nmap脚本详解 - 春告鳥
source link: https://www.cnblogs.com/Cl0ud/p/17052752.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
nmap脚本详解 - 春告鳥 - 博客园
nmap --script
我们通过nmap script
来大幅扩展nmap的功能,nmap具有强大的脚本引擎NSE(Nmap Scripting Engine),它允许用户编写(和共享)简单的脚本(使用lua编程语言)自动化各种网络任务
NSEDoc Reference Portal — Nmap Scripting Engine documentation
目前nmap官方有604个NSE脚本,安装nmap后存储在script文件夹下,这些都是Nmap特有的,是基于lua语言编写的
nmap脚本分类
nmap脚本主要分为以下几类,在扫描时可根据需要设置--script=类别这种方式进行比较笼统的扫描:
- 指定运行脚本
当我们使用Nmap并添加参数-sC
或者--script
时,Nmap会执行NSE脚本
例如,在script目录下有http-title.nse
、http-trace.nse
脚本,执行如下命令:
- 从文件中读取参数
- 显示全部发送和收到的数据
- 更新数据库
在Nmap的scripts目录里有一个script.db
,该文件中保存了当前Nmap可用的脚本,类似于一个小型数据库,如果我们开启nmap并且调用了此参数,则nmap会自行扫描scripts目录中的扩展脚本,进行数据库更新
指定对应的脚本信息,Nmap会输出该脚本名称对应的脚本使用参数,以及详细介绍信息。
nmap脚本简介
一个NSE脚本的书写一般分为四步:
- 导入脚本编写所需库
- 编写脚本描述信息
- 确定Rule类型
- 编写Action
Nmap nse脚本模板结构图
其中Rule存在四种类型:
- Prerule 在Nmap没有扫描之前进行触发
- Hostrule 在Nmap执行主机发现或探测时进行触发
- Protrule 在Nmap执行端口扫描的时候触发
- Postrule 在Nmap结束的时候触发脚本,通常用于扫描结果的数据提取和整理
用于描述脚本的触发规则,返回值只有true和false两种。返回值决定了后面的action对应的函数是否执行
- true - 执行
- false - 不执行
Rule描述脚本的触发规则,定义了脚本在nmap生命周期的啥时候来执行
我们选择 http-php-version.nse
脚本来跟进分析一下,这个脚本的主要作用是检测PHP服务器的版本
查看API手册 https://nmap.org/nsedoc/lib/ 来导入你要导入的lua脚本 - nmap内置模块
local http = require "http" local nmap = require "nmap" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local table = require "table"
local openssl = stdnse.silent_require "openssl"
description
对脚本进行概述
description = [[ Attempts to retrieve the PHP version from a web server. PHP has a number of magic queries that return images or text that can vary with the PHP version. This script uses the following queries: * <code>/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42</code>: gets a GIF logo, which changes on April Fool's Day. * <code>/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000</code>: gets an HTML credits page.
A list of magic queries is at http://www.0php.com/php_easter_egg.php. The script also checks if any header field value starts with <code>"PHP"</code> and reports that value if found.
PHP versions after 5.5.0 do not respond to these queries.
Link: * http://phpsadness.com/sad/11 ]]
作者和脚本分类
在端口扫描的时候运行判断函数,这里直接调用了shortport
提供的判断
然后定义了访问的接口和PHP对应关系
-- These are the magic queries that return fingerprintable data. local LOGO_QUERY = "/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42" local CREDITS_QUERY = "/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"
-- For PHP 5.x hashes up to 5.2.14 and 5.3.3 see: -- http://seclists.org/nmap-dev/2010/q4/518
local LOGO_HASHES = { -- Bunny (Carmella) ["37e194b799d4aaff10e39c4e3b2679a2"] = {"5.0.0 - 5.0.3"}, -- Black Scottish Terrier (Scotch) ["4b2c92409cf0bcf465d199e93a15ac3f"] = {"4.3.11", "4.4.0 - 4.4.9", "5.0.4 - 5.0.5", "5.1.0 - 5.1.2"}, -- Colored ["50caaf268b4f3d260d720a1a29c5fe21"] = {"5.1.3 - 5.1.6", "5.2.0 - 5.2.17"}, -- PHP Code Guy With Breadsticks (Thies C. Arntzen) ["85be3b4be7bfe839cbb3b4f2d30ff983"] = {"4.0.0 - 4.2.3"}, -- Brown Dog In Grass (Nadia) ["a57bd73e27be03a62dd6b3e1b537a72c"] = {"4.3.0 - 4.3.11"}, -- Elephant ["fb3bbd9ccc4b3d9e0b3be89c5ff98a14"] = {"5.3.0 - 5.3.29", "5.4.0 - 5.4.45"}, }
local CREDITS_HASHES = { ["744aecef04f9ed1bc39ae773c40017d1"] = {"4.0.1pl2", "4.1.0 - 4.1.2", "4.2.2"}, ["4ba58b973ecde12dafbbd40b54afac43"] = {"4.1.1 OpenVMS"}, ["8bc001f58bf6c17a67e1ca288cb459cc"] = {"4.2.0 - 4.2.2"}, ["3422eded2fcceb3c89cabb5156b5d4e2"] = {"4.2.3"}, ["1e04761e912831dd29b7a98785e7ac61"] = {"4.3.0"}, ["1e04761e912831dd29b7a98785e7ac61"] = {"4.3.1"}, ["65eaaaa6c5fdc950e820f9addd514b8b"] = {"4.3.1 Mandrake Linux"}, ["8a8b4a419103078d82707cf68226a482"] = {"4.3.2"}, ["22d03c3c0a9cff6d760a4ba63909faea"] = {"4.3.2"}, -- entity encoded "'" ["8a4a61f60025b43f11a7c998f02b1902"] = {"4.3.3 - 4.3.5"}, ["39eda6dfead77a33cc6c63b5eaeda244"] = {"4.3.3 - 4.3.5"}, -- entity encoded "'" ["913ec921cf487109084a518f91e70859"] = {"4.3.6 - 4.3.8"}, ["884ba1f11e0e956c7c3ba64e5e33ee9f"] = {"4.3.6 - 4.3.8"}, -- entity encoded ["c5fa6aec2cf0172a5a1df7082335cf9e"] = {"4.3.8 Mandrake Linux"}, ["8fbf48d5a2a64065fc26db3e890b9871"] = {"4.3.9 - 4.3.11"}, ["f9b56b361fafd28b668cc3498425a23b"] = {"4.3.9 - 4.3.11"}, -- entity encoded "'" ["ddf16ec67e070ec6247ec1908c52377e"] = {"4.4.0"}, ["3d7612c9927b4c5cfff43efd27b44124"] = {"4.4.0"}, -- entity encoded "'" ["55bc081f2d460b8e6eb326a953c0e71e"] = {"4.4.1"}, ["bed7ceff09e9666d96fdf3518af78e0e"] = {"4.4.2 - 4.4.4"}, ["692a87ca2c51523c17f597253653c777"] = {"4.4.5 - 4.4.7"}, ["50ac182f03fc56a719a41fc1786d937d"] = {"4.4.8 - 4.4.9"}, ["3c31e4674f42a49108b5300f8e73be26"] = {"5.0.0 - 5.0.5"}, ["e54dbf41d985bfbfa316dba207ad6bce"] = {"5.0.0"}, ["6be3565cdd38e717e4eb96868d9be141"] = {"5.0.5"}, ["b7cf53972b35b5d57f12c9d857b6b507"] = {"5.0.5 ActiveScript"}, ["5518a02af41478cfc492c930ace45ae5"] = {"5.1.0 - 5.1.1"}, ["6cb0a5ba2d88f9d6c5c9e144dd5941a6"] = {"5.1.2"}, ["82fa2d6aa15f971f7dadefe4f2ac20e3"] = {"5.1.3 - 5.1.6"}, ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"}, ["d3894e19233d979db07d623f608b6ece"] = {"5.2.1"}, ["56f9383587ebcc94558e11ec08584f05"] = {"5.2.2"}, ["c37c96e8728dc959c55219d47f2d543f"] = {"5.2.3 - 5.2.5", "5.2.6RC3"}, ["1776a7c1b3255b07c6b9f43b9f50f05e"] = {"5.2.6"}, ["1ffc970c5eae684bebc0e0133c4e1f01"] = {"5.2.7 - 5.2.8"}, ["54f426521bf61f2d95c8bfaa13857c51"] = {"5.2.9 - 5.2.14"}, ["adb361b9255c1e5275e5bd6e2907c5fb"] = {"5.2.15 - 5.2.17"}, ["db23b07a9b426d0d033565b878b1e384"] = {"5.3.0"}, ["a4c057b11fa0fba98c8e26cd7bb762a8"] = {"5.3.1 - 5.3.2"}, ["b34501471d51cebafacdd45bf2cd545d"] = {"5.3.3"}, ["e3b18899d0ffdf8322ed18d7bce3c9a0"] = {"5.3.4 - 5.3.5"}, ["2e7f5372931a7f6f86786e95871ac947"] = {"5.3.6"}, ["f1f1f60ac0dcd700a1ad30aa81175d34"] = {"5.3.7 - 5.3.8"}, ["23f183b78eb4e3ba8b3df13f0a15e5de"] = {"5.3.9 - 5.3.29"}, ["85da0a620fabe694dab1d55cbf1e24c3"] = {"5.4.0 - 5.4.14"}, ["ebf6d0333d67af5f80077438c45c8eaa"] = {"5.4.15 - 5.4.45"}, }
最后就是判定的主要逻辑了,虽然我们不懂Lua,但是我们还是能大概看懂这里做的事情
action = function(host, port) local response local logo_versions, credits_versions local logo_hash, credits_hash local header_name, header_value local lines
-- 1st pass : the "special" PHP-logo test response = http.get(host, port, LOGO_QUERY) if response.body and response.status == 200 then logo_hash = stdnse.tohex(openssl.md5(response.body)) logo_versions = LOGO_HASHES[logo_hash] end
-- 2nd pass : the PHP-credits test response = http.get(host, port, CREDITS_QUERY) if response.body and response.status == 200 then credits_hash = stdnse.tohex(openssl.md5(response.body)) credits_versions = CREDITS_HASHES[credits_hash] end
for name, value in pairs(response.header) do if string.match(value, "^PHP/") then header_name = name header_value = value break end end
lines = {} if logo_versions then lines[#lines + 1] = "Versions from logo query (less accurate): " .. table.concat(logo_versions, ", ") elseif logo_hash and nmap.verbosity() >= 2 then lines[#lines + 1] = "Logo query returned unknown hash " .. logo_hash end if credits_versions then lines[#lines + 1] = "Versions from credits query (more accurate): " .. table.concat(credits_versions, ", ") elseif credits_hash and nmap.verbosity() >= 2 then lines[#lines + 1] = "Credits query returned unknown hash " .. credits_hash end if header_name and header_value then lines[#lines + 1] = "Version from header " .. header_name .. ": " .. header_value end
if #lines > 0 then return table.concat(lines, "\n") end end
访问可能存在泄露PHP版本的接口,并将返回值进行md5计算,检查字典里是否有对应值,如果有的话就说明存在PHP的版本泄露,最后返回结果。
事实上只是实现的语言不一样,核心的检测原理都是一致的
按照应用服务扫描
nmap脚本的完整文档可以看官方文档 https://nmap.org/nsedoc/scripts/
下面是常用的一些应用扫描
VNC扫描
VNC (Virtual Network Console)是虚拟网络控制台的缩写。它 是一款优秀的远程控制工具软件
- 检查vnc bypass
- 检查vnc认证方式
- 获取vnc信息
smb扫描
SMB(全称是Server Message Block)是一个网络协议名,它能被用于Web连接和客户端与服务器之间的信息沟通
- smb破解
- smb字典破解
- smb漏洞检测
Mssql扫描
- 暴力破解用户名密码
- 有密码后
xp_cmdshell
执行命令
- 有密码后dymphash
Mysql扫描
- 扫描root空口令
- 列举所有mysql用户
- 扫描mysql相关的脚本
Oracle扫描
- oracle sid 扫描
- oracle弱口令破解
如果想要了解更多的脚本内容,移步官方文档 -> https://nmap.org/nsedoc/scripts/
建了一个微信的安全交流群,欢迎添加我微信备注进群
,一起来聊天吹水哇,以及一个会发布安全相关内容的公众号,欢迎关注 😃
__EOF__
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK