ARL (灯塔) has an nmap scan module whose configuration is worth studying.
First, the code:
The entry point is run.
First comes the scan strategy configuration:
flowchart TB
A[nmap scan] --> strategy
subgraph strategy
direction LR
B("-sT -n --open
max_hostgroup=128
max_retries=3
host_timeout=60*5
parallelism=32
min_rate=64") --> C{"service_detect?"}
C -->|true| c1["add -sV
host_timeout+=60*5"]
B --> D{"os_detect?"}
D -->|true| d1["add -O
host_timeout+=60*4"]
B --> E{"len(self.ports.split(',')) > 60?"}
E -->|true| e1["add -PE -PS22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,5000-5004,2222,3306,1433,21,25
max_retries=2"]
E -->|false| e2{"ports != '0-65535'?"}
e2 -->|true| ee1["add -Pn"]
B --> F{"ports == '0-65535'?"}
F -->|true| f1["add -PE -PS22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,5000-5004,2222,3306,1433,21,25
max_hostgroup=8
min_rate=max(self.min_rate, 400)
host_timeout+=60 * 2
max_retries=2 "]
end
subgraph paramStep
direction TB
paramStep1["--max-rtt-timeout 800ms"] --> paramStep2["--min-rate min_rate"]
paramStep2 --> paramStep3["--script-timeout 6s"]
paramStep3 --> paramStep4["--max-hostgroup max_hostgroup"]
paramStep4 --> paramStep5["--host-timeout host_timeout"]
paramStep5 --> paramStep6["--min-parallelism parallelism"]
paramStep6 --> paramStep7["--max-retries max_retries"]
end
strategy --> paramStep
The options involved:
-sT  TCP connect scan; completes the full three-way handshake with the server
-n  no DNS resolution
--open  only show open or possibly-open ports
-sV  probe the service running on each open port
-O  enable OS version detection
-PE  host discovery using ICMP echo
-PS[portlist]  host discovery using TCP SYN to the listed ports
-Pn  skip host discovery; treat every host as online
Then the handling of scan results:
- If an IP has more than 600 open ports, only the information for ports 80 and 443 is kept
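To make the strategy above concrete, here is an added example (my own reconstruction, not ARL's code) that builds the nmap argument list from the flowchart's decisions and applies the 600-open-ports trimming rule. Function names, the -p port spec and target being appended by the caller, and the integer port lists in the tests are assumptions.

```python
# Added example: reconstructs the ARL-style nmap strategy from the flowchart.
# Not ARL's own code; function names are assumed.
HOST_DISCOVERY_PORTS = ("22,80,443,843,3389,8007-8011,8443,9090,8080-8091,8093,8099,"
                        "5000-5004,2222,3306,1433,21,25")

def build_nmap_args(ports, service_detect=False, os_detect=False, min_rate=64):
    """Return nmap arguments for a port spec such as '80,443' or '0-65535'."""
    args = ["-sT", "-n", "--open"]
    max_hostgroup, max_retries, host_timeout, parallelism = 128, 3, 60 * 5, 32
    if service_detect:              # service/version probing costs more time per host
        args.append("-sV")
        host_timeout += 60 * 5
    if os_detect:                   # OS fingerprinting likewise extends the host timeout
        args.append("-O")
        host_timeout += 60 * 4
    if len(ports.split(",")) > 60:  # many explicit ports: do host discovery, fewer retries
        args += ["-PE", "-PS" + HOST_DISCOVERY_PORTS]
        max_retries = 2
    elif ports != "0-65535":        # a small list: skip discovery, treat hosts as up
        args.append("-Pn")
    if ports == "0-65535":          # full range: small host groups, higher rate floor
        args += ["-PE", "-PS" + HOST_DISCOVERY_PORTS]
        max_hostgroup = 8
        min_rate = max(min_rate, 400)
        host_timeout += 60 * 2
        max_retries = 2
    args += ["--max-rtt-timeout", "800ms", "--min-rate", str(min_rate),
             "--script-timeout", "6s", "--max-hostgroup", str(max_hostgroup),
             "--host-timeout", str(host_timeout), "--min-parallelism", str(parallelism),
             "--max-retries", str(max_retries)]
    return args

def option_value(args, flag):
    """Helper: the value following a flag in an argument list (constructed here)."""
    return args[args.index(flag) + 1]

def trim_noisy_host(open_ports):
    """Result handling: a host with more than 600 open ports keeps only 80 and 443."""
    if len(open_ports) > 600:
        return [p for p in open_ports if p in (80, 443)]
    return open_ports
```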