系統漏洞掃描之王-nmap
NMap,也就是Network Mapper,是Linux下的網路掃描和嗅探工具包。
其基本功能有三個:
(1)是掃描主機埠,嗅探所提供的網路服務
(2)是探測一組主機是否線上
(3)還可以推斷主機所用的作業系統,到達主機經過的路由,系統已開放埠的軟體版本
1
2
3
4
5
6
7
|
nmap埠狀態解析
open : 應用程式在該埠接收 TCP 連線或者 UDP 報文。
closed :關閉的埠對於nmap也是可訪問的, 它接收nmap探測報文並作出響應。但沒有應用程式在其上監聽。
filtered :由於包過濾阻止探測報文到達埠,nmap無法確定該埠是否開放。過濾可能來自專業的防火牆裝置,路由規則 或者主機上的軟體防火牆。
unfiltered :未被過濾狀態意味著埠可訪問,但是nmap無法確定它是開放還是關閉。 只有用於對映防火牆規則集的 ACK 掃描才會把埠分類到這個狀態。
open | filtered :無法確定埠是開放還是被過濾, 開放的埠不響應就是一個例子。沒有響應也可能意味著報文過濾器丟棄了探測報文或者它引發的任何反應。UDP,IP協議,FIN, Null 等掃描會引起。
closed|filtered:(關閉或者被過濾的):無法確定埠是關閉的還是被過濾的
|
nmap有windows和linux
Nmap是一款網路掃描和主機檢測的非常有用的工具。Nmap是不侷限於僅僅收集資訊和列舉,同時可以用來作為一個漏洞探測器或安全掃描器。它可以適用於winodws,linux,mac等作業系統
從下面官網可以下載exe程式包和zip包
https://nmap.org/download.html#windows
nmap常用引數
nmap掃描速度要比nc快
面是一些基本的命令和它們的用法的例子:掃描單一的一個主機,命令如下:
前期準備
準備兩臺機器
主機A:ip地址 10.0.1.161
主機B:ip地址 10.0.1.162
B機器安裝nmap的包(這個工具比較強大,習慣上每臺機器都安裝)
埠掃描部分
前期準備
B機器使用nmap去掃描A機器,掃描之前,A機器先檢視自己上面有哪些埠在被佔用
A機器上檢視本地ipv4的監聽埠
netstat引數解釋:
-l (listen) 僅列出 Listen (監聽) 的服務
-t (tcp) 僅顯示tcp相關內容
-n (numeric) 直接顯示ip地址以及埠,不解析為服務名或者主機名
-p (pid) 顯示出socket所屬的程式PID 以及程式名字
--inet 顯示ipv4相關協議的監聽
檢視IPV4埠上的tcp的監聽
netstat -lntp --inet
1
2
3
4
5
6
7
8
9
10
|
[root@A ~] # netstat -lntp --inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID /Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157 /sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1930 /cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2365 /master
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699 /mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640 /rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505 /rpcbind
[root@A ~] #
|
過濾掉監控在127.0.0.1的埠
1
2
3
4
5
6
7
8
|
[root@A ~] # netstat -lntp --inet | grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID /Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2157 /sshd
tcp 0 0 0.0.0.0:13306 0.0.0.0:* LISTEN 21699 /mysqld
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 2640 /rsync
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 21505 /rpcbind
[root@A ~] #
|
掃描tcp埠
B機器上使用nmap掃描A機器所有埠(-p後面也可以跟空格)
下面表示掃描A機器的1到65535所有在監聽的tcp埠。
nmap 10.0.1.161 -p1-65535
指定埠範圍使用-p引數,如果不指定要掃描的埠,Nmap預設掃描從1到1024再加上nmap-services列出的埠
nmap-services是一個包含大約2200個著名的服務的資料庫,Nmap通過查詢該資料庫可以報告那些埠可能對應於什麼伺服器,但不一定正確。
所以正確掃描一個機器開放埠的方法是上面命令。-p1-65535
注意,nmap有自己的庫,存放一些已知的服務和對應埠號,假如有的服務不在nmap-services,可能nmap就不會去掃描,這就是明明一些埠已經是處於監聽狀態,nmap預設沒掃描出來的原因,需要加入-p引數讓其掃描所有埠。
雖然直接使用nmap 10.0.1.161也可以掃描出開放的埠,但是使用-p1-65535 能顯示出最多的埠
區別在於不加-p 時,顯示的都是已知協議的埠,對於未知協議的埠沒顯示
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
[root@B ~] # nmap 10.0.1.161 -p1-65535
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:11 CST
Nmap scan report for 10.0.1.161
Host is up (0.00017s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
13306 /tcp open unknown
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 2.49 seconds
[root@B ~] #
|
如果不加-p1-65535,對於未知服務的埠(A機器的13306埠)就沒法掃描到
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@B ~] # nmap 10.0.1.161
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:12 CST
Nmap scan report for 10.0.1.161
Host is up (0.000089s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 0.43 seconds
[root@B ~] #
|
掃描一個IP的多個埠
連續的埠可以使用橫線連起來,埠之間可以使用逗號隔開
A機器上再啟動兩個tcp的監聽,分別佔用7777和8888埠,用於測試,加入&符號可以放入後臺
1
2
3
4
5
|
[root@A ~] # nc -l 7777&
[1] 21779
[root@A ~] # nc -l 8888&
[2] 21780
[root@A ~] #
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
[root@B ~] # nmap 10.0.1.161 -p20-200,7777,8888
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:32 CST
Nmap scan report for 10.0.1.161
Host is up (0.00038s latency).
Not shown: 179 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
7777 /tcp open cbt
8888 /tcp open sun-answerbook
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 0.17 seconds
[root@B ~] #
|
掃描udp埠
先檢視哪些ipv4的監聽,使用grep -v排除迴環介面上的監聽
1
|
netstat -lnup --inet | grep - v 127.0.0.1
|
1
2
3
4
5
6
7
8
9
|
[root@A ~] # netstat -lnup --inet |grep -v 127.0.0.1
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID /Program name
udp 0 0 0.0.0.0:111 0.0.0.0:* 21505 /rpcbind
udp 0 0 0.0.0.0:631 0.0.0.0:* 1930 /cupsd
udp 0 0 10.0.1.161:123 0.0.0.0:* 2261 /ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2261 /ntpd
udp 0 0 0.0.0.0:904 0.0.0.0:* 21505 /rpcbind
[root@A ~] #
|
-sU:表示udp scan , udp埠掃描
-Pn:不對目標進行ping探測(不判斷主機是否線上)(直接掃描埠)
對於udp埠掃描比較慢,掃描完6萬多個埠需要20分鐘左右
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
[root@B ~] # nmap -sU 10.0.1.161 -Pn
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:16 CST
Stats: 0:12:54 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.19% done ; ETC: 10:33 (0:04:16 remaining)
Stats: 0:12:55 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.29% done ; ETC: 10:33 (0:04:15 remaining)
Nmap scan report for 10.0.1.161
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
111 /udp open rpcbind
123 /udp open ntp
631 /udp open |filtered ipp
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 1081.27 seconds
[root@B ~] #
|
掃描多個IP用法
中間用空格分開
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@B ~] # nmap 10.0.1.161 10.0.1.162
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:18 CST
Nmap scan report for 10.0.1.161
Host is up (0.000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 2 IP addresses (2 hosts up) scanned in 0.26 seconds
[root@B ~] #
|
也可以採用下面方式逗號隔開
nmap 10.0.1.161,162
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@B ~] # nmap 10.0.1.161,162
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:19 CST
Nmap scan report for 10.0.1.161
Host is up (0.00025s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 2 IP addresses (2 hosts up) scanned in 0.81 seconds
[root@B ~] #
|
掃描連續的ip地址
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
[root@B ~] # nmap 10.0.1.161-162
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:20 CST
Nmap scan report for 10.0.1.161
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 2 IP addresses (2 hosts up) scanned in 0.25 seconds
[root@B ~] #
|
掃描一個子網網段所有IP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
[root@B ~] # nmap 10.0.3.0/24
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:21 CST
Nmap scan report for 10.0.3.1
Host is up (0.020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
23 /tcp open telnet
6666 /tcp open irc
8888 /tcp open sun-answerbook
Nmap scan report for 10.0.3.2
Host is up (0.012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21 /tcp filtered ftp
22 /tcp filtered ssh
23 /tcp open telnet
Nmap scan report for 10.0.3.3
Host is up (0.018s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21 /tcp filtered ftp
22 /tcp filtered ssh
23 /tcp open telnet
Nmap done : 256 IP addresses (3 hosts up) scanned in 14.91 seconds
[root@B ~] #
|
掃描檔案裡的IP
如果你有一個ip地址列表,將這個儲存為一個txt檔案,和namp在同一目錄下,掃描這個txt內的所有主機,用法如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
[root@B ~] # cat ip.txt
10.0.1.161
10.0.1.162
[root@B ~] # nmap -iL ip.txt
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:23 CST
Nmap scan report for 10.0.1.161
Host is up (0.00030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap scan report for 10.0.1.162
Host is up (0.0000070s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 2 IP addresses (2 hosts up) scanned in 0.68 seconds
[root@B ~] #
|
掃描地址段是排除某個IP地址
1
|
nmap 10.0.1.161-162 --exclude 10.0.1.162
|
用法如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@B ~] # nmap 10.0.1.161-162 --exclude 10.0.1.162
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:24 CST
Nmap scan report for 10.0.1.161
Host is up (0.0022s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 0.53 seconds
[root@B ~] #
|
掃描時排除多個IP地址
排除連續的,可以使用橫線連線起來
1
|
nmap 10.0.1.161-163 --exclude 10.0.1.162-163
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@B ~] # nmap 10.0.1.161-163 --exclude 10.0.1.162-163
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:25 CST
Nmap scan report for 10.0.1.161
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
873 /tcp open rsync
MAC Address: 00:0C:29:56:DE:46 (VMware)
Nmap done : 1 IP address (1 host up) scanned in 0.56 seconds
[root@B ~] #
|
排除分散的,使用逗號隔開
1
|
nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163
|
1
2
3
4
5
6
7
8
9
10
11
12
|
[root@B ~] # nmap 10.0.1.161-163 --exclude 10.0.1.161,10.0.1.163
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:27 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000030s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 1 IP address (1 host up) scanned in 0.12 seconds
[root@B ~] #
|
掃描多個地址時排除檔案裡的IP地址
(可以用來排除不連續的IP地址)
把10.0.1.161和10.0.1.163新增到一個檔案裡,檔名可以隨意取
下面掃描10.0.1.161到10.0.1.163 這3個IP地址,排除10.0.1.161和10.0.1.163這兩個IP
1
|
nmap 10.0.1.161-163 --excludefile ex.txt
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
[root@B ~] # cat ex.txt
10.0.1.161
10.0.1.163
[root@B ~] # nmap 10.0.1.161-163 --excludefile ex.txt
Starting Nmap 5.51 ( http: //nmap .org ) at 2016-12-29 10:29 CST
Nmap scan report for 10.0.1.162
Host is up (0.0000050s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22 /tcp open ssh
111 /tcp open rpcbind
Nmap done : 1 IP address (1 host up) scanned in 0.18 seconds
[root@B ~] #
|