http://nmap.org/bennieston-tutorial/
요 페이지 해석
1. Introduction : 그냥 소개글
Nmap is a free, open-source port scanner available for both UNIX and Windows. It has an optional graphical front-end, NmapFE, and supports a wide variety of scan types, each one with different benefits and drawbacks.
This article describes some of these scan types, explaining their relative benefits and just how they actually work. It also offers tips about which types of scan would be best against which types of host.
The article assumes you have Nmap installed (or that you know how to install it. Instructions are available on the Nmap website, http://www.insecure.org/nmap/install/inst-source.html ), and that you have the required privileges to run the scans detailed (many scans require root or Administrator privileges).
A frequently asked questions section has been added since the first version of this article, and this is included as the last section in this version. This is a fully revised and updated version of this tutorial, re-typed and converted to a TeX format, allowing more output formats to be utilised. At the time of writing, the latest Nmap version was 4.11.
2. Disclaimer (A disclaimer is a statement in which a person says that they did not know about something or that they are not responsible for something)
This information is provided to assist users of Nmap in scanning their own networks, or networks for which they have been given permission to scan, in order to determine the security of such networks. it is not intended to assist with scanning remote sites with the intention of breaking into or exploiting services on those sites, or for imformation gathering purposes beyond those allowed by law. I hereby disclaim any responsibility for actions taken based upon the information in this article, and urge all who seek information towards a destructive end to reconsider their life, and do something constructive instead.
- 요약 : 나쁘게 사용해서 인생 망치지 말라는 글
3 Basic Scan Types [-sT, -sS]
The two basic scan types used most in Nmap are TCP connect() scanning [-sT] and SYN scanning (also known as half-open, or stealth scanning) [-sS].
These two types are explained in detail below.
3.1 TCP connect() Scan [-sT]
These scans are so called because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made. If it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way). This allows a basic type of port scan, which attempts to connect to every port in turn, and notes whether or not the connection succeeded. Once the scan is completed, ports to which a connection could be established are listed as open, the rest are said to be closed.
(TCP connection을 할때 system call "connect()를 쓰므로 저렇게 명명 되었다. connect()가 성공하면 연결된다. (안되는경우 : remote system이 offline port closed , 도중에 에러 발생)
This method of scanning is very effective, and provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port as open, you can definitely connect to it - that is what the scanning computer just did! There is, however, a major drawback to this kind of scan; it is very easy to detect on the system being scanned. If a firewall or intrusion detection system is running on the victim, attempts to connect() to every port on the system will almost always trigger a warning. Indeed, with modern firewalls, an attempt to connect to a single port which has been blocked or has not been specifically "opened" will usually result in the connection attempt being logged. Additionally, most servers will log connections and their source IP, so it would be easy to detect the source of a TCP connect() scan.
For this reason, the TCP Stealth Scan was developed.
(단점 : 탐지하기가 쉽다. 대부분의 서버들에 로그가 남는다. 현대의 방화벽은 막혀있는 포트나 특별히 "opened"되지 않은 a single port 로 connect 하려는 시도를 로그에 남긴다.)
3.2 SYN Stealth Scan [-sS]
I’ll begin this section with an overview of the TCP connection process. Those familiar with TCP/IP can skip the first few paragraphs.
When a TCP connection is made between two systems, a process known as a "three way handshake" occurs. This involves the exchange of three packets, and synchronises the systems with each other (necessary for the error correction built into TCP. Refer to a good TCP/IP book for more details.
The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is.
Here, I will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).
To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.
SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully; often preventing the connection attempt appearing in application logs. If the port is closed, an RST will be sent. If it is filtered, the SYN packet will have been dropped and no response will be sent. In this way, Nmap can detect three port states - open, closed and filtered. Filtered ports may require further probing since they could be subject to firewall rules which render them open to some IPs or conditions, and closed to others.
Modern firewalls and Intrusion Detection Systems can detect SYN scans, but in combination with other features of Nmap, it is possible to create a virtually undetectable SYN scan by altering timing and other options (explained later).
4 FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]
With the multitude of modern firewalls and IDS’ now looking out for SYN scans, these three scan types may be useful to varying degrees. Each scan type refers to the flags set in the TCP header. The idea behind these type of scans is that a closed port should respond with an RST upon receiving packets, whereas an open port should just drop them (it’s listening for packets with SYN set). This way, you never make even part of a connection, and never send a SYN packet; which is what most IDS’ look out for.
The FIN scan sends a packet with only the FIN flag set, the Xmas Tree scan sets the FIN, URG and PUSH flags (see a good TCP/IP book for more details) and the Null scan sends a packet with no flags switched on.
These scan types will work against any system where the TCP/IP implementation follows RFC 793. Microsoft Windows does not follow the RFC, and will ignore these packets even on closed ports. This technicality allows you to detect an MS Windows system by running SYN along with one of these scans. If the SYN scan shows open ports, and the FIN/NUL/XMAS does not, chances are you’re looking at a Windows box (though OS Fingerprinting is a much more reliable way of determining the OS running on a target!)
The sample below shows a SYN scan and a FIN scan, performed against a Linux system. The results are, predictably, the same, but the FIN scan is less likely to show up in a logging system.
1 [chaos]# nmap -sS 127.0.0.1
2
3 Starting Nmap 4.01 at 2006-07-06 17:23 BST
4 Interesting ports on chaos (127.0.0.1):
5 (The 1668 ports scanned but not shown below are in state:
6 closed)
7 PORT STATE SERVICE
8 21/tcp open ftp
9 22/tcp open ssh
10 631/tcp open ipp
11 6000/tcp open X11
12
13 Nmap finished: 1 IP address (1 host up) scanned in 0.207
14 seconds
15 [chaos]# nmap -sF 127.0.0.1
16
17 Starting Nmap 4.01 at 2006-07-06 17:23 BST
18 Interesting ports on chaos (127.0.0.1):
19 (The 1668 ports scanned but not shown below are in state:
20 closed)
21 PORT STATE SERVICE
22 21/tcp open|filtered ftp
23 22/tcp open|filtered ssh
24 631/tcp open|filtered ipp
25 6000/tcp open|filtered X11
26
27 Nmap finished: 1 IP address (1 host up) scanned in 1.284
28 seconds
5 Ping Scan [-sP]
This scan type lists the hosts within the specified range that responded to a ping. It allows you to detect which computers are online, rather than which ports are open. Four methods exist within Nmap for ping sweeping.
The first method sends an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up, and ICMP packets are not blocked. If there is no response to the ICMP ping, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and thus not responding to anything.
When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods. Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established (similar to the SYN/ACK method for root users, but this one establishes a full TCP connection!)
The ICMP scan type can be disabled by setting -P0 (that is, zero, not uppercase o).
