nmap及其他扫描
最基本的扫描
# nmap 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds扫描活跃的主机 -sn
#nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)扫描多台机器
#map 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
62078/tcp open iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds#map 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST
…#nmap192.169.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds使用ICMP对设备进行扫描
使用ICMP类似Ping的请求响应扫描 -PE
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds使用ICMP时间戳响应扫描 -PE
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)使用ICMP使用ICMP掩码扫描 -PM
#nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds使用TCP对设备进行扫描
使用TCP SYN对设备进行扫描 - PS
nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds使用TCP ACK对设备进行扫描 -PA
#nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds使用UDP对设备进行扫描 -PU
UDP更简单,但是不如TCP方便,且慢。
#nmap -sn -PU 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds对端口进行扫描
端口种类
- 公有端口(WellKnow Port):0-1024
- 注册端口(RegisteredPort):1025-49,151
- 动态/私有端口(Dynamic/Private Port):49,152-65,535
端口状态
- Open:开放状态。nmap 发起两个 SYN 的请求,服务器上监听在此端口的进程会进行应答,会返回 SYN/ACK, nmap 收到服务端返还回来的应答后会发送两个 RST ,并不会和服务端建立通信连接,完成端口的探测。
- Closed:关闭状态。nmap 发起两个 SYN 的请求,服务器上由于没有进程监听该端口,内核会返回 RST, nmap 收到服务端返还回来的 RST 报文,将探测结果定义为 closed 。
- Filtered:过滤状态。这种情况是服务端将收到的 nmap SYN 报文直接丢弃,不进行应答, 由于 nmap 直接发送了两个 SYN 报文,都没有收到应答,所以认定服务端开启了防火墙,将 SYN 报文丢弃。
- Unfiltered:未过滤状态。nmap 默认进行的是 SYN 扫描,当用 -sA 选项( TCP ACK 扫描),连续发送两个同样的 ACK 报文,由于 snmp 确认收到了一个服务端根本没有发送的报文,所以服务端会发送一个 RST 报文, snmp 收到服务端发送来的 RST 报文后,确认服务端没有对报文进行丢弃处理,注意本探测不能发现端口是开放还是关闭状态,只能确认探测的报文服务端已收到,并回复给了 snmp RST报文。
- open|filtered:Open|filtered 开放或过滤状态。这种状态主要是nmap无法区别端口处于 open 状态还是 filtered 状态。这种状态长出现于UDP端口,参考后续 UDP 中的解释。
- closed|filtered:关闭或者过滤状态。
扫描技术
SYN扫描 -sS
SNMP机器àSYNà机器
机器àSYN+ACKà SNMP机器
SNMP机器àRSTà机器(连接断开)
返回Open、Closed、filtered
#nmap -sS 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)Connect扫描 -sT
完成3次握手
SNMP机器SYN机器
机器SYN+ACK SNMP机器
SNMP机器ACK机器(连接建立)
#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.59 secondsUDP扫描 -sU
返回Open Open|filtered,速度很慢,filtered可能是Open,可能是Closed
#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds扫描全部端口 -p "*"
#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
1536/tcp open ampr-inter
1537/tcp open sdsc-lm
1538/tcp open 3ds-lm
1539/tcp open intellistor-lm
1550/tcp open 3m-image-lm
1551/tcp open hecmtl-db
1653/tcp open alphatech-lm
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5040/tcp open unknown
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)扫描频率最高的n个端口 –top-ports n
# nmap -top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds扫描指定端口 -p port
# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).
PORT STATE SERVICE
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds扫描操作系统
Nmap扫描操作系统采用主动方式,15个探针,不能正确发现,仅做推测。
最基本的扫描 -O
# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds尽对“具有Open和Closed的端口”进行扫描 -O --osscan-limit
# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds猜测最接近目标端口的操作系统 -O --osscan-guest
需要root权限
# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds扫描目标服务
扫描技术
- 对端口扫描:默认用SYN进行扫描
- 对服务识别:发出探针报文,返回确认值,确认服务
- 对版本识别:发出探针报文,返回报文信息,分析出服务的版本
扫描服务 -sV
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2269
2383/tcp open ms-olap4?
3000/tcp open ppp?
3306/tcp open mysql MariaDB (unauthorized)
5555/tcp open freeciv?
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20
SF::09\x20GMT\r\nContent-Length:\x2029\r\n\r\n
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20We
SF:d,\x2015\x20Jun\x202022\x2002:20:14\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Wed,\x2015\x20Jun\x202022\x2002:20:40\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\nFound\.\n\n"
SF:);
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\
SF:nPragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Op
SF:tions:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Ty
SF:pe-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\"
SF::\x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedR
SF:esponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}")%r(G
SF:etRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlogin\.html\r\
SF:n\r\n")%r(HTTPOptions,2D,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20mlo
SF:gin\.html\r\n\r\n")%r(RTSPRequest,2D,"HTTP/1\.0\x20302\x20Found\r\nLoca
SF:tion:\x20mlogin\.html\r\n\r\n")%r(FourOhFourRequest,6E,"HTTP/1\.1\x2040
SF:4\x20Not\x20Found\r\nCache-Control:\x20max-age=3600,\x20must-revalidate
SF:\r\nExpires:\x20Thu,\x2015\x20Jun\x202023\x2002:21:07\x20GMT\r\n")%r(SI
SF:POptions,138,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache\r\nP
SF:ragma:\x20no-cache\r\nExpires:\x200\r\ncharset:\x20UTF8\r\nX-Frame-Opti
SF:ons:\x20DENY\r\nX-XSS-Protection:\x201;\x20mode=block\r\nX-Content-Type
SF:-Options:\x20nosniff\r\nContent-Type:\x20text/html\r\n\r\n{\"STATUS\":\
SF:x20\"REDIRECT\",\x20\"RESPONSE\":\x20\"mlogin\.html\",\x20\"ExtendedRes
SF:ponse\":\x20\[{\"last_notification_change_ts\"\x20:\x20\"\"}\]}");
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds将扫描结果存为XML文件名
#nmap -oX nmap.xml 192.168.0.106
tarting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds扫描WEB服务器
Web 服务器的软件构成
编写的应用(内部) |
|---|
编程语言:PHPJSP ASP ASP.net(内部) |
Web服务器:IISApache Nginx Tomcat(外部) |
操作系统:Windows Linux(外部) |
用dirb扫描目录结构
# dirb http://192.168.0.106:8080/sec/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 15 10:34:09 2022
URL_BASE: http://192.168.0.106:8080/sec/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.106:8080/sec/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/1/
==> DIRECTORY: http://192.168.0.106:8080/sec/10/
==> DIRECTORY: http://192.168.0.106:8080/sec/13/
==> DIRECTORY: http://192.168.0.106:8080/sec/14/
==> DIRECTORY: http://192.168.0.106:8080/sec/15/
==> DIRECTORY: http://192.168.0.106:8080/sec/2/
==> DIRECTORY: http://192.168.0.106:8080/sec/20/
==> DIRECTORY: http://192.168.0.106:8080/sec/21/
==> DIRECTORY: http://192.168.0.106:8080/sec/22/
==> DIRECTORY: http://192.168.0.106:8080/sec/23/
==> DIRECTORY: http://192.168.0.106:8080/sec/24/
==> DIRECTORY: http://192.168.0.106:8080/sec/25/
==> DIRECTORY: http://192.168.0.106:8080/sec/3/
==> DIRECTORY: http://192.168.0.106:8080/sec/30/
==> DIRECTORY: http://192.168.0.106:8080/sec/32/
==> DIRECTORY: http://192.168.0.106:8080/sec/4/
==> DIRECTORY: http://192.168.0.106:8080/sec/42/
==> DIRECTORY: http://192.168.0.106:8080/sec/5/
==> DIRECTORY: http://192.168.0.106:8080/sec/7/
==> DIRECTORY: http://192.168.0.106:8080/sec/8/
==> DIRECTORY: http://192.168.0.106:8080/sec/9/
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
+ http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/
---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
+ http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/js/
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/
---- Entering directory: http://192.168.0.106:8080/sec/10/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/10/img/
+ http://192.168.0.106:8080/sec/10/index.html (CODE:200|SIZE:1107)
==> DIRECTORY: http://192.168.0.106:8080/sec/10/jsp/
…
---- Entering directory: http://192.168.0.106:8080/sec/1/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/1/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/img/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/13/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/15/image/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/jsp/ ----
…用whatweb扫描Web server
# whatweb http://192.168.0.106:8080/sec/
http://192.168.0.106:8080/sec/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], HTTPServer[Apache-Coyote/1.1], HttpOnly[JSESSIONID], IP[192.168.0.106], Java, Title[WEB 安全测试实验]扫描操作系统漏洞
扫描某个漏洞
#nmap --script ftp-vsftpd-backdoor 192.168.0.106
[*] exec: nmap --script ftp-vsftpd-backdoor 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:16 CST
Nmap scan report for 192.168.0.106
Host is up (0.00099s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds通过分类扫描漏洞
基本使用 --script vuln
nse目录/usr/share/nmap/scripts
#nmap --script vuln 192.168.0.106
nmap --script vuln 192.168.0.106
[*] exec: nmap --script vuln 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_ /reports/: Potentially interesting folder (401 Unauthorized)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-trace: TRACE is enabled
| http-enum:
| /examples/: Sample scripts
| /test.php: Test page
| /PMA/: phpMyAdmin
| /pma/: phpMyAdmin
| /active/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /demo/: Potentially interesting folder
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /sec/: Potentially interesting folder
| /server-info/: Potentially interesting folder
|_ /server-status/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /examples/: Sample scripts
| /test.html: Test page
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /docs/: Potentially interesting folder
|_ /sec/: Potentially interesting folder
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 329.10 seconds利用第三方vulscan进行扫描
安装
#cd /usr/share/nmap/scripts
#git clone https://github.com/scipag/vulscan.git多出一个vulscan目录
更新脚本
#cd /usr/share/nmap/scripts/vulscan/utilities/updater
# chmod +x updateFiles.sh
./ updateFile.sh速度特别慢
使用
必须加-sV
全部扫描
# nmap --script=vulscan/vulscan.nse -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:50 CST仅扫描某个csv
# nmap --script=vulscan/vulscan.nse --script-args vulscandb=scipuldb.csv -sV 192.168.0.106专业扫描工具
- Rapid7 Nexpose(商用,部分免费)
- Tenable Nessus(商用,部分免费)
- OpenVAS(完全免费)
扫描WEB应用
2017 OWASP TOP 10
序号 | 名称 | 攻击难易度 | 漏洞普遍性 | 检查难易度 | 技术影响 |
|---|---|---|---|---|---|
A1 | 注入 | 3 | 2 | 3 | 3 |
A2 | 失效的身份认证 | 3 | 2 | 2 | 3 |
A3 | 敏感数据泄露 | 2 | 3 | 2 | 3 |
A4 | XML外部实体(XXE) | 2 | 2 | 3 | 3 |
A5 | 失效的访问控制 | 2 | 2 | 2 | 3 |
A6 | 安全配置错误 | 3 | 3 | 3 | 2 |
A7 | 跨站脚本(XSS) | 3 | 3 | 3 | 2 |
A8 | 不安全的反序列化 | 1 | 2 | 2 | 3 |
A9 | 使用含有已知漏洞的组件 | 2 | 3 | 2 | 2 |
A10 | 不足的日志记录和监控 | 2 | 3 | 1 | 2 |
Zaproxy的使用
# apt install zaproxy
# zaproxy
PHP代码审计工具RIPS
扫描PHP程序,下载rips-0.55放在htdocs下,通过http://IP/rips-0.55l来访问
Netcat扫描
扫描指定端口
#nc -v 192.168.0.106 8080
192.168.0.106: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.106] 8080 (http-alt) open本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2022-06-16,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
