Lately I have had plenty of time, so in the evenings I have been summarising and reviewing things I used to know. nmap is a security scanning application; it can scan for vulnerabilities in web applications, weak credentials, MySQL brute forcing and so on. These operations are implemented in scripts written in Lua, located under this path:
root@huangxudong-X456UR:/usr/share/nmap/scripts# pwd
/usr/share/nmap/scripts
root@huangxudong-X456UR:/usr/share/nmap/scripts#
Number of scripts: 580
root@huangxudong-X456UR:/usr/share/nmap/scripts# ls -l |grep "^-"|wc -l
580
root@huangxudong-X456UR:/usr/share/nmap/scripts#
Some of the .nse script files:
http-enum.nse smb-protocols.nse
http-errors.nse smb-psexec.nse
http-exif-spider.nse smb-security-mode.nse
http-favicon.nse smb-server-stats.nse
http-feed.nse smb-system-info.nse
http-fetch.nse smb-vuln-conficker.nse
http-fileupload-exploiter.nse smb-vuln-cve2009-3103.nse
http-form-brute.nse smb-vuln-cve-2017-7494.nse
http-form-fuzzer.nse
http-webdav-scan.nse vmware-version.nse
http-wordpress-brute.nse vnc-brute.nse
http-wordpress-enum.nse vnc-info.nse
http-wordpress-users.nse vnc-title.nse
http-xssed.nse voldemort-info.nse
iax2-brute.nse vtam-enum.nse
Now start scanning.
Scan for vulnerabilities present on the server:
root@huangxudong-X456UR:/usr/share/nmap/scripts# nmap --script=vuln 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-29 11:33 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000020s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
631/tcp open ipp
| http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http://ha.ckers.org/slowloris/
3306/tcp open mysql
| mysql-vuln-cve2012-2122:
| VULNERABLE:
| Authentication bypass in MySQL servers.
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2012-2122
| When a user connects to MariaDB/MySQL, a token (SHA
| over a password and a random scramble string) is calculated and compared
| with the expected value. Because of incorrect casting, it might've
| happened that the token and the expected value were considered equal,
| even if the memcmp() returned a non-zero value. In this case
| MySQL/MariaDB would think that the password is correct, even while it is
| not. Because the protocol uses random strings, the probability of
| hitting this bug is about 1/256.
| Which means, if one knows a user name to connect (and "root" almost
| always exists), she can connect using any password by repeating
| connection attempts. ~300 attempts takes only a fraction of second, so
| basically account password protection is as good as nonexistent.
|
| Disclosure date: 2012-06-9
| Extra information:
| Server granted access at iteration #1500
|
| References:
| http://seclists.org/oss-sec/2012/q2/493
| https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122
8009/tcp open ajp13
8080/tcp open http-proxy
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 )
| /manager/html: Apache Tomcat (401 )
|_ /docs/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 45.14 seconds
From the output above, three issues are clearly visible: 1. the server is susceptible to a DoS attack that could bring it down; 2. MySQL has a vulnerability involving the root user, so an attacker could guess the password via the root account; 3. Tomcat exposes directory enumeration. OK, now that we know MySQL has a root user, we can enumerate all MySQL users:
root@huangxudong-X456UR:/usr/share/nmap/scripts# nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 127.0.0.1
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-29 11:43 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000036s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-users:
| debian-sys-maint
| mysql.session
| mysql.sys
|_ root
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
The output above enumerated all of the MySQL users.
Now scan Tomcat on port 8080 to see whether it has weak credentials:
root@huangxudong-X456UR:/usr/share/nmap/scripts# nmap -p8080 --script=auth 127.0.01
Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-29 11:45 CST
Nmap scan report for 127.0.01 (127.0.0.1)
Host is up (0.000036s latency).
rDNS record for 127.0.0.1: localhost
PORT STATE SERVICE
8080/tcp open http-proxy
| http-default-accounts:
| [Apache Tomcat] at /manager/html/
|_ admin:admin
Post-scan script results:
| creds-summary:
| 127.0.0.1:
| 8080/http-proxy:
|_ admin:admin - Valid credentials
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
The scan above turned up the default credentials admin:admin. nmap is quite powerful: 580 scan scripts already exist, and you can also write your own.
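To triage the normal-format nmap output shown in the --script=vuln run above, here is a small added helper (example code, not from the original post or from the nmap project). It walks the `| script-name:` blocks port by port, keeps only the scripts whose State line reports VULNERABLE (skipping NOT VULNERABLE entries, which also contain that word), and collects the CVE ids that follow. The sample input is constructed from the page's output, trimmed and re-indented, plus one made-up entry with a placeholder script name.

```python
import re

# Constructed sample: the page's --script=vuln output trimmed, plus one made-up NOT VULNERABLE entry (placeholder name)
SAMPLE = """\
PORT     STATE SERVICE
631/tcp  open  ipp
| http-slowloris-check:
|   VULNERABLE:
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
3306/tcp open  mysql
| mysql-vuln-cve2012-2122:
|   VULNERABLE:
|     State: VULNERABLE (Exploitable)
|_    IDs:  CVE:CVE-2012-2122
8080/tcp open  http-proxy
| http-vuln-placeholder:
|   NOT VULNERABLE:
|_    State: NOT VULNERABLE
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+\S+\s+\S+")           # "3306/tcp open mysql"
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z0-9][a-z0-9-]*):\s*$")    # NSE script names are lowercase
STATE_RE = re.compile(r"^\|_?\s*State:\s*(.+?)\s*$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_vuln_output(text):
    """One dict {port, script, state, cves} per script whose State line says VULNERABLE."""
    findings, port, script, current = [], None, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new port section resets the script context
            port, script, current = f"{m.group(1)}/{m.group(2)}", None, None
            continue
        if not line.startswith("|"):
            continue  # header/footer text outside script output
        m = SCRIPT_RE.match(line)
        if m:  # "| script-name:" opens a new script block
            script, current = m.group(1), None
            continue
        m = STATE_RE.match(line)
        if m and script:
            state = m.group(1)
            if "VULNERABLE" in state and not state.startswith("NOT"):  # skip NOT VULNERABLE
                current = {"port": port, "script": script, "state": state, "cves": []}
                findings.append(current)
            continue
        if current is not None:  # IDs/References lines after the State line
            current["cves"].extend(CVE_RE.findall(line))
    return findings
```

Informational scripts such as http-enum print no State line, so their directory listings are left out of the findings on purpose; `nmap -oX` plus an XML parser is the more robust route for larger scans.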
Copyright notice: this article is an original piece by CSDN blogger "夜行侠~@", published under the CC 4.0 BY-SA license; reposts must include a link to the original and this notice.
Original link: https://blog.csdn.net/s452195377/article/details/94136071