Nmap network security audit (d)

Remote operating system detection and service detection

Remote operating system detection

Many tools offer remote operating system detection; with Nmap you can use it to find outdated or unauthorized systems on the network.
No tool, however, provides absolutely precise remote OS information. Almost all of them work by guessing: they send probes to the target and infer the system from how it responds. The probes are mostly TCP and UDP packets, and the analysis looks closely at details such as the initial sequence number (ISN), the TCP options, the IP identifier (ID) and the TCP timestamps. Each system responds to these probes slightly differently; the tools extract the characteristic parts of the responses and record them in a database, and Nmap does the same.
Nmap's OS detection also reports a device classification, the system uptime and the predictability of the TCP sequence. The -O option enables OS detection, which Nmap runs after the port scan because it needs the scan's open and closed ports.

nmap -O 192.168.126.1

This command uses Nmap's default SYN port scan together with OS detection; -O can be combined with the other scan and detection techniques. With the --osscan-limit option, Nmap only attempts OS detection against hosts that have both an open and a closed TCP port, because detection is unreliable without that.

OS fingerprint identification

Methods of remotely determining a target computer's operating system fall into two categories.

Active method: the client sends packets to the remote host, the remote host reacts to them and returns some information, and the sender analyses those responses to infer the likely operating system type of the remote host.

Passive method: no packets are sent to the target operating system at all; instead, packets already flowing through the network are collected with a capture tool, and the target's operating system information is derived from those messages.

Nmap does not use the passive method. In active mode, Nmap's OS fingerprinting sends up to 16 probes. Like a fingerprint used for identification, each operating system has its own characteristics; sending probes to the target and examining how it responds is the process of OS fingerprinting. The probes use TCP, UDP and ICMP, and their careful design brings out subtle differences between target operating systems.
In Nmap this is enabled with -O, here combined with -F (fast mode, which scans fewer ports):

nmap -O -F 192.168.126.1

As we add more parameters, the load on the target increases and our scan exposes more traffic, which makes it easier for an IPS/IDS to detect.

OS fingerprint scanning as a management tool

Nmap can also serve as a network management tool; with it, network administrators can save a great deal of time and effort. Let's see what effect the following command has.

nmap -sV -F --fuzzy --osscan-guess 192.168.0.103

Here I scanned my own physical machine; with the firewall turned on, it detected my virtual machine version as VMware 15.

I also tried this command against the virtual machine, and the scan results showed no problems.

Accurately detecting the remote operating system with Nmap is harder. Here we use --osscan-guess (its alias is --fuzzy): when no fingerprint matches exactly, it makes Nmap guess more aggressively and report the closest matching OS types. Note that --osscan-guess only changes how OS detection reports its results, so it has an effect only when OS detection is enabled with -O (or -A). With this we can quickly find insecure systems on the target network and insecure applications on those targets, and as defenders we can use that information to harden the systems as early as possible.

We cannot claim that Nmap determines the target system with one hundred percent certainty; it can only rely on inference. When Nmap cannot determine the target operating system, it outputs a TCP/IP fingerprint and lists the candidate system types with the likelihood of each. Nmap also asks users to submit this fingerprint together with the verified real system type, to help update its OS fingerprint database. Here we will not scan a website; we use our own virtual machine instead.

From the scan results we see that this scan did not obtain an exact identification of the target system, but the result includes a TCP/IP fingerprint, which is the text following OS:.
This output is not the result of a single probe but of a series of tests, namely SCAN, SEQ, OPS, WIN, ECN, T1~T7, U1 and IE. Within each test the fields are separated by %, and a field may be empty (for example the trailing Q= in the ECN line, meaning no TCP quirks were observed), while T1(R=N) would mean that the T1 probe received no response at all. Nmap reports an exact match only when the test results match an entry's definition in its fingerprint database.

Let's take the first result, the SCAN line, and analyse it.

SCAN(V=7.80%E=4%D=11/3%OT=80%CT=7%CU=40895%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=5DBE8A64%P=i686-pc-windows-windows)

This line records the nmap version used for the scan and some other local information.
V=7.80 is the version of nmap used
E=4 is the OS detection engine ID (4 is the second-generation engine)
D=11/3 is the date of the scan
OT=80%CT=7 are the open TCP port (80) and the closed TCP port (7) used during fingerprinting
CU=40895 is the closed UDP port used during fingerprinting
PV=Y says whether the target IP address is a private address (Y=yes, N=no)
DS=1 is the distance in hops from the nmap host to the target
DC=D is how that distance was determined (D means a direct connection)
G=Y means the result is good enough to submit to insecure.org (the nmap website)
M=000C29 is the first three bytes of the target's MAC address (the OUI, here 00:0C:29, which is assigned to VMware)
TM=5DBE8A64 is the time of the scan as a hexadecimal Unix timestamp, not the time the scan took (0x5DBE8A64 is 3 November 2019, matching D=11/3)
P=i686-pc-windows-windows is the platform nmap was run on

The tests that follow (SEQ, OPS, WIN and T1) are derived from a group of carefully crafted probes sent to an open TCP port on the target.

SEQ(SP=FD%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=U)

SP=FD is the TCP ISN sequence predictability index (how hard the initial sequence numbers are to predict), not the ISN itself
GCD=1 is the greatest common divisor of the ISN increments
ISR=10D is the rate at which the ISN counter advances
TI=I is the IP ID generation pattern seen in the IP headers of the responses to the SEQ probes (I means incremental)
CI=I is the same pattern seen in the responses to the closed-port probes
II=I is the IP ID generation pattern seen in the responses to the ICMP probes
SS=S says whether TCP and ICMP share one IP ID sequence (S means shared)
TS=U is the TCP timestamp option behaviour (U means the target does not support the timestamp option)

OPS test result

OPS(O1=M5B4NW8NNS%O2=M5B4NW8NNS%O3=M5B4NW8%O4=M5B4NW8NNS%O5=M5B4NW8NNS%O6=M5B4NNS)

Each value is a TCP options string read from left to right; in O1=M5B4NW8NNS:
M5B4 is the maximum segment size, the largest data segment the target will accept in one TCP packet (0x5B4 = 1460 bytes)
N is a NOP (no-operation) padding option
W8 is the window scale option (here 8)
S means SACK permitted
Other tokens that may appear are T followed by two digits (the timestamp option, with flags for whether TSval and TSecr are non-zero, for example T11) and L (end of options list).
O2, O3 ... O6 have the same meaning as O1, one per SEQ probe; here O3 lacks the trailing NNS and O6 lacks the window scale option.

WIN test result

WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)

This test gives the initial TCP window size in the responses to the six SEQ probes, in hexadecimal:
W1=FFFF (65535)
W2=FFFF (65535)
W3=FFFF (65535)
W4=FFFF (65535)
W5=FFFF (65535)
W6=FF70 (65392)

ECN test result

ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NW8NNS%CC=N%Q=)

R=Y says whether the target responded to the probe
DF=Y says whether the IP don't-fragment (DF) bit was set in the response
T=40 is the IP initial TTL of the response (0x40 = 64); W=FFFF is the TCP initial window size
O=M5B4NW8NNS is the TCP options string, read the same way as in the OPS test
CC=N describes the target's explicit congestion notification (ECN) support: Y means the target supports ECN (only the ECE bit set), N means it does not (neither ECE nor CWR set)
Q= lists TCP quirks; it is empty here because none were observed

T1 is the response to the first of the SEQ probes. The T2 to T7 tests use six further TCP probes. T2 is a TCP null packet (no flags set) with the DF bit set and a window size of 128, sent to an open port.
T3 is a packet with the FIN, URG, PSH and SYN flags set and a window size of 256, sent to an open port. T4 is an ACK packet with the DF bit set and a window size of 1024, sent to an open port. T5 is a SYN packet with a window size of 31337, sent to a closed port. T6 is an ACK packet with the DF bit set and a window size of 32768, also sent to a closed port. T7 sets the FIN, PSH and URG flags with a window size of 65535 and is likewise sent to a closed port.

U1 is the response to a UDP probe whose payload is 300 'C' characters, sent to a closed UDP port.
The IE test is based on ICMP and consists of two ICMP echo request probes with different header values.
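To make the fingerprint format above concrete, here is an added example (not from the original post) that parses a fingerprint in the OS:-prefixed form Nmap prints, using the page's own SCAN, SEQ, OPS, WIN and ECN lines as constructed sample input, and decodes the fields discussed above: the TM timestamp, the M OUI prefix, the hexadecimal window sizes and the TCP option strings. The field meanings follow Nmap's fingerprint format; the function and key names are my own.

```python
"""Parse the TCP/IP fingerprint Nmap prints when it cannot match an OS.

Added example for this page, not Nmap project code. The sample below is the
page's own fingerprint, re-wrapped into the 71-column "OS:" form Nmap prints.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the page's fingerprint lines in the wrapped OS: form.
SAMPLE_FINGERPRINT = """\
OS:SCAN(V=7.80%E=4%D=11/3%OT=80%CT=7%CU=40895%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=5DBE8A64%P=i686-pc-windows-windows)SEQ(SP=FD%GCD=1%ISR=10D%TI=I%CI=I%II=I
OS:%SS=S%TS=U)OPS(O1=M5B4NW8NNS%O2=M5B4NW8NNS%O3=M5B4NW8%O4=M5B4NW8NNS%O5=M5B
OS:4NW8NNS%O6=M5B4NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN
OS:(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NW8NNS%CC=N%Q=)
"""

TEST_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")
HEX = "0123456789ABCDEF"


def parse_fingerprint(text):
    """Return {test_name: {field: value}} for every TEST(...) group.

    Lines may carry Nmap's "OS:" prefix; they are joined before parsing.
    Fields are separated by '%'; a field such as 'Q=' keeps an empty value.
    """
    joined = "".join(
        line[3:] if line.startswith("OS:") else line for line in text.splitlines()
    )
    tests = {}
    for name, body in TEST_RE.findall(joined):
        fields = {}
        for item in (body.split("%") if body else []):
            key, _, value = item.partition("=")
            fields[key] = value
        tests[name] = fields
    return tests


def decode_tcp_options(opts):
    """Expand an options string such as M5B4NW8NNS into readable tokens.

    M<hex> = MSS, N = NOP, W<hex> = window scale, S = SACK permitted,
    T<a><b> = timestamp (TSval/TSecr non-zero flags), L = end of options.
    """
    tokens, i = [], 0
    while i < len(opts):
        c = opts[i]
        if c in "NSL":
            tokens.append({"N": "NOP", "S": "SACK", "L": "EOL"}[c])
            i += 1
        elif c in "MW":
            j = i + 1
            while j < len(opts) and opts[j] in HEX:
                j += 1
            value = int(opts[i + 1:j], 16)
            tokens.append(f"MSS={value}" if c == "M" else f"WSCALE={value}")
            i = j
        elif c == "T":
            tokens.append(f"TS(val={opts[i + 1]},ecr={opts[i + 2]})")
            i += 3
        else:
            raise ValueError(f"unknown option token {c!r} in {opts!r}")
    return tokens


def summarize(tests):
    """Decode the fields a practitioner usually wants from the fingerprint."""
    scan = tests["SCAN"]
    mac = scan.get("M")
    return {
        "nmap_version": scan["V"],
        # TM is the scan time as a hexadecimal Unix timestamp, not a duration.
        "scan_time_utc": datetime.fromtimestamp(int(scan["TM"], 16), tz=timezone.utc).isoformat(),
        "open_tcp_port": int(scan["OT"]),
        "closed_tcp_port": int(scan["CT"]),
        "closed_udp_port": int(scan["CU"]),
        "hops": int(scan["DS"]),
        "private_target": scan.get("PV") == "Y",
        # M is the first three bytes of the target MAC (its OUI), e.g. 00:0C:29.
        "mac_prefix": ":".join(mac[i:i + 2] for i in range(0, 6, 2)) if mac else None,
        "good_for_submission": scan.get("G") == "Y",
        "windows": {k: int(v, 16) for k, v in tests["WIN"].items()},
        "options": {k: decode_tcp_options(v) for k, v in tests["OPS"].items()},
        "ecn_supported": tests["ECN"].get("CC") == "Y",
        # TS=U means the target did not send the TCP timestamp option.
        "tcp_timestamps": tests["SEQ"].get("TS") != "U",
    }


if __name__ == "__main__":
    for key, value in summarize(parse_fingerprint(SAMPLE_FINGERPRINT)).items():
        print(f"{key}: {value}")
```

The parser accepts the raw OS: block copied from Nmap's terminal output, so it also handles the T1~T7, U1 and IE lines of a full fingerprint; only the fields the page explains are decoded further.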

New operating system fingerprints can be submitted at http://iNSEcure.org/Nmap/submit/

Service discovery with Nmap

Nmap offers more precise service and version detection, enabled by adding the -sV option. There are further options for controlling service and version detection.

  • -sV (version detection)
    -A can also be used, which turns on OS detection and service discovery together (along with default script scanning and traceroute).
  • --allports (scan all ports)
    Normally nmap's version detection does not probe every port on the target but skips some; by default it skips TCP port 9100, because some printers print anything sent to them. If it is really necessary, --allports probes every port.

  • --version-intensity 0-9 (set version scan intensity)
    During a version scan (-sV), nmap sends a series of probes, each assigned a rarity value between 1 and 9; a probe is only sent when its rarity is at or below the chosen intensity. The higher the number, the more likely the service is identified correctly, but the longer the scan takes. The intensity ranges from 0 to 9, and the default is 7.

    • --version-light (lightweight mode)
      --version-light is equivalent to an intensity of 2. This lightweight mode is faster, but the chance that a service scan succeeds in this mode is also much lower.

    • --version-all (try every probe)
      --version-all is equivalent to an intensity of 9, which tries every probe against every port.
  • --version-trace (trace version scan activity)
    This makes nmap print detailed debugging information about the version scan in progress. It is a subset of what --packet-trace provides.

  • -sR (RPC scan)
    This method works together with the various port scan methods. It takes all TCP/UDP ports found open and floods them with SunRPC program NULL commands, trying to determine whether they are RPC ports and, if so, which program and version number they serve. (A recent nmap prints: "-sR is now an alias for -sV and activates version detection as well as RPC scan", meaning -sR is an alias for -sV, so this option has the same effect as -sV.)

Source: blog.51cto.com/14309999/2447415