A detailed look at the nmap tool

1.1 nmap basics

In day-to-day operations you sometimes need to probe whether hosts are alive. This is usually done with the nmap and tcpdump commands together; install the relevant packages first:

[root@ ]# yum install  nmap tcpdump

Several forms of nmap scan syntax:

-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sP: ping Scan

Below we probe between two hosts: host A sends the nmap probes, and host B captures the packets with tcpdump for analysis.

On host A, send a normal ping first to see what the ICMP packets look like under normal conditions:
ping -c 1 10.17.200.36

Capturing on host B shows the ICMP packets going out and coming back:

[root@ ]# tcpdump -np -i ens192 src host 10.17.200.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
16:08:38.392418 IP 10.17.200.14 > 10.17.200.36: ICMP echo request, id 5220, seq 1, length 64
16:08:43.400811 ARP, Reply 10.17.200.14 is-at 00:50:56:b9:b2:fb, length 46

You can temporarily disable ICMP echo replies on one host; after that, ping will no longer be able to detect it:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

1.2 nmap ping probe

Now we start the nmap ping probe; -n means no DNS resolution is performed:

[root@ ]# nmap -n -sP 10.17.200.36
Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-15 16:12 CST
Nmap scan report for 10.17.200.36
Host is up (0.00030s latency).
MAC Address: 00:50:56:B9:21:18 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

Capturing on host B shows that it only received the request packet sent by the other side and did not reply, yet nmap still considers this host alive; this makes probing more efficient:

[root@localhost roles]# tcpdump -np -i ens192 src host 10.17.200.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
16:12:28.972321 ARP, Request who-has 10.17.200.36 (Broadcast) tell 10.17.200.14, length 46

1.3 nmap SYN probe

Now we start the nmap TCP SYN probe; -n means no DNS resolution is performed:

[root@ ]# nmap -n -PE 10.17.200.36
Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-15 16:20 CST
Nmap scan report for 10.17.200.36
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:B9:21:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds

Capturing on host B shows that host A sent TCP SYN packets to each of host B's services to probe them:

[root@ ]# tcpdump -np -i ens192 src host 10.17.200.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
16:20:07.124327 ARP, Request who-has 10.17.200.36 (Broadcast) tell 10.17.200.14, length 46
16:20:07.148867 IP 10.17.200.14.40911 > 10.17.200.36.rtsp: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148882 IP 10.17.200.14.40911 > 10.17.200.36.smtp: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148906 IP 10.17.200.14.40911 > 10.17.200.36.domain: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148943 IP 10.17.200.14.40911 > 10.17.200.36.https: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148950 IP 10.17.200.14.40911 > 10.17.200.36.mysql: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148950 IP 10.17.200.14.40911 > 10.17.200.36.ssh: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
(too much output, omitted...)
16:20:12.152833 ARP, Reply 10.17.200.14 is-at 00:50:56:b9:b2:fb, length 46
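
As an added example (not part of the original post), the following Python script runs the kind of detection a defender would want over tcpdump output like the capture above: it groups pure SYN packets by source address, flags any source that probed many distinct destination ports, and records the two traits visible in the capture above (one reused source port and one reused sequence number across all probes). The sample lines are constructed from the capture above plus one ordinary connection attempt from a hypothetical host 10.17.200.99.

```python
import re
from collections import defaultdict

# Constructed sample: the SYN lines mirror the tcpdump output above, plus one
# ordinary connection attempt from a hypothetical host (10.17.200.99).
SAMPLE_CAPTURE = """\
16:20:07.124327 ARP, Request who-has 10.17.200.36 (Broadcast) tell 10.17.200.14, length 46
16:20:07.148867 IP 10.17.200.14.40911 > 10.17.200.36.rtsp: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148882 IP 10.17.200.14.40911 > 10.17.200.36.smtp: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148906 IP 10.17.200.14.40911 > 10.17.200.36.domain: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148943 IP 10.17.200.14.40911 > 10.17.200.36.https: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148950 IP 10.17.200.14.40911 > 10.17.200.36.mysql: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:07.148950 IP 10.17.200.14.40911 > 10.17.200.36.ssh: Flags [S], seq 3791226815, win 1024, options [mss 1460], length 0
16:20:09.000000 IP 10.17.200.99.51234 > 10.17.200.36.ssh: Flags [S], seq 123456789, win 29200, options [mss 1460], length 0
"""

# Matches a pure SYN ("Flags [S]"); a SYN/ACK shows up as "Flags [S.]" and is skipped.
SYN_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): Flags \[S\], seq (?P<seq>\d+),"
)

def find_syn_scanners(capture, min_ports=5):
    """Group pure-SYN packets by source IP and report every source that probed
    at least `min_ports` distinct destination ports, noting whether all of its
    probes reused one source port and one sequence number (as nmap does above)."""
    per_src = defaultdict(lambda: {"ports": set(), "sports": set(), "seqs": set(), "ts": []})
    for line in capture.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue  # ARP, ICMP and non-SYN TCP lines are not relevant here
        s = per_src[m["src"]]
        s["ports"].add(m["dport"])
        s["sports"].add(m["sport"])
        s["seqs"].add(m["seq"])
        s["ts"].append(m["ts"])
    findings = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= min_ports:
            findings[src] = {
                "distinct_ports": len(s["ports"]),
                "fixed_source_port": len(s["sports"]) == 1,
                "fixed_seq": len(s["seqs"]) == 1,
                "window": (s["ts"][0], s["ts"][-1]),  # first and last probe time
            }
    return findings
```

Calling find_syn_scanners(SAMPLE_CAPTURE) reports only 10.17.200.14 (six distinct ports, fixed source port and sequence number); the single SYN from 10.17.200.99 stays below the threshold.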

1.4 arping

As a further note, arping -D is an effective way to detect IP address conflicts: if echo $? returns 0 the address is in conflict, and 1 means there is no conflict.

[root@ ]# arping  -D  -c 2   -I ens192   10.17.200.36
ARPING 10.17.200.36 from 0.0.0.0 ens192
Unicast reply from 10.17.200.36 [00:50:56:B9:21:18] 0.887ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

1.5 Summary

  • nmap -sP performs ping detection
  • nmap -PE performs TCP SYN detection
  • nmap -n -sP -PE combines ping and SYN detection so that no host is missed
  • arping -D performs address-conflict detection

<End>