Network scanning technology

0x00 host scanning technology

The typical example is ping scanning. Traditional ping scanning sends an ICMP echo request to the target host and judges from the reply whether the host is online. More advanced ping scans use ARP, TCP and UDP probes instead of ICMP.

Scan specific IP

┌──(dyh㉿dyhace)-[~]
└─$ nmap -sP 192.168.17.131 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:01 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00051s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

Scan a network segment

┌──(dyh㉿dyhace)-[~]
└─$ nmap -sP 192.168.17.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 21:59 CST
Nmap scan report for 192.168.17.2 (192.168.17.2)
Host is up (0.00053s latency).
Nmap scan report for 192.168.17.128 (192.168.17.128)
Host is up (0.00036s latency).
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.64 seconds

0x02 port scanning technology

  1. TCP scan (connect scan)
    Advantages: it can be run without special privileges
    Disadvantages: completing the full three-way handshake takes longer, and the connection is recorded in the target's logs, so it is easy to detect
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sT 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:07 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds

The output lists three open ports with their details (port number/protocol, state, service).
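The host-discovery and connect-scan outputs above are easy to read by eye, but a defender who runs these scans against their own network regularly wants them as data, so that a newly opened port stands out. The parser below is an added example, not code from the original post or from nmap; it handles nmap's default "normal" output (the `Nmap scan report`, `Host is up`, `PORT STATE SERVICE` and `MAC Address` lines shown on this page) and the sample it runs on is a constructed copy of those lines, with two host reports merged into one run.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the host-discovery and connect-scan lines shown on this
# page, merged into one run and embedded so the parser works offline.
SAMPLE_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 21:59 CST
Nmap scan report for 192.168.17.2 (192.168.17.2)
Host is up (0.00053s latency).
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.19 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?")
UP_RE = re.compile(r"^Host is up \((?P<lat>[\d.]+)s latency\)")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>[^)]*)\))?")


@dataclass
class Host:
    name: str
    ip: str
    latency_s: Optional[float] = None
    mac: Optional[str] = None
    vendor: Optional[str] = None
    # (port, proto, state, service) as printed in the PORT/STATE/SERVICE table
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)


def parse_nmap_normal(text: str) -> List[Host]:
    """Parse nmap's default ("normal") output into Host records."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = Host(name=m["name"], ip=m["ip"] or m["name"])
            hosts.append(current)
            continue
        if current is None:
            continue                       # banner lines before the first report
        m = UP_RE.match(line)
        if m:
            current.latency_s = float(m["lat"])
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append((int(m["port"]), m["proto"], m["state"], m["service"]))
            continue
        m = MAC_RE.match(line)
        if m:
            current.mac, current.vendor = m["mac"], m["vendor"]
    return hosts


def open_ports(hosts: List[Host]) -> dict:
    """Map each live host's IP to the ports nmap reported as open."""
    return {h.ip: sorted(p for p, _, s, _ in h.ports if s == "open") for h in hosts}


def new_open_ports(baseline: dict, current: dict) -> dict:
    """Ports open now that were not open in an earlier scan of the same hosts."""
    result = {}
    for ip, ports in current.items():
        added = sorted(set(ports) - set(baseline.get(ip, [])))
        if added:
            result[ip] = added
    return result


if __name__ == "__main__":
    hosts = parse_nmap_normal(SAMPLE_OUTPUT)
    print(open_ports(hosts))
```

`new_open_ports` is the piece that turns a scan into a check: keep the `open_ports` dict from a known-good scan and compare each later scan against it, so a port that appears unexpectedly (here 445 against a baseline of 135 and 139) is reported rather than buried in a thousand-line report.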

  2. TCP SYN scan
    Advantages: no complete connection is established, so the scan is fast and the target host generally does not log it
    Disadvantages: constructing raw IP packets requires root/admin privileges
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sS 192.168.17.131
You requested a scan type which requires root privileges.
QUITTING!

┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sS 192.168.17.131  
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:17 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.000096s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds

The ports obtained are consistent with those obtained by the TCP connect scan.
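The two scans above return the same ports but leave different traces: the connect scan completes the handshake, so the service's own log records it, while the SYN scan never reaches the application and shows up only in packet-level logs such as those written by a firewall LOG rule. The detector below is an added example, not code from the original post; it runs over constructed syslog lines in the format an iptables LOG rule on a Linux host would produce (an assumption, the page's target is a Windows machine) and flags any source that sends SYN-only packets to many distinct ports inside a short window, which is what both the connect scan and the SYN scan look like at the packet level.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the page): syslog lines as an iptables LOG rule
# would write them. 192.168.17.2 is an ordinary client using one port;
# 192.168.17.128 sends a single SYN to each of many ports.
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]


def _log_line(ts, src, dpt, sport, flags="SYN"):
    return (f"{ts} target kernel: IN=eth0 OUT= SRC={src} DST=192.168.17.131 "
            f"PROTO=TCP SPT={sport} DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")


SAMPLE_LOG = [_log_line("Sep 16 22:17:01", "192.168.17.2", 445, 49152)]
SAMPLE_LOG += [_log_line("Sep 16 22:17:02", "192.168.17.128", p, 40000 + i)
               for i, p in enumerate(SCANNED_PORTS)]
SAMPLE_LOG.append(_log_line("Sep 16 22:17:05", "192.168.17.2", 445, 49152, flags="ACK"))

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$")


def parse_event(line):
    """Return (timestamp, src, dport, is_syn_only) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m or m["proto"] != "TCP":
        return None
    # Syslog stamps carry no year; only differences between stamps are used here.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    flags = m["rest"].split()
    syn_only = "SYN" in flags and "ACK" not in flags
    return ts, m["src"], int(m["dpt"]), syn_only


def detect_port_sweeps(lines, window_s=10, threshold=8):
    """Flag sources sending SYN-only packets to >= threshold distinct ports within window_s seconds."""
    events = [e for e in map(parse_event, lines) if e]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)           # src -> (ts, dport) pairs inside the window
    alerts = {}
    for ts, src, dport, syn_only in events:
        if not syn_only:
            continue                      # only unsolicited connection attempts count
        q = recent[src]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    print(detect_port_sweeps(SAMPLE_LOG))
```

The threshold and window are tuning knobs: a busy client legitimately touches a handful of ports, so the detector counts distinct destination ports rather than packets, and it ignores packets carrying ACK because those belong to connections that already exist.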

  3. TCP FIN scan
    This takes advantage of a quirk of the TCP/IP protocol: if the port is open, the server discards the lone FIN packet; if the port is closed, the server replies with RST (this holds only for UNIX/Linux). Windows returns RST whether the port is open or not.
    Scanning the Windows host therefore reports all ports closed, although the previous scans show that some ports are open:
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sF 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:28 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00039s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are closed
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
  4. TCP ACK scan
    It cannot determine whether a port is open, but it can test whether a firewall is filtering it: a port that is not filtered is marked unfiltered, and a filtered one is marked filtered.
    With the target host's firewall turned off, the ports are marked unfiltered:
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sA 192.168.0.101 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:36 CST
Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.000027s latency).
All 1000 scanned ports on 192.168.0.101 (192.168.0.101) are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds

With the firewall turned on, they are marked filtered:

┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sA 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:38 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are filtered
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

  5. TCP window scan
    Unlike the ACK scan, when an RST packet is received the port is marked open or closed according to whether the TCP window value in the RST is positive or zero.
    With the firewall on (the result is the same as for the ACK scan):
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sA 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:38 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are filtered
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds

With the firewall off (the ports are marked closed according to the window value):

┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sW 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:53 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00038s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are closed
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

  6. UDP scan
    Because UDP is unreliable, the scanner retransmits its probes several times to improve accuracy, which makes the scan slow. Root privileges are required.
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sU 192.168.17.131                                                                                                                     130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:58 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00049s latency).
Not shown: 993 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
445/udp  open|filtered microsoft-ds
500/udp  open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:A4:46:5E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

The output marks these ports as open|filtered: no reply came back, so nmap cannot tell an open port (whose service ignored the empty probe) from one a firewall filtered.
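Every result in the FIN, ACK, window and UDP sections above follows from a few rules about how the target replies to each probe and how nmap labels the reply. The model below is an added example, not code from the original post or from nmap, and it is deliberately simplified: a firewall that is on drops every unsolicited probe, the `WINDOWS` stack answers a lone FIN with RST and sends RSTs with a zero window (which is what the page's output shows), `RFC793` is the "UNIX/Linux" behaviour the page describes, and `LEGACY_POSWIN` is a hypothetical stack whose RSTs carry a positive window on open ports, included only to show the branch that makes a window scan useful. Ports 1..1000 stand in for nmap's default port list, and the UDP port list is constructed so that it contains the seven ports from the page.

```python
from collections import Counter
from enum import Enum


class Probe(Enum):
    SYN = "SYN"
    FIN = "FIN"
    ACK = "ACK"
    WINDOW = "WINDOW"
    UDP = "UDP"


class Stack(Enum):
    RFC793 = "rfc793"          # the "UNIX/Linux" behaviour described on the page
    WINDOWS = "windows"        # answers a lone FIN with RST whether the port is open or not
    LEGACY_POSWIN = "legacy"   # hypothetical: RSTs carry a positive window on open ports


def target_response(probe, stack, port_open, firewall_on):
    """Simplified model of the target's reply to one probe: (kind, tcp_window)."""
    if firewall_on:
        return ("none", 0)             # stateful firewall silently drops unsolicited probes
    if probe is Probe.SYN:
        return ("syn_ack", 0) if port_open else ("rst", 0)
    if probe is Probe.FIN:
        if stack is Stack.WINDOWS or not port_open:
            return ("rst", 0)
        return ("none", 0)             # RFC-compliant stack: an open port ignores a lone FIN
    if probe in (Probe.ACK, Probe.WINDOW):
        window = 1024 if (stack is Stack.LEGACY_POSWIN and port_open) else 0
        return ("rst", window)         # an unsolicited ACK always draws an RST when unfiltered
    if probe is Probe.UDP:
        # Modelled as: services stay silent on an empty probe, closed ports draw
        # ICMP port unreachable. A service that answers ("udp_reply") is not modelled.
        return ("none", 0) if port_open else ("icmp_port_unreach", 0)
    raise ValueError(probe)


def nmap_state(probe, response):
    """How nmap labels a port given the reply (or silence) to one probe."""
    kind, window = response
    if probe is Probe.SYN:
        return {"syn_ack": "open", "rst": "closed"}.get(kind, "filtered")
    if probe is Probe.FIN:
        return "closed" if kind == "rst" else "open|filtered"
    if probe is Probe.ACK:
        return "unfiltered" if kind == "rst" else "filtered"
    if probe is Probe.WINDOW:
        if kind != "rst":
            return "filtered"
        return "open" if window > 0 else "closed"
    if probe is Probe.UDP:
        return {"udp_reply": "open", "icmp_port_unreach": "closed"}.get(kind, "open|filtered")
    raise ValueError(probe)


def scan_summary(probe, stack, open_ports, firewall_on, ports):
    """Count the states nmap would report across the given ports."""
    counts = Counter()
    for port in ports:
        reply = target_response(probe, stack, port in open_ports, firewall_on)
        counts[nmap_state(probe, reply)] += 1
    return dict(counts)


TCP_OPEN = {135, 139, 445}                          # the page's Windows target
UDP_OPEN = {123, 137, 138, 445, 500, 1900, 4500}
UDP_PORTS = list(range(1, 999)) + [1900, 4500]      # constructed 1000-port list containing UDP_OPEN

if __name__ == "__main__":
    for probe, fw in [(Probe.SYN, False), (Probe.FIN, False), (Probe.ACK, True),
                      (Probe.ACK, False), (Probe.WINDOW, False)]:
        print(probe.name, "firewall on" if fw else "firewall off",
              scan_summary(probe, Stack.WINDOWS, TCP_OPEN, fw, range(1, 1001)))
    print("UDP firewall off", scan_summary(Probe.UDP, Stack.WINDOWS, UDP_OPEN, False, UDP_PORTS))
```

Running it against the `WINDOWS` stack reproduces the page's numbers (3 open and 997 closed for SYN, all 1000 closed for FIN and for the window scan, all filtered or all unfiltered for ACK depending on the firewall, 7 open|filtered for UDP); switching the stack to `RFC793` turns the three open ports into open|filtered under the FIN scan, which is why that scan is only informative against non-Windows targets.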

Tags: Linux udp nmap

Posted on Thu, 16 Sep 2021 13:53:52 -0400 by V-Man