分布式端口扫描利刃: 使用DNmap创建Nmap集群

在执行安全事务时，利用端口扫描搜集信息是非常重要的。当我们试着将可接受的超时时间设置得较长时，扫描就要花费大量时间。

但是，如果我们需要扫描大量主机呢？或是说要扫描整个网络呢？这类情况下，我们需要找到一种方法能够将负载分发到多台主机上并行扫描。

幸运地是，这样的工具已经被开发出来了，它可以创建并管理一个主机集群，集群中的每台主机使用各自的带宽进行端口扫描。

DNmap介绍

2009年，Sebastian Garcia利用Python下的Twisted框架开发了DNmap。DNmap使用标准的客户端/服务端(C/S)架构创建分布式的Nmap扫描网络。DNmap是Backtrack默认包含的工具之一，而且可以在任何装有Python的系统下轻松安装。

要注意的是，在安装并运行DNmap之前，要确保客户端能够运行任何发送给它们的Nmap命令。DNmap的设计导致它无法阻止服务器对客户端的滥用，因此你要确保能够信任你要链接的服务端。

DNmap安装

DNmap requires Nmap, Python 2.7, and the following libraries to be installed:DNmap需要安装Nmap, Python2.7以及两个第三方库：

• python-twisted
• python-openssl

尽管DNmap在Backtrack中是被默认安装的，但这里仍有必要介绍一下在Debian系的系统(在本例中即为Ubuntu)下如何安装DNmap:

jordan@pentest:~$ sudo apt-get install python-openssl python-twisted
jordan@pentest:~$ wget http://downloads.sourceforge.net/project/dnmap/dnmap_v0.6.tgz
jordan@pentest:~$ tar -xvzf dnmap_v0.6.tgz

所有的文件都将下载dnmap_v0.6下

DNmap用例

DNmap的架构如下：

在我们的例子中，拓扑结构如下：

0x01.　对于C/S结构，我们首先要搭建服务端。让我们看看dnmap_server.py的用法:

root@bt:/pentest/scanners/dnmap# python dnmap_server.py -h
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_server.py <options>
options:
  -f, --nmap-commands        Nmap commands file
  -p, --port        TCP port where we listen for connections.
  -L, --log-file        Log file. Defaults to /var/log/dnmap_server.conf.
　 -l, --log-level       Log level. Defaults to info.
  -v, --verbose_level         Verbose level. Give a number between 1 and 5. Defaults to 1. Level 0 means be quiet.
  -t, --client-timeout         How many time should we wait before marking a client Offline. We still remember its values just in case it cames back.
  -s, --sort            Field to sort the statical value. You can choose from: Alias, #Commands, UpTime, RunCmdXMin, | AvrCmdXMin, Status
  -P, --pem-file         pem file to use for TLS connection. By default we use the server.pem file provided with the server in the current directory.

 dnmap_server uses a '<nmap-commands-file-name>.dnmaptrace' file to know where it must continue reading the nmap commands file. If you want to start over again,
 just delete the '<nmap-commands-file-name>.dnmaptrace' file

正如你所看到的，服务端的运行需要指定一个包含Nmap命令的文件。在本例中，我们使用一个名为"commands.txt"的文件，其内容如下:

nmap -A -Pn -v -p1-1024 192.168.56.103 
nmap -A -Pn -v -p1024-10000 192.168.56.103

为了展现多作业的调度能力，我们向文件里面添加了多个Nmap命令。

由于我们只有一个目标主机，所以只要在多个作业间对端口范围做简单的分割即可。

如果集群中有一台以上的客户机，作业就会在客户机之间进行分配。

对于目标主机管理员而言，他很难获知隐藏在端口扫描后的真正攻击者。

0x02.　我们将Nmap命令文件写好之后，就开始启动服务端:

root@bt:/pentest/scanners/dnmap# python dnmap_server.py -f ~/commands.txt
+----------------------------------------------------------------------+
| dnmap_server Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

=| MET:0:00:30.015147 | Amount of Online clients: 0 |=

0x03.　服务端启动之后，就开始等待客户端链接。这时再让我们看看dnmap_client的用法:

root@bt:/pentest/scanners/dnmap# python dnmap_client.py -h
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

usage: dnmap_client.py <options>
options:
  -s, --server-ip        IP address of dnmap server.
  -p, --server-port      Port of dnmap server. Dnmap port defaults to 46001
  -a, --alias      Your name alias so we can give credit to you for your help. Optional
  -d, --debug      Debuging.
  -m, --max-rate      Force nmaps commands to use at most this rate. Useful to slow nmap down. Adds the --max-rate parameter.

看上去我们要为其提供服务端地址，端口号以及客户端的别名。我们将客户端命名为"minion1"，然后链接服务端并开始运行命令

root@bt:/pentest/scanners/dnmap# python dnmap_client.py -s 192.168.56.101 -a minion1
+----------------------------------------------------------------------+
| dnmap Client Version 0.6                                             |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| www.mateslab.com.ar                                                  |
+----------------------------------------------------------------------+

Client Started...
Nmap output files stored in 'nmap_output' directory...
Starting connection...
Client connected succesfully...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 5807742
        Command Executed: nmap -A -Pn -v -p1-1024 192.168.56.103 -oA 5807742
        Sending output to the server...
Waiting for more commands....
+ No -oA given. We add it anyway so not to lose the results. Added -oA 71264162
        Command Executed: nmap -A -Pn -v -p1024-10000 192.168.56.103 -oA 71264162
        Sending output to the server...
Waiting for more commands....
^CConnection lost. Reason: Connection to the other side was lost in a non-clean fashion: Connection lost.
Trying to reconnect in 10 secs. Please wait...

0x04.　再回到服务端，我们能看到以下状态:

+ Client ID connected: 192.168.56.102:49747 (minion1)
=| MET:0:00:55.011100 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin      Status
minion1         1               Jan 10 18:26:27 ( 0' 1")         0h 0m      0.6      True           0.0            0.0       Executing

=| MET:0:01:00.015067 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin       Status
minion1         1               Jan 10 18:26:27 ( 0' 6")         0h 0m      0.6      True           0.0            0.0        Executing

=| MET:0:01:05.014816 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime      Version  IsRoot  RunCmdXMin      AvrCmdXMin       Status
minion1         1               Jan 10 18:26:27 ( 0'11")         0h 0m      0.6      True           0.0            0.0        Executing

=| MET:0:01:10.010916 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin       Status
minion1         2               Jan 10 18:26:43 ( 0' 0")         0h 0m          0.6     True           3.8            1.9        Executing

=| MET:0:01:20.014574 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin       Status
minion1         2               Jan 10 18:26:43 ( 0'10")         0h 0m          0.6     True           3.8            1.9        Executing

=| MET:0:01:30.010685 | Amount of Online clients: 1 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin       Status
minion1         2               Jan 10 18:27:00 ( 0' 4")         0h 0m          0.6     True           3.6            2.5        Online

+ Connection lost for minion1 (192.168.56.102:49747).
=| MET:0:01:35.011836 | Amount of Online clients: 0 |=
Clients connected
-----------------
Alias           #Commands       Last Time Seen  (time ago)      UpTime          Version IsRoot  RunCmdXMin      AvrCmdXMin       Status

^Croot@bt:/pentest/scanners/dnmap# ls
dnmap_client.py  dnmap_server.py  nmap_results  README  server.pem
root@bt:/pentest/scanners/dnmap# cd nmap_results/
root@bt:/pentest/scanners/dnmap/nmap_results# ls
5807742.nmap  71264162.nmap

看起来好象所有的命令已经完成，默认情况下扫描结果都被存储在名为 "nmap_result/." 目录下。

我们能看到扫描结果确实被传回到服务端。希望这个简短的教程能帮助到更多人了解如何使用DNmap在多个客户端之间分发Nmap命令，而且你还可以创建多个服务端来承载更多的客户端。