What are the common uses of nmap software

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article walks through the common uses of nmap in some detail, from host discovery and port scanning to version and OS detection, firewall evasion and the scripting engine, and is intended as a practical reference.

Common usage

1. Use nslookup to resolve a domain name to its IP address.

2. Use nmap -sL to list the IP addresses contained in a network segment (list scan: no probes are sent and liveness is not checked; nmap only enumerates the targets and does reverse DNS lookups on them).

3. Use nmap -sn to check which hosts are alive, for a single host or for a whole segment (ping scan: host discovery only, no port scan).

nmap -sn

Nmap uses two different discovery methods, chosen by whether the source and destination are in the same network segment (i.e. whether the target is on the local LAN).

When the destination host is not on the same segment as the source host:

Nmap (run with raw-socket privileges) sends four different probes to determine whether the target is online:

1) an ICMP echo request

2) a TCP SYN packet to port 443

3) a TCP ACK packet to port 80

4) an ICMP timestamp request

A reply to any one of the four marks the host as up. Without root privileges nmap cannot craft raw packets and falls back to connect() attempts to ports 80 and 443 instead.

For example, scanning a public IP:

nmap -sn IP

When the destination host is on the same segment as the source host:

nmap -sn 192.168.1.103

Nmap checks whether the IP is online by sending an ARP request. On a LAN this is both faster and more reliable than ICMP, since a host that drops ICMP echo requests still has to answer ARP.

4. Scan the ports of a host of interest

Note that before nmap scans any ports it automatically performs host discovery on the target IP. If the target is found not to be alive, the port scan is skipped. This discovery phase uses the same probes as the -sn scan above, but is run automatically by nmap; the capture shows the probes being sent twice before the host is declared down.

The following is the packet trace for a non-responding IP. nmap -sS -p 80 [ip] is used to scan port 80, but nmap first checks whether the host is alive.

nmap -sS -p 80 [ip] # scan TCP port 80

This is the returned result: nmap reports the host as down and never sends the port probe. For such hosts it is recommended to use -Pn, which tells nmap to skip host discovery and scan the ports directly.

The following figure shows scanning port 80 with the -Pn option:

nmap -Pn -sS -p 80 113.11.

In the nmap output the port is reported as filtered, i.e. its state could not be determined, while the host is reported as up.

From the packet capture, however, the host sent nothing back at all: no reply to the SYN probe, so the port is either filtered (dropped by a firewall) or there is no host behind the address, and no other packet from that IP was seen. The "Host is up" line is therefore not a measurement. With -Pn nmap assumes every target is up by definition (nmap --reason and the XML output record the reason as "user-set") rather than proving it. The capture also shows that nmap retransmits the probe when it gets no answer (two SYN packets appear). When no reply arrives after the retry, the probe was dropped by a firewall or similar device; had the port merely been closed, the host would have answered with a RST and nmap would have reported the port as closed.

Description of nmap port scan results:

Nmap places each probed port into one of six states:

open: the port is open; an application is accepting connections on it.

closed: the port is reachable, but no application is listening on it.

filtered: a firewall, IDS/IPS or other filter is dropping the probes, so nmap cannot tell whether the port is open.

unfiltered: the port is reachable (not filtered), but whether it is open or closed could not be determined; only the ACK scan reports this state.

open|filtered: nmap cannot tell whether the port is open or filtered. This is reported by scan types where an open port sends no reply, such as UDP, FIN, NULL and Xmas scans.

closed|filtered: nmap cannot tell whether the port is closed or filtered; only the idle scan reports this state.
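In practice these states are consumed from nmap's machine-readable output rather than read off the screen. The following Python script is added here as an example; it is not code from the article or from the Nmap project. It reads nmap's XML output (-oX), summarises the port states per host, and also reads the reason attribute of the host status: nmap records reason="user-set" when -Pn made it assume the host was up, which is exactly the situation described in section 4 above. The embedded XML is a constructed sample in nmap's real output layout; its addresses and ports are illustrative only.

```python
"""Summarise an nmap XML report (-oX) and flag hosts whose 'up' status was assumed.

Added example (Python); not from the original article or the Nmap project.
SAMPLE_XML is a constructed sample in the real nmap -oX layout; the addresses
and ports in it are illustrative only.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one host found via ARP, one scanned with -Pn (reason="user-set").
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p 22,80,443 192.168.1.103">
  <host>
    <status state="up" reason="arp-response" reason_ttl="0"/>
    <address addr="192.168.1.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset" reason_ttl="64"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set" reason_ttl="0"/>
    <address addr="198.51.100.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of per-host dicts: address, up-status reason, port states."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),   # syn-ack, reset, no-response, ...
            })
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "state": status.get("state"),
            # "user-set" means -Pn was used: nmap did not verify that the host is up.
            "up_assumed": status.get("reason") == "user-set",
            "ports": ports,
        })
    return hosts


def summarize(hosts):
    """Per-host Counter of port states plus a flag for assumed-up hosts that never answered."""
    summary = {}
    for h in hosts:
        counts = Counter(p["state"] for p in h["ports"])
        all_filtered = bool(h["ports"]) and counts["filtered"] == len(h["ports"])
        summary[h["addr"]] = {
            "counts": counts,
            "up_assumed": h["up_assumed"],
            # An assumed-up host with nothing but filtered ports may simply not exist.
            "possibly_dead": h["up_assumed"] and all_filtered,
        }
    return summary


if __name__ == "__main__":
    for addr, info in summarize(parse_nmap_xml(SAMPLE_XML)).items():
        print(addr, dict(info["counts"]),
              "up assumed:", info["up_assumed"],
              "possibly dead:", info["possibly_dead"])
```

The possibly_dead flag is the programmatic form of the caveat in section 4: when every port of a -Pn target is filtered and the host never answered anything, "Host is up" should not be taken at face value.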

Common nmap port scanning options:

-p: specify the port(s) to scan. If no port is given, nmap scans the 1000 most commonly used ports of the protocol in question (TCP or UDP, depending on the scan type).

-F: fast mode; when no port is specified, scan only the top 100 ports.

-sS: TCP SYN scan; no full TCP connection is established.

-sT: TCP connect scan; a full TCP connection is established with the 3-way handshake.

-sU: UDP port scan.

Other scan types:

-sA/-sW/-sM: scan the target with ACK, Window or Maimon probes.

-sN/-sF/-sX: TCP NULL, FIN and Xmas stealth scans, which help determine the port state on the other side.

--scanflags: use custom TCP flags in the probes.

-sI: idle scan, provided a suitable zombie host is available.

-sY/-sZ: SCTP INIT and COOKIE-ECHO scans for open SCTP ports.

-sO: IP protocol scan, to determine which IP protocols the target supports.

-b: FTP bounce scan.

Port scanning principle

TCP SYN scanning

This is Nmap's default scan type (when run with raw-socket privileges) and is often called half-open scanning. It sends a SYN to the target port: a SYN/ACK reply means the port is open; a RST means it is closed; no reply, or an ICMP unreachable error, means the port is filtered. When a SYN/ACK arrives nmap answers with a RST instead of completing the handshake, so no TCP connection is ever established. Because the connection is never completed, the application behind the port does not see it, which makes the scan relatively stealthy, fast, and usable against any compliant TCP stack.

Packet capture: TCP SYN scan, port closed (the SYN is answered with a RST).

Packet capture: TCP SYN scan, port open (the SYN is answered with SYN/ACK, which the scanner tears down with a RST).

TCP connect scanning

The TCP connect scan uses the operating system's connect() call to open a connection to the target port. If the connection succeeds the port is open; if it is refused the port is closed. It is slower, and because a full TCP connection is completed, the target application sees the connection and may log it, so it is less stealthy. It is therefore the fallback when a SYN scan cannot be used, for example when nmap runs without the privileges needed to send raw packets.

Packet capture: TCP connect scan, port closed.

Packet capture: TCP connect scan, port open (full 3-way handshake completed).

TCP ACK scanning

Send an ACK packet to the target port. If a RST comes back, the port is not blocked by a firewall (unfiltered); if nothing comes back, or an ICMP unreachable error is returned, the port is filtered. This method cannot distinguish open from closed ports; it only tells whether a (stateful) firewall filters the port, and is used alongside a SYN scan to map the target's firewall rules.

Packet capture: TCP ACK scan, port filtered (no reply).

Packet capture: TCP ACK scan, port unfiltered (RST received).

TCP FIN/Xmas/NULL scanning

These three scan types are called stealth scans because they are relatively quiet. They send a TCP FIN packet, an Xmas tree packet or a NULL packet to the target port. A RST reply means the port is closed; no reply means the port is open or filtered (open|filtered). They rely on RFC 793 behaviour: a closed port must answer a segment that carries no SYN, RST or ACK with a RST, while an open port must drop it silently. Windows and a number of other stacks answer with a RST in both cases, so against those systems every port appears closed and the result is meaningless.

An Xmas tree packet is a TCP packet with the FIN, PSH and URG flags set; a NULL packet is one with no flags set at all.

Packet capture: TCP FIN scan, port closed (RST received).

Packet capture: TCP FIN scan, port open or filtered (no reply).

UDP scanning

UDP scanning determines the state of UDP ports. A probe is sent to the target UDP port (an empty datagram, or a protocol-specific payload for well-known ports). If an ICMP port unreachable error (type 3, code 3) comes back, the port is closed; if another ICMP unreachable error (type 3, code 1, 2, 9, 10 or 13) comes back, it is filtered; if a UDP reply comes back, the port is open; if nothing comes back, the port is open or filtered. Open UDP ports are thus found largely by exclusion, and because many systems rate-limit ICMP error messages, UDP scans of many ports are slow.

Packet capture: UDP port closed (ICMP port unreachable received).

Packet capture: UDP port open or filtered (no reply).
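To tie the scan types above together, here is a Python model of their decision rules, written for this article and not taken from Nmap's code. It classifies one port from the replies received to a probe and its retries, following the rules stated in the sections above plus nmap's documented treatment of ICMP unreachable codes; the Response type, the scan names and the sample replies are this example's own.

```python
"""Port-state decision rules for nmap's main scan types (added example, not Nmap code).

Models one probe/response exchange per port, including retries, and returns the
nmap state the sections above describe for SYN, connect, ACK, FIN/NULL/Xmas and
UDP scans. The Response type and scan names are this example's own.
"""
from dataclasses import dataclass


@dataclass
class Response:
    """A reply seen by the scanner. proto is 'tcp', 'udp' or 'icmp'."""
    proto: str
    tcp_flags: str = ""   # e.g. "SA" for SYN/ACK, "RA" for RST/ACK
    icmp_type: int = 0
    icmp_code: int = 0


# ICMP destination-unreachable codes (type 3) that nmap treats as 'filtered'.
# Code 3 (port unreachable) is included for TCP scans; for UDP it means 'closed'.
UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}

# State reported when nothing at all comes back after every retry.
NO_REPLY_STATE = {
    "syn": "filtered",
    "connect": "filtered",
    "ack": "filtered",
    "fin": "open|filtered",      # also NULL and Xmas
    "udp": "open|filtered",
}


def classify(scan: str, responses) -> str:
    """Return nmap's port state for one port, given the replies to all retries.

    'responses' is one entry per probe sent; None means that probe got no reply.
    """
    if scan not in NO_REPLY_STATE:
        raise ValueError(f"unknown scan type {scan!r}")
    reply = next((r for r in responses if r is not None), None)
    if reply is None:
        return NO_REPLY_STATE[scan]

    if reply.proto == "icmp" and reply.icmp_type == 3:
        if scan == "udp" and reply.icmp_code == 3:
            return "closed"                       # port unreachable: no listener
        if reply.icmp_code in UNREACH_FILTERED:
            return "filtered"                     # a router/firewall rejected the probe

    if scan == "udp":
        # Any UDP datagram from the port means a service answered the probe.
        return "open" if reply.proto == "udp" else "filtered"

    if reply.proto != "tcp":
        return "filtered"

    flags = set(reply.tcp_flags)
    if scan in ("syn", "connect"):
        if "S" in flags and "A" in flags:
            return "open"
        return "closed" if "R" in flags else "filtered"
    if scan == "ack":
        return "unfiltered" if "R" in flags else "filtered"
    # fin / null / xmas: RFC 793 says closed ports RST, open ports stay silent
    return "closed" if "R" in flags else "open|filtered"


def fin_scan_inconclusive(states) -> bool:
    """Windows and some other stacks answer every FIN/NULL/Xmas probe with a RST,
    so all ports come back 'closed'. A result with no open|filtered port at all
    should be treated as inconclusive rather than as proof that nothing listens."""
    return bool(states) and all(s == "closed" for s in states)


if __name__ == "__main__":
    # Constructed replies to illustrate each rule.
    print("syn, SYN/ACK      ->", classify("syn", [Response("tcp", "SA")]))
    print("syn, no reply x2  ->", classify("syn", [None, None]))
    print("udp, ICMP 3/3     ->", classify("udp", [Response("icmp", icmp_type=3, icmp_code=3)]))
    print("fin, RST on all   ->", fin_scan_inconclusive(["closed", "closed", "closed"]))
```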

Hiding your own IP during a scan

Use the idle scan (-sI) with the help of a zombie host (also called an idle host): a host that is idle and whose IP ID sequence is incremental. The scanner forges probes with the zombie's source address and reads the port state off the zombie's IP ID counter, so the target only ever sees the zombie's address. For the detailed mechanism see http://nmap.org/book/idlescan.html.

Alternatively, use an FTP bounce scan (-b), which abuses an FTP server that still allows proxy (PORT) connections to connect to other hosts on the scanner's behalf, so that the target sees the FTP server as the source and the scanner's identity stays hidden.

5. Version detection

Version detection determines the specific application and version running on each open port of the target host.

Nmap's version detection has the following features:

High speed: socket operations run in parallel, driven by an efficient probe/match definition syntax.

Determines the application name and version as precisely as possible.

Supports both TCP and UDP, and both text-based and binary protocols.

Detects services on many platforms, including Linux, Windows, Mac OS and FreeBSD.

If SSL is detected, OpenSSL is used to continue probing the protocol running inside the tunnel (HTTPS, POP3S, IMAPS and so on).

If a SunRPC service is detected, the brute-force RPC grinder is used to determine the RPC program number, name and version.

Full IPv6 support, including TCP, UDP and SSL over TCP.

Common Platform Enumeration (CPE) output for identified software.

An extensive probe and signature database (nmap-service-probes). Nmap currently recognises thousands of service signatures covering more than 180 different protocols.

5.1 Version detection principle

This section briefly describes how version detection works.

Version detection proceeds in the following steps:

First, the ports in the open and open|filtered states are checked against the exclusion list (the Exclude directive in nmap-service-probes). Ports on the exclusion list are skipped.

If it is a TCP port, nmap connects to it and waits for a while (usually 6 seconds or more; the exact value is the totalwaitms of the NULL probe, "Probe TCP NULL q||", in nmap-service-probes). Many services send a welcome banner within that time. Nmap compares the banner it receives against the match signatures listed under the NULL probe in nmap-service-probes to find the corresponding application name and version.

If the welcome banner does not identify the application, nmap sends further probes (chosen from nmap-service-probes by their rarity, which is what --version-intensity controls) and compares each reply against the signatures in the database. If the application still cannot be identified after repeated probing, nmap prints the service fingerprint it collected and leaves the decision to the user.

If it is a UDP port, there is no banner; nmap sends the UDP probes from nmap-service-probes directly and classifies the service from the replies.

If the application turns out to be SSL, OpenSSL is used to open a session and the probing is repeated inside it to identify the application running over SSL.

If the application turns out to be SunRPC, the brute-force RPC grinder is used to identify the specific RPC service.
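The banner-matching step above is easiest to understand by running it. The following Python example, added for this article and not Nmap's own implementation, parses a small excerpt written in the nmap-service-probes syntax (Probe, totalwaitms and match lines), applies the match regexes to a banner, and expands the $N references in the version-info fields. The excerpt and the banners are constructed for the illustration; the patterns follow the real file's syntax but are simplified, and the 5000 ms fallback used when a probe has no totalwaitms line is nmap's documented default.

```python
"""Match service banners against nmap-service-probes 'match' lines.

Added example (Python); not Nmap's implementation. PROBES_SNIPPET is a
constructed excerpt in the real file's syntax with simplified patterns; the
banners matched below are constructed too. A probe with no totalwaitms line
gets 5000 ms, nmap's documented default.
"""
import re

PROBES_SNIPPET = r"""
Probe TCP NULL q||
totalwaitms 6000
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 ProFTPD (\d[\w.]+) Server| p/ProFTPD/ v/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
"""


def parse_match(line):
    """Parse 'match <svc> m<d>regex<d>[flags] [p/../ v/../ i/../ ...]'."""
    _, service, rest = line.split(" ", 2)
    if rest[0] != "m":
        raise ValueError(f"unsupported match syntax: {line}")
    delim = rest[1]
    end = rest.index(delim, 2)            # closing delimiter of the regex
    pattern = rest[2:end]
    flag_chars, rest = re.match(r"([is]*)\s*(.*)$", rest[end + 1:]).groups()
    flags = (re.I if "i" in flag_chars else 0) | (re.S if "s" in flag_chars else 0)
    # version-info fields: one key letter, then a template in a delimiter (usually '/')
    info = {key: value for key, _d, value in re.findall(r"([pvihod])(\S)(.*?)\2", rest)}
    return service, re.compile(pattern, flags), info


def parse_probes(text):
    """Return {probe_name: {"proto", "wait_ms", "matches": [(service, regex, info)]}}."""
    probes, current = {}, None
    for line in text.splitlines():
        if line.startswith("Probe "):
            _, proto, name, _payload = line.split(" ", 3)
            current = probes.setdefault(name, {"proto": proto, "wait_ms": 5000, "matches": []})
        elif line.startswith("totalwaitms ") and current is not None:
            current["wait_ms"] = int(line.split()[1])
        elif line.startswith("match ") and current is not None:
            current["matches"].append(parse_match(line))
    return probes


def identify(probes, probe_name, banner):
    """Apply a probe's match lines to a banner; expand $N from the capture groups."""
    for service, regex, info in probes[probe_name]["matches"]:
        m = regex.search(banner)
        if m:
            def expand(template):
                return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)
            return {"service": service, **{k: expand(v) for k, v in info.items()}}
    return None   # no signature matched: nmap would print the raw fingerprint


if __name__ == "__main__":
    probes = parse_probes(PROBES_SNIPPET)
    # Constructed banners.
    print(identify(probes, "NULL", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"))
    print(identify(probes, "GetRequest",
                   "HTTP/1.1 200 OK\r\nDate: x\r\nServer: Apache/2.4.57 (Debian)\r\n\r\n"))
    print(identify(probes, "NULL", "220 Welcome\r\n"))
```

Note the two-stage flow: the NULL probe just waits for a banner, while GetRequest only runs if nothing matched, which is why a service that hides its banner costs extra probes and time.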

5.2 Using version detection

The command-line options for version detection are straightforward:

-sV: perform version detection.

--version-intensity <0-9>: set the version detection intensity (default 7). Higher values try more probes, so the result is more accurate but the scan takes longer.

--version-light: lightweight detection (intensity 2).

--version-all: try every probe (intensity 9).

--version-trace: show detailed version detection activity.

Take scanning port 80 for its version as an example, showing both the nmap output and the packet capture.

nmap -sV -p 80 113.11.11.* # version detection on port 80 only

The capture shows that when -Pn is not given, nmap performs the usual host discovery first and only runs the version probes once the host has been confirmed alive.

With nmap -sV 113.11.*.* (no port given), nmap first checks whether the host is alive, then scans the 1000 most common TCP ports, and finally runs version detection against the ports found open. For the HTTP check the capture shows a TCP connection being opened with the 3-way handshake, a GET request being sent, and the connection being closed with the 4-way FIN exchange.

6. OS detection

Command: nmap -O 113.11.*.*

Nmap first checks whether the host is alive, then scans the 1000 most common ports, and finally fingerprints the operating system. The following figure shows the result. In this run every scanned port was reported as open or closed and none as filtered, which suggests that no firewall or other security device sits in front of the host. OS detection is most reliable when nmap finds at least one open and one closed TCP port to probe, which was the case here.

7. Advanced usage of Nmap

Firewall and IDS evasion covers techniques for getting past the detection and blocking of firewalls and intrusion detection systems, so that the target host can be examined in more detail.

Nmap offers a variety of evasion techniques, which fall into two groups: packet changes (how the probes are built) and timing changes (when and how fast they are sent).

7.1 Fragmentation

Some simple firewalls, to speed up processing, do not reassemble IP fragments before inspecting them. Splitting the probe packets into several small IP fragments, so that the TCP header itself is spread over multiple IP packets, can then get past their checks, because no single fragment contains the port numbers and flags the filter looks for.

-f; --mtu: fragment the probes; --mtu sets the fragment payload size. nmap -sn -f --mtu 16 113.11.*.* # note that the value given to --mtu must be a multiple of 8, as shown in the figure below. With -f alone nmap uses 8 bytes of payload per fragment, and -ff uses 16.

The following figures show the capture for the normal command first, then the capture after fragmentation:

nmap -sn 113.11.*.*

nmap -sn -f --mtu 16 113.11.11.*

In the capture the data portion of each fragment is 16 bytes, matching the value given to --mtu, and the capture tool annotates the fragments with "Reassembled in #878".
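The reason --mtu must be a multiple of 8 is the IPv4 fragment-offset field, which counts in 8-byte units, so every fragment except the last must carry a multiple of 8 payload bytes. The following Python example, added for this article and not part of Nmap, lays out a packet into fragments the way -f / --mtu does and reports whether the TCP header ends up split across fragments; header sizes assume IPv4 and TCP without options, and the layout logic is this example's own.

```python
"""Fragment layout for nmap -f / --mtu (added example, not Nmap code).

Shows why --mtu must be a positive multiple of 8: the IPv4 fragment-offset
field is measured in 8-byte units. Header sizes assume IPv4 and TCP without
options; the layout logic is this example's own.
"""
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options


def fragment(payload_len, mtu):
    """Return [(offset_bytes, length, more_fragments), ...] for one IP packet.

    'mtu' is nmap's --mtu: payload bytes per fragment after the IP header
    (plain -f gives 8, -ff gives 16).
    """
    if mtu <= 0 or mtu % 8:
        raise ValueError("--mtu must be a positive multiple of 8")
    frags, offset = [], 0
    while offset < payload_len:
        length = min(mtu, payload_len - offset)
        more = offset + length < payload_len       # MF flag: more fragments follow
        frags.append((offset, length, more))
        offset += length
    return frags


def offset_field(offset_bytes):
    """The value actually written into the 13-bit fragment-offset field."""
    return offset_bytes // 8


def tcp_header_split(mtu):
    """True if the first fragment cannot hold the whole TCP header, i.e. a filter
    that does not reassemble never sees the destination port and flags together."""
    return mtu < TCP_HDR


def wire_sizes(payload_len, mtu):
    """Total bytes on the wire per fragment (IP header plus fragment payload)."""
    return [IP_HDR + length for _, length, _ in fragment(payload_len, mtu)]


if __name__ == "__main__":
    # A bare SYN probe is a 20-byte TCP header; --mtu 16 splits it 16 + 4.
    for off, length, more in fragment(TCP_HDR, 16):
        print(f"offset={off} (field {offset_field(off)}) len={length} MF={int(more)}")
    print("TCP header split across fragments:", tcp_header_split(16))
```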

7.2 IP decoys

When scanning, mix the real source address with the addresses of other hosts. The decoys should be online; otherwise the target sends streams of replies to non-existent hosts, which in effect mounts a denial of service attack against the target's connection tracking. The target's firewall or IDS then has to track and examine packets from many different source addresses, which reduces the chance of the real scanner being singled out. Note that some advanced IDS systems can still identify the real address through statistical analysis.

-D: hide the real address among a set of decoy IPs; ME in the list stands for your own address. nmap -sn -D 1.1.1.1 113.11.*.* # if ME is omitted, nmap still inserts your own address at a random position, so both addresses appear as sources.

The following is a screenshot of the capture. Two source addresses can be seen: the decoy and your own real address. Because the decoy address appears as a source, the same mechanism can be used to bounce the target's replies at a spoofed address, i.e. a reflective DoS attack.

In this test the scanner's real address was a private network address; whether the behaviour is the same when the real source is a public address, and whether ME can then be left out, remains to be verified.

7.3 Specify the source port

Some targets only let packets from particular source ports through the firewall. For example, a firewall may be configured to allow TCP packets with source port 21 through to an FTP server while blocking packets with other source ports (DNS replies from source port 53 are another common exception). In such cases you can tell nmap which source port to use for the packets it sends.

-g/--source-port: use the specified source port. nmap -sn -g 11111 113.11.*.* # send the probes from source port 11111

The following figure shows the capture, in which the TCP probes leave from the source port given with -g. Choosing a source port that matches a hole in the firewall's ACL lets the probes pass where they would otherwise be dropped.

7.4 Scan delay

Some firewalls watch strictly for packets that arrive too quickly, and some systems rate-limit error messages (Solaris, for example, usually generates only one ICMP port unreachable message per second in response to a UDP scan). Controlling how often probes are sent and how long nmap pauses between them (the -T timing templates, --scan-delay and --max-scan-delay, and --min-rate/--max-rate) therefore reduces the chance of tripping the target's alerting and saves network bandwidth.

7.5 IP spoofing

As the name implies, IP spoofing replaces the source address of the packets nmap sends with the address of another host, so that the target believes that host is communicating with it. Note that to receive the target's replies the spoofed address must be on the same local network segment as the scanner, so that the replies can be captured there; nmap itself sees no replies addressed to the spoofed IP, so such a scan is only useful together with a sniffer. If the goal is to hide your own address and still receive replies, use the idle scan or an anonymising network such as Tor instead.

-S: use another IP address as the source. nmap -sn -S 1.1.1.1 113.11.*.* When the source address is spoofed, the target believes that another host is communicating with it.

The following screenshots are of an unsuccessful attempt; if anyone knows the cause, please advise.

Note that when spoofing the source address you must also use the -Pn and -e options.

Even with -Pn and -e, the error is still reported: the address cannot be assigned.

nmap -sn -Pn -e wlan0 -S 1.1.1.1 113.11.*.*

nmap -sn -Pn -e eth0 -S 1.1.1.1 113.11.11

7.6 Other techniques

Nmap also provides a number of other evasion options: sending from a particular network interface, padding packets to a minimum length, setting the MTU used for fragments, setting the TTL, spoofing the MAC address, and sending packets with bad checksums.

More information: http://nmap.org/book/man-bypass-firewalls-ids.html

-f; --mtu: fragment packets; --mtu sets the fragment size.

-D: hide the real address among a set of decoy IPs; ME stands for your own address.

-S: spoof the source IP address.

-e: send from a specific network interface.

-g/--source-port: use the specified source port.

--data-length: append random data so that each packet reaches the given length.

--ip-options: send packets with the specified IP options.

--ttl: set the IP time-to-live.

--spoof-mac: spoof the MAC address.

--badsum: send packets with a bogus TCP/UDP/SCTP checksum. A normal host discards such packets, so any reply must come from a firewall or IDS/IPS that did not verify the checksum.

8. NSE scripting engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It lets users write their own scripts to automate tasks or extend Nmap's functionality. Scripts are selected with --script (by name, category or wildcard); -sC runs the default category.

NSE scripts are written in Lua, and Nmap ships with a large script library; at the time of writing it contained more than 350 scripts in 14 categories.

NSE was designed with the following uses in mind:

Network discovery

More sophisticated version detection (for example, identifying Skype)

Vulnerability detection

Backdoor detection

Vulnerability exploitation
