Port Scanning: Principles and Tools - Security Tools Series
A "port" is the exit through which a device communicates with the outside world. Ports are divided into physical ports and virtual ports; virtual ports are the computer's internal ports and are not visible, for example ports 80, 21 and 23 on a computer.
A host with one IP address can offer many services, such as a web service, an FTP service and an SMTP service, and all of them can be served from that single IP address. So how does the host tell the different network services apart? Clearly not by the IP address alone, because the relationship between an IP address and network services is one-to-many. In practice, services are distinguished by "IP address + port number".
Therefore an open port corresponds to a service being offered, and different services use different port numbers. To test a service, first determine whether its port is open.
Port classification
Port range: 0-65535 (2^16 values)
TCP ports and UDP ports. Because TCP and UDP are independent protocols, their port numbers are also independent of each other: TCP can have a port 235 and UDP can also have a port 235, and the two do not conflict.
Ports are divided into:
1. Well-known ports
Well-known ports are the universally known port numbers, ranging from 0 to 1023; port 80 is assigned to the WWW service, port 21 to the FTP service, and so on. When we type a URL into the IE address bar we do not need to specify a port number, because by default the WWW service uses port 80.
2. Dynamic ports
Dynamic ports range from 49152 to 65535. They are called dynamic because they are generally not fixed to a particular service but are allocated dynamically.
3. Registered ports
Ports 1024 to 49151 are allocated to user processes or applications, mainly programs installed by users.
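The two ideas above, "one IP plus a port number identifies a service" and the three port ranges, can be checked from a few lines of Python. The example below is added here and is not code from the original article: `classify_port` maps a number onto the ranges just listed, and `tcp_port_open` performs the most basic port check there is, a TCP connect, against a throwaway listener that the script starts on 127.0.0.1 so that it runs offline. The listener, the "closed" port and the demo function are constructed for the illustration.

```python
import socket
import threading

# Range boundaries from the classification above (IANA port-number ranges).
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151
PORT_MAX = 65535


def classify_port(port: int) -> str:
    """Return which of the three ranges a port number belongs to."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside 0-{PORT_MAX}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check: a completed handshake means a service is listening.

    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED for a
    closed port) otherwise, so a closed port does not raise an exception.
    The same IP answers differently per port: that is "IP + port" in action.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def start_local_listener() -> tuple:
    """Start a throwaway TCP service on 127.0.0.1 (constructed for the demo).

    Binding port 0 lets the OS pick a free ephemeral port. On Linux the default
    ephemeral range is 32768-60999, so the port may land in the "registered"
    range of the classification above: the IANA ranges describe assignment
    policy, not what a given OS actually hands out.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener socket was closed: stop serving
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def find_closed_port() -> int:
    """Reserve a free port, release it at once and return it: nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo() -> dict:
    """Show one IP answering 'open' on a listening port and 'closed' on another."""
    srv, open_port = start_local_listener()
    closed_port = find_closed_port()
    try:
        return {
            "open_port": open_port,
            "open_port_range": classify_port(open_port),
            "open_port_is_open": tcp_port_open("127.0.0.1", open_port),
            "closed_port": closed_port,
            "closed_port_is_open": tcp_port_open("127.0.0.1", closed_port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for p in (21, 80, 1023, 1024, 8080, 49151, 49152, 65535):
        print(f"{p:>5} -> {classify_port(p)}")
    print(demo())
```

A connect check like this is what a quick self-audit of a server looks like: run it against your own host's listening ports and compare the result with what you expect to be exposed. Nmap's default scan is a SYN scan rather than a full connect, but the open/closed decision rests on the same handshake semantics.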
Port scanning tool: Nmap
1. Use Nmap to find a host's TCP ports
`-O`: obtain operating system version information
```
root@kali:~# nmap -O 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:06 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00044s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds
```
2. Use Nmap to find UDP ports
`-sU`: UDP scan, i.e. scan UDP ports
`-Pn`: do not ping-probe the target (skip the check of whether the host is online and scan the ports directly)
UDP port scanning is comparatively slow: scanning all 60,000-odd ports takes around 20 minutes.
```
root@kali:~# nmap -sU 10.0.2.5 -Pn -p1-100,138,808
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 21:51 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00063s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
53/udp open domain
68/udp open|filtered dhcpc
69/udp open|filtered tftp
138/udp open|filtered netbios-dgm
808/udp open|filtered unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 104.80 seconds
```
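Two things in the TCP and UDP reports above deserve a closer look before anyone acts on them. First, with `-Pn` the "Host is up" line is an assumption, not a measurement, because the ping probe was skipped. Second, `open|filtered` is not the same as `open`: for UDP, a port that simply never answers looks identical to one behind a packet filter, so four of the five UDP results are unconfirmed. The script below is an added example, not code from the original article or from the Nmap project: it parses the per-port lines of Nmap's normal output (the excerpts are copied from the two scans above), tallies the states with their meanings, and compares the result against a baseline of expected ports, keeping unconfirmed UDP results apart from confirmed listeners. The `EXPECTED` baseline is constructed for the illustration.

```python
import re
from collections import Counter

# Per-port lines of Nmap's normal output, e.g. "69/udp open|filtered tftp"
# or "80/tcp open http Apache httpd 2.2.8". Header lines ("PORT STATE ...")
# start with letters and therefore do not match.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# What each Nmap port state means (as defined in the Nmap reference guide).
STATE_MEANING = {
    "open": "an application accepts TCP connections or UDP datagrams here",
    "closed": "the port is reachable but nothing listens on it",
    "filtered": "probes are dropped (packet filter); no conclusion about a listener",
    "open|filtered": "no response at all: Nmap cannot tell open from filtered (typical for UDP)",
    "unfiltered": "reachable, but open vs. closed undetermined (ACK scan only)",
    "closed|filtered": "cannot tell closed from filtered (idle scan only)",
}

# Input excerpted from the two scans above (TCP with -O, UDP with -sU -Pn).
TCP_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
3306/tcp open mysql
"""
UDP_SCAN = """\
PORT STATE SERVICE
53/udp open domain
68/udp open|filtered dhcpc
69/udp open|filtered tftp
138/udp open|filtered netbios-dgm
808/udp open|filtered unknown
"""

# Baseline of what this host is supposed to expose (constructed for the example).
EXPECTED = {("tcp", 22), ("tcp", 80), ("udp", 53)}


def parse_ports(output: str) -> list:
    """Extract (port, proto, state, service, version) dicts from normal output."""
    entries = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entries.append(entry)
    return entries


def summarize(entries: list) -> Counter:
    """Count results per protocol/state, e.g. Counter({'udp/open|filtered': 4, ...})."""
    return Counter(f"{e['proto']}/{e['state']}" for e in entries)


def unexpected_open(entries: list, allowlist: set) -> tuple:
    """Split ports outside the baseline into confirmed-open and unconfirmed.

    'open' is a confirmed listener. 'open|filtered' only says the probe got no
    answer, so those ports are listed separately for follow-up (for UDP, Nmap's
    -sV sends protocol-specific payloads and can often resolve the ambiguity).
    """
    confirmed, unconfirmed = [], []
    for e in entries:
        key = (e["proto"], e["port"])
        if key in allowlist:
            continue
        if e["state"] == "open":
            confirmed.append(key)
        elif e["state"] == "open|filtered":
            unconfirmed.append(key)
    return confirmed, unconfirmed


if __name__ == "__main__":
    found = parse_ports(TCP_SCAN) + parse_ports(UDP_SCAN)
    for key, count in sorted(summarize(found).items()):
        state = key.split("/", 1)[1]
        print(f"{key:<22} {count:>3}   {STATE_MEANING[state]}")
    confirmed, unconfirmed = unexpected_open(found, EXPECTED)
    print("not in baseline, confirmed open:", confirmed)
    print("not in baseline, unconfirmed (open|filtered):", unconfirmed)
```

Running the same comparison against a saved baseline after every scheduled scan is a cheap way to notice a newly exposed service; the parser above handles Nmap's default normal output, but for anything automated `-oX` (XML) or `-oG` (grepable) is the more stable format to consume.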
3. Use Nmap to grab port banners
Only ports that return banner information are shown; ports without one return nothing.
```
root@kali:~# nmap 10.0.2.5 --script banner -Pn -p1-100
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:04 EDT
Nmap scan report for 10.0.2.5
Host is up (0.000080s latency).
Not shown: 94 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp open smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open domain
80/tcp open http
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 16.33 seconds
```
4. Use Nmap to sniff service version information
If no banner is returned, this method can also be used to try to sniff the service version.
```
root@kali:~# nmap -p80 -sV 10.0.2.5 -Pn
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:04 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds
```
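The banner and `-sV` sections show why version disclosure matters to a defender: three of the four banners above hand over the exact product and version (vsFTPd 2.3.4, OpenSSH 4.7p1, Postfix) without any authentication, which is precisely the information patch tracking needs and an attacker wants. The telnet "banner" is different: those `\xFF\xFD` bytes are not a version string but the telnet option negotiation (IAC DO ...) that telnetd sends on connect. The example below is added here and is not the article's or Nmap's code: it takes the four banners printed above, reverses Nmap's `\xHH` escaping, decodes the telnet negotiation, and pulls protocol and software fields out of the SSH identification string and the FTP/SMTP greetings. The RFC-based constants and regexes are mine; the banner texts are copied from the scan.

```python
import re

# Telnet protocol constants (RFC 854/855). A telnetd opens the session with
# option negotiation, which Nmap prints with non-printable bytes as \xHH.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
COMMAND_NAMES = {DONT: "DONT", DO: "DO", WONT: "WONT", WILL: "WILL"}
OPTION_NAMES = {24: "TERMINAL-TYPE", 32: "TERMINAL-SPEED",
                35: "X-DISPLAY-LOCATION", 39: "NEW-ENVIRON"}

# Banners copied from the --script banner run above (port -> banner text).
BANNERS = {
    21: r"220 (vsFTPd 2.3.4)",
    22: r"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1",
    23: r"\xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'",
    25: r"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)",
}

ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments"
SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")
# FTP (RFC 959) and SMTP (RFC 5321) greet with a three-digit reply code.
GREETING = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")


def unescape_nmap(text: str) -> bytes:
    """Turn Nmap's \\xHH escapes back into raw bytes; other characters are literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_telnet(raw: bytes) -> list:
    """List the IAC <command> <option> triples in a telnet negotiation."""
    commands = []
    i = 0
    while i < len(raw):
        if raw[i] == IAC and i + 2 < len(raw) and raw[i + 1] in COMMAND_NAMES:
            option = raw[i + 2]
            commands.append(f"{COMMAND_NAMES[raw[i + 1]]} {OPTION_NAMES.get(option, str(option))}")
            i += 3
        else:
            i += 1
    return commands


def parse_banner(banner: str) -> dict:
    """Classify a banner and extract what it discloses."""
    raw = unescape_nmap(banner)
    if raw[:1] == bytes([IAC]):
        return {"kind": "telnet", "negotiation": decode_telnet(raw), "version": None}
    m = SSH_ID.match(banner)
    if m:
        product, _, version = m.group("software").partition("_")
        return {"kind": "ssh", "protocol": m.group("proto"), "product": product,
                "version": version or None, "comment": m.group("comment")}
    m = GREETING.match(banner)
    if m:
        return {"kind": "greeting", "code": int(m.group("code")), "version": m.group("text")}
    return {"kind": "unknown", "version": None}


if __name__ == "__main__":
    for port, banner in BANNERS.items():
        print(port, parse_banner(banner))
```

Two caveats when you use banners for inventory. A banner is free text that the administrator can change (Apache's `ServerTokens`, Postfix's `smtpd_banner`, and so on), so treat it as a claim and let `-sV`, which also probes behaviour, corroborate it. And the fact that the telnet banner contains no version at all is exactly why section 4 exists: where the greeting says nothing, version detection has to send its own probes.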
5. Use nmap to run a complete test against the target
When you are testing the target in depth and have authorization, you can use nmap to run a complete test against it.
```
root@kali:~# nmap -A -v 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:14 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating ARP Ping Scan at 22:14
Scanning 10.0.2.5 [1 port]
Completed ARP Ping Scan at 22:14, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.01s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning 10.0.2.5 [1000 ports]
Discovered open port 3306/tcp on 10.0.2.5
Discovered open port 21/tcp on 10.0.2.5
Discovered open port 445/tcp on 10.0.2.5
Discovered open port 23/tcp on 10.0.2.5
Discovered open port 5900/tcp on 10.0.2.5
Discovered open port 53/tcp on 10.0.2.5
Discovered open port 80/tcp on 10.0.2.5
Discovered open port 139/tcp on 10.0.2.5
Discovered open port 25/tcp on 10.0.2.5
Discovered open port 22/tcp on 10.0.2.5
Discovered open port 111/tcp on 10.0.2.5
Discovered open port 2049/tcp on 10.0.2.5
Discovered open port 6000/tcp on 10.0.2.5
Discovered open port 512/tcp on 10.0.2.5
Discovered open port 5432/tcp on 10.0.2.5
Discovered open port 514/tcp on 10.0.2.5
Discovered open port 1099/tcp on 10.0.2.5
Discovered open port 8009/tcp on 10.0.2.5
Discovered open port 513/tcp on 10.0.2.5
Discovered open port 1524/tcp on 10.0.2.5
Discovered open port 2121/tcp on 10.0.2.5
Discovered open port 8180/tcp on 10.0.2.5
Discovered open port 6667/tcp on 10.0.2.5
Completed SYN Stealth Scan at 22:14, 0.16s elapsed (1000 total ports)
Initiating Service scan at 22:14
Scanning 23 services on 10.0.2.5
Completed Service scan at 22:15, 11.16s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 10.0.2.5
NSE: Script scanning 10.0.2.5.
Initiating NSE at 22:15
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 22:15, 15.69s elapsed
Initiating NSE at 22:15
Completed NSE at 22:15, 0.02s elapsed
Nmap scan report for 10.0.2.5
Host is up (0.00034s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.2.7
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-04-11T02:15:12+00:00; 0s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/udp nfs
| 100005 1,2,3 39599/udp mountd
| 100005 1,2,3 53020/tcp mountd
| 100021 1,3,4 34000/tcp nlockmgr
| 100021 1,3,4 53718/udp nlockmgr
| 100024 1 34334/udp status
|_ 100024 1 56859/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi Java RMI Registry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 9
| Capabilities flags: 43564
| Some Capabilities: Support41Auth, SupportsTransactions, ConnectWithDatabase, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression
| Status: Autocommit
|_ Salt: !_>Wz"5%YoDElpo]bSYG
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2019-04-11T02:15:12+00:00; 0s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 0:29:23
| source ident: nmap
| source host: FCCB13B2.EB72D3BE.7B559A54.IP
|_ error: Closing Link: ffbyostgq[10.0.2.7] (Quit: ffbyostgq)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.017 days (since Wed Apr 10 21:50:31 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=190 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2019-04-10T22:15:10-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.34 ms 10.0.2.5
NSE: Script Post-scanning.
Initiating NSE at 22:15
Completed NSE at 22:15, 0.00s elapsed
Initiating NSE at 22:15
Completed NSE at 22:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
```
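`-A` turns on version detection, OS detection, the default NSE script set and traceroute in one go, which is why the report above runs to several screens. The useful part for a defender is not the raw listing but the triage: which open ports carry credentials in cleartext, which script results describe a weak configuration, and which version strings belong in the patch inventory. The example below is added here and is not code from the original article or from Nmap: it groups each port row of the report with the NSE script lines printed beneath it (the input is an excerpt copied from the scan above) and applies a handful of hardening checks that are visible in that output: cleartext protocols by service name, `ftp-anon` reporting anonymous login, `sslv2` reporting SSLv2 support, and the `bindshell` service. The check list and its wording are mine.

```python
import re

# Per-port line of Nmap's normal output ("PORT STATE SERVICE VERSION" rows).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Excerpt of the nmap -A report above; "|"-prefixed lines are NSE script output.
SCAN_EXCERPT = """\
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| Control connection is plain text
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
| sslv2:
| SSLv2 supported
| ciphers:
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
1524/tcp open bindshell Metasploitable root shell
5900/tcp open vnc VNC (protocol 3.3)
"""

# Services whose credentials or sessions travel unencrypted (service name as
# Nmap prints it -> human name). 514/tcp shows as "tcpwrapped" above, so it is
# not matched by name: a limit of relying on the SERVICE column alone.
CLEARTEXT = {"telnet": "telnet", "ftp": "FTP", "exec": "rexec", "login": "rlogin", "shell": "rsh"}


def parse_report(text: str) -> list:
    """Group each port row with the NSE script lines printed beneath it."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = m.groupdict()
            current["port"] = int(current["port"])
            current["version"] = current["version"].strip()
            current["scripts"] = []
            ports.append(current)
        elif line.startswith("|") and current is not None:
            # Drop the "| " / "|_ " prefix Nmap uses for script output.
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports


def review(ports: list) -> list:
    """Return (port/proto, finding) pairs for items that need hardening."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']}"
        scripts = " ".join(p["scripts"])
        if p["service"] in CLEARTEXT:
            findings.append((tag, f"{CLEARTEXT[p['service']]} transmits credentials in cleartext; "
                                  "move to SSH/SFTP/TLS or firewall it"))
        if "Anonymous FTP login allowed" in scripts:
            findings.append((tag, "anonymous FTP login enabled; disable unless intentionally public"))
        if "SSLv2 supported" in scripts:
            findings.append((tag, "SSLv2 offered; disable it and allow only TLS 1.2+"))
        if p["service"] == "bindshell":
            findings.append((tag, "unauthenticated shell service listening; remove it"))
    return findings


def inventory(ports: list) -> dict:
    """port/proto -> version string for patch tracking (empty if -sV found none)."""
    return {f"{p['port']}/{p['proto']}": p["version"] for p in ports if p["state"] == "open"}


if __name__ == "__main__":
    parsed = parse_report(SCAN_EXCERPT)
    for tag, finding in review(parsed):
        print(f"{tag:<10} {finding}")
    print(inventory(parsed))
```

The script deliberately only checks what the scan itself states; it does not guess at vulnerabilities from version numbers. Matching versions against advisories is a separate step, and for that the `inventory()` output, or better the XML from `-oX`, is what you feed into the vulnerability-management tooling.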
Nmap has many other uses; a Chinese Nmap manual is provided for you to study on your own.
An excerpt of a port penetration table follows.
| Port | Description | Attack techniques |
|---|---|---|
| 21/22/69 | ftp/tftp: file transfer protocols | brute force, sniffing, overflow, backdoor |
| 22 | ssh: remote login | brute force, OpenSSH, 28 backspaces |
| 23 | telnet: remote login | brute force, sniffing |
| 25 | smtp: mail service | mail forgery |
| 53 | DNS: Domain Name System | DNS zone transfer, DNS hijacking, DNS cache poisoning, DNS spoofing, deep exploitation (DNS tunnelling through the firewall) |
| 67/68 | dhcp | hijacking, spoofing |
| 110 | pop3 | brute force |
| 139 | samba | brute force, unauthorized access, remote code execution |
| 143 | imap | brute force |
| 161 | snmp | brute force |
| 389 | ldap | injection attacks, unauthorized access |
| 512/513/514 | Linux r-services | direct use of rlogin |
| 873 | rsync | unauthorized access |
| 1080 | socket | brute force (for internal network penetration) |
| 1352 | lotus | brute force (weak passwords), information disclosure (source code) |
| 1433 | mssql | brute force (logging in as system users), injection attacks |
| 1521 | oracle | brute force (TNS), injection attacks |
| 2049 | nfs | misconfiguration |
| 2181 | zookeeper | unauthorized access |
| 3306 | mysql | brute force, denial of service, injection |
| 3389 | rdp | brute force, shift backdoor |
| 4848 | glassfish | brute force (weak console password), authentication bypass |
| 5000 | sybase/DB2 | brute force, injection |
| 5432 | postgresql | buffer overflow, injection attacks, brute force (weak passwords) |
| 5632 | pcanywhere | denial of service, code execution |
| 5900 | vnc | brute force (weak passwords), authentication bypass |
| 6379 | redis | unauthorized access, brute force (weak passwords) |
| 7001 | weblogic | Java deserialization, weak console password, deploying a webshell through the console |
| 80/443/8080 | web | common web attacks, console brute force, vulnerabilities of the corresponding server version |
| 8069 | zabbix | remote command execution |
| 9090 | websphere console | brute force (weak console password), Java deserialization |
| 9200/9300 | elasticsearch | remote code execution |
| 11211 | memcache/memcached | unauthorized access |
| 27017 | mongodb | brute force, unauthorized access |