Service fingerprints

Service fingerprint information includes the service port, the service name and the version. Nmap's service fingerprint analysis gives us more valuable information, but it takes longer and is easier to notice (because it generates more traffic).

Identifying service fingerprints with Nmap

With the -sV option we obtain the services enabled on the remote machine. The same target machine as before is used below.

nmap -sV 192.168.0.204

PS C:\Users\bkryofu> nmap -sV 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 01:58 中国标准时间
Nmap scan report for 192.168.0.204
Host is up (0.00s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http Apache httpd 2.4.38
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
6566/tcp open sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Service Info: Hosts: server.kawashiros.club, SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.14 seconds

After running this command, nmap not only returns the target's open ports but also identifies the service listening on each of them (the VERSION column). These are the service fingerprints we are after.

Nmap's aggressive probing

(1)

Use the command nmap -A -v -T4 [IP] to probe the target machine's operating system, services and other information.

  • -A: probe with the aggressive strategy;
  • -v: continuously output the parsed results as they come in;
  • -T4: timing. It can be adjusted from a minimum of T1 to a maximum of T5.

The same target machine as before is used for the test. Here I shut down Apache2, because ⬛⬛⬛⬛⬛⬛⬛⬛

nmap -A -v -T4 192.168.0.204

PS C:\Users\bkryofu> nmap -A -v -T4 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 02:23 中国标准时间
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating ARP Ping Scan at 02:23
Scanning 192.168.0.204 [1 port]
Completed ARP Ping Scan at 02:23, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:23
Completed Parallel DNS resolution of 1 host. at 02:23, 0.02s elapsed
Initiating SYN Stealth Scan at 02:23
Scanning 192.168.0.204 [1000 ports]
Discovered open port 445/tcp on 192.168.0.204
Discovered open port 22/tcp on 192.168.0.204
Discovered open port 21/tcp on 192.168.0.204
Discovered open port 139/tcp on 192.168.0.204
Discovered open port 631/tcp on 192.168.0.204
Discovered open port 6566/tcp on 192.168.0.204
Completed SYN Stealth Scan at 02:23, 0.10s elapsed (1000 total ports)
Initiating Service scan at 02:23
Scanning 6 services on 192.168.0.204
Completed Service scan at 02:23, 11.04s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.204
NSE: Script scanning 192.168.0.204.
Initiating NSE at 02:23
Completed NSE at 02:23, 22.27s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.14s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Nmap scan report for 192.168.0.204
Host is up (0.00063s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c4:17:df:33:57:cb:50:cb:a0:45:84:0b:c7:56:6c:84 (RSA)
| 256 e5:47:d0:3e:18:f7:21:23:81:7a:c7:2b:bb:50:c5:c0 (ECDSA)
|_ 256 0a:c5:b9:28:1f:f6:c3:56:a0:2e:96:55:fe:ab:80:7d (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.10
6566/tcp open sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6, Linux 5.0 - 5.3
Uptime guess: 45.082 days (since Fri Dec 25 00:25:36 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=251 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: 0s
| nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SERVER<00> Flags: <unique><active>
| SERVER<03> Flags: <unique><active>
| SERVER<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: server
| NetBIOS computer name: SERVER\x00
| Domain name: kawashiros.club
| FQDN: server.kawashiros.club
|_ System time: 2021-02-08T02:23:20+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-07T18:23:20
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.63 ms 192.168.0.204

NSE: Script Post-scanning.
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Initiating NSE at 02:23
Completed NSE at 02:23, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.91 seconds
Raw packets sent: 1023 (45.806KB) | Rcvd: 1019 (41.502KB)

Here nmap gives us far more detailed output, including the target's kernel version, its estimated uptime, detailed service information and so on. You could say it strips the machine down to its underwear.
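The -sV and -A reports above are only useful to a defender once they are turned into an inventory and compared with what should be exposed. The following added example (not code from the original post) parses the port table and the NSE script lines of an nmap text report, then audits them against an allow-list of expected ports and version strings; the sample report, the allow-list and the RISKY patterns are constructed for this example.

```python
import re

# Constructed excerpt in the same format as an `nmap -A` report (not the page's own output).
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
| http-methods:
|_ Potentially risky methods: PUT
6566/tcp open sane-port?

Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|_ Message signing enabled but not required
"""

# "21/tcp open ftp vsftpd 3.0.3" -> port, proto, state, service, version (version may be empty).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE output lines start with "|" or "|_"; keep the text after the prefix.
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*)$")

def parse_report(report):
    """Return ({(port, proto): {state, service, version}}, [(owner, text)]) from nmap normal output.
    Script lines are attached to the port entry above them, or to "host" after 'Host script results:'."""
    services, findings, current = {}, [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = (int(port), proto)
            services[current] = {"state": state, "service": name, "version": version}
            continue
        if line.startswith("Host script results:"):
            current = "host"
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            findings.append((current, m.group(1)))
    return services, findings

# Script-output fragments worth flagging; constructed for this example.
RISKY = ("message_signing: disabled", "Message signing enabled but not required", "Potentially risky methods")

def audit(services, findings, baseline):
    """baseline: allow-list {(port, proto): expected version substring}.
    Returns (open ports missing from the baseline, baseline ports whose version drifted, risky findings)."""
    unexpected = sorted(k for k, v in services.items() if v["state"] == "open" and k not in baseline)
    drift = sorted(k for k, want in baseline.items() if k in services and want not in services[k]["version"])
    risky = [(where, text) for where, text in findings if any(p in text for p in RISKY)]
    return unexpected, drift, risky
```

Feed it the saved output of a scheduled scan and alert on any non-empty list; the baseline is the one place to record which exposures are intentional.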

(2)

nmap -sC -sV -O [IP] can also be used to probe the target machine's operating system, services and other information.

  • -sC: probe with Nmap's default scripts;
  • -sV: probe the service fingerprint information on the target machine;
  • -O: probe the operating system information of the target machine.

nmap -sC -sV -O 192.168.0.204

PS C:\Users\bkryofu> nmap -sC -sV -O 192.168.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-08 02:36 中国标准时间
Nmap scan report for 192.168.0.204
Host is up (0.0014s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c4:17:df:33:57:cb:50:cb:a0:45:84:0b:c7:56:6c:84 (RSA)
| 256 e5:47:d0:3e:18:f7:21:23:81:7a:c7:2b:bb:50:c5:c0 (ECDSA)
|_ 256 0a:c5:b9:28:1f:f6:c3:56:a0:2e:96:55:fe:ab:80:7d (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
| http-methods:
|_ Potentially risky methods: PUT
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Home - CUPS 2.2.10
6566/tcp open sane-port?
MAC Address: 00:1A:A9:91:E1:01 (Fujian Star-net Communication)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: Host: SERVER; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m00s, deviation: 4h37m07s, median: -1s
|_nbstat: NetBIOS name: SERVER, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: server
| NetBIOS computer name: SERVER\x00
| Domain name: kawashiros.club
| FQDN: server.kawashiros.club
|_ System time: 2021-02-08T02:37:15+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-07T18:37:15
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.31 seconds

The result is not much different from what nmap -A -v -T4 returned.

References