文章目录

nmap 用例

// 使用zmap 快速扫描出网络中开放相关端口的主机  
// 使用nmap 嗅探主机存在的漏洞及其他可以利用的相关信息

zmap

/etc/zmap/zmap.conf //配置文件 指定默认参数 指定带宽 指定扫描模块 指定默认扫描协议等

zmap -B 20M -p 3306 -n 10000 -o results.txt -b /etc/zmap/blacklist.conf  -s 889 //在20M带宽下随机选取1万个IPv4地址对3306端口进行扫描(默认TCP SYN探测) -B 限制发包带宽 -n 限制探测目标数 -b 指定不扫描的地址段(黑名单文件) -s 指定本机源端口 注意:不给目标时zmap会随机扫描公网地址,务必只在获得授权的范围内使用

zmap -p 22 -n 50 23.110.64.0/24 //在该/24子网中随机探测50个地址的22端口(-n 限制的是探测目标数,而不是"查到50个结果就停";若要在收到50个结果后结束应使用 -N 50)
      --probe-module=udp 指定udp探测模块(通常需配合 --probe-args 提供UDP载荷,否则多数服务不会应答)

nmap

// 常用的扫描参数网上很多本文不一一介绍

nmap -p 80 192.168.123.1-255 //对整个网段扫描80端口(原文 -sL80 写法不正确:-sL 是只列出目标、不发送任何探测包的列表扫描,端口应通过 -p 指定)

nmap -sP  192.168.123.1-255 //主机发现(ping扫描),目标也可以是单个IP如 23.110.64.125;-sP 是 -sn 的旧写法,新版本请用 -sn
     -sn //只探测存活主机 不做端口扫描
     -sU //udp 端口扫描(较慢,且需要root权限)
     -sT -v //TCP connect扫描并启用详细输出(verbose 是小写 -v;大写 -V 只是打印nmap版本号,不会开启细节模式)
     -O //启用操作系统检测(需要root权限)

nmap -sT -p 22 -O --osscan-limit 192.168.123.1-255 //对整段IP做22端口的connect扫描并尝试操作系统检测。按nmap文档,--osscan-limit 只对"至少发现一个open端口和一个closed端口"的主机做OS检测,并不是"只对开了22端口的主机做OS检测";只扫 -p 22 时没有主机能同时满足这两个条件,OS检测很可能被全部跳过,建议多扫几个端口(如 -p 22,1)或去掉 --osscan-limit

nmap --iflist //查看本地路由信息
nmap --spoof-mac {mac} {ip} //伪装源MAC地址(原文的 -e 并不是伪装MAC,-e {iface} 是指定使用的网络接口)
nmap -sV --source-port 9000 192.168.123.183 //指定源端口为9000(原文 --soure-port 拼写有误;也可简写为 -g 9000),用于绕过只按源端口放行的简单防火墙规则
nmap -O -F -n 23.110.64.125 //快速扫描 -F 只扫描常用端口(100个) -n 不做DNS反向解析 -O 操作系统检测

nmap -iR 100000 -sS -PS80 -p 445 -oG nmap.txt //随机产生10万个公网IP,用TCP SYN ping 80端口做主机发现后对其445端口进行SYN扫描,结果以greppable格式输出到nmap.txt(原文 -Ps80 写法不正确,SYN ping 是大写 -PS;-sS 需要root权限;-iR 扫描的是随机互联网地址,未授权扫描可能违法,请谨慎使用)

nmap-scripts

// nmap 脚本(NSE)使用 这块为学习重点 脚本使用 lua 编写
参考: https://www.cnblogs.com/Rcsec/p/8977382.html
脚本路径 /usr/share/nmap/scripts/ 
脚本分类:
auth: 负责处理鉴权证书(绕开鉴权)的脚本  
broadcast: 在局域网内探查更多服务开启状况,如dhcp/dns/sqlserver等服务  
brute: 提供暴力破解方式,针对常见的应用如http/snmp等  
default: 使用-sC或-A选项扫描时候默认的脚本,提供基本脚本扫描能力  
discovery: 收集更多关于网络和服务的信息,如SMB枚举、SNMP查询等  
dos: 用于进行拒绝服务攻击  
exploit: 利用已知的漏洞入侵系统  
external: 利用第三方的数据库或资源,例如进行whois解析  
fuzzer: 模糊测试的脚本,发送异常的包到目标机,探测出潜在漏洞  
intrusive: 入侵性的脚本,此类脚本可能使目标服务崩溃或引发对方的IDS/IPS的记录或屏蔽  
malware: 探测目标机是否感染了病毒、开启了后门等信息  
safe: 此类与intrusive相反,不会使目标崩溃、不产生大量流量,可较放心地在生产环境使用  
version: 负责增强服务与版本扫描(Version Detection)功能的脚本  
vuln: 负责检查目标机是否有常见的漏洞(Vulnerability),如是否有MS08_067

 
nmap    --script=brute 23.110.64.125 //运行整个brute分类的脚本,可对数据库、smb、snmp等服务做简单的密码猜解 注意:爆破会产生大量登录失败日志,可能触发账号锁定或IDS告警,只在授权范围内使用
nmap    --script=ssh-brute 23.110.64.125 //只对SSH服务做密码猜解(ssh-brute 不涉及smb/snmp);默认使用 nselib/data 下的 usernames.lst/passwords.lst,可用 --script-args userdb=文件,passdb=文件 指定自己的字典
nmap --script-help=auth //查看某个分类或脚本的帮助文档
        --script=auth //运行auth分类脚本,用于检测认证绕过,也可以作为检测部分应用弱口令/空口令
        --script=vuln //检查常见漏洞(部分vuln脚本同时属于intrusive分类,可能影响目标服务)
        -p3306 --script=mysql-empty-password //扫描mysql空口令(脚本名可带或不带 .nse 后缀)

root@kali:~# nmap    --script=ssh-brute 192.168.123.100 //这里扫描出192.168.123.100的root密码为root
Host is up (0.015s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-brute: 
|   Accounts: 
|     root:root - Valid credentials
|_  Statistics: Performed 1971 guesses in 601 seconds, average tps: 3.4
3000/tcp open  ppp
3306/tcp open  mysql
5901/tcp open  vnc-1
6001/tcp open  X11:1
MAC Address: 00:0C:29:E5:3C:CE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 605.12 seconds


        

// nmap 现在支持的脚本 使用方法 nmap --script=ssh-brute 23.110.64.125 如有特殊需求可以根据自己实际情况进行更改
// 字典文件 ls /usr/share/nmap/nselib/data/*.lst  //brute类脚本默认使用的用户名/密码字典(usernames.lst、passwords.lst等),可通过 --script-args userdb=文件,passdb=文件 覆盖
ls /usr/share/nmap/scripts/
acarsd-info.nse                       http-grep.nse                           nntp-ntlm-info.nse
address-info.nse                      http-headers.nse                        nping-brute.nse
afp-brute.nse                         http-huawei-hg5xx-vuln.nse              nrpe-enum.nse
afp-ls.nse                            http-icloud-findmyiphone.nse            ntp-info.nse
afp-path-vuln.nse                     http-icloud-sendmsg.nse                 ntp-monlist.nse
afp-serverinfo.nse                    http-iis-short-name-brute.nse           omp2-brute.nse
afp-showmount.nse                     http-iis-webdav-vuln.nse                omp2-enum-targets.nse
ajp-auth.nse                          http-internal-ip-disclosure.nse         omron-info.nse
ajp-brute.nse                         http-joomla-brute.nse                   openlookup-info.nse
ajp-headers.nse                       http-jsonp-detection.nse                openvas-otp-brute.nse
ajp-methods.nse                       http-litespeed-sourcecode-download.nse  openwebnet-discovery.nse
ajp-request.nse                       http-ls.nse                             oracle-brute.nse
allseeingeye-info.nse                 http-majordomo2-dir-traversal.nse       oracle-brute-stealth.nse
amqp-info.nse                         http-malware-host.nse                   oracle-enum-users.nse
asn-query.nse                         http-mcmp.nse                           oracle-sid-brute.nse
auth-owners.nse                       http-methods.nse                        oracle-tns-version.nse
auth-spoof.nse                        http-method-tamper.nse                  ovs-agent-version.nse
backorifice-brute.nse                 http-mobileversion-checker.nse          p2p-conficker.nse
backorifice-info.nse                  http-ntlm-info.nse                      path-mtu.nse
bacnet-info.nse                       http-open-proxy.nse                     pcanywhere-brute.nse
banner.nse                            http-open-redirect.nse                  pcworx-info.nse
bitcoin-getaddr.nse                   http-passwd.nse                         pgsql-brute.nse
bitcoin-info.nse                      http-phpmyadmin-dir-traversal.nse       pjl-ready-message.nse
bitcoinrpc-info.nse                   http-phpself-xss.nse                    pop3-brute.nse
bittorrent-discovery.nse              http-php-version.nse                    pop3-capabilities.nse
bjnp-discover.nse                     http-proxy-brute.nse                    pop3-ntlm-info.nse
broadcast-ataoe-discover.nse          http-put.nse                            pptp-version.nse
broadcast-avahi-dos.nse               http-qnap-nas-info.nse                  puppet-naivesigning.nse
broadcast-bjnp-discover.nse           http-referer-checker.nse                qconn-exec.nse
broadcast-db2-discover.nse            http-rfi-spider.nse                     qscan.nse
broadcast-dhcp6-discover.nse          http-robots.txt.nse                     quake1-info.nse
broadcast-dhcp-discover.nse           http-robtex-reverse-ip.nse              quake3-info.nse
broadcast-dns-service-discovery.nse   http-robtex-shared-ns.nse               quake3-master-getservers.nse
broadcast-dropbox-listener.nse        http-security-headers.nse               rdp-enum-encryption.nse
broadcast-eigrp-discovery.nse         http-server-header.nse                  rdp-vuln-ms12-020.nse
broadcast-igmp-discovery.nse          http-shellshock.nse                     realvnc-auth-bypass.nse
broadcast-listener.nse                http-sitemap-generator.nse              redis-brute.nse
broadcast-ms-sql-discover.nse         http-slowloris-check.nse                redis-info.nse
broadcast-netbios-master-browser.nse  http-slowloris.nse                      resolveall.nse
broadcast-networker-discover.nse      http-sql-injection.nse                  reverse-index.nse
broadcast-novell-locate.nse           http-stored-xss.nse                     rexec-brute.nse
broadcast-ospf2-discover.nse          http-svn-enum.nse                       rfc868-time.nse
broadcast-pc-anywhere.nse             http-svn-info.nse                       riak-http-info.nse
broadcast-pc-duo.nse                  http-title.nse                          rlogin-brute.nse
broadcast-pim-discovery.nse           http-tplink-dir-traversal.nse           rmi-dumpregistry.nse
broadcast-ping.nse                    http-trace.nse                          rmi-vuln-classloader.nse
broadcast-pppoe-discover.nse          http-traceroute.nse                     rpcap-brute.nse
broadcast-rip-discover.nse            http-trane-info.nse                     rpcap-info.nse
broadcast-ripng-discover.nse          http-unsafe-output-escaping.nse         rpc-grind.nse
broadcast-sonicwall-discover.nse      http-useragent-tester.nse               rpcinfo.nse
broadcast-sybase-asa-discover.nse     http-userdir-enum.nse                   rsa-vuln-roca.nse
broadcast-tellstick-discover.nse      http-vhosts.nse                         rsync-brute.nse
broadcast-upnp-info.nse               http-virustotal.nse                     rsync-list-modules.nse
broadcast-versant-locate.nse          http-vlcstreamer-ls.nse                 rtsp-methods.nse
broadcast-wake-on-lan.nse             http-vmware-path-vuln.nse               rtsp-url-brute.nse
broadcast-wpad-discover.nse           http-vuln-cve2006-3392.nse              rusers.nse
broadcast-wsdd-discover.nse           http-vuln-cve2009-3960.nse              s7-info.nse
broadcast-xdmcp-discover.nse          http-vuln-cve2010-0738.nse              samba-vuln-cve-2012-1182.nse
cassandra-brute.nse                   http-vuln-cve2010-2861.nse              script.db
cassandra-info.nse                    http-vuln-cve2011-3192.nse              servicetags.nse
cccam-version.nse                     http-vuln-cve2011-3368.nse              shodan-api.nse
cics-enum.nse                         http-vuln-cve2012-1823.nse              sip-brute.nse
cics-info.nse                         http-vuln-cve2013-0156.nse              sip-call-spoof.nse
cics-user-brute.nse                   http-vuln-cve2013-6786.nse              sip-enum-users.nse
cics-user-enum.nse                    http-vuln-cve2013-7091.nse              sip-methods.nse
citrix-brute-xml.nse                  http-vuln-cve2014-2126.nse              skypev2-version.nse
citrix-enum-apps.nse                  http-vuln-cve2014-2127.nse              smb2-capabilities.nse
citrix-enum-apps-xml.nse              http-vuln-cve2014-2128.nse              smb2-security-mode.nse
citrix-enum-servers.nse               http-vuln-cve2014-2129.nse              smb2-time.nse
citrix-enum-servers-xml.nse           http-vuln-cve2014-3704.nse              smb2-vuln-uptime.nse
clamav-exec.nse                       http-vuln-cve2014-8877.nse              smb-brute.nse
clock-skew.nse                        http-vuln-cve2015-1427.nse              smb-double-pulsar-backdoor.nse
coap-resources.nse                    http-vuln-cve2015-1635.nse              smb-enum-domains.nse
couchdb-databases.nse                 http-vuln-cve2017-1001000.nse           smb-enum-groups.nse
couchdb-stats.nse                     http-vuln-cve2017-5638.nse              smb-enum-processes.nse
creds-summary.nse                     http-vuln-cve2017-5689.nse              smb-enum-services.nse
cups-info.nse                         http-vuln-cve2017-8917.nse              smb-enum-sessions.nse
cups-queue-info.nse                   http-vuln-misfortune-cookie.nse         smb-enum-shares.nse
cvs-brute.nse                         http-vuln-wnr1000-creds.nse             smb-enum-users.nse
cvs-brute-repository.nse              http-waf-detect.nse                     smb-flood.nse
daap-get-library.nse                  http-waf-fingerprint.nse                smb-ls.nse
daytime.nse                           http-webdav-scan.nse                    smb-mbenum.nse
db2-das-info.nse                      http-wordpress-brute.nse                smb-os-discovery.nse
deluge-rpc-brute.nse                  http-wordpress-enum.nse                 smb-print-text.nse
dhcp-discover.nse                     http-wordpress-users.nse                smb-protocols.nse
dict-info.nse                         http-xssed.nse                          smb-psexec.nse
distcc-cve2004-2687.nse               iax2-brute.nse                          smb-security-mode.nse
dns-blacklist.nse                     iax2-version.nse                        smb-server-stats.nse
dns-brute.nse                         icap-info.nse                           smb-system-info.nse
dns-cache-snoop.nse                   iec-identify.nse                        smb-vuln-conficker.nse
dns-check-zone.nse                    ike-version.nse                         smb-vuln-cve2009-3103.nse
dns-client-subnet-scan.nse            imap-brute.nse                          smb-vuln-cve-2017-7494.nse
dns-fuzz.nse                          imap-capabilities.nse                   smb-vuln-ms06-025.nse
dns-ip6-arpa-scan.nse                 imap-ntlm-info.nse                      smb-vuln-ms07-029.nse
dns-nsec3-enum.nse                    impress-remote-discover.nse             smb-vuln-ms08-067.nse
dns-nsec-enum.nse                     informix-brute.nse                      smb-vuln-ms10-054.nse
dns-nsid.nse                          informix-query.nse                      smb-vuln-ms10-061.nse
dns-random-srcport.nse                informix-tables.nse                     smb-vuln-ms17-010.nse
dns-random-txid.nse                   ip-forwarding.nse                       smb-vuln-regsvc-dos.nse
dns-recursion.nse                     ip-geolocation-geoplugin.nse            smtp-brute.nse
dns-service-discovery.nse             ip-geolocation-ipinfodb.nse             smtp-commands.nse
dns-srv-enum.nse                      ip-geolocation-map-bing.nse             smtp-enum-users.nse
dns-update.nse                        ip-geolocation-map-google.nse           smtp-ntlm-info.nse
dns-zeustracker.nse                   ip-geolocation-map-kml.nse              smtp-open-relay.nse
dns-zone-transfer.nse                 ip-geolocation-maxmind.nse              smtp-strangeport.nse
docker-version.nse                    ip-https-discover.nse                   smtp-vuln-cve2010-4344.nse
domcon-brute.nse                      ipidseq.nse                             smtp-vuln-cve2011-1720.nse
domcon-cmd.nse                        ipmi-brute.nse                          smtp-vuln-cve2011-1764.nse
domino-enum-users.nse                 ipmi-cipher-zero.nse                    sniffer-detect.nse
dpap-brute.nse                        ipmi-version.nse                        snmp-brute.nse
drda-brute.nse                        ipv6-multicast-mld-list.nse             snmp-hh3c-logins.nse
drda-info.nse                         ipv6-node-info.nse                      snmp-info.nse
duplicates.nse                        ipv6-ra-flood.nse                       snmp-interfaces.nse
eap-info.nse                          irc-botnet-channels.nse                 snmp-ios-config.nse
enip-info.nse                         irc-brute.nse                           snmp-netstat.nse
epmd-info.nse                         irc-info.nse                            snmp-processes.nse
eppc-enum-processes.nse               irc-sasl-brute.nse                      snmp-sysdescr.nse
fcrdns.nse                            irc-unrealircd-backdoor.nse             snmp-win32-services.nse
finger.nse                            iscsi-brute.nse                         snmp-win32-shares.nse
fingerprint-strings.nse               iscsi-info.nse                          snmp-win32-software.nse
firewalk.nse                          isns-info.nse                           snmp-win32-users.nse
firewall-bypass.nse                   jdwp-exec.nse                           socks-auth-info.nse
flume-master-info.nse                 jdwp-info.nse                           socks-brute.nse
fox-info.nse                          jdwp-inject.nse                         socks-open-proxy.nse
freelancer-info.nse                   jdwp-version.nse                        ssh2-enum-algos.nse
ftp-anon.nse                          knx-gateway-discover.nse                ssh-auth-methods.nse
ftp-bounce.nse                        knx-gateway-info.nse                    ssh-brute.nse
ftp-brute.nse                         krb5-enum-users.nse                     ssh-hostkey.nse
ftp-libopie.nse                       ldap-brute.nse                          ssh-publickey-acceptance.nse
ftp-proftpd-backdoor.nse              ldap-novell-getpass.nse                 ssh-run.nse
ftp-syst.nse                          ldap-rootdse.nse                        sshv1.nse
ftp-vsftpd-backdoor.nse               ldap-search.nse                         ssl-ccs-injection.nse
ftp-vuln-cve2010-4221.nse             lexmark-config.nse                      ssl-cert-intaddr.nse
ganglia-info.nse                      llmnr-resolve.nse                       ssl-cert.nse
giop-info.nse                         lltd-discovery.nse                      ssl-date.nse
gkrellm-info.nse                      maxdb-info.nse                          ssl-dh-params.nse
gopher-ls.nse                         mcafee-epo-agent.nse                    ssl-enum-ciphers.nse
gpsd-info.nse                         membase-brute.nse                       ssl-heartbleed.nse
hadoop-datanode-info.nse              membase-http-info.nse                   ssl-known-key.nse
hadoop-jobtracker-info.nse            memcached-info.nse                      ssl-poodle.nse
hadoop-namenode-info.nse              metasploit-info.nse                     sslv2-drown.nse
hadoop-secondary-namenode-info.nse    metasploit-msgrpc-brute.nse             sslv2.nse
hadoop-tasktracker-info.nse           metasploit-xmlrpc-brute.nse             sstp-discover.nse
hbase-master-info.nse                 mikrotik-routeros-brute.nse             stun-info.nse
hbase-region-info.nse                 mmouse-brute.nse                        stun-version.nse
hddtemp-info.nse                      mmouse-exec.nse                         stuxnet-detect.nse
hnap-info.nse                         modbus-discover.nse                     supermicro-ipmi-conf.nse
hostmap-bfk.nse                       mongodb-brute.nse                       svn-brute.nse
hostmap-crtsh.nse                     mongodb-databases.nse                   targets-asn.nse
hostmap-ip2hosts.nse                  mongodb-info.nse                        targets-ipv6-map4to6.nse
hostmap-robtex.nse                    mqtt-subscribe.nse                      targets-ipv6-multicast-echo.nse
http-adobe-coldfusion-apsa1301.nse    mrinfo.nse                              targets-ipv6-multicast-invalid-dst.nse
http-affiliate-id.nse                 msrpc-enum.nse                          targets-ipv6-multicast-mld.nse
http-apache-negotiation.nse           ms-sql-brute.nse                        targets-ipv6-multicast-slaac.nse
http-apache-server-status.nse         ms-sql-config.nse                       targets-ipv6-wordlist.nse
http-aspnet-debug.nse                 ms-sql-dac.nse                          targets-sniffer.nse
http-auth-finder.nse                  ms-sql-dump-hashes.nse                  targets-traceroute.nse
http-auth.nse                         ms-sql-empty-password.nse               targets-xml.nse
http-avaya-ipoffice-users.nse         ms-sql-hasdbaccess.nse                  teamspeak2-version.nse
http-awstatstotals-exec.nse           ms-sql-info.nse                         telnet-brute.nse
http-axis2-dir-traversal.nse          ms-sql-ntlm-info.nse                    telnet-encryption.nse
http-backup-finder.nse                ms-sql-query.nse                        telnet-ntlm-info.nse
http-barracuda-dir-traversal.nse      ms-sql-tables.nse                       tftp-enum.nse
http-bigip-cookie.nse                 ms-sql-xp-cmdshell.nse                  tls-alpn.nse
http-brute.nse                        mtrace.nse                              tls-nextprotoneg.nse
http-cakephp-version.nse              murmur-version.nse                      tls-ticketbleed.nse
http-chrono.nse                       mysql-audit.nse                         tn3270-screen.nse
http-cisco-anyconnect.nse             mysql-brute.nse                         tor-consensus-checker.nse
http-coldfusion-subzero.nse           mysql-databases.nse                     traceroute-geolocation.nse
http-comments-displayer.nse           mysql-dump-hashes.nse                   tso-brute.nse
http-config-backup.nse                mysql-empty-password.nse                tso-enum.nse
http-cookie-flags.nse                 mysql-enum.nse                          unittest.nse
http-cors.nse                         mysql-info.nse                          unusual-port.nse
http-cross-domain-policy.nse          mysql-query.nse                         upnp-info.nse
http-csrf.nse                         mysql-users.nse                         url-snarf.nse
http-date.nse                         mysql-variables.nse                     ventrilo-info.nse
http-default-accounts.nse             mysql-vuln-cve2012-2122.nse             versant-info.nse
http-devframework.nse                 nat-pmp-info.nse                        vmauthd-brute.nse
http-dlink-backdoor.nse               nat-pmp-mapport.nse                     vmware-version.nse
http-dombased-xss.nse                 nbd-info.nse                            vnc-brute.nse
http-domino-enum-passwords.nse        nbstat.nse                              vnc-info.nse
http-drupal-enum.nse                  ncp-enum-users.nse                      vnc-title.nse
http-drupal-enum-users.nse            ncp-serverinfo.nse                      voldemort-info.nse
http-enum.nse                         ndmp-fs-info.nse                        vtam-enum.nse
http-errors.nse                       ndmp-version.nse                        vuze-dht-info.nse
http-exif-spider.nse                  nessus-brute.nse                        wdb-version.nse
http-favicon.nse                      nessus-xmlrpc-brute.nse                 weblogic-t3-info.nse
http-feed.nse                         netbus-auth-bypass.nse                  whois-domain.nse
http-fetch.nse                        netbus-brute.nse                        whois-ip.nse
http-fileupload-exploiter.nse         netbus-info.nse                         wsdd-discover.nse
http-form-brute.nse                   netbus-version.nse                      x11-access.nse
http-form-fuzzer.nse                  nexpose-brute.nse                       xdmcp-discover.nse
http-frontpage-login.nse              nfs-ls.nse                              xmlrpc-methods.nse
http-generator.nse                    nfs-showmount.nse                       xmpp-brute.nse
http-git.nse                          nfs-statfs.nse                          xmpp-info.nse
http-gitweb-projects-enum.nse         nje-node-brute.nse
http-google-malware.nse               nje-pass-brute.nse


其他

nc 长连接监听

nc -l 80 -k //持续监听80端口,客户端断开后继续接受新连接(-k 是 OpenBSD netcat 的选项,ncat 对应 -k/--keep-open;传统 netcat 没有 -k 且需写成 nc -l -p 80;监听1024以下端口需要root权限)