In this post we look at some of Nmap's more advanced usage: script scanning.
Nmap ships with a set of official scripts, which are normally stored under the following path:
/usr/share/nmap/scripts/
As the figure shows, this directory holds many files with the .nse suffix; these are the script files Nmap can run. We
--script=auth
# auth: scripts that deal with authentication credentials on the target
nmap --script=auth <IP address>
Output:
root@Hoime-Kali:/usr/share/nmap/scripts# nmap --script=auth 192.168.75.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 23:25 CST
Nmap scan report for 192.168.75.3
Host is up (0.00057s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
| gssapi-keyex
| gssapi-with-mic
|_ password
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
80/tcp open http
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
| http-vuln-cve2010-0738:
|_ /jmx-console/: Authentication was not required
443/tcp closed https
MAC Address: 00:0C:29:BB:4E:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 51.42 seconds
--script=default
# default: the default script set
nmap --script=default <IP address>
Output:
root@Hoime-Kali:/usr/share/nmap/scripts# nmap --script=default 192.168.75.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 23:32 CST
Nmap scan report for 192.168.75.3
Host is up (0.00045s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 72:f4:f3:6e:a6:f3:4b:42:e1:c8:5e:d2:ed:9b:6c:ea (RSA)
| 256 89:10:dc:40:16:68:cd:51:1c:f5:74:5e:a0:d9:2b:fe (ECDSA)
|_ 256 5b:cd:40:a3:d7:e1:3f:53:31:fa:35:0f:f5:0d:c1:16 (ED25519)
80/tcp open http
|_http-title: French - \xE4\xB8\xBA\xE6\x91\xA7\xE6\xAF\x81AI\xE8\x80\x8C\xE7\x94\x9F
443/tcp closed https
MAC Address: 00:0C:29:BB:4E:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 9.72 seconds
--script=fuzzer
# fuzzer: fuzzing; sends malformed packets to the target to surface potential vulnerabilities
nmap --script=fuzzer <IP address>
Output:
root@Hoime-Kali:/usr/share/nmap/scripts# nmap --script=fuzzer 192.168.75.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 23:34 CST
Nmap scan report for 192.168.75.3
Host is up (0.00057s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
MAC Address: 00:0C:29:BB:4E:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 11.79 seconds
--script=broadcast
# broadcast: discovers more services on the local network, such as DHCP, DNS and SQL Server
nmap --script=broadcast <IP address>
Output:
root@Hoime-Kali:/usr/share/nmap/scripts# nmap --script=broadcast 192.168.75.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 23:42 CST
too short
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
| broadcast-dhcp-discover:
| Response 1 of 1:
| IP Offered: 192.168.75.137
| Server Identifier: 192.168.75.254
| Subnet Mask: 255.255.255.0
| Router: 192.168.75.2
| Domain Name Server: 192.168.75.2
| Domain Name: localdomain
| Broadcast Address: 192.168.75.255
|_ NetBIOS Name Server: 192.168.75.2
| broadcast-dns-service-discovery:
| 224.0.0.251
| 47989/tcp nvstream_dbd
|_ Address=192.168.75.4 fe80::d5dc:c56e:fea:2ee
| broadcast-igmp-discovery:
| 192.168.75.4
| Interface: eth0
| Version: 2
| Group: 224.0.0.252
| Description: Link-local Multicast Name Resolution (rfc4795)
|_ Use the newtargets script-arg to add the results as targets
| broadcast-listener:
| ether
| EIGRP Hello
|
| ARP Request
| sender ip sender mac target ip
| 192.168.75.4 00:50:56:c0:00:08 192.168.75.2
| udp
| LLMNR
| ip query
| fe80::d5dc:c56e:fea:2ee DESKTOP-0LKS2M3
|_ 192.168.75.4 DESKTOP-0LKS2M3
|_eap-info: please specify an interface with -e
| ipv6-multicast-mld-list:
| fe80::a5a4:1b6d:da2:e9da:
| device: eth0
| mac: 00:0c:29:bb:4e:7c
| multicast_ips:
| ff02::1:ffa2:e9da (NDP Solicited-node)
| ff02::1:ff58:94d9 (Solicited-Node Address)
| ff02::1:ffa2:e9da (NDP Solicited-node)
| ff02::1:ff58:94d9 (Solicited-Node Address)
| ff02::1:ff58:94d9 (Solicited-Node Address)
| ff02::1:ff58:94d9 (Solicited-Node Address)
| ff02::1:ffa2:e9da (NDP Solicited-node)
| ff02::1:ffa2:e9da (NDP Solicited-node)
| ff02::1:ffa2:e9da (NDP Solicited-node)
| fe80::d5dc:c56e:fea:2ee:
| device: eth0
| mac: 00:50:56:c0:00:08
| multicast_ips:
| ff02::1:ffea:2ee (NDP Solicited-node)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:3 (Link-local Multicast Name Resolution)
| ff02::1:ffdd:a515 (Solicited-Node Address)
| ff02::fb (mDNSv6)
| ff02::1:ffdd:a515 (Solicited-Node Address)
|_ ff02::1:3 (Link-local Multicast Name Resolution)
| targets-ipv6-multicast-echo:
| IP: fe80::a5a4:1b6d:da2:e9da MAC: 00:0c:29:bb:4e:7c IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
| IP: fe80::a5a4:1b6d:da2:e9da MAC: 00:0c:29:bb:4e:7c IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-mld:
| IP: fe80::a5a4:1b6d:da2:e9da MAC: 00:0c:29:bb:4e:7c IFACE: eth0
| IP: fe80::d5dc:c56e:fea:2ee MAC: 00:50:56:c0:00:08 IFACE: eth0
|
|_ Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-slaac:
| IP: fe80::d5dc:c56e:fea:2ee MAC: 00:50:56:c0:00:08 IFACE: eth0
| IP: fe80::2191:2af6:76dd:a515 MAC: 00:50:56:c0:00:08 IFACE: eth0
| IP: fe80::50e2:d2f9:9558:94d9 MAC: 00:0c:29:bb:4e:7c IFACE: eth0
|_ Use --script-args=newtargets to add the results as targets
Nmap scan report for 192.168.75.3
Host is up (0.00039s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
MAC Address: 00:0C:29:BB:4E:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 45.64 seconds
--script=malware
# malware: checks whether the target host is infected with malware or has a backdoor open
nmap --script=malware <IP address>
Output:
root@Hoime-Kali:/usr/share/nmap/scripts# nmap --script=malware 192.168.75.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 23:48 CST
Nmap scan report for 192.168.75.3
Host is up (0.00060s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
MAC Address: 00:0C:29:BB:4E:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds
| Option | Description |
|---|---|
| --script=auth | Scripts that deal with authentication credentials on the target |
| --script=default | The default script set |
| --script=fuzzer | Fuzzing; sends malformed packets to the target to surface potential vulnerabilities |
| --script=broadcast | Discovers more services on the local network, such as DHCP, DNS and SQL Server |
| --script=malware | Checks whether the target host is infected with malware or has a backdoor open |
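Each `--script=<category>` run executes every script whose `categories = {...}` line names that category, and a script can sit in several categories at once (including "intrusive"), which the table above does not show. The following script is an added example, not code from the original post: it resolves a category to its scripts by reading those lines from the scripts directory named at the top of the post, and the sample .nse headers it creates are constructed stand-ins, not Nmap's real files.

```shell
#!/bin/sh
# Added example, not from the original post. Resolves an NSE category (auth,
# default, fuzzer, broadcast, malware, ...) to the scripts it contains by reading
# the `categories = {...}` line every .nse file carries, so you can see what a
# `--script=<category>` run will execute before pointing it at a host.
# Assumes the scripts directory layout from the post (/usr/share/nmap/scripts).

# Print the names of scripts in directory $1 whose category list contains $2.
nse_scripts_in_category() {
    pat="^categories[[:space:]]*=[[:space:]]*[{][^}]*\"$2\""
    grep -l -E "$pat" "$1"/*.nse 2>/dev/null | sed 's#.*/##; s#\.nse$##' | sort
}

# Print the scripts in category $2 that are ALSO tagged "intrusive": these may
# change state on the target or trip alarms, unlike scripts tagged "safe".
nse_intrusive_in_category() {
    for f in "$1"/*.nse; do
        line=$(grep -E '^categories[[:space:]]*=' "$f" 2>/dev/null || true)
        case "$line" in
            *"\"$2\""*) case "$line" in *'"intrusive"'*) basename "$f" .nse ;; esac ;;
        esac
    done | sort
}

# Constructed stand-in script headers (NOT Nmap's real files) so the example
# runs offline; real .nse files carry the same `categories = {...}` line.
make_sample_scripts() {
    d=$(mktemp -d)
    printf 'categories = {"auth", "safe"}\n'                 > "$d/ssh-auth-methods.nse"
    printf 'categories = {"auth", "intrusive"}\n'            > "$d/ssh-publickey-acceptance.nse"
    printf 'categories = {"auth", "intrusive"}\n'            > "$d/http-config-backup.nse"
    printf 'categories = {"default", "safe", "discovery"}\n' > "$d/ssh-hostkey.nse"
    printf 'categories = {"default", "discovery", "safe"}\n' > "$d/http-title.nse"
    printf 'categories = {"fuzzer", "intrusive"}\n'          > "$d/dns-fuzz.nse"
    echo "$d"
}

# Stand-alone demo: pass a real scripts directory as $1, otherwise the
# constructed samples are used.
dir=${1:-$(make_sample_scripts)}
echo "scripts in category auth:";  nse_scripts_in_category "$dir" auth
echo "intrusive among them:";      nse_intrusive_in_category "$dir" auth
```

Nmap answers the same question itself with `nmap --script-help=auth`, and its expression syntax, `--script "auth and safe"`, limits a run to a category's non-intrusive members.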