Nmap

Network scanning


Host scanning: find the live hosts in a subnet

Use fping to scan the 192.168.136.0/24 subnet.
-a : show the IPs of live hosts;
-s : print a summary, including the total number of live hosts in the subnet;
-r : set the retry count;
-g : generate the target list from the given subnet.

root@kali:~# fping -a -s -r 1 -g 192.168.136.0/24
192.168.136.1
192.168.136.129
192.168.136.130
192.168.136.131

     254 targets
       4 alive
     250 unreachable
       0 unknown addresses

     250 timeouts (waiting for response)
     504 ICMP Echos sent
       4 ICMP Echo Replies received
       0 other ICMP received

 1.81 ms (min round trip time)
 4.43 ms (avg round trip time)
 8.91 ms (max round trip time)
       14.544 sec (elapsed real time)

Scanning the 192.168.136.0/24 subnet with nmap -sP reports that the hosts at all 255 IPs are up.

root@kali:~# nmap -sP 192.168.136.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:11 CST
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.58 seconds
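As an added check that is not part of the original post, the script below parses the fping summary and nmap's closing line shown above and flags a sweep whose "hosts up" count equals the whole block size, which is what the -sP run here reports while fping found only 4 live hosts. The sample inputs are copied from the runs above; the script is written in Python rather than the shell the post uses.

```python
import re

# Constructed sample inputs: the fping -a -s and nmap -sP results shown above.
FPING_OUTPUT = """\
192.168.136.1
192.168.136.129
192.168.136.130
192.168.136.131

     254 targets
       4 alive
     250 unreachable
"""
NMAP_DONE = "Nmap done: 256 IP addresses (256 hosts up) scanned in 2.58 seconds"

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SUMMARY_RE = re.compile(r"^(\d+) (targets|alive|unreachable)$")
NMAP_DONE_RE = re.compile(r"Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

def parse_fping(text):
    """Return (live_ips, summary counts) from 'fping -a -s' output."""
    live, summary = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if IP_RE.match(line):
            live.append(line)
        elif m := SUMMARY_RE.match(line):
            summary[m.group(2)] = int(m.group(1))
    return live, summary

def parse_nmap_done(text):
    """Return (addresses scanned, hosts reported up) from nmap's closing line."""
    m = NMAP_DONE_RE.search(text)
    return int(m.group(1)), int(m.group(2))

def check_discovery(fping_text, nmap_text):
    """Cross-check the two sweeps; an empty list means they agree."""
    live, summary = parse_fping(fping_text)
    scanned, up = parse_nmap_done(nmap_text)
    warnings = []
    if up == scanned:
        # A /24 has only 254 usable host addresses, so "256 up" counts the network
        # and broadcast addresses too: something is answering for the whole range.
        warnings.append(f"nmap reports all {scanned} addresses up; result is not trustworthy")
    alive = summary.get("alive", len(live))
    if up != alive:
        warnings.append(f"live host count disagrees: fping {alive} vs nmap {up}")
    return warnings
```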

Port scanning: find the TCP/UDP ports on the target that are in the listening state for network services

Use nmap to scan the target for open ports.
-sS : TCP SYN scan.
-sU : UDP port scan.

root@kali:~# nmap -sS 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:17 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (2.0s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp

Nmap done: 1 IP address (1 host up) scanned in 10.53 seconds
root@kali:~# nmap -sS 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:20 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.7s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds
root@kali:~# nmap -sS 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:21 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (1.00s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell

Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds

What is a port, and what is it used for?

A host with one IP address can provide many services, such as Web, FTP and SMTP, and all of them can be reached through that single IP address. The relationship between an IP address and network services is one-to-many, and "IP address + port number" is what distinguishes the different services.
Both TCP and UDP define a port range of 1-65535 (64K ports).
Services that need stable, reliable transport, such as HTTP, SSH, FTP and SMTP, choose TCP.
Applications that need fast transfer but can tolerate packet loss, such as QQ video and DNS, choose UDP.

Host operating system scanning

Use nmap to detect the target's operating system.
-O : actively probe the target's operating system type.

root@kali:~# nmap -O 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:02 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (0.43s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.37 seconds
root@kali:~# nmap -O 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:04 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (0.11s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.07 seconds
root@kali:~# nmap -O 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:06 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.26 seconds

Host OS detection works as follows:

1. Nmap ships with fingerprints of more than 2,600 known systems (in the file nmap-os-db). This fingerprint database is the reference set for comparison.
2. Nmap picks one open and one closed port and sends carefully crafted TCP/UDP/ICMP packets to them; the responses are used to generate a fingerprint of the system.
3. The generated fingerprint is compared against the entries in nmap-os-db to find a matching system. If there is no exact match, the possible systems are listed with probabilities.

CPE?

CPE (Common Platform Enumeration) is the standardized naming scheme for platforms (hardware, operating systems and applications) that nmap uses in the "OS CPE" lines above, for example cpe:/o:microsoft:windows_7.

Network service enumeration: actively probe the type and version of the application services bound to the open ports on the target

-sV : probe the type and version of the application services bound to the target's open ports.

root@kali:~# nmap -sV 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 17:35 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.1s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet       Linux telnetd
25/tcp   open  smtp         Postfix smtpd
53/tcp   open  domain       ISC BIND 9.4.2
80/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind      2 (RPC #100000)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec         netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry  GNU Classpath grmiregistry
1524/tcp open  shell        Metasploitable root shell
2049/tcp open  nfs          2-4 (RPC #100003)
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql?
5432/tcp open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc          VNC (protocol 3.3)
6000/tcp open  X11          (access denied)
6667/tcp open  irc          Unreal ircd
8009/tcp open  ajp13        Apache Jserv (Protocol v1.3)
8180/tcp open  http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.88 seconds
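An added example, not code from the original post, that turns the nmap reports above into structured data: the PORT/STATE/SERVICE/VERSION table from the -sS and -sV scans and the "Running (JUST GUESSING)" percentages that step 3 of the -O procedure produces when there is no exact fingerprint match. It then lists the open ports whose service nmap only guessed (a trailing "?", as on 513/tcp and 3306/tcp above) or could not version, which are the ones to verify by hand. The sample report is constructed from the page's 192.168.136.131 scan; the OpenSSH version string in it is assumed.

```python
import re

# Constructed sample: the nmap -O report for 192.168.136.131 from the page, with a
# VERSION column in the style of the page's -sV output. The OpenSSH version string
# is assumed for illustration, not taken from a scan of this host.
SAMPLE_REPORT = """\
Nmap scan report for localhost (192.168.136.131)
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE VERSION
22/tcp  open     ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
513/tcp open     login?
514/tcp filtered shell
Running (JUST GUESSING): Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%)
No exact OS matches for host (test conditions non-ideal).
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")
OS_RE = re.compile(r"^Running(?: \(JUST GUESSING\))?: (.+)$")
GUESS_RE = re.compile(r"^(.*?)(?: \((\d+)%\))?$")

def parse_report(text):
    """Parse one host's nmap normal-output report into a dict."""
    host = {"name": None, "ip": None, "ports": [], "os_guesses": [], "exact_os_match": True}
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOST_RE.match(line):
            host["name"], host["ip"] = m.group(1), m.group(2) or m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            # A trailing '?' means nmap only guessed the service from the port number
            host["ports"].append({"port": int(port), "proto": proto, "state": state,
                                  "service": service.rstrip("?"),
                                  "guessed": service.endswith("?"), "version": version})
        elif m := OS_RE.match(line):
            # Percentages are present only when nmap has no exact fingerprint match
            for item in m.group(1).split(", "):
                g = GUESS_RE.match(item)
                host["os_guesses"].append((g.group(1), int(g.group(2)) if g.group(2) else None))
        elif line.startswith("No exact OS matches"):
            host["exact_os_match"] = False
    return host

def unverified_services(host):
    """Open ports whose service was only guessed or carries no version: verify by hand."""
    return [p for p in host["ports"]
            if p["state"] == "open" and (p["guessed"] or p["version"] is None)]
```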
posted @ 2017-04-26 17:41 qing蒸yu