Nmap

网络扫描


主机扫描,找出网段内活跃的主机

使用fping扫描192.168.136.0/24网段。
-a :显示活跃的主机ip;
-s :显示网段活跃主机总数;
-r :设置重试次数;
-g :+测试网段。

root@kali:~# fping -a -s -r 1 -g 192.168.136.0/24
192.168.136.1
192.168.136.129
192.168.136.130
192.168.136.131

     254 targets
       4 alive
     250 unreachable
       0 unknown addresses

     250 timeouts (waiting for response)
     504 ICMP Echos sent
       4 ICMP Echo Replies received
       0 other ICMP received

 1.81 ms (min round trip time)
 4.43 ms (avg round trip time)
 8.91 ms (max round trip time)
       14.544 sec (elapsed real time)

使用nmap -sP对网段192.168.136.0/24网段扫描,显示所有255个ip所属的主机都活跃。

root@kali:~# nmap -sP 192.168.136.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:11 CST
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.58 seconds

端口扫描,找出靶机上处于网络服务监听态的TCP/UDP端口

使用nmap对靶机进行靶机开放端口的扫描。
-sS :TCP SYN扫描。
-sU :UDP端口扫描

root@kali:~# nmap -sS 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:17 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (2.0s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp

Nmap done: 1 IP address (1 host up) scanned in 10.53 seconds
root@kali:~# nmap -sS 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:17 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (2.0s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp

Nmap done: 1 IP address (1 host up) scanned in 10.53 seconds
root@kali:~# nmap -sS 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:20 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.7s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds
root@kali:~# nmap -sS 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 15:21 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (1.00s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell

Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds
什么是端口?端口又是做什么用的呢?

一台拥有IP地址的主机可以提供许多服务,比如Web服务、FTP服务、SMTP服务等,这些服务完全可以通过1个IP地址来实现。IP 地址与网络服务的关系是一对多的关系,通过“IP地址+端口号”来区分不同的服务。
TCP与UDP协议均定义了1-65535共64KB的端口范围。
具有传输稳定性和可靠性需求的网络服务如,HTTP、SSH、FTP、SMTP等互联网协议,会选择TCP协议
需要高速传输但允许丢包的网络应用如,QQ视频、DNS服务等会选择UDP协议

主机操作系统扫描

使用nmap对靶机的操作系统进行探测
-O :主动探测靶机的操作系统类型

root@kali:~# nmap -O 192.168.136.129

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:02 CST
Nmap scan report for localhost (192.168.136.129)
Host is up (0.43s latency).
Not shown: 994 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
514/tcp  filtered shell
1025/tcp open     NFS-or-IIS
5000/tcp open     upnp
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.37 seconds
root@kali:~# nmap -O 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:04 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (0.11s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.07 seconds
root@kali:~# nmap -O 192.168.136.131

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 16:06 CST
Nmap scan report for localhost (192.168.136.131)
Host is up (0.11s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
514/tcp filtered shell
Device type: WAP|general purpose|storage-misc
Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%)
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.26 seconds
主机操作系统探测具体实现方式如下:

1.Nmap内部包含了2600多已知系统的指纹特征(在文件nmap-os-db文件中)。将此指纹数据库作为进行指纹对比的样本库。
2.分别挑选一个open和closed的端口,向其发送经过精心设计的TCP/UDP/ICMP数据包,根据返回的数据包生成一份系统指纹。
3.将探测生成的指纹与nmap-os-db中指纹进行对比,查找匹配的系统。如果无法匹配,以概率形式列举出可能的系统。

CPE?

CPE(Common Platform Enumeration,通用平台枚举)

网络服务探查,主动探测靶机网络中开放端口上绑定的网络应用服务类型和版本

-sV :探测靶机网络中开放端口上绑定的网络应用服务类型和版本。

root@kali:~# nmap -sV 192.168.136.130

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-26 17:35 CST
Nmap scan report for localhost (192.168.136.130)
Host is up (1.1s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet       Linux telnetd
25/tcp   open  smtp         Postfix smtpd
53/tcp   open  domain       ISC BIND 9.4.2
80/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind      2 (RPC #100000)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec         netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry  GNU Classpath grmiregistry
1524/tcp open  shell        Metasploitable root shell
2049/tcp open  nfs          2-4 (RPC #100003)
2121/tcp open  ccproxy-ftp?
3306/tcp open  mysql?
5432/tcp open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc          VNC (protocol 3.3)
6000/tcp open  X11          (access denied)
6667/tcp open  irc          Unreal ircd
8009/tcp open  ajp13        Apache Jserv (Protocol v1.3)
8180/tcp open  http         Apache Tomcat/Coyote JSP engine 1.1
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.88 seconds
posted @ 2017-04-26 17:41  qing蒸yu  阅读(837)  评论(0编辑  收藏  举报