Key points of this chapter
The previous chapters gave a fairly complete introduction to Nmap's basic usage and advanced techniques. This chapter supplements those basic and advanced options by introducing Nmap options that are used less often but are nonetheless very useful.
Options covered in this chapter
Table 11.1 lists the Nmap options used in this chapter; the author has collected them here for easy reference.

Table 11.1 Options used in this chapter

Option | Description
---|---
--send-eth | Send raw Ethernet frames (data link layer)
--send-ip | Send at the network (IP) layer
--privileged | Assume the user is fully privileged
--interactive | Start in interactive mode
-V | Print the Nmap version number
-d | Set the debugging level
--packet-trace | Trace packets sent and received
--iflist | List interfaces and routes
-e | Specify the network interface
-oG | Resume an interrupted scan (used with --resume)
firewalk | Probe firewall rules
vmauthd-brute | Brute-force VMware authentication
Table 11.1 lists the options used in this chapter; this subsection covers the option for sending raw Ethernet frames, --send-eth.
The --send-eth option makes Nmap send packets at the data link (Ethernet) layer instead of the network (IP) layer. Note that on UNIX systems Nmap uses raw IP packets by default, whether or not this option is given.
root@Wing:~# nmap --send-eth 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:11 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for sending at the network layer, --send-ip.
The --send-ip option makes Nmap send packets through the network (IP) layer rather than the data link layer; in practice it is the complement of --send-eth.
root@Wing:~# nmap --send-ip 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:14 CST
Nmap scan report for 192.168.126.131
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for assuming full privileges, --privileged.
The --privileged option tells Nmap to assume it has sufficient privileges to send on raw sockets, capture packets, and perform the other operations that normally require root on UNIX-like systems. By default, Nmap exits if getuid() does not return 0.
--privileged is useful on systems with Linux kernel capabilities, which can be configured to allow unprivileged users to perform raw-packet scans. Note that --privileged must be given before any other options that require privileges (SYN scan, OS detection, and so on). Setting the NMAP_PRIVILEGED environment variable is equivalent to the --privileged option.
root@Wing:~# nmap --privileged 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:18 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for starting in interactive mode, --interactive.
--interactive tells Nmap to start in interactive mode, in which Nmap provides a prompt that makes it convenient to run several scans in succession. Using this option requires reasonable familiarity with shell commands.
root@Wing:~# nmap --interactive
Starting Nmap V. 6.40 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>
Below, a fast scan is run with the -T4 option.
nmap> n -T4 192.168.126.163
Interesting ports on 192.168.126.163:
Not shown: 98 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
Table 11.1 lists the options used in this chapter; this subsection covers the option for displaying the Nmap version number, -V.
Use the -V or --version option to display Nmap's version information.
root@Wing:~# nmap -V
Nmap version 6.40 ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for setting the debugging level, -d.
Use the -d option to set the debugging level. When even verbose mode does not give us enough information, -d can be enabled; the number given after -d is the debugging level, from 1 to 9. -d 9 is the highest level and produces a very large amount of output.
root@Wing:~# nmap -d 1 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:30 CST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
setup_target: failed to determine route to 1 (0.0.0.1)
Initiating ARP Ping Scan at 17:30
Scanning 192.168.126.131 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2996 and arp[22:2] = 0x752B
Completed ARP Ping Scan at 17:30, 0.00s elapsed (1 total hosts)
Overall sending rates: 350.14 packets / s, 14705.88 bytes / s.
mass_rdns: Using DNS server 192.168.126.2
Initiating Parallel DNS resolution of 1 host. at 17:30
mass_rdns: 0.02s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 17:30, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:30
Scanning 192.168.126.131 [1000 ports]
Packet capture filter (device eth0): dst host 192.168.126.130 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.126.131)))
Discovered open port 80/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.131
Discovered open port 25/tcp on 192.168.126.131
Discovered open port 3306/tcp on 192.168.126.131
…(output omitted)…
Discovered open port 6667/tcp on 192.168.126.131
Discovered open port 1524/tcp on 192.168.126.131
Discovered open port 6000/tcp on 192.168.126.131
Completed SYN Stealth Scan at 17:30, 0.07s elapsed (1000 total ports)
Overall sending rates: 13382.22 packets / s, 588817.81 bytes / s.
Nmap scan report for 192.168.126.131
Host is up, received arp-response (0.00035s latency).
Scanned at 2014-06-13 17:30:32 CST for 0s
Not shown: 977 closed ports
Reason: 977 resets
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
23/tcp open telnet syn-ack
25/tcp open smtp syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
111/tcp open rpcbind syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
512/tcp open exec syn-ack
513/tcp open login syn-ack
514/tcp open shell syn-ack
1099/tcp open rmiregistry syn-ack
1524/tcp open ingreslock syn-ack
2049/tcp open nfs syn-ack
2121/tcp open ccproxy-ftp syn-ack
3306/tcp open mysql syn-ack
5432/tcp open postgresql syn-ack
5900/tcp open vnc syn-ack
6000/tcp open X11 syn-ack
6667/tcp open irc syn-ack
8009/tcp open ajp13 syn-ack
8180/tcp open unknown syn-ack
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Final times for host: srtt: 355 rttvar: 64 to: 100000
Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.120KB)
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for tracing sent and received packets, --packet-trace.
The --packet-trace option is mostly used for debugging rather than in everyday scanning; it makes Nmap print every packet it sends and receives. To keep the output manageable for analysis, the -p option can be used to limit the ports scanned so that only a small number of packets are generated.
root@Wing:~# nmap --packet-trace -p 20-30 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:34 CST
SENT (0.0586s) ARP who-has 192.168.126.131 tell 192.168.126.130
RCVD (0.0588s) ARP reply 192.168.126.131 is-at 00:0C:29:E0:2E:76
NSOCK INFO [0.0590s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0590s] nsock_connect_udp(): UDP connection requested to 192.168.126.2:53 (IOD #1) EID 8
NSOCK INFO [0.0590s] nsock_read(): Read request from IOD #1 [192.168.126.2:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.126.2:53]
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.126.2:53]
NSOCK INFO [4.0610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.126.2:53]
NSOCK INFO [4.0770s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.126.2:53] (81 bytes)
NSOCK INFO [4.0770s] nsock_read(): Read request from IOD #1 [192.168.126.2:53] (timeout: -1ms) EID 42
NSOCK INFO [4.0770s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [4.0770s] msevent_cancel(): msevent_cancel on event #42 (type READ)
SENT (4.0794s) TCP 192.168.126.130:58690 > 192.168.126.131:23 S ttl=50 id=20236 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0802s) TCP 192.168.126.130:58690 > 192.168.126.131:21 S ttl=42 id=37211 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0808s) TCP 192.168.126.130:58690 > 192.168.126.131:25 S ttl=48 id=28839 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0814s) TCP 192.168.126.130:58690 > 192.168.126.131:22 S ttl=43 id=63745 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0820s) TCP 192.168.126.130:58690 > 192.168.126.131:20 S ttl=50 id=49669 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0825s) TCP 192.168.126.130:58690 > 192.168.126.131:24 S ttl=41 id=22347 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0831s) TCP 192.168.126.130:58690 > 192.168.126.131:30 S ttl=58 id=24619 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0836s) TCP 192.168.126.130:58690 > 192.168.126.131:26 S ttl=53 id=64810 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0842s) TCP 192.168.126.130:58690 > 192.168.126.131:29 S ttl=51 id=40683 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0848s) TCP 192.168.126.130:58690 > 192.168.126.131:27 S ttl=41 id=61656 iplen=44 seq=4147884221 win=1024 <mss 1460>
RCVD (4.0791s) TCP 192.168.126.131:23 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2700394672 win=5840 <mss 1460>
RCVD (4.0797s) TCP 192.168.126.131:21 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2705356047 win=5840 <mss 1460>
RCVD (4.0805s) TCP 192.168.126.131:25 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2695721692 win=5840 <mss 1460>
RCVD (4.0811s) TCP 192.168.126.131:22 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2696301698 win=5840 <mss 1460>
RCVD (4.0817s) TCP 192.168.126.131:20 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0823s) TCP 192.168.126.131:24 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0828s) TCP 192.168.126.131:30 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0834s) TCP 192.168.126.131:26 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0839s) TCP 192.168.126.131:29 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0846s) TCP 192.168.126.131:27 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (4.0867s) TCP 192.168.126.130:58690 > 192.168.126.131:28 S ttl=54 id=16933 iplen=44 seq=4147884221 win=1024 <mss 1460>
RCVD (4.0866s) TCP 192.168.126.131:28 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
Nmap scan report for 192.168.126.131
Host is up (0.00021s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp closed priv-mail
25/tcp open smtp
26/tcp closed rsftp
27/tcp closed nsw-fe
28/tcp closed unknown
29/tcp closed msg-icp
30/tcp closed unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
root@Wing:~#
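To show what the trace above actually encodes, here is an added Python example (not from the book) that reads --packet-trace lines from a SYN scan and rebuilds the per-port verdict Nmap prints at the end: a SYN/ACK reply marks a port open, a RST marks it closed, and a probe that never gets a reply is reported as filtered. The sample lines are taken from the output above, plus one constructed probe to port 31 that receives no reply; ARP and NSOCK lines are skipped, as they carry no port information.

```python
"""Rebuild SYN-scan port states from Nmap --packet-trace output.
Added example; SAMPLE_TRACE is built from the book's output, with one
extra constructed probe (port 31) that never receives a reply."""
import re

# One pattern matches both SENT and RCVD TCP lines as --packet-trace prints them.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<ts>\d+\.\d+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+)"
)

SAMPLE_TRACE = [
    "SENT (0.0586s) ARP who-has 192.168.126.131 tell 192.168.126.130",
    "RCVD (0.0588s) ARP reply 192.168.126.131 is-at 00:0C:29:E0:2E:76",
    "NSOCK INFO [0.0590s] nsi_new2(): nsi_new (IOD #1)",
    "SENT (4.0794s) TCP 192.168.126.130:58690 > 192.168.126.131:23 S ttl=50 id=20236 iplen=44 seq=4147884221 win=1024 <mss 1460>",
    "SENT (4.0802s) TCP 192.168.126.130:58690 > 192.168.126.131:21 S ttl=42 id=37211 iplen=44 seq=4147884221 win=1024 <mss 1460>",
    "SENT (4.0820s) TCP 192.168.126.130:58690 > 192.168.126.131:20 S ttl=50 id=49669 iplen=44 seq=4147884221 win=1024 <mss 1460>",
    # Constructed probe: no reply ever comes back for port 31.
    "SENT (4.0850s) TCP 192.168.126.130:58690 > 192.168.126.131:31 S ttl=47 id=11111 iplen=44 seq=4147884221 win=1024 <mss 1460>",
    "RCVD (4.0791s) TCP 192.168.126.131:23 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2700394672 win=5840 <mss 1460>",
    "RCVD (4.0797s) TCP 192.168.126.131:21 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2705356047 win=5840 <mss 1460>",
    "RCVD (4.0817s) TCP 192.168.126.131:20 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0",
]


def classify_reply(flags: str) -> str:
    """Map the TCP flags of a reply to a SYN probe onto Nmap's port states."""
    if "S" in flags and "A" in flags:
        return "open"       # SYN/ACK: a service is listening
    if "R" in flags:
        return "closed"     # RST: host reachable, nothing listening
    return "unknown"


def summarize_trace(lines, target):
    """Return {port: state} for every SYN probe sent to `target`.

    A port stays 'filtered' until a reply from the target arrives, which
    is also how Nmap reports probes that time out without any answer."""
    states = {}
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # ARP, NSOCK and report lines carry no TCP probe data
        if m["dir"] == "SENT" and m["dst"] == target and m["flags"] == "S":
            states.setdefault(int(m["dport"]), "filtered")
        elif m["dir"] == "RCVD" and m["src"] == target:
            port = int(m["sport"])
            if port in states:  # only replies to probes we actually sent
                states[port] = classify_reply(m["flags"])
    return states


if __name__ == "__main__":
    for port, state in sorted(summarize_trace(SAMPLE_TRACE, "192.168.126.131").items()):
        print(f"{port}/tcp {state}")
```

Reading the trace this way makes the mechanism behind the final report visible: the scanner never completes a handshake, and every verdict comes from one flag combination in the reply (or from its absence), which is also why a stateful firewall that silently drops SYNs shows up as filtered rather than closed.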
Table 11.1 lists the options used in this chapter; this subsection covers the option for listing interfaces and routes, --iflist.
The --iflist option tells Nmap to print the interfaces and routes it has detected; it is mostly used for debugging routing problems.
root@Wing:~# nmap --iflist www.0day.co
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:36 CST
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MTU MAC
lo (lo) 127.0.0.1/8 loopback up 65536
lo (lo) ::1/128 loopback up 65536
eth0 (eth0) 192.168.126.130/24 ethernet up 1500 00:0C:29:96:75:2B
eth0 (eth0) fe80::20c:29ff:fe96:752b/64 ethernet up 1500 00:0C:29:96:75:2B
**************************ROUTES**************************
DST/MASK DEV METRIC GATEWAY
192.168.126.0/24 eth0 0
0.0.0.0/0 eth0 0 192.168.126.2
::1/128 lo 0
fe80::20c:29ff:fe96:752b/128 lo 0
fe80::/64 eth0 256
ff00::/8 eth0 256
root@Wing:~#
Table 11.1 lists the options used in this chapter; this subsection covers the option for specifying the network interface, -e.
The -e option specifies which network interface to send packets from. First, let us look at the network interfaces.
root@Wing:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:96:75:2b
inet addr:192.168.126.130 Bcast:192.168.126.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe96:752b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:316840 errors:15 dropped:0 overruns:0 frame:0
TX packets:374973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93509186 (89.1 MiB) TX bytes:33407506 (31.8 MiB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:19013 errors:0 dropped:0 overruns:0 frame:0
TX packets:19013 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:867762 (847.4 KiB) TX bytes:867762 (847.4 KiB)
root@Wing:~#
Now we tell Nmap to send from eth0.
root@Wing:~# nmap -e eth0 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:39 CST
Nmap scan report for 192.168.126.131
Host is up (0.00029s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@Wing:~#
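The --iflist and -e options belong together: --iflist shows the routing table Nmap discovered, and -e overrides the interface it would otherwise choose from that table. The following added Python example (not from the book) parses --iflist output and applies the same longest-prefix-match rule the operating system uses to predict which interface and gateway a given target would go through, which is a quick way to check whether -e is needed at all. The sample text is an excerpt of the --iflist output shown above; the column spacing is reconstructed.

```python
"""Parse Nmap --iflist output and predict the outgoing interface for a
target by longest-prefix match. Added example; SAMPLE_IFLIST is an
excerpt of the --iflist output shown in the book."""
import ipaddress

SAMPLE_IFLIST = """\
************************INTERFACES************************
DEV  (SHORT) IP/MASK                          TYPE     UP MTU   MAC
lo   (lo)    127.0.0.1/8                      loopback up 65536
lo   (lo)    ::1/128                          loopback up 65536
eth0 (eth0)  192.168.126.130/24               ethernet up 1500  00:0C:29:96:75:2B
eth0 (eth0)  fe80::20c:29ff:fe96:752b/64      ethernet up 1500  00:0C:29:96:75:2B
**************************ROUTES**************************
DST/MASK                     DEV  METRIC GATEWAY
192.168.126.0/24             eth0 0
0.0.0.0/0                    eth0 0      192.168.126.2
::1/128                      lo   0
fe80::20c:29ff:fe96:752b/128 lo   0
fe80::/64                    eth0 256
ff00::/8                     eth0 256
"""


def parse_iflist(text):
    """Return (interfaces, routes), each a list of dicts, from --iflist text."""
    section, ifaces, routes = None, [], []
    for raw in text.splitlines():
        cols = raw.split()
        if not cols:
            continue
        if cols[0].startswith("*"):            # section banner line
            section = "if" if "INTERFACES" in cols[0] else "rt"
            continue
        if cols[0] in ("DEV", "DST/MASK"):     # column headers
            continue
        if section == "if" and len(cols) >= 5 and "/" in cols[2]:
            ifaces.append({"dev": cols[0], "addr": ipaddress.ip_interface(cols[2]),
                           "type": cols[3], "up": cols[4] == "up",
                           "mac": cols[6] if len(cols) > 6 else None})
        elif section == "rt" and len(cols) >= 3 and "/" in cols[0]:
            routes.append({"dst": ipaddress.ip_network(cols[0]), "dev": cols[1],
                           "metric": int(cols[2]),
                           "gw": ipaddress.ip_address(cols[3]) if len(cols) > 3 else None})
    return ifaces, routes


def pick_interface(routes, target):
    """Longest-prefix match, lowest metric breaking ties: the rule the OS
    applies and therefore what Nmap follows when -e is not given.
    Returns (device, gateway or None), or None when no route matches."""
    addr = ipaddress.ip_address(target)
    best = None
    for r in routes:
        if r["dst"].version != addr.version or addr not in r["dst"]:
            continue
        rank = (r["dst"].prefixlen, -r["metric"])
        if best is None or rank > best[0]:
            best = (rank, r)
    if best is None:
        return None
    return best[1]["dev"], best[1]["gw"]


if __name__ == "__main__":
    _, routes = parse_iflist(SAMPLE_IFLIST)
    for target in ("192.168.126.131", "8.8.8.8", "fe80::1", "2001:db8::1"):
        print(target, "->", pick_interface(routes, target))
```

A target that resolves to the default route goes out via the gateway, one on the local /24 is reached directly (which is why the scans above show a MAC address: the host answered ARP), and a target with no matching route is exactly the case in which the -d output above printed "failed to determine route".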
Table 11.1 lists the options used in this chapter; this subsection covers resuming an interrupted scan with -oG and --resume.
The --resume option resumes an interrupted scan. Scanning a network with Nmap can take a long time, and we may need to split the scan across several time windows, or the network may be interrupted for some other reason; in such cases --resume continues the scan, but it must be used together with output saved by -oN or -oG.
Here we use -oG to save the scan results to a .txt file and then press Ctrl+C during the scan to interrupt it.
root@Wing:~# nmap -oG 1.txt -v 192.168.126.1/24
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:54 CST
Initiating ARP Ping Scan at 17:54
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 17:54, 1.95s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 17:54
Completed Parallel DNS resolution of 255 hosts. at 17:54, 0.03s elapsed
Nmap scan report for 192.168.126.0 [host down]
Nmap scan report for 192.168.126.3 [host down]
Nmap scan report for 192.168.126.4 [host down]
Nmap scan report for 192.168.126.5 [host down]
Nmap scan report for 192.168.126.6 [host down]
…(output omitted)…
Nmap scan report for 192.168.126.251 [host down]
Nmap scan report for 192.168.126.252 [host down]
Nmap scan report for 192.168.126.253 [host down]
Nmap scan report for 192.168.126.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 17:54
Completed Parallel DNS resolution of 1 host. at 17:54, 0.02s elapsed
Initiating SYN Stealth Scan at 17:54
Scanning 4 hosts [1000 ports/host]
Discovered open port 21/tcp on 192.168.126.131
Discovered open port 3306/tcp on 192.168.126.131
Discovered open port 80/tcp on 192.168.126.131
Discovered open port 22/tcp on 192.168.126.131
Discovered open port 25/tcp on 192.168.126.131
Discovered open port 111/tcp on 192.168.126.131
Discovered open port 23/tcp on 192.168.126.131
Discovered open port 5900/tcp on 192.168.126.131
Discovered open port 139/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.131
Discovered open port 445/tcp on 192.168.126.131
Discovered open port 6000/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.2
Discovered open port 8180/tcp on 192.168.126.131
Discovered open port 6667/tcp on 192.168.126.131
Discovered open port 1524/tcp on 192.168.126.131
Discovered open port 8009/tcp on 192.168.126.131
Discovered open port 2049/tcp on 192.168.126.131
Discovered open port 5432/tcp on 192.168.126.131
Discovered open port 512/tcp on 192.168.126.131
Discovered open port 1099/tcp on 192.168.126.131
Discovered open port 2121/tcp on 192.168.126.131
Discovered open port 514/tcp on 192.168.126.131
Discovered open port 513/tcp on 192.168.126.131
Completed SYN Stealth Scan against 192.168.126.2 in 0.17s (3 hosts left)
Completed SYN Stealth Scan against 192.168.126.131 in 0.17s (2 hosts left)
root@Wing:~#
Now we use --resume to continue the scan.
root@Wing:~# nmap --resume 1.txt
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:54 CST
Initiating ARP Ping Scan at 17:54
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 17:54, 0.20s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 17:54
Completed Parallel DNS resolution of 2 hosts. at 17:54, 0.02s elapsed
Nmap scan report for 192.168.126.255 [host down]
Initiating SYN Stealth Scan at 17:54
Scanning 192.168.126.254 [1000 ports]
Completed SYN Stealth Scan at 17:54, 21.24s elapsed (1000 total ports)
Nmap scan report for 192.168.126.254
Host is up (0.000090s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:FC:2E:96 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (1 host up) scanned in 21.54 seconds
Raw packets sent: 2003 (88.084KB) | Rcvd: 1 (28B)
root@Wing:~#
We can see that Nmap continues the scan; when it finishes, the results are saved in 1.txt.
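--resume works because the grepable (-oG) file records the original command line in its header and appends one line per host as results arrive, so Nmap can re-read the file, restore the options and continue after the last host recorded. The added Python example below (not from the book) parses that format: the command line from the "# Nmap ... as:" header, per-host status and port results, and whether a "# Nmap done" footer is present, since its absence is the sign of an interrupted scan. The sample file is constructed to match the scan above; the timestamp in the header is made up.

```python
"""Parse Nmap grepable (-oG) output, the format --resume reads.
Added example; SAMPLE_GNMAP is constructed to mirror the interrupted
scan in the book (the header date is made up)."""
import ipaddress
import re
import shlex

SAMPLE_GNMAP = [
    "# Nmap 6.40 scan initiated Fri Jun 13 17:54:02 2014 as: nmap -oG 1.txt -v 192.168.126.1/24",
    "Host: 192.168.126.2 ()\tStatus: Up",
    "Host: 192.168.126.2 ()\tPorts: 53/open/tcp//domain///\tIgnored State: closed (999)",
    "Host: 192.168.126.3 ()\tStatus: Down",
    "Host: 192.168.126.131 ()\tStatus: Up",
    "Host: 192.168.126.131 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)",
    # No "# Nmap done" footer: the scan was interrupted with Ctrl+C.
]

# Host lines are tab-separated "Key: value" fields after the address.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def original_command(lines):
    """Recover the argv recorded in the header; --resume re-applies it."""
    for line in lines:
        if line.startswith("# Nmap") and " as: " in line:
            return shlex.split(line.split(" as: ", 1)[1])
    return None


def parse_hosts(lines):
    """Return {ip: {"name", "status", "ports": {port: {...}}}}."""
    hosts = {}
    for line in lines:
        m = HOST_RE.match(line.rstrip("\n"))
        if not m:
            continue
        fields = {}
        for field in m["rest"].split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        entry = hosts.setdefault(m["ip"], {"name": m["name"], "status": None, "ports": {}})
        if "Status" in fields:
            entry["status"] = fields["Status"]
        if "Ports" in fields:
            for spec in fields["Ports"].split(", "):
                # port/state/proto/owner/service/rpc/version/
                p = spec.split("/")
                entry["ports"][int(p[0])] = {"state": p[1], "proto": p[2], "service": p[4]}
    return hosts


def is_complete(lines):
    """A finished scan ends with a '# Nmap done' footer."""
    return any(line.startswith("# Nmap done") for line in lines)


def resume_plan(lines):
    """What a resume needs: original arguments, hosts already recorded,
    and whether there is anything left to resume at all."""
    done = sorted(parse_hosts(lines), key=ipaddress.ip_address)
    return {"args": original_command(lines), "done": done, "complete": is_complete(lines)}


if __name__ == "__main__":
    print(resume_plan(SAMPLE_GNMAP))
```

The same parser is useful on the defensive side: the -oG files produced by scheduled inventory scans can be diffed host by host to spot ports that were not open last time.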
Dnmap is a distributed framework built on Nmap. It uses a client/server architecture: the server accepts commands and hands them to clients, which run the Nmap scans and return the results to the server when they finish.
First, download Dnmap from http://sourceforge.net/projects/dnmap/ .
root@Wing:/home/dnmap# wget http://sourceforge.net/projects/dnmap/files/dnmap_v0.6.tgz
--2014-06-13 18:07:04-- http://sourceforge.net/projects/dnmap/files/dnmap_v0.6.tgz
…(output omitted)…
100%[======================================>] 12,609 2.67K/s 用时 29s
2014-06-13 18:07:39 (434 B/s) - 已保存 “dnmap_v0.6.tgz” [12609/12609])
root@Wing:/home/dnmap#
Extract the archive and run dnmap_server.py without arguments to see its usage information.
root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_server.py
+-------------------------------------------------------------------------+
| dnmap_server Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+-------------------------------------------------------------------------+
usage: ./dnmap_server.py <options>
options:
-f, --nmap-commands Nmap commands file
-p, --port TCP port where we listen for connections.
-L, --log-file Log file. Defaults to /var/log/dnmap_server.conf.
-l, --log-level Log level. Defaults to info.
-v, --verbose_level Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
-t, --client-timeout How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
-s, --sort Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
-P, --pem-file pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.
dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
just delete the '<nmap-commands-file-name>.dnmaptrace' file
root@Wing:/home/dnmap/dnmap_v0.6#
Create a new file containing the commands we want to run, one per line, as shown below.
nmap -sS -p22 192.168.84.0/24 -v -n -oA 192.168.84.0
nmap -sS -p22 192.168.126.0/24 -v -n -oA 192.168.126.0
nmap -sS -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sP -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sS --top-ports 100 192.168.3.3 -v -n -oA 192.168.3.3.top100
nmap -sS --top-ports 100 192.168.3.4 -v -n -oA 192.168.3.4.top100
nmap -sS --top-ports 100 192.168.3.5 -v -n -oA 192.168.3.5.top100
Start the Dnmap server; the -f option specifies our command file.
root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_server.py -f /home/test
+-------------------------------------------------------------------------+
| dnmap_server Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+-------------------------------------------------------------------------+
=| MET:0:00:00.000735 | Amount of Online clients: 0 |=
=| MET:0:00:05.006164 | Amount of Online clients: 0 |=
=| MET:0:00:10.005340 | Amount of Online clients: 0 |=
Open another terminal and connect the Dnmap client to the server.
root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_client.py -s 192.168.126.130 -a test
+--------------------------------------------------------------------------+
| dnmap Client Version 0.6 |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or |
| (at your option) any later version. |
| |
| Author: Garcia Sebastian, eldraco@gmail.com |
| www.mateslab.com.ar |
+--------------------------------------------------------------------------+
Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
Command Executed: nmap -sS -p22 192.168.84.0/24 -v -n -oA 192.168.84.0
Sending output to the server...
Waiting for more commands....
The two Dnmap windows will keep scrolling output until the scans complete.
The scan results saved by Dnmap are in the nmap_output directory.
root@Wing:/home/dnmap/dnmap_v0.6/nmap_output# ls
192.168.126.0.gnmap 192.168.3.4.top100.gnmap 192.168.4.0.gnmap
192.168.126.0.nmap 192.168.3.4.top100.nmap 192.168.4.0.nmap
192.168.126.0.xml 192.168.3.4.top100.xml 192.168.4.0.xml
192.168.3.3.top100.gnmap 192.168.3.5.top100.gnmap 192.168.84.0.gnmap
192.168.3.3.top100.nmap 192.168.3.5.top100.nmap 192.168.84.0.nmap
192.168.3.3.top100.xml 192.168.3.5.top100.xml 192.168.84.0.xml
root@Wing:/home/dnmap/dnmap_v0.6/nmap_output#
The power of NSE scripts was demonstrated in earlier chapters: Nmap provides a rich API that, combined with the Lua programming language, makes it simple and efficient to develop NSE scripts for all kinds of situations. This subsection develops an NSE script around a practical need.
Writing NSE scripts requires a grounding in Lua or comparable programming experience. First, let us look at NSE comments.
-- The scanning module --
A comment begins with "--".
-- The scanning module --
author = "Wing"
categories = {"version"}

-- Run the action only against an open TCP port 80.
portrule = function(host, port)
  return port.protocol == "tcp" and port.number == 80 and port.state == "open"
end

-- The returned string is shown under the port in Nmap's report.
action = function(host, port)
  return "Found!!!"
end
When this NSE script is used, it prints "Found!!!" whenever port 80 is found open; the code above defines the conditions: TCP protocol, port 80, and port state open.
Let us try scanning with it.
root@kali:~# nmap -p80 --script found80 192.168.1.100-120
Starting Nmap 6.46 ( http://nmap.org ) at 2014-10-17 20:14 CST
Nmap scan report for 192.168.1.100
Host is up (0.00070s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.101
Host is up (0.00093s latency).
PORT STATE SERVICE
80/tcp filtered http
…(output omitted)…
Nmap scan report for 192.168.1.110
Host is up (0.0012s latency).
PORT STATE SERVICE
80/tcp open http
|_found80: Found!!!
Nmap scan report for 192.168.1.111
Host is up (0.00024s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.112
Host is up (0.00020s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.113
Host is up (0.00066s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.114
Host is up (0.00045s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.115
Host is up (0.00028s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.116
Host is up (0.00018s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.117
Host is up (0.00026s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.118
Host is up (0.00021s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.119
Host is up (0.00019s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.120
Host is up (0.00022s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 21 IP addresses (21 hosts up) scanned in 3.63 seconds
root@kali:~#
IP 192.168.1.110 was found with port 80 open, and the "Found!!!" message appeared.
-- The scanning module --
author = "Wing"
categories = {"version"}

local http = require "http"

-- Run the action only against an open port 80.
portrule = function(host, port)
  return (port.number == 80) and (port.state == "open")
end

action = function(host, port)
  local uri = "/admin.php"
  local response = http.get(host, port, uri)
  -- Report a hit only when the server actually returned the page.
  if response and response.status == 200 then
    return "Found!!!"
  end
  return nil
end
This script requests the URL /admin.php on the web server and returns "Found!!!" when the page is found. We use it to scan an IP range.
root@kali:~# nmap -p80 --script scanadmin 192.168.1.100-120
Starting Nmap 6.46 ( http://nmap.org ) at 2014-10-17 20:21 CST
Nmap scan report for 192.168.1.100
Host is up (0.00090s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.101
Host is up (0.00085s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.103
Host is up (0.0040s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap scan report for 192.168.1.110
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
|_scanadmin: Found!!!
Nmap scan report for 192.168.1.120
Host is up (0.00039s latency).
PORT STATE SERVICE
80/tcp filtered http
Nmap done: 21 IP addresses (5 hosts up) scanned in 44.42 seconds
root@kali:~#
IP 192.168.1.110 was found with port 80 open and admin.php present.
Table 11.1 lists the options used in this chapter; this subsection covers the script for probing firewall rules, firewalk.
Nmap's firewalk script discovers firewall rules by sending probes and analysing the TTL values of the responses.
Run "nmap --script=firewalk --traceroute target" to probe the firewall rules in front of the target server.
root@Wing:~# nmap --script=firewalk --traceroute 192.168.121.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 21:22 CST
Nmap scan report for 192.168.121.1
Host is up (0.68s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
843/tcp open unknown
902/tcp open iss-realsecure
912/tcp open apex-mesh
7000/tcp open afs3-fileserver
8000/tcp open http-alt
49152/tcp open unknown
49153/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
Host script results:
| firewalk:
| HOP HOST PROTOCOL BLOCKED PORTS
|_1 192.168.239.2 tcp 514
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 9.34 ms 192.168.239.2
2 3.52 ms 192.168.121.1
Nmap done: 1 IP address (1 host up) scanned in 146.12 seconds
root@Wing:~#
From the output above we can see that TCP port 514 is blocked at hop 1, 192.168.239.2, the device between the scanner and the target host.
Table 11.1 lists the options used in this chapter; this subsection covers the script for brute-forcing VMware authentication, vmauthd-brute.
VMware (NYSE: VMW) is the leading vendor of virtualisation solutions from the desktop to the data centre. Nmap's vmauthd-brute script can brute-force the username and password of a VMware installation.
Run "nmap -p 902 --script vmauthd-brute target" to do so.
root@Wing:~# nmap -p 902 --script vmauthd-brute 192.168.121.1
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 21:32 CST
Nmap scan report for 192.168.121.1
Host is up (0.0011s latency).
PORT STATE SERVICE
902/tcp open iss-realsecure
| vmauthd-brute:
| Accounts
| root:root - Valid credentials
| Statistics
|_ Performed 1247 guesses in 604 seconds, average tps: 2
Nmap done: 1 IP address (1 host up) scanned in 603.79 seconds
root@Wing:~#
The output shows that the script successfully recovered one account; both the username and the password are root.