nmap.1
These states are not intrinsic properties of the port itself, but describe how Nmap sees them. For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a scan at the same time with the same options from across the Internet might show that port as filtered.

The six port states recognized by Nmap

open
    An application is actively accepting TCP connections or UDP packets on this port. Finding these is often the primary goal of port scanning. Security-minded people know that each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed
    A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. Closed ports can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered
    Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered
    The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan may help resolve whether the port is open.

open|filtered
    Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, null, and Xmas scans classify ports this way.

closed|filtered
    This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

PORT SCANNING TECHNIQUES

As a novice performing automotive repair, I can struggle for hours trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to the task at hand. When I fail miserably and tow my jalopy to a real mechanic, he invariably fishes around in a huge tool chest until pulling out the perfect gizmo which makes the job seem effortless. The art of port scanning is similar. Experts understand the dozens of scan techniques and choose the appropriate one (or combination) for a given task. Inexperienced users and script kiddies, on the other hand, try to solve every problem with the default SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut spring compressor, then you still have to pay thousands of dollars for it.

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, null, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.

This section documents the dozen or so port scan techniques supported by Nmap. Only one method may be used at a time, except that UDP scan (-sU) may be combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -sC, where C is a prominent character in the scan name, usually the first. The one exception to this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on Unix) or if IPv6 targets were specified. Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans.

-sS (TCP SYN scan)
    SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's FIN/null/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

    This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

-sT (TCP connect scan)
    TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect() system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

    When SYN scan is available, it is usually a better choice. Nmap has less control over the high-level connect() call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.

-sU (UDP scans)
    While most popular services on the Internet run over the TCP protocol, UDP[3] services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

    UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

    UDP scan works by sending an empty (no data) UDP header to every targeted port. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version scan (-sV) can be used to help differentiate the truly open ports from the filtered ones.

    A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in net/ipv4/icmp.c).

    Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using --host-timeout to skip slow hosts.

-sN; -sF; -sX (TCP Null, FIN, and Xmas scans)
    These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC[4] to differentiate between open and closed ports. Page 65 says that "if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response." Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: "you are unlikely to get here, but if you do, drop the segment, and return."

    When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:

    Null scan (-sN)
        Does not set any bits (TCP flag header is 0).

    FIN scan (-sF)
        Sets just the TCP FIN bit.

    Xmas scan (-sX)
        Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

    These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

    The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though: most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered.

-sA (TCP ACK scan)
    This scan is different from the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

    The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled filtered.

-sW (TCP Window scan)
    Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as unfiltered
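The scan type entries above each spell out how a reply (SYN/ACK, RST, a UDP datagram, an ICMP unreachable, or silence) maps to a port state, and the mapping differs per scan. The following is an added example, not Nmap's own code, collecting those rules for the SYN, UDP, Null/FIN/Xmas, ACK and Window scans into one decision function. The `Reply` record, `classify()` and `PROBE_FLAGS` are names invented here; the reply values are constructed stand-ins for what Nmap would parse off the wire.

```python
# Added example (not Nmap's code): the reply-to-state rules the man page gives
# for SYN, UDP, Null/FIN/Xmas, ACK and Window scans, as one decision function.
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each probe carries. Null is all-zero; Xmas lights FIN, PSH and URG.
PROBE_FLAGS = {
    "syn": TCP_SYN,
    "null": 0,
    "fin": TCP_FIN,
    "xmas": TCP_FIN | TCP_PSH | TCP_URG,
    "ack": TCP_ACK,
    "window": TCP_ACK,   # same probe as ACK scan; only the RST interpretation differs
}

# ICMP type 3 codes the man page lists as evidence of a packet filter.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass
class Reply:
    """Constructed stand-in for a reply packet. proto is 'tcp', 'udp' or 'icmp'."""
    proto: str
    flags: int = 0        # TCP flags of the reply
    window: int = 0       # TCP window field of the reply
    icmp_type: int = 0
    icmp_code: int = 0


def classify(scan: str, reply: Optional[Reply]) -> str:
    """Return the Nmap port state for one probe of type `scan`.

    `reply` is None when nothing came back even after retransmissions.
    """
    if scan != "udp" and scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")

    if reply is None:
        # Scans whose open ports stay silent cannot tell "open" from "dropped".
        if scan in ("udp", "null", "fin", "xmas"):
            return "open|filtered"
        return "filtered"   # SYN, ACK, Window: silence means a filter ate the probe

    if reply.proto == "icmp":
        if reply.icmp_type != 3:
            raise ValueError("only ICMP destination-unreachable errors affect port state")
        if scan == "udp" and reply.icmp_code == 3:
            return "closed"   # port unreachable: the host answered, nothing listens
        if reply.icmp_code in FILTERED_ICMP_CODES:
            return "filtered"
        raise ValueError(f"unexpected ICMP code {reply.icmp_code}")

    if scan == "udp":
        if reply.proto == "udp":
            return "open"     # a service answered the empty datagram
    elif reply.proto == "tcp":
        rst = bool(reply.flags & TCP_RST)
        if scan == "syn":
            if reply.flags & TCP_SYN and reply.flags & TCP_ACK:
                return "open"
            if rst:
                return "closed"
        elif scan in ("null", "fin", "xmas"):
            # Caveat from the text: Windows, many Cisco devices, BSDI and OS/400
            # send RST for every port, so these scans report everything closed there.
            if rst:
                return "closed"
        elif scan == "ack":
            if rst:
                return "unfiltered"   # reachable, but open vs closed is unknown
        elif scan == "window":
            if rst:
                return "open" if reply.window > 0 else "closed"

    raise ValueError(f"unexpected {reply.proto} reply to {scan} scan")
```

The function deliberately refuses replies the text never describes (an ICMP echo, a TCP reply to a UDP probe) rather than guessing, which is the behaviour you want from anything that feeds a report.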
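The -sT entry above explains that a connect scan hands the work to the operating system's connect() call and reads the port state from what the Berkeley Sockets API reports, completing the full handshake on open ports. As an added example that is not Nmap's code, here is a minimal connect scanner that runs without raw-socket privilege; `connect_scan()` and `demo_local()` are names invented here, and the loopback listener the demo opens is a constructed target.

```python
# Added example (not Nmap's code): the -sT technique with plain sockets.
import socket


def connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # three-way handshake completes here
        except ConnectionRefusedError:
            return "closed"              # the host answered with a RST
        except OSError:
            return "filtered"            # timed out, or ICMP/route error: no usable answer
    # Connection made and then closed with no data sent, which is exactly what
    # the text says services tend to log (or, if badly written, crash on).
    return "open"


def demo_local() -> dict:
    """Scan loopback: one listening port and one port just released (constructed targets)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bind and release a second port so nothing is listening on it.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    try:
        return {
            open_port: connect_scan("127.0.0.1", open_port),
            closed_port: connect_scan("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for port, state in demo_local().items():
        print(f"{port}/tcp {state}")
```

Because the OS really completes the handshake, a listener with a backlog will see an accepted-then-closed connection for every open port scanned; that is the noise the text contrasts with SYN scan's half-open reset.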