Nmap Notes

程序员文章站 2022-03-05 15:34:06
Nmap's normal execution flow:

1. DNS resolution
nmap --dns-servers 8.8.8.8,8.8.4.4 scanme.nmap.org
2. Ping to check whether the host is alive
Skip it with:
nmap -PN scanme.nmap.org
3. Reverse DNS resolution, IP to hostname (disable with -n):
nmap -n scanme.nmap.org
4. Port scan (by default ports 1-65535); restrict it with -p:
nmap -p1-30 scanme.nmap.org

Users with raw-packet privileges can build packets themselves, so the default is the SYN Stealth Scan; unprivileged users can only use the TCP Connect Scan.

Scan result (port state) types:
Open
Closed
Filtered: the probe packets are apparently being dropped by a filter
Open|Filtered: either filtered or open, but Nmap cannot tell which
Closed|Filtered: as above, either closed or filtered

http://nmap.org/book/man-port-scanning-techniques.html

Version detection:  nmap -sV scanme.nmap.org

nmap -sV --version-intensity 9

nmap -A              aggressive mode, which combines the four options below
nmap -O              OS detection
nmap -sV             version detection
nmap -sC             script scanning
nmap --traceroute    traceroute

Finding live hosts in a network
nmap -sP 192.168.1.1/24

Enumerating live hosts:
with raw-packet privileges, Nmap uses TCP ACK packets and ICMP echo requests
without them it cannot build raw packets, so it uses connect() to send SYN packets

On the local network an ARP request is made instead; this step can be skipped, but raw-packet privileges are required:
nmap -sP --send-ip 192.168.1.1/24

The --traceroute option shows the intermediate hops between you and the target.

Using NSE scripts for discovery:
nmap -sP --script discovery 192.168.1.1/24

Scanning only port 80 (and other port specifications):
nmap -p80 192.168.1.1/24
nmap -p80,443 192.168.1.1/24
nmap -p80-443 192.168.1.1/24
nmap -pT:25,U:53 target          the protocol is given per port
nmap -p smtp <target>
nmap -p smtp* <target>
nmap -p[1-65535] <target>         only ports registered in Nmap's services file

Using NSE:
nmap -sV --script http-title scanme.nmap.org
Several scripts at once:
nmap --script http-headers,http-title scanme.nmap.org

Running NSE scripts by category, expression or folder:
nmap -sV --script vuln <target>            run the scripts in the vuln category
nmap -sV --script="version,discovery" <target>        run the scripts in the categories 'version' and 'discovery'
nmap -sV --script "not exploit" <target>     run all scripts except those in the exploit category
nmap -sV --script "(http.*) and not (http-slowloris or http-brute)" <target>

When debugging scripts, set the debug level (0-9) with -d:
nmap -sV --script exploit -d 3 --script-trace 192.168.1.1

NSE script arguments
For example, to set the HTTP library's useragent:
nmap -sV --script http-title --script-args http.useragent="Mozilla 999" <target>

Adding a new script:
1. copy the script into the scripts/ directory
2. update the script database: nmap --script-updatedb

Specifying the network interface to use:
nmap -e <INTERFACE> scanme.nmap.org

The Ndiff tool can be used to compare two XML scan results.

Nping is a tool for troubleshooting firewall and routing problems; in echo mode it displays the packets it receives back:
nping --ec "public" -c 1 echo.nmap.org

Generating TCP packets: send one TCP SYN packet to port 80
nping --tcp --flags syn -p80 -c 1 192.168.1.254
——————————————————————————————————
ping scanning techniques
TCP SYN
TCP ACK
UDP
IP
ICMP
broadcast

A ping scan (-sP) is used to find live hosts.
By default Nmap uses TCP ACK and ICMP to decide whether a host is alive.
TCP SYN ping:        nmap -sP -PS 192.168.1.1/24
How it works:
a TCP SYN is sent to port 80 of the target
if the port is closed, an RST comes back
if the port is open, a TCP SYN/ACK comes back, and Nmap then sends an RST
The probe ports can be chosen:
nmap -sP -PS80,21-25 <target>
TCP ACK ping:        nmap -sP -PA <target>
How it works:
an empty TCP packet with the ACK flag set is sent to port 80 of the target
if the host is down, there is no response
if the host is up, an RST comes back
The probe ports can be chosen:
nmap -sP -PA80,21-25 <target>
UDP ping scan:
nmap -sP -PU <target>
How it works:
Nmap sends an empty UDP packet to port 31338 of the target
if the host responds, an ICMP port unreachable comes back
if the host is down, various other ICMP error messages come back
Choosing the probe ports:
nmap -sP -PU1337,11111 scanme.nmap.org
ICMP ping scan:
nmap -sP -PE scanme.nmap.org
How it works:
an ICMP packet is sent to the target; any reply proves it is online
Nmap also supports timestamp reply (-PP) and address mask reply (-PM) probes to get past firewalls:
nmap -sP -PP <target>
nmap -sP -PM <target>
IP protocol ping scan:
nmap -sP -PO scanme.nmap.org
How it works:
IGMP, IP-in-IP and ICMP packets are sent, and any response marks the host as online; --packet-trace shows more detail
nmap -sP -PO --packet-trace scanme.nmap.org
The protocols can be specified:
nmap -sP -PO1,2,4 scanme.nmap.org         1 ICMP, 2 IGMP, 6 TCP, 17 UDP
These packets are empty by default; their length can be set:
nmap -sP -PO --data-length 100 scanme.nmap.org
ARP ping scan:
nmap -sP -PR 192.168.1.1/24
How it works: an ARP request is sent to the target; a reply means it is online
nmap -sP -PR --packet-trace 192.168.1.254
On the local network ARP is always used, whatever ping options are given to Nmap; to force it not to use ARP there, add --send-ip
nmap -sP -PS --packet-trace --send-ip 192.168.1.254
Spoofing the MAC address: --spoof-mac
nmap -sP -PR --spoof-mac 5C:4C:A9:F2:DC:7C

Broadcast pings
nmap --script broadcast-ping
How it works: an ICMP packet is sent to the local broadcast address 255.255.255.255 and the replies are collected.
nmap --script broadcast-ping --packet-trace
Increase the number of ICMP echo probes with broadcast-ping.num_probes:
nmap --script broadcast-ping --script-args broadcast-ping.num_probes=5
Increase the timeout:
nmap --script broadcast-ping --script-args broadcast-ping.timeout=10000
Specify the interface; if none is given, probes are sent on all interfaces:
nmap --script broadcast-ping --script-args broadcast-ping.interface=wlan3

Hiding our traffic with additional random data
Using random data as payload:
nmap -sS -PS --data-length 300 scanme.nmap.org
Forcing DNS resolution:
nmap -sS -PS -F -R xx.xx.xx.220-230
-sS TCP SYN stealth scan
-PS SYN ping
-F fast port scan
-R always perform DNS resolution
To disable DNS resolution, use -n

Specifying different DNS nameservers:
nmap -sS -R --dns-servers 8.8.8.8,8.8.4.4 <target>

Excluding hosts from the scan:
nmap -sV -O --exclude 192.168.1.120,192.168.1.254 192.168.1.1/24
From a file:
nmap -sV -O --exclude-file dontscan.txt 192.168.1.1/24

Nmap and IPv6
nmap -6 ::1        -6 selects IPv6
nmap -6 -sT --traceroute ::1

Gathering network information with broadcast scripts
nmap --script broadcast
The default timeout is 10 seconds, which is not enough for large networks:
nmap --script broadcast --script-args target-sniffer.timeout=30

Target library
nmap --script broadcast-ping --script-args newtargets             add the discovered hosts as new targets

————————–
3. Gathering Additional Host Information
Three scripts can be used to geolocate a remote IP address:
ip-geolocation-maxmind, ip-geolocation-ipinfodb and ip-geolocation-geobytes
nmap --script ip-geolocation-* <target>

Getting information from WHOIS records
nmap --script whois <target>
Hostname list: -iL <inputfile>
nmap -sn --script whois -v -iL hosts.txt

Checking if a host is known for malicious activities
This allows us to check whether a host is known for distributing malware or being used in phishing attacks, with some help from the Google Safe Browsing API.
A Google Safe Browsing API key must be registered: http://code.google.com/apis/safebrowsing/key_signup.html
nmap -p80 --script http-google-malware --script-args http-google-malware.api=<API> <target>

Collecting valid email accounts
The scripts are http-google-email and http-email-harvest:
nmap -p80 --script http-google-email,http-email-harvest <target>
How it works:
1. http-google-email searches Google web and Google Groups results for email addresses of the given domain
2. http-email-harvest records every email address found on the target site
nmap -p80 --script http-email-harvest --script-args httpspider.maxpagecount=50 <target>
nmap -p80 --script http-email-harvest --script-args httpspider.url=/welcome.php <target>
nmap -p80 --script http-google-email --script-args pages=10 scanme.nmap.org
HTTP User-Agent argument:
nmap -p80 --script http-email-harvest --script-args http.useragent="Mozilla 42"

Finding other domains hosted on the same IP: script ip2hosts

Brute forcing DNS records
nmap --script dns-brute <target>
Custom wordlist:    nmap --script dns-brute --script-args dns-brute.hostlist=words.txt <target>
Number of threads:  nmap --script dns-brute --script-args dns-brute.threads=8 <target>
Host operating system
nmap -O <target>
When detection fails:
nmap -O -p- --osscan-guess <target>
Discovering UDP services
Finding all open UDP ports:
nmap -sU -p- <target>
How it works:
1. unless a payload is specified via nmap-payloads, an empty UDP packet is sent to the target
2. if the port is closed, an ICMP port unreachable comes back
3. if the port is open, UDP data comes back
4. if there is no response, the port is considered open|filtered

-F fast port scan
nmap -F -sU -p1-25 <target>

Listing protocols supported by a remote host
nmap -sO <target>
Specifying which protocols to scan with -p:
nmap -p1,3,5 -sO <target>

Discovering stateful firewalls by using a TCP ACK scan
Tells whether the firewall protecting a host is stateful or stateless:
nmap -sA <target>
Matching services with known security vulnerabilities
NSE vulscan:         http://www.computec.ch/mruef/?s=software&l=e

Port scanning with a spoofed source IP (idle scan)
Requires a zombie host whose IP ID sequence is predictable; find one with the ipidseq script:
nmap -p80 --script ipidseq <your ip>/24
nmap -p80 --script ipidseq -iR 1000

Scan:
nmap -Pn -sI <zombie host> <target>

How it works:
1. Nmap knows the zombie host's IP ID sequence
2. Nmap pretends to be the zombie host and sends packets to the target with the zombie's address as the source
3. if the port is open, the target replies with SYN/ACK to the zombie, whose IP ID counter is incremented by one
4. Nmap reads the zombie's IP ID to learn the state of the target's port
OS detection:
nmap -O target
How it works:

http://nmap.org/book/osdetect-methods.html

————————————————————–
Chapter 4 Auditing Web Servers
Listing supported HTTP methods
nmap -p80,443 --script http-methods scanme.nmap.org
How it works:
it uses the HTTP OPTIONS method
Arguments:
nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org     check the status codes returned for the methods reported by OPTIONS
nmap -p80,443 --script http-methods --script-args http-methods.url-path=/mypath/ scanme.nmap.org     set the base path
nmap -p80,443 --script http-methods --script-args http.useragent="Mozilla 42" <target>
nmap -p80,443 --script http-methods --script-args http.pipeline=25 <target>
nmap -p80,443 --script http-methods --script-args http.max-pipeline=25 <target>
Checking whether an HTTP proxy is open:
nmap --script http-open-proxy -p8080 <target>
Arguments: http-open-proxy.url, http-open-proxy.pattern

Discovering interesting files and directories on various web servers
nmap --script http-enum -p80 <target>
Fingerprints are stored in nselib/data/http-fingerprints.lua
Using a different fingerprint file:
nmap --script http-enum --script-args http-enum.fingerprintfile=./myfingerprints.txt -p80 <target>
Brute forcing HTTP authentication
nmap -p80 --script http-brute --script-args http-brute.path=/admin/ <target>
Default wordlists: nselib/data/usernames.lst (and passwords.lst)
Arguments:
Because the script uses the NSE libraries unpwdb and brute, some of their arguments apply too:
nmap -p80 --script http-brute --script-args userdb=/var/username.txt,passdb=/var/passwords.txt <target>
nmap -p80 --script http-brute --script-args brute.firstOnly <target>     stop after the first valid credential
nmap -p80 --script http-brute --script-args unpwdb.timelimit=60m <target>
Brute modes:
user: try every password for each user
--script-args brute.mode=user
pass: try every user for each password
--script-args brute.mode=pass
creds: try user/password pairs one by one
--script-args brute.mode=creds,brute.credfile=./creds.txt <target>
Abusing mod_userdir to enumerate user accounts
Apache exposes per-user directories as /~username/, so user names can be enumerated
nmap -p80 --script http-userdir-enum <target>
Arguments:
nmap -p80 --script http-userdir-enum --script-args userdir.users=./users.txt <target>

Testing default credentials in web applications: http-default-accounts
nmap -p80 --script http-default-accounts <target>
Fingerprint file: nselib/data/http-default-accounts.nse
--script-args http-default-accounts.category=routers         categories: web, router, voip, security
--script-args http-default-accounts.basepath=/web/
--script-args http-default-accounts.fingerprintfile=./more-signatures.txt
Brute-force password auditing WordPress installations
nmap -p80 --script http-wordpress-brute <target>          tries to find weak passwords
Arguments:
--script-args http-wordpress-brute.threads=5 <target>
--script-args http-wordpress-brute.hostname="ahostname.wordpress.com" <target>     for virtual hosts
--script-args http-wordpress-brute.uri="/hidden-wp-login.php"        specify the login page
--script-args http-wordpress-brute.uservar=myuser,http-wordpress-brute.passvar=passgroud
--script-args brute.mode=[user|pass|creds,brute.credfile='./creds.txt']
Brute-force password auditing Joomla installations
nmap -p80 --script http-joomla-brute <target>
Arguments:
--script-args http-joomla-brute.threads=5
--script-args http-joomla-brute.hostname="hostname.com"
--script-args http-joomla-brute.uri="/joomla/admin/login.php"
--script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>
--script-args brute.mode=[user|pass|creds,brute.credfile='./creds.txt']
Detecting web application firewalls
nmap -p80 --script http-waf-detect <target>
How it works: it sends malicious payloads and checks whether a WAF or IPS blocks them.
The script first saves the status code and body of a normal page, then compares them with the response to a request carrying the malicious payloads; because the payloads are placed in additional variables, they should not affect the application itself.
Arguments:
--script-args "http-waf-detect.detectBodyChanges"         detect changes in the body of dynamic pages; recommended
--script-args "http-waf-detect.aggro"         use more payloads, which accordingly produces more results
--script-args http-waf-detect.uri=/webapp/

Detecting possible XST vulnerabilities (Cross Site Tracing)
When the TRACE method is enabled and an XSS vulnerability exists, the httpOnly restriction on cookies can be bypassed, so check whether TRACE is supported:
nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
Arguments:
--script-args http-methods.retest,http-trace.path=/secret/,http-methods.url-path=/secret/
Detecting XSS vulnerabilities in web applications
nmap -p80 --script http-unsafe-output-escaping <target>
For PHP servers:
nmap -p80 --script http-phpself-xss,http-unsafe-output-escaping <target>
--script-args httpspider.withinhost=false <target>
--script-args httpspider.maxdepth=10
Finding SQL injection vulnerabilities in web applications
nmap -p80 --script http-sql-injection <target>
The database error messages used to recognise SQL injection are listed in:
nselib/data/http-sql-errors.lst
Arguments:
--script-args httpspider.maxpagecount=20
--script-args httpspider.withinhost=false
--script-args httpspider.maxdepth=10
--script-args http.useragent
--script-args http.pipeline=25
--script-args http.max-pipeline=10

Detecting web servers vulnerable to the slowloris denial of service attack
nmap -p80 --script http-slowloris --max-parallelism 300 <target>

http://ha.ckers.org/slowloris/

Arguments:
Set the interval between header sends:
nmap -p80 --script http-slowloris --script-args http-slowloris.send_interval=200 --max-parallelism 300
nmap -p80 --script http-slowloris --script-args http-slowloris.timelimit=15m <target>        set the time limit
nmap -p80 --script http-slowloris --script-args http-slowloris.runforever <target>         run without a time limit
Another script with the same purpose: http-slowloris-check
nmap -p80 --script http-slowloris-check <target>

————————————————————————————
Chapter 5 Auditing Databases

Listing MySQL databases
nmap -p3306 --script mysql-databases --script-args mysqluser=<user>,mysqlpass=<password> <target>
If the root password is empty:
nmap -p3306 --script mysql-empty-password,mysql-databases <target>
Listing MySQL users
nmap -p3306 --script mysql-users --script-args mysqluser=<user>,mysqlpass=<pass> <target>
With an empty password:
nmap -sV --script mysql-empty-password,mysql-databases,mysql-users <target>
Listing MySQL variables
nmap -p3306 --script mysql-variables --script-args mysqluser=<root>,mysqlpass=<pass> <target>
Finding root accounts with empty passwords in MySQL servers
nmap -p3306 --script mysql-empty-password <target>
Brute forcing MySQL passwords
nmap -p3306 --script mysql-brute <target>
Arguments:
Using other wordlists:
nmap -p3306 --script mysql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
Stop at the first match:
nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=0 <target>
nmap -p3306 --script mysql-brute --script-args unpwdb.timelimit=60m <target>
Brute modes:
--script-args brute.mode=user
--script-args brute.mode=pass
--script-args brute.mode=creds,brute.credfile=./creds.txt
Detecting insecure configurations in MySQL servers
nmap -p3306 --script mysql-audit --script-args 'mysql-audit.username="<username>",mysql-audit.password="<password>",mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit' <target>

Brute forcing Oracle passwords
nmap -sV --script oracle-brute --script-args oracle-brute.sid=TEST <target>
Update nselib/data/oracle-default-accounts.lst to add any default accounts.
Arguments:
nmap -sV --script oracle-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -sV --script oracle-brute --script-args brute.firstOnly <target>
nmap -sV --script oracle-brute --script-args unpwdb.timelimit=60m <target>
nmap -sV --script oracle-brute --script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt] <target>
Brute forcing Oracle SID names
nmap -sV --script oracle-sid-brute <target>
Arguments:
nmap -sV --script oracle-sid-brute --script-args oraclesids=/home/pentests/sids.txt <target>
Retrieving MS SQL server information
nmap -p1433 --script ms-sql-info <target>
If port 445 is open, you can use it to retrieve the information via SMB pipes:
nmap -sV --script-args mssql.instance-name=MSSQLSERVER --script ms-sql-info -p445 -v <target>
nmap -sV --script-args mssql.instance-all --script ms-sql-info -p445 -v <target>
Force scanned ports only in NSE scripts for MS SQL:
nmap -p1433 --script-args mssql.scanned-ports-only --script ms-sql-* -v <target>
Brute forcing MS SQL passwords
nmap -p1433 --script ms-sql-brute <target>
Arguments:
If the SMB port is open, the script can run over pipes, selected with mssql.instance-all or mssql.instance-name:
nmap -p445 --script ms-sql-brute --script-args mssql.instance-all <target>
nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p1433 --script ms-sql-brute --script-args brute.firstOnly <target>
nmap -p1433 --script ms-sql-brute --script-args unpwdb.timelimit=60m <target>
nmap -p1433 --script ms-sql-brute --script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt] <target>
Dumping the password hashes of an MS SQL server
For a default empty password:
nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
Running commands through the command shell on MS SQL servers
xp_cmdshell
nmap --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>
By default ms-sql-xp-cmdshell runs ipconfig /all, but the command can be changed with an argument:
nmap --script-args 'ms-sql-xp-cmdshell.cmd="<command>",mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>
Empty password:
nmap --script ms-sql-xp-cmdshell,ms-sql-empty-password -p1433 <target>
Finding system accounts with empty passwords on MS SQL servers
nmap -p1433 --script ms-sql-empty-password -v <target>
nmap -sV --script-args mssql.instance-name=MSSQLSERVER --script ms-sql-empty-password -p445 -v <target>
nmap -sV --script-args mssql.instance-all --script ms-sql-empty-password -p445 -v <target>

Listing MongoDB databases
nmap -p27017 --script mongodb-databases <target>
Retrieving MongoDB server information
nmap -p27017 --script mongodb-info <target>
Listing CouchDB databases
nmap -p5984 --script couchdb-databases <target>
Retrieving CouchDB database statistics
nmap -p5984 --script couchdb-stats 127.0.0.1
———————————————————————
Chapter 6 Auditing Mail Servers

Discovering valid e-mail accounts using Google Search
Get http-google-email.nse from: http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse
nmap -p80 --script http-google-email <target>
Arguments:
nmap -p80 --script http-google-email --script-args http-google-email.domain=<hostname> <target>
nmap -p80 --script http-google-email --script-args http-google-email.pages=10 <target>
Debugging NSE scripts
-d enables debugging; you can set any integer between 0 and 9
nmap -p80 --script http-google-email -d4 <target>
Detecting open relays
nmap -sV --script smtp-open-relay -v <target>
You can specify an alternate IP address or domain name with the script arguments smtp-open-relay.ip and smtp-open-relay.domain:
nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.ip=<ip> <target>
nmap -sV --script smtp-open-relay -v --script-args smtp-open-relay.domain=<domain> <target>
Brute forcing SMTP passwords
nmap -p25 --script smtp-brute <target>
Supported methods: LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM
Default wordlists: nselib/data/usernames.lst and nselib/data/passwords.lst
Arguments:
nmap -p25 --script smtp-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p25 --script smtp-brute --script-args brute.firstOnly <target>         stop after the first match
nmap -p25 --script smtp-brute --script-args unpwdb.timelimit=0 <target>
nmap -p25 --script smtp-brute --script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt] <target>
Enumerating users in an SMTP server
nmap -p25 --script smtp-enum-users <target>
How it works: it uses the SMTP commands RCPT, VRFY and EXPN to determine whether an account exists; the commands to use can be specified:
nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY,EXPN,RCPT} <target>
Setting a different domain:
nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.domain=<domain> <target>
--script-args userdb=/var/usernames.txt,brute.firstOnly,unpwdb.timelimit=0
Detecting backdoor SMTP servers
nmap -sV --script smtp-strangeport <target>

Brute forcing IMAP passwords
nmap -p143 --script imap-brute <target>
nmap -p143 --script imap-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p143 --script imap-brute --script-args brute.firstOnly <target>
nmap -p143 --script imap-brute --script-args unpwdb.timelimit=0 <target>
nmap -p143 --script imap-brute --script-args brute.mode=user <target>

Retrieving the capabilities of an IMAP mail server
nmap -p143,993 --script imap-capabilities <target>

Brute forcing POP3 passwords
nmap -p110 --script pop3-brute <target>
Same default wordlists: nselib/data/usernames.lst and passwords.lst
nmap -p110 --script pop3-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p110 --script pop3-brute --script-args unpwdb.timelimit=0 <target>

Retrieving the capabilities of a POP3 mail server
nmap -p110 --script pop3-capabilities <target>
Detecting vulnerable Exim SMTP servers version 4.70 through 4.7
nmap --script smtp-vuln-cve2011-1764 --script-args mailfrom=<source address>,mailto=<destination address>,domain=<domain> -p25,465,587 <target>

————————————————————————————–
Chapter 7 Scanning Large Networks

Scanning an IP address range
nmap -A -O 192.168.1.0-255
nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24
Reading the targets from a file:
nmap -iL targets.txt
Excluding the hosts listed in a file:
nmap -sV -O --exclude-file dontscan.txt 192.168.1.1/24
Scanning random hosts:
nmap -iR 100             100 random hosts
nmap -iR 0         scan endlessly, picking random hosts forever
Speeding up the scan by skipping name resolution:
nmap -T4 -n -Pn -p- 74.202.23.2
nmap -p80 -n --packet-trace scanme.nmap.org
Full scan with every type of detection enabled: -A
Selecting the correct timing template
nmap -T4 -d 192.168.2.7
-T0         Paranoid: used to avoid detection systems, but painfully slow because only one port is scanned at a time and the timeout between probes is 5 minutes.
-T1         Sneaky: useful for avoiding detection systems, but still very slow.
-T2         Polite: used when the scan is not supposed to interfere with the target system.
-T3         Normal: Nmap's default timing template, used when -T is not set.
-T4         Aggressive: the recommended timing template for broadband and Ethernet connections.
-T5         Insane: sacrifices accuracy for speed.
The RTT value is used by Nmap to decide when to give up on or retransmit a probe.
nmap -A -p- --initial-rtt-timeout 150ms <target>
nmap -A -p- --min-rtt-timeout 200ms --max-rtt-timeout 600ms <target>
Setting the wait time between probes:
nmap -A --max-scan-delay 10s scanme.nmap.org
nmap -A --scan-delay 1s scanme.nmap.org
nmap -sV -A -p- --host-timeout 5m <target>         give up on a host after the given time

nping -c30 <target>         send 30 echo probes to the target and print statistics at the end

Scanning phases of Nmap
Target enumeration
Host discovery
Reverse DNS resolution
Port scanning
Version detection
OS detection
Traceroute
Script scanning
Output
Script post-scanning

Adjusting timing parameters
nmap -T4 --scan-delay 1s --initial-rtt-timeout 150ms --host-timeout 15m -d scanme.nmap.org
The RTT value is used by Nmap to decide when to give up on or retransmit a probe.
Be careful not to set --max-scan-delay too low, because the scan will then most likely miss open ports.
--host-timeout tells Nmap to quit a scan after a certain amount of time.
Adjusting performance parameters
nmap --min-hostgroup 100 --max-hostgroup 500 --max-retries 2 -iR 0
Nmap scans and reports in groups of no fewer than 100 (--min-hostgroup 100) and no more than 500 (--max-hostgroup 500) hosts, and retries twice (--max-retries 2) before giving up on any port.
nmap -A -p- --min-rate 50 --max-rate 100 <target>
limits the number of packets sent per second by Nmap.
nmap -A -p- --max-parallelism 1
--min-parallelism and --max-parallelism control the number of probes for a host group.
Collecting signatures of web servers
www.shodanhq.com collects HTTP headers.
nmap -p80 --script http-headers --script-args http.max-cache-size=0 -iR 0
disables the cache of the HTTP library.
Distributing a scan among several clients using Dnmap
Download: http://sourceforge.net/projects/dnmap/files/
1. Create a file containing your Nmap commands, one per line:
nmap -sU -p1-10000 -sV scanme.nmap.org
nmap -sU -p10000-20000 -sV scanme.nmap.org
nmap -sU -p20000-30000 -sV scanme.nmap.org
2. Start dnmap_server.py:
python dnmap_server.py -f cmds.txt
3. On the clients, run:
python dnmap_client.py -a client1 -s 192.168.1.1
————————————————
Chapter 8 Generating Scan Reports

Saving scan results in normal format
nmap -F -oN scanme.txt scanme.nmap.org
-oX xml-output.xml        XML format
-oG scanme.grep         grepable format

nmap -oA scanme scanme.nmap.org  output in all formats at once
nmap -A -T4 -oN output.txt --log-errors scanme.nmap.org
nmap -F --reason scanme.nmap.org
--reason records why a port is reported as open, closed, filtered, etc.
nmap --append-output -oN existing.log scanme.nmap.org         append to an existing result file
Saving scan results to a SQLite database
PBNJ is a set of tools for network monitoring that uses Nmap to detect hosts, ports and services.
apt-get install pbnj            http://pbnj.sourceforge.net/docs.html
scanpbnj -a "-p-" scanme.nmap.org
outputpbnj --list
outputpbnj -q machines
outputpbnj -q services
Dumping the databases in CSV format
outputpbnj -t csv -q <query name>
Saving scan results in a grepable format
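As an added example (not part of the original notes or of Nmap itself), the Python below parses -oG grepable output into a per-host structure and then flags open ports that are not on an allow-list, the check a defender would run over a periodic scan of their own segment. The sample output is constructed with made-up addresses, and ALLOWED is a hypothetical policy for the segment.

```python
"""Parse Nmap grepable (-oG) output and flag open ports outside an allow-list."""
import re

# Constructed sample -oG output (not a real scan); addresses and names are made up.
GREPABLE_OUTPUT = """# Nmap 6.40 scan initiated Sat Mar  5 15:34:06 2022 as: nmap -F -oG scan.grep 192.168.1.0/24
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 53/open/udp//domain///, 80/open/tcp//http///\tIgnored State: closed (97)
Host: 192.168.1.77 ()\tPorts: 3306/open/tcp//mysql///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (98)
# Nmap done at Sat Mar  5 15:35:10 2022 -- 256 IP addresses (2 hosts up) scanned in 64.12 seconds
"""

# Each "Host:" line is tab-separated "Key: value" fields; the Ports field lists
# port/state/protocol/owner/service/rpcinfo/version entries separated by ", ".
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

# Hypothetical policy: services this network segment is allowed to expose.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)}


def parse_grepable(text):
    """Return {addr: {"hostname": str, "ports": [dict, ...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and footer lines
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if match is None:
            continue
        addr, hostname = match.groups()
        entry = hosts.setdefault(addr, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # "Status" and "Ignored State" carry no per-port data
            for item in value.split(", "):
                parts = item.split("/")
                entry["ports"].append({"port": int(parts[0]), "state": parts[1],
                                       "proto": parts[2], "service": parts[4]})
    return hosts


def unexpected_exposures(hosts, allowed=ALLOWED):
    """List (addr, proto, port, service) for open ports that are not on the allow-list."""
    findings = []
    for addr, entry in sorted(hosts.items()):
        for p in entry["ports"]:
            if p["state"] == "open" and (p["proto"], p["port"]) not in allowed:
                findings.append((addr, p["proto"], p["port"], p["service"]))
    return findings
```

On the sample, only tcp/3306 on 192.168.1.77 is reported: the filtered 445 is not counted as an exposure, so combine this with --reason or a follow-up scan before concluding a filtered port is harmless.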

Generating a network topology graph with Zenmap
Generating an HTML scan report
Reporting vulnerability checks performed during a scan
nmap -sV --script vuln <target>
nmap -sV --script vuln --script-args vulns.showall <target>
————————————————————-
Chapter 9 Writing Your Own NSE Scripts
API: http://nmap.org/book/nse-api.html