Chapter 11 Nmap Tricks

Topics of This Chapter

The previous chapters covered Nmap's basic usage and advanced techniques fairly thoroughly. This chapter supplements those basic and advanced options by introducing options that are rarely used but very useful.

Options in This Chapter

Table 11.1 lists the Nmap commands needed in this chapter; the author has compiled them here for easy reference.

Table 11.1 Options needed in this chapter

Option            Explanation
--send-eth        Send Ethernet (link-layer) packets
--send-ip         Send at the network (IP) layer
--privileged      Assume the user is fully privileged
--interactive     Start in interactive mode
-V                Show the Nmap version
-d                Set the debugging level
--packet-trace    Trace sent and received packets
--iflist          List interfaces and routes
-e                Specify the network interface
-oG               Resume an interrupted scan (used with --resume)
firewalk          Probe firewall rules
vmauthd-brute     VMware authentication brute force

Table 11.2 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --send-eth, send Ethernet packets.


The --send-eth option sends Ethernet frames: it asks Nmap to send packets at the data-link layer rather than the network layer. Note that on UNIX systems Nmap generally uses raw IP packets by default.

root@Wing:~# nmap --send-eth 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:11 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@Wing:~# 


Table 11.3 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --send-ip, send at the network layer.


The --send-ip option asks Nmap to send packets at the network (IP) layer rather than the data-link layer; in practice it is the complement of --send-eth.

root@Wing:~# nmap --send-ip 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:14 CST
Nmap scan report for 192.168.126.131
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
root@Wing:~# 


Table 11.4 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --privileged, assume full privileges.


The --privileged option asks Nmap to assume it is fully privileged for raw socket sends, packet capture and similar operations that usually require root on UNIX systems. By default, Nmap quits if such operations are requested but getuid() is not zero.

--privileged is useful on systems with Linux kernel capabilities and the like, which can be configured to let unprivileged users perform raw-packet scans. Be sure to give this option before any options that require privileges (SYN scan, OS detection, etc.). Setting the NMAP_PRIVILEGED environment variable is equivalent to --privileged.

root@Wing:~# nmap --privileged 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:18 CST
Nmap scan report for 192.168.126.131
Host is up (0.00030s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@Wing:~# 


Table 11.5 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --interactive, start in interactive mode.


--interactive tells Nmap to start in interactive mode, where it provides a prompt that makes running several scans in a row convenient. Using this option requires reasonable familiarity with shell commands.

root@Wing:~# nmap --interactive
Starting Nmap V. 6.40 ( http://nmap.org )
Welcome to Interactive Mode -- press h <enter> for help
nmap>


Next we run a fast scan with the -T4 option.

nmap> n -T4 192.168.126.163
Interesting ports on 192.168.126.163:
Not shown: 98 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds


Table 11.6 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: -V, show the Nmap version.


Use the -V or --version option to show Nmap's version information.

root@Wing:~# nmap -V

Nmap version 6.40 ( http://nmap.org )
Platform: i686-pc-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.1e libpcre-8.30 libpcap-1.3.0 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
root@Wing:~# 


Table 11.7 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: -d, set the debugging level.


Use the -d option to set the debugging level. When verbose mode still does not give enough data, enable -d; the number following -d is the debugging level, from 1 to 9, with -d9 the highest, which produces a very large amount of output. Note that the level is written attached to the option (-d1, -d9) or by repeating it (-dd): in the session below the separate argument "1" was parsed as an extra target, which is why the output contains "setup_target: failed to determine route to 1 (0.0.0.1)".

root@Wing:~# nmap -d 1 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:30 CST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
 hostgroups: min 1, max 100000
 rtt-timeouts: init 1000, min 100, max 10000
 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
 parallelism: min 0, max 0
 max-retries: 10, host-timeout: 0
 min-rate: 0, max-rate: 0
---------------------------------------------
setup_target: failed to determine route to 1 (0.0.0.1)
Initiating ARP Ping Scan at 17:30
Scanning 192.168.126.131 [1 port]
Packet capture filter (device eth0): arp and arp[18:4] = 0x000C2996 and arp[22:2] = 0x752B
Completed ARP Ping Scan at 17:30, 0.00s elapsed (1 total hosts)
Overall sending rates: 350.14 packets / s, 14705.88 bytes / s.
mass_rdns: Using DNS server 192.168.126.2
Initiating Parallel DNS resolution of 1 host. at 17:30
mass_rdns: 0.02s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 17:30, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:30
Scanning 192.168.126.131 [1000 ports]
Packet capture filter (device eth0): dst host 192.168.126.130 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.126.131)))
Discovered open port 80/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.131
Discovered open port 25/tcp on 192.168.126.131
Discovered open port 3306/tcp on 192.168.126.131
…omitted…
Discovered open port 6667/tcp on 192.168.126.131
Discovered open port 1524/tcp on 192.168.126.131
Discovered open port 6000/tcp on 192.168.126.131
Completed SYN Stealth Scan at 17:30, 0.07s elapsed (1000 total ports)
Overall sending rates: 13382.22 packets / s, 588817.81 bytes / s.
Nmap scan report for 192.168.126.131
Host is up, received arp-response (0.00035s latency).
Scanned at 2014-06-13 17:30:32 CST for 0s
Not shown: 977 closed ports
Reason: 977 resets
PORT   STATE SERVICE     REASON
21/tcp  open ftp       syn-ack
22/tcp  open ssh       syn-ack
23/tcp  open telnet     syn-ack
25/tcp  open smtp       syn-ack
53/tcp  open domain      syn-ack
80/tcp  open http       syn-ack
111/tcp open rpcbind     syn-ack
139/tcp open netbios-ssn   syn-ack
445/tcp open microsoft-ds  syn-ack
512/tcp open exec       syn-ack
513/tcp open login      syn-ack
514/tcp open shell       syn-ack
1099/tcp open rmiregistry   syn-ack
1524/tcp open ingreslock    syn-ack
2049/tcp open nfs       syn-ack
2121/tcp open ccproxy-ftp  syn-ack
3306/tcp open mysql      syn-ack
5432/tcp open postgresql   syn-ack
5900/tcp open vnc       syn-ack
6000/tcp open X11       syn-ack
6667/tcp open irc       syn-ack
8009/tcp open ajp13      syn-ack
8180/tcp open unknown    syn-ack
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Final times for host: srtt: 355 rttvar: 64 to: 100000

Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
      Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.120KB)
root@Wing:~# 


Table 11.8 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --packet-trace, trace sent and received packets.


The --packet-trace option is used mostly for debugging rather than for real network scanning: it asks Nmap to print every packet it sends and receives. To keep the output small enough to analyse, use the -p option to limit the ports and so the number of packets.

root@Wing:~# nmap --packet-trace -p 20-30 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:34 CST
SENT (0.0586s) ARP who-has 192.168.126.131 tell 192.168.126.130
RCVD (0.0588s) ARP reply 192.168.126.131 is-at 00:0C:29:E0:2E:76
NSOCK INFO [0.0590s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0590s] nsock_connect_udp(): UDP connection requested to 192.168.126.2:53 (IOD #1) EID 8
NSOCK INFO [0.0590s] nsock_read(): Read request from IOD #1 [192.168.126.2:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.126.2:53]
NSOCK INFO [0.0590s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.126.2:53]
NSOCK INFO [4.0610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.168.126.2:53]
NSOCK INFO [4.0770s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.126.2:53] (81 bytes)
NSOCK INFO [4.0770s] nsock_read(): Read request from IOD #1 [192.168.126.2:53] (timeout: -1ms) EID 42
NSOCK INFO [4.0770s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [4.0770s] msevent_cancel(): msevent_cancel on event #42 (type READ)
SENT (4.0794s) TCP 192.168.126.130:58690 > 192.168.126.131:23 S ttl=50 id=20236 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0802s) TCP 192.168.126.130:58690 > 192.168.126.131:21 S ttl=42 id=37211 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0808s) TCP 192.168.126.130:58690 > 192.168.126.131:25 S ttl=48 id=28839 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0814s) TCP 192.168.126.130:58690 > 192.168.126.131:22 S ttl=43 id=63745 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0820s) TCP 192.168.126.130:58690 > 192.168.126.131:20 S ttl=50 id=49669 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0825s) TCP 192.168.126.130:58690 > 192.168.126.131:24 S ttl=41 id=22347 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0831s) TCP 192.168.126.130:58690 > 192.168.126.131:30 S ttl=58 id=24619 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0836s) TCP 192.168.126.130:58690 > 192.168.126.131:26 S ttl=53 id=64810 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0842s) TCP 192.168.126.130:58690 > 192.168.126.131:29 S ttl=51 id=40683 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0848s) TCP 192.168.126.130:58690 > 192.168.126.131:27 S ttl=41 id=61656 iplen=44 seq=4147884221 win=1024 <mss 1460>
RCVD (4.0791s) TCP 192.168.126.131:23 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2700394672 win=5840 <mss 1460>
RCVD (4.0797s) TCP 192.168.126.131:21 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2705356047 win=5840 <mss 1460>
RCVD (4.0805s) TCP 192.168.126.131:25 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2695721692 win=5840 <mss 1460>
RCVD (4.0811s) TCP 192.168.126.131:22 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2696301698 win=5840 <mss 1460>
RCVD (4.0817s) TCP 192.168.126.131:20 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
RCVD (4.0823s) TCP 192.168.126.131:24 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
RCVD (4.0828s) TCP 192.168.126.131:30 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
RCVD (4.0834s) TCP 192.168.126.131:26 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
RCVD (4.0839s) TCP 192.168.126.131:29 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
RCVD (4.0846s) TCP 192.168.126.131:27 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
SENT (4.0867s) TCP 192.168.126.130:58690 > 192.168.126.131:28 S ttl=54 id=16933 iplen=44 seq=4147884221 win=1024 <mss 1460>
RCVD (4.0866s) TCP 192.168.126.131:28 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0 
Nmap scan report for 192.168.126.131
Host is up (0.00021s latency).
PORT  STATE SERVICE
20/tcp closed ftp-data
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
24/tcp closed priv-mail
25/tcp open  smtp
26/tcp closed rsftp
27/tcp closed nsw-fe
28/tcp closed unknown
29/tcp closed msg-icp
30/tcp closed unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.11 seconds
root@Wing:~# 
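As an added example (not from the book), here is a small Python parser for the SENT/RCVD lines that --packet-trace prints during a SYN scan; it reconstructs the port states Nmap reported from the TCP flags in the replies. The sample lines are copied from the trace above, plus one constructed probe to port 31 that receives no reply.

```python
import re

# Constructed sample: SENT/RCVD lines as printed by `nmap --packet-trace` during a
# SYN scan. The first eight lines are copied from the trace above; the probe to
# port 31 is added to show a port that never answers.
SAMPLE_TRACE = """\
SENT (4.0794s) TCP 192.168.126.130:58690 > 192.168.126.131:23 S ttl=50 id=20236 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0802s) TCP 192.168.126.130:58690 > 192.168.126.131:21 S ttl=42 id=37211 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0820s) TCP 192.168.126.130:58690 > 192.168.126.131:20 S ttl=50 id=49669 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0831s) TCP 192.168.126.130:58690 > 192.168.126.131:30 S ttl=58 id=24619 iplen=44 seq=4147884221 win=1024 <mss 1460>
SENT (4.0835s) TCP 192.168.126.130:58690 > 192.168.126.131:31 S ttl=58 id=24620 iplen=44 seq=4147884221 win=1024 <mss 1460>
RCVD (4.0791s) TCP 192.168.126.131:23 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2700394672 win=5840 <mss 1460>
RCVD (4.0797s) TCP 192.168.126.131:21 > 192.168.126.130:58690 SA ttl=64 id=0 iplen=44 seq=2705356047 win=5840 <mss 1460>
RCVD (4.0817s) TCP 192.168.126.131:20 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
RCVD (4.0828s) TCP 192.168.126.131:30 > 192.168.126.130:58690 RA ttl=64 id=0 iplen=40 seq=0 win=0
"""

# One TCP trace line: direction, timestamp, source/destination endpoints, flags, TTL.
TRACE_RE = re.compile(
    r"^(?P<dir>SENT|RCVD) \((?P<t>[\d.]+)s\) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) ttl=(?P<ttl>\d+)"
)


def parse_trace(text):
    """Return one dict per TCP SENT/RCVD line; ARP and NSOCK lines do not match."""
    packets = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m is None:
            continue
        p = m.groupdict()
        p["t"] = float(p["t"])
        for key in ("sport", "dport", "ttl"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def infer_port_states(packets, target):
    """Apply the SYN-scan decision rule to the trace: SYN/ACK back means open,
    RST back means closed, and no reply at all is reported as filtered
    (real Nmap retransmits the probe a few times before drawing that conclusion)."""
    states = {}
    for p in packets:
        if p["dir"] == "SENT" and p["dst"] == target and p["flags"] == "S":
            states.setdefault(p["dport"], "filtered")  # provisional until a reply arrives
    for p in packets:
        if p["dir"] != "RCVD" or p["src"] != target or p["sport"] not in states:
            continue
        if "S" in p["flags"] and "A" in p["flags"]:
            states[p["sport"]] = "open"
        elif "R" in p["flags"]:
            states[p["sport"]] = "closed"
    return dict(sorted(states.items()))


def unanswered_probes(packets, target):
    """Ports that were probed but never answered: the ones a firewall silently dropped."""
    return [port for port, state in infer_port_states(packets, target).items()
            if state == "filtered"]


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for port, state in infer_port_states(pkts, "192.168.126.131").items():
        print(f"{port}/tcp {state}")
```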


Table 11.9 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: --iflist, list interfaces and routes.


The --iflist option tells Nmap to print the interfaces and routes it has detected; it is mostly used for debugging routing problems.

root@Wing:~# nmap --iflist www.0day.co

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:36 CST
************************INTERFACES************************
DEV (SHORT) IP/MASK           TYPE   UP MTU  MAC
lo  (lo)  127.0.0.1/8         loopback up 65536
lo  (lo)  ::1/128           loopback up 65536
eth0 (eth0) 192.168.126.130/24    ethernet up 1500 00:0C:29:96:75:2B
eth0 (eth0) fe80::20c:29ff:fe96:752b/64 ethernet up 1500 00:0C:29:96:75:2B

**************************ROUTES**************************
DST/MASK              DEV METRIC GATEWAY
192.168.126.0/24         eth0  0
0.0.0.0/0             eth0  0   192.168.126.2
::1/128              lo   0
fe80::20c:29ff:fe96:752b/128  lo   0
fe80::/64             eth0 256
ff00::/8              eth0 256

root@Wing:~# 


Table 11.10 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: -e, specify the network interface.


The -e option specifies which network interface to send data from. First, let's look at the available interfaces.

root@Wing:~# ifconfig
eth0   Link encap:Ethernet HWaddr 00:0c:29:96:75:2b 
     inet addr:192.168.126.130 Bcast:192.168.126.255 Mask:255.255.255.0
     inet6 addr: fe80::20c:29ff:fe96:752b/64 Scope:Link
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:316840 errors:15 dropped:0 overruns:0 frame:0
     TX packets:374973 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000 
     RX bytes:93509186 (89.1 MiB) TX bytes:33407506 (31.8 MiB)
     Interrupt:19 Base address:0x2000 

lo    Link encap:Local Loopback 
     inet addr:127.0.0.1 Mask:255.0.0.0
     inet6 addr: ::1/128 Scope:Host
     UP LOOPBACK RUNNING MTU:65536 Metric:1
     RX packets:19013 errors:0 dropped:0 overruns:0 frame:0
     TX packets:19013 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:0 
     RX bytes:867762 (847.4 KiB) TX bytes:867762 (847.4 KiB)

root@Wing:~# 


We specify eth0 as the sending interface.

root@Wing:~# nmap -e eth0 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:39 CST
Nmap scan report for 192.168.126.131
Host is up (0.00029s latency).
Not shown: 977 closed ports
PORT   STATE SERVICE
21/tcp  open ftp
22/tcp  open ssh
23/tcp  open telnet
25/tcp  open smtp
53/tcp  open domain
80/tcp  open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@Wing:~# 


Table 11.11 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: -oG, resume an interrupted scan.


The --resume option continues an interrupted scan. Scanning a network with Nmap can take a long time, and we may need to spread the scan over several sessions, or the network may drop for some other reason; in such cases --resume picks the scan up again, but it must be paired with the -oN or -oG option.

We save the scan results with -oG to a text file, then press Ctrl+C during the scan to interrupt it.

root@Wing:~# nmap -oG 1.txt -v 192.168.126.1/24

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:54 CST
Initiating ARP Ping Scan at 17:54
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 17:54, 1.95s elapsed (255 total hosts)
Initiating Parallel DNS resolution of 255 hosts. at 17:54
Completed Parallel DNS resolution of 255 hosts. at 17:54, 0.03s elapsed
Nmap scan report for 192.168.126.0 [host down]
Nmap scan report for 192.168.126.3 [host down]
Nmap scan report for 192.168.126.4 [host down]
Nmap scan report for 192.168.126.5 [host down]
Nmap scan report for 192.168.126.6 [host down]
…omitted…
Nmap scan report for 192.168.126.251 [host down]
Nmap scan report for 192.168.126.252 [host down]
Nmap scan report for 192.168.126.253 [host down]
Nmap scan report for 192.168.126.255 [host down]
Initiating Parallel DNS resolution of 1 host. at 17:54
Completed Parallel DNS resolution of 1 host. at 17:54, 0.02s elapsed
Initiating SYN Stealth Scan at 17:54
Scanning 4 hosts [1000 ports/host]
Discovered open port 21/tcp on 192.168.126.131
Discovered open port 3306/tcp on 192.168.126.131
Discovered open port 80/tcp on 192.168.126.131
Discovered open port 22/tcp on 192.168.126.131
Discovered open port 25/tcp on 192.168.126.131
Discovered open port 111/tcp on 192.168.126.131
Discovered open port 23/tcp on 192.168.126.131
Discovered open port 5900/tcp on 192.168.126.131
Discovered open port 139/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.131
Discovered open port 445/tcp on 192.168.126.131
Discovered open port 6000/tcp on 192.168.126.131
Discovered open port 53/tcp on 192.168.126.2
Discovered open port 8180/tcp on 192.168.126.131
Discovered open port 6667/tcp on 192.168.126.131
Discovered open port 1524/tcp on 192.168.126.131
Discovered open port 8009/tcp on 192.168.126.131
Discovered open port 2049/tcp on 192.168.126.131
Discovered open port 5432/tcp on 192.168.126.131
Discovered open port 512/tcp on 192.168.126.131
Discovered open port 1099/tcp on 192.168.126.131
Discovered open port 2121/tcp on 192.168.126.131
Discovered open port 514/tcp on 192.168.126.131
Discovered open port 513/tcp on 192.168.126.131
Completed SYN Stealth Scan against 192.168.126.2 in 0.17s (3 hosts left)
Completed SYN Stealth Scan against 192.168.126.131 in 0.17s (2 hosts left)

root@Wing:~# 


We continue the scan with the --resume option.

root@Wing:~# nmap --resume 1.txt

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 17:54 CST
Initiating ARP Ping Scan at 17:54
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 17:54, 0.20s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 17:54
Completed Parallel DNS resolution of 2 hosts. at 17:54, 0.02s elapsed
Nmap scan report for 192.168.126.255 [host down]
Initiating SYN Stealth Scan at 17:54
Scanning 192.168.126.254 [1000 ports]
Completed SYN Stealth Scan at 17:54, 21.24s elapsed (1000 total ports)
Nmap scan report for 192.168.126.254
Host is up (0.000090s latency).
All 1000 scanned ports on 192.168.126.254 are filtered
MAC Address: 00:50:56:FC:2E:96 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (1 host up) scanned in 21.54 seconds
      Raw packets sent: 2003 (88.084KB) | Rcvd: 1 (28B)
root@Wing:~# 


Nmap picks up where it left off and, once finished, saves the results to 1.txt.

Dnmap is a distributed framework built on Nmap with a client/server architecture: the server takes commands and hands them to clients, which run the Nmap scans and return the results when they finish.

First, download Dnmap from http://sourceforge.net/projects/dnmap/.

root@Wing:/home/dnmap# wget http://sourceforge.net/projects/dnmap/files/dnmap_v0.6.tgz


--2014-06-13 18:07:04-- http://sourceforge.net/projects/dnmap/files/dnmap_v0.6.tgz


…omitted…
100%[======================================>] 12,609   2.67K/s 用时 29s   

2014-06-13 18:07:39 (434 B/s) - 已保存 “dnmap_v0.6.tgz” [12609/12609])

root@Wing:/home/dnmap# 

Extract the archive, then run the server script without arguments to see its options.

root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_server.py 
+-------------------------------------------------------------------------+
| dnmap_server Version 0.6                                                |
| This program is free software; you can redistribute it and/or modify    |
| it under the terms of the GNU General Public License as published by    |
| the Free Software Foundation; either version 2 of the License, or       |
| (at your option) any later version.                                     |
|                                                                         |
| Author: Garcia Sebastian, eldraco@gmail.com                             |
| www.mateslab.com.ar                                                     |
+-------------------------------------------------------------------------+

usage: ./dnmap_server.py <options>
options:
 -f, --nmap-commands    Nmap commands file
 -p, --port    TCP port where we listen for connections.
 -L, --log-file    Log file. Defaults to /var/log/dnmap_server.conf.
 -l, --log-level    Log level. Defaults to info.
 -v, --verbose_level     Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
 -t, --client-timeout     How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
 -s, --sort       Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
 -P, --pem-file     pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.

dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
just delete the '<nmap-commands-file-name>.dnmaptrace' file

root@Wing:/home/dnmap/dnmap_v0.6# 


Create a file containing the scan commands to run, one per line, as shown below.

nmap -sS -p22 192.168.84.0/24 -v -n -oA 192.168.84.0
nmap -sS -p22 192.168.126.0/24 -v -n -oA 192.168.126.0
nmap -sS -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sP -p22 192.168.3.0/24 -v -n -oA 192.168.4.0
nmap -sS --top-ports 100 192.168.3.3 -v -n -oA 192.168.3.3.top100
nmap -sS --top-ports 100 192.168.3.4 -v -n -oA 192.168.3.4.top100
nmap -sS --top-ports 100 192.168.3.5 -v -n -oA 192.168.3.5.top100

Start the Dnmap server; the -f option points to our command file.

root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_server.py -f /home/test
+-------------------------------------------------------------------------+
| dnmap_server Version 0.6                                                |
| This program is free software; you can redistribute it and/or modify    |
| it under the terms of the GNU General Public License as published by    |
| the Free Software Foundation; either version 2 of the License, or       |
| (at your option) any later version.                                     |
|                                                                         |
| Author: Garcia Sebastian, eldraco@gmail.com                             |
| www.mateslab.com.ar                                                     |
+-------------------------------------------------------------------------+

=| MET:0:00:00.000735 | Amount of Online clients: 0 |=
=| MET:0:00:05.006164 | Amount of Online clients: 0 |=
=| MET:0:00:10.005340 | Amount of Online clients: 0 |=


Open another terminal and connect a Dnmap client to the server.

root@Wing:/home/dnmap/dnmap_v0.6# ./dnmap_client.py -s 192.168.126.130 -a test
+--------------------------------------------------------------------------+
| dnmap Client Version 0.6                                                 |
| This program is free software; you can redistribute it and/or modify     |
| it under the terms of the GNU General Public License as published by     |
| the Free Software Foundation; either version 2 of the License, or        |
| (at your option) any later version.                                      |
|                                                                          |
| Author: Garcia Sebastian, eldraco@gmail.com                              |
| www.mateslab.com.ar                                                      |
+--------------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
  Command Executed: nmap -sS -p22 192.168.84.0/24 -v -n -oA 192.168.84.0 
  Sending output to the server...
Waiting for more commands....


Both Dnmap windows now scroll continuously until the scans complete.

Dnmap stores the scan results in the nmap_output directory.

root@Wing:/home/dnmap/dnmap_v0.6/nmap_output# ls
192.168.126.0.gnmap           192.168.3.4.top100.gnmap       192.168.4.0.gnmap
192.168.126.0.nmap            192.168.3.4.top100.nmap        192.168.4.0.nmap
192.168.126.0.xml             192.168.3.4.top100.xml         192.168.4.0.xml
192.168.3.3.top100.gnmap      192.168.3.5.top100.gnmap       192.168.84.0.gnmap
192.168.3.3.top100.nmap       192.168.3.5.top100.nmap        192.168.84.0.nmap
192.168.3.3.top100.xml        192.168.3.5.top100.xml         192.168.84.0.xml
root@Wing:/home/dnmap/dnmap_v0.6/nmap_output#

The power of NSE scripts was demonstrated in earlier chapters. Nmap provides a rich API, and combined with the Lua programming language it lets you develop NSE scripts for all kinds of situations simply and efficiently. This section develops an NSE script around a concrete need of ours.

Writing NSE scripts requires a grounding in Lua or comparable programming experience. First, let's look at how NSE comments work.

-- The scanning module --

A comment starts with "--".

-- The scanning module -- 
author = "Wing"
categories = {"version"}

portrule = function(host, port) 
  return port.protocol == "tcp" and port.number == 80 and port.state == "open" 
end 

action = function(host, port) 
  return "Found!!!" 
end

When this NSE script is used, it reports "Found!!!" whenever it finds port 80 open; the code above restricts it to the TCP protocol, port 80, and the open state.

Let's try a scan with it.

root@kali:~# nmap -p80 --script found80 192.168.1.100-120

Starting Nmap 6.46 ( http://nmap.org ) at 2014-10-17 20:14 CST
Nmap scan report for 192.168.1.100
Host is up (0.00070s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.101
Host is up (0.00093s latency).
PORT  STATE  SERVICE
80/tcp filtered http

…omitted…

Nmap scan report for 192.168.1.110
Host is up (0.0012s latency).
PORT  STATE SERVICE
80/tcp open http
|_found80: Found!!!

Nmap scan report for 192.168.1.111
Host is up (0.00024s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.112
Host is up (0.00020s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.113
Host is up (0.00066s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.114
Host is up (0.00045s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.115
Host is up (0.00028s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.116
Host is up (0.00018s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.117
Host is up (0.00026s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.118
Host is up (0.00021s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.119
Host is up (0.00019s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.120
Host is up (0.00022s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap done: 21 IP addresses (21 hosts up) scanned in 3.63 seconds
root@kali:~# 


IP 192.168.1.110 was found with port 80 open, and the "Found!!!" message appeared.

-- The scanning module --
author = "Wing"
categories = {"version"}

local http = require "http"

-- Run only against an open TCP port 80
portrule = function(host, port)
  return (port.number == 80) and (port.state == "open")
end

-- Request /admin.php and report only when the server actually serves it
action = function(host, port)
  local uri = "/admin.php"
  local response = http.get(host, port, uri)
  if response and response.status == 200 then
    return "Found!!!"
  end
  -- returning nil prints nothing, so hosts without admin.php stay silent
  return nil
end

This script looks for admin.php under the web root and returns "Found!!!" to tell the user when it finds it. We use it to scan an IP range.

root@kali:~# nmap -p80 --script scanadmin 192.168.1.100-120

Starting Nmap 6.46 ( http://nmap.org ) at 2014-10-17 20:21 CST
Nmap scan report for 192.168.1.100
Host is up (0.00090s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.101
Host is up (0.00085s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.103
Host is up (0.0040s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap scan report for 192.168.1.110
Host is up (0.00046s latency).
PORT  STATE  SERVICE
80/tcp open http
|_scanadmin: Found!!!

Nmap scan report for 192.168.1.120
Host is up (0.00039s latency).
PORT  STATE  SERVICE
80/tcp filtered http

Nmap done: 21 IP addresses (5 hosts up) scanned in 44.42 seconds
root@kali:~# 


IP 192.168.1.110 was found with port 80 open and admin.php present.

Table 11.12 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: firewalk, probe firewall rules.


Nmap's firewalk script discovers firewall rules by sending probes and analysing the TTL values of the replies.

Run "nmap --script=firewalk --traceroute target" to probe the firewall rules in front of the target server.

root@Wing:~# nmap --script=firewalk --traceroute 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 21:22 CST
Nmap scan report for 192.168.121.1
Host is up (0.68s latency).
Not shown: 987 closed ports
PORT   STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
49152/tcp open   unknown
49153/tcp open   unknown
49155/tcp open   unknown
49157/tcp open   unknown

Host script results:
| firewalk: 
| HOP HOST      PROTOCOL BLOCKED PORTS
|_1  192.168.239.2 tcp    514

TRACEROUTE (using port 8888/tcp)
HOP RTT   ADDRESS
1  9.34 ms 192.168.239.2
2  3.52 ms 192.168.121.1

Nmap done: 1 IP address (1 host up) scanned in 146.12 seconds
root@Wing:~# 


The output shows that hop 1 on the path to the target, 192.168.239.2, blocks TCP port 514.

Table 11.13 repeats the chapter's command table (Table 11.1), with the command covered in this subsection in bold: vmauthd-brute, VMware authentication brute force.


VMware (NYSE: VMW) makes virtual machine software and is the leading vendor of desktop-to-data-center virtualization solutions. Nmap's vmauthd-brute script can brute-force the username and password of a host running VMware.

Run "nmap -p 902 --script vmauthd-brute target" to perform the brute force.

root@Wing:~# nmap -p 902 --script vmauthd-brute 192.168.121.1

Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 21:32 CST
Nmap scan report for 192.168.121.1
Host is up (0.0011s latency).
PORT  STATE SERVICE
902/tcp open iss-realsecure
| vmauthd-brute: 
|  Accounts
|   root:root - Valid credentials
|  Statistics
|_  Performed 1247 guesses in 604 seconds, average tps: 2

Nmap done: 1 IP address (1 host up) scanned in 603.79 seconds
root@Wing:~# 


The output shows that the script found one valid account: the username and password are both root.