The port scanning techniques in common use fall into a few classes: TCP Connect, TCP SYN, TCP ACK and TCP FIN (with its Xmas and Null variants). They differ in how much of the handshake is completed and in what the reply tells you: a connect scan finishes the three-way handshake, a SYN scan stops after the SYN/ACK or RST comes back, an ACK scan only learns whether a port is filtered, and the FIN family relies on closed ports answering RST while open ports stay silent.
Port scanners in Metasploit
Metasploit's auxiliary modules include several practical port scanners. Enter search portscan to list them:
root@kali:~# msfconsole
......
msf > search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner

msf >
Using the ack scan module in Metasploit. An ACK scan cannot tell open from closed: it sends a bare ACK and reports the ports that answer with RST as unfiltered, which is why the module is described as a firewall scanner. It is used to map filtering rules, not to enumerate services, so no output here simply means no port was classified.
msf > use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(ack) > set THREADS 20
THREADS => 20
msf auxiliary(ack) > run
Using the ftpbounce scan module in Metasploit
msf > use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(ftpbounce) > set THREADS 20
THREADS => 20
msf auxiliary(ftpbounce) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST.
msf auxiliary(ftpbounce) >
The run fails because RHOSTS alone is not enough for this module. An FTP bounce scan does not probe the target directly: it logs in to a third-party FTP server and uses the PORT command to make that server connect to each target port, so BOUNCEHOST (and BOUNCEPORT, default 21) must name an FTP server that still allows PORT to point at a foreign address. Modern FTP daemons refuse this, so the technique rarely works outside lab setups.
Using the tcp scan module in Metasploit. This is a full connect scan: each probe completes the three-way handshake, so it needs no raw-socket privileges, but every open port sees a real connection and may log it.
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(tcp) > set THREADS 20
THREADS => 20
msf auxiliary(tcp) > run
[*] 202.193.58.13: - 202.193.58.13:25 - TCP OPEN
[*] 202.193.58.13: - 202.193.58.13:22 - TCP OPEN
[*] 202.193.58.13: - 202.193.58.13:21 - TCP OPEN
[*] 202.193.58.13: - 202.193.58.13:23 - TCP OPEN
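To make concrete what the tcp module is doing under the hood, here is a small threaded connect scanner. It is an added example, not code from Metasploit: it completes a connect() per port, uses a worker pool in place of the THREADS option, and maps the three outcomes a connect scan can see (handshake completed, RST, no answer) to open, closed and filtered. The target is a listener bound on 127.0.0.1 by the script itself, so it runs offline; the host 202.193.58.13 from the page is not contacted.

```python
"""Minimal threaded TCP connect scanner (added example, not Metasploit code).

Mirrors auxiliary/scanner/portscan/tcp: one full three-way handshake per
port via connect(), with a worker pool standing in for THREADS. The target
is a listener this script binds locally, so the example runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for a single TCP port.

    connect() succeeds  -> open     (SYN/ACK came back, handshake finished)
    ECONNREFUSED        -> closed   (the host answered with RST)
    timeout / no route  -> filtered (nothing came back: dropped by a
                                     firewall, or the host is down)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # socket.timeout is an OSError subclass
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, threads=20, timeout=1.0):
    """Scan `ports` on `host` with `threads` workers; return {port: state}."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(results):
    """Sorted list of ports a scan classified as open."""
    return sorted(p for p, state in results.items() if state == "open")


def start_listener():
    """Constructed target: bind one TCP listener on 127.0.0.1, return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # listener closed: stop accepting
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port():
    """Constructed helper: a port that is currently closed on 127.0.0.1."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, target = start_listener()
    results = connect_scan("127.0.0.1", [target, free_port()])
    for port, state in sorted(results.items()):
        # Same shape as the module's lines: "host:port - TCP OPEN"
        print(f"127.0.0.1:{port} - TCP {state.upper()}")
    srv.close()
```

A SYN scan differs only in where the exchange stops: it reads the SYN/ACK or RST itself from a raw socket and never sends the final ACK, which is why the syn module needs root and why the connection never reaches the listening application.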
Using the xmas scan module in Metasploit. The Xmas probe sets the FIN, PSH and URG flags together. Per RFC 793 a closed port answers such a packet with RST, while an open port ignores it; a firewall that drops the probe produces the same silence, so the module can only report OPEN|FILTERED for any port that stays quiet. In the run below every port shown comes back OPEN|FILTERED, which means no RST was seen at all and the result says nothing about which ports are actually open; Windows and many network devices also send RST for every port regardless of state, which makes this scan type unreliable against them.
msf > use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(xmas) > set THREADS 20
THREADS => 20
msf auxiliary(xmas) > run
[*] TCP OPEN|FILTERED 202.193.58.13:1
[*] TCP OPEN|FILTERED 202.193.58.13:2
[*] TCP OPEN|FILTERED 202.193.58.13:3
[*] TCP OPEN|FILTERED 202.193.58.13:4
[*] TCP OPEN|FILTERED 202.193.58.13:5
[*] TCP OPEN|FILTERED 202.193.58.13:6
[*] TCP OPEN|FILTERED 202.193.58.13:7
[*] TCP OPEN|FILTERED 202.193.58.13:8
[*] TCP OPEN|FILTERED 202.193.58.13:9
[*] TCP OPEN|FILTERED 202.193.58.13:10
[*] TCP OPEN|FILTERED 202.193.58.13:11
[*] TCP OPEN|FILTERED 202.193.58.13:12
[*] TCP OPEN|FILTERED 202.193.58.13:13
[*] TCP OPEN|FILTERED 202.193.58.13:14
[*] TCP OPEN|FILTERED 202.193.58.13:15
[*] TCP OPEN|FILTERED 202.193.58.13:16
[*] TCP OPEN|FILTERED 202.193.58.13:17
[*] TCP OPEN|FILTERED 202.193.58.13:18
[*] TCP OPEN|FILTERED 202.193.58.13:19
[*] TCP OPEN|FILTERED 202.193.58.13:20
[*] TCP OPEN|FILTERED 202.193.58.13:21
[*] TCP OPEN|FILTERED 202.193.58.13:22
[*] TCP OPEN|FILTERED 202.193.58.13:23
[*] TCP OPEN|FILTERED 202.193.58.13:24
[*] TCP OPEN|FILTERED 202.193.58.13:25
[*] TCP OPEN|FILTERED 202.193.58.13:26
[*] TCP OPEN|FILTERED 202.193.58.13:27
[*] TCP OPEN|FILTERED 202.193.58.13:28
[*] TCP OPEN|FILTERED 202.193.58.13:29
[*] TCP OPEN|FILTERED 202.193.58.13:30
[*] TCP OPEN|FILTERED 202.193.58.13:31
[*] TCP OPEN|FILTERED 202.193.58.13:32
[*] TCP OPEN|FILTERED 202.193.58.13:33
[*] TCP OPEN|FILTERED 202.193.58.13:34
[*] TCP OPEN|FILTERED 202.193.58.13:35
[*] TCP OPEN|FILTERED 202.193.58.13:36
[*] TCP OPEN|FILTERED 202.193.58.13:37
[*] TCP OPEN|FILTERED 202.193.58.13:38
[*] TCP OPEN|FILTERED 202.193.58.13:39
[*] TCP OPEN|FILTERED 202.193.58.13:40
[*] TCP OPEN|FILTERED 202.193.58.13:41
[*] TCP OPEN|FILTERED 202.193.58.13:42
[*] TCP OPEN|FILTERED 202.193.58.13:43
[*] TCP OPEN|FILTERED 202.193.58.13:44
[*] TCP OPEN|FILTERED 202.193.58.13:45
[*] TCP OPEN|FILTERED 202.193.58.13:46
[*] TCP OPEN|FILTERED 202.193.58.13:47
[*] TCP OPEN|FILTERED 202.193.58.13:48
[*] TCP OPEN|FILTERED 202.193.58.13:49
Using the syn scan module in Metasploit
In general the syn scanner is the one to reach for: it is fast, its results are accurate, and it is less likely to be noticed by the target, because the handshake is never completed and no connection ever reaches the listening service (an IDS watching for SYNs without a follow-up ACK will still see it). The module crafts the SYN itself and reads the SYN/ACK or RST reply from a raw socket, so it has to run as root with pcap support available. Below is the result of scanning the gateway server (Ubuntu Metasploitable) host; it is essentially consistent with the Nmap result further down.
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(syn) > set THREADS 20
THREADS => 20
msf auxiliary(syn) > run
[*] TCP OPEN 202.193.58.13:21
[*] TCP OPEN 202.193.58.13:22
[*] TCP OPEN 202.193.58.13:23
[*] TCP OPEN 202.193.58.13:25
[*] TCP OPEN 202.193.58.13:53
[*] TCP OPEN 202.193.58.13:80
[*] TCP OPEN 202.193.58.13:111
[*] TCP OPEN 202.193.58.13:139
[*] TCP OPEN 202.193.58.13:445
[*] TCP OPEN 202.193.58.13:512
[*] TCP OPEN 202.193.58.13:513
Of course, you can also run the scan against the host below.
Using the sap_router_portscanner module in Metasploit
msf > use auxiliary/scanner/sap/sap_router_portscanner
msf auxiliary(sap_router_portscanner) > set RHOSTS 202.193.58.13
RHOSTS => 202.193.58.13
msf auxiliary(sap_router_portscanner) > set THREADS 20
THREADS => 20
msf auxiliary(sap_router_portscanner) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOST, TARGETS.
msf auxiliary(sap_router_portscanner) >
This module is not a general-purpose scanner: it tunnels its probes through an SAProuter, so it expects RHOST to be the SAProuter itself (RPORT defaults to 3299) and TARGETS to list the internal hosts to scan behind it. Setting RHOSTS, as the other portscan modules use, does not satisfy either option, hence the validation error.
nmap can also be run from inside Metasploit. Any command msfconsole does not recognise is passed to the system shell, so nmap behaves exactly as it would in a terminal; db_nmap runs it the same way but also stores the hosts and services it finds in the Metasploit database.
Commonly used nmap scan-type options:
-sT: TCP connect scan (completes the handshake; works without root, but the connection shows up in the target's application logs)
-sS: TCP SYN scan (half-open; the default when running as root)
-sF/-sX/-sN: FIN, Xmas and Null scans, which send unusual flag combinations to slip past simple packet filters; they can only separate closed (RST) from open|filtered (no reply)
-sP: ping scan, host discovery only with no port scan (called -sn in current nmap; -sP still works as an alias)
-sU: probe which UDP ports the target has open
-sA: TCP ACK scan (maps which ports are filtered; does not tell open from closed)
Scan options:
-Pn: skip host discovery and treat every target as up, so no ICMP echo or other ping probe is sent before the scan
-O: operating system detection
-F: fast mode, scan only the 100 most common ports instead of the default 1000
-p: port range to scan
msf auxiliary(syn) > nmap -sS -Pn 202.193.58.13
[*] exec: nmap -sS -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:17 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (0.0014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 84:AD:58:82:49:5C (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
msf auxiliary(syn) >
msf auxiliary(syn) > nmap -sV -Pn 202.193.58.13
[*] exec: nmap -sV -Pn 202.193.58.13

Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:18 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (0.0016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 2.3.4
22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet        Linux telnetd
25/tcp   open  smtp          Postfix smtpd
53/tcp   open  domain?
80/tcp   open  http?
111/tcp  open  rpcbind?
139/tcp  open  netbios-ssn?
445/tcp  open  microsoft-ds?
512/tcp  open  exec          netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell         Netkit rshd
1099/tcp open  rmiregistry?
1524/tcp open  shell         Metasploitable root shell
2049/tcp open  nfs?
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql         MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql?
5900/tcp open  vnc           VNC (protocol 3.3)
6000/tcp open  X11?
6667/tcp open  irc           Unreal ircd
8009/tcp open  ajp13?
8180/tcp open  unknown
MAC Address: 84:AD:58:82:49:5C (Unknown)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.50 seconds
msf auxiliary(syn) >
These results can be compared with the module scans above: the eleven ports the syn module reported (21 through 513) are the first eleven in the nmap list, and nmap additionally lists twelve more, 514 through 8180.