I'm a cyber security student working on nmap, and I don't understand why I get a different answer with this scan type:

I'm learning nmap from a website and there is something I don't understand. When I try to scan ports with nmap using this command:

sudo nmap -sS x.x.x.x

I get:

Nmap scan report for x.x.x.x
Host is up (0.011s latency).
Not shown: 992 closed ports
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
53/tcp  filtered domain
80/tcp  open     http
110/tcp open     pop3
139/tcp open     netbios-ssn
143/tcp open     imap
445/tcp filtered microsoft-ds

But when I try to use the -S option like this:

sudo nmap -sS x.x.x.x -S x.x.x.x -e eth0 -Pn

I get:

Nmap done: 1 IP address (0 hosts up) scanned in 1.53 seconds

Why do I get no open ports with the -S option, while the ports are shown when I use the -sS/-sT options? When do you usually use the -S option?

Here is a detailed explanation of these options. Once you have read them you will understand why your scan produced no results. I hope you find this answer useful.

-S (spoof source address)

In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to send packets through.

Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! The -e option and -Pn are generally required for this sort of usage. Note that you usually won't receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won't produce useful reports.

-e (use specified interface)

Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot.

-Pn (no ping)

This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning and to gauge the speed of the network. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against every target IP address specified. So if a /16 sized network is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. Default timing parameters are used, which may result in slower scans. To skip host discovery and port scan, while still allowing NSE to run, use the two options -Pn -sn together.

For machines on a local ethernet network, ARP scanning will still be performed (unless --disable-arp-ping or --send-ip is specified) because Nmap needs MAC addresses to further scan target hosts. In previous versions of Nmap, -Pn was -P0 and -PN.