Nmap scanning
A powerful network discovery tool
Supports several probing techniques:
--ping scanning
--multi-port scanning
--TCP/IP fingerprinting
Why scan?
To gather public and non-public information:
--detect potential risks
--find attackable targets
--collect device/host/OS/software information
--discover exploitable security holes
Basic usage
nmap [scan type] [options] <targets...>
Common scan types and options
-sS TCP SYN scan (half-open). Sends a SYN to the target port: a SYN/ACK reply means the port is open, an RST means it is closed. In other words, only half of the three-way handshake is completed before the port state is known, which makes the scan faster.
-sT TCP connect scan (full open)
-sU UDP scan
-sP ICMP (ping) scan
-sV Detect the service version behind each open port
-A Comprehensive analysis of the target system (can be slow)
-p Scan the specified ports
1) Check whether the target hosts respond to ping
[root@case100 ~]# yum -y install nmap //install nmap
[root@case100 ~]# nmap -sP 192.168.4.0/24 //find all live hosts in the 192.168.4.0/24 network
[root@case100 ~]# nmap -sP 192.168.4.140-160 //find all live hosts from .140 to .160
[root@case100 ~]# nmap -sP 192.168.4.100,140,141 //check whether hosts .100, .140 and .141 are up
[root@case100 ~]# nmap -n -sP 192.168.4.140 //-n skips DNS resolution
2) Check which TCP services the target host has open
[root@case100 ~]# nmap -sT 192.168.4.100
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:46 CST
Nmap scan report for 192.168.4.100
Host is up (0.00026s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
[root@case100 ~]# nmap 192.168.4.100 //without any options nmap defaults to a TCP scan; the result here is the same as with -sT
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:46 CST
Nmap scan report for 192.168.4.100
Host is up (0.0000030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
[root@case100 ~]# nmap -sT www.baidu.com //the target can of course also be a domain name
3) Check which hosts in the 192.168.4.0/24 network have FTP or SSH open
[root@case100 ~]# nmap -p 21-22 192.168.4.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:53 CST
Nmap scan report for 192.168.4.140
Host is up (0.00036s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
MAC Address: 52:54:00:B4:8C:9E (QEMU Virtual NIC)
Nmap scan report for 192.168.4.141
Host is up (0.00052s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
MAC Address: 52:54:00:24:A1:77 (QEMU Virtual NIC)
Nmap scan report for 192.168.4.142
Host is up (0.00051s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
MAC Address: 52:54:00:16:E6:DE (QEMU Virtual NIC)
......
4) Check which UDP services the target host has open
[root@case100 ~]# nmap -sU 192.168.4.100
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:54 CST
Nmap scan report for 192.168.4.100
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
111/udp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds
5) Detect the service versions behind the open ports
[root@case100 ~]# nmap -sV 192.168.4.100,140,141 //scan the three hosts .100, .140 and .141
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-19 15:50 CST
Nmap scan report for 192.168.4.100
Host is up (0.0000030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
3306/tcp open mysql MySQL 5.7.17
Nmap scan report for 192.168.4.140
Host is up (0.00016s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
MAC Address: 52:54:00:B4:8C:9E (QEMU Virtual NIC)
Nmap scan report for 192.168.4.141
Host is up (0.00019s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
MAC Address: 52:54:00:24:A1:77 (QEMU Virtual NIC)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 6.38 seconds
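As an added example (not code from the original page), a small Python parser for the nmap normal-output format shown in the scans above, used defensively: it turns the report into an inventory and flags open ports that are not on an assumed per-host allow-list. The sample text and the allow-list are constructed.

```python
import re

# Constructed sample in the layout of `nmap -sV` normal output (addresses and
# versions taken from the scan above; not a real capture).
SAMPLE = """\
Nmap scan report for 192.168.4.100
Host is up (0.0000030s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
111/tcp open rpcbind 2-4 (RPC #100000)
3306/tcp open mysql MySQL 5.7.17
Nmap scan report for 192.168.4.140
Host is up (0.00016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
Nmap done: 2 IP addresses (2 hosts up) scanned in 6.38 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto, state (may be open|filtered), service, optional version text
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version or ""))
    return hosts

def unexpected_open(hosts, allowed, default=frozenset({(22, "tcp")})):
    """Open ports that are not on the host's allow-list (default: SSH only)."""
    findings = []
    for host, ports in hosts.items():
        ok = allowed.get(host, default)
        for port, proto, state, service, version in ports:
            if state.startswith("open") and (port, proto) not in ok:
                findings.append((host, port, proto, service, version))
    return findings

if __name__ == "__main__":
    # constructed allow-list: .100 may expose SSH and MySQL, everything else is SSH only
    for f in unexpected_open(parse_nmap(SAMPLE), {"192.168.4.100": {(22, "tcp"), (3306, "tcp")}}):
        print("unexpected exposure:", f)
```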
6) Comprehensive analysis of the operating system on target host 192.168.4.100
[root@case100 ~]# nmap -A 192.168.4.100
Starting Nmap 6.40 ( http://nmap.org ) at 2020-10-16 16:58 CST
Nmap scan report for 192.168.4.100
Host is up (0.000035s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 2048 bb:57:60:4b:40:e1:ed:41:45:7b:eb:cf:23:86:04:13 (RSA)
|_256 1e:76:cc:e8:d9:55:86:df:dc:a1:ea:7a:6c:67:c6:00 (ECDSA)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
|_ 100000 2,3,4 111/udp rpcbind
3306/tcp open mysql MySQL 5.7.17
| mysql-info: Protocol: 10
| Version: 5.7.17
| Thread ID: 13
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, SSL, Transactions, Secure Connection
| Status: Autocommit
|_ Salt: Q\x1FX01}
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=10/16%OT=22%CT=1%CU=43703%PV=Y%DS=0%D
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.05 seconds
tcpdump
Command-line packet capture tool
Basic usage
tcpdump [options] [filter expression]
Common capture options
-i, interface to capture on (default: the first network interface)
-A, print packets as ASCII for easier reading
-w, write captured packets to the given file
-r, read packets from the given file
Common filter primitives:
Type: host, net, port, portrange
Direction: src, dst
Protocol: tcp, udp, ip, wlan, arp, ...
Combining conditions: and, or, not
Example 1
[root@case100 ~]# tcpdump //capture all packets
If this error appears
tcpdump: packet printing is not supported for link type NFLOG: use -w
you need to specify an interface; use ifconfig to see which interface to capture on
[root@case100 ~]# tcpdump -i ens5 host 192.168.44.100 //capture packets on interface ens5 to or from host 192.168.4.140
[root@case100 ~]# tcpdump -i ens5 tcp port 22004 //capture TCP port 22004
Use and to combine more conditions
[root@case100 ~]# tcpdump -i ens5 tcp port 22004 and host 192.168.4.140 //combine filter conditions with and
Capture ICMP
[root@case100 ~]# tcpdump -A -i ens5 icmp //capture ICMP packets
[root@case100 ~]# tcpdump -i ens5 icmp and host 10.0.3.211 //capture ICMP packets to or from host 10.0.3.211
[root@case100 ~]# tcpdump -A -w test1.cap -i ens5 icmp //to analyse further, save the capture to a file and open it later in Wireshark
Example 2: using tcpdump to observe the cleartext exchange in an FTP session
1) Install and deploy the vsftpd service
[root@case254 ~]# yum -y install vsftpd
[root@case254 ~]# systemctl restart vsftpd
This assumes that host 192.168.4.254 already has vsftpd set up with its shares and login users configured; if not, install and start the service first!!!
2) Start tcpdump and wait for packets
Run tcpdump with a suitable filter so that only traffic to port 21 on host 192.168.4.100 is captured, printed as readable ASCII.
[root@case254 ~]# tcpdump -A tcp port 21 -i private1 //the 192.168.4.0 network is not on the default interface, so it must be given explicitly
3) Access the case254 server from case100 as the client
[root@case100 ~]# yum -y install ftp
[root@case100 ~]# ftp 192.168.4.254
Connected to 192.168.4.254 (192.168.4.254).
220 (vsFTPd 3.0.2)
Name (192.168.4.254:root): ftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (192,168,4,254,47,162).
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Oct 20 2019 ansible
drwxr-xr-x 2 0 0 6 Oct 13 2019 extras
drwxr-xrwx 3 0 0 24 Oct 10 2019 ios
drwxrwxrwx 10 0 0 4096 Aug 13 05:42 pub
drwxr-xr-x 2 0 0 6 Oct 13 2019 redhat
drwxrwxrwx 2 0 0 32 Jul 07 2019 share
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
......
ftp> quit
221 Goodbye.
4) Look at the tcpdump capture
[root@case254 ~]# tcpdump -A tcp port 21 -i private1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on private1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:42:11.926001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 1412379158:1412379164, ack 3282094552, win 229, options [nop,nop,TS val 526602819 ecr 527385903], length 6
E..:..@....)...d........T/2................
.cRC.oE/PASV
17:42:11.926212 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 1:51, ack 6, win 227, options [nop,nop,TS val 527456805 ecr 526602819], length 50
E..f.j@.@.,u.......d........T/2............
.pZ%.cRC227 Entering Passive Mode (192,168,4,254,254,7).
17:42:11.927147 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 6:12, ack 51, win 229, options [nop,nop,TS val 526602820 ecr 527456805], length 6
E..:..@....(...d........T/2....
...........
.cRD.pZ%LIST
17:42:11.927299 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 51:90, ack 12, win 227, options [nop,nop,TS val 527456806 ecr 526602820], length 39
E..[.k@.@.,........d.......
T/2"...........
.pZ&.cRD150 Here comes the directory listing.
17:42:11.928886 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 90:114, ack 12, win 227, options [nop,nop,TS val 527456807 ecr 526602820], length 24
E..L.l@.@.,........d.......1T/2"...........
.pZ'.cRD226 Directory send OK.
//the capture shows the exchange with 192.168.4.254.ftp: the FTP commands and replies in cleartext, the TCP handshake details, and so on
5) Capture again with tcpdump, this time with -w to save the packets to a file for later analysis.
[root@case254 ~]# tcpdump -A tcp port 21 -i private1 -w ftp.cap
6) The -r option of tcpdump reads a previously captured file
[root@case254 ~]# tcpdump -A -r ftp.cap |grep ftp
reading from file ftp.cap, link-type EN10MB (Ethernet)
18:03:18.353802 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [S], seq 2971413673, win 29200, options [mss 1460,sackOK,TS val 527869246 ecr 0,nop,wscale 7], length 0
18:03:18.353959 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [S.], seq 2254235441, ack 2971413674, win 28960, options [mss 1460,sackOK,TS val 528723232 ecr 527869246,nop,wscale 7], length 0
18:03:18.354474 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 1, win 229, options [nop,nop,TS val 527869247 ecr 528723232], length 0
18:03:18.357118 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [P.], seq 1:21, ack 1, win 227, options [nop,nop,TS val 528723236 ecr 527869247], length 20
18:03:18.357874 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [.], ack 21, win 229, options [nop,nop,TS val 527869250 ecr 528723236], length 0
18:03:20.596123 IP 192.168.4.100.47610 > 192.168.4.254.ftp: Flags [F.], seq 1, ack 21, win 229, options [nop,nop,TS val 527871489 ecr 528723236], length 0
18:03:20.596218 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [.], ack 2, win 227, options [nop,nop,TS val 528725475 ecr 527871489], length 0
18:03:20.596382 IP 192.168.4.254.ftp > 192.168.4.100.47610: Flags [F.], seq 21, ack 2, win 227, options [nop,nop,TS val 528725475 ecr 527871489], length 0
......
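As an added example (not part of the original page), a Python parser for tcpdump -A text output like the capture in step 4: it pulls out the FTP commands and replies and lists any USER/PASS values that were visible in cleartext, which is how you would audit your own network for FTP logins that should move to SFTP or FTPS. The PASV/227 packets in the sample are copied from the capture above; the USER/PASS packets are constructed.

```python
import re

# Constructed sample in the layout of `tcpdump -A tcp port 21`: the PASV/227 packets
# are copied from the capture above; the USER/PASS packets are constructed.
CAPTURE = """\
17:42:10.100001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 0:10, ack 1, win 229, length 10
E..>..@....)...d........T/2................
.cRA.oE.USER ftp
17:42:10.200001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 10:26, ack 35, win 229, length 16
E..B..@....)...d........T/2................
.cRB.oE.PASS secret123
17:42:11.926001 IP 192.168.4.100.47604 > 192.168.4.254.ftp: Flags [P.], seq 1412379158:1412379164, ack 3282094552, win 229, options [nop,nop,TS val 526602819 ecr 527385903], length 6
E..:..@....)...d........T/2................
.cRC.oE/PASV
17:42:11.926212 IP 192.168.4.254.ftp > 192.168.4.100.47604: Flags [P.], seq 1:51, ack 6, win 227, options [nop,nop,TS val 527456805 ecr 526602819], length 50
E..f.j@.@.,u.......d........T/2............
.pZ%.cRC227 Entering Passive Mode (192,168,4,254,254,7).
"""

PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): .*length (\d+)$")
CMD_RE = re.compile(r"\b(USER|PASS|PASV|LIST|CWD|RETR|STOR|QUIT)\b ?(.*)$")
REPLY_RE = re.compile(r"([1-5]\d\d) (.*)$")

def ftp_messages(text):
    """Return (time, src, dst, kind, verb, arg) for each FTP command or reply.
    With -A the whole packet is printed as ASCII, so the FTP text sits at the
    end of the last dump line, after the IP/TCP header bytes."""
    out, hdr, payload = [], None, []
    def flush():
        if hdr is None or hdr[3] == "0" or not payload:
            return  # no header yet, or a packet with no TCP payload
        for kind, rx in (("cmd", CMD_RE), ("reply", REPLY_RE)):
            m = rx.search(payload[-1])
            if m:
                out.append((hdr[0], hdr[1], hdr[2], kind, m.group(1), m.group(2)))
                return
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            flush()
            hdr, payload = m.groups(), []
        else:
            payload.append(line)
    flush()
    return out

def exposed_credentials(messages):
    """USER/PASS values that crossed the wire unencrypted."""
    return [(s, v, a) for _, s, _, k, v, a in messages if k == "cmd" and v in ("USER", "PASS")]
```

Feed it the output of `tcpdump -A -r ftp.cap` from step 6 to audit a saved capture instead of the constructed sample.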