Kali information gathering ~ 0. HTTrack website copier <a href="http://www.cnblogs.com/dunitian/p/5061954.html" target="_blank">http://www.cnblogs.com/dunitian/p/5061954.html</a>
Kali information gathering ~ 1. Google hacking + GitHub hacking <a href="http://www.cnblogs.com/dunitian/p/5074765.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074765.html</a>
Kali information gathering ~ 2. whois: domain information <a href="http://www.cnblogs.com/dunitian/p/5074768.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074768.html</a>
Kali information gathering ~ 3. Subdomain series <a href="http://www.cnblogs.com/dunitian/p/5074772.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074772.html</a>
Kali information gathering ~ 4. DNS series <a href="http://www.cnblogs.com/dunitian/p/5074773.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074773.html</a>
Kali information gathering ~ 5. theHarvester: e-mail address harvester <a href="http://www.cnblogs.com/dunitian/p/5074776.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074776.html</a>
Kali information gathering ~ 6. dmitry: aggregated collection <a href="http://www.cnblogs.com/dunitian/p/5074777.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074777.html</a>
Kali information gathering ~ 7. fping: IP range scan <a href="http://www.cnblogs.com/dunitian/p/5074783.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074783.html</a>
Kali information gathering ~ 8. nmap: port scan <a href="http://www.cnblogs.com/dunitian/p/5074784.html" target="_blank">http://www.cnblogs.com/dunitian/p/5074784.html</a>
Parameters: (Zenmap is the graphical front end for nmap; if you would rather not type commands, you can use it directly)
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
Offline download: http://pan.baidu.com/s/1deizdjv
Usage: (the "common" forms are quicker; the "full" forms are more thorough but slower [what makes them slow is mainly that they scan every port])
OS identification: (a first look; explained in detail further down)
nmap -O -Pn <ip address>
TCP connect scan: the most reliable of the port scans; performs the full TCP three-way handshake
Common: nmap -sT -Pn <ip address>
Full: nmap -sT -p- -Pn <ip address>
-sT TCP connect scan (-s => which scan type? => T: TCP connect)
-p- scan all ports (without it, nmap scans the 1000 most common ports by default)
-Pn disable nmap's host discovery and assume every host is up
Batch scan, e.g.: nmap -sT -p- -Pn 192.168.1.1-254
SYN scan: the most widely used port scan; only the first two steps of the TCP handshake (half-open "stealth" scan, fast)
Common: nmap -sS -Pn <ip address>
Full: nmap -sS -p- -Pn <ip address>
-sS (-s => which scan type? S => SYN)
UDP scan: (DHCP, DNS, SNMP, TFTP and others all run over UDP)
Common: nmap -sU <ip address>
Full: nmap -sUV <ip address>
U => UDP, V => version info (-sV adds version detection to the UDP scan)
No -Pn here (think of it from UDP's point of view: once you have sent, you are done, whether or not anything was received)
Xmas scan: RFC documents describe a system's technical details; with the RFC in hand, one may be able to find weaknesses in the system, and that is exactly the idea behind the Xmas and Null scans. Xmas scans are generally more effective against Unix or Linux systems.
Common: nmap -sX -Pn <ip address>
Full: nmap -sX -p- -Pn <ip address>
Null scan: the opposite of the Xmas scan; sends packets with no flags set. An open port returns nothing, while a closed port returns an RST packet.
Common: nmap -sN -Pn <ip address>
Full: nmap -sN -p- -Pn <ip address>
Tip: while a scan is running, press d to show debug information; press any other key (x, for instance) to show the current progress as xx.xx%
Null scan and Xmas scan
If the target system follows the TCP RFC, nmap can determine the state of its ports while initiating the connection, without ever completing it. (PS: neither the Xmas nor the Null scan establishes any kind of communication channel; the purpose of the scan is simply to determine which ports are open or closed.)
Other scan options
-sV version detection
-iL batch scan the IPs listed in a file
-F: fast mode - scan fewer ports (a subset of the default port list)
-v more detailed output (use -vv or more for an even greater effect)
-A enable OS detection, version detection, script scanning, etc.
-T timing (slowest 0 - fastest 5): slow down to avoid detection, speed up if you are pressed for time
Practice: (commands commonly used during a penetration test)
① Quick scan
root@kali:~# nmap -T4 -F 192.168.169.105
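As an added example (not code from the original post), the following Python detector applies the probe patterns described above from the defender's side: nmap's Xmas scan sets FIN, PSH and URG, the Null scan sets no flags at all, and a SYN scan sends bare SYNs, so one source touching many ports on one host with those signatures is a sweep. The packet records are constructed, and the port threshold is an assumed tuning value.

```python
"""Detect Null, Xmas and SYN port sweeps from TCP flag patterns.

Added example, not code from the original post. It reads constructed
packet records (src, dst, dst_port, tcp_flags) and raises an alert when
one source probes many ports on a host with the signature of each scan.
"""
from collections import defaultdict

# TCP flag bits in header order (the same values tcpdump and Scapy use)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Map a probe's flag byte to the nmap scan type that sends it, or None."""
    if flags == 0:
        return "null"                  # -sN: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                  # -sX: FIN, PSH and URG "lit up"
    if flags == SYN:
        return "syn"                   # -sS (also the first packet of -sT)
    return None                        # ACK, PSH|ACK, SYN|ACK ... normal traffic

def detect_scans(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_ip, dst_port, flags) for inbound TCP.

    Returns {(src, dst, kind): distinct_ports} for every (source, host, scan
    type) that probed at least port_threshold distinct ports. A lone SYN is
    a normal connection attempt; a fan-out across many ports is a sweep.
    """
    seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            seen[(src, dst, kind)].add(dport)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= port_threshold}

# Constructed sample traffic: one Xmas sweep, one SYN sweep, some normal sessions.
SAMPLE_PACKETS = (
    [("10.0.0.9", "192.168.1.20", p, FIN | PSH | URG) for p in range(20, 40)]
    + [("10.0.0.9", "192.168.1.20", p, SYN) for p in (22, 80, 443)]   # below threshold
    + [("10.0.0.7", "192.168.1.20", p, SYN) for p in range(1, 101)]
    + [("10.0.0.5", "192.168.1.20", 443, SYN), ("10.0.0.5", "192.168.1.20", 443, ACK)]
    + [("10.0.0.5", "192.168.1.20", 443, PSH | ACK)] * 50              # one busy session
)

if __name__ == "__main__":
    for (src, dst, kind), n in sorted(detect_scans(SAMPLE_PACKETS).items()):
        print(f"ALERT {kind} sweep from {src} against {dst}: {n} distinct ports")
```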
Nmap scan report for 192.168.169.105
Host is up (1.7s latency).
Not shown: 92 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
444/tcp open snpp
445/tcp open microsoft-ds
514/tcp filtered shell
1433/tcp open ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
② Fast SYN scan: (only two steps of the TCP handshake, stealthy)
root@kali:~# nmap -sS -T4 -A -v cnblogs.com
NSE: Loaded 122 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:00
Completed NSE at 17:00, 0.00s elapsed
Initiating Ping Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [4 ports]
Completed Ping Scan at 17:00, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:00
Completed Parallel DNS resolution of 1 host. at 17:00, 2.01s elapsed
Initiating SYN Stealth Scan at 17:00
Scanning cnblogs.com (42.121.252.58) [1000 ports]
Discovered open port 443/tcp on 42.121.252.58
Discovered open port 80/tcp on 42.121.252.58
Increasing send delay for 42.121.252.58 from 0 to 5 due to 11 out of 20 dropped probes since last increase.
Increasing send delay for 42.121.252.58 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Completed SYN Stealth Scan at 17:01, 84.92s elapsed (1000 total ports)
Initiating Service scan at 17:01
Scanning 2 services on cnblogs.com (42.121.252.58)
Completed Service scan at 17:01, 5.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against cnblogs.com (42.121.252.58)
Retrying OS detection (try #2) against cnblogs.com (42.121.252.58)
WARNING: OS didn't match until try #2
Initiating Traceroute at 17:01
Completed Traceroute at 17:01, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:01
Completed Parallel DNS resolution of 2 hosts. at 17:01, 0.15s elapsed
NSE: Script scanning 42.121.252.58.
Initiating NSE at 17:01
Completed NSE at 17:02, 6.16s elapsed
Initiating NSE at 17:02
Completed NSE at 17:02, 0.00s elapsed
Nmap scan report for cnblogs.com (42.121.252.58)
Host is up (0.0048s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
|_http-favicon: Unknown favicon MD5: cdd795c4b3e1ed39250a6b1b1db89e73
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-title: \xe5\x8d\x9a\xe5\xae\xa2\xe5\x9b\xad - \xe5\xbc\x80\xe5\x8f\x91\xe8\x80\x85\xe7\x9a\x84\xe7\xbd\x91\xe4\xb8\x8a\xe5\xae\xb6\xe5\x9b\xad
443/tcp open tcpwrapped
| http-cisco-anyconnect:
|_ ERROR: Not a Cisco ASA or unsupported version
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.cnblogs.com
| Issuer: commonName=Go Daddy Secure Certificate Authority - G2/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2015-09-28T08:12:38
| Not valid after: 2016-07-27T12:31:38
| MD5: 9b12 efe2 1f0c 7967 ca7c fe14 2a13 a200
|_SHA-1: 29dd 13c4 11cd e03b de35 cad9 60ac e7e6 52de 8c44
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec Linux, Linux 2.4.X|3.X
OS CPE: cpe:/o:actiontec:linux_kernel cpe:/o:linux:linux_kernel:2.4 cpe:/o:linux:linux_kernel:3
OS details: Actiontec MI424WR-GEN3I WAP, DD-WRT v24-sp2 (Linux 2.4.37), Linux 3.2
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.04 ms 192.168.232.2
2 0.04 ms 42.121.252.58
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 108.48 seconds
Raw packets sent: 3196 (145.286KB) | Rcvd: 195 (9.170KB)
③ Fast UDP scan
root@kali:~# nmap -sU -v 192.168.169.105
Initiating Ping Scan at 19:20
Scanning 192.168.169.105 [4 ports]
Completed Ping Scan at 19:20, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:20
Completed Parallel DNS resolution of 1 host. at 19:20, 2.01s elapsed
Initiating UDP Scan at 19:20
Scanning 192.168.169.105 [1000 ports]
Discovered open port 137/udp on 192.168.169.105
Completed UDP Scan at 19:20, 23.11s elapsed (1000 total ports)
Host is up (0.0013s latency).
Not shown: 998 open|filtered ports
137/udp open netbios-ns
4500/udp closed nat-t-ike
Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
Raw packets sent: 3006 (86.660KB) | Rcvd: 32 (1.654KB)
④ Fast scan (no ping)
root@kali:~# nmap -T4 -A -v -Pn 192.168.169.105
Initiating NSE at 09:52
Completed NSE at 09:52, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:52
Completed Parallel DNS resolution of 1 host. at 09:52, 8.18s elapsed
Initiating SYN Stealth Scan at 09:52
Discovered open port 80/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 0 to 5 due to 11 out of 15 dropped probes since last increase.
Discovered open port 443/tcp on 192.168.169.105
Discovered open port 135/tcp on 192.168.169.105
Discovered open port 139/tcp on 192.168.169.105
Discovered open port 445/tcp on 192.168.169.105
Increasing send delay for 192.168.169.105 from 5 to 10 due to max_successful_tryno increase to 5
Warning: 192.168.169.105 giving up on port because retransmission cap hit (6).
SYN Stealth Scan Timing: About 8.99% done; ETC: 09:58 (0:05:14 remaining)
SYN Stealth Scan Timing: About 14.66% done; ETC: 09:59 (0:05:55 remaining)
SYN Stealth Scan Timing: About 22.24% done; ETC: 09:59 (0:05:18 remaining)
SYN Stealth Scan Timing: About 29.91% done; ETC: 09:59 (0:04:43 remaining)
Discovered open port 1433/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 37.97% done; ETC: 09:59 (0:04:07 remaining)
Discovered open port 444/tcp on 192.168.169.105
Discovered open port 2383/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 54.17% done; ETC: 09:58 (0:02:33 remaining)
Discovered open port 2179/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 76.10% done; ETC: 09:57 (0:01:06 remaining)
Discovered open port 912/tcp on 192.168.169.105
Discovered open port 902/tcp on 192.168.169.105
Completed SYN Stealth Scan at 09:57, 318.66s elapsed (1000 total ports)
Initiating Service scan at 09:57
Scanning 11 services on 192.168.169.105
Completed Service scan at 09:58, 33.60s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 192.168.169.105
Initiating Traceroute at 09:58
Completed Traceroute at 09:58, 1.01s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:58
Completed Parallel DNS resolution of 2 hosts. at 09:58, 0.05s elapsed
NSE: Script scanning 192.168.169.105.
Initiating NSE at 09:58
Completed NSE at 09:58, 13.23s elapsed
Completed NSE at 09:58, 0.00s elapsed
Host is up (0.59s latency).
Not shown: 979 closed ports
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
| Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
443/tcp open ssl/http Apache httpd
| http-auth:
| HTTP/1.1 401 Authorization Required
|_ Basic realm=VisualSVN Server
|_http-methods: No Allow or Public header in OPTIONS response (status code 401)
|_http-server-header: Apache
|_http-title: 401 Authorization Required
| ssl-cert: Subject: commonName=DESKTOP-PTACRF6
| Issuer: commonName=DESKTOP-PTACRF6
| Not valid before: 2015-12-06T14:04:50
| Not valid after: 2025-12-03T14:04:50
| MD5: c707 0eb2 71d6 5178 6687 9d2f 5594 dc01
|_SHA-1: de83 b92f ad7d e0d0 125a 2f88 99d9 c741 6b51 bdcf
444/tcp open ssl/http VMware VirtualCenter Web service
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text; charset=plain).
| ssl-cert: Subject: commonName=VMware/countryName=US
| Issuer: commonName=VMware/countryName=US
| Not valid before: 2015-12-06T15:04:18
| Not valid after: 2016-12-05T15:04:18
| MD5: 6634 afe2 c934 e412 653c ee79 8fbe c64f
|_SHA-1: da6f aaeb 31b4 51a8 73b6 403a 728d c0e5 a1e9 7c08
445/tcp open microsoft-ds (primary domain: WORKGROUP)
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1198/tcp filtered cajo-discovery
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.4100.00; SP1+
1641/tcp filtered invision
2179/tcp open vmrdp?
2383/tcp open ms-olap4?
2717/tcp filtered pn-requester
2998/tcp filtered iss-realsec
3814/tcp filtered neto-dcs
5950/tcp filtered unknown
9944/tcp filtered unknown
10003/tcp filtered documentum_s
44176/tcp filtered unknown
Device type: general purpose
Running: Microsoft Windows 7|2012|XP
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows 7 or Windows Server 2012, Microsoft Windows XP SP3
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DESKTOP-PTACRF6; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
Host script results:
| ms-sql-info:
| 192.168.169.105:1433:
| Version:
| Service pack level: SP1
| Post-SP patches applied: true
| name: Microsoft SQL Server 2014 SP1+
| number: 12.00.4100.00
| Product: Microsoft SQL Server 2014
|_ TCP port: 1433
| nbstat: NetBIOS name: DESKTOP-PTACRF6, NetBIOS user: <unknown>, NetBIOS MAC: ac:b5:7d:18:93:b9 (Liteon Technology)
| Names:
| DESKTOP-PTACRF6<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ DESKTOP-PTACRF6<20> Flags: <unique><active>
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE (using port 587/tcp)
1 0.37 ms 192.168.232.2
2 1000.57 ms 192.168.169.105
Nmap done: 1 IP address (1 host up) scanned in 382.58 seconds
Raw packets sent: 3582 (159.270KB) | Rcvd: 3259 (130.738KB)
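As an added example (not code from the original post), here is a small Python parser for the normal-format output shown above, so that a defender can keep scan results for their own hosts in structured form and flag weak settings such as SMB signing disabled or the HTTP TRACE method being enabled. SAMPLE is constructed, modelled on the output of scan ④.

```python
# Added example (not the original post's code): parser for the normal-format Nmap
# output shown above. SAMPLE is constructed, modelled on the output of scan 4.
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)\s*(.*)$")

@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)     # raw NSE lines under this row

def parse_nmap_output(text):
    """Return one dict per host: ip, ports, not_shown, host_scripts."""
    hosts, cur, last_port, in_host_scripts = [], None, None, False
    for line in text.splitlines():
        if m := HOST_RE.match(line):                 # a new host section begins
            cur = {"ip": m["ip"] or m["name"], "ports": [], "not_shown": {}, "host_scripts": []}
            hosts.append(cur)
            last_port, in_host_scripts = None, False
        elif cur is None:
            continue                                 # preamble before the first report
        elif m := NOT_SHOWN_RE.match(line):
            cur["not_shown"][m[2]] = int(m[1])
        elif m := PORT_RE.match(line):
            last_port = Port(int(m[1]), m[2], m[3], m[4], m[5].strip())
            cur["ports"].append(last_port)
            in_host_scripts = False
        elif line.startswith("Host script results:"):
            in_host_scripts = True
        elif line.startswith("|"):                   # NSE output attaches to the row above
            if in_host_scripts:
                cur["host_scripts"].append(line)
            elif last_port is not None:
                last_port.scripts.append(line)
    return hosts

def open_ports(host):
    return [p.number for p in host["ports"] if p.state == "open"]

def weak_findings(host):
    """Flag two defender-relevant conditions visible in the NSE output above."""
    findings = []
    for p in host["ports"]:
        for s in p.scripts:
            if "Potentially risky methods:" in s:
                findings.append(f"{p.number}/{p.proto}: risky HTTP methods ({s.split(':', 1)[1].strip()})")
    if any("message_signing: disabled" in s for s in host["host_scripts"]):
        findings.append("SMB message signing disabled")
    return findings

SAMPLE = """\
Nmap scan report for 192.168.169.105
Not shown: 979 closed ports
PORT      STATE    SERVICE        VERSION
80/tcp    open     http           Microsoft IIS httpd 10.0
| http-methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
1198/tcp  filtered cajo-discovery
1433/tcp  open     ms-sql-s       Microsoft SQL Server 2014 12.00.4100.00; SP1+
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""
```

Feed it the text of an -oN file (or nmap's stdout) and diff open_ports() between two runs to spot services that appeared since the last scan.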
⑤ Quick scan, enhanced
root@kali:~# nmap -sV -T4 -O -F --version-light 192.168.169.105
Host is up (0.31s latency).
1433/tcp open ms-sql-s Microsoft SQL Server 2014
Nmap done: 1 IP address (1 host up) scanned in 47.93 seconds
⑥ SYN scan of all ports
[Some administrators put services on unusual ports; only a full-port scan turns up the interesting stuff]
root@kali:~# nmap -sS -p- -T4 -A -v 192.168.169.105
Initiating NSE at 09:07
Completed NSE at 09:07, 0.00s elapsed
Initiating Ping Scan at 09:07
Completed Ping Scan at 09:07, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:07
Completed Parallel DNS resolution of 1 host. at 09:07, 0.06s elapsed
Initiating SYN Stealth Scan at 09:07
Scanning 192.168.169.105 [65535 ports]
Increasing send delay for 192.168.169.105 from 0 to 5 due to 45 out of 112 dropped probes since last increase.
Increasing send delay for 192.168.169.105 from 5 to 10 due to 397 out of 991 dropped probes since last increase.
SYN Stealth Scan Timing: About 5.11% done; ETC: 09:18 (0:09:35 remaining)
SYN Stealth Scan Timing: About 8.41% done; ETC: 09:43 (0:32:52 remaining)
SYN Stealth Scan Timing: About 8.89% done; ETC: 09:47 (0:36:03 remaining)
Discovered open port 1549/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 14.17% done; ETC: 10:19 (1:01:18 remaining)
SYN Stealth Scan Timing: About 14.89% done; ETC: 10:24 (1:04:57 remaining)
SYN Stealth Scan Timing: About 15.50% done; ETC: 10:29 (1:08:46 remaining)
Discovered open port 1539/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 16.79% done; ETC: 10:35 (1:12:56 remaining)
SYN Stealth Scan Timing: About 17.95% done; ETC: 10:42 (1:17:19 remaining)
SYN Stealth Scan Timing: About 19.25% done; ETC: 10:49 (1:22:05 remaining)
SYN Stealth Scan Timing: About 20.88% done; ETC: 10:58 (1:27:13 remaining)
Discovered open port 1553/tcp on 192.168.169.105
SYN Stealth Scan Timing: About 22.52% done; ETC: 11:07 (1:32:45 remaining)
SYN Stealth Scan Timing: About 23.78% done; ETC: 11:17 (1:38:46 remaining)
Stats: 0:36:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.11% done; ETC: 11:28 (1:43:32 remaining)
Stats: 0:36:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 26.12% done; ETC: 11:28 (1:43:36 remaining)
…… this one takes quite a while, so the rest of the output is omitted ……
⑦ The ultimate move: comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" 192.168.169.105
NSE: Loaded 243 scripts for scanning.
Initiating NSE at 12:28
NSE: [mtrace] A source IP must be provided through fromip argument.
Completed NSE at 12:28, 10.50s elapsed
Completed NSE at 12:28, 0.00s elapsed
Pre-scan script results:
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-igmp-discovery:
| 192.168.232.1
| Interface: eth0
| Version: 2
| Group: 224.0.0.251
| Description: mDNS
| Group: 224.0.0.252
| Description: Link-local Multicast Name Resolution (rfc4795)
| Group: 239.255.255.250
| Description: Organization-Local Scope (rfc2365)
|_ Use the newtargets script-arg to add the results as targets
| broadcast-ping:
| IP: 192.168.232.2 MAC: 00:50:56:f5:1a:80
|_ Use --script-args=newtargets to add the results as targets
| http-icloud-findmyiphone:
|_ ERROR: No username or password was supplied
| http-icloud-sendmsg:
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
Initiating Ping Scan at 12:28
Scanning 192.168.169.105 [7 ports]
Completed Ping Scan at 12:28, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:28
Completed Parallel DNS resolution of 1 host. at 12:28, 0.04s elapsed
Initiating SYN Stealth Scan at 12:28