前一篇測試參考 :
# Kali Linux 學習筆記 (一) : 樹莓派 Zero W 燒錄 Kali Linux 作業系統
本篇是閱讀 "不會C也是資安高手:用Python和駭客大戰三百回合(第二版)" 第四章後在 Pi Zero W 的 Kali Linux 上進行 Nmap 實測之紀錄.
Nmap 是 Network Mapper (網路對映器) 的簡寫, 是一款優秀的網路掃描與資安稽核之自由軟體, 也是駭客手邊的必備工具, 為美國資安專家 Gordon Lyon 以 C 與 Lua 語言開發. 通常駭客使用 Nmap 蒐集目標主機之網路設定, 應用服務與作業系統資訊, 建構出一張網路的架構圖, 並從中找到可能的安全漏洞, 其基本功能如下 :
- 掃描主機 :
向目標主機發送封包, 根據其反應判斷是否有開機與連網. - 掃描通訊埠 :
向目標主機的特定通訊埠 (預設是常用的 1660 個埠) 發送封包, 根據其反應取得這些埠之狀態 (例如是否有開啟). - 檢查應用程式服務類型與版本 :
向目標主機的特定通訊埠發送封包, 根據其反應取得與此埠對映之應用程式之服務類型與版本. - 偵測作業系統版本 :
向目標主機發送封包, 根據其反應取得主機類型, 作業系統類型與版本,
# https://zh.wikipedia.org/wiki/Nmap
Kali Linux 內建了非常多的資安滲透工具, Nmap 就是其中之一. 其他 Linux 分散版本一般未內建 Nmap, 對 Debian 系列 Linux 系統可用下列指令安裝 :
sudo apt-get install nmap
登入 Kali Linux 後在終端機介面下 nmap 就會顯示其指令說明 :
root@kali:~# nmap
Nmap 7.80 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
可見 Kali Linux 2020.1 版搭載的是最新的 Nmap 7.8 版.
使用 nmap 指令以 TCP 半連接方式 (收到 SYN+ACK 後不回送 ACK, 沒有完成三向握手稱為半連接, 此為隱蔽模式, 參數 -sS) 對主機進行埠掃描之指令如下 :
root@kali:~# nmap -oX - -p 1-500 -sS 192.168.43.14
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.80 scan initiated Sat May 9 01:33:29 2020 as: nmap -oX - -p 1-500 -sS 192.168.43.14 -->
<nmaprun scanner="nmap" args="nmap -oX - -p 1-500 -sS 192.168.43.14" start="1588988009" startstr="Sat May 9 01:33:29 2020" version="7.80" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="500" services="1-500"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1588988009" endtime="1588988095"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="192.168.43.14" addrtype="ipv4"/>
<address addr="1C:1B:B5:xx:xx:xx" addrtype="mac" vendor="Intel Corporate"/>
<hostnames>
<hostname name="DESKTOP-QUTGKxx" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="500">
<extrareasons reason="no-responses" count="500"/>
</extraports>
</ports>
<times srtt="169689" rttvar="169689" to="848445"/>
</host>
<runstats><finished time="1588988096" timestr="Sat May 9 01:34:56 2020" elapsed="87.24" summary="Nmap done at Sat May 9 01:34:56 2020; 1 IP address (1 host up) scanned in 87.24 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
掃描結果會以 XML 格式傳回, 裡面有 192.168.43.14 這台主機的電腦名稱 (hostname), MAC 位址 (address), 以及 CPU 製造商 (vender) 等資訊. 更多的 nmap 指令用法參考 :
# https://pypi.org/project/python-nmap/
# https://github.com/alexandrenorman
1. 安裝 pyhton-nmap 套件 :
root@kali:~# pip3 install python-nmap
Collecting python-nmap
Building wheels for collected packages: python-nmap
Running setup.py bdist_wheel for python-nmap ... done
Stored in directory: /root/.cache/pip/wheels/bb/a6/48/4d9e2285291b458c3f17064b1dac2f2fb0045736cb88562854
Successfully built python-nmap
Installing collected packages: python-nmap
Successfully installed python-nmap-0.6.1
可見目前最新是 0.6.1 版. 安裝完成就可以進入 Python shell 將 nmap 模組匯入 :
root@kali:~# python3
Python 3.7.5 (default, Oct 27 2019, 15:43:29)
[GCC 9.2.1 20191022] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nmap #匯入 nmap 模組
>>> dir(nmap)
['ET', 'PortScanner', 'PortScannerAsync', 'PortScannerError', 'PortScannerHostDict', 'PortScannerYield', 'Process', '__author__', '__builtins__', '__cached__', '__doc__', '__file__', '__last_modification__', '__loader__', '__name__', '__package__', '__path__', '__spec__', '__version__', 'convert_nmap_output_to_encoding', 'csv', 'io', 'nmap', 'os', 're', 'shlex', 'subprocess', 'sys']
可見此模組本身使用了 csv, io, re, sys 等內建模組, 主角是 PortScanner (同步) 與 PortScannerAsync (非同步) 等類別. 不過這是套件結構中的捷徑, 實際的類別放在下一層的 nmap.nmap 中 :
>>> dir(nmap.nmap)
['ET', 'PortScanner', 'PortScannerAsync', 'PortScannerError', 'PortScannerHostDict', 'PortScannerYield', 'Process', '__author__', '__builtins__', '__cached__', '__doc__', '__file__', '__get_last_online_version', '__last_modification__', '__loader__', '__name__', '__package__', '__scan_progressive__', '__spec__', '__version__', 'convert_nmap_output_to_encoding', 'csv', 'io', 'os', 're', 'shlex', 'subprocess', 'sys']
與上面 dir(nmap) 結果是一樣的. 接下來就可以呼叫 PortScanner 類別的建構子 PortScanner() 進行通訊埠掃描測試了.
2. 掃描通訊埠 :
呼叫 nmap.PortScanner() 函數可掃描指定主機的通訊埠, 其參數格式如下 :
nmap.PortScanner('主機網址', '通訊埠範圍', arguments='掃描類型參數')
這三個參數都是字串, 其中通訊埠範圍用 'from-to' 表示, 例如 '1-500' 表示掃描通訊埠 1~500. arguments 為下面是從 Pi Zero W 掃描我的筆電的結果 :
>>> nm=nmap.PortScanner()
>>> type(nm)
<class 'nmap.nmap.PortScanner'>
>>> nm.scan('192.168.43.14', '1-500', '-sS')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sS 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May 8 07:00:00 2020', 'elapsed': '24.98', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.command_line()
'nmap -oX - -p 1-500 -sS 192.168.43.14'
用 dir() 指令可查詢 PortScanner 物件的方法
>>> dir(nm)
['_PortScanner__process', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getitem__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_nmap_last_output', '_nmap_path', '_nmap_subversion_number', '_nmap_version_number', '_scan_result', 'all_hosts', 'analyse_nmap_xml_scan', 'command_line', 'csv', 'get_nmap_last_output', 'has_host', 'listscan', 'nmap_version', 'scan', 'scaninfo', 'scanstats']
PortScanner 物件之方法 | 說明 |
scan(ip, ports, arguments) | 掃描主機之通訊埠, 傳回字典 |
command_line() | 傳回對應之 Nmap 指令字串 |
csv() | 傳回以分號隔開的 csv 格式掃描回應字串 |
scaninfo() | 傳回掃描資訊 (字典), 例如 tcp/udp, 半連接等 |
hostname() | 傳回主機名稱 (字串) |
all_hosts() | 傳回被掃瞄之主機 IP (串列) |
has_host(ip) | 檢查是否有主機之掃描結果 (True/False) |
例如 :
>>> nm.scan('192.168.43.14', '1-500', '-sS')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sS 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Sat May 9 04:57:29 2020', 'elapsed': '13.29', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.all_hosts()
['192.168.43.14']
>>> nm.csv()
'host;hostname;hostname_type;protocol;port;name;state;product;extrainfo;reason;version;conf;cpe\r\n'
>>> nm.has_host('192.168.43.14')
True
>>> nm.has_host('192.168.43.15')
False
>>> nm.scaninfo()
{'tcp': {'method': 'syn', 'services': '1-500'}}
>>> nm.all_hosts()
['192.168.43.14']
>>> nm.nmap_version()
(7, 80)
>>> nm.listscan()
['127.0.0.1']
>>> nm.scanstats()
{'timestr': 'Sat May 9 05:44:45 2020', 'elapsed': '0.01', 'uphosts': '0', 'downhosts': '1', 'totalhosts': '1'}
>>> nm.get_nmap_last_output()
'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE nmaprun>\n<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>\n<!-- Nmap 7.80 scan initiated Sat May 9 05:44:45 2020 as: nmap -oX - -sL 127.0.0.1 -->\n<nmaprun scanner="nmap" args="nmap -oX - -sL 127.0.0.1" start="1589003085" startstr="Sat May 9 05:44:45 2020" version="7.80" xmloutputversion="1.04">\n<verbose level="0"/>\n<debugging level="0"/>\n<host><status state="unknown" reason="user-set" reason_ttl="0"/>\n<address addr="127.0.0.1" addrtype="ipv4"/>\n<hostnames>\n<hostname name="kali" type="PTR"/>\n</hostnames>\n</host>\n<runstats><finished time="1589003085" timestr="Sat May 9 05:44:45 2020" elapsed="0.01" summary="Nmap done at Sat May 9 05:44:45 2020; 1 IP address (0 hosts up) scanned in 0.01 seconds" exit="success"/><hosts up="0" down="1" total="1"/>\n</runstats>\n</nmaprun>\n'
>>>
上面傳入 '-sS' 掃描類型參數表示對目標主機進行半開通訊埠掃描, 回應資料包括了電腦名稱與 MAC 位址等主機資訊. 可用的掃描類型參數如下表 :
掃描類型參數 | 說明 |
'-sP' | 對目標主機進行 ping 掃描 |
'-PR' | 對目標主機進行 ARP 掃描 |
'-sS' | 對目標主機進行半連接 TCP 通訊埠掃描 |
'-sT' | 對目標主機進行全連接 TCP 通訊埠掃描 |
'-sU' | 對目標主機進行 UDP 通訊埠掃描 |
'-sV' | 掃描目標主機所安裝之網路服務軟體版本 |
'-O' | 掃描目標主機之作業系統資訊 |
測試結果如下 :
>>> nm.scan('192.168.43.14', '1-500', '-sV')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sV 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May 8 15:43:21 2020', 'elapsed': '19.16', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-PR')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -PR 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May 8 15:46:01 2020', 'elapsed': '12.33', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-sT')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sT 192.168.43.14', 'scaninfo': {'tcp': {'method': 'connect', 'services': '1-500'}}, 'scanstats': {'timestr': 'Fri May 8 15:47:02 2020', 'elapsed': '12.26', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:66:xx:xx'}, 'vendor': {'1C:1B:B5:66:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}}}}
>>> nm.scan('192.168.43.14', '1-500', '-sP')
{'nmap': {'command_line': None, 'scaninfo': {'error': ['You cannot use -F (fast scan) or -p (explicit port selection) when not doing a port scan\nQUITTING!\n', 'You cannot use -F (fast scan) or -p (explicit port selection) when not doing a port scan\nQUITTING!\n']}, 'scanstats': {'timestr': 'Fri May 8 15:47:57 2020', 'elapsed': '0.01', 'uphosts': '0', 'downhosts': '0', 'totalhosts': '0'}}, 'scan': {}}
>>> nm.scan('192.168.43.14', '1-500', '-sU')
{'nmap': {'command_line': 'nmap -oX - -p 1-500 -sU 192.168.43.14', 'scaninfo': {'udp': {'method': 'udp', 'services': '1-500'}}, 'scanstats': {'timestr': 'Sat May 9 04:43:45 2020', 'elapsed': '35.95', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}, 'udp': {137: {'state': 'open', 'reason': 'udp-response', 'name': 'netbios-ns', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''}}}}}
>>> nm.scan('192.168.43.14', arguments='-O')
{'nmap': {'command_line': 'nmap -oX - -O 192.168.43.14', 'scaninfo': {'tcp': {'method': 'syn', 'services': '1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389'}}, 'scanstats': {'timestr': 'Sat May 9 00:17:08 2020', 'elapsed': '165.53', 'uphosts': '1', 'downhosts': '0', 'totalhosts': '1'}}, 'scan': {'192.168.43.14': {'hostnames': [{'name': 'DESKTOP-QUTGKxx', 'type': 'PTR'}], 'addresses': {'ipv4': '192.168.43.14', 'mac': '1C:1B:B5:xx:xx:xx'}, 'vendor': {'1C:1B:B5:xx:xx:xx': 'Intel Corporate'}, 'status': {'state': 'up', 'reason': 'arp-response'}, 'tcp': {5357: {'state': 'open', 'reason': 'syn-ack', 'name': 'wsdapi', 'product': '', 'version': '', 'extrainfo': '', 'conf': '3', 'cpe': ''}}, 'portused': [{'state': 'open', 'proto': 'tcp', 'portid': '5357'}], 'osmatch': [{'name': 'AVtech Room Alert 26W environmental monitor', 'accuracy': '87', 'line': '9077', 'osclass': [{'type': 'specialized', 'vendor': 'AVtech', 'osfamily': 'embedded', 'osgen': None, 'accuracy': '87', 'cpe': []}]}, {'name': 'Microsoft Windows XP SP2', 'accuracy': '87', 'line': '81128', 'osclass': [{'type': 'general purpose', 'vendor': 'Microsoft', 'osfamily': 'Windows', 'osgen': 'XP', 'accuracy': '87', 'cpe': ['cpe:/o:microsoft:windows_xp::sp2']}]}, {'name': 'FreeBSD 6.2-RELEASE', 'accuracy': '86', 'line': '27364', 'osclass': [{'type': 'general purpose', 'vendor': 'FreeBSD', 'osfamily': 'FreeBSD', 'osgen': '6.X', 'accuracy': '86', 'cpe': ['cpe:/o:freebsd:freebsd:6.2']}]}, {'name': 'FreeBSD 10.3-STABLE', 'accuracy': '85', 'line': '26140', 'osclass': [{'type': 'general purpose', 'vendor': 'FreeBSD', 'osfamily': 'FreeBSD', 'osgen': '10.X', 'accuracy': '85', 'cpe': ['cpe:/o:freebsd:freebsd:10.3']}]}]}}}
另外也可以用 nm 字典鍵擷取資訊 :
>>> nm['192.168.43.14'].all_protocols()
[]
>>> nm['192.168.43.14'].state()
'up'
>>> nm['192.168.43.14'].hostname()
'DESKTOP-QUTGKxx'
>>> nm['192.168.43.14']['tcp'].keys()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>> nm['192.168.43.14'].all_tcp()
[]
>>> nm['192.168.43.14'].all_udp()
[]
>>> nm['192.168.43.14'].all_sctp()
[]
>>> nm['192.168.43.14'].has_tcp(22)
False
但以下這幾個不知為何有錯誤 :
>>> nm['192.168.43.14']['tcp'][22]
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>> nm['192.168.43.14'].tcp(22)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python3.7/dist-packages/nmap/nmap.py", line 975, in tcp
return self['tcp'][port]
KeyError: 'tcp'
>>> nm['192.168.43.14']['tcp'][22]['state']
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
KeyError: 'tcp'
>>>
參考 :
# 黑客終極網絡掃描工具Zenmap使用方法
沒有留言:
張貼留言