nmap教程(下)

九.脚本引擎

脚本文件存放在/usr/share/nmap/scripts目录下

SCRIPT SCAN:
  -sC: equivalent to --script=default #启用默认类脚本
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories #根据指定的脚本名称执行相应的脚本
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts #给脚本指定参数
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.

 接下来进行实践

nmap --script http-enum,http-headers,http-methods,http-php-version -p 80 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-18 22:42 CST
Nmap scan report for 192.168.56.101
Host is up (0.00033s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /tikiwiki/: Tikiwiki
|   /test/: Test page
|   /phpinfo.php: Possible information file
|   /phpMyAdmin/: phpMyAdmin
|   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
|   /icons/: Potentially interesting folder w/ directory listing
|_  /index/: Potentially interesting folder
| http-headers: 
|   Date: Mon, 18 Dec 2017 14:42:11 GMT
|   Server: Apache/2.2.8 (Ubuntu) DAV/2
|   X-Powered-By: PHP/5.2.4-2ubuntu5.10
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-php-version: Versions from logo query (less accurate): 5.1.3 - 5.1.6, 5.2.0 - 5.2.17
| Versions from credits query (more accurate): 5.2.3 - 5.2.5, 5.2.6RC3
|_Version from header x-powered-by: PHP/5.2.4-2ubuntu5.10
MAC Address: 08:00:27:41:71:79 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds

使用http-enum,http-headers,http-methods,http-php-version脚本对目标主机的80端口进行扫描可以得到更多的信息

十.规避检测的选项

FIREWALL/IDS EVASION AND SPOOFING:#防火墙/IDS躲避和欺骗
  -f; --mtu <val>: fragment packets (optionally w/given MTU) #使用小数据包
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address #指定假ip地址
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number  #模拟指定源端口
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets #改变发送包的默认长度
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

 

posted @ 2017-12-18 22:09  思却  阅读(532)  评论(0编辑  收藏  举报