Collection of penetration test information -- use with nmap and other tools
2022-07-06 18:35:00 [Aspirin.2002]
Using nmap together with other tools
Every penetration test starts from the open ports
Common ports and how they are attacked
Port | Service / protocol notes | Possible uses during a penetration test |
---|---|---|
tcp 21 | ftp, default command and data transfer port (plaintext, or encrypted) | anonymous upload/download, brute-force, sniffing, Windows privilege escalation, remote code execution (proftpd 1.3.5), backdoored builds (proftpd, vsftpd 2.3.4) |
tcp 22 | ssh (encrypted) | brute-force using the credentials gathered so far, man-in-the-middle against protocol v1, ssh tunnels and intranet port forwarding, file transfer; the usual Linux remote-management entry point |
tcp 23 | telnet (plaintext) | brute-force, sniffing; common on routers and switches, weak passwords are worth trying and can give unexpected access |
tcp 25 | smtp (enabled by default on many Linux distributions) | mail forgery, VRFY/EXPN user enumeration (smtp-user-enum automates this) |
tcp/udp 53 | dns | zone transfer, dns hijacking, cache poisoning, spoofing, dns tunnelling for command and control |
udp 69 | tftp (no authentication) | download the target's configuration files |
tcp 80-89, 443, 8440-8450, 8080-8089 | web (common web service ports) | classic top-n web attacks, vpn portals, OWA and webmail, the target's OA system, Java consoles, server management panels, middleware and framework exploits, and so on |
tcp 110 | pop3 (plaintext or encrypted) | brute-force, sniffing |
tcp 137, 139, 445 | smb / samba (file sharing between Windows and Linux) | brute-force, smb remote code execution vulnerabilities such as ms08-067 and ms17-010, sniffing |
tcp 143 | imap (plaintext or encrypted) | brute-force |
udp 161 | snmp (plaintext) | brute-force default community strings, collect intranet information |
tcp 389 | ldap (Lightweight Directory Access Protocol) | ldap injection, anonymous bind, weak passwords |
tcp 512, 513, 514 | rexec / rlogin / rsh | brute-force, rlogin login |
tcp 873 | rsync backup service | anonymous access, file upload |
tcp 1194 | openvpn | find a way to capture vpn credentials, then reach the intranet |
tcp 1352 | Lotus Domino mail service | weak passwords, information leakage, brute-force |
tcp 1433 | mssql database (exposed externally) | injection, privilege escalation, weak sa password, brute-force |
tcp 1521 | oracle database (tns listener) | brute-force, injection, get a shell |
tcp 1500 | ispmanager hosting control panel | weak password |
tcp 111, 1025, 2049 | rpcbind / nfs | misconfigured export permissions |
tcp 1723 | pptp | brute-force, capture vpn credentials, reach the intranet |
tcp 2082, 2083 | cpanel host management login | weak password |
tcp 2181 | zookeeper | unauthorized access |
tcp 2601, 2604 | zebra routing daemon | default password zebra |
tcp 3128 | squid proxy | weak password |
tcp 3311, 3312 | kangle host management login | weak password |
tcp 3306 | mysql database | injection, privilege escalation, brute-force |
tcp 3389 | windows rdp remote desktop | sticky-keys (shift) backdoor, brute-force, ms12-020 (blue-screen DoS exp) |
tcp 3690 | svn | source code leak, unauthorized access |
tcp 4848 | glassfish console | weak password |
tcp 4899 | radmin remote desktop | grab the password and pivot to other machines |
tcp 5000 | sybase / DB2 database | brute-force, injection |
tcp 5432 | postgresql database | brute-force, injection, weak password |
tcp 5632 | pcanywhere remote desktop | grab the password, code execution |
tcp 5900, 5901, 5902 | vnc remote desktop | weak-password brute-force; without good prior information gathering the success rate is low |
tcp 5984 | CouchDB | unauthorized arbitrary command execution |
tcp 6379 | redis | unauthorized access, weak-password brute-force |
tcp 7001, 7002 | weblogic console | java deserialization, weak password |
tcp 7778 | kloxo host panel login | weak password |
tcp 8000 | Ajenti hosting control panel | weak password |
tcp 8443 | plesk hosting control panel | weak password |
tcp 8069 | zabbix | remote execution, sql injection |
tcp 8080-8089 | Jenkins, jboss | deserialization, console weak password |
tcp 9080-9081, 9090 | websphere console | java deserialization / weak password |
tcp 9200, 9300 | elasticsearch | remote execution |
tcp 10000 | webmin (Linux web control panel) | weak password |
tcp 11211 | memcached | unauthorized access |
tcp 27017, 27018 | mongodb | brute-force, unauthorized access |
tcp 50000 | SAP Management Console | remote execution |
tcp 50070, 50030 | hadoop | default ports, unauthorized access |
1. Nmap: typical uses
Host discovery
Identify hosts on the network, for example by listing those that respond to TCP and/or ICMP probes or have a specific port open.
Port scanning
Enumerate the open ports on the target host.
Version detection
Interrogate the network service on the remote device to determine the application name and version number.
OS detection
Determine the operating system and hardware characteristics of the network device.
Vulnerability detection by software version
Check the detected software versions against known vulnerabilities (done with Nmap scripts).
2. Nmap: common scanning parameters
Parameter (case sensitive) | Explanation |
---|---|
-sT | TCP connect() scan. It completes the full three-way handshake, so the target host's logs record a large number of connection requests and error messages. (Not recommended) |
-sS | Half-open (SYN) scan. Few systems log it, but it needs root privileges, even when scanning other hosts from your own machine. |
-sF, -sN, -sX | Stealth FIN, Null and Xmas Tree scans. |
-sP | Ping scan (replaced by -sn in current Nmap versions). By default Nmap pings hosts before port scanning and only continues with the hosts that are up. |
-sU | UDP scan; slow and unreliable, because a port that stays silent is reported as open or filtered. |
-sA | ACK scan. It does not find open ports; it is used to map a firewall's rule set (whether it is stateful, which ports are filtered). |
-sV | Probe open ports to determine the service and its version. |
-Pn | Skip host discovery and treat every target as up. Use this when a firewall blocks ping. |
-v | Show scan progress (verbose); recommended. |
-h | Help; the clearest quick reference. |
-p | Specify ports, e.g. "1-65535", "1433", "135", "22", "80" (-p- means all 65535 ports). |
-O | Enable remote OS detection (false positives are possible). |
-A | Aggressive scan: OS detection, version detection, script scanning and traceroute. |
-oN / -oX / -oG | Write the report to a file in normal, XML or grepable format (-oA writes all three). |
-T4 | Aggressive timing template; for TCP ports it caps the dynamic scan delay at 10 ms. |
-iL | Read the target list from a file, e.g. "-iL C:\ip.txt". |
3. Nmap script categories
auth: scripts that deal with authentication credentials on the target (or bypass authentication); password guessing itself belongs to the brute category
broadcast: discover additional services on the LAN, such as dhcp/dns/sqlserver
brute: brute-force password guessing against common services such as http/snmp
default: the scripts run by -sC or -A; basic script scanning
discovery: gather more information about the network, such as SMB enumeration and SNMP queries
dos: scripts that may cause a denial of service
exploit: exploit known vulnerabilities to compromise the system
external: use third-party databases or resources, for example whois lookups
fuzzer: fuzzing scripts that send malformed packets to the target to find potential vulnerabilities
intrusive: noisy or risky scripts that may cause the target's IDS/IPS to log or block you
malware: detect whether the target is infected with malware or has a backdoor open
safe: the opposite of intrusive; scripts unlikely to crash services or consume many resources
version: scripts that extend the version detection (Version Detection) feature
vuln: check whether the target has well-known vulnerabilities such as MS08-067 and MS17-010
auth, brute and vuln are the most commonly used categories
4. Examples
Common scans
-sP: ping scan (prints the hosts that answered the ping sweep, with no further probing such as port scanning or OS detection): nmap -sP 192.168.110.0/24
(use this to find which machines are on the LAN; on current Nmap the equivalent option is -sn)
-sS: half-open scan (TCP scan without completing the three-way handshake)
This is the most frequently used scan option: a SYN scan, also called half-open scan, never opens a complete TCP connection, so it runs fast and efficiently (a full TCP connection needs three handshake packets; -sS stops after the SYN/ACK).
Advantages: Nmap sends a SYN packet to the remote host but never establishes a session, so the application on the target host rarely logs the connection (an IDS or firewall can still see the SYN packets). Fast, efficient, and the option used most often in practice.
Disadvantage: it requires root/administrator privileges.
nmap -sS 192.168.110.14
nmap -sS -p 1-65535 192.168.110.4
(scan all 65535 ports of the target, half-open)
-sT: full three-way-handshake TCP scan
Advantage: ordinary users can run it.
Disadvantages: easy to detect, because the target host logs a large number of connection requests and error messages; the full three-way handshake makes it slow and inefficient. -sS is recommended instead.
-sV: detect the version of the service on each open port
Version detection identifies the software and version running on the target host's ports: nmap -sV 192.168.110.247
-O: detect the target's operating system: nmap -O 192.168.110.247
-A: OS detection, version detection, script scanning and traceroute in one comprehensive scan: nmap -A 192.168.110.247
-Pn -A: skip host discovery to get past a firewall that drops ping, then run the full scan: nmap -Pn -A 192.168.110.247
Script usage
nmap --script=auth 192.168.3.26
Weak-password scanning
nmap --script=brute 192.168.3.26
nmap --script=vuln 192.168.3.26
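The workflow the port table and the examples above describe is a two-stage one: a fast SYN scan of all ports, then per-port follow-up with -sV and the NSE scripts that match the service. The script below is an added example (not code from the original post) that glues the two stages together: it parses the grepable (-oG) output of the first scan and prints the second-stage nmap command that the port table suggests for each open port. The scan output embedded in it is constructed, not a real scan; the per-port choice of scripts is this example's, and every script name is one that ships with nmap.

```shell
#!/bin/sh
# Added example: stage-1 nmap grepable output -> stage-2 per-port nmap commands.
# Assumes nmap is on PATH when the printed commands are run. The sample output
# below is constructed (real -oG output separates fields with tabs; awk splits
# on any whitespace, so spaces work the same way here).

SAMPLE_GNMAP='# Nmap 7.93 scan initiated as: nmap -sS -p- -oG - 192.168.110.14
Host: 192.168.110.14 ()  Status: Up
Host: 192.168.110.14 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 6379/open/tcp//redis///, 8080/filtered/tcp//http-proxy///  Ignored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned in 72.10 seconds'

# open_ports: read grepable output on stdin, print "host port" for every port
# whose state is "open" (filtered and closed entries are dropped).
open_ports() {
  awk '/Ports:/ {
    host = $2
    sub(/.*Ports: /, "")
    sub(/[ \t]*Ignored State:.*/, "")
    n = split($0, entries, ", ")
    for (i = 1; i <= n; i++) {
      split(entries[i], f, "/")   # port/state/proto/owner/service/rpc/version
      if (f[2] == "open") print host, f[1]
    }
  }'
}

# followup: print the stage-2 nmap command for one open port, following the
# attack ideas in the port table (anonymous ftp and known backdoors, smb
# remote-execution bugs, snmp community strings, unauthenticated data stores).
followup() {
  host=$1
  port=$2
  case $port in
    21)          echo "nmap -sV -p 21 --script ftp-anon,ftp-vsftpd-backdoor,ftp-proftpd-backdoor $host" ;;
    22)          echo "nmap -sV -p 22 --script ssh-hostkey,ssh2-enum-algos $host" ;;
    25)          echo "nmap -sV -p 25 --script smtp-commands,smtp-enum-users $host" ;;
    69)          echo "nmap -sU -p 69 --script tftp-enum $host" ;;
    111|2049)    echo "nmap -sV -p 111,2049 --script nfs-showmount,nfs-ls $host" ;;
    139|445)     echo "nmap -sV -p 139,445 --script smb-os-discovery,smb-vuln-ms08-067,smb-vuln-ms17-010 $host" ;;
    161)         echo "nmap -sU -p 161 --script snmp-info,snmp-brute $host" ;;
    873)         echo "nmap -sV -p 873 --script rsync-list-modules $host" ;;
    1433)        echo "nmap -sV -p 1433 --script ms-sql-info,ms-sql-empty-password $host" ;;
    3306)        echo "nmap -sV -p 3306 --script mysql-info,mysql-empty-password $host" ;;
    3389)        echo "nmap -sV -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 $host" ;;
    5984)        echo "nmap -sV -p 5984 --script couchdb-databases,couchdb-stats $host" ;;
    6379)        echo "nmap -sV -p 6379 --script redis-info $host" ;;
    11211)       echo "nmap -sV -p 11211 --script memcached-info $host" ;;
    27017|27018) echo "nmap -sV -p $port --script mongodb-info,mongodb-databases $host" ;;
    50030|50070) echo "nmap -sV -p $port --script hadoop-jobtracker-info,hadoop-namenode-info $host" ;;
    80|443|8080|8443) echo "nmap -sV -p $port --script http-title,http-headers,http-enum $host" ;;
    # Unknown service: version detection plus the default category, minus
    # anything intrusive, so the follow-up stays quiet until you know more.
    *)           echo "nmap -sV -p $port --script \"default and not intrusive\" $host" ;;
  esac
}

# plan: grepable output on stdin -> one follow-up command per open port.
plan() {
  open_ports | while read -r host port; do
    followup "$host" "$port"
  done
}

# Run against a saved stage-1 scan (GNMAP_FILE=scan.gnmap sh followup.sh) or,
# with no file given, against the constructed sample above.
if [ -n "${GNMAP_FILE:-}" ]; then
  plan < "$GNMAP_FILE"
else
  printf '%s\n' "$SAMPLE_GNMAP" | plan
fi
```

Save the stage-1 scan with `nmap -sS -p- -oG scan.gnmap <target>` and run the script with `GNMAP_FILE=scan.gnmap`; the printed commands are the stage-2 scans. The script-category expressions (`"default and not intrusive"`, or `"vuln and not dos"` when checking for known vulnerabilities) are the practical way to use the categories listed above without tripping the dos and intrusive scripts on a production target.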