www.cnbreak.org
4.2 Complete and Comprehensive Scanning
If you want a complete, comprehensive scan of a given host, use nmap's built-in -A option. With this option nmap performs host discovery, port scanning, service and version detection, operating system detection, and a run of the default NSE scripts against the target host.
Command form:
nmap -T4 -A -v targethost
Here -A selects an aggressive scan; -T4 specifies the timing template used during the scan. There are six levels in total (0-5): the higher the level, the faster the scan, but the more easily a firewall or IDS detects and blocks it. T4 is recommended when network conditions are good. -v enables verbose output, showing scan details as the scan proceeds so the user can follow its current state.
break@kali:~$ nmap -T4 -A -v 10.10.10.130
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-17 14:14 EDT
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:14
Completed NSE at 14:14, 0.00s elapsed
Initiating NSE at 14:14
Completed NSE at 14:14, 0.00s elapsed
Initiating Ping Scan at 14:14
Scanning 10.10.10.130 [2 ports]
Completed Ping Scan at 14:14, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:14
Completed Parallel DNS resolution of 1 host. at 14:14, 0.02s elapsed
Initiating Connect Scan at 14:14
Scanning 10.10.10.130 [1000 ports]
Discovered open port 445/tcp on 10.10.10.130
Discovered open port 1025/tcp on 10.10.10.130
Discovered open port 135/tcp on 10.10.10.130
Discovered open port 80/tcp on 10.10.10.130
Discovered open port 139/tcp on 10.10.10.130
Discovered open port 21/tcp on 10.10.10.130
Discovered open port 6002/tcp on 10.10.10.130
Discovered open port 8099/tcp on 10.10.10.130
Discovered open port 1026/tcp on 10.10.10.130
Discovered open port 777/tcp on 10.10.10.130
Discovered open port 1521/tcp on 10.10.10.130
Discovered open port 1031/tcp on 10.10.10.130
Discovered open port 7002/tcp on 10.10.10.130
Discovered open port 1027/tcp on 10.10.10.130
Discovered open port 7001/tcp on 10.10.10.130
Completed Connect Scan at 14:14, 0.06s elapsed (1000 total ports)
Initiating Service scan at 14:14
Scanning 15 services on 10.10.10.130
Completed Service scan at 14:16, 141.14s elapsed (15 services on 1 host)
NSE: Script scanning 10.10.10.130.
Initiating NSE at 14:16
Completed NSE at 14:16, 15.18s elapsed
Initiating NSE at 14:16
Completed NSE at 14:16, 1.01s elapsed
Nmap scan report for 10.10.10.130
Host is up (0.00032s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2003 3790 microsoft-ds
777/tcp open multiling-http?
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1031/tcp open msrpc Microsoft Windows RPC
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
6002/tcp open http SafeNet Sentinel Protection Server httpd 7.3
| http-methods:
|_ Supported Methods: GET
|_http-title: Sentinel License Monitor
7001/tcp open afs3-callback?
7002/tcp open http SafeNet Sentinel Keys License Monitor httpd 1.0 (Java Console)
| http-methods:
|_ Supported Methods: GET
|_http-title: Sentinel Keys License Monitor
8099/tcp open http Microsoft IIS httpd 6.0
|_http-server-header: Microsoft-IIS/6.0
|_http-title: The page must be viewed over a secure channel
1 service unrecognized despite returning data. If you know the service/version, please submit the following
fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port777-TCP:V=7.40%I=7%D=6/17%Time=594571B0%P=x86_64-pc-linux-gnu%r(Ker
SF:beros,5,"\x01\0\t\xe0\x06")%r(SMBProgNeg,5,"\x01\0\t\xe0\x06")%r(Termin
SF:alServer,A,"\x01\0\t\xe0\x06\x01\0\t\xe0\x06")%r(WMSRequest,5,"\x01\0\t
SF:\xe0\x06");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Host script results:
| nbstat: NetBIOS name: ROOT-TVI862UBEH, NetBIOS user: , NetBIOS MAC: 00:0c:29:1a:e7:0d (VMware)
| Names:
| ROOT-TVI862UBEH<00> Flags:
| WORKGROUP<00> Flags:
| SNTL_ROOT-TVI86<32> Flags:
| ROOT-TVI862UBEH<20> Flags:
| WORKGROUP<1e> Flags:
| WORKGROUP<1d> Flags:
|_ \x01\x02__MSBROWSE__\x02<01> Flags:
| smb-os-discovery:
| OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
| OS CPE: cpe:/o:microsoft:windows_server_2003::-
| Computer name: root-tvi862ubeh
| NetBIOS computer name: ROOT-TVI862UBEH\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-06-18T02:16:33+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
NSE: Script Post-scanning.
Initiating NSE at 14:16
Completed NSE at 14:16, 0.00s elapsed
Initiating NSE at 14:16
Completed NSE at 14:16, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 157.96 seconds
From the scan results we can see the specific applications and version information running on the target's open ports, the operating system version, and other details.
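As an added example (not part of the original tutorial and not nmap's own code), the following Python script shows what a defender typically does with a report like the one above: parse nmap's normal text output into a port inventory and pull out the NSE findings worth triaging (anonymous FTP, the TRACE method, SMB signing disabled, a host with no SMBv2 support). The embedded SAMPLE_REPORT is an excerpt of the scan report shown on this page; the regular expressions assume nmap's normal-format layout, in which script names are lowercase words with hyphens and script output lines start with "|" or "|_". For production tooling, parse nmap's XML output (-oX) instead of scraping text.

```python
"""Parse an `nmap -A` normal-format report into an inventory plus a list of
defensive findings. Example code; heuristics assume nmap's text layout."""
import re
from dataclasses import dataclass, field

# Excerpt of the scan report shown on the page, embedded as sample input.
SAMPLE_REPORT = """\
Nmap scan report for 10.10.10.130
Host is up (0.00032s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Microsoft IIS httpd 6.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/6.0
|_http-title: Under Construction
445/tcp open microsoft-ds Windows Server 2003 3790 microsoft-ds
777/tcp open multiling-http?
1521/tcp open oracle-tns Oracle TNS Listener 10.2.0.1.0 (for 32-bit Windows)
6002/tcp open http SafeNet Sentinel Protection Server httpd 7.3
| http-methods:
|_ Supported Methods: GET
|_http-title: Sentinel License Monitor
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Host script results:
| smb-os-discovery:
| OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
|_ System time: 2017-06-18T02:16:33+08:00
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# "21/tcp open ftp Microsoft ftpd" -> port, proto, state, service, version (may be empty)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script names are lowercase with hyphens/digits; "Supported Methods:" or
# "message_signing:" are output lines, not script names, and do not match.
SCRIPT_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> output lines


@dataclass
class Report:
    host: str = ""
    os_info: str = ""
    ports: list = field(default_factory=list)
    host_scripts: dict = field(default_factory=dict)


def parse_report(text):
    """Walk the report line by line, attaching script output to the current port
    (or to the host-level section after 'Host script results:')."""
    report = Report()
    current_scripts = None  # dict receiving script lines right now
    current_script = None   # name of the script being collected
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Nmap scan report for "):
            report.host = line.split("for ", 1)[1]
        elif line.startswith("Service Info:"):
            report.os_info = line[len("Service Info:"):].strip()
        elif line.startswith("Host script results:"):
            current_scripts, current_script = report.host_scripts, None
        elif (m := PORT_RE.match(line)):
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5))
            report.ports.append(port)
            current_scripts, current_script = port.scripts, None
        elif line.startswith("|") and current_scripts is not None:
            body = line.lstrip("|_ ").strip()
            sm = SCRIPT_RE.match(body)
            if sm:  # a new script block starts here
                current_script = sm.group(1)
                current_scripts[current_script] = [sm.group(2)] if sm.group(2) else []
            elif current_script:  # continuation line of the current script
                current_scripts[current_script].append(body)
    return report


def inventory(report):
    """Asset inventory: (port, service, version) for every parsed port."""
    return [(f"{p.number}/{p.proto}", p.service, p.version) for p in report.ports]


def findings(report):
    """Findings a defender would triage from the NSE output."""
    out = []
    for p in report.ports:
        tag = f"{p.number}/{p.proto}"
        if "Anonymous FTP login allowed" in " ".join(p.scripts.get("ftp-anon", [])):
            out.append((tag, "anonymous FTP login allowed"))
        for line in p.scripts.get("http-methods", []):
            if line.startswith("Potentially risky methods:"):
                out.append((tag, "risky HTTP methods: " + line.split(":", 1)[1].strip()))
    smb = next((f"{p.number}/{p.proto}" for p in report.ports
                if p.service == "microsoft-ds"), "host")
    if any(l.startswith("message_signing: disabled")
           for l in report.host_scripts.get("smb-security-mode", [])):
        out.append((smb, "SMB message signing disabled"))
    if "doesn't support SMBv2" in " ".join(report.host_scripts.get("smbv2-enabled", [])):
        out.append((smb, "SMBv1 only (no SMBv2 support)"))
    return out


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep.host, "-", rep.os_info)
    for row in inventory(rep):
        print("  %-9s %-16s %s" % row)
    for tag, issue in findings(rep):
        print("FINDING", tag, issue)
```

The parser keys everything on nmap's normal-output conventions, so a renamed script or a changed layout in a newer nmap release silently yields fewer findings; that is the reason the XML output is the right interface for anything beyond a quick triage.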
4.3 Using Host Discovery
Host discovery is usually not used on its own; it is a preliminary step before port scanning, version detection and OS detection. In certain special applications (for example, determining the number of live hosts on a large LAN), host discovery may be used by itself.
Whether as a supporting step or for a dedicated purpose, users can use the rich set of options Nmap provides to customize how host discovery probes.
-sL: List Scan. Only lists the specified target IPs; no host discovery is performed.
-sn: Ping Scan. Performs host discovery only, without a port scan.
-Pn: Treats all specified hosts as up, skipping the host discovery step.