nmap and other scanning

Author: 顾翔
Published 2022-09-23 20:17:35
Column: 啄木鸟软件测试

The most basic scan

# nmap 192.168.0.149         
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Scanning for live hosts: -sn

#nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)

Scanning multiple hosts

#nmap 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT      STATE SERVICE
62078/tcp open  iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)


Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds

#nmap 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST
…

#nmap 192.169.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds

Scanning devices with ICMP

ICMP echo request (ping-style) scan: -PE

#nmap -PE 192.168.0.106 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

ICMP timestamp request scan: -PP

#nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

ICMP address mask request scan: -PM

#nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

Scanning devices with TCP

TCP SYN ping: -PS

nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

TCP ACK ping: -PA

#nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

UDP ping: -PU

UDP is simpler, but less convenient than TCP, and slower.

#nmap -sn -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Port scanning

Port categories

  • Well-known ports: 0-1024
  • Registered ports: 1025-49,151
  • Dynamic/private ports: 49,152-65,535

Port states

  • Open: the port is open. nmap sends two SYN requests; the process listening on that port on the server answers with SYN/ACK. After receiving the reply nmap sends two RSTs instead of completing the connection, and the probe of that port is done.
  • Closed: the port is closed. nmap sends two SYN requests; since no process on the server is listening on the port, the kernel answers with RST. When nmap receives the RST it records the result as closed.
  • Filtered: the server drops nmap's SYN packets without answering. nmap has sent two SYN packets and received no reply to either, so it concludes that a firewall on the server is dropping the SYNs.
  • Unfiltered: nmap's default is a SYN scan; with the -sA option (TCP ACK scan) it sends two identical ACK packets in a row. Because these acknowledge a packet the server never sent, the server replies with RST, and when nmap receives that RST it knows the server did not drop the probe. Note that this probe cannot tell whether the port is open or closed; it only confirms that the server received the probe and answered nmap with RST.
  • open|filtered: nmap cannot tell whether the port is open or filtered. This state appears mostly on UDP ports; see the explanation in the UDP section below.
  • closed|filtered: the port is either closed or filtered.

Scan techniques

SYN scan: -sS

nmap host  --SYN-->  target

target  --SYN+ACK-->  nmap host

nmap host  --RST-->  target (connection torn down)

Returns open, closed or filtered

#nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Connect scan: -sT

Completes the full three-way handshake

nmap host  --SYN-->  target

target  --SYN+ACK-->  nmap host

nmap host  --ACK-->  target (connection established)

#nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
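
The port-state rules and the two handshake diagrams above, turned into detection logic as an added example (not code from the original post): a -sS scan leaves many flows that reach SYN/ACK and are then reset, or never get an answer, while a -sT scan and ordinary clients complete the three-way handshake. The log format, the records, and the window/threshold values are constructed for this example; a real sensor (Zeek, NetFlow, a firewall log) carries the same information under its own field names.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records for this example: "timestamp src dst dport flags_seen",
# where flags_seen lists the TCP flags observed on that flow, in order.
#   S,SA,R : SYN, SYN/ACK, then RST from the source -> -sS against an open port
#   S,R    : SYN answered by RST from the target    -> closed port
#   S,S    : SYN retransmitted, never answered      -> filtered port
#   S,SA,A : full three-way handshake               -> -sT, or an ordinary client
SAMPLE_LOG = """\
1655200001 192.168.0.10 192.168.0.106 80 S,SA,R
1655200001 192.168.0.10 192.168.0.106 22 S,R
1655200001 192.168.0.10 192.168.0.106 135 S,SA,R
1655200002 192.168.0.10 192.168.0.106 443 S,SA,R
1655200002 192.168.0.10 192.168.0.106 8443 S,S
1655200002 192.168.0.10 192.168.0.106 3306 S,SA,R
1655200003 192.168.0.10 192.168.0.106 1433 S,SA,R
1655200003 192.168.0.10 192.168.0.106 5555 S,SA,R
1655200004 192.168.0.20 192.168.0.106 80 S,SA,A
1655200005 192.168.0.20 192.168.0.106 443 S,SA,A
1655200009 192.168.0.30 192.168.0.106 8080 S,SA,A
"""

Flow = Tuple[int, str, str, int, Tuple[str, ...]]


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format into (ts, src, dst, dport, flags)."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append((int(ts), src, dst, int(dport), tuple(flags.split(","))))
    return flows


def infer_port_state(flags: Tuple[str, ...]) -> str:
    """Apply the rules from the port-state list: a SYN/ACK means a listener
    answered (open), a bare RST means the kernel refused (closed), and
    silence means something dropped the SYN (filtered)."""
    if "SA" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "filtered"


def handshake_completed(flags: Tuple[str, ...]) -> bool:
    """True when the originator ACKed the SYN/ACK: -sT or a real client.
    A -sS scan never does this; it answers the SYN/ACK with RST."""
    return "SA" in flags and "A" in flags


def detect_syn_scans(flows: List[Flow], window: int = 5, threshold: int = 5) -> Dict[str, int]:
    """Return {src: distinct ports probed} for every source that touched at
    least `threshold` distinct destination ports within `window` seconds
    without completing a handshake. Threshold and window are illustrative."""
    probes: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, _dst, dport, flags in flows:
        if not handshake_completed(flags):
            probes[src].append((ts, dport))
    alerts: Dict[str, int] = {}
    for src, events in probes.items():
        events.sort()
        for i, (start, _port) in enumerate(events):
            # distinct ports touched in the window that opens at this probe
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for src, count in detect_syn_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible SYN scan from {src}: {count} distinct ports probed")
```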

UDP scan: -sU

Returns open or open|filtered. It is very slow, and a port reported as filtered may be either open or closed.

#nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

Scan all ports: -p "*"

#nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
1536/tcp open  ampr-inter
1537/tcp open  sdsc-lm
1538/tcp open  3ds-lm
1539/tcp open  intellistor-lm
1550/tcp open  3m-image-lm
1551/tcp open  hecmtl-db
1653/tcp open  alphatech-lm
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5040/tcp open  unknown
5555/tcp open  freeciv
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)

Scan the n most common ports: --top-ports n

# nmap --top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).


PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   closed ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds

Scan a specific port: -p port

# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).


PORT     STATE SERVICE
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

OS detection

Nmap's OS detection is active: it sends 15 probes. It cannot identify the OS with certainty and only produces a guess.

Basic OS scan: -O

# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds

Only fingerprint hosts that have both open and closed ports: -O --osscan-limit

# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds

Guess the closest matching OS: -O --osscan-guess

Requires root privileges

# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
5555/tcp open  freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds

Scanning target services

Scan techniques

  • Port scan: SYN scan by default
  • Service identification: send probe packets and confirm the service from the reply
  • Version identification: send probe packets and analyze the reply to determine the service version

Service and version scan: -sV

# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
80/tcp   open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp  open  msrpc           Microsoft Windows RPC
139/tcp  open  netbios-ssn     Microsoft Windows netbios-ssn
443/tcp  open  ssl/http        Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp  open  microsoft-ds?
902/tcp  open  ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open  vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open  ms-sql-s        Microsoft SQL Server 2014 12.00.2269
2383/tcp open  ms-olap4?
3000/tcp open  ppp?
3306/tcp open  mysql           MariaDB (unauthorized)
5555/tcp open  freeciv?
8009/tcp open  ajp13           Apache Jserv (Protocol v1.3)
8080/tcp open  http            Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open  http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds

Save the scan results to an XML file: -oX filename

#nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
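
What a defender typically does with the -oX file: parse it and compare the open ports against an allow-list, so that a newly listening service or a missing expected one stands out. This is an added example, not code from the original post; the XML is constructed by hand to mirror the run above (a subset of the ports of 192.168.0.106, plus a host that was down), and the `EXPECTED` baseline is a hypothetical allow-list an administrator would maintain.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed nmap -oX output, trimmed to the elements the parser needs.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX nmap.xml 192.168.0.106" version="7.92">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.106" addrtype="ipv4"/>
    <address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
    <ports>
      <extraports state="closed" count="985"><extrareasons reason="reset" count="985"/></extraports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.155" addrtype="ipv4"/>
  </host>
  <runstats><finished elapsed="1.55"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>
"""

Port = Tuple[str, int]  # (protocol, port number)


def parse_open_ports(xml_text: str) -> Dict[str, Set[Port]]:
    """Return {ipv4 address: {(proto, port), ...}} of open ports per host.

    Hosts that were down are still reported, with an empty set, so a host
    that should have answered but did not stays visible to the caller."""
    root = ET.fromstring(xml_text)
    result: Dict[str, Set[Port]] = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        result[ip] = set()
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                result[ip].add((port.get("protocol"), int(port.get("portid"))))
    return result


def diff_against_baseline(observed: Dict[str, Set[Port]],
                          expected: Dict[str, Set[Port]]) -> Dict[str, Tuple[List[Port], List[Port]]]:
    """Compare scan results with an allow-list.

    Returns {ip: (unexpected_open, missing_expected)}: unexpected_open are
    open ports not on the allow-list (something new is listening), and
    missing_expected are allow-listed ports that were not seen open (a
    service is down, a host did not answer, or a firewall rule changed)."""
    report: Dict[str, Tuple[List[Port], List[Port]]] = {}
    for ip in sorted(set(observed) | set(expected)):
        seen = observed.get(ip, set())
        allowed = expected.get(ip, set())
        report[ip] = (sorted(seen - allowed), sorted(allowed - seen))
    return report


# Hypothetical allow-list: the web front ends and SQL Server are expected on
# .106, SSH on .155; anything else listening is worth a look.
EXPECTED: Dict[str, Set[Port]] = {
    "192.168.0.106": {("tcp", 80), ("tcp", 8080), ("tcp", 1433)},
    "192.168.0.155": {("tcp", 22)},
}

if __name__ == "__main__":
    report = diff_against_baseline(parse_open_ports(SAMPLE_XML), EXPECTED)
    for ip, (extra, missing) in report.items():
        print(f"{ip}: unexpected open {extra}; expected but not open {missing}")
```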

Scanning web servers

Software stack of a web server

The application itself (internal)

Programming language: PHP, JSP, ASP, ASP.NET (internal)

Web server: IIS, Apache, Nginx, Tomcat (external)

Operating system: Windows, Linux (external)

Scanning the directory structure with dirb

# dirb http://192.168.0.106:8080/sec/
-----------------
DIRB v2.22   
By The Dark Raver
-----------------
START_TIME: Wed Jun 15 10:34:09 2022
URL_BASE: http://192.168.0.106:8080/sec/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.106:8080/sec/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/1/
==> DIRECTORY: http://192.168.0.106:8080/sec/10/
==> DIRECTORY: http://192.168.0.106:8080/sec/13/
==> DIRECTORY: http://192.168.0.106:8080/sec/14/
==> DIRECTORY: http://192.168.0.106:8080/sec/15/
==> DIRECTORY: http://192.168.0.106:8080/sec/2/
==> DIRECTORY: http://192.168.0.106:8080/sec/20/
==> DIRECTORY: http://192.168.0.106:8080/sec/21/
==> DIRECTORY: http://192.168.0.106:8080/sec/22/
==> DIRECTORY: http://192.168.0.106:8080/sec/23/
==> DIRECTORY: http://192.168.0.106:8080/sec/24/
==> DIRECTORY: http://192.168.0.106:8080/sec/25/
==> DIRECTORY: http://192.168.0.106:8080/sec/3/
==> DIRECTORY: http://192.168.0.106:8080/sec/30/
==> DIRECTORY: http://192.168.0.106:8080/sec/32/
==> DIRECTORY: http://192.168.0.106:8080/sec/4/
==> DIRECTORY: http://192.168.0.106:8080/sec/42/
==> DIRECTORY: http://192.168.0.106:8080/sec/5/
==> DIRECTORY: http://192.168.0.106:8080/sec/7/
==> DIRECTORY: http://192.168.0.106:8080/sec/8/
==> DIRECTORY: http://192.168.0.106:8080/sec/9/
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
+ http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/

---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
+ http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/js/
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/

---- Entering directory: http://192.168.0.106:8080/sec/10/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/10/img/
+ http://192.168.0.106:8080/sec/10/index.html (CODE:200|SIZE:1107)
==> DIRECTORY: http://192.168.0.106:8080/sec/10/jsp/

…

---- Entering directory: http://192.168.0.106:8080/sec/1/js/ ----

---- Entering directory: http://192.168.0.106:8080/sec/1/jsp/ ----

---- Entering directory: http://192.168.0.106:8080/sec/10/img/ ----

---- Entering directory: http://192.168.0.106:8080/sec/10/jsp/ ----

---- Entering directory: http://192.168.0.106:8080/sec/13/jsp/ ----

---- Entering directory: http://192.168.0.106:8080/sec/15/image/ ----

---- Entering directory: http://192.168.0.106:8080/sec/20/js/ ----

---- Entering directory: http://192.168.0.106:8080/sec/20/jsp/ ----

…

Scanning the web server with whatweb

# whatweb http://192.168.0.106:8080/sec/
http://192.168.0.106:8080/sec/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], HTTPServer[Apache-Coyote/1.1], HttpOnly[JSESSIONID], IP[192.168.0.106], Java, Title[WEB 安全测试实验]

Scanning for operating system vulnerabilities

Scanning for a specific vulnerability

#nmap --script ftp-vsftpd-backdoor 192.168.0.106
[*] exec: nmap --script ftp-vsftpd-backdoor 192.168.0.106


Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:16 CST
Nmap scan report for 192.168.0.106
Host is up (0.00099s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds

Scanning for vulnerabilities by category

Basic usage: --script vuln

The NSE scripts live in /usr/share/nmap/scripts

# nmap --script vuln 192.168.0.106
[*] exec: nmap --script vuln 192.168.0.106


Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
| http-enum:
|   /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_  /reports/: Potentially interesting folder (401 Unauthorized)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-trace: TRACE is enabled
| http-enum:
|   /examples/: Sample scripts
|   /test.php: Test page
|   /PMA/: phpMyAdmin
|   /pma/: phpMyAdmin
|   /active/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
|   /demo/: Potentially interesting folder
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
|   /sec/: Potentially interesting folder
|   /server-info/: Potentially interesting folder
|_  /server-status/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|      
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
1433/tcp open  ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  BID:70574  CVE:CVE-2014-3566
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.securityfocus.com/bid/70574
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
2383/tcp open  ms-olap4
3000/tcp open  ppp
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5555/tcp open  freeciv
8009/tcp open  ajp13
8080/tcp open  http-proxy
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|      
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
|   /examples/: Sample scripts
|   /test.html: Test page
|   /manager/html/upload: Apache Tomcat (401 Unauthorized)
|   /manager/html: Apache Tomcat (401 Unauthorized)
|   /docs/: Potentially interesting folder
|_  /sec/: Potentially interesting folder
8100/tcp open  xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)


Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR


Nmap done: 1 IP address (1 host up) scanned in 329.10 seconds
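As an added example (not part of the original post), a small Python parser that turns the normal-format output of `nmap --script vuln` shown above into a triage list: one entry per NSE script block whose State is VULNERABLE or LIKELY VULNERABLE, with the port, the finding title and any CVE IDs. The sample text is a constructed excerpt of the output on this page.

```python
import re

# Constructed excerpt of nmap's normal output, trimmed from the
# `nmap --script vuln` run above (example data only, not a new scan).
SAMPLE = """\
80/tcp   open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
443/tcp  open  https
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|_    IDs:  CVE:CVE-2007-6750
1433/tcp open  ms-sql-s
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|_    IDs:  BID:70574  CVE:CVE-2014-3566
"""
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+\w+\s+\S+")
SCRIPT_RE = re.compile(r"^\|_? ?([\w-]+):")  # "| ssl-poodle:" or "|_http-csrf: ..."
STATE_RE = re.compile(r"^\|\s+State:\s+(.+?)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

def parse_vuln_findings(text):
    """One dict per NSE script block whose State line contains VULNERABLE."""
    findings, port, entry, after_marker = [], None, None, False
    for line in text.splitlines():
        if m := PORT_RE.match(line):            # new port section
            port, entry = int(m.group(1)), None
        elif m := SCRIPT_RE.match(line):        # new script block under that port
            entry = {"port": port, "script": m.group(1), "title": None,
                     "state": None, "cves": []}
            findings.append(entry)
            after_marker = False
        elif entry is not None:                 # continuation line of the block
            body = line.lstrip("|_ ").strip()
            if after_marker and entry["title"] is None:
                entry["title"] = body           # the line right after "VULNERABLE:"
            after_marker = body == "VULNERABLE:"
            if s := STATE_RE.match(line):
                entry["state"] = s.group(1)
            entry["cves"] += [c for c in CVE_RE.findall(line)
                              if c not in entry["cves"]]
    return [f for f in findings if f["state"] and "VULNERABLE" in f["state"]]
```

Scripts that only report "Couldn't find ..." or an ERROR line carry no State and are dropped, which is what you want when feeding the result into a ticketing or patch-tracking workflow.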

Scanning with the third-party vulscan scripts

Install
#cd /usr/share/nmap/scripts
#git clone https://github.com/scipag/vulscan.git

This adds a vulscan directory under the scripts directory.

Update the vulnerability databases
# cd /usr/share/nmap/scripts/vulscan/utilities/updater
# chmod +x updateFiles.sh
# ./updateFiles.sh

This is very slow.

Usage

The -sV option is required: vulscan matches the version strings returned by service detection against its databases.

Scan against all databases

# nmap --script=vulscan/vulscan.nse -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:50 CST

Scan against a single CSV database

# nmap --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -sV 192.168.0.106

Dedicated vulnerability scanners

  • Rapid7 Nexpose (commercial, partly free)
  • Tenable Nessus (commercial, partly free)
  • OpenVAS (completely free)

Scanning web applications

2017 OWASP Top 10 (risk factors rated 1 to 3, higher is worse)

No.  | Name                                        | Exploitability | Prevalence | Detectability | Technical impact
-----|---------------------------------------------|----------------|------------|---------------|-----------------
A1   | Injection                                   | 3              | 2          | 3             | 3
A2   | Broken Authentication                       | 3              | 2          | 2             | 3
A3   | Sensitive Data Exposure                     | 2              | 3          | 2             | 3
A4   | XML External Entities (XXE)                 | 2              | 2          | 3             | 3
A5   | Broken Access Control                       | 2              | 2          | 2             | 3
A6   | Security Misconfiguration                   | 3              | 3          | 3             | 2
A7   | Cross-Site Scripting (XSS)                  | 3              | 3          | 3             | 2
A8   | Insecure Deserialization                    | 1              | 2          | 2             | 3
A9   | Using Components with Known Vulnerabilities | 2              | 3          | 2             | 2
A10  | Insufficient Logging and Monitoring         | 2              | 3          | 1             | 2

Using Zaproxy

# apt install zaproxy

# zaproxy

RIPS, a PHP code audit tool

To scan PHP programs, download rips-0.55, place it under htdocs, and open http://IP/rips-0.55 in a browser.

Scanning with Netcat

Scan a specific port

#nc -v 192.168.0.106 8080
192.168.0.106: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.106] 8080 (http-alt) open
Originally published: 2022-06-16
