Python之nmap库的使用

   Nmap是一款网络扫描和主机检测的非常有用的工具。Nmap是不局限于仅仅收集信息和枚举，同时可以用来作为一个漏洞探测器或安全扫描器。它可以适用于winodws,linux,mac等操作系统。
   python-nmap是一个帮助使用nmap端口扫描器的python库。它允许轻松操纵nmap扫描结果，并且将是一个完美的选择，为需要自动完成扫描任务的系统管理员提供的工具并报告。它也支持nmap脚本输出。

1. python nmap 安装

   需要安装nmap软件和python_nmap第三方库。nmap的下载地址如下是https://nmap.org/download.html。

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

C:\>nmap --version Nmap version 7.70 ( https://nmap.org ) Platform: i686-pc-windows-windows Compiled with: nmap-liblua-5.3.3 openssl-1.0.2n nmap-libssh2-1.8.0 nmap-libz-1.2.8 nmap-libpcre-7.6 Npcap-0.99-r2 nmap-libdnet-1.12 ipv6 Compiled without: Available nsock engines: iocp poll select C:\> pip install python_nmap Collecting python_nmap Downloading https://files.pythonhosted.org/packages/dc/f2/9e1a2953d4d824e183ac033e3d223055e40e695fa6db2cb3e94a864eaa84/python-nmap-0.6.1.tar.gz (41kB) 100% |████████████████████████████████| 51kB 118kB/s Installing collected packages: python-nmap Running setup.py install for python-nmap ... done Successfully installed python-nmap-0.6.1 C:\> python Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> import nmap >>>

2. python nmap 的使用

2.1. 查看nmap版本

1 2 3 4

>>> import nmap >>> n = nmap.PortScanner() >>> n.nmap_version() (7, 70)

2.2. 查看nmap命令

1 2 3

>>> date = n.scan("117.185.17.151","1-1024","-sV") >>> n.command_line() 'nmap -oX - -p 1-1024 -sV 117.185.17.151'

2.3. scan 用法

1 2 3 4 5

def scan(self, hosts: str = '127.0.0.1', #主机 ports: Any = None, #端口 arguments: str = '-sV', #扫描参数 sudo: bool = False) #是否用管理员身份扫描

2.4. 查看nmap扫描信息

1 2 3 4 5 6

>>> n.scanstats() {'timestr': 'Wed Jan 02 12:46:46 2019', #开始时间 'elapsed': '24.80', #扫描时间 'uphosts': '1', #存活主机 'downhosts': '0', 'totalhosts': '1'}

2.5. 查看nmap扫描结果

1 2 3 4

>>> n.csv() 'host;hostname;hostname_type;protocol;port;name;state;product;extrainfo;reason;version;conf;cpe\r\n 117.185.17.151;;;tcp;80;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n 117.185.17.151;;;tcp;443;http;open;Apache httpd;;syn-ack;;10;cpe:/a:apache:http_server\r\n'

列名	端口1	端口2	解释
host	117.185.17.151	117.185.17.151	IP
hostname	-	-	主机名称
hostname_type	-	-	IP类型
protocol	tcp	tcp	协议
port	80	443	端口
name	http	http	服务名称
state	open	open	端口状态
product	Apache httpd	Apache httpd	服务器类型
extrainfo	-	-	其他信息
reason	syn-ack	syn-ack	端口回复
version	-	-	版本
conf	10	10	配置
cpe	cpe:/a:apache:http_server	cpe:/a:apache:http_server	消息头

2.6. 查看nmap扫描IP

1 2	>>> n.all_hosts() ['117.185.17.151']

2.7. 查看对应IP相关信息

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

#主机状态 >>> >>> n["117.185.17.151"].state() 'up' #用什么协议发现的端口 >>> n["117.185.17.151"].all_protocols() ['tcp'] #tcp协议开放的端口 >>> n["117.185.17.151"]["tcp"].keys() dict_keys([80, 443]) #查看指定协议端口是否开放 >>> n["117.185.17.151"].has_tcp(80) True >>> n["117.185.17.151"].has_tcp(81) False #查看指定端口协议的信息 >>> n["117.185.17.151"]["tcp"][80] {'state': 'open', 'reason': 'syn-ack', 'name': 'http', 'product': 'Apache httpd', 'version': '', 'extrainfo': '', 'conf': '10', 'cpe': 'cpe:/a:apache:http_server'} >>> n["117.185.17.151"].tcp(80) {'state': 'open', 'reason': 'syn-ack', 'name': 'http', 'product': 'Apache httpd', 'version': '', 'extrainfo': '', 'conf': '10', 'cpe': 'cpe:/a:apache:http_server'} >>> n["117.185.17.151"]["tcp"][80]["name"] 'http'

3. python namp 主机存活检测

1 2 3 4 5 6 7 8 9 10 11

import nmap n = nmap.PortScanner() n.scan(hosts="192.168.1.1/29", arguments="-sP") for x in n.all_hosts(): print(x+":"+n[x]["status"]["state"]) #执行结果： 192.168.1.1:up 192.168.1.2:up 192.168.1.4:up 192.168.1.5:up

4. python nmap 端口检测

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37

import nmap n = nmap.PortScanner() n.scan(hosts="192.168.1.1/30", arguments="-sV -p 1-1024") for x in n.all_hosts(): print("Host: " + x) print("State: " + n[x].state()) print("************************") for y in n[x].all_protocols(): print("Protocols: " + y) print("↓↓↓↓↓↓↓↓↓") for z in n[x][y].keys(): print("port: " + str(z) + " | name: " + n[x][y][z]["name"] + " | state: " + n[x][y][z]["state"]) print("---------------------------") ##执行结果 Host: 192.168.1.1 State: up ************************ Protocols: tcp ↓↓↓↓↓↓↓↓↓ port: 22 | name: ssh | state: filtered port: 80 | name: http | state: open port: 443 | name: http | state: open --------------------------- Host: 192.168.1.2 State: up ************************ Protocols: tcp ↓↓↓↓↓↓↓↓↓ port: 22 | name: ssh | state: filtered port: 53 | name: domain | state: open port: 514 | name: shell | state: filtered port: 873 | name: rsync | state: filtered ---------------------------

5.PortScannerYield的使用

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

import nmap n = nmap.PortScannerYield() for x in n.scan(hosts="192.168.0.1/24", arguments="-sP"): print(x[0]) #执行(扫描一个输出一个) C:\Python\python.exe C:/Code/Python/nmap/2.py 192.168.0.0 192.168.0.1 192.168.0.10 192.168.0.100 192.168.0.101 192.168.0.102 192.168.0.103 192.168.0.104 192.168.0.105 192.168.0.106 192.168.0.107 192.168.0.108 192.168.0.109 192.168.0.11 192.168.0.110 192.168.0.111 192.168.0.112 ......