[译]nmap绕过防火墙
原文地址:http://resources.infosecinstitute.com/nmap-evade-firewall-scripting/
[color=blue]TCP ACK Scan (-sA)[/color]
发送ACK数据报比发送SYN数据包更好,因为如果远端主机存在主动防火墙,那么由于防火墙对于ACK数据报不产生log,因为防火墙把ACK数据包当成SYN数据包的应答。TCP ACK扫描要求攻击者有root权限,它对stateless类型的防火墙和IDS很有效果。ACK扫描与其他扫描技术不同,因为它本意不是用来发现open端口的,而是用来判断防火墙类型的。
[b]Firewall Enabled[/b]
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:30 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
[b]Firewall Disabled[/b]
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:31 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.1.9 are unfiltered
所以它很容易用来发现目标是否有防火墙,而且ACK扫描被发现的风险较低但是发现是否存在防火墙的几率比较大。
[color=blue]TCP Window Scan (-sW)[/color]
类似于ACK扫描但是有一点不同,TCP Windows扫描用于发现open/closed端口而不是发现是否被过滤的状态。它也需要root权限。
[b]Firewall Enabled[/b]
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:50 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
[b]Firewall Disabled[/b]
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:51 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.9 are closed
这种扫描不与目标之间创建session,所以受害者机器不会记录log。
[color=blue]Fragment Packets (-f)[/color]
改技术把请求分成小段发送,所以叫做分片技术,使用-ff如果你想进一步分片
[b]Firewall Enabled[/b]
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:21 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00056s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[b]Firewall enabled + all ports are closed[/b]
# nmap -ff 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:24 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00083s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[b]Firewall Disabled[/b]
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:20 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[color=blue]Spoof MAC Address[/color]
有一种很简单的技术伪装你的MaC地址,nmap可以为每次扫描随机选择一个MAC地址,另一个选项是手动指定MAC地址(这样做攻击者可以伪装成同一网段内的一台电脑),nmap含有一个nmap-mac-prefixe数据库,当给定一个生产厂商的名字时,它查找数据库来找一个合适的名字。
[b]# nmap –spoof-mac Cisco 192.168.1.3[/b]
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 17:18 PKT
Spoofing MAC address 00:00:0C:6D:3F:26 (Cisco Systems)
Nmap scan report for 192.168.1.3
Host is up (0.00036s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp closed telnet
80/tcp closed http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
nmap脚本
[color=blue]1. smb-check-vulns [/color]
MS08-067 Windows vulnerability that can be exploited
Conficker malware on the target machine
Denial of service vulnerability of Windows 2000
MS06-025 Windows vulnerability
MS07-029 Windows vulnerability
[img]http://dl2.iteye.com/upload/attachment/0102/0943/c230243e-bbca-3656-9b76-bee3242391ce.jpg[/img]
[color=blue]2. Http-enum[/color]
如果想枚举web服务器来寻找web服务器的目录,这个脚本是最适合的。Http-enum同样可以发现开放端口以及每个端口的软件版本
[b]root@bt:~# nmap -sV –script=http-enum 127.0.0.1[/b]
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
| /login.php: Possible admin folder
| /login/: Login page
| /login.php: Login page
| /logs/: Logs
[img]http://dl2.iteye.com/upload/attachment/0102/0946/4e06d39c-a2fa-339e-a00d-2f64d5953c57.jpg[/img]
[color=blue]3. samba-vuln-cve-2012-1182[/color]
用于发现samba CVE-2012-1182栈溢出漏洞
nmap –script=samba-vuln-cve-2012-1182 -p 139 target
nmap –script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3
[color=blue]4. smtp-strangeport[/color]
用于发现smtp服务是否运行在标准端口
nmap -sV –script=smtp-strangeport target
[color=blue]5. http-php-version[/color]
用于获得http版本
[b]nmap -sV –script=http-php-version target[/b]
另外还有
http-wordpress-plugins
http-wordpress-enum
http-wordpress-brute
[color=blue]6. dns-blacklist[/color]
用于发现黑名单IP,你所需要提供的是一个IP以及用于检查反垃圾邮件和代理黑名单的脚本
[b]# nmap -sn 67.213.218.72 –script dns-blacklist[/b]
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-28 23:54 PKT
Nmap scan report for 67.213.218.72
Host is up (0.24s latency).
Host script results:
| dns-blacklist:
| PROXY
| dnsbl.tornevall.org – PROXY
| IP marked as “abusive host”
| Proxy is working
|_ Proxy has been scanned
[color=blue]TCP ACK Scan (-sA)[/color]
发送ACK数据报比发送SYN数据包更好,因为如果远端主机存在主动防火墙,那么由于防火墙对于ACK数据报不产生log,因为防火墙把ACK数据包当成SYN数据包的应答。TCP ACK扫描要求攻击者有root权限,它对stateless类型的防火墙和IDS很有效果。ACK扫描与其他扫描技术不同,因为它本意不是用来发现open端口的,而是用来判断防火墙类型的。
[b]Firewall Enabled[/b]
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:30 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00077s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
[b]Firewall Disabled[/b]
# nmap -sA 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:31 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00020s latency).
All 1000 scanned ports on 192.168.1.9 are unfiltered
所以它很容易用来发现目标是否有防火墙,而且ACK扫描被发现的风险较低但是发现是否存在防火墙的几率比较大。
[color=blue]TCP Window Scan (-sW)[/color]
类似于ACK扫描但是有一点不同,TCP Windows扫描用于发现open/closed端口而不是发现是否被过滤的状态。它也需要root权限。
[b]Firewall Enabled[/b]
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:50 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00051s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
[b]Firewall Disabled[/b]
# nmap -sW 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 13:51 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00071s latency).
All 1000 scanned ports on 192.168.1.9 are closed
这种扫描不与目标之间创建session,所以受害者机器不会记录log。
[color=blue]Fragment Packets (-f)[/color]
改技术把请求分成小段发送,所以叫做分片技术,使用-ff如果你想进一步分片
[b]Firewall Enabled[/b]
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:21 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00056s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[b]Firewall enabled + all ports are closed[/b]
# nmap -ff 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:24 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00083s latency).
All 1000 scanned ports on 192.168.1.9 are filtered
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[b]Firewall Disabled[/b]
# nmap -f 192.168.1.9
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 14:20 PKT
Nmap scan report for 192.168.1.9
Host is up (0.00057s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
[color=blue]Spoof MAC Address[/color]
有一种很简单的技术伪装你的MaC地址,nmap可以为每次扫描随机选择一个MAC地址,另一个选项是手动指定MAC地址(这样做攻击者可以伪装成同一网段内的一台电脑),nmap含有一个nmap-mac-prefixe数据库,当给定一个生产厂商的名字时,它查找数据库来找一个合适的名字。
[b]# nmap –spoof-mac Cisco 192.168.1.3[/b]
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 17:18 PKT
Spoofing MAC address 00:00:0C:6D:3F:26 (Cisco Systems)
Nmap scan report for 192.168.1.3
Host is up (0.00036s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
23/tcp closed telnet
80/tcp closed http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:66:13:9B (Cadmus Computer Systems)
nmap脚本
[color=blue]1. smb-check-vulns [/color]
MS08-067 Windows vulnerability that can be exploited
Conficker malware on the target machine
Denial of service vulnerability of Windows 2000
MS06-025 Windows vulnerability
MS07-029 Windows vulnerability
[img]http://dl2.iteye.com/upload/attachment/0102/0943/c230243e-bbca-3656-9b76-bee3242391ce.jpg[/img]
[color=blue]2. Http-enum[/color]
如果想枚举web服务器来寻找web服务器的目录,这个脚本是最适合的。Http-enum同样可以发现开放端口以及每个端口的软件版本
[b]root@bt:~# nmap -sV –script=http-enum 127.0.0.1[/b]
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-28 18:47 PKT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
| http-enum:
| /login.php: Possible admin folder
| /login/: Login page
| /login.php: Login page
| /logs/: Logs
[img]http://dl2.iteye.com/upload/attachment/0102/0946/4e06d39c-a2fa-339e-a00d-2f64d5953c57.jpg[/img]
[color=blue]3. samba-vuln-cve-2012-1182[/color]
用于发现samba CVE-2012-1182栈溢出漏洞
nmap –script=samba-vuln-cve-2012-1182 -p 139 target
nmap –script=samba-vuln-cve-2012-1182 -p 139 192.168.1.3
[color=blue]4. smtp-strangeport[/color]
用于发现smtp服务是否运行在标准端口
nmap -sV –script=smtp-strangeport target
[color=blue]5. http-php-version[/color]
用于获得http版本
[b]nmap -sV –script=http-php-version target[/b]
另外还有
http-wordpress-plugins
http-wordpress-enum
http-wordpress-brute
[color=blue]6. dns-blacklist[/color]
用于发现黑名单IP,你所需要提供的是一个IP以及用于检查反垃圾邮件和代理黑名单的脚本
[b]# nmap -sn 67.213.218.72 –script dns-blacklist[/b]
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-28 23:54 PKT
Nmap scan report for 67.213.218.72
Host is up (0.24s latency).
Host script results:
| dns-blacklist:
| PROXY
| dnsbl.tornevall.org – PROXY
| IP marked as “abusive host”
| Proxy is working
|_ Proxy has been scanned