Linux Port Scan Tools: Nmap and Nwatch
1. Introduction to port scanning
Port scanning is a way of discovering which services a remote server offers by detecting which of its ports are open. Scanners can broadly be divided into two kinds, active and passive. An active scanner sends packets to specific ports on the target server and judges the port state from the reply. The representative tool is Nmap.
A passive scanner sends no packets of its own; it listens on the network for a long period and analyses the traffic it sees. Strictly speaking this is not a port scan at all. The representative tool is Nwatch.
2. Active and passive compared
Advantage of the active type: it obtains results quickly, as long as the other side does not block the communication.
Disadvantages of the active type:
1. Firewalls with blocking functions are increasingly common. Some close a port for a period of time once a port scan is detected, and many machines use filtering so that a service is offered only to specific IP addresses. In such cases the usefulness of an active scan drops sharply.
2. An active scan examines a port only for an instant, so only services in use at that moment can be detected.
3. Port scanning is widely regarded as attack behaviour, so it generally cannot be carried out against machines you are not authorised to test.
Advantage of the passive type: it only listens to the network and does not itself constitute an attack, and because it runs for a long time it can detect changes on a server over a long interval.
Disadvantage of the passive type: because it never sends a request packet, a service on an open port goes undetected if no actual communication with it takes place while it is listening.
3. Installing Nmap
Debian: apt-get install nmap
Fedora Core: yum install nmap
Others: download the source code and compile it
4. How to use Nmap
The four most basic scan types supported by Nmap are:
* TCP connect() port scan (-sT).
* TCP SYN port scan (-sS).
* UDP port scan (-sU).
* Ping scan (-sP).
Ping scans and TCP SYN scans are the most useful when you want an overview of a whole network.
* A ping scan determines whether a host is up by sending ICMP (Internet Control Message Protocol) echo request packets and TCP ACK (acknowledge) packets. It is ideal for finding out how many hosts are running in a given network segment.
* The TCP SYN scan is easiest to understand by comparison with the TCP connect() scan. In a TCP connect() scan the scanner opens a full TCP connection through the operating system's own connect() system call, that is, it completes the whole three-way handshake between the two hosts (SYN, SYN-ACK, ACK). A completed handshake shows that the remote port is open.
* A TCP SYN scan instead creates a half-open connection: after receiving the SYN-ACK the scanner sends a reset (RST) rather than the final ACK (SYN, SYN-ACK, RST). If the remote port is open and listening, the host answers SYN-ACK and Nmap replies with RST; if the port is closed, the host answers RST and Nmap moves on to the next port.
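As an added example (not part of the original article and not Nmap's own code), the following Python is a minimal TCP connect() scanner doing what -sT does, run against a constructed target: a listening socket the script opens itself on a loopback port, plus a second loopback port that is deliberately left closed. It shows two of the points made above: because connect() completes the whole handshake, the service's own accept() receives the scanner's connection, so a connect() scan is visible to the application; and a rescan after the service exits reports the same port closed, because an active scan only sees what is listening at the instant it probes.

```python
import socket

HOST = "127.0.0.1"   # constructed target: a listener we start ourselves


def start_listener(host=HOST):
    """Open a listening TCP socket on an ephemeral loopback port.

    It stands in for a real network service; nothing on the network is touched.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def find_closed_port(host=HOST):
    """Reserve an ephemeral port and release it again, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Active TCP connect() scan, the equivalent of nmap -sT.

    connect() asks the kernel to complete the whole three-way handshake
    (SYN, SYN-ACK, ACK), so:
      - connect() succeeds             -> port open
      - ECONNREFUSED (target sent RST) -> port closed
      - timeout / other error          -> no answer, e.g. dropped by a firewall
    """
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:            # socket.timeout is an OSError subclass
            results[port] = "filtered"
        finally:
            s.close()
    return results


def demo():
    """Scan an open and a closed port, then rescan after the service exits."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_closed_port()
    first = connect_scan(HOST, [open_port, closed_port])

    # The handshake was completed, so the service's accept() hands back the
    # scanner's connection: unlike a half-open SYN scan, -sT is visible to
    # the application and to its logs.
    srv.settimeout(1.0)
    conn, _ = srv.accept()
    conn.close()
    srv.close()

    # Once the service is gone, the same port reports closed: an active scan
    # only sees what is listening at the instant it probes.
    second = connect_scan(HOST, [open_port, closed_port])
    return first[open_port], first[closed_port], second[open_port]


if __name__ == "__main__":
    print(demo())    # ('open', 'closed', 'closed')
```

A SYN scan cannot be written this way: it needs raw sockets (and therefore root), which is exactly why the article notes that -sS requires root while -sT does not.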
-sS: TCP SYN scan (half-open; sends SYN and judges the port from the SYN-ACK or RST reply)
-sT: TCP connect() scan; the full three-way handshake is completed
-sU: UDP scan
-sP: ping scan; sends ICMP echo requests and reports the hosts that answer (newer Nmap releases call this -sn)
-sF: FIN scan
-sX: Xmas scan (FIN, PSH and URG flags set)
-sN: Null scan; sends TCP packets with no flags set, an invalid combination, and judges the port state from the reply (RST means closed, no reply means open or filtered)
-P0: skip host discovery; scan even if the target ignores the ICMP echo request (newer Nmap releases call this -Pn)
-p: port range to scan, e.g. -p 1-100, or a list such as -p 25,100
-O: detect the operating system type
-oN filename: output in normal (human-readable) format
-oX filename: output in XML format (with a DTD)
-oG filename: grepable output format, easy to process with grep
-sV: detect the name and version of the program providing each service
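The -p syntax above (single ports, hyphenated ranges, comma-separated lists, and the T:/U: protocol qualifiers described under "Other options" later on this page) is easy to get subtly wrong when building scans from a script. The following Python parser is an added example, not part of the article or of Nmap, that expands a port specification the way the text describes it; the helper names are mine, and the rejection of port 0 is a simplification I chose (Nmap accepts port 0 only when asked for explicitly).

```python
MAX_PORT = 65535


def parse_port_spec(spec, default_proto="tcp"):
    """Expand an nmap-style -p port specification into sorted (proto, port) pairs.

    Handles what the text describes: single ports, hyphenated ranges, and the
    T:/U: qualifiers, which apply to every following entry until the other one
    appears.  As in nmap, a range may omit either end ("-100", "1024-", "-"),
    meaning 1 and 65535 respectively.  Port 0 and anything above 65535 are
    rejected (a simplification of this example, not nmap's exact rule).
    """
    proto = default_proto
    selected = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty entry in port spec %r" % spec)
        if item[:2].upper() in ("T:", "U:"):
            # qualifier stays in force until the other one is given
            proto = "tcp" if item[0].upper() == "T" else "udp"
            item = item[2:]
        if "-" in item:
            low, high = item.split("-", 1)
            low = int(low) if low else 1
            high = int(high) if high else MAX_PORT
        else:
            low = high = int(item)
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError("bad port range %r in %r" % (item, spec))
        selected.update((proto, port) for port in range(low, high + 1))
    return sorted(selected)


def summarize(pairs):
    """Count selected ports per protocol, e.g. {'tcp': 8, 'udp': 3}."""
    counts = {}
    for proto, _port in pairs:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    ports = parse_port_spec("U:53,111,137,T:21-25,80,139,8080")
    print(summarize(ports))     # {'tcp': 8, 'udp': 3}
```

Note that in the sample specification port 80 ends up as a TCP port, not a UDP one, because the T: qualifier given before 21-25 is still in force; a scan script that assumed the qualifier applied only to the entry it is attached to would probe the wrong protocol.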
Example:
nmap -v target.com
This scans all reserved TCP ports on target.com; -v turns on verbose mode.
nmap -sS -O target.com/24
This starts a SYN scan of the class C network containing target.com and tries to determine the operating system running on each host. It requires root privileges because both the half-open scan and OS detection send raw packets.
Example result:
debianlinux:/etc/init.d# nmap 192.168.1.1

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-30 00:01 JST
Interesting ports on 192.168.1.1:
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   open     http
1720/tcp filtered H.323/Q.931
3128/tcp open     squid-http
5. Installing Nwatch
Required packages:
Perl 5.005_03 or later
Net::Pcap
ndiff 0.05 beta2 or later
libpcap
Debian: apt-get install nwatch
6. How to use Nwatch
-D: network device name, default eth0
-H host/network[:port][t,u]
t or u selects TCP or UDP; the default is TCP
-O: output file name
-fi: interval (seconds) at which the collected data is written to disk, default 300
-si: interval (seconds) at which the data is broken into a new period, default 86400 (one day)
Links
Nmap: http://www.insecure.org/nmap/
Using Nmap on Linux: scanning ports
Nmap (Network Mapper) is a network scanning and sniffing toolkit for Linux with three basic functions: detecting whether a group of hosts is online, scanning host ports to find the network services they offer, and inferring the operating system a host runs. Nmap can be used on anything from a two-node LAN to a network of more than 500 nodes, and it lets the user choose the scanning technique. A simple ping sweep using ICMP often meets the basic requirement; beyond that you can drill down into UDP or TCP ports and on to the operating system the host uses, and record all probe results in a variety of log formats for further analysis.
Ping scan: print the hosts that respond, without further testing (no port scan or OS detection):
nmap -sP 192.168.1.0/24
List scan: only list each host on the specified network, sending no packets to the targets:
nmap -sL 192.168.1.0/24
TCP SYN ping: discover hosts by sending a SYN to the given ports (a comma-separated list such as -PS22,23,25,80; port 80 if none is given):
nmap -PS 192.168.1.234
UDP ping: discover hosts with UDP probes:
nmap -PU 192.168.1.0/24
The most frequently used scan option is the SYN scan, also called the half-open scan; it never opens a full TCP connection and runs quickly:
nmap -sS 192.168.1.0/24
When a SYN scan is not available (for example without the privileges needed for raw packets), the TCP connect() scan is the default TCP scan:
nmap -sT 192.168.1.0/24
UDP scan with the -sU option; it sends an empty (no data) UDP header to each target port:
nmap -sU 192.168.1.0/24
IP protocol scan: determine which IP protocols (TCP, ICMP, IGMP, etc.) the target supports:
nmap -sO 192.168.1.19
Detect the operating system of the target host (-A additionally turns on version detection and other aggressive options):
nmap -O 192.168.1.19
nmap -A 192.168.1.19
Examples from the official Nmap documentation:
nmap -v scanme.nmap.org
Scans all reserved TCP ports on the host scanme.nmap.org; -v enables verbose mode.
nmap -sS -O scanme.nmap.org/24
A stealth SYN scan of the 255 hosts in the class C network containing scanme.nmap.org, trying to determine the operating system of each host that is up. Because of the SYN scan and OS detection, this requires root privileges.
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Host enumeration and TCP scan of the first half of each of the 255 eight-bit subnets in the 198.116 class B address space. The scan checks whether the systems run sshd, DNS, IMAP, or something on port 4564; where a port is open, version detection determines which application is listening.
nmap -v -iR 100000 -P0 -p 80
Picks 100,000 hosts at random and scans them for a web server (port 80). Sending host-discovery probes first would waste time when only one port per host is probed, so -P0 disables host discovery.
nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
Scans 4,096 IP addresses for web servers (without pinging) and saves the results in XML and grepable formats.
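The grepable format is what the -oG file above is for. The following Python is an added example, not part of the original article and not Nmap's or ndiff's code: it parses two constructed -oG snapshots (modelled on the 192.168.1.1 result in the first section; the dates, the extra ports and the "Status: Up" line are made up) and reports which ports opened or closed between them, which is the kind of change over time that Nwatch and ndiff are meant to reveal. The field layout assumed here is the grepable one: tab-separated fields after "Host:", with each port entry written as port/state/proto/owner/service/rpcinfo/version/.

```python
# Two constructed snapshots in nmap's grepable (-oG) format.  Fields after
# "Host:" are tab-separated and each port entry has the form
# port/state/proto/owner/service/rpcinfo/version/.
SCAN_MONDAY = (
    "# Nmap 3.81 scan initiated Mon Aug 29 23:59:00 2005 as: nmap -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 1720/filtered/tcp//h323q931///, "
    "3128/open/tcp//squid-http///\tIgnored State: closed (1658)\n"
    "# Nmap run completed at Mon Aug 29 23:59:20 2005 -- 1 IP address (1 host up) scanned\n"
)

SCAN_TUESDAY = (
    "# Nmap 3.81 scan initiated Tue Aug 30 23:59:00 2005 as: nmap -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "1720/filtered/tcp//h323q931///, 3128/open/tcp//squid-http///, "
    "3306/open/tcp//mysql///\tIgnored State: closed (1658)\n"
    "# Nmap run completed at Tue Aug 30 23:59:25 2005 -- 1 IP address (1 host up) scanned\n"
)


def parse_gnmap(text):
    """Parse -oG output into {host: {(proto, port): (state, service)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                     # "# Nmap ..." header and footer lines
        fields = {}
        for field in line.split("\t"):   # "Host: ...", "Ports: ...", "Ignored State: ..."
            name, _, value = field.partition(": ")
            fields[name] = value
        host = fields["Host"].split()[0]   # "192.168.1.1 (name)" -> address only
        ports = hosts.setdefault(host, {})
        if "Ports" not in fields:
            continue                     # e.g. a "Status: Up" line from host discovery
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")     # version text (last field) may itself contain '/'
            port, state, proto, _owner, service = parts[:5]
            ports[(proto, int(port))] = (state, service)
    return hosts


def open_ports(snapshot, host):
    """Set of (proto, port) reported open for one host; filtered ports do not count."""
    return {key for key, (state, _svc) in snapshot.get(host, {}).items() if state == "open"}


def diff_open_ports(before, after):
    """Per host, which ports became open and which stopped being open."""
    report = {}
    for host in sorted(set(before) | set(after)):
        was, now = open_ports(before, host), open_ports(after, host)
        if was != now:
            report[host] = {"opened": sorted(now - was), "closed": sorted(was - now)}
    return report


if __name__ == "__main__":
    changes = diff_open_ports(parse_gnmap(SCAN_MONDAY), parse_gnmap(SCAN_TUESDAY))
    for host, change in changes.items():
        print(host, "opened:", change["opened"], "closed:", change["closed"])
```

For anything beyond a quick grep, the XML output (-oX) is the safer choice to parse, since the grepable format packs several values into one slash-separated field; the parser above only takes the first five fields of each entry for that reason.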
host -l company.com | cut -d ' ' -f 4 | nmap -v -iL -
Performs a DNS zone transfer to find the hosts in company.com and feeds their IP addresses to Nmap. The commands above are for GNU/Linux; other systems use different commands for zone transfers.
Other options:
-p <port ranges> (scan only the specified ports)
Single ports and hyphenated ranges (such as 1-1023) may be given. When both TCP and UDP ports are scanned, the protocol can be selected by prefixing a port number with T: or U:; the qualifier stays in force until the other one appears. For example, -p U:53,111,137,T:21-25,80,139,8080 scans UDP ports 53, 111 and 137 together with the listed TCP ports.
-F (fast scan: a limited set of ports)
Original: http://hi.baidu.com/ostech/item/92c5e4248e29b94e47996284