Nmap bypasses the firewall

2025-01-16 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Http://www.verycheck.net/blog/?p=140

Nmap is a powerful tool for port scanning, service detection and even vulnerability scanning. The first part of this article covered Nmap's basic concepts and commands; this second part covers some of its more advanced techniques.

Firewalls and IDS are a central part of how a remote target resists unwanted traffic. Because these devices and software packages are very effective at blocking probes, you need to get past them during a test to obtain accurate results; otherwise the scan output may send you in the wrong direction. Nmap can scan through a target's firewall and other detection systems because it implements several techniques designed to get around them, and which technique works depends on what is running on the remote side. Two kinds of firewall may be protecting the target computer:

1. Host-based firewall (a firewall running on the individual target computer, like the one running on your own machine)

2. Network-based firewall (a firewall that protects a whole network and is deployed at a network node, such as a gateway or perimeter router)

IDS/IPS come in the same two flavours, host-based and network-based, and both also have to be dealt with during a test. Nmap offers several techniques for handling these situations, introduced below.

TCP ACK Scan (-sA)

This scan sends TCP packets with only the ACK flag set instead of SYN packets. A stateless firewall typically filters on the SYN flag and lets ACK packets through, and a host that receives an unexpected ACK answers with a RST whether the port is open or closed. Nmap therefore learns which ports the firewall lets through, not which ports are open. A TCP ACK scan requires root privileges (Nmap has to build raw packets), and it works well against stateless firewalls and IDS; a stateful firewall drops the bare ACK, so behind one every port appears filtered. As a tester you need to read the responses in terms of Nmap's four port states:

1. Open: an application on the target is accepting connections on the port (and the firewall, if any, allows it).

2. Closed: the port is reachable, but nothing is listening on it.

3. Filtered: a firewall or other filter dropped the probe, so Nmap cannot tell whether the port is open or closed.

4. Unfiltered: the port is reachable (a RST came back), but Nmap cannot tell whether it is open or closed.

An ACK scan reports only the last two of these states. It differs from other scan types in that it cannot find open ports by design; what it does well is sort ports into filtered and unfiltered, which is exactly what you need to map a firewall's rule set. Compare two ACK scans of the same host, one with its firewall off and one with it on: with the firewall off every probed port comes back unfiltered (a RST was received), and with it on the ports the firewall blocks come back filtered.

With the ACK scan it is now easy to find out whether a firewall sits in front of the target: because no connection is ever established, the scan is less likely to be noticed by the target's applications, yet it has a good chance of revealing the firewall's rules. Running a SYN scan with the firewall on and then off shows the same thing from the other side: the ports the firewall blocks show up as filtered rather than open or closed.

TCP Window Scan (-sW)

The TCP window scan is identical to the ACK scan except for one thing: it examines the TCP window field of each RST that comes back. On some operating systems an open port answers with a positive window and a closed port with a zero window, so the window scan can split the unfiltered ports into open and closed. It also requires root privileges. The probes are bare ACK packets answered by bare RST packets, so no session is ever opened on the target and nothing appears in application logs; a firewall or IDS that logs at packet level can still record the probes. The responses are interpreted as follows: RST with a positive window, open; RST with a zero window, closed; no response or an ICMP unreachable, filtered. Systems that always answer with a zero window make every port look closed, so treat an all-closed result from -sW with suspicion.

Fragment Packets (-f)

This is a general-purpose technique that applies in many situations. Fragmentation gets past a firewall or IDS that inspects packets individually without reassembling IP fragments first. The -f option splits each probe into IP fragments carrying 8 bytes of the transport header each, so the TCP ports and the TCP flags land in different fragments and no single fragment contains enough of the header to match a filter rule. Giving -f twice (-ff) raises the fragment size to 16 bytes, and --mtu lets you choose any multiple of 8. Two caveats: modern firewalls and end hosts reassemble fragments before filtering, so this only helps against devices that do not, and some scanning hosts (Linux with iptables connection tracking loaded, for example) reassemble Nmap's outgoing fragments in the kernel before they leave, so verify with a packet capture that the probes really went out fragmented.

Spoof MAC Address (--spoof-mac)

This is a simpler technique: you forge the source MAC address of your frames, which makes it harder for the target to trace where the probes came from. Nmap can pick a completely random MAC address for each scan (pass 0), pick a random address belonging to a given vendor, or use an address you specify in full, which lets you impersonate a machine on the same network. For the vendor option, Nmap has a database called nmap-mac-prefixes; give it a vendor name or prefix and it generates an address with a matching prefix. Note that the MAC address lives only in the Ethernet frame and is rewritten at every router hop, so spoofing it only matters when the target is on the same layer-2 segment.

Nmap Timing Options

Timing is an important and useful Nmap feature, because sometimes you need a delay between probes.
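The following is an added example, not code from this article or from the Nmap project. It encodes the decision rules described above for the ACK scan and the window scan (any RST means unfiltered; silence or an ICMP unreachable means filtered; -sW then reads the window of the RST), and it summarises a -sA run to show the firewall-on versus firewall-off comparison in code. The XML at the bottom is a constructed sample of Nmap's -oX output, not a real scan; the verdict strings and the "icmp-unreachable" reason label are this example's own wording.

```python
"""Interpreting TCP ACK (-sA) and TCP Window (-sW) scan replies the way Nmap does,
and summarising a -sA run to see whether a firewall is selectively filtering.

Added example, not code from this article or from the Nmap project. The
decision rules are the ones documented for Nmap; the XML at the bottom is a
constructed sample of -oX output, not a real scan.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

# ICMP type 3 codes that Nmap treats as "filtered" for ACK/Window probes:
# host, protocol and port unreachable plus the administratively-prohibited codes.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}

# Verdict wording is this example's own, not an Nmap output string.
VERDICT_NONE = "no filtering seen"
VERDICT_SELECTIVE = "selective filtering"
VERDICT_ALL = "everything filtered"


@dataclass
class ProbeReply:
    """What came back for one ACK probe; leave everything unset for no reply."""
    tcp_flags: str = ""                # flags of a TCP reply, e.g. "R" or "RA"
    tcp_window: Optional[int] = None   # window field of that reply
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def ack_scan_result(reply: ProbeReply) -> Tuple[str, str]:
    """-sA rule: any RST means the probe reached the host (unfiltered); silence
    or an ICMP unreachable means something in between dropped it (filtered).
    An ACK scan never says whether a port is open or closed."""
    if "R" in reply.tcp_flags:
        return "unfiltered", "reset"
    if reply.icmp_type == 3 and reply.icmp_code in FILTERED_ICMP_CODES:
        return "filtered", "icmp-unreachable"   # Nmap prints a finer-grained reason
    return "filtered", "no-response"


def window_scan_result(reply: ProbeReply) -> Tuple[str, str]:
    """-sW rule: same as -sA, then read the window of the RST. A positive
    window means open and zero means closed on the stacks that behave this
    way; stacks that always answer with window 0 make every port look closed."""
    state, reason = ack_scan_result(reply)
    if state != "unfiltered":
        return state, reason
    return ("open" if (reply.tcp_window or 0) > 0 else "closed"), reason


# Constructed -sA output: two ports answered with RST, two were filtered.
SAMPLE_ACK_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sA -p 22,80,443,8080 192.0.2.10">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="80"><state state="unfiltered" reason="reset" reason_ttl="64"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="admin-prohibited" reason_ttl="63"/></port>
</ports></host></nmaprun>
"""


def summarize_ack_scan(xml_text: str) -> Dict[str, Dict]:
    """Group the ports of each host by state and decide what the mix implies."""
    summary: Dict[str, Dict] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        by_state: Dict[str, List[int]] = {"unfiltered": [], "filtered": []}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            by_state.setdefault(state, []).append(int(port.get("portid")))
        unfiltered = sorted(by_state["unfiltered"])
        filtered = sorted(by_state["filtered"])
        if unfiltered and filtered:
            verdict = VERDICT_SELECTIVE   # a firewall permits some ports only
        elif unfiltered:
            verdict = VERDICT_NONE        # no firewall, or a stateless one passing ACKs
        else:
            verdict = VERDICT_ALL         # stateful firewall dropping bare ACKs, or host down
        summary[addr] = {"unfiltered": unfiltered, "filtered": filtered, "verdict": verdict}
    return summary


if __name__ == "__main__":
    for addr, info in summarize_ack_scan(SAMPLE_ACK_XML).items():
        print(addr, info)
```

Run a real scan with `-oX` and feed the file to summarize_ack_scan to get the same split; an "everything filtered" verdict is the signature of a stateful firewall (or a down host), and is the case where switching to -sW gains nothing.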
There are many reasons for this, but the most important is the network: sometimes the target host, or the network in between, cannot handle a burst of probes. As a tester you must make sure your scan does not turn into a denial of service (DoS), so pacing your probes is an important part of the scan. Nmap has many timing parameters (the -T0 to -T5 templates set an overall profile), and fragmentation (-f) is also a useful technique for splitting up your probes. The other important parameters are discussed below.

Scan Delay (--scan-delay)

This parameter gives you control over the time between consecutive probes to a host: you pass an integer for the interval you want. Do not forget the time unit: ms for milliseconds (e.g. 5ms), s for seconds (5s), m for minutes (5m) or h for hours (5h).

Host Timeout (--host-timeout)

When you scan a local network, one host sometimes takes a very long time to respond, and waiting on a single host is painful. There are many reasons for a slow response, such as poor connectivity or a firewall silently dropping probes; if you do not want to waste more time on it, set a limit with this option and Nmap gives up on the host once it is exceeded. It takes the same time units as --scan-delay.

Nmap Scripting

The Nmap Scripting Engine (NSE) is one of Nmap's best features. Scripts are very useful for testers because they save a great deal of time and manual work. At the time of writing the engine ships with more than 400 scripts, and you can write your own; anyone can write scripts and submit them to the engine to help other testers in the community. Scripts are selected with --script, and they cover many different functions, from vulnerability scanning to exploitation and from malware detection to brute-force attacks.
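The fragmentation option mentioned above is easier to reason about when you see where the TCP header bytes end up. The following added example (not code from the article or from Nmap) builds a minimal TCP SYN probe header and splits it the way -f (8 bytes per fragment), -ff (16 bytes) and --mtu do, using IP fragment offsets in 8-byte units with the More Fragments flag on every fragment but the last. It then shows what a filter that inspects only the first fragment can see (ports yes, flags no) versus what the end host sees after reassembly. The option-to-size mapping follows the Nmap reference guide; the header contents are constructed for illustration.

```python
"""How Nmap's -f / -ff / --mtu fragmentation hides a TCP probe from a filter
that inspects fragments individually.

Added example, not code from the article or from Nmap. Fragment sizes follow
the Nmap reference guide (-f: 8 data bytes per fragment, -ff: 16, --mtu: any
multiple of 8); the SYN probe header is constructed here for illustration.
"""
import struct
from typing import Dict, List

FRAGMENT_BYTES = {"-f": 8, "-ff": 16}   # transport bytes per fragment
TCP_FLAGS_OFFSET = 13                   # flags byte sits 13 bytes into the TCP header
TCP_PORTS_END = 4                       # source and destination port occupy bytes 0-3
TCP_SYN = 0x02


def build_tcp_header(sport: int, dport: int, flags: int, window: int = 1024) -> bytes:
    """Minimal 20-byte TCP header with no options. Checksum is left zero
    because the point is the byte layout, not a sendable packet."""
    data_offset = 5 << 4   # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, window, 0, 0)


def fragment(transport: bytes, frag_size: int) -> List[Dict]:
    """Split transport-layer bytes into IP fragments. Offsets are in 8-byte
    units as in the IP header, and every fragment but the last sets MF."""
    if frag_size <= 0 or frag_size % 8:
        raise ValueError("fragment payload must be a positive multiple of 8")
    frags = []
    for start in range(0, len(transport), frag_size):
        frags.append({
            "offset": start // 8,
            "mf": start + frag_size < len(transport),
            "data": transport[start:start + frag_size],
        })
    return frags


def fragment_like_nmap(transport: bytes, option: str) -> List[Dict]:
    """option is '-f', '-ff' or '--mtu N' (N a multiple of 8, as Nmap requires)."""
    if option.startswith("--mtu"):
        size = int(option.split()[1])
    else:
        size = FRAGMENT_BYTES[option]
    return fragment(transport, size)


def first_fragment_view(frags: List[Dict]) -> Dict[str, bool]:
    """What a stateless filter that never reassembles can match on: only the
    offset-0 fragment can carry the ports or the flags."""
    first = frags[0]["data"]
    return {
        "ports_visible": len(first) >= TCP_PORTS_END,
        "flags_visible": len(first) > TCP_FLAGS_OFFSET,
    }


def reassemble(frags: List[Dict]) -> bytes:
    """What the end host (or a reassembling firewall) sees. Nmap's fragments
    never overlap, so simple concatenation in offset order is enough."""
    return b"".join(f["data"] for f in sorted(frags, key=lambda f: f["offset"]))


def tcp_flags(header: bytes) -> int:
    return header[TCP_FLAGS_OFFSET]


if __name__ == "__main__":
    syn = build_tcp_header(40000, 80, TCP_SYN)
    for opt in ("-f", "-ff", "--mtu 24"):
        frags = fragment_like_nmap(syn, opt)
        print(opt, len(frags), "fragments, first fragment shows", first_fragment_view(frags))
```

With -f the 20-byte header becomes three fragments and the SYN flag sits in the second one, so a filter rule such as "drop SYN to port 8080" cannot fire on any single fragment; with -ff the first fragment already holds the flags, which is why -f is the stronger evasion and -ff only a fallback for paths that reject 8-byte fragments.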
In this section we discuss some useful Nmap scripts and what they do.

smb-check-vulns: an important script that checks a Windows SMB service for the following:

1. MS08-067, an exploitable Windows vulnerability
2. Conficker malware on the target machine
3. A denial-of-service vulnerability in Windows 2000 (the regsvc DoS check)
4. MS06-025, a Windows vulnerability
5. MS07-029, a Windows vulnerability

It finds these on a target easily, and the vulnerabilities it reports can then be exploited with Metasploit. Note that in Nmap 7.0 and later this script was split into separate smb-vuln-* scripts, one per check.

http-enum: if you want to enumerate the directories of a web site on a web server, this script does the job well. It walks a list of common paths and also reports the applications it recognises at the paths it finds.

samba-vuln-cve-2012-1182: checks whether the target's Samba is affected by the heap overflow CVE-2012-1182.

smtp-strangeport: many organizations deliberately run their SMTP service on a non-default port for security reasons; this script reports when SMTP is found running on a port other than the standard one.

http-php-version: obtains PHP version information from a web server. Software version information is important for penetration testers looking for vulnerabilities, so this script is very helpful in web application testing.

The Nmap script engine also contains many test scripts for specific software platforms you will actually encounter. For example, if you want to test a WordPress-based web site, you can use the following scripts:

1. http-wordpress-plugins
2. http-wordpress-enum
3. http-wordpress-brute

dns-blacklist: the best script I have seen for finding out whether an IP address is blacklisted. All you need to do is provide the IP address, and the script checks it against the DNS anti-spam and open-proxy blacklists.

This article has covered the important parts of Nmap from entry level to advanced use, so that readers without prior knowledge of it can learn from it.
