Nmap Host Discovery

Table of contents

- 0x00 How host discovery works
- 0x01 Basic scan
- 0x02 Ping scan
- 0x03 No-ping scan
- 0x04 TCP SYN Ping scan
- 0x05 TCP ACK Ping scan
- 0x06 UDP Ping scan
- 0x07 ICMP Ping Types scan
- 0x08 ARP Ping scan
- 0x09 List scan
- 0x10 Disable reverse DNS resolution
- 0x11 Reverse DNS resolution
- 0x12 Use the system DNS resolver
- 0x13 Scan an IPv6 address
- 0x14 Traceroute
- 0x15 SCTP INIT Ping scan
0x00 How host discovery works

Host discovery works much like the ping command: a probe packet is sent to the target host, and if a reply comes back the target is considered up. Nmap supports more than ten different host probing methods, such as sending ICMP ECHO/TIMESTAMP/NETMASK messages, TCP SYN/ACK packets, or SCTP INIT/COOKIE-ECHO packets, so the user can pick whichever method suits the conditions at hand.

Basic principle of host discovery (taking ICMP echo as the example):

The Nmap user sits at the source, IP address 192.168.0.5, and sends an ICMP Echo Request to the target host 192.168.0.3. If the request is not dropped by a firewall, the target replies with an ICMP Echo Reply, and that reply is what tells Nmap the target host is online.
By default, Nmap sends four different types of packets to test whether the target host is up:

- ICMP echo request
- a TCP SYN packet to port 443
- a TCP ACK packet to port 80
- an ICMP timestamp request

The four probes are sent one after another to test whether the target is up; a reply to any one of them is enough to prove the target is up. Using four different packet types reduces wrong verdicts caused by firewalls or packet loss.
Option | Description
---|---
-sP | Ping scan
-P0 | No-ping scan
-PS | TCP SYN Ping scan
-PA | TCP ACK Ping scan
-PU | UDP Ping scan
-PE; -PP; -PM | ICMP Ping Types scan
-PR | ARP Ping scan
-n | Disable reverse DNS resolution
-R | Always do reverse DNS resolution
--system-dns | Use the system DNS resolver
-sL | List scan
-6 | Scan IPv6 addresses
--traceroute | Traceroute
-PY | SCTP INIT Ping
0x01 Basic scan

This scan can be run against an IP address or a domain name. It is fast and conveniently reveals which ports on the target are open and whether the host is online. The command takes the following form:

```
# IP address
nmap 10.10.10.148
# domain name
nmap www.furi.com.cn
```
- If the host is not up, the scan output looks like this:

```
λ nmap 10.10.10.148 # basic scan of an IP address
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:00 中国标准时间
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.66 seconds # result: the host is not up
```

This gives the same result as the command `nmap -sP 10.10.10.148`.
- If the host is up, the scan output looks like this:

```
λ nmap www.furi.com.cn # basic scan of a domain name
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 13:36
Nmap scan report for www.furi.com.cn (58.215.65.32)
Host is up (0.029s latency).
Not shown: 975 closed ports
PORT STATE SERVICE # port and service results for the host
21/tcp open ftp # port 21 (ftp) is open
42/tcp filtered nameserver # port 42 (nameserver) is probably filtered
53/tcp open domain
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
901/tcp filtered samba-swat
1025/tcp filtered NFS-or-IIS
1433/tcp open ms-sql-s
1434/tcp filtered ms-sql-m
3128/tcp filtered squid-http
3306/tcp open mysql
3389/tcp open ms-wbt-server
4444/tcp filtered krb524
6129/tcp filtered unknown
6669/tcp filtered irc
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49158/tcp open unknown
49167/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds
```

This gives the same result as the command `nmap -P0 www.furi.com.cn`.
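The listings above are meant to be read by a person; when many discovery runs have to be compared (for example the same targets scanned with the default probes, with -sP and with -P0), it helps to turn the report into data. The following Python parser is an added example for this post, not code from the original author or from Nmap (Nmap's own -oX and -oG output formats are the supported route to machine-readable results). It handles the line types that appear in the listings on this page: the scan report header, "Host is up", the port table, the MAC Address line, the "Host seems down" note and the closing "Nmap done" summary. The two sample outputs embedded in it are constructed, modelled on the page's listings, using RFC 5737 test addresses.

```python
"""Parse Nmap "normal" output into structured host records (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

REPORT_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<addr>[^)]+)\))?$")
UP_RE = re.compile(r"^Host is up(?: \((?P<lat>[\d.]+)s latency\))?\.$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>[^)]+)\))?")
DONE_RE = re.compile(r"^Nmap done: (?P<addrs>\d+) IP address(?:es)? \((?P<up>\d+) hosts? up\)")


@dataclass
class HostReport:
    name: str                      # name as printed (hostname or address)
    addr: str                      # IP address
    up: bool = False
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None
    ports: List[dict] = field(default_factory=list)

    def open_ports(self) -> List[int]:
        return sorted(p["port"] for p in self.ports if p["state"] == "open")


@dataclass
class ScanResult:
    hosts: List[HostReport] = field(default_factory=list)
    seems_down: bool = False       # Nmap printed "Note: Host seems down"
    addrs_scanned: int = 0
    hosts_up: int = 0


def parse_nmap_output(text: str) -> ScanResult:
    """Walk the output line by line; a 'scan report' line opens a new host."""
    result = ScanResult()
    current: Optional[HostReport] = None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing "# ..." annotations
        m = REPORT_RE.match(line)
        if m:
            name = m.group("name")
            current = HostReport(name=name, addr=m.group("addr") or name)
            result.hosts.append(current)
            continue
        if line.startswith("Note: Host seems down"):
            result.seems_down = True
            continue
        m = DONE_RE.match(line)
        if m:
            result.addrs_scanned = int(m.group("addrs"))
            result.hosts_up = int(m.group("up"))
            continue
        if current is None:
            continue                              # header lines before any host
        m = UP_RE.match(line)
        if m:
            current.up = True
            current.latency_s = float(m.group("lat")) if m.group("lat") else None
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append({"port": int(m.group("port")), "proto": m.group("proto"),
                                  "state": m.group("state"), "service": m.group("service")})
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac, current.vendor = m.group("mac"), m.group("vendor")
    return result


def up_addresses(result: ScanResult) -> set:
    """Addresses that answered a probe; useful for diffing two discovery runs."""
    return {h.addr for h in result.hosts if h.up}


# Constructed samples (not real scan output), shaped like the listings above.
DOWN_SAMPLE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:00
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.66 seconds
"""

UP_SAMPLE = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 13:36
Nmap scan report for www.example.test (203.0.113.10)
Host is up (0.029s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
445/tcp filtered microsoft-ds
MAC Address: 00:0C:29:AA:BB:CC (VMware)
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds
"""

if __name__ == "__main__":
    for sample in (DOWN_SAMPLE, UP_SAMPLE):
        res = parse_nmap_output(sample)
        print("seems_down=%s hosts_up=%d" % (res.seems_down, res.hosts_up))
        for h in res.hosts:
            print("  %s up=%s latency=%s mac=%s open=%s"
                  % (h.addr, h.up, h.latency_s, h.mac, h.open_ports()))
```

Running two discovery scans of the same range and comparing `up_addresses()` of each result shows directly which hosts only one probe type could reach, which is the practical reason the page tries several probe types against the same target.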
0x02 Ping scan

A ping scan only pings the targets and then lists the hosts that are up. It gathers target information easily without being noticed easily. By default, Nmap sends an ICMP echo request and one TCP packet to the target port. The advantage of a ping scan is that it returns little output and is very efficient, but the accuracy of its results is not guaranteed.

```
λ nmap -sP 10.10.10.148-150 # ping scan of the given IP range
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:35 中国标准时间
Nmap scan report for 10.10.10.148 # report for host 10.10.10.148
Host is up (0.00s latency). # the host is confirmed up
MAC Address: 00:0C:29:7C:0C:79 (VMware) # MAC address of the host
Nmap done: 3 IP addresses (1 host up) scanned in 1.65 seconds
```
0x03 No-ping scan

A no-ping scan is commonly used when a firewall blocks ping; it can still determine which hosts are running. By default, Nmap only performs intensive probing, such as port scanning, version detection and OS detection, against hosts it has found to be up. With the -P0 option, ping-based host discovery is disabled and every specified target IP address is scanned with the requested scan types; this gets through the firewall and also avoids being noticed by it.

- Command format:

```
nmap -P0 [protocol1,protocol2,...] target
```
```
λ nmap -P0 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:46 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.00094s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds
```
- If no protocol is specified, Nmap defaults to protocols 1, 2 and 4. To see how these probes decide whether the target host is up, add the --packet-trace option:

```
nmap -P0 --packet-trace 10.10.10.148
```

- The protocols Nmap supports, with their protocol numbers:
  - TCP: protocol number 6
  - UDP: protocol number 17
  - ICMP: protocol number 1
  - IGMP: protocol number 2

```
nmap -P0 6,17,2 10.10.10.148
```
0x04 TCP SYN Ping scan

Normally Nmap's default ping scan uses TCP SYN and ICMP ECHO requests to check whether the target answers. When the target host's firewall blocks those requests, a TCP SYN Ping scan can be used to decide whether the target host is up.
```
λ nmap -PS 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:33 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.00085s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds
```
- The -PS option sends an empty TCP packet with the SYN flag set. The default destination port is 80, but a different port can be given with the option, and a comma-separated port list can be specified; each port is probed in parallel:

```
nmap -PS80,100-200 10.10.10.148
```
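As an added illustration for this post (not code from the original author or from Nmap), the following Python functions expand a port specification of the form these options accept, such as 80,100-200, into the list of ports Nmap will probe, and build the argument vector for the command without passing the target through a shell. Validating the list up front lets a wrapper script reject a typo before Nmap is launched and record exactly which ports were probed. The function names are my own.

```python
"""Expand an Nmap-style port list ("80,100-200") and build a -PS/-PA/-PU argv (added example)."""
from typing import List

PORT_LIST_FLAGS = {"PS", "PA", "PU"}   # discovery options on this page that take a port list


def expand_port_spec(spec: str) -> List[int]:
    """Return the sorted, de-duplicated ports named by spec.

    Accepts single ports and lo-hi ranges separated by commas. Raises
    ValueError on an empty element, a non-numeric port, a reversed range,
    or a port outside 1-65535.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port specification %r" % spec)
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)    # int() raises on non-numeric text
            if lo > hi:
                raise ValueError("reversed range %r" % item)
        else:
            lo = hi = int(item)
        if lo < 1 or hi > 65535:
            raise ValueError("port out of range in %r" % item)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def build_ping_argv(flag: str, spec: str, target: str) -> List[str]:
    """Build argv such as ['nmap', '-PS80,100-200', '10.10.10.148'].

    The port list is attached directly to the flag, as Nmap expects, and the
    command is returned as a list so it can be handed to subprocess.run()
    without any shell interpretation of the target string.
    """
    if flag not in PORT_LIST_FLAGS:
        raise ValueError("flag %r does not take a port list" % flag)
    expand_port_spec(spec)                     # validate before use
    return ["nmap", "-%s%s" % (flag, spec), target]


if __name__ == "__main__":
    argv = build_ping_argv("PS", "80,100-200", "10.10.10.148")
    print("would run:", " ".join(argv))
    print("ports probed:", len(expand_port_spec("80,100-200")))
    # subprocess.run(argv, check=False)  # run on a host where nmap is installed
```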
0x05 TCP ACK Ping scan

Many firewalls block SYN packets, so Nmap also provides a TCP ACK Ping scan. The difference from TCP SYN Ping is that the TCP flag set is ACK rather than SYN. Nmap sends a TCP packet with the ACK flag to the target host; if the target host is not up it does not answer, and if it is online it returns an RST packet.
```
λ nmap -PA 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:48 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.00052s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
```
- The TCP SYN Ping and TCP ACK Ping methods that Nmap provides can be used together:

```
nmap -PA -PS 10.10.10.148
```
0x06 UDP Ping scan

In a UDP Ping scan Nmap sends an empty UDP packet to the target host. If the target host responds, it returns an ICMP port unreachable error; if the target is not up, various other ICMP error messages come back. The -PU option sends an empty UDP packet to the specified port; if no port is given, the default is 40125.
```
λ nmap -PU 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:55 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.0011s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
```
- The -PU option can also take a port list:

```
nmap -PU80,100 10.10.10.148
```
0x07 ICMP Ping Types scan

The -PE, -PP and -PM options perform the ICMP Ping Types scans.

- -PE enables the ICMP echo request probe;
- -PP is the ICMP timestamp Ping scan: although most firewall configurations do not allow ICMP Echo requests, a misconfigured firewall may still answer ICMP timestamp requests, so a timestamp request can be used to determine whether the host is up;
- -PM performs an ICMP address mask Ping scan.

```
nmap -PE 10.10.10.148
nmap -PP 10.10.10.148
nmap -PM 10.10.10.148
```
0x08 ARP Ping scan

The -PR option is usually used when scanning a local network. An ARP Ping scan has Nmap send an ARP request to the target. On an internal network this is the most effective method: firewalls on the local LAN do not block ARP requests, so ARP Ping works very well on the inside. By default, when Nmap is on the same LAN as the target host it performs an ARP scan automatically; if you do not want this, specify --send-ip.
```
λ nmap -PR 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:13 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.00066s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds
```
0x09 List scan

A list scan is a degenerate form of host discovery: it simply lists every host in the specified network without sending any packets to the targets. By default, Nmap still performs reverse DNS resolution on the hosts to learn their names.

```
λ nmap -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:39 中国标准时间
Nmap scan report for 127.0.0.0
Nmap scan report for transact.netsarang.com (127.0.0.1)
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 3.64 seconds
```
0x10 Disable reverse DNS resolution

The -n option disables DNS resolution; with this option Nmap never performs reverse DNS resolution on target IP addresses.

```
λ nmap -n -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:40 中国标准时间
Nmap scan report for 127.0.0.0
Nmap scan report for 127.0.0.1
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.22 seconds
```
0x11 Reverse DNS resolution

The -R option forces reverse DNS resolution; with this option Nmap always performs reverse DNS resolution on target IP addresses.

```
λ nmap -R -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:40 中国标准时间
Nmap scan report for 127.0.0.0
Nmap scan report for transact.netsarang.com (127.0.0.1)
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 1.07 seconds
```
0x12 Use the system DNS resolver

--system-dns means use the system's DNS resolver. By default, Nmap resolves names by sending queries directly to the DNS servers configured on your host, and for performance many of these requests run in parallel. Specify this option if you prefer to use the resolver built into the system.

```
λ nmap --system-dns 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:45 中国标准时间
Nmap scan report for 127.0.0.0
Host is up.
All 1000 scanned ports on 127.0.0.0 are filtered
Nmap scan report for transact.netsarang.com (127.0.0.1)
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
808/tcp open ccproxy-http
902/tcp open iss-realsecure
912/tcp open apex-mesh
1001/tcp open webpush
5357/tcp open wsdapi
6000/tcp open X11
50000/tcp open ibm-db2
Nmap scan report for 127.0.0.2
Host is up (0.0017s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
808/tcp open ccproxy-http
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
Nmap scan report for 127.0.0.3
Host is up (0.0018s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
443/tcp open https
445/tcp open microsoft-ds
808/tcp open ccproxy-http
902/tcp open iss-realsecure
912/tcp open apex-mesh
5357/tcp open wsdapi
Nmap done: 4 IP addresses (4 hosts up) scanned in 18.36 seconds
```
0x13 Scan an IPv6 address

```
λ nmap -6 fe80::a8b7:c0a2:aa08:4655
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 17:11 中国标准时间
Nmap scan report for fe80::a8b7:c0a2:aa08:4655
Host is up.
All 1000 scanned ports on fe80::a8b7:c0a2:aa08:4655 are filtered
Nmap done: 1 IP address (1 host up) scanned in 202.67 seconds
```
0x14 Traceroute

The --traceroute option performs route tracing. Route tracing helps the user understand how traffic travels through the network: with this option you can easily find out which network nodes lie between the local computer and the target, and see the time taken to pass through each node.

```
λ nmap --traceroute -v 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:57 中国标准时间
Initiating ARP Ping Scan at 16:57
Scanning 10.10.10.148 [1 port]
Completed ARP Ping Scan at 16:57, 0.62s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:57
Completed Parallel DNS resolution of 1 host. at 16:58, 2.55s elapsed
Initiating SYN Stealth Scan at 16:58
Scanning 10.10.10.148 [1000 ports]
Discovered open port 3306/tcp on 10.10.10.148
Discovered open port 445/tcp on 10.10.10.148
Discovered open port 135/tcp on 10.10.10.148
Discovered open port 3389/tcp on 10.10.10.148
Discovered open port 80/tcp on 10.10.10.148
Discovered open port 81/tcp on 10.10.10.148
Discovered open port 8009/tcp on 10.10.10.148
Discovered open port 8008/tcp on 10.10.10.148
Discovered open port 49153/tcp on 10.10.10.148
Discovered open port 8200/tcp on 10.10.10.148
Discovered open port 8021/tcp on 10.10.10.148
Discovered open port 8084/tcp on 10.10.10.148
Discovered open port 49154/tcp on 10.10.10.148
Discovered open port 49157/tcp on 10.10.10.148
Discovered open port 83/tcp on 10.10.10.148
Discovered open port 8081/tcp on 10.10.10.148
Discovered open port 1433/tcp on 10.10.10.148
Discovered open port 8031/tcp on 10.10.10.148
Discovered open port 49155/tcp on 10.10.10.148
Discovered open port 89/tcp on 10.10.10.148
Discovered open port 8086/tcp on 10.10.10.148
Discovered open port 85/tcp on 10.10.10.148
Discovered open port 90/tcp on 10.10.10.148
Discovered open port 8085/tcp on 10.10.10.148
Discovered open port 8001/tcp on 10.10.10.148
Discovered open port 139/tcp on 10.10.10.148
Discovered open port 8002/tcp on 10.10.10.148
Discovered open port 88/tcp on 10.10.10.148
Discovered open port 8007/tcp on 10.10.10.148
Discovered open port 8022/tcp on 10.10.10.148
Discovered open port 49152/tcp on 10.10.10.148
Discovered open port 8088/tcp on 10.10.10.148
Discovered open port 84/tcp on 10.10.10.148
Discovered open port 82/tcp on 10.10.10.148
Discovered open port 8082/tcp on 10.10.10.148
Discovered open port 8010/tcp on 10.10.10.148
Discovered open port 49156/tcp on 10.10.10.148
Completed SYN Stealth Scan at 16:58, 1.37s elapsed (1000 total ports)
Nmap scan report for 10.10.10.148
Host is up (0.00034s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 10.10.10.148
Read data files from: D:RolanToolsInfoGatheringNmap
Nmap done: 1 IP address (1 host up) scanned in 5.17 seconds
Raw packets sent: 1093 (48.076KB) | Rcvd: 1001 (40.176KB)
```
0x15 SCTP INIT Ping scan

SCTP is a transport-layer protocol defined by the IETF in 2000. It can be seen as an improvement on TCP that addresses some of TCP's shortcomings. An SCTP INIT Ping scan sends INIT packets to the target and judges from the target host's response whether it is up.

```
λ nmap -PY 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 17:03 中国标准时间
Nmap scan report for 10.10.10.148
Host is up (0.0015s latency).
Not shown: 963 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
88/tcp open kerberos-sec
89/tcp open su-mit-tg
90/tcp open dnsix
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
3306/tcp open mysql
3389/tcp open ms-wbt-server
8001/tcp open vcom-tunnel
8002/tcp open teradataordbms
8007/tcp open ajp12
8008/tcp open http
8009/tcp open ajp13
8010/tcp open xmpp
8021/tcp open ftp-proxy
8022/tcp open oa-system
8031/tcp open unknown
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8084/tcp open unknown
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8200/tcp open trivnet1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds
```