Showing posts from 2016

afp-serverinfo.nse explained

Queries a server for some information.

Command: nmap --script afp-serverinfo.nse 192.168.8.251

Official documentation: https://nmap.org/nsedoc/scripts/afp-serverinfo.html

Script contents:

    local afp = require "afp"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local table = require "table"

    description = [[
    Shows AFP server information. This information includes the server's
    hostname, IPv4 and IPv6 addresses, and hardware type (for example
    <code>Macmini</code> or <code>MacBookPro</code>).
    ]]

    ---
    -- @output
    -- PORT    STATE SERVICE
    -- 548/tcp open  afp
    -- | afp-serverinfo:
    -- |   Server Flags:
    -- |     Flags hex: 0x837d
    -- |     Super Client: true
    -- |     UUIDs: false
    -- |     UTF8 Server Name: true
    -- |     Open Directory: true
    -- |     Reconnect: false
    -- |     Server Notifications: true
    -- |     TCP/IP: true
    -- |     Server Signature: true
    -- |     Server Messages: true
    -- |     P

afp-path-vuln.nse script explained

Detects the Mac OS X AFP directory traversal vulnerability.

Determines whether the directories on the Mac OS host can be broken into by a brute-force attack.

Official documentation: https://nmap.org/nsedoc/scripts/afp-path-vuln.html

Reference: https://www.cqure.net/wp/2010/03/detecting-apple-mac-os-x-afp-vulnerability-cve-2010-0533-with-nmap/

Script contents:

    local afp = require "afp"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local table = require "table"
    local vulns = require "vulns"

    description = [[
    Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

    This script attempts to iterate over all AFP shares on the remote
    host. For each share it attempts to access the parent directory by
    exploiting the directory traversal vulnerability as described in
    CVE-2010-0533.

    The script reports whether the system is vulnerable or not. In
    addition it lists the contents of the parent and child directories to
    a max depth of 2.
    When running in verbo

address-info.nse explained

Command: nmap --script address-info.nse IP

Official documentation: https://nmap.org/nsedoc/scripts/address-info.html

Script contents:

    local bit = require "bit"
    local datafiles = require "datafiles"
    local nmap = require "nmap"
    local stdnse = require "stdnse"
    local string = require "string"
    local table = require "table"

    description = [[
    Shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available.

    Some IP address formats encode extra information; for example some IPv6
    addresses encode an IPv4 address or MAC address. This script can decode
    these address formats:
    * IPv4-compatible IPv6 addresses,
    * IPv4-mapped IPv6 addresses,
    * Teredo IPv6 addresses,
    * 6to4 IPv6 addresses,
    * IPv6 addresses using an EUI-64 interface ID,
    * IPv4-embedded IPv6 addresses,
    * IPv4-translated IPv6 addresses and
    * ISATAP Modified EUI-64 IPv6 addresses.

    See RFC 4291 for general IPv6 addressing architecture and the definit

afp-brute explained

Used to run a test attack against port 548 on a Mac.

Command: nmap -p 548 --script afp-brute IP

Official page: https://nmap.org/nsedoc/scripts/afp-brute.html

Script contents:

    local afp = require "afp"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local string = require "string"
    local table = require "table"
    local unpwdb = require "unpwdb"

    -- we don't really need openssl here, but let's attempt to load it as a way
    -- to simply prevent the script from running, in case we don't have it
    local openssl = stdnse.silent_require("openssl")

    description = [[
    Performs password guessing against Apple Filing Protocol (AFP).
    ]]

    ---
    -- @usage
    -- nmap -p 548 --script afp-brute <host>
    --
    -- @output
    -- PORT    STATE SERVICE
    -- 548/tcp open  afp
    -- | afp-brute:
    -- |_  admin:KenSentMe => Valid credentials

    -- Information on AFP implementations
    --
    -- Snow Leopard
    -- ---

afp-ls.nse explained

About AFP: The Apple Filing Protocol (AFP), https://en.wikipedia.org/wiki/Apple_Filing_Protocol

Example: nmap -sS -sV -p 548 --script afp-ls 192.168.8.111

Script contents:

    local afp = require "afp"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local ls = require "ls"

    description = [[
    Attempts to get useful information about files from AFP volumes.
    The output is intended to resemble the output of <code>ls</code>.
    ]]

    ---
    --
    -- @usage
    -- nmap -sS -sV -p 548 --script=afp-ls target
    --
    -- @output
    -- PORT    STATE SERVICE
    -- 548/tcp open  afp     syn-ack
    -- | afp-ls:
    -- |   Information retrieved as patrik
    -- |   Volume Macintosh HD
    -- |   maxfiles limit reached (10)
    -- |   PERMISSION  UID  GID  SIZE    TIME              FILENAME
    -- |   -rw-r--r--  501  80   15364   2010-06-13 17:52  .DS_Store
    -- |   ----------  0    80   0       2009-10-05 07:42  .file
    -- |

The acarsd-info script explained

ACARS Decoder, port 2202

Official sites:
1. https://nmap.org/nsedoc/scripts/acarsd-info.html
2. http://www.acarsd.org/server_howto.html
3. https://play.google.com/store/apps/details?id=com.blackcatsystems.acars&hl=zh_TW

Script contents:

    local comm = require "comm"
    local nmap = require "nmap"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local string = require "string"
    local table = require "table"

    description = [[
    Retrieves information from a listening acarsd daemon. Acarsd decodes
    ACARS (Aircraft Communication Addressing and Reporting System) data in
    real time.  The information retrieved by this script includes the
    daemon version, API version, administrator e-mail address and
    listening frequency.

    For more information about acarsd, see:
    * http://www.acarsd.org/
    ]]

    ---
    -- @usage
    -- nmap --script acarsd-info --script-args "acarsd-info.timeout

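Finding out the software behind a service (port)

A server often runs many services, for example HTTP (80), FTP (21) and so on. Identifying the software behind these services (ports) helps with the next step of checking whether there are vulnerabilities.

Command: nmap -sV IP address

For a more thorough server version query, add -A.

To get detailed version information for the services installed on the target (an IP address or a server domain name):

    nmap -sV --version-trace IP address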

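Script editor: Notepad++

There is actually a dedicated script editor for NSE, Halcyon-master, but it cannot be installed on Windows, so I do not recommend it. Weighing many factors, I recommend Notepad++.

Official site: https://notepad-plus-plus.org/
Portable version: http://www.azofreeware.com/2006/10/notepad-35.html (阿榮福利味)

The following covers downloading the installer version from the official site.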

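Script category names

auth: scripts that perform checks and verification
broadcast: checks port status for services such as dhcp/dns/sqlserver
brute: brute-force cracking of possible weaknesses
default: scans basic characteristics when -sC or -A is used
discovery: queries information on the network
dos: uses DoS attacks
exploit: uses known vulnerabilities to break into systems
external: queries third-party databases, for example resolving through whois
fuzzer: uses fuzzing to detect potential vulnerabilities; these are intrusive scripts
malware: detects whether the host is infected with viruses, backdoors and the like
safe: the opposite of intrusive; relatively safe scripts
version: scripts for version detection of the operating system, IIS, SQL and so on
vuln: checks for vulnerabilities, for example whether XP has the MS08_067 fix

Official lookup: https://nmap.org/nsedoc/scripts/mysql-info.html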

Using -Pn

Hidden, or rather tricky, targets (computers, firewalls, devices) do not respond to ping and also close common ports such as 80. To find them, you may use -Pn and then infer and test from the ports that do exist, 1723 and 8000.

Example:

    nmap -Pn 180.177.99.88

    Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-30 06:27
    Nmap scan report for 180-177-99-88.dynamic.kbronet.com.tw (180.177.99.88)
    Host is up (0.074s latency).
    Not shown: 998 filtered ports
    PORT     STATE SERVICE
    1723/tcp open  pptp
    8000/tcp open  http-alt

    Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds

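ICMP ping methods: PE, PP, PM

nmap has many ways to scan for hosts. This time we cover the ICMP (Internet Control Message Protocol) methods.

-PE: sends an ICMP Echo packet to check whether the host is alive; it sends type 8 and type 0 comes back
-PP: uses ICMP timestamp
-PM: ICMP ping using an address mask request

Run against tw.yahoo.com, the answers turn out to differ.

Next, to detect... what kind of device is it, and what other responses are there? Haha.

About ICMP: http://www.pcnet.idv.tw/pcnet/network/network_ip_icmp.htm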
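The three probes side by side, as an added example that is not part of the original post: it builds the ICMP messages behind -PE, -PP and -PM and matches replies by type, identifier and sequence number. Only the type 8 / type 0 pair is from the post; types 13/14 (RFC 792) and 17/18 (RFC 950), the function names and the sample replies are added here and constructed for illustration.

```python
import struct

# ICMP request type -> (nmap option, expected reply type). The 8 -> 0 pair is
# from the post; 13 -> 14 (RFC 792) and 17 -> 18 (RFC 950) are added here.
PROBES = {8: ("-PE", 0), 13: ("-PP", 14), 17: ("-PM", 18)}
# Request bodies: echo has none, timestamp has three 32-bit timestamps,
# address mask has one 32-bit mask field (zero in a request).
BODIES = {8: b"", 13: bytes(12), 17: bytes(4)}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over a message that is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(icmp_type: int, ident: int, seq: int, body: bytes) -> bytes:
    """Pack type, code 0, checksum, identifier, sequence number and body."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + body)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + body

def build_probe(icmp_type: int, ident: int, seq: int) -> bytes:
    """ICMP message (without the IP header) for -PE, -PP or -PM."""
    return build_message(icmp_type, ident, seq, BODIES[icmp_type])

def classify_reply(probe: bytes, reply: bytes) -> str:
    """Match a received ICMP message against the probe that was sent."""
    if len(reply) < 8 or checksum(reply) != 0:
        return "invalid"
    ptype, _, _, pid, pseq = struct.unpack("!BBHHH", probe[:8])
    rtype, _, _, rid, rseq = struct.unpack("!BBHHH", reply[:8])
    option, expected = PROBES[ptype]
    if rtype == expected and (rid, rseq) == (pid, pseq):
        return f"host up ({option}: type {ptype} -> type {rtype})"
    return "unrelated"

if __name__ == "__main__":
    for req_type, (option, reply_type) in PROBES.items():
        probe = build_probe(req_type, ident=0x1234, seq=1)
        # Constructed reply: same identifier, sequence and body, reply type.
        reply = build_message(reply_type, 0x1234, 1, BODIES[req_type])
        print(option, probe.hex(), classify_reply(probe, reply))
```

A firewall that drops type 8 but still passes types 13 or 17 gives different answers to the three options, which is why the results can differ per target.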

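TCP SYN and ACK ping detection

By default nmap's ping detects hosts using ICMP echo. If that is blocked by a firewall, the result is host down, so it is advisable to add TCP SYN to the detection.

Command: nmap -PS IP address (uses TCP SYN)
Command: nmap -PA IP address (uses TCP ACK)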

Scanning a single device explained

Ordinary software or ping turns up the MAC address of the device at 192.168.0.250. This one is an easy case; it still responds to ping.

The main things to look at are marked in red:
1. ports: 80, 21, 1025
2. MAC address
3. FTP does not have anonymous login enabled
4. the device is identified as Telecomm
5. traceroute shows only one hop

    Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 21:06
    NSE: Loaded 138 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 21:06
    Completed NSE at 21:06, 0.00s elapsed
    Initiating NSE at 21:06
    Completed NSE at 21:06, 0.00s elapsed
    Initiating ARP Ping Scan at 21:06
    Scanning 192.168.0.250 [1 port]
    Completed ARP Ping Scan at 21:06, 0.18s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 21:06
    Completed Parallel DNS resolution of 1 host. at 21:06, 0.02s elapsed
    Initiating SYN Stealth Scan at 21:06
    Scanning 192.168.0.250 [1000 ports]
    Discovered open port 1025/tcp on 192.168.0.250
    Discovered open port 80/tcp on 192.168.0.250
    Discovered open port 21/tcp on 192.168.0.250
    SYN Stealth Scan

Command format explained

Basic command form: nmap  scan-options  timing  target-IP  output-format

-s (stealth scan): -sS (uses SYN), or -sU (uses UDP), or -sT (uses TCP), or -sA (uses ACK)

Command overview: 192.168.1.1 here is just an IP chosen for probing. Pinging with different protocols matters a lot: sometimes there is an IP conflict on the LAN and one of the conflicting devices does not respond to ping. In that case you have to find it by trying several protocols.

1. nmap -A 192.168.1.1 (full detection of 192.168.1.1)
2. nmap -PR 192.168.1.1 (ARP scan)
3. nmap -PN 192.168.1.1 (scan without using ping)
4. nmap -sP 192.168.1.1 (uses ping)
5. nmap -PE 192.168.1.1 (ICMP ping)
6. nmap -PP 192.168.1.1 (ICMP timestamp)
7. nmap -PM 192.168.1.1 (ICMP address)
8. nmap --traceroute 192.168.1.1 (show the trace route)
9. nmap -sP -PS 192.168.1.1 (TCP SYN ping)
10. nmap -sP -PU 192.168.1.1 (UDP ping)
11. nmap -sT -p- -PN 192.168.1.1 (all ports)
12. nmap -PY 192.168.1.1 (SCTP INIT ping)
13. nmap -6 (IPv6 scan)
14. nmap --dns-servers 168.95.1.1 192.168.1.1 (look up 192.168.1.1 using DNS server 168.95.1.1)
15. nmap -iL IP.txt (IP.txt lists IPs one per line)
16. nmap IP1-IP2 (for example: nmap 192.168.1.100-150) (a - denotes the whole range)
17. nmap CIDR format (for example

Script list

There are currently more than 500 scripts, and the number keeps growing.

acarsd-info.nse
address-info.nse
afp-brute.nse
afp-ls.nse
afp-path-vuln.nse
afp-serverinfo.nse
afp-showmount.nse
ajp-auth.nse
ajp-brute.nse
ajp-headers.nse
ajp-methods.nse
ajp-request.nse
allseeingeye-info.nse
amqp-info.nse
asn-query.nse
auth-owners.nse
auth-spoof.nse
backorifice-brute.nse
backorifice-info.nse
bacnet-info.nse
banner.nse
bitcoin-getaddr.nse
bitcoin-info.nse
bitcoinrpc-info.nse
bittorrent-discovery.nse
bjnp-discover.nse
broadcast-ataoe-discover.nse
broadcast-avahi-dos.nse
broadcast-bjnp-discover.nse
broadcast-db2-discover.nse
broadcast-dhcp-discover.nse
broadcast-dhcp6-discover.nse
broadcast-dns-service-discovery.nse
broadcast-dropbox-listener.nse
broadcast-eigrp-discovery.nse
broadcast-igmp-discovery.nse
broadcast-listener.nse
broadcast-ms-sql-discover.nse
broadcast-netbios-master-browser.nse
broadcast-networker-discover.nse
broadcast-novell-locate.nse
broadcast-pc-anywhere.nse
bro

nmap command reference (help)

The official command help output, provided for easy reference.

    Nmap 7.12 ( https://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
      Can pass hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
      -iL <inputfilename>: Input from list of hosts/networks
      -iR <num hosts>: Choose random targets
      --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
      --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
      -sL: List Scan - simply list targets to scan
      -sn: Ping Scan - disable port scan
      -Pn: Treat all hosts as online -- skip host discovery
      -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
      -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
      -PO[protocol list]: IP Protocol Ping
      -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
      --dns-servers <serv1[,serv2],...>: Specify custom DNS server