Kali Linux: the nmap command
Concept
Nmap (Network Mapper) probes remote hosts and networks: it performs security scans, network audits and open-port discovery. Against a live remote host it reports the host's operating system, any packet filtering in front of it, and its open ports.
Usage scenarios
In practice, covering the common use cases comes down to mastering the parameters below. The target machine throughout is 192.168.31.18.
1. Basic scan
root@sunjin:/home/sunjin# nmap 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:46 CST
Nmap scan report for 192.168.31.18
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
3306/tcp open mysql
8089/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
Adding the -sV parameter gives service version information; services nmap cannot identify are dumped as a fingerprint that you can submit upstream:
root@sunjin:/home/sunjin# nmap -sV 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:48 CST
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
443/tcp open ssl/https
3306/tcp open mysql MySQL 5.7.32
8089/tcp open unknown
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7.80%T=SSL%I=7%D=11/6%Time=5FA4AB6E%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,DE,"HTTP/1\.1\x20302\x20\r\nCache-Control:\x20private\r\n
SF:Expires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nLocation:\x
SF:20https://localhost/index2\.html\r\nContent-Language:\x20zh-CN\r\nConte
SF:nt-Length:\x200\r\nDate:\x20Fri,\x2006\x20Nov\x202020\x2001:48:26\x20GM
SF:T\r\nConnection:\x20close\r\n\r\n")%r(HTTPOptions,B8,"HTTP/1\.1\x20200\
SF:x20\r\nCache-Control:\x20private\r\nExpires:\x20Thu,\x2001\x20Jan\x2019
SF:70\x2000:00:00\x20GMT\r\nAllow:\x20GET,HEAD,POST,PUT,PATCH,DELETE,OPTIO
SF:NS\r\nDate:\x20Fri,\x2006\x20Nov\x202020\x2001:48:26\x20GMT\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(FourOhFourRequest,113,"HTTP/1\.1\x20302\x20\r\
SF:nCache-Control:\x20private\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x20
……
Adding -sC runs the default NSE script set (the same as --script=default), which gives more detailed information about each service. In the output below, http-title prints the non-ASCII page title as escaped UTF-8 bytes; decoded, it reads 工业互联网认证网关管理系统 (Industrial Internet Authentication Gateway Management System), which already tells you this is a custom login portal rather than an off-the-shelf CMS, something to keep in mind when reading the brute-force results later.
root@sunjin:/home/sunjin# nmap -sC 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:50 CST
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 8e:45:b1:49:8e:4b:80:a7:cc:f0:ba:6c:be:a1:97:a1 (RSA)
| 256 2d:13:df:d4:9e:87:50:e8:db:fe:1c:f4:8a:7e:4c:6c (ECDSA)
|_ 256 16:54:fd:53:27:c6:61:4f:76:f9:85:79:97:2b:0c:c5 (ED25519)
443/tcp open https
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
| http-title: \xE5\xB7\xA5\xE4\xB8\x9A\xE4\xBA\x92\xE8\x81\x94\xE7\xBD\x91\xE8\xAE\xA4\xE8\xAF\x81\xE7\xBD\x91\xE5\x85\xB3\xE7\xAE\xA1\xE7\x90\x86\xE7\xB3\xBB\xE7\xBB\x9F
|_Requested resource was /login.html
| ssl-cert: Subject: commonName=192.168.31.111/organizationName=demo/countryName=cn
| Not valid before: 2020-10-13T03:14:26
|_Not valid after: 2021-10-13T03:14:26
|_ssl-date: 2020-11-06T01:50:37+00:00; -4s from scanner time.
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.7.32
| Thread ID: 13
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, LongPassword, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsTransactions, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, ConnectWithDatabase, Support41Auth, ODBCClient, SupportsCompression, FoundRows, LongColumnFlag, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: 9B|\x7F \x04,[\x03^Y\x05\x0E]x\x14\x0C\x0C\x19v
|_ Auth Plugin Name: mysql_native_password
8089/tcp open unknown

Host script results:
|_clock-skew: -4s

Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds
2. Vulnerability scanning
#Use nmap's auth category, i.e. the scripts that test authentication on a host (supported methods, default or bypassable credentials)
nmap --script=auth [target IP]
root@sunjin:/home/sunjin# nmap --script=auth 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:57 CST
Nmap scan report for 192.168.31.18
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
| gssapi-with-mic
|_ password
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
443/tcp open https
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
3306/tcp open mysql
8089/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds
Two lines above deserve a second look. http-config-backup failed outright; rerun with -d to see why before assuming the check was done. http-vuln-cve2010-0738 says "Authentication was not required" only because its GET to /jmx-console/ did not come back as 401 or 403; this server answers even nonexistent paths with a 302 redirect (see the FourOhFourRequest probe in the -sV fingerprint above), so this is not a confirmed JBoss finding and /jmx-console/ should be checked by hand before it goes into a report.
#Use nmap to brute-force common services
nmap --script=brute [target IP]
At first glance quite a few passwords appear to have been recovered, but most of this output should be treated as false positives until confirmed by logging in manually. http-wordpress-brute reports 10 of its 13 guesses as valid on a host whose web application is not WordPress, which means the script's success check was fooled by the server answering every login attempt the same way; mysql-enum listing all ten probe usernames as valid with an empty password is the same pattern. The one credible result is mysql-brute's root:123456, which came out of 45,012 guesses over 317 seconds; verify it with the mysql client before reporting it.
root@sunjin:/home/sunjin# nmap --script=brute 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 09:59 CST
Nmap scan report for 192.168.31.18
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-brute:
| Accounts: No valid accounts found
| Statistics: Performed 0 guesses in 1 seconds, average tps: 0.0
|_ ERROR: The service seems to have failed or is heavily firewalled...
443/tcp open https
|_citrix-brute-xml: FAILED: No domain specified (use ntdomain argument)
| http-brute:
|_ Path "/" does not require authentication
|_http-joomla-brute: ERROR: Script execution failed (use -d to debug)
| http-wordpress-brute:
| Accounts:
| root:root - Valid credentials
| netadmin:netadmin - Valid credentials
| guest:guest - Valid credentials
| user:user - Valid credentials
| web:web - Valid credentials
| sysadmin:sysadmin - Valid credentials
| administrator:administrator - Valid credentials
| webadmin:webadmin - Valid credentials
| admin:admin - Valid credentials
| test:test - Valid credentials
|_ Statistics: Performed 13 guesses in 1 seconds, average tps: 13.0
3306/tcp open mysql
| mysql-brute:
| Accounts:
| root:123456 - Valid credentials
|_ Statistics: Performed 45012 guesses in 317 seconds, average tps: 191.2
| mysql-enum:
| Valid usernames:
| root:<empty> - Valid credentials
| netadmin:<empty> - Valid credentials
| guest:<empty> - Valid credentials
| user:<empty> - Valid credentials
| web:<empty> - Valid credentials
| sysadmin:<empty> - Valid credentials
| administrator:<empty> - Valid credentials
| webadmin:<empty> - Valid credentials
| admin:<empty> - Valid credentials
| test:<empty> - Valid credentials
|_ Statistics: Performed 10 guesses in 1 seconds, average tps: 10.0
8089/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 317.33 seconds
#Use nmap to run the basic default script set
nmap --script=default [target IP]
This is the same script set that -sC runs, so the result matches the -sC scan above.
#Use nmap for information gathering
nmap --script=discovery [target IP]
This prints a large amount of service detail, for example the cipher suites offered by the TLS service.
#Use nmap for denial-of-service attacks
nmap --script=dos [target IP]
Not tested; after all, this is a shared server.
#Use nmap to exploit known vulnerabilities to break into the system
nmap --script=exploit [target IP]
#Use nmap to gather information or attack using third-party databases or resources
nmap --script=external [target IP]
Not tested; after all, this is a shared server.
#Use nmap for fuzzing: send malformed packets to the target to surface potential vulnerabilities
nmap --script=fuzzer [target IP]
#Use nmap's intrusive scripts; these may crash the target or trigger logging or blocking by the other side's IDS/IPS
nmap --script=intrusive [target IP]
Not tested; after all, this is a shared server.
#Use nmap to check whether the target is infected with malware, has a backdoor open, and so on
nmap --script=malware [target IP]
root@sunjin:/home/sunjin# nmap --script=malware 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 13:50 CST
Nmap scan report for 192.168.31.18
Host is up (0.0011s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
3306/tcp open mysql
8089/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
#Use nmap's safe category, i.e. only scripts that are unlikely to crash services, consume large bandwidth or be taken as an attack
nmap --script=safe [target IP]
This output is rather long; try it yourself.
#Use nmap to check the target for common vulnerabilities
nmap --script=vuln [target IP]
Note that vuln is not a subset of safe: broadcast-avahi-dos, which ran in the pre-scan below and sent a NULL UDP probe to the local mDNS multicast group, belongs to the dos and intrusive categories as well as vuln. If that is not acceptable on the network you are scanning, restrict the selection with a boolean script expression such as nmap --script "vuln and not dos" or nmap --script "vuln and safe".
root@sunjin:/home/sunjin# nmap --script=vuln 192.168.31.18
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-06 13:47 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.31.18
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
443/tcp open https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /login.html: Possible admin folder
| /examples/: Sample scripts
|_ /docs/: Potentially interesting folder
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3306/tcp open mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8089/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 137.77 seconds
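Every scan above was read from nmap's normal output, which is written for eyes, not for scripts. The example below is an added illustration, not code from the original page: it reads the XML that -oX produces and does the triage a practitioner otherwise performs by hand for both the port/version scans and the NSE category scans. It lists the open ports with their versions, builds the targeted second-phase scan (-sV -sC restricted to the ports found open, so the slow phase skips the 996 closed ones), and sorts NSE results into script errors, explicit negatives, suspicious brute-force hits and findings worth reading. The XML is a constructed sample that mirrors the results shown on this page, not a captured scan; the output file name followup.xml, the list of "noise" prefixes and the more-than-half-of-guesses threshold for flagging brute results are choices made for this example.

```python
"""Triage nmap XML output (-oX): open ports, versions and NSE results.

Added example, not the page's own code. Assumes the scan was run with -oX.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML format mirroring the page's results
# (ports 22/443/3306/8089 and a few of the vuln/brute script outputs).
# Hand-written for this example; not a captured scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vuln,brute -oX - 192.168.31.18" version="7.80">
<host><status state="up"/><address addr="192.168.31.18" addrtype="ipv4"/>
<ports><extraports state="closed" count="996"/>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0"/>
<script id="clamav-exec" output="ERROR: Script execution failed (use -d to debug)"/>
</port>
<port protocol="tcp" portid="443"><state state="open"/>
<service name="https" tunnel="ssl"/>
<script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
<script id="http-enum" output="&#xa;  /login.html: Possible admin folder&#xa;  /examples/: Sample scripts"/>
<script id="http-vuln-cve2010-0738" output="&#xa;  /jmx-console/: Authentication was not required"/>
<script id="http-wordpress-brute" output="&#xa;  Accounts: &#xa;    root:root - Valid credentials&#xa;    admin:admin - Valid credentials&#xa;    test:test - Valid credentials&#xa;  Statistics: Performed 4 guesses in 1 seconds, average tps: 4.0"/>
</port>
<port protocol="tcp" portid="3306"><state state="open"/>
<service name="mysql" product="MySQL" version="5.7.32"/>
<script id="mysql-brute" output="&#xa;  Accounts: &#xa;    root:123456 - Valid credentials&#xa;  Statistics: Performed 45012 guesses in 317 seconds, average tps: 191.2"/>
</port>
<port protocol="tcp" portid="8089"><state state="open"/><service name="unknown"/></port>
</ports></host></nmaprun>
"""

# Explicit negatives: good to know the check ran, not worth a report line.
# This list is an assumption for the example, not an nmap convention.
NOISE_PREFIXES = ("Couldn't find", "No valid accounts", "Hosts are all up", "FAILED:")


def open_ports(xml_text):
    """Return [(port, protocol, service, version)] for every port in state open."""
    found = []
    for port in ET.fromstring(xml_text).iter("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        name = svc.get("name", "unknown") if svc is not None else "unknown"
        parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
        found.append((int(port.get("portid")), port.get("protocol"), name,
                      " ".join(p for p in parts if p)))
    return found


def followup_command(xml_text, target, outfile="followup.xml"):
    """Second-phase scan: version detection + default scripts on open ports only."""
    ports = ",".join(str(p) for p, _, _, _ in open_ports(xml_text))
    return f"nmap -sV -sC -p {ports} -oX {outfile} {target}"


def brute_looks_false_positive(output):
    """True when more than half of a *-brute script's guesses 'succeeded'.

    A login form that answers every POST the same way (e.g. a 302 redirect)
    fools the script's success check for every guess. The 50% threshold is
    a heuristic chosen for this example.
    """
    valid = len(re.findall(r" - Valid credentials", output))
    match = re.search(r"Performed (\d+) guesses", output)
    guesses = int(match.group(1)) if match else 0
    return guesses > 0 and valid * 2 > guesses


def triage_scripts(xml_text):
    """Sort NSE results into errors, noise, suspicious brute hits and findings."""
    report = {"errors": [], "noise": [], "suspicious": [], "findings": []}
    for port in ET.fromstring(xml_text).iter("port"):
        portid = int(port.get("portid"))
        for script in port.findall("script"):
            sid, out = script.get("id"), script.get("output", "").strip()
            if out.startswith("ERROR:"):
                report["errors"].append((portid, sid))      # rerun with -d
            elif out.startswith(NOISE_PREFIXES):
                report["noise"].append((portid, sid))
            elif sid.endswith("-brute") and brute_looks_false_positive(out):
                report["suspicious"].append((portid, sid))  # verify by hand
            else:
                report["findings"].append((portid, sid, out))
    return report


if __name__ == "__main__":
    for port, proto, name, version in open_ports(SAMPLE_XML):
        print(f"{port}/{proto} {name} {version}".rstrip())
    print(followup_command(SAMPLE_XML, "192.168.31.18"))
    report = triage_scripts(SAMPLE_XML)
    for key in ("errors", "noise", "suspicious"):
        print(key, report[key])
    for portid, sid, out in report["findings"]:
        print(f"[{portid}] {sid}: {out.splitlines()[0]}")
```

Run it against a real scan with `nmap -sV --script=vuln -oX scan.xml 192.168.31.18` and feed the file contents to the same functions. The "suspicious" bucket is where the http-wordpress-brute result from the page would land, while mysql-brute's single hit out of 45,012 guesses stays a finding; the "errors" bucket tells you which scripts to rerun with -d rather than silently treating them as passed checks.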