Nmap (Network Mapper) is released under the GNU General Public License (GPL) of the Free Software Foundation. Its basic functions are: detect whether a group of hosts is online, scan the hosts' ports, identify the network services they offer, and determine the hosts' operating systems. After downloading the source, run the three commands ./configure, make, and make install to install the nmap binaries on the system, then run nmap.
Website download: http://nmap.org/download.html
or install the packages with rpm:
rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm
rpm -vhU http://nmap.org/dist/zenmap-5.21-1.noarch.rpm
Test system: CentOS 5.3
Nmap's syntax is simple but powerful. For example, the ping-scan option is -sP: once the target hosts or network are given, you can scan. Running Nmap as root enhances its capabilities, because the superuser can craft raw packets, and several of Nmap's scan types depend on that. Scanning a single host or a whole network is equally simple: give Nmap the target address with a /mask (CIDR) suffix. Nmap also accepts address patterns such as 192.168.1.* to scan the hosts of a chosen subnet.
How to use Nmap
Here are the four most basic scanning methods supported by Nmap:
* TCP connect() port scan (-sT).
* TCP SYN port scan (-sS).
* UDP port scan (-sU).
* Ping scan (-sP).
Ping scans and TCP SYN scans are the most useful when you want an overview of a whole network.
* A ping scan determines whether a host is up by sending ICMP (Internet Control Message Protocol) echo request packets and TCP ACK (acknowledge) packets. It is ideal for finding how many hosts are running within a given network segment.
* A TCP SYN scan is easiest to understand by comparison with the TCP connect() scan. In a connect() scan the scanner opens a full TCP connection through the operating system's own connect() system call, that is, it completes the whole three-way handshake between the two hosts (SYN, SYN-ACK, ACK). A completed handshake shows that the remote port is open; because the connection is real, the listening application sees it and can log it.
* A TCP SYN scan creates a half-open connection instead: after the SYN, Nmap answers the SYN-ACK with a reset (RST) rather than the final ACK (SYN, SYN-ACK, RST). If the remote host is listening and the port is open, it responds with SYN-ACK and Nmap sends an RST; if the port is closed, the host answers with RST, and Nmap moves on to the next port. Building the SYN and RST segments by hand requires raw sockets, which is why this scan needs root.
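As an added illustration (example code written for this page, not part of Nmap), the following Python script performs the connect()-style scan described above against a listener on the loopback interface that it starts itself, so it runs offline: the kernel completes the full handshake, and the target sees a real connection. The half-open SYN scan cannot be reproduced this way because it needs raw sockets (root), which is exactly the difference the text describes. The listener, the port numbers and the 127.0.0.1 target are constructed test fixtures.

```python
"""TCP connect() scan, the way nmap -sT works (added example, not Nmap's code)."""
import errno
import socket


def classify_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port as open, closed or filtered.

    connect() asks the kernel to run the whole SYN / SYN-ACK / ACK handshake:
      0            -> handshake completed: open (the service saw a real connection)
      ECONNREFUSED -> the target answered our SYN with RST: closed
      timeout      -> nothing came back, which nmap reports as filtered
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            err = s.connect_ex((host, port))
        except socket.timeout:
            return "filtered"
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    return "filtered"  # EHOSTUNREACH, EWOULDBLOCK after a timeout, etc.: no RST was seen


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan a list of ports and return {port: state}."""
    return {port: classify_tcp(host, port, timeout) for port in ports}


def _unused_port() -> int:
    """Pick a loopback TCP port nobody is listening on (constructed test fixture)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Constructed target: one listening socket stands in for a service such as sshd.

    Returns ({port: state}, open_port, closed_port) so the result can be checked.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    closed_port = _unused_port()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

Because connect() is an ordinary system call, this works unprivileged, but every probe of an open port shows up in the service's accept() path and therefore in its logs; that is the trade-off against -sS that the next sections return to.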
* -sS: TCP SYN (half-open) scan; only SYN and SYN-ACK are exchanged before Nmap resets.
* -sT: TCP connect() scan; the full three-way handshake is completed.
* -sU: UDP scan.
* -sP: ping scan; sends ICMP echo requests (and TCP probes) to discover which hosts respond, without a port scan.
* -sF: FIN scan.
* -sX: Xmas scan (FIN, PSH and URG flags set).
* -sN: Null scan; a TCP segment with no flags set, which is invalid, so the port state is judged from the reply: an RST means closed, no reply means open|filtered.
* -P0: skip the ICMP echo (ping) stage and scan the host anyway (the same option is spelled -PN in Nmap 5.x and -Pn in current releases).
* -p: port range to scan, for example 1-100, or a list such as 25,100.
* -O: detect the operating system type.
* -oN filename: normal (human-readable) output to a file.
* -oX filename: XML output (with DTD).
* -oG filename: grepable output, easy to process with grep and awk.
* -sV: probe open ports for the service's program name and version.
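The grepable format (-oG) is the one you feed to scripts. As an added example (not part of Nmap; the input is two constructed scan files in the layout Nmap 5.x writes, with host addresses borrowed from the scans on this page), the following Python parses the Host: lines, lists the open ports per host and reports ports that are open in a later scan but were not open in the baseline, which is the check a defender runs to catch services that appeared since the last sweep.

```python
"""Parse nmap -oG (grepable) output and diff two scans (added example, not Nmap's code)."""

# Constructed sample: what 'nmap -sS -oG base.gnmap 192.168.92.0/24' might write.
# Fields on a Host: line are tab-separated; each Ports entry is
# port/state/protocol/owner/service/rpcinfo/version/
BASELINE_SCAN = """\
# Nmap 5.21 scan initiated Tue Jun  8 12:51:00 2010 as: nmap -sS -oG base.gnmap 192.168.92.0/24
Host: 192.168.92.129 ()\tStatus: Up
Host: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 11111/open/tcp//unknown///\tIgnored State: closed (997)
Host: 192.168.92.130 ()\tStatus: Up
Host: 192.168.92.130 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (998)
# Nmap done at Tue Jun  8 12:51:03 2010 -- 256 IP addresses (2 hosts up) scanned in 3.12 seconds
"""

# Constructed sample of a later sweep: a proxy appeared on .130 and a new host .131 runs telnet.
LATEST_SCAN = """\
# Nmap 5.21 scan initiated Wed Jun  9 12:51:00 2010 as: nmap -sS -oG latest.gnmap 192.168.92.0/24
Host: 192.168.92.129 ()\tStatus: Up
Host: 192.168.92.129 ()\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 11111/open/tcp//unknown///\tIgnored State: closed (997)
Host: 192.168.92.130 ()\tStatus: Up
Host: 192.168.92.130 ()\tPorts: 80/open/tcp//http///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.168.92.131 ()\tStatus: Up
Host: 192.168.92.131 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done at Wed Jun  9 12:51:04 2010 -- 256 IP addresses (3 hosts up) scanned in 3.40 seconds
"""


def parse_gnmap(text: str) -> dict:
    """Return {ip: {(port, proto): (state, service)}} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '# Nmap ...' comment lines carry no host data
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value.strip()
        ip = fields["Host"].split()[0]  # 'Host: 192.168.92.129 ()' -> address only
        ports = hosts.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            ports[(port, proto)] = (state, service)
    return hosts


def open_ports(hosts: dict) -> dict:
    """{ip: sorted [(port, proto, service)]}, keeping only ports in state 'open'."""
    return {
        ip: sorted((port, proto, svc)
                   for (port, proto), (state, svc) in ports.items() if state == "open")
        for ip, ports in hosts.items()
    }


def new_open_ports(baseline: dict, latest: dict) -> dict:
    """Ports open in 'latest' that were not open in 'baseline'; new hosts count in full."""
    before = open_ports(baseline)
    diff = {}
    for ip, ports in open_ports(latest).items():
        added = [p for p in ports if p not in before.get(ip, [])]
        if added:
            diff[ip] = added
    return diff


if __name__ == "__main__":
    base, latest = parse_gnmap(BASELINE_SCAN), parse_gnmap(LATEST_SCAN)
    for ip, ports in sorted(open_ports(base).items()):
        print(ip, ports)
    print("new since baseline:", new_open_ports(base, latest))
```

The same parser works on -oG files of -sU scans, where the state field carries open|filtered; a diff that only keys on state == "open" will therefore never flag a UDP service that stays silent, which is a reason to add -sV to the sweep that produces the baseline.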
Ping scan: intruders use Nmap to sweep a whole network for targets. With -sP, by default Nmap sends an ICMP echo request and a TCP ACK to each scanned host, and any host that answers either probe is reported as up, as shown below.
[root@coremail ~]# nmap -sP 192.168.1.60
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:46 CST
Nmap scan report for 192.168.1.60
Host is up (0.00085s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Nmap supports different types of port scans. A TCP connect() scan is selected with -sT. The details are as follows:
[root@coremail ~]# nmap -sT 192.168.92.129
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for 192.168.92.129
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
Stealth scanning. A TCP SYN scan is what an attacker reaches for when they do not want the probe recorded in the target's logs: the handshake is never completed, so the connection never reaches the listening service and the application does not log it. Note that this only avoids application-level logging; the SYN packets themselves are still visible to a firewall, an IDS or kernel-level connection logging on the target. Use -sS to send SYN probes to a host or network, as shown below.
[root@coremail ~]# nmap -sS www.baidu.com
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:51 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0094s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 56.54 seconds
UDP scan. To learn which UDP ports are open, use a UDP scan (-sU). Nmap sends an empty UDP datagram (or, for certain well-known ports, a protocol-specific payload) to each port. If the host answers with an ICMP port unreachable message, the port is closed. If nothing comes back, Nmap cannot tell whether a service silently consumed the datagram or a firewall dropped it, so it reports the port as open|filtered; only a UDP reply proves that the port is open, as rpcbind does below.
[root@coremail ~]# nmap -sU 192.168.92.129
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:53 CST
Nmap scan report for 192.168.92.129
Host is up (0.000019s latency).
Not shown: 996 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
111/udp open          rpcbind
123/udp open|filtered ntp
631/udp open|filtered ipp
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
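The open|filtered ambiguity in that output is the defining property of UDP scanning. As an added example (not Nmap's code; it creates its own targets on the loopback interface: a UDP socket that answers, one that stays silent, and an unused port, all constructed fixtures), the following Python reproduces what -sU does with an empty probe. A closed port triggers an ICMP port unreachable, which Linux reports on a connected UDP socket as ECONNREFUSED; silence within the timeout is open|filtered; only a datagram coming back proves the port is open.

```python
"""UDP port classification the way nmap -sU does it (added example, not Nmap's code)."""
import socket
import threading


def classify_udp(host: str, port: int, timeout: float = 1.0, payload: bytes = b"") -> str:
    """Send one UDP probe and classify the port as open, closed or open|filtered.

    A connected UDP socket makes the kernel deliver the ICMP port unreachable
    that a closed port triggers: the pending recv() fails with ECONNREFUSED.
    No answer within the timeout is the ambiguous open|filtered state (a
    service swallowed the datagram, or a firewall dropped it). A datagram
    coming back means open.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)  # nmap's default probe is an empty datagram for most ports
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"


def _unused_udp_port() -> int:
    """Pick a loopback UDP port nobody is bound to (constructed test fixture)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout: float = 1.0):
    """Constructed targets on 127.0.0.1: an answering service, a silent one, a closed port.

    Returns ({port: state}, answering_port, silent_port, closed_port).
    """
    answering = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    answering.bind(("127.0.0.1", 0))
    answering.settimeout(5.0)
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))  # bound but never reads or replies: indistinguishable from a firewall drop
    answering_port = answering.getsockname()[1]
    silent_port = silent.getsockname()[1]
    closed_port = _unused_udp_port()

    def respond():
        # Minimal "service": reply to whatever arrives, as an echo or NTP daemon would.
        try:
            _, peer = answering.recvfrom(1024)
            answering.sendto(b"reply", peer)
        except socket.timeout:
            pass

    worker = threading.Thread(target=respond, daemon=True)
    worker.start()
    try:
        results = {p: classify_udp("127.0.0.1", p, timeout)
                   for p in (answering_port, silent_port, closed_port)}
    finally:
        worker.join()
        answering.close()
        silent.close()
    return results, answering_port, silent_port, closed_port


if __name__ == "__main__":
    results, *_ = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/udp {state}")
```

The timeout is what makes real UDP scans slow: every open|filtered verdict costs a full wait, and hosts that rate-limit ICMP unreachables (Linux does, though not on loopback) force Nmap to slow down further to keep its closed verdicts reliable.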
Operating system identification. The remote operating system can be probed with the -O option. Nmap narrows down the candidate operating systems by sending different kinds of probes to the host and matching the responses against its fingerprint database; it needs at least one open and one closed TCP port to do so reliably. As shown in Figure 6 (the output below):
[root@coremail ~]# nmap -sS -O 192.168.92.129
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:56 CST
Nmap scan report for 192.168.92.129
Host is up (0.00024s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
11111/tcp open  unknown
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.72 seconds
Ident scan. Attackers are interested in finding hosts where a vulnerable process runs with high privileges, for example a web server running as root. If the target runs identd, the -I option queries it over a TCP connection to learn which user owns the HTTP daemon. Note that the commands below do not actually pass -I: they combine a connect() scan of port 80 with OS detection (-O), and the identd scan has since been removed from modern Nmap releases. For a Linux web server, the commands and output look like this:
[root@coremail ~]# nmap -sT -p 80 -O www.baidu.com
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 12:58 CST
Nmap scan report for www.baidu.com (220.181.6.175)
Host is up (0.0069s latency).
PORT   STATE    SERVICE
80/tcp filtered http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc|WAP|game console
Running (JUST GUESSING): Apple Mac OS X 10.5.X (96%), BlueArc embedded (87%), Kcorp embedded (86%), Nintendo embedded (86%)
Aggressive OS guesses: Apple Mac OS X 10.5.5 (Leopard) (96%), BlueArc Titan 2100 NAS device (87%), Kcorp KLG-575 WAP (86%), Nintendo DS game console (86%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.39 seconds
[root@coremail ~]# nmap -sT -p 80 -O 192.168.92.129
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-08 13:00 CST
Nmap scan report for 192.168.92.129
Host is up (0.00014s latency).
PORT   STATE SERVICE
80/tcp open  http
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.15 - 2.6.30
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.86 seconds
Hiding the scan's source address:
If your system's IP is 192.168.1.20 but you want every packet Nmap sends to carry the source address 20.20.20.20, the following command sends the probes to the host Sandi:
nmap -S 20.20.20.20 -e eth0 -P0 -sS -v Sandi
-P0 (no ping) and -sS (TCP SYN half-open scan) let Nmap run a TCP scan without a preceding ping; -e eth0 names the interface to send from, which Nmap cannot infer once the source address is spoofed. Because the source address is spoofed, the target's replies go to 20.20.20.20 rather than to you, so Nmap will see no results unless you can sniff the replies on the path; the option is mainly useful for confusing the target's logs. The SYN probes may also pass a firewall that only filters completed connections.
To make Nmap send its probes from source port 53, so that a firewall which lets DNS traffic through passes them, and otherwise run the same scan, issue:
nmap -g 53 -S 20.20.20.20 -e eth0 -P0 -sS -v Sandi
Beyond these scans, Nmap offers many more options. It is one of the tools every Linux attacker (and defender) must have: through it we learn what the target system looks like and lay the groundwork for the attacks that follow.
See also: http://os.51cto.com/art/201401/428152.htm (29 concrete Nmap examples)