Nmap packet capture analysis: host discovery, port scanning, and service version detection

I. Nmap

1. Nmap overview:

Nmap (Network Mapper) is a network scanner: it probes hosts reachable over the network to find which ports are open, which services are listening on those ports, and, by inference, which operating system the host runs. It is one of the standard tools of network administrators and is also used to assess the security of a network.
Its three basic functions are:
1. port scanning: finding which network services a host exposes, by scanning its ports;
2. host discovery: determining which hosts in a group are online;
3. OS and version detection, plus traceroute: inferring the operating system, the versions of the software behind open ports, and the route to the host.

2. Nmap port states:

When Nmap sends probes to a target host, it classifies each port into one of six states according to the replies that come back. (Note: these six states are what Nmap believes about the port; some hosts or firewalls return misleading replies that can prevent Nmap from judging correctly whether a port is open.)

open: the port is open; an application on the target machine is listening for connections or packets on it;

closed: the port is closed. Note that a closed port is still reachable (it accepts Nmap's probe packets and answers them), but no application is listening on it; it may be opened at any time;

filtered: packet filtering prevents the probe from reaching the port, so Nmap cannot determine whether the port is open. The filtering may come from a dedicated firewall device, from router rules, or from firewall software on the host;

unfiltered: the port is reachable, but Nmap cannot tell whether it is open;

The difference between unfiltered and filtered: an unfiltered port can be reached, but from the reply Nmap cannot determine whether the port is open; a filtered port cannot be reached by Nmap at all. A port is classified as unfiltered only in a TCP ACK scan, when the probe is answered with a RST. A port is classified as filtered when a firewall device, a router rule, or firewall software intercepts the probe so that it never reaches the port; on the scanning side this shows up either as an ICMP error message (for example type 3 code 13, communication administratively prohibited) or as no response at all after the probe has been retransmitted several times.

open|filtered: Nmap cannot distinguish whether the port is open or filtered. This state is reported only by scan types in which an open port gives no response at all: the UDP scan, the IP protocol scan, and the TCP NULL, FIN, and Xmas scans.

closed|filtered: Nmap cannot distinguish whether the port is closed or filtered; this state is only reported by the IP ID idle scan (-sI).
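The state table above is easier to remember as code. The block below is an illustrative example added to this post (not Nmap's own code): it maps the reply observed for one probe to the port state Nmap would report, per scan type. The rule set is a simplified reading of Nmap's documented behaviour; retransmission, rate limiting and the idle scan's closed|filtered state are left out, and the reply vocabulary (`NO_RESPONSE`, `TCP`, `UDP`, `ICMP_UNREACH`) is invented here for the example.

```python
"""Mapping a probe's reply to one of Nmap's six port states.

Illustrative example added to this post; not Nmap's own code. Simplified
reading of the documented rules for SYN/connect, ACK, NULL/FIN/Xmas and
UDP scans. Retransmission, rate limiting and the idle scan are omitted.
"""
from dataclasses import dataclass
from typing import Optional

# Kinds of reply that can be observed for a single probe (constructed names)
NO_RESPONSE = "none"            # nothing came back, even after retries
TCP = "tcp"                     # a TCP segment; flags given separately
UDP = "udp"                     # a UDP datagram sent back from the probed port
ICMP_UNREACH = "icmp-unreach"   # ICMP type 3; the code decides the state

SCAN_TYPES = ("syn", "connect", "ack", "null", "fin", "xmas", "udp")


@dataclass
class Reply:
    kind: str
    flags: str = ""                  # TCP flags, e.g. "SA" = SYN/ACK, "R" = RST
    icmp_code: Optional[int] = None  # only set for ICMP_UNREACH


def classify_port(scan: str, reply: Reply) -> str:
    """Return the Nmap port state for a probe of type `scan` given its reply."""
    is_rst = reply.kind == TCP and "R" in reply.flags
    is_synack = reply.kind == TCP and "S" in reply.flags and "A" in reply.flags

    if scan in ("syn", "connect"):
        if is_synack:
            return "open"
        if is_rst:
            return "closed"
        # ICMP unreachable (type 3, code 1, 2, 3, 9, 10 or 13) or silence
        return "filtered"

    if scan == "ack":
        # An ACK probe never reveals open vs closed: a reachable port RSTs,
        # anything else was dropped somewhere on the path.
        return "unfiltered" if is_rst else "filtered"

    if scan in ("null", "fin", "xmas"):
        if is_rst:
            return "closed"
        if reply.kind == ICMP_UNREACH:
            return "filtered"
        return "open|filtered"       # an open port stays silent, so does a filter

    if scan == "udp":
        if reply.kind == UDP:
            return "open"
        if reply.kind == ICMP_UNREACH:
            # Port unreachable (code 3) comes from the target's own stack:
            # closed. Other unreachable codes come from a filter: filtered.
            return "closed" if reply.icmp_code == 3 else "filtered"
        return "open|filtered"

    raise ValueError(f"unknown scan type: {scan!r}")


def states_for_silence() -> dict:
    """What 'no response' means in each scan type: this is the ambiguity
    behind the open|filtered state."""
    return {scan: classify_port(scan, Reply(NO_RESPONSE)) for scan in SCAN_TYPES}
```

`states_for_silence()` is the useful part to stare at: the same empty capture means "filtered" for a SYN or ACK scan but only "open|filtered" for FIN, NULL, Xmas and UDP scans, which is exactly why those scan types cannot prove a port open on their own.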

II. Host discovery

Host discovery determines which IP addresses are active (in use by a host or network device). On many networks only a small fraction of the IP addresses are active at any given time. By default, against a target outside the local subnet, a privileged Nmap run sends the following probes; a reply to any one of them proves the host is up:

  • an ICMP echo request to the target host;
  • a TCP SYN packet to port 443 and a TCP ACK packet to port 80;
  • an ICMP timestamp request to the target host;
For targets on the local Ethernet segment Nmap uses ARP requests instead of these IP-level probes.
1. nmap ip

1.1> Host discovery runs first; if the host does not exist there is no response (1.2.3.4 is not an active host);
1.2> If the host is active, Nmap goes on to scan the 1000 most commonly used TCP ports (183.232.231.173 is an active host);
1.3> For the active host, open Wireshark and capture the traffic: the capture shows the host discovery probes to the target first, followed by the scan of the 1000 common ports.

2. nmap -sP ip (ping scan)

This option tells Nmap to perform host discovery only, with no further testing (no port scan or OS detection). In current Nmap releases the option is spelled -sn; -sP is the old name.

2.1> First scan an IP on the internal network: Nmap performs an ARP scan, the MAC address of the target host can be seen, and the hosts that answer are the active ones.
The Wireshark capture shows only the ARP request and the ARP reply from the target.

2.2> Scan an IP on the external network: here Nmap performs ICMP and TCP probes;

In the Wireshark capture the only packets are those of host discovery; once the target host is found to be alive, no further test (port scan or OS detection) is performed.
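To make the decision of sections 1 and 2 explicit, the following is an illustrative example added to this post (not Nmap's own code). It chooses the discovery probes Nmap sends for a target (the documented privileged-user default: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp; ARP for a target on the local segment) and decides from a capture whether the host is up. The capture records and the local subnet are constructed for the example; the -P0 case of the next section is covered by the `skip_discovery` flag.

```python
"""Default host discovery (nmap ip, nmap -sP ip) and the -P0 case.

Illustrative example added to this post; not Nmap's own code. Capture
records are constructed, not a real trace.
"""
import ipaddress

# Which reply kinds answer which probe kind. A TCP RST is as good as a
# SYN/ACK here: either one can only have been sent by a live host.
ANSWERS = {
    "arp":            {"arp-reply"},
    "icmp-echo":      {"icmp-echo-reply"},
    "icmp-timestamp": {"icmp-timestamp-reply"},
    "tcp-syn":        {"tcp-syn-ack", "tcp-rst"},
    "tcp-ack":        {"tcp-rst"},
}


def discovery_probes(target, local_net, skip_discovery=False):
    """List of (probe kind, port) that Nmap sends to `target`.

    `local_net` is the scanner's own subnet (assumption: the scanner sits
    on an Ethernet segment, where ARP replaces the IP-level probes).
    """
    if skip_discovery:                       # -P0: every target is assumed up
        return []
    if ipaddress.ip_address(target) in ipaddress.ip_network(local_net):
        return [("arp", None)]
    return [("icmp-echo", None), ("tcp-syn", 443),
            ("tcp-ack", 80), ("icmp-timestamp", None)]


def host_is_up(target, probes, capture):
    """True if any captured reply from `target` answers one of `probes`.

    `capture` holds (source IP, reply kind, port) records. Replies from
    other addresses (e.g. a router's ICMP host-unreachable) never count.
    """
    if not probes:
        return True                          # discovery skipped (-P0)
    wanted = {(kind, port) for probe_kind, port in probes
              for kind in ANSWERS[probe_kind]}
    return any(src == target and (kind, port) in wanted
               for src, kind, port in capture)


def discover(target, local_net, capture, skip_discovery=False):
    """Run the decision for one target; returns (probes sent, host up?)."""
    probes = discovery_probes(target, local_net, skip_discovery)
    return probes, host_is_up(target, probes, capture)


# Constructed captures for the three situations described in the post
LOCAL_NET = "192.168.1.0/24"                 # assumed scanner subnet
CAPTURES = {
    # nothing from the target, only a router complaining: host down
    "1.2.3.4": [("10.0.0.1", "icmp-host-unreach", None)],
    # the ACK-to-80 probe drew a RST from the target: host up
    "183.232.231.173": [("183.232.231.173", "tcp-rst", 80)],
    # LAN target answered the ARP request (its MAC is in that reply)
    "192.168.1.10": [("192.168.1.10", "arp-reply", None)],
}

if __name__ == "__main__":
    for ip, cap in CAPTURES.items():
        print(ip, discover(ip, LOCAL_NET, cap))
```

The point the router record makes is easy to miss in a real capture: an ICMP error from an intermediate hop looks like "something answered", but its source is not the target, so Nmap still reports the host as down.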

3. nmap -P0 ip

-P0 disables host discovery, so Nmap runs its full scan against every specified target IP address whether or not the host answered any ping probe. (In current releases this option is spelled -Pn; -P0 is the older name.)

The Wireshark capture shows that with -P0 no host discovery probes are sent at all; Nmap goes straight to the full port scan of the host.

4. nmap -PS ip (TCP SYN ping)

1. Host discovery only touches TCP port 80 of the target, without ICMP, by sending an empty TCP packet with the SYN flag set. The SYN flag tells the remote side that you are trying to establish a connection. Usually the target port is closed and a RST (reset) packet comes back;
2. If the port happens to be open, the target performs the second step of the TCP three-way handshake and answers with a SYN/ACK packet.
3. The machine running Nmap then tears down the half-open connection by sending a RST instead of an ACK; otherwise a full connection would be established. The RST is sent by the kernel of the machine running Nmap, not by Nmap itself, because the kernel receives a SYN/ACK for a connection it knows nothing about.
4. Nmap does not care whether the port is open or closed: either a RST or a SYN/ACK reply tells Nmap that the host is up.

Example: nmap -PS 183.232.231.174;

The Wireshark capture confirms that no ICMP is used; an empty TCP packet with the SYN flag is sent to port 80.

4.1> -PS also accepts a port list, written directly after the option with no space, for example nmap -PS22,80,443 ip; without a list port 80 is used.

5. nmap -PA ip (TCP ACK ping)

1. The TCP ACK ping is very similar to the SYN ping just discussed (-PA uses the same default port 80 as the SYN probe). The difference is that the ACK flag is set instead of the SYN flag. Offering both SYN and ACK pings maximizes the chance of getting through a firewall;
An ACK packet claims to acknowledge data on an established connection, but no such connection exists. So a remote host, if it is up, should always answer with a RST, because it never sent a connection request to the machine running Nmap.
Many stateless packet filters block incoming SYN packets except to public services but let ACK packets through, whereas stateful firewalls recognize an unsolicited ACK as bogus and drop it. The way out of this dilemma is to specify both -PS and -PA, so that a SYN and an ACK are both sent.

5.1> Example: nmap -PS -PA 183.232.231.174

5.2> Capture analysis: with -PS and -PA together Nmap sends two separate probes to port 80, one with SYN and one with ACK (the two flags are not combined into a single packet); whichever of them a firewall lets through is enough to reveal that the host is up.

6. nmap -PU ip (UDP ping)

1. The UDP ping sends an empty UDP packet (unless --data-length is specified) to the given port. The port list uses the same format as the -PS and -PA options discussed above;
2. If the port on the target machine is closed, the UDP probe should promptly get back an ICMP port unreachable message (type 3, code 3). To Nmap this means the machine is up;
3. If the probe reaches an open port, most services simply ignore the empty packet and send no reply at all;
4. The main advantage of this probe type is that it can pass through firewalls and filters that only screen TCP;

6.1> Example: nmap -PU 121.194.14.84

6.2> The Wireshark capture shows the target answering with an ICMP port unreachable message, which proves that the target host is alive.
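Sections 4 to 6 all come down to one question: which probe survives which firewall. The following illustrative example, added to this post and not Nmap's own code, models two simplified firewall policies and the target's IP stack, sends the probes that -PS, -PA and -PU select, and reports whether any reply came back. The open ports, the firewall rules and the UDP probe port are assumptions made for the demonstration.

```python
"""Why Nmap offers SYN (-PS), ACK (-PA) and UDP (-PU) ping probes.

Illustrative example added to this post; not Nmap's own code. Open ports,
firewall rules and port numbers are assumptions for the demonstration.
"""

OPEN_TCP = {80, 443}    # assumption: the target runs a web server
OPEN_UDP = {53}         # assumption: the target runs a DNS server


def stateless_firewall(probe):
    """Packet filter emulating 'established only' for inbound TCP: a
    segment is let in only if its ACK bit is set. UDP is not filtered."""
    proto, port, flags = probe
    if proto == "tcp":
        return "A" in flags
    return True


def stateful_firewall(probe):
    """Connection-tracking firewall: SYN to the public web ports and UDP
    to DNS are allowed; an ACK belonging to no tracked connection is dropped."""
    proto, port, flags = probe
    if proto == "tcp":
        return flags == "S" and port in (80, 443)
    return proto == "udp" and port in (53,)


def target_reply(probe):
    """How the target's stack answers a probe that reaches it (None = silence)."""
    proto, port, flags = probe
    if proto == "tcp":
        if flags == "A":
            return "RST"                      # no such connection: reset
        return "SYN/ACK" if port in OPEN_TCP else "RST"
    if proto == "udp":
        # an open UDP service ignores an empty datagram; a closed port
        # makes the stack send ICMP type 3 code 3
        return None if port in OPEN_UDP else "ICMP port unreachable"
    raise ValueError(proto)


PROBE_FOR = {"PS": ("tcp", "S"), "PA": ("tcp", "A"), "PU": ("udp", "")}


def ping(options, firewall):
    """Send the probes selected by `options` (e.g. {"PS": [80], "PA": [80]})
    through `firewall`. Returns (host up?, list of replies that came back)."""
    replies = []
    for opt, ports in options.items():
        proto, flags = PROBE_FOR[opt]
        for port in ports:
            probe = (proto, port, flags)      # one separate packet per probe
            if not firewall(probe):
                continue                      # dropped silently, no ICMP
            reply = target_reply(probe)
            if reply is not None:
                replies.append((opt, port, reply))
    return bool(replies), replies


if __name__ == "__main__":
    for name, fw in (("stateless", stateless_firewall), ("stateful", stateful_firewall)):
        for opts in ({"PS": [80]}, {"PA": [80]}, {"PS": [80], "PA": [80]},
                     {"PU": [40125]}, {"PU": [53]}):
            print(name, opts, ping(opts, fw))
```

Running it shows the dilemma from section 5 directly: the SYN ping is the one that fails against the stateless filter and the ACK ping the one that fails against the stateful firewall, while `{"PS": [80], "PA": [80]}` is detected by both. The two UDP cases show section 6: a probe to a port that is closed but reachable draws the ICMP port unreachable, while a probe to the open DNS port gets nothing and proves nothing.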

III. Port scanning

1. nmap -sS ip (TCP SYN scan)

1. Half-open scan (2 of the 3 handshake steps); the default host discovery (the -sP ping phase) runs first.
2. SYN scan is the default and most popular scan type. On a fast network without intrusive firewalls it can scan thousands of ports per second. It is relatively unobtrusive and stealthy because it never completes a TCP connection.
3. It is often called half-open scanning because it does not open a full TCP connection. It sends a SYN packet as if it really wanted to open a connection, then waits for the response: a SYN/ACK means the port is listening (open), a RST (reset) means there is no listener.

1.2> In the Wireshark capture the default (-sP style) host discovery runs first; then each port receives a SYN, open ports answer SYN/ACK, and the scanning machine resets each half-open connection.

2. nmap -sT ip (TCP connect() scan)

Full connection (all 3 handshake steps); the default host discovery (the -sP ping phase) runs first;

2.1> Example: nmap -sT 183.232.231.173

2.2> In the Wireshark capture the default host discovery runs first; then every open port shows a complete three-way handshake (SYN, SYN/ACK, ACK) before the connection is closed.
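The difference between the two captures of sections 1 and 2 can be checked mechanically rather than by eye. The block below is an illustrative example added to this post, not code from the original: it takes a capture summary of the kind Wireshark's Info column shows, groups packets into flows by scanner port and target port, derives the state of each port, and infers from the handshakes whether a SYN scan or a connect() scan produced the traffic. The two captures, the scanner address and the port numbers are constructed for the example and are not a real trace of the post's target.

```python
"""Telling a SYN scan (-sS) from a connect() scan (-sT) in a capture.

Illustrative example added to this post; not from the original. The
capture records are constructed: (src, sport, dst, dport, flags).
"""
from collections import defaultdict

SCANNER = "10.0.0.5"                 # assumed scanner address
TARGET = "183.232.231.173"           # the post's target IP, reused as a label

# Constructed capture of a SYN scan: one raw-socket source port for all
# probes, SYN/ACK answered with RST, no ACK ever sent.
SYN_SCAN_CAPTURE = [
    (SCANNER, 52001, TARGET, 80, "S"),
    (TARGET, 80, SCANNER, 52001, "SA"),
    (SCANNER, 52001, TARGET, 80, "R"),
    (SCANNER, 52001, TARGET, 81, "S"),
    (TARGET, 81, SCANNER, 52001, "RA"),
    (SCANNER, 52001, TARGET, 443, "S"),
    (TARGET, 443, SCANNER, 52001, "SA"),
    (SCANNER, 52001, TARGET, 443, "R"),
    (SCANNER, 52001, TARGET, 8080, "S"),   # never answered: filtered
]

# Constructed capture of a connect() scan: a fresh ephemeral port per
# connection, handshake completed with ACK, then closed.
CONNECT_SCAN_CAPTURE = [
    (SCANNER, 41000, TARGET, 80, "S"),
    (TARGET, 80, SCANNER, 41000, "SA"),
    (SCANNER, 41000, TARGET, 80, "A"),
    (SCANNER, 41000, TARGET, 80, "RA"),
    (SCANNER, 41001, TARGET, 81, "S"),
    (TARGET, 81, SCANNER, 41001, "RA"),
    (SCANNER, 41002, TARGET, 443, "S"),
    (TARGET, 443, SCANNER, 41002, "SA"),
    (SCANNER, 41002, TARGET, 443, "A"),
    (SCANNER, 41002, TARGET, 443, "RA"),
]


def flows(capture, scanner, target):
    """Group packets by (scanner port, target port) into ordered
    (direction, flags) lists; '->' is scanner to target."""
    out = defaultdict(list)
    for src, sport, dst, dport, flags in capture:
        if src == scanner and dst == target:
            out[(sport, dport)].append(("->", flags))
        elif src == target and dst == scanner:
            out[(dport, sport)].append(("<-", flags))
    return out


def analyse(capture, scanner, target):
    """Return (port states, inferred technique) for a capture."""
    states, half_open, completed = {}, 0, 0
    for (_, dport), pkts in flows(capture, scanner, target).items():
        if ("<-", "SA") in pkts:
            states[dport] = "open"
            after = pkts[pkts.index(("<-", "SA")) + 1:]
            if ("->", "A") in after:
                completed += 1               # third handshake step seen
            elif any(d == "->" and "R" in f for d, f in after):
                half_open += 1               # SYN/ACK answered with a reset
        elif any(d == "<-" and "R" in f for d, f in pkts):
            states[dport] = "closed"
        else:
            states[dport] = "filtered"       # probe sent, nothing came back
    if completed and not half_open:
        technique = "connect-scan"
    elif half_open and not completed:
        technique = "syn-scan"
    else:
        technique = "undetermined"
    return states, technique


def scanner_source_ports(capture, scanner):
    """Distinct source ports used by the scanner. A raw SYN scan typically
    reuses one source port for many probes; connect() takes a fresh
    ephemeral port per connection, so this count is a second tell."""
    return {sport for src, sport, _, _, _ in capture if src == scanner}


if __name__ == "__main__":
    for name, cap in (("-sS", SYN_SCAN_CAPTURE), ("-sT", CONNECT_SCAN_CAPTURE)):
        print(name, analyse(cap, SCANNER, TARGET), scanner_source_ports(cap, SCANNER))
```

The same grouping works on a real trace exported from Wireshark with the source, destination, ports and TCP flags as columns; the logic only needs the order of flags within each flow.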

IV. Service and version detection

Example: nmap -sV 183.232.231.173;

-sV first determines the open ports as in a normal scan, then sends service probes to each open port and matches the responses against Nmap's nmap-service-probes signature database to report the service name and version behind the port.


Source: blog.csdn.net/weixin_45116657/article/details/93198065