
Kali Penetration Testing - Using Nmap (4)

Category: Default Notes. Author: novadmin.

nmap, short for Network Mapper, is a network security tool for network discovery and security auditing.

Nmap can detect whether a target host is online, which ports are open, the type and version of the services running, the operating system and device type, and more. It is one of the tools every network administrator must have.

For example, we can use nmap to fingerprint a target host (obtain version and port information), identify its services (and their vendors), and identify its operating system (whether it runs Windows or Linux):

Open the virtual machines installed earlier: Kali and the Metasploitable2 target system.

Here the IP address of my Kali host is: 192.168.1.63

The IP address of the Metasploitable2 target is: 192.168.1.35

On the Kali system, run the following command:


root@zhjpc:~# nmap -sn 192.168.1.35

It returns the following:


root@zhjpc:~# nmap -sn 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 10:22 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00032s latency).
MAC Address: 00:0C:29:F2:1C:1D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

You can see “Host is up (0.00032s latency).”, which tells us the host is alive. Before attacking a host we naturally have to check whether it is active, otherwise everything that follows is wasted effort. This kind of scan is called a discovery scan.

The -sn option is usually called a ping scan; it is used to discover target hosts and find out whether they are powered on. The principle is that the command broadcasts ARP requests on the local network: a host that answers the request is certainly up, and one that does not is treated as down.

Port scanning

We can see all the TCP ports open on the target:


root@zhjpc:~# nmap -sS 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 10:26 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00057s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:F2:1C:1D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

Of course, if you want to see the open UDP ports you can use the -sU option, but UDP port scanning is very slow, taking roughly 10 minutes or even more; pressing Enter while the output appears frozen shows the scan's progress:


root@zhjpc:~# nmap -sU 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 10:28 CST
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 5.39% done; ETC: 10:41 (0:12:00 remaining)
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 8.79% done; ETC: 10:43 (0:13:40 remaining)
Stats: 0:01:40 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 10.84% done; ETC: 10:43 (0:13:43 remaining)
Stats: 0:01:41 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 10.95% done; ETC: 10:43 (0:13:50 remaining)
Stats: 0:02:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 13.52% done; ETC: 10:44 (0:13:52 remaining)
Stats: 0:02:11 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 13.72% done; ETC: 10:44 (0:13:44 remaining)
Stats: 0:02:12 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 13.82% done; ETC: 10:44 (0:13:43 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 13.83% done; ETC: 10:44 (0:13:49 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 13.93% done; ETC: 10:44 (0:13:48 remaining)
Stats: 0:02:14 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 14.03% done; ETC: 10:44 (0:13:41 remaining)
Stats: 0:03:07 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 18.42% done; ETC: 10:45 (0:13:48 remaining)
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00023s latency).
Not shown: 993 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
111/udp  open          rpcbind
137/udp  open          netbios-ns
138/udp  open|filtered netbios-dgm
2049/udp open          nfs
MAC Address: 00:0C:29:F2:1C:1D (VMware)

Because UDP is itself a connectionless protocol, an open UDP port does not send us any response packet, whereas if the port is closed some systems return a PORT_UNREACH message. That is how we probe whether a UDP port is open, and because only some systems respond this way, the probe can also be wrong. This is why UDP scanning is so slow, unlike the TCP three-way handshake on an open port, where a response packet comes back quickly and tells us whether the port is open.

After confirming that the host is up and has open ports, we can check which operating system platform it runs; after all, Linux, Windows and Mac differ quite a lot, and for servers it comes down to Linux or Windows. This kind of probing is usually called fingerprinting, and we can use the following command:


root@zhjpc:~# nmap -O 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 11:12 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00025s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:F2:1C:1D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds

The -O option enables operating system detection. Above we can see that nmap scanned out all the open ports it could currently detect on the target host, and at the end gave a guess at the type and version of the target's operating system.

After confirming the operating system and its version, we need to identify the services on the target host. With nmap -O we saw that it only shows some version information for the relevant protocols, but many details of the actual components in use are not shown. For example, port 80 runs the HTTP protocol, but there are many service components that implement it: components such as Apache and Nginx run on port 80 by default, and HTTP implementations such as Tomcat and Jetty can run on port 80 as well. Different components have different vulnerabilities, and of course the attack methods differ too.

So service identification helps us narrow the attack surface further and raises the success rate of an attack, making the later work more efficient.

With a single command we can identify not only all the open ports and the protocols running on them, but also the components used to implement those protocols:


root@zhjpc:~# nmap -sV 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 11:14 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00027s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/11%Time=5B973315%P=i686-pc-linux-gnu%r(NULL,
SF:28,"\x01Host\x20address\x20mismatch\x20for\x20192\.168\.1\.63\n");
MAC Address: 00:0C:29:F2:1C:1D (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.14 seconds

In the output above we can see the component running on each port: port 80 runs Apache, not nginx, so we only need to look for Apache-related vulnerabilities, which saves a lot of unnecessary work (such as collecting vulnerabilities for other components).
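As an added example that is not part of the original post, the following Python turns the PORT/STATE/SERVICE/VERSION rows of Nmap's normal output into records and, as a defender would use them, diffs a baseline scan against a later one to catch new ports and version changes. The baseline rows are copied from the -sV output above; the "current" scan is a constructed sample (the nginx line is invented for the comparison).

```python
import re
from typing import List, NamedTuple

# One port row of Nmap's normal output, e.g. "21/tcp   open  ftp         vsftpd 2.3.4"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+([^\s?]+)(\?)?\s*(.*?)\s*$")

class Service(NamedTuple):
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    name: str
    guessed: bool   # Nmap prints "exec?" when the service name is only a guess
    version: str    # empty when -sV could not identify the software

def parse_nmap(output: str) -> List[Service]:
    """Extract PORT/STATE/SERVICE/VERSION rows; NSE '|' lines, SF- fingerprints
    and 'Not shown' lines do not match the pattern and are skipped."""
    rows = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, q, version = m.groups()
            rows.append(Service(int(port), proto, state, name, q == "?", version))
    return rows

def diff_scans(baseline: str, current: str):
    """Defender's use of the same output: compare a known-good baseline scan
    with a fresh one and report new ports, vanished ports and version changes."""
    base = {(s.port, s.proto): s for s in parse_nmap(baseline)}
    cur = {(s.port, s.proto): s for s in parse_nmap(current)}
    new = sorted(k for k in cur if k not in base)
    gone = sorted(k for k in base if k not in cur)
    changed = sorted(k for k in cur if k in base and cur[k].version != base[k].version)
    return new, gone, changed

# Baseline rows are copied from the -sV scan of Metasploitable2 shown above.
BASELINE = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp  open  exec?
"""
# Constructed "later" scan: port 80 reports a different server, 512 is gone,
# and 1524 (the Metasploitable bind shell seen above) has appeared.
CURRENT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
80/tcp   open  http        nginx 1.18.0
1524/tcp open  bindshell   Metasploitable root shell
"""
```

Calling diff_scans(BASELINE, CURRENT) reports 1524/tcp as new, 512/tcp as gone and 80/tcp as changed.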

If you are not satisfied with the operating system information obtained, you can use the -A option to enable operating system detection and version detection at the same time:


root@zhjpc:~# nmap -A 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 11:16 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.1.63
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2018-09-11T03:17:05+00:00; -36s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      41020/tcp  mountd
|   100005  1,2,3      47023/udp  mountd
|   100021  1,3,4      37246/tcp  nlockmgr
|   100021  1,3,4      46843/udp  nlockmgr
|   100024  1          39618/tcp  status
|_  100024  1          54584/udp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  shell?
| fingerprint-strings: 
|   NULL: 
|_    Host address mismatch for 192.168.1.63
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: ConnectWithDatabase, Speaks41ProtocolNew, Support41Auth, SupportsTransactions, LongColumnFlag, SwitchToSSLAfterHandshake, SupportsCompression
|   Status: Autocommit
|_  Salt: {gs+w;[;Sp\Y-rw}1x.u
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2018-09-11T03:17:04+00:00; -37s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:58:16
|   source ident: nmap
|   source host: 852D1840.78DED367.FFFA6D49.IP
|_  error: Closing Link: tswuehufy[192.168.1.63] (Quit: tswuehufy)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port514-TCP:V=7.70%I=7%D=9/11%Time=5B97338F%P=i686-pc-linux-gnu%r(NULL,
SF:28,"\x01Host\x20address\x20mismatch\x20for\x20192\.168\.1\.63\n");
MAC Address: 00:0C:29:F2:1C:1D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m24s, deviation: 2h18m35s, median: -36s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2018-09-10T23:17:03-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms bogon (192.168.1.35)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.97 seconds

Scrolling back up, we find that this time we got a very large amount of information: not only the open port numbers, but also the service on each port and the version of the software providing that service, and finally more detailed operating system version information. Both -A and -sV provide service identification information, but their emphasis is different, so choose the option according to the information you need most.

With this method we obtain more detailed information; we even get the version of the running software, which narrows the range we need to target once more, and we can even consult vulnerability databases and use an attack aimed at a vulnerability in that specific version.

For example, Linux kernels >= 2.6.22 that were not patched before 18 October 2016 are affected by the Dirty COW vulnerability; if the detected target operating system is fairly old, we can use that vulnerability to escalate privileges and take control of the target host.

So how does nmap do all of this? It comes down to one of Nmap's best-known features: remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing a dozen tests such as TCP ISN sampling, TCP options support and ordering, IPID sampling, and initial window size checks, Nmap compares the results with its nmap-os-fingerprints database of more than 1500 known operating system fingerprints, and if there is a match it prints the details of the operating system. Each fingerprint includes a free-form textual description of the OS and a classification that provides the vendor name (e.g. Sun), the underlying operating system (e.g. Solaris), the OS version (e.g. 10) and the device type (general purpose, router, switch, game console, etc.). (This paragraph is from the nmap website.)

Where there are attack methods there are also defensive measures, so besides identifying services and the operating system we also need to identify firewalls. We can use the following command to see whether the other side is filtering ports with a firewall:


root@zhjpc:~# nmap -sA 192.168.1.35
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-11 11:19 CST
Nmap scan report for bogon (192.168.1.35)
Host is up (0.00041s latency).
All 1000 scanned ports on bogon (192.168.1.35) are unfiltered
MAC Address: 00:0C:29:F2:1C:1D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

You can see “unfiltered”, which means the ports are not filtered by a firewall.

And how is firewall identification done? The simplest method is to judge whether a port is filtered by a firewall from the different responses obtained to the different packets of the TCP three-way handshake:


From the port states obtained this way we draw conclusions about the firewall. The port states and types fall into the following cases:
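As an added example, not from the original post, here is the decision logic behind the state words seen in the outputs above (open|filtered for silent UDP ports, unfiltered for the -sA scan), written from the rules in the Nmap reference guide for SYN, UDP and ACK scans; the Reply type is a constructed model of what one probe got back, not a packet capture.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 codes Nmap treats as a filtering device answering (1,2,9,10,13);
# code 3 (port unreachable) is the decisive "closed" signal for UDP scans.
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}
ICMP_PORT_UNREACH = 3

@dataclass
class Reply:
    """What came back for one probe (constructed model, not a packet capture)."""
    kind: str                        # "tcp", "udp", "icmp" or "none" (silence)
    tcp_flags: str = ""              # e.g. "SA" for SYN/ACK, "R" for RST
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def _unreach(r: Reply, codes) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in codes

def port_state(scan: str, r: Reply) -> str:
    """scan is 'sS' (SYN), 'sU' (UDP) or 'sA' (ACK); returns Nmap's state word."""
    if scan == "sS":
        if r.kind == "tcp" and "S" in r.tcp_flags and "A" in r.tcp_flags:
            return "open"                      # SYN/ACK: something is listening
        if r.kind == "tcp" and "R" in r.tcp_flags:
            return "closed"                    # RST: reachable, nothing listening
        if r.kind == "none" or _unreach(r, ICMP_FILTERED_CODES):
            return "filtered"                  # dropped or rejected by a filter
    elif scan == "sU":
        if r.kind == "udp":
            return "open"                      # only a real service answers UDP
        if _unreach(r, {ICMP_PORT_UNREACH}):
            return "closed"                    # PORT_UNREACH, when the OS sends it
        if _unreach(r, ICMP_FILTERED_CODES):
            return "filtered"
        if r.kind == "none":
            return "open|filtered"             # silence is ambiguous: why -sU is slow
    elif scan == "sA":
        if r.kind == "tcp" and "R" in r.tcp_flags:
            return "unfiltered"                # RST reached us: no stateful filter
        if r.kind == "none" or _unreach(r, ICMP_FILTERED_CODES):
            return "filtered"                  # ACK swallowed: a firewall is in the path
    return "unknown"
```

Note that an ACK scan never says "open": both open and closed ports answer an unsolicited ACK with RST, which is why the page's -sA result only distinguishes unfiltered from filtered.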

There is another very useful option in nmap:

nmap is very powerful: it can also scan a target host according to packet type and state, scan multiple IPs at once, and even scan an entire subnet, among other advanced uses. Interested readers can study the manual provided on the nmap website.
