UDP Scan
nmap -v -sU 192.168.0.0/24
Fingerprint
nmap -v -O 192.168.0.0/24 # TCP (OS fingerprint)
For example, listing a zone with host -l (a DNS zone transfer request sent to the name server 10.0.0.1):
[bash]$ host -l somecompanyasanexample.com 10.0.0.1
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53
Aliases:

somecompanyasanexample.net SOA ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.net name server ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.net name server ns2.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.com has address 192.168.1.10
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.com mail is handled by 10 mail.somecompanyasanexample.com
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

mail.somecompanyasanexample.com has address 192.168.1.10
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

firewall.somecompanyasanexample.com is an alias for vpn.somecompanyasanexample.com
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

vpn.somecompanyasanexample.com has address 192.168.1.9
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

payroll.somecompanyasanexample.com has address 192.168.1.33
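The listing above shows how much a single zone transfer hands out: every hostname, the mail server, and internal 192.168.x addresses. The following Python is an added example, not part of the original page, that parses host -l output in that layout into records and summarises the exposure, flagging RFC 1918 addresses that a name server served to a querier. The sample text is constructed from the example names above; the "Using domain server" header repeats before each record in real output, and the parser skips it however often it appears.

```python
import ipaddress
import re

# Constructed sample in the layout of `host -l` output (built from the example
# names above, not copied from a live server).
LISTING = """\
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53
Aliases:

somecompanyasanexample.net SOA ns1.someexampleserver.net.
somecompanyasanexample.net name server ns1.someexampleserver.net.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53

somecompanyasanexample.com has address 192.168.1.10
somecompanyasanexample.com mail is handled by 10 mail.somecompanyasanexample.com
mail.somecompanyasanexample.com has address 192.168.1.10
firewall.somecompanyasanexample.com is an alias for vpn.somecompanyasanexample.com
vpn.somecompanyasanexample.com has address 192.168.1.9
payroll.somecompanyasanexample.com has address 192.168.1.33
"""

# One regex per record phrasing that host prints; order matters only in that
# each line is tried against the patterns top to bottom.
PATTERNS = [
    ("A",     re.compile(r"^(\S+) has address (\S+)$")),
    ("AAAA",  re.compile(r"^(\S+) has IPv6 address (\S+)$")),
    ("MX",    re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")),
    ("CNAME", re.compile(r"^(\S+) is an alias for (\S+)$")),
    ("NS",    re.compile(r"^(\S+) name server (\S+)$")),
    ("SOA",   re.compile(r"^(\S+) SOA (\S+)$")),
]
HEADER_PREFIXES = ("Using domain server", "Name:", "Address:", "Aliases:")

def parse_zone_listing(text):
    """Turn host -l output into tuples like ('A', name, address)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(HEADER_PREFIXES):
            continue  # server banner lines carry no zone data
        for rtype, pattern in PATTERNS:
            match = pattern.match(line)
            if match:
                records.append((rtype,) + match.groups())
                break
        else:
            records.append(("UNKNOWN", line))  # keep it visible rather than drop it
    return records

def exposure_summary(records):
    """What the transfer disclosed: hostnames, addresses, and which are private."""
    hosts, addrs = set(), set()
    for rec in records:
        rtype = rec[0]
        if rtype in ("A", "AAAA"):
            hosts.add(rec[1])
            addrs.add(rec[2])
        elif rtype == "CNAME":
            hosts.update(rec[1:3])     # alias and its target are both names
        elif rtype == "MX":
            hosts.add(rec[3])          # the mail exchanger hostname
    addr_list = sorted(addrs, key=ipaddress.ip_address)
    return {
        "hostnames": sorted(hosts),
        "addresses": addr_list,
        "private_addresses": [a for a in addr_list
                              if ipaddress.ip_address(a).is_private],
    }

if __name__ == "__main__":
    summary = exposure_summary(parse_zone_listing(LISTING))
    for key, values in summary.items():
        print(f"{key}: {values}")
```

A zone whose transfer lists private addresses alongside names like payroll and vpn tells an outsider the internal layout; the usual server-side remedy is to allow zone transfers only to the zone's own secondary servers.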
PING SWEEPING
Ping sweeping is the process of pinging numerous hosts. In the case of a large set of target IP addresses, one must perform a ping sweep to determine alive hosts that respond to ICMP echo requests.
TCP PINGING
If a TCP ACK packet is sent to a host that is alive, a RST packet will be sent back. This method can be used to scan machines that block ICMP echo requests.
For example:
nmap -PT6000 192.168.1.1
If a host responds with a RST packet, nmap will consider the host alive and will perform a port scan immediately.
[bash]# nmap -PT 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

TCP and UDP port numbers range from 1 to 65535. By default, nmap scans only commonly known ports. Scanning all 65,535 ports is time consuming but can be done with nmap by using the -p flag:
nmap -sT 192.168.1.1 -p 1-65535
TCP SYN/Half-Open
This type of scanning causes the scanner to send out a SYN packet to the target host. If the target host is listening on a particular port, it will respond with a SYN+ACK. If the target host is alive but not listening on a particular port, a RST packet will be received. As this method of scanning does not complete the TCP three-way handshake, it is stealthy, since it is often not logged by the target host.
SYN Scanning
Using the -sS flag in nmap will perform a SYN scan:
[bash]# nmap -sS 192.168.1.150

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.150):
(The 1599 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
FIN
In this method, a FIN packet is sent to a target host. If the target host is alive but not listening on a particular port, it will respond with a RST packet. However, if the target host is listening on a particular port, it will not respond. Note that Microsoft Windows hosts will send RST packets in all cases. This is of interest because it helps identify the target hosts as Microsoft Windows hosts. FIN packets are normally used to tear down established TCP connections.
FIN Scanning
Using the -sF flag in nmap will perform a FIN scan:
[bash]# nmap -sF 192.168.1.100

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth

Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds
Reverse Ident
Ident (Identification Protocol) servers listen for connections on port 113. If a TCP connection is established to a port listening on the host running the ident server, the ident server may be queried for the privilege level of the process associated with the connection.
XMAS
This method of scanning involves sending out a TCP packet with the FIN, URG, and PUSH flags set. If the target host is listening on the particular port, it sends a RST packet back. If the target host is not listening on that port, it does not respond. FIN packets are normally used to tear down an established TCP connection. URG packets signify that information needing immediate attention is present within the IP packet, such as a ^C sent during a telnet session. A PUSH packet signifies that the sender requests the receiver to immediately pass all buffered data to the applications.
XMAS Scanning
Using the -sX flag in nmap will perform an XMAS scan:
[bash]# nmap -sX 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.1):
(The 1597 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
NULL Scanning
Using the -sN flag in nmap will perform a TCP NULL scan:
[bash]# nmap -sN 192.168.1.100

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.100):
(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth

Nmap run completed -- 1 IP address (1 host up) scanned in 41 seconds
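Each of the probe types above (the TCP ping with a bare ACK, the SYN half-open scan, and the FIN, XMAS and NULL scans) is recognisable on the wire by its flag combination, which is what a network sensor keys on to detect them. The following Python is an added example, not code from the page or from nmap, that classifies packet records by flag set and reports a source once it has hit enough distinct targets; it also counts ICMP echo requests per source to catch the ping sweep described earlier. The packet records are constructed, not captured, and the thresholds are assumptions a sensor would tune.

```python
from collections import defaultdict

# Constructed packet records, not captured traffic:
#   (src_ip, dst_ip, proto, dst_port, flags)
# For TCP, flags is the set of flag names on the segment; for ICMP it is the
# message type name and dst_port is None.
PACKETS = [
    # bare ACKs to several ports of one host: the TCP-ping technique above
    *[("10.9.9.1", "192.168.1.1", "tcp", p, {"ACK"}) for p in (22, 80, 113, 443, 6000)],
    # half-open scan: SYNs to forty ports, never followed by a handshake
    *[("10.9.9.2", "192.168.1.150", "tcp", p, {"SYN"}) for p in range(1, 41)],
    # one ordinary client connecting to 443 and then talking on the connection
    ("10.9.9.3", "192.168.1.150", "tcp", 443, {"SYN"}),
    ("10.9.9.3", "192.168.1.150", "tcp", 443, {"PSH", "ACK"}),
    # FIN-only and NULL probes from the same source
    *[("10.9.9.4", "192.168.1.100", "tcp", p, {"FIN"}) for p in (21, 22, 25)],
    *[("10.9.9.4", "192.168.1.100", "tcp", p, set()) for p in (53, 80)],
    # XMAS probes: FIN, URG and PSH set together
    *[("10.9.9.5", "192.168.1.1", "tcp", p, {"FIN", "URG", "PSH"}) for p in (22, 80, 113, 6000)],
    # ICMP echo requests to eight consecutive addresses: a ping sweep
    *[("10.9.9.6", f"192.168.1.{h}", "icmp", None, "echo-request") for h in range(1, 9)],
]

# Flag combinations that identify each probe type described on this page.
PROBE_KINDS = {
    frozenset({"SYN"}): "SYN half-open",
    frozenset({"ACK"}): "ACK / TCP ping",
    frozenset({"FIN"}): "FIN",
    frozenset(): "NULL",
    frozenset({"FIN", "URG", "PSH"}): "XMAS",
}

# Distinct (host, port) targets one source must hit before a kind is reported
# (assumed values). Bare SYN and bare ACK segments also occur in legitimate
# traffic (connection setup, keepalives), so they need volume; FIN-only, NULL
# and XMAS segments never belong to a well-formed connection, so one is enough.
THRESHOLDS = {"SYN half-open": 10, "ACK / TCP ping": 5, "FIN": 1, "NULL": 1, "XMAS": 1}
ECHO_SWEEP_HOSTS = 5  # distinct hosts pinged by one source before reporting

def classify_tcp(flags):
    """Map a segment's flag set to a probe kind, or 'normal' for anything else."""
    return PROBE_KINDS.get(frozenset(flags), "normal")

def detect_scans(packets):
    """Return a list of (src_ip, kind, target_count) findings."""
    targets = defaultdict(set)        # (src, kind) -> {(dst, port)}
    echo_targets = defaultdict(set)   # src -> {dst}
    for src, dst, proto, dport, flags in packets:
        if proto == "icmp":
            if flags == "echo-request":
                echo_targets[src].add(dst)
            continue
        kind = classify_tcp(flags)
        if kind != "normal":
            targets[(src, kind)].add((dst, dport))
    findings = []
    for (src, kind), hit in sorted(targets.items()):
        if len(hit) >= THRESHOLDS[kind]:
            findings.append((src, kind, len(hit)))
    for src, hosts in sorted(echo_targets.items()):
        if len(hosts) >= ECHO_SWEEP_HOSTS:
            findings.append((src, "ICMP echo sweep", len(hosts)))
    return findings

if __name__ == "__main__":
    for src, kind, count in detect_scans(PACKETS):
        print(f"{src:<12} {kind:<16} {count} targets")
```

The single SYN from 10.9.9.3 is not reported because a connection attempt is exactly what a SYN looks like; only the volume of distinct ports separates the half-open scan from ordinary clients, which is why the SYN scan's "not logged" property in the text above holds for application logs but not for a sensor that watches the segments themselves.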
RPC
This type of scan is used to send NULL commands to open ports in order to determine if they are RPC (remote procedure call) ports. Once an open port is determined to be an RPC port, information about the application that is bound to the port is queried for and obtained.
RPC Scanning
Using the -sR option in nmap will perform an RPC scan:
[bash]# nmap -sR 10.0.0.10

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (10.0.0.10):
(The 1584 ports scanned but not shown below are in state: closed)
Port       State       Service (RPC)
7/tcp      open        echo
21/tcp     open        ftp
22/tcp     open        ssh
37/tcp     open        time
53/tcp     open        domain
111/tcp    open        sunrpc (rpcbind V2-4)
113/tcp    open        auth
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
587/tcp    open        submission
2049/tcp   open        nfs (nfs V2-3)
4045/tcp   open        lockd (nfs V2-3)
7100/tcp   open        font-service
32771/tcp  open        sometimes-rpc5 (ypserv V1-2)
32772/tcp  open        sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 40 seconds
IP Protocol Scanning
Using the -sO flag in nmap will perform an IP protocol scan:
[bash]# nmap -sO 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting protocols on (192.168.1.1):
(The 251 protocols scanned but not shown below are in state: closed)
Protocol   State       Name
1          open        icmp
2          open        igmp
6          open        tcp
17         open        udp
ACK Scanning
ACK scans can be performed by using nmap with the -sA flag:
nmap -sA target_address
Window
This type of scan, while similar to the ACK scan, sometimes helps detect open, filtered, and unfiltered ports on some systems due to an anomaly in the way TCP window sizes are reported.
Window Scanning
Window scans can be performed by potential intruders using nmap with the -sW flag:
nmap -sW target_address
UDP
In order to determine if a host is listening on a particular UDP port, a UDP packet is sent to the port. If the target host is not listening on the particular port, an ICMP port unreachable packet is received. However, if the target host is listening on the particular port, no such packet is received. Since UDP is not a connection-oriented protocol, UDP scanning is unreliable.