好记性不如铅笔头

Security, Operating Systems

Reading notes on 《魔鬼训练营》: scanning for open ports

!!! These notes are for study and exchange only; do not use them for any other purpose !!!

Using Metasploit's built-in scanner modules:

msf> search portscan

Matching Modules
================

   Name                                              Disclosure Date  Rank    Description
   ----                                              ---------------  ----    -----------
   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner
   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner
   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner
   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner
   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner

ack module:

Path: auxiliary/scanner/portscan/ack
Notes: accuracy is not very high (the ACK scan only tells filtered from unfiltered ports, not open from closed)

msf> use auxiliary/scanner/portscan/ack
msf auxiliary(ack) > show options

Module options (auxiliary/scanner/portscan/ack):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(ack) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(ack) > set THREADS 50
THREADS => 50
msf auxiliary(ack) > exploit
...

ftpbounce module:

Path: auxiliary/scanner/portscan/ftpbounce
Notes: accuracy is low (it depends on the FTP relay host, BOUNCEHOST, allowing the PORT command to point at a third host)

msf> use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > show options

Module options (auxiliary/scanner/portscan/ftpbounce):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   BOUNCEHOST                       yes       FTP relay host
   BOUNCEPORT  21                   yes       FTP relay port
   FTPPASS     mozilla@example.com  no        The password for the specified username
   FTPUSER     anonymous            no        The username to authenticate as
   PORTS       1-10000              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                           yes       The target address range or CIDR identifier
   THREADS     1                    yes       The number of concurrent threads

msf auxiliary(ftpbounce) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(ftpbounce) > set PORTS 1-100
PORTS => 1-100
msf auxiliary(ftpbounce) > set BOUNCEHOST 10.10.10.130
BOUNCEHOST => 10.10.10.130
msf auxiliary(ftpbounce) > exploit
...

syn module:

Path: auxiliary/scanner/portscan/syn
Notes: fast and accurate

msf> use auxiliary/scanner/portscan/syn 
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > exploit
...

tcp module:

Path: auxiliary/scanner/portscan/tcp
Notes: slow, accurate, and easily logged (it completes the full connect() handshake, so the target's application and firewall logs record every probe)

msf> use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(tcp) > set THREADS 50
THREADS => 50
msf auxiliary(tcp) > exploit
...

xmas module:

Path: auxiliary/scanner/portscan/xmas
Notes: slow, accurate

msf> use auxiliary/scanner/portscan/xmas
msf auxiliary(xmas) > show options

Module options (auxiliary/scanner/portscan/xmas):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(xmas) > set RHOSTS 10.10.10.128
RHOSTS => 10.10.10.128
msf auxiliary(xmas) > set THREADS 50
THREADS => 50
msf auxiliary(xmas) > exploit
...

nmap:

nmap -F 10.10.10.128 #fast scan (fewer ports than the default)
nmap -sS -sV -Pn 10.10.10.128 #TCP SYN scan, probe service versions, treat the host as online (skip host discovery)
nmap -sS -sV -Pn -p21-25 10.10.10.128 #scan only TCP ports 21-25
nmap -sU 10.10.10.128 #scan UDP ports
nmap -sU -sS -p U:53,111,137,T:21-25 10.10.10.128 #scan the specified TCP and UDP ports
When nmap is used to fingerprint the host, the open ports and version information have in fact already been scanned along the way.
nmap -O 10.10.10.128 #identify the host's OS type and its open ports
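The note on the tcp module says a connect scan is easily logged, and the SYN scans above (the syn module, nmap -sS) leave the same footprint on the target: one source touching many distinct ports within seconds. As an added example (not from the book or this post), the detector below runs over constructed iptables-style LOG lines and flags any source/destination pair that reaches a threshold of distinct destination ports inside a sliding window. The log format, addresses, window and threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the page): iptables LOG lines as syslog would write them.
# 10.10.10.130 probes ports 21-40 of 10.10.10.128 within two seconds (what a connect/SYN
# scan of that range looks like on the target), while 10.10.10.5 makes two ordinary requests.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:0{i // 10} kernel: IN=eth0 SRC=10.10.10.130 DST=10.10.10.128 "
     f"PROTO=TCP SPT={40000 + i} DPT={21 + i} SYN" for i in range(20)]
    + ["2024-05-01T10:00:05 kernel: IN=eth0 SRC=10.10.10.5 DST=10.10.10.128 PROTO=TCP SPT=51000 DPT=80 SYN",
       "2024-05-01T10:00:07 kernel: IN=eth0 SRC=10.10.10.5 DST=10.10.10.128 PROTO=TCP SPT=51001 DPT=443 SYN"]
)

# Timestamp first, then the SRC/DST/PROTO/DPT fields of a TCP LOG entry.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Yield (timestamp, src, dst, dport) for each TCP LOG line; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(log_text, window_seconds=10, port_threshold=15):
    """Return {(src, dst): distinct_ports} for pairs that reach port_threshold distinct
    destination ports within any window_seconds-long sliding window.
    The count recorded is the number of distinct ports at the moment the pair was first flagged."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dport), oldest first
    alerts = {}
    for ts, src, dst, dport in sorted(parse_events(log_text)):
        q = recent[(src, dst)]
        q.append((ts, dport))
        # Drop probes that fell out of the window before counting.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = len(distinct)
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 10s")
```

With an FTP bounce scan the connections arrive from BOUNCEHOST rather than the scanner, so the flagged source is the relay host; the pattern of many distinct ports in a short window is the same.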
