Locations of visitors to this page

Thursday, December 24, 2009

nmap ping scan

nmap ping scan
nmap ping扫描


1. 现象
有3台服务器, 都开了iptables, 允许ICMP,SSH访问
server1: 192.168.18.95
server2: 192.168.51.72
server3: 192.168.51.71

nmap扫描服务器server1的ssh端口, 结果是通的
$ nmap server1 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:47 UTC
Interesting ports on server1 (192.168.18.95):
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.134 seconds

另一台server2扫描不通
$ nmap server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:48 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 3.001 seconds
然而ping却能ping通
$ ping server2 -c 3
PING server2 (192.168.51.72) 56(84) bytes of data.
64 bytes from server2 (192.168.51.72): icmp_seq=1 ttl=63 time=0.314 ms
64 bytes from server2 (192.168.51.72): icmp_seq=2 ttl=63 time=0.214 ms
64 bytes from server2 (192.168.51.72): icmp_seq=3 ttl=63 time=0.247 ms

--- server2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.214/0.258/0.314/0.043 ms
SSH端口也可访问
$ ssh server2 uptime
username@server2's password:
 07:50:01 up 14 days,  8:02,  1 user,  load average: 0.00, 0.00, 0.00


将server2上的iptables关掉后, nmap扫描通过
# iptables -F
$ nmap server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:49 UTC
Interesting ports on server2 (192.168.51.72):
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.104 seconds

再打开server2上的iptables, 用root运行nmap扫描, 结果也是通的
# nmap server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:50 UTC
Interesting ports on server2 (192.168.51.72):
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.120 seconds

从server3用root向server2扫描也是通的
# nmap server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 08:10 UTC
Interesting ports on server2 (192.168.51.72):
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:16:C0:A8:33:47 (Semtech)

Nmap finished: 1 IP address (1 host up) scanned in 0.141 seconds

server1的iptables设置:
*nat
...
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
...
*filter
...
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
...
-A RH-Firewall-1-INPUT -j DROP

server2的iptables设置:
*filter
...
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
...
-A RH-Firewall-1-INPUT -j DROP


2. 调查
打开nmap调试信息和strace跟踪
1) server1:
$ nmap -v -d9 --packet-trace -n server1 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:52 UTC
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
READ selected for machine 192.168.18.95
Machine 192.168.18.95 MIGHT actually be listening on probe port 80
Hostupdate called for machine 192.168.18.95 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 727)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 798 ==> srtt: 798 rttvar: 5000 to: 100000
Finished block: srtt: 798 rttvar: 5000 timeout: 100000 block_tries: 1 up_this_block: 1 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Initiating Connect() Scan against 192.168.18.95 [1 port] at 07:52
CONN (0.1040s) TCP localhost > 192.168.18.95:22 => Operation now in progress
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/50/* 1000000/-1/-1
   192.168.18.95: 1/0/0/1/0/0 10.00/50/0 100000/798/5000
Discovered open port 22/tcp on 192.168.18.95
Changing ping technique for 192.168.18.95 to TCP
Timeout vals: srtt: 798 rttvar: 5000 to: 100000 delta -381 ==> srtt: 750 rttvar: 3845 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 417 ==> srtt: 417 rttvar: 5000 to: 100000
The Connect() Scan took 0.00s to scan 1 total ports.
Host 192.168.18.95 appears to be up ... good.
Interesting ports on 192.168.18.95:
Fetchfile found /usr/share/nmap/nmap-services

PORT   STATE SERVICE
22/tcp open  ssh
Final times for host: srtt: 750 rttvar: 3845  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 0.116 seconds

2) server2:
$ nmap -v -d9 --packet-trace -n server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:53 UTC
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
Finished block: srtt: -1 rttvar: -1 timeout: 1000000 block_tries: 2 up_this_block: 0 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 0
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 3.002 seconds
与1)对比发现, nmap扫描server1时连接了server1的80端口

$ strace nmap server2 -p22
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.51.72")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(4, [3], [3], [3], {1, 0})        = 0 (Timeout)
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.51.72")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(4, [3], [3], [3], {1, 0})        = 0 (Timeout)
close(3)                                = 0
...
write(1, "Note: Host seems down. If it is "..., 81Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
) = 81
...
连接server2的80端口, 2次超时(Timeout)后报错'Host seems down.', 然后退出

3) root用户扫描server2:
# nmap -v -d9 --packet-trace -n server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 07:53 UTC
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
Packet capture filter (device bond0): (icmp and dst host 192.168.11.18) or ((tcp or udp) and dst host 192.168.11.18 and ( dst port 34806 or dst port 34807 or dst port 34808 or dst port 34809 or dst port 34810))
SENT (0.0100s) ICMP 192.168.11.18 > 192.168.51.72 Echo request (type=8/code=0) ttl=52 id=10191 iplen=28
SENT (0.0100s) TCP 192.168.11.18:34810 > 192.168.51.72:80 A ttl=40 id=58342 iplen=40 seq=1674883102 win=1024 ack=2782179358
RCVD (0.0100s) ICMP 192.168.51.72 > 192.168.11.18 Echo reply (type=0/code=0) ttl=63 id=43696 iplen=28
We got a ping packet back from 192.168.51.72: id = 56906 seq = 21184 checksum = 52980
Hostupdate called for machine 192.168.51.72 state UNKNOWN/COMBO -> HOST_UP (trynum 0, dotimeadj: yes time: 446)
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 382 ==> srtt: 382 rttvar: 5000 to: 100000
Finished block: srtt: 382 rttvar: 5000 timeout: 100000 block_tries: 1 up_this_block: 1 down_this_block: 0 group_sz: 1
massping done:  num_hosts: 1  num_responses: 1
Initiating SYN Stealth Scan against 192.168.51.72 [1 port] at 07:53
Pcap filter: dst host 192.168.11.18 and (icmp or (tcp and (src host 192.168.51.72)))
Packet capture filter (device bond0): dst host 192.168.11.18 and (icmp or (tcp and (src host 192.168.51.72)))
SENT (0.1240s) TCP 192.168.11.18:34786 > 192.168.51.72:22 S ttl=51 id=27748 iplen=44 seq=3810228640 win=4096
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/50/* 1000000/-1/-1
   192.168.51.72: 1/0/0/1/0/0 10.00/50/0 100000/382/5000
RCVD (0.1240s) TCP 192.168.51.72:22 > 192.168.11.18:34786 SA ttl=63 id=0 iplen=44 seq=3799856132 win=5840 ack=3810228641
Discovered open port 22/tcp on 192.168.51.72
Changing ping technique for 192.168.51.72 to TCP
Timeout vals: srtt: 382 rttvar: 5000 to: 100000 delta 44 ==> srtt: 387 rttvar: 3761 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 426 ==> srtt: 426 rttvar: 5000 to: 100000
The SYN Stealth Scan took 0.01s to scan 1 total ports.
Host 192.168.51.72 appears to be up ... good.
Interesting ports on 192.168.51.72:
Fetchfile found /usr/share/nmap/nmap-services

PORT   STATE SERVICE
22/tcp open  ssh
Final times for host: srtt: 387 rttvar: 3761  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 0.141 seconds
               Raw packets sent: 3 (112B) | Rcvd: 2 (92B)
发送ICMP echo request, 并向80端口发送TCP ACK包

# strace nmap server2 -p22
...
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
setsockopt(4, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
setsockopt(4, SOL_IP, IP_HDRINCL, [1], 4) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 5
setsockopt(5, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0
setsockopt(5, SOL_IP, IP_HDRINCL, [1], 4) = 0
socket(PF_PACKET, SOCK_RAW, 768)        = 6
ioctl(6, SIOCGIFINDEX, {ifr_name="lo", ifr_index=1}) = 0
ioctl(6, SIOCGIFHWADDR, {ifr_name="bond0", ifr_hwaddr=00:14:22:12:39:2b}) = 0
ioctl(6, SIOCGIFINDEX, {ifr_name="bond0", ifr_index=5}) = 0
bind(6, {sa_family=AF_PACKET, proto=0x03, if5, pkttype=PACKET_HOST, addr(0)={0, }, 20) = 0
getsockopt(6, SOL_SOCKET, SO_ERROR, [17179869184], [4]) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
ioctl(7, SIOCGIFADDR, {ifr_name="bond0", ifr_addr={AF_INET, inet_addr("192.168.11.18")}}) = 0
ioctl(7, SIOCGIFNETMASK, {ifr_name="bond0", ifr_netmask={AF_INET, inet_addr("255.255.255.0")}}) = 0
close(7)                                = 0
brk(0x17164000)                         = 0x17164000
setsockopt(6, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0\0\0\0\0\20)h\0\0\0\0\0", 16) = 0
fcntl(6, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(6, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
recvfrom(6, "\0\220\301\224x\377\177\0\0\220\301\224x\377\177\0\0p\301\224x\377\177\0\0\360\255\23\27\0\0\0"..., 1, MSG_TRUNC, NULL, NULL) = 114
recvfrom(6, "\0\220\301\224x\377\177\0\0\220\301\224x\377\177\0\0p\301\224x\377\177\0\0\360\255\23\27\0\0\0"..., 1, MSG_TRUNC, NULL, NULL) = 114
...
recvfrom(6, "\0\220\301\224x\377\177\0\0\220\301\224x\377\177\0\0p\301\224x\377\177\0\0\360\255\23\27\0\0\0"..., 1, MSG_TRUNC, NULL, NULL) = 146
recvfrom(6, 0x7fff7894c11f, 1, 32, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
fcntl(6, F_SETFL, O_RDWR)               = 0
setsockopt(6, SOL_SOCKET, SO_ATTACH_FILTER, "\231\0\224x\377\177\0\0\320\312\23\27\0\0\0\0", 16) = 0
sendto(5, "E\0\0\34\360Y\0\0-\1\335\334\300\250\v\22\300\2503H\10\0*\347\244\t)\17", 28, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("192.168.51.72")}, 16) = 28
sendto(4, "E\0\0(\2\275\0\0;\6\275h\300\250\v\22\300\2503H\367\205\0Pu\303\312^\312\303\312^"..., 40, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.51.72")}, 16) = 40
select(7, [6], NULL, NULL, {0, 20000})  = 1 (in [6], left {0, 20000})
recvfrom(6, "\0\24\"\0229+\0\23\200\6\301A\10\0E\0\0\34\252\274\0\0?\1\21z\300\2503H\300\250"..., 104, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if5, pkttype=PACKET_HOST, addr(6)={1, 00138006c141}, [18]) = 60
ioctl(6, SIOCGSTAMP, 0x7fff78948b20)    = 0
close(4)                                = 0
close(5)                                = 0
close(6)                                = 0
...
创建原始套接字, 向server2端口0和80发送数据包

4) server2关闭iptables:
$ strace nmap server2 -p22
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.168.51.72")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(4, [3], [3], [3], {1, 0})        = 2 (in [3], out [3], left {1, 0})
recvfrom(3, 0x7ffffaa7bed0, 255, 0, 0, 0) = -1 ECONNREFUSED (Connection refused)
close(3)                                = 0
...
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
fcntl(3, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(3, SOL_SOCKET, SO_LINGER, {onoff=1, linger=0}, 8) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.51.72")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(4, [3], [3], [3], {0, 99000})    = 1 (out [3], left {0, 99000})
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
sendto(3, "", 0, 0, NULL, 0)            = 0
getpeername(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("192.168.51.72")}, [17179869200]) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(34707), sin_addr=inet_addr("192.168.11.18")}, [68719476752]) = 0
close(3)                                = 0
...
连接server2的80端口, 1次连接被拒绝(Connection refused)后, 不退出, 继续扫描22端口

5) root从server3扫描server2
# nmap -v -d9 --packet-trace -n server2 -p22

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2009-12-24 08:10 UTC
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
Initiating ARP Ping Scan against 192.168.51.72 [1 port] at 08:10
Pcap filter: arp and ether dst host 00:16:C0:A8:33:46
Packet capture filter (device eth0): arp and ether dst host 00:16:C0:A8:33:46
SENT (0.0140s) ARP who-has 192.168.51.72 tell 192.168.51.71
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/50/* 100000/-1/-1
   192.168.51.72: 1/0/0/1/0/0 10.00/50/0 100000/-1/-1
RCVD (0.0150s) ARP reply 192.168.51.72 is-at 00:16:C0:A8:33:47
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 364 ==> srtt: 364 rttvar: 5000 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 100000 delta 364 ==> srtt: 364 rttvar: 5000 to: 100000
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against 192.168.51.72 [1 port] at 08:10
Pcap filter: dst host 192.168.51.71 and (icmp or (tcp and (src host 192.168.51.72)))
Packet capture filter (device eth0): dst host 192.168.51.71 and (icmp or (tcp and (src host 192.168.51.72)))
SENT (0.0380s) TCP 192.168.51.71:35569 > 192.168.51.72:22 S ttl=57 id=4614 iplen=44 seq=1639929488 win=2048
**TIMING STATS**: IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ccthresh/delay, timeout/srtt/rttvar/
   Groupstats (1/1 incomplete): 1/*/*/*/*/* 10.00/50/* 1000000/-1/-1
   192.168.51.72: 1/0/0/1/0/0 10.00/50/0 100000/364/5000
RCVD (0.0390s) TCP 192.168.51.72:22 > 192.168.51.71:35569 SA ttl=64 id=0 iplen=44 seq=474347775 win=5840 ack=1639929489
Discovered open port 22/tcp on 192.168.51.72
Changing ping technique for 192.168.51.72 to TCP
Timeout vals: srtt: 364 rttvar: 5000 to: 100000 delta 9 ==> srtt: 365 rttvar: 3752 to: 100000
Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 373 ==> srtt: 373 rttvar: 5000 to: 100000
The SYN Stealth Scan took 0.01s to scan 1 total ports.
Fetchfile found /usr/share/nmap/nmap-mac-prefixes

Host 192.168.51.72 appears to be up ... good.
Interesting ports on 192.168.51.72:
Fetchfile found /usr/share/nmap/nmap-services

PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 00:16:C0:A8:33:47 (Semtech)
Final times for host: srtt: 365 rttvar: 3752  to: 100000

Nmap finished: 1 IP address (1 host up) scanned in 0.142 seconds
               Raw packets sent: 2 (86B) | Rcvd: 2 (86B)
发送ARP扫描


3. 分析
查看nmap手册
$ man nmap
...
HOST DISCOVERY
       One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions.

       Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-P0), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with RFC1918-blessed private address space such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of IP addresses.

       If no host discovery options are given, Nmap sends a TCP ACK packet destined for port 80 and an ICMP Echo Request query to each target machine. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network. For unprivileged UNIX shell users, a SYN packet is sent instead of the ack using the connect() system call. These defaults are equivalent to the -PA -PE options. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.
...
       -sP (Ping Scan)
              This option tells Nmap to only perform a ping scan (host discovery), then print out the available hosts that responded to the scan. No further testing (such as port scanning or OS detection) is performed. This is one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

              Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

              The -sP option sends an ICMP echo request and a TCP packet to port 80 by default. When executed by an unprivileged user, a SYN packet is sent (using a connect() call) to port 80 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests (-PR) are used unless --send-ip was specified. The -sP option can be combined with any of the discovery probe types (the -P* options, excluding -P0) for greater flexibility. If any of those probe type and port number options are used, the default probes (ACK and echo request) are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise hosts could be missed when the firewall drops probes or their responses.
...
nmap在检测服务和端口之前, 默认首先检测主机是否是活动的, 这被称为主机发现(Host Disvocery)或ping扫描(ping scan)
如果主机发现不通过, 则不进行后面的端口扫描
主机发现的方式有多种, 默认方式是向主机80端口发送一个TCP ACK包, 并发送ICMP 回显请求(Echo Request)查询, 如在同一局域网则使用ARP扫描. 对于UNIX下非特权用户, 不发送ack包, 而是使用connect()系统调用发送一个SYN包.


4. 结论
1) 特权用户才可以建立原始套接字, 使用ARP, ICMP, ACK扫描

2) 普通用户运行nmap扫描server1:
nmap使用connect向80端口发送SYN, 因为server1上启动了tomcat服务, 80端口可访问, 所以主机发现成功通过

3) 普通用户运行nmap扫描打开iptables的server2:
nmap使用connect向80端口发送SYN, server2上iptables不允许访问80端口, 造成扫描超时错误, nmap认为主机不可达, 所以主机发现失败

4) 普通用户运行nmap扫描关闭iptables的server2:
nmap使用connect向80端口发送SYN, server2上没有监听80端口的服务, 造成连接被拒绝, nmap认为主机可到达, 所以主机发现通过

5) 特权用户运行nmap扫描打开iptables的server2:
nmap使用原始套接字发出ICMP回显请求, server2上iptables允许ICMP, 所以主机发现能通过

6) 普通用户ping命令扫描打开iptables的server2:
因为ping命令拥有setuid root权限, 运行时具有root权限, 可以创建原始套接字用ICMP扫描, 所以能ping通主机
$ ls -l $(which ping)
-rwsr-xr-x 1 root root 37280 Mar 14  2007 /bin/ping

6) 特权用户从server3扫描打开iptables的server2:
因为server2和server3处于同一子网, 所以使用ARP扫描, ARP属于第2层数据链路层, iptables无法过滤, 所以主机发现能通过



外部链接:
Chapter 15. Nmap Reference Guide
The Art of Port Scanning - by Fyodor





-fin-

No comments:

Website Analytics

Followers