Kali linux 2016.2(Rolling)中的Nmap的端口扫描功能
不多说,直接上干货!
如下,是使用Nmap对主机202.193.58.13进行一次端口扫描的结果,其中使用
root@kali:~# nmap -sS -Pn 202.193.58.13 Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:04 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (.0014s latency).
Not shown: closed ports
PORT STATE SERVICE
/tcp open ftp
/tcp open ssh
/tcp open telnet
/tcp open smtp
/tcp open domain
/tcp open http
/tcp open rpcbind
/tcp open netbios-ssn
/tcp open microsoft-ds
/tcp open exec
/tcp open login
/tcp open shell
/tcp open rmiregistry
/tcp open ingreslock
/tcp open nfs
/tcp open ccproxy-ftp
/tcp open mysql
/tcp open postgresql
/tcp open vnc
/tcp open X11
/tcp open irc
/tcp open ajp13
/tcp open unknown
MAC Address: :AD::::5C (Unknown) Nmap done: IP address ( host up) scanned in 0.95 seconds
root@kali:~#
默认参数下,nmap使用发送ICMP请求来探测存活主机(即-sP选项)
root@kali:~# nmap -sP 202.193.58.13 Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:12 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (.0017s latency).
MAC Address: :AD::::5C (Unknown)
Nmap done: IP address ( host up) scanned in 0.18 seconds
root@kali:~#
如果是在INTERNET环境中,则应该使用-Pn选项,不要使用ICMP ping扫描,因为ICMP数据包通常无法穿透Internet上的网络边界;
还可以使用-PU通过对开放的UDP端口进行探测以确定存活的主机。
可以使用-O选项辨识目标主机的操作系统;
再加以-sV选项辨识操作系统中运行的服务的类型信息,如下
取更加详细的服务版本等信息,需要使用-sV选项,如下所示。
root@kali:~# nmap -sV -Pn 202.193.58.13 Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:06 CST
Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
Host is up (0.0015s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain?
80/tcp open http?
111/tcp open rpcbind?
139/tcp open netbios-ssn?
445/tcp open microsoft-ds?
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry?
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs?
2121/tcp open ccproxy-ftp?
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql?
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11?
6667/tcp open irc Unreal ircd
8009/tcp open ajp13?
8180/tcp open unknown
MAC Address: 84:AD:58:82:49:5C (Unknown)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.64 seconds
root@kali:~#
以补充Nmap工具的服务指纹数据库。
更多,其实,
msf > nmap -h
[*] exec: nmap -h Nmap 7.31 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
msf >
Kali linux 2016.2(Rolling)中的Nmap的端口扫描功能的更多相关文章
- MetaSploit攻击实例讲解------Metasploit自动化攻击(包括kali linux 2016.2(rolling) 和 BT5)
不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)里Metasploit连接(包括默认和自定义)的PostgreSQL数据库 Kali linux 2016.2(Ro ...
- MetaSploit攻击实例讲解------终端下PostgreSQL数据库的使用(包括kali linux 2016.2(rolling) 和 BT5)
不多说,直接上干货! 配置msf连接postgresql数据库 我这里是使用kali linux 2016.2(rolling) 用过的博友们都知道,已经预安装好了PostgreSQL. 1. p ...
- MetaSploit攻击实例讲解------社会工程学set攻击(kali linux 2016.2(rolling))(详细)
不多说,直接上干货! 首先,如果你是用的BT5,则set的配置文件是在 /pentest/exploits/set/set_config下. APACHE_SERVER=ONSELF_SIGNED_A ...
- MetaSploit攻击实例讲解------工具Meterpreter常用功能介绍(kali linux 2016.2(rolling))(详细)
不多说,直接上干货! 说在前面的话 注意啦:Meterpreter的命令非常之多,本篇博客下面给出了所有,大家可以去看看.给出了详细的中文 由于篇幅原因,我只使用如下较常用的命令. 这篇博客,利用下面 ...
- kali 2.0 linux中的Nmap的操作系统扫描功能
不多说,直接上干货! 可以使用-O选项,让Nmap对目标的操作系统进行识别. msf > nmap -O 202.193.58.13 [*] exec: nmap -O 202.193.58.1 ...
- MetaSploit攻击实例讲解------攻击445端口漏洞(kali linux 2016.2(rolling))(详细)
不多说,直接上干货! 大家,相信最近的这个事件,对于445端口已经是非常的小心了.勒索病毒 445端口是一个毁誉参半的端口,有了它我们可以在局域网中轻松访问各种共享文件夹或共享打印机,但也正是因为有了 ...
- Kali linux 2016.2(Rolling)中metasploit的端口扫描
目前常见的端口扫描技术一般有如下几类: TCP Connect.TCP SYN.TCP ACK.TCP FIN. Metasploit中的端口扫描器 Metasploit的辅助模块中提供了几款实用的 ...
- Kali linux 2016.2 的 plyload模块之meterpreter plyload详解
不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的payloads模块详解 当利用成功后尝试运行一个进程,它将在系统进程列表里显示,即使在木马中尝试执行系统命令, ...
- Kali linux 2016.2(Rolling)中的payloads模块详解
不多说,直接上干货! 前期博客 Kali linux 2016.2(Rolling)中的Exploits模块详解 payloads模块,也就是shellcode,就是在漏洞利用成功后所要做的事情.在M ...
随机推荐
- HDOJ 1753 大明A+B
JAVA大数.... 大明A+B Time Limit: 3000/1000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Others) ...
- Light OJ 1317 Throwing Balls into the Baskets 概率DP
n个人 m个篮子 每一轮每一个人能够选m个篮子中一个扔球 扔中的概率都是p 求k轮后全部篮子里面球数量的期望值 依据全期望公式 进行一轮球数量的期望值为dp[1]*1+dp[2]*2+...+dp[ ...
- Android 输入管理服务-输入事件向详细应用的分发
输入管理服务接收到输入事件,对输入事件进行处理之后会把输入事件分发到详细的应用中(如WMS.壁纸服务等)去处理的,这里涉及到了JNI从C++层向JAVA层的调用. 详细流程例如以下图所看到的:
- Medium上的文章
Welcome to Medium, a place to read, write, and interact with the stories that matter most to you. 网站 ...
- Java中异常处理之try和catch代码块的使用
转自:https://www.jb51.net/article/72901.htm Java try和catch的使用 尽管由Java运行时系统提供的默认异常处理程序对于调试是很有用的,但通常你希望自 ...
- mount ntfs 失败解决办法
在双系统中,ntfs可能会应为windows的缓存而挂载失败.可用下面命令修复. Use ntfsfix in the terminal, even if you can't access Windo ...
- Objective-C —内存管理(上)
内存管理 一.为什么要进行内存管理 移动设备的内存极其有限,每个app所能占用的内存是有限制的 下列行为都会增加一个app的内存占用 创建一个OC对象 定义一个变量 调用一个函数或者方法 内存占用多大 ...
- [nginx]第一篇
世界太大,我无法安心学习,决定看一个简单的. nginx-1.11.9的代码是nginx-0.5.38的两倍,决定看前者的. 阅读工具:UnderStand 3.1. 入口在nginx.c的195行. ...
- AndroidStudio EventBus报错解决方法its super classes have no public methods with the @Subscribe
首先说明,以前我用eventBus的jar包写得项目demo,前几天就写了一个EventBus的实例,这次我没用jar包,直接用gradle引用的,可是demo写完了,报错: its super cl ...
- python中index、slice与slice assignment用法
python中index.slice与slice assignment用法 一.index与slice的定义: index用于枚举list中的元素(Indexes enumerate the elem ...