Expert skills: nmap, a tool essential for Linux hackers
[Special Report of Bi network experts]Nmap is a network probe and security scanning program. System Administrators and individuals can use this software to scan a large network and obtain information about the host being scanned and what services the system provides. Nmap supports many scanning technologies, such as UDP, TCP connect (), tcp syn (half-open scan ),FtpProxy (bouNcE attacks), reverse flag, ICMP, FIN, ACK Scan, Christmas Tree (Xmas Tree), SYN scan, and null scan. Details can be obtained from the scan type section. Nmap also provides some advanced features, such as detecting the operating system type through the TCP/IP protocol stack features, secretly scanning, dynamic latency and retransmission computing, parallel scanning, and parallelPingScan and detect closed hosts, bait scans, avoids port filtering detection, direct RPC scans (no need for port shadows), fragment scans, and flexible target and port settings. This article describes the detailed use options of NMap and provides several practical examples. nmap is an essential tool for intrusion and network security detection.
(1) Select the program installation package
First, go to the official website to download nmap.
Select the package to be installed
(2) install the Gcc compiler
Of course, we can also select the source code for installation. The premise of source code installation is that the Gcc compiler is installed first. We can use yum-y install Gcc to install the Gcc compiler on the network.
When Gcc is installed, go to the folder where the source code is stored.CompressionSource code file 2.
ExtractShrink source code files
(3) Test the running environment and install nmap
After decompression, enter the decompressed folder and use./confgure and make to test the running environment. 3
./Configure and make test environment
Then log on to install nmap as an administrator and test the availability, as shown in figure 4.
Install nmap and test its availability
After nmap is installed, the following describes how to use nmap.
(4) Nmap usage
You can use man nmap to check whether nmap is used. To improve nmap performance in the non-root state, software designers have made great efforts. Unfortunately, some kernel interfaces (such as raw socket) need to be used in the root state. Therefore, try to use nmap as root.
Run nmap to obtain the list of host ports to be scanned. Nmap always provides the service name (if possible), port number, status, and protocol information of the well known port. The statuses of each port are: open and filter.EdAnd unfiltered. The open state means that the target host can use the accept () system call on this port to accept the connection. The filtered status indicates that the firewall, packet filtering, and other network security software mask the port and disable nmap to detect whether it is enabled. Unfiltered indicates that the port is disabled and no firewall/package filtering software is available to isolate nmap detection attempts. Generally, the port is in the unfiltered state. Only when most of the ports being scanned are in the filtered state will the port in the unfiltered State be displayed. Nmap can also report the following features of a remote host based on the function options used: the operating system used, the TCP sequence, and the user name, DNS name, host address, and other things of the application bound to each port.
1. Function options
Function options can be used in combination. Some feature options can only be used in some scan mode. Nmap automatically identifies invalid or unsupported combinations of function options and sends a warning to the user.
If you are an experienced user, you can skip the example section at the end. You can use nmap-h to quickly list function Option List 5.
Quick List of feature options
2. Scan type
-ST
TCP connect () scan: This is the most basic TCP scan method. Connect () is a system call provided by the operating system to open a connection. If the target port has a program listener, connect () will return a successful result; otherwise, this port is inaccessible. The biggest advantage of this technology is that you do not need root permissions. Any UNIX user can use this system for calling. This kind of scan can easily be detected. A large number of connection requests and error messages are recorded in the logs of the target host.
-SS
TCP Synchronous Scan (tcp syn): Because you do not need to open a TCP connection, this technology is generally called half-open scan ). You can issue a TCP synchronization packet (SYN) and wait for the response. If the other party returns SYN | ACK (response) packet, it indicates that the target port is listening; If RST packet is returned, it indicates that the target port does not have a listener; if it receives a SYN | ACK packet, the source host will immediately issue an RST (reset) packet to disconnect from the target host, which is actually automatically completed by our operating system kernel. The biggest benefit of this technology is that few systems are able to record this in system logs. However, you need the root permission to customize SYN packets.
-SF-sN
Private FIN packet scanning, Christmas Tree (Xmas Tree), Null scan mode: used even if SYN scan is uncertain. Some firewall and packet filtering software can monitor SYN packets sent to restricted ports, and some programs such as synlogger and courtney can detect those scans. These advanced scanning methods can escape these interference. The Theoretical Basis of These scanning methods is: the closed port needs to respond to your test package to the RST package, and the opened port must ignore the problematic package (refer to RFC 793 64th page ). FIN scan uses exposed FIN data packets for detection, while Christmas tree scan opens the FIN, URG, and PUSH flag of the data packets. Unfortunately, Microsoft decided to completely ignore this standard and set a new course. Therefore, this scan method is invalid for Windows95/NT. However, from another perspective, you can use this method to separate two different platforms. If you use this scan method to discover opened ports, you can determine that the target is not running Windows. If you use-sF,-sX, or-sN scan to show that all ports are closed, and use SYN scan to show opened ports, you can determine that the target host may run the Windwos system. This method is not very useful because nmap has embedded operating system detection functions. Several other systems use the same processing methods as windows, including Cisco, BSDI, HP/UX, MYS, and IRIX. When data packets should be discarded, all the above systems will send a reset packet from the opened port.
-SP
Ping scan: Sometimes you just want to know which hosts on the network are running at this time. By sending an ICMP echo request packet to each IP address in your specified network, nmap can complete this task. If the host is running, it will respond. Unfortunately, some sites such as microsoft.com Block ICMP echo request packets. However, by default, nmap can also send TCP ack packets to port 80. If you receive an RST packet, it indicates that the host is running. The third technique used by nmap is to send a SYN Packet and wait for an RST or SYN/ACK packet. For non-root users, nmap uses the connect () method.
By default, nmap uses ICMP and ACK technologies in parallel.
Note that nmap performs ping scanning under any circumstances. Only when the target host is running will it perform subsequent scanning. This option is only used if you want to know whether the target host is running and do not want to perform other scans.
-SU
UDP scan: If you want to know which UDP (User Datagram Protocol, RFC768) services are provided on a host, you can use this scan method. Nmap first sends a 0-byte UDP packet to each port of the target host. If we receive an ICMP message that is inaccessible to the port, the port is closed. Otherwise, we assume it is open.
Some may think that UDP scanning is meaningless. However, I often think of solaris rpcbind defects. Rpcbind is hidden on an undisclosed UDP port. The port number is greater than 32770. Therefore, even if port 111 is blocked by the firewall. But can you find that a program is listening on any port over 30000? Use UDP scan! The cDc Back Orifice backdoor program is hidden in a configurable UDP port on a Windows host. Some common security defects, such as snmp and,TftpNFS uses the UDP protocol. Unfortunately, UDP scanning is sometimes very slow because most hosts limit the proportion of ICMP error messages (recommended in RFC1812 ). For exampleCmp. H file) only 80 ICMP messages that cannot be reached by the target can appear every 4 seconds. If this proportion is exceeded, a penalty of 1/4 seconds will be given. Solaris is more restrictive. Only about two ICMP inaccessibility messages are allowed per second, which slows down scanning. Nmap detects the proportion of this limit and slows down the sending speed, instead of sending a large number of useless data packets discarded by the target host.
However, Microsoft ignores the RFC1812 suggestion and does not impose any restrictions on this proportion. Therefore, we can quickly scan all the 65K ports on the host running Win95/NT.
-SA
ACK Scan: This advanced scan method is usually used to pass through the firewall rule set. In general, this helps determine whether a firewall is fully functional or a simple package filtering program, just blocking the SYN packets that enter.
This scan sends an ACK packet to a specific port (using a Random Response/serial number ). If an RST packet is returned, the port is marked as unfiltered. If nothing is returned, or a non-reachable ICMP message is returned, this port is classified into the filtered class. Note: nmap usually does not output the unfiltered port, so it usually does not display all the ports to be tested in the output. Obviously, this scan method cannot find the port in the open state.
-SW
Scan a sliding window: This advanced scan technique is very similar to ACK scan, except that it can sometimes detect open ports because the size of the sliding window is irregular, some operating systems can report its size. These systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, DiGitAl UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, UlTrIx, VAX, and VXWORKS. You can obtain the complete list from the documents in the nmap-hackers mail 3 list.
-SR
RPC scan. This method is used in combination with other nmap port scanning methods. Select all open ports to send NULL SunRPC program to themCommandTo determine whether they are RPC ports. If yes, determine the software and version number. Therefore, you can obtain some information about the firewall. Bait scanning cannot be used with RPC scanning now.
-B
FTP bounce attack (bounce attack): the FTP protocol (RFC 959) has an interesting feature that supports proxy FTP connections. That is to say, I can connect to the FTP server target.com from evil.com, And I can ask this FTP server to send files anywhere on the Internet for myself! This feature worked well when RFC959 was completed in 1985. However, in today's Internet, we cannot allow people to hijack the FTP server and send data to any node on the Internet. As Hobbit said in an article written in 1995, this protocol can be used to deliver virtual inaccessibility emails and news, enter the servers of various sites, fill the hard disk, and skip the firewall, and other harassment activities, and it is difficult to track. We can use this feature to scan TCP ports on a proxy FTP server. Therefore, you need to connect to an FTP server behind the firewall and then perform port scanning. If there is a readable directory on this FTP server, you can also send data to the target port (but nmap cannot do this for you ).
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
