What is Nmap?

Nmap is a free, open-source Network Mapper that is commonly used for network discovery and security auditing. Its capabilities include finding the valid (live) IPs on a network, finding the open ports across a large number of IPs and identifying the services listening on those ports, determining the operating system installed on a server, scripts for checking certain vulnerabilities related to those services, and more.

Some of this software's features:

    Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
    Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
    Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
    Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as “nmap -v -A targethost”. Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
    Free: The primary goal of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
    Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
    Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
    Acclaimed: Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
    Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Source link: http://insecure.org/
License: GPLv2
Author: Fyodor

Some of the tools included in the Nmap package:

A tool for building arbitrary packets (packet generation) at the network level (nping):

root@regux.com:~# nping -h
Nping 0.7.70 ( https://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

  Targets may be specified as hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.*.1-24
  --tcp-connect                    : Unprivileged TCP connect probe mode.
  --tcp                            : TCP probe mode.
  --udp                            : UDP probe mode.
  --icmp                           : ICMP probe mode.
  --arp                            : ARP/RARP probe mode.
  --tr, --traceroute               : Traceroute mode (can only be used with
                                     TCP/UDP/ICMP modes).
   -g, --source-port   : Try to use a custom source port.
   --seq                : Set sequence number.
   --flags              : Set TCP flags (ACK,PSH,RST,SYN,FIN...)
   --ack                : Set ACK number.
   --win                     : Set window size.
   --badsum                        : Use a random invalid checksum.
  --icmp-type                : ICMP type.
  --icmp-code                      : ICMP code.
  --icmp-id                    : Set identifier.
  --icmp-seq                    : Set sequence number.
  --icmp-redirect-addr       : Set redirect address.
  --icmp-param-pointer        : Set parameter problem pointer.

For finding the differences between two Nmap scan results (ndiff):

root@regux.com:~# ndiff -h
Usage: /usr/bin/ndiff [option] FILE1 FILE2
Compare two Nmap XML files and display a list of their differences.
Differences include host state changes, port state changes, and changes to
service and OS detection.

  -h, --help     display this help
  -v, --verbose  also show hosts and ports that haven't changed.
  --text         display output in text format (default)
  --xml          display output in XML format

For composing and redirecting packets (ncat):

root@regux.com:~# ncat -h
Ncat 7.70 ( https://nmap.org/ncat )
Usage: ncat [options] [hostname] [port]

Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -U, --unixsock             Use Unix domain sockets only
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec     Executes the given command via /bin/sh
  -e, --exec        Executes the given command
      --lua-exec   Executes the given Lua script
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G                      Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns         Maximum  simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay 

A complete and unique network mapper (nmap):

root@regux.com:~# nmap -h
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24,; 10.0.0-255.1-254
  -iL : Input from list of hosts/networks
  -iR : Choose random targets
  --exclude : Exclude hosts/networks
  --excludefile : Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers : Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags : Customize TCP scan flags
  -sI : Idle scan
  -sO: IP protocol scan
  -b : FTP bounce scan
  -p : Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports : Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports : Scan  most common ports
  --port-ratio : Scan ports more common than 
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=:  is a comma separated list of
           directories, script-files or script-categories
  --script-args=: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=: Show help about scripts.
            is a comma-separated list of script-files or
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take 

An example of the command in use:

Using verbose mode (the -v flag), version detection (the -sV flag) and enabling OS detection (turned on here by -A) against the target address:

root@regux.com:~# nmap -v -A -sV

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-13 18:40 MDT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 18:40
Scanning [1 port]
Completed ARP Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:40
Completed Parallel DNS resolution of 1 host. at 18:40, 0.00s elapsed
Initiating SYN Stealth Scan at 18:40
Scanning router.localdomain ( [1000 ports]
Discovered open port 53/tcp on
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Discovered open port 3001/tcp on

Working in TCP mode on port 22, sending SYN probes with a TTL of 2 to the host:

root@regux.com:~# nping --tcp -p 22 --flags syn --ttl 2

Starting Nping 0.6.45 ( http://nmap.org/nping ) at 2014-05-13 18:43 MDT
SENT (0.0673s) TCP > S ttl=2 id=54240 iplen=40  seq=1720523417 win=1480
RCVD (0.0677s) TCP > SA ttl=64 id=0 iplen=44  seq=3377886789 win=5840 
SENT (1.0678s) TCP > S ttl=2 id=54240 iplen=40  seq=1720523417 win=1480
RCVD (1.0682s) TCP > SA ttl=64 id=0 iplen=44  seq=3393519366 win=5840 
SENT (2.0693s) TCP > S ttl=2 id=54240 iplen=40  seq=1720523417 win=1480
RCVD (2.0696s) TCP > SA ttl=64 id=0 iplen=44  seq=3409166569 win=5840 
SENT (3.0707s) TCP > S ttl=2 id=54240 iplen=40  seq=1720523417 win=1480
RCVD (3.0710s) TCP > SA ttl=64 id=0 iplen=44  seq=3424813300 win=5840 
SENT (4.0721s) TCP > S ttl=2 id=54240 iplen=40  seq=1720523417 win=1480
RCVD (4.0724s) TCP > SA ttl=64 id=0 iplen=44  seq=3440460772 win=5840 

Max rtt: 0.337ms | Min rtt: 0.282ms | Avg rtt: 0.296ms
Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%)
Nping done: 1 IP address pinged in 4.13 seconds
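As an added example (it is not code from the Nmap project or from this post), the following Python script reproduces the unprivileged probe mode that nping's help lists as --tcp-connect: it times a series of connect() attempts, sets the IP TTL on the outgoing SYN the way --ttl 2 does in the run above, classifies each probe as answered-open, answered-closed (RST) or lost, and prints an nping-style Max/Min/Avg rtt trailer. So that it runs offline it probes a throw-away listening socket on 127.0.0.1 rather than a remote host; the listener and the closed-port helper are part of the example, not of nping, and the rcvd/lost accounting is this script's own.

```python
import socket
import time


def tcp_connect_probe(host, port, ttl=64, timeout=1.0):
    """One connect() probe (what nping --tcp-connect does; no raw sockets needed).

    Returns (outcome, rtt_seconds): "open" when the handshake completes,
    "closed" when the peer answers with RST (connection refused), "lost"
    when nothing comes back before the timeout (rtt is then None).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    # Same effect as nping's --ttl: the SYN leaves with this IP TTL, so a
    # target further away than `ttl` hops never receives it.
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    t0 = time.perf_counter()
    try:
        s.connect((host, port))
        return "open", time.perf_counter() - t0
    except ConnectionRefusedError:
        return "closed", time.perf_counter() - t0
    except OSError:  # socket.timeout / TimeoutError, unreachable, etc.
        return "lost", None
    finally:
        s.close()


def probe_stats(host, port, count=5, ttl=64, delay=1.0, timeout=1.0):
    """Send `count` probes, one every `delay` seconds, and summarise them the
    way nping's trailer does (max/min/avg rtt, sent/received/lost).
    A probe counts as received when the peer answered at all (SYN-ACK or RST)."""
    outcomes, rtts = [], []
    for i in range(count):
        outcome, rtt = tcp_connect_probe(host, port, ttl=ttl, timeout=timeout)
        outcomes.append(outcome)
        if rtt is not None:
            rtts.append(rtt)
        if delay and i < count - 1:
            time.sleep(delay)
    stats = {"sent": count, "rcvd": len(rtts), "lost": count - len(rtts),
             "outcomes": outcomes}
    if rtts:
        stats.update(max_rtt=max(rtts), min_rtt=min(rtts),
                     avg_rtt=sum(rtts) / len(rtts))
    return stats


def format_stats(stats):
    """Render the summary in the same shape as nping's last lines."""
    if stats["rcvd"]:
        rtt_line = "Max rtt: {:.3f}ms | Min rtt: {:.3f}ms | Avg rtt: {:.3f}ms".format(
            stats["max_rtt"] * 1000, stats["min_rtt"] * 1000, stats["avg_rtt"] * 1000)
    else:
        rtt_line = "Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A"
    lost_pct = 100.0 * stats["lost"] / stats["sent"]
    return rtt_line + "\nProbes sent: {} | Rcvd: {} | Lost: {} ({:.2f}%)".format(
        stats["sent"], stats["rcvd"], stats["lost"], lost_pct)


def local_listener():
    """Throw-away listening socket on 127.0.0.1 so the example runs offline.
    The kernel completes handshakes from the backlog; nothing is accept()ed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def closed_port():
    """A loopback port nobody listens on (bound, then released) to show the RST case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = local_listener()
    print(format_stats(probe_stats("127.0.0.1", port, count=5, ttl=2, delay=0.2)))
    srv.close()
    print(format_stats(probe_stats("127.0.0.1", closed_port(), count=2, ttl=2, delay=0)))
```

Raw --tcp probes like the one in the post need root because nping builds the IP and TCP headers itself; the connect() variant works as an ordinary user but cannot set arbitrary TCP flags or sequence numbers, and the kernel rather than the script answers the SYN-ACK. With a TTL of 2 a host more than two hops away never sees the SYN, which is what makes --ttl useful for locating where along a path probes are being dropped.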

Comparing yesterday's and today's scans of a specific IP:

root@regux.com:~# ndiff yesterday.xml today.xml
-Nmap 6.45 scan initiated Tue May 13 18:46:43 2014 as: nmap -v -F -oX yesterday.xml
+Nmap 6.45 scan initiated Tue May 13 18:47:58 2014 as: nmap -v -F -oX today.xml

 endian.localdomain (, 00:01:6C:6F:DD:D1):
-Not shown: 96 filtered ports
+Not shown: 97 filtered ports
-22/tcp open  ssh
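The two outputs above (the -v -A -sV scan and the ndiff comparison) are the manual workflow. As an added example that is not part of this post or of the Nmap project, here is a Python script that parses nmap -oX XML, lists each host's open ports, and then diffs two scans the way ndiff does, which is the usual basis for a "did anything open up since yesterday" check. The two XML documents are constructed sample inputs using placeholder addresses from 192.0.2.0/24 and modelled on the host and ports shown above; they are not real scan results.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the structure of `nmap -oX` output.
# Addresses are placeholders from the documentation range 192.0.2.0/24.
YESTERDAY_XML = """<nmaprun scanner="nmap" args="nmap -v -F -oX yesterday.xml 192.0.2.10">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="endian.localdomain" type="PTR"/></hostnames>
  <ports><extraports state="filtered" count="96"/>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
  </ports></host>
</nmaprun>"""

TODAY_XML = """<nmaprun scanner="nmap" args="nmap -v -F -oX today.xml 192.0.2.0/24">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="endian.localdomain" type="PTR"/></hostnames>
  <ports><extraports state="filtered" count="96"/>
   <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
   <port protocol="tcp" portid="3001"><state state="open"/><service name="nessus"/></port>
  </ports></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
  <ports><extraports state="filtered" count="99"/>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  </ports></host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {addr: {"state", "hostname", "default", "ports"}} from nmap -oX output.
    "default" is the <extraports> state, i.e. what "Not shown: N filtered ports" means;
    "ports" maps (protocol, portid) -> (state, service name)."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        extra = host.find("ports/extraports")
        ports = {}
        for p in host.findall("ports/port"):
            svc = p.find("service")
            ports[(p.get("protocol"), int(p.get("portid")))] = (
                p.find("state").get("state"), svc.get("name") if svc is not None else "")
        hosts[addr] = {"state": host.find("status").get("state"),
                       "hostname": hn.get("name") if hn is not None else "",
                       "default": extra.get("state") if extra is not None else "unknown",
                       "ports": ports}
    return hosts


def open_ports(host):
    """Sorted list of open port numbers for one parsed host."""
    return sorted(port for (_, port), (st, _) in host["ports"].items() if st == "open")


def diff_scans(old, new):
    """ndiff-style comparison of two parsed scans. A port listed in only one file
    is assumed to be in the other file's extraports ("Not shown") state, which
    presumes both scans covered the same port set (same -p / -F)."""
    out = {"new_hosts": [], "gone_hosts": [], "state_changes": [], "port_changes": {}}
    for addr in sorted(set(old) | set(new)):
        if addr not in old:
            out["new_hosts"].append(addr)
            continue
        if addr not in new:
            out["gone_hosts"].append(addr)
            continue
        o, n = old[addr], new[addr]
        if o["state"] != n["state"]:
            out["state_changes"].append((addr, o["state"], n["state"]))
        changes = []
        for key in sorted(set(o["ports"]) | set(n["ports"])):
            before = o["ports"].get(key, (o["default"], ""))[0]
            after = n["ports"].get(key, (n["default"], ""))[0]
            if before != after:
                changes.append((key[1], key[0], before, after))
        if changes:
            out["port_changes"][addr] = changes
    return out


if __name__ == "__main__":
    old, new = parse_nmap_xml(YESTERDAY_XML), parse_nmap_xml(TODAY_XML)
    for addr, host in new.items():
        print("{} ({}): open {}".format(host["hostname"] or addr, addr, open_ports(host)))
    d = diff_scans(old, new)
    for addr in d["new_hosts"]:
        print("+ new host {}".format(addr))
    for addr, changes in d["port_changes"].items():
        for port, proto, before, after in changes:
            print("{}: {}/{} {} -> {}".format(addr, port, proto, before, after))
```

On the sample input this reports 22/tcp going from open to filtered and 3001/tcp going from filtered to open on the first host, plus a new host that was not in yesterday's file, which is the same information the ndiff text output above encodes with its - and + lines. Running the script on a schedule against -oX files is a cheap way to turn the port inventory into an alert when a port opens that was not open before.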

Using verbose mode, executing the /bin/bash shell, allowing only a single IP to connect, listening on port 4444 and keeping the listener open after a client disconnects:

root@regux.com:~# ncat -v --exec "/bin/bash" --allow -l 4444 --keep-open
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Ncat: Connection from
Ncat: Connection from
Ncat: New connection denied: not allowed
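What the --allow option above gives you, shown as an added Python example that is not part of this post or of Ncat: a small listener that accepts each connection, checks the peer address against an Ncat-style allow list (comma-separated hosts or CIDR networks), records "Connection from" and "New connection denied" lines in the spirit of the Ncat output, and closes denied connections immediately. Instead of handing out a shell it sends a fixed banner; the listener binds a throw-away port on 127.0.0.1 so the example runs offline, and the allow-list values in the usage are constructed.

```python
import ipaddress
import socket
import threading


def build_allow_list(spec):
    """Parse an Ncat-style --allow value: comma-separated hosts or CIDR networks."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def is_allowed(peer_ip, allow):
    """Empty allow list means everyone (a listener started without --allow)."""
    if not allow:
        return True
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in allow)


class AllowListListener:
    """Minimal TCP listener that stays open across connections (like --keep-open),
    checks every peer against the allow list and logs each decision."""

    BANNER = b"hello from allow-listed service\n"

    def __init__(self, allow_spec="", host="127.0.0.1"):
        self.allow = build_allow_list(allow_spec)
        self.log = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))          # port 0: let the OS pick a free port
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        self.sock.settimeout(0.1)          # wake up regularly to notice close()
        while not self._stop.is_set():
            try:
                conn, (peer, _) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                # The peer address is only known after accept(), so a denied
                # client is accepted and then dropped without any data.
                if not is_allowed(peer, self.allow):
                    self.log.append("New connection denied: {} not allowed".format(peer))
                    continue
                self.log.append("Connection from {}".format(peer))
                conn.sendall(self.BANNER)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def try_connect(port, host="127.0.0.1"):
    """Client side: returns whatever the server sent before closing (b'' when denied)."""
    with socket.create_connection((host, port), timeout=2) as c:
        chunks = []
        while True:
            data = c.recv(1024)
            if not data:
                break
            chunks.append(data)
        return b"".join(chunks)


if __name__ == "__main__":
    for spec in ("127.0.0.1", "192.0.2.0/24"):          # constructed allow lists
        srv = AllowListListener(spec)
        print("--allow {}: client got {!r}".format(spec, try_connect(srv.port)))
        srv.close()
        print("\n".join(srv.log))
```

A source-address allow list is a coarse control: it only sees the address the packets carry, so it should be treated as a filter in front of the service, not as authentication, and a listener that executes a shell as in the post should additionally be bound to a trusted interface and covered by host firewall rules. The log lines the listener records are the ones worth shipping to a SIEM; a burst of "New connection denied" entries from one address is an early sign that someone is probing the port.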

Milad Khoshdel

He works in web and network security and loves parkour; his professional experience includes data-center management, hardening telecommunications and cable networks, and web and mobile development. He is currently the founder of Regux.

