前提:内网是10网段的,几乎所有机器都开了80和22端口,所以以此为依据认为扫描到的都是在线的IP。
目标是得到在线的IP启动了哪些端口,尽量猜测端口对应的服务。
- Centos7 (macos用brew直接安装就行)
- Nmap 6.47
- Masscan 1.0.4
- Python 2.7.x
centos7
sudo yum install nmap
## masscan 需要编译安装了
sudo yum install git gcc make libpcap-devel
git clone https://github.com/robertdavidgraham/masscan
cd masscan/
make
sudo make install
macos
brew install masscan
brew install nmap
使用方法
sudo masscan -p22,80 10.0.0.0/8 --rate=15000 -oL ips.txt
cat ips.txt|grep -v '#'|awk '{print $4}'|sort| uniq > avaips.txt
sudo python explore.py avaips.txt
说明:
- 首先用masscan扫描所有开放22,80端口的ip,盲扫为主
- 然后用awk统计所有ip
- 接着对每个IP 1~30000 tcp端口扫描,找出来存活的端口,在用 Nmap做服务识别
explore.py
# coding:utf-8
import os
import sys
import subprocess
scan = 'sudo masscan -p1-30000 {0} --rate 15000 -oL tmp.txt'
nmap_scan = 'nmap --version-all {0} -p{1}'
def run_command(cmd):
"""given shell command, returns communication tuple of stdout and stderr"""
sp = subprocess.Popen(cmd, shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
sp.wait()
return sp.communicate()
def clear_tmp(filename):
try:
os.remove(filename)
except:
pass
def ip_scan(filename):
with open(filename) as f:
for line in f:
ip = line.strip()
run_command(scan.format(ip))
ports_scan(ip)
def ports_scan(ip):
ports = []
with open('tmp.txt') as ff:
for item in ff:
if item.startswith('#'):
continue
sel = item.strip().split()
ports.append(sel[2])
if len(ports) == 0:
return
stdout, stderr = run_command(nmap_scan.format(ip, ','.join(ports)))
if stderr != "":
print 'error', stderr
return
ress = stdout.split('\n')
flag = False
with open('res.txt', 'a+') as f:
f.write('ip: ' + ip + '\n')
for r in ress:
if r.startswith('PORT'):
flag = True
continue
if flag and len(r) > 3 and r.find('open') > 0:
port, _, service = r.split()
f.write('- {0} {1}\n'.format(port, service))
if __name__ == "__main__":
args = sys.argv
if len(args) < 2:
print 'Usage: %s ip_list_file.txt' % args[0]
sys.exit(1)
clear_tmp('red.txt')
ip_scan(args[1])
clear_tmp('tmp.txt')
整个过程比较慢,可以优化的地方,使用多进程,pipeline等。
得到的结果像下面的样子
ip: 10.0.10.12
- 22/tcp ssh
- 18089/tcp unknown
- 19088/tcp unknown
- 19088/tcp unknown
- 19089/tcp unknown
ip: 10.0.10.1
- 22/tcp ssh
- 23/tcp telnet
ip: 10.0.10.12
- 22/tcp ssh
- 18089/tcp unknown
- 19088/tcp unknown
- 19089/tcp unknown
...
python调用的命令
扫描某个ip开放的tcp端口
sudo masscan -p1-30000 10.0.10.44 --rate 15000
服务识别,很多识别不出来,这部分也可以自己写,不过要搜集很多服务指纹,没找到很好的替代品
nmap --version-all 10.101.1.249 -p80,22,3456,10050
主要提供一个思路,可以根据需要修改和优化。