Date: 14.02.2022
4.1. Port Scanning Basics - by default nmap scans its list of the most common ports (more than 1660 in older releases, the top 1000 in current ones), not all 65535
- Most port scanners only list ports as open or closed
- nmap recognizes 6 port states
- Open
  - An application is accepting TCP connections or UDP packets on the port
- Closed
  - The host is up and the port is reachable (it answers the probe), but no application is listening on it
  - Worth rescanning later: a service may be started on it
Port Scanning Basics - nmap recognizes 6 port states (cont'd)
- Filtered
  - A packet filter (firewall, router ACL, host-based filter) drops the probe, so nmap cannot tell whether the port is open
  - Little or no response comes back (at most an ICMP error), which slows the scan considerably
- Unfiltered
  - The port is accessible, but nmap cannot determine whether it is open or closed
  - Only the ACK scan (-sA) produces this state; used in mapping firewall rulesets
  - Follow up with a Window scan, SYN scan or FIN scan to resolve open vs closed
Port Scanning Basics - nmap recognizes 6 port states (cont’d)
- open|filtered
  - When nmap cannot determine whether the port is open or filtered; typical of UDP, IP protocol, FIN, NULL and Xmas scans, where an open port sends nothing back
- closed|filtered
  - When nmap cannot determine whether the port is closed or filtered; only the IP ID idle scan (-sI) produces it
Port Scanning Techniques - Only one TCP scan technique can be used at a time (a UDP scan, -sU, may be combined with one TCP scan type)
- Most scan types craft raw packets and therefore require root privilege; the connect() scan is the exception
- Some available scan techniques:
- -sS (TCP SYN scan)
  - Default when nmap runs with privileges
  - Half-open scanning: nmap sends a SYN and judges the reply (SYN/ACK = open, RST = closed) without completing the handshake
  - The open request is never completed, so the connection never reaches the application and is rarely logged there
- -sT (TCP connect() scan)
  - Default when nmap lacks raw-socket privileges
  - A full TCP connection is attempted through the OS connect() call, so scan control is handed over to the OS
  - The handshake completes, so the target service sees (and may log) every connection; far less stealthy than -sS
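A connect() scan in miniature, as an added example (not nmap's code): it uses the OS connect() call, so it needs no raw-socket privilege, and it starts its own local "target" that records every accepted connection, the way a real service's log would. The port numbers are whatever the OS hands out at run time; the target host 127.0.0.1 and the one-second timeout are choices made for the demo.

```python
"""TCP connect() scan, the technique behind nmap -sT (added example)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def probe_connect(host, port, timeout=1.0):
    """Classify one port the way a connect() scan can: open, closed or filtered.

    open     - the OS completed the three-way handshake (SYN/ACK came back)
    closed   - the target answered the SYN with a RST (ECONNREFUSED)
    filtered - nothing came back before the timeout: a packet filter most
               likely dropped the probe or the reply
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH etc.: no RST was seen, so treat as filtered
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Scan several ports in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_connect(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_listener():
    """Constructed local target: a TCP service that records every accepted
    connection (its 'access log'). Returns the server socket, its port and
    the shared list of peers seen."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:             # server socket closed: stop serving
                return
            seen.append(peer)           # a completed handshake reached the app
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def demo(timeout=2.0):
    """Scan one listening port and one port known to be unbound, then report
    how many connections the 'service' logged (the cost of a full handshake).
    Returns (results, open_port, closed_port, logged_connections)."""
    srv, open_port, seen = start_listener()
    # Reserve an ephemeral port and release it again: with nothing bound, the
    # kernel answers a SYN to it with a RST, i.e. the port is "closed".
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port], timeout)
        deadline = time.monotonic() + 1.0
        while not seen and time.monotonic() < deadline:
            time.sleep(0.01)            # give accept() a moment to log the hit
        return results, open_port, closed_port, len(seen)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)   # wake the accept() thread
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    res, op, cp, hits = demo()
    for port, state in sorted(res.items()):
        print(f"{port}/tcp {state}")
    print(f"target logged {hits} completed connection(s)")
```

The listener's non-empty `seen` list is the point of the slide: because connect() finishes the handshake, the connection is delivered to the application and can be logged, which a half-open SYN scan avoids.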
Port Scanning Techniques (cont'd) - Some additional available scan techniques:
- -sU (UDP scan)
  - Picks up UDP services such as DNS (53), SNMP (161) and DHCP (67/68)
  - An empty UDP datagram is sent to each targeted port (current nmap adds protocol-specific payloads for some common ports)
  - ICMP port unreachable (type 3, code 3) --> port is closed
  - Other ICMP unreachable errors (type 3, code 1, 2, 9, 10 or 13) --> port is filtered
  - A UDP reply --> port is open
  - No response, even after retransmissions --> port is open|filtered
- -sN (TCP Null scan): no flags set
- -sF (TCP FIN scan): only the FIN bit is set
- -sX (TCP Xmas scan): FIN, PSH and URG bits are set
  - All three exploit RFC 793: a closed port answers a packet without RST with a RST, an open port silently drops it
  - RST packet received --> port is closed
  - No response --> port is open|filtered
  - ICMP unreachable error (type 3, code 1, 2, 3, 9, 10 or 13) --> port is filtered
Port Scanning Techniques (cont'd) - Some additional available scan techniques:
- -sA (TCP ACK scan)
  - Never reports ports as open: the probe carries only the ACK bit
  - Determines whether a firewall is stateful and which ports it filters
  - Ports that answer with a RST (whether open or closed) are labeled unfiltered
  - No response or an ICMP unreachable error --> labeled filtered
- -sW (TCP window scan)
  - Same ACK probe, but inspects the TCP window field of the returned RST: a positive window --> open, zero --> closed (only some systems behave this way)
- -sO (IP protocol scan)
  - Cycles through IP protocol numbers (ICMP, TCP, UDP, ...) instead of ports to learn which protocols the host supports
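The response rules on the last three slides, turned into one classifier as an added example (not nmap's code). It maps a single raw IPv4 response, or silence, to nmap's port state for the UDP, FIN/NULL/Xmas, ACK and Window scans described above and, going one step beyond the slides, for the SYN scan as well. The packets it works on are constructed inline with made-up addresses and ports; ICMP code 0 is treated like the other unreachable codes on the basis of current nmap documentation, which the slides do not list.

```python
"""Classify a scan response into nmap's port states (added example)."""
import struct

ICMP, TCP, UDP = 1, 6, 17                                  # IP protocol numbers
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits
# ICMP type 3 codes that mean "a filter answered, not the port". The slides list
# 1, 2, 9, 10, 13 (plus 3 for TCP probes); code 0 (net unreachable) is added
# here because current nmap treats it the same way.
FILTER_CODES = {0, 1, 2, 9, 10, 13}


def ipv4(proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 9]), bytes([10, 0, 0, 5]))
    return hdr + payload


def tcp(flags, window=0):
    """TCP header with the given flags and window size; ports and seq are dummies."""
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 0, 5 << 4, flags, window, 0, 0)


def icmp(icmp_type, code):
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def udp(payload=b""):
    return struct.pack("!HHHH", 53, 40000, 8 + len(payload), 0) + payload


def classify(scan, response):
    """Map one response to a port state.

    scan     - 'syn', 'udp', 'fin', 'null', 'xmas', 'ack' or 'window'
    response - raw IPv4 datagram from the target (bytes), or None for silence
    """
    stealth = scan in ("fin", "null", "xmas")
    if response is None:                       # probe dropped, or target silent
        if scan == "udp" or stealth:
            return "open|filtered"             # open ports never answer these probes
        return "filtered"                      # syn / ack / window always expect a reply
    ihl = (response[0] & 0x0F) * 4             # header length in bytes
    proto, payload = response[9], response[ihl:]
    if proto == ICMP:
        icmp_type, code = payload[0], payload[1]
        if icmp_type != 3:                     # not destination-unreachable: no port info
            return classify(scan, None)
        if scan == "udp" and code == 3:
            return "closed"                    # port unreachable: nothing listens there
        if code == 3 or code in FILTER_CODES:  # for TCP probes even code 3 means a filter
            return "filtered"
        return classify(scan, None)
    if proto == UDP and scan == "udp":
        return "open"                          # a service answered the empty datagram
    if proto == TCP and scan != "udp":
        flags = payload[13]
        window = struct.unpack("!H", payload[14:16])[0]
        if scan == "syn":
            if flags & SYN and flags & ACK:
                return "open"                  # half-open: nmap answers with RST, not ACK
            if flags & RST:
                return "closed"
        elif flags & RST:
            if stealth:
                return "closed"                # RFC 793: closed ports RST odd probes
            if scan == "ack":
                return "unfiltered"            # reachable, but ACK scan cannot say open/closed
            if scan == "window":
                return "open" if window > 0 else "closed"
    raise ValueError(f"response does not fit a {scan} scan")


if __name__ == "__main__":
    samples = [
        ("syn", ipv4(TCP, tcp(SYN | ACK, 29200))),
        ("udp", ipv4(ICMP, icmp(3, 3))),
        ("fin", None),
        ("ack", ipv4(TCP, tcp(RST))),
        ("window", ipv4(TCP, tcp(RST, 1024))),
    ]
    for scan, pkt in samples:
        print(f"{scan:6s} -> {classify(scan, pkt)}")
```

Note that the same RST means three different things depending on which probe provoked it: closed for FIN/NULL/Xmas, unfiltered for ACK, and open or closed by window size for the Window scan. That is why the scan type must be recorded alongside every response before anything is classified.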
Service and Version Detection - -sV probes the open ports that the port scan discovered
- nmap-service-probes contains the probes to send and the match expressions that map responses to service names and versions
OS Detection - Sends a series of TCP and UDP probes to open and closed ports and analyses the responses
- Compares the resulting fingerprint to the nmap-os-db database (called nmap-os-fingerprints in older releases)
- -O (Enable OS detection)
- -A (Aggressive: enables OS detection, version detection, script scanning and traceroute)
Output - Piles of output
- Many formats
- -oN (Normal output)
- -oX (XML output, the format to use when the results are parsed by other tools)
- -v (Increase verbosity level; repeat as -vv for more)
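Reading the XML produced by -oX programmatically, as an added example (not part of nmap). The document below is a constructed sample in the nmaprun format, with made-up addresses, products and timings; only the element and attribute names follow nmap's XML output.

```python
"""Parse nmap -oX output into a list of port findings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample in nmaprun format; host, services and times are invented.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX - 10.0.0.9" start="1644796800" version="7.92">
  <host starttime="1644796800" endtime="1644796812">
    <status state="up" reason="echo-reply" reason_ttl="64"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames><hostname name="target.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response" reason_ttl="0"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <runstats>
    <finished time="1644796812" elapsed="12.40" exit="success"/>
    <hosts up="1" down="0" total="1"/>
  </runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <port>: host, proto, port, state, reason, service.

    The 'reason' attribute records which response produced the state
    (syn-ack, reset, no-response, ...), so the evidence survives parsing.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:                     # fall back to whatever address exists
            addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            service = None
            if svc is not None:
                # product/version are only present when -sV actually matched
                parts = [svc.get("name"), svc.get("product"), svc.get("version")]
                service = " ".join(p for p in parts if p)
            findings.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else None,
                "reason": state.get("reason") if state is not None else None,
                "service": service,
            })
    return findings


def open_ports(findings, include_ambiguous=False):
    """(proto, port) pairs worth following up: 'open', plus 'open|filtered' on request."""
    wanted = {"open"} | ({"open|filtered"} if include_ambiguous else set())
    return sorted((f["proto"], f["port"]) for f in findings if f["state"] in wanted)


if __name__ == "__main__":
    for f in parse_nmap_xml(SAMPLE_XML):
        print(f"{f['host']} {f['port']}/{f['proto']} {f['state']:14s} {f['reason']:12s} {f['service']}")
    print("follow up:", open_ports(parse_nmap_xml(SAMPLE_XML), include_ambiguous=True))
```

In practice the XML comes from `nmap ... -oX -` on standard output, or from a saved file; keeping `open|filtered` out of the default list is deliberate, since for UDP that state usually means silence rather than a confirmed service.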
Conclusion - nmap
- Extremely powerful
- Extremely invasive
- Extremely obvious to the target if you are not careful
- Illegal without authorization: scan only systems you are permitted to test