nmap(zenmap)使用

查詢 網路上 sonicwall 路由器, 但必須透過UDP方式 內文: local ipOps = require "ipOps" local nmap = require "nmap" local packet = require "packet" local stdnse = require "stdnse" local string = require "string" local target = require "target" description = [[ Discovers Sonicwall firewalls which are directly attached (not routed) using the same method as the manufacturers own 'SetupTool'. An interface needs to be configured, as the script broadcasts a UDP packet. The script needs to be run as a privileged user, typically root. References: * https://support.software.dell.com/kb/sw3677) ]] --- -- @usage -- nmap -e eth0 --script broadcast-sonicwall-discover -- -- @output -- | broadcast-sonicwall-discover: -- |   192.168.5.1 -- |     MAC/Serial: 0006B1001122 -- |     Subnetmask: 255.255.255.0 -- |     Firmware: 3.9.1.2 -- |_    ROM: 14.0.1.1 -- -- @args broadcast-sonicwall-discover.timeout time in seconds to wa

在LAN , 傳送   RIPng Request command , 確定是否有電腦或設備 回應 nmap --script broadcast-ripng-discover 內容: local bin = require "bin" local ipOps = require "ipOps" local nmap = require "nmap" local stdnse = require "stdnse" local tab = require "tab" local table = require "table" description = [[ Discovers hosts and routing information from devices running RIPng on the LAN by sending a broadcast RIPng Request command and collecting any responses. ]] --- -- @usage -- nmap --script broadcast-ripng-discover -- -- @output -- | broadcast-ripng-discover: -- |   fe80::a00:27ff:fe9a:880c -- |     route                       metric  next hop -- |     fe80:470:0:0:0:0:0:0/64     1 -- |     fe80:471:0:0:0:0:0:0/64     1 -- |_    fe80:472:0:0:0:0:0:0/64     1 -- -- @args broadcast-ripng-discover.timeout sets the connection timeout --       (default: 5s) author = "Patrik Karlsson" license = "Same as Nmap--S

查詢LAN 裏頭, RIPv2的電腦設備, 透過發送  Request command, 取得回應 nmap --script broadcast-rip-discover 內容: local bin = require "bin" local ipOps = require "ipOps" local nmap = require "nmap" local stdnse = require "stdnse" local tab = require "tab" local table = require "table" description=[[ Discovers hosts and routing information from devices running RIPv2 on the LAN. It does so by sending a RIPv2 Request command and collects the responses from all devices responding to the request. ]] --- -- @usage -- nmap --script broadcast-rip-discover -- -- @output -- Pre-scan script results: -- | broadcast-rip-discover: -- | Discovered RIPv2 devices -- |   10.0.200.107 -- |     ip           netmask        nexthop       metric -- |     10.46.100.0  255.255.255.0  0.0.0.0       1 -- |     10.46.110.0  255.255.255.0  0.0.0.0       1 -- |     10.46.120.0  255.255.255.0  0.0.0.0       1 -- |     10.46.123.0  255.255.255.0  10.0.

nmap 常用到  -T    , 簡單說明: -T1   傳送TCP封包 , Flag=SYN    到目標電腦的開啟port -T2   傳送空TCP封包    到目標電腦的開啟port -T3   傳送TCP封包 , Flag=SYN, URG, PSH, FIN     到目標電腦的開啟port -T4   傳送TCP封包 , Flag=ACK    到目標電腦的開啟port -T5   傳送TCP封包 , Flag=SYN     到目標電腦的關閉port -T6   傳送TCP封包 , Flag=ACK    到目標電腦的關閉port -T7   傳送TCP封包 , Flag=SYN, URG, PSH, FIN     到目標電腦的關閉port 網路封包說明: http://www.pcnet.idv.tw/pcnet/network/network_ip_tcp.htm

尋找網路上 PPPoE server 官方:  https://nmap.org/nsedoc/scripts/broadcast-pppoe-discover.html 內文: local nmap = require "nmap" local pppoe = require "pppoe" local stdnse = require "stdnse" local table = require "table" description = [[ Discovers PPPoE (Point-to-Point Protocol over Ethernet) servers using the PPPoE Discovery protocol (PPPoED).  PPPoE is an ethernet based protocol so the script has to know what ethernet interface to use for discovery. If no interface is specified, requests are sent out on all available interfaces. As the script send raw ethernet frames it requires Nmap to be run in privileged mode to operate. ]] --- -- @usage -- nmap --script broadcast-pppoe-discover -- -- @output -- | broadcast-pppoe-discover: -- | Server: 08:00:27:AB:CD:EF -- |   Version: 1 -- |   Type: 1 -- |   TAGs -- |     AC-Name: ISP -- |     Service-Name: test -- |     AC-Cookie: e98010ed8c59a870f0dc94d56ac1095dd321000001 -- |_   

ping 這是 很常用指令... 透過ICMP方式, 去詢問LAN的電腦.. 其實與 DOS ping 類似(指令參數不同) 說明: nmap -e <interface> [--ttl <ttl>] [--data-length <payload_length>] --script broadcast-ping [--script-args [broadcast-ping.timeout=<ms>],[num-probes=<n>]] 官方:   https://nmap.org/nsedoc/scripts/broadcast-ping.html 內文: local bin = require "bin" local coroutine = require "coroutine" local ipOps = require "ipOps" local nmap = require "nmap" local packet = require "packet" local stdnse = require "stdnse" local tab = require "tab" local table = require "table" local target = require "target" local openssl = stdnse.silent_require "openssl" description = [[ Sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets.  Root privileges on UNIX are required to

發送  PIM (Protocol Independent Multicast). 的Hello 去給router , 確定是否回應 官方網址:  https://nmap.org/nsedoc/scripts/broadcast-pim-discovery.html PIM說明: http://www.networksorcery.com/enp/protocol/pim.htm 內文: local nmap = require "nmap" local packet = require "packet" local ipOps = require "ipOps" local bin = require "bin" local stdnse = require "stdnse" local target = require "target" local table = require "table" local math = require "math" local string = require "string" description = [[ Discovers routers that are running PIM (Protocol Independent Multicast). This works by sending a PIM Hello message to the PIM multicast address 224.0.0.13 and listening for Hello messages from other routers. ]] --- -- @args broadcast-pim-discovery.timeout Time to wait for responses in seconds. -- Defaults to <code>5s</code>. -- --@usage -- nmap --script broadcast-pim-discovery --

可以找尋 LAN 裡頭 的 PC-Duo client 指令:  nmap --script broadcast-pc-duo PC-Duo 這是一套 遠端控管軟體, 類似  teamviewer... 但他 提供 中央控管與VMware 特性 http://www.vector-networks.com/it-asset-and-service-management/ITIL-ITSM-products/PC-Duo-remote-control.html 官方網址:  https://nmap.org/nsedoc/scripts/broadcast-pc-duo.html 內文: local bin = require "bin" local coroutine = require "coroutine" local nmap = require "nmap" local os = require "os" local stdnse = require "stdnse" local table = require "table" description = [[ Discovers PC-DUO remote control hosts and gateways running on a LAN by sending a special broadcast UDP probe. ]] --- -- @usage -- nmap --script broadcast-pc-duo -- -- @output -- Pre-scan script results: -- | broadcast-pc-duo: -- |   PC-Duo Gateway Server -- |     10.0.200.113 - WIN2K3SRV-1 -- |   PC-Duo Hosts -- |_    10.0.200.113 - WIN2K3SRV-1 -- -- @args broadcast-pc-duo.timeout specifies the amount of secon