nmap and nc scanning tools

1  Probing server information with nmap and nc; checking the web server type with curl

2  Privilege escalation on CentOS 6

3  Hands-on: using tcpdump packet captures to troubleshoot a compromised server that cannot reach the network

1.1  Installing nmap

1. What nmap is: nmap is a network exploration and security scanning program. Administrators and individuals can use it to scan large networks and find out which hosts are up and what services they offer. It supports many scan techniques, among them UDP, TCP connect(), TCP SYN (half-open), FTP bounce, reverse-ident, ICMP ping sweep, FIN, ACK, Xmas tree and Null scans, and it can also fingerprint the target's operating system.

[root@k9 ~]# yum install nmap -y

1.2  Using nmap

Scan the local host with nmap

[root@k9 ~]# nmap 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:38 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql

Scan another server on the LAN. nmap is running as root here, so even without a scan-type flag it defaults to a SYN scan (the "SYN Stealth Scan" in the -v output), and because the target sits on the same Ethernet segment it discovers the host with an ARP ping rather than ICMP.

[root@k9 ~]# nmap -v 192.168.1.94

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:45 CST
Initiating ARP Ping Scan at 23:45
Scanning 192.168.1.94 [1 port]
Completed ARP Ping Scan at 23:45, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:45
Completed Parallel DNS resolution of 1 host. at 23:45, 13.01s elapsed
Initiating SYN Stealth Scan at 23:45
Scanning 192.168.1.94 [1000 ports]
Discovered open port 3306/tcp on 192.168.1.94
Discovered open port 80/tcp on 192.168.1.94
Discovered open port 22/tcp on 192.168.1.94
Completed SYN Stealth Scan at 23:45, 0.09s elapsed (1000 total ports)
Nmap scan report for 192.168.1.94
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:85:54:01 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040

Scan a port range: ports 1-65535

[root@k9 ~]# nmap -p 1-65535 192.168.1.94

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:49 CST
Nmap scan report for 192.168.1.94
Host is up (0.00018s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:85:54:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 19.12 seconds

lsof -i :22    # which process is using port 22 (PID 789 is the listening daemon; 1463 is the child handling the session from 192.168.1.9)

[root@k9 ~]# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 789 root 3u IPv4 20503 0t0 TCP *:ssh (LISTEN)
sshd 789 root 4u IPv6 20512 0t0 TCP *:ssh (LISTEN)
sshd 1463 root 3u IPv4 21558 0t0 TCP k9:ssh->192.168.1.9:51177 (ESTABLISHED)

Use ps to find the process behind that PID:

[root@k9 ~]# ps -aux |grep 1463
root 1463 0.0 0.2 160888 5588 ? Ss Sep17 0:00 sshd: root@pts/0

Note: for a legitimate service the PID should lead back to a binary that a package installed; sshd lives at /usr/sbin/sshd. Be aware that the ps line above shows the process title (sshd: root@pts/0), not a path, and a process can set its own title to anything, so the title alone proves nothing. If no concrete executable path can be found for the command, meaning the suspected trojan can be run from a bash prompt by name alone, use which to locate the file and rpm -qf to check whether any package owns it, for example:

[root@k9~]# which  vim

/usr/bin/vim 

Fix:

[root@k9 ~]# kill -9 1463 

Summary: this approach is mainly for finding the backdoor port an attacker is listening on and the path where the trojan binary is stored. Two caveats: kill only ends the running process, so the binary and whatever restarts it (cron, rc.local, an init script) must be removed as well or it will be back; and PID 1463 in this walkthrough is the administrator's own SSH session from 192.168.1.9 (the physical host scanned further down), so killing it here illustrates the command rather than a real cleanup.
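The same triage done without trusting lsof or netstat, as an added example that is not part of the original post. A rootkit that replaces those tools can hide its socket from them, so this script reads the listening sockets straight from /proc/net/tcp, follows the socket inode to /proc/<pid>/fd to find the owning PID, resolves the real binary through /proc/<pid>/exe, and asks rpm -qf who owns it. The sample /proc/net/tcp text is constructed from the hosts above; the port 4444 listener and all inode numbers are invented to stand in for a backdoor.

```python
#!/usr/bin/env python3
"""Who is listening on a port, read straight from /proc (added example, not the post's code).

A rootkit that replaces lsof or netstat can hide its socket from them, but /proc/net/tcp
and the socket:[inode] links under /proc/<pid>/fd come from the kernel. SAMPLE_PROC_NET_TCP
is constructed from the hosts in the post; the 4444 listener and all inodes are invented.
"""
import os
import subprocess
from collections import namedtuple

Socket = namedtuple("Socket", "local_ip local_port remote_ip remote_port state inode")

# Column "st" of /proc/net/tcp; 0A is LISTEN.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed sample: sshd listening on 22 (0x0016), a session from 192.168.1.9:51177 as in
# the lsof output above, and a hypothetical backdoor listening on 4444 (0x115C).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20503 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30011 1 0000000000000000 100 0 0 10 0
   2: 5E01A8C0:0016 0901A8C0:C7E9 01 00000000:00000000 00:00000000 00000000     0        0 21558 1 0000000000000000 20 4 31 10 -1
"""


def decode_addr(hexaddr):
    """'5E01A8C0:0016' -> ('192.168.1.94', 22): the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)][::-1]
    return ".".join(map(str, octets)), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp (IPv4). /proc/net/tcp6 uses 32-hex-digit addresses and is not handled here."""
    sockets = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = decode_addr(cols[1])
        rip, rport = decode_addr(cols[2])
        sockets.append(Socket(lip, lport, rip, rport, TCP_STATES.get(cols[3], cols[3]), int(cols[9])))
    return sockets


def listeners(sockets, port=None):
    """LISTEN sockets, optionally only those bound to `port`."""
    return [s for s in sockets if s.state == "LISTEN" and (port is None or s.local_port == port)]


def pids_for_inode(inode):
    """PIDs holding an fd for socket inode `inode`. Root is needed to see other users' fds."""
    target = "socket:[%d]" % inode
    owners = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            fds = os.listdir("/proc/%s/fd" % name)
        except OSError:  # process exited or permission denied
            continue
        for fd in fds:
            try:
                if os.readlink("/proc/%s/fd/%s" % (name, fd)) == target:
                    owners.append(int(name))
                    break
            except OSError:
                continue
    return owners


def exe_of(pid):
    """Real path of the running binary; a ' (deleted)' suffix means it was unlinked after launch."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return "unknown"


def owning_package(path):
    """Package owning `path` via rpm -qf, or '' for a hand-dropped binary (assumes an RPM-based host)."""
    try:
        r = subprocess.run(["rpm", "-qf", path.replace(" (deleted)", "")], capture_output=True, text=True)
    except FileNotFoundError:  # no rpm on this box
        return ""
    return r.stdout.strip() if r.returncode == 0 else ""


def triage_port(port):
    """Live check: PID, binary and owning package behind `port`, according to the kernel."""
    with open("/proc/net/tcp") as f:
        sockets = parse_proc_net_tcp(f.read())
    report = []
    for s in listeners(sockets, port):
        for pid in pids_for_inode(s.inode) or [None]:
            exe = exe_of(pid) if pid else "not visible (run as root)"
            report.append({"port": port, "pid": pid, "exe": exe, "package": owning_package(exe) if pid else ""})
    return report


if __name__ == "__main__":
    import sys
    for row in triage_port(int(sys.argv[1]) if len(sys.argv) > 1 else 22):
        print(row)
```

Run it as root with the port as the argument. A row whose exe ends in " (deleted)" or whose package field is empty is exactly the hand-dropped binary the text above describes.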

Scan one host: list the ports it exposes and guess its operating system.

[root@k9 ~]# nmap -sS -O www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 01:26 CST
Nmap scan report for www.baidu.com (39.156.66.14)
Host is up (0.043s latency).
Other addresses for www.baidu.com (not scanned): 39.156.66.18
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds

 

Option notes:

-O: operating-system detection. Every OS's TCP/IP stack answers unusual probes in its own way, and nmap matches those answers against its fingerprint database. The baidu result above (an HP ProCurve switch at 86%) shows why the warning matters: with no closed port to probe, nmap lacks half of its test data, and behind a load balancer or CDN the fingerprint belongs to the front-end device, not the web server. Scanning hosts you do not own or have permission to test is also best avoided.

-sS: half-open scan.

TCP SYN scan: it is called half-open because it never completes a TCP connection. You send a SYN and wait for the answer. A SYN|ACK back means the target port is listening; a RST means nothing is listening there. On receiving the SYN|ACK, the scanning host immediately sends a RST to tear the connection down, and that RST comes from the operating-system kernel itself, not from nmap. Raw-socket scans like this need root, which is why nmap picks -sS automatically when run as root and falls back to a full connect() scan (-sT) otherwise.

In short: the TCP three-way handshake with the final ACK replaced by a RST. No connection is ever established, so the application on the target never sees it and usually never logs it.
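The exchange described above, as an added example that is not part of the original post: both sides of a half-open scan modelled in Python with real 20-byte TCP headers and checksums, plus the scanner's decision rule (SYN|ACK open, RST closed, silence or ICMP unreachable filtered). The IP addresses reuse the hosts on this page; port 40000, the sequence numbers and which ports "listen" are arbitrary sample values, and nothing is sent on the wire.

```python
#!/usr/bin/env python3
"""A half-open (SYN) scan at the byte level (added example, not the post's code).

Builds real 20-byte TCP headers with RFC 793 checksums, models the target's reply, and
applies the rule nmap -sS uses: SYN|ACK -> open, RST -> closed, no answer or ICMP
unreachable -> filtered. Nothing is sent; raw sockets would need root. Addresses reuse the
hosts on this page; ports, ISNs and which ports "listen" are arbitrary sample values.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data-offset byte, flags, window, checksum, urgent


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones'-complement sum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=1024):
    """20-byte TCP header without options, checksum filled in."""
    hdr = struct.pack(HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, hdr)) + hdr[18:]


def parse_tcp(segment):
    sport, dport, seq, ack, _, flags, window, _, _ = struct.unpack(HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}


def syn_probe(src_ip, dst_ip, sport, dport, isn):
    """Step 1: the scanner sends a bare SYN."""
    return build_tcp(src_ip, dst_ip, sport, dport, isn, 0, SYN)


def target_reply(probe, listening, src_ip, dst_ip, target_isn=0x1234):
    """Step 2, modelled target stack: SYN|ACK if something listens on the port, else RST|ACK."""
    p = parse_tcp(probe)
    ack = (p["seq"] + 1) & 0xFFFFFFFF
    if listening:
        return build_tcp(dst_ip, src_ip, p["dport"], p["sport"], target_isn, ack, SYN | ACK)
    return build_tcp(dst_ip, src_ip, p["dport"], p["sport"], 0, ack, RST | ACK)


def classify(probe, reply, icmp_unreachable=False):
    """Step 3: the scanner's verdict on the port."""
    if icmp_unreachable or reply is None:
        return "filtered"  # neither SYN|ACK nor RST came back: something dropped the probe
    p, r = parse_tcp(probe), parse_tcp(reply)
    if (r["sport"], r["dport"]) != (p["dport"], p["sport"]):
        return "unrelated"  # not an answer to this probe
    if r["flags"] & RST:
        return "closed"
    if r["flags"] & SYN and r["flags"] & ACK and r["ack"] == (p["seq"] + 1) & 0xFFFFFFFF:
        return "open"
    return "unknown"


def scanner_teardown(reply, src_ip, dst_ip):
    """Step 4 for an open port: the scanner's kernel, which never asked for this connection,
    answers the SYN|ACK with a bare RST whose seq is the peer's ACK number (RFC 793). The
    handshake's final ACK is never sent, so no connection is ever established."""
    r = parse_tcp(reply)
    return build_tcp(src_ip, dst_ip, r["dport"], r["sport"], r["ack"], 0, RST)


def half_open_scan(src_ip, dst_ip, dport, listening, sport=40000, isn=0x1000):
    """Run the whole exchange in memory and return the port state nmap would report."""
    probe = syn_probe(src_ip, dst_ip, sport, dport, isn)
    reply = target_reply(probe, listening, src_ip, dst_ip)
    state = classify(probe, reply)
    if state == "open":
        scanner_teardown(reply, src_ip, dst_ip)  # the RST the kernel emits on a real scan
    return state
```

half_open_scan("192.168.1.9", "192.168.1.94", 22, listening=True) returns "open" and the same call with listening=False returns "closed"; passing reply=None to classify is the "filtered" case that nmap reports after its retries go unanswered.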

 

 

 

Test your own computer (the physical host):

[root@k9 ~]# nmap -sS -O 192.168.1.9

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 01:30 CST
Nmap scan report for 192.168.1.9
Host is up (0.00050s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
443/tcp open https
902/tcp open iss-realsecure
912/tcp open apex-mesh
7070/tcp open realserver
MAC Address: 8C:A9:82:5A:3C:80 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 6.X (89%), AVtech embedded (89%)
OS CPE: cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: FreeBSD 6.2-RELEASE (89%), FreeBSD 6.3-RELEASE (89%), AVtech Room Alert 26W environmental monitor (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.40 seconds

 

Scan a whole subnet to learn what operating system each machine runs

[root@k9 ~]# nmap -sS -O 192.168.1.0/24

Find which hosts in a range of interesting IP addresses have port 80 open.

[root@k9 ~]#  nmap  -v -p 80 192.168.1.1-100 
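A way to turn that sweep into a list a script can act on, as an added example not from the original post: run nmap with grepable output (-oG -) and parse it. SAMPLE_GREPABLE is constructed in the -oG format from the hosts on this page (the port states shown for 192.168.1.1 are made up); the sweep() function does the live run and needs nmap on PATH.

```python
#!/usr/bin/env python3
"""Turn a sweep such as `nmap -v -p 80 192.168.1.1-100` into a host list a script can act on.

Added example for this page, not the author's code: ask nmap for grepable output (-oG -)
and parse it. SAMPLE_GREPABLE is constructed in nmap's -oG format from the hosts in the
post; it is not a captured scan, and 192.168.1.1's port states are invented.
"""
import re
import subprocess

SAMPLE_GREPABLE = """\
# Nmap 6.40 scan initiated Wed Sep 18 01:40:00 2019 as: nmap -p 22,80,3306 -oG - 192.168.1.1-100
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/closed/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///
Host: 192.168.1.94 ()\tStatus: Up
Host: 192.168.1.94 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///
# Nmap done at Wed Sep 18 01:40:19 2019 -- 100 IP addresses (2 hosts up) scanned in 19.01 seconds
"""

# One -oG port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/,]*)/")


def parse_grepable(text):
    """host -> {port: {"state", "proto", "service", "version"}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports = hosts.setdefault(ip, {})  # a "Status: Up" line registers the host with no ports yet
        if "Ports:" not in line:
            continue
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(line.split("Ports:", 1)[1]):
            ports[int(port)] = {"state": state, "proto": proto, "service": service, "version": version}
    return hosts


def hosts_with_open(hosts, port):
    """Hosts where `port` is open, in address order."""
    hits = [ip for ip, ports in hosts.items() if ports.get(port, {}).get("state") == "open"]
    return sorted(hits, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def sweep(targets, ports):
    """Live run (needs nmap on PATH; as root it is a SYN scan, otherwise a connect() scan)."""
    cmd = ["nmap", "-p", ",".join(map(str, ports)), "-oG", "-", *targets]
    return parse_grepable(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


if __name__ == "__main__":
    print(hosts_with_open(sweep(["192.168.1.1-100"], [80]), 80))
```

The regex also copes with -sV output, where the version field carries text such as "OpenSSH 5.3 (protocol 2.0)", so the same parser serves a service-version sweep.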

How to scan less conspicuously: frequent scanning gets the source blocked or its IP locked out.

--randomize_hosts  # scan the targets in random order (the hyphenated spelling --randomize-hosts is the one documented today; nmap accepts both)

--scan-delay  # wait this long between probes; a plain number is seconds, or append a unit such as ms

1) Random host order

[root@k9 ~]# nmap -v --randomize_hosts -p 80 192.168.1.1-10

Nmap scan report for 192.168.1.6 [host down]
Nmap scan report for 192.168.1.4 [host down]
Nmap scan report for 192.168.1.10 [host down]
Nmap scan report for 192.168.1.2 [host down]
Nmap scan report for 192.168.1.3 [host down]
Nmap scan report for 192.168.1.8 [host down]
Nmap scan report for 192.168.1.7 [host down]
Nmap scan report for 192.168.1.5 [host down]

2) Random order plus a delay between probes (a plain number means seconds; 3000ms here is 3 s between probes)

[root@k9 ~]# nmap -v --randomize_hosts --scan-delay 3000ms -p 80 192.168.1.1-10

 

1.3  Checking the web server type with curl

[root@k9 ~]# curl -I www.taobao.com

HTTP/1.1 301 Moved Permanently
Server: Tengine
Date: Tue, 17 Sep 2019 17:44:27 GMT
Content-Type: text/html
Content-Length: 278
Connection: keep-alive
Location: https://www.taobao.com/
Via: bcache2.cn2417[,0]
Timing-Allow-Origin: *
EagleId: b7de8e1615687422672211997e

The Server header names the software: Tengine, Taobao's nginx fork. Two things to keep in mind: -I sends a HEAD request, and this answer is a 301 to https://www.taobao.com/, so these headers describe only the HTTP redirector and the https endpoint should be queried directly (or the redirect followed with curl's -L flag); and a Server header is whatever the operator chooses to send, so treat it as a hint rather than proof.

 

 

The same OS-detection scan against a public /24 (run only against networks you are authorized to scan):

nmap -sS -O 202.106.199.0/24

Posted 2019-09-18 00:11 by 科子