Nmap Port Scanning Lab
Information Security Technology and Applications: Course Lab
Lab 2: Port Scanning and Security Auditing

I. Introduction to Nmap

1. Basic functions and target port states

Nmap (Network Mapper) is an open-source network exploration and port scanning tool. Its features include host discovery, port scanning, operating system detection, service and version detection, and firewall and intrusion detection system evasion. Source code and executables for different operating systems can be downloaded from http://www.insecure.org/nmap/, which also provides a detailed Chinese manual (http://www.insecure.org/nmap/man/zh/).

Nmap prints the port number, protocol, service name and state of each target port as a table. The port state is reported as open, closed, filtered or unfiltered:

- "open" means an application is listening for connections or packets on the port;
- "closed" means no application is listening on the port;
- "filtered" means a firewall or other filter is blocking the port, so Nmap cannot tell what state it is in;
- "unfiltered" means the port responds to Nmap's probes, but Nmap cannot determine whether it is open or closed.

Nmap may sometimes report the combined states open|filtered or closed|filtered, meaning it cannot tell which of the two states the port is in.

2. Command format and help

Nmap command format: nmap [Scan Type ...] [Options] {target specification}
Nmap command help: C:\>nmap (run nmap without any arguments)

3. Common scan types

(1) -sT (TCP connect() port scan);
(2) -sS (TCP SYN scan);
(3) -sU (UDP port scan);
(4) -sN (Null scan);
(5) -sF (FIN scan);
(6) -sP (Ping scan);
(7) -sX (Xmas scan);
(8) -sA (TCP ACK scan; probes whether a port is filtered: open and closed ports both return an RST packet, which means unfiltered, otherwise the port is filtered);
(9) -sM (TCP Maimon scan; Maimon found that BSD systems probed with FIN-ACK respond with RST);
(10) --scanflags (custom TCP scan; builds the probe packet from any combination of the TCP flags URG, ACK, PSH, RST, SYN and FIN);
(11) -sW (TCP window scan); -sI (Idlescan, a blind scan); -sO (IP protocol scan), and others; see the Nmap manual for details;
(12) If no scan type is specified, the default scan type is the TCP SYN scan.

4. Command options

(1) Host discovery options (also called ping scanning, but different from the ping command, which sends ICMP)
-sL (list scan), -sP (Ping scan), -P0 (no ping), -PS [portlist] (TCP SYN Ping), -PA [portlist] (TCP ACK Ping), -PU [portlist] (UDP Ping), -PR (ARP Ping), and others.

(2) Port specification options
-p scans only the specified ports. For example: -p22; -p1-65535; -pU:53,111,137,T:21-25,80,139,8080 (where U and T select UDP and TCP ports respectively).

(3) Service and version detection options
-sV (version detection), -sR (RPC scan)

(4) Operating system detection options
The nmap-os-fingerprints file contains fingerprints of more than 1500 known operating systems.
-O (operating system detection), -A (enables both operating system detection and service version detection)

(5) Output format options
Nmap has 5 different output formats, including interactive, normal and XML; interactive output is the default.
-v (verbose output)

5. Target specification

Nmap supports several forms of target specification, including a single target IP address, a host name and a network address. For example:

(1) nmap -sP 192.168.7.8 performs a ping scan of the target host 192.168.7.8;
(2) nmap -sT scanme.nmap.org performs a TCP connect() scan of the target host scanme.nmap.org;
(3) nmap -v 192.168.10.0/24 scans the 256 target hosts from 192.168.10.0 to 192.168.10.255; the output option -v shows detailed (verbose) information;
(4) nmap -v 10.0.0-255.1-254 scans all IP addresses from 10.0.0.1 to 10.0.255.254;
(5) nmap -v 0-255.0-255.13.37 scans all Internet IP addresses ending in 13.37;
(6) nmap -v -iR 1000 -P0 -p 80 scans 1000 randomly chosen target hosts, where -P0 means scanning without ping.

The random-target format is -iR <num hosts>, where -iR selects random-address scanning and num hosts is the number of random addresses.

II. Lab contents

1. Install nmap-4.01-setup.exe
Note: nmap-4.01-setup.exe installs the WinPcap packet capture library automatically; if you unpack nmap-4.01-win32.zip instead, the WinPcap packet capture library must be installed first.

2. LAN host discovery
List scan: nmap -sL <LAN address>

3. Scan the ports of a target host
Scan the target host's ports in sequential order: nmap -r <target host IP address or name>

4. Service and version detection
Service and version detection on the target host: nmap -sV <target host IP address or name>

5. Operating system detection
Operating system detection on the target host: nmap -O <target host IP address or name>

6. Combined port scanning
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -P0 -p 80

III. Lab requirements

Because Nmap's scanning features are powerful and its command options numerous, it is not possible to try every option in the time available. The scan commands listed under Lab contents must be completed, however, and any other command options may also be tried. After running each command, copy its output into the lab report table and explain the result.

Lab record:

2. LAN host discovery
List scan: nmap -sL <LAN address>

    C:\Documents and Settings\Administrator>nmap -sL 219.226.87.40-50
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:31 中国标准时间
    Host 219.226.87.40 not scanned
    Host 219.226.87.41 not scanned
    Host 219.226.87.42 not scanned
    Host 219.226.87.43 not scanned
    Host 219.226.87.44 not scanned
    Host 219.226.87.45 not scanned
    Host 219.226.87.46 not scanned
    Host 219.226.87.47 not scanned
    Host 219.226.87.48 not scanned
    Host 219.226.87.49 not scanned
    Host 219.226.87.50 not scanned
    Nmap finished: 11 IP addresses (0 hosts up) scanned in 13.078 seconds

3. Scan the ports of a target host
Scan the target host's ports in sequential order: nmap -r <target host IP address or name>

    C:\Documents and Settings\Administrator>nmap -r 219.226.87.56
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:29 中国标准时间
    Interesting ports on 219.226.87.56:
    (The 1667 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    7000/tcp open  afs3-fileserver
    MAC Address: 00:E0:4C:E9:5E:19 (Realtek Semiconductor)
    Nmap finished: 1 IP address (1 host up) scanned in 0.734 seconds

4. Service and version detection

    C:\Documents and Settings\Administrator>nmap -sV 219.226.87.56
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:26 中国标准时间
    Interesting ports on 219.226.87.56:
    (The 1667 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE         VERSION
    80/tcp   open  http?
    135/tcp  open  msrpc           Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
    7000/tcp open  afs3-fileserver?
    MAC Address: 00:E0:4C:E9:5E:19 (Realtek Semiconductor)
    Service Info: OS: Windows
    Nmap finished: 1 IP address (1 host up) scanned in 124.969 seconds

5. Operating system detection
Operating system detection on the target host: nmap -O <target host IP address or name>

    C:\Documents and Settings\Administrator>nmap -O 219.226.87.56
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:25 中国标准时间
    Interesting ports on 219.226.87.56:
    (The 1667 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE
    80/tcp   open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    7000/tcp open  afs3-fileserver
    MAC Address: 00:E0:4C:E9:5E:19 (Realtek Semiconductor)
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    OS details: Microsoft Windows XP Pro SP1/SP2 or 2000 SP4
    Nmap finished: 1 IP address (1 host up) scanned in 4.047 seconds

6. Combined port scanning

nmap -v -A scanme.nmap.org

    C:\Documents and Settings\Administrator>nmap -v -A 219.226.87.56
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:22 中国标准时间
    Initiating ARP Ping Scan against 219.226.87.56 [1 port] at 17:22
    The ARP Ping Scan took 0.22s to scan 1 total hosts.
    DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
    Initiating SYN Stealth Scan against 219.226.87.56 [1672 ports] at 17:22
    Discovered open port 80/tcp on 219.226.87.56
    Discovered open port 7000/tcp on 219.226.87.56
    Discovered open port 139/tcp on 219.226.87.56
    Discovered open port 445/tcp on 219.226.87.56
    Discovered open port 135/tcp on 219.226.87.56
    The SYN Stealth Scan took 0.19s to scan 1672 total ports.
    Initiating service scan against 5 services on 219.226.87.56 at 17:22
    The service scan took 88.56s to scan 5 services on 1 host.
    For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
    Host 219.226.87.56 appears to be up ... good.
    Interesting ports on 219.226.87.56:
    (The 1667 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE         VERSION
    80/tcp   open  http?
    135/tcp  open  msrpc           Microsoft Windows RPC
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
    7000/tcp open  afs3-fileserver?
    MAC Address: 00:E0:4C:E9:5E:19 (Realtek Semiconductor)
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    OS details: Microsoft Windows XP Pro SP1/SP2 or 2000 SP4
    TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!)
    IPID Sequence Generation: Incremental
    Service Info: OS: Windows
    Nmap finished: 1 IP address (1 host up) scanned in 90.156 seconds
    Raw packets sent: 1687 (74.7KB) | Rcvd: 1687 (77.7KB)

nmap -v -sP 192.168.0.0/16 10.0.0.0/8

    C:\Documents and Settings\Administrator>nmap -v -sP 219.226.87.50/24
    Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2008-05-27 17:20 中国标准时间
    Initiating ARP Ping Scan against 65 hosts [1 port/host] at 17:20
    The ARP Ping Scan took 0.53s to scan 65 total hosts.
    DNS resolution of 35 IPs took 13.09s. Mode: Async [#: 2, OK: 0, NX: 25, DR: 10, SF: 0, TR: 97, CN: 0]
    Host 219.226.87.0 appears to be down.
    Host 219.226.87.1 appears to be up.
    MAC Address: 00:0F:E2:12:CA:0B (Hangzhou Huawei-3Com Tech. Co.)
    Host 219.226.87.2 appears to be up.
    MAC Address: 00:08:02:F7:81:6F (Compaq Computer)
    Host 219.226.87.3 appears to be up.
    MAC Address: 00:11:43:5B:2C:29 (Dell)
    Host 219.226.87.4 appears to be up.
    MAC Address: 00:11:D8:A2:0D:11 (Asustek Computer)
    Host 219.226.87.5 appears to be down.
    Host 219.226.87.6 appears to be down.
    Host 219.226.87.7 appears to be down.
    Host 219.226.87.8 appears to be down.
    Host 219.226.87.9 appears to be down.
    Host 219.226.87.10 appears to be down.
    Host 219.226.87.11 appears to be up.
    MAC Address: 00:E0:4C:F1:77:42 (Realtek Semiconductor)
    Host 219.226.87.12 appears to be down.
    Host 219.226.87.13 appears to be down.
    Host 219.226.87.14 appears to be down.
    Host 219.226.87.15 appears to be down.
    Host 219.226.87.16 appears to be down.
    Host 219.226.87.17 appears to be up.
    MAC Address: 00:E0:4C:F1:76:95 (Realtek Semiconductor)
    Host 219.226.87.18 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:65 (Realtek Semiconductor)
    Host 219.226.87.19 appears to be down.
    Host 219.226.87.20 appears to be up.
    MAC Address: 00:E0:4C:F1:76:88 (Realtek Semiconductor)
    Host 219.226.87.21 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:5A (Realtek Semiconductor)
    Host 219.226.87.22 appears to be up.
    MAC Address: 00:E0:4C:E9:5D:B5 (Realtek Semiconductor)
    Host 219.226.87.23 appears to be down.
    Host 219.226.87.24 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:63 (Realtek Semiconductor)
    Host 219.226.87.25 appears to be down.
    Host 219.226.87.26 appears to be down.
    Host 219.226.87.27 appears to be up.
    MAC Address: 00:E0:4C:F1:76:91 (Realtek Semiconductor)
    Host 219.226.87.28 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:42 (Realtek Semiconductor)
    Host 219.226.87.29 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:4B (Realtek Semiconductor)
    Host 219.226.87.30 appears to be up.
    MAC Address: 00:E0:4C:E9:5D:FB (Realtek Semiconductor)
    Host 219.226.87.31 appears to be up.
    MAC Address: 00:E0:4C:F1:76:BC (Realtek Semiconductor)
    Host 219.226.87.32 appears to be up.
    MAC Address: 00:E0:4C:E9:5D:CF (Realtek Semiconductor)
    Host 219.226.87.33 appears to be up.
    MAC Address: 00:E0:4C:F1:76:84 (Realtek Semiconductor)
    Host 219.226.87.34 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:76 (Realtek Semiconductor)
    Host 219.226.87.35 appears to be down.
    Host 219.226.87.36 appears to be down.
    Host 219.226.87.37 appears to be down.
    Host 219.226.87.38 appears to be down.
    Host 219.226.87.39 appears to be up.
    MAC Address: 00:E0:4C:E9:5E:88 (Realtek Semiconductor)
    Host 219.226.87.40
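
The lab asks for each scan result to be copied into the report and explained. The following Python code is an added example, not part of the original lab handout: it parses the Nmap 4.01 port table from the -sV record into structured records (including the "not shown" summary line, combined states such as open|filtered, and the "?" marker on unconfirmed service names) and lists ports that may be open but are missing from an allow-list. The allow-list `ALLOWED` and the function names `parse_scan` and `audit` are assumptions made for illustration.

```python
import re

# Port table copied from the "nmap -sV 219.226.87.56" lab record (Nmap 4.01 format).
SAMPLE = """\
Interesting ports on 219.226.87.56:
(The 1667 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE         VERSION
80/tcp   open  http?
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds    Microsoft Windows XP microsoft-ds
7000/tcp open  afs3-fileserver?
MAC Address: 00:E0:4C:E9:5E:19 (Realtek Semiconductor)
"""
# Hypothetical allow-list: the services this host is expected to expose.
ALLOWED = {"219.226.87.56": {(80, "tcp")}}

HOST = re.compile(r"^Interesting ports on (.+):\s*$")
HIDDEN = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: ([\w|]+)\)")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Return {host: {"hidden": (count, state), "ports": [record, ...]}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST.match(line):
            cur = hosts.setdefault(m.group(1), {"hidden": None, "ports": []})
        elif cur is None:
            continue  # ignore banner lines before the first host section
        elif m := HIDDEN.match(line):
            cur["hidden"] = (int(m.group(1)), m.group(2))
        elif m := PORT.match(line):
            port, proto, state, service, version = m.groups()
            cur["ports"].append({
                "port": int(port), "proto": proto, "version": version.strip(),
                "states": state.split("|"),         # "open|filtered" -> both candidates
                "service": service.rstrip("?"),
                "guessed": service.endswith("?")})  # "?" = service name not confirmed
    return hosts

def audit(hosts, allowed):
    """Return (host, port, proto, service, certainty, guessed) per unexpected port."""
    findings = []
    for host, info in hosts.items():
        for p in info["ports"]:
            if "open" in p["states"] and (p["port"], p["proto"]) not in allowed.get(host, set()):
                certainty = "confirmed" if p["states"] == ["open"] else "ambiguous"
                findings.append((host, p["port"], p["proto"], p["service"], certainty, p["guessed"]))
    return findings
```

Calling `audit(parse_scan(SAMPLE), ALLOWED)` returns one tuple per unexpected port, which can be pasted into the report table next to the explanation of each result.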