端口扫描原理及工具 - 安全工具篇

"端口"是英文port的意译,可以认为是设备与外界通讯交流的出口。端口可分为虚拟端口和物理端口,其中虚拟端口指计算机内部端口,不可见。例如计算机中的80端口、21端口、23端口等。

一台拥有IP地址的主机可以提供许多服务,比如Web服务、FTP服务、SMTP服务等,这些服务完全可以通过1个IP地址来实现。那么,主机是怎样区分不同的网络服务呢?显然不能只靠IP地址,因为IP 地址与网络服务的关系是一对多的关系。实际上是通过“IP地址+端口号”来区分不同的服务的。

因此,一个开放的端口代表一个提供的服务,不同的服务具有不同的端口号,因此要对服务进行测试,首先要确定是否开放对应端口号

端口的分类

端口范围:0-65535(2^16)

TCP端口和UDP端口。由于TCP和UDP 两个协议是独立的,因此各自的端口号也相互独立,比如TCP有235端口,UDP也 可以有235端口,两者并不冲突。

端口分为:

1、周知端口
周知端口是众所周知的端口号,范围从0到1023,其中80端口分配给WWW服务,21端口分配给FTP服务等。我们在IE的地址栏里输入一个网址的时候是不必指定端口号的,因为在默认情况下WWW服务的端口是“80”。

2、动态端口
动态端口的范围是从49152到65535。之所以称为动态端口,是因为它 一般不固定分配某种服务,而是动态分配。

3、注册端口
端口1024到49151,分配给用户进程或应用程序。这些进程主要是用户安装的程序。

端口扫描工具-Nmap

1、使用Nmap工具查找ip的tcp端口
-O:获取操作系统版本信息

root@kali:~# nmap -O 10.0.2.5 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:06 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00044s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

2、使用Nmap工具查找udp端口
-sU:表示udp scan , udp端口扫描
-Pn:不对目标进行ping探测(不判断主机是否在线)(直接扫描端口)
对于udp端口扫描比较慢,扫描完6万多个端口需要20分钟左右

root@kali:~# nmap -sU 10.0.2.5  -Pn -p1-100,138,808
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 21:51 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00063s latency).
Not shown: 97 closed ports
PORT    STATE         SERVICE
53/udp  open          domain
68/udp  open|filtered dhcpc
69/udp  open|filtered tftp
138/udp open|filtered netbios-dgm
808/udp open|filtered unknown
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 104.80 seconds

3、使用Nmap工具获取端口Banner
只会返回有Banner信息的,没有则不会返回。

root@kali:~# nmap 10.0.2.5 --script banner  -Pn  -p1-100 
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:04 EDT
Nmap scan report for 10.0.2.5
Host is up (0.000080s latency).
Not shown: 94 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp open  telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp open  smtp
|_banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
53/tcp open  domain
80/tcp open  http
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.33 seconds

4、使用Nmap嗅探服务版本信息
如果没有返回banner信息的,也可以使用该方法尝试嗅探服务版本信息。

root@kali:~# nmap -p80  -sV 10.0.2.5  -Pn  
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:04 EDT
Nmap scan report for 10.0.2.5
Host is up (0.00031s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.95 seconds

5、利用nmap对目标进行完整测试
在针对内容测试时,有授权的情况下,可以利用nmap对目标进行完整测试

root@kali:~# nmap -A -v 10.0.2.5
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-10 22:14 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating NSE at 22:14
Completed NSE at 22:14, 0.00s elapsed
Initiating ARP Ping Scan at 22:14
Scanning 10.0.2.5 [1 port]
Completed ARP Ping Scan at 22:14, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:14
Completed Parallel DNS resolution of 1 host. at 22:14, 0.01s elapsed
Initiating SYN Stealth Scan at 22:14
Scanning 10.0.2.5 [1000 ports]
Discovered open port 3306/tcp on 10.0.2.5
Discovered open port 21/tcp on 10.0.2.5
Discovered open port 445/tcp on 10.0.2.5
Discovered open port 23/tcp on 10.0.2.5
Discovered open port 5900/tcp on 10.0.2.5
Discovered open port 53/tcp on 10.0.2.5
Discovered open port 80/tcp on 10.0.2.5
Discovered open port 139/tcp on 10.0.2.5
Discovered open port 25/tcp on 10.0.2.5
Discovered open port 22/tcp on 10.0.2.5
Discovered open port 111/tcp on 10.0.2.5
Discovered open port 2049/tcp on 10.0.2.5
Discovered open port 6000/tcp on 10.0.2.5
Discovered open port 512/tcp on 10.0.2.5
Discovered open port 5432/tcp on 10.0.2.5
Discovered open port 514/tcp on 10.0.2.5
Discovered open port 1099/tcp on 10.0.2.5
Discovered open port 8009/tcp on 10.0.2.5
Discovered open port 513/tcp on 10.0.2.5
Discovered open port 1524/tcp on 10.0.2.5
Discovered open port 2121/tcp on 10.0.2.5
Discovered open port 8180/tcp on 10.0.2.5
Discovered open port 6667/tcp on 10.0.2.5
Completed SYN Stealth Scan at 22:14, 0.16s elapsed (1000 total ports)
Initiating Service scan at 22:14
Scanning 23 services on 10.0.2.5
Completed Service scan at 22:15, 11.16s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 10.0.2.5
NSE: Script scanning 10.0.2.5.
Initiating NSE at 22:15
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 22:15, 15.69s elapsed
Initiating NSE at 22:15
Completed NSE at 22:15, 0.02s elapsed
Nmap scan report for 10.0.2.5
Host is up (0.00034s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.0.2.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
|_ssl-date: 2019-04-11T02:15:12+00:00; 0s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_RC2_128_CBC_WITH_MD5
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      39599/udp  mountd
|   100005  1,2,3      53020/tcp  mountd
|   100021  1,3,4      34000/tcp  nlockmgr
|   100021  1,3,4      53718/udp  nlockmgr
|   100024  1          34334/udp  status
|_  100024  1          56859/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, ConnectWithDatabase, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: !_>Wz"5%YoDElpo]bSYG
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2019-04-11T02:15:12+00:00; 0s from scanner time.
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 0:29:23
|   source ident: nmap
|   source host: FCCB13B2.EB72D3BE.7B559A54.IP
|_  error: Closing Link: ffbyostgq[10.0.2.7] (Quit: ffbyostgq)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.017 days (since Wed Apr 10 21:50:31 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=190 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:  (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: 
|   METASPLOITABLE<03>   Flags: 
|   METASPLOITABLE<20>   Flags: 
|   \x01\x02__MSBROWSE__\x02<01>  Flags: 
|   WORKGROUP<00>        Flags: 
|   WORKGROUP<1d>        Flags: 
|_  WORKGROUP<1e>        Flags: 
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP\x00
|_  System time: 2019-04-10T22:15:10-04:00
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 10.0.2.5

NSE: Script Post-scanning.
Initiating NSE at 22:15
Completed NSE at 22:15, 0.00s elapsed
Initiating NSE at 22:15
Completed NSE at 22:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.04 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)

Nmap还有很多其他用途,给出一个Nmap中文手册,可以自行学习研究

摘录一份端口渗透表

端口号 端口说明 攻击技巧
21/22/69 ftp/tftp:文件传输协议 爆破、嗅探、溢出、后门
22 ssh:远程连接 爆破、OpenSSH、28个退格
23 telnet:远程连接 爆破、嗅探
25 smtp:邮件服务 邮件伪造
53 DNS:域名系统 DNS区域传输、DNS劫持、DNS缓存投毒、DNS欺骗、深度利用(利用DNS隧道技术刺透防火墙)
67/68 dhcp 劫持、欺骗
110 pop3 爆破
139 samba 爆破、未授权访问、远程代码执行
143 imap 爆破
161 snmp 爆破
389 ldap 注入攻击、未授权访问
512/513/514 linux r 直接使用rlogin
873 rsync 未授权访问
1080 socket 爆破(进行内网渗透)
1352 lotus 爆破(弱口令)、信息泄露(源代码)
1433 mssql 爆破(使用系统用户登陆)、注入攻击
1521 oracle 爆破(TNS)、注入攻击
2049 nfs 配置不当
2181 zookeeper 未授权访问
3306 mysql 爆破、拒绝服务、注入
3389 rdp 爆破、shift后门
4848 glassflsh 爆破(控制台弱口令)、认证绕过
5000 sybase/DB2 爆破、注入
5432 postgresql 缓冲区溢出、注入攻击、爆破(弱口令)
5632 pcanywhere 拒绝服务、代码执行
5900 vnc 爆破(弱口令)、认证绕过
6379 redis 未授权访问、爆破(弱口令)
7001 weblogic java反序列化、控制台弱口令、控制台部署webshell
80/443/8080 web 常见web攻击、控制台爆破、对应服务器版本漏洞
8069 zabbix 远程命令执行
9090 websphere控制台 爆破(控制台弱口令)、java反序列
9200/9300 elasticsearch 远程代码执行
11211 memcache/memcached 未授权访问
27017 mongodb 爆破、未授权访问

转载于:https://my.oschina.net/u/1404949/blog/3039471

你可能感兴趣的:(端口扫描原理及工具 - 安全工具篇)