0x00 Host scanning techniques
The typical method is the ping scan. A traditional ping scan sends ICMP echo request packets to the target host and decides from the reply whether the host is online. More advanced ping scans also use ARP, TCP and UDP probes; on a local Ethernet segment nmap uses ARP requests by default, because a host that drops ICMP still has to answer ARP. In Nmap 7.91, -sP is a deprecated alias for -sn (ping scan only, no port scan).
Scanning a specific IP
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sP 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:01 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00051s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
Scanning a subnet
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sP 192.168.17.1/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 21:59 CST
Nmap scan report for 192.168.17.2 (192.168.17.2)
Host is up (0.00053s latency).
Nmap scan report for 192.168.17.128 (192.168.17.128)
Host is up (0.00036s latency).
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.0021s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.64 seconds
0x01 Port scanning techniques
- TCP connect scan
Advantage: needs no special privileges, since it uses the ordinary connect() system call.
Disadvantage: the full three-way handshake takes longer, and because the connection completes, the service on the target logs it, so the scan is easily noticed.
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sT 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:07 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
Three ports are returned, with port number/protocol, state and service name for each.
<gr_insert_placeholder/>
- TCP SYN scan
Advantage: no full connection is established (nmap sends a SYN and answers the SYN/ACK with a RST), so it is faster, and the target's application logs usually do not record it because accept() never returns to the service; the kernel, a firewall or an IDS still sees the SYN.
Disadvantage: crafting raw IP packets requires root/admin privileges.
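The connect scan above and the TCP-based host discovery from section 0x00 can both be done with nothing but ordinary sockets, which is exactly why they need no privileges. The following is an added example written for these notes, not nmap's code: it starts a throwaway listener on 127.0.0.1 as a constructed target, classifies ports as open/closed/filtered from the connect() result, and treats any TCP answer (even a refusal) as proof that the host is up, the way nmap's -PS probe does. The function names are ours.

```python
# Added example (not from the original notes): an unprivileged TCP connect scan
# and a connect()-based "TCP ping", built on ordinary sockets only.
# The target is a constructed listener started on 127.0.0.1, so this runs offline.
import socket
import threading


def start_listener():
    """Start a constructed local TCP service on an ephemeral port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        # Accept and immediately close: the handshake completed, so a real
        # service at this point would already have logged the client address.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Find a port nothing listens on (bind to 0, read the port, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Connect-scan one port: 'open', 'closed' (SYN answered by RST) or 'filtered' (no reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # three-way handshake completed; the service saw us
    except ConnectionRefusedError:
        return "closed"      # the kernel answered our SYN with a RST
    except (socket.timeout, OSError):
        return "filtered"    # SYN dropped, or no route: nmap's 'filtered'
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Equivalent of nmap -sT over an explicit port list."""
    return {p: probe(host, p, timeout) for p in ports}


def tcp_ping(host, port=80, timeout=1.0):
    """TCP ping like nmap -PS: the host is up if the probe gets any TCP answer at all."""
    return probe(host, port, timeout) in ("open", "closed")


if __name__ == "__main__":
    srv, listening = start_listener()
    print("host up:", tcp_ping("127.0.0.1", listening))
    print(connect_scan("127.0.0.1", [listening, free_port()]))
    srv.close()
```

Note that a refused connection still counts as "host up" for the ping: the RST proves a stack is answering at that address, which is the same reasoning nmap applies to its SYN ping.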
┌──(dyh㉿dyhace)-[~]
└─$ nmap -sS 192.168.17.131
You requested a scan type which requires root privileges.
QUITTING!
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sS 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:17 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.000096s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:A4:46:5E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
The open ports match those found by the TCP connect scan.
- TCP FIN scan
Exploits the behaviour RFC 793 requires of a TCP stack: a bare FIN sent to an open port is silently dropped, while a closed port replies with a RST. Because silence can also mean a firewall dropped the probe, nmap reports such ports as open|filtered rather than open. This only works against RFC-compliant stacks such as Linux and most UNIX systems; Windows returns a RST whether the port is open or not.
Scanning a Windows host therefore reports every port as closed; comparing with the earlier scans shows that ports are in fact open:
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sF 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:28 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00039s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are closed
MAC Address: 00:0C:29:A4:46:5E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
- TCP ACK scan
Cannot determine whether a port is open, but can test whether a firewall is filtering it. A port that answers the ACK with a RST is marked unfiltered; one that gives no response (or an ICMP unreachable error) is marked filtered.
With the target's firewall off, the ports are marked unfiltered:
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sA 192.168.0.101
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:36 CST
Nmap scan report for 192.168.0.101 (192.168.0.101)
Host is up (0.000027s latency).
All 1000 scanned ports on 192.168.0.101 (192.168.0.101) are unfiltered
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
With the firewall on, they are marked filtered:
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sA 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:38 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00027s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are filtered
MAC Address: 00:0C:29:A4:46:5E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 21.34 seconds
- TCP window scan
Same probe as the ACK scan, but when a RST comes back it also inspects the TCP window field of that RST: a positive window marks the port open, a zero window marks it closed.
With the firewall on, the window scan gives the same result as the ACK scan above (all 1000 ports filtered): the probes are dropped, so no RST comes back whose window field could be inspected.
With the firewall off, every port is marked closed according to the window value, including 135, 139 and 445, which the SYN scan found open. This Windows stack sets the window to zero in every RST, so the window scan cannot tell open from closed here; only a minority of TCP stacks set a non-zero window in these RSTs, so the result of this scan type should not be trusted on its own.
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sW 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:53 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00038s latency).
All 1000 scanned ports on 192.168.17.131 (192.168.17.131) are closed
MAC Address: 00:0C:29:A4:46:5E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
- UDP scan
Because UDP has no handshake, a port that does not answer cannot be distinguished from one whose probe a firewall dropped, so the scanner retransmits probes to improve accuracy, which makes it slow; many stacks (Linux in particular) also rate-limit the ICMP port unreachable replies that identify closed ports. It requires root privileges.
┌──(root💀dyhace)-[/home/dyh]
└─# nmap -sU 192.168.17.131
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-16 22:58 CST
Nmap scan report for 192.168.17.131 (192.168.17.131)
Host is up (0.00049s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
MAC Address: 00:0C:29:A4:46:5E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
open|filtered means no reply was received: nmap cannot tell an open port that silently accepted the datagram from one whose probe a firewall dropped. Only the ports that answered with ICMP port unreachable are reported closed (the 993 not shown). Adding -sV makes nmap send protocol-specific payloads to the open|filtered ports and can resolve many of them to open.
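The SYN, FIN, ACK, window and UDP scans above all differ only in what nmap sends and how it interprets the reply (or the silence). The following is an added example written for these notes, not nmap's code: a minimal TCP header parser and a decision function that follow nmap's documented rules for -sS, -sF, -sA, -sW and -sU. All packets are constructed in-line, nothing is sent on the wire, and the function names and the reply tuple format are our own. It also reproduces the two misleading results seen on the Windows target: a RST answering a FIN on an open port, and a RST with a zero window, both of which come out as closed.

```python
# Added example (not from the original notes): how the raw-packet scan types turn
# a reply into a port state. Packets below are constructed test input only.
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"
# ICMP type 3 codes that nmap reports as "filtered" for every scan type
ICMP_UNREACH_FILTERED = {1, 2, 3, 9, 10, 13}


def build_tcp(sport, dport, flags, window):
    """Construct a 20-byte TCP header (test input; checksum left as 0)."""
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def parse_tcp(data):
    """Return (flags, window) from a raw TCP header."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return flags, window


def classify(scan, reply):
    """Port state for one probe.

    scan  : "syn", "fin", "ack", "window" or "udp"
    reply : None (nothing came back after retries), ("tcp", header_bytes),
            ("udp", payload_bytes) or ("icmp", type, code)
    """
    if reply is None:
        # Silence is ambiguous for FIN and UDP scans (dropped by firewall, or
        # accepted silently by an open port); for the others it means filtered.
        return "open|filtered" if scan in ("fin", "udp") else "filtered"

    kind = reply[0]
    if kind == "icmp":
        _, itype, code = reply
        if itype == 3 and code == 3 and scan == "udp":
            return "closed"          # port unreachable: nothing bound to that UDP port
        if itype == 3 and code in ICMP_UNREACH_FILTERED:
            return "filtered"        # an admin-prohibited or host/net unreachable error
        return classify(scan, None)  # any other ICMP is ignored, as if no reply

    if kind == "udp":
        if scan == "udp":
            return "open"            # a service answered with a UDP payload
        raise ValueError("UDP reply to a TCP scan")

    flags, window = parse_tcp(reply[1])
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"            # nmap answers this SYN/ACK with a RST, never ACK
        if flags & RST:
            return "closed"
    elif scan == "fin":
        if flags & RST:
            return "closed"          # also what a non-RFC stack (Windows) sends for open ports
    elif scan == "ack":
        if flags & RST:
            return "unfiltered"      # the probe reached the host; open/closed unknown
    elif scan == "window":
        if flags & RST:
            return "open" if window > 0 else "closed"
    raise ValueError(f"unexpected TCP flags 0x{flags:02x} for {scan} scan")


def windows_target_demo():
    """The two results from the Windows host in the notes: port 445 is open, yet
    the FIN scan gets a RST and the window scan gets a RST with window 0."""
    fin_reply = ("tcp", build_tcp(445, 40000, RST | ACK, 0))
    win_reply = ("tcp", build_tcp(445, 40000, RST | ACK, 0))
    return {"fin": classify("fin", fin_reply), "window": classify("window", win_reply)}


if __name__ == "__main__":
    print(windows_target_demo())
```

The recursion for unexpected ICMP types simply falls back to the "no reply" rule; in a real scanner that is where retransmission happens. Keeping the decision logic separate from packet I/O is also what makes it testable without root or a network.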