
Nmap usage manual: host discovery, fingerprinting and probing, information gathering, saving scans


Nmap: the Network Mapper - Free Security Scanner


https://nmap.org/

Contents

Nmap host discovery

A simple scan

1. Ping scan

2. No-ping scan

3. TCP SYN ping scan

4. TCP ACK ping scan

5. ARP ping scan

6. Scanning an IPv6 address

7. Traceroute

8. Timing templates

Fingerprinting and probing

1. Version detection

2. Aggressive (all-in-one) scan

3. Version detection on all ports

4. OS detection

5. IP spoofing with decoys

Information gathering

1. Retrieving SMB information

2. Checking for a vulnerability

3. Script path

Saving scans

1. Normal output

2. XML output (recommended)

Nmap host discovery

A simple scan

With no options, Nmap first checks whether the host is up and then, when run as root, SYN-scans the 1000 most commonly used TCP ports (the 16 open ports below plus "Not shown: 984 closed tcp ports" add up to exactly that). Use -p to choose the ports yourself, for example -p 80,443,3389, -p 1-1024, or -p- for all 65535 TCP ports.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap 192.168.3.75                         
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 15:30 CST
Nmap scan report for 192.168.3.75
Host is up (0.00027s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
           

1. Ping scan

-sP (lowercase s, uppercase P). This is the old name of the option; current Nmap spells it -sn and still accepts -sP as an alias. It performs host discovery only and skips the port scan.

When scanning many hosts, press the space bar (or any key that is not one of Nmap's interactive toggles such as v, d or p) to print the current progress.

┌──(root㉿vm-suanlunce)-[~]
└─# nmap  -sP 192.168.3.1/24 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 15:34 CST
Nmap scan report for 192.168.3.1
Host is up (0.00042s latency).
MAC Address: F8:AF:05:28:F8:A8 (Huawei Device)
Nmap scan report for 192.168.3.2
Host is up (0.00011s latency).
MAC Address: 00:D8:61:77:B4:7A (Micro-star Intl)
Nmap scan report for 192.168.3.75
Host is up (0.00014s latency).
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Nmap scan report for 192.168.3.119
Host is up (0.000089s latency).
MAC Address: 00:0C:29:72:98:97 (VMware)
Nmap scan report for 192.168.3.136
Host is up (0.10s latency).
MAC Address: 38:F9:D3:2D:FA:59 (Apple)
Nmap scan report for 192.168.3.127
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.38 seconds
           

On a local Ethernet segment Nmap discovers hosts with ARP requests, which is why every host in the report above carries a MAC address and vendor. For targets beyond the local network it sends the default ping probes instead: an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (the raw-packet probes require root).

2. No-ping scan

-P0 (uppercase P followed by the digit zero, not the letter o). Current Nmap spells this option -Pn; -P0 and -PN are the older spellings.

A no-ping scan is used when a firewall blocks ping: Nmap skips host discovery, treats every target as up and port-scans it directly, so it can still find running machines that never answer a ping. The cost is that on a large range every address is port-scanned, including the ones that are really down, so the scan is much slower.

A plain ping could not tell whether 192.168.3.2 was alive; that host drops every probe, which is also why all 1000 of its ports show as filtered in the ARP scan below.

3. TCP SYN ping scan

The -PS option sends an empty TCP packet with the SYN flag set, to port 80 by default; a port list can be appended without a space, for example -PS22,80,443. Either reply proves the host is up: a SYN/ACK (port open) or a RST (port closed).

4. TCP ACK ping scan

The -PA option performs a TCP ACK ping. It works like the TCP SYN ping (same default port 80, same -PA22,80 port-list syntax); the only difference is that the TCP flag set is ACK instead of SYN. An unsolicited ACK makes the host answer with a RST, which is what proves it is up. This gets through stateless firewalls that only filter incoming SYNs, while stateful firewalls drop it, so -PS and -PA are often combined.

5. ARP ping scan

The -PR option is normally used when scanning a local network. ARP (Address Resolution Protocol) is the TCP/IP protocol that maps an IP address to a hardware (MAC) address: the host broadcasts an ARP request to every host on the segment, receives the reply that names the MAC address of the target IP, and stores the IP-to-MAC pair in its local ARP cache so that later lookups are answered from the cache.

An ARP ping scan is Nmap resolving each target's address over ARP. On a local network this is the most effective discovery method: a host must answer ARP to communicate at all, and host firewalls do not block ARP requests, so it is both faster and more reliable than any of the IP-level ping probes. Nmap already uses it by default for targets on the local Ethernet segment (even when other -P options are given); -PR forces it, and --disable-arp-ping turns it off. Because the command below has no -sn, the hosts it found were also port-scanned.

┌──(root㉿vm-suanlunce)-[~]
└─# nmap -PR 192.168.3.1-100       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:11 CST
Nmap scan report for 192.168.3.1
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
MAC Address: F8:AF:05:28:F8:A8 (Huawei Device)

Nmap scan report for 192.168.3.2
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.3.2 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:D8:61:77:B4:7A (Micro-star Intl)

Nmap scan report for 192.168.3.75
Host is up (0.00080s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Nmap done: 100 IP addresses (3 hosts up) scanned in 5.44 seconds
           

6. Scanning an IPv6 address

IPv6 targets are scanned with the -6 option, followed by the IPv6 address or a hostname that resolves to one; the usual scan types such as -sS, -sV and -O work over IPv6.

7. Traceroute

The --traceroute option adds a route trace to the scan (the single-dash spelling -traceroute used below is accepted by Nmap's option parser as well). It shows which network nodes lie between the local machine and the target and the round-trip time to each of them, which helps in understanding the path a scan takes. Nmap runs the trace after the port scan so that it can use a protocol and port it already knows the target answers (here "using port 443/tcp"); runs of hops that did not reply are collapsed, as in "4 ... 7".
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -traceroute -v www.baidu.com
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:24 CST
Initiating Ping Scan at 16:24
Scanning www.baidu.com (14.215.177.38) [4 ports]
Completed Ping Scan at 16:24, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:24
Completed Parallel DNS resolution of 1 host. at 16:24, 2.01s elapsed
Initiating SYN Stealth Scan at 16:24
Scanning www.baidu.com (14.215.177.38) [1000 ports]
Discovered open port 443/tcp on 14.215.177.38
Discovered open port 80/tcp on 14.215.177.38
Completed SYN Stealth Scan at 16:24, 11.82s elapsed (1000 total ports)
Initiating Traceroute at 16:24
Completed Traceroute at 16:24, 3.02s elapsed
Initiating Parallel DNS resolution of 5 hosts. at 16:24
Completed Parallel DNS resolution of 5 hosts. at 16:24, 2.02s elapsed
Nmap scan report for www.baidu.com (14.215.177.38)
Host is up (0.031s latency).
Other addresses for www.baidu.com (not scanned): 14.215.177.39
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   1.27 ms  192.168.3.1
2   3.09 ms  192.168.1.1
3   17.80 ms 10.0.0.1
4   ... 7
8   33.11 ms 106.96.135.219.broad.fs.gd.dynamic.163data.com.cn (219.135.96.106)
9   ... 10
11  27.54 ms 14.215.177.38

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.12 seconds
           Raw packets sent: 3033 (133.428KB) | Rcvd: 17 (844B)
           

8. Timing templates

The -T option selects a timing template, numbered 0 to 5:

-T0 (paranoid): extremely slow; probes are sent one at a time with five minutes between them, for IDS evasion.

-T1 (sneaky): slow, 15 seconds between probes, also for IDS evasion.

-T2 (polite): serializes probes and waits 0.4 s between them to reduce bandwidth use and load on the target; rarely needed.

-T3 (normal): the default; timing adapts to how the target responds.

-T4 (aggressive): fast scanning, the most commonly used setting; it assumes a fast and reliable network, and the request rate can overwhelm a target.

-T5 (insane): fastest; it trades accuracy for speed and may miss ports on slow or lossy networks.

Fingerprinting and probing

1. Version detection

The -sV option enables version detection. It is not a different kind of port scan: Nmap first port-scans as usual, then for every open port sends the probes defined in nmap-service-probes and matches the responses against that file's match signatures to identify the service, its product name and version, and sometimes the host name or OS (collected in the Service Info line). A trailing question mark, as in rtsp? and ssl/ms-wbt-server? below, means the port answered but no signature matched, so the name shown is only the guess from Nmap's port-number table.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -sV 192.168.3.75  
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:45 CST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 43.75% done; ETC: 16:47 (0:00:58 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00036s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.05 seconds
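To make the mechanism concrete, the following added example (not from the original post, and not Nmap's own engine) implements the core of what -sV does in Python: parse match lines written in the nmap-service-probes syntax, run each regex over a banner, fill $1-style back-references into the product/version/info templates, and fall back to the port-table name plus a question mark when nothing matches. The two match lines, the port table and the three banners are constructed for the example; Nmap's real database uses PCRE and adds probe definitions, rarity and softmatch handling that are left out here.

```python
"""Miniature version of how `nmap -sV` turns a banner into the VERSION column.

Added example, not Nmap's own code. The match lines, port table and banners
below are constructed for illustration in the nmap-service-probes syntax:
  match <service> m<delim><regex><delim>[flags] p/<product>/ v/<version>/ i/<info>/ o/<os>/
"""
import re

# Constructed `match` lines (not copied from Nmap's real database).
MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d\d\d [^\r\n]*\r\n(?:[^\r\n]*\r\n)*?Server: Microsoft-IIS/([\d.]+)\r\n|s p/Microsoft IIS httpd/ v/$1/ o/Windows/",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/",
]

# Constructed subset of nmap-services: the name Nmap prints when no fingerprint matched.
PORT_TABLE = {22: "ssh", 80: "http", 554: "rtsp", 3389: "ms-wbt-server"}

FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")  # simplified: assumes no escaped '/' inside a field


def parse_match(line):
    """Parse one `match` line into (service, compiled regex, {field: template})."""
    m = MATCH_RE.match(line)
    if m is None:
        raise ValueError(f"not a match line: {line!r}")
    service, _delim, pattern, flags, rest = m.groups()
    reflags = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    fields = {FIELD_NAMES[k]: v for k, v in FIELD_RE.findall(rest)}
    return service, re.compile(pattern, reflags), fields


MATCHES = [parse_match(line) for line in MATCH_LINES]


def expand(template, hit):
    """Replace $1, $2, ... in a version-field template with the regex groups."""
    return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", template)


def fingerprint(banner, matches=MATCHES):
    """First `match` whose regex fires wins, as in Nmap; None if nothing fires."""
    for service, regex, fields in matches:
        hit = regex.search(banner)
        if hit:
            return {"service": service, **{k: expand(v, hit) for k, v in fields.items()}}
    return None


def version_column(port, banner):
    """Render the SERVICE and VERSION text `nmap -sV` prints for one open port.

    A trailing '?' means the service name came from the port table, not a fingerprint.
    """
    fp = fingerprint(banner)
    if fp is None:
        return PORT_TABLE.get(port, "unknown") + "?", ""
    version = " ".join(fp[k] for k in ("product", "version") if k in fp)
    if "info" in fp:
        version += f" ({fp['info']})"
    return fp["service"], version


# Constructed banners standing in for what the probes would read back from the sockets.
IIS_BANNER = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
              "Server: Microsoft-IIS/8.5\r\nContent-Length: 0\r\n\r\n")
SSH_BANNER = "SSH-2.0-OpenSSH_9.1p1 Debian-2\r\n"
RTSP_BANNER = "RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"  # no match line covers it -> "rtsp?"

if __name__ == "__main__":
    for port, banner in ((80, IIS_BANNER), (22, SSH_BANNER), (554, RTSP_BANNER)):
        service, version = version_column(port, banner)
        print(f"{port}/tcp open  {service:<18} {version}")
```

The RTSP case reproduces the "rtsp?" seen in the scan output: the port is open and talks, but without a matching signature Nmap can only report the port-table name. Adding a match line for that protocol is exactly what a submission to https://nmap.org/submit/ does.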
           

2. Aggressive (all-in-one) scan

The -A option turns on OS detection (-O), version detection (-sV), the default NSE script set (-sC) and --traceroute in one go. It is noisy but gives the fullest picture. Things worth noting in the output below: http-methods flags TRACE as enabled on IIS, http-robots.txt lists two disallowed paths that deserve a closer look, rdp-ntlm-info and smb-os-discovery leak the computer name and exact build (6.3.9600), and smb-security-mode reports SMB message signing disabled (and for SMB2 "enabled but not required"), which is the condition that makes SMB relay attacks possible.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -A 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:50 CST
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 43.75% done; ETC: 16:51 (0:00:50 remaining)
Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.95% done; ETC: 16:53 (0:00:00 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00028s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: 404 - \xD5\xD2\xB2\xBB\xB5\xBD\xCE\xC4\xBC\xFE\xBB\xF2\xC4\xBF\xC2\xBC\xA1\xA3
|_http-server-header: Microsoft-IIS/8.5
| http-robots.txt: 2 disallowed entries 
|_/admineu/ /editor/
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 8.1 Enterprise 9600 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp  open  ssl/ms-wbt-server?
|_ssl-date: 2023-01-02T08:53:26+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: SUANLUNCEWIN8
|   NetBIOS_Domain_Name: SUANLUNCEWIN8
|   NetBIOS_Computer_Name: SUANLUNCEWIN8
|   DNS_Domain_Name: suanlunceWIN8
|   DNS_Computer_Name: suanlunceWIN8
|   Product_Version: 6.3.9600
|_  System_Time: 2023-01-02T08:52:24+00:00
| ssl-cert: Subject: commonName=suanlunceWIN8
| Not valid before: 2022-12-29T08:57:33
|_Not valid after:  2023-06-30T08:57:33
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
10243/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-01-02T08:52:23
|_  start_date: 2023-01-02T05:43:36
|_clock-skew: mean: -1h36m00s, deviation: 3h34m38s, median: -1s
|_nbstat: NetBIOS name: SUANLUNCEWIN8, NetBIOS user: <unknown>, NetBIOS MAC: 000c29d2acc6 (VMware)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   302: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 8.1 Enterprise 9600 (Windows 8.1 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_8.1::-
|   Computer name: suanlunceWIN8
|   NetBIOS computer name: SUANLUNCEWIN8\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-02T16:52:24+08:00

TRACEROUTE
HOP RTT     ADDRESS
1   0.28 ms 192.168.3.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.70 seconds
           

3. Version detection on all ports

The --allports option makes version detection probe every open port. By default Nmap's version probes skip TCP port 9100 (the HP JetDirect printer port, listed in the Exclude directive of nmap-service-probes), because many printers print whatever is sent to them; --allports removes that exclusion. It does not change which ports are port-scanned: the run below still covers only the default 1000 ports, and scanning all 65535 requires -p-.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -sV --allports 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:55 CST
Stats: 0:01:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.69% done; ETC: 16:57 (0:00:00 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 96.88% done; ETC: 16:57 (0:00:00 remaining)
Nmap scan report for 192.168.3.75
Host is up (0.00088s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Microsoft IIS httpd 8.5
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp   open  rtsp?
2869/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49163/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Service Info: Host: SUANLUNCEWIN8; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.92 seconds
           

4. OS detection

-O (uppercase letter O, not the digit 0 or lowercase o). OS detection compares the target's TCP/IP stack behaviour against Nmap's fingerprint database; it works best when the target has at least one open and one closed TCP port, and the result can be a family-level match like the one below (Windows 7 / Server 2008 / 8 / 8.1) rather than an exact version. The output also reports the network distance in hops.
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -O 192.168.3.75            
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 16:59 CST
Nmap scan report for 192.168.3.75
Host is up (0.00023s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds
           

5. IP spoofing with decoys

The -D option performs a decoy scan. Nmap sends each probe from the decoy addresses as well as from its own, so the target (and its IDS) sees the same scan arriving from every address in the list and cannot tell which source is real; this can get around simple source-based blocking and hides the scanner in the crowd. It does not make the real address disappear: it is still one of the sources, and the ME token fixes its position in the list (without ME, Nmap places it at a random position).

Several decoys can be given as a comma-separated list, or RND:20 asks Nmap to generate 20 random decoy addresses:

nmap -D 192.168.3.1,192.168.3.2,192.168.3.4 192.168.3.75

nmap -D RND:20 192.168.3.75

Caveats from the Nmap documentation: decoy hosts should be up, otherwise the spoofed traffic can accidentally SYN-flood the target; decoys are not used by version detection (-sV) or the TCP connect scan (-sT); and upstream routers with egress filtering may drop the spoofed packets. Against a target on the same Ethernet segment, as in the examples below, the decoy frames still carry the scanner's own MAC address, so at layer 2 nothing is hidden.

┌──(root㉿vm-suanlunce)-[~]
└─# nmap -D 111.111.111.111 192.168.3.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:06 CST
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 6.63 seconds
                                                               
           
┌──(root㉿vm-suanlunce)-[~]
└─# nmap -D RND:99  192.168.3.75 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:09 CST
Nmap scan report for 192.168.3.75
Host is up (0.0017s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.67 seconds
           

Information gathering

1. Retrieving SMB information

The --script option runs NSE scripts. smb-os-discovery talks to the SMB service on 445/tcp (or 139/tcp) and returns the OS, computer name, workgroup and system time. The .nse suffix is optional, and because no -p is given the default 1000-port scan runs first; adding -p 139,445 keeps the run short.

┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-os-discovery.nse 192.168.3.75 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:26 CST
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).
Not shown: 984 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49163/tcp open  unknown
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Host script results:
| smb-os-discovery: 
|   OS: Windows 8.1 Enterprise 9600 (Windows 8.1 Enterprise 6.3)
|   OS CPE: cpe:/o:microsoft:windows_8.1::-
|   Computer name: suanlunceWIN8
|   NetBIOS computer name: SUANLUNCEWIN8\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-01-02T17:27:08+08:00

Nmap done: 1 IP address (1 host up) scanned in 18.75 seconds
           

2. Checking for a vulnerability

The smb-vuln-* scripts test a host for specific SMB vulnerabilities; the one below checks 192.168.3.119 for MS08-067 (CVE-2008-4250). Scripts in the vuln category are often also in the intrusive category and can disturb or crash the service they test, so read nmap --script-help smb-vuln-ms08-067 first and run them only against systems you are allowed to disrupt. --script vuln runs the whole category.

┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-vuln-ms08-067.nse 192.168.3.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:28 CST
Nmap scan report for 192.168.3.119
Host is up (0.000094s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
82/tcp   open  xfer
84/tcp   open  ctf
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1067/tcp open  instl_boots
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)

Host script results:
| smb-vuln-ms08-067: 
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|           
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Nmap done: 1 IP address (1 host up) scanned in 1.57 seconds
           

3. Script path

More scripts

All bundled scripts live in /usr/share/nmap/scripts (indexed by script.db in the same directory; run nmap --script-updatedb after adding one, and nmap --script-help <name> to read a script's description and categories). The example below runs smb-brute against 445/tcp only. It is a password-guessing script, so it can trigger account lockout on hardened targets; here it finds that a blank password is valid for administrator and guest, both of which are disabled.

┌──(root㉿vm-suanlunce)-[/]
└─# nmap --script smb-brute.nse 192.168.3.75 -p 445 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:35 CST
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.3.75
Host is up (0.00022s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D2:AC:C6 (VMware)

Host script results:
| smb-brute: 
|   administrator:<blank> => Valid credentials, account disabled
|_  guest:<blank> => Valid credentials, account disabled

Nmap done: 1 IP address (1 host up) scanned in 24.81 seconds
           

Saving scans

1. Normal output

-oN writes the same text you see on the terminal to a file. Related options: -oG for the grepable one-line-per-host format, -oX for XML, and -oA basename to write all three at once.

┌──(root㉿vm-suanlunce)-[~]
└─# nmap   -oN nmap_scan.txt 192.168.3.119  
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:42 CST
Nmap scan report for 192.168.3.119
Host is up (0.000065s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
82/tcp   open  xfer
84/tcp   open  ctf
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1067/tcp open  instl_boots
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
           

2. XML output (recommended)

┌──(root㉿vm-suanlunce)-[~]
└─# nmap -oX  nmap_scan.xml 192.168.3.119
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 17:44 CST
Nmap scan report for 192.168.3.119
Host is up (0.000065s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE SERVICE
82/tcp   open  xfer
84/tcp   open  ctf
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1067/tcp open  instl_boots
3389/tcp open  ms-wbt-server
MAC Address: 00:0C:29:72:98:97 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds
           

The XML file can be turned into an HTML report with xsltproc, for example xsltproc -o nmap_scan.html nmap_scan.xml: the XML written by Nmap carries an xml-stylesheet processing instruction pointing at the bundled nmap.xsl, which xsltproc follows by default (--webxml at scan time makes it reference the copy on nmap.org instead). XML is the format to keep because other tools consume it: ndiff, shipped with Nmap, diffs two XML scans to show what changed between runs, and the structure is straightforward to parse.
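The practical reason to recommend XML is that it is machine-readable. The following added example (not from the original post, and not Nmap project code) parses a constructed Nmap XML excerpt with Python's standard library and pulls out what a practitioner acts on first: open ports with service and version, an SMB signing mode that is not enforced, and a VULNERABLE verdict from a vuln script. The XML sample, the element and attribute names it relies on and the review wording are modelled on Nmap's output format; the review function and its note strings are this example's own.

```python
"""Extract actionable findings from Nmap XML output (-oX).

Added example, not code from the original post or from the Nmap project.
SAMPLE_XML is a constructed excerpt in the layout Nmap writes
(nmaprun > host > status/address/ports/port/state/service, and
hostscript > script > table/elem); its values echo the scans shown on the
page but were typed by hand, so treat them as sample data.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -sC -oX nmap_scan.xml 192.168.3.75" version="7.93">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.3.75" addrtype="ipv4"/>
<address addr="00:0C:29:D2:AC:C6" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft IIS httpd" version="8.5"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" tunnel="ssl"/></port>
<port protocol="tcp" portid="9100"><state state="closed" reason="reset"/></port>
</ports>
<hostscript>
<script id="smb2-security-mode" output="Message signing enabled but not required">
<table key="302"><elem>Message signing enabled but not required</elem></table></script>
<script id="smb-vuln-ms08-067" output="VULNERABLE">
<table key="CVE-2008-4250"><elem key="state">VULNERABLE</elem></table></script>
</hostscript>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.3.76" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that is up: address, open ports, host-script results."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts only appear in verbose output; skip them either way
        ipv4 = host.find("address[@addrtype='ipv4']")
        ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                "tunnel": attrs.get("tunnel"),  # "ssl" when Nmap saw TLS in front of the service
                "product": " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v),
            })
        hosts.append({
            "addr": ipv4.get("addr") if ipv4 is not None else None,
            "ports": ports,
            # host-script results keyed by script id (port scripts live under <port>, not here)
            "scripts": {s.get("id"): s for s in host.iterfind("hostscript/script")},
        })
    return hosts


def vuln_state(script):
    """State reported by a vuln-library script ("VULNERABLE", "NOT VULNERABLE", ...), or None."""
    for elem in script.iter("elem"):
        if elem.get("key") == "state":
            return elem.text
    return None


# Phrases smb-security-mode / smb2-security-mode use when signing is not enforced.
SMB_SIGNING_WEAK = ("not required", "disabled")


def review(host):
    """Turn one parsed host into a list of one-line findings."""
    notes = []
    for p in host["ports"]:
        name = f"{p['tunnel']}/{p['service']}" if p["tunnel"] else p["service"]
        line = f"{p['port']}/{p['proto']} {name}"
        if p["product"]:
            line += f" ({p['product']})"
        notes.append(line)
    for sid in ("smb-security-mode", "smb2-security-mode"):
        script = host["scripts"].get(sid)
        if script is not None and any(w in script.get("output", "") for w in SMB_SIGNING_WEAK):
            notes.append(f"{sid}: signing not enforced (NTLM relay exposure)")
    for sid, script in host["scripts"].items():
        if vuln_state(script) == "VULNERABLE":
            notes.append(f"{sid}: VULNERABLE")
    return notes


if __name__ == "__main__":
    for host in parse_hosts(SAMPLE_XML):
        print(host["addr"])
        for note in review(host):
            print("  " + note)
```

Point the same code at a real file with ET.parse("nmap_scan.xml").getroot() in place of fromstring; the element names are unchanged. For tracking changes between two scans over time, ndiff on the two XML files does the comparison without any code.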
