I. Installing a web scanner -- Netsparker
1. Prepare the installation package. The portable version is used here; it runs without being installed.
2. Start scanning.
II. Installing a port scanner -- Nmap
1. Nmap is a free, open-source network port scanner used to find which network ports are open on hosts reachable over the network.
2. Basic usage, starting with host discovery
1) Nmap host discovery
Description: -sn: Ping Scan - disable port scan
Equivalent to finding live hosts with the Windows or Linux ping command, with port scanning turned off. Note that on a directly connected Ethernet segment, run as root, Nmap discovers hosts with ARP requests rather than ICMP; that is why the output below carries a MAC address and vendor for each neighbour, and the one entry without a MAC address is the scanning machine itself.
Command syntax:
nmap -sn <target>
Example: nmap -sn 192.168.2.0/24 or nmap -sn 192.168.2.0-255
root@kali:~# nmap -sn 192.168.2.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 21:18 EST
Nmap scan report for 192.168.2.1 (192.168.2.1)
Host is up (0.00029s latency).
MAC Address: E4:F3:F5:BF:96:48 (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.00020s latency).
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Nmap scan report for 192.168.2.105 (192.168.2.105)
Host is up (0.00021s latency).
MAC Address: 68:F7:28:D9:42:E9 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.2.100 (192.168.2.100)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.74 seconds
2) Nmap route tracing
Description: --traceroute: Trace hop path to each host
Route tracing lists the network nodes between the scanning machine and the destination, with the round-trip time to each of them, which helps a network administrator see how traffic to the target is flowing. Nmap runs the trace after its port scan and, where it can, uses a port it found open (443/tcp in the example below) as the probe, so the trace follows the path that real service traffic takes. Without -p or -sn, --traceroute still performs the default scan of the 1,000 most common TCP ports, which is where the port table below comes from.
Command syntax:
nmap --traceroute <target>
Example: nmap --traceroute 36.152.44.96 (a Baidu IP)
root@kali:~# nmap --traceroute 36.152.44.96
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 21:12 EST
Nmap scan report for 36.152.44.96
Host is up (0.030s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 0.51 ms 192.168.2.1 (192.168.2.1)
2 0.91 ms 192.168.1.1 (192.168.1.1)
3 2.08 ms 100.4.0.1
4 ... 13
14 33.62 ms 36.152.44.96
Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
3) Nmap port scanning
Description: determines which ports on the target are open, closed or filtered. -sS is the default scan type when Nmap runs with raw-socket privileges (as root). In the UDP results, open|filtered means the probe got no reply at all, so Nmap cannot tell an open service from a port dropped by a firewall; closed UDP ports are recognised by ICMP port-unreachable replies, and only 137/udp, which answered the netbios-ns probe, is reported as plainly open below.
Command syntax:
nmap -sS TCP SYN scan (half-open: Nmap sends a SYN and judges the port from the SYN/ACK or RST reply without completing the handshake)
-sU UDP port scan, which determines the state of the target's UDP ports from UDP probes
--top-ports n scans the n ports most likely to be open, according to Nmap's port-frequency data
Example:
root@kali:~/Desktop# nmap -sS -sU --top-ports 300 192.168.2.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-05 00:30 EST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 99.00% done; ETC: 00:30 (0:00:00 remaining)
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.0015s latency).
Not shown: 583 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1434/udp open|filtered ms-sql-m
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
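The host-discovery sweep in 1) and the SYN/UDP scan above are usually the first two steps of one workflow: the live hosts from -sn become the target list for the port scan, and the port scan's results are split into what Nmap actually confirmed and what it could not decide. The following is an added example, not code from the original page or from the Nmap project: it parses Nmap's human-readable output (trimmed copies of the two listings on this page, embedded as constructed samples) into per-host records, builds the target list, and separates confirmed open ports from the open|filtered UDP ports that still need a service-specific probe. The Host class and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample inputs: trimmed copies of the "nmap -sn" sweep and the
# "nmap -sS -sU --top-ports 300" run shown on this page.
SAMPLE_PING_SWEEP = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 21:18 EST
Nmap scan report for 192.168.2.1 (192.168.2.1)
Host is up (0.00029s latency).
MAC Address: E4:F3:F5:BF:96:48 (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.00020s latency).
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Nmap scan report for 192.168.2.100 (192.168.2.100)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 1.74 seconds
"""

SAMPLE_PORT_SCAN = """\
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.0015s latency).
Not shown: 583 closed ports
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
137/udp open netbios-ns
1434/udp open|filtered ms-sql-m
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:5A:7A:ED (VMware)
"""

# "Nmap scan report for <name> (<ip>)", or just "... for <ip>" when there is no rDNS name.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.+)\))?$")


@dataclass
class Host:
    ip: str
    mac: Optional[str] = None
    vendor: Optional[str] = None
    # (port, proto, state, service) as printed in the PORT/STATE/SERVICE table
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)


def parse_normal_output(text: str) -> List[Host]:
    """Split Nmap's human-readable ("normal") output into per-host records."""
    hosts: List[Host] = []
    cur: Optional[Host] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = Host(ip=m.group(2) or m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = MAC_RE.match(line)
        if m:
            cur.mac, cur.vendor = m.group(1), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def live_targets(hosts: List[Host]) -> List[str]:
    """Written one per line to a file, this is what a later 'nmap -iL targets.txt' consumes."""
    return [h.ip for h in hosts]


def without_mac(hosts: List[Host]) -> List[str]:
    """In an ARP sweep of the local segment every neighbour comes back with a MAC;
    an entry without one is normally the scanning machine itself."""
    return [h.ip for h in hosts if h.mac is None]


def confirmed_open(host: Host) -> List[Tuple[int, str, str]]:
    """Ports that answered positively: SYN/ACK for TCP, an application reply for UDP."""
    return [(p, proto, svc) for p, proto, state, svc in host.ports if state == "open"]


def unconfirmed_udp(host: Host) -> List[Tuple[int, str]]:
    """open|filtered: the UDP probe got no reply, so 'open' and 'dropped by a firewall'
    cannot be told apart. These need a service-specific probe (-sV) or another tool."""
    return [(p, svc) for p, proto, state, svc in host.ports
            if proto == "udp" and state == "open|filtered"]
```

The parser keys on the three line shapes that have been stable in Nmap's normal output (scan report, MAC Address, port table row). For anything beyond a one-off, have Nmap write XML with -oX and parse that instead; the normal output is meant for humans.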
A summary of 40 ports commonly used in intrusions, worth bookmarking: https://www.php.cn/safe/436409.html
4) Nmap version detection
Description: -sV probes each open port and matches the responses against Nmap's service-probe database to identify the application and, where possible, its version. A trailing "?" in the VERSION column (2383/tcp below) means Nmap received a response it could not match. The Service Info line turns the matches into CPE identifiers, which is the form vulnerability databases key on.
Command syntax:
nmap -sV <target>
Example: nmap -sV 192.168.2.103
root@kali:~/Desktop# nmap -sV 192.168.2.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-05 00:32 EST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 83.33% done; ETC: 00:32 (0:00:03 remaining)
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.00013s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd
81/tcp open http Microsoft IIS httpd 6.0
82/tcp open http Microsoft IIS httpd 6.0
83/tcp open http Microsoft IIS httpd 6.0
84/tcp open http Microsoft IIS httpd 6.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600; RTM
2383/tcp open ms-olap4?
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.01 seconds
5) Nmap OS detection
Description: -O fingerprints the target's TCP/IP stack (TCP options, initial sequence numbers, ICMP behaviour and so on) and compares the result with Nmap's OS database. It is most reliable when the target has at least one open and one closed TCP port, which is why Nmap runs its normal port scan first; the guess is reported both as text and as CPE identifiers.
Command syntax:
nmap -O <target>
Example: nmap -O 192.168.2.103
root@kali:~/Desktop# nmap -O 192.168.2.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-05 00:34 EST
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.00034s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1433/tcp open ms-sql-s
2383/tcp open ms-olap4
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.65 seconds
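Both -sV and -O end with CPE identifiers, and that is the part of the output worth keeping, because a CPE can be matched against vulnerability and end-of-support data automatically. The following is an added example, not code from the original page or from Nmap: it parses the CPE strings from the two listings above (copied inline as the sample input) into their fields and flags platforms that were already out of vendor support on the scan date. The END_OF_SUPPORT table is an assumed, deliberately partial lookup for the illustration; the one entry it holds, Windows Server 2003 leaving extended support on 14 July 2015, is Microsoft's published date.

```python
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Lines copied from the -sV and -O output on this page.
SAMPLE_LINES = [
    "Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003",
    "OS CPE: cpe:/o:microsoft:windows_server_2003::sp1 cpe:/o:microsoft:windows_server_2003::sp2",
    "OS details: Microsoft Windows Server 2003 SP1 or SP2",
]

# CPE 2.2 URI as Nmap prints it: cpe:/<part>:<vendor>:<product>[:<version>[:<update>]]
# part is a (application), h (hardware) or o (operating system); fields may be empty,
# which is how "windows_server_2003::sp1" carries an update but no version.
CPE_RE = re.compile(r"cpe:/([aho]):([^:\s,]+):([^:\s,]+)(?::([^:\s,]*))?(?::([^:\s,]*))?")
PART_NAMES = {"a": "application", "h": "hardware", "o": "os"}

# Assumed, partial end-of-support table for this illustration: (vendor, product) -> date.
END_OF_SUPPORT: Dict[Tuple[str, str], date] = {
    ("microsoft", "windows_server_2003"): date(2015, 7, 14),
}


def extract_cpes(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Pull every CPE out of the given output lines, in order, with empty fields as None."""
    found = []
    for line in lines:
        for m in CPE_RE.finditer(line):
            part, vendor, product, version, update = m.groups()
            found.append({
                "part": PART_NAMES[part],
                "vendor": vendor,
                "product": product,
                "version": version or None,
                "update": update or None,
            })
    return found


def end_of_support_findings(cpes: List[Dict[str, Optional[str]]], today: date) -> List[Tuple[str, str, date]]:
    """Unique (vendor, product, end date) for every identified platform already out of support."""
    seen: Dict[Tuple[str, str], date] = {}
    for c in cpes:
        key = (c["vendor"], c["product"])
        eos = END_OF_SUPPORT.get(key)
        if eos is not None and eos < today:
            seen[key] = eos
    return sorted((v, p, d) for (v, p), d in seen.items())
```

Run against the scan above with the scan date (5 March 2020), the check reports Windows Server 2003 as out of support, which is the context for the unpatched SMB findings in 6). Service CPEs from -sV (application part "a") go through the same path once the table has entries for them.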
6) Nmap vulnerability checks
Description: --script selects Nmap Scripting Engine (NSE) scripts by name or category. auth runs scripts that check authentication and credentials on the discovered services; vuln runs scripts that test for specific known vulnerabilities and print "State: VULNERABLE" when a check succeeds. vuln scripts are intrusive by nature and some of them (the SMB checks, for instance) send malformed traffic, so run them only against systems you are authorised to test. Lines such as "clamav-exec: ERROR: Script execution failed" are noise from a script that does not apply to the service it was pointed at, not findings. The run below shows the target vulnerable to MS08-067 and MS17-010, both unauthenticated remote code execution in the Windows SMB service, and a POODLE-vulnerable SSL 3.0 listener on the SQL Server port.
Command syntax:
nmap --script=auth,vuln <target>
Example: nmap 192.168.2.103 --script=auth,vuln
root@kali:~/Desktop# nmap 192.168.2.103 --script=auth,vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-05 00:39 EST
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.40% done; ETC: 00:40 (0:00:01 remaining)
...
...
...
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.75% done; ETC: 00:38 (0:00:00 remaining)
Nmap scan report for 192.168.2.103 (192.168.2.103)
Host is up (0.00066s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_ /reports/: Potentially interesting folder (401 Unauthorized)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
81/tcp open hosts2-ns
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
82/tcp open xfer
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
83/tcp open mit-ml-dev
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
84/tcp open ctf
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1026/tcp open LSA-or-nterm
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1433/tcp open ms-sql-s
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ms-sql-dump-hashes:
| [192.168.2.103:1433]
|_ ERROR: No login credentials
| ms-sql-hasdbaccess:
| [192.168.2.103:1433]
|_ ERROR: No login credentials.
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
| products, uses nondeterministic CBC padding, which makes it easier
| for man-in-the-middle attackers to obtain cleartext data via a
| padding-oracle attack, aka the "POODLE" issue.
| Disclosure date: 2014-10-14
| Check results:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA
| References:
| https://www.openssl.org/~bodo/ssl-poodle.pdf
| https://www.imperialviolet.org/2014/10/14/poodle.html
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_ https://www.securityfocus.com/bid/70574
|_sslv2-drown:
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
2383/tcp open ms-olap4
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:5A:7A:ED (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Stats: 0:02:29 elapsed; 1 hosts completed (1 up), 0 undergoing Script Post-Scan
NSE Timing: About 0.00% done
Nmap done: 1 IP address (1 host up) scanned in 149.72 seconds
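A --script=auth,vuln run buries a handful of real findings under script errors, "Couldn't find" lines and reference URLs, so the practical step after it is triage: which scripts reported VULNERABLE, on which port or at host level, with which CVE identifiers, and which scripts simply failed. The following is an added example, not code from the original page or from Nmap: it takes a trimmed copy of the output above (embedded inline as a constructed sample, with the same collapsed spacing this page has), groups the NSE lines per script, and returns confirmed findings and script errors as two separate lists. The function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the --script=auth,vuln output shown above.
SAMPLE_VULN_OUTPUT = """\
PORT STATE SERVICE
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /reportserver/: Microsoft SQL Report Service (401 Unauthorized)
|_ /reports/: Potentially interesting folder (401 Unauthorized)
1433/tcp open ms-sql-s
| ms-sql-dump-hashes:
| [192.168.2.103:1433]
|_ ERROR: No login credentials
| ssl-poodle:
| VULNERABLE:
| SSL POODLE information leak
| State: VULNERABLE
| IDs: BID:70574 CVE:CVE-2014-3566
| Disclosure date: 2014-10-14
| References:
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s")
# A script result starts with "| <script-id>:" or "|_<script-id>:". Script ids are
# lower-case words joined by hyphens; the lookahead keeps "https://..." lines out.
SCRIPT_RE = re.compile(r"^\|_? ?([a-z0-9]+(?:-[a-z0-9]+)*):(?!//)(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_script_output(text: str) -> List[Dict]:
    """Group NSE output lines into one record per script, tagged with its port or 'host'."""
    findings: List[Dict] = []
    scope, cur = None, None
    for raw in text.splitlines():
        if raw == "Host script results:":
            scope, cur = "host", None
            continue
        m = PORT_RE.match(raw)
        if m:
            scope, cur = m.group(1), None
            continue
        if not raw.startswith("|"):
            cur = None
            continue
        m = SCRIPT_RE.match(raw)
        if m:
            cur = {"scope": scope, "script": m.group(1), "lines": [m.group(2).strip()]}
            findings.append(cur)
        elif cur is not None:
            cur["lines"].append(raw.lstrip("|_ ").strip())
    for f in findings:
        lines = f.pop("lines")
        # Scripts built on the NSE vulns library print "State: VULNERABLE" when a check hits.
        f["vulnerable"] = any(l.startswith("State: VULNERABLE") for l in lines)
        # "ERROR:" means the script could not run or did not apply, never that a check passed.
        f["error"] = any(l.startswith("ERROR") for l in lines)
        f["cves"] = list(dict.fromkeys(CVE_RE.findall(" ".join(lines))))
        f["title"] = next((lines[i + 1] for i in range(len(lines) - 1) if lines[i] == "VULNERABLE:"), None)
    return findings


def triage(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Confirmed findings to act on, and script errors to review separately."""
    findings = parse_script_output(text)
    return ([f for f in findings if f["vulnerable"]],
            [f for f in findings if f["error"]])
```

The two SMB findings come back with scope "host" because smb-vuln-* scripts run once per host rather than per port, and the CVE list is deduplicated because the same identifier appears both in the IDs line and in the reference URL. As with the port parser, this reads the normal output so it can run on the page's own text; for a repeatable pipeline, write the scan with -oX and read the structured script output from the XML.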