A Close Look at the Network Swiss Army Knife: Nmap Usage Guide

Preface

nmap is a very well-known network scanning tool; together with netcat it is called the Swiss army knife of networking. Most people have seen or heard of The Matrix, in which several scenes use nmap; here is a still from the film:

After each SYN is sent, nmap does not accept the second handshake but immediately RSTs the peer host's SYN packet, because by the time the peer sends its second-handshake packet nmap can already tell whether the port is open.

5. TCP connect scan (-sT)

As the name implies, this scan is built on the full three-way handshake. It is used only when the SYN half-open scan cannot be used, and it is also the most basic and most stable port-scanning method.

$ nmap -sT -p 22,80 -n 192.168.1.1 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 14:43 CST
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
$

As soon as the connection is established it is torn down again.

6. UDP scan (-sU)

Probes with UDP datagrams. Scanning is slow, and port state is inferred from ICMP unreachable messages. Specifying the ports with -p, as below, greatly shortens the scan time:

$ nmap -sU -p 53,80 -n 192.168.1.1  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 14:45 CST
Nmap scan report for 192.168.1.1
Host is up (0.00028s latency).

PORT   STATE         SERVICE
53/udp open|filtered domain
80/udp closed        http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
$

7. Stealth scans (-sN; -sF; -sX)

-sN is the Null scan: it probes the host by sending non-standard TCP traffic. If the target port is closed, the host responds with an RST packet; if the port is open, it does not respond at all.

$ nmap -sN -p 22,80 -n 192.168.1.1     
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 14:49 CST
Nmap scan report for 192.168.1.1
Host is up (0.00026s latency).

PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
$

-sF is the FIN scan. It does not complete a TCP handshake and sends only a FIN packet to the target port. If an RST packet is received from the target, the port is considered open; otherwise it is treated as closed or filtered (indeterminate), because the target host may either answer such a meaningless request with RST or ignore it.

$ nmap -sF -p 22,80 -n 192.168.1.1 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 14:52 CST
Nmap scan report for 192.168.1.1
Host is up (0.00024s latency).

PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.59 seconds
$

-sX is the Xmas scan: the FIN, PSH and URG flag bits of the packet are all set (to 1). If the target port is open, the host responds with an RST packet; otherwise the state is indeterminate.

$ nmap -sX -p 22,80 -n 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 14:57 CST
Nmap scan report for 192.168.1.1
Host is up (0.00030s latency).

PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
$

All three of these scan types can slip past the filtering of some stateless firewalls. All of them rely on the peer's RST packet to make the determination, work better than the SYN and UDP scans described earlier, and are stealthier than the SYN scan.
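To make the reply-to-state logic of the scan types above concrete, here is an added example (not code from the original article) that maps the reply nmap gets from a probe to the port state it reports, and classifies an observed TCP flag set the way a defender reading firewall or IDS logs would. The state mapping follows the nmap reference guide, where for the Null, FIN and Xmas probes an RST means the port is closed and no reply means open|filtered, which is the result shown in the output above.

```python
# Added example (not from the original article): how nmap maps the reply to a
# probe onto the port state it reports, for the scan types discussed above,
# plus a flag-set classifier a defender can run over firewall/IDS log fields.
from enum import Enum


class Reply(Enum):
    SYN_ACK = "syn-ack"              # TCP SYN/ACK from the target
    RST = "rst"                      # TCP RST from the target
    UDP_DATA = "udp-data"            # any UDP payload from the target
    ICMP_PORT_UNREACH = "icmp-3-3"   # ICMP type 3, code 3
    ICMP_OTHER_UNREACH = "icmp-3-x"  # ICMP type 3, codes 1, 2, 9, 10, 13
    NONE = "none"                    # nothing after retransmissions


def port_state(scan: str, reply: Reply) -> str:
    """State nmap reports for scan type -sS/-sT/-sU/-sN/-sF/-sX and reply."""
    if scan in ("-sS", "-sT"):
        if reply is Reply.SYN_ACK:
            return "open"
        if reply is Reply.RST:
            return "closed"
        return "filtered"             # silence or ICMP unreachable
    if scan == "-sU":
        if reply is Reply.UDP_DATA:
            return "open"
        if reply is Reply.ICMP_PORT_UNREACH:
            return "closed"
        if reply is Reply.ICMP_OTHER_UNREACH:
            return "filtered"
        return "open|filtered"        # silence: open service or dropped probe
    if scan in ("-sN", "-sF", "-sX"):
        if reply is Reply.RST:
            return "closed"           # RFC 793: a closed port answers RST
        if reply in (Reply.ICMP_PORT_UNREACH, Reply.ICMP_OTHER_UNREACH):
            return "filtered"
        return "open|filtered"        # silence: an open port ignores the probe
    raise ValueError(f"unknown scan type {scan}")


# Flag sets the three stealth probes carry; none of them occurs in a normal
# TCP conversation, so a logged packet matching one is worth flagging.
PROBE_FLAGS = {"null": frozenset(), "fin": frozenset({"FIN"}),
               "xmas": frozenset({"FIN", "PSH", "URG"})}


def classify_probe(flags) -> str:
    """Name the stealth scan a TCP flag set belongs to, or 'normal'."""
    f = frozenset(flags)
    for name, want in PROBE_FLAGS.items():
        if f == want:
            return name
    return "normal"
```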

III. Fingerprinting and probing

nmap uses fingerprinting to determine the operating system and services the target runs; this is also an indispensable part of information gathering.

Option                     Meaning
-sV                        version detection
--allports                 scan all ports
--version-intensity        set probe intensity
--version-light            light scan
--version-all              heavy scan
--version-trace            show detailed version-probe information
-sR                        RPC scan
-O                         operating-system detection
--osscan-limit             OS-probe only the specified targets
--osscan-guess; --fuzzy    guess the OS version

1. Service and version detection (-sV)

The real purpose of -sV is not port scanning but to infer the service type from the port and to identify the service version from the service fingerprint; it also uses a SYN scan underneath.

$ nmap -sV -n 192.168.1.1 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 15:11 CST
Stats: 0:02:49 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.82% done; ETC: 15:14 (0:00:29 remaining)
Nmap scan report for 192.168.1.1
Host is up (0.00025s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         Dropbear sshd (protocol 2.0)
53/tcp   open  domain      dnsmasq 2.81
80/tcp   open  http
81/tcp   open  hosts2-ns?
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  open  ssl/https
444/tcp  open  snpp?
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1234/tcp open  hotline?
5000/tcp open  upnp        MiniUPnP 2.1.20200510 (UPnP 1.1)
5 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.91%I=7%D=12/25%Time=61C6C459%P=x86_64-pc-linux-gnu%r(Get
SF:Request,14F3,"HTTP/1\\.0\\x20403\\x20Forbidden\\r\\nConnection:\\x20close\\r\\n
SF:=\\"viewport\\"\\x20/>\\n\\t<meta\\x20name=\\"format-detection\\"\\x20content=\\"
...(omitted)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel   # 192.168.1.1 is OpenWrt; nmap identifies it as a Unix-like system
$

Common combinations:

$ nmap -sV -n -Pn -A 192.168.1.1  # -A does OS detection and version detection, and also runs traceroute etc.
$ nmap -sV -p 22,80 -T4 -n 192.168.1.1  # specify ports and scan speed
$ nmap -sV --allports -n 192.168.1.1

2. Setting probe intensity (--version-intensity)

The intensity ranges from 1 to 9; the larger the number, the more probes are sent and the longer it takes. The default is 7. The light scan --version-light is a shortcut for --version-intensity 2, and --version-all corresponds to --version-intensity 9.

$ nmap -p 80 --version-intensity 2 qq.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 15:20 CST
Nmap scan report for qq.com (183.3.226.35)
Host is up (0.0031s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
$

3. Operating-system detection (-O)

nmap determines the operating system by fingerprint-based probing, not by TTL: the TTL value can be changed by hand, so it is not usable in some scenarios.

The simplest usage is just the -O flag, although for IP targets I habitually add -n and -Pn to skip reverse DNS lookup and host-discovery probing:

$ nmap -O -n -Pn 119.29.29.29
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 15:21 CST
Nmap scan report for 119.29.29.29
Host is up (0.0025s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Apple macOS 10.13 (High Sierra) - 10.15 (Catalina) or iOS 11.0 - 13.4 (Darwin 17.0.0 - 19.2.0) (91%), Apple macOS 10.14 (Mojave) (Darwin 18.2.0 - 18.6.0) (91%), Apple Mac OS X 10.11 (El Capitan) or iOS 12.4 - 13.0 (Darwin 15.6.0 - 19.0.0) (90%), Linux 4.4 (88%), Linux 2.6.18 (CentOS 5, x86_64, SMP) (86%), Apple iOS 10 (85%), Apple iOS 5.0.1 (85%), Apple iOS 5.0.1 - 5.1.1 (85%), Apple iOS 6.1.3 (85%), Apple iOS 6.0.1 (85%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.53 seconds
$

4. Operating-system version guessing (--osscan-guess; --fuzzy)

Guesses the target host's OS version from the information already gathered. This option is commonly used and can be combined with -O:

$ nmap -O --osscan-guess -n  192.168.1.11 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 15:24 CST
Nmap scan report for 192.168.1.11
Host is up (0.00020s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
1723/tcp open  pptp
2000/tcp open  cisco-sccp
8291/tcp open  unknown
MAC Address: 00:0C:29:42:37:61 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.91 seconds
$

5. Timing (--host-timeout; --scan-delay; --max-scan-delay)

A few more important parameters that can greatly reduce scan time, especially when scanning a whole subnet:

$ nmap --host-timeout 10s -sS -sU -p U:53,T:443 -n 192.168.1.0/24 # at most 10s of probing per host; ms can also be used
$ nmap --scan-delay 1s --max-scan-delay 10s -n -sV -A 192.168.1.1 # probe service versions, sending one probe every 1s to 10s, which effectively evades firewall rules that limit packets per unit time
$ nmap --scan-delay 2s -p 22,80 -n 192.168.1.1    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 15:24 CST
Nmap scan report for 192.168.1.1
Host is up (0.00024s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.27 seconds
$

With only --scan-delay 2s set, each packet waits 2s before the next one is sent.

IV. Firewall/IDS evasion

The options in this group are listed below; only a few commonly used ones are covered here.

Option               Meaning
-f                   packet fragmentation
--mtu                specify the offset size
-D                   IP spoofing (decoys)
-sI                  source-address spoofing
--source-port        source-port spoofing
--data-length        specify packet length
--randomize-hosts    randomize the order of target hosts
--spoof-mac          MAC-address spoofing

1. Packet fragmentation (-f)

The -f option splits the TCP header across several packets, making detection by an IDS and other tools more difficult.

$ nmap -f -v -p 80 -n 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:06 CST
Nmap wishes you a merry Christmas! Specify -sX for Xmas Scan (https://nmap.org/book/man-port-scanning-techniques.html).
Initiating ARP Ping Scan at 19:06
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 19:06, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:06
Scanning 192.168.1.1 [1 port]
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 19:06, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.00025s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)
$

2. IP spoofing (-D)

The -D option performs IP spoofing with fake (decoy) IPs. When a target is scanned with this option, it is misled into believing the scan comes from the fake IPs rather than from the attacker's real IP:

$ nmap -D RND:5 -p 80 -n 192.168.1.1   # scan the peer's port using 5 random decoy IPs
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:11 CST
Nmap scan report for 192.168.1.1
Host is up (0.00035s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
$

Of course, the attacker's own IP is among them too, which is what produces the confusion.

Probing a port with specified IP addresses plus random IPs:

$ nmap -D 1.1.1.1,2.2.2.2,RND:2 -p 80 -n 192.168.1.1 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:13 CST
Nmap scan report for 192.168.1.1
Host is up (0.00037s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
$

3. Source-port spoofing (--source-port/-g)

Sets the source port on the local side; if the target trusts those ports, this can effectively evade firewall/IDS detection:

$ nmap --source-port 80 -p 22,80 -n 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:20 CST
Nmap scan report for 192.168.1.1
Host is up (0.00025s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
$

4. Specifying packet size (--data-length)

--data-length sets the length of the packets sent. Normally a TCP packet is 40 bytes and an ICMP Echo is 28 bytes; appending data of arbitrary size on top of that can evade firewalls:

$ nmap --data-length 50 -p 22 -n 192.168.1.1  # set the data length to 50 bytes
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:29 CST
Nmap scan report for 192.168.1.1
Host is up (0.00036s latency).

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:0C:29:BE:5A:26 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
$

5. MAC-address spoofing (--spoof-mac)

This option can set a specific MAC address or assign a random one. --spoof-mac takes 0, a MAC address or prefix, or a vendor name: 0 means generate a random address, and a vendor name means generate one from that vendor's prefix. Valid --spoof-mac arguments include Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2 and Cisco.

$ nmap -sU -p 53 -n --spoof-mac 0 192.168.1.1
$ nmap -sS -sV -A -T4 --spoof-mac Cisco -n 192.168.1.1

V. Information gathering

Information gathering is done by calling nmap's built-in Lua scripts. Since vulnerability scanning is not nmap's strength, only a few commonly used scanning scripts are listed here:

Script                       Meaning
ip-geolocation-*             IP information gathering
whois-domain/whois-ip        whois information gathering
http-email-harvest           harvest e-mail addresses
hostmap-ip2hosts             reverse IP lookup
dns-brute                    DNS information gathering
membase-http-info            retrieve system information
smb-security-mode            print spooler service vulnerability
vuln                         system vulnerability scan

1. whois information gathering (--script whois-domain/whois-ip)

The output is too long to paste here and is covered separately; the whois command can be used directly instead. The built-in nmap usage is also simple:

$ nmap --script whois-domain linux-code.com   # look up whois information for linux-code.com
$ nmap --script whois-ip 8.8.8.8 # look up whois information for 8.8.8.8

2. DNS information gathering (--script dns-brute)

Enumerates DNS hostnames; here the subdomains of linux-code.com are enumerated:

$ nmap --script dns-brute --script-args dns-brute.domain=linux-code.com

3. System vulnerability scan (--script vuln)

nmap calls the built-in vuln scripts to run a general security scan of the target host. Its depth is of course limited: it sometimes finds CVE vulnerabilities, but most of the results have little practical value. For more professional security scanning, tools such as OpenVAS or Nessus are recommended; the vuln script amounts to an entry-level security scan.

$ nmap --script vuln -sS -n 192.168.1.1
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:32 CST
Stats: 0:04:43 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.90% done; ETC: 19:37 (0:00:00 remaining)
Nmap scan report for 192.168.1.1
Host is up (0.00022s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_sslv2-drown: 
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.1
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.1.1:80/
|     Form id: 
|_    Form action: /
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-internal-ip-disclosure: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
81/tcp   open  hosts2-ns
139/tcp  open  netbios-ssn
443/tcp  open  https
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.1
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: https://192.168.1.1:443/
|     Form id: 
|_    Form action: /
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
444/tcp  open  snpp
445/tcp  open  microsoft-ds
1234/tcp open  hotline
5000/tcp open  upnp
MAC Address: 00:0C:29:BE:5A:26 (VMware)
...(omitted)

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

Nmap done: 1 IP address (1 host up) scanned in 303.22 seconds
$

VI. Brute forcing

nmap has quite a few service-specific brute-force scripts, and you can even supply your own wordlist files, but for brute forcing I prefer hydra, so only the common usage of nmap's brute-force scripts is touched on here.

Script            Meaning
mysql-brute       crack MySQL passwords
oracle-brute      crack Oracle passwords
ms-sql-brute      crack MSSQL passwords
pgsql-brute       crack PostgreSQL passwords
http-brute        crack HTTP logins
ftp-brute         crack FTP passwords

1. MySQL password cracking

Default, without specifying a wordlist:

$ nmap --script=mysql-brute -p3306 192.168.1.197 # if the database is on a non-default port, specify it with -p

The other databases work the same way. To use wordlist files, specify the username and password files with userdb and passdb:

$ nmap -p 3306 --script=mysql-brute --script-args userdb=/root/user.txt --script-args passdb=/root/pass.txt -n 192.168.1.84  # habitually add -n to skip reverse DNS
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 19:44 CST
Nmap scan report for 192.168.1.84
Host is up (0.00027s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute: 
|   Accounts: 
|     root:123456 - Valid credentials
|_  Statistics: Performed 60 guesses in 1 seconds, average tps: 60.0
MAC Address: 00:0C:29:92:26:BB (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
$

A packet capture shows nmap repeatedly trying username/password combinations against MySQL; the scan result summarises the credentials that logged in successfully.

The other databases are all alike: only the script called differs, the arguments are shared, so they are not listed one by one.

2. HTTP, FTP and Samba cracking

Same as the database cracking above: wordlist files can be specified to enumerate login passwords:

$ nmap --script http-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt -p 82 -n 192.168.1.197
$ nmap --script ftp-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt -p 21 -n 192.168.1.197
$ nmap --script smb-brute --script-args userdb=/root/user.txt,passdb=/root/pass.txt -p 445 -n 192.168.1.197

3. Subnet-wide scanning and anonymous login

nmap provides the --open parameter to show only hosts whose ports are in the open state, so whether a given port is open can be checked across a whole subnet in one batch:

$ nmap -p 3389 --open -n -sS 192.168.1.0/24

Scan for FTP hosts that allow anonymous login:

$ nmap -p 21 --open -n -Pn --script=ftp-anon 192.168.1.0/24

The -oG parameter produces grepable formatted output:

$ nmap -p 3389 --open -n -sS -oG - 192.168.1.0/24 |&grep open

-oX saves the results in XML format:

$ nmap -p U:53,T:80 -sU -n -sT -oX result.xml 192.168.1.0/24
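The `-oG - | grep open` pipeline above only eyeballs the grepable output. As an added example (not code from the original article), here is a small parser for the -oG format that turns a sweep of your own subnet into a per-host inventory of open ports, so exposed services such as 3389 or 3306 can be tracked rather than grepped. The sample output is constructed to look like what the commands above print.

```python
# Added example (not from the original article): a parser for nmap's grepable
# (-oG) output, so a subnet sweep of your own network can be turned into an
# inventory of exposed services instead of eyeballing `grep open`.
from collections import defaultdict

# Constructed sample of -oG output (tab-separated fields on each Host: line).
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated Sat Dec 25 19:40:00 2021 as: "
    "nmap -p 22,80,3306,3389 -n -sS -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (2)\n"
    "Host: 192.168.1.84 ()\tPorts: 3306/open/tcp//mysql///, "
    "3389/filtered/tcp//ms-wbt-server///\n"
    "# Nmap done at Sat Dec 25 19:40:03 2021 -- 256 IP addresses "
    "(2 hosts up) scanned in 3.11 seconds\n"
)


def parse_gnmap(text: str) -> dict:
    """Return {ip: [(port, proto, state, service), ...]} from -oG text.

    Each port entry has the form port/state/proto/owner/service/rpcinfo/version/.
    """
    result = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the '#' header/footer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]   # "1.2.3.4 (hostname)" -> ip
        ports = fields.get("Ports")
        if not ports:
            continue                      # 'Status: Up' lines carry no ports
        for entry in ports.split(", "):
            port, state, proto, _owner, service, *_ = entry.split("/")
            result[ip].append((int(port), proto, state, service))
    return dict(result)


def hosts_with_open(text: str, port: int, proto: str = "tcp") -> list:
    """IPs on which the given port was reported open (what --open | grep shows)."""
    return sorted(ip for ip, plist in parse_gnmap(text).items()
                  if any(p == port and pr == proto and s == "open"
                         for p, pr, s, _svc in plist))


if __name__ == "__main__":
    for ip, plist in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, [f"{p}/{pr} {s} {svc}" for p, pr, s, svc in plist])
    print("3306 open on:", hosts_with_open(SAMPLE_GNMAP, 3306))
```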

VII. Summary

nmap plays an indispensable role in network troubleshooting, penetration testing and network security, and it is equally favoured by attackers. Technology is a double-edged sword; where and how it is used is a matter of the user's own integrity.
