NMAP scanner

xiaoxiao 2021-03-06

Introduction: The media have recently carried a great deal of news about network intrusions, giving the impression that an intruder only needs a few simple tools to gain access to a computer. In reality things are not that simple. A hacker who wants to break into a computer first needs a complete plan. Before attacking a system, the hacker must find a target host and learn which ports on it are listening, and therefore which ports might be attacked. Finding the hosts on a network and testing which ports are listening is usually done with a scanner. Scanning the network is the hacker's first step: a scanner such as Nmap is used to look for a host with a vulnerability, and once such a target is found, the next step is a scan of its listening ports. Nmap can accurately determine the operating system of a scanned host by means of TCP/IP stack fingerprinting. This article introduces the use of Nmap from every angle, so that a security administrator can see their site the way a hacker sees it and, by using Nmap themselves, discover the vulnerabilities of their own site and gradually harden their systems. Nmap is released under the Free Software Foundation's GNU General Public License (GPL) and can be downloaded free of charge from www.insecure.org/nmap, either as source code in TGZ format or in RPM format. The current stable version is 2.12. A graphical front end also exists, but this article concentrates on the Nmap command line. Nmap's syntax is quite simple: the different scan types are selected by options beginning with the -s flag; for example, the ping scan option is "-sP". Once the target host or network has been chosen, scanning can begin. If Nmap is run as root, its capabilities are greatly enhanced, because the superuser can build the custom raw packets that Nmap makes use of. Nmap is also flexible in how the target machine is specified.
Scanning a single machine with Nmap is simple, and scanning an entire network is just as simple: the target address is given to Nmap with a "/mask" suffix. An address of "victim/24" means the target is a class C network, and "victim/16" means a class B network. Nmap also accepts other ways of specifying network addresses, such as 192.168.7.*, which means 192.168.7.0/24, or 192.168.7.1,4,8-12, which scans only the selected hosts in that subnet.

Ping scanning (Ping Scanning)

An intruder uses Nmap to scan the whole network to find targets. A ping scan is performed with the "-sP" option. By default, Nmap sends an ICMP echo request and a TCP ACK to every scanned host, and every host that responds is reported by Nmap as up. Example: scanning the 192.168.7.0 network:

    # nmap -sP 192.168.7.0/24
    Starting nmap V. 2.2 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Host (192.168.7.11) appears to be up.
    Host (192.168.7.12) appears to be up.
    Host (192.168.7.76) appears to be up.
    Nmap run completed - 256 IP addresses (3 hosts up) scanned in 1 second

If ICMP echo requests are blocked by the sites being checked, this scan may receive no response from some of them. In that case a TCP "ping" can be used to scan the target network: a TCP "ping" sends an ACK to each host on the target network, and a host that is online replies with a TCP RST.

Using the TCP ping option together with the ping scan, that is, the "-PT" option, scans the network with a TCP "ping" (the default port, used in this example, is 80, the http port), which may well get through the target's border router or even its firewall. Note that the target port does not need to be open on the probed host; whether the host answers depends only on whether it is on the network.

    # nmap -sP -PT80 192.168.7.0/24
    TCP probe port is 80
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Host (192.168.7.11) appears to be up.
    Host (192.168.7.12) appears to be up.
    Host (192.168.7.76) appears to be up.
    Nmap run completed - 256 IP addresses (3 hosts up) scanned in 1 second

Port scanning (Port Scanning)

Once a potential intruder has found the hosts that are up on the target network, the next step is port scanning. Nmap supports several classes of port scan: TCP connect, TCP SYN, stealth FIN, Xmas tree, Null and UDP scans. An attacker's TCP connect scan is easy to discover, because Nmap uses the connect() system call to open a connection to each relevant port on the target and completes the full TCP three-way handshake, so the target host's logs record the connections to its open ports. A TCP connect scan uses the "-sT" option, as follows:

    # nmap -sT 192.168.7.12
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on (192.168.7.12):
    Port    State    Protocol    Service
    7       open     tcp         echo
    9       open     tcp         discard
    13      open     tcp         daytime
    19      open     tcp         chargen
    21      open     tcp         ftp
    ...
    Nmap run completed - 1 IP address (1 host up) scanned in 3 seconds

Stealth scanning (Concealed Scanning)

If an attacker does not want their activity to appear in the target's system logs, a TCP SYN scan can help: it rarely leaves a record on the target, because the three-way handshake is never completed. A SYN scan starts by sending a SYN packet (the first packet of a TCP connection). Any open port replies with SYN|ACK.
However, instead of the ACK that would complete the connection, the attacker sends an RST, and the connection is torn down. Because the three-way handshake is never completed, very few sites log such probes. If the port is closed, the response to the initial SYN is also an RST, which tells Nmap that the port is not listening.

The "-sS" option performs a SYN scan of a host or network:

    # nmap -sS 192.168.7.7
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on saturnlink.nac.net (192.168.7.7):
    Port    State    Protocol    Service
    21      open     tcp         ftp
    25      open     tcp         smtp
    53      open     tcp         domain
    80      open     tcp         http
    ...
    Nmap run completed - 1 IP address (1 host up) scanned in 1 second

Although SYN scans may go unnoticed, they are still caught by some intrusion detection systems. Stealth FIN, Xmas tree and Null scans can be used to get past packet filters and detectors that watch for SYN packets entering restricted ports. All three scans get an RST back from closed ports, while open ports absorb the packet without replying. A FIN scan ("-sF") sends a FIN packet to each port; an Xmas tree scan ("-sX") sets the FIN, URG and PUSH flags; and a Null scan ("-sN") turns off all flags. Because Microsoft's TCP implementation does not follow the TCP standard on this point, FIN, Xmas tree and Null scans are only effective against non-Microsoft operating systems.

UDP scanning (UDP Scanning)

If an attacker is looking for a popular UDP vulnerability, such as the rpcbind vulnerability or cDc's Back Orifice, a UDP scan is performed to find out which UDP ports are listening, that is, which ports are open over UDP. Nmap sends a 0-byte UDP packet to each port. If the host replies with an ICMP port unreachable message, the port is closed. This method is slow, however, because most UNIX hosts rate-limit ICMP error messages. Fortunately, Nmap detects this rate limit and slows itself down, so it does not flood the target.

    # nmap -sU 192.168.7.7
    Warning: -sU is now UDP scan - for TCP FIN scan use -sF
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on saturnlink.nac.net (192.168.7.7):
    Port    State    Protocol    Service
    53      open     udp         domain
    111     open     udp         sunrpc
    123     open     udp         ntp
    137     open     udp         netbios-ns
    138     open     udp         netbios-dgm
    177     open     udp         xdmcp
    1024    open     udp         unknown
    Nmap run completed - 1 IP address (1 host up) scanned in 2 seconds

OS fingerprinting (OS Fingerprinting)

An intruder is often familiar with the vulnerabilities of one particular operating system and can easily break into machines running it. A common option is TCP/IP fingerprinting, selected with "-O", which determines the type of the remote operating system. It can be combined with a port scan, but not with a ping scan. Nmap narrows down the set of possible operating systems by sending the host several different kinds of probe. TCP fingerprinting includes the FIN probe technique, which looks at how the target responds to a FIN; the bogus-flag probe, which reveals how the remote host responds to an undefined flag; TCP initial sequence number (ISN) sampling, which looks at the pattern of ISN values; and other techniques for determining the remote operating system.
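The TCP scan types described above (connect, SYN, FIN, Xmas tree, Null) and the 0-byte UDP probe each leave a distinctive pattern on the wire. As an added example that is not part of the original article, the following Python classifies constructed client-side packet records by those patterns and flags a source that touches many ports, or that sends probes which never begin with a SYN, as a scanner; the records, the port threshold and the flag letters (S, A, R, F, U, P) are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample of packets as a sensor might log them, client side only:
# (source, destination, protocol, destination port, TCP flags sent by the source).
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.168.7.7", "tcp", 21, "S"),
    ("10.0.0.5", "192.168.7.7", "tcp", 21, "R"),    # RST after SYN|ACK: half-open SYN scan
    ("10.0.0.5", "192.168.7.7", "tcp", 80, "S"),
    ("10.0.0.5", "192.168.7.7", "tcp", 80, "A"),    # ACK completes the handshake: connect()
    ("10.0.0.5", "192.168.7.7", "tcp", 110, "FUP"), # FIN|URG|PSH: Xmas tree
    ("10.0.0.5", "192.168.7.7", "tcp", 111, ""),    # no flags at all: Null
    ("10.0.0.5", "192.168.7.7", "tcp", 143, "F"),   # FIN only
    ("10.0.0.5", "192.168.7.7", "udp", 53, ""),     # 0-byte UDP probe
    ("10.0.0.9", "192.168.7.7", "tcp", 80, "S"),
    ("10.0.0.9", "192.168.7.7", "tcp", 80, "A"),    # an ordinary client connection
]

def classify_flow(proto, flag_seq):
    """Name the probe from the client's packets for one (source, target, port)."""
    if proto == "udp":
        return "udp"
    first = set(flag_seq[0])
    if not first:
        return "null"
    if first == {"F"}:
        return "fin"
    if first == {"F", "U", "P"}:
        return "xmas"
    if first == {"S"}:
        # Both scans start with SYN; only a completed handshake (ACK) is a connect().
        return "connect" if any("A" in f for f in flag_seq[1:]) else "syn"
    return "other"

def summarize(packets, port_threshold=3):
    """Per source: distinct ports touched, probe types seen, and a scan verdict."""
    flows = defaultdict(list)
    for src, dst, proto, dport, flags in packets:
        flows[(src, dst, proto, dport)].append(flags)
    report = {}
    for (src, _dst, proto, dport), seq in flows.items():
        entry = report.setdefault(src, {"ports": set(), "types": {}})
        entry["ports"].add((proto, dport))
        kind = classify_flow(proto, seq)
        entry["types"][kind] = entry["types"].get(kind, 0) + 1
    for entry in report.values():
        # Many ports from one source, or any probe that never starts with SYN, is a scan.
        entry["ports"] = len(entry["ports"])
        entry["scan"] = entry["ports"] >= port_threshold or any(k in ("fin", "xmas", "null") for k in entry["types"])
    return report
```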

Fyodor, the author of Nmap, has written an authoritative article on fingerprinting; see http://www.insecure.org/nmap/nmap-fingerprinting-article.html. Nmap's operating system detection is very accurate and very effective. For example, fingerprinting the stack of a Solaris 2.7 system with a SYN scan:

    # nmap -sS -O 192.168.7.12
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on comet (192.168.7.12):
    Port    State    Protocol    Service
    7       open     tcp         echo
    9       open     tcp         discard
    13      open     tcp         daytime
    19      open     tcp         chargen
    21      open     tcp         ftp
    ...
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=17818 (Worthy challenge)
    Remote operating system guess: Solaris 2.6 - 2.7
    Nmap run completed - 1 IP address (1 host up) scanned in 5 seconds

Ident scanning (Ident Scanning)

An attacker often looks for a computer on which some process runs under a vulnerable identity, for example a web server running as root. If the target runs identd, an attacker can use Nmap's "-I" option with a TCP connect scan to find out which user owns the HTTP daemon. As an example, we scan a Linux web server:

    # nmap -sT -p 80 -I -O www.yourserver.com
    Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on www.yourserver.com (xxx.xxx.xxx.xxx):
    Port    State    Protocol    Service    Owner
    80      open     tcp         http       root
    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=1140492 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.0-pre1 - 2.2.2
    Nmap run completed - 1 IP address (1 host up) scanned in 1 second

If your web server is misconfigured and runs as root, as in the example above, you are in serious trouble. Running Apache as root is an unsafe practice. You can block ident requests by commenting out the ident entry in /etc/inetd.conf and restarting the service.
You can also use ipchains, or whichever firewall you normally use, to add a rule at the network boundary that drops ident requests, which stops strangers from probing which users your processes run as.

Options (Options)

In addition to these scans, Nmap offers numerous other options. One is "-PT", already introduced above, which performs a TCP "ping" scan of the target machine or network. Another option is "-P0".

Please cite the original address when reposting: https://www.9cbs.com/read-97495.html
