Use Nmap to scan system risk points

0x00 quickly learn about Nmap

Nmap is a tool for scanning target network information, which can be used by hackers to detect host information and collect intelligence artifacts. It can also be a good helper for operators to scan the network environment and discover the system vulnerabilities in time.

0x01 It's function

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150419/1429407123138187.png "title= "1429407123138187.png" alt= "1.png"/>

1, host Discovery #探测目标网络环境中有哪些主机是可以进行通信的, of course, you can also use the ping command to try

2, port scanning #扫描主机的端口, the corresponding service through the port to determine which applications the target host is running

3. Version Detection #使用各种特征来判断主机运行了哪些服务应用

4, operating system detection (OS detection) #通过特征来识别当前主机的系统版本, not only the computer, but also may be the routing switch

5, firewall/ids evade (firewall/ids evasion) #Nmap可以通过各种方法来规避目标防火墙的拦截, so as to achieve the purpose

6, NSE script engine (Nmap Scripting engine) #这是Nmap自带的扩展脚本, by loading the corresponding script to scan the target of what has been recorded in the scripts of the Vulnerabilities and weaknesses

0x02 Installing Nmap

1, can be in http://nmap.org/download.html This site to get the various versions of Nmap method.

2, if it is CentOS, you can use Yum to install NMAP, if it is Debian or Ubuntu, you can use Apt-get to install.

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429344382821126.png "title= "1429344382821126.png" alt= "1.png" style= "width:891px;height:430px;" height= "430" width= "891"/>

3, if you are using the Kali Linux or back track series, then there is no need to install, but the upgrade is still needed.

0X03 Host Discovery

1, probe the online situation of a single host: Nmap-sp <target ip>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429345005993339.png "title= "1429345005993339.png" alt= "1.png" style= "width:876px;height:172px;" height= "172" width= "876"/>

2, probe a network segment of the host online situation: NMAP-SP <network address > </cidr >

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429345447696080.png "title= "1429345447696080.png" alt= "1.png" style= "width:915px;height:342px;" height= "342" width= "915"/>

3, scan the custom IP range: nmap-sp <target ip-digital>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429348513677402.png "title= "1429348513677402.png" alt= "1.png"/>

0x04 Port Scan

1. Scan 100 Common host ports: Nmap-f <target ip>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429346235329607.png "title= "1429346235329607.png" alt= "1.png"/>

2. Custom Scan port:nmap-p<port1>-<port2> <target ip>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429346537213977.png "title= "1429346537213977.png" alt= "1.png" style= "WIDTH:863PX;HEIGHT:269PX;" height= "269" width= "863"/>

3. Self-defined continuous port scan: nmap-p (range) <target ip>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429346673548459.png "title= "1429346673548459.png" alt= "1.png"/>

4, the danger port of scanning system:

nmap -sT -sV -p 21,80,443,873,2601,2604,3128,4440,6082,6379,8000,8008,8080,8081,8090,8099,8088,8888,9000,9090,9200,11211,27017,28017 --max-hostgroup 10 --max-parallelism 10 --max-rtt-timeout 1000ms --host-timeout 800s --max-scan-delay 2000ms -iL iplist.txt -oN result/port.txt --open<target IP>

5, Port Status: Using Nmap to scan the port information, there will generally be 6 status information

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150419/1429407527886304.png "title= "1429407527886304.png" alt= "1.png"/>

1. Open: The port is open.

2. Closed: The port is off.

3. Filtered: The port is shielded by the firewall ids/ips and cannot determine its status.

4. Unfiltered: The port is not blocked, but it needs to be further determined if it is open.

5. Open|filtered: The port is open or blocked.

6. Closed|filtered: The port is closed or masked.

0x05 System and Service information scanning

1. Scanning system service and version information: Nmap-o <target ip>

650) this.width=650; "src=" Http://www.178linux.com/ueditor/php/upload/image/20150418/1429349131463743.png "title= "1429349131463743.png" alt= "1.png" style= "width:1108px;height:653px;" height= "653" width= "1108"/>

0x06 Firewall Escape

1. SOURCE IP spoofing: nmap-s <IP_Address> <target ip> #伪造一个IP, your real IP will not appear in the log of the firewall.

2. Source Port spoofing: Nmap--source-port <portnumber> <target ip> 

3. Source Mac Spoofing: Nmap–spoof-mac<mac address,prefix,or Vendor name><target ip>

4, Datagram segmented scan: nmap-f < designated mtu><target ip>

0X07 Scan Parameters

- a #进行全面的扫描, including port and host version detection, slower.

-ss #以SYN的方式进行扫描, the message reply to determine the port status, but does not establish a complete TCP connection, so relatively covert, and high efficiency, wide application range

-st #TCP扫描, if the other port cannot establish a TCP connection, it is determined to be off, but the scanning speed is slow, and will be recorded on the other host log, so it is not recommended to use

-su #UDP扫描, send a probe packet to the UDP port of the target host, if you receive the reply "ICMP Port unreachable" indicates that the port is closed and vice versa

0x08 Time Parameters

-t0 #非常非常慢的发包, used to evade ids/ips

-t1 #相当慢, used to evade firewalls, slightly faster than T0

-t2 #降低速度以消耗更小的带宽, 10 times times slower than the default

-t3 #默认选项, automatically adjusts the time pattern according to the target's response

-t4 #假定处在一个很好的网络环境, scan will be completed soon, or be discovered by the firewall

-t5 #非常快速的发包, probably missing some open ports

0x09 Common Dangerous ports

FTP main see whether to support Anonymous, can also run weak password
Web common web vulnerabilities and whether it is some management background
443 OpenSSL heart drops and some Web vulnerability tests
873 Rsync mainly depends on whether to support Anonymous, can also run weak password
2601,2604 Zebra Routing, default password zebra
3128 Squid Proxy default port, if not set the password is likely to directly roam the intranet
4440 Rundeck Reference Wooyun: Using Sina service to successfully roam Sina intranet
6082 Varnish reference wooyun:varnish HTTP accelerator CLI unauthorized access can easily cause the website to be tampered with directly or enter the intranet as a proxy
6379 Redis is generally not certified and can be accessed directly
8000-9090 are some common web ports, some operations like to put the management background on these non-80 ports
9200 elasticsearch Reference Wooyun: Play a server elasticsearch command execution vulnerability
11211 Memcache Unauthorized access
27017 MongoDB Unauthorized access
28017 MongoDB Statistics Page

This article is from the "Secure Operations" blog, so be sure to keep this source http://qiudays.blog.51cto.com/8910608/1638144

Use Nmap to scan system risk points