Linux Scan Technical Notes
Preface
To check whether a host is alive, the tool we reach for every day is ping; what else is there? This article covers fping and hping for probing host liveness.
To check whether a service is alive, the tool we use most is telnet; what else is there? This article covers nmap and ncat for probing service liveness.
It also covers batch host scans, batch service-port scans, route scanning, and the precautions that protect a system against being scanned.
0. Network security technology
1) Goals (the security point of view): data must be authentic, reliable, complete and under control.
Example: obtaining the weak password of a publicly reachable device
Typical command sequence:
tracert/traceroute: find the number of route hops to the destination address.
nmap: scan hosts and services in bulk to find the open ports (80, 23, 22 and so on).
Then try brute force, for example against http://10.202.4.73 with admin/admin.
nc: hold an interactive login/shell session over the open port.
2) How a network intrusion typically proceeds
Footprinting -> network scanning -> enumeration -> privilege escalation, and so on. Scanning is the second step, which is why the defensive section at the end of this article concentrates on making scans slow and noisy.
One. Host Scan
Common commands:
1) fping
Feature: sends its probes in parallel, so it handles bulk host lists quickly.
2) hping
Building either tool from a source tarball:
1) ./configure: detect the build environment and generate the Makefile
2) make: compile the binary
3) make install: copy the binary to the configured install path
The installed fping version:
[root@localhost fping-3.13]# fping -v
fping: Version 3.13
fping: comments to david@schweikert.ch
1. fping parameter description:
1) man fping or fping -h shows the help
2) Commonly used options (case matters):
-a show only the hosts that are alive
-u show only the hosts that are unreachable
-g generate the target list from a network segment (CIDR or start/end address)
-f read the target list from a file
Examples
[root@localhost fping-3.13]# fping -a -g 114.114.114.1/24
114.114.114.110
114.114.114.114
114.114.114.119
fping -a -f /ip_list.txt
fping -u -f /ip_list.txt
(With -a, the "ICMP Host Unreachable" messages for dead hosts go to stderr; append 2>/dev/null when you only want the list on stdout, for example to feed it into nmap.)
2. hping host scan
1) Send a TCP probe to a specific port
-p port: destination port
-S: set the SYN flag (TCP mode)
The following sysctl tells the kernel to ignore all ICMP echo requests, which is how many hosts are made "invisible" to ping:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Even on a host that ignores ping, hping still tells you whether the host and the port are up, because the TCP stack must answer a SYN: with SYN/ACK (flags=SA) if the port is open, with RST/ACK (flags=RA) if it is closed. Only silence means the probe was filtered.
[root@localhost hping-master]# hping -p 135 -S 192.168.1.107
HPING 192.168.1.107 (eth0 192.168.1.107): S set, 40 headers + 0 data bytes
len= ip=192.168.1.107 ttl= DF id=841 sport=135 flags=SA seq=0 win=8192 rtt=2.7 ms
len= ip=192.168.1.107 ttl= DF id=1121 sport=135 flags=SA seq=1 win=8192 rtt=0.9 ms
len= ip=192.168.1.107 ttl= DF id=1374 sport=135 flags=SA seq=2 win=8192 rtt=0.8 ms
len= ip=192.168.1.107 ttl= DF id=1777 sport=135 flags=SA seq=3 win=8192 rtt=0.9 ms
(the len= and ttl= values were lost when this capture was copied; flags=SA on every reply is the point: port 135 is open and the host is alive although it drops ping)
2) Spoofing the source address (hping -a <address>, or --rand-source for a random one per packet) is how hping is also used to simulate the SYN-flood style of DDoS discussed in section Four.
Two. Route scanning
Purpose: find the hop count and the per-hop latency from one host to another.
Commands:
1) traceroute
2) mtr (tests connectivity hop by hop along the route)
How traceroute works: by default it sends UDP datagrams to high, normally unused ports (starting at 33434) with an increasing TTL; every router that discards an expired packet sends back an ICMP Time Exceeded message, which reveals its address, and the destination answers the final probe with ICMP Port Unreachable.
traceroute options:
-T send TCP SYN probes instead of UDP
-p destination port (with -T the port to connect to; in UDP mode the starting port)
-I (capital i) send ICMP Echo probes
-n do not resolve IP addresses to host names
Examples:
Mode one: the default UDP probes.
[root@localhost hping-master]# traceroute www.baidu.com
traceroute to www.baidu.com (61.135.169.125), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  3.377 ms  2.129 ms  3.747 ms
 2  112.237.12.1 (112.237.12.1)  3.658 ms  3.287 ms  3.295 ms
 3  221.0.68.245 (221.0.68.245)  8.835 ms  8.374 ms 221.0.68.45 (221.0.68.45)  6.011 ms
 4  218.56.4.65 (218.56.4.65)  22.628 ms  22.172 ms  21.733 ms
 5  219.158.98.229 (219.158.98.229)  28.242 ms 219.158.98.225 (219.158.98.225)  24.119 ms 219.158.96.33 (219.158.96.33)  27.358 ms
 6  124.65.194.158 (124.65.194.158)  26.988 ms  27.691 ms  30.738 ms
 7  124.65.59.166 (124.65.59.166)  60.235 ms  59.844 ms  59.422 ms
 8  61.49.168.78 (61.49.168.78)  24.938 ms 61.49.168.82 (61.49.168.82)  23.435 ms 61.49.168.78 (61.49.168.78)  22.323 ms
 9  * * *
10  * * *
(hops 11 to 30 are likewise * * *: nothing answered after hop 8 and the destination was never reached)
Mode two: ICMP echo probes.
[root@localhost hping-master]# traceroute -I -n www.baidu.com
traceroute to www.baidu.com (61.135.169.x), 30 hops max, 60 byte packets
 1  192.168.1.1     1.962 ms  2.268 ms  1.985 ms
 2  112.237.x.1     3.588 ms  4.704 ms  4.505 ms
 3  221.0.x.x       6.415 ms  6.062 ms  5.797 ms
 4  218.56.4.x     22.058 ms 21.805 ms 21.701 ms
 5  219.158.x.x    21.344 ms 21.184 ms 21.016 ms
 6  124.65.194.158 26.865 ms 26.571 ms 26.289 ms
 7  124.65.x.166   19.953 ms 24.586 ms 24.241 ms
 8  61.49.168.x    23.946 ms 22.079 ms 21.584 ms
 9  * * *
10  61.135.169.x   20.379 ms 22.970 ms 21.124 ms
(x marks an octet that was lost when this capture was copied; hop 10 is the destination itself)
Mode three: TCP SYN probes to port 80.
[root@localhost hping-master]# traceroute -T -p 80 -n www.baidu.com
traceroute to www.baidu.com (61.135.169.125), 30 hops max, 60 byte packets
 1  192.168.1.1  10.428 ms  3.382 ms  3.105 ms
 2  * * *
 3  221.0.68.245  6.938 ms  6.462 ms 221.0.68.21  5.914 ms
 4  * * *
 5  219.158.96.33  29.864 ms 219.158.96.29  23.532 ms 219.158.96.37  23.160 ms
 6  124.65.194.158  32.945 ms  32.642 ms  32.350 ms
 7  124.65.59.166  24.625 ms  23.980 ms  25.939 ms
 8  * * *
 9  * * *
10  61.135.169.125  22.750 ms  22.076 ms *
The address 61.135.169.125 for www.baidu.com can be confirmed with nslookup www.baidu.com.
Conclusion:
With TCP or ICMP probes traceroute reaches the destination address; with the default UDP probes the path goes dark after hop 8 and the destination never answers. The high UDP ports are unusual traffic that the destination's network can safely drop, whereas ICMP echo and TCP port 80 are exactly what a web server must answer to serve its users, so those probes get through. When a trace fails, switch the probe type to one the target is known to permit before concluding that the route is broken. Note that a hop that shows * * * in one mode but answers in another (hops 2 and 4 above) is simply filtering that probe type, not down.
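The comparison made by eye above (which hops answered, where the path went dark, whether the destination itself replied) is easy to automate once traceroute's output is parsed. The following Python script is an added example, not code from the post or from the traceroute project; the two sample traces embedded in it are constructed excerpts modelled on the UDP and TCP runs shown above (the UDP one cut after hop 10), and the field names in the summary are my own.

```python
import re

# Added example (not from the original post): parse what Linux traceroute
# prints and summarize where the path stops answering. UDP_TRACE and
# TCP_TRACE are constructed excerpts modelled on the runs shown above.

HEADER = re.compile(r"traceroute to (\S+) \((\d+\.\d+\.\d+\.\d+)\), (\d+) hops max")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <routers and rtts or *>"
ADDR = re.compile(r"\d+\.\d+\.\d+\.\d+")
RTT = re.compile(r"([\d.]+) ms")

UDP_TRACE = """\
traceroute to www.baidu.com (61.135.169.125), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  3.377 ms  2.129 ms  3.747 ms
 2  112.237.12.1 (112.237.12.1)  3.658 ms  3.287 ms  3.295 ms
 3  221.0.68.245 (221.0.68.245)  8.835 ms  8.374 ms 221.0.68.45 (221.0.68.45)  6.011 ms
 4  218.56.4.65 (218.56.4.65)  22.628 ms  22.172 ms  21.733 ms
 5  219.158.98.229 (219.158.98.229)  28.242 ms 219.158.98.225 (219.158.98.225)  24.119 ms 219.158.96.33 (219.158.96.33)  27.358 ms
 6  124.65.194.158 (124.65.194.158)  26.988 ms  27.691 ms  30.738 ms
 7  124.65.59.166 (124.65.59.166)  60.235 ms  59.844 ms  59.422 ms
 8  61.49.168.78 (61.49.168.78)  24.938 ms 61.49.168.82 (61.49.168.82)  23.435 ms 61.49.168.78 (61.49.168.78)  22.323 ms
 9  * * *
10  * * *
"""

TCP_TRACE = """\
traceroute to www.baidu.com (61.135.169.125), 30 hops max, 60 byte packets
 1  192.168.1.1  10.428 ms  3.382 ms  3.105 ms
 2  * * *
 3  221.0.68.245  6.938 ms  6.462 ms 221.0.68.21  5.914 ms
 4  * * *
 5  219.158.96.33  29.864 ms 219.158.96.29  23.532 ms 219.158.96.37  23.160 ms
 6  124.65.194.158  32.945 ms  32.642 ms  32.350 ms
 7  124.65.59.166  24.625 ms  23.980 ms  25.939 ms
 8  * * *
 9  * * *
10  61.135.169.125  22.750 ms  22.076 ms *
"""


def parse_traceroute(text):
    """Return (destination_ip, hops); each hop is {hop, addrs, rtts, lost}.

    A hop line may list several routers (per-flow load balancing) and '*' for
    probes that got no answer. With reverse lookups on, an address appears
    twice ("1.2.3.4 (1.2.3.4)"), so addresses are deduplicated in order.
    """
    dest, hops = None, []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            dest = m.group(2)
            continue
        m = HOP.match(line)
        if not m:
            continue
        rest = m.group(2)
        addrs = []
        for a in ADDR.findall(rest):
            if a not in addrs:
                addrs.append(a)
        hops.append({
            "hop": int(m.group(1)),
            "addrs": addrs,
            "rtts": [float(x) for x in RTT.findall(rest)],
            "lost": rest.count("*"),
        })
    return dest, hops


def summarize(dest, hops):
    """Did the destination answer, which hops were silent, where did answers stop?"""
    return {
        "reached": any(dest in h["addrs"] for h in hops),
        "last_answering_hop": max((h["hop"] for h in hops if h["addrs"]), default=0),
        "silent_hops": [h["hop"] for h in hops if not h["addrs"]],
        "hops": len(hops),
    }


if __name__ == "__main__":
    for name, trace in (("udp", UDP_TRACE), ("tcp", TCP_TRACE)):
        print(name, summarize(*parse_traceroute(trace)))
```

Run with a live capture by piping traceroute into it (`traceroute -n host | python3 trace_summary.py`, reading sys.stdin instead of the constants); the "reached" flag is what distinguishes "the path is filtered for this probe type" from "the destination is down".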
mtr command example:
mtr is a very good connectivity diagnosis tool on Linux; it combines ping, traceroute and nslookup, probing every hop continuously and showing per-hop loss and latency statistics instead of the three samples traceroute gives.
[root@localhost hping-master]# mtr www.baidu.com
                             My traceroute  [v0.75]
localhost.localdomain (0.0.0.0)                          Sat Nov 02:01:35 2015
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                             Packets               Pings
 Host                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 192.168.1.1                               0%    32    3.8   4.3   2.1  11.1   1.5
 2. 112.237.12.1                              0%    32    3.8   4.5   2.8  11.3   1.6
 3. 221.0.68.21                               0%    32    9.5   7.9   3.5  13.7   2.3
 4. 218.56.4.65                               0%    32   23.8  23.3  21.5  25.5   1.1
 5. 219.158.98.221                            0%    32   25.0  25.8  21.4  70.3   8.3
 6. 124.65.194.166                            0%    31   31.6  29.0  25.1  32.9   2.1
 7. 124.65.58.62                              0%    31   24.6  29.0  19.9  53.3  10.8
 8. 123.125.248.46                            0%    31   23.2  22.7  19.6  29.0   2.0
 9. ???
10. ???
11. 61.135.169.121                            0%    31   22.8  23.1  20.3  25.9   1.5
(the day of the month was lost from the timestamp; ??? marks hops that never answered. This run resolved www.baidu.com to 61.135.169.121 rather than .125 and took a slightly different path, which is normal for a load-balanced site.)
Three. Batch service scan
Purpose:
1) quickly get the liveness of many hosts;
2) get the state of the services running on those hosts.
Typical commands:
1) nmap
2) ncat (known as the Swiss Army knife of networking)
1) nmap usage:
By default nmap scans the 1000 most commonly used ports of each protocol (the list comes from nmap-services), not a contiguous range. To scan an explicit range use -p:
nmap -p 0-30000 <target>
Scan types (options are case-sensitive):
1) Ping scan (-sP; newer versions call it -sn): host discovery only, no port scan. Simple, fast and efficient for finding live hosts.
2) TCP SYN scan (-sS): half-open connection. 1. efficient, 2. harder to notice because no connection is ever completed, so most applications never log it, 3. the default when nmap runs as root (it needs raw-socket privileges).
3) TCP connect scan (-sT): full three-way handshake. 1. looks like a real client request, 2. results are reliable, and it works without root, but every connection shows up in the target's logs.
4) UDP scan (-sU): probes UDP services. 1. slow, because closed ports answer with rate-limited ICMP and open ports often answer nothing, 2. finds services that a TCP-only firewall policy still leaves reachable.
[root@localhost nmap-7.00]# nmap -sP 192.168.119.0/24
Starting Nmap 7.00 ( https://nmap.org ) at <timestamp lost in the copy> PST
Warning: File ./nmap-payloads exists, but Nmap is using /usr/local/bin/../share/nmap/nmap-payloads for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Nmap scan report for 192.168.119.1
Host is up (0.00038s latency).
MAC Address: xx:xx:xx:C0:xx:xx (VMware)
Nmap scan report for 192.168.119.2
Host is up (0.00013s latency).
MAC Address: xx:xx:xx:EC:C8:xx (VMware)
Nmap scan report for 192.168.119.254
Host is up (0.00011s latency).
MAC Address: xx:xx:xx:E0:xx:E6 (VMware)
Nmap scan report for 192.168.119.x
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.01 seconds
(MAC addresses and the last octet of the fourth host were lost in the copy; the fourth host, reported without latency or MAC, is the scanning machine itself. On a local Ethernet nmap discovers hosts with ARP requests, which is why it can print MACs and why icmp_echo_ignore_all does not hide a host from it.)
[root@localhost nmap-7.00]# nmap -sS 192.168.119.1
Starting Nmap 7.00 ( https://nmap.org ) at <timestamp lost in the copy> PST
Warning: File ./nmap-services exists, but Nmap is using /usr/local/bin/../share/nmap/nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Nmap scan report for 192.168.119.1
Host is up (0.00021s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
902/tcp   open  iss-realsecure
912/tcp   open  apex-mesh
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1028/tcp  open  unknown
1038/tcp  open  mtqp
5678/tcp  open  rrac
10000/tcp open  snet-sensor-mgmt
MAC Address: xx:xx:xx:C0:xx:xx (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
(13 open plus 987 closed is exactly the default 1000-port set. The SERVICE column is only the name nmap-services assigns to the port number, not a detected service; add -sV to actually identify what is listening.)
2) ncat usage (single-port probing; TCP by default)
-w set the connection timeout in seconds
-z zero-I/O mode: only report whether the connection succeeds, send nothing
-v verbose: show what ncat is doing
-u use UDP instead of TCP
[root@localhost ~]# ncat -v -w2 202.118.66.66 80
Ncat: Version 7.00 ( https://nmap.org/ncat )
Ncat: Connected to 202.118.66.66:80.
"Connected" means the port is open (add -z so ncat exits right away instead of waiting for input); "Ncat: Connection refused." means the host is up but the port is closed; "Ncat: Connection timed out." after the -w seconds means the probe was filtered.
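Both the hping probe in section One (a host that ignores ping still answers a SYN) and the nmap -sT / ncat -z probes in this section come down to the same thing: a connect() attempt whose outcome, handshake completed, refused, or silence, tells you about the host and the port. The following Python script is an added example, not code from the post or from the nmap project; it needs no raw sockets or root, starts its own target listener on 127.0.0.1 so it runs offline, and uses nmap's open/closed/filtered vocabulary for the result.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example (not from the original post or from nmap): a TCP connect
# scanner. The listener on 127.0.0.1 is constructed by the script itself so
# the example runs offline; everything else is the standard library.


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for host:port (nmap's vocabulary).

    open     -> handshake completed: the target sent SYN/ACK
    closed   -> the target sent RST (connection refused): host alive, nothing listening
    filtered -> no answer within the timeout, or the network said unreachable:
                something dropped the probe and we learned nothing about the host
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:            # includes the timeout (TimeoutError is an OSError)
            return "filtered"


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Probe many ports in parallel, as fping does for hosts; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, states))


def host_is_up(host, ports, timeout=1.0):
    """Any open OR closed answer proves the host is alive, whatever it does with ICMP."""
    return any(st in ("open", "closed") for st in scan_ports(host, ports, timeout).values())


def start_local_listener():
    """Constructed target: an accept-and-close TCP listener on a free 127.0.0.1 port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:        # listener closed: stop the thread
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Ask the kernel for an unused port and release it: a connect there gets RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    closed_port = free_port()
    for port, state in sorted(scan_ports("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{port}/tcp {state}")
    print("host up:", host_is_up("127.0.0.1", [open_port, closed_port]))
    srv.close()
```

Because every probe completes the handshake, the target's application logs (and the RST rate-limit rule in section Four) will see it; that is the trade-off against the SYN scan that hping and nmap -sS perform, which needs raw-socket privileges.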
Four. How to guard against malicious scanning
Common attacks:
1) SYN flood:
abuses the TCP handshake: the attacker sends SYNs (usually from spoofed sources) and never completes the handshake, so half-open connections fill the listen queue and the service stops responding or becomes very slow.
2) DDoS (distributed denial of service):
the service receives, from many sources at the same time, a huge number of requests that each look like normal traffic.
3) Malicious scanning.
Mitigating SYN-type DDoS
Method one: reduce how often the kernel retransmits SYN+ACK, so half-open entries expire sooner
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
(tcp_synack_retries is the one that matters for a flooded server; tcp_syn_retries only affects connections this host initiates.)
Method two: SYN cookies (the server keeps no state for half-open connections: it encodes what it needs in the SYN+ACK sequence number and only allocates the connection when the third handshake packet comes back)
sysctl -w net.ipv4.tcp_syncookies=1
Method three: enlarge the SYN backlog queue
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
(sysctl -w changes are lost at reboot; put the same keys in /etc/sysctl.conf to make them permanent.)
Other protective measures on Linux
Measure 1: ignore ICMP echo requests
sysctl -w net.ipv4.icmp_echo_ignore_all=1
(This only hides the host from ping-style sweeps; as sections One and Three show, hping and nmap still find it through TCP or ARP.)
Measure 2: rate-limit probes with iptables
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
The first rule lets through a burst of 5 new connections and then 1 per second, the second limits RST replies (a port scan hitting closed ports produces a flood of them), the third limits ping. Two caveats: these rules ACCEPT the packets within the limit and do nothing else, so they only throttle anything if a later rule or the chain policy drops the excess (for example iptables -A FORWARD -p tcp --syn -j DROP after the first rule); and they sit on the FORWARD chain, so they protect hosts behind this machine, not the machine itself, for which the same rules go on INPUT. Rate limits and SYN cookies raise the attacker's cost; they cannot help once the flood exceeds the bandwidth of your uplink.
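The iptables rules above throttle scans and floods but record nothing about who sent them. Adding a LOG rule in front of them (for example iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j LOG --log-prefix "IPT: ") makes the kernel write one line per matched SYN, and those lines are enough to tell a port scan (one source, many ports) from a SYN flood (one port, many sources at a high rate). The following Python script is an added example, not code from the post; the "IPT: " prefix, the hosts, ports, time stamps and thresholds are all made up for the example, and the log lines are constructed in the script rather than captured.

```python
import re
from collections import defaultdict

# Added example (not from the original post): detect port scans and SYN floods
# in the kernel lines written by an iptables LOG rule with --log-prefix "IPT: ".
# Prefix, hosts, ports, timestamps and thresholds are invented for the example.

LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+IPT:.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=TCP\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+).*?\bSYN\b"
)


def parse_log(lines):
    """Yield (timestamp, src, dst, dport) for each TCP SYN the LOG target recorded."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield float(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def _max_in_window(evs, window, measure):
    """Slide a time window over (ts, value) pairs; return the largest measure() seen."""
    evs.sort()
    best, lo = (0, 0), 0
    for hi in range(len(evs)):
        while evs[hi][0] - evs[lo][0] > window:
            lo += 1
        cand = measure(evs[lo:hi + 1])
        if cand > best:
            best = cand
    return best


def detect_port_scans(events, window=10.0, min_ports=15):
    """(src, dst) pairs where one source hit >= min_ports distinct ports within `window` s."""
    per_pair = defaultdict(list)
    for ts, src, dst, dpt in events:
        per_pair[(src, dst)].append((ts, dpt))
    hits = {}
    for key, evs in per_pair.items():
        n_ports, _ = _max_in_window(evs, window, lambda w: (len({p for _, p in w}), 0))
        if n_ports >= min_ports:
            hits[key] = n_ports
    return hits


def detect_syn_floods(events, window=1.0, min_rate=100, min_sources=20):
    """(dst, dport) pairs that got >= min_rate SYNs from >= min_sources sources in `window` s."""
    per_target = defaultdict(list)
    for ts, src, dst, dpt in events:
        per_target[(dst, dpt)].append((ts, src))
    hits = {}
    for key, evs in per_target.items():
        n, srcs = _max_in_window(evs, window, lambda w: (len(w), len({s for _, s in w})))
        if n >= min_rate and srcs >= min_sources:
            hits[key] = (n, srcs)
    return hits


def analyse(lines):
    events = list(parse_log(lines))
    return {"scans": detect_port_scans(events), "floods": detect_syn_floods(events)}


def _line(ts, src, dst, spt, dpt):
    """Build one constructed LOG line in the kernel's ipt_LOG field layout."""
    return (f"kernel: [{ts:12.6f}] IPT: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TOS=0x00 "
            f"PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")


SAMPLE_LOG = (
    # benign: one client opening three sessions to 443 over a minute
    [_line(10.0 + i * 20, "10.0.0.7", "192.168.1.10", 50000 + i, 443) for i in range(3)]
    # port scan: 25 different ports on one host within 5 s (what nmap -sS looks like)
    + [_line(100.0 + i * 0.2, "192.168.1.50", "192.168.1.10", 40000 + i, 1 + i) for i in range(25)]
    # SYN flood: 150 SYNs to :80 in 0.75 s from 150 spoofed sources (hping --rand-source)
    + [_line(200.0 + i * 0.005, f"203.0.113.{1 + i % 250}", "192.168.1.10", 1024 + i, 80)
       for i in range(150)]
)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for (src, dst), n in report["scans"].items():
        print(f"port scan: {src} -> {dst} touched {n} ports")
    for (dst, dpt), (n, srcs) in report["floods"].items():
        print(f"SYN flood: {dst}:{dpt} got {n} SYNs from {srcs} sources within 1 s")
```

On a real box, feed it `journalctl -k` or /var/log/kern.log filtered on the prefix; because the LOG rule itself carries the --syn match, only connection-opening SYNs reach the script. A flood report with many sources and a scan report are the two signals that justify tightening the limit rules above or blocking the source.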
2015-11-29, written at home
Ming Yi World
Please credit the source when reposting; original address: http://blog.csdn.net/laoyang360/article/details/50095987