NMAP User Guide (1)

Source: Internet
Author: User

Nmap is a free, open-source tool for network discovery and security auditing. The name is short for "network mapper". Nmap was created by Fyodor in 1997; with the contributions of many volunteers from the open-source community it has since grown into one of the most popular security tools. The latest version at the time of writing, Nmap 6.0, was released on May 21, 2012. See www.nmap.org for details.

Port scanning:

Common ports and the services behind them:

80            HTTP
443           HTTPS
53            DNS
25            SMTP
22            SSH
23            Telnet
20, 21        FTP (data, control)
110           POP3
119           NNTP
143           IMAP
179           BGP
135-139, 445  RPC / NetBIOS / SMB
500           VPN (ISAKMP/IKE)
5060          VoIP (SIP)
123           NTP

Target specification: nmap <IP address or domain name>. CIDR notation and contiguous IP ranges are accepted. With no options, Nmap performs host discovery followed by a port scan (a SYN scan when run with privileges).

Domain name resolution:

-n: never resolve names.
-R: resolve names for all targets (even those that appear down).
--system-dns: use the system resolver instead of Nmap's own (slower).
--dns-servers <server1[,server2,...]>: specify the DNS servers to query.

Timing and performance:

-T<0-5>: timing template (paranoid | sneaky | polite | normal | aggressive | insane).
-F: fast scan (fewer ports than the default).
-oN <file>-%D-%T: Nmap expands strftime-style tokens in output file names, which makes periodic scans easy to compare.
ndiff <old.xml> <new.xml>: compare two scan result files (-h help, -v verbose; --text or --xml output format).
--max-retries <tries>: cap the number of probe retransmissions.
--min-hostgroup/--max-hostgroup <size>: size of the host groups scanned in parallel.
--min-parallelism/--max-parallelism <num>: number of probes in flight at once.
--min-rtt-timeout/--max-rtt-timeout/--initial-rtt-timeout <time>: probe round-trip timeouts.
--scan-delay/--max-scan-delay <time>: delay between probes.
--host-timeout <time>: give up on a host after this much time.
--defeat-rst-ratelimit: do not slow down for hosts that rate-limit RST replies.

-A: aggressive scan (OS detection, version detection, script scanning and traceroute together).
-p <port spec>: ports to scan; -p- means all ports; prefix ranges with U: for UDP and T: for TCP; service names are also accepted.
--allports: do not exclude any port from version detection.
-e <interface>: network interface to use.
-r: scan ports sequentially instead of in random order.
-O: operating system detection.
--osscan-limit: only attempt OS detection against promising targets.
--osscan-guess; --fuzzy: guess OS detection results more aggressively.
--version-light / --version-all: probe intensity shortcuts (light = 2, all = 9).
--version-intensity <0-9>: version probe intensity, default 7.
--version-trace: show detailed version-detection activity.
-v, -d, --packet-trace: increasing levels of detail (-v verbose; -d debug; --packet-trace shows every packet, the most detailed).
-d[level]: raise or set the debugging level.

Scan types:

-sT: TCP connect scan (completes the three-way handshake).
-sU: UDP scan (an open port may not answer, so open and filtered are hard to tell apart).
-sL: list scan (lists targets with reverse DNS lookups, sends no probes).
-sM: Maimon scan (FIN/ACK probes).
-sS: stealth scan (half-open SYN).
-sP: ping scan for live hosts (ARP requests on a directly connected network; ICMP and TCP port 80 probes otherwise).
-sO: IP protocol scan (which IP protocols the host supports).
-sA: TCP ACK scan.
-sW: TCP window scan.
-sR: RPC scan.
-sN: null scan (no SYN, ACK or RST flag set; a closed port replies with RST).
-sF: FIN scan (-sN, -sF and -sX do not by themselves evade IDS).
-sX: Xmas scan (FIN, PSH and URG set).
-sI <zombie host>: idle scan; fully concealed, the target is scanned through a zombie host so that no traffic comes from the scanner itself.
-sV: service version detection.
-sC: run the default category of scripts.
-Pn (formerly -P0): do not ping; treat all hosts as online.
-PO <protocol list>: IP protocol ping (1 ICMP, 6 TCP, 17 UDP, 47 GRE, 50 ESP, 51 AH, 53 SWIPE, 77 SUN-ND, 115 L2TP, 120 UTI, 132 SCTP).
-PS <port list>: TCP SYN ping (default port 80).
-PA <port list>: TCP ACK ping (default port 80); PS together with PA tests whether a stateful firewall is filtering: a stateless filter lets the ACK through.
-PU <port list>: UDP ping to high ports; traverses firewalls that filter only TCP.
-PE: ICMP echo ping.
-PM: ICMP address mask request.
-PP: ICMP timestamp request.
-PR: ARP ping (the default on a directly connected network).
-PN: same as -Pn.
--send-ip: send raw IP packets even on a local network, with no ARP ping.
--reason: show the reason each port was classified as it was.
--packet-trace: trace all packets sent and received.
--traceroute: hop count to each host.
--scanflags <flags>: custom TCP flags for the scan.
--servicedb <file>: use a custom service probe file.
--script=<scripts>: run the given scripts (named by protocol, platform, service or action); all runs every script.
--script-updatedb: update the script database.

Output:

-oS <file>: script kiddie output.
-oN <file> / -oG <file>: normal / grepable output.
-oX <file>: XML output.
-oA <basename>: output in all formats at once.
--append-output: append to, rather than overwrite, an existing output file.

Input:

-iL <file>: read targets from a list file.
-iR <num>: choose targets at random.
--exclude <hosts>: exclude hosts or networks.
--excludefile <file>: exclude the hosts listed in a file.
--randomize-hosts: scan hosts in random order.
--versiondb <file>: use a custom version probe database.

Evasion techniques:

-f; --mtu <num>: fragment packets (8-byte fragments; --mtu sets the fragment size, a multiple of 8).
-D <decoy1,decoy2,...>; -S <source IP>; -e <interface>: decoy addresses, spoofed source IP and sending interface.
--source-port <port> / -g <port>: spoof the source port.
--spoof-mac <MAC address/prefix/vendor name>: spoof the MAC address (0 picks a random one).
--data-length <num>: append random data to each packet sent.
--badsum: send packets with bogus TCP/UDP checksums.
--ttl <value>: set the IP time-to-live field.
--ip-options <options>: send packets with the given IP options.

Other options:

-b <FTP relay host>: FTP bounce scan.
--open: show only open ports.
--iflist: list interfaces and routes.
-6: enable IPv6 scanning.

[Example: nmap --spoof-mac Apple --traceroute --data-length 9 -f -D <ip address>,RND:5,ME -v -n -O -sS -sV -oA <output directory> --log-errors --append-output -p T:1-1024,1433,2222,2249,7778,8080,9999 --randomize-hosts <target ip address>]

(Port states reported by Nmap: open; closed; filtered; unfiltered (reachable, but open or closed cannot be determined, e.g. an ACK scan that gets RST back); open|filtered (open or filtered, typical of UDP scans); closed|filtered (closed or filtered, reported by idle scans based on the IP ID).)

Ncat and Nping are two further tools in the Nmap project.

Ncat: host/port connection and redirection tool (similar to nc).

-4: IPv4; -6: IPv6; -u: UDP; --sctp: SCTP.
-g <hop list>: loose source routing; -G <num>: source route pointer.
-p <port>: source port; -s <addr>: source address.
-l: listen mode; -m <n>: maximum simultaneous connections.
--broker: connection brokering; --chat: simple chat server.
--ssl: use SSL.
--ssl-verify: verify the peer certificate.
--ssl-cert <file>: certificate to present.
--ssl-key <file>: private key.
--ssl-trustfile <file>: list of trusted certificates.
--proxy <host[:port]>: connect through a proxy.
--proxy-type <proto>: proxy protocol.
--proxy-auth <user[:pass]>: proxy credentials.
-e <command>: execute a command; -c <command>: execute a command via /bin/sh.
--allow <hosts> / --allowfile <file>: hosts allowed to connect.
--deny <hosts> / --denyfile <file>: hosts refused.
-d <time>: delay between reads and writes; -i <time>: idle timeout; -w <time>: connect timeout.
-o <file>: save session data; -x <file>: save a hex dump.
-v: verbose; -C: use CRLF as the line ending; -h: help.
--recv-only: only receive; --send-only: only send; -t: answer Telnet negotiations; --version: show the version.

Nping: packet generation and response analysis tool.

Probe modes:
--tcp-connect: TCP connect mode; --tcp: TCP mode; --udp: UDP mode; --icmp: ICMP mode; --arp: ARP/RARP mode; --tr / --traceroute: traceroute mode.

TCP/UDP:
-p <port>: target port; -g <port>: source port.
--seq <num>: sequence number; --flags <flags>: TCP flags (CWR, ECN, URG, ACK, PSH, RST, SYN, FIN).
--ack <num>: acknowledgement number; --win <size>: window size.
--badsum: bogus checksum; --mss <size>: maximum segment size; --ws <val>: window scale; --ts <echo,reply>: timestamp option (echo and reply fields).

ICMP:
--icmp-type, --icmp-code, --icmp-id, --icmp-seq: ICMP type, code, identifier and sequence number.
--icmp-redirect-addr: redirect address; --icmp-param-pointer: parameter-problem pointer.
--icmp-advert-lifetime: router advertisement lifetime; --icmp-advert-entry <IP,pref>: router advertisement entry.
--icmp-orig-time, --icmp-recv-time, --icmp-trans-time: originate, receive and transmit timestamps.

ARP:
--arp-type <type>: ARP, ARP-reply, RARP or RARP-reply.
--arp-sender-mac, --arp-sender-ip, --arp-target-mac, --arp-target-ip: sender and target hardware and protocol addresses.

IPv4:
-S <addr>: source address; --dest-ip <addr>: destination address.
--tos: type of service; --id: IP identification; --df: don't fragment; --mf: more fragments; --ttl: time to live.
--badsum-ip: bogus IP checksum; --ip-options <S | R [route] | L [route] | T | U ...>: IP options; --mtu: maximum transmission unit.

IPv6:
-6: use IPv6; --hop-limit: hop limit; --traffic-class: traffic class; --flow: flow label.

Ethernet:
--dest-mac, --source-mac: destination and source MAC addresses; --ether-type: EtherType.

Payload:
--data <hex>: custom binary payload; --data-string <string>: custom text payload; --data-file <file>: payload read from a file; --data-length <num>: random payload of the given length.

Timing:
--delay <time>: delay between probes; --rate <num>: probes per second.

Echo mode:
--ec / --echo-client: run as echo client; --es / --echo-server: run as echo server; --ep / --echo-port <port>: TCP port used for echo mode; --nc / --no-crypto: disable encryption and authentication; --once: serve one client and exit.

Miscellaneous:
-h: help; -V / --version: show the version; -c <rounds>: stop after the given number of rounds; -e <interface>: interface to use; -H: hide sent packets; -N: do not capture replies; --privileged: assume full privileges; --unprivileged: assume no raw socket privileges; --send-eth: raw Ethernet transmission; --send-ip: raw IP transmission; --bpf-filter <filter>: custom BPF capture filter.

Output:
-v: increase verbosity; -d: increase the debugging level; -q: decrease verbosity; --quiet: minimum verbosity and debugging; --debug: maximum verbosity and debugging.

3. Advanced Nmap usage

3.1 Firewall/IDS evasion

Firewall/IDS evasion techniques are used to get past the filtering and detection of firewalls and intrusion detection systems (IDS), so that the state of the target host can be probed in more detail.

Nmap offers a variety of evasion techniques. Broadly, there are two approaches: changing the packets themselves and changing the timing.

3.1.1 Evasion principles

3.1.1.1 Fragmentation

Some simple firewalls do not reassemble fragments before inspecting them, so splitting a TCP probe into several IP fragments can get it past the check.

3.1.1.2 IP decoys

During the scan, probes from the real IP address are interleaved with probes that appear to come from other hosts (the decoy hosts must be online, otherwise the target replies with large numbers of packets to non-existent hosts, which amounts to a denial of service). The target's firewall or IDS then has to track and inspect packets from many different addresses, which lowers the chance that the scanner itself is traced. Note that some advanced IDS can still identify the real scanner through statistical analysis.

3.1.1.3 IP spoofing

As the name suggests, the source IP address in the packets sent is disguised as the address of another host, so that the target believes it is communicating with that host. Note that if you want to receive the target's replies, the spoofed address must be on the same LAN. If you want to hide your own IP address and still receive the target's replies, consider techniques such as idle scanning or an anonymizing proxy (e.g. Tor).

3.1.1.4 Specifying the source port

Some target networks only let packets from specific source ports through the firewall. For example, a firewall may be configured so that TCP packets with source port 21 can reach the FTP server, while packets with any other source port are blocked. In that case Nmap can be told to use that specific source port for the packets it sends.

3.1.1.5 Scan delay

Some firewalls strictly inspect packets that arrive too frequently, and some systems rate-limit error messages (for example, Solaris usually generates at most one ICMP message per second in reply to a UDP scan). The sending rate and the delay between packets can therefore be tuned to lower the target's audit intensity and to save bandwidth.

3.1.1.6 Other techniques

Nmap offers several further evasion options, for example: choosing the network interface used to send packets, setting a minimum packet length, setting the MTU, setting the TTL, spoofing the MAC address, and sending packets with bad checksums (badchecksum).

More information: http://nmap.org/book/man-bypass-firewalls-ids.html

3.1.2 Evasion options
  1. -f; --mtu <val>: fragment packets, optionally with the given MTU.
  2. -D <decoy1,decoy2[,ME],...>: use a set of decoy IP addresses to hide the real one; ME stands for your own address.
  3. -S <ip_address>: spoof the source IP address.
  4. -e <iface>: use a specific network interface.
  5. -g/--source-port <portnum>: use the specified source port.
  6. --data-length <num>: append random data so the packets reach the given length.
  7. --ip-options <options>: send packets with the specified IP options.
  8. --ttl <val>: set the time-to-live value.
  9. --spoof-mac <MAC address/prefix/vendor name>: spoof the MAC address.
  10. --badsum: send packets with an incorrect checksum (such packets are normally discarded; if a reply comes back, it came from a firewall or IDS/IPS rather than from the host).

3.1.3 Evasion demonstration

Run the following command:

nmap -v -F -Pn -D 192.168.1.100,192.168.1.102,ME -e eth0 -g 3355 192.168.1.1

Here -F means a fast scan of 100 ports; -Pn skips the ping scan; -D uses IP decoys to hide the real address (ME stands for your own address); -e eth0 sends the packets through the eth0 NIC; -g 3355 sets the source port of the packets to 3355; and 192.168.1.1 is the target to scan.

The packet flow can be seen in Wireshark: for each probe, Nmap sends a copy from each of the addresses given with -D, which confuses the firewall/IDS inspection on the other side (adding RND random decoys to -D makes it more confusing still). When port 80 is probed, the target replies with SYN/ACK to us (we cannot, of course, see the SYN/ACK replies sent to the decoy addresses), which shows that port 80 is open.

3.2 NSE (Nmap Scripting Engine)

The Nmap Scripting Engine is one of Nmap's most powerful and flexible features. It lets you write your own scripts to automate tasks or extend Nmap's functionality.

Scripts are written in the Lua language, and Nmap ships with a rich default script library of more than 350 scripts in 14 categories.

The engine was designed mainly with the following uses in mind:

  • Network discovery
  • More complex version detection (e.g. Skype)
  • Vulnerability detection
  • Backdoor detection
  • Vulnerability exploitation

3.2.1 How an NSE script is structured

The following uses the daytime.nse script as an example to describe the format of an NSE script.

Scripts use Lua and follow a fixed layout, which keeps the burden on the script author low. A script is usually divided into the following parts:

Description field: a string describing what the script does, written in double square brackets.

Comment field: lines starting with --, which document the script's output format.

Author field: the script's author.

License field: the license the script is distributed under; usually the same license as Nmap.

Categories field: the categories the script belongs to, used to decide when it is run.

Rule field: the execution rule, i.e. the condition under which the script is triggered. Nmap has four rule types. A prerule runs before Nmap has performed any scan and needs no scan results. A hostrule runs after host discovery and is triggered by the host discovery results. A portrule runs during port scanning or version detection, for example when a particular port is found open a script is triggered to investigate it further. A postrule runs after all scanning has finished, to extract and organize data from the results. In the daytime.nse example there is only a portrule, which triggers the script when TCP port 13 is found open.

Action field: what the script actually does. When the rule field's check triggers the script, the function defined in the action field is called.

3.2.2 Using NSE scripts

Nmap provides a number of command-line options for scripts.

  1. -sC: equivalent to --script=default; runs the scripts in the default category.
  2. --script=<Lua scripts>: run the given script(s) or categories; wildcards are supported.
  3. --script-args=<n1=v1,[n2=v2,...]>: pass arguments to the scripts.
  4. --script-args-file=<filename>: read script arguments from a file.
  5. --script-trace: show the data sent and received during script execution.
  6. --script-updatedb: update the script database.
  7. --script-help=<Lua scripts>: show help for the given scripts; <Lua scripts> may be a comma-separated list.
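The fields described in 3.2.1, with the --script-args option from the list above, as an added minimal NSE script (written for this page; it is not Nmap's own daytime.nse). It assumes the standard NSE libraries comm, shortport and stdnse, and a hypothetical script name daytime-example with a hypothetical argument daytime-example.timeout.

```lua
-- Added example, not Nmap's daytime.nse: a minimal NSE script laid out in
-- the field order the text describes. Assumes the standard NSE libraries.
local comm      = require "comm"
local shortport = require "shortport"
local stdnse    = require "stdnse"

-- Description field: a double-bracketed Lua string.
description = [[
Retrieves the current date and time from a Daytime service (port 13, TCP or UDP).
]]

-- Comment field: NSEDoc lines starting with "--" that document usage,
-- script arguments and the output format.
---
-- @usage
-- nmap -p 13 --script daytime-example --script-args daytime-example.timeout=5s <target>
--
-- @args daytime-example.timeout  Socket timeout (hypothetical argument, default 5s).
--
-- @output
-- PORT   STATE SERVICE
-- 13/tcp open  daytime
-- |_daytime-example: Mon Jan  1 00:00:00 2024

-- Author and license fields.
author = "example author"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Categories field: "discovery" and "safe"; adding "default" would make
-- -sC / --script=default run the script.
categories = {"discovery", "safe"}

-- Rule field: a portrule, so the script is evaluated per port after the
-- port scan and fires only when port 13 (or a service identified as
-- daytime) is open.
portrule = shortport.port_or_service(13, "daytime", {"tcp", "udp"})

-- Action field: runs only when the portrule returned true.
action = function(host, port)
  -- Script argument given with --script-args; nil when it was not supplied.
  local arg = stdnse.get_script_args(SCRIPT_NAME .. ".timeout")
  local timeout = (arg and stdnse.parse_timespec(arg)) or 5   -- seconds

  -- A Daytime server answers with a single text line; send a dummy request
  -- and read one line. comm timeouts are in milliseconds.
  local status, response = comm.exchange(host, port, "\r\n",
                                         {lines = 1, timeout = timeout * 1000})
  if not status then
    return nil   -- no output for this port when the exchange fails
  end

  local line = response:gsub("[\r\n]+$", "")   -- strip the trailing newline
  return line
end
```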

 

3.2.3 NSE script demonstration

Scan 192.168.1.1 with scripts to see whether any useful information can be obtained.

The command is as follows:

nmap -sV -p 80 -v --script "default,http-*" 192.168.1.1

Here Nmap scans the target's port 80 and then runs a large number of scripts whose names start with http against it. During the scan, the output of the http-auth script contains the string "Basic realm=TP-LINK Wireless N Router WR740" (underlined in red in the screenshot), which reveals the type and model of the target device. With more knowledge of the vulnerabilities of the WR740, a further penetration test could be carried out.

4 Reference materials

4.1 Books

Nmap Network Scanning

The authoritative Nmap guide, written by Nmap's creator Fyodor; it describes Nmap's implementation principles and usage in great detail. The official Nmap documentation consists of chapters from this book.

Secrets of Network Cartography

A rich introduction to Nmap's implementation principles and application scenarios.

Nmap in the Enterprise: Your Guide to Network Scanning

Covers the use of Nmap in enterprise environments.

Nmap mindmap.pdf

A one-page mind map summarizing Nmap usage.
