中国红客联盟国际站联盟介绍联盟架构联盟文化联盟事记联盟邮箱购买特权捐助我们收藏本站
请登录
立即注册
首页Portal
资讯
圈子Group
贡献榜
关于我们
红客起源事记
搜索
当前位置:»交流社区 中国红客联盟【技术分享区】 攻击技术探索 Nmap常用基础命令详解

[工具使用] Nmap常用基础命令详解

52 0
Honkers 昨天 12:46 | 显示全部楼层 |阅读模式

阅读目录

Nmap 主机发现扫描

Nmap 使用扫描脚本

Nmap 内网服务扫描

Nmap 是免费开放源代码实用程序,用于网络发现和安全审核。许多系统和网络管理员还发现它对于诸如网络清单,管理服务升级计划以及监视主机或服务正常运行时间之类的任务很有用。Nmap以新颖的方式使用原始IP数据包来确定网络上可用的主机,这些主机提供的服务,它们正在运行的操作系统,包过滤器/防火墙的类型。正在使用中,还有许多其他特性。它旨在快速扫描大型网络,但可以在单个主机上正常运行。

Nmap 主机发现扫描

主机发现有时候也叫做 Ping 扫描,但它远远超越用世人皆知的 Ping 工具发送简单的 IcMp 回声请求报文,这些探测的目的是获得响应以显示某个 lP 地址是否是活动的(正在被某主机或者网络设备使用).主机发现能够找到零星分布于 lP 地址海洋上的那些机器.

Nmap 命令参数解析 扫描之前先来看一下参数解析.

  1. -sT TCP connect() 扫描,这是最基本的 TCP 扫描方式。这种扫描很容易被检测到,在目标主机的日志中会记录大批的连接请求以及错误信息。
  2. -sS TCP 同步扫描 (TCP SYN),因为不必全部打开一个 TCP 连接,所以这项技术通常称为半开扫描 (half-open)。这项技术最大的好处是,很少有系统能够把这记入系统日志。不过,你需要 root 权限来定制 SYN 数据包。
  3. -sF,-sX,-sN 秘密 FIN 数据包扫描、圣诞树 (Xmas Tree)、空 (Null) 扫描模式。这些扫描方式的理论依据是:关闭的端口需要对你的探测包回应 RST 包,而打开的端口必需忽略有问题的包(参考 RFC 793 第 64 页)。
  4. -sP ping 扫描,用 ping 方式检查网络上哪些主机正在运行。当主机阻塞 ICMP echo 请求包是 ping 扫描是无效的。nmap 在任何情况下都会进行 ping 扫描,只有目标主机处于运行状态,才会进行后续的扫描。
  5. -sU UDP 的数据包进行扫描,如果你想知道在某台主机上提供哪些 UDP(用户数据报协议,RFC768) 服务,可以使用此选项。
  6. -sA ACK 扫描,这项高级的扫描方法通常可以用来穿过防火墙。
  7. -sW 滑动窗口扫描,非常类似于 ACK 的扫描。
  8. -sR RPC 扫描,和其它不同的端口扫描方法结合使用。
  9. -b FTP 反弹攻击 (bounce attack),连接到防火墙后面的一台 FTP 服务器做代理,接着进行端口扫描。
  10. -P0 在扫描之前,不 ping 主机。
  11. -PT 扫描之前,使用 TCP ping 确定哪些主机正在运行。
  12. -PS 对于 root 用户,这个选项让 nmap 使用 SYN 包而不是 ACK 包来对目标主机进行扫描。
  13. -PI 设置这个选项,让 nmap 使用真正的 ping(ICMP echo 请求)来扫描目标主机是否正在运行。
  14. -PB 这是默认的 ping 扫描选项。它使用 ACK(-PT) 和 ICMP(-PI) 两种扫描类型并行扫描。如果防火墙能够过滤其中一种包,使用这种方法,你就能够穿过防火墙。
  15. -O 这个选项激活对 TCP/IP 指纹特征 (fingerprinting) 的扫描,获得远程主机的标志,也就是操作系统类型。
  16. -I 打开 nmap 的反向标志扫描功能。
  17. -f 使用碎片 IP 数据包发送 SYN、FIN、XMAS、NULL。包增加包过滤、入侵检测系统的难度,使其无法知道你的企图。
  18. -v 冗余模式。强烈推荐使用这个选项,它会给出扫描过程中的详细信息。
  19. -S <IP> 在一些情况下,nmap 可能无法确定你的源地址 (nmap 会告诉你)。在这种情况使用这个选项给出你的 IP 地址。
  20. -g port 设置扫描的源端口。一些天真的防火墙和包过滤器的规则集允许源端口为 DNS(53) 或者 FTP-DATA(20) 的包通过和实现连接。显然,如果攻击者把源端口修改为 20 或者 53,就可以摧毁防火墙的防护。
  21. -oN 把扫描结果重定向到一个可读的文件 logfilename 中。
  22. -oS 扫描结果输出到标准输出。
  23. --host_timeout 设置扫描一台主机的时间,以毫秒为单位。默认的情况下,没有超时限制。
  24. --max_rtt_timeout 设置对每次探测的等待时间,以毫秒为单位。如果超过这个时间限制就重传或者超时。默认值是大约 9000 毫秒。
  25. --min_rtt_timeout 设置 nmap 对每次探测至少等待你指定的时间,以毫秒为单位。
  26. -M count 置进行 TCP connect() 扫描时,最多使用多少个套接字进行并行的扫描。
复制代码

批量Ping扫描: 批量扫描一个网段的主机存活数.

  1. [root@localhost ~]# nmap -sP 192.168.1.0/24
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:41 EDT
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.0011s latency).
  6. MAC Address: 44:7D:3F:07:2C:A1 (Unknown)
  7. Nmap scan report for 192.168.1.2
  8. Host is up (0.000095s latency).
  9. MAC Address: FF:8E:BB:EE:AA:B4 (Unknown)
  10. Nmap scan report for 192.168.1.3
  11. Host is up (0.051s latency).
  12. MAC Address: CC:C0:AC:22:DD:07 (Unknown)
  13. Nmap scan report for 192.168.1.7
  14. Host is up.
  15. Nmap done: 256 IP addresses (4 hosts up) scanned in 50.15 seconds
复制代码

跳过Ping探测: 有些主机关闭了ping检测,所以可以使用-P0跳过ping的探测,可以加快扫描速度.

  1. [root@localhost ~]# nmap -P0 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:52 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0000090s latency).
  6. Not shown: 999 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  10. Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
复制代码

计算网段主机IP: 仅列出指定网段上的每台主机,不发送任何报文到目标主机.

  1. [root@localhost ~]# nmap -sL 192.168.1.0/24
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:43 EDT
  4. Nmap scan report for 192.168.1.0
  5. Nmap scan report for 192.168.1.1
  6. Nmap scan report for 192.168.1.2
  7. Nmap scan report for 192.168.1.3
  8. Nmap scan report for 192.168.1.4
  9. Nmap scan report for 192.168.1.5
  10. ...省略...
  11. Nmap done: 256 IP addresses (0 hosts up) scanned in 4.03 seconds
复制代码

扫描IP地址范围: 可以指定一个IP地址范围

  1. [root@localhost ~]# nmap -sP 192.168.1.1-10
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:17 EDT
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.00087s latency).
  6. MAC Address: 1A:7D:2E:AC:6E:1A (Unknown)
  7. Nmap scan report for 192.168.1.2
  8. Host is up (0.00016s latency).
  9. MAC Address: 81:8E:38:BC:7C:8E (Unknown)
  10. Nmap scan report for 192.168.1.4
  11. Host is up (0.061s latency).
  12. MAC Address: 81:29:81:64:81:A3 (Unknown)
  13. Nmap scan report for 192.168.1.5
  14. Host is up (0.060s latency).
  15. MAC Address: EA:3A:EA:EA:81:EA (Unknown)
  16. Nmap scan report for 192.168.1.7
  17. Host is up.
  18. Nmap done: 10 IP addresses (5 hosts up) scanned in 0.26 seconds
复制代码

探测开放端口(SYN): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).

  1. [root@localhost ~]# nmap -PS22,80,443 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:15 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0000090s latency).
  6. Not shown: 997 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  9. 80/tcp open http
  10. 3306/tcp open mysql
  12. Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
复制代码

探测开放端口(UDP): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).

  1. [root@localhost ~]# nmap -PU 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:55 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0000090s latency).
  6. Not shown: 999 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  10. Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
复制代码

SYN扫描: 使用SYN半开放扫描

  1. [root@localhost ~]# nmap -sS 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0000090s latency).
  6. Not shown: 999 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  10. Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
复制代码

TCP扫描: 扫描开放了TCP端口的设备.

  1. [root@localhost ~]# nmap -sT 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0012s latency).
  6. Not shown: 999 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  10. Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
复制代码

UDP扫描: 扫描开放了UDP端口的设备.

  1. [root@localhost ~]# nmap -sU 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:02 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0010s latency).
  6. Not shown: 999 closed ports
  7. PORT STATE SERVICE
  8. 68/udp open|filtered dhcpc
  10. Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
复制代码

协议探测: 探测目标主机支持哪些IP协议

  1. [root@localhost ~]# nmap -sO 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:04 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.000016s latency).
  6. Not shown: 249 closed protocols
  7. PROTOCOL STATE SERVICE
  8. 1 open icmp
  9. 2 open|filtered igmp
  10. 6 open tcp
  11. 17 open udp
  12. 103 open|filtered pim
  13. 136 open|filtered udplite
  14. 255 open|filtered unknown
  16. Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
复制代码

探测目标系统: 扫描探测目标主机操作系统,这里结果仅供参考.

  1. [root@localhost ~]# nmap -O 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:06 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.000056s latency).
  6. Not shown: 997 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  9. 80/tcp open http
  10. 3306/tcp open mysql
  11. Device type: general purpose
  12. Running: Linux 3.X
  13. OS CPE: cpe:/o:linux:linux_kernel:3
  14. OS details: Linux 3.7 - 3.9
  15. Network Distance: 0 hops
  17. OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  18. Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
复制代码

探测服务版本: 用于扫描目标主机服务版本号.

  1. [root@localhost ~]# nmap -sV 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:08 EDT
  4. Nmap scan report for 192.168.1.7
  5. Host is up (0.0000090s latency).
  6. Not shown: 997 closed ports
  7. PORT STATE SERVICE VERSION
  8. 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
  9. 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
  10. 3306/tcp open mysql ?
  12. Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  13. Nmap done: 1 IP address (1 host up) scanned in 6.43 seconds
复制代码

扫描多台主机: 一次性扫描多台目标主机.

  1. [root@localhost ~]# nmap 192.168.1.2 192.168.1.7
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:11 EDT
  4. Nmap scan report for 192.168.1.2
  5. Host is up (0.00052s latency).
  6. Not shown: 997 filtered ports
  7. PORT STATE SERVICE
  8. 135/tcp open msrpc
  9. 139/tcp open netbios-ssn
  10. 445/tcp open microsoft-ds
  11. MAC Address: F4:8E:38:EE:7C:B4 (Unknown)
  13. Nmap scan report for 192.168.1.7
  14. Host is up (0.000010s latency).
  15. Not shown: 997 closed ports
  16. PORT STATE SERVICE
  17. 22/tcp open ssh
  18. 80/tcp open http
  19. 3306/tcp open mysql
  21. Nmap done: 2 IP addresses (2 hosts up) scanned in 4.26 seconds
复制代码

导入扫描文件: 从一个文件中导入IP地址,并进行扫描.

  1. [root@localhost ~]# cat lyshark.log
  2. localhost
  3. www.baidu.com
  4. 192.168.1.7
  6. [root@localhost ~]# nmap -iL lyshark.log
  8. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:13 EDT
  9. Nmap scan report for localhost (127.0.0.1)
  10. Host is up (0.0000090s latency).
  11. Other addresses for localhost (not scanned): 127.0.0.1
  12. Not shown: 996 closed ports
  13. PORT STATE SERVICE
  14. 22/tcp open ssh
  15. 25/tcp open smtp
  16. 80/tcp open http
  17. 3306/tcp open mysql
  19. Nmap scan report for 192.168.1.7
  20. Host is up (0.0000090s latency).
  21. Not shown: 997 closed ports
  22. PORT STATE SERVICE
  23. 22/tcp open ssh
  24. 80/tcp open http
  25. 3306/tcp open mysql
  27. Nmap done: 3 IP addresses (2 hosts up) scanned in 3.09 seconds
复制代码

绕过防火墙: 在扫描时通过使用-f参数以及使用--mtu 4/8/16使用分片、指定数据包的MTU,来绕过防火墙.

  1. [root@localhost ~]# nmap -f 127.0.0.1
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:12 EDT
  4. Nmap scan report for localhost (127.0.0.1)
  5. Host is up (0.000012s latency).
  6. Not shown: 998 closed ports
  7. PORT STATE SERVICE
  8. 22/tcp open ssh
  9. 25/tcp open smtp
  11. Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
复制代码

其他基本:

  1. nmap localhost #查看主机当前开放的端口
  2. nmap -p 1024-65535 localhost #查看主机端口(1024-65535)中开放的端口
  3. nmap -PS 192.168.21.163 #探测目标主机开放的端口
  4. nmap -PS22,80,3306 192.168.21.163 #探测所列出的目标主机端口
  5. nmap -O 192.168.21.163 #探测目标主机操作系统类型
  6. nmap -A 192.168.21.163 #探测目标主机操作系统类型
复制代码

Nmap 使用扫描脚本

Nmap不仅用于端口扫描,服务检测,其还具有强大的脚本功能,利用Nmap Script可以快速探测服务器,一般情况下,常用的扫描脚本会放在/usr/share/nmap/script目录下,并且脚本扩招名为*.nse后缀的,接下来将介绍最常用的扫描脚本.

扫描WEB敏感目录: 通过使用--script=http-enum.nse可以扫描网站的敏感目录.

  1. [root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
  4. Nmap scan report for localhost (127.0.0.1)
  5. Host is up (0.000010s latency).
  6. Not shown: 995 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp open ftp
  9. 22/tcp open ssh
  10. 25/tcp open smtp
  11. 80/tcp open http
  12. | http-enum:
  13. | /login.php: Possible admin folder
  14. | /robots.txt: Robots file
  15. | /config/: Potentially interesting folder w/ directory listing
  16. | /docs/: Potentially interesting folder w/ directory listing
  17. | /external/: Potentially interesting folder w/ directory listing
  18. |_ /icons/: Potentially interesting folder w/ directory listing
  19. 3306/tcp open mysql
  21. Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
复制代码

绕开鉴权: 负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令.

  1. [root@localhost ~]# nmap --script=auth www.mkdirs.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
  4. Nmap scan report for localhost (127.0.0.1)
  5. Host is up (0.0000090s latency).
  6. Not shown: 995 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp open ftp
  9. | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  10. |_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
  11. 22/tcp open ssh
  12. 25/tcp open smtp
  13. | smtp-enum-users:
  14. |_ root
  15. 80/tcp open http
  16. | http-domino-enum-passwords:
  17. |_ ERROR: No valid credentials were found
  18. 3306/tcp open mysql
  20. Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
复制代码

默认脚本扫描: 脚本扫描,主要是搜集各种应用服务的信息,收集到后可再针对具体服务进行攻击.

  1. [root@localhost ~]# nmap --script=default www.mkdirs.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
  4. Nmap scan report for localhost (127.0.0.1)
  5. Host is up (0.000010s latency).
  6. Not shown: 995 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp open ftp
  9. | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  10. |_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
  11. 22/tcp open ssh
  12. | ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
  13. |_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
  14. 3306/tcp open mysql
  15. | mysql-info: Protocol: 10
  16. | Version: 5.5.60-MariaDB
  17. | Thread ID: 10408
  18. | Status: Autocommit
  19. |_Salt: <D"y]F(2
  21. Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
复制代码

检测常见漏洞: 通过使用--script=luln,可以扫描网站的常见漏洞,以及网页的目录结构.

  1. [root@localhost ~]# nmap --script=vuln www.mkdirs.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
  4. Nmap scan report for localhost (127.0.0.1)
  5. Host is up (0.000017s latency).
  6. Not shown: 995 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp open ftp
  9. 22/tcp open ssh
  10. 25/tcp open smtp
  11. | smtp-vuln-cve2010-4344:
  12. |_ The SMTP server is not Exim: NOT VULNERABLE
  13. 80/tcp open http
  14. | http-enum:
  15. | /login.php: Possible admin folder
  16. | /robots.txt: Robots file
  17. | /config/: Potentially interesting folder w/ directory listing
  18. | /docs/: Potentially interesting folder w/ directory listing
  19. | /external/: Potentially interesting folder w/ directory listing
  20. |_ /icons/: Potentially interesting folder w/ directory listing
  21. |_http-fileupload-exploiter:
  22. |_http-frontpage-login: false
  23. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
  24. |_http-trace: TRACE is enabled
  25. 3306/tcp open mysql
  27. Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
复制代码

内网服务探测: 通过使用--script=broadcast,可以实现在局域网内探查更多服务开启状况.

  1. [root@localhost ~]# nmap -n -p445 --script=broadcast 127.0.0.1
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
  4. Pre-scan script results:
  5. | broadcast-dhcp-discover:
  6. | IP Offered: 192.168.1.14
  7. | Server Identifier: 192.168.1.1
  8. | Subnet Mask: 255.255.255.0
  9. | Router: 192.168.1.1
  10. |_ Domain Name Server: 192.168.1.1
  11. | broadcast-eigrp-discovery:
  12. |_ ERROR: Couldn't get an A.S value.
  13. | broadcast-listener:
  14. | ether
  15. | ARP Request
  16. | sender ip sender mac target ip
  17. | 192.168.1.1 43:72:23:04:56:21 192.168.1.2
  18. | 192.168.1.2 B4:8C:28:BE:4C:34 192.168.1.1
  19. | EIGRP Update
  20. ........
复制代码

进行WhoIS查询: 通过使用--script whois模块,可以查询网站的简单信息.

  1. [root@localhost ~]# nmap --script whois www.baidu.com
  3. Host script results:
  4. | whois: Record found at whois.apnic.net
  5. | inetnum: 61.135.0.0 - 61.135.255.255
  6. | netname: UNICOM-BJ
  7. | descr: China Unicom Beijing province network
  8. | country: CN
  9. | person: ChinaUnicom Hostmaster
  10. |_email: hqs-ipabuse@chinaunicom.cn
  12. Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
复制代码

详细WhoIS解析: 利用第三方的数据库或资源,查询详细的WhoIS解析情况.

  1. [root@localhost ~]# nmap --script external www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
  4. Nmap scan report for www.baidu.com (61.135.169.125)
  5. Host is up (0.018s latency).
  6. |_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
  7. | ip-geolocation-geoplugin:
  8. | 61.135.169.125 (www.baidu.com)
  9. | coordinates (lat,lon): 39.9288,116.3889
  10. |_ state: Beijing, China
  11. |_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
  12. | whois: Record found at whois.apnic.net
  13. | inetnum: 61.135.0.0 - 61.135.255.255
  14. | netname: UNICOM-BJ
  15. | descr: China Unicom Beijing province network
  16. |_country: CN
  17. .....
复制代码

发现内网网关: 通过使用--script=broadcast-netbios-master-browser可以发现内网网关的地址.

  1. [root@localhost ~]# nmap --script=broadcast-netbios-master-browser 192.168.1.1
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
  4. Pre-scan script results:
  5. | broadcast-netbios-master-browser:
  6. | ip server domain
  7. |_192.168.1.2 Web-Server WORKGROUP
  8. Nmap scan report for 192.168.1.1
  9. Host is up (0.0011s latency).
  10. Not shown: 998 closed ports
  11. PORT STATE SERVICE
  12. 80/tcp filtered http
  13. 1900/tcp open upnp
  14. MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)
复制代码

发现WEB中Robots文件: 通过使用--script=http-robots.txt.nse可以检测到robots文件内容.

  1. [root@localhost scripts]# nmap --script=http-robots.txt.nse www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
  4. Nmap scan report for www.baidu.com (61.135.169.125)
  5. Host is up (0.019s latency).
  6. Other addresses for www.baidu.com (not scanned): 61.135.169.121
  7. Not shown: 998 filtered ports
  8. PORT STATE SERVICE
  9. 80/tcp open http
  10. | http-robots.txt: 9 disallowed entries
  11. | /baidu /s? /ulink? /link? /home/news/data/ /shifen/
  12. |_/homepage/ /cpro /
  13. 443/tcp open https
  14. | http-robots.txt: 9 disallowed entries
  15. | /baidu /s? /ulink? /link? /home/news/data/ /shifen/
  16. |_/homepage/ /cpro /
  18. Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
复制代码

检查WEB服务器时间: 检查web服务器的当前时间.

  1. [root@localhost scripts]# nmap -p 443 --script http-date.nse www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
  4. Nmap scan report for www.baidu.com (61.135.169.121)
  5. Host is up (0.017s latency).
  6. Other addresses for www.baidu.com (not scanned): 61.135.169.125
  7. PORT STATE SERVICE
  8. 443/tcp open https
  9. |_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.
  11. Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
复制代码

执行DOS攻击: dos攻击,对于处理能力较小的站点还挺好用的.

  1. [root@localhost ~]# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
  2. Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability
  4. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT
复制代码

检查DNS子域: 检查目标ns服务器是否允许传送,如果能,直接把子域拖出来就好了.

  1. [root@localhost scripts]# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
  4. NSE: Loaded 1 scripts for scanning.
  5. NSE: Script Pre-scanning.
  6. Initiating Ping Scan at 02:28
  7. Scanning www.baidu.com (61.135.169.121) [4 ports]
  8. Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
  9. Initiating Parallel DNS resolution of 1 host. at 02:28
  10. Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
  11. Initiating SYN Stealth Scan at 02:28
  12. Scanning www.baidu.com (61.135.169.121) [1 port]
  13. Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
  14. NSE: Script scanning 61.135.169.121.
  15. Nmap scan report for www.baidu.com (61.135.169.121)
  16. Host is up (0.016s latency).
  17. Other addresses for www.baidu.com (not scanned): 61.135.169.125
  18. PORT STATE SERVICE
  19. 53/tcp filtered domain
  21. NSE: Script Post-scanning.
  22. Read data files from: /usr/bin/../share/nmap
  23. Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
  24. Raw packets sent: 6 (240B) | Rcvd: 1 (28B)
复制代码

查询WEB旁站: 旁站查询,ip2hosts接口该接口似乎早已停用,如果想继续用,可自行到脚本里把接口部分的代码改掉.

  1. [root@localhost scripts]# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
  4. Nmap scan report for www.baidu.com (61.135.169.121)
  5. Host is up (0.017s latency).
  6. Other addresses for www.baidu.com (not scanned): 61.135.169.125
  7. PORT STATE SERVICE
  8. 80/tcp open http
  10. Host script results:
  11. | hostmap-ip2hosts:
  12. |_ hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121
  14. Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds
复制代码

暴力破解DNS记录: 这里以破解百度的域名为例子,由于内容较多这里简化显示.

  1. [root@localhost scripts]# nmap --script=dns-brute.nse www.baidu.com
  3. Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
  4. Nmap scan report for www.baidu.com (61.135.169.125)
  5. Host is up (0.018s latency).
  6. Other addresses for www.baidu.com (not scanned): 61.135.169.121
  7. Not shown: 998 filtered ports
  8. PORT STATE SERVICE
  9. 80/tcp open http
  10. 443/tcp open https
  12. Host script results:
  13. | dns-brute:
  14. | DNS Brute-force hostnames
  15. | lab.baidu.com - 180.149.144.192
  16. | lab.baidu.com - 180.149.132.122
  17. | corp.baidu.com - 123.129.254.12
  18. |_ log.baidu.com - 10.26.39.14
  20. Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds
复制代码

Nmap 内网服务扫描

内网VNC扫描: 通过使用脚本,检查VNC版本等一些敏感信息.

  1. [root@localhost ~]# nmap --script=realvnc-auth-bypass 127.0.0.1 #检查VNC版本
  2. [root@localhost ~]# nmap --script=vnc-auth 127.0.0.1 #检查VNC认证方式
  3. [root@localhost ~]# nmap --script=vnc-info 127.0.0.1 #获取VNC信息
  4. [root@localhost ~]# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #暴力破解VNC密码
复制代码

内网SMB扫描: 检查局域网中的Samba服务器,以及对服务器的暴力破解.

  1. [root@localhost ~]# nmap --script=smb-brute.nse 127.0.0.1 #简单尝试破解SMB服务
  2. [root@localhost ~]# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1 #SMB已知几个严重漏
  3. [root@localhost ~]# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #通过传递字段文件,进行暴力破解
  4. [root@localhost ~]# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查询主机一些敏感信息:nmap_service
  5. [root@localhost ~]# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查看会话
  6. [root@localhost ~]# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查看系统信息
复制代码

MSSQL扫描: 检查局域网中的SQL Server服务器,以及对服务器的暴力破解.

  1. [root@localhost ~]# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #暴力破解MSSQL密码
  2. [root@localhost ~]# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1 #dumphash值
  3. [root@localhost ~]# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4 xp_cmdshell #执行命令
复制代码

MYSQL扫描: 检查局域网中的MySQL服务器,以及对服务器的暴力破解.

  1. [root@localhost ~]# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1 #扫描root空口令
  2. [root@localhost ~]# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1 #列出所有用户
  3. [root@localhost ~]# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #暴力破解MYSQL口令
复制代码

Oracle扫描: 检查局域网中的Oracle服务器,以及对服务器的暴力破解.

  1. [root@localhost ~]# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1 #oracle sid扫描
  2. [root@localhost ~]# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #oracle弱口令破解
复制代码

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

×
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Honkers

特级红客

关注
  • 3313
    主题
  • 36
    粉丝
  • 0
    关注
这家伙很懒,什么都没留下!

中国红客联盟公众号

联系站长QQ:5520533

admin@chnhonker.com
Copyright © 2001-2025 Discuz Team. Powered by Discuz! X3.5 ( 粤ICP备13060014号 )|天天打卡 本站已运行