Linux nmap Command

Nmap (Network Mapper) is released under the Free Software Foundation's GNU General Public License (GPL). Its basic functions are: detecting whether a group of hosts is online, scanning a host's ports, identifying the network services a host offers, and determining the host's operating system. After downloading the source, run the three commands configure, make and make install to install the nmap binaries on the system, then run nmap.

Website Download: http://nmap.org/download.html

Or download the packages:

rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm
rpm -vhU http://nmap.org/dist/zenmap-5.21-1.noarch.rpm

Test system: CentOS 5.3

Nmap's syntax is simple but powerful. For example, the ping-scan option is "-sP"; once the target host or network is given, the scan runs. Running nmap as root enhances its abilities, because the superuser can craft custom raw packets, which many of nmap's scan types depend on. Scanning a single host or an entire network is equally simple: give nmap the target address with a "/mask" suffix. Nmap also accepts various address notations, such as 192.168.1.*, to scan the hosts of a selected subnet.

How to use Nmap

Here are the four most basic scanning methods supported by Nmap:

* TCP connect() port scan (-sT option).

* TCP SYN port scan (-sS option).

* UDP port scan (-sU option).

* Ping scan (-sP option).

Ping scans and TCP SYN scans are the most useful when you want an overview of a whole network.

* Ping scans determine whether a host is up by sending ICMP (Internet Control Message Protocol) echo request packets and TCP ACK (acknowledge) packets; they are ideal for counting the hosts that are running in a given network segment.

* A TCP SYN scan is not so easy to understand on its own, but its characteristics become clear when it is compared with a TCP connect() scan. In a TCP connect() scan, the scanner opens a full TCP connection through the operating system's own connect() system call, that is, it completes the whole three-way handshake between the two hosts (SYN, SYN/ACK, ACK). A completed handshake shows that the remote port is open.

* A TCP SYN scan creates a half-open connection instead: where the connect() scan finishes with an ACK, the SYN scan sends a reset (RST) flag (that is, SYN, SYN/ACK, RST). If the remote host is listening and the port is open, it answers with SYN/ACK and nmap replies with RST; if the port is closed, the answer is RST, and nmap moves on to the next port.

-sS: TCP SYN scan; sends a SYN and judges the port from the SYN/ACK or RST reply (half-open)

-sT: TCP connect() scan; completes the full three-way handshake

-sU: UDP scan

-sP: ping scan; sends ICMP echo requests and reports which hosts answer

-sF: FIN scan

-sX: Xmas scan (FIN, PSH and URG flags set)

-sN: Null scan; sends a TCP packet with no flags set and judges the port state from the error response

-P0: do not ping; skip the ICMP echo host discovery and scan regardless of the result

-p <range>: port range to scan, for example 1-100, or a list such as 25,100

-O: detect the operating system type

-oN <filename>: normal-format file output

-oX <filename>: XML output (with DTD)

-oG <filename>: grepable-format output

-sV: probe open ports for the service's program name and version
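
The -oG format above is the one a defender usually feeds into scripts. As an added example that is not part of the article, the following Python parses grepable output and diffs two reports to flag ports that were not open in an earlier baseline; the two reports are constructed sample data built from the ports the article's scans show for 192.168.92.129.

```python
# Added example (not from the article): parse nmap's grepable (-oG) output and
# diff two reports to flag ports that were not open in an earlier baseline.

# Constructed sample in -oG layout, using the ports the article's -sT scan
# reports for 192.168.92.129 (the later report adds 11111/tcp).
BASELINE = """# Nmap 5.21 scan initiated Tue Jun  8 12:51:00 2010 as: nmap -sT -oG - 192.168.92.129
Host: 192.168.92.129 ()\tStatus: Up
Host: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///\tIgnored State: closed (998)
# Nmap done at Tue Jun  8 12:51:01 2010 -- 1 IP address (1 host up) scanned in 0.48 seconds
"""
LATER = """Host: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 11111/open/tcp//unknown///\tIgnored State: closed (997)
"""

def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from every 'Ports:' line.
    Fields are tab-separated; a port entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip '# Nmap ...' comment lines
        fields = line.split("\t")
        entry = hosts.setdefault(fields[0].split()[1], {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                item = item.strip()
                if item:
                    port, state, proto, _owner, service = item.split("/")[:5]
                    entry[(int(port), proto)] = (state, service)
    return hosts

def new_open_ports(baseline_text, later_text):
    """Per host, the ports open in the later report that were not open before."""
    base, later = parse_grepable(baseline_text), parse_grepable(later_text)
    changes = {}
    for host, ports in later.items():
        was_open = {k for k, (s, _) in base.get(host, {}).items() if s == "open"}
        now_open = {k for k, (s, _) in ports.items() if s == "open"}
        if now_open - was_open:
            changes[host] = sorted(now_open - was_open)
    return changes
```

Running `new_open_ports(BASELINE, LATER)` on the sample returns `{"192.168.92.129": [(11111, "tcp")]}`, the port that appeared between the two scans.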

Ping scan: intruders use nmap to sweep an entire network for targets. With the "-sP" option nmap by default sends an ICMP echo request and a TCP ACK to each scanned host; a host that answers either one is reported as up, as shown below.

[root@coremail ~]# nmap -sP 192.168.1.60

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:46 CST
Nmap scan report for 192.168.1.60
Host is up (0.00085s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Nmap supports several types of port scan. A TCP connect() port scan uses the "-sT" option. The details are as follows:

[root@coremail ~]# nmap -sT 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for 192.168.92.129
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds



Stealth scanning: a TCP SYN scan helps when an attacker does not want the probe recorded in the target's system log, because no connection is ever completed. With the "-sS" option you send SYN probes to a host or network, as shown below.

[root@coremail ~]# nmap -sS www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0094s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 56.54 seconds

To find out which UDP ports are open, an attacker uses a UDP scan (-sU option). Nmap sends a 0-byte UDP packet to each port; if the host returns an ICMP port unreachable message, the port is closed. As shown below.

[root@coremail ~]# nmap -sU 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:53 CST
Nmap scan report for 192.168.92.129
Host is up (0.000019s latency).
Not shown: 996 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
111/udp open          rpcbind
123/udp open|filtered ntp
631/udp open|filtered ipp

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
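
The rules behind the STATE column of the SYN, connect() and UDP scans above (SYN/ACK versus RST, ICMP port unreachable versus silence, and why UDP reports open|filtered) can be written down as a small classifier. The following Python is an added example, not nmap's code; the probe replies it classifies are constructed to mirror the article's 192.168.92.129 results.

```python
# Added example (not nmap's code): the port-state rules the article describes
# for -sS / -sT and -sU, applied to constructed probe replies.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Reply:
    """One probe's answer: TCP flags ("SA", "RA"), an ICMP (type, code), or
    udp=True when a UDP datagram came back. None means no answer at all."""
    flags: Optional[str] = None
    icmp: Optional[Tuple[int, int]] = None
    udp: bool = False

def tcp_state(reply):
    """SYN/ACK means open; RST means closed (nmap moves to the next port);
    silence or an ICMP unreachable means filtered. Same for -sS and -sT."""
    if reply is None:
        return "filtered"
    if reply.flags == "SA":
        return "open"
    if reply.flags and "R" in reply.flags:
        return "closed"
    return "filtered"          # ICMP error (type 3) or anything unexpected

def tcp_follow_up(state, half_open=True):
    """After SYN/ACK, -sS tears the half-open connection down with RST, while
    -sT answers ACK and completes the handshake the server can then log."""
    if state != "open":
        return None
    return "RST" if half_open else "ACK"

def udp_state(reply):
    """-sU sends an empty datagram: ICMP 3/3 means closed, a UDP answer means
    open, other unreachables mean filtered, silence is open|filtered."""
    if reply is None:
        return "open|filtered"
    if reply.udp:
        return "open"
    if reply.icmp == (3, 3):
        return "closed"
    if reply.icmp and reply.icmp[0] == 3 and reply.icmp[1] in {1, 2, 9, 10, 13}:
        return "filtered"
    return "open|filtered"

def scan(replies, classify):
    """Summarise {port: reply} as {port: state}, like nmap's PORT/STATE columns."""
    return {port: classify(reply) for port, reply in sorted(replies.items())}

# Constructed replies loosely modelled on the article's 192.168.92.129 results.
TCP_REPLIES = {22: Reply(flags="SA"), 111: Reply(flags="SA"), 80: Reply(flags="RA"), 25: None}
UDP_REPLIES = {111: Reply(udp=True), 123: None, 80: Reply(icmp=(3, 3)), 53: Reply(icmp=(3, 13))}
```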


Operating system identification: the type of the remote operating system can be probed with the "-O" option. Nmap narrows down the operating system by sending different kinds of probe packets to the host and comparing the responses. As shown in Figure 6:

[root@coremail ~]# nmap -sS -O 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:56 CST
Nmap scan report for 192.168.92.129
Host is up (0.00024s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.72 seconds



Ident scan: attackers are interested in finding a machine on which some process is vulnerable, such as a web server running as root. If the target runs identd, the attacker can learn which user owns the HTTP daemon by using the "-I" option over a TCP connection. To scan a Linux web server, for example, use the following command (note that the command as shown combines a connect() scan of port 80 with -O operating system detection, which is what the output reflects):

[root@coremail ~]# nmap -sT -p 80 -O www.baidu.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:58 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0069s latency).
PORT   STATE    SERVICE
80/tcp filtered http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|WAP|game console
Running (JUST GUESSING) : Apple Mac OS X 10.5.X (96%), BlueArc embedded (87%), Kcorp embedded (86%), Nintendo embedded (86%)
Aggressive OS guesses: Apple Mac OS X 10.5.5 (Leopard) (96%), BlueArc Titan 2100 NAS device (87%), Kcorp KLG-575 WAP (86%), Nintendo DS game console (86%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.39 seconds

[root@coremail ~]# nmap -sT -p 80 -O 192.168.92.129

Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 13:00 CST
Nmap scan report for 192.168.92.129
Host is up (0.00014s latency).
PORT   STATE SERVICE
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds



Hiding the source address of the scan:

If your system's IP is 192.168.1.20 but you want every packet nmap sends to carry the source address 20.20.20.20, use the following command to send packets to the host Sandi:

nmap -S 20.20.20.20 -e eth0 -P0 -sS -v Sandi

-P0 (no ping) and -sS (TCP SYN half-open port scan) make nmap run a TCP-based scan without pinging the target first. The -sS option can also help get the initial SYN packets through a filtering firewall.

To make the system send its packets from source port 53 and run the same scan as above, issue the following command:

nmap -g 53 -S 20.20.20.20 -e eth0 -P0 -sS -v Sandi

Beyond these scans, nmap offers many more options. It is one of the tools every Linux attacker must have; through it we can learn about the system and lay a good foundation for the attacks that follow.

See also (29 concrete examples): http://os.51cto.com/art/201401/428152.htm
