Nmap is an open-source network discovery and security auditing tool designed to scan large networks quickly; it is sometimes nicknamed the "eye of God", which says something about how capable it is. Using Nmap for a system security audit is an efficient way to find potential vulnerabilities, open ports, service versions and similar information on a local network.
Let's begin our Nmap tour by collecting host information for the local 192.168.0.1/24 segment.
PS> nmap -sS -T4 192.168.0.1/24
Option reference:
-sS: TCP SYN scan; probes for open ports by sending SYN packets
-T4: scan with 4 threads (range 1-5, default 3)
The scan output is:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-04 23:45 EDT
--scan start time 2025-04-04 23:45 EDT
# Target 1
Nmap scan report for 192.168.0.1 (192.168.0.1)
--address of a live host found by the scan
Host is up (0.00085s latency).
--time taken to confirm the host is up (latency)
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
1900/tcp open upnp
--open ports found by the scan
MAC Address: 50:BD:5F:5E:E5:CC (TP-Link Technologies)
--MAC address obtained for the host
---
Nmap done: 256 IP addresses (5 hosts up) scanned in 7.59 seconds
--end of run: number of targets scanned, hosts found up, time taken
In this first round the scan found 5 live targets; only 2 of them had open ports and the other three showed none. As the output shows, by default the scan covers the 1000 most commonly used ports, so a host with no open ports found does not necessarily have none; its open ports may simply not be in the scanned list.
We can probe the discovered addresses in more detail. Send a new scan to test all ports on 192.168.0.108 together with service version detection:
PS> nmap -T4 -sS -sV -p- 192.168.0.108
Option reference:
-sV: service version detection
-p-: sets the port range; a bare "-" means all ports
Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 00:56 EDT
Nmap scan report for 192.168.0.108 (192.168.0.108)
Host is up (0.00069s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.64
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1042/tcp open msrpc Microsoft Windows RPC
1085/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Service
9003/tcp open ssl/unknown
MAC Address: 88:88:88:88:87:88 (Unknown)
Service Info: Host: PC-workgroups; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.47 seconds
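To make repeated audits of this kind comparable, a scan like the one above is usually saved with -oX and processed rather than read by eye. The following added example (not from the original post and not Nmap's own code) parses a constructed Nmap XML excerpt that mirrors the 192.168.0.108 results above and reports every reachable port that is not in an approved baseline; the baseline contents are an assumption.

```python
"""Turn an Nmap XML report (-oX) into a host/port inventory and diff it against a baseline."""
import xml.etree.ElementTree as ET

# Constructed excerpt in Nmap's -oX layout, reusing services seen on 192.168.0.108 above.
SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.95" args="nmap -sS -sV -sU -oX - 192.168.0.108">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.0.108" addrtype="ipv4"/>
<address addr="88:88:88:88:87:88" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="FileZilla ftpd" version="0.9.64"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
<port protocol="tcp" portid="9003"><state state="closed" reason="reset"/></port>
<port protocol="udp" portid="5355"><state state="open|filtered" reason="no-response"/>
<service name="llmnr"/></port>
</ports></host></nmaprun>"""

def parse_inventory(xml_text):
    """Return {ip: {(proto, port): (state, description)}} for every host reported up.
    open|filtered UDP ports are kept: Nmap cannot prove them closed, so they stay in scope."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for p in host.iter("port"):
            state = p.find("state").get("state")
            if not state.startswith("open"):  # drop closed/filtered, keep open and open|filtered
                continue
            svc = p.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            ports[(p.get("protocol"), int(p.get("portid")))] = (state, " ".join(x for x in parts if x))
        inventory[ip] = ports
    return inventory

def diff_against_baseline(current, baseline):
    """List (ip, proto, port, description) for exposures missing from the approved baseline,
    where baseline maps ip -> set of (proto, port) tuples expected to be reachable."""
    findings = []
    for ip, ports in current.items():
        allowed = baseline.get(ip, set())
        for (proto, port), (_state, desc) in sorted(ports.items()):
            if (proto, port) not in allowed:
                findings.append((ip, proto, port, desc))
    return findings
```

Feeding a real scan is a matter of running nmap with -oX and passing the file contents to parse_inventory; the assumed baseline of 445/tcp and 3389/tcp leaves FTP and LLMNR as the findings.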
In this output we can see the version of the service on each open port. Next, obtain the operating system version:
PS> nmap -O 192.168.0.108
Option reference:
-O: operating system detection
Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 01:06 EDT
Nmap scan report for 192.168.0.108 (192.168.0.108)
Host is up (0.00065s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
135/tcp open msrpc
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
1042/tcp open afrog
1085/tcp open webobjects
3389/tcp open ms-wbt-server
9003/tcp open unknown
MAC Address: 88:88:88:88:87:88 (Unknown)
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7::-:ultimate
OS details: Microsoft Windows 7 Ultimate
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds
The detected operating system is Microsoft Windows 7 Ultimate. Readers may wonder why OS detection also prints port numbers: OS detection relies on fingerprint information from the services the system exposes, so it also probes the services the host has open.
Attentive readers may notice that all the tests above covered TCP ports only; where is the UDP test? That is down to the scan technique we chose: -sS sends TCP SYN packets to set up half-open connections, which works for TCP ports but cannot probe UDP ones. Nmap defaults to TCP probing, so UDP port scanning is enabled separately:
PS> nmap -sU --top-ports 1000 192.168.0.108
Option reference:
-sU: UDP port scan
--top-ports: scan the given number of most frequently used ports
Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 01:25 EDT
Nmap scan report for 192.168.0.108 (192.168.0.108)
Host is up (0.00052s latency).
Not shown: 996 closed udp ports (port-unreach)
PORT STATE SERVICE
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: 88:88:88:88:87:88 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 187.19 seconds
A UDP scan reveals the UDP services the host exposes.
Nmap ships with more than 600 built-in scripts, including a vulnerability detection category, so Nmap's own scripts can be used for vulnerability scanning:
PS> nmap --script vuln -v 192.168.0.108
Option reference:
--script: run Nmap's built-in scripts (here the vuln category)
-v: verbose output
Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-05 01:44 EDT
NSE: Loaded 105 scripts for scanning.
--number of scripts loaded
NSE: Script Pre-scanning.
Initiating NSE at 01:44
NSE Timing: About 50.00% done; ETC: 01:45 (0:00:31 remaining)
Completed NSE at 01:45, 37.26s elapsed
Initiating NSE at 01:45
Completed NSE at 01:45, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
| Hosts that seem down (vulnerable):
|_ 224.0.0.251
--example of a vulnerability hit
---
3389/tcp open ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 1024
| Public Key Length: 1024
| References:
|_ https://weakdh.org
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
NSE: Script Post-scanning.
Initiating NSE at 01:46
Completed NSE at 01:46, 0.00s elapsed
Initiating NSE at 01:46
Completed NSE at 01:46, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 133.21 seconds
Raw packets sent: 1016 (44.688KB) | Rcvd: 1001 (40.076KB)
The vulnerability scan found that 192.168.0.108 has vulnerabilities. Because Nmap's built-in scripts are penetration-testing in nature, use them with care when their impact cannot be assessed beforehand.
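Read by eye, the three host-script lines above are easy to lump together, but they are not equivalent: NT_STATUS_ACCESS_DENIED means the check could not run, while false means it ran and found nothing. The following added example (not part of the original post or of Nmap) sorts the script results from a constructed excerpt of the output above into vulnerable, not vulnerable and inconclusive, so that checks that did not run are reviewed rather than silently counted as clean.

```python
"""Triage NSE 'vuln' results from Nmap's normal output into vulnerable / not vulnerable / inconclusive."""
import re

# Constructed excerpt laid out like the scan output above (indentation matters to the parser).
NSE_OUTPUT = """3389/tcp open  ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Modulus Length: 1024
|     References:
|_      https://weakdh.org
Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
"""

# A script header is "|_name: ..." or "| name:"; body lines are indented further, so they do not match.
HEADER = re.compile(r"^\|(?:_| )(?P<name>[\w-]+):\s*(?P<rest>.*)$")

def _one_line_verdict(rest):
    """Verdict for a script that answers on its header line; None means a State: line should follow."""
    if not rest:
        return None
    if rest.lower() in ("false", "not vulnerable"):
        return "not vulnerable"
    return "inconclusive"  # timeouts, NT_STATUS_ACCESS_DENIED, script errors: neither proven nor cleared

def triage_nse(text):
    """Map each NSE script name to 'vulnerable', 'not vulnerable' or 'inconclusive'."""
    verdicts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("name")
            verdicts[current] = _one_line_verdict(m.group("rest").strip())
        elif current and line.startswith("|"):
            body = line.lstrip("|_ ")
            if body.startswith("State:"):
                state = body.split(":", 1)[1].strip().upper()
                if state.startswith("NOT"):
                    verdicts[current] = verdicts[current] or "not vulnerable"
                elif "VULNERABLE" in state:  # covers VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS)
                    verdicts[current] = "vulnerable"
    # Multi-line results that never produced a State: line stay inconclusive rather than clean.
    return {name: v or "inconclusive" for name, v in verdicts.items()}
```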