The king of system vulnerability scanning


A vulnerability scanner is a great assistant for understanding your system. Nmap was developed to allow system administrators to see which hosts are in a large network and what services are running on them...

A port scanner is a great assistant for understanding your system. Complex operating systems such as Windows 2000/XP allow application software to open hundreds of ports to communicate with other client programs or servers. Port scanning is a way to detect which services and applications are running on a server and which communication channels are open to the Internet or other networks. It is not only fast but also effective.

Nmap was developed to allow system administrators to see which hosts a large network contains and what services are running on them. It supports many scan types, such as UDP, TCP connect(), TCP SYN (half open), FTP proxy (bounce attack), reverse ident, ICMP (ping sweep), FIN, ACK sweep, Xmas tree, SYN sweep and null scans. The scan types section below gives the details. Nmap also provides some practical functions, such as remote operating system identification via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculation, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct RPC scanning, fragmentation scanning, flexible target selection and port specification.

I. Installing nmap

To install nmap, you first need a driver called WinPcap (Windows Packet Capture Library). If you often download streaming media movies, you may already be familiar with this driver: the addresses of some streaming movies are encrypted, and WinPcap is needed to detect their real addresses. WinPcap lets the calling program (here, nmap) capture the raw data passing through the network card. The latest version of WinPcap supports the whole XP/2000/ME/9x range of operating systems. The download is an executable file; double click it to install, accept the default settings throughout, and restart after installation.

Next, download nmap. After downloading, unpack the archive; no installation is needed. In addition to the executable file, it contains the following reference documents:

1. nmap-os-fingerprints: lists the stack identification information of more than 500 network devices and operating systems

2. nmap-protocols: the protocol list nmap uses when performing a protocol scan

3. nmap-rpc: the remote procedure call (RPC) service list, which nmap uses to determine the application type listening on a specific port

4. nmap-services: a list of TCP/UDP services, which nmap uses to match service names to port numbers

In addition to the command line version, there is also a version of nmap with a GUI. Like other common Windows software, the GUI version needs to be installed. Figure 1 shows the running interface of the GUI version. Its functions are basically the same as those of the command line version. Since many people prefer the command line version, the rest of this article focuses on it.

II. Common scanning types

After unpacking the compressed package of the nmap command line version, open the Windows command console and go to the directory where nmap was unpacked (if you use nmap often, it is best to add its path to the PATH environment variable). Running nmap without any command line parameters displays the command syntax, as shown in Figure 2.

Here are the four most basic scanning methods supported by nmap:

⑴ TCP connect() port scanning (-sT parameter)

⑵ TCP synchronization (SYN) port scanning (-sS parameter)

⑶ UDP port scanning (-sU parameter)

⑷ Ping scanning (-sP parameter)

If you want to outline the overall situation of a network, ping scanning and TCP SYN scanning are the most practical. Ping scanning sends ICMP (Internet Control Message Protocol) echo request packets and TCP acknowledgement (ACK) packets to determine the status of hosts, which is very suitable for finding out how many hosts are running in a given segment.

TCP SYN scanning is not easy to understand at first, but compared with TCP connect() scanning its characteristics become clear. In TCP connect() scanning, the scanner uses the operating system's own connect() system call to open a complete TCP connection, that is, it carries out the full handshake (SYN, SYN-ACK and ACK) between the two hosts. A completed handshake indicates that the port on the remote host is open.

TCP SYN scanning instead creates a half-open connection. It differs from TCP connect() scanning in that, after the SYN and SYN-ACK, the scanner sends a reset (RST) rather than the final ACK (that is: SYN, SYN-ACK, RST). If the remote host is listening and the port is open, it responds with SYN-ACK and nmap replies with an RST; if the port is closed, the remote host replies with RST and nmap moves on to the next port.

Figure 3 shows the test results. The TCP SYN scan is obviously faster than the TCP connect() scan: with the default timing options, scanning one host in a LAN took less than 10 seconds for the ping scan, about 13 seconds for TCP SYN, and about 7 minutes for TCP connect().

Nmap supports rich and flexible command line parameters. For example, to scan the 192.168.7 network you can specify the IP address range in a form such as 192.168.7.x/24 (or the equivalent wildcard form). Use the -p parameter to specify the port range. If you do not specify the ports to scan, nmap by default scans ports 1 to 1024 plus the ports listed in nmap-services.

To watch nmap's operation in detail, enable verbose mode by adding the -v parameter, or add -vv for even more detail. For example, the command nmap -sS 192.168.7.0/24 -p 20,21,53-110,30000- -v executes a TCP SYN scan with verbose mode enabled against the 192.168.7 network, probing ports 20, 21, 53 to 110 and 30000 and above (do not insert spaces in the port list). As another example, nmap -sS -p 80 192.168.0.0/24 scans the 192.168.0 subnet for servers listening on port 80 (usually web servers).
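The port list syntax used with -p above can be made concrete with a small parser. The following Python is an added example, not code from the original article or from nmap itself: it expands a port list such as "20,21,53-110,30000-" into the set of ports it covers, and builds the default port set (1 to 1024 plus a constructed stand-in for nmap-services). How an open-ended item like "30000-" is treated is my reading of the article's description, not nmap's source.

```python
# Added example, not from the original article or from nmap: expand an nmap-style
# port list (the -p argument) into the set of ports it covers. Assumptions of
# mine, not taken from nmap's source: "N-" runs to 65535 and "-N" starts at 1.

MAX_PORT = 65535

# Constructed stand-in for the nmap-services file; only the port numbers matter here.
SAMPLE_NMAP_SERVICES = frozenset({22, 80, 443, 1433, 3306, 3389, 8080})


def parse_port_spec(spec: str) -> set:
    """Expand a comma-separated port list such as "20,21,53-110,30000-".

    Spaces are rejected, as the article warns, because the whole list must be
    passed to nmap as a single argument.
    """
    if " " in spec:
        raise ValueError("port list must not contain spaces")
    ports = set()
    for item in spec.split(","):
        if not item:
            raise ValueError("empty item in port list")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo = int(lo_s) if lo_s else 1          # "-N" means 1-N
            hi = int(hi_s) if hi_s else MAX_PORT   # "N-" means N-65535
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"bad port range: {item}")
        ports.update(range(lo, hi + 1))
    return ports


def default_ports(services=SAMPLE_NMAP_SERVICES) -> set:
    """Ports scanned when -p is omitted: 1-1024 plus those listed in nmap-services."""
    return set(range(1, 1025)) | set(services)


if __name__ == "__main__":
    p = parse_port_spec("20,21,53-110,30000-")
    print(f"{len(p)} ports, lowest {min(p)}, highest {max(p)}")
```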

Some network devices, such as routers and network printers, may disable or filter some ports and prohibit scanning of the device or through it. When first surveying network conditions, the --host_timeout parameter is very useful: it sets the timeout. For example, the command nmap -sS --host_timeout 10000 (followed by the target) specifies a timeout of 10000 milliseconds.

Filtered ports on network devices generally prolong the detection time greatly, and setting the timeout parameter can sometimes significantly reduce the time needed to scan the network. Nmap will show which network devices timed out, and you can then deal with those devices individually to keep large-scale network scanning fast overall. Of course, how much scanning time --host_timeout saves is ultimately determined by the number of filtered ports on the network.

The nmap manual (man page) describes the usage of the command line parameters in detail (although the man page is written for the UNIX version of nmap, it also provides instructions for the Win32 version).

III. Precautions

Maybe you are familiar with other port scanners, but nmap is definitely worth a try. It is recommended to scan a familiar system with nmap first, get a feel for nmap's basic operation, and then expand the scanning range to other systems. First scan the internal network and look at the results nmap reports, then scan from an external IP address and pay attention to how firewalls, intrusion detection systems (IDS) and other tools respond to the scan. Generally, a TCP connect() scan will trigger an IDS, but an IDS does not necessarily record a TCP SYN scan, commonly known as a "half-connection" scan. It is best to sort and archive nmap's scan reports on the network for later reference.
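The handshake difference explained in section II, and the point above that an IDS may not log half-open scans, can be checked at the packet level rather than at the application level. The following Python is an added example, not code from the original article or from nmap: it classifies the flows in a constructed packet log as open (full handshake), half-open (SYN, SYN-ACK, RST) or closed, and reports sources that left half-open probes on several ports. The log format and the min_ports threshold are my own assumptions.

```python
from collections import defaultdict

# Constructed packet log (not real capture data): "<ts> <src>:<sport> > <dst>:<dport> <flags>".
# 10.0.0.5 probes ports 22 and 80 half-open and hits closed port 25; 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
1 10.0.0.5:40001 > 10.0.0.9:22 S
2 10.0.0.9:22 > 10.0.0.5:40001 SA
3 10.0.0.5:40001 > 10.0.0.9:22 R
4 10.0.0.5:40002 > 10.0.0.9:80 S
5 10.0.0.9:80 > 10.0.0.5:40002 SA
6 10.0.0.5:40002 > 10.0.0.9:80 R
7 10.0.0.5:40003 > 10.0.0.9:25 S
8 10.0.0.9:25 > 10.0.0.5:40003 R
9 10.0.0.7:51000 > 10.0.0.9:80 S
10 10.0.0.9:80 > 10.0.0.7:51000 SA
11 10.0.0.7:51000 > 10.0.0.9:80 A
"""

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) for one log line."""
    _ts, src, _arrow, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return sip, int(sport), dip, int(dport), flags

def classify_flows(log):
    """Label each client-initiated flow, keyed (client_ip, client_port, server_ip, server_port):
    'open' = SYN, SYN-ACK, ACK (connect() or a real client; the application sees a connection),
    'half_open' = SYN, SYN-ACK, RST (SYN scan; visible only at packet level), 'closed' = SYN then RST."""
    state = {}
    for line in log.splitlines():
        sip, sport, dip, dport, flags = parse_line(line)
        forward, reverse = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if flags == "S":                                                  # client opens a flow
            state[forward] = "syn_sent"
        elif state.get(reverse) == "syn_sent" and flags in ("SA", "R"):   # server's reply
            state[reverse] = "synack_seen" if flags == "SA" else "closed"
        elif state.get(forward) == "synack_seen":                         # client's third packet
            state[forward] = "open" if flags == "A" else "half_open"
    return state

def syn_scan_sources(log, min_ports=2):
    """Client IPs that left half-open probes on at least min_ports distinct server ports."""
    probed = defaultdict(set)
    for (cip, _cport, _sip, sport), verdict in classify_flows(log).items():
        if verdict == "half_open":
            probed[cip].add(sport)
    return {ip: sorted(ports) for ip, ports in probed.items() if len(ports) >= min_ports}
```

A connect() scan leaves only 'open' flows here, which is why application logs catch it while a SYN scan needs packet-level visibility.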

If you plan to get familiar with and use nmap, the following experience may be helpful:

1. Avoid misunderstandings. Do not pick scanning targets at random when testing nmap. Many organizations regard port scanning as malicious behavior, so it is best to test nmap on the internal network. If necessary, tell your colleagues that you are testing port scanning, because scanning may cause IDS alerts and other network problems.

2. Shut down unnecessary services. Based on the report nmap provides (and the security requirements of the network), turn off unnecessary services, or adjust the router's access control lists (ACLs) to disable some of the ports the network exposes to the outside world.

3. Establish a security baseline. After hardening the network with the help of nmap and figuring out which systems and services could be attacked, the next step is to establish a security baseline based on these known systems and services. In the future, when enabling new services or servers, you can easily follow this baseline.

Copyright © 2011 JIN SHI