<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>第 2 章 Sniffer</title><link rel="stylesheet" type="text/css" href="/docbook.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><meta name="keywords" content="Sniffer, Scanner, Vulnerability, Penetration, nmap, tcpdump, sqlmap, Nessus, Backtrack" /><link rel="home" href="index.html" title="Netkiller Security 手札" /><link rel="up" href="index.html" title="Netkiller Security 手札" /><link rel="prev" href="authentication/auth.html" title="1.3. Network Authentication" /><link rel="next" href="tcpdump.html" title="2.2. tcpdump - A powerful tool for network monitoring and data acquisition" /></head><body><a xmlns="" href="http://www.netkiller.cn/">Home</a> |
<a xmlns="" href="http://netkiller.github.io/">简体中文</a> |
<a xmlns="" href="http://netkiller.sourceforge.net/">繁体中文</a> |
<a xmlns="" href="/journal/index.html">杂文</a> |
<a xmlns="" href="//www.netkiller.cn/home/donations.html">打赏(Donations)</a> |
<a xmlns="" href="http://netkiller-github-com.iteye.com/">ITEYE 博客</a> |
<a xmlns="" href="http://my.oschina.net/neochen/">OSChina 博客</a> |
<a xmlns="" href="https://www.facebook.com/bg7nyt">Facebook</a> |
<a xmlns="" href="http://cn.linkedin.com/in/netkiller/">Linkedin</a> |
<a xmlns="" href="https://zhuanlan.zhihu.com/netkiller">知乎专栏</a> |
<a xmlns="" href="/search.html">Search</a> |
<a xmlns="" href="mailto:netkiller@msn.com">Email</a><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">第 2 章 Sniffer</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="authentication/auth.html">上一页</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="tcpdump.html">下一页</a></td></tr></table><hr /></div><table xmlns=""><tr><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=watch&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&repo=netkiller.github.io&type=fork&count=true&size=large" height="30" width="170" frameborder="0" scrolling="0" style="width:170px; height: 30px;" allowTransparency="true"></iframe></td><td><iframe src="http://ghbtns.com/github-btn.html?user=netkiller&type=follow&count=true&size=large" height="30" width="240" frameborder="0" scrolling="0" style="width:240px; height: 30px;" allowTransparency="true"></iframe></td></tr></table><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="sniffer"></a>第 2 章 Sniffer</h1></div></div></div><div class="toc"><p><strong>目录</strong></p><dl class="toc"><dt><span class="section"><a href="sniffer.html#nmap">2.1. nmap - Network exploration tool and security / port scanner</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#port">2.1.1. 端口扫描</a></span></dt><dt><span class="section"><a href="sniffer.html#host">2.1.2. HOST DISCOVERY</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp17">2.1.2.1. -sP: Ping Scan - go no further than determining if host is online</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#udp">2.1.3. 
SCAN TECHNIQUES</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp18">2.1.3.1. -sU: UDP Scan 扫描</a></span></dt><dt><span class="section"><a href="sniffer.html#idp19">2.1.3.2. -b <FTP relay host>: FTP bounce scan</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp21">2.1.4. PORT SPECIFICATION AND SCAN ORDER</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp20">2.1.4.1. -p <port ranges>: Only scan specified ports</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp28">2.1.5. SCRIPT SCAN</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp22">2.1.5.1. ftp-anon</a></span></dt><dt><span class="section"><a href="sniffer.html#idp23">2.1.5.2. mysql-info</a></span></dt><dt><span class="section"><a href="sniffer.html#idp24">2.1.5.3. http</a></span></dt><dt><span class="section"><a href="sniffer.html#idp25">2.1.5.4. snmp</a></span></dt><dt><span class="section"><a href="sniffer.html#idp26">2.1.5.5. SSHv1</a></span></dt><dt><span class="section"><a href="sniffer.html#idp27">2.1.5.6. --script-updatedb 更新脚本</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp30">2.1.6. OS DETECTION</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp29">2.1.6.1. -O: Enable OS detection 操作系统探测</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp32">2.1.7. OUTPUT</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp31">2.1.7.1. --open: Only show open (or possibly open) ports 操作系统探测</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp35">2.1.8. MISC</a></span></dt><dd><dl><dt><span class="section"><a href="sniffer.html#idp33">2.1.8.1. -6: Enable IPv6 scanning</a></span></dt><dt><span class="section"><a href="sniffer.html#idp34">2.1.8.2. 
-A: Enables OS detection and Version detection, Script scanning and Traceroute</a></span></dt></dl></dd><dt><span class="section"><a href="sniffer.html#idp36">2.1.9. Nmap Scripting Engine (NSE)</a></span></dt></dl></dd><dt><span class="section"><a href="tcpdump.html">2.2. tcpdump - A powerful tool for network monitoring and data acquisition</a></span></dt><dd><dl><dt><span class="section"><a href="tcpdump.html#idp37">2.2.1. 监控网络适配器接口</a></span></dt><dt><span class="section"><a href="tcpdump.html#idp38">2.2.2. 监控主机</a></span></dt><dt><span class="section"><a href="tcpdump.html#idp39">2.2.3. 监控TCP端口</a></span></dt><dt><span class="section"><a href="tcpdump.html#idp40">2.2.4. 监控协议</a></span></dt><dt><span class="section"><a href="tcpdump.html#idp41">2.2.5. 输出到文件</a></span></dt><dt><span class="section"><a href="tcpdump.html#idp42">2.2.6. src / dst</a></span></dt><dt><span class="section"><a href="tcpdump.html#tcpdump.save">2.2.7. 保存结果</a></span></dt><dt><span class="section"><a href="tcpdump.html#tcpdump.cdp">2.2.8. Cisco Discovery Protocol (CDP)</a></span></dt><dt><span class="section"><a href="tcpdump.html#Flags">2.2.9. Flags</a></span></dt><dt><span class="section"><a href="tcpdump.html#example">2.2.10. 案例</a></span></dt><dd><dl><dt><span class="section"><a href="tcpdump.html#icmp">2.2.10.1. 监控80端口与icmp,arp</a></span></dt><dt><span class="section"><a href="tcpdump.html#mysql">2.2.10.2. monitor mysql tcp package</a></span></dt><dt><span class="section"><a href="tcpdump.html#http">2.2.10.3. HTTP 包</a></span></dt><dt><span class="section"><a href="tcpdump.html#syn">2.2.10.4. 显示SYN、FIN和ACK-only包</a></span></dt><dt><span class="section"><a href="tcpdump.html#oracle">2.2.10.5. 嗅探 Oracle 错误</a></span></dt><dt><span class="section"><a href="tcpdump.html#smtp">2.2.10.6. smtp</a></span></dt></dl></dd></dl></dd><dt><span class="section"><a href="cdpr.html">2.3. cdpr - Cisco Discovery Protocol Reporter</a></span></dt><dt><span class="section"><a href="ncat.html">2.4. 
ncat - Concatenate and redirect sockets</a></span></dt><dd><dl><dt><span class="section"><a href="ncat.html#idp43">2.4.1. TCP 数据传输</a></span></dt><dt><span class="section"><a href="ncat.html#idp44">2.4.2. UDP 数据传输</a></span></dt><dt><span class="section"><a href="ncat.html#idp45">2.4.3. 始终保持服务器开启</a></span></dt><dt><span class="section"><a href="ncat.html#idp46">2.4.4. 传输视频流</a></span></dt></dl></dd><dt><span class="section"><a href="ngrep.html">2.5. ngrep - Network layer grep tool</a></span></dt><dd><dl><dt><span class="section"><a href="ngrep.html#idp47">2.5.1. 匹配关键字</a></span></dt><dt><span class="section"><a href="ngrep.html#idp48">2.5.2. 指定网络接口</a></span></dt></dl></dd><dt><span class="section"><a href="zenmap.html">2.6. Unicornscan,Zenmap,nast</a></span></dt><dt><span class="section"><a href="netstat-nat.html">2.7. netstat-nat - Show the natted connections on a linux iptable firewall</a></span></dt><dt><span class="section"><a href="tcpreplay.html">2.8. Tcpreplay</a></span></dt><dt><span class="section"><a href="wireshark.html">2.9. Wireshark</a></span></dt></dl></div>
<div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="nmap"></a>2.1. nmap - Network exploration tool and security / port scanner</h2></div></div></div>
<span class="command"><strong>nmap</strong></span>
<pre class="screen">
$ nmap localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2007-11-19 05:20 EST
Interesting ports on localhost (127.0.0.1):
Not shown: 1689 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
</pre>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="port"></a>2.1.1. 端口扫描</h3></div></div></div>
<pre class="screen">
# nmap -Pn 192.168.4.13
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-04 15:41 CST
Nmap scan report for gts2apidemo.cfddealer88.com (192.168.4.13)
Host is up (0.0051s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
8008/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="host"></a>2.1.2. HOST DISCOVERY</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp17"></a>2.1.2.1. -sP: Ping Scan - go no further than determining if host is online</h4></div></div></div>
<p>扫描一个网段</p>
<pre class="screen">
$ nmap -v -sP 172.16.0.0/24
Starting Nmap 4.62 ( http://nmap.org ) at 2010-11-27 10:00 CST
Initiating Ping Scan at 10:00
Scanning 256 hosts [1 port/host]
Completed Ping Scan at 10:00, 0.80s elapsed (256 total hosts)
Initiating Parallel DNS resolution of 256 hosts. at 10:00
Completed Parallel DNS resolution of 256 hosts. at 10:00, 2.77s elapsed
Host 172.16.0.0 appears to be down.
Host 172.16.0.1 appears to be up.
Host 172.16.0.2 appears to be up.
Host 172.16.0.3 appears to be down.
Host 172.16.0.4 appears to be down.
Host 172.16.0.5 appears to be up.
Host 172.16.0.6 appears to be down.
Host 172.16.0.7 appears to be down.
Host 172.16.0.8 appears to be down.
Host 172.16.0.9 appears to be up.
...
...
Host 172.16.0.253 appears to be down.
Host 172.16.0.254 appears to be down.
Host 172.16.0.255 appears to be down.
Read data files from: /usr/share/nmap
Nmap done: 256 IP addresses (8 hosts up) scanned in 3.596 seconds
</pre>
<p>扫描正在使用的IP地址</p>
<pre class="screen">
$ nmap -v -sP 172.16.0.0/24 | grep up
Host 172.16.0.1 appears to be up.
Host 172.16.0.2 appears to be up.
Host 172.16.0.5 appears to be up.
Host 172.16.0.9 appears to be up.
Host 172.16.0.19 appears to be up.
Host 172.16.0.40 appears to be up.
Host 172.16.0.188 appears to be up.
Host 172.16.0.252 appears to be up.
Nmap done: 256 IP addresses (8 hosts up) scanned in 6.574 seconds
$ nmap -sn -oG - 172.16.1.0/24 | grep Up
Host: 172.16.1.1 () Status: Up
Host: 172.16.1.2 () Status: Up
Host: 172.16.1.3 () Status: Up
Host: 172.16.1.4 () Status: Up
Host: 172.16.1.5 () Status: Up
Host: 172.16.1.6 () Status: Up
</pre>
<p>扫描MAC地址</p>
<pre class="screen">
nmap -sP -PI -PT -oN ipandmaclist.txt 192.168.80.0/24
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="udp"></a>2.1.3. SCAN TECHNIQUES</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp18"></a>2.1.3.1. -sU: UDP Scan 扫描</h4></div></div></div>
<p>扫描DNS端口</p>
<span class="command"><strong>$ sudo nmap -sU -p 53 xxx.xxx.xxx.xxx</strong></span>
<pre class="screen">
neo@deployment:~$ sudo nmap -sU -p 53 localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:24 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
neo@deployment:~$ sudo nmap -sU -p 1194 localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:24 CST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
1194/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
neo@deployment:~$ sudo nmap -sU -v localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 15:22 CST
NSE: Loaded 0 scripts for scanning.
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Initiating UDP Scan at 15:22
Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan at 15:22, 1.26s elapsed (1000 total ports)
Host localhost (127.0.0.1) is up (0.000010s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 993 closed ports
PORT STATE SERVICE
53/udp open|filtered domain
111/udp open|filtered rpcbind
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
1812/udp open|filtered radius
1813/udp open|filtered radacct
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
Raw packets sent: 1007 (28.196KB) | Rcvd: 993 (55.608KB)
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp19"></a>2.1.3.2. -b <FTP relay host>: FTP bounce scan</h4></div></div></div>
<pre class="screen">
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp21"></a>2.1.4. PORT SPECIFICATION AND SCAN ORDER</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp20"></a>2.1.4.1. -p <port ranges>: Only scan specified ports</h4></div></div></div>
<p>Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080</p>
<pre class="screen">
sudo nmap -sU -p 53 localhost
</pre>
<p>扫描DHCP服务器</p>
<pre class="screen">
sudo nmap -sU -p U:67,68 192.168.0.0/24
sudo nmap -sU -p U:67,68 192.168.0.0/24 > /tmp/dhcp.log
</pre>
<p>扫描SNMP服务器</p>
<pre class="screen">
$ sudo nmap -sU -p161 192.168.0.0/24 > /tmp/snmp.log
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp28"></a>2.1.5. SCRIPT SCAN</h3></div></div></div>
<p>nmap script 使用lua编写,请先安装lua环境。</p>
<pre class="screen">
$ sudo apt-get install lua5.1
$ lua
Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio
> ^C
</pre>
<pre class="screen">
$ nmap --script "default and safe" localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:23 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00023s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 a6:ab:76:a5:fb:80:4e:2c:bc:06:d4:85:ff:22:18:1a (DSA)
|_2048 c7:da:16:7a:e7:01:cc:f0:d2:02:b4:17:52:c9:c2:50 (RSA)
80/tcp open http
|_html-title: 500 Internal Server Error
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
3000/tcp open ppp
9000/tcp open cslistener
Host script results:
|_nbstat: NetBIOS name: NEO-OPTIPLEX-38, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.5.11)
| Name: WORKGROUP\Unknown
|_ System time: 2012-02-02 16:23:08 UTC+8
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
$ nmap --script=default 172.16.1.5
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:25 CST
Nmap scan report for 172.16.1.5
Host is up (0.024s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 c1:40:33:3b:be:4d:ef:52:40:a9:08:0a:e1:ae:d7:91 (DSA)
|_2048 9d:db:c5:41:94:63:c7:51:d1:97:36:d3:87:ad:8f:a5 (RSA)
3306/tcp open mysql
| mysql-info: Protocol: 10
| Version: 5.1.48-community-log
| Thread ID: 6647320
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: 0%eRHQ?'Fi_!%6|4+w9U
5666/tcp open nrpe
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
</pre>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp22"></a>2.1.5.1. ftp-anon</h4></div></div></div>
<pre class="screen">
$ nmap -p21 --script=ftp-anon 172.16.3.100
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 16:51 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.3.100
Host is up (0.0066s latency).
PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp23"></a>2.1.5.2. mysql-info</h4></div></div></div>
<pre class="screen">
$ nmap -p3306 --script=mysql-info 172.16.0.5
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 16:58 CST
Interesting ports on 172.16.0.5:
PORT STATE SERVICE
3306/tcp open mysql
| mysql-info: Protocol: 10
| Version: 5.1.48-community-log
| Thread ID: 62837508
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_ Salt: T{3(moe.R2C;?fgP:rQ|
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp24"></a>2.1.5.3. http</h4></div></div></div>
<p>http-date</p>
<pre class="screen">
$ nmap -p80 --script=http-date www.baidu.com
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 18:37 CST
NSE: Script Scanning completed.
Nmap scan report for www.baidu.com (220.181.111.147)
Host is up (0.037s latency).
PORT STATE SERVICE
80/tcp open http
|_http-date: Thu, 02 Feb 2012 10:37:40 GMT; 0s from local time.
Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
</pre>
<p>http-headers</p>
<pre class="screen">
$ nmap -p80 --script=http-headers www.baidu.com
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 18:38 CST
NSE: Script Scanning completed.
Nmap scan report for www.baidu.com (220.181.111.147)
Host is up (0.036s latency).
PORT STATE SERVICE
80/tcp open http
| http-headers:
| Date: Thu, 02 Feb 2012 10:38:15 GMT
| Server: BWS/1.0
| Content-Length: 7677
| Content-Type: text/html;charset=gb2312
| Cache-Control: private
| Expires: Thu, 02 Feb 2012 10:38:15 GMT
| Set-Cookie: BAIDUID=0279AEA82B65E8B74C03D5B6AA92326C:FG=1; expires=Thu, 02-Feb-42 10:38:15 GMT; path=/; domain=.baidu.com
| P3P: CP=" OTI DSP COR IVA OUR IND COM "
| Connection: Close
|
|_ (Request type: HEAD)
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
</pre>
<pre class="screen">
$ nmap -p80 --script=http-date,http-headers,http-malware-host,http-trace,http-enum 192.168.3.5
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:15 CST
NSE: Script Scanning completed.
Nmap scan report for 192.168.3.5
Host is up (0.0015s latency).
PORT STATE SERVICE
80/tcp open http
| http-headers:
| Date: Thu, 02 Feb 2012 11:15:00 GMT
| Server: Apache
| Last-Modified: Mon, 29 Nov 2010 14:56:50 GMT
| ETag: "7bcaa3-2c-496324828b080"
| Accept-Ranges: bytes
| Content-Length: 44
| Connection: close
| Content-Type: text/html
|
|_ (Request type: HEAD)
|_http-malware-host: Host appears to be clean
|_http-date: Thu, 02 Feb 2012 11:15:00 GMT; 0s from local time.
|_http-enum:
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp25"></a>2.1.5.4. snmp</h4></div></div></div>
<pre class="screen">
$ sudo nmap -sU -p161 --script=snmp-sysdescr 172.16.3.250
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 19:20 CST
Interesting ports on 172.16.3.250:
PORT STATE SERVICE
161/udp open snmp
| snmp-sysdescr: Cisco Adaptive Security Appliance Version 8.2(5)
|_ System uptime: 84 days, 18:39:55.00 (732479500 timeticks)
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp26"></a>2.1.5.5. SSHv1</h4></div></div></div>
<pre class="screen">
$ sudo nmap -sT -p22 --script=sshv1 172.16.0.0/24
$ sudo nmap -sT -p22 --script=sshv1 172.16.3.0/24 --open | grep -B4 sshv1
Interesting ports on 172.16.3.250:
PORT STATE SERVICE
22/tcp open ssh
|_ sshv1: Server supports SSHv1
Interesting ports on 172.16.3.251:
PORT STATE SERVICE
22/tcp open ssh
|_ sshv1: Server supports SSHv1
</pre>
<pre class="screen">
$ nmap -sT -p22 172.16.0.0/24 --script=ssh-hostkey --script-args=ssh_hostkey=all > ssh.log
$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey=full
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:35 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0017s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: ssh-dss AAAAB3NzaC1kc3MAAACBANinhMHgAGFMhkYW0qmFTNsJKuim8P7vFfPV3+c9R0urqF42HwZrIbhEZhRlUDSGo0v5cFzufabQaQ58//L4UXYqKOHaiqSo4ju5CWquH6YY+SNhszJY4OSessioJJfjbLCXx73pfqX8akEV13jQujLhYD0Tuela0/c4iQW+ktnjAAAAFQDxCjX3PK+dAUKviG6xX2C6DstqUQAAAIBrEephaZhQJg3ctO3Y7OMAOu/uRKt9VpeChbptsh4DGXk6Lmet5hYJ1/UOzEAZd4dEO0uijy8iKYSZoAaZh2qGa9PynIWuD1ENt8feEMwRv5VV7zaNitmjYedmPO9rLAja1/49mxUq9XAeRYTOhWJlbwrc38sybTsCrDsdoxDqUwAAAIEAzV7w+dy0lzER0OHfy/E70So80V8/2Bo3AIwnACWGMTqKC2CrFm6VWDKA9P4x0bq+JBshpjtur/3H0sgAt+Zky3Z2EWpdf+9z1AqTy3l95J+xQhQTzD2lw+NqroInxEqJU0eip3YgdTqksQuDRCSy/hKJDLJOELkWbDLMlb1vXA8=
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlgJcaT8/F0Ah+Jq9PifhQ3Bvfh4Nl5/WWiyoF0yIhhKlNnO04Vnbi8Qb39BDVRKaqIrfhgbG3vxfyF3TeSEOoAiXXyCns6Ivl7HUEHVsjHOVu7nwwMqo94CaM1+pUgJtXmbmTWyfWGCm8kGD2xNaxs10uxIcuukBN7jlN2TGyEmOD8QkA+1Dx7XGBjpMZT+DQwmEo72V2taAo3a0UOz9ivAakZ/kysP+PN+Kz106iT3BWMkvQScyt96HAwbq8Z0tO531mz90UGVBS1KqNMtNsLHsXYJnQ3obXUTwo8KvtEvJ1UHDs6QdEP55PiBTVvCS+CbEwZZ9O1yGNfznBWmp4Q==
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey=all
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:35 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0014s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 26:89:a4:1d:f1:28:3c:36:88:ea:49:6d:1b:df:de:70 (DSA)
| 1024 xumep-dynut-poheh-cenys-dyfyz-tubap-lupoz-fofyd-figuf-timaz-byxox (DSA)
| +--[ DSA 1024]----+
| | . |
| |.o + |
| |o * + . |
| |...B o . |
| |...+o o S |
| |o o + .o |
| | o . . o E |
| | . + |
| | . . |
| +-----------------+
| ssh-dss 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
| 2048 98:fb:db:e0:a3:99:18:04:cb:8c:42:25:f0:f5:b3:5a (RSA)
| 2048 xogok-vykec-zacyg-ruzup-baral-kotyv-latoz-hygyz-hysis-zadun-hyxix (RSA)
| +--[ RSA 2048]----+
| |o. .. |
| | .o. . |
| | .o o |
| |.+ o = |
| |o + . E S |
| |. . o . |
| | o . . |
| | o =.o |
| | . +.+o. |
| +-----------------+
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAlgJcaT8/F0Ah+Jq9PifhQ3Bvfh4Nl5/WWiyoF0yIhhKlNnO04Vnbi8Qb39BDVRKaqIrfhgbG3vxfyF3TeSEOoAiXXyCns6Ivl7HUEHVsjHOVu7nwwMqo94CaM1+pUgJtXmbmTWyfWGCm8kGD2xNaxs10uxIcuukBN7jlN2TGyEmOD8QkA+1Dx7XGBjpMZT+DQwmEo72V2taAo3a0UOz9ivAakZ/kysP+PN+Kz106iT3BWMkvQScyt96HAwbq8Z0tO531mz90UGVBS1KqNMtNsLHsXYJnQ3obXUTwo8KvtEvJ1UHDs6QdEP55PiBTVvCS+CbEwZZ9O1yGNfznBWmp4Q==
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
$ nmap -sT -p22 172.16.0.5 --script=ssh-hostkey --script-args=ssh_hostkey='visual bubble'
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 19:36 CST
NSE: Script Scanning completed.
Nmap scan report for 172.16.0.5
Host is up (0.0017s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey: 1024 xumep-dynut-poheh-cenys-dyfyz-tubap-lupoz-fofyd-figuf-timaz-byxox (DSA)
| +--[ DSA 1024]----+
| | . |
| |.o + |
| |o * + . |
| |...B o . |
| |...+o o S |
| |o o + .o |
| | o . . o E |
| | . + |
| | . . |
| +-----------------+
| 2048 xogok-vykec-zacyg-ruzup-baral-kotyv-latoz-hygyz-hysis-zadun-hyxix (RSA)
| +--[ RSA 2048]----+
| |o. .. |
| | .o. . |
| | .o o |
| |.+ o = |
| |o + . E S |
| |. . o . |
| | o . . |
| | o =.o |
| | . +.+o. |
|_+-----------------+
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
</pre>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp27"></a>2.1.5.6. --script-updatedb 更新脚本</h4></div></div></div>
<pre class="screen">
$ sudo nmap --script-updatedb
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-02 16:34 CST
NSE: Updating rule database.
NSE script database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.12 seconds
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp30"></a>2.1.6. OS DETECTION</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp29"></a>2.1.6.1. -O: Enable OS detection 操作系统探测</h4></div></div></div>
<pre class="screen">
nmap -O -v scanme.nmap.org
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp32"></a>2.1.7. OUTPUT</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp31"></a>2.1.7.1. --open: Only show open (or possibly open) ports 仅显示开放端口</h4></div></div></div>
<pre class="screen">
nmap -O -v scanme.nmap.org
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp35"></a>2.1.8. MISC</h3></div></div></div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp33"></a>2.1.8.1. -6: Enable IPv6 scanning</h4></div></div></div>
</div>
<div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp34"></a>2.1.8.2. -A: Enables OS detection and Version detection, Script scanning and Traceroute</h4></div></div></div>
<pre class="screen">
$ nmap -A -T4 localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2012-02-02 14:54 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00025s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 7ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 a6:ab:76:a5:fb:80:4e:2c:bc:06:d4:85:ff:22:18:1a (DSA)
|_2048 c7:da:16:7a:e7:01:cc:f0:d2:02:b4:17:52:c9:c2:50 (RSA)
80/tcp open http nginx 1.0.5
|_html-title: 500 Internal Server Error
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 1.4
3000/tcp open ntop-http Ntop web interface 4.0.3
9000/tcp open tcpwrapped
Service Info: OS: Linux
Host script results:
|_nbstat: NetBIOS name: NEO-OPTIPLEX-38, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.5.11)
| Name: WORKGROUP\Unknown
|_ System time: 2012-02-02 14:54:19 UTC+8
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
</pre>
</div>
</div>
<div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="idp36"></a>2.1.9. Nmap Scripting Engine (NSE)</h3></div></div></div>
<p>http://nmap.org/nsedoc/</p>
<p>预置脚本</p>
<pre class="screen">
$ ls /usr/share/nmap/scripts
asn-query.nse http-malware-host.nse smb-enum-groups.nse
auth-owners.nse http-open-proxy.nse smb-enum-processes.nse
auth-spoof.nse http-passwd.nse smb-enum-sessions.nse
banner.nse http-trace.nse smb-enum-shares.nse
citrix-brute-xml.nse http-userdir-enum.nse smb-enum-users.nse
citrix-enum-apps.nse iax2-version.nse smb-os-discovery.nse
citrix-enum-apps-xml.nse imap-capabilities.nse smb-psexec.nse
citrix-enum-servers.nse irc-info.nse smb-security-mode.nse
citrix-enum-servers-xml.nse ms-sql-info.nse smb-server-stats.nse
daytime.nse mysql-info.nse smb-system-info.nse
db2-info.nse nbstat.nse smbv2-enabled.nse
dhcp-discover.nse nfs-showmount.nse smtp-commands.nse
dns-random-srcport.nse ntp-info.nse smtp-open-relay.nse
dns-random-txid.nse oracle-sid-brute.nse smtp-strangeport.nse
dns-recursion.nse p2p-conficker.nse sniffer-detect.nse
dns-zone-transfer.nse pjl-ready-message.nse snmp-brute.nse
finger.nse pop3-brute.nse snmp-sysdescr.nse
ftp-anon.nse pop3-capabilities.nse socks-open-proxy.nse
ftp-bounce.nse pptp-version.nse sql-injection.nse
ftp-brute.nse realvnc-auth-bypass.nse ssh-hostkey.nse
html-title.nse robots.txt.nse sshv1.nse
http-auth.nse rpcinfo.nse ssl-cert.nse
http-date.nse script.db sslv2.nse
http-enum.nse skypev2-version.nse telnet-brute.nse
http-favicon.nse smb-brute.nse upnp-info.nse
http-headers.nse smb-check-vulns.nse whois.nse
http-iis-webdav-vuln.nse smb-enum-domains.nse x11-access.nse
</pre>
<p>使用所有脚本进行扫描(注意:这会连同上面列出的 *-brute 等侵入性脚本一起运行)</p>
<pre class="screen">
nmap --script all localhost
</pre>
</div>
</div>
</div><div xmlns="" id="disqus_thread"></div><script xmlns="">
var disqus_config = function () {
// Disqus thread binding. Both values are site-wide constants, so every page
// that embeds this snippet presumably resolves to the same comment thread;
// a per-page canonical URL and identifier would give one thread per page.
var thread = this.page;
thread.url = "http://www.netkiller.cn";
thread.identifier = 'netkiller';
};
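(function() {
// Disqus embed loader: appends the embed script to <head> (or <body> when
// there is no head). The script URL is fixed to https instead of the
// protocol-relative form so that an http: page does not fetch third-party
// code over plain HTTP, where it could be altered in transit.
var d = document, s = d.createElement('script');
s.src = 'https://netkiller.disqus.com/embed.js';
s.setAttribute('data-timestamp', +new Date());
(d.head || d.body).appendChild(s);
})();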
</script><noscript xmlns="">Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript><br xmlns="" /><script xmlns="" type="text/javascript" id="clustrmaps" src="//cdn.clustrmaps.com/map_v2.js?u=r5HG&d=9mi5r_kkDC8uxG8HuY3p4-2qgeeVypAK9vMD-2P6BYM"></script><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="authentication/auth.html">上一页</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="tcpdump.html">下一页</a></td></tr><tr><td width="40%" align="left" valign="top">1.3. Network Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">起始页</a></td><td width="40%" align="right" valign="top"> 2.2. tcpdump - A powerful tool for network monitoring and data acquisition</td></tr></table></div><script xmlns="">
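// Google Analytics (analytics.js) bootstrap: `ga` becomes a command queue
// (calls made before the library arrives are pushed onto ga.q) and the
// library <script> is inserted ahead of the first <script> in the document.
// The library URL is fixed to https so it is never fetched over plain HTTP,
// whatever scheme the page itself was served with.
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-11694057-1', 'auto');
ga('send', 'pageview');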
</script><script xmlns="" async="async">
var _hmt = _hmt || [];
(function() {
// Baidu Tongji (hm.js) loader: creates the tracker <script> and inserts it
// before the first <script> already in the document. `_hmt` is created above
// if the page has not defined it; presumably the tracker's command queue.
var tracker = document.createElement("script");
tracker.src = "https://hm.baidu.com/hm.js?93967759a51cda79e49bf4e34d0b0f2c";
var firstScript = document.getElementsByTagName("script")[0];
firstScript.parentNode.insertBefore(tracker, firstScript);
})();
</script><script xmlns="" async="async">
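(function(){
// Baidu link-submit (push.js) loader. The script is always fetched over
// HTTPS: the https URL is reachable from an http: page as well, and loading
// a remote script over plain HTTP would let it be altered in transit before
// it runs on this page. The previous http:// fallback is therefore dropped.
var bp = document.createElement('script');
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();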
</script><script xmlns="" type="text/javascript" src="/js/q.js" async="async"></script></body></html>