I. Scanning approach
II. Common usage
1. Use nslookup to resolve the domain name to an IP address.
2. Use nmap -sL to list the IP addresses contained in the network segment (no host discovery is performed; the addresses are only listed).
3. Use nmap -sn to check which hosts in the network segment (CIDR block) are up.
nmap -sn
nmap uses two different host-discovery methods for LAN and WAN targets, chosen by whether the source and destination are in the same network segment.
When the destination host and source host are not in the same network segment:
nmap sends four different probe packets to determine whether the target host is up:
1) an ICMP echo request
2) a TCP SYN packet to port 443
3) a TCP ACK packet to port 80
4) an ICMP timestamp request
For example, scanning a public IP address:
nmap -sn IP
When the destination host and source host are in the same network segment:
nmap -sn 192.168.1.103
nmap sends an ARP request to check whether the IP address is up.
4. Scan the ports of the host you are interested in
Note that nmap automatically checks whether the IP address is up before scanning its ports; if the target does not appear to be up, its ports are not scanned. This host-discovery step uses the same probes as -sn (run automatically), and two rounds of probes are sent to decide whether the address is up.
The following packet capture shows a scan of an address that is not up. nmap -sS -p 80 [IP] is meant to scan port 80, but nmap first runs host discovery against the address.
nmap -sS -p 80 [IP]  # scan TCP port 80
This is the result returned. For an address like this, use -Pn, which skips host discovery and scans the port directly.
Scan port 80 with the -Pn option:
nmap -Pn -sS -p 80 113.11.*.*
According to the nmap scan result the port is filtered: nmap treats the host as up but cannot tell whether the port is open.
From the packet capture, however, the host sent nothing back, which indicates that the port is filtered or not open, and there was no other return traffic from that IP address at all, so nmap's verdict that the host is up is, in my opinion, wrong. The capture also shows that nmap sends each probe twice by default when no reply is received.
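The four-probe host-discovery pattern described above (ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp), repeated once when nothing answers, is a recognizable signature in firewall or sensor logs. The following is an added example for a defender reviewing such logs; it is not nmap's code or part of the original post, and the log line format and the sample lines are constructed:

```python
"""Flag (source, destination) pairs whose traffic matches the nmap -sn
remote host-discovery pattern: ICMP echo request, TCP SYN to 443, TCP ACK
to 80 and ICMP timestamp request inside a short window, usually sent in
two rounds when the first gets no reply. Added example; the log format
and SAMPLE_LOG are constructed, not real nmap output."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed line format: "<ISO timestamp> <src> > <dst> <proto> <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+) (?P<proto>ICMP|TCP) (?P<detail>.*)$"
)
PROBE_SET = {"icmp_echo", "syn_443", "ack_80", "icmp_ts"}

SAMPLE_LOG = """\
2015-01-11T18:13:35.001 10.0.0.5 > 203.0.113.10 ICMP echo-request
2015-01-11T18:13:35.002 10.0.0.5 > 203.0.113.10 TCP 443 flags=S
2015-01-11T18:13:35.003 10.0.0.5 > 203.0.113.10 TCP 80 flags=A
2015-01-11T18:13:35.004 10.0.0.5 > 203.0.113.10 ICMP timestamp-request
2015-01-11T18:13:36.500 10.0.0.5 > 203.0.113.10 ICMP echo-request
2015-01-11T18:13:36.501 10.0.0.5 > 203.0.113.10 TCP 443 flags=S
2015-01-11T18:13:36.502 10.0.0.5 > 203.0.113.10 TCP 80 flags=A
2015-01-11T18:13:36.503 10.0.0.5 > 203.0.113.10 ICMP timestamp-request
2015-01-11T18:14:02.000 10.0.0.7 > 203.0.113.10 TCP 443 flags=S
2015-01-11T18:14:02.200 10.0.0.7 > 203.0.113.10 TCP 443 flags=A
"""


def classify(line):
    """Return (timestamp, src, dst, probe_kind) for a line that looks like
    one of the four discovery probes, otherwise None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto, detail = m["proto"], m["detail"]
    kind = None
    if proto == "ICMP" and detail == "echo-request":
        kind = "icmp_echo"
    elif proto == "ICMP" and detail == "timestamp-request":
        kind = "icmp_ts"
    elif proto == "TCP":
        parts = detail.split()
        if len(parts) == 2:
            port, flags = parts
            if port == "443" and flags == "flags=S":
                kind = "syn_443"
            elif port == "80" and flags == "flags=A":
                kind = "ack_80"
    if kind is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], kind


def find_discovery_sweeps(log_text, window=timedelta(seconds=1)):
    """Return {(src, dst): rounds} for every pair where all four probe kinds
    were seen inside `window`; `rounds` counts the complete probe sets seen
    (a second round means the first got no answer)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = classify(line)
        if ev:
            ts, src, dst, kind = ev
            events[(src, dst)].append((ts, kind))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        rounds, i = 0, 0
        while i < len(evs):
            start, kinds, j = evs[i][0], set(), i
            while j < len(evs) and evs[j][0] - start <= window:
                kinds.add(evs[j][1])
                j += 1
            if kinds == PROBE_SET:   # one complete discovery round
                rounds += 1
                i = j
            else:
                i += 1
        if rounds:
            alerts[pair] = rounds
    return alerts


if __name__ == "__main__":
    for (src, dst), rounds in find_discovery_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: nmap-style host discovery, {rounds} round(s)")
```

The second source in the sample (10.0.0.7) only sends SYN and ACK to port 443, so it does not complete the set and is not reported; the first source completes the set twice, matching the two-round behaviour seen in the captures above.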
Description of nmap port scan results:
nmap classifies a port into one of six states:
open: the port is open.
closed: the port is closed.
filtered: the port is blocked by a firewall or IDS/IPS and its state cannot be determined.
unfiltered: the port is not blocked, but whether it is open must be determined further.
open|filtered: the port is open or blocked.
closed|filtered: the port is closed or blocked.
Common port-scanning options for nmap:
-p <ports>: specify the port numbers. If no port is specified, the 1000 most commonly used TCP or UDP ports (depending on the scan type) are scanned by default.
-F: fast mode. If no port is specified, only the top 100 ports are scanned.
-sS: TCP SYN scan; no full TCP connection is established.
-sT: TCP connect scan; a full three-way handshake is performed and a TCP connection is established.
-sU: UDP port scan.
Other port-scan methods:
-sA/-sW/-sM: ACK/Window/Maimon scans of the target host.
-sN/-sF/-sX: TCP NULL, FIN and Xmas scans, used to help determine the TCP port state of the target.
--scanflags <flags>: customize the TCP flags of the probe packets.
-sI <zombiehost[:probeport]>: idle scan of the target host via a zombie host (a suitable zombie host must be found first).
-sY/-sZ: SCTP INIT/COOKIE-ECHO scans to check which SCTP ports are open.
-sO: IP protocol scan, to determine which IP protocols the target supports.
-b <FTP relay host>: FTP bounce scan.
Port scan principles
TCP SYN scanning
This is nmap's default scan method, usually called half-open scanning. It sends a SYN to the target port: if a SYN/ACK reply is received the port is open; if an RST is received the port is closed; if no response is received the port is filtered. Because only a SYN is sent to the target port and no complete TCP connection is established, this method is relatively stealthy, efficient and widely applicable.
Figure: TCP SYN scan against a closed port.
Figure: TCP SYN scan against an open port.
TCP connect scanning
TCP connect scanning uses the operating system's connect() API to open a connection to the target port; if the connection fails, the port is closed. This method is slower, and because a complete TCP connection is established it leaves a record on the target machine, so it is not stealthy. TCP connect is therefore the method chosen when a TCP SYN scan cannot be used.
Figure: TCP connect scan against a closed port.
Figure: TCP connect scan against an open port.
TCP ACK scanning
An ACK packet is sent to the target port. If an RST is received, the port is not blocked by a firewall; if no RST is received, the port is blocked. This method can only determine whether a firewall shields a port, so it is used alongside the TCP SYN scan to understand the target's firewall.
Figure: TCP ACK scan against a port shielded by a firewall.
Figure: TCP ACK scan against a port that is not blocked.
TCP FIN/Xmas/NULL scanning
These three methods are called stealth scans because they are relatively hidden. A TCP FIN packet, Xmas tree packet or NULL packet is sent to the target port: if an RST reply is received, the port is closed; if no RST is received, the port may be open or blocked (open|filtered).
An Xmas tree packet is a TCP packet whose FIN, URG and PSH flags are all set; a NULL packet is a TCP packet with no flags set.
Figure: TCP FIN scan against a closed port.
Figure: TCP FIN scan against a port that is open or blocked.
UDP scanning
UDP scanning determines the state of UDP ports. A probe packet is sent to the target UDP port: if an "ICMP port unreachable" message comes back, the port is closed; if no reply is received, the UDP port may be open or blocked. Open UDP ports are therefore determined by elimination.
Figure: closed UDP port.
Figure: UDP port open or blocked.
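The reply-to-state rules given for the six port states and for the SYN, connect, ACK, FIN/Xmas/NULL and UDP scans above can be written down as one decision table. The following is an added example, not nmap's code and not from the original post; simulate_reply() is a constructed three-port target model (open, closed and firewalled) used only to show what each scan type reports for the same host:

```python
"""Port-state decision rules for the nmap scan types described above, as an
added example (not nmap's implementation). simulate_reply() is a constructed
target model; TARGET is constructed sample data."""
from enum import Enum


class Scan(Enum):
    SYN = "-sS"
    CONNECT = "-sT"
    ACK = "-sA"
    FIN = "-sF"
    XMAS = "-sX"
    NULL = "-sN"
    UDP = "-sU"


STEALTH = (Scan.FIN, Scan.XMAS, Scan.NULL)


def port_state(scan, reply):
    """Map a reply ("SYN/ACK", "RST", "CONNECTED", "REFUSED", "UDP_DATA",
    "ICMP_PORT_UNREACH", "ICMP_OTHER_UNREACH" or None for no reply) to one
    of nmap's six port states, following the rules given in the text."""
    if scan is Scan.SYN:
        if reply == "SYN/ACK":
            return "open"
        if reply == "RST":
            return "closed"
        return "filtered"          # no reply, or an ICMP unreachable
    if scan is Scan.CONNECT:
        if reply == "CONNECTED":
            return "open"
        if reply == "REFUSED":
            return "closed"
        return "filtered"          # connection timed out
    if scan is Scan.ACK:
        # ACK scan cannot tell open from closed; it only reveals the firewall
        return "unfiltered" if reply == "RST" else "filtered"
    if scan in STEALTH:
        if reply == "RST":
            return "closed"
        if reply in ("ICMP_PORT_UNREACH", "ICMP_OTHER_UNREACH"):
            return "filtered"
        return "open|filtered"     # silence: open port, or dropped by a firewall
    if scan is Scan.UDP:
        if reply == "ICMP_PORT_UNREACH":
            return "closed"
        if reply == "UDP_DATA":
            return "open"
        if reply == "ICMP_OTHER_UNREACH":
            return "filtered"
        return "open|filtered"     # silence again; resolved only by elimination
    raise ValueError(scan)


def simulate_reply(scan, true_state):
    """Constructed target: 'open' (service listening), 'closed' (no listener,
    host answers normally) or 'firewalled' (everything for this port is
    silently dropped)."""
    if true_state == "firewalled":
        return None
    if scan is Scan.SYN:
        return "SYN/ACK" if true_state == "open" else "RST"
    if scan is Scan.CONNECT:
        return "CONNECTED" if true_state == "open" else "REFUSED"
    if scan is Scan.ACK:
        return "RST"               # an unfiltered port answers a stray ACK with RST
    if scan in STEALTH:
        return None if true_state == "open" else "RST"   # RFC 793 behaviour
    if scan is Scan.UDP:
        # empty UDP datagram: closed port -> ICMP port unreachable,
        # most open services stay silent
        return "ICMP_PORT_UNREACH" if true_state == "closed" else None
    raise ValueError(scan)


def scan_report(scan, target):
    """Run one scan type against the constructed target model."""
    return {port: port_state(scan, simulate_reply(scan, state))
            for port, state in target.items()}


TARGET = {22: "open", 23: "closed", 80: "firewalled"}   # constructed

if __name__ == "__main__":
    for scan in Scan:
        print(scan.value, scan_report(scan, TARGET))
```

Comparing the SYN and ACK reports for the same target shows why the text pairs them: the SYN scan reports port 80 as filtered, and the ACK scan confirms that a firewall rather than a closed service is responsible, while the FIN/Xmas/NULL and UDP scans can only report open|filtered for both the open port and the firewalled one.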
Hiding the scanner's own IP address
A zombie host, also called an idle host, is used in idle scan mode: the host is idle and its IP ID values increase sequentially (for the detailed implementation principle see http://nmap.org/book/idlescan.html). Scanning the target through such a host conceals the scanner's own identity.
Alternatively, an FTP bounce scan uses an FTP server that permits proxying to scan other hosts, hiding the scanner's identity.
5. Version detection
Version detection determines the specific application and version running on each open port of the target host.
nmap's version detection has the following advantages:
High speed: socket operations are performed in parallel, and an efficient definition syntax is used for probe matching.
Determines the application name and version as precisely as possible.
Supports TCP and UDP, and both text and binary protocols.
Supports service detection on multiple platforms, including Linux, Windows, Mac OS and FreeBSD.
If SSL is detected, OpenSSL is called to go on detecting the specific protocol running over SSL (such as https/pop3s/imaps).
If a SunRPC service is detected, the brute-force RPC grinder is called to further determine the RPC program number, name and version.
Full IPv6 support, including TCP/UDP and SSL over TCP.
Common Platform Enumeration (CPE).
An extensive application database (nmap-service-probes). nmap currently recognizes the signatures of thousands of services, covering more than 180 different protocols.
5.1 Version detection principle
This section briefly introduces how version detection works.
Version detection involves the following steps:
First, check whether the ports in the open and open|filtered states are on the excluded-ports list; ports on the list are removed.
For a TCP port, nmap tries to establish a TCP connection and then waits for a while (usually 6 seconds or more; the exact time is the totalwaitms value under Probe TCP NULL q|| in the nmap-service-probes file). Within this wait the target usually sends its "welcome banner". nmap compares the received banner with the signatures of the NULL probe in nmap-service-probes to find the application name and version.
If the application and version cannot be determined from the welcome banner, nmap sends further probe packets (choosing suitable probes from nmap-service-probes) and compares each response with the signatures in the database. If repeated probing still does not identify the application, nmap prints the application's response and leaves it to the user to determine.
For a UDP port, the probe packets in nmap-service-probes are used directly, and the UDP service type is determined by comparing the responses.
If the application is found to be SSL, OpenSSL is called to further investigate the specific application running over SSL.
If the application is found to be SunRPC, the brute-force RPC grinder is called to further detect the specific service.
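The banner-matching steps above (NULL probe first, further probes only if the banner gives no match, totalwaitms read from the probe file) can be shown with a small matcher for the nmap-service-probes syntax. The following is an added example, not nmap's implementation and not part of the original post. PROBES_TEXT is a constructed excerpt written in the real file's Probe / totalwaitms / match syntax; the parser handles only that subset (m|regex| with optional i/s flags and p/ v/ i/ h/ fields delimited by slashes) and raises on anything else:

```python
"""Minimal matcher for a subset of the nmap-service-probes format, as an
added example (not nmap's code). PROBES_TEXT is a constructed excerpt in
that file's syntax; the responses passed to identify() are constructed."""
import re

PROBES_TEXT = r"""
# constructed excerpt written in nmap-service-probes syntax
Probe TCP NULL q||
totalwaitms 6000
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)| p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|i p/nginx/ v/$1/
"""

PROBE_RE = re.compile(r"^Probe (TCP|UDP) (\S+) q\|(.*)\|$")
MATCH_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvih])/([^/]*)/")
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname"}


def parse_probes(text):
    """Return probes in file order: [{name, proto, send, totalwaitms, matches}]."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROBE_RE.match(line)
        if m:
            # the q|...| string uses C-style escapes (\r\n) for the bytes to send
            send = m.group(3).encode("latin-1").decode("unicode_escape")
            probes.append({"name": m.group(2), "proto": m.group(1), "send": send,
                           "totalwaitms": None, "matches": []})
            continue
        if line.startswith("totalwaitms "):
            probes[-1]["totalwaitms"] = int(line.split()[1])
            continue
        m = MATCH_RE.match(line)
        if m:
            flags = re.I if "i" in m.group(4) else 0
            if "s" in m.group(4):
                flags |= re.S
            probes[-1]["matches"].append({
                "service": m.group(1),
                "regex": re.compile(m.group(3), flags),
                "fields": dict(FIELD_RE.findall(m.group(5))),
            })
            continue
        raise ValueError("unsupported line: " + line)
    return probes


def expand(template, m):
    """Substitute $1, $2, ... in a field template with regex groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)


def identify(responses, probes=None):
    """responses: {probe name: text the target sent back}. Probes are walked
    in file order, as the text describes (NULL banner first, then further
    probes); the first signature match wins. Returns None when nothing
    matches, which is when nmap would print the raw response for the user."""
    probes = PROBES if probes is None else probes
    for probe in probes:
        data = responses.get(probe["name"])
        if not data:
            continue
        for sig in probe["matches"]:
            m = sig["regex"].search(data)
            if m:
                result = {"service": sig["service"], "probe": probe["name"]}
                for key, tmpl in sig["fields"].items():
                    result[FIELD_NAMES[key]] = expand(tmpl, m)
                return result
    return None


PROBES = parse_probes(PROBES_TEXT)

if __name__ == "__main__":
    print("NULL probe wait:", PROBES[0]["totalwaitms"], "ms")
    print(identify({"NULL": "SSH-2.0-OpenSSH_7.4\r\n"}))
    print(identify({"NULL": "", "GetRequest": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"}))
```

The SSH case is resolved from the welcome banner alone (the NULL probe), while the web server sends nothing unsolicited, so the match only comes from the GetRequest probe's response, mirroring the two stages described above.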
5.2 Version detection usage
The command-line options for version detection are relatively simple:
-sV: enable version detection.
--version-intensity <level>: set the version detection intensity (0-9); the default is 7. Higher values identify services more accurately but take longer.
--version-light: lightweight detection (intensity 2).
--version-all: try every probe (intensity 9).
--version-trace: show detailed information about the version detection process.
The following uses a port 80 scan as an example to show the nmap -sV result and the packet capture.
nmap -sV -p 80 113.11.*.*  # scan port 80
The packet capture shows that when -Pn is not given, host discovery runs first and the port and version scan only proceeds after the host has been confirmed up.
With nmap -sV 113.11.*.* the default behaviour is: check whether the host is up, scan the 1000 common TCP ports on hosts that are up, then run version detection on the ports found open. (For HTTP version detection a TCP connection is established first and then closed; then a new connection is made with a three-way handshake, a GET request is sent, and the connection is closed with a four-way handshake.)
NMAP software usage ideas and common usage