Principle and usage of NMAP scanning

This article is reproduced to: http://www.cnblogs.com/tdcqma/p/5692546.html 1 Nmap Introduction

Nmap scanning principle and usage PDF: Download address

Nmap is an open source free Network Discovery (network Discovery) and security Audit (auditing) tool. The software name Nmap is the abbreviation of Network Mapper. Nmap was originally created by Fyodor in 1997. Then, with the participation of many volunteers in the open source community, the tool is becoming one of the most popular security essentials. The latest version of Nmap6.0 was released on May 21, 2012 For more information, please see: www.nmap.org.

In general, Nmap is used to enumerate network host inventories, manage service escalation schedules, and monitor host or service health. Nmap can detect whether the target machine is online, the port is open, the service type and version information of the detection operation, the detection operating system and device type, etc.

Advantages of Nmap:

1. Flexible. Supports dozens of different scanning modes to support multiple target object scans.

2. Strong. Nmap can be used to scan large computers on the Internet.

3. Portable. Support the mainstream operating system: Windows/linux/unix/macos and so on, open source, easy to transplant.

4. Simple. Provides a default operation that covers most functions, basic port Scans Nmap Targetip, and full scan nmap–a targetip.

5. Freedom. Nmap, as open source software, can be freely used within the scope of the GPL license.

6. Rich documentation. NMAP Official Website provides a detailed description of the document. Nmap authors and other security experts have written several nmap reference books.

7. Community support. Nmap has a strong community support team behind it.

8. Praise is added. Get a lot of rewards and appear in a lot of film and television works (such as The Matrix 2, Die HARD4, etc.).

9. Popular. At present Nmap has been one of the necessary tools by thousands of security experts. 1.1 Zenmap

Zenmap is an official Nmap graphical interface that is usually released with the NMAP installation package. Zenmap is a free, open source graphical interface written in Python, capable of running on different operating system platforms (Windows/linux/unix/mac OS, etc.). Zenmap is designed to provide a simpler way for Nmap to operate. Simple commonly used operation commands can be saved as profile, users can select profile when scanning, it is easy to compare different scanning results, provide the network topology (networktopology) graphics display function.

The profile field, which is used to select "Zenmap default provided profile" or "User created profile"; Command field to display the command selected by the profile or the user-specified command; Topology tab, Used to show the topology between the target machine and the computer that is scanned. 1.2 Functional Architecture Diagram

Nmap contains four basic features: Host Discovery port scan (port scanning) version detect (version detection) operating system detection (operating system detection)

And these four functions, there is a general dependency (usually the order of the relationship, but the special application is considered in addition), first need to host discovery, then determine the port status, and then determine the port running specific application and version information, and then the operating system can be detected. On the basis of four basic functions, NMAP provides circumvention techniques for firewalls and IDs (intrusiondetection system, intrusion detection systems), which can be applied to all stages of four basic functions, and Nmap provides powerful NSE (Nmap Scripting Language) scripting engine features, which complement and extend the basic functionality. 2 nmap Basic Scanning Method

Nmap mainly includes four aspects of scanning functions, host discovery, port scanning, application and version detection, operating system detection. Before you explain each specific feature in detail, you can first look at the typical usage of nmap. 2.1 Usage Introduction 2.1.1 Determine port status

If a computed IP address or domain name is scanned directly, then NMAP hosts the host discovery process and port scan. This method is executed quickly and can be used to determine the port's open status.

Command form:

Nmap Targethost

Can determine the target host online situation and port basic condition.

2.1.2 Complete and comprehensive scan

If you want a complete and comprehensive scan of a host, you can use the Nmap-a option built in. The nmap is used for host discovery, port scanning, application and version detection, operating system detection, and calling default NSE script scans for Target hosts.

Command form:

Nmap–t4–a–v Targethost

Where the-a option is used for aggressive (aggressive) scanning,-T4 specifies the sequence (Timing) used by the scanning process, with a total of 6 levels (0-5), the higher the level, the faster the scan, but also easily detected and masked by firewalls or IDs, In a good condition of network communication, T4;-V is recommended for displaying redundant (verbosity) information, showing the details of the scan during the scan, so that the user can understand the current scan status.

For example, a computer that scans the local area network for 192.168.1.100 addresses. Obviously, the information scanned is very rich, in the Scan report section of 192.168.1.100 (circled in red), you can see the results of the host discovery "host is up"; The result of the port scan, there are 996 closed ports, 4 open ports (when no scan port is specified) The Nmap default scans 1000 most likely open ports), while version detection detects specific application and version information that is running on the port for further detection of the scan to the open, and the OS detects the device type and operating system of the target host. and the green block diagram is the display result of the Nmap calling the NSE script for further information mining. 2.2 Host Discovery

Host Discovery (Discovery), which is used to discover whether the target host is online (Alive, open). 2.2.1 Host Discovery Principle

The host discovery is similar to the ping command, sending probe packets to the target host and, if received, the target host is turned on. Nmap supports more than 10 different host detection methods, such as sending ICMP Echo/timestamp/netmask messages, sending Tcpsyn/ack packets, sending SCTP Init/cookie-echo packets, Users can choose different ways to detect the target machine flexibly under different conditions.

Host Discovery Fundamentals: (for example, ICMP echo method)

Nmap users are located at the source, IP address 192.168.0.5, send ICMP Echo Request to the target host 192.168.0.3. If the request message is not blocked by the firewall, then the target opportunity to reply to the ICMP Echo reply packet back. To determine if the target host is online.

By default, Nmap sends four different types of packets to detect whether the target host is online.

1. ICMP Echo Request

2. A TCP SYN packet to port 443

3. A TCP ACK packet to port 80

4. An ICMP timestamp request

Four messages are sent to detect whether the target is open. As soon as you receive a reply from one of the packages, the target machine is turned on. Use four different types of packets to avoid the error of judgment caused by firewalls or packet loss. usage of 2.2.2 Host Discovery

Typically, host discovery is not used alone, but as a port scan, version detection, OS detection first step. In some special applications, such as determining the number of active hosts in a large local area network, the host Discovery feature may be used solely for the purpose of implementation.

The user can use the rich options provided by Nmap to customize the detection of the host discovery, whether as an auxiliary usage or a specialized purpose. -sl: list scan  list Scan, only the specified target IP enumerated, not host discovery.      -sn: ping scan  only host discovery, no port scan.      -pn:  All designated hosts as open, skipping the host discovery process.      -ps/pa/pu/py[portlist]:  are found using Tcpsyn/ack or Sctp init/echo methods.      -pe/pp/pm:  uses the icmp echo, timestamp, and netmask  request package to discover the host. -po[protocollist]:  uses IP protocol packets to detect if the other host is open.      -n/-r: -n means no DNS resolution;-R means always DNS resolution.      --dns-servers <serv1[,serv2],... >:  Specifies the DNS server.      --system-dns:  Specifies to use the system's DNS server      --traceroute:  to track each routing node   

-sl:list Scan list Scan, only the IP of the specified target is enumerated, not host discovery.

-sn:ping Scan only host discovery, no port scan.

-PN: Treat all designated hosts as open, skipping the host discovery process.

-ps/pa/pu/py[portlist]: found using Tcpsyn/ack or SCTP Init/echo method.

-pe/pp/pm: Using ICMP echo, timestamp, and netmask request Package Discovery host. -po[protocollist]: Use IP protocol packets to detect if the other host is open.

-n/-r:-n means no DNS resolution;-R means always DNS resolution.

--dns-servers <serv1[,serv2],...: Specify a DNS server.

--system-dns: Specifies the DNS server to use the system

--TRACEROUTE: Tracking each routing node

Among them, the more commonly used is-SN, indicating that only the host discovery process alone;-PN represents advanced operations such as port scans that skip host discovery directly (available if the target host is already open);-N, if you do not want to use DNS or reverse DNS resolution, Then you can use this option. 2.2.3 Use demo

Probe scanme.nmap.org

The following is a simple demonstration of the use of host discovery, for example, to probe scanme.nmap.org hosts.

The order is as follows:

Nmap–sn–pe–ps80,135–pu53 scanme.nmap.org

Using the Wireshark grab package, we see that scanme.nmap.org's IP address 182.140.147.57 sent four probe packets: icmpecho,80 and 135-port TCP SYN Packets, 53-port UDP packets (DNS domain). Received the reply of ICMP echo and 80-port reply. Thus the scanme.nmap.org host is determined to be normal online.

Detecting active hosts within a local area network

Scan LAN 192.168.1.100-192.168.1.120 The range of IP hosts is active.

The order is as follows:

NMAP–SN 192.168.1.100-120

From the results, you can see that there are three hosts active in this IP range.

From the Wireshark grab package, you can see the case of the sent probe package:

In the LAN, Nmap is through the ARP packet to ask the IP address of the host is active, if received ARP reply package, then the host online.

For example, the message details for an ARP reply are as follows:

2.3-Port scan

Port scanning is the most basic and core function of Nmap, which is used to determine the opening of the TCP/UDP port of the target host.

By default, NMAP scans 1000 TCP ports that are most likely to be open.

Nmap the port into 6 states by probing: open: The port is opened. Closed: The port is off. Filtered: The port is masked by a firewall ids/ips and cannot determine its status. Unfiltered: The port is not blocked, but it needs to be further determined if it is open. Open|filtered: The port is open or blocked. Closed|filtered: The port is closed or blocked. 2.3.1 Port Scanning principle

Nmap is very powerful in port scanning and provides more than 10 ways to detect. 2.3.1.1 TCP SYN scanning

This is the default scanning method for Nmap, which is often referred to as a half-open scan (scanning). This method sends SYN to the target port, and if the syn/ack reply is received, then the port is open and if the RST packet is received, the port is closed. If no reply is received, then the port is judged to be blocked (filtered). Because this method only sends the SYN package to the target host's specific port, but does not establish the complete TCP connection, therefore is relatively covert, moreover the efficiency is high, the application scope is wide.

TCP SYN detects port shutdown: