Introduction
Nmap (Network Mapper) is a fundamental tool in network security and administration. This lab introduces you to Nmap scan flags, which let you perform effective network reconnaissance and vulnerability assessment. Through hands-on practice you will learn how to use various Nmap commands to discover hosts, scan ports, and identify services on a network. These skills are essential for network administrators and security professionals, helping them maintain a secure network environment.
Nmap is not preinstalled on most systems, so our first step is to install it. Open a terminal in your LabEx environment and run the following commands:
sudo apt update
sudo apt install nmap -y
Once the installation finishes, verify that Nmap is installed correctly by checking its version:
nmap --version
You should see output similar to this:
Nmap version 7.80 ( https://nmap.org )
Platform: x86_64-pc-linux-gnu
Compiled with: liblua-5.3.3 openssl-1.1.1f libssh2-1.8.0 libz-1.2.11 libpcre-8.39 libpcap-1.9.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select
Nmap works by sending specially crafted packets to target hosts and analyzing the responses. This helps determine:
- which hosts are reachable
- which ports are open, closed, or filtered
- which services are running on those ports
The basic syntax of an Nmap command is:
nmap [scan type] [options] target
Where:
- [scan type] specifies the type of scan to perform
- [options] are additional parameters that customize the scan
- target is the IP address, hostname, or IP range to scan
Let's start by scanning your own machine (localhost). Run:
nmap localhost
This command scans the 1000 most common TCP ports on your local machine. The output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
The output shows that the host is up, that 996 of the 1000 scanned ports are closed, and that four ports (22, 80, 631, and 3306) are open.
Let's analyze the output:
- PORT: shows the port number and protocol (for example, 22/tcp)
- STATE: indicates whether the port is open, closed, or filtered
- SERVICE: shows the service usually associated with that port
The most common port states are:
- open: the port is accepting connections
- closed: the port is reachable, but no application is listening on it
- filtered: Nmap cannot determine whether the port is open because packet filtering is blocking its probes
To scan a specific port, use the -p flag followed by the port number:
nmap -p 22 localhost
The output will focus on port 22:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.01 seconds
You can scan a range of ports using a hyphen:
nmap -p 20-25 localhost
This scans ports 20 through 25:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 15:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp closed ftp
22/tcp open ssh
23/tcp closed telnet
24/tcp closed priv-mail
25/tcp closed smtp
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
You have now learned how to install Nmap and perform basic port scans. In the next step we will explore more advanced scanning techniques using various Nmap flags.
Now that you understand the basics of Nmap, let's explore some essential scan flags that give you more control over, and more information from, your scans.
The TCP SYN scan is the default scan type when running as root. It is often called a "half-open" scan because it never completes the TCP connection, which makes it relatively stealthy and fast.
Let's run a SYN scan against localhost:
sudo nmap -sS localhost
The output will look similar to:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
The TCP Connect scan is the default when Nmap is not run with root privileges. It completes the full TCP handshake, which makes it easier to detect but also more reliable in some situations.
nmap -sT localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
The version detection flag tells Nmap to try to determine the version of the service running on each open port:
nmap -sV localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 6.41 seconds
Note that the output now includes detailed version information for each service. This is invaluable for security assessment, since particular versions may have known vulnerabilities.
The OS detection flag attempts to determine the target's operating system:
sudo nmap -O localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
Note that Nmap has detected that the system is running a Linux kernel in the 4.X or 5.X series.
You can combine multiple flags to get more comprehensive results. For example, let's combine service version detection with OS detection:
sudo nmap -sV -O localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
The aggressive scan flag combines several scan options, including OS detection, version detection, script scanning, and traceroute:
sudo nmap -A localhost
Output (truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, Support41Auth, Speaks41ProtocolOld, IgnoreSigpipes, DontAllowDatabaseTableColumn, FoundRows, SupportsCompression, ConnectWithDatabase, LongPassword, InteractiveClient, SwitchToSSLAfterHandshake, ODBCClient, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsTransactions, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: \x14\x12\x1Fjw\x182\x15\x0D\x12\x13C\x1F\x14\x0D\x07
|_ Auth Plugin Name: caching_sha2_password
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.12 seconds
Note the amount of extra information the aggressive scan provides, including SSH host key information, HTTP server details, and more detailed MySQL service information.
In this step you have learned several essential Nmap scan flags and how to combine them for more comprehensive results. In the next step we will explore practical scanning strategies for different scenarios.
In this step we will learn network scanning strategies and how to control the timing and performance of Nmap scans. This is essential when scanning large networks or when more discretion is needed.
Nmap can scan multiple hosts in several ways:
You can specify multiple IP addresses separated by spaces:
nmap 127.0.0.1 127.0.0.2
You can scan an IP range using CIDR notation:
nmap 127.0.0.1/30
This command scans 127.0.0.0 through 127.0.0.3. The output will show:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap scan report for 127.0.0.2
Host is up (0.00015s latency).
All 1000 scanned ports on 127.0.0.2 are closed
Nmap scan report for 127.0.0.3
Host is up (0.00013s latency).
All 1000 scanned ports on 127.0.0.3 are closed
Nmap done: 4 IP addresses (3 hosts up) scanned in 0.92 seconds
Sometimes you only want to know which hosts are online without scanning ports. A ping scan is ideal for this:
nmap -sn 127.0.0.1/24
This command scans the entire 127.0.0.1/24 subnet but performs host discovery only, with no port scanning. Because of the length of the output, only a fragment is shown:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Nmap scan report for 127.0.0.2
Host is up (0.00013s latency).
Nmap scan report for 127.0.0.3
Host is up (0.00014s latency).
...
Nmap done: 256 IP addresses (256 hosts up) scanned in 2.34 seconds
Sometimes a firewall blocks ping requests. To get around this and scan all hosts regardless of whether they answer a ping, use the -Pn flag:
nmap -Pn localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:45 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Nmap offers several timing templates that adjust various scan parameters:
- -T0: Paranoid, very slow, used for IDS evasion
- -T1: Sneaky, slow, used for IDS evasion
- -T2: Polite, slows down to use less bandwidth
- -T3: Normal, the default, balancing speed and reliability
- -T4: Aggressive, faster, assumes a reasonably fast and reliable network
- -T5: Insane, very fast, assumes an extremely fast network
Let's try an aggressive scan:
nmap -T4 localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 16:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Note that the scan completes slightly faster than the default scan.
Nmap can save scan results in various formats for later analysis or reporting:
Save scan results to a file in normal format:
nmap -oN scan_results.txt localhost
This command saves the scan output to scan_results.txt in the current directory.
Save scan results in XML format, which is useful for parsing with other tools:
nmap -oX scan_results.xml localhost
Save scan results in all formats (normal, XML, and grepable):
nmap -oA scan_results localhost
This creates three files: scan_results.nmap, scan_results.xml, and scan_results.gnmap.
Let's inspect the contents of the normal output file:
cat scan_results.txt
Output:
## Nmap 7.80 scan initiated Thu Sep 14 16:55:23 2023 as: nmap -oN scan_results.txt localhost
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
631/tcp open ipp
3306/tcp open mysql
## Nmap done at Thu Sep 14 16:55:23 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds
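The grepable file is the one most useful for change detection between scans. As an added example that is not part of this lab, the following Python parses two constructed .gnmap files (the format written by -oA, or by -oG alone) and reports which ports became open or stopped being open between a baseline scan and a later one; the two sample files are invented to mirror the localhost results above.

```python
# Constructed .gnmap files (the grepable format nmap writes with -oG / -oA),
# imitating the lab's localhost results; they are not real scan output.
BASELINE_GNMAP = """\
# Nmap 7.80 scan initiated Thu Sep 14 16:55:23 2023 as: nmap -oA scan_results localhost
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 631/open/tcp//ipp///, 3306/open/tcp//mysql///\tIgnored State: closed (996)
# Nmap done at Thu Sep 14 16:55:23 2023 -- 1 IP address (1 host up) scanned in 0.12 seconds
"""
# A later scan of the same host: 80 is now filtered, 8080 has appeared, 3306 is gone.
LATER_GNMAP = """\
# Nmap 7.80 scan initiated Fri Sep 15 09:00:00 2023 as: nmap -oA scan_results localhost
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 631/open/tcp//ipp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
# Nmap done at Fri Sep 15 09:00:00 2023 -- 1 IP address (1 host up) scanned in 0.14 seconds
"""


def parse_gnmap(text):
    """Map each scanned host to {(port, protocol): (state, service)}.

    Only 'Host:' lines that carry a 'Ports:' field are used; 'Status:' lines
    and '#' comment lines are skipped. Each port entry has seven slash-separated
    fields: port/state/protocol/owner/service/rpc-info/version/ (trailing slash).
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split(" ", 1)[0]  # "127.0.0.1 (localhost)" -> "127.0.0.1"
        ports = hosts.setdefault(ip, {})
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, _version, _ = entry.split("/")
            ports[(int(port), proto)] = (state, service)
    return hosts


def diff_open_ports(baseline_text, current_text):
    """Compare two grepable scans and report, per host, which ports became open
    and which stopped being open (now closed, filtered, or no longer listed)."""
    old, new = parse_gnmap(baseline_text), parse_gnmap(current_text)
    report = {}
    for ip in sorted(set(old) | set(new)):
        was = {p for p, (state, _) in old.get(ip, {}).items() if state == "open"}
        now = {p for p, (state, _) in new.get(ip, {}).items() if state == "open"}
        if was != now:
            report[ip] = {"newly_open": sorted(now - was),
                          "no_longer_open": sorted(was - now)}
    return report


if __name__ == "__main__":
    for ip, change in diff_open_ports(BASELINE_GNMAP, LATER_GNMAP).items():
        print(ip, change)
```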
Let's combine what we have learned to create a practical strategy for a comprehensive scan:
sudo nmap -sS -sV -O -T4 -oA comprehensive_scan localhost
This command:
- -sS performs a TCP SYN scan
- -sV detects service versions
- -O detects the operating system
- -T4 uses the aggressive timing template
- -oA comprehensive_scan saves the results in all three formats with the base name comprehensive_scan
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
631/tcp open ipp CUPS 2.3
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 0 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
You can now view the comprehensive scan results in any of the output files:
ls comprehensive_scan.*
Output:
comprehensive_scan.gnmap comprehensive_scan.nmap comprehensive_scan.xml
Remember that network scanning should only be performed on networks you own or have explicit permission to scan. Unauthorized scanning may:
In this lab environment we have only scanned localhost, which is always permitted because it is your own system.
You have now learned different network scanning strategies, timing controls, and output formats. You have all the fundamentals needed to perform effective network reconnaissance with Nmap.
In this step we will explore Nmap's powerful scripting engine (NSE) and learn how to perform targeted service analysis. NSE scripts extend Nmap's capabilities by enabling more detailed scanning of specific services and vulnerabilities.
The Nmap Scripting Engine lets users write and share scripts that automate a variety of network tasks. Nmap ships with hundreds of pre-written scripts, organized into categories:
- auth: authentication-related scripts
- default: scripts run by default with -sC
- discovery: host and service discovery
- exploit: scripts that attempt to exploit vulnerabilities
- malware: detection of malware and backdoors
- safe: safe, non-intrusive scripts
- vuln: vulnerability detection scripts
The -sC flag runs the default script set, which is generally safe and provides useful information:
nmap -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 3.42 seconds
Notice how the scripts provide additional information about each service, such as SSH host keys and HTTP page titles.
You can run specific scripts with the --script flag followed by the script name or category:
nmap --script=http-title localhost
This runs only the http-title script, which retrieves the title of the HTTP page:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
You can run all scripts in a particular category:
nmap --script=discovery localhost
This runs all discovery scripts, which can provide rich information about network services (output truncated for brevity):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp
| cups-info:
| CUPS Server:
| Server: CUPS/2.3 IPP/2.1
|_ Authentication-Method: Basic
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS POST
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 15
| Capabilities flags: 65535
| Some Capabilities: ConnectWithDatabase, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, Support41Auth, InteractiveClient, Speaks41ProtocolOld, FoundRows, IgnoreSigpipes, ODBCClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, SupportsMultipleStatments, LongPassword, SupportsCompression, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x7FeL)\x0C\x5C#S\x06N%\x1E\x7EYaC
|_ Auth Plugin Name: caching_sha2_password
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds
For the most comprehensive results, combine script scanning with service detection:
nmap -sV -sC localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
|_http-title: Home - CUPS 2.3.1
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_mysql-info: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds
Let's focus on analyzing specific services in more detail.
To analyze the HTTP service in detail, we can use the http-* scripts:
nmap --script="http-*" -p 80 localhost
This runs all HTTP-related scripts against port 80:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
PORT STATE SERVICE
80/tcp open http
|_http-chrono: Request times for /; avg: 32.68ms; min: 32.68ms; max: 32.68ms
|_http-comments-displayer: Couldn't find any comments.
|_http-date: Thu, 14 Sep 2023 17:30:24 GMT; +6s from local time.
|_http-devframework: Couldn't determine the underlying framework or CMS. Try increasing 'httpspider.maxpagecount' value to spider more pages.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-favicon: Unknown favicon MD5: 6D33949773573A11BEBE0D20AC1B7967
|_http-feed: Couldn't find any feeds.
|_http-fetch: Please enter the complete path of the directory to save data in.
|_http-generator: Couldn't find any generator in the HTML headers and body
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-mobileversion-checker: No mobile version detected.
|_http-referer-checker: Couldn't find any cross-domain scripts.
|_http-security-headers:
| http-server-header:
| Apache/2.4.41
|_ Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-traceroute: ERROR: Script execution failed (use -d to debug)
|_http-useragent-tester:
|_http-xssed: No previously reported XSS vuln.
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
Similarly, we can analyze the SSH service:
nmap --script="ssh-*" -p 22 localhost
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:35 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 3072 e2:5d:9c:5c:62:42:44:cd:fc:31:e0:a6:18:11:69:1c (RSA)
| 256 7d:95:f0:2f:7a:95:3a:4d:f3:52:ef:6f:6b:af:01:71 (ECDSA)
|_ 256 90:12:20:de:cb:c0:76:3a:fb:15:db:75:4e:78:fc:d7 (ED25519)
|_ssh-run: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Nmap includes scripts that can detect potential vulnerabilities. Using the vuln category helps identify security issues:
nmap --script=vuln localhost
This may take some time because it runs a variety of vulnerability checks. The output may look like this:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-14 17:40 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
631/tcp open ipp
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 87.28 seconds
In this case Nmap has determined that the Apache web server is likely vulnerable to a Slowloris DoS attack. This information can be valuable for securing your system.
Now let's combine everything we have learned to create a comprehensive security report:
sudo nmap -sS -sV -O -sC --script=vuln -T4 -oA comprehensive_security_report localhost
This command:
- -sS performs a TCP SYN scan
- -sV detects service versions
- -O detects the operating system
- -sC runs the default script set
- --script=vuln runs the vulnerability detection scripts
- -T4 uses the aggressive timing template
- -oA comprehensive_security_report saves the results in all three formats with the base name comprehensive_security_report
The output will be extensive and may take some time to complete. Once it finishes you will have a detailed security report in several formats (normal, XML, and grepable) that you can consult for security analysis.
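The XML output (-oX, or the .xml file from -oA) is the format intended for other tools, and a report like the one above is where it pays off. As an added example that is not part of this lab, the following Python parses a constructed nmap XML document, modelled on the localhost results and on the table structure the NSE vulns library produces for scripts such as http-slowloris-check, and extracts open ports, service versions, the OS guess, and only those script findings whose state is actually vulnerable (a "NOT VULNERABLE" result is skipped); the sample XML and the example-check script id are invented.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (the -oX / -oA format), modelled on the lab's localhost results and on
# the <table>/<elem> structure the NSE vulns library emits. Not real output; "example-check" is made up.
SAMPLE_XML = """\
<nmaprun scanner="nmap" version="7.80" args="nmap -sS -sV -O -sC --script=vuln -oA r localhost">
 <host><status state="up" reason="syn-ack"/>
  <address addr="127.0.0.1" addrtype="ipv4"/>
  <ports><extraports state="closed" count="996"/>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
    <service name="ssh" product="OpenSSH" version="8.2p1 Ubuntu 4ubuntu0.5"/>
    <script id="example-check" output="NOT VULNERABLE"><table key="EXAMPLE-0000">
     <elem key="title">Example check</elem><elem key="state">NOT VULNERABLE</elem>
    </table></script></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
    <service name="http" product="Apache httpd" version="2.4.41"/>
    <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
    <script id="http-slowloris-check" output="VULNERABLE: Slowloris DOS attack">
     <table key="CVE-2007-6750"><elem key="title">Slowloris DOS attack</elem>
      <elem key="state">LIKELY VULNERABLE</elem>
      <table key="ids"><elem>CVE:CVE-2007-6750</elem></table></table></script></port>
   <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
    <service name="mysql" product="MySQL" version="8.0.30-0ubuntu0.20.04.2"/></port>
  </ports>
  <os><osmatch name="Linux 4.15 - 5.6" accuracy="100"/></os>
 </host>
</nmaprun>
"""


def is_vulnerable(state):
    """States look like 'VULNERABLE', 'LIKELY VULNERABLE', 'VULNERABLE (DoS)' or 'NOT VULNERABLE'."""
    return "VULNERABLE" in state and not state.startswith("NOT")


def parse_report(xml_text):
    """One dict per host: address, OS guess, open ports (port, proto, service, version), findings."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        osmatch = host.find("os/osmatch")
        entry = {"addr": host.find("address").get("addr"),
                 "os": osmatch.get("name") if osmatch is not None else None,
                 "open_ports": [], "findings": []}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service or script details
            portid, svc = int(port.get("portid")), port.find("service")
            version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entry["open_ports"].append((portid, port.get("protocol"), svc.get("name"), version))
            for script in port.findall("script"):  # one <table> per vulns-library finding
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="")
                    if is_vulnerable(state):
                        entry["findings"].append({
                            "port": portid, "script": script.get("id"), "state": state,
                            "title": table.findtext("elem[@key='title']"),
                            "ids": [e.text for e in table.findall("table[@key='ids']/elem")]})
        hosts.append(entry)
    return hosts
```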
In this step you have learned how to use Nmap's scripting engine to gather detailed information about services and detect potential vulnerabilities. These advanced techniques are essential for comprehensive network security assessment.
In this lab you have learned the fundamentals of using Nmap for network reconnaissance and security assessment. You now understand:
- how to install Nmap and perform basic port scans
- the essential scan flags (-sS, -sT, -sV, -O, -A) and how to combine them
- scanning strategies for multiple hosts, timing templates, and output formats
- how to use the Nmap Scripting Engine to analyze services and detect potential vulnerabilities
These skills form the foundation of network security assessment and are essential for cybersecurity professionals. Remember to always use these techniques responsibly and only on networks you are authorized to scan.
As you continue your cybersecurity journey, consider exploring more advanced Nmap features such as custom NSE script development, firewall evasion techniques, and integration with other security tools. Regular practice with Nmap will help you become more proficient at identifying potential security issues in network environments.