《Nmap渗透测试指南》—第2章2.5节TCP SYN Ping扫描
本文共 3331 字,大约阅读时间需要 11 分钟。
本节书摘来自异步社区《Nmap渗透测试指南》一书中的第2章2.5节TCP SYN Ping扫描,作者 商广明,更多章节内容可以访问云栖社区“异步社区”公众号查看。
2.5 TCP SYN Ping扫描
表2.4所示为本章节所需Nmap命令表,表中加粗命令为本小节所需命令——TCP SYN Ping扫描。
TCP协议是TCP/IP协议族中的面向连接的、可靠的传输层协议,允许发送和接收字节流形式的数据。为了使服务器和客户端以不同的速度产生和消费数据,TCP提供了发送和接收两个缓冲区。TCP提供全双工服务,数据同时能双向流动。通信的每一方都有发送和接收两个缓冲区,可以双向发送数据。TCP在报文中加上一个递进的确认序列号来告诉发送者,接收者期望收到的下一个字节,如果在规定时间内,没有收到关于这个包的确认响应,则重新发送此包,这保证了TCP是一种可靠的传输层协议。
-PS选项发送一个设置了SYN标志位的空TCP报文。默认目的端口为80(可以通过改变nmap.h)文件中的DEFAULT-TCP-PROBE-PORT值进行配置,但不同的端口也可以作为选项指定,甚至可以指定一个以逗号分隔的端口列表(如-PS22,23,25,80,115,3306,3389),在这种情况下,每个端口会被并发地扫描。
通常情况下,Nmap默认Ping扫描是使用TCP ACK和ICMP Echo请求对目标进行是否存活的响应,当目标主机的防火墙阻止这些请求时,我们可以使用TCP SYN Ping扫描来进行对目标主机存活的判断。
root@Wing:~# nmap -PS -v 192.168.121.1Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:31 CSTInitiating Ping Scan at 11:31Scanning 192.168.121.1 [1 port]Completed Ping Scan at 11:31, 1.01s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 11:31Completed Parallel DNS resolution of 1 host. at 11:31, 0.01s elapsedInitiating SYN Stealth Scan at 11:31Scanning 192.168.121.1 [1000 ports]Discovered open port 135/tcp on 192.168.121.1Discovered open port 445/tcp on 192.168.121.1Discovered open port 139/tcp on 192.168.121.1Discovered open port 49155/tcp on 192.168.121.1Discovered open port 7000/tcp on 192.168.121.1Discovered open port 49165/tcp on 192.168.121.1Discovered open port 49153/tcp on 192.168.121.1Discovered open port 49152/tcp on 192.168.121.1Discovered open port 912/tcp on 192.168.121.1Discovered open port 902/tcp on 192.168.121.1Discovered open port 843/tcp on 192.168.121.1Increasing send delay for 192.168.121.1 from 0 to 5 due to 258 out of 858 dropped probes since last increase.Discovered open port 8000/tcp on 192.168.121.1Completed SYN Stealth Scan at 11:32, 69.92s elapsed (1000 total ports)Nmap scan report for 192.168.121.1Host is up (1.2s latency).Not shown: 987 closed portsPORT STATE SERVICE135/tcp open msrpc139/tcp open netbios-ssn445/tcp open microsoft-ds514/tcp filtered shell843/tcp open unknown902/tcp open iss-realsecure912/tcp open apex-mesh7000/tcp open afs3-fileserver8000/tcp open http-alt49152/tcp open unknown49153/tcp open unknown49155/tcp open unknown49165/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 70.99 seconds Raw packets sent: 1409 (61.996KB) | Rcvd: 1008 (40.605KB)root@Wing:~#
从上面的返回结果可得知Nmap是通过SYN/ACK和RST响应来对目标主机是否存活进行判断,但在特定情况下防火墙会丢弃RST包,这种情况下扫描的结果会不准确,这时,我们需要指定一个端口或端口范围来避免这种情况。
root@Wing:~# nmap -PS80,100-200 -v 192.168.121.1Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-28 11:38 CSTInitiating Ping Scan at 11:38Scanning 192.168.121.1 [1 port]Completed Ping Scan at 11:38, 1.00s elapsed (1 total hosts)Initiating Parallel DNS resolution of 1 host. at 11:38Completed Parallel DNS resolution of 1 host. at 11:38, 0.04s elapsedInitiating SYN Stealth Scan at 11:38Scanning 192.168.121.1 [102 ports]Discovered open port 139/tcp on 192.168.121.1Discovered open port 135/tcp on 192.168.121.1Completed SYN Stealth Scan at 11:38, 4.04s elapsed (102 total ports)Nmap scan report for 192.168.121.1Host is up (1.0s latency).Not shown: 100 closed portsPORT STATE SERVICE135/tcp open msrpc139/tcp open netbios-ssnNmap done: 1 IP address (1 host up) scanned in 5.15 seconds Raw packets sent: 103 (4.532KB) | Rcvd: 103 (4.128KB)root@Wing:~#
转载地址:http://dcbva.baihongyu.com/
你可能感兴趣的文章
玩转Edas应用部署
查看>>
music-音符与常用记号
查看>>
sql操作命令
查看>>
zip 数据压缩
查看>>
Python爬虫学习系列教程
查看>>
【数据库优化专题】MySQL视图优化(二)
查看>>
【转载】每个程序员都应该学习使用Python或Ruby
查看>>
PHP高级编程之守护进程,实现优雅重启
查看>>
PHP字符编码转换类3
查看>>
rsync同步服务配置手记
查看>>
http缓存知识
查看>>
Go 时间交并集小工具
查看>>
iOS 多线程总结
查看>>
webpack是如何实现前端模块化的
查看>>
TCP的三次握手四次挥手
查看>>
关于redis的几件小事(六)redis的持久化
查看>>
package.json
查看>>
webpack4+babel7+eslint+editorconfig+react-hot-loader 搭建react开发环境
查看>>
Maven 插件
查看>>
初探Angular6.x---进入用户编辑模块
查看>>