cd /usr/share/nmap/scripts
ls
ls | grep auth
┌──(root㉿kali)-[/usr/share/nmap/scripts]
└─# ls | grep auth
ajp-auth.nse
auth-owners.nse
auth-spoof.nse
http-auth-finder.nse
http-auth.nse
netbus-auth-bypass.nse
realvnc-auth-bypass.nse
socks-auth-info.nse
ssh-auth-methods.nse
vmauthd-brute.nse
ls | wc -l
┌──(root㉿kali)-[/usr/share/nmap/scripts]
└─# ls | wc -l
605
└─# nmap --script=default 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:06 EDT
Nmap scan report for 192.168.73.139
Host is up (0.0038s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.73.133
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp   open  ssh
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet
25/tcp   open  smtp
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
53/tcp   open  domain
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      46882/tcp   mountd
|   100005  1,2,3      58279/udp   mountd
|   100021  1,3,4      44342/tcp   nlockmgr
|   100021  1,3,4      59831/udp   nlockmgr
|   100024  1          57276/tcp   status
|_  100024  1          59041/udp   status
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 25
|   Capabilities flags: 43564
|   Some Capabilities: ConnectWithDatabase, Support41Auth, Speaks41ProtocolNew, SupportsCompression, SupportsTransactions, LongColumnFlag, SwitchToSSLAfterHandshake
|   Status: Autocommit
|_  Salt: 98N`uNe0_l%mv-w6A'<9
5432/tcp open  postgresql
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: TLS randomness does not represent time
5900/tcp open  vnc
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  unknown
|_http-title: Apache Tomcat/5.5
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: -1d01h06m20s, deviation: 2h49m43s, median: -1d03h06m21s
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name:
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2023-11-03T06:00:43-04:00

Nmap done: 1 IP address (1 host up) scanned in 96.83 seconds
-sC is equivalent to --script=default
└─# nmap --script=auth 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:10 EDT
Nmap scan report for 192.168.73.139
Host is up (0.0015s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh
| ssh-publickey-acceptance:
|_  Accepted Public Keys: No public keys accepted
| ssh-auth-methods:
|   Supported authentication methods:
|     publickey
|_    password
23/tcp   open  telnet
25/tcp   open  smtp
| smtp-enum-users:
|_  Method RCPT returned a unhandled status code.
53/tcp   open  domain
80/tcp   open  http
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
| mysql-users:
|   debian-sys-maint
|   guest
|_  root
| mysql-empty-password:
|_  root account has empty password
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
| http-default-accounts:
|   [Apache Tomcat] at /manager/html/
|     tomcat:tomcat
|   [Apache Tomcat Host Manager] at /host-manager/html/
|_    tomcat:tomcat
|_http-config-backup: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Host script results:
| smb-enum-users:
|_  Domain: METASPLOITABLE; Users: backup, bin, bind, daemon, dhcp, distccd, ftp, games, gnats, irc, klog, libuuid, list, lp, mail, man, msfadmin, mysql, news, nobody, postfix, postgres, proftpd, proxy, root, service, sshd, sync, sys, syslog, telnetd, tomcat55, user, uucp, www-data

Post-scan script results:
| creds-summary:
|   192.168.73.139:
|     8180/unknown:
|       tomcat:tomcat - Valid credentials
|_      tomcat:tomcat - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 30.90 seconds
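The two listings above do not select the same scripts, and the difference matters: `ls | grep auth` matches the word "auth" in a filename, while `--script=auth` selects by the categories field that nmap keeps in script.db next to the scripts. That is why the grep list contains vmauthd-brute (a brute-category script) and does not contain mysql-empty-password, which the auth category run did execute against 3306. Categories also decide how noisy a run is: the exploit category run further down actually triggers the vsftpd backdoor and executes `id` as root on the target, so being able to say "auth and not intrusive" before pressing Enter is worth having. The following Python is an added example, not code from the original post or from the nmap project: it parses a constructed excerpt in script.db format and evaluates nmap-style `--script` expressions (and/or/not, parentheses, a script name, or all) against it. The category assignments in the sample are illustrative, and the script.db path mentioned in the comment is an assumption about a Kali install.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt in the format of nmap's script.db (on a Kali install
# the real file is expected at /usr/share/nmap/scripts/script.db; that path
# is an assumption). The category assignments below are sample data chosen
# to illustrate the selection rules, not a claim about the real database.
SAMPLE_SCRIPT_DB = """
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ssh-auth-methods.nse", categories = { "auth", "intrusive", } }
Entry { filename = "mysql-empty-password.nse", categories = { "intrusive", "auth", } }
Entry { filename = "vmauthd-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ftp-vsftpd-backdoor.nse", categories = { "exploit", "intrusive", "malware", "vuln", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)"\s*,\s*categories\s*=\s*\{([^}]*)\}\s*\}'
)


def parse_script_db(text: str) -> Dict[str, Set[str]]:
    """Map each script filename to the set of categories script.db lists for it."""
    db: Dict[str, Set[str]] = {}
    for m in ENTRY_RE.finditer(text):
        db[m.group(1)] = set(re.findall(r'"([^"]+)"', m.group(2)))
    return db


def script_matches(name: str, cats: Set[str], expr: str) -> bool:
    """Evaluate an nmap-style --script expression ("auth and not brute",
    "(exploit or brute) and intrusive", a script name, or "all") against one
    script, using a small recursive-descent parser rather than eval()."""
    tokens = re.findall(r"\(|\)|[\w.-]+", expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expr)
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():          # expr := and_expr ('or' and_expr)*
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()   # always parsed, so the token stream stays in sync
            value = value or rhs
        return value

    def parse_and():         # and_expr := factor ('and' factor)*
        value = parse_factor()
        while peek() == "and":
            take()
            rhs = parse_factor()
            value = value and rhs
        return value

    def parse_factor():      # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not parse_factor()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        if tok in (")", "and", "or"):
            raise ValueError("unexpected %r in %r" % (tok, expr))
        # A bare name selects by category, by script name (with or without
        # the .nse suffix), or everything via "all".
        return tok == "all" or tok in cats or tok == name or tok + ".nse" == name

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing input in %r" % expr)
    return result


def select_scripts(db: Dict[str, Set[str]], expr: str) -> List[str]:
    """Scripts nmap would run for --script=<expr>, sorted by filename."""
    return sorted(n for n, c in db.items() if script_matches(n, c, expr))


def filename_grep(db: Dict[str, Set[str]], needle: str) -> List[str]:
    """What `ls | grep <needle>` in the scripts directory reports: a substring
    match on the filename, which is not the same thing as a category."""
    return sorted(n for n in db if needle in n)


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("ls | grep auth ->", filename_grep(db, "auth"))
    print("--script=auth  ->", select_scripts(db, "auth"))
    for expr in ("auth and not intrusive", "default or malware",
                 "(exploit or brute) and intrusive", "mysql-empty-password"):
        print("--script=%r ->" % expr, select_scripts(db, expr))
```

Run it with the real script.db by replacing SAMPLE_SCRIPT_DB with the file's contents; the point to check is that `select_scripts(db, "auth")` and `filename_grep(db, "auth")` differ, and that adding "and not intrusive" to an expression drops the scripts that log in, brute-force or exploit.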
└─# nmap -p 3306 --script=vuln 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:34 EDT
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.15% done; ETC: 09:35 (0:00:01 remaining)
Stats: 0:01:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:36 (0:00:01 remaining)
Stats: 0:02:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:37 (0:00:01 remaining)
Stats: 0:03:58 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:39 (0:00:02 remaining)
Stats: 0:03:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:39 (0:00:02 remaining)
Stats: 0:03:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:39 (0:00:02 remaining)
Stats: 0:03:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:39 (0:00:02 remaining)
Stats: 0:03:59 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.03% done; ETC: 09:39 (0:00:02 remaining)
Nmap scan report for 192.168.73.139
Host is up (0.00026s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_ssl-dh-params: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
|_ssl-heartbleed: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 249.58 seconds
└─# nmap -p 3306 --script=mysql-empty-password.nse 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:29 EDT
Nmap scan report for 192.168.73.139
Host is up (0.00039s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-empty-password:
|_ root account has empty password
MAC Address: 00:0C:29:4F:35:A4 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 9.00 seconds
└─# nmap -p 3306 --script=mysql-users.nse --script-args=mysqluser=root 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:30 EDT
Nmap scan report for 192.168.73.139
Host is up (0.00036s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-users:
| debian-sys-maint
| guest
|_ root
MAC Address: 00:0C:29:4F:35:A4 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
nmap --script=exploit 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:35 EDT
Nmap scan report for 192.168.73.139
Host is up (0.00099s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  BID:48539  CVE:CVE-2011-2523
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       Shell command: id
|       Results: uid=0(root) gid=0(root)
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       https://www.securityfocus.com/bid/48539
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
53/tcp   open  domain
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.73.139
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.73.139:80/dvwa/
|     Form id:
|     Form action: login.php
|
|     Path: http://192.168.73.139:80/twiki/TWikiDocumentation.html
|     Form id:
|     Form action: http://TWiki.org/cgi-bin/passwd/TWiki/WebHome
|
|     Path: http://192.168.73.139:80/twiki/TWikiDocumentation.html
|     Form id:
|     Form action: http://TWiki.org/cgi-bin/passwd/Main/WebHome
|
|     Path: http://192.168.73.139:80/twiki/TWikiDocumentation.html
|     Form id:
|     Form action: http://TWiki.org/cgi-bin/edit/TWiki/
|
|     Path: http://192.168.73.139:80/twiki/TWikiDocumentation.html
|     Form id:
|     Form action: http://TWiki.org/cgi-bin/view/TWiki/TWikiSkins
|
|     Path: http://192.168.73.139:80/twiki/TWikiDocumentation.html
|     Form id:
|     Form action: http://TWiki.org/cgi-bin/manage/TWiki/ManagingWebs
|
|     Path: http://192.168.73.139:80/mutillidae/index.php?page=set-background-color.php
|     Form id: id-bad-cred-tr
|     Form action: index.php?page=set-background-color.php
|
|     Path: http://192.168.73.139:80/mutillidae/?page=text-file-viewer.php
|     Form id: id-bad-cred-tr
|     Form action: index.php?page=text-file-viewer.php
|
|     Path: http://192.168.73.139:80/mutillidae/?page=user-info.php
|     Form id: id-bad-cred-tr
|_    Form action: ./index.php?page=user-info.php
| http-fileupload-exploiter:
|
|_  Couldn't find a file-type field.
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 15.18 seconds
└─# nmap --script=discovery 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:38 EDT
Pre-scan script results:
| ipv6-multicast-mld-list:
|   fe80::1c7c:df56:3aec:dc85:
|     device: eth0
|     mac: 00:0c:29:89:2b:46
|     multicast_ips:
|       ff02::1:ffec:dc85 (NDP Solicited-node)
|       ff02::fb (mDNSv6)
|       ff02::1:3 (Link-local Multicast Name Resolution)
|       ff02::c (SSDP)
|   fe80::126:bc1b:fe22:c30c:
|     device: eth0
|     mac: 00:50:56:c0:00:08
|     multicast_ips:
|       ff02::1:ff22:c30c (NDP Solicited-node)
|       ff02::1:3 (Link-local Multicast Name Resolution)
|       ff02::fb (mDNSv6)
|       ff02::c (SSDP)
|   fe80::fc4d:2337:69da:2f70:
|     device: eth0
|     mac: 00:0c:29:22:bd:21
|     multicast_ips:
|       ff02::1:ffda:2f70 (NDP Solicited-node)
|       ff02::1:3 (Link-local Multicast Name Resolution)
|       ff02::fb (mDNSv6)
|_      ff02::c (SSDP)
| broadcast-igmp-discovery:
|   192.168.73.135
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.73.134
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.252
|     Description: Link-local Multicast Name Resolution (rfc4795)
|   192.168.73.134
|     Interface: eth0
|     Version: 2
|     Group: 239.255.255.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
| targets-ipv6-multicast-mld:
|   IP: fe80::126:bc1b:fe22:c30c  MAC: 00:50:56:c0:00:08  IFACE: eth0
|   IP: fe80::1c7c:df56:3aec:dc85  MAC: 00:0c:29:89:2b:46  IFACE: eth0
|   IP: fe80::fc4d:2337:69da:2f70  MAC: 00:0c:29:22:bd:21  IFACE: eth0
|
|_  Use --script-args=newtargets to add the results as targets
| broadcast-ping:
|   IP: 192.168.73.2  MAC: 00:50:56:ef:75:a9
|_  Use --script-args=newtargets to add the results as targets
| targets-ipv6-multicast-invalid-dst:
|   IP: fe80::fc4d:2337:69da:2f70  MAC: 00:0c:29:22:bd:21  IFACE: eth0
|   IP: fe80::1c7c:df56:3aec:dc85  MAC: 00:0c:29:89:2b:46  IFACE: eth0
|_  Use --script-args=newtargets to add the results as targets
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| lltd-discovery:
|   192.168.73.134
|     Hostname: WIN-G80GAF3ISCL
|     Mac: 00:0c:29:22:bd:21 (VMware)
|     IPv6: fe80::fc4d:2337:69da:2f70
|   192.168.73.135
|     Hostname: WIN-RNERKFG3PSF
|     Mac: 00:0c:29:89:2b:46 (VMware)
|     IPv6: fe80::1c7c:df56:3aec:dc85
|_  Use the newtargets script-arg to add the results as targets
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
└─# nmap --script=malware 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:40 EDT
Nmap scan report for 192.168.73.139
Host is up (0.0030s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds
└─# nmap --script=safe 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:41 EDT
Pre-scan script results:
| targets-asn:
|_  targets-asn.asn is a mandatory parameter
|_eap-info: please specify an interface with -e
| broadcast-listener:
|   ether
|     ARP Request
|       sender ip       sender mac         target ip
|       192.168.73.2    00:50:56:ef:75:a9  192.168.73.144
|       192.168.73.134  00:0c:29:22:bd:21  192.168.73.2
|   udp
|     DHCP
|       srv ip          cli ip          mask           gw            dns           vendor
|       192.168.73.254  192.168.73.144  255.255.255.0  192.168.73.2  192.168.73.2  -
|     SSDP
|       ip            uri
|_      192.168.73.1  urn:dial-multiscreen-org:service:dial:1
| broadcast-netbios-master-browser:
|_ip  server  domain
| lltd-discovery:
|   192.168.73.134
|     Hostname: WIN-G80GAF3ISCL
|     Mac: 00:0c:29:22:bd:21 (VMware)
|     IPv6: fe80::fc4d:2337:69da:2f70
|   192.168.73.135
|     Hostname: WIN-RNERKFG3PSF
|     Mac: 00:0c:29:89:2b:46 (VMware)
|     IPv6: fe80::1c7c:df56:3aec:dc85
|_  Use the newtargets script-arg to add the results as targets
| broadcast-wsdd-discover:
|   Devices
|     239.255.255.250
|       Message id: a4ef2f7d-c4ee-42f6-8fbe-a964ce873077
|       Address: http://192.168.73.134:5357/cb8a9e4d-6c75-422e-8201-9da8ab6760e5/
|       Type: Device pub:Computer
|     239.255.255.250
|       Message id: fe029431-f4b0-4f95-813b-6310e247d5f8
|       Address: http://192.168.73.135:5357/067b1021-a782-4bc3-a19a-4ff66980483a/
|_      Type: Device pub:Computer
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: eth0
|     IP Offered: 192.168.73.144
|     Server Identifier: 192.168.73.254
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.73.2
|     Domain Name Server: 192.168.73.2
|     Domain Name: localdomain
|     Broadcast Address: 192.168.73.255
|_    NetBIOS Name Server: 192.168.73.2
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| broadcast-ping:
|   IP: 192.168.73.2  MAC: 00:50:56:ef:75:a9
|_  Use --script-args=newtargets to add the results as targets
| broadcast-igmp-discovery:
|   192.168.73.134
|     Interface: eth0
|     Version: 2
|     Group: 224.0.0.251
|     Description: mDNS (rfc6762)
|   192.168.73.1
|     Interface: eth0
|     Version: 2
|     Group: 239.255.255.250
|     Description: Organization-Local Scope (rfc2365)
|_  Use the newtargets script-arg to add the results as targets
└─# nmap --script=fuzzer 192.168.73.139
Starting Nmap 7.92 ( https://nmap.org ) at 2023-11-04 09:43 EDT
Nmap scan report for 192.168.73.139
Host is up (0.0019s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   open     smtp
53/tcp   open     domain
|_dns-fuzz: Server didn't response to our probe, can't fuzz
80/tcp   filtered http
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
512/tcp  open     exec
513/tcp  open     login
514/tcp  open     shell
1099/tcp open     rmiregistry
1524/tcp open     ingreslock
2049/tcp open     nfs
2121/tcp open     ccproxy-ftp
3306/tcp open     mysql
5432/tcp open     postgresql
5900/tcp open     vnc
6000/tcp open     X11
6667/tcp open     irc
8009/tcp open     ajp13
8180/tcp open     unknown
MAC Address: 00:0C:29:4F:35:A4 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds