[Security Miscellany] Thinking in reverse: getting common ports and their corresponding services from nmap

admin · 2024-03-01 22:19:49 · Comments · 11 views · 6926 characters · 23 min 5 s read

Disclaimer


This article is for technical discussion and learning only. Any direct or indirect consequences or losses arising from the use of the information it provides are the sole responsibility of the user; the author and this official account accept no liability for them.


Why common ports matter


Information gathering is an indispensable part of penetration testing, and port information is one of the most important items in it. Knowing the common port numbers, and the services that correspond to them, is very helpful for both penetration testing and defence.

However, when we search for lists of common ports, two problems usually appear:

  1. The lists cover very few ports and cannot really represent the ports that are common in real-world scenarios;

  2. The lists were compiled long ago and no longer match today's rapidly changing network environment.


nmap's common ports


As we all know, nmap has an option for scanning common ports:

nmap -F your_ip

This command scans ports listed in the nmap-services file (usually located at /usr/share/nmap/nmap-services). Opening nmap-services, you can see a series of common ports listed by service name, port number/protocol, open frequency and comment:


In nmap version 7.80 there are roughly 27416 such common-port entries, covering both TCP and UDP:


We can use this command to get the 100 highest-frequency TCP ports:

grep '/tcp' /usr/share/nmap/nmap-services | sort -r -k 3 | head -n 100

The output is:

root@hecs-231264:/usr/share/nmap# grep '/tcp' /usr/share/nmap/nmap-services | sort -r -k 3 | head -n 100
http  80/tcp  0.484143  # World Wide Web HTTP
telnet  23/tcp  0.221265
https  443/tcp  0.208669  # secure http (SSL)
ftp  21/tcp  0.197667  # File Transfer [Control]
ssh  22/tcp  0.182286  # Secure Shell Login
smtp  25/tcp  0.131314  # Simple Mail Transfer
ms-wbt-server  3389/tcp  0.083904  # Microsoft Remote Display Protocol (aka ms-term-serv, microsoft-rdp) | MS WBT Server
pop3  110/tcp  0.077142  # PostOffice V.3 | Post Office Protocol - Version 3
microsoft-ds  445/tcp  0.056944  # SMB directly over IP
netbios-ssn  139/tcp  0.050809  # NETBIOS Session Service
imap  143/tcp  0.050420  # Interim Mail Access Protocol v2 | Internet Message Access Protocol
domain  53/tcp  0.048463  # Domain Name Server
msrpc  135/tcp  0.047798  # epmap | Microsoft RPC services | DCE endpoint resolution
mysql  3306/tcp  0.045390
http-proxy  8080/tcp  0.042052  # http-alt | Common HTTP proxy/second web server port | HTTP Alternate (see port 80)
pptp  1723/tcp  0.032468  # Point-to-point tunnelling protocol
rpcbind  111/tcp  0.030034  # sunrpc | portmapper, rpcbind | SUN Remote Procedure Call
pop3s  995/tcp  0.029921  # POP3 protocol over TLS/SSL | pop3 protocol over TLS/SSL (was spop3) | POP3 over TLS protocol
imaps  993/tcp  0.027199  # imap4 protocol over TLS/SSL | IMAP over TLS protocol
vnc  5900/tcp  0.023560  # rfb | Virtual Network Computer display 0 | Remote Framebuffer
NFS-or-IIS  1025/tcp  0.022406  # blackjack | IIS, NFS, or listener RFS remote_file_sharing | network blackjack
submission  587/tcp  0.019721  # Message Submission
sun-answerbook  8888/tcp  0.016522  # ddi-udp-1 | ddi-tcp-1 | Sun Answerbook HTTP server.  Or gnump3d streaming music server | NewsEDGE server TCP (TCP 1) | NewsEDGE server UDP (UDP 1)
smux  199/tcp  0.015945  # SNMP Unix Multiplexer
h323q931  1720/tcp  0.014277  # h323hostcall | Interactive media | H.323 Call Control Signalling | H.323 Call Control
smtps  465/tcp  0.013888  # submissions | igmpv3lite | urd | smtp protocol over TLS/SSL (was ssmtp) | URL Rendesvous Directory for SSM | IGMP over UDP for SSM | URL Rendezvous Directory for SSM | Message Submission over TLS protocol
afp  548/tcp  0.012395  # afpovertcp | AFP over TCP
ident  113/tcp  0.012370  # auth | ident, tap, Authentication Service | Authentication Service
hosts2-ns  81/tcp  0.012056  # HOSTS2 Name Server
X11:1  6001/tcp  0.011730  # X Window server
snet-sensor-mgmt  10000/tcp  0.011692  # ndmp | SecureNet Pro Sensor https management server or apple airport admin | Network Data Management Protocol
shell  514/tcp  0.011078  # syslog | BSD rshd(8) | cmd like exec, but automatic authentication is performed as for login server
sip  5060/tcp  0.010613  # Session Initiation Protocol (SIP)
bgp  179/tcp  0.010538  # Border Gateway Protocol
LSA-or-nterm  1026/tcp  0.010237  # cap | nterm remote_login network_terminal | Calendar Access Protocol
cisco-sccp  2000/tcp  0.010112  # cisco SCCP (Skinny Client Control Protocol) | Cisco SCCP | Cisco SCCP
https-alt  8443/tcp  0.009986  # pcsync-https | Common alternative https port | PCsync HTTPS
http-alt  8000/tcp  0.009710  # irdmi | A common alternative http port | iRDMI
filenet-tms  32768/tcp  0.009199  # Filenet TMS
rtsp  554/tcp  0.008104  # Real Time Stream Control Protocol | Real Time Streaming Protocol (RTSP)
rsftp  26/tcp  0.007991  # RSFTP
ms-sql-s  1433/tcp  0.007929  # Microsoft-SQL-Server
unknown  49152/tcp  0.007907
dc  2001/tcp  0.007339  # wizard | or nfr20 web queries | curry
printer  515/tcp  0.007214  # spooler (lpd) | spooler
http  8008/tcp  0.006843  # http-alt | IBM HTTP server | HTTP Alternate
unknown  49154/tcp  0.006767
IIS  1027/tcp  0.006724  # 6a44 | IPv6 Behind NAT44 CPEs
nrpe  5666/tcp  0.006614  # Nagios NRPE | Nagios Remote Plugin Executor
ldp  646/tcp  0.006549  # Label Distribution
upnp  5000/tcp  0.006423  # commplex-main | Universal PnP, also Free Internet Chess Server
pcanywheredata  5631/tcp  0.006248
ipp  631/tcp  0.006160  # ipps | Internet Printing Protocol -- for one implementation see http://www.cups.org (Common UNIX Printing System) | IPP (Internet Printing Protocol) | Internet Printing Protocol over HTTPS
unknown  49153/tcp  0.006158
blackice-icecap  8081/tcp  0.006147  # sunproxyadmin | ICECap user console | Sun Proxy Admin Service
nfs  2049/tcp  0.006110  # networked file system
kerberos-sec  88/tcp  0.006072  # kerberos | Kerberos (v5) | Kerberos
finger  79/tcp  0.006022
vnc-http  5800/tcp  0.005947  # Virtual Network Computer HTTP Access, display 0
pop3pw  106/tcp  0.005934  # 3com-tsmux | Eudora compatible PW changer | 3COM-TSMUX
ccproxy-ftp  2121/tcp  0.005834  # scientia-ssdb | CCProxy FTP Proxy | SCIENTIA-SSDB
nfsd-status  1110/tcp  0.005809  # nfsd-keepalive | webadmstart | Cluster status info | Start web admin server | Client status info
unknown  49155/tcp  0.005702
X11  6000/tcp  0.005683  # X Window server
login  513/tcp  0.005595  # who | BSD rlogind(8) | remote login a la telnet; automatic authentication performed based on priviledged port numbers and distributed data bases which identify "authentication domains" | maintains data bases showing who's logged in to machines on a local net and the load average of the machine
ftps  990/tcp  0.005570  # ftp protocol, control, over TLS/SSL
wsdapi  5357/tcp  0.005474  # Web Services for Devices
svrloc  427/tcp  0.005382  # Server Location
unknown  49156/tcp  0.005322
klogin  543/tcp  0.005282  # Kerberos (v4/v5)
kshell  544/tcp  0.005269  # krcmd Kerberos (v4/v5) | krcmd
admdog  5101/tcp  0.005156  # talarian-udp | talarian-tcp | (chili!soft asp) | Talarian_TCP | Talarian_UDP
news  144/tcp  0.004981  # uma | NewS window system | Universal Management Architecture
echo  7/tcp  0.004855
ldap  389/tcp  0.004717  # Lightweight Directory Access Protocol
ajp13  8009/tcp  0.004642  # nvme-disc | Apache JServ Protocol 1.3 | NVMe over Fabrics Discovery Service
squid-http  3128/tcp  0.004516  # ndl-aas | Active API Server Port
snpp  444/tcp  0.004466  # Simple Network Paging Protocol
abyss  9999/tcp  0.004441  # Abyss web server remote web management interface | distinct
airport-admin  5009/tcp  0.004416  # winfs | Apple AirPort WAP Administration | Microsoft Windows Filesystem
realserver  7070/tcp  0.004328  # arcp | ARCP
aol  5190/tcp  0.004190  # America-Online.  Also can be used by ICQ | America-Online
ppp  3000/tcp  0.004115  # remoteware-cl | hbci | User-level ppp daemon, or chili!soft asp | HBCI | RemoteWare Client
postgresql  5432/tcp  0.004090  # PostgreSQL database server | PostgreSQL Database
upnp  1900/tcp  0.003977  # ssdp | Universal PnP | SSDP
mapper-ws_ethd  3986/tcp  0.003977  # mapper-ws-ethd | MAPPER workstation server
daytime  13/tcp  0.003927
ms-lsa  1029/tcp  0.003801  # solid-mux | Solid Mux Server
discard  9/tcp  0.003764  # sink null
ida-agent  5051/tcp  0.003649  # ita-agent | Symantec Intruder Alert | ITA Agent
unknown  6646/tcp  0.003649
unknown  49157/tcp  0.003573
unknown  1028/tcp  0.003421
rsync  873/tcp  0.003400  # Rsync server ( http://rsync.samba.org )
wms  1755/tcp  0.003350  # Windows media service | ms-streaming
pn-requester  2717/tcp  0.003345  # PN REQUESTER
radmin  4899/tcp  0.003337  # radmin-port | Radmin (www.radmin.com) remote PC control software | RAdmin Port
jetdirect  9100/tcp  0.003287  # pdl-datastream | hp-pdl-datastr | HP JetDirect card | PDL Data Streaming Port | Printer PDL Data Stream
nntp  119/tcp  0.003262  # Network News Transfer Protocol
time  37/tcp  0.003161  # timserver

It includes ports such as 80, 443, 23 and 3306, so the list matches our intuition fairly well.

Of course, we can also edit this file ourselves to decide which common ports nmap scans, but that is a topic for another time.
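Two details of the one-liner above are worth knowing before relying on it. `grep '/tcp'` matches anywhere on the line rather than only in the port/protocol column, and `sort -r -k 3` orders the frequency column as text, which gives the right ranking only because nmap writes every frequency with six decimal places. nmap also exposes this ranking directly: `-F` scans the 100 highest-frequency ports from this file and `--top-ports N` lets you pick N yourself. The script below is an added example written for this page, not code from the original post. It reads a constructed excerpt in nmap-services format (the TCP frequencies are copied from the output above; the UDP frequencies are made-up placeholders), selects one protocol, sorts the frequency column numerically, emits a comma-separated list that can be pasted after `nmap -p`, and adds the reverse direction, port/protocol to service name, which is what a defender wants when labelling the listening ports of a host inventory. Leave out the file argument to run the same functions against the real /usr/share/nmap/nmap-services.

```shell
#!/bin/sh
# Added example, not code from the original post: a more robust variant of the
# grep | sort | head pipeline, plus a reverse lookup (port/proto -> service name).
# nmap-services line format: <service> <port>/<proto> <frequency> [# comment]
# awk splits fields on any run of spaces or tabs, so the real (tab-separated)
# file and the space-separated sample below are parsed the same way.

# Constructed excerpt in nmap-services format. TCP frequencies are the values
# shown in the post's output; the UDP frequencies are made-up placeholders.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample header comment (real file starts with comment lines too)
http  80/tcp  0.484143  # World Wide Web HTTP
telnet  23/tcp  0.221265
https  443/tcp  0.208669  # secure http (SSL)
ssh  22/tcp  0.182286  # Secure Shell Login
ms-wbt-server  3389/tcp  0.083904  # Microsoft Remote Display Protocol
mysql  3306/tcp  0.045390
snmp  161/udp  0.300000  # constructed frequency, not the real value
domain  53/udp  0.250000  # constructed frequency, not the real value
EOF

# top_ports <tcp|udp> <N> [file]
# Print the N ports with the highest open-frequency for one protocol, one per line.
# Differences from the one-liner in the post:
#   - the protocol is matched on the port/proto column only, never on comment text;
#   - comment lines and malformed lines are skipped;
#   - the frequency column is compared numerically (LC_ALL=C keeps "." as the
#     decimal point), so the order no longer depends on every frequency having
#     the same number of digits, which matters once you hand-edit the file.
top_ports() {
    proto=$1; n=$2; file=${3:-/usr/share/nmap/nmap-services}
    awk -v p="$proto" '
        /^#/ || NF < 3 { next }
        { split($2, pp, "/"); if (pp[2] == p) print $3, pp[1] }
    ' "$file" | LC_ALL=C sort -k1,1nr | head -n "$n" | awk '{ print $2 }'
}

# port_spec <tcp|udp> <N> [file]
# The same ports joined with commas, ready to paste after "nmap -p".
port_spec() {
    top_ports "$@" | paste -sd, -
}

# lookup_service <port> <tcp|udp> [file]
# Reverse lookup: the service name nmap-services records for a port/protocol pair,
# or "unknown" when there is no entry (the same word the file itself uses).
lookup_service() {
    want="$1/$2"; file=${3:-/usr/share/nmap/nmap-services}
    name=$(awk -v w="$want" '!/^#/ && $2 == w { print $1; exit }' "$file")
    printf '%s\n' "${name:-unknown}"
}

# Demonstration on the constructed sample.
echo "top 3 TCP ports: $(port_spec tcp 3 "$SAMPLE_FILE")"           # 80,23,443
echo "top 1 UDP port:  $(port_spec udp 1 "$SAMPLE_FILE")"           # 161
echo "3306/tcp is:     $(lookup_service 3306 tcp "$SAMPLE_FILE")"   # mysql
echo "9/tcp is:        $(lookup_service 9 tcp "$SAMPLE_FILE")"      # unknown
```

On a host with nmap installed, `port_spec tcp 100` reproduces the post's list as a single `-p` argument, and `lookup_service` can be run over the ports reported by `ss -lntu` to turn an inventory of listening sockets into service names before deciding which of them should be exposed at all.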

Summary


This article explained why knowing the common ports matters for penetration testing and intrusion detection, and pointed out the shortcomings of the traditional way of collecting them. By thinking in reverse and taking the common ports from the port scanner nmap itself, we get a list that is both comprehensive and kept up to date.

Originally published on the WeChat official account 赛博安全狗: [Security Miscellany] Thinking in reverse: getting common ports and their corresponding services from nmap

Posted by admin on 2024-03-01 22:19:49. When reprinting, please keep this link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2538977.html