17bdw

In penetration testing the most common workflow is fingerprinting a single domain: enumerate its subdomains automatically, resolve every subdomain to its IP addresses, search the surrounding C-class (/24) ranges for further hosts of the same organisation, and then port-scan the IPs that turned out to be valid targets.

Common port dictionary for scanning


service_list = {
21:"FTP",
22:"SSH",
25:"SMTP",
80:"web",
139:"Samba",
143:"IMAP",
161:"SNMP",
389:"LDAP directory access protocol",
443:"HTTPS",
445:"Microsoft SMB",
465:"SMTP SSL",
513:"rlogin",
546:"DHCP failover",
873:"rsync",
993:"IMAPS",
1080:"SOCKS proxy",
1194:"OpenVPN",
1352:"Lotus Domino",
1433:"MSSQL",
1521:"Oracle default",
2049:"NFS",
2181:"ZooKeeper",
2375:"Docker",
3306:"MySQL",
3389:"Remote Desktop",
4440:"Rundeck",
4848:"GlassFish console",
5000:"Sybase/DB2",
5432:"PostgreSQL",
5632:"pcAnywhere",
5900:"VNC",
5984:"Apache CouchDB",
6082:"Varnish",
6984:"Apache CouchDB SSL",
6379:"Redis",
7001:"WebLogic server listen port",
7002:"WebLogic server SSL listen port",
8069:"Zabbix",
8080:"web, JBoss, Tomcat etc.",
8089:"JBoss/Tomcat/Resin",
8083:"InfluxDB web admin",
8086:"InfluxDB HTTP API",
8095:"Atlassian Crowd",
8161:"ActiveMQ",
8888:"Jupyter Notebook",
8983:"Solr",
9000:"FastCGI",
9043:"VMware ESXi vSphere",
9080:"WebSphere HTTP",
9083:"Hive default",
9090:"WebSphere admin",
9200:"Elasticsearch HTTP",
9300:"Elasticsearch node",
10000:"HiveServer2",
11211:"memcached",
27017:"MongoDB",
50000:"SAP command execute",
50060:"Hadoop web",
50070:"Hadoop default",
60000:"HBase Master",
60010:"hbase.master.info.bindAddress",
}

Reference articles

Online port scanning services

Port scanning with Python's standard library

Account for CDNs

Public IP address lists of overseas public-cloud providers:

Building a port scanner with nothing but Python's standard socket library
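The workflow described at the top of the page (subdomains resolved to IPs, grouped by /24, then scanned) together with the CDN caveat above, as an added example that is not code from the original post. It uses Python's ipaddress module; the hostnames, addresses and the CDN prefix list are constructed stand-ins (documentation ranges, not real resolution results or a real provider list). An address that falls inside a CDN or cloud edge prefix is excluded, because scanning it only reaches the provider's edge rather than the customer's origin host.

```python
import ipaddress
import socket
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed resolution results (hostname -> IPv4 addresses); documentation ranges only.
RESOLVED = {
    "www.example.com":    ["203.0.113.10"],
    "www2.example.com":   ["203.0.113.10"],                 # same address as www: must be de-duplicated
    "mail.example.com":   ["203.0.113.25"],
    "api.example.com":    ["192.0.2.40", "192.0.2.41"],
    "cdn.example.com":    ["198.51.100.7"],                  # fronted by a CDN (constructed)
    "static.example.com": ["198.51.100.7", "198.51.100.8"],  # also CDN-only
}

# Constructed stand-in for a CDN/public-cloud prefix list; the real lists are published by the providers.
CDN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def resolve(hostname: str) -> List[str]:
    """Live helper (not used offline): all IPv4 addresses a hostname resolves to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def is_cdn(ip: str, prefixes=CDN_PREFIXES) -> bool:
    """True when the address lies inside one of the CDN/cloud edge prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def group_by_c_class(resolved: Dict[str, Iterable[str]], prefixes=CDN_PREFIXES) -> Dict[str, List[str]]:
    """Map each /24 ("C-class") to the sorted, unique, non-CDN addresses found in it."""
    groups = defaultdict(set)
    for ips in resolved.values():
        for ip in ips:
            if is_cdn(ip, prefixes):
                continue
            net = ipaddress.ip_network(ip + "/24", strict=False)  # strict=False masks off host bits
            groups[str(net)].add(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in sorted(groups.items())}


def c_class_candidates(net_str: str) -> List[str]:
    """Every usable host address in a /24, for reverse-lookup / same-org hunting in that range."""
    return [str(h) for h in ipaddress.ip_network(net_str).hosts()]


def scan_targets(resolved: Dict[str, Iterable[str]], prefixes=CDN_PREFIXES) -> List[str]:
    """Flat, de-duplicated list of addresses that are worth port scanning."""
    return [ip for ips in group_by_c_class(resolved, prefixes).values() for ip in ips]


def cdn_fronted(resolved: Dict[str, Iterable[str]], prefixes=CDN_PREFIXES) -> List[str]:
    """Hostnames whose every address is behind a CDN: a port scan of them shows only the CDN edge."""
    return sorted(h for h, ips in resolved.items() if ips and all(is_cdn(ip, prefixes) for ip in ips))


if __name__ == "__main__":
    for net, ips in group_by_c_class(RESOLVED).items():
        print(net, "->", ips, "(%d candidates in range)" % len(c_class_candidates(net)))
    print("scan targets:", scan_targets(RESOLVED))
    print("CDN-fronted, origin not reachable this way:", cdn_fronted(RESOLVED))
```

Swap RESOLVED for the output of resolve() over your subdomain list and CDN_PREFIXES for the providers' published ranges; the grouping and filtering logic does not change.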


import socket

def get_ip_status(ip, port, timeout=3):
    # A full TCP connect() scan: the three-way handshake completes, so the probe
    # shows up in the target's logs like any other client connection.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(timeout)   # without this a filtered port blocks for the OS default (often minutes)
    try:
        server.connect((ip, port))
        print('{0} port {1} is open'.format(ip, port))
    except Exception as err:
        print('{0} port {1} is not open'.format(ip, port))
    finally:
        server.close()


get_ip_status("192.168.221.133", 22)

Multithreaded port scanner wrapper

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# Requires the third-party "threadpool" package: pip install threadpool

import threadpool
import socket

service_list = {
21:"FTP",
22:"SSH",
25:"SMTP",
80:"web",
139:"Samba",
143:"IMAP",
161:"SNMP",
389:"LDAP directory access protocol",
443:"HTTPS",
445:"Microsoft SMB",
465:"SMTP SSL",
513:"rlogin",
546:"DHCP failover",
873:"rsync",
993:"IMAPS",
1080:"SOCKS proxy",
1194:"OpenVPN",
1352:"Lotus Domino",
1433:"MSSQL",
1521:"Oracle default",
2049:"NFS",
2181:"ZooKeeper",
2375:"Docker",
3306:"MySQL",
3389:"Remote Desktop",
4440:"Rundeck",
4848:"GlassFish console",
5000:"Sybase/DB2",
5432:"PostgreSQL",
5632:"pcAnywhere",
5900:"VNC",
5984:"Apache CouchDB",
6082:"Varnish",
6984:"Apache CouchDB SSL",
6379:"Redis",
7001:"WebLogic server listen port",
7002:"WebLogic server SSL listen port",
8069:"Zabbix",
8080:"web, JBoss, Tomcat etc.",
8089:"JBoss/Tomcat/Resin",
8083:"InfluxDB web admin",
8086:"InfluxDB HTTP API",
8095:"Atlassian Crowd",
8161:"ActiveMQ",
8888:"Jupyter Notebook",
8983:"Solr",
9000:"FastCGI",
9043:"VMware ESXi vSphere",
9080:"WebSphere HTTP",
9083:"Hive default",
9090:"WebSphere admin",
9200:"Elasticsearch HTTP",
9300:"Elasticsearch node",
10000:"HiveServer2",
11211:"memcached",
27017:"MongoDB",
50000:"SAP command execute",
50060:"Hadoop web",
50070:"Hadoop default",
60000:"HBase Master",
60010:"hbase.master.info.bindAddress",
}

g_list = []   # ports reported open by the worker threads (filled by the callback)

class Port(object):
    """Probe every port in service_list on one host using a thread pool."""
    def __init__(self, ip):
        self.state = 'unscan'   # not yet scanned
        self.ip = ip
        self.report = ''

    # main entry point
    def main(self):
        global g_list
        g_list = []
        portlist = list(service_list)                      # the list of ports to probe
        self.thread_requestor(portlist)                    # run the probes through the thread pool
        self.state = 'scanned'

        for q in g_list:                                   # print the open ports collected by the callback
            print("open:", q, service_list.get(q, ''))
        return g_list

    # thread pool driver
    def thread_requestor(self, portlist):
        pool = threadpool.ThreadPool(200)                                              # number of worker threads
        reqs = threadpool.makeRequests(self.get_ip_status, portlist, self.res_printer)  # one request per port
        [pool.putRequest(req) for req in reqs]                                         # same as: for req in reqs: pool.putRequest(req)
        pool.wait()

    # callback: threadpool calls it with (request, result); an open port comes back as result, otherwise None
    def res_printer(self, request, result):
        if result:
            g_list.append(result)

    # probe one TCP port with a full connect()
    def get_ip_status(self, port):
        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.settimeout(3)                               # a filtered port must not block a worker for minutes
        try:
            server.connect((self.ip, port))
            print('{0} port {1} is open'.format(self.ip, port))
            return port
        except Exception as e:
            print('{0} port {1} is not open'.format(self.ip, port))
        finally:
            server.close()

if __name__ == "__main__":
    Port("www.baidu.com").main()
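A standard-library-only version of the same multithreaded connect scan, added here as an example (it is not code from the original post): it uses concurrent.futures instead of the third-party threadpool package, sets a per-connection timeout, and, unlike the scanner above, distinguishes three outcomes per port: open (handshake completed), closed (the target answered with RST, surfacing as ConnectionRefusedError) and filtered (no answer before the timeout). The last two are the difference between "nothing is listening" and "a firewall dropped the probe". The listener and port helpers at the bottom exist only so the demo and its check run offline against 127.0.0.1; the worker count and timeout are arbitrary defaults.

```python
import socket
import concurrent.futures
from typing import Dict, Iterable, List, Tuple


def probe_port(ip: str, port: int, timeout: float = 1.0) -> str:
    """Full TCP connect() probe of one port; returns 'open', 'closed', 'filtered' or 'error'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"              # SYN-ACK received and handshake completed
    except ConnectionRefusedError:
        return "closed"                # RST received: host reachable, nothing listening
    except socket.timeout:
        return "filtered"              # neither SYN-ACK nor RST before the timeout: likely dropped by a firewall
    except OSError:
        return "error"                 # e.g. network unreachable, name resolution failure


def scan_ports(ip: str, ports: Iterable[int], timeout: float = 1.0, workers: int = 100) -> Dict[int, str]:
    """Probe many ports concurrently; returns {port: state}."""
    results: Dict[int, str] = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        future_to_port = {pool.submit(probe_port, ip, p, timeout): p for p in ports}
        for fut in concurrent.futures.as_completed(future_to_port):
            results[future_to_port[fut]] = fut.result()
    return results


def open_ports(results: Dict[int, str]) -> List[int]:
    return sorted(p for p, s in results.items() if s == "open")


def filtered_ports(results: Dict[int, str]) -> List[int]:
    """Ports that never answered: worth noting separately, since they hint at a firewall policy."""
    return sorted(p for p, s in results.items() if s == "filtered")


# --- offline demo helpers (constructed test fixture, not part of the scanning logic) ---

def start_local_listener() -> Tuple[socket.socket, int]:
    """Bind a TCP listener on 127.0.0.1 at an ephemeral port; connects succeed without accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port() -> int:
    """Pick an ephemeral port, then release it, so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_local_listener()
    closed = find_closed_port()
    try:
        results = scan_ports("127.0.0.1", [listening, closed], timeout=1.0)
        for port in sorted(results):
            print("127.0.0.1 port {0}: {1}".format(port, results[port]))
        print("open:", open_ports(results), "filtered:", filtered_ports(results))
    finally:
        srv.close()
```

Against a real target, pass the keys of service_list as the port iterable; keep the worker count well below the pool size used above if the target sits behind a rate-limiting firewall, since many simultaneous timed-out probes are what make a connect scan slow.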

python-nmap

Wraps nmap's command-line arguments, invokes nmap, and parses its output into structured results.

Commonly used module methods

Here we mainly cover the two most used classes of the python-nmap module: PortScanner(), which wraps the port-scanning functionality of the nmap tool; and PortScannerHostDict(), which stores and gives access to the scan results for a host.

1. Commonly used PortScanner() methods

1-1. scan() method

scan(self, hosts='127.0.0.1', ports=None, arguments='-sV')

scans the given hosts and ports with the given nmap command-line arguments. hosts is a string naming the target addresses, in forms such as "scanme.nmap.org", "192.116.0-255.1-127" or "216.163.128.20/20"; ports is a string naming the ports to scan, e.g. "22,53,110,143-4564"; arguments is the nmap command-line argument string, e.g. "-sU -sX -sC". For example:

nm = nmap.PortScanner()
nm.scan('192.168.209.121-122', '22,80')

1-2. command_line() method
command_line(self) returns the concrete nmap command line that the scan call was mapped to, e.g.:

>>> nm.command_line()
u'nmap -oX - -p 22,80 -sV 192.168.209.121-122'

1-3. scaninfo() method
scaninfo(self) returns the nmap scan information as a dictionary, e.g.:

>>> nm.scaninfo()
{'tcp': {'services': '22,80', 'method': 'syn'}}

The method is 'syn' only when nmap runs with root privileges; without them the default -sV scan falls back to a TCP connect scan, which is why the unprivileged example further down reports 'connect'.

1-4. all_hosts() method
all_hosts(self) returns the list of hosts nmap scanned, e.g.:

['192.168.209.121', '192.168.209.122']

2. Commonly used PortScannerHostDict() methods
2-1. hostname() method
hostname(self) returns the hostname of the scanned host, e.g.:

>>> nm['192.168.209.121'].hostname()
'liuyazhuang'

2-2. state() method
state(self) returns the state of the scanned host, one of four values (up, down, unknown, skipped), e.g.:

>>> nm['192.168.209.121'].state()
'up'

2-3. all_protocols() method
all_protocols(self) returns the protocols that were scanned, e.g.:

>>> nm['192.168.209.121'].all_protocols()
['tcp']

2-4. all_tcp() method
all_tcp(self) returns the TCP ports that were scanned, e.g.:

>>> nm['192.168.209.121'].all_tcp()
[22, 80]

2-5. tcp() method
tcp(self, port) returns the scan result for TCP port port, e.g.:

>>> nm['192.168.209.121'].tcp(22)
{'state': 'open', 'reason': 'syn-ack', 'name': 'ssh'}

Driving nmap from Python

1. A simple example

Create a PortScanner instance, then scan port 20 of the IP 115.239.210.26.

import nmap

nm = nmap.PortScanner()
ret = nm.scan('115.239.210.26', '20')
print(ret)

The return value looks like this (note that the host is up but port 20 is 'filtered' with reason 'no-response': nothing answered the probe, which usually means a firewall dropped it, not that the service is absent):

{'nmap': {'scanstats': {'uphosts': '1', 'timestr': 'Tue Oct 25 11:30:47 2016', 'downhosts': '0', 'totalhosts': '1', 'elapsed': '1.11'},
          'scaninfo': {'tcp': {'services': '20', 'method': 'connect'}},
          'command_line': 'nmap -oX - -p 20 -sV 115.239.210.26'},
 'scan': {'115.239.210.26': {'status': {'state': 'up', 'reason': 'syn-ack'},
                             'hostnames': [{'type': '', 'name': ''}],
                             'vendor': {},
                             'addresses': {'ipv4': '115.239.210.26'},
                             'tcp': {20: {'product': '', 'state': 'filtered', 'version': '', 'name': 'ftp-data', 'conf': '3', 'extrainfo': '', 'reason': 'no-response', 'cpe': ''}}}}}

2. Built-in methods:

Simpler summaries can be printed as well (the outputs below come from a scan of ports 20-443 on the same host):

import nmap
nm = nmap.PortScanner()
nm.scan('115.239.210.26', '20-443')
print(nm.scaninfo())
# {u'tcp': {'services': u'20-443', 'method': u'syn'}}
print(nm.command_line())
# u'nmap -oX - -p 20-443 -sV 115.239.210.26'

Check how many hosts were scanned

print(nm.all_hosts())
# [u'115.239.210.26']

View the details of that host

nm['115.239.210.26']

List all protocols found on that host

nm['115.239.210.26'].all_protocols()

List the TCP ports that have results on that host

nm['115.239.210.26']['tcp']

nm['115.239.210.26']['tcp'].keys()

Check whether the scan has a TCP result for a given port

nm['115.239.210.26'].has_tcp(21)

The nmap arguments can also be set like this (a ping-only host discovery sweep: no DNS resolution, ICMP echo plus TCP ACK probes to the listed ports; -sP is the older spelling of -sn)

nm.scan(hosts='192.168.1.0/24', arguments='-n -sP -PE -PA21,23,80,3389')
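Walking the result dictionary shown in the simple example above and the per-host accessors that follow it, as an added example (not code from the original post or from python-nmap itself): a scan is only useful once the raw structure has been reduced to "which hosts are up and which ports are open with what service", and filtered ports are kept separately because they hint at firewall policy. The sample result is constructed in the same shape as nm.scan() returns; the hosts, ports and banners in it are made up. run_scan() is the only part that needs nmap and python-nmap installed and is not exercised offline.

```python
from typing import Dict, List, Tuple

# Constructed sample in the shape of nm.scan() output (see the return format above):
# one host up with an open ssh port and a filtered ftp-data port, one host down.
SAMPLE_RESULT = {
    "nmap": {
        "scanstats": {"uphosts": "1", "downhosts": "1", "totalhosts": "2", "elapsed": "2.30"},
        "scaninfo": {"tcp": {"services": "20-443", "method": "connect"}},
        "command_line": "nmap -oX - -p 20-443 -sV 192.0.2.10 192.0.2.11",
    },
    "scan": {
        "192.0.2.10": {
            "status": {"state": "up", "reason": "syn-ack"},
            "hostnames": [{"type": "PTR", "name": "host10.example"}],
            "addresses": {"ipv4": "192.0.2.10"},
            "tcp": {
                20: {"state": "filtered", "reason": "no-response", "name": "ftp-data", "product": "", "version": ""},
                22: {"state": "open", "reason": "syn-ack", "name": "ssh", "product": "OpenSSH", "version": "8.2p1"},
            },
        },
        "192.0.2.11": {
            "status": {"state": "down", "reason": "no-response"},
            "hostnames": [],
            "addresses": {"ipv4": "192.0.2.11"},
        },
    },
}


def live_hosts(result: dict) -> List[str]:
    """Hosts whose status is 'up' (same information as nm[host].state() == 'up')."""
    return [h for h, d in result["scan"].items() if d.get("status", {}).get("state") == "up"]


def open_services(result: dict) -> List[Tuple[str, int, str, str]]:
    """(host, port, service name, 'product version') for every open TCP port on a live host."""
    found = []
    for host in live_hosts(result):
        for port, info in sorted(result["scan"][host].get("tcp", {}).items()):
            if info.get("state") == "open":
                banner = " ".join(x for x in (info.get("product", ""), info.get("version", "")) if x)
                found.append((host, port, info.get("name", ""), banner))
    return found


def filtered_ports(result: dict) -> Dict[str, List[int]]:
    """Ports that got no reply per live host: a firewall is dropping those probes."""
    out: Dict[str, List[int]] = {}
    for host in live_hosts(result):
        ports = sorted(p for p, i in result["scan"][host].get("tcp", {}).items() if i.get("state") == "filtered")
        if ports:
            out[host] = ports
    return out


def run_scan(hosts: str, ports: str = None, arguments: str = "-sV") -> dict:
    """Run a real scan through python-nmap and return the raw dictionary (needs nmap installed)."""
    import nmap  # imported here so the parsing helpers above work without python-nmap present
    nm = nmap.PortScanner()
    return nm.scan(hosts=hosts, ports=ports, arguments=arguments)


if __name__ == "__main__":
    for host, port, name, banner in open_services(SAMPLE_RESULT):
        print("{0}:{1} {2} {3}".format(host, port, name, banner))
    print("filtered:", filtered_ports(SAMPLE_RESULT))
```

To use it on a live scan, replace SAMPLE_RESULT with run_scan('192.168.1.0/24', '20-443'); the helpers read only the keys documented in the return format above, so they work unchanged on real output.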

For further operations see the official site: http://xael.org/pages/python-nmap-en.html
