Advanced NMAP usage tips
1. Scan a server with nmap
By default, nmap scans the 1000 most commonly open TCP ports
2. Scan a device to view the details of its open ports
Parameters: -v enables verbose output, showing the details of the scan as it runs so that the user can follow the current scan status
3. Scan a port range: ports 1-65535
In a production environment, only the ports that provide a service need to be open; all other ports can be closed. There are two ways to close a service that should not be open.
Scenario 1: You know this service, just close it directly.
systemctl stop <service name>
Scenario 2: You don't know this service. Check which process is using this port number, find the path of that process, then kill the process and delete the file. Taking port 22 as an example, the procedure is as follows
Check which process is using port 22, then find the corresponding process file with the ps command
We can see that the file path of the process is /usr/sbin/sshd. If we cannot see the full execution path of the command, it means the (possibly Trojan) process can be started directly from the bash terminal, i.e. its binary is on PATH. Use which and rpm -qf to find where this command comes from, as follows
Solution:
The above procedure is how to find a backdoor port that an attacker is listening on and the path where the Trojan is stored
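As an added example (not part of the original page), the following POSIX shell script automates the port-to-process-to-package check from Scenario 2: it maps a listening port to its PID(s), resolves the binary behind each PID through /proc, and asks the package manager whether it owns that binary. It assumes Linux with ss and /proc, and rpm (as on the page) or dpkg; the ss output embedded for the offline run is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: trace a listening TCP port to
# its process, the binary behind it, and the package that owns that binary.
# Assumes Linux with ss and /proc, and rpm (as on the page) or dpkg.

# Print the PID(s) listening on the given port, reading `ss -tlnp` output
# from stdin so the parser can also be exercised on constructed lines.
pids_for_port() {
    awk -v port="$1" '
        NR > 1 {
            # field 4 is the local address, e.g. 0.0.0.0:22 or [::]:22
            n = split($4, a, ":")
            if (a[n] != port) next
            # the process column looks like users:(("sshd",pid=812,fd=3))
            while (match($0, /pid=[0-9]+/)) {
                print substr($0, RSTART + 4, RLENGTH - 4)
                $0 = substr($0, RSTART + RLENGTH)
            }
        }' | sort -u
}

# Resolve the executable behind a PID. A binary that was deleted after the
# process started shows up with a " (deleted)" suffix, which is itself a
# red flag worth noticing.
exe_for_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Ask the package manager which package owns a path. Prints "unowned" when no
# package claims it; a listener served by an unowned binary deserves a closer
# look, just like a command that `which` cannot locate on PATH.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" 2>/dev/null || echo unowned
    elif command -v dpkg >/dev/null 2>&1; then
        out=$(dpkg -S "$1" 2>/dev/null) && echo "${out%%:*}" || echo unowned
    else
        echo "no package manager found"
    fi
}

# Live audit: one line per listener on the port (usage: sh audit_port.sh 22).
audit_port() {
    ss -tlnp | pids_for_port "$1" | while read -r pid; do
        exe=$(exe_for_pid "$pid")
        printf 'port %s pid %s exe %s owner %s\n' \
            "$1" "$pid" "${exe:-unknown}" "$(owner_of "${exe%% (deleted)}")"
    done
}

# Constructed `ss -tlnp` output used to exercise the parser offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      4096       127.0.0.1:8888       0.0.0.0:*     users:(("nc",pid=4242,fd=3))'

# Run the live audit only when a port is given on the command line.
if [ -n "${1:-}" ]; then
    audit_port "$1"
fi
```

On a live host, run it with the port number as the only argument; offline, pipe SAMPLE_SS into pids_for_port to see the parser at work. The two signals a defender cares about are an exe path ending in " (deleted)" and an owner of "unowned".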
4. Scan a machine to see its open ports and operating system type
Parameter description:
-O: Displays the operating system type. Every operating system has a fingerprint.
-sS: Half-open scan
TCP synchronous scan (TCP SYN): because it never opens a full TCP connection, this technique is often referred to as half-open scanning. The scanner sends a TCP synchronization packet (SYN) and waits for a response. If the other side returns a SYN|ACK packet, the target port is listening; if it returns a RST packet, there is no listener on that port. When a SYN|ACK packet is received, the source host immediately sends a RST (reset) packet to tear the connection down, which is actually done automatically by our operating system kernel.
When the server port is open, the half-open scan exchange is shown in Figure 1, and when the server port is closed it is shown in Figure 2
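As an added example (not part of the original page), the following POSIX shell/awk script looks for the half-open pattern just described from the defender's side, in a constructed connection-event log with one line per packet: client, server, port, sender (C for a packet from the client, S for one from the server) and TCP flags. A source that keeps answering SYN|ACK with RST, or keeps collecting RSTs from closed ports, across many ports and never sends an ACK is exactly the signature of a SYN scan. The log lines and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: find the half-open (SYN) scan
# pattern in a packet-event log. Log format (constructed for this example):
#   client server port sender flags
# where sender is C (packet sent by the client) or S (sent by the server).

# Label every (client, server, port) flow by how its handshake ended.
classify_flows() {
    awk '
        {
            key = $1 " " $2 " " $3
            seen[key, $4 " " $5] = 1
            if (!(key in order)) { order[key] = ++n; keys[n] = key }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!((k, "C SYN") in seen)) continue
                if ((k, "C ACK") in seen)
                    label = "completed"     # normal three-way handshake
                else if ((k, "S SYN|ACK") in seen && (k, "C RST") in seen)
                    label = "half-open"     # port open, client tore it down with RST
                else if ((k, "S RST") in seen)
                    label = "closed"        # no listener on that port
                else
                    label = "unanswered"    # filtered, or the log is incomplete
                print k, label
            }
        }'
}

# Report clients that probed at least MIN distinct ports without ever
# completing a handshake; prints "client port-count" per offender.
find_scanners() {
    classify_flows | awk -v min="${1:-5}" '
        $4 == "half-open" || $4 == "closed" { ports[$1, $3] = 1; client[$1] = 1 }
        END {
            for (c in client) {
                count = 0
                for (k in ports) { split(k, p, SUBSEP); if (p[1] == c) count++ }
                if (count >= min) print c, count
            }
        }' | sort
}

# Constructed sample: 10.0.0.5 completes a normal connection to port 443;
# 10.0.0.9 probes six ports the way a SYN scan does (two open, four closed).
SAMPLE_LOG='10.0.0.5 10.0.0.1 443 C SYN
10.0.0.5 10.0.0.1 443 S SYN|ACK
10.0.0.5 10.0.0.1 443 C ACK
10.0.0.9 10.0.0.1 22 C SYN
10.0.0.9 10.0.0.1 22 S SYN|ACK
10.0.0.9 10.0.0.1 22 C RST
10.0.0.9 10.0.0.1 80 C SYN
10.0.0.9 10.0.0.1 80 S SYN|ACK
10.0.0.9 10.0.0.1 80 C RST
10.0.0.9 10.0.0.1 23 C SYN
10.0.0.9 10.0.0.1 23 S RST
10.0.0.9 10.0.0.1 25 C SYN
10.0.0.9 10.0.0.1 25 S RST
10.0.0.9 10.0.0.1 110 C SYN
10.0.0.9 10.0.0.1 110 S RST
10.0.0.9 10.0.0.1 3389 C SYN
10.0.0.9 10.0.0.1 3389 S RST'

# Usage: printf '%s\n' "$SAMPLE_LOG" | find_scanners 5
```

The threshold is deliberately a parameter: a single half-open flow is not suspicious (a client can legitimately abort a connection), while the same client touching many ports without one completed handshake is. Note that a legitimate connection shows up as "completed" and is ignored by find_scanners.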
5. Scan what type of operating system all machines in a network segment have
6. Find servers in a given range of IP addresses that have port 80 open
7. How to scan more stealthily: frequent scans get the source IP address blocked or locked out
--randomize-hosts: scan the target hosts in random order
--scan-delay: delay between probes, in seconds by default; adjusts the wait between probe packets
(1) Scan without a delay
(2) The same scan with a delay added; the default unit is seconds
8. Use wildcards to specify ip addresses
9. Connect Scan
This scan is very similar to a SYN scan, except that it completes the full TCP three-way handshake
10. UDP Scan
Port status analysis:
open: any UDP response received from the target port
open|filtered: no response from the target host (the port may be open, or a firewall may be dropping the probe)
closed: ICMP port unreachable error (type 3, code 3)
filtered: other ICMP unreachable errors (type 3, codes 1, 2, 9, 10 or 13)
11. Packet fragmentation scan
12. Use decoy hosts to hide the real scanner
(1) Three random decoys
(2) Use your own IP as one of the decoys
(3) Specify a single IP as a decoy
(4) Specify multiple IPs as decoys to probe the target
13. Spoof the source port as 8888 to scan the target
14. Randomly select 10 hosts on the Internet and check whether they run a web service (whether port 80 is open)
15. Treat all hosts as online and skip host discovery, which gets the scan past a firewall that blocks ping probes and keeps the discovery step from being noticed by it
The use of the graphical interface zenmap
Since Kali 2021.1 no longer ships zenmap, we need to install it manually
Run zenmap
Introduction to the zenmap scan profiles
The first: Intense scan
(nmap -T4 -A -v)
Generally speaking, Intense scan satisfies most general scanning needs
-T4 speeds up execution
-A operating system and version detection
-v displays detailed output
The second: Intense scan plus UDP
(nmap -sS -sU -T4 -A -v)
Intense scan with a UDP scan added
-sS TCP SYN scan
-sU UDP scan
The third: Intense scan, all TCP ports
(nmap -p 1-65535 -T4 -A -v)
Scans all TCP ports, in the range 1-65535, trying every port for openness, which is relatively slow.
-p specifies the port range to scan
The fourth: Intense scan, no ping
(nmap -T4 -A -v -Pn)
Intense scan without the ping step
-Pn skip host discovery (no ping)
The fifth: Ping scan
(nmap -sn)
Ping scan
Advantages: fast.
Disadvantages: easily blocked by a firewall, resulting in no scan results.
-sn ping scan only
The sixth: Quick scan
(nmap -T4 -F)
Quick scan
-F fast mode.
The seventh: Quick scan plus
(nmap -sV -T4 -O -F --version-light)
Quick scan, enhanced mode
-sV probe open ports for service and version information.
-O enable OS detection
--version-light set the version-detection level to 2.
The eighth: Quick traceroute
(nmap -sn --traceroute)
Route trace
-sn ping scan, no port scan
--traceroute display the route hops from this machine to the target.
The ninth: Regular scan
Regular scan
The tenth: Slow comprehensive scan
(nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script all)
Slow comprehensive scan
NESSUS Vulnerability Detection
Introduction to NESSUS
In 1998, Nessus founder Renaud Deraison launched a project called "Nessus", whose purpose was to provide the Internet community with a free, powerful, frequently updated and easy-to-use remote system security scanner. In 2002, Renaud, Ron Gula and Jack Huffard founded a company called Tenable Network Security. When the third version of Nessus was released, the company reclaimed Nessus' copyright and program source code (originally open source) and registered nessus.org as the company's website. The company is currently located in Columbia, Maryland, USA.
Experimental environment: Because NESSUS occupies a large amount of memory, to do this experiment, you need to adjust the Kali memory to 6G or 8G
download link
https://www.tenable.com/downloads/nessus
Just download the latest version of NESSUS
NESSUS installation configuration
Upload the installation package to Kali (use the rz command to upload it)
Other browsers may not be able to open the link; use the Chrome browser to open https://192.168.91.132:8834 (the Kali address)
Click Advanced, then Accept the Risk and Continue
Choose the first option, the free version
Apply for an activation code:
No proxy is needed to reach the activation-code page: https://www.tenable.com/products/nessus/nessus-essentials
Enter any name, but the email address must be valid: the activation code is sent to that email
Log in to your email to view the activation code
After clicking Submit, the key is generated. Pause here for a moment: because we are installing offline, click the link below to download the plug-in bundle and let it download in the background; we will install it after activation.
I have already downloaded it in advance. The downloaded plugin package is all-2.0.tar.gz; upload all-2.0.tar.gz to /root on the Kali system
Copy the certificate information shown in the browser (the content in the red box)
Create an administrator account and password
start initialization
Upload the plugin bundle we just downloaded to Kali and install it with the nessuscli command
Restart the Nessus service
Log in
Wait for the plugins to compile
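As an added example (not part of the original page), the following POSIX shell script carries out the offline plugin step above: it checks the uploaded bundle before handing it to nessuscli, installs it, restarts the service and waits for the web UI on port 8834 to come back. It assumes Nessus is installed under /opt/nessus, that the systemd unit is named nessusd, and that the bundle was uploaded as /root/all-2.0.tar.gz as on the page; the files the test creates are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: install the offline Nessus plugin
# bundle. Assumes Nessus under /opt/nessus, a systemd unit named nessusd, and
# the bundle uploaded to /root/all-2.0.tar.gz as described on the page.
NESSUSCLI=/opt/nessus/sbin/nessuscli
BUNDLE=${BUNDLE:-/root/all-2.0.tar.gz}

# A bundle is plausible if it exists, is non-empty and starts with the gzip
# magic bytes 1f 8b. A failed browser download often leaves an HTML page
# behind under a .tar.gz name; this check catches it before nessuscli does.
bundle_ok() {
    [ -s "$1" ] || return 1
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Wait up to about 60 s for the web UI to answer again (self-signed cert, so -k).
wait_for_ui() {
    tries=0
    while [ "$tries" -lt 30 ]; do
        curl -ks -o /dev/null "https://127.0.0.1:8834/" && return 0
        tries=$((tries + 1))
        sleep 2
    done
    return 1
}

install_plugins() {
    if ! bundle_ok "$1"; then
        echo "refusing to install: $1 is missing, empty or not gzip" >&2
        return 1
    fi
    "$NESSUSCLI" update "$1" || return 1
    systemctl restart nessusd.service || return 1
    wait_for_ui || { echo "nessusd did not come back on 8834" >&2; return 1; }
    echo "plugins installed; log in and wait for them to compile"
}

# Only run the install when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--install" ]; then
    install_plugins "$BUNDLE"
fi
```

Run it as root with --install after the bundle is in place; set BUNDLE in the environment if the file was uploaded elsewhere.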
Click New Scan in the upper right corner to see the many available scan templates
The templates marked with an upgrade sign can only be used after upgrading to a higher Nessus tier; this refers to the paid edition, not the software version
Take it slow bros
Example: scan your own host (WIN10)
After saving, click Start
Click the scan to see its details. When there are many scan targets and the scan takes a long time, you can set up the scan on a cloud server instead.