目前常見的端口掃描技術一般有如下幾類: TCP Connect、TCP SYN、TCP ACK、TCP FIN。
Metasploit中的端口掃描器
Metasploit的輔助模塊中提供了幾款實用的端口掃描器。可以輸入search portscan命令找到相關的端口掃描器。如下
root@kali:~# msfconsole ...... msf > search portscan Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner auxiliary/scanner/portscan/tcp normal TCP Port Scanner auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner msf >
Metasploit中ack掃描模塊的使用過程
msf > use auxiliary/scanner/portscan/ack msf auxiliary(ack) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(ack) > set THREADS 20 THREADS => 20 msf auxiliary(ack) > run
Metasploit中ftpbounce掃描模塊的使用過程
msf > use auxiliary/scanner/portscan/ftpbounce msf auxiliary(ftpbounce) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(ftpbounce) > set THREADS 20 THREADS => 20 msf auxiliary(ftpbounce) > run [-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST. msf auxiliary(ftpbounce) >
Metasploit中tcp掃描模塊的使用過程
msf > use auxiliary/scanner/portscan/tcp msf auxiliary(tcp) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(tcp) > set THREADS 20 THREADS => 20 msf auxiliary(tcp) > run [*] 202.193.58.13: - 202.193.58.13:25 - TCP OPEN [*] 202.193.58.13: - 202.193.58.13:22 - TCP OPEN [*] 202.193.58.13: - 202.193.58.13:21 - TCP OPEN [*] 202.193.58.13: - 202.193.58.13:23 - TCP OPEN
Metasploit中xmas掃描模塊的使用過程
msf > use auxiliary/scanner/portscan/xmas msf auxiliary(xmas) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(xmas) > set THREADS 20 THREADS => 20 msf auxiliary(xmas) > run [*] TCP OPEN|FILTERED 202.193.58.13:1 [*] TCP OPEN|FILTERED 202.193.58.13:2 [*] TCP OPEN|FILTERED 202.193.58.13:3 [*] TCP OPEN|FILTERED 202.193.58.13:4 [*] TCP OPEN|FILTERED 202.193.58.13:5 [*] TCP OPEN|FILTERED 202.193.58.13:6 [*] TCP OPEN|FILTERED 202.193.58.13:7 [*] TCP OPEN|FILTERED 202.193.58.13:8 [*] TCP OPEN|FILTERED 202.193.58.13:9 [*] TCP OPEN|FILTERED 202.193.58.13:10 [*] TCP OPEN|FILTERED 202.193.58.13:11 [*] TCP OPEN|FILTERED 202.193.58.13:12 [*] TCP OPEN|FILTERED 202.193.58.13:13 [*] TCP OPEN|FILTERED 202.193.58.13:14 [*] TCP OPEN|FILTERED 202.193.58.13:15 [*] TCP OPEN|FILTERED 202.193.58.13:16 [*] TCP OPEN|FILTERED 202.193.58.13:17 [*] TCP OPEN|FILTERED 202.193.58.13:18 [*] TCP OPEN|FILTERED 202.193.58.13:19 [*] TCP OPEN|FILTERED 202.193.58.13:20 [*] TCP OPEN|FILTERED 202.193.58.13:21 [*] TCP OPEN|FILTERED 202.193.58.13:22 [*] TCP OPEN|FILTERED 202.193.58.13:23 [*] TCP OPEN|FILTERED 202.193.58.13:24 [*] TCP OPEN|FILTERED 202.193.58.13:25 [*] TCP OPEN|FILTERED 202.193.58.13:26 [*] TCP OPEN|FILTERED 202.193.58.13:27 [*] TCP OPEN|FILTERED 202.193.58.13:28 [*] TCP OPEN|FILTERED 202.193.58.13:29 [*] TCP OPEN|FILTERED 202.193.58.13:30 [*] TCP OPEN|FILTERED 202.193.58.13:31 [*] TCP OPEN|FILTERED 202.193.58.13:32 [*] TCP OPEN|FILTERED 202.193.58.13:33 [*] TCP OPEN|FILTERED 202.193.58.13:34 [*] TCP OPEN|FILTERED 202.193.58.13:35 [*] TCP OPEN|FILTERED 202.193.58.13:36 [*] TCP OPEN|FILTERED 202.193.58.13:37 [*] TCP OPEN|FILTERED 202.193.58.13:38 [*] TCP OPEN|FILTERED 202.193.58.13:39 [*] TCP OPEN|FILTERED 202.193.58.13:40 [*] TCP OPEN|FILTERED 202.193.58.13:41 [*] TCP OPEN|FILTERED 202.193.58.13:42 [*] TCP OPEN|FILTERED 202.193.58.13:43 [*] TCP OPEN|FILTERED 202.193.58.13:44 [*] TCP OPEN|FILTERED 202.193.58.13:45 [*] TCP OPEN|FILTERED 202.193.58.13:46 [*] TCP OPEN|FILTERED 202.193.58.13:47 [*] TCP OPEN|FILTERED 202.193.58.13:48 [*] TCP OPEN|FILTERED 202.193.58.13:49
Metasploit中syn掃描模塊的使用過程
在一般的情況下,推薦使用syn端口掃描器,因為它的掃描速度較快、結果准確切不容易被對方察覺。下面是針對網關服務器(Ubuntu Metasploitable)主機的掃描結果,可以看出與Nmap的掃描結果基本一致。如下。
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(syn) > set THREADS 20 THREADS => 20 msf auxiliary(syn) > run [*] TCP OPEN 202.193.58.13:21 [*] TCP OPEN 202.193.58.13:22 [*] TCP OPEN 202.193.58.13:23 [*] TCP OPEN 202.193.58.13:25 [*] TCP OPEN 202.193.58.13:53 [*] TCP OPEN 202.193.58.13:80 [*] TCP OPEN 202.193.58.13:111 [*] TCP OPEN 202.193.58.13:139 [*] TCP OPEN 202.193.58.13:445 [*] TCP OPEN 202.193.58.13:512 [*] TCP OPEN 202.193.58.13:513
當然,大家也可以拿下面的主機來掃描
Metasploit中sap_router_portscanner掃描模塊的使用過程
msf > use auxiliary/scanner/sap/sap_router_portscanner msf auxiliary(sap_router_portscanner) > set RHOSTS 202.193.58.13 RHOSTS => 202.193.58.13 msf auxiliary(sap_router_portscanner) > set THREADS 20 THREADS => 20 msf auxiliary(sap_router_portscanner) > run [-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOST, TARGETS. msf auxiliary(sap_router_portscanner) >
Metasploit中也可以使用namp
常用nmap掃描類型參數:
-sT:TCP connect掃描
-sS:TCP syn掃描
-sF/-sX/-sN:通過發送一些標志位以避開設備或軟件的檢測
-sP:ICMP掃描
-sU:探測目標主機開放了哪些UDP端口
-sA:TCP ACk掃描
掃描選項:
-Pn:在掃描之前,不發送ICMP echo請求測試目標是否活躍
-O:辨識操作系統等信息
-F:快速掃描模式
-p<端口范圍>:指定端口掃描范圍
msf auxiliary(syn) > nmap -sS -Pn 202.193.58.13 [*] exec: nmap -sS -Pn 202.193.58.13 Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:17 CST Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13) Host is up (0.0014s latency). Not shown: 977 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 512/tcp open exec 513/tcp open login 514/tcp open shell 1099/tcp open rmiregistry 1524/tcp open ingreslock 2049/tcp open nfs 2121/tcp open ccproxy-ftp 3306/tcp open mysql 5432/tcp open postgresql 5900/tcp open vnc 6000/tcp open X11 6667/tcp open irc 8009/tcp open ajp13 8180/tcp open unknown MAC Address: 84:AD:58:82:49:5C (Unknown) Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds msf auxiliary(syn) >
msf auxiliary(syn) > nmap -sV -Pn 202.193.58.13 [*] exec: nmap -sV -Pn 202.193.58.13 Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:18 CST Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13) Host is up (0.0016s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd 53/tcp open domain? 80/tcp open http? 111/tcp open rpcbind? 139/tcp open netbios-ssn? 445/tcp open microsoft-ds? 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open shell Netkit rshd 1099/tcp open rmiregistry? 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs? 2121/tcp open ccproxy-ftp? 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 5432/tcp open postgresql? 5900/tcp open vnc VNC (protocol 3.3) 6000/tcp open X11? 6667/tcp open irc Unreal ircd 8009/tcp open ajp13? 8180/tcp open unknown MAC Address: 84:AD:58:82:49:5C (Unknown) Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 22.50 seconds msf auxiliary(syn) >
可以,與下面進行對比。
kali 2.0 linux中的Nmap的端口掃描功能
當然,大家也可以拿下面的主機來掃描
