Nmap: Probing the Network Environment

Probing the network

Sniffing for targets

Sniffing here means finding the active hosts on the LAN by listening to its traffic. In Nmap, the targets-sniffer script sniffs for active targets on the network; the syntax is as follows:

nmap -sL --script=targets-sniffer --script-args=newtargets,targets-sniffer.timeout=5s,targets-sniffer.iface=eth0
# args targets-sniffer.timeout The amount of time to listen for packets. Default 10s.
# args targets-sniffer.iface The interface to use for sniffing.
# args newtargets If true, add discovered targets to the scan queue.
# Sniff for active hosts on the LAN
$ nmap -sL --script=targets-sniffer --script-args=newtargets,targets-sniffer.timeout=5s,targets-sniffer.iface=eth0

Starting Nmap 7.40 ( https://nmap.org ) at 2022-02-10 08:48 UTC
Pre-scan script results:
| targets-sniffer: Sniffed 2 address(es).
| 192.168.1.3
|_224.0.0.251
Nmap scan report for HUAWEI_Mate_20_Pro-648056 (192.168.1.3)
Nmap scan report for 224.0.0.251
Nmap done: 2 IP addresses (0 hosts up) scanned in 6.40 seconds

It does not seem to work as well as nmap -sP target.

Listening for broadcast packets

A broadcast packet is one sent to every host on the LAN at the same time. The broadcast-listener script listens for all broadcast packets that reach this host:

$ nmap --script broadcast-listener -e lo

Probing firewall rules

In Nmap, the firewalk script can be used to probe firewall rules; the syntax is as follows:

nmap --script=firewalk --traceroute --min-parallelism 3000 www.diaoan.xyz
args firewalk.max-retries the maximum number of allowed retransmissions.
args firewalk.recv-timeout the duration of the packets capture loop (in milliseconds).
args firewalk.probe-timeout validity period of a probe (in milliseconds).
args firewalk.max-active-probes maximum number of parallel active probes.
args firewalk.max-probed-ports maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
# Probe the host's firewall rules with the firewalk script
$ nmap --script=firewalk --traceroute --min-parallelism 3000 www.diaoan.xyz
Warning: Your --min-parallelism option is pretty high! This can hurt reliability.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 21:38 CST
Nmap scan report for www.diaoan.xyz (121.199.61.226)
Host is up (0.046s latency).
Not shown: 984 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http

Host script results:
| firewalk:
| HOP HOST PROTOCOL BLOCKED PORTS
| 1 172.26.80.1 tcp 6,20
|_2 192.168.1.1 tcp 1,3-4,7,9,13,17,19

TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 0.28 ms DIAOAN (172.26.80.1)
2 2.69 ms TianYi.Home (192.168.1.1)
3 ... 12
13 32.45 ms www.diaoan.xyz (121.199.61.226)

Nmap done: 1 IP address (1 host up) scanned in 53.73 seconds
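As an added example (not part of the original post or of Nmap itself), the following Python parser reads the firewalk host-script block shown above and expands Nmap's compact port notation (e.g. 3-4) into explicit port lists per hop, so the set of ports filtered at each hop can be compared against the firewall policy you expect. The sample text is constructed to mirror the run above.

```python
import re

# Constructed sample: the firewalk host-script block in the same layout
# Nmap prints in normal output (values mirror the run shown above).
SAMPLE_OUTPUT = """\
Host script results:
| firewalk:
| HOP  HOST          PROTOCOL  BLOCKED PORTS
| 1    172.26.80.1   tcp       6,20
|_2    192.168.1.1   tcp       1,3-4,7,9,13,17,19
"""

# One firewalk result row, e.g. "| 1  172.26.80.1  tcp  6,20".
# Nmap prefixes the last line of a script block with "|_" instead of "| ".
HOP_RE = re.compile(r"^\|_?\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)\s*$")


def expand_ports(spec):
    """Expand Nmap's compact port list ('1,3-4,7') into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def parse_firewalk(text):
    """Return {hop: {'host': str, 'proto': 'tcp'|'udp', 'blocked': [ports]}}."""
    hops = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("| firewalk:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith("|"):  # left the script result block
            break
        m = HOP_RE.match(line)
        if m:  # header row ("HOP HOST ...") does not match and is skipped
            hop, host, proto, spec = m.groups()
            hops[int(hop)] = {"host": host, "proto": proto,
                              "blocked": expand_ports(spec)}
        if line.startswith("|_"):  # last line of the block
            break
    return hops
```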

Discovering hosts with a broadcast ping

A broadcast ping sends ICMP to the broadcast address and waits for hosts on the LAN to respond. In Nmap the broadcast-ping script performs a broadcast ping:

nmap -e eth0 --script broadcast-ping <target>
# Discover hosts with a broadcast ping
$ nmap -e eth0 --script broadcast-ping 192.168.1.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 22:28 CST
Nmap scan report for 192.168.1.1
Host is up (0.0054s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE

Nmap scan report for HUAWEI_Mate_20_Pro-648056 (192.168.1.3)
Host is up (0.0080s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE

Nmap scan report for 192.168.1.5
Host is up (0.0048s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE

Nmap scan report for 192.168.1.7
Host is up (0.00052s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE

Nmap done: 256 IP addresses (4 hosts up) scanned in 12.88 seconds

Checking whether the target has IP forwarding enabled

IP forwarding means that when a router receives an IP packet, it decides which of its ports to send the packet out of. In Nmap the ip-forwarding script checks whether the target has IP forwarding enabled; the syntax is as follows:

nmap -sn --script ip-forwarding --script-args='target=<domains>' <target>
$ nmap -sn --script ip-forwarding --script-args='target=www.diaoan.xyz' 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 22:58 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).
MAC Address: 28:93:7D:1D:A7:90 (Sichuan Tianyi Comheart Telecom)

Host script results:
| ip-forwarding:
|_ The host has ip forwarding enabled, tried ping against (www.diaoan.xyz)

Nmap done: 1 IP address (1 host up) scanned in 14.24 seconds

Discovering hosts with IGMP

IGMP is a multicast protocol that runs between hosts and multicast routers. In Nmap, broadcast-igmp-discovery discovers the IGMP multicast group memberships of hosts on the network:

# Discover hosts with broadcast-igmp-discovery
$ nmap --script=broadcast-igmp-discovery
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-10 23:02 China Standard Time
Pre-scan script results:
| broadcast-igmp-discovery:
| 192.168.1.1
| Interface: eth6
| Version: 2
| Group: 224.0.0.22
| Description: IGMP
| 192.168.1.3
| Interface: eth6
| Version: 2
| Group: 239.255.255.250
| Description: Organization-Local Scope (rfc2365)
|_ Use the newtargets script-arg to add the results as targets
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 7.45 seconds

Discovering PPPoE servers by broadcast

PPPoE is a widely used broadband access protocol. In Nmap the broadcast-pppoe-discover script discovers PPPoE servers; the syntax is as follows:

nmap --script