- 浏览: 278232 次
文章分类
- 全部博客 (276)
- burp+hydra暴力破解 (1)
- kali linux工具集 (6)
- kali (59)
- linux (54)
- password (14)
- web (63)
- 渗透测试 (50)
- windows (40)
- metasploit (9)
- 信息收集 (32)
- burp suit (4)
- 安全审计 (9)
- https://github.com/secretsquirrel/the-backdoor-factory (0)
- nmap (4)
- arachni (2)
- 工具 (5)
- sql (3)
- 网络 (2)
- 后渗透测试 (10)
- 内网 (5)
- 无线 (2)
- C (3)
- bios (1)
- RoR (12)
- mongodb (1)
- linxu (1)
- gdb (1)
- linux,虚拟化 (1)
- python (4)
最新评论
原文地址:http://resources.infosecinstitute.com/nmap-evade-firewall-scripting/
TCP ACK Scan (-sA)
发送ACK数据报比发送SYN数据包更好,因为如果远端主机存在主动防火墙,那么由于防火墙对于ACK数据报不产生log,因为防火墙把ACK数据包当成SYN数据包的应答。TCP ACK扫描要求攻击者有root权限,它对stateless类型的防火墙和IDS很有效果。ACK扫描与其他扫描技术不同,因为它本意不是用来发现open端口的,而是用来判断防火墙类型的。
Firewall Enabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:30 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
Firewall Disabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:31 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.1.9 are unfiltered
所以它很容易用来发现目标是否有防火墙,而且ACK扫描被发现的风险较低但是发现是否存在防火墙的几率比较大。
TCP Window Scan (-sW)
类似于ACK扫描但是有一点不同,TCP Windows扫描用于发现open/closed端口而不是发现是否被过滤的状态。它也需要root权限。
Firewall Enabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:50 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
Firewall Disabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:51 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.9 are closed
这种扫描不与目标之间创建session,所以受害者机器不会记录log。
Fragment Packets (-f)
改技术把请求分成小段发送,所以叫做分片技术,使用-ff如果你想进一步分片
Firewall Enabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:21 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00056s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Firewall enabled + all ports are closed
# nmap -ff 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:24 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00083s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Firewall Disabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:20 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Spoof MAC Address
有一种很简单的技术伪装你的MaC地址,nmap可以为每次扫描随机选择一个MAC地址,另一个选项是手动指定MAC地址(这样做攻击者可以伪装成同一网段内的一台电脑),nmap含有一个nmap-mac-prefixe数据库,当给定一个生产厂商的名字时,它查找数据库来找一个合适的名字。
# nmap –spoof-mac Cisco 192.168.1.3
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 17:18 PKT
Spoofing MAC address 00:00:0C:6D:3F:26 (Cisco Systems)
Nmap scan report for 192.168.1.3
Host is up (0.00036s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp closed telnet
80/tcp closed http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
nmap脚本
1. smb-check-vulns
MS08-067 Windows vulnerability that can be exploited
Conficker malware on the target machine
Denial of service vulnerability of Windows 2000
MS06-025 Windows vulnerability
MS07-029 Windows vulnerability
2. Http-enum
如果想枚举web服务器来寻找web服务器的目录,这个脚本是最适合的。Http-enum同样可以发现开放端口以及每个端口的软件版本
root@bt:~# nmap -sV –script=http-enum 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
| /login.php: Possible admin folder
| /login/: Login page
| /login.php: Login page
| /logs/: Logs
3. samba-vuln-cve-2012-1182
用于发现samba CVE-2012-1182栈溢出漏洞
nmap –script=samba-vuln-cve-2012-1182 -p 139 target
nmap –script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3
4. smtp-strangeport
用于发现smtp服务是否运行在标准端口
nmap -sV –script=smtp-strangeport target
5. http-php-version
用于获得http版本
nmap -sV –script=http-php-version target
另外还有
http-wordpress-plugins
http-wordpress-enum
http-wordpress-brute
6. dns-blacklist
用于发现黑名单IP,你所需要提供的是一个IP以及用于检查反垃圾邮件和代理黑名单的脚本
# nmap -sn 67.213.218.72 –script dns-blacklist
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-28 23:54 PKT
Nmap scan report for 67.213.218.72
Host is up (0.24s latency).
Host script results:
| dns-blacklist:
| PROXY
| dnsbl.tornevall.org – PROXY
| IP marked as “abusive host”
| Proxy is working
|_ Proxy has been scanned
TCP ACK Scan (-sA)
发送ACK数据报比发送SYN数据包更好,因为如果远端主机存在主动防火墙,那么由于防火墙对于ACK数据报不产生log,因为防火墙把ACK数据包当成SYN数据包的应答。TCP ACK扫描要求攻击者有root权限,它对stateless类型的防火墙和IDS很有效果。ACK扫描与其他扫描技术不同,因为它本意不是用来发现open端口的,而是用来判断防火墙类型的。
Firewall Enabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:30 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
Firewall Disabled
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:31 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.1.9 are unfiltered
所以它很容易用来发现目标是否有防火墙,而且ACK扫描被发现的风险较低但是发现是否存在防火墙的几率比较大。
TCP Window Scan (-sW)
类似于ACK扫描但是有一点不同,TCP Windows扫描用于发现open/closed端口而不是发现是否被过滤的状态。它也需要root权限。
Firewall Enabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:50 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
Firewall Disabled
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:51 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.9 are closed
这种扫描不与目标之间创建session,所以受害者机器不会记录log。
Fragment Packets (-f)
改技术把请求分成小段发送,所以叫做分片技术,使用-ff如果你想进一步分片
Firewall Enabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:21 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00056s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Firewall enabled + all ports are closed
# nmap -ff 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:24 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00083s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Firewall Disabled
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:20 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
Spoof MAC Address
有一种很简单的技术伪装你的MaC地址,nmap可以为每次扫描随机选择一个MAC地址,另一个选项是手动指定MAC地址(这样做攻击者可以伪装成同一网段内的一台电脑),nmap含有一个nmap-mac-prefixe数据库,当给定一个生产厂商的名字时,它查找数据库来找一个合适的名字。
# nmap –spoof-mac Cisco 192.168.1.3
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 17:18 PKT
Spoofing MAC address 00:00:0C:6D:3F:26 (Cisco Systems)
Nmap scan report for 192.168.1.3
Host is up (0.00036s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp closed telnet
80/tcp closed http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
nmap脚本
1. smb-check-vulns
MS08-067 Windows vulnerability that can be exploited
Conficker malware on the target machine
Denial of service vulnerability of Windows 2000
MS06-025 Windows vulnerability
MS07-029 Windows vulnerability
2. Http-enum
如果想枚举web服务器来寻找web服务器的目录,这个脚本是最适合的。Http-enum同样可以发现开放端口以及每个端口的软件版本
root@bt:~# nmap -sV –script=http-enum 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
| /login.php: Possible admin folder
| /login/: Login page
| /login.php: Login page
| /logs/: Logs
3. samba-vuln-cve-2012-1182
用于发现samba CVE-2012-1182栈溢出漏洞
nmap –script=samba-vuln-cve-2012-1182 -p 139 target
nmap –script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3
4. smtp-strangeport
用于发现smtp服务是否运行在标准端口
nmap -sV –script=smtp-strangeport target
5. http-php-version
用于获得http版本
nmap -sV –script=http-php-version target
另外还有
http-wordpress-plugins
http-wordpress-enum
http-wordpress-brute
6. dns-blacklist
用于发现黑名单IP,你所需要提供的是一个IP以及用于检查反垃圾邮件和代理黑名单的脚本
# nmap -sn 67.213.218.72 –script dns-blacklist
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-28 23:54 PKT
Nmap scan report for 67.213.218.72
Host is up (0.24s latency).
Host script results:
| dns-blacklist:
| PROXY
| dnsbl.tornevall.org – PROXY
| IP marked as “abusive host”
| Proxy is working
|_ Proxy has been scanned
发表评论
-
kali 2.0 broadcom wifi connection
2015-12-12 16:28 414引用apt-get install -y linux-head ... -
kali2.0中国源
2015-09-27 01:42 423#中科大kali源 deb http://mirrors.us ... -
如何找书
2015-09-20 19:21 319引用intitle:"index.of" ... -
wpscan
2015-08-01 10:39 404https://www.digitalocean.com/co ... -
[转]Tunneling Data and Commands Over DNS to Bypass Firewalls
2015-07-13 20:44 458https://zeltser.com/c2-dns-tunn ... -
[转]linkedin_crawl
2015-06-30 00:24 390https://blog.netspi.com/collect ... -
linux dd命令
2015-06-06 14:29 346dd if=/dev/hda of=disk.mbr coun ... -
[译]从配置错误的web server中dump git数据
2015-03-26 01:07 540原文地址:https://blog.netspi.com/du ... -
[译]解密MSSQL密码
2015-03-26 00:43 2820原文地址: https://blog.ne ... -
自动化Man-in-the-Middle SSHv2攻击
2015-03-18 01:26 1017参考:http://www.david-guembel.de/ ... -
Wine中使用MinGW
2015-03-17 00:49 626原文:http://null-byte.wonderhowto ... -
linux install firefix&plugin
2015-01-22 20:56 4151. download firefox&plugins ... -
gitrob--github信息收集
2015-01-17 00:36 951原文地址:http://michenriksen.com/bl ... -
合并gif和php文件
2015-01-04 23:07 8081. apt-get install gifsicle ... -
kaili 1.09安装问题解决
2014-12-28 14:10 415本人采用的安装方法是 1. 在VMware中安装1.09 Ka ... -
[译]剪切粘贴二进制文件
2014-12-17 01:20 802原文地址:http://pen-testing.sans.or ... -
kali更新exploit-db
2014-12-12 01:08 1770cd /usr/share/exploitdb wget h ... -
使用Tesseract 识别验证码
2014-12-10 00:48 768参考: http://code.google.com/p/te ... -
使用apt-fast加速Ubuntu软件安装
2014-12-02 01:21 527apt-get是Ubuntu常用的软件安装和更新命令但是它使用 ... -
the-backdoor-factory
2014-11-27 01:30 1882参考:https://github.com/secretsqu ...
相关推荐
Nmap是用于端口扫描,服务检测,甚至是漏洞扫描等多种功能的强大工具。Nmap从入门到高级覆盖了许多基础的概念和命令,在这篇文章的第二部分,我将提及Nmap一些高级的技术。
nmap的欺骗与绕过防火墙.pdf
Nmap绕过防火墙&脚本的使用.zip
Nmap绕过防火墙以及脚本的基础概念与高级技术的使用整理.pdf
Nmap在实战中的高级用法,包括静默扫描,绕过防火墙检测等
Nmap是一款非常强大的实用工具,可用于:检测活在网络上的主机(主机发现)检测主机上开放的端口(端口发现或枚举)检测到相应的端口...我们需要使用一些先进的技术来绕过防火墙和入侵检测/防御系统,以获得正确的结果。
nmap4j 是 一个用 Java 写的 Nmap 扫描器,用来执行、扫描和持久化 Nmap 输出信息。
nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调nmap api,用Python可调...
nmap -sP 192.168.1.0/24 仅列出指定网络上的每台主机,不发送任何报文到目标主机: nmap -sL 192.168.1.0/24 探测目标主机开放的端口,可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80): nmap -...
nmap
在不同情况下,你可能需要隐藏扫描、越过防火墙扫描或者使用不同的协议进行扫描,比如:UDP、TCP、ICMP 等)。它支持:Vanilla TCP connect 扫描、TCP SYN(半开式)扫描、TCP FIN、Xmas、或NULL(隐藏)扫描、TCP ...
Nmap.Project.Nmap.Network.Scanning 压缩第三卷,共三卷。
Nmap渗透测试指南
Nmap可用于扫描仅有两个节点的LAN,直至500个节点以上的网络。Nmap 还允许用户定制扫描技巧。通常,一个简单的使用ICMP协议的ping操 作可以满足一般需求;也可以深入探测UDP或者TCP端口,直至主机所 使用的操作系统...
Nmap以新颖的方式使用原始IP报文来发现网络上有哪些主机,那些主机提供什么服务(应用程序名和版本),那些服务运行在什么操作系统(包括版本信息), 它们使用什么类型的报文过滤器/防火墙,以及一堆其它功能。虽然Nmap...
Nmap是一个著名的开源工具,它是在20世纪90后期出现的。2003年,在电影《黑客帝国2》中Tritnity曾用Nmap 2.54BETA25版攻击SSH 服务器, 破坏发电厂的安全,Nmap因此受到了普遍关注。在现实生活中,Nmap主要用于确定...
这个压缩包有比较去全面的Nmap用法和原理分析文档。 (1)Nmap核心功能的源码(如nmap.cc/ scan_engine.cc/ service_scan.cc/osscan2.cc/ nse_main.lua等)。 (2)Nmap的核心数据库文件(nmap-os-db/ nmap-...
实训环境根据测试目的不同,可以基于两种环境配置: (1)测试真实的互联网环境; 1.正常的互联网连接及访问公开请允许使用的测试站点;...6.绕过防火墙扫描端口; 知识目标: 掌握安全扫描的概念,意义及应用分析
nmap 免安装版,解压直接使用
Nmap中文官方文档Nmap中文官方文档Nmap中文官方文档