When doing security work, gathering information with a port scan is essential. But once we set the acceptable timeout to a longer value, a scan takes a long time.
What if we need to scan a large number of hosts, or an entire network? In those cases we need a way to spread the load across several hosts and scan in parallel.
Fortunately, such a tool already exists: it creates and manages a cluster of hosts, each of which port-scans using its own bandwidth.
In 2009, Sebastian Garcia developed DNmap on top of Python's Twisted framework. DNmap uses a standard client/server (C/S) architecture to build a distributed Nmap scanning network. It is one of the tools included by default in BackTrack, and it installs easily on any system that has Python.
Note that before installing and running DNmap you must make sure the clients are allowed to run whatever Nmap command is sent to them. By design, DNmap cannot stop a server from abusing its clients, so be certain you trust the server you are connecting to.
DNmap requires Nmap, Python 2.7 and two third-party libraries (pyOpenSSL and Twisted, the apt packages installed below).
Although DNmap comes pre-installed on BackTrack, it is still worth showing how to install it on a Debian-based system (Ubuntu in this example):
jordan@pentest:~$ sudo apt-get install python-openssl python-twisted
jordan@pentest:~$ wget http://downloads.sourceforge.net/project/dnmap/dnmap_v0.6.tgz
jordan@pentest:~$ tar -xvzf dnmap_v0.6.tgz

All the files are extracted into the dnmap_v0.6 directory.
The DNmap architecture is as follows:
0x01. With a C/S architecture we start by setting up the server. Let's look at the usage of dnmap_server.py:
root@bt:/pentest/scanners/dnmap# python dnmap_server.py -h
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, [email protected]                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_server.py <options>
options:
  -f, --nmap-commands     Nmap commands file
  -p, --port              TCP port where we listen for connections.
  -L, --log-file          Log file. Defaults to /var/log/dnmap_server.conf.
  -l, --log-level         Log level. Defaults to info.
  -v, --verbose_level     Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
  -t, --client-timeout    How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
  -s, --sort              Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, AvrCmdXMin, Status
  -P, --pem-file          pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.

dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again, just delete the '<nmap-commands-file-name>.dnmaptrace' file
As you can see, the server needs a file containing Nmap commands. In this example we use a file named "commands.txt" with the following content:
nmap -A -Pn -v -p1-1024 192.168.56.103
nmap -A -Pn -v -p1024-10000 192.168.56.103
To demonstrate the multi-job scheduling, we put several Nmap commands in the file.
Since we have only one target host, we simply split the port range between the jobs.
With more than one client in the cluster, the jobs are distributed among the clients.
From the target administrator's point of view, it is hard to tell who the real attacker behind the port scan is.
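Added example (not part of the original article and not DNmap's own code): a Python 3 helper that builds a commands file by splitting a port range into non-overlapping jobs, and, because a client executes whatever the server sends it, checks every line against an authorized-scope allowlist before the file is handed to dnmap_server. The sample file and the option table are constructed for this example.

```python
import ipaddress
import shlex

# Constructed sample in the one-command-per-line format dnmap_server reads via -f.
SAMPLE_COMMANDS = """nmap -A -Pn -v -p1-1024 192.168.56.103
nmap -A -Pn -v -p1024-10000 192.168.56.103
nmap -sS -p- 10.0.0.5
"""
# nmap options whose value is a separate token (assumed subset, not nmap's full table).
OPTS_WITH_VALUE = {"-p", "-oA", "-oN", "-oX", "-oG", "--max-rate"}

def split_ports(first, last, jobs):
    """Split the inclusive range first..last into `jobs` contiguous, non-overlapping chunks."""
    step, rem = divmod(last - first + 1, jobs)
    chunks, start = [], first
    for i in range(jobs):
        end = start + step - 1 + (1 if i < rem else 0)  # remainder goes to the first chunks
        chunks.append((start, end))
        start = end + 1
    return chunks

def build_commands(targets, first, last, jobs, extra="-A -Pn -v"):
    """One dnmap job line per (target, port chunk); the client adds -oA itself if it is missing."""
    return ["nmap %s -p%d-%d %s" % (extra, lo, hi, t)
            for t in targets for lo, hi in split_ports(first, last, jobs)]

def command_in_scope(line, allowed_nets):
    """Clients run whatever the server sends, so fail closed: accept only a plain nmap call
    whose every positional target is an IP or CIDR literal inside allowed_nets; hostnames,
    octet ranges such as 10.0.0.1-50 and -iL target files are rejected without resolving."""
    argv = shlex.split(line)
    if not argv or argv[0] != "nmap" or "-iL" in argv:
        return False
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    targets = [t for i, t in enumerate(argv[1:], 1)
               if not t.startswith("-") and argv[i - 1] not in OPTS_WITH_VALUE]
    try:
        return bool(targets) and all(
            any(ipaddress.ip_network(t, strict=False).subnet_of(n) for n in nets) for t in targets)
    except (ValueError, TypeError):  # not an IP/CIDR literal, or IPv4/IPv6 mismatch
        return False

def filter_commands(text, allowed_nets):
    """Split a commands file into (accepted, rejected) lines before the server hands them out."""
    lines = [l for l in text.splitlines() if l.strip()]
    accepted = [l for l in lines if command_in_scope(l, allowed_nets)]
    return accepted, [l for l in lines if l not in accepted]
```

Only the accepted lines should be written to the file passed with -f; anything rejected is worth a look before the server ever sees it.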
0x02. With the Nmap command file written, we start the server:
root@bt:/pentest/scanners/dnmap# python dnmap_server.py -f ~/commands.txt
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, [email protected]                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

=| MET:0:00:30.015147 | Amount of Online clients: 0 |=
0x03. Once started, the server waits for clients to connect. Now let's look at the usage of dnmap_client:
root@bt:/pentest/scanners/dnmap# python dnmap_client.py -h
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, [email protected]                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_client.py <options>
options:
  -s, --server-ip       IP address of dnmap server.
  -p, --server-port     Port of dnmap server. Dnmap port defaults to 46001
  -a, --alias           Your name alias so we can give credit to you for your help. Optional
  -d, --debug           Debuging.
  -m, --max-rate        Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.
So we need to supply the server address, the port and an alias for the client. We name our client "minion1", connect to the server and start running commands:
root@bt:/pentest/scanners/dnmap# python dnmap_client.py -s 192.168.56.101 -a minion1
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, [email protected]                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 5807742
Command Executed: nmap -A -Pn -v -p1-1024 192.168.56.103 -oA 5807742
Sending output to the server...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 71264162
Command Executed: nmap -A -Pn -v -p1024-10000 192.168.56.103 -oA 71264162
Sending output to the server...
Waiting for more commands....
^CConnection lost. Reason: Connection to the other side was lost in a non-clean fashion: Connection lost.
Trying to reconnect in 10 secs. Please wait...
0x04. Back on the server, we see the following status:
+ Client ID connected: 192.168.56.102:49747 (minion1)

=| MET:0:00:55.011100 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  1          Jan 10 18:26:27 ( 0' 1")   0h 0m   0.6      True    0.0         0.0         Executing

=| MET:0:01:00.015067 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  1          Jan 10 18:26:27 ( 0' 6")   0h 0m   0.6      True    0.0         0.0         Executing

=| MET:0:01:05.014816 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  1          Jan 10 18:26:27 ( 0'11")   0h 0m   0.6      True    0.0         0.0         Executing

=| MET:0:01:10.010916 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  2          Jan 10 18:26:43 ( 0' 0")   0h 0m   0.6      True    3.8         1.9         Executing

=| MET:0:01:20.014574 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  2          Jan 10 18:26:43 ( 0'10")   0h 0m   0.6      True    3.8         1.9         Executing

=| MET:0:01:30.010685 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
minion1  2          Jan 10 18:27:00 ( 0' 4")   0h 0m   0.6      True    3.6         2.5         Online

+ Connection lost for minion1 (192.168.56.102:49747).

=| MET:0:01:35.011836 | Amount of Online clients: 0 |=
Clients connected
-----------------
Alias    #Commands  Last Time Seen (time ago)  UpTime  Version  IsRoot  RunCmdXMin  AvrCmdXMin  Status
^C
root@bt:/pentest/scanners/dnmap# ls
dnmap_client.py  dnmap_server.py  nmap_results  README  server.pem
root@bt:/pentest/scanners/dnmap# cd nmap_results/
root@bt:/pentest/scanners/dnmap/nmap_results# ls
5807742.nmap  71264162.nmap
It looks like all the commands have completed; by default the scan results are stored in the "nmap_results/" directory.
We can see that the scan results were indeed sent back to the server. Hopefully this short tutorial helps more people understand how to use DNmap to distribute Nmap commands across several clients; you can also run several servers to handle more clients.
[Original: distributed-port-scanning-creating-nmap. Translated by 安全脉搏 editor yiyanghuadan]