Port Scan ——— Nmap

Source: Internet
Author: User

Nmap Tutorial: Nmap command examples (how to use Nmap)
Updated: 2014-03-29 17:23

Nmap is a very useful tool for network scanning and host detection. It is not limited to collecting information and enumerating hosts; it can also be used as a vulnerability detector or security scanner. It runs on operating systems such as Windows, Linux and macOS.

Nmap is a very powerful utility that can be used to:

• detect hosts on the network (host discovery)
• detect open ports on a host (port discovery or enumeration)
• detect the service behind each port (service discovery)
• detect software versions and the operating system
• detect hardware addresses
• detect vulnerabilities (Nmap scripts)

Nmap is a very common tool that has both a command-line interface and a graphical user interface. This tutorial covers the following: an introduction to Nmap, its important scanning parameters, operating system detection, and how to use Nmap. Nmap uses different techniques to perform a scan, including the TCP connect() scan, the TCP reverse ident scan, the FTP bounce scan, and others. Each of these scan types has its own pros and cons, which we discuss below. How Nmap is used depends on the target host, since there is a difference between a simple (basic) scan and an advanced one. Advanced techniques are needed to get correct results through firewalls and intrusion detection/prevention systems. Here are some basic commands and examples of their usage.

Scan a single host with the following command:

The code is as follows:

#nmap nxadmin.com

Scan the entire subnet with the following command:

The code is as follows:


To scan multiple targets, the command is as follows:

The code is as follows:


Scan a range of targets, as follows:

The code is as follows:

#nmap (scan IP address for all hosts in

If you have a list of IP addresses, save it as a TXT file in the same directory as Nmap and scan all hosts in that file with the following command:

The code is as follows:

#nmap -iL target.txt

If you want to see a list of all the hosts you scanned, use the following command:

The code is as follows:


Scan all hosts in a subnet except one IP address with the following command:

The code is as follows:


Scan the hosts in a subnet, excluding the IP addresses listed in a file:

The code is as follows:

#nmap 192.168.1.1/24 --excludefile xxx.txt (the hosts listed in xxx.txt are excluded from the scan)

Scan ports 80, 21 and 23 on a specific host with the following command:

The code is as follows:


From the above we have learned the basics of Nmap; below we discuss Nmap's scanning techniques in more depth.

TCP SYN Scan (-sS)

This is the basic scanning method, also known as half-open scanning, because it lets Nmap obtain information from the remote host without completing the full handshake. Nmap sends a SYN packet to the remote host but never establishes a session, so the target host records no session in its logs. This is the advantage of the SYN scan. If no scan type is given on the Nmap command line, TCP SYN is the default, but it requires root/administrator privileges.

The code is as follows:


TCP Connect() Scan (-sT)

If the SYN scan cannot be used, the TCP connect() scan is the default scan mode. Unlike the TCP SYN scan, the TCP connect() scan completes the three-way handshake by calling the system's connect(). The TCP connect() scan technique is used only to locate TCP and UDP ports.

The code is as follows:


UDP Scan (-sU)

As the name implies, the UDP scan looks for UDP ports opened by the target host. It does not send any SYN packets, because the technique targets UDP ports. The scan sends a UDP packet to the destination host and waits for a response: if an ICMP port unreachable error comes back, the port is closed; if a valid response is received, the port is open.

The code is as follows:


FIN Scan (-sF)

Sometimes the TCP SYN scan is not the best scanning mode because a firewall is present. The target host may be protected by IDS and IPS systems, and the firewall blocks SYN packets. Sending a packet with the FIN flag set does not require completing the TCP handshake.

The code is as follows:

#nmap -sF 192.168.1.8

Starting Nmap 5.51 at 2012-07-08 19:21 PKT
Nmap scan report for 192.168.1.8
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT    STATE         SERVICE
111/tcp open|filtered rpcbind

The FIN scan also does not create logs on the target host (one of the benefits of FIN scanning). The scan types differ in the flags they set: a FIN scan sends packets with only the FIN flag, a NULL scan sends packets with no flag bits set, and an Xmas scan sends packets with the FIN, PSH and URG flags set.

Ping Scan (-sP)

The ping scan differs from the other scanning methods in that it is used only to find out whether a host is present on the network, not whether ports are open. The ping scan requires root privileges; if the user does not have root privileges, it falls back to the connect() call.

The code is as follows:


Version Detection (-sV)

Version detection scans for the version of the software running on the target host's ports. Unlike other scanning techniques it is not meant to find open ports, but it needs information from an open port to determine the software version, so run a TCP SYN scan first to learn which ports are open before using version detection.

The code is as follows:


Idle Scan (-sI)

Idle scan is an advanced scanning technique that does not send packets from your real host IP; instead it uses another host on the target network to send the packets.

The code is as follows:


Idle scan is an ideal anonymous scanning technique: it sends packets to the host through another host on the target network in order to discover open ports.

Other scanning techniques exist, such as the FTP bounce scan, the fragmentation scan and the IP protocol scan; the ones discussed here are among the most important scanning methods.

Nmap OS Detection (-O)

One of the most important features of Nmap is remote detection of the operating system and software. Nmap's OS detection is very useful in penetration testing for learning the remote host's operating system and software; with that information you can look up known vulnerabilities. Nmap has a database called nmap-os-db that contains fingerprints for more than 2600 operating systems. Nmap sends TCP and UDP packets to the target machine and then checks the results against the database.

The code is as follows:

Initiating SYN Stealth Scan at 10:21
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 111/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:21, 0.08s elapsed (1000 total ports)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)

The above example clearly shows that Nmap first discovers an open port and then sends packets to identify the remote operating system. The operating system detection parameter is -O (capital O).

Nmap's operating system fingerprinting reports:

• Device type (router, workgroup, etc.)
• Running (the operating system family)
• OS details (name and version of the operating system)
• Network distance (number of hops between the scanner and the target)

If the remote host has a firewall, IDS or IPS, use the -PN option so that Nmap does not ping the remote host, because the firewall sometimes blocks ping requests. -PN tells Nmap not to ping the remote host.

The code is as follows:


The above command tells Nmap that the remote host is alive on the network, so there is no need to send a ping request; the -PN parameter skips the ping but does not affect OS detection of the host.

Nmap's operating system detection relies on finding both an open and a closed port. If the OS scan cannot find at least one open and one closed port, the following warning is returned:

The code is as follows:


Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

This situation is undesirable; the remote host has probably been protected against operating system detection. If Nmap cannot detect the remote operating system type, there is no need to use --osscan-limit.

It can be hard for Nmap to identify the remote operating system precisely; in that case use Nmap's guessing option, --osscan-guess, which reports the closest matching operating system type.

The code is as follows:


The following describes each scan type.

-sT TCP connect() scan: This is the most basic TCP scanning method. connect() is the system call the operating system provides to open a connection. If a program is listening on the target port, connect() returns successfully; otherwise the port is unreachable. The biggest advantage of this technique is that root privileges are not needed: any UNIX user can use this system call. The scan is easily detected, and a large number of connection requests and error messages are logged on the target host.

-sS TCP SYN scan: This technique is often called a half-open scan because it does not open a full TCP connection. You send a TCP SYN packet and wait for the response. If the other side returns a SYN|ACK packet, the target port is listening; if it returns an RST packet, nothing is listening on the target port. When a SYN|ACK packet is received, the source host immediately sends an RST (reset) packet to tear down the connection with the target host; this is done automatically by our operating system kernel. The biggest benefit of this technique is that few systems log it. However, root privileges are needed to craft the SYN packet.

-sF -sX -sN stealth FIN, Xmas tree and NULL scan modes: Used when even a SYN scan is not stealthy enough. Some firewalls and packet filters watch for SYN packets sent to restricted ports, and programs such as Synlogger and Courtney can detect those scans. These advanced scanning methods can evade such monitoring. The rationale behind them is that a closed port must respond to your probe packet with an RST, while an open port must ignore the problematic packet (see page 64 of RFC 793). The FIN scan uses a bare FIN packet as the probe, while the Xmas tree scan sets the FIN, URG and PUSH flags of the packet. Unfortunately, Microsoft decided to ignore this standard entirely and reinvent the rules, so this scanning method is not valid for Windows 95/NT. Seen from another angle, you can use this method to tell the two kinds of platform apart: if this scan finds open ports, the target is not running Windows; if -sF, -sX or -sN show all ports closed while a SYN scan shows open ports, the target host is probably running Windows. This approach is not of much use now, because Nmap has built-in OS detection. Several other systems behave like Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: they send a reset packet from open ports where the packet should have been discarded.

-sP ping scan: Sometimes you just want to know which hosts on the network are up at the moment. Nmap does this by sending an ICMP echo request to each IP address in the range you specify; hosts that are up respond. Unfortunately, some sites such as microsoft.com block ICMP echo requests. However, by default Nmap can also send a TCP ACK packet to port 80; if an RST packet comes back, the host is up. A third technique Nmap uses is to send a SYN packet and wait for an RST or SYN/ACK. For non-root users, Nmap uses the connect() method. By default (as root), Nmap uses the ICMP and ACK techniques in parallel. Note that Nmap performs the ping scan in any case and only scans hosts that are up in subsequent steps; this option is used only when you want to know whether the target host is up and do not want to perform other scans.

-sU UDP scan: Use this scanning method to find out which UDP (User Datagram Protocol, RFC 768) services are available on a host. Nmap sends a 0-byte UDP packet to each port on the target host; if an ICMP port unreachable message comes back, the port is closed, otherwise we assume it is open. Some people might think UDP scanning is pointless, but I often think of the recent Solaris rpcbind flaw: rpcbind was hidden on an undocumented UDP port above 32770, so even if port 111 (portmap's well-known port) is blocked by a firewall, can you find out which port above 30000 the program is listening on? A UDP scan can! The cDc Back Orifice backdoor hides on a configurable UDP port on Windows hosts. And services such as SNMP, TFTP and NFS use UDP, quite apart from their usual security flaws. Unfortunately, UDP scanning is sometimes very slow because most hosts rate-limit ICMP error messages (as recommended in RFC 1812). For example, the Linux kernel (in net/ipv4/icmp.h) allows only 80 destination unreachable messages every 4 seconds and imposes a 1/4 second penalty when this rate is exceeded. Solaris is stricter, allowing only about 2 ICMP unreachable messages per second, which makes scanning slower still. Nmap detects this rate limit and slows its sending rate, rather than sending a large number of useless packets that the target host will discard. However, Micro$oft ignored the RFC 1812 suggestion and does not limit this rate at all, so all 65K ports on a host running Windows 95/NT can be scanned quickly.

-sA ACK scan: This advanced scanning method is typically used to map a firewall's ruleset. In particular, it helps determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets. The scan sends an ACK packet (with random acknowledgment/sequence numbers) to the specified ports. If an RST packet comes back, the port is marked as unfiltered. If nothing comes back, or an ICMP unreachable message is returned, the port is classed as filtered. Note that Nmap usually does not print unfiltered ports, so normally none of the probed ports appear in the output. Obviously, this scanning method cannot identify ports that are in the open state.

-sW window scan: This advanced scanning technique is very similar to the ACK scan, except that it can sometimes detect open ports, because some operating systems report an irregular TCP window size. These systems include at least: some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. A complete list is available in the archives of the nmap-hackers mailing list.
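As an added example (not from the original tutorial or from the Nmap project), the following Python encodes the response rules given above for the SYN, FIN/NULL/Xmas, ACK and UDP scans (the "closed port answers RST, open port stays silent" reasoning from RFC 793 and the earlier FIN scan output), and shows how a defender can recognise those probe types in captured TCP flag data by counting distinct ports per source. The packet tuples and the threshold are constructed sample values.

```python
from collections import defaultdict

# TCP flag bits as laid out in RFC 793 (PSH/URG are what distinguish an Xmas probe)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Bare flag combinations that characterise each probe type discussed in the tutorial
SCAN_SIGNATURES = {
    SYN: "SYN scan (-sS)",
    0: "NULL scan (-sN)",
    FIN: "FIN scan (-sF)",
    FIN | PSH | URG: "Xmas scan (-sX)",
    ACK: "ACK scan (-sA / -sW)",
}


def classify_probe(flags):
    """Name the probe type for a packet's TCP flags, or None for ordinary traffic
    (SYN|ACK replies, PSH|ACK data segments and so on match no signature)."""
    return SCAN_SIGNATURES.get(flags & 0x3F)


def detect_scans(packets, port_threshold=3):
    """packets: iterable of (src_ip, dst_ip, dst_port, tcp_flags) tuples.
    A single SYN or ACK is normal handshake traffic, so a source is reported only
    when one probe type from it has touched at least port_threshold distinct ports.
    Returns {(src_ip, probe_type): sorted distinct ports} for such sources."""
    ports_seen = defaultdict(set)
    for src, _dst, port, flags in packets:
        kind = classify_probe(flags)
        if kind is not None:
            ports_seen[(src, kind)].add(port)
    return {key: sorted(ports) for key, ports in ports_seen.items()
            if len(ports) >= port_threshold}


def infer_port_state(scan, response):
    """Port state Nmap derives from a reply, following the rules in the text.
    response is 'SYN|ACK', 'RST', 'ICMP_UNREACH', 'UDP_DATA' or None (silence)."""
    if scan == "-sS":
        return {"SYN|ACK": "open", "RST": "closed"}.get(response, "filtered")
    if scan in ("-sF", "-sN", "-sX"):  # RFC 793: closed ports answer RST, open ports
        return "closed" if response == "RST" else "open|filtered"  # say nothing
    if scan == "-sA":  # ACK probes only reveal whether a filter sits in front of the port
        return "unfiltered" if response == "RST" else "filtered"
    if scan == "-sU":
        return {"ICMP_UNREACH": "closed", "UDP_DATA": "open"}.get(response, "open|filtered")
    raise ValueError(f"unknown scan type {scan!r}")


# Constructed sample capture: 192.168.1.5 FIN-probes four ports on 192.168.1.8,
# while 192.168.1.9 performs one ordinary three-way handshake to port 80.
SAMPLE_PACKETS = [
    ("192.168.1.5", "192.168.1.8", 21, FIN),
    ("192.168.1.5", "192.168.1.8", 23, FIN),
    ("192.168.1.5", "192.168.1.8", 80, FIN),
    ("192.168.1.5", "192.168.1.8", 111, FIN),
    ("192.168.1.9", "192.168.1.8", 80, SYN),
    ("192.168.1.8", "192.168.1.9", 80, SYN | ACK),
    ("192.168.1.9", "192.168.1.8", 80, ACK),
]

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} against ports {ports}")
```

The flag-only classifier is deliberately simple: the Windows behaviour described above (RST from open ports) means that inferred "open|filtered" results depend on the target's TCP stack, which is why the detector reports the probe type and port spread rather than trying to judge what the scanner learned.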

-sR RPC scan: This method is used together with Nmap's other port scanning methods. It takes all the open ports found and sends them SunRPC program NULL commands to determine whether they are RPC ports and, if so, which program and version they serve. This way you can get some of this information even through a firewall. Decoy scanning cannot currently be combined with RPC scanning.

-b FTP bounce attack: The FTP protocol (RFC 959) has an interesting feature: support for proxy FTP connections. That is, I can connect to the FTP server target.com from evil.com and ask that FTP server to send files anywhere on the Internet on my behalf. This feature worked well in 1985, when RFC 959 was finished. On today's Internet, however, we cannot let people hijack an FTP server to send data to any node on the Internet. As Hobbit wrote in an article in 1995, this protocol "can be used to deliver virtually untraceable mail and news, access servers at various sites, fill hard disks, skip firewalls, and cause other harassment, and it is hard to track". We can use this feature to scan TCP ports from a proxy FTP server: connect to an FTP server behind the firewall, then perform a port scan. If you have a writable directory on that FTP server, you can also send data to the destination port (but Nmap cannot do that for you). The argument to the -b option is the FTP server you want to use as the proxy. The syntax is: -b username:password@server:port. Everything except the server is optional. To find out which servers have this flaw, see the article I published in Phrack 51; the latest version of that article is also available on Nmap's site.

Common options: these are not required, but are useful.

-P0 Do not ping the host before scanning. Some networks have firewalls that do not let ICMP echo requests through; use this option to scan them. microsoft.com is one example, so always use -P0 or -PT80 when scanning that site.

-PT Use a TCP ping to determine which hosts are up before scanning. Instead of sending an ICMP echo request and waiting for a reply, Nmap sends a TCP ACK packet to the target network (or a single host) and waits for a response; an RST packet comes back if the host is up. This option is useful when the target network/host blocks ping but still lets you scan it. For non-root users, the connect() system call is used to implement it. Use -PT to set the destination port; the default is 80, because that port is usually not filtered.

-PS For the root user, this option makes Nmap probe the target host with SYN packets instead of ACK packets. An RST (or SYN/ACK) packet comes back if the host is up.

-PI Set this option to make Nmap use a real ping (ICMP echo request) to check whether the target host is up. Using it lets Nmap discover running hosts while also observing your directed subnet broadcast addresses. A directed subnet broadcast address is an externally reachable IP address that turns external packets into an IP broadcast inside a computer subnet. Such broadcasts should be disabled because of denial of service attacks (for example, Smurf).
