NMAP - A Stealth Port Scanner--reference
TCP ACK scan (-sA). Usually used to map firewall rulesets and to distinguish stateful from stateless firewalls, this scan type sends bare ACK packets to the host. If an RST comes back, the port is classified "unfiltered": the probe reached the host and the host's RST was allowed back through whatever firewall was in place. If nothing comes back (or an ICMP unreachable error does), the port is classified "filtered": something dropped either the probe or the RST. That difference separates a stateless filter, which simply blocks incoming SYN packets, from a stateful one, which tracks connections and also drops unsolicited ACKs. An ACK scan never reports a port as "open", and an "unfiltered" port may be either open or closed, so use it alongside a SYN or connect scan to learn both the port state and what packet filters sit between you and the target.

TCP Window scan (-sW). Similar to the ACK scan, but it can sometimes tell open from closed among the unfiltered ports as well. It relies on a quirk in some TCP stacks, which set a positive window size in the RST for an open port and a zero window for a closed one. Only a minority of operating systems behave this way (see the Nmap manual for a list, or the nmap-hackers mailing list for the full list of susceptible OSes); against anything else the scan reports every port as closed, so treat its "open" results as hints to confirm with another scan type.

RPC scan (-sR). Used in conjunction with other scan types to determine whether an open TCP or UDP port is an RPC service and, if so, which program and version numbers are running on it. Decoys are not supported with RPC scans (see the section on timing and hiding scans, below). Current Nmap releases fold this into version detection, so -sR is an alias for -sV.

List scan (-sL). Simply prints the list of IPs and names (reverse DNS resolution is used unless the -n option is passed) without pinging or scanning the hosts. It is a cheap way to check which addresses a target specification expands to before touching any of them.

Timing. Nmap adjusts its timing automatically to the network speed and the target's response times. You may still want more control, either to make a scan stealthier or to get it over and done with faster. The main timing option is -T, which selects one of six predefined timing policies by name or by number (starting with 0, corresponding to Paranoid).
The policies are Paranoid, Sneaky, Polite, Normal, Aggressive and Insane (-T0 through -T5). A -T Paranoid (-T0) scan waits at least 5 minutes between packets. That makes it very hard for a firewall or IDS to recognise a port scan in progress: the probes are so spread out that they will most likely be attributed to random network traffic. Such a scan still shows up in logs, but most analysis tools and most humans will miss it completely. A -T Insane (-T5) scan maps a host in very little time, provided you are on a very fast network or do not mind losing some results along the way. Individual aspects of a scan can be tuned with the --host_timeout, --max_rtt_timeout, --min_rtt_timeout, --initial_rtt_timeout, --max_parallelism, --min_parallelism and --scan_delay options (current releases spell these with hyphens, for example --max-rtt-timeout and --scan-delay, and accept values with units such as 500ms). See the Nmap manual for details.

Decoys (-D). The -D option lets you specify decoy addresses, making it look as if those hosts are scanning the target as well. It does not hide your own IP, but it turns your address into one of a flood of sources apparently scanning the target at the same time. This makes the scan look more alarming and makes it harder to trace, since the target cannot easily tell which source is the real one. Two caveats: the decoy hosts should be up, or the target may be SYN flooded by retransmissions to addresses that never answer, and decoys have no effect on connect scans or version detection, which complete real connections from your own address.

FTP bounce scan (-b). The FTP protocol (RFC 959) specifies "proxy" FTP: a client may issue a PORT command naming a third-party address, and the server then opens its data connection to that address rather than back to the client. Most modern FTP daemons disable this by default, usually through a configuration option. When a server still allows it, Nmap's -b option uses that server to attempt connections to ports on the target and infers each port's state from the server's reply codes. This gives some anonymity with respect to the target, although the FTP server itself may log the connection and every command sent to it.

Ping options. The -P0 option (that is a zero) switches off host discovery, so hosts are scanned even if they never answer a ping. The -PT option turns on TCP pings (ACK probes), and a port number may be appended to choose the port used, for example -PT80. In current Nmap these are spelled -Pn and -PA respectively.
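The classification rules behind the ACK and Window scans described above, and the SYN-versus-ACK comparison used to tell a stateless filter from a stateful one, as an added example that is not part of the original article and does not send any packets. The probe replies are constructed in-line; the port numbers and the "quirky stack" reply on port 80 are illustrative assumptions.

```python
# Added example, not from the original article: the verdict an ACK scan
# and a Window scan give for each probe reply, plus the SYN-vs-ACK
# comparison that separates a stateless filter from a stateful one.
# Every "reply" below is constructed in-line; nothing is sent.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ProbeReply:
    """What came back for one bare-ACK probe (constructed, not captured)."""
    port: int
    kind: Optional[str]      # "RST", "ICMP_UNREACH", or None for silence
    window: int = 0          # TCP window field of the RST (Window scan only)


def ack_state(reply: ProbeReply) -> str:
    """ACK scan: an RST proves the probe got through and the answer got
    back, so the port is 'unfiltered'. Silence or an ICMP unreachable error
    means something swallowed the probe or the RST: 'filtered'. Never 'open'."""
    return "unfiltered" if reply.kind == "RST" else "filtered"


def window_state(reply: ProbeReply) -> str:
    """Window scan: same probe, but a few TCP stacks put a non-zero window in
    the RST for an open port and a zero window for a closed one. On stacks
    without that quirk every unfiltered port comes back 'closed'."""
    if reply.kind != "RST":
        return "filtered"
    return "open" if reply.window > 0 else "closed"


def infer_filter(syn_state: str, ack_state_: str) -> str:
    """Combine the SYN-scan verdict and the ACK-scan verdict for one port."""
    if syn_state == "filtered" and ack_state_ == "unfiltered":
        return "stateless"      # drops unsolicited SYN, lets a bare ACK through
    if syn_state == "filtered" and ack_state_ == "filtered":
        return "stateful"       # tracks connections, drops the lone ACK as well
    if syn_state in ("open", "closed") and ack_state_ == "unfiltered":
        return "none"           # nothing in the path interfered either way
    return "inconsistent"       # e.g. open via SYN yet filtered via ACK: rescan


# Constructed results for three ports on one host (assumed values).
SYN_RESULTS = {22: "open", 80: "filtered", 443: "filtered"}
ACK_REPLIES = [
    ProbeReply(22, "RST", window=0),      # ordinary stack: zero-window RST
    ProbeReply(80, "RST", window=1024),   # quirky stack: RST carries a window
    ProbeReply(443, None),                # no answer after retransmits
]


def scan_summary() -> Dict[int, Dict[str, str]]:
    """Per-port verdicts from each scan type plus the inferred filter kind."""
    out: Dict[int, Dict[str, str]] = {}
    for r in ACK_REPLIES:
        syn = SYN_RESULTS[r.port]
        ack = ack_state(r)
        out[r.port] = {
            "syn": syn,
            "ack": ack,
            "window": window_state(r),
            "filter": infer_filter(syn, ack),
        }
    return out


if __name__ == "__main__":
    for port, v in scan_summary().items():
        print(f"{port:>5}/tcp  syn={v['syn']:<8} ack={v['ack']:<10} "
              f"window={v['window']:<8} filter={v['filter']}")
```

Port 22 shows why an ACK scan alone is not enough: the SYN scan says open, the ACK scan can only say unfiltered, and the Window scan, facing a stack without the window quirk, wrongly says closed. Port 80 is the stateless-filter signature (SYN dropped, bare ACK answered), and port 443 is the stateful one (both dropped).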
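The proxy-FTP exchange that the bounce scan described above depends on, as an added example that is neither the article's nor Nmap's own code. It talks to a fake FTP server constructed in-line so that it runs offline. The PORT-then-LIST sequence and the reply-code reading (200 command OK, 150/226 data connection opened, 425 can't open data connection) follow RFC 959 semantics; treating any other LIST reply as "unknown", the target address 203.0.113.5 and the port lists are this example's assumptions.

```python
# Added example, not from the original article or from Nmap: the FTP
# "proxy" exchange a bounce scan (-b) relies on, run against a fake FTP
# server constructed in-line so the code works offline. Reply codes follow
# RFC 959 (200 OK, 150/226 data connection opened, 425 can't open data
# connection); mapping anything else to "unknown" is this example's choice.
from typing import Dict, Iterable, Optional


def port_argument(ip: str, port: int) -> str:
    """Build the PORT argument h1,h2,h3,h4,p1,p2 that asks the FTP server to
    open its data connection to ip:port instead of back to the client."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


class FakeFtpServer:
    """Minimal stand-in for a third-party FTP server (constructed). It knows
    which target ports are open so it can mimic a data connection succeeding
    or being refused; a real server would simply try to connect."""

    def __init__(self, allow_proxy: bool, target_open_ports: Iterable[int]):
        self.allow_proxy = allow_proxy
        self.open_ports = set(target_open_ports)
        self.data_target: Optional[int] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "PORT":
            if not self.allow_proxy:
                return "500 Illegal PORT command."   # proxy FTP disabled
            h = arg.split(",")
            self.data_target = int(h[4]) * 256 + int(h[5])
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first."
            if self.data_target in self.open_ports:
                return "150 Opening ASCII mode data connection for file list."
            return "425 Can't build data connection: Connection refused."
        return "502 Command not implemented."


def bounce_state(port_reply: str, list_reply: str) -> str:
    """Turn the server's two replies into a port state for the target."""
    if not port_reply.startswith("200"):
        return "bounce-unsupported"   # server refused the third-party PORT
    code = list_reply[:3]
    if code in ("150", "226"):
        return "open"                 # data connection to target succeeded
    if code == "425":
        return "closed"               # target refused the data connection
    return "unknown"


def bounce_scan(server: FakeFtpServer, target: str, ports: Iterable[int]) -> Dict[int, str]:
    """One PORT/LIST round trip per target port, bounced off the FTP server."""
    results: Dict[int, str] = {}
    for p in ports:
        port_reply = server.handle(f"PORT {port_argument(target, p)}")
        list_reply = server.handle("LIST")
        results[p] = bounce_state(port_reply, list_reply)
    return results


if __name__ == "__main__":
    lax = FakeFtpServer(allow_proxy=True, target_open_ports={25, 80})
    print(bounce_scan(lax, "203.0.113.5", [25, 80, 8080]))
    strict = FakeFtpServer(allow_proxy=False, target_open_ports={25})
    print(bounce_scan(strict, "203.0.113.5", [25]))
```

Every line the scan sends passes through the FTP server's command channel, which is why the anonymity is only partial: the server's log will contain the PORT arguments naming the target and every port probed.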

