Learn more: the ultimate guide to port-scanning tools | 至察助安 - a network security know-how blog
Why probe the C segment: when a carrier assigns addresses to an IDC data center, most of them are contiguous IP addresses, and when those are leased to customers (the penetration target) there is a high probability that the customer receives IPs within the same C segment (/24), unless the target has only a single IP. Scanning with a tool can therefore reveal services in the same segment.
The three scanning tools the author uses most often:
- Nmap
- Masscan
- zmap
Nmap usage
Nmap (Network Mapper) is an open-source tool for network discovery and security auditing. As usual, the command combination I use most often comes first; read on if you want to understand how it works, otherwise just apply it as-is.
```bash
sudo nmap -v -sS -p8000-9000 -Pn -T4 -A 124.*.8.254 --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0"
```
-v: print scan details in real time
```
vulab@sechelper:~/masscan$ nmap -v 124.*.8.254
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-05 04:01 UTC
Initiating Ping Scan at 04:01
Scanning 124.*.8.254 [2 ports]
Completed Ping Scan at 04:01, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:01
Completed Parallel DNS resolution of 1 host. at 04:01, 0.01s elapsed
Initiating Connect Scan at 04:01
Scanning 124.*.8.254 [1000 ports]
Discovered open port 443/tcp on 124.*.8.254
Discovered open port 22/tcp on 124.*.8.254
Discovered open port 80/tcp on 124.*.8.254
...
```
-A: comprehensive (aggressive) scan
```
vulab@sechelper:~$ nmap -A 124.*.8.254   # nmap -A 124.*.8.1/24 scans the live ports of the whole C segment
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-04 12:09 UTC
Nmap scan report for 124.*.8.254
Host is up (0.037s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE    VERSION
22/tcp  open  tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp  open  tcpwrapped
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  tcpwrapped
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=navi.sechelper.com
| Subject Alternative Name: DNS:navi.sechelper.com
| Not valid before: 2022-08-27T00:00:00
|_Not valid after:  2023-08-27T23:59:59
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
```
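An added example, not from the original post, for the defensive side of the same C-segment scan: it parses Nmap's normal output (the format shown above) into a per-host port map, checks that every host lies in the target's /24 as the post describes, and diffs the open ports against an allowlist of approved services. The sample output, addresses, hostnames and baseline are all constructed.

```python
import ipaddress
import re

# Constructed sample in the Nmap normal-output format shown above: two hosts of one /24.
SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-04 12:09 UTC
Nmap scan report for 198.51.100.254
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1
80/tcp  open  http    nginx 1.18.0
443/tcp open  https   nginx 1.18.0
Nmap scan report for web-02 (198.51.100.17)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1
8080/tcp open  http    Apache Tomcat
Nmap done: 256 IP addresses (2 hosts up) scanned in 25.80 seconds
"""

# Host line is either "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def c_segment(ip):
    """The /24 network the post calls the C segment of an address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def parse_nmap_output(text):
    """Map each scanned host to {(port, proto): (state, service)}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current][(int(port), proto)] = (state, service)
    return hosts

def unexpected_exposure(hosts, baseline):
    """Open ports not on a host's allowlist; a host absent from the baseline has none allowed."""
    findings = []
    for ip, ports in hosts.items():
        allowed = baseline.get(ip, set())
        for (port, proto), (state, service) in sorted(ports.items()):
            if state == "open" and (port, proto) not in allowed:
                findings.append((ip, port, proto, service))
    return findings
```

Feed it the saved output of `nmap -A <segment>/24` against your own range and anything it returns is a port that is reachable but not on the approved list.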
-Pn: skip host discovery; do not ping the target before scanning (without this option Nmap pings the target address first)
```
vulab@sechelper:~$ nmap -Pn 124.*.8.254
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-04 13:02 UTC
Nmap scan report for 124.*.8.254
Host is up (0.035s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 25.80 seconds
```
-p: specify the ports to scan
```
vulab@sechelper:~$ nmap -p22,21,8000-9000 124.*.8.254
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-04 21:20 CST
Nmap scan report for 124.*.8.254
Host is up (0.0031s latency).
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
```
-sP: probe host liveness with ping only, without scanning ports
```
vulab@sechelper:~$ nmap -sP 192.168.111.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-04 12:31 UTC
Nmap scan report for _gateway (192.168.111.2)
Host is up (0.00032s latency).
Nmap scan report for sechelper (192
```