nmap.1

closed, and
filtered
states.
.sp
This technique is often referred to as half\-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non\-listener. If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
.TP
\fB\-sT\fR (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the
connect()
system call. This is the same high\-level system call that web browsers, P2P clients, and most other network\-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
.sp
When SYN scan is available, it is usually a better choice. Nmap has less control over the high level
connect()
call than with raw packets, making it less efficient. The system call completes connections to open target ports rather than performing the half\-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average UNIX system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.
.TP
\fB\-sU\fR (UDP scans)
While most popular services on the Internet run over the TCP protocol,
\fIUDP\fR[3]
services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.
.sp
UDP scan is activated with the
\fB\-sU\fR
option. It can be combined with a TCP scan type such as SYN scan (\fB\-sS\fR) to check both protocols during the same run.
.sp
UDP scan works by sending an empty (no data) UDP header to every targeted port. If an ICMP port unreachable error (type 3, code 3) is returned, the port is
closed. Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as
filtered. Occasionally, a service will respond with a UDP packet, proving that it is
open. If no response is received after retransmissions, the port is classified as
open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (\fB\-sV\fR) can be used to help differentiate the truly open ports from the filtered ones.
.sp
A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination unreachable messages to one per second (in
\fInet/ipv4/icmp.c\fR).
.sp
Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux\-style limit of one packet per second makes a 65,536\-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using
\fB\-\-host\-timeout\fR
to skip slow hosts.
.TP
\fB\-sN\fR; \fB\-sF\fR; \fB\-sX\fR (TCP Null, FIN, and Xmas scans)
These three scan types (even more are possible with the
\fB\-\-scanflags\fR
option described in the next section) exploit a subtle loophole in the
\fITCP RFC\fR[4]
to differentiate between
open
and
closed
ports. Page 65 says that
\(lqif the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.\(rq
Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that:
\(lqyou are unlikely to get here, but if you do, drop the segment, and return.\(rq
.sp
When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types:
.RS
.TP
Null scan (\fB\-sN\fR)
Does not set any bits (TCP flag header is 0).
.TP
FIN scan (\fB\-sF\fR)
Sets just the TCP FIN bit.
.TP
Xmas scan (\fB\-sX\fR)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
.RE
.IP
These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered
closed, while no response means it is
open|filtered. The port is marked
filtered
if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
.sp
The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more stealthy than even a SYN scan. Don't count on this though \-\- most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled
closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most UNIX\-based systems though. Another downside of these scans is that they can't distinguish
open
ports from certain
filtered
ones, leaving you with the response
open|filtered.
.TP
\fB\-sA\fR (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines
open
(or even
open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
.sp
The ACK scan probe packet has only the ACK flag set (unless you use
\fB\-\-scanflags\fR). When scanning unfiltered systems,
open
and
closed
ports will both return a RST packet. Nmap then labels them as
unfiltered, meaning that they are reachable by the ACK packet, but whether they are
open
or
closed
is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 1, 2, 3, 9, 10, or 13), are labeled
filtered.
.TP
\fB\-sW\fR (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing
unfiltered
when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while closed ones have a zero window. So instead of always listing a port as
unfiltered
when it receives a RST back, Window scan lists the port as
open
or
closed
if the TCP Window value in that reset is positive or zero, respectively.
.sp
This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Systems that don't support it will usually return all ports
closed. Of course, it is possible that the machine really has no open ports. If most scanned ports are
closed
but a few common port numbers (such as 22, 25, 53) are
filtered, the system is most likely susceptible. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1000 open ports and 3 closed or filtered ports, then those three may very well be the truly open ones.
.TP
\fB\-sM\fR (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as Null, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD\-derived systems simply drop the packet if the port is open.
.TP
\fB\-\-scanflags\fR (Custom TCP scan)
Truly advanced Nmap users need not limit themselves to the canned scan types offered. The
\fB\-\-scanflags\fR
option allows you to design your own scan by specifying arbitrary TCP flags. Let your creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!
.sp
The
\fB\-\-scanflags\fR
argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of
URG,
ACK,
PSH,
RST,
SYN, and
FIN. For example,
\fB\-\-scanflags URGACKPSHRSTSYNFIN\fR
sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant.
.sp
In addition to specifying the desired flags, you can specify a TCP scan type (such as
\fB\-sA\fR
or
\fB\-sF\fR). That base type tells Nmap how to interpret responses. For example, a SYN scan considers no\-response to indicate a
filtered
port, while a FIN scan treats the same as
open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags you specify instead. If you don't specify a base type, SYN scan is used.
.TP
\fB\-sI <zombie host[:probeport]>\fR (Idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side\-channel attack exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the zombie machine you specify (which must be up and meet certain criteria). This fascinating scan type is too complex to fully describe in this reference guide, so I wrote and posted an informal paper with full details at
\fI\%http://insecure.org/nmap/idlescan.html\fR.
.sp
Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP\-based trust relationships between machines. The port listing shows open ports
\fIfrom the perspective of the zombie host.\fR
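The SYN, connect, UDP, Null/FIN/Xmas, Maimon, ACK and Window descriptions above each map a response (or its absence) to one of Nmap's port states. The following Python is an added worked example, not code from the Nmap project: it encodes those response-to-state rules as a pure function over constructed response summaries, so the decision table can be exercised offline without sending a single packet. The Response dataclass, the scan-type names passed as strings, the treatment of connect() scan as reaching the same verdicts as SYN scan (Nmap actually derives them from the socket error rather than a captured segment), and the 0.9 threshold in the Window scan plausibility heuristic are all this example's assumptions.

```python
from dataclasses import dataclass

# TCP flag bits as they sit in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

# ICMP destination-unreachable (type 3) codes the man page maps to "filtered".
# For the TCP scan types code 3 (port unreachable) is in the set; for UDP scan
# code 3 means "closed" instead, so UDP uses its own set below.
TCP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """Constructed summary of what came back for one probe (nothing is sent here).

    kind is "tcp", "udp", "icmp", or "none" (timed out after retransmissions).
    """
    kind: str
    tcp_flags: int = 0   # flags byte of a returned TCP segment
    tcp_window: int = 0  # window field of a returned RST, used by Window scan
    icmp_type: int = 0
    icmp_code: int = 0


def _tcp_has(r, bits):
    return r.kind == "tcp" and (r.tcp_flags & bits) == bits


def _unreach(r, codes):
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in codes


def port_state(scan, r):
    """Map one response to Nmap's port state for the given scan type.

    scan: "syn", "connect", "null", "fin", "xmas", "maimon", "ack", "window" or "udp".
    Raises ValueError for a response the man page text does not classify.
    """
    if scan in ("syn", "connect"):
        # Assumption: connect() scan reaches the same verdicts; the OS just
        # completes the handshake instead of Nmap reading the SYN/ACK itself.
        if _tcp_has(r, SYN | ACK):
            return "open"
        if _tcp_has(r, RST):
            return "closed"
        if r.kind == "none" or _unreach(r, TCP_FILTERED_CODES):
            return "filtered"
    elif scan in ("null", "fin", "xmas", "maimon"):
        # RFC 793 loophole: closed ports answer with RST, open ports stay silent.
        if _tcp_has(r, RST):
            return "closed"
        if r.kind == "none":
            return "open|filtered"
        if _unreach(r, TCP_FILTERED_CODES):
            return "filtered"
    elif scan == "ack":
        # ACK scan never says "open": a RST only proves the port is reachable.
        if _tcp_has(r, RST):
            return "unfiltered"
        if r.kind == "none" or _unreach(r, TCP_FILTERED_CODES):
            return "filtered"
    elif scan == "window":
        # Same probe as ACK scan, but the window field of the RST decides.
        if _tcp_has(r, RST):
            return "open" if r.tcp_window > 0 else "closed"
        if r.kind == "none" or _unreach(r, TCP_FILTERED_CODES):
            return "filtered"
    elif scan == "udp":
        if r.kind == "udp":
            return "open"
        if _unreach(r, {3}):
            return "closed"
        if _unreach(r, UDP_FILTERED_CODES):
            return "filtered"
        if r.kind == "none":
            return "open|filtered"
    raise ValueError(f"unclassified response {r} for scan {scan!r}")


def window_scan_looks_inverted(states, majority=0.9):
    """Window scan caveat from the text: when nearly every port comes back
    "open", the few closed/filtered ports are probably the truly open ones.
    The 0.9 majority threshold is this example's assumption, not an Nmap value."""
    if not states:
        return False
    return states.count("open") / len(states) >= majority


if __name__ == "__main__":
    demo = [("syn", Response("tcp", tcp_flags=SYN | ACK)),
            ("fin", Response("none")),
            ("udp", Response("icmp", icmp_type=3, icmp_code=3))]
    for scan, resp in demo:
        print(scan, "->", port_state(scan, resp))
```

The split between TCP_FILTERED_CODES and UDP_FILTERED_CODES is the one place the table is easy to get wrong when reading the text quickly: ICMP type 3 code 3 means "filtered" for every TCP scan type but "closed" for UDP scan.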
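The \-\-scanflags section says the argument is either a number such as 9 (PSH and FIN) or any order of mashed-together flag names, and the Null/FIN/Xmas section notes that IDS products keyed only on the canned probe shapes miss custom flag combinations. This added Python example (not Nmap's own code) implements that flag encoding both ways and then shows the defender-side consequence: a classifier that recognises the canned shapes from this section and, separately, any probe with none of SYN, RST or ACK set, which is the actual RFC 793 condition the Null, FIN and Xmas scans rely on. The bit values follow the TCP header; the function names, the case-insensitive parsing and the label strings are this example's choices.

```python
# TCP flag bits in the order they appear in the header's flags byte (low bit first).
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}
ALL_FLAGS = 63


def parse_scanflags(arg):
    """Turn a --scanflags-style argument into a flags byte.

    Accepts a decimal value ("9") or concatenated names in any order ("PSHFIN",
    "FINPSH"). Case-insensitivity is this example's choice.
    """
    s = arg.strip().upper()
    if s.isdigit():
        value = int(s)
        if value > ALL_FLAGS:
            raise ValueError(f"{value} does not fit in the 6 TCP flag bits")
        return value
    value, rest = 0, s
    while rest:
        for name, bit in TCP_FLAG_BITS.items():
            if rest.startswith(name):
                value |= bit
                rest = rest[len(name):]
                break
        else:
            raise ValueError(f"unknown TCP flag at {rest!r}")
    return value


def flag_names(value):
    """Inverse of parse_scanflags: names of the bits set, low bit first."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


# Probe shapes named in this section, keyed by their flags byte.
KNOWN_PROBES = {
    0: "Null scan (-sN)",
    TCP_FLAG_BITS["FIN"]: "FIN scan (-sF)",
    TCP_FLAG_BITS["FIN"] | TCP_FLAG_BITS["PSH"] | TCP_FLAG_BITS["URG"]: "Xmas scan (-sX)",
    TCP_FLAG_BITS["FIN"] | TCP_FLAG_BITS["ACK"]: "Maimon scan (-sM)",
    TCP_FLAG_BITS["ACK"]: "ACK or Window scan (-sA/-sW)",
    TCP_FLAG_BITS["SYN"]: "SYN scan (-sS) or an ordinary connection attempt",
}
HANDSHAKE_BITS = TCP_FLAG_BITS["SYN"] | TCP_FLAG_BITS["RST"] | TCP_FLAG_BITS["ACK"]


def classify_probe(flags):
    """Defender's view of a bare TCP segment with these flags.

    Matching only KNOWN_PROBES is the "vendor paged through the man page" rule
    set the text mocks; the second branch catches every custom combination that
    exploits the same RFC 793 loophole (no SYN, RST or ACK set).
    """
    if flags & ~ALL_FLAGS:
        raise ValueError(f"{flags} is not a 6-bit TCP flags value")
    if flags in KNOWN_PROBES:
        return KNOWN_PROBES[flags]
    if not flags & HANDSHAKE_BITS:
        return "custom FIN/PSH/URG combination (RFC 793 loophole probe)"
    return "no canned scan type"


if __name__ == "__main__":
    for arg in ("9", "FINPSH", "URGACKPSHRSTSYNFIN"):
        v = parse_scanflags(arg)
        print(f"{arg:>20} -> {v:2d} {flag_names(v)} : {classify_probe(v)}")
```

The point of HANDSHAKE_BITS is that a rule per canned scan type (Null, FIN, Xmas) covers three of the eight FIN/PSH/URG combinations; a rule on the absence of SYN, RST and ACK covers all eight with one check.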
