Nmap is a very useful tool for network scanning and host detection. It is not limited to information gathering and enumeration; it can also serve as a vulnerability detector or security scanner. It runs on Windows, Linux, macOS and other operating systems.
   python-nmap is a Python library that wraps the nmap port scanner. It makes nmap scan results easy to work with programmatically and is a good fit for system administrators who need to automate scanning tasks and reporting. It also supports nmap script (NSE) output.

1. Installing python-nmap

   Both the nmap program and the python-nmap third-party library must be installed. nmap can be downloaded from https://nmap.org/download.html.

C:\>nmap --version
Nmap version 7.70 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.3.3 openssl-1.0.2n nmap-libssh2-1.8.0 nmap-libz-1.2.8 nmap-libpcre-7.6 Npcap-0.99-r2 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select

C:\> pip install python_nmap
Collecting python_nmap
Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB)
100% |████████████████████████████████| 51kB 118kB/s
Installing collected packages: python-nmap
Running setup.py install for python-nmap ... done
Successfully installed python-nmap-0.6.1

C:\> python
Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import nmap
>>>

2. Using python-nmap

2.1. Checking the nmap version

>>> import nmap
>>> n = nmap.PortScanner()
>>> n.nmap_version()
(7, 70)

2.2. Viewing the nmap command line that was run

>>> date = n.scan("117.185.17.151","1-1024","-sV")
>>> n.command_line()
'nmap -oX - -p 1-1024 -sV 117.185.17.151'

2.3. The scan() signature

def scan(self,
         hosts: str = '127.0.0.1',   # target host(s), in nmap target syntax
         ports: Any = None,          # port specification, e.g. "1-1024"
         arguments: str = '-sV',     # extra nmap command-line arguments
         sudo: bool = False)         # run nmap via sudo (needed for raw-socket scans on Unix)

2.4. Viewing scan statistics

>>> n.scanstats()
{'timestr': 'Wed Jan 02 12:46:46 2019',  # start time
 'elapsed': '24.80',                      # scan duration in seconds
 'uphosts': '1',                          # hosts found up
 'downhosts': '0',                        # hosts found down
 'totalhosts': '1'}                       # hosts scanned

2.5. Viewing scan results as CSV

>>> n.csv()
'host;hostname;hostname_type;protocol;port;name;state;product;extrainfo;reason;version;conf;cpe\r\n
117.185.17.151;;;tcp;80;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n
117.185.17.151;;;tcp;443;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n'
Column        | Port 1                    | Port 2                    | Meaning
host          | 117.185.17.151            | 117.185.17.151            | IP address
hostname      | -                         | -                         | host name
hostname_type | -                         | -                         | type of the host name
protocol      | tcp                       | tcp                       | protocol
port          | 80                        | 443                       | port number
name          | http                      | http                      | service name
state         | open                      | open                      | port state
product       | Apache httpd              | Apache httpd              | server product
extrainfo     | -                         | -                         | extra information
reason        | syn-ack                   | syn-ack                   | reply that led nmap to report this state
version       | -                         | -                         | product version
conf          | 10                        | 10                        | service-detection confidence
cpe           | cpe:/a:apache:http_server | cpe:/a:apache:http_server | CPE identifier

2.6. Listing the scanned hosts

>>> n.all_hosts()
['117.185.17.151']

2.7. Viewing the details of a given host

# host state
>>> n["117.185.17.151"].state()
'up'

# protocols for which ports were found
>>> n["117.185.17.151"].all_protocols()
['tcp']

# open TCP ports
>>> n["117.185.17.151"]["tcp"].keys()
dict_keys([80, 443])

# check whether a given port/protocol was found
>>> n["117.185.17.151"].has_tcp(80)
True
>>> n["117.185.17.151"].has_tcp(81)
False

# details of a given port
>>> n["117.185.17.151"]["tcp"][80]
{'state': 'open', 'reason': 'syn-ack', 'name': 'http', 'product': 'Apache httpd', 'version': '', 'extrainfo': '', 'conf': '10', 'cpe': 'cpe:/a:apache:http_server'}
>>> n["117.185.17.151"].tcp(80)
{'state': 'open', 'reason': 'syn-ack', 'name': 'http', 'product': 'Apache httpd', 'version': '', 'extrainfo': '', 'conf': '10', 'cpe': 'cpe:/a:apache:http_server'}
>>> n["117.185.17.151"]["tcp"][80]["name"]
'http'

3. Host discovery with python-nmap

import nmap

n = nmap.PortScanner()
# -sP is a ping scan only (older spelling of -sn): hosts are discovered but no ports are scanned
n.scan(hosts="192.168.1.1/29", arguments="-sP")
for x in n.all_hosts():
    print(x + ":" + n[x]["status"]["state"])

# Output:
192.168.1.1:up
192.168.1.2:up
192.168.1.4:up
192.168.1.5:up

4. Port scanning with python-nmap

import nmap

n = nmap.PortScanner()
# -sV: service/version detection on ports 1-1024 of each host in the /30
n.scan(hosts="192.168.1.1/30", arguments="-sV -p 1-1024")
for x in n.all_hosts():
    print("Host: " + x)
    print("State: " + n[x].state())
    print("************************")
    for y in n[x].all_protocols():
        print("Protocols: " + y)
        print("↓↓↓↓↓↓↓↓↓")
        for z in n[x][y].keys():
            print("port: " + str(z) + " | name: " + n[x][y][z]["name"] + " | state: " + n[x][y][z]["state"])
    print("---------------------------")

# Output:

Host: 192.168.1.1
State: up
************************
Protocols: tcp
↓↓↓↓↓↓↓↓↓
port: 22 | name: ssh | state: filtered
port: 80 | name: http | state: open
port: 443 | name: http | state: open
---------------------------
Host: 192.168.1.2
State: up
************************
Protocols: tcp
↓↓↓↓↓↓↓↓↓
port: 22 | name: ssh | state: filtered
port: 53 | name: domain | state: open
port: 514 | name: shell | state: filtered
port: 873 | name: rsync | state: filtered
---------------------------
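As an added example that is not part of the original post, the following parses the csv() output format shown in section 2.5 and compares each host's open ports with an expected baseline, which is the check a defender usually wants from the per-port loop in section 4; SAMPLE_CSV and BASELINE are constructed values, and in real use the text would come from PortScanner().csv() after a scan.

```python
import csv
import io

# Constructed sample in the format PortScanner.csv() returns: ';'-separated header row
# plus one row per host/port, '\r\n' line endings.
SAMPLE_CSV = (
    "host;hostname;hostname_type;protocol;port;name;state;product;"
    "extrainfo;reason;version;conf;cpe\r\n"
    "192.0.2.10;;;tcp;80;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n"
    "192.0.2.10;;;tcp;443;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n"
    "192.0.2.10;;;tcp;8080;http-proxy;open;;;syn-ack;;3;\r\n"
    "192.0.2.11;;;tcp;22;ssh;filtered;;;no-response;;3;\r\n"
)

# Hypothetical baseline: the (protocol, port) pairs each host is allowed to expose.
BASELINE = {
    "192.0.2.10": {("tcp", 80), ("tcp", 443)},
    "192.0.2.11": set(),
}


def parse_nmap_csv(text):
    """Turn csv() output into a list of dicts keyed by the header columns."""
    reader = csv.DictReader(io.StringIO(text, newline=""), delimiter=";")
    rows = []
    for row in reader:
        if not row.get("port"):  # a host row without port data has an empty port field
            continue
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def open_ports(rows):
    """Map host -> set of (protocol, port) that nmap reported as open."""
    observed = {}
    for r in rows:
        if r["state"] == "open":
            observed.setdefault(r["host"], set()).add((r["protocol"], r["port"]))
    return observed


def find_drift(observed, baseline):
    """Report hosts whose open ports differ from the baseline (new exposure or lost service)."""
    drift = {}
    for host in set(observed) | set(baseline):
        seen = observed.get(host, set())
        want = baseline.get(host, set())
        if seen != want:
            drift[host] = {"unexpected": seen - want, "missing": want - seen}
    return drift
```

Filtered ports are deliberately not counted as exposure; only ports nmap reports as open are compared against the baseline.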

5. Using PortScannerYield

import nmap

# PortScannerYield.scan() is a generator that yields (host, result) as each host finishes,
# so results can be processed without waiting for the whole /24 to complete
n = nmap.PortScannerYield()
for x in n.scan(hosts="192.168.0.1/24", arguments="-sP"):
    print(x[0])

# Output (each host is printed as soon as it has been scanned):
C:\Python\python.exe C:/Code/Python/nmap/2.py
192.168.0.0
192.168.0.1
192.168.0.10
192.168.0.100
192.168.0.101
192.168.0.102
192.168.0.103
192.168.0.104
192.168.0.105
192.168.0.106
192.168.0.107
192.168.0.108
192.168.0.109
192.168.0.11
192.168.0.110
192.168.0.111
192.168.0.112
......