Probing Web Services with Nmap

Probing HTTP Services

Detecting Basic Authentication

Basic authentication is a feature of HTTP services: when a client accesses the server, the browser prompts the user for a username and password, which is meant to protect the user's login. In Nmap, the http-auth script shows the server's basic authentication information.

nmap --script http-auth <target>

Detecting Default Accounts

Web applications usually ship with a default account. In Nmap, the http-default-accounts script checks whether the target web service allows logging in with one of these default accounts. The command is followed by the script's own argument documentation:

nmap --script=http-default-accounts -p <port> <target>
-- @args http-default-accounts.basepath Base path to append to requests. Default: "/"
-- @args http-default-accounts.fingerprintfile Fingerprint filename. Default: http-default-accounts-fingerprints.lua
-- @args http-default-accounts.category Selects a fingerprint category (or a list of categories).
-- @args http-default-accounts.name Selects fingerprints by a word (or a list of alternate words) included in their names.

Checking for Risky HTTP Methods

In Nmap, the http-methods script checks whether the server supports HTTP methods that are potentially risky (it lists the supported methods and, when present, a separate "Potentially risky methods" line):

$ nmap --script http-methods 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 21:56 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0046s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
445/tcp open microsoft-ds
8080/tcp open http-proxy
| http-methods:
|_ Supported Methods: GET POST
32768/tcp open filenet-tms
49152/tcp open unknown
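As an added example that is not part of the original post, the following Python triage reads saved http-methods output like the scan above and flags ports that expose methods worth reviewing. The 8081 block in the sample is constructed to exercise that branch; the two indented lines under it follow the script's real output format.

```python
import re

# Constructed sample: the page's http-methods output for 192.168.1.1, plus one
# extra port (8081) added here to exercise the risky-method branch.
SAMPLE = """\
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy
| http-methods:
|_ Supported Methods: GET POST
8081/tcp open http
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE TRACE
|_  Potentially risky methods: PUT DELETE TRACE
"""

# Methods worth a second look: PUT/DELETE can change content, TRACE echoes the
# request back (cross-site tracing), CONNECT turns the server into a proxy.
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT"}

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+")
METHODS_RE = re.compile(r"^\|_?\s*Supported Methods:\s*(.*)$")


def parse_methods(text):
    """Return {port: [methods]} for every port that has an http-methods block."""
    result, port = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            continue
        m = METHODS_RE.match(line)
        if m and port is not None:
            result[port] = m.group(1).split()
    return result


def risky_ports(text):
    """Return {port: sorted risky methods} for ports exposing any risky method."""
    found = {}
    for port, methods in parse_methods(text).items():
        hit = sorted(set(methods) & RISKY)
        if hit:
            found[port] = hit
    return found
```

On the page's own scan every port reports only GET/HEAD/POST/OPTIONS, which is why Nmap printed no "Potentially risky methods" line there.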

Extracting HTTP Comments

The http-comments-displayer script extracts HTML comments from HTTP responses and prints them:

nmap -p80 --script http-comments-displayer <target>

Getting the HTTP Server Time

The http-date script retrieves the server's time and also shows its offset from the local clock:

$ nmap -P0 --script http-date 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 22:29 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0070s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
|_http-date: Wed, 16 Feb 2022 14:29:24 GMT; -37s from local time.
445/tcp open microsoft-ds
8080/tcp open http-proxy/
|_http-date: Wed, 16 Feb 2022 14:29:10 GMT; -37s from local time.
32768/tcp open filenet-tms
49152/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.58 seconds

Enumerating HTTP Service Directories

In Nmap, the http-enum script enumerates the web directories of an HTTP service:

nmap --script http-enum <target> -p 80

Getting HTTP Headers

HTTP headers are the header fields that the HTTP specification defines for both request and response messages. The http-headers script retrieves the response headers:

$ nmap -sV --script http-headers www.diaoan.xyz -p 80
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-17 22:36 China Standard Time
Nmap scan report for www.diaoan.xyz
Host is up (0.029s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-headers:
| Server: nginx/1.20.1
| Date: Thu, 17 Feb 2022 14:36:20 GMT
| Content-Type: text/html
| Content-Length: 169
| Connection: close
| Location: https://www.diaoan.xyz/
|
|_ (Request type: GET)
|_http-server-header: nginx/1.20.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.79 seconds

Getting the HTTP Directory Structure

By crawling the server, Nmap can display the service's directory structure and the file types it found. The http-sitemap-generator script produces this directory structure:

$ nmap --script http-sitemap-generator www.diaoan.xyz -p 80
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-17 22:50 China Standard Time
Nmap scan report for www.diaoan.xyz
Host is up (0.030s latency).

PORT STATE SERVICE
80/tcp open http
| http-sitemap-generator:
| Directory structure:
| Longest directory structure:
| Depth: 0
| Dir: /
| Total files found (by extension):
|_

Nmap done: 1 IP address (1 host up) scanned in 6.41 seconds

Checking Whether the Host Allows Crawlers

In Nmap, the http-useragent-tester script checks whether the target host allows web crawlers, by requesting the page with a series of common crawler User-Agent strings and reporting which ones are allowed:

$ nmap -p80 --script http-useragent-tester 192.168.1.1
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-17 22:56 China Standard Time
Nmap scan report for 192.168.1.1
Host is up (0.0022s latency).

PORT STATE SERVICE
80/tcp open http
| http-useragent-tester:
| Status for browser useragent: 200
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
|_ WWW-Mechanize/1.34

Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds

Checking Whether a Web Service Is Vulnerable to Slowloris DoS

In Nmap, the http-slowloris script tests whether a web service is vulnerable to a Slowloris DoS attack; this script cannot run on Windows. Note that http-slowloris belongs to Nmap's dos and intrusive script categories and really does tie up the server's connections while it runs, so against production systems the non-disruptive http-slowloris-check script is the appropriate test.

nmap --script http-slowloris --min-parallelism 3000 <target>

Probing SSL/TLS

Enumerating SSL Cipher Suites

In Nmap, the ssl-enum-ciphers script enumerates the cipher suites the server supports for each protocol version and grades each one (A is strongest); the closing "least strength" line summarises the worst grade found:

$ nmap --script ssl-enum-ciphers -p 443 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-17 23:08 China Standard Time
Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.0095s latency).
Other addresses for www.baidu.com (not scanned): 14.215.177.38

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| Forward Secrecy not supported by any cipher
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| Broken cipher RC4 is deprecated by RFC 7465
|_ least strength: C

Nmap done: 1 IP address (1 host up) scanned in 7.17 seconds
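As an added example that is not from the original post, this Python helper parses saved ssl-enum-ciphers output like the scan above and reduces it to the findings a hardening review acts on: legacy protocol versions offered, the weakest grade, RC4 suites, and suites without forward secrecy. The sample embeds the SSLv3 and TLSv1.2 sections of the page's scan, flattened exactly as the page shows them.

```python
import re

# Constructed sample: the SSLv3 and TLSv1.2 sections of the page's
# ssl-enum-ciphers scan of www.baidu.com, flattened as the page shows them.
SAMPLE = """\
| SSLv3:
| ciphers:
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_ least strength: C
"""

PROTO_RE = re.compile(r"^\|_?\s*(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^\|_?\s*(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])$")
# SSLv3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ciphers(text):
    """Return {protocol: [(cipher, key_exchange, grade), ...]}."""
    suites, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            suites[proto] = []
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            suites[proto].append(m.groups())
    return suites


def assess(text):
    # Summarise the findings a TLS hardening review would act on.
    suites = parse_ciphers(text)
    every = [s for lst in suites.values() for s in lst]
    return {
        "legacy_protocols": sorted(set(suites) & LEGACY),
        "least_strength": max(g for _, _, g in every),  # Nmap grades: A best
        "rc4_suites": sorted({c for c, _, _ in every if "_RC4_" in c}),
        # Only ephemeral (EC)DHE key exchange gives a suite forward secrecy.
        "no_forward_secrecy": sorted({c for c, _, _ in every
                                      if "_ECDHE_" not in c and "_DHE_" not in c}),
    }
```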

Getting the SSL Certificate

In Nmap, the ssl-cert script retrieves the certificate's validity period, common name, organization, state or province, locality and similar fields:

PS C:\Users\DIAOAN> nmap --script ssl-cert -p 443 www.baidu.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-17 23:09 China Standard Time
Nmap scan report for www.baidu.com (14.215.177.39)
Host is up (0.0092s latency).
Other addresses for www.baidu.com (not scanned): 14.215.177.38

PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=baidu.com/organizationName=Beijing Baidu Netcom Science Technology Co., Ltd/stateOrProvinceName=beijing/countryName=CN
| Subject Alternative Name: DNS:baidu.com, DNS:baifubao.com, DNS:www.baidu.cn, DNS:www.baidu.com.cn, DNS:mct.y.nuomi.com, DNS:apollo.auto, DNS:dwz.cn, DNS:*.baidu.com, DNS:*.baifubao.com, DNS:*.baidustatic.com, DNS:*.bdstatic.com, DNS:*.bdimg.com, DNS:*.hao123.com, DNS:*.nuomi.com, DNS:*.chuanke.com, DNS:*.trustgo.com, DNS:*.bce.baidu.com, DNS:*.eyun.baidu.com, DNS:*.map.baidu.com, DNS:*.mbd.baidu.com, DNS:*.fanyi.baidu.com, DNS:*.baidubce.com, DNS:*.mipcdn.com, DNS:*.news.baidu.com, DNS:*.baidupcs.com, DNS:*.aipage.com, DNS:*.aipage.cn, DNS:*.bcehost.com, DNS:*.safe.baidu.com, DNS:*.im.baidu.com, DNS:*.baiducontent.com, DNS:*.dlnel.com, DNS:*.dlnel.org, DNS:*.dueros.baidu.com, DNS:*.su.baidu.com, DNS:*.91.com, DNS:*.hao123.baidu.com, DNS:*.apollo.auto, DNS:*.xueshu.baidu.com, DNS:*.bj.baidubce.com, DNS:*.gz.baidubce.com, DNS:*.smartapps.cn, DNS:*.bdtjrcv.com, DNS:*.hao222.com, DNS:*.haokan.com, DNS:*.pae.baidu.com, DNS:*.vd.bdstatic.com, DNS:*.cloud.baidu.com, DNS:click.hm.baidu.com, DNS:log.hm.baidu.com, DNS:cm.pos.baidu.com, DNS:wn.pos.baidu.com, DNS:update.pan.baidu.com
| Issuer: commonName=GlobalSign Organization Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-07-01T01:16:03
| Not valid after: 2022-08-02T01:16:03
| MD5: aeed fb3c 1c26 b90d 0853 7523 bbb1 6bf1
|_SHA-1: be76 05a3 b72b 60fc aa6c 58b6 896b 9e2e 7442 ec50

Nmap done: 1 IP address (1 host up) scanned in 9.37 seconds
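As an added example that is not from the original post, this Python helper parses saved ssl-cert output like the scan above, reports whether the certificate was valid at scan time and how many days it had left, and checks whether a given hostname is covered by the Subject Alternative Name list. The sample embeds the page's output with its SAN list cut down to four entries, and SCAN_TIME is the page's scan timestamp.

```python
import re
from datetime import datetime

# Constructed sample: the page's ssl-cert output for www.baidu.com, with the
# Subject Alternative Name list cut down to four of its entries.
SAMPLE = """\
| ssl-cert: Subject: commonName=baidu.com/organizationName=Beijing Baidu Netcom Science Technology Co., Ltd/stateOrProvinceName=beijing/countryName=CN
| Subject Alternative Name: DNS:baidu.com, DNS:*.baidu.com, DNS:*.bce.baidu.com, DNS:update.pan.baidu.com
| Issuer: commonName=GlobalSign Organization Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE
| Public Key bits: 2048
| Not valid before: 2021-07-01T01:16:03
| Not valid after: 2022-08-02T01:16:03
"""
SCAN_TIME = datetime(2022, 2, 17, 23, 9)  # when the page's scan ran

# One "key: value" per line; the first line also carries the "ssl-cert: " prefix.
FIELD_RE = re.compile(r"^\|_?\s*(?:ssl-cert: )?([^:]+):\s*(.*)$")


def parse_cert(text):
    """Return the script's fields as a dict, plus 'sans' as a list of DNS names."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    san = fields.get("Subject Alternative Name", "")
    fields["sans"] = [n[4:] for n in san.split(", ") if n.startswith("DNS:")]
    return fields


def validity(fields, now=SCAN_TIME):
    """Return (currently_valid, days_until_expiry); days go negative after expiry."""
    start = datetime.fromisoformat(fields["Not valid before"])
    end = datetime.fromisoformat(fields["Not valid after"])
    return start <= now <= end, (end - now).days


def name_matches(hostname, pattern):
    # RFC 6125 style: a wildcard stands for exactly one leftmost label.
    host, pat = hostname.lower().split("."), pattern.lower().split(".")
    if len(host) != len(pat):
        return False
    return host[1:] == pat[1:] if pat[0] == "*" else host == pat


def covers(fields, hostname):
    """True when some SAN entry matches the name the client connected to."""
    return any(name_matches(hostname, san) for san in fields["sans"])
```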