Web penetration test series (3): Scanning

Nmap: the king of scanners

Today we are going to talk about nmap, which is called the king of scanners. It is often said that when we carry out a penetration test, the first step is for nmap to open the way. Nmap is an open-source, free tool for network scanning and host detection. It can be used for: host discovery, port discovery or enumeration, service discovery, operating system, hardware address and software version detection, and vulnerability detection (Nmap scripts).

0x01: Port scan usage

Scanning method selection

  • -sS/sT/sA/sW/sM: Use a TCP SYN/Connect()/ACK/Window/Maimon scan against the target host.
  • -sU: Use a UDP scan to determine the state of the target host's UDP ports.
  • -sN/sF/sX: Use TCP Null, FIN and Xmas scans to help determine the state of the target's TCP ports.
  • --scanflags <flags>: Customize the flags of the TCP packets.
  • -sI <zombiehost[:probeport]>: Use an idle scan against the target host (a suitable zombie host must be found first).
  • -sY/sZ: Use SCTP INIT/COOKIE-ECHO scans to check whether SCTP ports are open.
  • -sO: Use an IP protocol scan to determine which IP protocols the target machine supports.
  • -b <FTP relay host>: Use the FTP bounce scan method.

Port parameters and scan order

-p <port ranges>: Scan the specified ports.

Example: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 (where T stands for the TCP protocol, U for UDP and S for SCTP)

-F: Fast mode, scan only the top 100 ports.

-r: Do not randomize the port order (without this parameter, nmap scans the requested ports in a random order, which makes the scan harder for the target's firewall to notice).

--top-ports <number>: Scan the <number> ports most likely to be open (the nmap author ran a large-scale Internet scan to estimate how likely each port is to be open; the resulting ranking is stored in the nmap-services file. By default, nmap scans the 1000 TCP ports most likely to be open).

--port-ratio <ratio>: Scan the ports whose open frequency is above the specified ratio. This is similar to --top-ports above, but the probability itself is the parameter, so only ports with a frequency greater than --port-ratio are scanned. Obviously the parameter must be between 0 and 1. The actual frequency values can be looked up in the nmap-services file.
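The added Python below (not nmap's code, nor code from the original post) implements the port-selection rules described above: it expands a -p specification with T:/U:/S: prefixes, and applies --top-ports and --port-ratio selection to a constructed nmap-services excerpt whose frequencies are invented for the example.

```python
"""Port selection modelled on nmap's -p, --top-ports and --port-ratio (added illustration, not nmap code)."""
import re
from collections import defaultdict
# Constructed excerpt in nmap-services format "name port/proto open-frequency"; frequencies are invented.
NMAP_SERVICES = """\
http    80/tcp    0.484
ssh     22/tcp    0.182
ms-sql  1433/tcp  0.008
domain  53/udp    0.213
snmp    161/udp   0.433
"""
def parse_port_spec(spec):
    """Expand '-p' syntax such as 'U:53,111,T:21-25,80,S:9' into {proto: set of ports}.
    A T:/U:/S: prefix covers every item up to the next prefix; items before any prefix are keyed 'any'."""
    names, ports, current = {"T": "tcp", "U": "udp", "S": "sctp"}, defaultdict(set), "any"
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(?:([TUS]):)?(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        prefix, lo, hi = m.groups()
        current = names.get(prefix, current)      # no prefix: keep the protocol in force
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ports[current].update(range(lo, hi + 1))
    return dict(ports)

def load_services(text):
    """Parse nmap-services lines into [(port, proto, frequency)], ignoring comments."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            port, proto = fields[1].split("/")
            rows.append((int(port), proto, float(fields[2])))
    return rows

def top_ports(rows, n, protos=("tcp",)):
    """--top-ports n: the n highest-frequency ports of each scanned protocol."""
    out = []
    for proto in protos:
        ranked = sorted((r for r in rows if r[1] == proto), key=lambda r: -r[2])
        out += [(p, pr) for p, pr, _ in ranked[:n]]
    return out

def port_ratio(rows, ratio, protos=("tcp",)):
    """--port-ratio r: every port whose open frequency exceeds r, which must lie in [0, 1]."""
    if not 0 <= ratio <= 1:
        raise ValueError("ratio must be between 0 and 1")
    return sorted((p, pr) for p, pr, f in rows if pr in protos and f > ratio)
```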

Simple scan (find the target host's open ports and the services running on them)

nmap 10.10.10.1

Full scan (detailed version information)

nmap -T4 -A -v 10.10.10.1

-A enables aggressive scan mode.

-T4 sets the timing template used during the scan. There are 6 levels (0-5); the higher the level, the faster the scan, but the easier it is to be detected and blocked by a firewall or IDS. T4 is recommended.

-v enables verbose output, showing the details of the scan while it runs.

Detect whether specified ports are open

Example: nmap -p 80-445 10.10.10.1 checks whether ports 80-445 on the target host are open.

nmap -sS -sU -p T:80,U:445 10.10.10.1 scans the target host's TCP port 80 with a half-open TCP SYN scan and its UDP port 445 with a UDP scan.

Detect the N ports most likely to be open: nmap -sS -sU -T4 --top-ports 100 10.10.20.53

The parameter -sS means the TCP ports are scanned with TCP SYN;

-sU means the UDP ports are scanned as well;

-T4 means timing template level 4;

--top-ports 100 means the 100 ports most likely to be open are scanned (100 for TCP and 100 for UDP).

0x02: Version detection

Version detection is used to determine the specific application and version running on each open port of the target host.

The version detection provided by Nmap has the following advantages:

  • High speed. Socket operations are performed in parallel, using an efficient probe-matching definition syntax.
  • Determines the application name and version as precisely as possible.
  • Supports the TCP and UDP protocols, and both text and binary protocols.
  • Supports detection of services on multiple platforms, including Linux/Windows/Mac OS/FreeBSD and other systems.
  • If SSL is detected, OpenSSL is called to continue detecting the protocol running over SSL (such as HTTPS/POP3S/IMAPS).
  • If a SunRPC service is detected, the brute-force RPC grinder is called to further determine the RPC program number, name and version.
  • Full IPv6 support, including TCP/UDP and TCP-based SSL.
  • Common Platform Enumeration (CPE) support.
  • Extensive application database (nmap-service-probes). At present, Nmap can recognize the signatures of thousands of services, covering more than 180 different protocols.

Version detection usage

For example, if the target host moves SSH from port 22 to port 2222, an ordinary scan will only show that port 2222 is open, without revealing what program is running on it. Adding the -sV parameter performs version detection, and nmap reports that port 2222 on the target host is running an SSH service.

-sV: Tell Nmap to perform version detection.

--version-intensity <level>: Set the version detection intensity (0-9); the default is 7. The higher the value, the more accurately the service is identified, but the longer the scan takes.

--version-light: Use lightweight detection (intensity 2).

--version-all: Try every probe (intensity 9).

--version-trace: Show detailed information about the version detection process.

nmap -sV 10.10.20.53
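To turn the SSH-on-2222 observation into a repeatable check, the added Python below (not code from the original post) parses nmap's greppable output format (-oG, assumed here) and flags known services running on ports other than their usual ones; the sample output and the expected-port table are constructed for the example.

```python
"""Flag services that `nmap -sV` found on ports other than their usual ones, such as the
SSH-on-2222 case above.  Added illustration that assumes nmap's greppable output (-oG)."""
import re

# Constructed sample of `nmap -sV -oG -` output, not a real scan.
GREPPABLE = """\
# Nmap scan initiated (constructed sample): nmap -sV -oG - 10.10.20.53
Host: 10.10.20.53 ()\tStatus: Up
Host: 10.10.20.53 ()\tPorts: 80/open/tcp//http//nginx 1.18.0/, 2222/open/tcp//ssh//OpenSSH 8.2/, 8443/open/tcp//ssl|http//Apache httpd/\tIgnored State: closed (997)
"""

# Ports on which each service name is expected; a deliberately small table for the example.
EXPECTED = {"ssh": {22}, "http": {80, 8080}, "ssl|http": {443, 8443}, "ftp": {21}}

def parse_greppable(text):
    """Yield (host, port, proto, service, version) for every open port in -oG output.
    Each port entry has the form port/state/proto/owner/service/rpcinfo/version/;
    splitting entries on ', ' assumes version strings contain no comma-space."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:            # header lines and "Status: Up" lines carry no ports
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            f = entry.split("/")
            if len(f) >= 7 and f[1] == "open":
                yield host, int(f[0]), f[2], f[4], f[6]

def unexpected_ports(text, expected=EXPECTED):
    """Return (host, port, service, version) for known services seen on a port
    outside their expected set, e.g. ssh on 2222."""
    return [(h, p, s, v) for h, p, _, s, v in parse_greppable(text)
            if s in expected and p not in expected[s]]
```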

0x03: Operating system detection

Operating system detection identifies the operating system type and device type running on the target host. Nmap has a rich OS database, nmap-os-db, which can identify more than 2,600 operating systems and device types.

-O: Specify Nmap for OS detection.

--osscan-limit: Limit OS detection to hosts that meet its preconditions (a host must have at least one open and one closed port).

--osscan-guess: Guess the target host's OS type more boldly. Accuracy drops considerably, but nmap gives the user the most likely candidate operating systems as far as it can.

0x04: Zenmap

Zenmap is an official graphical interface provided by Nmap, which is usually released with the Nmap installation package.

Enter the IP address or network range (address/mask bits) in the Target field and the tool generates the nmap command automatically; alternatively, choose one of the 10 built-in scan profiles from the Profile drop-down, or type your own nmap command in the Command box.

After the scan is complete (result screenshot not reproduced).

Source: blog.csdn.net/GUDUzhongliang/article/details/108708905