前言:
后天要参加人生第一次awd线下攻防了,今天赶紧突击一下,先学习一下nmap的一些常规操作
引入:
1) 获取远程主机的系统类型及开放端口
1
|
nmap -sS -P0 -sV -O <target>
|
这里的 < target > 可以是单一 IP, 或主机名,或域名,或子网
-sS TCP SYN 扫描 (又称半开放,或隐身扫描)-P0 允许你关闭 ICMP pings.-sV 打开系统版本检测-O 尝试识别远程操作系统
其它选项:
-A 同时打开操作系统指纹和版本检测-v 详细输出扫描情况.
2) 列出开放了指定端口的主机列表
1
|
nmap -sT -p 80 -oG – 192.168.1.* | grep open
|
3) 在网络寻找所有在线主机
1
|
nmap -sP 192.168.0.*
|
或者也可用以下命令:
1
|
nmap -sP 192.168.0.0/24
|
指定 subnet
4) Ping 指定范围内的 IP 地址
1
|
nmap -sP 192.168.1.100-254
|
5) 在某段子网上查找未占用的 IP
1
|
nmap -T4 -sP 192.168.2.0/24 && egrep “00:00:00:00:00:00″ /proc/net/arp
|
6) 在局域网上扫找 Conficker 蠕虫病毒
1
|
nmap -PN -T4 -p139,445 -n -v –script=smb-check-vulns –script-args safe=1 192.168.0.1-254
|
7) 扫描网络上的恶意接入点 (rogue APs).
123 |
nmap -A -p1-85,113,443,8080-8100 -T4 –min-hostgroup 50 –max-rtt-timeout2000 –initial-rtt-timeout 300 –max-retries 3 –host-timeout 20m–max-scan-delay 1000 -oA wapscan 10.0.0.0/8 |
8 ) 使用诱饵扫描方法来扫描主机端口
1
|
sudo nmap -sS 192.168.0.10 -D 192.168.0.2
|
9) 为一个子网列出反向DNS记录
1
|
nmap -R -sL 209.85.229.99/27 | awk ‘{if($3==”not”)print”(“$2″) no PTR”;else print$3″ is “$2}’ | grep ‘(‘
|
10) 显示网络上共有多少台 Linux 及 Win 设备?
12 |
sudo nmap -F -O 192.168.0.1-255 | grep “Running: ” > /tmp/os; echo “$(cat /tmp/os | grep Linux \| wc -l) Linux device(s)”; echo “$(cat /tmp/os | grep Windows | wc -l) Window(s) device” |
###
1. 用主机名和IP地址扫描系统
12345678910111213141516 |
[root@server1 ~]# nmap server2.tecmint.com(192.168.0.101)Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:42 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.415 secondsYou have new mail in /var/spool/mail/root |
2.扫描使用“-v”选项
你可以看到下面的命令使用“ -v “选项后给出了远程机器更详细的信息。
123456789101112131415161718192021222324252627 |
[root@server1 ~]# nmap -v server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 ESTInitiating ARP Ping Scan against 192.168.0.101 [1 port] at 15:43The ARP Ping Scan took 0.01s to scan 1 total hosts.Initiating SYN Stealth Scan against server2.tecmint.com (192.168.0.101) [1680 ports] at 15:43Discovered open port 22/tcp on 192.168.0.101Discovered open port 80/tcp on 192.168.0.101Discovered open port 8888/tcp on 192.168.0.101Discovered open port 111/tcp on 192.168.0.101Discovered open port 3306/tcp on 192.168.0.101Discovered open port 957/tcp on 192.168.0.101The SYN Stealth Scan took 0.30s to scan 1680 total ports.Host server2.tecmint.com (192.168.0.101) appears to be up ... good.Interesting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB) |
3.扫描多台主机
你可以简单的在Nmap命令后加上多个IP地址或主机名来扫描多台主机。
12345678910111213 |
[root@server1 ~]# nmap 192.168.0.101 192.168.0.102 192.168.0.103 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:06 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 3 IP addresses (1 host up) scanned in 0.580 seconds |
4.扫描整个子网 *
你可以使用*通配符来扫描整个子网或某个范围的IP地址。
1234567891011121314151617181920212223 |
[root@server1 ~]# nmap 192.168.0.*Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:11 ESTInteresting ports on server1.tecmint.com (192.168.0.100):Not shown: 1677 closed portsPORT STATE SERVICE22/tcp open ssh111/tcp open rpcbind851/tcp open unknownInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.550 secondsYou have new mail in /var/spool/mail/root |
5.使用IP地址的最后一个字节扫描多台服务器 ,
你可以简单的指定IP地址的最后一个字节来对多个IP地址进行扫描。例如,我在下面执行中扫描了IP地址192.168.0.101,192.168.0.102和192.168.0.103。
123456789101112131415 |
[root@server1 ~]# nmap 192.168.0.101,102,103 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 3 IP addresses (1 host up) scanned in 0.552 secondsYou have new mail in /var/spool/mail/root |
6. 从一个文件中扫描主机列表 -iL
如果你有多台主机需要扫描且所有主机信息都写在一个文件中,那么你可以直接让nmap读取该文件来执行扫描,让我们来看看如何做到这一点。
创建一个名为“nmaptest.txt ”的文本文件,并定义所有你想要扫描的服务器IP地址或主机名。
1234 |
[root@server1 ~]# cat nmaptest.txt localhostserver2.tecmint.com192.168.0.101 |
接下来运行带“iL”选项的nmap命令来扫描文件中列出的所有IP地址
1234567891011121314151617181920212223242526272829303132 |
[root@server1 ~]# nmap -iL nmaptest.txt Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 10:58 ESTInteresting ports on localhost.localdomain (127.0.0.1):Not shown: 1675 closed portsPORT STATE SERVICE22/tcp open ssh25/tcp open smtp111/tcp open rpcbind631/tcp open ipp857/tcp open unknownInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind958/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Interesting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind958/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 3 IP addresses (3 hosts up) scanned in 2.047 seconds |
7.扫描一个IP地址范围 -
你可以在nmap执行扫描时指定IP范围。
12345678910111213 |
[root@server1 ~]# nmap 192.168.0.101-110 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:09 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems) Nmap finished: 10 IP addresses (1 host up) scanned in 0.542 seconds |
8.排除一些远程主机后再扫描–exclude
在执行全网扫描或用通配符扫描时你可以使用“–exclude”选项来排除某些你不想要扫描的主机。
12345678910111213141516 |
[root@server1 ~]# nmap 192.168.0.* --exclude 192.168.0.100Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:16 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 255 IP addresses (1 host up) scanned in 5.313 secondsYou have new mail in /var/spool/mail/root |
9.扫描操作系统信息和路由跟踪-A
使用Nmap,你可以检测远程主机上运行的操作系统和版本。为了启用操作系统和版本检测,脚本扫描和路由跟踪功能,我们可以使用NMAP的“-A“选项。
1234567891011121314151617181920212223242526272829 |
[root@server1 ~]# nmap -A 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:25 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)80/tcp open http Apache httpd 2.2.3 ((CentOS))111/tcp open rpcbind 2 (rpc #100000)957/tcp open status 1 (rpc #100024)3306/tcp open mysql MySQL (unauthorized)8888/tcp open http lighttpd 1.4.32MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).TCP/IP fingerprint:SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52814B66%O=22%C=1%M=080027)TSeq(Class=TR%IPID=Z%TS=1000HZ)T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)T2(Resp=N)T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime 0.169 days (since Mon Nov 11 12:22:15 2013)Nmap finished: 1 IP address (1 host up) scanned in 22.271 seconds |
从上面的输出你可以看到,Nmap显示出了远程主机操作系统的TCP / IP协议指纹,并且更加具体的显示出远程主机上的端口和服务。
10.启用Nmap的操作系统探测功能-O
使用选项“-O”和“-osscan-guess”也帮助探测操作系统信息。
12345678910111213141516171819202122232425262728293031 |
[root@server1 ~]# nmap -O server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:40 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).TCP/IP fingerprint:SInfo(V=4.11%P=i686-redhat-linux-gnu%D=11/11%Tm=52815CF4%O=22%C=1%M=080027)TSeq(Class=TR%IPID=Z%TS=1000HZ)T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)T2(Resp=N)T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=Option -O and -osscan-guess also helps to discover OSR%Ops=)T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)Uptime 0.221 days (since Mon Nov 11 12:22:16 2013)Nmap finished: 1 IP address (1 host up) scanned in 11.064 secondsYou have new mail in /var/spool/mail/root |
11.扫描主机侦测防火墙-sA
下面的命令将扫描远程主机以探测该主机是否使用了包过滤器或防火墙。
12345678 |
[root@server1 ~]# nmap -sA 192.168Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) 2013-11-11 16:27 ESTAll 1680 scanned ports on server2.tecmint.com (192.168 ) are UNfilteredMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host ) scanned in 0.382 secondsYou have new mail in /var/spool/mail/root |
12.扫描主机检测是否有防火墙保护-PN
扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
123456789101112131415 |
[root@server1 ~]# nmap -PN 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:30 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.399 seconds |
13.找出网络中的在线主机-sP
使用“-sP”选项,我们可以简单的检测网络中有哪些在线主机,该选项会跳过端口扫描和其他一些检测。
1234567 |
[root@server1 ~]# nmap -sP 192.168.0.*Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-18 11:01 ESTHost server1.tecmint.com (192.168.0.100) appears to be up.Host server2.tecmint.com (192.168.0.101) appears to be up.MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 256 IP addresses (2 hosts up) scanned in 5.109 seconds |
14.执行快速扫描-F
你可以使用“-F”选项执行一次快速扫描,仅扫描列在nmap-services文件中的端口而避开所有其它的端口。
1234567891011121314 |
[root@server1 ~]# nmap -F 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:47 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1234 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.322 seconds |
15.查看Nmap的版本
你可以使用“-V”选项来检测你机子上Nmap的版本。
1234 |
[root@server1 ~]# nmap -VNmap version 4.11 ( http://www.insecure.org/nmap/ )You have new mail in /var/spool/mail/root |
16.顺序扫描端口-r
使用“-r”选项表示不会随机的选择端口扫描。
123456789101112131415 |
[root@server1 ~]# nmap -r 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 16:52 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.363 seconds |
17.打印主机接口和路由-iflist
你可以使用nmap的“–iflist”选项检测主机接口和路由信息。
123456789101112 |
[root@server1 ~]# nmap --iflistStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:07 EST************************INTERFACES************************DEV (SHORT) IP/MASK TYPE UP MAClo (lo) 127.0.0.1/8 loopback upeth0 (eth0) 192.168.0.100/24 ethernet up 08:00:27:11:C7:89**************************ROUTES**************************DST/MASK DEV GATEWAY192.168.0.0/0 eth0169.254.0.0/0 eth0 |
从上面的输出你可以看到,nmap列举出了你系统上的接口以及它们各自的路由信息。
18.扫描特定的端口-p
使用Nmap扫描远程机器的端口有各种选项,你可以使用“-p”选项指定你想要扫描的端口,默认情况下nmap只扫描TCP端口。
123456789 |
[root@server1 ~]# nmap -p 80 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:12 ESTInteresting ports on server2.tecmint.com (192.168.0.101):PORT STATE SERVICE80/tcp open httpMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) sca |
19.扫描TCP端口-p T:
12345678910 |
[root@server1 ~]# nmap -p T:8888,80 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 ESTInteresting ports on server2.tecmint.com (192.168.0.101):PORT STATE SERVICE80/tcp open http8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds |
20.扫描UDP端口-sU
12345678910 |
[root@server1 ~]# nmap -sU 53 server2.tecmint.comStarting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:15 ESTInteresting ports on server2.tecmint.com (192.168.0.101):PORT STATE SERVICE53/udp open http8888/udp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.157 seconds |
21.扫描多个端口
你还可以使用选项“-P”来扫描多个端口。
12345678910 |
[root@server1 ~]# nmap -p 80,443 192.168Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) 2013-11-18 10:56 ESTInteresting ports on server2.tecmint.com (192.168 ):PORT STATE SERVICE80/tcp open http443/tcp closed httpsMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host ) scanned in 0.190 seconds |
22.扫描指定范围内的端口
您可以使用表达式来扫描某个范围内的端口。
1
|
[root@server1 ~]# nmap -p 80-160 192.168.0.101
|
23.查找主机服务版本号-sV
123456789101112131415 |
[root@server1 ~]# nmap -sV 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:48 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)80/tcp open http Apache httpd 2.2.3 ((CentOS))111/tcp open rpcbind 2 (rpc #100000)957/tcp open status 1 (rpc #100024)3306/tcp open mysql MySQL (unauthorized)8888/tcp open http lighttpd 1.4.32MAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 12.624 seconds |
24.使用TCP ACK (-PA)和TCP Syn (-PS)扫描远程主机
有时候包过滤防火墙会阻断标准的ICMP ping请求,在这种情况下,我们可以使用TCP ACK和TCP Syn(tcp探测扫描)方法来扫描远程主机。
12345678910111213141516 |
[root@server1 ~]# nmap -PS 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 17:51 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.360 secondsYou have new mail in /var/spool/mail/root |
25.使用TCP ACK扫描远程主机上特定的端口-PA -p
1234567891011 |
[root@server1 ~]# nmap -PA -p 22,80 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:02 ESTInteresting ports on server2.tecmint.com (192.168.0.101):PORT STATE SERVICE22/tcp open ssh80/tcp open httpMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.166 secondsYou have new mail in /var/spool/mail/root |
26. 使用TCP Syn扫描远程主机上特定的端口
1234567891011 |
[root@server1 ~]# nmap -PS -p 22,80 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:08 ESTInteresting ports on server2.tecmint.com (192.168.0.101):PORT STATE SERVICE22/tcp open ssh80/tcp open httpMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.165 secondsYou have new mail in /var/spool/mail/root |
27.执行一次隐蔽的扫描-sS
12345678910111213141516 |
[root@server1 ~]# nmap -sS 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:10 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.383 secondsYou have new mail in /var/spool/mail/root |
28.使用TCP Syn扫描最常用的端口-sT
12345678910111213141516 |
[root@server1 ~]# nmap -sT 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 18:12 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http111/tcp open rpcbind957/tcp open unknown3306/tcp open mysql8888/tcp open sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 0.406 secondsYou have new mail in /var/spool/mail/root |
29.执行TCP空扫描以骗过防火墙-sN
12345678910111213141516 |
[root@server1 ~]# nmap -sN 192.168.0.101Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 19:01 ESTInteresting ports on server2.tecmint.com (192.168.0.101):Not shown: 1674 closed portsPORT STATE SERVICE22/tcp open|filtered ssh80/tcp open|filtered http111/tcp open|filtered rpcbind957/tcp open|filtered unknown3306/tcp open|filtered mysql8888/tcp open|filtered sun-answerbookMAC Address: 08:00:27:D9:8E:D7 (Cadmus Computer Systems)Nmap finished: 1 IP address (1 host up) scanned in 1.584 secondsYou have new mail in /var/spool/mail/root |
指令分类
初级使用
nmap -v scanme.nmap.org
这个选项扫描主机scanme.nmap.org中所有的保留TCP端口。选项-v启用细节模式。
nmap -A -T4 scanme.nmap.org
-A用来进行操作系统及其版本的探测,-T4 可以加快执行速度
nmap -sS -O scanme.nmap.org/24
进行秘密SYN扫描,对象为主机Saznme所在的“C类”网段的255台主机。同时尝试确定每台工作主机的操作系统类型。因为进行SYN扫描 和操作系统检测,这个扫描需要有根权限。
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
进行主机列举和TCP扫描,对象为B类198.116网段中255个8位子网。这 个测试用于确定系统是否运行了sshd、DNS、imapd或4564端口。如果这些端口 打开,将使用版本检测来确定哪种应用在运行。(-sV)
nmap -v -iR 100000 -P0 -p 80
随机选择100000台主机扫描是否运行Web服务器(80端口)。由起始阶段发送探测报文来确定主机是否工作非常浪费时间,而且只需探测主机的一个端口,因此使用-P0禁止对主机列表。
nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
扫描4096个IP地址,查找Web服务器(不ping),将结果以Grep和XML格式保存。
host -l company.com | cut -d -f 4 | nmap -v -iL -
进行DNS区域传输,以发现company.com中的主机,然后将IP地址提供给 Nmap。上述命令用于GNU/Linux – 其它系统进行区域传输时有不同的命令。
深入扫描命令
-Pn 不探测扫描(假定所有主机都存活)
-PB 默认探测扫描(探测端口:TCP 80,445&ICMP)
-PS <portlist> tcp探测扫描
-PE ICMP Echo Request
-PP ICMP Timestamp Request
-PM ICMP Netmask Request
扫描类型
-sP 只探测主机在线情况
-sS SYN扫描(隐身扫描)
-ST TCP扫描
-sU UDP扫描
-sV 系统版本检测
-O 操作系统识别
–scanflags 指定TCP标识位(设置URG, ACK, PSH,RST,SYN,FIN位)
细粒度的时间选项
–min-hostgroup/max-hostgroup 平行的主机扫描组的大小
–min-parallelism/max-parallelism 并行探测
–min-rtt-timeout/max-rtttimeout/initial-rtt-timeout 指定每轮探测的时间
–max-retries 扫描探测的上限次数设定
–host-timeout 设置timeout时间
–scan-delay/–max-scan-delay 调整两次探测之间的延迟
–min-rate 每秒发送数据包不少于次
时序选项
-T0 偏执的:非常非常慢,用于IDS逃逸
-T1 猥琐的:相当慢,用于IDS逃逸
-T2 有礼貌的:降低速度以消耗更小的带宽,比默认慢十倍
-T3 普通的:默认,根据目标的反应自动调整时间模式
-T4 野蛮的:假定处在一个很好的网络环境,请求可能会淹没目标
-T5 疯狂的:非常野蛮,很可能会淹没目标端口或是漏掉一些开放端口
misc选项
-n 禁止反向IP地址查找
-6 只是用 IPv6
-A 是用几个命令:OS 探测,版本探测,脚本扫描,traceroute
–reason 列出nmap的判断:端口开放,关闭,被过滤。
输出格式
-oN 标准输出
-oG 好理解的格式
-ox xml格式
-oA<basename> 用<basename>生成以上格式的文件
线下AWD必须用好的nmap指令
1234567891011121314151617181920212223242526272829 |
1.9 使用nmap扫描主机// http://nmap.org/book/#nmap --version // -V -h#man nmap#nmap -vv -vv参数设置对结果的详细输出#nmap -sS -Pn -A host隐身、操作系统信息和路由跟踪、-P0和-Pn两个选项的效果是一样的,就是不进行主机发现,而直接进行更深层次的扫描,如服务版本扫描或系统类型扫描。-Pn 不探测扫描(假定所有主机都存活)#nmap -A -T4 scanme.nmap.org// -A:to enable OS and version detection, script scanning,and traceroute;// -T4:faster execution加快执行速度#nmap localhost// #netstat -apn | grep 8080 ===> port 8080 process*多机快速扫描#nmap -vv -sP 192.168.102.1-254-sP是使用ICMP协议发送echo请求数据包,但是很容易被防火墙过滤掉。// ==>在线主机#nmap -vv -sP 192.168.102.1-254 | grep 'report for.*[0-9]$'#nmap -v -n -sP --max-rtt-timeout 500ms 192.168.102.1-254// ==>在线主机:端口开放 -n 禁止反向IP地址查找#nmap -v -n -sS -Pn -p22 --max-rtt-timeout 500ms 192.168.102.1-254 | grep 'open'#nmap -v -n -sS -Pn -p21,22,80,8080,3306 --max-rtt-timeout 500ms 192.168.102.1-254 | grep 'open'#nmap -v -n -sS -Pn -p1-1024 --max-rtt-timeout 500ms 192.168.102.1-254 | grep 'open'--max-rtt-timeout调整探测报文超时> results.txt重定向发送到文件 |
番外AWD
附上AWD基操
1、确定环境是密码登录还是密钥登录
密钥登录:(比赛方会提供如下三个文件)
id_rsa
id_rsa.pub
token.txt
文件导入即可
若为密码登录,则看密码是否为随机的哈希值,并推测全场密码是否一样,若一样则首先需要修改密码,避免对方写批量遍历脚本,遍历所有服务器,当可以登录时,就瞬间修改你的机子,然后你就什么都做不了,服务器都落到对方手中,除非重置机子。
修改密码:passwd 用户名 //linux命令
passwd ubuntu sudo passwd root //ubuntu命令:
w //查看当前登录的用户
kill -kill -t 用户的tty //踢掉当前登录的用户
2、迅速备份源码和数据库到本机
1234 |
//这里假定web目录为/var/www/htmlmkdir -p ~/beifencp -ra /var/www/html/. ~/beifen其中~代表用户的家目录,-r是递归,-a是保留原来文件属性, .是代表所有文件(不用*,因为*无法表示所有文件) |
定时备份源码:
123456789 |
while [ 1 ]dotime=`/bin/date +%H-%M-%S`bak_file="/var/www/$time.tar.gz"webdir="/var/www/html"tar zcvf $bak_file $webdir >/dev/null 2>&1 &sleep 60 //一分钟备份一次done |
3、找配置文件&mysql一些操作
找配置文件,找文件名有con、config、db字样的。在刚才备份的文件那里可以使用linux命令
1
|
find . -name '*name*'
|
找到这些文件后,最主要找一些账号密码,例如mysql账号密码,如果找到了,自己可以修改自己服务器上的mysql密码,命令如下:(先自己登陆进去)
1234 |
mysql> use mysql;mysql> update user set password=PASSWORD("新的密码") where user='root'; mysql> flush privileges; (刷新)mysql> exit |
记得修改了mysql密码后,还要把刚才找到的配置文件的密码给修改了,不然你的web服务就会不正常。
得到mysql密码,一般来说你就可以看看你自己mysql数据库里的数据,一般来说别人的数据库记录也是如此,所以别人一些后台账号密码,你都可以找到的(如果里面入库是不经过哈希处理的)
另外,也多注意有什么别的配置文件。
备份数据库
123456 |
//mysql备份指定数据库 mysqldump -u 用户名 -p 密码 数据库名 > back.sql //mysql备份所有数据库 mysqldump --all-databases > bak.sql //还原mysql数据库 mysql -u 用户名 -p 密码 数据库名 < bak.sql |
4、嗅探主机(nmap)
12345 |
ICMP扫描: nmap -sP 192.168.150.0/24检测目标操作系统: -OSYN扫描 : -sS操作系统版本检测: -sVnmap -sS -p 1337 192.168.150.0/24 |
5、嗅探主机(MASSCAN)
安装
1234 |
sudo apt-get install clang git gcc make libpcap-dev git clone https://github.com/robertdavidgraham/masscan cd masscan make |
单端口扫描
扫描443端口的B类子网
1
|
$ Masscan 10.11.0.0/16 -p443
|
多端口扫描
扫描80或443端口的B类子网
1
|
$ Masscan 10.11.0.0/16 -p80,443
|
扫描一系列端口
扫描22到25端口的B类子网
1
|
$ Masscan 10.11.0.0/16 -p22-25
|
快速扫描
使用如上的的设置可以得到结果,但速度将是比较慢。正如已经讨论的那样,整体上masscan要快一点,所以让我们加快速度。
默认情况下,Masscan扫描速度为每秒100个数据包,这是相当慢的。为了增加这一点,只需提供该-rate选项并指定一个值。
扫描100个常见端口的B类子网,每秒100,000个数据包
1
|
$ Masscan 10.11.0.0/16 --top-ports 100 -rate 100000
|
你可以扫描的速度取决于很多因素,包括您的操作系统(Linux扫描扫描远远快于Windows),系统的资源,最重要的是您的带宽。为了以高速扫描非常大的网络,您需要使用百万以上的速率(-rate 1000000)。
排除目标
因为大部分的互联网可以很好地进行扫描,也可能只是出于纯粹的礼貌 – 你可能想要或需要从扫描中排除一些目标。为此,请提供–excludefile交换机以及包含要避免的范围列表的文件的名称。
扫描B类子网,但避免在exclude.txt中的
1
|
$ Masscan 10.11.0.0/16 --top-ports 100 --excludefile exclude.txt
|
结果保存
您可以使用标准的Unix重定向器将输出发送到文件:
1
|
$ Masscan 10.11.0.0/16 --top-ports 100 > results.txt
|
除此之外,您还具有以下输出选项:
123 |
-oX filename:输出到filename的XML。-oG filename:输出到filename的grepable格式。-oJ filename:输出到filename的JSON格式。 |
Nmap功能
正如最初提到的,Masscan可以像nmap许多安全人员一样工作。这里有一些其他类似nmap的选项:
通过传递–nmap开关可以看到类似nmap的功能。
12345678 |
1. -iL filename:从文件读取输入。2. ‐‐exclude host:在命令行中排除网络。3. ‐‐excludefile filename:从文件中排除网络。4. -S:欺骗源IP。5. -v interface:详细输出。6. -vv interface:非常冗长的输出。7. -e interface:使用指定的接口。8. -e interface:使用指定的接口。 |
参考
https://www.cnblogs.com/machangwei-8/p/10353004.html
https://www.cnblogs.com/zhaijiahui/p/8367327.html
https://www.cnblogs.com/xdjun/p/9562030.html
转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可联系QQ 643713081,也可以邮件至 [email protected] - source:Van1sh的小屋
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论