nmap教程(下)
九.脚本引擎
脚本文件存放在/usr/share/nmap/scripts目录下
SCRIPT SCAN:
-sC: equivalent to --script=default #启用默认类脚本
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories #根据指定的脚本名称执行相应的脚本
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts #给脚本指定参数
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
接下来进行实践
nmap --script http-enum,http-headers,http-methods,http-php-version -p 80 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-18 22:42 CST
Nmap scan report for 192.168.56.101
Host is up (0.00033s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /tikiwiki/: Tikiwiki
| /test/: Test page
| /phpinfo.php: Possible information file
| /phpMyAdmin/: phpMyAdmin
| /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
| /icons/: Potentially interesting folder w/ directory listing
|_ /index/: Potentially interesting folder
| http-headers:
| Date: Mon, 18 Dec 2017 14:42:11 GMT
| Server: Apache/2.2.8 (Ubuntu) DAV/2
| X-Powered-By: PHP/5.2.4-2ubuntu5.10
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-php-version: Versions from logo query (less accurate): 5.1.3 - 5.1.6, 5.2.0 - 5.2.17
| Versions from credits query (more accurate): 5.2.3 - 5.2.5, 5.2.6RC3
|_Version from header x-powered-by: PHP/5.2.4-2ubuntu5.10
MAC Address: 08:00:27:41:71:79 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 3.62 seconds
使用http-enum,http-headers,http-methods,http-php-version脚本对目标主机的80端口进行扫描可以得到更多的信息
十.规避检测的选项
FIREWALL/IDS EVASION AND SPOOFING:#防火墙/IDS躲避和欺骗
-f; --mtu <val>: fragment packets (optionally w/given MTU) #使用小数据包
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address #指定假ip地址
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number #模拟指定源端口
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets #改变发送包的默认长度
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum