Linux Administrator: Enterprise Port scan Policy

Enterprise Port Scan Policy

1, the purpose of port scanning for the computer system located in the network, a port is a potential communication channel, that is, an intrusion channel. Port scanning of the target computer can get a lot of useful information to discover the security vulnerabilities of the system. It can make the system users understand what services the system is providing to the outside world, thus providing a reference means for the system User Management network.

Technically, the port scan sends probe packets to the target host's TCP/UDP service port and records the response of the target host. The service or information provided by the port can be known by analyzing the response to determine whether the service port is turned on or off.

Port scanning can also monitor the operation of the local host by capturing the inflow and outflow of the local host or server, not only to analyze the data received, but also to help the user discover some inherent weaknesses of the target host without providing detailed steps to enter a system. Generally, port scans are usually intended as one or more of the following:

(1) Discovery of open ports: Discovery of open TCP or UDP ports on target systems;

(2) to understand the host operating system information: port scanning through the operating system's "fingerprint" to speculate on the operating system or the version of the application of the information;

(3) Understand the software or service version: Software or service version can be identified by "logo acquisition" or application fingerprint;

(4) Discovery of vulnerable software versions: Identify defects in software and services that can help launch attacks against vulnerabilities.

Port scans include classic scanners (fully connected) and so-called SYN (semi-connected) scanners. In addition, there are indirect scans and secret scans. TCP Scan mode is by establishing the standard TCP connection with the scanned host, so this method is most accurate, rarely false or false, but it is easy to be detected and recorded by the target host. The Syn method is to establish a half-open connection with the target host, so that it is not easy to be logged by the target host, but the result of the scan will be false and the omission is serious when the network condition is bad.

2, fast installation nmap for enterprise port scanning Nmap is a network detection and security scanner, system managers and individuals can use this software to scan a large network, to obtain the host is running and what services to provide information. Nmap supports a wide range of scanning technologies, such as UDP, TCP Connect (), TCP syn (Half-open scan), FTP agent (Bounce attack), reverse flag, ICMP, FIN, ACK Scan, Christmas tree (xmas), SYN Scan, and NULL scan.

Nmap also provides some advanced features, such as: detecting operating system types via TCP/IP protocol stack features, secret scans, dynamic latency and retransmission calculations, parallel scans, parallel ping scans to detect shutdown hosts, decoy scans, bypass port filtering detection, direct RPC scans (no port innuendo), Fragmentation scans, as well as flexible targets and port settings.

In order to improve the performance of nmap in Non-root state, the designers of software have made great efforts. Unfortunately, some kernel interfaces (such as raw sockets) need to be used in root state. So you should use nmap at root as much as possible.

The Nmap run usually gets a list of the scanned host ports. Nmap always gives the well known port service name (if possible), port number, status, and protocol information. The status of each port is: Open, filtered, unfiltered.

The open state means that the target host can use the Accept () system call to accept the connection on this port;

The filtered state indicates that firewalls, packet filters, and other network security software cover up the port, preventing Nmap from detecting whether it is open.

Unfiltered indicates that the port is closed and there is no firewall/packet filtering software to isolate the Nmap detection attempt. Typically, the state of a port is basically a unfiltered state, and a port in the unfiltered state is displayed only if most of the scanned ports are in filtered state.

Depending on the functionality options used, NMAP can also report on the following characteristics of the remote host: The operating system used, the TCP sequence, the user name that runs the application bound to each port, the DNS name, the host address is a spoofed address, and something else.

Before using, we need to download the software source package to install. When the download is complete, take the version downloaded by the author as an example: Nmap-5.00.tgz, the user performs the following installation command:

(1) Decompression Package

#tar –XZVF nmap-5.00.tgz

(2) switch to the installation directory

#cd nmap-5.00

(3) Using the Configure command to generate a make file

#./configure

(4) Compiling source code

#make

(5) Installation of related modules

#make Install

3, four steps to use Nmap to determine the enterprise network open port (1) Scan implementation First step: Discover Active Host

Use Nmap to scan the entire network for targets and determine if the target is connected. Ping the scan by using the "-SP" command. By default, Nmap sends an ICMP echo and a TCP ACK to each scanned host, and host response to any one is nmap, scanning very quickly and scanning a large network in a very short time. The command uses the following:

[Root@localhost ~]# nmap-sp 10.1.4.0/24

Nmap finished:256 IP addresses (up to) scanned in 7.852 seconds

Through this scan, you can find that the company's network of 125 hosts are active, that is, to take advantage of the next step is to conduct a more detailed scan to scan these hosts what the end of the active port.

(2) Scan to implement the second step: Scan port scan

Typically, when a nmap user determines that a host running on the network is connected, the next step is to perform a port scan, and the port scan uses-st parameters. As shown in the following results:

[Root@localhost ~]# nmap-v-st 10.1.4.0/24

Host 10.1.4.11 appears to is up ... good.

Interesting ports on 10.1.4.11:

Not shown:1673 closed ports

PORT State SERVICE

80/TCP Open Htt

MAC ADDRESS:00:1E:65:F0:78:CA (Unknown)

It can be clearly seen that the port scan in a variety of ways to host the network TCP active port for a comprehensive scan, due to the number of scanned hosts too much (125), the above only gives 2 hosts TCP port situation, That is, the host 10.1.4.1 and 10.1.4.11, and the host 10.1.4.1 open a lot of ports, network services are relatively rich, and from the composition of the IP address, the host is most likely the gateway (the General Gateway IP address set to x.x.x.1), We then locked the host for a follow-up scan.