NMAP - A Stealth Port Scanner--reference

SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back,the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed,an RST will be sent. If it is filtered,the SYN packet will have been dropped and no response will be sent. In this way,Nmap can detect three port states - open,closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions,and closed to others.

Modern firewalls and Intrusion Detection Systems can detect SYN scans,but in combination with other features of Nmap,it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).

With the multitude of modern firewalls and IDS’ now looking out for SYN scans,these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these type of scans is that a closed port should respond with an RST upon receiving packets,whereas an open port should just drop them (it’s listening for packets with SYN set). This way,you never make even part of a connection,and never send a SYN packet; which is what most IDS’ look out for.

The FIN scan sends a packet with only the FIN flag set,the Xmas Tree scan sets the FIN,URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.

These scan types will work against any system where the TCP/IP implementation follows RFC 793. Microsoft Windows does not follow the RFC,and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running SYN along with one of these scans. If the SYN scan shows open ports,and the FIN/NUL/XMAS does not,chances are you’re looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!)

The sample below shows a SYN scan and a FIN scan,performed against a Linux system. The results are,predictably,the same,but the FIN scan is less likely to show up in a logging system.

   1 [chaos]# nmap -sS 127.0.0.1
   2 
   3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
   4 Interesting ports on chaos (127.0.0.1):
   5 (The 1668 ports scanned but not shown below are in state:
   6         closed)
   7 PORT     STATE SERVICE
   8 21/tcp   open  ftp
   9 22/tcp   open  ssh
  10 631/tcp  open  ipp
  11 6000/tcp open  X11
  12 
  13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
  14         seconds
  15 [chaos]# nmap -sF 127.0.0.1
  16 
  17 Starting Nmap 4.01 at 2006-07-06 17:23 BST
  18 Interesting ports on chaos (127.0.0.1):
  19 (The 1668 ports scanned but not shown below are in state:
  20         closed)
  21 PORT     STATE         SERVICE
  22 21/tcp   open|filtered ftp
  23 22/tcp   open|filtered ssh
  24 631/tcp  open|filtered ipp
  25 6000/tcp open|filtered X11
  26 
  27 Nmap finished: 1 IP address (1 host up) scanned in 1.284
  28         seconds

This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online,rather than which ports are open. Four methods exist within Nmap for ping sweeping.

The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received,the system is up,and ICMP packets are not blocked. If there is no response to the ICMP ping,Nmap will try a "TCP Ping",to determine whether ICMP is blocked,or if the host is really not online.

A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST,or a SYN/ACK,is returned,then the remote system is online. If the remote system does not respond,either it is offline,or the chosen port is filtered,and thus not responding to anything.

When you run an Nmap ping scan as root,the default is to use the ICMP and ACK methods. Non-root users will use the connect() method,which attempts to connect to a machine,waiting for a response,and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users,but this one establishes a full TCP connection!)

The ICMP scan type can be disabled by setting -P0 (that is,zero,not uppercase o).

Scanning for open UDP ports is done with the -sU option. With this scan type,Nmap sends 0-byte UDP packets to each target port on the victim. Receipt of an ICMP Port Unreachable message signifies the port is closed,otherwise it is assumed open.

（编辑：威海站长网）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!