Mike Zhang

DNS DevOps CISSP CISA Security+ Photography Programmer Beijing

Common Nmap commands

04 Aug 2018 » security

This post introduces several common ways of using Nmap, the powerful network scanner. Nmap covers the usual scanning tasks: discovering hosts, scanning ports, and identifying software and operating systems. With the NSE scripting engine we can also run existing Lua scripts, or write our own, to perform more complex scans.

1. Live host scanning

We can scan every machine in a network: an address range such as 192.168.2.1-254 below, a subnet such as 192.168.1.0/24, or a domain name. If the target IPs are kept in a file, nmap -iL ips.txt reads them from that file.

# nmap 192.168.2.1-254

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 12:35 EST
Nmap scan report for 192.168.2.1
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.2.1 are filtered
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.2.2
Host is up (0.00027s latency).
All 1000 scanned ports on 192.168.2.2 are closed
MAC Address: 00:50:56:FA:84:28 (VMware)

Nmap scan report for 192.168.2.251
Host is up (0.00036s latency).
All 1000 scanned ports on 192.168.2.251 are filtered
MAC Address: 00:0C:29:55:6D:18 (VMware)

Nmap scan report for 192.168.2.252
Host is up (0.00043s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
MAC Address: 00:0C:29:EA:F2:73 (VMware)

Nmap scan report for 192.168.2.254
Host is up (0.00015s latency).
All 1000 scanned ports on 192.168.2.254 are filtered
MAC Address: 00:50:56:F8:BB:08 (VMware)

Nmap scan report for 192.168.2.134
Host is up (0.0000040s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 254 IP addresses (6 hosts up) scanned in 10.07 seconds

By default, when the scan runs with root privileges, Nmap performs -sS, the half-open (SYN) scan. Below we run tcpdump to capture the scan of a single port: the scan never completes the three-way handshake; once the server replies with SYN+ACK, the client immediately sends RST to tear down the connection. [S] means the SYN flag is set, [S.] means SYN and ACK are set, and [R] means RST is set.

root@localhost:~# tcpdump -nnX tcp and host 192.168.2.252 and port 3306
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:45:09.557473 IP 192.168.2.134.42096 > 192.168.2.252.3306: Flags [S], seq 3604279199, win 1024, options [mss 1460], length 0
    0x0000:  4500 002c 47fb 0000 3206 b9fe c0a8 0286  E..,G...2.......
    0x0010:  c0a8 02fc a470 0cea d6d4 ef9f 0000 0000  .....p..........
    0x0020:  6002 0400 9584 0000 0204 05b4            `...........
12:45:09.557772 IP 192.168.2.252.3306 > 192.168.2.134.42096: Flags [S.], seq 39027716, ack 3604279200, win 5840, options [mss 1460], length 0
    0x0000:  4500 002c 0000 4000 4006 b3f9 c0a8 02fc  E..,..@.@.......
    0x0010:  c0a8 0286 0cea a470 0253 8404 d6d4 efa0  .......p.S......
    0x0020:  6012 16d0 fc4b 0000 0204 05b4 0000       `....K........
12:45:09.557785 IP 192.168.2.134.42096 > 192.168.2.252.3306: Flags [R], seq 3604279200, win 0, length 0
    0x0000:  4500 0028 85a2 4000 4006 2e5b c0a8 0286  E..(..@.@..[....
    0x0010:  c0a8 02fc a470 0cea d6d4 efa0 0000 0000  .....p..........
    0x0020:  5004 0000 b13d 0000                      P....=..

When run as an ordinary user, Nmap uses -sT instead: the full three-way handshake is completed and the scanner then resets the connection. This is less efficient, and the connection is more likely to be logged by the host.
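To make the flag notation concrete, here is an added example (my own code, not from the original post) that decodes the three hex dumps printed by tcpdump above into IP and TCP header fields and labels the exchange as half-open or full-connect. The byte strings are copied from the capture; the function names and the "half-open" / "full-connect" labels are my own.

```python
import struct
from ipaddress import IPv4Address

# Hex dumps copied from the tcpdump capture above (offset columns removed), in capture
# order: scanner SYN, server SYN+ACK, scanner RST.
CAPTURE = [
    "4500 002c 47fb 0000 3206 b9fe c0a8 0286 "
    "c0a8 02fc a470 0cea d6d4 ef9f 0000 0000 "
    "6002 0400 9584 0000 0204 05b4",
    "4500 002c 0000 4000 4006 b3f9 c0a8 02fc "
    "c0a8 0286 0cea a470 0253 8404 d6d4 efa0 "
    "6012 16d0 fc4b 0000 0204 05b4 0000",
    "4500 0028 85a2 4000 4006 2e5b c0a8 0286 "
    "c0a8 02fc a470 0cea d6d4 efa0 0000 0000 "
    "5004 0000 b13d 0000",
]

# Flag letters in the order tcpdump prints them, lowest bit first: FIN SYN RST PSH ACK URG ECE CWR.
FLAG_LETTERS = "FSRP.UEW"


def tcpdump_flags(bits: int) -> str:
    """Render the low eight TCP flag bits the way tcpdump does, e.g. 0x12 -> 'S.'."""
    return "".join(ch for i, ch in enumerate(FLAG_LETTERS) if bits & (1 << i))


def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode one IPv4/TCP packet given as a tcpdump -X style hex string."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    # Cut at the IP total length: the SYN+ACK frame carries two bytes of Ethernet padding.
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "ip_id": ident, "df": bool(flags_frag & 0x4000),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcpdump_flags(off_flags & 0xFF), "window": window,
        "tcp_header_len": (off_flags >> 12) * 4,
    }


def classify_exchange(packets: list) -> str:
    """Label a SYN, SYN+ACK, third-packet sequence between one client and one server port:
    'half-open' when the client answers the SYN+ACK with RST (what -sS does),
    'full-connect' when it answers with ACK (what -sT does)."""
    if len(packets) < 3:
        return "incomplete"
    syn, synack, third = packets[:3]
    probe_ok = (syn["flags"] == "S" and synack["flags"] == "S."
                and synack["ack"] == syn["seq"] + 1
                and third["src"] == syn["src"] and third["dport"] == syn["dport"])
    if not probe_ok:
        return "other"
    if third["flags"] == "R" and third["seq"] == synack["ack"]:
        return "half-open"
    if third["flags"] == "." and third["ack"] == synack["seq"] + 1:
        return "full-connect"
    return "other"


def decode_capture(hexdumps=CAPTURE) -> list:
    return [parse_ipv4_tcp(h) for h in hexdumps]


if __name__ == "__main__":
    pkts = decode_capture()
    for p in pkts:
        print(f'{p["src"]}.{p["sport"]} > {p["dst"]}.{p["dport"]}: Flags [{p["flags"]}], '
              f'seq {p["seq"]}, ack {p["ack"]}, win {p["window"]}, ttl {p["ttl"]}, df {p["df"]}')
    print("exchange:", classify_exchange(pkts))
```

Decoding the bytes also shows something the summary lines hide: the scanner's SYN (TTL 50, DF bit clear) and its RST (TTL 64, DF bit set, like the server's packets) are built by different senders. Nmap crafts the SYN on a raw socket, while the RST is the scanning host's kernel answering a SYN+ACK it has no socket for. A capture-based detector can look for exactly this pattern (SYN, SYN+ACK, RST with no ACK, repeated across many ports from one source) without any IDS signature.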

2. Port scanning

Port scanning covers both TCP and UDP ports. TCP offers many scan types, such as the half-open and full-connect scans above, the FIN scan, and so on, while UDP has only one, -sU. The scannable ports fall into three classes:

  1. 0-1023: well-known service ports

  2. 1024-49151: ports registered with IANA

  3. 49152-65535: dynamic ports, free for any use

A TCP header is 20 bytes. After a TCP SYN probe is sent, the responses fall into four main categories:

  1. SYN+ACK is returned

  2. RST is returned (usually a closed port)

  3. An ICMP message is returned

  4. The probe is silently dropped with no response (possibly filtered by a firewall)

A UDP header is 8 bytes: source port, destination port, UDP length and checksum. After a UDP probe is sent, the main response types are:

  1. A UDP reply carrying data

  2. ICMP port unreachable

  3. Another ICMP message (usually a firewall filtering the port)

  4. The probe is silently dropped with no response

From these responses we can tell whether a port is open, closed, or possibly open but filtered. The port-scan commands we use most often are nmap -F 192.168.2.251 to scan the 100 most common ports, nmap -p 1-1024 192.168.2.251 to scan a given range, and the slowest, nmap -p- 192.168.2.251, to scan all 65535 ports.

root@localhost:~# nmap -F  192.168.2.251

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 15:54 EST
Nmap scan report for 192.168.2.251
Host is up (0.00035s latency).
Not shown: 92 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
MAC Address: 00:0C:29:55:6D:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
root@localhost:~# nmap -p 1-1024  192.168.2.251

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 15:55 EST
Nmap scan report for 192.168.2.251
Host is up (0.00048s latency).
Not shown: 1021 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:55:6D:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds

root@localhost:~# nmap -p-  192.168.2.251

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 15:55 EST
Nmap scan report for 192.168.2.251
Host is up (0.00018s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49159/tcp open  unknown
MAC Address: 00:0C:29:55:6D:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 29.09 seconds

We can also add a scan type to a port scan. For UDP it is best to scan the common ports rather than all of them: because of rate limits in the operating system, the server cannot send a large number of ICMP port-unreachable messages at once, which makes a full UDP scan slow.

root@localhost:~# nmap -sU -F  192.168.2.251

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 16:00 EST
Nmap scan report for 192.168.2.251
Host is up (0.00073s latency).
Not shown: 95 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:55:6D:18 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 25.05 seconds
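The classification described in the response lists above, and the open|filtered ambiguity visible in the -sU -F report, written out as an added example (my code, not the post's). It maps each response category to the state Nmap reports; the ICMP type and code sets follow Nmap's port-scanning documentation, while the Response type, the function names and the sample responses are constructed for this example (the UDP sample mirrors the mix of states in the report above, it is not a capture).

```python
import struct
from dataclasses import dataclass
from typing import Optional


def port_class(port: int) -> str:
    """IANA port classes from the three ranges listed above."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def udp_header(sport: int, dport: int, payload: bytes) -> bytes:
    """The 8-byte UDP header: source port, destination port, length, checksum
    (checksum left zero, which IPv4 permits)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)


@dataclass
class Response:
    """What came back for one probe: kind is 'tcp', 'udp', 'icmp' or None for silence."""
    kind: Optional[str] = None
    tcp_flags: str = ""      # tcpdump-style letters, e.g. 'S.' or 'R'
    icmp_type: int = -1
    icmp_code: int = -1


# ICMP destination-unreachable (type 3) codes Nmap interprets as a filter in the path:
# 1 host, 2 protocol, 3 port, 9 network prohibited, 10 host prohibited, 13 admin prohibited.
TCP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}     # code 3 means 'closed' for UDP, see below


def tcp_syn_state(resp: Response) -> str:
    if resp.kind == "tcp" and "S" in resp.tcp_flags and "." in resp.tcp_flags:
        return "open"                 # SYN+ACK: something is listening
    if resp.kind == "tcp" and "R" in resp.tcp_flags:
        return "closed"               # RST: host reachable, nothing listening
    if resp.kind == "icmp" and resp.icmp_type == 3 and resp.icmp_code in TCP_FILTERED_CODES:
        return "filtered"             # a device said so explicitly
    if resp.kind is None:
        return "filtered"             # silence: dropped by a firewall or on the path
    return "unknown"


def udp_state(resp: Response) -> str:
    if resp.kind == "udp":
        return "open"                 # the service answered with data
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == 3:
            return "closed"           # port unreachable: reachable host, no listener
        if resp.icmp_code in UDP_FILTERED_CODES:
            return "filtered"
    if resp.kind is None:
        return "open|filtered"        # UDP services often stay silent, so this is ambiguous
    return "unknown"


def summarize(probe: str, responses: dict) -> dict:
    """Map {port: Response} to {port: state} for a 'tcp' (SYN) or 'udp' probe."""
    classify = tcp_syn_state if probe == "tcp" else udp_state
    return {port: classify(r) for port, r in responses.items()}


# Constructed responses (not a capture) in the spirit of the -sU -F report above:
# 137 answered, 123 and 500 stayed silent, 53 sent port-unreachable, 161 hit an
# admin-prohibited rule.
UDP_SAMPLE = {
    137: Response("udp"),
    123: Response(),
    500: Response(),
    53: Response("icmp", icmp_type=3, icmp_code=3),
    161: Response("icmp", icmp_type=3, icmp_code=13),
}

if __name__ == "__main__":
    for port, state in sorted(summarize("udp", UDP_SAMPLE).items()):
        print(f"{port}/udp {state} ({port_class(port)})")
```

The asymmetry between the two functions is the whole story of UDP scanning: a silent TCP port is reported as filtered because a live TCP listener must answer a SYN, while a silent UDP port stays open|filtered because many UDP services only answer well-formed application data. That is also why -sU benefits from -sV, which sends protocol-specific payloads, and why the ICMP rate limit mentioned above stretches a full UDP scan out over a long time.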

3. Identifying the server operating system and software

Nmap's OS detection relies on several techniques: for example, the TTL of ping replies differs between operating systems, and the TCP/IP stacks of different systems differ in details that can be compared against a database. The official website describes this in detail. The simplest approach is -A, an all-round scan that detects the operating system and the versions of the running services and also runs scripts, as shown below:

root@localhost:~# nmap -A 192.168.2.252

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 13:07 EST
Nmap scan report for 192.168.2.252
Host is up (0.00049s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2017-02-04T01:08:58+00:00; +7h01m01s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      38175/tcp  mountd
|   100005  1,2,3      56508/udp  mountd
|   100021  1,3,4      54829/tcp  nlockmgr
|   100021  1,3,4      60542/udp  nlockmgr
|   100024  1          38290/udp  status
|_  100024  1          44622/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      38175/tcp  mountd
|   100005  1,2,3      56508/udp  mountd
|   100021  1,3,4      54829/tcp  nlockmgr
|   100021  1,3,4      60542/udp  nlockmgr
|   100024  1          38290/udp  status
|_  100024  1          44622/tcp  status
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 11
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolNew, Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, SupportsCompression
|   Status: Autocommit
|_  Salt: |l*(+<-iL"aFwE4q`jv4
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:0C:29:EA:F2:73 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2017-02-03T20:08:56-05:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 192.168.2.252
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.90 seconds

Since this takes a long time, if we only care about one service we can use -sV to scan that service alone:

root@localhost:~# nmap -sV -p 22 192.168.2.252

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 16:08 EST
Nmap scan report for 192.168.2.252
Host is up (0.00053s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
MAC Address: 00:0C:29:EA:F2:73 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds

4. Saving and processing the data

We can save the results as XML and then use a conversion tool to produce the format we want to present, such as HTML; there are many such tools online and they are not covered here. By default the results are saved as plain text in .txt format.

nmap -oX output.xml -sV -p 22 192.168.2.252
... 
root@localhost:~# cat  output.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
...
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:4.7p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
</ports>
<times srtt="358" rttvar="3771" to="100000"/>
...
</nmaprun>
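As an added example (my code, not from the post), the XML fragment above is wrapped in a minimal nmaprun document and parsed with the Python standard library: it pulls out the address, port state, reason, reason_ttl, service and CPE attributes, writes the result as CSV (the kind of conversion the paragraph mentions), and turns reason_ttl into the rough initial-TTL guess that section 3 alludes to. The surrounding nmaprun, host and address elements and the helper names are my additions; the initial-TTL table is a common heuristic, not Nmap's fingerprinting.

```python
import csv
import io
import xml.etree.ElementTree as ET

# A minimal nmaprun document built around the fragment above. The <port> and <times>
# elements are the page's own; <nmaprun>, <host> and <address> are added (with the IP
# and MAC from the scan reports) so that the document is well-formed.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -oX output.xml -sV -p 22 192.168.2.252" version="7.01">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.2.252" addrtype="ipv4"/>
<address addr="00:0C:29:EA:F2:73" addrtype="mac" vendor="VMware"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" ostype="Linux" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:4.7p1</cpe><cpe>cpe:/o:linux:linux_kernel</cpe></service></port>
</ports>
<times srtt="358" rttvar="3771" to="100000"/>
</host>
</nmaprun>
"""

# Common initial TTLs. A rough heuristic only (Nmap's OS detection compares many more
# stack details): pick the smallest starting value at or above the observed TTL.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "network device/Solaris"))


def initial_ttl_guess(observed_ttl: int) -> tuple:
    """Return (assumed initial TTL, OS family, routers crossed)."""
    for start, family in INITIAL_TTLS:
        if observed_ttl <= start:
            return start, family, start - observed_ttl
    raise ValueError("TTL cannot exceed 255")


def parse_nmap_xml(data: bytes) -> list:
    """Flatten an nmaprun document into one record per host with its port entries."""
    root = ET.fromstring(data)
    hosts = []
    for host in root.iter("host"):
        rec = {"ip": None, "mac": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda _key: None)
            rec["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "reason_ttl": int(state.get("reason_ttl", "0")),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                "cpe": [c.text for c in svc.findall("cpe")] if svc is not None else [],
            })
        hosts.append(rec)
    return hosts


def open_ports(hosts: list) -> list:
    return sorted((h["ip"], p["port"]) for h in hosts for p in h["ports"] if p["state"] == "open")


def to_csv(hosts: list) -> str:
    """The kind of conversion the paragraph mentions, here to CSV instead of HTML."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "port", "proto", "state", "service", "product", "version"])
    for h in hosts:
        for p in h["ports"]:
            writer.writerow([h["ip"], p["port"], p["proto"], p["state"],
                             p["service"], p["product"], p["version"]])
    return buf.getvalue()


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print(to_csv(hosts))
    for h in hosts:
        for p in h["ports"]:
            start, family, hops = initial_ttl_guess(p["reason_ttl"])
            print(f'{h["ip"]}:{p["port"]} reason_ttl={p["reason_ttl"]} -> initial {start} ({family}), {hops} router(s) crossed')
```

The reason and reason_ttl attributes are worth keeping in any report: they record which packet made Nmap call the port open (here the SYN+ACK with TTL 64 from a directly attached host), so a later reader can tell a real listener from a state inferred from silence.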

5. Scanning with NSE scripts

NSE provides a large number of ready-made scripts, written in Lua, that implement scans for many protocols. In the example below we run a DNS scan against 1.2.4.8 using every script whose name matches dns-*.

root@localhost:~# nmap -sU -p 53 1.2.4.8 --script dns-*

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 16:31 EST
Nmap scan report for public1.sdns.cn (1.2.4.8)
Host is up (0.026s latency).
PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 71 of 100 tested domains are cached.
| google.com
| www.google.com
| facebook.com
| www.facebook.com
...
|_dns-fuzz: ERROR: Script execution failed (use -d to debug)
| dns-nsec-enum: 
|_  No NSEC records found
| dns-nsec3-enum: 
|_  DNSSEC NSEC3 not supported
| dns-nsid: 
|_  id.server: 10.20.2.33
|_dns-recursion: Recursion appears to be enabled

Host script results:
| dns-blacklist: 
|   SPAM
|     all.spamrats.com - DYNAMIC
|_    l2.apews.org - SPAM
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.sdns.cn - 218.241.113.10
|     ns1.sdns.cn - 125.208.48.1
|     ns2.sdns.cn - 125.208.49.1
|     dns.sdns.cn - 211.98.176.7
|     ns3.sdns.cn - 125.208.50.1
|_    www.sdns.cn - 159.226.6.135

Nmap done: 1 IP address (1 host up) scanned in 47.06 seconds

In the next example we use the http scripts to scan an HTTP server and collect useful information: directory enumeration, HTTP headers, the supported request methods, and so on. Here we find phpMyAdmin, which is normally used to administer databases; exposing it directly to users is clearly not a good idea.

root@localhost:~# nmap --script http-enum,http-headers,http-methods 192.168.2.252 -p 80

Starting Nmap 7.01 ( https://nmap.org ) at 2017-02-03 13:13 EST
Nmap scan report for 192.168.2.252
Host is up (0.00041s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /tikiwiki/: Tikiwiki
|   /test/: Test page
|   /phpinfo.php: Possible information file
|   /phpMyAdmin/: phpMyAdmin
|   /doc/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) dav/2'
|   /icons/: Potentially interesting folder w/ directory listing
|_  /index/: Potentially interesting folder
| http-headers: 
|   Date: Sat, 04 Feb 2017 01:14:28 GMT
|   Server: Apache/2.2.8 (Ubuntu) DAV/2
|   X-Powered-By: PHP/5.2.4-2ubuntu5.10
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
MAC Address: 00:0C:29:EA:F2:73 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds

The last commonly used NSE script is vulscan. It compares the software versions found by the scan against version information collected from several vulnerability websites and shows the user any vulnerable versions. This script is not part of the default script library, so we need to download it and place it in our script directory (download link).

Usage is simple: we only need to point --script at the script's path, as shown below:

$ nmap -sV --script=vulscan/vulscan.nse -p 2222 jsmean.com

Starting Nmap 6.40-2 ( http://nmap.org ) at 2017-02-04 10:56 CST
Nmap scan report for jsmean.com (45.55.12.65)
Host is up (0.19s latency).
PORT     STATE SERVICE VERSION
2222/tcp open  ssh     OpenSSH 6.4 (protocol 2.0)
| vulscan: scip VulDB - http://www.scip.ch/en/?vuldb:
| [7775] Red Hat Linux/Fedora 6 OpenSSH glibc error() privilege escalation
| 
| MITRE CVE - http://cve.mitre.org:
| [CVE-2012-5975] The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
| [CVE-2012-5536] A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat Enterprise Linux (RHEL) 6 and Fedora Rawhide calls the glibc error function instead of the error function in the OpenSSH codebase, which allows local users to obtain sensitive information from process memory or possibly gain privileges via crafted use of an application that relies on this module, as demonstrated by su and sudo.
| [CVE-2010-5107] The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
...

All the vulnerability information is listed, which is convenient for routine security scanning. The vulnerability databases can be downloaded from the paths below; to update, just overwrite the existing files. Anyone comfortable with Lua can also try writing their own scripts for more flexible security scans.

http://www.computec.ch/mruef/software/nmap_nse_vulscan/cve.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/exploitdb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/openvas.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/osvdb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/scipvuldb.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/securityfocus.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/securitytracker.csv
http://www.computec.ch/mruef/software/nmap_nse_vulscan/xforce.csv
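The report above shows how loosely vulscan matches version strings: an OpenSSH 6.4 service is paired with an SSH Tectia advisory and with an OpenSSH "through 6.1" entry. As an added example (my code, not vulscan's), here is a stricter matcher that runs over a small advisory table in the id;title line layout I assume the vulscan CSV files use. The titles are shortened copies of the CVE entries printed above; the parsing of "through X" ranges, the version comparison and the helper names are my own.

```python
import csv
import io
import re

# Constructed advisory table in the id;title line layout assumed for vulscan's CSV files.
# The titles are shortened copies of the entries printed in the report above.
ADVISORIES_CSV = """CVE-2012-5975;The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux allows remote attackers to bypass authentication
CVE-2012-5536;A certain Red Hat build of the pam_ssh_agent_auth module calls the glibc error function instead of the error function in the OpenSSH codebase
CVE-2010-5107;The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login
CVE-2008-1483;OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections
"""


def version_key(version: str) -> tuple:
    """Turn the leading token of an -sV version string into a comparable tuple:
    '4.7p1 Debian 8ubuntu1' -> (4, 7, 1), '6.1' -> (6, 1, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split()[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def affected_range(title: str, product: str):
    """Extract the version range a title states for product, or None if the title
    does not name product together with a version. Handles 'PRODUCT through X',
    'PRODUCT X through Y' and 'PRODUCT X' (treated as an exact version)."""
    ranged = re.search(rf"\b{re.escape(product)}\s+(?:(\d\S*)\s+)?through\s+(\d\S*)", title, re.I)
    if ranged:
        low = version_key(ranged.group(1)) if ranged.group(1) else (0, 0, 0)
        return low, version_key(ranged.group(2))
    exact = re.search(rf"\b{re.escape(product)}\s+(\d[\w.]*)", title, re.I)
    if exact:
        v = version_key(exact.group(1))
        return v, v
    return None


def match_advisories(product: str, version: str, csv_text: str) -> list:
    """Advisory ids whose stated range for product contains version, in table order."""
    observed = version_key(version)
    hits = []
    for row in csv.reader(io.StringIO(csv_text), delimiter=";"):
        if len(row) < 2:
            continue
        rng = affected_range(row[1], product)
        if rng and rng[0] <= observed <= rng[1]:
            hits.append(row[0])
    return hits


if __name__ == "__main__":
    for ver in ("6.4", "4.7p1 Debian 8ubuntu1"):
        print(f"OpenSSH {ver}: {match_advisories('OpenSSH', ver, ADVISORIES_CSV)}")
```

On this table the OpenSSH 6.4 service from the report matches nothing, while the OpenSSH 4.7p1 service from the Metasploitable host in section 3 matches CVE-2010-5107. The stricter rule cuts the noise but is deliberately conservative: a title like "4.3p2, and probably other versions" is treated as an exact version, so hits and near-misses still deserve a human read before anything is reported as a finding.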