The most basic scan
With no options nmap pings the host and then scans its 1000 most common TCP ports (a SYN scan when run as root, a connect scan otherwise):
# nmap 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:26 CST
Nmap scan report for 192.168.0.149
Host is up (0.0000090s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
Discover live hosts without a port scan -sn
On the local Ethernet segment nmap uses ARP requests for this, which is why reports for LAN targets carry a MAC Address line.
# nmap -sn 192.168.0.149
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:28 CST
Nmap scan report for 192.168.0.149
Host is up.
Nmap done: 1 IP address (1 host up)
Scan several hosts at once
Targets are listed separated by spaces. Note that the first address below was typed as 192.169.0.149 rather than 192.168.0.149, which is why the report that follows covers only two of the three hosts.
# nmap 192.169.0.149 192.168.0.106 192.168.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00071s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap scan report for 192.168.0.152
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
62078/tcp open iphone-sync
MAC Address: 76:49:5D:88:B6:35 (Unknown)
Nmap done: 3 IP addresses (2 hosts up) scanned in 14.73 seconds
Scan an address range (a range may be written in any octet)
# nmap 192.169.0.100-160
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:34 CST
…
Scan a CIDR block
Both of these were typed with 192.169.0.x instead of the lab's 192.168.0.x network, which is why every one of the 256 addresses came back down; check the subnet before reading "0 hosts up" as a firewall.
# nmap 192.169.0.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 18:38 CST
Nmap done: 256 IP addresses (0 hosts up) scanned in 210.76 seconds
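As an added example (not from the original notes), the following Python expands target specifications the way the commands above use them: a plain list of addresses, an octet range such as 192.168.0.100-160, and a CIDR block. It handles IPv4 only; hostnames and nmap's exclusion options are left out, and the inclusion of the network and broadcast addresses in a /24 matches the "256 IP addresses" count nmap prints.

```python
import ipaddress
import itertools
import re
from typing import List


def _expand_octet(spec: str) -> List[int]:
    """One octet of an nmap target: '5', '1-10', '*', or a comma list such as '1,3,5-7'."""
    values: List[int] = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
            continue
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not m:
            raise ValueError(f"bad octet {part!r} in {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet out of range in {spec!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> List[str]:
    """Expand one IPv4 target spec as nmap reads it: CIDR, or dotted octets where any octet may be a range."""
    if "/" in spec:
        # nmap scans every address of the block, network and broadcast included (256 for a /24)
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target spec {spec!r} (hostnames are not handled here)")
    combos = itertools.product(*(_expand_octet(o) for o in octets))
    return [".".join(map(str, combo)) for combo in combos]


def expand_targets(specs: List[str]) -> List[str]:
    """Expand everything given on one command line, dropping duplicates but keeping order."""
    seen = set()
    out: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


if __name__ == "__main__":
    print(len(expand_target("192.168.0.0/24")), "addresses in the /24")
    print(expand_target("192.168.0.100-160")[:3], "...")
```

Expanding the two spellings side by side (192.168.0.0/24 against 192.169.0.0/24) makes the typo in the scans above obvious before any packet is sent.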
Host discovery with ICMP
ICMP echo request (ping-style) -PE
-PE only changes the discovery probe; without -sn the port scan still runs afterwards, as the output shows.
# nmap -PE 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:31 CST
Nmap scan report for 192.168.0.106
Host is up (0.00093s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
ICMP timestamp request -PP
# nmap -PP 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00088s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
ICMP address mask request -PM
# nmap -PM 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00018s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
Host discovery with TCP
TCP SYN ping -PS (port 80 unless one is given)
Either a SYN/ACK or a RST proves the host is up; with -sn no port scan follows.
# nmap -sn -PS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 16:28 CST
Nmap scan report for 192.168.0.106
Host is up (0.00049s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
TCP ACK ping -PA (port 80 unless one is given)
A bare ACK draws a RST from any reachable host and can pass stateless filters that only block incoming SYNs.
# nmap -sn -PA 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:32 CST
Nmap scan report for 192.168.0.106
Host is up (0.00054s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
UDP ping -PU (port 40125 unless one is given)
The probe goes to a port that is probably closed, so an ICMP port unreachable reply proves the host is up. It gets through filters that only screen TCP, but ICMP rate limiting makes it slower than the TCP pings.
# nmap -sn -PU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:36 CST
Nmap scan report for 192.168.0.106
Host is up (0.00076s latency).
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Port scanning
Port ranges
- Well-known ports: 0-1023
- Registered ports: 1024-49151
- Dynamic/private ports: 49152-65535
Port states
- open: the SYN drew a SYN/ACK, so a process is listening on the port. In a SYN scan nmap answers with a RST rather than an ACK, so the handshake is never completed (hence "half-open"). nmap sends one probe and only retransmits it when no answer arrives.
- closed: the host's kernel answered the SYN with a RST because nothing is listening. The port is reachable, just unused.
- filtered: no answer after the retransmissions, or an ICMP unreachable error came back. Something on the path (a host firewall, an ACL) is dropping or rejecting the probe, so nmap cannot tell whether a service is behind it.
- unfiltered: only produced by the ACK scan -sA. The host sent a RST in reply to an ACK it had no connection for, which proves the probe reached it unfiltered; it says nothing about whether the port is open or closed, so follow up with -sS on the unfiltered ports.
- open|filtered: nmap cannot separate the two cases because an open port and a filtered port both stay silent. Typical of UDP scans (see -sU below) and of FIN/NULL/Xmas scans.
- closed|filtered: only produced by the IP ID idle scan -sI, which cannot tell a closed port from a filtered one.
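The decision rules above, written out as code. This is an added example and not nmap's source: it models the reply to a probe as a small constructed value (a TCP flag name, a UDP reply, an ICMP unreachable code, or None for silence) and applies the rules nmap documents for SYN, ACK and UDP probes, including retransmission of unanswered probes and the ICMP codes that mean filtered.

```python
from typing import Callable, List, Sequence, Tuple, Union

# Constructed model of what one probe (and each retransmission of it) gets back:
#   None            nothing arrived before the timeout
#   "syn-ack"/"rst" TCP replies to a SYN or ACK probe
#   "udp"           any UDP payload from the target port
#   ("icmp", code)  ICMP type 3 (destination unreachable) with that code
Reply = Union[None, str, Tuple[str, int]]

ICMP_PORT_UNREACHABLE = 3
# Every unreachable code nmap acts on: net (0), host (1), protocol (2), port (3),
# admin-prohibited net/host (9, 10) and admin-prohibited (13).
ICMP_UNREACHABLE_CODES = {0, 1, 2, 3, 9, 10, 13}


def first_answer(replies: Sequence[Reply]) -> Reply:
    """nmap retransmits a silent probe; the verdict rests on the first reply it gets."""
    for r in replies:
        if r is not None:
            return r
    return None


def is_icmp(reply: Reply, codes) -> bool:
    return isinstance(reply, tuple) and reply[0] == "icmp" and reply[1] in codes


def classify(scan: str, replies: Sequence[Reply]) -> str:
    """Port state nmap would print for one -sS, -sA or -sU probe given its replies."""
    reply = first_answer(replies)
    if scan == "syn":                                    # -sS, half-open
        if reply == "syn-ack":
            return "open"                                # a listener answered; nmap replies RST, not ACK
        if reply == "rst":
            return "closed"                              # the kernel says nothing listens there
        if reply is None or is_icmp(reply, ICMP_UNREACHABLE_CODES):
            return "filtered"                            # dropped, or rejected with an ICMP error
    elif scan == "ack":                                  # -sA, maps firewall rules, not listeners
        if reply == "rst":
            return "unfiltered"                          # reached the host; open/closed still unknown
        if reply is None or is_icmp(reply, ICMP_UNREACHABLE_CODES):
            return "filtered"
    elif scan == "udp":                                  # -sU
        if reply == "udp":
            return "open"
        if is_icmp(reply, {ICMP_PORT_UNREACHABLE}):
            return "closed"                              # type 3 code 3 is the only proof of closed
        if is_icmp(reply, ICMP_UNREACHABLE_CODES):
            return "filtered"                            # any other unreachable code
        if reply is None:
            return "open|filtered"                       # silence: ignored probe or dropped probe
    raise ValueError(f"unexpected reply {reply!r} for a {scan} probe")


def probe(scan: str, responder: Callable[[int], Reply], max_retries: int = 2) -> str:
    """Retransmission loop: send, resend while the target stays silent, then classify."""
    replies: List[Reply] = []
    for attempt in range(max_retries + 1):
        replies.append(responder(attempt))
        if replies[-1] is not None:
            break
    return classify(scan, replies)


if __name__ == "__main__":
    # a target that loses the first SYN but answers the retransmission is still open
    print(probe("syn", lambda attempt: "syn-ack" if attempt == 1 else None))
    print(probe("udp", lambda attempt: None))            # open|filtered
```

The UDP branch is where the asymmetry lives: one ICMP code proves closed, every other unreachable code means filtered, and silence is the ambiguous open|filtered that dominates -sU output.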
Scan techniques
SYN scan -sS (the default as root; needs raw sockets)
scanner -> SYN -> target
target -> SYN/ACK -> scanner (open) or RST (closed)
scanner -> RST -> target (the connection is torn down before it is ever established)
Reports open, closed and filtered.
# nmap -sS 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:53 CST
Nmap scan report for 192.168.0.106
Host is up (0.00042s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Connect scan -sT
Completes the three-way handshake through the OS connect() call, so it needs no privileges:
scanner -> SYN -> target
target -> SYN/ACK -> scanner
scanner -> ACK -> target (connection established, then closed)
Because the connection is real, the listening application accepts it and may log it; a SYN scan never gets that far. Note that the reason shown for closed ports changes from "reset" to "conn-refused": nmap only sees the kernel's ECONNREFUSED, not the RST itself.
# nmap -sT 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 18:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00081s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
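To see why -sT leaves a trace on the target, the added example below (not part of the original notes) performs a connect scan against a throwaway listener on 127.0.0.1. The listener stands in for the scanned service and counts the connections it accepts; the closed port is a bound-but-not-listening socket, which the kernel answers with RST.

```python
import socket
import threading
import time
from typing import Dict, List, Tuple


def start_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, List[Tuple[str, int]]]:
    """Stand-in for the scanned service: listen on an ephemeral loopback port and log each peer accepted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    accepted: List[Tuple[str, int]] = []

    def serve() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            accepted.append(peer)    # an -sT probe lands here (and in the app's log); an -sS probe never does
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, accepted


def connect_scan(host: str, port: int, timeout: float = 2.0) -> str:
    """One port of a connect scan: let the OS run the whole handshake and map the outcome to nmap's states."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                  # SYN/ACK came back and our ACK completed the connection
    except ConnectionRefusedError:
        return "closed"                # the kernel answered our SYN with RST; nmap shows "conn-refused"
    except OSError:
        return "filtered"              # timeout, or an unreachable error surfaced as a socket error
    finally:
        s.close()


def demo(host: str = "127.0.0.1") -> Dict[str, object]:
    """Scan one listening and one closed loopback port; report what the listener saw."""
    srv, accepted = start_listener(host)
    open_port = srv.getsockname()[1]
    # A bound but not listening socket reserves a port with no listener behind it, so the
    # kernel answers SYNs to it with RST: a guaranteed "closed" port for the demonstration.
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved.bind((host, 0))
    closed_port = reserved.getsockname()[1]
    try:
        open_state = connect_scan(host, open_port)
        deadline = time.time() + 2.0
        while not accepted and time.time() < deadline:
            time.sleep(0.01)           # let the accept thread record the peer
        closed_state = connect_scan(host, closed_port)
        return {
            "open_port_state": open_state,
            "closed_port_state": closed_state,
            "connections_seen_by_service": len(accepted),
        }
    finally:
        reserved.close()
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The "connections_seen_by_service" count is the point: a connect scan shows up in the target's accept path and therefore in application logs, which is the operational difference from the half-open SYN scan.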
UDP scan -sU
Reports open, closed, filtered and open|filtered. A UDP reply means open; an ICMP port unreachable means closed; other ICMP unreachable errors mean filtered; silence is open|filtered, because a service that ignores an empty datagram looks the same as a firewall dropping it. It is slow because closed ports are only detected through ICMP port unreachable replies, which Linux rate-limits to about one per second. Adding -sV sends protocol-specific payloads that can turn many open|filtered results into open.
# nmap -sU 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:12 CST
Nmap scan report for 192.168.0.106
Host is up (0.00070s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds
Scan every named port -p "*"
The "*" wildcard matches service names in nmap-services, not port numbers, so this scans every port that has a name there rather than all 65535: below, 8330 closed plus 22 open is 8352 ports. For a genuinely full TCP scan use -p- (the same as -p 1-65535).
# nmap -p "*" 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:18 CST
Nmap scan report for 192.168.0.106
Host is up (0.00082s latency).
Not shown: 8330 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
1536/tcp open ampr-inter
1537/tcp open sdsc-lm
1538/tcp open 3ds-lm
1539/tcp open intellistor-lm
1550/tcp open 3m-image-lm
1551/tcp open hecmtl-db
1653/tcp open alphatech-lm
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5040/tcp open unknown
5555/tcp open freeciv
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Scan the n most common ports --top-ports n
nmap accepted the single-dash spelling below, but the documented form is --top-ports. The stray "8100" in the command was parsed as a second target, not a port, which is why nmap reports "2 IP addresses (1 host up)".
# nmap -top-ports 10 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:20 CST
Nmap scan report for 192.168.0.106
Host is up (0.00022s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
25/tcp closed smtp
80/tcp open http
110/tcp closed pop3
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 2 IP addresses (1 host up) scanned in 3.17 seconds
Scan a specific port -p port
# nmap -p 8100 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-14 19:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00053s latency).
PORT STATE SERVICE
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
OS detection
OS detection is active: nmap sends up to 16 crafted TCP, UDP and ICMP probes and compares the replies with the fingerprints in nmap-os-db. The result is a probability-weighted guess, not a certainty, and it needs root because it relies on raw packets.
Basic OS detection -O
# nmap -O 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.50 seconds
Limit detection to hosts with at least one open and one closed port -O --osscan-limit
Fingerprints taken without both states are unreliable, so this skips hosts that cannot supply them and saves time on large ranges.
# nmap -O --osscan-limit 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:57 CST
Nmap scan report for 192.168.0.106
Host is up (0.00057s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista|Embedded Compact 7 (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_embedded_compact_7
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (95%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Server 2008 R2 SP1 (92%), Microsoft Windows 7 Professional (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 Ultimate (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.68 seconds
Guess more aggressively when there is no exact match -O --osscan-guess
Like any -O run this needs root.
# nmap -O --osscan-guess 192.168.0.106 192.168.0.155
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 09:56 CST
Nmap scan report for 192.168.0.106
Host is up (0.00061s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
5555/tcp open freeciv
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|Longhorn|7|2008|8.1|Vista (96%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_vista::sp2
Aggressive OS guesses: Microsoft Windows 10 1709 - 1803 (96%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Longhorn (95%), Microsoft Windows 7 or Windows Server 2008 R2 (93%), Microsoft Windows 10 10586 - 14393 (92%), Microsoft Windows 10 1507 - 1607 (92%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (92%), Microsoft Windows 7 or 8.1 R1 or Server 2008 R2 SP1 (92%), Microsoft Windows 7 or Windows Server 2008 (92%), Microsoft Windows 10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 6.73 seconds
Service scanning
Scan techniques
- Port scan: a SYN scan by default
- Service identification: send the probes from nmap-service-probes and match the reply against known signatures
- Version identification: parse the matched reply for product and version strings
Service and version detection -sV
A name followed by "?" (microsoft-ds?, ppp?, freeciv?) comes from the nmap-services port table, not from a matched banner, so treat it as a guess.
# nmap -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:19 CST
Nmap scan report for 192.168.0.106
Host is up (0.00034s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2269
2383/tcp open ms-olap4?
3000/tcp open ppp?
3306/tcp open mysql MariaDB (unauthorized)
5555/tcp open freeciv?
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8100/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
=====NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port3000-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu (raw escaped fingerprint; decoded, the probe/response pairs are:)
  GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie, TLSSessionReq, Kerberos -> HTTP/1.1 400 Bad Request (Content-Type: text/plain; charset=utf-8, Connection: close)
  GetRequest, HTTPOptions, FourOhFourRequest -> HTTP/1.0 302 Found, Location: /login, Set-Cookie: redirect_to=<requested path>; Path=/; HttpOnly; SameSite=Lax, with Cache-Control: no-cache, X-Content-Type-Options: nosniff, X-Frame-Options: deny and X-Xss-Protection: 1; mode=block
===NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)=======
SF-Port5555-TCP:V=7.92%I=7%D=6/15%Time=62A941D5%P=x86_64-pc-linux-gnu (decoded:)
  GenericLines, SIPOptions -> HTTP/1.0 200 OK with Cache-Control: no-cache, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, X-Content-Type-Options: nosniff, Content-Type: text/html and the body {"STATUS": "REDIRECT", "RESPONSE": "mlogin.html", "ExtendedResponse": [{"last_notification_change_ts" : ""}]}
  GetRequest, HTTPOptions, RTSPRequest -> HTTP/1.0 302 Found, Location: mlogin.html
  FourOhFourRequest -> HTTP/1.1 404 Not Found, Cache-Control: max-age=3600, must-revalidate
Both are HTTP services that push every visitor to a login page; nmap has no signature for either, so the port table shows them as ppp? and freeciv? (names taken from nmap-services, not from the banner), which is a reminder to browse to such ports by hand.
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.23 seconds
Save the results as XML -oX
-oN writes the normal output, -oG the greppable form and -oA all three at once; XML is the one to feed into other tools.
# nmap -oX nmap.xml 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 10:25 CST
Nmap scan report for 192.168.0.106
Host is up (0.00023s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
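The XML is the form to parse. The added example below (not from the original notes, and not the nmap project's own parser) reads an -oX document with the standard library into per-host records: open ports, the "Not shown" counts, which services -sV actually matched versus merely named from the port table, and the OS guesses from -O sorted by accuracy, so it serves both the OS detection and the -sV sections above. SAMPLE_XML is a constructed document in nmap's -oX layout using the services and guesses seen in those scans; it is not a file produced by them.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape nmap -oX writes (not a real capture), with values
# borrowed from the scans above so the results are recognisable.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX nmap.xml 192.168.0.106" version="7.92" start="1655259900">
<host starttime="1655259900" endtime="1655259932">
<status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.0.106" addrtype="ipv4"/>
<address addr="C8:FF:28:E8:B8:AD" addrtype="mac" vendor="Liteon Technology"/>
<ports>
<extraports state="closed" count="996"><extrareasons reason="reset" count="996"/></extraports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="http" product="Microsoft HTTPAPI httpd" version="2.0" extrainfo="SSDP/UPnP" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
<port protocol="tcp" portid="1433"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="ms-sql-s" product="Microsoft SQL Server 2014" version="12.00.2269" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="mysql" product="MariaDB" extrainfo="unauthorized" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset" reason_ttl="128"/>
<service name="ms-wbt-server" method="table" conf="3"/></port>
</ports>
<os>
<osmatch name="Microsoft Windows 7 or Windows Server 2008 R2" accuracy="93" line="70000"/>
<osmatch name="Microsoft Windows 10 1709 - 1803" accuracy="96" line="69000"/>
</os>
</host>
<runstats><finished time="1655259932" elapsed="32.10" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


@dataclass
class Port:
    proto: str
    number: int
    state: str
    reason: str
    service: str
    product: str
    version: str
    conf: int        # nmap's 1-10 confidence: 3 = name from nmap-services, 10 = probe matched


@dataclass
class Host:
    addr: str
    mac: str
    status: str
    ports: List[Port]
    not_shown: Dict[str, int]           # the "Not shown: N closed tcp ports" line, per state
    os_guesses: List[Tuple[str, int]]   # (name, accuracy), best first


def parse_nmap_xml(text: str) -> List[Host]:
    """Turn an nmap -oX document into Host records; fields nmap omitted become empty strings or 0."""
    root = ET.fromstring(text)
    hosts: List[Host] = []
    for h in root.iter("host"):
        addr = mac = ""
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr", "")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr", "")
        status_el = h.find("status")
        status = status_el.get("state", "unknown") if status_el is not None else "unknown"
        ports: List[Port] = []
        not_shown: Dict[str, int] = {}
        ports_el = h.find("ports")
        if ports_el is not None:
            for ex in ports_el.findall("extraports"):
                not_shown[ex.get("state", "")] = int(ex.get("count", "0"))
            for p in ports_el.findall("port"):
                st = p.find("state")
                sv = p.find("service")
                get = (lambda k: sv.get(k, "")) if sv is not None else (lambda k: "")
                ports.append(Port(
                    proto=p.get("protocol", ""),
                    number=int(p.get("portid", "0")),
                    state=st.get("state", "") if st is not None else "",
                    reason=st.get("reason", "") if st is not None else "",
                    service=get("name"), product=get("product"), version=get("version"),
                    conf=int(get("conf") or 0),
                ))
        guesses = [(m.get("name", ""), int(m.get("accuracy", "0"))) for m in h.iter("osmatch")]
        guesses.sort(key=lambda g: g[1], reverse=True)
        hosts.append(Host(addr, mac, status, ports, not_shown, guesses))
    return hosts


def open_ports(host: Host) -> List[int]:
    return sorted(p.number for p in host.ports if p.state == "open")


def identified_services(host: Host) -> Dict[int, str]:
    """Open ports where -sV matched a probe (product filled in), leaving out bare nmap-services names."""
    return {p.number: f"{p.product} {p.version}".strip()
            for p in host.ports if p.state == "open" and p.product}


def best_os_guess(host: Host) -> Optional[Tuple[str, int]]:
    return host.os_guesses[0] if host.os_guesses else None


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(host.addr, open_ports(host), identified_services(host), best_os_guess(host))
```

Splitting identified_services from open_ports mirrors the "?" convention in the normal output: port 445 is open but carries only a table name (conf 3), so it stays out of the version map until a banner is obtained.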
Scanning web servers
What a web server is built from (the inner layers are the target's own code, the outer layers off-the-shelf software):
- The application itself (internal)
- Programming language: PHP, JSP, ASP, ASP.NET (internal)
- Web server: IIS, Apache, Nginx, Tomcat (external)
- Operating system: Windows, Linux (external)
Enumerate the directory structure with dirb
In the run below /sec/web.xml answers 200 and /sec/WEB-INF/ is reported as a directory; a deployment descriptor reachable from the outside exposes servlet mappings and is worth following up.
# dirb http://192.168.0.106:8080/sec/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 15 10:34:09 2022
URL_BASE: http://192.168.0.106:8080/sec/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.106:8080/sec/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/1/
==> DIRECTORY: http://192.168.0.106:8080/sec/10/
==> DIRECTORY: http://192.168.0.106:8080/sec/13/
==> DIRECTORY: http://192.168.0.106:8080/sec/14/
==> DIRECTORY: http://192.168.0.106:8080/sec/15/
==> DIRECTORY: http://192.168.0.106:8080/sec/2/
==> DIRECTORY: http://192.168.0.106:8080/sec/20/
==> DIRECTORY: http://192.168.0.106:8080/sec/21/
==> DIRECTORY: http://192.168.0.106:8080/sec/22/
==> DIRECTORY: http://192.168.0.106:8080/sec/23/
==> DIRECTORY: http://192.168.0.106:8080/sec/24/
==> DIRECTORY: http://192.168.0.106:8080/sec/25/
==> DIRECTORY: http://192.168.0.106:8080/sec/3/
==> DIRECTORY: http://192.168.0.106:8080/sec/30/
==> DIRECTORY: http://192.168.0.106:8080/sec/32/
==> DIRECTORY: http://192.168.0.106:8080/sec/4/
==> DIRECTORY: http://192.168.0.106:8080/sec/42/
==> DIRECTORY: http://192.168.0.106:8080/sec/5/
==> DIRECTORY: http://192.168.0.106:8080/sec/7/
==> DIRECTORY: http://192.168.0.106:8080/sec/8/
==> DIRECTORY: http://192.168.0.106:8080/sec/9/
==> DIRECTORY: http://192.168.0.106:8080/sec/css/
==> DIRECTORY: http://192.168.0.106:8080/sec/upload/
http://192.168.0.106:8080/sec/web.xml (CODE:200|SIZE:1189)
==> DIRECTORY: http://192.168.0.106:8080/sec/WEB-INF/
---- Entering directory: http://192.168.0.106:8080/sec/1/ ----
http://192.168.0.106:8080/sec/1/index.htm (CODE:200|SIZE:248)
==> DIRECTORY: http://192.168.0.106:8080/sec/1/js/
==> DIRECTORY: http://192.168.0.106:8080/sec/1/jsp/
---- Entering directory: http://192.168.0.106:8080/sec/10/ ----
==> DIRECTORY: http://192.168.0.106:8080/sec/10/img/
http://192.168.0.106:8080/sec/10/index.html (CODE:200|SIZE:1107)
==> DIRECTORY: http://192.168.0.106:8080/sec/10/jsp/
…
---- Entering directory: http://192.168.0.106:8080/sec/1/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/1/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/img/ ----
---- Entering directory: http://192.168.0.106:8080/sec/10/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/13/jsp/ ----
---- Entering directory: http://192.168.0.106:8080/sec/15/image/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/js/ ----
---- Entering directory: http://192.168.0.106:8080/sec/20/jsp/ ----
…
Fingerprint the web server with whatweb
# whatweb http://192.168.0.106:8080/sec/
http://192.168.0.106:8080/sec/ [200 OK] Apache, Cookies[JSESSIONID], Country[RESERVED][ZZ], HTTPServer[Apache-Coyote/1.1], HttpOnly[JSESSIONID], IP[192.168.0.106], Java, Title[WEB 安全测试实验]
Scanning for known vulnerabilities with NSE
Run a single script
NSE scripts only run against ports whose service matches their portrule; ftp-vsftpd-backdoor targets FTP, and this host has no FTP port open, so the output is just the port list.
# nmap --script ftp-vsftpd-backdoor 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:16 CST
Nmap scan report for 192.168.0.106
Host is up (0.00099s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Nmap done: 1 IP address (1 host up) scanned in 2.53 seconds
Scan by script category
Basic use --script vuln
Scripts live in /usr/share/nmap/scripts; category names such as vuln are resolved through script.db in that directory.
# nmap --script vuln 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:21 CST
Nmap scan report for 192.168.0.106
Host is up (0.00066s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_ /reports/: Potentially interesting folder (401 Unauthorized)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_http-trace: TRACE is enabled
| http-enum:
| /examples/: Sample scripts
| /test.php: Test page
| /PMA/: phpMyAdmin
| /pma/: phpMyAdmin
| /active/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /demo/: Potentially interesting folder
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.23 (win32) openssl/1.0.2h php/5.6.28'
| /sec/: Potentially interesting folder
| /server-info/: Potentially interesting folder
|_ /server-status/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
902/tcp open iss-realsecure
912/tcp open apex-mesh
1433/tcp open ms-sql-s
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.securityfocus.com/bid/70574
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
2383/tcp open ms-olap4
3000/tcp open ppp
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5555/tcp open freeciv
8009/tcp open ajp13
8080/tcp open http-proxy
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /examples/: Sample scripts
| /test.html: Test page
| /manager/html/upload: Apache Tomcat (401 Unauthorized)
| /manager/html: Apache Tomcat (401 Unauthorized)
| /docs/: Potentially interesting folder
|_ /sec/: Potentially interesting folder
8100/tcp open xprint-server
MAC Address: C8:FF:28:E8:B8:AD (Liteon Technology)
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 329.10 seconds
Scanning with the third-party vulscan script
Install
# cd /usr/share/nmap/scripts
# git clone https://github.com/scipag/vulscan.git
This adds a vulscan directory.
Update the databases
# cd /usr/share/nmap/scripts/vulscan/utilities/updater
# chmod +x updateFiles.sh
# ./updateFiles.sh
This is very slow.
Use
-sV is required: vulscan matches the product and version strings that -sV identifies against its CSV databases, so it finds nothing for ports reported only as a bare service name.
Scan against every database
# nmap --script=vulscan/vulscan.nse -sV 192.168.0.106
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-15 11:50 CST
Scan against a single database
# nmap --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -sV 192.168.0.106
Dedicated vulnerability scanners
- Rapid7 Nexpose (commercial, partly free)
- Tenable Nessus (commercial, partly free)
- OpenVAS (free)
Scanning web applications
OWASP Top 10 (2017)
Each factor is rated 1 to 3, with 3 the worst case (easiest to exploit, most widespread, easiest to detect, most severe impact).
No. | Name | Exploitability | Prevalence | Detectability | Technical impact |
---|---|---|---|---|---|
A1 | Injection | 3 | 2 | 3 | 3 |
A2 | Broken Authentication | 3 | 2 | 2 | 3 |
A3 | Sensitive Data Exposure | 2 | 3 | 2 | 3 |
A4 | XML External Entities (XXE) | 2 | 2 | 3 | 3 |
A5 | Broken Access Control | 2 | 2 | 2 | 3 |
A6 | Security Misconfiguration | 3 | 3 | 3 | 2 |
A7 | Cross-Site Scripting (XSS) | 3 | 3 | 3 | 2 |
A8 | Insecure Deserialization | 1 | 2 | 2 | 3 |
A9 | Using Components with Known Vulnerabilities | 2 | 3 | 2 | 2 |
A10 | Insufficient Logging and Monitoring | 2 | 3 | 1 | 2 |
Using ZAP (zaproxy)
# apt install zaproxy
# zaproxy
RIPS, a PHP code audit tool
Scans PHP source: download rips-0.55, place it under htdocs and open http://IP/rips-0.55 in a browser.
Netcat scanning
Check a single port
Without -z, nc opens a full connection and then waits for input on stdin; add -z (zero-I/O mode, for example nc -vz host port) when only the open/refused verdict is wanted.
# nc -v 192.168.0.106 8080
192.168.0.106: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.106] 8080 (http-alt) open