nmap扫描结果有哪些 如何使用nmap扫描一个网段的主机?很多人不了解,今天健康百科网为大家带来相关内容,下面小编为大家整理介绍。
1. Nmap系统识别
(1)识别操作系统
nmap -O
确定目标主机192.168.33.152的操作系统类型。按如下方式执行命令:
从2021年8月2日15:22 CST开始Nmap 7.70(https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/5iq54audkg1
主机启动(0.00036秒延迟)。
港口国家服务局
22/tcp开放ssh
MAC地址: 00:0 c 3360293360 FD 336058:4 b(VMware)# MAC地址
运行: Linux 3。X|4。X #运行系统
操作系统详细信息: Linux 3.2-4.9 #操作系统详细信息
已执行操作系统检测。请在https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/qazit3qrkbk
Nmap完成: 1个IP地址(1台主机启动)在1.86秒内扫描完毕
root @ daxueba : ~ # nmap-O 10 . 10 . 1 . 11
……
TCP/IP指纹:
OS :4048% P=i686-PC-windows-windows)SEQ(CI=I % II=I % TS=U)OPS(O1=M400 % O2=% O3=% O4
OS :=% O5=% O6=)OPS(O1=% O2=% O3=M400 % O4=% O5=% O6=)OPS(O1=M400 % O2=% O3=M400 % O4=% O5
OS:=0%W6=0)WIN(W1=0%W2=7FF%W3=7FF%W4=0%W5=0%W6=0)WIN(W1=0%W2=0%W3=7FF%W4=0%
OS:%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=40%S=O%A=O
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)
以上输出信息就是Nmap向数据库提交的指纹信息,这些指纹信息是自动生成的,并且标识了目标系统的操作系统。
Starting Nmap 7.70 ( https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/1nh1svwak3t.org ) at 2021-08-02 16:02 CST
Host is up (0.00073s latency).
PORT STATE SERVICE
80/tcp open https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/zvnon3esuxk
5678/tcp open rrac
52869/tcp open unknown
Device type: general purpose
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
Network Distance: 1 hop
Host is up (0.000085s latency).
MAC Address: 1C:6F:65:C8:4C:89 (Giga-byte Technology)
Host is up (0.00047s latency).
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
443/tcp open https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/pkmeibbzkci
902/tcp open iss-realsecure
1433/tcp open ms-sql-s
5357/tcp open wsdapi
49153/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
Device type: general purpose
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
Server 2008 R2, Windows 8, or Windows 8.1 Update 1 #操作系统详细信息
Nmap scan report for 192.168.1.6 (192.168.1.6)
Not shown: 977 closed ports
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
111/tcp open rpcbind
445/tcp open microsoft-ds
513/tcp open login
1099/tcp open rmiregistry
2049/tcp open nfs
3306/tcp open mysql
5900/tcp open vnc
6667/tcp open irc
8180/tcp open unknown
Device type: general purpose
OS CPE: cpe:/o:linux:linux_kernel:2.6
Network Distance: 1 hop
Host is up (0.00093s latency).
MAC Address: 00:0C:29:6C:C4:92 (VMware)
Host is up (0.000010s latency).
OS detection performed. Please report any incorrect results at
Nmap done: 256 IP addresses (6 hosts up) scanned in 7.64 seconds
从以上输出信息可以看到,如果探测到目标主机上存在开放的端口,则推测出了其操作系统类型;如果目标主机上不存在开放的端口,则无法推测其操作系统类型。
(3)推测操作系统
当Nmap无法确定所探测的操作系统时,会尽可能地提供最相近的匹配。为了对目标系统推测得更准确,可以使用--osscan-guess或--fuzzy选项来实现。语法格式如下:
nmap -O --osscan-guess;--fuzzy
其中,--osscan-guess;--fuzzy选项用于推测操作系统检测结果,将以百分比的方式给出对操作系统信息的猜测。当Nmap无法确定所检测的操作系统时,会尽可能地提供最相近的匹配。Nmap默认进行这种匹配,使用任意一个选项将使得Nmap的推测更加有效。
推测目标主机www.163.com的操作系统类型。执行命令如下:
root@daxueba:~# nmap -O --osscan-guess www.163.com
Nmap scan report for www.163.com (124.163.204.105)
Other addresses for www.163.com (not scanned): 2408:8726:5100::4f
Not shown: 955 closed ports
80/tcp open https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/zvnon3esuxk
82/tcp open xfer
88/tcp open kerberos-sec
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose|firewall|media device|phone|broadband router security-misc
embedded (91%), Google Android 5.X (90%), D-Link embedded (90%), Draytek
OS CPE: cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:2.6.32
android:5.0.1 cpe:/h:dlink:dsl-2890al cpe:/o:linux:linux_kernel:2.6.25.20
Aggressive OS guesses: Linux 3.2 (92%), IPCop 2.0 (Linux 2.6.32) (91%), Linux
3.18 (90%), D-Link DSL-2890AL ADSL router (90%), OpenWrt Kamikaze 8.09 (Linux
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5cs://pic.qubaike.com/pic/2023-03-31/1nh1svwak3t.org/submit/ .
表1 各个操作系统的初始TTL值
使用Ping测试目标主机(192.168.33.152)的操作系统类型(该目标主机的操作系统类型为Linux)。执行命令如下:
root@daxueba:~# ping 192.168.33.152
64 bytes from 192.168.33.152: icmp_seq=1 ttl=64 time=0.242 ms
64 bytes from 192.168.33.152: icmp_seq=3 ttl=64 time=0.431 ms
PING 192.168.33.229 (192.168.33.229) 56(84) bytes of data.
64 bytes from 192.168.33.229: icmp_seq=2 ttl=128 time=1.01 ms
64 bytes from 192.168.33.229: icmp_seq=4 ttl=128 time=1.52 ms
从输出的信息可以看到,该响应包中的TTL值为128。由此可以说明,这是一个Windows操作系统。
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com,meder@o0o.nu
<+> Loading modules. #正在加载模块
<+> Initializing scan engine #初始化扫描引擎
<-> ping:tcp_ping module: no closed/open TCP ports known on 124.163.204.105.
<-> ping:udp_ping module: no closed/open UDP ports known on 124.163.204.105.
<-> No distance calculation. 124.163.204.105 appears to be dead or no ports known
<+> Target: 124.163.204.105 is alive. Round-Trip Time: 0.01503 sec
<-> fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
<-> fingerprint:snmp: need UDP port 161 open
<+> Host 124.163.204.105 Running OS: "Linux Kernel 2.4.19" (Guess
<+> Other guesses: #其他猜测
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
probability: 100%)
<+> Modules deinitialized
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com,meder@o0o.nu
<+> Loading modules.
<+> 13 modules registered
<+> Running scan engine
Module test failed
Module test failed
<+> Host: 124.163.204.105 is up (Guess probability: 50%)
<+> Selected safe Round-Trip Time value is: 0.03056 sec
<-> fingerprint:smb need either TCP port 139 or 445 to run
<+> Primary guess:
<+> Other guesses:
<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.08.04" (Guess probability: 83%)
<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.08.03" (Guess probability: 83%)
<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.08.08 EEPROM G.08.04" (Guess probability: 83%)
<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM H.07.15 EEPROM H.08.20" (Guess probability: 83%)
<+> Cleaning up scan engine
<+> Execution completed.
从以上输出的信息中可以看到,执行结果出错了(HP JetDirect ROM G.07.02 EEPROM G.07.17)。
在Kali Linux的新版本中,xProbe2工具运行后,测试的结果中操作系统类型显示为乱码。具体如下:
<+> Primary guess:
<+> Other guesses:
<+> Host 192.168.1.8 Running OS: ?????U (Guess probability: 100%)
<+> Host 192.168.1.8 Running OS: ????U (Guess probability: 100%)
<+> Host 192.168.1.8 Running OS: ????U (Guess probability: 100%)
<+> Host 192.168.1.8 Running OS: ?????U (Guess probability: 100%)
<+> Cleaning up scan engine
<+> Execution completed.
4. p0f系统识别
p0f是一款用于识别远程操作系统的工具,该工具与前面介绍的其他工具不同,它是一个完全被动地识别操作系统指纹信息的工具,不会直接作用于目标系统。当启动该工具后,即可监听网络中的所有数据包。通过分析监听到的数据包,即可找出与系统相关的信息。下面介绍使用p0f工具来实施操作系统指纹识别的方法。
使用p0f工具对目标主机实施系统识别。执行命令如下:
1)启动p0f工具。执行命令如下:
root@daxueba:~# p0f
<+> Closed 1 file descriptor.
<+> Intercepting traffic on default interface 'eth0'.
<+> Entered main event loop.
从以上输出信息中可以看到,p0f工具仅显示了几行信息,无法捕获到其他信息。但是,p0f会一直处于监听状态。
2)此时,当有其他主机在网络中产生数据流量的话,将会被p0f工具监听到。例如,在另一台主机上通过浏览器访问一个站点,然后返回到p0f所在的终端,将看到如下信息:
.-< 192.168.1.4/38934 -> 65.200.22.161/80 (https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5c request) >- #https://pic.qubaike.com/pic/2023-03-31/c5teypwar5u
| app = Safari 5.1-6 #应用
| params = dishonest #程序
----
| server = 65.200.22.161/80 #服务器
| raw_freq = 1048.46 Hz #频率
.-< 192.168.1.4/38934 -> 65.200.22.161/80 (https://pic.qubaike.com/pic/2023-03-31/mnoelzzyb5c response) >-
| app = ???
| params = none
----
| client = 192.168.1.4/32854
| dist = 0
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
.-< 192.168.1.4/32854 -> 52.27.184.151/443 (host change) >-
| reason = tstamp port
----
| client = 192.168.1.4/32854
| raw_mtu = 1500
.-< 192.168.1.4/32856 -> 52.27.184.151/443 (syn) >-
| os = Linux 3.11 and newer
| params = none
----
以上输出的信息,就是执行监听到客户端访问的数据信息。从以上输出的信息可以看到,探测到客户端的操作系统类型为Linux 3.11或更新的内核版本。