nmap -Pn scan finds no live hosts; nothing is found even with the -Pn option

Active Information Gathering 1: Scanning with Nmap - Jianshu
Port scanning with Nmap
Nmap is a very popular scanner, and the results of an Nmap scan can be saved into the MSF database for later use.
Nmap has a huge number of options, but normally we only use a handful of them; nmap --help shows the basic usage. See also the official Chinese Nmap documentation.
Kali ships with Nmap; use it directly, there is no need to enter msfconsole first.
Let us first introduce a few commonly used options.
First, -sS: this option selects the stealthy TCP SYN scan to check whether ports are open.
Next, -Pn: this tells nmap not to ping first to decide whether a host is alive, but to assume every host is up. This option is useful for targets on the Internet, because many networks there block the ICMP traffic that ping uses; if you ping first, you may miss many hosts that are actually up. When scanning inside a LAN you can leave this option out.
Let us scan the XP virtual machine with these two options to see the effect:
(figure: nmap-ss-pn-example.png)
(Replace 172.16.83.128 in the figure with the IP address of your own virtual machine)
As you can see, nmap lists the target's open ports and the service usually associated with each port.
To get more information about the target, enable the -A option, described as follows.
-A: Enable OS detection, version detection, script scanning, and traceroute
As the help text says, enabling -A is equivalent to enabling OS detection, version detection, script scanning and traceroute.
Scan the VM again with -A added; the result is as follows:
(figure: nmap-ss-pn-a-example-1.png)
Compared with the scan without -A, positions 1 to 4 now show the program using each port, some with a version number, and at position 5 the FTP service was found to allow anonymous login. This information is a great help in preparing the penetration test.
(figure: nmap-ss-pn-a-example-2.png)
1 shows the guess about the scanned system and its possible OS CPE (Operating System Common Platform Enumeration)
2 shows the SQL database running on the system: type, version, instance name and so on.
(figure: nmap-ss-pn-a-example-3.png)
1 is the SQL service port
2 is the OS information detected through an SMB protocol weakness; it is generally a little more accurate than the one above.
3 is the traceroute information
These two simple examples should give a sense of how powerful Nmap is; other uses will be introduced gradually later.
Using the database in MSF
Connecting MSF to the database
To use the database in MSF, first start the postgresql service.
Then open the msf console with msfconsole
(figure: start-pg-and-msfconsole.png)
Then enter the following command to connect to the postgresql database:
db_connect postgresql:<password>@<ipaddr>/<book>
The default postgresql password is toor, the IP is of course the local machine's IP, and the database name (book) can be anything; msf3 is the usual choice, even though MSF is already at version 4.
After that, use db_status to check the database connection
(figure: msf-connect-db.png)
Importing scan results into the database
Nmap can be run directly inside the msf console; this time we use the -oX option to write the scan result as XML.
Enter the following command directly in the msf console:
nmap -sS -Pn -A -oX report.xml 172.16.83.128
When it finishes, type ls and press Enter: report.xml has been created in the current directory
Once the XML file exists, use the db_import command to import it into the database. Afterwards, verify the import with the hosts and services commands: hosts lists all host records currently in the database, services lists the services offered by each host, as shown below:
(figure: xml-import-to-db-and-check.png)
In the figure below, the three red boxes are the commands entered; everything else is output.
The active information gathering part is long and is split up; continued in the next section.
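To show what db_import does with the XML that -oX writes, here is an added example (written for this page; it is not code from the Jianshu post, from Nmap or from Metasploit). It parses the nmaprun document and rebuilds the two views that the hosts and services commands print. The XML is a constructed sample in the -oX format, not a real scan of 172.16.83.128; its ports, products and versions are invented.

```python
"""Parse Nmap -oX (XML) output into the host and service views that
msfconsole's `hosts` and `services` commands show after db_import.
Added example for this page; not Nmap's or Metasploit's own code."""
import xml.etree.ElementTree as ET

# Constructed sample in the nmaprun format; ports, products and versions are
# invented for the example and are NOT results of a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -A -oX report.xml 172.16.83.128" version="6.49BETA4">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="172.16.83.128" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="514"><state state="filtered" reason="no-response"/>
        <service name="shell"/></port>
      <port protocol="tcp" portid="1433"><state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2005"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os>
  </host>
  <runstats><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, hostname, state, os, ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:                       # IPv6-only scans carry addrtype="ipv6"
            addr = h.find("address")
        status = h.find("status")
        hostname = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")         # first osmatch is Nmap's best guess
        ports = []
        for p in h.findall("ports/port"):
            state = p.find("state")
            svc = p.find("service")
            info = ""
            if svc is not None:
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name", "") if svc is not None else "",
                "info": info,
            })
        hosts.append({
            "address": addr.get("addr") if addr is not None else "",
            "hostname": hostname.get("name") if hostname is not None else "",
            "state": status.get("state") if status is not None else "unknown",
            "os": osmatch.get("name") if osmatch is not None else "",
            "ports": ports,
        })
    return hosts


def hosts_table(hosts):
    """Rows in the spirit of msf's `hosts`: address, name, os, state."""
    return [(h["address"], h["hostname"], h["os"], h["state"]) for h in hosts]


def services_table(hosts, only_open=True):
    """Rows in the spirit of msf's `services`: host, port, proto, name, state, info.
    Filtered/closed ports are dropped by default, which is what you want when
    building a target list; pass only_open=False to keep them."""
    rows = []
    for h in hosts:
        for p in sorted(h["ports"], key=lambda x: (x["proto"], x["port"])):
            if only_open and p["state"] != "open":
                continue
            rows.append((h["address"], p["port"], p["proto"], p["name"], p["state"], p["info"]))
    return rows


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for row in hosts_table(parsed):
        print("host   ", *row)
    for row in services_table(parsed):
        print("service", *row)
```

Run it with python3 and compare the two listings with what hosts and services show after db_import report.xml; the filtered 514/tcp line disappears from the services view exactly as a filtered port is of no use as a target.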
★ Kali Information Gathering ★ 8. Nmap: port scanning
Options: (Zenmap is Nmap's GUI; if you would rather not type commands you can use it directly)
Nmap 6.49BETA4 (
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE () FOR MORE OPTIONS AND EXAMPLES
Offline download: http://pan.baidu.com/s/1dEiZdJV
Usage: (the "common" form is quicker; the "full" form is more thorough but slower [it is the all-ports scan that makes it slow])
OS identification: (a first look; detailed explanation later)
nmap -O -Pn <ip address>
TCP scan: the most reliable port scan; completes the TCP three-way handshake
Common: nmap -sT -Pn <ip address>
Full: nmap -sT -p- -Pn <ip address>
-sT TCP connect scan (s => which kind of scan? ==> T: TCP connect)
-p- scan all ports (without it the default is the 1000 most common ports)
-Pn disable Nmap host discovery; assume every host is up
Batch scan, e.g.: nmap -sT -p- -Pn 192.168.1.1-254
SYN scan: ★ the most used port scan; only two steps of the TCP handshake (stealth scan, fast)
Common: nmap -sS -Pn <ip address>
Full: nmap -sS -p- -Pn <ip address>
-sS (-s => which kind of scan? S => SYN)
UDP scan: (DHCP, DNS, SNMP, TFTP and others run over UDP)
Common: nmap -sU <ip address>
Full: nmap -sUV <ip address>
U => UDP, V => version info (-sV adds version detection to the UDP scan)
No -Pn option here (think of it from UDP's point of view: once you have sent, that is it, regardless of whether it was received)
Xmas scan: the RFCs describe the technical details of the system; with the RFC in hand one may find weaknesses in the implementation, and that is exactly the idea behind the Xmas and Null scans. Xmas scans are generally more effective against Unix or Linux systems.
Common: nmap -sX -Pn <ip address>
Full: nmap -sX -p- -Pn <ip address>
Null scan: the opposite of the Xmas scan; it sends packets with no flags set. An open port sends nothing back, a closed port answers with an RST packet.
Common: nmap -sN -Pn <ip address>
Full: nmap -sN -p- -Pn <ip address>
Extra: while a scan runs, pressing d shows debug information; pressing any other key (e.g. X) shows the current progress as XX.XX%
Null scan and Xmas scan
If the system follows the TCP RFC, Nmap can determine the state of the target's port at the moment it initiates the connection, without completing it. (PS: neither the Xmas nor the Null scan establishes any kind of communication channel; the purpose of the scan is just to determine which ports are open or closed.)
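The scan types above differ only in which answer Nmap treats as "open", "closed" or "filtered". The added example below (written for this page, not Nmap's code) encodes that classification for the SYN, connect, Null/FIN/Xmas and UDP scans and pairs it with a deliberately simplified model of how a target answers; the model's two stacks, rfc793 and windows, and its firewalled and udp_replies switches are assumptions made for the example. Running it shows why the "open|filtered" state appears for UDP and inverse scans and why Null/Xmas scans report every port as closed against a Windows stack, which is the reason the post says they work best against Unix or Linux.

```python
"""How Nmap turns a target's answer into a port state for the scan types above
(SYN, connect, Null/FIN/Xmas, UDP), and why Null/Xmas give nothing on Windows.
Added example for this page, not Nmap code; the stack models are simplified."""

SYN_STYLE = {"sS", "sT"}        # half-open SYN and full connect() classify alike
INVERSE = {"sN", "sF", "sX"}    # Null / FIN / Xmas: probes a compliant stack ignores on open ports
ICMP_UNREACH = 3                # ICMP type 3; code 3 = port unreachable


def infer_state(scan, response):
    """response is a tuple: ('syn-ack',), ('rst',), ('udp',), ('none',) or ('icmp', type, code)."""
    kind = response[0]
    if scan in SYN_STYLE:
        if kind == "syn-ack":
            return "open"
        if kind == "rst":
            return "closed"
        return "filtered"            # ICMP unreachable, or silence after retransmissions
    if scan in INVERSE:
        if kind == "rst":
            return "closed"          # RFC 793: a closed port answers RST
        if kind == "icmp":
            return "filtered"
        return "open|filtered"       # an open port is silent, but so is a firewall that drops
    if scan == "sU":
        if kind == "udp":
            return "open"
        if kind == "icmp" and response[1] == ICMP_UNREACH:
            return "closed" if response[2] == 3 else "filtered"
        return "open|filtered"       # most UDP services ignore an empty probe
    raise ValueError(f"unsupported scan type {scan!r}")


def target_response(scan, port_open, stack="rfc793", firewalled=False, udp_replies=False):
    """Simplified model of how a host answers one probe (an assumption made for this
    example). stack='rfc793' behaves like BSD/Linux; stack='windows' sends RST to
    Null/FIN/Xmas probes whether the port is open or not, which is the real-world
    reason those scans work against Unix-like systems but not Windows."""
    if firewalled:
        return ("none",)                  # stateful filter silently drops the probe
    if scan in SYN_STYLE:
        return ("syn-ack",) if port_open else ("rst",)
    if scan in INVERSE:
        if not port_open or stack == "windows":
            return ("rst",)
        return ("none",)
    if scan == "sU":
        if not port_open:
            return ("icmp", ICMP_UNREACH, 3)
        return ("udp",) if udp_replies else ("none",)
    raise ValueError(f"unsupported scan type {scan!r}")


def scan_port(scan, port_open, **host):
    """Run one probe against the modelled host and return Nmap's port state."""
    return infer_state(scan, target_response(scan, port_open, **host))


def scan_table(scan, **host):
    """Port states for one open and one closed port under the given host model."""
    return {"open port": scan_port(scan, True, **host),
            "closed port": scan_port(scan, False, **host)}


if __name__ == "__main__":
    for s in ("sS", "sT", "sX", "sN", "sU"):
        print(s, "rfc793:", scan_table(s), "windows:", scan_table(s, stack="windows"))
```

The firewalled case is the one to keep in mind when reading results: a SYN scan reports "filtered", a Null or Xmas scan reports "open|filtered", and neither tells you whether a service is really listening.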
Other scan options
-sV version detection
-iL batch-scan the IPs listed in a file
-F: fast mode: scan fewer ports than the default
-v more verbose output (use -vv or more for greater effect)
-A enable OS detection, version detection, script scanning, etc.
-T timing (0 slowest to 5 fastest): slow down to avoid detection, speed up if pressed for time
In practice: (commands commonly used during a penetration test)
① Fast scan
root@Kali:~# nmap -T4 -F 192.168.169.105
Starting Nmap 6.49BETA4 (
Nmap scan report for 192.168.169.105
Host is up (1.7s latency).
Not shown: 92 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
514/tcp filtered shell
1433/tcp open ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
② Fast SYN scan: (two-step TCP handshake, stealthy)
root@Kali:~# nmap -sS -T4 -A -v cnblogs.com
Starting Nmap 6.49BETA4 (
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating Ping Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [4 ports]
Completed Ping Scan at 17:00, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:00
Completed Parallel DNS resolution of 1 host. at 17:00, 2.01s elapsed
Initiating SYN Stealth Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [1000 ports]
Discovered open port 443/tcp on 42.121.252.58
Discovered open port 80/tcp on 42.121.252.58
Increasing send delay for 42.121.252.58 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
Increasing send delay for 42.121.252.58 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Completed SYN Stealth Scan at 17:01, 84.92s elapsed (1000 total ports)
Initiating Service scan at 17:01
Scanning 2 services on cnblogs.com (42.121.252.58)
Completed Service scan at 17:01, 5.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against cnblogs.com (42.121.252.58)
Retrying OS detection (try #2) against cnblogs.com (42.121.252.58)
WARNING: OS didn't match until try #2
Initiating Traceroute at 17:01
Completed Traceroute at 17:01, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:01
Completed Parallel DNS resolution of 2 hosts. at 17:01, 0.15s elapsed
NSE: Script scanning 42.121.252.58.
Initiating NSE at 17:01
Completed NSE at 17:02, 6.16s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Nmap scan report for cnblogs.com (42.121.252.58)
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
|_http-favicon: Unknown favicon MD5: CDD795C4B3E1EDB1DB89E73
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-title: \xE5\x8D\x9A\xE5\xAE\xA2\xE5\x9B\xAD - \xE5\xBC\x80\xE5\x8F\x91\xE8\x80\x85\xE7\x9A\x84\xE7\xBD\x91\xE4\xB8\x8A\xE5\xAE\xB6\xE5\x9B\xAD
|_Requested resource was
443/tcp open tcpwrapped
| http-cisco-anyconnect:
|_ ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.cnblogs.com
| Issuer: commonName=Go Daddy Secure Certificate Authority - G2/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: T08:12:38
| Not valid after: T12:31:38
| MD5: 9b12 efe2 1f0c 7967 ca7c fe14 2a13 a200
|_SHA-1: 29dd 13c4 11cd e03b de35 cad9 60ac e7e6 52de 8c44
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec Linux, Linux 2.4.X|3.X
OS CPE: cpe:/o:actiontec:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.04 ms 192.168.232.2
2 0.04 ms 42.121.252.58
NSE: Script Post-scanning.
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 108.48 seconds
Raw packets sent: 6KB) | Rcvd: 195 (9.170KB)
③ Fast UDP scan
root@Kali:~# nmap -sU -v 192.168.169.105
Starting Nmap 6.49BETA4 (
Initiating Ping Scan at 19:20
Scanning 192.168.169.105 [4 ports]
Completed Ping Scan at 19:20, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:20
Completed Parallel DNS resolution of 1 host. at 19:20, 2.01s elapsed
Initiating UDP Scan at 19:20
Scanning 192.168.169.105 [1000 ports]
Discovered open port 137/udp on 192.168.169.105
Completed UDP Scan at 19:20, 23.11s elapsed (1000 total ports)
Nmap scan report for 192.168.169.105
Host is up (0.0013s latency).
Not shown: 998 open|filtered ports
PORT STATE SERVICE
137/udp open netbios-ns
4500/udp closed nat-t-ike
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
Raw packets sent: KB) | Rcvd: 32 (1.654KB)
④ Fast scan (no ping)
root@Kali:~# nmap -T4 -A -v -Pn 192.168.169.105
Starting Nmap 6.49BETA4 (
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:52
Completed NSE at 09:52, 0.00s elapsed
Initiating NSE at 09:52
Completed NSE at 09:52, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:52
Completed Parallel DNS resolution of 1 host. at 09:52, 8.18s elapsed
Initiating SYN Stealth Scan at 09:52
Scanning 192.168.169.105 [1000 ports]
Discovered open port 80/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Discovered open port 443/tcp on 192.168.169.105
Discovered open port 135/tcp on 192.168.169.105
Discovered open port 139/tcp on 192.168.169.105
Discovered open port 445/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 5 to 10 due to max_successful_tryno increase to 5
Warning: 192.168.169.105 giving up on port because retransmission cap hit (6).
SYN Stealth Scan Timing: About 8.99% ETC: 09:58 (0:05:14 remaining)
SYN Stealth Scan Timing: About 14.66% ETC: 09:59 (0:05:55 remaining)
SYN Stealth Scan Timing: About 22.24% ETC: 09:59 (0:05:18 remaining)
SYN Stealth Scan Timing: About 29.91% ETC: 09:59 (0:04:43 remaining)
Discovered open port 1433/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 37.97% ETC: 09:59 (0:04:07 remaining)
Discovered open port 444/tcp on 192.168.169.105
Discovered open port 2383/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 54.17% ETC: 09:58 (0:02:33 remaining)
Discovered open port 2179/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 76.10% ETC: 09:57 (0:01:06 remaining)
Discovered open port 912/tcp on 192.168.169.105
Discovered open port 902/tcp on 192.168.169.105
Completed SYN Stealth Scan at 09:57, 318.66s elapsed (1000 total ports)
Initiating Service scan at 09:57
Scanning 11 services on 192.168.169.105
Completed Service scan at 09:58, 33.60s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.169.105
Initiating Traceroute at 09:58
Completed Traceroute at 09:58, 1.01s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:58
Completed Parallel DNS resolution of 2 hosts. at 09:58, 0.05s elapsed
NSE: Script scanning 192.168.169.105.
Initiating NSE at 09:58
Completed NSE at 09:58, 13.23s elapsed
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Nmap scan report for 192.168.169.105
Host is up (0.59s latency).
Not shown: 979 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
| Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
443/tcp open ssl/http Apache httpd
| http-auth:
| HTTP/1.1 401 Authorization Required
|_ Basic realm=VisualSVN Server
| http-cisco-anyconnect:
|_ ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Authorization Required
| ssl-cert: Subject: commonName=DESKTOP-PTACRF6
| Issuer: commonName=DESKTOP-PTACRF6
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: T14:04:50
| Not valid after: T14:04:50
| MD5: c707 0eb2 71d6 d2f 5594 dc01
|_SHA-1: de83 b92f ad7d e0d0 125a 2f88 99d9 c741 6b51 bdcf
|_ssl-date: TLS randomness does not represent time
444/tcp open ssl/http VMware VirtualCenter Web service
| http-cisco-anyconnect:
|_ ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title ( charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Issuer: commonName=VMware/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: T15:04:18
| Not valid after: T15:04:18
| MD5: 6634 afe2 c934 e412 653c ee79 8fbe c64f
|_SHA-1: da6f aaeb 31b4 51a8 73b6 403a 728d c0e5 a1e9 7c08
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds (primary domain: WORKGROUP)
514/tcp filtered shell
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1198/tcp filtered cajo-discovery
1433/tcp open ms-sql-s Microsoft SQL Server .4100.00; SP1+
1641/tcp filtered invision
2179/tcp open vmrdp?
2383/tcp open ms-olap4?
2717/tcp filtered pn-requester
2998/tcp filtered iss-realsec
3814/tcp filtered neto-dcs
5950/tcp filtered unknown
9944/tcp filtered unknown
10003/tcp filtered documentum_s
44176/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at
SF-Port445-TCP:V=6.49BETA4%I=7%D=12/24%Time=567B5124%P=i586-pc-linux-gnu%r
SF:(SMBProgNeg,85,"\0\0\0\x81\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0
SF:\0\0\0\0@\x06\0\0\x01\0\x11\x07\0\x032\0\x01\0\x04\x11\0\0\0\0\x01\0\0\
SF:0\0\0\xfc\xe3\x01\0\xad\xb4\x16\x7f\xee=\xd1\x01\x20\xfe\x08&\0B2\xe4\^
SF:\xe0\xab\x91PW\0O\0R\0K\0G\0R\0O\0U\0P\0\0\0D\0E\0S\0K\0T\0O\0P\0-\0P\0
SF:T\0A\0C\0R\0F\x006\0\0\0");
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DESKTOP-PTACRF6; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
Host script results:
| ms-sql-info:
| 192.168.169.105:1433:
| Version:
| Service pack level: SP1
| Post-SP patches applied: true
| name: Microsoft SQL Server 2014 SP1+
| number: 12.00.4100.00
Product: Microsoft SQL Server 2014
|_ TCP port: 1433
| nbstat: NetBIOS name: DESKTOP-PTACRF6, NetBIOS user: <unknown>, NetBIOS MAC: ac:b5:7d:18:93:b9 (Liteon Technology)
| DESKTOP-PTACRF6<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ DESKTOP-PTACRF6<20> Flags: <unique><active>
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 0.37 ms 192.168.232.2
2 1000.57 ms 192.168.169.105
NSE: Script Post-scanning.
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Initiating NSE at 09:58
Completed NSE at 09:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 382.58 seconds
Raw packets sent: 0KB) | Rcvd: 8KB)
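Scan ④ above ends with several findings a defender should act on: TRACE allowed on the IIS site, SMB message signing disabled, and a SQL Server listener reachable on the LAN. The following added example (written for this page, not part of the original post) parses Nmap's normal-format output, attaches the NSE script lines to the port they belong to, and turns such lines into a prioritised triage list. The sample text is constructed from the shape of the output above; the 21/tcp line and its ftp-anon result are invented for the example and were not observed on that host.

```python
"""Triage of Nmap normal-format output: parse port lines and NSE script lines,
then flag exposures a defender should fix first. Added example for this page,
not the original post's code; the rules are a small illustrative set."""
import re

# Constructed sample modelled on the output above. The 21/tcp line and its
# ftp-anon result are invented for the example; they were not observed.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.169.105
Host is up (0.59s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
| Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
139/tcp   open     netbios-ssn   Microsoft Windows 98 netbios-ssn
445/tcp   open     microsoft-ds  (primary domain: WORKGROUP)
514/tcp   filtered shell
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2014 SP1+
Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
DATABASE_SERVICES = {"ms-sql-s", "mysql", "postgresql", "oracle-tns", "mongodb"}
SMB_SERVICES = {"netbios-ssn", "microsoft-ds"}


def parse_normal_output(text):
    """Return (ports, host_scripts). Each port dict carries the NSE lines printed
    under it; lines after 'Host script results:' go to host_scripts."""
    ports, host_scripts = [], []
    current, in_host_scripts = None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": (m.group(5) or "").strip(),
                       "scripts": []}
            ports.append(current)
            in_host_scripts = False
            continue
        if line.startswith("Host script results:"):
            in_host_scripts, current = True, None
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").rstrip()       # drop the '| ' / '|_ ' tree prefix
            if in_host_scripts or current is None:
                host_scripts.append(body)
            else:
                current["scripts"].append(body)
    return ports, host_scripts


def triage(ports, host_scripts):
    """Map parsed results to (severity, location, message), most urgent first."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        where = f"{p['port']}/{p['proto']}"
        if p["service"] in DATABASE_SERVICES:
            findings.append(("high", where, f"database service {p['service']} reachable from the network"))
        if p["service"] in SMB_SERVICES:
            findings.append(("low", where, "SMB/NetBIOS exposed; restrict to the management network"))
        for s in p["scripts"]:
            if s.startswith("ftp-anon:") and "Anonymous FTP login allowed" in s:
                findings.append(("high", where, "anonymous FTP login allowed"))
            if s.startswith("Potentially risky methods") and "TRACE" in s:
                findings.append(("medium", where, "HTTP TRACE method enabled"))
    for s in host_scripts:
        if s.startswith("message_signing: disabled"):
            findings.append(("high", "host", "SMB message signing disabled"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for sev, where, msg in triage(*parse_normal_output(SAMPLE_OUTPUT)):
        print(f"[{sev:6}] {where:9} {msg}")
```

The parser only handles the normal (-oN) layout; for anything automated, prefer -oX and a real XML parser, since the normal format changes wording between Nmap versions.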
⑤ Enhanced fast scan
root@Kali:~# nmap -sV -T4 -O -F --version-light 192.168.169.105
Starting Nmap 6.49BETA4 (
Nmap scan report for 192.168.169.105
Host is up (0.31s latency).
Not shown: 92 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
443/tcp open ssl/http Apache httpd
444/tcp open ssl/http VMware VirtualCenter Web service
445/tcp open microsoft-ds (primary domain: WORKGROUP)
514/tcp filtered shell
1433/tcp open ms-sql-s Microsoft SQL Server 2014
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
Service Info: Host: DESKTOP-PTACRF6; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
OS and Service detection performed. Please report any incorrect results at
Nmap done: 1 IP address (1 host up) scanned in 47.93 seconds
⑥ SYN full-port scan
[Some administrators put services on unusual ports; only a full-port scan turns up the good stuff]
root@Kali:~# nmap -sS -p- -T4 -A -v 192.168.169.105
Starting Nmap 6.49BETA4 (
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:07
Completed NSE at 09:07, 0.00s elapsed
Initiating NSE at 09:07
Completed NSE at 09:07, 0.00s elapsed
Initiating Ping Scan at 09:07
Scanning 192.168.169.105 [4 ports]
Completed Ping Scan at 09:07, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:07
Completed Parallel DNS resolution of 1 host. at 09:07, 0.06s elapsed
Initiating SYN Stealth Scan at 09:07
Scanning 192.168.169.105 [65535 ports]
Discovered open port 135/tcp on 192.168.169.105
Discovered open port 443/tcp on 192.168.169.105
Discovered open port 80/tcp on 192.168.169.105
Discovered open port 445/tcp on 192.168.169.105
Discovered open port 139/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 0 to 5 due to 45 out of 112 dropped probes since last increase.
Increasing send delay for 192.168.169.105 from 5 to 10 due to 397 out of 991 dropped probes since last increase.
SYN Stealth Scan Timing: About 5.11% ETC: 09:18 (0:09:35 remaining)
Warning: 192.168.169.105 giving up on port because retransmission cap hit (6).
SYN Stealth Scan Timing: About 8.41% ETC: 09:43 (0:32:52 remaining)
SYN Stealth Scan Timing: About 8.89% ETC: 09:47 (0:36:03 remaining)
Discovered open port 1549/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 14.17% ETC: 10:19 (1:01:18 remaining)
SYN Stealth Scan Timing: About 14.89% ETC: 10:24 (1:04:57 remaining)
SYN Stealth Scan Timing: About 15.50% ETC: 10:29 (1:08:46 remaining)
Discovered open port 1539/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 16.79% ETC: 10:35 (1:12:56 remaining)
SYN Stealth Scan Timing: About 17.95% ETC: 10:42 (1:17:19 remaining)
SYN Stealth Scan Timing: About 19.25% ETC: 10:49 (1:22:05 remaining)
SYN Stealth Scan Timing: About 20.88% ETC: 10:58 (1:27:13 remaining)
Discovered open port 1553/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 22.52% ETC: 11:07 (1:32:45 remaining)
SYN Stealth Scan Timing: About 23.78% ETC: 11:17 (1:38:46 remaining)
Stats: 0:36:36 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.11% ETC: 11:28 (1:43:32 remaining)
Stats: 0:36:39 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.12% ETC: 11:28 (1:43:36 remaining)
...... (takes a long time; detailed output omitted) ......
⑦ The big gun: comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 192.168.169.105
Starting Nmap 6.49BETA4 (
NSE: Loaded 243 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:28
NSE: [mtrace] A source IP must be provided through fromip argument.
Completed NSE at 12:28, 10.50s elapsed
Initiating NSE at 12:28
Completed NSE at 12:28, 0.00s elapsed
Pre-scan script results:
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-igmp-discovery:
| 192.168.232.1
| Interface: eth0
| Version: 2
| Group: 224.0.0.251
| Description: mDNS
| 192.168.232.1
| Interface: eth0
| Version: 2
| Group: 224.0.0.252
| Description: Link-local Multicast Name Resolution (rfc4795)
| 192.168.232.1
| Interface: eth0
| Version: 2
| Group: 239.255.255.250
| Description: Organization-Local Scope (rfc2365)
|_ Use the newtargets script-arg to add the results as targets
| broadcast-ping:
| IP: 192.168.232.2 MAC: 00:50:56:f5:1a:80
|_ Use --script-args=newtargets to add the results as targets
| http-icloud-findmyiphone:
|_ ERROR: No username or password was supplied
| http-icloud-sendmsg:
|_ ERROR: No username or password was supplied
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Initiating Ping Scan at 12:28
Scanning 192.168.169.105 [7 ports]
Completed Ping Scan at 12:28, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:28
Completed Parallel DNS resolution of 1 host. at 12:28, 0.04s elapsed
Initiating SYN Stealth Scan at 12:28
Scanning 192.168.169.105 [1000 ports]
...... (takes a long time; detailed output omitted) ......