Linux system scanning with nmap and packet capture with tcpdump


Author: Bigyong | Source: published 2020-10-19 23:29, read 0 times

    nmap scanning
    A powerful network probing tool
    Supports several probing techniques:

    -- ping scans
    -- multi-port scans
    -- TCP/IP fingerprinting

    Why scan?
    To obtain public or non-public information, in order to:
    -- detect potential risks
    -- find targets that could be attacked
    -- collect information about devices, hosts, systems and software
    -- discover exploitable security vulnerabilities

    Basic usage
    nmap [scan type] [options] <targets...>

    Common scan types and options
    -sS TCP SYN scan (half-open). Sends a SYN to the target port; a SYN/ACK reply means the port is open, an RST means it is closed. Put simply, only half of the three-way handshake is completed, which is enough to tell whether the port is open and makes the scan faster.
    -sT TCP connect scan (full open)
    -sU UDP scan
    -sP ping scan (ICMP)
    -sV probe open ports for service version information
    -A full analysis of the target system (can be slow)
    -p scan the specified ports

    1) Check whether the target host responds to ping

    [root@case100 ~]# yum -y install nmap  //install nmap
    [root@case100 ~]# nmap -sP 192.168.4.0/24    //find all live hosts in the 192.168.4.0/24 network
    [root@case100 ~]# nmap -sP 192.168.4.140-160   //find all live hosts in the range 192.168.4.140-160
    [root@case100 ~]# nmap  -sP 192.168.4.100,140,141   //check whether hosts .100, .140 and .141 are up
    [root@case100 ~]# nmap -n -sP 192.168.4.140  //-n: skip DNS resolution
    

    2) Check which TCP services the target host has open

    [root@case100 ~]# nmap -sT 192.168.4.100
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:46 CST
    Nmap scan report for 192.168.4.100
    Host is up (0.00026s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    3306/tcp open  mysql
    Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
    
    [root@case100 ~]# nmap  192.168.4.100  //with no options the default is a TCP scan, same result as -sT
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:46 CST
    Nmap scan report for 192.168.4.100
    Host is up (0.0000030s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    3306/tcp open  mysql
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
    [root@case100 ~]# nmap -sT www.baidu.com   //the target can of course also be a domain name
    

    3) Check which hosts in the 192.168.4.0/24 network have FTP or SSH services open

    [root@case100 ~]# nmap -p 21-22 192.168.4.0/24
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:53 CST
    Nmap scan report for 192.168.4.140
    Host is up (0.00036s latency).
    PORT   STATE  SERVICE
    21/tcp closed ftp
    22/tcp open   ssh
    MAC Address: 52:54:00:B4:8C:9E (QEMU Virtual NIC)
    
    Nmap scan report for 192.168.4.141
    Host is up (0.00052s latency).
    PORT   STATE  SERVICE
    21/tcp closed ftp
    22/tcp open   ssh
    MAC Address: 52:54:00:24:A1:77 (QEMU Virtual NIC)
    
    Nmap scan report for 192.168.4.142
    Host is up (0.00051s latency).
    PORT   STATE  SERVICE
    21/tcp closed ftp
    22/tcp open   ssh
    MAC Address: 52:54:00:16:E6:DE (QEMU Virtual NIC)
    ......
    

    4) Check which UDP services the target host has open

    [root@case100 ~]# nmap -sU 192.168.4.100
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:54 CST
    Nmap scan report for 192.168.4.100
    Host is up (0.0000040s latency).
    Not shown: 998 closed ports
    PORT    STATE         SERVICE
    68/udp  open|filtered dhcpc
    111/udp open          rpcbind
    
    Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
    

    5) Probe the open ports for service version information

    [root@case100 ~]# nmap  -sV 192.168.4.100,140,141    //scan the three hosts .100, .140 and .141
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-19 15:50 CST
    Nmap scan report for 192.168.4.100
    Host is up (0.0000030s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
    111/tcp  open  rpcbind 2-4 (RPC #100000)
    3306/tcp open  mysql   MySQL 5.7.17
    
    Nmap scan report for 192.168.4.140
    Host is up (0.00016s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
    MAC Address: 52:54:00:B4:8C:9E (QEMU Virtual NIC)
    
    Nmap scan report for 192.168.4.141
    Host is up (0.00019s latency).
    Not shown: 999 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
    MAC Address: 52:54:00:24:A1:77 (QEMU Virtual NIC)
    
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 3 IP addresses (3 hosts up) scanned in 6.38 seconds
    

    6) Full analysis of the operating system of target host 192.168.4.100

    [root@case100 ~]# nmap -A 192.168.4.100
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:58 CST
    Nmap scan report for 192.168.4.100
    Host is up (0.000035s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey: 2048 bb:57:60:4b:40:e1:ed:41:45:7b:eb:cf:23:86:04:13 (RSA)
    |_256 1e:76:cc:e8:d9:55:86:df:dc:a1:ea:7a:6c:67:c6:00 (ECDSA)
    111/tcp  open  rpcbind 2-4 (RPC #100000)
    | rpcinfo: 
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp  rpcbind
    |_  100000  2,3,4        111/udp  rpcbind
    3306/tcp open  mysql   MySQL 5.7.17
    | mysql-info: Protocol: 10
    | Version: 5.7.17
    | Thread ID: 13
    | Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, SSL, Transactions, Secure Connection
    | Status: Autocommit
    \x08lt: Q\x1FX01}
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=6.40%E=4%D=10/16%OT=22%CT=1%CU=43703%PV=Y%DS=0%D
    Network Distance: 0 hops
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 18.05 seconds
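The scans in steps 2 to 6 are read by eye. The following shell function is an added example (not from the original post) that reduces nmap's normal output, in the format shown above, to one line per open port and compares the result with an allow-list of services that are supposed to be exposed. The sample output is constructed from the page's format, and the allow-list, function names and the idea of a baseline are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: reduce nmap's normal output
# (the format shown in the steps above) to "host port/proto service" lines and
# flag any open port that is not on an allow-list. The sample output below is
# constructed in the page's format; the allow-list is this example's assumption.

SAMPLE_NMAP_OUTPUT='Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:46 CST
Nmap scan report for 192.168.4.100
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3306/tcp open  mysql

Nmap scan report for 192.168.4.140
Host is up (0.00036s latency).
PORT   STATE  SERVICE
21/tcp closed ftp
22/tcp open   ssh
MAC Address: 52:54:00:B4:8C:9E (QEMU Virtual NIC)

Nmap scan report for 192.168.4.141
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
111/udp open          rpcbind

Nmap done: 3 IP addresses (3 hosts up) scanned in 1.40 seconds'

# open_ports: read nmap normal output on stdin and print one line per port
# whose STATE column is exactly "open". "open|filtered" is deliberately
# skipped: for UDP it only means nmap got no answer, not that a service is there.
open_ports() {
    awk '
        /^Nmap scan report for / { host = $5 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host, $1, $3 }
    '
}

# unexpected_ports ALLOWLIST: run open_ports and keep only the entries whose
# port/proto is absent from the space-separated allow-list, i.e. services
# that are reachable but were not expected to be.
unexpected_ports() {
    open_ports | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }
    '
}

# Usage: only SSH is supposed to be reachable here, so rpcbind and MySQL on
# 192.168.4.100 and rpcbind/udp on 192.168.4.141 are reported.
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | unexpected_ports "22/tcp"
```

In practice you would pipe a real scan into it (`nmap -p- 192.168.4.0/24 | unexpected_ports "22/tcp"`), or use nmap's own machine-readable output (`-oG` or `-oX`) instead of parsing the normal format. One caveat on step 2: when nmap runs as root, as in these examples, the default scan type is actually the SYN scan (-sS); nmap only falls back to the connect scan (-sT) for unprivileged users, so the identical results above come from two different scan types.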
    

    tcpdump
    Command-line packet capture tool
    Basic usage
    tcpdump [options] [filter expression]

    Common capture options
    -i, specify the network interface to monitor (defaults to the first interface)
    -A, print packet contents as ASCII for easier reading
    -w, save captured packets to the specified file
    -r, read packets from the specified file

    Common filter expressions:
    Type: host, net, port, portrange
    Direction: src, dst
    Protocol: tcp, udp, ip, wlan, arp, ...
    Combining conditions: and, or, not

    Example 1

    [root@case100 ~]# tcpdump   //capture all packets
    
    If you get the error
    tcpdump: packet printing is not supported for link type NFLOG: use -w
    you need to specify an interface; use ifconfig to see which interface to capture on.
    
    [root@case100 ~]# tcpdump -i ens5 host 192.168.44.100  //capture packets on interface ens5 to or from host 192.168.44.100
    
    [root@case100 ~]# tcpdump -i ens5 tcp port 22004  //capture TCP port 22004
    
    Combine more conditions with and
    [root@case100 ~]# tcpdump -i ens5 tcp port 22004 and host 192.168.4.140  //combine filter conditions with and
    
    Capture the ICMP protocol
    [root@case100 ~]# tcpdump -A -i ens5 icmp  //capture ICMP packets
    [root@case100 ~]# tcpdump  -i ens5  icmp and  host 10.0.3.211   //capture ICMP packets to or from host 10.0.3.211
    
    [root@case100 ~]# tcpdump -A -w test1.cap -i ens5 icmp  //to analyse further, save the capture to a file and open it in Wireshark later
    

    Example 2: use tcpdump to analyse the cleartext exchange of an FTP session
    1) Install and deploy the vsftpd service

    [root@case254 ~]# yum -y install vsftpd
    [root@case254 ~]# systemctl restart vsftpd
    
    This assumes that host 192.168.4.254 already runs vsftpd with shares, login users and the like configured; if not, install and start the service first!!!
    

    2) Start tcpdump and wait for packets
    Run tcpdump with a suitable filter so that only the traffic accessing port 21 of host 192.168.4.100 is captured, converted to readable ASCII text.

    [root@case254 ~]# tcpdump -A tcp port 21 -i private1   //the 192.168.4.0 segment is not on the default interface, so the interface must be specified
    

    3) Access the case254 server from case100 as a client

    [root@case100 ~]# yum -y install ftp 
    [root@case100 ~]# ftp 192.168.4.254
    Connected to 192.168.4.254 (192.168.4.254).
    220 (vsFTPd 3.0.2)
    Name (192.168.4.254:root): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    227 Entering Passive Mode (192,168,4,254,47,162).
    150 Here comes the directory listing.
    drwxr-xr-x    3 0        0            4096 Oct 20  2019 ansible
    drwxr-xr-x    2 0        0               6 Oct 13  2019 extras
    drwxr-xrwx    3 0        0              24 Oct 10  2019 ios
    drwxrwxrwx   10 0        0            4096 Aug 13 05:42 pub
    drwxr-xr-x    2 0        0               6 Oct 13  2019 redhat
    drwxrwxrwx    2 0        0              32 Jul 07  2019 share
    226 Directory send OK.
    ftp> cd pub
    250 Directory successfully changed.
    ftp> ls
    ......
    ftp> quit
    221 Goodbye.
    

    4) Inspect the tcpdump capture

    [root@case254 ~]# tcpdump -A tcp port 21 -i private1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on private1, link-type EN10MB (Ethernet), capture size 65535 bytes
    17:42:11.926001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 1412379158:1412379164, ack 3282094552, win 229, options [nop,nop,TS val 526602819 ecr 527385903], length 6
    E..:..@....)...d........T/2................
    .cRC.oE/PASV
    
    17:42:11.926212 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 1:51, ack 6, win 227, options [nop,nop,TS val 527456805 ecr 526602819], length 50
    E..f.j@.@.,u.......d........T/2............
    .pZ%.cRC227 Entering Passive Mode (192,168,4,254,254,7).
    
    17:42:11.927147 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 6:12, ack 51, win 229, options [nop,nop,TS val 526602820 ecr 527456805], length 6
    E..:..@....(...d........T/2....
    ...........
    .cRD.pZ%LIST
    
    17:42:11.927299 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 51:90, ack 12, win 227, options [nop,nop,TS val 527456806 ecr 526602820], length 39
    E..[.k@.@.,........d.......
    T/2"...........
    .pZ&.cRD150 Here comes the directory listing.
    
    17:42:11.928886 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 90:114, ack 12, win 227, options [nop,nop,TS val 527456807 ecr 526602820], length 24
    E..L.l@.@.,........d.......1T/2"...........
    .pZ'.cRD226 Directory send OK.
    
    //In the capture you can see the FTP exchange with 192.168.4.254, the transport protocol, the three-way handshake and so on
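The capture above shows the FTP control channel in the clear, but the commands are buried at the end of lines of TCP option bytes. The following shell function is an added example (not from the original post) that pulls the FTP dialogue out of `tcpdump -A` output so that it is obvious which commands and replies crossed the wire readable. The sample is constructed in the format of the capture above with the same hosts and ports; the USER/PASS exchange and the password are invented for the example, and the function name is this example's choice.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the FTP control-channel
# dialogue from "tcpdump -A" output. The sample below is constructed in the
# format of the capture above; the USER/PASS lines and the password are invented.

SAMPLE_TCPDUMP_A='17:42:09.100001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 1:11, ack 21, win 229, length 10
E..>..@....)...d........T/2................
.cRC.oE/USER ftp
17:42:09.100210 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 21:55, ack 11, win 227, length 34
E..f.j@.@.,u.......d........T/2............
.pZ%.cRC331 Please specify the password.
17:42:09.400120 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 11:32, ack 55, win 229, length 21
E..:..@....(...d........T/2....
...........
.cRD.pZ%PASS s3cret-example
17:42:09.400300 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 55:78, ack 32, win 227, length 23
.pZ&.cRD230 Login successful.
17:42:11.926001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 32:38, ack 78, win 229, length 6
E..:..@....)...d........T/2................
.cRC.oE/PASV
17:42:11.926212 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 78:128, ack 38, win 227, length 50
.pZ%.cRC227 Entering Passive Mode (192,168,4,254,254,7).
17:42:11.927147 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 38:44, ack 128, win 229, length 6
.cRD.pZ%LIST'

# ftp_cleartext: read "tcpdump -A" output on stdin. Each packet starts with a
# header line ("IP src > dst: Flags ..."), which gives the direction; the ASCII
# payload lines that follow end with the FTP command or reply text. The
# password is redacted in the report, but it was fully readable on the wire.
ftp_cleartext() {
    awk '
        $2 == "IP" && $6 == "Flags" {
            dst = $5; sub(/:$/, "", dst)
            # the page runs tcpdump without -n, so the server port shows as "ftp"
            dir = (dst ~ /\.(ftp|21)$/) ? "client->server" : "server->client"
            next
        }
        # client commands sit at the very end of a payload line
        match($0, /(USER|PASS|PASV|LIST|RETR|STOR|CWD|QUIT)( [^ ]+)?$/) {
            cmd = substr($0, RSTART, RLENGTH)
            if (cmd ~ /^PASS /) cmd = "PASS <redacted>"
            print dir ": " cmd
            next
        }
        # server replies: a three-digit code followed by text
        match($0, /[0-9][0-9][0-9] [A-Za-z].*$/) {
            print dir ": " substr($0, RSTART, RLENGTH)
        }
    '
}

# Usage: a live capture ("tcpdump -A -i private1 tcp port 21 | ftp_cleartext")
# or a saved one ("tcpdump -A -r ftp.cap | ftp_cleartext"); here the sample is used.
printf '%s\n' "$SAMPLE_TCPDUMP_A" | ftp_cleartext
```

Everything this prints was visible to every device on the path between client and server, the login credentials included; that is the reason to move file transfer to SFTP or FTPS, after which the control channel no longer yields readable lines like these.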
    

    5) Capture again with tcpdump; the -w option saves the captured packets to a file so they can be analysed at leisure later.

    [root@case254 ~]# tcpdump -A tcp port 21 -i private1 -w ftp.cap
    

    6) The -r option of tcpdump reads a previously captured data file

    [root@case254 ~]# tcpdump -A -r ftp.cap |grep ftp
    reading from file ftp.cap, link-type EN10MB (Ethernet)
    18:03:18.353802 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [S], seq 2971413673, win 29200, options [mss 1460,sackOK,TS val 527869246 ecr 0,nop,wscale 7], length 0
    18:03:18.353959 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [S.], seq 2254235441, ack 2971413674, win 28960, options [mss 1460,sackOK,TS val 528723232 ecr 527869246,nop,wscale 7], length 0
    18:03:18.354474 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 1, win 229, options [nop,nop,TS val 527869247 ecr 528723232], length 0
    18:03:18.357118 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 528723236 ecr 527869247], length 20
    18:03:18.357874 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 21, win 229, options [nop,nop,TS val 527869250 ecr 528723236], length 0
    18:03:20.596123 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [F.], seq 1, ack 21, win 229, options [nop,nop,TS val 527871489 ecr 528723236], length 0
    18:03:20.596218 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [.], ack 2, win 227, options [nop,nop,TS val 528725475 ecr 527871489], length 0
    18:03:20.596382 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [F.], seq 21, ack 2, win 227, options [nop,nop,TS val 528725475 ecr 527871489], length 0
    ......
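The lines above are one packet each, and the handshake is only visible if you read the Flags column across several of them. The following shell function is an added example (not from the original post) that groups such `tcpdump -r` summary lines into TCP flows and prints the flag sequence of each, so the S, S., . handshake and the FIN teardown show up at a glance. The first flow reuses the lines above with the options trimmed; the second flow is constructed to show a SYN answered by a reset, which is what a connection attempt to a closed port looks like. The function name and the verdict wording are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the original post: group tcpdump summary lines
# into TCP flows and list each flow's flag sequence. The first flow reuses the
# capture shown above (options trimmed); the second is constructed.

SAMPLE_TCPDUMP='18:03:18.353802 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [S], seq 2971413673, win 29200, length 0
18:03:18.353959 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [S.], seq 2254235441, ack 2971413674, win 28960, length 0
18:03:18.354474 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 1, win 229, length 0
18:03:18.357118 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [P.], seq 1:21, ack 1, win 227, length 20
18:03:18.357874 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 21, win 229, length 0
18:03:20.596123 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [F.], seq 1, ack 21, win 229, length 0
18:03:20.596218 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [.], ack 2, win 227, length 0
18:03:20.596382 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [F.], seq 21, ack 2, win 227, length 0
18:03:25.000100 IP 192.168.4.100.47611 > 192.168.4.254.telnet: Flags [S], seq 1, win 29200, length 0
18:03:25.000200 IP 192.168.4.254.telnet > 192.168.4.100.47611: Flags [R.], seq 0, ack 2, win 0, length 0'

# tcp_flows: read tcpdump summary lines on stdin, key each packet by its two
# endpoints (sorted, so both directions fall into the same flow) and append
# the flag letters. A flow whose first three packets are S, S., . completed
# the three-way handshake; anything else (S then R., a lone S, ...) did not.
tcp_flows() {
    awk '
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; gsub(/\[|\]|,/, "", flags)
            key = (src < dst) ? src " <-> " dst : dst " <-> " src
            if (!(key in seq)) order[++n] = key
            seq[key] = seq[key] " " flags
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                verdict = (seq[k] ~ /^ S S\. \.( |$)/) ? "handshake complete" : "no full handshake"
                print k ":" seq[k] " => " verdict
            }
        }
    '
}

# Usage: "tcpdump -r ftp.cap | tcp_flows" on a saved capture; here the sample is used.
printf '%s\n' "$SAMPLE_TCPDUMP" | tcp_flows
```

Reading flows this way is also how you spot scanning activity on the defender's side: a SYN scan like the one in step 2 leaves many flows that consist of S followed by S. or R. and never reach the third packet of the handshake.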
    


Article link: https://www.haomeiwen.com/subject/vxwzpktx.html