Port scanning tools
Preface
I regularly run into the situation where I do not know the IP address of a server on the local network and need a port scan to find it, so I went looking for a port-scanning solution.
nmap
nmap is the most popular port scanner. Usage:
sudo nmap -sT -p 22 192.168.10.0-255
Output:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-25 16:08 CST
Nmap scan report for 192.168.10.0
Host is up (0.00018s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 4C:CC:6A:C3:3D:52 (Micro-Star Intl)
Nmap scan report for 192.168.10.1
Host is up (0.00040s latency).
PORT STATE SERVICE
22/tcp closed ssh
MAC Address: F4:DE:AF:DB:9C:9B (Huawei Technologies)
Nmap scan report for 192.168.10.5
Host is up (0.17s latency).
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 34:7D:F6:62:5D:EF (Intel Corporate)
Nmap scan report for 192.168.10.9
Host is up (0.13s latency).
PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: CC:D9:AC:03:1B:D2 (Intel Corporate)
In my experience it is rather slow, but according to the official documentation it has a very large feature set and is well suited to scanning specific IPs and domain names.
A few things are worth reading off this output. The three port states mean different things: open means the TCP handshake completed (something is listening), closed means the host answered with a RST (reachable, but nothing listening on 22), and filtered means no usable reply came back, which usually indicates a host or network firewall dropping the probe. The MAC Address lines appear because the targets share the Ethernet segment with the scanner, so nmap discovers them with ARP. Finally, -sT is a full TCP connect scan; run as root, nmap would otherwise default to the SYN scan (-sS), which is faster and never completes the handshake, so the probe does not reach the listening application at all.
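The scan above prints one report per host, which is fine to read but awkward to act on. nmap can emit the same data in its grepable format (-oG -), and the following script, an added example that is not code from the original post or from the nmap project, parses that format and sorts hosts by port state. The report lines are constructed to mirror the four hosts shown above; in real use the output of "sudo nmap -sT -p 22 -oG - 192.168.10.0-255" would be piped into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post or from nmap): triage hosts in an
# nmap grepable (-oG) report by port state. The sample report is constructed
# to match the scan above (fields in -oG are tab-separated).
SAMPLE_NMAP_GREPABLE=$(printf \
'# Nmap 7.94 scan initiated Thu Apr 25 16:08:00 2024 as: nmap -sT -p 22 -oG - 192.168.10.0-255
Host: 192.168.10.0 ()\tStatus: Up
Host: 192.168.10.0 ()\tPorts: 22/open/tcp//ssh///
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 22/closed/tcp//ssh///
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 22/filtered/tcp//ssh///
Host: 192.168.10.9 ()\tStatus: Up
Host: 192.168.10.9 ()\tPorts: 22/filtered/tcp//ssh///
# Nmap done at Thu Apr 25 16:08:20 2024 -- 256 IP addresses (4 hosts up) scanned in 20.55 seconds
')

# Read an -oG report on stdin; print "host port/proto state" per port entry.
nmap_grepable_ports() {
  awk -F '\t' '
    /^#/ { next }                                  # "# Nmap ..." header and footer
    {
      host = ""; ports = ""
      for (i = 1; i <= NF; i++) {
        if (index($i, "Host: ") == 1) { split($i, h, " "); host = h[2] }
        else if (index($i, "Ports: ") == 1) { ports = substr($i, 8) }
      }
      if (host == "" || ports == "") next          # "Status: Up" lines carry no ports
      n = split(ports, entry, /, */)
      for (j = 1; j <= n; j++) {
        split(entry[j], f, "/")                    # port/state/proto/owner/service/rpc/version
        printf "%s %s/%s %s\n", host, f[1], f[3], f[2]
      }
    }'
}

# Hosts whose scanned port is in the requested state (open, closed, filtered).
hosts_in_state() {
  nmap_grepable_ports | awk -v want="$1" '$3 == want { print $1 }'
}

# Number of port entries per state, one "state count" line each.
state_summary() {
  nmap_grepable_ports | awk '{ c[$3]++ } END { for (s in c) print s, c[s] }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NMAP_GREPABLE" | state_summary
```

The filtered hosts are the interesting ones on a corporate LAN: they are up (they answered ARP) but something is dropping TCP/22, so "hosts_in_state filtered" is a quick list of machines to check for host firewalls or network ACLs.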
masscan
masscan is a port scanner written in C whose selling point is speed; you build it yourself or install it from a package manager. Usage:
sudo masscan -p22 192.168.10.0/24
Output:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-04-25 08:17:30 GMT
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 22/tcp on 192.168.10.199
Discovered open port 22/tcp on 192.168.10.229
Discovered open port 22/tcp on 192.168.10.65
Very fast. The default rate is 100 packets per second; add --max-rate to speed the scan up:
sudo masscan -p22 192.168.0.0/16 --max-rate 100000
It only takes IP addresses and CIDR ranges as targets, not domain names, and its UDP support is limited to the handful of protocols it carries hand-written probes for (for general UDP work you still need nmap -sU). Its strength is speed, which makes it a natural first pass ahead of nmap. Two caveats before turning the rate up: 100000 packets per second aimed at a /16 looks like a SYN flood to everything in between and can overwhelm a small gateway or fill a stateful firewall's connection table, so keep the rate modest on networks you do not fully control and list anything that must not be probed in an --excludefile; and masscan uses its own user-space TCP/IP stack, so the host kernel, seeing SYN-ACKs for connections it never opened, answers them with RSTs, which is expected and harmless for the scan.
zmap
zmap, like masscan, is built for scanning the whole IPv4 Internet; it is likewise all about speed and likewise ships no prebuilt binaries. Usage:
sudo zmap -p22 192.168.10.0/24
Error:
Apr 25 17:31:46.236 [INFO] zmap: By default, ZMap will output the unique IP addresses of hosts that respond successfully (e.g., SYN-ACK packet). This is equivalent to running ZMap with the following flags: --output-module=csv --output-fields=saddr --output-filter='success=1 && repeat=0' --no-header-row. If you want all responses, explicitly set an output module or set --output-filter="".
Apr 25 17:31:46.236 [WARN] blocklist: ZMap is currently using the default blocklist located at /etc/zmap/blocklist.conf. By default, this blocklist excludes locally scoped networks (e.g. 10.0.0.0/8, 127.0.0.1/8, and 192.168.0.0/16). If you are trying to scan local networks, you can change the default blocklist by editing the default ZMap configuration at /etc/zmap/blocklist.conf. If you have modified the default blocklist, you can ignore this message.
Apr 25 17:31:46.237 [ERROR] blocklist: no addresses are eligible to be scanned in the current configuration. This may be because the blocklist being used by ZMap (/etc/zmap/blocklist.conf) prevents any addresses from receiving probe packets.
Apr 25 17:31:46.237 [FATAL] zmap: unable to initialize blocklist / allowlist
So zmap refuses to scan private networks by default: the stock blocklist in /etc/zmap/blocklist.conf excludes the RFC 1918 ranges (10.0.0.0/8, 192.168.0.0/16 and so on), and because 192.168.10.0/24 lies entirely inside one of them there is nothing left to probe. The log also says how to lift that: edit the file, or pass a different blocklist with -b/--blocklist-file. Keep the loopback, link-local and multicast entries when you do, since those exclusions are there for a reason.
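The fix for the failure above, as an added example that is not code from the original post or from the ZMap project: write a blocklist that keeps the safety exclusions but drops the private ranges, and check the target prefix against a blocklist before running anything, so the "no addresses are eligible" error can be predicted offline. The -b/--blocklist-file and -r/--rate flags are real ZMap options; the file paths and the 1000 packets-per-second rate are assumptions chosen for a small LAN.

```shell
#!/bin/sh
# Added example (not from the original post or from ZMap). ZMap refused the
# scan above because its stock blocklist covers 192.168.0.0/16. This script
# writes a LAN-friendly blocklist and reproduces ZMap's eligibility check.

write_lan_blocklist() {
  # $1: path to write. Trailing "# ..." comments are allowed in ZMap blocklists.
  cat > "$1" <<'EOF'
# Blocklist for scanning an internal network (constructed example).
127.0.0.0/8      # loopback
169.254.0.0/16   # link-local
224.0.0.0/4      # multicast
240.0.0.0/4      # reserved
# Deliberately absent: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
EOF
}

# Exit 0 if address $1 lies inside CIDR prefix $2 (pure integer arithmetic in awk).
in_cidr() {
  awk -v ip="$1" -v cidr="$2" '
    function toint(a,  o) { split(a, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    BEGIN {
      split(cidr, c, "/")
      size = 2 ^ (32 - c[2])                 # number of addresses in the prefix
      base = int(toint(c[1]) / size) * size  # prefix start with host bits cleared
      x = toint(ip)
      exit (x >= base && x < base + size) ? 0 : 1
    }'
}

# Print the first blocklist entry that covers address $2 (exit 0), else exit 1.
blocklist_covers() {
  for cidr in $(sed 's/#.*//' "$1" | awk 'NF { print $1 }'); do
    if in_cidr "$2" "$cidr"; then echo "$cidr"; return 0; fi
  done
  return 1
}

# Print the zmap command for target $3 on port $2 with blocklist $1, or explain
# why zmap would refuse it (the first address of the target is what we check).
zmap_lan_command() {
  first=${3%/*}
  if hit=$(blocklist_covers "$1" "$first"); then
    echo "refused: $3 is inside blocklisted $hit in $1"
    return 1
  fi
  echo "sudo zmap -p $2 -b $1 -r 1000 $3"
}

# Stand-alone run: a stock-like blocklist refuses the LAN, the new one allows it.
stock=$(mktemp); lan=$(mktemp)
printf '10.0.0.0/8\n127.0.0.0/8\n192.168.0.0/16\n' > "$stock"   # constructed, mirrors the default
write_lan_blocklist "$lan"
zmap_lan_command "$stock" 22 192.168.10.0/24 || true
zmap_lan_command "$lan" 22 192.168.10.0/24
rm -f "$stock" "$lan"
```

Pass the generated file with -b rather than editing /etc/zmap/blocklist.conf in place; that way the stock file, and its protection against accidentally spraying the Internet from a misconfigured run, stays intact.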
naabu
naabu is a port scanner written in Go. Whereas masscan has to be built with make (or installed from a package manager), naabu is friendlier to build and install, and the project publishes ready-made binaries.
Usage:
sudo naabu -p 22 -host 192.168.10.0/24
Output:
__
___ ___ ___ _/ / __ __
/ _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/
projectdiscovery.io
[INF] Current naabu version 2.3.0 (latest)
[INF] Running host discovery scan
[INF] Running SYN scan with CAP_NET_RAW privileges
192.168.10.212:80
192.168.10.212:443
[INF] Found 3 ports on host 192.168.10.212 (192.168.10.212)
Also very fast. Note the "SYN scan with CAP_NET_RAW privileges" line: naabu only does a SYN scan when it has raw-socket privileges and otherwise falls back to a slower full-connect scan, so run it with sudo (or grant the binary CAP_NET_RAW) if you want the fast path.
RustScan
RustScan, as its name suggests, is written in Rust. The community documentation is good and the project ships Windows and Linux binaries. It stays fast while supporting a lot of modern features, such as Python/Lua/shell scripting integration; the docs claim adaptive learning, "the more you use it, the smoother it gets". It even supports accessibility, which is cool.
Usage:
rustscan -a 192.168.10.0/24 -p22
It first printed the ports it found, then a pile of warnings and the output of an nmap run, which looked messy. Looking into it: by default RustScan hands every open port it finds to nmap for a second, more detailed scan so that the results are more accurate. The -g (greppable) flag turns that nmap pass off and prints only the ports, and --ulimit 5000 raises the open-file limit so RustScan can keep that many sockets in flight at once:
rustscan -a 192.168.10.0/24 -p22 --ulimit 5000 -g
The output is clean:
192.168.10.93 -> [22]
192.168.10.65 -> [22]
192.168.10.47 -> [22]
192.168.10.192 -> [22]
192.168.10.229 -> [22]
192.168.10.212 -> [22]
192.168.10.0 -> [22]
192.168.10.11 -> [22]
According to the docs, this mode exists so the output can be filtered with grep.
Summary
nmap is the most popular and by far the most capable, but with its default timing the scans are very slow (-T4 and --min-rate help considerably, at the cost of more noise on the network); masscan and zmap are alike, built for speed and shipped as source only, and of the two masscan felt friendlier to use; naabu is a company-backed open-source project written in Go, simple to use with simple output; RustScan is a community-driven scanner with a rich feature set, and its main idea is to do a quick first pass with RustScan and then hand the results to nmap for a detailed scan.