Mist (米斯特) White Hat Training Notes, Tools Section: Nmap
Lecturer: gh0stkey
Compiled by: 飛龍
License: CC BY-NC-SA 4.0
Introduction
Nmap (Network Mapper) is a security scanner created by Gordon Lyon for discovering hosts and services on a computer network. To map the network, Nmap sends specially crafted packets to the target host and analyses the packets that come back. Nmap is a powerful tool for enumerating and testing networks.
Nmap has two interfaces: a graphical one (Zenmap) and the command line.
Download
https://nmap.org/download.html
Usage
Typical uses:
- Auditing the security of a device or firewall by probing it.
- Discovering the open ports on a target host.
- Network inventory, network mapping, maintenance and asset management. (This one deserves a closer look.)
- Auditing network security by spotting newly appeared servers.
- Discovering the hosts on a network.
Simple scan
By default Nmap uses an ICMP ping plus a TCP connect (-PB) for host discovery, and a TCP full connect (-sT) for the port scan of the host. The default ports are 1 to 1024 plus the common ports in its list. Note that the verbose output below reports a "SYN Stealth Scan": when Nmap runs with raw-packet privileges (administrator on Windows, root on Linux) it uses a SYN scan for the port scan rather than a full connect.
Syntax:
nmap <target IP>
Example:
C:\Users\asus> nmap 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:37 ?D1ú±ê×?ê±??
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0062s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
Several IPs can be separated by commas: 192.168.1.1,2,3,4,5. A hyphen gives a range: 192.168.1.1-255. CIDR notation also works: 192.168.1.0/24.
Verbose output
nmap -vv <target IP>
C:\Users\asus> nmap -vv 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:47 ?D1ú±ê×?ê±??
Initiating ARP Ping Scan at 10:47
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 10:47, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:47
Completed Parallel DNS resolution of 1 host. at 10:47, 0.01s elapsed
Initiating SYN Stealth Scan at 10:47
Scanning localhost (192.168.1.1) [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 49153/tcp on 192.168.1.1
Discovered open port 49152/tcp on 192.168.1.1
Completed SYN Stealth Scan at 10:47, 2.27s elapsed (1000 total ports)
Nmap scan report for localhost (192.168.1.1)
Host is up, received arp-response (0.0052s latency).
Scanned at 2016-12-22 10:47:09 ?D1ú±ê×?ê±?? for 3s
Not shown: 993 closed ports
Reason: 993 resets
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
23/tcp filtered telnet no-response
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
49152/tcp open unknown syn-ack ttl 64
49153/tcp open unknown syn-ack ttl 64
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
Raw packets sent: 1004 (44.160KB) | Rcvd: 998 (39.924KB)
Custom ports
nmap <target IP> -p <ports>
C:\Users\asus> nmap 192.168.1.1 -p 1-500
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:59 ?D1ú±ê×?ê±??
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0061s latency).
Not shown: 495 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
The port argument can be a single port or several. Several ports are separated by commas, for example 21,22,23,53,80, and a hyphen gives a range, for example 1-1024.
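As an added example (not code from the handout), the following Python expands the target notations above (comma lists, hyphen ranges, CIDR) and the -p port syntax the way Nmap reads them, so you can check how many hosts and port probes a scan line will generate before running it. The defaults for open-ended ranges (0-255 for an octet, 1-65535 for ports, as with -p-) are my reading of Nmap's syntax, not text from the handout.

```python
import ipaddress
import itertools

def _octet_values(octet: str) -> list:
    """Expand one octet field such as '1', '1-255' or '1,2,3,4,5' into integers."""
    values = set()
    for part in octet.split(","):
        lo, dash, hi = part.partition("-")
        lo_i = int(lo) if lo else 0                 # assumption: '-' alone means 0-255
        hi_i = int(hi) if hi else (255 if dash else lo_i)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"bad octet range: {part!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)

def expand_targets(spec: str) -> list:
    """Expand an Nmap-style target spec (CIDR, octet ranges, octet lists) to IPv4 strings."""
    if "/" in spec:
        # Nmap scans every address in the block, network and broadcast included
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_octet_values(o) for o in octets))]

def expand_ports(spec: str) -> list:
    """Expand a -p spec such as '21,22,23,53,80', '1-1024' or '-' (all ports) to sorted ints."""
    ports = set()
    for part in spec.split(","):
        lo, dash, hi = part.partition("-")
        lo_i = int(lo) if lo else 1                 # '-p-' is 1-65535
        hi_i = int(hi) if hi else (65535 if dash else lo_i)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return sorted(ports)

def scan_scope(target_spec: str, port_spec: str) -> dict:
    """How many hosts and ports a scan line touches, and the resulting number of port probes."""
    hosts, ports = expand_targets(target_spec), expand_ports(port_spec)
    return {"hosts": len(hosts), "ports": len(ports), "probes": len(hosts) * len(ports)}
```

For example, scan_scope("192.168.1.0/24", "1-500") reports 256 hosts, 500 ports and 128000 probes, which is a useful sanity check before scanning a production segment.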
Ping scan
nmap -sP <target IP>
A ping scan only performs host discovery and does not scan any ports. As you can see, the result contains no port information and only tells you whether the host is reachable, which is also why it is so fast.
C:\Users\asus> nmap 192.168.1.1 -sP
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:52 ?D1ú±ê×?ê±??
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
The opposite option, which performs only the port scan and skips host discovery, is -PN (or -P0). Current Nmap versions spell this option -Pn; -PN and -P0 are still accepted as older aliases.
C:\Users\asus> nmap 192.168.1.1 -PN
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:54 ?D1ú±ê×?ê±??
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0062s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds
OS detection
nmap -O <target IP>
C:\Users\asus> nmap www.baidu.com -O
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:03 ?D1ú±ê×?ê±??
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.0038s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds
Combined scan
For example, scan ports 1 to 1024 with verbose output and OS detection.
C:\Users\asus> nmap 192.168.1.1 -p 1-1024 -vv -O
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:06 ?D1ú±ê×?ê±??
Initiating ARP Ping Scan at 11:06
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 11:06, 0.14s elapsed (1 total hosts)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 11:06
Scanning 192.168.1.1 [1024 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 11:06, 2.03s elapsed (1024 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.0014s latency).
Scanned at 2016-12-22 11:06:44 ?D1ú±ê×?ê±?? for 15s
Not shown: 1019 closed ports
Reason: 1019 resets
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
23/tcp filtered telnet no-response
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=12/22%OT=53%CT=1%CU=37502%PV=Y%DS=1%DC=D%G=Y%M=6889C1%
OS:TM=585B4353%P=i686-pc-windows-windows)SEQ(SP=106%GCD=1%ISR=104%TI=Z%CI=Z
OS:%II=I%TS=U)SEQ(CI=Z%II=I%TS=U)SEQ(CI=Z%II=I)OPS(O1=M5B4NNSNW2%O2=M5B4NNS
OS:NW2%O3=M5B4NW2%O4=M5B4NNSNW2%O5=M5B4NNSNW2%O6=M5B4NNS)WIN(W1=16D0%W2=16D
OS:0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW2%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: C:\Program Files (x86)\Nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
Raw packets sent: 1152 (54.954KB) | Rcvd: 1110 (48.462KB)
As you can see, not much was identified; the target is a router, and in cases like this you can simply treat it as Linux.
Scripts (supplementary)
Nmap has a scripting engine called NSE and ships with a set of scripts; more can be downloaded from the official site.
The script categories are:
auth: scripts that deal with authentication credentials (bypassing authentication)
broadcast: discover more services on the local network, such as dhcp/dns/sqlserver
brute: brute-force attacks against common applications such as http/snmp
default: the scripts run by default with -sC or -A; basic script scanning capability
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: used to perform denial-of-service attacks
exploit: exploit known vulnerabilities to break into systems
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send malformed packets to the target to find potential vulnerabilities
intrusive: intrusive scripts; these may trigger logging or blocking by the target's IDS/IPS
malware: check whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; scripts considered safe
version: scripts that extend service and version detection (Version Detection)
vuln: check whether the target has common vulnerabilities (Vulnerability), such as MS08_067
Add --script=<category> to the command line to use scripts.
The following shows the default scripts being used to probe the services on a host.
C:\Users\asus> nmap --script=default 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:10 ?D1ú±ê×?ê±??
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.49
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
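Added example, not part of the handout: a small parser for Nmap's normal (non-XML) output that keeps the NSE script lines (the "|" and "|_" lines above) attached to their port, using a shortened copy of the --script=default report above as its constructed sample. It also lists the ports in a given state, for example the filtered 21/22/23 seen in every report above, which a defender would compare against the firewall's intended rule set. The heuristic that a script-name line never contains a "." is my assumption.

```python
import re

# Constructed sample: the handout's --script=default report, shortened to the lines used here.
SAMPLE = """\
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
53/tcp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.49
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
49152/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
"""

# "53/tcp open domain" or, with -vv/--reason, "53/tcp open domain syn-ack ttl 64"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE header lines: "| dns-nsid:" or "|_http-title: ...". Assumption: script names
# never contain '.', so a continuation such as "|_ bind.version: ..." does not match.
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z0-9-]+):\s*(.*)$")

def parse_report(text: str) -> list:
    """Parse Nmap normal output into one dict per host, keeping NSE script output per port."""
    hosts, port, script = [], None, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            hosts.append({"host": line[21:].strip(), "mac": "", "ports": []})
            port = script = None
        elif not hosts:
            continue                                   # banner lines before the first host
        elif line.startswith("MAC Address: "):
            hosts[-1]["mac"] = line.split()[2]
        elif m := PORT_RE.match(line):
            port = {"port": int(m[1]), "proto": m[2], "state": m[3],
                    "service": m[4], "reason": m[5] or "", "scripts": {}}
            hosts[-1]["ports"].append(port)
            script = None
        elif port and line.startswith("|"):
            if m := SCRIPT_RE.match(line):
                script = m[1]
                port["scripts"][script] = [m[2]] if m[2] else []
            elif script:                               # continuation line of the current script
                port["scripts"][script].append(line.lstrip("|_ ").rstrip())
    return hosts

def ports_in_state(host: dict, state: str) -> list:
    """'filtered' ports are probes something dropped: check that the firewall rules intend it."""
    return [p["port"] for p in host["ports"] if p["state"] == state]
```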