📄 nmap.1
when it receives a RST back, Window scan lists the port as \fBopen\fR or \fBclosed\fR if the TCP Window value in that reset is positive or zero, respectively\.
.sp
This scan relies on an implementation detail of a minority of systems out on the Internet, so you can\'t always trust it\. Systems that don\'t support it will usually return all ports \fBclosed\fR\. Of course, it is possible that the machine really has no open ports\. If most scanned ports are \fBclosed\fR but a few common port numbers (such as 22, 25, 53) are \fBfiltered\fR, the system is most likely susceptible\. Occasionally, systems will even show the exact opposite behavior\. If your scan shows 1000 open ports and 3 closed or filtered ports, then those three may very well be the truly open ones\.
.RE
.PP
\fB\-sM\fR (TCP Maimon scan)
.RS 4
The Maimon scan is named after its discoverer, Uriel Maimon\. He described the technique in Phrack Magazine issue #49 (November 1996)\. Nmap, which included this technique, was released two issues later\. This technique is exactly the same as null, FIN, and Xmas scans, except that the probe is FIN/ACK\. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed\. However, Uriel noticed that many BSD\-derived systems simply drop the packet if the port is open\.
.RE
.PP
\fB\-\-scanflags\fR (Custom TCP scan)
.RS 4
Truly advanced Nmap users need not limit themselves to the canned scan types offered\. The \fB\-\-scanflags\fR option allows you to design your own scan by specifying arbitrary TCP flags\. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!
.sp
The \fB\-\-scanflags\fR argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier\. Just mash together any combination of \fBURG\fR, \fBACK\fR, \fBPSH\fR, \fBRST\fR, \fBSYN\fR, and \fBFIN\fR\. For example, \fB\-\-scanflags URGACKPSHRSTSYNFIN\fR sets everything, though it\'s not very useful for scanning\. The order these are specified in is irrelevant\.
.sp
In addition to specifying the desired flags, you can specify a TCP scan type (such as \fB\-sA\fR or \fB\-sF\fR)\. That base type tells Nmap how to interpret responses\. For example, a SYN scan considers no\-response to indicate a \fBfiltered\fR port, while a FIN scan treats the same as \fBopen|filtered\fR\. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead\. If you don\'t specify a base type, SYN scan is used\.
.RE
.PP
\fB\-sI <zombie host[:probeport]>\fR (idle scan)
.RS 4
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address)\. Instead, a unique side\-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target\. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria)\. This fascinating scan type is too complex to fully describe in this reference guide, so I wrote and posted an informal paper with full details at \fI\%http://insecure.org/nmap/idlescan.html\fR\.
.sp
Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP\-based trust relationships between machines\. The port listing shows open ports \fIfrom the perspective of the zombie host\.\fR So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules)\.
.sp
You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IP ID changes\. Otherwise Nmap will use the port it uses by default for TCP pings (80)\.
.RE
.PP
\fB\-sO\fR (IP protocol scan)
.RS 4
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc\.) are supported by target machines\. This isn\'t technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers\. Yet it still uses the \fB\-p\fR option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods\. So it is close enough to a port scan that it belongs here\.
.sp
Besides being useful in its own right, protocol scan demonstrates the power of open source software\. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality\. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an excellent patch implementing it, and sent it to the nmap\-hackers mailing list\. I incorporated that patch into the Nmap tree and released a new version the next day\. Few pieces of commercial software have users enthusiastic enough to design and contribute their own improvements!
.sp
Protocol scan works in a similar fashion to UDP scan\. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the 8\-bit IP protocol field\. The headers are usually empty, containing no data and not even the proper header for the claimed protocol\. The three exceptions are TCP, UDP, and ICMP\. A proper protocol header for those is included since some systems won\'t send them otherwise and because Nmap already has functions to create them\. Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP \fIprotocol\fR unreachable messages\. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as \fBopen\fR\. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as \fBclosed\fR\. Other ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the protocol to be marked \fBfiltered\fR (though they prove that ICMP is \fBopen\fR at the same time)\.
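The response-interpretation rules described for these scan types (Window scan reading the RST's window field, the shared FIN/NULL/Xmas/Maimon rule that silence is open|filtered, --scanflags borrowing its interpretation from a base type, and protocol scan's handling of ICMP unreachable codes including the no-response case) as an added Python model. This is example code, not Nmap's scan engine: the Response class, the function names and the packets used in the tests are constructed for illustration, and the -sA verdicts (unfiltered/filtered) and the ICMP-unreachable-means-filtered rule for TCP probes are standard Nmap behavior assumed here rather than stated in this part of the page.

```python
"""Added example (not Nmap's code): how the scan types above turn a reply, or
silence, into a port or protocol state. Response and the packets built in the
tests are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}   # type 3 codes read as "filtered" for a port probe
ICMP_PROTO_UNREACHABLE = 2                   # type 3, code 2: "closed" for -sO
ICMP_PROTOCOL = 1                            # IP protocol number of ICMP


@dataclass
class Response:
    """A reply to one probe; a dropped probe is represented by None."""
    kind: str                # "tcp" or "icmp"
    tcp_flags: int = 0
    window: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def parse_scanflags(spec: str) -> int:
    """--scanflags value: a number such as 9 (PSH and FIN) or the six flag
    names mashed together in any order, e.g. URGACKPSHRSTSYNFIN -> 63."""
    if spec.isdigit():
        if int(spec) > 0xFF:
            raise ValueError("TCP flags must fit in 8 bits")
        return int(spec)
    rest, mask = spec.upper(), 0
    while rest:
        name = next((n for n in TCP_FLAGS if rest.startswith(n)), None)
        if name is None:
            raise ValueError(f"unknown TCP flag at {rest!r}")
        mask, rest = mask | TCP_FLAGS[name], rest[len(name):]
    return mask


def _has(r: Optional[Response], *names: str) -> bool:
    return r is not None and r.kind == "tcp" and all(r.tcp_flags & TCP_FLAGS[n] for n in names)


def _unreachable(r: Optional[Response]) -> bool:
    return r is not None and r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in ICMP_FILTERED_CODES


def classify_syn(r: Optional[Response]) -> str:
    """-sS, the default base type for --scanflags: silence (or an ICMP error) is filtered."""
    if _has(r, "SYN", "ACK"):
        return "open"
    return "closed" if _has(r, "RST") else "filtered"


def classify_ack(r: Optional[Response]) -> str:
    """-sA: a RST only proves the port is reachable (unfiltered)."""
    return "unfiltered" if _has(r, "RST") else "filtered"


def classify_window(r: Optional[Response]) -> str:
    """-sW: same probe as -sA, but the RST's window field splits open from closed."""
    if _has(r, "RST"):
        return "open" if r.window > 0 else "closed"
    return "filtered"


def classify_fin_family(r: Optional[Response]) -> str:
    """-sN/-sF/-sX/-sM: RST means closed; a dropped probe is open|filtered."""
    if _has(r, "RST"):
        return "closed"
    return "filtered" if _unreachable(r) else "open|filtered"


BASE_TYPES = {"-sS": classify_syn, "-sA": classify_ack, "-sW": classify_window,
              "-sN": classify_fin_family, "-sF": classify_fin_family,
              "-sX": classify_fin_family, "-sM": classify_fin_family}


def custom_scan(flags: str, r: Optional[Response], base: str = "-sS"):
    """--scanflags: the probe carries the requested flags; the base type
    (SYN scan when none is given) decides how the reply is read."""
    return parse_scanflags(flags), BASE_TYPES[base](r)


def protocol_scan_table(replies: Dict[int, Optional[Response]]) -> Dict[int, str]:
    """-sO: any reply is open, protocol-unreachable is closed, other
    unreachables are filtered, silence after retransmission is open|filtered.
    Every ICMP error received also proves ICMP itself (protocol 1) is open."""
    table, icmp_seen = {}, False
    for proto, r in replies.items():
        if r is None:
            table[proto] = "open|filtered"
        elif r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code == ICMP_PROTO_UNREACHABLE:
            table[proto] = "closed"
        elif _unreachable(r):
            table[proto] = "filtered"
        else:
            table[proto] = "open"
        icmp_seen = icmp_seen or (r is not None and r.kind == "icmp")
    if icmp_seen and ICMP_PROTOCOL in table:
        table[ICMP_PROTOCOL] = "open"
    return table
```

The point worth noticing in protocol_scan_table is the last step: a protocol-scan probe for ICMP that gets no echo back would be reported open|filtered on its own, but the ICMP errors provoked by the other probes settle the question, which is exactly the side effect the text mentions in parentheses.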
If no response is received after retransmissions, the protocol is marked \fBopen|filtered\fR\.
.RE
.PP
\fB\-b <FTP relay host>\fR (FTP bounce scan)
.RS 4
An interesting feature of the FTP protocol (\fIRFC 959\fR\&[5]) is support for so\-called proxy FTP connections\. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server\. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it\. One of the abuses this feature allows is causing the FTP server to port scan other hosts\. Simply ask the FTP server to send a file to each interesting port of a target host in turn\. The error message will describe whether the port is open or not\. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would\. Nmap supports FTP bounce scan with the \fB\-b\fR option\. It takes an argument of the form \fIusername\fR:\fIpassword\fR@\fIserver\fR:\fIport\fR\. \fIServer\fR is the name or IP address of a vulnerable FTP server\. As with a normal URL, you may omit \fIusername\fR:\fIpassword\fR, in which case anonymous login credentials (user: \fBanonymous\fR, password: \fB\-wwwuser@\fR) are used\. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on \fIserver\fR is used\.
.sp
This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed\. Vulnerable servers are still around, so it is worth trying when all else fails\. If bypassing a firewall is your goal, scan the target network for open port 21 (or even for any FTP services if you scan all ports with version detection), then try a bounce scan using each\. Nmap will tell you whether the host is vulnerable or not\. If you are just trying to cover your tracks, you don\'t need to (and, in fact, shouldn\'t) limit yourself to hosts on the target network\.
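The proxy-FTP abuse described above, as an added end-to-end example in Python (not Nmap's implementation): a deliberately vulnerable FTP server that honours third-party PORT commands runs on loopback, and a client drives it through the sequence a bounce scan needs (log in with the anonymous credentials the page gives, PORT to each target port, then ask for a transfer) and reads the reply code. The server's reply texts, the mapping of 425 to closed and 150/125 to open, and all function names are this example's assumptions modelled on common FTP daemons; the target, closed port and server are all constructed on 127.0.0.1.

```python
"""Added example (not Nmap's code): FTP bounce scan end-to-end on loopback.
A deliberately vulnerable FTP server that honours third-party PORT commands,
and a client that abuses it to learn which ports on a target are open."""
import socket
import threading


def port_arg(ip: str, port: int) -> str:
    """Encode an address the way the PORT command wants it: h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def bounce_ftp_server(listener: socket.socket) -> None:
    """One control session. PORT is accepted for any address (the flaw); the
    data connection to it is only attempted when LIST asks for a transfer,
    which is when the client learns whether the target port answered."""
    conn, _ = listener.accept()
    f = conn.makefile("rw", newline="")
    target = None

    def reply(text: str) -> None:
        f.write(text + "\r\n")
        f.flush()

    reply("220 bounce-ftp ready")
    for raw in f:
        cmd, _, arg = raw.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            reply("331 Password required")
        elif cmd == "PASS":
            reply("230 Logged in")
        elif cmd == "PORT":
            h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
            target = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            reply("200 PORT command successful")
        elif cmd == "LIST":
            try:
                with socket.create_connection(target, timeout=2) as data:
                    reply("150 Opening ASCII mode data connection for file list")
                    data.sendall(b"total 0\r\n")
                reply("226 Transfer complete")
            except OSError:
                reply("425 Can't build data connection: Connection refused")
        elif cmd == "QUIT":
            reply("221 Goodbye")
            break
        else:
            reply("500 Unknown command")
    conn.close()


def bounce_scan(ftp_addr, target_ip, ports, user="anonymous", password="-wwwuser@"):
    """Drive the server through the bounce sequence for each port and map the
    reply to the transfer attempt to a state: 425 (data connection could not
    be built) means closed, 150/125 means the third-party connect succeeded,
    so the port is open. A server that refuses PORT is not vulnerable."""
    results = {}
    with socket.create_connection(ftp_addr, timeout=5) as ctl:
        f = ctl.makefile("rw", newline="")

        def command(line: str) -> str:
            f.write(line + "\r\n")
            f.flush()
            return f.readline()[:3]

        f.readline()                                   # 220 banner
        command(f"USER {user}")                        # 331
        if command(f"PASS {password}") != "230":
            raise RuntimeError("FTP login failed")
        for port in ports:
            if command(f"PORT {port_arg(target_ip, port)}") != "200":
                results[port] = "server-refused-PORT"  # not vulnerable to bounce
                continue
            code = command("LIST")
            if code == "425":
                results[port] = "closed"
            elif code in ("150", "125"):
                f.readline()                           # 226 completion line
                results[port] = "open"
            else:
                results[port] = f"unknown-reply-{code}"
        command("QUIT")
    return results


def run_demo():
    """Constructed setup: a listening 'target' port, a port nothing listens on,
    and the vulnerable server, all on 127.0.0.1. Returns the scan verdicts."""
    target = socket.socket()
    target.bind(("127.0.0.1", 0)); target.listen(5)
    open_port = target.getsockname()[1]
    ftp = socket.socket()
    ftp.bind(("127.0.0.1", 0)); ftp.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                      # now nothing listens here
    threading.Thread(target=bounce_ftp_server, args=(ftp,), daemon=True).start()
    try:
        verdicts = bounce_scan(ftp.getsockname(), "127.0.0.1", [open_port, closed_port])
    finally:
        target.close(); ftp.close()
    return open_port, closed_port, verdicts


if __name__ == "__main__":
    print(run_demo())
```

Two things the exchange makes visible that the prose only implies: the verdict comes from the FTP server's own reply to the transfer command, not from PORT (a server can accept PORT and still fail at LIST), and the scanning host never sends a packet to the target, which is why organizational FTP servers with internal reach are the interesting relays.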
Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way\.
.RE
.SH "PORT SPECIFICATION AND SCAN ORDER"
.PP
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential\. By default, Nmap scans all ports up to and including 1024 as well as higher numbered ports listed in the \fInmap\-services\fR file for the protocol(s) being scanned\.
.PP
\fB\-p <port ranges>\fR (Only scan specified ports)
.RS 4
This option specifies which ports you want to scan and overrides the default\. Individual port numbers are OK, as are ranges separated by a hyphen (e\.g\. 1\-1023)\. The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively\. So you can specify \fB\-p\-\fR to scan ports from 1 through 65535\. Scanning port zero is allowed if you specify it explicitly\. For IP protocol scanning (\fB\-sO\fR), this option specifies the protocol numbers you wish to scan for (0\-255)\.
.sp
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port numbers by \fBT:\fR or \fBU:\fR\. The qualifier lasts until you specify another qualifier\. For example, the argument \fB\-p U:53,111,137,T:21\-25,80,139,8080\fR would scan UDP ports 53, 111, and 137, as well as the listed TCP ports\. Note that to scan both UDP & TCP, you have to specify \fB\-sU\fR and at least one TCP scan type (such as \fB\-sS\fR, \fB\-sF\fR, or \fB\-sT\fR)\. If no protocol qualifier is given, the port numbers are added to all protocol lists\.
.sp
Ports can also be specified by name according to what the port is referred to in \fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan FTP and all ports whose names begin with http, use \fB\-p ftp,http*\fR\.
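The \fB\-p\fR grammar this section describes (single ports, hyphen ranges with either end omitted, explicit port zero, the T:/U: qualifiers that persist until the next qualifier, service names with * and ? wildcards, and the bracketed form that keeps only nmap\-services entries inside a range) as an added Python parser. It is example code, not Nmap's own port parser; SAMPLE_NMAP_SERVICES is a constructed stand-in for a few lines of the real file, and the function names are this example's.

```python
"""Added example (not Nmap's code): a parser for the -p port specification.
SAMPLE_NMAP_SERVICES is a constructed excerpt, not the real nmap-services file."""
import fnmatch
import re

SAMPLE_NMAP_SERVICES = """\
# name  port/proto  open-frequency   (constructed excerpt)
ftp\t21/tcp\t0.197
ssh\t22/tcp\t0.182
domain\t53/tcp\t0.048
domain\t53/udp\t0.213
http\t80/tcp\t0.484
ntp\t123/udp\t0.330
snmp\t161/udp\t0.433
https\t443/tcp\t0.208
ms-sql-s\t1433/tcp\t0.007
http-alt\t8080/tcp\t0.042
"""

_RANGE = re.compile(r"^(\d*)-(\d*)$")


def load_services(text):
    """-> {"tcp": {port: name}, "udp": {port: name}} from nmap-services text."""
    table = {"tcp": {}, "udp": {}}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        if proto in table:
            table[proto][int(port)] = fields[0]
    return table


def _numeric(item):
    """'22' -> range(22, 23); '1-1023', '-1023', '1-' and '-' are ranges with
    1 and 65535 filling the omitted ends; port 0 only when written explicitly.
    Returns None if the item is not numeric (so it must be a service name)."""
    m = _RANGE.match(item)
    if m:
        lo = int(m.group(1)) if m.group(1) else 1
        hi = int(m.group(2)) if m.group(2) else 65535
    elif item.isdigit():
        lo = hi = int(item)
    else:
        return None
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {item!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec, services, scan_tcp=True, scan_udp=True):
    """Expand a -p argument into sorted TCP and UDP port lists.
    scan_tcp/scan_udp say which protocols the scan covers (a TCP scan type /
    -sU): unqualified items go to every protocol being scanned, while T: and
    U: pin the protocol until the next qualifier."""
    default = [p for p, on in (("tcp", scan_tcp), ("udp", scan_udp)) if on]
    chosen = {"tcp": set(), "udp": set()}
    current = default
    for item in spec.split(","):
        item = item.strip()
        if item[:2].upper() in ("T:", "U:"):
            current = ["tcp"] if item[0].upper() == "T" else ["udp"]
            item = item[2:]
        if not item:
            raise ValueError("empty port specification item")
        if item.startswith("[") and item.endswith("]"):
            rng = _numeric(item[1:-1])        # only nmap-services ports in range
            if rng is None:
                raise ValueError(f"bad bracketed range {item!r}")
            for proto in current:
                chosen[proto].update(p for p in services[proto] if p in rng)
            continue
        rng = _numeric(item)
        if rng is not None:
            for proto in current:
                chosen[proto].update(rng)
            continue
        hits = [(proto, port) for proto in current        # service name, with wildcards
                for port, name in services[proto].items()
                if fnmatch.fnmatchcase(name, item)]
        if not hits:
            raise ValueError(f"no service matches {item!r}")
        for proto, port in hits:
            chosen[proto].add(port)
    return {proto: sorted(ports) for proto, ports in chosen.items()}
```

Note that a wildcard such as http* also matches https and http-alt, so a name pattern can pull in more than the ports you had in mind; printing the expansion before a large scan is cheap insurance, and so is quoting the argument, since the same * and [ ] characters are shell globs.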
Be careful about shell expansions and quote the argument to \fB\-p\fR if unsure\.
.sp
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in \fInmap\-services\fR\. For example, the following will scan all ports in \fInmap\-services\fR equal to or below 1024: \fB\-p [\-1024]\fR\. Be careful with shell expansions and quote the argument to \fB\-p\fR if unsure\.
.RE
.PP
\fB\-F\fR (Fast (limited port) scan)
.RS 4
Specifies that you only wish to scan for ports listed in the \fInmap\-services\fR file which comes with Nmap (or the protocols file for \fB\-sO\fR)\. This is much faster than scanning all 65535 ports on a host\. Because this list contains so many TCP ports (more than 1200), the speed difference from a default TCP scan (about 1650 ports) isn\'t dramatic\. The difference can be enormous if you specify your own tiny \fInmap\-services\fR file using the \fB\-\-servicedb\fR or \fB\-\-datadir\fR options\.
.RE
.PP
\fB\-r\fR (Don\'t randomize ports)
.RS 4
By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons)\. This randomization is normally desirable, but you can specify \fB\-r\fR for sequential port scanning instead\.
.RE
.SH "SERVICE AND VERSION DETECTION"
.PP
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open\. Using its \fInmap\-services\fR database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively\. This lookup is usually accurate\(emthe vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\.
.PP
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information\. When doing vulnerability assessments (or even simple network inventories) of your company or clients, you really want to know which mail and DNS servers and versions are running\. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to\. Version detection helps you obtain this information\.
.PP
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running\. The \fInmap\-service\-probes\fR database contains probes for querying various services and match expressions to recognize and parse responses\. Nmap tries to determine the service protocol (e\.g\. FTP, SSH, telnet, http), the application name (e\.g\. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e\.g\. printer, router), the OS family (e\.g\. Windows, Linux) and sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name\. Of course, most services don\'t provide all of this information\. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer\. When RPC ser