• MSF Devil Training Camp - 3.2.1 Live Host Scanning


    Summary:
    msf modules arp_sweep and udp_sweep
    Nmap -sn: host discovery only, using ping probes (as root: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp; ARP requests on a directly attached segment). -PU -sn: host discovery using UDP probes instead of the default set.

    msf discovery modules (auxiliary/scanner/discovery/)
    arp_sweep     commonly used; sends ARP requests, so it only works on the local segment, needs root for the raw socket, and is answered by the target's kernel, so a host firewall that drops ICMP does not hide the host
    ipv6_multicast_ping
    ipv6_neighbor
    ipv6_neighbor_router_advertisement
    udp_probe
    udp_sweep     commonly used; routable (works across subnets) and also reveals the UDP services (DNS, NetBIOS, NTP, ...) on the hosts it finds, since only a host that answers a service probe is reported

    msf > use auxiliary/scanner/discovery/arp_sweep
    msf auxiliary(arp_sweep) > show options
     
    Module options (auxiliary/scanner/discovery/arp_sweep):
     
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       INTERFACE                   no        The name of the interface
       RHOSTS                      yes       The target address range or CIDR identifier
       SHOST                       no        Source IP Address
       SMAC                        no        Source MAC Address
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    5                yes       The number of seconds to wait for new data
     
    msf auxiliary(arp_sweep) > set rhosts 192.168.3.0/24
    rhosts => 192.168.3.0/24
    msf auxiliary(arp_sweep) > set t
    set threads          set timeout          set timestampoutput
    msf auxiliary(arp_sweep) > set threads 100
    threads => 100
    msf auxiliary(arp_sweep) > run
     
    [*] 192.168.3.1 appears to be up (UNKNOWN).
    [*] 192.168.3.20 appears to be up (UNKNOWN).
    [*] 192.168.3.24 appears to be up (UNKNOWN).
    [*] 192.168.3.85 appears to be up (UNKNOWN).
    [*] 192.168.3.88 appears to be up (UNKNOWN).
    [*] 192.168.3.96 appears to be up (UNKNOWN).
    [*] 192.168.3.111 appears to be up (UNKNOWN).
    [*] 192.168.3.133 appears to be up (UNKNOWN).
    [*] 192.168.3.140 appears to be up (UNKNOWN).
    [*] 192.168.3.142 appears to be up (UNKNOWN).
    [*] 192.168.3.144 appears to be up (UNKNOWN).
    [*] 192.168.3.168 appears to be up (UNKNOWN).
    [*] 192.168.3.172 appears to be up (UNKNOWN).
    [*] 192.168.3.176 appears to be up (UNKNOWN).
    [*] 192.168.3.186 appears to be up (UNKNOWN).
    [*] 192.168.3.191 appears to be up (UNKNOWN).
    [*] 192.168.3.199 appears to be up (Raspberry Pi Foundation).
    [*] 192.168.3.211 appears to be up (UNKNOWN).
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(arp_sweep) >
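    What arp_sweep does on the wire, as an added example (this is illustrative code, not code from the page or from Metasploit): build one ARP who-has request per address in the RHOSTS range, send them on a raw socket, and report every ARP reply as "appears to be up" with an OUI vendor lookup. It assumes Linux (AF_PACKET raw sockets, run as root), an interface name eth0, a made-up source MAC 02:00:00:00:00:01, and uses 192.168.3.103 from the nmap output as the scanner's own address; the OUI table holds only three prefixes copied from the nmap output on this page, where a real scanner would use the IEEE OUI list.

```python
import ipaddress
import socket
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa

# Tiny OUI table built from vendor names in the nmap output above (illustration only).
OUI: Dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "8c:ab:8e": "Shanghai Feixun Communication",
    "e4:f8:9c": "Intel Corporate",
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame + ARP packet (42 bytes). Requests go to the broadcast MAC."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), socket.inet_aton(spa),
                      mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell src_ip': what arp_sweep sends for every RHOSTS address."""
    return build_arp(ARP_REQUEST, src_mac, src_ip, "00:00:00:00:00:00", target_ip)


def parse_arp_reply(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (ip, mac) of the replying host, or None if the frame is not an ARP reply."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return socket.inet_ntoa(spa), mac_str(sha)


def vendor(mac: str) -> str:
    """OUI lookup on the first three octets; 'UNKNOWN' mirrors arp_sweep's output."""
    return OUI.get(mac.lower()[:8], "UNKNOWN")


def sweep_frames(src_mac: str, src_ip: str, cidr: str) -> List[bytes]:
    """One request per usable address in the CIDR (the RHOSTS range)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [build_arp_request(src_mac, src_ip, str(h)) for h in net.hosts()]


def arp_sweep(interface: str, src_mac: str, src_ip: str, cidr: str,
              timeout: float = 5.0) -> Dict[str, str]:
    """Send the requests on a raw AF_PACKET socket (Linux, root) and collect replies
    until `timeout` seconds pass with no new data, like the module's TIMEOUT option."""
    found: Dict[str, str] = {}
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((interface, 0))
        s.settimeout(timeout)
        for frame in sweep_frames(src_mac, src_ip, cidr):
            s.send(frame)
        try:
            while True:
                hit = parse_arp_reply(s.recv(65535))
                if hit:
                    found[hit[0]] = hit[1]   # ip -> mac
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    # Assumed interface and addresses; change them to match the scanning host.
    hosts = arp_sweep("eth0", "02:00:00:00:00:01", "192.168.3.103", "192.168.3.0/24")
    for ip, mac in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"[*] {ip} appears to be up ({vendor(mac)}).")
```

    Because the reply comes straight from the target's ARP implementation, a host firewall does not suppress it; the flip side is that ARP never crosses a router, so for remote subnets you need the udp_sweep or an Nmap -P option instead.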
     

     
    msf > use auxiliary/scanner/discovery/udp_sweep
    msf auxiliary(udp_sweep) > show options
     
    Module options (auxiliary/scanner/discovery/udp_sweep):
     
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to probe in each set
       RHOSTS                      yes       The target address range or CIDR identifier
       THREADS    10               yes       The number of concurrent threads
     
    msf auxiliary(udp_sweep) > set rhosts 192.168.3.0/24
    rhosts => 192.168.3.0/24
    msf auxiliary(udp_sweep) > set threads 100
    threads => 100
    msf auxiliary(udp_sweep) > run
     
    [*] Sending 13 probes to 192.168.3.0->192.168.3.255 (256 hosts)
    [*] Discovered DNS on 192.168.3.1:53 (36c8858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3736)
    [*] Discovered NetBIOS on 192.168.3.111:137 (LAPTOP-V63UITPH:<20>:U :LAPTOP-V63UITPH:<00>:U :WORKGROUP:<00>:G :74:c6:3b:9c:00:65)
    [*] Discovered NTP on 192.168.3.199:123 (NTP v4)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
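    The long hex string udp_sweep printed for 192.168.3.1:53 is the raw DNS answer it received. Decoding it, as an added example that is not part of the original page or of Metasploit, shows that the probe was a CHAOS-class TXT query for VERSION.BIND and that the router's resolver answered with its software banner. The sample bytes are copied from the output above; the query builder and the UDP send in the main block are this example's own (hypothetical) code and assume the target answers on port 53.

```python
import socket
import struct
from typing import List, Optional, Tuple

TYPE_TXT, CLASS_CH = 16, 3

# Raw answer udp_sweep printed for 192.168.3.1:53 above (copied from the page).
SAMPLE_RESPONSE = bytes.fromhex(
    "36c8858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3736"
)


def encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_version_bind_query(txid: int) -> bytes:
    """CHAOS-class TXT query for VERSION.BIND: the kind of probe that produced the answer above."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name("VERSION.BIND") + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels: List[str] = []
    end, jumped = None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4), e.g. c00c -> offset 12
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_txt(rdata: bytes) -> List[str]:
    """TXT RDATA is a sequence of <len><chars> strings."""
    out, p = [], 0
    while p < len(rdata):
        n = rdata[p]
        out.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
        p += 1 + n
    return out


def parse_response(msg: bytes) -> dict:
    """Header, question section and answer section of a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, rclass, ttl, parse_txt(rdata) if rtype == TYPE_TXT else rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def server_version(msg: bytes) -> Optional[str]:
    """The software banner, if the server answered the VERSION.BIND TXT/CH query."""
    for name, rtype, rclass, _, txt in parse_response(msg)["answers"]:
        if name.lower() == "version.bind" and rtype == TYPE_TXT and rclass == CLASS_CH and txt:
            return txt[0]
    return None


if __name__ == "__main__":
    print(server_version(SAMPLE_RESPONSE))          # banner from the captured answer
    # Live probe (assumed target); the sweep module does the same over a whole range.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2)
        s.sendto(build_version_bind_query(0x36C8), ("192.168.3.1", 53))
        print(server_version(s.recv(512)))
```

    The banner "dnsmasq-2.76" is exactly the kind of detail a discovery sweep hands to the next phase (version lookup, exploit selection). Defensively, answering VERSION.BIND is optional: BIND admins set `version "none";` in named.conf, and a resolver that refuses the CHAOS query still shows up as alive but gives away nothing.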
     

    Nmap (msfconsole passes commands it does not recognise to the system shell, shown as "[*] exec:")
     
    msf > nmap -sn 192.168.3.0/24
    [*] exec: nmap -sn 192.168.3.0/24
     
     
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 16:17 CST
    Nmap scan report for RT-AC54U (192.168.3.1)
    Host is up (0.0015s latency).
    MAC Address: 8C:AB:8E:FA:10:A1 (Shanghai Feixun Communication)
    Nmap scan report for 192.168.3.24
    Host is up (0.018s latency).
    MAC Address: B8:44:D9:D0:04:08 (Apple)
    Nmap scan report for DESKTOP-QU5496C (192.168.3.88)
    Host is up (0.00052s latency).
    MAC Address: 80:E6:50:15:C2:60 (Apple)
    Nmap scan report for 192.168.3.96
    Host is up (0.057s latency).
    MAC Address: 14:2D:27:2B:1C:E9 (Hon Hai Precision Ind.)
    Nmap scan report for 192.168.3.111
    Host is up (0.050s latency).
    MAC Address: 74:C6:3B:9C:00:65 (AzureWave Technology)
    Nmap scan report for 192.168.3.140
    Host is up (0.10s latency).
    MAC Address: 00:CD:FE:33:16:02 (Apple)
    Nmap scan report for 192.168.3.165
    Host is up (0.019s latency).
    MAC Address: C0:EE:FB:EA:80:8A (OnePlus Tech (Shenzhen))
    Nmap scan report for 192.168.3.168
    Host is up (0.085s latency).
    MAC Address: 9C:B6:D0:12:75:27 (Rivet Networks)
    Nmap scan report for 192.168.3.186
    Host is up (0.11s latency).
    MAC Address: E4:F8:9C:E7:58:B0 (Intel Corporate)
    Nmap scan report for 192.168.3.191
    Host is up (0.10s latency).
    MAC Address: 68:DB:CA:74:57:B9 (Apple)
    Nmap scan report for android-9b63a7f1b6f8164f (192.168.3.219)
    Host is up (0.075s latency).
    MAC Address: B8:5A:73:C9:E6:E2 (Samsung Electronics)
    Nmap scan report for 192.168.3.103
    Host is up.
    Nmap done: 256 IP addresses (12 hosts up) scanned in 1.78 seconds
     

    nmap -PU: UDP ping. Nmap sends an empty UDP datagram to port 40125 by default, a port chosen because it is almost certainly closed: a closed port answers with ICMP port unreachable, which proves the host is up, whereas an open port usually sends nothing back. Probing a closed port, not an open one, is the point; it gets through filters that drop ICMP echo and TCP probes but still pass UDP.
    -sn: host discovery only, no TCP port scan (the old -sP).
    Caveat: on a directly attached Ethernet or Wi-Fi segment, Nmap run as root uses ARP requests for discovery whatever -P option is given, which is why both -sn runs on this page report MAC addresses and finish in two or three seconds. The difference between 12 and 17 hosts reflects which devices answered ARP at that moment, not the probe type. To actually send the UDP probes on the local segment add --send-ip or --disable-arp-ping.
     
    msf > nmap -PU -sn 192.168.3.0/24
    [*] exec: nmap -PU -sn 192.168.3.0/24
     
     
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 16:48 CST
    Nmap scan report for RT-AC54U (192.168.3.1)
    Host is up (0.0020s latency).
    MAC Address: 8C:AB:8E:FA:10:A1 (Shanghai Feixun Communication)
    Nmap scan report for 192.168.3.20
    Host is up (0.015s latency).
    MAC Address: 68:DB:CA:A9:CE:63 (Apple)
    Nmap scan report for 192.168.3.21
    Host is up (0.017s latency).
    MAC Address: A0:CC:2B:A4:29:E5 (Murata Manufacturing)
    Nmap scan report for 192.168.3.24
    Host is up (0.018s latency).
    MAC Address: B8:44:D9:D0:04:08 (Apple)
    Nmap scan report for DESKTOP-QU5496C (192.168.3.88)
    Host is up (0.00023s latency).
    MAC Address: 80:E6:50:15:C2:60 (Apple)
    Nmap scan report for 192.168.3.96
    Host is up (0.072s latency).
    MAC Address: 14:2D:27:2B:1C:E9 (Hon Hai Precision Ind.)
    Nmap scan report for 192.168.3.111
    Host is up (0.070s latency).
    MAC Address: 74:C6:3B:9C:00:65 (AzureWave Technology)
    Nmap scan report for 192.168.3.133
    Host is up (0.10s latency).
    MAC Address: 5C:AD:CF:86:87:B1 (Apple)
    Nmap scan report for 192.168.3.140
    Host is up (0.061s latency).
    MAC Address: 00:CD:FE:33:16:02 (Apple)
    Nmap scan report for 192.168.3.142
    Host is up (0.10s latency).
    MAC Address: 20:AB:37:62:9F:18 (Apple)
    Nmap scan report for 192.168.3.144
    Host is up (0.089s latency).
    MAC Address: 70:EC:E4:D4:E9:D2 (Apple)
    Nmap scan report for 192.168.3.176
    Host is up (0.058s latency).
    MAC Address: 04:52:F3:13:38:71 (Apple)
    Nmap scan report for 192.168.3.186
    Host is up (0.093s latency).
    MAC Address: E4:F8:9C:E7:58:B0 (Intel Corporate)
    Nmap scan report for 192.168.3.195
    Host is up (0.050s latency).
    MAC Address: 5C:A8:6A:A7:90:4F (Huawei Technologies)
    Nmap scan report for raspberrypi (192.168.3.199)
    Host is up (0.048s latency).
    MAC Address: B8:27:EB:A9:1C:84 (Raspberry Pi Foundation)
    Nmap scan report for 192.168.3.211
    Host is up (0.018s latency).
    MAC Address: C8:F2:30:9E:93:83 (Guangdong Oppo Mobile Telecommunications)
    Nmap scan report for 192.168.3.103
    Host is up.
    Nmap done: 256 IP addresses (17 hosts up) scanned in 2.59 seconds

    Without -sn the UDP ping is only the discovery step: every host found is then port-scanned with the default SYN scan of the 1000 most common TCP ports, which is why this run took 1544 s instead of 2-3 s. The hosts showing only 62078/tcp (iphone-sync) are iOS devices, and 192.168.3.103, reported with no MAC address and near-zero latency, is the scanning machine itself.

    msf > nmap -PU 192.168.3.0/24
    [*] exec: nmap -PU 192.168.3.0/24
     
     
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-08 16:18 CST
     
    Nmap scan report for RT-AC54U (192.168.3.1)
    Host is up (0.0055s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    53/tcp   open  domain
    1723/tcp open  pptp
    8000/tcp open  http-alt
    MAC Address: 8C:AB:8E:FA:10:A1 (Shanghai Feixun Communication)
     
    Nmap scan report for 192.168.3.20
    Host is up (0.0044s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 68:DB:CA:A9:CE:63 (Apple)
     
    Nmap scan report for 192.168.3.24
    Host is up (0.011s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: B8:44:D9:D0:04:08 (Apple)
     
    Nmap scan report for DESKTOP-QU5496C (192.168.3.88)
    Host is up (0.00063s latency).
    Not shown: 998 filtered ports
    PORT     STATE SERVICE
    80/tcp   open  http
    3306/tcp open  mysql
    MAC Address: 80:E6:50:15:C2:60 (Apple)
     
    Nmap scan report for 192.168.3.96
    Host is up (0.019s latency).
    Not shown: 983 closed ports
    PORT      STATE    SERVICE
    80/tcp    open     http
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    2869/tcp  open     icslap
    5060/tcp  open     sip
    5357/tcp  open     wsdapi
    5678/tcp  open     rrac
    9593/tcp  open     cba8
    9594/tcp  open     msgsys
    9595/tcp  open     pds
    10000/tcp open     snet-sensor-mgmt
    33354/tcp open     unknown
    49152/tcp open     unknown
    49153/tcp open     unknown
    49154/tcp open     unknown
    49176/tcp open     unknown
    MAC Address: 14:2D:27:2B:1C:E9 (Hon Hai Precision Ind.)
     
    Nmap scan report for 192.168.3.111
    Host is up (0.086s latency).
    Not shown: 999 filtered ports
    PORT     STATE SERVICE
    6646/tcp open  unknown
    MAC Address: 74:C6:3B:9C:00:65 (AzureWave Technology)
     
    Nmap scan report for 192.168.3.133
    Host is up (0.21s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 5C:AD:CF:86:87:B1 (Apple)
     
    Nmap scan report for 192.168.3.140
    Host is up (0.012s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 00:CD:FE:33:16:02 (Apple)
     
    Nmap scan report for 192.168.3.142
    Host is up (0.021s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 20:AB:37:62:9F:18 (Apple)
     
    Nmap scan report for 192.168.3.144
    Host is up (0.0055s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 70:EC:E4:D4:E9:D2 (Apple)
     
    Nmap scan report for 192.168.3.168
    Host is up (0.0053s latency).
    Not shown: 997 filtered ports
    PORT     STATE SERVICE
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    6646/tcp open  unknown
    MAC Address: 9C:B6:D0:12:75:27 (Rivet Networks)
     
    Nmap scan report for 192.168.3.176
    Host is up (0.0078s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 04:52:F3:13:38:71 (Apple)
     
    Nmap scan report for 192.168.3.186
    Host is up (0.017s latency).
    Not shown: 992 closed ports
    PORT      STATE SERVICE
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    49152/tcp open  unknown
    49153/tcp open  unknown
    49154/tcp open  unknown
    49156/tcp open  unknown
    49157/tcp open  unknown
    MAC Address: E4:F8:9C:E7:58:B0 (Intel Corporate)
     
    Nmap scan report for 192.168.3.191
    Host is up (0.046s latency).
    Not shown: 999 closed ports
    PORT      STATE SERVICE
    62078/tcp open  iphone-sync
    MAC Address: 68:DB:CA:74:57:B9 (Apple)
     
    Nmap scan report for raspberrypi (192.168.3.199)
    Host is up (0.0072s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    80/tcp   open  http
    3389/tcp open  ms-wbt-server
    MAC Address: B8:27:EB:A9:1C:84 (Raspberry Pi Foundation)
     
    Nmap scan report for 192.168.3.211
    Host is up (0.020s latency).
    All 1000 scanned ports on 192.168.3.211 are closed
    MAC Address: C8:F2:30:9E:93:83 (Guangdong Oppo Mobile Telecommunications)
     
    Nmap scan report for android-9b63a7f1b6f8164f (192.168.3.219)
    Host is up (0.48s latency).
    Not shown: 997 closed ports
    PORT      STATE    SERVICE
    1244/tcp  filtered isbconference1
    32781/tcp filtered unknown
    40911/tcp filtered unknown
    MAC Address: B8:5A:73:C9:E6:E2 (Samsung Electronics)
     
    Nmap scan report for 192.168.3.103
    Host is up (0.0000020s latency).
    All 1000 scanned ports on 192.168.3.103 are closed
     
    Nmap done: 256 IP addresses (18 hosts up) scanned in 1544.16 seconds
    msf >
     

     
  • Original URL: https://www.cnblogs.com/enderzhou/p/7495440.html
Copyright © 2020-2023  润新知