
What are the common instructions in nmap

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the commonly used nmap commands. Many people have questions about which nmap options are used day to day; the editor consulted a range of material and sorted it into simple, easy-to-use instructions. I hope it helps answer the question "what are the common instructions in nmap?". Please follow along.

Information collection starts from the ports.

Web: 80, 443

Testing a port by connecting to it with telnet is 100% accurate.

Outbound connectivity: the host is allowed to connect to external networks (the Internet); my machine can connect to other people's machines.

Nmap scan notes:

1. -sT is used less often and leaves a lot of log entries.

2. -sS requires root privileges; in most cases it is not recorded in the logs.

3. -p- scans all ports, 1-65535.

4. The default remote desktop port 3389 is usually assumed to have been changed to a higher port number.

5. -A scans are slow.

6. -Pn -A scans without the ping check, so a firewall that drops ping does not stop the scan.

7. ftp: anonymous login may be possible with `ftp <IP>`.

8. Intranet hosts tend to be heavily patched, so phishing is used instead.

9. Be careful about causing blue screens (crashes) in real engagements.

10. Script invocation: nmap -sS --script vuln

11. First bypass the CDN to find the real IP, then scan for script-detectable vulnerabilities with nmap.

Common script categories:

1. vuln

2. auth

3. brute

4. dos (not needed)

Scanning the C segment (x.x.x.0/24):

The C segment refers to the other servers in the same /24 of the private network. Each IPv4 address has four octets, A.B.C.D; for 192.168.0.1, A is 192, B is 168, C is 0 and D is 1. "C-segment sniffing" means compromising one of the servers in the same C segment, that is, one of the hosts whose D octet is in the range 1-255, and then using tools on that server to sniff the others.

TCP three-way handshake:

To establish a TCP connection, both sides of the communication must learn the following information from each other: [2]

1. The initial sequence number of the segments sent by the other side. [2]

2. The size of the other side's data buffer. [2]

3. The maximum segment size (MSS) the other side can receive. [2]

4. The TCP options the other side supports. [2]

In TCP, the two sides exchange this information through three TCP segments and establish the connection on that basis. This exchange of three segments is commonly known as the three-way handshake (Three-Way Handshake) of TCP connection establishment.

IIS:

Internet Information Services

HTTP Basic authentication:

Basic authentication is a relatively simple HTTP authentication scheme: the client sends the user name and password to the server in plaintext (Base64 encoded, which is not encryption). It therefore usually has to be combined with HTTPS to protect the credentials in transit.
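The following Python is an added example, not code from the original article. It builds a Basic `Authorization` header the way a client does (RFC 7617), then shows that anyone who can read the header (a proxy, a sniffer on a plaintext link, a log file) recovers the password by simply Base64-decoding it, and finishes with a policy check that only allows Basic credentials over HTTPS. The request text and the `admin:P@ssw0rd` credential are constructed for the example.

```python
import base64
import binascii
from urllib.parse import urlsplit


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: str):
    """Recover (username, password) from an Authorization header, or None if it is not Basic.

    Base64 is an encoding, not encryption: this is exactly why the page says Basic auth
    needs HTTPS underneath it.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None  # RFC 7617 requires the user-id ':' password form
    return username, password


def basic_auth_allowed(url: str) -> bool:
    """Policy check: only send Basic credentials over TLS (loopback allowed for local testing)."""
    parts = urlsplit(url)
    return parts.scheme == "https" or parts.hostname in ("localhost", "127.0.0.1")


# Constructed example of a request as it would appear on the wire over plain HTTP.
SAMPLE_REQUEST = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n"
    "\r\n"
)


def credentials_from_request(raw_request: str):
    """Pull the Authorization header out of a captured request and decode it."""
    for line in raw_request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return decode_basic_header(value)
    return None


if __name__ == "__main__":
    print(build_basic_header("admin", "P@ssw0rd"))
    print(credentials_from_request(SAMPLE_REQUEST))
    print("allowed over http:", basic_auth_allowed("http://intranet.example/admin"))
```

The check in `basic_auth_allowed` is the practical mitigation: a client library or reverse proxy that refuses to attach (or accept) a Basic header on a non-TLS URL removes the plaintext exposure the page warns about.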

Deserialization (scores high in hvv exercises):

VNC: remote control software

Redis: REmote DIctionary Server, an in-memory key-value store

SVN: version control system for multi-person development

Common port information and penetration methods:

| Port | Service / protocol | Possible uses of the port in penetration testing |
|---|---|---|
| tcp 21 | ftp (default data and command port) | anonymous upload/download, brute force, sniffing, Windows privilege escalation, remote execution (proftpd 1.3.5), various backdoors (proftpd, vsftpd 2.3.4) |
| tcp 22 | ssh [data encrypted in transit] | brute force based on the information collected; v1 can be man-in-the-middled; ssh tunnels and intranet proxy forwarding, file transfer, etc.; commonly used for Linux remote management |
| tcp 23 | telnet [plaintext] | brute force, sniffing; commonly used for router and switch logins; try weak passwords, may yield unexpected gains |
| tcp 25 | smtp [Simple Mail Transfer Protocol; enabled by default on most Linux distributions] | mail forgery; vrfy/expn to enumerate mail users, which smtp-user-enum automates |
| tcp/udp 53 | dns [domain name resolution] | zone transfer, dns hijacking, cache poisoning, spoofing, and various remote controls over dns tunnels |
| tcp/udp 69 | tftp [Trivial File Transfer Protocol, unauthenticated] | try to download the target's important configuration files |
| tcp 80-89, 443, 8440-8450, 8080-8089 | web [commonly used web service ports] | try the classic top n; OWA, webmail, the target's OA, various Java consoles, server web management panels, web middleware vulnerabilities, web framework vulnerabilities, etc. |
| tcp 110 | pop3 [Post Office Protocol; plaintext or encrypted] | brute force, sniffing |
| tcp 137, 139, 445 | samba/smb [file sharing between Windows and Linux; plaintext] | brute force, smb's own remote execution vulnerabilities such as ms08-067 and ms17-010, sniffing |
| tcp 143 | imap [plaintext or encrypted] | brute force |
| udp 161 | snmp [plaintext] | brute force default community strings to collect intranet information |
| tcp 389 | ldap [Lightweight Directory Access Protocol] | ldap injection, anonymous access, weak passwords |
| tcp 512, 513, 514 | linux rexec | brute force, rlogin login |
| tcp 873 | rsync backup service | anonymous access, file upload |
| tcp 1194 | openvpn | phish for an account, enter the intranet |
| tcp 1352 | Lotus Domino mail service | weak passwords, information disclosure, brute force |
| tcp 1433 | mssql database | injection, privilege escalation, sa weak password, brute force |
| tcp 1521 | oracle database | tns brute force, injection, getting a shell... |
| tcp 1500 | ispmanager host control panel | weak passwords |
| tcp 1025/111/2049 | nfs | improper permission configuration |
| tcp 1723 | pptp | brute force, phish for an account, enter the intranet |
| tcp 2082 | cpanel host management panel | weak login passwords |
| tcp 2181 | zookeeper | unauthorized access |
| tcp 2601, 2604 | zebra routing | default password zebra |
| tcp 3128 | squid proxy service | weak passwords |
| tcp 3312, 3311 | kangle host administration | weak login passwords |
| tcp 3306 | mysql database | injection, privilege escalation, brute force |
| tcp 3389 | windows rdp remote desktop | shift backdoor, brute force, ms12-020 [blue-screen exp] |
| tcp 4848 | glassfish console | weak passwords |
| tcp 4899 | radmin remote desktop management tool | grab passwords, expand to more machines |
| tcp 5000 | sybase/DB2 database | brute force, injection |
| tcp 5432 | postgresql database | brute force, injection, weak passwords |
| tcp 5632 | pcanywhere remote desktop management tool | grab passwords, code execution |
| tcp 5901, 5902 | vnc remote desktop management tool | weak password brute force; if information collection is inadequate the chance of success is very small |
| tcp 5984 | CouchDB | arbitrary command execution via unauthorized access |
| tcp 6379 | redis | unauthorized access, weak password brute force |
| tcp 7001, 7002 | weblogic console | java deserialization, weak passwords |
| tcp 7778 | kloxo host panel | login |
| tcp 8000 | Ajenti host control panel | weak passwords |
| tcp 8443 | plesk host control panel | weak passwords |
| tcp 8069 | zabbix | remote execution, sql injection |
| tcp 8080-8089 | Jenkins, jboss | deserialization, console weak passwords |
| tcp 9080-9081 | websphere console | java deserialization / weak passwords |
| tcp 9200, 9300 | elasticsearch | remote execution |
| tcp 10000 | webmin Linux host web control panel | weak login passwords |
| tcp 11211 | memcached | unauthorized access |
| tcp 27017, 27018 | mongodb | brute force, unauthorized access |
| tcp 3690 | svn service | svn leakage, unauthorized access |
| tcp 50000 | SAP Management Console | remote execution |
| tcp 50070, 50030 | hadoop | unauthorized access on the default ports |

1. Typical uses of Nmap:

Host discovery: identifies hosts on the network, for example by listing hosts that respond to TCP and/or ICMP requests or that have specific ports open.

Port scanning: enumerates the open ports on the target host.

Version detection: interrogates the network service on the remote device to determine the application name and version number.

OS detection: determines the operating system and hardware characteristics of network devices.

Vulnerability detection from software versions (Nmap scripts).

2. Description of common scanning parameters of Nmap

3. Nmap script categories

auth: scripts that handle authentication credentials (bypassing authentication, detecting weak passwords)

vuln: checks whether the target has common vulnerabilities (Vulnerability), such as MS08_067

brute: provides brute-force methods for common applications such as http/snmp

broadcast: probes for more services on the LAN, such as dhcp/dns/sqlserver

default: the scripts run by default with the -sC or -A options; provides basic script scanning capability

discovery: gathers further information on the network, such as SMB enumeration and SNMP queries

dos: used for denial-of-service attacks

exploit: exploits known vulnerabilities to get into the system

external: uses third-party databases or resources, such as whois lookups

fuzzer: fuzz-testing scripts that send abnormal packets to the target to detect potential vulnerabilities

intrusive: intrusive scripts that may trigger logging or blocking by the target's IDS/IPS

malware: checks whether the target is infected with malware, has a backdoor open, etc.

safe: the opposite of intrusive; scripts considered safe to run

version: scripts that enhance service and version scanning (Version Detection)

Examples:

-sP: perform a ping scan (print the hosts that respond to the ping scan, without further testing such as port scanning or operating system probing)

nmap -sP 192.168.3.0/24 (this command can be used to find which machines are on the LAN)

-sS: half-open scan (a TCP scan that does not complete the 3-way handshake)

The most frequently used scan option: the SYN scan, also called the half-open scan. It does not open a full TCP connection, so it executes quickly and efficiently (a complete TCP connection requires 3 handshake segments, while -sS does not complete them).

Advantages: Nmap sends SYN packets to the remote host but never creates a session, so the target host rarely logs the connection (which makes it harder for the other side to classify it as a scanning attack). It is fast and efficient and is the option used most often in practice.

Disadvantages: it requires root/administrator privileges to run.

nmap -sS -p 1-65535 192.168.3.16 (half-open scan of all ports on the target)

-sT: full 3-way-handshake TCP scan

Advantages: ordinary users can use it as well.

Disadvantages: this scan is easy to detect, and a large number of connection requests and error messages are recorded in the target host's logs. Because it has to complete a three-way handshake it is inefficient and slow, so -sS is recommended instead.
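As an added example (not code from the original article), the Python below models the TCP three-way handshake described in the "TCP three-way handshake" section and then runs it two ways: a full connect (what -sT does) and a half-open probe that answers the SYN+ACK with RST (what -sS does). The model tracks the four items the page says each side must learn (initial sequence number, buffer size, MSS, options) and keeps a separate `app_log` for what the listening application would see. The endpoint names, ISNs, window sizes and options are constructed values, not a real capture; the point it makes is that in the half-open case the listener never reaches ESTABLISHED, so the application never gets an accept() and never logs anything, while the SYN itself is still visible to a firewall or IDS watching the wire.

```python
from dataclasses import dataclass, field

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass
class Segment:
    """The fields of a TCP segment that matter for connection setup."""
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    window: int = 0       # sender's receive-buffer size (item 2 on the page)
    mss: int = 0          # largest segment the sender can receive (item 3)
    options: tuple = ()   # other supported options (item 4), e.g. "SACK", "WS"


@dataclass
class Endpoint:
    name: str
    isn: int              # initial sequence number (item 1); fixed here, random in real stacks
    window: int
    mss: int
    options: tuple = ()
    state: str = "CLOSED"
    snd_nxt: int = 0
    rcv_nxt: int = 0
    peer: dict = field(default_factory=dict)      # what we learned about the other side
    app_log: list = field(default_factory=list)   # lines the *application* would log

    def _learn(self, seg):
        self.peer = {"isn": seg.seq, "window": seg.window, "mss": seg.mss, "options": seg.options}

    def listen(self):
        self.state = "LISTEN"

    def connect(self, peer_name):
        """Step 1: client sends SYN carrying its ISN, window, MSS and options."""
        self.state = "SYN_SENT"
        self.snd_nxt = self.isn + 1
        return Segment(self.name, peer_name, self.isn, 0, frozenset({SYN}),
                       self.window, self.mss, self.options)

    def receive(self, seg):
        """Drive the state machine with one incoming segment; return the reply, if any."""
        if self.state == "LISTEN" and seg.flags == {SYN}:
            # Step 2: server records the client's parameters and answers SYN+ACK
            self._learn(seg)
            self.rcv_nxt = seg.seq + 1
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RCVD"
            return Segment(self.name, seg.src, self.isn, self.rcv_nxt, frozenset({SYN, ACK}),
                           self.window, self.mss, self.options)
        if self.state == "SYN_SENT" and seg.flags == {SYN, ACK} and seg.ack == self.snd_nxt:
            # Step 3: client learns the server's parameters and completes with ACK
            self._learn(seg)
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(self.name, seg.src, self.snd_nxt, self.rcv_nxt, frozenset({ACK}), self.window)
        if self.state == "SYN_RCVD" and ACK in seg.flags and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            self.app_log.append(f"accepted connection from {seg.src}")  # accept() returns here
            return None
        if self.state == "SYN_RCVD" and RST in seg.flags:
            self.state = "LISTEN"  # half-open connection torn down; accept() never returns
            return None
        return None


def connect_scan(client, server):
    """-sT style: full handshake, after which the server application sees the connection."""
    server.listen()
    syn_ack = server.receive(client.connect(server.name))
    ack = client.receive(syn_ack)
    server.receive(ack)
    return client.state, server.state


def syn_scan(client, server):
    """-sS style: SYN, then SYN+ACK proves the port is open, then RST instead of ACK."""
    server.listen()
    syn_ack = server.receive(client.connect(server.name))
    port_open = syn_ack is not None and syn_ack.flags == {SYN, ACK}
    # The scanner host never completes step 3; it resets, so no connection is established.
    server.receive(Segment(client.name, server.name, client.snd_nxt, 0, frozenset({RST})))
    client.state = "CLOSED"
    return port_open, server.state


if __name__ == "__main__":
    c = Endpoint("client", isn=1000, window=65535, mss=1460, options=("SACK", "WS"))
    s = Endpoint("server", isn=5000, window=29200, mss=1460, options=("SACK",))
    print("connect scan:", connect_scan(c, s), s.app_log)
    c2 = Endpoint("scanner", isn=1000, window=1024, mss=1460)
    s2 = Endpoint("server", isn=5000, window=29200, mss=1460)
    print("syn scan:", syn_scan(c2, s2), s2.app_log)
```

For detection this is the practical consequence: application logs only ever show -sT style probes, so spotting half-open scans requires a vantage point below the application, such as firewall or NetFlow records of SYNs that are answered but never acknowledged.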

-sV: detect the versions of the services (ports) open on the target address

Version detection scans the versions of the software running on the target host's ports; the scan below, for example, includes the version of ssh.

nmap -sV 192.168.3.16

-O: detect the operating system version of the target address

nmap -O 192.168.3.16

-A: OS detection, version detection, script scanning and traceroute in one integrated scan

nmap -A 192.168.3.16

-Pn -A: full scan without the ping check, so a firewall that blocks ping does not stop it

nmap -Pn -A 192.168.3.16

Demonstration of Nmap scripts:

nmap --script=auth 192.168.3.26

nmap --script=brute 192.168.3.26

nmap --script=vuln 192.168.3.26

This concludes the study of "what are the common instructions in nmap". I hope it has answered your questions. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning related material, please continue to follow the site; the editor will keep bringing you practical articles.
