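Raspberry Pi 3B+: Network Scanning and Sniffing (nmap)

Since the Raspberry Pi runs Linux, network sniffing tools are a must-have, and nmap is a very good one. It provides four main functions: host discovery, port scanning, version detection and operating system detection. That basically covers our everyday needs.

1. Install nmap directly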

sudo apt install -y nmap

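2. Usage

2.0 Basic options

Official Chinese-language documentation: link
Although the official documentation exists, here is a list of some commonly used options anyway.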

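Option             Purpose
-sP                Ping scan
-P0                No-ping scan
-PS                TCP SYN ping scan
-PA                TCP ACK ping scan
-PU                UDP ping scan
-PE, -PP, -PM      ICMP ping types scan
-PR                ARP ping scan
-n                 Disable reverse DNS resolution
-R                 Reverse-resolve domain names
--system-dns       Use the system DNS resolver
-sL                List scan
-6                 Scan IPv6 addresses
--traceroute       Trace the route
-PY                SCTP INIT ping scan

2.1 Scanning for online hosts
# First, ping an address range to find the hosts that are online:
nmap -sP 192.168.1.1-255
# Output: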

Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-12 13:10 UTC
Nmap scan report for 192.168.1.1
Host is up (0.088s latency).
Nmap scan report for 192.168.1.100
Host is up (0.025s latency).
Nmap scan report for 192.168.1.107
Host is up (0.13s latency).
Nmap scan report for 192.168.1.113
Host is up (0.0051s latency).
Nmap scan report for 192.168.1.115
Host is up (0.0033s latency).
Nmap scan report for 192.168.1.116
Host is up (0.26s latency).
Nmap scan report for 192.168.1.120
Host is up (0.13s latency).
Nmap scan report for 192.168.1.144
Host is up (0.28s latency).
Nmap done: 255 IP addresses (8 hosts up) scanned in 17.41 seconds

We'll pick my other Raspberry Pi as the test target, namely 192.168.1.120.

2.2 Using a SYN scan to detect open ports and the operating system
sudo nmap -sS 192.168.1.120 -O
# Output:
Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-12 13:23 UTC
Nmap scan report for 192.168.1.120
Host is up (0.0065s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1080/tcp open  socks
4662/tcp open  edonkey
8002/tcp open  teradataordbms
9001/tcp open  tor-orport
MAC Address: B8:27:EB:B8:CE:B6 (Raspberry Pi Foundation)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds

2.3 Scanning open ports for detailed information
nmap -sV 192.168.1.120 -A
# Output (this scan is fairly slow; specifying a few ports makes it faster):

Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-12 13:13 UTC
Nmap scan report for 192.168.1.120
Host is up (0.017s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             vsftpd 3.0.3
22/tcp   open  ssh             (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3
| ssh-hostkey: 
|   2048 dc:1c:f1:98:66:d4:52:ef:72:dc:80:b6:f2:b4:6d:7d (RSA)
|_  256 3c:14:e2:79:f4:a6:1d:78:02:73:83:99:f8:95:2c:ca (ECDSA)
53/tcp   open  tcpwrapped
80/tcp   open  http            lighttpd 1.4.45
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=RaspAP
| http-git: 
|   192.168.1.120:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      https://github.com/billz/raspap-webgui
|_http-server-header: lighttpd/1.4.45
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp  open  netbios-ssn     Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn     Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
1080/tcp open  socks?
4662/tcp open  edonkey?
5002/tcp open  rfe?
8002/tcp open  teradataordbms?
9001/tcp open  tor-orport?
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.1 200 OK
|     Server: embed_thunder/1.5.0.0
|     Content-Length: 11
|     Connection: Close
|_    [108545, 0]
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port22-TCP:V=7.40%I=7%D=5/12%Time=5AF6E89C%P=arm-unknown-linux-gnueabih
SF:f%r(NULL,29,"SSH-2\.0-OpenSSH_7\.4p1\x20Raspbian-10\+deb9u3\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9001-TCP:V=7.40%I=7%D=5/12%Time=5AF6E8A1%P=arm-unknown-linux-gnueab
SF:ihf%r(GetRequest,64,"HTTP/1\.1\x20200\x20OK\r\nServer:\x20embed_thunder
SF:/1\.5\.0\.0\r\nContent-Length:\x2011\r\nConnection:\x20Close\r\n\r\n\[1
SF:08545,\x200\]")%r(FourOhFourRequest,64,"HTTP/1\.1\x20200\x20OK\r\nServe
SF:r:\x20embed_thunder/1\.5\.0\.0\r\nContent-Length:\x2011\r\nConnection:\
SF:x20Close\r\n\r\n\[108545,\x200\]");
Service Info: Host: RASPBERRYPI; OS: Unix

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: RASPBERRYPI, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.12-Debian)
|   Computer name: raspberrypi
|   NetBIOS computer name: RASPBERRYPI\x00
|   Domain name: \x00
|   FQDN: raspberrypi
|_  System time: 2018-05-12T21:16:30+08:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
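
The output above is most useful when it is compared with what the host is supposed to expose. The following is an added example, not part of the original post: it parses the port table and script lines of an `nmap -sV -A` report and lists ports outside an allowlist, services nmap could not confirm, and script warnings. The allowlist, the function names and the trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: lines trimmed from the -sV -A output shown above.
SAMPLE = """\
PORT     STATE SERVICE         VERSION
21/tcp   open  ftp             vsftpd 3.0.3
80/tcp   open  http            lighttpd 1.4.45
| http-git: 
|     Git repository found!
445/tcp  open  netbios-ssn     Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
9001/tcp open  tor-orport?
Host script results:
| smb-security-mode: 
|_  message_signing: disabled (dangerous, but default)
"""

# Hypothetical allowlist: the ports this Pi is supposed to expose.
ALLOWED = {22, 80, 445}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Script output lines that point at a setting worth fixing.
WARNINGS = {
    "Git repository found!": "web root serves .git; deny access to it",
    "message_signing: disabled": "SMB signing is not enforced",
}

def parse_open_ports(text):
    """Return {port: (service, version, confirmed)} for open ports."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, service, version = int(m.group(1)), m.group(3), m.group(4).strip()
            # A trailing '?' means nmap guessed the name from the port number.
            ports[port] = (service.rstrip("?"), version, not service.endswith("?"))
    return ports

def audit(text, allowed):
    """Report unexpected ports, unidentified services and script warnings."""
    ports = parse_open_ports(text)
    return {
        "unexpected": sorted(p for p in ports if p not in allowed),
        "unidentified": sorted(p for p, v in ports.items() if not v[2]),
        "warnings": [msg for key, msg in WARNINGS.items() if key in text],
    }

if __name__ == "__main__":
    for kind, items in audit(SAMPLE, ALLOWED).items():
        print(kind, items)
```
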
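
2.4 Scanning a web server's site directories

Scans can be run with scripts, which are stored in /usr/share/nmap/scripts. The directory holds all kinds of scripts; here we use http-enum.nse.

nmap --script http-enum.nse 192.168.1.120
# Output: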

Starting Nmap 7.40 ( https://nmap.org ) at 2018-05-12 13:29 UTC
Nmap scan report for 192.168.1.120
Host is up (0.013s latency).
Not shown: 651 filtered ports, 346 closed ports
PORT    STATE SERVICE
80/tcp  open  http
| http-enum: 
|   /blog/: Blog
|   /admin/: Possible admin folder
|   /admin/index.php: Possible admin folder
|   /Admin/: Possible admin folder
|   /sample/: Sample scripts
|   /icons/: Potentially interesting folder w/ directory listing
|   /index/: Potentially interesting folder
|_  /software/: Potentially interesting folder
88/tcp  open  kerberos-sec
445/tcp open  microsoft-ds

2.5 Scanning a host for the SSL Heartbleed vulnerability (2012)
nmap -d --script ssl-heartbleed --script-args vulns.showall -sV 192.168.1.120
# Output not shown.

3. That's all
