说明

  nmap命令是一款开放源代码的网络探测和安全审核工具，是Network Mapper的缩写。其设计目的是快速的扫描大型网络。nmap可以发现网络上有哪些主机，主机提供了什么服务器，并探测操作系统的类型及版本信息。
  如果系统没有nmap命令，则可以使用下面的命令来安装：
yum -y install nmap

格式

  nmap [扫描类型] [选项] [扫描目标]

常用参数

• -sS：TCP同步扫描
• -sT：TCP连接扫描
• -sn：不进行端口扫描，只检查主机正在运行
• -sV：探测服务器版本信息
• -O：获取主机的标志，也就是操作系统类型
• -p<端口>：指定要扫描的端口，可以是一个单独的端口，也可以用逗号分给开多个端口，还可以使用”-“表示一个端口范围
• -n：不进行DNS解析，加快扫描速度
• -v：显示扫描过程中的详细信息

示例

1、查看主机当前开放的端口

[root@localhost ~]# nmap 192.168.71.108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:04 CST
Nmap scan report for 192.168.71.108
Host is up (0.00018s latency).#目标主机正在运行
Not shown: 997 closed ports #997个关闭的端口
PORT     STATE SERVICE
22/tcp   open  ssh #22端口提供SSH服务
80/tcp   open  http #80端口提供http服务
3306/tcp open  mysql #3306端口提供mysql服务
MAC Address: 00:0C:29:1E:D8:26 (VMware) #目标主机的mac地址

Nmap done: 1 IP address (1 host up) scanned in 32.95 seconds

2、扫描主机的指定端口

[root@localhost ~]# nmap -p 80 192.168.71.108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:06 CST
Nmap scan report for 192.168.71.108
Host is up (0.00033s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:1E:D8:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
[root@localhost ~]# 
[root@localhost ~]# nmap -p 80,3306 192.168.71.108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:06 CST
Nmap scan report for 192.168.71.108
Host is up (0.00030s latency).
PORT     STATE SERVICE
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:1E:D8:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds
[root@localhost ~]# 
[root@localhost ~]# nmap -p 1-10000 192.168.71.108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:07 CST
Nmap scan report for 192.168.71.108
Host is up (0.0016s latency).
Not shown: 9997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:1E:D8:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 15.40 seconds

3、扫描局域网内所有的IP

[root@localhost ~]# nmap 192.168.71.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:11 CST
Nmap scan report for 192.168.71.1
Host is up (0.00075s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.71.2
Host is up (0.00024s latency).
Not shown: 999 closed ports
PORT   STATE    SERVICE
53/tcp filtered domain
MAC Address: 00:50:56:F5:F6:48 (VMware)

Nmap scan report for 192.168.71.108
Host is up (0.00051s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:1E:D8:26 (VMware)

Nmap scan report for 192.168.71.254
Host is up (-0.10s latency).
All 1000 scanned ports on 192.168.71.254 are filtered
MAC Address: 00:50:56:F4:6C:04 (VMware)

4、扫描局域网内在运行的主机

[root@localhost ~]# nmap -sn 192.168.71.0/24

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-20 06:01 EDT
Nmap scan report for 192.168.71.1
Host is up (0.00010s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.71.2
Host is up (0.000091s latency).
MAC Address: 00:50:56:F5:F6:48 (VMware)
Nmap scan report for 192.168.71.107
Host is up (0.00031s latency).
MAC Address: 00:0C:29:0B:D8:26 (VMware)
Nmap scan report for 192.168.71.254
Host is up (0.00043s latency).
MAC Address: 00:50:56:F4:6C:04 (VMware)
Nmap scan report for 192.168.71.108
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.87 seconds

5、扫描指定范围内进行扫描

[root@localhost ~]# nmap -sn 192.168.71.100-108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-20 06:03 EDT
Nmap scan report for 192.168.71.107
Host is up (0.00013s latency).
MAC Address: 00:0C:29:0B:D8:26 (VMware)
Nmap scan report for 192.168.71.108
Host is up.
Nmap done: 9 IP addresses (2 hosts up) scanned in 26.34 seconds

6、探测目标主机的服务和操作系统版本

[root@localhost ~]# nmap -O -sV 192.168.71.108

Starting Nmap 6.40 ( http://nmap.org ) at 2018-06-21 17:20 CST
Nmap scan report for 192.168.71.108
Host is up (0.00066s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.4 (protocol 2.0)
80/tcp   open  http    nginx
3306/tcp open  mysql   MySQL (unauthorized)
MAC Address: 00:0C:29:1E:D8:26 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=6/21%OT=22%CT=1%CU=35805%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=5B2B6E11%P=x86_64-redhat-linux-gnu)SEQ(SP=108%GCD=1%ISR=103%TI=Z%CI=I%
OS:TS=A)SEQ(SP=108%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=
OS:M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WI
OS:N(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%DF=Y%T=40%W=39
OS:08%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3
OS:(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.48 seconds

上面输出的信息中不仅包含了端口号，而且还包含了服务的版本号。在网络安全要求较高的主机上，最好能够屏蔽服务版本号，以防止黑客利用特定版本存在的漏洞进行攻击。