# nmap 常用指令集 ##### 掃描單一主機 ```shell ### Scan a single ip address ### nmap 192.168.1.1 ## Scan a host name ### nmap server1.cyberciti.biz ## Scan a host name with more info### nmap -v server1.cyberciti.biz ``` ##### 掃描多個主機 ```shell nmap 192.168.1.1 192.168.1.2 192.168.1.3 ## works with same subnet i.e. 192.168.1.0/24 nmap 192.168.1.1,2,3 ## You can scan a range of IP address too: nmap 192.168.1.1-20 ## You can scan a range of IP address using a wildcard: nmap 192.168.1.* ## you scan an entire subnet: nmap 192.168.1.0/24 # Ping scan subnet nmap -sP 10.15.9.0/24 | grep -E '\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' nmap -sP 10.15.9.0/24 | sed -n '/^.* [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/p' | sed 's/^.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*$/\1 /g' ``` ##### 從檔案讀入 IP 清單 ```shell nmap -iL /tmp/ip.txt ``` ##### 排除 IP 的方法 ```shell nmap 192.168.1.0/24 --exclude 192.168.1.5 nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254 nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt ``` ##### 偵測遠端的作業系統類型 ```shell nmap -A 192.168.1.254 nmap -v -A 192.168.1.1 nmap -A -iL /tmp/scanlist.txt ``` ##### 偵測遠端主機是否有防火牆 ```shell nmap -A 192.168.1.254 nmap -v -A 192.168.1.1 nmap -A -iL /tmp/scanlist.txt ``` ##### 掃描主機(有防火牆保護時) ```shell nmap -PN 192.168.1.1 nmap -PN server1.cyberciti.biz ``` ##### 掃描 IPv6 主機 ```shell nmap -6 IPv6-Address-Here nmap -6 server1.cyberciti.biz nmap -6 2607:f0d0:1002:51::4 nmap -v A -6 2607:f0d0:1002:51::4 ``` ##### 掃描一個子網路內有哪些主機/裝置 ```shell nmap -sP 192.168.1.0/24 ``` ##### 執行快速掃描 ```shell nmap -F 192.168.1.1 ``` ##### 顯示通訊埠狀態原因(Reason) ```shell nmap --reason 192.168.1.1 ``` ##### 顯示開啟中的通訊埠 ```shell nmap --open 192.168.1.1 ``` ##### 顯示已傳送/接收的封包 ```shell nmap --packet-trace 192.168.1.1 ``` ##### 顯示本機網路介面裝置與路由 ```shell nmap --iflist ``` ##### 掃描指定通訊埠 ```shell nmap -p [port] hostName ## Scan port 80 nmap -p 80 192.168.1.1 ## Scan TCP port 80 nmap -p T:80 192.168.1.1 ## Scan UDP port 53 nmap -p U:53 192.168.1.1 ## Scan two ports ## nmap -p 80,443 192.168.1.1 ## Scan port ranges ## nmap -p 80-200 192.168.1.1 ## Combine all options ## nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1 nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254 ## Scan all ports with * wildcard ## nmap -p "*" 192.168.1.1 ## Scan top ports i.e. scan $number most common ports ## nmap --top-ports 5 192.168.1.1 nmap --top-ports 10 192.168.1.1 ``` ##### 快速掃描網路內有開啟通訊埠的主機/裝置 ```shell nmap -T5 192.168.1.0/24 ``` ##### Cheat Sheet [![nmap_cheatsheet.jpg](https://osslab.tw/uploads/images/gallery/2022-09/scaled-1680-/nmap-cheatsheet.jpg)](https://osslab.tw/uploads/images/gallery/2022-09/nmap-cheatsheet.jpg)