NMap扫描进阶

一, 基础扫描

扫描IP地址:

nmap -sn 192.168.112.0/24 192.168.112.1-255

扫描端口号:

基于SYN包扫描: nmap -sS 192.168.112.200
基于三次握手扫描: nmap -sT 192.168.112.200

指定端口扫描:

nmap -p10-200 192.168.112.200
nmap -p21,22,25,80,445,3306,1521,8080,8888 192.168.112.200

扫描端口和版本:

nmap -sV 192.168.112.200

扫描操作系统:

nmap -O 192.168.112.188

万能开关:

万能开关: nmap -A 192.168.112.188

二, 脚本扫描

使用内置脚本进行功能扩展，命令语法为:

nmap --script=脚本类型名或具体脚本名 192.168.112.200。

auth:负责处理鉴权证书, 绕开鉴权的脚本
broadcast:在局域网内探查更多服务开启状况，如dhcp/dns/sqlserver等服务
brute: 提供暴力破解方式，针对常见的应用如http/snmp等
default:使用-sC或-A选项扫描时候默认的脚本，提供基本脚本扫描能力
discovery:对网络进行更多的信息，如SMB枚举、SNMP查询等dos:用于进行拒绝服务攻击
exploit:利用已知的漏洞入侵系统
externa1:利用第三方的数据库或资源，例如进行whois解析
fuzzer: 模糊测试的脚本，发送异常的包到目标机，探测出潜在漏洞
intrusive:入侵性的脚本，此类脚本可能引发对方的IDS/IPS的记录或屏蔽
malware: 探测目标机是否感染了病毒、开启了后门等信息
safe:此类与intrusive相反，属于安全性脚本
version:负责增强服务与版本扫描(Version Detection)功能的脚本
vuln: 负责检查目标机是否有常见的漏洞(Vulnerability)，如是否有MS08_067

所有扫描脚本，可以查看Kali下的目录: /usr/share/nmap/scripts
具体各个脚本的用法及参数，参考: https://nmap.org/nsedoc/scripts/

1. 扫描SSH登录认证情况

nmap -p22 --script=auth 192.168.112.200

Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-20 22:31 EST
Nmap scan report for 192.168.112.200 (192.168.112.200)
Host is up (0.00081s latency).PORT   STATE SERVICE
22/tcp open  ssh
| ssh-publickey-acceptance: 
|_  Accepted Public Keys: No public keys accepted
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|     gssapi-keyex
|     gssapi-with-mic
|_    password
MAC Address: 00:0C:29:F2:89:25 (VMware)Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds

这里可以看到支持password认证, 可以尝试爆破密码.

2. 爆破SSH

文档：https://nmap.org/nsedoc/scripts/ssh-brute.html

使用内置字典

nmap -p 22 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst --script-args ssh-brute.timeout=4s 192.168.112.200

使用自定义字典

nmap -p 22 --script ssh-brute --script-args userdb=/home/kali/dict/username-top500.txt passdb=/home/kali/dict/password-top500.txt 192.168.112.200

22/ssh open  ssh
| ssh-brute:
|  Accounts
|    username:password
|  Statistics
|_   Performed 32 guesses in 25 seconds.

也可以使用SNETCracker超级弱口令检查工具, 这是一个窗口化的工具.

3. 扫描主机漏洞

nmap --script=vuln 192.168.112.200

|_http-dombased-xss: Couldn't find any DOM based XSS.
81/tcp   open  hosts2-ns
111/tcp  open  rpcbind
443/tcp  open  https
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /phpmyadmin/: phpMyAdmin
|   /icons/: Potentially interesting folder w/ directory listing
|   /img/: Potentially interesting folder w/ directory listing
|   /security/: Potentially interesting folder w/ directory listing
|_  /webalizer/: Potentially interesting folder w/ directory listing
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CCM
|             Modulus Type: Safe prime
|             Modulus Source: RFC2409/Oakley Group 2
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
3306/tcp open  mysql
MAC Address: 00:0C:29:F2:89:25 (VMware)Nmap done: 1 IP address (1 host up) scanned in 103.79 seconds