zoukankan html css js c++ java

Nmap之主机发现

文章目录

0x00 主机发现原理
0x01 基本扫描
0x02 Ping扫描
0x03 无Ping扫描
0x04 TCP SYN Ping扫描
0x05 TCP ACK Ping扫描
0x06 UDP Ping扫描
0x07 ICMP Ping Types扫描
0x08 ARP Ping扫描
0x09 列表扫描
0x10 禁止反向域名解析
0x11 反向域名解析
0x12 使用系统域名解析器
0x13 扫描一个IPv6地址
0x14 路由跟踪
0x15 SCTP INIT Ping扫描

0x00 主机发现原理

主机发现发现的原理与Ping命令类似，发送探测包到目标主机，如果收到回复，那么说明目标主机是开启的。Nmap支持十多种不同的主机探测方式，比如发送ICMP ECHO/TIMESTAMP/NETMASK报文、发送TCPSYN/ACK包、发送SCTP INIT/COOKIE-ECHO包，用户可以在不同的条件下灵活选用不同的方式来探测目标机。

主机发现基本原理：（以ICMP echo方式为例）

Nmap的用户位于源端，IP地址192.168.0.5，向目标主机192.168.0.3发送ICMP Echo Request。如果该请求报文没有被防火墙拦截掉，那么目标机会回复ICMP Echo Reply包回来。以此来确定目标主机是否在线。

默认情况下，Nmap会发送四种不同类型的数据包来探测目标主机是否在线。

ICMP echo request
a TCP SYN packet to port 443
a TCP ACK packet to port 80
an ICMP timestamp request

依次发送四个报文探测目标机是否开启。只要收到其中一个包的回复，那就证明目标机开启。使用四种不同类型的数据包可以避免因防火墙或丢包造成的判断错误。

主机发现常用命令

选项	解释
`-sP`	Ping扫描
`-P0`	无Ping扫描
`-PS`	TCP SYN Ping扫描
`-PA`	TCP ACK Ping扫描
`-PU`	UDP Ping 扫描
`-PE；-PP；-PM`	ICMP Ping Types 扫描
`-PR`	ARP Ping 扫描
`-n`	禁止DNS反向解析
`-R`	反向解析域名
`--system-dns`	使用系统域名解析器
`sL`	列表扫描
`-6`	扫描IPv6地址
`--traceroute`	路由跟踪
`-PY`	SCTP INIT Ping

0x01 基本扫描

该扫描方式可以针对IP或者域名进行扫描，扫描方式迅速，可以很方便地发现目标端口的开放情况及主机在线情况。使用命令为如下格式：

# IP
nmap 10.10.10.148
# 域名
nmap www.furi.com.cn

若主机不存活，扫描得到的结果如下图所示：

λ nmap 10.10.10.148			# 基本扫描，扫IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:00 ?D1ú±ê×?ê±??
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.66 seconds		# 结果主机不存活

该命令执行结果和nmap -sP 10.10.10.148命令的执行结果一致。

若主机存活，则扫描得到的结果如下图所示：

λ nmap www.furi.com.cn             # 基本扫描，扫域名                         
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 13:36 
Nmap scan report for www.furi.com.cn (58.215.65.32)         
Host is up (0.029s latency).                                
Not shown: 975 closed ports                                 
PORT      STATE    SERVICE         # 主机中端口和服务扫描结果                         
21/tcp    open     ftp             # ftp协议的21号端口开放                         
42/tcp    filtered nameserver      # nameserver服务的42号端口可能被过滤               
53/tcp    open     domain                                   
80/tcp    open     http                                     
135/tcp   filtered msrpc                                    
139/tcp   filtered netbios-ssn                              
445/tcp   filtered microsoft-ds                             
593/tcp   filtered http-rpc-epmap                           
901/tcp   filtered samba-swat                               
1025/tcp  filtered NFS-or-IIS                               
1433/tcp  open     ms-sql-s                                 
1434/tcp  filtered ms-sql-m                                 
3128/tcp  filtered squid-http                               
3306/tcp  open     mysql                                    
3389/tcp  open     ms-wbt-server                            
4444/tcp  filtered krb524                                   
6129/tcp  filtered unknown                                  
6669/tcp  filtered irc                                      
49152/tcp open     unknown                                  
49153/tcp open     unknown                                  
49154/tcp open     unknown                                  
49155/tcp open     unknown                                  
49156/tcp open     unknown                                  
49158/tcp open     unknown                                  
49167/tcp open     unknown                                  
                                                            
Nmap done: 1 IP address (1 host up) scanned in 3.77 seconds

该命令执行结果和nmap -P0 www.furi.com.cn命令的执行结果一致。

0x02 Ping扫描

Ping扫描只进行Ping，然后显示出在线的主机，使用该选项扫描可以轻易地获取目标信息而不会被轻易发现。在默认的情况下，Nmap会发送一个ICMP回声请求和一个TCP报文到目标端口。Ping扫描的优点是不会返回太多结果信息且效率很高，但不能保证扫描结果的准确性。

λ nmap -sP 10.10.10.148-150			# 对指定范围内的IP进行Ping扫描
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:35 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148   	# 扫描10.10.10.148主机
Host is up (0.00s latency).				# 确定主机存活
MAC Address: 00:0C:29:7C:0C:79 (VMware)		# 主机的MAC地址
Nmap done: 3 IP addresses (1 host up) scanned in 1.65 seconds

0x03 无Ping扫描

无Ping扫描常用于防火墙禁止Ping的情况下，它能确定正在运行的主机。默认情况下，Nmap只对正在运行的主机进行高强度的探测，如端口扫描、版本探测、操作系统探测等。使用-P0选项后禁止使用Ping进行主机发现而会对每一个指定目标的IP地址进行扫有要求的扫描，这可以穿透防火墙也可以避免被防火墙发现。

命令格式：nmap -P0 [协议1、协议2、...] 目标

λ nmap -P0 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 14:46 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.00094s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.64 seconds

如果没有指定任何协议，Nmap会默认使用协议1、协议2、协议4，如果想知道这些协议的如何判断目标主机是否存活可以使用--packet-trace选项。
```
nmap -P0 --packet-trace 10.10.10.148
```
Nmap支持的协议和编号如下所示
- TCP：对应协议编号为6.
- UDP：对应协议编号为17.
- ICMP：对应协议编号为1.
- IGMP：对应协议编号为2.
```
nmap -P0 6,17,2 10.10.10.148
```

0x04 TCP SYN Ping扫描

通常情况下，Nmap默认Ping扫描是使用TCP SYN和ICMP ECHO请求对目标进行是否存活的响应，当目标主机的防火墙阻止这些请求时，可以使用TCP SYN Ping扫描来进行对目标主机存活的判断。

λ nmap -PS 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:33 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.00085s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds

-PS选项发送一个设置为SYN标志位的空TCP报文，默认目的端口为80，但不同的端口也可以作为选项指定，设置可以指定一个以逗号分隔的端口列表，每个端口会被并发地扫描。
```
nmap -PS80,100-200 10.10.10.148
```

0x05 TCP ACK Ping扫描

很多防火墙会封锁SYN报文，所以Nmap还提供了TCP ACK Ping扫描，与YCP SYN Ping不同的是TCP的标志位是ACK而不是SYN。Nmap发送一个ACK标志的TCP包给目标主机，如果目标主机不是存活状态则不响应该请求，如果目标主机在线会返回一个RST包。

λ nmap -PA 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:48 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.00052s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

Nmap提供的TCP SYN Ping和TCP ACK Ping两种方式可以同时使用
```
nmap -PA -PS 10.10.10.148
```

0x06 UDP Ping扫描

使用UDP Ping扫描时Nmap会发送一个空的UDP包到目标主机，如果目标主机响应则返回一个ICMP端口不可达错误，如果目标不是存活状态则会返回各种ICMP报错信息。-PU选项是发送一个空的UDP报文到指定端口。如果不指定端口则默认是40125。

λ nmap -PU 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 15:55 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.0011s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds

-PU选项也可以指定端口
```
nmap -PU80,100 10.10.10.148
```

0x07 ICMP Ping Types扫描

使用-PE,-PP,-PM选项可以进行ICMP Ping Types扫描。

-PE选项打开该回声请求功能；
-PP选项是ICMP时间戳Ping扫描，虽然大多数的防火墙配置不允许ICMP Echo请求，但由于配置不当可能回复ICMP时间戳请求，所以可以使用ICMP时间戳来确定主机是否存活；
-PM选项可以进行ICMP地址掩码Ping扫描。

nmap -PE 10.10.10.148
nmap -PP 10.10.10.148
nmap -PM 10.10.10.148

0x08 ARP Ping扫描

-PR选项通常在扫描局域网时使用。ARP Ping扫描是Nmap对目标进行一个ARP Ping的过程，尤其在内网的情况下，使用ARP Ping扫描方式是最有效的，在本地局域网中防火墙不会禁止ARP请求，所以在内容中使用ARP Ping非常有效。默认情况下若nmap与目标主机在同一局域网中，会默认进行ARP扫描，若不想使用可以指定--send-ip。

λ nmap -PR 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:13 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.00066s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

0x09 列表扫描

列表扫描是主机发现的一种退化形式，它仅仅列出指定网络上的每台主机，不发送任何报文到目标主机。默认情况下，Nmap仍然对主机进行反向域名解析以获取他们的名字。

λ nmap -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:39 ?D1ú±ê×?ê±??
Nmap scan report for 127.0.0.0
Nmap scan report for transact.netsarang.com (127.0.0.1)
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 3.64 seconds

0x10 禁止反向域名解析

-n选项意为禁止解析域名，使用该选项时Nmap永远不会对目标主机IP地址作反向域名解析。

λ nmap -n -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:40 ?D1ú±ê×?ê±??
Nmap scan report for 127.0.0.0
Nmap scan report for 127.0.0.1
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.22 seconds

0x11 反向域名解析

-R选项意为反向解析域名，使用该选项时Nmap永远对目标IP地址做反向域名解析。

λ nmap -R -sL 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:40 ?D1ú±ê×?ê±??
Nmap scan report for 127.0.0.0
Nmap scan report for transact.netsarang.com (127.0.0.1)
Nmap scan report for 127.0.0.2
Nmap scan report for 127.0.0.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 1.07 seconds

0x12 使用系统域名解析器

--system-dns意为使用系统域名解析器。默认情况下，Nmap通过直接发送查询到您主机上配置的域名服务器来解析域名。为了提高性能，许多请求并发执行。如果希望使用系统自带的解析器，就指定该选项。

λ nmap --system-dns 127.0.0.1/30
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:45 ?D1ú±ê×?ê±??
Nmap scan report for 127.0.0.0
Host is up.
All 1000 scanned ports on 127.0.0.0 are filtered

Nmap scan report for transact.netsarang.com (127.0.0.1)
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
443/tcp   open  https
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
1001/tcp  open  webpush
5357/tcp  open  wsdapi
6000/tcp  open  X11
50000/tcp open  ibm-db2

Nmap scan report for 127.0.0.2
Host is up (0.0017s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
808/tcp  open  ccproxy-http
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi

Nmap scan report for 127.0.0.3
Host is up (0.0018s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
808/tcp  open  ccproxy-http
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
5357/tcp open  wsdapi

Nmap done: 4 IP addresses (4 hosts up) scanned in 18.36 seconds

0x13 扫描一个IPv6地址

λ nmap -6 fe80::a8b7:c0a2:aa08:4655
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 17:11 ?D1ú±ê×?ê±??
Nmap scan report for fe80::a8b7:c0a2:aa08:4655
Host is up.
All 1000 scanned ports on fe80::a8b7:c0a2:aa08:4655 are filtered

Nmap done: 1 IP address (1 host up) scanned in 202.67 seconds

0x14 路由跟踪

使用--traceroute选线即可进行路由跟踪，使用路由跟踪功能可以帮助用户了解网络的同行情况，通过此选项可以轻松查出从本地计算机到目标之间所经过的网络节点，并可以看到通过各个节点的时间。

λ nmap --traceroute -v 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 16:57 ?D1ú±ê×?ê±??
Initiating ARP Ping Scan at 16:57
Scanning 10.10.10.148 [1 port]
Completed ARP Ping Scan at 16:57, 0.62s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:57
Completed Parallel DNS resolution of 1 host. at 16:58, 2.55s elapsed
Initiating SYN Stealth Scan at 16:58
Scanning 10.10.10.148 [1000 ports]
Discovered open port 3306/tcp on 10.10.10.148
Discovered open port 445/tcp on 10.10.10.148
Discovered open port 135/tcp on 10.10.10.148
Discovered open port 3389/tcp on 10.10.10.148
Discovered open port 80/tcp on 10.10.10.148
Discovered open port 81/tcp on 10.10.10.148
Discovered open port 8009/tcp on 10.10.10.148
Discovered open port 8008/tcp on 10.10.10.148
Discovered open port 49153/tcp on 10.10.10.148
Discovered open port 8200/tcp on 10.10.10.148
Discovered open port 8021/tcp on 10.10.10.148
Discovered open port 8084/tcp on 10.10.10.148
Discovered open port 49154/tcp on 10.10.10.148
Discovered open port 49157/tcp on 10.10.10.148
Discovered open port 83/tcp on 10.10.10.148
Discovered open port 8081/tcp on 10.10.10.148
Discovered open port 1433/tcp on 10.10.10.148
Discovered open port 8031/tcp on 10.10.10.148
Discovered open port 49155/tcp on 10.10.10.148
Discovered open port 89/tcp on 10.10.10.148
Discovered open port 8086/tcp on 10.10.10.148
Discovered open port 85/tcp on 10.10.10.148
Discovered open port 90/tcp on 10.10.10.148
Discovered open port 8085/tcp on 10.10.10.148
Discovered open port 8001/tcp on 10.10.10.148
Discovered open port 139/tcp on 10.10.10.148
Discovered open port 8002/tcp on 10.10.10.148
Discovered open port 88/tcp on 10.10.10.148
Discovered open port 8007/tcp on 10.10.10.148
Discovered open port 8022/tcp on 10.10.10.148
Discovered open port 49152/tcp on 10.10.10.148
Discovered open port 8088/tcp on 10.10.10.148
Discovered open port 84/tcp on 10.10.10.148
Discovered open port 82/tcp on 10.10.10.148
Discovered open port 8082/tcp on 10.10.10.148
Discovered open port 8010/tcp on 10.10.10.148
Discovered open port 49156/tcp on 10.10.10.148
Completed SYN Stealth Scan at 16:58, 1.37s elapsed (1000 total ports)
Nmap scan report for 10.10.10.148
Host is up (0.00034s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 10.10.10.148

Read data files from: D:RolanToolsInfoGatheringNmap
Nmap done: 1 IP address (1 host up) scanned in 5.17 seconds
           Raw packets sent: 1093 (48.076KB) | Rcvd: 1001 (40.176KB)

0x15 SCTP INIT Ping扫描

SCTP是IETF在2000年定义的一个传输层协议。SCTP可看作是TCP协议的改进，它改进了TCP的一些不足，SCTF INIT Ping扫描通过向目标发送INIT包，根据目标主机的响应判断目标主机是否存活。

λ nmap -PY 10.10.10.148
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 17:03 ?D1ú±ê×?ê±??
Nmap scan report for 10.10.10.148
Host is up (0.0015s latency).
Not shown: 963 closed ports
PORT      STATE SERVICE
80/tcp    open  http
81/tcp    open  hosts2-ns
82/tcp    open  xfer
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
88/tcp    open  kerberos-sec
89/tcp    open  su-mit-tg
90/tcp    open  dnsix
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
8001/tcp  open  vcom-tunnel
8002/tcp  open  teradataordbms
8007/tcp  open  ajp12
8008/tcp  open  http
8009/tcp  open  ajp13
8010/tcp  open  xmpp
8021/tcp  open  ftp-proxy
8022/tcp  open  oa-system
8031/tcp  open  unknown
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8084/tcp  open  unknown
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8200/tcp  open  trivnet1
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
MAC Address: 00:0C:29:7C:0C:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.49 seconds

查看全文

相关阅读:
SQL Server 添加数据库没有权限等
 网站图片优化的重要性与技巧方案
 5年前端经验小伙伴教你纯css3实现饼状图
 css3 斜切角/斜边的实现方式来自BAT大神的出品
 Validate表单验证插件之常用参数介绍
 html实现邮箱发送邮件_js发送邮件至指定邮箱功能
 css重设样式_清除浏览器的默认样式
 大厂前端工程师教你如何使用css3绘制任意角度扇形+动画
 WordPress教程之如何批量删除未引用（无用）的TAG标签
 css引入的方式有哪些_四种css的引入方式与特点

原文地址：https://www.cnblogs.com/z1r0s/p/14284137.html