How to use Nmap to troubleshoot network issues
Expert-level troubleshooting skills are essential for a system administrator. Knowing how to identify and resolve the problems you encounter is critical to arriving at the best solution. Tools help you find the answers, and Nmap is a useful one for security and IT professionals.
You cannot assess a system's security without knowing which network ports are open. Sysadmins use Nmap to check whether systems are online and to help uncover problems on the network. You can also detect operating system versions, determine whether services are online, test embedded network stacks, and even identify hostile network traffic.
Install Nmap
There are several ways to install Nmap on Linux. On recent distributions, installation is simple. For example, on Red Hat Enterprise Linux, Fedora, and similar distributions, enter:
$ sudo dnf install nmap
The latest version is always available as source code from Insecure.org, but many distributions already have it packaged and ready to use.
Next, I'll review some common ways sysadmins use Nmap.
Run a default scan
Once Nmap is installed and a target chosen, the rest is straightforward. Here is a default scan:
$ nmap scanme.nmap.org
In the output you receive, the leftmost column shows the port number and protocol (for example, 22/tcp, 80/tcp, and so on). This scan shows whether a port is open and which service is using it. Nmap can display more detail, such as the service version, but you must specify a service version scan to identify the actual service version.
Run a service version scan
Add the -sV flag to run a service version scan. The output provides more detail, such as the patch level of the service. This information is very useful for security assessments: vulnerabilities exist in specific software versions, so from a defensive standpoint, having these details is beneficial.
Note that Nmap does not display all closed and open ports; by default it shows only the top 1,000 ports, because the output would otherwise become cluttered. You can increase the verbosity of the scan to show these details. The top ports shown are not necessarily ports 1 through 1,000, but the ports most commonly found open.
Log scans
Viewing scan output is helpful, but what about long-term assessments? Or very long scans? That's where logging comes in.
Nmap supports three different logging formats: .xml, .nmap, and .gnmap. Gnmap stands for grepable nmap. Each format has a different supporting flag, but you can simply use the -oA flag to get all output. It will automatically save all three file extensions:
$ nmap scanme.nmap.org -oA logbase
$ cat logbase.nmap | grep open
Specify scan ranges
Many sysadmins run services on high ports so that they are not detected through normal scans. But security through obscurity isn't the best way to go about it. To detect hosts on particular ports, specify a port with the -p flag.
For example, if you only want to scan port 80 on scanme.nmap.org, you can enter:
$ nmap -p 80 scanme.nmap.org
This flag works for port ranges as well. So, for example, if you want to scan all privileged ports (1-1024), you can use:
$ nmap -p 1-1024 scanme.nmap.org
Another choice to consider is the --reason flag. You can use this to help determine how Nmap reached its conclusions. For example, it may show a SYN-ACK response to a SYN request. Since that service is attempting a three-way handshake, that verifies that something is listening.
Now that I've covered how to run Nmap on multiple ports, I'll discuss how to detect the host target using various methods, scan devices attempting to hide, and more.
Detect host targets
Because so many people attempt to hide their hosts from the internet, it's important to identify if hosts are online or offline. Nmap has several ways to determine this.
The easiest way is to run a ping sweep. You can run the ping command; however, running a sweep with Nmap allows for greater efficiency by using a larger network scope. You can use the -sn flag to run a ping-only sweep. Since it only runs ping and not a full port scan, it will show which hosts are online or offline.
Sometimes you may need to take the scan a bit further. As mentioned previously, some system administrators hide their systems from the internet by ignoring ping requests. Fortunately, Nmap supports an agnostic option for scanning systems, which the next section covers.
Run a ping agnostic scan
Normal Nmap scans run a ping sweep first and then check the specified ports (based on the ranges provided). If hosts do not respond to a ping, those systems will not be fully scanned—even if they are online! You can skip the ping sweep with the -Pn flag to run a full scan. This scan generally takes longer to run, but in the end, it's helpful to identify hosts that were missed originally. Run this scan with:
$ nmap -Pn -n scanme.net
It's also useful to use the -sL flag, which runs a simple list scan of the target ranges. This can be useful for reverse DNS lookups and to identify what hosts are online in a specified range:
$ nmap 1.1.1.1 -sL
There is another useful feature of Nmap: a TCP SYN ping scan. In place of an ICMP ping, the TCP SYN ping can treat the target host as online if it responds to a SYN request on a specific port. For example, when scanning an IP block that normally runs web servers, using -PS 80 displays the hosts as online, so long as they respond on port 80.
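The logging section above greps a saved log by hand, and the host discovery sections show which hosts answer. As an added example that is not part of the original article, the following POSIX shell script parses a constructed .gnmap file (the grepable output that -oA writes) to list the hosts that came back Up, the open ports with their -sV version strings, and the ports that appeared since a baseline scan, which is the kind of long-term comparison logging makes possible. The sample log, the example.test host names, the 192.0.2.0/29 addresses and the version strings are invented for illustration; Nmap itself is not run.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise Nmap's grepable
# (.gnmap) output as written by -oA, so a long-running or repeated scan can be
# reviewed without re-reading the whole log. Uses only POSIX sh, awk, sort,
# cut and comm.

# Constructed sample of what "nmap -sV -oA logbase 192.0.2.0/29" might write to
# logbase.gnmap. The addresses are from the TEST-NET-1 documentation range and
# the host names and service versions are invented; this is not a real scan.
# $1: output path; $2: optional port list for the db host, so a later scan can
# differ from the baseline.
write_sample_gnmap() {
  default_db='3306/open/tcp//mysql//MySQL 8.0.32/'
  db_ports=${2:-$default_db}
  {
    printf '# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oA logbase 192.0.2.0/29\n'
    printf 'Host: 192.0.2.10 (web.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/filtered/tcp//https///\tIgnored State: closed (997)\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.11 (db.example.test)\tPorts: %s\tIgnored State: closed (999)\n' "$db_ports"
    printf 'Host: 192.0.2.12 ()\tStatus: Down\n'
    printf '# Nmap done at Mon Jan  1 00:00:10 2024 -- 8 IP addresses (2 hosts up) scanned in 10.00 seconds\n'
  } > "$1"
}

# Hosts that answered host discovery (Status: Up). Works on -sn output too,
# which has Status lines but no Ports lines.
live_hosts() {
  awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# One line per open port: "host port/proto service version".
# A Ports: field holds entries of the form
#   port/state/proto/owner/service/rpcinfo/version/
# separated by ", ". Every entry ends in "/", so "/, " is the safer separator
# in case a version string itself contains a comma.
open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/.*Ports: /, "")               # keep only the port list ...
      sub(/[ \t]*Ignored State:.*/, "")  # ... without the trailing summary
      n = split($0, entries, "/, ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }' "$1"
}

# Open ports present in the newer scan ($2) but not in the baseline ($1).
# Version text is dropped before comparing so a patch-level change alone does
# not show up as a "new" port.
new_open_ports() {
  old=$(mktemp); new=$(mktemp)
  open_ports "$1" | cut -d' ' -f1,2 | sort > "$old"
  open_ports "$2" | cut -d' ' -f1,2 | sort > "$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Demo: write the constructed baseline and a later scan, then summarise both.
demo=$(mktemp -d)
write_sample_gnmap "$demo/baseline.gnmap"
write_sample_gnmap "$demo/later.gnmap" \
  '3306/open/tcp//mysql//MySQL 8.0.32/, 8080/open/tcp//http-proxy//Squid 5.7/'
echo 'Live hosts:';       live_hosts "$demo/baseline.gnmap"
echo 'Open ports:';       open_ports "$demo/baseline.gnmap"
echo 'Newly open ports:'; new_open_ports "$demo/baseline.gnmap" "$demo/later.gnmap"
rm -rf "$demo"
```

Point the functions at a real logbase.gnmap produced by -oA to use them on your own scans; the diff function is the useful one for periodic scans, since a port that opens between two runs is usually either a change you expected or something to investigate.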
Wrap up
Nmap is a powerful tool for most system administrators. Various ways to utilize the tool allow admins to work more quickly and efficiently. The better use you make of your troubleshooting skills, the quicker you will resolve issues effectively.