How to scan open ports in a network segment using the NMAP port scan tool on Linux

Linux generally does not automatically install NMAP commands using the Yum-y install nmap installation nmap command, provided that you have configured the Yum source.

Nmap Features:

Host detection

Port scan

Version detection

System detection

Supports the authoring of probe scripts

1. Nmap Command Detailed

nmap ip_address    #nmap默认发送一个arp的ping数据包 to detect all open ports in the target host 1-10000 range [[email protected]  scanport]# nmap 10.132.71.1  Starting Nmap 6.40  ( http:// nmap.org )  at 2017-11-17 10:20 CSTNmap scan report for  10.132.71.1host is up  (0.00030s latency). Not shown: 987 closed portsport     state service21/tcp    open  ftp135/tcp  open  msrpc139/tcp  open   netbios-ssn1027/tcp open  iis1028/tcp open  unknown1029/tcp open   ms-lsa1031/tcp open  iad22638/tcp open  sybase3389/tcp open   ms-wbt-server6059/tcp open  x11:597001/tcp open  afs3-callback8001/ Tcp open  vcom-tunnel8089/tcp open  unknownmac address: 5c:f3:fc:e4:81:40  (IBM) nmap done: 1 ip address  (1 host up)  scanned  in 1.27 seconds[[email protected] scanport]#

The

-VV parameter Indicates the result verbose output

[[email protected] scanport]# nmap -vv 10.132.71.1 starting nmap 6.40   ( http://nmap.org )  at 2017-11-17 10:21 cstinitiating arp ping  Scan at 10:21Scanning 10.132.71.1 [1 port]Completed ARP Ping  scan at 10:21, 0.02s elapsed  (1 total hosts) Initiating Parallel  dns resolution of 1 host. at 10:21completed parallel dns  resolution of 1 host. at 10:21, 0.00s elapsedinitiating syn  stealth scan at 10:21scanning 10.132.71.1 [1000 ports]discovered open  port 21/tcp on 10.132.71.1discovered open port 139/tcp on  10.132.71.1discovered open port 3389/tcp on 10.132.71.1discovered open port  135/tcp on 10.132.71.1discOvered open port 1029/tcp on 10.132.71.1discovered open port 1028/tcp  on 10.132.71.1Discovered open port 1031/tcp on 10.132.71.1Discovered  Open port 8001/tcp on 10.132.71.1discovered open port 1027/tcp on  10.132.71.1discovered open port 7001/tcp on 10.132.71.1discovered open  port 8089/tcp on 10.132.71.1Discovered open port 6059/tcp on  10.132.71.1discovered open port 2638/tcp on 10.132.71.1completed syn  stealth scan at 10:21, 1.15s elapsed  (1000 total ports) Nmap scan  report for 10.132.71.1Host is up  (0.00029s latency). Scanned at 2017-11-17 10:21:43 cst for 2snot shown: 987 closed  portsport     state  service21/tcp   open  ftp135/tcp  open  msrpc139/tcp   Open  netbios-ssn1027/tcp open  iis1028/tcp open  unknown1029/tcp  open  ms-lsa1031/tcp open  iad22638/tcp open  sybase3389/tcp  open  ms-wbt-server6059/tcp open  X11:597001/tcp open   Afs3-callback8001/tcp open  vcom-tunnel8089/tcp open  unknownmac address:  5C:F3:FC:E4:81:40  (IBM) read data files from: /usr/bin/. /share/nmapnmap done: 1 ip address  (1 host up)  scanned in  1.26 seconds           raw packets sent:  1082  (47.592KB)  | Rcvd: 1001  (40.080KB) [[email protected] scanport]#

-P Custom Scanned port

For example, scan port 1-200

[Email protected] scanport]# nmap-p1-200 10.128.71.1 starting Nmap 6.40 (http://nmap.org) at 2017-11-17 10:26 Cstnmap Scan report for 10.128.71.1Host was up (0.00030s latency). Not shown:197 closed Portsport State service21/tcp open ftp135/tcp Open msrpc139/tcp open Netbios-ssnmac Address: 5c:f3:fc:e4:81:40 (IBM) Nmap done:1 IP address (1 host up) scanned in 0.15 seconds[[email protected] scanport]#

Example: specifying a specific port

[Email protected] scanport]# nmap-p135,136,137,139 10.128.71.1 starting Nmap 6.40 (http://nmap.org) at 2017-11-17 10:2 8 Cstnmap Scan Report for 10.128.71.1Host are up (0.0045s latency). PORT State service135/tcp Open msrpc136/tcp closed profile137/tcp closed netbios-ns139/tcp open Netbios-ssnmac Add Ress:5c:f3:fc:e4:81:40 (IBM) Nmap done:1 IP address (1 host up) scanned in 0.14 seconds[[email protected] scanport]#

-SP Specifies that the scan mode is ping (does not scan the port)

NMAP-SP ip_address #使用ping方式扫描 (no ports scanned)

Nmap--traceroute ip_address #路由跟踪

NMAP-SP xx.xx.xx.xx/24 #扫描一个网段 (using ping)

NMAP-SP 10.1.1.1-255 #也可以扫描一个网段 (using ping)

Nmap-st ip_address #TCP contect () port scan

Nmap-su IP_Address #UDP端口扫描

Nmap-ss ip_address #TCP同步 (SYN) port scan

nmap 10.1.1.1/24 #扫描一个网段使用默认端口扫描, results with the following script

#!/bin/bashfor i in {1..254} does nmap 10.128.71. $i >>scan.port Done

Nmap Probe Operating system type

Nmap-o IP_Address #扫描操作系统类型

Nmap-a ip_address #使用默认扫描, ping Scan, OS scan, script scan, route tracking, service detection, etc.

[[email protected] scanport]# nmap -a 10.128.71.1starting nmap 6.40  (  http://nmap.org )  at 2017-11-17 10:46 cstnmap scan report for  10.128.71.1Host is up  (0.00028s latency). not shown: 987 closed portsport     state service        VERSION21/tcp   open  ftp            Microsoft ftpd| ftp-anon: Anonymous FTP  login allowed  (ftp code 230) | 07-21-12  03:03am        <DIR>          aspnet_client|  11-17-17  07:35am       <dir>           download|_12-13-12  10:31am&nbSp;              105984 \xd2\xbd\ xb1\xa3\xb2\xbf\xc3\xc5\xc8\xcb\xd4\xb1.xls135/tcp  open  msrpc          Microsoft Windows RPC139/tcp  open   Netbios-ssn1027/tcp open  msrpc         microsoft  Windows RPC1028/tcp open  msrpc          Microsoft Windows RPC1029/tcp open  msrpc          microsoft windows rpc1031/tcp open  tcpwrapped2638/tcp open   sybase?3389/tcp open  ms-wbt-server microsoft terminal service6059/ tcp open  tcpwrapped7001/tcp open  http           oracle weblogic&nBsp server  (servlet 2.5; jsp 2.1) |_http-generator: weblogic server|_http-methods:  No Allow or Public header in OPTIONS response  (Status code  404) |_http-title: error 404--not found8001/tcp open  http           Oracle WebLogic Server  (servlet 2.5;  jsp 2.1) |_http-generator: weblogic server|_http-methods: no allow or public  header in OPTIONS response  (status code 404) |_http-title: error  404--not found8089/tcp open  http           microsoft iis httpd 6.0| http-methods: potentially risky methods:  trace delete copy move propfind proppatch search mkcol lock  unlock put|_see http://nmap.org/nsedoc/scripts/http-methods.html|_http-title: 10.128.71.1 - /mac  address: 5c:f3:fc:e4:81:40  (IBM) Device type: general purposerunning: microsoft  Windows XPOS CPE: cpe:/o:microsoft:windows_xp::sp2OS details: Microsoft  windows xp sp2network distance: 1 hopservice info: os: windows;  Cpe: cpe:/o:microsoft:windowshost script results:|_nbstat: netbios name: ld,  NetBIOS user: <unknown>, NetBIOS MAC: 5c:f3:fc:e4:81:40  (IBM) |  smb-os-discovery: |   os: windows server 2003 3790 service  pack 2  (windows server 2003 5.2) |   os cpe: cpe:/o:microsoft :windows_server_2003::sp2|   computer name: ld|   netbios  Computer name: ld|   workgroup: workgroup|_  system time: 2017-11-17t10:50:02+08:00|  Smb-security-mode: |   account that was used for smb scripts :  <blank>|   user-level authentication|   smb security:  Challenge/response passwords supported|_  Message signing disabled  ( Dangerous, but default) |_SMBV2-ENABLED:&NBSP;SERVER&NBSP;DOESN ' t support smbv2  protocoltraceroutehop rtt     address1   0.28 ms  10.128.71.1os and service detection performed. please report any  incorrect results at http://nmap.org/submit/ . nmap done: 1 ip address  (1 host up)  scanned in 89.36  seconds[[email protected] scanport]#

This article is from the "Night" blog, please be sure to keep this source http://liuqun.blog.51cto.com/3544993/1982726

How to scan open ports in a network segment using the NMAP port scan tool on Linux