Key points of this chapter
This chapter introduces fingerprinting of the target's services and operating system. Identifying the target's fingerprints tells us which system and which services it runs, an indispensable part of information gathering. The fingerprinting techniques introduced here can be combined in many ways to improve the accuracy of identification.
Options covered in this chapter
Table 4.1 lists the Nmap options needed for this chapter; the author has collected them here for the reader's convenience.
Table 4.1 Options needed in this chapter

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
If you think Nmap is merely a port scanner, you are badly mistaken. Nmap is famous for port scanning, but it can also identify and probe the services and versions running on a target host. When Nmap finds an open port during a port scan, it can report the service and version that correspond to that port: for example, port 445 corresponds to the SMB service, 3306 to MySQL, and 22 to SSH. These port-to-service associations are stored in the nmap-services file, which has about 2200 entries.
Some clever administrators deliberately open such ports to confuse Nmap. Nmap can, however, detect the version of a service: if the target has an SSH port open, Nmap tells you that it is SSH and also reports OpenSSH and its version number; if the target runs an older version of a service, historical vulnerabilities may exist.
Nmap can identify services and versions thanks to its powerful nmap-service-probes database. Once Nmap has discovered a TCP or UDP port by some scan type, it looks up in nmap-service-probes which service the port corresponds to. nmap-service-probes contains probe packets for many different services; Nmap matches the responses against the corresponding expressions in the database, identifies the service protocol (http, ssh and so on) together with the application name (Apache, OpenSSH and so on), and then goes on to determine the version number, hostname, device type and operating system. For the operating system, Nmap can identify specific versions such as Windows XP, Windows 7, Windows 8 and Windows 2003. This is not always a definite identification: where Nmap cannot decide on a version, it gives a probability for each candidate so that the user can judge. Once the operating system version is known, historical vulnerabilities can be used in the penetration test.
Table 4.2 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, version detection.
Table 4.2 Options for this section

| Option | Explanation |
|---|---|
| **-sV** | **Version detection** |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The -sV option enables version detection. It does not perform a port scan of its own; instead it takes each port found open, talks to the service behind it, and identifies the version from the service's fingerprint.
root@Wing:~# nmap -sV 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 16:45 CST
Nmap scan report for 192.168.126.131
Host is up (0.00027s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.05 seconds
root@Wing:~#
From the result above we can read off the version numbers: the FTP service is vsftpd 2.3.4, and SSH is OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0). Nmap identifies such services and versions with ease. The last line shows that the operating system type is Unix, Linux.
We can also use the -A option to perform OS detection together with version detection.
root@Wing:~# nmap -sV -A 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 16:46 CST
Nmap scan report for 192.168.126.131
Host is up (0.00034s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/ stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45+00:00
|_Not valid after: 2010-04-16T14:07:45+00:00
|_ssl-date: 2014-06-10T01:31:33+00:00; -1d7h14m47s from local time.
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40529/tcp mountd
| 100005 1,2,3 43983/udp mountd
| 100021 1,3,4 41255/tcp nlockmgr
| 100021 1,3,4 55723/udp nlockmgr
| 100024 1 35526/tcp status
|_ 100024 1 50609/udp status
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
|_rmi-dumpregistry: Registry listing failed (No return data received from server)
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 40529/tcp mountd
| 100005 1,2,3 43983/udp mountd
| 100021 1,3,4 41255/tcp nlockmgr
| 100021 1,3,4 55723/udp nlockmgr
| 100024 1 35526/tcp status
|_ 100024 1 50609/udp status
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info: Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 11
| Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
| Status: Autocommit
|_Salt: $kqv|/pf2bwQmQ/4YD)>
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2014-06-09T21:31:33-04:00
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 192.168.126.131
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.85 seconds
root@Wing:~#
With the -A option we obtain more detailed information in a more readable form. In the result above we even get the specific Linux kernel version range, thanks to the power of Nmap.
When using -sV or -A, do not trust the results unconditionally: Nmap cannot always see through the disguises that some software puts up.
Table 4.3 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, version detection on all ports.
Table 4.3 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| **--allports** | **Version detection on all ports** |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The --allports option enables version detection on all ports. This does not mean that plain -sV probes every port it finds: by default Nmap skips TCP port 9100 (a printer port, since some printers print whatever is sent to them), and only with --allports is version detection applied to every open port.
root@Wing:~# nmap -sV --allports 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 17:24 CST
Nmap scan report for 192.168.126.131
Host is up (0.00026s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.39 seconds
root@Wing:~#
Table 4.4 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, setting the probing intensity.
Table 4.4 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| **--version-intensity** | **Set the probing intensity** |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
When Nmap scans, it sends a series of probe packets, and the --version-intensity option controls which of them are used: each probe is assigned a value between 1 and 9. Probes with low values are effective against a wide range of common services, while probes with high values are rarely of practical use. The intensity level determines which probes are sent: the higher the value, the more likely the service is to be identified correctly, but at the cost of considerably more time. The intensity must be between 0 and 9; the default is 7.
root@Wing:~# nmap -sV --version-intensity 1 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 17:40 CST
Nmap scan report for 192.168.126.131
Host is up (0.00028s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.41 seconds
root@Wing:~#
The option accepts values from 0 to 9: 0 is the lowest intensity level, 9 the highest, and the intensity increases through the values in between.
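The probe-selection rule just described (each probe's rarity weighed against the intensity level, with ports the probe is registered for as the exception) and the nmap-service-probes matching outlined at the start of the chapter, as an added example that is not Nmap's code: a toy engine that parses a constructed excerpt written in nmap-service-probes syntax, selects the probes to try against a port at a given intensity, and matches constructed banners modelled on the services seen in this chapter's scans. The probe rarities, the port registrations and the FAKE_TARGET replies are assumptions made for the illustration.

```python
# Toy version-detection engine modelled on the nmap-service-probes format: probe selection by
# rarity/intensity, then banner matching. Added example, not Nmap's code.
import re
from dataclasses import dataclass, field

# Constructed excerpt in nmap-service-probes syntax (NOT the real database). Rarity values and
# port registrations are assumed for the demonstration; the regexes are simplified.
PROBES_DB = r"""
Probe TCP NULL q||
ports 21,22,23,25,3306
match ftp m|^220 \(vsFTPd ([\d.]+)\)\r\n| p/vsftpd/ v/$1/
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+) Debian-([\w.]+)| p/OpenSSH/ v/$2 Debian $3/ i/protocol $1/
match mysql m|^.\0\0\0\x0a([\w.-]+)\0| p/MySQL/ v/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8180
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+) \(([^)]+)\) ([^\r\n]+)\r\n|s p/Apache httpd/ v/$1/ i/($2) $3/
Probe TCP ajp q|\x12\x34\x00\x01\x0a|
rarity 9
ports 8009
match ajp13 m|^AB\0\x01\x09| p/Apache Jserv/ i/Protocol v1.3/
"""

# Constructed replies of a target like the chapter's Metasploitable host, keyed by (port, probe).
# A port that does not answer a given probe is simply absent.
FAKE_TARGET = {
    (21, "NULL"): "220 (vsFTPd 2.3.4)\r\n",
    (22, "NULL"): "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
    (3306, "NULL"): "8\x00\x00\x00\x0a5.0.51a-3ubuntu5\x00\x0b\x00\x00\x00",
    (80, "GetRequest"): "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu) DAV/2\r\n\r\n",
    (8009, "ajp"): "AB\x00\x01\x09",  # AJP CPong: the 5-byte "AB..." reply seen in the chapter's trace
    (8010, "ajp"): "AB\x00\x01\x09",  # the same service on a port the ajp probe is not registered for
}
_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


@dataclass
class Probe:
    name: str
    proto: str
    payload: str            # kept as the file's escaped text; nothing is sent on the wire here
    rarity: int = 1         # assumption: a probe without a rarity line counts as 1
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)   # (service, compiled regex, fields) tuples


def parse_match(line: str) -> tuple:
    """match <service> m<delim>regex<delim>[flags] p/../ v/../ i/../ -> (service, regex, fields)"""
    _, service, rest = line.split(None, 2)
    delim = rest[1]                 # the file chooses a delimiter that does not occur in the regex
    end = rest.index(delim, 2)
    regex, rest = rest[2:end], rest[end + 1:]
    flags = 0
    while rest and rest[0] in _FLAGS:
        flags |= _FLAGS[rest[0]]
        rest = rest[1:]
    # Version fields: only the '/' delimiter is handled here (the real file allows others).
    fields = dict(re.findall(r"\b([pvi])/([^/]*)/", rest))
    return service, re.compile(regex, flags), fields


def parse_probes(text: str) -> list:
    probes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, q = line.split(None, 3)
            probes.append(Probe(name, proto, q[2:-1]))
        elif line.startswith("rarity "):
            probes[-1].rarity = int(line.split()[1])
        elif line.startswith("ports "):
            probes[-1].ports = {int(p) for p in line.split()[1].split(",")}
        elif line.startswith("match "):
            probes[-1].matches.append(parse_match(line))
    return probes


def selected_probes(probes: list, port: int, intensity: int) -> list:
    """Nmap's rule: a probe is tried when its rarity is within the intensity level, or when the
    port is one the probe is registered for. --version-light is 2, the default 7, --version-all 9."""
    return [p for p in probes if p.rarity <= intensity or port in p.ports]


def match_banner(probe: Probe, banner: str):
    """Return (service, 'product version (extrainfo)') for the first match line that fires."""
    for service, regex, fields in probe.matches:
        hit = regex.search(banner)
        if not hit:
            continue
        fill = lambda t: re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))) or "", t)
        product, version, info = (fill(fields.get(k, "")) for k in "pvi")
        text = " ".join(x for x in (product, version) if x)
        return service, text + (f" ({info})" if info else "")
    return None


def identify(probes: list, port: int, intensity: int, target: dict = FAKE_TARGET):
    """Try the selected probes in file order against one port; (None, None) means 'unknown'."""
    for probe in selected_probes(probes, port, intensity):
        banner = target.get((port, probe.name), "")
        hit = match_banner(probe, banner) if banner else None
        if hit:
            return hit
    return None, None
```

At intensity 2 the rarity-9 ajp probe is still sent to port 8009 because that port is registered for it, but the same service on port 8010 stays unknown until intensity 9 (--version-all).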
Table 4.5 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, the light scan.
Table 4.5 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| **--version-light** | **Light scan** |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The --version-light option performs a light scan. As explained under setting the probing intensity, --version-intensity has levels 0 to 9; --version-light is simply a shortcut for --version-intensity 2. A light scan saves a great deal of time, but also gives up some accuracy, so try this option when you want to save time without sacrificing too much accuracy.
root@Wing:~# nmap -sV --version-light 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 17:47 CST
Nmap scan report for 192.168.126.131
Host is up (0.00028s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.37 seconds
root@Wing:~#
This option stands in for --version-intensity 2; the two are equivalent.
Table 4.6 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, the heavy scan.
Table 4.6 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| **--version-all** | **Heavy scan** |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |

The --version-all option performs a heavy scan. It too derives from the 0 to 9 levels of --version-intensity: --version-all is a shortcut for --version-intensity 9. With it, every probe is tried against every port, which costs a great deal of time, but the accuracy is beyond doubt.
root@Wing:~# nmap -sV --version-all 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 17:51 CST
Nmap scan report for 192.168.126.131
Host is up (0.00028s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds
root@Wing:~#
This option stands in for --version-intensity 9; the two are equivalent.
Table 4.7 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, tracing version detection in detail.
Table 4.7 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| **--version-trace** | **Trace version detection in detail** |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The --version-trace option prints detailed trace information about version detection. It is very helpful for obtaining extra information about the target host.
root@Wing:~# nmap -sV --version-trace 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 18:01 CST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.2. # NSE information
NSE: Script Arguments seen from CLI:
NSE: Loaded 23 scripts for scanning.
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2996 and arp[22:2] = 0x752B
Overall sending rates: 399.52 packets / s, 16779.86 bytes / s. # packet send rate
mass_rdns: Using DNS server 192.168.126.2 # DNS server used for resolution
mass_rdns: 0.04s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Packet capture filter (device eth0): dst host 192.168.126.130 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.126.131)))
Overall sending rates: 17200.45 packets / s, 756819.98 bytes / s.
... omitted ...
Service scan sending probe ajp to 192.168.126.131:8009 (tcp)
NSOCK INFO [11.3290s] nsock_read(): Read request from IOD #55 [192.168.126.131:8009] (timeout: 5000ms) EID 1378
NSOCK INFO [11.3290s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 1371 [192.168.126.131:8009] # connection established to port 8009 on the target and probed
NSOCK INFO [11.3290s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 1378 [192.168.126.131:8009] (5 bytes): AB...
Service scan match (Probe ajp matched with ajp line 11783): 192.168.126.131:8009 is ajp13. Version: |Apache Jserv||Protocol v1.3|
NSOCK INFO [11.3290s] nsi_delete(): nsi_delete (IOD #55)
NSOCK INFO [11.3380s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 1330 [192.168.126.131:8180] (8838 bytes)
Service scan match (Probe GetRequest matched with GetRequest line 5566): 192.168.126.131:8180 is http. Version: |Apache Tomcat/Coyote JSP engine|1.1||
NSOCK INFO [11.3380s] nsi_delete(): nsi_delete (IOD #53)
NSE: Script scanning 192.168.126.131.
NSE: Starting runlevel 1 (of 1) scan.
NSE: Starting rpc-grind against 192.168.126.131:513.
NSE: Starting rpc-grind against 192.168.126.131:111.
NSE: Starting rpc-grind against 192.168.126.131:2049.
NSE: Starting jdwp-version against 192.168.126.131:514.
NSE: Starting rpc-grind against 192.168.126.131:111.
NSE: Starting rpc-grind against 192.168.126.131:111.
NSE: Starting rpc-grind against 192.168.126.131:111.
NSE: Starting rpc-grind against 192.168.126.131:111.
NSE: Starting rpc-grind against 192.168.126.131:2049.
NSE: Starting rpc-grind against 192.168.126.131:2049.
NSE: Starting rpc-grind against 192.168.126.131:2049.
NSE: Starting rpc-grind against 192.168.126.131:2049.
NSE: Finished jdwp-version against 192.168.126.131:514.
NSE: rpc-grind: isRPC didn't receive response.
NSE: Target port 513 is not a RPC port.
NSE: Finished rpc-grind against 192.168.126.131:513.
NSE: Finished rpc-grind against 192.168.126.131:111.
NSE: Finished rpc-grind against 192.168.126.131:111.
NSE: Finished rpc-grind against 192.168.126.131:2049.
NSE: Finished rpc-grind against 192.168.126.131:111.
NSE: Finished rpc-grind against 192.168.126.131:111.
NSE: Finished rpc-grind against 192.168.126.131:111.
NSE: Finished rpc-grind against 192.168.126.131:2049.
NSE: Finished rpc-grind against 192.168.126.131:2049.
NSE: Finished rpc-grind against 192.168.126.131:2049.
NSE: Finished rpc-grind against 192.168.126.131:2049.
Nmap scan report for 192.168.126.131
Host is up (0.00031s latency).
Scanned at 2014-06-11 18:01:09 CST for 11s
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Final times for host: srtt: 308 rttvar: 31 to: 100000
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds
root@Wing:~#
The result shows the details of the scan, which helps us better understand Nmap's scanning process and the information it gathers.
Table 4.8 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, the RPC scan.
Table 4.8 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| **-sR** | **RPC scan** |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The -sR option performs an RPC scan. It is mostly used in combination with other port-scan options. It sends a SunRPC NULL procedure call to every open TCP/UDP port that was discovered, to determine whether the port is an RPC port; if it is, the program and version number are reported. As the warning in the output below shows, in this version of Nmap -sR is an alias for -sV and also enables version detection.
root@Wing:~# nmap -sS -sR 192.168.126.131
WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 18:07 CST
Nmap scan report for 192.168.126.131
Host is up (0.00025s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.43 seconds
root@Wing:~#
In a network security scan, probing the operating system is also a very important part of the work. Among the many scanners and scanning methods, Nmap stands out: it can fingerprint the TCP/IP protocol stack, and this technique is extremely effective for operating system detection.
The operating system can be probed from several angles. The most common uses the TTL, the time-to-live of a packet, which indicates how many active hops a packet may pass through before it is discarded. Different operating systems use different default TTLs, so the TTL can be used to detect the operating system; the TTL can, however, be altered by hand, and this method is no longer used as often today. TCP response probing distinguishes operating systems by their different reactions to specific TCP packets. The ACK sequence number is another important criterion, since different operating systems handle ACK sequence numbers differently. There is also identification by ICMP response, because different operating systems respond to ICMP messages differently.
Operating system detection methods are diverse and by no means limited to those above. What they have in common is that they all analyse and identify the system from characteristic features of its responses.
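The response-feature idea in the last two paragraphs, as an added example that is not Nmap's code: a toy scorer that maps an observed TTL back to its initial value, compares the observed features against a small constructed fingerprint table written in an nmap-os-db-like notation (with '|' alternatives and hex ranges), and reports either exact matches or percentage guesses the way the "Aggressive OS guesses" line in this chapter's Windows scan does. All fingerprints, test weights and the two guess thresholds are constructed assumptions, not values from nmap-os-db.

```python
# Toy TCP/IP stack fingerprint scorer in the spirit of nmap-os-db matching. Added example, not
# Nmap's code; every fingerprint, test weight and threshold below is constructed.

# Simplified nmap-os-db-like notation: a value may list alternatives with '|' and hex ranges as
# 'LO-HI'. TTL is the guessed initial TTL in hex, WIN the TCP window, DF the don't-fragment bit,
# OPS the TCP option order, IE whether an ICMP echo was answered, T5R whether a SYN to a closed
# port drew a RST (a test that needs a closed port, which the chapter's Windows scan lacked).
OS_DB = {
    "Linux 2.6.9 - 2.6.33": {"TTL": "40", "WIN": "16A0|5B4", "DF": "Y", "OPS": "M5B4ST11NW7", "IE": "Y", "T5R": "Y"},
    "Microsoft Windows 7 Professional": {"TTL": "80", "WIN": "2000", "DF": "Y", "OPS": "M5B4NW8ST11", "IE": "N", "T5R": "Y"},
    "Microsoft Windows Vista SP0 - SP1": {"TTL": "80", "WIN": "2000|1FFF", "DF": "Y", "OPS": "M5B4NW8ST11", "IE": "N", "T5R": "Y"},
    "FreeBSD 6.X": {"TTL": "40", "WIN": "FFFF", "DF": "Y", "OPS": "M5B4NW6ST11", "IE": "Y", "T5R": "Y"},
}
# Weight of each test, analogous to the MatchPoints entry of nmap-os-db (constructed values).
POINTS = {"TTL": 25, "WIN": 15, "DF": 20, "OPS": 20, "IE": 10, "T5R": 10}
HEX = set("0123456789ABCDEF")


def guess_initial_ttl(observed_ttl: int) -> int:
    """The TTL technique from the text: stacks start at 32, 64, 128 or 255 and each router
    decrements by one, so the smallest common initial value >= the observed TTL is the guess."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL must fit in 8 bits")


def value_matches(expected: str, observed: str) -> bool:
    """Compare one test value as nmap-os-db expresses it: 'A|B' alternatives, 'LO-HI' hex ranges."""
    for alt in expected.split("|"):
        lo, dash, hi = alt.partition("-")
        if dash and lo and hi and set(lo + hi + observed) <= HEX:
            if int(lo, 16) <= int(observed, 16) <= int(hi, 16):
                return True
        elif alt == observed:
            return True
    return False


def build_observed(ip_ttl: int, win_hex: str, df: str, ops: str, ie: str, t5r=None) -> dict:
    """Assemble the observed fingerprint from probe replies; t5r=None means the test could not run
    because no closed port was available, exactly the warning the chapter's Windows scan printed."""
    obs = {"TTL": "%X" % guess_initial_ttl(ip_ttl), "WIN": win_hex, "DF": df, "OPS": ops, "IE": ie}
    if t5r is not None:
        obs["T5R"] = t5r
    return obs


def score(fp: dict, observed: dict) -> float:
    """Fraction of MatchPoints earned. A test that was not observed earns nothing, so a host that
    agrees on everything it did answer still falls short of 100% (a simplification of Nmap's rule)."""
    earned = sum(POINTS[t] for t, exp in fp.items() if t in observed and value_matches(exp, observed[t]))
    return earned / sum(POINTS[t] for t in fp)


def guess_os(observed: dict, db: dict = OS_DB, osscan_guess: bool = False) -> tuple:
    """Return (exact_matches, guesses); guesses are (name, percent) best first, like the
    'Aggressive OS guesses' line. Thresholds are constructed for illustration: by default only
    near-matches of 90% or better are offered; --osscan-guess/--fuzzy lowers the bar to 75%."""
    scored = sorted(((name, round(score(fp, observed) * 100)) for name, fp in db.items()),
                    key=lambda pair: -pair[1])
    exact = [name for name, pct in scored if pct == 100]
    if exact:
        return exact, []
    cutoff = 75 if osscan_guess else 90
    return [], [(name, pct) for name, pct in scored if pct >= cutoff]
```

A fully observed Linux host scores an exact match, while a firewalled Windows host whose closed-port test never ran tops out below 100% and is only reported as a percentage guess, which is why the chapter's Windows scan shows "JUST GUESSING" and "No exact OS matches".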
Table 4.9 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, enabling OS detection.
Table 4.9 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| **-O** | **Enable OS detection** |
| --osscan-limit | OS detection only against qualifying targets |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The -O option enables OS detection. Note that the "O" in the option is the letter O, not the digit 0. From the information obtained, a penetration tester can then look for existing vulnerabilities.
root@Wing:~# nmap -O 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 18:31 CST
Nmap scan report for 192.168.126.131
Host is up (0.00036s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Device type: general purpose # device type
Running: Linux 2.6.X # running system
OS CPE: cpe:/o:linux:linux_kernel:2.6 # OS CPE (Common Platform Enumeration) identifier
OS details: Linux 2.6.9 - 2.6.33 # operating system details
Network Distance: 1 hop # network distance
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds
root@Wing:~#
The result tells us that the target is a Linux host with kernel version Linux 2.6. Next we try scanning a Windows system.
root@Wing:~# nmap -O 192.168.126.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 18:34 CST
Nmap scan report for 192.168.126.1
Host is up (0.00059s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
1033/tcp open netinfo
MAC Address: 00:50:56:C0:00:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|Vista (97%), FreeBSD 6.X (88%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/ o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o: microsoft:windows_vista::sp1 cpe:/o:freebsd:freebsd:6.2 cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Phone 7.5 (97%), Microsoft Windows Server 2008 Beta 3 (97%), Microsoft Windows 7 Professional (97%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (97%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (97%), Microsoft Windows Server 2008 SP1 (94%), Microsoft Windows Vista SP0 - SP1 (91%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 (90%), Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows 7 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds
root@Wing:~#
In the result above, probably because the Windows host has a firewall, Nmap could not determine exactly which version of Windows is running and only gave a percentage for each possibility. The highest probability, 97%, is that the target runs Microsoft Windows Phone|2008|7|Vista. Based on Nmap's judgement we can roughly narrow the target down to these versions; in fact the target runs Windows 7 Ultimate, which shows that Nmap's recognition rate is quite high.
The -O option can be combined with -A for better results.
Table 4.10 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, OS detection only against qualifying targets.
Table 4.10 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| **--osscan-limit** | **OS detection only against qualifying targets** |
| --osscan-guess; --fuzzy | Guess the OS when no exact match is found |
The --osscan-limit option restricts OS detection to qualifying targets: Nmap then only performs OS detection against hosts that have at least one open and one closed port. This saves time, especially when scanning many hosts with -P0. The option only takes effect when OS detection is enabled with -O or -A.
root@Wing:~# nmap -O --osscan-limit 192.168.126.131/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 18:57 CST
Nmap scan report for 192.168.126.1
Host is up (0.00076s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
1033/tcp open netinfo
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.126.2
Host is up (0.0089s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
53/tcp open domain
MAC Address: 00:50:56:F1:06:20 (VMware)
Aggressive OS guesses: Microsoft Windows 7 Enterprise (93%), Microsoft Windows XP SP3 (93%), DVTel DVT-9540DW network camera (91%), DD-WRT v24-sp2 (Linux 2.4.37) (90%), Linux 3.2 (90%), BlueArc Titan 2100 NAS device (89%), Brother HL-5170DN printer (88%), Aethra Starvoice 1042 ADSL router (87%), Brother HL-1870N printer (87%), Brother NC-3100h print server (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Nmap scan report for 192.168.126.131
Host is up (0.00027s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Nmap scan report for 192.168.126.254
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:F1:F0:83 (VMware)
Nmap scan report for 192.168.126.130
Host is up (0.0000040s latency).
All 1000 scanned ports on 192.168.126.130 are closed
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 16.33 seconds
root@Wing:~#
This option must be used together with -O or -A.
Table 4.11 lists the Nmap options needed for this chapter; the bold entry is the option covered in this section, guessing the OS.
Table 4.11 Options for this section

| Option | Explanation |
|---|---|
| -sV | Version detection |
| --allports | Version detection on all ports |
| --version-intensity | Set the probing intensity |
| --version-light | Light scan |
| --version-all | Heavy scan |
| --version-trace | Trace version detection in detail |
| -sR | RPC scan |
| -O | Enable OS detection |
| --osscan-limit | OS detection only against qualifying targets |
| **--osscan-guess; --fuzzy** | **Guess the OS when no exact match is found** |
The --osscan-guess; --fuzzy option makes Nmap guess the operating system. Nmap cannot always identify a system exactly; when it cannot, it takes the closest data it has and makes a bold guess at the target system.
root@Wing:~# nmap -O --osscan-guess 192.168.126.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 19:09 CST
Nmap scan report for 192.168.126.1
Host is up (0.00051s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
1033/tcp open netinfo
MAC Address: 00:50:56:C0:00:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|Vista (97%), FreeBSD 6.X (88%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/ o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o: microsoft:windows_vista::sp1 cpe:/o:freebsd:freebsd:6.2 cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Phone 7.5 (97%), Microsoft Windows Server 2008 Beta 3 (97%), Microsoft Windows 7 Professional (97%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (97%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (97%), Microsoft Windows Server 2008 SP1 (94%), Microsoft Windows 7 SP1 (91%), Microsoft Windows Vista SP0 - SP1 (91%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Windows Server 2008 (90%), Microsoft Windows Vista Home Premium SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.12 seconds
root@Wing:~# nmap -O --fuzzy 192.168.126.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-11 19:10 CST
Nmap scan report for 192.168.126.1
Host is up (0.00071s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
1033/tcp open netinfo
MAC Address: 00:50:56:C0:00:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose
Running (JUST GUESSING): Microsoft Windows Phone|2008|Vista|7 (97%), FreeBSD 6.X (88%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o: microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft: windows_7 cpe:/o:freebsd:freebsd:6.2 cpe:/o:microsoft:windows_8
Aggressive OS guesses: Microsoft Windows Phone 7.5 (97%), Microsoft Windows Server 2008 Beta 3 (97%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (97%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (97%), Microsoft Windows 7 Professional (95%), Microsoft Windows Server 2008 SP1 (94%), Microsoft Windows Vista SP0 - SP1 (91%), Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows 7 SP1 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP1 - SP2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.01 seconds
root@Wing:~#
With these options Nmap gathers more information for its guesses and shows a percentage for each candidate system, giving us data on which to base a judgement; this is far more reliable than relying on what an unassisted Nmap run returns.
Note that --osscan-guess and --fuzzy are not used together: they are two names for the same option.