[Kali penetration all-round practice] use Nmap for port detection to find vulnerable sites

Article directory

1 Summary

One port is a very important thing in network application, equivalent to "door".
What is port
Port is a very important concept in computer network. It is not a hardware, different from the slot in computer, it can be said to be a software slot. If necessary, there can be tens of thousands of ports in a computer.

   The port is defined by the TCP/IP protocol. It is stipulated that ip address and port are used as socket, which represents a connection end of TCP link, generally known as socket. Specifically, it is to use [ip: Port] to locate the process in a host. It can be used as a metaphor that a port is the gateway between two computer processes, which can be defined casually. Its purpose is only to let two computers find each other's processes. A computer is like a building. There are many entrances (ports) in the building. You can find different companies (processes) in different entrances. If you want to communicate with the program of remote host a, you only need to send the data to [a; port] to realize the communication.

Classification of three ports
On the Internet, according to the protocol type, ports are divided into two types: TCP port and UDP port. Although they are all identified by positive integers, this does not cause ambiguity, such as TCP port 80 and UDP port 80, because the datagram will indicate the port type as well as the port type.
From the point of view of port allocation, ports are divided into two categories: fixed ports and dynamic ports (some tutorials also divide the rarely used high ports into the third category: Private Ports):
Fixed port (0-1023):
Use a centralized management mechanism, that is, obey the assignment of ports by a management organization, which is responsible for publishing these assignments. Because these ports are tightly bound to some services, we will often scan these ports to determine whether the other party has enabled these services, such as TCP 21 (ftp), 80 (http), 139 (netbios), UDP 7 (echo), 69 (tftp) and other well-known ports;
Dynamic port (1024-49151):
These ports are not tied to a certain service. The operating system dynamically allocates these ports to each process, and the same process may be allocated to different ports twice. However, some applications are not willing to use the dynamic ports allocated by the operating system. They have their own "trademark" ports, such as the 4000 port of oicq client, the 7626 port of Trojan ice, etc., which are all fixed and famous.

The function of four ports in intrusion
Some people used to compare servers to houses, and ports to doors leading to different rooms (services), which is a good analogy if you don't consider the details. If the intruder wants to occupy the house, he is bound to break through the door (physical invasion is another word). For the intruder, it is very important to know how many doors the house has opened, what kind of doors they are, and what is behind the door.
The intruder will usually scan the port of the target host with a scanner to determine which port is open. From the open port, the intruder can know roughly what services the target host provides, and then guess the possible existence Therefore, scanning the port can help us better understand the target host, and for the administrator, scanning the open port of this machine is also the first step to do a good job in security.

5, Port scanning principle: try to establish a connection with the target host. If the target host has a reply, the port is open.
Scan classification:
1. Full TCP connection. This method uses three handshakes to establish a standard TCP connection with the target host. But this method is easy to be found and recorded by the target host.
2. SYN scanning: the scanning host automatically sends SYN data segments to the designated ports of the target host, indicating that the connection request is sent.
!! If the response message SYN=1 and ACK=1 of the target host indicates that the port is active, then the scan host sends an RST back to the target host to reject the connection. Three handshakes failed.
!! If the target host response is RST, the port is "dead.".
3 FIN scan: Send a message with FIN=1 to a closed window. The message will be lost and an RST will be returned. If the FIN message is sent to the active window, the message will be lost without any response.
4. Agent scanning. It's chicken catching.

2 Nmap action

3 common Nmap scanning instructions

4-port scan status

5 differences between TCP / IP and Http

TPC/IP is the transport layer protocol, which mainly solves how to transmit data in the network, while HTTP is the application layer protocol, which mainly solves how to package data. As for the relationship between TCP/IP and HTTP protocol, the network has a relatively easy to understand introduction: "when we transmit data, we can only use (transmission layer) TCP/IP protocol, but in that case, if there is no application layer, we cannot identify the data content. If we want to make the transmitted data meaningful, we must use the application layer protocol, which has many application layer protocols, such as HTTP , FTP, TELNET, etc. you can also define your own application layer protocol. WEB uses HTTP protocol as application layer protocol to encapsulate HTTP text information, and then uses TCP/IP as transport layer protocol to send it to the network. "

The term TCP/IP stands for transmission control protocol / Internet protocol and refers to a series of protocols. "IP" represents the internet protocol, which TCP and UDP use to transfer packets from one network to another. Think of IP as a highway that allows other protocols to drive on it and find outlets for other computers. TCP and UDP are "trucks" on expressways, and the goods they carry are protocols like HTTP and FTP.
You should understand that TCP and UDP are transport layer protocols used for FTP, HTTP and SMTP. Although TCP and UDP are used to transmit other protocols, they have a significant difference: TCP provides guaranteed data transmission, while UDP does not. This means that TCP has a special mechanism to ensure data security from one endpoint to another without error, and UDP does not provide any such guarantee.
HTTP (Hypertext Transfer Protocol) is a protocol that uses TCP to transfer information between two computers, usually Web servers and clients. The client uses a Web browser to send HTTP request to the Web server, and the Web server sends the requested information to the client.

6 use Nmap to detect the target open port

nmap has a graphical interface and can also be used in the shell
First probe the port of win7 virtual machine

root@kali:~# nmap -h
Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
root@kali:~# nmap -sS -p 80-3389 -v 192.168.206.133
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 04:26 EDT
Initiating ARP Ping Scan at 04:26
Scanning 192.168.206.133 [1 port]
Completed ARP Ping Scan at 04:26, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:26
Completed Parallel DNS resolution of 1 host. at 04:26, 0.03s elapsed
Initiating SYN Stealth Scan at 04:26
Scanning bogon (192.168.206.133) [3310 ports]
Discovered open port 445/tcp on 192.168.206.133
Discovered open port 135/tcp on 192.168.206.133
Discovered open port 139/tcp on 192.168.206.133
Completed SYN Stealth Scan at 04:26, 2.56s elapsed (3310 total ports)
Nmap scan report for bogon (192.168.206.133)
Host is up (0.00027s latency).
Not shown: 3307 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:FD:EB:9E (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.01 seconds
           Raw packets sent: 3561 (156.668KB) | Rcvd: 3311 (132.440KB)

root@kali:~# nmap shop.aqlab.cn
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 04:50 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.45% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.70% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.80% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.85% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.00% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.05% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.10% done; ETC: 04:50 (0:00:03 remaining)
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.15% done; ETC: 04:50 (0:00:03 remaining)
Nmap scan report for shop.aqlab.cn (59.63.200.79)
Host is up (0.076s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
1433/tcp open  ms-sql-s
3389/tcp open  ms-wbt-server
8001/tcp open  vcom-tunnel
8002/tcp open  teradataordbms
8007/tcp open  ajp12
8008/tcp open  http
8010/tcp open  xmpp
8082/tcp open  blackice-alerts

Nmap done: 1 IP address (1 host up) scanned in 40.27 seconds
root@kali:~# nmap -p 80-10000 -A shop.aplab.cn -v
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 04:53 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Failed to resolve "shop.aplab.cn".
NSE: Script Post-scanning.
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.23 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
root@kali:~# nmap -p 80-10000 -A shop.aplab.cn -v
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 04:56 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Failed to resolve "shop.aplab.cn".
NSE: Script Post-scanning.
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Initiating NSE at 04:56
Completed NSE at 04:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.07 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
root@kali:~# nmap -p 80-10000 -A shop.aplab.cn -v
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 05:00 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Failed to resolve "shop.aplab.cn".
NSE: Script Post-scanning.
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.06 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
root@kali:~# nmap -p80-10000 -A shop.aplab.cn -v
Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-15 05:01 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Failed to resolve "shop.aplab.cn".
NSE: Script Post-scanning.
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Initiating NSE at 05:01
Completed NSE at 05:01, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.05 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

-A represents a comprehensive system scan
Port 8001 has been verified to be a vulnerable site
Here

859 original articles published, 228 praised, 80000 visitors+
Private letter follow

Keywords: DNS network ftp Mac

Added by WD.Gh0st on Sun, 15 Mar 2020 13:17:53 +0200