Nmap是一个网络连接端扫描软件,用来扫描网上电脑开放的网络连接端,确定哪些服务运行在哪些连接端,并且推断计算机运行哪个操作系统,正如大多数被用于网络安全的工具,Nmap也是不少黑客及骇客爱用的工具,系统管理员可以利用Nmap来探测工作环境中未经批准使用的服务器,但是黑客会利用Nmap来搜集目标电脑的网络设定,从而计划攻击的方法.
主机发现有时候也叫做 Ping 扫描,但它远远超越用世人皆知的 Ping 工具发送简单的 IcMp 回声请求报文,这些探测的目的是获得响应以显示某个 lP 地址是否是活动的(正在被某主机或者网络设备使用).主机发现能够找到零星分布于 lP 地址海洋上的那些机器.
批量Ping扫描: 批量扫描一个网段的主机存活数.
[root@localhost ~]# nmap -sP 192.168.1.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:41 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
MAC Address: 44:7D:3F:07:2C:A1 (Unknown)
Nmap scan report for 192.168.1.2
Host is up (0.000095s latency).
MAC Address: FF:8E:BB:EE:AA:B4 (Unknown)
Nmap scan report for 192.168.1.3
Host is up (0.051s latency).
MAC Address: CC:C0:AC:22:DD:07 (Unknown)
Nmap scan report for 192.168.1.7
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 50.15 seconds跳过Ping探测: 有些主机关闭了ping检测,所以可以使用-P0跳过ping的探测,可以加快扫描速度.
[root@localhost ~]# nmap -P0 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:52 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds计算网段主机IP: 仅列出指定网段上的每台主机,不发送任何报文到目标主机.
[root@localhost ~]# nmap -sL 192.168.1.0/24
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:43 EDT
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap scan report for 192.168.1.4
Nmap scan report for 192.168.1.5
...省略...
Nmap done: 256 IP addresses (0 hosts up) scanned in 4.03 seconds扫描IP地址范围: 可以指定一个IP地址范围
[root@localhost ~]# nmap -sP 192.168.1.1-10
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:17 EDT
Nmap scan report for 192.168.1.1
Host is up (0.00087s latency).
MAC Address: 1A:7D:2E:AC:6E:1A (Unknown)
Nmap scan report for 192.168.1.2
Host is up (0.00016s latency).
MAC Address: 81:8E:38:BC:7C:8E (Unknown)
Nmap scan report for 192.168.1.4
Host is up (0.061s latency).
MAC Address: 81:29:81:64:81:A3 (Unknown)
Nmap scan report for 192.168.1.5
Host is up (0.060s latency).
MAC Address: EA:3A:EA:EA:81:EA (Unknown)
Nmap scan report for 192.168.1.7
Host is up.
Nmap done: 10 IP addresses (5 hosts up) scanned in 0.26 seconds探测开放端口(SYN): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).
[root@localhost ~]# nmap -PS22,80,443 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:15 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds探测开放端口(UDP): 探测目标主机开放的端口,可指定一个以逗号分隔的端口列表(如-PS22,443,80).
[root@localhost ~]# nmap -PU 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 21:55 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 secondsSYN扫描: 使用SYN半开放扫描
[root@localhost ~]# nmap -sS 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 secondsTCP扫描: 扫描开放了TCP端口的设备.
[root@localhost ~]# nmap -sT 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:01 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0012s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.10 secondsUDP扫描: 扫描开放了UDP端口的设备.
[root@localhost ~]# nmap -sU 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:02 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0010s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds协议探测: 探测目标主机支持哪些IP协议
[root@localhost ~]# nmap -sO 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:04 EDT
Nmap scan report for 192.168.1.7
Host is up (0.000016s latency).
Not shown: 249 closed protocols
PROTOCOL STATE SERVICE
1 open icmp
2 open|filtered igmp
6 open tcp
17 open udp
103 open|filtered pim
136 open|filtered udplite
255 open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds探测目标系统: 扫描探测目标主机操作系统,这里结果仅供参考.
[root@localhost ~]# nmap -O 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:06 EDT
Nmap scan report for 192.168.1.7
Host is up (0.000056s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.9
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds探测服务版本: 用于扫描目标主机服务版本号.
[root@localhost ~]# nmap -sV 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:08 EDT
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
3306/tcp open mysql ?
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.43 seconds扫描多台主机: 一次性扫描多台目标主机.
[root@localhost ~]# nmap 192.168.1.2 192.168.1.7
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:11 EDT
Nmap scan report for 192.168.1.2
Host is up (0.00052s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: F4:8E:38:EE:7C:B4 (Unknown)
Nmap scan report for 192.168.1.7
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 2 IP addresses (2 hosts up) scanned in 4.26 seconds导入扫描文件: 从一个文件中导入IP地址,并进行扫描.
[root@localhost ~]# cat lyshark.log
localhost
www.baidu.com
192.168.1.7
[root@localhost ~]# nmap -iL lyshark.log
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-19 22:13 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
3306/tcp open mysql
Nmap scan report for 192.168.1.7
Host is up (0.0000090s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 3 IP addresses (2 hosts up) scanned in 3.09 seconds绕过防火墙: 在扫描时通过使用-f参数以及使用--mtu 4/8/16使用分片、指定数据包的MTU,来绕过防火墙.
[root@localhost ~]# nmap -f 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:12 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000012s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
Nmap done: 1 IP address (1 host up) scanned in 0.07 secondsNmap不仅用于端口扫描,服务检测,其还具有强大的脚本功能,利用Nmap Script可以快速探测服务器,一般情况下,常用的扫描脚本会放在/usr/share/nmap/script目录下,并且脚本扩招名为*.nse后缀的,接下来将介绍最常用的扫描脚本.
扫描WEB敏感目录: 通过使用--script=http-enum.nse可以扫描网站的敏感目录.
[root@localhost ~]# nmap -p 80 --script=http-enum.nse www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 01:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
| /robots.txt: Robots file
| /config/: Potentially interesting folder w/ directory listing
| /docs/: Potentially interesting folder w/ directory listing
| /external/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds绕开鉴权: 负责处理鉴权证书(绕开鉴权)的脚本,也可以作为检测部分应用弱口令.
[root@localhost ~]# nmap --script=auth www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
22/tcp open ssh
25/tcp open smtp
| smtp-enum-users:
|_ root
80/tcp open http
| http-domino-enum-passwords:
|_ ERROR: No valid credentials were found
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds默认脚本扫描: 脚本扫描,主要是搜集各种应用服务的信息,收集到后可再针对具体服务进行攻击.
[root@localhost ~]# nmap --script=default www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:21 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 6 Oct 30 19:45 pub
22/tcp open ssh
| ssh-hostkey: 2048 c2:89:44:fc:e3:1b:5a:65:a1:6e:11:34:73:6d:d5:04 (RSA)
|_256 54:0e:d4:47:2f:b2:d4:2b:33:b6:d8:35:66:2d:a2:aa (ECDSA)
3306/tcp open mysql
| mysql-info: Protocol: 10
| Version: 5.5.60-MariaDB
| Thread ID: 10408
| Status: Autocommit
|_Salt: <D"y]F(2
Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds检测常见漏洞: 通过使用--script=luln,可以扫描网站的常见漏洞,以及网页的目录结构.
[root@localhost ~]# nmap --script=vuln www.mkdirs.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:24 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000017s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
| smtp-vuln-cve2010-4344:
|_ The SMTP server is not Exim: NOT VULNERABLE
80/tcp open http
| http-enum:
| /login.php: Possible admin folder
| /robots.txt: Robots file
| /config/: Potentially interesting folder w/ directory listing
| /docs/: Potentially interesting folder w/ directory listing
| /external/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-fileupload-exploiter:
|_http-frontpage-login: false
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds内网服务探测: 通过使用--script=broadcast,可以实现在局域网内探查更多服务开启状况.
[root@localhost ~]# nmap -n -p445 --script=broadcast 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:28 EDT
Pre-scan script results:
| broadcast-dhcp-discover:
| IP Offered: 192.168.1.14
| Server Identifier: 192.168.1.1
| Subnet Mask: 255.255.255.0
| Router: 192.168.1.1
|_ Domain Name Server: 192.168.1.1
| broadcast-eigrp-discovery:
|_ ERROR: Couldn't get an A.S value.
| broadcast-listener:
| ether
| ARP Request
| sender ip sender mac target ip
| 192.168.1.1 43:72:23:04:56:21 192.168.1.2
| 192.168.1.2 B4:8C:28:BE:4C:34 192.168.1.1
| EIGRP Update
........进行WhoIS查询: 通过使用--script whois模块,可以查询网站的简单信息.
[root@localhost ~]# nmap --script whois www.baidu.com
Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
| country: CN
| person: ChinaUnicom Hostmaster
|_email: hqs-ipabuse@chinaunicom.cn
Nmap done: 1 IP address (1 host up) scanned in 4.76 seconds详细WhoIS解析: 利用第三方的数据库或资源,查询详细的WhoIS解析情况.
[root@localhost ~]# nmap --script external www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-30 23:31 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
|_http-robtex-shared-ns: ERROR: Script execution failed (use -d to debug)
| ip-geolocation-geoplugin:
| 61.135.169.125 (www.baidu.com)
| coordinates (lat,lon): 39.9288,116.3889
|_ state: Beijing, China
|_ip-geolocation-maxmind: ERROR: Script execution failed (use -d to debug)
| whois: Record found at whois.apnic.net
| inetnum: 61.135.0.0 - 61.135.255.255
| netname: UNICOM-BJ
| descr: China Unicom Beijing province network
|_country: CN
.....发现内网网关: 通过使用--script=broadcast-netbios-master-browser可以发现内网网关的地址.
[root@localhost ~]# nmap --script=broadcast-netbios-master-browser 192.168.1.1
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:05 EDT
Pre-scan script results:
| broadcast-netbios-master-browser:
| ip server domain
|_192.168.1.2 Web-Server WORKGROUP
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp filtered http
1900/tcp open upnp
MAC Address: 42:1C:1B:E7:B1:B2 (TP-Link)发现WEB中Robots文件: 通过使用--script=http-robots.txt.nse可以检测到robots文件内容.
[root@localhost scripts]# nmap --script=http-robots.txt.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:12 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.019s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
443/tcp open https
| http-robots.txt: 9 disallowed entries
| /baidu /s? /ulink? /link? /home/news/data/ /shifen/
|_/homepage/ /cpro /
Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds检查WEB服务器时间: 检查web服务器的当前时间.
[root@localhost scripts]# nmap -p 443 --script http-date.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:16 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
443/tcp open https
|_http-date: Sun, 31 Mar 2019 06:16:53 GMT; 0s from local time.
Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds执行DOS攻击: dos攻击,对于处理能力较小的站点还挺好用的.
[root@localhost ~]# nmap --script http-slowloris --max-parallelism 1000 www.mkdirs.com
Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:21 EDT检查DNS子域: 检查目标ns服务器是否允许传送,如果能,直接把子域拖出来就好了.
[root@localhost scripts]# nmap -p 53 --script dns-zone-transfer.nse -v www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:28 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [4 ports]
Completed Ping Scan at 02:28, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:28
Completed Parallel DNS resolution of 1 host. at 02:28, 0.01s elapsed
Initiating SYN Stealth Scan at 02:28
Scanning www.baidu.com (61.135.169.121) [1 port]
Completed SYN Stealth Scan at 02:28, 0.20s elapsed (1 total ports)
NSE: Script scanning 61.135.169.121.
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.016s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
53/tcp filtered domain
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Raw packets sent: 6 (240B) | Rcvd: 1 (28B)查询WEB旁站: 旁站查询,ip2hosts接口该接口似乎早已停用,如果想继续用,可自行到脚本里把接口部分的代码改掉.
[root@localhost scripts]# nmap -p80 --script hostmap-ip2hosts.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 02:29 EDT
Nmap scan report for www.baidu.com (61.135.169.121)
Host is up (0.017s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.125
PORT STATE SERVICE
80/tcp open http
Host script results:
| hostmap-ip2hosts:
|_ hosts: Error: could not GET http://www.ip2hosts.com/csv.php?ip=61.135.169.121
Nmap done: 1 IP address (1 host up) scanned in 5.89 seconds暴力破解DNS记录: 这里以破解百度的域名为例子,由于内容较多这里简化显示.
[root@localhost scripts]# nmap --script=dns-brute.nse www.baidu.com
Starting Nmap 6.40 ( http://nmap.org ) at 2019-03-31 03:19 EDT
Nmap scan report for www.baidu.com (61.135.169.125)
Host is up (0.018s latency).
Other addresses for www.baidu.com (not scanned): 61.135.169.121
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| dns-brute:
| DNS Brute-force hostnames
| lab.baidu.com - 180.149.144.192
| lab.baidu.com - 180.149.132.122
| corp.baidu.com - 123.129.254.12
|_ log.baidu.com - 10.26.39.14
Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds内网VNC扫描: 通过使用脚本,检查VNC版本等一些敏感信息.
[root@localhost ~]# nmap --script=realvnc-auth-bypass 127.0.0.1 #检查VNC版本
[root@localhost ~]# nmap --script=vnc-auth 127.0.0.1 #检查VNC认证方式
[root@localhost ~]# nmap --script=vnc-info 127.0.0.1 #获取VNC信息
[root@localhost ~]# nmap --script=vnc-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #暴力破解VNC密码内网SMB扫描: 检查局域网中的Samba服务器,以及对服务器的暴力破解.
[root@localhost ~]# nmap --script=smb-brute.nse 127.0.0.1 #简单尝试破解SMB服务
[root@localhost ~]# nmap --script=smb-check-vulns.nse --script-args=unsafe=1 127.0.0.1 #SMB已知几个严重漏
[root@localhost ~]# nmap --script=smb-brute.nse --script-args=userdb=/user.txt,passdb=/pass.txt 127.0.0.1 #通过传递字段文件,进行暴力破解
[root@localhost ~]# nmap -p445 -n --script=smb-psexec --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查询主机一些敏感信息:nmap_service
[root@localhost ~]# nmap -n -p445 --script=smb-enum-sessions.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查看会话
[root@localhost ~]# nmap -n -p445 --script=smb-os-discovery.nse --script-args=smbuser=admin,smbpass=1233 127.0.0.1 #查看系统信息MSSQL扫描: 检查局域网中的SQL Server服务器,以及对服务器的暴力破解.
[root@localhost ~]# nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #暴力破解MSSQL密码
[root@localhost ~]# nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa 127.0.0.1 #dumphash值
[root@localhost ~]# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4 xp_cmdshell #执行命令MYSQL扫描: 检查局域网中的MySQL服务器,以及对服务器的暴力破解.
[root@localhost ~]# nmap -p3306 --script=mysql-empty-password.nse 127.0.0.1 #扫描root空口令
[root@localhost ~]# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1 #列出所有用户
[root@localhost ~]# nmap -p3306 --script=mysql-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #暴力破解MYSQL口令Oracle扫描: 检查局域网中的Oracle服务器,以及对服务器的暴力破解.
[root@localhost ~]# nmap --script=oracle-sid-brute -p 1521-1560 127.0.0.1 #oracle sid扫描
[root@localhost ~]# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 127.0.0.1 #oracle弱口令破解以上只是个人笔记,如需了解原理,下面..
推荐一个博客:https://blog.csdn.net/m0_37268841/article/category/7681798
原文:https://www.cnblogs.com/LyShark/p/10637507.html