Nmap的基本使用：识别服务指纹

服务指纹

服务指纹信息包括服务端口、服务名和版本等。通过nmap的服务指纹分析，我们可以得到更有价值的信息，但更加耗时，且容易被察觉（因为这会产生更多的数据流量）。

Nmap识别服务指纹

通过-sV参数，获取远程机器所启用的服务。下面还是使用之前的靶机。

nmap -sV 192.168.0.204

PS C:\Users\bkryofu> nmap -sV 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 01:58 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.0.204
Host is up (0.00s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.38
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp  open  ssl/http    Apache httpd 2.4.38
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 2.2
6566/tcp open  sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Service Info: Hosts: server.kawashiros.club, SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.14 seconds

执行该命令后，nmap不仅返回了靶机开放的端口，还识别出了开放对应端口的服务（VERSION列）。通过这些获取服务的指纹。

Nmap的侵略性探测

（一）

使用命令nmap -A -v -T4 [IP]来探测目标机器的操作系统、服务等信息。

• -A：使用侵略性策略探测；
• -v：持续输出返回的解析；
• -T4：速度。可调节最低为T1，最高为T5。

还是使用刚刚的靶机测试。这里我把Apache2关了，因为⬛⬛⬛⬛⬛⬛⬛⬛

nmap -A -v -T4 192.168.0.204

PS C:\Users\bkryofu> nmap -A -v -T4 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 02:23 ?D1ú±ê×?ê±??
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating ARP Ping Scan at 02:23
Scanning 192.168.0.204 [1 port]
Completed ARP Ping Scan at 02:23, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:23
Completed Parallel DNS resolution of 1 host. at 02:23, 0.02s elapsed
Initiating SYN Stealth Scan at 02:23
Scanning 192.168.0.204 [1000 ports]
Discovered open port 445/tcp on 192.168.0.204
Discovered open port 22/tcp on 192.168.0.204
Discovered open port 21/tcp on 192.168.0.204
Discovered open port 139/tcp on 192.168.0.204
Discovered open port 631/tcp on 192.168.0.204
Discovered open port 6566/tcp on 192.168.0.204
Completed SYN Stealth Scan at 02:23, 0.10s elapsed (1000 total ports)
Initiating Service scan at 02:23
Scanning 6 services on 192.168.0.204
Completed Service scan at 02:23, 11.04s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.204
NSE: Script scanning 192.168.0.204.
Initiating NSE at 02:23
Completed NSE at 02:23, 22.27s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.14s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Nmap scan report for 192.168.0.204
Host is up (0.00063s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c4:17:df:33:57:cb:50:cb:a0:45:84:0b:c7:56:6c:84 (RSA)
|   256 e5:47:d0:3e:18:f7:21:23:81:7a:c7:2b:bb:50:c5:c0 (ECDSA)
|_  256 0a:c5:b9:28:1f:f6:c3:56:a0:2e:96:55:fe:ab:80:7d (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 2.2
| http-methods:
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.10
6566/tcp open  sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.3
Uptime guess: 45.082 days (since Fri Dec 25 00:25:36 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   SERVER<00>           Flags: <unique><active>
|   SERVER<03>           Flags: <unique><active>
|   SERVER<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: server
|   NetBIOS computer name: SERVER\x00
|   Domain name: kawashiros.club
|   FQDN: server.kawashiros.club
|_  System time: 2021-02-08T02:23:20+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-07T18:23:20
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.63 ms 192.168.0.204

NSE: Script Post-scanning.
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.91 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1019 (41.502KB)

在这里，nmap为我们输出了更为详细的信息。包括靶机的内核版本、估算的靶机运行时长、服务的详细信息等。可以说查到连内裤都不剩。

（二）

使用nmap -sC -sV -O [IP]也可以探测目标机器的操作系统、服务等信息。

• -sC：使用Nmap脚本进行探测；
• -sV：探测目标机器上的服务指纹信息；
• -O：探测目标机器上的操作系统信息。

nmap -sC -sV -O 192.168.0.204

PS C:\Users\bkryofu> nmap -sC -sV -O 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 02:36 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.0.204
Host is up (0.0014s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c4:17:df:33:57:cb:50:cb:a0:45:84:0b:c7:56:6c:84 (RSA)
|   256 e5:47:d0:3e:18:f7:21:23:81:7a:c7:2b:bb:50:c5:c0 (ECDSA)
|_  256 0a:c5:b9:28:1f:f6:c3:56:a0:2e:96:55:fe:ab:80:7d (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp  open  ipp         CUPS 2.2
| http-methods:
|_  Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.10
6566/tcp open  sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: Host: SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: server
|   NetBIOS computer name: SERVER\x00
|   Domain name: kawashiros.club
|   FQDN: server.kawashiros.club
|_  System time: 2021-02-08T02:37:15+08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-07T18:37:15
|_  start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.31 seconds

和nmap -A -v -T4返回的结果没有多大区别。

参考

• Nmap-03:Nmap识别目标机器上服务的指纹_敲代码的乔帮主-CSDN博客
• 服务指纹分析_asdushf的博客-CSDN博客