Friday, May 8, 2020

Kali Linux Study Notes (2) : Testing the Nmap Package

A few days ago I flashed the Kali Linux v2020.1 image onto a Micro SD card, inserted it into a Raspberry Pi Zero W board and booted it for testing. Once the ssh service is enabled and the WiFi connection is configured, I can connect to the Pi Zero W from my laptop with Putty and use Kali Linux for security penetration testing. The target is my ACER Swift 5 laptop, which is connected to the same phone hotspot. The same approach can later be used to run security penetration tests against IoT endpoints such as the ESP32.

Previous test in this series :

Kali Linux Study Notes (1) : Flashing the Kali Linux Operating System onto a Raspberry Pi Zero W

This post records my Nmap tests on the Pi Zero W's Kali Linux after reading Chapter 4 of "不會C也是資安高手:用Python和駭客大戰三百回合(第二版)" (a Chinese book on using Python for security; the title translates roughly as "A Security Expert Without C: 300 Rounds Against Hackers with Python, 2nd edition").

Nmap is short for Network Mapper. It is an excellent free network scanning and security auditing tool, an indispensable tool for hackers, developed by American security expert Gordon Lyon in C and Lua. Hackers typically use Nmap to collect a target host's network configuration, application services and operating system information, build a map of the network, and look for possible security holes. Its basic functions are as follows :
  • Host scanning :
    Send packets to the target host and judge from its response whether it is powered on and connected to the network.
  • Port scanning :
    Send packets to specific ports of the target host (by default the 1660 most commonly used ports) and determine the state of those ports (e.g. whether they are open) from the response.
  • Checking application service type and version :
    Send packets to a specific port of the target host and determine the type and version of the application service mapped to that port from the response.
  • Operating system detection :
    Send packets to the target host and determine the host type and the operating system type and version from the response.
In addition, Nmap offers advanced auditing techniques such as covert scanning by disguising the scanner's identity (e.g. IP and MAC address spoofing) and checking a system for security holes while evading firewalls. Its NSE (Nmap Scripting Engine) lets you write your own feature modules in Lua to extend Nmap's capabilities; there are currently more than 350 scripts. Reference :

https://zh.wikipedia.org/wiki/Nmap

Kali Linux ships with a great many penetration testing tools, and Nmap is one of them. Other Linux distributions generally do not include Nmap; on Debian-based systems it can be installed with the following command :

sudo apt-get install nmap 

After logging in to Kali Linux, typing nmap in the terminal prints its usage summary :

root@kali:~# nmap   
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

This shows that Kali Linux 2020.1 ships with the latest Nmap, version 7.80.

To port-scan a host with nmap using TCP half-open connections (option -sS: after receiving SYN+ACK the scanner does not send the final ACK, so the three-way handshake is never completed; this is called a half-open connection and is the stealth mode), use the following command :

root@kali:~# nmap -oX - -p 1-500 -sS 192.168.43.14    
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Sat May  9 01:33:29 2020 as: nmap -oX - -p 1-500 -sS 192.168.43.14 -->
<nmaprun scanner="nmap" args="nmap -oX - -p 1-500 -sS 192.168.43.14" start="1588988009" startstr="Sat May  9 01:33:29 2020" version="7.80" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="500" services="1-500"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1588988009" endtime="1588988095"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.43.14" addrtype="ipv4"/>
<address addr="1C:1B:B5:xx:xx:xx" addrtype="mac" vendor="Intel Corporate"/>
<hostnames>
<hostname name="DESKTOP-QUTGKxx" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="500">
<extrareasons reason="no-responses" count="500"/>
</extraports>
</ports>
<times srtt="169689" rttvar="169689" to="848445"/>
</host>
<runstats><finished time="1588988096" timestr="Sat May  9 01:34:56 2020" elapsed="87.24" summary="Nmap done at Sat May  9 01:34:56 2020; 1 IP address (1 host up) scanned in 87.24 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

The scan result is returned in XML format and contains information about host 192.168.43.14 such as its computer name (hostname), its MAC address (address) and the network adapter vendor (the vendor attribute attached to the MAC address, here Intel Corporate). For more nmap command usage, see :

Computer scientist Alexandre Norman wrapped Nmap in a Python package called python-nmap, so that programmers who know Python can drive Nmap through this API for security penetration testing. Kali Linux does not ship this package by default, so it has to be installed manually. Reference :

https://pypi.org/project/python-nmap/
https://github.com/alexandrenorman


1. Install the python-nmap package :

root@kali:~# pip3 install python-nmap 
Collecting python-nmap
Building wheels for collected packages: python-nmap
  Running setup.py bdist_wheel for python-nmap ... done
  Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.6.1

This shows that the latest version is currently 0.6.1. Once installed, start the Python shell and import the nmap module :

root@kali:~# python3 
Python 3.7.5 (default, Oct 27 2019, 15:43:29)
[GCC 9.2.1 20191022] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nmap          # import the nmap module
>>> dir(nmap)
['ET', 'PortScanner', 'PortScannerAsync', 'PortScannerError', 'PortScannerHostDict', 'PortScannerYield', 'Process', '__author__', '__builtins__', '__cached__', '__doc__', '__file__', '__last_modification__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '__version__', 'convert_nmap_output_to_encoding', 'csv', 'io', 'nmap', 'os', 're', 'shlex', 'subprocess', 'sys']

This shows that the module itself uses built-in modules such as csv, io, re and sys, and that the main classes are PortScanner (synchronous) and PortScannerAsync (asynchronous). These names are shortcuts at the package level, however; the actual classes live one level down in nmap.nmap :

>>> dir(nmap.nmap) 
['ET', 'PortScanner', 'PortScannerAsync', 'PortScannerError', 'PortScannerHostDict', 'PortScannerYield', 'Process', '__author__', '__builtins__', '__cached__', '__doc__', '__file__', '__get_last_online_version', '__last_modification__', '__loader__', '__name__', '__package__', '__scan_progressive__', '__spec__', '__version__', 'convert_nmap_output_to_encoding', 'csv', 'io', 'os', 're', 'shlex', 'subprocess', 'sys']

This is the same as the dir(nmap) result above. We can now call the PortScanner class constructor PortScanner() and test port scanning.


2. Scanning ports :

Calling nmap.PortScanner() creates a scanner object, and that object's scan() method scans the ports of a specified host. With nm being the object returned by nmap.PortScanner(), the parameter format is :

nm.scan('host address', 'port range', arguments='scan type options')

All three parameters are strings. The port range is written 'from-to', e.g. '1-500' scans ports 1 to 500, and arguments holds the Nmap scan type options (listed in the table further below). Below is the result of scanning my laptop from the Pi Zero W :

>>> nm=nmap.PortScanner()   
>>> type(nm) 
<class 'nmap.nmap.PortScanner'>
>>> nm.scan('192.168.43.14', '1-500', '-sS') 
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sS 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May  8 07:00:00 2020', 'elapsed': '24.98', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}

As seen, calling PortScanner() returns a PortScanner object, and calling that object's scan() method sends the corresponding Nmap command and converts the XML returned by Nmap into a dictionary. The value of the command_line key is the actual Nmap command that python-nmap issued; it can also be obtained with the command_line() method :

>>> nm.command_line() 
'nmap -oX - -p 1-500 -sS 192.168.43.14'

The dir() command lists the methods of the PortScanner object :

>>> dir(nm) 
['_PortScanner__process', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_nmap_last_output', '_nmap_path', '_nmap_subversion_number', '_nmap_version_number', '_scan_result', 'all_hosts', 'analyse_nmap_xml_scan', 'command_line', 'csv', 'get_nmap_last_output', 'has_host', 'listscan', 'nmap_version', 'scan', 'scaninfo', 'scanstats']

Summarised in the table below :

 PortScanner object method      Description
 scan(ip, ports, arguments)     Scans the host's ports and returns a dictionary
 command_line()                 Returns the corresponding Nmap command string
 csv()                          Returns the scan response as a semicolon-separated CSV string
 scaninfo()                     Returns the scan information (dictionary), e.g. tcp/udp, half-open
 hostname()                     Returns the host name (string); available on the per-host entry nm[ip], as shown further below
 all_hosts()                    Returns the IPs of the scanned hosts (list)
 has_host(ip)                   Checks whether a scan result exists for the host (True/False)


For example :

>>> nm.scan('192.168.43.14', '1-500', '-sS') 
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sS 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Sat May  9 04:57:29 2020', 'elapsed': '13.29', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.all_hosts() 
['192.168.43.14']
>>> nm.csv() 
'host;hostname;hostname_type;protocol;port;name;state;product;extrainfo;reason;version;conf;cpe\r\n'
>>> nm.has_host('192.168.43.14') 
True
>>> nm.has_host('192.168.43.15') 
False
>>> nm.scaninfo() 
{'tcp': {'method': 'syn', 'services': '1-500'}}
>>> nm.all_hosts() 
['192.168.43.14']
>>> nm.nmap_version() 
(7, 80)
>>> nm.listscan() 
['127.0.0.1']
>>> nm.scanstats() 
{'timestr': 'Sat May  9 05:44:45 2020', 'elapsed': '0.01', 'uphosts': '0', 'downhosts': '1', 'totalhosts': '1'}
>>> nm.get_nmap_last_output()
'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE nmaprun>\n<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>\n<!-- Nmap 7.80 scan initiated Sat May  9 05:44:45 2020 as: nmap -oX - -sL 127.0.0.1 -->\n<nmaprun scanner="nmap" args="nmap -oX - -sL 127.0.0.1" start="1589003085" startstr="Sat May  9 05:44:45 2020" version="7.80" xmloutputversion="1.04">\n<verbose level="0"/>\n<debugging level="0"/>\n<host><status state="unknown" reason="user-set" reason_ttl="0"/>\n<address addr="127.0.0.1" addrtype="ipv4"/>\n<hostnames>\n<hostname name="kali" type="PTR"/>\n</hostnames>\n</host>\n<runstats><finished time="1589003085" timestr="Sat May  9 05:44:45 2020" elapsed="0.01" summary="Nmap done at Sat May  9 05:44:45 2020; 1 IP address (0 hosts up) scanned in 0.01 seconds" exit="success"/><hosts up="0" down="1" total="1"/>\n</runstats>\n</nmaprun>\n'
>>>

Passing the '-sS' scan type above performs a half-open port scan of the target host, and the response includes host information such as the computer name and MAC address. The available scan type options are listed in the table below :


 Scan type option   Description
 '-sP'              Ping scan of the target host
 '-PR'              ARP scan of the target host
 '-sS'              Half-open (SYN) TCP port scan of the target host
 '-sT'              Full-connect TCP port scan of the target host
 '-sU'              UDP port scan of the target host
 '-sV'              Detect the versions of the network service software installed on the target host
 '-O'               Detect the target host's operating system information


The test results are as follows :

>>> nm.scan('192.168.43.14', '1-500', '-sV') 
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sV 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May  8 15:43:21 2020', 'elapsed': '19.16', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-PR') 
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -PR 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May  8 15:46:01 2020', 'elapsed': '12.33', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-sT')   
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sT 192.168.43.14', 'scaninfo': {'tcp': {'method': 'connect', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May  8 15:47:02 2020', 'elapsed': '12.26', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-sP')   
{'nmap': {'command_line': None, 'scaninfo': {'error': ['You cannot use -F (fast scan) or -p (explicit port selection) when not doing a port scan\nQUITTING!\n', 'You cannot use -F (fast scan) or -p (explicit port selection) when not doing a port scan\nQUITTING!\n']}, 'scanstats': {'timestr': 'Fri May  8 15:47:57 2020', 'elapsed': '0.01', 'uphosts': '0', 'downhosts': '0', 'totalhosts': '0'}}, 'scan': {}}
>>> nm.scan('192.168.43.14', '1-500', '-sU') 
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sU 192.168.43.14', 'scaninfo': {'udp': {'method': 'udp', 'services': '1-500'}}, 'scanstats': {'timestr': 'Sat May  9 04:43:45 2020', 'elapsed': '35.95', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}, 'udp': {137: {'state': 'open', 'reason': 'udp-response', 'name': 'netbios-ns', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''}}}}}
>>> nm.scan('192.168.43.14', arguments='-O')
{'nmap': {'command_line': 'nmap -oX - -O 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-
5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389'}}, 'scanstats': {'timestr': 'Sat May  9 00:17:08 2020', 'elapsed': '165.53', 
'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}, 'tcp': {5357: {'state': 'open', 'reason': 'syn-ack', 'name': 'wsdapi', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''}}, 'portused': [{'state': 'open', 'proto': 'tcp', 'portid': '5357'}], 'osmatch': [{'name': 'AVtech Room Alert 26W environmental monitor', 'accuracy': '87', 'line': '9077', 'osclass': [{'type': 'specialized', 'vendor': 'AVtech', 'osfamily': 'embedded', 'osgen': None, 'accuracy': '87', 'cpe': []}]}, {'name': 'Microsoft Windows XP SP2', 'accuracy': '87', 'line': '81128', 'osclass': [{'type': 'general purpose', 'vendor': 'Microsoft', 'osfamily': 'Windows', 'osgen': 'XP', 'accuracy': '87', 'cpe': ['cpe:/o:microsoft:windows_xp::sp2']}]}, {'name': 'FreeBSD 6.2-RELEASE', 'accuracy': '86', 'line': '27364', 'osclass': [{'type': 'general purpose', 'vendor': 'FreeBSD', 'osfamily': 'FreeBSD', 'osgen': '6.X', 'accuracy': '86', 'cpe': ['cpe:/o:freebsd:freebsd:6.2']}]}, {'name': 'FreeBSD 10.3-STABLE', 'accuracy': '85', 'line': '26140', 'osclass': [{'type': 'general purpose', 'vendor': 'FreeBSD', 'osfamily': 'FreeBSD', 'osgen': '10.X', 'accuracy': '85', 'cpe': ['cpe:/o:freebsd:freebsd:10.3']}]}]}}}

Information can also be extracted through the dictionary keys of nm :

>>> nm['192.168.43.14'].all_protocols()   
[]
>>> nm['192.168.43.14'].state() 
'up'
>>> nm['192.168.43.14'].hostname()   
'DESKTOP-QUTGKxx'
>>> nm['192.168.43.14']['tcp'].keys() 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>> nm['192.168.43.14'].all_tcp()   
[]
>>> nm['192.168.43.14'].all_udp()   
[]
>>> nm['192.168.43.14'].all_sctp() 
[]
>>> nm['192.168.43.14'].has_tcp(22) 
False

But the following ones give errors, and I do not know why :

>>> nm['192.168.43.14']['tcp'][22] 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>> nm['192.168.43.14'].tcp(22)   
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.7/dist-packages/nmap/nmap.py", line 975, in tcp
    return self['tcp'][port]
KeyError: 'tcp'
>>> nm['192.168.43.14']['tcp'][22]['state']   
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>>
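The KeyError: 'tcp' above is expected behaviour rather than a bug: python-nmap only creates a 'tcp' section for a host when nmap reported at least one TCP port individually, and in that session every port was filtered (has_tcp(22) returned False), so nm['192.168.43.14']['tcp'] simply does not exist. The following added example (my own code, not from this post or the python-nmap project; the function names parse_nmap_xml and port_state are mine) rebuilds the XML-to-dictionary conversion that scan() performs and adds a guarded lookup that returns None instead of raising; the two XML documents are constructed from the -oX output shown earlier, with MAC octets masked as in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample 1 (modelled on the -sS output in the post, MAC octets masked):
# every probed port was filtered, so nmap lists no <port> element at all.
XML_FILTERED = """<nmaprun scanner="nmap" args="nmap -oX - -p 1-500 -sS 192.168.43.14" version="7.80">
<scaninfo type="syn" protocol="tcp" numservices="500" services="1-500"/>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.43.14" addrtype="ipv4"/>
<address addr="1C:1B:B5:xx:xx:xx" addrtype="mac" vendor="Intel Corporate"/>
<hostnames><hostname name="DESKTOP-QUTGKxx" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="500"/></ports>
</host>
<runstats><finished elapsed="87.24"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""

# Constructed sample 2 (modelled on the 5357/wsdapi hit from the -O scan): one open TCP port.
XML_OPEN = """<nmaprun scanner="nmap" args="nmap -oX - -O 192.168.43.14" version="7.80">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.43.14" addrtype="ipv4"/>
<hostnames><hostname name="DESKTOP-QUTGKxx" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="5357"><state state="open" reason="syn-ack"/>
<service name="wsdapi" conf="3"/></port></ports>
</host>
<runstats><finished elapsed="165.53"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Convert 'nmap -oX -' output into the {'nmap': ..., 'scan': ...} layout
    that PortScanner.scan() returns (hypothetical re-implementation)."""
    root = ET.fromstring(xml_text)
    hosts = root.find("runstats/hosts")
    result = {
        "nmap": {
            "command_line": root.get("args"),
            "scaninfo": {si.get("protocol"): {"method": si.get("type"), "services": si.get("services")}
                         for si in root.iter("scaninfo")},
            "scanstats": {"elapsed": root.find("runstats/finished").get("elapsed"),
                          "uphosts": hosts.get("up"), "downhosts": hosts.get("down"),
                          "totalhosts": hosts.get("total")},
        },
        "scan": {},
    }
    for host in root.iter("host"):
        status = host.find("status")
        entry = {
            "hostnames": [{"name": h.get("name"), "type": h.get("type")} for h in host.iter("hostname")],
            "addresses": {}, "vendor": {},
            "status": {"state": status.get("state"), "reason": status.get("reason")},
        }
        for addr in host.iter("address"):
            entry["addresses"][addr.get("addrtype")] = addr.get("addr")
            if addr.get("vendor"):  # the vendor attribute sits on the MAC address element
                entry["vendor"][addr.get("addr")] = addr.get("vendor")
        # A protocol section ('tcp', 'udp', ...) is created only for ports nmap reported
        # individually; a host where everything was filtered gets no 'tcp' key at all.
        for port in host.iter("port"):
            section = entry.setdefault(port.get("protocol"), {})
            svc = port.find("service")
            section[int(port.get("portid"))] = {
                "state": port.find("state").get("state"),
                "reason": port.find("state").get("reason"),
                "name": svc.get("name", "") if svc is not None else "",
            }
        result["scan"][entry["addresses"]["ipv4"]] = entry
    return result


def port_state(result, host, port, proto="tcp"):
    """Guarded form of nm[host]['tcp'][port]['state']: None instead of KeyError
    when the host, the protocol section or the port is absent from the result."""
    return result["scan"].get(host, {}).get(proto, {}).get(port, {}).get("state")
```

With a real PortScanner the same guard is nm[host].has_tcp(port) (or checking all_protocols()) before indexing nm[host]['tcp'].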


References :

黑客終極網絡掃描工具Zenmap使用方法 (How to use Zenmap, the ultimate hacker network scanning tool)
