0

nmap脚本详解 - 春告鳥

 1 year ago
source link: https://www.cnblogs.com/Cl0ud/p/17052752.html
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

nmap脚本详解 - 春告鳥 - 博客园

nmap --script

我们通过nmap script来大幅扩展nmap的功能,nmap具有强大的脚本引擎NSE(Nmap Scripting Engine),它允许用户编写(和共享)简单的脚本(使用lua编程语言)自动化各种网络任务

NSEDoc Reference Portal — Nmap Scripting Engine documentation

20230114222548.png

目前nmap官方有604个NSE脚本,安装nmap后存储在script文件夹下,这些都是Nmap特有的,是基于lua语言编写的

nmap脚本分类

nmap脚本主要分为以下几类,在扫描时可根据需要设置--script=类别这种方式进行比较笼统的扫描:




auth: 负责处理鉴权证书(绕开鉴权)的脚本  
broadcast: 在局域网内探查更多服务开启状况,如dhcp/dns/sqlserver等服务  
brute: 提供暴力破解方式,针对常见的应用如http/snmp等  
default: 使用-sC或-A选项扫描时候默认的脚本,提供基本脚本扫描能力  
discovery: 对网络进行更多的信息,如SMB枚举、SNMP查询等  
dos: 用于进行拒绝服务攻击  
exploit: 利用已知的漏洞入侵系统  
external: 利用第三方的数据库或资源,例如进行whois解析  
fuzzer: 模糊测试的脚本,发送异常的包到目标机,探测出潜在漏洞 intrusive: 入侵性的脚本,此类脚本可能引发对方的IDS/IPS的记录或屏蔽  
malware: 探测目标机是否感染了病毒、开启了后门等信息  
safe: 此类与intrusive相反,属于安全性脚本  
version: 负责增强服务与版本扫描(Version Detection)功能的脚本  
vuln: 负责检查目标机是否有常见的漏洞(Vulnerability),如是否有MS08_067




  • 指定运行脚本
    • 




当我们使用Nmap并添加参数-sC或者--script时,Nmap会执行NSE脚本


例如,在script目录下有http-title.nsehttp-trace.nse脚本,执行如下命令:





nmap --script http-title scanme.nmap.org







--script-args=key1=value1,key2=value2... 




  • 从文件中读取参数
    • 







–script-args-file=filename




  • 显示全部发送和收到的数据
    • 







--script-trace




  • 更新数据库
    • 




在Nmap的scripts目录里有一个script.db,该文件中保存了当前Nmap可用的脚本,类似于一个小型数据库,如果我们开启nmap并且调用了此参数,则nmap会自行扫描scripts目录中的扩展脚本,进行数据库更新





--script-updatedb




指定对应的脚本信息,Nmap会输出该脚本名称对应的脚本使用参数,以及详细介绍信息。





--script-help=脚本名称




nmap脚本简介


一个NSE脚本的书写一般分为四步:


  • 导入脚本编写所需库
    • 

  • 编写脚本描述信息
    • 

  • 确定Rule类型
    • 

  • 编写Action
    • 




Nmap nse脚本模板结构图





20230114222617.png


其中Rule存在四种类型:


  • Prerule 在Nmap没有扫描之前进行触发
    • 

  • Hostrule 在Nmap执行主机发现或探测时进行触发
    • 

  • Protrule 在Nmap执行端口扫描的时候触发
    • 

  • Postrule 在Nmap结束的时候触发脚本,通常用于扫描结果的数据提取和整理
    • 




用于描述脚本的触发规则,返回值只有true和false两种。返回值决定了后面的action对应的函数是否执行


  • true -  执行
    • 

  • false - 不执行
    • 




Rule描述脚本的触发规则,定义了脚本在nmap生命周期的啥时候来执行


我们选择 http-php-version.nse脚本来跟进分析一下,这个脚本的主要作用是检测PHP服务器的版本


查看API手册 https://nmap.org/nsedoc/lib/ 来导入你要导入的lua脚本 - nmap内置模块





local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"



local openssl = stdnse.silent_require "openssl"




description对脚本进行概述





description = [[
Attempts to retrieve the PHP version from a web server. PHP has a number
of magic queries that return images or text that can vary with the PHP
version. This script uses the following queries:
* <code>/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42</code>: gets a GIF logo, which changes on April Fool's Day.
* <code>/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000</code>: gets an HTML credits page.



A list of magic queries is at http://www.0php.com/php_easter_egg.php.
The script also checks if any header field value starts with
<code>"PHP"</code> and reports that value if found.



PHP versions after 5.5.0 do not respond to these queries.



Link:
* http://phpsadness.com/sad/11
]]




作者和脚本分类





author = {"Ange Gutek", "Rob Nicholls"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}




在端口扫描的时候运行判断函数,这里直接调用了shortport提供的判断





portrule = shortport.http




然后定义了访问的接口和PHP对应关系





-- These are the magic queries that return fingerprintable data.
local LOGO_QUERY = "/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"
local CREDITS_QUERY = "/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"



-- For PHP 5.x hashes up to 5.2.14 and 5.3.3 see:
-- http://seclists.org/nmap-dev/2010/q4/518



local LOGO_HASHES = {
  -- Bunny (Carmella)
  ["37e194b799d4aaff10e39c4e3b2679a2"] = {"5.0.0 - 5.0.3"},
  -- Black Scottish Terrier (Scotch)
  ["4b2c92409cf0bcf465d199e93a15ac3f"] = {"4.3.11", "4.4.0 - 4.4.9", "5.0.4 - 5.0.5", "5.1.0 - 5.1.2"},
  -- Colored
  ["50caaf268b4f3d260d720a1a29c5fe21"] = {"5.1.3 - 5.1.6", "5.2.0 - 5.2.17"},
  -- PHP Code Guy With Breadsticks (Thies C. Arntzen)
  ["85be3b4be7bfe839cbb3b4f2d30ff983"] = {"4.0.0 - 4.2.3"},
  -- Brown Dog In Grass (Nadia)
  ["a57bd73e27be03a62dd6b3e1b537a72c"] = {"4.3.0 - 4.3.11"},
  -- Elephant
  ["fb3bbd9ccc4b3d9e0b3be89c5ff98a14"] = {"5.3.0 - 5.3.29", "5.4.0 - 5.4.45"},
}



local CREDITS_HASHES = {
  ["744aecef04f9ed1bc39ae773c40017d1"] = {"4.0.1pl2", "4.1.0 - 4.1.2", "4.2.2"},
  ["4ba58b973ecde12dafbbd40b54afac43"] = {"4.1.1 OpenVMS"},
  ["8bc001f58bf6c17a67e1ca288cb459cc"] = {"4.2.0 - 4.2.2"},
  ["3422eded2fcceb3c89cabb5156b5d4e2"] = {"4.2.3"},
  ["1e04761e912831dd29b7a98785e7ac61"] = {"4.3.0"},
  ["1e04761e912831dd29b7a98785e7ac61"] = {"4.3.1"},
  ["65eaaaa6c5fdc950e820f9addd514b8b"] = {"4.3.1 Mandrake Linux"},
  ["8a8b4a419103078d82707cf68226a482"] = {"4.3.2"},
  ["22d03c3c0a9cff6d760a4ba63909faea"] = {"4.3.2"}, -- entity encoded "'"
  ["8a4a61f60025b43f11a7c998f02b1902"] = {"4.3.3 - 4.3.5"},
  ["39eda6dfead77a33cc6c63b5eaeda244"] = {"4.3.3 - 4.3.5"}, -- entity encoded "'"
  ["913ec921cf487109084a518f91e70859"] = {"4.3.6 - 4.3.8"},
  ["884ba1f11e0e956c7c3ba64e5e33ee9f"] = {"4.3.6 - 4.3.8"}, -- entity encoded
  ["c5fa6aec2cf0172a5a1df7082335cf9e"] = {"4.3.8 Mandrake Linux"},
  ["8fbf48d5a2a64065fc26db3e890b9871"] = {"4.3.9 - 4.3.11"},
  ["f9b56b361fafd28b668cc3498425a23b"] = {"4.3.9 - 4.3.11"}, -- entity encoded "'"
  ["ddf16ec67e070ec6247ec1908c52377e"] = {"4.4.0"},
  ["3d7612c9927b4c5cfff43efd27b44124"] = {"4.4.0"}, -- entity encoded "'"
  ["55bc081f2d460b8e6eb326a953c0e71e"] = {"4.4.1"},
  ["bed7ceff09e9666d96fdf3518af78e0e"] = {"4.4.2 - 4.4.4"},
  ["692a87ca2c51523c17f597253653c777"] = {"4.4.5 - 4.4.7"},
  ["50ac182f03fc56a719a41fc1786d937d"] = {"4.4.8 - 4.4.9"},
  ["3c31e4674f42a49108b5300f8e73be26"] = {"5.0.0 - 5.0.5"},
  ["e54dbf41d985bfbfa316dba207ad6bce"] = {"5.0.0"},
  ["6be3565cdd38e717e4eb96868d9be141"] = {"5.0.5"},
  ["b7cf53972b35b5d57f12c9d857b6b507"] = {"5.0.5 ActiveScript"},
  ["5518a02af41478cfc492c930ace45ae5"] = {"5.1.0 - 5.1.1"},
  ["6cb0a5ba2d88f9d6c5c9e144dd5941a6"] = {"5.1.2"},
  ["82fa2d6aa15f971f7dadefe4f2ac20e3"] = {"5.1.3 - 5.1.6"},
  ["6a1c211f27330f1ab602c7c574f3a279"] = {"5.2.0"},
  ["d3894e19233d979db07d623f608b6ece"] = {"5.2.1"},
  ["56f9383587ebcc94558e11ec08584f05"] = {"5.2.2"},
  ["c37c96e8728dc959c55219d47f2d543f"] = {"5.2.3 - 5.2.5", "5.2.6RC3"},
  ["1776a7c1b3255b07c6b9f43b9f50f05e"] = {"5.2.6"},
  ["1ffc970c5eae684bebc0e0133c4e1f01"] = {"5.2.7 - 5.2.8"},
  ["54f426521bf61f2d95c8bfaa13857c51"] = {"5.2.9 - 5.2.14"},
  ["adb361b9255c1e5275e5bd6e2907c5fb"] = {"5.2.15 - 5.2.17"},
  ["db23b07a9b426d0d033565b878b1e384"] = {"5.3.0"},
  ["a4c057b11fa0fba98c8e26cd7bb762a8"] = {"5.3.1 - 5.3.2"},
  ["b34501471d51cebafacdd45bf2cd545d"] = {"5.3.3"},
  ["e3b18899d0ffdf8322ed18d7bce3c9a0"] = {"5.3.4 - 5.3.5"},
  ["2e7f5372931a7f6f86786e95871ac947"] = {"5.3.6"},
  ["f1f1f60ac0dcd700a1ad30aa81175d34"] = {"5.3.7 - 5.3.8"},
  ["23f183b78eb4e3ba8b3df13f0a15e5de"] = {"5.3.9 - 5.3.29"},
  ["85da0a620fabe694dab1d55cbf1e24c3"] = {"5.4.0 - 5.4.14"},
  ["ebf6d0333d67af5f80077438c45c8eaa"] = {"5.4.15 - 5.4.45"},
}




最后就是判定的主要逻辑了,虽然我们不懂Lua,但是我们还是能大概看懂这里做的事情





action = function(host, port)
  local response
  local logo_versions, credits_versions
  local logo_hash, credits_hash
  local header_name, header_value
  local lines



  -- 1st pass : the "special" PHP-logo test
  response = http.get(host, port, LOGO_QUERY)
  if response.body and response.status == 200 then
    logo_hash = stdnse.tohex(openssl.md5(response.body))
    logo_versions = LOGO_HASHES[logo_hash]
  end



  -- 2nd pass : the PHP-credits test
  response = http.get(host, port, CREDITS_QUERY)
  if response.body and response.status == 200 then
    credits_hash = stdnse.tohex(openssl.md5(response.body))
    credits_versions = CREDITS_HASHES[credits_hash]
  end



  for name, value in pairs(response.header) do
    if string.match(value, "^PHP/") then
      header_name = name
      header_value = value
      break
    end
  end



  lines = {}
  if logo_versions then
    lines[#lines + 1] = "Versions from logo query (less accurate): " .. table.concat(logo_versions, ", ")
  elseif logo_hash and nmap.verbosity() >= 2 then
    lines[#lines + 1] = "Logo query returned unknown hash " .. logo_hash
  end
  if credits_versions then
    lines[#lines + 1] = "Versions from credits query (more accurate): " .. table.concat(credits_versions, ", ")
  elseif credits_hash and nmap.verbosity() >= 2 then
    lines[#lines + 1] = "Credits query returned unknown hash " .. credits_hash
  end
  if header_name and header_value then
    lines[#lines + 1] = "Version from header " .. header_name .. ": " .. header_value
  end



  if #lines > 0 then
    return table.concat(lines, "\n")
  end
end




访问可能存在泄露PHP版本的接口,并将返回值进行md5计算,检查字典里是否有对应值,如果有的话就说明存在PHP的版本泄露,最后返回结果。


事实上只是实现的语言不一样,核心的检测原理都是一致的


按照应用服务扫描


nmap脚本的完整文档可以看官方文档 https://nmap.org/nsedoc/scripts/


下面是常用的一些应用扫描


VNC扫描


VNC  (Virtual Network Console)是虚拟网络控制台的缩写。它 是一款优秀的远程控制工具软件


  • 检查vnc bypass
    • 







nmap  --script=realvnc-auth-bypass 192.168.137.4




  • 检查vnc认证方式
    • 







nmap  --script=vnc-auth  192.168.137.4  




  • 获取vnc信息
    • 







nmap  --script=vnc-info  192.168.137.4  




smb扫描


SMB(全称是Server Message Block)是一个网络协议名,它能被用于Web连接和客户端与服务器之间的信息沟通


  • smb破解
    • 







nmap  --script=smb-brute.nse 192.168.137.4  




  • smb字典破解
    • 







nmap --script=smb-brute.nse --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4




  • smb漏洞检测
    • 







nmap  --script=smb-check-vulns.nse --script-args=unsafe=1 192.168.137.4




Mssql扫描


  • 暴力破解用户名密码
    • 







nmap -p1433 --script=ms-sql-brute --script-args=userdb=/var/passwd,passdb=/var/passwd 192.168.137.4 




  • 有密码后xp_cmdshell执行命令
    • 







nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="net user" 192.168.137.4  




  • 有密码后dymphash
    • 







nmap -p 1433 --script ms-sql-dump-hashes.nse --script-args mssql.username=sa,mssql.password=sa  192.168.137.4  




Mysql扫描


  • 扫描root空口令
    • 







nmap -p3306 --script=mysql-empty-password.nse 192.168.137.4   




  • 列举所有mysql用户
    • 







nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 192.168.137.4 




  • 扫描mysql相关的脚本
    • 







nmap --script=mysql-* 192.168.137.4  




Oracle扫描


  • oracle sid 扫描
    • 







nmap --script=oracle-sid-brute -p 1521-1560 192.168.137.5 




  • oracle弱口令破解
    • 







nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL,userdb=/var/passwd,passdb=/var/passwd 192.168.137.5 




如果想要了解更多的脚本内容,移步官方文档 -> https://nmap.org/nsedoc/scripts/





建了一个微信的安全交流群,欢迎添加我微信备注进群,一起来聊天吹水哇,以及一个会发布安全相关内容的公众号,欢迎关注 😃



    
GIF

    
GIF




__EOF__

        

        

            

                report
            

        

    







        
Recommend

        



                

    
About Joyk

    
 





Aggregate valuable and interesting links.

Joyk means Joy of geeK