Using Nmap for security checks in an enterprise environment

Introduction to Nmap

Nmap is a free, open-source tool for network discovery and security auditing.
Key Nmap features:
Host discovery: finds the hosts on a network, for example by listing hosts that respond to TCP or ICMP requests or that have particular ports open
Port scanning: enumerates the ports a target host has open
Version detection: probes the network services on a target host to determine the service name and version
OS detection: identifies the operating system of a target host and hardware characteristics of network devices
Scriptable probing: custom probe scripts can be written in Lua for the Nmap Scripting Engine (NSE)

Common commands

1. Find the live hosts in a subnet

nmap -sP < TARGET >
Parameter explanation:
< TARGET > can be a single address, a subnet or a domain name
-sP ping scan; the result may be inaccurate because hosts that block ping will not be listed
Sample output:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 22:40 中国标准时间
Nmap scan report for 192.168.2.1
Host is up (0.0020s latency).
MAC Address: F8:AA:78:05:AA:AA (Unknown)
Nmap scan report for 192.168.2.7
Host is up (0.035s latency).
MAC Address: 7C:AA:AB:AA:AA (Unknown)
Nmap scan report for 192.168.2.200
Host is up (0.0020s latency).
MAC Address: 00:AA:32:7D:AA:AA (Synology Incorporated)
Nmap done: 256 IP addresses (3 hosts up) scanned in 74.66 seconds
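The ping scan above only becomes a security check when its result is compared with what is supposed to be on the network. The following Python script is an added example, not code from the original post or from the Nmap project: it assumes the same discovery scan was saved in greppable format (nmap -sn -oG hosts.gnmap 192.168.2.0/24; -sn is the current spelling of -sP) and diffs the live hosts against an approved inventory. The sample scan text, the host name and the APPROVED_HOSTS list are constructed for the example.

```python
"""Turn an nmap host-discovery scan into an inventory check.

Added example (not code from the original page or the Nmap project). The
page's step 1 (nmap -sP <TARGET>) lists the hosts that answer; here the
same scan is assumed to have been saved in greppable format, e.g.
    nmap -sn -oG hosts.gnmap 192.168.2.0/24
and the live hosts are compared with an approved inventory so that
unknown devices stand out.
"""
import re

# Constructed sample in nmap's greppable (-oG) format, modelled on the three
# hosts in the page's sample output plus one host that is not in the inventory.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Fri Mar 13 22:40:00 2020 as: nmap -sn -oG hosts.gnmap 192.168.2.0/24
Host: 192.168.2.1 ()\tStatus: Up
Host: 192.168.2.7 ()\tStatus: Up
Host: 192.168.2.200 (zserver01.example.internal)\tStatus: Up
Host: 192.168.2.77 ()\tStatus: Up
# Nmap done at Fri Mar 13 22:41:14 2020 -- 256 IP addresses (4 hosts up) scanned in 74.66 seconds
"""

# Approved inventory (constructed for the example): address -> description.
APPROVED_HOSTS = {
    "192.168.2.1": "gateway",
    "192.168.2.7": "printer",
    "192.168.2.200": "Synology NAS ZServer01",
    "192.168.2.9": "decommissioned switch (still listed in inventory)",
}

# "Host: <ip> (<hostname>)<TAB>Status: Up" is the -oG line for a live host.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_up_hosts(gnmap_text):
    """Return {ip: hostname} for every host reported 'Up' in -oG output."""
    up = {}
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up


def inventory_diff(approved, scanned):
    """Compare scan results with the approved list.

    Returns (unknown, silent): addresses that answered but are not approved
    (candidate rogue devices), and approved addresses that did not answer
    (down, or blocking ping, as the page's parameter note warns).
    """
    unknown = sorted(set(scanned) - set(approved))
    silent = sorted(set(approved) - set(scanned))
    return unknown, silent


if __name__ == "__main__":
    live = parse_up_hosts(SAMPLE_GNMAP)
    unknown, silent = inventory_diff(APPROVED_HOSTS, live)
    for ip in unknown:
        print(f"UNKNOWN host answered: {ip} {live[ip]}".rstrip())
    for ip in silent:
        print(f"approved host silent: {ip} ({APPROVED_HOSTS[ip]})")
```

Hosts that answer but are not in the inventory deserve a follow-up. Approved hosts that stay silent may simply be blocking ping, as the parameter note above says, so record them as unverified rather than gone and confirm with a port scan of the ports they are supposed to serve.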
2. Scan the services open on live hosts

nmap -sS -P0 -sV -O < TARGET >
Parameter explanation:
< TARGET > can be a single address, a subnet or a domain name
-sS TCP SYN scan (also called half-open or stealth scan; it is fast and relatively safe for the target)
-P0 lets you turn off ICMP pings (every target is treated as up)
-sV enable version detection for the services found
-O try to identify the remote operating system

Sample output:

Nmap scan report for 192.168.2.200
Host is up (0.0016s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        nginx
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    nginx
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.1.8 (name: ZServer01; protocol 3.4)
4662/tcp  open  edonkey?
5000/tcp  open  http        nginx
5001/tcp  open  ssl/http    nginx
50001/tcp open  upnp        Portable SDK for UPnP devices 1.6.21 (Linux 3.2.40; UPnP 1.0)
50002/tcp open  http        lighttpd 1.4.43
MAC Address: 00:11:32:7D:FF:76 (Synology Incorporated)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: ZSERVER01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel:3.2.40

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (1 hosts up) scanned in 127.95 seconds
3. Detailed information about a target host

nmap -A < TARGET >
Parameter explanation:
< TARGET > can be a single address, a subnet or a domain name

Sample output:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 23:25 中国标准时间
Nmap scan report for 192.168.2.200
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        nginx
|_http-server-header: nginx
|_http-title: Did not follow redirect to http://192.168.2.200:5000/
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp   open  ssl/http    nginx
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
548/tcp   open  afp         Netatalk 3.1.8 (name: ZServer01; protocol 3.4)
| afp-serverinfo:
|   Server Flags:
|     Flags hex: 0x8f79
|     Super Client: true
|     UUIDs: true
|     UTF8 Server Name: true
|     Open Directory: true
|     Reconnect: false
|     Server Notifications: true
|     TCP/IP: true
|     Server Signature: true
|     Server Messages: true
|     Password Saving Prohibited: false
|     Password Changing: false
|     Copy File: true
|   Server Name: ZServer01
|   Machine Type: Netatalk3.1.8
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: DHX2, DHCAST128
|   Server Signature: 8a2eb6e86AAAAAAAAAA38ac2
|   Network Addresses:
|     192.168.2.200
|_  UTF8 Server Name: ZServer01
4662/tcp  open  edonkey?
5000/tcp  open  http        nginx
| http-robots.txt: 1 disallowed entry
|_/
5001/tcp  open  ssl/http    nginx
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
50001/tcp open  upnp        Portable SDK for UPnP devices 1.6.21 (Linux 3.2.40; UPnP 1.0)
50002/tcp open  http        lighttpd 1.4.43
|_http-server-header: lighttpd/1.4.43
|_http-title: 403 - Forbidden
MAC Address: 00:AA:32:7D:AA:AA (Synology Incorporated)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: Host: ZSERVER01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel:3.2.40

Host script results:
|_nbstat: NetBIOS name: ZSERVER01, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-13 23:27:17
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   1.44 ms 192.168.2.200

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.35 seconds
4. NSE script scan

nmap -sC < TARGET >
Parameter explanation:
< TARGET > can be a single address, a subnet or a domain name
-sC run the default set of NSE scripts

Sample output:

Starting Nmap 7.70 ( https://nmap.org ) at 2020-03-13 23:27 中国标准时间
Nmap scan report for 192.168.2.200
Host is up (0.0043s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE
80/tcp    open  http
|_http-title: Did not follow redirect to http://192.168.2.200:5000/
139/tcp   open  netbios-ssn
443/tcp   open  https
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_  http/1.1
445/tcp   open  microsoft-ds
548/tcp   open  afp
| afp-serverinfo:
|   Server Flags:
|     Flags hex: 0x8f79
|     Super Client: true
|     UUIDs: true
|     UTF8 Server Name: true
|     Open Directory: true
|     Reconnect: false
|     Server Notifications: true
|     TCP/IP: true
|     Server Signature: true
|     Server Messages: true
|     Password Saving Prohibited: false
|     Password Changing: false
|     Copy File: true
|   Server Name: ZServer01
|   Machine Type: Netatalk3.1.8
|   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3, AFP3.4
|   UAMs: DHX2, DHCAST128
|   Server Signature: 8a2eb6e8AAAAAAAAAAAAAA11ef0238ac2
|   Network Addresses:
|     192.168.2.200
|_  UTF8 Server Name: ZServer01
4662/tcp  open  edonkey
5000/tcp  open  upnp
5001/tcp  open  commplex-link
50001/tcp open  unknown
50002/tcp open  iiimsf
MAC Address: 00:11:32:7D:AA:AA (Synology Incorporated)

Host script results:
|_nbstat: NetBIOS name: ZSERVER01, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-13 23:28:22
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 110.96 seconds
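Steps 2 to 4 produce a long report per host, and across a subnet nobody reads them line by line. The following Python script is an added example (not code from the original post or the Nmap project) that parses the normal-format report shown above and pulls out the findings an auditor cares about: open sensitive ports, services Nmap could not identify (the trailing "?"), SMB message signing disabled or not required, and an expired TLS certificate. SAMPLE_REPORT is an abbreviated copy of the page's nmap -A output; the SENSITIVE_PORTS table, the severity labels and the findings() function are the example's own choices.

```python
"""Pull security-relevant findings out of an nmap -A / -sC report.

Added example, not code from the original page or from the Nmap project.
It reads the normal (human-readable) output shown in the page's steps 2-4
and turns the interesting lines into a findings list, so a version/script
scan of many hosts can be triaged without reading every report by hand.
"""
import re
from datetime import datetime

# Constructed sample: an abbreviated copy of the page's `nmap -A` report.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.2.200
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        nginx
443/tcp   open  ssl/http    nginx
| ssl-cert: Subject: commonName=synology.com/organizationName=Synology Inc./countryName=TW
| Not valid before: 2017-10-13T11:44:53
|_Not valid after:  2037-06-30T11:44:53
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
4662/tcp  open  edonkey?
50002/tcp open  http        lighttpd 1.4.43
MAC Address: 00:AA:32:7D:AA:AA (Synology Incorporated)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required

Nmap done: 1 IP address (1 host up) scanned in 165.35 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
CERT_EXPIRY = re.compile(r"Not valid after:\s+(\S+)")

# Ports this example treats as sensitive when exposed (chosen for the example,
# taken from the services the page scans).
SENSITIVE_PORTS = {139: "NetBIOS", 445: "SMB", 548: "AFP", 3306: "MySQL", 6379: "Redis"}


def parse_report(text):
    """Return (host, ports, script_lines).

    ports is a list of dicts from the PORT/STATE/SERVICE table; script_lines
    holds the raw '|' lines from port scripts and host scripts alike.
    """
    host, ports, script_lines = None, [], []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
            continue
        if line.startswith("|"):
            script_lines.append(line)
    return host, ports, script_lines


def findings(text, today):
    """Triage a report into (severity, message) tuples.

    `today` is an ISO date string ("YYYY-MM-DD") used for the certificate
    check, so the result does not depend on the wall clock.
    """
    reference = datetime.strptime(today, "%Y-%m-%d")
    host, ports, scripts = parse_report(text)
    out = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["service"].endswith("?") or p["service"] == "unknown":
            out.append(("info", f"{host}:{p['port']} unidentified service {p['service']}"))
        if p["port"] in SENSITIVE_PORTS:
            out.append(("medium", f"{host}:{p['port']} exposes {SENSITIVE_PORTS[p['port']]}"))
    joined = "\n".join(scripts)
    if "message_signing: disabled" in joined:
        out.append(("high", f"{host} SMB1 message signing disabled"))
    if "Message signing enabled but not required" in joined:
        out.append(("medium", f"{host} SMB2 message signing not required"))
    for m in CERT_EXPIRY.finditer(joined):
        expiry = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if expiry < reference:
            out.append(("medium", f"{host} TLS certificate expired {expiry.date()}"))
    return out


if __name__ == "__main__":
    for sev, msg in findings(SAMPLE_REPORT, "2020-03-13"):
        print(f"[{sev}] {msg}")
```

The SMB signing lines come straight from the smb-security-mode and smb2-security-mode output above; "disabled (dangerous, but default)" is the one that matters, because without signing an SMB session on that segment cannot be protected from tampering in transit. Save the scan with -oN to keep this exact format on disk, or switch to -oX and an XML parser once more than a handful of hosts are involved.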
5. Scan the LAN for the Conficker worm

nmap -PN -T4 -p139,445 -n -v --script=smb-vuln-* --script-args safe=1 192.168.2.0/24
Parameter explanation:
--script lets you scan with scripts of your choice, which is extremely powerful!

Sample output:

Nmap scan report for 192.168.2.10
Host is up (0.0090s latency).

PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: 6C:40:08:BB:B0:A2 (Apple)

Nmap scan report for 192.168.2.200
Host is up (0.0012s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:11:32:7D:FF:76 (Synology Incorporated)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
|_smb-vuln-ms17-010: Could not connect to 'IPC$'
6. Mail security checks
  • SMTP weak passwords
    nmap -p 25 --script smtp-brute.nse -v < SMTP Host >
  • SMTP user name enumeration
    nmap -p 25 --script smtp-enum-users.nse -v < SMTP Host >
  • POP3 weak passwords
    nmap -p 110 --script pop3-brute.nse -v < POP3 Host >
7. Database security checks
  • MySQL weak passwords
    nmap -p 3306 --script mysql-brute.nse -v < MYSQL Host >
  • Dump all MySQL users (password hashes)
    nmap -p 3306 --script mysql-dump-hashes --script-args='username=root,password=root' < MYSQL Host >
  • Find MSSQL services in the subnet
    nmap -p 1433 --script ms-sql-info.nse --script-args mssql.instance-port=1433 -v 192.168.2.0/24
  • Check MSSQL services in the subnet for weak and empty passwords
    nmap -p 1433 --script ms-sql-empty-password.nse -v 192.168.2.0/24
    nmap -p 1433 --script ms-sql-brute.nse -v 192.168.2.0/24
  • Try remote xp_cmdshell execution with an account and password found by the scan
    nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd=net user test test add 192.168.2.0/24
  • Dump all users from MSSQL services in the subnet
    nmap -p 1433 --script ms-sql-dump-hashes -v 192.168.3.0/24
  • PostgreSQL weak passwords in the subnet
    nmap -p 5432 --script pgsql-brute -v 192.168.2.0/24
  • Oracle weak passwords in the subnet
    nmap --script oracle-brute-stealth -p 1521 --script-args oracle-brute-stealth.sid=ORCL -v 192.168.2.0/24
    nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=ORCL -v 192.168.2.0/24
  • MongoDB weak passwords in the subnet
    nmap -p 27017 --script mongodb-brute 192.168.2.0/24
  • Redis weak passwords in the subnet
    nmap -p 6379 --script redis-brute.nse 192.168.2.0/24
8. Scan SNMP information in the subnet

nmap -sU --script snmp-brute --script-args snmp-brute.communitiesdb=user.txt 192.168.2.0/24

9. LDAP service security check in the subnet

nmap -p 389 --script ldap-brute --script-args ldap.base='cn=users,dc=cqure,dc=net' 192.168.2.0/24

10. HTTP-related security checks

nmap -p80 --script http-* 192.168.2.0/24

11. SMB-related security checks

nmap -p445 --script smb-vuln* 192.168.2.0/24
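The brute-force and enumeration scripts in steps 6 to 11 tell you whether a credential is weak; the prior question in an enterprise audit is which hosts expose a mail, database, SNMP, LDAP, HTTP or SMB service at all, and whether that exposure is approved. The following Python script is an added example (not code from the original post or the Nmap project) that reads a scan saved as XML with -oX, for instance nmap -p 25,110,389,445,1433,1521,3306,5432,6379,27017 -oX scan.xml 192.168.2.0/24, and reports every open port that the per-host allow-list does not approve. SAMPLE_XML and POLICY are constructed for the example.

```python
"""Check a subnet service scan against an approved-exposure policy.

Added example (not code from the original page or the Nmap project). It
assumes the scan was saved in nmap's XML format, e.g.
    nmap -p 25,110,389,445,1433,1521,3306,5432,6379,27017 -oX scan.xml 192.168.2.0/24
and compares the open ports of each host with a per-host allow-list.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format (two hosts, abbreviated to the
# elements this script reads).
SAMPLE_XML = """\
<nmaprun scanner="nmap" version="7.70">
  <host>
    <status state="up"/>
    <address addr="192.168.2.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="5432"><state state="closed"/><service name="postgresql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="6379"><state state="open"/><service name="redis" product="Redis key-value store"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed policy: the (protocol, port) pairs each host may expose.
# A host missing from the policy has nothing approved.
POLICY = {
    "192.168.2.200": {("tcp", 445)},   # file server: SMB approved, MySQL is not
}


def parse_open_services(xml_text):
    """Return {ip: [(proto, port, service_name), ...]} for every open port."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            services.append((port.get("protocol"), int(port.get("portid")), name))
        result[addr.get("addr")] = services
    return result


def policy_violations(services_by_host, policy):
    """List (ip, proto, port, service) for open ports the policy does not approve."""
    violations = []
    for ip, services in services_by_host.items():
        allowed = policy.get(ip, set())
        for proto, port, name in services:
            if (proto, port) not in allowed:
                violations.append((ip, proto, port, name))
    return sorted(violations)


if __name__ == "__main__":
    for ip, proto, port, name in policy_violations(parse_open_services(SAMPLE_XML), POLICY):
        print(f"{ip} {port}/{proto} ({name}) open but not approved")
```

Hosts absent from the policy get an empty allow-list, so a new database appearing anywhere in the subnet is reported by default; when an exposure has been reviewed and accepted, extend the policy rather than the script, so the allow-list doubles as the written record of approved exposure.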

Common ports and penetration risks

With the information obtained from these scans, we can harden the common services found against the risks they are likely to carry.
[Image not preserved in this copy: the original page illustrated the common ports and their penetration risks here.]
