-sS 执行一次隐秘的svn握手包TCP/IP扫描,判断端口是否存活 (s表示Stealth,隐秘) -sT 执行一次隐秘的TCP connect scan -Pn 不通过ping来预先判断主机是否存活,这点在公网扫描很重要,因为公网主机很多禁止ping来判断其存活性 -A, to enable OS and version detection, script scanning, and traceroute -T4, for faster execution(外网尽量不要用,使用TCP连接使用T2比较合适) -sV, 识别服务指纹信息 -O, 开启操作系统探测的扫描功能 -F, Fast mode - Scan fewer ports than the default scan -oX fileName, 输出为一个 -PO Treat all hosts as online -- skip host discover,即使用IP协议包的ping探测主机是否存活。
Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0-255.0-255.1-254 -iL <inputfilename>: Input from list of hosts/networks -iR <num hosts>: Choose random targets --exclude <host1[,host2][,host3],...>: Exclude hosts/networks --excludefile <exclude_file>: Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -P0: Treat all hosts as online -- skip host discovery -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery probes to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -n/-R: Never do DNS resolution/Always resolve [default: sometimes resolve] SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idlescan -sO: IP protocol scan -b <ftp relay host>: FTP bounce scan PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast - Scan only the ports listed in the nmap-services file) -r: Scan ports consecutively - don't randomize SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-light: Limit to most likely probes for faster identification --version-all: Try every single probe for version detection --version-trace: Show detailed version scan activity (for debugging) OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively TIMING AND PERFORMANCE: -T[0-6]: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <msec>: Parallel host scan group sizes --min-parallelism/max-parallelism <msec>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies probe round trip time. --host-timeout <msec>: Give up on target after this long --scan-delay/--max-scan-delay <msec>: Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ttl <val>: Set IP time-to-live field --spoof-mac <mac address, prefix, or vendor name>: Spoof your MAC address OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan results in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use twice for more effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --no-stylesheet: Prevent Nmap from associating XSL stylesheet w/XML output MISC: -6: Enable IPv6 scanning -A: Enables OS detection and Version detection --datadir <dirname>: Specify custom Nmap data file location --send-eth/--send-ip: Send packets using raw ethernet frames or IP packets --privileged: Assume that the user is fully privileged -V: Print version number -h: Print this help summary page. EXAMPLES: nmap -v -A scanme.nmap.org nmap -v -sP 192.168.0.0/16 10.0.0.0/8 nmap -v -iR 10000 -P0 -p 80
端口扫描
扫描主机开放的端口:
1
> nmap -sT -v xxx.xxx.xxx.xxx
详细显示,syn探测,高速扫描,系统和服务版本信息,脚本扫描和路由跟踪:
1
> nmap -v -sS -A -T4 target
-sT表示tcp端口扫描(完整三次握手),-v表示显示详细信息
2. Metasploit
2.1 一次简单的使用流程
启动MSF
1
> msfconsole
搜索漏洞
1
> search wordpress
选择漏洞利用exp
1
use xxx
设置攻击载荷(Payload)
1 2
# 'show options' means showing the advandce options to custom. e.g. > msf exploit(windows/mysql/mysql_mof) > show options
设置攻击选项
1 2
# set the information about the exploit process. e.g. > set RHOST 115.28.xxx.xxx