2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Basic msf commands
1.1 ping
1.2 arp_sweep: enumerates all active hosts on the local LAN using ARP requests
msf > use auxiliary/scanner/discovery/arp_sweep
1.3 udp_sweep: enumerates active hosts using UDP packets
msf > use auxiliary/scanner/discovery/udp_sweep
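Seen from the monitoring side, the ARP sweep described above appears as one sender asking for many different addresses within a short time. The Python below is an added example, not part of the original article; it flags that pattern in tcpdump-style text, and the line format, the constructed sample capture, the 5-second window and the 20-target threshold are all assumptions.

```python
import re
from collections import defaultdict, deque

# tcpdump-style text line for an ARP request (sample format is an assumption)
ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has (\S+) tell (\S+), length \d+")

def parse_arp_requests(lines):
    """Yield (seconds_since_midnight, sender_ip, target_ip) per ARP request."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue  # ARP replies, other traffic and malformed lines are skipped
        h, mi, s, frac, target, sender = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac), sender, target

def find_arp_sweeps(lines, window=5.0, min_targets=20):
    """Map each sender that queried >= min_targets distinct IPs inside any
    `window` seconds to the largest distinct-target count seen for it."""
    recent = defaultdict(deque)  # sender -> (timestamp, target) inside the window
    flagged = {}
    for ts, sender, target in parse_arp_requests(lines):
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= min_targets:
            flagged[sender] = max(flagged.get(sender, 0), distinct)
    return flagged

def build_sample():
    """Constructed capture: one sweeper, one slow talker, one ordinary host."""
    req = "{} ARP, Request who-has {} tell {}, length 28"
    lines = [req.format(f"12:00:01.{i * 10000:06d}", f"192.168.1.{i}", "192.168.1.50")
             for i in range(1, 41)]  # 40 targets in 0.4 s: sweep
    lines += [req.format(f"12:{1 + i // 6:02d}:{i % 6 * 10:02d}.000000",
                         f"192.168.1.{100 + i}", "192.168.1.77")
              for i in range(25)]  # 25 targets, one every 10 s: below threshold
    lines += [req.format(f"12:00:0{i}.000000", "192.168.1.1", "192.168.1.10")
              for i in range(2, 5)]  # a host re-resolving its gateway
    lines.append("12:00:02.000500 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28")
    lines.append("garbled line")
    return lines

if __name__ == "__main__":
    for sender, count in find_arp_sweeps(build_sample()).items():
        print(f"possible ARP sweep from {sender}: {count} distinct targets in 5 s")
```

The window and threshold need tuning per network: a gateway or monitoring host can legitimately resolve many neighbours in a short burst.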
2. Scanning hosts with Nmap
Personal perception:
Cannot use sT scan parameters
Omitted (until after I have completed a comprehensive study of nmap)
TARGET SPECIFICATION:   # target specification
  Can pass hostnames, IP addresses, networks, etc.   # a hostname, an IP address or a network
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks   # import targets from a list
  -iR <num hosts>: Choose random targets   # choose the given number of random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:   # active host discovery
  -sL: List Scan - simply list targets to scan   # simple list scan; details omitted
  -sn: Ping Scan - disable port scan   # ping scan only, no port scanning
  -Pn: Treat all hosts as online -- skip host discovery   # treat every host as online and skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports   # discover hosts with TCP SYN/ACK, UDP or SCTP probes to the given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes   # use ICMP echo, timestamp and netmask requests as probes
  -PO[protocol list]: IP Protocol Ping   # discover hosts with an IP protocol ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]   # choose whether to do DNS resolution
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host   # trace the route to each host
SCAN TECHNIQUES:   # scan techniques
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan   # scan by way of a zombie host address
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:   # port scanning options
  -p <port ranges>: Only scan specified ports   # scan specific ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan   # quick scan
  -r: Scan ports consecutively - don't randomize   # scan ports in sequential order
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info   # determine version information
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:   # script scanning options
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:   # identify the operating system
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:   # scan timing settings
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys   # use spoofed (decoy) addresses
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface   # use a specific interface
  -g/--source-port <portnum>: Use given port number   # scan from a specific source port
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:   # output the scan results
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|