且谈扫描器

Published on Apr 18, 2014

缘起

大概是因为论坛一个毕业去阿里的师兄就这么扫到了一个某品牌摄像头web管理界面。接着,对于我,YD的几周便开始了。各种扫描内网啊,No zuo no die啊= =,然后找到了一大堆开放到内网的摄像头、弱口令ssh、匿名ftp、嵌入式板甚至还有ip电话……独留我风中凌乱。

我准备把常见的东西都研究一圈= =

总之,用到了几种扫描器和自己写的扫描器……

nmap

nmap是一个专业的网络探索和安全审计开源工具。尽管它可以针对主机,却被设计来快速扫描大规模网络。nmap使用IP报文来决定网络上的主机是否可达,主机上哪些服务开放(应用程序名和版本),它们运行着什么样的操作系统,包过滤器和防火墙的情况和许多其它特征。尽管nmap广泛用于安全审计。许多系统和网络管理员在实行日常工作比如网络发现、管理服务升级安排,监控主机或服务启动时间 时都很好用。

nmap的输出是一列被扫描的目标,和有关参数指定的补充信息。常见的比如说端口信息表:

⮀ sudo nmap 10.210.96.193

Starting Nmap 6.25 ( http://nmap.org ) at 2014-04-18 21:44 CST Nmap scan report for 10.210.96.193 Host is up (0.054s latency). Not shown: 996 closed ports PORT STATE SERVICE 21/tcp ssh closed 23/tcp open telnet 50389/tcp filtered unknown MAC Address: 3C:E5:A6:D2:39:AD (Hangzhou H3C Technologies Co.)

(no term)
=open=意味着服务在启动并监听着。比如TCP的三次握手成功建立。
(no term)
=closed=表示该端口上服务关闭。比如收到了目标主机返回的RST.
(no term)
=filtered=意味着有防火墙,过滤器等其它障碍阻塞了端口,以致于nmap不知道端口是=open=还是=closed=。出现这种情况是发出去的探测包没了响应。

如果nmap不能确定到底是哪个状态,这些状态可以写成折中形式=closed|filtered=,表示关闭或者是过滤。

当使用版本探测参数(-sV)时,端口信息表也可以包含具体的服务版本信息。

     ~ ⮀ sudo nmap -sV 10.210.96.193

    Starting Nmap 6.25 ( http://nmap.org ) at 2014-04-18 22:03 CST
    Nmap scan report for 10.210.96.193
    Host is up (0.045s latency).
    Not shown: 996 closed ports
    PORT      STATE    SERVICE VERSION
    23/tcp    open     telnet  H3C switch telnetd
    MAC Address: 3C:E5:A6:D2:39:AD (Hangzhou H3C Technologies Co.)
    Service Info: Device: switch

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 2.88 seconds

当使用IP协议扫描(-sO)时,nmap则提供IP支持的协议而不是端口:

     ~ ⮀ sudo nmap -sO 10.210.96.193

    Starting Nmap 6.25 ( http://nmap.org ) at 2014-04-18 22:02 CST
    Nmap scan report for 10.210.96.193
    Host is up (0.010s latency).
    Not shown: 252 open|filtered protocols
    PROTOCOL STATE  SERVICE
    1        open   icmp
    6        open   tcp
    17       open   udp
    132      closed sctp
    MAC Address: 3C:E5:A6:D2:39:AD (Hangzhou H3C Technologies Co.)

除了端口信息表,nmap提供目标的更多信息,包括反向DNS域名,操作系统猜测,设备类型和MAC地址。

更多参照Nmap Guide

     ~ ⮀ nmap --help
    Nmap 6.25 ( http://nmap.org )
    Usage: nmap [Scan Type(s)] [Options] {target specification}
    TARGET SPECIFICATION:
      Can pass hostnames, IP addresses, networks, etc.
      Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
      -iL <inputfilename>: Input from list of hosts/networks
      -iR <num hosts>: Choose random targets
      --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
      --excludefile <exclude_file>: Exclude list from file
    HOST DISCOVERY:
      -sL: List Scan - simply list targets to scan
      -sn: Ping Scan - disable port scan
      -Pn: Treat all hosts as online -- skip host discovery
      -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
      -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
      -PO[protocol list]: IP Protocol Ping
      -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
      --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
      --system-dns: Use OS's DNS resolver
      --traceroute: Trace hop path to each host
    SCAN TECHNIQUES:
      -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
      -sU: UDP Scan
      -sN/sF/sX: TCP Null, FIN, and Xmas scans
      --scanflags <flags>: Customize TCP scan flags
      -sI <zombie host[:probeport]>: Idle scan
      -sY/sZ: SCTP INIT/COOKIE-ECHO scans
      -sO: IP protocol scan
      -b <FTP relay host>: FTP bounce scan
    PORT SPECIFICATION AND SCAN ORDER:
      -p <port ranges>: Only scan specified ports
        Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
      -F: Fast mode - Scan fewer ports than the default scan
      -r: Scan ports consecutively - don't randomize
      --top-ports <number>: Scan <number> most common ports
      --port-ratio <ratio>: Scan ports more common than <ratio>
    SERVICE/VERSION DETECTION:
      -sV: Probe open ports to determine service/version info
      --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
      --version-light: Limit to most likely probes (intensity 2)
      --version-all: Try every single probe (intensity 9)
      --version-trace: Show detailed version scan activity (for debugging)
    SCRIPT SCAN:
      -sC: equivalent to --script=default
      --script=<Lua scripts>: <Lua scripts> is a comma separated list of 
               directories, script-files or script-categories
      --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
      --script-args-file=filename: provide NSE script args in a file
      --script-trace: Show all data sent and received
      --script-updatedb: Update the script database.
      --script-help=<Lua scripts>: Show help about scripts.
               <Lua scripts> is a comma separted list of script-files or
               script-categories.
    OS DETECTION:
      -O: Enable OS detection
      --osscan-limit: Limit OS detection to promising targets
      --osscan-guess: Guess OS more aggressively
    TIMING AND PERFORMANCE:
      Options which take <time> are in seconds, or append 'ms' (milliseconds),
      's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
      -T<0-5>: Set timing template (higher is faster)
      --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
      --min-parallelism/max-parallelism <numprobes>: Probe parallelization
      --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
          probe round trip time.
      --max-retries <tries>: Caps number of port scan probe retransmissions.
      --host-timeout <time>: Give up on target after this long
      --scan-delay/--max-scan-delay <time>: Adjust delay between probes
      --min-rate <number>: Send packets no slower than <number> per second
      --max-rate <number>: Send packets no faster than <number> per second
    FIREWALL/IDS EVASION AND SPOOFING:
      -f; --mtu <val>: fragment packets (optionally w/given MTU)
      -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
      -S <IP_Address>: Spoof source address
      -e <iface>: Use specified interface
      -g/--source-port <portnum>: Use given port number
      --data-length <num>: Append random data to sent packets
      --ip-options <options>: Send packets with specified ip options
      --ttl <val>: Set IP time-to-live field
      --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
      --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
    OUTPUT:
      -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
         and Grepable format, respectively, to the given filename.
      -oA <basename>: Output in the three major formats at once
      -v: Increase verbosity level (use -vv or more for greater effect)
      -d: Increase debugging level (use -dd or more for greater effect)
      --reason: Display the reason a port is in a particular state
      --open: Only show open (or possibly open) ports
      --packet-trace: Show all packets sent and received
      --iflist: Print host interfaces and routes (for debugging)
      --log-errors: Log errors/warnings to the normal-format output file
      --append-output: Append to rather than clobber specified output files
      --resume <filename>: Resume an aborted scan
      --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
      --webxml: Reference stylesheet from Nmap.Org for more portable XML
      --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
    MISC:
      -6: Enable IPv6 scanning
      -A: Enable OS detection, version detection, script scanning, and traceroute
      --datadir <dirname>: Specify custom Nmap data file location
      --send-eth/--send-ip: Send using raw ethernet frames or IP packets
      --privileged: Assume that the user is fully privileged
      --unprivileged: Assume the user lacks raw socket privileges
      -V: Print version number
      -h: Print this help summary page.
    EXAMPLES:
      nmap -v -A scanme.nmap.org
      nmap -v -sn 192.168.0.0/16 10.0.0.0/8
      nmap -v -iR 10000 -Pn -p 80
    SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

zmap

Zmap是一个开源网络扫描器,旨在帮助研究人员轻松扫描互联网。通过单个机器和可观的上行量,zmap可以在45分钟内扫描整个IPv4地址段,达到以太网的理论上限。

zmap可以研究随时间变化协议的采用情况。检测互联网上可用的服务,让我们更好的理解分布在互联网上的大系统。

详细用法见:Zmap Documentation

Zmap是强有力的工具,但请尊重他人和当地法律。

masscan

号称最快的互联网端口扫描器,它能够在6分钟内扫遍整个互联网,每秒发送十个百万数据包。

它生成类似=nmap=的结果,但内部机理是类似=scanrand=、=unicornscan=和=zmap=异步传输。主要的区别是比它们都快(笑)。另外,它更灵活,允许任意的地址段和端口段。

自由软件。

    ~/ ⮀ masscan --help
    MASSCAN is a fast port scanner. The primary input parameters are the
    IP addresses/ranges you want to scan, and the port numbers. An example
    is the following, which scans the 10.x.x.x network for web servers:
     masscan 10.0.0.0/8 -p80
    The program auto-detects network interface/adapter settings. If this
    fails, you'll have to set these manually. The following is an
    example of all the parameters that are needed:
     --adapter-ip 192.168.10.123
     --adapter-mac 00-11-22-33-44-55
     --router-mac 66-55-44-33-22-11
    Parameters can be set either via the command-line or config-file. The
    names are the same for both. Thus, the above adapter settings would
    appear as follows in a configuration file:
     adapter-ip = 192.168.10.123
     adapter-mac = 00-11-22-33-44-55
     router-mac = 66-55-44-33-22-11
    All single-dash parameters have a spelled out double-dash equivalent,
    so '-p80' is the same as '--ports 80' (or 'ports = 80' in config file).
    To use the config file, type:
     masscan -c <filename>
    To generate a config-file from the current settings, use the --echo
    option. This stops the program from actually running, and just echoes
    the current configuration instead. This is a useful way to generate
    your first config file, or see a list of parameters you didn't know
    about. I suggest you try it now:
     masscan -p1234 --echo

Masscan github页面 Masscan: the entire Internet in 3 minutes

自制扫描器

没啥好说的,拿这gevent写啊……暂时不开源。通常我先用zmap扫端口,然后送给自己的扫描器去扫。