!!! These notes are for study and exchange only; do not use them for any other purpose !!!
Using Metasploit's built-in scanner modules:
```
msf > search portscan

Matching Modules
================

   Name                                  Disclosure Date  Rank    Description
   ----                                  ---------------  ----    -----------
   auxiliary/scanner/portscan/ack                         normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                   normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                         normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                         normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                        normal  TCP "XMas" Port Scanner
```
ack module:
Path: auxiliary/scanner/portscan/ack
Notes: this is not an open-port scanner, so do not judge it by accuracy. An ACK probe only tells filtered ports (no reply, or an ICMP unreachable) from unfiltered ones (a RST comes back whether the port is open or closed); its job is mapping stateful firewall rules, not finding services. It builds raw packets and captures replies with pcap (hence the INTERFACE and SNAPLEN options), so it must run as root.
```
msf > use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(ack) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(ack) > set THREADS 50
THREADS => 50
msf auxiliary(ack) > exploit
...
```
ftpbounce module:
Path: auxiliary/scanner/portscan/ftpbounce
Notes: low accuracy, and it rarely works against current servers. The module logs in to the FTP server given in BOUNCEHOST and abuses the PORT command to make that server open the data connection to each target port, so the probes appear to come from the FTP server rather than from you. Most modern FTP servers refuse PORT to a third-party address, and the open/closed verdict depends on how the server reports the failed data connection. It is mainly useful when an FTP server sits inside a segment you cannot reach directly.
```
msf > use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > show options

Module options (auxiliary/scanner/portscan/ftpbounce):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   BOUNCEHOST                       yes       FTP relay host
   BOUNCEPORT  21                   yes       FTP relay port
   FTPPASS     mozilla@example.com  no        The password for the specified username
   FTPUSER     anonymous            no        The username to authenticate as
   PORTS       1-10000              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                           yes       The target address range or CIDR identifier
   THREADS     1                    yes       The number of concurrent threads

msf auxiliary(ftpbounce) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(ftpbounce) > set PORTS 1-100
PORTS => 1-100
msf auxiliary(ftpbounce) > set BOUNCEHOST 10.10.10.130
BOUNCEHOST => 10.10.10.130
msf auxiliary(ftpbounce) > exploit
...
```
syn module:
Path: auxiliary/scanner/portscan/syn
Notes: fast and accurate. It sends a SYN and classifies the port from the SYN/ACK or RST that comes back without completing the handshake (half-open scan), so the probe never reaches the listening application and leaves no completed connection in its logs; a firewall or IDS in the path can still record the SYN. Like ack and xmas it uses raw sockets and pcap capture, so it needs root.
```
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > exploit
...
```
tcp module:
Path: auxiliary/scanner/portscan/tcp
Notes: slow, accurate, and easily logged. It performs a full connect() handshake on every port, so each probe shows up as a completed connection in the target's application and system logs. In exchange it needs no root privileges and, because it uses ordinary Metasploit sockets rather than raw packets, it is the one portscan module that works through a pivot (a route added over an existing session).
```
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > exploit
...
```
xmas module:
Path: auxiliary/scanner/portscan/xmas
Notes: slow, and not reliable. It sends packets with FIN, PSH and URG set; under RFC 793 a closed port answers with a RST and an open port stays silent, so "open" really means "open or filtered". Windows, Cisco and many other stacks answer every such probe with a RST, which makes all ports look closed. It only gives useful results against fully RFC-compliant stacks (typically Linux and BSD) and is mainly a firewall-evasion trick, not a general-purpose scanner. Needs root, for the same raw-socket reason as syn and ack.
```
msf > use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > show options

Module options (auxiliary/scanner/portscan/xmas):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(xmas) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(xmas) > set THREADS 50
THREADS => 50
msf auxiliary(xmas) > exploit
...
```
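The transcripts above are typed interactively. For repeatable scans it is easier to put the same commands in a Metasploit resource script and hand it to msfconsole -r. The following POSIX shell helper is an added example for these notes, not code from the original page or from the Metasploit project: module paths and option names are the ones shown by show options above, the target is the lab address used in the notes, and the helper names, the .rc/.log file paths and the input validation are this example's own choices.

```sh
#!/bin/sh
# Added example: drive auxiliary/scanner/portscan/* from a resource script instead of
# typing into msfconsole. Module and option names are those from `show options` above;
# the helper names and file paths are assumptions of this example.

# write_portscan_rc MODULE RHOSTS PORTS THREADS RCFILE
#   Validates the arguments and writes an msfconsole resource script to RCFILE.
#   MODULE is one of ack|syn|tcp|xmas (ftpbounce also needs BOUNCEHOST, so it is
#   left out here).
write_portscan_rc() {
  mod=$1; rhosts=$2; ports=$3; threads=$4; rc=$5
  case "$mod" in
    ack|syn|tcp|xmas) ;;
    *) echo "unsupported portscan module: $mod" >&2; return 1 ;;
  esac
  # PORTS takes numbers and ranges separated by commas (e.g. 22-25,80,110-900);
  # reject anything else before it reaches msfconsole.
  case "$ports" in
    ""|*[!0-9,-]*) echo "bad PORTS spec: $ports" >&2; return 1 ;;
  esac
  case "$threads" in
    ""|*[!0-9]*) echo "bad THREADS value: $threads" >&2; return 1 ;;
  esac
  {
    echo "use auxiliary/scanner/portscan/$mod"
    echo "set RHOSTS $rhosts"
    echo "set PORTS $ports"
    echo "set THREADS $threads"
    echo "spool $rc.log"        # copy console output to a log file next to the script
    echo "run"
    echo "spool off"
    echo "exit -y"
  } > "$rc"
}

# needs_root MODULE
#   Returns 0 for modules that build raw packets and sniff replies with pcap
#   (syn, ack, xmas) and 1 for tcp, which uses ordinary connect() sockets.
needs_root() {
  case "$1" in
    syn|ack|xmas) return 0 ;;
    *) return 1 ;;
  esac
}

# run_portscan MODULE RHOSTS PORTS THREADS RCFILE
#   Generates the resource script and executes it; -q suppresses the banner.
run_portscan() {
  write_portscan_rc "$@" || return 1
  if needs_root "$1" && [ "$(id -u)" -ne 0 ]; then
    echo "$1 scanner needs root for raw sockets and packet capture" >&2
    return 1
  fi
  msfconsole -q -r "$5"
}

# Usage (SYN scan of the lab host, ports 1-1000, 50 threads; path is an assumption):
# run_portscan syn 10.10.10.128 1-1000 50 /tmp/syn_scan.rc
```

The root check mirrors the modules' own behaviour: syn, ack and xmas abort without privileges, while tcp runs unprivileged. The spool lines keep a copy of the console output, which is the simplest way to get the module's findings out of msfconsole into other tooling.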
The nmap tool:
```sh
nmap -F 10.10.10.128                                   # fast scan: only the 100 most common ports
nmap -sS -sV -Pn 10.10.10.128                          # TCP SYN scan, probe service versions; -Pn skips host discovery and treats the host as up
nmap -sS -sV -Pn -p21-25 10.10.10.128                  # scan only TCP ports 21-25
nmap -sU 10.10.10.128                                  # scan UDP ports (needs root; slow, and silent ports come back as open|filtered)
nmap -sU -sS -p U:53,111,137,T:21-25 10.10.10.128      # scan the listed UDP and TCP ports in one run
```
OS detection with nmap includes a normal port scan, so a -O run also reports the open ports; it does not probe service versions, which still needs -sV (or -A, which turns on both, plus script scanning and traceroute). -O sends raw probes and needs root.
```sh
nmap -O 10.10.10.128      # fingerprint the OS and report the open ports
```
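The commands above print human-readable tables; once a scan feeds anything else (a diff against last week's scan, a target list for the next tool) you want nmap's grepable output (-oG) reduced to one line per open port. The following POSIX shell functions are an added example for these notes, not code from the original page or from the nmap project. The -oG line layout they parse is nmap's real format; the sample output embedded in the script is constructed for the example rather than captured from a host, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: turn `nmap -oG -` (grepable) output into "host proto port service" lines.
# In -oG output each host line is tab-separated and the "Ports:" field lists entries as
#   port/state/proto/owner/service/rpc_info/version/
# separated by ", ". Only the first five fields are used, because a version string may
# itself contain "/" (e.g. "DAV/2") and would shift anything after it.

# parse_grepable: reads -oG text on stdin, prints "host proto port service" per OPEN port.
# Ports reported as open|filtered (typical for UDP with no reply) are deliberately
# excluded; handle those separately if you need them.
parse_grepable() {
  awk '
    BEGIN { FS = "\t" }
    /^Host:/ {
      split($1, h, " "); host = h[2]            # "Host: 10.10.10.128 ()" -> address
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, p, ", ")
          for (j = 1; j <= n; j++) {
            split(p[j], f, "/")                  # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open") print host, f[3], f[1], f[5]
          }
        }
      }
    }'
}

# count_open: number of open ports in -oG text read from stdin
count_open() {
  parse_grepable | wc -l | tr -d ' '
}

# sample_grepable: CONSTRUCTED -oG sample (not a real capture); the addresses are the
# lab addresses used in the notes above, the services and versions are made up.
sample_grepable() {
  printf '# Nmap scan initiated as: nmap -sS -sU -sV -Pn -oG - 10.10.10.128 10.10.10.130\n'
  printf 'Host: 10.10.10.128 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.128 ()\tPorts: 21/open/tcp//ftp//vsftpd/, 22/open/tcp//ssh//OpenSSH/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd (Ubuntu) DAV/2/\tIgnored State: closed (996)\n'
  printf 'Host: 10.10.10.130 ()\tPorts: 53/open|filtered/udp//domain///, 111/open/udp//rpcbind///\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
}

# scan_open_ports TARGET: run a real scan and reduce it. -sS needs root, so fall back
# to a full connect() scan (-sT) when unprivileged; the output format is identical.
scan_open_ports() {
  if [ "$(id -u)" -eq 0 ]; then probe=-sS; else probe=-sT; fi
  nmap "$probe" -sV -Pn -oG - "$1" | parse_grepable
}

# Demo on the constructed sample (prints four lines: 21, 22 and 80 on .128, udp 111 on .130):
# sample_grepable | parse_grepable
```

Two details worth keeping in mind when reusing this: the filtered port 25 and the open|filtered UDP port 53 in the sample do not appear in the output, which is the right default for "what is actually listening" but hides exactly the ports a firewall-mapping scan (ack above) is interested in; and because the awk splits on "/", anything after the fifth field is untrusted when the version banner contains a slash, so do not extend the script to print f[7] without switching to -oX and a real XML parser.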