2025-03-31 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to use the nmap network scanning tool on Linux. The content is straightforward and easy to follow; read it along with the editor's notes to learn how the nmap command works.
1. Name
nmap - network exploration tool and security scanner
2. Synopsis
nmap [scan type(s)] [options] <target specification>
3. Description
Nmap is a network exploration and security scanning program that system administrators and individuals can use to scan large networks and learn which hosts are up and what services they offer. Nmap supports many scanning techniques: UDP, TCP connect(), TCP SYN (half-open), FTP proxy (bounce attack), reverse-ident, ICMP, FIN, ACK, Xmas tree (Christmas tree), SYN and Null scans. Details are given in the scan types section. Nmap also offers a number of advanced features, such as remote operating system detection via TCP/IP stack fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, detection of down hosts via parallel ping sweeps, decoy scanning, detection of port filtering, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.
The designers have gone to some effort to make nmap useful to non-root users. Unfortunately, several kernel interfaces (such as raw sockets) require root privileges, so you should run nmap as root whenever possible.
The result of running nmap is usually a list of interesting ports on the host(s) scanned. For each port nmap gives the well-known service name (where it knows one), the port number, the state and the protocol. The state is one of open, filtered or unfiltered. Open means the target host will accept() connections on that port. Filtered means a firewall, packet filter or other network obstacle is covering the port and preventing nmap from determining whether it is open. Unfiltered means that nmap knows the port is closed and no firewall or filter appears to be interfering with its probes. Most ports are in the unfiltered state, so nmap only displays unfiltered ports explicitly when most of the ports scanned are filtered.
Depending on the options used, nmap may also report the following characteristics of the remote host: the operating system in use, TCP sequence number predictability, the usernames owning the processes bound to each port, the DNS name, whether the host is a smurf address (a directed broadcast address), and a few others.
4. Options
Options can be combined, and some only make sense with particular scan modes. Nmap tries to catch invalid or unsupported option combinations and warns you about them.
If you are an impatient expert, you can skip to the examples section at the end. You can also run nmap -h to get a quick summary of the options.
4.1 Scan types
-sT
TCP connect() scan: the most basic form of TCP scanning. connect() is the system call the operating system provides for opening a connection to a port. If the target port is listening, connect() succeeds; otherwise the port is not reachable. The biggest advantage of this technique is that no special privileges are needed: any UNIX user can use this system call. The disadvantage is that it is easily detected: the target host's logs will show a burst of connections that are immediately closed, along with error messages from the services that accepted them.
-sS
TCP SYN scan: this technique is often called a half-open scan because it does not open a full TCP connection. You send a SYN packet, as if opening a real connection, and wait for the response. A SYN|ACK indicates the port is listening; a RST indicates it is not. When a SYN|ACK is received, a RST is sent immediately to tear down the connection (your operating system kernel does this for you). The main advantage is that few sites log it. The drawback is that root privileges are needed to build the custom SYN packets.
-sF -sX -sN
Stealth FIN, Xmas tree and Null scan modes: used when even a SYN scan is not clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs such as synlogger and courtney can detect SYN scans. These advanced scan types can slip past such defenses.
The idea is that closed ports are required to reply to your probe packet with a RST, while open ports must ignore the packets in question (see RFC 793, page 64). The FIN scan uses a bare FIN packet as the probe, while the Xmas tree scan sets the FIN, URG and PUSH flags. Unfortunately Microsoft decided to ignore the standard completely and do things their own way, so these scans do not work against Windows 95/NT. On the positive side, this is a good way to tell the two platforms apart: if a FIN, Xmas or Null scan finds open ports, you know the target is not running Windows; if -sF, -sX or -sN show all ports closed while a SYN scan shows open ports, the target is probably running Windows. This is less useful now that nmap has proper operating system detection built in. A few other systems behave the same way as Windows, including Cisco, BSDI, HP/UX, MVS and IRIX: they all send a RST from open ports when they should simply drop the packet.
-sP
Ping scan: sometimes you only want to know which hosts on a network are up. Nmap can do this by sending ICMP echo request packets to every IP address in the network you specify; hosts that are up respond. Unfortunately some sites, such as microsoft.com, block echo request packets. So nmap can also send a TCP ACK packet to port 80 (by default): if a RST comes back, the host is up. A third technique nmap uses is to send a SYN packet and wait for a RST or SYN/ACK. For non-root users, the connect() method is used instead.
By default (for root users), nmap uses the ICMP and ACK techniques in parallel.
Note that nmap performs ping discovery in any case, and only hosts that respond are scanned further. This option is for when you just want to know whether hosts are up and do not want to run any other scan.
-sU
UDP scan: use this method to find out which UDP (User Datagram Protocol, RFC 768) ports are open on a host. Nmap sends a 0-byte UDP packet to each port on the target. If an ICMP port unreachable message comes back, the port is closed; otherwise it is assumed to be open.
Some people think UDP scanning is pointless. I usually remind them of the Solaris rpcbind hole: rpcbind can be found hiding on an undocumented UDP port above 32770, so it does not matter that port 111 (the well-known portmap port) is blocked by the firewall. But can you find which of the more than 30000 high ports it is listening on? With a UDP scan you can! Or the cDc Back Orifice backdoor, which hides on a configurable UDP port on Windows machines. Never mind the well-known security holes: services such as snmp, tftp and NFS use UDP. Unfortunately UDP scanning is sometimes painfully slow, because most hosts rate-limit ICMP error messages (as suggested in RFC 1812). The Linux kernel (in net/ipv4/icmp.h), for example, limits destination unreachable messages to 80 every 4 seconds, with a penalty delay if that is exceeded. Solaris is even stricter, allowing only about 2 ICMP unreachable messages per second, which makes scanning much slower. Nmap detects this rate limit and slows down accordingly, instead of flooding the network with useless packets that the target will just discard.
Microsoft, however, ignores the RFC 1812 suggestion and applies no rate limit at all, so all 65K ports of a Win95/NT host can be scanned very quickly.
-sA
ACK scan: an advanced method generally used to map firewall rule sets. In particular it helps determine whether a firewall is stateful or just a simple packet filter that blocks incoming SYN packets.
This scan sends an ACK packet (with random-looking acknowledgement/sequence numbers) to the specified ports. If a RST comes back, the port is classified as unfiltered. If nothing comes back, or an ICMP unreachable message arrives, the port is classified as filtered. Note that nmap normally does not print unfiltered ports, so it is usual for none of the probed ports to appear in the output. Obviously this scan can never show a port as open.
-sW
Window scan: an advanced technique very similar to the ACK scan, except that it can sometimes detect open ports as well as filtered/unfiltered ones, thanks to an anomaly in the TCP window size reporting of some operating systems. Affected systems include at least some versions of AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. A full list is available in the nmap-hackers mailing list archives.
-sR
RPC scan: used in combination with nmap's other port scan methods. It takes every port found open and sends it SunRPC program NULL commands to determine whether it is an RPC port and, if so, which program and version number it serves.
This gives you the same information as rpcinfo -p even when the target's portmapper is behind a firewall. Decoy scanning cannot be combined with RPC scanning yet.
-b
FTP bounce attack: an interesting feature of the FTP protocol (RFC 959) is its support for proxy FTP connections. In other words, I can connect to the FTP server target.com from evil.com and ask it to send files anywhere on the Internet on my behalf! That may have worked well in 1985, when RFC 959 was completed, but on today's Internet we cannot have people hijacking FTP servers and making them send data to arbitrary hosts. As Hobbit wrote in 1995, the protocol flaw "can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, hop firewalls, and be generally annoying and hard to track down at the same time." We can use it to scan TCP ports from a proxy FTP server: connect to an FTP server behind a firewall and then port-scan the hosts behind it. If the FTP server also allows reading from and writing to a directory, you can send arbitrary data to the ports you find open (though nmap does not do this for you).
The argument to -b is the FTP server you want to use as a proxy, in the form:
-b username:password@server:port
Everything but server is optional. If you want to know which servers are vulnerable to this, see my article in Phrack 51; the latest version is also on the nmap site.
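As an added example (not from the original article and not nmap's own code), here is what the bounce scan looks like at the FTP protocol level: the scanner sends PORT with the target's address encoded as h1,h2,h3,h4,p1,p2, then LIST, and reads the server's reply code to learn whether the proxy could connect to the target port. The reply codes are the standard RFC 959 values; the transcript embedded in the block is constructed for illustration, and the classification of codes into open/closed/proxy-refused is an assumption of this example.

```shell
#!/bin/sh
# FTP bounce scan mechanics, as an added illustration of nmap -b (not nmap's code).

# Encode target ip:port as the argument of the RFC 959 PORT command: h1,h2,h3,h4,p1,p2
# where port = p1 * 256 + p2.
ftp_port_arg() {
    ip=$1
    port=$2
    printf '%s,%s,%s\n' "$(printf '%s' "$ip" | tr . ,)" "$((port / 256))" "$((port % 256))"
}

# Classify the server's reply to LIST, sent right after PORT pointed the data connection
# at the target. The proxy server tries to connect to target:port; its reply code tells us
# whether that connection succeeded. (Assumed mapping for this example.)
bounce_state() {
    case $1 in
        150*|125*|226*) echo open ;;            # data connection established: target port accepted it
        425*)           echo closed ;;          # "Can't build data connection": target refused
        500*|501*|504*) echo proxy-refused ;;   # server rejects third-party PORT: no bounce possible
        *)              echo unknown ;;
    esac
}

# Constructed transcript of probes against 192.168.1.10 ports 22 and 23 through a proxy server.
# Lines prefixed C: are what the scanner sends, S: what the proxy FTP server replied.
BOUNCE_TRANSCRIPT=$(cat <<'EOF'
C: PORT 192,168,1,10,0,22
S: 200 PORT command successful.
C: LIST
S: 150 Opening ASCII mode data connection for file list.
S: 226 Transfer complete.
C: PORT 192,168,1,10,0,23
S: 200 PORT command successful.
C: LIST
S: 425 Can't build data connection: Connection refused.
EOF
)

# Walk the transcript: remember the last PORT target, classify the first reply to each LIST.
# Output: "<ip>:<port> <state>" per probe.
bounce_results() {
    target=""
    want=0
    printf '%s\n' "$BOUNCE_TRANSCRIPT" | while IFS= read -r line; do
        case $line in
            "C: PORT "*)
                arg=${line#C: PORT }
                target=$(printf '%s' "$arg" | awk -F, '{ print $1"."$2"."$3"."$4":"($5*256+$6) }')
                ;;
            "C: LIST"*)
                want=1
                ;;
            "S: "*)
                if [ "$want" -eq 1 ]; then
                    echo "$target $(bounce_state "${line#S: }")"
                    want=0
                fi
                ;;
        esac
    done
}
```

Run the file and call bounce_results to see "192.168.1.10:22 open" and "192.168.1.10:23 closed"; the point is that the proxy server's reply to LIST, not any packet from the target, is what reveals the port state, which is why the scan appears to come from the FTP server.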
4.2 General options
None of these are required, but some of them are quite useful.
-P0
Do not ping hosts before scanning them. Use this to scan networks whose firewalls do not let ICMP echo requests through. microsoft.com is an example, so you should always use -P0 or -PT 80 when scanning it.
-PT
Use TCP ping to determine which hosts are up before scanning. Instead of sending an ICMP echo request and waiting for a reply, nmap sends TCP ACK packets to the target network (or a single host) and waits for responses; a RST means the host is up. This is useful when the target blocks ping but still lets you scan it. For non-root users, connect() is used instead. You can set the destination port with -PT <port>; the default is 80, since that port is usually not filtered.
-PS
For root users, this option makes nmap use SYN (connection request) packets instead of ACK packets for host discovery. Hosts that are up respond with a RST (or a SYN/ACK).
-PI
Makes nmap use a true ping (ICMP echo request) to find hosts that are up. Besides finding live hosts, this also checks for subnet directed broadcast addresses on your target network: externally reachable IP addresses that turn a packet from outside into an IP broadcast delivered to a whole subnet. Such addresses should be removed, since they enable denial of service attacks (the smurf attack being the best known).
-PB
This is the default ping type. It uses the ACK (-PT) and ICMP (-PI) sweeps in parallel, so you still get through when a firewall filters one of them.
-O
Activates remote host identification via TCP/IP fingerprinting. Nmap sends a series of probes designed to elicit characteristic responses from the target's network stack, builds a fingerprint from the responses and compares it against its database of known operating system fingerprints to determine the target's operating system.
-I
Turns on nmap's reverse-ident scanning. As Dave Goldsmith noted in a 1996 Bugtraq post, the ident protocol (RFC 1413) reveals the username of the owner of any process connected via TCP, even if that process did not initiate the connection. So you can, for example, connect to the HTTP port and use identd to find out whether the server is running as root. This only works with a full TCP connection to the target port (i.e. the -sT scan option). With -I, the remote host's identd daemon is queried for the owner of the process listening on every open port. Obviously this does nothing if the remote host is not running identd.
-f
Makes nmap use tiny fragmented IP packets for the SYN, FIN, Xmas and Null scans. Splitting the TCP header over several packets makes it harder for packet filters and intrusion detection systems to work out what you are doing. Use this carefully, though! Some programs have trouble handling these tiny packets: my favorite sniffer segfaulted immediately on receiving the first 36-byte fragment, which is why nmap uses 24-byte fragments. Although packet filters and firewalls cannot easily defend against this, many networks disable fragmentation for performance reasons.
Note that this option is not available on all platforms. It works well on Linux, FreeBSD, OpenBSD and other UNIX systems.
-v
Verbose mode. Highly recommended: it prints details of what is going on as the scan proceeds, and you get a lot more out of nmap with it. Use -d for even more (debugging) output.
-h
Prints a quick reference of the options.
-oN <logfilename>
Logs the scan results in human-readable form to the file logfilename.
-oM <logfilename>
Logs the scan results in machine-parseable form to the file logfilename. You can give - as logfilename to send the machine-parseable output to standard output (stdout); in that case normal output is suppressed, while error messages still go to standard error (stderr). Note that if you also use -v, some extra information is still printed on the screen.
-oS <logfilename>
Logs the scan results to the file logfilename in "script kiddie" (l33t speak) form; the man page writes this entry in that dialect itself. Again, -oS - sends the output to standard output.
--resume <logfilename>
A network scan can be interrupted by control-C, a network outage and so on. This option lets you pick up where you left off. logfilename is the log file of the interrupted scan; it must be in normal (human-readable) or machine-parseable form. No new options may be given: the resumed scan uses the same options as the interrupted one. Nmap then resumes from the last host that was successfully scanned in the log file.
-iL <inputfilename>
Reads the scan targets from inputfilename. The file should contain a list of hosts or networks, separated by spaces, tabs or newlines. Use -iL - to read targets from standard input (stdin). See the target specification section for details.
-iR
Tells nmap to pick random hosts to scan (the examples section gives it a count, as in -iR 100000).
-p <port range>
Selects the ports to scan. For example, -p 23 scans only port 23 of the target host, and -p 20-30,139,60000- scans ports 20 through 30, port 139 and every port above 60000. By default nmap scans ports 1 through 1024 plus every port listed in the nmap-services file (found in /usr/share/nmap/ when installed from the RPM package).
-F
Quick scan mode, scans only the ports listed in the nmap-services file. Obviously faster than scanning all 65535 ports.
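The -p grammar above is simple enough to implement, and doing so shows how many probes a specification really turns into. The following is an added example, not code from the article or from nmap: it expands N, N-M and the open-ended N- forms with validation, and builds the default port set (1-1024 plus the TCP ports from nmap-services). The nmap-services excerpt embedded in the block is constructed for the example, not copied from the real file.

```shell
#!/bin/sh
# Expand an nmap -p style port specification into one port per line.
# Grammar handled (from the article): N, N-M, and the open-ended N- (meaning N..65535).

# True if $1 is an integer between 1 and 65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print every port covered by the specification; fail on an invalid item.
expand_ports() {
    spec=$1
    old_ifs=$IFS
    IFS=','
    set -- $spec        # split the spec on commas into positional parameters
    IFS=$old_ifs
    for item in "$@"; do
        case $item in
            *-*)
                lo=${item%%-*}
                hi=${item#*-}
                [ -z "$hi" ] && hi=65535      # "60000-" means 60000..65535
                ;;
            *)
                lo=$item
                hi=$item
                ;;
        esac
        if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "invalid port specification item: '$item'" >&2
            return 1
        fi
        seq "$lo" "$hi"
    done
}

# Number of ports a specification covers, i.e. how many probes per host the scan sends.
count_ports() {
    expand_ports "$1" | wc -l | tr -d ' '
}

# Constructed excerpt of an nmap-services file (name port/protocol), NOT the real file.
NMAP_SERVICES_SAMPLE='# service  port/proto
ftp        21/tcp
http       80/tcp
snmp       161/udp
mysql      3306/tcp
'

# Default port set when -p is absent: 1-1024 plus every TCP port in nmap-services, deduplicated.
default_ports() {
    {
        seq 1 1024
        printf '%s\n' "$NMAP_SERVICES_SAMPLE" | awk '$2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2 }'
    } | sort -un
}

default_port_count() {
    default_ports | wc -l | tr -d ' '
}
```

Calling count_ports '20-30,139,60000-' gives 5548, which makes the cost of an open-ended range obvious before you point it at a slow or rate-limited target; expand_ports rejects items such as 70000 or 30-20 instead of silently scanning something else.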
-D <decoy1 [,decoy2][,ME],...>
Scans the target network/host with decoys. From the target's point of view, the scan then appears to come from the decoy hosts (decoy1 and so on) as well as from you. So even if the target's IDS (intrusion detection system) raises an alert about the port scan, it cannot tell which of the addresses is the real scanner and which are innocent decoys. This defeats active defenses such as router tracing and response-dropping, and hides your IP address quite well.
Separate decoy hosts with commas. You can use ME as one of the decoys to stand for your own host, mixed in among the others. If you put ME in the sixth position or later, some common port scan detectors are unlikely to show your address at all. If you do not use ME, nmap puts your real address at a random position among the decoys.
Note that the hosts you use as decoys should be up, or you may accidentally SYN-flood the target. It is also obvious which host is scanning if only one of them is actually up on the network. You may also want to give the decoys as IP addresses rather than names, so the decoys' DNS server logs do not record you.
Also note that some (stupid) port scan detectors will firewall or refuse to route any host that tries to port-scan them. You could therefore inadvertently cut the target off from the decoy machines; if a decoy is the target's gateway, or the target itself, that causes real problems. Use this option with care.
Decoys are used both in the initial ping sweep and during the actual port scan. They can also be combined with the -O option.
Too many decoys will slow your scan and may make the results less accurate. Some ISPs also filter spoofed packets, though most currently do not.
-S <IP_Address>
In some circumstances nmap may be unable to determine your source address (it will tell you if this is the case). In that case use this option to give it your IP address.
This option is also used for spoofed scans, to make the target think that some other host is scanning it.
-e <interface>
Tells nmap which interface to send and receive packets on. Nmap normally detects this automatically and tells you if it cannot.
-g <portnumber>
Sets the source port number used in scans. Many naive firewall and packet filter rule sets allow incoming packets from DNS (53) or FTP-DATA (20) through, so an attacker who sets the source port to 20 or 53 can get past the firewall. For UDP scans try 53 first; for TCP scans try 20 first. Note that this is only a request, which nmap honors only when it can. For example, some probes cannot all be sent from a single source port, so nmap changes the source port in those cases even if you gave -g.
For some scans this option costs a little performance, because nmap sometimes keeps useful state about a particular source port.
-r
Tells nmap not to randomize the order in which ports are scanned.
--randomize_hosts
Tells nmap to shuffle the order of the hosts in each group of up to 2048 hosts before scanning them. This makes the scan less conspicuous to network monitors, especially when combined with the --scan_delay option.
-M <max sockets>
Sets the maximum number of sockets used in parallel for a TCP connect() scan. Use it to slow the scan down a little and avoid crashing the remote targets.
4.3 Timing options
Nmap generally does a good job of adjusting itself to the characteristics of the network. It tries to minimize the chance of being detected by the target while scanning as fast as possible. However, its default timing policy is sometimes not suited to your goals, and the following options give you control over the scan timing:
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Sets nmap's timing policy. Paranoid scans very slowly to avoid IDS detection: all scans are serialized and at least 5 minutes pass between packets. Sneaky is similar, but waits only 15 seconds between packets. Polite is meant to ease the network load and reduce the chance of crashing the target: it serializes the probes and waits at least 0.4 seconds between them. Normal is the default: nmap scans as fast as it can without overloading the network or missing hosts/ports. Aggressive adds a 5-minute timeout per host and never waits more than 1.5 seconds for a probe response. Insane is only suitable for very fast networks or where you do not mind losing some information: it times out each host after 75 seconds and waits only 0.3 seconds per probe. You can also refer to these modes by number: -T 0 is the same as -T Paranoid, -T 5 the same as -T Insane.
These timing modes cannot be combined with the fine-grained control options below.
--host_timeout <milliseconds>
Sets how long nmap spends on a single host, in milliseconds, before giving up on it. By default there is no timeout.
--max_rtt_timeout <milliseconds>
Sets the maximum time nmap waits for a probe response before retransmitting or timing out, in milliseconds. The default is around 9000 milliseconds.
--min_rtt_timeout <milliseconds>
When the target responds quickly, nmap shortens the per-probe timeout. This speeds up the scan, but can miss packets that take longer to arrive. With this option nmap waits at least the given number of milliseconds for each probe.
--initial_rtt_timeout <milliseconds>
Sets the initial probe timeout. This is generally only useful when scanning firewalled hosts with -P0. The default is 6000 milliseconds.
--max_parallelism <number>
Sets the maximum number of scans to run in parallel. --max_parallelism 1 means only one port is scanned at a time. This also applies to other parallel operations such as ping sweeps and RPC scans.
--scan_delay <milliseconds>
Sets the minimum amount of time nmap waits between probes. This is mainly useful for reducing network load.
4.4 Target specification
Of all nmap's arguments, only the targets are mandatory. In the simplest form you give a hostname or IP address on the command line. To scan a subnet, append /mask to the hostname or IP address. The mask ranges from 0 (scan every address) to 32 (scan only that host). Use /24 for a class C network and /16 for a class B.
Nmap also has a more powerful notation that gives you more flexibility in specifying addresses. For example, to scan the class B network 128.210.*.*, you can write 128.210.*.*, 128.210.0-255.0-255 or 128.210.0.0/16; all three are equivalent.
5. Examples
Each example shows the command (run as root), followed by what it does.
nmap -sP 192.168.1.0/24
Ping sweep: prints the hosts that responded, without any further testing (no port scan or OS detection).
nmap -sL 192.168.1.0/24
List scan: simply lists every host in the specified network without sending a single packet to the targets.
nmap -PS 192.168.1.234
TCP SYN ping: sends SYN packets to decide whether the host is up. You can give a comma-separated list of ports to probe (e.g. -PS22,23,25,80).
nmap -PU 192.168.1.0/24
UDP ping host discovery.
nmap -sS 192.168.1.0/24
The most commonly used scan: a SYN scan, also called a half-open scan, which never completes a TCP connection and runs very fast.
nmap -sT 192.168.1.0/24
TCP connect() scan, the default TCP scan when a SYN scan is not possible (i.e. when you lack raw socket privileges).
nmap -sU 192.168.1.0/24
UDP scan with -sU: sends an empty (no data) UDP header to every target port.
nmap -sO 192.168.1.19
IP protocol scan: determines which IP protocols (TCP, ICMP, IGMP, etc.) the target supports.
nmap -O 192.168.1.19
Detects the operating system of the target host.
nmap -A 192.168.1.19
Aggressive scan: enables operating system detection together with service version detection.
nmap -v scanme.nmap.org
Scans all reserved TCP ports on the host scanme.nmap.org; -v enables verbose mode.
nmap -sS -O scanme.nmap.org/24
Runs a stealth SYN scan against all 256 addresses of the class C network that scanme.nmap.org is on, and tries to determine the operating system of each host that is up. This requires root privileges because of the SYN scan and OS detection.
nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127
Does host enumeration and a TCP scan of the first half of each of the 255 eight-bit subnets in the 198.116 class B address space. It tests whether the systems are running sshd, DNS, pop3d, imapd or something on port 4564; for each open port, version detection is used to determine which application is listening.
nmap -v -iR 100000 -P0 -p 80
Picks 100000 hosts at random and scans them for web servers (port 80). Host discovery is disabled with -P0: sending a couple of probes first to see whether a host is up is wasteful when you only probe one port on each host anyway.
nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20
Scans 4096 IP addresses for web servers (without pinging them) and saves the output in grepable and XML formats.
host -l company.com | cut -d ' ' -f 4 | nmap -v -iL -
Does a DNS zone transfer to find the hosts in company.com, then feeds their IP addresses to nmap. The commands above are for GNU/Linux; other systems have different commands for zone transfers.
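The grepable (-oG) output written by the port-80 sweep above is meant to be post-processed, and the following added example (not from the article or from nmap) shows how: it pulls out the hosts with a given port in a given state and summarizes the states per port, which is the quickest way to tell a range sitting behind a filtering firewall from hosts that actively refuse. The -oG lines embedded in the block are constructed for the example; the field layout (tab-separated Host:/Ports: fields, each port entry as port/state/protocol/owner/service/rpcinfo/version/) is the format nmap writes.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG, older -oM) to pull out hosts by port state.
# Added example; the sample lines below are constructed, not real scan output.

# Constructed -oG lines for a port-80 sweep. Fields are tab-separated, as nmap writes them.
sample_gnmap() {
    printf '# Nmap scan initiated as: nmap -P0 -p80 -oG - 216.163.128.20/20 (constructed sample)\n'
    printf 'Host: 216.163.128.20 ()\tPorts: 80/open/tcp//http///\n'
    printf 'Host: 216.163.128.21 (web.example.test)\tPorts: 80/filtered/tcp//http///\n'
    printf 'Host: 216.163.128.22 ()\tPorts: 80/closed/tcp//http///\n'
    printf 'Host: 216.163.128.23 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\n'
    printf '# Nmap done -- 4096 IP addresses (4 hosts up) scanned\n'
}

# Print the IP address of every host whose Ports: field contains <port>/<state>/tcp.
# Usage: hosts_with_port_state PORT STATE   (reads -oG lines on stdin)
hosts_with_port_state() {
    awk -F '\t' -v want="$1/$2/tcp/" '
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 7) != "Ports: ") continue
                n = split(substr($i, 8), ents, ", ")
                for (j = 1; j <= n; j++)
                    if (index(ents[j], want) == 1) print ip   # anchored: 80/ does not match 180/
            }
        }'
}

# Count hosts per state for one TCP port; prints "state count" lines sorted by state.
# Usage: state_summary_for_port PORT   (reads -oG lines on stdin)
state_summary_for_port() {
    awk -F '\t' -v port="$1" '
        /^Host: / {
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 7) != "Ports: ") continue
                n = split(substr($i, 8), ents, ", ")
                for (j = 1; j <= n; j++) {
                    split(ents[j], f, "/")
                    if (f[1] == port && f[3] == "tcp") count[f[2]]++
                }
            }
        }
        END { for (s in count) print s, count[s] }' | sort
}

# Convenience wrappers over the constructed sample.
open_web_servers() { sample_gnmap | hosts_with_port_state 80 open; }
filtered_port80()  { sample_gnmap | hosts_with_port_state 80 filtered; }
port80_summary()   { sample_gnmap | state_summary_for_port 80; }
```

Against a real run, replace sample_gnmap with cat logs/pb-port80scan.gnmap; a summary dominated by filtered means the firewall is eating the probes (compare with an ACK scan), while closed means the hosts answered with RST and are simply not serving on that port.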
Thank you for reading. That is the whole of "how to use the nmap network scanning tool command in the Linux system"; after reading it you should have a better understanding of the nmap command, and the specific usage still needs to be verified in practice.
© 2024 shulou.com SLNews company. All rights reserved.