
What nmap scan results look like, and how to scan the hosts on a network segment with nmap

2023-05-04 00:44:53 生財有道 8308 views Submitted by: 青檸


What results does an nmap scan produce, and how do you scan the hosts on a network segment with nmap? Many people are unsure, so 各百科 has compiled the relevant material below.

1. OS identification with Nmap

(1) Identifying the operating system

nmap -O

Determine the operating system type of the target host 192.168.33.152. Run the command as follows:

Starting Nmap 7.70 ( https://nmap.org ) at 2021-08-02 15:22 CST

Host is up (0.00036s latency).

PORT STATE SERVICE

22/tcp open ssh

MAC Address: 00:0C:29:FD:58:4B (VMware) # MAC address

Running: Linux 3.X|4.X # running system

OS details: Linux 3.2 - 4.9 # OS details

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 1.86 seconds

root@daxueba:~# nmap -O 10.10.1.11

……

TCP/IP fingerprint:

OS:4048%P=i686-PC-windows-windows)SEQ(CI=I%II=I%TS=U)OPS(O1=M400%O2=%O3=%O4

OS:=%O5=%O6=)OPS(O1=%O2=%O3=M400%O4=%O5=%O6=)OPS(O1=M400%O2=%O3=M400%O4=%O5

OS:=0%W6=0)WIN(W1=0%W2=7FF%W3=7FF%W4=0%W5=0%W6=0)WIN(W1=0%W2=0%W3=7FF%W4=0%

OS:%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y%T=40%S=O%A=O

OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=

OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF

OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

The output above is the fingerprint information that Nmap submits to the database. The fingerprint is generated automatically and identifies the operating system of the target.

Starting Nmap 7.70 ( https://nmap.org ) at 2021-08-02 16:02 CST

Host is up (0.00073s latency).

PORT STATE SERVICE

80/tcp open http

5678/tcp open rrac

52869/tcp open unknown

Device type: general purpose

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4

Network Distance: 1 hop

Host is up (0.000085s latency).

MAC Address: 1C:6F:65:C8:4C:89 (Giga-byte Technology)

Host is up (0.00047s latency).

PORT STATE SERVICE

22/tcp open ssh

135/tcp open msrpc

443/tcp open https

902/tcp open iss-realsecure

1433/tcp open ms-sql-s

5357/tcp open wsdapi

49153/tcp open unknown

49155/tcp open unknown

49158/tcp open unknown

Device type: general purpose

OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1

2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1

Server 2008 R2, Windows 8, or Windows 8.1 Update 1 # OS details

Nmap scan report for 192.168.1.6 (192.168.1.6)

Not shown: 977 closed ports

21/tcp open ftp

23/tcp open telnet

53/tcp open domain

111/tcp open rpcbind

445/tcp open microsoft-ds

513/tcp open login

1099/tcp open rmiregistry

2049/tcp open nfs

3306/tcp open mysql

5900/tcp open vnc

6667/tcp open irc

8180/tcp open unknown

Device type: general purpose

OS CPE: cpe:/o:linux:linux_kernel:2.6

Network Distance: 1 hop

Host is up (0.00093s latency).

MAC Address: 00:0C:29:6C:C4:92 (VMware)

Host is up (0.000010s latency).

OS detection performed. Please report any incorrect results at

Nmap done: 256 IP addresses (6 hosts up) scanned in 7.64 seconds

As the output above shows, when open ports are detected on a target host, Nmap infers its operating system type; when a target host has no open ports, its operating system type cannot be inferred.

(3) Guessing the operating system

When Nmap cannot determine the operating system it has probed, it offers the closest matches it can. To guess the target system more accurately, use the --osscan-guess or --fuzzy option. The syntax is:

nmap -O --osscan-guess;--fuzzy

Here the --osscan-guess;--fuzzy option guesses the OS detection result and reports each guess with a percentage. When Nmap cannot determine the detected operating system, it offers the closest matches it can. Nmap performs this matching by default; using either option makes its guessing more effective.

Guess the operating system type of the target host www.163.com. Run the command as follows:

root@daxueba:~# nmap -O --osscan-guess www.163.com

Nmap scan report for www.163.com (124.163.204.105)

Other addresses for www.163.com (not scanned): 2408:8726:5100::4f

Not shown: 955 closed ports

80/tcp open http

82/tcp open xfer

88/tcp open kerberos-sec

139/tcp filtered netbios-ssn

445/tcp filtered microsoft-ds

Device type: general purpose|firewall|media device|phone|broadband router security-misc

embedded (91%), Google Android 5.X (90%), D-Link embedded (90%), Draytek

OS CPE: cpe:/o:linux:linux_kernel:3.2 cpe:/o:linux:linux_kernel:2.6.32

android:5.0.1 cpe:/h:dlink:dsl-2890al cpe:/o:linux:linux_kernel:2.6.25.20

Aggressive OS guesses: Linux 3.2 (92%), IPCop 2.0 (Linux 2.6.32) (91%), Linux

3.18 (90%), D-Link DSL-2890AL ADSL router (90%), OpenWrt Kamikaze 8.09 (Linux

No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
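For an asset inventory, the exact and guessed results above are worth separating by confidence. The following is an added example, not part of the original article: it parses `nmap -O` text output into per-host records and flags hosts whose OS is unknown or only a low-confidence guess. The sample text, function names and the 95% threshold are assumptions of this example.

```python
import re

# Constructed sample in the format of the nmap -O output quoted in the article.
SAMPLE = """\
Nmap scan report for 192.168.1.6 (192.168.1.6)
Host is up (0.00093s latency).
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.33
Nmap scan report for 192.168.1.9
Aggressive OS guesses: Linux 3.2 (92%), IPCop 2.0 (Linux 2.6.32) (91%), Linux 3.18 (90%)
No exact OS matches for host (test conditions non-ideal).
Nmap scan report for 192.168.1.10
Too many fingerprints match this host to give specific OS details
"""

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9A-Fa-f.:]+)\)?$")
GUESS = re.compile(r"\s*(.+?) \((\d+)%\)(?:,|$)")

def parse_os_results(text):
    """Return {ip: {"match": "exact" | "guess" | "none", "os": [(name, pct), ...]}}."""
    hosts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = REPORT.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {"match": "none", "os": []})
        elif cur is None:
            continue
        elif line.startswith("OS details: "):
            # An "OS details" line is an exact match, so it carries no percentage.
            cur.update(match="exact", os=[(line[len("OS details: "):], None)])
        elif line.startswith("Aggressive OS guesses: "):
            pairs = GUESS.findall(line[len("Aggressive OS guesses: "):])
            cur.update(match="guess", os=[(n, int(p)) for n, p in pairs])
    return hosts

def needs_review(hosts, min_pct=95):
    """IPs whose OS is unknown, or only guessed with best confidence below min_pct."""
    flagged = []
    for ip, h in hosts.items():
        best = max((p for _, p in h["os"] if p is not None), default=0)
        if h["match"] == "none" or (h["match"] == "guess" and best < min_pct):
            flagged.append(ip)
    return sorted(flagged)
```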

Table 1: Initial TTL values of various operating systems

Use ping to test the operating system type of the target host (192.168.33.152); this target host runs Linux. Run the command as follows:

root@daxueba:~# ping 192.168.33.152

64 bytes from 192.168.33.152: icmp_seq=1 ttl=64 time=0.242 ms

64 bytes from 192.168.33.152: icmp_seq=3 ttl=64 time=0.431 ms

PING 192.168.33.229 (192.168.33.229) 56(84) bytes of data.

64 bytes from 192.168.33.229: icmp_seq=2 ttl=128 time=1.01 ms

64 bytes from 192.168.33.229: icmp_seq=4 ttl=128 time=1.52 ms

As the output shows, the TTL value in the response packets is 128, which indicates a Windows operating system.
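The TTL comparison above, as an added example that is not part of the original article: it reads ping output, rounds each observed TTL up to the nearest common initial value and reports the implied hop count. The 64 and 128 entries match the article's two hosts; the 255 entry, the function name and the sample replies for 203.0.113.7 and 198.51.100.9 are assumptions of this example.

```python
import re

# Common initial TTLs. 64 and 128 match the article's hosts; 255 is an assumption.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "network device"}

# Constructed sample: Linux-style and Windows-style ping replies.
SAMPLE_PING = """\
64 bytes from 192.168.33.152: icmp_seq=1 ttl=64 time=0.242 ms
64 bytes from 192.168.33.229: icmp_seq=2 ttl=128 time=1.01 ms
64 bytes from 203.0.113.7: icmp_seq=1 ttl=52 time=31.4 ms
Reply from 198.51.100.9: bytes=32 time=8ms TTL=118
Reply from 198.51.100.9: bytes=32 time=9ms TTL=55
"""

REPLY = re.compile(r"from (\S+?):? .*\bttl=(\d+)", re.IGNORECASE)

def infer_from_ping(output):
    """Return {host: (initial_ttl, hops, os_family)} for every replying host."""
    seen = {}
    for host, ttl in REPLY.findall(output):
        if 0 < int(ttl) <= 255:
            seen.setdefault(host, set()).add(int(ttl))
    result = {}
    for host, ttls in seen.items():
        # Round each observed TTL up to the nearest common initial value.
        initials = {min(t for t in INITIAL_TTLS if ttl <= t) for ttl in ttls}
        if len(initials) > 1:
            # Replies imply different stacks: load balancer, NAT or a middlebox answering.
            result[host] = (None, None, "inconsistent")
            continue
        initial = initials.pop()
        result[host] = (initial, initial - min(ttls), INITIAL_TTLS[initial])
    return result
```

The default TTL is a tunable setting (on Linux, the `net.ipv4.ip_default_ttl` sysctl), so treat the result as a weak hint to confirm with other evidence.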

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected],[email protected]

<+> Loading modules. # loading modules

<1> ping:icmp_ping - ICMP echo discovery module

<3> ping:udp_ping - UDP-based ping discovery module

<5> infogather:portscan - TCP and UDP PortScanner

<7> fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module

<9> fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module

<11> fingerprint:tcp_rst - TCP RST fingerprinting module

<13> fingerprint:snmp - SNMPv2c fingerprinting module

<+> Initializing scan engine # initializing the scan engine

<-> ping:tcp_ping module: no closed/open TCP ports known on 124.163.204.105.

<-> ping:udp_ping module: no closed/open UDP ports known on 124.163.204.105.

<-> No distance calculation. 124.163.204.105 appears to be dead or no ports known

<+> Target: 124.163.204.105 is alive. Round-Trip Time: 0.01503 sec

<-> fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)

<-> fingerprint:snmp: need UDP port 161 open

<+> Host 124.163.204.105 Running OS: "Linux Kernel 2.4.19" (Guess

<+> Other guesses: # other guesses

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

probability: 100%)

<+> Modules deinitialized

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected],[email protected]

<+> Loading modules.

<1> ping:icmp_ping - ICMP echo discovery module

<3> ping:udp_ping - UDP-based ping discovery module

<5> infogather:portscan - TCP and UDP PortScanner

<7> fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module

<9> fingerprint:icmp_port_unreach - ICMP port unreachable

<10> fingerprint:tcp_hshake - TCP Handshake fingerprinting module

<12> fingerprint:smb - SMB fingerprinting module

<+> 13 modules registered

<+> Running scan engine

Module test failed

Module test failed

<+> Host: 124.163.204.105 is up (Guess probability: 50%)

<+> Selected safe Round-Trip Time value is: 0.03056 sec

<-> fingerprint:smb need either TCP port 139 or 445 to run

<+> Primary guess:

<+> Other guesses:

<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.08.04" (Guess probability: 83%)

<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.08.03" (Guess probability: 83%)

<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM G.08.08 EEPROM G.08.04" (Guess probability: 83%)

<+> Host 124.163.204.105 Running OS: "HP JetDirect ROM H.07.15 EEPROM H.08.20" (Guess probability: 83%)

<+> Cleaning up scan engine

<+> Execution completed.

As the output above shows, the result is wrong (HP JetDirect ROM G.07.02 EEPROM G.07.17).

In newer versions of Kali Linux, the operating system type in xProbe2's results is displayed as garbled characters, as follows:

<+> Primary guess:

<+> Other guesses:

<+> Host 192.168.1.8 Running OS: ?????U (Guess probability: 100%)

<+> Host 192.168.1.8 Running OS: ????U (Guess probability: 100%)

<+> Host 192.168.1.8 Running OS: ????U (Guess probability: 100%)

<+> Host 192.168.1.8 Running OS: ?????U (Guess probability: 100%)

<+> Cleaning up scan engine

<+> Execution completed.

4. OS identification with p0f

p0f is a tool for identifying remote operating systems. Unlike the tools covered earlier, it identifies operating system fingerprints entirely passively and never acts on the target system directly. Once started, it listens to all packets on the network, and by analyzing the captured packets it extracts system-related information. The following shows how to use p0f for operating system fingerprinting.

Use p0f to identify the operating system of a target host. Run the commands as follows:

1) Start p0f. Run the command as follows:

root@daxueba:~# p0f

<+> Closed 1 file descriptor.

<+> Intercepting traffic on default interface 'eth0'.

<+> Entered main event loop.

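As the output above shows, p0f prints only a few lines and has not captured anything else yet. It does, however, stay in the listening state.

2) From this point on, any traffic that other hosts generate on the network is picked up by p0f. For example, visit a site in a browser on another host, then return to the terminal running p0f, where the following information appears: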

.-< 192.168.1.4/38934 -> 65.200.22.161/80 (http request) >-

| app = Safari 5.1-6 # application

| params = dishonest # parameters

----

| server = 65.200.22.161/80 # server

| raw_freq = 1048.46 Hz # frequency

.-< 192.168.1.4/38934 -> 65.200.22.161/80 (http response) >-

| app = ???

| params = none

----

| client = 192.168.1.4/32854

| dist = 0

| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0

.-< 192.168.1.4/32854 -> 52.27.184.151/443 (host change) >-

| reason = tstamp port

----

| client = 192.168.1.4/32854

| raw_mtu = 1500

.-< 192.168.1.4/32856 -> 52.27.184.151/443 (syn) >-

| os = Linux 3.11 and newer

| params = none

----

The output above is the data p0f captured while the client was browsing. It shows that the client's operating system was detected as Linux with kernel 3.11 or newer.
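To see what a host reveals to a passive listener, it helps to decode the `raw_sig` field rather than read only the `os` line. The following is an added example, not part of the original article or of p0f itself: it groups p0f output into one record per event and decodes a TCP `raw_sig` using p0f v3's field order (ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass). The sample text and function names are assumptions of this example, and the parser accepts both the `[ ]` brackets and the `< >` rendering used on this page.

```python
import re

# Constructed sample, modelled on the p0f output quoted on this page.
SAMPLE = """\
.-[ 192.168.1.4/32856 -> 52.27.184.151/443 (syn) ]-
| client   = 192.168.1.4/32856
| os       = Linux 3.11 and newer
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
----
.-< 192.168.1.4/38934 -> 65.200.22.161/80 (http request) >-
| app      = Safari 5.1-6
| params   = dishonest
----
"""

HEADER = re.compile(r"^\.-[\[<] (\S+) -> (\S+) \((.+)\) [\]>]-")
FIELD = re.compile(r"^\|\s*(\w+)\s*=\s*(.*?)\s*(?:#.*)?$")

def parse_raw_sig(sig):
    """Decode a TCP raw_sig: ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ver, ttl, olen, mss, win, olayout, quirks, pclass = sig.split(":")
    observed, _, dist = ttl.partition("+")
    wsize, _, scale = win.partition(",")
    mss_val = int(mss) if mss.isdigit() else None
    if wsize.startswith("mss*") and mss_val is not None:
        window = mss_val * int(wsize[4:])  # window given as a multiple of the MSS
    else:
        window = int(wsize) if wsize.isdigit() else None
    return {"ip_ver": int(ver), "ttl": int(observed), "dist": int(dist or 0),
            "mss": mss_val, "window": window,
            "wscale": int(scale) if scale.isdigit() else None,
            "tcp_options": olayout.split(",") if olayout else [],
            "quirks": quirks.split(",") if quirks else []}

def parse_p0f(text):
    """Group p0f output into one dict per event block."""
    records, cur = [], None
    for line in text.splitlines():
        h, f = HEADER.match(line), FIELD.match(line)
        if h:
            cur = {"src": h.group(1), "dst": h.group(2), "event": h.group(3)}
            records.append(cur)
        elif f and cur is not None:
            key, value = f.groups()
            # Only syn / syn+ack events carry a TCP signature in raw_sig.
            tcp = key == "raw_sig" and cur["event"] in ("syn", "syn+ack")
            cur[key] = parse_raw_sig(value) if tcp else value
    return records
```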
