Introduction
Every port on a system corresponds to a service, so knowing only which ports are open yields very little information. Since a port maps to a service, the port can be used to identify the service behind it, and even the version of that service. If the target server runs an outdated version, it may carry known security vulnerabilities.
1. Service version detection
The "-sV" option probes the service behind each target port and identifies the version number of that service.
[root@localhost ~]# nmap -sV 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 15:21 CST
Nmap scan report for 192.168.52.132
Host is up (0.00023s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
8080/tcp open http Apache Tomcat 10.0.0
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.90 seconds
As the output shows, Nmap prints the version number directly when it can determine it, and gives a range for reference when it cannot. By default Nmap skips ports from 9100 onward, and administrators often change a service's default port number specifically to evade scanning. In that situation the "--allports" option scans all ports on the target host and makes the result more accurate.
[root@localhost ~]# nmap -sV --allports 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 15:26 CST
Nmap scan report for 192.168.52.132
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
8080/tcp open http Apache Tomcat 10.0.0
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.07 seconds
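The following Python script is an added example; it is not part of the original post and not Nmap's own code. It parses the normal-format "-sV" output shown above (copied here as a constant), separates an exact version such as "OpenSSH 7.4" from a range such as "2-4" that Nmap prints when it is unsure, and compares each exact version against a minimum-version baseline. The BASELINE numbers are constructed for illustration and are not a real policy; in practice you would feed the script a scan saved with "-oN".

```python
import re
from typing import Dict, List, Optional, Tuple

# Normal-format output of `nmap -sV`, copied from the scan above.
NMAP_SV_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
8080/tcp open http Apache Tomcat 10.0.0
MAC Address: 00:0C:29:A2:B4:44 (VMware)
"""

# Constructed baseline (not a real policy): the oldest version still accepted,
# keyed by the product name exactly as Nmap prints it in the VERSION column.
BASELINE = {
    "OpenSSH": (8, 0),
    "Apache Tomcat": (10, 0, 0),
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_RANGE = re.compile(r"^(\d+)-(\d+)\b")          # e.g. "2-4 (RPC #100000)"
VERSION_NUMBER = re.compile(r"\b(\d+(?:\.\d+)+)\b")    # e.g. "7.4", "10.0.0"


def parse_services(text: str) -> List[Dict[str, object]]:
    """One record per port line; header, MAC and banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        records.append({"port": int(port), "proto": proto, "state": state,
                        "service": service, "version": version.strip()})
    return records


def extract_version(version_field: str) -> Tuple[str, Optional[Tuple[int, ...]]]:
    """Classify the VERSION column.

    ("exact", (7, 4))   Nmap printed a definite number.
    ("range", (2, 4))   Nmap could only narrow it to a range; not reliable
                        for a version comparison.
    ("unknown", None)   the column is empty or contains no number.
    """
    if not version_field:
        return "unknown", None
    r = VERSION_RANGE.match(version_field)
    if r:
        return "range", (int(r.group(1)), int(r.group(2)))
    n = VERSION_NUMBER.search(version_field)
    if n:
        return "exact", tuple(int(x) for x in n.group(1).split("."))
    return "unknown", None


def check_baseline(records, baseline=BASELINE) -> List[Tuple[int, str, str]]:
    """Return (port, service, status) for every port record.

    below_baseline      exact version older than the baseline
    ok                  exact version at or above the baseline
    needs_manual_check  Nmap gave a range, so the version must be confirmed by hand
    unmatched           product not in the baseline or version unknown
    """
    findings = []
    for rec in records:
        kind, ver = extract_version(rec["version"])
        product = next((p for p in baseline if rec["version"].startswith(p)), None)
        if kind == "exact" and product is not None:
            status = "below_baseline" if ver < baseline[product] else "ok"
        elif kind == "range":
            status = "needs_manual_check"
        else:
            status = "unmatched"
        findings.append((rec["port"], rec["service"], status))
    return findings


if __name__ == "__main__":
    for port, service, status in check_baseline(parse_services(NMAP_SV_OUTPUT)):
        print(f"{port:>5}/{service:<8} {status}")
```

The point of treating a range separately is that a version Nmap could not pin down must never be compared as if it were exact: the rpcbind line above is reported for manual confirmation rather than passed as "ok" or flagged as old.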
2. OS fingerprinting
OS fingerprinting probes the target's operating system; use the "-O" option.
[root@localhost ~]# nmap -O 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 15:28 CST
Nmap scan report for 192.168.52.132
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
8080/tcp open http-proxy
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds
From the result we can see that the system is Linux with kernel version 2.6. If this option cannot identify the operating system, the "--osscan-guess" option makes Nmap guess the OS version instead.
[root@localhost ~]# nmap -O --osscan-guess 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 15:37 CST
Nmap scan report for 192.168.52.132
Host is up (0.00039s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
8080/tcp open http-proxy
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.45 seconds
3. Comprehensive scan
Nmap also offers a more comprehensive scan option, "-A", which probes the target host from several angles at once; as the output below shows, it combines version detection, OS detection, NSE script output and a traceroute.
[root@localhost ~]# nmap -A 192.168.52.132
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-22 15:38 CST
Nmap scan report for 192.168.52.132
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
8080/tcp open http Apache Tomcat 10.0.0
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/10.0.0
MAC Address: 00:0C:29:A2:B4:44 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.48 ms 192.168.52.132
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.16 seconds
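For the OS fingerprinting section ("-O", "--osscan-guess") and the "-A" scan above, the following Python is an added example rather than code from the original post or from the Nmap project. It parses the OS-detection block of the normal output (copied from the "-A" scan above), turns each CPE into vendor/product/version fields and the "OS details" line into a kernel range, and falls back to the "Aggressive OS guesses" line when "--osscan-guess" produced only guesses. The second sample block and its percentages are constructed to exercise that fallback; the inventory_matches helper and the kernel strings it is given are assumptions for illustration, letting a defender reconcile the fingerprinted range with the kernel recorded in an asset inventory.

```python
import re
from typing import Dict, Optional, Tuple

# OS-detection block copied from the `nmap -A` output above (an exact match).
OS_BLOCK_EXACT = """\
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
"""

# Constructed sample of the block Nmap prints when there is no exact match and
# --osscan-guess is in effect; the guesses and percentages are made up here.
OS_BLOCK_GUESS = """\
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X (93%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
Aggressive OS guesses: Linux 3.10 - 4.11 (93%), Linux 3.2 - 4.9 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
"""

CPE_RE = re.compile(r"^cpe:/([aho]):([^:\s]+):([^:\s]+)(?::([^:\s]*))?")
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s*-\s*(\d+(?:\.\d+)*)")
GUESS_RE = re.compile(r"^(.+?)\s*\((\d+)%\)$")

Version = Tuple[int, ...]


def version_tuple(s: str) -> Version:
    return tuple(int(x) for x in s.split("."))


def parse_cpe(cpe: str) -> Optional[Dict[str, str]]:
    """Split a CPE 2.2 URI such as cpe:/o:linux:linux_kernel:3 into its fields."""
    m = CPE_RE.match(cpe)
    if not m:
        return None
    part, vendor, product, version = m.groups()
    return {"part": part, "vendor": vendor, "product": product, "version": version or ""}


def parse_os_block(text: str) -> Dict[str, object]:
    result = {"device_type": None, "running": None, "cpes": [], "details": None,
              "exact": False, "guesses": [], "kernel_range": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Device type:"):
            result["device_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Running"):            # "Running:" or "Running (JUST GUESSING):"
            result["running"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS CPE:"):
            cpes = [parse_cpe(c) for c in line.split(":", 1)[1].split()]
            result["cpes"] = [c for c in cpes if c is not None]
        elif line.startswith("OS details:"):         # only printed for an exact match
            result["details"] = line.split(":", 1)[1].strip()
            result["exact"] = True
        elif line.startswith("Aggressive OS guesses:"):
            for item in line.split(":", 1)[1].split(","):
                m = GUESS_RE.match(item.strip())
                if m:
                    result["guesses"].append((m.group(1), int(m.group(2))))
    # Take the kernel range from the exact match, otherwise from the top guess.
    source = result["details"] or (result["guesses"][0][0] if result["guesses"] else "")
    m = RANGE_RE.search(source)
    if m:
        result["kernel_range"] = (version_tuple(m.group(1)), version_tuple(m.group(2)))
    return result


def inventory_matches(os_result: Dict[str, object], inventory_kernel: str) -> Optional[bool]:
    """True if the kernel recorded in an asset inventory falls inside the
    fingerprinted range, False if it does not, None if Nmap gave no range.
    A False result is worth a look: either the inventory is stale or the host
    is not the one the inventory says it is."""
    rng = os_result["kernel_range"]
    if rng is None:
        return None
    low, high = rng
    v = version_tuple(inventory_kernel)
    return low <= v[:len(low)] and v[:len(high)] <= high


if __name__ == "__main__":
    for block in (OS_BLOCK_EXACT, OS_BLOCK_GUESS):
        r = parse_os_block(block)
        print("exact match" if r["exact"] else "guess only", r["kernel_range"],
              [c["product"] + ":" + c["version"] for c in r["cpes"]])
```

Keeping the "exact" flag separate from the range matters when the scan was run with "--osscan-guess": a guessed range should be recorded with its confidence percentage rather than written into an inventory as if it were a confirmed fingerprint.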