Kali Linux Penetration Testing: Active Information Gathering (4): Layer-4 Discovery, Port Scanning (scapy, nmap, dmitry, python socket, amap)

Port scanning

1. nmap
1.1> nmap -sU
  • nmap -sU 192.168.85.152
    # -sU: UDP scan of nmap's default 1000 ports
root@kali:~# nmap -sU 192.168.85.152
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 21:01 CST
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.00043s latency).
Not shown: 999 open|filtered ports
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:32:2A:91 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.81 seconds
  • nmap 192.168.85.156 -sU -p 53
    # scan only port 53
root@kali:~# nmap 192.168.85.156 -sU -p 53
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 20:14 CST
Nmap scan report for 192.168.85.156 (192.168.85.156)
Host is up (0.00043s latency).

PORT   STATE  SERVICE
53/udp closed domain           # port 53 on the target host is closed
MAC Address: 00:0C:29:72:2E:9D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

This shows that port 53 on the target host is closed, which also confirms the result of the scapy UDP scan above. (nmap reports a UDP port as closed only when the target answers with an ICMP port-unreachable message; ports that stay silent are listed as open|filtered, as the 999 ports in the first scan were.)

  • nmap -sS 192.168.85.152 -p 80,21,23,35
    # scan ports 80, 21, 23 and 35
root@kali:~# nmap -sS 192.168.85.152 -p 80,21,23,35
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 20:59 CST
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.0059s latency).

PORT   STATE    SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
35/tcp filtered priv-print
80/tcp filtered http
MAC Address: 00:0C:29:32:2A:91 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds
  • nmap -sS 192.168.244.134 -p 1-65535
    # scan the full range of ports 1-65535
root@kali:~# nmap -sS 192.168.85.152 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 20:56 CST
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.0084s latency).
Not shown: 65532 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:32:2A:91 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 135.60 seconds

  • nmap -sT 192.168.244.134 -p 22 --script=banner
    # grab the banner of port 22 on host .134

Service scan: banner grabbing (low accuracy)

  • A banner can reveal the vendor, software name, service type and version number (which may point directly at known vulnerabilities and weaknesses);
  • The target's banner can only be obtained after a full connection has been established; only then can the application behind the port be identified with any accuracy.
  • Banners are not particularly reliable, so they have to be combined with other service-identification methods: characteristic behaviour and response fields. Different operating systems answer the same request differently, so the differences in responses can be used to identify the underlying operating system.
  • Connecting to a port makes the service return its banner, but the result may be empty, or the banner may have been faked by the administrator.
root@kali:~# nmap -sT 192.168.85.152 -p 22 --script=banner
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 20:54 CST
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.00035s latency).

PORT   STATE    SERVICE
22/tcp filtered ssh
MAC Address: 00:0C:29:32:2A:91 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
  • nmap 192.168.85.152 -O
    # operating system identification
root@kali:~# nmap 192.168.85.152 -O
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-15 20:53 CST
Nmap scan report for 192.168.85.152 (192.168.85.152)
Host is up (0.0010s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:32:2A:91 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|phone
Running: Microsoft Windows 2008|8.1|7|Phone|Vista                      # operating system the target is running
OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS details: Microsoft Windows Server 2008 R2 or Windows 8.1, Microsoft Windows 7 Professional or Windows 8, Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7, Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds
2. dmitry

2.1> dmitry -p 192.168.85.152
# -p: TCP port scan; by default the 150 most common ports are scanned

root@kali:~# dmitry -p 192.168.85.152
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.85.152
HostName:192.168.85.152

Gathered TCP Port information for 192.168.85.152
---------------------------------

 Port		State

135/tcp		open
139/tcp		open

Portscan Finished: Scanned 150 ports, 0 ports were in state closed


All scans completed, exiting

2.2> dmitry -p 192.168.85.152 -o port
# write the output to port.txt; give the name without .txt, dmitry appends it itself

root@kali:~# dmitry -p 192.168.85.152 -o port
Deepmagic Information Gathering Tool
"There be some deep magic going on"

Writing output to 'port.txt'

HostIP:192.168.85.152
HostName:192.168.85.152

Gathered TCP Port information for 192.168.85.152
---------------------------------

 Port		State

135/tcp		open
139/tcp		open

Portscan Finished: Scanned 150 ports, 0 ports were in state closed

段错误

2.3> dmitry -pb 192.168.244.134
# -p: port scan; -b: also read the banner returned by each open port

root@kali:~# dmitry -pb 192.168.85.152
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.85.152
HostName:192.168.85.152

Gathered TCP Port information for 192.168.85.152
---------------------------------

 Port		State

135/tcp		open

Portscan Finished: Scanned 150 ports, 148 ports were in state closed


All scans completed, exiting

3. Python socket module
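The post names the Python socket module but carries no code for it. The following is an added example, not from the original post: a full-connect check in the style of nmap -sT that classifies a port as open, closed or filtered, plus a banner read in the style of amap -B. It runs against a throw-away local service that it starts itself; that service, its constructed greeting and every function name here are this example's own.

```python
import socket
import threading

# Constructed greeting for the throw-away local service below (not a real FTP server).
TEST_BANNER = b"220 constructed-ftp-banner ready\r\n"

def check_tcp_port(host, port, timeout=1.0):
    """Full handshake like nmap -sT: 'open' = connected, 'closed' = RST/refused,
    'filtered' = no reply before the timeout (typically a firewall dropping the SYN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()

def grab_banner(host, port, timeout=1.0, max_bytes=256):
    """Read the service greeting (what amap -B / nmap --script=banner show);
    '' when the service waits for the client to speak first, as HTTP does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes).decode("utf-8", "replace").strip()
        except socket.timeout:
            return ""

def start_test_service(banner=TEST_BANNER):
    """Listen on a free 127.0.0.1 port, greet every client with `banner`, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def free_port():
    """A 127.0.0.1 port with no listener, so connect() is refused ('closed')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against the filtered ports seen in the nmap runs above, check_tcp_port returns "filtered" only after the timeout, which is why scanning a firewalled host takes far longer than scanning one that answers with RSTs.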
4. amap

amap -B 192.168.85.152 21
# -B: banner mode, connect to port 21 and print whatever the service sends back

root@kali:~# amap -B 192.168.85.152 21
amap v5.4 (www.thc.org/thc-amap) started at 2019-08-15 21:42:07 - BANNER mode


amap v5.4 finished at 2019-08-15 21:42:07

No banner was printed: port 21 on this host showed up as filtered in the nmap -sS scan above, so amap never got a connection, let alone a greeting.