
NMAP - Stealth

1.
2.
3. [-sT, -sS]
o

TCP connect() [-sT]

SYN Stealth [-sS]

4. FIN, Null, Xmas Tree [-sF, -sN, -sX]


5. Ping [-sP]
6. UDP [-sU]
7. IP Protocol [-sO]
8. Idle [-sI]
9. ACK [-sA]
10. Window, RPC, List [-sW, -sR, -sL]
11. Timing Hiding
o

FTP Bounce

Ping-a

Idle

12. OS Fingerprinting
13.
14. Nmap
o

IPv6

Verbose

Time-To-Live

15. Nmap
16.

1
Nmap Unix Windows. CL
(Command Line) , NmapFE , .
-
.
, Nmap ( , )
- http://www.insecure.org/nmap/
. (root unix admin windows)
2
, Nmap
,
. ,
. .
3 [-sT, -sS]
- TCP connect() [-sT] SYN (
- (half-open), stealth ) [-sS].
- .
:arrow: 3.1 TCP connect() [-sT]

, socket UNIX
, connect(), . connect() ,
, connect() ,
. . Nmap
connect() , ,
, .
Nmap ,
.
,
, port
. .
firewall intrusion detection (IDS)
.
IP- . TCP
connect() . , TCP Stealth
.
:arrow: 3.2 SYN Stealth [-sS]
, TCP/IP
. , SYN
.
TCP ,
(three-way handshake), .
TCP/IP ( TCP/IP
- ).
, TCP
- . TCP ,
.
.
, - TCP .
SYN, ACK, FIN RST.
SYN synchronise, SYN
Sequence Number ( ),
.

ACK acknowledge, ACK ,


( , )
FIN finish, , ,
.
RST Reset, .
RST .
,
TCP , . 80
. TCP SYN ( )
. , (80)
TCP ACK ( SYN) SYN (
sequence ) SYN|ACK. , SYN|ACK
, ACK
80.
, TCP SYN .
, TCP connect(),
, ,
IP. SYN (
) . .
, , SYN ACK
. , RST (
filtered, ). SYN|ACK,
, RST,
.
, (log) .
, firewall- SYN ,
Nmap SYN
, .. -.
4 FIN, Null Xmas Tree [-sF, -sN, -sX]
IDS , SYN ,
.
TCP . , RST
,

drop- ( , SYN
).
SYN , IDS (Intrusion Detection System)
.
FIN FIN , Xmas Tree FIN, URG PUSH
( ), Null
.
, TCP/IP RFC (
RFC 793). , , !
Windows ,
Windows UNIX ( ),
, SYN .
, Windows -sF, -sX -sN
Cisco, BSDI, HP/UX, MVS and IRIX. RST
.
nmap -sS 127.0.0.1 nmap -sF 127.0.0.1,
Linux , SYN -
.
:

[code]bash-2.05b# nmap -sS 127.0.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 12:54 BST
Interesting ports on localhost (127.0.0.1):
(The 1643 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1.986 seconds
bash-2.05b# nmap -sF 127.0.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 12:53 BST
Interesting ports on localhost (127.0.0.1):
(The 1643 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 3.135 seconds[/code]

5 Ping [-sP]
"up", .
.
NMAP , () up ().
, ICMP ECHO (REQUEST, - Ping)
. ICMP ECHO (REPLY)
. , ( )
.
Echo Nmap "TCP Ping" .
TCP ACK SYN ( 80 (HTTP),
) - RST SYN|ACK.
- ,
. , "filtered",
.
Nmap UNIX root ICMP ACK
(). -root connect() (
, , SYN ,
root , ).
ICMP , Command (CL = Command Line)
-P -P0 (, ), .
6 UDP [-sU]

UDP -sU. Nmap 0-


UDP . ICMP Port Unreachable ,
, , .
, "ICMP Port
Unreachable" .
.
UDP , .
"ICMP Port Unreachable" ,
,
. Nmap ,
. ,
65,535 UDP Windows
.
UDP ,
, UDP, SNMP, NFS
- - Back Orifice (BO) ,
.
TCP UDP
, TCP
, UDP .
7 IP Protocol [-sO]
IP Protocol . Nmap
IP (protocol header)
.
IP .
"ICMP Protocol Unreachable", ,
, . .
firewall-, AIX, HP-UX Digital UNIX. ,
, .
"ICMP Protocol Unreachable" ,
- "UDP Scan" , 256 (8 IP Protocol IP ) .

-sO -.
:

[code]bash-2.05b# nmap -sO 127.0.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 14:20 BST
Interesting protocols on localhost (127.0.0.1):
(The 251 protocols scanned but not shown below are in state: closed)
Protocol State Name
1 open icmp
2 open igmp
6 open tcp
17 open udp
255 open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 3.807 seconds[/code]

8 Idle [-sI]

,
( ). zombie host (
, - ) .
.
"predictable IP
fragmentation ID". ( , ) Target (, ),
(), 23 (FTP) .
. , SYN|ACK,
(
) RST, RST
IP . , RST,
, .. IPID .

IP Trust . ,
,
, .
... Idle ,
. ( Idle
), , :
:
[code]# nmap -P0 -p- -sI kiosk.adobe.com www.riaa.com
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
1030/tcp open iad1
2306/tcp open unknown
5631/tcp open pcanywheredata
7937/tcp open unknown
7938/tcp open unknown
36890/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 2594.472 seconds[/code]

, RIAA (

IDS, , kiosk.adobe.com

:arrow: Idle :
http://www.insecure.org/nmap/idlescan.html

9 ACK [-sA]
, (rulesets)
, stateless stateful. ACK
. RST , , "unfiltered"
( firewall-a). .
.
. stateless (
SYN ) stateful ( ACK )
, ACK
"", ,
firewall- .
10 Window, RPC, List [-sW, -sR, -sL]
TCP Windows ACK , ,
filtered/unfiltered . TCP
Windows ( nmap
).
RPC ,
TCP UDP RPC , ,
, . (decoys) RPC
( Timing Hiding , -.
List IP- (DNS ,
-n Nmap) ping-
.
11 Timing Hiding
:arrow: 11.1 Timing
Nmap
. ,
- - -
.
-. ,

( 0, Paranoid ).
Paranoid, Sneaky, Polite, Normal, Aggressive and Insane.
-T Paranoid ( -T0) ( ) 5
.
, .
, ,
.
-T Insane ( -T5) ,
:
.
--host_timeout, --max_rtt_timeout,
--min_rtt_timeout, --initial_rtt_timeout,
--max_parallelism, --min_parallelism, and --scan_delay
Nmap .
:arrow: 11.2
-D ,
(, decoys). IP- , IP-,
. -
, (
"" ).
:arrow: 11.3 FTP Bounce
FTP (RFC 959) Proxy FTP,
. ftpd-. ,
. ,
, ,
.
, FTP
, .
:arrow: 11.4 Ping-a
-P0 ( ) ICMP . -PT

TCP , -PT .
Ping-a : ,
, stealth . , Nmap
, Ping ( ,
"down", ).
-PT -PS, SYN , ACK TCP
Ping.
-PU ( ) UDP "ping".
- "" ,
UDP zero-length ( ) UDP .
-PE ( ICMP Echo ), -PP (ICMP Timestamp ), -PM
(Netmask ) -PB (, ICMP Echo TCP Ping ACK
).
:arrow: 11.5
-f IP , -sS, -sF, -sX -sN.
- . ,
firewall- ( iptables)
, .
-
, ,
. -
, !
:arrow: 11.6 Idle
- .
12 OS Fingerprinting
- Nmap (fingerprinting)
. , -v - verbosity
TCP (
Idle ).

- Fyodor.
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
13
Nmap : -oN, -oX or -oG.
. -oN , -oX
XML, -oG grepable . -oA , -oS
, (,

--append-output
.
14 Nmap
:arrow: 14.1 IPv6
-6 Nmap IPv6 ( , ). TCP
Connect TCP Connect Ping . :
http://nmap6.sourceforge.net (

IPv6)

:arrow: 14.2 Verbose ()


, -v
-v , -d ( ), -
.
(Verbose - , , ,
)
:arrow: 14.3
Ctrl+C "--resume <__>".
Grepable (-oN -oG).
:arrow: 14.4
"-iL <___>" ,
(command line - CL). (hostlist)

, (space), . ("-")
Nmap stdin.
:arrow: 14.5
-F , nmap_services (
, -sO).
, -,
65,535
:arrow: 14.6 Time-To-Live
"-ttl <>" (Time-To-Live - TTL) IPv4 .

ACL firewall- ( TTL-
). Nmap
TTL traceroute ( ,
, , traceroute
!

15 Nmap
:
:
[code]Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:38 BST
Host 192.168.0.1 appears to be up.
Host 192.168.0.2 appears to be up.
Host chaos.bytekill.net (192.168.0.3) appears to be up.
Host 192.168.0.4 appears to be up.
Host 192.168.0.255 appears to be up.
Nmap run completed -- 256 IP addresses (5 hosts up) scanned in 9.733 seconds[/code]

, 192.168.0.1 . - (
,
)

, Netgear DG814, Nmap

, - SYN -O -F , ,
!
:
[code]bash-2.05b# nmap -sS -F -O 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:41 BST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 192.168.0.1:
(The 1196 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
Device type: WAP
Running: Compaq embedded, Netgear embedded
OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814
Nmap run completed -- 1 IP address (1 host up) scanned in 6.537 seconds[/code]

, ! ,
TCP ... Idle ,
TCP Sequencing- . , 192.168.0.1 (..
"non-routable" 10.x.x.x, 192.168.x.x ...)
private , , IP,

, 192.168.0.1 10.0.0.1

192.168.0.255 broadcast , .
- 192.168.0.2, 192.168.0.3
192.168.0.4 . 192.168.0.2 :
:
[code]bash-2.05b# nmap -sS -P0 -O -v 192.168.0.2
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:50 BST
Host 192.168.0.2 appears to be up ... good.
Initiating SYN Stealth Scan against 192.168.0.2 at 15:50
Adding open port 139/tcp
Adding open port 1025/tcp
Adding open port 445/tcp
Adding open port 135/tcp
The SYN Stealth Scan took 1 second to scan 1644 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Interesting ports on 192.168.0.2:
(The 1640 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Win 2000 profressional or Advanced Server, or WinXP
TCP Sequence Prediction: Class=random positive increments
Difficulty=9871 (Worthy challenge)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 2.446 seconds[/code]

Nmap , Windows - !
Incremental (), Idle .
192.168.0.3:
[code]bash-2.05b# nmap -sI 192.168.0.2 192.168.0.3[/code]
: P0 w/Idlescan, ping
IP. , , Nmap Ping-
- .
[code]Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:54 BST
Idlescan using zombie 192.168.0.2 (192.168.0.2:80); Class: Incremental
Interesting ports on chaos.bytekill.net (192.168.0.3):
(The 1643 ports scanned but not shown below are in state: closed)
Port State Service
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 13.423 seconds[/code]
, - ... ! Nmap
(probes), , ,
. , ... X11 Windows
, . , UNIX.
... , 192.168.0.4 . -O...
, .
, SYN , -F:
[code]bash-2.05b# nmap -sS -F 192.168.0.4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:57 BST
Interesting ports on 192.168.0.4:
(The 1193 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
Nmap run completed -- 1 IP address (1 host up) scanned in 0.731 seconds[/code]
Windows, ...
Windows -sF, -sX -sN. -sX:
[code]bash-2.05b# nmap -sX -F 192.168.0.4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:58 BST
All 1197 scanned ports on 192.168.0.4 are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 0.741 seconds[/code]
, , , - Windows.
- , -,
, .
, .
X... , ,
Windows .
"-sS -p 1024-65534" "-sU -p 1024-65534", ,
, ,

16
, ... Nmap, ,
.
- :
http://www.insecure.org/nmap , "TCP/IP ".
Nmap .
.
