Nmap network security audit (c)


Port scanning technology

The concept of a port

There are 65,536 network ports in total (numbered 0-65535). A port is the entry point through which data reaches a network device, and also the exit through which a computer communicates with the outside world.
Many network programs need to communicate over the network, and the data they need actually arrives through the network card. How does the system tell which program the arriving data belongs to? This is handled by the operating system, and the mechanism it uses is to divide communication into 65,536 ports: a program adds its port number to the information it transmits, and when the operating system receives a message it looks at the port number and forwards the message to the program in memory that is currently using that port.

Port categories

Based on how they are used, ports can be roughly divided into three categories:

Well-known ports: these are the ports we meet most often, numbered 0-1024. Each of these ports is usually clearly associated with a particular service and generally does not change, for example the familiar port 80 (HTTP), port 23 (Telnet) and port 22 (SSH).

Registered ports: these are the ports numbered 1025-49151. They are often associated with a service as well, but the association is not strictly defined, and different programs may define them according to their actual needs.

Dynamic / private ports: these are the ports numbered 49152-65535. In general, common services should not use these ports, so they are easily overlooked.

In addition, ports can be divided by protocol into TCP ports and UDP ports, since both protocols belong to the transport layer and provide end-to-end service for the two communicating parties.

Port states defined by Nmap

Nmap reports a port as being in one of six states:

open: the target port is open, meaning an application on that port is accepting TCP connections or UDP packets.

closed: the target port is closed. This does not mean there is no response: a closed port is still reachable, it accepts Nmap's probe packets and replies to them, but no application is listening on it.

filtered: Nmap cannot determine whether the port is open, mainly because packet filtering on the path (such as a firewall) is dropping the probes.

unfiltered: this result is rare. It indicates that the port is reachable, but Nmap cannot tell whether it is open or closed; it usually appears only with the ACK scan.

open|filtered: Nmap cannot determine whether the port is open or filtered.

closed|filtered: Nmap cannot determine whether the port is closed or filtered.

Port scanning techniques in Nmap

Nmap provides a number of techniques for detecting the state of a port. Because TCP is a more complex protocol than UDP, there are more detection methods for TCP than for UDP.

  • SYN scan

    SYN scan is the most popular form of scanning and is also Nmap's default scanning method. It is fast: it can scan thousands of ports per second.
    First Nmap sends a SYN packet (a connection request) to a port on the target host; if the port is listening, the target replies with SYN/ACK. When Nmap receives the SYN/ACK it sends a RST to tear the connection down instead of replying with an ACK. Because the three-way handshake is never completed, no TCP connection is established, and therefore (this is the key point) the scan is not recorded in the system log.
    There are several possible results when scanning with TCP SYN:


  • Connect scan

    Connect scan actually works like SYN scan, except that in this scan the TCP three-way handshake is completed.

    The syntax of a connect scan is as follows:

    nmap -sT 192.168.126.139


  • UDP scan

    There are three possible results when scanning with a UDP port scan:

    Target host response                                             State of the target port
    Any response from the target UDP port                            open
    No answer from the target host                                   open|filtered
    ICMP port unreachable error (type 3, code 3)                     closed
    Other ICMP unreachable errors (type 3, code 1, 2, 9, 10 or 13)   filtered

    UDP scanning is relatively slow. The syntax is as follows:

    nmap -sU 192.168.126.139

...... and this result confirms that the scan is indeed very slow

In the scan results, many ports are in the filtered state, but their true state may be open or closed; if we want to judge whether these ports are really open or closed, further testing is needed. UDP services generally do not respond to the empty packets that Nmap sends, because each UDP program expects data in its own format. To be able to send appropriate packets to all common UDP services, Nmap needs a large database of these formats, which it stores in the nmap-service-probes file. If we use the -sV or -A option, Nmap sends UDP probes to every open|filtered port, and if the target port gives any response to a probe, its state is changed to open.

  • TCP FIN scan

    The TCP FIN scan sends a packet with the FIN flag set to the target port. According to RFC 793, the target system should return a RST for every closed port.
    The syntax for scanning ports with a TCP FIN scan is as follows:

    nmap -sF 192.168.126.139


  • NULL scan

    The TCP NULL scan sends a packet with no flags set at all to the target port. According to RFC 793, the target host should return a RST for every closed port.
    The syntax for scanning ports with a TCP NULL scan is as follows:

    nmap -sN 192.168.126.139


  • Xmas Tree scan

    The TCP Xmas Tree scan sends a packet with the FIN, URG and PUSH flags set to the target port. According to RFC 793, the target system should return a RST for every closed port.
    The syntax for scanning ports with a TCP Xmas Tree scan is as follows:

    nmap -sX 192.168.126.139
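As an added illustration that is not part of the original article, the following Python snippet models how Nmap turns the reply it sees for a single probe into one of the port states listed earlier, for the TCP SYN/connect, UDP, FIN/NULL/Xmas and ACK scans described in this section. The scan-type names, reply labels and sample observations are constructed for the example; the closed|filtered state is not produced by any of these scan types (Nmap reports it only from its idle scan), so it does not appear here.

```python
from typing import Dict, List, Optional, Tuple

# Reply labels used by this model (constructed for the example).
SYN_ACK = "SYN/ACK"
RST = "RST"
UDP_DATA = "UDP payload"
ICMP_PORT_UNREACH = "ICMP type 3 code 3"              # port unreachable
ICMP_OTHER_UNREACH = "ICMP type 3 code 1/2/9/10/13"   # other unreachable errors
NO_RESPONSE = None                                     # nothing came back after retries

ICMP_ERRORS = (ICMP_PORT_UNREACH, ICMP_OTHER_UNREACH)


def classify(scan: str, reply: Optional[str]) -> str:
    """Map (scan type, observed reply) to the port state Nmap would report.

    scan:  "syn", "connect", "udp", "fin", "null", "xmas" or "ack".
    reply: one of the labels above, or None when the probe got no reply.
    """
    if scan in ("syn", "connect"):
        # SYN/ACK means a listener accepted the connection request; RST means
        # the port is reachable but nothing listens; silence or an ICMP error
        # means a filter dropped or rejected the probe.
        if reply == SYN_ACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"
    if scan == "udp":
        # An empty UDP probe is ignored by most services, so silence is
        # ambiguous: the port may be open, or a filter may have eaten the probe.
        if reply == UDP_DATA:
            return "open"
        if reply == ICMP_PORT_UNREACH:
            return "closed"
        if reply == ICMP_OTHER_UNREACH:
            return "filtered"
        return "open|filtered"
    if scan in ("fin", "null", "xmas"):
        # RFC 793: a closed port answers an unexpected FIN/NULL/Xmas segment
        # with RST, while an open port silently drops it.
        if reply == RST:
            return "closed"
        if reply in ICMP_ERRORS:
            return "filtered"
        return "open|filtered"
    if scan == "ack":
        # ACK scan only tells whether a stateful filter is in the way: a RST
        # from either an open or a closed port means "unfiltered".
        if reply == RST:
            return "unfiltered"
        return "filtered"
    raise ValueError(f"unknown scan type: {scan!r}")


# One observation per probed port: (port, protocol, scan type, reply).
Observation = Tuple[int, str, str, Optional[str]]


def summarize(observations: List[Observation]) -> Dict[str, str]:
    """Build an Nmap-style 'port/proto -> state' table from raw observations."""
    return {f"{port}/{proto}": classify(scan, reply)
            for port, proto, scan, reply in observations}


# Constructed sample observations, as a SYN scan plus a UDP scan might see them.
SAMPLE_OBSERVATIONS: List[Observation] = [
    (22, "tcp", "syn", SYN_ACK),
    (23, "tcp", "syn", RST),
    (80, "tcp", "syn", NO_RESPONSE),
    (53, "udp", "udp", UDP_DATA),
    (69, "udp", "udp", ICMP_PORT_UNREACH),
    (161, "udp", "udp", NO_RESPONSE),
    (123, "udp", "udp", ICMP_OTHER_UNREACH),
]

if __name__ == "__main__":
    for port, state in summarize(SAMPLE_OBSERVATIONS).items():
        print(f"{port:<10} {state}")
```

Running the block prints a small table in which 22/tcp is open, 80/tcp is filtered, 161/udp is open|filtered and 123/udp is filtered, which is the same reasoning Nmap applies before the -sV probes described above can turn an open|filtered UDP port into open.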


Scanning specified ports

  1. Scan the 100 most common ports

    nmap -F 192.168.126.139

  2. Scan a specified port

    nmap -p 8080 192.168.126.139    # -p is followed by the port number to scan

  3. Scan ports specified by name

    nmap -p dns,http 192.168.126.139    # -p is followed by port names; separate multiple ports with commas

  4. Scan ports specified by protocol

    nmap -p U:53,T:22 192.168.126.139    # scan UDP port 53 and TCP port 22 on the target 192.168.126.139 (no spaces inside the list, or the shell splits it into separate arguments)

  5. Scan all ports

    nmap -p '*' 192.168.126.139    # use with caution; quote the asterisk so the shell does not expand it into file names

  6. Scan the most commonly used ports

    nmap --top-ports 20 192.168.126.139    # scan the top 20 ports; set the number as needed, the default is 10
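The six -p forms above all follow one grammar. As an added example (not code from the article or from the Nmap project), this Python parser expands an Nmap-style -p port specification into the TCP and UDP port sets it selects, handling plain numbers, ranges (including the open-ended "-"), the T:/U: protocol prefixes, service names and the bare "*" that the article uses for all ports. The name table is a constructed stand-in for Nmap's nmap-services file (where port 53 is actually named "domain"); treating an unprefixed element as applying to both protocols and "*" as 1-65535 are this parser's own simplifications, and the S:/P: prefixes Nmap also accepts are left out.

```python
import re
from typing import Dict, Set

MAX_PORT = 65535

# Constructed, tiny stand-in for the name -> port mapping Nmap reads from
# nmap-services. "dns" is included only so the article's example resolves;
# the real file calls port 53 "domain".
SERVICE_NAMES: Dict[str, int] = {
    "http": 80, "ssh": 22, "telnet": 23, "domain": 53, "dns": 53,
}

PROTO_PREFIX = re.compile(r"([TU]):(.*)")
PORT_RANGE = re.compile(r"(\d*)-(\d*)")


def _expand_element(elem: str) -> Set[int]:
    """Expand one comma-separated element into the set of ports it names."""
    if elem == "*":                      # the article's "all ports" form
        return set(range(1, MAX_PORT + 1))
    m = PORT_RANGE.fullmatch(elem)
    if m:                                # "22-25", "-1024", "49152-", "-"
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else MAX_PORT
        if not 0 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {elem!r}")
        return set(range(lo, hi + 1))
    if elem.isdigit():                   # a single port number
        port = int(elem)
        if port > MAX_PORT:
            raise ValueError(f"port out of range: {elem!r}")
        return {port}
    if elem in SERVICE_NAMES:            # a service name
        return {SERVICE_NAMES[elem]}
    raise ValueError(f"unknown port element: {elem!r}")


def parse_port_spec(spec: str) -> Dict[str, Set[int]]:
    """Parse an Nmap-style -p string into {'tcp': {...}, 'udp': {...}}.

    An element without a prefix applies to both protocols (Nmap applies it to
    every protocol being scanned). A T: or U: prefix selects the protocol for
    that element and for every following element until the next prefix, so
    "U:53,111,T:21-25,80" means UDP 53 and 111, TCP 21-25 and 80.
    """
    result: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}
    current = None                       # None: no prefix seen yet -> both
    for raw in spec.split(","):
        elem = raw.strip()
        if not elem:
            raise ValueError("empty element in port specification")
        m = PROTO_PREFIX.fullmatch(elem)
        if m:
            current = {"T": "tcp", "U": "udp"}[m.group(1)]
            elem = m.group(2)
        ports = _expand_element(elem)
        for proto in ([current] if current else ("tcp", "udp")):
            result[proto] |= ports
    return result


def port_count(spec: str) -> int:
    """Total number of port/protocol pairs a specification selects."""
    parsed = parse_port_spec(spec)
    return len(parsed["tcp"]) + len(parsed["udp"])


if __name__ == "__main__":
    # The specifications used by the article's commands 2 to 5.
    for spec in ("8080", "dns,http", "U:53,T:22", "*"):
        parsed = parse_port_spec(spec)
        print(f"-p {spec!r:12} -> tcp={sorted(parsed['tcp'])[:5]}... "
              f"udp={sorted(parsed['udp'])[:5]}... total={port_count(spec)}")
```

The count returned by port_count makes the "use with caution" remark on the all-ports command concrete: "*" selects 65,535 ports per protocol, whereas the -F and --top-ports forms keep the scan to a small, named subset.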

Remark

Because the site's review is quite strict, part of the article has been deleted; please understand.


Origin blog.51cto.com/14309999/2446916