nmap is a powerful network scanning tool.
Basic nmap usage:
- nmap [scan type] [options] [targets...]
Common scan types:
- -sS : TCP SYN scan (half-open; the default when nmap runs as root)
- -sT : TCP connect scan (full open; completes the three-way handshake)
- -sU : UDP scan
- -sP : ping scan, host discovery only (renamed -sn in later versions, -sP still works); on the local subnet it uses ARP, otherwise ICMP echo plus TCP probes to ports 80 and 443
- -A : aggressive scan of the target: OS detection, version detection, default NSE scripts and traceroute
[[email protected] ~]# nmap -sP 192.168.4.12 #test reachability (several targets can be given separated by spaces, or as a range such as 192.168.4.12-20)
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-16 21:04 CST
Nmap scan report for node2 (192.168.4.12)
Host is up (0.00028s latency).
MAC Address: 52:54:00:31:27:74 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds #(1 host up) means the host answered the discovery probe; on the same subnet that probe is ARP, not ICMP, which is why the MAC address is shown and why a host that filters ping is still reported up
[[email protected] ~]# nmap 127.0.0.1 #scan which ports this host has open; with no scan type given, root gets a TCP SYN scan of the 1000 most common ports
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-16 21:22 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[[email protected] ~]# nmap -p 1-65535 192.168.4.12 # -p selects the ports to scan: a single port, a comma-separated list or a range (here every TCP port)
Starting Nmap 6.40 ( http://nmap.org ) at 2020-07-16 22:01 CST
Nmap scan report for node2 (192.168.4.12)
Host is up (0.00030s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
6789/tcp open ibm-db2-admin
6800/tcp open unknown
MAC Address: 52:54:00:31:27:74 (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
[[email protected] ~]# nmap -sT 192.168.4.12 #full-open scan
A full-open scan completes the three-way handshake (SYN, SYN/ACK, ACK) with every port it probes, so each probe shows up as a real connection in the target's application and connection logs. It needs no special privileges.
[[email protected] ~]# nmap -sS 192.168.4.12 #half-open scan
In a half-open scan the client sends a SYN; a SYN/ACK from the server marks the port as open, and instead of completing the handshake with an ACK, nmap tears the attempt down with a RST, so no full connection is ever established and the application never sees it. It needs raw-socket (root) privileges. A SYN flood denial-of-service abuses the same half-open state by leaving thousands of handshakes unanswered, but a port scan is not a DDoS attack: it sends one probe per port and resets each one immediately.
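To make the difference between the two scan types concrete, here is an added example (not code from the original page) that reads tcpdump's one-line-per-packet text and classifies each TCP flow as half-open (SYN, SYN/ACK, RST), completed (SYN, SYN/ACK, ACK) or closed (SYN answered by RST/ACK). The function name classify_handshakes and the capture lines in SAMPLE_TCPDUMP are constructed for this example; on a real host you would feed it the output of `tcpdump -n -i eth0 tcp` instead (-n keeps addresses numeric so the field layout is stable).

```shell
#!/bin/sh
# Added example: classify TCP handshakes seen in tcpdump's text output to tell
# half-open (SYN scan) probes from completed (connect scan) sessions.
# Input is tcpdump's default one-line-per-packet format, read on stdin.

classify_handshakes() {
  awk '
    # Field layout of a tcpdump TCP line (with -n):
    #   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 "dst.port:"  $6 "Flags"  $7 "[S],"
    $2 != "IP" || $6 != "Flags" { next }        # skip non-TCP lines
    {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = substr($7, 2, index($7, "]") - 2)  # "[S.]," -> "S."
      fwd = src " " dst                          # packet from client to server
      rev = dst " " src                          # key of the flow this packet answers
      if (flags == "S")       state[fwd] = "syn"                        # client SYN
      else if (flags == "S.") { if (state[rev] == "syn") state[rev] = "synack" }
      else if (flags == "R.") { if (state[rev] == "syn") { closed++; state[rev] = "done" } }  # port closed
      else if (state[fwd] == "synack") {
        if (flags == "R")      { half++; state[fwd] = "done" }   # RST instead of ACK: half-open
        else if (flags == ".") { full++; state[fwd] = "done" }   # ACK: handshake completed
      }
    }
    END { printf "halfopen=%d full=%d closed=%d\n", half + 0, full + 0, closed + 0 }
  '
}

# Constructed sample capture (not a real trace): one SYN-scan probe of port 22,
# one connect-scan probe of port 22, and one probe of a closed port 23.
SAMPLE_TCPDUMP='22:10:00.000100 IP 192.168.4.5.40001 > 192.168.4.12.22: Flags [S], seq 100, win 1024, length 0
22:10:00.000200 IP 192.168.4.12.22 > 192.168.4.5.40001: Flags [S.], seq 500, ack 101, win 29200, length 0
22:10:00.000300 IP 192.168.4.5.40001 > 192.168.4.12.22: Flags [R], seq 101, win 0, length 0
22:10:01.000100 IP 192.168.4.5.40002 > 192.168.4.12.22: Flags [S], seq 200, win 29200, length 0
22:10:01.000200 IP 192.168.4.12.22 > 192.168.4.5.40002: Flags [S.], seq 600, ack 201, win 28960, length 0
22:10:01.000300 IP 192.168.4.5.40002 > 192.168.4.12.22: Flags [.], ack 1, win 229, length 0
22:10:02.000100 IP 192.168.4.5.40003 > 192.168.4.12.23: Flags [S], seq 300, win 1024, length 0
22:10:02.000200 IP 192.168.4.12.23 > 192.168.4.5.40003: Flags [R.], seq 0, ack 301, win 0, length 0'

printf '%s\n' "$SAMPLE_TCPDUMP" | classify_handshakes
```

A rising halfopen count from a single source against many ports is the signature of a SYN scan; a connect scan shows up as full handshakes instead, which is why it is also visible in the target's application logs.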
nmap --help and man nmap show the full list of options.
Writing an nmap script to find live hosts
[[email protected] ~]# cat ping.sh
#!/bin/bash
yum -y install nmap > /dev/null
read -p "Enter a whole network, e.g. 104.233.105.0/24: " ip
out=$(mktemp)                                   # temporary file for the scan result
nmap -n -sP "$ip" > "$out"                      # -n skips reverse DNS lookups
# The last line looks like: Nmap done: 256 IP addresses (5 hosts up) scanned in 2.50 seconds
num=$(tail -1 "$out" | awk '{print $3}')        # field 3: number of addresses scanned
up=$(tail -1 "$out" | awk '{print $6}' | tr -d '(')   # field 6 is "(5"; drop the parenthesis
echo "Scanned $num IP addresses"
echo "$up of them are reachable"
rm -f "$out"
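Scraping the "Nmap done" summary line breaks as soon as Nmap's wording changes and tells you nothing about which hosts answered. Here is an added example (not the page's own script) that uses Nmap's greppable output format (-oG -) and parses one host per line instead. The names live_hosts, live_count and scan_net are chosen here, and SAMPLE_GREPPABLE is a constructed sample of what `nmap -n -sn -oG -` prints, not output from a real scan.

```shell
#!/bin/sh
# Added example: host discovery with nmap's greppable output (-oG -), parsed
# per host line instead of scraping the "Nmap done" summary line.

# Read greppable output on stdin, print the IP of every host marked Up.
live_hosts() {
  awk '$1 == "Host:" && /Status: Up/ { print $2 }'
}

# Read greppable output on stdin, print how many hosts were Up.
live_count() {
  live_hosts | wc -l | tr -d ' '
}

# Scan a network (argument 1) and print the live hosts. Needs nmap installed
# and root for ARP/SYN discovery; not exercised by the sample run below.
scan_net() {
  nmap -n -sn -oG - "$1" | live_hosts
}

# Constructed sample of `nmap -n -sn -oG - 192.168.4.0/24` output (not a real scan).
SAMPLE_GREPPABLE='# Nmap 6.40 scan initiated Thu Jul 16 21:04:00 2020 as: nmap -n -sn -oG - 192.168.4.0/24
Host: 192.168.4.12 ()   Status: Up
Host: 192.168.4.50 ()   Status: Up
# Nmap done at Thu Jul 16 21:04:02 2020 -- 256 IP addresses (2 hosts up) scanned in 2.10 seconds'

printf '%s\n' "$SAMPLE_GREPPABLE" | live_hosts
printf '%s\n' "$SAMPLE_GREPPABLE" | live_count
```

Keep -n with -sn: reverse DNS lookups slow a /24 sweep down considerably and leak the scan to the DNS server. -oX gives the same data as XML if you want to feed it into another tool.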
Capturing packets with tcpdump

Examples:
[[email protected] ~]# tcpdump -i eth0 #capture packets passing through eth0 (when working over SSH, append "not port 22" so your own session is not captured)
[[email protected] ~]# tcpdump -i eth0 -c 2 # -c 2 stops after two packets
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes #EN10MB is the link-layer type name (Ethernet), not the speed of the card
23:11:10.618249 IP host50.ssh > 192.168.4.254.51990: Flags [P.], seq 4243925570:4243925758, ack 3202191461, win 295, options [nop,nop,TS val 45484860 ecr 45741396], length 188
23:11:10.623977 IP 192.168.4.254.51990 > host50.ssh: Flags [.], ack 188, win 1424, options [nop,nop,TS val 45741496 ecr 45484860], length 0
[[email protected] ~]# tcpdump -i eth0 -c 2 -w a.test # -w writes the raw packets to a file in pcap format (nothing is printed)
[[email protected] ~]# tcpdump -r a.test #-r reads packets back from a capture file
Example:
**Capturing packets of a given protocol**
[[email protected] ~]# tcpdump -i eth0 icmp #capture only ICMP packets passing through eth0
From another virtual machine, ping host50:
[[email protected] ~]# ping -c 1 192.168.4.50
host50 then captures the corresponding ping packets:
[[email protected] ~]# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:27:06.465446 IP node2 > host50: ICMP echo request, id 7227, seq 1, length 64 #node2 is the source address, host50 the destination
23:27:06.465489 IP host50 > node2: ICMP echo reply, id 7227, seq 1, length 64
General form: tcpdump -i <interface> <protocol> <port or portrange> [and/or <src/dst/host/net filter>] -c <number of packets> -w <output file>
tcpdump -i eth0 tcp port 80
tcpdump -i eth0 tcp port 80 and host 192.168.4.5
tcpdump -i eth0 icmp and host 192.168.4.5
tcpdump -i eth0 tcp port 21 or port 80
tcpdump -i eth0 tcp portrange 21-110
tcpdump -i eth0 tcp port 21 and src 192.168.4.5
tcpdump -i eth0 tcp port 80 and net 192.168.4.0/24
tcpdump -A -w ftp.cap tcp port 21 and host 192.168.4.5    capture traffic to the FTP service and save it as a pcap file; -A (print the payload as ASCII) only affects terminal output, so with -w it has no effect, and the cleartext FTP commands are shown when the file is read back with tcpdump -A -r ftp.cap
tcpdump -i eth0 tcp port 21 and host
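Why the FTP capture above matters: FTP sends the username and password in cleartext on the control channel (port 21), so anyone who can read ftp.cap, or sniff the segment, recovers the login. Here is an added example (not from the original page) that pairs each PASS line in `tcpdump -A -r ftp.cap` text with the USER sent earlier on the same client socket. The name ftp_logins is chosen here, and SAMPLE_FTP is a constructed, shortened imitation of tcpdump -A output, not a real capture.

```shell
#!/bin/sh
# Added example: pull cleartext FTP logins out of `tcpdump -A -r ftp.cap` text.
# tcpdump -A prints each packet as a summary line followed by its payload in
# ASCII, so USER/PASS lines follow the summary line of the packet carrying them.

ftp_logins() {
  awk '
    # A packet summary line starts with the timestamp; remember its source socket.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / { src = $3; next }
    # Payload lines: strip the dots tcpdump prints for non-printable CR bytes.
    /^USER / { sub(/[.]*\r?$/, ""); user[src] = $2 }
    /^PASS / { sub(/[.]*\r?$/, ""); if (src in user) printf "%s user=%s pass=%s\n", src, user[src], $2 }
  '
}

# Constructed imitation of tcpdump -A output for one FTP login (not a real capture;
# the "E..4..@.@..." lines stand in for the ASCII rendering of the IP/TCP headers).
SAMPLE_FTP='23:40:01.000100 IP 192.168.4.5.40010 > 192.168.4.50.21: Flags [P.], seq 1:13, ack 1, win 229, length 12
E..4..@.@.........
USER alice
23:40:01.000200 IP 192.168.4.50.21 > 192.168.4.5.40010: Flags [P.], seq 1:35, ack 13, win 227, length 34
E..J..@.@.........
331 Please specify the password.
23:40:01.000300 IP 192.168.4.5.40010 > 192.168.4.50.21: Flags [P.], seq 13:27, ack 35, win 229, length 14
E..6..@.@.........
PASS s3cret'

printf '%s\n' "$SAMPLE_FTP" | ftp_logins
```

The same pairing works on a live capture with `tcpdump -n -A -i eth0 tcp port 21 | ftp_logins`. The fix on the server side is to stop offering plain FTP and move to SFTP or FTPS, after which nothing readable appears in the capture.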