1 nmap 简介

Nmap 即 Network Mapper,最早是Linux下的网络扫描和嗅探工具包。

nmap是网络扫描和主机检测的工具,用nmap进行信息收集和检测漏洞,功能有:

  • 检测存活主机
  • 检测主机开放端口(端口发现或枚举)
  • 检测端口对应的软件和版本
  • 检测操作系统类型、版本,硬件地址和软件版本
  • 检测脆弱性的漏洞

2 安装使用

2-1 安装

安装方式1: yum

(CentOS下)

yum install nmap -y

安装方式2: rpm

上传路径: /opt/nmap/nmap-7.91-1.x86_64.rpm

  • step2 安装
cd /opt/namp/
yum localinstall *.rpm
或者 rpm -Uvh *.rpm


2-2 基本使用

# nmap localhost    #查看主机当前开放的端口
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 07:11 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds [root@centos7 ~]# nmap -O localhost Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 07:18 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000050s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
3306/tcp open mysql
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds
nmap -p 1024-65535 localhost    #查看主机端口(1024-65535)中开放的端口
nmap -PS 192.168.21.163 #探测目标主机开放的端口
nmap -PS22,80,3306 192.168.21.163 #探测所列出的目标主机端口
nmap -O 192.168.21.163 #探测目标主机操作系统类型
nmap -A 192.168.21.163 #探测目标主机操作系统类型
nmap --help #更多nmap参数请查询帮助信息

2-3 常见使用

case0 扫描主机端口并跟踪路由

nmap --traceroute  8.8.7.5

case1 扫描(单台)主机当前开放的端口 : nmap host

# nmap localhost    #查看(单台)主机当前开放的端口
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 07:11 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds

case2 扫描多台[整个IP段(子网)]主机当前开放的端口 : nmap host/网段掩码位数 | nmap 192.168.1.*

[通过子网掩码位,分网段扫描]

# nmap 108.61.87.202/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:37 ?D1ú±ê×?ê±??
Warning: 108.61.87.27 giving up on port because retransmission cap hit (10).
Stats: 0:32:27 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.65% done; ETC: 10:10 (0:00:07 remaining)
Stats: 0:32:29 elapsed; 10 hosts completed (64 up), 64 undergoing SYN Stealth Scan

[* 本网络范围内所有主机]

可以用*通配符代表范围内的所有主机

[root@vultr ~]# nmap 108.61.87.*

Starting Nmap 5.51 ( http://nmap.org ) at 2018-07-04 15:01 CST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.62, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.62:1503 S ttl=57 id=46459 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.34, 16) => Operation not permitted
Offending packet: TCP 108.61.87.202:35647 > 108.61.87.34:34571 S ttl=45 id=57342 iplen=44 seq=3156521255 win=2048 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 108.61.87.39, 16) => Operation not permitted

[指定具体的多台主机]

nmap 192.168.1.1 192.168.5.6  //加空格分隔,写第二个ipAddress

# nmap 108.61.87.202 108.61.87.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-04 09:39 ?D1ú±ê×?ê±??
Nmap scan report for 108.61.87.202.vultr.com (108.61.87.202)
Host is up (0.32s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
22/tcp open ssh Nmap scan report for 108.61.87.1.vultr.com (108.61.87.1)
Host is up (0.32s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524 Nmap done: 2 IP addresses (2 hosts up) scanned in 77.69 seconds

case3 综合扫描: nmap -A host

-A: Enable OS detection, version detection, script scanning, and traceroute

-A: 综合扫描,包括系统探测,版本探测,脚本扫描,路由跟踪

[root@centos7-202010061038 ~]# nmap  -A   www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 07:34 UTC
Nmap scan report for www.baidu.com (119.63.197.139)
Host is up (0.11s latency).
Other addresses for www.baidu.com (not scanned): 119.63.197.151
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http-proxy sslstrip
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_http-title: \xE7\x99\xBE\xE5\xBA\xA6\xE4\xB8\x80\xE4\xB8\x8B\xEF\xBC\x8C\xE4\xBD\xA0\xE5\xB0\xB1\xE7\x9F\xA5\xE9\x81\x93
443/tcp open ssl/http-proxy sslstrip
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-robots.txt: 10 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /bh /shifen/
|_/homepage/ /cpro /
|_http-title: \xE7\x99\xBE\xE5\xBA\xA6\xE4\xB8\x80\xE4\xB8\x8B\xEF\xBC\x8C\xE4\xBD\xA0\xE5\xB0\xB1\xE7\x9F\xA5\xE9\x81\x93
| ssl-cert: Subject: commonName=baidu.com/organizationName=Beijing Baidu Netcom Science Technology Co., Ltd/stateOrProvinceName=beijing/countryName=CN
| Not valid before: 2020-04-02T07:04:58+00:00
|_Not valid after: 2021-07-26T05:31:02+00:00
|_ssl-date: 2020-10-23T07:35:14+00:00; 0s from local time.
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|switch
Running (JUST GUESSING): AVtech embedded (88%), HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: AVtech Room Alert 26W environmental monitor (88%), HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 ...
2 0.35 ms 149.28.184.193
3 ... 4
5 0.36 ms xe-1-1-10.r20.sydnau02.au.bb.gin.ntt.net (202.68.65.5)
6 18.78 ms ae-1.r21.sydnau03.au.bb.gin.ntt.net (129.250.5.44)
7 112.96 ms ae-11.r31.tokyjp05.jp.bb.gin.ntt.net (129.250.5.34)
8 113.45 ms ae-3.r03.tokyjp05.jp.bb.gin.ntt.net (129.250.3.56)
9 113.11 ms ae-0.ocn.tokyjp05.jp.bb.gin.ntt.net (120.88.53.18)
10 114.63 ms 118.23.168.138
11 ... 12
13 114.72 ms 119.63.197.139 OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.62 seconds

case4 软件版本检测: nmap -sV host

扫描目标主机的端口上运行的软件版本。

它不是用于扫描目标主机开放的端口,但需要从开放的端口获取信息来判断软件的版本。

所以,需要先进行端口扫描。

[root@centos7 ~]# nmap -sV xx.kk.yy.zz

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 07:56 UTC
Nmap scan report for xx.kk.yy.zz.vultr.com (xx.kk.yy.zz)
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
3306/tcp open mysql MySQL 5.7.31-34 Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds

openssl version / ssh -V

case5 列出 指定服务器 开放的所有SSL加密套件: nmap --script ssl-enum-ciphers -p 443 baidu.com

更多类似用法[验证xxxx套件],可参见:

使用nmap 验证多种漏洞 - CSDN

[验证弱加密SSL套件]

[root@centos7 ~]# nmap --script ssl-enum-ciphers -p 443 baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-23 08:05 UTC
Nmap scan report for baidu.com (220.181.38.148)
Host is up (0.34s latency).
Other addresses for baidu.com (not scanned): 39.156.69.79
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| compressors:
| NULL
|_ least strength: strong

[更多demo]

nmap -p 80 --script http-iis-short-name-brute +ip(192.168.1.1)[验证iis短文件名泄露]
nmap -sV -p 11211 -script memcached-info +ip[验证Memcached未授权访问漏洞]
nmap -sV -(-)script http-vuln-cve2015-1635 +ip[验证http.sys远程代码执行漏洞]
nmap -sV --script=ssl-heartbleed +ip[验证心脏出血漏洞]
nmap -p 27017 --script mongodb-info +ip[验证Mongodb未授权访问漏洞]
nmap -p 6379 --script redis-info +ip[验证Redis未授权访问漏洞]
nmap --script=http-vuln-cve2015-1427 --script-args command=‘ls’ +ip[验证Elasticsearch未授权访问漏洞]
nmap -p 873 --script rsync-brute --script-args ‘rsync-brute.module=www’ [验证Rsync未授权访问漏洞]

case6 扫描指定端口是否开放

默认扫描端口,1-10000的端口,大于10000的端口无法扫描出来

nmap -p 0-20000  8.8.7.55
# 探测服务器的0-20000端口范围,则能把大于10000的端口扫描出来了

nmap -p 10086,16638 8.8.7.55
# 使用-p参数探测10086、16388端口(指定查一个或者多个端口的状态)

case7 openssl 测试:指定服务器 是否支持 TLS 某版本的协议

关于 OpenSSH 与 OpenSSL可见:

[网络/SSH]OpenSSH: sshd / sftp-server / ssh-agent | ssh / scp / sftp | OpenSSL - 博客园/千千寰宇

# openssl s_client -connect www.baidu.com:443 -cipher RC4-SHA
# openssl s_client -connect www.baidu.com:443 -cipher DES-CBC3-SHA # openssl s_client -connect 192.168.163.131:8443 -tls1_1 # openssl s_client -connect baidu.com:443 -tls1
# openssl s_client -connect baidu.com:443 -tls1_1
# openssl s_client -connect baidu.com:443 -tls1_2

[支持 TLS1.2协议的验证结果]

# openssl s_client -connect www.baidu.com:443 -cipher RC4-SHA
# openssl s_client -connect www.baidu.com:443 -cipher DES-CBC3-SHA
(输出内容与下面类似) # openssl s_client -connect baidu.com:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CN, ST = Beijing, O = "BeiJing Baidu Netcom Science Technology Co., Ltd", OU = service operation department, CN = www.baidu.cn
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department/CN=www.baidu.cn
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHJjCCBg6gAwIBAgIQAQV1J9uhA/WtTyocZe9DYTANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMjI3MDAwMDAwWhcN
MjEwMjI2MTIwMDAwWjCBmDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcx
OTA3BgNVBAoTMEJlaUppbmcgQmFpZHUgTmV0Y29tIFNjaWVuY2UgVGVjaG5vbG9n
eSBDby4sIEx0ZDElMCMGA1UECxMcc2VydmljZSBvcGVyYXRpb24gZGVwYXJ0bWVu
dDEVMBMGA1UEAxMMd3d3LmJhaWR1LmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEArYQtyRkFnRTFFIMCr2kfMPZLlCCMUOOCTeLj7VBk5gG4OjQa+Mns
DVOqQgpy58hejCKUgaAl4Jm73RQFeIC/2BDi8yRoRBhL9YrVoQMF7/5/8RI/94Lv
pEsf8hREYtP3uxleeh6ZwJceHzg3mLNuzWbjDg4EOemRE38OHdVeURBif0jG20zm
9Q8yQWT2MKp4oP2CeQv6NdL5lGWfSLq58D6GoWWoszMoP1HPfVv1pw4ywApjc5ls
gBaXquMOTy+AGpX1RmXGDTgK5yeRWAngeIA7szABJfnIndynnW1rTaBGr184sOfq
L7KscKIxErbR6vZD71iGrciHfIG3hP0exwIDAQABo4IDtDCCA7AwHwYDVR0jBBgw
FoAUD4BhHIIxYdUvKOeNRji0LOHG2eIwHQYDVR0OBBYEFNWOkWTVS4/rqlwmRPa/
AjIO41XEMIH0BgNVHREEgewwgemCCGJhaWR1LmNuggliYWlkdS5jb22CDGJhaWR1
LmNvbS5jboILdy5iYWlkdS5jb22CDHd3LmJhaWR1LmNvbYIQd3d3LmJhaWR1LmNv
bS5jboIQd3d3LmJhaWR1LmNvbS5oa4IMd3d3LmJhaWR1LmhrghB3d3cuYmFpZHUu
bmV0LmF1ghB3d3cuYmFpZHUubmV0LnBoghB3d3cuYmFpZHUubmV0LnR3ghB3d3cu
YmFpZHUubmV0LnZugg53d3d3LmJhaWR1LmNvbYIRd3d3dy5iYWlkdS5jb20uY26C
DHd3dy5iYWlkdS5jbjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2lj
ZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwB
ATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgG
BmeBDAECAjB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAJBgNVHRMEAjAA
MIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+w
ctiDAMR7iXqo/csAAAFwhphdtAAABAMARjBEAiAk6qFarGxA9EQYUwRLa/5c+O32
PoWoiT8UHx2AnlvhpQIgWqfccctYWuyldVrEefwz7oeKmYj4DFZwA2cYqECVfokA
dQBc3EOS/uarRUSxXprUVuYQN/vV+kfcoXOUsl7m9scOygAAAXCGmF2pAAAEAwBG
MEQCIHbw6/3W4PwZoqwPGwqAnu78DBlbzlg84ngsaZ5O0Ab1AiAFae+lqnF9irvh
x9JyWUoedSqno53X+DqRp4vvD+uTDzANBgkqhkiG9w0BAQsFAAOCAQEAfHiQU/1K
AjZzbD5Eoy/gN5Gkbhtowztis1TZBlxkHsrqAxGXT47ZuHqo5JuSm/LePzKyuJXl
/E4H8kCk7a7tt2NWHFPIahU1svot1pAK9zyQItsJFqnwgQUBPwPGulgP7s/CquK2
U9KCTWHDMiT30lG5ydEKXUq520yn6Ew4V4fzFdINiO78VJzYb1og7Eb1m1wNwEWm
GrMRBOlVdoPKDLluyowGzIbwAADp/GSl5kGgNo7R4fDOT8Umv58p8qYKxu5bto++
G0h8rqce1b2jsRjBd1NaXG0azwAMncK615vGMdgrH/SAXLKewPErz5kWohIdVWzz
wKIvDsysKW1iSg==
-----END CERTIFICATE-----
subject=/C=CN/ST=Beijing/O=BeiJing Baidu Netcom Science Technology Co., Ltd/OU=service operation department/CN=www.baidu.cn
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3672 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 405CBA3129490307D7A3845E07B3717B61295B5C6468D2C8A66A34E1E45DDF4B
Session-ID-ctx:
Master-Key: 2277DC7723C031C06B2DBBBB4E919D580B179BB81C00AF2E7D026A22221794554C1F560DC03311BCB70BC786F42B5A55
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 72000 (seconds)
TLS session ticket:
0000 - 1e 9c 4e 9f 18 19 4b f9-dd ff 98 d8 98 cb ee 0d ..N...K.........
0010 - 7b f5 83 7d 0f a3 31 d2-22 18 d0 db e3 c8 2a 52 {..}..1.".....*R
0020 - f3 c7 06 5d e1 8c 75 c0-58 60 90 b7 af bd 4a 62 ...]..u.X`....Jb
0030 - 3a b8 3c 17 81 32 b5 60-2f 45 16 fe 68 a6 2c c8 :.<..2.`/E..h.,.
0040 - bd 79 6f 57 fb 2d bb f0-a8 38 f1 01 67 3b 6c 8e .yoW.-...8..g;l.
0050 - 0c 8b 73 04 de 0c 02 df-8f 4b dc 3d 31 1f 79 01 ..s......K.=1.y.
0060 - b7 43 86 a2 cc 29 e0 77-0f 0c 56 f7 01 a4 81 ed .C...).w..V.....
0070 - ec a5 74 46 be cd 94 cd-eb af 8e 6d 46 fb b9 62 ..tF.......mF..b
0080 - dc 0d 88 63 1b 6f 60 8c-a2 21 47 72 64 ff 5e 43 ...c.o`..!Grd.^C
0090 - 35 3b 2b 41 19 5b f6 fa-4e 5d 9a de cf 40 de 66 5;+A.[..N]...@.f Start Time: 1603446407
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
closed

Cipher说明:

SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
  • TLS协议: 支持TLS1.2版本
  • 密钥交换算法: ECDHE-RSA (Elliptic Curve Diffie-Hellman Ephemeral, 椭圆曲线Diffie-Hellman临时-RSA密钥交换算法)
  • 加密算法: AES128-GCM
GCM:Galois计数器模式(Galois/Counter Mode)。
消息认证码(MAC,Message Authentication Code)用于保障消息的完整性,防止各种伪造。
AES-CMAC 使用分组密码,取代 HMAC 的加密散列函数。
Galois 消息认证码(GMAC)则采用了 AES 算法的一种特殊模式。
  • 报文认证信息码(MAC)算法: SHA256

[不支持 TLS1协议的验证结果]

# openssl s_client -connect xxxx.com:443 -tls1
CONNECTED(000000D8)
5424:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1565314976
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

3 namp命令

[root@centos7 ~]# nmap --help

Nmap 6.40 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma separted list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

4 补充: ntsysv

ntsysv # 打开系统服务器管理器(需先安装yum install ntsysv),选择要关闭或者打开的服务

X 参考/推荐资料

[网络/Linux]网络嗅探工具——nmap的更多相关文章

  1. Kail Linux渗透测试教程之网络扫描和嗅探工具Nmap

    Kail Linux渗透测试教程之网络扫描和嗅探工具Nmap 网络扫描和嗅探工具——Nmap Nmap也就网络映射器(Network Mapper),是一个免费开放的网络扫描和嗅探工具.该工具可以扫描 ...

  2. linux 局域网探测工具nmap

    NMap,也就是Network Mapper,是Linux下的网络扫描和嗅探工 具包,其基本功能有三个, 一是探测一组主机是否在线: 其次是扫描主机端口,嗅探所提供的网络服务: 还可以推断主机所用的操 ...

  3. linux如何ARP嗅探 Linux下嗅探工具Dsniff安装记录

      先来下载依赖包 和一些必须要用到的工具 我这里用的是 dsniff-2.3 的版本 wget http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.ta ...

  4. 安全测试 - 端口嗅探工具Nmap

    Nmap 在官网下载nmap端口检测工具https://nmap.org/,nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端. 使用: 通过cmd命令:nmap www.5i5j.c ...

  5. [转]linux下iftop工具的安装与使用详解(图文)——实时的网络流量,监控TCP/IP连接(单机)

    原文链接:http://www.jbxue.com/LINUXjishu/10735.html 在linux中监控系统资源.进程.内存占用等信息,可以使用top命令.查看网络状态可以使用netstat ...

  6. [推荐] 网络侦查工具 NMAP 简单入门

    [推荐] 网络侦查工具 NMAP 简单入门 # 前言 作为一只运维开发,总是避不开要和网络打交道的.尤其是当自身能力到达瓶颈,开始从事云计算以求突破.会有搭建多台虚拟机的需要,这时候如果在手工的查询 ...

  7. 网络防嗅探工具SniffJoke

    网络防嗅探工具SniffJoke   在渗透测试中,通过网络嗅探,可以获取网络通信主机的各种信息.为了防止嗅探,Kali Linux提供了专用工具SniffJoke.该工具能够自动对用户的网络数据进行 ...

  8. 网络数据嗅探工具HexInject

    网络数据嗅探工具HexInject   网络数据嗅探是渗透测试工作的重要组成部分.通过嗅探,渗透人员可以了解足够多的内容.极端情况下,只要通过嗅探,就可以完成整个任务,如嗅探到支持网络登录的管理员帐号 ...

  9. Linux 网络工具

    1 nethogs nethogs 是一个免费的工具,当要查找哪个 PID (注:即 process identifier,进程 ID) 给你的网络流量带来了麻烦时,它是非常方便的.它按每个进程来分组 ...

  10. 批量Linux 网络安装环境建立工具cobbler/kickstart

    批量Linux 网络安装环境建立工具网络安装服务器套件:     Cobbler(Red Hat 2008年发布的项目)    Kickstart(Red Hat08年前项目,相关脚本令人望而却步,现 ...

随机推荐

  1. Java Fastjson Unserialize WriteUp

    Java Fastjson Unserialize 题目地址: https://ctf.bugku.com/challenges/detail/id/339.html 1. 查看网页源代码 <s ...

  2. 狐漠漠养成日记 Cp.00000 前言

    前言 狐漠漠是我的常用网名,来源是因为我非常非常非常喜欢耳廓狐(也称作沙漠狐),所以我就给自己拟造了一个名叫狐漠漠的虚拟形象(如下图所示). 设定上是女孩子因为我想当女孩子但是我不是所以我就在设定上满 ...

  3. 内部类(Java)

    内部类 基本介绍 概念:在一个类的内部再定义一个完整类 特点:编译之后可生成独立的字节码文件:内部类可以直接访问外部类的私有属性,不破坏封装性 分类:成员内部类:静态内部类:局部内部类:匿名内部类 p ...

  4. jetson nano 2gb相关问题

    1.create_ap不能根据address设置带设备号的wifi热点 sudo nohup create_ap wlan0 eth0 ZL_Jetson_WIFI-$(sudo cat /sys/c ...

  5. 简单了解promise

    promise是什么: JavaScript中存在很多异步操作, Promise将异步操作队列化,按照期望的顺序执行,返回 符合预期的结果.可以通过链式调用多个 Promise达到我们的目的. Pro ...

  6. 06 HBase安装与伪分布式配置

    1.下载压缩文件 2.解压 3.修改文件夹名 4.修改文件夹权限 5.配置环境变量 6.伪分布式配置文件 7.启动HDFS,启动Hbase 8.进入shell界面 9.停止Hbase,停止HDFS运行

  7. 02题解-洛谷 P2395 BBCode转换Markdown 题解

    洛谷 P2395 BBCode转换Markdown 题解 题目传送门: here. 一道毒瘤的大模拟,给了你一部分的 BBCode 和 Markdown 语法,叫你转换.如下表: BBCode Mar ...

  8. Java包机制与文档注释

    Java包机制与文档注释 包机制 为了更好地组织类,java提供包机制,用于区分类名的命名空间 包语句的语法: package pkg1.pkg2.pkg3...; // 必须在文件第一行 一般用公司 ...

  9. 初学,Markdown的使用

    Markdown学习 一级标题:"#"+空格+"标题" 二级标题 二级标题:"##"+空格+"标题" 三级标题 三级标题 ...

  10. 007使用IDEA开发

    007使用IDEA开发 1.什么叫IDE? 集成开发环境(IDE,Integrated Development Environment)是用于提供程序开发环境的应用程序,一般包括代码编辑器.编译器.调 ...