龙空技术网

Cybersecurity Study Notes 01: Nmap from Beginner to Expert

Mongolia赵Sir


1. Introduction to Nmap

Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. Nmap uses raw IP packets to determine which hosts are on a network, which services (application name and version) those hosts offer, which operating systems (and OS versions) they run, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Besides the classic command-line Nmap executable, the Nmap suite also includes:

- A graphical user interface and results viewer (Zenmap)
- A data transfer, redirection and debugging tool (Ncat)
- A scan result comparison tool (Ndiff)
- A packet generation and response analysis tool (Nping)

2. Features of Nmap

- Host discovery: find the hosts on a network, for example by listing the hosts that answer TCP or ICMP requests, or that have particular ports open.
- Port scanning: find the ports a target host has open.
- Version detection: probe the target host's network services and determine each service's name and version.
- OS detection: determine the target host's operating system and the hardware characteristics of its network devices.
- Scriptable probing: write custom probes with the Nmap Scripting Engine (NSE) and the Lua programming language.

Nmap runs on most operating systems in use today, such as Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD and SunOS.

Nmap can also report detailed target information such as reverse DNS names, device type and MAC address.

3. Uses of Nmap

4. Downloading Nmap

Download the Free Nmap Security Scanner for Linux/Mac/Windows

Taking Linux as the example: type nmap in a terminal window. If Nmap's help text appears, the installation succeeded.

$ nmap
Nmap 7.94 (  )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports sequentially - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --noninteractive: Disable runtime interactions via keyboard
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE () FOR MORE OPTIONS AND EXAMPLES
5. Mind map of Nmap parameters

6. Common Nmap parameters

A simple scan with no parameters, using the target machine 192.168.95.130 as the example:

nmap 192.168.95.130

$ nmap 192.168.95.130
Starting Nmap 7.94 (  ) at 2023-08-31 04:57 EDT
Nmap scan report for 192.168.95.130
Host is up (0.0012s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
The -A option: OS detection, version detection, script scanning and traceroute

nmap -A 192.168.95.130

$ nmap -A 192.168.95.130
Starting Nmap 7.94 (  ) at 2023-08-31 04:43 EDT
Nmap scan report for 192.168.95.130
Host is up (0.0012s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.95.129
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2023-08-31T08:44:01+00:00; +2s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-title: Metasploitable2 - Linux
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      42206/udp   mountd
|   100005  1,2,3      55478/tcp   mountd
|   100021  1,3,4      41882/tcp   nlockmgr
|   100021  1,3,4      42697/udp   nlockmgr
|   100024  1          47382/tcp   status
|_  100024  1          59790/udp   status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  shell       Netkit rshd
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, ConnectWithDatabase, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, SupportsTransactions, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: \?cXpI]vY:Tz,e<<Uy!5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2023-08-31T08:44:01+00:00; +2s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:01:58
|   source ident: nmap
|   source host: 6CE67320.3D69DBFD.FFFA6D49.IP
|_  error: Closing Link: xzaaxaqfb[192.168.95.129] (Quit: xzaaxaqfb)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
|_http-server-header: Apache-Coyote/1.1
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h00m01s, deviation: 2h00m00s, median: 1s
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2023-08-31T04:43:52-04:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at  .
Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds
The -T option

The -T option takes a number from 0 to 5 or a template name. The names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4) and insane (5).

paranoid and sneaky are meant for IDS evasion. polite slows the scan down so that it uses less bandwidth and fewer resources on the target host. normal is the default, so -T3 changes nothing. aggressive assumes the user has a suitably fast and reliable network and speeds the scan up. insane assumes an exceptionally fast network, or a user willing to trade accuracy for speed.

The -vv option: increase verbosity level

nmap -vv 192.168.95.130

$ nmap -vv 192.168.95.130
Starting Nmap 7.94 (  ) at 2023-08-31 05:07 EDT
Initiating Ping Scan at 05:07
Scanning 192.168.95.130 [2 ports]
Completed Ping Scan at 05:07, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:07
Completed Parallel DNS resolution of 1 host. at 05:07, 0.01s elapsed
Initiating Connect Scan at 05:07
Scanning 192.168.95.130 [1000 ports]
Discovered open port 5900/tcp on 192.168.95.130
Discovered open port 22/tcp on 192.168.95.130
Discovered open port 111/tcp on 192.168.95.130
Discovered open port 25/tcp on 192.168.95.130
Discovered open port 445/tcp on 192.168.95.130
Discovered open port 3306/tcp on 192.168.95.130
Discovered open port 23/tcp on 192.168.95.130
Discovered open port 139/tcp on 192.168.95.130
Discovered open port 53/tcp on 192.168.95.130
Discovered open port 80/tcp on 192.168.95.130
Discovered open port 21/tcp on 192.168.95.130
Discovered open port 5432/tcp on 192.168.95.130
Discovered open port 6000/tcp on 192.168.95.130
Discovered open port 514/tcp on 192.168.95.130
Discovered open port 512/tcp on 192.168.95.130
Discovered open port 2049/tcp on 192.168.95.130
Discovered open port 6667/tcp on 192.168.95.130
Discovered open port 1099/tcp on 192.168.95.130
Discovered open port 1524/tcp on 192.168.95.130
Discovered open port 2121/tcp on 192.168.95.130
Discovered open port 513/tcp on 192.168.95.130
Discovered open port 8180/tcp on 192.168.95.130
Discovered open port 8009/tcp on 192.168.95.130
Completed Connect Scan at 05:07, 0.31s elapsed (1000 total ports)
Nmap scan report for 192.168.95.130
Host is up, received syn-ack (0.013s latency).
Scanned at 2023-08-31 05:07:45 EDT for 1s
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE      REASON
21/tcp   open  ftp          syn-ack
22/tcp   open  ssh          syn-ack
23/tcp   open  telnet       syn-ack
25/tcp   open  smtp         syn-ack
53/tcp   open  domain       syn-ack
80/tcp   open  http         syn-ack
111/tcp  open  rpcbind      syn-ack
139/tcp  open  netbios-ssn  syn-ack
445/tcp  open  microsoft-ds syn-ack
512/tcp  open  exec         syn-ack
513/tcp  open  login        syn-ack
514/tcp  open  shell        syn-ack
1099/tcp open  rmiregistry  syn-ack
1524/tcp open  ingreslock   syn-ack
2049/tcp open  nfs          syn-ack
2121/tcp open  ccproxy-ftp  syn-ack
3306/tcp open  mysql        syn-ack
5432/tcp open  postgresql   syn-ack
5900/tcp open  vnc          syn-ack
6000/tcp open  X11          syn-ack
6667/tcp open  irc          syn-ack
8009/tcp open  ajp13        syn-ack
8180/tcp open  unknown      syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
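As an added example (not part of the original post), a small Python parser for the port table in Nmap's normal-format output as shown above; it reads the PORT/STATE/SERVICE columns plus whatever the last column holds (VERSION under -A, REASON under -vv) and lists the open services that, like the ftp, telnet and rsh-family ports in this scan, carry credentials in the clear. The sample text is constructed from lines of the scan output above, and CLEARTEXT is an assumed triage list.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the -A scan output shown above.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.95.130
Host is up (0.0012s latency).
Not shown: 977 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
512/tcp  open  exec        netkit-rsh rexecd
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
6000/tcp open  X11         (access denied)
Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds
"""

# PORT/PROTO, STATE, SERVICE, then the optional last column (VERSION or REASON).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed triage list: services that send credentials or sessions unencrypted.
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell", "rsh", "rlogin"}

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    extra: str  # VERSION, REASON or ""

def parse_ports(text: str) -> list[PortEntry]:
    """Parse the port table; header, script (| / |_) and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, extra = m.groups()
            entries.append(PortEntry(int(port), proto, state, service,
                                     (extra or "").strip()))
    return entries

def cleartext_services(text: str) -> list[str]:
    """Open ports whose service name is a known cleartext protocol."""
    return [f"{e.port}/{e.proto} {e.service}" for e in parse_ports(text)
            if e.state == "open" and e.service in CLEARTEXT]
```

Feeding it a file written with -oN gives the same result as pasting terminal output, since the two formats share the port table layout.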
