nmap和nc扫描工具

1  使用nmap和nc探测服务器信息-使用curl 查看web服务器类型

2  在centos6系统下进行提权

3  实战-通过tcpdump抓包解决服务器被黑上不了网的问题

.1.1  安装nmap命令

1、nmap概述：nmap是一个网络探测和安全扫描程序，系统管理者和个人可以使用这个软件扫描大型的网络，获取那台主机正在运行以及提供什么服务等信息。nmap支持很多扫描技术，例如：UDP、TCP connect()、TCP SYN(半开扫描)、ftp代理(bounce攻击)、反向标志、ICMP、FIN、ACK扫描、圣诞树(Xmas Tree)、SYN扫描和null扫描。还可以探测操作系统类型。

[root@k9 ~]# yum install nmap -y

1.2 nmap 的使用

使用nmap扫描本机

[root@k9 ~]# nmap 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:38 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql

使用nmap扫描局域网其他服务器

[root@k9 ~]# nmap -v 192.168.1.94

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:45 CST
Initiating ARP Ping Scan at 23:45
Scanning 192.168.1.94 [1 port]
Completed ARP Ping Scan at 23:45, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:45
Completed Parallel DNS resolution of 1 host. at 23:45, 13.01s elapsed
Initiating SYN Stealth Scan at 23:45
Scanning 192.168.1.94 [1000 ports]
Discovered open port 3306/tcp on 192.168.1.94
Discovered open port 80/tcp on 192.168.1.94
Discovered open port 22/tcp on 192.168.1.94
Completed SYN Stealth Scan at 23:45, 0.09s elapsed (1000 total ports)
Nmap scan report for 192.168.1.94
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:85:54:01 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040

扫描一个范围： 端口1-65535

[root@k9 ~]# nmap -p 1-65535 192.168.1.94

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-17 23:49 CST
Nmap scan report for 192.168.1.94
Host is up (0.00018s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:85:54:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 19.12 seconds

 lsof -i :22    #查看22端口正在被哪个进程使用

 

Unknown operation 'statu'.
[root@k9 ~]# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 789 root 3u IPv4 20503 0t0 TCP *:ssh (LISTEN)
sshd 789 root 4u IPv6 20512 0t0 TCP *:ssh (LISTEN)
sshd 1463 root 3u IPv4 21558 0t0 TCP k9:ssh->192.168.1.9:51177 (ESTABLISHED

通ps命令查找对应的进程文件：

[root@k9 ~]# ps -aux |grep 1463
root 1463 0.0 0.2 160888 5588 ? Ss Sep17 0:00 sshd: root@pts/0

注：看到进程的文件的路径是/usr/sbin/sshd 。如果没有看到此命令的具体执行路径，说明此木马进程可以在bash终端下直接执行，通过which和rpm -qf来查看命令的来源，如下：

[root@k9~]# which  vim

/usr/bin/vim

解决：

[root@k9 ~]# kill -9 1463

总结：这个思路主要用于找出黑客监听的后门端口和木马存放的路径。

扫描一台机器：查看此服务器开放的端口号和操作系统类型。

[root@k9 ~]# nmap -sS -O www.baidu.com

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 01:26 CST
Nmap scan report for www.baidu.com (39.156.66.14)
Host is up (0.043s latency).
Other addresses for www.baidu.com (not scanned): 39.156.66.18
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING): HP embedded (86%)
OS CPE: cpe:/h:hp:procurve_switch_4000m
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.55 seconds

参数说明：

-O： 显示出操作系统的类型。 每一种操作系统都有一个指纹。

-sS：半开扫描(half-open)

TCP同步扫描(TCP SYN)：因为不必全部打开一个TCP连接，所以这项技术通常称为半开扫描(half-open)。你可以发出一个TCP同步包(SYN)，然后等待回应。如果对方返回SYN|ACK(响应)包就表示目标端口正在监听；如果返回RST数据包，就表示目标端口没有监听程序；如果收到一个SYN|ACK包，源主机就会马上发出一个RST(复位)数据包断开和目标主机的连接，这实际上由我们的操作系统内核自动完成的。

总结：就是tcp三次握手，少发最一个ACK包。

测试自己的电脑（物理机）：

[root@k9 ~]# nmap -sS -O 192.168.1.9

Starting Nmap 6.40 ( http://nmap.org ) at 2019-09-18 01:30 CST
Nmap scan report for 192.168.1.9
Host is up (0.00050s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
443/tcp open https
902/tcp open iss-realsecure
912/tcp open apex-mesh
7070/tcp open realserver
MAC Address: 8C:A9:82:5A:3C:80 (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized
Running (JUST GUESSING): FreeBSD 6.X (89%), AVtech embedded (89%)
OS CPE: cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: FreeBSD 6.2-RELEASE (89%), FreeBSD 6.3-RELEASE (89%), AVtech Room Alert 26W environmental monitor (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.40 seconds

扫描一个网段中所有机器是什么类型的操作系统

[root@k9 ~]# nmap -sS -O 192.168.1.0/24

查找一些有特点的IP地址中，开启80端口的服务器。

[root@k9 ~]#  nmap  -v -p 80 192.168.1.1-100 

如何更隐藏的去扫描，频繁扫描会被屏蔽或者锁定IP地址。

--randomize_hosts  # 随机扫描

--scan-delay  #延时扫描,单位秒

（1）、随机扫描

[root@k9 ~]# nmap -v --randomize_hosts -p 80 192.168.1.1-10

Nmap scan report for 192.168.1.6 [host down]

Nmap scan report for 192.168.1.4 [host down]

Nmap scan report for 192.168.1.10 [host down]

Nmap scan report for 192.168.1.2 [host down]

Nmap scan report for 192.168.1.3 [host down]

Nmap scan report for 192.168.1.8 [host down]

Nmap scan report for 192.168.1.7 [host down]

Nmap scan report for 192.168.1.5 [host down]

（2）、随机扫描+延时扫描 ，默认单位秒

[root@k9 ~]# nmap -v --randomize_hosts --scan-delay 3000ms -p 80 192.168.1.1-10

1.2 使用curl查看web服务器类型

[root@k9 ~]# curl -I www.taobao.com

HTTP/1.1 301 Moved Permanently

Server: Tengine

Date: Tue, 17 Sep 2019 17:44:27 GMT

Content-Type: text/html

Content-Length: 278

Connection: keep-alive

Location: https://www.taobao.com/

Via: bcache2.cn2417[,0]

Timing-Allow-Origin: *

EagleId: b7de8e1615687422672211997e

nmap -sS -O 202.106.199.0/24