Nmap笔记
1.dns解析
nmap –dns-server 8.8.8.8,8.8.4.4 scanme.nmap.org
2.ping 主机是否存活
跳过:
nmap -PN scanme.nmap.org
3.反向dns解析,由ip向域名
nmap -n scanme.nmap.org
4.默认扫描1-65535端口
nmap -p1-30 scanme.nmap.org
高权限用户可以构建包,因此默认是SYN Stealth Scan,低权限只能用TCP Connect Scan
扫描结果类型:
Open
Closed
Filtered 显示包应该是被过滤器丢弃
Open/Filtered 被过滤或打开,只是不能确认
Close/Filtered 同上
http://nmap.org/book/man-port-scanning-techinques.html
版本判断 nmap -sV scanme.nmap.org
nmap -sV –version-intesity 9
nmap -A Aggressive mode
nmap -O OS detection
nmap -sV version detected
nmap -sC script scanning
nmap –traceroute traceroute
Findings live hosts in network
nmap -sP 192.168.1.1/24
enum live hosts
如果高权限的话利用TCP ACK包和ICMP echo 请求
如果低权限无法构包的话就用connect()发送SYN包
本地的扫描时会进行ARP请求,而可以跳过这一步,不过要高权限
nmap -sP –send-ip 192.168.1.1/24
–traceroute 参数可以显示自己到目标的中间数
利用NSE scripts
nmap -sP –script discovery 192.168.1.1/24
只扫描80端口
nmap -p80 192.168.1.1/24
nmap -p80,443 192.168.1.1/24
nmap -p80-443 192.168.1.1/24
nmap -pT:25,U:53 target 指明了协议
nmap -p smtp <target>
nmap -p smtp* <target>
nmap -p[1-65535] <target> only ports registered in Nmap services.
使用NSE
nmap -sV –script http-title scanme.nmap.org
一次多脚本
nmap –script http-headers,http-title scanme.nmap.org
根据分类,表达式或文件夹来执行NSE
nmap -sV –script vlun <target> run scripts in vlun category
nmap -sV –script=”version,discovery” <target> run scripts in the categorys ‘version’ and ‘discorery’
nmap -sV –script “not exploit” <target> run all the scripts except for the ones in the exploit category.
nmap -sV –script “(http.*) and not (http-slowloris or http-brute)” <target>
debug 脚本时,可以指定级0-9 用-d参数
nmap -sV –script exploit -d 3 –script-trace 192.168.1.1
NSE Script Arguments
如你要设置HTTP库参数 useragent:
nmap -sV –script http-title –script-args http.useragent=”Mozilla 999″ <target>
添加新的脚本:
1,把脚本复制到 /scripts目录下
2,更新 nmap –script-update-db
指明使用网卡接口:
nmap -e <INTERFACE> scanme.nmap.org
Ndiff 工具可以用来检测两个扫描XML结果
nping –ec “public” -c 1 echo.nmap.org
Nping 是一个用来检测防火墙和路由问题的工具
它会把获得的包显示出来
nmap –ec “public” -c 1 echo.nmap.org
生产TCP包,发送一个TCP SYN包到80端口
nping –tcp -flags syn -p80 -c 1 192.168.1.254
——————————————————————————————————
ping scanning techniques
TCP SYN
TCP ACK
UDP
IP
ICMP
broadcast
ping scan是为了扫描存活主机-sP
默认是利用TCP ACK和ICMP来判断主机是否存活
利用TCP SYN nmap -sP -PS 192.168.1.1/24
原理:
向目标80端口发送TCP SYN
如果端口是关闭的,会返回RST包
如果端口是开放的,会返回TCP SYN/ACK包,然后再发送RST包
可以设定向哪些个端口发TCP SYN
nmap -sP -PS80,21-25 <target>
利用TCP ACK nmap -sP -PA <target>
原理:
向目标80端口发送空的TCP包,设置ACK标志
如果主机关机,就不响应
如果主机开机,就返回RST包
可以设定向哪些个端口发TCP SYN
nmap -sP -PA80,21-25 <target>
利用UDP ping scan
nmap -sP -PU <target>
原理:
Nmap 向目标31,338端口发送空的UDP包
如果主机响应,会返回ICMP端口不可达
如果主机关机,各种ICMP错误信息会返回
选定检测利用端口
nmap -sP -PU1337,11111 scanme.nmap.org
用ICMP ping scan
nmap -sP -PE scanme.nmap.org
原理:
发送ICMP包到目标,如果有返回就证明在线
Nmap支持timestamp reply (-PP) 和 address mark reply (-PM) 以跳过防火墙
nmap -sP -PP <target>
nmap -sP -PM <target>
利用IP协议ping scan
nmap -sP -PO scanme.nmap.org
原理:
会利用IGMP,IP-in-IP和ICMP协议通过得到响应来判断在线 参数–packet-trace可以得到更多详细信息
nmap -sP -PO –packet-trace scanme.nmap.org
可以指定协议
nmap -sP -PO1,2,4 scanme.nmap.org 1 ICMP 2 IGMP 6 TCP 17 UDP
这些包默认都是空的,可以指定其长度
nmap -sP -PO –data-length 100 scanme.nmap.org
利用ARPP协议 ARP ping scan
nmap -sP -PR 192.168.1.1/24
原理:向目标发送ARP请求,如果回复,则在线
nmap -sP -PR –packet-trace 192.168.1.254
内网中总是要用ARP的,不管给nmap参数如何 所以要强制其内网中不用arp ,就要用–send-ip参数
nmap -sP -PS –packet-trace –send-ip 192.168.1.254
伪装MAC –spoof-mac
nmap -sP -PR –spoof-mac 5C:4C:A9:F2:DC:7C
broadcast pings
nmap –script broadcast-ping
原理:向本地广播255.255.255.255发ICMP包,等待返回。
nmap –script broadcast-ping –packet-trace
增加ICMP echo 数量 参数 broadcast-ping.num_probes
nmap –script broadcast-ping –script-args broadcast-ping.num_probes=5
设置超时,增加
nmap –script broadcast-ping –script-args broadcast-ping.timeout=10000
指定interface,不指定会向所有interfaces发送
nmap –script broadcast-ping –script-args broadcast-ping.interface=wlan3
Hiding our trafic with additional random data
using random data as payload
nmap -sS -PS –data-length 300 scanme.nmap.org
Forcing DNS resolution
nmap -sS -PS -F -R xx.xx.xx.220-230
-sS TCP SYN STealth
-PS SYN Ping
-F fast port scan
-R always perform DNS resolution
to disable dns resolution , arguments with -n
Specifying different DNS namespaces
nmap -sS -R –dns-servers 8.8.8.8,8.8.4.4 <target>
指定不扫描的主机
nmap -sV -O –exclude 192.168.1.120,192.168.1.254 192.168.1.1/24
文件:
nmap -sV -O –exclude-file dontscan.txt 192.168.1.1/24
nmap ipv6
nmap -6 ::1 -6 指明是IPV6
nmap -6 -sT –trace-route ::1
Gathering network information with broadcast scripts
nmap –script broadcast
timeout 默认10秒钟,对大网络不行。
nmap –script boradcast –script-args target-sniffer.timeout 30
Target library
nmap –script broadcast-ping –script-args newtarget 设置新的target
————————–
3,Gather Additional Host Information
有三个脚本可以用来确定IP远程地址
ip-geolocation-maxmind,ip-geolocation-ipinfodb,and ip-geolocation-geobytes
nmap –script ip-geolocation-* <target>
Getting information from WHOIS records
nmap –script whois <target>
hostname list -iL <inputfile>
nmap -sn –script whois -v -iL hosts.txt
checking if a host is known for malicious activites
this allow us to check if a host is known for distributing malware or being used in phishing attacks,with some help from Google Safe Browsing API.
need Google Safe Browsing API register. http://code.google.com/apis/safebrowsing/key_signup.html
nmap -p80 –script http-google-malware –script-args http-google-malware.api=<API> <target>
collecting valid email account
插件是http-google-email
nmap -p80 –script http-google-email,http-email-harvest <target>
原理:
1,脚本http-google-email利用google页面和googlegroup页面搜索指定域的邮箱
2,http-email-harvest 会把目标站上的所有邮箱记录下来
nmap -p80 –script http-email-harvest –script-args httpspider.maxpagecount=50 <target>
nmap -p80 –script http-email-harvest –script-args httpspider.url=/welcome.php <target>
nmap -p80 –script http-google-email –script-args pages=10 scanme.nmap.org
HTTP User Agent参数
nmap -p80 –script http-email-harvest –script-args http.useragent=”Mozilla 42″
查找同一IP下其它域名 script ip2hosts
Brute forcing DNS records
nmap –script dns-brute <target>
可以自己设置字典 nmap –script dns-brute –script-args dns-brute.hostlist=words.txt <target>
设置线程数 nmap –script dns-brute –script-args dns-brute.threads=8 <target>
主机操作系统
nmap -O <target>
当检测失败时可以
nmap -O -p- –osscan-guess <target>
Discovering UDP Service
查找所有开放的UDP端口
nmap -sU -p- <target>
原理:
1,如果没有用参数nmap-payload指定,就发空的UDP包到目标
2,如果端口关闭,返回ICMP ECHO Unreachable
3,如果端口开放,返回UDP数据
4,如果没有反应,我们认为是filtered|open
-F 快递端口扫描
nmap -F -sU -p1-25<target>
Listing protocals supported by a remoted host
nmap -sO <target>
指定哪些协议被扫描 -p
nmap -p1,3,5 -sO <target>
Discovering stateful firewalls by using a TCP ACK scan
if the firewall protecting a host is stateful or stateless
nmap -sA <target>
Matching services with known security vlunerabilities
NES vlunscan http://www.computec.ch/mruef/?s=software&l=e
伪造源IP进行端口扫描
需要一个zombie host.并可以知道它的IP ID序列值, script ipidseq
nmap -p80 –script ipidseq <your ip> /24
nmap -p80 –script ipidseq -iR 1000
SCAN:
nmap -Pn -sl <zombie host> <target>
原理:
1,NMAP 知道zombie host的IP ID序列号
2,NMAP伪装自己是zombie host ,发包给target,即源地址写zombie host
3,如果端口开放,目标会返回SYN/ACK包,并使IP ID序列号加一
4,NMAP通过判断zombie的序列号来知道目标主机端口状态
检测操作系统:
nmap -O target
原理:
http://nmap.org/book/osdetect-methods.html
————————————————————–
Chapter 4 Auditing Web Servers
Listing Supported HTTP method
nmap -p80,443 –script http-methods scanme.nmap.org
原理:
利用HTTP方法OPTIONS
参数
nmap -p80,443 –script http-methods –script-args http-methods.retest scanme.nmap.org 查看OPTIONS的返回状态码
nmap -p80,443 –script http-methods –script-args http-methods.url-path=/mypath/ scanme.nmap.org 设置根目录
nmap -p80,443 –script http-methods –script-args http.useragent=”Mozilla 42″ <target>
nmap -p80,443 –script http-methods –script-args http.pipeline=25 <target>
nmap -p80,443 –script http-methods –script-args http.max-pipeline=25 <target>
查看HTTP代理是否开放
nmap –script http-open-proxy -p8080 <target>
参数:http-open-proxy.url http-open-proxy.pattern
Discoverying interesting files and directories on various web servers.
nmap –script http-enum -p80 <target>
fingerprints stores at:http-fingerprints.luain/nselib/data/
different fingerprints file:
nmap –script http-enum –script-args http-enum.fingerprintfile=./myfingerprints.txt -p80 <target>
Brute forcing HTTP authentication
namp -p80 –script http-brute –script-args http-brute.path=/admin/ <target>
默认字典:/nselib/data/usernams.lst(passwords.lst)
参数:
因为使用的是NSE库的unpwdb 和 brute 所以它们也有部分参数
namp -p80 –script http-brute –script-args userdb=/var/username.txt,passdb=/var/passwords.txt <target>
namp -p80 –script http-brute –script-args brute.firstOnly <target> 找到一个正确的就停止
nmap -p80 –script http-brute –script-args unpwdb.timelimit=60m <target>
Brute Mode:
user:对每个用户用所有密码来破
–script-args brute.mode=user
pass:对每个密码,使用每个用户来破
–script-args brute.mode=pass
creds:一条条破
–script-args brute.mode=creds,brute.credfile=./creds.txt <target>
Abusing mod_userdir to enumerate user account
apache 有自己用户目录/~username/ 故可以遍历用户名
nmap -p80 –script http-userdir-enum <target>
参数:
nmap -p80 –script http-userdir-enum –script-args userdir.users=./users.txt <target>
Testing default credentials in web application : http-default-accounts
nmap -p80 –script http-default-accounts <target>
fingerprints file :nselib/data/http-default-accouts.nse
–script-args http-default-accounts.category=routers
web
router
voip
security
–script-args http-default-accounts.basepath=/web/
–script-args http-default-accounts.fingerprintfile=./more-signatures.txt
Brute-force password auditing WordPress installations
namp -p80 –script http-wordpress-brute <target> try to find weak password
参数:
–script-args http-wordpress-brute.threads=5 <target>
–script-args http-wordpress-brute.hostname=”ahostname.wordpress.com” <target> 虚拟主机的情况下
–script-args http-wordpress-brute.uri=”/hiden-wp-login.php” 指定登陆口
–script-args http-wordpress-brute.uservar=myuser,http-wordpress-brute.passvar=passgroud
–script-args brute.mode=[user|pass|creds,brute.credfile='./creads.txt']
Brute-force password auditing Jooma installations
namp -p80 –script http-joomla-brute <target>
参数
–script-args http-joomla-brute.theads=5
–script-args http-joomla-brute.hostname=”hostname.com”
–script-args http-joomla-brute.uri=”/joomla/admin/login.php”
–script-args http-joomla-brute.uservar=usuario,http-joomla-brute.passvar=pasguord <target>
–script-args brute.mode=[user|pass|creds,brute.credfile='./creads.txt']
Detecting web application firewalls
nmap -p80 –script http-waf-detect <target>
原理:发送恶意的payload,看是否会有WAF或IPS拦截
脚本先保存正常页面的返回状态码和页面内容,然后和有恶意payload请求的返回页面进行比较,因为恶意的payload都在附加的变量上,故应该不会对程序造成影响
参数
–script-args “http-waf-detect.detectBodyChanges” 检测动态页面中的变化,建议使用
–script-args “http-waf-detect.aggro” 利用更多payload,但相应产生更多结果
–script-args http-wfa-detect.uri=/webapp/
Detecting possible XST vlunerabilities(Cross Site Tracing)
当TRACE方法可用,且存在XSS漏洞时,可以绕过httpOnly对Cookie的限制。所以要检测是否支持TRACE方法
nmap -p80 –script http-methods,http-trace –script-args http-methods.retest <target>
参数
–script-args http-methods.retest,http-trace.path=/secret/,http-methods.url-path=/secret/
Detecting XSS vulnerabilities in web application.
nmap -p80 –script http-unsafe-output-escaping <target>
To php server:
nmap -p80 –script http-phpself-xss,http-unsafe-output-escaping <target>
–script-args httpspider.withinhost=false <target>
–script-args httpspider.maxdepth=10
Finding SQL injection vlunerability in web application
nmap -p80 –script http-sql-injection <target>
SQL 注入使出数据库出错信息
/nselib/data/http-sql-errors.lst
参数:
–script-args httpspider.maxpagecount=20
–script-args httpspider.withinhost=false;
–script-args httpspider.maxdepth=10
–script-args http.useragent
–script-args http.pipeline=25
–script-args http.max-pipeline=10
Detecting web server vulnerable to slowloris denial of service attack.
“slowloris denial of service”
nmap -p80 –script http-slowloris –max-parallelism 300 <target>
http://ha.ckers.org/slowloris/
参数:
设置每个header发送的间隔时间
nmap -p80 –script http-slowloris –script-args http-slowloris.send_interval=200 –max-parallelism 300
nmap -p80 –script http-slowloris –script-args http-slowloris.timelimit=15m <target> 设置超时时间
nmap -p80 –script http-slowloris –script-args http-slowloris.runforever <target> 无休止攻击
另一个同功能脚本: http-slowloris-check
nmap -p80 –script http-slowloris-check <target>
————————————————————————————
Chapter 5 Auditing Databases
Listing MySQL databases
nmap -p3306 –script mysql-databases –script-args mysqluser=<user>,mysqlpass=<password> <target>
如果root密码为空
nmap -p3306 –script mysql-empty-password,mysql-databases <target>
Listing MySQL users
nmap -p3306 –script mysql-users –script-args mysqluser=<user>,mysqlpass=<pass> <target>
如果空密码:
nmap -sV –script mysql-empty-password,mysql-databases,mysql-users <target>
Listing MYSQL various
nmap -p3306 –script mysql-variables –script-args mysqluser=<root>,mysqlpass=<pass> target>
Finding root accounts with empty passwords in MYSQL servers
nmap -p3306 –script mysql-empty-password <target>
Brute forcing MySQL passwords
nmap -p3306 –script mysql-brute <target>
参数:
使用其它字典:
nmap -p3306 –script mysql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
找到第一个时就停止
nmap -p3306 –script mysql-brute –script-args unpwdb.timelimit=0 <target>
nmap -p3306 –script mysql-brute –script-args unpwdb.timelimit=60m <target>
brute mode
–script-args brute.mode=user
–script-args brute.mode=pass
–script-args brute.mode=creds,brute.credfile=./creds.txt
Detecting insecure configurations in MySQL servers
nmap -p3306 –script mysql-audit –script-args ‘mysql-audit.username=”<username>”,mysql-audit.password=”<passwords>”,mysql-audit.filename=/usr/local/share/nmap/nselib/data/mysql-cis.audit’ <target>
Brute forcing Oracle passwords
nmap -sV –script oracle-brute –script-args oracle-brute.sid=TEST <target>
update the neslib/data/oracle-default-accounts.lst to add any default accounts.
参数:
nmap -sV –script oracle-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -sV –script oracle-brute –script-args brute.firstOnly <target>
nmap -sV –script oracle-brute –script-args unpwdb.timelimit=60m <target>
nmap -sV –script oracle-brute –script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt <target>
Brute forcing Oracle SID names
nmap -sV –script oracle-sid-brute <target>
参数:
nmap -sV –script oracle-sid-brute –script-args oraclesids=/home/pentests/sids.txt <target>
Retrieving MS SQL server information
nmap -p1433 –script ms-sql-info <target>
if port 443 is open,you can use it to retrieve the information via pipes.
nmap -sV –script-args mssql.instance-name=MSSQLSERVER –script ms-sql-info -p 445 -v <target>
nmap -sV –script-args mssql.instance-all –script ms-sql-info -p445 -v <target>
Force scanned ports only in NSE scripts for MS SQL
nmap -p1433 –script-args mssql.scanned-ports-only –script ms-sql-* -v <target>
Bruting forcing MS SQL passwords
nmap -p1433 –script ms-sql-brute <target>
参数:
如果SMB端口开放,就可以用pipes来运行这脚本,通过参数 mssql.instance-all 或 mssql.instance-name
nmap -p445 –script ms-sql-brute –script-args mssql.instance-all <target>
nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p1433 –script ms-sql-brute –script-args brute.firstOnly <target>
nmap -p1433 –script ms-sql-brute –script-args unpwdb.timelimit=60m <target>
nmap -p1433 –script ms-sql-brute –script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt <target>
Dumping the password hashes of an MS SQL server
对于默认空密码:
nmap -p1433 –script ms-sql-empty-password,ms-sql-dump-hashes <target>
Running commands through the command shell on MS SQL server
xp_cmdshell
nmap –script-args ‘mssql.username=”<user>”,mssql.password=”"‘ –script ms-sql-xp-cmdshell -p1433 <target>
默认的话,ms-sql-xp-cmdshell执行的是ipconfig /all,但可以用参数改
nmap –script-args ‘ms-sql-xp-cmdshell.cmd=”<command>”,mssql.username=”<user>”,mssql.password=”"‘ –script ms-sql-xp-cmdshell -p1433 <target>
空密码:
nmap –script ms-sql-xp-cmdshell,ms-sql-empty-password -p1433 <target>
Finding system accounts with empty passwords on MS SQL servers.
nmap -p1433 –script ms-sql-empty-password -v <target>
nmap -sV –script-args mssql.instance-name=MSSQLSERVER –script ms-sql-empty-password -p445 -v <target>
nmap -sV –script-args mssql.instance-all –script ms-sql-empty-password -p445 -v <target>
Force scanned ports only in NSE scripts for MS SQL
nmap -p1433 –script-args mssql.scanned-ports-only –script ms-sql-* -v <target>
Listing MongoDB database
nmap -p27017 –script mongodb-databases <target>
Retrieving MongoDB server information
nmap -p27017 –script mongodb-info <target>
Listing CouchDB databases
nmap -p5984 –script couchdb-databases <target>
Retrieving CouchDB database statistics
nmap -p5984 –script couchdb-stats 127.0.0.1
———————————————————————
Chapter 6 Auditing Mail Servers
Discovering valid e-mail accounts using Google Search
Get:http-google-search.nse http://seclistsorg/nmap-dev/2011/q3/att-401/http-google-email.nse
nmap -p80 –script http-google-email <target>
参数:
nmap -p80 –script http-google-email –script-args http-google-email.domain=<hostname> <target>
namp -p80 –script http-google-email –script-args http-gogole-email.pages=10 <target>
Debugging NSE scripts
-d for debugging,you can set any integer between 0 and 9
nmap -p80 –script http-google-email -d4 <target>
Detecting open relays
nmap -sV –script smtp-open-relay -v <target>
you can specify an alternate IP address or domain name by specifying the script arguments smtp-open-relay.ip and smtp-open-relay.domain
nmap -sV –script smpt-open-relay -v –script-args smtp-open-relay.ip=<ip> target
nmap -sV –script smtp-open-relay -v –script-args smtp-open-relay.domain=<domain> <target>
Brute forcing SMTP passwords
nmap -p25 –script smtp-brute <target>
支持方式:LOGIN,PLAIN,CRAM-MD5,DIGEST-MD5和NTLM
默认字典:/nselib/data/usernames.lst 和 /nselib/data/passwords.lst
参数:
nmap -p25 –script smtp-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p25 –script smtp-brute –script-args brute.firstOnly <target> 找到第一个后就停止
nmap -p25 –script smpt-brute –script-args unpwdb.timelimit=0 <target>
nmap -p25 –script smpt-brute –script-args brute.mode=[user|pass|creds,brute.credfile=./creds.txt <target>
nmap -p80 –script http-google-email -d4 <target>
Enumerating users in an SMTP server
nmap -p25 –script smtp-enum-users <target>
原理:利用SMTP的命令,RCPT,VRFY,EXPN来判断账户是否存在,可以指定使用哪个命令
nmap -p25 –script smtp-enum-users –script-args smtp-enum.users.methods={VRFY,EXPN,RCPT} <target>
设置不同的domain
nmap -p25 –script smpt-enum-users –script-args smtp-enum-users.domain=<domain> <target>
–script-args userdb=/var/usernames.txt,brute.firstOnly,unpwdb.timelimit=0
Detecting backdoor SMTP servers
nmap -sV –script smtp-strangeport <target>
Brute forcing IMAP passwords
nmap -p143 –script imap-brute <target>
nmap -p143 –script imap-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p143 –script imap-brute –script-args brute.firstOnly <target>
nmap -p143 –script imap-brute –script-args unpwdb.timelimit=0 <target>
nmap -p143 –script imap-brute –script-args brute.mode=user <target>
Retrieving the capabilities of an IMAP mail server
nmap -p143,993 –script imap-capabilities <target>
Brute forcing POP3 passwords
nmap -p110 –script pop3-brute <target>
同样字典:/nselib/data/usernames.lst,passwords.lst
nmap -p110 –script pop3-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
nmap -p110 –script pop3-brute –script-args unpwdb.timelimit=0 <target>
Retrieving the capabilities of a POP3 mail server
nmap -p110 –script pop3-capabilities <target>
Detecting vlunerable Exim SMTP servers version 4.70 through 4.7
nmap –script smtp-vlun-cve2011-1764 –script-args mailfrom=<Source address>,mailto=<Destination address>,domain=<domain> -p25,465,587 <target>
————————————————————————————–
Chapter 7 Scanning Large Networks
Scanning an IP address range
nmap -A -O 192.168.1.0-255
nmap -p25,80 -O -T4 192.168.1.1/24 scanme.nmap.org/24
从文件中读取要扫描主机:
nmap -iL targets.txt
用不扫描指定文件中主机:
nmap -sV -O –exclude-file dontscan.txt 192.168.1.1/24
扫描随机主机:
nmap -iR 100 100 个随机主机
nmap -iR 0 扫描无数个主机,就是一直随机扫
加快扫描速度,不进行域名解析
nmap -T4 -n -Pn -p- 74.202.23.2
nmap -p80 -n -packet-trace scanme.nmap.org
完整扫描,各种扫描 -A
Selecting the correct timing template
nmap -T4 -d 192.168.2.7
-T0 Paranoid(-0):This Template is used for avoiding detecting systems,but it is painful slow because only one port is scanned at a time,and the timeout between probes is 5 minutes.
-T1 Sneky (-1)This template is useful for avoiding detection system but still very low
-T2 Polite(-2) This template is used when scanning is not supposed to interface with target system.
-T3 Normal(-3) This is Nmap`s default timing template ,which is used when the argument -T is not set
-T4 Aggressive(-4) This is the recommanded timing template for broadband and Ethernet connections.
-T5 Insame(-5) this timing template sacrifices accuracy for speed.
RTT value is used by nmap to know when to give up or retransmit a probe response.
nmap -A -p –initial-rtt-timeout 150ms <target>
nmap -A -p –min-rtt-timeout 200ms –max-rtt-timeout 600ms <target>
set wait time between probes
nmap -A –max-scan-delay 10s scanme.nmap.org
nmap -A –scan-delay 1s scanme.nmap.org
nmap -sV -A -p- –host-timeout 5m <target> 扫描一定时间后退出
nping -c30 <taraget> 发送30个echo包给目标,结束后返回统计结果
Scanning phases of Nmap
Script phases of Nmap
Target enumeration
Host discorery
Reverse DNS resolution
Port scanning
Version detection
OS detection
Traceroute
Script scanning
Output
Script post-scanning
Adjusting timing parameters
nmap -T4 –scan-delay 1s –initial-rtt-timeout 150ms –host-timeout 15m -d scanme.nmap.org
the RTT value is used by Nmap to know when to give up or retransmit a probe response.
be careful not to set –max-scan-delay too low because it will most likely miss the ports that are open.
–host-timeout nmap to quit a scan after a certain amount of time.
Adjusting performace parameters
nmap –min-hostgroup 100 –max-hostgroup 500 –max-retries 2 -iR 0
Nmap to scan and report by grouping no less than 100(–min-hostgroup 100)
no more than 500(–max-hostgroup 500)
Nmap to retry twice(–max-retries 2) before giving up on any port.
nmap -A -p- –min-rate 50 –max-rate 100 <target>
limit the number of packets send per second by Nmap.
nmap -A -p- –max-parallelism 1
–min-parallelism and –max-parallelism can be used to control the number of probes for a host group.
Collecting signature of web servers
www.shodanhq.com http header collections.
nmap -p80 –script http-headers –script-args http-max-cache-size=0 -iR 0
disable the cache system of HTTP library.
Disctributing a scan among serveral clients using Dnmap.
Download:http://sourceforge.net/projects/dnmap/files/
1,Create a file that will contain your Nmap commands.Each command must be separated by a new line.
nmap -sU -p1-10000 -sV scanme.nmap.org
nmap -sU -p10000-20000 -sV scanme.nmap.org
nmap -sU -p20000-30000 -sV scanme.nmap.org
2,Start the dnmap_server.py
python dnmap_server.py -f cmds.txt
3,On the clients ,run :
python dnmap_client.py -a client1 -s 192.168.1.1
————————————————
Chapter 8 Generating Scan Reports
Saving scan result in normal format
nmap -F -oN scanme.txt scanme.nmap.org
-oX xml-output.xml XML格式
-oG scanme.grep 图模式
nmap -oA scanme scanme.nmap.org 用所有可能的格式输出
nmap -A -T4 -oN ouput.txt –log-errors scanme.nmap.org
nmap -F –reason scanme.nmap.org
–reason 会记录下为什么显示一个端口是开放的或关闭/过滤…
nmap –append-output -oN existing.log scanme.nmap.org 添加到已有结果
Saving scan result to a SQLite database
PBNJ is a set of tools for network monitoring that users Nmap to detect hosts ,ports ,and services.
apt-get install pbnj http://pbnj.sourceforge.net/docs.html
scanpbnj -a “-p-” scanme.nmap.org
outputpbnj –list
outputpbnj -q machines
outputpbnj -q services
Dumping the databases in CSV format
outputpbnj -t cvs -q <query name>
Saving scan results in a grepable format
Generating a network topology graph with Zenmap
Generating a HTML scan report
Reporting vulnerability checks performed during a scan.
nmap -sV –script vlun <tartet>
nmap -sV –script vlun –script-args vulns.showall <target>
————————————————————-
Chapter 9 Writing Your Own NSE Scripts
API:http://nmap.org/book/nse-api.html
上一篇: CAD怎么导出或打印高品质的图片?