The most basic scan:
# nmap 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
#nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)
# nmap 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
62078/tcp open iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds
# nmap 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST
…
# nmap 192.169.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds
#nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
#nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
# nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
#nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
UDP ping is simpler, but less convenient than TCP, and slow.
#nmap -sn -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Scanning host (Nmap) → SYN → target host
Target host → SYN+ACK → scanning host
Scanning host → RST → target host (connection torn down)
Returns Open, Closed or Filtered
#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Completes the full three-way handshake:
Scanning host (Nmap) → SYN → target host
Target host → SYN+ACK → scanning host
Scanning host → ACK → target host (connection established)
#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
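Seen from the scanned host's side, the two handshakes above leave different traces, which is what a sensor uses to tell -sS from -sT. As an added example (not from these notes), the Python below classifies each probed port the way Nmap reports it (open, closed, filtered) from a packet trace and flags a source that touches many ports, labelling the scan half-open when the scanner answers the SYN/ACK with a RST and connect when it answers with an ACK. The Segment class, the 10.0.0.x addresses and the capture are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One TCP segment as a packet capture or flow log would record it."""
    ts: float   # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST

def group_flows(segments):
    """Group segments into flows keyed by (scanner, target, probed_port).
    A SYN opens the flow; a later segment matches either in the scanner's
    direction or, reversed, as the target's reply from the probed port."""
    flows = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        fwd = (seg.src, seg.dst, seg.dport)
        rev = (seg.dst, seg.src, seg.sport)
        if seg.flags == "S":
            flows.setdefault(fwd, []).append(("scanner", "S", seg.ts))
        elif fwd in flows:
            flows[fwd].append(("scanner", seg.flags, seg.ts))
        elif rev in flows:
            flows[rev].append(("target", seg.flags, seg.ts))
    return flows

def classify_flow(events):
    """(port_state, style) as the scanner concluded it: SYN/ACK = open, and the
    scanner then ACKs (-sT, "connect") or resets (-sS, "half-open"); a RST
    from the target = closed; no reply at all = filtered."""
    sides = {(who, flags) for who, flags, _ in events}
    if ("target", "SA") in sides:
        return "open", ("connect" if ("scanner", "A") in sides else "half-open")
    if ("target", "R") in sides:
        return "closed", None
    return "filtered", None

def detect_scans(segments, min_ports=5, window=10.0):
    """Flag a source probing >= min_ports distinct ports on one host within
    `window` seconds; report the port states and the scan style it used."""
    per_pair = defaultdict(list)
    for (scanner, target, port), events in group_flows(segments).items():
        state, style = classify_flow(events)
        per_pair[(scanner, target)].append((events[0][2], port, state, style))
    findings = {}
    for pair, probes in per_pair.items():
        probes.sort()
        if len(probes) < min_ports or probes[-1][0] - probes[0][0] > window:
            continue
        states = Counter(s for _, _, s, _ in probes)
        styles = {st for _, _, _, st in probes if st}
        findings[pair] = {"ports": len(probes), "open": states["open"],
                          "closed": states["closed"], "filtered": states["filtered"],
                          "style": styles.pop() if len(styles) == 1 else
                                   ("mixed" if styles else "unknown")}
    return findings

def _probe(ts, scanner, target, port, state, style="half-open"):
    """Constructed segments for one probe of `port` with the given outcome."""
    sport = 40000 + port  # constructed ephemeral source port
    segs = [Segment(ts, scanner, target, sport, port, "S")]
    if state == "closed":
        segs.append(Segment(ts + 0.001, target, scanner, port, sport, "R"))
    elif state == "open":
        segs.append(Segment(ts + 0.001, target, scanner, port, sport, "SA"))
        segs.append(Segment(ts + 0.002, scanner, target, sport, port,
                            "A" if style == "connect" else "R"))
    return segs

# Constructed capture: a half-open scan of eleven ports against 192.168.0.106
# (outcomes loosely follow the --top-ports 10 result in these notes), plus one
# ordinary client that completes a single handshake to 443.
TARGET = "192.168.0.106"
PROBED = [(21, "closed"), (22, "closed"), (23, "closed"), (25, "closed"),
          (80, "open"), (110, "closed"), (139, "open"), (443, "open"),
          (445, "open"), (3306, "filtered"), (3389, "closed")]
SAMPLE = [s for i, (p, st) in enumerate(PROBED)
          for s in _probe(0.1 * i, "10.0.0.5", TARGET, p, st)]
SAMPLE += _probe(5.0, "10.0.0.9", TARGET, 443, "open", style="connect")

if __name__ == "__main__":
    for (src, dst), f in detect_scans(SAMPLE).items():
        print(f"{src} -> {dst}: {f['style']} scan, {f['ports']} ports "
              f"({f['open']} open, {f['closed']} closed, {f['filtered']} filtered)")
```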
Returns Open and Open|filtered; very slow. A port reported as filtered may actually be open or may be closed.
#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds
#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
1536/tcp open ampr-inter
1537/tcp open sdsc-lm
1538/tcp open 3ds-lm
1539/tcp open intellistor-lm
1550/tcp open 3m-image-lm
1551/tcp open hecmtl-db
1653/tcp open alphatech-lm
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5040/tcp open unknown
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
# nmap -top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds
# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).
PORT STATE SERVICE
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Nmap OS detection is active: it sends 15 probes. It cannot identify the OS with certainty and only makes a guess.
# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds
# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds
Requires root privileges.
# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2269
2383/tcp open ms-olap4?
3000/tcp open ppp?
3306/tcp open mysql MariaDB (unauthorized)
5555/tcp open freeciv?
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
#nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
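The XML written by -oX is the form worth keeping, because it can be compared mechanically against what a host is supposed to expose. As an added example (not from these notes), the Python below parses a constructed nmap.xml fragment in the layout Nmap writes, with ports taken from the scan above, and diffs the open ports against an allowlist so that an unexpected listener such as a database port is reported. The allowlist and the XML sample are constructed.

```python
import xml.etree.ElementTree as ET

def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service}} for every host that is up,
    keeping only the ports Nmap reported as open."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next(a.get("addr") for a in host.findall("address")
                  if a.get("addrtype") == "ipv4")
        open_ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            key = (port.get("protocol"), int(port.get("portid")))
            open_ports[key] = svc.get("name", "") if svc is not None else ""
        hosts[ip] = open_ports
    return hosts

def diff_against_baseline(scan, baseline):
    """baseline: {ip: {(proto, port), ...}} of ports meant to be exposed.
    Returns {ip: {"unexpected": {...}, "missing": {...}}}: an unexpected open
    port is the exposure to act on, a missing one may be an outage."""
    report = {}
    for ip in sorted(set(scan) | set(baseline)):
        observed = scan.get(ip, {})
        expected = baseline.get(ip, set())
        report[ip] = {
            "unexpected": {k: v for k, v in observed.items() if k not in expected},
            "missing": expected - set(observed),
        }
    return report

# Constructed fragment in the layout nmap -oX writes; ports from the scan above.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.92">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="22"><state state="closed" reason="reset"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed allowlist: only the web listeners are supposed to be reachable.
BASELINE = {"192.168.0.106": {("tcp", 80), ("tcp", 443), ("tcp", 8080)}}

if __name__ == "__main__":
    report = diff_against_baseline(parse_open_ports(SAMPLE_XML), BASELINE)
    for ip, finding in report.items():
        for (proto, port), svc in sorted(finding["unexpected"].items()):
            print(f"{ip}: unexpected open {port}/{proto} ({svc})")
        for proto, port in sorted(finding["missing"]):
            print(f"{ip}: expected {port}/{proto} is not open")
```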
Layer | Scope |
---|---|
Application written in-house | internal |
Programming language: PHP, JSP, ASP, ASP.NET | internal |
Web server: IIS, Apache, Nginx, Tomcat | external |
Operating system: Windows, Linux | external |
# dirb http://192.168.0.106:8080/sec/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 15 10:34:09 2022
URL_BASE: http://192.168.0.106:8080/sec/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.106:8080/sec/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/1/
==> DIRECTORY: http://192.168.0.106:8080/sec/10/
==> DIRECTORY: http://192.168.0.106:8080/sec/13/
==> DIRECTORY: http://192.168.0.106:8080/sec/14/
==> DIRECTORY: http://192.168.0.106:8080/sec/15/
==> DIRECTORY: http://192.168.0.106:8080/sec/2/
==> DIRECTORY: http://192.168.0.106:8080/sec/20/
==> DIRECTORY: http://192.168.0.106:8080/sec/21/
==> DIRECTORY: http://192.168.0.106:8080/sec/22/
==> DIRECTORY: http://192.168.0.106:8080/sec/23/
==> DIRECTORY: http://192.168.0.106:8080/sec/24/
==> DIRECTORY: http://192.168.0.106:8080/sec/25/
==> DIRECTORY: http://192.168.0.106:8080/sec/3/
==> DIRECTORY: http://192.168.0.106:8080/sec/30/
==> DIRECTORY: http://192.168.0.106:8080/sec/32/
==> DIRECTORY: http://192.168.0.106:8080/sec/4/
==> DIRECTORY: http://192.168.0.106:8080/sec/42/
==> DIRECTORY: http://192.168.0.106:8080/sec/5/
==> DIRECTORY: http://192.168.0.106:8080/sec/7/
==> DIRECTORY: http://192.168.0.106:8080/sec/8/
==> DIRECTORY: http://192.168.0.106:8080/sec/9/
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
+ http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/
---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
+ http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/js/
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/
---- Entering directory: http://192.168.0.106:8080/sec/10/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/10/img/
+ http://192.168.0.106:8080/sec/10/index.html (CODE:200|SIZE:1107)
==> DIRECTORY: http://192.168.0.106:8080/sec/10/jsp/
…
---- Entering directory: http://192.168.0.106:8080/sec/1/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/1/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/img/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/13/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/15/image/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/jsp/ ----
…
# whatweb http://192.168.0.106:8080/sec/
http://192.168.0.106:8080/sec/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], HTTPServer[Apache-Coyote/1.1], HttpOnly[JSESSIONID], IP[192.168.0.106], Java, Title[WEB 安全测试实验]
#nmap --script ftp-vsftpd-backdoor 192.168.0.106
[*] exec: nmap --script ftp-vsftpd-backdoor 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:16 CST
Nmap scan report for 192.168.0.106
Host is up (0.00099s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
NSE script directory: /usr/share/nmap/scripts
#nmap --script vuln 192.168.0.106
[*] exec: nmap --script vuln 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_ /reports/: Potentially interesting folder (401 Unauthorized)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-trace: TRACE is enabled
| http-enum:
| /examples/: Sample scripts
| /test.php: Test page
| /PMA/: phpMyAdmin
| /pma/: phpMyAdmin
| /active/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /demo/: Potentially interesting folder
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /sec/: Potentially interesting folder
| /server-info/: Potentially interesting folder
|_ /server-status/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /examples/: Sample scripts
| /test.html: Test page
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /docs/: Potentially interesting folder
|_ /sec/: Potentially interesting folder
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 329.10 seconds
#cd /usr/share/nmap/scripts
#git clone https://github.com/scipag/vulscan.git
An extra vulscan directory now appears.
#cd /usr/share/nmap/scripts/vulscan/utilities/updater
# chmod +x updateFiles.sh
# ./updateFiles.sh
Very slow.
-sV must be added.
Full scan (all databases):
# nmap --script=vulscan/vulscan.nse -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:50 CST
Scan against a single csv only:
# nmap --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -sV 192.168.0.106
No. | Name | Exploitability | Prevalence | Detectability | Technical impact |
---|---|---|---|---|---|
A1 | Injection | 3 | 2 | 3 | 3 |
A2 | Broken Authentication | 3 | 2 | 2 | 3 |
A3 | Sensitive Data Exposure | 2 | 3 | 2 | 3 |
A4 | XML External Entities (XXE) | 2 | 2 | 3 | 3 |
A5 | Broken Access Control | 2 | 2 | 2 | 3 |
A6 | Security Misconfiguration | 3 | 3 | 3 | 2 |
A7 | Cross-Site Scripting (XSS) | 3 | 3 | 3 | 2 |
A8 | Insecure Deserialization | 1 | 2 | 2 | 3 |
A9 | Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 |
A10 | Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 |
# apt install zaproxy
# zaproxy
To scan PHP programs, download rips-0.55, place it under htdocs, and open it via http://IP/rips-0.55
Scanning a specified port:
#nc -v 192.168.0.106 8080
192.168.0.106: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.106] 8080 (http-alt) open