Use of nmap on Linux: Network Scanning Technology


Nmap on Linux

The official site is nmap.org; on CentOS it can be installed with yum install nmap.

Four common scans

1. nmap -sP 1.1.1.1/24

Probes for live hosts in the /24 (class C) range; pipe the output through | grep up to keep only the hosts that are up.

2. nmap -sS 1.1.1.1-30 -p 80

SYN scan of a specified IP range and port.

3. nmap -sV 1.1.1.1 -p 1-65535

Probes the service and version on each port.

4. nmap -O 1.1.1.1 or nmap -A 1.1.1.1

Detects the operating system type and version.

A detailed description of nmap, for reference

1 Overview
Nmap supports many scanning techniques, such as UDP, TCP connect(), TCP SYN (half-open), FTP proxy (bounce attack), reverse-ident, ICMP, FIN, ACK, Xmas Tree, SYN and Null scans. Nmap also offers a number of advanced features, such as detecting the operating system type via TCP/IP stack fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, detection of down hosts via parallel ping, decoy scanning, port filtering detection, direct RPC scanning (no portmapper needed), fragmentation scanning, and flexible target and port specification. For each well-known port nmap reports the service name (where possible), the port number, its state and the protocol. The state is one of open, filtered or unfiltered. Open means the target host will accept() connections on that port. Filtered means a firewall, packet filter or other network security software is covering the port and prevents nmap from determining whether it is open. Unfiltered means nmap knows the port is closed and no firewall or packet filter appears to be interfering with its probes. Unfiltered is the common case; unfiltered ports are only listed when most of the scanned ports are in the filtered state. Depending on the options used, nmap can also report the following characteristics of the remote host: the operating system in use, the TCP sequence numbering, the user name of the program bound to each port, DNS names, host addresses, and more.

Use nmap -h for a quick list of the available options.

2 Syntax

nmap [Scan Type(s)] [Options]

Scan types

-sT
TCP connect() scan: the most basic form of TCP scanning. connect() is the system call the operating system provides to open a connection to a port. If a program is listening on the target port, connect() succeeds; otherwise the port is unreachable. The big advantage of this technique is that it requires no root privileges: any UNIX user is free to use this system call. The drawback is that it is easily detected; the target host's logs will show a large number of connection requests and error messages.

-sS
TCP SYN scan: usually called half-open scanning because you do not open a full TCP connection. You send a SYN packet and wait for a response. A SYN|ACK reply indicates the port is listening; an RST indicates there is no listener. When a SYN|ACK is received, the source host immediately sends an RST (reset) to tear the connection down, which the operating system kernel does automatically. The big advantage of this technique is that few systems log it; the drawback is that root privileges are needed to build the custom SYN packets.

-sF -sX -sN
Stealth FIN, Xmas Tree and Null scan modes: used when even a SYN scan is not quiet enough. Some firewalls and packet filters watch for SYN packets sent to restricted ports, and programs such as synlogger and courtney can detect those scans; these advanced scan types can slip past such defences. Their theoretical basis is that a closed port must answer your probe with an RST, while an open port must ignore the packet in question (see RFC 793, page 64). The FIN scan uses a bare FIN packet as the probe, while the Xmas Tree scan turns on the FIN, URG and PUSH flags. Unfortunately, Microsoft decided to ignore this standard completely and do things their own way, so these scan types do not work against Windows 95/NT. On the other hand, this is a good way to tell the two kinds of platform apart: if one of these scans finds open ports, you know the target is not running Windows. If -sF, -sX or -sN show all ports closed while a SYN scan shows open ports, the target is probably running Windows. This is less useful now that nmap has built-in operating system detection. A few other systems behave the same way as Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: all of them send RST packets from open ports when they should simply drop the packet.

-sP
Ping scan: sometimes you only want to know which hosts on a network are up at the moment. nmap can do this by sending an ICMP echo request to every IP address in the network you specify; hosts that are up will respond. Unfortunately, some sites such as microsoft.com block ICMP echo requests. So by default nmap also sends a TCP ACK packet to port 80; an RST in reply means the host is up. The third technique nmap uses is to send a SYN packet and wait for an RST or SYN/ACK. For non-root users nmap uses the connect() method.
By default nmap uses the ICMP and ACK techniques in parallel. Note that nmap performs the ping stage anyway: only hosts that respond are scanned further. Use this option only when you want to know which hosts are up and do not want any other scan.

-sU
UDP scan: use this when you want to know which UDP (User Datagram Protocol, RFC 768) services a host offers. nmap sends a 0-byte UDP packet to each port of the target host; if an ICMP port unreachable message comes back, the port is closed, otherwise it is assumed open. Some people think UDP scanning is pointless, but I often think of the recent Solaris rpcbind hole: rpcbind can be found hiding on an undocumented UDP port with a number above 32770. So it does not matter that port 111 is blocked by the firewall. But can you find out which of the ports above 30000 a program is listening on? With a UDP scan you can! The cDc Back Orifice backdoor hides on a configurable UDP port on Windows hosts, and several commonly exploited services, such as SNMP, TFTP and NFS, use UDP. Unfortunately, UDP scanning is sometimes very slow, because most hosts rate-limit ICMP error messages (as RFC 1812 recommends). The Linux kernel, for example (see its icmp.h header), allows only 80 destination unreachable messages every 4 seconds, with a 1/4 second penalty if that rate is exceeded. Solaris is stricter still, allowing only about two ICMP unreachable messages per second, which slows scanning down even further. nmap detects this rate limit and slows its sending rate accordingly, instead of flooding the target with useless packets it will discard. Microsoft, however, ignores the RFC 1812 suggestion and imposes no limit at all, so all 65K ports of a host running Win95/NT can be scanned very quickly.

-sA
ACK scan: an advanced method usually used to map out a firewall's rule set. In particular, it helps determine whether a firewall is a fully featured one or just a simple packet filter that blocks incoming SYN packets. This scan sends an ACK packet (with random-looking acknowledgment/sequence numbers) to the specified ports. If an RST comes back, the port is classified as unfiltered; if nothing comes back, or an ICMP unreachable message does, the port is classified as filtered. Note that nmap normally does not print unfiltered ports, so the output usually does not list all the ports that were tested. Obviously this scan cannot find ports in the open state.
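From the defender's side, the flag patterns described for the SYN, FIN/Xmas/Null and ACK scans above are exactly what a scan detector looks for. The following Python is an added example (not code from the page or from nmap) that applies those rules to a constructed packet log; the flag letters, the sample addresses and the PORT_THRESHOLD value are assumptions for illustration.

```python
from collections import defaultdict

# Flag letters follow tcpdump style: S=SYN, A=ACK, F=FIN, P=PSH, U=URG.
# No legitimate TCP session sends a packet with exactly these flag sets, so a
# single such packet reveals the FIN, Xmas Tree or Null probe described above.
STEALTH_PROBES = {"": "null scan", "F": "fin scan", "FPU": "xmas scan"}
# Distinct ports one source must hit before we call it a sweep (hypothetical).
PORT_THRESHOLD = 5


def classify_flags(flags):
    """Name the stealth probe for an impossible flag set, else None."""
    return STEALTH_PROBES.get("".join(sorted(flags)))


def detect_scans(packets, threshold=PORT_THRESHOLD):
    """packets: (src, dst, dport, flags) tuples. Returns {(src, dst): [types]}."""
    syn_ports = defaultdict(set)    # ports probed with a bare SYN
    acked_ports = defaultdict(set)  # of those, ports the source later ACKed
    ack_ports = defaultdict(set)    # ports hit by a bare ACK with no prior SYN
    findings = defaultdict(set)
    for src, dst, dport, flags in packets:
        key = (src, dst)
        stealth = classify_flags(flags)
        if stealth:
            findings[key].add(stealth)
        elif set(flags) == {"S"}:
            syn_ports[key].add(dport)
        elif set(flags) == {"A"}:
            if dport in syn_ports[key]:
                acked_ports[key].add(dport)  # third step of a real handshake
            else:
                ack_ports[key].add(dport)    # ACK out of nowhere: -sA style probe
    for key, ports in syn_ports.items():
        # Half-open pattern: SYNs to many ports, none completed by the source.
        if len(ports - acked_ports[key]) >= threshold:
            findings[key].add("syn scan")
    for key, ports in ack_ports.items():
        if len(ports) >= threshold:
            findings[key].add("ack scan")
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample log (not from the page): one real connection, one host
# SYN-sweeping ports 21-26 plus Xmas and Null probes, one host ACK-sweeping.
SAMPLE_PACKETS = (
    [("10.0.0.5", "1.1.1.1", 80, "S"), ("10.0.0.5", "1.1.1.1", 80, "A"),
     ("10.0.0.5", "1.1.1.1", 80, "PA")]
    + [("10.0.0.9", "1.1.1.1", p, "S") for p in range(21, 27)]
    + [("10.0.0.9", "1.1.1.1", 80, "UPF"), ("10.0.0.9", "1.1.1.1", 81, "")]
    + [("10.0.0.7", "1.1.1.1", p, "A") for p in range(440, 446)]
)
```

Calling detect_scans(SAMPLE_PACKETS) reports 10.0.0.9 as a SYN, Xmas and Null scanner and 10.0.0.7 as an ACK scanner, while the completed handshake from 10.0.0.5 produces no finding.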

-sW
Window scan: an advanced technique very similar to the ACK scan, except that it can sometimes detect open ports, because some operating systems report an anomalous TCP window size. Those systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks.

-sR
RPC scan: this method is used in combination with nmap's other port scan types. It takes all the ports found open and sends them SunRPC program NULL commands to determine whether they are RPC ports and, if so, which program and version number they run. This lets you obtain that information even when the target sits behind a firewall. Decoy scanning cannot currently be combined with RPC scanning.

-b
FTP bounce attack: an interesting feature of the FTP protocol (RFC 959) is its support for proxy FTP connections. In other words, you can connect to the FTP server target.com from evil.com and ask that server to send files to anywhere on the Internet! This may have worked well when RFC 959 was written in 1985, but on today's Internet we cannot let people hijack FTP servers and send data to arbitrary hosts. As Hobbit wrote in a 1995 article, the protocol "can be used to deliver virtually untraceable mail and news, get into the servers of various sites, fill up hard disks, hop firewalls, and carry out other harassment, while being hard to track". We can use this feature to scan TCP ports from a proxy FTP server: you connect to an FTP server behind a firewall and then port-scan through it. If the FTP server has a writable directory, you can even send data to the target port (but nmap will not do that for you). The argument to the -b option is the FTP server you want to use as the proxy, in the form
-b username:password@server:port
Everything except server is optional.

General options (none of these are required, but some are very useful)

-P0
Do not ping hosts before scanning. Some network firewalls do not let ICMP echo requests through; this option lets you scan such networks. microsoft.com is one example, so you should always use -P0 or -PT 80 when scanning that site.

-PT
Use TCP ping to determine which hosts are up before scanning. Instead of sending an ICMP echo request and waiting for a reply, nmap sends a TCP ACK packet to the target network (or single host) and waits for responses; hosts that are up reply with an RST. This option keeps host discovery working when the target network or host blocks ping packets but still lets you scan it. For non-root users we implement this with the connect() system call. Use -PT <port number> to set the target port; the default is 80, because that port is usually not filtered.

-PS
For root users, this option makes nmap use SYN packets instead of ACK packets to probe the target hosts. Hosts that are up reply with an RST (or a SYN/ACK).

-PI
This option makes nmap use a real ping (ICMP echo request) to find out whether the target hosts are up. Besides discovering running hosts, it also lets nmap spot your directed subnet broadcast addresses. A directed subnet broadcast address is an externally reachable IP address that turns packets sent from outside into an IP broadcast to an internal subnet of computers. Such IP broadcasts should be eliminated, because they can be abused in DoS attacks (smurf, for example).

-PB
This is the default ping scan option. It uses the ACK (-PT) and ICMP (-PI) techniques in parallel, so that hosts can still be found when a firewall filters one of the two packet types.

-O
This option activates remote host identification via TCP/IP fingerprinting: nmap uses a number of techniques to detect characteristics of the target host's network protocol stack, builds a fingerprint from them, and compares it against a database of known operating system fingerprints to determine which operating system the target is running.

-I
This option enables nmap's reverse-ident scanning. As Dave Goldsmith noted in a bugtraq post on April 9, 1996, the ident protocol (RFC 1413) reveals the user name of the owner of any process connected via TCP, even if that process did not initiate the connection. So, for example, you can connect to the HTTP port and then use identd to find out whether the server is running as root. This only works with a full TCP connection to the target port (as with the -sT scan option). With -I, the identd daemon on the remote host is queried for the owner of the process listening on each open port. Obviously this scan is useless if the remote host is not running identd.

-f
This option makes nmap send its SYN, FIN, Xmas and Null scans as small fragmented IP packets. Fragmenting the packets makes it harder for packet filters and intrusion detection systems to see what you are doing. Use this option with care, though: some programs have trouble handling these fragments. nmap uses 24-byte fragments. Although packet filters and firewalls cannot block this method, many networks disable fragmentation for performance reasons. This option does not work on every platform; it works well on Linux, FreeBSD, OpenBSD and other UNIX systems.

-v
Verbose mode. Prints detailed information about what is happening during the scan; this option is well worth using. Use -d for even more detail.

-h
Quick reference of the options.

-oN <logfilename>
Logs the scan results in human-readable form to the file logfilename.

-oM <logfilename>
Logs the scan results to logfilename in a machine-parsable format. You can give -oM - instead of a file name to send this output to standard output (stdout); normal output is then suppressed, and error messages still go to standard error (stderr). Note that if -v is also given, some extra information is printed on the screen. Similarly, -oS - sends the result to standard output.
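The machine-parsable output of -oM (current nmap releases call it -oG, grepable output) is meant to be processed by scripts rather than read. The following Python parser is an added example, not code from the page or from nmap; it also covers the host filtering that the "| grep up" pipeline in the four common scans does. The scan output embedded below is constructed for the example, and the per-port field order (port/state/protocol/owner/service/rpcinfo/version) follows nmap's grepable format.

```python
# Field order in each port entry follows nmap's grepable format:
# port/state/protocol/owner/service/rpcinfo/version/
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_grepable(text):
    """Parse grepable nmap output into {address: {"status", "ports", "ignored"}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' header/footer comment lines carry no results
        fields = line.split("\t")
        addr = fields[0].split()[1]
        entry = hosts.setdefault(addr, {"status": None, "ports": [], "ignored": None})
        for field in fields[1:]:
            name, _, value = field.partition(": ")
            if name == "Status":
                entry["status"] = value
            elif name == "Ignored State":
                entry["ignored"] = value
            elif name == "Ports":
                for item in value.split(", "):
                    rec = dict(zip(PORT_FIELDS, item.split("/")))
                    rec["port"] = int(rec["port"])
                    entry["ports"].append(rec)
    return hosts


def live_hosts(hosts):
    """Same idea as the page's `nmap -sP ... | grep up`, but on parsed data."""
    return sorted(a for a, e in hosts.items() if e["status"] == "Up" or e["ports"])


def open_ports(hosts, addr):
    return [p["port"] for p in hosts[addr]["ports"] if p["state"] == "open"]


# Constructed sample (not real scan output): a SYN/version scan of 1.1.1.1-3.
SAMPLE_OUTPUT = (
    "# Nmap scan initiated as: nmap -sS -sV -oG - 1.1.1.1-3\n"
    "Host: 1.1.1.1 ()\tStatus: Up\n"
    "Host: 1.1.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//nginx 1.18/, 443/filtered/tcp//https///"
    "\tIgnored State: closed (997)\n"
    "Host: 1.1.1.2 ()\tStatus: Up\n"
    "Host: 1.1.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (999)\n"
    "Host: 1.1.1.3 ()\tStatus: Down\n"
    "# Nmap done: 3 IP addresses (2 hosts up) scanned\n"
)
```

parse_grepable(SAMPLE_OUTPUT) yields two live hosts, with ports 22 and 80 open on 1.1.1.1 and port 443 filtered, mirroring the open/filtered states the overview defines.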
