
Nmap: the Network Mapper - Free Security Scanner
https://nmap.org/
Contents
Nmap host discovery
A simple scan
1. Ping scan
2. No-ping scan
3. TCP SYN ping scan
4. TCP ACK ping scan
5. ARP ping scan
6. Scanning an IPv6 address
7. Traceroute
8. Timing options
Fingerprinting and probing
1. Version detection
2. Comprehensive scan
3. All-port version detection
4. OS detection
5. IP spoofing (decoys)
Information gathering
1. Retrieving SMB information
2. Checking for a vulnerability
3. Script path
Saving scan output
1. Normal output
2. XML output (recommended)
Nmap host discovery
A simple scan
Run as root with no options, Nmap ARP-pings the target and then SYN-scans the 1000 most common TCP ports (the output below shows 16 open plus 984 closed). Use the -p option to choose the ports yourself, for example -p 22,80,443, or -p- for all 65535.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 15:30 CST
Nmap scan report for 192.168.3.75
Host is up (0.00027s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
1. Ping scan
-sP (lowercase s, uppercase P) performs host discovery only and skips the port scan. In current Nmap releases -sP is a deprecated alias for -sn; both still work.
When scanning many hosts, press Enter (or any other key) while the scan runs to print the current progress.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -sP 192.168.3.1/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 15:34 CST
Nmap scan report for 192.168.3.1
Host is up (0.00042s latency).
MAC Address: F8:AF:05:28:F8:A8 (Huawei Device)
Nmap scan report for 192.168.3.2
Host is up (0.00011s latency).
MAC Address: 00:D8:61:77:B4:7A (Micro-star Intl)
Nmap scan report for 192.168.3.75
Host is up (0.00014s latency).
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap scan report for 192.168.3.119
Host is up (0.000089s latency).
MAC Address: 00:0C:29:72:98:97 (VMware)
Nmap scan report for 192.168.3.136
Host is up (0.10s latency).
MAC Address: 38:F9:D3:2D:FA:59 (Apple)
Nmap scan report for 192.168.3.127
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.38 seconds
On the local network this uses ARP requests, which is why every host except the scanner itself (192.168.3.127) gets a MAC Address line. For hosts beyond the local segment Nmap falls back to IP-level probes: as root, an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request.
2. No-ping scan
-P0 (uppercase P and the digit 0, not the letter o) skips host discovery and treats every target as up. The modern spelling is -Pn; -P0 is the older form and is still accepted.
A no-ping scan is used when a firewall blocks ping: a host that drops all discovery probes would otherwise be reported as down and never port-scanned, so this option is how you find the machines that are really running behind such filtering.
192.168.3.2 is an example of this: a plain ping cannot tell whether it is up (it answers ARP but drops everything else, which is why every port shows as filtered in the ARP scan below), so scanning it with -P0 forces the port scan regardless.
3. TCP SYN ping scan
-PS sends an empty TCP packet with the SYN flag set. The default destination port is 80; a port list can be appended with no space, e.g. -PS22,80,443. Either a SYN/ACK or a RST reply proves the host is up.
4. TCP ACK ping scan
-PA performs a TCP ACK ping. It works exactly like the SYN ping except that the ACK flag is set instead of SYN (default port 80 again, e.g. -PA80,443). A live host answers an unexpected ACK with a RST, and ACK probes get through some stateless firewalls that block SYNs, which is why -PS and -PA are often combined.
5. ARP ping scan
-PR is used when scanning the local network. ARP (Address Resolution Protocol) is the TCP/IP protocol that maps an IP address to a physical (MAC) address: the host broadcasts an ARP request to every host on the segment, receives the reply that names the MAC of the target IP, and caches the IP-to-MAC mapping so later lookups are answered from the local ARP cache.
An ARP ping is simply Nmap performing that ARP exchange with each target. On a local Ethernet segment it is the most effective form of host discovery: a host cannot operate on a LAN without answering ARP, so host firewalls do not block it, and it is faster and more reliable than any IP-level ping. Nmap already uses ARP automatically for targets on the local segment when run as root; -PR only makes that explicit. Note that the command below was given no -sn, so every discovered host is also port-scanned.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -PR 192.168.3.1-100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:11 CST
Nmap scan report for 192.168.3.1
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
MAC Address: F8:AF:05:28:F8:A8 (Huawei Device)
Nmap scan report for 192.168.3.2
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.3.2 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:D8:61:77:B4:7A (Micro-star Intl)
Nmap scan report for 192.168.3.75
Host is up (0.00080s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap done: 100 IP addresses (3 hosts up) scanned in 5.44 seconds
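An added example, not part of the original notes: the Python below parses the XML that a sweep like the ones above produces when saved with -sn -oX, and diffs the live hosts against a small inventory so that an unexpected device on the LAN (a new MAC, or an address with no ARP data at all) stands out. The XML is constructed to mimic Nmap 7.93's format using the addresses from the sweep above, and KNOWN_HOSTS is a hypothetical inventory.

```python
"""Parse the XML of an Nmap ping sweep (nmap -sn -oX hosts.xml ...) and diff the
live hosts against a known-host inventory.  Added example, not part of the
original notes; the XML is constructed to mimic Nmap 7.93's output and the
inventory is hypothetical."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sn -oX - 192.168.3.0/24` emits (trimmed).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.3.0/24" version="7.93" xmloutputversion="1.05">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.3.1" addrtype="ipv4"/>
<address addr="F8:AF:05:28:F8:A8" addrtype="mac" vendor="Huawei Device"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.3.75" addrtype="ipv4"/>
<address addr="00:0C:29:D2:AC:C6" addrtype="mac" vendor="VMware"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.3.136" addrtype="ipv4"/>
<address addr="38:F9:D3:2D:FA:59" addrtype="mac" vendor="Apple"/>
</host>
<host><status state="down" reason="no-response" reason_ttl="0"/>
<address addr="192.168.3.200" addrtype="ipv4"/>
</host>
<host><status state="up" reason="localhost-response" reason_ttl="0"/>
<address addr="192.168.3.127" addrtype="ipv4"/>
</host>
<runstats><finished elapsed="2.38" exit="success"/><hosts up="4" down="1" total="5"/></runstats>
</nmaprun>
"""

# Hypothetical inventory: MAC -> description of the device we expect to see.
KNOWN_HOSTS = {
    "F8:AF:05:28:F8:A8": "home router",
    "00:0C:29:D2:AC:C6": "win8 lab VM",
}


def live_hosts(xml_text):
    """Return {ip: (mac, vendor)} for every host Nmap reported as up.
    mac and vendor are None when Nmap had no ARP data for the host
    (the scanner itself, or a host that is not on the local segment)."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
        if ip:
            hosts[ip] = (mac, vendor)
    return hosts


def unknown_hosts(hosts, inventory):
    """Hosts whose MAC is not in the inventory, including hosts with no MAC
    (those cannot be matched, so they are reported rather than silently passed)."""
    return {ip: mv for ip, mv in hosts.items() if mv[0] not in inventory}


if __name__ == "__main__":
    found = live_hosts(SAMPLE_XML)
    for ip, (mac, vendor) in unknown_hosts(found, KNOWN_HOSTS).items():
        print(f"unknown host {ip} mac={mac} vendor={vendor}")
```

Matching on the MAC rather than the IP is deliberate: DHCP moves addresses around, but a new MAC on the segment is a new device. The inventory should be stored outside the script in practice; it is inlined here only so the example runs on its own.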
6. Scanning an IPv6 address
IPv6 targets are scanned by adding the -6 option before the address or hostname; the scan types and ping options above work the same way. On a local IPv6 segment host discovery uses ICMPv6 Neighbor Discovery in place of ARP.
7. Traceroute
The --traceroute option adds a route trace to the scan. It shows the path from the local machine to the target, listing each intermediate hop and the round-trip time to it. Unlike the traceroute utility, Nmap traces after the port scan using a protocol and port the target is already known to answer (port 443/tcp in the output below), which is why the trace works even where ICMP is filtered. Hops that did not answer are shown as ranges such as "4 ... 7".
┌──(root㉿vm-suanlunce)-[~]
└─# nmap --traceroute -v www.baidu.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:24 CST
Initiating Ping Scan at 16:24
Scanning www.baidu.com (14.215.177.38) [4 ports]
Completed Ping Scan at 16:24, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:24
Completed Parallel DNS resolution of 1 host. at 16:24, 2.01s elapsed
Initiating SYN Stealth Scan at 16:24
Scanning www.baidu.com (14.215.177.38) [1000 ports]
Discovered open port 443/tcp on 14.215.177.38
Discovered open port 80/tcp on 14.215.177.38
Completed SYN Stealth Scan at 16:24, 11.82s elapsed (1000 total ports)
Initiating Traceroute at 16:24
Completed Traceroute at 16:24, 3.02s elapsed
Initiating Parallel DNS resolution of 5 hosts. at 16:24
Completed Parallel DNS resolution of 5 hosts. at 16:24, 2.02s elapsed
Nmap scan report for www.baidu.com (14.215.177.38)
Host is up (0.031s latency).
Other addresses for www.baidu.com (not scanned): 14.215.177.39
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 1.27 ms 192.168.3.1
2 3.09 ms 192.168.1.1
3 17.80 ms 10.0.0.1
4 ... 7
8 33.11 ms 106.96.135.219.broad.fs.gd.dynamic.163data.com.cn (219.135.96.106)
9 ... 10
11 27.54 ms 14.215.177.38
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.12 seconds
Raw packets sent: 3033 (133.428KB) | Rcvd: 17 (844B)
8. Timing options
-T followed by a digit 0-5 selects a timing template; the names are Nmap's own:
-T0 (paranoid): extremely slow, sends probes one at a time about five minutes apart, used for IDS evasion.
-T1 (sneaky): slow, also for IDS evasion.
-T2 (polite): slows down to use less bandwidth and fewer target resources; rarely used.
-T3 (normal): the default; Nmap adapts its timing to how the target responds.
-T4 (aggressive): fast scanning and the most common choice, but it assumes a fast, reliable network; it can overwhelm a weak target and loses results on a lossy link.
-T5 (insane): fastest; trades accuracy for speed and is only appropriate on very fast networks.
Fingerprinting and probing
1. Version detection
-sV enables version detection. It does not replace the port scan: after the port scan, Nmap sends service probes to each open port and matches the replies against the fingerprints in nmap-service-probes to name the service and, where possible, its product and version. A service followed by ? (rtsp? and ssl/ms-wbt-server? below) means the port was open but no probe matched, so the name is only a guess from the port number. The Stats: lines in the output are the progress report printed when a key is pressed during the scan.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -sV 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:45 CST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 43.75% done; ETC: 16:47 (0:00:58 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00036s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ssl/ms-wbt-server?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.05 seconds
2. Comprehensive scan
-A ("aggressive") turns on OS detection (-O), version detection (-sV), the default NSE scripts (-sC) and --traceroute in one go; it is the usual all-in-one option against a target you are allowed to scan loudly. The script results are where the findings are: below, http-methods reports TRACE enabled, http-robots.txt reveals /admineu/ and /editor/, rdp-ntlm-info leaks the host name and build 6.3.9600 without authentication, and the host scripts show SMB message signing enabled but not required, which is the condition NTLM relay attacks depend on.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -A 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:50 CST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 43.75% done; ETC: 16:51 (0:00:50 remaining)
Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.95% done; ETC: 16:53 (0:00:00 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00028s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: 404 - \xD5\xD2\xB2\xBB\xB5\xBD\xCE\xC4\xBC\xFE\xBB\xF2\xC4\xBF\xC2\xBC\xA1\xA3
|_http-server-header: Microsoft-IIS/8.5
| http-robots.txt: 2 disallowed entries
|_/admineu/ /editor/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 8.1 Enterprise 9600 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2023-01-02T08:53:26+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: SUANLUNCEWIN8
| NetBIOS_Domain_Name: SUANLUNCEWIN8
| NetBIOS_Computer_Name: SUANLUNCEWIN8
| DNS_Domain_Name: suanlunceWIN8
| DNS_Computer_Name: suanlunceWIN8
| Product_Version: 6.3.9600
|_ System_Time: 2023-01-02T08:52:24+00:00
| ssl-cert: Subject: commonName=suanlunceWIN8
| Not valid before: 2022-12-29T08:57:33
|_Not valid after: 2023-06-30T08:57:33
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-01-02T08:52:23
|_ start_date: 2023-01-02T05:43:36
|_clock-skew: mean: -1h36m00s, deviation: 3h34m38s, median: -1s
|_nbstat: NetBIOS name: SUANLUNCEWIN8, NetBIOS user: <unknown>, NetBIOS MAC: 000c29d2acc6 (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 8.1 Enterprise 9600 (Windows 8.1 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_8.1::-
| Computer name: suanlunceWIN8
| NetBIOS computer name: SUANLUNCEWIN8\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-01-02T16:52:24+08:00
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.3.75
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.70 seconds
3. All-port version detection
--allports controls which open ports version detection probes, not which ports are scanned. By default -sV skips the ports listed in the Exclude directive of nmap-service-probes, the TCP 9100-9107 printer ports, because probing them makes some printers print pages of garbage; --allports removes that exclusion so every open port is probed. To scan all 65535 ports use -p- instead.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -sV --allports 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:55 CST
Stats: 0:01:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.69% done; ETC: 16:57 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.88% done; ETC: 16:57 (0:00:00 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00088s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ssl/ms-wbt-server?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49163/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.92 seconds
4. OS detection
-O (uppercase letter O, not the digit 0 or lowercase o) enables OS detection, which fingerprints the target's TCP/IP stack. It needs raw packet privileges (root) and works best when the target has at least one open and one closed TCP port; with fewer reference points the guess gets vaguer, as the "Windows 7 ... or Windows 8.1" range below shows.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -O 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:59 CST
Nmap scan report for 192.168.3.75
Host is up (0.00023s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds
5. IP spoofing (decoys)
-D sends the scan with decoys: every probe is also sent from each spoofed decoy address, so the target (and its IDS) sees the same scan arriving from several sources and cannot tell which one is real. This can get past simple address-based blocking and hides which host is scanning; it does not hide that a scan is happening.
Several decoy addresses can be given separated by commas, ME marks where your own address goes in the list, and RND:20 generates 20 random decoys instead:
nmap -D 192.168.3.1,192.168.3.2,192.168.3.4 192.168.3.75
nmap -D RND:20 192.168.3.75
Caveats: decoys only work with raw-packet scans (SYN scan, OS detection), not with -sV or connect scans, which need a real TCP handshake; decoy hosts that are down can leave the target SYN-flooded; and on the local Ethernet segment every decoy frame still carries your real source MAC (the target sees your MAC just as you see its MAC Address line below), so decoys obscure only the IP layer.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -D 111.111.111.111 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:06 CST
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.63 seconds
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -D RND:99 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:09 CST
Nmap scan report for 192.168.3.75
Host is up (0.0017s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
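The caveat that decoy frames on the local segment still carry the real source MAC can be turned into a detection. The following Python is an added example, not part of the original notes: it parses constructed log lines in an iptables-LOG-like key=value format (the MAC= field is what makes this possible) and reports any source MAC that claims several source IPs probing the same ports, which is the signature of nmap -D on a LAN. The MACs, timestamps and the 00:0c:29 scanner address are made up; 111.111.111.111 mirrors the decoy used above.

```python
"""Detect a decoy scan (nmap -D) from Layer-2-aware logs.  Nmap spoofs the IP
source of the decoy probes, but on the local segment every frame still carries
the scanner's real source MAC.  Added example, not from the original notes; the
log format and all addresses are constructed."""
import re
from collections import defaultdict

# Constructed log: one line per TCP SYN seen by the target, in a key=value form
# similar to what an iptables/nftables LOG rule records (it includes the MAC).
SAMPLE_LOG = """\
2023-01-02T17:06:01 MAC=00:0c:29:11:22:33 SRC=111.111.111.111 DST=192.168.3.75 DPT=445 SYN
2023-01-02T17:06:01 MAC=00:0c:29:11:22:33 SRC=192.168.3.127 DST=192.168.3.75 DPT=445 SYN
2023-01-02T17:06:01 MAC=00:0c:29:11:22:33 SRC=111.111.111.111 DST=192.168.3.75 DPT=3389 SYN
2023-01-02T17:06:01 MAC=00:0c:29:11:22:33 SRC=192.168.3.127 DST=192.168.3.75 DPT=3389 SYN
2023-01-02T17:06:02 MAC=00:0c:29:11:22:33 SRC=111.111.111.111 DST=192.168.3.75 DPT=80 SYN
2023-01-02T17:06:02 MAC=00:0c:29:11:22:33 SRC=192.168.3.127 DST=192.168.3.75 DPT=80 SYN
2023-01-02T17:06:05 MAC=38:f9:d3:2d:fa:59 SRC=192.168.3.136 DST=192.168.3.75 DPT=80 SYN
2023-01-02T17:06:09 MAC=38:f9:d3:2d:fa:59 SRC=192.168.3.136 DST=192.168.3.75 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]{17}) SRC=(?P<src>\S+) DST=\S+ DPT=(?P<dport>\d+) SYN"
)


def parse_syns(log_text):
    """Yield (mac, src_ip, dport) for each SYN line; non-matching lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("mac"), m.group("src"), int(m.group("dport"))


def find_decoy_scans(log_text, min_ips=2):
    """Return {mac: {src_ip: set(ports)}} for every MAC behind >= min_ips
    distinct source IPs.  One NIC sending from several IPs is rare on a LAN;
    several IPs probing the same ports from one MAC is what nmap -D looks like."""
    by_mac = defaultdict(lambda: defaultdict(set))
    for mac, src, dport in parse_syns(log_text):
        by_mac[mac][src].add(dport)
    return {mac: dict(ips) for mac, ips in by_mac.items() if len(ips) >= min_ips}


def same_probe_set(ips):
    """True when every source IP under one MAC hit exactly the same ports,
    which is how nmap interleaves its decoys (each probe is sent once per decoy)."""
    return len({frozenset(ports) for ports in ips.values()}) == 1


if __name__ == "__main__":
    for mac, ips in find_decoy_scans(SAMPLE_LOG).items():
        tag = "identical probe sets" if same_probe_set(ips) else "differing probe sets"
        print(f"decoy scan from MAC {mac}: sources {sorted(ips)} ({tag})")
```

The MAC is the actionable datum: the switch's forwarding table or the DHCP lease file maps it to a port and a device, which none of the spoofed IPs can. Off the local segment this check does not apply, because the source MAC of every frame is then the last-hop router; there you have to correlate on timing and port sequence instead.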
Information gathering
1. Retrieving SMB information
--script selects Nmap Scripting Engine (NSE) scripts by name (the .nse suffix is optional). smb-os-discovery asks the SMB service for the OS, computer name, workgroup and clock without any credentials. Without -p the command below still port-scans the 1000 default ports first; add -p 445 to run only the script.
┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-os-discovery.nse 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:26 CST
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).
Not shown: 984 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
554/tcp open rtsp
2869/tcp open icslap
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
10243/tcp open unknown
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49163/tcp open unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Host script results:
| smb-os-discovery:
| OS: Windows 8.1 Enterprise 9600 (Windows 8.1 Enterprise 6.3)
| OS CPE: cpe:/o:microsoft:windows_8.1::-
| Computer name: suanlunceWIN8
| NetBIOS computer name: SUANLUNCEWIN8\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2023-01-02T17:27:08+08:00
Nmap done: 1 IP address (1 host up) scanned in 18.75 seconds
2. Checking for a vulnerability
The smb-vuln-* scripts test for specific SMB vulnerabilities. smb-vuln-ms08-067 checks for MS08-067 (CVE-2008-4250); it is in the intrusive and dos categories and its documentation warns that the check can crash the target's Server service, so run it only against systems you are authorized to disrupt. Use --script-help followed by the script name to read a script's description and categories before running it.
┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-vuln-ms08-067.nse 192.168.3.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:28 CST
Nmap scan report for 192.168.3.119
Host is up (0.000094s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
82/tcp open xfer
84/tcp open ctf
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1067/tcp open instl_boots
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
3. Script path
All bundled scripts live under:
/usr/share/nmap/scripts
Browse that directory, or the category index in script.db there, to find more. The example below runs smb-brute against port 445 only; it guesses SMB credentials, so it can lock out accounts where a lockout policy applies and must be agreed in advance. Here it finds that both administrator and guest accept a blank password but are disabled.
┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-brute.nse 192.168.3.75 -p 445
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:35 CST
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Host script results:
| smb-brute:
| administrator:<blank> => Valid credentials, account disabled
|_ guest:<blank> => Valid credentials, account disabled
Nmap done: 1 IP address (1 host up) scanned in 24.81 seconds
Saving scan output
1. Normal output
-oN writes the same text shown on screen to a file. -oA followed by a base name writes normal, XML and grepable output at once (.nmap, .xml and .gnmap).
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -oN nmap_scan.txt 192.168.3.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:42 CST
Nmap scan report for 192.168.3.119
Host is up (0.000065s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
82/tcp open xfer
84/tcp open ctf
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1067/tcp open instl_boots
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
2. XML output (recommended)
-oX writes the results as XML, which result-processing tools (and Nmap's own ndiff) can parse reliably, unlike the screen format, whose layout changes between versions.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -oX nmap_scan.xml 192.168.3.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:44 CST
Nmap scan report for 192.168.3.119
Host is up (0.000065s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
82/tcp open xfer
84/tcp open ctf
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1067/tcp open instl_boots
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
The XML file can be turned into an HTML report with the xsltproc command, using the nmap.xsl stylesheet that ships with Nmap (the file's xml-stylesheet header already points to it).
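For a human-readable report, xsltproc /usr/share/nmap/nmap.xsl nmap_scan.xml -o nmap_scan.html renders the file with the stylesheet from the Nmap data directory seen earlier in this page. The point of the XML format, though, is machine triage. The Python below is an added example, not part of the original notes: it reads the XML that the -A scan of 192.168.3.75 above would produce when saved with -oX, lists the open ports with their detected versions (marking services Nmap could only guess from the port number), and flags the script findings a reviewer would act on: SMB signing not required, SMB1 signing disabled, risky HTTP methods. The XML is constructed to match Nmap 7.93's schema using the values from that scan; the RULES table and the finding texts are this example's own.

```python
"""Triage an Nmap -A scan saved with -oX: list open ports with detected versions
and flag script findings worth acting on.  Added example, not from the original
notes; the XML is constructed to match Nmap 7.93's schema using values from the
scan of 192.168.3.75 shown earlier."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.3.75" version="7.93" xmloutputversion="1.05">
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.3.75" addrtype="ipv4"/>
<address addr="00:0C:29:D2:AC:C6" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="http" product="Microsoft IIS httpd" version="8.5" ostype="Windows" method="probed" conf="10"/>
<script id="http-methods" output="&#10;  Potentially risky methods: TRACE"/>
<script id="http-robots.txt" output="2 disallowed entries &#10;/admineu/ /editor/"/>
</port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="microsoft-ds" product="Windows 8.1 Enterprise 9600 microsoft-ds" method="probed" conf="10"/>
</port>
<port protocol="tcp" portid="554"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="rtsp" method="table" conf="3"/>
</port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="128"/>
<service name="ms-wbt-server" tunnel="ssl" method="table" conf="3"/>
<script id="ssl-cert" output="Subject: commonName=suanlunceWIN8&#10;Not valid before: 2022-12-29T08:57:33&#10;Not valid after:  2023-06-30T08:57:33"/>
</port>
<port protocol="tcp" portid="9100"><state state="closed" reason="reset" reason_ttl="128"/>
<service name="jetdirect" method="table" conf="3"/>
</port>
</ports>
<hostscript>
<script id="smb-security-mode" output="&#10;  account_used: guest&#10;  authentication_level: user&#10;  challenge_response: supported&#10;  message_signing: disabled (dangerous, but default)"/>
<script id="smb2-security-mode" output="&#10;  302: &#10;    Message signing enabled but not required"/>
</hostscript>
</host>
</nmaprun>
"""


def open_services(xml_text):
    """Return {(ip, port): label} for open ports.  method="probed" means -sV
    matched a fingerprint; method="table" means Nmap only looked the port number
    up in nmap-services (the '?' services in normal output), so it is unverified."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is not None and svc.get("method") == "probed":
                label = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            else:
                name = svc.get("name") if svc is not None else "unknown"
                label = f"{name}? (unverified)"
            result[(ip, int(port.get("portid")))] = label
    return result


# (script id, substring of its output, finding text): the triage rules of this example.
RULES = [
    ("smb2-security-mode", "not required", "SMB2 signing not required: NTLM relay possible"),
    ("smb-security-mode", "message_signing: disabled", "SMB1 signing disabled"),
    ("http-methods", "Potentially risky methods", "risky HTTP methods enabled"),
]


def findings(xml_text):
    """Apply RULES to every port-level and host-level script output.
    Returns a sorted list of (ip, port_or_None, finding); None means host-level."""
    root = ET.fromstring(xml_text)
    out = []
    for host in root.iter("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        scoped = [(int(p.get("portid")), s) for p in host.iter("port") for s in p.findall("script")]
        hs = host.find("hostscript")
        scoped += [(None, s) for s in (hs.findall("script") if hs is not None else [])]
        for port, script in scoped:
            for sid, needle, text in RULES:
                if script.get("id") == sid and needle in script.get("output", ""):
                    out.append((ip, port, text))
    return sorted(out, key=lambda f: (f[0], f[1] or 0, f[2]))


if __name__ == "__main__":
    for (ip, port), label in sorted(open_services(SAMPLE_XML).items()):
        print(f"{ip}:{port}  {label}")
    for ip, port, text in findings(SAMPLE_XML):
        print(f"FINDING {ip}:{port if port else 'host'}  {text}")
```

Matching on the script's output attribute keeps the rules short and version-tolerant; the structured table elements under each script element are available when a rule needs an exact field. The same file can be fed to ndiff against a previous scan to see what changed.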