
In Nmap, the -p option selects the port range to scan.
-p: specifies the ports to scan. The argument can be a single port, a contiguous range, or several ports.
Single port
A single port means scanning one specific, standalone port.
```
# Scan port 80 of the target
$ nmap --packet-trace -p 80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:15 CST
# By default Nmap does host discovery with an ICMP echo request, a TCP SYN, a TCP ACK and an ICMP timestamp request
# ICMP echo
SENT (0.2655s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=37617 seq=0] IP [ttl=58 id=5913 iplen=28 ]
# TCP SYN
SENT (0.2657s) TCP 192.168.43.245:47588 > 121.199.61.226:443 S ttl=52 id=27457 iplen=44 seq=1103784163 win=1024 <mss 1460>
# TCP ACK
SENT (0.2658s) TCP 192.168.43.245:47588 > 121.199.61.226:80 A ttl=46 id=21464 iplen=40 seq=0 win=1024
# ICMP timestamp
SENT (0.2659s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=64165 seq=0 orig=0 recv=0 trans=0] IP [ttl=55 id=22350 iplen=40 ]
# ICMP echo reply received: the target host is up
RCVD (0.2978s) ICMP [121.199.61.226 > 192.168.43.245 Echo reply (type=0/code=0) id=37617 seq=0] IP [ttl=116 id=1697 iplen=28 ]
# Send a TCP SYN to port 80 of the target
SENT (0.4738s) TCP 192.168.43.245:47844 > 121.199.61.226:80 S ttl=52 id=45397 iplen=44 seq=3857280907 win=1024 <mss 1460>
# TCP SYN/ACK received from port 80 of the target: the port is open
RCVD (0.5095s) TCP 121.199.61.226:80 > 192.168.43.245:47844 SA ttl=116 id=1701 iplen=44 seq=1355301614 win=8192 <mss 1400>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# Host is up
Host is up (0.033s latency).
# Port 80 is open
PORT   STATE SERVICE
80/tcp open  http
```
Contiguous ports
A contiguous range is a span of ports; it is specified as a range.
```
# Scan a contiguous range of ports on the target
$ nmap --packet-trace -p75-80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:27 CST
# By default Nmap does host discovery with an ICMP echo request, a TCP SYN, a TCP ACK and an ICMP timestamp request
# ICMP echo
SENT (0.1535s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=47438 seq=0] IP [ttl=53 id=52536 iplen=28 ]
# TCP SYN
SENT (0.1536s) TCP 192.168.43.245:35530 > 121.199.61.226:443 S ttl=54 id=14442 iplen=44 seq=2513491371 win=1024 <mss 1460>
# TCP ACK
SENT (0.1536s) TCP 192.168.43.245:35530 > 121.199.61.226:80 A ttl=47 id=34594 iplen=40 seq=0 win=1024
# ICMP timestamp
SENT (0.1536s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=41255 seq=0 orig=0 recv=0 trans=0] IP [ttl=56 id=62847 iplen=40 ]
# TCP SYN/ACK received: the host is up
RCVD (0.1831s) TCP 121.199.61.226:443 > 192.168.43.245:35530 SA ttl=116 id=3911 iplen=44 seq=200796757 win=8192 <mss 1400>
# Send a TCP SYN to each of ports 75-80 on the target
SENT (0.3439s) TCP 192.168.43.245:35786 > 121.199.61.226:80 S ttl=56 id=42601 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:75 S ttl=54 id=12752 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:77 S ttl=37 id=18918 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3440s) TCP 192.168.43.245:35786 > 121.199.61.226:76 S ttl=53 id=49012 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3441s) TCP 192.168.43.245:35786 > 121.199.61.226:78 S ttl=46 id=61002 iplen=44 seq=45414180 win=1024 <mss 1460>
SENT (0.3442s) TCP 192.168.43.245:35786 > 121.199.61.226:79 S ttl=59 id=36314 iplen=44 seq=45414180 win=1024 <mss 1460>
# SYN/ACK received from port 80 of the target
RCVD (0.3723s) TCP 121.199.61.226:80 > 192.168.43.245:35786 SA ttl=116 id=3915 iplen=44 seq=2276599736 win=8192 <mss 1400>
# Nothing came back from the other ports, so they are probed once more
SENT (1.4648s) TCP 192.168.43.245:35788 > 121.199.61.226:79 S ttl=56 id=35145 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4650s) TCP 192.168.43.245:35788 > 121.199.61.226:78 S ttl=59 id=33782 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4650s) TCP 192.168.43.245:35788 > 121.199.61.226:76 S ttl=37 id=33314 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4651s) TCP 192.168.43.245:35788 > 121.199.61.226:77 S ttl=40 id=47396 iplen=44 seq=45545254 win=1024 <mss 1460>
SENT (1.4651s) TCP 192.168.43.245:35788 > 121.199.61.226:75 S ttl=45 id=40863 iplen=44 seq=45545254 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
# Host is up
Host is up (0.029s latency).
# Ports 75-79 are filtered, port 80 is open
PORT   STATE    SERVICE
75/tcp filtered priv-dial
76/tcp filtered deos
77/tcp filtered priv-rje
78/tcp filtered vettcp
79/tcp filtered finger
80/tcp open     http
```
Multiple ports
To scan ports 21, 25 and 80 the format is "-p21,25,80"; to scan the single port 21 together with the range 80-100 the format is "-p21,80-100".
```
# Scan ports 21, 25 and 80 of the target
$ nmap --packet-trace -p21,25,80 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 11:39 CST
# Host discovery first
SENT (0.1146s) ICMP [192.168.43.245 > 192.168.1.4 Echo request (type=8/code=0) id=22834 seq=0] IP [ttl=59 id=9860 iplen=28 ]
SENT (0.1147s) TCP 192.168.43.245:63801 > 192.168.1.4:443 S ttl=54 id=18425 iplen=44 seq=1162534401 win=1024 <mss 1460>
SENT (0.1148s) TCP 192.168.43.245:63801 > 192.168.1.4:80 A ttl=53 id=44850 iplen=40 seq=0 win=1024
SENT (0.1148s) ICMP [192.168.43.245 > 192.168.1.4 Timestamp request (type=13/code=0) id=27944 seq=0 orig=0 recv=0 trans=0] IP [ttl=47 id=11059 iplen=40 ]
# Host is up
RCVD (0.1151s) TCP 192.168.1.4:80 > 192.168.43.245:63801 R ttl=63 id=1813 iplen=40 seq=1162534401 win=0
# The port scan begins
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:21 S ttl=47 id=25826 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:80 S ttl=49 id=42832 iplen=44 seq=2509442157 win=1024 <mss 1460>
SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:25 S ttl=51 id=30051 iplen=44 seq=2509442157 win=1024 <mss 1460>
RCVD (0.2751s) TCP 192.168.1.4:80 > 192.168.43.245:64057 RA ttl=63 id=1819 iplen=40 seq=0 win=0
RCVD (0.2752s) TCP 192.168.1.4:25 > 192.168.43.245:64057 SA ttl=63 id=1820 iplen=44 seq=3188731922 win=64240 <mss 65495>
RCVD (0.2752s) TCP 192.168.1.4:21 > 192.168.43.245:64057 RA ttl=63 id=1818 iplen=40 seq=0 win=0
Nmap scan report for DIAOAN (192.168.1.4)
# Host is up
Host is up (0.00036s latency).
# Port states
PORT   STATE  SERVICE
21/tcp closed ftp
25/tcp open   smtp
80/tcp closed http
```
Ports of different protocols
Nmap can qualify ports by protocol type; the supported prefixes are T (TCP), U (UDP) and S (SCTP).
```
# Scan UDP ports 53 and 137 together with TCP ports 22 and 80
$ nmap --packet-trace -sU -Pn -sS -p U:53,137,T:22,80 192.168.1.4
# TCP is scanned first
SENT (0.1207s) TCP 192.168.43.245:39528 > 192.168.1.4:80 S ttl=48 id=46666 iplen=44 seq=1735317672 win=1024 <mss 1460>
SENT (0.1208s) TCP 192.168.43.245:39528 > 192.168.1.4:22 S ttl=42 id=59806 iplen=44 seq=1735317672 win=1024 <mss 1460>
RCVD (0.1210s) TCP 192.168.1.4:22 > 192.168.43.245:39528 RA ttl=63 id=1841 iplen=40 seq=0 win=0
RCVD (0.1210s) TCP 192.168.1.4:80 > 192.168.43.245:39528 RA ttl=63 id=1840 iplen=40 seq=0 win=0
# then UDP
SENT (0.2800s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=43 id=6898 iplen=40
SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=46 id=6898 iplen=58
SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=55 id=49237 iplen=78
SENT (0.2804s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=53 id=49237 iplen=78
SENT (0.2805s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=37 id=49237 iplen=78
RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1842 iplen=68 ]
RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1843 iplen=86 ]
RCVD (0.2808s) UDP 192.168.1.4:137 > 192.168.43.245:39784 ttl=63 id=1844 iplen=185
Nmap scan report for 192.168.1.4
Host is up (0.00031s latency).
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  closed http
53/udp  closed domain
137/udp open   netbios-ns
```
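To make the -p grammar used above concrete, here is an added Python parser (our own code, not part of Nmap) that expands a -p argument into (protocol, port) pairs. It handles the single-port, range, list and T:/U:/S: forms shown on this page, and goes one step further by also accepting Nmap's open-ended ranges such as a bare "-" for every port.

```python
import re

PROTO_PREFIX = {'T': 'tcp', 'U': 'udp', 'S': 'sctp'}

def expand_port_spec(spec, default='tcp'):
    """Expand an Nmap -p argument into an ordered list of (protocol, port) pairs.

    Handles the forms on this page: single ports, a-b ranges, comma-separated lists
    and T:/U:/S: prefixes that apply to every following item until the next prefix.
    A missing range end stands for 1 or 65535, so a bare '-' means every port."""
    proto, pairs = default, []
    for item in spec.replace(' ', '').split(','):
        m = re.fullmatch(r'(?:([TUS]):)?(\d*)(?:(-)(\d*))?', item)
        if not item or not m:
            raise ValueError('bad -p item: %r' % item)
        prefix, lo, dash, hi = m.groups()
        if prefix:
            proto = PROTO_PREFIX[prefix]           # the prefix sticks until another one appears
        if dash:
            lo, hi = int(lo or 1), int(hi or 65535)
        elif lo:
            lo = hi = int(lo)
        else:
            continue                               # item was only a prefix such as 'U:'
        if not 0 <= lo <= hi <= 65535:
            raise ValueError('range out of order or outside 0-65535: %r' % item)
        pairs.extend((proto, p) for p in range(lo, hi + 1))
    return pairs
```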
Using preset ports
Default port scan
Nmap ships a service port list file, nmap-services, containing more than 2000 ports. If no -p option is given, the ports in the nmap-services file are scanned by default; if -p is given but no ports are specified, ports 1-1024 plus the ports in the nmap-services list are scanned by default.
Scanning fewer ports
Nmap's -F option scans only the ports in a preset list, so the scan is faster.
```
# Fast port scan of the target
$ nmap -F 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:11 CST
Nmap scan report for 192.168.1.4
Host is up (0.00021s latency).
Not shown: 92 closed tcp ports (reset)
PORT      STATE SERVICE
25/tcp    open  smtp
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10000/tcp open  snet-sensor-mgmt
```
Common port scan
Common ports are well-known TCP/UDP ports such as 21, 22 and 23.
--top-ports: scans the N ports with the highest open rate.
--port-ratio: scans the ports whose open rate is above the given ratio.
```
# Scan the 5 ports with the highest open rate on the target
$ nmap -Pn --top-ports 5 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:15 CST
Nmap scan report for 192.168.1.4
Host is up (0.00037s latency).
PORT    STATE  SERVICE
21/tcp  closed ftp
22/tcp  closed ssh
23/tcp  closed telnet
80/tcp  closed http
443/tcp closed https
```
```
# Scan the ports whose open rate is above 0.2 on the target
$ nmap -Pn --port-ratio 0.2 192.168.1.4
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 12:17 CST
Nmap scan report for 192.168.1.4
Host is up (0.00035s latency).
PORT    STATE  SERVICE
23/tcp  closed telnet
80/tcp  closed http
443/tcp closed https
```
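Both options are driven by the open-frequency column of nmap-services. The following added Python (our own code, not Nmap's) reads lines in that file's format and reproduces the port selection of --top-ports and --port-ratio; the excerpt is constructed for the example and its frequencies are made up, chosen so the selection matches the two scans above.

```python
# Each nmap-services line reads "<service>\t<port>/<proto>\t<open-frequency>\t# comment".
# Constructed excerpt in that format; the frequencies are made up for this example.
SAMPLE_SERVICES = """\
# Fields: service name, port/protocol, open frequency, optional comment
http\t80/tcp\t0.484143\t# World Wide Web HTTP
telnet\t23/tcp\t0.221265
https\t443/tcp\t0.208669\t# secure http (SSL)
ftp\t21/tcp\t0.197667\t# File Transfer [Control]
ssh\t22/tcp\t0.182286\t# Secure Shell Login
smtp\t25/tcp\t0.131314
netbios-ns\t137/udp\t0.365163
domain\t53/udp\t0.213496
"""

def parse_services(text):
    """Yield (port, proto, frequency, name) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        name, port_proto, freq = line.split()[:3]
        port, proto = port_proto.split('/')
        yield int(port), proto, float(freq), name

def top_ports(text, n, proto='tcp'):
    """Emulate --top-ports N: the N ports of one protocol with the highest open frequency."""
    rows = [r for r in parse_services(text) if r[1] == proto]
    rows.sort(key=lambda r: r[2], reverse=True)
    return sorted(r[0] for r in rows[:n])          # Nmap lists them in port order

def port_ratio(text, ratio, proto='tcp'):
    """Emulate --port-ratio R: every port of one protocol whose open frequency exceeds R."""
    return sorted(r[0] for r in parse_services(text) if r[1] == proto and r[2] > ratio)
```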
Excluding ports
--exclude-ports: when some ports should not be scanned, this option excludes them.
Sequential scanning
Port scans usually go through the ports in order, but to keep a firewall from recognizing the scanning, Nmap shuffles the order and scans the ports randomly. The -r option makes Nmap scan the ports sequentially instead.
TCP scans
TCP SYN scan
The TCP SYN scan is called a half-open scan: it sends a TCP SYN segment to the target port and never completes a full TCP connection.
Determining that a port is open
Nmap sends a SYN packet to the target.
The target receives the request and answers with a SYN/ACK packet, which means the port is open.
After receiving the SYN/ACK, Nmap sends a RST packet to the target, terminating the connection.
Determining that a port is closed
Nmap sends a SYN packet to the target.
If the target answers with a RST packet, no connection can be made, i.e. the target port is closed.
Running the scan
Nmap's -sS option performs a TCP SYN scan.
-sS: nmap -p <port> -sS <target>; s stands for scan, S for SYN.
```
# TCP SYN scan of ports 22 and 80 on the target
$ nmap --packet-trace -P0 --send-ip -sS -p22,80 localhost
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:11 CST
SENT (0.1427s) TCP 127.0.0.1:53857 > 127.0.0.1:22 S ttl=47 id=28445 iplen=44 seq=2898988191 win=1024 <mss 1460>
SENT (0.1428s) TCP 127.0.0.1:53857 > 127.0.0.1:80 S ttl=53 id=9634 iplen=44 seq=2898988191 win=1024 <mss 1460>
# On the loopback interface the capture also shows Nmap's own SYNs as received; the RST/ACK replies mean both ports are closed
RCVD (0.1425s) TCP 127.0.0.1:53857 > 127.0.0.1:22 S ttl=47 id=28445 iplen=44 seq=2898988191 win=1024 <mss 1460>
RCVD (0.1426s) TCP 127.0.0.1:22 > 127.0.0.1:53857 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (0.1428s) TCP 127.0.0.1:53857 > 127.0.0.1:80 S ttl=53 id=9634 iplen=44 seq=2898988191 win=1024 <mss 1460>
RCVD (0.1428s) TCP 127.0.0.1:80 > 127.0.0.1:53857 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0082s latency).
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp closed http
```
```
# TCP SYN scan of a filtered port
$ nmap --packet-trace -P0 --send-ip -sS -p5000 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:14 CST
# Neither SYN gets any answer, so the port is reported as filtered
SENT (0.1563s) TCP 192.168.43.245:36498 > 121.199.61.226:5000 S ttl=41 id=10955 iplen=44 seq=4261193794 win=1024 <mss 1460>
SENT (1.1574s) TCP 192.168.43.245:36500 > 121.199.61.226:5000 S ttl=42 id=41082 iplen=44 seq=4261324864 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT     STATE    SERVICE
5000/tcp filtered upnp
```
TCP connect scan
In a TCP connect scan Nmap completes the TCP three-way handshake and scans over an established connection, which takes longer.
-sT: nmap -sT -p<port> <target> performs a TCP connect scan; s stands for scan, T for TCP.
```
# TCP connect scan of port 80 on the target
$ nmap --packet-trace -P0 -sT -p80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:23 CST
CONN (0.0619s) TCP localhost > 121.199.61.226:80 => Operation now in progress
CONN (0.0909s) TCP localhost > 121.199.61.226:80 => Connected
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.029s latency).
PORT   STATE SERVICE
80/tcp open  http
```
TCP ACK scan
The TCP ACK scan sends ACK segments. It cannot tell whether the target port is open, only whether it is filtered or unfiltered, so it is mainly used to map firewall rules.
-sA: performs a TCP ACK scan; s stands for scan, A for ACK.
```
# TCP ACK scan of port 80 on the target
$ nmap --packet-trace -P0 -sA -p80 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:32 CST
SENT (0.1522s) TCP 192.168.43.245:63597 > 121.199.61.226:80 A ttl=44 id=4399 iplen=40 seq=0 win=1024
SENT (1.1537s) TCP 192.168.43.245:63599 > 121.199.61.226:80 A ttl=37 id=56895 iplen=40 seq=0 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http
```
TCP window scan
The TCP window scan works exactly like the TCP ACK scan, except that it examines the TCP window field of the returned RST segments to decide whether a port is open or closed.
-sW: performs a TCP window scan; s stands for scan, W for Window.
```
# Run a TCP window scan
$ nmap --packet-trace -P0 -sW -p1000 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:37 CST
SENT (0.1192s) TCP 192.168.43.245:39318 > 192.168.1.1:1000 A ttl=58 id=6765 iplen=40 seq=0 win=1024
# RST with a zero window: the port is closed
RCVD (0.1214s) TCP 192.168.1.1:1000 > 192.168.43.245:39318 R ttl=63 id=15788 iplen=40 seq=1317417045 win=0
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0023s latency).
PORT     STATE  SERVICE
1000/tcp closed cadlock
```
TCP NULL scan
The TCP NULL scan sends a packet with no flag bits set to the target port. A TCP NULL scan can be used to tell whether the target's operating system is Windows or Linux.
-sN: performs a TCP NULL scan; s stands for scan, N for NULL.
```
# Run a TCP NULL scan
$ nmap --packet-trace -P0 -sN -p80 --send-ip www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 16:45 CST
# The probes carry no TCP flags at all, and no reply comes back
SENT (0.1435s) TCP 192.168.43.245:46295 > 121.199.61.226:80 ttl=39 id=45479 iplen=40 seq=2262490571 win=1024
SENT (1.1450s) TCP 192.168.43.245:46297 > 121.199.61.226:80 ttl=53 id=47816 iplen=40 seq=2262359497 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT   STATE         SERVICE
80/tcp open|filtered http
```
TCP FIN scan
The TCP FIN scan is similar to the NULL scan; it sends FIN segments, the kind normally used to tear down a connection.
TCP Xmas scan
The TCP Xmas scan sends packets with the PSH, FIN and URG TCP flags set.
TCP Maimon scan
The TCP Maimon scan sends FIN/ACK segments.
Idle scan
In an idle scan the attacker impersonates the IP address of an idle host to scan the target more covertly.
Use the ipidseq script to find an idle host:
```
nmap -p80 --script ipidseq -iR <num hosts>
nmap -p80 --script ipidseq <target>
```
Run the idle scan against the target:
```
nmap --packet-trace -P0 --send-ip -p22,80 -sI 192.168.1.1 192.168.1.5
```
Custom TCP scans
Users can customize the TCP scan to get past firewalls: the --scanflags option sets any combination of TCP flags so you can design your own scan.
```
# Build a custom TCP probe with SYN and ACK set and send it to port 22 of the target
$ nmap --packet-trace -P0 --scanflag SYNACK -p22 www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:07 CST
SENT (0.1435s) TCP 192.168.43.245:47955 > 121.199.61.226:22 SA ttl=47 id=55190 iplen=44 seq=4070795902 win=1024 <mss 1460>
SENT (1.1450s) TCP 192.168.43.245:47957 > 121.199.61.226:22 SA ttl=48 id=34860 iplen=44 seq=4238387972 win=1024 <mss 1460>
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up.
PORT   STATE    SERVICE
22/tcp filtered ssh
```
UDP scan
A UDP scan scans UDP-based services.
```
# UDP scan of ports 53 and 137 on the target
$ nmap --packet-trace -Pn -sU -p53,137 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:31 CST
SENT (0.1179s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=48 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=47 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:137 ttl=47 id=4697 iplen=78
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:53 ttl=43 id=24467 iplen=40
SENT (0.1180s) UDP 192.168.43.245:49226 > 192.168.1.1:53 ttl=40 id=24467 iplen=58
# ICMP port unreachable for port 137: the port is closed
RCVD (0.1228s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36572 iplen=106 ]
RCVD (0.1233s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36573 iplen=106 ]
RCVD (0.1244s) ICMP [192.168.1.1 > 192.168.43.245 Port 137 unreachable (type=3/code=3) ] IP [ttl=63 id=36574 iplen=106 ]
# Port 53 never answers, so it is retried and ends up as open|filtered
SENT (1.2197s) UDP 192.168.43.245:49228 > 192.168.1.1:53 ttl=59 id=61097 iplen=40
SENT (1.2198s) UDP 192.168.43.245:49228 > 192.168.1.1:53 ttl=38 id=61097 iplen=58
Nmap scan report for TianYi.Home (192.168.1.1)
Host is up (0.0049s latency).
PORT    STATE         SERVICE
53/udp  open|filtered domain
137/udp closed        netbios-ns
```
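To make the decision rules behind the port states of the SYN, ACK, window, NULL-family and UDP scans above concrete, here is an added Python reducer (our own code, not part of Nmap) that turns --packet-trace lines of the shapes shown in these sessions into the state Nmap reports for each probed port. The sample traces are constructed from the sessions on this page; the block goes slightly beyond the text in also treating an ICMP unreachable answer to a TCP probe as filtered, which is Nmap's rule.

```python
import re

# Line shapes seen in the --packet-trace sessions on this page (regexes are ours, not Nmap's)
PKT = re.compile(r'^(SENT|RCVD) \([\d.]+s\) (TCP|UDP) \S+:(\d+) > \S+:(\d+)(?: ([A-Z]+))? ttl=')
UNREACH = re.compile(r'^RCVD \([\d.]+s\) ICMP \[\S+ > \S+ Port (\d+) unreachable \(type=3/code=(\d+)\)')

def port_states(scan, lines):
    """Reduce trace lines to the state per probed (proto, port); scan is sS, sA, sW, sU or sN/sF/sX/sM."""
    probed, replies, icmp = {}, {}, {}
    for line in lines:
        m = PKT.match(line)
        if m:
            direction, proto, sport, dport, flags = m.groups()
            if direction == 'SENT':
                probed[(proto, int(dport))] = True           # dict keeps probe order
            else:                                            # reply: keep its flags and window
                win = re.search(r' win=(\d+)', line)
                replies[(proto, int(sport))] = (flags or '', int(win.group(1)) if win else 0)
        elif m := UNREACH.match(line):
            icmp[int(m.group(1))] = int(m.group(2))          # ICMP type 3 code for that port
    states = {}
    for proto, port in probed:
        if (proto, port) in replies:
            flags, win = replies[(proto, port)]
            if scan == 'sS':
                state = 'open' if flags == 'SA' else 'closed'   # SYN/ACK vs RST
            elif scan == 'sA':
                state = 'unfiltered'                             # any RST: the probe reached the port
            elif scan == 'sW':
                state = 'open' if win > 0 else 'closed'          # window field of the RST decides
            elif scan == 'sU':
                state = 'open'                                   # a UDP datagram came back
            else:
                state = 'closed'                                 # NULL/FIN/Xmas/Maimon: only closed ports RST
        elif port in icmp:  # ICMP unreachable: code 3 closes a UDP port, anything else is a filter answering
            state = 'closed' if scan == 'sU' and icmp[port] == 3 else 'filtered'
        else:  # no answer: SYN/ACK/Window scans say filtered, the rest cannot separate open from filtered
            state = 'filtered' if scan in ('sS', 'sA', 'sW') else 'open|filtered'
        states[(proto, port)] = state
    return states

SYN_TRACE = [  # constructed: trimmed from the -p21,25,80 session above, plus a port 79 probe that gets no answer
    "SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:21 S ttl=47 id=25826 iplen=44 seq=2509442157 win=1024 <mss 1460>",
    "SENT (0.2748s) TCP 192.168.43.245:64057 > 192.168.1.4:25 S ttl=51 id=30051 iplen=44 seq=2509442157 win=1024 <mss 1460>",
    "SENT (0.2749s) TCP 192.168.43.245:64057 > 192.168.1.4:79 S ttl=51 id=30052 iplen=44 seq=2509442157 win=1024 <mss 1460>",
    "RCVD (0.2752s) TCP 192.168.1.4:25 > 192.168.43.245:64057 SA ttl=63 id=1820 iplen=44 seq=3188731922 win=64240 <mss 65495>",
    "RCVD (0.2752s) TCP 192.168.1.4:21 > 192.168.43.245:64057 RA ttl=63 id=1818 iplen=40 seq=0 win=0",
]
UDP_TRACE = [  # constructed: trimmed from the -sU session above
    "SENT (0.2800s) UDP 192.168.43.245:39784 > 192.168.1.4:53 ttl=43 id=6898 iplen=40",
    "SENT (0.2801s) UDP 192.168.43.245:39784 > 192.168.1.4:137 ttl=55 id=49237 iplen=78",
    "RCVD (0.2806s) ICMP [192.168.1.4 > 192.168.43.245 Port 53 unreachable (type=3/code=3) ] IP [ttl=63 id=1842 iplen=68 ]",
    "RCVD (0.2808s) UDP 192.168.1.4:137 > 192.168.43.245:39784 ttl=63 id=1844 iplen=185",
]
```

Calling port_states('sS', SYN_TRACE) yields closed for 21, open for 25 and filtered for 79, matching the report columns Nmap prints.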
IP protocol scan
The IP protocol scan works at the IP layer rather than sending TCP probes directly.
```
nmap -p<protocol list> -sO <target>
```
-p: specifies IP protocol numbers instead of port numbers.
-sO: runs an IP protocol scan.
```
# Use an IP protocol scan to probe protocols 1 (ICMP) and 6 (TCP) on the host
$ nmap --packet-trace -p1,6 -sO www.diaoan.xyz
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-26 18:38 CST
# Host discovery
SENT (0.3020s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=56986 seq=0] IP [ttl=39 id=32415 iplen=28 ]
SENT (0.3020s) TCP 192.168.43.245:44211 > 121.199.61.226:443 S ttl=53 id=39451 iplen=44 seq=480974220 win=1024 <mss 1460>
SENT (0.3020s) TCP 192.168.43.245:44211 > 121.199.61.226:80 A ttl=37 id=58089 iplen=40 seq=0 win=1024
SENT (0.3020s) ICMP [192.168.43.245 > 121.199.61.226 Timestamp request (type=13/code=0) id=49360 seq=0 orig=0 recv=0 trans=0] IP [ttl=40 id=53077 iplen=40 ]
RCVD (0.3320s) TCP 121.199.61.226:443 > 192.168.43.245:44211 SA ttl=116 id=8877 iplen=44 seq=1395080373 win=8192 <mss 1400>
# Protocol probes: a TCP segment for protocol 6 and an ICMP echo for protocol 1
SENT (0.4922s) TCP 192.168.43.245:44467 > 121.199.61.226:80 A ttl=45 id=8889 iplen=40 seq=1538793918 win=1024
SENT (0.4922s) ICMP [192.168.43.245 > 121.199.61.226 Echo request (type=8/code=0) id=56602 seq=0] IP [ttl=45 id=64544 iplen=28 ]
# Echo reply: protocol 1 is open
RCVD (0.5261s) ICMP [121.199.61.226 > 192.168.43.245 Echo reply (type=0/code=0) id=56602 seq=0] IP [ttl=116 id=8880 iplen=28 ]
# Protocol 6 never answers, so it is retried and ends up as open|filtered
SENT (1.6452s) TCP 192.168.43.245:44469 > 121.199.61.226:80 A ttl=59 id=41086 iplen=40 seq=3669701765 win=1024
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.030s latency).
PROTOCOL STATE         SERVICE
1        open          icmp
6        open|filtered tcp
```
FTP bounce scan
The FTP bounce scan uses a vulnerable FTP server to scan the target.
```
nmap -b [username:password@server:port] -Pn -v [target]
```
-b: runs an FTP bounce scan; the argument format is username:password@server:port.
-v: shows verbose output.