
★Kali Information Gathering★ 8. Nmap: Port Scanning

Author: 逸鹏
Published 2018-04-09 16:04:17
This article is included in the column: 逸鹏说道

Just noticed that WeChat pushes at most 8 articles at a time.

  • Options: (Zenmap is the Nmap GUI; if you would rather not type commands, use it directly) Full reference: https://nmap.org/man/zh/index.html
  • The option list is too long to paste here; WeChat articles are capped at 20K characters.
  • Offline download: http://pan.baidu.com/s/1dEiZdJV
  • Usage: (the "common" form is faster; the "full" form is more thorough but slower, mainly because scanning every port is what makes it slow)

OS identification: (a first look; explained in detail below) nmap -O -Pn <IP address>

TCP scan: the most reliable port scan, completing the full TCP three-way handshake
  Common: nmap -sT -Pn <IP address>
  Full:   nmap -sT -p- -Pn <IP address>
  -sT  TCP connect scan (-s => which scan type? => T for TCP)
  -p-  scan all ports (without it, Nmap scans only the 1000 most common ports by default)
  -Pn  disable Nmap host discovery and treat every host as up
  Batch scan, e.g.: nmap -sT -p- -Pn 192.168.1.1-254

SYN scan: ★ the most widely used port scan; only the first two steps of the TCP handshake are performed (stealth scan, fast)
  Common: nmap -sS -Pn <IP address>
  Full:   nmap -sS -p- -Pn <IP address>
  -sS (-s => which scan type? S => SYN)

UDP scan: (DHCP, DNS, SNMP, TFTP and others all run over UDP)
  Common: nmap -sU <IP address>
  Full:   nmap -sUV <IP address>
  U => UDP, V => version information (-sV adds version detection to the UDP scan)
  There is no -PN option here (think of it from the UDP side: once the datagram is sent, that is it, whether or not the other end received it)

Xmas scan: the RFC documents describe the technical details of a system; with the RFC in hand you may be able to find the system's weaknesses, and that is exactly the idea behind the Xmas and Null scans. Xmas scans are generally more effective against Unix or Linux systems.
  Common: nmap -sX -Pn <IP address>
  Full:   nmap -sX -p- -Pn <IP address>

Null scan: the opposite of the Xmas scan; it sends empty (flag-less) packets. An open port returns nothing, while a closed port returns an RST packet.
  Common: nmap -sN -Pn <IP address>
  Full:   nmap -sN -p- -Pn <IP address>

  • Extra: while a scan is running, press d to show debug output; pressing any other key (e.g. X) prints the current progress as XX.XX%.

Null scan and Xmas scan
If the target system follows the TCP RFC, Nmap can determine the target's port state at the moment the connection is initiated, without ever completing the connection. (PS: neither the Xmas scan nor the Null scan establishes any kind of communication channel; the only purpose of the scan is to find out which ports are open or closed.)

Other scan options
  -sV  version detection
  -iL  batch-scan the IPs listed in a file
  -F   fast mode: scans fewer ports than the default
  -v   more verbose output (-vv or more for even more detail)
  -A   enable OS detection, version detection, script scanning and more
  -T   timing (0 = slowest, 5 = fastest); lower it to avoid being detected, raise it if you are in a hurry

  • Practice: (commands commonly used during a penetration test)

① Quick scan

```text
root@Kali:~# nmap -T4 -F 192.168.169.105
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-24 12:06 CST
Nmap scan report for 192.168.169.105
Host is up (1.7s latency).
Not shown: 92 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
443/tcp  open     https
444/tcp  open     snpp
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1433/tcp open     ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
```

② Fast SYN scan: (only two steps of the TCP handshake, hard to notice)

```text
root@Kali:~# nmap -sS -T4 -A -v cnblogs.com
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-23 17:00 CST
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating Ping Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [4 ports]
Completed Ping Scan at 17:00, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:00
Completed Parallel DNS resolution of 1 host. at 17:00, 2.01s elapsed
Initiating SYN Stealth Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [1000 ports]
Discovered open port 443/tcp on 42.121.252.58
Discovered open port 80/tcp on 42.121.252.58
Increasing send delay for 42.121.252.58 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
Increasing send delay for 42.121.252.58 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Completed SYN Stealth Scan at 17:01, 84.92s elapsed (1000 total ports)
Initiating Service scan at 17:01
Scanning 2 services on cnblogs.com (42.121.252.58)
Completed Service scan at 17:01, 5.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against cnblogs.com (42.121.252.58)
Retrying OS detection (try #2) against cnblogs.com (42.121.252.58)
WARNING: OS didn't match until try #2
Initiating Traceroute at 17:01
Completed Traceroute at 17:01, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:01
Completed Parallel DNS resolution of 2 hosts. at 17:01, 0.15s elapsed
NSE: Script scanning 42.121.252.58.
Initiating NSE at 17:01
Completed NSE at 17:02, 6.16s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Nmap scan report for cnblogs.com (42.121.252.58)
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE    VERSION
80/tcp  open  tcpwrapped
|_http-favicon: Unknown favicon MD5: CDD795C4B3E1ED39250A6B1B1DB89E73
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-title: \xE5\x8D\x9A\xE5\xAE\xA2\xE5\x9B\xAD - \xE5\xBC\x80\xE5\x8F\x91\xE8\x80\x85\xE7\x9A\x84\xE7\xBD\x91\xE4\xB8\x8A\xE5\xAE\xB6\xE5\x9B\xAD
|_Requested resource was http://www.cnblogs.com/
443/tcp open  tcpwrapped
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.cnblogs.com
| Issuer: commonName=Go Daddy Secure Certificate Authority - G2/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-09-28T08:12:38
| Not valid after:  2016-07-27T12:31:38
| MD5:   9b12 efe2 1f0c 7967 ca7c fe14 2a13 a200
|_SHA-1: 29dd 13c4 11cd e03b de35 cad9 60ac e7e6 52de 8c44
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec Linux, Linux 2.4.X|3.X
OS CPE: cpe:/o:actiontec:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   0.04 ms 192.168.232.2
2   0.04 ms 42.121.252.58

NSE: Script Post-scanning.
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.48 seconds
           Raw packets sent: 3196 (145.286KB) | Rcvd: 195 (9.170KB)
```

③ Fast UDP scan

```text
root@Kali:~# nmap -sU -v 192.168.169.105
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-23 19:20 CST
Initiating Ping Scan at 19:20
Scanning 192.168.169.105 [4 ports]
Completed Ping Scan at 19:20, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:20
Completed Parallel DNS resolution of 1 host. at 19:20, 2.01s elapsed
Initiating UDP Scan at 19:20
Scanning 192.168.169.105 [1000 ports]
Discovered open port 137/udp on 192.168.169.105
Completed UDP Scan at 19:20, 23.11s elapsed (1000 total ports)
Nmap scan report for 192.168.169.105
Host is up (0.0013s latency).
Not shown: 998 open|filtered ports
PORT     STATE  SERVICE
137/udp  open   netbios-ns
4500/udp closed nat-t-ike
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
           Raw packets sent: 3006 (86.660KB) | Rcvd: 32 (1.654KB)
```

④ Fast scan (no ping)

```text
root@Kali:~# nmap -T4 -A -v -Pn 192.168.169.105
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-24 09:52 CST
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:52
Completed NSE at 09:52, 0.00s elapsed
Initiating NSE at 09:52
Completed NSE at 09:52, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:52
Completed Parallel DNS resolution of 1 host. at 09:52, 8.18s elapsed
Initiating SYN Stealth Scan at 09:52
Scanning 192.168.169.105 [1000 ports]
Discovered open port 80/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Discovered open port 443/tcp on 192.168.169.105
Discovered open port 135/tcp on 192.168.169.105
Discovered open port 139/tcp on 192.168.169.105
Discovered open port 445/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 5 to 10 due to max_successful_tryno increase to 5
Warning: 192.168.169.105 giving up on port because retransmission cap hit (6).
SYN Stealth Scan Timing: About 8.99% done; ETC: 09:58 (0:05:14 remaining)
SYN Stealth Scan Timing: About 14.66% done; ETC: 09:59 (0:05:55 remaining)
SYN Stealth Scan Timing: About 22.24% done; ETC: 09:59 (0:05:18 remaining)
SYN Stealth Scan Timing: About 29.91% done; ETC: 09:59 (0:04:43 remaining)
Discovered open port 1433/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 37.97% done; ETC: 09:59 (0:04:07 remaining)
Discovered open port 444/tcp on 192.168.169.105
Discovered open port 2383/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 54.17% done; ETC: 09:58 (0:02:33 remaining)
Discovered open port 2179/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 76.10% done; ETC: 09:57 (0:01:06 remaining)
Discovered open port 912/tcp on 192.168.169.105
Discovered open port 902/tcp on 192.168.169.105
Completed SYN Stealth Scan at 09:57, 318.66s elapsed (1000 total ports)
Initiating Service scan at 09:57
Scanning 11 services on 192.168.169.105
Completed Service scan at 09:58, 33.60s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.169.105
Initiating Traceroute at 09:58
Completed Traceroute at 09:58, 1.01s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:58
Completed Parallel DNS resolution of 2 hosts. at 09:58, 0.05s elapsed
NSE: Script scanning 192.168.169.105.
Initiating NSE at 09:58
Completed NSE at 09:58, 13.23s elapsed
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Nmap scan report for 192.168.169.105
Host is up (0.59s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE         VERSION
80/tcp    open     http            Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp   open     msrpc           Microsoft Windows RPC
139/tcp   open     netbios-ssn     Microsoft Windows 98 netbios-ssn
443/tcp   open     ssl/http        Apache httpd
| http-auth:
| HTTP/1.1 401 Authorization Required
|_  Basic realm=VisualSVN Server
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Authorization Required
| ssl-cert: Subject: commonName=DESKTOP-PTACRF6
| Issuer: commonName=DESKTOP-PTACRF6
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-06T14:04:50
| Not valid after:  2025-12-03T14:04:50
| MD5:   c707 0eb2 71d6 5178 6687 9d2f 5594 dc01
|_SHA-1: de83 b92f ad7d e0d0 125a 2f88 99d9 c741 6b51 bdcf
|_ssl-date: TLS randomness does not represent time
444/tcp   open     ssl/http        VMware VirtualCenter Web service
| http-cisco-anyconnect:
|_  ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text; charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Issuer: commonName=VMware/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-12-06T15:04:18
| Not valid after:  2016-12-05T15:04:18
| MD5:   6634 afe2 c934 e412 653c ee79 8fbe c64f
|_SHA-1: da6f aaeb 31b4 51a8 73b6 403a 728d c0e5 a1e9 7c08
|_ssl-date: TLS randomness does not represent time
445/tcp   open     microsoft-ds    (primary domain: WORKGROUP)
514/tcp   filtered shell
902/tcp   open     ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp   open     vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1198/tcp  filtered cajo-discovery
1433/tcp  open     ms-sql-s        Microsoft SQL Server 2014 12.00.4100.00; SP1+
1641/tcp  filtered invision
2179/tcp  open     vmrdp?
2383/tcp  open     ms-olap4?
2717/tcp  filtered pn-requester
2998/tcp  filtered iss-realsec
3814/tcp  filtered neto-dcs
5950/tcp  filtered unknown
9944/tcp  filtered unknown
10003/tcp filtered documentum_s
44176/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=6.49BETA4%I=7%D=12/24%Time=567B5124%P=i586-pc-linux-gnu%r
SF:(SMBProgNeg,85,"\0\0\0\x81\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\
SF:0\0\0\xfc\xe3\x01\0\xad\xb4\x16\x7f\xee=\xd1\x01\x20\xfe\x08<\0B2\xe4\^
SF:\xe0\xab\x91PW\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0D\0E\0S\0K\0T\0O\0P\0-\0P\0
SF:T\0A\0C\0R\0F\x006\0\0\0");
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DESKTOP-PTACRF6; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98

Host script results:
| ms-sql-info:
|   192.168.169.105:1433:
|     Version:
|       Service pack level: SP1
|       Post-SP patches applied: true
|       name: Microsoft SQL Server 2014 SP1+
|       number: 12.00.4100.00
|     Product: Microsoft SQL Server 2014
|_    TCP port: 1433
| nbstat: NetBIOS name: DESKTOP-PTACRF6, NetBIOS user: <unknown>, NetBIOS MAC: ac:b5:7d:18:93:b9 (Liteon Technology)
| Names:
|   DESKTOP-PTACRF6<00>  Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  DESKTOP-PTACRF6<20>  Flags: <unique><active>
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 587/tcp)
HOP RTT        ADDRESS
1   0.37 ms    192.168.232.2
2   1000.57 ms 192.168.169.105

NSE: Script Post-scanning.
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 382.58 seconds
           Raw packets sent: 3582 (159.270KB) | Rcvd: 3259 (130.738KB)
```

⑤ Enhanced quick scan

```text
root@Kali:~# nmap -sV -T4 -O -F --version-light 192.168.169.105
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-12-24 12:10 CST
Nmap scan report for 192.168.169.105
Host is up (0.31s latency).
Not shown: 92 closed ports
PORT     STATE    SERVICE      VERSION
80/tcp   open     http         Microsoft IIS httpd 10.0
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn  Microsoft Windows 98 netbios-ssn
443/tcp  open     ssl/http     Apache httpd
444/tcp  open     ssl/http     VMware VirtualCenter Web service
445/tcp  open     microsoft-ds (primary domain: WORKGROUP)
514/tcp  filtered shell
1433/tcp open     ms-sql-s     Microsoft SQL Server 2014
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
Service Info: Host: DESKTOP-PTACRF6; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.93 seconds
```

⑥ SYN full-port scan [some administrators do not put services on the usual ports, and only a full-port scan turns up the interesting ones]

```text
root@Kali:~# nmap -sS -p- -T4 -A -v 192.168.169.105
```

(Output omitted: too long, WeChat articles are capped at 20K characters.)

⑦ The big one: comprehensive scan

```text
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 192.168.169.105
```

(Output omitted: too long.)
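As an added example (not code from the original post), the following Python script parses Nmap's normal-format output, the same format printed in scans ① to ⑤ above, into structured records and pulls out the script findings a defender would act on, such as the TRACE method and the disabled SMB message signing reported in scan ④. The SAMPLE text is a constructed excerpt modelled on this page's output, and parse_nmap, triage, PORT_RE and RISK_MARKERS are names chosen here.

```python
import re
from collections import Counter
# Constructed excerpt modelled on the page's "enhanced quick scan" output; not a live scan.
SAMPLE = """\
Nmap scan report for 192.168.169.105
Not shown: 92 closed ports
PORT     STATE    SERVICE      VERSION
80/tcp   open     http         Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
| Potentially risky methods: TRACE
443/tcp  open     ssl/http     Apache httpd
445/tcp  open     microsoft-ds (primary domain: WORKGROUP)
514/tcp  filtered shell
1433/tcp open     ms-sql-s     Microsoft SQL Server 2014
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE lines worth a defender's follow-up; both markers come from findings shown on this page.
RISK_MARKERS = ("Potentially risky methods", "message_signing: disabled")

def parse_nmap(text):
    """Turn Nmap normal output into records: host, hidden-port summary, one dict per
    port line, and NSE script lines attached to the port (or host section) above them."""
    report = {"host": None, "not_shown": None, "ports": [], "host_scripts": []}
    current, in_host_scripts = None, False
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            report["host"] = line[len("Nmap scan report for "):].split()[0]
        elif line.startswith("Not shown: "):
            count, state = line.split()[2:4]          # e.g. "92 closed" or "998 open|filtered"
            report["not_shown"] = (int(count), state)
        elif line.startswith("Host script results"):
            in_host_scripts = True
        elif (m := PORT_RE.match(line)):             # the "PORT STATE ..." header does not match
            current = {"port": int(m[1]), "proto": m[2], "state": m[3],
                       "service": m[4], "version": (m[5] or "").strip(), "scripts": []}
            report["ports"].append(current)
        elif line.startswith("|"):                    # NSE output: "| ..." or "|_ ..."
            bucket = report["host_scripts"] if in_host_scripts or current is None else current["scripts"]
            bucket.append(line.lstrip("|_ "))
    return report

def triage(report):
    """Count port states and pull out the script lines that need action."""
    states = Counter(p["state"] for p in report["ports"])
    scripts = [s for p in report["ports"] for s in p["scripts"]] + report["host_scripts"]
    findings = [s for s in scripts if s.startswith(RISK_MARKERS)]
    return {"open": states["open"], "filtered": states["filtered"], "findings": findings}
```

Feed it the saved output of a real scan (nmap -oN) and the findings list is what goes into the remediation ticket.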

This article was shared from the WeChat public account 我为Net狂 through the Tencent Cloud self-media sharing plan. Originally published: 2015-12-25.
