端口扫描的目的是识别目标系统中哪些端口是开启状态,哪些服务可以使用。比如FTP/SSH/TELNET/打印服务/web服务等等。计算机系统中共有65536个端口,因此连接这些端口并扫描出可用的端口就变的有意义了。
1、网络连接
kali的网络默认是 设备未托管状态,因此需要开启。开启方法:
修改/etc/NetworkManager/下的NetworkManger.conf文件,
managed = false修改为true
重启机子
2、FPing工具
- root@walfred:~# fping -h
- Usage: fping [options] [targets...]
- -a show targets that are alive
- -A show targets by address
- -b n amount of ping data to send, in bytes (default 56)
- -B f set exponential backoff factor to f
- -c n count of pings to send to each target (default 1)
- -C n same as -c, report results in verbose format
- -e show elapsed time on return packets
- -f file read list of targets from a file ( - means stdin) (only if no -g specified)
- -g generate target list (only if no -f specified)
- (specify the start and end IP in the target list, or supply a IP netmask)
- (ex. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
- -H n Set the IP TTL value (Time To Live hops)
- -i n interval between sending ping packets (in millisec) (default 25)
- -l loop sending pings forever
- -m ping multiple interfaces on target host
- -n show targets by name (-d is equivalent)
- -p n interval between ping packets to one target (in millisec)
- (in looping and counting modes, default 1000)
- -q quiet (don't show per-target/per-ping results)
- -Q n same as -q, but show summary every n seconds
- -r n number of retries (default 3)
- -s print final stats
- -I if bind to a particular interface
- -S addr set source address
- -t n individual target initial timeout (in millisec) (default 500)
- -T n ignored (for compatibility with fping 2.4)
- -u show targets that are unreachable
- -O n set the type of service (tos) flag on the ICMP packets
- -v show version
- targets list of targets to check (if no -f specified)
3、Nmap工具
使用方法:
- root@walfred:~# nmap -h
- Nmap 6.47 ( http://nmap.org )
- Usage: nmap [Scan Type(s)] [Options] {target specification}
- TARGET SPECIFICATION:
- Can pass hostnames, IP addresses, networks, etc.
- Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
- -iL <inputfilename>: Input from list of hosts/networks
- -iR <num hosts>: Choose random targets
- --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
- --excludefile <exclude_file>: Exclude list from file
- HOST DISCOVERY: 主机网络发现功能
- -sL: List Scan - simply list targets to scan
- -sn: Ping Scan - disable port scan
- -Pn: Treat all hosts as online -- skip host discovery 禁止网络发现功能,认为所有主机在线
- -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
- -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
- -PO[protocol list]: IP Protocol Ping
- -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
- --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
- --system-dns: Use OS's DNS resolver
- --traceroute: Trace hop path to each host
- SCAN TECHNIQUES:
- -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans SYN/TCP/ACK/windown/conn扫描参数
- -sU: UDP Scan UDP扫描参数指定
- -sN/sF/sX: TCP Null, FIN, and Xmas scans NULL/FIN/xmas扫描
- --scanflags <flags>: Customize TCP scan flags
- -sI <zombie host[:probeport]>: Idle scan
- -sY/sZ: SCTP INIT/COOKIE-ECHO scans
- -sO: IP protocol scan
- -b <FTP relay host>: FTP bounce scan
- PORT SPECIFICATION AND SCAN ORDER:
- -p <port ranges>: Only scan specified ports
- Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
- -F: Fast mode - Scan fewer ports than the default scan
- -r: Scan ports consecutively - don't randomize
- --top-ports <number>: Scan <number> most common ports
- --port-ratio <ratio>: Scan ports more common than <ratio>
- SERVICE/VERSION DETECTION:
- -sV: Probe open ports to determine service/version info
- --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
- --version-light: Limit to most likely probes (intensity 2)
- --version-all: Try every single probe (intensity 9)
- --version-trace: Show detailed version scan activity (for debugging)
- SCRIPT SCAN:
- -sC: equivalent to --script=default
- --script=<Lua scripts>: <Lua scripts> is a comma separated list of
- directories, script-files or script-categories
- --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
- --script-args-file=filename: provide NSE script args in a file
- --script-trace: Show all data sent and received
- --script-updatedb: Update the script database.
- --script-help=<Lua scripts>: Show help about scripts.
- <Lua scripts> is a comma-separated list of script-files or
- script-categories.
- OS DETECTION:
- -O: Enable OS detection
- --osscan-limit: Limit OS detection to promising targets
- --osscan-guess: Guess OS more aggressively
- TIMING AND PERFORMANCE:
- Options which take <time> are in seconds, or append 'ms' (milliseconds),
- 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
- -T<0-5>: Set timing template (higher is faster)
- --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
- --min-parallelism/max-parallelism <numprobes>: Probe parallelization
- --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
- probe round trip time.
- --max-retries <tries>: Caps number of port scan probe retransmissions.
- --host-timeout <time>: Give up on target after this long
- --scan-delay/--max-scan-delay <time>: Adjust delay between probes
- --min-rate <number>: Send packets no slower than <number> per second
- --max-rate <number>: Send packets no faster than <number> per second
- FIREWALL/IDS EVASION AND SPOOFING:
- -f; --mtu <val>: fragment packets (optionally w/given MTU)
- -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
- -S <IP_Address>: Spoof source address
- -e <iface>: Use specified interface
- -g/--source-port <portnum>: Use given port number
- --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
- --data-length <num>: Append random data to sent packets
- --ip-options <options>: Send packets with specified ip options
- --ttl <val>: Set IP time-to-live field
- --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
- --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
- OUTPUT:
- -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
- and Grepable format, respectively, to the given filename.
- -oA <basename>: Output in the three major formats at once
- -v: Increase verbosity level (use -vv or more for greater effect)
- -d: Increase debugging level (use -dd or more for greater effect)
- --reason: Display the reason a port is in a particular state
- --open: Only show open (or possibly open) ports
- --packet-trace: Show all packets sent and received
- --iflist: Print host interfaces and routes (for debugging)
- --log-errors: Log errors/warnings to the normal-format output file
- --append-output: Append to rather than clobber specified output files
- --resume <filename>: Resume an aborted scan
- --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
- --webxml: Reference stylesheet from Nmap.Org for more portable XML
- --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
- MISC:
- -6: Enable IPv6 scanning
- -A: Enable OS detection, version detection, script scanning, and traceroute
- --datadir <dirname>: Specify custom Nmap data file location
- --send-eth/--send-ip: Send using raw ethernet frames or IP packets
- --privileged: Assume that the user is fully privileged
- --unprivileged: Assume the user lacks raw socket privileges
- -V: Print version number
- -h: Print this help summary page.
- EXAMPLES:
- nmap -v -A scanme.nmap.org
- nmap -v -sn 192.168.0.0/16 10.0.0.0/8
- nmap -v -iR 10000 -Pn -p 80
- SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
3.1Nmap执行TCP扫描
-sT 对TCP进行扫描
-p- 对所有端口扫描
-PN 禁用Nmap网络发现功能,假定所有系统都是活动的
- root@walfred:~# nmap -sT -p- -PN 192.168.115.1
- Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:38 CST
- Stats: 0:12:34 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
- Connect Scan Timing: About 90.20% done; ETC: 20:51 (0:01:22 remaining)
- Stats: 0:16:16 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
- Connect Scan Timing: About 94.41% done; ETC: 20:55 (0:00:58 remaining)
- Nmap scan report for 192.168.115.1
- Host is up (0.0022s latency).
- Not shown: 65533 closed ports
- PORT STATE SERVICE
- 23/tcp open telnet
- 80/tcp open http
- Nmap done: 1 IP address (1 host up) scanned in 1274.21 seconds
3.2Nmap执行UDP扫描
扫描udp也是有理由的,比如一些基于udp的服务,SNMP、TFTP、DHCP、DNS等等
- root@walfred:~# nmap -sU 192.168.115.188
- Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:21 CST
- Nmap scan report for 192.168.115.188
- Host is up (0.00069s latency).
- Not shown: 994 closed ports
- PORT STATE SERVICE
- 137/udp open netbios-ns
- 138/udp open|filtered netbios-dgm
- 500/udp open|filtered isakmp
- 1900/udp open|filtered upnp
- 4500/udp open|filtered nat-t-ike
- 5355/udp open|filtered llmnr
- MAC Address: xxxxxxxxxxxxxx (Universal Global Scientific Industrial Co.)
- Nmap done: 1 IP address (1 host up) scanned in 974.78 seconds
3.3Nmap执行SYN扫描
nmap默认就是这种方式。这种方式要比TCP扫描快,因为只执行三次握手的前两次。也不会造成拒绝服务攻击
哇偶,竟然开放了telnet....
- root@walfred:~# nmap -sS -p- -PN 192.168.115.1
- Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:26 CST
- Nmap scan report for 192.168.115.1
- Host is up (0.0020s latency).
- Not shown: 65533 closed ports
- PORT STATE SERVICE
- 23/tcp open telnet
- 80/tcp open http
- MAC Address: xxxxxxxxxxxxxx (Digital China (Shanghai) Networks)
- Nmap done: 1 IP address (1 host up) scanned in 368.52 seconds
3.3Nmap执行Xmas扫描
RFC文档描述了系统的技术细节,因此如果得到RFC文档,那么就可能找到系统的漏洞,xmas和null扫描的目的正是基于这一原因。
如果系统遵循了TCP RFC文档,那么不用完成连接,仅仅在发起连接的时候,namp就可以判断出目标系统的状态。
但是一般xmas针对unix或者linux系统比较有效。
- root@walfred:~# nmap -sX -p- -Pn 192.168.115.1
- Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:42 CST
- Nmap scan report for 192.168.115.1
- Host is up (0.0029s latency).
- Not shown: 65533 closed ports
- PORT STATE SERVICE
- 23/tcp open|filtered telnet
- 80/tcp open|filtered http
- MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
- Nmap done: 1 IP address (1 host up) scanned in 382.91 seconds
3.4Nmap执行Null
- root@walfred:~# nmap -sN -p- -Pn 192.168.115.1
- Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-23 20:49 CST
- Stats: 0:04:54 elapsed; 0 hosts completed (1 up), 1 undergoing NULL Scan
- NULL Scan Timing: About 78.30% done; ETC: 20:55 (0:01:20 remaining)
- Nmap scan report for 192.168.115.1
- Host is up (0.0018s latency).
- Not shown: 65533 closed ports
- PORT STATE SERVICE
- 23/tcp open|filtered telnet
- 80/tcp open|filtered http
- MAC Address: XXXXXXXXXXXXX (Digital China (Shanghai) Networks)
- Nmap done: 1 IP address (1 host up) scanned in 376.37 seconds
本文由 cswxzx 创作,采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外,均为本站原创或翻译,转载前请务必署名
最后编辑时间为: May 19, 2016 at 03:37 pm