Nmap

Network scanning


Host scanning: finding the live hosts in a subnet

Scan the 192.168.136.0/24 subnet with fping.
-a: show the IP addresses of live hosts;
-s: print summary statistics, including the number of live hosts in the subnet;
-r: set the retry count;
-g: generate the target list from a subnet (CIDR notation or a start/end range).

root@kali:~# fping -a -s -r 1 -g 192.168.136.0/24
192.168.136.1
192.168.136.129
192.168.136.130
192.168.136.131

     254 targets
       4 alive
     250 unreachable
       0 unknown addresses

     250 timeouts (waiting for response)
     504 ICMP Echos sent
       4 ICMP Echo Replies received
       0 other ICMP received

 1.81 ms (min round trip time)
 4.43 ms (avg round trip time)
 8.91 ms (max round trip time)
       14.544 sec (elapsed real time)

Running nmap -sP against the 192.168.136.0/24 subnet reports that all 255 IP addresses belong to live hosts. That disagrees with fping, which found only four; when a sweep reports every address as up, something on the path (a NAT or proxy-ARP gateway, or a firewall) is probably answering on behalf of the whole range, so the result should be cross-checked with a port scan.

root@kali:~# nmap -sP 192.168.136.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:11 CST
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.58 seconds
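As an added example (not part of the original notes), the following Python reconciles the two sweeps above: it parses the fping -a -s output and the nmap -sP summary line, checks that fping's counters are self-consistent, and flags the case where nmap reports every scanned address as up, which is worth a second look before trusting a ping sweep. The sample text is the output shown above, embedded inline so the check runs offline; the function names are my own.

```python
import re

# Sample input: the fping and nmap -sP output shown above, embedded inline.
FPING_OUTPUT = """\
192.168.136.1
192.168.136.129
192.168.136.130
192.168.136.131

     254 targets
       4 alive
     250 unreachable
       0 unknown addresses

     250 timeouts (waiting for response)
     504 ICMP Echos sent
       4 ICMP Echo Replies received
       0 other ICMP received
"""

NMAP_SP_OUTPUT = """\
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:11 CST
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.58 seconds
"""

IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
STAT = re.compile(r"^\s*(\d+)\s+(targets|alive|unreachable|unknown addresses)\s*$")
NMAP_DONE = re.compile(r"Nmap done: (\d+) IP addresses? \((\d+) hosts? up\)")


def parse_fping(text):
    """Return (alive_ips, stats) from 'fping -a -s' output."""
    alive, stats = [], {}
    for line in text.splitlines():
        m = IPV4.match(line.strip())
        if m:
            alive.append(m.group(1))
            continue
        m = STAT.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    # -a prints each live address once, so the summary must agree with the list.
    if "alive" in stats and stats["alive"] != len(alive):
        raise ValueError(f"fping summary says {stats['alive']} alive, but {len(alive)} were listed")
    if "targets" in stats:
        accounted = (stats.get("alive", 0) + stats.get("unreachable", 0)
                     + stats.get("unknown addresses", 0))
        if accounted != stats["targets"]:
            raise ValueError("fping counters do not add up to the target count")
    return alive, stats


def parse_nmap_summary(text):
    """Return (addresses_scanned, hosts_up) from the 'Nmap done' line."""
    m = NMAP_DONE.search(text)
    if not m:
        raise ValueError("no 'Nmap done' line found")
    return int(m.group(1)), int(m.group(2))


def discovery_findings(fping_text, nmap_text):
    """Compare both sweeps and list anything that should be double-checked."""
    alive, _stats = parse_fping(fping_text)
    scanned, up = parse_nmap_summary(nmap_text)
    findings = []
    if scanned and up == scanned:
        findings.append("nmap reports every scanned address as up; suspect a NAT/proxy-ARP "
                        "gateway or firewall answering for the whole range")
    if up != len(alive):
        findings.append(f"host counts disagree: fping {len(alive)} alive vs nmap {up} up")
    return {"fping_alive": alive, "nmap_up": up, "findings": findings}


if __name__ == "__main__":
    for key, value in discovery_findings(FPING_OUTPUT, NMAP_SP_OUTPUT).items():
        print(key, value)
```

The consistency checks in parse_fping are deliberate: a truncated or interleaved capture is a common reason for a sweep to look cleaner than it was, and raising on it is better than silently reporting fewer hosts.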

Port scanning: finding the TCP/UDP ports on the target that are listening for a network service

Use nmap to scan the target for open ports.
-sS: TCP SYN scan.
-sU: UDP port scan.

root@kali:~# nmap -sS 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:17 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (2.0s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp

Nmap done: 1 IP address (1 host up) scanned in 10.53 seconds
root@kali:~# nmap -sS 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:20 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.7s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds
root@kali:~# nmap -sS 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:21 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (1.00s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell

Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds
What is a port, and what is it for?

A host with an IP address can provide many services, such as web, FTP and SMTP, and all of them are reachable through that single IP address. The relationship between an IP address and network services is therefore one-to-many; "IP address + port number" is what distinguishes the different services.
Both TCP and UDP define a port range of 1-65535 (64K port numbers).
Network services that need stable, reliable delivery, such as HTTP, SSH, FTP and SMTP, choose TCP.
Applications that need fast transfer but can tolerate packet loss, such as QQ video and DNS, choose UDP.

Host operating system scanning

Use nmap to detect the target's operating system.
-O: actively probe the target's operating system type.

root@kali:~# nmap -O 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:02 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (0.43s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.37 seconds
root@kali:~# nmap -O 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:04 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (0.11s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.07 seconds
root@kali:~# nmap -O 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:06 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.26 seconds
OS detection works as follows:

1. Nmap ships with fingerprints of more than 2600 known systems (in the nmap-os-db file); this fingerprint database is the reference set for the comparison.
2. Nmap picks one open port and one closed port and sends them carefully crafted TCP/UDP/ICMP packets; the responses are used to build a fingerprint of the system.
3. The generated fingerprint is compared with the entries in nmap-os-db to find a matching system. If there is no exact match, the possible systems are listed with probabilities.
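To make the three steps concrete, here is an added Python model of the matching step (an illustration written for these notes, not Nmap's own code and not the real nmap-os-db format): a probe result is a set of named test values, a constructed reference database holds the same tests per system, and each entry is scored by weighted agreement. An exact match is reported as such; otherwise the candidates above a threshold are listed with percentages, which is what the "JUST GUESSING" lines in the output above correspond to. The test names, weights and database values are assumptions chosen for illustration.

```python
# Constructed reference database. The attribute names mimic the kind of
# information Nmap derives from probe responses (IP TTL, TCP window size,
# DF bit, TCP option order, reply to a probe on a closed port), but the
# values are illustrative, not real nmap-os-db entries.
REFERENCE_DB = {
    "Generic Linux 3.x (constructed)":  {"ttl": 64,  "win": 29200, "df": "Y", "opts": "MSTNW",    "closed_port": "RST"},
    "Generic Linux 2.4 (constructed)":  {"ttl": 64,  "win": 5840,  "df": "Y", "opts": "MSTNW",    "closed_port": "RST"},
    "Generic Windows 7 (constructed)":  {"ttl": 128, "win": 8192,  "df": "Y", "opts": "MNWST",    "closed_port": "RST"},
    "Generic Windows XP (constructed)": {"ttl": 128, "win": 65535, "df": "Y", "opts": "MNWNNT",   "closed_port": "RST"},
    "Generic BSD (constructed)":        {"ttl": 64,  "win": 65535, "df": "Y", "opts": "MNWNNTSE", "closed_port": "RST"},
}

# Not every test is equally discriminating; the weights express that.
WEIGHTS = {"ttl": 2, "win": 3, "df": 1, "opts": 3, "closed_port": 1}


def score(observed, reference):
    """Weighted fraction of tests on which the observation and a reference agree.

    Tests missing from the observation (for example no closed port was found,
    so no 'closed_port' response exists) are skipped rather than counted as
    mismatches. That is why Nmap wants both an open and a closed port: fewer
    tests means less evidence and more candidates tie.
    """
    total = matched = 0
    for test, weight in WEIGHTS.items():
        if test not in observed or test not in reference:
            continue
        total += weight
        if observed[test] == reference[test]:
            matched += weight
    return matched / total if total else 0.0


def match_os(observed, db=REFERENCE_DB, floor=0.5):
    """Return (exact_matches, guesses).

    exact_matches: names whose every compared test agrees with the observation.
    guesses: (name, percent) pairs, best first, offered only when nothing
    matched exactly and only above the floor, like Nmap's 'Aggressive OS guesses'.
    """
    ranked = sorted(((name, score(observed, fp)) for name, fp in db.items()),
                    key=lambda entry: -entry[1])
    exact_matches = [name for name, s in ranked if s >= 1.0]
    if exact_matches:
        return exact_matches, []
    guesses = [(name, round(s * 100)) for name, s in ranked if s >= floor]
    return [], guesses


if __name__ == "__main__":
    # Constructed observations: one clean match, one with no exact match.
    clean = {"ttl": 64, "win": 29200, "df": "Y", "opts": "MSTNW", "closed_port": "RST"}
    ambiguous = {"ttl": 64, "win": 65535, "df": "Y", "opts": "MSTNW", "closed_port": "RST"}
    print(match_os(clean))
    print(match_os(ambiguous))
```

The ambiguous observation is the interesting case: several reference entries score the same, so the ranking alone cannot separate them. That is the situation behind "No exact OS matches for host (test conditions non-ideal)" in the scans above, and the usual fix is better test conditions (a reachable closed port, low latency) rather than trusting the top guess.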

CPE?

CPE (Common Platform Enumeration) is the standardized naming scheme that Nmap uses in the "OS CPE" and "CPE:" lines of its output to identify operating systems, hardware and applications.
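Added illustration (not from the original notes): Nmap prints CPE names in the CPE 2.2 URI binding, cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}, where part is a (application), h (hardware) or o (operating system) and trailing empty components may be omitted. The Python below parses the names out of an "OS CPE:" line such as the one in the scan output above, groups them by part, and renders them in the CPE 2.3 formatted-string binding; the function names are my own.

```python
import re
from urllib.parse import unquote

# CPE 2.2 URI components, in order. An empty component means "any".
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
PART_NAMES = {"a": "application", "h": "hardware", "o": "operating system"}

# Sample input: the OS CPE line from the scan of 192.168.136.130 above.
OS_CPE_LINE = ("OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel "
               "cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 "
               "cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 "
               "cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100")


def parse_cpe(uri):
    """Parse a CPE 2.2 URI such as cpe:/o:microsoft:windows_xp::sp3 into a dict."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    components = uri[len("cpe:/"):].split(":")
    if len(components) > len(FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    if not components or components[0] not in PART_NAMES:
        raise ValueError(f"unknown part in {uri!r}")
    # Pad omitted trailing components and percent-decode escaped characters.
    components += [""] * (len(FIELDS) - len(components))
    return {name: unquote(value) for name, value in zip(FIELDS, components)}


def cpes_from_nmap_line(line):
    """Extract every CPE name from an 'OS CPE:' or 'CPE:' line of Nmap output."""
    return [parse_cpe(token) for token in re.findall(r"cpe:/\S+", line)]


def to_cpe23(cpe):
    """Render a parsed name in the CPE 2.3 formatted-string binding.

    2.2's empty ("any") component becomes '*', and 2.3 appends four more
    components (sw_edition, target_sw, target_hw, other). Assumes values made
    of letters, digits, '.', '-' and '_', which need no escaping in 2.3.
    """
    values = [cpe[field] or "*" for field in FIELDS]
    return "cpe:2.3:" + ":".join(values + ["*"] * 4)


def summarize(line):
    """Group the platforms on an Nmap CPE line by part (hardware / OS / application)."""
    groups = {}
    for cpe in cpes_from_nmap_line(line):
        label = " ".join(v for v in (cpe["vendor"], cpe["product"], cpe["version"], cpe["update"]) if v)
        groups.setdefault(PART_NAMES[cpe["part"]], []).append(label)
    return groups


if __name__ == "__main__":
    for part, names in summarize(OS_CPE_LINE).items():
        print(part, names)
    print(to_cpe23(parse_cpe("cpe:/o:microsoft:windows_xp::sp3")))
```

The grouping is what makes the line readable: the scan above mixes two hardware guesses with six operating-system guesses, and that spread alone tells you the fingerprint was inconclusive.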

Service detection: actively probing the type and version of the network application bound to each open port on the target

-sV: probe the type and version of the service bound to each open port on the target.

root@kali:~# nmap -sV 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 17:35 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.1s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet       Linux telnetd
25/tcp   open  smtp         Postfix smtpd
53/tcp   open  domain       ISC BIND 9.4.2
80/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind      2 (RPC #100000)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec         netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry  GNU Classpath grmiregistry
1524/tcp open  shell        Metasploitable root shell
2049/tcp open  nfs          2-4 (RPC #100003)
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql?
5432/tcp open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc          VNC (protocol 3.3)
6000/tcp open  X11          (access denied)
6667/tcp open  irc          Unreal ircd
8009/tcp open  ajp13        Apache Jserv (Protocol v1.3)
8180/tcp open  http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.88 seconds