scanning-network-with-nmap-advanced

Scanning Network with Nmap Advanced Techniques

When to Use

  • Performing comprehensive asset discovery across large enterprise networks during authorized assessments
  • Enumerating service versions and configurations to identify outdated or vulnerable software
  • Bypassing firewall rules and IDS during authorized penetration tests using scan evasion techniques
  • Scripting automated vulnerability checks using the Nmap Scripting Engine (NSE)
  • Generating structured scan output for integration into vulnerability management pipelines
Do not use against networks without explicit written authorization, on production systems during peak hours without approval, or to perform denial-of-service through aggressive scan timing.

Prerequisites

  • Nmap 7.90+ installed (`nmap --version` to verify)
  • Root/sudo privileges for SYN scans, OS detection, and raw packet techniques
  • Written authorization specifying in-scope IP ranges and any excluded hosts
  • Network access to target ranges (VPN, direct connection, or jump host)
  • Familiarity with TCP/IP protocols and common port assignments

Workflow

Step 1: Host Discovery with Multiple Probes

Use layered discovery to find live hosts even when ICMP is blocked:

```bash
# ARP discovery for local subnet (most reliable on LAN; ARP only reaches the directly attached segment)
nmap -sn -PR 192.168.1.0/24 -oA discovery_arp

# Combined ICMP + TCP + UDP probes for remote networks
nmap -sn -PE -PP -PS21,22,25,80,443,445,3389,8080 -PU53,161,500 10.0.0.0/16 -oA discovery_combined

# List scan to resolve DNS names without sending packets to targets
nmap -sL 10.0.0.0/24 -oN dns_resolution.txt
```

Consolidate results into a live hosts file. Match on `Status: Up` rather than on `Host:`, because the grepable file also carries `Status: Down` lines when `-v` is used, and merge the ARP and remote runs so that nothing found on the local segment is dropped:

```bash
grep -h "Status: Up" discovery_arp.gnmap discovery_combined.gnmap | awk '{print $2}' | sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n > live_hosts.txt
```
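
The same consolidation in Python, as an added example written for this page (not code from the page or from Nmap). It reads several `.gnmap` discovery files at once, keeps only hosts reported `Up`, de-duplicates an address seen by more than one probe set, and sorts numerically so that `10.0.0.10` lands after `10.0.0.2` and IPv6 hosts sort after IPv4. `SAMPLE_GNMAP` is a constructed sample in the format `nmap -sn -oG` writes.

```python
"""Consolidate live hosts from several Nmap grepable (.gnmap) discovery runs.

Added example, not part of the original page. SAMPLE_GNMAP is constructed
sample output in the format `nmap -sn ... -oG` writes; on a real run pass the
contents of discovery_arp.gnmap and discovery_combined.gnmap instead.
"""
import ipaddress
import re

# One "Host:" line per target. "Status: Down" lines appear when -v is used.
# Fields are tab separated, exactly as Nmap writes them.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Sat Jun  1 09:00:00 2024 as: nmap -sn -oG - 10.0.0.0/28\n"
    "Host: 10.0.0.10 (dc01.corp.example)\tStatus: Up\n"
    "Host: 10.0.0.2 ()\tStatus: Up\n"
    "Host: 10.0.0.3 ()\tStatus: Down\n"
    "Host: 10.0.0.10 (dc01.corp.example)\tStatus: Up\n"   # seen again by a second probe set
    "Host: 2001:db8::5 (v6host.corp.example)\tStatus: Up\n"
    "# Nmap done at Sat Jun  1 09:00:03 2024 -- 16 IP addresses (4 hosts up) scanned\n"
)

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)", re.M)


def live_hosts_from_gnmap(*gnmap_texts: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs for hosts reported Up, de-duplicated across
    all inputs and sorted numerically by address (IPv4 before IPv6)."""
    seen: dict[str, str] = {}
    for text in gnmap_texts:
        for ip, name, status in HOST_LINE.findall(text):
            if status != "Up":
                continue                    # drop the Down lines that -v adds
            seen.setdefault(ip, name)       # keep the first hostname seen for an IP
    return sorted(
        seen.items(),
        key=lambda item: (ipaddress.ip_address(item[0]).version,
                          int(ipaddress.ip_address(item[0]))),
    )


def write_live_hosts(path: str, *gnmap_texts: str) -> int:
    """Write one address per line, the form `nmap -iL` expects; return the count."""
    hosts = live_hosts_from_gnmap(*gnmap_texts)
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(f"{ip}\n" for ip, _ in hosts)
    return len(hosts)


if __name__ == "__main__":
    for ip, name in live_hosts_from_gnmap(SAMPLE_GNMAP):
        print(f"{ip:<40} {name or '-'}")
```

`write_live_hosts("live_hosts.txt", open("discovery_arp.gnmap").read(), open("discovery_combined.gnmap").read())` produces the file the later steps feed to `-iL`.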

Step 2: Port Scanning with Timing and Performance Tuning

```bash
# Full TCP SYN scan with optimized timing
nmap -sS -p- --min-rate 5000 --max-retries 2 -T4 -iL live_hosts.txt -oA full_tcp_scan

# Top 1000 UDP ports with light version detection (-sV is what turns open|filtered into a confirmed service;
# --version-intensity only has an effect when -sV is set)
nmap -sU -sV --top-ports 1000 --version-intensity 0 -T4 -iL live_hosts.txt -oA udp_scan

# Specific port ranges for targeted assessment
nmap -sS -p 1-1024,3306,5432,6379,8080-8090,9200,27017 -iL live_hosts.txt -oA targeted_ports
```

`--min-rate` is a floor, not a target: Nmap keeps sending at least that many packets per second even when the path is dropping them, so with `--max-retries 2` a congested segment will quietly report open ports as `filtered`. Compare the `filtered` count between two runs at different rates before trusting a full-range result.

Step 3: Service Version Detection and OS Fingerprinting

```bash
# Aggressive service detection with version intensity (<open_ports> is the comma-separated list found in Step 2)
nmap -sV --version-intensity 5 -sC -O --osscan-guess -p <open_ports> -iL live_hosts.txt -oA service_enum

# Specific service probing for ambiguous ports
nmap -sV --version-all -p 8443 --script ssl-cert,http-title,http-server-header <target> -oN service_detail.txt
```

Step 4: NSE Vulnerability Scanning

```bash
# Run vulnerability detection scripts
nmap --script vuln -p <open_ports> -iL live_hosts.txt -oA vuln_scan

# Target specific vulnerabilities
nmap --script smb-vuln-ms17-010,smb-vuln-ms08-067 -p 445 -iL live_hosts.txt -oA smb_vulns
nmap --script ssl-heartbleed,ssl-poodle,ssl-ccs-injection -p 443,8443 -iL live_hosts.txt -oA ssl_vulns

# Check for anonymous access and known default credentials on discovered services
# (these scripts test a fixed set of defaults; real brute forcing is the separate `brute` category)
nmap --script http-default-accounts,ftp-anon,ssh-auth-methods -p 21,22,80,8080 -iL live_hosts.txt -oA default_creds
```

The `vuln` category overlaps with `intrusive`, and some checks (`smb-vuln-ms08-067` is one) can crash an unpatched target. Read a script's description and categories with `nmap --script-help <script>` before running it against production hosts, and use `--script "vuln and safe"` when a crash is not acceptable during the window.

Step 5: Firewall Evasion Techniques

```bash
# Fragment packets to evade simple packet inspection
# (--mtu sets the fragment size and must be a multiple of 8; do not combine it with -f, which fixes 8-byte fragments)
nmap -sS --mtu 24 -p 80,443 <target> -oN fragmented_scan.txt

# Use decoy addresses to obscure scan origin
nmap -sS -D RND:10 -p 80,443 <target> -oN decoy_scan.txt

# Spoof source port as DNS (53) to bypass poorly configured firewalls
nmap -sS --source-port 53 -p 1-1024 <target> -oN spoofed_port_scan.txt

# Idle scan using a zombie host: the target only ever sees packets carrying the zombie's address
nmap -sI <zombie_host> -p 80,443,445 <target> -oN idle_scan.txt

# Slow scan to evade IDS rate-based detection
nmap -sS -T1 --max-rate 10 -p 1-1024 <target> -oA stealth_scan
```

Caveats a practitioner should keep in mind:

  • Fragmentation and decoys only help against inspection that does not reassemble or correlate. Stateful firewalls and current IDS reassemble fragments, and with `-D` your real address is still one of the sources; the decoy hosts should be up, or the target may see what looks like a SYN flood from dead addresses.
  • An idle scan is only as quiet as its zombie. The zombie needs a global, incremental IP ID counter and must be otherwise quiet; `nmap -O -v` (look for `IP ID Sequence Generation: Incremental`) or `nmap --script ipidseq` reports candidates. The zombie itself still receives and logs your probes.
  • `-T1` already waits 15 seconds between probes, so `--max-rate 10` is not the binding limit there; a 1024-port `-T1` scan takes over four hours per host. Use `--max-rate` when you need a faster template with a hard ceiling.

Step 6: Output Parsing and Reporting

```bash
# Convert XML output to HTML report (uses the nmap.xsl path embedded in the XML;
# scan with --webxml if the report will be rendered on a machine without Nmap installed)
xsltproc full_tcp_scan.xml -o scan_report.html

# Extract open ports per host from grepable output (fields are tab separated: Host, Ports, Ignored State)
grep "Ports:" full_tcp_scan.gnmap | awk -F'\t' '{split($1, h, " "); print h[2], $2}' > open_ports_summary.txt

# Parse XML with nmap-parse-output for structured data
nmap-parse-output full_tcp_scan.xml hosts-to-port 445

# Import into Metasploit database
msfconsole -q -x "db_import full_tcp_scan.xml; hosts; services; exit"

# Generate CSV for vulnerability management tools
nmap-parse-output full_tcp_scan.xml csv > scan_results.csv
```

Key Concepts

| Term | Definition |
|------|------------|
| SYN Scan (`-sS`) | Half-open TCP scan that sends SYN packets and analyzes responses without completing the three-way handshake; faster than a connect scan, and less likely to be logged by the application because no connection is ever established |
| NSE (Nmap Scripting Engine) | Lua-based scripting framework built into Nmap that enables vulnerability detection, brute forcing, service discovery, and custom automation |
| Timing Templates (`-T0` to `-T5`) | Predefined scan speed profiles ranging from Paranoid (T0) to Insane (T5), controlling probe parallelism, timeout values, and inter-probe delays |
| Idle Scan (`-sI`) | Advanced scan technique that uses a zombie host's IP ID sequence to port scan a target without sending any packet to the target from the scanner's own IP address |
| Version Intensity | Controls how many probes Nmap sends to determine service versions, ranging from 0 (light) to 9 (all probes), trading speed for accuracy |
| Grepable Output (`-oG`) | Legacy Nmap output format designed for easy parsing with grep, awk, and sed for scripted analysis of scan results |
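
The idle scan's IP ID inference, as an added simulation written for this page (not Nmap's implementation). `Zombie` and `Target` are toy models constructed for the example: the zombie bumps one global IP ID counter on every packet it sends, the target answers SYN/ACK for open ports, RST for closed ones, and nothing at all for ports a firewall drops. The scanner only ever talks to the zombie; its SYN to the target is spoofed with the zombie's address, so the target never learns the scanner's IP, and the port state is read from how far the zombie's counter moved between two probes.

```python
"""Idle scan (-sI) inference, simulated. Added example for this page, not Nmap code.

The scanner probes the zombie's IP ID before and after sending the target a SYN
spoofed from the zombie's address. Two increments mean the target sent the
zombie a SYN/ACK (port open) which the zombie answered with a RST; one
increment means the target sent a RST or nothing (closed or filtered), which
the zombie ignores. Real zombies must have a global, incremental IP ID and be
otherwise quiet; `nmap --script ipidseq` reports candidates.
"""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Host with a single global IP ID counter incremented on every packet it sends."""
    ip: str
    ip_id: int = 1000

    def send_packet(self) -> int:
        self.ip_id += 1
        return self.ip_id

    def receive(self, flags: str) -> None:
        # A SYN/ACK for a connection it never opened is answered with a RST
        # (costs one IP ID); an unsolicited RST is silently dropped.
        if flags == "SYN/ACK":
            self.send_packet()


@dataclass
class Target:
    open_ports: set[int]
    firewall_drops: set[int] = field(default_factory=set)

    def receive_syn(self, port: int, src: Zombie) -> None:
        """The SYN carried the zombie's source address, so the reply goes to the zombie."""
        if port in self.firewall_drops:
            return                                  # filtered: no reply at all
        src.receive("SYN/ACK" if port in self.open_ports else "RST")


def probe_ipid(zombie: Zombie) -> int:
    """Scanner -> zombie SYN/ACK; the zombie's RST carries its current IP ID."""
    return zombie.send_packet()


def idle_scan(zombie: Zombie, target: Target, ports: list[int]) -> dict[int, str]:
    """Return port -> state using the same labels Nmap reports for -sI."""
    results: dict[int, str] = {}
    for port in ports:
        before = probe_ipid(zombie)
        target.receive_syn(port, src=zombie)        # SYN with spoofed source = zombie IP
        after = probe_ipid(zombie)
        delta = after - before
        # +1 is our own second probe; +2 means the zombie also RST'd a SYN/ACK.
        if delta == 2:
            results[port] = "open"
        elif delta == 1:
            results[port] = "closed|filtered"
        else:
            results[port] = "unknown (zombie not idle)"  # other traffic moved the counter
    return results


if __name__ == "__main__":
    zombie = Zombie("10.0.0.50")                    # constructed addresses for the demo
    target = Target(open_ports={80, 443}, firewall_drops={445})
    print(idle_scan(zombie, target, [22, 80, 443, 445]))
```

The `unknown` branch is why Nmap insists on an idle zombie: any other traffic through the zombie moves the counter and makes the inference ambiguous, which is also why the same technique cannot tell closed from filtered.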

Tools & Systems

  • Nmap 7.90+: Core scanning engine with NSE scripting, OS detection, version probing, and multiple output formats
  • nmap-parse-output: Community tool for parsing Nmap XML output into structured formats (CSV, JSON, host lists)
  • Ndiff: Nmap utility for comparing two scan results to identify changes in network state over time
  • Zenmap: Official Nmap GUI providing visual network topology mapping and scan profile management
  • Metasploit Framework: Imports Nmap XML output for direct correlation of scan results with exploit modules

Common Scenarios

Scenario: Enterprise Network Asset Discovery and Vulnerability Baseline

Context: A security team needs to establish a vulnerability baseline for a corporate network spanning 10.0.0.0/8 with approximately 5,000 active hosts. Scanning must complete within a weekend maintenance window with minimal network disruption.
Approach:
  1. Run layered host discovery using ARP (local subnets), TCP SYN (ports 22,80,443,445,3389), and ICMP echo probes across all /24 subnets
  2. Perform a full TCP SYN scan on discovered hosts using `--min-rate 5000` and `-T4` to complete within the window
  3. Run service version detection and default NSE scripts on all open ports
  4. Execute targeted NSE vulnerability scripts for critical services (SMB, SSL/TLS, HTTP)
  5. Parse XML output to generate per-subnet CSV reports and import into the vulnerability management platform
  6. Schedule Ndiff comparisons against future scans to track remediation progress
Pitfalls:
  • Setting `--min-rate` too high on congested network segments, causing packet loss and false negatives
  • Running `-T5` (Insane) timing on production networks, potentially overwhelming older network devices
  • Forgetting to scan UDP ports, missing critical services like SNMP (161), DNS (53), and TFTP (69)
  • Not saving output in XML format (`-oX` or `-oA`), losing structured data for downstream tool integration
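
Steps 5 and 6 of the scenario, and the parsing commands in the Step 6 workflow above, in one added example written for this page (it is not nmap-parse-output or Ndiff code). It reads the XML that `-oX`/`-oA` writes into rows, answers "which hosts have port N open" (what `hosts-to-port` does), emits CSV for the vulnerability management import, and diffs two scans for ports that stopped or started being open, which is the remediation check the scenario schedules with Ndiff. `BASELINE_XML` and `RESCAN_XML` are constructed samples in the element and attribute layout Nmap writes, trimmed to the parts parsed here; the addresses, hostname and product strings are made up.

```python
"""Nmap XML (-oX / -oA) to rows, hosts-to-port, CSV, and an open-port diff
between two scans (the comparison the scenario schedules with Ndiff).
Added example written for this page, not nmap-parse-output or Ndiff code.
BASELINE_XML / RESCAN_XML are constructed samples in the element and
attribute layout Nmap writes, trimmed to the parts parsed here."""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SMB_OPEN = (
    '<port protocol="tcp" portid="445"><state state="open"/>'
    '<service name="microsoft-ds" product="Windows Server 2012 R2 microsoft-ds"/>'
    '<script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution '
    'vulnerability in Microsoft SMBv1 servers (ms17-010)"/></port>'
)
SMB_CLOSED = '<port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>'
JETTY_OPEN = ('<port protocol="tcp" portid="8080"><state state="open"/>'
              '<service name="http" product="Jetty" version="9.4.43"/></port>')

BASELINE_XML = f"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV --script vuln -oX - 10.10.5.23 10.10.3.77" version="7.94">
<host><status state="up"/><address addr="10.10.5.23" addrtype="ipv4"/>
<hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames><ports>
{SMB_OPEN}
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
</ports></host>
<host><status state="up"/><address addr="10.10.3.77" addrtype="ipv4"/><hostnames/><ports>
<port protocol="udp" portid="161"><state state="open"/><service name="snmp" product="SNMPv2c"/></port>
</ports></host>
</nmaprun>"""
# Rescan a week later: SMB on 10.10.5.23 is closed, a new Jetty instance appeared.
RESCAN_XML = BASELINE_XML.replace(SMB_OPEN, SMB_CLOSED + "\n" + JETTY_OPEN)


@dataclass(frozen=True)
class PortRow:
    host: str
    hostname: str
    port: int
    proto: str
    state: str
    service: str
    product: str
    version: str
    scripts: tuple[str, ...]  # NSE script ids that reported on this port


def parse_nmap_xml(xml_text: str) -> list[PortRow]:
    """One row per <port> of every host that is up; state is kept so callers can filter."""
    rows: list[PortRow] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:                       # Element truthiness is child count, so test None
            addr = host.find("address[@addrtype='ipv6']")
        hn = host.find("hostnames/hostname")
        for port in host.iter("port"):
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            rows.append(PortRow(
                host=addr.get("addr"),
                hostname=hn.get("name") if hn is not None else "",
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                state=port.find("state").get("state"),
                service=get("name"), product=get("product"), version=get("version"),
                scripts=tuple(s.get("id") for s in port.findall("script")),
            ))
    return rows


def open_ports(rows: list[PortRow]) -> list[PortRow]:
    return [r for r in rows if r.state == "open"]


def hosts_to_port(rows: list[PortRow], port: int, proto: str = "tcp") -> list[str]:
    """Same question as `nmap-parse-output file.xml hosts-to-port <port>`."""
    return sorted({r.host for r in open_ports(rows) if r.port == port and r.proto == proto})


def to_csv(rows: list[PortRow]) -> str:
    """Open ports only, one line each, ready for a vulnerability management import."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "hostname", "port", "proto", "service", "product", "version", "scripts"])
    for r in open_ports(rows):
        w.writerow([r.host, r.hostname, r.port, r.proto, r.service, r.product, r.version, ";".join(r.scripts)])
    return buf.getvalue()


def diff_open_ports(baseline: list[PortRow], rescan: list[PortRow]) -> dict[str, list[tuple[str, str, int]]]:
    """(host, proto, port) tuples that stopped or started being open between two scans."""
    before = {(r.host, r.proto, r.port) for r in open_ports(baseline)}
    after = {(r.host, r.proto, r.port) for r in open_ports(rescan)}
    return {"closed": sorted(before - after), "new": sorted(after - before)}


if __name__ == "__main__":
    base, new = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(RESCAN_XML)
    print(to_csv(base))
    print("hosts with 445/tcp open:", hosts_to_port(base, 445))
    print("changes since baseline:", diff_open_ports(base, new))
```

On real output, replace the constants with `open("full_tcp_scan.xml").read()` and the next weekend's file; the `new` list is what to triage first, since anything that appeared between scans was never in the baseline. Script output is kept per port, so a `vuln` scan's findings (`scripts` column) ride along into the CSV rather than living only in the text report.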

Output Format

Nmap Scan Summary

Scan Profile: Full TCP + Top 200 UDP + Service Enumeration
Target Range: 10.10.0.0/16
Hosts Discovered: 347 live hosts
Scan Duration: 2h 14m

Critical Findings

| Host | Port | Service | Version | Vulnerability |
|------|------|---------|---------|---------------|
| 10.10.5.23 | 445/tcp | SMB | Windows Server 2012 R2 | MS17-010 (EternalBlue) |
| 10.10.8.100 | 443/tcp | Apache httpd | 2.4.49 | CVE-2021-41773 (Path Traversal) |
| 10.10.12.5 | 3306/tcp | MySQL | 5.6.24 | CVE-2016-6662 (RCE) |
| 10.10.3.77 | 161/udp | SNMP | v2c | Public community string |

Recommendations

  1. Patch MS17-010 on 10.10.5.23 immediately -- Critical RCE vulnerability
  2. Upgrade Apache httpd to 2.4.58+ on 10.10.8.100
  3. Upgrade MySQL to 8.0.x on 10.10.12.5 and restrict bind address
  4. Change SNMP community strings from "public" on 10.10.3.77