NMAP
Nmap is the most popular scanning tool used on the Internet. Created by Fyodor (http://www.insecure.org), it was featured in the Matrix Reloaded movie.
EC-Council
SYN Scanning
SYN scanning is a technique that is widely used across the Internet today. The SYN scan, also called the "half open" scan, is the ability to determine a port's state without making a full connection to the host. Many systems do not log the attempt, and discard it as a communications error. You must first learn the 3-way handshake to understand the SYN scan.
&tandard )CP communications are controlled by "lags in the )CP pac+et header. )he "lags are as "ollows: . Synchronize - also called *&'N/
0 1sed to initiate a connection between hosts.
. Push - *P&3/
0 Instructs recei%ing system to send all bu""ered data immediately
. Urgent - *1$4/
0 &tates that the data contained in the pac+et should be processed immediately
Finish - also called *FIN* 0 )ells remote system that there will be no more 0 Also used to reset a connection.
transmissions
Computer A (192.168.1.2) initiates a connection to the server (192.168.1.3) via a packet with only the SYN flag set. The server replies with a packet with both the SYN and the ACK flag set.
For the final step, the client responds back to the server with a single ACK packet.
Stealth Scan
Computer A (the client) sends a single SYN packet to Computer B (the server) on the appropriate port. If the port is open then the server responds with a SYN/ACK packet. If the server responds with an RST packet, then the remote port is in state "closed". The client sends an RST packet to close the initiation before a connection can ever be established. This scan is also known as a "half-open" scan.
Xmas Scan
Xmas scan directed at open port:
  Computer A 192.5.5.92:4031 -----------FIN/URG/PSH-----------> 192.5.5.110:23 Computer B
  Computer A 192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23 Computer B
Note: the XMAS scan only works if the OS's TCP/IP implementation is developed according to RFC 793. The Xmas scan will not work against any current version of Microsoft Windows. Xmas scans directed at any Microsoft system will show all ports on the host as being closed.
FIN Scan
FIN scan directed at open port:
  Computer A 192.5.5.92:4031 -----------FIN-------------------> 192.5.5.110:23 Computer B
  Computer A 192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23 Computer B
Note: the FIN scan only works if the OS's TCP/IP implementation is developed according to RFC 793. The FIN scan will not work against any current version of Microsoft Windows. FIN scans directed at any Microsoft system will show all ports on the host as being closed.
NULL Scan
NULL scan directed at open port:
  Computer A 192.5.5.92:4031 -----------NO FLAGS SET----------> 192.5.5.110:23 Computer B
  Computer A 192.5.5.92:4031 <----------NO RESPONSE------------ 192.5.5.110:23 Computer B
NULL scan directed at closed port:
  Computer A 192.5.5.92:4031 -------------NO FLAGS SET--------> 192.5.5.110:23 Computer B
  Computer A 192.5.5.92:4031 <-------------RST/ACK------------- 192.5.5.110:23 Computer B
Note: the NULL scan only works if the OS's TCP/IP implementation is developed according to RFC 793. The NULL scan will not work against any current version of Microsoft Windows. NULL scans directed at any Microsoft system will show all ports on the host as being closed.
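The flag list, the SYN/stealth scan and the three notes above all describe the same small state machine: what a target's stack replies to a given flag combination, and what the scanner concludes from it. The following Python is an added example (not code from the slides or from the Nmap project) that models that machine for an RFC 793 stack and for the Windows-style stack the notes describe, and then runs a small detector over a constructed packet log. The flag bit values follow RFC 793; the log entries, addresses and the `min_ports` threshold are assumptions made for the example.

```python
"""Model of how a TCP/IP stack answers the probes behind Nmap's SYN, FIN,
NULL and Xmas scans, plus a small detector for those probes in a packet
log.  Added example; not code from the slides or from the Nmap project."""
from typing import Optional

# TCP flag bits as laid out in the flags byte of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Display order chosen so the usual names come out as SYN/ACK, RST/ACK, FIN/URG/PSH.
FLAG_NAMES = [(SYN, "SYN"), (RST, "RST"), (FIN, "FIN"),
              (ACK, "ACK"), (URG, "URG"), (PSH, "PSH")]


def flags_to_str(flags: int) -> str:
    """Render a flags byte, e.g. 0x12 -> 'SYN/ACK'; a NULL probe is 'NONE'."""
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    return "/".join(names) if names else "NONE"


def probe_type(flags: int) -> str:
    """Name the Nmap scan a probe belongs to, from its flag combination."""
    return {SYN: "SYN", 0: "NULL", FIN: "FIN",
            FIN | URG | PSH: "XMAS", ACK: "ACK"}.get(flags, "OTHER")


def target_response(flags: int, port_open: bool, rfc793: bool = True) -> Optional[int]:
    """Flags of the reply a target sends to one probe, or None for silence.

    rfc793=True models a stack that follows RFC 793 (what the FIN, NULL and
    Xmas scans rely on).  rfc793=False models the Windows-style behaviour
    the slides describe: such a stack answers a FIN/NULL/Xmas probe to an
    open port with RST as well, so every port looks closed."""
    if flags & RST:
        return None                                   # an unsolicited RST is ignored
    if flags & SYN and not flags & ACK:
        return SYN | ACK if port_open else RST        # same on every stack
    if flags & ACK:
        return RST                                    # unsolicited ACK -> RST
    # FIN, NULL or Xmas probe: neither SYN nor ACK set
    if not port_open:
        return RST | ACK                              # closed port: RST/ACK
    return None if rfc793 else RST                    # RFC 793 stack stays silent


def scanner_verdict(flags: int, reply: Optional[int]) -> str:
    """What the scanner concludes from the reply, using the slides' rules
    (modern Nmap reports silence to a FIN/NULL/Xmas probe as open|filtered)."""
    ptype = probe_type(flags)
    if ptype == "SYN":
        return "open" if reply == SYN | ACK else "closed"
    if ptype == "ACK":
        return "unfiltered" if reply == RST else "filtered"
    return "open" if reply is None else "closed"


# Constructed packet log (src, dst, dport, flags): one source sweeping five
# ports with SYN probes, one sending Xmas probes, one ordinary connection.
PACKET_LOG = [
    ("192.5.5.92", "192.5.5.110", 21, SYN),
    ("192.5.5.92", "192.5.5.110", 22, SYN),
    ("192.5.5.92", "192.5.5.110", 23, SYN),
    ("192.5.5.92", "192.5.5.110", 25, SYN),
    ("192.5.5.92", "192.5.5.110", 80, SYN),
    ("10.0.0.7", "192.5.5.110", 23, FIN | URG | PSH),
    ("10.0.0.7", "192.5.5.110", 80, FIN | URG | PSH),
    ("10.0.0.8", "192.5.5.110", 443, SYN),
]


def detect_scanners(log, min_ports: int = 3) -> dict:
    """Group probes by (source, probe type).  A SYN source is reported once it
    touches min_ports distinct ports; FIN/NULL/Xmas probes are reported from
    the first packet, because a normal client never sends those flag sets
    without ACK."""
    seen = {}
    for src, _dst, dport, flags in log:
        seen.setdefault((src, probe_type(flags)), set()).add(dport)
    hits = {}
    for (src, ptype), ports in seen.items():
        threshold = 1 if ptype in ("FIN", "NULL", "XMAS") else min_ports
        if len(ports) >= threshold:
            hits[(src, ptype)] = sorted(ports)
    return hits


if __name__ == "__main__":
    for probe in (SYN, FIN, 0, FIN | URG | PSH):
        for port_open in (True, False):
            reply = target_response(probe, port_open)
            shown = flags_to_str(reply) if reply is not None else "none"
            print(f"{probe_type(probe):4} -> {'open' if port_open else 'closed'} port: "
                  f"reply {shown:12} scanner says {scanner_verdict(probe, reply)}")
    print(detect_scanners(PACKET_LOG))
```

Running it with `rfc793=False` for the open-port cases shows why the notes say every port appears closed on Windows: the stack sends RST to a FIN, NULL or Xmas probe whether or not something is listening, so the scanner's "silence means open" rule never fires. The detector's one-packet threshold for FIN/NULL/Xmas probes is the practical takeaway for a defender: those flag combinations are never produced by a legitimate TCP client, so a single one is worth an alert.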
IDLE Scan
Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. Idlescan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address.
Most network servers listen on TCP ports, such as web servers on port 80 and mail servers on port 25. A port is considered "open" if an application is listening on the port, otherwise it is closed. One way to determine whether a port is open is to send a "SYN" (session establishment) packet to the port. The target machine will send back a "SYN|ACK" (session request acknowledgment) packet if the port is open, and a "RST" (Reset) packet if the port is closed. A machine which receives an unsolicited SYN|ACK packet will respond with a RST. An unsolicited RST will be ignored. Every IP packet on the Internet has a "fragment identification" number. Many operating systems simply increment this number for every packet they send. So probing for this number can tell an attacker how many packets have been sent since the last probe.
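The paragraph above gives every rule the idle scan rests on: SYN to an open port draws SYN|ACK, SYN to a closed port draws RST, an unsolicited SYN|ACK draws RST, an unsolicited RST is ignored, and many stacks increment the IP identification number once per packet sent. The following Python is an added example (not code from the slides or from the Nmap project) that puts three in-memory hosts under exactly those rules and reads a target port's state from the "zombie" host's IPID alone. Nothing touches a real network; the addresses, the starting IPID and the LCG used to stand in for a randomised IPID are constructed for the example. The last run shows the mitigation: a zombie whose IPID is not sequential fails the usability check and leaks nothing.

```python
"""Simulation of the IPID side channel behind Nmap's idle scan and of the
check that makes a zombie unusable.  Added example, not from the slides or
the Nmap project: three in-memory hosts exchange packets under the
SYN / SYN|ACK / RST rules stated on the slide; no real sockets, and the
addresses and IPID values are constructed."""
from typing import List, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10


class Host:
    """Minimal stack model: every packet sent consumes one IP identification
    number.  A sequential stack increments it (the property idle scan needs);
    an unpredictable one leaks nothing about how many packets were sent."""

    def __init__(self, addr: str, open_ports=(), sequential_ipid: bool = True):
        self.addr = addr
        self.open_ports = set(open_ports)
        self.sequential_ipid = sequential_ipid
        self._ipid = 4242                                  # constructed start value
        self.inbox: List[Tuple[str, int, int]] = []        # (src_addr, flags, ipid) received

    def next_ipid(self) -> int:
        if self.sequential_ipid:
            self._ipid = (self._ipid + 1) % 65536
        else:
            # stand-in for a randomised IPID: an LCG whose step is never +1
            self._ipid = (self._ipid * 33 + 17) % 65536
        return self._ipid

    def receive(self, net: "Network", src_addr: str, dport: int, flags: int) -> None:
        """Reply exactly as the slide describes."""
        if flags == SYN:
            reply = SYN | ACK if dport in self.open_ports else RST
        elif flags == SYN | ACK:
            reply = RST            # unsolicited SYN|ACK -> RST
        else:
            return                 # unsolicited RST is ignored
        net.deliver(self, src_addr, 0, reply)


class Network:
    def __init__(self, *hosts: Host):
        self.hosts = {h.addr: h for h in hosts}

    def deliver(self, sender: Host, dst_addr: str, dport: int, flags: int,
                spoof_src: Optional[str] = None) -> None:
        """Carry one packet.  The sender's own IPID counter is consumed even
        when the source address is forged; the receiver answers the forged
        source address, which is what makes the scan blind."""
        ipid = sender.next_ipid()
        src_addr = spoof_src or sender.addr
        dst = self.hosts[dst_addr]
        dst.inbox.append((src_addr, flags, ipid))
        dst.receive(self, src_addr, dport, flags)


def probe_zombie_ipid(net: Network, attacker: Host, zombie: Host) -> int:
    """Elicit an RST from the zombie and read the IPID it carried."""
    before = len(attacker.inbox)
    net.deliver(attacker, zombie.addr, 0, SYN | ACK)
    src, flags, ipid = attacker.inbox[before]
    assert src == zombie.addr and flags == RST
    return ipid


def idle_scan_port(net: Network, attacker: Host, zombie: Host,
                   target: Host, port: int) -> str:
    """Classify one target port purely from the zombie's IPID changes."""
    first = probe_zombie_ipid(net, attacker, zombie)
    second = probe_zombie_ipid(net, attacker, zombie)
    if (second - first) % 65536 != 1:
        return "unusable zombie"       # IPID is not sequential: no side channel
    # Forged SYN: the target answers the zombie, never the attacker.
    net.deliver(attacker, target.addr, port, SYN, spoof_src=zombie.addr)
    third = probe_zombie_ipid(net, attacker, zombie)
    delta = (third - second) % 65536
    # open port: target sent SYN|ACK, zombie answered RST (+1), then our probe (+1)
    return "open" if delta == 2 else "closed"


def build_lab(sequential_zombie: bool = True):
    """Constructed lab: attacker, zombie and a target with only port 80 open."""
    attacker = Host("10.0.0.5")
    zombie = Host("192.168.1.3", sequential_ipid=sequential_zombie)
    target = Host("192.168.1.2", open_ports={80})
    return Network(attacker, zombie, target), attacker, zombie, target


if __name__ == "__main__":
    net, attacker, zombie, target = build_lab()
    for port in (80, 25):
        print(port, idle_scan_port(net, attacker, zombie, target, port))
    print("packets the target saw from the attacker's address:",
          sum(src == attacker.addr for src, _, _ in target.inbox))
    net, attacker, zombie, target = build_lab(sequential_zombie=False)
    print("randomised-IPID zombie:", idle_scan_port(net, attacker, zombie, target, 80))
```

Two points for a defender follow directly from the simulation. The target's inbox never contains the attacker's address, so logs on the target name only the zombie, which is why the slide calls the scan blind. And the whole inference depends on the zombie's IPID stepping by exactly one per packet; a host whose stack randomises the IP identification field fails the sequential check in `idle_scan_port` and cannot be used as a zombie, which is the behaviour modern operating systems have adopted.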
Fragmentation Scanning
Instead of just sending the probe packet, you break it into a couple of small IP fragments. You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing. The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.
This isn't really port scanning, since ICMP doesn't have a port abstraction. But it is sometimes useful to determine what hosts in a network are up by pinging them all: nmap -sP cert.org/24 152.148.0.0/16
Scan Options
-sT (TCP Connect)
-sS (SYN scan)
-sF (FIN scan)
-sX (Xmas scan)
-sN (Null scan)
-sP (Ping scan)
-sU (UDP scan)
-sO (Protocol scan)
-sI (Idle scan)
-sA (ACK scan)
-sW (Window scan)
-sR (RPC scan)
-sL (List/DNS scan)
Ping Detection
-P0 (don't ping)
-PT (TCP ping)
-PS (SYN ping)
-PI (ICMP ping)
-PB (= PT + PI)
-PP (ICMP timestamp)
-PM (ICMP netmask)
Output Format
Timing
-T Paranoid: serial scan, 300 sec wait
-T Sneaky: serialize scans, 15 sec wait
-T Polite: serialize scans, 0.4 sec wait
-T Normal: parallel scan
-T Aggressive: parallel scan, 300 sec timeout, 1.25 sec/probe
-T Insane: parallel scan, 75 sec timeout, 0.3 sec/probe
--host_timeout
--max_rtt_timeout (default 9000)
--min_rtt_timeout
--initial_rtt_timeout (default 6000)
--max_parallelism
--scan_delay (between probes)
--resume (scan)
--append_output
-iL <targets_filename>
-p <port ranges>
-F (Fast scan mode)
-D <decoy1 [,decoy2][,ME],>
-S <SRC_IP_Address>
-e <interface>
-g <portnumber>
--data_length <number>
--randomize_hosts
-O (OS fingerprinting)
-I (Identscan)
-f (fragmentation)
-v (verbose)
-h (help)
-n (no reverse lookup)
-R (do reverse lookup)
-r (don't randomize port scan)
-b <ftp relay host> (FTP bounce)