The first experience of Nmap

Source: Internet
Author: User
Tags: ack

I recently came into contact with Nmap and found it to be a powerful tool. It is said that the NSA uses it, which gives some idea of how capable it is. If you have seen the movie "The Matrix", you will find Nmap there too: in the still from the film, the computer screen on the left shows Nmap's interface.

==========

Nmap has many parameters, and there is no need to memorize them all; the commonly used ones listed below are generally enough. One of the main reasons for writing this post is to make it easy to look them up quickly later, when you have forgotten them.

==========

Common:

Ping scan (ping sweeping)

A scanner uses Nmap to discover which hosts on a whole network are alive. A ping scan is started with the "-sP" option. By default, Nmap sends an ICMP echo request and a TCP ACK to every scanned host; any kind of response from a host tells Nmap that the host is up.

Example: scan the 192.168.1.0/24 network:

# nmap -sP 192.168.1.0/24

==========

Port Scan (ports scanning)

An attacker who uses a TCP connect scan is easy to discover, because Nmap uses the connect() system call to open a connection to each port on the target and completes the full TCP three-way handshake, so the connection to an open port is logged on the host. A TCP connect scan uses the "-sT" option, as follows:

# nmap -sT 192.168.1.152

==========

Covert Scan (Stealth scanning)

If an attacker does not want the scan to be recorded in the target's system log, a TCP SYN scan helps: it rarely leaves a record on the target machine, because the three-way handshake is never completed. A SYN scan starts by sending a SYN packet (the first packet of a TCP connection). Any open port answers with SYN|ACK. Instead of replying with ACK, however, the scanner sends RST, and the connection is aborted. Because the handshake is never completed, very few sites log such a probe. If the port is closed, the response to the initial SYN is an RST, which lets Nmap know that the port is not listening. The "-sS" option sends a SYN scan to the probed host or network:

~# nmap -sS 192.168.1.152
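From the defender's side, the behaviour described above is exactly what a SYN scan looks like on the wire: a SYN answered by SYN|ACK and then aborted with RST, repeated across many ports, and never a completed handshake. The following added example (my own code, not part of the original post) classifies flows in a constructed packet log and reports sources that probe many ports without ever completing a handshake; the packet log, the flag encoding and the `min_ports` threshold are all assumptions made for the example.

```python
"""Spot half-open (SYN) scans in a constructed TCP packet log.

Added example, not part of the original post. A SYN scan sends SYN,
gets SYN|ACK from open ports (or RST from closed ones) and answers
SYN|ACK with RST instead of ACK, so the handshake never completes.
A connect() scan, by contrast, completes the handshake and is logged.
"""
from collections import defaultdict

# Constructed packet log: (src, dst, dport, direction, flags).
# "->" is client to server, "<-" is server to client.
PACKETS = [
    ("10.0.0.5", "192.168.1.152", 22, "->", "S"),
    ("10.0.0.5", "192.168.1.152", 22, "<-", "SA"),
    ("10.0.0.5", "192.168.1.152", 22, "->", "R"),     # half-open, aborted with RST
    ("10.0.0.5", "192.168.1.152", 23, "->", "S"),
    ("10.0.0.5", "192.168.1.152", 23, "<-", "R"),     # closed port answers RST
    ("10.0.0.5", "192.168.1.152", 80, "->", "S"),
    ("10.0.0.5", "192.168.1.152", 80, "<-", "SA"),
    ("10.0.0.5", "192.168.1.152", 80, "->", "R"),
    ("10.0.0.5", "192.168.1.152", 443, "->", "S"),    # filtered: no answer at all
    # A normal client: full handshake to one port, then data.
    ("10.0.0.9", "192.168.1.152", 80, "->", "S"),
    ("10.0.0.9", "192.168.1.152", 80, "<-", "SA"),
    ("10.0.0.9", "192.168.1.152", 80, "->", "A"),
    ("10.0.0.9", "192.168.1.152", 80, "->", "PA"),
]


def classify_flows(packets):
    """Group packets per (src, dst, dport) and label each flow as
    'completed', 'half_open', 'closed_port' or 'no_reply'."""
    flows = defaultdict(list)
    for src, dst, dport, direction, flags in packets:
        flows[(src, dst, dport)].append((direction, flags))
    labels = {}
    for key, pkts in flows.items():
        client = [f for d, f in pkts if d == "->"]
        server = [f for d, f in pkts if d == "<-"]
        if "SA" in server and "A" in client:      # plain ACK completes the handshake
            labels[key] = "completed"
        elif "SA" in server and "R" in client:    # SYN|ACK answered with RST
            labels[key] = "half_open"
        elif "R" in server:                       # target said the port is closed
            labels[key] = "closed_port"
        else:                                     # SYN with no response
            labels[key] = "no_reply"
    return labels


def find_syn_scanners(packets, min_ports=3):
    """Return sources that probed at least `min_ports` distinct ports on one
    destination and never completed a handshake with it.
    `min_ports` is an assumed threshold for this example."""
    labels = classify_flows(packets)
    per_pair = defaultdict(lambda: {"probed": set(), "completed": set()})
    for (src, dst, dport), label in labels.items():
        bucket = per_pair[(src, dst)]
        if label == "completed":
            bucket["completed"].add(dport)
        else:
            bucket["probed"].add(dport)
    return sorted(
        src for (src, dst), b in per_pair.items()
        if len(b["probed"]) >= min_ports and not b["completed"]
    )


if __name__ == "__main__":
    for key, label in classify_flows(PACKETS).items():
        print(key, label)
    print("likely SYN scanners:", find_syn_scanners(PACKETS))
```

The same grouping also exposes the difference between a SYN scan and a connect scan: the connect scan's flows end up in the "completed" bucket, which is why the post says it shows up in the target's logs, while the SYN scan only ever produces half-open, closed-port or no-reply flows.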

==========

Operating system identification (OS fingerprinting)

An intruder is usually familiar with the vulnerabilities of a particular operating system and can easily break into a machine running it. A common option is TCP/IP fingerprinting: the "-O" option determines the type of the remote operating system. It can be combined with a port scan, but not with a ping scan. Nmap narrows down the operating system by sending different kinds of probes to the host. The TCP fingerprinting checks include the FIN probe technique, which observes how the target responds; the BOGUS flag probe, which checks how the remote host reacts to a SYN packet carrying an undefined flag; and TCP initial sequence number (ISN) sampling, which finds patterns in ISN values. The remote operating system can also be determined in other ways. There is an authoritative article about fingerprinting by Fyodor, who is also Nmap's author, at: http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Nmap's operating system detection is very accurate and effective. For example, fingerprinting a Solaris 2.7 stack combined with a SYN scan:

# nmap -sS -O 192.168.1.109

==========

Parameters:

Port scan

Port scanning is the most basic and core function of Nmap; it determines whether the TCP/UDP ports of the target host are open.

By default, Nmap scans the 1000 TCP ports most likely to be open.

Nmap classifies each probed port into one of 6 states:

    1. Open: the port is open.
    2. Closed: the port is closed.
    3. Filtered: the port is screened by a firewall or IDS/IPS, so its state cannot be determined.
    4. Unfiltered: the port is reachable (not blocked), but whether it is open still needs to be determined.
    5. Open|filtered: the port is either open or blocked.
    6. Closed|filtered: the port is either closed or blocked.
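To make the six states concrete, here is an added example (my own code, not from the original post or from the Nmap project) that parses the port table of Nmap's normal text output into those states and summarizes it. The sample output is constructed by hand to cover every state; the helper names are my own.

```python
"""Parse the port table of Nmap's normal output into the six port states.

Added example, not part of the original post. SAMPLE_OUTPUT is a
constructed report, not a real scan result.
"""
import re
from collections import Counter

# Constructed sample of Nmap's normal output covering all six states.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.152
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT     STATE           SERVICE
22/tcp   open            ssh
25/tcp   filtered        smtp
53/udp   open|filtered   domain
111/tcp  unfiltered      rpcbind
135/tcp  closed|filtered msrpc
8080/tcp closed          http-proxy
"""

PORT_STATES = {"open", "closed", "filtered", "unfiltered",
               "open|filtered", "closed|filtered"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s*(\S*)")
# Matches both "Not shown: 994 closed ports" and the newer
# "Not shown: 994 closed tcp ports (reset)" wording.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+)\b")


def parse_port_table(text):
    """Return (ports, not_shown): ports is a list of dicts with port, proto,
    state and service; not_shown counts the states Nmap summarised in the
    'Not shown' line instead of listing each port."""
    ports, not_shown = [], Counter()
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[m.group(2)] += int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if not m:
            continue
        state = m.group(3)
        if state not in PORT_STATES:
            raise ValueError(f"unexpected port state {state!r} in: {line}")
        ports.append({"port": int(m.group(1)), "proto": m.group(2),
                      "state": state, "service": m.group(4) or None})
    return ports, not_shown


def state_summary(text):
    """Count ports per state, including the 'Not shown' bucket, so the
    total equals the number of ports Nmap actually probed."""
    ports, not_shown = parse_port_table(text)
    summary = Counter(p["state"] for p in ports)
    summary.update(not_shown)
    return summary


def open_ports(text):
    """Ports a defender should review first: confirmed open, plus
    open|filtered, which Nmap could not rule out."""
    ports, _ = parse_port_table(text)
    return [(p["port"], p["proto"]) for p in ports
            if p["state"] in ("open", "open|filtered")]


if __name__ == "__main__":
    print(dict(state_summary(SAMPLE_OUTPUT)))
    print("review first:", open_ports(SAMPLE_OUTPUT))
```

Note that the "Not shown" line carries most of the information: in the sample, 994 of the 1000 default ports are closed, and only the six listed lines needed a closer look.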

Scan mode options

  1. -sS/sT/sA/sW/sM: scan the target host with a TCP SYN, connect(), ACK, window or Maimon scan, respectively.
  2. -sU: scan the UDP port state of the target host using a UDP scan.
  3. -sN/sF/sX: use the TCP Null, FIN and Xmas stealth scan modes to help probe the other side's TCP port state.
  4. --scanflags <flags>: customize the TCP packet flags.
  5. -sI <zombiehost[:probeport]>: scan the target host using idle scan mode (a suitable zombie host is required).
  6. -sY/sZ: use SCTP INIT/COOKIE-ECHO scans to determine whether SCTP ports are open.
  7. -sO: use an IP protocol scan to determine which protocols the target machine supports.
  8. -b <FTP relay host>: use FTP bounce scan mode.

Port parameters and Scan order

  1. -p <port ranges>: scan the specified ports.
  2. Examples: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9 (where T stands for the TCP protocol, U for the UDP protocol and S for the SCTP protocol).
  3. -F: fast mode, only the top 100 ports are scanned.
  4. -r: do not randomize the port order (without this option Nmap scans the ports in random order, which makes the scan harder for the other side's firewall to detect).
  5. --top-ports <number>: scan the <number> ports with the highest probability of being open. (Nmap's authors ran a large-scale Internet scan to count how often each port is open on the network, and the resulting list of most likely open ports is recorded in the file nmap-services. By default, Nmap scans the 1000 most likely TCP ports.)
  6. --port-ratio <ratio>: scan the ports whose open frequency is above the specified ratio. This is similar to --top-ports, but takes a probability as the parameter, so that every port with a probability above --port-ratio is scanned. The parameter must obviously lie between 0 and 1; the concrete probability of each port can be looked up in the nmap-services file.
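Both the -p syntax in item 2 and the frequency-based selection in items 5 and 6 are easy to misread, so here is an added example (my own code, not from the original post or from Nmap) that expands a -p specification into (protocol, port) pairs and then reproduces the --top-ports and --port-ratio selection over a small nmap-services-style table. The table follows the layout of nmap-services (service name, port/protocol, open frequency), but its numbers are made up for the example, and the helper names are mine.

```python
"""Work through Nmap's -p port specification and its --top-ports /
--port-ratio selection.

Added example, not part of the original post. NMAP_SERVICES below is a
constructed fragment in the format of the nmap-services file; the
frequencies are invented.
"""
import re

# Constructed nmap-services-style lines (the real file has thousands).
NMAP_SERVICES = """\
# Fields: name port/protocol open-frequency
http    80/tcp    0.484143
telnet  23/tcp    0.221265
https   443/tcp   0.208669
ftp     21/tcp    0.197667
ssh     22/tcp    0.182286
smtp    25/tcp    0.131314
domain  53/udp    0.213496
snmp    161/udp   0.433467
"""

PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp"}


def parse_port_spec(spec):
    """Expand an Nmap -p specification into a set of (proto, port).

    Handles single ports, ranges and the T:/U:/S: prefixes; as in Nmap,
    a prefix stays in effect until the next one. Without any prefix the
    protocol defaults to 'tcp' (assumed for a TCP scan in this example).
    """
    ports, proto = set(), "tcp"
    for item in spec.split(","):
        item = item.strip()
        m = re.match(r"^([TUS]):(.*)$", item, re.IGNORECASE)
        if m:
            proto, item = PREFIXES[m.group(1).upper()], m.group(2)
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {item}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


def load_frequencies(text):
    """Parse nmap-services-style lines into {(proto, port): frequency},
    skipping comments and blank lines."""
    freqs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _name, portproto, freq = line.split()
        port, proto = portproto.split("/")
        freqs[(proto, int(port))] = float(freq)
    return freqs


def top_ports(freqs, n, proto="tcp"):
    """Mimic --top-ports n for one protocol: the n ports with the highest
    open frequency, most likely first."""
    cands = [(p, f) for (pr, p), f in freqs.items() if pr == proto]
    cands.sort(key=lambda pf: (-pf[1], pf[0]))
    return [p for p, _ in cands[:n]]


def ports_above_ratio(freqs, ratio, proto="tcp"):
    """Mimic --port-ratio for one protocol: every port whose open frequency
    exceeds `ratio`, which must lie between 0 and 1."""
    if not 0.0 <= ratio <= 1.0:
        raise ValueError("ratio must be between 0 and 1")
    return sorted(p for (pr, p), f in freqs.items() if pr == proto and f > ratio)


if __name__ == "__main__":
    print(sorted(parse_port_spec("U:53,111,137,T:21-25,80,139,8080,S:9")))
    table = load_frequencies(NMAP_SERVICES)
    print("top 3 tcp:", top_ports(table, 3))
    print("tcp above 0.2:", ports_above_ratio(table, 0.2))
```

The point worth noticing is that --top-ports and --port-ratio select per protocol, which is why the later example with -sS -sU --top-ports 300 ends up probing 300 TCP and 300 UDP ports rather than 300 in total.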

Usage of version detection

    1. -sV: tell Nmap to perform version detection.
    2. --version-intensity <level>: set the version detection intensity (0-9); the default is 7. The higher the value, the more accurately the service is identified, but the longer the scan takes.
    3. --version-light: use light detection mode (intensity 2).
    4. --version-all: try every probe (intensity 9).
    5. --version-trace: display detailed information about the version detection process.

OS detection usage

    1. -O: tell Nmap to perform OS detection.
    2. --osscan-limit: restrict OS detection to promising hosts (the host must have at least one open and one closed port).
    3. --osscan-guess: guess the host's operating system type aggressively. Accuracy drops a lot, but Nmap will report the most likely operating system to the user wherever it can.

==========

Nmap Advanced Usage

Firewall/IDS evasion

Evasion options

  1. -f; --mtu <val>: fragment the packets, optionally with the specified MTU.
  2. -D <decoy1,decoy2[,ME],...>: hide the real address among a set of decoy IP addresses, where ME stands for your own IP address.
  3. -S <IP_Address>: use a different source IP address.
  4. -e <iface>: use a specific network interface.
  5. -g/--source-port <portnum>: use the specified source port.
  6. --data-length <num>: append random data so that the packet length reaches num.
  7. --ip-options <options>: send packets with the specified IP options.
  8. --ttl <val>: set the IP time-to-live.
  9. --spoof-mac <MAC address/prefix/vendor name>: spoof the MAC address.
  10. --badsum: send packets with a bogus checksum (a real host normally discards them, so if a reply is received, it came from a firewall or IDS/IPS).

++++++++++

Instance parsing:

1.

If you want a comprehensive scan of a host, you can use Nmap's built-in -A option. With it, Nmap performs host discovery, port scanning, application and version detection and operating system detection, and runs the default NSE scripts against the target host.

Command form:

nmap -T4 -A -v targethost

The -A option enables aggressive mode. -T4 sets the timing template used during the scan; there are 6 levels (0-5), and the higher the level, the faster the scan, but the more easily it is detected and blocked by a firewall or IDS. When network conditions are good, T4 is recommended. -v shows verbose output, displaying the details of the scan as it runs so the user can follow its current state.

2.

nmap -sS -sU -T4 --top-ports 300 192.168.1.100

The -sS option scans the TCP ports with a TCP SYN scan, -sU scans the UDP ports as well, -T4 sets timing level 4, and --top-ports 300 scans the 300 ports most likely to be open (300 TCP ports and 300 UDP ports).

3.

nmap -sV 192.168.1.100

Version detection against the host 192.168.1.100.

4.

nmap -v -F -Pn -D 192.168.1.100,192.168.1.102,ME -e eth0 -g 3355 192.168.1.1

Here, -F means a fast scan of the top 100 ports; -Pn skips the ping host-discovery step; -D uses IP decoys to hide the real IP (ME stands for your own IP); -e eth0 sends the packets through the eth0 NIC; -g 3355 uses 3355 as the source port; and 192.168.1.1 is the target IP address being scanned.
