利用 Nmap 掃描并識別服務(wù)

• 配合使用特定腳本和利用特定漏洞：
• 可以用來識別活動主機(jī)
• 掃描 TCP 和 UDP 的開發(fā)端口
• 檢測防火墻
• 獲取運行在遠(yuǎn)程主機(jī)上的服務(wù)版本和事件

實施步驟

啟動 Vulnerable_VM 靶機(jī)

在安裝 Kali 系統(tǒng)的攻擊機(jī)上

檢測 Vulnerable_VM 是否活動，使用 nmap 掃描工具：

nmap -sn idea.lanyus.com

參數(shù)說明：
-sn | Ping Scan - 關(guān)閉端口掃描

root@kali:~# nmap -sn 192.168.150.143

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:50 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00028s latency).
MAC Address: 00:0C:29:8F:CA:00 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

檢測 Vulnerable_VM 開放的端口

root@kali:~# nmap idea.lanyus.com

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 18:33 CST
Nmap scan report for idea.lanyus.com (120.52.29.220)
Host is up (0.0072s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 49.01 seconds

下面的命令掃描靶機(jī)上的1000以內(nèi)的端口

root@kali:~# nmap 192.168.150.143

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:53 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00028s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:8F:CA:00 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

掃描靶機(jī)運行的服務(wù)的版本號，并基于此判斷靶機(jī)系統(tǒng)類型

nmap -sV -O idea.lanyus.com

參數(shù)說明：
-sV | Probe open ports to determine service/version info

root@kali:~# nmap -sV -O idea.lanyus.com

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:47 CST
Nmap scan report for idea.lanyus.com (120.52.29.220)
Host is up (0.035s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       cloudflare-nginx
443/tcp  open  ssl/https?
8080/tcp open  http       cloudflare-nginx
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded, Linux 2.4.X|3.X, Microsoft Windows 7|2012
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2, Microsoft Windows 7 or Windows Server 2012

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.32 seconds

下面的命令可以掃描出靶機(jī)運行服務(wù)的版本和操作系統(tǒng)版本

root@kali:~# nmap -sV -O 192.168.150.143

Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:55 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00067s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 5.3p1 Debian 3ubuntu4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp  open  imap        Courier Imapd (released 2008)
443/tcp  open  ssl/http    Apache httpd 2.2.14 ((Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.30 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL...)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
5001/tcp open  java-rmi    Java RMI
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
8081/tcp open  http        Jetty 6.1.25
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5001-TCP:V=7.01%I=7%D=7/17%Time=578BAA72%P=x86_64-pc-linux-gnu%r(NU
SF:LL,4,"\xac\xed\0\x05");
MAC Address: 00:0C:29:8F:CA:00 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.47 seconds

上面的掃描結(jié)果中，我們可以看出，靶機(jī)的操作系統(tǒng)是 Linux 2.6.X，使用了 Apache httpd 2.2.14 + PHP/5.3.2的 WEB 服務(wù)，以及其他一些信息。

拓展閱讀

Nmap 是一個端口掃描器，它會發(fā)送一堆報文到靶機(jī)的一系列端口中，檢查響應(yīng)內(nèi)容。如果有響應(yīng)，則該端口有對應(yīng)服務(wù)在運行。

在使用 Nmap 掃描過程中，還有其他很多有用的參數(shù)：
-sT | 該參數(shù)下，使用 SYN 掃描，這個參數(shù)下我們使用的是 Full Connect 掃描。這種模式，速度慢而且會在靶機(jī)中留下訪問日志。
-Pn | 如過已經(jīng)確認(rèn)靶機(jī)為活動狀態(tài)或無法Ping通靶機(jī)，我們使用該參數(shù)跳過 Ping 掃描，直接假定靶機(jī)活動，進(jìn)行完整掃描。
-v | 這個參數(shù)會盡可能顯示詳細(xì)的掃描過程和靶機(jī)響應(yīng)信息。
-p N1,N2,...Nn | 掃描指定端口，例如只掃描端口21，80到85，90，那么使用命令 nmap -p 21,80-85，90。
--script=script_name | Nmap 包含很多用于漏洞的檢查、掃描、識別、登陸測試、命令執(zhí)行、用戶枚舉等功能的腳本。使用這個參數(shù)可以在靶機(jī)的特定端口上執(zhí)行腳本，詳細(xì)用法參見：https://nmap.org/nsedoc/scripts/