# nmap
The best Japanese-language reference site: https://nmap.org/man/ja/
# Port scan
# Ping scan
```bash
nmap -sn xxx.xxx.xxx.xxx/28
```

`-sn`: host discovery only (ping scan), no port scan.

Example output

```text
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 00:07 JST
Nmap scan report for DESKTOP-HEHPH4B.mshome.net (172.17.220.1)
Host is up (0.00021s latency).
MAC Address: 00:15:5D:2C:25:2C (Microsoft)
Nmap scan report for 172.17.220.5
Host is up (0.00059s latency).
MAC Address: 00:15:5D:AC:06:1A (Microsoft)
Nmap scan report for sec-linux.mshome.net (172.17.220.4)
Host is up.
```
# Port scan
# Scanning all ports
A full-port scan is fairly heavy.

```bash
nmap -sV -O -p- xxx.xxx.xxx.xxx
```

- `-p-`: all ports (1 to 65535)
- `-sV`: service version scan
- `-O`: OS fingerprint output
I tried scanning Metasploitable:

```text
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 00:04 JST
Nmap scan report for 172.17.220.5
Host is up (0.00065s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34631/tcp open mountd 1-3 (RPC #100005)
38471/tcp open java-rmi GNU Classpath grmiregistry
41431/tcp open nlockmgr 1-4 (RPC #100021)
45239/tcp open status 1 (RPC #100024)
MAC Address: 00:15:5D:AC:06:1A (Microsoft)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.09 seconds
```
# intense scan
Runs OS detection, version detection, script scanning and traceroute all at once, with a fairly fast timing template.

```bash
nmap -T4 -A -v 172.17.220.5
```

- `-A`: Enable OS detection, version detection, script scanning, and traceroute
- `-T<0-5>`: Set timing template (higher is faster): paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), insane (5)

Templates 0 and 1 are meant for IDS evasion. On a trusted, reliable network, T4 is apparently the recommended choice.
https://nmap.org/man/ja/man-performance.html
Example output

```text
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 00:13 JST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:13
Completed NSE at 00:13, 0.00s elapsed
Initiating NSE at 00:13
Completed NSE at 00:13, 0.00s elapsed
Initiating NSE at 00:13
Completed NSE at 00:13, 0.00s elapsed
Initiating ARP Ping Scan at 00:13
Scanning 172.17.220.5 [1 port]
Completed ARP Ping Scan at 00:13, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:13
Completed Parallel DNS resolution of 1 host. at 00:13, 1.01s elapsed
Initiating SYN Stealth Scan at 00:13
Scanning 172.17.220.5 [1000 ports]
Discovered open port 23/tcp on 172.17.220.5
Discovered open port 111/tcp on 172.17.220.5
Discovered open port 22/tcp on 172.17.220.5
Discovered open port 445/tcp on 172.17.220.5
Discovered open port 53/tcp on 172.17.220.5
Discovered open port 3306/tcp on 172.17.220.5
Discovered open port 80/tcp on 172.17.220.5
Discovered open port 139/tcp on 172.17.220.5
Discovered open port 25/tcp on 172.17.220.5
Discovered open port 5900/tcp on 172.17.220.5
Discovered open port 21/tcp on 172.17.220.5
Discovered open port 512/tcp on 172.17.220.5
Discovered open port 2121/tcp on 172.17.220.5
Discovered open port 6000/tcp on 172.17.220.5
Discovered open port 2049/tcp on 172.17.220.5
Discovered open port 8180/tcp on 172.17.220.5
Discovered open port 1099/tcp on 172.17.220.5
Discovered open port 5432/tcp on 172.17.220.5
Discovered open port 1524/tcp on 172.17.220.5
Discovered open port 6667/tcp on 172.17.220.5
Discovered open port 513/tcp on 172.17.220.5
Discovered open port 514/tcp on 172.17.220.5
Discovered open port 8009/tcp on 172.17.220.5
Completed SYN Stealth Scan at 00:13, 0.11s elapsed (1000 total ports)
Initiating Service scan at 00:13
Scanning 23 services on 172.17.220.5
Completed Service scan at 00:14, 62.37s elapsed (23 services on 1 host)
Initiating OS detection (try #1) against 172.17.220.5
NSE: Script scanning 172.17.220.5.
Initiating NSE at 00:14
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 00:14, 9.91s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 14.05s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Nmap scan report for 172.17.220.5
Host is up (0.00085s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.17.220.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2020-04-12T15:18:18+00:00; +3m46s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
53/tcp open domain ISC BIND 9.4.2
| dns-nsid:
|_ bind.version: 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec?
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
| mysql-info:
| Protocol: 10
| Version: 5.0.51a-3ubuntu5
| Thread ID: 15
| Capabilities flags: 43564
| Some Capabilities: SwitchToSSLAfterHandshake, SupportsTransactions, Speaks41ProtocolNew, ConnectWithDatabase, LongColumnFlag, SupportsCompression, Support41Auth
| Status: Autocommit
|_ Salt: +[j#lv1--9t`dTY@vPmT
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2020-04-12T15:18:18+00:00; +3m47s from scanner time.
5900/tcp open vnc VNC (protocol 3.3)
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ VNC Authentication (2)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
| irc-info:
| users: 1
| servers: 1
| lusers: 1
| lservers: 0
| server: irc.Metasploitable.LAN
| version: Unreal3.2.8.1. irc.Metasploitable.LAN
| uptime: 0 days, 1:14:09
| source ident: nmap
| source host: Test-96C670A6.mshome.net
|_ error: Closing Link: camzrnzwm[sec-linux.mshome.net] (Quit: camzrnzwm)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 00:15:5D:AC:06:1A (Microsoft)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.049 days (since Sun Apr 12 23:04:26 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=190 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 3m46s, deviation: 0s, median: 3m45s
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| METASPLOITABLE<00> Flags: <unique><active>
| METASPLOITABLE<03> Flags: <unique><active>
| METASPLOITABLE<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
|_smb-security-mode: ERROR: Script execution failed (use -d to debug)
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE
HOP RTT ADDRESS
1 0.85 ms 172.17.220.5
NSE: Script Post-scanning.
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.12 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.430KB)
```
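The two reports above make the cost of `-p-` concrete: the full-port `-sV -O -p-` scan reported 30 open ports, while the default top-1000-port `-A` scan reported 23, so an inventory built only from default scans silently misses high ports such as the RPC services and the DRb listener. The following is an added example (not code from the page) that parses the `PORT STATE SERVICE VERSION` table of nmap's normal output and lists the open ports a default scan would miss; the sample text is constructed from slices of the two reports above.

```python
"""Parse nmap normal-output port tables and diff a default scan against a -p- scan."""
import re
from typing import NamedTuple

# One row of the "PORT STATE SERVICE VERSION" table, e.g. "21/tcp open ftp vsftpd 2.3.4".
# VERSION is optional, and NSE script lines starting with "|" never match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


class Port(NamedTuple):
    number: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(report: str) -> list[Port]:
    """Return every port-table row found in an nmap normal-output report."""
    rows = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            number, proto, state, service, version = m.groups()
            rows.append(Port(int(number), proto, state, service, (version or "").strip()))
    return rows


def missed_by_default(default_report: str, full_report: str) -> list[Port]:
    """Open ports present in the -p- report but absent from the default (top-1000) report."""
    seen = {(p.number, p.proto) for p in parse_ports(default_report) if p.state == "open"}
    return [p for p in parse_ports(full_report)
            if p.state == "open" and (p.number, p.proto) not in seen]


# Constructed sample input: slices of the -p- scan and of the default -A scan shown above.
FULL_SCAN = """PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
6697/tcp open irc UnrealIRCd
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34631/tcp open mountd 1-3 (RPC #100005)
"""
DEFAULT_SCAN = """PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
6667/tcp open irc UnrealIRCd
"""

if __name__ == "__main__":
    for p in missed_by_default(DEFAULT_SCAN, FULL_SCAN):
        print(f"{p.number}/{p.proto} {p.service} {p.version}  <- not covered by the default scan")
```

Run it against the saved `-oN` output of both scans to get the list of ports that only the full-port scan covers.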