# nmaps

> nmaps is a new-generation port and fingerprint scanner written in Go. It takes advantage of Go's characteristics to scan faster and run cross-platform, and it bundles a trimmed copy of the nmap fingerprint database so that it no longer has to call nmap for service identification.

## Motivation

> nmaps is a sub-module of an information-gathering platform to be developed later (it does not need to fingerprint every port, but common services should be identified). In the past, port probing meant calling masscan/nmap, which for large batches of assets brings imprecise results, slow speed and inconvenient invocation; nmaps is also meant to be usable as a single cross-platform binary for lateral probing inside an internal network.

## How it works

- Port liveness detection: without root privileges it scans using CONNECT; with root privileges it scans using SYN. For batch asset probing it borrows masscan's core scanning algorithm and the naabu open-source project.

> Masscan first stores the targets as a "list of ranges". IP address
> ranges are stored in one structure, and port ranges are stored
> in another structure.
> Then, a single index variable is used to enumerate the set of all
> IP:port combinations. The scan works by simply incrementing the
> index variable from 0 to the total number of probes (the 'range').
> Then, before the enumeration step, the index is permuted into another
> random index within the same range, in a 1-to-1 mapping. In other
> words, the algorithm is theoretically reversible: given the output
> of the permutation function, we can obtain the original index.

- Fingerprinting: uses nmap's open-source fingerprint database, with the UDP rules and the rules for less common services at probe rarity 8 and above removed. For a single port, the rules of the highest-priority rarity tier are probed concurrently first; if nothing matches, the next tier is probed concurrently (because the probes run concurrently, a small number of services yield several matches, so the result is not always precise); if there is still no matching fingerprint, the service conventionally associated with that port number is reported (which can produce false positives).

## Command-line options

```
Usage of ./nmap:
  -c int
        扫描并发工作协程数(切勿太大,造成网络波动) (default 25)
  -debug
        输出debug调试信息
  -exclude-file string
        指定包含要从扫描中排除的目标,以换行符分隔的文件 (ip, cidr)
  -exclude-hosts string
        指定要从扫描中排除的目标以逗号分隔列表 (ip, cidr)
  -exclude-ports string
        要从枚举中排除的端口
  -host string
        指定扫描的主机地址
  -iL string
        指定包含待扫描的主机文本文件
  -interface string
        指定用于端口扫描的网络接口
  -interface-list
        列出可用接口和公有IP
  -json
        以json格式保存
  -nC
        在输出中不使用彩色输出
  -nmaptimeout int
        端口指纹识别socket连接超时时间 (default 7)
  -o string
        指定保存扫描结果
  -p string
        指定待扫描的端口范围 (80, 80,443, 100-200, (-p - 将全端口扫描)
  -ping
        扫描前使用ping探针验证主机存活
  -ports-file string
        指定包含要枚举的端口文件
  -rate int
        端口扫描探测请求的速率 (default 1000)
  -retries int
        端口扫描探测的重试次数 (default 1)
  -silent
        仅在输出中显示找到的端口
  -source-ip string
        指定在TCP数据包中使用的SourceIP
  -timeout int
        扫描超时前等待的毫秒数 (default 700)
  -top-ports string
        指定扫描的常规端口 (top 100/1000
  -v    显示详细输出
  -verify
        扫描出端口后使用TCP连接二次验证
  -version
        显示版本信息
  -warm-up-time int
        扫描阶段之间的间隔时间(秒) (default 2)
```

## Demo

> The sample IPs were picked at random from fofa queries and are not aimed at any particular IP; if this causes you trouble, contact me and I will remove them.

> Without root privileges the scan uses CONNECT; this works on macOS and Windows, but a Linux server is recommended for batch scanning.

```
./nmap -host 42.192.0.159 -top-ports 1000

  _   _  __  __          _____   _____
 | \ | ||  \/  |   /\   |  __ \ / ____|
 |  \| || \  / |  /  \  | |__) | (___
 | . ` || |\/| | / /\ \ |  ___/ \___ \
 | |\  || |  | |/ ____ \| |     ____) |
 |_| \_||_|  |_/_/    \_\_|    |_____/  V1.0


[INF] 当前非root权限运行CONNECT扫描(速度比SYN探测方式慢)
[INF] nmap指纹库加载成功,共计[42]个探针,[10652]条正则匹配
[INF] 主机[42.192.0.159]探测到[6]个存活端口 [3389,49153,49155,49152,49154,49156,]
[INF] 开始进行端口指纹识别,请稍后
[INF] 42.192.0.159:3389 [ssl]
[INF] 42.192.0.159:49153 [msrpc] Microsoft Windows RPC Windows
[INF] 42.192.0.159:49152 [msrpc] Microsoft Windows RPC Windows
[INF] 42.192.0.159:49154 [msrpc] Microsoft Windows RPC Windows
[INF] 42.192.0.159:49155 [msrpc] Microsoft Windows RPC Windows
[INF] 42.192.0.159:49156 [msrpc] Microsoft Windows RPC Windows
```

## Speed and accuracy comparison

### 1. nmap: 126 seconds

> nmap -p- -Pn -sV 61.186.243.130

```
Nmap scan report for 61.186.243.130
Host is up (0.042s latency).
Not shown: 65506 closed ports
PORT      STATE    SERVICE            VERSION
23/tcp    filtered telnet
25/tcp    filtered smtp
80/tcp    filtered http
137/tcp   filtered netbios-ns
350/tcp   open     matip-type-a?
352/tcp   open     http               Microsoft IIS httpd 6.0
443/tcp   filtered https
445/tcp   filtered microsoft-ds
1433/tcp  open     ms-sql-s           Microsoft SQL Server 2008 R2 10.50.1600; RTM
1723/tcp  filtered pptp
3389/tcp  open     ssl/ms-wbt-server?
4444/tcp  filtered krb524
5554/tcp  filtered sgi-esphttp
8033/tcp  open     http               Apache Tomcat/Coyote JSP engine 1.1
8080/tcp  filtered http-proxy
8081/tcp  filtered blackice-icecap
8082/tcp  filtered blackice-alerts
8085/tcp  filtered unknown
8086/tcp  open     http               Microsoft IIS httpd 10.0
8088/tcp  filtered radan-http
8090/tcp  open     opsmessaging?
8099/tcp  open     http               Microsoft IIS httpd 7.5
8181/tcp  filtered intermapper
9090/tcp  open     http               Microsoft IIS httpd 10.0
9100/tcp  open     jetdirect?
9101/tcp  open     jetdirect?
10084/tcp filtered unknown
20002/tcp open     tcpwrapped
33400/tcp filtered unknown
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.03 seconds
```

### 2. nmaps: 51 seconds

> Set the Linux server's ulimit value to 65535

```
$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 7844
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
```

> ./nmaps -p - -c 100 -rate 2000 -host 61.186.243.130

> How fast the port scan runs depends on the rate value, so set it within a sensible range: inside an internal network the rate can be set a little higher with a smaller timeout, while for external targets use a lower rate and a somewhat larger timeout.

> As you can see, there is some gap on the http services, because http service identification was trimmed down; the later information-gathering platform will do full identification of http services separately. Of course a scan of a single IP is not a good basis for comparison; compare on a batch of assets instead.

```
  _   _  __  __          _____   _____
 | \ | ||  \/  |   /\   |  __ \ / ____|
 |  \| || \  / |  /  \  | |__) | (___
 | . ` || |\/| | / /\ \ |  ___/ \___ \
 | |\  || |  | |/ ____ \| |     ____) |
 |_| \_||_|  |_/_/    \_\_|    |_____/  V1.0


[INF] 当前root权限运行TCP/ICMP/SYN扫描
[INF] nmap指纹库加载成功,共计[42]个探针,[10652]条正则,[8282]条TCP端口指纹
[INF] 主机[61.186.243.130]探测到[12]个存活端口 [8033,1433,8086,20002,9090,350,8099,8090,3389,352,9100,9101,]
[INF] 开始进行端口指纹识别,请稍后
[INF] 61.186.243.130:20002 [commtact-http]
[INF] 61.186.243.130:9090 [http] Microsoft IIS httpd 10.0 Windows
[INF] 61.186.243.130:3389 [ssl]
[INF] 61.186.243.130:8033 [http] 1.1
[INF] 61.186.243.130:8086 [http] Microsoft IIS httpd 10.0 Windows
[INF] 61.186.243.130:8090 [opsmessaging]
[INF] 61.186.243.130:9100 [jetdirect]
[INF] 61.186.243.130:8099 [unknown]
[INF] 61.186.243.130:9101 [jetdirect]
[INF] 61.186.243.130:350 [matip-type-a]
[INF] 61.186.243.130:1433 [ms-sql-s] Microsoft SQL Server 2008 R2 10.50.1600; RTM Windows
[INF] 61.186.243.130:352 [dtag-ste-sb]
```
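The masscan-style target enumeration quoted under the scanning principle above, as an added example that is not nmaps or masscan code: IP and port ranges are kept as separate lists, one index addresses every IP:port pair, and that index is run through a 1-to-1 permutation so the probing order is shuffled while every output can be mapped back to its original index. The affine permutation, the `span`/`targetSpace` names and the sample ranges are stand-ins chosen here; masscan's own permutation is a Feistel-style cipher.

```go
package main

import (
	"math/bits"
	"net"
)

// Added example, not nmaps or masscan code: ranges are separate lists, one index
// enumerates every IP:port pair, and a 1-to-1 permutation shuffles that index.
type span struct{ lo, hi uint64 } // inclusive; IPv4 as uint32, port as uint16
type targetSpace struct{ ips, ports []span }

func count(spans []span) (n uint64) {
	for _, s := range spans {
		n += s.hi - s.lo + 1
	}
	return n
}

// walk returns the idx-th value across the ranges, taken in list order.
func walk(spans []span, idx uint64) uint64 {
	for _, s := range spans {
		if n := s.hi - s.lo + 1; idx >= n {
			idx -= n
			continue
		}
		return s.lo + idx
	}
	panic("index outside the target space")
}

// total is the probe count; pick decodes index = ipIdx*portCount + portIdx.
func (t targetSpace) total() uint64 { return count(t.ips) * count(t.ports) }
func (t targetSpace) pick(index uint64) (net.IP, uint16) {
	ports := count(t.ports)
	v := uint32(walk(t.ips, index/ports))
	return net.IPv4(byte(v>>24), byte(v>>16), byte(v>>8), byte(v)), uint16(walk(t.ports, index%ports))
}

// permute is an affine bijection on [0,total): (a*i + b) mod total, 1-to-1
// exactly when gcd(a,total)==1 (masscan's real one is a Feistel cipher).
func permute(i, total, a, b uint64) uint64 {
	hi, lo := bits.Mul64(a%total, i%total)
	return (bits.Rem64(hi, lo, total) + b%total) % total
}

// unpermute recovers i: (y - b) * a^-1 mod total, a^-1 by extended Euclid (total < 2^63).
func unpermute(y, total, a, b uint64) uint64 {
	r0, r1, s0, s1 := int64(a%total), int64(total), int64(1), int64(0)
	for r1 != 0 {
		q := r0 / r1
		r0, r1, s0, s1 = r1, r0-q*r1, s1, s0-q*s1
	}
	inv := uint64((s0%int64(total) + int64(total)) % int64(total))
	hi, lo := bits.Mul64((y+total-b%total)%total, inv)
	return bits.Rem64(hi, lo, total)
}
```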
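The tiered fingerprint matching described above, as an added example rather than nmaps code: rules are grouped by probe rarity, a tier is consulted only when every lower tier stayed silent, several rules in one tier can fire on the same banner (the imprecision noted above), and the well-known-port table is the last resort, flagged as an unverified guess. The `matchRule`/`fingerprinter` names, rules and banners are constructed for illustration and are not taken from nmap-service-probes.

```go
package main

import "regexp"

// Added example, not the nmaps code base: a stand-in for the trimmed
// nmap-service-probes rules, grouped into probe-rarity tiers. One tier is
// tried at a time; the next is consulted only when nothing matched.
type matchRule struct {
	service string
	re      *regexp.Regexp // response regex, as in an nmap "match" line
}
type fingerprinter struct {
	tiers       [][]matchRule     // lowest rarity (most common) first
	portDefault map[uint16]string // last resort: well-known port -> service
}

// identify returns every service matched in the first tier that hits (two
// or more hits is the imprecision the README notes) and otherwise falls
// back to the port table; fromRule=false flags that result as a guess.
func (f fingerprinter) identify(port uint16, banner []byte) (services []string, fromRule bool) {
	for _, tier := range f.tiers {
		for _, r := range tier {
			if r.re.Match(banner) {
				services = append(services, r.service)
			}
		}
		if len(services) > 0 {
			return services, true
		}
	}
	if svc, ok := f.portDefault[port]; ok {
		return []string{svc}, false
	}
	return []string{"unknown"}, false
}

// sampleDB holds constructed rules modelled on nmap match lines, not the real file.
var sampleDB = fingerprinter{
	tiers: [][]matchRule{
		{ // rarity 1: the most common services
			{"ssh", regexp.MustCompile(`^SSH-2\.0-OpenSSH_[\w.]+`)},
			{"http", regexp.MustCompile(`^HTTP/1\.[01] \d{3}`)},
		},
		{ // rarity 2: both rules fire on an ESMTP greeting, an ambiguous hit
			{"ftp", regexp.MustCompile(`^220[ -]`)},
			{"smtp", regexp.MustCompile(`^220[ -].*E?SMTP`)},
		},
		{ // rarity 6: only reached when the tiers above stay silent
			{"http-alt", regexp.MustCompile(`^HTTP/`)},
		},
	},
	portDefault: map[uint16]string{1433: "ms-sql-s", 3389: "ms-wbt-server", 9100: "jetdirect"},
}
```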