Preface:
Nmap has become the scanner every hacker keeps at hand; this post is a detailed tutorial on Nmap, the king of scanners.
Installing Nmap:
Windows: download the build for your platform from nmap.org
Linux: apt install nmap
I. What is Nmap?
Nmap, short for Network Mapper, started out as a network scanning and sniffing toolkit for Linux.
Nmap is an open-source network discovery and security auditing tool, designed to scan large networks quickly.
Nmap website: https://nmap.org/
Port states reported by Nmap:
State             Meaning
Open              The port is open: the probe reached the host and a program is listening on the port.
Closed            The port is closed: the probe reached the host but no program is listening on the port.
Filtered          The probe did not reach the host and nothing came back; it was dropped by a firewall or IDS.
Unfiltered        The probe reached the host, but the port's current state cannot be determined.
Open|Filtered     No response for the port; occurs mainly in UDP, IP protocol, FIN, NULL and Xmas scans.
Closed|Filtered   Only occurs in IP ID idle scans.
II. How to use it:
1. nmap syntax
nmap (options) (target):
target: IP address
Options:
-O: enable OS detection
-P0: scan only, without pinging the host
-PT: use a TCP ping
-sV: probe for service version information
-sP: ping scan, only checks whether the target host is alive
-PS: send SYN packets (TCP SYN ping)
-PU: send a UDP ping
-PE: force a plain ICMP ping
-PB: default mode, uses both ICMP ping and TCP ping
-6: use IPv6 addresses
-v: verbose, more information about the scan
-d: increase debugging output
-oN: normal, human-readable output
-oX: write the results in XML format to the given file
-oM: machine-readable output
-A: use all advanced scan options
--resume: resume a previously interrupted scan
-p: ports to scan; a single port, several ports separated by commas, or a range written with "-"
-e: on a Linux system with several network interfaces, the interface to scan from
-g: use the given port as the source port of the scan
--ttl: time-to-live of the scan packets sent
--packet-trace: print the packets sent and received during the scan
--scanflags: set the TCP flags in the scan packets
--send-eth/--send-ip: send at the raw Ethernet level / send raw IP packets
2. Example:
Sample run:
E:\zm>nmap -sV -Pn --script=vuln 192.168.10.103
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-30 20:55 中国标准时间
Stats: 0:02:36 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 20:58 (0:00:41 remaining)
Stats: 0:02:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 20:58 (0:00:42 remaining)
Nmap scan report for 192.168.10.103
Host is up (0.0013s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
25/tcp filtered smtp
110/tcp filtered pop3
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Date: Wed, 30 Mar 2022 12:55:34 GMT
| Connection: close
| Content-Security-Policy: block-all-mixed-content
| Content-Type: text/plain; charset=utf-8
| Strict-Transport-Security: max-age=31536000
| X-Content-Type-Options: nosniff
| X-Frame-Options: DENY
| X-XSS-Protection: 1
| Content-Length: 0
| GetRequest:
| HTTP/1.1 403 Forbidden
| Date: Wed, 30 Mar 2022 12:55:34 GMT
| Connection: close
| Content-Security-Policy: block-all-mixed-content
| Content-Type: text/plain; charset=utf-8
| Strict-Transport-Security: max-age=31536000
| X-Content-Type-Options: nosniff
| X-Frame-Options: DENY
| X-XSS-Protection: 1
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 501 Not Implemented
| Date: Wed, 30 Mar 2022 12:55:34 GMT
| Connection: close
| Content-Security-Policy: block-all-mixed-content
| Content-Type: text/plain; charset=utf-8
| Strict-Transport-Security: max-age=31536000
| X-Content-Type-Options: nosniff
| X-Frame-Options: DENY
| X-XSS-Protection: 1
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Wed, 30 Mar 2022 12:55:45 GMT
| Connection: close
| Content-Type: text/html
| Content-Length: 50
| <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
| SIPOptions:
| HTTP/1.1 400 Bad Request
| Date: Wed, 30 Mar 2022 12:56:52 GMT
| Connection: close
| Content-Type: text/html
| Content-Length: 50
|_ <HTML><BODY><H1>400 Bad Request</H1></BODY></HTML>
445/tcp open microsoft-ds?
548/tcp filtered afp
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Microsoft-HTTPAPI/2.0
7000/tcp open afs3-fileserver?
8000/tcp open http-alt?
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 353.40 seconds
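As an added example (not part of the original post), a small Python parser for the normal-output report shown above: it pulls each port's state, service and version, collects NSE script results, and flags any script that reports a (LIKELY) VULNERABLE state together with its CVE ids, so a defender can triage a scan of their own network. The sample report is a constructed excerpt in the same shape as the run above.

```python
import re

# Constructed excerpt in the shape of the report above (not a real capture).
SAMPLE_REPORT = """\
Nmap scan report for 192.168.10.103
PORT STATE SERVICE VERSION
25/tcp filtered smtp
135/tcp open msrpc Microsoft Windows RPC
443/tcp open ssl/https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
445/tcp open microsoft-ds?
|_smb-vuln-ms10-054: false
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script names are lowercase; "State:" starts uppercase and URLs have "://".
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9][a-z0-9-]*):(?: (.*))?$")
STATE_RE = re.compile(r"^\|_?\s*State:\s*(.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_report(text):
    """One dict per port line, with script outputs and per-script vuln state/CVEs."""
    ports, cur, script = [], None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            cur = {"port": int(m[1]), "proto": m[2], "state": m[3], "service": m[4],
                   "version": m[5] or "", "scripts": {}, "vuln": {}}
            ports.append(cur)
            script = None
        elif cur is not None and line.startswith("|"):
            if m := SCRIPT_RE.match(line):        # new script header line
                script = m[1]
                cur["scripts"][script] = m[2] or ""
            elif (m := STATE_RE.match(line)) and script:
                cur["vuln"][script] = {"state": m[1].strip(), "cves": []}
            elif script in cur["vuln"]:           # IDs / References lines
                cur["vuln"][script]["cves"] += CVE_RE.findall(line)
    return ports

def vulnerable_findings(ports):
    """(port, script, state, cves) for scripts reporting (LIKELY) VULNERABLE."""
    return [(p["port"], s, v["state"], sorted(set(v["cves"])))
            for p in ports for s, v in p["vuln"].items()
            if "VULNERABLE" in v["state"] and not v["state"].startswith("NOT")]
```

Normal output is meant for humans and its layout can change between releases; for tooling, the -oX option listed above produces XML, which is the stable interface.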
Examples of NSE script usage:
nmap -sV --script=afp-path-vuln <target>
nmap -sV -sC <target>
nmap --script firewall-bypass <target>