Linux Enterprise port scanning and Practice (1)

Port and vulnerability discovery and scanning are also necessary for enterprise risk assessment and management. As the saying goes: "The treasure of a thousand miles is destroyed by the ant nest ." Once an attacker finds a small vulnerability, the final consequence may be the paralysis of the entire network. How can we discover security vulnerabilities in enterprise networks? What key technologies need to be mastered and used? What popular and efficient tools can be used by system administrators to scan and discover vulnerabilities?

Enterprise port scan policy

1. Purpose of port scanning

For computer systems in the network, a port is a potential communication channel, that is, an intrusion channel. Port Scanning on the target computer can obtain a lot of useful information to detect system security vulnerabilities. It allows system users to understand what services the system currently provides to the outside world, thus providing a reference for system users to manage the network.

Technically, port scanning sends test data packets to the TCP/UDP Service ports of the target host and records the response of the target host. By analyzing the response to determine whether the service port is opened or closed, you can know the service or information provided by the port. Port Scanning can also monitor the running status of the local host by capturing inbound and outbound IP packets from the local host or server. It can not only analyze the received data, in addition, it helps users discover some inherent vulnerabilities of the target host without providing detailed steps for entering a system. Generally, port scanning is intended for one or more of the following purposes:

1. Discover open ports: Discover TCP or UDP ports opened on the target system;

2. Understand host operating system information: port scanning can predict the version of the scanned operating system or application through the operating system fingerprint;

3. Understand the software or service version: the software or service version can be identified by the "sign acquisition" or application fingerprint;

4. detect vulnerable software versions: identify software and service defects to facilitate attacks against vulnerabilities.

Port Scanning mainly includes classic full-connection scanners) and so-called SYN semi-connection scanners. In addition, there are indirect and confidential scans. The TCP scan method establishes a standard TCP connection with the host to be scanned. Therefore, this method is the most accurate, with few false positives or false positives, but is easy to detect and record by the target host. The SYN mode establishes a semi-open connection with the target host, which is not easy to be recorded by the target host. However, the scan results may be missed, which is serious when the network condition is poor.

2. quick installation of nmap for enterprise port scanning

Nmap is a network detection and security scanning program. System Administrators and individuals can use this software to scan a large network and obtain information about the host running and what services it provides. Nmap supports many scanning technologies, such as UDP, TCP connect (), tcp syn (half-open scan), and ftp Proxy (bounce Attack), reverse flag, ICMP, FIN, ACK Scan, Christmas Tree (Xmas Tree), SYN scan, and null scan. Nmap also provides some advanced features, such as detecting operating system types, secretly scanning, dynamic latency and retransmission computing, and parallel scanning through TCP/IP protocol stack features, detects closed hosts by Using ping scanning in parallel, and uses bait scanning to avoid port filtering detection, direct RPC scanning (no need for port injection), fragment scanning, and flexible target and port settings.

To improve nmap performance in the non-root state, software designers have made great efforts. Unfortunately, some kernel interfaces (such as raw socket) need to be used in the root state. Therefore, try to use nmap as root.

Run nmap to obtain the list of host ports to be scanned. Nmap always provides the service name (if possible), port number, status, and Protocol of the well known port. Each port has the following statuses: open, filtered, and unfiltered.

The open state means that the target host can use the accept () system call on this port to accept the connection;

The filtered status indicates that the firewall, packet filtering, and other network security software mask the port and disable nmap to detect whether it is enabled.

Unfiltered indicates that the port is disabled and no firewall/package filtering software is available to isolate nmap detection attempts. Generally, the port is in the unfiltered state. Only when most of the ports being scanned are in the filtered state will the port in the unfiltered State be displayed.

Nmap can also report the following features of a remote host based on the function options used: the operating system used, the TCP sequence, and the user name, DNS name, host address, and other things of the application bound to each port.

Before use, we need to download the software's source code package for installation. Download URL: http://linux.softpedia.com/get/system/networking/nmap-184.shtml. After the download is complete, take the author download to the version as an example: nmap-5.00.tgz, the user can execute the following installation command:

1) decompress the Software Package

# Tar-xzvf nmap-5.00.tgz

2) switch to the installation directory

# Cd nmap-5.00

3) use the configure command to generate the make File

#./Configure

4) Compile the source code

# Make

5) install related modules

# Make install