Introduction
Nmap은 오픈소스 기반의 Network discovery 도구입니다. 일반적으로 포트스캐너로 알려져 있으며, Lua script(NSE)를 통해 별도의 테스팅 로직을 구성할 수 있어 웹부터 네트워크단 취약점에 대한 스캐닝까지 충분히 커버할 수 있습니다.
Installation
Mac
Linux
Windows
https://nmap.org/download.html
Go-to commands
1
2
3
|
nmap -sC 192.168.0.1 (same this, nmap 192.168.0.1 --script=default)
- 디폴트 스크립트로 대상 스캔
- scanning with default scripts
|
1
2
3
|
nmap -sn -sC 192.168.0.1
- 포트스캔 없이 스크립트 스캔만
- scanning default script without portscan
|
1
2
3
|
nmap -PN 192.168.0.1
- Host 스캔 없이 바로 포트 스캐닝
- Portscanning without host scan
|
1
2
|
nmap -PN 192.168.0.1 -p-
- Full port(1-65536) scanning
|
1
2
3
|
nmap -sS 192.168.0.1
- Syn 스캔
- Syn portscan
|
1
2
|
nmap -sS 192.168.0.1 --script=http* -oX test.xml
- Syn scanning with enable "http~~" scripts and xml output file
|
Default Commands
Scan single IP/Port
1
|
nmap 192.168.0.1 -p 443
|
Scan range of IP/Ports
IP range and subnet
Port range
1
|
nmap 192.168.0.1 -p 20-3000
|
Full port scanning
Most 100 port
Scan from file
Scan types
TCP
Syn
UDP
PING(Ping sweep)
Use NSE(Lua)
Usage
1
2
3
|
Same lines.
--script <NSE FILE>
--script=<NSE FILE>
|
Use NSE
1
|
nmap 192.168.0.1 --script <NSE FILE>
|
Use NSE with arguments
1
|
nmap 192.168.0.1 --script nse --script-args <ARGUMENTS>
|
Use NSE with arguments file
1
|
nmap 192.168.0.1 --script nse --script-args-file <FILE>
|
Use NSE arguments scripts
1
|
nmap -sC --script-args 'user=foo,pass=",{}=bar",paths={/admin,/cgi-bin},xmpp-info.server_name=localhost’
|
1
2
3
4
5
6
7
8
9
|
nmap.registry.args = {
user = "foo",
pass = ",{}=bar",
paths = {
"/admin",
"/cgi-bin"
},
xmpp-info.server_name="localhost"
}
|
NSE list
Write NSE scripts
NSE Information
1
2
3
4
5
6
7
8
|
description = [[
Attempts to find the owner of an open TCP port by querying an auth
(identd - port 113) daemon which must also be open on the target system.
]]
author = "Diman Todorov"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "safe"}
|
portrule
1
2
3
4
5
6
7
8
9
|
portrule = function(host, port)
local auth_port = { number=113, protocol="tcp" }
local identd = nmap.get_port_state(host, auth_port)
return identd ~= nil
and identd.state == "open"
and port.protocol == "tcp"
and port.state == "open"
end
|
action
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
action = function(host, port)
local owner = ""
local client_ident = nmap.new_socket()
local client_service = nmap.new_socket()
local catch = function()
client_ident:close()
client_service:close()
end
local try = nmap.new_try(catch)
try(client_ident:connect(host.ip, 113))
try(client_service:connect(host.ip, port.number))
local localip, localport, remoteip, remoteport =
try(client_service:get_info())
local request = port.number .. ", " .. localport .. "\r\n"
try(client_ident:send(request))
owner = try(client_ident:receive_lines(1))
if string.match(owner, "ERROR") then
owner = nil
else
owner = string.match(owner,
"%d+%s*,%s*%d+%s*:%s*USERID%s*:%s*.+%s*:%s*(.+)\r?\n")
end
try(client_ident:close())
try(client_service:close())
return owner
end
|
Articles
References