【kali-信息收集】（1.6）服务的指纹识别：Nmap、Amap

目录

一、简介

1.1、概述：

二、工具

2.1、Nmap（识别服务指纹信息）

使用：

测试：

2.2、Amap（服务枚举工具）

简介：

安装：

命令：

使用：

---

一、简介

1.1、概述：

为了确保有一个成功的渗透测试 ， 必须需要知道目标系统中服务的指纹信息。 服务指 纹信息包括服务端口 、 服务名和版本等

---

---

二、工具

2.1、Nmap（识别服务指纹信息）

使用：

【端口扫描工具】nmap核心使用方法https://blog.csdn.net/qq_53079406/article/details/125263917?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165932934416781432923359%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165932934416781432923359&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125263917-null-null.nonecase&utm_term=nmap&spm=1018.2226.3001.4450nmap“扫描基础”“端口扫描技术”“服务和版本探测”“操作系统探测”“时间和性能”“防火墙/IDS躲避和哄骗”相关参考指南https://blog.csdn.net/qq_53079406/article/details/122759253?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165932934416781432923359%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165932934416781432923359&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-4-122759253-null-null.nonecase&utm_term=nmap&spm=1018.2226.3001.4450

---

测试：

用Nmap工具查看39.106.226.142服务上正在运行的端口

nmap -sV 39.106.226.142 

可以查看到目标服务器上运行的端口号、各个端口对应的服务及版本信息

2.2、Amap（服务枚举工具）

简介：

Amap是一个服务枚举工具。 使用该工具能识别正运行在 一 ·个指定端口或一个范围端
口上的应用程序

---

安装：

sudo apt install amap 

---

命令：

Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
Modes:
  -A         Map applications: send triggers and analyse responses (default)
  -B         Just grab banners, do not send triggers
  -P         No banner or application stuff - be a (full connect) port scanner
Options:
  -1         Only send triggers to a port until 1st identification. Speeeeed!
  -6         Use IPv6 instead of IPv4
  -b         Print ascii banner of responses
  -i FILE    Nmap machine readable outputfile to read ports from
  -u         Ports specified on commandline are UDP (default is TCP)
  -R         Do NOT identify RPC service
  -H         Do NOT send application triggers marked as potentially harmful
  -U         Do NOT dump unrecognised responses (better for scripting)
  -d         Dump all responses
  -v         Verbose mode, use twice (or more!) for debug (not recommended :-)
  -q         Do not report closed ports, and do not print them as unidentified
  -o FILE [-m] Write output to file FILE, -m creates machine readable output
  -c CONS    Amount of parallel connections to make (default 32, max 256)
  -C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
  -T SEC     Connect timeout on connection attempts in seconds (default 5)
  -t SEC     Response wait timeout in seconds (default 5)
  -p PROTO   Only send triggers for this protocol (e.g. ftp)
  TARGET PORT   The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options "-bqv" are recommended, add "-1" for fast/rush checks.

---

使用：

用Amap 工具在指定的端口（或一段范围）， 测试目标主机39.106.226.142上正在运行的应用程序

amap -bqv 39.106.226.142 80