
Chapter 142. Sniffer

Table of Contents

142.1. nmap - Network exploration tool and security / port scanner
142.1.1. Port scanning
142.1.2. HOST DISCOVERY
142.1.2.1. -sP: Ping Scan - go no further than determining if host is online
142.1.3. SCAN TECHNIQUES
142.1.3.1. -sU: UDP Scan
142.1.3.2. -b <FTP relay host>: FTP bounce scan
142.1.4. PORT SPECIFICATION AND SCAN ORDER
142.1.4.1. -p <port ranges>: Only scan specified ports
142.1.5. SCRIPT SCAN
142.1.5.1. ftp-anon
142.1.5.2. mysql-info
142.1.5.3. http
142.1.5.4. snmp
142.1.5.5. SSHv1
142.1.5.6. --script-updatedb: update the script database
142.1.6. OS DETECTION
142.1.6.1. -O: Enable OS detection
142.1.7. OUTPUT
142.1.7.1. --open: Only show open (or possibly open) ports
142.1.8. Excluding specified hosts
142.1.9. Viewing local routes and interfaces
142.1.10. MISC
142.1.10.1. -6: Enable IPv6 scanning
142.1.10.2. -A: Enables OS detection and Version detection, Script scanning and Traceroute
142.1.11. Nmap Scripting Engine (NSE)
142.2. tcpdump - A powerful tool for network monitoring and data acquisition
142.2.1. Monitoring a network interface
142.2.2. Monitoring a host
142.2.3. Monitoring a TCP port
142.2.4. Monitoring a protocol
142.2.5. Output to a file
142.2.6. src / dst
142.2.7. Saving results
142.2.8. Cisco Discovery Protocol (CDP)
142.2.9. Flags
142.2.10. Examples
142.2.10.1. Monitoring port 80 together with icmp and arp
142.2.10.2. monitor mysql tcp package
142.2.10.3. HTTP packets
142.2.10.4. Showing SYN, FIN and ACK-only packets
142.2.10.5. Sniffing Oracle errors
142.2.10.6. smtp
142.3. cdpr - Cisco Discovery Protocol Reporter
142.4. ncat - Concatenate and redirect sockets
142.4.1. TCP data transfer
142.4.2. UDP data transfer
142.4.3. Keeping the server listening permanently
142.4.4. Streaming video
142.5. ngrep - Network layer grep tool
142.5.1. Matching a keyword
142.5.2. Specifying the network interface
142.6. Unicornscan, Zenmap, nast
142.7. netstat-nat - Show the natted connections on a linux iptable firewall
142.8. Tcpreplay
142.9. Wireshark

142.1. nmap - Network exploration tool and security / port scanner

Nmap supports four basic scan types:

    * TCP connect() port scan (-sT)

    * TCP SYN port scan (-sS)

    * UDP port scan (-sU)

    * Ping scan (-sP)

To get an overall picture of a network, the Ping scan and the TCP SYN scan are the most practical.

Ping scan: determines the state of each host by sending ICMP (Internet Control Message Protocol) echo request packets and TCP ACK (Acknowledge) packets. It is well suited to finding out how many hosts are running in a given network range.

TCP SYN scan compared with TCP connect() scan
    In a TCP connect() scan the scanner uses the operating system's own connect() system call to open a complete TCP connection, that is, it performs the full handshake between the two hosts (SYN, SYN-ACK and ACK). A handshake that completes shows that the remote port is open.

    A TCP SYN scan creates a half-open connection instead. It differs from the connect() scan in that the scanner sends a reset (RST) rather than the final ACK (the sequence is SYN, SYN-ACK, RST): if the remote host is listening and the port is open it answers SYN-ACK, and Nmap replies with RST; if the remote port is closed the answer is RST, and Nmap moves on to the next port.


-sS SYN scan: sends a TCP SYN and judges the port from the SYN-ACK or RST reply (half-open)

-sT TCP connect() scan: completes the full three-way handshake

-sU UDP scan

-sP sends ICMP ECHO requests; hosts that reply are examined further

-sN sends invalid TCP packets with every flag off and infers the port state from the error response

-P0 ignores the result of the ICMP ECHO request and scans regardless

-p <port range> specifies the target ports to scan

   1-100, or a list such as 25,100

-O detects the operating system type

-A full aggressive scan (host discovery, port scan, version scan, OS scan and default script scan)

-oN <file> normal-format output to a file

-oX <file> XML output (with DTD) to a file

-oG <file> grepable-format output to a file

-sV scans for the service program name and version
$ nmap localhost

Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-19 05:20 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1689 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3306/tcp open  mysql
	

142.1.1. Port scanning

# nmap -Pn 192.168.4.13

Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-04 15:41 CST
Nmap scan report for gts2apidemo.cfddealer88.com (192.168.4.13)
Host is up (0.0051s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE
8008/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
		

Scan for hosts that are up within a network range

nmap -sP 140.15.35.0/24

142.1.2. HOST DISCOVERY

142.1.2.1. -sP: Ping Scan - go no further than determining if host is online

Scan a network range

$ nmap  -v -sP 172.16.0.0/24

Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-27 10:00 CST
Initiating Ping Scan at 10:00
Scanning 256 hosts [1 port/host]
Completed Ping Scan at 10:00, 0.80s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:00
Completed Parallel DNS resolution of 256 hosts. at 10:00, 2.77s elapsed
Host 172.16.0.0 appears to be down.
Host 172.16.0.1 appears to be up.
Host 172.16.0.2 appears to be up.
Host 172.16.0.3 appears to be down.
Host 172.16.0.4 appears to be down.
Host 172.16.0.5 appears to be up.
Host 172.16.0.6 appears to be down.
Host 172.16.0.7 appears to be down.
Host 172.16.0.8 appears to be down.
Host 172.16.0.9 appears to be up.
...
...
Host 172.16.0.253 appears to be down.
Host 172.16.0.254 appears to be down.
Host 172.16.0.255 appears to be down.
Read data files from: /usr/share/nmap
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.596 seconds
			

List the IP addresses currently in use

$ nmap  -v -sP 172.16.0.0/24 | grep up
Host 172.16.0.1 appears to be up.
Host 172.16.0.2 appears to be up.
Host 172.16.0.5 appears to be up.
Host 172.16.0.9 appears to be up.
Host 172.16.0.19 appears to be up.
Host 172.16.0.40 appears to be up.
Host 172.16.0.188 appears to be up.
Host 172.16.0.252 appears to be up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 6.574 seconds


$ nmap -sn -oG - 172.16.1.0/24 | grep Up
Host: 172.16.1.1 ()	Status: Up
Host: 172.16.1.2 ()	Status: Up
Host: 172.16.1.3 ()	Status: Up
Host: 172.16.1.4 ()	Status: Up
Host: 172.16.1.5 ()	Status: Up
Host: 172.16.1.6 ()	Status: Up
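The -oG (grepable) form shown above is the one best suited to automation. What follows is an added example, not code from the original book: a small POSIX shell inventory check that reads grepable output, lists the hosts that answered, and reports any that are missing from an expected-asset list. The scan text and the asset list are constructed for the example rather than taken from a real scan.

```shell
#!/bin/sh
# Added example (not from the original page): parse nmap grepable output (-oG)
# and flag live hosts that are not in an expected-asset list.
# The sample output below is constructed; real output would come from
#   nmap -sn -oG - 172.16.1.0/24

SAMPLE_GREPABLE='# Nmap scan initiated (constructed sample)
Host: 172.16.1.1 ()  Status: Up
Host: 172.16.1.2 ()  Status: Up
Host: 172.16.1.3 ()  Status: Down
Host: 172.16.1.7 ()  Status: Up
# Nmap done (constructed sample) -- 4 IP addresses (3 hosts up)'

# live_hosts: print the address of every "Status: Up" record, one per line.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# unknown_hosts: live hosts that are absent from a whitespace-separated
# list of expected assets (the inventory here is a constructed example).
unknown_hosts() {
    scan="$1"; expected="$2"
    for ip in $(live_hosts "$scan"); do
        case " $expected " in
            *" $ip "*) ;;          # known asset, nothing to report
            *) echo "$ip" ;;       # answered the scan but is not in the inventory
        esac
    done
}

echo "--- hosts up ---"
live_hosts "$SAMPLE_GREPABLE"
echo "--- not in inventory ---"
unknown_hosts "$SAMPLE_GREPABLE" "172.16.1.1 172.16.1.2"
```

Run against real data with `nmap -sn -oG - 172.16.1.0/24 > scan.txt` and `unknown_hosts "$(cat scan.txt)" "$(cat assets.txt)"`; a host that appears here and nowhere in the inventory is worth a closer look.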

			

Scan for MAC addresses

nmap -sP -PI -PT -oN ipandmaclist.txt 192.168.80.0/24
			

142.1.3. SCAN TECHNIQUES

142.1.3.1. -sU: UDP Scan

Scan the DNS port

$ sudo nmap -sU -p 53 xxx.xxx.xxx.xxx
neo@deployment:~$ sudo nmap -sU -p 53 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:24 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds


neo@deployment:~$ sudo nmap -sU -p 1194 localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:24 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT     STATE  SERVICE
1194/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds


neo@deployment:~$ sudo nmap -sU -v localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:22 CST
NSE: Loaded 0 scripts for scanning.
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Initiating UDP Scan at 15:22
Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan at 15:22, 1.26s elapsed (1000 total ports)
Host localhost (127.0.0.1) is up (0.000010s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 993 closed ports
PORT     STATE         SERVICE
53/udp   open|filtered domain
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
1812/udp open|filtered radius
1813/udp open|filtered radacct

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
           Raw packets sent: 1007 (28.196KB) | Rcvd: 993 (55.608KB)

			

Scanning with UDP datagrams: use this scan type when you want to know which UDP (User Datagram Protocol, RFC 768) services a host offers. nmap first sends a 0-byte UDP packet to each port of the target host; if an ICMP port unreachable message comes back the port is closed, otherwise it is assumed to be open.

			
[root@netkiller ~]# nmap -sU x.x.x.x

Nmap scan report for x.x.x.x
Host is up (0.023s latency).
Not shown: 984 closed ports
PORT     STATE         SERVICE
67/udp   open|filtered dhcps
68/udp   open|filtered dhcpc
80/udp   open|filtered http
111/udp  open          rpcbind
135/udp  open|filtered msrpc
136/udp  open|filtered profile
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
139/udp  open|filtered netbios-ssn
445/udp  open|filtered microsoft-ds
520/udp  open|filtered route
626/udp  open|filtered serialnumberd
631/udp  open|filtered ipp
1433/udp open|filtered ms-sql-s
1434/udp open|filtered ms-sql-m
5353/udp open          zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1026.28 seconds
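The open|filtered state that dominates the UDP reports above deserves care: nmap reports it when a probe gets no answer at all, so it cannot tell a silent open service from a firewall that dropped the packet, while a plain open means the port actually responded. The added example below (not code from the original book) summarises a -sU report by state so that the two cases can be handled differently; the report text is a constructed sample.

```shell
#!/bin/sh
# Added example (not the page's own code): summarise the port states in an
# "nmap -sU" report. "open|filtered" means no reply came back at all;
# a plain "open" means the port answered the probe. Constructed sample report:

SAMPLE_UDP_REPORT='Nmap scan report for 192.0.2.10
Host is up (0.023s latency).
Not shown: 996 closed ports
PORT     STATE         SERVICE
53/udp   open|filtered domain
111/udp  open          rpcbind
123/udp  open|filtered ntp
161/udp  closed        snmp
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds'

# udp_ports_in_state: list the port numbers whose STATE column equals $2.
udp_ports_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '$1 ~ /\/udp$/ && $2 == want { sub(/\/udp$/, "", $1); print $1 }'
}

# udp_state_summary: one line per state with its count, e.g. "open|filtered 2".
udp_state_summary() {
    printf '%s\n' "$1" | awk '$1 ~ /\/udp$/ { n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

udp_state_summary "$SAMPLE_UDP_REPORT"
echo "confirmed open (the port answered the probe):"
udp_ports_in_state "$SAMPLE_UDP_REPORT" open
echo "unanswered (open|filtered), confirm with a service probe such as -sV or an NSE script:"
udp_ports_in_state "$SAMPLE_UDP_REPORT" 'open|filtered'
```

The split matters for follow-up: a confirmed open port is a service to inventory, while an open|filtered port is only a candidate until a protocol-aware probe (for example the snmp-sysdescr script used later in this section) gets an answer.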
	
			
			

142.1.3.2. -b <FTP relay host>: FTP bounce scan


			

142.1.4. PORT SPECIFICATION AND SCAN ORDER

142.1.4.1. -p <port ranges>: Only scan specified ports

Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

sudo nmap -sU -p 53 localhost
			

Scan for DHCP servers

sudo nmap -sU -p U:67,68 192.168.0.0/24

sudo nmap -sU -p U:67,68 192.168.0.0/24 > /tmp/dhcp.log
			

$ sudo nmap -sU -p161 192.168.0.0/24 > /tmp/snmp.log
			

Scan multiple hosts

			
1) Scan a subnet
nmap 192.168.0.*
nmap 192.168.0.0/24

2) Specify several hosts
nmap 192.168.0.123,124,125

3) Specify a range of hosts
nmap 192.168.0.123-140
			
			

142.1.5. SCRIPT SCAN

nmap scripts are written in Lua; install a Lua environment first.

		
$ sudo apt-get install lua5.1

$ lua
Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
> ^C
		
		
		
$ nmap --script "default and safe" localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:23 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 1024 a6:ab:76:a5:fb:80:4e:2c:bc:06:d4:85:ff:22:18:1a (DSA)
|_2048 c7:da:16:7a:e7:01:cc:f0:d2:02:b4:17:52:c9:c2:50 (RSA)
80/tcp   open  http
|_html-title: 500 Internal Server Error
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3000/tcp open  ppp
9000/tcp open  cslistener

Host script results:
|_nbstat: NetBIOS name: NEO-OPTIPLEX-38, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.5.11)
|   Name: WORKGROUP\Unknown
|_  System time: 2012-02-02 16:23:08 UTC+8

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


$ nmap --script=default 172.16.1.5

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:25 CST
Nmap scan report for 172.16.1.5
Host is up (0.024s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 1024 c1:40:33:3b:be:4d:ef:52:40:a9:08:0a:e1:ae:d7:91 (DSA)
|_2048 9d:db:c5:41:94:63:c7:51:d1:97:36:d3:87:ad:8f:a5 (RSA)
3306/tcp open  mysql
| mysql-info: Protocol: 10
| Version: 5.1.48-community-log
| Thread ID: 6647320
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: 0%eRHQ?'Fi_!%6|4+w9U
5666/tcp open  nrpe

Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
		
		

142.1.5.1. ftp-anon

$ nmap -p21 --script=ftp-anon 172.16.3.100

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:51 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.3.100
Host is up (0.0066s latency).
PORT   STATE SERVICE
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
			

142.1.5.2. mysql-info

$ nmap -p3306 --script=mysql-info 172.16.0.5

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 16:58 CST
Interesting ports on 172.16.0.5:
PORT     STATE SERVICE
3306/tcp open  mysql
|  mysql-info: Protocol: 10
|  Version: 5.1.48-community-log
|  Thread ID: 62837508
|  Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: T{3(moe.R2C;?fgP:rQ|

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
			

142.1.5.3. http

http-date

$ nmap -p80 --script=http-date www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 18:37 CST
NSE: Script Scanning completed.
Nmap scan report for www.baidu.com (220.181.111.147)
Host is up (0.037s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-date: Thu, 02 Feb 2012 10:37:40 GMT; 0s from local time.

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds

			

http-headers

$ nmap -p80 --script=http-headers www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 18:38 CST
NSE: Script Scanning completed.
Nmap scan report for www.baidu.com (220.181.111.147)
Host is up (0.036s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-headers:
|   Date: Thu, 02 Feb 2012 10:38:15 GMT
|   Server: BWS/1.0
|   Content-Length: 7677
|   Content-Type: text/html;charset=gb2312
|   Cache-Control: private
|   Expires: Thu, 02 Feb 2012 10:38:15 GMT
|   Set-Cookie: BAIDUID=0279AEA82B65E8B74C03D5B6AA92326C:FG=1; expires=Thu, 02-Feb-42 10:38:15 GMT; path=/; domain=.baidu.com
|   P3P: CP=" OTI DSP COR IVA OUR IND COM "
|   Connection: Close
|
|_  (Request type: HEAD)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
			
$ nmap -p80 --script=http-date,http-headers,http-malware-host,http-trace,http-enum 192.168.3.5

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:15 CST
NSE: Script Scanning completed.
Nmap scan report for 192.168.3.5
Host is up (0.0015s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-headers:
|   Date: Thu, 02 Feb 2012 11:15:00 GMT
|   Server: Apache
|   Last-Modified: Mon, 29 Nov 2010 14:56:50 GMT
|   ETag: "7bcaa3-2c-496324828b080"
|   Accept-Ranges: bytes
|   Content-Length: 44
|   Connection: close
|   Content-Type: text/html
|
|_  (Request type: HEAD)
|_http-malware-host: Host appears to be clean
|_http-date: Thu, 02 Feb 2012 11:15:00 GMT; 0s from local time.
|_http-enum:

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

			

142.1.5.4. snmp

$ sudo nmap -sU -p161 --script=snmp-sysdescr 172.16.3.250

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 19:20 CST
Interesting ports on 172.16.3.250:
PORT    STATE SERVICE
161/udp open  snmp
|  snmp-sysdescr: Cisco Adaptive Security Appliance Version 8.2(5)
|_   System uptime: 84 days, 18:39:55.00 (732479500 timeticks)

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
			

142.1.5.5. SSHv1

$ sudo nmap -sT -p22 --script=sshv1 172.16.0.0/24

$ sudo nmap -sT -p22 --script=sshv1 172.16.3.0/24 --open | grep -B4 sshv1

Interesting ports on 172.16.3.250:
PORT   STATE SERVICE
22/tcp open  ssh
|_ sshv1: Server supports SSHv1

Interesting ports on 172.16.3.251:
PORT   STATE SERVICE
22/tcp open  ssh
|_ sshv1: Server supports SSHv1
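Scanning a whole range for SSHv1 produces a long report; what the administrator needs from it is the list of hosts to fix. The following added example (not from the original book) extracts those hosts from a saved sshv1 report, handling both the "Interesting ports on" header of the older releases and the "Nmap scan report for" header of the newer ones seen in this chapter; the report is a constructed sample.

```shell
#!/bin/sh
# Added example (not the page's own code): list the hosts whose sshv1 script
# result reads "Server supports SSHv1" in a saved "nmap --script=sshv1" report.
# Constructed sample report mixing both header styles nmap has used:

SAMPLE_SSHV1_REPORT='Interesting ports on 172.16.3.250:
PORT   STATE SERVICE
22/tcp open  ssh
|_ sshv1: Server supports SSHv1

Nmap scan report for 172.16.3.251
PORT   STATE SERVICE
22/tcp open  ssh
|_ sshv1: Server supports SSHv1

Nmap scan report for 172.16.3.252
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)'

# sshv1_hosts: remember the host named in the most recent header line and
# print it when the sshv1 result for that host is positive. When nmap
# resolved a name, the "Nmap scan report for" line carries the name first
# and the address in parentheses; the name is what gets printed then.
sshv1_hosts() {
    printf '%s\n' "$1" | awk '
        /^Interesting ports on / { host = $4; sub(/:$/, "", host) }
        /^Nmap scan report for /  { host = $5 }
        /sshv1: Server supports SSHv1/ { print host }'
}

sshv1_hosts "$SAMPLE_SSHV1_REPORT"
```

Typical use is `sudo nmap -sT -p22 --script=sshv1 172.16.3.0/24 --open > sshv1.log` followed by `sshv1_hosts "$(cat sshv1.log)"`, which yields a ticket-ready list of hosts still offering protocol 1.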
			
$ nmap -sT -p22 172.16.0.0/24 --script=ssh-hostkey --script-args=ssh_hostkey=all > ssh.log

$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey=full

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:35 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: ssh-dss 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
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlgJcaT8/F0Ah+Jq9PifhQ3Bvfh4Nl5/WWiyoF0yIhhKlNnO04Vnbi8Qb39BDVRKaqIrfhgbG3vxfyF3TeSEOoAiXXyCns6Ivl7HUEHVsjHOVu7nwwMqo94CaM1+pUgJtXmbmTWyfWGCm8kGD2xNaxs10uxIcuukBN7jlN2TGyEmOD8QkA+1Dx7XGBjpMZT+DQwmEo72V2taAo3a0UOz9ivAakZ/kysP+PN+Kz106iT3BWMkvQScyt96HAwbq8Z0tO531mz90UGVBS1KqNMtNsLHsXYJnQ3obXUTwo8KvtEvJ1UHDs6QdEP55PiBTVvCS+CbEwZZ9O1yGNfznBWmp4Q==

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds


$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey=all

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:35 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0014s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 1024 26:89:a4:1d:f1:28:3c:36:88:ea:49:6d:1b:df:de:70 (DSA)
| 1024 xumep-dynut-poheh-cenys-dyfyz-tubap-lupoz-fofyd-figuf-timaz-byxox (DSA)
| +--[ DSA 1024]----+
| |    .            |
| |.o   +           |
| |o * + .          |
| |...B o .         |
| |...+o o S        |
| |o o + .o         |
| | o . . o E       |
| |      . +        |
| |       . .       |
| +-----------------+
| ssh-dss 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
| 2048 98:fb:db:e0:a3:99:18:04:cb:8c:42:25:f0:f5:b3:5a (RSA)
| 2048 xogok-vykec-zacyg-ruzup-baral-kotyv-latoz-hygyz-hysis-zadun-hyxix (RSA)
| +--[ RSA 2048]----+
| |o. ..            |
| | .o. .           |
| | .o   o          |
| |.+ o   =         |
| |o + . E S        |
| |.  . o .         |
| |    o . .        |
| |     o =.o       |
| |    . +.+o.      |
| +-----------------+
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlgJcaT8/F0Ah+Jq9PifhQ3Bvfh4Nl5/WWiyoF0yIhhKlNnO04Vnbi8Qb39BDVRKaqIrfhgbG3vxfyF3TeSEOoAiXXyCns6Ivl7HUEHVsjHOVu7nwwMqo94CaM1+pUgJtXmbmTWyfWGCm8kGD2xNaxs10uxIcuukBN7jlN2TGyEmOD8QkA+1Dx7XGBjpMZT+DQwmEo72V2taAo3a0UOz9ivAakZ/kysP+PN+Kz106iT3BWMkvQScyt96HAwbq8Z0tO531mz90UGVBS1KqNMtNsLHsXYJnQ3obXUTwo8KvtEvJ1UHDs6QdEP55PiBTVvCS+CbEwZZ9O1yGNfznBWmp4Q==

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds


$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey='visual bubble'

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:36 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey: 1024 xumep-dynut-poheh-cenys-dyfyz-tubap-lupoz-fofyd-figuf-timaz-byxox (DSA)
| +--[ DSA 1024]----+
| |    .            |
| |.o   +           |
| |o * + .          |
| |...B o .         |
| |...+o o S        |
| |o o + .o         |
| | o . . o E       |
| |      . +        |
| |       . .       |
| +-----------------+
| 2048 xogok-vykec-zacyg-ruzup-baral-kotyv-latoz-hygyz-hysis-zadun-hyxix (RSA)
| +--[ RSA 2048]----+
| |o. ..            |
| | .o. .           |
| | .o   o          |
| |.+ o   =         |
| |o + . E S        |
| |.  . o .         |
| |    o . .        |
| |     o =.o       |
| |    . +.+o.      |
|_+-----------------+

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

			

142.1.5.6. --script-updatedb: update the script database

$ sudo nmap --script-updatedb

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 16:34 CST
NSE: Updating rule database.
NSE script database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.12 seconds

			

142.1.6. OS DETECTION

142.1.6.1. -O: Enable OS detection

nmap -O -v scanme.nmap.org
			

Detect the target host's operating system and its TCP ports

			
[root@cacti ~]# nmap -O 192.168.2.40

Starting Nmap 5.51 ( http://nmap.org ) at 2014-02-11 16:22 HKT
Nmap scan report for 192.168.2.40
Host is up (0.00039s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
MAC Address: 78:E3:B5:90:D0:A8 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (97%), FreeBSD 6.X (88%)
Aggressive OS guesses: Microsoft Windows Server 2008 (97%), Microsoft Windows Server 2008 Beta 3 (97%), Microsoft Windows 7 Professional (97%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (97%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1, Windows 7, or Server 2008 (90%), FreeBSD 6.2-RELEASE (88%), FreeBSD 6.3-RELEASE (88%), Microsoft Windows Server 2008 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.00 seconds			
			
			

142.1.7. OUTPUT

142.1.7.1. --open: Only show open (or possibly open) ports

nmap -O -v --open scanme.nmap.org
			

142.1.8. Excluding specified hosts

1) nmap 192.168.0.* --exclude 192.168.0.100

2) --excludefile can also be used to supply a file listing the hosts to exclude

nmap -iL hostlist.txt --excludefile excludelist.txt		
		

142.1.9. Viewing local routes and interfaces

		
Nmap provides the --iflist option to show the local host's interface and routing information.

[root@test23 ~]# nmap --iflist

Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-30 14:23 CST
************************INTERFACES************************
DEV     (SHORT)   IP/MASK        TYPE     UP MTU   MAC
lo      (lo)      127.0.0.1/8    loopback up 65536
eth0    (eth0)    10.1.2.23/24   ethernet up 1500  00:50:56:80:04:FA
docker0 (docker0) 172.17.42.1/16 ethernet up 1500  56:84:7A:FE:97:99

**************************ROUTES**************************
DST/MASK       DEV     GATEWAY
10.1.2.0/24    eth0
169.254.0.0/16 eth0
172.17.0.0/16  docker0
0.0.0.0/0      eth0    10.1.2.1

> Specifying the interface and source IP address


1) Nmap can be told which interface to send from with the -e <interface> option.

2) Nmap can also set the source IP address explicitly with the -S <spoofip> option; nmap then sends its probes with the given spoofip as the source address.

3) Nmap can use decoys to disguise the real scanning address, for example -D ip1,ip2,ip3,ip4,ME. Several fake IPs then appear to probe the target at the same time, with ME standing for the real local address, so the other side's firewall cannot easily tell which one is the scanner.

nmap -F -n -Pn -D192.168.1.100,192.168.1.101,192.168.1.102,ME 192.168.1.1

> Customizing probe packets


Nmap provides the --scanflags option, which gives the user complete control over the flag bits of the TCP probe packets it sends. The TCP flags can be given numerically or by symbol: URG ACK PSH RST SYN FIN.
For example, --scanflags URGACKPSHRSTSYNFIN sets every flag, which is not very useful for scanning. The order of the flags does not matter.

-sN; -sF; -sX (TCP Null, FIN and Xmas scans)

Null scan (-sN)
    Sets no flag bits at all (the TCP flags field is 0)

FIN scan (-sF)
    Sets only the TCP FIN bit
Xmas scan (-sX)
    Sets the FIN, PSH and URG bits
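--scanflags accepts either a number or the concatenated flag names, and the three scans just listed are simply particular flag sets. The added example below (not code from the book or from nmap itself) computes the numeric value of a symbol string using the standard TCP flag bits (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32) and names the scan type a given flag set corresponds to; the same classifier is handy on the receiving end when a firewall log records only the raw flags value of a probe.

```shell
#!/bin/sh
# Added example (not the page's own code): translate a --scanflags symbol
# string into the numeric TCP flags value nmap would equally accept, and
# name the scan type (Null / FIN / Xmas) that a flag set corresponds to.
# Bit values follow the TCP header: FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.

# scanflags_value: add up the bit of every flag name present in the argument.
# The names may appear in any order and any case, mirroring nmap's parsing.
scanflags_value() {
    spec=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    total=0
    for pair in FIN:1 SYN:2 RST:4 PSH:8 ACK:16 URG:32; do
        name=${pair%:*}; bit=${pair#*:}
        case "$spec" in
            *"$name"*) total=$((total + bit)) ;;
        esac
    done
    echo "$total"
}

# scan_type_for_flags: classify a numeric flags value the way the three
# scans in the text are defined; anything else is a custom flag set.
scan_type_for_flags() {
    case "$1" in
        0)  echo "Null scan (-sN): no flags set" ;;
        1)  echo "FIN scan (-sF): FIN only" ;;
        41) echo "Xmas scan (-sX): FIN+PSH+URG" ;;
        *)  echo "custom flag set: $1" ;;
    esac
}

for spec in "" FIN FINPSHURG URGPSHFIN URGACKPSHRSTSYNFIN; do
    v=$(scanflags_value "$spec")
    printf '%-22s -> %2d  %s\n' "'$spec'" "$v" "$(scan_type_for_flags "$v")"
done
```

Note that FINPSHURG and URGPSHFIN produce the same value, 41, which is the point the text makes about flag order; a flags value of 41 or 0 arriving at a host that normally only sees SYN and ACK traffic is the signature a log reviewer would look for.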


#### nmap port-scan shell script

#!/bin/bash
# author junun
# This script scans the ports of the servers you commit to and reports a port
# that stays closed across several retries. server_list and port_list are
# paired by index: server i is checked on port i.
server_list=(x.x.x.x x1.x1.x1.x1)
port_list=(5307 5308)

# port_open: true when nmap reports the given port on the given host as open
port_open() {
    nmap -p "$2" "$1" | grep -q open
}

while true; do
    for i in $(seq 0 $((${#server_list[*]} - 1))); do
        if ! port_open "${server_list[$i]}" "${port_list[$i]}"; then
            failures=0
            # retry up to three times, one second apart, before raising an alarm
            for m in {1..3}; do
                if port_open "${server_list[$i]}" "${port_list[$i]}"; then
                    break
                fi
                failures=$((failures + 1))
                sleep 1
            done
            if [ "$failures" -eq 3 ]; then
                echo "error port ${server_list[$i]}:${port_list[$i]}"
            fi
        fi
    done
    sleep 30
done
		
		

142.1.10. MISC

142.1.10.1. -6: Enable IPv6 scanning

142.1.10.2. -A: Enables OS detection and Version detection, Script scanning and Traceroute

			
  $ nmap -A -T4 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 14:54 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 a6:ab:76:a5:fb:80:4e:2c:bc:06:d4:85:ff:22:18:1a (DSA)
|_2048 c7:da:16:7a:e7:01:cc:f0:d2:02:b4:17:52:c9:c2:50 (RSA)
80/tcp   open  http        nginx 1.0.5
|_html-title: 500 Internal Server Error
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 1.4
3000/tcp open  ntop-http   Ntop web interface 4.0.3
9000/tcp open  tcpwrapped
Service Info: OS: Linux

Host script results:
|_nbstat: NetBIOS name: NEO-OPTIPLEX-38, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Unix (Samba 3.5.11)
|   Name: WORKGROUP\Unknown
|_  System time: 2012-02-02 14:54:19 UTC+8

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
			
			

142.1.11. Nmap Scripting Engine (NSE)

http://nmap.org/nsedoc/

Bundled scripts

$ ls /usr/share/nmap/scripts
asn-query.nse                http-malware-host.nse    smb-enum-groups.nse
auth-owners.nse              http-open-proxy.nse      smb-enum-processes.nse
auth-spoof.nse               http-passwd.nse          smb-enum-sessions.nse
banner.nse                   http-trace.nse           smb-enum-shares.nse
citrix-brute-xml.nse         http-userdir-enum.nse    smb-enum-users.nse
citrix-enum-apps.nse         iax2-version.nse         smb-os-discovery.nse
citrix-enum-apps-xml.nse     imap-capabilities.nse    smb-psexec.nse
citrix-enum-servers.nse      irc-info.nse             smb-security-mode.nse
citrix-enum-servers-xml.nse  ms-sql-info.nse          smb-server-stats.nse
daytime.nse                  mysql-info.nse           smb-system-info.nse
db2-info.nse                 nbstat.nse               smbv2-enabled.nse
dhcp-discover.nse            nfs-showmount.nse        smtp-commands.nse
dns-random-srcport.nse       ntp-info.nse             smtp-open-relay.nse
dns-random-txid.nse          oracle-sid-brute.nse     smtp-strangeport.nse
dns-recursion.nse            p2p-conficker.nse        sniffer-detect.nse
dns-zone-transfer.nse        pjl-ready-message.nse    snmp-brute.nse
finger.nse                   pop3-brute.nse           snmp-sysdescr.nse
ftp-anon.nse                 pop3-capabilities.nse    socks-open-proxy.nse
ftp-bounce.nse               pptp-version.nse         sql-injection.nse
ftp-brute.nse                realvnc-auth-bypass.nse  ssh-hostkey.nse
html-title.nse               robots.txt.nse           sshv1.nse
http-auth.nse                rpcinfo.nse              ssl-cert.nse
http-date.nse                script.db                sslv2.nse
http-enum.nse                skypev2-version.nse      telnet-brute.nse
http-favicon.nse             smb-brute.nse            upnp-info.nse
http-headers.nse             smb-check-vulns.nse      whois.nse
http-iis-webdav-vuln.nse     smb-enum-domains.nse     x11-access.nse
		

Scan using all scripts

nmap --script all localhost