Overview
Host information gathering focuses mainly on the following areas:
- Banner: tools Netcat, Python sockets, Dmitry, Nmap, Amap
- Service: tools Nmap, Amap
- OS: tools Scapy, Nmap, xProbe2, p0f
- SNMP: tools Onesixtyone, SNMPwalk
- Firewall: tools Scapy, Nmap, Metasploit
This page mainly explains how to use the Nmap tool.
Banner gathering
Nmap
root@funday:~# nmap -sT 121.41.x.x --script=banner -p1-65535
Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-20 18:52 EDT
Nmap scan report for laxiong.localdomain (121.41.x.x)
Host is up (0.011s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_5.1p1 Debian-5
80/tcp open http
88/tcp open kerberos-sec
443/tcp open https
2222/tcp open EtherNetIP-1
|_banner: SSH-2.0-OpenSSH_5.1p1 Debian-5
3306/tcp open mysql
| banner: J\x00\x00\x00\x0A5.5.46\x00T\xC3\xCF\x00dGs2<v_W\x00\xFF\xF7\x0
|_8\x02\x00\x0F\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00wrV9V'\...
4404/tcp open unknown
4444/tcp filtered krb524
5554/tcp filtered sgi-esphttp
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
29940/tcp open unknown
52187/tcp open unknown
|_banner: SSH-2.0-OpenSSH_5.3
Nmap done: 1 IP address (1 host up) scanned in 65.28 seconds
root@funday:~#
To obtain service versions, simply use the -sV parameter:
root@funday:~# nmap -sV 121.41.x.x -p1-65535
Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-20 18:56 EDT
Nmap scan report for laxiong.localdomain (121.41.x.x)
Host is up (0.013s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
80/tcp open http nginx 1.6.3
88/tcp open http nginx 1.6.3
443/tcp open ssl/http nginx 1.6.3
2222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
3306/tcp open mysql MySQL 5.5.46
4404/tcp open unknown
4444/tcp filtered krb524
5554/tcp filtered sgi-esphttp
8081/tcp open http nginx 1.6.3
8082/tcp open ssl/http nginx 1.6.3
29940/tcp open unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.43 seconds
root@funday:~#
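As an added example (not part of the original post), the following script turns the -sV output above into a structured inventory and reads it from the defender's side: which open ports fall outside an assumed baseline of what the host should expose, and which open services disclose a version string. The baseline set EXPECTED_EXPOSURE and the embedded port table are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the `nmap -sV` run above (address redacted as on the page).
SAMPLE_NMAP_SV = """\
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 5.1p1 Debian 5 (protocol 2.0)
80/tcp    open     http     nginx 1.6.3
88/tcp    open     http     nginx 1.6.3
443/tcp   open     ssl/http nginx 1.6.3
2222/tcp  open     ssh      OpenSSH 5.1p1 Debian 5 (protocol 2.0)
3306/tcp  open     mysql    MySQL 5.5.46
4404/tcp  open     unknown
4444/tcp  filtered krb524
5554/tcp  filtered sgi-esphttp
8081/tcp  open     http     nginx 1.6.3
8082/tcp  open     ssl/http nginx 1.6.3
29940/tcp open     unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""
# Assumed baseline of what this host is supposed to expose (hypothetical).
EXPECTED_EXPOSURE = {(22, "tcp"), (80, "tcp"), (443, "tcp")}
# One row of nmap's normal-output port table; the VERSION column is optional.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str  # "" when nmap printed no VERSION column

def parse_nmap_sv(text: str) -> list[Service]:
    """Parse the PORT/STATE/SERVICE/VERSION rows; header and 'Service Info' lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, (version or "").strip()))
    return services

def exposure_findings(services: list[Service], expected: set) -> dict:
    """Open ports outside the baseline, and open services that disclose a version string."""
    unexpected = sorted(s.port for s in services
                        if s.state == "open" and (s.port, s.proto) not in expected)
    disclosing = sorted(s.port for s in services if s.state == "open" and s.version)
    return {"unexpected_open": unexpected, "version_disclosed": disclosing}
```

Filtered ports (4444, 5554) are deliberately left out of both findings, since they are not reachable services; the version list is the set of banners worth reviewing for unnecessary disclosure.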
Amap
root@funday:~# amap -B 121.41.x.x 1-65535 | grep " on "
Banner on 121.41.x.x:22/tcp : SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Banner on 121.41.x.x:2222/tcp : SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n
Banner on 121.41.x.x:3306/tcp : J\n5.5.46+tsf&(3h7s`gc<As>xeq*mysql_native_password
Banner on 121.41.x.x:52187/tcp : SSH-2.0-OpenSSH_5.3\r\n
Service gathering
Amap
root@funday:~# amap 121.41.x.x 1-65535 | grep " on "
Protocol on 121.41.x.x:22/tcp matches ssh
Protocol on 121.41.x.x:22/tcp matches ssh-openssh
Protocol on 121.41.x.x:80/tcp matches http
Protocol on 121.41.x.x:88/tcp matches http
Protocol on 121.41.x.x:443/tcp matches http
Protocol on 121.41.x.x:2222/tcp matches ssh
Protocol on 121.41.x.x:2222/tcp matches ssh-openssh
Protocol on 121.41.x.x:3306/tcp matches mysql
Protocol on 121.41.x.x:4404/tcp matches http
Protocol on 121.41.x.x:8082/tcp matches http
Protocol on 121.41.x.x:8081/tcp matches http
Protocol on 121.41.x.x:29940/tcp matches http
Protocol on 121.41.x.x:52187/tcp matches ssh
Protocol on 121.41.x.x:52187/tcp matches ssh-openssh
Protocol on 121.41.x.x:443/tcp matches ntp
Protocol on 121.41.x.x:443/tcp matches ssl
Protocol on 121.41.x.x:8082/tcp matches ntp
Protocol on 121.41.x.x:8082/tcp matches ssl
Nmap
See Nmap under OS gathering.
OS gathering
nmap 121.41.x.x -O
The -O parameter enables OS detection (Enable OS detection), and its output includes Service Info.
SNMP gathering
Nmap's snmp-info script can sniff out SNMP information.