nmap(zenmap)使用

隱藏或說刁鑽的目標(電腦\防火牆\設備) 並不回應ping 也關閉常用port80等等.... 若要揪出來, 就可能用-Pn 從存在的port 1732, 8000去推斷及測試 ========================= 例如:  nmap -Pn 180.177.99.88 Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-30 06:27 ￥x￥_?D·CRE?! Nmap scan report for 180-177-99-88.dynamic.kbronet.com.tw (180.177.99.88) Host is up (0.074s latency). Not shown: 998 filtered ports PORT     STATE SERVICE 1723/tcp open  pptp 8000/tcp open  http-alt Nmap done: 1 IP address (1 host up) scanned in 17.18 seconds =========================

nmap 掃描主機方式很多 這次介紹ICMP (Internet Contorl Message Protocol)方式 -PE : 發送ICMP Echo封包  去偵測主機是否活著~ 發送type8 , 回來是type0 -PP: 使用 ICMP time stamp -PM: 隱蔽地址 的ICMP ping 針對tw.yahoo.com, 發現答案的不同 接著要偵測.....設備是哪一種, 還有哪些回應? 哈哈 ICMP說明: http://www.pcnet.idv.tw/pcnet/network/network_ip_icmp.htm

一般nmap 的ping 內定是ICMP echo方式偵測 但如被防火牆擋住, 那回應就是 host down 所以 建議偵測  要多加TCP SYN 指令: nmap -PS  IP address  (使用 TCP SYN) 指令: nmap -PA  IP address  (使用 TCP ACK)

一般軟體或ping 跑出192.168.0.250設備的MAC address 這算還好的, 還會回應ping ========================== ========================== 主要看的有紅字.... 1. port: 80, 21,1025 2. MAC address 3. ftp 沒有開啟anonymouse登入 4. 判斷設備是Telecomm 5. traceroute 只有一個HOP Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-22 21:06 ￥x￥_?D·CRE?! NSE: Loaded 138 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 21:06 Completed NSE at 21:06, 0.00s elapsed Initiating NSE at 21:06 Completed NSE at 21:06, 0.00s elapsed Initiating ARP Ping Scan at 21:06 Scanning 192.168.0.250 [1 port] Completed ARP Ping Scan at 21:06, 0.18s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 21:06 Completed Parallel DNS resolution of 1 host. at 21:06, 0.02s elapsed Initiating SYN Stealth Scan at 21:06 Scanning 192.168.0.250 [1000 ports] Discovered open port 1025/tcp on 192.168.0.250 Discovered open port 80/tcp on 192.168.0.250 Discovered open port 21/tcp on 192.168.0.250 SYN Stealth Scan

基本指令寫法:  nmap  掃描選項  計時  目標IP   輸出方式 -s(隱藏掃描) -sS  (使用 SYN)  或  -sU  (使用 UDP)   或  -sT   (使用 TCP)   或  -sA   (使用 ACK) 指令介紹: 其中 192.168.1.1 只是個被選來 偵測的IP ping 使用不同協定  那很重要.... 有時LAN ip衝突, 而衝突其中一設備, 並不回應 ping 那時就要透過多個協定方式  去找出.... =================================== 1. nmap -A 192.168.1.1 (192.168.1.1的全部偵測) 2. nmap -PR  192.168.1.1 (ARP掃描) 3. nmap -PN 192.168.1.1(不使用ping的方式掃描) 4. nmap -sP 192.168.1.1 (使用ping) 5. nmap -PE 192.168.1.1 (ICMP ping) 6. nmap -PP 192.168.1.1(ICMP time stamp) 7. nmap -PM 192.168.1.1(ICMP address) 8. nmap --traceroute  192.168.1.1(看trace route) 9.nmap -sP -PS 192.168.1.1 (TCP syn ping) 10. nmap -sP -PU 192.168.1.1(UDP ping) 11. nmap -sT -p- -PN 192.168.1.1( 針對所有port) 12. nmap -PY 192.168.1.1 (SCTP INIT Ping) 13. nmap -6    (IPv6掃描) 14. nmap --dns-servers 168.95.1.1  192.168.1.1 (針對DNS 168.95.1.1 查詢192.168.1.1) 15.  nmap -iL IP.txt  (IP.txt 是一列列IP 方式) 16.  nmap IP1-IP2  (例如: nmap  192.168.1.100-150)( 以 - 表示  整個區間) 17.  nmap  CIDR格式  (例

現在大概有500多個腳本, 還會一直增加 ======================== acarsd-info.nse address-info.nse afp-brute.nse afp-ls.nse afp-path-vuln.nse afp-serverinfo.nse afp-showmount.nse ajp-auth.nse ajp-brute.nse ajp-headers.nse ajp-methods.nse ajp-request.nse allseeingeye-info.nse amqp-info.nse asn-query.nse auth-owners.nse auth-spoof.nse backorifice-brute.nse backorifice-info.nse bacnet-info.nse banner.nse bitcoin-getaddr.nse bitcoin-info.nse bitcoinrpc-info.nse bittorrent-discovery.nse bjnp-discover.nse broadcast-ataoe-discover.nse broadcast-avahi-dos.nse broadcast-bjnp-discover.nse broadcast-db2-discover.nse broadcast-dhcp-discover.nse broadcast-dhcp6-discover.nse broadcast-dns-service-discovery.nse broadcast-dropbox-listener.nse broadcast-eigrp-discovery.nse broadcast-igmp-discovery.nse broadcast-listener.nse broadcast-ms-sql-discover.nse broadcast-netbios-master-browser.nse broadcast-networker-discover.nse broadcast-novell-locate.nse broadcast-pc-anywhere.nse bro

提供官方指令help資料, 方便查詢' Nmap 7.12 ( https://nmap.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION:   Can pass hostnames, IP addresses, networks, etc.   Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254   -iL <inputfilename>: Input from list of hosts/networks   -iR <num hosts>: Choose random targets   --exclude <host1[,host2][,host3],...>: Exclude hosts/networks   --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY:   -sL: List Scan - simply list targets to scan   -sn: Ping Scan - disable port scan   -Pn: Treat all hosts as online -- skip host discovery   -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports   -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes   -PO[protocol list]: IP Protocol Ping   -n/-R: Never do DNS resolution/Always resolve [default: sometimes]   --dns-servers <serv1[,serv2],...>: Specify custom DNS server

一般而言, 你下載zenmap, 是win版, 但你可以到DOS下, 執行 nmap 方式 指令:   nmap --script  ****.nse    偵測IP 因為在window是放在32位元~ C:\Program Files (x86)\Nmap\scripts) (64 位元~ C:\Program Files\Nmap\scripts) (Linux/Kali  是在 /usr/share/nmap/scripts ) 建議寫一個bat 檔,  把要做的腳本寫入, 而產到 某一個 txt檔 例如:  @echo OFF SET /P VAR1=請輸入IP： @echo ===================================== >>nmap.txt @echo --------------------------------------------------------------- >>nmap.txt @echo ******** smb-check-vulns.nse ******** >>nmap.txt nmap --script smb-check-vulns.nse  %VAR1%   >>nmap.txt

這是 網路偵測(network Discovery)與安全審計(security auditing) 軟體 目前到 7.12版 而且跨平台都支援(Linux/window/Mac OS) 提供超過500多個腳本(nse)(nmap scripting Language)(官方) 可以查詢單一或許多IP 目標的 TCP/UDP port 回應 , 判斷OS, 漏洞偵測, 壓力測試  為主 可為網路工程師 必備工具 PS. 安裝過程, 會自動安裝WinPcap 下載 官方網站:  https://nmap.org/download.html