Enumerating a new network with Nmap
Have you ever arrived at a new job, ready to hit the ground running, only to be surprised to find that nobody has a network diagram, which drains your enthusiasm?
You might scratch your head and wonder: "How does anything get done around here?"
But don't worry: where there are problems, there are opportunities to be a problem solver. You didn't hear it from me, but I hear problem solvers get raises.
This article is about exploring a network range in a new environment as a system administrator. It therefore covers simple Nmap flags that help someone inside the network discover hosts and related information. This is not an article about security auditing, penetration testing, or other advanced Nmap use cases. If you're new to Nmap and need to understand your network, read on.
Warning: Your employer may consider network scanning to be an attack. Make sure you have permission to use Nmap before running any scans.
There's no better tool than Nmap for tackling an unfamiliar and undocumented network. Nmap is more than a fancy ping sweep: with the right scans, it can populate your new network diagram with the MAC addresses, open ports, operating systems (OS), and services of the hosts on your network.
Here's how to discover what's on your network.
Host discovery: Is anybody home?
The first step in understanding a new network is determining what is connected to it and which services are exposed. While this sounds like a simple task, consider that a Class A network (10.0.0.0/8) has more than 16 million usable addresses. Most modern firewalls block ICMP echo (ping) requests, which makes the job harder.
That's why, by default, Nmap performs host discovery by sending four different probes: ICMP type 8 (echo request), ICMP type 13 (timestamp request), a TCP SYN packet to port 443, and a TCP ACK packet to port 80. In addition, Nmap sends ARP requests to any hosts on the local network, filling in MAC address details.
Performing your first scan with nmap
# nmap -sn <target>
Here, <target> can be a hostname, an IP address, CIDR notation, or an IP range.
Note: Hostnames are resolved through DNS, and IPs through reverse lookup. An IP range might look like 192.168.1-10.0-255, which starts at 192.168.1.0 and increments to 192.168.10.255.
To learn about a new network, it makes sense to use the full subnet address (for example, 192.168.1.0/24).
This command performs a no port scan: it sends the four host discovery probes discussed earlier, records their results, and then stops. This is a quick and easy way to learn what's on your network that is more reliable than a simple broadcast ping or ping sweep.
Tracing routes
To dig deeper into your network environment, you can perform the same scan with the --traceroute option. This scan attempts to determine which intermediate hops lie between your workstation and any scanned remote hosts.
While this is enough to get your new network diagram started, you might decide that you are missing a few details.
Scanning for open ports
With the hosts in our network discovered, it’s time to dig a little deeper.
At this point, you might want to put your new list of active IPs into a file, with entries separated by a space, tab, or newline. Use this file as the target input for a port scan.
# nmap -iL <ip list>
This command scans all named ports plus ports 0-1024. If you want to speed up the process, you can add the -F flag, which reduces the scan to the 100 most common ports.
If you want to define a port range manually, a simple -p#-# instructs Nmap to scan all ports in your range, including the ports given as the start and end points.
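The discovery-then-port-scan workflow above (run nmap -sn, save the live hosts to a file, feed that file to -iL), as an added example that is not part of the original article. It assumes Nmap's grepable output format (-oG), which prints one "Host: <ip> (<name>)  Status: Up" line per live host; the sample output and the addresses in it are constructed, not captured from a real network.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes nmap's grepable output (-oG): one "Host: <ip> (<name>)<TAB>Status: Up"
# line per live host. The sample below is constructed, not a real capture.

# sample_discovery: what "nmap -sn -oG - 192.168.1.0/24" might print for a small subnet.
sample_discovery() {
    printf '%b\n' \
        '# Nmap 7.93 scan initiated as: nmap -sn -oG - 192.168.1.0/24' \
        'Host: 192.168.1.1 (gateway.example)\tStatus: Up' \
        'Host: 192.168.1.10 ()\tStatus: Up' \
        'Host: 192.168.1.50 ()\tStatus: Down' \
        'Host: 192.168.1.200 (printer.example)\tStatus: Up' \
        '# Nmap done -- 256 IP addresses (3 hosts up) scanned in 2.10 seconds'
}

# live_hosts: read grepable output on stdin and print one IP per line
# for every host whose status is Up (comment lines and Down hosts are dropped).
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Against a real network (requires nmap and permission to scan), the same
# pipeline is:
#   nmap -sn -oG - 192.168.1.0/24 | live_hosts > live-hosts.txt
#   nmap -iL live-hosts.txt
# Offline, the constructed sample stands in for the scan:
sample_discovery | live_hosts
```

The -oG - form writes the grepable report to standard output, so the pipeline never leaves a stray file behind; the resulting one-IP-per-line file is exactly the newline-separated list that -iL accepts.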
Nmap reports each of these ports with one of three results:
- Open - An application is actively receiving packets
- Closed - The port is accessible, but there’s no application listening
- Filtered - Nmap can’t determine whether it’s open or closed
There are three other states (unfiltered, open|filtered, and closed|filtered). However, you'll generally only see these when running more advanced scans.
Next-level port scanning
Nmap can take port scanning further, providing details on the services listening on open ports.
One of the really impressive aspects of Nmap is its extensive database of 2,200+ services. It uses this database to correlate probe responses with the particular software and version listening on the port. You can use this information not only for developing a new network diagram but for verifying patching throughout your network.
Enabling this functionality is as simple as adding -sV to the open port scan command.
# nmap -iL <ip list> -sV
Identifying the OS
By now, you've enumerated the hosts on the network, their open ports, and the services running on those ports. There's just one thing missing: the host operating systems.
Like most things in Nmap, finding this information is just one flag away: -O
This is best combined with a service version scan:
# nmap -iL <ip list> -sV -O
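As an added example that is not part of the original article, the following shell helper turns the grepable output (-oG) of the scan above into a CSV inventory, one row per reported port, that can be pasted into a spreadsheet or diagramming tool. It assumes Nmap's documented -oG port entry layout (port/state/protocol/owner/service/rpc info/version) and the "OS:" field that -O adds; the two-host sample, its addresses, and its version strings are constructed, not captured from a real network.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes the -oG line layout: tab-separated fields, with "Ports:" holding
# comma-separated entries of the form port/state/proto/owner/service/rpcinfo/version
# and "OS:" holding the -O guess. The sample is constructed, not a real capture.

# sample_scan: what "nmap -iL live-hosts.txt -sV -O -oG -" might print for two hosts.
sample_scan() {
    printf '%b\n' \
        '# Nmap 7.93 scan initiated as: nmap -iL live-hosts.txt -sV -O -oG -' \
        'Host: 192.168.1.1 (gateway.example)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 443/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)\tOS: Linux 5.X' \
        'Host: 192.168.1.200 (printer.example)\tPorts: 9100/open/tcp//jetdirect///, 80/filtered/tcp//http///\tIgnored State: closed (998)\tOS: HP embedded' \
        '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 14.20 seconds'
}

# inventory: read -oG output on stdin and write one CSV row per listed port:
#   ip,hostname,port,proto,state,service,version,os
# Ports that Nmap folded into "Ignored State" have no individual entry and are not emitted.
inventory() {
    awk -F'\t' '
    /^Host:/ && /Ports:/ {
        ip = ""; host = ""; ports = ""; os = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Host: /) {
                split($i, h, " "); ip = h[2]; host = h[3]; gsub(/[()]/, "", host)
            } else if ($i ~ /^Ports: /) {
                ports = substr($i, 8)          # drop the "Ports: " label
            } else if ($i ~ /^OS: /) {
                os = substr($i, 5)             # drop the "OS: " label
            }
        }
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
            split(p[j], f, "/")                # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
            printf "%s,%s,%s,%s,%s,%s,%s,%s\n", ip, host, f[1], f[3], f[2], f[5], f[7], os
        }
    }'
}

# Against a real network (requires nmap and permission to scan):
#   nmap -iL live-hosts.txt -sV -O -oG - | inventory > inventory.csv
# Offline, the constructed sample stands in for the scan:
sample_scan | inventory
```

Keeping the state column (open, closed, filtered) in the CSV is deliberate: a filtered port on a host that should be fully reachable is often the first hint of a firewall rule the old diagram never mentioned, and the version column is what lets you compare the inventory against your patch records.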
Network enumeration complete
You now have the tools you need to scan and enumerate your new network.
Of course, there will be a few things left to figure out, such as missed or filtered ports, incorrect software versions, OS misidentification, or other details, but the bird's-eye view of your new network should be fairly complete.
Here's a quick review of what you’ve learned:
- Scan targets can take the form of hostnames, IPs, CIDR networks, or IP ranges
- -sn will perform a no port scan, a light-touch discovery method consisting of four probes
- -iL will import a list of IPs, separated by newlines, tabs, or spaces
- A default scan will scan all named ports plus ports 0-1024
- Port ranges can be defined with -p#-#, which will scan all ports in the range, inclusive
- Ports will generally be reported as open, closed, or filtered
- Determine the software and version listening on a port with -sV
- OS information is discovered by using -O
If you want to learn more, have a look at the man page (man 1 nmap), or pick up the book Nmap Network Scanning to become a real Nmap expert.