Port scanning with Metasploit in Kali Linux 2016.2 (Rolling)

      The port-scanning techniques in common use today fall into a few classes: TCP Connect, TCP SYN, TCP ACK and TCP FIN.

    Port scanners in Metasploit

      Metasploit's auxiliary modules include several practical port scanners. Run the search portscan command to list them, as follows:

    root@kali:~# msfconsole
    ......
    
    
    
    msf > search portscan
    
    Matching Modules
    ================
    
       Name                                              Disclosure Date  Rank    Description
       ----                                              ---------------  ----    -----------
       auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator
       auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner
       auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
       auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
       auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
       auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
       auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner
       auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner
    
    
    msf > 

     Using the ack scan module in Metasploit

    msf > use auxiliary/scanner/portscan/ack    
    msf auxiliary(ack) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(ack) > set THREADS 20
    THREADS => 20
    msf auxiliary(ack) > run

    Using the ftpbounce scan module in Metasploit

    msf > use auxiliary/scanner/portscan/ftpbounce
    msf auxiliary(ftpbounce) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(ftpbounce) > set THREADS 20
    THREADS => 20
    msf auxiliary(ftpbounce) > run
    [-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST.
    msf auxiliary(ftpbounce) > 

    Using the tcp scan module in Metasploit

    msf > use auxiliary/scanner/portscan/tcp
    msf auxiliary(tcp) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(tcp) > set THREADS 20
    THREADS => 20
    msf auxiliary(tcp) > run
    
    [*] 202.193.58.13:        - 202.193.58.13:25 - TCP OPEN
    [*] 202.193.58.13:        - 202.193.58.13:22 - TCP OPEN
    [*] 202.193.58.13:        - 202.193.58.13:21 - TCP OPEN
    [*] 202.193.58.13:        - 202.193.58.13:23 - TCP OPEN

    Using the xmas scan module in Metasploit

    msf > use auxiliary/scanner/portscan/xmas
    msf auxiliary(xmas) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(xmas) > set THREADS 20
    THREADS => 20
    msf auxiliary(xmas) > run
    
    [*]  TCP OPEN|FILTERED 202.193.58.13:1
    [*]  TCP OPEN|FILTERED 202.193.58.13:2
    [*]  TCP OPEN|FILTERED 202.193.58.13:3
    [*]  TCP OPEN|FILTERED 202.193.58.13:4
    [*]  TCP OPEN|FILTERED 202.193.58.13:5
    [*]  TCP OPEN|FILTERED 202.193.58.13:6
    [*]  TCP OPEN|FILTERED 202.193.58.13:7
    [*]  TCP OPEN|FILTERED 202.193.58.13:8
    [*]  TCP OPEN|FILTERED 202.193.58.13:9
    [*]  TCP OPEN|FILTERED 202.193.58.13:10
    [*]  TCP OPEN|FILTERED 202.193.58.13:11
    [*]  TCP OPEN|FILTERED 202.193.58.13:12
    [*]  TCP OPEN|FILTERED 202.193.58.13:13
    [*]  TCP OPEN|FILTERED 202.193.58.13:14
    [*]  TCP OPEN|FILTERED 202.193.58.13:15
    [*]  TCP OPEN|FILTERED 202.193.58.13:16
    [*]  TCP OPEN|FILTERED 202.193.58.13:17
    [*]  TCP OPEN|FILTERED 202.193.58.13:18
    [*]  TCP OPEN|FILTERED 202.193.58.13:19
    [*]  TCP OPEN|FILTERED 202.193.58.13:20
    [*]  TCP OPEN|FILTERED 202.193.58.13:21
    [*]  TCP OPEN|FILTERED 202.193.58.13:22
    [*]  TCP OPEN|FILTERED 202.193.58.13:23
    [*]  TCP OPEN|FILTERED 202.193.58.13:24
    [*]  TCP OPEN|FILTERED 202.193.58.13:25
    [*]  TCP OPEN|FILTERED 202.193.58.13:26
    [*]  TCP OPEN|FILTERED 202.193.58.13:27
    [*]  TCP OPEN|FILTERED 202.193.58.13:28
    [*]  TCP OPEN|FILTERED 202.193.58.13:29
    [*]  TCP OPEN|FILTERED 202.193.58.13:30
    [*]  TCP OPEN|FILTERED 202.193.58.13:31
    [*]  TCP OPEN|FILTERED 202.193.58.13:32
    [*]  TCP OPEN|FILTERED 202.193.58.13:33
    [*]  TCP OPEN|FILTERED 202.193.58.13:34
    [*]  TCP OPEN|FILTERED 202.193.58.13:35
    [*]  TCP OPEN|FILTERED 202.193.58.13:36
    [*]  TCP OPEN|FILTERED 202.193.58.13:37
    [*]  TCP OPEN|FILTERED 202.193.58.13:38
    [*]  TCP OPEN|FILTERED 202.193.58.13:39
    [*]  TCP OPEN|FILTERED 202.193.58.13:40
    [*]  TCP OPEN|FILTERED 202.193.58.13:41
    [*]  TCP OPEN|FILTERED 202.193.58.13:42
    [*]  TCP OPEN|FILTERED 202.193.58.13:43
    [*]  TCP OPEN|FILTERED 202.193.58.13:44
    [*]  TCP OPEN|FILTERED 202.193.58.13:45
    [*]  TCP OPEN|FILTERED 202.193.58.13:46
    [*]  TCP OPEN|FILTERED 202.193.58.13:47
    [*]  TCP OPEN|FILTERED 202.193.58.13:48
    [*]  TCP OPEN|FILTERED 202.193.58.13:49

    Using the syn scan module in Metasploit

      In general the syn port scanner is the recommended one, because it scans quickly, its results are accurate, and it is not easily noticed by the other side. Below is the scan result against the gateway server (Ubuntu Metasploitable) host; it can be seen that it basically agrees with Nmap's result. As follows:

    msf > use auxiliary/scanner/portscan/syn
    msf auxiliary(syn) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(syn) > set THREADS 20
    THREADS => 20
    msf auxiliary(syn) > run
    
    [*]  TCP OPEN 202.193.58.13:21
    [*]  TCP OPEN 202.193.58.13:22
    [*]  TCP OPEN 202.193.58.13:23
    [*]  TCP OPEN 202.193.58.13:25
    [*]  TCP OPEN 202.193.58.13:53
    [*]  TCP OPEN 202.193.58.13:80
    [*]  TCP OPEN 202.193.58.13:111
    [*]  TCP OPEN 202.193.58.13:139
    [*]  TCP OPEN 202.193.58.13:445
    [*]  TCP OPEN 202.193.58.13:512
    [*]  TCP OPEN 202.193.58.13:513

       Of course, you can also scan the host shown below.

    Using the sap_router_portscanner scan module in Metasploit

    msf > use  auxiliary/scanner/sap/sap_router_portscanner
    msf auxiliary(sap_router_portscanner) > set RHOSTS 202.193.58.13
    RHOSTS => 202.193.58.13
    msf auxiliary(sap_router_portscanner) > set THREADS 20
    THREADS => 20
    msf auxiliary(sap_router_portscanner) > run
    [-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: RHOST, TARGETS.
    msf auxiliary(sap_router_portscanner) > 




    Nmap can also be used from within Metasploit

    Common nmap scan-type options:

      -sT: TCP connect scan

      -sS: TCP SYN scan

      -sF/-sX/-sN: send probes with particular flag combinations (the FIN, Xmas and Null scans) to evade detection by devices or software

      -sP: ICMP scan

      -sU: probe which UDP ports the target host has open

      -sA: TCP ACK scan

    Scan options:

      -Pn: do not send an ICMP echo request to test whether the target is alive before scanning

      -O: identify the operating system and related information

      -F: fast scan mode

      -p<port range>: specify the range of ports to scan

    msf auxiliary(syn) > nmap -sS -Pn 202.193.58.13
    [*] exec: nmap -sS -Pn 202.193.58.13
    
    
    Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:17 CST
    Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
    Host is up (0.0014s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    5432/tcp open  postgresql
    5900/tcp open  vnc
    6000/tcp open  X11
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 84:AD:58:82:49:5C (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
    msf auxiliary(syn) >


    msf auxiliary(syn) > nmap -sV -Pn 202.193.58.13
    [*] exec: nmap -sV -Pn 202.193.58.13
    
    
    Starting Nmap 7.31 ( https://nmap.org ) at 2017-05-17 22:18 CST
    Nmap scan report for 13.58.193.202.in-addr.arpa (202.193.58.13)
    Host is up (0.0016s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE       VERSION
    21/tcp   open  ftp           vsftpd 2.3.4
    22/tcp   open  ssh           OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp   open  telnet        Linux telnetd
    25/tcp   open  smtp          Postfix smtpd
    53/tcp   open  domain?
    80/tcp   open  http?
    111/tcp  open  rpcbind?
    139/tcp  open  netbios-ssn?
    445/tcp  open  microsoft-ds?
    512/tcp  open  exec          netkit-rsh rexecd
    513/tcp  open  login?
    514/tcp  open  shell         Netkit rshd
    1099/tcp open  rmiregistry?
    1524/tcp open  shell         Metasploitable root shell
    2049/tcp open  nfs?
    2121/tcp open  ccproxy-ftp?
    3306/tcp open  mysql         MySQL 5.0.51a-3ubuntu5
    5432/tcp open  postgresql?
    5900/tcp open  vnc           VNC (protocol 3.3)
    6000/tcp open  X11?
    6667/tcp open  irc           Unreal ircd
    8009/tcp open  ajp13?
    8180/tcp open  unknown
    MAC Address: 84:AD:58:82:49:5C (Unknown)
    Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.50 seconds
    msf auxiliary(syn) > 
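An added example, not part of the original post, that parses the three output layouts quoted above (portscan/tcp, portscan/syn and xmas, and the nmap PORT/STATE/SERVICE table) and reconciles the syn module's OPEN ports against nmap's. The sample text is reassembled from the results on this page, and the xmas module's OPEN|FILTERED state is treated as unresolved rather than open.

```python
"""Parse the msfconsole and nmap outputs quoted on this page and reconcile which ports each reports OPEN."""
import re
from typing import Dict, Set, Tuple

# Line layouts of the scanners quoted above (portscan/tcp prints the host twice).
MSF_TCP = re.compile(r"\[\*\]\s+\S+\s+-\s+(\S+):(\d+)\s+-\s+TCP\s+(\S+)")  # portscan/tcp
MSF_RAW = re.compile(r"\[\*\]\s+TCP\s+(\S+)\s+(\S+):(\d+)")                 # portscan/syn, xmas
NMAP = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")                            # nmap table row
# Sample input assembled from the scan results shown above (same host).
MSF_SYN_OUT = "\n".join(f"[*]  TCP OPEN 202.193.58.13:{p}"
                        for p in (21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513))
MSF_XMAS_OUT = "[*]  TCP OPEN|FILTERED 202.193.58.13:1\n[*]  TCP OPEN|FILTERED 202.193.58.13:2"
NMAP_OUT = "PORT     STATE SERVICE\n" + "".join(f"{p}/tcp open {s}\n" for p, s in [
    (21, "ftp"), (22, "ssh"), (23, "telnet"), (25, "smtp"), (53, "domain"), (80, "http"),
    (111, "rpcbind"), (139, "netbios-ssn"), (445, "microsoft-ds"), (512, "exec"),
    (513, "login"), (514, "shell"), (1099, "rmiregistry"), (1524, "ingreslock"),
    (2049, "nfs"), (2121, "ccproxy-ftp"), (3306, "mysql"), (5432, "postgresql"),
    (5900, "vnc"), (6000, "X11"), (6667, "irc"), (8009, "ajp13"), (8180, "unknown")])

def parse_msf(text: str) -> Dict[int, str]:
    """Port -> state from msfconsole scanner output, in either line layout."""
    ports: Dict[int, str] = {}
    for line in text.splitlines():
        if m := MSF_TCP.search(line):
            ports[int(m.group(2))] = m.group(3)
        elif m := MSF_RAW.search(line):
            ports[int(m.group(3))] = m.group(1)
    return ports

def parse_nmap(text: str) -> Dict[int, str]:
    """Port -> state (upper-cased to match msf) from an nmap PORT/STATE/SERVICE table."""
    rows = (NMAP.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): m.group(2).upper() for m in rows if m}

def reconcile(a: Dict[int, str], b: Dict[int, str]) -> Tuple[Set[int], Set[int]]:
    """Return (ports only `a` calls OPEN, ports only `b` calls OPEN).  OPEN|FILTERED
    from the xmas module is deliberately not counted as open: a missing RST cannot
    tell an open port from a dropped probe, so only a SYN or connect scan settles it."""
    open_a = {p for p, s in a.items() if s == "OPEN"}
    open_b = {p for p, s in b.items() if s == "OPEN"}
    return open_a - open_b, open_b - open_a

def compare_page_results() -> Tuple[Set[int], Set[int]]:
    """Reconcile the syn module's output above against the nmap -sS output."""
    return reconcile(parse_msf(MSF_SYN_OUT), parse_nmap(NMAP_OUT))

if __name__ == "__main__":
    only_msf, only_nmap = compare_page_results()
    print("OPEN only in msf syn:", sorted(only_msf), "| only in nmap:", sorted(only_nmap))
```

Run stand-alone it lists the twelve ports that appear in the nmap table but not in the syn module output quoted above, which is the quickest way to see where two scanners' views of the same host diverge.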

       Now compare this with the following.

    Nmap port scanning in Kali 2.0 Linux

      Of course, you can also scan the host shown below.

Original article: https://www.cnblogs.com/zlslch/p/6869737.html