nmap.1
From "Ubuntu packages of security software. 相" · 1 code file · 736 lines · page 1/5
So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).
.sp
You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IPID changes. Otherwise Nmap will use the port it uses by default for tcp pings (80).
.TP
\fB\-sO\fR (IP protocol scan)
IP Protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the \fB\-p\fR option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.
.sp
Besides being useful in its own right, protocol scan demonstrates the power of open source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any requests for such functionality. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an excellent patch implementing it, and sent it to the nmap\-hackers mailing list. I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute their own improvements!
.sp
Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the 8\-bit IP protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The three exceptions are TCP, UDP, and ICMP. A proper protocol header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them.
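.PP
The state rules that \fB\-sO\fR applies to replies (open on any response, closed on ICMP protocol unreachable, filtered on the other listed unreachable codes, open|filtered on silence) are worked through here as an added example. This code is not part of the man page or of Nmap itself; the capture it classifies is constructed inline, and the way an ICMP error is matched back to its probe (reading the protocol field of the IP header quoted inside the error) is the RFC 792 layout, not a description of Nmap's internals.

```python
import struct

ICMP = 1                             # IP protocol number of ICMP
ICMP_DEST_UNREACH = 3                # ICMP type 3, destination unreachable
CODE_PROTO_UNREACH = 2               # type 3 / code 2 -> protocol marked closed
FILTERED_CODES = {1, 3, 9, 10, 13}   # other unreachable codes the man page lists -> filtered


def icmp_error(code, inner_proto):
    """Constructed ICMP type-3 message quoting a minimal 20-byte IP header whose
    protocol field is inner_proto, the way a host echoes back the offending
    datagram (RFC 792). Checksum is left zero: this is sample data, not a packet to send."""
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    inner_ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, inner_proto]) + bytes(10)
    return header + inner_ip


def quoted_protocol(icmp_msg):
    """Protocol number of the datagram an ICMP error complains about: byte 9 of
    the quoted IP header, which begins after the 8-byte ICMP header."""
    if len(icmp_msg) < 28:
        raise ValueError("truncated ICMP error")
    return icmp_msg[8 + 9]


def classify(reply):
    """State of one probed protocol under the -sO rules. reply is None (nothing
    came back after retransmissions) or a (reply_proto, payload) pair."""
    if reply is None:
        return "open|filtered"
    reply_proto, payload = reply
    if reply_proto == ICMP and len(payload) >= 2 and payload[0] == ICMP_DEST_UNREACH:
        if payload[1] == CODE_PROTO_UNREACH:
            return "closed"
        if payload[1] in FILTERED_CODES:
            return "filtered"
    return "open"          # any other response, in any protocol


def protocol_scan(probed, replies):
    """Map each probed protocol number to a state. replies is the list of
    (reply_proto, payload) pairs captured; an ICMP error is matched to the probe
    through its quoted header, any other reply answers its own protocol."""
    states = {p: "open|filtered" for p in probed}
    saw_icmp_error = False
    for reply_proto, payload in replies:
        if reply_proto == ICMP and payload[:1] == bytes([ICMP_DEST_UNREACH]):
            saw_icmp_error = True
            target = quoted_protocol(payload)
        else:
            target = reply_proto
        if target in states:
            states[target] = classify((reply_proto, payload))
    if saw_icmp_error and ICMP in states:
        states[ICMP] = "open"   # an ICMP unreachable proves the host speaks ICMP
    return states


# Constructed capture: TCP answered with a RST, IGMP drew a protocol unreachable,
# UDP drew a port unreachable, GRE (47) never answered, ICMP got no echo reply.
PROBED = [1, 2, 6, 17, 47]
REPLIES = [
    (6, b"\x00\x50\x04\xd2" + bytes(16)),        # TCP RST segment (contents irrelevant here)
    (ICMP, icmp_error(CODE_PROTO_UNREACH, 2)),   # protocol unreachable quoting IGMP
    (ICMP, icmp_error(3, 17)),                   # port unreachable quoting UDP
]


def sample_scan():
    return protocol_scan(PROBED, REPLIES)


if __name__ == "__main__":
    for proto, state in sorted(sample_scan().items()):
        print(f"{proto:>3}  {state}")
```

The port unreachable for UDP is deliberately in the capture: it lands the UDP protocol in filtered rather than closed, and at the same time it is what marks ICMP itself open even though the ICMP probe drew no direct reply.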
Instead of watching for ICMP port unreachable messages, protocol scan is on the lookout for ICMP \fIprotocol\fR unreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as open. An ICMP protocol unreachable error (type 3, code 2) causes the protocol to be marked as closed. Other ICMP unreachable errors (type 3, code 1, 3, 9, 10, or 13) cause the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no response is received after retransmissions, the protocol is marked open|filtered.
.TP
\fB\-b <ftp relay host>\fR (FTP bounce scan)
An interesting feature of the FTP protocol ([5]\&\fIRFC 959\fR) is support for so\-called proxy ftp connections. This allows a user to connect to one FTP server, then ask that files be sent to a third\-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports ftp bounce scan with the \fB\-b\fR option. It takes an argument of the form \fIusername\fR:\fIpassword\fR@\fIserver\fR:\fIport\fR. \fIServer\fR is the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit \fIusername\fR:\fIpassword\fR, in which case anonymous login credentials (user: anonymous, password: \-wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on \fIserver\fR is used.
.sp
This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed.
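.PP
The "fix" the paragraph above refers to is, on the server side, a check on the address a client names in its PORT command before the data connection is opened. The check below is an added example, not code from the man page or from Nmap or any FTP server: it parses the RFC 959 PORT form (h1,h2,h3,h4,p1,p2) and the RFC 2428 EPRT form (|proto|addr|port|), and applies an assumed policy of refusing any address other than the control-connection peer, which is exactly what makes a bounce impossible, plus refusing privileged ports. The log lines it audits are constructed.

```python
import ipaddress


def parse_data_target(command):
    """Address and port a client asks the server to connect to in a PORT
    (RFC 959, h1,h2,h3,h4,p1,p2) or EPRT (RFC 2428, |proto|addr|port|) command."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb == "PORT":
        fields = arg.split(",")
        if len(fields) != 6:
            raise ValueError("PORT needs six comma-separated numbers")
        nums = [int(f) for f in fields]
        if any(not 0 <= n <= 255 for n in nums):
            raise ValueError("PORT field outside 0-255")
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    if verb == "EPRT":
        delim = arg[:1]                      # first character is the delimiter
        parts = arg.split(delim) if delim else []
        if len(parts) != 5 or parts[0] or parts[4]:
            raise ValueError("EPRT needs |proto|addr|port|")
        return ipaddress.ip_address(parts[2]), int(parts[3])
    raise ValueError("not a PORT or EPRT command")


def check_data_target(client_ip, command):
    """Server-side check before opening an active-mode data connection.
    Assumed policy (not from the man page): the data address must equal the
    control-connection peer, and privileged ports are refused. Returns (accept, reason)."""
    try:
        ip, port = parse_data_target(command)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if not 1 <= port <= 65535:
        return False, f"port {port} out of range"
    if ip != ipaddress.ip_address(client_ip):
        return False, f"data address {ip} is not the control peer {client_ip}"
    if port < 1024:
        return False, f"privileged port {port}"
    return True, "ok"


# Constructed control-channel log, one "<client ip> <command>" per line
SAMPLE_LOG = [
    "203.0.113.7 PORT 203,0,113,7,4,1",       # own address, port 1025: fine
    "203.0.113.7 PORT 10,0,0,5,0,80",         # third-party address: the bounce case
    "203.0.113.7 EPRT |1|203.0.113.7|25|",    # own address but privileged port
    "203.0.113.7 PORT 1,2,3",                 # malformed
]


def audit(lines):
    """Apply the check to each logged command; returns [(command, accept, reason)]."""
    results = []
    for line in lines:
        client, _, command = line.partition(" ")
        accept, reason = check_data_target(client, command)
        results.append((command, accept, reason))
    return results


if __name__ == "__main__":
    for command, accept, reason in audit(SAMPLE_LOG):
        print(f"{'ACCEPT' if accept else 'REJECT':6}  {command:32}  {reason}")
```

Run over a real server's logs, the second verdict ("not the control peer") is the line worth alerting on: it is the only one a bounce scan has to produce.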
Vulnerable servers are still around, so it is worth trying when all else fails. If bypassing a firewall is your goal, scan the target network for open port 21 (or even for any ftp services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target network. Before you go scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way.
.SH "PORT SPECIFICATION AND SCAN ORDER"
.PP
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. By default, Nmap scans all ports up to and including 1024 as well as higher numbered ports listed in the \fInmap\-services\fR file for the protocol(s) being scanned.
.TP
\fB\-p <port ranges>\fR (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1\-1023). The beginning and/or end values of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify \fB\-p\-\fR to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly. For IP protocol scanning (\fB\-sO\fR), this option specifies the protocol numbers you wish to scan for (0\-255).
.sp
When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port numbers by T: or U:. The qualifier lasts until you specify another qualifier. For example, the argument \fB\-p U:53,111,137,T:21\-25,80,139,8080\fR would scan UDP ports 53, 111, and 137, as well as the listed TCP ports.
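.PP
The \fB\-p\fR syntax above (single numbers, hyphenated ranges with either end omitted, explicit port zero, T:/U: qualifiers that persist until the next one, unqualified numbers going to every protocol list) is implemented here as an added example. It is not Nmap's own parser; it is a stand-alone reimplementation of the rules as the man page states them, with one labelled assumption: for \fB\-sO\fR the page gives only the 0\-255 limit, so an omitted range start is taken to mean 0 there.

```python
MAX_PORT = 65535
MAX_PROTO = 255


def _expand_range(token, maximum, default_lo):
    """One comma-separated item: 'n', 'a-b', '-b', 'a-' or '-'."""
    if token == "":
        raise ValueError("empty port token")
    if "-" not in token:
        lo = hi = int(token)
    else:
        lo_s, _, hi_s = token.partition("-")
        lo = int(lo_s) if lo_s else default_lo   # omitted start
        hi = int(hi_s) if hi_s else maximum      # omitted end
    if not 0 <= lo <= hi <= maximum:
        raise ValueError(f"bad range {token!r}")
    return range(lo, hi + 1)


def parse_port_spec(spec, proto_scan=False):
    """Expand an -p argument into {'tcp': set, 'udp': set}, or {'proto': set}
    when proto_scan is True (the -sO case). Port 0 only appears if written out;
    a bare '-' expands to 1-65535 as the man page says."""
    maximum = MAX_PROTO if proto_scan else MAX_PORT
    # Assumption: start defaults to 0 for protocol numbers; the page states 1 only for ports
    default_lo = 0 if proto_scan else 1
    lists = {"proto": set()} if proto_scan else {"tcp": set(), "udp": set()}
    targets = list(lists)            # no qualifier yet: numbers go to every list
    for token in spec.split(","):
        if not proto_scan and token[:2] in ("T:", "U:"):
            targets = ["tcp" if token[0] == "T" else "udp"]   # persists until next qualifier
            token = token[2:]
        for port in _expand_range(token, maximum, default_lo):
            for name in targets:
                lists[name].add(port)
    return lists


def summarize(spec, proto_scan=False):
    """Count per list, handy for checking what a spec really covers."""
    return {name: len(ports) for name, ports in parse_port_spec(spec, proto_scan).items()}


if __name__ == "__main__":
    for example in ("U:53,111,137,T:21-25,80,139,8080", "-", "0,22", "80,T:22"):
        print(f"-p {example:36} -> {summarize(example)}")
    print(f"-sO -p 1,6,17 -> {summarize('1,6,17', proto_scan=True)}")
```

Note the last case in the demo: with "80,T:22", port 80 lands in both lists because it precedes any qualifier, while 22 is TCP only.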
Note that to scan both UDP & TCP, you have to specify \fB\-sU\fR and at least one TCP scan type (such as \fB\-sS\fR, \fB\-sF\fR, or \fB\-sT\fR). If no protocol qualifier is given, the port numbers are added to all protocol lists.
.TP
\fB\-F\fR (Fast (limited port) scan)
Specifies that you only wish to scan for ports listed in the \fInmap\-services\fR file which comes with nmap (or the protocols file for \fB\-sO\fR). This is much faster than scanning all 65535 ports on a host. Because this list contains so many TCP ports (more than 1200), the speed difference from a default TCP scan (about 1650 ports) isn't dramatic. The difference can be enormous if you specify your own tiny \fInmap\-services\fR file using the \fB\-\-datadir\fR option.
.TP
\fB\-r\fR (Don't randomize ports)
By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify \fB\-r\fR for sequential port scanning instead.
.SH "SERVICE AND VERSION DETECTION"
.PP
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its \fInmap\-services\fR database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate \-\- the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports.
.PP
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network inventories) of your company or clients, you really want to know which mail and DNS servers and versions are running.
Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection helps you obtain this information.
.PP
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The \fInmap\-service\-probes\fR database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. ftp, ssh, telnet, http), the application name (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name. Of course, most services don't provide all of this information. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer. When RPC services are discovered, the Nmap RPC grinder (\fB\-sR\fR) is automatically used to determine the RPC program and version numbers. Some UDP ports are left in the open|filtered state after a UDP port scan is unable to determine whether the port is open or filtered. Version detection will try to elicit a response from these ports (just as it does with open ports), and change the state to open if it succeeds. open|filtered TCP ports are treated the same way. Note that the Nmap \fB\-A\fR option enables version detection among other things. A paper documenting the workings, usage, and customization of version detection is available at \fI\%http://insecure.org/nmap/vscan/\fR.
.PP
When Nmap receives responses from a service but cannot match them to its database, it prints out a special fingerprint and a URL for you to submit to if you know for sure what is running on the port.
Please take a couple minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 3,000 pattern matches for more than 350 protocols such as smtp, ftp, http, etc.
.PP
Version detection is enabled and controlled with the following options:
.TP
\fB\-sV\fR (Version detection)
Enables version detection, as discussed above. Alternatively, you can use \fB\-A\fR to enable both OS detection and version detection.
.TP
\fB\-\-allports\fR (Don't exclude any ports from version detection)
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP GET requests, binary SSL session requests, etc. This behavior can be changed by modifying or removing the Exclude directive in \fInmap\-service\-probes\fR, or you can specify \fB\-\-allports\fR to scan all ports regardless of any Exclude directive.
.TP
\fB\-\-version\-intensity <intensity>\fR (Set version scan intensity)
When performing a version scan (\fB\-sV\fR), nmap sends a series of probes, each of which is assigned a rarity value between 1 and 9. The lower\-numbered probes are effective against a wide variety of common services, while the higher numbered ones are rarely useful. The intensity level specifies which probes should be applied. The higher the number, the more likely it is the service will be correctly identified. However, high intensity scans take longer. The intensity must be between 0 and 9. The default is 7. When a probe is registered to the target port via the \fInmap\-service\-probes\fR ports directive, that probe is tried regardless of intensity level. This ensures that the DNS probes will always be attempted against any open port 53, the SSL probe will be done against 443, etc.
.TP
\fB\-\-version\-light\fR (Enable light mode)
This is a convenience alias for \fB\-\-version\-intensity 2\fR.
This light mode makes version scanning much faster, but it is slightly less likely to identify services.
.TP
\fB\-\-version\-all\fR (Try every single probe)
An alias for \fB\-\-version\-intensity 9\fR, ensuring that every single probe is attempted against each port.
.TP
\fB\-\-version\-trace\fR (Trace version scan activity)
This causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with \fB\-\-packet\-trace\fR.
.TP
\fB\-sR\fR (RPC scan)
This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as \fBrpcinfo \-p\fR even if the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. This is automatically enabled as part of version scan (\fB\-sV\fR) if you request that. As version detection includes this and is much more comprehensive, \fB\-sR\fR is rarely needed.
.SH "OS DETECTION"
.PP
One of Nmap's best\-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IPID sampling, and the initial window size check, Nmap compares the results to its \fInmap\-os\-fingerprints\fR database of more than 1500 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc).
.PP
If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone.
.PP
OS detection enables several other tests which make use of information that is gathered during the process anyway. One of these is uptime measurement, which uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted. This is only reported for machines which provide this information. Another is TCP Sequence Predictability Classification. This measures approximately how hard it is to establish a forged TCP connection against the remote host. It is useful for exploiting source\-IP