1.
2.
3. [-sT, -sS]
o
FTP Bounce
Ping-a
Idle
12. OS Fingerprinting
13.
14. Nmap
o
IPv6
Verbose
Time-To-Live
15. Nmap
16.
1
Nmap Unix Windows. CL
(Command Line) , NmapFE , .
-
.
, Nmap ( , )
- http://www.insecure.org/nmap/
. (root unix admin windows)
2
, Nmap
,
. ,
. .
3 [-sT, -sS]
- TCP connect() [-sT] SYN (
- (half-open), stealth ) [-sS].
- .
:arrow: 3.1 TCP connect() [-sT]
, socket UNIX
, connect(), . connect() ,
, connect() ,
. . Nmap
connect() , ,
, .
Nmap ,
.
,
, port
. .
firewall intrusion detection (IDS)
.
IP- . TCP
connect() . , TCP Stealth
.
:arrow: 3.2 SYN Stealth [-sS]
, TCP/IP
. , SYN
.
TCP ,
(three-way handshake), .
TCP/IP ( TCP/IP
- ).
, TCP
- . TCP ,
.
.
, - TCP .
SYN, ACK, FIN RST.
SYN synchronise, SYN
Sequence Number ( ),
.
drop- ( , SYN
).
SYN , IDS (Intrusion Detection System)
.
FIN FIN , Xmas Tree FIN, URG PUSH
( ), Null
.
, TCP/IP RFC (
RFC 793). , , !
Windows ,
Windows UNIX ( ),
, SYN .
, Windows -sF, -sX -sN
Cisco, BSDI, HP/UX, MVS IRIX. RST
.
nmap -sS 127.0.0.1 nmap -sF 127.0.0.1,
Linux , SYN -
.
:
5 Ping [-sP]
"up", .
.
NMAP , () up ().
, ICMP ECHO (REQUEST, - Ping)
. ICMP ECHO (REPLY)
. , ( )
.
Echo Nmap "TCP Ping" .
TCP ACK SYN ( 80 (HTTP),
) - RST SYN|ACK.
- ,
. , "filtered",
.
Nmap UNIX root ICMP ACK
(). -root connect() (
, , SYN ,
root , ).
ICMP , Command (CL = Command Line)
-P -P0 (, ), .
6 UDP [-sU]
-sO -.
:
8 Idle [-sI]
,
( ). zombie host (
, - ) .
.
"predictable IP
fragmentation ID". ( , ) Target (, ),
(), 23 (FTP) .
. , SYN|ACK,
(
) RST, RST
IP . , RST,
, .. IPID .
IP Trust . ,
,
, .
... Idle ,
. ( Idle
), , :
:
[code]# nmap -P0 -p- -sI kiosk.adobe.com www.riaa.com
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
135/tcp    open        loc-srv
443/tcp    open        https
1027/tcp   open        IIS
1030/tcp   open        iad1
2306/tcp   open        unknown
5631/tcp   open        pcanywheredata
7937/tcp   open        unknown
7938/tcp   open        unknown
36890/tcp  open        unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 2594.472 seconds[/code]
, RIAA (
IDS, , kiosk.adobe.com
:arrow: Idle :
http://www.insecure.org/nmap/idlescan.html
9 ACK [-sA]
, (rulesets)
, stateless stateful. ACK
. RST , , "unfiltered"
( firewall-a). .
.
. stateless (
SYN ) stateful ( ACK )
, ACK
"", ,
firewall- .
10 Window, RPC, List [-sW, -sR, -sL]
TCP Windows ACK , ,
filtered/unfiltered . TCP
Windows ( nmap
).
RPC ,
TCP UDP RPC , ,
, . (decoys) RPC
( Timing Hiding , -.
List IP- (DNS ,
-n Nmap) ping-
.
11 Timing Hiding
:arrow: 11.1 Timing
Nmap
. ,
- - -
.
-. ,
( 0, Paranoid ).
Paranoid, Sneaky, Polite, Normal, Aggressive Insane.
-T Paranoid ( -T0) ( ) 5
.
, .
, ,
.
-T Insane ( -T5) ,
:
.
--host_timeout, --max_rtt_timeout,
--min_rtt_timeout, --initial_rtt_timeout,
--max_parallelism, --min_parallelism, and --scan_delay
Nmap .
:arrow: 11.2
-D ,
(, decoys). IP- , IP-,
. -
, (
"" ).
:arrow: 11.3 FTP Bounce
FTP (RFC 959) Proxy FTP,
. ftpd-. ,
. ,
, ,
.
, FTP
, .
:arrow: 11.4 Ping-a
-P0 ( ) ICMP . -PT
TCP , -PT .
Ping-a : ,
, stealth . , Nmap
, Ping ( ,
"down", ).
-PT -PS, SYN , ACK TCP
Ping.
-PU ( ) UDP "ping".
- "" ,
UDP zero-length ( ) UDP .
-PE ( ICMP Echo ), -PP (ICMP Timestamp ), -PM
(Netmask ) -PB (, ICMP Echo TCP Ping ACK
).
:arrow: 11.5
-f IP , -sS, -sF, -sX -sN.
- . ,
firewall- ( iptables)
, .
-
, ,
. -
, !
:arrow: 11.6 Idle
- .
12 OS Fingerprinting
- Nmap (fingerprinting)
. , -v - verbosity
TCP (
Idle ).
- Fyodor.
http://www.insecure.org/nmap/nmap-fingerprinting-article.html
13
Nmap : -oN, -oX or -oG.
. -oN , -oX
XML, -oG grepable . -oA , -oS
, (,
--append-output
.
14 Nmap
:arrow: 14.1 IPv6
-6 Nmap IPv6 ( , ). TCP
Connect TCP Connect Ping . :
http://nmap6.sourceforge.net (
IPv6)
, (space), . ("-")
Nmap stdin.
:arrow: 14.5
-F , nmap_services (
, -sO).
, -,
65,535
:arrow: 14.6 Time-To-Live
"-ttl <>" (Time-To-Live - TTL) IPv4 .
ACL firewall- ( TTL-
). Nmap
TTL traceroute ( ,
, , traceroute
!
15 Nmap
:
:
[code]Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:38 BST
Host 192.168.0.1 appears to be up.
Host 192.168.0.2 appears to be up.
Host chaos.bytekill.net (192.168.0.3) appears to be up.
Host 192.168.0.4 appears to be up.
Host 192.168.0.255 appears to be up.
Nmap run completed -- 256 IP addresses (5 hosts up)[/code]
, 192.168.0.1 . - (
,
)
, - SYN -O -F , ,
!
:
[code]bash-2.05b# nmap -sS -F -O 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:41 BST
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on 192.168.0.1:
(The 1196 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
Device type: WAP
Running: Compaq embedded, Netgear embedded
OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814
Nmap run completed -- 1 IP address (1 host up) scanned in 6.537 seconds[/code]
, ! ,
TCP ... Idle ,
TCP Sequencing- . , 192.168.0.1 (..
"non-routable" 10.x.x.x, 192.168.x.x ...)
private , , IP,
, 192.168.0.1 10.0.0.1
192.168.0.255 broadcast , .
- 192.168.0.2, 192.168.0.3
192.168.0.4 . 192.168.0.2 :
:
[code]bash-2.05b# nmap -sS -P0 -O -v 192.168.0.2
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:50 BST
Host 192.168.0.2 appears to be up ... good.
Initiating SYN Stealth Scan against 192.168.0.2 at 15:50
Adding open port 139/tcp
Adding open port 1025/tcp
Adding open port 445/tcp
Adding open port 135/tcp
The SYN Stealth Scan took 1 second to scan 1644 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Interesting ports on 192.168.0.2:
(The 1640 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn[/code]
Nmap , Windows - !
Incremental (), Idle .
192.168.0.3:
[code]bash-2.05b# nmap -sI 192.168.0.2 192.168.0.3[/code]
: P0 w/Idlescan, ping
IP. , , Nmap Ping-
- .
[code]Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-27 15:54 BST
Idlescan using zombie 192.168.0.2 (192.168.0.2:80); Class: Incremental
Interesting ports on chaos.bytekill.net (192.168.0.3):
(The 1643 ports scanned but not shown below are in state: closed)[/code]
16
, ... Nmap, ,
.
- :
http://www.insecure.org/nmap , "TCP/IP ".
Nmap .
.