米斯特 (Mist) White Hat Training Handout, Tools Series: Nmap
Lecturer: gh0stkey
Compiled by: 飛龍
License: CC BY-NC-SA 4.0
Introduction
Nmap (Network Mapper) is a security scanner designed by Gordon Lyon for discovering hosts and services on a computer network. To map the network topology, Nmap sends specially crafted packets to the target hosts and then analyses the packets that come back. Nmap is a powerful tool for enumerating and testing networks.
Nmap has two interfaces: a graphical interface and a command-line interface.
Download
https://nmap.org/download.html
Usage
Typical uses:
- Auditing the security of a device or firewall by probing it.
- Discovering the open ports on a target host.
- Network inventory, network mapping, maintenance and asset management. (This one needs further exploration.)
- Auditing the security of a network by identifying new servers.
- Discovering the hosts on a network.
Simple scan
By default Nmap uses ICMP ping and TCP full connect (-PB) for host discovery, and uses TCP full connect (-sT) to scan the host. The default ports scanned are 1 ~ 1024 plus the common ports from its list. (Compare this with the -vv output further down: there Nmap reports a SYN Stealth Scan over 1000 ports, and the verbose output always states which scan type and how many ports it actually used.)
Syntax:
nmap <target IP>
Example:
C:\Users\asus> nmap 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:37 中國(guó)標(biāo)準(zhǔn)時(shí)間
Nmap scan report for localhost (192.168.1.1)
Host is up (0.0062s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
Multiple IPs can be separated by commas: 192.168.1.1,2,3,4,5. A hyphen can express a range: 192.168.1.1-255. CIDR notation also works: 192.168.1.0/24.
Show verbose results
nmap -vv <target IP>
C:\Users\asus> nmap -vv 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:47 中國(guó)標(biāo)準(zhǔn)時(shí)間
Initiating ARP Ping Scan at 10:47
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 10:47, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:47
Completed Parallel DNS resolution of 1 host. at 10:47, 0.01s elapsed
Initiating SYN Stealth Scan at 10:47
Scanning localhost (192.168.1.1) [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 49153/tcp on 192.168.1.1
Discovered open port 49152/tcp on 192.168.1.1
Completed SYN Stealth Scan at 10:47, 2.27s elapsed (1000 total ports)
Nmap scan report for localhost (192.168.1.1)
Host is up, received arp-response (0.0052s latency).
Scanned at 2016-12-22 10:47:09 中國(guó)標(biāo)準(zhǔn)時(shí)間 for 3s
Not shown: 993 closed ports
Reason: 993 resets
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
23/tcp filtered telnet no-response
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
49152/tcp open unknown syn-ack ttl 64
49153/tcp open unknown syn-ack ttl 64
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 2.92 seconds
Raw packets sent: 1004 (44.160KB) | Rcvd: 998 (39.924KB)
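Run with -vv, the report adds a REASON column (syn-ack, no-response, resets) that explains every port state. As an added Python example, not from the handout, the parser below turns Nmap normal output such as the reports above into structured rows and compares two reports to flag ports that have newly opened, which is the "auditing the network by identifying new servers" use from the list of typical uses; the baseline rows are taken from the -vv report above, and the follow-up report is constructed here.

```python
import re
from typing import List, NamedTuple

class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    reason: str  # empty when the scan was not run with -vv
# One row of the PORT STATE SERVICE [REASON] table, e.g.
# "53/tcp open domain syn-ack ttl 64" or "21/tcp filtered ftp".
_ROW = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_report(text: str) -> dict:
    """Parse Nmap normal output for one host into host, MAC and port rows."""
    result = {"host": None, "mac": None, "ports": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for "):
            result["host"] = line[len("Nmap scan report for "):]
        elif line.startswith("MAC Address: "):
            result["mac"] = line.split()[2]
        elif (m := _ROW.match(line)):
            port, proto, state, service, reason = m.groups()
            result["ports"].append(PortEntry(int(port), proto, state, service, reason or ""))
    return result

def new_open_ports(baseline: str, current: str) -> List[PortEntry]:
    """Ports open in the current report that were not open in the baseline."""
    before = {(p.port, p.proto) for p in parse_report(baseline)["ports"] if p.state == "open"}
    return [p for p in parse_report(current)["ports"]
            if p.state == "open" and (p.port, p.proto) not in before]

# Baseline: rows taken from the handout's -vv report above.
BASELINE = """\
Nmap scan report for localhost (192.168.1.1)
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
"""
# Constructed follow-up scan of the same host (not from the handout): telnet is now open.
CURRENT = """\
Nmap scan report for 192.168.1.1
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
"""
```

Feed `parse_report` the saved output of any normal (non -oX) Nmap run; lines that are not port rows, such as NSE script output, are ignored.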
Custom ports
nmap <target IP> -p <ports>
C:\Users\asus> nmap 192.168.1.1 -p 1-500
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:59 中國(guó)標(biāo)準(zhǔn)時(shí)間
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0061s latency).
Not shown: 495 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds
A single port or several ports may be given. Multiple ports are separated by commas, e.g. 21,22,23,53,80, and a hyphen specifies a range, e.g. 1-1024.
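Both the target syntax described earlier and the port syntax here follow the same comma-and-hyphen pattern. As an added Python example (not part of the handout), the functions below expand such specs the way Nmap reads them, generalising to the per-octet form where any octet may hold a list or a range, and treating a CIDR block as the full set of addresses in it.

```python
import ipaddress
import itertools
from typing import List

def _expand_range(part: str, lo_default: int, hi_default: int, top: int) -> range:
    """'N' -> N..N, 'A-B' -> A..B; '-B' and 'A-' fall back to the defaults, all within 0..top."""
    if "-" in part:
        a, b = part.split("-", 1)
        lo = int(a) if a else lo_default
        hi = int(b) if b else hi_default
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= top:
        raise ValueError(f"bad range: {part!r}")
    return range(lo, hi + 1)

def _expand_octet(spec: str) -> List[int]:
    """One octet field: '1', '1-5', '1,3,5-7' or '*' (Nmap's alias for 0-255)."""
    if spec == "*":
        return list(range(256))
    values = set()
    for part in spec.split(","):
        values.update(_expand_range(part, 0, 255, 255))
    return sorted(values)

def expand_targets(spec: str) -> List[str]:
    """Expand an Nmap-style IPv4 target spec into the individual addresses it covers."""
    if "/" in spec:
        # CIDR: Nmap scans the whole block, network and broadcast addresses included.
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    combos = itertools.product(*(_expand_octet(o) for o in octets))
    return [".".join(map(str, c)) for c in combos]

def expand_ports(spec: str) -> List[int]:
    """Expand a -p spec such as '21,22,23,53,80' or '1-1024' into a sorted port list."""
    ports = set()
    for part in spec.split(","):
        ports.update(_expand_range(part, 1, 65535, 65535))
    return sorted(ports)
```

Expanding a spec before scanning lets you count exactly how many addresses and ports a command will touch, which is worth checking before running it against a production network.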
Ping scan
nmap -sP <target IP>
A ping scan performs host discovery only and does not scan any ports. As you can see, the result contains no port information; it only tells you whether the host is reachable, so it is also very fast.
C:\Users\asus> nmap 192.168.1.1 -sP
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:52 中國(guó)標(biāo)準(zhǔn)時(shí)間
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
Conversely, there is an option that performs only the port scan and skips host discovery: -PN (or -P0; current Nmap versions spell it -Pn and still accept the older forms).
C:\Users\asus> nmap 192.168.1.1 -PN
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 10:54 中國(guó)標(biāo)準(zhǔn)時(shí)間
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0062s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 2.47 seconds
Operating system detection
nmap -O <target IP>
C:\Users\asus> nmap www.baidu.com -O
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:03 中國(guó)標(biāo)準(zhǔn)時(shí)間
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.0038s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds
Combined scan
For example, to scan ports 1 ~ 1024 with verbose output and OS detection:
C:\Users\asus> nmap 192.168.1.1 -p 1-1024 -vv -O
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:06 中國(guó)標(biāo)準(zhǔn)時(shí)間
Initiating ARP Ping Scan at 11:06
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 11:06, 0.14s elapsed (1 total hosts)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 11:06
Scanning 192.168.1.1 [1024 ports]
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 11:06, 2.03s elapsed (1024 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up, received arp-response (0.0014s latency).
Scanned at 2016-12-22 11:06:44 中國(guó)標(biāo)準(zhǔn)時(shí)間 for 15s
Not shown: 1019 closed ports
Reason: 1019 resets
PORT STATE SERVICE REASON
21/tcp filtered ftp no-response
22/tcp filtered ssh no-response
23/tcp filtered telnet no-response
53/tcp open domain syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=12/22%OT=53%CT=1%CU=37502%PV=Y%DS=1%DC=D%G=Y%M=6889C1%
OS:TM=585B4353%P=i686-pc-windows-windows)SEQ(SP=106%GCD=1%ISR=104%TI=Z%CI=Z
OS:%II=I%TS=U)SEQ(CI=Z%II=I%TS=U)SEQ(CI=Z%II=I)OPS(O1=M5B4NNSNW2%O2=M5B4NNS
OS:NW2%O3=M5B4NW2%O4=M5B4NNSNW2%O5=M5B4NNSNW2%O6=M5B4NNS)WIN(W1=16D0%W2=16D
OS:0%W3=16D0%W4=16D0%W5=16D0%W6=16D0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW2%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: C:\Program Files (x86)\Nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.21 seconds
Raw packets sent: 1152 (54.954KB) | Rcvd: 1110 (48.462KB)
As you can see, not much was detected, because the target is a router; in this situation you can simply treat it as Linux.
Scripts (supplement)
Nmap has a script engine called NSE (Nmap Scripting Engine) and ships with a number of scripts; more scripts can be downloaded from the official site.
The script categories are:
auth: scripts that handle authentication credentials (bypassing authentication)
broadcast: discover more services running on the local network, such as dhcp/dns/sqlserver
brute: brute-force attacks against common applications such as http/snmp
default: the scripts run by default with the -sC or -A option, providing basic script-scanning capability
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: denial-of-service attacks
exploit: exploit known vulnerabilities to break into systems
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send abnormal packets to the target to probe for potential vulnerabilities
intrusive: intrusive scripts; this class may trigger logging or blocking by the target's IDS/IPS
malware: detect whether the target is infected with malware, has backdoors open, and so on
safe: the opposite of intrusive; scripts considered safe
version: scripts that enhance service and version detection (Version Detection)
vuln: check whether the target has common vulnerabilities (Vulnerability), such as MS08_067
Add --script=<category> to the command line to use scripts.
The following demonstrates using the default scripts to probe the services on a host.
C:\Users\asus> nmap --script=default 192.168.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-22 11:10 中國(guó)標(biāo)準(zhǔn)時(shí)間
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.1.1
Host is up (0.0051s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.49
80/tcp open http
|_http-title: Site doesn't have a title (text/html).
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 68:89:C1:74:84:43 (Huawei Technologies)
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds