Nmap
nmap -sC -p22,111,139 -T4 xxx.xxx.xxx.xxx
# scan top ports
nmap --top-ports 10 xxx.xxx.xxx.xxx
# scan a hostname with more info
nmap -v hostname
# scan multiple ip list
nmap ip1,ip2,ip3
nmap 192.168.1.1-20
nmap 192.168.1.*
nmap 192.168.1.0/24
nmap -iL iplist.txt
nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.6
#6: Find out if a host/network is protected by a firewall
nmap -sA 192.168.1.254
#7: Scan a host when protected by the firewall
nmap -PN 192.168.1.1
#8: Scan an IPv6 host/address
nmap -6 IPv6-Address-Here
nmap -6 2607:f0d0:1002:51::4
nmap -v -A -6 2607:f0d0:1002:51::4
#10: How do I perform a fast scan?
nmap -F 192.168.1.1
#11: Display the reason a port is in a particular state
nmap --reason 192.168.1.1
#12: Only show open (or possibly open) ports
nmap --open 192.168.1.1
#13: Show all packets sent and received
nmap --packet-trace 192.168.1.1
#14: Show host interfaces and routes
nmap --iflist
#15: How do I scan specific ports?
nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
## Scan TCP port 80
nmap -p T:80 192.168.1.1
## Scan UDP port 53
nmap -p U:53 192.168.1.1
## Scan two ports ##
nmap -p 80,443 192.168.1.1
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
#16: The fastest way to scan all your devices/computers for open ports ever
nmap -T5 192.168.1.0/24
#18: detect service versions
nmap -sV 192.168.1.1
# discovery
nmap -sP --script discovery higgses.com
nmap -A -sC --script discovery --script-args=newtargets 192.168.1.1 >> E:海知智能\Other\pk\ruyi\d.txt
nmap -A -sC --script discovery --script-args=newtargets --system-dns 192.168.1.1 > E:海知智能\Other\pk\ruyi\d.txt
-------------------------------------------------------------------------------------------------------------------------
PART 2
-------------------------------------------------------------------------------------------------------------------------
nmap -sU --data-length urlid
nmap --scanflags URGACKPSHRSTSYNFIN
#TCP空闲扫描
#这种先进的扫描方法允许对目标进行一个真正的盲目TCP端口扫描(即没有数据包从你的真实IP地址发送到目标)。
#相反独特的侧信道攻击利用僵尸主机上可预测的IP分段ID序列生成来收集关于目标的开放端口的信息。
#IDS系统只会显示扫描是从您指定的僵尸机发起。这在进行MITM(中间人攻击)非常有用的。
#寻找僵尸主机
nmap -v -O -Pn -n 192.168.50.16
#确定目标支持哪些IP协议
nmap -sO 目标
nmap -sI zombie
nmap -Pn -p- -sI 僵尸主机 目标
nmap -sI 僵尸主机:113 -Pn -p20-80,110-180 -r --packet-trace -v 目标
-------------------------------------------------------------------------------------------------------------------------
PART3
-------------------------------------------------------------------------------------------------------------------------
#NMAP脚本数据库操作系统的所有可能的匹配。--fuzzy可以用作--osscan-guess的快捷方式。
nmap -O --fuzzy www.test.com
-sR = rpc scan
#城市数据
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#扫描时显示调试信息
nmap -sV --version-trace host
#很多是关于nse脚本的
https://svn.nmap.org/nmap/scripts/hostmap-bfk.nse
#邮箱收集的脚本
http://seclists.org/nmap-dev/2011/q3/att-401/http-google-email.nse
#检测主机恶意行为
nmap -p80 --script http-google-malware --script-args http-google-malware.api=<API> <目标>
#whois查询禁用缓存
nmap -sn --script whois --script-args whois.whodb=nocache scanme.nmap.org
-------------------------------------------------------------------------------------------------------------------------
PART4 : http://www.freebuf.com/sectool/101335.html
-------------------------------------------------------------------------------------------------------------------------
#诱饵扫描
nmap -D RND:10 TARGET
nmap -D decoy1,decoy2,decoy3 target
#空闲扫描
nmap -P0 -sI zombie target
#随机顺序扫描
nmap --randomize-hosts targets
#MAC地址欺骗
nmap -sT -PN --spoof-mac aa:bb:cc:dd:ee:ff target
#设置User-Agent
nmap -p80 --script http-methods --script-args http.useragent="Mozilla 5" <target>
#扫描http代理
nmap --script http-open-proxy -p8080 <target>
#验证
nmap --script http-open-proxy --script-args http-open-proxy.url=http://whatsmyip.org,http-open-proxy.pattern="Your IP address is" -p8080 <target>
#文件目录和管理员账号
nmap --script http-enum -p80 <target>
#指定不同的User Agent来绕过某些防火墙
nmap -p80 --script http-enum --script-args http.useragent="Mozilla 5" <target>
#也可以指定HTTP管道数目来加快扫描
nmap -p80 --script http-enum --script-args http.pipeline=25 <target>
#暴力破解http认证
nmap -p80 --script http-brute --script-args http-brute.path=/admin/ <target>
#使用自定义的字典
nmap -p80 --script http-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
#不同的模式
#user:
nmap --script http-brute --script-args brute.mode=user <target>
#pwd:
nmap --script http-brute --script-args brute.mode=pass <target>
#fcreds:
nmap --script http-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
#确定web服务器上的有效用户名列表
nmap -p80 --script http-userdir-enum <target>
#测试默认凭据
nmap -p80 --script http-default-accounts <target>
#WordPress 审计
nmap -p80 --script http-wordpress-brute <target>
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5 <target>
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.hostname="ahostname.wordpress.com" <target>
#设置一个不同的登录URI,登录使用参数http-wordpress-brute.uri:
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uri="/hidden-wp-login.php" <target>
#要改变存储的用户名和密码的POST变量的名称,设置参数http-wordpress-brute.uservar和http-wordpress-brute.passvar:
nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.uservar=usuario,http-wordpress-brute.passvar=pasguord <target>
#Joomla审计
nmap -p80 --script http-joomla-brute <target>
#检测web防火墙
nmap -p80 --script http-waf-detect <target>
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.detectBodyChanges" <target>
nmap -p80 --script http-waf-detect --script-args="http-waf-detect.aggro" <target>
#检测跨站跟踪漏洞
nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
#检测跨站脚本漏洞
nmap -p80 --script http-unsafe-output-escaping <target>
#nmap检测sql注入
nmap -p80 --script http-sql-injection <target>
nmap -p80 --script http-sql-injection --script-args httpspider.maxpagecount=200 <target>
nmap -p80 --script http-sql-injection --script-args httpspider.withinhost=false <target>
nmap -sV --script=mysql-databases 192.168.195.130
-------------------------------------------------------------------------------------------------------------------------
PART5 :http://www.freebuf.com/articles/system/102137.html
-------------------------------------------------------------------------------------------------------------------------
#列出数据库名称
nmap -sV --script=mysql-databases 192.168.195.130
nmap -sV --script=mysql-databases --script-args mysqluser=root,mysqlpass=toor 192.168.195.130
#用密码进行身份验证。通过暴力破解或者空口令获得凭据。
nmap -sV --script=mysql-users 192.168.195.130
#检查用户空口令
sudo nmap --script mysql-empty-password 192.168.195.130
#mysqlserver变量清单
nmap -p3306 --script mysql-variables localhost
#暴力破解
nmap --script=mysql-brute localhost
#转储密码的哈希值,通过使用John the Ripper进行暴力破解。需要root权限。
nmap --script=mysql-dump-hashes localhost
#Mysql信息
nmap --script=mysql-info localhost
#Mysql枚举
nmap --script=mysql-enum localhost
nmap --script=mysql-vuln-cve2012-2122 localhost
#CVE-2012-2122
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
# http://www.exploit-db.com/exploits/19092/
# http://blog.trendmicro.com/trendlabs-security-intelligence/mysql-password-verification-bypass-cve-2012-2122/
#使用谷歌搜索发现有效的电子邮件帐户
nmap -p80 --script=http-email-harvest target
#检测开放中继
nmap -sV --script smtp-open-relay -v localhost
#暴力破解SMTP密码
nmap -p25 -Pn --script smtp-brute target
#枚举SMTP服务的用户
nmap -p25 --script smtp-enum-users target
#检测SMTP服务器后门
nmap -sV --script smtp-strangeport target
#检索IMAP邮件服务器的功能
nmap -p143,993 -Pn --script imap-capabilities target
#暴力破解POP3密码
nmap -p110 --script pop3-brute google.com
#检索POP3邮件服务器支持的功能
nmap -p110 --script pop3-capabilities target
#检测4.70到4.75版本的Exim SMTP的漏洞
nmap --script smtp-vuln-cve2011-1764 --script-args mailfrom=<Source address>,mailto=<Destination address>,domain=<domain> -p25,465,587 <target>
-------------------------------------------------------------------------------------------------------------------------
OTHER
-------------------------------------------------------------------------------------------------------------------------
sudo zmap --bandwidth=100M --target-port=80 --max-targets=100000 --output-file=results.csv
nmap --script http-open-proxy.nse \
--script-args proxy.url=<url>,proxy.pattern=<pattern>
#also http-open-proxy sock-open-proxy
cd $GOPATH/src/github.com/zmap/zgrab
zmap -p 80 -N 1000 -B 100M -o - | zgrab --port 80 --tls --http="/" --output-file=/home/ec2-user/mdiskdata/test80.json
对邮件服务器渗透测试
我们可以使用Nmap脚本对邮件服务的攻击如下:
使用谷歌搜索发现有效的电子邮件帐户
检测开放中继
暴力破解SMTP密码
枚举SMTP服务器的用户
检测SMTP服务器的后门
暴力破解IMAP密码
检索IMAP邮件服务器的功能
暴力破解POP3密码
检索POP3邮件服务器的功能
检测4.70到4.75版本的Exim SMTP的漏洞
如何自定义指针match
NSE开发 http://nmap.org/book/nse-tutorial.html
inurl:axis-cgi/jpg
Reference was already in code area