利用 Nmap 扫描并识别服务
配合使用特定脚本和利用特定漏洞:
· 可以用来识别活动主机
· 扫描 TCP 和 UDP 的开发端口
· 检测防火墙
· 获取运行在远程主机上的服务版本和事件
实施步骤
启动 Vulnerable_VM 靶机
在安装 KALI 系统的攻击机上
检测 Vulnerable_VM 是否活动,使用 nmap 扫描工具:
nmap -sn idea.lanyus.com
参数说明:
-sn | Ping Scan - 关闭端口扫描 root@kali:~# nmap -sn 192.168.150.143 Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:50 CST Nmap scan report for bogon (192.168.150.143) Host is up (0.00028s latency). MAC Address: 00:0C:29:8F:CA:00 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds |
检测 Vulnerable_VM 开放的端口
root@kali:~# nmap idea.lanyus.com Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 18:33 CST Nmap scan report for idea.lanyus.com (120.52.29.220) Host is up (0.0072s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http 443/tcp open https 8080/tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in 49.01 seconds |
下面的命令扫描靶机上的1000以内的端口
root@kali:~# nmap 192.168.150.143 Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:53 CST Nmap scan report for bogon (192.168.150.143) Host is up (0.00028s latency). Not shown: 991 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 143/tcp open imap 443/tcp open https 445/tcp open microsoft-ds 5001/tcp open commplex-link 8080/tcp open http-proxy 8081/tcp open blackice-icecap MAC Address: 00:0C:29:8F:CA:00 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds |
扫描靶机运行的服务的版本号,并基于此判断靶机系统类型
nmap -sV -O idea.lanyus.com
参数说明:
-sV | Probe open ports to determine service/version info root@kali:~# nmap -sV -O idea.lanyus.com Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:47 CST Nmap scan report for idea.lanyus.com (120.52.29.220) Host is up (0.035s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 80/tcp open http cloudflare-nginx 443/tcp open ssl/https? 8080/tcp open http cloudflare-nginx Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: WAP|general purpose OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2, Microsoft Windows 7 or Windows Server 2012 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 72.32 seconds |