Nmap is a very powerful utility that can be used to detect hosts on the network (host discovery), open ports on those hosts (port discovery or enumeration), the software and version behind each port (service discovery), and, through Nmap scripts, operating system, hardware address and software version details as well as known vulnerabilities. Nmap is a very common tool with both a command line interface and a graphical user interface. This page covers the important parameters used in Nmap scanning and in operating system detection.

Nmap usage tutorial

Nmap uses different techniques to perform scanning, including TCP connect() scanning, TCP reverse ident scanning, FTP bounce scanning and others. Each of these scan types has its own advantages and disadvantages, which we discuss below. How Nmap is used depends on the target host, because there is a difference between simple (basic) scanning and advanced scanning: some advanced techniques are needed to bypass firewalls and intrusion detection/prevention systems and get correct results. The following are some basic commands and examples of their usage.

Scan a single host with the following command:
The code is as follows:
# nmap nxadmin.com
# nmap 192.168.1.2
Scan the entire subnet with the following command:
The code is as follows:
# nmap 192.168.1.1/24
Use the following command to scan multiple targets:
The code is as follows:
# nmap 192.168.1.2 192.168.1.5
Scan a series of targets as follows:
The code is as follows:
# nmap 192.168.1.1-100 (scans the IP addresses 192.168.1.1 through 192.168.1.100).
If you have a list of IP addresses, save it as a txt file in the directory from which nmap is run, and then scan all the hosts in that file. The command is as follows:
The code is as follows:
# nmap -iL target.txt
If you want to see a list of all the hosts you scanned, use the following command:
The code is as follows:
# nmap -sL 192.168.1.1/24
Scan all hosts in the subnet except one IP address. Command:
The code is as follows:
# nmap 192.168.1.1/24 --exclude 192.168.1.1
Scan the subnet, excluding the IP addresses listed in a file:
The code is as follows:
# nmap 192.168.1.1/24 --excludefile xxx.txt (the hosts listed in xxx.txt are excluded from the scan).
Scan ports 80, 21 and 23 on a specific host. The command is as follows:
The code is as follows:
# nmap -p80,21,23 192.168.1.1
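The target specifications used above (a CIDR block, an octet range, a -iL list file, --exclude and --excludefile) can be expanded offline to see exactly which addresses a scan would touch before anything is sent. The following Python is an added scoping example, not code from the original page or from the Nmap project; it handles IPv4 literals only (no hostnames), and the target.txt contents are constructed.

```python
import ipaddress
from itertools import product

def _octet_values(spec):
    """Expand one octet of an Nmap-style target: '5', '1-100' or '-' (0-255)."""
    if spec == "-":
        return range(256)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {spec}")
        return range(lo, hi + 1)
    return [int(spec)]

def expand_target(spec):
    """Return the set of IPv4 addresses one target spec covers.

    Mirrors Nmap's behaviour: a CIDR block includes its network and broadcast
    addresses (nmap -sL 192.168.1.1/24 lists 256 hosts), and each dotted octet
    may be a single value or a range such as 192.168.1.1-100.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return {str(a) for a in net}
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target (hostnames not handled): {spec}")
    return {".".join(map(str, combo))
            for combo in product(*(_octet_values(o) for o in octets))}

def _specs_from_file(lines):
    """Targets from -iL / --excludefile style input: one spec per line, '#' comments."""
    return [l.split("#", 1)[0].strip() for l in lines if l.split("#", 1)[0].strip()]

def build_scope(targets=(), excludes=(), target_file=(), exclude_file=()):
    """Union of all targets minus all excludes, sorted numerically."""
    scope = set()
    for spec in list(targets) + _specs_from_file(target_file):
        scope |= expand_target(spec)
    for spec in list(excludes) + _specs_from_file(exclude_file):
        scope -= expand_target(spec)
    return sorted(scope, key=lambda ip: int(ipaddress.ip_address(ip)))

# Constructed stand-in for target.txt, the -iL file described above.
TARGET_TXT = ["192.168.1.2", "192.168.1.5", "# gateway range", "192.168.1.250-254"]

if __name__ == "__main__":
    scope = build_scope(targets=["192.168.1.1/24"], excludes=["192.168.1.1"])
    print(len(scope), "addresses in scope; first:", scope[0])
    print(build_scope(target_file=TARGET_TXT))
```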
The above covers the basics of Nmap. Let's now discuss Nmap's scanning techniques in more depth.
TCP SYN scanning (-sS): This is a basic scanning method, called half-open scanning because it lets Nmap obtain information from the remote host without completing the handshake. Nmap sends a SYN packet to the remote host but never establishes a session, so no session is formed and no session log records are created on the target host. This is the advantage of SYN scanning. If no scan type is specified on the Nmap command line, TCP SYN is the default, but it requires root/administrator privileges.
The code is as follows:
# nmap -sS 192.168.1.1
TCP connect() scanning (-sT): If SYN scanning is not selected, TCP connect() scanning is the default scan mode. Unlike TCP SYN scanning, TCP connect() scanning completes the three-way handshake and calls the system's connect(). TCP connect() scanning is only suitable for finding TCP and UDP ports.
The code is as follows:
# nmap -sT 192.168.1.1
UDP scanning (-sU): As the name implies, this scanning technique is used to find the UDP ports open on the target host. It does not send any SYN packets, because it targets UDP ports. UDP scanning sends UDP packets to the target host and waits for a response. If an ICMP port unreachable error is returned, the port is closed; if a correct and appropriate response is received, the port is open.
The code is as follows:
# nmap -sU 192.168.1.1
FIN scan (-sF)
Sometimes TCP SYN scanning is not the best method, because a firewall is in the way. The target host may have IDS and IPS systems, and the firewall may intercept SYN packets. Packets with only the FIN flag set can be sent without a TCP handshake.
The code is as follows:
root@bt:~# nmap -sF 192.168.1.8
Starting Nmap 5.51 at 2012-07-08 19:21 PKT
Nmap scan report for 192.168.1.8
Host is up (0.000026s latency).
Not shown: 999 closed ports
PORT    STATE         SERVICE
111/tcp open|filtered rpcbind
FIN scanning does not create logs on the target host (one of the advantages of FIN scanning). The related scan types differ in the flags they set: FIN scan packets carry only the FIN flag, the Null scan sends packets with no flags set at all, and the Xmas scan sends packets with the FIN, PSH and URG flags set.
Ping scanning (-sP)
Ping scanning differs from the other scanning methods because it is only used to find out whether a host exists on the network; it is not used to determine whether ports are open. A ping scan requires root privileges. If the user does not have root privileges, the ping scan is performed with connect().
The code is as follows:
# nmap -sP 192.168.1.1
Version detection (-sV)
Version detection is used to determine the software and version running on each open port of the target host. Unlike the other scanning techniques, it is not used to find open ports; it gathers information from the open ports to judge the software version. Before version detection runs, the open ports must therefore be scanned first.
The code is as follows:
# nmap -sV 192.168.1.1
Idle scanning (-sI)
Idle scan is an advanced scanning technique. Instead of sending packets from your real host IP, it uses another host on the target network to send the packets.
The code is as follows:
# nmap -sI 192.168.1.6 192.168.1.1
Idle scan is an ideal anonymous scanning technique: it sends packets to the intermediate (zombie) host 192.168.1.6 in the target network and uses it to obtain information about 192.168.1.1.
Other scanning techniques exist, such as FTP bounce, fragmented scanning and IP protocol scanning; the main scanning methods were discussed above.
Operating system detection with Nmap (-O)
One of the most important functions of Nmap is that it can remotely detect operating systems and software. Nmap's OS detection is very useful in penetration testing for understanding the operating system and software of a remote host, and the information obtained lets you look up known vulnerabilities. Nmap has a database named nmap-os-db that contains information on more than 2,600 operating systems. Nmap sends TCP and UDP packets to the target machine and then checks the results against the database.
The code is as follows:
Initiating SYN Stealth Scan at 10:21
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 111/tcp on 127.0.0.1
Completed SYN Stealth Scan at 10:21, 1.38s elapsed
The above example clearly shows that Nmap first discovers open ports and then sends packets to detect the remote operating system. The operating system detection parameter is -O (capital O).
Nmap's operating system fingerprinting reports:
Device type (router, workstation, etc.)
Running (the operating system family that is running)
OS details (name and version of the operating system)
Network distance (hops between the target and the attacker)
If the remote host has a firewall, IDS or IPS system, you can use the -PN option to ensure that the remote host is not pinged, because the firewall will sometimes block ping requests. The -PN option tells Nmap not to ping the remote host.
The code is as follows:
# nmap -O -PN 192.168.1.1/24
The above command tells Nmap to treat the remote hosts as active on the network, so no ping request is sent. The -PN option bypasses the ping step but does not affect OS detection of the host.
Nmap's operating system detection relies on open and closed ports. If OS detection cannot find at least one open and one closed port, it returns the following error:
The code is as follows:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
That is, the OS scan results are unreliable because at least one open and one closed port could not be found.
This situation is not ideal; it usually means the remote host has taken precautions against operating system detection. If you want Nmap to skip OS detection on hosts where it cannot find both an open and a closed port, use --osscan-limit.
Accurately detecting a remote operating system with Nmap can be difficult, so Nmap's guessing option --osscan-guess can be used to report the closest matching operating system type for the target.
The code is as follows:
# nmap -O --osscan-guess 192.168.1.1
The following is a description of the scanning type.
-sT TCP connect() scanning: This is the most basic TCP scanning method. connect() is the system call provided by the operating system to open a connection. If the target port is listening, connect() returns successfully; otherwise the port is unreachable. The biggest advantage of this technique is that it does not require root permission: any UNIX user is free to use this system call. This kind of scanning is easy to detect, because a large number of connection requests and error messages will be recorded in the target host's logs.
-sS TCP SYN scanning: Because a full TCP connection is never opened, this technique is usually called half-open scanning. You send a TCP synchronize packet (SYN) and wait for a response. If the other side returns a SYN|ACK packet, the target port is listening; if an RST packet is returned, the target port has no listener. When a SYN|ACK packet is received, the source host immediately sends an RST (reset) packet to tear down the connection with the target host; this is actually done automatically by our operating system kernel. The biggest advantage of this technique is that few systems record it in the system log. However, you need root privileges to craft the SYN packet.
-sF -sX -sN Stealth FIN, Xmas Tree and Null scan modes: used when even SYN scanning is not stealthy enough. Some firewalls and packet filters can watch for SYN packets sent to restricted ports, and programs such as synlogger and courtney can detect such scans. These advanced scan modes can get past that interference. Their theoretical basis is that a closed port must respond to your probe packet with an RST, while an open port must ignore the malformed packet (see page 64 of RFC 793). The FIN scan probes with bare FIN packets, while the Xmas Tree scan turns on the FIN, URG and PUSH flags of the packets. Unfortunately, Microsoft decided to ignore this standard completely and do its own thing, so these scan methods do not work against Windows 95/NT. From another perspective, however, you can use this to distinguish the two platforms: if an open port can be found with one of these scans, the target is not running Windows; if -sF, -sX or -sN scanning shows all ports closed while a SYN scan shows open ports, the target host is probably running Windows. This method is of little use now that nmap has built-in operating system detection. Several other systems behave the same way as Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: they all send reset packets from open ports where the packets should have been dropped.
-sP Ping scanning: Sometimes you only want to know which hosts on the network are up at the moment. Nmap can do this by sending ICMP echo request packets to every IP address in the specified network; a host that is up will respond. Unfortunately, some sites, such as microsoft.com, block ICMP echo request packets. By default, however, nmap also sends a TCP ACK packet to port 80; if an RST packet comes back, the host is up. The third technique nmap uses is to send a SYN packet and wait for an RST or SYN/ACK packet. For non-root users, nmap uses the connect() method. By default (as root), nmap uses the ICMP and ACK techniques in parallel. Note that nmap performs a ping scan in every case, and the subsequent scans are only performed against hosts that are up. Use this option if you only want to know whether the target hosts are up and do not want any other scans.
-sU UDP scanning: If you want to know which UDP (User Datagram Protocol, RFC 768) services a host provides, use this scan method. Nmap first sends a 0-byte UDP packet to each port of the target host. If an ICMP port unreachable message comes back, the port is closed; otherwise we assume it is open. Some people may think UDP scanning is pointless, but I often recall the recent Solaris rpcbind bug: rpcbind hides on an undocumented UDP port above 32770, so even if port 111 (the well-known portmap port) is blocked by the firewall, the service is still exposed. But can you find out which port above 30000 has a program listening? Just scan with UDP! The cDc Back Orifice backdoor hides on a configurable UDP port on Windows hosts. And some services with well-known security flaws (such as snmp, tftp and NFS) use UDP. Unfortunately, UDP scanning is sometimes very slow, because most hosts limit the rate of ICMP error messages (as recommended in RFC 1812). For example, the Linux kernel (in net/ipv4/icmp.h) allows only 80 destination unreachable messages every 4 seconds, with a 1/4 second penalty if that rate is exceeded. Solaris is stricter, allowing only about 2 ICMP unreachable messages per second, which makes scanning even slower. Nmap detects this rate limit and slows its sending accordingly instead of flooding the target with useless packets that would be discarded. However, Micro$oft ignores the RFC 1812 suggestion and imposes no rate limit, so all 65K ports on a host running Win95/NT can be scanned quickly.
-sA ACK scanning: This advanced scan method is usually used to map a firewall's rule set. In particular, it helps determine whether a firewall is a full stateful firewall or a simple packet filter that only blocks incoming SYN packets. The scan sends an ACK packet (with random acknowledgement/sequence numbers) to the specified ports. If an RST packet comes back, the port is marked unfiltered; if nothing comes back, or an ICMP unreachable message is returned, the port is classified as filtered. Note that nmap usually does not output unfiltered ports, so typically none of the probed ports appear in the output. Obviously, this scan method cannot find open ports.
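From the defender's side, the flag combinations described for -sS, -sF, -sX, -sN and -sA are exactly what a packet-level log records, even when no session (and so no application log entry) is ever created. The following Python is an added example, not code from the original page or from the Nmap project: it classifies constructed iptables-style log lines by their TCP flags and reports sources that probe many ports with one scan pattern.

```python
import re
from collections import defaultdict

TCP_FLAGS = ("SYN", "ACK", "FIN", "PSH", "URG", "RST")
HEADER_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def classify_flags(flags):
    """Map a TCP flag set to the Nmap scan type that produces such probes."""
    f = frozenset(flags)
    if f == {"SYN"}:
        return "syn_scan"            # -sS: half-open probe, handshake never completed
    if f == {"FIN"}:
        return "fin_scan"            # -sF: bare FIN, closed ports answer with RST
    if f == {"FIN", "PSH", "URG"}:
        return "xmas_scan"           # -sX: FIN, PSH and URG set together
    if not f:
        return "null_scan"           # -sN: no flags at all
    if f == {"ACK"}:
        return "ack_scan"            # -sA: maps firewall rules, finds no open ports
    return "other"

def parse_line(line):
    """Return (src, dst_port, scan_type) for a TCP log line, or None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    tail = line.split("PROTO=TCP", 1)[1]          # flag words follow the header fields
    flags = {fl for fl in TCP_FLAGS if re.search(rf"\b{fl}\b", tail)}
    return m["src"], int(m["dpt"]), classify_flags(flags)

def scan_report(lines, port_threshold=5):
    """Count distinct destination ports per (source, scan type); keep the sweeps."""
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, dpt, kind = parsed
            ports[(src, kind)].add(dpt)
    return {key: len(p) for key, p in ports.items() if len(p) >= port_threshold}

def _log(src, dpt, flags):
    """Constructed iptables-style log line (not captured from a real host)."""
    return (f"kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.9 LEN=44 TTL=52 "
            f"PROTO=TCP SPT=41234 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")

SAMPLE_LOG = (
    [_log("10.0.0.5", p, "SYN") for p in (21, 22, 23, 25, 80, 443)]          # -sS sweep
    + [_log("10.0.0.7", p, "FIN PSH URG") for p in (22, 80, 111, 139, 445)]  # -sX sweep
    + [_log("10.0.0.12", p, "ACK") for p in (22, 25, 80, 443, 8080)]        # -sA sweep
    + [_log("10.0.0.8", 443, "SYN")]                                         # one normal connect
)
```

scan_report(SAMPLE_LOG) flags the three sweeping sources and ignores the single legitimate SYN to port 443.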
-sW Window scanning: This advanced scan technique is very similar to ACK scanning, except that it can sometimes detect open ports, because some operating systems report an irregular TCP window size that reveals the port state. Such systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. The complete list is available in the nmap-hackers mailing list archives.
-sR RPC scanning: This method is combined with nmap's other port scanning methods. It takes all the open ports found, sends them the NULL command of the SunRPC program, and determines whether they are RPC ports and, if so, which program and version number they carry. In this way you can obtain RPC information even through a firewall. Decoy scanning cannot be combined with RPC scanning yet.
-b FTP bounce attack: An interesting feature of the FTP protocol (RFC 959) is its support for proxy FTP connections. In other words, I can connect to the FTP server at target.com from evil.com and ask that FTP server to send files anywhere on the Internet on my behalf! When RFC 959 was completed in 1985, this feature worked fine. On today's Internet, however, we cannot let people hijack an FTP server and make it send data to any node on the Internet. As Hobbit wrote in a 1995 article, this protocol "can be used to deliver virtually untraceable mail and news, hit servers at various sites, fill up hard disks, hop firewalls, and carry out other harassment that is difficult to track". We can use this feature to scan TCP ports from the proxy FTP server: connect to an FTP server behind the firewall, and then scan the ports. If the FTP server has a readable directory, you can also send arbitrary data to the target port (but nmap cannot help you with that). The argument passed to the -b option is the FTP server you want to use as a proxy. The syntax is: -b username:password@server:port. Everything except the server is optional. If you want to know which servers have this defect, see my article in Phrack 51. The latest version of that article is also available on nmap's website.
General options: These are not required, but they are useful.
-P0 Do not ping hosts before scanning. Some network firewalls do not let ICMP echo requests through; use this option to scan such networks. microsoft.com is an example, so you should always use the -P0 or -PT80 option when scanning that site.
-PT Use TCP ping before scanning to determine which hosts are up. Instead of sending ICMP echo request packets and waiting for a response, nmap sends TCP ACK packets to the target network (or a single host) and waits for a response; a host that is up replies with an RST packet. This option is useful when the target network/host blocks ping packets but still lets you scan it. For non-root users, the connect() system call is used to achieve the same thing. Use -PT<port> to set the destination port; the default port is 80, because it is usually not filtered.
-PS For root users, this option makes nmap probe the target host with SYN packets instead of ACK packets. If the host is up, an RST packet (or a SYN/ACK packet) is returned.
-PI Set this option to have nmap use a real ping (ICMP echo request) to determine whether target hosts are up. Besides finding hosts that are up, nmap will also look for your directed subnet broadcast addresses. A directed subnet broadcast address is an externally reachable IP address that turns incoming packets into IP broadcasts to an internal subnet. Such addresses should be removed, because they can be used for denial of service attacks (such as smurf).