米斯特白帽培训讲义 工具篇 Nmap

讲师:gh0stkey

整理:飞龙

协议:CC BY-NC-SA 4.0

介绍

Nmap(网络映射器)是由 Gordon Lyon 涉及,用来探测计算机网络上的主机和服务的一种安全扫描器。为了绘制网络拓补图,Nmap 发送特制的数据包到目标主机,然后对返回数据包进行分析。Nmap 是一款枚举和测试网络的强大工具。

Nmap 有两种界面:可视化界面和命令行界面。

下载

https://nmap.org/download.html

使用

典型用途:

  • 通过对设备或者防火墙的探测来审计其安全性。
  • 探测目标主机的开放端口。
  • 网络存储、网络映射、维护和资产管理。(这个有待深入)
  • 通过识别新的服务器审计网络的安全性。
  • 探测网络上的主机。

简单扫描

Nmap 默认使用 ICMP ping 和 TCP 全连接(-PB)进行主机发现,以及使用 TCP 全连接(-sT) 执行主机扫描。默认扫描端口是 1 ~ 1024,以及其列表中的常用端口。

语法:

  1. nmap <目标 IP>

例子:

  1. C:\Users\asus> nmap 192.168.1.1
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:37 ?D1ú±ê×?ê±??
  3. Nmap scan report for localhost (192.168.1.1)
  4. Host is up (0.0062s latency).
  5. Not shown: 993 closed ports
  6. PORT STATE SERVICE
  7. 21/tcp filtered ftp
  8. 22/tcp filtered ssh
  9. 23/tcp filtered telnet
  10. 53/tcp open domain
  11. 80/tcp open http
  12. 49152/tcp open unknown
  13. 49153/tcp open unknown
  14. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  15. Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds

多个 IP 可以以逗号分隔:192.168.1.1,2,3,4,5,也可以使用短横线来表示范围:192.168.1.1-255,也可以使用 CIDR 记法:192.168.1.0/24

显示详细结果

  1. nmap -vv <目标 IP>
  1. C:\Users\asus> nmap -vv 192.168.1.1
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:47 ?D1ú±ê×?ê±??
  3. Initiating ARP Ping Scan at 10:47
  4. Scanning 192.168.1.1 [1 port]
  5. Completed ARP Ping Scan at 10:47, 0.15s elapsed (1 total hosts)
  6. Initiating Parallel DNS resolution of 1 host. at 10:47
  7. Completed Parallel DNS resolution of 1 host. at 10:47, 0.01s elapsed
  8. Initiating SYN Stealth Scan at 10:47
  9. Scanning localhost (192.168.1.1) [1000 ports]
  10. Discovered open port 80/tcp on 192.168.1.1
  11. Discovered open port 53/tcp on 192.168.1.1
  12. Discovered open port 49153/tcp on 192.168.1.1
  13. Discovered open port 49152/tcp on 192.168.1.1
  14. Completed SYN Stealth Scan at 10:47, 2.27s elapsed (1000 total ports)
  15. Nmap scan report for localhost (192.168.1.1)
  16. Host is up, received arp-response (0.0052s latency).
  17. Scanned at 2016-12-22 10:47:09 ?D1ú±ê×?ê±?? for 3s
  18. Not shown: 993 closed ports
  19. Reason: 993 resets
  20. PORT STATE SERVICE REASON
  21. 21/tcp filtered ftp no-response
  22. 22/tcp filtered ssh no-response
  23. 23/tcp filtered telnet no-response
  24. 53/tcp open domain syn-ack ttl 64
  25. 80/tcp open http syn-ack ttl 64
  26. 49152/tcp open unknown syn-ack ttl 64
  27. 49153/tcp open unknown syn-ack ttl 64
  28. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  29. Read data files from: C:\Program Files (x86)\Nmap
  30. Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
  31. Raw packets sent: 1004 (44.160KB) | Rcvd: 998 (39.924KB)

自定义端口

  1. nmap <目标 IP> -p <端口>
  1. C:\Users\asus> nmap 192.168.1.1 -p 1-500
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:59 ?D1ú±ê×?ê±??
  3. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.0061s latency).
  6. Not shown: 495 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp filtered ftp
  9. 22/tcp filtered ssh
  10. 23/tcp filtered telnet
  11. 53/tcp open domain
  12. 80/tcp open http
  13. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  14. Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds

端口可以是单个,也可以是多个,多个端口可以以逗号分隔,比如21,22,23,53,80,也可以使用短横线指定范围,比如1-1024

Ping 扫描

  1. nmap -sP <目标 IP>

Ping 扫描其实就是只执行主机发现,不扫描具体端口。大家可以看到结果中没有端口的信息,只告诉你主机通不通,所以也很快。

  1. C:\Users\asus> nmap 192.168.1.1 -sP
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:52 ?D1ú±ê×?ê±??
  3. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.0030s latency).
  6. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  7. Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds

与之相反,有一个选项是只执行端口扫描,不执行主机发现的,是-PN(或-P0)。

  1. C:\Users\asus> nmap 192.168.1.1 -PN
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:54 ?D1ú±ê×?ê±??
  3. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.0062s latency).
  6. Not shown: 993 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp filtered ftp
  9. 22/tcp filtered ssh
  10. 23/tcp filtered telnet
  11. 53/tcp open domain
  12. 80/tcp open http
  13. 49152/tcp open unknown
  14. 49153/tcp open unknown
  15. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  16. Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds

操作系统类型检测

  1. nmap -O <目标 IP>
  1. C:\Users\asus> nmap www.baidu.com -O
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:03 ?D1ú±ê×?ê±??
  3. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  4. Nmap scan report for www.baidu.com (61.135.169.125)
  5. Host is up (0.0038s latency).
  6. Other addresses for www.baidu.com (not scanned): 61.135.169.121
  7. Not shown: 998 filtered ports
  8. PORT STATE SERVICE
  9. 80/tcp open http
  10. 443/tcp open https
  11. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  12. Device type: switch
  13. Running (JUST GUESSING): HP embedded (86%)
  14. OS CPE: cpe:/h:hp:procurve_switch_4000m
  15. Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
  16. No exact OS matches for host (test conditions non-ideal).
  17. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  18. Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds

组合扫描

比如我们要扫描1 ~ 1024 端口,详细输出,并且探测操作系统。

  1. C:\Users\asus> nmap 192.168.1.1 -p 1-1024 -vv -O
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:06 ?D1ú±ê×?ê±??
  3. Initiating ARP Ping Scan at 11:06
  4. Scanning 192.168.1.1 [1 port]
  5. Completed ARP Ping Scan at 11:06, 0.14s elapsed (1 total hosts)
  6. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  7. Initiating SYN Stealth Scan at 11:06
  8. Scanning 192.168.1.1 [1024 ports]
  9. Discovered open port 53/tcp on 192.168.1.1
  10. Discovered open port 80/tcp on 192.168.1.1
  11. Completed SYN Stealth Scan at 11:06, 2.03s elapsed (1024 total ports)
  12. Initiating OS detection (try #1) against 192.168.1.1
  13. Retrying OS detection (try #2) against 192.168.1.1
  14. Retrying OS detection (try #3) against 192.168.1.1
  15. Retrying OS detection (try #4) against 192.168.1.1
  16. Retrying OS detection (try #5) against 192.168.1.1
  17. Nmap scan report for 192.168.1.1
  18. Host is up, received arp-response (0.0014s latency).
  19. Scanned at 2016-12-22 11:06:44 ?D1ú±ê×?ê±?? for 15s
  20. Not shown: 1019 closed ports
  21. Reason: 1019 resets
  22. PORT STATE SERVICE REASON
  23. 21/tcp filtered ftp no-response
  24. 22/tcp filtered ssh no-response
  25. 23/tcp filtered telnet no-response
  26. 53/tcp open domain syn-ack ttl 64
  27. 80/tcp open http syn-ack ttl 64
  28. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  29. No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
  30. TCP/IP fingerprint:
  31. OS:SCAN(V=7.01%E=4%D=12/22%OT=53%CT=1%CU=37502%PV=Y%DS=1%DC=D%G=Y%M=6889C1%
  32. OS:TM=585B4353%P=i686-pc-windows-windows)SEQ(SP=106%GCD=1%ISR=104%TI=Z%CI=Z
  33. OS:%II=I%TS=U)SEQ(CI=Z%II=I%TS=U)SEQ(CI=Z%II=I)OPS(O1=M5B4NNSNW2%O2=M5B4NNS
  34. OS:NW2%O3=M5B4NW2%O4=M5B4NNSNW2%O5=M5B4NNSNW2%O6=M5B4NNS)WIN(W1=16D0%W2=16D
  35. OS:0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW2%
  36. OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y
  37. OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
  38. OS:D=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=
  39. OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
  40. OS:)
  41. Network Distance: 1 hop
  42. TCP Sequence Prediction: Difficulty=262 (Good luck!)
  43. IP ID Sequence Generation: All zeros
  44. Read data files from: C:\Program Files (x86)\Nmap
  45. OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  46. Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
  47. Raw packets sent: 1152 (54.954KB) | Rcvd: 1110 (48.462KB)

可以看出来没探测到什么东西,因为是路由器,大家这种情况认为是 Linux 就好了。

脚本(补充)

Nmap 有个叫做 NSE 的脚本引擎,也自带了一些脚本,更多脚本可以去官网下载。

脚本的类型有:

  1. auth: 负责处理鉴权证书(绕开鉴权)的脚本
  2. broadcast: 在局域网内探查更多服务开启状况,如dhcp/dns/sqlserver等服务
  3. brute: 提供暴力破解方式,针对常见的应用如http/snmp
  4. default: 使用-sC或-A选项扫描时候默认的脚本,提供基本脚本扫描能力
  5. discovery: 对网络进行更多的信息,如SMB枚举、SNMP查询等
  6. dos: 用于进行拒绝服务攻击
  7. exploit: 利用已知的漏洞入侵系统
  8. external: 利用第三方的数据库或资源,例如进行whois解析
  9. fuzzer: 模糊测试的脚本,发送异常的包到目标机,探测出潜在漏洞 intrusive: 入侵性的脚本,此类脚本可能引发对方的IDS/IPS的记录或屏蔽
  10. malware: 探测目标机是否感染了病毒、开启了后门等信息
  11. safe: 此类与intrusive相反,属于安全性脚本
  12. version: 负责增强服务与版本扫描(Version Detection)功能的脚本
  13. vuln: 负责检查目标机是否有常见的漏洞(Vulnerability),如是否有MS08_067

向命令行添加--script=<类型>来使用脚本。

下面演示了使用default脚本来探测主机上的服务。

  1. C:\Users\asus> nmap --script=default 192.168.1.1
  2. Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:10 ?D1ú±ê×?ê±??
  3. mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
  4. Nmap scan report for 192.168.1.1
  5. Host is up (0.0051s latency).
  6. Not shown: 993 closed ports
  7. PORT STATE SERVICE
  8. 21/tcp filtered ftp
  9. 22/tcp filtered ssh
  10. 23/tcp filtered telnet
  11. 53/tcp open domain
  12. | dns-nsid:
  13. |_ bind.version: dnsmasq-2.49
  14. 80/tcp open http
  15. |_http-title: Site doesn't have a title (text/html).
  16. 49152/tcp open unknown
  17. 49153/tcp open unknown
  18. MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
  19. Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

参考