
Common commands

Check which ports are open on the target IP

nmap -sV -Pn 115.231.218.254

Interpreting the results (in the STATE column, open means a service answered the probe, filtered means a firewall or filter dropped it so Nmap cannot tell, and closed means the host replied but nothing is listening):

Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-03 02:24 EDT
Stats: 0:00:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 23.33% done; ETC: 02:25 (0:01:02 remaining)
Stats: 0:00:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 30.97% done; ETC: 02:25 (0:00:51 remaining)
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 40.47% done; ETC: 02:25 (0:00:44 remaining)
Stats: 0:01:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 77.17% done; ETC: 02:26 (0:00:24 remaining)
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 83.53% done; ETC: 02:26 (0:00:17 remaining)
Stats: 0:02:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 13.33% done; ETC: 02:29 (0:02:49 remaining)
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 13.33% done; ETC: 02:30 (0:03:48 remaining)
Stats: 0:02:54 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 20.00% done; ETC: 02:30 (0:03:32 remaining)
Stats: 0:03:39 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 02:29 (0:01:06 remaining)
Nmap scan report for 115.231.218.254
Host is up (4.0s latency).
Not shown: 973 closed tcp ports (reset)
PORT STATE SERVICE VERSION
42/tcp filtered nameserver
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
514/tcp filtered shell
593/tcp filtered http-rpc-epmap
1068/tcp filtered instl_bootc
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600; RTM
1434/tcp filtered ms-sql-m
1900/tcp filtered upnp
2383/tcp open ms-olap4?
3128/tcp filtered squid-http
3333/tcp open dec-notes?
4444/tcp filtered krb524
6001/tcp open X11:1?
6002/tcp open X11:2?
6003/tcp open X11:3?
6004/tcp open X11:4?
6005/tcp open X11:5?
6669/tcp filtered irc
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3333-TCP:V=7.94%I=7%D=9/3%Time=64F4271F%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,A,"sign\x20error")%r(LPDString,A,"sign\x20error")%r(JavaRMI,A
SF:,"sign\x20error")%r(kumo-server,A,"sign\x20error")%r(GetRequest,A,"sign
SF:\x20error")%r(HTTPOptions,A,"sign\x20error")%r(RTSPRequest,A,"sign\x20e
SF:rror")%r(RPCCheck,A,"sign\x20error")%r(DNSVersionBindReqTCP,A,"sign\x20
SF:error")%r(DNSStatusRequestTCP,A,"sign\x20error")%r(Help,A,"sign\x20erro
SF:r")%r(SSLSessionReq,A,"sign\x20error")%r(TerminalServerCookie,A,"sign\x
SF:20error")%r(TLSSessionReq,A,"sign\x20error")%r(Kerberos,A,"sign\x20erro
SF:r")%r(SMBProgNeg,A,"sign\x20error")%r(X11Probe,A,"sign\x20error")%r(Fou
SF:rOhFourRequest,A,"sign\x20error")%r(LDAPSearchReq,A,"sign\x20error")%r(
SF:LDAPBindReq,A,"sign\x20error")%r(SIPOptions,A,"sign\x20error")%r(LANDes
SF:k-RC,A,"sign\x20error")%r(TerminalServer,A,"sign\x20error")%r(NCP,A,"si
SF:gn\x20error")%r(NotesRPC,A,"sign\x20error")%r(WMSRequest,A,"sign\x20err
SF:or")%r(oracle-tns,A,"sign\x20error")%r(ms-sql-s,A,"sign\x20error")%r(af
SF:p,A,"sign\x20error")%r(giop,A,"sign\x20error");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6001-TCP:V=7.94%I=7%D=9/3%Time=64F4271A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4,"\0\0\x01\x20")%r(X11Probe,4,"\0\0\x01\x20")%r(GenericLines,4,"\0\0
SF:\x01\x20")%r(GetRequest,4,"\0\0\x01\x20")%r(HTTPOptions,4,"\0\0\x01\x20
SF:")%r(RTSPRequest,4,"\0\0\x01\x20")%r(RPCCheck,4,"\0\0\x01\x20")%r(DNSVe
SF:rsionBindReqTCP,4,"\0\0\x01\x20")%r(DNSStatusRequestTCP,4,"\0\0\x01\x20
SF:")%r(Help,4,"\0\0\x01\x20")%r(SSLSessionReq,4,"\0\0\x01\x20")%r(Termina
SF:lServerCookie,4,"\0\0\x01\x20")%r(TLSSessionReq,4,"\0\0\x01\x20")%r(Ker
SF:beros,4,"\0\0\x01\x20")%r(SMBProgNeg,4,"\0\0\x01\x20")%r(FourOhFourRequ
SF:est,4,"\0\0\x01\x20")%r(LPDString,4,"\0\0\x01\x20")%r(LDAPSearchReq,4,"
SF:\0\0\x01\x20")%r(LDAPBindReq,4,"\0\0\x01\x20")%r(SIPOptions,4,"\0\0\x01
SF:\x20")%r(LANDesk-RC,4,"\0\0\x01\x20")%r(TerminalServer,4,"\0\0\x01\x20"
SF:)%r(NCP,4,"\0\0\x01\x20")%r(NotesRPC,4,"\0\0\x01\x20")%r(JavaRMI,4,"\0\
SF:0\x01\x20")%r(WMSRequest,4,"\0\0\x01\x20")%r(oracle-tns,4,"\0\0\x01\x20
SF:")%r(ms-sql-s,4,"\0\0\x01\x20")%r(afp,4,"\0\0\x01\x20")%r(giop,4,"\0\0\
SF:x01\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6002-TCP:V=7.94%I=7%D=9/3%Time=64F4271A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4,"\0\0\x01\x20")%r(X11Probe,4,"\0\0\x01\x20")%r(GenericLines,4,"\0\0
SF:\x01\x20")%r(GetRequest,4,"\0\0\x01\x20")%r(HTTPOptions,4,"\0\0\x01\x20
SF:")%r(RTSPRequest,4,"\0\0\x01\x20")%r(RPCCheck,4,"\0\0\x01\x20")%r(DNSVe
SF:rsionBindReqTCP,4,"\0\0\x01\x20")%r(DNSStatusRequestTCP,4,"\0\0\x01\x20
SF:")%r(Help,4,"\0\0\x01\x20")%r(SSLSessionReq,4,"\0\0\x01\x20")%r(Termina
SF:lServerCookie,4,"\0\0\x01\x20")%r(TLSSessionReq,4,"\0\0\x01\x20")%r(Ker
SF:beros,4,"\0\0\x01\x20")%r(SMBProgNeg,4,"\0\0\x01\x20")%r(FourOhFourRequ
SF:est,4,"\0\0\x01\x20")%r(LPDString,4,"\0\0\x01\x20")%r(LDAPSearchReq,4,"
SF:\0\0\x01\x20")%r(LDAPBindReq,4,"\0\0\x01\x20")%r(SIPOptions,4,"\0\0\x01
SF:\x20")%r(LANDesk-RC,4,"\0\0\x01\x20")%r(TerminalServer,4,"\0\0\x01\x20"
SF:)%r(NCP,4,"\0\0\x01\x20")%r(NotesRPC,4,"\0\0\x01\x20")%r(JavaRMI,4,"\0\
SF:0\x01\x20")%r(WMSRequest,4,"\0\0\x01\x20")%r(oracle-tns,4,"\0\0\x01\x20
SF:")%r(ms-sql-s,4,"\0\0\x01\x20")%r(afp,4,"\0\0\x01\x20")%r(giop,4,"\0\0\
SF:x01\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6003-TCP:V=7.94%I=7%D=9/3%Time=64F4271A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4,"\0\0\x01\x20")%r(X11Probe,4,"\0\0\x01\x20")%r(GenericLines,4,"\0\0
SF:\x01\x20")%r(GetRequest,4,"\0\0\x01\x20")%r(HTTPOptions,4,"\0\0\x01\x20
SF:")%r(RTSPRequest,4,"\0\0\x01\x20")%r(RPCCheck,4,"\0\0\x01\x20")%r(DNSVe
SF:rsionBindReqTCP,4,"\0\0\x01\x20")%r(DNSStatusRequestTCP,4,"\0\0\x01\x20
SF:")%r(Help,4,"\0\0\x01\x20")%r(SSLSessionReq,4,"\0\0\x01\x20")%r(Termina
SF:lServerCookie,4,"\0\0\x01\x20")%r(TLSSessionReq,4,"\0\0\x01\x20")%r(Ker
SF:beros,4,"\0\0\x01\x20")%r(SMBProgNeg,4,"\0\0\x01\x20")%r(FourOhFourRequ
SF:est,4,"\0\0\x01\x20")%r(LPDString,4,"\0\0\x01\x20")%r(LDAPSearchReq,4,"
SF:\0\0\x01\x20")%r(LDAPBindReq,4,"\0\0\x01\x20")%r(SIPOptions,4,"\0\0\x01
SF:\x20")%r(LANDesk-RC,4,"\0\0\x01\x20")%r(TerminalServer,4,"\0\0\x01\x20"
SF:)%r(NCP,4,"\0\0\x01\x20")%r(NotesRPC,4,"\0\0\x01\x20")%r(JavaRMI,4,"\0\
SF:0\x01\x20")%r(WMSRequest,4,"\0\0\x01\x20")%r(oracle-tns,4,"\0\0\x01\x20
SF:")%r(ms-sql-s,4,"\0\0\x01\x20")%r(afp,4,"\0\0\x01\x20")%r(giop,4,"\0\0\
SF:x01\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6004-TCP:V=7.94%I=7%D=9/3%Time=64F4271A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,4,"\0\0\x01\x20")%r(X11Probe,4,"\0\0\x01\x20")%r(GenericLines,4,"\0\0
SF:\x01\x20")%r(GetRequest,4,"\0\0\x01\x20")%r(HTTPOptions,4,"\0\0\x01\x20
SF:")%r(RTSPRequest,4,"\0\0\x01\x20")%r(RPCCheck,4,"\0\0\x01\x20")%r(DNSVe
SF:rsionBindReqTCP,4,"\0\0\x01\x20")%r(DNSStatusRequestTCP,4,"\0\0\x01\x20
SF:")%r(Help,4,"\0\0\x01\x20")%r(SSLSessionReq,4,"\0\0\x01\x20")%r(Termina
SF:lServerCookie,4,"\0\0\x01\x20")%r(TLSSessionReq,4,"\0\0\x01\x20")%r(Ker
SF:beros,4,"\0\0\x01\x20")%r(SMBProgNeg,4,"\0\0\x01\x20")%r(FourOhFourRequ
SF:est,4,"\0\0\x01\x20")%r(LPDString,4,"\0\0\x01\x20")%r(LDAPSearchReq,4,"
SF:\0\0\x01\x20")%r(LDAPBindReq,4,"\0\0\x01\x20")%r(SIPOptions,4,"\0\0\x01
SF:\x20")%r(LANDesk-RC,4,"\0\0\x01\x20")%r(TerminalServer,4,"\0\0\x01\x20"
SF:)%r(NCP,4,"\0\0\x01\x20")%r(NotesRPC,4,"\0\0\x01\x20")%r(JavaRMI,4,"\0\
SF:0\x01\x20")%r(WMSRequest,4,"\0\0\x01\x20")%r(oracle-tns,4,"\0\0\x01\x20
SF:")%r(ms-sql-s,4,"\0\0\x01\x20")%r(afp,4,"\0\0\x01\x20")%r(giop,4,"\0\0\
SF:x01\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port6005-TCP:V=7.94%I=7%D=9/3%Time=64F4271A%P=x86_64-pc-linux-gnu%r(NUL
SF:L,F,"\x0b\0\x01\x109\xd5\(\xe6\x91TR\xde\+\*\x1a")%r(X11Probe,F,"\x0b\0
SF:\x01\x109\xd5\(\xe6\x91TR\xde\+\*\x1a")%r(GenericLines,F,"\x0b\0\x01\x1
SF:0S\x17\x88u\xab\x9e\xd3\xd4\^z\xa2")%r(GetRequest,F,"\x0b\0\x01\x10\xc9
SF:\x97%\xa3\xa3\xe0V\xe4\xfc\xde\xf4")%r(HTTPOptions,F,"\x0b\0\x01\x10\x1
SF:eo\x15q\x92\(\x9c\x15\xb0\x94!")%r(RTSPRequest,F,"\x0b\0\x01\x10t\xeb\x
SF:03\xc6\x08\x1e\x8d\xae\"\xc9\xaa")%r(RPCCheck,F,"\x0b\0\x01\x10\x0c\xec
SF:\xe2\xe2\x18A\x14Y=\xeb\xa8")%r(DNSVersionBindReqTCP,F,"\x0b\0\x01\x10\
SF:xd5\x0f\xb6\x05aV\xa7\x81-\x20\xf6")%r(DNSStatusRequestTCP,F,"\x0b\0\x0
SF:1\x10\x9f\xc6\xa9_\.\x0c\|U\x05D\x05")%r(Help,F,"\x0b\0\x01\x10\xa4\x81
SF:k\xcbU\x19h\xcf\xe1\xbcZ")%r(SSLSessionReq,F,"\x0b\0\x01\x10~\xe4\x94N7
SF:\xaa\xe9\x19\xd0\xd4\+")%r(TerminalServerCookie,F,"\x0b\0\x01\x10\xcf\x
SF:c3\+\x18\^\xf7\nw\x97\xda\xb4")%r(TLSSessionReq,F,"\x0b\0\x01\x10\"\x94
SF:\x0bj\xeb\x1a\x84\$H=C")%r(Kerberos,F,"\x0b\0\x01\x10\xcc\xb5va\x83\xb6
SF:\+\xadg\x01\x17")%r(SMBProgNeg,F,"\x0b\0\x01\x10\xd3k\xd46\xac9-\xa9\xd
SF:b\x13\xb4")%r(FourOhFourRequest,F,"\x0b\0\x01\x10-\xe6\xac\xab\xa0G\x8a
SF:s#\xf4s")%r(LPDString,F,"\x0b\0\x01\x10\xd3e\x90\xa3f\xd5\xf61\x93z\xc4
SF:")%r(LDAPSearchReq,F,"\x0b\0\x01\x10u\\\xe4:7\xbd\xf2t\xf1\x9c\x84")%r(
SF:LDAPBindReq,F,"\x0b\0\x01\x10\xd9\xc8\xa1\x9e\$\xa9\x1fj\x1a\xe2\x88")%
SF:r(SIPOptions,F,"\x0b\0\x01\x10\*\t\x909\x9f\xd7Dp2\xb0\xe3")%r(LANDesk-
SF:RC,F,"\x0b\0\x01\x10\xc0\x88\xb4\xe6D\xf7Ke\xc3\xe0\xf7")%r(TerminalSer
SF:ver,F,"\x0b\0\x01\x10\+\x96f\\AN\xf0Y\xd7fr")%r(NCP,F,"\x0b\0\x01\x10\x
SF:81V\x87\xca\xee\x0b\xabu\xa5\xdeR")%r(NotesRPC,F,"\x0b\0\x01\x10D\x08B\
SF:xac\xb0\xb3h\xa7\xa9/\xcb")%r(JavaRMI,F,"\x0b\0\x01\x10_H\x89z\x8d\xbdl
SF:\x9f\x84wF")%r(WMSRequest,F,"\x0b\0\x01\x10\0\x9d=f\x93Q\xa6\x1d\x0c\xe
SF:8\xc5")%r(oracle-tns,F,"\x0b\0\x01\x10a{n\x7f\xb0H\x07\xb2\xc5yT")%r(ms
SF:-sql-s,F,"\x0b\0\x01\x10\xbeS\xfa\^\x7fRl:\.<\t")%r(afp,F,"\x0b\0\x01\x
SF:10\x05\x8a\x97\x1f\x17\x82H\x88F\x99\xcc")%r(giop,F,"\x0b\0\x01\x10\x07
SF:\r3\x03\x1f\xab%\xee\)\x8a\n");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 295.44 seconds

Check whether the target has common vulnerabilities (the script category is spelled vuln)

nmap --script=vuln {ip}
nmap --script=vuln 124.221.56.92
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-03 02:36 EDT
Nmap scan report for 115.231.218.254
Host is up (0.038s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
135/tcp open msrpc
2383/tcp open ms-olap4
3333/tcp open dec-notes
6001/tcp open X11:1
6002/tcp open X11:2
6003/tcp open X11:3
6004/tcp open X11:4
49153/tcp open unknown
49154/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 100.32 seconds

Integrating with msf (Metasploit)

# Scan the target with nmap and save the results as XML
nmap -p- -sS -sV -n -v --reason --open -oX demon.xml 115.231.218.254
nmap -p- -sS -sV -n -v --reason --open -oX tiankong.xml 124.221.56.92
# Set up the environment in msf
msfconsole

# Create a workspace to hold the imported file
workspace -a|--add {workspace_name}

# Switch into the workspace
workspace {workspace_name}

# Import demon.xml (the nmap result file) from the current directory
db_import demon.xml

# List the services that were found open
services
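The XML written by -oX is the same file db_import reads, and it can be reviewed without msf. The following added example (not code from the original notes or from nmap or Metasploit) parses a constructed sample in that XML shape, reproduces the open-service list that `services` shows, counts ports per state, and flags open services a defender would not expect to be reachable from outside the network. The host address 192.0.2.10 is a placeholder, the port and version values are modelled on the scan output quoted earlier on this page, and the SENSITIVE_PORTS table is this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX (the file that
# db_import reads). The host address is a documentation placeholder and the
# ports and version strings are modelled on the scan output quoted above;
# this is not a real scan file.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Microsoft HTTPAPI httpd" version="2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server" version="2008 R2 10.50.1600; RTM" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="6001">
        <state state="open" reason="syn-ack"/>
        <service name="X11:1" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="49153">
        <state state="open" reason="syn-ack"/>
        <service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Services a defender would not expect to find reachable from outside the
# network. This table is the example's own assumption, not something nmap
# or Metasploit provides.
SENSITIVE_PORTS = {
    135: "MSRPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB",
    1433: "MS SQL Server",
    3389: "RDP",
}


def parse_nmap_xml(xml_text):
    """Return one dict per <port> element: host, port, proto, state, reason,
    service, product, version (missing attributes become empty strings)."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            svc_el = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "reason": state_el.get("reason", "") if state_el is not None else "",
                "service": svc_el.get("name", "") if svc_el is not None else "",
                "product": svc_el.get("product", "") if svc_el is not None else "",
                "version": svc_el.get("version", "") if svc_el is not None else "",
            })
    return rows


def open_services(rows):
    """The subset of rows nmap reported as open (what `services` lists in msf)."""
    return [r for r in rows if r["state"] == "open"]


def state_summary(rows):
    """Count of ports per state, e.g. {'open': 4, 'filtered': 1}."""
    counts = {}
    for r in rows:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    return counts


def exposure_findings(rows):
    """Open ports that should normally not be internet-facing, with a reason.
    Filtered ports are skipped because a filter already blocks them."""
    findings = []
    for r in open_services(rows):
        if r["port"] in SENSITIVE_PORTS:
            findings.append({"port": r["port"], "why": SENSITIVE_PORTS[r["port"]] + " exposed"})
        elif r["service"].startswith("X11"):
            findings.append({"port": r["port"], "why": "X11 display exposed"})
    return findings


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("state summary:", state_summary(rows))
    for r in open_services(rows):
        print(f"{r['host']} {r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}".rstrip())
    for f in exposure_findings(rows):
        print(f"REVIEW port {f['port']}: {f['why']}")
```

To run it against a real scan, replace SAMPLE_NMAP_XML with the contents of demon.xml; the same parse_nmap_xml output can be exported to a ticket or asset inventory so that each open sensitive service gets an owner and a decision (close, filter, or accept) rather than staying a line in a scan log.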

Deeper probing of specific ports (-A turns on OS detection, version detection, default scripts and traceroute; -T5 is the most aggressive timing template and can miss results on slow or lossy links)

nmap 115.231.218.254 -p80,3333,49153 -A -T5