2025-02-22 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Nmap Network Security Audit (3): Port Scanning Technology
The concept of ports
There are 65536 ports in total (0-65535). Ports are the channels through which data enters and leaves a network device, and the exits through which a computer communicates with the outside world.
Many programs need to communicate over the network, and all of their traffic passes through the same network card. How is the traffic of one program told apart from that of another? The operating system handles this, and the mechanism it uses is the 65536 ports. A program adds a port number to each message it sends. When the operating system receives a message, it routes the message by port number to the program in memory that is currently using that port.
Classification of ports
According to the usage of ports, ports can be simply divided into three categories:
Well-known ports: these are the ports we use most often. Ports numbered 0-1024 are well-known ports. They are usually explicitly associated with the protocol of a particular service and generally do not change, for example the commonly used ports 80 (HTTP), 23 (Telnet) and 22 (SSH).
Registered ports: these port numbers range from 1025 to 49151. They are usually associated with some service, but the association is not strictly fixed, and different programs can define their own use according to the actual situation.
Dynamic / private ports: these port numbers range from 49152 to 65535. In general, common services should not use these ports, so they are easily overlooked.
In addition, ports can be divided by protocol into TCP ports and UDP ports. Both protocols belong to the transport layer and provide end-to-end service for the two sides of the communication.
Definition of Port State in Nmap
Six different states are given for ports in Nmap:
Open: an application on the target port is accepting TCP connections or UDP messages.
Closed: a closed port is not the same as a port that gives no response. A closed port is reachable: it receives Nmap's probe packets and responds to them, but no application is listening on it.
Filtered: Nmap cannot determine whether the port is open, usually because packet filtering on the network blocks its probes.
Unfiltered: this result is rare. It means the target port is reachable, but Nmap cannot tell whether it is open or closed. It usually occurs with ACK scans.
Open|filtered: Nmap cannot determine whether the port is open or filtered.
Closed|filtered: Nmap cannot determine whether the port is closed or filtered.
Various Port scanning techniques in Nmap
Nmap provides a large number of techniques for detecting port state. Because TCP is more complex than UDP, there are more detection methods for TCP than for UDP.
SYN scanning
SYN scanning is the most popular scanning method, and it is also the default scanning method adopted by Nmap. This scanning method is fast and can scan thousands of ports in a second.
First, Nmap sends a SYN packet requesting a connection to a port of the target host. If the port is open, the target replies with SYN/ACK. After receiving the SYN/ACK, Nmap sends a RST packet to tear the connection down instead of replying with ACK. In this way, the three-way handshake is never completed and a normal TCP connection is not established, so this scan will not be recorded in the system log.
When scanning with TCP SYN, you will have the following results:
| |
Connect scanning
Connect scanning is very similar to SYN scanning, except that this scanning method completes the TCP three-way handshake.
The Connect scan syntax is as follows:
nmap -sT 192.168.126.139
UDP scanning
There are three results when scanning a port using UDP scan:
Response from the target host: state of the target port
Any UDP reply from the target port: open
No response from the target host: open|filtered
ICMP port unreachable error (code 3): closed
ICMP unreachable error (code 1, 2, 9, 10, 13): filtered
The scanning speed of UDP is relatively slow. The syntax is as follows:
nmap -sU 192.168.126.139
It is really slow to wait for this result.
Many of the port states in this scan are filtered, but the real state of such a port may be open or closed, and further testing is needed to determine which. UDP services generally do not respond to the empty packets that Nmap sends by default; each UDP program expects packets in its own format. To send a suitable packet to every common UDP service, Nmap needs a large database of these formats, which it stores in nmap-service-probes. We can use the -sV or -A parameter, and Nmap will send UDP probes to each open|filtered port. If the target port responds to any probe, its state is changed to open.
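The following is an added example, not code from the original article: it reproduces the UDP result table on loopback only and shows why a service that expects its own packet format looks open|filtered to an empty probe. The toy service, its PING/PONG format and the function names are assumptions made for the illustration.

```python
import socket
import threading

def start_toy_service():
    """Constructed UDP service on loopback: answers only datagrams starting with b'PING'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                    # the OS picks a free port
    def loop():
        while True:
            try:
                data, peer = srv.recvfrom(512)
            except OSError:                       # socket closed: stop serving
                return
            if data.startswith(b"PING"):
                srv.sendto(b"PONG", peer)         # empty or malformed input is ignored
    threading.Thread(target=loop, daemon=True).start()
    return srv

def udp_state(port, payload=b"", timeout=0.5):
    """Classify one loopback UDP port the way the table above does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))            # a connected socket surfaces ICMP errors
        s.send(payload)
        s.recv(512)
        return "open"                             # any UDP reply
    except socket.timeout:
        return "open|filtered"                    # silence: listening or dropped
    except ConnectionRefusedError:
        return "closed"                           # ICMP port unreachable (code 3)
    finally:
        s.close()

def demo():
    """Return states for: empty probe, service-format probe, unused port."""
    srv = start_toy_service()
    live = srv.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    dead = spare.getsockname()[1]
    spare.close()                                 # nothing listens on this port now
    result = (udp_state(live), udp_state(live, b"PING"), udp_state(dead))
    srv.close()
    return result
```

The same listening port is reported as open|filtered for the empty datagram and as open once the probe matches the format the service expects, which is the effect -sV relies on.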
TCP FIN scanning
The TCP FIN scan method sends a FIN packet to the destination port. According to RFC 793, the target system should return a packet with the RST flag for all closed ports.
The syntax for scanning a port using TCP FIN is as follows:
nmap -sF 192.168.126.139
NULL scanning
The TCP NULL scanning method sends a packet that does not contain any flags to the destination port. According to RFC 793, the target host should return the RST flag for all closed ports.
The syntax for scanning a port using TCP NULL is as follows:
nmap -sN 192.168.126.139
Xmas Tree scanning
The TCP Xmas Tree scanning method sends a packet containing the FIN, URG and PUSH flags to the destination port. According to RFC 793, the target system should return the RST flag for closed ports.
The syntax for scanning a port using TCP Xmas Tree is as follows:
nmap -sX 192.168.126.139
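The following is an added example, not code from the original article: detection logic for the SYN, FIN, NULL and Xmas scans described above, run over a constructed packet list. A half-open scan never reaches the application's accept log, but a sensor on the network path still sees the SYN, SYN/ACK, RST sequence. The addresses 10.0.0.5 and 10.0.0.9, the record layout and the function name are assumptions.

```python
from collections import defaultdict

# Constructed sample: (src, sport, dst, dport, TCP flags) in capture order.
# Flag letters: S=SYN A=ACK R=RST F=FIN P=PSH U=URG; "" means no flags set.
SCANNER, TARGET, CLIENT = "10.0.0.5", "192.168.126.139", "10.0.0.9"
PACKETS = [
    (SCANNER, 40001, TARGET, 22, "S"), (TARGET, 22, SCANNER, 40001, "SA"),
    (SCANNER, 40001, TARGET, 22, "R"),            # half-open: RST instead of ACK
    (SCANNER, 40002, TARGET, 23, "S"), (TARGET, 23, SCANNER, 40002, "RA"),
    (SCANNER, 40003, TARGET, 80, "F"),            # FIN probe, no prior SYN
    (SCANNER, 40004, TARGET, 81, ""),             # NULL probe
    (SCANNER, 40005, TARGET, 82, "FPU"),          # Xmas probe
    (TARGET, 82, SCANNER, 40005, "RA"),
    (CLIENT, 50000, TARGET, 80, "S"), (TARGET, 80, CLIENT, 50000, "SA"),
    (CLIENT, 50000, TARGET, 80, "A"),             # normal completed handshake
    (CLIENT, 50000, TARGET, 80, "FA"),            # normal teardown, not a FIN probe
]

# Flag sets that never open a legitimate connection.
STEALTH = {frozenset("F"): "fin", frozenset(): "null", frozenset("FPU"): "xmas"}

def detect_scans(packets):
    """Return {source: {technique: sorted destination ports}}."""
    state = {}                                    # flow -> "syn" | "synack" | "open"
    hits = defaultdict(lambda: defaultdict(set))
    for src, sport, dst, dport, flags in packets:
        fl = frozenset(flags)
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if fl == {"S"}:
            state[flow] = "syn"
        elif fl == {"S", "A"} and state.get(reverse) == "syn":
            state[reverse] = "synack"             # the port answered: it is open
        elif state.get(flow) == "synack":
            if "R" in fl:                         # client reset before sending ACK
                hits[src]["syn-half-open"].add(dport)
                del state[flow]
            elif "A" in fl:
                state[flow] = "open"
        elif flow not in state and reverse not in state and fl in STEALTH:
            hits[src][STEALTH[fl]].add(dport)     # no handshake was seen for this flow
    return {s: {t: sorted(p) for t, p in by.items()} for s, by in hits.items()}
```

On a real capture, flows whose handshake predates the capture would also match the FIN rule, so a production rule would additionally require several distinct ports per source before alerting.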
nmap -F 192.168.126.139
2. Scan a specified port
nmap -p 8080 192.168.126.139  # -p is followed by the specified port number
3. Specify the ports to scan by name
nmap -p dns,http 192.168.126.139  # -p is followed by port names, multiple ports separated by commas
4. Specify the ports to scan by protocol
nmap -sU -sT -p U:53,T:22 192.168.126.139  # scan UDP port 53 and TCP port 22 on target 192.168.126.139; mixing U: and T: requires -sU plus a TCP scan type
5. Scan all ports
nmap -p "*" 192.168.126.139  # use with caution; the * is quoted so the shell does not expand it
6. Scan common ports
nmap --top-ports 20 192.168.126.139  # scan the top 20 ports; set the number according to your own needs. The default is 10.
Due to the strict inspection of the system, some articles have been deleted, please understand.