Nmap (Network Mapper) is a scanning tool commonly used in penetration testing: it scans IP addresses and ports on a network and detects the applications installed on hosts. Whether used as a network security tool or as a hacker tool, Nmap is very powerful; it even appears in the film The Matrix Reloaded, where it is used to break into a power plant's energy management system. This article covers installing Nmap and its commonly used commands.
Nmap overview and installation
Nmap website: https://nmap.org/
Nmap features
Nmap uses raw IP packets to determine which hosts are available on the network, which services (application name and version) they offer, which operating systems (and OS versions) they run, what kind of packet filters/firewalls are in use, and other characteristics. Nmap runs on all major operating systems, including Linux, Windows and Mac OS.
- Nmap can check whether a host is up, which can be used to monitor host or service uptime
- Quickly identifies devices on the network, including servers, routers, switches and mobile devices
- Helps identify the services running on a system, including web servers, DNS servers and other common applications. Nmap can also detect application versions, which helps in finding vulnerabilities
- Finds details of the operating system running on a device
- In vulnerability scanning, Nmap scripts can be used to attack systems
Nmap ships with the following tools:
- Zenmap graphical interface: can draw a network map
- Ncat: data transfer, redirection and debugging tool
- Ndiff: compares scan results
- Nping: packet generation and response analysis tool
Installing Nmap
CentOS 7
Linux installation: https://nmap.org/book/inst-linux.html#inst-rpm
$ rpm -vhU https://nmap.org/dist/nmap-7.91-1.x86_64.rpm
You can also download the rpm first and then install it:
$ rpm -vhU nmap-7.91-1.x86_64.rpm
Check the nmap version:
[root@server ~]# nmap -version
Nmap version 7.91 ( https://nmap.org )
Platform: x86_64-redhat-linux-gnu
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 nmap-libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
[root@Client ~]#
Windows
- Download the exe installer and double-click it to install; untick npcap and leave the other options at their defaults
- Install npcap separately; download: https://nmap.org/npcap/#download
After installation npcap is added to the PATH environment variable by default, so no manual step is needed.
D:\software\Nmap>nmap --version
Nmap version 7.91 ( https://nmap.org )
Platform: i686-pc-windows-windows
Compiled with: nmap-liblua-5.3.5 openssl-1.1.1h nmap-libssh2-1.9.0 nmap-libz-1.2.11 nmap-libpcre-7.6 Npcap-1.10 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: iocp poll select
D:\software\Nmap>
Installation on other systems: https://nmap.org/download.html
Nmap commands
Show the help:
$ nmap -h
Scan a single host
$ nmap 192.168.20.9
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 16:29 CST
Nmap scan report for 192.168.20.9
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:0C:29:BB:0C:02 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 13.15 seconds
Scan multiple hosts
Scan several hosts at once:
$ nmap 192.168.20.9 192.168.20.8
$ nmap 192.168.20.*
$ nmap 192.168.20.8,9,10
$ nmap 192.168.20.8-255
Stealth scan
Sends a SYN packet and analyses the response. A SYN/ACK reply means the port is open and a TCP connection could be established.
$ nmap -sS 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 17:15 CST
Nmap scan report for 39.99.181.194
Host is up (0.077s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp closed telnet
3306/tcp open mysql
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 30.31 seconds
Version scan
Finds the version of each application. Once the versions running on the target are known, existing vulnerabilities for those specific versions can be looked up in the Common Vulnerabilities and Exposures (CVE) database, and tools such as Metasploit can then be used to attack the machine.
$ nmap -sV 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 17:37 CST
Nmap scan report for 39.99.181.194
Host is up (0.066s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
23/tcp closed telnet
3306/tcp open mysql MySQL 5.7.29
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.26 seconds
OS detection
Nmap can also use TCP/IP fingerprinting to report on the underlying operating system. During an OS scan Nmap also tries to determine the system's uptime.
$ nmap -O 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 17:49 CST
Nmap scan report for 39.99.181.194
Host is up (0.061s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3389/tcp closed ms-wbt-server
Aggressive OS guesses: Linux 5.1 (94%), Linux 3.10 - 4.11 (92%), HP P2000 G3 NAS device (91%), Linux 3.2 - 4.9 (91%), Linux 3.16 - 4.6 (90%), Linux 2.6.32 (90%), Linux 5.0 (90%), Ubiquiti AirOS 5.5.9 (90%), Linux 4.4 (90%), Linux 5.0 - 5.4 (89%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.84 seconds
Aggressive scan mode (the -A option) enables OS detection (-O) and version scanning (-sV), returning both system and version information.
$ nmap -A 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-12 14:40 CST
Nmap scan report for 39.99.181.194
Host is up (0.056s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 06:56:59:1d:73:7d:8f:e0:e0:0c:65:fa:75:4b:61:0b (RSA)
| 256 3b:2e:45:69:49:7a:b2:fa:06:42:d2:1f:4a:c8:e6:2a (ECDSA)
|_ 256 6b:a5:e5:b7:39:28:1b:03:e0:c1:6b:2b:fb:19:f0:7b (ED25519)
23/tcp closed telnet
3306/tcp open mysql MySQL 5.7.29
| mysql-info:
| Protocol: 10
| Version: 5.7.29
| Thread ID: 35
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolNew, Speaks41ProtocolOld, SwitchToSSLAfterHandshake, IgnoreSigpipes, InteractiveClient, DontAllowDatabaseTableColumn, FoundRows, LongPassword, SupportsTransactions, ODBCClient, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsLoadDataLocal, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x1E7aZ5\x07%|\x02+\x01_#\x1B6FX~\x07
|_ Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_5.7.29_Auto_Generated_Server_Certificate
| Not valid before: 2020-06-17T09:36:07
|_Not valid after: 2030-06-15T09:36:07
|_ssl-date: TLS randomness does not represent time
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Aggressive OS guesses: Linux 5.1 (94%), Linux 3.10 - 4.11 (92%), HP P2000 G3 NAS device (91%), Linux 3.2 - 4.9 (91%), Linux 3.16 - 4.6 (90%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Linux 4.4 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 1.00 ms 192.168.101.1
2 6.00 ms 120.237.96.81
3 8.00 ms 183.233.126.85
4 8.00 ms 211.136.248.81
5 12.00 ms 221.183.39.157
6 75.00 ms 221.183.37.137
7 ...
8 51.00 ms 111.13.0.173
9 44.00 ms 39.156.0.37
10 52.00 ms 39.156.7.249
11 ... 12
13 54.00 ms 116.251.124.194
14 ... 15
16 61.00 ms 39.99.181.194
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.85 seconds
Port scan
Use the -p option to scan a single port:
$ nmap -p 3306 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-16 17:35 CST
Nmap scan report for 39.99.181.194
Host is up (0.049s latency).
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.99 seconds
Specify the port's protocol, for example TCP:
$ nmap -p T:3306 39.99.181.194
Specify a port range:
$ nmap -p 22-8080 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-16 17:38 CST
Nmap scan report for 39.99.181.194
Host is up (0.052s latency).
Not shown: 8054 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
3306/tcp open mysql
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 22.10 seconds
Scan the 10 most commonly used ports:
$ nmap --top-ports 10 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-16 17:41 CST
Nmap scan report for 39.99.181.194
Host is up (0.15s latency).
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
23/tcp open telnet
25/tcp filtered smtp
80/tcp filtered http
110/tcp filtered pop3
139/tcp filtered netbios-ssn
443/tcp filtered https
445/tcp filtered microsoft-ds
3389/tcp filtered ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 5.29 seconds
TCP connect scan:
$ nmap -sT 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 16:47 CST
Nmap scan report for 39.99.181.194
Host is up (0.049s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
110/tcp open pop3
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 49.29 seconds
TCP SYN scan (half-open scan):
A SYN scan is fast, scanning thousands of ports per second, because it never completes the TCP connection.
$ nmap -sS 39.99.181.194
UDP scan:
UDP scans are generally slow. DNS, SNMP and DHCP (ports 53, 161/162 and 67/68) are the three most common UDP services.
$ nmap -sU 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 16:49 CST
Nmap scan report for 39.99.181.194
Host is up (0.052s latency).
All 1000 scanned ports on 39.99.181.194 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 59.64 seconds
open|filtered means Nmap cannot determine whether the port is open or filtered.
UDP scans are slower than TCP scans because UDP is connectionless: Nmap cannot distinguish an open port whose application silently discards the probe, a port whose packets are dropped by a firewall, and a probe lost in transit because of network congestion. For closed ports (ICMP port unreachable) Nmap likewise cannot tell whether the port is firewalled or the packet was lost. Unless the port returns data or an ICMP unreachable message, Nmap has to send several packets to rule out rate limiting or packet loss.
Scan speed can be improved (at the cost of accuracy) with the following options:
- --min-rate: for example --min-rate 5000 sends at least 5000 packets per second
- --max-rtt-timeout: controls how long nmap waits for a response; it must be more than 5ms, and a suitable value can be estimated with ping. --max-rtt-timeout 0.005 is a 5ms wait
- --max-retries: sets the number of retries; --max-retries 1 retries once
- --max-scan-delay: sets the delay between probes, used when a host responds slowly
$ nmap -sU --min-rate 5000 39.99.181.194
Null scan (-sN):
No flags are set (the TCP flag header is 0).
$ nmap -sN 39.99.181.194
FIN scan (-sF):
Only the TCP FIN flag is set.
$ nmap -sF 39.99.181.194
Xmas scan (-sX):
Sets the FIN, PSH and URG flags.
$ nmap -sX 39.99.181.194
TCP ACK scan:
Used to map firewall rules: whether they are stateful or stateless, and which ports are filtered.
$ nmap -sA 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 17:07 CST
Nmap scan report for 39.99.181.194
Host is up (0.053s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp unfiltered ssh
23/tcp unfiltered telnet
3306/tcp unfiltered mysql
3389/tcp unfiltered ms-wbt-server
8080/tcp unfiltered http-proxy
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
IP protocol scan:
Determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports.
$ nmap -sO 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 17:11 CST
Nmap scan report for 39.99.181.194
Host is up (0.054s latency).
Not shown: 255 open|filtered protocols
PROTOCOL STATE SERVICE
1 open icmp
Nmap done: 1 IP address (1 host up) scanned in 16.49 seconds
Ping scan: check whether the target host is online
$ nmap -sP 39.99.181.194
Scan targets from a file
If there are many IP addresses to scan, put them in a file and scan from it:
$ nmap -iL nmap_test.txt
Scan log
The -v option prints the scan log:
$ nmap -v -p 3306 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-16 17:51 CST
Initiating Ping Scan at 17:51
Scanning 39.99.181.194 [4 ports]
Completed Ping Scan at 17:51, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:51
Completed Parallel DNS resolution of 1 host. at 17:51, 0.35s elapsed
Initiating SYN Stealth Scan at 17:51
Scanning 39.99.181.194 [1 port]
Discovered open port 3306/tcp on 39.99.181.194
Completed SYN Stealth Scan at 17:51, 0.05s elapsed (1 total ports)
Nmap scan report for 39.99.181.194
Host is up (0.049s latency).
PORT STATE SERVICE
3306/tcp open mysql
Read data files from: D:\software\Nmap
Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (72B)
D:\software\Nmap>
Save the results to a file; the supported formats include text and XML:
$ nmap -oN output.txt 39.99.181.194
$ nmap -oX output.xml 39.99.181.194
or
$ nmap -oA output 39.99.181.194
which produces output.xml, output.nmap and output.gnmap.
NSE scripts
NSE (Nmap Scripting Engine) is a very powerful penetration-testing facility that lets users write automation scripts for all kinds of network tasks. Scripts are written in Lua; you can write your own to fit your needs or modify existing ones. Nmap currently bundles more than 600 scripts; see https://nmap.org/nsedoc/
Syntax:
$ nmap --script <filename>
$ nmap -sC # run a script scan with the default script set, equivalent to --script=default
Separate multiple scripts with commas.
NSE script categories
NSE is activated with the -sC option (or --script) and mainly provides the following functions:
- Network discovery: scan target host information, services, etc.
- Version detection: detect application versions
- Vulnerability detection: scan for system vulnerabilities
- Backdoor detection
- Attack and exploitation of vulnerabilities
NSE scripts fall into the following 14 categories:
- auth: authentication
- broadcast: discover hosts not listed by broadcasting on the local network
- brute: guess the authentication credentials of remote services by brute force
- default: scripts run by default with the -sC or -A options, for example identd-owners, http-auth and ftp-anon.
- discovery: learn more about the network by querying public registries, SNMP-enabled devices, directory services and so on
- dos: test for denial-of-service vulnerabilities
- exploit: actively exploit certain vulnerabilities
- external: send data to third-party databases or other network resources, for example whois-ip connects to a whois server to look up the target address
- fuzzer: send random fields in each packet, useful for finding software defects and vulnerabilities
- intrusive: may consume a lot of the target's resources; high risk, may crash the target system
- malware: test whether the target platform is infected with malware or backdoors
- safe: safe scripts that do not attack and do not use large amounts of bandwidth or other resources
- version: version detection
- vuln: check for specific known vulnerabilities, usually only reporting findings
NSE script examples
discovery
mysql-info: prints the MySQL server version, protocol, thread ID, password salt and other information
$ nmap -sV --script=mysql-info 39.99.181.194
Nmap scan report for 39.99.181.194
Host is up (0.064s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
23/tcp open telnet Linux telnetd
3306/tcp open mysql MySQL 5.7.29
| mysql-info:
| Protocol: 10
| Version: 5.7.29
| Thread ID: 33
| Capabilities flags: 65535
| Some Capabilities: LongColumnFlag, SupportsLoadDataLocal, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, FoundRows, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolNew, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, LongPassword, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt:
| =\x06Dq\x17Z|W'\x1F:\x1C)\x07`Bx,D
|_ Auth Plugin Name: mysql_native_password
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
auth
ssh-auth-methods: returns the authentication methods supported by the SSH server
$ nmap --script=ssh-auth-methods 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 16:03 中国标准时间
Nmap scan report for 39.99.181.194
Host is up (0.069s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
| gssapi-with-mic
|_ password
23/tcp open telnet
3306/tcp open mysql
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
Nmap done: 1 IP address (1 host up) scanned in 60.76 seconds
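The -oX report described in the output section and the ssh-auth-methods result above are more useful to a defender once they are machine-readable. The following Python is an added example, not code from the original post or from the Nmap project: it parses an Nmap XML report (a constructed sample modelled on the scans above; the `<table>`/`<elem>` layout of the script result is an assumption) into an open-port inventory, flags SSH hosts that still allow password authentication, and compares two inventories the way Ndiff does to surface newly opened ports.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the scans above (not real nmap output); the
# host/port/state/service layout follows nmap's XML schema, the table/elem
# layout used for the script result is an assumption.
SAMPLE_XML = """<nmaprun scanner="nmap" version="7.91">
 <host><status state="up"/><address addr="39.99.181.194" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.0"/>
    <script id="ssh-auth-methods" output=""><table key="Supported authentication methods">
     <elem>publickey</elem><elem>password</elem></table></script></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
   <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
  </ports>
 </host>
</nmaprun>"""


def open_ports(xml_text):
    """Map each scanned address to its open ports as sorted (port, proto, service) tuples."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed / filtered / open|filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            entries.append((int(port.get("portid")), port.get("protocol"), name))
        inventory[addr] = sorted(entries)
    return inventory


def ssh_password_auth_hosts(xml_text):
    """Addresses where ssh-auth-methods reports that password login is still allowed."""
    flagged = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for script in host.iter("script"):
            if script.get("id") == "ssh-auth-methods":
                if "password" in {e.text for e in script.iter("elem")}:
                    flagged.append(addr)
    return flagged


def newly_open(before, after):
    """Ports open in the later inventory but absent from the earlier one (a tiny Ndiff)."""
    return {a: sorted(set(after[a]) - set(before.get(a, []))) for a in after}
```

Run the inventory on a baseline scan and a fresh scan of the same hosts; anything returned by newly_open is exposure that did not exist at the baseline and should be explained or closed.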
brute
Brute forcing
Brute-force the SSH service:
$ nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 16:11 CST
NSE: [ssh-brute] Trying username/password pair: root:root
NSE: [ssh-brute] Trying username/password pair: admin:admin
NSE: [ssh-brute] Trying username/password pair: administrator:administrator
NSE: [ssh-brute] Trying username/password pair: webadmin:webadmin
NSE: [ssh-brute] Trying username/password pair: sysadmin:sysadmin
NSE: [ssh-brute] Trying username/password pair: netadmin:netadmin
NSE: [ssh-brute] Trying username/password pair: guest:guest
NSE: [ssh-brute] Trying username/password pair: user:user
NSE: [ssh-brute] Trying username/password pair: web:web
NSE: [ssh-brute] Trying username/password pair: test:test
......
FTP brute force:
$ nmap --script ftp-brute -p 21 <host>
mysql-enum: enumerate valid MySQL users
$ nmap -p 3306 --script=mysql-enum 39.99.181.194
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 16:19 CST
Nmap scan report for 39.99.181.194
Host is up (0.23s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| guest:<empty> - Valid credentials
| test:<empty> - Valid credentials
| web:<empty> - Valid credentials
| sysadmin:<empty> - Valid credentials
| administrator:<empty> - Valid credentials
| webadmin:<empty> - Valid credentials
| admin:<empty> - Valid credentials
| user:<empty> - Valid credentials
|_ Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
Nmap done: 1 IP address (1 host up) scanned in 9.15 seconds
mysql-brute: password cracking
$ nmap --script=mysql-brute -p 3306 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-22 16:24 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0010s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-brute:
| Accounts:
| admin:admin - Valid credentials
| root:123456 - Valid credentials
|_ Statistics: Performed 40012 guesses in 20 seconds, average tps: 2000.6
Nmap done: 1 IP address (1 host up) scanned in 21.36 seconds
Zenmap visualisation
Zenmap is Nmap's graphical interface.
Summary
This article briefly covered installing the nmap tool, some commonly used scan commands, NSE scripts and a demonstration of the Zenmap visual front end. nmap is a powerful penetration-testing tool with a rich set of commands and scripts, the "Swiss Army knife" of networking. For more usage see the official Nmap site: https://nmap.org/ , which documents the tool in detail along with more advanced usage. Chinese documentation: https://nmap.org/man/zh/