说明:这里主要介绍 Profile 相关扫描选项,其他部分的内容百度上已经有大神说的比较详细,参照nmap相关man说明整理
Target:需要扫描的IP地址和端口,支持多种形式,比如网段10.123.10.1-10.123.10.244 ,子网掩码方式:10.123.10.1/24,域名,单个IP和网段组合等形式。
Profile主要参数
1.Intense scan:强烈的扫描
nmap -T4 -A -v
-T4: -T option and their number (0–5) or their
name. The template names areparanoid (0), sneaky (1), polite (2),
normal (3), aggressive (4), andinsane (5). The first two are for
IDS evasion. Polite mode slows downthe scan to use less bandwidth
and target machine resources. Normalmode is the default and so -T3
does nothing. Aggressive mode speedsscans up by making the
assumption that you are on areasonably fast and reliable network.
Finally insane mode. assumes that you are on an extraordinarily
fast network or are willing tosacrifice some accuracy for speed.
For example,
-T4. prohibits the dynamic scan delay from exceeding 10 ms for TCP
ports and -T5 caps that value at 5ms.
-T4 for faster execution
由以上说明-T4参数是一种适用在局域网,可靠性网络进行扫描,略带侵略性,扫描一个tcp端口平均耗时10ms
-A: -A, to enable OS and versiondetection, script scanning, and traceroute;
三个作用:操作系统及版本检测,系统脚本运行,路由
-v: 显示扫描过程中的详细信息
2.Intensescan plus UDP:强烈的扫描,加上udp协议扫描
nmap -sS -sU -T4-A -v
-sS: -sS (TCP SYN scan) .
SYN scan is the default and mostpopular scan option for good
reasons. It can be performedquickly, scanning thousands of ports
per second on a fast network nothampered by restrictive firewalls.
It is also relatively unobtrusiveand stealthy since it never
completes TCP connections. SYN scanworks against any compliant TCP
stack rather than depending onidiosyncrasies of specific platforms
as Nmap's FIN/NULL/Xmas, Maimon andidle scans do. It also allows
clear, reliable differentiationbetween the open, closed, and
filtered states.
This technique is often referred toas half-open scanning, because
you don't open a full TCPconnection. You send a SYN packet, as if
you are going to open a real connectionand then wait for a
response. A SYN/ACK indicates theport is listening (open), while a
RST (reset) is indicative of anon-listener. If no response is
received after severalretransmissions, the port is marked as
filtered. The port is also markedfiltered if an ICMP unreachable
error (type 3, code 1, 2, 3, 9, 10,or 13) is received. The port is
also considered open if a SYN packet(without the ACK flag) is
received in response. This can bedue to an extremely rare TCP
feature known as a simultaneous openor split handshake connection
(seehttp://nmap.org/misc/split-handshake.pdf).
主要说明-sS参数是一个比较流行好用的,该参数运行扫描快,而且隐蔽,因为它是一种半开方式扫描,并没有完成一个完整真实的tcp连接,
发送SYN包,如果收到一个SYN/ACK(或SYN)响应包则说明对方该端口处于打开监听状态;如果是RST,则说明对方端口处于非监听状态;如果未收到任何响应包则标记该端口被过滤
-sU: -sU(UDP scans) .
While most popular services on theInternet run over the TCP
protocol, UDP[6] services are widelydeployed. DNS, SNMP, and DHCP
(registered ports 53, 161/162, and67/68) are three of the most
common. Because UDP scanning isgenerally slower and more difficult
than TCP, some security auditorsignore these ports. This is a
mistake, as exploitable UDP servicesare quite common and attackers
certainly don't ignore the wholeprotocol. Fortunately, Nmap can
help inventory UDP ports.
UDP scan is activated with the -sUoption. It can be combined with
a TCP scan type such as SYN scan(-sS) to check both protocols
during the same run.
UDP scan works by sending a UDPpacket to every targeted port. For
some common ports such as 53 and161, a protocol-specific payload
is sent, but for most ports the packet isempty.. The
--data-length option can be used tosend a fixed-length random
payload to every port or (if youspecify a value of 0) to disable
payloads. If an ICMP port unreachableerror (type 3, code 3) is
returned, the port is closed. OtherICMP unreachable errors (type
3, codes 1, 2, 9, 10, or 13) markthe port as filtered.
Occasionally, a service will respondwith a UDP packet, proving
that it is open. If no response is receivedafter retransmissions,
the port is classified asopen|filtered. This means that the port
could be open, or perhaps packetfilters are blocking the
communication. Version detection(-sV) can be used to help
differentiate the truly open portsfrom the filtered ones.
A big challenge with UDP scanning isdoing it quickly. Open and
filtered ports rarely send anyresponse, leaving Nmap to time out
and then conduct retransmissionsjust in case the probe or response
were lost. Closed ports are often aneven bigger problem. They
usually send back an ICMP portunreachable error. But unlike the
RST packets sent by closed TCP portsin response to a SYN or
connect scan, many hosts ratelimit. ICMP port unreachable
messages by default. Linux andSolaris are particularly strict
about this. For example, the Linux2.4.20 kernel limits destination
unreachable messages to one persecond (in net/ipv4/icmp.c).
Nmap detects rate limiting and slowsdown accordingly to avoid
flooding the network with uselesspackets that the target machine
will drop. Unfortunately, aLinux-style limit of one packet per
second makes a 65,536-port scan takemore than 18 hours. Ideas for
speeding your UDP scans up includescanning more hosts in parallel,
doing a quick scan of just the popularports first, scanning from
behind the firewall, and using--host-timeout to skip slow hosts.
使用UDP协议的服务主要有DNS,SNMP,DHCP等,由于UDP扫描更困难和耗费时间因此一些审计的时候进行了省略,困难点在于linux和Solaris系统默认限制了每秒不可到达的信息数,Nmap为了避免造成服务器掉包的危害降低发包的速度,因此在扫描时将会耗费非常多的时间,建议先对常用UDP端口进行扫描,并且设置主机超时以跳过哪些扫描慢的主机
通常服务器响应一个UDP包,说明对方端口打开;当没有响应是nmap
会将其定级为open|filtered,这是需要结合-sV参数来协助判断端口的状态。
3.Intense scan, all TCP ports:对目标的所有端口进行强烈的扫描
nmap -p 1-65535 -T4 -A -v
4.Intensescan, no ping:对目标进行强烈的扫描,不进行主机发现
nmap -T4 -A -v -Pn
-Pn: Treat all hosts as online -- skip host discovery
-Pn (No ping) .
Thisoption skips the Nmap discovery stage altogether. Normally,
Nmapuses this stage to determine active machines for heavier
scanning. By default, Nmap only performs heavy probing such as port
scans, version detection, or OS detection against hosts that are
foundto be up. Disabling host discovery with -Pn causes Nmap to
attempt the requested scanning functions against every target IP
address specified. So if a class B target address space (/16) is
specified on the command line, all 65,536 IP addresses are scanned.
Proper host discovery is skipped as with the list scan, but instead
ofstopping and printing the target list, Nmap continues to perform
requested functions as if each target IP is active. To skip ping
scanand port scan, while still allowing NSE to run, use the two
options -Pn -sn together.
Formachines on a local ethernet network, ARP scanning will still
beperformed (unless --disable-arp-ping or --send-ip is specified)
because Nmap needs MAC addresses to further scan target hosts. In
previous versions of Nmap, -Pn was -P0. and -PN..
假设所有主机在线,跳过主机发现过程。
5.Ping scan 在发现主机后,不进行端口扫描
nmap -sn:
sn: Ping Scan - disable port scan
-sn (No port scan) .
Thisoption tells Nmap not to do a port scan after host discovery,
andonly print out the available hosts that responded to the scan.
Thisis often known as a “ping scan”, but you can also request that
traceroute and NSE host scripts be run. This is by default one step
moreintrusive than the list scan, and can often be used for the
samepurposes. It allows light reconnaissance of a target network
without attracting much attention. Knowing how many hosts are up is
morevaluable to attackers than the list provided by list scan of
everysingle IP and host name.
Systems administrators often find this option valuable as well. It
caneasily be used to count available machines on a network or
monitor server availability. This is often called a ping sweep, and
ismore reliable than pinging the broadcast address because many
hostsdo not reply to broadcast queries.
Thedefault host discovery done with -sn consists of an ICMP echo
request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP
timestamp request by default. When executed by an unprivileged
user,only SYN packets are sent (using a connect call) to ports 80
and443 on the target. When a privileged user tries to scan targets
on alocal ethernet network, ARP requests are used unless --send-ip
wasspecified. The -sn option can be combined with any of the
discovery probe types (the -P* options, excluding -Pn) for greater
flexibility. If any of those probe type and port number options are
used,the default probes are overridden. When strict firewalls are
inplace between the source host running Nmap and the target
network, using those advanced techniquesis recommended. Otherwise
hostscould be missed when the firewall drops probes or their
responses.
Inprevious releases of Nmap, -sn was known as -sP..
6.Quick scan:快速扫描
nmap -T4 -F
-F: -F: Fast mode - Scan fewer ports than thedefault scan
-F (Fast (limited port) scan) .
Specifies that you wish to scan fewer ports than the default.
Normally Nmap scans the most common 1,000 ports for each scanned
protocol. With -F, this is reduced to 100.
Nmapneeds an nmap-services file with frequency information in
orderto know which ports are the most common. If port frequency
information isn't available, perhaps because of the use of a custom
nmap-services file, Nmap scans all named ports plus ports 1-1024.
Inthat case, -F means to scan only ports that are named in the
services file.
7.Quickscan plus:更快速的扫描
nmap -sV -T4 -O -F --version-light
-O: EnableOS detection
--version-intensity intensity (Set version scanintensity) .
Whenperforming a version scan (-sV), Nmap sends a series of
probes, each of which is assigned a rarity value between one and
nine.The lower-numbered probes are effective against a wide
variety of common services, while the higher-numbered ones are
rarely useful. The intensity level specifies which probes should be
applied. The higher the number, the more likely it is the service
willbe correctly identified. However, high intensity scans take
longer. The intensity must be between 0 and 9.. The default is 7..
Whena probe is registered to the target port via the
nmap-service-probesports directive, that probe is tried regardless
ofintensity level. This ensures that the DNS probes will always be
attempted against any open port 53, the SSL probe will be done
against 443, etc.
--version-light (Enable light mode) .
Thisis a convenience alias for --version-intensity 2. This light
modemakes version scanning much faster, but it is slightly less
likelyto identify services.
-sV:
-sV(Version detection) .
Enables version detection, as discussed above. Alternatively, you
canuse -A, which enables version detection among other things.
-sR. is an alias for -sV. Priorto March 2011, it was used to
active the RPC grinder separately from version detection, but now
theseoptions are always combined.
8.Quick traceroute:快速扫描,不扫端口返回每一跳的主机ip
nmap -sn --traceroute :
--traceroute: Trace hop path to each host
9.Regular scan:常规扫描
nmap
10.Slow comprehensive scan:慢速综合性扫描
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389-PU40125 -PY -g 53 --script "default or (discovery and safe)"
-PE/PP:ICMP echo, timestamp
-PS port list (TCP SYN Ping) .
Thisoption sends an empty TCP packet with the SYN flag set. The
default destination port is 80 (configurable at compile time by
changing DEFAULT_TCP_PROBE_PORT_SPEC. in nmap.h).. Alternate
portscan be specified as a parameter. The syntax is the same as
forthe -p except that port type specifiers like T: are not
allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note
thatthere can be no space between -PS and the port list. If
multiple probes are specified they will be sent in parallel.
TheSYN flag suggests to the remote system that you are attempting
toestablish a connection. Normally the destination port will be
closed,and a RST (reset) packet sent back. If the port happens to
beopen, the target will take the second step of a TCP
three-way-handshake. byresponding with a SYN/ACK TCP packet. The
machine running Nmap then tears down the nascent connection by
responding with a RST rather than sending an ACK packet which would
complete the three-way-handshake and establish a full connection.
TheRST packet is sent by the kernel of the machine running Nmap in
response to the unexpected SYN/ACK, not by Nmap itself.
Nmapdoes not care whether the port is open or closed. Either the
RSTor SYN/ACK response discussed previously tell Nmap that the
hostis available and responsive.
OnUnix boxes, only the privileged user root. is generally able to
sendand receive raw TCP packets.. Forunprivileged users, a
workaround is automatically employed. whereby the connect system
callis initiated against each target port. This has the effect of
sending a SYN packet to the target host, in an attempt to establish
aconnection. If connect returns with a quick success or an
ECONNREFUSED failure, the underlying TCPstack must have received a
SYN/ACK or RST and the host is marked available. If the connection
attempt is left hanging until a timeout is reached, the host is
marked as down.
-PA -PA port list (TCP ACK Ping) .
TheTCP ACK ping is quite similar to the just-discussed SYN ping.
Thedifference, as you could likely guess, is that the TCP ACK flag
isset instead of the SYN flag. Such an ACK packet purports to be
acknowledging data over an established TCP connection, but no such
connection exists. So remote hosts should always respond with a RST
packet, disclosing their existence in the process.
The-PA option uses the same default port as the SYN probe (80) and
canalso take a list of destination ports in the same format. If an
unprivileged user tries this, the connect workaround discussed
previously is used. This workaround is imperfect because connect is
actually sending a SYN packet rather than an ACK.
Thereason for offering both SYN and ACK ping probes is to maximize
thechances of bypassing firewalls. Many administrators configure
routers and other simple firewalls to block incoming SYN packets
except for those destined for public services like the company web
siteor mail server. This prevents other incoming connections to
theorganization, while allowing users to make unobstructed
outgoing connections to the Internet. This non-stateful approach
takesup few resources on the firewall/router and is widely
supported by hardware and software filters. The Linux
Netfilter/iptables. firewallsoftware offers the --syn convenience
option to implement this stateless approach. When stateless
firewall rules such as this are in place, SYN ping probes (-PS) are
likely to be blocked when sent to closed target ports. In such
cases, the ACK probe shines as it cuts right through these rules.
Another common type of firewall uses stateful rules that drop
unexpected packets. This feature was initially found mostly on
high-end firewalls, though it has become much more common over the
years. The Linux Netfilter/iptables system supports this through
the--state option, which categorizes packets based on connection
state. A SYN probe is more likely to workagainst such a system, as
unexpected ACK packets are generally recognized as bogus and
dropped. A solution to this quandary is to send both SYN and ACK
probes by specifying -PS and -PA.
-PS和PA一起使用来最大限度的避过防火墙等安全设备的检测
-g/--source-port
nmap --script "default or safe"
Thisis functionally equivalent to nmap --script "default,safe". It
loadsall scripts that are in the default category or the safe
category or both.