Nmap tutorial: Nmap command examples (Nmap usage), server penetration tool

Source: Internet
Author: User
Tags: ftp protocol

NMAP is a useful tool for network scanning and host detection. NMAP is not limited to collecting information and enumeration, but can also be used as a vulnerability detector or security scanner. It is applicable to Windows, Linux, Mac, and other operating systems.

Nmap is a very powerful utility that can be used to detect hosts on the network (host discovery), detect the ports opened on those hosts (port discovery or enumeration), detect the software and version behind each port (service discovery), detect the operating system, hardware address and software version, and detect vulnerabilities (Nmap scripts). Nmap is a very common tool; it has both a command-line interface and a graphical user interface.

This tutorial covers the following: an introduction to Nmap, the important scan parameters, operating system detection, and an Nmap usage tutorial.

Nmap uses different techniques to perform scanning, including TCP connect() scan, reverse TCP ident scan and FTP bounce scan. All of these scan types have their own advantages and disadvantages; we will discuss them later. How Nmap is used depends on the target host, because there is a difference between a simple (basic) scan and an advanced scan: we need to use some advanced techniques to bypass firewalls and intrusion detection/prevention systems to obtain correct results. Below are some basic commands and their usage examples.

To scan a single host, the command is as follows:

The Code is as follows:

# nmap nxadmin.com
# nmap 192.168.1.2

Run the following command to scan the entire subnet:

The Code is as follows:

# nmap 192.168.1.1/24

Run the following command to scan multiple targets:

The Code is as follows:

# nmap 192.168.1.2 192.168.1.5

Scan targets within a range, as shown below:

The Code is as follows:

# nmap 192.168.1.1-100    (scans every host from 192.168.1.1 to 192.168.1.100)

If you have a list of IP addresses, save it as a text file in the same directory as nmap and scan all the hosts in that file. The command is as follows:

The Code is as follows:

# nmap -iL target.txt

To list all the hosts that would be scanned without actually scanning them (a list scan), run the following command:

The Code is as follows:

# nmap -sL 192.168.1.1/24

To scan all hosts in a subnet except one IP address, the command is:

The Code is as follows:

# nmap 192.168.1.1/24 --exclude 192.168.1.1

To scan a subnet except the IP addresses listed in a file, the command is:

The Code is as follows:

# nmap 192.168.1.1/24 --excludefile xxx.txt    (the hosts listed in xxx.txt are excluded from the scan)

To scan ports 80, 21 and 23 on a specific host, the command is as follows:

The Code is as follows:

# nmap -p 80,21,23 192.168.1.1


That covers the basic Nmap usage. Next we will discuss Nmap's scanning techniques in depth.

TCP SYN scan (-sS) is a basic scanning method, also called half-open scanning. With this technique Nmap obtains information from the remote host without completing the three-way handshake: it sends a SYN packet to the remote host but never establishes a session. Because no session is formed, the scan leaves no log records on the target host; this is the advantage of SYN scanning. If the nmap command does not specify a scan type, the default is TCP SYN, but it requires root/Administrator privileges.

The Code is as follows:

# nmap -sS 192.168.1.1

TCP connect() scan (-sT): if you do not choose SYN scan, TCP connect() scan is the default scan mode. Unlike TCP SYN scanning, TCP connect() scanning completes the three-way handshake by calling the system's connect(). TCP connect() scan is only applicable to TCP and UDP ports.

The Code is as follows:

# nmap -sT 192.168.1.1

UDP scan (-sU), as its name implies, finds the UDP ports opened on the target host. It does not send any SYN packets, because it targets UDP ports. A UDP scan sends a UDP packet to the target host and waits for a response. If an ICMP port unreachable error is returned, the port is closed; if a valid response is received, the port is open.

The Code is as follows:

# nmap -sU 192.168.1.1

FIN scan (-sF)

Sometimes a TCP SYN scan is not the best choice because a firewall is in the way. The target host may be protected by IDS and IPS systems, and the firewall may block SYN packets. Sending a packet with only the FIN flag set does not require completing the TCP handshake.

The Code is as follows:

# nmap -sF 192.168.1.8

Starting Nmap 5.51 at 2012-07-08 19:21 PKT
Nmap scan report for 192.168.1.8
Host is up (0.000026s latency).
Not shown: ...
PORT    STATE         SERVICE
111/tcp open|filtered rpcbind

FIN scanning does not create logs on the target host (one of its advantages). The related scan types differ in the flags they send: the FIN scan packet sets only the FIN flag, the NULL scan sets no flags at all, and the Xmas scan sends packets with the FIN, PSH and URG flags set.

Ping scan (-sP)

Ping scanning differs from the other scan methods because it is only used to identify whether a host is on the network; it does not detect whether any port is open. Ping scan requires root privileges; without them, ping scan falls back to connect().

The Code is as follows:

# nmap -sP 192.168.1.1

Version detection (-sV)

Version detection identifies the version of the software running on each port of the target host. Unlike the other scan techniques it is not used to find open ports; it needs open ports to probe in order to determine the software version. So before running version detection, you first use a TCP SYN scan to find which ports are open.

The Code is as follows:

# nmap -sV 192.168.1.1
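The SYN-scan-then-version-detection workflow just described, as an added example that is not part of the original tutorial: a small POSIX shell helper reads the greppable (-oG) output of a first SYN scan and builds the follow-up -sV command restricted to the ports found open. The sample output is constructed, not a real scan, and the function names (ports_in_state, version_scan_cmd) are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: turn the greppable (-oG)
# output of a first-pass SYN scan into the port list for a follow-up
# version-detection (-sV) scan, so -sV only probes ports already known open.
#
# Constructed sample of "nmap -sS -oG - 192.168.1.0/24" output (not a real
# scan). Real -oG output separates fields with tabs; the parser below
# accepts tabs or spaces.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sS -oG - 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open|filtered/tcp//rpcbind///  Ignored State: closed (997)
Host: 192.168.1.2 ()  Status: Up
Host: 192.168.1.2 ()  Ports: 21/open/tcp//ftp///, 23/closed/tcp//telnet///  Ignored State: filtered (998)
# Nmap done -- 256 IP addresses (2 hosts up) scanned'

# ports_in_state HOST STATE: print the comma-separated TCP ports of HOST whose
# state field equals STATE exactly ("open", "closed", ...). "open|filtered"
# entries are deliberately not matched by "open": they are unconfirmed.
ports_in_state() {
    printf '%s\n' "$SAMPLE_GNMAP" | awk -v host="$1" -v want="$2" '
        $1 == "Host:" && $2 == host && index($0, "Ports: ") {
            s = substr($0, index($0, "Ports: ") + 7)  # keep only the port list
            sub(/[ \t]+Ignored State:.*/, "", s)        # drop the trailing summary
            n = split(s, entry, ", ")                   # port/state/proto/owner/service/...
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == want && f[3] == "tcp")
                    out = out (out == "" ? "" : ",") f[1]
            }
        }
        END { print out }'
}

# version_scan_cmd HOST: emit the nmap -sV command for HOST, limited to the
# ports the SYN scan reported open. Returns 1 (printing nothing on stdout)
# when there is nothing to probe, so a caller does not run a pointless -sV.
version_scan_cmd() {
    ports=$(ports_in_state "$1" open)
    if [ -z "$ports" ]; then
        echo "no open TCP ports recorded for $1; skipping -sV" >&2
        return 1
    fi
    printf 'nmap -sV -p %s %s\n' "$ports" "$1"
}

# Stand-alone demo: print the follow-up command for every host in the sample.
for h in 192.168.1.1 192.168.1.2 192.168.1.99; do
    version_scan_cmd "$h" || true
done
```

In real use, replace the embedded sample with the file written by `nmap -sS -oG syn.gnmap ...` and feed that to the same awk logic.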

Idle scan (-sI)

Idle scan is an advanced scanning technique. Instead of sending packets from your real host IP address, it uses another host (a zombie) on the target network to send the packets.

The Code is as follows:

# nmap -sI 192.168.1.6 192.168.1.1

Idle scan is an ideal anonymous scanning technique. It sends packets to host 192.168.1.1 via 192.168.1.6 on the target network to find the ports opened on 192.168.1.1.

Some other scanning techniques exist, such as FTP bounce, fragmentation scan and IP protocol scan; the most important scanning methods have been discussed above.

Nmap OS detection (-O)

One of the most important features of Nmap is its ability to remotely detect operating systems and software. Nmap's OS detection is very useful in penetration testing for learning the operating system and software of remote hosts; from that information you can look up known vulnerabilities. Nmap has a database named nmap-os-db that contains fingerprints for more than 2600 operating systems. Nmap sends TCP and UDP packets to the target machine and then checks the results against the database.

The Code is as follows:

Initiating SYN Stealth Scan at 19:21
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 111/tcp on 127.0.0.1
Completed SYN Stealth Scan at 19:21, 0.08s elapsed (1000 total ports)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)

The example above clearly shows that Nmap first discovers an open port and then sends packets to fingerprint the remote operating system. The OS detection parameter is -O (uppercase O).


Nmap's operating system fingerprinting reports:

Device type (router, workgroup, etc.)
Running (the operating system family)
OS details (the name and version of the operating system)
Network distance (the number of hops between the target and the attacker)

If the remote host is protected by a firewall, IDS or IPS, use the -Pn option so that Nmap does not ping the remote host first, because the firewall sometimes blocks ping requests. -Pn tells Nmap not to ping the remote host.

The Code is as follows:

# nmap -O -Pn 192.168.1.1/24

The command above tells Nmap to treat the remote hosts as alive on the network, so there is no need to send a ping request. With -Pn you skip the ping step without affecting the OS detection.

Nmap's OS detection needs both an open and a closed port. If the OS scan cannot find at least one open and one closed port, the following warning is returned:

The Code is as follows:

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

That is, the OS scan results are unreliable because at least one open and one closed port could not be found.


This situation is not ideal; it is probably because the remote host has taken precautions against OS detection. If Nmap cannot detect the remote OS type, you can use --osscan-limit, which skips OS detection on hosts that do not have at least one open and one closed port.

Guessing the OS of such a host is relatively difficult, so you need Nmap's guess option: --osscan-guess makes Nmap report the OS type that most closely matches the target.

The Code is as follows:

# nmap -O --osscan-guess 192.168.1.1

The scan types are described below.

-sT TCP connect() scan: This is the most basic TCP scan method. connect() is a system call provided by the operating system to open a connection. If a program is listening on the target port, connect() returns successfully; otherwise the port is unreachable. The biggest advantage of this technique is that you do not need root privileges; any UNIX user can use this system call. This kind of scan is easily detected: a large number of connection requests and error messages are recorded in the target host's logs.

-sS TCP SYN scan: Because it does not open a full TCP connection, this technique is generally called half-open scanning. You send a TCP SYN packet and wait for a response. If the other side returns a SYN|ACK packet, the target port is listening; if an RST packet is returned, the target port has no listener. When a SYN|ACK is received, the source host immediately sends an RST (reset) packet to tear down the connection, which is actually done automatically by our operating system kernel. The biggest benefit of this technique is that few systems log it. However, you need root privileges to craft the SYN packets.

-sF -sX -sN stealth FIN, Xmas tree and NULL scan modes: These modes are used when even a SYN scan is not stealthy enough. Some firewalls and packet-filtering software watch for SYN packets sent to restricted ports, and programs such as synlogger and Courtney can detect those scans. These advanced scan methods can evade such interference. The theory behind them is this: a closed port must respond to your probe packet with an RST, while an open port must ignore the packet in question (see RFC 793, page 64). The FIN scan uses a bare FIN packet as the probe, while the Xmas tree scan sets the FIN, URG and PUSH flags. Unfortunately, Microsoft decided to ignore this standard entirely and do things their own way, so this scan method does not work against Windows 95/NT. From another angle, you can use this to tell the two kinds of platform apart: if this scan method finds open ports, you can be sure the target is not running Windows. If a -sF, -sX or -sN scan shows all ports closed while a SYN scan shows open ports, the target host is probably running Windows. This trick is not very useful now that Nmap has built-in OS detection. Several other systems behave the same way as Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: all of them send reset packets from open ports when they should drop the probe.

-sP ping scan: Sometimes you just want to know which hosts on the network are up at the moment. Nmap does this by sending an ICMP echo request packet to every IP address in the network you specify; a host that is up responds. Unfortunately some sites, such as Microsoft.com, block ICMP echo request packets. By default Nmap therefore also sends a TCP ACK packet to port 80; if an RST packet comes back, the host is up. A third technique Nmap uses is to send a SYN packet and wait for an RST or SYN/ACK packet. For non-root users Nmap uses the connect() method. By default Nmap uses the ICMP and ACK techniques in parallel. Note that Nmap performs a ping scan in any case, and only performs the subsequent scan on hosts that are up; use this option only when you want to know whether the target host is up and do not want to perform any other scan.

-sU UDP scan: If you want to know which UDP (User Datagram Protocol, RFC 768) services a host provides, use this scan method. Nmap first sends a 0-byte UDP packet to each port of the target host. If we receive an ICMP port unreachable message, the port is closed; otherwise we assume it is open. Some may think UDP scanning is meaningless, but I often think of the recent Solaris rpcbind defect: rpcbind was hidden on an undocumented UDP port with a number above 32770, so even if port 111 is blocked by the firewall, can you find out whether a program is listening on any port above 30000? Use UDP scan! The cDc Back Orifice backdoor hides on a configurable UDP port on Windows hosts. Leaving common security defects aside, services such as SNMP, TFTP and NFS use the UDP protocol. Unfortunately UDP scanning is sometimes very slow, because most hosts limit the rate of ICMP error messages (as recommended in RFC 1812). For example, the Linux kernel (in net/ipv4/icmp.h) only allows 80 destination unreachable ICMP messages every 4 seconds; if this rate is exceeded, a 1/4 second penalty is imposed. Solaris is stricter, allowing only about two ICMP unreachable messages per second, which slows scanning down. Nmap detects this rate limit and slows its sending rate instead of flooding the target with useless packets it will discard. Microsoft, however, ignores the RFC 1812 suggestion and imposes no limit on this rate, so we can quickly scan all 65k ports on a host running Win95/NT.

-sA ACK scan: This advanced scan method is usually used to map the rule set of a firewall. In general, it helps determine whether a firewall is stateful or a simple packet filter that only blocks incoming SYN packets. This scan sends an ACK packet (with random acknowledgement/sequence numbers) to the given ports. If an RST packet comes back, the port is classified as unfiltered; if nothing comes back, or an ICMP unreachable message is returned, the port is classified as filtered. Note: Nmap normally does not print unfiltered ports, so it usually does not display all tested ports in its output. Obviously this scan method cannot find ports in the open state.

-sW Window scan: This advanced scan technique is very similar to the ACK scan, except that it can sometimes detect open ports, because some operating systems report an irregular TCP window size. These systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. You can get the complete list from the archives of the nmap-hackers mailing list.

-sR RPC scan: This method is used in combination with the other Nmap port scan methods. It takes all the open ports and sends them the SunRPC program NULL command to determine whether they are RPC ports and, if so, which program and version number they carry. This way you can obtain some of this information even behind a firewall. Decoy scanning cannot currently be used together with RPC scanning.

-b FTP bounce attack: The FTP protocol (RFC 959) has an interesting feature: it supports proxy FTP connections. That is, I can connect to the FTP server target.com from evil.com and ask that FTP server to send files anywhere on the Internet for me! This feature worked well when RFC 959 was finished in 1985, but on today's Internet we cannot allow people to hijack FTP servers and send data to arbitrary nodes. As Hobbit wrote in a 1995 article, this protocol "can be used to deliver virtually untraceable mail and news, hammer on servers at various sites, fill up disks, hop firewalls, and generally be annoying and hard to track down". We can use this feature to scan TCP ports via a proxy FTP server: connect to an FTP server behind the firewall and perform the port scan from there. If the FTP server has a readable directory, you can also send data to the target port (but Nmap cannot do that for you). The argument passed to the -b option is the FTP server you want to use as the proxy. Syntax: -b username:password@server:port. Everything except server is optional. If you want to know which servers have this defect, see my article in Phrack 51; the latest version of that article is also available on the Nmap site.

General options: these are not required, but they are useful.

-P0 Do not ping the host before scanning. Some network firewalls do not allow ICMP echo requests through; use this option to scan such networks. Microsoft.com is one example, so you should always use the -P0 or -PT80 option when scanning that site.

-PT Before scanning, use TCP ping to determine which hosts are up. Instead of sending an ICMP echo request packet and waiting for a response, Nmap sends a TCP ACK packet to the target network (or single host) and waits for a response; if the host is up it returns an RST packet. This option is useful when the target network/host blocks ping packets but still lets you scan it. For non-root users we use the connect() system call to implement this. Use -PT<port> to set the target port; the default port is 80, because that port is usually not filtered.

-PS For root users, this option makes Nmap use SYN packets instead of ACK packets to probe the target host. If the host is up, it returns an RST packet (or a SYN/ACK packet).

-PI This option makes Nmap use a real ping (ICMP echo request) to determine whether the target host is up. When you use this option to discover running hosts, Nmap also looks at your directed subnet broadcast addresses. A directed subnet broadcast address is an externally reachable IP address that turns a packet from outside into an IP broadcast packet on an internal subnet and delivers it to every computer on that subnet. Such IP broadcast packets should be dropped, since they can be used for DoS attacks (such as Smurf).

