利用Nmap扫描并识别服务

　　利用 Nmap 扫描并识别服务
　　配合使用特定脚本和利用特定漏洞：
　　· 可以用来识别活动主机
　　· 扫描 TCP 和 UDP 的开发端口
　　· 检测防火墙
　　· 获取运行在远程主机上的服务版本和事件
　　实施步骤
　　启动 Vulnerable_VM 靶机
　　在安装 KALI 系统的攻击机上
　　检测 Vulnerable_VM 是否活动，使用 nmap 扫描工具：
　　nmap -sn idea.lanyus.com
　　参数说明：
-sn | Ping Scan - 关闭端口扫描
root@kali:~# nmap -sn 192.168.150.143
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:50 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00028s latency).
MAC Address: 00:0C:29:8F:CA:00 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
　　检测 Vulnerable_VM 开放的端口
root@kali:~# nmap idea.lanyus.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 18:33 CST
Nmap scan report for idea.lanyus.com (120.52.29.220)
Host is up (0.0072s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 49.01 seconds
　　下面的命令扫描靶机上的1000以内的端口
root@kali:~# nmap 192.168.150.143
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:53 CST
Nmap scan report for bogon (192.168.150.143)
Host is up (0.00028s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
MAC Address: 00:0C:29:8F:CA:00 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
　　扫描靶机运行的服务的版本号，并基于此判断靶机系统类型
　　nmap -sV -O idea.lanyus.com
　　参数说明：
-sV | Probe open ports to determine service/version info
root@kali:~# nmap -sV -O idea.lanyus.com
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-17 23:47 CST
Nmap scan report for idea.lanyus.com (120.52.29.220)
Host is up (0.035s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE    VERSION
80/tcp   open  http       cloudflare-nginx
443/tcp  open  ssl/https?
8080/tcp open  http       cloudflare-nginx
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|general purpose
Running: Actiontec embedded， Linux 2.4.X|3.X， Microsoft Windows 7|2012
OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Actiontec MI424WR-GEN3I WAP， DD-WRT v24-sp2 (Linux 2.4.37)， Linux 3.2， Microsoft Windows 7 or Windows Server 2012
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.32 seconds