mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-25 23:11:02 +08:00
Translated
This commit is contained in:
Flynn
parent
880da89b2d
commit
784431293d
@ -1,129 +0,0 @@
|
||||
Translating by ucasFL
|
||||
NMAP Common Scans – Part Two
|
||||
=====================
|
||||
|
||||
|
||||
|
||||
In a previous article, ‘[NMAP Installation][1]’, a listing of ten different ZeNMAP Profiles were listed. Most of the Profiles used various parameters. Most of the parameters represented different scans which can be performed. This article will cover the last two remaining of the common four scan types.
|
||||
|
||||
**The Common Four Scan Types**
|
||||
|
||||
The four main scan types which are used most often are the following:
|
||||
|
||||
1. PING Scan (-sP)
|
||||
2. TCP SYN Scan (-sS)
|
||||
3. TCP Connect() Scan (-sT)
|
||||
4. UDP Scan (-sU)
|
||||
|
||||
When using NMAP to perform scans these four scans are the four to keep in mind. The main thing to keep in mind about them is what they do and how they do it. This article covers the two TCP scans – TCP SYN Scan and TCP Connect Scan.
|
||||
|
||||
([See Common scans - part one][2])
|
||||
|
||||
**TCP SYN Scan (-sS)**
|
||||
|
||||
The TCP SYN Scan is the default NMAP scan. To run the TCP SYN Scan you are required to have Root privileges.
|
||||
|
||||
The purpose of the TCP SYN Scan is to find open Ports on the scanned systems. As with NMAP scans you can scan systems on the other side of a Firewall. When scanning through a Firewall the scan time will be lengthened since packets will be slowed down.
|
||||
|
||||
The way the TCP SYN Scan works is that it starts a three-way handshake. As described in another article, the three-way handshake takes place between two systems. The Source System sends a packet to the Target System which is a SYN (Sync) request. The Target System will respond with a SYN/ACK (Sync/Acknowledgement). The Source System will the respond with an Acknowledgement (ACK) so the communication link is established and data can be transferred between them.
|
||||
|
||||
The TCP Syn Scan works by performing the steps as follows:
|
||||
|
||||
1. Source System sends a SYN request to the Target but a Port number is added to the request in this case.
|
||||
2. The Target System will respond with a SYN/ ACK (Sync/Acknowledgement) to the Source if the specified Port is open.
|
||||
3. The Source System responds with a RST (Reset) to the Target to close the connection.
|
||||
4. The Target System can respond with a RST/ACK (Reset/Acknowledgement) to the Source System.
|
||||
|
||||
The connection was started to be established so this is considered a half-open connection. Because the connection state is being managed by NMAP you need Root privileges.
|
||||
|
||||
If the Port being scanned is closed the following will occur:
|
||||
|
||||
1. Source System sends a SYN request to the Target and a Port number is added to the request.
|
||||
2. The Target responds with a RST (Reset) since the Port is closed.
|
||||
|
||||
If the Target System is behind a Firewall then the ICMP transmission or responses will be blocked by the Firewall and the following happens:
|
||||
|
||||
1. Source System sends a SYN request to the Target and the Port number is added to the request.
|
||||
2. No response is received since it was Filtered by the Firewall.
|
||||
|
||||
In this case the port is listed as Filtered and the Port may or may not be open. The Firewall may be set to stop all outgoing packets on the specified Port. The Firewall may block all incoming packets to a specified Port and so the Target System does not receive the request.
|
||||
|
||||
**NOTE:** The lack of a response may also occur on a system with a Firewall program enabled on it. Even on a local network you may find Filtered Ports.
|
||||
|
||||
I will perform a scan of a single system (10.0.0.2) and perform the TCP Syn Scan as shown in Figure 1\. The scan is done with the command ‘sudo nmap -sS <IP Address>’. The ‘<IP Address>’ can be exchanged with a single IP Address, as in Figure 1, or by using a group of IP Addresses.
|
||||
|
||||
|
||||
|
||||
**FIGURE 1**
|
||||
|
||||
You can see that it states that 997 Filtered Ports are not shown. NMAP then finds two Ports open – 139 and 445.
|
||||
|
||||
**NOTE:** Keep in mind that NMAP only scans the most well-known 1,000 Ports. We will cover other scans later which will allow us to scan all ports or only those specified.
|
||||
|
||||
The scan was captured by WireShark as shown in Figure 2\. Here you can see the initial Address Resolution Protocol (ARP) requests being made for the Target System. Following the ARP requests are a long list of TCP requests to the Ports on the Target System. Line 4 is to the ‘http-alt’ Port (8080). The Source System Port number is 47,128\. Many SYN requests are sent until a response is made as shown in Figure 3.
|
||||
|
||||
|
||||
|
||||
**FIGURE 2**
|
||||
|
||||
|
||||
|
||||
**FIGURE 3**
|
||||
|
||||
In Figure 3 on Lines 50 and 51 you can see the RST (Reset) packet sent to the Source System. Lines 53 and 55 shows a RST/ACK (Reset/Acknowledgement). Line 50 is for the ‘microsoft-ds’ Port (445) and Line 51 is for the ‘netbios-ssn’ Port (135) we can see that the Ports are opened. No other ACK (Acknowledgments) are made from the Target System except for these Ports. Each request can be sent over 1,000 times.
|
||||
|
||||
The Target System was a Windows System and I turned off the Firewall software on the system and performed the scan again as shown in Figure 4\. Now instead of seeing 997 Filtered Ports there are 997 Closed Ports. Port 135 is also now open on the Target System which was being blocked by the Firewall.
|
||||
|
||||
|
||||
|
||||
**FIGURE 4**
|
||||
|
||||
**TCP Connect() Scan (-sT)**
|
||||
|
||||
The TCP Connect() Scan (-sT) does not require Root privileges as the TCP Syn Scan does. A full Three-Way Handshake is performed in this Scan. Because Root privileges are not needed this scan can be helpful on a network where you cannot get Root privileges.
|
||||
|
||||
The way the TCP Connect Scan works is that it performs a three-way handshake. As described above, the three-way handshake takes place between two systems. The Source System sends a packet to the Target System which is a SYN (Sync) request. The Target System will respond with a SYN/ACK (Sync/Acknowledgement). The Source System will then respond with an Acknowledgement (ACK) so the communication link is established and data can be transferred between them.
|
||||
|
||||
The TCP Connect Scan works by performing the steps as follows:
|
||||
|
||||
1. Source System sends a SYN request to the Target but a Port number is added to the request in this case.
|
||||
2. The Target System will respond with a SYN/ ACK (Sync/Acknowledgement) to the Source if the specified Port is open.
|
||||
3. The Source System responds with an ACK (Acknowledgement) to the Target to finish the session creation.
|
||||
4. The Source System then sends the Target System a RST (Reset) packet to close the session.
|
||||
5. The Target System can respond with a RST/ACK (Reset/Acknowledgement) to the Source System.
|
||||
|
||||
When step 2 occurs the Source System knows that the Port Specified in Step 1 is an Open Port.
|
||||
|
||||
If a Port is closed then the same thing happens as in a TCP Scan. In Step 2 the Target System will respond with a RST (Reset) packet.
|
||||
|
||||
The scan is done with the command ‘nmap -sT <IP Address>’. The ‘<IP Address>’ can be exchanged with a single IP Address, as in Figure 5, or by using a group of IP Addresses.
|
||||
|
||||
The results of a TCP Connect Scan can be seen in Figure 5\. Here you can see that the two open Ports, 139 and 445, are found just like with the TCP SYN Scan. Port 80 is listed as being Closed. The remaining Ports are not shown and listed as Filtered.
|
||||
|
||||
|
||||
|
||||
**FIGURE 5**
|
||||
|
||||
Let’s try the scan again after shutting off the Firewall. The results are shown in Figure 6.
|
||||
|
||||
|
||||
|
||||
**FIGURE 6**
|
||||
|
||||
With the Firewall off we can see more Ports have been found. Just as with the TCP SYN Scan when having the Firewall off we find Ports 139, 445 and 135 are open. We also have found that Port 2869 is also open. There are also 996 closed Ports. Port 80 is now part of the 996 closed Ports – no longer Filtered by the Firewall.
|
||||
|
||||
In some cases the TCP Connect Scan may finish in a shorter amount of time. The TCP Connect Scan also seems to find more open Ports than the TCP SYN Scan.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.linuxforum.com/threads/nmap-common-scans-part-two.3879/
|
||||
|
||||
作者:[Jarret ][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.linuxforum.com/members/jarret.268/
|
||||
[1]:https://www.linuxforum.com/threads/nmap-installation.3431/
|
||||
[2]:https://www.linuxforum.com/threads/nmap-common-scans-part-one.3637/
|
||||
128
translated/tech/20170125 NMAP Common Scans – Part Two.md
Normal file
128
translated/tech/20170125 NMAP Common Scans – Part Two.md
Normal file
@ -0,0 +1,128 @@
|
||||
NMAP 常用扫描简介(二)
|
||||
=====================
|
||||
|
||||
|
||||
|
||||
在我们之前的 [NMAP 安装][1]一文中,列出了 10 种不同的 ZeNMAP 扫描模式,大多数的模式使用了不同的参数。各种不同参数代表执行不同的扫描模式。这篇文章将介绍最后剩下的两种常用扫描类型。
|
||||
|
||||
**四种通用扫描类型**
|
||||
|
||||
下面列出了最常用的四种扫描类型:
|
||||
|
||||
1. PING 扫描(-sP)
|
||||
2. TCP SYN 扫描(-sS)
|
||||
3. TCP Connect() 扫描(-sT)
|
||||
4. UDP 扫描(-sU)
|
||||
|
||||
当我们利用 NMAP 来执行扫描的时候,这四种扫描类型是我们需要熟练掌握的。更重要的是需要知道这些命令做了什么,并且需要知道这些命令是怎么做的。在这篇文章中将介绍两种 TCP 扫描 — TCP SYN 扫描和 TCP Connect() 扫描。
|
||||
|
||||
([阅读 NMAP 常用扫描简介(一)][2])
|
||||
|
||||
**TCP SYN 扫描 (-sS)**
|
||||
|
||||
TCP SYN 扫描是默认的 NMAP 扫描。为了运行 TCP SYN 扫描,你需要有 Root 权限。
|
||||
|
||||
TCP SYN 扫描的目的是找到被扫描系统上的已开启端口。使用 NMAP 扫描可以扫描在防火墙另一侧的系统。当扫描通过防火墙时,扫描时间会延长,因为数据包会变慢。
|
||||
|
||||
TCP SYN 扫描的工作方式是启动一个“三次握手”。正如在另一篇文章中所述,“三次握手”发生在两个系统之间。首先,源系统发送一个包到目标系统,这是一个同步(Sync)请求。然后,目标系统将通过同步/应答(SYN/ACK)响应。接下来,源系统将通过应答(ACK)来响应,从而建立起一个通信连接,然后,可以在两个系统之间传输数据。
|
||||
|
||||
TCP SYN 扫描通过执行下面的步骤来进行工作:
|
||||
|
||||
1. 源系统向目标系统发送一个同步请求,同时,一个端口号会被添加到请求中。
|
||||
2. 如果添加在上一步中的请求中的端口号是开启的,那么目标系统将通过同步/应答(SYN/ACK)来响应源系统。
|
||||
3. 源系统通过重置(RST)来响应目标系统,从而断开连接。
|
||||
4. 目标系统可以通过重置/应答(SYN/ACK)来响应源系统。
|
||||
|
||||
连接已经建立,所以这被认为是半开放连接。因为连接状态是由 NMAP 管理的,所以你需要有 Root 权限。
|
||||
|
||||
如果被扫描的端口是关闭的,那么将执行下面的步骤:
|
||||
|
||||
1. 源系统发送一个同步(SYN)请求到目标系统,同时一个端口号被添加到请求中。
|
||||
2. 目标系统通过重置(RST)响应源系统,因为该端口是关闭的。
|
||||
|
||||
如果目标系统被防火墙监控,那么 ICMP 传输或响应将会防火墙禁止,此时,会执行下面的步骤:
|
||||
|
||||
1. 源系统发送一个同步请求到目标系统,同时一个端口号被添加到请求中。
|
||||
2. 没有任何响应,因为请求被防火墙过滤了。
|
||||
|
||||
在这种情况下,端口可能是被过滤、或者可能打开、或者可能没打开。防火墙可以设置禁止指定端口所有包的传出。防火墙可以禁止所有传入某个指定端口的包,因此目标系统不会接收到请求。
|
||||
|
||||
**注:**无响应可能发生在一个启用了防火墙的系统上。即使在本地网络,你也可能会发现被过滤端口
|
||||
|
||||
我将向图片1那样执行对单一系统(10.0.0.2)的扫描和执行 TCP SYN 扫描。使用命令 `sudo nmap -sS <IP 地址>` 来执行扫描。`<IP 地址>`可以改为一个单一 IP 地址,像图片1那样,也可以使用一组 IP 地址。
|
||||
|
||||
|
||||
|
||||
**图片1**
|
||||
|
||||
你可以看到,状态为 997 的被过滤端口没有显示。NMAP 找到两个开启的端口:139 和 445 。
|
||||
|
||||
**注:**请记住,NMAP 只会扫描绝大多数熟知的 1000 多个端口。以后,我们会介绍可以扫描所有端口或者指定端口的其他扫描。
|
||||
|
||||
扫描会被 WireShark 俘获,正如图片2所展示的那样。在这儿,你可以看到目标系统的初始地址解析协议(ARP)请求。在 ARP 请求下面的是一长列到达目标系统端口的 TCP 请求。第 4 行是到达 `http-alt` 端口(8080)。源系统的端口号为 47128 。正如图片3展示的,许多 SYN 请求只有在做出响应以后才会发送。
|
||||
|
||||
|
||||
|
||||
**图片2**
|
||||
|
||||
|
||||
|
||||
**图片3**
|
||||
|
||||
在图片3的第 50 行和第 51 行,你可以看到,重置(RST)包被发送给了源系统。第 53 行和第 55 行显示 RST/ACK(重置/应答)。第 50 行是针对 ‘microsoft-ds’ 端口(445),第 51 行是针对 ‘netbios-ssn’ 端口(135),我们可以看到,这两个端口都是打开的。除了这些端口,没有其他 ACK(应答)是来自目标系统的。每一个请求均可发送超过 1000 次。
|
||||
|
||||
正如图片4所展示的,目标系统是 Windows 系统,我关闭了系统防火墙,然后再次执行扫描。现在,我们看到 997 端口不是被过滤端口,而是已关闭端口。目标系统上的 135 端口之前被防火墙禁止了,现在也是开启的。
|
||||
|
||||
|
||||
|
||||
**图片4**
|
||||
|
||||
**TCP Connect() 扫描 (-sT)**
|
||||
|
||||
尽管 TCP SYN 扫描需要 Root 权限,但 TCP Connect() 扫描并不需要。一个完整的“三次握手”会在这次扫描中执行。因为不需要 Root 权限,所以在无法获取 Root 权限的网络上,这种扫描非常有用。
|
||||
|
||||
TCP Connect 扫描的工作方式也是执行“三次握手”。正如上面描述过的,“三次握手”发生在两个系统之间。源系统发送一个同步(Sync)请求到目标系统。然后,目标系统将通过同步/应答(SYN/ACK)来响应。最后,源系统通过应答(ACK)来响应,从而建立起连接,然后便可在两个系统之间传输数据。
|
||||
|
||||
TCP Connect 扫描通过执行下面的步骤来工作:
|
||||
|
||||
1. 源系统发送一个同步(SYN)请求到目标系统,同时一个端口号被添加到请求中。
|
||||
2. 如果上一步添加到请求中的端口是开启的,那么目标系统将通过同步/应答(SYN/ACK)来响应源系统。
|
||||
3. 源系统通过应答(ACK)来响应目标系统从而结束会话。
|
||||
4. 然后,源系统向目标系统发送一个重置(RST)包来关闭会话。
|
||||
5. 目标系统可以通过同步/应答(SYN/ACK)来响应源系统。
|
||||
|
||||
若步骤 2 执行了,那么源系统就知道在步骤 1 中的指定端口是开启的。
|
||||
|
||||
如果端口是关闭的,那么会发生和 TCP SYN 扫描相同的事。在步骤 2 中,目标系统将会通过一个重置(RST)包来响应源系统。
|
||||
|
||||
可以使用命令 `nmap -sT <IP 地址>` 来执行扫描。`<IP 地址>`可以改为一个单一 IP 地址,像图片5那样,或者使用一组 IP 地址。
|
||||
|
||||
TCP Connect 扫描的结果可以在图片5中看到。在这儿,你可以看到,有两个已开启端口:139 和 445,这和 TCP SYN 扫描的发现一样。端口 80 是关闭的。剩下没有显示的端口是被过滤了的。
|
||||
|
||||
|
||||
|
||||
**图片5**
|
||||
|
||||
让我们关闭防火墙以后再重新扫描一次,扫描结果展示在图片6中。
|
||||
|
||||
|
||||
|
||||
**图片6**
|
||||
|
||||
关闭防火墙以后,我们可以看到,更多的端口被发现了。就和 TCP SYN 扫描一样,关闭防火墙以后,发现 139 端口和 445 端口是开启的。我们还发现,端口 2869 也是开启的。也发现端口 996 是关闭的。现在,端口 80 是 996 已关闭端口的一部分 — 不再被防火墙过滤。
|
||||
|
||||
在一些情况下, TCP Connect 扫描可以在一个更短的时间内完成。和 TCP SYN 扫描相比,TCP Connect 扫描也可以找到更多的已开启端口
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://www.linuxforum.com/threads/nmap-common-scans-part-two.3879/
|
||||
|
||||
作者:[Jarret ][a]
|
||||
译者:[ucasFL](https://github.com/ucasFL)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:https://www.linuxforum.com/members/jarret.268/
|
||||
[1]:https://www.linuxforum.com/threads/nmap-installation.3431/
|
||||
[2]:https://linux.cn/article-8346-1.html/
|
||||
Loading…
Reference in New Issue
Block a user