Advanced Nmap Scanning

I. Basic scans

Scan for live IP addresses (both target specs below cover the same /24; either form works):
nmap -sn 192.168.112.0/24 192.168.112.1-255
Scan ports:
SYN (half-open) scan: nmap -sS 192.168.112.200
Full TCP connect scan (three-way handshake): nmap -sT 192.168.112.200
Scan specific ports:
nmap -p10-200 192.168.112.200
nmap -p21,22,25,80,445,3306,1521,8080,8888 192.168.112.200
Scan ports and service versions:
nmap -sV 192.168.112.200
Detect the operating system:
nmap -O 192.168.112.188
The "do everything" switch (OS detection, version detection, script scan and traceroute):
nmap -A 192.168.112.188

II. Script scans

Nmap's built-in NSE scripts extend its functionality. The command syntax is:

nmap --script=<category name or script name> 192.168.112.200

Script categories:
auth: scripts that handle authentication credentials or bypass authentication
broadcast: discover more services on the local network, such as dhcp/dns/sqlserver
brute: brute-force password guessing against common applications such as http/snmp
default: the scripts run by default with -sC or -A; basic script-scanning capability
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: denial-of-service tests
exploit: exploit known vulnerabilities to compromise the system
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send malformed packets to the target to uncover potential vulnerabilities
intrusive: intrusive scripts; these may be logged or blocked by the target's IDS/IPS
malware: detect whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; scripts considered safe to run
version: scripts that enhance service and version detection
vuln: check whether the target has well-known vulnerabilities (for example MS08_067)

All scripts can be found in Kali under the directory /usr/share/nmap/scripts
For the usage and arguments of each script, see: https://nmap.org/nsedoc/scripts/

1. Check the SSH authentication methods
nmap -p22 --script=auth 192.168.112.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-20 22:31 EST
Nmap scan report for 192.168.112.200 (192.168.112.200)
Host is up (0.00081s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-publickey-acceptance: 
|_  Accepted Public Keys: No public keys accepted
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|     gssapi-keyex
|     gssapi-with-mic
|_    password
MAC Address: 00:0C:29:F2:89:25 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds

The output shows that password authentication is supported, so password brute-forcing can be attempted.

2. Brute-forcing SSH

Documentation: https://nmap.org/nsedoc/scripts/ssh-brute.html

Using the built-in word lists

nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 192.168.112.200

Using custom word lists (the two script arguments must be comma-separated, otherwise nmap treats the second one as a target)

nmap -p 22 --script ssh-brute --script-args userdb=/home/kali/dict/username-top500.txt,passdb=/home/kali/dict/password-top500.txt 192.168.112.200
22/ssh open  ssh
| ssh-brute:
|  Accounts
|    username:password
|  Statistics
|_   Performed 32 guesses in 25 seconds.

The SNETCracker weak-password checker, a GUI tool, can also be used for this.

3. Scan a host for vulnerabilities
nmap --script=vuln 192.168.112.200
|_http-dombased-xss: Couldn't find any DOM based XSS.
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
443/tcp  open  https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /phpmyadmin/: phpMyAdmin
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting folder w/ directory listing
|   /security/: Potentially interesting folder w/ directory listing
|_  /webalizer/: Potentially interesting folder w/ directory listing
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3306/tcp open  mysql
MAC Address: 00:0C:29:F2:89:25 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 103.79 seconds
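Turning the script output from sections 1 and 3 into findings, as an added example (not part of the original post and not an Nmap feature): parse_nmap_scripts reads nmap's normal-format output as shown above into {port: {script: lines}}, and risk_findings flags what a defender would ticket (password authentication on SSH, scripts reporting VULNERABLE, DH moduli under 2048 bits). The sample text, the function names and the 2048-bit threshold are this example's own assumptions.

```python
import re
# Constructed sample: an excerpt of the nmap normal-format output shown on this page.
SAMPLE = """\
22/tcp open  ssh
| ssh-auth-methods:
|   Supported authentication methods:
|_    password
443/tcp  open  https
| ssl-dh-params:
|     State: VULNERABLE
|             Modulus Length: 1024
3306/tcp open  mysql
"""
# A script result begins directly after "| " or "|_"; more-indented lines continue it.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")
SCRIPT_RE = re.compile(r"^\|(?:_| )([a-z][a-z0-9-]*):\s*(.*)$")

def parse_nmap_scripts(text):
    # Returns {port: {script_name: [output lines]}} from nmap's normal (-oN) output.
    results, port, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, script = f"{m.group(1)}/{m.group(2)}", None
            results[port] = {}
            continue
        if port is None or not line.startswith("|"):
            continue  # header lines, MAC address, "Nmap done" etc.
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            results[port][script] = [m.group(2)] if m.group(2) else []
        elif script:
            results[port][script].append(line.lstrip("|_ ").rstrip())
    return results

def risk_findings(results):
    """(port, script, message) triples worth a ticket; the thresholds are this example's own."""
    out = []
    for port, scripts in results.items():
        for name, body in scripts.items():
            text = "\n".join(body)
            if "State: VULNERABLE" in text:
                out.append((port, name, "script reports VULNERABLE"))
            if name == "ssh-auth-methods" and "password" in body:
                out.append((port, name, "password authentication enabled; allow keys only"))
            m = re.search(r"Modulus Length: (\d+)", text)
            if m and int(m.group(1)) < 2048:
                out.append((port, name, f"DH modulus is {m.group(1)} bits, want >= 2048"))
    return out
```

Feed it the saved output of `nmap -oN scan.txt ...` to get the same triples for a real scan.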
