從arl中學習到的nmap配置
阿新 • • 發佈:2022-04-13
燈塔(ARL)裡面有一個namp掃描模組,裡面有配置可以學習一下
首先上程式碼
class PortScan: def __init__(self, targets, ports=None, service_detect=False, os_detect=False, port_parallelism=None, port_min_rate=None, custom_host_timeout=None): self.targets = " ".join(targets) self.ports = ports self.max_hostgroup = 128 self.alive_port = "22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,5000-5004,2222,3306,1433,21,25" self.nmap_arguments = "-sT -n --open" self.max_retries = 3 self.host_timeout = 60*5 self.parallelism = port_parallelism # 預設 32 self.min_rate = port_min_rate # 預設64 if service_detect: self.host_timeout += 60 * 5 self.nmap_arguments += " -sV" if os_detect: self.host_timeout += 60 * 4 self.nmap_arguments += " -O" if len(self.ports.split(",")) > 60: self.nmap_arguments += " -PE -PS{}".format(self.alive_port) self.max_retries = 2 else: if self.ports != "0-65535": self.nmap_arguments += " -Pn" if self.ports == "0-65535": self.max_hostgroup = 8 self.min_rate = max(self.min_rate, 400) self.nmap_arguments += " -PE -PS{}".format(self.alive_port) self.host_timeout += 60 * 2 self.max_retries = 2 self.nmap_arguments += " --max-rtt-timeout 800ms" self.nmap_arguments += " --min-rate {}".format(self.min_rate) self.nmap_arguments += " --script-timeout 6s" self.nmap_arguments += " --max-hostgroup {}".format(self.max_hostgroup) # 依據傳過來的超時為準 if custom_host_timeout is not None: if int(custom_host_timeout) > 0: self.host_timeout = custom_host_timeout self.nmap_arguments += " --host-timeout {}s".format(self.host_timeout) self.nmap_arguments += " --min-parallelism {}".format(self.parallelism) self.nmap_arguments += " --max-retries {}".format(self.max_retries) def run(self): logger.info("nmap target {} ports {} arguments {}".format( self.targets[:20], self.ports[:20], self.nmap_arguments)) nm = nmap.PortScanner() nm.scan(hosts=self.targets, ports=self.ports, arguments=self.nmap_arguments) ip_info_list = [] for host in nm.all_hosts(): port_info_list = [] for proto in nm[host].all_protocols(): port_len = len(nm[host][proto]) for port in nm[host][proto]: # 對於開了很多埠的直接丟棄 if port_len > 600 and (port not in [80, 443]): continue port_info = nm[host][proto][port] item = { "port_id": port, "service_name": port_info["name"], "version": port_info["version"], "product": port_info["product"], "protocol": proto } port_info_list.append(item) osmatch_list = nm[host].get("osmatch", []) os_info = self.os_match_by_accuracy(osmatch_list) ip_info = { "ip": host, "port_info": port_info_list, "os_info": os_info } ip_info_list.append(ip_info) return ip_info_list def os_match_by_accuracy(self, os_match_list): for os_match in os_match_list: accuracy = os_match.get('accuracy', '0') if int(accuracy) > 90: return os_match return {}
入口是run
首先是掃描策略的配置
其中涉及到的配置
-
-sT 全連線掃描會和伺服器建立完整的三次握手
-
-n 不做dns解析
-
—open 只顯示開放或可能開放的埠
-
-sV 探測開放埠的服務
-
-O 啟用作業系統版本探測
-
-PE 基於ICMP的echo的主機發現
-
-PS[portlist] 基於TCP SYN指定埠的主機發現
-
-Pn 跳過主機發現,視所有主機都線上
然後是對於掃描結果的處理
- 如果一個ip的埠開放了600個以上,則只留下80和443埠的資訊